Kano, thanks for keeping newbies and others aware of shady characters. Not that I would dream of moving from Kano.is, but some people could be taken in. As usual, good work!
yep, good work killing a non-profit pool asking for donations to local charity organizations (<< to who did/enjoyed it).
im not able to proof that im not a scammer, but shady is effectively incorrect. just browse the internets.
also, im going to maintain online the website (pool service is killed and warning texts displayed), just to keep the memory alive, you know, for newbies.
i would like to suggest to kano to add a config option in cgminer to each pool to set a expected string that the coinbase must cointain.
cgminer must disconnect as soon as it is missing the expected string, and pool operators could notice quick any hack soon after all miners left the pool at once.
doesn't seems so dificult to implement this easy security condition (if you really wanna help newbies/operators).
This is bullshit.
You have the code to the proxy in your git to do exactly what you are doing.
https://github.com/ctubio/php-proxy-stratumphp-proxy-stratum
ReactPHP stratum+tcp proxy between miners and pools with database and minimal web interface.
Used to demostrate how pools steal your hash by renaming worker names and redirecting the hashrate.
Used² to recommend you to mine only on trusted (self owned!) pools.
the creation of php-proxy-stratum was what make me think of having my own bitcoind/ckpool (a year ago)
i wanted to create a proxy for merge many miner connections into a signle conn to a pool but meanwhile i discovered how easily pools steal the hash of the miners with the agreement of authors of mining software.
you (mining software authors), simply need to allow miners to have 2 new config options:
- expected coinbase
- expected btc address
why this config options do now exists? and why mining software is not interested into validate this?
btw, im not able to explain wtf happened here. since effectively solo.mining-pool.io was compromised, i took a snapshot of the disk and killed with fire the running instance.
An expected coinbase and btc address are pointless for 2 reasons:
1) Although avalon would add the changes if we added them, bitmain would not.
We have made many changes and improvements in cgminer since 2013 that bitmain have completely ignored to their own detriment.
The miner running in bitmain devices still has well known problems for years that we fixed for their driver.
2) I have changed the coinbase 5 times on my pool and will again soon.
That would require every miner on my pool to change settings in every miner.
Enforcing such a requirement would effectively mean that no pool could ever change their coinbase.
If it was optional, then almost no one would ever look at the messages saying it changed - as happens with the majority of miners.
Basically what you are saying here, if the compromise story isn't a scam, is that you didn't bother to keep an eye on the pool at all and want to be able to blame someone else for that ... even though you have written your own code to actually deal with hacking exactly that.
... and although I consider craphash to be exactly that, crap, no one would be able to mine there if the coinbase/address was checked ... that's the exact security risk of the #extranonce command that is not in master cgminer due to the issue of being able to completely change the coinbase randomly at any time, that most miners think is ok that use hacked cgminers on craphash ...
---
As for being "compromised" ... why would someone even bother to do that?
You had a tiny, next to unknown, pair of pools: solo running your hacking code, and a normal pool running our ckpool+ckdb.
(... and I do wonder why you deleted your ckpool+ckdb git on 4-Nov ...)
Even I had no idea about the connection between the solo pool and the normal pool, so didn't realise what was going on at first when someone reported your scam.
Such a hack on the solo pool would make hardly anything per day.
Are you saying your solo pool ran for weeks in this scam mode and you didn't even realise it?
They even compromised it (at least) twice without you even knowing?
Once when your hack was set to mine as xinxan on FUPool and a second time later when it was set to mine as zhangjia90 on FUPool after the block was found?
Have you contacted FUPool to find out what was going on?
So when your solo pool did find a block, (even if it was for some other pool) why did you not say anything at all anywhere until we were asked by the block finder, days later, what was going on?
Your story seems to imply you are a fool and don't know what you are doing, and yet you have code you wrote (and last updated in March) that knows exactly how to do this scam.
As bitsolutions said above, give someone access to the snapshot.
If you aren't lying, then that could help confirm your unlikely and convenient story.
