
MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code - msantos
http://www.wired.com/2014/09/mit-students-face-aggressive-subpoena-demanding-source-code-bitcoin-mining-tool/
======
will_brown
There is a lot of confusion in this thread regarding basic concepts of the
law.

1\. The NJAG is not prosecuting the MIT student(s) (at least not yet).
Therefore, this is not similar to the alleged overzealous prosecutors in the
Swartz case.

2\. A subpoena is a writ compelling testimony or evidence. A subpoena is not
synonymous with being a defendant.

3\. NJAG served one MIT student with a subpoena to turn over documentation
(source code, downloads, users, etc...) for a program which may be being used by
third party websites in a way that violates the rights of NJ residents
vis-a-vis unauthorized access to computer systems.

4\. It seems there is an issue raised arguing NJAG does not have jurisdiction
over the MIT student(s). Personally I would find this analysis the most
compelling because it is at the intersection of where facts and law meet.

5\. EFF is arguing that complying with the subpoena may violate the student's
right against self-incrimination. I think this is a losing argument where
one's right against self-incrimination is rather limited, generally to
information contained within their mind and not typically extended to
documentation and records.

6\. Though this is not at issue, it would be almost impossible for the MIT
student(s) to have committed a crime, as the crime would require intent. It
would be nearly impossible to prove the student(s) _intended that their code
be downloaded by third-party websites for the specific purpose of running on
the end users' computers without their knowledge_. It would be on par with
charging a gun manufacturer criminally for intending that their guns be
manufactured and sold for the exclusive purpose of committing crimes.

~~~
icambron
Have you read the subpoena? It's definitely aimed at incriminating the
student. I don't disagree with your take on their lack of protection by the
5th amendment, but I think you're just wrong about who they're going after.
Excerpts:

3\. All documents and correspondence concerning all breaches of security
and/or unauthorized access to computers by you.

10\. All documents concerning complaints against you...concerning the
unauthorized access of computers and/or Bitcoin code.

Items 11 - 14 are also aimed at finding evidence that they've done something
wrong.

Source: [https://www.eff.org/document/subpoena-jeremy-rubin-dba-tidbi...](https://www.eff.org/document/subpoena-jeremy-rubin-dba-tidbit)

Edit: trying to cut down on tone

~~~
akira2501
From "New Jersey's Further Reply," this part caught my eye:

"For example, Mr. Fakhoury's Certification describes how Plaintiff discovered
that the Division issued subpoenas to the New Jersey Coded Websites,
Plaintiff's state of mind upon discovering this information, and Plaintiff's
decision to send an email to its entire list of users."

------
bertil
That article describes a thought experiment that would A. remove an ad, and B.
should (but doesn't) trigger a BitCoin miner. It's clearly marketed as an
illustration to an idea. I'm failing to see the consumer fraud. Is this like
accusing a car-manufacturer of manslaughter because their latest concept-car
didn't have seat-belts?

I would like to know if that's selective reporting from Wired, or spectacular
fishing from NJ state attorney.

Also, neither the hackathon, nor MIT appear to be in NJ: what is their
jurisdiction? Those two issues should be clarified in any basic coverage of
the incident: at this point, it is plain bad reporting.

~~~
surge
It's been in the news before.

It's spectacular fishing from NJ state attorney, it could in theory violate
the law as written if deployed on a website and mined bitcoins without implied
consent by the client (but then again I could argue the same for flash ads),
but the whole thing took place in MA and as far as anyone is aware only in lab
environments in MA as part of the competition. The code could be used
maliciously, but wasn't and there is no evidence it ever was, it's NJ
overreaching, pure and simple.

~~~
ChuckMcM
This is where I am as well, why is the NJ AG in such a snit? I get they may
have _thought_ there was crime here, but once they got the facts they should
have just gone on about their merry way, especially when the university tells
them this. Now they look stupid, they have to know they look stupid, and so
what or who is pulling so hard that they are willing to look stupid to fulfill
that request. Very very strange.

~~~
lotsofmangos
Could just be sunk cost. They think they won't look stupid if they 'win', so
are willing to look a lot more stupid yet in the hope they can do someone for
something, as otherwise the whole affair is a huge waste of time and money and
they can't have that.

------
lotsofmangos
They want source code for a client side javascript miner that they saw on a
website. Was their right mouse button broken?

~~~
surge
They aren't the brightest people, they think this is some deep web evil
hackers and probably think they have some secret code that hacks the DoD or
something.

------
eli
The EFF has the actual documents in the case posted
[https://www.eff.org/cases/rubin-v-new-jersey-tidbit](https://www.eff.org/cases/rubin-v-new-jersey-tidbit)

Based on a quick skim, this is the closest NJ comes to making a case:
[https://www.eff.org/document/nj-attorney-general-response-ef...](https://www.eff.org/document/nj-attorney-general-response-eff-letter)

~~~
bradfa
It sounds like the NJ AG is saying, "Someone in NJ may have downloaded and run
the code written by Tidbit and said code may have done things which are not
allowed in NJ, hence Tidbit must provide said code to the NJ AG."

But it doesn't sound like the AG has much evidence (or simply isn't providing
such evidence) that anyone in NJ ever actually downloaded or ran the code.

Is this a normal ask for Attorneys General to make in any circumstance
regarding software?

~~~
Andrew_Quentin
There is evidence that the code was present on websites, but, the code was
never functional, that is, it never mined bitcoins. Therefore it never
breached any laws.

As such, one has to wonder either whether the cyber fraud unit of the state
department has basic understanding of programming or whether the state
department is willfully taking this action to send some sort of message.

~~~
npizzolato
Is intent to break a law good enough? If I buy a gun and try to shoot someone,
it's still a crime even if the gun never worked. If someone signed up to
receive the code and put it on their website with the intent of mining
bitcoins on users' computers (which the NJAG is saying is illegal, I have no
idea), is that not also a crime?

------
JacobEdelman
I feel like this article is a bit one sided. It doesn't ever state NJ's case
against the students and draws strong parallels to Aaron Swartz (a hero to
many people). A lot of the time these parallels seem to be weak, the student
who did this is an MIT student who built a piece of software at a hackathon,
this has almost nothing to do with Aaron Swartz's situation except it involves
a young programmer and MIT.

~~~
jnbiche
> It doesn't ever state NJ's case against the students

That's because NJ literally doesn't have a case against the students -- there
have been no charges filed. This is an unconstitutional fishing expedition
that I suspect is intended to intimidate and create an atmosphere of fear, not
just among Bitcoiners but all tinkerers and hackers (in the MIT/HN sense of
the word).

~~~
jychang
> hackers (in the MIT/HN sense of the word).

As someone at Berkeley who's been to many events at MIT, I feel like the
definition of Silicon Valley/West Coast "hacker" is very different from the
MIT hacker.

~~~
surge
The original term hacker came from the MIT Model Railroad Club. It came from
when they "hacked" together some phone switching equipment to control the
relays on their model railroad. Someone who used something other than its
original intended or imagined purpose for some cool new innovative purpose.

SV/West Coast has largely adopted the same term, albeit in a much looser
sense.

~~~
nsrango
MIT "hack" comes from the pranks and unauthorized adventuring that many
undergraduates came to enjoy on campus. (eg.
[http://hacks.mit.edu/Hacks/misc/best_of.html](http://hacks.mit.edu/Hacks/misc/best_of.html))

Hack was then used by MIT's TMRC of which many members became involved
with/helped build the AI-lab. The first third of Hackers
([http://www.amazon.com/Hackers-Computer-Revolution-Anniversar...](http://www.amazon.com/Hackers-Computer-Revolution-Anniversary-Edition/dp/1449388396))
gives a good perspective on the evolution.

~~~
surge
Yes, I've actually read the book, that's why I thought it came originally from
the TMRC as one of the many slang terms or jargon they came up with.

------
borlak
Tidbit inspired me to write my own web-miner, which I open sourced. It's
hacked together as I was really just trying to learn how the cryptocoin&mining
stuff worked. The mining rate you get with straight javascript is truly
abysmal, even with web workers (much worse than the standard cpuminer).

I found a couple examples that do the scrypt part with GPU in browser, but
your browser has to support custom shaders, I think (I forget the details),
and the version most browsers support doesn't allow this (again, my memory is
sketchy about the details).

Anyway, here you go, NJ!
[https://github.com/borlak/cryptocoin_scrypt_stratum](https://github.com/borlak/cryptocoin_scrypt_stratum)

------
downandout
There is an option in all browsers to disable javascript. That, combined with
the fact that you are _requesting_ files from a website (as opposed to them
being surreptitiously forced onto your machine) implies consent to execute the
code sent to you. Finally, the code made no attempt to go beyond user-granted
access limits (in this case the ability to run javascript in the browser, a
decision which is entirely under the control of the user).

I cannot see how a fraud or hacking case of any kind could be made here, even
if they got the code.

------
csense
Don't users implicitly consent to a website using their CPU and bandwidth for
arbitrary tasks while the website is open, by using a browser that downloads
and runs arbitrary JavaScript and allows it to XMLHTTPRequest?

Even if the code in question was being run on a publicly accessible website,
was used by a New Jersey consumer, and was fully functional and actually mined
Bitcoins (all of those points are disputed by the students' counsel)...The
only thing that's being taken by the website operators would be users' CPU
cycles and bandwidth. And if the users have implicitly consented to the
website's arbitrary use of those resources, how is anyone being harmed?

~~~
icebraining
I think there's an argument for the users having consented to the use of CPU
and bandwidth _for the purposes of displaying the website_. That the website
can technically use that allowance for unrelated purposes doesn't imply
consent, any more than you'd be giving a parking valet permission to take a
ride with your car just because you handed him/her the keys without an express
agreement.

In an implied contract, it's the expectations of a "reasonable person" that
count.

~~~
malka
> for the purposes of displaying the website.

What about analytics tools?

~~~
icebraining
It's an edge case, I'm not sure. But I'd say it's still part of the website
tooling made to improve it, not an unrelated appendix, even if I'd prefer
people stopped using them.

------
tgb
What law did they supposedly break?

~~~
acomjean
Was wondering the same thing, the only thing I could find (and it's vague) was:

"Officials claimed that Rubin’s project, which allowed people to replace
advertisements on websites with Bitcoin mining capabilities, had the potential
to breach computer security through unauthorized access and possibly violated
the New Jersey Consumer Fraud Act."

[http://www.bostonmagazine.com/news/blog/2014/09/22/mit-stude...](http://www.bostonmagazine.com/news/blog/2014/09/22/mit-students-head-court-bitcoin-hackathon-project/)

~~~
nwh
Under that definition a lot of things are too dangerous to own. That libc
you're packing? You're heading for jail for that, you potential criminal.

~~~
lotsofmangos
_the potential to breach computer security through unauthorized access_

never mind code, it covers everything from soldering irons to telephones

~~~
nwh
The purchasing of this product presents a high risk of potential
thought-crime.

~~~
happyscrappy
Being hyperbolic helps the opposition.

~~~
RickHull
It's not hyperbole when it's accurate.

------
joshdance
This seems insane to me. What law was broken? What could even be considered
remotely criminal about this? Seems like a gross overreach by the gov.

~~~
seanflyon
Think like the NJ AG, it's not about what law was broken, it's about what law
could have been broken.

~~~
cowsandmilk
You can use a hacksaw to: (a) cut a lock that you have permission to cut (b)
cut a lock illegally

You can use the code to: (a) legally mine bitcoins on visitors' computers (b)
illegally mine bitcoins on visitors' computers

Potential for a law to be broken is a stupid basis for a subpoena.

~~~
seanflyon
Your unwillingness to base your thought on a broken and stupid basis is
preventing you from thinking like the NJ AG.

------
peter303
I'd be curious to find out why NJ AG would get so paranoid about this? I couldn't
really find a link to their side of the story.

The National Science Foundation did discipline a researcher who did some mining
on their computers.

~~~
Andrew_Quentin
They say that the code could "hijack" a computer like some hackers have
"hijacked" some computers to mine bitcoins.

Their concerns aren't completely unfounded in that it is granted it is quite
possible to use any piece of code for ill. However, their complete failure to
understand that this wasn't a case of "hijacking" computers by black hackers,
but a potentially innovative business revenue generating project says to me
that the cyber unit of the state department has no understanding whatever of
programming. If that is the case, these 19 year olds should be awarded damages
so that this reckless behaviour can be discouraged.

------
squozzer
It sounds to me like NJ wants to start mining bitcoin. Nothing is sacred when
you're running a deficit I guess.

------
Cogito
Perhaps most interesting in my reading of the documents provided by the EFF is
the correspondence regarding the countersuit made by Rubin against the NJAG.

In it NJAG lay out exactly what they think Rubin did:

_...Plaintiff's development, use and deployment of the Tidbit Code which, by
plaintiff's own description, strongly suggests the code was designed to hijack
consumer's computers to mine for bitcoins, including the computers of New
Jersey consumers. Further, prior to the issuance of the Subpoena and
Interrogatories, the Division determined that the Tidbit Code was present and
active on the websites of entities located in New Jersey and Plaintiff
affirmatively sent the Tidbit Code to the New Jersey based entities._

They posit that the code was

1\. Designed to hijack a consumer's computer for the purpose of mining
bitcoins

2\. The computers targeted for hacking (implicitly the entire internet)
include those of New Jersey consumers

3\. The code was found on websites owned by New Jersey entities

4\. Rubin sent the code "affirmatively" to those New Jersey entities

I think 1. is the weakest point, but that weakness is based on my
understanding of the definition of 'hijack'. 2. and 3. seem to follow easily
from assumptions, or could be easily shown as fact. 4. seems like it would be
harder to prove, but I don't know the implications of the term affirmatively
used here.

------
javajosh
How is surreptitious use of compute resource any different than the
surreptitious accumulation and analysis of data exhaust? If this moves forward
to prosecution, I'd argue it will actually open up an avenue of attack against
Facebook, Google, et al.

------
everettForth
This sounds like some trivial code, not even fully functioning, that was
written during a hackathon. Why does New Jersey care?

It wouldn't even make sense as a business model anymore, because asic miners
are so much more efficient than GPUs, but I heard many people talking about
building this kind of service years ago.

NJ could pay a software developer to write them code to let people generate
small amounts of bitcoin in a browser. Why would they possibly want this MIT
student's code so badly?

------
codexon
I don't understand how their javascript based miner is feasible.

Mining bitcoins with a CPU is an extremely futile endeavor, and on top of
that, it is implemented in asm.js.

Even with thousands of workers, GPU and ASIC mining is anywhere from hundreds
to over a MILLION MH/S while modern cpus top out at 20 with most around 5.

[https://en.bitcoin.it/wiki/Mining_hardware_comparison](https://en.bitcoin.it/wiki/Mining_hardware_comparison)

~~~
eru
It seems more like a proof of concept, not something meant to be feasible.

~~~
codexon
Then it seems strange that they would be subpoenaed for something that didn't
really do anything.

~~~
eru
Yes. That's one reason people are so angered here.

------
larssorenson
I don't understand how it could be considered consumer fraud or computer fraud
and abuse if it was clearly indicated to the visitor that their browser would
be used as a BitCoin miner in lieu of being displayed Ads. Assuming they
weren't told, I could see the issue but it didn't seem like they were trying
to dupe visitors.

------
chris_wot
Funny how voting machine companies won't release their source code, but MIT
must for Bitcoin? Just a thought.

------
teachingaway
New Jersey's Position is laid out in their 3/7/2014 filing.
[https://www.eff.org/files/2014/03/07/njs_memo_in_opposition_...](https://www.eff.org/files/2014/03/07/njs_memo_in_opposition_to_motion_to_quash.pdf)

Here's the relevant parts (lightly edited):

The Division issued the Subpoena and Interrogatories in furtherance of its
investigation into an entity called Tidbit. Tidbit is a group of students who
developed a software code that may have hijacked the computer resources of
consumers within the State of New Jersey and improperly accessed and/or used
such computer resources to mine for bitcoins for the benefit of Tidbit and its
customers and without any notice to, or obtaining consent from, New Jersey
consumers, in possible violation of the New Jersey Consumer Fraud Act ("CFA")
and Computer Related Offenses Act ("CROA"). Bitcoins are a digital medium of
exchange that can be traded on online exchanges for a dollar value. Bitcoins
are "mined" through the use of computer resources to solve complex algorithms.
Many times, consumers' computer resources are unknowingly accessed by entities
through software code or otherwise in order to mine for Bitcoins.

Plaintiff's own description of its services strongly suggests that the code it
developed is, in fact, designed to hijack consumer's computers. .... Further,
contrary to Plaintiff's allegations in its brief, the Division specifically
found Plaintiff's code on the websites of entities located in New Jersey.
Furthermore, the Division determined that the code was active.

The following representations, among other things, are made on the Tidbit
Website: "Monetize without ads"; "Let your visitors help you mine for
Bitcoins;" and "Built on the bleeding edge." The Tidbit Website further
provides: "How does it work? ... [1] Make an account - Sign up with your
Bitcoin wallet ... [2] Paste the code - we'll give you a snippet to put in
your website ... [3] Cash Out! - We'll send a transaction to your Bitcoin
wallet." ...

E. The Division's Undercover Investigation

On February 7, 2014, the Division re-accessed the Tidbit Website and "Sign up"
button. While on the Tidbit Website, the Division submitted Sign-up
Information to Tidbit using an undercover e-mail address and an undercover
bitcoin wallet id. In response to receiving the Division's undercover Sign-up
information, Tidbit sent the Tidbit Code to the Division's investigator via a
confirmation page on the Tidbit website ("Confirmation Page"). The Tidbit Code
that the Division received includes the Division's undercover bitcoin wallet
id. Additionally, among other things, the Confirmation Page states: "_Your
embed code_ - Paste this at the bottom of your HTML page, and your visitors
will start mining Bitcoins for you!" (emphasis in original).

~~~
teachingaway
tl;dr: NJ thinks the tidbit code hijacks computers for a bitcoin-mining
bot-net.

------
trhway
They need to bring in a couple of seasoned enterprise developers who can hand
off any project in such a state that it would be easier to rewrite it from
scratch than to even just successfully build it, less run/debug/understand...

------
ndesaulniers
HACKERS!!! WONT SOMEONE PLEASE THINK OF THE CHILDREN!!!?

~~~
anigbrowl
LAWYERS! WON'T SOMEONE PLEASE THINK OF THE STARTUPS!?

...etc.

I see your point but few of the comments here are responsive to any of the
legal issues, and indeed the EFF's briefs are not (IMHO) very responsive to NJ
AG's legal arguments, offering some quite fallacious arguments in rebuttal.

------
u124556
They could just, you know, give it to them?

~~~
russum
Cause, you know, they can't do "View Page Source".

------
joshfraser
We're lucky to have an organization like the EFF that fights this nonsense.
It's a good time to support their work.

[https://supporters.eff.org/donate](https://supporters.eff.org/donate)

~~~
Someone1234
Additionally if you're in the US and use Amazon at all you can donate for
"free" (via orders to Amazon) by just using:

[https://smile.Amazon.com](https://smile.Amazon.com)

And selecting the EFF as your charity of choice. Note that only orders made
via smile.amazon.com are counted, not orders made on normal amazon.com.

How this works: On normal Amazon.com third parties can earn referrer fees if
you click on an ad to Amazon and purchase something. With smile.amazon.com
referrer fees don't exist, and the money is instead given to the chosen
charities.

Note: As far as I know this isn't tax deductible from your perspective since
Amazon themselves are the ones doing the "donating." You're just ordering
something like you normally would (which might be tax deductible in its own
right, but not as a charitable contribution).

This has no real downsides to users except remembering to use smile.amazon.com
instead of amazon.com(!).

~~~
joshfraser
There's actually a nice Chrome extension that will automatically redirect you
to the smile subdomain every time you visit Amazon.

[https://chrome.google.com/webstore/detail/smile-always/jgpmh...](https://chrome.google.com/webstore/detail/smile-always/jgpmhnmjbhgkhpbgelalfpplebgfjmbf)

~~~
oftenwrong
Similar extension for firefox:

[https://addons.mozilla.org/en-US/firefox/addon/amazonsmilere...](https://addons.mozilla.org/en-US/firefox/addon/amazonsmileredirector/?src=search)

------
Thesaurus
Is there another website other than wired with this article?

~~~
daveloyall
As mentioned elsewhere on this page: [https://www.eff.org/cases/rubin-v-new-jersey-tidbit](https://www.eff.org/cases/rubin-v-new-jersey-tidbit)

------
stealthlogic
Fuck New Jersey.

