Slashdot Mirror


Bitcoin Miners Bundled With PUPs In Legitimate Applications Backed By EULA

hypnosec writes "Bitcoin miners are being integrated with third-party potentially unwanted programs (PUPs) that come bundled with legitimate applications. These miners surreptitiously carry out Bitcoin mining operations on the user's system, consuming valuable CPU time without explicitly asking for the user's consent. Malwarebytes, the company which found evidence of these miners, first came across such an instance of a Bitcoin miner when one of the users of its software requested assistance on November 22 through a forum post. The user revealed that 'jh1d.exe' was taking up over 50 percent of the CPU resource and even after manual deletion the executable was re-appearing. Malwarebytes dug deeper into this and found traces of a miner 'jhProtominer,' a popular mining software that runs via the command line. However, it seems that the company behind the application has a specific clause 3 in its EULA that talks about mathematical calculations similar to a Bitcoin mining operation. This means that the company behind the software can and will install Bitcoin miners and use system resources to perform operations as required to mine Bitcoins and keep the rewards for themselves."

5 of 194 comments

  1. Re:The really strange thing about this: by NoNonAlphaCharsHere · · Score: 5, Informative

    That's the whole point: there's no investment at all if it's running on somebody else's machine.

  2. Re:Free Software by khellendros1984 · · Score: 4, Informative

    How soon before websites try using the CPU of visitors to mine bitcoin? Would that be possible?

    It's been done. Link goes to a Javascript-based bitcoin miner that you can embed in a webpage.

    --
    It is pitch black. You are likely to be eaten by a grue.
  3. Re:Incorrect by dkf · · Score: 3, Informative

    The trouble is; they're able to hide behind the EULA, and if they are aggressive --- they can sue and win against anyone calling their software malware, since the behavior is "disclosed" as expected operation of the software.

    They might be able to claim that, but it doesn't mean that courts would necessarily agree. Consumers typically have greater legal protections than companies precisely because they are usually so much less skilled in contract law. This applies in many areas of commerce; for someone to say that computer software should be exempt from this principle is entirely unrealistic.

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
  4. Re:Free Software by Anonymous Coward · · Score: 2, Informative

    I'd imagine that the fact that even GPU mining is a fairly dubious proposition at this point (I can't remember if the increases in price lately allow it to still be viable if the hardware costs are already sunk but you need to pay the electric bill; but the FPGAs and ASICs aren't getting any slower or less numerous), even donated or stolen CPU time would be close to worthless, even if doing it in Javascript doesn't impose much overhead...

    The cost of production is irrelevant if you can dump it off onto a hacked/infected/duped user as a negative externality. It's like when a meth head smashes your car window, to steal your $400 phone, which he sells for $20:

    Cost to you, $400 phone, $250 window, time & stress from the window repair and loss of communications: $650+
    Income to meth head: $20.
    That's a net -$630 loss to the pair of you, but you bear all the cost and he all the "profit".

    This is also why methadone clinics should be funded by clear thinking conservatives, as well as after school programs and "crap" like arts, music and sports.

  5. CPU: Choose the right coin (not Bitcoin) by DrYak · · Score: 4, Informative

    I'd imagine that the fact that even GPU mining is a fairly dubious proposition at this point (I can't remember if the increases in price lately allow it to still be viable if the hardware costs are already sunk but you need to pay the electric bill; but the FPGAs and ASICs aren't getting any slower or less numerous)

    Indeed, for *Bitcoin*, anything under a high-end ASIC (dozens or more GH/s) is worthless and a huge waste of electricity and heat.

    even donated or stolen CPU time would be close to worthless, even if doing it in Javascript doesn't impose much overhead...

    The trick is choosing the correct crypto coin: there's a whole zoo of them.
    Some rely on SHA256^2 hashing like bitcoin, others rely on hashing algorithms for which only CPU implementations exist (Primecoin is a nice example, and also doubles by doing actually useful computations instead of just plain brute-forcing hashes).

    In fact TFA article is wrong, this isn't a Bitcoin miner. This is a miner for Protoshare, which is currently mostly mined on CPUs.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]