
RE: Investigating the Pomegranate Network Mining Gridcoin

in #gridcoin · 7 years ago (edited)

Hi Mark,

We have reached out to you on the Gridcoin Developer Slack channel, except you never replied. I know you were active there at the time, and I know you have seen at least my message, unless you are saying that the user Pomegranate on Slack was not you?

I am aware of what you claim CE to be, and how you claim it works. It would be great if you could please explain the following:

  • Why did PrimeGrid seed the Pomegranate account to help it stake, using donations by the public for their supposed hardware drive? We noticed that one of the PrimeGrid admins, Rytis, is also involved with CE. This is very concerning, and the reason I personally got suspicious of your activity.

  • Why does your website serve CE based on BOINC 7.0.76, while the Pomegranate account runs BOINC 7.0.80 CE instances? Deltik would like to point out that BOINC 7.0.80 has a severe security vulnerability.

Multiple stack-based buffer overflows in the XML parser in BOINC 7.x allow attackers to have unspecified impact via a crafted XML file, related to the scheduler.

  • Why did you try and hide the link to CE so actively? Wouldn't "Charity Engine Pool" have sounded a lot less sketchy?

Thank you for your time.


Okay, let's get one thing straight here: You are flat out falsely accusing me of criminal behaviour. In public.

I'm personally not on Slack, but I am on the end of a phone or email and the first rule of journalism is right to reply. I've no idea who you are, but it seems to me that you have an axe to grind here, some personal reason to get us away from GRC, and that whatever I tell you will not change that.

Am I correct?

At first, we thought Pomegranate was cool for winning the commemorative coin, but following Pomegranate's meteoric growth, @dutch and I noticed various peculiarities.

A lot of us wanted to give you the benefit of the doubt, especially since each individual point this article made could have plausible explanations, but altogether, they don't add up.

The best recourse would be to be open and transparent about how Pomegranate works. I think we'll all rest easy if we can trust Charity Engine and Pomegranate.

  • What is an example of an ad that leads to a Charity Engine 7.0.80 download? Despite a 99% acquisition through ads, we're having trouble finding any.
  • Charity Engine 7.0.80 was reportedly released on 24 June 2014 with no updates since. Why did it take so long to announce an upcoming update just today?
  • And why hasn't there been an update the last 3½ years since the severe vulnerability CVE-2013-2298, which affects Charity Engine 7.0.80?
  • Another independent investigation found that Charity Engine is bundled with other programs and may be installed without the users noticing. Can you walk us through the installation flow of a Charity Engine software bundle?
  • Why is it called Pomegranate?
  • Why did you just rename the second Pomegranate pool from "pomegranate2" to "PSVR-1075"? This name change reduces transparency and suggests that you may be trying to hide the second pool.
  • We expect to see a lot of active users if there are over 460,000 hosts in 2016, but the Charity Engine forum is almost dead. Where is the community talking about Charity Engine?
  • Why aren't people talking about Charity Engine? There is hardly a peep about Charity Engine on social media.
  • When users like myself or this guy try to do work for Charity Engine 7.0.76 (the public version), we get what appears to be a dummy task taking up "0.0001 CPU" and using very little CPU. Why can't we voluntarily contribute to Charity Engine through the client?
  • If your users are knowingly running Charity Engine, why did Pomegranate participate in yoyo@home, a project that requires strong authenticators? This is bad security practice at best and unaware users at worst.
  • PrimeGrid (address S6RimEgrEar84vQpsmVAVFbGkxfJ4i2sec) provided funds to get Pomegranate started. What is PrimeGrid's role in Pomegranate?
  • PrimeGrid consequently was the project with the least return from Pomegranate despite providing the initial wallet funds. This suggests that PrimeGrid was not incentivizing Pomegranate to crunch for them. Why is Pomegranate not contributing compute power to PrimeGrid?
  • Can you provide your earnings reports and charity donations so that we can verify your 33-33-33 income distribution claim?

If and only if we resolve these questions and confirm that your user base is legitimate, we'll go out of our way to exonerate Charity Engine.

And also, what was the deal with exclusively obsolete hardware as VGTU hosts?

Edit: And out of interest: Why no Primegrid?

You should try to enlighten us more about your operations. What value/service are you providing to your users? Can't they just use their own BOINC clients with their own CPIDs and donate (or do whatever they want) with their GRC? If indeed you are exploiting the lack of information on your users' part, we as the GRC community should aim to educate them.

No, we are stating a series of facts and likely conclusions, then giving you the option to explain why there is so much shady business going on.

If you were not personally on Slack, then who is the Pomegranate account that tried to claim the commemorative coin? You proved your identity through your wallet to try to claim that coin to @jringo, so I do not understand how you can claim that was not you.

We have no axe to grind, and have no personal reason to get anyone away from GRC. Quite the opposite. In fact, we would have hoped you can explain why everything looks so shady in a way that alleviated the concerns of the community.

You are not correct. In a perfect world our concern is unfounded and your end users continue to do research. It's fantastic to see the amount of compute your CPID is contributing, but it needs to be above board or it looks really bad for both BOINC and Gridcoin.

Likely conclusions? You mean entirely unfounded and malicious accusations. Botnet? Stealing? Are you serious?

(You keep suggesting we're a one man band, btw. I've never even used Slack. That was a dev. You would know all this if you'd bothered to contact me to get to the truth.)

Since I wrote that comment, I've discovered that you do indeed have an axe to grind, as you're a massive miner yourself. So if we go away, you earn more GRC? Well, colour me amazed.

This also means you understand BOINC, and surely must have also known that our client can only ever be installed with user permission. I am therefore now struggling to see your accusations as honest mistakes.

We have contributed more to BOINC than you know. In fact, without our company's intervention, BOINC might not even exist now. Literally.

Bang out of order, dude.

I never used the word stealing, where are you getting this from?

I am aware you are not a one man band. Why is contacting another member of your band not an attempt to contact CE? They verified their identity through access to your GRC wallet, so they seemed like a reasonable port of call.

Stop accusing me of having an axe to grind. I am a 'big' miner, but I am running literally the least efficient project (Einstein@home). I am not bothered by mag, but as a researcher myself I do want to see GRC succeed.

I am not accusing you of anything. I am asking you to comment on some things that don't seem to add up. This discussion has been going on internally for a long time now.

Are you for real? Your title is "Exposing the pomegranate botnet", for crying out loud! How is that not accusing?

I've also just been sent some chat logs in which you openly call us a scam, you "have all the dirt on us", we are a front for malware (really?!), etc. So yeah, you're accusing us just fine (defaming, to be exact...) - and now you're lying about it too.

I haven't sacrificed ten years of my life creating this thing from scratch, on a shoestring, to have it bad-mouthed by a couple of conspiracy theorists who can't do basic fact checking.

You owe us a massive apology.

By saying that "Exposing the pomegranate botnet" is an accusation to you, you admitted that you, or your company, are behind the pomegranate.

Also, how were they to contact you, if there was no easy way from 'Pomegranate' to 'Mark McAndrew'?

The only certain contact link we had was that Pomegranate on Slack controlled the Pomegranate miner's wallet. @jringo confirmed this as part of the commemorative coin claim process. When I tried to open a dialogue with Pomegranate on Slack it was ignored.

Yes, CE controls that account. So what? They already knew it was us, it wasn't some massive secret.

If we'd wanted to keep it secret we'd have used multiple CPIDs. Why draw attention if trying to hide?

Only reason we didn't call it CE grid or some such was because we're big enough to 51% the network (EDIT: since been told it changed to PoS) and we didn't want to worry the troops and potentially crash GRC. Indeed, we've been going deliberately easy - which we will now prove.

Meanwhile, I run the company and I'm easy to contact via all the regular channels. That one of our developers had once logged into Slack to claim that coin is of no relevance. They got no reply, so why didn't they call me? Email me? Find me on Twitter or LinkedIn?

Because they didn't want answers, that's why. They wanted to smear.

We'll apologize once we can trust you. Here's how.

Not me that needs to earn trust here, it's you. You made the botnet accusation, it's pure bullshit, you're in the wrong, end of story.

Even if everything is above board, your business model appears to be predatory and entirely in bad taste.

You get people to install your client with either promises that they are helping charity and could win some money or by the dubious (even when legal) method of bundling it with other software. You then take all of the money earned and give some back to charity and some back to the users.

What your users don't seem to realise is that both they and the charities would be far better off if they ran BOINC themselves and donated half of their earnings to charity. The only people making money from this are yourselves, by preying on people who are not informed or are not very computer literate.

Personally, my opinion is that you are morally wrong (borderline legally wrong) in your blatantly over-exaggerated claims.

  • The 33-33-33 split does not add up.
  • Elsewhere you state half your profits go to charities which doesn't tie up with the above.
  • You claim partnerships with several major charities yet they do not list you as a partner on their websites.
  • You claim to have 550,000+ PCs always available and 1 million on request, yet BOINC only has 820,479 computers running in total.

I have no doubt you do give some money to charity and give some back to users, but how your business operates is extremely unethical and distasteful even if you can argue it's just about legal.

Why did PrimeGrid seed the Pomegranate account to help it stake, using donations by the public for their supposed hardware drive? We noticed that one of the PrimeGrid admins, Rytis, is also involved with CE. This is very concerning, and the reason I personally got suspicious of your activity.

What PrimeGrid does with their donated funds is entirely up to their own discretion. If I had to bet, I'd say that PrimeGrid sold the GRC to CE for cash in order to buy said hardware, rather than having to dump GRC for BTC and then convert to fiat. Heck, Bisq could have been used for a p2p transfer of funds.

The tracking of funds is a slippery slope & frankly pretty disgusting.

The GRC was mostly returned once the seed funds were no longer needed, so that is highly unlikely. The disgusting thing here is asking for donations for A, and then using them for B.

If I collect donations to help the homeless, and then use the money for my own benefit, how is that ok?

If a project embezzles funds that were donated in good faith, people deserve to know so they do not donate again.

I donated 1000 GRC to PrimeGrid back in March 2016 (when they started accepting GRC for donations). I must say it was never mentioned back then that they would buy hardware with that money. Here is their donation webpage from that time. The donation drive for new hardware was started only a few months ago, and their donation page was then updated accordingly.

All said and done, I don't feel that my donation was embezzled in any way. Under conditions specified in March 2016, PrimeGrid admins could have taken it as their salary (normal procedure with SETI@home donations). After that, it's their private property and they can do with it as they like.

So they lent the GRC to another entity then got them back? So there has been a zero net loss of donated GRC? If it ends up going to the same equipment fund, did the donated funds not serve their purpose in the end?

This to me looks like one of the first times known BOINC entities have utilized Gridcoin as a cryptocurrency, and you want to drag them through the dirt for doing so? It doesn't make Gridcoin look that appealing for other BOINC admins.

From the article:

Pomegranate did refund PrimeGrid 3800 GRC (2100 GRC on 28 August 2017 and 1700 GRC on 30 August 2017). One would expect 1200 GRC more for a full refund, and 1200 GRC was indeed sent on 23 August 2017, but not back to PrimeGrid. Instead, those GRC were sent to an address where the GRC was consequently split up, some of which went to the wallet of user Tholo, an investor in Gridcoin. Source.

It was a 76% refund; PrimeGrid didn't get back 1200 GRC.

No, they got millions of core-hours of computing. Tens of millions.

Which you would know IF YOU'D BOTHERED TO ASK US BEFORE ASSUMING THE WORST.

If you guys were journos, you'd be sacked on the spot for this.

This information is public. To date, Pomegranate has earned 743,301 cobblestones on PrimeGrid.

That's about the equivalent of running one GeForce GTX 1070 graphics card on PrimeGrid for one day.

You're doing it again. We contributed to PrimeGrid before GRC even existed at all.

Stop. Assuming. The. Worst. About. People!

How don't you know he bought the GRC off primegrid then donated GRC back once they began earning GRC?

Major assumptions here.

I see a misunderstanding here. @markmcandrew said that we should have contacted him via the official email/phone. @dutch responded that he contacted user 'pomegranate' on our Slack. There is no evidence that these two accounts belong together, nor that the messages actually reached Mark's attention.

I agree that you should have been contacted earlier via official means, but how? They did not know it was you until you responded here.

Also, the accusation that Charity Engine uses this Pomegranate pool is not backed. There is only speculation that Pomegranate pool members use CE software. Also, that software might not be approved by CE; the attacker could just have used CE software as a base.

So please stop getting all angry and explain.

Hey Brod. Actually, Mark confirmed that Pomegranate is CE. With regard to the Slack account being linked to CE, that Slack account tried to claim the commemorative coin. To do so, they proved ownership of the Pomegranate wallet. Therefore, the Pomegranate account on Slack had access to the Pomegranate wallet.

Was this message intended to be a reply to me? I am not angry and unsure what you are asking me to explain.

Hi Tomas,

CE does indeed control the pom account. It wasn't a big secret, just didn't want to scare the community that a grid of over half a million PCs was now involved (since been told it's now PoS instead of PoW anyway, so that no longer matters). If we were bad actors then we'd have just used multiple IDs - and added all our spare capacity too, which we've never done.

The Slack account was created purely to claim that one-off coin thing, on the logic that it WOULD look suspicious if we didn't. It wasn't ever used again.

They admit they got no reply from the Slack account, and that they didn't bother trying phone, email, or any other normal way of contacting a company CEO.

It's a charade.

I got one word for you, mister:

sketchy

I got one for Dutch too. "Libel".