
Back around the turn of the millennium, there was a company called AllAdvantage. They paid you to install spyware/ad injection software and watch you browse, and sold the ad space and analytics to corporations. They'd pay you for... I think it was 48 hours of ad-injected spied browsing per month, and then stop paying you (but keep injecting ads and spying on you). There was also a pyramid aspect where you'd get something like 10% of all of the amount earned by your direct referrals, with no monthly cap. Also, 48 hours of browsing wasn't enough to hit their minimum threshold for AllAdvantage to mail you a cheque.

Edit: maybe there wasn't actually spyware and it just injected extra banner ads in your browsing. I never looked into installing it myself.

A /16 subnet was routed to our fraternity house, licensed to house up to 22 people. 65,536 (minus broadcast, gateway, and network address) IPv4 addresses for 22 people. My roommate bought 1 GB of RAM (about $4k at the time) and a VMWare student license for his Linux desktop. He cut down Win95 to be able to run in 32 MB of RAM (including his COM scripting bot, Internet Explorer, and the AllAdvantage spyware). I seem to remember him configuring the VMs to run 16-bit color to save memory footprint. He scripted the Win95 boot process to read a CSV file off of NFS, remove the top line, and write the file back. The CSV file contained fake name, fake address, etc. The VM would register itself with AllAdvantage, with my roommate as the referrer, and then randomly click on links in Internet Explorer until hitting the payout limit, and then shut down the VM. A Perl script (remember the late 90s?) on the Linux host would re-launch a clean VM every time an old VM shut down, and keep the CSV populated with fake account details.

30 VMs were browsing 24x7 for AllAdvantage. My roommate set up a caching proxy on his Linux box, so he didn't hose the house's T1 connection. 10% of the payout (the referral fees) over something like 4-5 months paid for the whole desktop. AllAdvantage never got returned cheques from the fake addresses because they never paid out. I think he ran his system for over a year before AllAdvantage went out of business, for a total of something like $12k in profit.

He ran his own DNS server that hopped randomly all over the /16 to reduce the probability of detection. He's pretty convinced AllAdvantage's fraud people noticed him as an extreme outlier. He suspects they ignored him because the data he was generating for them cost 1/11th as much as most of the other data they were selling to customers.

Edit: a quick search shows the AllAdvantage rate was maybe $0.40/hr. 10% of this was $0.04 x 30 VMs = $1.20/hr 24x7. 8766 hours/year works out to about $10,000 per year. $12k in profit, $4k in RAM, and $1k for the rest of the machine works out to a bit under 2 years of running the system, if the rest of my memory is roughly accurate.

A few years later, our school kept the /16 allocated to us, but only routed the first /24 to the house. I'm sure my roommate wasn't the only one to get up to shenanigans with so many IP addresses.

Edit: He also found some online casinos that didn't explicitly forbid bots and he set up some poker bots that would keep track of their winning percentages against all other players. He set up some monitoring/control software for his feature phone (or was it a PDA?) so he could watch his losses from class and shut it down if necessary.

He kept records of every card seen in every game his bots played. I asked on at least 3 occasions for access to that data, to check for (1) naive shuffling (2) using a linear congruential generator instead of cryptographic quality random numbers and (3) seeding with time instead of a true random seed. He told me at least 3 times that he would give me FTP access to card histories, but never did. A couple years later, a paper came out detailing a code review of the most common online poker software finding (1) naive shuffling (2) using a linear congruential generator (3) seeded using only the time the game started and (4) containing an off-by-one error in the naive shuffle. The off-by-one error might have prevented me from figuring it all out from the poker bot histories, but there's some alternate history where we made millions in online poker, fully within the published rules of the sites. (Unfortunately, the millions would have come entirely from other players, the online casinos not bearing any of the costs of the shoddy coding.)

He mused several times that it would be fun to create a cardboard box with one of those see-through windows for a shipping label... and two subtle slits allowing a continuous roll of various shipping addresses and an advancement mechanism to be hidden within the package. He'd use a battery and/or inertial energy harvesting weight to power a device to change the shipping address every 4 hours. He wanted to send such a package with tracking information and watch it ping-pong around the country until someone realized something was fishy with the package.

He eventually dropped out of school and was living off of his poker bots until (without health insurance) his appendix burst and he was forced to get a day job to pay off his medical debt.

I hope he gets elected to Congress someday (though he's not very political) just to make a great epilogue to a biographical film.




It's too late to edit, but I swear I know the difference between ad and add.

On a side note, I thought a naive shuffle with a well-seeded cryptographic-quality pseudorandom number generator was the most likely finding from his poker bot history archive. I thought the linear congruential generator and seeding with the current time were long shots. I was just hoping that the skewed distribution gave a measurable edge over bots and players that were playing under the assumption of a uniform distribution of cards.

Had I thought there was a reasonable probability of a popular poker site using a LCRNG seeded with the current time, I would have been much more persistent in my requests for the history data.
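
Why a naive shuffle is skewed even with a perfect random source, as an added example that is not part of the thread or of any poker site's code. It assumes "naive shuffle" means swapping each position with an index drawn from the whole deck, enumerates every possible draw sequence for small decks next to Fisher-Yates, and ends with an unbiased shuffle driven by the OS CSPRNG (no time-based seed).

```python
from collections import Counter
from itertools import product
import secrets

def _apply(n, choices):
    # Replay one sequence of swap targets against an ordered deck.
    deck = list(range(n))
    for i, j in enumerate(choices):
        deck[i], deck[j] = deck[j], deck[i]
    return tuple(deck)

def naive_outcomes(n):
    """Naive shuffle (assumed form): position i swaps with any j in 0..n-1.
    There are n**n equally likely draw sequences, but only n! orderings."""
    return Counter(_apply(n, c) for c in product(range(n), repeat=n))

def fisher_yates_outcomes(n):
    """Fisher-Yates: position i swaps with j in i..n-1, giving exactly n!
    draw sequences, one per ordering."""
    ranges = [range(i, n) for i in range(n)]
    return Counter(_apply(n, c) for c in product(*ranges))

def bias_ratio(counts):
    # How much more likely the most common ordering is than the rarest.
    return max(counts.values()) / min(counts.values())

def secure_shuffle(cards):
    """Unbiased shuffle: Fisher-Yates with indices from the OS CSPRNG,
    so there is no seed (such as a start time) for an observer to guess."""
    deck = list(cards)
    for i in range(len(deck) - 1, 0, -1):
        j = secrets.randbelow(i + 1)  # uniform in 0..i, no modulo bias
        deck[i], deck[j] = deck[j], deck[i]
    return deck

if __name__ == "__main__":
    for n in (3, 4, 5):
        naive, fy = naive_outcomes(n), fisher_yates_outcomes(n)
        print(f"n={n}: naive ratio {bias_ratio(naive):.2f}, "
              f"Fisher-Yates ratio {bias_ratio(fy):.2f}")
    print("sample hand:", secure_shuffle(range(52))[:5])
```

The skew follows from counting alone: n**n draw sequences cannot divide evenly among n! orderings for any deck larger than two cards.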


(I fixed those two typos for you)


You had me at alladvantage

That and netzero. The wild west of the internet.

The only thing missing from your story was Napster


Was this at MIT?


Yes. Did you happen to work with the AllAdvantage anti-fraud team, or know someone in Course 2 at MIT who dropped out of school writing poker bots and AllAdvantage bots?


MIT is (was?) one of the few schools with enough address space to hand out /16's like that.


The frat house getting a /16 and then the ensuing hijinks narrowed down the choices. I would have had MIT at the top of my guesses too.


No, but everything about that story sounded like MIT around the time I was there! Thanks for sharing, took me back.



