Investigating the Pomegranate Network Mining Gridcoin
PLEASE NOTE: This article has been edited as a result of discussions with the CEO of Charity Engine.
Gridcoin miner Pomegranate has been somewhat of an enigma lately, with lots of users questioning where, and how, they are gathering a magnitude to rival that of GRCPool. At the time of writing, Pomegranate has two active CPIDs, detailed here and here. The first has a magnitude of 15833, while the second sits at 670. This second CPID has only just been advertised with a beacon, so its magnitude is expected to skyrocket over the next few weeks, taking Pomegranate to an estimated total magnitude of near 30,000. This is a significant amount of compute power being brought to bear.
After noticing the odd magnitude growth pattern of the user, and noting they do not take part in the community, @deltik and myself attempted to learn more about the network. We started digging and found that Pomegranate's computer power is generated through a custom BOINC client installed on computers all over the globe.
The software identifies itself as a modified BOINC version 7.0.80, which we believe is actually Charity Engine 7.0.80, a non-public release of Charity Engine that was likely bundled with other software. Note that the latest public release of Charity Engine available on their website is BOINC 7.0.76, which is hardly used by Pomegranate at all. Therefore, most of the clients being used to mine GRC were not downloaded off the Charity Engine website.
Collectively, the BOINC 7.0.80 network of computers Pomegranate controls is already yielding Pomegranate more than 4000 GRC per day. This converts to over $280/day or over $8400/month.
It does not appear that the people who have the BOINC 7.0.80 software computers are getting any sort of Gridcoin related credit, or even know that they are running BOINC tasks for Pomegranate. It's hard to prove the lack of something, but from our research we have found that there have been no announcements of connections to Gridcoin, notices of reward payouts, or community participation. There is one notable exception - Pomegranate claiming the GRC commemorative coin as if they were a legitimate miner.
Why would the user name themselves "Pomegranate" when their connections are to Charity Engine? It appears this is a side operation by Charity Engine to make more money from the network they control, after they were unable to sell off all their compute power to industry. To back this up, the software has previously been used to mine ETH on user machines running both the BOINC 7.0.80 (bundled software) and BOINC 7.0.76 (direct download) copies of their client, until a user questioned the mining on the Charity Engine forums.
Although inconclusive on their own, here are further findings relating to Pomegranate that concerned us:
BOINC 7.0.80 is an uncommon version, accounting for 0.58% of all BOINCstats BAM! client versions as of 11 December 2017, yet nearly 100% of Pomegranate's computers run that version.
The vast majority of clients are a hodge-podge of low-end to middle-of-the-road computers running older versions of Microsoft Windows. Here are the computers belonging to Pomegranate as seen on VGTU, where they forgot to hide their hosts. These hosts have since been hidden.
If Pomegranate were a real pool where users are aware that their computers are being used for BOINC, like GRCpool, there would be a lot more diversity expected. See CPID 7d0d73fe026d66fd4ab8d5d8da32a611 for an example of one of GRCpool's CPIDs.
Pomegranate runs yoyo@home, but yoyo@home does not allow weak authenticators. This means that open pools like GRCpool can't allow users on that project because any connected user would be allowed to take over the account. It's likely that the owners of the computers running Charity Engine have no idea about the yoyo@home strong authenticator stored on their machines.
SRBase discovered that some work units are being wasted because of a bug with BOINC 7.0.80 and publicly asked users to upgrade BOINC, but how can those who don't know about the software installed on their computers know to do this? Charity Engine, just like BOINC, cannot update itself.
Curiously, PrimeGrid seeded Pomegranate early on. PrimeGrid paid Pomegranate 5000 GRC on 13 August 2017 (worth $161.80 at the time). Transaction here. Notice that the funds came out of S6RimEgrEar84vQpsmVAVFbGkxfJ4i2sec, which is the same address as the PrimeGrid GRC donation address. We discovered that administrator Rytis of PrimeGrid is also an administrator of Charity Engine.
PrimeGrid sent funds to Pomegranate, even though it wasn't mentioned on the donation page. A Gridcoin ops member got in touch with the PrimeGrid team who explicitly stated that the donations were for new hardware.
Although PrimeGrid is the one project that funded Pomegranate, that project received the least work done by Pomegranate.
Pomegranate did refund PrimeGrid 3800 GRC (2100 GRC on 28 August 2017 and 1700 GRC on 30 August 2017). One would expect 1200 GRC more for a full refund, and 1200 GRC was indeed sent on 23 August 2017, but not back to PrimeGrid. Instead, those GRC were sent to an address where the GRC was consequently split up, some of which went to the wallet of user Tholo, an investor in Gridcoin. Source.
We are concerned about what we have uncovered about the Pomegranate network. There has been a lot of debate behind the scenes on whether or not this information should be made public, but we feel the Gridcoin community has a right to know. Pomegranate's Slack account was given ample opportunity to comment and chose not to.
Well, even if they were scammed, at least they were running philanthropic projects like World Community Grid and Rosetta@home, so one might say it was for the good cause.
Today, you become a part of the PoW botnet by simply visiting certain webpages with your browser. It probably happened to many of us here, while perhaps we haven't even noticed.
https://www.cryptocoinsnews.com/pirate-bay-resumes-mining-monero-using-visitor-cpu-power
I discovered and investigated the Pomegranate network, and I'm here to answer any questions about Pomegranate if you have any. AMA!
Hi guys, this is Mark from Charity Engine. Apologies for not chipping in sooner, only just seen this.
First and most important thing; can I just point out that our client is only EVER installed with the user's explicit permission. Jumping to an accusation of "botnet" is entirely unwarranted.
CE is a global computing grid which is doing dozens of commercial tasks along with computing for GRC projects (GRC only gets our surplus, which is a fraction of our full capacity).
Don't understand why you didn't just call or email us, guys. Would have taken 60 seconds.
EDIT: Now I understand why. This is simply a smear by disgruntled GRC miners whose only motivation is removing the biggest fish so they earn more GRC themselves. Duly noted, and we shall now increase our contribution to GRC projects accordingly. Told you we were actually holding back just to be nice, so well done lads. Shot yourselves in both feet.
Hi Mark,
We have reached out to you on the Gridcoin Developer Slack channel, except you never replied. I know you were active there at the time, and I know you have seen at least my message, unless you are saying that the user Pomegranate on Slack was not you?
I am aware of what you claim CE to be, and how you claim it works. It would be great if you could please explain the following:
Why did PrimeGrid seed the Pomegranate account to help it stake, using donations by the public for their supposed hardware drive? We noticed that one of the PrimeGrid admins, Rytis, is also involved with CE. This is very concerning, and the reason I personally got suspicious of your activity.
Why does your website serve CE based on BOINC 7.0.76, while the Pomegranate account runs BOINC 7.0.80 CE instances? Deltik would like to point out that BOINC 7.0.80 has a severe security vulnerability.
Thank you for your time.
Okay, let's get one thing straight here: You are flat out falsely accusing me of criminal behaviour. In public.
I'm personally not on Slack, but I am on the end of a phone or email and the first rule of journalism is right to reply. I've no idea who you are, but it seems to me that you have an axe to grind here, some personal reason to get us away from GRC, and that whatever I tell you will not change that.
Am I correct?
At first, we thought Pomegranate was cool for winning the commemorative coin, but following Pomegranate's meteroic growth, @dutch and I noticed various peculiarities.
A lot of us wanted to give you the benefit of the doubt, especially since each individual point this article made could have plausible explanations, but altogether, they don't add up.
The best recourse would be to be open and transparent about how Pomegranate works. I think we'll all rest easy if we can trust Charity Engine and Pomegranate.
If and only if we resolve these questions and confirm that your user base is legitimate, we'll go out of our way to exonerate Charity Engine.
And also, what was the deal with exclusively obsolete hardware as VGTU hosts?
Edit: And out of interest: Why no Primegrid?
You should try to enlighten us more about your operations. What value/service are you providing to your users? Can't they just use their own BOINC clients with their own CUIDs and donate (or do whatever they want) with their GRC. If indeed you are exploiting the lack of information on your users' part, we as the GRC community should aim to educate them.
No, we are stating a series of facts and likely conclusions, then giving you the option to explain why there is so much shady business going on.
If you were not personally on Slack, then who is the Pomegranate account that tried to claim the commemorative coin? You proved your identity through your wallet to try claim that coin to @jringo, so I do not understand how you can claim that was not you.
We have no axe to grind, and have no personal reason to get anyone away from GRC. Quite the opposite. In fact, we would have hoped you can explain why everything looks so shady in a way that alleviated the concerns of the community.
You are not correct. In a perfect world our concern is unfounded and your end users continue to do research. It's fantastic to see the amount of compute your CPID is contributing, but it needs to be above board or it looks really bad for both BOINC and Gridcoin.
Likely conclusions? You mean entirely unfounded and malicious accusations. Botnet? Stealing? Are you serious?
(You keep suggesting we're a one man band, btw. I've never even used Slack. That was a dev. You would know all this if you'd bothered to contact me to get to the truth.)
Since I wrote that comment, I've discovered that you do indeed have an axe to grind, as you're a massive miner yourself. So if we go away, you earn more GRC? Well, colour me amazed.
This also means you understand BOINC, and surely must have also known that our client can only ever be installed with user permission. I am therefore now struggling to see your accusations as honest mistakes.
We have contributed more to BOINC than you know. In fact, without our company's intervention, BOINC might not even exist now. Literally.
Bang out of order, dude.
I never used the word stealing, where are you getting this from?
I am aware you are not a one man band. Why is contacting another member of your band not an attempt to contact CE? They verified their identity through access to your GRC wallet, so they seemed like a reasonable port of call.
Stop accusing me of having an axe to grind. I am a 'big' miner, but I am running literally the least efficient project (Einstein@home). I am not bothered by mag, but as a researcher myself I do want to see GRC succeed.
I am not accusing you of anything. I am asking you to comment on some things that don't seem to add up. This discussion has been going on internally for a long time now.
Are you for real? Your title is "Exposing the pomegranate botnet", for crying out loud! How is that not accusing?
I've also just been sent some chat logs in which you openly call us a scam, you "have all the dirt on us", we are a front for malware (really? !), etc. So yeah, you're accusing us just fine (defaming, to be exact...) - and now you're lying about it too.
I haven't sacrificed ten years of my life creating this thing from scratch, on a shoestring, to have it bad-mouthed by a couple of conspiracy theorists who can't do basic fact checking.
You owe us a massive apology.
What PrimeGrid does with their donated funds is entirely up to their own discretion. If I had to bet, I'd say that PrimeGrid sold the GRC to CE for cash in order to buy said hardware, rather than having to dump GRC for BTC then convert to FIAT. Heck, BISQ could have been used for a p2p transfer of funds.
The tracking of funds is a slippery slope & frankly pretty disgusting.
The GRC was mostly returned once the seed funds were no longer needed, so that is highly unlikely. The disgusting thing here is asking for donations for A, and then using them for B.
If I collect donations to help the homeless, and then use the money for my own benefit, how is that ok?
If a project embezzles funds that were donated in good faith, people deserve to know so they do not donate again.
I have donated 1000 GRC to PrimeGrid back in March 2016 (when they started accepting GRC for donations). I must say it was never mentioned back then they will buy hardware with that money. Here is their donation webpage from that time. The donation drive for new hardware was started only few months ago and their donation page was then updated accordingly.
All said and done, I don't feel that my donation was embezzled in any way. Under conditions specified in March 2016, PrimeGrid admins could have taken it as their salary (normal procedure with SETI@home donations). After that, it's their private property and they can do with it as they like.
So they lent the GRC to another entity then got them back? So there has been a zero net loss of donated GRC? If it ends up going to the same equipment fund, did the donated funds not serve their purpose in the end?
This to me looks like one of the first times known BOINC entities have utilized Gridcoin as a cryptocurrency, and you want to drag them through the dirt for doing so? It doesn't make Gridcoin look that appealing for other BOINC admins.
From the article:
It was a 76% refund; PrimeGrid didn't get back 1200 GRC.
No, they got millions of core-hours of computing. Tens of millions.
Which you would know IF YOU'D BOTHERED TO ASK US BEFORE ASSUMING THE WORST.
If you guys were journos, you'd be sacked on the spot for this.
How don't you know he bought the GRC off primegrid then donated GRC back once they began earning GRC?
Major assumptions here.
I see a misunderstanding here. @markmcandrew said that we should have contacted him via the official email/phone. @dutch responded that he contacted user 'pomegranate' on our slack. There is no evidence that these two accounts are together, nor that the messages actually arrived to Mark's attention.
I agree that you should have been contacted earlier via official means, but how? They did not know it was you until you responded here.
Also the accusation that Charity Engine uses this Pomegranate pool is not backed. There is only a speculation that Pomegranate pool members use CE software. Also that software might not be approved by CE, the attacker could just have used CE software as a base.
So please stop getting all angry and explain.
Hey Brod. Actually, Mark confirmed that Pomegranate is CE. With regard to the Slack account being linked to CE, that Slack account tried to claim the commemorative coin. To do so, they proved ownership of the Pomegranate wallet. Therefore, the Pomegranate account on Slack had access to the Pomegranate wallet.
Was this message intended to be a reply to me? I am not angry and unsure what you are asking me to explain.
Hi Tomas,
CE does indeed control the pom account. It wasn't a big secret, just didn't want to scare the community that a grid of over half a million PCs was now involved (since been told it's now PoS instead of PoW anyway, so that no longer matters). If we were bad actors then we'd have just used multiple IDs - and added all our spare capacity too, which we've never done.
The Slack account was created purely to claim that one-off coin thing, on the logic that it WOULD look suspicious if we didn't. It wasn't ever used again.
They admit they got no reply from the slack account, and that they didn't bother trying phone, email, or any other normal way of contacting a company CEO.
It's a charade.
i got one word for you mister:
sketchy
I got one for Dutch too. "Libel".
Thanks for the response. Two questions
How come most users are running a different version than what's downloadable?
Is the modified source available for download somewhere?
It's not meant to be different, it's a bug! Nearly all (over 99%) of our users come via adverts, not via the main site. We just forgot to update the link.
New version coming very soon anyway. Will make sure it's the same everywhere.
Where can I find a list of charities and amount of donations you have provided?
Thank you.
Oki! Out of curiosity, from where is the updated client installed? As bundles or via ad banners?
Regarding the source, I noticed that there is support for Charity Engine in the BOINC source tree. Do you use the vanilla source?
ok, so basically you have convinced a bunch people to run BOINC with your CPID by telling them that they will get back %33 in prizes while you keep the other %33 and the rest goes to charity. Is that it? And your point is people are OK with it so what is to you? Am I getting it right?
That, I see no problem with. The deceit, I do see a problem with.
The lack of the 33% 'prizes' payout, I also have a problem with.
You are currently earning approx $6000 per month in Gridcoin (@ $0.05 per GRC) and claim it's a 33-33-33 split between you, charities and users.
Yet you are only seeming to be giving out a raffle to end users of $1000 every 2-3 months.
You would need to be selling at around $0.01 / GRC for those figures to add up.
4000GRC per day * 30 = 120,000GRC per month
120,000 * 0.01 = $1200 per month, split three ways is $400
Of course that is before any computing power you sell, again as you claim.
There is money disappearing somewhere along this chain.
Even if it were not and the 33% split was legit, taking 33% of proceeds that could be going to charity and users for not doing much at all is extremly dubious.
When coupled with your charitable claims, with which you used to get various lots of funding, it certainly isn't ethical.
There are also the profits received from Eth mining if that is still in use.
And any other mining that users may have not spotted. Clearly they went out of their way to hide the ETH hash files, so others may be hidden.
"Quick, screenshot that incriminating forum post before they delete it! I mean, it's only been there for the last two years..."
This implies that in addition to the custom client you have your own server end modified BOINC software?
Your global grid is super inefficient, as 1/3 of the profits users get is less than 1/3 of gridcoin earnings even though, as you claim GRC (or should be BOINC) gets a fraction of your capacity.
Is there a list of charities and amount of donations you have provided?
I doubt that he has any preferential treatment by BOINC projects.
They have their own server though. When you first install CE, it sends the end user tasks that appear to take forever. Turns out they are empty, and are literally just idling. I don't know why they do this.
Well done, if you find out any more information please keep us up to date ..
I wouldn't classify it as a 'botnet', that implies a lack of consent in the software being installed on the end user's computer. It's a distributed compute cluster with consent approved to run the CE software on their computer.
Perhaps you could argue that the TOS the users signed don't cover the specific types of computation being performed, but that's not the argument you seem to be making..
No actually I did 2+ months ago before leaving thanks to the typical bitch antics of the people we are forced into trusting as community leaders...
Interesting as I also found kikipope too and odd too that others claimed they discovered or " found " him too when neither are hiding and they are both in plain site. Guess neither kissed enough ass to the people we are forced to trust as community members. GRC8
I'm in 'stitches' here as a result of watching that!!
Very funny but true.
Detrimental. If hosts didn't consent to use their energy and hardware, then it can be considered stealing no? The intentions are very opposed to the work being done.
I agree, and this is playing right into the hands of BOINC enthusiasts who think GRC is detrimental to BOINC and its reputation. As a community we should not tolerate this behaviour just because of the short term processing gain.
It is most definately theft if users are unaware that some one is benefitting from their computing power and electricity.
And also against the BOINC terms if the user is unaware.
Except they consented to using CE When they registered & installed the CE software..
Exactly. Something I find difficult to believe that Dutch is unaware of.
(And something which he still isn't commenting on.)
I'm commenting for @dutch because he's gone to sleep.
We are able to confirm express consent for the less than 1% of users who install Charity Engine through the website, as that is the only installer available for us to analyze.
From Spyware Techie:
This sounds like about as much consent as leaving a sneaky checkbox checked by default in a bundled software installation.
Spyware Techie??? Bloody hell, mate. Spyware Techie exists purely to spread FUD about other apps to make you download their crappy SpyHunter software (Google it). Great source, lads. Really impressive research. Maybe a quote from Infowars next?
So guess what? We do not "leave a sneaky checkbox ticked by default" and I'm now about one more snotty (and ever-changing) accusation from screenshotting this whole thing and sending it to our legal guy.
I would defend with Freedom of Speech (and Write), but legal is as full of holes as gridcoin source.
Also I suggest to save this wbepage (File->Save page as) to save the poor lawyer from copy-typing the text from your screenshot image.
They consented to using CE when they registered and installed the CE software, it's not like it's being installed via a drive-by trojan.
I don't know, if the software is bundled with other software unless you untick a checkbox I don't know how valid the consent argument is. I mean, it's not like people used to run 600 IE toolbars because they liked them and gave explicit consent. They ran them because they came bundled with something they actually consented to.
Edit: All installations supposedly require explicit consent (as in check a box to install, not uncheck a box to avoid installation), so it might be moot.
Installing CCleaner today, Avast Antivirus attempted to do exactly this. It's standard practice within the freeware/shareware scene.
Did it install CE or something else?
There should be no debate about this. All this information is circumstantial and is/was public. The community should almost always be informed and be left to come up with their own conclusions. Thanks @deltik and @dutch for the investigation and compilation of this information.
In complete agreement. This runs contrary to all our goals and ethos and transparency is extremely important to us.
This may be your ethos/perspective, but it's not the gridcoin networks' stance - it is a decentralized network which does not impose such ideologies upon its userbase.
Perhaps transparency in its developers intentions/actions and the work units being actually computed within BOINC projects, but demanding absolute transparency from network participants is absurd.
Everything with Gridcoin is behind the scenes.. You have to kiss ass and be in the " in " club/clique , I gave it the GRC8 nickname thank you very much. You would not want an open community project to actually have the whole community able to participate and voice their views and ideas , they might not match your own and you may not be able to push your own agenda.
How different is this from viruses that mine bitcoin? How can running anything on a users hardware without his consent be considered legal? It doesn't even matter if it costs energy or not, it doesn't matter if it is for research for the greater good, it doesn't matter...
It's different because nobody had the software unwillingly installed on their computer.
I reacted when the article was posted.
From the article: "it is highly likely Pomegranate is earning GRC illegitimately through unwanted software installed unknowingly on victims' computers".
By now there is more information from the comments and I no longer see the issue. I checked the website and it looks quite clear to me that when installing you are donating computer power.
It is the users responsibility to make sure that what he installs is legit, from a trusted source and functions as intended.
As long as they are contributing to the BOINC projects, paid or not, I see no issue. I have been BOINCing for 15 or so years. Don't really care what client.
I do understand big miners get nervous. Their magnitude drops and they can't do anything about it but to try and blame someone else.
Does gridcoin now need to 'check' what is used to contribute to science? Being the BOINC internet cop. Good luck with that.
As vortac says: it's still contributing to science.
I would like to return to some of the bullet points here:
Yes, but the clients mining BOINC were not downloaded off the website. This was just stated explicitly.
Actually, we found out about this months ago and did nothing, mainly due to CM being very opposed to saying anything publicly. It was several big discussions in the Slack channel between many users that made us decide to say something. I personally do not care for mag - check my project selection if you don't believe me (Einstein@home on all GPUs - literally the least efficient).
The other reason is several projects are getting many corrupted results and burned work units, as explained. The Pomegranate account has not fixed this issue.
Nope, not at all.
If Gridcoin ops had not acted a few months ago, we would still have Kikipope around. How does it look for BOINC and Gridcoin if the main contributors are these kind of networks?
Let me reiterate: We all want CE to be legit, because their contribution to science is great. I know of several people, including myself, who reached out over the last months and were ignored. Ideally, we would like these concerns alleviated and move on.
You have never contacted me, nor has anyone else. I learned of this page thanks to a Google alert.
We have a website with a contact form. We have an address. We have email, we have a phone number. Contacting me is not rocket science - and of course I would respond to something like this.
I note your comment about running the least-earning project. Good to know, and that does make me more reassured as to your motives - if not your methods...
EDIT: No longer reassured one bit. Deltik's lies about us being bundled with malware cannot be unintentional, IMHO. His own evidence says the opposite of what he claims it says.
Ye, but the connection between 'Pomegranate' and 'Charity engine' was not public, so the accusers couldn't use, or even find the contact form.
They knew Pom was CE for ages. Hence this hit piece.
First we knew they had any questions at all? A Google alert about this post.
That's not honest journalism, it's a smear campaign.
Summarized: CE says the are using your computing power when you install their SW. Their SW downloads and installs something else, BOINC, whatever version, from whatever location, modified or not.
It's not unusual that an installer downloads and install other installers. The average user doesn't care.
If the science results are ok for the projects there is no issue for BOINC as a concept.
To me BOINC and Gridcoin don't look any different because of it. The user makes choices and if legit that's the end I think. The grcpool doesn't allow voting. Does that make contribution to science any less? Does that make it worse for BOINC?
This article has botnet in the title, a word with a very negative connotation. It boils down to not agreeing to the way the client is downloaded and someone not responding to you guys?
In the end it seems like a storm in a teacup. I fail to see the issue here. The internet is full of strange things I don't support. Fine, I just don't use them, if they're no good they die anyway.
Edit: before all wars break loose I'm not supporting CE either, don't know what it is and not interested.
I don't recall any such communications regarding your allegations against CE.
I am indeed opposed to public slander & doxing of individuals of whom you suspect are committing serious large scale computer crime (running a botnet will get you life in jail).
The best course of action is to contact the BOINC projects direclty, specifically their cyber security divisions - Oxford, IBM, LHC, they all have dedicated teams whom can investigate such claims with greater access to volunteer data.
If not BOINC projects then you should have contacted the authorities with the information you believe you have. Posting a smear piece like this without concrete evidence is likely going to get you sued by CE for public defamation/slander.
We've contributed over a hundred million core hours to science since we launched in 2011.
I can give you another titbit which you are free to check too. In our early days, I went out and raised extra seed funding just to give $60k to the BOINC project at Berkeley, which was faced with shutting down because of a six month funding gap.
You can probably start to see why I'm fuming at this hit piece.
There is also little movements of computers between projects for what I can see, Pomegranate only keeps adding new ones. Last week Pomegranate started adding computers to NFS@home and the Gridcoin team RAC output has moved up with 1.5M (see chart) while the GRC earnings per 1k system RAC has dropped 25% in the same period for this project.
In case Pomegranate has the consent from members to install the software and add projects as he feels fit this would be fine but if he doesn't, I would consider it unacceptable.
That's correct. When running their software in a sandbox, we found the end user has no choice on what projects are run. The instructions are sent from their account manager.
I removed my comments as they are not directly relevant to the discussion.
Which CPID is this for? It could be that @bgb has moved users around.
If the users don't consent, then yes I agree it's wrong. But if they do consent then it should be fine.
EDIT: I commented on this post in the morning without being aware of many facts relevant to this discussion. A lot seems to be blowing over my head, so I've decided to extract myself from this conversation.
I absolutely agree with you @caleb23.
Discussion has been going on in public on slack and IRC, the chance to clear their name has come and gone ..
I disagree that it's gone. It's always there - it perhaps should have happened earlier but if proof of a legitimate operation happens now then we as a community will still have to accept it.
This is key. Let's not forget that.
well it sounds like stealing so we should definitely condemn it
I concur that we condemn stealing. Just be careful in future about condemning something because of the way it sounds.
Can we report that specific version of BOINC to antivirus manufacturers? I dont know how they work with determining one version from another, but if its a customized version can it be explicity listed as malware?
The fact that these users are unwittingly infected may mean they do not have any security, or that its so compromised that it wont make a difference, but who knows, it may stop this version from spreading further.
I think that getting one version of BOINC labeled as malware would get all versions flagged, it would be massively detrimental to non tech-savvy users to see that the software they understand to be solving cancer is potentially malware (Even if it's a false negative).
A better alternative would be to get BOINC projects to enforce mandatory minimum BOINC client versions & if they don't adhere to these minimum requirements they're voted out of the whitelist.
Sure that works better I guess, at least I tried for a solution :)