Odd pattern in BitcoinMonitor

[ironwolf]

I looked at BitcoinMonitor.com this evening and noticed this strange descending line of transactions. Each transaction has a fixed 0.05 BTC amount and the remainder in "change". Any ideas about what's up with this?

[1715416360]

1715416360

[1715416360]

1715416360

[1715416360]

1715416360

[caveden]

The faucet?

[caveden]

By the way, either the faucet is getting very popular, or some scumbag found a way to cheat and get all its money. Too many transactions...

[Raulo]

By the way, either the faucet is getting very popular, or some scumbag found a way to cheat and get all its money. Too many transactions...

It's probably the latter because just a day ago there were significantly fewer transactions from the faucet and much less regular.

[ironwolf]

The pattern went down to zero and seems to have restarted again at around 17.5 BTC.

[caveden]

I've PMed Gavin about it.

[ribuck]

Also notice how there's a small gap in the Faucet withdrawals whenever a block is generated. This probably tells us something about network propagation speed or somesuch.

[mahadri]

Also notice how there's a small gap in the Faucet withdrawals whenever a block is generated. This probably tells us something about network propagation speed or somesuch.

No. After a new block, the faucet pays out from its ~45 BTC transaction, then pays out from a smaller transaction until the next block. The gap will disappear when the faucet funds drop below 45 BTC, when there's only one transaction available to pay out from.

[Gavin Andresen]

I've turned off the faucet; somebody is definitely stealing from it.  There were 500 sends queued when I woke up this morning.

They are using a different IP address, different google account, and are even changing the browser ID string on every request-- here are three entries from the request log, for example:

Code:

121.1.54.214 - zqdckyxnhmjj [14/Apr/2011:05:20:19 -0700] "POST /getsome HTTP/1.1" 200 1206 "http://freebitcoins.appspot.com/getsome" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6,gzip(gfe)" "freebitcoins.appspot.com"
213.0.109.214 - clkjqwbhwefj [14/Apr/2011:05:20:15 -0700] "POST /getsome HTTP/1.1" 200 1206 "http://freebitcoins.appspot.com/getsome" "Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.2.3) Gecko/20100403 Fedora/3.6.3-4.fc13 Firefox/3.6.3,gzip(gfe)" "freebitcoins.appspot.com"
193.110.115.0 - rdcxalrgxyrvb [14/Apr/2011:05:17:40 -0700] "POST /getsome HTTP/1.1" 200 1206 "http://freebitcoins.appspot.com/getsome" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100726 CentOS/3.6-3.el5.centos Firefox/3.6.7,gzip(gfe)" "freebitcoins.appspot.com"

"zqdckyxnhmjj" and "clkjqwbhwefj" are the google account logins, which are obviously bogus.  Well, obvious to humans, anyway...

[Anonymous]

I've turned off the faucet; somebody is definitely stealing from it.  There were 500 sends queued when I woke up this morning.

They are using a different IP address, different google account, and are even changing the browser ID string on every request-- here are three entries from the request log, for example:

Code:

121.1.54.214 - zqdckyxnhmjj [14/Apr/2011:05:20:19 -0700] "POST /getsome HTTP/1.1" 200 1206 "http://freebitcoins.appspot.com/getsome" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6,gzip(gfe)" "freebitcoins.appspot.com"
213.0.109.214 - clkjqwbhwefj [14/Apr/2011:05:20:15 -0700] "POST /getsome HTTP/1.1" 200 1206 "http://freebitcoins.appspot.com/getsome" "Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.2.3) Gecko/20100403 Fedora/3.6.3-4.fc13 Firefox/3.6.3,gzip(gfe)" "freebitcoins.appspot.com"
193.110.115.0 - rdcxalrgxyrvb [14/Apr/2011:05:17:40 -0700] "POST /getsome HTTP/1.1" 200 1206 "http://freebitcoins.appspot.com/getsome" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100726 CentOS/3.6-3.el5.centos Firefox/3.6.7,gzip(gfe)" "freebitcoins.appspot.com"

"zqdckyxnhmjj" and "clkjqwbhwefj" are the google account logins, which are obviously bogus.  Well, obvious to humans, anyway...

Someone hired a captcha farm  ?

[jav]

They are using a different IP address, different google account, and are even changing the browser ID string on every request-- here are three entries from the request log, for example:

What is wrong with some people? Seriously... someone with the technical skills to automate this can't think of something more worthwhile to do than to steal pennies?

It's really unfortunate, because the Faucet is probably the most important promotional tool that Bitcoin has. So what's next? manual approval of every Faucet transaction? maybe a group of trusted forum members could do this, so that there is always someone online? would be pretty tedious though, I guess.

[HostFat]

What is wrong with some people? Seriously... someone with the technical skills to automate this can't think of something more worthwhile to do than to steal pennies?

Destroying is easier than creating

[Anonymous]

They are using a different IP address, different google account, and are even changing the browser ID string on every request-- here are three entries from the request log, for example:

What is wrong with some people? Seriously... someone with the technical skills to automate this can't think of something more worthwhile to do than to steal pennies?

It's really unfortunate, because the Faucet is probably the most important promotional tool that Bitcoin has. So what's next? manual approval of every Faucet transaction? maybe a group of trusted forum members could do this, so that there is always someone online? would be pretty tedious though, I guess.

Pay someone .01 of the .05  to sit there clicking "confirm"

[caveden]

What is wrong with some people? Seriously... someone with the technical skills to automate this can't think of something more worthwhile to do than to steal pennies?

+1

[jpent]

Is this pattern definitely due to the faucet then? I was thinking it could also be caused by mining pools sending out rewards.

[Gavin Andresen]

That pattern is definitely the faucet.  The big mining pools are already using the new 'sendmany' functionality to pay lots of people with one transaction.

I'm thinking of doing something similar for the Faucet.  Perhaps:

+ Bundle up requests for payments, so instead of sending out payment right away you have to wait a bit (15 minutes or an hour or... something somewhat random and non-predictable).

+ Dropping the Faucet reward AGAIN so there is less incentive to cheat.  I'll need to use sendmany so the faucet isn't paying as much in fees as it is in bitcoins it gives out.

And maybe:

+ Publicly display the queue of waiting requests.  This would be the tricky part-- I don't want to just dump email address and IP address, but I do want to dump enough information so people looking at the information can tell the difference between a cheater and legitimate users.

+ A way of flagging requests as "looks like cheating to me".  This is also hard-- griefers might decide it would be fun to flag lots of legitimate requests.

[Mr.512]

They are using a different IP address, different google account, and are even changing the browser ID string on every request-- here are three entries from the request log, for example:

What is wrong with some people? Seriously... someone with the technical skills to automate this can't think of something more worthwhile to do than to steal pennies?

It's really unfortunate, because the Faucet is probably the most important promotional tool that Bitcoin has. So what's next? manual approval of every Faucet transaction? maybe a group of trusted forum members could do this, so that there is always someone online? would be pretty tedious though, I guess.

Pay someone .01 of the .05  to sit there clicking "confirm"

That is probably by far the most intellectual idea. It's a smart idea to have someone online at all times, I'm sure there's someone Gavin can trust.

[BitterTea]

+ Dropping the Faucet reward AGAIN so there is less incentive to cheat.  I'll need to use sendmany so the faucet isn't paying as much in fees as it is in bitcoins it gives out.

I think I suggested this to you when I first found Bitcoin, but why not make the faucet's payout a direct function of the available balance? Like... payout = balance / 2000. This would mean diminishing returns for an attacker.

Oooh, what about integrating faucet authentication with Gribble? There's almost always somebody on IRC.

[randomguy7]

I don't think making the payout smaller is going to stop people cheating. Can't we add a switch to the gui to switch to testnet and run the faucet with testnet coins?

[BitterTea]

I don't think making the payout smaller is going to stop people cheating. Can't we add a switch to the gui to switch to testnet and run the faucet with testnet coins?

Sure, but the whole point is to give people some coins they can spend. Granted, I'm not sure what you're going to buy with .05 BTC, but whatev. I think introducing testnet into this will just confuse people.

[randomguy7]

How about a "generate donation" switch? It could enable a mining like calculation with ultra low constant difficulty and submit the results to the faucet. The faucet could unlock the donation after some amount of shares (big amount of simple shares to minimize variance).

[Gavin Andresen]

RE: paying somebody to monitor the faucet:  good idea, although I like the idea of some kind of "community watch" more.  And monitoring the Faucet is an all-day-and-night, all-the-time kind of job.  And if the scammers are willing to try to drain the faucet slowly then they could create accounts with more realistic-looking names and would be able to sneak by the monitors...

RE: just using testnet coins:  I worry about people starting to trade testnet coins, giving them real value.  Giving lots of newbies who don't really understand bitcoin testnet coins seems like a really good way to make that happen!

RE: proof-of-work before getting coins:  Interesting idea!  Some JavaScript in-the-browser proof-of-work that required keeping the 'get some' page open for a minute or six might make the cost to the scammers high enough that the bitcoin reward wouldn't be worth it.

RE: looking at the google account creation date:  that information isn't available to the Faucet's code (unless I'm missing something in the Google App Engine API).

[Jim Hyslop]

What is wrong with some people? Seriously... someone with the technical skills to automate this can't think of something more worthwhile to do than to steal pennies?

Do it enough, and the pennies add up.

I started with one of the .05BTC transactions and traced it back to this coin, donated to the bitcoin faucet:

I then followed the money given out by the faucet. The first 9 transactions haven't been redeemed yet (as I write this, approx. 2215 UTC on April 14). Then transaction #10 is this interesting fella.

Ooh, look, it has 17 inputs, one of which is .04BTC and the rest are 05 BTC, and one output. So then I started following that coin. Next up was a transaction which had the .84 BTC input as #1, plus a whole bunch of other .05BTC inputs.

I didn't follow each of the .05BTC transactions to their source, but I followed enough to convince myself that each .05BTC transaction originated from the faucet.

The .84BTC transaction was combined with 13 other .05BTC transactions, which I sampled enough of to confirm they also originated from the faucet. The single output of that transaction was worth 1.49.

It's pretty clear by now that one person controls all the addresses I mentioned so far - the 30 addresses drained from the faucet, plus the .84BTC intermediate and the 1.49 BTC final.

The 1.49BTC transaction is input 1 of this transaction.
Input 2 is the 50BTC bounty from this block. Input 3. The inputs to that transaction all appear to be payouts from a mining pool. This tells me that the person (or, probably more accurately, one of the people) who is sucking the faucet dry is also a solo miner, AND a member of a mining pool.

Seriously, dude? Mining isn't enough for you, ya also have to rip off the bitcoin faucet???

At that point, the thief started trying to cover his tracks with some laughably see-through attempts at laundering the money (side note: I am glad that I have not yet posted my ideas on anonymizing Bitcoins, as that would have made the tracking much more difficult. After this escapade, I don't know if I will.).

The above transaction has two outputs: one for .68BTC and one for 71.29BTC. At that point I thought "OK, here we go, have to follow two separate trails." Nope. The next transaction in the chain combined the two coins, with two other outputs. Again: Seriously, dude??? This is supposed to confuse someone??? A few transactions later, add in other BTC for a total value of 198.62BTC (now we're talking serious coinage!): http://blockexplorer.com/t/CWMyLvqes

Right, so the transaction has two outputs, and dude tries his obfuscation again. As I'm starting to get bored with the "click-click-click" monotony, I finally come to this transaction which breaks the pattern. Output 1 is 188.61BTC which continues to rinse-and-repeat. Output 2, for 10.01BTC, is more interesting. It leads to this transaction.

The transaction gloms together 6 different transactions worth a total of 570.957 BTC. Output 0, for 0.019BTC, has not yet been redeemed. Output 2, for 570.938, does the rinse, add in more BTC, repeat a few more times. Now, I should note that most of the 570BTC appears to be legitimately gained from mining.

So, dude who's sucking the faucet: we're on to you. It's only a matter of time until we find you and force you to refill the faucet and put you on display in the Hall Of Shame.

The mystery, though, is what the (other?) thief intends to do with the BTC that haven't been redeemed yet. Looks like he has sucked quite a bit of cash from the faucet, and hasn't redeemed it yet.

[Mike Hearn]

I'd like to point out a few things, in case whoever attacked the Faucet is reading this thread.

The first is that whilst my 20% project at Google is BitCoinJ, my actual job is working on the Google abuse team. Bulk signups are against our Terms of Service and result in account termination.

Gavin sent me a list of accounts that were abusing the Faucet and they are now gone, as are a significant number more that were idle and waiting to be used. People who abuse the Faucet should understand that it is guarded by people as well as machines, and abuse at scale is likely to result in destruction of the entire account cluster. This is especially true if the accounts were bought from a supplier.

Account metadata such as age is not supplied through the OpenID or OAuth APIs, but in this case it would not have helped as the accounts were created several months ago, were not used until today and were both created and used via a large set of proxies. Regardless, we'll be investigating how they were able to get past the signup controls.

Adjusting the amount of coins issued depending on the US$ exchange rate might help. Unfortunately there is a black market in accounts for all large websites. Gmail accounts are more expensive than most, but they still have a specific price and once the amount that can be extracted from the Faucet goes beyond the cost of the accounts, abuse will happen.

I don't think naively implemented proofs of work will help. The abusers already have to write bots to automate the Faucet, if they want any useful quantity of coins. They can then easily re-implement the proof of work in native code rather than JavaScript. There are ways to solve this, but they involve quite a bit of effort.

[Trader]

I'd like to point out a few things, in case whoever attacked the Faucet is reading this thread.

The first is that whilst my 20% project at Google is BitCoinJ, my actual job is working on the Google abuse team. Bulk signups are against our Terms of Service and result in account termination.

Gavin sent me a list of accounts that were abusing the Faucet and they are now gone, as are a significant number more that were idle and waiting to be used. People who abuse the Faucet should understand that it is guarded by people as well as machines, and abuse at scale is likely to result in destruction of the entire account cluster. This is especially true if the accounts were bought from a supplier.

Account metadata such as age is not supplied through the OpenID or OAuth APIs, but in this case it would not have helped as the accounts were created several months ago, were not used until today and were both created and used via a large set of proxies. Regardless, we'll be investigating how they were able to get past the signup controls.

Adjusting the amount of coins issued depending on the US$ exchange rate might help. Unfortunately there is a black market in accounts for all large websites. Gmail accounts are more expensive than most, but they still have a specific price and once the amount that can be extracted from the Faucet goes beyond the cost of the accounts, abuse will happen.

I don't think naively implemented proofs of work will help. The abusers already have to write bots to automate the Faucet, if they want any useful quantity of coins. They can then easily re-implement the proof of work in native code rather than JavaScript. There are ways to solve this, but they involve quite a bit of effort.

I've seen many instances of people using mturk and crowdflower (as well as few less know sites) to aquire a bunch of provider accounts.  That same mechanizm is most likely proffitable for draining the faucet as you have actual workers completing the task for a penny a pop.   

The proof of work might be the most effective way of stopping that as the turkers won't waste time on a penny hit if they could be earning money on something else.

The linking to the WOT might also be very effective as it would require them to jump through enough hoops that it wouldn't be cost effective plus it would get them familiar with that tool.

[jpent]

How about including a simple game to play for the coins? One that would be difficult for a computer, but easy and mildly entertaining for a human.

[Anonymous]

+1 on using the otc WOT.

That's what it is there for. Also a good idea on people asking in an irc room for coins maybe #bitcoin-faucet ?

[dishwara]

+1 on using the otc WOT.

That's what it is there for. Also a good idea on people asking in an irc room for coins maybe #bitcoin-faucet ?

+1 for #bitcoin-faucet. It solves many problems.

[xf2_org]

While the faucet is a neat idea, and has given many legitimate people bitcoins to play with, I think it is fundamentally unsustainable to give away free money...

[mcdett]

While the faucet is a neat idea, and has given many legitimate people bitcoins to play with, I think it is fundamentally unsustainable to give away free money...

I gave 50.10 BTC to the faucet yesterday.  In the long run it is unsustainable, but it helps us grow in the meantime.


Take Care!

[grue]

yay, my prediction was right!

[just_someguy]

Is there another service out there like bitcoin faucet for a complete noob?
It figures that the very day I start to read about bitcoin it gets shut down.
I checked in the suggested #bitcoin-faucet irc but it doesn't look like its an active group.
All the other options for getting even a small amount of bitcoin seems like it would take about a week.

Of course if anyone can spare a few cents while its down so I can try it out it would be much appreciated!
1EX8V8y4L8TdNVGKTCij2eot9WD8qDqM4N

[Anonymous]

Is there another service out there like bitcoin faucet for a complete noob?
It figures that the very day I start to read about bitcoin it gets shut down.
I checked in the suggested #bitcoin-faucet irc but it doesn't look like its an active group.
All the other options for getting even a small amount of bitcoin seems like it would take about a week.

Of course if anyone can spare a few cents while its down so I can try it out it would be much appreciated!
1EX8V8y4L8TdNVGKTCij2eot9WD8qDqM4N

The witcoin giveaway is on if you qualify.
http://bitcointalk.org/index.php?topic=5757.0

[Anonymous]

what if the faucet sent an sms to verify ?

[randomguy7]

Kinda expensive. How about some premium sms number to sell a few coins? Its of curse not efficient as a normal form of selling coins because the phone provider guys take a huge amount of the payment, but it would be ok for some first testing coins.

[MBS]

Wouldn't sending an SMS be free if email2sms gateways and/or google voice were used?

[Jered Kenna (TradeHill)]

Following this.
This pisses me off.
Everyone loves the faucet.

[Mike Hearn]

SMS verification raises the bar but not as much as you might think for things like the Faucet. SIM cards in developing countries are often free. We do see Gmail abuse where the abusers phone verify. It's just a question of profitability.

[Jered Kenna (TradeHill)]

Where do you draw the line on too much work?

If you made something that was kind of fun the first time. Say a maze you have to run through that might take 30seconds or 1min but couldn't be automated.
Obviously you wouldn't care if it was the first time you were doing it and you're new to bitcoins and you want those .05 to play with.
It wouldn't be worth repeating though. Obviously you'd have to fine tune it. 10seconds the bad guys might keep it up. 3 minutes the good guys might not bother.
If it was semi fun then they wouldn't mind playing it for a few minutes but playing something semi fun for a few minutes for .05 takes the fun out of it if that makes sense.

Maybe tetris with falling bitcoin blocks and after you solve 20 lines you get your .05btc  


Edit: leaving google accounts in place etc at the same time I'm thinking but maybe the game would allow you to drop that part if you think it scares some people away.

[Mike Hearn]

That's what a CAPTCHA is and they do not work for anything that monetizes reasonably well. There are lots of people in the third world whose time is so cheap it's essentially free. You have to exploit the scarcity of something that is not human time - like phone numbers.

[HostFat]

That's what a CAPTCHA is and they do not work for anything that monetizes reasonably well. There are lots of people in the third world whose time is so cheap it's essentially free. You have to exploit the scarcity of something that is not human time - like phone numbers.

Is there a way to know if a Google account has a confirmed phone number?
You ( and Google ) could add something like this

[Jered Kenna (TradeHill)]

That's what a CAPTCHA is and they do not work for anything that monetizes reasonably well. There are lots of people in the third world whose time is so cheap it's essentially free. You have to exploit the scarcity of something that is not human time - like phone numbers.

I'm with you on this but there is a point it's not worth it anymore.
5 minutes of Tetris + google login.
That comes out to lets say .50 to .60btc an hour.
I'm not saying you can't find someone to work that cheap, you probably can.
I'm saying you could probably make more having them do something else ie mturk etc.

[manifold]

@faucet admin:
First of all: Thank you for your service. I got 0.05 BTC from you and that helped me started to get into the network. I earned about 0.30 BTC from pooled mining, and donated the 0.05 BTC already back to you (first 0.01, then 0.04).

Second, it's sad that their is always someone trying to destroy... I hope you can find out how to shut those thiefs out.


PS: How can he get so many google accounts, isn't there an sms confirmation?

[gigabytecoin]

They are using a different IP address, different google account, and are even changing the browser ID string on every request-- here are three entries from the request log, for example:

What is wrong with some people? Seriously... someone with the technical skills to automate this can't think of something more worthwhile to do than to steal pennies?

It's really unfortunate, because the Faucet is probably the most important promotional tool that Bitcoin has. So what's next? manual approval of every Faucet transaction? maybe a group of trusted forum members could do this, so that there is always someone online? would be pretty tedious though, I guess.

Pay someone .01 of the .05  to sit there clicking "confirm"

That is probably by far the most intellectual idea. It's a smart idea to have someone online at all times, I'm sure there's someone Gavin can trust.

How is a human going to determine that these are unique requests any better than a script, though?

[bitcoinex]

@faucet admin:
First of all: Thank you for your service. I got 0.05 BTC from you and that helped me started to get into the network. I earned about 0.30 BTC from pooled mining, and donated the 0.05 BTC already back to you (first 0.01, then 0.04).

Second, it's sad that their is always someone trying to destroy... I hope you can find out how to shut those thiefs out.


PS: How can he get so many google accounts, isn't there an sms confirmation?

This may be old logins, created before google was introduced SMS verification. they can be bought on the black market

[nanotube]

RE: paying somebody to monitor the faucet:  good idea, although I like the idea of some kind of "community watch" more.  And monitoring the Faucet is an all-day-and-night, all-the-time kind of job.  And if the scammers are willing to try to drain the faucet slowly then they could create accounts with more realistic-looking names and would be able to sneak by the monitors...

yes, ultimately where 'free money' is concerned, human monitors will not solve the problem. no matter how low you set the reward, there are people whose time is worth nothing, and they'd thus be willing to spend it getting something > nothing.

RE: just using testnet coins:  I worry about people starting to trade testnet coins, giving them real value.  Giving lots of newbies who don't really understand bitcoin testnet coins seems like a really good way to make that happen!

Nothing wrong with testnet coins having value. they had value before the testnet was reset, and they'll have value again at some point, right up until testnet is reset again (if it is).

RE: proof-of-work before getting coins:  Interesting idea!  Some JavaScript in-the-browser proof-of-work that required keeping the 'get some' page open for a minute or six might make the cost to the scammers high enough that the bitcoin reward wouldn't be worth it.

it can always be scripted to run the PoW calc outside the browser, then submit the result. seems like that would be only a temporary solution - long enough to last until the cheaters write code.

[ffe]

Add a delay to the payout which is a function of the number of payouts in the last hour. Set it to not kick in unless payouts are much more frequent than usual.

[Raoul Duke]

I can't offer you solutions, but i can offer the best spam bot to test against the faucet, but i tell you in advance that using external accounts to give away coins will be hard to stop the dudes. The same bot can make thousands of accounts in any site, decapthing solution included...

I can tell you some things that stops most bots: javascript/ajax or flash stuff...

Hope i helped in some way. And if you need help to test your anti-fraud measures I won't mind to spend some hours trying to bypass them. 

[dishwara]

The best thing, give the free coin 14-20 hours after the newbie ask with gmail account.
This gives time to know how many free coin request came & even time to verify many things.
It won't bother newbies as all knows any transaction used to take place 1-10 days with banks & now with internet transaction even paypal takes 10 minutes-1,2 days WITH fees.
So, newbies, really newbies wont worry much. & it will make stealer insane, coz he won't get immediately.  


Edited.

[Rena]

That seems like the best way. Each request doesn't result in an immediate transaction but instead just enters into a queue. You look at the queue and see if the requests look suspicious before approving them manually. Designed right it wouldn't be foolproof, but it could be handled entirely by one person - they'd just have a list like IP, account name, time, and a checkbox (and select/deselect all buttons), say 100 items per page, and could just approve or deny them en masse.
There is risk of denying a legitimate request that happens to be in the middle of a ton of spam, but just add a note to the page explaining this risk. People shouldn't be too upset that someone who's giving away free money might miss their request. :p

For those suggesting Javascript games and such, you should know that the browser is no more than a user interface. Whatever you achieve in the game, the browser has to report back to the server - a bot can just tell the server anything it wants. So the only secure mechanism is to make it work similar to mining, where the client - be it a browser or a bot - has to do several minutes' worth of computation to figure out a valid response to send to the server, and each response is only valid once.

It's worth noting though that in my experience, browsers and OSes of all types suck at limiting CPU usage by Javascript, and a script doing heavy computation like that can bog down the entire machine. So it's not a really user-friendly solution... :/

[Anonymous]

Post in http://free.witcoin.com and if another human likes it you get voted up.

free bitcoins - if you entertain us that is 

If a bot can come up with something I like then all power to it for making me laugh or causing a reaction.

Hint: you wont get voted up for submitting a million viagra ads.

[dishwara]

Post in http://free.witcoin.com and if another human likes it you get voted up.

free bitcoins - if you entertain us that is 

If a bot can come up with something I like then all power to it for making me laugh or causing a reaction.

Hint: you wont get voted up for submitting a million viagra ads.

I really don't understand what you saying.
You mocking up me or rena or telling some thing else?

[tt7777]

I don't think lowering the amount of Bitcoins given out via the faucet will help; have you ever considered that whoever is doing this just doesn't like Bitcoin, or wants to see it fail, perhaps? I don't think someone with enough skill to pull this off would do it for (what is essentially) pennies.   

Just a thought... 

[BitterTea]

Post in http://free.witcoin.com and if another human likes it you get voted up.

free bitcoins - if you entertain us that is 

If a bot can come up with something I like then all power to it for making me laugh or causing a reaction.

Hint: you wont get voted up for submitting a million viagra ads.

I really don't understand what you saying.
You mocking up me or rena or telling some thing else?

He's saying that Witcoin is a better way for newbies to get coins than the Faucet. It's like Reddit, except votes cost small fractions of a Bitcoin, and the person who posted the comments gets some large fraction of the money collected by voting.

[Mike Hearn]

Except that you need some coins to post on Witcoin, if I recall correctly. Catch 22.

I think it's probably worth trying to defend the Faucet as long as possible, but unless the min tx fee is dropped as BTC/USD keeps rising the Faucet will be attacked by more and more sophisticated fraudsters who are trying to get free money. Consider that a successful attack can drain $50+ and that's a heck of a lot in many third world countries.

[Gavin Andresen]

Thanks for the suggestions and comments, everybody; I think a combination of dropping the faucet reward again (I'll start bundling up faucet payments into 'sendmany' transactions, so the transaction fees are lower) and "community watch program" will work.

The 'community watch' will be a web page that anybody can see that shows the last 100 IP addresses that got payments along with an obfuscated version of the email address (I'll obfuscate by randomly turning an email address like 'gavinandresen@gmail.com' into 'gavniadresen23@gmail.com').  And I'll recruit some trusted people and give them access to a master faucet shut-off switch if it starts getting abused again.

[Nick]

http://img6.imagebanana.com/img/f7t8ftmv/oddbitcoin.PNG
There are multiple transactions showing up which have a combined size of 94600 BTC.
Is this a double-spending attempt or does someone actually have multiple chunks of 94600 BTC?

[Jered Kenna (TradeHill)]

There are multiple transactions showing up which have a combined size of 94600 BTC.
Is this a double-spending attempt or does someone actually have multiple chunks of 94600 BTC?

There are single accounts out there with more than that so it could be legit.
If I remember correctly one account (the highest) has 250k in it.

[manifold]

The best thing, give the free coin 14-20 hours after the newbie ask with gmail account.
This gives time to know how many free coin request came & even time to verify many things.
It won't bother newbies as all knows any transaction used to take place 1-10 days with banks & now with internet transaction even paypal takes 10 minutes-1,2 days WITH fees.
So, newbies, really newbies wont worry much. & it will make stealer insane, coz he won't get immediately.  


Edited.

Yes I think that is a good strategy too. And if you (or the community sees) obviously fake google accounts they don't get anything.

[Insti]

Except that you need some coins to post on Witcoin, if I recall correctly. Catch 22.

There is a free section you can post on for free now.
Catch 22 resolved.

[theymos]

There are multiple transactions showing up which have a combined size of 94600 BTC.
Is this a double-spending attempt or does someone actually have multiple chunks of 94600 BTC?

They're the same coins.

[TiagoTiago]

Since the sending of the money doesn't need to be instantaneous, how about a captcha system kinda like this:

You collect a bank of images, things like group photos, photos of animals, landmarks etc (perhaps simply by scraping the results of image searchs, taking note of the keywords used, and if the site the image comes from got tags for the image, take note of the tags too, ) .

Each time someone tries to request coins from the faucet, the server randomly picks one of the pictures, distorts it a bit, in a unique way each time, taking note of the way it's distorted to remap distorted corrdinates back to original; and then asks the person to click where in the picture somthing is (selecting what based on the keywords used to find the picture and associated tags if any; things like the front left headlight of the car, the nose of the cat, the tip of the Eiffel tower, the biggest digit in the picture, the face of the youngest person in the picture etc).

Remaping the clicks to the undistorted coordinates, the server then starts ranking the clicks in terms of how close to the average of the other clicks for that same feature. But  each time a same person refreshes or asks to try a different picture the weighting of their vote for the coordinate of the picture average is reduced, so if someone tries several times in order to find the same picture and being asked for the same feature, to try to distort the average in their favour, their attempt of tampering will not easilly outvote legit clicks.



Perhaps besides the geometric distortion, it might be good to also add other interferences, like hue, saturation and brightness noise and gradients, invert the color in small randomly shaped part, "burn" out little holes here and there, add a few blur gradients (kinda like randrops on the camera lens), overlay small randomly shaped patches with the colors "solarized", the resolution reduced (pixelazing the image) etc; basicly all sorts of image "filters" that would confuse computer vision, specially when combined, but (at least most of the time) still leave the contents of the image easilly identifyable by humans.

[ironwolf]

Hi all. I just looked at the monitor again and I'm seeing this stripe pattern— again, and it looks like Gavin's opened the faucet again. So, attack in progress again?

Ironwolf

[dishwara]

No, Its in 100BTC. gavin wont give 100btc per person.
Also some guy is sending 0.02 & 0.12 continuously, to take bandwidth?
 

[stillfire]

Also some guy is sending 0.02 & 0.12 continuously, to take bandwidth?

I bet that's the Bitcoin Bubble game. A lot of 0.01 and 0.02 going on there. http://bitcointalk.org/index.php?topic=6117.0

[Anonymous]

Post in http://free.witcoin.com and if another human likes it you get voted up.

free bitcoins - if you entertain us that is 

If a bot can come up with something I like then all power to it for making me laugh or causing a reaction.

Hint: you wont get voted up for submitting a million viagra ads.

I really don't understand what you saying.
You mocking up me or rena or telling some thing else?

He's saying that Witcoin is a better way for newbies to get coins than the Faucet. It's like Reddit, except votes cost small fractions of a Bitcoin, and the person who posted the comments gets some large fraction of the money collected by voting.

No its a different way not a better way. Something as simple as you posting a pic or a photoshop of a bitcoin logo in a funny place would convince me you've done something to earn a free coin.

http://free.witcoin.com if you want to try it out. Also a percentage of site profits go to the bitcoin faucet if people choose. http://witcoin.com/charity/The-Bitcoin-Faucet


This is a complementary service not a replacement.

[ironwolf]

No, Its in 100BTC. gavin wont give 100btc per person.

If I'm not mistaken, doesn't the "total" reflect the sum of the "Ins" on the transfer, while the other numbers represent the "Outs", in this case 1 bitcent and about 100 bitcoins in change. This is the same pattern I witnessed when the faucet was drained before, but it was 0.05 BTC at a time, and this was 0.01 BTC.

[jav]

No, Its in 100BTC. gavin wont give 100btc per person.

If I'm not mistaken, doesn't the "total" reflect the sum of the "Ins" on the transfer, while the other numbers represent the "Outs", in this case 1 bitcent and about 100 bitcoins in change.

That's correct. Well, the total reflects the sum of all "outs" and then the outs are listed separately in brackets. Eventually I plan to list the sum of the "ins" as well, which also makes it possible to calculate the fee (total in - total out = fee). But just from looking at a single transaction you don't actually know the sum of the "ins". You have to look up the in-transactions in the block chain / database. I haven't implemented that yet and it will probably require a little bit of reorganizing of my codebase.

In any case, this is probably still not the faucet, because it's just 0.01 BTC and the faucet still gives out 0.05 BTC as far as I know.

[dmp1ce]

Add a delay to the payout which is a function of the number of payouts in the last hour. Set it to not kick in unless payouts are much more frequent than usual.

+1  !

I second this idea.  Much less of an incentive to game the system then.

[bourgis]

I think I found some other anomalies at Bitcoin Monitor earlier today (May 29th). Look at around 20:00 UTC and 21:00 UTC. There are a lot of transactions at exactly a few seconds after every whole hour. Is this normal? Also at 20:45 UTC there seem to be an unusual long time between new block creations?

/Bourgis


http://i390.photobucket.com/albums/oo348/bourgis/Bugs/Bitcoin/Bitcoin2.jpg


http://i390.photobucket.com/albums/oo348/bourgis/Bugs/Bitcoin/Bitcoin1.jpg