There is a lot of confusion in this thread regarding basic concepts of the law.<p>1. The NJAG is not prosecuting the MIT student(s) (at least not yet). Therefore, this is not similar to the alleged overzealous prosecutors in the Swartz case.<p>2. A subpoena is a writ compelling testimony or evidence. A subpoena is not synonymous with being a defendant.<p>3. NJAG served one MIT student with a subpoena to turn over documentation (source code, downloads, users, etc.) for a program which may be being used by third-party websites in a way that violates the rights of NJ residents vis-a-vis unauthorized access to computer systems.<p>4. It seems there is an issue raised arguing NJAG does not have jurisdiction over the MIT student(s). Personally I would find this analysis the most compelling because it is at the intersection of where facts and law meet.<p>5. EFF is arguing that complying with the subpoena may violate the student's right against self-incrimination. I think this is a losing argument where one's right against self-incrimination is rather limited, generally to information contained within their mind and not typically extended to documentation and records.<p>6. Though this is not at issue, it would be almost impossible for the MIT student(s) to have committed a crime, as the crime would require intent. It would be nearly impossible to prove the student(s) <i>intended that their code be downloaded by third-party websites for the specific purpose of running on the end users' computers without their knowledge</i>. It would be on par with charging a gun manufacturer criminally for intending that their guns be manufactured and sold for the exclusive purpose of committing crimes.
That article describes a thought experiment that would A. remove an ad, and B. should (but doesn't) trigger a BitCoin miner. It's clearly marketed as an illustration to an idea. I'm failing to see the consumer fraud. Is this like accusing a car manufacturer of manslaughter because their latest concept car didn't have seat belts?<p>I would like to know if that's selective reporting from Wired, or spectacular fishing from the NJ state attorney.<p>Also, neither the hackathon nor MIT appears to be in NJ: what is their jurisdiction? Those two issues should be clarified in any basic coverage of the incident: at this point, it is plain bad reporting.
The EFF has the actual documents in the case posted <a href="https://www.eff.org/cases/rubin-v-new-jersey-tidbit" rel="nofollow">https://www.eff.org/cases/rubin-v-new-jersey-tidbit</a><p>Based on a quick skim, this is the closest NJ comes to making a case: <a href="https://www.eff.org/document/nj-attorney-general-response-eff-letter" rel="nofollow">https://www.eff.org/document/nj-attorney-general-response-ef...</a>
I feel like this article is a bit one-sided. It doesn't ever state NJ's case against the students and draws strong parallels to Aaron Swartz (a hero to many people). A lot of the time these parallels seem to be weak: the student who did this is an MIT student who built a piece of software at a hackathon; this has almost nothing to do with Aaron Swartz's situation except it involves a young programmer and MIT.
Tidbit inspired me to write my own web-miner, which I open sourced. It's hacked together as I was really just trying to learn how the cryptocoin & mining stuff worked. The mining rate you get with straight JavaScript is truly abysmal, even with web workers (much worse than the standard cpuminer).<p>I found a couple of examples that do the scrypt part with GPU in browser, but your browser has to support custom shaders, I think (I forget the details), and the version most browsers support doesn't allow this (again, my memory is sketchy about the details).<p>Anyway, here you go, NJ! <a href="https://github.com/borlak/cryptocoin_scrypt_stratum" rel="nofollow">https://github.com/borlak/cryptocoin_scrypt_stratum</a>
There is an option in all browsers to disable javascript. That, combined with the fact that you are <i>requesting</i> files from a website (as opposed to them being surreptitiously forced onto your machine) implies consent to execute the code sent to you. Finally, the code made no attempt to go beyond user-granted access limits (in this case the ability to run javascript in the browser, a decision which is entirely under the control of the user).<p>I cannot see how a fraud or hacking case of any kind could be made here, even if they got the code.
Don't users implicitly consent to a website using their CPU and bandwidth for arbitrary tasks while the website is open, by using a browser that downloads and runs arbitrary JavaScript and allows it to XMLHTTPRequest?<p>Even if the code in question was being run on a publicly accessible website, was used by a New Jersey consumer, and was fully functional and actually mined Bitcoins (all of those points are disputed by the students' counsel)... The only thing that's being taken by the website operators would be users' CPU cycles and bandwidth. And if the users have implicitly consented to the website's arbitrary use of those resources, how is anyone being harmed?
I'd be curious to find out why the NJ AG would get so paranoid about this. I couldn't really find a link to their side of the story.<p>The National Science Foundation did discipline a researcher who did some mining on their computers.
Perhaps most interesting in my reading of the documents provided by the EFF is the correspondence regarding the countersuit made by Rubin against the NJAG.<p>In it NJAG lay out exactly what they think Rubin did:<p><i>...Plaintiff's development, use and deployment of the Tidbit Code which, by plaintiff's own description, strongly suggests the code was designed to hijack consumer's computers to mine for bitcoins, including the computers of New Jersey consumers. Further, prior to the issuance of the Subpoena and Interrogatories, the Division determined that the Tidbit Code was present and active on the websites of entities located in New Jersey and Plaintiff affirmatively sent the Tidbit Code to the New Jersey based entities.</i><p>They posit that the code was<p>1. Designed to hijack a consumer's computer for the purpose of mining bitcoins<p>2. The computers targeted for hacking (implicitly the entire internet) include those of New Jersey consumers<p>3. The code was found on websites owned by New Jersey entities<p>4. Rubin sent the code "affirmatively" to those New Jersey entities<p>I think 1. is the weakest point, but that weakness is based on my understanding of the definition of 'hijack'. 2. and 3. seem to follow easily from assumptions, or could be easily shown as fact. 4. seems like it would be harder to prove, but I don't know the implications of the term affirmatively used here.
How is surreptitious use of compute resource any different than the surreptitious accumulation and analysis of data exhaust? If this moves forward to prosecution, I'd argue it will actually open up an avenue of attack against Facebook, Google, et al.
This sounds like some trivial code, not even fully functioning, that was written during a hackathon. Why does New Jersey care?<p>It wouldn't even make sense as a business model anymore, because ASIC miners are so much more efficient than GPUs, but I heard many people talking about building this kind of service years ago.<p>NJ could pay a software developer to write them code to let people generate small amounts of bitcoin in a browser. Why would they possibly want this MIT student's code so badly?
I don't understand how their JavaScript-based miner is feasible.<p>Mining bitcoins with a CPU is an extremely futile endeavor, and on top of that, it is implemented in asm.js.<p>Even with thousands of workers, GPU and ASIC mining is anywhere from hundreds to over a MILLION MH/S while modern CPUs top out at 20 with most around 5.<p><a href="https://en.bitcoin.it/wiki/Mining_hardware_comparison" rel="nofollow">https://en.bitcoin.it/wiki/Mining_hardware_comparison</a>
I don't understand how it could be considered consumer fraud or computer fraud and abuse if it was clearly indicated to the visitor that their browser would be used as a BitCoin miner in lieu of being displayed Ads. Assuming they weren't told, I could see the issue but it didn't seem like they were trying to dupe visitors.
New Jersey's position is laid out in their 3/7/2014 filing. <a href="https://www.eff.org/files/2014/03/07/njs_memo_in_opposition_to_motion_to_quash.pdf" rel="nofollow">https://www.eff.org/files/2014/03/07/njs_memo_in_opposition_...</a><p>Here are the relevant parts (lightly edited):<p>The Division issued the Subpoena and Interrogatories in furtherance of its investigation into an entity called Tidbit. Tidbit is a group of students who developed a software code that may have hijacked the computer resources of consumers within the State of New Jersey and improperly accessed and/or used such computer resources to mine for bitcoins for the benefit of Tidbit and its customers and without any notice to, or obtaining consent from, New Jersey consumers, in possible violation of the New Jersey Consumer Fraud Act ("CFA") and Computer Related Offenses Act ("CROA"). Bitcoins are a digital medium of exchange that can be traded on online exchanges for a dollar value. Bitcoins are "mined" through the use of computer resources to solve complex algorithms. Many times, consumers' computer resources are unknowingly accessed by entities through software code or otherwise in order to mine for Bitcoins.<p>Plaintiff's own description of its services strongly suggests that the code it developed is, in fact, designed to hijack consumer's computers. .... Further, contrary to Plaintiff's allegations in its brief, the Division specifically found Plaintiff's code on the websites of entities located in New Jersey. Furthermore, the Division determined that the code was active.<p>The following representations, among other things, are made on the Tidbit Website: "Monetize without ads"; "Let your visitors help you mine for Bitcoins;" and "Built on the bleeding edge." The Tidbit Website further provides: "How does it work? ... [1] Make an account - Sign up with your Bitcoin wallet ... [2] Paste the code - we'll give you a snippet to put in your website ... [3] Cash Out! - We'll send a transaction to your Bitcoin wallet." ...<p>E. The Division's Undercover Investigation<p>On February 7, 2014, the Division re-accessed the Tidbit Website and "Sign up" button. While on the Tidbit Website, the Division submitted Sign-up Information to Tidbit using an undercover e-mail address and an undercover bitcoin wallet id. In response to receiving the Division's undercover Sign-up information, Tidbit sent the Tidbit Code to the Division's investigator via a confirmation page on the Tidbit website ("Confirmation Page"). The Tidbit Code that the Division received includes the Division's undercover bitcoin wallet id. Additionally, among other things, the Confirmation Page states: "<i>Your embed code</i> - Paste this at the bottom of your HTML page, and your visitors will start mining Bitcoins for you!" (emphasis in original).
They need to bring in a couple of seasoned enterprise developers who can hand off any project in such a state that it would be easier to rewrite it from scratch than to even just successfully build it, less run/debug/understand...
We're lucky to have an organization like the EFF that fights this nonsense. It's a good time to support their work.<p><a href="https://supporters.eff.org/donate" rel="nofollow">https://supporters.eff.org/donate</a>