The Pirate Bay recently made the news by mining the cryptocurrency Monero in users' browsers without their knowledge or consent. They did this in an effort to reduce their reliance on advertising, whose utility as a revenue-generator is increasingly being undermined by ad-blocking software.

Around the same time, CBS Showtime was maliciously compromised to likewise mine cryptocurrency in users' browsers, stoking fears that “cryptojacking” attacks will become commonplace in the future. Moreover, a new company called Coinhive began offering in-browser mining as a service, possibly furthering the likelihood of “legitimate” in-browser mining becoming mainstream.

In this article, I will discuss the pros and cons of these mining trends, and propose what I consider to be a superior alternative to this style of ad-hoc, in-browser mining.

I’ll conclude my cryptominer series with a “bonus” installment.

The Gainesville Hackerspace graciously invited me to talk about this build. Thanks to Christopher Hoffman of Hoffman Engineering for filming, editing, and uploading the video:

This is Part 4 in a series on building a cryptocurrency mining rig.

Previously, I designed and built the miner chassis, corrected motherboard BIOS settings, and optimized my mining strategy. Now, in Part 4, I’ll discuss how I attempted to:

1. Overclock GPUs to increase the mining hashrate
2. Decrease power consumption
3. Increase overall hardware utilization

Before discussing optimizations, let’s review the baseline benchmarks.

This is Part 3 in a series on building a cryptocurrency mining rig.

I physically constructed a mining rig in Part 1, and made motherboard BIOS adjustments in Part 2. Now, in Part 3, I’ll discuss how I financially optimized my mining strategy.

This is Part 2 in a series on building a cryptocurrency mining rig.

In Part 1, I designed and built a custom miner chassis. In Part 2, I’ll discuss how I resolved some BIOS-related issues that I encountered.

When Ethereum exploded in popularity (and value) in Summer of 2017, I decided to educate myself about cryptocurrencies and blockchain technology. As part of that process, I built an Ethereum (Classic) mining rig.

Here I’ll discuss how I designed and built my miner, focusing primarily on the construction of the chassis using OpenBeam, Fusion 360, and a Shapeoko 3. (Later, I’ll discuss BIOS configuration in Part 2, mining strategy optimization in Part 3, and compute performance optimization in Part 4.)

Shortly after assembling my new Shapeoko 3, I realized that the milling process was quite loud, and would likely disturb my neighbors. (I live in a small apartment.) Wanting to avoid that, I decided to build a “soundproof” enclosure for the Shapeoko.

Here I’ll document my design for the enclosure, as well as some of the thought that went into it. I hope this effort benefits others who are looking to build something similar.

I recently purchased a Shapeoko 3, and am currently exploring options for my CNC workflow. Being averse to closed-source software like Carbide Create, today I spent some time configuring Universal G-code Sender as an alternative.

For reasons mostly related to Java dependencies, I decided to run Universal G-code Sender on a VirtualBox-based virtual-machine. Configuring the VM turned out to be non-trivial, so I’m documenting the process here. What follows are (a streamlined version of) the steps I took.

The following article was published in 2600 magazine (Volume 30, Number 2) in Summer of 2013. It is republished here with permission.

Having recently completed my first PhoneGap application, I wanted to take a moment to summarize my experience. What follows are my opinions regarding “The Good”, “The Bad”, and “The Ugly” of the PhoneGap framework.

While recently finishing up my first PhoneGap application (which was tailored strictly for the Android platform), I encountered a problem that wasted some of my time. I’m documenting the problem and solution below for the sake of others who may run into the same issue.

I’m currently developing an Android application via PhoneGap. It took me two entire workdays to learn how to prevent this application’s screen from dimming or sleeping (after 5 minutes of inactivity), so I want to document what I learned here for the sake of others who need to solve the same problem.

This week a client forwarded me a spam email he received that I thought was interesting. It is reproduced below, with sensitive information and spam links redacted out:

I spend a lot of time in front of a computer, and thus, a lot of time at a desk. Because I generally don’t like sitting still, and because I recently learned that sitting all day can kill you, I decided to try to build a standing desk. I’m documenting here a design that I came up with that is inexpensive, easy to build, and has proven to be very practical.

I stumbled onto this comment in a client’s Wordpress database, and thought it was interesting. It looks like a spam bot malfunctioned and output all of (or at least, a large portion of) its comments. They are reproduced below:

I recently reformatted my system for the first time since I originally installed Ubuntu 11.04 on it, and I want to document some of the “gotchas” I encountered. I unnecessarily lost a few hours to trial-and-error, and I hope to spare you the same frustration.

For this rebuild, I personally installed Lubuntu (with an “L”) 12.04, because I hate Unity, and because gnome-panel shares too many of Unity’s constraints (like only supporting four workspaces) to be useful. With that said, I’d imagine that the following advice applies to some of the other *buntus as well.

This was the process I used to install Lubuntu 12.04 on a clean system:

I gave this brief talk about deploying a high-traffic Wordpress site on EC2 in Fall 2011 at the Gainesville Hackerspace. The content discussed here can be considered a follow-up to my post on solving a file-synchronization issue when deploying Wordpress across multiple servers on EC2.

I’ve been working on a tool that I call “Watchtower” for the last several weeks. Watchtower is a platform- and language-agnostic Static Code Analysis tool that can be used for code audits and incident-response.

I recently published a new plugin to the Wordpress.org Plugins Directory. I call it Foresight. It is available for download here:

http://wordpress.org/extend/plugins/foresight/

Foresight is a simple plugin that serves a simple purpose: it helps blog administrators to stay current on known exploits for Wordpress and for Wordpress plugins.

I enjoy using PHP for writing command-line applications. PHP’s power and flexibility make it ideal, in my opinion, for writing both full-featured applications, as well as for use as a “glue language” for automating various system-administrative tasks. There’s one area where PHP has traditionally fallen short in my mind, however - it lacks a good command-line option parser.

Recently I decided to purchase a headset to allow me to be heard more clearly when using Skype. Given that I’m also a casual gamer (PS3, primarily), I figured a headset that would also be compatible with the Playstation 3 would be ideal.

After looking around (at length) at the options, I decided to go with Sony’s Wireless Stereo Headset, which is produced specifically for the PS3. I wasn’t sure if it was going to be Linux-compatible or not, but now, after having used it for a while, I can say with confidence that it is.

While I’m no longer as much of a purist as I used to be, whenever I’m tasked with writing HTML, I usually go to great lengths to make sure that it is valid. For academic reasons beyond the scope of this artcle, my preferred DOCTYPE is still HTML 4.01 Transitional, and I almost always code - and validate my code - to that standard.

Having been doing a lot of Wordpress work recently, however, I’ve discovered an annoying Wordpress quirk that can make it difficult to produce valid HTML 4.01 Transitional code: the wp_head() method outputs markup formatted for XHTML, and thus, its output will register as invalid when validated against the HTML 4.01 Transitional DOCTYPE.

Affiliate marketers will from time to time have to process what’s called an “MD5 suppression list”. In brief, an MD5 suppression list is a list of email addresses which a marketer must remove from her mailing lists, in order to comply with the CAN SPAM Act of 2003, and respect the rights of individuals to opt-out of email marketing campaigns.

An MD5 suppression list is simply a file containing a long list of MD5 hashes of unsubscribers' email addresses, the hashing being a security measure designed to prevent unscrupulous marketers from using suppression lists themselves as sources for obtaining more email addresses to use in email marketing campaigns.

To use a suppression list, an email marketer must compare each hash in the suppression list against an MD5 hash of each contact in her mailing lists. A matched pair of MD5 hashes indicates that an email address has been found in the suppression list, and thus must be removed from the marketer’s email lists. (The mechanic here, obviously, is similar to how user passwords are hashed before being stored in a database.)

Recently, at work, I had to process a 2 gigabyte suppression list (of about 62 million rows) from Groupon. To my surprise, I didn’t find any readily available tools to do this, and thus, rolled my own.

Recently, some of my company’s WordPress sites have become so popular that I chose to migrate them onto a multiple-webserver deployment system in order to keep up with the traffic.  I encountered some interesting challenges while setting this up, so I figured I’d document them here.

While designing a new deployment system for my company with Amazon’s AWS, I stumbled onto a problem that cost me some time - I could not get my EC2 instances to connect to our Amazon RDS database servers. I figured I’d document the solution here for the sake of those to follow.

I had created two webservers, and a MultiAZ instance of an RDS server with which they were to transact. I could connect to each webserver and the RDS server directly, but I could not get the webservers to connect to the RDS. The issue ultimately ended up being related to my security groups configuration.

Earlier this week, my trusty Toshiba Satellite died after five years of faithful service. I decided to go with the new Samsung Series 9 Laptop as its successor, with the intention of configuring the system to dual-boot into Ubuntu and Windows 7. I encountered a few brutal gotchas during the installation process, so I figured I’d document them here. (To the best of my Googling, there’s not a lot of information out there on the net as of today.)

What follows is what I believe to be the shortest path to a clean installation. It is not the path that I took. Therefore, if you find that anything does not work as described, please let me know.

I like Wordpress a lot. It’s one of my favorite open-source projects, and I use it often for both my professional and personal projects. It’s been my go-to web development framework for a number of years now.

There’s one thing I don’t like about Wordpress, though: the domain to which a Wordpress site is deployed is saved as a setting in its database. I don’t think that was a good design decision, because it makes it painful to move a Wordpress site from one domain to another. This shortcoming is especially evident if you’re trying to develop a Wordpress site on one domain, but would like to deploy to another. (For example, I always set up my local sandbox such that the WIP lives at example.dev, while deployments are pushed to example.com). I really wish Wordpress had been designed to path against its own document root, much like MediaWiki (another great piece of web software).

A while ago, though, I came up with a little hack to make Wordpress do exactly that.

If you who haven’t heard of it, Tin Eye is an image search engine with a unique twist. While most image search engines (like Google Image search) allow you to search for images based off of textual search criteria, TinEye allows you to search for images that are similar to other images.  The service works by allowing a user to upload an image file to TinEye.  Images that are “similar to” the uploaded image are returned in the search results.  (The ways in which the images are “similar”, of course, is up to the TinEye algorithm, but in my opinion/experience, its groupings make sense to me as a human.)

TinEye is thus a great resource for finding images in a series, or for finding different variations upon a specific image.  Looking for a higher quality version of a low-res pic?  Try TinEye. Curious where your favorite wallpaper came from originally?  Try TinEye.  Looking for the same without Longcat ‘shopped into it?  TinEye.

I believe, however, that this unique functionality has some interesting security implications.  I propose that, as TinEye is given more and more time to index the web, it may open up new attack vectors on personal privacy.

TinyURL is a service that transforms long, inconvenient URLs (like http://www.the-medium-and-the-messenger.com) into short, convenient ones (like http://tinyurl.com/yb6p4oz). Services like TinyURL are frequently used when posting links into Twitter, where character space is at a premium.

Like so many other web technologies, though, TinyURL can be abused for nefarious purposes. Specifically, it can be used for disguising payloads used in Cross-Site Scripting (XSS) attacks.