by chrissnell 4594 days ago
I've been thinking about the possibility of injecting a JavaScript bitcoin miner into every page loaded through my access point. Imagine the possibilities for an open AP that's located in a very public place, like Times Square, or near a busy Starbucks (where access is slow and unreliable).

If you really wanted to take this to the evil next level, you'd just break one (or several) WPA keys on nearby APs and have your rogue injector AP act as both an open AP (to unsuspecting users) and a client (using cracked keys) to other APs, thus avoiding having to actually buy internet access for this spot. You'd essentially just need to find a place to hide and power your evil AP.

1 comments

Is that even remotely lucrative? As I understand, even a $300 GPU is orders of magnitude more powerful than any CPU miner, let alone a JavaScript-based one. And even a single GPU isn't remotely competitive these days compared to the GPU farms and now ASIC setups. So you'd need to inject JS into, I dunno, a million devices to make anything worthwhile.
You could probably use WebCL, Flash or Silverlight to use the user's GPU. A quick Google shows this has been done with WebCL already: http://webcl.nokiaresearch.com/jsoclbm/
There's a neat hardware comparison here: https://en.bitcoin.it/wiki/Mining_hardware_comparison

Seems like ASICs are measured in the thousands to tens or hundreds of thousands of MHashes/sec. Whereas powerful GPUs drawing ~1000 Watts don't even break 1000MH/sec. High-end laptop GPUs seem to be in the 10s of MH/sec, a quad-core Atom shows 2MH/sec, and the Galaxy SII comes in at 1.3.

The vast majority of devices connecting to public APs are not going to be high-power systems. Not to mention the time they'll spend connected is unlikely to be 24/7. Even if it was, mining will probably drain batteries pretty quickly. Plus power-saving is likely to be on for mobile devices and reduce peak perf. And if it's just injecting JS, then backgrounded tabs should get much less CPU time. And WebGL/etc. are unlikely to be running in background tabs.

If you assume a device stays connected and open for 1/4 of a day, and stays for 3 days on average, and gives you 1MH/sec (seems optimistic, all things considered), 1 million devices compromised a month gives you ~$300 a month. If the assumption is that you can persistently own a machine, then you'd need fewer machines. But that's going beyond simple JS injection on HTML pages.

I used this calculator: http://www.alloscomp.com/bitcoin/calculator

One of the winning entries from the Node Knockout competition did this[1]. They didn't give any real numbers (20kH is mentioned in the comments, but it's not clear how many devices it took for that), but it does seem like you would have to have a massive number of devices running it.

[1] http://nodeknockout.com/teams/shoop-team

Stealing is lucrative, not because it's an efficient use of available resources, but because it allows the thief to profit at the expense of others.
It still has to add up to something significant if you want to make real money at it; stealing a few pennies here and there is not that lucrative. A typical recent-gen CPU mining bitcoins full-time is worth about $0.02/month. If you assume your AP is in a busy enough location that you can average 100 people connected, you'll manage to nab $2 of people's CPU time each month. To get anything significant it seems like you'd have to actually compromise the machines long-term, not just inject some JS into pages as they're browsing.