Covert Cryptocurrency Miners Quickly Become A Major Problem

from the lessons-unlearned dept

As websites increasingly struggle to keep the lights on in the age of ad blockers, a growing number of sites have increasingly turned to bitcoin miners like Coinhive. Such miners covertly use visitor CPU cycles to mind cryptocurrency while a user is visiting a website, and actively market themselves as a creative alternative to the traditional advertising model. And while this is certainly a creative revenue generator, these miners are increasingly being foisted upon consumers without informing them or providing an opt out. Given the miners consume user CPU cycles and a modest amount of power -- that's a problem.

The Pirate Bay was forced to disable its bitcoin miner back in September, after users complained it was eating up to 90% of their available CPU cycles. Showtime was similarly caught using a bitcoin miner on two of its domains, and has yet to provide any detail on why it launched the miners or refused to inform visitors they were running. More recently, Trend Micro unveiled that at least two Android apps -- downloaded up to 50,000 times from the Google Play store -- were covertly putting crypto miners inside a hidden browser window:

Recently, we found that apps with malicious cryptocurrency mining capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER

[...]

This JavaScript code runs within the app’s webview, but this is not visible to the user because the webview is set to run in invisible mode by default. When the malicious JavaScript code is running, the CPU usage will be exceptionally high.

The explosion in bitcoin miners is both above and below board. There's indication that the bitcoin miners running on Showtime's domains were the result of a website hack. More recently, researchers from security firm Sucuri discovered that at least 500 websites running WordPress had been hacked, and that other publishing platforms including Magento, Joomla, and Drupal were also being consistently abused. Reddit users this week documented how Choice Hotels (owner of Comfort Inn) websites have also been compromised with cryptocurrency miners the company itself seems oblivious to.

Political fact-checking website PolitiFact also recently acknowledged it was hacked by intruders who installed bitcoin miners that quickly gobbled up visitors' CPU cycles without permission:

BREAKING NEWS: #Coinhive found on official @PolitiFact website in latest case of #cryptojacking. pic.twitter.com/czGc5aaug7

— Bad Packets Report (@bad_packets) October 13, 2017

Not too surprisingly, security firms like Malwarebytes have started blocking the miners:

The reason we block Coinhive is because there are site owners who do not ask for their users' permission to start running CPU-gorging applications on their systems. A regular Bitcoin miner could be incredibly simple or a powerhouse, depending on how much computing the user running the miner wants to use. The JavaScript version of a miner allows customization of how much mining to do, per user system, but leaves that up to the site owner, who may want to slow down your computer experience to a crawl.

And while these tools help some with malicious installs and hacks, plenty of websites still appear to think it's a good idea to run the miners without notifying users or providing a functioning opt out. Which means there are plenty of folks busy trying to combat the rise of ad blockers -- by engaging in the exact same behavior that caused the rise of ad blockers in the first place.

Filed Under: coinhive, cryptocurrency, miners

How To Avoid Future Krack-Like Failures: Create Well-Maintained 'Fat' Protocols Using Initial Coin Offerings

from the blockchain-cryptocurrency-fashionable-moi? dept

It came as something of a shock to learn recently that several hugely-popular security protocols for Wi-Fi, including WPA (Wireless Protected Access) and WPA2, were vulnerable to a key re-installation attack (pdf). A useful introduction from the EFF puts things in context, while more technical details can be found on the krackattacks.com site, and in a great post by Matthew Green. As well as the obvious security implications, there's another angle to the Krack incident that Techdirt readers may find of note. It turns out that one important reason why what is a fairly simple flaw was not spotted earlier is that the main documentation was not easily accessible. As Wired explains:

The WPA2 protocol was developed by the Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers (IEEE), which acts as a standards body for numerous technical industries, including wireless security. But unlike, say, Transport Layer Security [TLS], the popular cryptographic protocol used in web encryption, WPA2 doesn't make its specifications widely available. IEEE wireless security standards carry a retail cost of hundreds of dollars to access, and costs to review multiple interoperable standards can quickly add up to thousands of dollars.

The obvious way to avoid this issue is to ensure that key protocols are all freely available so that they can be scrutinized by the greatest number of people. But the Wired article points out that there's a different problem in that situation:

Even open standards like TLS experience major, damaging bugs at times. Open standards have broad community oversight, but don't have the funding for deep, robust maintenance and vetting

It's another well-known concern: just because protocols and software are open doesn't necessarily mean that people will find even obvious bugs. That's because they may not have the time to look for them, which in turn comes down to incentives and rewards. Peer esteem only goes to far, and even hackers have to eat. If they receive no direct reward for spending hours searching through code for bugs, they may not bother.

So if we want to avoid major failures like the Krack vulnerability, we need to do two things. First, key protocols and software should be open and freely available. That's the easy part, since openness is now a well-accepted approach in the digital world. Secondly, we need to find a way to reward people for looking at all this stuff. As Krack shows, current incentives aren't working. But there's a new approach that some are touting as the way forward. It involves the fashionable idea of Initial Coin Offerings (ICO) of cryptocurrency tokens. A detailed article on qz.com explains how ICOs can be used to fund new software projects by encouraging people to buy tokens speculatively:

The user would pay for a token upfront, providing funds for coders to develop the promised technology. If the technology works as advertised and gains popularity, it should attract more users, thus increasing demand for the token offered at the start. As the token value increases, those early users who bought tokens will benefit from appreciating token prices.

It's that hope of future investment gains that would encourage people to buy ICO tokens from a risky venture. But it's not just the early users who benefit from a technology that takes off. A key idea of this kind of ICO is that the coders behind the technology would own a sizable proportion of the total token offering; as the technology becomes popular, and tokens gain in value, so does their holding.

This novel approach could be applied to protocol development. The hope is that by creating "fat" protocols that can capture more of the value of the ecosystem that is built on top of them, there would be funds available to pay people to look for bugs in the system, which would be totally open. It's an intriguing idea -- one that may be worth trying given the problems with today's approaches.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: cryptocurrency, funding, ico, krack, protocols, standards, wpa2

Coinbase User (Also, Class Action Lawyer) Files To Intervene In Case Where IRS Wants Info On All Coinbase Users

from the overreach dept

We've written a bit about how the IRS is trying to force Coinbase to hand over information on all its users, because it's discovered some evidence of at least one person using Bitcoin, via Coinbase, as a tax dodge. While the demand seems massively overbroad, so far the judge has allowed it to move forward. Coinbase has indicated that it will fight back on behalf of users, but nothing definitive has been done yet -- which has some Coinbase users feeling uncomfortable. At least one has now filed to intervene in the case, in order to seek to quash the summons.

Now, where this gets slightly more interesting is the fact that the individual filing, Jeffrey K. Berns, is a managing partner of a class action law firm that has his name on the masthead. The firm does seem to be focusing on building up a reputation in the cryptocurrency world, with a blog dedicated to the topic and much of the firm's recent press relating to issues on cryptocurrencies. So it appears that some of the decision to intervene here may be a bit of brand building, as the firm seems to want to be the go-to player for legal issues dealing with cryptocurrencies. At the very least, that may raise some questions about the motivations behind the filing here -- but it does seem like some objections should be raised to allowing a grand fishing expedition by the IRS.

Filed Under: cryptocurrency, doj, irs, jeffrey berns, taxes
Companies: coinbase

Court Rubber Stamps IRS's Demand To Get All Coinbase User Data

from the um... dept

A couple weeks back, we wrote about a ridiculous and massively overbroad demand from the IRS that virtual currency exchange/online wallet host Coinbase turn over basically all info on basically all Coinbase users. They did this because they saw evidence of a single person using Bitcoin to avoid paying taxes. Coinbase expressed concern over this, but Judge Jacqueline Scott Corley didn't seem too concerned, and has granted the IRS's request by literally rubber stamping the DOJ's request. I know it's not all that uncommon for judges to accept "proposed orders" but it's still a bit disturbing to see it happen on something with potentially massive consequences. Coinbase has indicated that they're going to push back on this legally, but it's still quite unfortunate that the judge didn't seem all that concerned about this. While Coinbase says it expected the court to grant this order, and that "we look forward to opposing the DOJ's request in court," it's unfortunate how quick judges are to agree to these kinds of orders. Either way, this is going to be a case to follow.

Filed Under: bitcoin, cryptocurrency, data, doj, irs, privacy, taxes
Companies: coinbase

IRS Demands All Info On All Coinbase Customers

from the slow-down,-skippy dept

There have always been questions about the tax implications of cryptocurrencies like Bitcoin. A few years ago, the IRS came out with some guidelines, declaring cryptocurrencies to be property, rather than currency, and then taxed more like equity. But late last week, the IRS went to court to basically demand Coinbase turn over all info it has on everyone. Coinbase is one of, if not the, leading online cryptocurrency exchanges and places where many people store their cryptocurrency in an online wallet. It's a company that has bent over backwards to comply with the laws. But, no matter, the IRS basically thinks everyone who uses it is a tax cheat. Here's what the IRS demanded:

All records of account/wallet/vault activity including transaction logs or other records identifying the date, amount, and type of transaction (purchase/sale/exchange), the post transaction balance, the names or other identifiers of counterparties to the transaction; requests or instructions to send or receive bitcoin; and, where counterparties transact through their own Coinbase accounts/wallets/vaults, all available information identifying the users of such accounts and their contact information.

Uh, yeah, that's not very limited. It's not limited at all. The IRS literally wants everything. Why? Because, according to the IRS, it's investigating one single tax cheat. In a declaration, IRS agent David Utzke, talks about a single tax cheat, and says this gives him a basis for requesting all info.

After using a traditional abusive offshore arrangement for approximately 5 years, Taxpayer 1 became fatigued with the effort required to manage his offshore accounts, attorneys, and applicable regulations, and discovered virtual currency while conducting internet research on the topic. Taxpayer 1 began testing the use of virtual currency and eventually abandoned the use of his offshore structure. Taxpayer 1 was able to use virtual currency to repatriate his assets without governmental detection.

For example, Taxpayer 1 originally worked with a foreign promoter who set up a controlled foreign shell company which diverted his income to a foreign brokerage account, then to a foreign bank account, and lastly back to Taxpayer 1 through the use of an automated teller machine (ATM). Once Taxpayer 1 abandoned the use of his offshore structure in favor of using virtual currency, the steps described above were the same until his income reached his foreign bank account. Once there, instead of repatriating his income from an ATM in the form of cash, Taxpayer 1 diverted his income to a bank which works with a virtual currency exchanger to convert his income to virtual currency. Once converted to virtual currency, Taxpayer 1’s income was placed into a virtual currency account until Taxpayer 1 used it to purchase goods and services. Taxpayer 1 failed to report this income to the IRS.

Utzke also mentions two other taxpayers, which were companies, not individuals, but which used Coinbase. He notes that others are laundering money and thus likely to be using cryptocurrencies. That may be true, but it seems like a pretty big stretch to argue that means Coinbase should cough up all details on all transactions.

In the IRS's memorandum of support, it insists that it's just trying to find all the tax cheats, so it should get to look at all the records.

Since 2009, the use of virtual currency has increased exponentially. Some users value the relatively high degree of anonymity associated with virtual currency transactions because only a transaction in virtual currency, such as buying goods or services, is public and not the identities of the parties to the transaction. Because of that, virtual currency transactions are subject to fewer third-party reporting requirements than transactions in conventional forms of payment. However, due to this anonymity and lack of third-party reporting, the IRS is concerned that U.S. taxpayers are underreporting taxable income from transactions in virtual currencies. Further, because the IRS considers virtual currencies to be property, United States taxpayers can realize a taxable gain from buying, selling, or trading in virtual currencies. There is a likelihood that United States taxpayers are failing to properly determine and report any taxable gain from such transactions.

.... The issuance of the summons is warranted here because (i) the summons relates to an ascertainable group or class of persons; (ii) there is a reasonable basis for believing these U.S. taxpayers failed to comply with internal revenue laws; and (iii) information sufficient to establish these U.S. taxpayers’ identities is not readily available to the IRS from other sources.

Coinbase posted a short blog post Friday evening expressing concern over this while exploring the issues:

Our customers may be aware that the U.S. government filed a civil petition yesterday in federal court seeking disclosure of all Coinbase U.S. customers' records over a three year period. The government has not alleged any wrongdoing on the part of Coinbase and its petition is predicated on sweeping statements that taxpayers may use virtual currency to evade taxes.

Although Coinbase's general practice is to cooperate with properly targeted law enforcement inquiries, we are extremely concerned with the indiscriminate breadth of the government's request. Our customers’ privacy rights are important to us and our legal team is in the process of examining the government's petition. In its current form, we will oppose the government’s petition in court. We will continue to keep our customers informed on developments in this matter.

What happens here is going to be a big, big deal in the cryptocurrency world. The IRS had to know that this was going to get attention, and perhaps that's the intent. But this seems like a massive overreach.

Filed Under: bitcoin, cryptocurrency, irs, tax cheats, taxes
Companies: coinbase

DailyDirt: Saving For A Rainy Day

from the urls-we-dig-up dept

Physical cash seems to be a bit less popular than it once was. Some European countries are even contemplating completely digital currencies to combat the potential side effects of negative interest rates (i.e. people taking out all of their savings as cash). At the same time, Bitcoin and other cryptocurrencies could provide other means of payments without dealing with physical cash. So are we ready for a cashless society? (No, probably not for some time.) However, digital currencies could take away the importance of centralized banking, bit by bit. Perhaps some older forms of savings will make a comeback.

• A sou-sou is a kind of informal savings club where a small group of people agree to contribute cash regularly and distribute lump sums on a schedule. This kind of arrangement is not uncommon for immigrants or people who can't build credit with centralized banking systems. [url]
• Lending circles or Rotating Savings and Credit Associations (ROSCAs) is the academic term for a savings club like a sou-sou. Related savings vehicles are also called a huay, tanda or chit fund -- and some organizations are helping to document the transactions of these informal groups so that more formal credit histories can be established. [url]
• The tontine is an old kind of retirement fund (or financing scheme, actually) that was much more popular over 100 years ago. People would contribute money to a tontine with many other investors, get regular distributions... and each member's distributed share would increase as members died off (hopefully due to old age), so the longer you lived, the more you could profit. A new kind of tontine could be revived to replace the pensions and annuities that people nowadays don't seem to be participating in. [url]

Hold on. If you're still reading this, head over to our Daily Deals to save an additional 10% on any item in our Black Friday collection -- using the code: 'EARLY10' -- just through this Sunday, November 22nd.

Filed Under: alternative banking, annuity, banking, bitcoin, cash, chit fund, credit history, cryptocurrency, financing schemes, huay, investing, lending circle, p2p lending, retirement fund, rosca, rotating savings and credit associations, savings club, sou-sou, tan

JPMorgan CEO Jamie Dimon Says The Government Will 'Stop' Bitcoin

from the good-luck-with-that dept

One of these days I'm finally going to get around to writing the piece I've been planning for the better part of a year on the importance of the blockchain and cryptocurrencies, but in the meantime, it's still fun to see the way traditional bankers try to wrap their heads around it. Apparently, for JPMorgan CEO Jamie Dimon, it's to say he's not at all concerned about it because he's sure that the government will step in and kill Bitcoin should it ever really matter:

“Virtual currency, where it’s called a bitcoin vs. a U.S. dollar, that’s going to be stopped,” said Dimon. “No government will ever support a virtual currency that goes around borders and doesn’t have the same controls. It’s not going to happen.”

That's kind of an incredible statement when you think about it -- a sort of direct admission that Wall Street knows how tightly it's in bed with Washington DC, that should something like Bitcoin ever challenge Wall Street's power, he has no fear that the politicians will "stop" the virtual currency.

Talk about regulatory capture...

Of course, that confidence that the US government will kill the innovation is perhaps the biggest weakness of Dimon's argument. We have no doubt that governments are already trying their damnedest to kill off innovation around cryptocurrencies, but the larger question is really whether or not that's even really possible.

Here's the problem for Dimon: should Bitcoin really reach the point at which Wall Street really views it as a true threat, then it's probably too late for it to be stopped. That's one of the (many) interesting parts about cryptocurrencies. The ability to stop them as they get more and more successful becomes significantly more difficult, to the point of reaching a near impossibility. But, it sure will lead to some amusing and ridiculous regulatory fights.

Filed Under: bitcoin, cryptocurrency, innovation, jamie dimon, money, regulation
Companies: jpmorgan

California Proposes Bill To Ban All Unlicensed Bitcoin Businesses, Without Even Defining What That Means

from the a-mess-in-the-making dept

California, the state that prides itself as the birthplace of modern technology and whose policies such as the unenforceability of non-competes contributed substantially to the innovation ecosystem, recently proposed a law that requires innovators to get permission from the state, or be banned.

Last week CA's State Assembly announced AB 1326, a bill that would ban any unlicensed bitcoin or cryptocurrency business activity. It would "prohibit a person from engaging in this state in the business of virtual currency, as defined, in this state unless the person is licensed by the Commissioner of Business Oversight or is exempt from the licensure requirement." Banks, financial institutions, and governments would be exempted under the law, making it even harder for a startup to compete. Worse yet, the bill doesn't even define what "the business of virtual currency'" means, making it both overly vague and counter to the very nature of the trustless, permissionless innovation that bitcoin and blockchain technology enable. So right now, if you're building multisignature technology to better enable people to secure their bitcoin, or developing an open source peer-to-peer remittance app that connects users to send each other bitcoin, the state of CA could very well ban you from operating unless you've received a license.

So for the next wave of entrepreneurs building technology in the bitcoin or blockchain space, the state is poised to say that in order to start your company or release your technology, you must pay $5000 for a license and tens or hundreds of thousands in legal and compliance fees, not to mention requirements such as informing them of your educational background and 10 years of past addresses. That might be awkward for the 21 year old college dropouts working on a cryptocurrency startup. And of course there's no guarantee the state will actually grant the license, or shall we say, permission.

I wrote last summer about the problematic approach that NY state is taking with its proposed BitLicense, an attempt to make virtual currency entrepreneurs demand permission from the state to innovate, and how the even greater danger was that other states would follow suit. I expected a more innovation-friendly approach from California, but this bill may prove me wrong.

The cryptographic technology behind bitcoin itself has tremendous potential to enable more transparency (proof of solvency, real time continuous auditing), and security (multisig, threshold encryption), providing compelling solutions to public policy concerns that licensing regimes only attempt to address. The assumption that the analog-world model of licensing must fit this new and fast-evolving space is ignorant at best and dangerous at worst.

California can and should do better. It can craft policies that enable entrepreneurs to innovate and encourage them to implement good practices on security and consumer protection without requiring licensing and permission. And if California won't do it, there are many other jurisdictions that will. Australia, UK, and Singapore, to name few, are all looking to implement policies to be the crypto Silicon Valley.

Tomorrow, I and others will be discussing the development of cryptocurrency and blockchain policy at the Copia Inaugural Summit. The future viability of this important ecosystem depends on getting it right -- so we need everyone to make themselves heard as the debate moves forward.

Filed Under: bitcoin, california, cryptocurrency, financial institutions, innovation, licensing