Bitcoin Software

E-Sports League Stuffed Bitcoin Mining Code Inside Client Software

Posted by Soulskill
from the not-how-you-do-it dept.
hypnosec writes "The E-Sports Entertainment Association (ESEA) gaming league has admitted to embedding Bitcoin mining code inside the league's client software. It began as an April Fools' Day joke idea, but the code ended up mining as many as 29 Bitcoins, worth over $3,700, for ESEA in a span of two weeks. According to Eric Thunberg, one of the league's administrators, the mining code was included as early as April. Tests were run for a few days, after which they 'decided it wasn't worth the potential drama, and pulled the plug, or so we thought.' The code was discovered by users after they noticed that their GPUs were working away with unusually high loads over the past two weeks. After users started posting on the ESEA forums about discovery of the Bitcoin mining code, Thunberg acknowledged the existence of a problem – a mistake caused a server restart to enable it for all idle users." ESEA posted an apology and offered a free month of their Premium service to all players affected by the mining. They've also provided data dumps of the Bitcoin addresses involved and donated double the USD monetary value of the mined coins to the American Cancer Society.

  • by magarity (164372) on Wednesday May 01, 2013 @04:15PM (#43604243)

    Sure, it was rather poor form to have started on this project, even as a joke, but it seems they've fessed up and handled it well.

    • by Anonymous Coward on Wednesday May 01, 2013 @04:30PM (#43604411)

      Absolutely not, for an organization that is striving for legitimacy this is an extreme breach of trust.

      • by Anonymous Coward on Wednesday May 01, 2013 @04:53PM (#43604597)

        Absolutely not, for an organization that is striving for legitimacy this is an extreme breach of trust.

        So admitting wrongdoing, giving credit, and donating the money to a nonprofit is an "Extreme breach of trust"?
        How do you figure that?

        • by Anonymous Coward on Wednesday May 01, 2013 @05:14PM (#43604789)

          I figure that because it happened in the first place, which is completely inexcusable. What were they thinking? What's to say it won't happen again? You know that old saying from Tennessee, well, from Texas, but probably from Tennessee too: fool me once, shame on, hmm, shame on you, fool me... well, you can't get fooled again.

        • by Goaway (82658) on Wednesday May 01, 2013 @05:28PM (#43604905) Homepage

          They hardly "admitted wrongdoing". They made up absurd stories about how it was all an April Fool's joke, and lied about how long it had been active and how much money they had made.

          (Consider this: Which part of this "April Fool's joke" was supposed to actually be FUNNY? It was installed in secret. If it was hidden from you, how were you supposed to laugh at it?)

          • by Dunbal (464142) * on Wednesday May 01, 2013 @06:17PM (#43605199)
            We're also supposed to take them at their word that only 29 bitcoins were mined. Sure they provided the dumps. How much are they holding back?
            • We're also supposed to take them at their word that only 29 bitcoins were mined. Sure they provided the dumps. How much are they holding back?

              Less than twice the stated amount. Follow the money.

          • by Hatta (162192) on Wednesday May 01, 2013 @06:40PM (#43605339) Journal

            Consider this: Which part of this "April Fool's joke" was supposed to actually be FUNNY?

            I ask myself that every time I visit /. on April 1st.

        • Absolutely not, for an organization that is striving for legitimacy this is an extreme breach of trust.

          So admitting wrongdoing, giving credit, and donating the money to a nonprofit is an "Extreme breach of trust"?
          How do you figure that?

          They are only sorry because they got caught.

    • by girlintraining (1395911) on Wednesday May 01, 2013 @04:49PM (#43604561)

      Sure, it was rather poor form to have started on this project, even as a joke, but it seems they've fessed up and handled it well.

      ... After they were caught with their hand in the cookie jar, yes. Meanwhile, were I, a non-corporation, to do something like this, the FBI would be coming through my door with a bunch of dudes with shotguns for an enhanced "interview" over my connections to terrorism, money laundering, etc.

      So, my question is... whether intentional or accidental, it happened. That means it's a crime. So... where is the charge sheet, mmm?

      • What they did was a mistake and it was wrong to do so. But are we sure it's actually a crime?

        Looking at the facts:-

        - ESEA released software which people downloaded and willingly installed so it would be a big stretch to call it a bot net.
        - The software did what it said on the tin but it also did something else without advertising this fact to the users.
        - What it was doing is probably only relevant if mining bitcoins was illegal anyway.

        So what makes ESEA's software any different from operating systems which

        • by Khyber (864651)

          "The software did what it said on the tin but it also did something else without advertising this fact to the users."

          And I sued the fuck out of EA for the EXACT SAME THING.

          Looks like ESEA needs a visit from my legal team.

      • Sure, it was rather poor form to have started on this project, even as a joke, but it seems they've fessed up and handled it well.

        ... After they were caught with their hand in the cookie jar, yes. Meanwhile, were I, a non-corporation, to do something like this, the FBI would be coming through my door with a bunch of dudes with shotguns for an enhanced "interview" over my connections to terrorism, money laundering, etc.

        So, my question is... whether intentional or accidental, it happened. That means it's a crime. So... where is the charge sheet, mmm?

        There is a subtle difference that you seem to be missing. The difference is 'mens rea'.

      • That means it's a crime. So... where is the charge sheet, mmm?

        Well, corporations are people [wikipedia.org], so a criminal charge against the ESEA should be forthcoming.

    • How is this different than installing some trojan botnet app that does ddos attacks or steals your credit card number? They stole money from users by using electricity to mine bitcoins. Handled well? Not until their asses are thrown in jail.
    • by Nyder (754090)

      Sure, it was rather poor form to have started on this project, even as a joke, but it seems they've fessed up and handled it well.

      No they didn't.

      for example he said it was going to a S14 Pot: http://play.esea.net/index.php?s=forums&d=topic&id=492152 [esea.net]

      Yet now it's supposedly going to charity.

      I bet it goes into the corporations or the CEO's pocket.

  • Computer Trespass (Score:5, Insightful)

    by Peter Mork (951443) <Peter.Mork@gmail.com> on Wednesday May 01, 2013 @04:16PM (#43604249) Homepage
    This sounds an awful lot like computer trespass: coercing somebody else's computer into doing something on your behalf. If an individual pulled this stunt, he or she would be in prison.
    • by ThorGod (456163) on Wednesday May 01, 2013 @04:21PM (#43604317) Journal

      Yep, but instead the company involved just pays a fine. That's the only way companies pay for crimes...with dollars.

      Even if you're BP and you severely damage one of the world's oceans and kill an uncountable amount of wildlife and destroy whole ecosystems.

      • by lgw (121541) on Wednesday May 01, 2013 @04:29PM (#43604399) Journal

        See, BP's big mistake was to put out the fire. As everyone knows:

        Birds soaked in oil: evil

        Birds fried in boiling oil: tasty!

      • by dutchwhizzman (817898) on Wednesday May 01, 2013 @05:12PM (#43604765)
        Several people died in the explosions on the drilling rig. However (un)important the damage to the economy and the wildlife is, no human being gets away with killing someone and getting convicted to "only a fine", but a company like BP does.
    • Re:Computer Trespass (Score:5, Interesting)

      by Anubis IV (1279820) on Wednesday May 01, 2013 @04:27PM (#43604381)

      Probably so. Of course, the question this begs, at least in my mind, is not one of, "Why aren't these people in prison?", but rather, "Why does anyone go to prison over something so innocuous?"

      Granted, you can definitely engage in forms of trespass that are much worse than this, but for something like this situation, which was promptly handled, had no major ill effects, and was responded to in a way that indicates it truly was a mistake, I don't see why anyone should be up for prison time, whether as an individual or a part of a company.

      • Granted, you can definitely engage in forms of trespass that are much worse than this, but for something like this situation, which was promptly handled, had no major ill effects, and was responded to in a way that indicates it truly was a mistake, I don't see why anyone should be up for prison time, whether as an individual or a part of a company.

        But they are ignoring the costs of the clean-up. Every single user that had their system compromised like that needs to check everything from scratch to verify that the sports league software didn't compromise their systems in any other ways.

        The cost of that is probably in the millions. I mean major companies who already have staff on hand to handle that sort of thing as part of their regular duties routinely claim tens if not hundreds of thousands of dollars in clean-up costs, multiply that by all the o

        • But they are ignoring the costs of the clean-up. Every single user that had their system compromised like that needs to check everything from scratch to verify that the sports league software didn't compromise their systems in any other ways.

          I'm sorry, but no. You could apply the same logic to any other piece of software that was ever installed on any system ever. Unless you verified every line of code, how can you be sure that there wasn't some reused code from another project which had unwanted, but un

      • Why does anyone go to prison over something so innocuous?

        I broke into your car last night, but I didn't take anything. You wouldn't even know, if not for this message I'm leaving for you. Now, out of curiosity, does it feel innocuous to you to have your personal space violated? There was no harm done, right? Nothing was taken. You wouldn't even have known about it otherwise.

        So, you have no reason to feel violated, correct? And I could do the same thing by coming into your house, correct? You know, where your computer is.........

        • Your analogy would suggest that they broke into these computers. Quite the contrary. A better analogy might be that you invited me into your car (i.e. willingly downloaded the software), and I left behind a magnet that would pick up any loose change you dropped, but then I later thought better of it, let you know what I had done, and tried my best to make reparations.

          Again, innocuous.

          • Re:Computer Trespass (Score:4, Informative)

            by fredprado (2569351) on Wednesday May 01, 2013 @05:16PM (#43604815)
            Nah, a better analogy is, you hired me to change your tires, and I decided to put stuff in your car and copy your car lock to be able to access it and get my stuff whenever I wanted. Then when you found out I had copied the car keys I apologized and donated the results of my endeavor to a charity.

            Analogies are always wrong in the end, but wrong as it may be mine is still a lot better than yours.
            • by whoever57 (658626) on Thursday May 02, 2013 @02:13AM (#43607167) Journal

              Modifying your analogy a little:

              You took your car to a repair shop. The repair shop used your car as a taxi for a day (using your gas and adding miles to your car).

               

        • Here's a better analogy:

          They included some code in their software that intentionally performed unnecessary calculations.

      • Re:Computer Trespass (Score:5, Interesting)

        by arkhan_jg (618674) on Wednesday May 01, 2013 @05:48PM (#43605013)

        Probably so. Of course, the question this begs, at least in my mind, is not one of, "Why aren't these people in prison?", but rather, "Why does anyone go to prison over something so innocuous?"

        Granted, you can definitely engage in forms of trespass that are much worse than this, but for something like this situation, which was promptly handled, had no major ill effects, and was responded to in a way that indicates it truly was a mistake, I don't see why anyone should be up for prison time, whether as an individual or a part of a company.

        Leaving it running for at least 2 weeks is not exactly promptly in my book. Even putting it in the release code disabled, without notification, is shady as hell. The forums are apparently riddled with complaints about gpu problems, including dead graphics cards on machines running the bitcoin software. While it's entirely possible it's pure coincidence, it's also entirely possible they damaged thousands of dollars worth of high end graphics cards - which given they can easily cost $500 a pop, wouldn't take many. Consumer grade GPUs aren't designed to run full throttle for weeks at a time. Especially if, for example, a gamer has a manual fan control so they can shut up the half dozen case fans when idling, and ramp them up when they start a gaming session (I use this exact setup). A couple of generations back, I fitted after market copper heatsinks and fans to my GPUs to improve cooling at lower fan speeds, but the downside was they had to be manually controlled via a rheostat, so if something like this had been running without my knowledge it could easily have literally cooked my gpus without me being any the wiser as I ramped them down to cut noise when I was just browsing slashdot et al. Those cards are still trucking in a friend's machine several years later, incidentally.

        Criminal damage in the course of trespass for profit? Seriously bad judgement, and really not funny. Worth jail time? No. Worth some real consequences? Yes.

        • I'd certainly agree. I definitely believe that they deserve to be punished, but I also believe that the punishment should fit the crime, and jail time seems to be excessive for something such as this. Reparations to the victims and a fine would seem to make the most sense.

          • by SSpade (549608)

            If they used fraud or deception to install malware to take control of peoples machines to, say, send spam, that'd be solidly criminal.

            Sending spam probably costs the owner of the compromised machine much less than bitmining does (in additional energy costs, cooling costs and possibly accelerated degradation of the GPU, possibly leading to failure). I'm not seeing how the same standards don't apply.

          • by Lakitu (136170)

            Laws are prescriptive: they must be written and agreed upon beforehand. You cannot be punished for doing something which only becomes illegal after the fact.

            Punishments for breaking laws generally provide for a range in sentencing, giving the judicial system some leeway in case the "crime" actually was something rather innocuous or unintentional. If you think the range of sentencing doesn't quite fit the magnitude of the crimes, then you believe the law should be changed. This also needs to be pre-scrib

      • by Hatta (162192)

        Granted, you can definitely engage in forms of trespass that are much worse than this, but for something like this situation, which was promptly handled, had no major ill effects, and was responded to in a way that indicates it truly was a mistake, I don't see why anyone should be up for prison time, whether as an individual or a part of a company.

        They deserve to face prison time because Aaron Swartz, Andrew Auernheimer, Matthew Keys, Eric McCarty, Stefan Puffer, Bret McDanel all faced prison time for less

        • As the saying goes, two wrongs don't make a right. Just because someone else faced an injustice does not mean that it should continue to be perpetrated on others, which is what you seem to be suggesting. If anything, it should point to a need to reform the system and come up with a new standard that will apply to everyone, rather than continuing to apply the unjust one.

    • by gehrehmee (16338)

      This is one of those cases where hitting a score of 5 doesn't quite cut it. The double-standard here is pretty stark and depressing.

    • by Fnord666 (889225)

      This sounds an awful lot like computer trespass: coercing somebody else's computer into doing something on your behalf. If an individual pulled this stunt, he or she would be in prison.

      Based on this section of ESEA's statement, it was an individual who pulled this stunt.

      It came to our attention last night, however, that an employee who was involved in the test has been using the test code for his own personal gain since April 13, 2013. What transpired the past two weeks is a case of an employee acting on his own and without authorization to access our community through our company's resources.

    • Nope. It's fraudulent misuse of computer resources (mine). And no, I didn't download their crapware but if I had and they got caught lying to me twice, I'd charge em with the federal crime of Fraudulent Misuse of Computer Resources along with suing their asses off for the same reason and No I wouldn't go for a class action status and if the lawyer was to suggest it, I'd kick em to the curb as they're not working for me, instead for themselves.

  • by Anonymous Coward

    It's OK to add secret bit-mining code to client software as long as you do it on April 1.

  • 29 Bitcoins, worth over $3,700

    So one bitcoin is worth roughly USD$127? I imagine those who started all this bitcoin stuff are probably filthy rich by now... right?

  • Computer hacking... (Score:5, Informative)

    by aaronb1138 (2035478) on Wednesday May 01, 2013 @04:20PM (#43604297)
    I advocate the involved parties all be arrested and charged with relevant computer hacking charges. The software development community needs a clear message sent that such activities are federal crimes and will not be allowed. I don't understand why we are still tolerating a Wild Wild West attitude to computer crimes by corporations when the laws are on the books and quite clear.

    Also, trying to pass it off as merely an April fools joke is insulting as well. The closest part to a joke was the Office Space grade conversation about skimming from their own customer base.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The laws on the books aren't as clear as you think. "Hey, I didn't ask to mine BitCoins for someone else - what gives?!" is a logical user position, but I'm sure the license agreement that user agreed to upon installing basically gave them carte blanche to do whatever they wanted with his/her computer.

      Which would hold up in court - and are you sure enough to foot the bill for representation until (and possibly even if) you prevail?

      I'm not. I agree with you in spirit, but in this case their response was pret

    • by NIK282000 (737852) on Wednesday May 01, 2013 @04:36PM (#43604457) Homepage Journal

      I think it sounds like a pretty awesome business plan if you are not underhanded about it. Release your software for free with a note in the TOS that you will be mining bitcoins for the developer whenever you are using the software. Users get "free" software and developers get incentive to make software that people want to use. If you release rubbish not many people will continue to use it and you won't get paid.

    • by houghi (78078)

      Because it is corporations. We can not harm corporations. Next you know you can't even make serious mistakes (or doing fraud) as a bank and get away with it.

  • ..."They've also provided data dumps of the Bitcoin addresses involved" mean?

    I'm not up on bitcoin minutia. If these d-bags were running miners, that means that they own the coins... their wallet. So, what addresses do they mean? Specific coin IDs?

    • by Tynin (634655)

      ..."They've also provided data dumps of the Bitcoin addresses involved" mean?

      I'm not up on bitcoin minutia. If these d-bags were running miners, that means that they own the coins... their wallet. So, what addresses do they mean? Specific coin IDs?

      Yes, they went to a wallet that the ESEA owned. In your wallet, you can set up numerous addresses that you can give to unique miners so you can see how many bitcoins specific miners are bringing in. You can also just use a single address to have all of your bitcoins sent to. Either way, they'd all end up in the same wallet. As an example, here is the address I used when I first tried mining on a pool, you can use it to see how much I bothered to get from this specific pool.

      1AiyVX1Ag87gar9E3oWb3QEziUHvDBRHax [blockchain.info]

  • Using somebody's resource for benefit for themselves, without consent? Like using a car repair shop to fix his car (or others) without telling the owner?
  • Giving these idiots the benefit of the doubt, how the Hell does something like this get past the planning stage, let alone into the release client, before someone realizes 'Hey! This could cause drama'? Fuck, Uber Entertainment apparently did the same thing with Super Monday Night Combat, but at least they had the guts to announce it, and offer company scrip in return for putting extra wear on your hardware and power bill.
  • Next time don't forget to add a Bitcoin clause
    • If a developer was up front about a distributed bitcoin mining scheme being baked into their software, would some people go for it as an option to amortize, or even pay for, some useful application? Is anybody doing this already? I am wondering about the economics of this. How much does it cost per hour of mining on a modern reasonably energy efficient x86 box?
  • This looks like criminal activity under the Computer Fraud and Abuse Act. The "obtains anything of value" clause there seems to apply. When can we expect arrests?

    • by Kaenneth (82978)

      This looks like criminal activity under the Computer Fraud and Abuse Act. The "obtains anything of value" clause there seems to apply. When can we expect arrests?

      That would require the government asserting that bitcoins have actual value...

  • by h8mx (2713391) on Wednesday May 01, 2013 @04:51PM (#43604581)

    It began as an April Fools' Day joke idea

    How exactly does that work?

    "We were using your electricity and potentially damaging your computer for a whole month without your permission! APRIL FOOLS! Ha we got you good!"

  • I wonder about a website which embedded javascript which mined bitcoins as long as you were active on the page. You could bury in the TOS that you were doing it to be on the up and up. Of course you'd want to throttle the JS so the user's fans didn't spin up and alert them, but still if you had a popular enough site, you might be able to make a pretty bit-penny...

    • Re:Website with TOS? (Score:4, Interesting)

      by Shompol (1690084) on Wednesday May 01, 2013 @07:03PM (#43605445)
      TOS:
      ...
      279. By visiting this page you explicitly grant permission for our page scripts to run, regardless of the purpose, on your machine.

      There. Any responsibility avoided. Furthermore, lately they are trying to push laws in the US that breaking TOS is a federal offence, so blocking the "agreed-upon" scripts makes YOU a criminal!!
