Cryptocurrency Miners Are Now Abusing the Free Tiers of Cloud Platforms (therecord.media) 75
An anonymous reader shares a report:
Over the course of the last few months, some crypto-mining gangs have switched their modus operandi from attacking and hijacking unpatched servers to abusing the free tiers of cloud computing platforms. Gangs have been operating by registering accounts on selected platforms, signing up for a free tier, and running a cryptocurrency mining app on the provider's free tier infrastructure. After trial periods or free credits reach their limits, the groups register a new account and start from the first step, keeping the provider's servers at their upper usage limit and slowing down their normal operations...
The list of services that have been abused this way includes the likes of GitHub, GitLab, Microsoft Azure, TravisCI, LayerCI, CircleCI, Render, CloudBees CodeShip, Sourcehut, and Okteto.
GitLab and Sourcehut have published blog posts detailing their efforts to curtail the problem, with Sourcehut complaining cryptocurrency miners are "deliberately circumventing our abuse detection," which "exhausts our resources and leads to long build queues for normal users."
In the article an engineer at CodeShip acknowledges "Our team has been swamped with dealing with this kind of stuff."
"deliberately circumventing our abuse detection" (Score:5, Funny)
Oh my. The nerve of abusers deliberately circumventing detection! What has become of the earlier generation of gentlemanly abusers, who would take no steps to avoid detection? I swear, the manners of kids these days.
Re: (Score:1)
Oh yeah. The FP thing.
Yes, you drone on incessantly about it every time. You are free to leave and start your own site, filtered just the way you like it, we're not gonna strain your food for you, hire your own baby sitter
When the article is behind a paywall (Score:2)
The FP thing. How about forcing the FP author to read the story?
"No one can comment until a WSJ subscriber decides to open comments." In cases where the featured article is behind a paywall, should people have to mine cryptocurrency in order to afford a subscription?
The "value" of magic money (Score:2)
Well, I also think it should be one of the jobs of the editors to try to find sources for the featured stories that aren't behind paywalls. I didn't notice where the link went in this particular case, but I did look at the story to check for "Bitcoin". Maybe I was just lucky on a free story at a website I rarely visit?
I'm kind of disappointed no one responded with an answer to my original Subject question: "What is wrong with this summary of Bitcoin?" Though I've read a number of books about Bitcoin, I don'
Re: (Score:2)
Neither the summary nor the linked story specifically mention Bitcoin, but it's the only one I've studied enough to summarize. However, I would also be interested in summaries of other cryptocurrencies that clarified why they would abuse cloud platforms (or waste energy or do other negative things).
In the case of Bitcoin, the key is deciding who signs the data blocks. Obviously, it could be done at random at extremely low cost, but Satoshi Nakamoto decided to create a kind of artificial scarcity. When it is time for a block to be signed, there is a grand lottery among the so-called miners, and the more lottery tickets, the more it looks like scarcity and the more motivating it is for people with that old "gold rush" mentality. In Bitcoin, the lottery tickets are checksums, and the more of them you can calculate, the more chances you have to win some Bitcoins. I doubt that Satoshi was thinking that far ahead, but the should-have-been predictable result was specialized hardware to generate LOTS of checksums and even the creation of entire server farms near cheap power sources to crank out more checksums. But extending the pursuit of lottery tickets to cloud computing platforms is only a minor wrinkle for small-time crooks.
So that's my summary of Bitcoin. What's wrong with it? (But from the nontechnical perspective, I still see Bitcoin as also being a kind of pyramid scheme that has to collapse at some point. I don't have sufficient data to address any of the other cryptocurrencies.)
(As regards blockchain, I mostly see it as an interesting technology in pursuit of a "unique solution" or "killer app". Yeah, blockchain can be used for many applications, but I have yet to see any application of blockchain that cannot be handled with other technologies. And so far every time I've compared the solutions, the blockchain solution has more problems or costs than one or more of the alternatives.)
(Oh yeah. The FP thing. How about forcing the FP author to read the story? That could create a delay to allow for some better FPs? I think it would probably put an unreasonable load on the Slashdot editors, but maybe they are being paid enough to do such work? But the basic idea would be to include a comprehension question that gets triggered when you try to submit an FP. If you get it wrong, then your comment just gets queued until someone else answers it correctly and earns the FP slot. The main problem is that the question would have to be a sort of CAPTCHA that couldn't be handled with simple text searches against the story. The secondary problem is that sometimes the FP is a joke. I'm talking about an actually funny joke that deserves FP. Unlike the bit of AC drivel that got FP for this story.)
Really? That bit of fluff needs to be requoted against censorship? Angry trolls? Or losing gambler? No sympathy from me in either case, but I'm always feeling rewarded when I hit a nerve. And must even confess to feeling a bit smug that you don't have the guts or wherewithal to engage in an actual intellectual discussion, but can only resort to such trivial mod-point censorship to "defend" your position.
However, if you did lose big gambling on Bitcoin, then I do feel sorry for your dependents if they suffer
Re: (Score:2, Insightful)
That's basically what Microsoft have done, their free option is now largely pointless.
But then, your snark about not giving away free servers is also ignorant nonsense. How the fuck do you think they're going to convince people to move from on-prem to the cloud if people can't even try out the cloud without risking a significant spend?
They give away free servers because so long as people aren't breaching the T&Cs and taking the piss, it nets them more customers. These people breaching the T&Cs are g
Re:This is easy (Score:5, Insightful)
GitHub Actions continuous integration (Score:2)
Although note in the case of github distributing source code, there is no fundamental reason they need to allow running arbitrary user-supplied code/scripts on their servers (aka, cryptominers), especially in the free tier.
The cryptominers are running in GitHub Actions, a continuous integration (CI) service that lets a repository owner automate building and testing each pull request before merging it. Do you remember Tinderbox, an early CI system that Mozilla developed?
I guess one way to deter cryptocurrency mining is to put GitHub Actions completely behind a paywall. This, however, will discourage repository owners from training themselves on GitHub Actions instead of some other CI.
Re: (Score:1)
You can't engage in a conversation without resorting to insult?
We really need an "asshole" moderation. "Troll" and "flamebait" don't exactly cover it.
Re: This is easy (Score:4, Funny)
Re: (Score:3)
They should include a captcha on sign up
Captcha farms currently charge $3 per thousand solutions.
Unless they are carefully designed, captchas can be ADA violations.
Re: (Score:1)
The free servers are key to growing their market share, without free access many companies wouldn't try it and even more people wouldn't learn to use it / develop things for on it.
Re: (Score:3)
Stop giving away free servers. Problem solved.
That doesn't solve the problem. If AWS has a free tier and Azure doesn't, then potential customers will try AWS, decide it meets their needs, and sign up for a higher tier. Azure loses.
The solution may be tying a free account to some evidence of unique humanness, such as a cell phone verification.
Re: (Score:2)
I use several hosting providers and none have free tiers. Probably why they're less expensive.
Re: (Score:3)
Yeah, Google has already done this. They dramatically limited the size of the servers you can spin up in the free tier, don't allow you to use GPUs at all, and they will shut you off without warning if they detect crypto mining on the instances you spin up.
Re: (Score:1)
Rather than 'shut you off without warning', is there some way they could quietly corrupt the output of the crypto mining? Change it to put bad data into it somehow and damage the credibility of the people trying to mine with others in the community?
This is just idle speculation, but if there are ways to fuck over crypto miners doing things they shouldn't, it should be happening. The worst kind of 'errors' are those that run awhile and create deep corruption.
Re:This is easy (Score:4, Interesting)
Really? You WANT Google to monitor and possibly alter the output of your programs running on their servers? It's not enough they read the contents, now they need to alter the output?
Re: This is easy (Score:1)
Not my programs and my output. Google already monitors both of the above. Adulterating the output of mining software specifically when it is identified, and only when it is running on their free servers.
Re: (Score:2)
So you agree with the principle, it's OK for Google to monitor programs as long as the programs are not yours...
Re: (Score:1)
And that's why... (Score:5, Insightful)
Re: (Score:1)
Piratebay is still up so apparently abusing free things still works.
Re: (Score:3)
Piratebay is how we CAN have nice things even after the DRM server is shut down :-)
Cryptocurrency should just... (Score:4, Insightful)
Re: (Score:2)
It could be a legitimate system in the future but the electrical usage is definitely a problem right now. However, cryptomining is a ravenous plague without cause and cannot be sated.
Re: (Score:3, Insightful)
Not anymore. It is tainted beyond all recovery by criminals and greedy assholes.
Re: (Score:2)
Isn't that true about literally every financial system?
Re: (Score:2)
Isn't that true about literally every financial system?
No. It is true for some currencies that are unstable and where the assholes in charge just print more money to fuel their corruption.
Re: (Score:1)
It's actually a honeypot but needs to start being utilized as such. When people advocate cryptocurrency it should be noted about them.
Re: (Score:3)
Possibly. After all, depending on variant, all transactions ever made can be traced. BTC has that as a fundamental principle, and it does not get more anti-privacy unless you require clear names for every wallet. Without professional money-launderers, BTC would be completely unusable for crime.
Re: (Score:1)
Are crypto-miners difficult to detect? (Score:2)
It seems like such activity is easy to see and block
Re: (Score:1)
Yes, this is exactly the issue. Microsoft no longer give you free access to build agents in Azure DevOps unless you e-mail them to manually enable it precisely because this isn't about people abusing virtual machine instances or similar, but running mining operations on things like build agent containers where detection efforts haven't previously been focussed.
This is why we have high prices for everything (Score:3)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
It'd probably work, it depends on how much stolen credit card people charge ... A quick search says $0.11 to $1k with most being a dollar or two. I'd guess the 0.11 cards are mostly duds.
Lots of chargebacks could potentially be even worse than giving away some capacity for free.
Re: (Score:2)
Works for p0rn sites.
Re: (Score:2)
Right. Except in that biased list (other people are the abusers) the behavior of the consumer when presented with cheap and free items isn't covered. [ibtimes.com]
Re: (Score:3, Insightful)
Since cheap stuff gets abused. Cheap graphics cards, cheap games consoles, cheap housing all taken by the exploiters who call themselves market optimizers. It is why cryptocurrency has the illusion of value in the first place.
It's called arbitrage and has always existed and always will. Vendors are themselves trying to optimize and profit by selling things for one price in one market and another price in another. It's a bit ripe of them to complain when clever people take advantage of that.
Re: This is why we have high prices for everything (Score:2)
Free isn't a price, it's a marketing ploy. Free samples at Costco aren't about a market where tiny cups of food have zero value. It's about luring in and hooking a fish. It's the worms you give away when your real market is fish.
Numbers that don't accept SMS (Score:2)
A perhaps less onerous solution is to require a phone number and/or other personal ID
I've seen a lot of websites' phone verification fail when they try SMS, notice that the number doesn't accept SMS, and don't bother falling back to voice. What "other personal ID" would you suggest to accommodate users of voice-only phone service (such as landlines, wireless home phone service, or VoIP)?
Solution: Charge per CPU usage (Score:2)
If you're under a certain CPU usage for a period of time, like daily/weekly/monthly (which cryptominers won't stay under), you're "free"; but go over a certain amount, and you have to pay - either you get charged right away, with a CC on file, or else you have whatever is running throttled.
Of course, there's the issue of a stolen CC being used to deal with, but that's not a new problem, and is likely easier to detect already (there's already an infrastructure for that).
Re: (Score:2)
You just described *precisely* how it works today.
Re: (Score:2)
Then they clearly missed a step - actual monitoring and charging; I can't see cryptominers being "cautious" about the CPU usage - the summary even states it negatively affects other customers, so it should be easy to spot the abusers (constant 90%+ usage, instead of occasional spikes). I'm sure the style of usage should also be easy to detect
If they throttled the cryptominers unless there was enough payment for the CPU usage, it wouldn't become profitable for them to abuse it.
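Added example, not part of the comment above and not any provider's actual detection code: a sketch of the "constant 90%+ usage, instead of occasional spikes" signal applied per job. The one-reading-per-minute sampling, the thresholds, the job names and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Verdict:
    job: str
    high_fraction: float  # share of readings at or above the threshold
    longest_run: int      # longest streak of consecutive high readings
    flagged: bool


def longest_run_above(samples, threshold):
    """Length of the longest consecutive run of samples >= threshold."""
    best = run = 0
    for s in samples:
        run = run + 1 if s >= threshold else 0
        best = max(best, run)
    return best


def assess(job, samples, threshold=90.0, min_run=30, min_fraction=0.8):
    """Flag a job whose CPU stays pinned, not one that merely spikes.

    samples: CPU utilisation in percent, one reading per minute (assumed).
    A job is flagged only if it has at least min_run consecutive high
    readings AND at least min_fraction of all its readings are high, so
    short jobs and bursty builds are left alone.
    """
    if not samples:
        return Verdict(job, 0.0, 0, False)
    high = sum(1 for s in samples if s >= threshold)
    fraction = high / len(samples)
    run = longest_run_above(samples, threshold)
    return Verdict(job, fraction, run, run >= min_run and fraction >= min_fraction)


# Constructed sample data, not real telemetry.
SAMPLES = {
    "ci-build": [15, 20, 95, 98, 97, 40, 10, 96, 99, 30] * 6,  # compile bursts
    "short-test": [99] * 5,                                     # busy but brief
    "pinned": [12, 35] + [97, 99, 98, 96] * 15,                 # flat-out for an hour
}


def flagged_jobs(data=SAMPLES):
    """Names of the jobs that the heuristic flags."""
    return [v.job for v in (assess(j, s) for j, s in data.items()) if v.flagged]


if __name__ == "__main__":
    for job, readings in SAMPLES.items():
        print(assess(job, readings))
```

Requiring both a long streak and a high overall fraction is what separates the hour-long pinned job from a build that hits 95% or more only during compile phases.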
Re: (Score:2)
They are monitoring and charging. The cryptominers create new accounts when they run out of free credits and start to get billed.
What do you mean, "now"? (Score:2)
Re: (Score:2)
My impression is that nobody bothered with this idea because the amount of processing power available per free account was so minuscule, but I suppose if they can handle these accounts en masse the equation changes...
Duh? (Score:2)
What if I told you, that by merely investing the smallest amount of physical effort to take advantage of the generosity of free service providers, you could initiate mathematical calculations that have no value but to facilitate criminal activities, thereby keeping a percentage of the earnings as your reward? What if I further told you that depending upon the economies of your place of residence, those percentages could significantly compete with the wages you would have earned exerting the greatest amount
Re: (Score:2)
What if you just simply said what you mean?
Re: (Score:1)
Re: (Score:2)
Think of the electricity grid in these developing countries - should it really be consumed by cryptomining?
Struggling to imagine how a person subsisting on $2/day could afford the hardware and electricity costs to "generate" money.
I thought about this at least 3 years ago ... (Score:2)
... and assumed I was behind the times. I figured - come on, that's so obvious, somebody must have thought of that, and figured out a way to detect, and prevent it.
FFS, my employer can prevent me from running mining apps on our behemoth (totally under-utilized) servers - I've tried - why can't the geniuses at GitHub and the like do the same?
Clearly I couldn't be a tech-abuser (Score:2)
How are they getting access again once banned?
I already used up my free tier of AWS, years ago. Is it possible to get it again?
What services offer free tier using GPUs? Answer? (Score:2)
What services offer free tier usage with GPUs? Answer: none.
Can someone explain how CPU mining is in any way producing profits for the exploiters?
Re: (Score:2)
Abusing their CI? (Score:2)
Only allow certain executables and only allow scripting languages. Ban arbitrary native binaries on free tier. Problem solved.
Gangs? (Score:2)
Are they bangin' in the hood packing a Glock when they are not cryptoin'?
Gangs are scary, so calling a bunch of kids taking advantage of cloud computing trials "gangs" gets people all excited and aroused, and it generates clicks as well as giving law enforcement to try out their big scary toys.
Why didn't I think of that? (Score:2)