“When able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near”
Sun Tzu, Art of War
I came across this article last week:
<image credits: Salon.com>
If you find it TL;DR, my rough summary is:
The news site Salon.com is telling its readers to either:
- Pay them $$$ for news access (subscription model), or
- Let them show their advertisements, or else
- Let them mine some Monero/XMR with your browser's CPU
So it is the premium subscription model (usual for some US news sites) vs the Ads/AdSense model (freemium) vs the Coinhive model. Wow! Just wow!
And from an #InfoSec perspective, I find this move so wrong on many levels. Initially, I wanted to rant on Twitter:
— Menard Osena (@Menardconnect) February 15, 2018
But I chose to keep an open mind and weigh things out first. Why not a blog post for AVSecurityProductManager.com on this topic? Maybe this can be a good way of “furthering the dialogue”, and this is why we have this post 🙂
I’m not a regular visitor of Salon.com. All I know is that they are a US/American news/opinion website. I also checked, and they seem to be a Top 1000 site in the US and a Top 5000 site globally according to Alexa siteinfo:
<Screen capture from Alexa.com siteinfo>
So a green light and good website credentials for me, imho.
Some interesting points from their announcement (highlighted):
How does Salon make money by using my processing power?
The demand for computing power across many different industries and applications is potentially very high. We intend to use a percentage of your spare processing power to contribute to the advancement of technological discovery, evolution and innovation.
For our beta program, we’ll start by applying your processing power to mine cryptocurrencies to recoup lost ad revenue when you use an ad blocker. We plan to further use any learnings from this to help support the evolution and growth of blockchain technology, digital currencies and other ways to better service the value exchange between content and user contribution.
In any case, the possibilities for this sort of technology are limitless: In the future your spare computing power may go to solving the kinds of complex math problems that form the integrity of blockchains, but it can also be used for humanitarian and scientific projects such as helping research how proteins fold, to aid in biological discovery or helping pay for misdemeanor prisoners’ bail, or to see if we can better predict the impact of climate change.
Your spare computing power can even help analyze astronomical signals to figure out if extraterrestrials are trying to contact us. Some scholars have proposed using spare computing power to help secure voting and verify the integrity of democratic elections.
Uh-oh! The “spare processing power to contribute to the advancement of technological discovery, evolution and innovation” and “extraterrestrials are trying to contact us” cards again 🙂 I honestly feel this is sugar-coating the risks posed by the cryptocurrency mining issue 🙂
And what will they mine?
What is Salon doing with my computer if I decide to opt-in?
Salon is mining digital currencies (for our beta, Monero). To do that, we are instructing your processor to run calculations. Think of it like borrowing your calculator for a few minutes to figure out the answer to math problems, then giving it back when you leave the site. We automatically detect your current processing usage and assign a portion of what you are not using to this process.
Monero. XMR. Mucho Monero!!!
Don’t get me wrong now, I am not saying that “Monero is bad” or “Monero is evil”. I would just like to put on the discussion table that recent infosec events show that this crypto (Monero/XMR) tops other cryptocurrencies in malicious activity. Some related links here and here.
(sidenote: I may write more about this Monero/XMR cryptocurrency in the future so this can be sort of a multipart post)
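For readers who want something more concrete than a calculator analogy, here is what a Coinhive-style miner looks like from the visitor's side and how a defender might spot it. The script below is an added example written for this post; it is not Salon.com's code, not Coinhive's, and not from any product. The indicator patterns, the observation format, the weights and the threshold are all assumptions for illustration, and the two "visits" are constructed samples rather than real telemetry.

```javascript
// Added example, not code from Salon.com, Coinhive or the original post.
// Scores a page visit for in-browser mining indicators. Patterns, weights,
// threshold and the observation format are assumptions for illustration.

// Loader/library names seen in Coinhive-style deployments (assumed patterns).
const SCRIPT_PATTERNS = [
  /coinhive(\.min)?\.js/i,
  /coin-hive\.com/i,
  /authedmine/i,
  /cryptonight/i,
  /\bminer(\.min)?\.js\b/i,
];

// Browser miners reach their pool through a WebSocket proxy (assumed patterns).
const SOCKET_PATTERNS = [/ws-proxy/i, /coinhive/i, /pool/i];

// Arbitrary weights; tune against your own telemetry.
const WEIGHTS = { script: 50, socket: 30, workers: 25, cpu: 25 };
const THRESHOLD = 60;

// observations: array of { type: "script"|"websocket"|"workers"|"cpu", ... }
function scoreMinerIndicators(observations) {
  const reasons = [];
  let score = 0;
  for (const obs of observations) {
    switch (obs.type) {
      case "script":
        if (SCRIPT_PATTERNS.some((p) => p.test(obs.url))) {
          score += WEIGHTS.script;
          reasons.push(`known miner loader: ${obs.url}`);
        }
        break;
      case "websocket":
        if (SOCKET_PATTERNS.some((p) => p.test(obs.url))) {
          score += WEIGHTS.socket;
          reasons.push(`pool-like websocket: ${obs.url}`);
        }
        break;
      case "workers":
        // Miners spawn roughly one Web Worker per core; a news page rarely needs 4+.
        if (obs.count >= 4) {
          score += WEIGHTS.workers;
          reasons.push(`${obs.count} web workers spawned`);
        }
        break;
      case "cpu":
        // Sustained high CPU while the tab is otherwise idle.
        if (obs.busyFraction >= 0.7 && obs.seconds >= 30) {
          score += WEIGHTS.cpu;
          reasons.push(`${Math.round(obs.busyFraction * 100)}% busy for ${obs.seconds}s`);
        }
        break;
      default:
        break;
    }
  }
  return { score, likelyMiner: score >= THRESHOLD, reasons };
}

// Constructed sample captures (not real telemetry).
const SAMPLE_AD_BLOCKED_VISIT = [
  { type: "script", url: "https://cdn.example.com/jquery.min.js" },
  { type: "script", url: "https://coinhive.com/lib/coinhive.min.js" },
  { type: "websocket", url: "wss://ws001.coinhive.com/proxy" },
  { type: "workers", count: 8 },
  { type: "cpu", busyFraction: 0.92, seconds: 120 },
];

const SAMPLE_NORMAL_VISIT = [
  { type: "script", url: "https://cdn.example.com/jquery.min.js" },
  { type: "script", url: "https://example.com/static/app.js" },
  { type: "workers", count: 1 },
  { type: "cpu", busyFraction: 0.15, seconds: 120 },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(scoreMinerIndicators(SAMPLE_AD_BLOCKED_VISIT)); // likelyMiner: true
  console.log(scoreMinerIndicators(SAMPLE_NORMAL_VISIT)); // likelyMiner: false
}
```

The point of the scorer is that the "opt-in" miner and a cryptojacking script injected through a compromised ad slot look identical from the browser's side: same loader, same WebSocket to a pool proxy, same worker fan-out, same CPU profile. The cheap checks in practice are the browser's own task manager (per-tab CPU) and, on the site side, a Content Security Policy whose script-src and connect-src allowlists would simply refuse to load a third-party miner.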
To sum up my thoughts, this change by Salon.com is a risky security move. It’s also a tricky business model.
And I will be watching closely on how this one will unfold…
Before I end this post, here is my disclosure/disclaimer:
I work at Trend Micro. The views expressed in this blog are mine and mine alone (and do not necessarily represent my employer’s positions, strategies or opinions). Read more about me here. You can contact me via twitter or linkedin