Investigating the Pomegranate Network Mining Gridcoin

in #gridcoin5 years ago (edited)

PLEASE NOTE: This article has been edited as a result of discussions with the CEO of Charity Engine.

Gridcoin miner Pomegranate has been somewhat of an enigma lately, with lots of users questioning where, and how, they are gathering a magnitude to rival that of GRCPool. At the time of writing, Pomegranate has two active CPIDs, detailed here and here. The first has a magnitude of 15833, while the second sits at 670. This second CPID has only just been advertised with a beacon, so its magnitude is expected to skyrocket over the next few weeks, taking Pomegranate to an estimated total magnitude of near 30,000. This is a significant amount of compute power being brought to bear.

After noticing the odd magnitude growth pattern of the user, and noting they do not take part in the community, @deltik and myself attempted to learn more about the network. We started digging and found that Pomegranate's computer power is generated through a custom BOINC client installed on computers all over the globe.

The software identifies itself as a modified BOINC version 7.0.80, which we believe is actually Charity Engine 7.0.80, a non-public release of Charity Engine that was likely bundled with other software. Note that the latest public release of Charity Engine available on their website is BOINC 7.0.76, which is hardly used by Pomegranate at all. Therefore, most of the clients being used to mine GRC were not downloaded off the Charity Engine website.

Collectively, the BOINC 7.0.80 network of computers Pomegranate controls is already yielding Pomegranate more than 4000 GRC per day. This converts to over $280/day or over $8400/month.

It does not appear that the people who have the BOINC 7.0.80 software computers are getting any sort of Gridcoin related credit, or even know that they are running BOINC tasks for Pomegranate. It's hard to prove the lack of something, but from our research we have found that there have been no announcements of connections to Gridcoin, notices of reward payouts, or community participation. There is one notable exception - Pomegranate claiming the GRC commemorative coin as if they were a legitimate miner.

Why would the user name themselves "Pomegranate" when their connections are to Charity Engine? It appears this is a side operation by Charity Engine to make more money from the network they control, after they were unable to sell off all their compute power to industry. To back this up, the software has previously been used to mine ETH on user machines running both the BOINC 7.0.80 (bundled software) and BOINC 7.0.76 (direct download) copies of their client, until a user questioned the mining on the Charity Engine forums.

Although inconclusive on their own, here are further findings relating to Pomegranate that concerned us:

  • BOINC 7.0.80 is an uncommon version, accounting for 0.58% of all BOINCstats BAM! client versions as of 11 December 2017, yet nearly 100% of Pomegranate's computers run that version.

  • The vast majority of clients are a hodge-podge of low-end to middle-of-the-road computers running older versions of Microsoft Windows. Here are the computers belonging to Pomegranate as seen on VGTU, where they forgot to hide their hosts. These hosts have since been hidden.

  • If Pomegranate were a real pool where users are aware that their computers are being used for BOINC, like GRCpool, there would be a lot more diversity expected. See CPID 7d0d73fe026d66fd4ab8d5d8da32a611 for an example of one of GRCpool's CPIDs.

  • Pomegranate runs [email protected], but [email protected] does not allow weak authenticators. This means that open pools like GRCpool can't allow users on that project because any connected user would be allowed to take over the account. It's likely that the owners of the computers running Charity Engine have no idea about the [email protected] strong authenticator stored on their machines.

  • SRBase discovered that some work units are being wasted because of a bug with BOINC 7.0.80 and publicly asked users to upgrade BOINC, but how can those who don't know about the software installed on their computers know to do this? Charity Engine, just like BOINC, cannot update itself.

  • Curiously, PrimeGrid seeded Pomegranate early on. PrimeGrid paid Pomegranate 5000 GRC on 13 August 2017 (worth $161.80 at the time). Transaction here. Notice that the funds came out of S6RimEgrEar84vQpsmVAVFbGkxfJ4i2sec, which is the same address as the PrimeGrid GRC donation address. We discovered that administrator Rytis of PrimeGrid is also an administrator of Charity Engine.

  • PrimeGrid sent funds to Pomegranate, even though it wasn't mentioned on the donation page. A Gridcoin ops member got in touch with the PrimeGrid team who explicitly stated that the donations were for new hardware.

  • Although PrimeGrid is the one project that funded Pomegranate, that project received the least work done by Pomegranate.

  • Pomegranate did refund PrimeGrid 3800 GRC (2100 GRC on 28 August 2017 and 1700 GRC on 30 August 2017). One would expect 1200 GRC more for a full refund, and 1200 GRC was indeed sent on 23 August 2017, but not back to PrimeGrid. Instead, those GRC were sent to an address where the GRC was consequently split up, some of which went to the wallet of user Tholo, an investor in Gridcoin. Source.

We are concerned about what we have uncovered about the Pomegranate network. There has been a lot of debate behind the scenes on whether or not this information should be made public, but we feel the Gridcoin community has a right to know. Pomegranate's Slack account was given ample opportunity to comment and chose not to.



Well, even if they were scammed, at least they were running philanthropic projects like World Community Grid and [email protected], so one might say it was for the good cause.

Today, you become a part of the PoW botnet by simply visiting certain webpages with your browser. It probably happened to many of us here, while perhaps we haven't even noticed.

I discovered and investigated the Pomegranate network, and I'm here to answer any questions about Pomegranate if you have any. AMA!

Hi guys, this is Mark from Charity Engine. Apologies for not chipping in sooner, only just seen this.

First and most important thing; can I just point out that our client is only EVER installed with the user's explicit permission. Jumping to an accusation of "botnet" is entirely unwarranted.

CE is a global computing grid which is doing dozens of commercial tasks along with computing for GRC projects (GRC only gets our surplus, which is a fraction of our full capacity).

Don't understand why you didn't just call or email us, guys. Would have taken 60 seconds.

EDIT: Now I understand why. This is simply a smear by disgruntled GRC miners whose only motivation is removing the biggest fish so they earn more GRC themselves. Duly noted, and we shall now increase our contribution to GRC projects accordingly. Told you we were actually holding back just to be nice, so well done lads. Shot yourselves in both feet.

Hi Mark,

We have reached out to you on the Gridcoin Developer Slack channel, except you never replied. I know you were active there at the time, and I know you have seen at least my message, unless you are saying that the user Pomegranate on Slack was not you?

I am aware of what you claim CE to be, and how you claim it works. It would be great if you could please explain the following:

  • Why did PrimeGrid seed the Pomegranate account to help it stake, using donations by the public for their supposed hardware drive? We noticed that one of the PrimeGrid admins, Rytis, is also involved with CE. This is very concerning, and the reason I personally got suspicious of your activity.

  • Why does your website serve CE based on BOINC 7.0.76, while the Pomegranate account runs BOINC 7.0.80 CE instances? Deltik would like to point out that BOINC 7.0.80 has a severe security vulnerability.

Multiple stack-based buffer overflows in the XML parser in BOINC 7.x allow attackers to have unspecified impact via a crafted XML file, related to the scheduler.

  • Why did you try and hide the link to CE so actively? Wouldn't "Charity Engine Pool" have sounded a lot less sketchy?

Thank you for your time.

Okay, let's get one thing straight here: You are flat out falsely accusing me of criminal behaviour. In public.

I'm personally not on Slack, but I am on the end of a phone or email and the first rule of journalism is right to reply. I've no idea who you are, but it seems to me that you have an axe to grind here, some personal reason to get us away from GRC, and that whatever I tell you will not change that.

Am I correct?

At first, we thought Pomegranate was cool for winning the commemorative coin, but following Pomegranate's meteroic growth, @dutch and I noticed various peculiarities.

A lot of us wanted to give you the benefit of the doubt, especially since each individual point this article made could have plausible explanations, but altogether, they don't add up.

The best recourse would be to be open and transparent about how Pomegranate works. I think we'll all rest easy if we can trust Charity Engine and Pomegranate.

  • What is an example of an ad that leads to a Charity Engine 7.0.80 download? Despite a 99% acquisition through ads, we're having trouble finding any.
  • Charity Engine 7.0.80 was reportedly released on 24 June 2014 with no updates since. Why did it take so long to announce an upcoming update just today?
  • And why hasn't there been an update the last 3½ years since the severe vulnerability CVE-2013-2298, which affects Charity Engine 7.0.80?
  • Another independent investigation found that Charity Engine is bundled with other programs and may be installed without the users noticing. Can you walk us through the installation flow of a Charity Engine software bundle?
  • Why is it called Pomegranate?
  • Why did you just rename the second Pomegranate pool from "pomegranate2" to "PSVR-1075"? This name change reduces transparency and suggests that you may be trying to hide the second pool.
  • We expect to see a lot of active users if there are over 460,000 hosts in 2016, but the Charity Engine forum is almost dead. Where is the community talking about Charity Engine?
  • Why aren't people talking about Charity Engine? There is hardly a peep about Charity Engine on social media.
  • When users like myself or this guy try to do work for Charity Engine 7.0.76 (the public version), we get what appears to be a dummy task taking up "0.0001 CPU" and using very little CPU. Why can't we voluntarily contribute to Charity Engine through the client?
  • If your users are knowingly running Charity Engine, why did Pomegranate participate in [email protected], a project that requires strong authenticators? This is bad security practice at best and unaware users at worst.
  • PrimeGrid (address S6RimEgrEar84vQpsmVAVFbGkxfJ4i2sec) provided funds to get Pomegranate started. What is PrimeGrid's role in Pomegranate?
  • PrimeGrid consequently was the project with the least return from Pomegranate despite providing the initial wallet funds. This suggests that PrimeGrid was not incentivizing Pomegranate to crunch for them. Why is Pomegranate not contributing compute power to PrimeGrid?
  • Can you provide your earnings reports and charity donations so that we can verify your 33-33-33 income distribution claim?

If and only if we resolve these questions and confirm that your user base is legitimate, we'll go out of our way to exonerate Charity Engine.

And also, what was the deal with exclusively obsolete hardware as VGTU hosts?

Edit: And out of interest: Why no Primegrid?

You should try to enlighten us more about your operations. What value/service are you providing to your users? Can't they just use their own BOINC clients with their own CUIDs and donate (or do whatever they want) with their GRC. If indeed you are exploiting the lack of information on your users' part, we as the GRC community should aim to educate them.

No, we are stating a series of facts and likely conclusions, then giving you the option to explain why there is so much shady business going on.

If you were not personally on Slack, then who is the Pomegranate account that tried to claim the commemorative coin? You proved your identity through your wallet to try claim that coin to @jringo, so I do not understand how you can claim that was not you.

We have no axe to grind, and have no personal reason to get anyone away from GRC. Quite the opposite. In fact, we would have hoped you can explain why everything looks so shady in a way that alleviated the concerns of the community.

You are not correct. In a perfect world our concern is unfounded and your end users continue to do research. It's fantastic to see the amount of compute your CPID is contributing, but it needs to be above board or it looks really bad for both BOINC and Gridcoin.

Likely conclusions? You mean entirely unfounded and malicious accusations. Botnet? Stealing? Are you serious?

(You keep suggesting we're a one man band, btw. I've never even used Slack. That was a dev. You would know all this if you'd bothered to contact me to get to the truth.)

Since I wrote that comment, I've discovered that you do indeed have an axe to grind, as you're a massive miner yourself. So if we go away, you earn more GRC? Well, colour me amazed.

This also means you understand BOINC, and surely must have also known that our client can only ever be installed with user permission. I am therefore now struggling to see your accusations as honest mistakes.

We have contributed more to BOINC than you know. In fact, without our company's intervention, BOINC might not even exist now. Literally.

Bang out of order, dude.

I never used the word stealing, where are you getting this from?

I am aware you are not a one man band. Why is contacting another member of your band not an attempt to contact CE? They verified their identity through access to your GRC wallet, so they seemed like a reasonable port of call.

Stop accusing me of having an axe to grind. I am a 'big' miner, but I am running literally the least efficient project ([email protected]). I am not bothered by mag, but as a researcher myself I do want to see GRC succeed.

I am not accusing you of anything. I am asking you to comment on some things that don't seem to add up. This discussion has been going on internally for a long time now.

Are you for real? Your title is "Exposing the pomegranate botnet", for crying out loud! How is that not accusing?

I've also just been sent some chat logs in which you openly call us a scam, you "have all the dirt on us", we are a front for malware (really? !), etc. So yeah, you're accusing us just fine (defaming, to be exact...) - and now you're lying about it too.

I haven't sacrificed ten years of my life creating this thing from scratch, on a shoestring, to have it bad-mouthed by a couple of conspiracy theorists who can't do basic fact checking.

You owe us a massive apology.

Why did PrimeGrid seed the Pomegranate account to help it stake, using donations by the public for their supposed hardware drive? We noticed that one of the PrimeGrid admins, Rytis, is also involved with CE. This is very concerning, and the reason I personally got suspicious of your activity.

What PrimeGrid does with their donated funds is entirely up to their own discretion. If I had to bet, I'd say that PrimeGrid sold the GRC to CE for cash in order to buy said hardware, rather than having to dump GRC for BTC then convert to FIAT. Heck, BISQ could have been used for a p2p transfer of funds.

The tracking of funds is a slippery slope & frankly pretty disgusting.

The GRC was mostly returned once the seed funds were no longer needed, so that is highly unlikely. The disgusting thing here is asking for donations for A, and then using them for B.

If I collect donations to help the homeless, and then use the money for my own benefit, how is that ok?

If a project embezzles funds that were donated in good faith, people deserve to know so they do not donate again.

I have donated 1000 GRC to PrimeGrid back in March 2016 (when they started accepting GRC for donations). I must say it was never mentioned back then they will buy hardware with that money. Here is their donation webpage from that time. The donation drive for new hardware was started only few months ago and their donation page was then updated accordingly.

All said and done, I don't feel that my donation was embezzled in any way. Under conditions specified in March 2016, PrimeGrid admins could have taken it as their salary (normal procedure with [email protected] donations). After that, it's their private property and they can do with it as they like.

So they lent the GRC to another entity then got them back? So there has been a zero net loss of donated GRC? If it ends up going to the same equipment fund, did the donated funds not serve their purpose in the end?

This to me looks like one of the first times known BOINC entities have utilized Gridcoin as a cryptocurrency, and you want to drag them through the dirt for doing so? It doesn't make Gridcoin look that appealing for other BOINC admins.

From the article:

Pomegranate did refund PrimeGrid 3800 GRC (2100 GRC on 28 August 2017 and 1700 GRC on 30 August 2017). One would expect 1200 GRC more for a full refund, and 1200 GRC was indeed sent on 23 August 2017, but not back to PrimeGrid. Instead, those GRC were sent to an address where the GRC was consequently split up, some of which went to the wallet of user Tholo, an investor in Gridcoin. Source.

It was a 76% refund; PrimeGrid didn't get back 1200 GRC.

No, they got millions of core-hours of computing. Tens of millions.


If you guys were journos, you'd be sacked on the spot for this.

How don't you know he bought the GRC off primegrid then donated GRC back once they began earning GRC?

Major assumptions here.

I see a misunderstanding here. @markmcandrew said that we should have contacted him via the official email/phone. @dutch responded that he contacted user 'pomegranate' on our slack. There is no evidence that these two accounts are together, nor that the messages actually arrived to Mark's attention.
I agree that you should have been contacted earlier via official means, but how? They did not know it was you until you responded here.
Also the accusation that Charity Engine uses this Pomegranate pool is not backed. There is only a speculation that Pomegranate pool members use CE software. Also that software might not be approved by CE, the attacker could just have used CE software as a base.
So please stop getting all angry and explain.

Hey Brod. Actually, Mark confirmed that Pomegranate is CE. With regard to the Slack account being linked to CE, that Slack account tried to claim the commemorative coin. To do so, they proved ownership of the Pomegranate wallet. Therefore, the Pomegranate account on Slack had access to the Pomegranate wallet.

Was this message intended to be a reply to me? I am not angry and unsure what you are asking me to explain.

Hi Tomas,

CE does indeed control the pom account. It wasn't a big secret, just didn't want to scare the community that a grid of over half a million PCs was now involved (since been told it's now PoS instead of PoW anyway, so that no longer matters). If we were bad actors then we'd have just used multiple IDs - and added all our spare capacity too, which we've never done.

The Slack account was created purely to claim that one-off coin thing, on the logic that it WOULD look suspicious if we didn't. It wasn't ever used again.

They admit they got no reply from the slack account, and that they didn't bother trying phone, email, or any other normal way of contacting a company CEO.

It's a charade.

i got one word for you mister:


I got one for Dutch too. "Libel".

Thanks for the response. Two questions

  1. How come most users are running a different version than what's downloadable?

  2. Is the modified source available for download somewhere?

It's not meant to be different, it's a bug! Nearly all (over 99%) of our users come via adverts, not via the main site. We just forgot to update the link.

New version coming very soon anyway. Will make sure it's the same everywhere.

Where can I find a list of charities and amount of donations you have provided?
Thank you.

Oki! Out of curiosity, from where is the updated client installed? As bundles or via ad banners?

Regarding the source, I noticed that there is support for Charity Engine in the BOINC source tree. Do you use the vanilla source?

ok, so basically you have convinced a bunch people to run BOINC with your CPID by telling them that they will get back %33 in prizes while you keep the other %33 and the rest goes to charity. Is that it? And your point is people are OK with it so what is to you? Am I getting it right?

That, I see no problem with. The deceit, I do see a problem with.

The lack of the 33% 'prizes' payout, I also have a problem with.

You are currently earning approx $6000 per month in Gridcoin (@ $0.05 per GRC) and claim it's a 33-33-33 split between you, charities and users.

Yet you are only seeming to be giving out a raffle to end users of $1000 every 2-3 months.

You would need to be selling at around $0.01 / GRC for those figures to add up.

4000GRC per day * 30 = 120,000GRC per month
120,000 * 0.01 = $1200 per month, split three ways is $400

Of course that is before any computing power you sell, again as you claim.

There is money disappearing somewhere along this chain.

Even if it were not and the 33% split was legit, taking 33% of proceeds that could be going to charity and users for not doing much at all is extremly dubious.

When coupled with your charitable claims, with which you used to get various lots of funding, it certainly isn't ethical.

There are also the profits received from Eth mining if that is still in use.

And any other mining that users may have not spotted. Clearly they went out of their way to hide the ETH hash files, so others may be hidden.

"Quick, screenshot that incriminating forum post before they delete it! I mean, it's only been there for the last two years..."

CE is a global computing grid which is doing dozens of commercial tasks along with computing for GRC projects (GRC only gets our surplus, which is a fraction of our full capacity).

This implies that in addition to the custom client you have your own server end modified BOINC software?

Your global grid is super inefficient, as 1/3 of the profits users get is less than 1/3 of gridcoin earnings even though, as you claim GRC (or should be BOINC) gets a fraction of your capacity.

Is there a list of charities and amount of donations you have provided?

you have your own server end modified BOINC software?

I doubt that he has any preferential treatment by BOINC projects.

They have their own server though. When you first install CE, it sends the end user tasks that appear to take forever. Turns out they are empty, and are literally just idling. I don't know why they do this.

Well done, if you find out any more information please keep us up to date ..

I wouldn't classify it as a 'botnet', that implies a lack of consent in the software being installed on the end user's computer. It's a distributed compute cluster with consent approved to run the CE software on their computer.

Perhaps you could argue that the TOS the users signed don't cover the specific types of computation being performed, but that's not the argument you seem to be making..

No actually I did 2+ months ago before leaving thanks to the typical bitch antics of the people we are forced into trusting as community leaders...
Interesting as I also found kikipope too and odd too that others claimed they discovered or " found " him too when neither are hiding and they are both in plain site. Guess neither kissed enough ass to the people we are forced to trust as community members. GRC8

I'm in 'stitches' here as a result of watching that!!

Very funny but true.

Detrimental. If hosts didn't consent to use their energy and hardware, then it can be considered stealing no? The intentions are very opposed to the work being done.

I agree, and this is playing right into the hands of BOINC enthusiasts who think GRC is detrimental to BOINC and its reputation. As a community we should not tolerate this behaviour just because of the short term processing gain.

It is most definately theft if users are unaware that some one is benefitting from their computing power and electricity.

And also against the BOINC terms if the user is unaware.

Except they consented to using CE When they registered & installed the CE software..

Exactly. Something I find difficult to believe that Dutch is unaware of.

(And something which he still isn't commenting on.)

I'm commenting for @dutch because he's gone to sleep.

We are able to confirm express consent for the less than 1% of users who install Charity Engine through the website, as that is the only installer available for us to analyze.

From Spyware Techie:

According to our team of specialists, CharityEngine often comes bundled with other programs, which is why many users do not notice how it enters systems and cannot remember downloading it themselves.

This sounds like about as much consent as leaving a sneaky checkbox checked by default in a bundled software installation.

Spyware Techie??? Bloody hell, mate. Spyware Techie exists purely to spread FUD about other apps to make you download their crappy SpyHunter software (Google it). Great source, lads. Really impressive research. Maybe a quote from Infowars next?

So guess what? We do not "leave a sneaky checkbox ticked by default" and I'm now about one more snotty (and ever-changing) accusation from screenshotting this whole thing and sending it to our legal guy.

I would defend with Freedom of Speech (and Write), but legal is as full of holes as gridcoin source.
Also I suggest to save this wbepage (File->Save page as) to save the poor lawyer from copy-typing the text from your screenshot image.

They consented to using CE when they registered and installed the CE software, it's not like it's being installed via a drive-by trojan.

I don't know, if the software is bundled with other software unless you untick a checkbox I don't know how valid the consent argument is. I mean, it's not like people used to run 600 IE toolbars because they liked them and gave explicit consent. They ran them because they came bundled with something they actually consented to.

Edit: All installations supposedly require explicit consent (as in check a box to install, not uncheck a box to avoid installation), so it might be moot.

I don't know, if the software is bundled with other software unless you untick a checkbox I don't know how valid the consent argument is.

Installing CCleaner today, Avast Antivirus attempted to do exactly this. It's standard practice within the freeware/shareware scene.

Did it install CE or something else?

There has been a lot of debate behind the scenes on whether or not this information should be made public

There should be no debate about this. All this information is circumstantial and is/was public. The community should almost always be informed and be left to come up with their own conclusions. Thanks @deltik and @dutch for the investigation and compilation of this information.

In complete agreement. This runs contrary to all our goals and ethos and transparency is extremely important to us.

All our goals/ethos

This may be your ethos/perspective, but it's not the gridcoin networks' stance - it is a decentralized network which does not impose such ideologies upon its userbase.

tansparency is extremely important to us

Perhaps transparency in its developers intentions/actions and the work units being actually computed within BOINC projects, but demanding absolute transparency from network participants is absurd.

Everything with Gridcoin is behind the scenes.. You have to kiss ass and be in the " in " club/clique , I gave it the GRC8 nickname thank you very much. You would not want an open community project to actually have the whole community able to participate and voice their views and ideas , they might not match your own and you may not be able to push your own agenda.

How different is this from viruses that mine bitcoin? How can running anything on a users hardware without his consent be considered legal? It doesn't even matter if it costs energy or not, it doesn't matter if it is for research for the greater good, it doesn't matter...

It's different because nobody had the software unwillingly installed on their computer.

I reacted when the article was posted.

From the article: "it is highly likely Pomegranate is earning GRC illegitimately through unwanted software installed unknowingly on victims' computers".

By now there is more information from the comments and I no longer see the issue. I checked the website and it looks quite clear to me that when installing you are donating computer power.

It is the users responsibility to make sure that what he installs is legit, from a trusted source and functions as intended.

As long as they are contributing to the BOINC projects, paid or not, I see no issue. I have been BOINCing for 15 or so years. Don't really care what client.

I do understand big miners get nervous. Their magnitude drops and they can't do anything about it but to try and blame someone else.

Does gridcoin now need to 'check' what is used to contribute to science? Being the BOINC internet cop. Good luck with that.

As vortac says: it's still contributing to science.

I would like to return to some of the bullet points here:

I checked the website and it looks quite clear to me that when installing you are donating computer power.

Yes, but the clients mining BOINC were not downloaded off the website. This was just stated explicitly.

I do understand big miners get nervous. Their magnitude drops and they can't do anything about it but to try and blame someone else.

Actually, we found out about this months ago and did nothing, mainly due to CM being very opposed to saying anything publicly. It was several big discussions in the Slack channel between many users that made us decide to say something. I personally do not care for mag - check my project selection if you don't believe me ([email protected] on all GPUs - literally the least efficient).

The other reason is several projects are getting many corrupted results and burned work units, as explained. The Pomegranate account has not fixed this issue.

Does gridcoin now need to 'check' what is used to contribute to science?

Nope, not at all.

If Gridcoin ops had not acted a few months ago, we would still have Kikipope around. How does it look for BOINC and Gridcoin if the main contributors are these kind of networks?

Let me reiterate: We all want CE to be legit, because their contribution to science is great. I know of several people, including myself, who reached out over the last months and were ignored. Ideally, we would like these concerns alleviated and move on.

You have never contacted me, nor has anyone else. I learned of this page thanks to a Google alert.

We have a website with a contact form. We have an address. We have email, we have a phone number. Contacting me is not rocket science - and of course I would respond to something like this.

I note your comment about running the least-earning project. Good to know, and that does make me more reassured as to your motives - if not your methods...

EDIT: No longer reassured one bit. Deltik's lies about us being bundled with malware cannot be unintentional, IMHO. His own evidence says the opposite of what he claims it says.

Ye, but the connection between 'Pomegranate' and 'Charity engine' was not public, so the accusers couldn't use, or even find the contact form.

They knew Pom was CE for ages. Hence this hit piece.

First we knew they had any questions at all? A Google alert about this post.

That's not honest journalism, it's a smear campaign.

Summarized: CE says the are using your computing power when you install their SW. Their SW downloads and installs something else, BOINC, whatever version, from whatever location, modified or not.

It's not unusual that an installer downloads and install other installers. The average user doesn't care.

If the science results are ok for the projects there is no issue for BOINC as a concept.

To me BOINC and Gridcoin don't look any different because of it. The user makes choices and if legit that's the end I think. The grcpool doesn't allow voting. Does that make contribution to science any less? Does that make it worse for BOINC?

This article has botnet in the title, a word with a very negative connotation. It boils down to not agreeing to the way the client is downloaded and someone not responding to you guys?

In the end it seems like a storm in a teacup. I fail to see the issue here. The internet is full of strange things I don't support. Fine, I just don't use them, if they're no good they die anyway.

Edit: before all wars break loose I'm not supporting CE either, don't know what it is and not interested.

I do understand big miners get nervous. Their magnitude drops and they can't do anything about it but to try and blame someone else.

Actually, we found out about this months ago and did nothing, mainly due to CM being very opposed to saying anything publicly. It was several big discussions in the Slack channel between many users that made us decide to say something. I personally do not care for mag - check my project selection if you don't believe me ([email protected] on all GPUs - literally the least efficient).

I don't recall any such communications regarding your allegations against CE.

I am indeed opposed to public slander & doxing of individuals of whom you suspect are committing serious large scale computer crime (running a botnet will get you life in jail).

The best course of action is to contact the BOINC projects direclty, specifically their cyber security divisions - Oxford, IBM, LHC, they all have dedicated teams whom can investigate such claims with greater access to volunteer data.

If not BOINC projects then you should have contacted the authorities with the information you believe you have. Posting a smear piece like this without concrete evidence is likely going to get you sued by CE for public defamation/slander.

We've contributed over a hundred million core hours to science since we launched in 2011.

I can give you another titbit which you are free to check too. In our early days, I went out and raised extra seed funding just to give $60k to the BOINC project at Berkeley, which was faced with shutting down because of a six month funding gap.

You can probably start to see why I'm fuming at this hit piece.

There is also little movements of computers between projects for what I can see, Pomegranate only keeps adding new ones. Last week Pomegranate started adding computers to [email protected] and the Gridcoin team RAC output has moved up with 1.5M (see chart) while the GRC earnings per 1k system RAC has dropped 25% in the same period for this project.

In case Pomegranate has the consent from members to install the software and add projects as he feels fit this would be fine but if he doesn't, I would consider it unacceptable.

That's correct. When running their software in a sandbox, we found the end user has no choice on what projects are run. The instructions are sent from their account manager.

I removed my comments as they are not directly relevant to the discussion.

Which CPID is this for? It could be that @bgb has moved users around.

If the users don't consent, then yes I agree it's wrong. But if they do consent then it should be fine.

EDIT: I commented on this post in the morning without being aware of many facts relevant to this discussion. A lot seems to be blowing over my head, so I've decided to extract myself from this conversation.

I absolutely agree with you @caleb23.

Discussion has been going on in public on slack and IRC, the chance to clear their name has come and gone ..

I disagree that it's gone. It's always there - it perhaps should have happened earlier but if proof of a legitimate operation happens now then we as a community will still have to accept it.

This is key. Let's not forget that.

well it sounds like stealing so we should definitely condemn it

I concur that we condemn stealing. Just be careful in future about condemning something because of the way it sounds.

Can we report that specific version of BOINC to antivirus manufacturers? I dont know how they work with determining one version from another, but if its a customized version can it be explicity listed as malware?

The fact that these users are unwittingly infected may mean they do not have any security, or that its so compromised that it wont make a difference, but who knows, it may stop this version from spreading further.

I think that getting one version of BOINC labeled as malware would get all versions flagged, it would be massively detrimental to non tech-savvy users to see that the software they understand to be solving cancer is potentially malware (Even if it's a false negative).

A better alternative would be to get BOINC projects to enforce mandatory minimum BOINC client versions & if they don't adhere to these minimum requirements they're voted out of the whitelist.

Sure that works better I guess, at least I tried for a solution :)

There has been mention before of integrating BOINC into the Gridcoin wallet - could this possibly be a solution to the problem? For example, a sub-version of BOINC that can only be used and has its GUI in the Gridcoin wallet, ideally developed in conjunction with BOINC so that this problem doesn't come up again?

There was a Idea, and I still support it: to replace (parts of) the boinc manager in the gridcoin wallet gui. The reason is: less icons in the notification area and more centralized user interface. However this plan does not want to modify, replace, or integrate the core BOINC client daemon in any way. Only the user interface. Gridcoin task

I don't think it's in the interest of Gridcoin to take over any part of BOINC. Rather, we interface with BOINC to get the statistics we need for Gridcoin.

If anything, we'd work with BOINC to develop a better way to report those statistics, not to curb researchers at our own will.

I was also curious about the pomegranate cpid, did some searching, and ran across this thread. Timely.

I'll chip in my .02 speaking as only a mid-level "miner", although it's hard to think of BOINC as mining. From all the discussion points on both sides it seems like this is a pretty grey area.

I agree with zamaza in that I think this is actually a gridcoin problem. The incentive for this sort of behavior will only increase as the value of gridcoin increases, making it ever more difficult for regular folk to receive rewards for their compute work in any meaningful way. From the numbers on, the two pomegranate cpid's are currently collecting a total of ~4430 GRC / day. My understanding is there are ~48,000 GRC rewarded / day, and there are 26 projects receiving cuts of that, which would mean the pomegranate net is currently consuming over 2 entire projects worth of GRC rewards / day. About 2.4 projects worth, to be more specific.

Think about when the value of GRC rises further (it doubled in just the last month or so) - more large operators will likely decide to get in. A bare handful of people controlling networks or warehouses full of machines could easily consume most of the GRC produced per day. Is this a good thing? I tend to think no. It's more compute power for the research, but wouldn't this discourage participation from the wider community of compute volunteers over time? Isn't that wider participation sort of the original point of gridcoin? I get that competition is a good thing to drive productivity and expand compute capability, but unchecked dominance of any market eventually turns into monopoly.

this seems like a major issue that has to be solved/prevented on the gridcoin side. i don't remember reading anything that would address this in any of the current 2018 roadmap proposals.

I completely disagree, this is a BOINC problem not a Gridcoin problem.

I agree with this. Gridcoin should not do anything.

This is not really for Gridcoin to solve. What we can do is to try to expose those who break the BOINC ToS.

I don't think BOINC would care, if anything they would see it as a side effect of having monetary reward on a systems that was meant to be voluntary. They would blame us for opening this can of warms.

You'd be surprised. Deltik has sent a copy of our investigation's findings to all BOINC admins, and they definitely care.


Way to confirm your intentions, guys.

We have had this before when certain individuals have 'played the system' and used equipment that is not theirs by right and funnelled GRC into their own pockets.

As far as I'm concerned, taking advantage of other peoples 'lack of security' and knowledge is tantamount to larceny.

However it is extremely difficult to 'punish' these indescretions as we have found out in the past.

Previously it took many posts and emails to project admins to 'blacklist' the perpertrator.
It took a while but was successful.

I believe that we have to find another simpler and more direct way to 'stamp out' these 'perps' as quickly as possible.

Any ideas?

Courtesy of @joshoeah

However it is extremely difficult to 'punish' these indescretions as we have found out in the past. Previously it took many posts and emails to project admins to 'blacklist' the perpertrator. It took a while but was successful. I believe that we have to find another simpler and more direct way to 'stamp out' these 'perps' as quickly as possible.

If it's too easy it could be abused.

If by lack of security you mean the BOINC projects, then we aught to enforce minimum BOINC client versions within BOINC projects & vote projects out if they don't adhere to the minimum version requirement.

If you mean end user, then nobody is having malware installed here - they consented fully to CE running on their computer AFAIK.

This really sucks. It is stealing from unsuspecting people, and if news like this were to go mainstream it could harm the overall reputation of Gridcoin which is still fragile based on how small the community is still right now.
Is there anyway that Gridcoin could ban running a certain version of Boinc? I suspect that many miners of Gridcoin are running newer versions as such it would affect very few legit miners by banning the use of the version.

I doubt this will have much negative impact on Gridcoin, there's thousands of negative press stories about Bitcoin every year & it goes unaffected.

We could ask projects to impose minimum BOINC client versions & vote projects out of the whitelist if they reject the proposal.

What I understand Charity Engine is a custom boinc distribution acting as a parasite. First, we should deal with it ASAP, second - this type of abuse might grow would gridcoin become more valuable, so we need to find ways of preventing such behaviours.

Edit. Although it's just a client, not server side work deployment platform.

They have a custom server too. It serves idle jobs to the clients. I have no idea why.

This seems like a grey area to me. Yes, it sucks as miners that we make less with pomegranate around but it does go towards a good cause. The main issue is that they did not simply come out and say that they are the charity engine pool but instead tried to keep things opaque.

No worse than forcing new users onto the cpid's in order to start out vs solo. Nor is it any worse than the IT guy for a University to BOINC up the campus lab's since he writes the rules and local TOS along with using federal and private funds to pay for their fleet of machines OR the head of a companies IT whom chooses what hardware to purchase based off his Boinc needs for Gridcoin and sneaks his " [email protected] screen saver " onto the client machines and uses the stolen resources to process BOINC work and earn Gridcoin... Nobody knows , nobody will find out and when you write the rules they do not apply to you. I applaud this guy , mind you I pointed him out a full 2 months ago right after first pointing out the July 5th hack and before that kikipope and his viri net.. Everybody in Gridcoin has their own agenda , least this guy isn't a coward and puts it right out there in front for all to see vs being a two faced piece of shit acting like he is around for the betterment of Gridcoin and the community itself.

no it's not the same

  • the pool distributes to the poolers
  • newcomers can read and learn what to solo mine, they are not forced
  • what this guy does is to act as a middleman, take a cut from ignorant, while providing no service
  • he is being "honest" about it because he has been publicly called out, not because he is not a piece of shit

You do Know that slack/irc/steemit or any interaction between this/any user and you/world is required? Who the hell are you to dictate what mediums anybody uses for Gridcoin let alone anything else? Would you like to limit where Gridcoin team members surf smut? Additionally this is perfect coming from a new whale like yourself , but hay just because he thought of and did it before you does not mean you should be butt hurt. This really is a gray area and lets relate it to a similar situation before we bring up Kikipope and the user HeyMerlin whom apparently either deleted his user or changed his nick as I do not know his CPID but think ce5c32c54e986594e6388045a7ca33f9 user humpydiddle that just poped up in the top list recently but goes back to the correct time line and with no active projects and the person not being around IRC ( or slack , shame on them ). So this person is/was ( hope the bitch got fired ) the head of IT for the University of Saskatchewan , so installing BOINC on all the lab/class/library computers and setting them up to processing BOINC WU soon as the system is IDLE sure is not violating their TOS he wrote them. This person was a #gridcoin trusted community leader and was backed by the other channel operators and defended by the other whales and people like our fearless team leader were/are well aware of his setup and status. He stated that the money collected was being donated to a charity and per that the community turned their noses. 10,000,000GRC+ in holdings and a past of almost 2,000,000 withdrawn over time and the current holdings value estimated current at my connect $950,000 USD. BTW , this university also has their own supercomputer lab too! But if you are in the with devs and the community leaders you can get away with anything.. Just takes sucking a little skin. Anyways sorry to again fill up your valuable space that could be used to how full of yourself you are and how much power you use , least pomegranate's drones use idle resources and follows the BOINC\Gridcoin model of using the overhead spare idle system resources in an idle state vs adding a massive extra load draw onto the power grid. 3.8kWhr

LOL, HeyMerlin is UofS-Computer-Science and his CPID is 015baf274dd9265b1c53d6aa064cface. That's ALWAYS been his ID; it's never changed. If you took as much time doing actual research as you do writing giant walls of text (full of bullshit with no real facts), you would've known that.

And, in less than 10 seconds, you can see that he doesn't have, nor has he ever had, anywhere near 10 million GRC.

But let's not let facts get in the way of our rants.

Woops , I had it wrong cpid 015baf274dd9265b1c53d6aa064cface User: UofS-Computer-Science - user = HeyMerlin and is Boinc'ed up University of Saskatchewan and everybody is aware , the community leaders , trusted community members and the dev's etc. Says that he/they donate it to charity ( charity engine??? ) and current holdings are 213,450.04 GRC ($19,407.69) so lets talk about BLACK vs WHITE vs GREY...
To bad when people write rules that also pertain to themselves they tend to take advantage of anything they can and walk a thin white line and people are GREEDY... This was allowed and supported by the Gridcoin community leaders. Myself and others brought it up many times and our great and wonderful team leader as always shrugged it off like he does everything else. Now tell me how this is allowed and not a violation of the BOINC user agreement and something about gov and publicly funded systems that are not yours " , I think they word it like " You may run this software on a computer only if you own the computer
or have the permission of the owner. "
Well since his mag has gone from 10,000 MAG to 10 and I hope he ends up like " "
I wish more of us were into this for the Science , maybe then more of team Gridcoin would have some quality ethics vs greed.

Coin Marketplace

STEEM 0.19
TRX 0.06
JST 0.025
BTC 26919.67
ETH 1712.46
USDT 1.00
SBD 2.71