jsecoin.com

This is where you should report issues arising from the subscription filters.
Locked
DaveJSE
New Member
Posts: 4
Joined: Wed Mar 21, 2018 10:43 am

Post by DaveJSE »

We are a browser based cryptocurrency start-up that provides webmasters with a Javascript based miner as an alternative way to monetise their sites, as well as a self-mining platform where a user can log into their account and mine using their own device. We operate very differently from the hidden Monero miners and believe that we have been categorised in the same way. Unlike these miners, our system is fully opt-in and so no mining will take place unless the site visitor has agreed to allow mining to take place. A notification appears when a user visits a site with the miner installed to alert them to the fact that the site uses JSEcoin mining. They are given the options to continue, to opt out or to learn more. The notification will remain in place until the user has decided which they would like to do, but no mining will begin unless continue is selected. Once mining does begin it is designed to use minimal amounts of CPU power, generally less than 10%. As soon as the user then leaves the page the process stops.

We believe that we are leading the way in promoting the ethical use of browser based mining and would appreciate it if someone could review the domains, and hopefully you will see that there is nothing malicious.

Code:
https://jsecoin.com/
intense
Contributor
Posts: 10497
Joined: Wed Mar 27, 2013 9:56 am

Post by intense »

You should provide test cases and the domains / sites using your technology / scripts.

Are you sure your scripts cannot be used by some other site without asking the user's permission?
DaveJSE
New Member
Posts: 4
Joined: Wed Mar 21, 2018 10:43 am

Post by DaveJSE »

Hi Intense,

Thanks for getting back to me so quickly. We have the script running on our main site https://jsecoin.com/. This can also be seen running at gamcast.com. We have gone to great lengths to prevent unauthorised mining and if you look at the Javascript code you will see we are using private functions, dynamic classes and IDs and fraud prevention techniques such as checking mouse click or touch on the button to prevent automated or computer controlled opting in.
meoten
New Member
Posts: 6
Joined: Tue Mar 20, 2018 6:39 pm

Post by meoten »

DaveJSE wrote: Wed Mar 21, 2018 3:09 pm This can also be seen running at gamcast.com. We have gone to great lengths to prevent unauthorised mining and if you look at the Javascript code you will see we are using private functions, dynamic classes and IDs and fraud prevention techniques such as checking mouse click or touch on the button to prevent automated or computer controlled opting in.
What is preventing the site gamcast.com from running a simple

Code:
document.getElementsByTagName("button")[2].click();
because your Continue-Button is the third one on the page. Even on more complex pages it would always be possible to find your button with a CSS-Selector and then run the click()-Method.
meoten
New Member
Posts: 6
Joined: Tue Mar 20, 2018 6:39 pm

Post by meoten »

It's a little bit weird what the optInAuthKey is doing, because mining (and so the resource usage) will also start without such a key when you run the single line of code above. But even if it later would be detected as fraud by some "magic" in the backend, it's simple to fool your mouse detection and get the optInAuthKey:

Code:
var continueButton = document.getElementsByTagName("button")[2];
continueButton.onmousedown();
continueButton.onclick({offsetX: 1, offsetY: 1, clientX: 1, clientY: 1, pageX: 1, pageY: 1});
DaveJSE
New Member
Posts: 4
Joined: Wed Mar 21, 2018 10:43 am

Post by DaveJSE »

It's always going to be possible to get around client-side restrictions, but even if someone does go to lengths to fake opt-in clicks we have manual and automated checks in place to flag publishers with unrealistic opt-in ratios. As you can see we are doing everything possible to prevent misuse of the system. If you have any further suggestions for improvements please let me know and I will forward them to the dev team. Now you've had a chance to look at the system, though, would you agree it is not malicious or related in any way to malware?
meoten
New Member
Posts: 6
Joined: Tue Mar 20, 2018 6:39 pm

Post by meoten »

I've not reviewed the whole code. In my eyes it's a mess.

Further you are operating in a field of high fraud risk and we've seen that your technical prevention mechanisms are nearly useless.

But there is one more thing: You are blocked within EasyPrivacy. It's not only because of CPU (ab-)use but also because of tracking. You are able to track users across any site where your script is included. That's a privacy risk without any compensating value for the user. So I wouldn't recommend unblocking it.
DaveJSE
New Member
Posts: 4
Joined: Wed Mar 21, 2018 10:43 am

Post by DaveJSE »

Hi Meoten,

Thanks for taking time to review and provide feedback.

We have to track users' opt-in and opt-out preferences. If a user opts out, for example, then it should be across the entire network. We are not tracking any personal or private data, just storing an opt-in preference as a cookie on the jsecoin.com domain. This is not a privacy risk.

As mentioned before it is possible to circumvent the client-side restrictions. Client-side code is always going to be open to manipulation because it runs externally. This is only a small part of the fraud prevention which we feel is effective. The only reason for a webmaster to manipulate the code in the way that you demonstrated would be to achieve an unrealistic opt-in ratio. This would be flagged straight away in our admin panel. Publishers who modify the code or attempt to circumvent the opt-in mechanism are suspended.

I believe we are doing everything possible to create a fair and ethical browser based mining system. What else would you require from us to achieve a whitelisting?
meoten
New Member
Posts: 6
Joined: Tue Mar 20, 2018 6:39 pm

Post by meoten »

DaveJSE wrote: Fri Mar 23, 2018 7:19 pm We are not tracking any personal or private data just storing an opt-in preference as a cookie on the jsecoin.com domain.
Let me quote your privacy policy: https://jsecoin.com/en/legal/privacyPolicy
We collect analytics data on our site.

The data we collect is:
  • pubid – publisher id for who sent the traffic
  • siteid – site id which is the domain name of the site
  • userip – ip address of the user
  • useragent – this is the browser useragent string which identifies the browser i.e. Chrome/Firefox/Safari
  • os – operating system
  • referrer – this is the referrer string which contains the url of the site sending traffic.
So you have the user IP and the JSECoin-enabled sites a user with that IP has visited. Even your opt-in cookie isn't only a single "true" or "false" but a 256-bit ID.
DaveJSE wrote: Fri Mar 23, 2018 7:19 pm The only reason for a webmaster to manipulate the code in the way that you demonstrated would be to achieve an unrealistic opt-in ratio.
This would be a very strong reason, at least if your coin is traded some day and has some value. If money is part of the equation there are always bad intentions too. For example, a clever manipulation that only automatically opts in a certain percentage of users is difficult to detect on your side.
DaveJSE wrote: Fri Mar 23, 2018 7:19 pm I believe we are doing everything possible to create a fair and ethical browser based mining system. What else would you require from us to achieve a whitelisting?
I'm not deciding, I'm only posting my opinion. I think in the end your business model simply isn't compatible with the needs of privacy-aware users. I don't see a solution there, especially as long as your service is built upon a central instance able to control everything and getting data from everywhere. I can understand the reasons for this decision in order to prevent the mining-power race Bitcoin is known for. However, every decision also has drawbacks...
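
An added example (not part of any post in this thread, and not JSEcoin's code) of the server-side check both sides argue about: flagging publishers whose opt-in ratio is implausible against the network baseline, and why the same raised ratio is only flagged once enough prompts have been observed. The publisher ids, counts, the median baseline, the plain binomial model and the z-threshold of 4 are assumptions chosen for illustration.

```javascript
// Added illustration, not JSEcoin's backend: flag publishers whose opt-in
// ratio is statistically implausible against the network-wide baseline.
// Every publisher id and count below is constructed sample data.
const SAMPLE_STATS = [
  { pubid: "pub-A", prompts: 5000, optIns: 1010 },
  { pubid: "pub-B", prompts: 4000, optIns: 790 },
  { pubid: "pub-F", prompts: 6000, optIns: 1170 },
  { pubid: "pub-G", prompts: 2000, optIns: 410 },
  { pubid: "pub-C", prompts: 3000, optIns: 2990 },  // almost every prompt accepted
  { pubid: "pub-D", prompts: 200, optIns: 48 },     // 24% on little traffic
  { pubid: "pub-E", prompts: 20000, optIns: 4800 }, // 24% on heavy traffic
];

// Median of per-publisher ratios: a few inflated publishers cannot drag the
// baseline upwards (assumption: the majority of publishers are honest).
function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// One-sided binomial z-score: how many standard deviations the observed
// opt-ins sit above what the baseline ratio predicts for that many prompts.
function scorePublishers(stats, zThreshold = 4) {
  const usable = stats.filter((p) => p.prompts > 0);
  const baseline = median(usable.map((p) => p.optIns / p.prompts));
  return usable.map((p) => {
    const expected = p.prompts * baseline;
    const sd = Math.sqrt(p.prompts * baseline * (1 - baseline));
    const z = sd > 0 ? (p.optIns - expected) / sd : 0;
    return { pubid: p.pubid, ratio: p.optIns / p.prompts, z, flagged: z > zThreshold };
  });
}

// Convenience wrapper: only the ids that should go to manual review.
function flaggedIds(stats, zThreshold = 4) {
  return scorePublishers(stats, zThreshold)
    .filter((r) => r.flagged)
    .map((r) => r.pubid);
}

for (const r of scorePublishers(SAMPLE_STATS)) {
  console.log(`${r.pubid} ratio=${r.ratio.toFixed(3)} z=${r.z.toFixed(1)} flagged=${r.flagged}`);
}
```

pub-D and pub-E have the same 24% ratio, but only pub-E has enough prompts for the deviation to stand out, so a ratio check of this kind needs a minimum-volume review path alongside it.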
Khrin
EasyList Author
Posts: 3562
Joined: Fri Mar 26, 2010 8:50 pm

Post by Khrin »

That filter is here to stay, and we aren't planning to review our decision.