16 comments

[ 3.2 ms ] story [ 54.0 ms ] thread
Wouldn't it be cheaper to just buy Ether\Ethereum\Gas (whatever the correct name for the currency is)?
Is this profitable?
If it was I can promise you amazon would be out of gpu instances.
The readme shows roughly 4.5 Mh/s which might get you maybe $10/month if you're lucky.

A g2.2xlarge will cost you $0.65/hour.

So, no, it's not anywhere remotely close to profitable -- unless you've stolen some AWS credentials or (like what's apparently happening here) you get others to mine for you and eat the AWS costs.

(comment deleted)
Yes but likely only for the guy who has the private key hard coded in the config.
Or, in other words: "Just spin up this infrastructure -- which includes pre-generated SSH keys, an sshd that's apparently accessible from anywhere in the world, and a pre-compiled miner that you can't audit -- to mine some cryptocurrency -- for me -- at a huge loss".

Yeah, I think I'll pass.

----

ETA: The readme says to pass in "wallet_address" but I don't see that referenced anywhere in main.tf, although I do see this: https://github.com/17twenty/ethereum-miner-terraform/blob/ma....

I've never used Terraform, though, so maybe I'm wrong, but it looks like you can pass a wallet address in, it just won't be used. If that's the case, I don't see how this is anything but a "scam". Someone who knows Terraform please look into this and tell me I'm wrong.

One last thing: the readme says it uses the "Deep Learning AMI for Ubuntu 1604" [0], but the AMI ID in main.tf ("ami-37bb714d") doesn't match any of the IDs shown in the screenshot on that page (but perhaps they were updated or something?). I don't know if that's something to worry about or not but, at this point, there's no way I would trust this AT ALL. Also, "ami-cd0f5cb6" is referenced in a comment in main.tf but there's no indication what that refers to (I don't use EC2 so I'm not sure if it's possible to find out or not).

[0]: https://aws.amazon.com/about-aws/whats-new/2017/07/aws-deep-...

When you pass in a variable into terraform it becomes an environment variable, presumably used by the precompiled code
it will make more sense with something like

  data "template_file" "eth_service" {
    	filename = "./files/eth.service"
  	vars {
  		wallet_address = 
  "${var.wallet_address}"
  	}
  
  }

with

ExecStart=/tmp/ethminer -G -F eth-us.dwarfpool.com:80/${wallet_address}

Ok.

In this case, though, the included systemd unit launches "ethminer" with a hard-coded wallet address passed in.

Deep Learning AMI CUDA 8 Ubuntu Version - ami-37bb714d (us-east-1)

was reading about terraform, OP is starting a daemon with that wallet address.

> Deep Learning AMI CUDA 8 Ubuntu Version - ami-37bb714d (us-east-1)

Thanks. I wouldn't have been surprised if OP had used the "official" AMI as a base and then "extended" it with some malware or something. Good to know it's (apparently?) the official Amazon AMI, at least.

How I'm understanding this is (as you also pointed out):

The wallet address you pass in, as well as the default, is never read anywhere.

It starts a service that joins a mining pool on the OP's behalf rewarding the hardcoded address: 0x7ea397225ebd5c56afc26cb3bfa4fe994a60f106

Etherscan shows that the address hasn't had any activity on it yet so it likely has never reached a pool minimum for payout: https://etherscan.io/address/0x7ea397225ebd5c56afc26cb3bfa4f...

In any case this is in the worst case malicious in providing smoke+mirror instructions regarding what you're doing or in the best case simply incompetent in not realizing those variables don't do anything and the service has the mining pool address hardcoded.

> ... or in the best case simply incompetent in not realizing ...

From looking at the rest of the project and the author/OP's GitHub and company web pages, I don't think it's incompetency at all.

I mean, it could be, but... he got everything working right EXCEPT that hard-coded wallet address?

That's a helluva coincidence. Others can feel free to believe it was just an "oops!". As for myself, well, I'm not buying it.

Is it just me or the ssh private key present in the repo? (no way to know the server IP though)