Employee "Disciplined" For Installing Bitcoin Software On Federal Webservers
Fluffeh writes "Around a year ago, a person working for the ABC in Australia with the highest levels of access to systems got caught with his fingers on the CPU cycles. The staffer had installed Bitcoin mining software on the systems used by the Australian broadcaster. While the story made a bit of a splash at the time, it was finally announced today that the staffer hadn't been sacked, but was merely being disciplined by his manager and having his access to systems restricted. All the stories seem a little vague as to what he actually installed, however — on one side he installed the software on a public facing webserver, and the ABC itself admits, 'As this software was for a short time embedded within pages on the ABC website, visitors to these pages may have been exposed to the Bitcoin software,' and 'the Coalition (current Opposition Parties) was planning on quizzing the ABC further about the issue, including filing a request for the code that would have been downloaded to users' machines,' but on the other side there is no mention of the staffer trying to seed a Bitcoin mining botnet through the site, just that mining software had been installed."
SETI@Home (Score:5, Interesting)
Reminds me of the guy who got fired for running SETI@Home on all the PCs where he worked. Of course, he also (allegedly) stole 18 computers and accelerated the depreciation cycle, etc...
Re: (Score:2)
In this case, it IS theft. The whole idea of bitcoin is to generate 'value' by using computing power. That computing power (and the very real actual power behind it) is not his to spend, but he nevertheless was converting it to 'cash' for his own benefit.
SETI also uses very real power (and cooling) to do its work.
Re: (Score:2)
There are two costs: the cost of "computing power unavailable to the organization", and the "additional power consumed". The first would be his impact on systems, and would be extremely difficult to measure. But the second is very easy: measure the increase in machine power consumption caused by running the client. Did it draw an extra 160W per server? Multiply that by the number of servers, and then double it to account for the additional cooling required to remove the extra heat. There's the increase
Re: (Score:2)
They did that with the SETI case and figured it to be in the low seven figure range (hundreds of PCs over several years).
Re: (Score:2)
There are two costs: the cost of "computing power unavailable to the organization",
This is by far the larger of the two, the other is negligible. People's time is valuable, if you slow down computers on a network you're stealing hours, possibly hundreds of hours or more per week, depending on the size of the employer and how much it's slowed down. That adds up very quickly. Sure, the company can upgrade the network and clients - but that's very expensive too.
Re: (Score:2)
But it's almost impossible to measure the impact of the computing power lost. First, were there actual delays incurred because of the mining software, or did the process quickly get out of the way when a higher priority task happened? If there were delays, would they know how many internal users were supposed to be using it, and how much additional payroll burden they had due to those users working overtime because of the delays? Or if they didn't put in any overtime because of the delays, did they accom
Re:SETI@Home (Score:4, Informative)
Both Seti@Home and the default client for Bitcoin operate at the lowest thread priority possible (at least for a standard high level application that doesn't go into kernel mode). They are designed explicitly with the goal in mind to not get in the way of other programming tasks and should take up the CPU computing time normally performed by some other sort of idle process that most operating systems have when there is nothing else for the CPU to be performing.
In terms of "people's time is valuable", that is utter bullshit. This software will not steal hours and in both cases the network bandwidth is negligible as well. Network bandwidth might be a lesser issue to worry about, but these are very lightweight protocols.... Seti@Home especially. Browsing one web page per hour is going to suck up far more bandwidth, and don't even get started on any multi-media content like streamed audio or video.
In terms of CPU bandwidth, this would be CPU cycles that the computer would otherwise be doing absolutely nothing anyway. There is a very slight overhead in terms of having a few extra threads for the CPU to manage that otherwise wouldn't be there (very small overhead but is still there nonetheless) and these processes do take up a small portion of the RAM on the computer as well which could impact performance of some applications that are poorly written or are memory hogs. If you are running Microsoft Windows, the Windows Explorer program itself is such a wasteful hog of resources that any other application like Bitcoin or Seti@Home are marginal noise by comparison, much less if you are running something like MS Office. Linux is a bit more lean but even then a GUI shell of almost any sort also tends to chew up a whole bunch of system resources that put to shame anything these other applications perform... and both software packages can be operated in command-line only mode as well to reduce system impact.
One other side issue is simply software systems interaction. As much as you hope that modern operating systems keep data and code separated from one application to the next and some strong memory protection to keep programs from clobbering each other or impacting each other in competition for "system resources" of various kinds, sometimes weird interactions happen between various applications that can sometimes produce unexpected results. Simply having this software on a computer might cause a software glitch merely by being there. It certainly introduces more potential bugs to a computer system. On the other hand, these software packages are heavily tested and bugs which would crash your computer with something like the Blue Screen of Death would likely have been found and fixed with popular software packages like Bitcoin and Seti@Home, where my first guess for a BSOD would be something else and putting these applications as nearly the last thing to consider for system troubleshooting. Regardless, I've uninstalled this kind of software on systems I've used when trying to do software development if only to reduce the number of variables that might be causing problems with my software.
The problem is that many modern computer systems have a reduced power option when they are idle, even if it is for just a fraction of a second. In particular the Bitcoin software tends to do some rather high performance mathematical routines that require parts of the CPU to be powered that otherwise wouldn't be in a low-power mode, or perhaps really push the GPU to be performing calculations that can be very energy intensive. For older computers, this is something that wouldn't even be noticed as the CPU power consumption on older CPUs was rather constant but for the newer computers it can mean a doubling of power, certainly causing more heat to be generated and if they are in an air conditioned server closet that increased power consumption is something that could potentially be rather significant and even noticeable to an outside observer like a comptroller who notices that power consumption has increa
Re: (Score:2, Informative)
This guy was disciplined... at least according to the original article.
I've installed software like this on computers where I had permission to install various kinds of applications on those computers and was told to use my own judgement in those situations. It wouldn't hurt for a Director of Information Technology to set policies on distributed computing projects of various kinds as it relates to the organization in question, and in the case of Bitcoin it could be argued that any work units that are found
Re: (Score:1)
It reminds me that I'm not Australian and have no fucking clue what ABC is. Australian Bit Coins? Angry Boss Coming? Another Bloody Chump? Australian Bureau of Comfusion?
It wouldn't hurt to spell out the acronym once, unless you're talking about something every nerd in the world would recognize.
Re: (Score:1)
Australian Bureau of Comfusions great! ... Can we keep that one?
ABC => Australian Broadcasting Corp... I think it's close to your NPR content wise but is funded by the Govt.
JavaScript Miner? (Score:2)
A wild guess is that he just embedded js code in there to mine some coins. Or WebGL? I wouldn't call it an "installation" and I don't imagine he put malware in there.
Re:JavaScript Miner? (Score:5, Insightful)
Depends on how you define malware. Some people would consider malware to be anything that runs on your computer without permission or knowledge. The "mal" part would be where it uses your system resources that could otherwise be allocated to programs you want to run.
Re: (Score:3)
dragon dictate?
Re:JavaScript Miner? (Score:5, Funny)
Many times I have court myself typing the wrong homonym. Like won part of my brain is dictating phonetically to the dumb typist lobe.
Nobody else does this? The odd thing is it is very obvious on proofreading, unlike a lot of other typo's that are easily mist.
Re: (Score:1)
Well good then. Mod me down.
Fact remains that the GP here is an illiterate that was able to pass himself off to the mods as +5 insightful.
Re: (Score:3)
Busy computers consume more electricity. And electricity costs real money. Now sum this up over all the customers who unknowingly lost a couple of cents like this, and suddenly we are talking real money. One of the rare cases where the "theft" label is appropriate for a digital crime.
So basically, he spent other people's real money in order to steal virtual money. I have to agree, theft.
Re: (Score:2)
Yeah, this is obviously theft of electricity/computing power.
I'm not sure you'd have to seek users' consent though, just like the online ads don't need to, but it should have been made explicit. Therefore it is stealing.
The "malware" part, I don't know. If we call it that, then a lot of scripts fall in the gray area. There are a lot of things that websites do without knowledge or explicit consent of the user, that a user may or may not want. This specific case is immoral (let's call it theft of computing
Duh? (Score:3, Informative)
I don't know how it is down under, but in the US federal systems are "For Official Use Only" meaning if you use them for personal gain, you're in hot water.
Re: (Score:3)
Government issued cars with "For Official Use Only" would seem to be an exception to that. I've seen a Lexus around here with that stamped on it with a car seat and groceries piled in it. Sure, there could be an official reason for that but the odds are against it.
Re: (Score:2)
So take a picture of the car and license plate and post it online. Watch the hilarity ensue. (IANAL.)
You could start your own Leak site.
Re: (Score:1)
Oh don't get me wrong, of course people are going to abuse "For Official Use Only" equipment/vehicles/etc...and the government is aware of the abuse.
The problem becomes...if you discipline everyone who abuses it...you end up disciplining 95% of your workforce, reducing morale, and getting them to work even less.
So, you have to decide what kind of abuse is tolerable, and what isn't. So while someone may not get in trouble for using their FOUO car for groceries on the way home from work, they would get in tr
Re:Duh? (Score:5, Insightful)
So while someone may not get in trouble for using their FOUO car for groceries on the way home from work
That's almost the definition of why they give you a TDY car, not abuse of the system at all. Been there, driven that. It was not a snazzy Lexus but some POS falling-apart compact Chevy for me. The scandal is why it's a Lexus, not why it's at the grocery store. Cheaper for the .gov to essentially be its own leasing company than for them to reimburse you for a rental or endless taxi. Also think about it... if you bring donuts to an official meeting at any time during your TDY, that grocery trip was now official business. Sgt merely told me not to do anything I wouldn't want my mom to see on the front page of the paper (nowadays they probably say on Facebook or whatever). This was nearly 20 years ago, things may be different now.
You end up in some pretty twisted logic if you give TDY people a car and pay them a TDY per-diem specifically for food that they can only spend on foot, or something weird like that.
Re: (Score:3, Funny)
nowadays they probably say on Facebook or whatever
Given the stuff people put on FB I am not so sure I would recommend this yardstick...
Re: (Score:2)
If you don't mind it showing up as the lead headline of Drudge Report or Huffington Post, I suppose that is the current real yardstick.
I'd agree with you on FB and Twitter though. I swear some people post messages each time they take a dump.
Taxed? (Score:1)
In Canada, you pay taxes based on your "personal use" of a work-supplied vehicle.
This includes if you take the office vehicle to/from home (unless you don't have a centralized workplace AFAIK, for example if you're a delivery driver). Mileage should be assessed and at the end of the year you're expected to pay extra based on the percentage that was "personal" VS "work-related" travel.
The part that sucks for some people is that the actual "benefit" (what you pay taxes on) is based on the purchase value of th
Re:Duh? (Score:5, Informative)
Government issued cars with "For Official Use Only" would seem to be an exception to that. I've seen a Lexus around here with that stamped on it with a car seat and groceries piled in it. Sure, there could be an official reason for that but the odds are against it.
I can authoritatively comment on this, that a TDY car for all intents and purposes can be used almost exactly like a privately owned vehicle. TDY is the govt equivalent of a short to medium term business trip (maybe 1 day to I think a max 6 months). Basically it's cheaper for the .gov to act like a car leasing company to itself, than to reimburse a .gov employee for a rental car. Which is bizarre, you'd think Enterprise Rent-A-Car would donate re-election funds to politicians to take over that apparently lucrative market, but they haven't done so ... yet. Someday it might happen to eliminate the non-scandal scandal stories.
The law says something like "administrative discretion" so it's one of those "character" tests where you can do anything your boss allows but don't do anything stupid. This is really the only rule for a govt car. It can be hard for outsiders to wrap their head around this concept of not having 1000 individual specific rules, and only having a general rule of don't do something your boss thinks is dumb. A remarkable amount of .mil paperwork and regulations regulate to death the stupidest little things, and there is also no paperwork and no regulation for some of the most complicated things. Discretion and good taste...
Get permission from boss to drop kid off at daycare, fine no problemo as long as you have that permission. Drive to an occupy-wall-street protest in a non-official role, or as a protester, um... that might be a problem. Food store/restaurant while on TDY, almost certainly OK, that's the whole point of giving you a TDY car. Dive bar while on TDY, could get you in hot water depending on your boss and local culture and especially your behavior (this can be an additional charge in a conduct unbecoming hearing, or it can just be ignored if the department memorial day party is held at the dive bar). Do anything as a recruiter however tangentially far fetched as long as it directly involves potential recruits, OK. Do almost anything as a recruiter alone in a car without obvious recruit involvement, probably a bad idea.
Re: (Score:2)
Do anything as a recruiter however tangentially far fetched as long as it directly involves potential recruits, OK.
But make sure not to leave any white (... or worse: brown...) stains on the back seat...
Re:Duh? (Score:5, Informative)
Yeah that happens, and falls in the "do anything your boss allows but don't do anything stupid" superset of rules, although it's also covered by the "don't do anything you wouldn't want your mom to see on the front page of the newspaper".
From personal experience, everyone seems to have heard some story about how a hot female recruiter got all the guys to sign up, but no one has anything more than "I heard" and a lot of wishful thinking / daydreaming.
I was thinking more along the lines of stories I've heard about recruiters driving kids with F-ed up families around so they can clear up their paperwork, like drive the kid to the DMV to get his ID card or to a Dr for an appointment to get an asthma waiver. I predict the level of this activity depends on how many applicants they get per slot and the state of the local economy, and especially the ratio of "recruits signed up this month" vs "monthly quota".
Re:Duh? (Score:5, Funny)
This only happens in government vehicles.
Nobody ever used a company car for anything but business. In fact, no teenager has ever borrowed the family car to "go to the store for grandma" and then picked up his pals, smoked some weed and then drove out to the Labaugh Forest Preserve parking lot to spin some donuts on the frozen pavement on January 23rd 1983.
That totally never happened.
Re: (Score:2)
There is a difference between using your parents' resources and using the citizens' resources.
Re: (Score:2)
And what if "your parents' resources" happens to be Mommy's company car?
Bad on Mommy, of course, if she let you take the car, since I assume most company car assignments limit authorized drivers to the assigned employee... but again, if Mommy didn't give permission to take out the car, the situation devolves into Grand Theft. So, taking your folks' ride out for a joyride is bad for you and for them. Thanks.
Re: (Score:2)
it's not a government site. not at all.
it's a tax-payer funded TV/radio network plus 24 hr news service. it's like the BBC, but in australia (get it? the ABC?).
stupid summary is misleading.
No wonder gov't doesn't get it (Score:5, Funny)
This guy was going to fill the Federal budget deficit, but no, all the stupid bureaucracy gets in the way.
Re: (Score:2)
Aw, damn, Australian Federal government. If only.
installation directory (Score:4, Interesting)
All the stories seem a little vague as to what he actually installed however — on one side he installed the software on a public facing webserver, and the ABC itself admits 'As this software was for a short time embedded within pages on the ABC website, visitors to these pages may have been exposed to the Bitcoin software' and 'the Coalition (current Opposition Parties) was planning on quizzing the ABC further about the issue, including filing a request for the code that would have been downloaded to users' machines,' but on the other side there is no mention of the staffer trying to seed a Bitcoin mining botnet through the site, just that mining software had been installed.
Sounds like hopeless journalist-speak for "he had access only to /var/www not /usr/local, so ... he put it in /var/www"
My guess is whatever they use to monitor their systems watches /usr/local and /usr/bin like a hawk but trying to watch /var/www would be chaos depending on what the marketing and graphics art dept uploaded this week or whatever, so they don't watch /var/www.
This does have a minor chilling effect in that I'm not a complete moron, so before commissioning any new hardware into production at work (or home) for years (decades?) I've run memtest86+ and bonnie++ (I'm old enough that I ran the original memtest86 and the original bonnie back in the day). I've occasionally considered that running a BTC miner would be a good CPU cooling test as a third item, but stories like this do kind of discourage me at work.
My suspicion is the practical financial matter of $. Back in ye olden days when I started BTC mining a CPU miner could generate quite a few BTC per month and over the past couple years the exchange rate has stabilized at $5/BTC so that is a substantial chunk of change per month. However for all practical purposes a software BTC miner is currently pointless, just warming up the CPU. I haven't checked the difficulty rating but I know it's increased a bit from the mid double digits when I started in BTC. So as a disciplinary matter they probably couldn't decide to bust him for running unauthorized sw (which given his "highest levels of access" might mean he's authorized to authorize BTC sw, making it a bit complicated) or bust him for attempting to use govt property for personal gain but not actually getting any gain, or bust him for actually earning some BTC however unlikely that seems. Doesn't Australia have the same "might is right" style of employment laws we have in the US where they can just fire him for not being a team player or spending too much time in the can?
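The monitoring gap described above (tooling that watches /usr/local and /usr/bin but not /var/www) is exactly what a web-root integrity check closes. The following is an added example, not code from the thread or from the ABC: it baselines the web root's file hashes, reports added or modified files on each run, and flags script tags in changed HTML whose host is not on an allowlist. The directory layout, hostnames and page contents are constructed for illustration.

```python
# Added example (not the thread's or the ABC's code): baseline a web root's
# file hashes, then flag changed HTML that pulls in scripts from hosts that
# are not allowlisted. Paths, hostnames and page contents are constructed.
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
HTML_SUFFIXES = {".html", ".htm"}
# Constructed allowlist: the only external host permitted to serve scripts.
ALLOWED_SCRIPT_HOSTS = {"static.example-broadcaster.test"}

def sha256_file(path: Path) -> str:
    """Hash in chunks so large media assets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each regular file under root (posix relative path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifests(baseline: dict, current: dict):
    """Return sorted (added, removed, modified) relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return added, removed, modified

def script_sources(html: str) -> list:
    """The src of every <script> tag, or 'inline' when the tag has none."""
    out = []
    for tag in SCRIPT_TAG_RE.findall(html):
        m = SRC_ATTR_RE.search(tag)
        out.append(m.group(1) if m else "inline")
    return out

def suspicious_scripts(html: str, allowed_hosts: set) -> list:
    """Inline scripts plus external ones whose host is not allowlisted; relative
    paths have no netloc and count as local."""
    findings = []
    for src in script_sources(html):
        if src == "inline":
            findings.append("inline script")
            continue
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(src)
    return findings

def audit(root: Path, baseline: dict, allowed_hosts: set) -> dict:
    """Diff root against the baseline and inspect scripts in changed HTML."""
    added, removed, modified = diff_manifests(baseline, build_manifest(root))
    report = {"added": added, "removed": removed, "modified": modified, "scripts": {}}
    for rel in added + modified:
        path = root / rel
        if path.suffix.lower() in HTML_SUFFIXES:
            hits = suspicious_scripts(path.read_text(errors="replace"), allowed_hosts)
            if hits:
                report["scripts"][rel] = hits
    return report

def demo() -> dict:
    """Constructed scenario: baseline one page, then simulate an unauthorised edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sport").mkdir()
        page = root / "sport" / "index.html"
        page.write_text('<html><head><script src="/js/site.js"></script></head>'
                        "<body>scores</body></html>")
        baseline = build_manifest(root)
        # Simulated change: a third-party script tag appended before </body>.
        page.write_text(page.read_text().replace(
            "</body>", '<script src="https://cdn.third-party.invalid/w.js"></script></body>'))
        (root / "sport" / "extra.js").write_text("// constructed new file\n")
        return audit(root, baseline, ALLOWED_SCRIPT_HOSTS)
```

In production the baseline manifest would be written at deploy time and stored off the web host, so that whoever can edit /var/www cannot also rewrite the baseline.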
Re: (Score:2)
Where I work, we do not run ANYTHING that has not been approved by our legal department and gone through a vetting process.
Which brings us right back to the
which given his "highest levels of access" might mean he's authorized to authorize BTC sw, making it a bit complicated
Also I've worked at places where PHBs like to quote that kind of rule as an iron-fisted law, but when pressured they have no idea how the real world works or even what their demand means. End user visible application level changes, most of the time yes. Somebody wrote a two line shell script or the distribution maintainer upgraded the /bin/ls command, never. Internal/contracted software developers and sysadmins can write and run whatever they want, and pretty much install
Re: (Score:2)
I think such a policy is stupid, but it would depend on the kind of business or organization that you work for, how sensitive the data is that you are working with, and in general the nature of the company that you work for as well.
If your company deals with high end client financial data involving transactions of billions of dollars or is involved with highly classified (above Top Secret clearance information) government information on some given computer systems, I'd agree that a strong vetting process is
Re: (Score:3)
Doesn't Australia have the same "might is right" style of employment laws we have in the US where they can just fire him for not being a team player or spending too much time in the can?
No. http://www.fairwork.gov.au/ [fairwork.gov.au]
stupid (Score:4, Insightful)
This is exceptionally stupid because if it was CPU mining, well my i5 chip can hit 8 million hashes per second and my single overclocked 5830 Radeon card can hit 315 million, making it almost 40x faster. So assuming it was a faster modern Xeon, let's say 2x the speed, if the company owned 40 servers and he ran it nonstop on all of them at 100% CPU usage (not likely) then he should have instead bought 1 5830 for about $90 on ebay and mined coins himself. What an idiot.
It is possible that the servers had AMD/ATI cards that he was using without much performance impact on the website(s) but google "bitcoin hardware mining comparison" to see just how awful cards that aren't optimized for gaming do at mining.
Re:stupid (Score:5, Insightful)
No, it was exceptionally stupid because he doesn't own the equipment or pay the energy bills, regardless of what the bitcoin outcome was.
Re:stupid (Score:5, Informative)
Before you smart ass bitcoin miner kids think you know everything, Website Bitcoin Mining [bitcoinplus.com]. ;)
Site visitors do the mining; multiply a little slice of power times x million visitors over x amount of days and your localized mining is tiddlywinks. This uses the website visitor's machine to mine coins (and this particular example is terribly inefficient itself but the idea is there, someone with the know how could really go the distance for their own mining operation). This can be exceptionally more efficient than running a local mining op on a single machine/small cluster if you have a relatively trafficked website it is running from.
You are focused on high speed precision mining instead of scaled general mining. A pressure washer vs. a regular water hose, the water moves faster through the pressure washer but put 5,000,000 hoses together and you can push insanely more total water per second than a handful of pressure washers.
Re: (Score:2)
there are 3 distinct reasons why it can't run silently without a user's knowledge that I won't even go into
Bullshit alert.
The java miner runs fine hidden on a site, I played with it a bit to see just how it acts. It can run silently with minimal effort on the host's part. The story is light on technical detail and your smart-assed reply assumed it was one particular scenario and you painted yourself as someone who was knowledgeable. I pointed out your glaring omission and now you 'won't even go into' what are apparently '3 distinct reasons'? List them and let's explore why or why not.
ABC != Federal (Score:5, Informative)
Federal implies "of the Federation", which in the context of Australia implies the government. However while the ABC being the state broadcaster is funded (and owned) by the government it is not a federal organization. The ABC is independent of the government, so saying that the Bitcoin software was installed on federal servers is disingenuous to say the least. In fact after reading TFAs I can't see anywhere where it specifies exactly on what servers the software was installed other than some "web servers".
And once again the summary is a joke. You explain what "the coalition" is, but don't explain what the ABC is. I feel sorry for the people who pay for this site.
Re: (Score:3)
Actually I did find a statement as to what servers were affected: From The ABC didn't sack bit coin miner [delimiter.com.au]
The ABC stipulated that its Grandstand Sports website was affected by the Bitcoin operation for a short period, but there was no further impact on the broadcaster’s website or its distribution operations.
Hardly a "federal" server unless the government is in on sports.
Not firing someone with skills is bad? (Score:3, Interesting)
So the story is that they didn't fire this guy? Perhaps his manager has some common sense and realizes he has some valuable skills, and that firing him would be ultimately bad for the company.
Of course, common sense has no place in this world any more. Some higher up will probably come along now and fire the both of them to get some momentary glory before they realize they have to spend 5 times as much replacing them and miss some important deadlines because of the time consumed.
Re:Not firing someone with skills is bad? (Score:4, Insightful)
Harsh punishment is always popular. People like retribution, whether it makes sense or not.
Never mind if no harm was caused, never mind if it was just a silly lapse in judgement. Fire people, prosecute them, send them to jail....why? Because you can?
Only fair (Score:5, Funny)
They made him live on bitcoins for a week.
Re: (Score:2)
It wasn't really embezzling though. He put the mining software onto the web pages being served by the company, running as background processes in JavaScript. The company itself didn't really spend much by way of resources other than a few extra lines of JavaScript being pushed out by an HTTP request.
Instead, he was "stealing cycles" from all of the customers who visited the website and running down their web client performance. Considering much of the trash that sometimes is found on many web page these
Re: (Score:2)
It is likely that his job duties were changed around so he didn't have access to the same kinds of equipment. That his skills are somehow still valuable is true, but he was "put on the bench" in a big way and certainly was given a negative job performance evaluation on his annual review (or will get one).
I've seen that happen more than once, including people who've earned their way back to trust again at a later date (hopefully wiser due to the process).