I wonder if there is second category of attack which is less direct. When you browse a website the client side javascript dedicates a large portion of your computational cycles to tasks such as breaking passwords? The implementation would be not dissimilar to the javascript bitcoing miner.
Can anyone guess as to how this works? Does the client send javascript directly to the remote browser? I would imagine that the remote browser goes out and fetches it instead. Or might this rely on hosting custom javascript for each of your map-reduce jobs that you want to run?