This is a cat and mouse game. We add code to detect and disable abuse – sometimes in very clever ways – and then the abusers come up with a new way of circumventing that detection. In order to prevent miners from creating long queues for legitimate free users of GitHub Actions, we have to stay on top of this all the time. So the miners are not just stealing CPU time, they are also stealing engineer time. Because without mitigations the miners will consume all available CPU, and because devising abuse countermeasures is, for whatever reason, a very powerful nerd snipe (including for me!). The sad thing is that it's displacing time that would be spent improving Actions in other ways.
Actions are awesome... but scary as soon as you have a public repos, contractor, rogue employee, etc. They seem to go against security fundamentals. Ex: Actions should allow going into default-deny mode for all basic runtime capabilities and resource use, and only brought back on via RBAC. Today, it's not hard to steal npm/pip/etc creds or get into people's corp runners. Having gone through the browser security policy heyday, this is deja vu, except now for exposing the server side and supply chain.
Ex:
- do not run on any event.. unless user authorized for that event. Same for actions.
- separate out policies and users cannot edit policies unless authorized to do that
- do not get physical/logical resources (runners, disk quota, long runs, ...) unless given
- default-deny network outbound with url safe-listing
That way only trusted users can run them, and a bit harder for them to get hurt when there is a surprising action that they run
The next level would probably be something like sandboxing : allow anyone to run an action , but a sandbox mode can autofail if violated, and have explicit imports/exports to lock down for how it gets used.
A lot possible.. but need to invest in the basics first..
Getting a hold of someone's secrets is not possible just by doing a pull request. It's really only about resource usage, at least when the runners in question provide sufficient isolation (true at least for the Github-hosted ones, or we're all in big trouble).
Unfortunately, using self-hosted runners to provide additional capabilities not supported by Github-hosted ones is basically impossible (for public repos at least) as you can't restrict a runner to an organization or project. Set up a bare-metal runner and it will receive jobs from random forks.
> Getting a hold of someone's secrets is not possible just by doing a pull request
Only if you've configured the actions correctly. I would bet that there is a high number of repositories on both GitLab and GitHub with misconfigured CI pipelines where someone can submit a PR with `env | curl` to grab any secrets defined as environment variables.
No, GitLab does not allow marking variables as secrets. They allow "masking" env variables, subject to a bunch of caveats, like your secrets not being multiple lines (e.g. a private key cannot be masked). Even then, the masking is just about log output -- it doesn't prevent a `env | curl` type situation. [0]
The correct mitigation is to ensure that any "secret" variables are marked as "protected" so they can only run on protected branches that are limited to pushes by maintainers. And you'll still need to make sure the masking works in the logs.
They do support integrating with Vault to access secrets in a CI job, but you need to pay them to use that feature. [1]
For GitLab if you don't have at least developer access to the repository (as in you are sending a MR from a fork) that will run in the context of your user, so you don't have access to any secrets configured upstream, etc.
If you have access to a repository you can customize the script to do whatever you want, but there will always be a trace tracking it back to you.
There is a discussion about ultimate security (access only when asked) Vs the convenience of self-service.
You can still avoid that by having people use a fork model, or triggering CD from an external project with tight access.
Putting a burocratic process between ICs will only limit their throughput as in Jenkins paradigm.
The better advice is don't hire people you can't trust
Add one extra command ;-) These can be innocuous if buried in something like unit tests of configs or network behavior, or in a big pr:
logs: `env | base64`
network: `env | gzip | curl`
It should be easy to set most workflows to run sandboxed with almost no capabilities - no secrets access, safelisted network access, safelisted package manager accesses for top 10 langs, etc - so that testing someone's PR isn't scary, and runtime violations make loud noises. The whole 'just disable actions on fork PRs' thing is a great default, but ultimately a figleaf as it's not hard to get someone to run an action.
Do I understand correctly that the attacker forks a repository with GitHub Actions enabled, modifies the action, submits a PR, which makes GitHub run the altered action?
If so, I wonder if there is a legit need for running modified GitHub actions from non-collaborators?
Could also subject modified actions coming in via pull requests (from non-collaborators) to heavy resources constraints and timeouts.
The mitigations you suggest are all logical. However, there are legitimate reasons to run CI and tests for outside contributions without taxing maintainers with the cognitive load of having to evaluate whether each contribution is CI-worthy.
The attack vector in the article is not the main way miners try to steal CPU from the GitHub community. It's just an interesting one that the journalist chose to write about.
But when a PR is submitted that modifies an Actions workflow, shouldn't GitHub run the old unmodified workflow until that PR is accepted?
IIRC, they already treat the .github folder as a special case; you can't push modifications to workflow files with a personal access token. So why not ensure that an action or workflow will only run if it is checked into the base branch?
That wouldn't stop PRs from modifying scripts that the action runs, but the current behavior seems a bit counter-intuitive.
If that action is "./run_tests.sh", which is a top use case, the attacker just changes "./run_tests.sh", so while I agree that's useful, it doesn't secure the typical case, and makes for a hard cost/value stance.
The threat models are probably more like 1. "make sure only the right people run actions" and separately, 2. "make sure authorized events/actions only use the expected capabilities." Both largely fail today.
Well the idea is that a person submits a PR, and the action runs to verify that the tests pass BEFORE the PR is accepted. You don’t want to wait until after the code is merged in order to see if tests still pass.
The issue is that even if you don’t allow changes to the actual action workflow, running tests gives an attacker the ability to run arbitrary code. They just need to add the code they want to run to the tests (e.g. have the tests mine crypto)
A TOTP code response is trivial to implement on the client. So if you wanted this to be meaningful, you would need to force users to use SMS 2FA, which is widely considered insecure. Not a great solution IMO.
I wonder if it would help forming an internal red team that could help stay a step ahead with such and related attacks and abuse scenarios by running such attacks against yourself?
Yes. This is just a category of attack whose growth has been incentivized by rising crypto prices. All providers of free compute are experiencing some level of mining attack right now. Eventually a new equilibrium will emerge.
A new equilibrium that thanks to cryptocurrency speculators is a worse world.
This speculation is making some people rich, yes. But the amount of externalities is staggering.
Thanks to PoW nobody can provide a free compute anymore without getting owned, and of course the environmental impact of bitcoin alone is worse than when Saddam Hussein set oil wells on fire while retreating.
Let the world burn, and products rot to shit, as long as my HODL portfolio goes up. Cryptocurrency supporters really are sociopaths, worse than any hedge fund manager.
To be clear, these are very specific problems to proof of work. It's almost to the point where I'm in favour of banning or heavily taxing proof of work mining.
There are lots of things driving for crypto besides speculation though. Suggesting cryptocurrency supporters are sociopaths is quite simplistic, and overlooks the majority who are not involved in anything like this article discusses
> There are lots of things driving for crypto besides speculation though.
Like what? I mean aside from crime.
E.g. the "Venezuela argument" has been debunked, from my reading.
In my own life I've seen employees ask to be paid in bitcoin, because of the large fees involved in getting your salary and transferring it into Brazil.
So… those "fees" are mainly taxes, and not paying them is illegal.
To steal manned argument I guess is that some people actually do want to buy stuff online without a third party knowing who paid whom.
First of all BTC is terrible for that. But second, most people don't care if a third party knows they bought pizza. Especially since the pizza place still knows, and they need to keep records anyway, because tax laws.
Fourth, if they don't keep records then they can just say you didn't pay them. They can say "oh, that was not our wallet, you must have mistyped".
Fifth, if the pizza has poop on it you can't even reverse the charge.
Sixth, every pizza place will now be a money laundering scheme.
This is not what we want as individuals, nor as a society.
But yes, some people do want to buy a pizza online and not have a third party know. It's basically LARPing.
Buying a house or a car anonymously? That was made illegal on purpose.
Buying a big mansion anonymously? Well that's clearly at the very least tax fraud.
Anyway, I truly want to hear about any legit use case for cryptocurrencies that is not just LARPing, because as far as I've seen nobody in the 12 years since bitcoin launched has come up with one that actually makes sense.
> Suggesting cryptocurrency supporters are sociopaths is quite simplistic,
Yeah, it is. It's like the old expression "it's very hard to make someone understand something when their livelihood depends on them not understanding it", or something like that.
But the amount of rationalization from cryptocurrency proponents I do think is sociopathic.
> and overlooks the majority who are not involved in anything like this article discusses
When you're in the mob you're still one of the baddies, even if you're not actually the one murdering.
I do blame every cryptocurrency supporter. They are complicit in making the world worse for their own profits. They have a moral obligation to recognize their supporting role in this, and to stop it.
In 2015 I moved to a different country. I needed to arrange to pay my security deposit for my place before I had moved. Guess what? After talking about it for a bit, it turned out bitcoin was the easiest way to do it. There was nothing illegal about this, and it saved us a giant hassle.
Cryptocurrency users aren't any more complicit in others using it for illicit activities than people who use cash. And you seem to be equating cryptocurrency with proof of work and bitcoin, which, again, are ignoring the majority of the real-world use cases.
I'm not ignoring non-PoW or non-BTC. The topic is big, and the case and data against cryptocurrencies literally have filled books.
But just to establish what you're saying, do you agree that PoW and BTC in particular is absolutely terrible for the world? Can we establish that?
I just want to make sure you're not selecting the parts I have not addressed in these comments and from there you're dismissing the things I have said.
If you can agree that PoW and BTC are awful, then there's no point in staying on that topic, but we can instead look at other parts. Otherwise it seems like a dishonest rhetorical device.
I don't know what countries you moved between, but what you did could be illegal. Or if not, the law may have not caught up yet, because the laws tend to be on the financial institutions, not the payer and payee. But probably the intention of the law is that it should be illegal.
Maybe. It depends how exactly the bitcoin was transferred.
That's requirements on payment service providers, so (maybe?) not on you. With a decentralized payment service provider, a case could be made that you are the payment service provider of this transaction, but let's assume not, to not make it simple. Still, it is the intention of this EU law that somebody is, right? That's the world in which the law was written.
If you agree with this, that the intention was that somebody has KYC (Know Your Customer) requirements on your transaction, then as I see it the only remaining argument is that you think KYC laws should not exist.
I hope I've not misrepresented you so far. I honestly want to build a trail from your truly legit and moral transaction to what it means in the larger picture.
If you're against KYC I don't quite know what your argument is (it could be a good one), but they were in fact put in place for a reason. Your honest transfer "under the radar" has the same technical means as the ISIS sympathizer's, and the money laundering mob boss's, or the tax dodging wall street CEO's.
I'll assume that you're not an anarchist-libertarian who considers all government action to be theft, and "money laundering" to be a non-crime.
So… the real question is how do we allow transactions like yours, but not make crime like this be trivial under the same technical means?
So far it's by KYC. And KYC laws and enforcement are not perfect. But baby and bathwater. If your argument is that KYC is inherently bad, then I disagree, but don't make it a distraction while actually making a different point.
Do you think anyone has ever done this with bitcoin, or any other cryptocurrency? I assume not, because cryptocurrency people will pick and choose when it's "just like cash" and when it's not. Or they'll claim "it's not in a country, it's in cyberspace". But that's all clearly rationalizing to the point of trolling.
To summarize my point: The reason we can't have nice things, the reason there are fees and taxes on international money transfers, is that this is exactly the place where an uncountable amount of fraud and crime happens. It's not "clever" to go around KYC, it's illegal. (or if not technically illegal, the intent clearly was that it would be)
(I have more points against cryptocurrencies, but bringing up every topic at the same time will just be a big distracted mess. If we've agreed on PoW, and if you agree on KYC, then maybe we can do other arguments too)
Neither of these were EU countries, but both of our exchanges had KYC. I don't believe there was anything illegal about what we did.
And I'm not libertarian (I'm far too socialist), but I do believe that there are problems with the extent to which we are being tracked by governments, especially because I have a lot of issue with various laws around the world (see: criminalizing homosexuality, drugs, sex toys, women driving) I do believe controlling the methods by which people pay for things extends government control, and having more freedom there allows more personal freedom in general. Perhaps surprisingly, I do support paying due taxes (when it's often what funds social services and social programs).
Actually, speaking of money laundering, I learned recently that you can pay taxes on illicit income and the IRS won't have any issue with you. However, I don't trust that this isn't used to track down criminals by criminal agencies. Money laundering allows people to pay their taxes without implicating themselves, so in many ways it's something I support.
I'm not in any way suggesting cryptocurrency is a good way to get around government tracking. Cash might often be better. I don't particularly support KYC, so I'm excited to see the development around decentralized exchanges. And I think painting all "crime" with the same brush is quite reductive. Yesterday's crime is too often tomorrow's activism: Breaking an NDA to expose human right's abuses, using a VPN to browse wikipedia, the list goes on.
But yes, I 100% agree about PoW being problematic, and have frequently posted on HN about how the only way it will be solved is through government intervention. I guess I'm not much of an anarchist either.
More countries than those in the EU have KYC laws. But no, I'm not saying illegal means immoral, nor that there aren't degrees of illegality. I mean that if what you did was legal, then you probably used a loophole. And that same loophole can be used by organized crime to launder money from human trafficking.
And that the trade-off between allowing your transaction and preventing organized crime is why KYC and money laundering laws were created.
I recently did a 6 figure international transfer, and I had to talk to people at the bank, who had to sign off that the source of my funds were fine and I wasn't doing anything shady (nor being defrauded). Just a 15min phone call.
For someone who regularly does this I assume it's streamlined, but it does make sense for the bank to be suspicious on multiple levels when I do the biggest transfer of my life.
They also checked with me to make sure I did basic security precautions like "Did someone contact you and tell you to make this transfer, or did you come up with it yourself? Did someone send you the account number, or did you look it up on a trusted source?".
Sure, part of that was "cover your ass" for the bank's liability to a mistake, but some of it is legally mandated for KYC/ML.
Again, don't take my comments as saying governments or these laws in particular are perfect. I'm saying they are deliberate because something like them is really really a good idea, both for the individual and society as a whole.
But I think it's a red herring to say "some governments criminalize homosexuality, therefore KYC/ML laws are bad or overreaching".
> I don't particularly support KYC
So what's your alternative proposal for preventing / detecting the crime it really does catch?
What's your proposal for forcing banks to not look the other way when drug cartels bank their profits?
Again, I'm not saying it's perfect, but without KYC/ML banks wouldn't even have an obligation to look, and would have no liability when they aid organized crime. Clearly we need to do something? KYC/ML is not flawless, but it also works. So this is not a "We have to do something, this is something" case.
If you take away KYC/ML you have to replace it with something better. Otherwise you're just saying "defund the police" with no plan to replace the police.
So that's KYC/ML.
Taxes.
I guess I brought up taxes a little bit, but it's another chapter in the book on cryptocurrencies.
Right now there is huge tax evasion happening in industries that deal with cash. Taxi drivers are a prime example, but also plumbers, carpenters, etc...
Not everyone, of course, but it's so easy for them. E.g. it's common practice among people felling trees for people that they charge a lot because they need to pay insurance in case the tree falls on something expensive. But when the tree doesn't, they just pocket the whole thing and don't tell the tax man or insurance company.
What if we had the cryptocurrency dystopia, where everyone who wants to can get paid in some ideal cryptocurrency? I bet you HUGE parts of salaries will suddenly go dark, and be tax free.
People earning 6-7 digit salaries would just not declare that at all. It would take a lot of sense of civic duty to hand off 5-6 digits per year if you know you can get away with not doing that. Most people don't have that, and I can admit I'd be super tempted too, if I knew math would protect me perfectly.
The reason people actually pay income tax today is because double entry accounting and the paper trail actually makes it hard to hide salary payments. And paying people in cash is also logistically hard, and even harder if you have to do it fraudulently.
You can do it with low wage workers, but I sure as hell wouldn't want to have to deal with thousands of dollars in my hand every week.
But even then, in many countries it's illegal to pay salaries in cash. Because of the rampant fraud that happens when salaries are in cash.
And why would you want to be paid in cash to hide it from the government? You say you believe in taxes, so the tax man will know your income eventually anyway. So there's no point in hiding it.
Interesting about IRS and theoretically not reporting you. Sounds similar to some places where robbing a bank with a fake gun carries a lighter sentence, so that robbers are incentivized to bring the fake gun instead of the real one, thus reducing harm to innocent bystanders and police.
They got Capone for tax evasion, so it's a charge you don't want. But I suspect if you just declare you bank robbery gains, that's not going to work well for you.
A lot of em are already trying to shift to other viable alternative proofs.
Your analogy of calling Cryptocurrency supporters as sociopaths.
sounds similar to insulting
Edison because he designed the inefficient incandescent bulbs , which consume waaay more energy compared to LEDs built these days.
How would it sound , if someone insults artificial light , just because of that ? .
Cryptocurrencies are perfectly good ideas/products.
> sounds similar to insulting Edison because he designed the inefficient incandescent bulbs
If he designed and sold that in 2021, trying to replace LED lightbulbs, and lying through his teeth to pump up the value of his lightbulbs, well then yes.
Can blockchain people please first come up with a use case, that isn't crime, before saying it's worth using more energy that many countries? (for a rounding error away from 0 number of transactions)
All the enumerated use cases are so naive and uninformed that clearly they've just been invented without knowledge about the field. "Move aside, expert in field, I'll just solve this with technology. No I don't need to hear you describe the issues".
Try doing a transaction comparison between any payment service that offers foreign transactions , and compare it to cryptocurrency transactions and use it once to do a real trade/purchase , or try using smart contracts in crypto , for once in your projects.
You’ll know why it’s a great product/ service
Once it’s environmental viability has been figured
out .
Hating crypto , because news reporters only show you the scammers and the speculators , is blind hatred.
Crypto has/does much much more , than just act as a form of trading / speculation
Scammers often steal money in dollars too.
Speculators often trade currency pairs with dollar in them.
Are you still gonna say people who use the dollar for daily transactions don’t exist ?
That dollar is also a good idea only for scammers and speculators ?
> Try doing a transaction comparison between any payment service that offers foreign transactions
I've done many. Order of magnitude better experience than bitcoin, which I've also done.
And without knowing that your bitcoin transaction cost many tonnes of co2 on stolen electricity (~70% of which is based on fossil fuels, per a recent bitcoin energy use study).
It's like building an instant messaging system based on throwing molotov cocktails on your neighbors houses to create smoke signals.
"Works great!"
> try using smart contracts in crypto
Smart contracts is just the dumbest idea yet. Anyone who thinks they're a good idea clearly doesn't know what the actual challenges are in existing contracts. It's not solving these challenges at all, but instead making them much worse.
> Hating crypto , because news reporters only show you the scammers and the speculators , is blind hatred.
Seriously? But that's all there is. To a rounding error.
And for good reason. Aside for committing crimes cryptocurrencies are worse in every single aspect.
> Are you still gonna say people who use the dollar for daily transactions don’t exist ? That dollar is also a good idea only for scammers and speculators ?
What do you think the percentage of dollar transaction that's crime? What do you think is the case for bitcoin?
> or try using smart contracts in crypto , for once in your projects.
If someone is willing to fund time spend on researching how to do it safely I would do it.
But I am not aware of anyone willing to fund hundreds of hours on such research. And it includes myself.
> Hating crypto , because news reporters only show you the scammers and the speculators , is blind hatred.
I do not care what 'news' reporters 'report'. I am in contact with several crypto-adjacent messages each week, all of them scammers in in mail inbox, on Telegram, in Discord.
Crypto-adjacent scam spam is over half of ads that managed to reach my on my own computer.
I consider it perfectly good reason to heavily dislike BTC and BTC-adjacent things.
> Crypto has/does much much more , than just act as a form of trading / speculation
Yes, it is also scam platform.
> Are you still gonna say people who use the dollar for daily transactions don’t exist ? That dollar is also a good idea only for scammers and speculators ?
Bitcoin is priced pretty much on par with low cost energy consumption. It's not any more profitable to mine Bitcoin now in terms of energy per dollar worth of Bitcoin then before
limit the action configurations file to be only editable by a configured set for a specific repo and give us a special folder like .github-action-commands or so that is scoped like that aswell..
I was mostly ambivalent about crypto - it seemed like a lot of speculation but I liked some scenarios it enabled (mostly scenarios where traditional payment was not practical for w/e reason).
But seeing the HW situation, energy burn, scammers, infra hijacking, etc. there are so many negatives I'm more and more in favour of making it illegal.
This is a clear case of market incentives getting corrupted and not actually providing any utility. At this point it's not about whether you believe crypto will succeed at any of it's proposed utilities, people are investing because they want to get in on the hype bubble and ride high. And once you're in you have every incentive to prothletise before you cash out.
Meanwhile the rest of us get stuck with externalities - huge energy consumption, hardware supply disruptions, hardware waste, compute hijacking, enabling scammers and extortions schemes.
I don't think crypto should be illegal but the institutions enabling it should
You should read about Accelerationism. You have a left-wing interpretation of Accelerationism (we should create new laws to handle technological divergences) and I have a right-wing interpretation of Accelerationism (as systems becomes more fragile from cryptocurrencies, such as in this example, corporations will be motivated to find cheaper ways to produce electricity, GPUs. Thus I believe that because of increased chaos, "Corporations find a way").
I always thought right wingers where interested in the Sovereignty of the Individual but you are explicitly and consciously pro-corporations? Seems likely to have some bad local maxima without regulation from the Individuals speaking thru a Democratic Government.
I am pro autonomous corporations. I want Manna[0] in reverse so that instead of making fast-food employees listen to an AI, I want to start at the top.
I think some debate on the political level is very much necessary. From the way use it to the way we manufacture crypto. At the moment it’s not just sustainable (think environment, think speculation and so on)
Crypto / blockchain is great, its current implementation is very much lacking.
It's illegal already to dump toxic waste in your neighbors pond. And just bitcoin does something way WAY worse than this.
I realize what I'm asking for. I'm asking for cryptocurrency speculators to actually pay for the externalities they cause.
Because that's the core of the libertarianism they pretend to support. But of course they don't have libertarian values. The only ideal they stand for is them getting richer by burning everyone else to the ground.
Electricity usage has major externalities which are not taxed because people would get pissed off. If every country instituted carbon taxes I'd be much more accepting of crypto/proof of work, but we're nowhere close to that happening.
The topic at hand should already be illegal, no? You don't need a cryptocurrency-specific law to cover running code on someone's server without permission.
Something like a very hefty tax for fiat/crypto exchanges would probably already solve the whole problem if a ban is the end goal.
People would still be able to use it freely for the applications crypto enthusiasts claim it is meant for (like using it as a decentralized currency for payment).
But in reality the hype (and with that, its value) would probably crash because it would not longer be as attractive for the money gambling it is actually used for.
Just a thought, I'm probably overlooking something.
No, but it lets you punish people that do them. No one is under the assumption that outlawing something means that it will never happen, and implying that people breaking the law means that the law is useless is asinine.
If we believed laws had zero effect on behavior, society would be a lot different.
Illegal is the appropriate word when you're looking at something that's draining resources (electrical and human) in every major country and providing nothing of value in return. (I've made some nice money from crypto speculating, but that's not making the world better, that's just taking advantage of bigger fools.)
Proof of work systems, which by design compete on wasting resources, need to internationally outlawed.
If people want cryptocurrencies to keep going, they can get a move on finally fucking migrating to these alternatives systems they tell us are just around the corner. If none of the major networks are able to do so, they shouldn't exist.
If there is a regulatory route towards reducing / eliminating crypto, I would hope that involves restrictions on the fiat / crypto interchange, not restrictions on what kind of math you can do with a computer.
We have rules against speculation because it highly skews towards people already with the necessary resources. 2008 is already a distant memory for some.
Math will never be outlawed, but as it stands now it is just too speculative. I don’t have an answer, but as it stands [cryptocurrency / NFT] we need to have a lively debate on what we want it to be.
This is so broad I am not sure which laws you reference. Most of the laws I am aware of talk about how bmuch money you must have to be allowed to speculate.
> Math will never be outlawed,
I wish I shared you certainty. We currently have laws about exporting some types of Math (cryptography) and we have lots politicians interested in placing further restrictions on cryptography.
Countries around the world implemented laws : Dodd-Frank in the US. Banks have tighter rules against speculative activities in general around the world after 2008. It was a mortgage crisis foremost, with lots of speculation. Crypto is kind of the same : you invest and hope to gain a return. It stands to reason you want to curb the damage it can do if (and when) it bombs.
Laws in general should not be unnecessary broad, most countries have that general rule, and while there is certainly another debate to had on privacy and backdoors, it is a different debate. So when a law comes against Crypto, it should be very specific to curb its problems.
We have already "outlawed" physics, chemistry and biology (various crimes involve these) and even communication (fraud and slander). Might as well "outlaw math" as well.
Thing is crypto already has huge negative impacts and I'm yet to see any utility that would even remotely compare. It seems like the ultimate buble hype market for people to speculate on and sell bullshit stories.
I have seen no proof that it solves anything the proponents have been touting for 5+ years now - just examples of increases in negative externalities.
Reposting my comment from another thread about DeFi. There's clear innovation and utility in that space and it would be a shame to kill it all over the worst crypto has to offer.
"There are financial primitives that cannot exist in traditional finance that I'd call pretty novel. For example flash loans allow uncollateralized loans for millions of dollars[0]. Or take KeeperDAO[1] or Dai[2] or any of the other meta protocols generating returns by providing utility. Also the sheer fact that this is all decentralized/identity-less is already a novel aspect.
Read into it- it's not as scary as it sounds and it allows for more efficient aribtrage meaning tighter markets across services. The whole transaction is atomic meaning no risk for the lenders (lump sum must be paid back in a single transaction + small interest fee).
Flash loans are only executed if the entire transaction is valid monetarily. A transaction on Ethereum is like a database, if there are any issues it's rolled back.
It’s the easiest and 2nd most secure way to pay for Mullvad VPN (also used as the backend of the Mozilla VPN). The only other alternative that leaves them with nothing to log is sending cash in an envelope.
Donations to people where paypal doesn’t work are also easier.
Those are the only uses cases (for me) I encountered and used though ;)
Can't get a log that has been wiped. But yes, Mullvad are only as good as their word. The other more expensive and complicated alternative would be to host your own vpn server, which still has the server provider as the trust anchor.
Tor is the only network sufficient enough to thwart malicious state actor's efforts.
Rumor no more [0]
No sane person should want the state marking them an enemy. Playing that game quickly becomes a contest of who'll be the first to blink. And you will in the end, blink.
It seems fairly obvious once you trace the funding on a lot of nodes. Plus that court case that got dropped with the child porn guy - they dropped it because they refused to show how they found him. 0day most likely.
It's certainly a nice tool if your country is falling apart. Nearly every other asset class is less accessible, transportable or secure against seizure than Bitcoin.
When countries descend into chaos or go full on authoritarian the best option is often to leave, but there might already be capital controls. So what can you take with you? Stocks: good luck if held by a broker in the country. Physical gold or cash: good luck at the border/customs. Foreign accounts: hard to come by for most people even in the first world due to regulations. Any serious amount of money is very hard to move between jurisdictions, especially in times of crisis, through traditional means.
If you believe your host country doesn't own you and you should be able to relocate to wherever you are treated best, Bitcoin can be a good tool if you were unprepared so far (e.g. because you didn't think a crisis could hit _your_ country). This might not be a use case for you today, especially if you are happy with your country and it is stable. But don't discount that the situation of others might differ.
That only really works for stable countries anyway. While shit is hitting the fan there will be enough incentive not to care about some silly rule as long as breaking it is not easily detectable. In the worst case trading moves from centralized exchanges to decentralized OTC trades. I don't think any government can really stop Bitcoin at this point.
If that's your critic then Proof-of-Work is the issue, not crypto currencies in general. There are multiple Proof-of-Stake implementations already in production (still very young though), each with its set of properties (see Cardano, Algorand, Tezos, Polkadot, Harmony, etc).
It took me a while to find out the description of this proof of space-time (and check whether it's satire or not), so to save you time here's the gist of it:
From the whitepaper:
Loosely speaking, the PoST consists of two phases: an initialization phase (executed once), in which miners “commit” to the data that fills the space S , and an execution phase (executed repeatedly), in which miners prove that they are still storing the data. The time component of the spacetime resource is the elapsed time between successive proofs—if the interval between initialization (or the previous execution phase) and the latest execution phase is T, this proves the miner expended S · T spacetime.
> We provide an initial security analysis of the Chia backbone, showing that as long as at least ≈ 61.5% of the space is controlled by honest parties Chia satisfies basic blockchain security properties.
That seems to be a alarming high threshold for control of the network? So as little as 38.6% can attack the network?
I think it will provide horrible incentives to demand ever greater storage space, driving up the costs of storage in the same way that PoW coins have driven up the cost of graphics cards. It's also likely to have pretty bad environmental externalities as manufacturing said storage will have both energy and material waste side-effects.
Proof of space is just as poor an idea as PoW, because if it takes off it will drive up demand and prices for hard drives, creating the same incentives around them as there is currently around GPUs.
The whole idea of creating artificial digital scarcity by basing it on physical scarcity of resources is just horrible.
Hardly. It's not about scarcity for PoS+T. The pollution, heat, and energy waste of Proof of Work far outweigh and minimal change in the cost of storage that PoS+T might bring.
Of course it’s about scarcity. If it’s profitable to dedicate storage to this scheme, it will stoke demand for that storage, the only limit of which is breakeven on the costs, scarcity and availability of that storage is then the factor limiting the space. And the whole scheme, as with all cryptocurrency, is designed to create digital scarcity in a decentralised way.
It’s a terrible plan and very shortsighted. Making hard drives isn’t free of environmental externalities.
Again, I fail to understand that math or extremist rationale. You're comparing existing significant energy waste to an artificial scenario where all drive space is hoarded - and if that case ever came true, the total energy waste would still remain less than PoW by orders of magnitude.
That's not an artificial scenario, it's the scenario that would happen if proof of space took off, people would have a financial incentive to use storage space.
> if that case ever came true, the total energy waste would still remain less than PoW by orders of magnitude.
Yes less ongoing energy use, but it does reward creation and effective waste of hard drive space, which isn't without environmental knock-on effects, both some energy use and for chemical byproducts etc.
This is not an 'extremist rationale', if you give people a direct financial incentive to get as much storage as possible, what do you think would happen?
That is a very simplistic, and incorrect, response to the problem.
GitHub provides computing resources, for free, to attract users. This is just one of the challenges of that business model. If this is intolerable for GitHub then it's up to them to find a strategy to counter it.
We don't need to ask the government to punish everyone participating in cryptocurrency.
>That is a very simplistic, and incorrect, response to the problem.
Perhaps we should consider higher-order consequences of doing absolutely nothing. Hypothetically, what happens if free-to-use code collaboration tools are forced out of the market due to rampant abuse and zero regulation? Do we care that there is now a higher barrier of entry to engage in the craft?
Do you want GitHub to start requiring state-issued identification for creating new accounts? That is where this cat-mouse game is going to end up if you allow it to continue naturally.
Since the downsides of proof-of-work get worse based on market price, instead of making it illegal, governments could try to crash it. A 10% wealth tax on holding proof-of-work cryptocurrency would encourage people and businesses who don’t cheat on their taxes to sell.
Let's start with universal carbon tax / credit system to start to curb the interplay of crypto with existential planetary threat. Less worried about taxing people with piles of virtual shells more about basic survival and human quality of life.
With credit systems we can have progressive rates i.e food can be a priority while VR and cryto can subsidize carbon neutral transition.
This problem will resolve itself in 5-10 years when people move to proof-of-stake blockchains. There will be no more demand for proof-of-work cryptocurrencies and attacks like this are no longer economically interesting.
The problem is what is illegal then? Numbers? Cryptography? Because nobody buy sell or own crypto technically, there just happen to be transactions on a distributed network, with some people knowing private keys to generate new transactions. It could be possible to regulate exchanges dealing with fiat, but I feel like the regulable surface area is thin. Also I hope Proof of stake take over so that a big part of these issues will be non existent in a few years.
> It could be possible to regulate exchanges dealing with fiat, but I feel like the regulable surface area is thin.
It may be thin, but it covers most people. Most crypto buyers use fiat exchanges. If those were ruled out, the monetary value of tokens would go down, and with it the mining incentives would lower. It wouldn't be the end of crypto, but it would alleviate many issues (energy, hardware shortage, etc).
PS: I don't think crypto is the only reason for GPU shortage (others being more demand from stay-at-home people, and general semiconductor shortages), but I believe it plays a part.
So basically get rid of all the legitimate use cases and leave the nefarious ones? Not everyone lives in the developed world where they can just Venmo their friends for brunch. Some people live in counties with capital controls that means they see their wealth disappear year after year.
Gamers in western countries have to pay slightly higher prices for their high end gaming GPUs. Excuse me while I clutch my pearls!
The cavalier attitude people have about this tech is really disheartening to see.
Can anyone claim with a straight face that the current state of the crypto ecosystem permits use cases like "splitting a bill with your friends after lunch" or "hiding your earnings from unjust taxation"?
It may aspire to be/do these things, and that's great, but that’s not the present reality.
It's the base layer of payment system. There will be a layer on top of it for things like that. When you split a check on venmo, that money isn't really there until a few days. The venmo system is a few layers removed from the equivalent of Bitcoin..
What Bitcoin provides is sound money with a fixed predictable supply not at the whims of politicians and fed officials. There is no way to increase the supply of Bitcoin by 23% like we had with the us dollar over the last year
I would expect "sound money" to have a fairly stable, predictable value in terms of real-world goods and services for which it can be exchanged. I haven't observed that to be the case for Bitcoin.
Being "at the whims of politicians and fed officials" seems in practice to provide much better stability than being at the whims of a horde of reddit "investors" (or a cabal of Chinese miners).
> Being "at the whims of politicians and fed officials" seems in practice to provide much better stability than being at the whims of a horde of reddit "investors" (or a cabal of Chinese miners).
Not to mention almost everyone I know who "invests" in crypto does so "at the whims of politicians and fed officials." SEC rulings and the likes.
If you want a (relatively) untraceable cryptocurrency, they exist [0]. Yes, most cryptocurrencies are _perfectly_ traceable - you can trace the source/destination of every transaction - contrary to the common narrative.
> slightly higher prices for their high end gaming GPUs
This is across the board, not just for high-end cards.
Newegg has a total of one graphics card released in the past 5 years in stock that it sells directly (https://www.newegg.com/p/1DW-001Z-00042), a RX 550 going for $200 (plus $8 shipping) -- the 2GB model launched at a MSRP of $79; I assume the 4GB model's MSRP would be somewhere between that and the $99 MSRP of the RX 560.
The rest of the items for sale are third parties which are often no-name brands/shippers from China (e.g. Yeston which seems to have lackluster reviews about short warranty and sloppy build quality, Corn which has many horror stories about shipping delays or just missing products), and all have similarly drastically hiked prices. Next cheapest card shipped from the US is a 560 at $279+15.
The 550 is by no means a high-end gaming GPU, nor was it when it came out.
No one has a claim on any one product such that they can demand the destruction of something millions of people find value in and that has a market value of a trillion dollars so you can have your GPU return to a price in the past that they found reasonable
You're exaggerating why people dislike cryptocurrency by focusing on a singular reason.
I think the root cause is because it's conflated with bitcoin and the PoW system it's built on top of, which is generally considered to be unproductive. Take away PoW, and you remove the incentives for miners to suck up vast amounts of electricity, the supply of graphics cards, probably even infrastructure hijacks to some point.
(And yes, I understand that the graphic card shortage is more strongly tied to Ethereum's ASIC-resistant hash. But that's still a PoW system.)
Bitcoin and PoW crypto is priced to the global lowest cost of energy. For instance, it would not be economical mine bitcoin in Los Angeles in the middle of the day in August. Most of the mining happens in remote areas in China where there is abundant cheap energy at off-peak times.
So it's not fair to look at pure energy used by the Bitcoin network as though its some fungible limited supply that we can just move away from Bitcoin production and move to Texas during the winter storm.
Regarding carbon emission, that's a political problem. If you want to create a tax on carbon, you can do that, although I'd prefer carbon capture tech. But in no way should some governing body try to allocate the validity of carbon emissions based on purpose. That would be no different than central planning where some central authority determines how many X should be produced, when and where. It's been tried and failed.
But look at the point of PoW and the purpose of crypto. Its sound money and has value, and an expense to maintain. Whats the alternative? Create a currency with a trusted central bank, and build an army to defend your organization when someone uses your currency to "fund terrorism"? I imagine there's CO2 emissions w/ maintaining an army as well
HN has hated crypto for a decade now and it's only recently been about energy consumption. It was and will be about monetary policy and the role of government in issuing currency. Kaynes vs Hayek kind of thing. Which in a way is about authoritarian vs market forces. For some reason Hacker News really likes the idea of centralized authority and criminalizing things like math and free association by threat of violence and imprisonment.
> For some reason Hacker News really likes the idea of centralized authority and criminalizing things like math and free association by threat of violence and imprisonment.
The new kind of "geek" in the opposite of the traditional "geek" who was a libertarian / pro freedom.
My guess is that most geeks can't afford to bite the hand that feeds them (google/facebook/twitter...) so they decided to loudly proclaim their allegiance to modern values (environmentalism/social justice/wokeness in general)
There were leftists among geeks the whole time. Stallman didn’t even want passwords. A lot of people viewed technology as a way to achieve mass human prosperity and end the bullshit accumulation of numbers in a database/blockchain ledger as a proxy for social status/power. The environmentalism and the desire for justice is a genuinely held belief of many scientific oriented people of a humanist bent. The difference between math and computers back then was that computers would let you do math stuff and thereby transform society.
> The environmentalism and the desire for justice is a genuinely held belief of many scientific oriented people of a humanist bent
Is it not interesting in how this is a new social good, especially for geeks working for large corporations in California?
I believe all behavior is based in self preservation: it would be career suicide for a young googler to be part of the christian right, or pro Trump, or try to pull off a Damore like memo.
So I am not surprise they do not bite the hand that feed. I am only surprised in the convoluted rationalization they engage in, instead of being more honest (at least online where they can be anonymous) and say "I pretend I'm woke because I like my job because I like the money and status it gets me"
Oceans razor good sir. And left desire to transform society has if anything decreased in the last fifty years. In the 1970s people with sincere belief said The US is on a journey towards a just and free society. Where we honor e pluribus unum. Where people programmed computers to unleash the potentially awesome society it would enable. What is new is a bunch of smart and powerful individuals settling for a salary while they give their power over to corporations that are structurally unable to stop stealing everones privacy and stop from putting human decency under the next quarters profit.
The reason why so-called Christians are unpopular is because they are seen as public hypocrites; rather than follow Jesus and condemn praying in public, and instead helping the poor, the widows, and the orphans, they seem to spend their energy seemingly endorsing superstitious racialist ideas that were clearly un-Godly 100 years ago.
Those ideas are horrid and they are rejected because they are horrid. Not because Google is pushing an agenda of the sacredness of all human beings, a mirror of the image of God no matter what history they walked to get here.
And the environmental movement is just the same as the people saying “there is a flood coming from the blocked sewer drain, let’s go unblock it.” The anti-environmentalists are the people saying, naw, don’t worry about it.
A second reply. If you sincerely believe all behavior is based on self preservation, perhaps you do not understand that a sincere Christian, seeing each person as good and capable of more good and worth suffering for, can thrive in all sorts of environments, being a angel to others and not being untrue to God and without being a notable asshole. We have songs for training people in how to do this, about Love and the Christ in me greets the Christ in thee and on on.
> Some people live in counties with capital controls that means they see their wealth disappear year after year.
So the purpose of cryptocurrency here is to enable people to evade the laws of the society in which they live? Not sure I can regard that as a "legitimate use case".
Under PoW each of those GPUs consumes significant energy and that's the real issue. It seems like a fairly cavalier attitude to ignore that fact. Maybe PoW will be fine in 200 years when fossil fuels are finally phased out, but likely not in this century.
Memory and SSD chips are made on older processes with coarser structures which means that they're more or less unaffected by the current limitations in manufacturing capacity that CPUs and GPUs suffer.
Because they're harder to build, and there is some serious HPC capacity is being built up right now around the world, which buys these chips buy thousands.
Same entities which hoard Tesla GPUs are not interested in unregistered RAM, consumer SSDs and CPUs. Unfortunately, a run of the mill Tesla is not much different from a GeForce. OTOH, RAM, CPU and SSD for these applications are built from different parts.
> The problem is what is illegal then? Numbers? Cryptography?
What is cash? Paper? Ink? Currency isn't defined by what it's made of.
> there just happen to be transactions on a distributed network, with some people knowing private keys to generate new transactions
Transactions in which digital tokens are exchanged for goods, services, or other currencies, and the recipient of the tokens generally receives no benefit other than the ability to trade those tokens again.
Cryptocurrencies are recognizable by the way they are used.
Like making drugs and alcohol illigal. Declaring something illigal doesn't stop it. It still has value - therefore it will continue on without you, and then only those that deal illigally get the benefits of crypto.
I don't care if people own or trade crypto - exchanges and financial institutions should not be allowed to trade it - there's a reason those institutions are heavily regulated.
As long as the proposed outlawing is along lines of taxation to make legitimate holdings infeasible, rather than establishing some arbitrary # of SHA256 hashes I am legally allowed to compute per unit time.
The SEC has always been in place supposedly to protect the average citizen from being able to make bad investments - however I don't understand how they dropped the ball so hard with crypto-"currencies;" regulatory capture by VC-finance industrial complex?
Is it that they are global and decentralized that made them just not take a stance on them, also the same reason it obviously would easily and quickly gain popularity as a global, decentralized MLM-Ponzi structure?
ML requires a useful corpus of data to train on. I don’t see how the energy abuse of crypto mining is remotely replicable with ML. For me, this has nothing to do with having a “neo-Luddite stance”
Training a decently large ML model requires a huge amount of compute power. There exists specialized hardware for these purposes (e.g. TPUs, FPGAs, bespoke ASICs or even the giant wafer-sized chips from Cerebras).
Besides, even after training, inference can also require huge amounts of computing power, with data requirements only a fraction of those during training.
The energy usage of ML is astonishingly high, even at inference time. Getting it down to the energy efficiency of human brains is a major area of research, sort of like proof of stake.
The parallels between the two domains are very strong for those who are well-versed in them, but some people seem to pick one or the other as "too dangerous to keep around" for some reason, which is literally the Luddite stance.
"The Luddites were an early 19th century radical group which destroyed textile machinery as a form of protest. The group was protesting against the use of machinery in a "fraudulent and deceitful manner" to get around standard labour practices."
That's not "because they thought textile machinery was too dangerous to keep around" or "because they hate technology".
I fail to see the problem here. There are legitimate (often different) concerns about both of these two technologies.
The term "luddite" is often used to dismiss legitimate concerns about the negative impacts of a technology by those with no interest in addressing their impacts. If you find yourself using that term, you should go back a reassess your writing.
I am all in favor of discussing the problems with both sets of technologies. I personally think both have the potential to move humanity forward, or to be destructive.
I think "downsides exist therefore we must ban" as OP expressed is not a reasonable position. I'd consider it a neo-Luddite stance, but if that word is too strong or has the wrong connotations, then maybe "anti-progress" or tech-restrictionist or something.
Regardless, I still have yet to see why anyone wanting to ban crypto for the states reasons would not accept the same arguments w/r/t ML.
The only reason I assume we haven't seen the same vulnerability exploited for ML is that making decent model architectures is beyond the reach of most script kiddie types.
You haven't made any argument for similarity besides "they both consume computing resources to produce something of value.”
The legitimate concerns about ML (bias, privacy loss, etc) are very different from those about crypto (energy usage, enables a signifant amount of online crime, speculation)
i see crypto currencies as the only decentralized entity to act as a counterweight to the big corporations that make a living from tracking and snooping.
monero is very anonymous; also with bitcoin i read the term "pseydonymous" - they still have to make a non trivial effort to link an address to your real identity, it is still harder than to identify you by your phone number, gmail account/apple id and credit card transactions. (even harder if you generate a new bitcoin address per transaction)
It needs to be regulated, that’s a fact. Governments are behind the ball on regulating the mining of it. The environmental damage of unbounded mining is offsetting much of climate change progress.
I'm really curious as to Who is upvoting this take.
Making something illegal won't stop it from happening. Just because tech can be used for bad purposes doesn't mean you have to or will have any effectiveness in banning it. See encryption.
It's such a lazy take, ignores the freedom aspect and goes for convenience and feels like a concern troll, honestly.
I think the upvotes are more in the spirit of "I share your frustration and negative outlook of crypto in general" rather than an endorsement of the specific policy suggestion.
While I agree that making something illegal won't stop it from happening - in this case, banning a currency drastically curtails the functionality of it. That reduces the value of it, which in turn would reduce demand and supply.
"Making something illegal won't stop it from happening"
But in the case of cryptocurrency, putting impediments in the way of exchanging it back and forwards with 'fiat' would significantly impact its appeal and demand. Could they stop it entirely? Probably not. Would it stop most people who only care about the easy profit potential and don't care about the idealogy? Probably.
Detecting mining jobs sounds like an interesting engineering challenge. Kernel has an OOM-killer, could it have a mining algorithm detector and killer too? Something that is hard to bypass.
Detecting them while they are running would be the best approach I guess. Not after the time limit when the damage is already done.
We, a medium-sized hosting provider, just do it using the process name. Works much better than you'd expect, since most miners are using very similar software. No interesting engineering challenge here, sadly.
Ssssh.... If you tell everyone that's what you do, people will just rename the binary...
The trick to protections like this is to not tell anyone how they work, and to run them only occasionally. Ie. once a week, ban half of users who are running xmrig.exe. Also include users who signed up with the same email address, phone number or IP address as the detected users and who have a consistently high CPU use - these are probably successful bypasses of your simple process name based filter.
That way bad actors have a very hard time figuring out exactly what your protections are or how they work. If they were to get an immediate ban as soon as they fired up xmrig.exe, then they'd quickly think to rename it or recompile it or run it under wine or a host of other ideas. Yet having a random selection of their accounts banned seemingly at random means they learn nothing.
Obviously you need a process for users accidentally caught in the net to get their accounts reactivated, and if you're a service like githuib you should probably let the user have a grace period to do that before killing their entire business...
So if you only ban half of illegitimate accounts once a week, does this mean I just need to launch my mining code registration scripts also once a week, ideally just after I see some of my accounts have been banned?
And doing this will get me a full week's of free mining on half my miners (if I'm the only one in the world pursuing this strategy) or most of my miners if the banning campaign is capped and also hits other abusers? It sounds like a great deal, honestly.
For most places you can get free compute power, a week's mining revenue might only be a few cents.
As long as the account sign-up process requires a captcha or phone number for the most spam-like signups, you'll keep their profits low enough to deter most people.
Good luck finding that post and linking it to the provider. That set aside, except for DDoS defense, we've run into no problems at all when talking very openly about how we operate. Seems naive at first glance, but we've had a good 10+ year run (so far!). Works for us, might not for others.
> Good luck finding that post and linking it to the provider.
No need to link it to the provider. If one provider does things that way, you want to block their method. (And, of course, the odds are overwhelming that the other providers are doing the same thing.)
It seems like a Whois search about the domain that's in your Hacker News profile yields lots of interesting information. Your previous comments seem to indicate that's a provider you work for. Maybe it's not related though. Or maybe it's just a way of doing PR. I know nothing.
Do miners heavily rely on crush instructions? Then it could perhaps be possible to reduce the performance of these instructions 100-fold, making mining useless but other code still run.
We're offering shared hosting for web apps and other hacker/toy projects. Intense compute workloads are just not what our product is built for, so we let other providers handle that part of the market.
We're aiming to make our service accessible to everyone, which involves customers choosing their own price. So there isn't a fixed price we could raise. Additionally, there is a free trial month, which adversaries typically make use of, instead of paying for the service. Hiking he price without deep additional changes is not in our interest and wouldn't change anything in our case.
Google Colab supposedly has great miner detection for example. I Googled out of curiosity recently and couldn't find any clearnet mentions of anyone bypassing it in the recent past and the old ways don't work. Though it must be possible it at minimum doesn't seem to be easy.
Google Cloud is similar (perhaps the same). I run sites there that involve arbitrary code execution by our users, and periodically Google support contacts us to report cryptomining violations. I don't know exactly what Google's heuristics are for triggering this, but their reports to us typically include the ip address of a mining pool that was contacted by one of our virtual machines. My impression is that mining typically involves a network connection.
No I am definitely not afraid of that, based on several factors: knowing what really happens in practice having used GCP since 2014; my company being in the highest tier of Google’s startup program; I know many people who work at Google (eg numerous of my past PhD students). Of course my risk analysis parameters may be completely different than yours. On a purely technical level, GCP is a good quality product.
They also care because in practice such use is often done by attackers unbeknownst to the person paying for the resources. That would much rather make the person paying aware ASAP of such usage, rather than have them be on the hook for a large bill at the end of the month. Google does have a complicated process to allow cryptomining on their infrastructure. They also flag all kinds of other suspicious activity, eg once somebody was launching DOS attack from cocalc on “the country of Turkey” and that got some of cocalc shutoff immediately.
RandomX is quite easily detectable due to the unusual use of floating point operations. Proof of concept detectors have already been created, for example https://github.com/tevador/randomx-sniffer
What's there to get under control? It cannot get out of control.
GH Action have a timeout of 60min already. A PR with about 5 jobs running for 5 hrs is nothing to gain for the culprit. The repo owner certainly finds out soon enough, and reports it at GitHub to block him. GitHub doesn't even need to start a mass scan for such losers.
Azure is such a huge server farm, nobody should care about a few 1hr miners, who get eventually thrown out.
But the easiest mitigation
would be up block outbound traffic to the miners IPs. These are well-known.
Cryptomining is a waste of energy and compute resources. Imagine such an effort being put into protein folding, or finding a cure against rare diseases instead.
What makes it worse is that a tax, higher energy or hardware costs, or increased transaction fees only speed up crypotocurrency inflation relative to other currencies. It's hard for me to comprehend, that others don't see the pyramid scheme behind it.
Ethereum is working to address a lot of those points. When it switches to Proof of Stake (beacon chain is already live), energy costs will drop significantly (talking < 100 watts / node)... Just doing minimum to process blocks, no wasteful mining.
That means network has to pay less in block reward under PoS, so inflation drops to 1% or less.
Eip-1559 upgrade this summer will also start "burning" a portion of fees. Estimates have this around 0.5% - 1.5% deflation.
Combine those features together, and Ethereum should have long term issuance at around 0% indefinitely, while still paying for validators to secure it.
It's a feedback mechanism too... If usage goes down, burn drops, supply inflates slightly, stimulating use, increasing burn again.
The idea is to make an elastic self-securing system.
I don't understand where the pyramid scheme is in that... The money being paid out to validators will by nature barely cover costs (otherwise more people will validate, reducing margins to match). Since anyone can join, and the network punishes correlated misbehavior, that incentivizes decentralization and wide disbursement of block rewards.
---
In the case of topic here, spare CPU cycles will no longer be valuable to exploit under PoS. The valuble qualities will be availability and uptime... Which won't be had by exploring in-broswer mining scripts, or CI exploits.
>Cryptomining is a waste of energy and compute resources.
I have my objections to crypto currencies, but this is not one of them. Most everything we do as humans is a 'waste' if you want to get philosophical.
Blockchain is an interesting technology. It may or may not go anywhere, but there is value in thousands of people 'playing' with it to see what's possible. That is, there is value in exploring the solution space of the Blockchain because there is possibility in finding some local or global efficiency minima. Think of it as a R&D investment that may or may not pay off. Still too early to tell.
Besides, the energy cost of the Blockchains is not and will not be the determining factor in fight against climate change or any other environmental concern. So the last thing you want is government bureaucracies cracking down on it from that angle. Let people explore and play and see where it goes.
Having said that, if crypto mining does start to impact other infrastructure, regulators may have to look at it. And there's precedent for that kind of action. For example, regulators will typically work against silver speculation because silver is also an industrial product and if the price inflates to much, it will have deleterious effects on other industries and the wider economy.
>It's hard for me to comprehend, that others don't see the pyramid scheme behind it.
There is that aspect of it and most recognize it. When crypto intersects money and acts as an investment, it should be regulated because there are a lot of nefarious individuals who are using crypto currencies to swindle money from people. For example, my next door neighbor tried to enlist me to buy into some crypto scheme recently. It took me 5 mins of googling around to see how incredibly risky that 'sure-bet' is [1]. I'm pretty sure he sunk tens of thousands of his money into it and I'm pretty sure he doesn't quite understand what it is that these scammers are offering him (basically he's trading in crypto, that he had to buy, that is popular and therefore relatively liquid - i.e. something you can actually sell - for crypto that is not and has a good chance of collapsing in the near to mid future). Regulations will help in this area.
> Cryptomining is a waste of energy and compute resources.
As others have pointed out, there is a lot of waste everywhere. If I lived further up north, I would certainly take advantage of using a compute cluster to heat my house while also generating cash. Yes, there are more efficient ways to heat a house other than 100% electricity, but it is still quite common.
But the point is, although it uses energy, it makes you money as well. And there are plenty of other such similar things. Take the financial markets for instance. It seems prior to 1980, if you wanted to create "wealth", you kind of actually had to do something. You know like found a company, invent something, claim a patent, etc. Since Greenspan cut interest rates in the 1980s, all efforts have gone into hedging against the stock market.
Outside of semi-conductors, very little tech has been invented for a few decades now. Instead, a ton of manpower (and energy) has gone into inventing financial devices to the point where house mortgages end up being sold five or six times through various lenders until they end up in a pool of mortgages that one would buy slices of. And if you were worried about risk, you could then buy "insurance" to hedge against your slices in either direction. I mean that took a lot of energy, and I'm not sure what society got out of it... Of course there is more regulation now, but still, new ETFs are made every month to fit some niche, and stock options and calls... So in other words, we've spent the last 30 years not really inventing anything but just passing a giant ball of money around through various devices.
Edit: and yes I am completely unqualified to make any of these claims. They are opinion, but they seem awfully close to reality.
As somebody who has been creating or supporting websites for mathematicians for two decades that support running arbitrary code (e.g., Pari/Magma calculator, Sage notebook, Sage Cell server, CoCalc), this is very much the case. In fact, https://sagecell.sagemath.org/ finally had to be locked down much more in the last few days due to abuse by cryptominers.
We’ve been dealing with mining at Replit since the beginning and have gotten really good at handling it. Early on they nearly bankrupt us. There was one month when our compute bill was 500% more than average. So we just had build tooling to catch it and handle it early. It’s a fun problem because it’s not only technical but also psychological.
Mining is one vector of abuse but there are many others when you’re giving free compute to the world. Especially in the radically open way we’re doing it at Replit.
This is pretty much par for the course if you allow others to run arbitrary code. I'd bet that Github deals with many cases of people trying to do this, and the only thing different here is a security researcher found it and talked to a reporter.
When I worked at ZEIT (Vercel) this was a huge issue we'd face. There was one person on GitHub that was shamelessly encouraging others to set up a docker image that ran crypto mining processes.
This is inevitable, and I'm sure every CI system has faced this issue.
I think it could be solved by requiring maintainers to kick off the CI job for every PR coming from a first-time contributor manually. I would not be annoyed by this provided that regular contributors don’t have to go through this. I think GH can further reduce the impact of this by not applying the limitation to first-time contributors who have lots of followers, forks, PR reviews, commits in the last year.
Also, edits to the CI script could be made suspect. I never had a first-time contributor on my projects start by making changes to the CI pipeline.
I am pretty sure smart folks at GH thought of this and just deliberating whether to introduce such a breaking flow to maintainers.
I think that’d definitely help. The Kubernetes project requires a maintainer to reply with /ok-to-test for the CI bot to begin testing a PR. This also helps reduces load on their CI systems, as the project gets a lot of commits.
What's to stop attackers from making a one-off harmless edit ("forgot a comma in readme") and then, once they're whitelisted, deploying a malicious executable to the CI pipeline.
I think the root issue is that people without write access to your repo can queue arbitrary compute on your dime by simply creating a PR and changing the GitHub workflow files (the definition for GitHub actions). This is even a bigger issue for companies with self-hosted runners who can't use those for public repos as an attacker could file a PR with malicious code and compromise a machine (https://docs.github.com/en/actions/hosting-your-own-runners/...)
One possible solution here is that a maintainer needs to okay any change that changes a workflow file before it runs. Not sure if that introduces other problems...
Or put the action definitions outside of the repository for which they apply.
I see the advantages of having CI configuration right next to the code, but once you start deploying multiple branches or accepting outside contributors, the downsides start to outweigh the benefits.
Having the maintainer trigger the CI job moves the problem elsewhere. Attackers will create new repositories (or take over existing ones) and create the PRs, for which they will trigger the CI jobs.
The more apparent problem is that CI jobs can execute arbitrary code and are not limited wrt. their execution time. If limited, it would render them useless when used for cryptomining.
In this specific case, a simple rule change should suffice: CI code committed for the first time does not run until after the PR closes. These guys are exploiting a loophole where you can add CI code and it runs whenever you initially open the PR. Requiring the PR to be closed before the code runs would solve this.
> Requiring the PR to be closed before the code runs would solve this.
That's not going to work! You want to make sure all the tests that run as part of the CI pass before you merge. What you can do is to make a blanket ban on auto-running the CI pipeline if the CI config was changed till the maintainer clicks Run Actions.
This simple rule change would defeat the purpose of running CI CD on external contributions: I want to see if the tests run and everything is up to my quality standards. I don't want to manually trigger the pipeline, that adds around 5 minute to every PR I receive...
However, as an attacker, I can still execute anything I want. Sure, maybe it's not as convenient as replacing the yml file, but I could embed a script in the tests that will just mine as long as possible.
The point is that you didn't solve anything, you just ruined CI CD
> that adds around 5 minute to every PR I receive...
I am sure not every PR you get touches files under '.github/workflows'. Are you sure you were replying to me and not @_fat_santa? It's his approach that ruins CI/CD as far as tests are concerned.
> Sure, maybe it's not as convenient as replacing the yml file, but I could embed a script in the tests that will just mine as long as possible.
Yes, but that slows things down a lot. Now you need to write a fake unit test that spawns a process and that will require to clone a project, get a project to build, writing different code for different programming languages and unit test frameworks...
This has been a frustrating thing for us on GitHub , not because of crypto, but for stealing credentials. It's hard to make it so only approved people can run actions and lock down what exposed actions' runtimes can do.
Until it is default-deny for ~all capabilities with say RBAC for enabling, which are basic security principles, they're pretty scary for public repos. It's even scary for private ones as you might want say a contractor or intern to be limited. That they have people publicly dedicated to whackamole response, but seemingly not to security fundamentals (or if they do, not following them / empowered to), is frustrating. Look at the GHA permissions panel and then think like an attacker or defender, it's scary.
The environment variable stuff awhile back was understandable.. but not the big issue. As basically any user can submit a PR that can make current actions that run code (ex: run tests) to run something else by editing the action or code, that means any public user can burn repo $, play in repo-exposed runners (ex: get into corp sandboxes), and if using continuous deployment or service integrations , into their production systems, wherever they publish packages, etc. GitHub is api exposed and git can have commits deleted, so they can even cover most of their tracks. This is SolarWinds all over again, but now a bot can run it automatically on ~everyone!
GHA is both one of my favorite things about GitHub but also been scary. Maybe now that they have access to some. of the best security engineers and researchers in the world, they can fix this...
Yeah and afaict actions on fork PR's are off by default. This is akin to fixing a sinking ship by plugging your fingers into holes as they appear, not how you build secure systems: default deny on all logical+physical capabilities, central authorization policies for grants, defense in depth for layering those.
Very clearly we can still see the battle between the cathedral and the bazaar. I think the idea of blocking all network traffic from the CI should be entertained. It would be harder now than it would have been twenty years ago because more and more stuff assumes you can download what ever from where ever in your CI; the art of making an air gapped software development lifecycle is evaporating. Maybe GitHub can offer per repo/per CICD white listed network access, so you can whitelist NPM and I can whitelist go Lang and no one white lists the mining endpoints.
I'm optimistic here. This stuff probably feels intimidating to most PM-types, though interestingly, it's a wonderful era for security engineers. We're in a new era of reified/virtual/sofotware-controlled-everything. There are multiple layers of virtualization already at play with each supporting all sorts of controls nowadays. Hypervisors, VMs, os / docker, networking layers can all be instrumented now -- GHA certainly does tricks here to speed up things, save money, and isolate tenants. However, they don't expose those controls too apps, so we're all an action away from a remote code execution doing... well.. anything.
I'm not sure on cathedral vs bazaar. I think it's more like disneyification: instead of handling this stuff, they want it to be a few buttons, and as soon as it's not, it's your problem. Except by nature of the intended use of actions, that's pretty fast. The other side of the spectrum is something like AWS's thrusting of a giant ball of IAM at everyone... but there is plenty of middle ground.
RE:artifactories & repos, github wants you to use those as its part of their monetization strategy -- onramp for a few paid areas + less public internet traffic costs for them. Likewise, as most package managers now have enterprise stewards or b2b investors backing them, the harder / more core parts of the tech is in place for locking down sw deps for most ecosystems.
I was excited when MS bought GitHub primarily because they could accelerate GH to support more of the software dev lifecycle. For the security side, I like they've pushed on auditing, but what could be a massive business for them and boon to the community has instead felt quite slow and small. The dev org is clearly great, just seems lopsided on focus wrt security approach.
I just meant the people saying it is crazy to allow anons to do something to run CI vs the people saying it is crazy to make me look at a PR before CI has blessed it. The prior assessment of value to an anon PR is -1 for the former, Cathedral folks, and +1 for the latter, Bazaar folks. I don’t know if FSF even now has CI but I think you have to sign paper work of copyright assignment before they consider your PR, more or less. While rando GitHub repos will take even my PRs.
If I could wave my wand no build or deploys would need to talk to the internet. We want that all to be deterministic and based on resources we control. But that battle is lost. But white listing software depos and so on seems winnable still.
It also mirrors the “unit tests / CI should be self-contained with network deps mocked” vs “it isn’t tested till it is integration tested” debate. The mock/unit test folks don’t need the network access in CI. Even the clever integration testers can spin up a DB and a local Hadoop cluster during the tests. Only the busy, harried integration testers need the real system to test against during CI. (Disclaimer I have written tests of all three kinds).
Ah, right. I'm in the camp of "Why not both?" for OSS public PRs: Make it safe for CI on external pulls by external users. To support the disneyification of security / smart defaults, make an easy button to infer the policy per workflow, such as based on the last X runs. However, instead of today's unsafe and chaotic set of checkbox rules & enforcements, tie that to an RBAC policy over user/role x workflow x capability, and cover the usual suspects of physical + logical resources that virtual & data envs typically protect.
Ex: I'd expect the typical inferred public PR CI policy to be no creds/keys, a fixed set of network URL regexes (package deps like https://npm/@trusted_org/\*), upperbounds on CPU/memory/network/disk/etc, and ~no use of internal github APIs. There's probably surprises like `apt-get update`, which in turn is probably addressable with some common special cases. Likewise, for failure modes, as long as no creds are there and resource quotas are in place, most orgs are probably ok to make network read violations be WARN instead of HALT.
That probably covers the 90-99% case when making public PR workflows much safer.
For internal teams and higher-trust actions (CD, issue bots, ...), I'd expect the same but different. Currently, I'm not really sure how to do something like "Add a contractor but keep them away from most things" except by setting up a second repo with just CI. If there was RBAC and policy inference, however, that'd be all of 2 minutes.
This is a real talking point of crypto currency enthusiasts for people that didn't know and assume satire.
They think that consuming more and more power results in more renewable energy being build. But because PoW algorithms create a static load, they siphon the energy away and when renewables cannot deliver enough power (e.g. no wind, no sun), coal and gas will be burned so blackouts don't happen.
We are one step closer to having GitHub Actions limited or disabled entirely on free accounts. Really soon it is going to be available on paid plans and for open-source after an approval.
Approval will do nothing. It's not projects who are abusing actions, but PR submitters! This is actually a much bigger risk to the PR model popularised by GH than GH would like to admit. Now the git-send-email model does not look so wrong anymore.
Wouldn't it be great if Crypto was just a giant honey pot. With the intent of creating cyber criminals who think they can get rich with crypto money but instead just end up putting tons of effort into mining coins rather than doing other simpler crimes.
I think if half the effort spent here was spent learning finance, the bad actors would have more money.
I asked this question previously[0] but why are random PRs ran by CIs by default without user intervention? It would make more sense that by default PRs aren't ran by default and an explicit whitelist or configuration option needs to be set.
[0] in a discussion about the dangers of running your own CI server. I thought it were sensible if there was a permission config file which specified who can trigger which actions, where the CI uses the permissions of the last ran commit.
I was surprised that Github Actions allows you to write scripts that anon users could trigger by opening PRs. But then it turns out this is how a lot of open source CI flows work. So maybe Github overlooked that they would become the biggest player overnight and be an obvious target?
It's really strange to me. You would think anyone offering free anything on the internet knows there are people out there who will automate abusing your compute, storage, IPs, any resources you leave exposed.
I've seen someone abuse a password reset form cuz they could advertise using that email addr '+' trick. (realuser+buy_our_scam@example.com). On a platform that didn't even have a million users. If it's free resources, there's no scam too unlikely.
What do you mean "by default"? By default workflows simply aren't run, not even when you push to master. You need to explicitly include the 'pull_request' or 'pull_request_target' event in the 'on' section of your workflow in order to build PRs. And you can implement a whitelist with reasonable ease if you want to.
However, it turns out — who would have guessed — people do want to build random PRs, because 99% of PRs aren't jerks trying to mine crypto.
---
Edit: To expand on the 'pull_request_target' event, it was introduced later and defends against running arbitrary unsanctioned workflows. It could have been introduced earlier, and maybe made more prominent, but there's a tradeoff.
Following the files used reveals the pool and wallet used. The pool lets you look up the stats for this wallet. For this wallet, it says:
> Total Paid: 163000 TRTL - 42.16$
But I guess the culprit is rotating wallets. Judging by the hash rate, the pool estimates a weekly income of 700$. It could be a multiple of this if the culprit uses multiple wallets at once.
The article says they’ve been doing this since November 2020. But I was mostly referring to how much crytpo they could really mine, since I assume the process has limited CPU, and a limited run time.
If I were them I'd mine unpopular coins hoping that they go up in value during a general bull run in the future. That way you're quite likely to end up with a decent number of coins.
This, to me, isn't news. Any platform that permits free arbitrary code execution (so, Netlify, Cloudflare Pages, GitHub Actions, DockerHub automated builds, CircleCI, et al) that can access the network can be assumed to have been abused in this manner.
I think blocking network access is the simplest fix. Just make the payor specify a whitelist. Email them the blocked attempts. You can run the white list checker on a c3a.large for a pretty big CI.
I am of the school of know and manage your dependencies. And it is really hard to block stuff with a black list. Especially when the opponent has money.
