Kent K January 7, 2022 7:48 AM

Would have liked to be a fly on the wall at the meeting where this was decided. There must have been at least one person in the room saying “oh hell no” and getting shouted down by the others. I’ll buy the “naysayer” a round if I ever meet them…

ATN January 7, 2022 8:02 AM

Short comment:
Norton’s Antivirus: Virus detected [Another Ethereum Miner has been detected on this machine], fixed!
Norton’s Antivirus: Virus detected [Wrong currency Miner has been detected on this machine], fixed!

James M January 7, 2022 9:40 AM

I feel like calling this Opt-In is only half right. A true Opt-In feature would not be installed at all unless it was asked for. This is muddied a little when the feature is baked into a larger program, but in this case it’s standalone and does not need to be installed at all before the user has opted in. It’s also doing hardware profiling for marketing, I’d bet there is a clause burred in the EULA about this, but it really moves it out of Opt-In territory for me.

The fact that it’s installed without consent means that Norton has the option in the future to move from a Opt-In stance to an Opt-Out stance without notifying users, or even requiring any visible change to the user. It’s already there, the next time it automatically contacts Norton for virus definition updates it could get a message to just turn on the miner for all compatible system. I wouldn’t think that Norton would start turning this on by default, but I also would not have thought a few days ago that an AV product would stealth install a crypto-miner.

All considered I feel the Opt-In statement is a very disingenuous.

Clive Robinson January 7, 2022 9:53 AM

@ ALL Folks,

Sorry I would have said this earlier, but on reading the Krebs article I got to,

“… the FAQ reads. “The key to the wallet is encrypted and stored securely in the cloud. Only you have access to the wallet.””

And found myself rolling around on the floor making strange noises wirh tears of mirth flowing out of my eyes…

What was it the FBI did with a “Cold cloud wallet” just the other day, wasen’t to fish out a few thousand bit coins worth a hundrred million or so.

Also “Ethereum” the crypto-flip of exchange con artists…

The odds that your computer will make “a coin” is a near fractional of nothing. If some elf choses to bless you with a little tinkle, and you want to cash out… You will find like those who tried to buy a copy of the constitution, the transaction fees will be as large if not larger than the value of that fraction.

Also who would realy trust Norton, to make your online wallet? They in effect will control or have access to it untill you do the “Dog-n-Pony show” thing to esure that wallet is actually 100% under your control (if you even can).

I can see a time when Norton will decide if you’ve not done the back flip tripple somersault and splits landing, you don’t want your share and just take it away… And you may be down $1000 of expensive electricity (Hey any one out there actually payed off their six day Texas Special?).

The words “utter madness” does not cover this…

Mind you one thought does occure to me. If you don’t take 100% control of the wallet some one at Norton could use your computer to access the wallet to launder money through… Now it could be fun NOT trying to talk your way out of that…

Clive Robinson January 7, 2022 9:58 AM

@ Bruce,

You and I are old enough to know where the expression,

“Follow the money”

First entered popular culture.

With the likes of crypto-coins that can be done but only to a limited extent.

Perhaps it’s time we had,

“Follow the root of trust”

Replace it, just saying 😉

Curious January 7, 2022 12:16 PM

Isn’t this a bit like stealing electricity from others?
Or, is the processing power required an unsignificatn amount, not sending your cpu cores to 100% load?

Ted January 7, 2022 12:52 PM


Isn’t this a bit like stealing electricity from others?

If you mean that Norton possibly makes more money on AV crypto mining than its users, you could have a point.

The Verge ran a test and said they came out even on the cost of electricity v. the value of Ethereum generated.

However they said that “Norton took all the profit.” I guess this means that Norton still got 15% of what went into the wallet?

The Verge also says most pool operators usually only take a 1 or 2 percent fee. So I’m not sure who is feeling good about this.

JonKnowsNothing January 7, 2022 2:09 PM

@Curious, @Ted, @All

re: Isn’t this a bit like stealing electricity from others?

Short Answer: YES

fwiw: In cold California, the California Public Utilities Commission has granted a new tiered pricing system for PG&E which provides electricity to most of the state north of Los Angeles (San Francisco, Silicon Valley, Sacramento …)

This new tiered system is divided into 3 levels but really offers only 2.

Level 1: The current method. Tiered pricing based on total quantity used.
Level 2: Time of Use A: You pay more for electricity between 4pm-9pm
Level 3: Time of Use B: You pay more for electricity between 5pm-8pm

If you do nothing you get Auto Opt-In to Level 2 or Level 3. If you want to stay on Level 1 you have to call them. (1)

A few things to note about the new system:

  1. The time of peak use is when people are at home and need heat, cooling, lights and use electrical appliances (microwaves, ovens, ranges) and use more electronic stuff (TVs, PCs, charging phones) and of course charging the car.
  2. The car charger may have a timer, but if you need 12 hours of charge (110v) and need to leave for work at 4am (or earlier), delayed charging won’t help and the cost of charging your car will rise significantly.
  3. People who are Stay-At-Home, Sheltering-from-Omicron, or otherwise Not-Out-of-the-House-All-Day get all the maximum bills. Unless they shut off the electricity completely.
  4. The price does not go down. Per the Price-Comparison PG&E provided to me based on my current+historical usage, I will pay @150-$200 MORE per year under the new plans.
  5. One culprit: well known in electrical seepage are the converters you plug in the wall and leave them plugged in (aka trickle chargers, Vampire Boxes). People used to put them on power strips that had an On/Off toggle. There are way too many now to fit on power strips. The advent of recharging Li-ion long term battery powered items (vacuum sticks, power tools, leaf blowers(2)) has increased the number of Vampire Boxes in use.
  6. A partial reason given for the new pricing is to force homeowners, especially those with CA Subsidized Solar Roof Panels (now a mandatory requirement for new housing) to buy into Solar Charge House Battery. These are well known for Off-Grid Homes. The idea being you will spend $$$ to buy a house battery that will kick in, like a generator, when PG&E brown outs or black outs your neighborhood.
  7. Those familiar with Off-Grid Battery Systems will know that they are not going to power the new mega size 3,300sqft $800,000USD housing being constructed. They are also not going to power anything for very long when PG&E power lines get burned down (electrical arcing) or blown down (hurricane speed wind storms). Even underground power lines are no guarantee of continuous electrical service.


  • Bitcoin miners steal electricity.
  • Installing them with Faux Opt-Outs is stealing and deceptive business practices.
  • Installing bitcoin miners using extension cords plugged into your neighbor’s exterior electrical sockets, may be questionable. (3)(4)


1) Call In ends 01/18/2022

Thank you for calling PG&E. Your call is very important to us. All operators are busy with other clients. Please stay on the line and your call will be answered in order received.

Your wait time is: ETERNITY

2) Some cities in CA have now banned gas powered leaf blower. Only electric or battery powered leaf blowers allowed.

3) George Lopez, the American comedian and actor, had a very funny routine about building an extension on to his home. A great review of practical engineering.

4) There have been reports of large scale bitcoin mining operations in “unoccupied” warehouses that pirated the electricity from neighboring businesses.

null clam January 7, 2022 2:31 PM

@ JonKnowsNothing

the new system

Somehow this all reminds me of stories from the Prohibition era …

Anders January 7, 2022 3:02 PM


I imagine how Bill Gates now gathered all the MS top executives
into one room and shout on them for a half an hour “why we didn’t
come to that idea and why we don’t have any similar product”. (1)

And here is nice to remember NC development story.


(1) This happened with Turbo Pascal and Greg Whitten : hxxps://

EvilKiru January 7, 2022 6:15 PM

Friends don’t let friends use Norton software became a common saying among techs after Symantec took Norton over.

EvilKiru January 7, 2022 6:29 PM

@Anders: Bill Gates isn’t even on the Microsoft board anymore. His only involvement is as Technology Advisor and the second largest shareholder (behind Steve Ballmer).

John Watson January 7, 2022 8:50 PM

It is ridiculous that people are complaining about this.

Cryptojacking people’s computers and increasing their power usage for Norton’s profits is by far the least malicious use of system resources any Norton product has made in the 21st century (yes, yes, we all know that back in the day the real Norton company made Norton Commander for OS/2, no, no, it doesn’t count).

SpaceLifeForm January 8, 2022 12:35 AM

John Watson, EvilKiru

Re: Norton

It is ridiculous that people are complaining about this.


The fastest, most productive way that I know of to remove that junk is to install Linux.

null clam January 8, 2022 9:07 AM

Re: patient etherized upon a table

Since apparently Ethereum incorporates a programming language that models a Turing complete machine, it would seem Ethereum scripting is thereby a fertile ground for developing exploits, i.e. “hacking”, and also the implied complexity which is a problem for security. Anything can happen because we built a system that can do anything.

Winter January 8, 2022 9:45 AM

” it would seem Ethereum scripting is thereby a fertile ground for developing exploits,”

On the bright side, there is now a programming task with strong incentives, $Bs, to get it right. Ethereum also has a tradition of funding development. So, maybe, there will finally be attention to computational security.

null clam January 8, 2022 10:14 AM

@ Winter

… programming task with strong incentives …

On both sides of the house 😉 . Perhaps we have just another arena for arms race, and an new “endemic” security risk.

null clam January 8, 2022 5:47 PM

@ Clive Robinson

Re: anything

I may not be understanding correctly, but what I had intended seems to me to agree with the comment you linked.

Ethereum programming is so rich (my understanding of the force of “Turing complete”) that it can express anything any system could compute (modulo sufficient “hardware” resources), so is intrinsically capable of being used for exploits. It is not just that it is so complex that as an inevitable practical matter exploitable bugs will creep in, but more, that it is so capable that it is a good tool for creating exploits, such as you point out in your linked comment namely:

“Look at it this way, if I put malware into a current computer architecture system, that detects you are trying to establish if the malware is there I can via the malware make the computer give the same response as it would if there was no malware there…”

One could at least imagine an exploit that infected enough Ethereum machines that the whole blockchains could be subverted and the consensus trust idea negated.

Maybe there are safeguards against this, I’m just speculating in the void of ignorance.

Clive Robinson January 9, 2022 12:55 AM

@ null clam, ALL,

Maybe there are safeguards against this, I’m just speculating in the void of ignorance.

Ever hear of the expression,

“Wouldn’t touch it with a six foot pole”

Or similar?

It’s one of those rules of thumb that keep you alive and well…

When an animal dies or becomes sufficiently close to death the parasites upon it, know it is going to die. The parasites like the rats on a sinking ship want to “jump ship” for a knew home, which if you are daft enough to get in range will be you…

So history teaches the only safe thing to do is avoid the animal and keep well away from it. But what if it has entered your environment? Then pushing it out with a pole such as a walking staff may be your only safe option.

But what if the beast is to fetid then an ordinary pole may not be long enough to be safe… Then I think you would certainly agree you would not want to get close and inspect it because of the danger it represents.

Hence the gut feeling and cautionary rule.

So is Ethereum a fetid beast, that is too dangerous to get close enough to inspect?

Well, first of I’m biased, my gut tells me it’s not wise or safe to run JavaScript. So it normally gets the six foot pole treatment from me and for good reason. Even the very short history of JavaScript tells us it is “unsafe” and “unwise” to use, but it gets forced upon most people, by those with decidedly unpleasent intent, the least of which is “data rape, pillage and plunder”.

The only reason Javascript exists is a “Long Con”. You get bombarded with alleged “upsides” but few tell you the “downsides” in fact you are ridiculed or called into question if you try. Which actually is a very certain or sure indicator a “Long Con” is present. And where there is one long con there are usually several.

So knowing that about JavaScript why would I want to voluntarily get close to something so potentially toxic it could wipe out the economy of a Nation State and be used as a weapon of war?

My general feelings on Web3.0 are not exactly printable. It is an invention of those trying to create a faux market into which those behind it see a way to get rich beyond current measure. They are going to try to do this by two basic ways as a minimum. Firstly is you need something to sell. Idealy this something that has no intrinsic worth and a number in semimutable electronic memory is almost the perfect ideal product. Secondly you creat a closed market that can only be accessed by intermediaries that charge handeling fees. The likes of the “Block Chain” and similar give both in one package…

History tells us of “black tulip” and other “bubble markets” which expand by rapidly passing on something near worthless for an ever increasing price untill eventually some one gets left holding the losses. You can see how the likes of the block chain would have fitted right in…

But back to the present long con that Ethereum and Web3.0 are currently at, it’s at this point those behind long cons find usefull idiots, turn them into acolytes and send them out to “sell a dream” not the reality of what they are doing. When they have suckered a few in using what is in effect “Pyramid Selling”, they attract what see themselves as “savvy investors” who think they can junp in because they know when to jump out with a huge profit… Well most are not in the slitest bit savvy, but those running the long con turn such investors into “shills” who “bring in more marks” and can be relied upon to scream down any one who says it’s in reality a “long con”. We’ve seen it with JavaScript we see it with block chains and we see it with crypto-coins, Web3.0 is just the next on an apparently endless supply of empty dreams that cost dreamers dearly.

Having had the two basics of long cons identified the only thing a sensible person should need to think about is what other indicators are there tucked in to confirm it as “enemy action”… Well how about looking for ways those operating the long con might stop you nullifying their extraction of value?

This is where history gives you insight. Ask yourself,

“Why do all historical transaction systems that have any stability have a way to reverse any transaction, yet these new systems do not, and who realy benifits by such lack of reversability?”

If a person is still not convinced there is a long con in play with Ethereum and Web3.0 systems they might care to look at what advantages it gives those who “rug pull” or “charge large transaction fees”…

A “contract” if absolutly binding, which is what a lack of reversability gives, is legally a “licence”, something a wise person does not give without extream caution. Thus historically, at the very least, licences came with a time limit or similar control method.

One form of licence that used to be used was those called “Letters of Marque”,

These were in effect licences to commit not just acts of piracy, but acts of war. Whilst they nearly stopped being used by Sovereign States several hundred years ago, they persisted in various ways untill 1910. When they were effectively baned by international treaty.

But before then an expression had passed firmly into the language which was,

“A licence to print money.”

Which kind of says it all in a pithy short form. But did people learn from this?

It’s where the expression “Don’t be silly” naturally arises, of course not, such dangerous licences are in one form or another still in existence.

For examole, have a look at the Lloyds Act passed by the English Parliment in 1982 just fourty years ago, and the subsequent Lloyds LMX spiral created by crooked and deceitful men who had not the morals of an ally cat. There is a very strong “living history” leason to be learned from it,

So Ethereum and similar that are the under pinings of Web3.0 takes us backwards not forwards in time, with a system history tells us is a very bad idea.

So to answer your implicit question of do you or I need to get closer to such a fetid beast?

My answer is “Not if I have any choice in the matter”.

But as I said the idea behind Letters of Marque are very very seductive, as are the ideas of faux financial markets with high transaction fees that gave us the Global Finacial Crisis not just once but twice this century so far, and still exist via “Hedge Funds” and other faux financial instruments.

So highly seductive wild speculation is what some want, as they see the potential for vast personal enrichment. Which unfortunately when coupled with the “lobbying politicians” business, means that with a high probability legislation will get passed…

I can tell people now that,

Web3.0 is an idea that is very deliberately flawed, and you can not fix those flaws and still have Web3.0.

As history shows that those flaws can and have lead to acts of war, global recession, and significant unstopable criminal activity where people get at the least very badly hurt.

Knowing that, do you or I realy need to climb in the belly of the fetid beast, just to get further proof it is a significant hazard to life?

trsm.mckau January 9, 2022 1:52 AM

@Clive your comment (January 9, 2022 12:55 AM) is very rambling, even for you 🙂

But you make some really good points. Especially on the “rug pull” and “large transaction fee” points. Combine that with things like NFT end-user client transactions not being cryptographically tied into the block-chain, giving the intermediaries the ability to bypass the security claims (as discussed in

null clam January 9, 2022 2:05 AM

@ Clive Robinson … all

Re: waking up from the anaesthetic

Thanks for adjusting the focus to what is logically prior and more fundamental, as you typically do. Working out what is the first question, and the order of other questions is a survival skill everyone needs to hone !

glue sniffer January 9, 2022 3:04 AM

I expect nothing less than this type of behavior from a closed source, proprietary application(s).

The very first thing I do when I work on someone’s system is remove Norton and/or McAfee software, which are usually always expired anyway.

For those tired of the bullshit I install Linux and there’s never a problem.

Winter January 9, 2022 9:43 AM

“One could at least imagine an exploit that infected enough Ethereum machines that the whole blockchains could be subverted and the consensus trust idea negated.”

I think there is a confusion about the way Ethereum programs work.

The code in a program are evaluated in a virtual machine/interpretor inside the miner, any miner. The code evaluation could theoretically infect the mining computer. However, the code is fully open, relatively small, and miners run different implementations of the language interpretor. Also, the language lacks most hooks into hardware or the world. Ethereum contracts do not need to access memory, printers, keyboards, wifi or TCP/IP stacks. As blockchain data is immutable, it is not possible to infect other parts of the blockchain.

So far I have not heard about any case of, or possibility to infect mining computers by this route. But I am willing to to be surprised. I would love to hear about such actions from Ethereum contracts.

Sdedaluz January 9, 2022 10:43 AM

At 15% take, this should – at a minimum – replace subscription fees for the client software, subject to meeting some modest processing power threshold. Not holding my breath for that. Norton seems content to gamble with other people’s money. But we all knew that after the lifelock merger, Norton abandoned the pretense of (over-rated, underskilled) software development and hitched it’s wagon to grifterhood. It’s galling to witness the metastasis of externalized risk into a multi-pronged business model.

Your operating system is insecure? Pay us to stand guard. Thousands of companies barter your data and store it insecurely with no meaningful liability? Pay us to tell you you’re screwed months or years after the fact. Need an investment opportunity that’s nothing short of the unholy union between a slot machine and a payday lender? Pay us to flip an invisible switch.

lurker January 9, 2022 3:01 PM


(moxie) … you have a website for buying and selling JPEGS with your debit card.

All the smoke and mirrors to hide this basic fact seems to be working well.

people do not want run their own servers

Of course most of those people do not realise they have just given away the first weak link in the chain of trust.

Not Sure January 10, 2022 10:52 AM

  • 500M Avira Antivirus Users Introduced to Cryptomining –

January 8, 2022

“Many readers were surprised to learn recently that the popular Norton 360 antivirus suite now ships with a program which lets customers make money mining virtual currency. But Norton 360 isn’t alone in this dubious endeavor: Avira antivirus — which has built a base of 500 million users worldwide largely by making the product free — was recently bought by the same company that owns Norton 360 and is introducing its customers to a service called Avira Crypto.

Founded in 2006, Avira Operations GmbH & Co. KG is a German multinational software company best known for their Avira Free Security (a.k.a. Avira Free Antivirus). In January 2021, Avira was acquired by Tempe, Ariz.-based NortonLifeLock Inc., the same company that now owns Norton 360.

In 2017, the identity theft protection company LifeLock was acquired by Symantec Corp., which was renamed to NortonLifeLock in 2019. LifeLock is now included in the Norton 360 service; Avira offers users a similar service called Breach Monitor.

Like Norton 360, Avira comes with a cryptominer already installed, but customers have to opt in to using the service that powers it. Avira’s FAQ on its cryptomining service is somewhat sparse. For example, it doesn’t specify how much NortonLifeLock gets out of the deal (NortonLifeLock keeps 15 percent of any cryptocurrency mined by Norton Crypto).

“Avira Crypto allows you to use your computer’s idle time to mine the cryptocurrency Ethereum (ETH),” the FAQ explains. “Since cryptomining requires a high level of processing power, it is not suitable for users with an average computer. Even with compatible hardware, mining cryptocurrencies on your own can be less rewarding. Your best option is to join a mining pool that shares their computer power to improve their chance of mining cryptocurrency. The rewards are then distributed evenly to all members in the pool.”

NortonLifeLock hasn’t yet responded to requests for comment, so it’s unclear whether Avira uses the same cryptomining code as Norton Crypto. But there are clues that suggest that’s the case. NortonLifeLock announced Avira Crypto in late October 2021, but multiple other antivirus products have flagged Avira’s installer as malicious or unsafe for including a cryptominer as far back as Sept. 9, 2021.

The above screenshot was taken on, a service owned by Google that scans submitted files against dozens of antivirus products. The detection report pictured was found by searching Virustotal for “ANvOptimusEnablementCuda,” a function included in the Norton Crypto mining component “Ncrypt.exe.”

Some longtime Norton customers took to NortonLifeLock’s online forum to express horror at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

“Norton should be DETECTING and killing off crypto mining hijacking, not installing their own,” reads a Dec. 28 thread on Norton’s forum titled “Absolutely furious.”

Others have charged that the crypto offering will end up costing customers more in electricity bills than they can ever hope to gain from letting their antivirus mine ETH. What’s more, there are hefty fees involved in moving any ETH mined by Norton or Avira Crypto to an account that the user can cash out, and many users apparently don’t understand they can’t cash out until they at least earn enough ETH to cover the fees.

In August 2021, NortonLifeLock said it had reached an agreement to acquire Avast, another longtime free antivirus product that also claims to have around 500 million users. It remains to be seen whether Avast Crypto will be the next brilliant offering from NortonLifeLock.

As mentioned in this week’s story on Norton Crypto, I get that participation in these cryptomining schemes is voluntary, but much of that ultimately hinges on how these crypto programs are pitched and whether users really understand what they’re doing when they enable them. But what bugs me most is they will be introducing hundreds of millions of perhaps less savvy Internet users to the world of cryptocurrency, which comes with its own set of unique security and privacy challenges that require users to “level up” their personal security practices in fairly significant ways.”

Ollie Jones January 12, 2022 9:08 AM

Doing this in an endpoint security product (end-user antivirus product) is worse than merely stealing kilowatt hours.

It increases the attack surface of the machine supposedly being protected.

It increases, if only by a little, the attractiveness of the machine to cybercriminals.

“Offense in depth”, it’s called.

It’s time for some US state attorney general to open a formal investigation into this heinous practice.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.