by jbaczuk 968 days ago
lol

> In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts.

Earlier in the article it said

> Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted ‘on-chain’ without the ability for a takedown... “So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces,” Tal said.

Make up your mind...

It's not robust since you have to use an API (i.e., the Binance API) to access the blockchain from a compromised website, so Binance can effectively "take it down" by blocking access via the API.

Now if they made the compromised website talk directly to the node on the blockchain network that would be different. Except, why not just host the malware on the website in the first place...


Anybody can spin up a mirror node, even on the mostly centralized BSC. This is just a misunderstanding.

Every public blockchain works this way afaik. I've even made a site for hosting webpages on Optimism: https://newgeocities.com

The real discussion imo is that blockchain node operators should be pressured to respond to concerns about unwanted content. There's no reason they can't coordinate on filters in the same way Ethereum validators use Flashbots to ignore Tornado Cash transactions. Although I hope they can find a better solution than blocking entire contracts because it's really nice to write a simple contract for data storage. Remember: a contract is a protocol, not a program. The validators follow the instructions but it's more like a database schema to which people submit conforming messages. As the contract creator, you're just publishing your code on chain. Each user takes responsibility for their own data.

Seems like "blockchain" has nothing to do with it... they could just host the file on a server they do control. "Blockchains" aren't magic.
Blockchains - that is, the communities that use them - are at least theoretically committed to immutable permanent records of everything that happened. By design, if you tried to "retroactively" edit the contents of the blockchain, you would break the whole thing. So if the blockchain hosters stick to their avowed principles and system design, they can't remove your exploit code without taking down their whole system.

Of course in reality most blockchain folk are grifters who will happily compromise their principles as soon as you credibly threaten their pocketbook - see the Ethereum DAO for the clearest example. Still, it's funny to force them to admit it.

In fact the blockchain cannot be broken because it is a chain. Compare it to git commits. If you hacked away one commit in the middle, the whole system would change. The other commits are comparable to any other transaction (ledger) that happened anywhere. As far as I understood, 'in blockchain' == 'carved in stone'.
If people actually follow the rules they claim they do then yes. In practice once you ask them to put their money where their mouth is people make an exception. Again see the Ethereum DAO incident.
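The git-commit comparison above is the hash-chain property: every block commits to the hash of its predecessor, so changing one block's contents invalidates the link to every block after it. The following toy chain is an added illustration written for this page, not code from any commenter or from BSC; it uses only SHA-256 links (no proof-of-work, no consensus) to show that an in-place edit is detectable by anyone verifying the chain, and that a "clean" edit requires rewriting all later blocks, which any honest mirror copy immediately notices as divergence.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS_PREV = "0" * 64  # constructed sentinel for "no previous block"


@dataclass
class Block:
    index: int
    prev_hash: str
    data: str
    hash: str = ""


def block_hash(index: int, prev_hash: str, data: str) -> str:
    """Hash of the block header; prev_hash is part of the input, which is the chain link."""
    payload = json.dumps({"index": index, "prev_hash": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_block(chain: List[Block], data: str) -> Block:
    prev_hash = chain[-1].hash if chain else GENESIS_PREV
    block = Block(len(chain), prev_hash, data)
    block.hash = block_hash(block.index, block.prev_hash, block.data)
    chain.append(block)
    return block


def first_broken_link(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose hash or back-link fails to verify, or None if intact."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1].hash if i else GENESIS_PREV
        if block.prev_hash != expected_prev:
            return i
        if block.hash != block_hash(block.index, block.prev_hash, block.data):
            return i
    return None


def build_sample_chain() -> List[Block]:
    """Constructed sample data: four blocks, the third 'hosting' some contract payload."""
    chain: List[Block] = []
    for data in ["genesis", "tx: alice->bob 5", "contract: stores payload", "tx: bob->carol 2"]:
        append_block(chain, data)
    return chain


def tamper_in_place(chain: List[Block], index: int, new_data: str) -> Optional[int]:
    """Naive 'takedown': edit one block's data and nothing else. Returns where verification fails."""
    chain[index].data = new_data
    return first_broken_link(chain)


def rewrite_from(chain: List[Block], index: int, new_data: str) -> List[Block]:
    """Edit a block and re-hash every later block so the chain verifies again (a fork)."""
    chain[index].data = new_data
    for i in range(index, len(chain)):
        chain[i].prev_hash = chain[i - 1].hash if i else GENESIS_PREV
        chain[i].hash = block_hash(chain[i].index, chain[i].prev_hash, chain[i].data)
    return chain


def chains_diverge_at(a: List[Block], b: List[Block]) -> Optional[int]:
    """What a mirror node does: compare its copy to another and report the first differing block."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x.hash != y.hash:
            return i
    return None


if __name__ == "__main__":
    honest = build_sample_chain()
    print("honest chain intact:", first_broken_link(honest) is None)

    edited = build_sample_chain()
    print("in-place edit detected at block:", tamper_in_place(edited, 2, "contract: removed"))

    forked = rewrite_from(build_sample_chain(), 2, "contract: removed")
    print("rewritten fork verifies on its own:", first_broken_link(forked) is None)
    print("but mirrors see divergence at block:", chains_diverge_at(honest, forked))
```

The point for the takedown discussion: an operator can only make the edit "stick" by getting every copy of the chain to adopt the rewritten fork from that block onward, which is exactly the coordination the thread's Ethereum DAO reference is about. Blocking an HTTP gateway, by contrast, leaves every block hash unchanged and every mirror copy intact.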
It's not magic but it is a radically different pricing model: pay once, host forever.

I see it as a massive bet on storage prices continuing to decrease.

I think nocoiners completely miss this aspect, the media too

Many devs will always post their applications on blockchains, and simply do system design conducive to that environment, because web 2.0 cloud models do not compete in pricing, especially if you have a burst of activity.

Many devs bring their whole audience over, and the audience is willing to pay to update the state of the application with no overhead cost to the dev, which is also impossible to implement in web 2.0 cloud offerings, aside from just searching and hoping for free tiers.

Who cares if none of those applications match your use case? Just call it the entertainment sector then and you still have value and utility to someone; that self-perpetuates.

If it becomes a problem consensus can evolve to trim inactive data (say expiring unspent outputs after N blocks in UTXO chains, "move it or lose it" model) or explicit charging for storage per unit of size and time (decay some associated balance accordingly).
Or pay never and host it on the infected website.
Running a BNB Smart Chain full node requires 16 TB fast NVMe disk. "Anybody" cannot do it.
Again, that's for a validator node. If you're running a mirror that's not taking part in making new blocks, you don't need the speed, just enough space. It may not be always synced to the latest block but it should work.

I believe there are other requirements for BSC validators too, like staking a bunch of BNB.

The code is still on the BSC blockchain and any node will still return the information at those addresses.

Even Binance-operated nodes.

The only thing Binance did was the exact same thing that Cloudflare did, both on their HTTP routes. Binance just had one for convenience and to attract use of their blockchain, which … worked?

It's actually lazy and amateurish that the hackers are using HTTP to access this code on the blockchain; they don't have to.