Who’s using your computing power?
A story about PC-based malware, hijacking your computer to mine crypto-currencies for other people, gave me pause for thought today.
Back in the late ’90s I was working with a company on Unix equipment, and I was surprised to find processes running that I hadn’t expected. A little digging and this turned out to be clients for the popular distributed computing experiment SETI@home. This was (is) an attempt to use the power of thousands of home computers to process vast amounts of information from radio telescopes, in the hope of finding candidate signals from intelligent life on other planets.
When I asked the infrastructure manager about this, he said he’d installed it to run when the computing power was idle, so it would generally run overnight and he thought it was a good use of the company’s IT power. At the time, I considered it relatively benign – we hadn’t really learned about multiple vectors of attack from the Internet, and the connectivity was pretty basic back then.
For him, part of the attraction was to get his name up the charts of contributors of computing power to this service – seen as an altruistic effort in the public good.
Fast forward to 2017, and the world is very different. A lot of organisations still host their own server infrastructure. That is shrinking as the big players in the cloud computing world make their offers more compelling, both through the capability and price points of services such as Azure and AWS and, in Microsoft’s case, through increased licensing costs for on-premise tools.
The rewards for using computing power for distributed computing have also changed a lot. Bitcoin uses a lot of computing power to manage the highly encrypted transactions. So it uses the same distributed technology and rewards ‘miners’ for processing these exchanges.
Bitcoin miners can ‘win’ these valuable virtual tokens through the effort they put into the blockchain process – Bitcoin runs a lottery, and the chances of winning bitcoins depend on the number of virtual tickets you have gained through the mining activity.
Exploiting corporate networks and infrastructure to do this work for personal gain has become a way for nefarious individuals to line their own pockets, either from within the organisation or by breaking in from outside.
This can be a problem for you – if you have your own servers, they can be using far more power than they need to and possibly reducing the performance of your critical systems. If you are hosting at a third party, they often charge by unit of power and it’s going to cost you that way. If you’re using cloud services you can be charged for processing cycles, bandwidth, etc.
This can be a hidden cost in many businesses. And if the activity is being carried out by people in your own teams, you might never really know, short of calling in third-party auditors to check the power usage and network traffic. As the value of these crypto-currencies increases, so does the temptation.
My recommendation would be to ensure that you have good third-party organisations that can check your infrastructure and keep your tin working on your problems, and not those from the outside world.