Buying the Network Effect - People accept $.01/hr to run possible malware

[Kluge]

Stealth mining on others' PCs can be completely voluntary and non-criminal. Assume software scans for GPU. No GPU? Not eligible (or maybe eligible, depending on coin sought to be mined). Not particularly useful to SHA256 anymore, but still relevant to ASIC-resistant Scrypt and other, more exotic algorithms which don't have ASICs built for them.

Create, say, a $25 minimum payout requirement among some other trickery and these disincentives to claiming rewards can bring real cost vs advertised cost down dramatically.



"There are many tales in literature over millennia about people selling their soul to a malevolent deity for the right price. But at least it’s usually a good price. Recent research has discovered that we are willing to compromise our computer for no more than one cent in income.

The researchers from the Carnegie Mellon University CyLab who carried out this work, tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.

Even though a participant's machine would give them a pop up warning when they started the download to tell them that this application wanted higher level access to essential security services, 22% of them went ahead and downloaded. And when participants were offered $1 per hour, that figure rose to 43%.

...

The fact is, this application could easily have contained malware. Participants knew little about what they were installing other than it would pay them for their processing power but they didn't seem to mind.

...

Crooks will be pleased to learn from this study that it is apparently very easy to trick ordinary computer users into hosting your malware.

..."

Full article @ https://www.techdirt.com/articles/20140624/16091327675/would-you-compromise-your-computer-one-cent-hour-new-study-says-many-are-happy-to-do-exactly-that.shtml

[Yakamoto]

After thinking on this for a day, this part is actually what scares me about putting bitcoin mainstream.

Knowing the technological stupidity of most of the populace, this would instantly become the #1 malware method if distribution.  "Earn $1 in Bitcoin per hour, regardless of hardware!"

It actually kinda surprised me the rate of people who allowed for it to run for just $1/hour, even if it is $24. Nearly half of those people didn't have any red flags going up?

It's a shame to see what happened and how easily people just fell right into the pit, and they had no idea what it could have been doing.

Well, thanks for sharing this study. A real eye-opener from what I originally imagined.

[STT]

People who just click yes on everything will also be signed up to the MS defender virus checker, so the malware could be back out the door in a week is my guess.

If they survey had tested how many would install the malware if it was described as malware, I think you'd still have a high percent.  So long as its not harming themselves especially, most people dont do much with their computer except load music or youtube

Most antivirus software now removes cgminer or similar

[Ibian]

Run it on my spare laptop and put it in a closet. Doesn't matter what it does that way.

[moreia]

I've seen oh so many people trying to create scams like this, and still people fall for it
"mom, why isn't the computer working anymore"

[zimmah]

After thinking on this for a day, this part is actually what scares me about putting bitcoin mainstream.

Knowing the technological stupidity of most of the populace, this would instantly become the #1 malware method if distribution.  "Earn $1 in Bitcoin per hour, regardless of hardware!"

It actually kinda surprised me the rate of people who allowed for it to run for just $1/hour, even if it is $24. Nearly half of those people didn't have any red flags going up?

It's a shame to see what happened and how easily people just fell right into the pit, and they had no idea what it could have been doing.

Well, thanks for sharing this study. A real eye-opener from what I originally imagined.

That's the advantage of ASICs, despite the fact that many people despise ASICs for various reasons the fact remains that a single ASIC can easily outperform several million computers.

Even if someone were to somehow trick pretty much every computer owner into running his malware, he would not even come remotely close to 50% of the hashing power.

Of course he could do other things like installing malware that affects their wallet, so they may think they are sending coins to overstock.com but in reality they are sending them to someone else. Or maybe they will add transaction fees (you'd be amazed how many people would not notice extra fees, even if you can look them up in the blockchain).

But that would not really hurt the people who store their bitcoins safely anyway.

[DannyElfman]

The researchers from the Carnegie Mellon University CyLab who carried out this work, tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.

If something is for "academic" use people are generally more trusting then they otherwise should be. The same goes for noble causes like the SETI project that lets people use their computer to look for possible signals from outer space.

I think that the acceptance rate would be much lower if participants were told that the application was for "for-profit research" without a specific cause.

[Yakamoto]

The researchers from the Carnegie Mellon University CyLab who carried out this work, tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.

If something is for "academic" use people are generally more trusting then they otherwise should be. The same goes for noble causes like the SETI project that lets people use their computer to look for possible signals from outer space.

I think that the acceptance rate would be much lower if participants were told that the application was for "for-profit research" without a specific cause.

What makes you think a criminal won't do the same thing? I can say I'm doing an academic study when I ask people to send me 5 BTC. I can bloody say I'm from NASA doing something. But am I? Nope.

This what what people don't seem to get. Why in the world can a few words change everything. If it asks for something high-security, screw it! I won't touch that.

I can dress up as a cop and tell people "I'm a cop" and be a criminal. Could you tell the difference between a guy in a seemingly authentic polic uniform with all the gear I bought down at the surplus store, and me being a hardened criminal posing as a polic officer?

I'm going to leave it at that.

EDIT: I'm not a criminal. I don't maliciously break laws, and I live a "normal" life. The scenario is an theoretical example.

[Marlo Stanfield]

Most people who have to pay the electric bill won't be doing this for $0.01 an hour I would assume. $1 an hour yeah maybe. I would probably set up an old computer for $1 an hour. I know that it can't possibly be profitable for someone to mine more than $1 an hour off of an old computer so it's not a scenario that is likely to come up.

[DannyElfman]

The researchers from the Carnegie Mellon University CyLab who carried out this work, tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.

If something is for "academic" use people are generally more trusting then they otherwise should be. The same goes for noble causes like the SETI project that lets people use their computer to look for possible signals from outer space.

I think that the acceptance rate would be much lower if participants were told that the application was for "for-profit research" without a specific cause.

What makes you think a criminal won't do the same thing? I can say I'm doing an academic study when I ask people to send me 5 BTC. I can bloody say I'm from NASA doing something. But am I? Nope.

This what what people don't seem to get. Why in the world can a few words change everything. If it asks for something high-security, screw it! I won't touch that.

I can dress up as a cop and tell people "I'm a cop" and be a criminal. Could you tell the difference between a guy in a seemingly authentic polic uniform with all the gear I bought down at the surplus store, and me being a hardened criminal posing as a polic officer?

I'm going to leave it at that.

EDIT: I'm not a criminal. I don't maliciously break laws, and I live a "normal" life. The scenario is an theoretical example.

I am not saying that anything would stop a criminal from simply saying that they are doing the study for academic use. I am saying that the promise (real or not) of academic use is enough to convince a lot of people. I am not saying this is a good idea or not, but just explaining human behavior.

[Marlo Stanfield]

The researchers from the Carnegie Mellon University CyLab who carried out this work, tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.

If something is for "academic" use people are generally more trusting then they otherwise should be. The same goes for noble causes like the SETI project that lets people use their computer to look for possible signals from outer space.

I think that the acceptance rate would be much lower if participants were told that the application was for "for-profit research" without a specific cause.

What makes you think a criminal won't do the same thing? I can say I'm doing an academic study when I ask people to send me 5 BTC. I can bloody say I'm from NASA doing something. But am I? Nope.

This what what people don't seem to get. Why in the world can a few words change everything. If it asks for something high-security, screw it! I won't touch that.

I can dress up as a cop and tell people "I'm a cop" and be a criminal. Could you tell the difference between a guy in a seemingly authentic polic uniform with all the gear I bought down at the surplus store, and me being a hardened criminal posing as a polic officer?

I'm going to leave it at that.

EDIT: I'm not a criminal. I don't maliciously break laws, and I live a "normal" life. The scenario is an theoretical example.

I am not saying that anything would stop a criminal from simply saying that they are doing the study for academic use. I am saying that the promise (real or not) of academic use is enough to convince a lot of people. I am not saying this is a good idea or not, but just explaining human behavior.

Yeah, I think a lot of people will take much more liberty with what they are willing to commit when they hear that their actions will be used for an academic study. It's really a different type of motivation at that point.

[ShakyhandsBTCer]

Most people who have to pay the electric bill won't be doing this for $0.01 an hour I would assume. $1 an hour yeah maybe. I would probably set up an old computer for $1 an hour. I know that it can't possibly be profitable for someone to mine more than $1 an hour off of an old computer so it's not a scenario that is likely to come up.

If they were to have their computer running regardless then in their mind it would not change their electric bill.

Most people do not understand that a computer will use up more electricity when it's processor is running at a higher percentage of it's capacity

[kingscrown]

in internet marketign there is somethign called PPI. affiliates get paid for making people insall stuff - usualy theres hidden viruses etc. this is done trought scareware [omg you have w virus, install this freeware to get rid of it!] or just there is bundled extra programs with stuff.

[validium]

Should it be called malware if you have already given consent for it to run on your computer?

in internet marketign there is somethign called PPI. affiliates get paid for making people insall stuff - usualy theres hidden viruses etc. this is done trought scareware [omg you have w virus, install this freeware to get rid of it!] or just there is bundled extra programs with stuff.

That's why i never install any toolbar or addons which aren't open-source

[DannyElfman]

The researchers from the Carnegie Mellon University CyLab who carried out this work, tempted users into downloading and, in many cases, actually running a Windows application on their computer. After they had agreed to take part, they were told that it was for an academic study but were given very little other information about the application. The application pretended to run a series of computational tasks and paid those who installed it one cent for every hour it was left running.

If something is for "academic" use people are generally more trusting then they otherwise should be. The same goes for noble causes like the SETI project that lets people use their computer to look for possible signals from outer space.

I think that the acceptance rate would be much lower if participants were told that the application was for "for-profit research" without a specific cause.

What makes you think a criminal won't do the same thing? I can say I'm doing an academic study when I ask people to send me 5 BTC. I can bloody say I'm from NASA doing something. But am I? Nope.

This what what people don't seem to get. Why in the world can a few words change everything. If it asks for something high-security, screw it! I won't touch that.

I can dress up as a cop and tell people "I'm a cop" and be a criminal. Could you tell the difference between a guy in a seemingly authentic polic uniform with all the gear I bought down at the surplus store, and me being a hardened criminal posing as a polic officer?

I'm going to leave it at that.

EDIT: I'm not a criminal. I don't maliciously break laws, and I live a "normal" life. The scenario is an theoretical example.

I am not saying that anything would stop a criminal from simply saying that they are doing the study for academic use. I am saying that the promise (real or not) of academic use is enough to convince a lot of people. I am not saying this is a good idea or not, but just explaining human behavior.

Yeah, I think a lot of people will take much more liberty with what they are willing to commit when they hear that their actions will be used for an academic study. It's really a different type of motivation at that point.

I would be interested to know how much evidence was used to show the users that it actually was for academic purposes. For example an ".edu" address would have given them legitimacy verses a ".com" or ".it" domain

[Kluge]

https://www.andrew.cmu.edu/user/nicolasc/publications/CEVG-FC11.pdf

Relevant stuff @ bottom of p3. They posted it as a "task" through Mechanical Turk. Participants clicked through a form saying they consent to a research study but intentionally made it otherwise look like a "normal" non-academic program (second paragraph, p5).

[Ayers]

i have another machine ready for virus, no data there clean like a baby ass lol, you can't stole nothing and secure erase is always ready for it

[DannyElfman]

https://www.andrew.cmu.edu/user/nicolasc/publications/CEVG-FC11.pdf

Relevant stuff @ bottom of p3. They posted it as a "task" through Mechanical Turk. Participants clicked through a form saying they consent to a research study but intentionally made it otherwise look like a "normal" non-academic program (second paragraph, p5).

Maybe this is just the case of people being too trusting of what they are told on the internet.

Even though the research project was not anywhere on the CMU website, I would find it unlikely that participants would do that much research when the potential reward is only $0.24

[InwardContour]

https://www.andrew.cmu.edu/user/nicolasc/publications/CEVG-FC11.pdf

Relevant stuff @ bottom of p3. They posted it as a "task" through Mechanical Turk. Participants clicked through a form saying they consent to a research study but intentionally made it otherwise look like a "normal" non-academic program (second paragraph, p5).

How do you think people would have reacted if the disclosure forms were not presented to users prior to them starting the countdown timer?

[Lorenzo]

It actually kinda surprised me the rate of people who allowed for it to run for just $1/hour, even if it is $24. Nearly half of those people didn't have any red flags going up?

I'm surprised at the number of people who allowed it to run for 1 cent an hour. 1 dollar an hour, I could understand. Since that would be getting you $24 a day or $168 a week; i.e. probably enough to pay the rent and then some.