Bitcoin Forum

Stealth mining on others' PCs can be completely voluntary and non-criminal. Assume software scans for GPU. No GPU? Not eligible (or maybe eligible, depending on coin sought to be mined). Not particularly useful to SHA256 anymore, but still relevant to ASIC-resistant Scrypt and other, more exotic algorithms which don't have ASICs built for them.

Create, say, a $25 minimum payout requirement among some other trickery and these disincentives to claiming rewards can bring real cost vs advertised cost down dramatically.



"There are many tales in literature over millennia about people selling their soul to a malevolent deity for the right price. But at least it’s usually a good price. Recent research has discovered that we are willing to compromise our computer for no more than one cent in income.

The researchers from the Carnegie Mellon University CyLab who carried out this work, tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.

Even though a participant's machine would give them a pop up warning when they started the download to tell them that this application wanted higher level access to essential security services, 22% of them went ahead and downloaded. And when participants were offered $1 per hour, that figure rose to 43%.

...

The fact is, this application could easily have contained malware. Participants knew little about what they were installing other than it would pay them for their processing power but they didn't seem to mind.

...

Crooks will be pleased to learn from this study that it is apparently very easy to trick ordinary computer users into hosting your malware.

..."

Full article @ https://www.techdirt.com/articles/20140624/16091327675/would-you-compromise-your-computer-one-cent-hour-new-study-says-many-are-happy-to-do-exactly-that.shtml

After thinking on this for a day, this part is actually what scares me about putting bitcoin mainstream.

Knowing the technological stupidity of most of the populace, this would instantly become the #1 malware method if distribution.  "Earn $1 in Bitcoin per hour, regardless of hardware!"

It actually kinda surprised me the rate of people who allowed for it to run for just $1/hour, even if it is $24. Nearly half of those people didn't have any red flags going up?

It's a shame to see what happened and how easily people just fell right into the pit, and they had no idea what it could have been doing.

Well, thanks for sharing this study. A real eye-opener from what I originally imagined.

People who just click yes on everything will also be signed up to the MS defender virus checker, so the malware could be back out the door in a week is my guess.

If they survey had tested how many would install the malware if it was described as malware, I think you'd still have a high percent.  So long as its not harming themselves especially, most people dont do much with their computer except load music or youtube

Most antivirus software now removes cgminer or similar

Run it on my spare laptop and put it in a closet. Doesn't matter what it does that way.

I've seen oh so many people trying to create scams like this, and still people fall for it
"mom, why isn't the computer working anymore"

That's the advantage of ASICs, despite the fact that many people despise ASICs for various reasons the fact remains that a single ASIC can easily outperform several million computers.

Even if someone were to somehow trick pretty much every computer owner into running his malware, he would not even come remotely close to 50% of the hashing power.

Of course he could do other things like installing malware that affects their wallet, so they may think they are sending coins to overstock.com but in reality they are sending them to someone else. Or maybe they will add transaction fees (you'd be amazed how many people would not notice extra fees, even if you can look them up in the blockchain).

But that would not really hurt the people who store their bitcoins safely anyway.

If something is for "academic" use people are generally more trusting then they otherwise should be. The same goes for noble causes like the SETI project that lets people use their computer to look for possible signals from outer space.

I think that the acceptance rate would be much lower if participants were told that the application was for "for-profit research" without a specific cause.

What makes you think a criminal won't do the same thing? I can say I'm doing an academic study when I ask people to send me 5 BTC. I can bloody say I'm from NASA doing something. But am I? Nope.

This what what people don't seem to get. Why in the world can a few words change everything. If it asks for something high-security, screw it! I won't touch that.

I can dress up as a cop and tell people "I'm a cop" and be a criminal. Could you tell the difference between a guy in a seemingly authentic polic uniform with all the gear I bought down at the surplus store, and me being a hardened criminal posing as a polic officer?

I'm going to leave it at that.

EDIT: I'm not a criminal. I don't maliciously break laws, and I live a "normal" life. The scenario is an theoretical example.

Most people who have to pay the electric bill won't be doing this for $0.01 an hour I would assume. $1 an hour yeah maybe. I would probably set up an old computer for $1 an hour. I know that it can't possibly be profitable for someone to mine more than $1 an hour off of an old computer so it's not a scenario that is likely to come up.

I am not saying that anything would stop a criminal from simply saying that they are doing the study for academic use. I am saying that the promise (real or not) of academic use is enough to convince a lot of people. I am not saying this is a good idea or not, but just explaining human behavior.

Yeah, I think a lot of people will take much more liberty with what they are willing to commit when they hear that their actions will be used for an academic study. It's really a different type of motivation at that point.

If they were to have their computer running regardless then in their mind it would not change their electric bill.

Most people do not understand that a computer will use up more electricity when it's processor is running at a higher percentage of it's capacity

in internet marketign there is somethign called PPI. affiliates get paid for making people insall stuff - usualy theres hidden viruses etc. this is done trought scareware [omg you have w virus, install this freeware to get rid of it!] or just there is bundled extra programs with stuff.

Should it be called malware if you have already given consent for it to run on your computer?

That's why i never install any toolbar or addons which aren't open-source

I would be interested to know how much evidence was used to show the users that it actually was for academic purposes. For example an ".edu" address would have given them legitimacy verses a ".com" or ".it" domain

https://www.andrew.cmu.edu/user/nicolasc/publications/CEVG-FC11.pdf

Relevant stuff @ bottom of p3. They posted it as a "task" through Mechanical Turk. Participants clicked through a form saying they consent to a research study but intentionally made it otherwise look like a "normal" non-academic program (second paragraph, p5).

i have another machine ready for virus, no data there clean like a baby ass lol, you can't stole nothing and secure erase is always ready for it

Maybe this is just the case of people being too trusting of what they are told on the internet.

Even though the research project was not anywhere on the CMU website, I would find it unlikely that participants would do that much research when the potential reward is only $0.24

How do you think people would have reacted if the disclosure forms were not presented to users prior to them starting the countdown timer?

I'm surprised at the number of people who allowed it to run for 1 cent an hour. 1 dollar an hour, I could understand. Since that would be getting you $24 a day or $168 a week; i.e. probably enough to pay the rent and then some.

There are a lot of people on there that are willing to do actual work on there for only a few cents per several minutes.

That's kind of neat
Honestly if I was going to be a douche about it I would install the program on my computer, consider that it is safe to assume it has potential viral properties and then put it in the sandbox and use it like a normal user and move out of the sandbox if there is important work to be done.
http://en.wikipedia.org/wiki/VirtualBox
http://lifehacker.com/5714966/five-best-virtual-machine-applications

That said your right the network effect is scary for users without the technical skill to build loopholes around it and I think it would be a bad idea to see that type of system in mass usage.

Let it think it's getting important data but it's just watching me looking at videos and news :)

 Whenever you download an application from any source, trusted or otherwise, you should complete a simple mental checklist.

Did I scan for malware just before I clicked to install the application? Is my operating system warning me about the security risks with this application? Did I scan my system for malware after I installed the application? And finally, do I have up to date anti-malware software?

OR perhaps put it on a virtual box and have 10 or 20 of them hehe.

That said it is worth noting that some games give in game credits to users for installing apps already and sometimes those apps are semi-malware
Mytoolbar anyone.

But the software being used could potentially damage what would be at least a $500 piece of equipment. This would mean that after just one hour (or less) that the damage would be done.

Also if you read the article you can see that participants can only participate one time so they would only work for one hour and then stop.

I used to know a couple of people who would fall for those fake "Download" buttons that try to install junk on your PC. So it would be interesting to know more about how tech-savvy the participants of this study were. The fact that the task was posted through Mechanical Turk suggests that they weren't exactly computer newbies however.

EDIT: Wikipedia has this to say about the demographics of MTurk:



I guess MTurk is similar to faucets then. Faucets only pay cents per hour but they seem to be very popular.

I still know people who fall for this. Some of these peoe are IT SPECIALISTS. And when I'm with them, they ask me "Why didn't it work?" And I have to go on a five-minute explanation explaining why one download button isn't the one they need, since they cannot understand "It's an ad. The real button is over here."

I seem to know the least tech-savvy people. A few don't even know what RAM is. It really does disappoint me.

But I am curious to know what the average tech say vines was. That could have a big impact on why everything played out the way it did.

I would agree. I have even seen a knockoff of mturk that will pay you in bitcoin (it may somehow be connected as the jobs available were very similar).

There is no button you can push, to stop people from being greedy. Some of the richest people in the world, are so greedy, they would not even tip a waitress.

And the fast majority of the population, live in poverty or they are under huge debt.

These are some of the reasons, why people do what they do.

Just yesterday, I heard that the item being stolen most in the world is, wait for it... " Cheese "   

Sigh I know the same, people will fall for that fake download button a lot more than I admit
Of course it comes loaded with a viral file or something of the sort instead of a legit download lol.

Hmm IT Specialist = Technical Support guy lol unless they are like the A rank rep they don't know much
Which is why I ask for the promotion rank right off if its a challenging task.

If you are referring to the fake download ads on cnet for example then you really simply need to know what you are looking for and you need to look closely at the entire page prior to clicking anything. I would say it is less of knowing what you are doing and more about attention to detail.

Well the ones I was thinking of in particular is if your using a filesharing website like rapidgator or the old megaupload and you had those download buttons on the top and the bottom parts with the real download button in the middle lol.
But yah Cnet is a good example of that as well

Something like this but I've seen more harder ones where they make the true download button tiny and the fakes huge lol.
http://www.pcworld.com/article/207601/7_things_we_still_hate_about_the_web.html
http://images.pcworld.com/news/graphics/207601-megaul1606_original.jpg

Anyways people with IT knowledge if they are doing a lot of downloads know to use Jdownloader but this is about non-technical users, and general users who don't know Jdownloader exists etc.

Just from looking at the screenshot I would say the "correct" download button is on the upper right and the play/download buttons in the middle are ads. I would think that hovering your mouse over the link should show links that are apparently ads as well (unless Java is used to change what is displayed)

Correct but there are worse ones out there
I just couldn't find a good screenshot for one :)
Here is a moderately harder one although I recall that a few sites don't do show underlying url links
http://marcdurdin.com/wp-content/uploads/blogger/-bUQrbsWcoKk/UDGLc-icAGI/AAAAAAAABSw/WttSIA99WmQ/s1600/Download-Fake-7-Brothersoft-IrfanView.PNG

Personally I've never and will never download anything from Brothersoft. Even though it's a fairly large and supposedly legit site. The amount of misleading advertising they use makes me distrust them immediately. If they're willing to do all that, who's to say that they wouldn't throw malware/spyware/adware in one of those files?

I'm with you on that one, I personally don't use Brothersoft myself and look for alternatives
It's one of those places of last resort if you need to get a document
That said some of the download file sharing sites have files that are only uploaded in one location at times and those are the ones where you run into the wall of download screens lol...

Well if its not in the Jdownloader loading script (Again not including those who know how to use Java XD)
But the normal users :)

This one is much more difficult to say for sure which is the correct link/image to click on. It is almost as if they are cheating their advertisers to generate additional impressions for their ads.

I know I've heard of folks downloading malware on purpose in a sandbox (say a virtual install of Windows XP running on a linux box) just to claim the rewards in some of these shady situations.  Then, after claiming whatever reward, they simply destroy the XP install and repeat.

As Bitcoin morphs into a digital passport we soon arrive to the point of people wearing 'i'm an idiot' signs out in public.

- "Get away from me with your bad address!"

I don't think this would be the case in this situation as the reward for participating was very small. It would likely not be worth the effort.

Hard to say when people mine faucets' dust rewards, and whether or not using MTurk at all is worth the effort is completely debatable. MTurk typically pays ~half federal minimum wage [citation needed] while most states go above that, and that certainly doesn't stop a good many US users from participating. Maybe they're mostly kids using parents' accounts, but again, hard to say.

I really do doubt most people would be running these in VM, though obviously a few, at least, are going to. This forum is relatively tech-savvy, and plenty of people are willing to run new altcoin executables just by reading the short OP. Later, a thread pops up, "some hacker stole all my monies!!" "Well, what've you installed lately?" "All I did was download the Cosbycoin client from some new guy on the forum!" Duhhhhhhhhhhhhhhhhh... and then it's the forum's fault for not moderating, Bitcoin's fault for not being secure enough, or the Cosbycoin dev team's fault for not ensuring no fakes are posted. ... Err, but I digress.