Hacker News new | past | comments | ask | show | jobs | submit login
MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code (wired.com)
416 points by msantos on Sept 22, 2014 | hide | past | web | favorite | 123 comments



There is a lot of confusion in this thread regarding basic concepts of the law.

1. The NJAG is not prosecuting the MIT student(s) (at least not yet). Therefore, this is not similar to the alleged overzealous prosecutors in the Swartz case.

2. A subpoena is a writ compelling testimony or evidence. A subpoena is not synonymous with being a defendant.

3. NJAG served one MIT student with a subpoena to turn over documentation (source code, downloads, users, ect...)for a program which maybe being used by third party websites in a way that violates the rights of NJ residents vis-a-vis unauthorized access to computer systems.

4. It seems there is an issue raised arguing NJAG does not have jurisdiction over the MIT student(s). Personally I would find this analysis the most compelling because it is at the intersection of where facts and law meet.

5. EFF is arguing that complying with the subpoena may violate the students right against self-incrimination. I think this is a losing argument where one's right against self-incrimination is rather limited, generally to information contained within their mind and not typically extended to documentation and records.

6. Though this is not at issue, it would be almost impossible for the MIT student(s) to have committed a crime, as the crime would require intent. It would be nearly impossible to prove the student(s) intended that their code be downloaded by third-party websites for the specific purpose of running on the end users computers without their knowledge. It would be on par with charging a gun manufacturer criminally for intending that their guns be manufactured and sold for the exclusive purpose of committing crimes.


Have you read the subpoena? It's definitely aimed at incriminating the student. I don't disagree with your take on their lack of protection by the 5th amendment, but I think you're just wrong about who they're going after. Excerpts:

3. All documents and correspondence concerning all breaches of security and/or unauthorized access to computers by you.

10. All documents concerning complaints against you...concerning the unauthorized access of computers and/or Bitcoin code.

Items 11 - 14 are also aimed at finding evidence that they've done something wrong.

Source: https://www.eff.org/document/subpoena-jeremy-rubin-dba-tidbi...

Edit: trying to cut down on tone


From "New Jersey's Further Reply," this part caught my eye:

"For example, Mr. Fakhoury's Certification describes how Plaintiff discovered that the Division issued subpoenas to the New Jersey Coded Websites, Plaintiff's state of mind upon discovering this information, and Plaintiff's decision to send an email to its entire list of users."


Regarding 5 & 6, EFF seem to think there is a prosecution being sought against the students.

"The state has already made clear it believes Rubin and Tidbit are in violation of New Jersey's Consumer Fraud Act. The state recently used consumer protection laws to secure a $1 million settlement from a gambling website that turned its users' computers into a botnet to mine for Bitcoins without the users' knowledge. It appears the state suspects Tidbit of something similar here, despite the fact Tidbit's code was only a proof of concept that could not mine for Bitcoins, and despite the fact Tidbit was clearly not planning to develop code that mined without a user's knowledge and consent."

"Some of the interrogatories also suggest that New Jersey believes Rubin and Tidbit are in violation of criminal hacking laws. One interrogatory asks Rubin to provide a list of all instances where Tidbit and websites using the code "accessed consumer computers without express written authorization or accessed consumer computers beyond what was authorized." That language comes from New Jersey's computer fraud act, which, in turn, is modeled after the federal Computer Fraud and Abuse Act. Since the subpoena is clearly demanding Rubin incriminate himself by opening himself to both civil and criminal liability, the privilege against self incrimination applies and he should be given immunity if ordered to comply with the subpoena."

https://www.eff.org/deeplinks/2014/02/eff-challenges-new-jer...


If there is a finding of wrong doing I am sure there will be prosecution, only not against the students, but against the operators of websites using the students code without the knowledge of end users. Again it would be an exercise is futility for the AG to attempt to prove beyond a reasonable doubt that was the intent of the students (unless the students operated third party websites running the Tidbit code without knowledge of the end user).

EFF simply wants immunity. Everything else is posture:

>The state has already made clear it believes Rubin and Tidbit are in violation of New Jersey's Consumer Fraud Act.

If that's what the state believed criminal charges would be filed, not a subpoena issued.

>One interrogatory asks Rubin to provide a list of all instances where Tidbit and websites using the code "accessed consumer computers without express written authorization or accessed consumer computers beyond what was authorized."

Note how the question is not just focused on Tidbit but also 3rd party websites.


So, in your view, is NJ AG incompetent or evil here?

From my vantage point AG is either:

1. Looking to build a case against the students, which in all likelihood appears to a loosing bet (if you apply any common sense to the fact pattern). However, he can always trump up bogus charges, like Ortiz did against Schwartz, and look to settle for something lesser to check off a win on his/her scorecard.

2. Pressuring students to collect information necessary to build a case against a third party without tipping off such third party. If this is the case, it is pure evil and constitutes a gross overreach. There are a handful of other ways to accomplish the same goal without exerting an undue toll on these guys.

Let's remember we are talking about a couple of talented kids from MIT, who could be building the next $1bn business instead of being bogged down by some bogus nonsense. Also, can imagine what sort of financial/emotional/time sink this represents.

Then again, we are talking about the state where Governor makes Sopranos script look like a child play...


"Let's remember we are talking about a couple of talented kids from MIT, who could be building the next $1bn business instead of being bogged down by some bogus nonsense. Also, can imagine what sort of financial/emotional/time sink this represents."

While I agree with your remaining points, them being talented kids from MIT should be irrelevant and so should be their business potential. These are exactly kind of things criminal law and process should be blind to.


Yep, law should apply equally to all (in theory). In practice, prosecutors have great deal of discretion on which cases they decide to pursue with limited resources at their disposal. All I am saying is that there are certainly hardened criminals and corrupt politicians in NJ who deserve those fishing expedition resources far more than a talented MIT hacker (who as it appears didn't commit a crime). I am no law enforcement expert, but Rubin's resume doesn't read like a hardened criminal to me - http://rubin.io/static/portfolio/media/resume.pdf

Really hoping they get in front of a sensible judge who puts a kibosh on this whole nonsense.


As one of the many, many people who interacted with Aaron online before his death and as a Node Knockout judge and was pretty shocked to see this news.

>"There is a lot of confusion in this thread regarding basic concepts of the law."

Just so that we have some idea how to weigh your comments with those of the EFF, could you tell us a little bit about your expertise? Are you a lawyer? Have you worked with this kind of subpoena before?


I am a Florida attorney. In two different instances I have been admitted Pro Hac Vice in the State of New Jersey, and in one of those instances it was a civil case brought by the NJAG office against a corporate client who was alleged to be providing chimney cleaning services without being licensed. In short I have received/reviewed/responded to subpoenas (and other discovery requests) from the very same office.


I agree the jurisdiction issue is an interesting one but the US as a whole has a long history of overreach (eg I know someone who worked in the UK who was issued with a bench warrant for his arrest by a state judge in the US because he worked on a site that "enabled" Americans to gamble online).

I also agree that (5) is an odd argument. From [1]:

> Know this, however: There is no Fifth Amendment privilege to refuse to produce subpoenaed documents on the ground their contents are self-incriminating; courts hold that such information is not "compelled testimony." However, as explained below, there is a crucial corollary: In certain circumstances the act of producing such documents may indeed be entitled to protection under the Fifth Amendment. - See more at: http://www.callawyer.com/Clstory.cfm?eid=920910#sthash.NmnSC...

On the last point, by a strict definition of intent [2], you are probably correct. However, recklessness and negligence can constitute criminal intent.

You can argue that it's not reasonable to hold someone accountable for what someone else does with their program. It's easy to fall into what I call the "engineer's trap" here.

An example is "you can't prove someone else didn't use my Wifi to distribute [pick your poison], therefore you can't find me guilty". While strictly true, the law doesn't work that way. Subjective standards and tests are applied in situations like this. So if law enforcement can show [bad activity] was happening only when you were home, stopped when you went on vacation and happened on many occasions the balance of evidence will suggest you're responsible even if you can't strictly prove it.

So if you designed and distributed a Windows program that was a RATing toolkit that worked with the click of a button and the only real purpose is [illegal stuff] then an argument like "I'm not responsible for what people use this for" will fail before a judge and jury as not being "reasonable".

[1]: http://www.callawyer.com/Clstory.cfm?eid=920910

[2]: http://en.wikipedia.org/wiki/Mens_rea#United_States


That article describes a though experiment that would A. remove an ad, and B. should (but doesn't) trigger a BitCoin miner. It's clearly marketed as an illustration to an idea. I'm failing to see the consumer fraud. Is this like accusing a car-manufacturer of manslaugher because they latest concept-car didn't have seat-belts?

I would like to know if that's selective reporting from Wired, or spectacular fishing from NJ state atorney.

Also, neither the hackathon, nor MIT appear to be in NJ: what is their jurisdiction? Those two issues should be clarified in any basic coverage of the incident: at this point, it is plain bad reporting.


It's been in the news before.

It's spectacular fishing from NJ state attorney, it could in theory violate the law as written if deployed on a website and mined bitcoins without implied consent by the client (but then again I could argue the same for flash ads), but the whole thing took place in MA and as far as anyone is aware only in lab environments in MA as part of the competition. The code could be used maliciously, but wasn't and there is no evidence it ever was, its NJ overreaching, pure and simple.


This is where I am as well, why is the NJ AG in such a snit? I get they may have thought there was crime here, but once they got the facts they should have just gone on about their merry way, especially when the university tells them this. Now they look stupid, they have to know they look stupid, and so what or who is pulling so hard that they are willing to look stupid to fulfill that request. Very very strange.


Could just be sunk cost. They think they wont look stupid if they 'win', so are willing to look a lot more stupid yet in the hope they can do someone for something, as otherwise the whole affair is a huge waste of time and money and they can't have that.


Oh man, overall it would suck, but if NJ won this case... Could you actually sue a company for a resource-intensive ad?


Ads are just the visible parts, so many web pages are bloated with so much invisible tracker/analytics javascript code etc. collecting data to be sold.


As a coder, I was actually shocked to realize just how bad it was when I tried Ghostery. Some pages load more than 10 scripts that are just trackers and analytics. Aside from the performance implications, the amount of data collected on your behalf, on each page, without any mention (implied consent, I spose), is pretty crazy.


Ghostery is great and I use it too, but I would also suggest NoScript if you use Firefox, it blocks a lot more.


And an ad blocker.


I do use an Ad Blocker as well, I just installed Ghostery to better understand what it did (had heard the name, wasn't familiar with the product).


Would it be nice if that stuff also became illegal in NJ?


The article is indeed poor. The actual subpoena and subsequent filings indicate that Tidbit distributed embeddable code in return for an email address and bitcoin wallet, and that New Jersey authorities obtained a copy by the same method. They are concerned that there doesn't appear to be any safeguards against the malicious use of this tool and essentially asked Tidbit to cough up a list of who they had distributed it to.

From New Jersey's point of view, it seems rather as if Tidbit is, or was, in the business of distributing something that could very easily be abused, and whose distribution in NJ is regulated by law - in much the same way that some items in catalogs are marked 'Not for sale in [list of states]' because such items are restricted from sale i those places. For example, I don't think you can sell lock-picking tools to the general public in California, and I imagine that it's illegal to sell ATM skimming devices in many states.


You'll rarely be wrong if you assume that prosecutors are fishing.

On the other hand, you'll also rarely be wrong if you assume Wired fucked up the story.

50/50, flip a coin.


Can I vote for both?


They want source code for a client side javascript miner that they saw on a website. Was their right mouse button broken?


They aren't the brightest people, they think this is some deep web evil hackers and probably think they have some secret code that hacks the DoD or something.


For the benefit of doubt: Javascript is often a compiler target these days.


The EFF has the actual documents in the case posted https://www.eff.org/cases/rubin-v-new-jersey-tidbit

Based on a quick skim, this is the closest NJ comes to making a case: https://www.eff.org/document/nj-attorney-general-response-ef...


It sounds like the NJ AG is saying, "Someone in NJ may have downloaded and run the code written by Tidbit and said code may have done things which are not allowed in NJ, hence Tidbit must provide said code to the NJ AG."

But it doesn't sound like the AG has much evidence (or simply isn't providing such evidence) that anyone in NJ ever actually downloaded or ran the code.

Is this a normal ask for Attorneys General to make in any circumstance regarding software?


There is evidence that the code was present on websites, but, the code was never functional, that is, it never mined bitcoins. Therefore it never breached any laws.

As such, one has to wonder either whether the cyber fraud unit of the state department has basic understanding of programming or whether the state department is willfully taking this action to send some sort of message.


Is intent to break a law good enough? If I buy a gun and try to shoot someone, it's still a crime even if the gun never worked. If someone signed up to receive the code and put it on their website with the intent of mining bitcoins on user's computers (which the NJAG is saying is illegal, I have no idea), is that not also a crime?


Exactly, they have zero evidence it was ran outside the competition. And if they downloaded it and ran it themselves, then they've given express consent, or if someone else ran it on someone else's machine after modifying it significantly to be work and be malicious, they're the ones culpable, not the students.


Since hypothetical person may have hypothetically used Windows as well, the NJ AG should be subpoenaing Microsoft for a complete copy of the source code for Windows 8.1


I feel like this article is a bit one sided. It doesn't ever state NJ's case against the students and draws strong parallels to Aaron Swartz (a hero to many people). A lot of the time these parallels seem to be weak, the student who did this is an MIT student who built a piece of software at a hackathon, this has almost nothing to do with Aaron Swartz's situation except it involves a young programmer and MIT.


> It doesn't ever state NJ's case against the students

That's because NJ literally doesn't have a case against the students -- there have been no charges filed. This is an unconstitutional fishing expedition that I suspect is intended to intimidate and create an atmosphere of fear, not just among Bitcoiners but all tinkerers and hackers (in the MIT/HN sense of the word).


To be fair, they are supposed to collect sufficient evidence of a crime before charging someone. That they haven't charged anyone yet doesn't prove anything. New Jersey, I suppose, has a right to investigate businesses it thinks are defrauding its residents.

But it really feels like there is more to the story. Perhaps someone reused the existing code in malware? Or maybe New Jersey is simply confused.


They sure do have a right, they also have the right to get a warrant if they want to search.


Well, so far that's what the whole case is about: whether the students should have to comply with the subpoena.


Could someone explain the difference between a warrant and a subpoena? I have a feeling the distinction is significant here.


I am not a lawyer, so I have no idea how accurate https://ssd.eff.org/your-computer/govt/subpoenas is, but chances are it's pretty accurate; I would trust the EFF on this sort of thing.



> hackers (in the MIT/HN sense of the word).

As someone at Berkeley who's been to many events at MIT, I feel like the definition of Silicon Valley/West Coast "hacker" is very different from the MIT hacker.


The original term hacker came from the MIT Model Railroad Club. It came from when they "hacked" together some phone switching equipment to control the relays on their model railroad. Someone who used something other than its original intended or imagined purpose for some cool new innovative purpose.

SV/West Coast has largely adopted the same term, albeit in a much looser sense.


MIT "hack" comes from the pranks and unauthorized adventuring that many undergraduates came to enjoy on campus. (eg. http://hacks.mit.edu/Hacks/misc/best_of.html)

Hack was then used by MIT's TMRC of which many members became involved with/helped build the AI-lab. The first third of Hackers (http://www.amazon.com/Hackers-Computer-Revolution-Anniversar...) gives a good perspective on the evolution.


Yes, I've actually read the book, that's why I thought it came originally from the TMRC as one of the many slang terms or jargon they came up with.


Hmm, I think it depends on who is using it out West. There are plenty of MIT-style hackers in CA who describe themselves as such, including many on HN. But you may be partly right, I think that the way it's used among SV entrepreneurs differs a little from the MIT connotation.

But all that is pretty immaterial to the question at hand. Both hacker subcultures are probably intended as the target of intimidation.


The term you're looking for is "white hat" hackers.


Parallel to Aaron Swartz is rather strong, in my view, in that this is also a case of gross prosecutorial overreach.


I think that issue is that running a Bitcoin miner on unsuspecting website visitors' computers would constitute unauthorized access. Much like a miner botnet.


Heh, if that works, guess one could sue Google for putting their analytics on many websites. See, those bastards unauthorizedly run their software on my machine, and it even spies on me, reporting on my browsing habits! /jk


I think there could actually be a case be made that it should require the users consent. Just like the EU has recently mandated that websites have to get the consent of users to use cookies.


Except it's slamming the barn door about a decade after the horse bolted.

The EU cookie case is indeed an excellent parallel - cookies are so thoroughly entrenched into the business models of the web that all that's been accomplished is the more compliant websites throw up a big annoying banner you must dismiss. If you try to hamstring javascript the same way, the shady websites that actually run the stuff you want to worry about will take no notice. And the nice websites will explode with infinite regress trying to figure out how to obtain consent to run their cookie banner javascript...


Yet no website provides you with an add free version first or analytic free version first before asking for your consent. The way EU law is currently implemented by websites assumes consent making the whole exercise completely redundant.


I don't find it redundant; I quite like having a direct link to the cookie policy available when I visit a website for the first time, instead of having to hunt for it. I don't always care about the site's policy on such matters, but dismissing the notices of sites that I don't care about is a minor annoyance at best.


I think with the right pressure from Civil Rights groups they might actually be willing to strengthen those laws further, especially since most of the corporations affected are from the US. Things like mandating that Data stored about you has to be deletable and stored in Europe.


Tidbit inspired me to write my own web-miner, which I open sourced. It's hacked together as I was really just trying to learn how the cryptocoin&mining stuff worked. The mining rate you get with straight javascript is truly abysmal, even with web workers (much worse than the standard cpuminer).

I found a couple examples that do the scrypt part with GPU in browser, but your browser has to support custom shaders, I think (I forget the details), and the version most browsers support doesn't allow this (again, my memory is sketchy about the details).

Anyway Here you go, NJ! https://github.com/borlak/cryptocoin_scrypt_stratum


There is an option in all browsers to disable javascript. That, combined with the fact that you are requesting files from a website (as opposed to them being surreptitiously forced onto your machine) implies consent to execute the code sent to you. Finally, the code made no attempt to go beyond user-granted access limits (in this case the ability to run javascript in the browser, a decision which is entirely under the control of the user).

I cannot see how a fraud or hacking case of any kind could be made here, even if they got the code.


Don't users implicitly consent to a website using their CPU and bandwidth for arbitrary tasks while the website is open, by using a browser that downloads and runs arbitrary JavaScript and allows it to XMLHTTPRequest?

Even if the code in question was being run on a publicly accessible website, was used by a New Jersey consumer, and was fully functional and actually mined Bitcoins (all of those points are disputed by the students' counsel)...The only thing that's being taken by the website operators would be users' CPU cycles and bandwidth. And if the users have implicitly consented to the website's arbitrary use of those resources, how is anyone being harmed?


I think there's an argument for the users having consented to the use of CPU and bandwidth for the purposes of displaying the website. That the website can technically use that allowance for unrelated purposes doesn't imply consent, any more than you'd be giving a parket valet permission to take a ride with your car just because you handed him/her the keys without an express agreement.

In an implied contract, it's the expectations of a "reasonable person" that count.


> for the purposes of displaying the website.

What about analytics tools ?


It's an edge case, I'm not sure. But I'd say it's still part of the website tooling made to improve it, not an unrelated appendix, even if I'd prefer people stopped using them.


This implicit conset is an interesting area, and I'd wager on seeing more cases like the OP.

Last year a a friend and I spent an evening napkin-sketching a service that would piggyback on an existing js platform (ads, analytics, etc) but would do a little "extra" work performing quality of service tests. For example, it could do timed fetching of images from different sites to test promised speeds. So you could know how fast sever X could deliver to a user in Guatamala, when some other client in Guatamala connected to server Y.


What law did they supposedly break?


Was wondering the same thing, the only thing I could find (and its vague) was:

"Officials claimed that Rubin’s project, which allowed people to replace advertisements on websites with Bitcoin mining capabilities, had the potential to breach computer security through unauthorized access and possibly violated the New Jersey Consumer Fraud Act."

http://www.bostonmagazine.com/news/blog/2014/09/22/mit-stude...


Under that definition a lot of things are too dangerous to own. That libc you're packing? You're heading for jail for that, you potential criminal.


the potential to breach computer security through unauthorized access

never mind code, it covers everything from soldering irons to telephones


The purchasing of this product presents a high risk of potential thought-crime.


Being hyperbolic helps the opposition.


It's not hyperbole when it's accurate.


Not if you also laugh and point.


Yeah, by that measure a computer able to compile source code into exec, should be considered weapon of mass destruction given the potential.


Pursuing legal action for the potential to commit a crime under a broad definition is a scary day indeed.


NJ has successfully sued companies that created bitcoin botnets in the past. This is clearly not the same thing, but I guess it's enough to make a court grant a subpoena.

http://www.wired.com/2013/11/e-sports/


The puzzling thing here is that I read the tool as something the user chose to install on his PC so that instead of seeing a bunch of ads, it would remove those ads and mine bitcoins using background processes.

Not sure how they can say they gained "unauthorized access" if the users were willfully installing this on their PC's. I could certainly see a cyber thief using this to run a botnet to mine BTC, but the MIT guys already said it wasn't really ready for prime time. Again, not sure how this makes this software so dangerous.


From what I understand, it's not a user who installs it on their own pc. A website owner installs it on their website, and then visitors to the website mine bitcoins for the owner. I'm not sure how visiting a website implies consent to use their computer to mine bitcoins, but ianal.


Is playing autoplay videos "unauthorized access" too?


They should file a bar complaint against the AG because being an AG gives rise to the potential to abuse laws.


> The state’s attorney general claims Rubin and his classmates violated New Jersey computer crime laws and demanded they hand over source code for their creation and any documentation related to the tool.


> any documentation related to the tool.

Documentation from a hackathon? If anything they should print out their source code on paper and hand it over.


That's too vague, unfortunately.


Apparently running unauthorized JavaScript is now computer fraud.


They pissed off the wrong people. It might not be written down, but the law is there.


That isn't generally what is known as 'law'.


I'm sure they will write it down as they go along.


Too bad all the comments here are just angry and contribute no understanding.

The reason that this could be illegal is because it is using someone's computer in an unauthorized way to mine bitcoins.


I'm not even sure it would be illegal even if you just started using Javascript miners on every page as a condition for viewing the page - with or without notice. I don't think many people would consider it illegal to display an advertisement in a page "without authorization", or run an animated advertisement.

That said, running these things without user consent isn't even the business model - they are specifically talking about allowing users to choose whether they'd like to do bitcoin mining or view ads, and they haven't released the product yet, so, basically the reason it "could be illegal" is because someone could take it and use it contrary to the intent of its creators in such a way that their actions have dubious legality. Should we also arrest all mask manufacturers because someone could wear one when robbing a bank?


Right, and the hammer in my house could be used as a method to gain unauthorized entry to someones house.

The problem here is the word 'unauthorized'. What if the website has an EULA that says something like "By visiting foo.bar.com your computer will be used to mine Bitcoins, if you do not accept this agreement please close this website". Now by most legal definitions I understand it is no longer unauthorized, the TOS authorized such uses.

Next, why should mining Bitcoins be directly illegal in such a manner? Are stupid, slow, annoying flash ads that play music and videos illegal? They are 'programs' that use my computers resources for the end result of generating revenue for the website.


> "The reason that this could be illegal is because it is..."

Stop being dishonest. It isn't and never has.


Wow, thanks for the downvotes. FYI, I'm totally pro-bitcoin and anti-government, just like you, so trying to punish me for having a conflicting opinion is dumb.

I'm simply trying to enlighten people as to what the prosecution's stand is on the issue, not that I agree with them. Just trying to contribute a bit more than "ehrmehgerd evilll!!!11"


"all the comments here", "just angry", "no understanding".

That's why you're being downvoted. Plenty of people present non-majority views without being slammed for it. They happen to do it without being condescending.


This seems insane to me. What law was broken? What could even be considered remotely criminal about this? Seems like a gross over reach by the gov.


Think like the NJ AG, it's not about what law was broken, it's about what law could have been broken.


You can use a hacksaw to: (a) cut a lock that you have permission to cut (b) cut a lock illegally

You can use the code to: (a) legally mine bitcoins on visitors' computers (b) illegally mine bitcoins on visitors' computers

Potential for a law to be broken is a stupid basis for a subpoena.


You unwillingness to base your thought on a broken and stupid basis is preventing you from thinking like the NJ AG.


Unless they can show an actual instance of the software installed on a computer in NJ they have no case whatsoever. The constitutional argument of the EFF is pretty sound.


I'd curious to find out why NJ AG would get so paranoid about this? I couldnt really find a link to their side of the story.

The Natinal Science Foundation did discipline a researcher who did some mining on their computers.


They say that the code could "hijack" a computer like some hackers have "hijacked" some computers to mine bitcoins.

Their concerns aren't completely unfounded in that it is granted it is quite possible to use any piece of code for ill. However, their complete failure to understand that this wasn't a case of "hijacking" computers by black hackers, but a potentially innovative business revenue generating project says to me that the cyber unit of the state department has no understanding whatever of programming. If that is the case, these 19 year olds should be awarded damages so that this reckless behaviour can be discouraged.


It sounds to me like NJ wants to start mining bitcoin. Nothing is sacred when you're running a deficit I guess.


Perhaps most interesting in my reading of the documents provided by the EFF is the correspondence regarding the counter-sue made by Rubin against the NJAG.

In it NJAG lay out exactly what they think Rubin did:

...Plaintiffs development, use and deployment of the Tidbit Code which, by plaintiffs own description, strongly suggests the code was designed to hijack consumer's computers to mine for bitcoins, including the computers of New Jersey consumers. Further, prior to the issuance of the Subpoena and Interrogatories, the Division determined that the Tidbit Code was present and active on the websites of entities located in New Jersey and Plaintiff affirmatively sent the Tidbit Code to the New Jersey based entities.

They posit that the code was

1. Designed to hijack a consumer's computer for the purpose of mining bitcoins

2. The computers targeted for hacking (implicitly the entire internet) include those of New Jersey consumers

3. The code was found on websites owned by New Jersey entities

4. Rubin sent the code "affirmatively" to those New Jersey entities

I think 1. is the weakest point, but that weakness is based on my understanding of the definition of 'hijack'. 2. and 3. seem to follow easily from assumptions, or could be easily shown as fact. 4. seems like it would be harder to prove, but I don't know the implications of the term affirmatively used here.


How is surreptitious use of compute resource any different than the surreptitious accumulation and analysis of data exhaust? If this moves forward to prosecution, I'd argue it will actually open up an avenue of attack against Facebook, Google, et al.


This sounds like some trivial code, not even fully functioning, that was written during a hackathon. Why does New Jersey care?

It wouldn't even make sense as a business model anymore, because asic miners are so much more efficient than GPUs, but I heard many people talking about building this kind of service years ago.

NJ could pay a software developer to write them code to let people generate small amounts of bitcoin in a browser. Why would they possibly want this MIT student's code so badly?


I don't understand how their javascript based miner is feasible.

Mining bitcoins with a CPU is an extremely futile endeavor, and on top of that, it is implemented in asm.js.

Even with thousands of workers, GPU and ASIC mining is anywhere from hundreds to over a MILLION MH/S while modern cpus top out at 20 with most around 5.

https://en.bitcoin.it/wiki/Mining_hardware_comparison


It seems more like a proof of concept, not something meant to be feasible.


Then it seems strange that they would be subpoenaed for something that didn't really do anything.


Yes. That's one reason people are so angered here.


I don't understand how it could be considered consumer fraud or computer fraud and abuse if it was clearly indicated to the visitor that their browser would be used as a BitCoin miner in lieu of being displayed Ads. Assuming they weren't told, I could see the issue but it didn't seem like they were trying to dupe visitors.


Funny how voting machine companies won't release their source code, but MIT must for Bitcoin? Just a thought.


New Jersey's Position is laid out in their 3/7/2014 filing. https://www.eff.org/files/2014/03/07/njs_memo_in_opposition_...

Here's the relevant parts (lightly edited):

The Division issued the Subpoena and Interrogatories in furtherance of its investigation into an entity called Tidbit. Tidbit is a group of students who developed a software code that may have hijacked the computer resources of consumers within the State of New Jersey and improperly accessed and/or used such computer resources to mine for bitcoins for the benefit of Tidbit and its customers and without any notice to, or obtaining consent from, New Jersey consumers, in possible violation of the New Jersey Consumer Fraud Act ("CFA") and Computer Related Offenses Act ("CROA"). Bitcoins are a digital medium of exchange that can be traded on online exchanges for a dollar value. Bitcoins are "mined" through the use of computer resources to solve complex algorithms. Many times, consumers' computer resources are unknowingly accessed by entities through software code or otherwise in order to mine for Bitcoins.

Plaintiff's own description of its services strongly suggests that the code it developed is, in fact, designed to hijack consumer's computers. .... Further, contrary to Plaintiffs allegations in its brief, the Division specifically found Plaintiff's code on the websites of entities located in New Jersey. Furthermore, the Division determined that the code was active.

The following representations, among other things, are made on the Tidbit Website: "Monetize without ads"; "Let your visitors help you mine for Bitcoins;" and "Built on the bleeding edge." The Tidbit Website further provides: "How does it work? ... [1] Make an account - Sign up with your Bitcoin wallet ... [2] Paste the code - we'll give you a snippet to put in your website ... [3] Cash Out! - We'll send a transaction to your Bitcoin wallet." ...

E. The Division's Undercover Investigation

On February 7,2014, the Division re-accessed the Tidbit Website and "Sign up" button. While on the Tidbit 'Website, the Division submitted Sign-up Information to Tidbit using an undercover e-mail address and an undercover bitcoin wallet id. In response to receiving the Division's undercover Sign-up information, Tidbit sent the Tidbit Code to the Division's investigator via a confirmation page on the Tidbit website ("Confirmation Page"). The Tidbit Code that the Division received includes the Division's undercover bitcoin wallet id. Additionally, among other things, the Confirmation Page states: "Your embed code - Paste this at the bottom of your HTML page, and your visitors will start mining Bitcoins for you!" (emphasis in original).)


tl;dr: NJ thinks the tidbit code hijacks computers for a bitcoin-mining bot-net.


they need to bring in a couple of seasoned enterprise developers who can hand off any project in such a state that it would be easy to rewrite it from scratch than to even just successfully build it, less run/debug/understand...


HACKERS!!! WONT SOMEONE PLEASE THINK OF THE CHILDREN!!!?


LAWYERS! WON"T SOMEONE PLEASE THINK OF THE STARTUPS!?

...etc.

I see your point but few of the comments here are responsive to any of the legal issues, and indeed the EFF's briefs are not (IMHO) very responsive to NJ AG's legal arguments, offering some quite fallacious arguments in rebuttal.


They could just, you know, give it to them?


Cause, you know, they can't do "View Page Source".


We're lucky to have an organization like the EFF that fights this nonsense. It's a good time to support their work.

https://supporters.eff.org/donate


Additionally if you're in the US and use Amazon at all you can donate for "free" (via orders to Amazon) by just using:

https://smile.Amazon.com

And selecting the EFF as your charity of choice. Note that only orders made via smile.amazon.com are counted, not orders made on normal amazon.com.

How this works: On normal Amazon.com third parties can earn referer fees if you click on an ad to Amazon and purchase something. With smile.amazon.com referer fees don't exist, and the money is instead given to the chosen charities.

Note: As far as I know this isn't tax deductible from your perspective since Amazon themselves are the ones doing the "donating." You're just ordering something like you normally would (which might be tax deductible in its own right, but not as a charitable contribution).

This has no real downsides to users except remembering to use smile.amazon.com instead of amazon.com(!).


There's actually a nice Chrome extension that will automatically redirect you to the smile subdomain every time you visit Amazon.

https://chrome.google.com/webstore/detail/smile-always/jgpmh...



> It's a good time to support their work.

To add to this: The EFF works tirelessly to protect rights online. It's always a good time to support them.


Is there another website other than wired with this article?


As mentioned elsewhere on this page: https://www.eff.org/cases/rubin-v-new-jersey-tidbit


Fuck New Jersey.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: