Are people trying to do crypto mining on Glitch?

It’s happening on other services that provide compute power.

We’re affected in at least these ways:

  • Low project container CPU quota. This must be at least part of the reason why the CPU quota is so low. A higher quota would get chewed up by miners and leave less for other projects. But with the low quota, everything non-mining we do is slow.
  • A project that I invested a lot of time into now can’t be hosted on Glitch because a piece of data received over the network (never executed, to be clear) had contained a word that triggers Glitch’s crypto miner detection. Staff said this scenario is rare though, in comparison to true positive detections.

This is something I want to talk to the community and the Glitch team about. Here are some questions to start us off.

  1. How prevalent is this kind of abuse on Glitch currently?
  2. What’s the situation of the arms race between detecting this abuse and concealment/evasion?
  3. What guidance is there for projects that deal with non-executable data from external sources such as user-generated content?
  4. General sentiment, do you think any service that provides compute will survive this?
  5. Philosophically, is it a good thing to be exploring how to do things on Glitch other than write pure Node.js code from scratch in a web based editor? Findings might end up making it easier for greedy users to mine.
6 Likes

I would doubt it. On Glitch, it seems really easy to detect abuse. Since apps will get auto suspended for going over the node_modules storage limit, I can’t see why there wouldn’t be a similar system in place for CPU.

Also, like you said, Glitch containers are given so few resources that it would be pointless to mine. The CI servers likely had a lot of available resources and were executing multiple projects in one VM.

DigitalOcean will auto delete any VPS that runs at 100% CPU for a while, and I’ll assume other cloud providers deal with abuse in similar ways.

4 Likes

  1. I’m not sure, but projects do seem slower.
  2. I think it’s hard to know for sure if a project is cryptocurrency mining. And it leads to a whole category of problems to deal with on Glitch.
  3. Not sure.
  4. I think all services will have a problem of sorts. But you could apply the same thing with ban evaders.
  5. If you are referring to having languages other than Node.js and some HTML, CSS, JS, it will make it easier for miners to abuse Glitch for this. But at the same time, it’s nice to be able to write and run C++ if that’s your preference.
1 Like

I think as things are now, there are too many things that hit 100% of the CPU quota. Because the quota is so low, things like installing native Node.js modules hit 100% and stay there for some time, because they take so long to finish.

I’ve heard that Amazon offers “burstable” instances that can use a lot of CPU for a while, then they get throttled. If they go idle, it kind of recharges. That seems more sane than outright deleting a VPS :sweat_smile: . I’m glad Glitch doesn’t go down the DigitalOcean route!

Good point about observing project performance. I’ve consistently been able to get a quota of 0.25 CPU cores, so it seems like these servers aren’t being overcrowded by miners.

When I first signed up for Glitch, I used to be of the opinion that “it’s bad to do this;” “it distracts the team from their own vision;” and “bad time investment because they’ll soon lock it out.” It took a long time of viewing the community and the moderators’ positive attitude for me to come around on this. “It makes Glitch more useful and accessible;” “the team doesn’t mind, they just don’t have the time to do it themselves;” and ultimately “it’s good to do this.”

Since then I’ve done several projects to this end. It’s been fun.

4 Likes

  1. Actually, for the same reason bad Tor nodes can steal crypto, we can check for crypto transactions. Also, miners typically connect to a mining pool, so using the same method used to block GitLab we can block the well-known mining pools.

btw, our one and only RiversideRocks has done a lot of investigation into this

Another way to fingerprint cryptominers is to make a list of cryptominer executable/file hashes and every once in a while check the running processes.

5 Likes
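The two checks described in the post above, as an added example that is not Glitch’s own tooling: hashing the executable behind each running process against a list of known miner hashes, and decoding `/proc/net/tcp` to spot established connections to known pool endpoints. The hash set, the pool address (a TEST-NET address) and the `/proc/net/tcp` sample are all constructed placeholders.

```python
import hashlib
import os
import socket
import struct

# Constructed placeholders; a real deployment would load these from a curated feed.
KNOWN_MINER_SHA256 = {"0" * 64}
KNOWN_POOL_ENDPOINTS = {("203.0.113.10", 3333)}
ESTABLISHED = 0x01  # TCP state code as printed in /proc/net/tcp


def _decode_endpoint(hexaddr):
    """'0A7100CB:0D05' -> ('203.0.113.10', 3333). The IPv4 part is a host-order
    (little-endian on x86) 32-bit value in hex; the port is plain hex."""
    addr, port = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr, 16)))
    return ip, int(port, 16)


def parse_proc_net_tcp(text):
    """Return (local, remote, state) triples from /proc/net/tcp content."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        conns.append((_decode_endpoint(fields[1]),
                      _decode_endpoint(fields[2]), int(fields[3], 16)))
    return conns


def pool_connections(text, pools=KNOWN_POOL_ENDPOINTS):
    """Remote endpoints of established connections that match a known pool."""
    return [remote for _, remote, state in parse_proc_net_tcp(text)
            if state == ESTABLISHED and remote in pools]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def flagged_processes(proc_root="/proc", hashes=KNOWN_MINER_SHA256):
    """Hash the binary behind every /proc/<pid>/exe; return (pid, digest) hits."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            digest = sha256_file(os.path.realpath(os.path.join(proc_root, pid, "exe")))
        except OSError:
            continue  # kernel threads, exited or unreadable processes
        if digest in hashes:
            hits.append((int(pid), digest))
    return hits


# Constructed sample: a local listener on 127.0.0.1:8080 and one established
# connection from 10.0.2.15:50000 to the placeholder pool 203.0.113.10:3333.
SAMPLE_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1
   1: 0F02000A:C350 0A7100CB:0D05 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1
"""
```

Run both checks periodically from a host-level agent, not from inside the project container, since a miner can tamper with anything running alongside it.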

First off, thanks for starting this thread, it’s an important conversation for not only developers and platforms to have, but also cryptocurrency enthusiasts. I have soooo many thoughts!

Before anyone starts panicking or speculating, I want to make it very clear that Glitch does not have any plans to get rid of our free tier. And I honestly couldn’t see a scenario for us that would warrant such a dramatic change given how it benefits our community and also our business. And that’s not a jab at the companies ending their free tiers - we are very different from a CI in both service, business, and user base.

That being said, yes, people definitely try to do crypto mining on Glitch! Over the past few years it’s become an expected problem for virtually every platform that provides compute, joining the likes of spamming and phishing. It’s hard to say how prevalent the abuse is, though. My hypothesis is that Glitch is probably not nearly as attractive in its offerings (especially after we started banning pinging to keep projects awake, a necessity for miners) as, say, VPS or even shared hosting services.

It’s extremely rare that such false-positive suspension scenarios like yours happen, but that’s not to say we are happy about it happening. We also don’t find spam and phishing to be acceptable, but it definitely happens and we use a significant amount of our resources to combat it. And mining’s not a new problem; some of the tools we use to address it have been in place back before we were even called Glitch. But the cryptocurrency scene has dramatically grown since then and I think that’s why the developer community is starting to see the effects of this abuse.

Now, do I think any service that provides compute will survive this? For sure they will, just like we all exist despite the multi-billion dollar phishing and spamming industries. We’ll just need to invest more resources to combat it and adapt to the tactics that platform abusers do, and for many companies that means scaling down or getting rid of free tiers (again, Glitch does not have plans for this). The miners, just like the spammers and phishers, will get more and more sophisticated - I have to admit that attacking CIs is quite clever and illustrates what a complex problem this all is.

I would love to see cryptocurrency enthusiasts do the work on speaking out against this abuse, even if it appears to benefit them more otherwise. If its community wants wider adoption, it needs to come in way less hot with all these vectors of abuse imho!

10 Likes

Just wondering @jenn, how common are browser based miners in projects?

1 Like

This probably isn’t relevant, but I’ve scrolled down repl.it and found a lot of browser-based crypto miners.

2 Likes

One example I’ve seen of a browser-based coin is webdollar.io, but ofc browser mining isn’t relevant since it’s not like you’re using their servers for mining, you’re using your device.

2 Likes

yeah, but it still breaks their TOS

2 Likes

I don’t think they’re as common, although we’ve come across some. I have a feeling we (as in those who are connected to the Web) will see an increase of folks running client-side miners in lieu of traditional advertising, which is fine so long as users are told and given the opportunity to consent to being a part of such a transaction.

4 Likes

If people started running client-side miners, then isn’t there a danger that somebody who isn’t aware that crypto mining is against the TOS might think it’s fine to do so?

2 Likes

If someone does something that’s against the TOS thinking it’s fine, we just tell them that it’s not fine and often they apologize and move on. Cryptocurrency and the actions all around it are new and everyone’s still learning what’s okay or bad. I don’t necessarily consider client-side mining that makes it clear that’s what it’s doing to the user (so they can opt out) as particularly malicious.

5 Likes