The fake browser update scam gets a makeover (krebsonsecurity.com)
242 points by feross on Oct 18, 2023 | 190 comments


So the attack goes: 1) compromise some site to serve arbitrary JS 2) have it serve simple JS that requests other JS that contains the real malicious payload.

And the reason for this two-step architecture is to make it convenient to change the real payload.

And the problem is where to host the real payload. The first idea was Cloudflare, but Cloudflare keeps taking that sort of thing down. So now they host it "on the blockchain" which means it "can’t be blocked".

What I don't understand is who is actually serving the HTTP call that effectively proxies the data from the blockchain. It seems like they (like Cloudflare, or a regular hosting service) are opening themselves up to all sorts of risks by serving arbitrary content.


According to the following blog post, it uses a web API exposed by the Binance Smart Chain (BSC) platform: https://labs.guard.io/etherhiding-hiding-web2-malicious-code...

This diagram shows the full flow of the attack: https://miro.medium.com/v2/resize:fit:1400/format:webp/1*by4...

Because reads from blockchain are "free" (meaning, there is no cryptocurrency payment required to read data from the smart contracts on BSC), this is effectively free storage/hosting for the attacker.

The malicious code is served by BSC web API. According to the Krebs article, BSC "is aware of the malware abusing its blockchain, and is actively addressing the issue." I am not clear if they are taking this situation Very Seriously(TM), but I assume they are.


lol

> In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts.

Earlier in the article it said

> Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted ‘on-chain’ without the ability for a takedown... “So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces,” Tal said.

Make up your mind...

It's not robust since you have to use an API (i.e. Binance API) to access the blockchain from a compromised website, then Binance can effectively "take it down" by blocking access via the API.

Now if they made the compromised website talk directly to the node on the blockchain network that would be different. Except, why not just host the malware on the website in the first place...


Anybody can spin up a mirror node, even on the mostly centralized BSC. This is just a misunderstanding.

Every public blockchain works this way afaik. I've even made a site for hosting webpages on Optimism: https://newgeocities.com

The real discussion imo is that blockchain node operators should be pressured to respond to concerns about unwanted content. There's no reason they can't coordinate on filters in the same way Ethereum validators use Flashbots to ignore Tornado Cash transactions. Although I hope they can find a better solution than blocking entire contracts because it's really nice to write a simple contract for data storage. Remember: a contract is a protocol, not a program. The validators follow the instructions but it's more like a database schema to which people submit conforming messages. As the contract creator, you're just publishing your code on chain. Each user takes responsibility for their own data.


seems like "blockchain" has nothing to do with it... they could just host the file on a server they do control. "Blockchains" aren't magic.


Blockchains - that is, the communities that use them - are at least theoretically committed to immutable permanent records of everything that happened. By design, if you tried to "retroactively" edit the contents of the blockchain, you would break the whole thing. So if the blockchain hosters stick to their avowed principles and system design, they can't remove your exploit code without taking down their whole system.

Of course in reality most blockchain folk are grifters who will happily compromise their principles as soon as you credibly threaten their pocketbook - see the Ethereum DAO for the clearest example. Still, it's funny to force them to admit it.


In fact the blockchain cannot be broken because it is a chain. Compare it to git commits. If you would hack away one commit in the middle, the whole system would change. The other commits are comparable to any other transaction (ledger) that happened anywhere. As far as I understood, 'in blockchain' == 'carved in stone'.


If people actually follow the rules they claim they do then yes. In practice once you ask them to put their money where their mouth is people make an exception. Again see the Ethereum DAO incident.


It's not magic but it is a radically different pricing model: pay once, host forever.

I see it as a massive bet on storage prices continuing to decrease.


I think nocoiners completely miss this aspect, the media too

many devs will always post their applications on blockchains, and simply do system design conducive to that environment, because web 2.0 cloud models do not compete in pricing especially if you have a burst of activity

many devs bring their whole audience over, and the audience is willing to pay to update the state of the application with no overhead cost to the dev, which is also impossible to implement in web 2.0 cloud offerings, aside from just searching and hoping for free tiers

who cares if none of those applications match your use case, just call it the entertainment sector then and you still have value and utility to someone, that self perpetuates


If it becomes a problem consensus can evolve to trim inactive data (say expiring unspent outputs after N blocks in UTXO chains, "move it or lose it" model) or explicit charging for storage per unit of size and time (decay some associated balance accordingly).


or pay never and host it on the infected website


Running a BNB Smart Chain full node requires 16 TB fast NVMe disk. "Anybody" cannot do it.


Again, that's for a validator node. If you're running a mirror that's not taking part in making new blocks, you don't need the speed, just enough space. It may not be always synced to the latest block but it should work.

I believe there are other requirements for BSC validators too, like staking a bunch of BNB.


the code is still on BSC blockchain and any node will still return the information in those addresses

even binance operated nodes

the only thing Binance did was do the exact same thing that Cloudflare did, both on their HTTP routes. Binance just had one for convenience and to attract use of their blockchain, which … worked?

it's actually lazy and amateurish that the hackers are using HTTP to access this code on the blockchain, they don't have to


Sounds like we should poison this vector (and IPFS) by uploading copyrighted movie torrents to this free storage system. For a change we’d be doing good.


Comically I was experimenting on this in 2013 or so and came to the conclusion it wasn't worth it except as a joke, something I'm sure lots of other people did too.

But combined with the insane browser expectation of being able to run unsigned JS and such from anywhere, you could probably host an entire simple text forum on whatever public chain as long as no one cares about it being fast.

Direct API is nice but any blockchain explorer service would work in a pinch.


Shoot don't even need a movie, just a picture of Mickey Mouse


At least there would be no way to take down the torrents…


or CSAM


already in bitcoin


Your plan is to DOS a system because someone abused it?


I think it was more for the lulz.


Free storage and hosting? Does this mean anyone can store random stuff in smart contracts and read from it for free?


You have to pay for the initial insert but it's then hosted forever for free. For reads, you can either download the data from nodes in the network, which works somewhat like a torrent, or find a service that has a full copy of the blockchain and is providing it via an HTTP interface.


No absolute guarantee of forever.


I guess there are some ways the ethereum network can cease to exist, when that happens there are probably bigger things to worry about


Ethereum network doesn’t serve on 80 or 443


it costs money to store/write a transaction to the chain (transaction fee) - Binance Smart Chain is subsidised so runs at a loss/pretty cheap to store small amounts of data on (if you did this on Ethereum it would be very expensive) - retrieval is free in that you can use a public RPC to retrieve the data


For the blockchain reads, someone still needs to host a JSON-RPC server. Most hosting is commercial SaaS (Infura, QuickNode, LlamaNodes) but Binance provides a free endpoint for better adoption of their chain.

This free endpoint has many abuse protection mechanisms, as free services need (see: Cloudflare). However, until today no one was hosting any malicious web payloads.

It's just a matter of the BNB Smart Chain team adding a new abuse rule to take this down.
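As an added example (not code from this thread, nor from BSC or any project named here), a small Python inspector of the kind a node operator's abuse rule or an analyst could run on what a flagged contract serves: it takes a constructed JSON-RPC `eth_call` response, ABI-decodes the Solidity `string` it returns, and flags script-like content. The function names, the sample response and the URL inside it are all constructed for this example.

```python
"""Inspect an eth_call JSON-RPC response that returns a Solidity `string`.

Added example for this thread; not code from BSC, Krebs, or any project
mentioned above. The sample response below is constructed.
"""
import json
import re


def abi_encode_string(s: str) -> str:
    """ABI-encode a dynamic string the way a contract's return data is laid out:
    32-byte offset, 32-byte length, then the UTF-8 bytes right-padded to 32."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return (
        "0x"
        + (32).to_bytes(32, "big").hex()
        + len(data).to_bytes(32, "big").hex()
        + padded.hex()
    )


def abi_decode_string(result_hex: str) -> str:
    """Decode the `result` field of eth_call for a method returning `string`.
    Bounds are checked so a malformed response raises instead of slicing junk."""
    hexstr = result_hex[2:] if result_hex.startswith("0x") else result_hex
    raw = bytes.fromhex(hexstr)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("string offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds the payload")
    return raw[start:start + length].decode("utf-8", errors="replace")


# Markers that indicate the stored "data" is really a web payload rather than
# application state. Constructed heuristic; tune for your own environment.
SCRIPT_MARKERS = re.compile(
    r"<script\b|\beval\s*\(|\bdocument\.write\s*\(|\bfetch\s*\(", re.IGNORECASE
)


def inspect_eth_call(response_json: str) -> dict:
    """Parse a JSON-RPC response, decode the returned string, and report
    whether it looks like executable web content."""
    msg = json.loads(response_json)
    if "error" in msg:
        return {"ok": False, "error": msg["error"]}
    text = abi_decode_string(msg["result"])
    return {"ok": True, "text": text, "script_like": bool(SCRIPT_MARKERS.search(text))}


# Constructed sample: what a node would return for eth_call against a contract
# whose read method returns a string. The URL is a placeholder, not a real IoC.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "result": abi_encode_string(
        "<script src='https://cdn.example.invalid/loader.js'></script>"
    ),
})

# Constructed benign sample: ordinary application data stored in a contract.
BENIGN_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 2,
    "result": abi_encode_string("ipfs://bafy.../metadata.json"),
})

if __name__ == "__main__":
    for resp in (SAMPLE_RESPONSE, BENIGN_RESPONSE):
        print(json.dumps(inspect_eth_call(resp), indent=2))
```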


Why is this considered abuse? Blockchains are for storing data, and these people are storing data on it.


Unless there's been an edit, the parent didn't write "abuse", they wrote "malware", which sort of answers your question anyway, because we are supposed to consider aiding and abetting the malicious purposes of malware to be abusive.


Reminds me of malware reading a Twitter account that would act as the C&C server.


I looked at an early flavor of this and spent a while reversing the malware. This was the same malware that hit McClatchy and MediaNews a few years ago (2020, but I remember being concerned about the malware's practice of replacing the DOM with the lure and how that could have been further abused to inject fake content). It ran on many regional media sites like Denver Post, etc. This one did a lot of cleverness like fingerprinting a host via JS to ensure it was legitimate, geolocating an IP, only serving the bait once to an IP, and making sure the referrer header was set-- among other things. They also had a nice pool of domains, but they were discoverable by looking for artifacts specific to the lure. It was an interesting campaign to dig into and watch evolve.

If I recall too, the intermediate domains appeared to all be subdomains from (possibly) compromised GoDaddy accounts.


> It seems like they (like Cloudflare, or a regular hosting service) are opening themselves up to all sorts of risks by serving arbitrary content.

That's pretty much any website that accepts user input or integrates with an external service. I could post base64-encoded malware to HN too, it would just get caught a lot faster (wasn't this a real thing on reddit?). I think the trick here is that it doesn't look out of place on a blockchain explorer/gateway because most of that data is opaque binary content to begin with.


Yes, but HN can easily remove offending content. How do you remove something from a blockchain?


The gateway can remove it or otherwise change it since it's a middleman.


IPFS along with ipfs http gateways is also abused like this a lot. It's hopeless to try to take things like this down, but in general taking down domains is hard.


How are you going to stop people from serving arbitrary content though? What appears to one parser as "Alice sent Bob 0.00000006767 BTC" may appear to another parser as malicious code.

So long as there is uncensorable data anywhere, this will always remain possible.


> 1) compromise some site to serve arbitrary JS 2) have it serve simple JS that requests other JS that contains the real malicious payload.

So… https://joshcsimmons.com?


This group isn't doing it, but you can load ethers.js or web3.js client side, and it can also do RPC calls to the nearest node and get the same data


I think one more important reason for hosting payload on the blockchain is to avoid automatic detection by scanning and auditing tools.


I'm just happy to finally see a practical use case for Blockchain technology.


It’s been great for gambling, cybercrime, and enabling the drug trade practically since its inception.


Easier to do money laundering this way instead of selling trump a house.


The suffocating irony of this forum being called "Hacker News" when it is filled with comments like this never fails to amaze me. A truly unimaginative bunch.


Could you give some other concrete, practical examples of use cases for cryptocurrencies instead of the passive-aggressive snark?


You can generate this list yourself.

Take your favorite payment provider (PayPal, Stripe, whichever bank provides your Visa/MasterCard, etc.), and look at their terms of service. Enumerate all the prohibited usages. From that list, delete illegal activities, of course.

The remaining items on the list are your practical examples of use cases. It's roughly the set of things that are legal, but that big corporations have decided you can't do because they're morally questionable or financially risky.

Stripe has an excellent list of examples (https://stripe.com/legal/restricted-businesses). Here is a selection:

* Pornography and other mature audience content (including literature, imagery and other media) depicting nudity or explicit sexual acts

* Online dating services

* Bankruptcy attorneys and bail bonds

* Sports forecasting or odds making with a monetary or material prize

* Charity sweepstakes and raffles for the explicit purpose of fundraising

* Unauthorized sale of brand name or designer products or services

And so on. All these are legal, but in a cashless society without decentralized currency, they might as well be illegal because no centralized payment processor will allow them.

But hey, Bitcoin can also be used for CSAM, unlike VPNs, Tor, or cash, which is why the HN cognoscenti condemns it.


Besides the payment processor I use allowing these things afaik (but that might be an EU vs USA thing): isn't the point of blockchain that everything is immutable and a full history of every transaction is kept? That means that if your wallet (or w/e you use to pay) is ever connected to you as a person, everyone will know what "morally questionable or financially risky" things you did in the past, which unless you don't care about that will still cause you to be really careful using your money on these types of things (honestly: even more careful than right now probably).

You could be careful to not leak your wallet address of course, but if we'd truly be a cashless society without decentralized currency you'd want to buy your groceries with it too, or order computer parts. What prevents these shops you buy from from having a security issue and leaking your wallet address? You could have a separate wallet per shop, but you need to get money into it somehow which can be traced as well (because it's the blockchain).

Note: I'm not an expert on blockchain/crypto, there might be ways to mitigate this, I'm just legit curious as to how this would be solved in a world like this.


I have two answers, one snarky.

Answer #1: relax, they already know everything about you. With every interaction in society, you leave some combination of name, email, address, purchase history, security-camera footage, license-plate footage, IP address, cell-tower history, credit-card number, Venmo likes, etc. The history of a unit of digital currency certainly helps fill in gaps. But whoever "they" are to you, they already know.

Answer #2: No single tool is a one-size-fits-all answer to privacy. TCP/IP needs TLS for transport-layer privacy, DNSSEC and TLS certs for authenticity, VPNs and Tor for protection against traffic analysis, throwaway accounts to segregate one's personal workstreams, and so on. The privacy of the internet results from an ever-evolving collection of tools.

Bitcoin is TCP/IP for money. It's a pipe that allows transfer of value from one place to another -- that's it. It doesn't provide anonymity, but unlike centralized payment-processing systems, it allows the creation of tools on top of it that could provide a practical level of anonymity. A Bitcoin mixer, for example, is comparable to a VPN.

Note that if VPNs or TLS were invented today, rather than decades ago, the Hive Mind would be demonizing them as tools for criminals and/or the kind of person none of us admits to being (purchasers of porn, etc.). We take a lot of internet privacy tools for granted, mostly because we're accustomed to them, but also because they were grandfathered before September 2001.


> But hey, Bitcoin can also be used for CSAM, unlike VPNs, Tor, or cash, which is why the HN cognoscenti condemns it.

Straw man much?


Pretty sure it's just sarcasm.


Out of interest, why can't VPNs, Tor or cash be used for CSAM? My intuition is that those 4 have more or less the same use cases.


I'm pointing out a longstanding inconsistency on HN. Every think-of-the-children argument against cryptocurrency also applies to many privacy-focused tools. The loudest commenters in the HN community are anti-censorship, but they espouse the belief that anyone against censorship of money must be a criminal.


You ain't good at sarcasm (obvious one)


He's right. There's no reason, for instance, that CSAM media can't go on the blockchain as a block - and then everyone plays plausible deniability because the "blockchain is immutable". The internet is written in ink, the blockchain is written in unwashable graffiti that many people are taking pictures of to save their own copy of it at any given time.


Preserving privacy, reliable transactions with no, I repeat, no bank or government involvement, no KYC. No/low fees (on some currencies), public immutable databases...


How is having every transaction on the blockchain considered private? If someone knows your wallet address they can see everything you've done


Somehow I'm living day to day without needing to think about being associated with a service I am paying for. I totally get your point about minimizing interference, but there is absolutely no way anyone thinks Monero is a good solution to this problem who isn't involved in some shady business.


Monero is used everyday by people living under oppressive regimes.


Wasn't able to find a single article mentioning use under oppressive regimes. It does seem to be the most popular ransomware crypto now though, so there is that


> Wasn't able to find a single article mentioning use under oppressive regimes

Well, that's the point.


These feel more like theoretical selling points, not documented uses.


> Preserving privacy

Literally does not understand crypto.


cough monero cough


Got a frog in your throat, partner? :)


Doesn't the article talk about how they're adding centralized KYC?


Yet most blockchains do the opposite of all of these things?


I’m biased because I work on payments at Solana Labs, but IMO international payments is the most promising so far.

AFAIK there’s nothing competitive with sending an international payment of any amount in half a second for a tiny fraction of a cent in fees.

For example, Visa recently expanded their pilot of USDC settlement to include Solana, citing its speed and low fees: https://usa.visa.com/about-visa/newsroom/press-releases.rele...

They refer to it as “modernizing cross-border money movement” and I think that summarises the potential pretty well!


I like the Gridless Compute [0][1] project. Check them out. Crypto is not all just crime and environmental destruction IMO.

[0] https://news.rublex.io/gridless-uses-mining/ [1] https://africancrypto.com/gridless-enables-cheap-renewable-e...


Well, you are - and I mean this with as little offense as possible - only entertaining the blockchain from a likely incredibly privileged position. Consider people living under an oppressive regime. Things you are considering perfectly normal, like freely living as a homosexual, may be a punishable offense and illegal for its citizens. "Illegal nonsense" uses of the blockchain may be life-saving privacy for them.


The cart is driving the horse, and has been for a decade. People are tired of it.


I really think Monero in particular deserves way more criticism for their practice. Bitcoin is one thing, Monero is created for and marketed towards cybercriminals, you don't need to be a communications expert to get that premise. I haven't seen it used once for any legitimate purpose. At least with Bitcoin and Ethereum you can buy some legitimate things like VPNs or NFTs

https://arstechnica.com/information-technology/2021/06/moner...


You could say exactly the same thing about any form of encryption.

I haven't bought much with Monero, but I always offer it because I adore the premise. I personally think its great, one of the few truly valuable cryptocurrencies.


"Monero is created for and marketed towards cybercriminals..."

"You could say exactly the same thing about any form of encryption..."

That seems very untrue. I like my credit card details to be encrypted when I send them for the exact opposite of assisting cybercrime.


> > I haven't seen it used once for any legitimate purpose

> You could say exactly the same thing about any form of encryption.

Maybe YOU could, and maybe you'd even be telling the truth, if you're going to this site over HTTP and not HTTPS.


+1 for Monero.


Monero was built and used for privacy purposes but it gets abused by cybercriminals for malicious purposes. Just like all cryptocurrencies and even plain paper cash.


> Monero was built and used for privacy purposes

So was Encrochat


I thought the goal of NFT was money laundering with something of fake value?


Doesn't Tor Browser also deserve more criticism by that logic? Here is their reply to this:

https://support.torproject.org/abuse/


People abandon all analysis when it comes to Tor. Yes, Tor serves a legitimate purpose (in contrast to Monero, no one has changed my mind yet), but I'd argue that value would also be fulfilled without onion services. If I have to guess, 99% of onion services are illegal activity. The only exception to this rule is SecureDrop, which I am certain could be realized with just a regular server too. You need to self host it anyways.


I use Monero to donate to FLOSS software projects and as a way of paying friends without surveillance capitalism demanding I tell them what my private transactions are for. If these aren't "legitimate purposes" then there no point in engaging in this conversation. Maybe you're happy with being subject to corporate panopticons of Venmo/Cash App/whatever but I'd rather not engage with companies that seek to demand an ever larger pool of information from me.

Onion services provide authentication and NAT traversal while maintaining security and anonymity. Just because you aren't using that functionality doesn't mean it doesn't have a use.

How do you intend to have a clearnet application that can stand up to the same threat model that SecureDrop does?


> Maybe you're happy with being subject to corporate panopticons of Venmo/Cash App/whatever

Get this, I've never used either of these services before. And the even crazier part is that if I did, they wouldn't know what I'm giving my friends money for anyways. And lastly, just use cash if your decision making is being oppressed by the surveillance capitalism. Monero serves no purpose that hasn't already been fulfilled by a non-dubious measure

> How do you intend to have a clearnet application that can stand up to the same threat model that SecureDrop does?

I don't know, ask Stripe maybe how they haven't gotten any customer data stolen yet with their massive threat profile while not using Tor in any capacity


Silly me, I didn't realize that I can send cash over the Internet.

Stripe's threat modeling is nothing like SecureDrop's. Stripe has plenty of identifying information that they would be forced to surrender upon subpoena that SecureDrop simply wouldn't be able to furnish because it never has that information to begin with. How is this not apparent? Comparing the two reeks of bad faith.


> just use cash if your decision making is being oppressed by the surveillance capitalism

This is morally equivalent to:

- "just send a letter through the post if you don't like EU's chat control"

- "just read the newspaper if you don't like Google's Federated Learning of Cohorts"

I'd like to believe we can get the benefits of 21st century tech without giving up our privacy to get it. Thanks to Monero that belief is a reality. You're welcome to stick with cash and the pony express if you like, but it's not a great look painting everyone who disagrees with your values as a criminal.


So Tor and I2P also should be criticized? IMO, something being away enough from the government that it starts to get abused shows how secure/private it is.


Tor and I2P allow the free flow of information, which is a net good for society. Monero allows the free flow of money which is a net negative; it effectively destroys the rule of law because those with enough money can freely commission crimes that benefit them.


Ironically Tor is mostly funded by the US government. 80% in 2012. They are still a significant donor however I'm not sure if the percentage is still so high.


Today you are on the right side of the fence. You buy things that are permitted so it's all good. I wonder if you would keep the same opinion, once that changes.

But let's hope for our sake, we never get there.


you can do the same with XMR. for example Mullvad accepts XMR and BTC.


Lol you don’t need blockchain, you need a host that doesn’t take down malware payloads. A floppy disk is sufficient technology if cached behind a CDN


in 2023 blockchains are ubiquitous and floppy disks are not


The quality of full screen takeover pages seems to have dramatically risen recently. My family members, who don’t know the Escape key exists, accidentally click one from a banner ad every week now taking them to a page like examplefoobar38561.cloudfront.net and the use of elements that imitate browser or OS chrome (generally imitating Windows Defender or similar) has reached near perfection. All browsers should have a setting to permanently block full screen mode for all sites (not “ask”).


Maybe one of these days scammers will release their UI elements as web components or React whatever, so we'll finally get some high-quality JS versions of native UI elements; maybe we could get Electron app developers to use them.


introducing the new native-feel component library for cross-platform development, Crimes.js


After seeing Krebs' post the other day, we now have a call scheduled with my partner's parents who still own a Windows laptop.

I'm going to tell them that they should no longer use it for any sort of financial work. No banks, no shares, nothing. Ever, for any reason.

This stuff is too good now. Most of us -- and I include the tech-literate, because we all slip eventually -- are basically helpless at this point.

Solution? iOS apps, or, I'm sorry, use a Mac. I know it's not immune to malware but for all practical purposes it might as well be.


ChromeOS?


Full screen still requires a direct user action. So there should still be a step/click between the banner ad and the takeover. But wow.


Can't it be clicking the ad?


If the page is running arbitrary JS served by ads, the site itself is compromised.


> All browsers should have a setting to permanently block full screen mode for all sites (not “ask”).

Never going to happen, because that's breaking YouTube.


Google probably prefers when you don't fullscreen the video; More ways to have your eyes drawn to ads, recommendations, and comments in the periphery. Maybe this is why they added the different "bigger but still not fullscreen" modes a few years back.


Make it a permission like with audio recording etc and maybe add a whitelist for known sites.


Don't they already whitelist YouTube for Autoplay with sound or something like that


Obv the solution is to just pick a really wacky desktop ui theme that the h4x0rs won’t guess to imitate :p

/s


Seriously, considering running a JIT-less, JavaScript-free browser should be the standard for surfing these days, and only whitelisting sites you trust (like your online banking site or Amazon for example). Disabling JS wipes out entire classes of attacks. I know developers assume the user has JS enabled and code their site to that end, but a small minority disables JS to get rid of various annoyances and for accessibility reasons, and malware issues in the browser.

This attack can still be pulled off without JS though: using plain old CSS & HTML. It seems these attacks are targeted to the non-tech-savvy, but even I (tech savvy) get duped by persuasive messages in my browser. This is why I advocate for a Phishing/Malware 101 course which is mandatory for all types of tech-related courses and learning.


I would argue that a world that didn't have JS would make these types of attacks more common, not less common. Because in that world, people would have to download desktop apps for everything, which would make people used to downloading desktop apps from random Web pages, which would make malware easier to distribute.

In fact, we don't have to imagine that world: it was the world of the late 90s.


In an ideal world, native apps shouldn't be able to compromise your whole system.


And how would that ideal world come to pass?

Hell, we even tried applets!


Webassembly will get us there


It's still not native apps by any means though…


That's a very real problem, but one would hope that package managers would be a lot more widely adopted in that counterfactual world. Maybe that's a naive hope.


Desktop software runs with fewer protections than web applications. So unless everyone is planning on becoming SELinux experts tomorrow, the web still makes sense for a lot of stuff.

Hence why exploits like these are always about getting software installed onto the host rather than being 100% JS.

And before anyone says “but package managers solve this problem”, no they don’t. There have been numerous cases of compromised software leaking into official repositories. It happened with an Ubuntu package where an attacker hacked the upstream repository. It’s happened with npm. Browser extensions from Google and Firefox repos are frequently a source for Trojans. Android and iOS have lots of apps that appear to be free torches or other such utilities but are actually just harvesting all your data. Just because a software package is published to an official repository, it doesn’t make that package safe.


Most people call them app stores these days


Native applications should be downloaded via your distributions' channels, not from random websites.


But realistically they aren't, so why are you even mentioning it?

Not every app is on the Windows or Mac App Store, not every app is on the Linux package managers. Even so, there is no sandboxing, so you're just waiting until one of them gets compromised and hoping nothing bad happens.

Sandboxing hostile apps is the only true way to protect yourself, and even that isn't perfect.


>even so there is no sandboxing

Lenovo sells all-in-one PCs that run Android, and in a world without JavaScript, you can imagine such a thing having become much more common than it actually has become so far in our world (e.g., with more enhancements done to Android to work well with a mouse), and of course Android has very solid sandboxing of apps.


This isn't that complicated. Like everything else in life it's a matter of trust and awareness, not really that technical. I'll never understand why the default stance on HN is always javascript bad.


I don't think it's a matter of trust and awareness, because your browser is already happily executing the javascript payload before you have decided whether to trust the website or not. And users are completely unaware of what the payload is doing unless it's spinning at 100% cpu or throwing UI elements in the user's face. It's a matter of convenience mostly, from my point of view.

The HN population consists for a large part of computer power users and developers who are fully aware of the capabilities of browsers and the dangers of remote code execution. I'll never understand why the default stance on HN still mostly seems to be javascript good, if not for the convenience factor.


The browser has Javascript ON or Javascript OFF. If the browser had JS off for all sites until the user whitelists the site, that would negate the need for plugins like uBO/NoScript/etc.


>I'll never understand why the default stance on HN is always javascript bad.

I am a web dev, and I agree that JS on the web is bad for pages that should be just documents like a news webpage or wiki page. JS makes sense for applications like a video game, video/audio/level/text editor, or some internal app that your company trusts, but for random untrusted document pages JavaScript is a detriment, even if we only consider UX.


You're a web developer but your mental map of the web consists of "documents" on one end and "applications like a video game, video/audio/level/text editor(s)" on the other?

You haven't in your career, stumbled across web (sites/apps) that sit somewhere on the spectrum between the extremes of "document" vs "app"?

It strikes me that there's a fairly even distribution between those two points - even if we discount all the misguided "could have been a static site but someone decided it had to be an app" decisions.

I actually agree with you on reining in javascript but I think much of the web is poorer without it. We had an answer for this years back and it was called "progressive enhancement".


> Progressive enhancement is a strategy in web design that puts emphasis on web content first, allowing everyone to access the basic content and functionality of a web page, whilst users with additional browser features or faster Internet access receive the enhanced version instead.

Why isn't this still the norm?


The ascent of SPA frameworks and the inexorable allure of "Development by CV".


Most links we open daily are to read stuff, not to interact with stuff: either read documentation, read news, or read some social media page. Those pages should be readable without scripting but for some reason they do not load at all without JS.


Yes. That was the bit where I mentioned "progressive enhancement".


Your browser is a platform that downloads and runs arbitrary code on your local hardware. "JavaScript bad" doesn't capture the nuance I read in people's comments here, but history shows that JavaScript is a gaping maw of security nightmares.


Modern browsers are what have removed the nuance. Please tell me what about the Web API for JS is truly dangerous.

Native apps and programmable documents (PDFs and spreadsheets for example) are the real security nightmare.

The danger on the web lies squarely with easily fooled idiots visiting shady sites.


For me personally it isn't as much "danger" as annoyance. Most of the web is hidden behind piles of modals, dickbars, autoplay videos, etc. Almost none of that happens without javascript. But don't dismiss those fools, they're inside sensitive networks around the world.


Fingerprinting is one example.


It's simple; the web becomes a much nicer place when you block javascript by default. Some things don't work, but they never compromise you, or bog down your computer, and throw huge ads and banners in your face. I could go on. I obviously see that JS can be used for good things, but it seems like people can't constrain themselves to that.



Or alternatively, you can pursue security through compartmentalization. My VM for random browsing has JS enabled, but if I'm hacked, the attacker will not get access to any files. Also the VM is destroyed when the browser is closed.


What’s the threat model here? Javascript sandbox escapes are extremely rare these days (subjectively they happen less frequently than image or video codec bugs).


Apart from js escapes, you are protected even if you run random executables from the Internet, or any untrusted software in general. More reasons: https://forum.qubes-os.org/t/how-to-pitch-qubes-os/4499/15


> run random executables from the Internet

Well, here's your actual problem. That's a vastly different threat model!

Modern browsers are very well sandboxed.


Even with the original threat model, CVEs in the web browsers are much more frequent than in the hardware virtualization with Xen, aren't they?


I get that the angle of BSC here generates views (and outrage and haha blockchain bad).

But the real story is "WordPress websites still hacked in masses".

WordPress, somehow, cannot manage to turn itself into a secure and tough system. It remains a prime target, its installations get hacked by the thousands and it's causing real harm at that.

(Yeah, yeah, I know the users, admins, plugins, themes and hosts are to blame. And I know it's possible to truly harden a WP - I've built a WP hosting company that did exactly this. But it's saddening how poorly the wider community handles its security)


To be fair, WordPress core has gotten better. The bigger problem is that there are many WordPress plugins, and many of the plugins can't even pretend to be related to being secure.

Until developers are widely taught how to develop secure software, the problem will just keep moving around. We can't make software development environments where it's impossible to create a vulnerability, and we will never convince users to stop wanting new capabilities. Making things secure in the first place needs to be part of the solution.


Very over the top, but bear with me. For example: if your community of plugin developers cannot produce secure(ish) plugins, then it's probably time to get rid of the plugin system altogether. "Plugins endanger our users, we no longer allow them."

Being a player that powers a vast part of all websites gives a responsibility. Taking up that responsibility includes making unpopular decisions. While "getting rid of the entire plugin system" is probably a bridge too far (it would kill WP instantly) the system needs overhaul (same for hosting, same for themes), badly. There is an intermediate solution, I am sure¹.

But the starting point must be "our community cannot handle the power we give it, so let's find a solution for that".

¹ I refrain from concrete examples here, bc HN tends to spiral into discussions on why random potential solution X will never work. I want to keep this on a higher level.


Do what Chrome has done and continually improve plugin security. Plugins should ask for permissions. Would require an overhaul of WP though.


That, and/or a sandbox model where plugins cannot escape a sandbox.

And/Or a setup where a plugin's runtime is isolated from main WP and other plugins and it can only communicate with WP over a tiny and very much hardened API.

So many possibilities. This problem has been solved mostly. Just not for PHP (that I know of) and certainly not for WP.


Being one of the biggest pieces of publishing software naturally attracts all of that: more publicity/cases, uninformed users, incentive, and a probing/persistent ecosystem for hackers.

I have to host a few dozen WordPress sites for customers and the ones that got hacked were all traced back to: enumerating usernames, and some had their password equal to that. You could blame WordPress for not being more strict in rejecting those per default.


Being one of the biggest pieces of publishing software gives a giant responsibility to prevent this.

I am convinced this responsibility isn't taken up by the community or by organisations behind it, seriously enough. Simply because the current status continues to be abysmal. I have many practical ideas how many issues could be solved, most are put forward and put down almost monthly in the community.

The current status is resignation: "well, we are big and this is how things are". No! Things could be better, more secure etc. But for that, things do have to change.


Yet again the crypto crap has proven its utility for doing shady shit.


Yep, and you can bet the government will continue using that as an excuse to bludgeon it with more regulation.


Good. It's bigger now than it ever should have been, and it'll reap what it has sown. It should have been a technology on the down-low, a technology that purposely didn't attract attention, a technology whose primary feature shouldn't have been volatility.

Cryptocurrency would have been good, as a technology, if its infrastructure didn't purposely embrace grifters and skepticism.


Govern me harder daddy.


They could also use ipfs as there are many http proxies for it including cloudflare. All proxies would individually need to blacklist the address.

In general it is going to be impossible to block content. We need to charge for bytes or something like that. But that produces other problems which could be worse


I’ve recently received a scam email with ‘Incoming mail delayed’ subject saying that my mailbox is almost full.

It contained IPFS url with a login form sending data to some hacked site so this is already a standard practice.

It is also a bit amusing when you host your own mailserver for years.


> We need to charge for bytes or something like that.

I read that 25 years ago as a suggested solution to email spam, and it's many times less feasible today than it was back then.


pretty sure that the final solution is going to be the same as email: a bunch of centralized blocklists, like Spamhaus but for IPFS.

There will be occasional false positives and some people would complain, but most IPFS gateway operators would just choose the top blocklist for simplicity.


> The company said all addresses associated with the spread of the malware have been blacklisted

How does this work? Can a single entity really just blacklist certain addresses? How is this decentralized?


Browsers cannot talk to blockchain directly, they need to go through some HTTPS server... And that server can block any request.

I am kinda surprised you haven't heard about this already. This has been used in the past to take down NFTs [0] and to make Bitcoins unspendable [1]

It's the famous "on chain only" caveat: all the decentralized systems are only decentralized in the ideal world, if nothing except the chain exists. Once practical reality comes in, there are plenty of levers for centralized control.

[0] https://news.ycombinator.com/item?id=29227119

[1] https://news.ycombinator.com/item?id=30224637


To be clear, the caveat has a caveat: the centralized control you're talking about is through public (privately hosted) APIs. Anyone running a node on the chain can still send and receive whatever they want. Unless the majority of the chain chooses to blacklist addresses, then you have a hard fork because the nodes don't have a consensus on the protocol (open vs blacklisting).


I don't see how this changes my point? Yes, on the chain you can send and receive any data you want. But if all you want to do is to exchange meaningless data, you don't need a blockchain for that.

And in practice, there was no hard fork, and yet Moxie's NFT was "removed" from OpenSea and from the MetaMask wallet. Sure, someone with a full client can still see the NFT and _technically_ all the data is there.. and yet the data is value-less. Would you pay any amount of money for an NFT you cannot show off to anyone nor use with any online service?

The same goes with bitcoin - sure, the chain will happily process your bitcoin transactions from the mixer and accept your gas fees. So if you are only looking on the chain, it is all fine and decentralized. But if you are actually trying to withdraw the money, then your accounts get blocked. So in practice, this may not be 100% useless, but this is still significantly less useful than "clean" bitcoin. And no hard fork or even community consensus required.


> But if all you want to do is to exchange meaningless data, you don't need a blockchain for that.

In this context it does matter. Cloudflare and any other "web 2" host (for lack of a better encompassing term) is censorable. They can use any other HTTP API (or host their own, although that could be blocked by a VPS eventually).

I agree with the rest of what you're saying. The reality is that it's a decentralized world that inherently requires centralized bridging. The KYC push was the turning point for controlling all the on/off ramps. It's still possible to exchange entirely on chain, but the recipient would have to acknowledge that if the sender is blacklisted then their received holdings are subject to the same control.

as long as there is "border control" back to tradfi then there will always be a centralized constraint on the concept. in theory we may see a future where people have enough markets for remaining purely on chain but anything related to government fiat (housing, taxes etc) will by definition remain centralized.


just launder it differently. the blocking mechanisms cannot discern.

forget about mixers. just launch an NFT or ordinals collection, buy it first with your clean KYC’d coin, pump it with your dirty coin, and sell your clean coin to whoever is buying - the audience or your dirty coin address

now you just have more clean coin, if you even want govbucks then you can get that on an exchange with no issue now


there's a difference between decentralized transactions and centralized APIs for viewing on-chain data.

a decentralized blockchain cannot block an address from sending or receiving transactions (without a hard fork - like ethereum did some years ago).

however, centralized services (like Binance) run nodes which read and publish on-chain data (transactions and data, like malware, associated with them) through regular HTTP APIs.

anyone running an API can choose to not allow access to data associated with certain addresses. it's their API and they can do what they want with it. the same way the youtube (insert platform) API could decide to block queries for certain channels or topics.
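To make concrete what this reply and the earlier one about browsers needing an HTTPS server are describing, here is a gateway-side screening step for Ethereum-style JSON-RPC traffic (BSC uses the same request shapes). This is an added illustration, not Binance's or BSC's code, and the blocked addresses are made-up placeholders. Two details a practitioner should not skip: the address must be case-normalized before the lookup (EIP-55 checksum spelling would otherwise slip past), and `eth_getStorageAt`/`eth_getCode` read the same contract bytes as `eth_call`, so a policy that only inspects `eth_call` is trivially bypassed. Nothing here touches the chain; any other RPC provider or a self-run node still serves the data, which is exactly the thread's point.

```python
"""Toy JSON-RPC screening step for an Ethereum-style gateway.
Added example only; not BSC's or Binance's code. Addresses are made up."""
import json

# Constructed blocklist of contract addresses (placeholders, not from the article).
BLOCKED_CONTRACTS = {
    "0x0000000000000000000000000000000000d00d1e",
    "0x00000000000000000000000000000000deadbeef",
}

# Read methods that name a contract in params[0]: either as the "to" field of a
# call object, or as a bare address. Screening only eth_call would leave
# eth_getStorageAt/eth_getCode open as an alternative way to pull the same bytes.
CALL_OBJECT_METHODS = {"eth_call", "eth_estimateGas"}
BARE_ADDRESS_METHODS = {"eth_getCode", "eth_getStorageAt"}


def normalize_address(addr):
    """Lower-case a 0x-prefixed 20-byte hex address; reject anything else.
    Without this, a mixed-case (EIP-55 checksum) spelling of a blocked address
    would miss a case-sensitive set lookup."""
    if not isinstance(addr, str) or len(addr) != 42 or not addr.startswith("0x"):
        raise ValueError("malformed address: %r" % (addr,))
    int(addr[2:], 16)  # raises ValueError on non-hex characters
    return addr.lower()


def target_address(req):
    """Return the contract address a request reads from, or None if it names none."""
    method = req.get("method")
    params = req.get("params") or []
    if method in CALL_OBJECT_METHODS and params and isinstance(params[0], dict):
        to = params[0].get("to")
        return normalize_address(to) if to is not None else None
    if method in BARE_ADDRESS_METHODS and params:
        return normalize_address(params[0])
    return None


def error_response(req, code, message):
    """JSON-RPC 2.0 error object echoing the request id."""
    return {"jsonrpc": "2.0", "id": req.get("id"),
            "error": {"code": code, "message": message}}


def screen(body, blocklist=BLOCKED_CONTRACTS):
    """Split a raw JSON-RPC body into (requests to forward upstream, responses
    to answer locally). Batches are screened item by item so a blocked call
    cannot ride along with innocuous siblings, and one bad item does not
    fail the whole batch."""
    parsed = json.loads(body)
    batch = parsed if isinstance(parsed, list) else [parsed]
    forward, answered = [], []
    for req in batch:
        try:
            addr = target_address(req)
        except ValueError as exc:
            answered.append(error_response(req, -32602, str(exc)))
            continue
        if addr in blocklist:
            answered.append(error_response(req, -32000, "address blocked by gateway policy"))
        else:
            forward.append(req)
    return forward, answered


if __name__ == "__main__":
    # Constructed request: a checksum-cased spelling of a blocked contract.
    sample = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": "0x00000000000000000000000000000000DEADBEEF",
                                     "data": "0x"}, "latest"]})
    print(screen(sample))
```

`screen()` is the whole policy: the gateway forwards the first list upstream and returns the second list to the client itself. Blocking happens per endpoint operator, which is why the article's "blacklisted" claim and the "data is still on chain" replies are both true at once.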


It’s just another block chain scam: a hyped up version of a database of text files.


> The company said all addresses associated with the spread of the malware have been blacklisted.

I thought web3 was supposed to be uncensored so we could serve and download all the malware we wanted?


The company here is the centralised service that hosts the API; the "real" data is still there.


I one time naively downloaded wordpress thinking I could read some of it. Turns out it has 5000 files. My blog has only 1 small php file. If I had more time it would be smaller.


Every time I read about the Binance Chain, it involves a scam. Is there anything created on it that isn't a scam and sees "wide" use in the crypto space?


I don't mean this as a particular defence of Binance chain per se - and I realise I'm not directly answering your question either - but pedestrian everyday usage of no special note would, by its very nature, go entirely unremarked, certainly by any 'news' source. It's only ever the dramatic heists, the hackings, thefts, etc, that drive reported media.

Therefore, the fact that "every time [you] read about" it, it involves some dramatic exceptional circumstance, is somewhat par-for-the-course.

By the same standard, the only things that I - as a non-enthusiast - ever read about the art world, is the extreme valuations, the thefts, the rude vandalisms. The only things I ever read about banks are the record profits, the manipulations of finance, the robberies. The only thing I ever read about the Middle East, is war.

The fact that it's mostly filled with decent ordinary people just trying to live their lives, is the boring, the unremarked yet dominant landscape, which somehow gets lost in the loud buzz of persistent drama.


I get what you're saying. Media bias towards certain headlines. I was extremely active in the crypto scene for many years (participating in Polkadot auctions, ETH domain names, NFT card games, DAI repo auctions, de-fi apps etc) and have never seen a legitimate use-case come out of BSC at all (they were always scam coins) and was wondering if anyone else has felt the same or had any evidence proving otherwise.


Any site that asks me to change my configuration in any way to view their content gets a swift click of the Back button.

No, I will not "update" my browser nor enable JavaScript just to read your text and images.

Everyone seems to have discovered that "security" is a great excuse to coerce people into doing things.

"The only thing we have to fear, is fear itself."


Just add a cors header, no? If it's a debugging API for devs, why are you making it accessible to any browser from any origin?


This week I cleaned 3 WordPress websites that were exploited with this scam replacing the content on the sites.


I guess someone finally found a real world use for blockchain.

Too bad it was malware.


Ironic that even this blockchain still had some centralised aspects:

“In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts.”

I thought one of the big drivers for people using blockchain is the decentralised nature- resistance to censorship etc. Seems like this one isn’t a great long-term choice for malware as it’s not censorship resistant (as evidenced by the blacklist).


I think this is like a block explorer type url. They can refuse requests to view those blocks. I don't think they can stop the creation of those blocks.

The malware guys can probably still find another 3rd party block viewer. But it is a hassle for them.


IIRC blacklisting in this manner is basically just a suggestion - it's saying, "hey, in the opinion of Binance, these addresses are bad. Don't do business with them".

If the majority of nodes in the network comply with the blacklist, then it works. But at any point, someone who runs a node (or nodes) can choose to ignore the blacklist.

It's only centralized if the majority of people running BNB Smart Chain decide to trust Binance.


I'm no blockchain expert but I don't think you need a majority. The majority relates with the financial incentives of following the longest chain, but ultimately you can configure your node to "disbelieve" any block breaking the blacklist and carry on with like-minded nodes in a fork.


Will uBlock Origin or Brave Shields block this?

Another reason to use uBlock Origin for private use and also deploy it in company use with GPO, Intune or other RMM.


> Will uBlock Origin

Since the attack is likely JavaScript based, provided one configures uBlock Origin to deny all JavaScript by default (this is not uBlock's default mode; you have to turn on "I am an advanced user" mode and then block all JS by default using the advanced user UI controls) then the answer is very likely: yes, it will. Because if it is JS based, and no JS runs, no exploit happens.
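For anyone who wants to set this up by hand rather than click through the popup, the configuration that reply describes appears in uBlock Origin's "My rules" pane as two per-site-switch lines (added here as an illustration; `example.com` stands in for whichever site you decide to trust):

```text
no-scripting: * true
no-scripting: example.com false
```

The first line turns the "disable JavaScript" switch on for every site, the second turns it back off for one hostname; the hostname-specific entry takes precedence over `*`. Note that this is the right switch for the attack in the article: the "medium mode" dynamic rules many people run (`* * 3p-script block`, `* * 3p-frame block`) only stop third-party scripts, and the loader here is injected into the compromised site's own pages, so it is first-party and fetches its payload as data over XHR rather than as a script request. Blocking scripts also does nothing about a user who downloads and runs the fake "update" anyway, which is the part of the scam the article's Rule #1 is about.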


gotta love that blockchain, man. has anyone ever used it at scale for anything legitimate? sheesh.


> New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain

Finally a practical use for web3


I'm surprised Krebs says something like this, because it's not novel at all. I'm in the industry, and malware used public blockchains at least as far back as 2017 (probably way before, but that's when I first analysed a sample that does that).


> More than a decade ago, this site published Krebs’s Three Rules for Online Safety, of which Rule #1 was, “If you didn’t go looking for it, don’t install it.” It’s nice to know that this technology-agnostic approach to online safety remains just as relevant today.

Still a very good practice today.


Easier to just remove local admin from end-users than hope they'll act intelligently.


A lot of stuff the user cares about (documents, pictures, browser profiles) are readwritable from the user context


Good ol' Krebs and Schneier... either way too late to a scam, or ignoring other scams, or ineffectual regardless. What about those fake "download here" AdWords buttons that have been a scourge of the web for the past decade or longer, infecting untold millions of computers with malware? When will anyone bring that up?


A good takeaway from this is that

1) the simplest methods can stick around the longest. His skimmer page is 13 years old and it's still relevant, for example. Similarly, we will not be rid of fake download buttons or compromised wordpress sites in our lifetimes.

2) If you write about the simple stuff, your articles will be evergreen. You don't have to time the market when your product never falls out of demand.


Google can simply decline to run any ad which has the words "download here" as an image. how hard is that? I guess people do not come forward and less media coverage, unlike crypto losses and scams.


People have been bringing that up for like a decade?


Not sure if it's exactly the same thing as what you just mentioned, but I did write recently about criminals using paid Google ads to get their links for popular software downloads to show up before even the first organic search result. And it includes the right icons and branding, and people click and are brought to a site that looks an awful lot like a site Microsoft might use to let you download Teams, and you get an information stealer program instead.

Tl;dr, there are multiple ransomware groups that are using this method to find new infostealer victims.

https://krebsonsecurity.com/2023/09/snatch-ransom-group-expo...


Are people at Google even manually reviewing any of this? They have so many people there you would imagine it's not an impossible thought.


Too bad Google seems to always be behind the curve on stopping this. Fake wallets and other scams on AdWords and the Google Play store.



