You are viewing a single comment's thread from:

RE: Investigating the Pomegranate Network Mining Gridcoin

in #gridcoin7 years ago (edited)

I discovered and investigated the Pomegranate network, and I'm here to answer any questions about Pomegranate if you have any. AMA!

Sort:  

Hi guys, this is Mark from Charity Engine. Apologies for not chipping in sooner, only just seen this.

First and most important thing; can I just point out that our client is only EVER installed with the user's explicit permission. Jumping to an accusation of "botnet" is entirely unwarranted.

CE is a global computing grid which is doing dozens of commercial tasks along with computing for GRC projects (GRC only gets our surplus, which is a fraction of our full capacity).

Don't understand why you didn't just call or email us, guys. Would have taken 60 seconds.

EDIT: Now I understand why. This is simply a smear by disgruntled GRC miners whose only motivation is removing the biggest fish so they earn more GRC themselves. Duly noted, and we shall now increase our contribution to GRC projects accordingly. Told you we were actually holding back just to be nice, so well done lads. Shot yourselves in both feet.

Hi Mark,

We have reached out to you on the Gridcoin Developer Slack channel, except you never replied. I know you were active there at the time, and I know you have seen at least my message, unless you are saying that the user Pomegranate on Slack was not you?

I am aware of what you claim CE to be, and how you claim it works. It would be great if you could please explain the following:

  • Why did PrimeGrid seed the Pomegranate account to help it stake, using donations by the public for their supposed hardware drive? We noticed that one of the PrimeGrid admins, Rytis, is also involved with CE. This is very concerning, and the reason I personally got suspicious of your activity.

  • Why does your website serve CE based on BOINC 7.0.76, while the Pomegranate account runs BOINC 7.0.80 CE instances? Deltik would like to point out that BOINC 7.0.80 has a severe security vulnerability.

Multiple stack-based buffer overflows in the XML parser in BOINC 7.x allow attackers to have unspecified impact via a crafted XML file, related to the scheduler.

  • Why did you try and hide the link to CE so actively? Wouldn't "Charity Engine Pool" have sounded a lot less sketchy?

Thank you for your time.

Okay, let's get one thing straight here: You are flat out falsely accusing me of criminal behaviour. In public.

I'm personally not on Slack, but I am on the end of a phone or email and the first rule of journalism is right to reply. I've no idea who you are, but it seems to me that you have an axe to grind here, some personal reason to get us away from GRC, and that whatever I tell you will not change that.

Am I correct?

At first, we thought Pomegranate was cool for winning the commemorative coin, but following Pomegranate's meteroic growth, @dutch and I noticed various peculiarities.

A lot of us wanted to give you the benefit of the doubt, especially since each individual point this article made could have plausible explanations, but altogether, they don't add up.

The best recourse would be to be open and transparent about how Pomegranate works. I think we'll all rest easy if we can trust Charity Engine and Pomegranate.

  • What is an example of an ad that leads to a Charity Engine 7.0.80 download? Despite a 99% acquisition through ads, we're having trouble finding any.
  • Charity Engine 7.0.80 was reportedly released on 24 June 2014 with no updates since. Why did it take so long to announce an upcoming update just today?
  • And why hasn't there been an update the last 3½ years since the severe vulnerability CVE-2013-2298, which affects Charity Engine 7.0.80?
  • Another independent investigation found that Charity Engine is bundled with other programs and may be installed without the users noticing. Can you walk us through the installation flow of a Charity Engine software bundle?
  • Why is it called Pomegranate?
  • Why did you just rename the second Pomegranate pool from "pomegranate2" to "PSVR-1075"? This name change reduces transparency and suggests that you may be trying to hide the second pool.
  • We expect to see a lot of active users if there are over 460,000 hosts in 2016, but the Charity Engine forum is almost dead. Where is the community talking about Charity Engine?
  • Why aren't people talking about Charity Engine? There is hardly a peep about Charity Engine on social media.
  • When users like myself or this guy try to do work for Charity Engine 7.0.76 (the public version), we get what appears to be a dummy task taking up "0.0001 CPU" and using very little CPU. Why can't we voluntarily contribute to Charity Engine through the client?
  • If your users are knowingly running Charity Engine, why did Pomegranate participate in yoyo@home, a project that requires strong authenticators? This is bad security practice at best and unaware users at worst.
  • PrimeGrid (address S6RimEgrEar84vQpsmVAVFbGkxfJ4i2sec) provided funds to get Pomegranate started. What is PrimeGrid's role in Pomegranate?
  • PrimeGrid consequently was the project with the least return from Pomegranate despite providing the initial wallet funds. This suggests that PrimeGrid was not incentivizing Pomegranate to crunch for them. Why is Pomegranate not contributing compute power to PrimeGrid?
  • Can you provide your earnings reports and charity donations so that we can verify your 33-33-33 income distribution claim?

If and only if we resolve these questions and confirm that your user base is legitimate, we'll go out of our way to exonerate Charity Engine.

And also, what was the deal with exclusively obsolete hardware as VGTU hosts?

Edit: And out of interest: Why no Primegrid?

You should try to enlighten us more about your operations. What value/service are you providing to your users? Can't they just use their own BOINC clients with their own CUIDs and donate (or do whatever they want) with their GRC. If indeed you are exploiting the lack of information on your users' part, we as the GRC community should aim to educate them.

No, we are stating a series of facts and likely conclusions, then giving you the option to explain why there is so much shady business going on.

If you were not personally on Slack, then who is the Pomegranate account that tried to claim the commemorative coin? You proved your identity through your wallet to try claim that coin to @jringo, so I do not understand how you can claim that was not you.

We have no axe to grind, and have no personal reason to get anyone away from GRC. Quite the opposite. In fact, we would have hoped you can explain why everything looks so shady in a way that alleviated the concerns of the community.

You are not correct. In a perfect world our concern is unfounded and your end users continue to do research. It's fantastic to see the amount of compute your CPID is contributing, but it needs to be above board or it looks really bad for both BOINC and Gridcoin.

Likely conclusions? You mean entirely unfounded and malicious accusations. Botnet? Stealing? Are you serious?

(You keep suggesting we're a one man band, btw. I've never even used Slack. That was a dev. You would know all this if you'd bothered to contact me to get to the truth.)

Since I wrote that comment, I've discovered that you do indeed have an axe to grind, as you're a massive miner yourself. So if we go away, you earn more GRC? Well, colour me amazed.

This also means you understand BOINC, and surely must have also known that our client can only ever be installed with user permission. I am therefore now struggling to see your accusations as honest mistakes.

We have contributed more to BOINC than you know. In fact, without our company's intervention, BOINC might not even exist now. Literally.

Bang out of order, dude.

I never used the word stealing, where are you getting this from?

I am aware you are not a one man band. Why is contacting another member of your band not an attempt to contact CE? They verified their identity through access to your GRC wallet, so they seemed like a reasonable port of call.

Stop accusing me of having an axe to grind. I am a 'big' miner, but I am running literally the least efficient project (Einstein@home). I am not bothered by mag, but as a researcher myself I do want to see GRC succeed.

I am not accusing you of anything. I am asking you to comment on some things that don't seem to add up. This discussion has been going on internally for a long time now.

Are you for real? Your title is "Exposing the pomegranate botnet", for crying out loud! How is that not accusing?

I've also just been sent some chat logs in which you openly call us a scam, you "have all the dirt on us", we are a front for malware (really? !), etc. So yeah, you're accusing us just fine (defaming, to be exact...) - and now you're lying about it too.

I haven't sacrificed ten years of my life creating this thing from scratch, on a shoestring, to have it bad-mouthed by a couple of conspiracy theorists who can't do basic fact checking.

You owe us a massive apology.

By saying that "Exposing the pomegranate botnet" is an accusation to you, you admitted that you, or your company are behind the pomegranate.

Also how they were to contact you, if there was no easy way from 'Pomegranate' to 'Mark McAndrew'?

We'll apologize once we can trust you. Here's how.

Why did PrimeGrid seed the Pomegranate account to help it stake, using donations by the public for their supposed hardware drive? We noticed that one of the PrimeGrid admins, Rytis, is also involved with CE. This is very concerning, and the reason I personally got suspicious of your activity.

What PrimeGrid does with their donated funds is entirely up to their own discretion. If I had to bet, I'd say that PrimeGrid sold the GRC to CE for cash in order to buy said hardware, rather than having to dump GRC for BTC then convert to FIAT. Heck, BISQ could have been used for a p2p transfer of funds.

The tracking of funds is a slippery slope & frankly pretty disgusting.

The GRC was mostly returned once the seed funds were no longer needed, so that is highly unlikely. The disgusting thing here is asking for donations for A, and then using them for B.

If I collect donations to help the homeless, and then use the money for my own benefit, how is that ok?

If a project embezzles funds that were donated in good faith, people deserve to know so they do not donate again.

I have donated 1000 GRC to PrimeGrid back in March 2016 (when they started accepting GRC for donations). I must say it was never mentioned back then they will buy hardware with that money. Here is their donation webpage from that time. The donation drive for new hardware was started only few months ago and their donation page was then updated accordingly.

All said and done, I don't feel that my donation was embezzled in any way. Under conditions specified in March 2016, PrimeGrid admins could have taken it as their salary (normal procedure with SETI@home donations). After that, it's their private property and they can do with it as they like.

So they lent the GRC to another entity then got them back? So there has been a zero net loss of donated GRC? If it ends up going to the same equipment fund, did the donated funds not serve their purpose in the end?

This to me looks like one of the first times known BOINC entities have utilized Gridcoin as a cryptocurrency, and you want to drag them through the dirt for doing so? It doesn't make Gridcoin look that appealing for other BOINC admins.

From the article:

Pomegranate did refund PrimeGrid 3800 GRC (2100 GRC on 28 August 2017 and 1700 GRC on 30 August 2017). One would expect 1200 GRC more for a full refund, and 1200 GRC was indeed sent on 23 August 2017, but not back to PrimeGrid. Instead, those GRC were sent to an address where the GRC was consequently split up, some of which went to the wallet of user Tholo, an investor in Gridcoin. Source.

It was a 76% refund; PrimeGrid didn't get back 1200 GRC.

No, they got millions of core-hours of computing. Tens of millions.

Which you would know IF YOU'D BOTHERED TO ASK US BEFORE ASSUMING THE WORST.

If you guys were journos, you'd be sacked on the spot for this.

This information is public. To date, Pomegranate has earned 743,301 cobblestones on PrimeGrid.

That's about the equivalent of running one GeForce GTX 1070 graphics card on PrimeGrid for one day.

How don't you know he bought the GRC off primegrid then donated GRC back once they began earning GRC?

Major assumptions here.

I see a misunderstanding here. @markmcandrew said that we should have contacted him via the official email/phone. @dutch responded that he contacted user 'pomegranate' on our slack. There is no evidence that these two accounts are together, nor that the messages actually arrived to Mark's attention.
I agree that you should have been contacted earlier via official means, but how? They did not know it was you until you responded here.
Also the accusation that Charity Engine uses this Pomegranate pool is not backed. There is only a speculation that Pomegranate pool members use CE software. Also that software might not be approved by CE, the attacker could just have used CE software as a base.
So please stop getting all angry and explain.

Hey Brod. Actually, Mark confirmed that Pomegranate is CE. With regard to the Slack account being linked to CE, that Slack account tried to claim the commemorative coin. To do so, they proved ownership of the Pomegranate wallet. Therefore, the Pomegranate account on Slack had access to the Pomegranate wallet.

Was this message intended to be a reply to me? I am not angry and unsure what you are asking me to explain.

Hi Tomas,

CE does indeed control the pom account. It wasn't a big secret, just didn't want to scare the community that a grid of over half a million PCs was now involved (since been told it's now PoS instead of PoW anyway, so that no longer matters). If we were bad actors then we'd have just used multiple IDs - and added all our spare capacity too, which we've never done.

The Slack account was created purely to claim that one-off coin thing, on the logic that it WOULD look suspicious if we didn't. It wasn't ever used again.

They admit they got no reply from the slack account, and that they didn't bother trying phone, email, or any other normal way of contacting a company CEO.

It's a charade.

i got one word for you mister:

sketchy

I got one for Dutch too. "Libel".

Thanks for the response. Two questions

  1. How come most users are running a different version than what's downloadable?

  2. Is the modified source available for download somewhere?

It's not meant to be different, it's a bug! Nearly all (over 99%) of our users come via adverts, not via the main site. We just forgot to update the link.

New version coming very soon anyway. Will make sure it's the same everywhere.

Where can I find a list of charities and amount of donations you have provided?
Thank you.

Oki! Out of curiosity, from where is the updated client installed? As bundles or via ad banners?

Regarding the source, I noticed that there is support for Charity Engine in the BOINC source tree. Do you use the vanilla source?

ok, so basically you have convinced a bunch people to run BOINC with your CPID by telling them that they will get back %33 in prizes while you keep the other %33 and the rest goes to charity. Is that it? And your point is people are OK with it so what is to you? Am I getting it right?

That, I see no problem with. The deceit, I do see a problem with.

The lack of the 33% 'prizes' payout, I also have a problem with.

You are currently earning approx $6000 per month in Gridcoin (@ $0.05 per GRC) and claim it's a 33-33-33 split between you, charities and users.

Yet you are only seeming to be giving out a raffle to end users of $1000 every 2-3 months.

You would need to be selling at around $0.01 / GRC for those figures to add up.

4000GRC per day * 30 = 120,000GRC per month
120,000 * 0.01 = $1200 per month, split three ways is $400

Of course that is before any computing power you sell, again as you claim.

There is money disappearing somewhere along this chain.

Even if it were not and the 33% split was legit, taking 33% of proceeds that could be going to charity and users for not doing much at all is extremly dubious.

When coupled with your charitable claims, with which you used to get various lots of funding, it certainly isn't ethical.

There are also the profits received from Eth mining if that is still in use.

And any other mining that users may have not spotted. Clearly they went out of their way to hide the ETH hash files, so others may be hidden.

"Quick, screenshot that incriminating forum post before they delete it! I mean, it's only been there for the last two years..."

CE is a global computing grid which is doing dozens of commercial tasks along with computing for GRC projects (GRC only gets our surplus, which is a fraction of our full capacity).

This implies that in addition to the custom client you have your own server end modified BOINC software?

Your global grid is super inefficient, as 1/3 of the profits users get is less than 1/3 of gridcoin earnings even though, as you claim GRC (or should be BOINC) gets a fraction of your capacity.

Is there a list of charities and amount of donations you have provided?

you have your own server end modified BOINC software?

I doubt that he has any preferential treatment by BOINC projects.

They have their own server though. When you first install CE, it sends the end user tasks that appear to take forever. Turns out they are empty, and are literally just idling. I don't know why they do this.

Well done, if you find out any more information please keep us up to date ..

I wouldn't classify it as a 'botnet', that implies a lack of consent in the software being installed on the end user's computer. It's a distributed compute cluster with consent approved to run the CE software on their computer.

Perhaps you could argue that the TOS the users signed don't cover the specific types of computation being performed, but that's not the argument you seem to be making..

No actually I did 2+ months ago before leaving thanks to the typical bitch antics of the people we are forced into trusting as community leaders...
Interesting as I also found kikipope too and odd too that others claimed they discovered or " found " him too when neither are hiding and they are both in plain site. Guess neither kissed enough ass to the people we are forced to trust as community members. GRC8

Coin Marketplace

STEEM 0.19
TRX 0.25
JST 0.037
BTC 96709.35
ETH 3340.46
USDT 1.00
SBD 3.16