Slashdot Mirror


Employee "Disciplined" For Installing Bitcoin Software On Federal Webservers

Fluffeh writes "Around a year ago, a person working for the ABC in Australia with the highest levels of access to systems got caught with his fingers on the CPU cycles. The staffer had installed Bitcoin mining software on the systems used by the Australian broadcaster. While the story made a bit of a splash at the time, it was finally announced today that the staffer hadn't been sacked, but was merely being disciplined by his manager and having his access to systems restricted. All the stories seem a little vague as to what he actually installed, however — on one side he installed the software on a public facing webserver, and the ABC itself admits, 'As this software was for a short time embedded within pages on the ABC website, visitors to these pages may have been exposed to the Bitcoin software,' and 'the Coalition (current Opposition Parties) was planning on quizzing the ABC further about the issue, including filing a request for the code that would have been downloaded to users' machines,' but on the other side there is no mention of the staffer trying to seed a Bitcoin mining botnet through the site, just that mining software had been installed."


  1. SETI@Home by SJHillman · · Score: 4, Interesting

    Reminds me of the guy who got fired for running SETI@Home on all the PCs where he worked. Of course, he also (allegedly) stole 18 computers and accelerated the depreciation cycle, etc...

    1. Re:SETI@Home by Teancum · · Score: 3, Informative

      Both Seti@Home and the default client for Bitcoin operate at the lowest thread priority possible (at least for a standard high level application that doesn't go into kernel mode). They are designed explicitly with the goal in mind to not get in the way of other programming tasks and should take up the CPU computing time normally performed by some other sort of idle process that most operating systems have when there is nothing else for the CPU to be performing.

      In terms of "people's time is valuable", that is utter bullshit. This software will not steal hours and in both cases the network bandwidth is negligible as well. Network bandwidth might be a lesser issue to worry about, but these are very lightweight protocols.... Seti@Home especially. Browsing one web page per hour is going to suck up far more bandwidth, and don't even get started on any multi-media content like streamed audio or video.

      In terms of CPU bandwidth, this would be CPU cycles that the computer would otherwise be doing absolutely nothing anyway. There is a very slight overhead in terms of having a few extra threads for the CPU to manage that otherwise wouldn't be there (very small overhead but is still there nonetheless) and these processes do take up a small portion of the RAM on the computer as well which could impact performance of some applications that are poorly written or are memory hogs. If you are running Microsoft Windows, the Windows Explorer program itself is such a wasteful hog of resources that any other application like Bitcoin or Seti@Home is marginal noise by comparison, much less if you are running something like MS Office. Linux is a bit more lean but even then a GUI shell of almost any sort also tends to chew up a whole bunch of system resources that put to shame anything these other applications perform... and both software packages can be operated in command-line only mode as well to reduce system impact.

      One other side issue is simply software systems interaction. As much as you hope that modern operating systems keep data and code separated from one application to the next and some strong memory protection to keep programs from clobbering each other or impacting each other in competition for "system resources" of various kinds, sometimes weird interactions happen between various applications that can sometimes produce unexpected results. Simply having this software on a computer might cause a software glitch merely by being there. It certainly introduces more potential bugs to a computer system. On the other hand, these software packages are heavily tested and bugs which would crash your computer with something like the Blue Screen of Death would likely have been found and fixed with popular software packages like Bitcoin and Seti@Home, where my first guess for a BSOD would be something else and putting these applications as nearly the last thing to consider for system troubleshooting. Regardless, I've uninstalled this kind of software on systems I've used when trying to do software development if only to reduce the number of variables that might be causing problems with my software.

      The problem is that many modern computer systems have a reduced power option when they are idle, even if it is for just a fraction of a second. In particular the Bitcoin software tends to do some rather high performance mathematical routines that require parts of the CPU to be powered that otherwise wouldn't be in a low-power mode, or perhaps really push the GPU to be performing calculations that can be very energy intensive. For older computers, this is something that wouldn't even be noticed as the CPU power consumption on older CPUs was rather constant but for the newer computers it can mean a doubling of power, certainly causing more heat to be generated and if they are in an air conditioned server closet that increased power consumption is something that could potentially be rather significant and even noticeable to an outside observer like a comptroller who notices that power consumption has increa

  2. Duh? by Anonymous Coward · · Score: 3, Informative

    I don't know how it is down under, but in the US federal systems are "For Official Use Only" meaning if you use them for personal gain, you're in hot water.

    1. Re:Duh? by PRMan · · Score: 3, Funny

      So take a picture of the car and license plate and post it online. Watch the hilarity ensue. (IANAL.)

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:Duh? by vlm · · Score: 5, Informative

      Government issued cars with "For Official Use Only" would seem to be an exception to that. I've seen a Lexus around here with that stamped on it with a car seat and groceries piled in it. Sure, there could be an official reason for that but the odds are against it.

      I can authoritatively comment on this, that a TDY car for all intents and purposes can be used almost exactly like a privately owned vehicle. TDY is the govt equivalent of a short to medium term business trip (maybe 1 day to I think a max 6 months). Basically it's cheaper for the .gov to act like a car leasing company to itself, than to reimburse .gov employee for a rental car. Which is bizarre, you'd think Enterprise Rentacar would donate re-election funds to politicians to take over that apparently lucrative market, but they haven't done so ... yet. Someday it might happen to eliminate the non-scandal scandal stories.

      The law says something like "administrative discretion" so it's one of those "character" tests where you can do anything your boss allows but don't do anything stupid. This is really the only rule for a govt car. It can be hard for outsiders to wrap their head around this concept of not having 1000 individual specific rules, and only having a general rule of don't do something your boss thinks is dumb. A remarkable amount of .mil paperwork and regulations to death the stupidest little things and also has no paperwork and regulations for some of the most complicated things. Discretion and good taste...

      Get permission from boss to drop kid off at daycare, fine no problemo as long as you have that permission. Drive to an occupy-wall-street protest in a non-official role, or as a protester, um... that might be a problem. Food store/restaurant while on TDY, almost certainly OK, that's the whole point of giving you a TDY car. Dive bar while on TDY, could get you in hot water depending on your boss and local culture and especially your behavior (this can be an additional charge in a conduct unbecoming hearing, or it can just be ignored if the department memorial day party is held at the dive bar). Do anything as a recruiter however tangentially far fetched as long as it directly involves potential recruits, OK. Do almost anything as a recruiter alone in a car without obvious recruit involvement, probably a bad idea.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:Duh? by vlm · · Score: 4, Insightful

      So while someone may not get in trouble for using their FOUO car for groceries on the way home from work

      That's almost the definition of why they give you a TDY car, not abuse of the system at all. Been there driven that. It was not a snazzy Lexus but some POS falling apart compact chevy for me. The scandal is why it's a Lexus, not why it's at the grocery store. Cheaper for the .gov to essentially be its own leasing company than for them to reimburse you for a rental or endless taxi. Also think about it... if you bring donuts to an official meeting at any time during your TDY, that grocery trip was now official business. Sgt merely told me not to do anything I wouldn't want my mom to see on the front page of the paper (nowadays they probably say on facebook or whatever). This was nearly 20 years ago, things may be different now.

      You end up in some pretty twisted logic if you give TDY people a car and pay them a TDY per-diem specifically for food that they can only spend on foot, or something weird like that.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    4. Re:Duh? by PopeRatzo · · Score: 5, Funny

      Government issued cars with "For Official Use Only" would seem to be an exception to that.

      This only happens in government vehicles.

      Nobody ever used a company car for anything but business. In fact, no teenager has ever borrowed the family car to "go to the store for grandma" and then picked up his pals, smoked some weed and then drove out to the Labaugh Forest Preserve parking lot to spin some donuts on the frozen pavement on January 23rd 1983.

      That totally never happened.

      --
      You are welcome on my lawn.
    5. Re:Duh? by vlm · · Score: 4, Informative

      Yeah that happens, and falls in the "do anything your boss allows but don't do anything stupid" superset of rules, although its also covered by the "don't do anything you wouldn't want your mom to see on the front page of the newspaper".

      From personal experience, everyone seems to have heard some story about how a hot female recruiter got all the guys to sign up, but no one has anything more than "I heard" and a lot of wishful thinking / daydreaming.

      I was thinking more along the lines of stories I've heard about recruiters driving kids with F-ed up families around so they can clear up their paperwork, like drive the kid to the DMV to get his ID card or to a Dr for an appointment to get an asthma waiver. I predict the level of this activity depends on how many applicants they get per slot and the state of the local economy, and especially the ratio of "recruits signed up this month" vs "monthly quota".

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  3. Re:JavaScript Miner? by SJHillman · · Score: 4, Insightful

    Depends on how you define malware. Some people would consider malware to be anything that runs on your computer without permission or knowledge. The "mal" part would be where it uses your system resources that could otherwise be allocated to programs you want to run.

  4. No wonder gov't doesn't get it by bersl2 · · Score: 4, Funny

    This guy was going to fill the Federal budget deficit, but no, all the stupid bureaucracy gets in the way.

  5. installation directory by vlm · · Score: 3, Interesting

    All the stories seem a little vague as to what he actually installed, however — on one side he installed the software on a public facing webserver, and the ABC itself admits 'As this software was for a short time embedded within pages on the ABC website, visitors to these pages may have been exposed to the Bitcoin software' and 'the Coalition (current Opposition Parties) was planning on quizzing the ABC further about the issue, including filing a request for the code that would have been downloaded to users' machines,' but on the other side there is no mention of the staffer trying to seed a Bitcoin mining botnet through the site, just that mining software had been installed.

    Sounds like hopeless journalist-speak for "he had access only to /var/www not /usr/local, so ... he put it in /var/www"

    My guess is whatever they use to monitor their systems watches /usr/local and /usr/bin like a hawk but trying to watch /var/www would be chaos depending on what the marketing and graphics art dept uploaded this week or whatever, so they don't watch /var/www.

    This does have a minor chilling effect in that I'm not a complete moron, so before commissioning any new hardware into production at work (or home) for years (decades?) I've run memtest86+ and bonnie++ (I'm old enough that I ran the original memtest86 and the original bonnie back in the day). I've occasionally considered that running a BTC miner would be a good CPU cooling test as a third item, but stories like this do kind of discourage me at work.

    My suspicion is the practical financial matter of $. Back in ye olden days when I started BTC mining a CPU miner could generate quite a few BTC per month and over the past couple years the exchange rate has stabilized at $5/BTC so that is a substantial chunk of change per month. However for all practical purposes a software BTC miner is currently pointless, just warming up the CPU. I haven't checked the difficulty rating but I know it's increased a bit from the mid double digits when I started in BTC. So as a disciplinary matter they probably couldn't decide to bust him for running unauthorized sw (which given his "highest levels of access" might mean he's authorized to authorize BTC sw, making it a bit complicated) or bust him for attempting to use govt property for personal gain but not actually getting any gain, or bust him for actually earning some BTC however unlikely that seems. Doesn't Australia have the same "might is right" style of employment laws we have in the US where they can just fire him for not being a team player or spending too much time in the can?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
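    The monitoring gap described in the comment above (tools that watch /usr/local and /usr/bin closely but leave a churning web root alone), illustrated with an added example that is not code from the story, the ABC or any product named in the thread: a small Python file-integrity baseline that hashes every file under a web root and reports additions, removals and modifications against a saved snapshot. The directory layout, file names and the "unexpected change" scenario in `demo()` are constructed for this example; a real deployment would keep the baseline somewhere the web server's own account cannot write to and run the comparison on a schedule.

```python
"""Added example (not from the page): file-integrity baseline for a web root."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a byte string (used for small test inputs)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root_path = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            full = Path(dirpath) / name
            if not full.is_file():
                continue  # skip sockets, devices and dangling symlinks
            result[str(full.relative_to(root_path))] = hash_file(full)
    return result


def save_baseline(snap: dict, path) -> None:
    """Persist a snapshot as JSON (keep this outside the web root)."""
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then change three things.

    One file is added, one page is edited and one file disappears, which is
    exactly the kind of change a web root monitor should surface.
    """
    with tempfile.TemporaryDirectory() as tmp:
        www = Path(tmp) / "www"
        (www / "js").mkdir(parents=True)
        (www / "index.html").write_text("<html><body>hello</body></html>\n")
        (www / "js" / "site.js").write_text("console.log('site');\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(www), baseline_file)

        (www / "js" / "worker.js").write_text("// constructed: unexpected new file\n")
        (www / "index.html").write_text("<html><body>edited</body></html>\n")
        (www / "js" / "site.js").unlink()

        return diff_snapshots(load_baseline(baseline_file), snapshot(www))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the whole tree is simple and has no false negatives, but on a large or busy web root it is worth pairing with an allow-list of who may deploy (so the deploy pipeline's own changes can be matched against a release manifest) and with mtime or inotify checks to cut the cost of a full rescan.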
  6. stupid by slashmydots · · Score: 4, Insightful

    Before know-nothing morons start commenting on this article, here's some truth from an actual bitcoin miner. Mining software has no public facing interface when run from a website. He also was not trying to send out a virus to mine for him or he'd be arrested and fired. He was simply using the CPU and GPU cycles to mine coins and make money.
    This is exceptionally stupid because if it was CPU mining, well my i5 chip can hit 8 million hashes per second and my single overclocked 5830 Radeon card can hit 315 million, making it almost 40x faster. So assuming it was a faster modern Xeon, let's say 2x the speed, if the company owned 40 servers and he ran it nonstop on all of them at 100% CPU usage (not likely) then he should have instead bought 1 5830 for about $90 on ebay and mined coins himself. What an idiot.
    It is possible that the servers had AMD/ATI cards that he was using without much performance impact on the website(s) but google "bitcoin hardware mining comparison" to see just how awful cards that aren't optimized for gaming do at mining.

    1. Re:stupid by Nursie · · Score: 4, Insightful

      No, it was exceptionally stupid because he doesn't own the equipment or pay the energy bills, regardless of what the bitcoin outcome was.

    2. Re:stupid by cHiphead · · Score: 5, Informative

      Before you smart ass bitcoin miner kids think you know everything, Website Bitcoin Mining. ;)

      Site visitors do the mining; multiply a little slice of power times x million visitors over x amount of days and your localized mining is tiddly winks. This uses the website visitor's machine to mine coins (and this particular example is terribly inefficient itself but the idea is there, someone with the know how could really go the distance for their own mining operation). This can be exceptionally more efficient than running a local mining op on a single machine/small cluster if you have a relatively trafficked website it is running from.

      You are focused on high speed precision mining instead of scaled general mining. A pressure washer vs. a regular water hose, the water moves faster through the pressure washer but put 5,000,000 hoses together and you can push insanely more total water per second than a handful of pressure washers.

      --
      This is my sig. There are many like it, but this one is mine.
  7. Re:JavaScript Miner? by K.+S.+Kyosuke · · Score: 4, Interesting

    There are some antispamming systems that force the client/message sender to perform some useful computation before they, e.g., accept the message to be sent, with the server verifying that the computation actually took place. A spammer would have to perform an outrageous amount of computation to have his messages sent, while an ordinary user wouldn't even notice the background process running while he's typing away. Perhaps with this idea generalized to a broader set of client/server applications, the engineer could have said that he did it to improve the security and fair use policy of the servers (and keep the bitcoins :-)).

    --
    Ezekiel 23:20
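    The antispam idea in the comment above, as an added example that is not code from the page or from any product it mentions: a hashcash-style proof-of-work exchange in Python in which the client burns CPU searching for a counter whose SHA-256 hash has enough leading zero bits, and the server confirms the work with a single hash. The challenge format, the `PowServer` class, the difficulty of 16 bits and the sender address are assumptions made for this example. It also covers the two checks the comment's "verifying that the computation actually took place" implies in practice: the server only accepts challenges it issued (so a client cannot pick an easy one) and refuses a solved challenge that is stale or presented twice.

```python
"""Added example (not from the page): hashcash-style proof of work, both sides."""
import hashlib
import os
import time


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()  # zero bits before the first set bit
        break
    return bits


def pow_hash(challenge: str, counter: int) -> bytes:
    """The value both sides hash: the server's challenge plus the client's counter."""
    return hashlib.sha256(f"{challenge}:{counter}".encode()).digest()


def solve(challenge: str, difficulty_bits: int) -> int:
    """Client side: brute-force a counter until the hash meets the difficulty.

    Expected cost is about 2**difficulty_bits hashes; this is the work that
    makes bulk sending expensive while staying unnoticeable for one message.
    """
    counter = 0
    while leading_zero_bits(pow_hash(challenge, counter)) < difficulty_bits:
        counter += 1
    return counter


class PowServer:
    """Server side: issues challenges, verifies solutions, rejects replays."""

    def __init__(self, difficulty_bits: int = 16, max_age_s: float = 300.0):
        self.difficulty_bits = difficulty_bits
        self.max_age_s = max_age_s
        self.issued = {}   # challenge -> time it was handed out
        self.spent = set()  # challenges already redeemed

    def issue_challenge(self, sender: str, now: float = None) -> str:
        """Bind the challenge to the sender and a random nonce so it is unique."""
        now = time.time() if now is None else now
        challenge = f"{sender}:{int(now)}:{os.urandom(8).hex()}"
        self.issued[challenge] = now
        return challenge

    def verify(self, challenge: str, counter: int, now: float = None) -> bool:
        """One hash plus bookkeeping: cheap for the server, costly for the sender."""
        now = time.time() if now is None else now
        issued_at = self.issued.get(challenge)
        if issued_at is None:
            return False  # never issued here: the client may not choose its own
        if now - issued_at > self.max_age_s:
            return False  # stale: work done long ago cannot be stockpiled
        if challenge in self.spent:
            return False  # replay: the same work cannot pay for two messages
        if leading_zero_bits(pow_hash(challenge, counter)) < self.difficulty_bits:
            return False  # the claimed work was not done
        self.spent.add(challenge)
        return True


def demo() -> tuple:
    """Constructed exchange: one honest submission, then the same token replayed."""
    server = PowServer(difficulty_bits=16)
    challenge = server.issue_challenge("alice@example.com")  # constructed sender
    counter = solve(challenge, server.difficulty_bits)
    first = server.verify(challenge, counter)
    replay = server.verify(challenge, counter)
    return first, replay


if __name__ == "__main__":
    print(demo())  # expect (True, False)
```

The asymmetry is the whole point: at 16 bits the sender performs tens of thousands of hashes per message while the server performs one, and raising `difficulty_bits` by one doubles the sender's cost without changing the server's. The replay and expiry checks matter because without them a single solved challenge could be reused for an unlimited number of messages.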
  8. ABC != Federal by OzPeter · · Score: 4, Informative

    Federal implies "of the Federation", which in the context of Australia implies the government. However while the ABC being the state broadcaster is funded (and owned) by the government it is not a federal organization. The ABC is independent of the government, so saying that the bitcoin software was installed on federal servers is disingenuous to say the least. In fact after reading TFAs I can't see anywhere where it specifies exactly on what servers the software was installed other than some "web servers".
     
    And once again the summary is a joke. You explain what "the coalition" is, but don't explain what the ABC is. I feel sorry for the people who pay for this site.

    --
    I am Slashdot. Are you Slashdot as well?
  9. Not firing someone with skills is bad? by Anonymous Coward · · Score: 3, Interesting

    So the story is that they didn't fire this guy? Perhaps his manager has some common sense and realizes he has some valuable skills, and that firing him would be ultimately bad for the company.

    Of course, common sense has no place in this world any more. Some higher up will probably come along now and fire the both of them to get some momentary glory before they realize they have to spend 5 times as much replacing them and miss some important deadlines because of the time consumed.

    1. Re:Not firing someone with skills is bad? by TheCarp · · Score: 3, Insightful

      Harsh punishment is always popular. People like retribution, whether it makes sense or not.

      Never mind if no harm was caused, never mind if it was just a silly lapse in judgement. Fire people, prosecute them, send them to jail....why? Because you can?

      --
      "I opened my eyes, and everything went dark again"
  10. Re:JavaScript Miner? by ArsenneLupin · · Score: 4, Insightful

    Busy computers consume more electricity. And electricity costs real money. Now sum this up over all the customers who unknowingly lost a couple of cents like this, and suddenly we are talking real money. One of the rare cases where the "theft" label is appropriate for a digital crime.

  11. Only fair by PopeRatzo · · Score: 4, Funny

    Employee "Disciplined" For Installing Bitcoin Software On Federal Webservers

    They made him live on bitcoins for a week.

    --
    You are welcome on my lawn.
  12. Re:JavaScript Miner? by quenda · · Score: 4, Funny

    Many times I have court myself typing the wrong homonym. Like won part of my brain is dictating phonetically to the dumb typist lobe.
    Nobody else does this? The odd thing is it is very obvious on proofreading, unlike a lot of other typo's that are easily mist.