malware included in download - DO NOT DOWNLOAD INSTALLATION FILE ON YOUR COMPUTER #13
Comments
This is a duplicate of issues #9 and #7. The GUI wallet includes a miner built-in, as an explicit feature that you may or may not use, and some modern anti-malware reasonably detects that and says so, e.g. as "win32:MinerD-A" in this case, because miners are also found hidden in malware these days. While this is the expected behavior on all sides, it's unfortunate that this confuses users and in some cases prevents them from distinguishing intentional and desired miners from real malware. There's not much the Resistance project can do here. |
At the very minimum this "feature", which only benefits the resistance guys and not the poor chap who happens to download the wallet, should be disclosed. Simple information would raise more confidence, whereas simply hiding such things raises at least an eyebrow. |
This repository's description and README say "Resistance Desktop Wallet with ResDEX, Mainnet, CPU Miner, and more" - notice this mentions "CPU Miner". The miner is not active by default. When you do activate it, any of its mined coins (if it does find a block) are yours, not benefiting "the resistance guys". Edit, clarification: each block also includes rewards for PoR, masternodes, and dev fund. However, blocks are found somewhere on the network at the same rate (one per minute on average) regardless of whether you're mining or not (as long as at least one node is, or else the network stops), so there's no added benefit to "the resistance guys" from you choosing to PoW-mine, nor any harm from you choosing not to (although mining decentralization is good for the network's health). |
You are a bunch of criminal crooks. Why would you include malware in the first place in download packages? |
I can't figure out if you're still confused or are now trolling. Assuming good faith (so genuine confusion and not trolling): why would you call an explicitly mentioned, non-hidden, not running by default miner "malware"? Do you call every other cryptocurrency miner out there "malware" as well? If so, why would you be interested in cryptocurrencies at all? Puzzling. Do you perhaps find the bundling of a miner along with a wallet unexpected? That I sort of can understand. Historically though, Bitcoin's original bitcoin-qt GUI wallet similarly connected to a locally running Bitcoin node, and the node included a miner in it (not enabled by default, just like Resistance's miner is not). All of this was, and still is, part of Bitcoin Core. It's just that most people use lightweight wallets these days (not running full nodes) and are not mining cryptocurrencies on CPU (since most are unsuitable for CPU-mining now), whereas Resistance wallet and mining is closer to what Bitcoin wallet and mining used to be like in the early days (locally running full node, CPU mining). While I see plenty of real issues with the Resistance project (in fact, making it mostly a failure), this one "issue" is an almost total non-issue (even in my opinion, as someone who's really unhappy about how the project went). The only real aspects here are user confusion and inability to check for real malware because of the false positive (such ability which would be desirable e.g. in case the download gets compromised by a third-party), as seen in your comments here. If you or others have suggestions on how to minimize such confusion, please share. Thanks. Two ideas are:
Given the questionable tradeoffs with these ideas above, I doubt anyone will work to implement either of them. But if there's some better (non-tradeoff) idea that you or someone else has on this, it might be different. |
I am actually with solardiz on this - the desktop software openly includes a CPU miner and the signature of that is what the software scanners are picking up. This might be through particular byte codes in the binary, in memory or by behavior of the miner. It is possible, though far from trivial, to mitigate this detection (certainly against all virus/malware scanners) and I believe the team chose to be open in recognition of this downside. It was considered a waste of what might be considerable effort to remove the need for a significant proportion of the scanners out there. Unfortunately this does lead to "false positives" (they are not really false - they are positives) but they have been open so I don't believe it is some intention to infect your PC. It didn't help the reputation of the already fragile installation experience though. |
The detection is common because of the historical inclusion of Monero (and similar) mining software in web pages, "free" software etc., which was used to build networks of thousands of machines mining for their masters. It's an awkward problem when you are trying to openly mine with the user's permission. |
I agree with you Ian (Sorry) but that puts ignorant people off and raises complaints and makes the program look dodgy. So, we need to resolve it as an option just for desktop miners. The rest do not have to do it but a clean installation. |
The intention was, I am sure, to strengthen network security and thus include a miner on every installation. If you release a wallet version without the miner you will lose that network security and be more open to a speculative attack. Ideally obfuscating the miner to reduce the number of (false) positives is appealing but I do believe it will be non-trivial to hide it from all scanners. Most wallets do not include a desktop miner. |
What needs to be done is to install without a miner and, only for people that want the desktop miner, give them the option to install the desktop miner after having resistance installed, warning them that the miner is considered malware by most modern antivirus, whilst it is not. |
The KYC thing had me on edge, because why would I need to worry about KYC with a desktop wallet? |
I do have a standalone wallet but gave up on the project when they clearly
exit scammed
…On Thu, Nov 18, 2021 at 1:08 AM SickProdigy ***@***.***> wrote:
the kyc thing had me on edge, because why would i need to worry about kyc
with a desktop wallet?
And the miner included is more standoffish for me. Please let me know if
you do a standalone wallet without all the extras and installation.
|
@ian-p-johnson You know, this still hurts a lot and I'm sure no one on the team intended for the project to fail (which your harsh words seem to imply)... but I also gave up. @SickProdigy Not a valid excuse (nor do I want to provide one), but to answer your question to at least some extent: The full source code needed to build a standalone wallet without DEX (as DEX+KYC doesn't fly) is (finally) in other public repos under the ResistancePlatform org. If anyone capable still has any interest in the core tech (a clean Zcash fork with CPU-focused PoW, a miner for that, and an optional GUI wallet around these), they can rebuild the wallet package with only the desired components included (can drop the miner, too). They can continue with the existing blockchain or choose to fork or restart the blockchain. Whether there's any point in any of that is doubtful, but at least the options are there. As I had worked on the core and miner, I had more of a say on getting the source code for those released right upon launch - which the project did. I didn't work on the GUI wallet nor packaging, so had little say there, and this part of the source code was only made public when the project became pretty much irrelevant, unfortunately - but in the end it's public and is technically reusable. The GUI wallet can be fairly easily adapted to work with Zcash proper and with other Zcash forks, so maybe it should become a separate project supporting Zcash and all of its forks. That would be a reasonable reuse. Other than potential (unlikely?) reuses, I doubt there's any future here. |
With respect (and I do mean that @solardiz) the project was a DEX, not just
a coin, miner & wallet. The core, cli wallet & miner were not what let the
project down. The DEX was a shoddy clone of an existing DEX with an
incomplete and non-functional GUI. I don't know if the exit scam was
originally intended but the funding did not go into the project, so it was
effectively abandoned with an attempt to blame others.
This, I know, was not your responsibility, but the outcome was the same.
|
Fair enough. First time I've heard of it. But found it on a pretty big mining site. I figure I'd comment since no one has in a while. Glad to see the GitHub community active honestly. I like the project name and the idea of the program. But some features are unnecessary for the majority of users. An AIO solution is what it seems they tried to achieve. And BTC was an AIO solution in the past almost. But I've never heard of Bitcoin shipping with a miner. I've done the whole node setup shebang and have never installed a miner along with. The DEX thing has me more curious though. Then centralize it with KYC. I'd be more interested in seeing someone else take hold of the project for sure. It's clearly never gonna fully die. |
Nobody will pick it up, *without restarting the chain* as the lion's share
of the original minted tokens are in the hands of the project "executive"
and quite frankly they cannot be trusted not to dump as soon as they can
The most difficult bit of the project was not complete. There is no working
DEX, no plan for liquidity, no marketing, no further development, no
funding, staking was constantly failing and was abandoned, no community
It's dead Jim !
There is almost as much to do as has been done already
POR was interesting (Proof of Research) - that was well done
|
@SickProdigy Not to argue, but FWIW both Bitcoin and Zcash (and many others) had built-in miners in their full nodes. Inefficient and little-known, except in the early days of those coins. Resistance Core has that too (inherited from Zcash and updated for the change of PoW), although this issue is about a standalone miner bundled in the wallet package (so technically there are two miners here).
Maybe @whiteknightrader could? He wasn't on the original team, but he contributed some final minor updates of the GUI wallet.
I doubt anyone would bother and I don't really recommend it, but technically a middle ground is possible - a "community Resistance" hard-fork where addresses with a balance of, say, 1M+ RES (or any other threshold chosen by whoever does this) at the time of fork would become unspendable (reducing the total supply accordingly). At the very least this can be done for the 25M+ RES balance of the already assumed-burned coins that people exchanged for RESDX (a token on Binance chain) - locking those up technically wouldn't even be a fork, but would be reinforced main Resistance chain. I doubt any of that would be sufficient for a successful project and it's not a trivial change to implement (would require expertise), but technically it's possible. |
There is also no benefit in fixing the DEX without access to the DEX server
process - I just looked and all I can find is the RESDEX GUI - and not the
server process.
This was forked from Komodo so it could possibly be replicated - at the
time I was pushing heavily for access to the API - which is now implicitly
visible in the GUI.
It looks like all that was opened up was that required to tick a box to
mitigate exit scam accusations - a common procedure throughout the latter
stages of the project.
When I make exit scam accusations, I have no evidence that the dev team
were directly responsible (though they were debatably complicit) but it is
directly targeted at the executive for sure - it may have been that some
of the dev team were themselves burned - but we will never know.
So as a clean forked ZEC + Miner + POR it is solid (also no source of the
POR web/server side so that is a non-starter).
As a DEX it sucks, is incomplete and without chain restart/fork is a
non-starter.
Forking the chain is problematic as it's only really possible to go back to
that summer after investors got their distributions, but by then the
project reserve was fragmenting heavily making it practically impossible to
track what was reserve, what was mined, what was investors' distributions,
what was siphoned (without some heavy analysis of the chain - I was
watching it, believe me), so it is not a simple fork.
If there was a ledger of original investors' contributions + a tracing of
mining/POR revenue it would be possible to make a clean start + drop of
freshly mined coins to those categories - but a chain fork would not be
useful as it would include too much dodgy stuff.
|
A lock up of the current coins, basically burning them, could be rather effective. Or have a trade to the new chain lock up those coins and airdrop new coins. The DEX side of things is interesting and did get me thinking last night, a DEX that is truly decentralized with no IDs mandatory would be nice. Maybe just can't go to USD or other fiat to accomplish this legally. But if it's all run by the system and fees go to miners it would be a rather more interesting approach. Restarting the chain in its current state would clearly be a setup for disaster, we know. But if someone was trying to move this project forward, how much is really left to salvage before starting anew? |
It is interesting because it is not ERC-20 based - it would offer an Atomic
swap for multiple chains supporting HTLC. Am pretty sure the Komodo
implementation is order book based, not AMM - so that complicates liquidity
provision as you need a "market maker" relationship. It could,
theoretically, offer "secret" swaps (swapping through the chain, but that
would paint a bullseye on the project). Am not sure on whether the chain is
scalable enough though.
Apart from the AMM (Uniswap, Sushiswap, Pancake swap and all the clones and
alternate L1 chain implementations) the hot area looks to be L2 based DEX
implementations - some offering leverage. Look at DyDx, Loopring - no need
for KYC - fast swaps, some have leveraged perpetuals - shame DyDx exploded
so much they have technical problems keeping up with the load when it gets
busy, but that's a scaling problem rather than a conceptual problem.
POR is missing, the GUI is flaky - and you need a lot more to start a DEX
than working software - you need funding - and even a "fair start" project
would struggle to compete.
There is also not enough time left in this cycle to do something before
this one ends.
Too much work to do for "love" - I seriously considered it once but decided
against it.
The nearest similar DEX I can think of is Thorchain - I think that has the
ground well covered.
|
The download of the installation software contains malware: win32:MinerD-A
Not very nice of you a..holes to infect other computers with malware. Your project looks good on paper but trying to clandestinely install malware on people's computers is mean. What were you thinking? That everybody is stupid enough to not realize it?