
I am a Serial Cryptominer: An Open Letter to Software Developers


In an open letter from a serial cryptominer, this post dives into the security threats between software developers and open source components.


Dear Developer,

The dictionary defines gluttony (Latin gula, derived from the Latin gluttire, meaning "to gulp down or swallow") as the over-indulgence and over-consumption of food, drink, and other valuable items. In Christianity, it is considered one of the seven deadly sins if the excessive desire for food causes it to be withheld from the needy.

As speed to market beckoned, I was there for you. You needed to develop faster, so I released my code as open source for you to drink. You needed to deploy without hesitation, so I released my applications so that you could easily consume and binge on containers. I have continuously quenched your quest for velocity. Like 1989's Young MC, in his breakout hit, Bust a Move, I've been chanting, "you want it, I got it."

The path to today has been so good and easy — you are now addicted to me. You consume at will. The taste is so sweet. You only crave more. When something as good as open source-based development and containerization comes along, it’s hard not to overindulge. I mean, just think about it — why would anyone ever want to write anything from scratch when you’re free to borrow pre-assembled component parts and containers from a community of respected developers?

My open source components are now being consumed in the billions. Your gluttony measures in at 87 billion download requests for Java components last year. Your gluttony weighs in at more than 250 billion JavaScript downloads. Your gluttony is exposed in more than 12 billion Docker container pulls. Your thirst is unbridled. Efficiency is off the charts. You love it. I love it.

Some would argue that you are over-indulging, but I say they just don't know you like I do. They don't recognize your need to build, to deploy, to grow. Believe me, I understand. At this scale and efficiency, we're never going back. But, just as I serve you so freely, I too need something. And, it (kind of) won't cost you a dime. I just need a little portion of your CPU. So little in fact, you won't even notice that I am here.

For example, in May 2017, I started with a new Docker Hub account. I simply added a couple of popular application images up there to make it easier for you to deploy them. As of today, I've served 5 million requests. I have helped some people, and they have helped me. With a little help from my friends, this one adventure has netted my cryptocurrency mining business USD $90,000 as I exploited known deserialization vulnerabilities in applications like Jenkins. Even though "the man" has since removed my images from Docker Hub, preventing others from joining us, I appreciate the working relationship that you and I have built. We'll continue to prosper together (even if you've removed those images from your prod environment).


As cravings continued, I helped a little more. A few more folks noticed me back in December 2017 when I was borrowing your CPU for mining cryptocurrency, using your vulnerable instances of the Struts web application framework. Yes. The same one implicated in the Equifax heist (but that wasn't me — I promise). They called me a "Zealot" then, and our open source-vulnerability-entwined journey netted me about USD $10,000.

I am so thankful to those organizations out there who continue to deploy vulnerable Struts instances in their public domains. Last month, Fortune magazine featured thousands of you who still rely on those versions. Sonatype highlighted the scale of my market opportunity earlier this Spring, as it counted over 80,000 vulnerable Struts downloads every month over the past year. Thanks to your efforts, I can quickly deploy my mining operations across thousands of web applications.


Another time you may have noticed me was back in February 2018. Around that time, I borrowed the credentials of an npm core contributor to help me get in touch with more of you. I offered 11,000 of you free JavaScript packages with my Monero cryptominer tagging along, until "the man" shut me down after 36 hours. I won't say how much I have profited since then, but I'll say that we make a good team.

That partnership worked so well that later that month, I exploited a vulnerability in Jenkins, a popular open source CI tool, to make $3 million by mining Monero. You made your vulnerable Jenkins X instances so easy to find using Shodan that I could hardly resist. As they say, "teamwork makes the dream work."

Simon Mainwaring once quipped: "Gluttony might be innocuous — were it not for the fact that gluttons tend to disregard whether their self-serving behaviors harm anyone else. We don't need to look far and wide to find examples of gluttonous behavior, as they are numerous throughout the history of capitalism."

To that end, eat, drink, and be merry. We all need to make a living. Right?

Yours truly,

Hack Overflow


Published at DZone with permission of
