back to article Argy-bargy Argies barge into Starbucks Wi-Fi with alt-coin discharges

Starbucks has joined the long growing list of organizations that have inadvertently and silently mined alt-coins on customers' computers for mystery miscreants. A sharp-eyed quaffer in a branch of the frothy-coffee-flavored-milk franchise noticed that when he signed on to the cafe's free Wi-Fi service something was amiss. …

  1. Anonymous Coward
    Anonymous Coward

    You expect this from crooks, aided by lazy corporates.

    But I'm waiting for the first sysadmin to get busted for running coinhive on his corporate computers. Our BOFH could patch it into the standard build image, and run a single thread on clients, but that's risky because somebody somewhere will know enough to spot it. A safer bet would be an on-command implementation for the servers. Few know or care what goes on in the server cupboard or DC. Run when user loads are small, and nobody will even notice.

    1. Anonymous Coward
      Anonymous Coward

      Re: You expect this from crooks, aided by lazy corporates.

      I'd bet it happens at computer retailers too. Bigger stores tend to have their PCs hooked up to the internet. It wouldn't be hard to set miners up on them. You could easily get enough H/s to mine a block or two per week. Since each block is worth ~$1800 atm, that's a nice payday for a minimum wage retail techie.

      1. d3vy

        Re: You expect this from crooks, aided by lazy corporates.

        You'd struggle solo mining with the machines in a single store, your competing with people running at an industrial scale..

        If your in a pool then you only get a fraction of the block reward, still would be worth it for some staff to volunteer to close and open up for a night and run xmrig on all of the machines before the head out for the night!

        1. Anonymous Coward
          Anonymous Coward

          Re: You expect this from crooks, aided by lazy corporates.

          Monero has far lower requirements than the likes of Bitcoin and Litecoin, and it uses a different algorithm that doesn't run any better on ASICs than on desktop PCs. 30 low-mid range PCs could easily run 150-300H/s each on the CPU alone. The ones with GPUs could run anywhere between 500 to 1000H/s.

          10-15KH/s may not be enough to mine a block solo in any reasonable time but it certainly could in a pool.

          1. Mark 65

            Re: You expect this from crooks, aided by lazy corporates.

            For more info see...

            https://www.cryptocompare.com/mining/calculator/xmr

            also

            https://www.cryptocompare.com/mining/#/equipment

          2. MonkeyCee

            Re: You expect this from crooks, aided by lazy corporates.

            "30 low-mid range PCs could easily run 150-300H/s each on the CPU alone. The ones with GPUs could run anywhere between 500 to 1000H/s."

            The CPUs maybe, if they're i7 or Ryzens. Maybe an i5, none of which I'd consider mid-low range. Old xeons are about the cheapest bang to buck ratio, 150 H/s for an E52xx, 200H/s for an X55xx, running a thread per core. To get 500+ on a GPU you'll need a rx 570 or a 1060.

            That's using a tuned miner run locally, not bothered benchmarking coinhive, but I'd suspect it was a tad slower.

            If it's in a heated space, then it may even end up saving money, since they are remarkable efficient little heaters. If you've got a shop full of those, along with free reign to run what you like on them, then I'd expect you'd already be running some sort of mining operation.

            I've suggested it to my local PC builder, but he's averse to doing anything with new (or customer returned) kit, as he then can't legally sell it "as new". While he always has a decent selection of GPUs, none of them get taken out of a box unless it's to install in a clients box. Since he's the one running a successful bricks and mortar computer retail business, I suspect he's making the right call.

            "Monero has far lower requirements than the likes of Bitcoin and Litecoin, and it uses a different algorithm that doesn't run any better on ASICs than on desktop PCs."

            Eh, that's not quite true. You can build an ASIC for it, but that ASIC would end up being more expensive than the equivalent CPU. Hence why no-one has bothered. You'd be better off picking up a retired HPC cluster or equivalent bulk 9-10th gen blade servers at 30-40 quid a pop.

            There's at least one data centre around these parts that uses spare cycles for mining, which pays their 'leccy bill. Not worth the return on capital, but beats them sitting idle :)

    2. MonkeyCee

      Re: You expect this from crooks, aided by lazy corporates.

      "Run when user loads are small, and nobody will even notice."

      If you aren't paying for cooling, then it might pass under the radar.

      However, I'm pretty sure the "running private stuff on the network" is covered under misuse of company property since the days of SETI.

  2. Patched Out

    Why?

    So if Coin-Hive is so regretful that this is being used nefariously, why haven't they removed access to this?

    The code snippet shown is pulling the java script down directly from Coin-Hive.com.

    Don't they have a new version that won't run unless it gets specific authorization from the user accessing the web page? Considering how the old version has been abused, they should only be providing access to this new version. Why make it easier for the crooks?

    1. Anonymous Coward
      Anonymous Coward

      Re: Why?

      You mean the same way they've always asked explicit permission before showing us ads for which they're paid?

    2. d3vy

      Re: Why?

      That's an easy one to answer.

      They get a cut.

      But more than that if you start mining for them and abandon your endeavours before you have mined .5 xmr they keep it (they only pay out at .5)

      I've mined a few ££ worth with their is miner by running it on all the pcs in the house as a bit of an experiment.. but I'd have to leave them all on 24/7 for a few months before I could withdraw anything!

      1. Danny 14

        Re: Why?

        sophos blocks mining .JS in our works. It has steadily increased in the alert management report too so the inclusion in webpages are on the up too.

      2. MonkeyCee

        Re: Why?

        If you're running it on your own hardware, then you're probably better off with one of the designed for purpose miners, rather than one designed to run through a browser.

        xmr-stak is the one I find that behaves the best, you can recompile it from source if you don't want to cough up the dev fee, and it's (as far as miners go) pretty simple to set up.

        1. d3vy

          Re: Why?

          "If you're running it on your own hardware, then you're probably better off with one of the designed for purpose miners, rather than one designed to run through a browser.

          xmr-stak is the one I find that behaves the best, you can recompile it from source if you don't want to cough up the dev fee, and it's (as far as miners go) pretty simple to set up."

          Ill have a look at that, tried XMRig too.. Mining in the UK isnt really worth it with the high cost of power, 24p per KW/h I believe Im paying..

          A Decent rig needs 8-10 decent graphics cards, your looking at £2k hardware, then the power works out at close to 24p an hour... the returns just arent there for me. Im much happier to buy the coins others mine while they are cheap and cross my fingers that they go up in value!

  3. Charles Calthrop

    what a headline

    very good

  4. Anonymous Coward
    Joke

    Send back fake results?

    So now we know this is happening, can we visit Starbucks and send back fake results?

    At the very least, when they ask your name to write on the cup we should all be Monero Miner

    1. Anonymous Coward
      Anonymous Coward

      Re: Send back fake results?

      Tell them to write your wallet address on it.

      1. Danny 14

        Re: Send back fake results?

        yup, just iptables the monero sites to your own .js

  5. cbars Bronze badge

    I still don't understand

    How this 'makes money'. I understand generating crypto currency. I understand trading crypto currency for real world cash in order to trade without taxation/fees internationally.

    I don't understand how the intrinsic value of the 'currency' is able to increase, it's not linked to anything... Adverts generate money through some theoretical link between seeing them and giving the real world company that paid for the advert some of your money, as far as I can tell these currencies are just another big bubble waiting to pop

    Clearly, I should have thought harder about this and got in on the con earlier...

    1. cbars Bronze badge

      Re: I still don't understand

      a downvote? Thanks for that, rather than explaining what I'm missing!

  6. Salestard

    Mining is purely a process?

    That being the case, would I be advised to borrow the retired AS/400s we've got - currently being used mostly as trip hazards until someone gets round to disposing of them. Yeah, I know they're power efficient in that late 80s way (as in, the electricity mostly stays in the box and doesn't leak out all over the carpet), but it'd be nice to see/hear them running again.

    -

    1. wallaby
      Facepalm

      Re: Mining is purely a process?

      "retired AS/400s "

      I so miss my old B35, mind you - showing someone how to power it down by typing PWRDWNSYS *IMMED at the command prompt and then accidentally hitting the enter key with your elbow is not recommended - Got lots of praise from the boss for keeping what appeared to be a poorly system from going down though :)

      1. ukgnome

        Re: Mining is purely a process?

        You have just reminded me of the game we used to play back in the day when I was an operator.

        Have PWRDWNSYS typed and ready to go and leave it. Then have a game of overtime cricket. Using a printer ribbon cartridge as a bat you would bat until a stray ball hit the return key. Hilarity ensues

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like