Bitcoin Forum
December 08, 2016, 08:22:29 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 4 »  All
  Print  
Author Topic: Odd pattern in BitcoinMonitor  (Read 10519 times)
randomguy7
Hero Member
*****
Offline Offline

Activity: 528


View Profile
April 14, 2011, 06:22:03 PM
 #21

How about a "generate donation" switch? It could enable a mining like calculation with ultra low constant difficulty and submit the results to the faucet. The faucet could unlock the donation after some amount of shares (big amount of simple shares to minimize variance).
1481185349
Hero Member
*
Offline Offline

Posts: 1481185349

View Profile Personal Message (Offline)

Ignore
1481185349
Reply with quote  #2

1481185349
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Gavin Andresen
Legendary
*
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
April 14, 2011, 06:31:41 PM
 #22

RE: paying somebody to monitor the faucet:  good idea, although I like the idea of some kind of "community watch" more.  And monitoring the Faucet is an all-day-and-night, all-the-time kind of job.  And if the scammers are willing to try to drain the faucet slowly then they could create accounts with more realistic-looking names and would be able to sneak by the monitors...

RE: just using testnet coins:  I worry about people starting to trade testnet coins, giving them real value.  Giving lots of newbies who don't really understand bitcoin testnet coins seems like a really good way to make that happen!

RE: proof-of-work before getting coins:  Interesting idea!  Some JavaScript in-the-browser proof-of-work that required keeping the 'get some' page open for a minute or six might make the cost to the scammers high enough that the bitcoin reward wouldn't be worth it.

RE: looking at the google account creation date:  that information isn't available to the Faucet's code (unless I'm missing something in the Google App Engine API).

How often do you get the chance to work on a potentially world-changing project?
Jim Hyslop
Member
**
Offline Offline

Activity: 98


View Profile
April 14, 2011, 09:22:44 PM
 #23

What is wrong with some people? Seriously... someone with the technical skills to automate this can't think of something more worthwhile to do than to steal pennies?
Do it enough, and the pennies add up.

I started with one of the .05BTC transactions and traced it back to this coin, donated to the bitcoin faucet:

I then followed the money given out by the faucet. The first 9 transactions haven't been redeemed yet (as I write this, approx. 2215 UTC on April 14). Then transaction #10 is this interesting fella.

Ooh, look, it has 17 inputs, one of which is .04BTC and the rest are 05 BTC, and one output. So then I started following that coin. Next up was a transaction which had the .84 BTC input as #1, plus a whole bunch of other .05BTC inputs.

I didn't follow each of the .05BTC transactions to their source, but I followed enough to convince myself that each .05BTC transaction originated from the faucet.

The .84BTC transaction was combined with 13 other .05BTC transactions, which I sampled enough of to confirm they also originated from the faucet. The single output of that transaction was worth 1.49.

It's pretty clear by now that one person controls all the addresses I mentioned so far - the 30 addresses drained from the faucet, plus the .84BTC intermediate and the 1.49 BTC final.

The 1.49BTC transaction is input 1 of this transaction.
Input 2 is the 50BTC bounty from this block. Input 3. The inputs to that transaction all appear to be payouts from a mining pool. This tells me that the person (or, probably more accurately, one of the people) who is sucking the faucet dry is also a solo miner, AND a member of a mining pool.

Seriously, dude? Mining isn't enough for you, ya also have to rip off the bitcoin faucet???

At that point, the thief started trying to cover his tracks with some laughably see-through attempts at laundering the money (side note: I am glad that I have not yet posted my ideas on anonymizing Bitcoins, as that would have made the tracking much more difficult. After this escapade, I don't know if I will.).

The above transaction has two outputs: one for .68BTC and one for 71.29BTC. At that point I thought "OK, here we go, have to follow two separate trails." Nope. The next transaction in the chain combined the two coins, with two other outputs. Again: Seriously, dude??? This is supposed to confuse someone??? A few transactions later, add in other BTC for a total value of 198.62BTC (now we're talking serious coinage!): http://blockexplorer.com/t/CWMyLvqes

Right, so the transaction has two outputs, and dude tries his obfuscation again. As I'm starting to get bored with the "click-click-click" monotony, I finally come to this transaction which breaks the pattern. Output 1 is 188.61BTC which continues to rinse-and-repeat. Output 2, for 10.01BTC, is more interesting. It leads to this transaction.

The transaction gloms together 6 different transactions worth a total of 570.957 BTC. Output 0, for 0.019BTC, has not yet been redeemed. Output 2, for 570.938, does the rinse, add in more BTC, repeat a few more times. Now, I should note that most of the 570BTC appears to be legitimately gained from mining.

So, dude who's sucking the faucet: we're on to you. It's only a matter of time until we find you and force you to refill the faucet and put you on display in the Hall Of Shame.

The mystery, though, is what the (other?) thief intends to do with the BTC that haven't been redeemed yet. Looks like he has sucked quite a bit of cash from the faucet, and hasn't redeemed it yet.

Like my answer? Did I help? Tips gratefully accepted here: 1H6wM8Xj8GNrhqWBrnDugd8Vf3nAfZgMnq
Mike Hearn
Legendary
*
Offline Offline

Activity: 1526


View Profile
April 14, 2011, 09:34:09 PM
 #24

I'd like to point out a few things, in case whoever attacked the Faucet is reading this thread.

The first is that whilst my 20% project at Google is BitCoinJ, my actual job is working on the Google abuse team. Bulk signups are against our Terms of Service and result in account termination.

Gavin sent me a list of accounts that were abusing the Faucet and they are now gone, as are a significant number more that were idle and waiting to be used. People who abuse the Faucet should understand that it is guarded by people as well as machines, and abuse at scale is likely to result in destruction of the entire account cluster. This is especially true if the accounts were bought from a supplier.

Account metadata such as age is not supplied through the OpenID or OAuth APIs, but in this case it would not have helped as the accounts were created several months ago, were not used until today and were both created and used via a large set of proxies. Regardless, we'll be investigating how they were able to get past the signup controls.

Adjusting the amount of coins issued depending on the US$ exchange rate might help. Unfortunately there is a black market in accounts for all large websites. Gmail accounts are more expensive than most, but they still have a specific price and once the amount that can be extracted from the Faucet goes beyond the cost of the accounts, abuse will happen.

I don't think naively implemented proofs of work will help. The abusers already have to write bots to automate the Faucet, if they want any useful quantity of coins. They can then easily re-implement the proof of work in native code rather than JavaScript. There are ways to solve this, but they involve quite a bit of effort.
Trader
Newbie
*
Offline Offline

Activity: 1


View Profile
April 14, 2011, 10:20:17 PM
 #25

I'd like to point out a few things, in case whoever attacked the Faucet is reading this thread.

The first is that whilst my 20% project at Google is BitCoinJ, my actual job is working on the Google abuse team. Bulk signups are against our Terms of Service and result in account termination.

Gavin sent me a list of accounts that were abusing the Faucet and they are now gone, as are a significant number more that were idle and waiting to be used. People who abuse the Faucet should understand that it is guarded by people as well as machines, and abuse at scale is likely to result in destruction of the entire account cluster. This is especially true if the accounts were bought from a supplier.

Account metadata such as age is not supplied through the OpenID or OAuth APIs, but in this case it would not have helped as the accounts were created several months ago, were not used until today and were both created and used via a large set of proxies. Regardless, we'll be investigating how they were able to get past the signup controls.

Adjusting the amount of coins issued depending on the US$ exchange rate might help. Unfortunately there is a black market in accounts for all large websites. Gmail accounts are more expensive than most, but they still have a specific price and once the amount that can be extracted from the Faucet goes beyond the cost of the accounts, abuse will happen.

I don't think naively implemented proofs of work will help. The abusers already have to write bots to automate the Faucet, if they want any useful quantity of coins. They can then easily re-implement the proof of work in native code rather than JavaScript. There are ways to solve this, but they involve quite a bit of effort.



I've seen many instances of people using mturk and crowdflower (as well as few less know sites) to aquire a bunch of provider accounts.  That same mechanizm is most likely proffitable for draining the faucet as you have actual workers completing the task for a penny a pop.   

The proof of work might be the most effective way of stopping that as the turkers won't waste time on a penny hit if they could be earning money on something else.

The linking to the WOT might also be very effective as it would require them to jump through enough hoops that it wouldn't be cost effective plus it would get them familiar with that tool.
jpent
Jr. Member
*
Offline Offline

Activity: 31



View Profile
April 14, 2011, 10:41:10 PM
 #26

How about including a simple game to play for the coins? One that would be difficult for a computer, but easy and mildly entertaining for a human.

PGP Key Fingerprint: 142E BEF5 5420 B00F 186C  7332 0B15 F673 EF9F DA26

# make install, not war

149gNEaA45b4NkM37XuBbhrM3gTAKikzqd - In case anyone needs this
Anonymous
Guest

April 14, 2011, 11:22:11 PM
 #27

+1 on using the otc WOT.

That's what it is there for. Also a good idea on people asking in an irc room for coins maybe #bitcoin-faucet ?
dishwara
Legendary
*
Offline Offline

Activity: 1372

Truth may get delay, but NEVER fails


View Profile
April 15, 2011, 12:43:40 AM
 #28

+1 on using the otc WOT.

That's what it is there for. Also a good idea on people asking in an irc room for coins maybe #bitcoin-faucet ?

+1 for #bitcoin-faucet. It solves many problems.
xf2_org
Member
**
Offline Offline

Activity: 70


View Profile
April 15, 2011, 01:25:05 AM
 #29


While the faucet is a neat idea, and has given many legitimate people bitcoins to play with, I think it is fundamentally unsustainable to give away free money...

mcdett
Full Member
***
Offline Offline

Activity: 157



View Profile
April 15, 2011, 01:59:16 AM
 #30


While the faucet is a neat idea, and has given many legitimate people bitcoins to play with, I think it is fundamentally unsustainable to give away free money...



I gave 50.10 BTC to the faucet yesterday.  In the long run it is unsustainable, but it helps us grow in the meantime.


Take Care!
grue
Global Moderator
Legendary
*
Offline Offline

Activity: 1932



View Profile
April 15, 2011, 02:17:37 AM
 #31

yay, my prediction was right!

It is pitch black. You are likely to be eaten by a grue.

Tired of annoying signature ads? Ad block for signatures
just_someguy
Full Member
***
Offline Offline

Activity: 125


View Profile
April 15, 2011, 12:04:03 PM
 #32

Is there another service out there like bitcoin faucet for a complete noob?
It figures that the very day I start to read about bitcoin it gets shut down.
I checked in the suggested #bitcoin-faucet irc but it doesn't look like its an active group.
All the other options for getting even a small amount of bitcoin seems like it would take about a week.

Of course if anyone can spare a few cents while its down so I can try it out it would be much appreciated!
1EX8V8y4L8TdNVGKTCij2eot9WD8qDqM4N


Anonymous
Guest

April 15, 2011, 12:36:32 PM
 #33

Is there another service out there like bitcoin faucet for a complete noob?
It figures that the very day I start to read about bitcoin it gets shut down.
I checked in the suggested #bitcoin-faucet irc but it doesn't look like its an active group.
All the other options for getting even a small amount of bitcoin seems like it would take about a week.

Of course if anyone can spare a few cents while its down so I can try it out it would be much appreciated!
1EX8V8y4L8TdNVGKTCij2eot9WD8qDqM4N




The witcoin giveaway is on if you qualify.
http://bitcointalk.org/index.php?topic=5757.0
Anonymous
Guest

April 15, 2011, 04:14:38 PM
 #34

what if the faucet sent an sms to verify ?
randomguy7
Hero Member
*****
Offline Offline

Activity: 528


View Profile
April 15, 2011, 04:18:14 PM
 #35

Kinda expensive. How about some premium sms number to sell a few coins? Its of curse not efficient as a normal form of selling coins because the phone provider guys take a huge amount of the payment, but it would be ok for some first testing coins.
MBS
Newbie
*
Offline Offline

Activity: 19


View Profile
April 16, 2011, 03:14:20 AM
 #36

Wouldn't sending an SMS be free if email2sms gateways and/or google voice were used?
Jered Kenna (TradeHill)
Sr. Member
****
Offline Offline

Activity: 420



View Profile WWW
April 16, 2011, 01:55:38 PM
 #37

Following this.
This pisses me off.
Everyone loves the faucet.

moneyandtech.com
@moneyandtech @jeredkenna
Mike Hearn
Legendary
*
Offline Offline

Activity: 1526


View Profile
April 16, 2011, 04:05:26 PM
 #38

SMS verification raises the bar but not as much as you might think for things like the Faucet. SIM cards in developing countries are often free. We do see Gmail abuse where the abusers phone verify. It's just a question of profitability.
Jered Kenna (TradeHill)
Sr. Member
****
Offline Offline

Activity: 420



View Profile WWW
April 16, 2011, 04:29:43 PM
 #39

Where do you draw the line on too much work?

If you made something that was kind of fun the first time. Say a maze you have to run through that might take 30seconds or 1min but couldn't be automated.
Obviously you wouldn't care if it was the first time you were doing it and you're new to bitcoins and you want those .05 to play with.
It wouldn't be worth repeating though. Obviously you'd have to fine tune it. 10seconds the bad guys might keep it up. 3 minutes the good guys might not bother.
If it was semi fun then they wouldn't mind playing it for a few minutes but playing something semi fun for a few minutes for .05 takes the fun out of it if that makes sense.

Maybe tetris with falling bitcoin blocks and after you solve 20 lines you get your .05btc  Cheesy


Edit: leaving google accounts in place etc at the same time I'm thinking but maybe the game would allow you to drop that part if you think it scares some people away.

moneyandtech.com
@moneyandtech @jeredkenna
Mike Hearn
Legendary
*
Offline Offline

Activity: 1526


View Profile
April 16, 2011, 04:33:18 PM
 #40

That's what a CAPTCHA is and they do not work for anything that monetizes reasonably well. There are lots of people in the third world whose time is so cheap it's essentially free. You have to exploit the scarcity of something that is not human time - like phone numbers.
Pages: « 1 [2] 3 4 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!