ResistancePlatform / resistance-platform-release

Resistance Desktop Wallet with ResDEX, Mainnet, CPU Miner, and more

malware included in download - DO NOT DOWNLOAD INSTALLATION FILE ON YOUR COMPUTER #13

Open AureusN opened 4 years ago

AureusN commented 4 years ago

The download of the installation software contains malware: win32:MinerD-A

Not very nice of you a..holes to infect other computers with malware. Your project looks good on paper but trying to clandestinely install malware on people's computers is mean. What were you thinking? That everybody is stupid enough to not realize it?

solardiz commented 4 years ago

This is a duplicate of issues #9 and #7. The GUI wallet includes a miner built-in, as an explicit feature that you may or may not use, and some modern anti-malware reasonably detects that and says so, e.g. as "win32:MinerD-A" in this case, because miners are also found hidden in malware these days. While this is the expected behavior on all sides, it's unfortunate that this confuses users and in some cases prevents from distinguishing intentional and desired miners from real malware. There's not much the Resistance project can do here.

AureusN commented 4 years ago

At the very minimum this "feature", which only benefits the resistance guys and not the poor chap who happens to download the wallet, should be disclosed. A simple information would raise more confidence whereas simply hiding such things raises at least an eyebrow.

solardiz commented 4 years ago

This repository's description and README say "Resistance Desktop Wallet with ResDEX, Mainnet, CPU Miner, and more" - notice this mentions "CPU Miner". The miner is not active by default. When you do activate it, any of its mined coins (if it does find a block) are yours, not benefiting "the resistance guys".

Edit, clarification: each block also includes rewards for PoR, masternodes, and dev fund. However, blocks are found somewhere on the network at the same rate (one per minute on average) regardless of whether you're mining or not (as long as at least one node is, or else the network stops), so there's no added benefit to "the resistance guys" from you choosing to PoW-mine, nor any harm from you choosing not to (although mining decentralization is good for the network's health).

AureusN commented 4 years ago

You are a bunch of criminal crooks. Why would you include malware in the first place in download packages?

solardiz commented 4 years ago

I can't figure out if you're still confused or are now trolling. Assuming good faith (so genuine confusion and not trolling): why would you call an explicitly mentioned, non-hidden, not running by default miner "malware"? Do you call every other cryptocurrency miner out there "malware" as well? If so, why would you be interested in cryptocurrencies at all? Puzzling.

Do you perhaps find the bundling of miner along with a wallet unexpected? That I sort of can understand. Historically though, Bitcoin's original bitcoin-qt GUI wallet similarly connected to a locally running Bitcoin node, and the node included a miner in it (not enabled by default, just like Resistance's miner is not). All of this was, and still is, part of Bitcoin Core. It's just that most people use lightweight wallets these days (not running full nodes) and are not mining cryptocurrencies on CPU (since most are unsuitable for CPU-mining now), whereas Resistance wallet and mining is closer to what Bitcoin wallet and mining used to be like in the early days (locally running full node, CPU mining).

While I see plenty of real issues with the Resistance project (in fact, making it mostly a failure), this one "issue" is an almost total non-issue (even in my opinion, as someone who's really unhappy about how the project went). The only real aspects here are user confusion and inability to check for real malware because of the false positive (such ability which would be desirable e.g. in case the download gets compromised by a third-party), as seen on your comments here. If you or others have suggestions on how to minimize such confusion, please share. Thanks.

Two ideas are:

  1. Continue to include the miner, but prevent its detection by anti-malware at least until the user actually chooses to activate the miner. There are ways to achieve that (supply the miner component in encrypted form, decrypt it when the user clicks a button and clearly acknowledges they want the miner). However, a concern is that the deliberate anti-anti-malware measure like this would actually fuel accusations such as yours. Of course, there would be very explicit user interaction to enable the miner, so it certainly wouldn't become "malware", but I guess some people could find this inappropriate anyway.

  2. Don't bundle the miner with the wallet. Accept the functionality loss (even though some users liked the bundled miner), and accept the slightly worse network health - lower mining decentralization and lower hashrate (although frankly Resistance's current status in these respects is so bad that making it a little worse almost doesn't matter).

Given the questionable tradeoffs with these ideas above, I doubt anyone will work to implement either of them. But if there's some better (non-tradeoff) idea that you or someone else has on this, it might be different.

ian-p-johnson commented 4 years ago

I am actually with solardiz on this - the desktop software openly includes a CPU miner and the signature of that is what the software scanners are picking up. This might be through particular byte codes in the binary, in memory or by behavior of the miner.

It is possible, though far from trivial, to mitigate this detection (certainly against all virus/malware scanners) and I believe the team chose to be open in recognition of this downside. It was considered a waste of what might be considerable effort to remove the need for a significant proportion of the scanners out there.

Unfortunately this does lead to "false positives" (they are not really false - they are positives) but they have been open so I don't believe it is some in intention to infect your PC. It didn't help the reputation of the already fragile installation experience though.

ian-p-johnson commented 4 years ago

The detection is common because of the historical inclusion of Monero (and similar) mining software in web pages, "free" software etc. which was used to build network of thousands of machines mining for their masters. It's an awkward problem when you are trying to openly mine with the users' permission.

ghost commented 4 years ago

I agree with you Ian (Sorry) but that puts ignorant people off and raises complaints and makes the program look dodgy. So, we need to resolve it as an option just for desktop miners. Rest do not have to do it but a clean installation.

ian-p-johnson commented 4 years ago

The intention was, I am sure, to strengthen network security and thus include a miner on every installation. If you release a wallet version without the miner you will lose that network security and be more open to a speculative attack.

Ideally obfuscating the miner to reduce the number of (false) positives is appealing but I do believe it will be non-trivial to hide it from all scanners. Most wallets do not include a desktop miner.

ghost commented 4 years ago

What needs to be done is to install without a miner and only for people that want the desktop miner gives them the option to install the desktop miner after having resistance installed warning them that the miner is considered a malware by most modern antivirus, whilst it is not. So, at least you can do first installation with no issues. The main issue in my opinion as expressed numerous times to the team is the lack of documentation, communication to the user, transparency etc. There should be a guide menu, FAQ menu, etc. and all that explained clearly there. However, we will keep on fighting for it.

SickProdigy commented 3 years ago

The kyc thing had me on edge, because why would I need to worry about kyc with a desktop wallet? And the miner included is more standoffish for me. Please let me know if you do a standalone wallet without all the extras and installation.

ian-p-johnson commented 3 years ago

I do have a standalone wallet but gave up on the project when they clearly exit scammed

On Thu, Nov 18, 2021 at 1:08 AM SickProdigy @.***> wrote:

> The kyc thing had me on edge, because why would I need to worry about kyc with a desktop wallet? And the miner included is more standoffish for me. Please let me know if you do a standalone wallet without all the extras and installation.


solardiz commented 3 years ago

@ian-p-johnson You know, this still hurts a lot and I'm sure no one on the team intended for the project to fail (which your harsh words seem to imply)... but I also gave up.

@SickProdigy Not a valid excuse (nor do I want to provide one), but to answer your question to at least some extent:

The full source code needed to build a standalone wallet without DEX (as DEX+KYC doesn't fly) is (finally) in other public repos under the ResistancePlatform org. If anyone capable still has any interest in the core tech (a clean Zcash fork with CPU-focused PoW, a miner for that, and an optional GUI wallet around these), they can rebuild the wallet package with only the desired components included (can drop the miner, too). They can continue with the existing blockchain or choose to fork or restart the blockchain. Whether there's any point in any of that is doubtful, but at least the options are there.

As I had worked on the core and miner, I had more of a say on getting the source code for those released right upon launch - which the project did. I didn't work on the GUI wallet nor packaging, so had little say there, and this part of the source code was only made public when the project became pretty much irrelevant, unfortunately - but in the end it's public and is technically reusable.

The GUI wallet can be fairly easily adapted to work with Zcash proper and with other Zcash forks, so maybe it should become a separate project supporting Zcash and all of its forks. That would be a reasonable reuse.

Other than potential (unlikely?) reuses, I doubt there's any future here.

ian-p-johnson commented 3 years ago

With respect (and I do mean that @solardiz) the project was a DEX, not just a coin, miner & wallet. The core, cli wallet & miner were not what let the project down. The DEX was a shoddy clone of an existing DEX with an incomplete and non-functional GUI. I don't know if the exit scam was originally intended but the funding did not go into the project, so it was effectively abandoned with an attempt to blame others.

This, I know, was not your responsibility, but the outcome was the same.

On Thu, Nov 18, 2021 at 1:15 PM Solar Designer @.***> wrote:

> @ian-p-johnson https://github.com/ian-p-johnson You know, this still hurts a lot and I'm sure no one on the team intended for the project to fail (which your harsh words seem to imply)... but I also gave up.
>
> @SickProdigy https://github.com/SickProdigy Not a valid excuse (nor do I want to provide one), but to answer your question to at least some extent:
>
> The full source code needed to build a standalone wallet without DEX (as DEX+KYC doesn't fly) is (finally) in other public repos under the ResistancePlatform org. If anyone capable still has any interest in the core tech (a clean Zcash fork with CPU-focused PoW, a miner for that, and an optional GUI wallet around these), they can rebuild the wallet package with only the desired components included (can drop the miner, too). They can continue with the existing blockchain or choose to fork or restart the blockchain. Whether there's any point in any of that is doubtful, but at least the options are there.
>
> As I had worked on the core and miner, I had more of a say on getting the source code for those released right upon launch - which the project did. I didn't work on the GUI wallet nor packaging, so had little say there, and this part of the source code was only made public when the project became pretty much irrelevant, unfortunately - but in the end it's public and is technically reusable.
>
> The GUI wallet can be fairly easily adapted to work with Zcash proper and with other Zcash forks, so maybe it should become a separate project supporting Zcash and all of its forks. That would be a reasonable reuse.
>
> Other than potential (unlikely?) reuses, I doubt there's any future here.


SickProdigy commented 3 years ago

Fair enough. First time I've heard of it. But found it on a pretty big mining site.

I figure I'd comment since no one has in awhile. Glad to see the GitHub community active honestly.

I like the project name and the idea of the program. But some features are unnecessary for majority of users. An aio solution is what it seems they tried to achieve. And btc was an aio solution in the past almost. But I've never heard of Bitcoin shipping with a miner.

I've done the whole node setup shabang and have never installed a miner along with.

The dex thing has me more curious though. Then centralize it with kyc.

I'd be more interested in seeing someone else take hold of the project for sure.

It's clearly never gonna fully die.

ian-p-johnson commented 3 years ago

Nobody will pick it up, without restarting the chain as the lion's share of the original minted tokens are in the hands of the project "executive" and quite frankly they cannot be trusted not to dump as soon as they can

The most difficult bit of the project was not complete. There is no working DEX, no plan for liquidity, no marketing, no further development, no funding, staking was constantly failing and was abandoned, no community

It's dead Jim !

There is almost as much to do as has been done already

POR was interesting (Proof of Research) - that was well done

On Thu, Nov 18, 2021 at 2:02 PM SickProdigy @.***> wrote:

> Fair enough. First time I've heard of it. But found it on a pretty big mining site.
>
> I figure I'd comment since no one has in awhile. Glad to see the GitHub community active honestly.
>
> I like the project name and the idea of the program. But some features are unnecessary for majority of users. An aio solution is what it seems they tried to achieve. And btc was an aio solution in the past almost. But I've never heard of Bitcoin shipping with a miner.
>
> I've done the whole node setup shabang and have never installed a miner along with.
>
> The dex thing has me more curious though. Then centralize it with kyc.
>
> I'd be more interested in seeing someone else take hold of the project for sure.
>
> It's clearly never gonna fully die.


solardiz commented 3 years ago

@SickProdigy Not to argue, but FWIW both Bitcoin and Zcash (and many others) had built-in miners in their full nodes. Inefficient and little-known, except in the early days of those coins. Resistance Core has that too (inherited from Zcash and updated for the change of PoW), although this issue is about a standalone miner bundled in the wallet package (so technically there are two miners here).

> I'd be more interested in seeing someone else take hold of the project for sure.

Maybe @whiteknightrader could? He wasn't on the original team, but he contributed some final minor updates of the GUI wallet.

> Nobody will pick it up, without restarting the chain

I doubt anyone would bother and I don't really recommend it, but technically a middle ground is possible - a "community Resistance" hard-fork where addresses with a balance of, say, 1M+ RES (or any other threshold chosen by whoever does this) at the time of fork would become unspendable (reducing the total supply accordingly). At the very least this can be done for the 25M+ RES balance of the already assumed-burned coins that people exchanged for RESDX (a token on Binance chain) - locking those up technically wouldn't even be a fork, but would be reinforced main Resistance chain. I doubt any of that would be sufficient for a successful project and it's not a trivial change to implement (would require expertise), but technically it's possible.

ian-p-johnson commented 3 years ago

There is also no benefit in fixing the DEX without access to the DEX server process - I just looked and all I can find is the RESDEX GUI - and not the server process.

This was forked from Komodo so it could possibly be replicated - at the time I was pushing heavily for access to the API - which is now implicitly visible in the GUI.

It looks like all that was opened up was that required to tick a box to mitigate exit scam accusations - a common procedure throughout the latter stages of the project

When I make exit scam accusations, I have no evidence that the dev team were directly responsible (though they were debatably complicit) but it is directly targeted at the executive for sure - it may have been that some of the dev team were themselves burned - but we will never know.

So as a clean forked ZEC + Miner + POR it is solid (also no source of the POR web/server side so that is a non starter)

As a DEX it sucks, is incomplete and without chain restart/fork is a non starter

Forking the chain is problematic as it's only really possible to go back to that summer after investors got their distributions, but by then the project reserve was fragmenting heavily making it practically impossible to track what was reserve, what was mined, what was investors distributions, what was siphoned (without some heavy analysis of the chain - I was watching it, believe me), so it is not a simple fork.

If there was a ledger of original investors contributions + a tracing of mining/POR revenue it would be possible to make a clean start + drop of freshly mined coins to those categories - but a chain fork would not be useful as it would include too much dodgy stuff.

On Thu, Nov 18, 2021 at 3:31 PM Solar Designer @.***> wrote:

> @SickProdigy https://github.com/SickProdigy Not to argue, but FWIW both Bitcoin and Zcash (and many others) had built-in miners in their full nodes. Inefficient and little-known, except in the early days of those coins. Resistance Core has that too (inherited from Zcash and updated for the change of PoW), although this issue is about a standalone miner bundled in the wallet package (so technically there are two miners here).
>
> > I'd be more interested in seeing someone else take hold of the project for sure.
>
> Maybe @whiteknightrader https://github.com/whiteknightrader could? He wasn't on the original team, but he contributed some final minor updates of the GUI wallet.
>
> > Nobody will pick it up, without restarting the chain
>
> I doubt anyone would bother and I don't really recommend it, but technically a middle ground is possible - a "community Resistance" hard-fork where addresses with a balance of, say, 1M+ RES (or any other threshold chosen by whoever does this) at the time of fork would become unspendable (reducing the total supply accordingly). At the very least this can be done for the 25M+ RES balance of the already assumed-burned coins that people exchanged for RESDX (a token on Binance chain) - locking those up technically wouldn't even be a fork, but would be reinforced main Resistance chain. I doubt any of that would be sufficient for a successful project and it's not a trivial change to implement (would require expertise), but technically it's possible.


SickProdigy commented 3 years ago

A lock up of the current coins, basically burning them could be rather effective.

Or have a trade to the new chain lockup those coins and airdrop new coins.

The dex side of things is interesting and did get to thinking last night, a dex that is truly decentralized with no id's mandatory would be nice. Maybe just can't go to usd or other fiat to accomplish this legally.

But if it's all run by the system and fees go to miners it would be a more rather interesting approach.

Restarting the chain in its current state would clearly be setup for disaster we know. But if someone was trying to move this project forward, how much is really left to salvage before starting anew?

ian-p-johnson commented 3 years ago

It is interesting because it is not ERC-20 based - it would offer an Atomic swap for multiple chains supporting HTLC. Am pretty sure the Komodo implementation is order book based, not AMM - so that complicates liquidity provision as you need a "market maker" relationship. It could, theoretically offer "secret" swaps (swapping through the chain, but that would paint a bullseye on the project) Am not sure on whether the chain is scalable enough though - ..

Apart from the AMM (Uniswap, Sushiswap, Pancake swap and all the clones and alternate L1 chain implementations) the hot area looks to be L2 based DEX implementations - some offering leverage. Look at DyDx, Loopring - no need for KYC - fast swaps, some have leveraged perpetuals - shame DyDx exploded so much they have technical problems keeping up with the load when it gets busy .. but that's a scaling problem rather than a conceptual problem.

POR is missing, the GUI is flaky - and you need a lot more to start a DEX than working software - you need funding - and even a "fair start" project would struggle to compete.

There is also not enough time left in this cycle to do something before this one ends. Too much work to do for "love" - I seriously considered it once but decided against it.

The nearest similar DEX I can think of is Thorchain - I think that has the ground well covered.

On Thu, Nov 18, 2021 at 6:30 PM SickProdigy @.***> wrote:

> A lock up of the current coins, basically burning them could be rather effective.
>
> Or have a trade to the new chain lockup those coins and airdrop new coins.
>
> The dex side of things is interesting and did get to thinking last night, a dex that is truly decentralized with no id's mandatory would be nice. Maybe just can't go to usd or other fiat to accomplish this legally.
>
> But if it's all run by the system and fees go to miners it would be a more rather interesting approach.
>
> Restarting the chain in its current state would clearly be setup for disaster we know. But if someone was trying to move this project forward, how much is really left to salvage before starting anew?
