
Topic: Bitcoin is a hackers dream (Read 5718 times)

hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
July 21, 2012, 04:06:41 PM
#48


Tril, thanks for the great analysis. You make some very good points.
full member
Activity: 213
Merit: 100
July 21, 2012, 02:39:08 PM
#47
From the title, I thought this thread was about the other kind of hackers and would have some cool ideas about multisignatures, or verifying receipt of coins without having to have the private key online, or hackerspaces, or other great ideas.  Oh well.  I'll address this:

I think OP was referring to the mindset of certain Bitcoin users, not criticizing btc itself. Apparently many think that it's perfectly ok to steal, and to let thieves operate without any consequences.

It's not OK to steal, and it's wrong for the thief to do so.  It's also wrong to harm innocents or destroy bitcoin entirely in the quest to punish thieves.

Bitcoin provides Internet cash, which does have the weakness of being stealable.  While no one wants to encourage theft, it's a difficult problem, because the initial proposed solution to stop thieves just makes things worse.  Tainting coins makes it too easy for thieves to cause trouble for innocent recipients of stolen coins and adds very little to stop the thief, so it's been rejected as unacceptable by most.  What else can be done?  Convincing merchants and service providers to demand their customers prove the origin of all their coins?  The blockchain can't offer proof, as it's easy to trade private keys outside the blockchain.  Verifying identity?  Adds very little protection (thieves also routinely steal identities) while defeating one of the main reasons to use bitcoin, pseudonymity.  And any intentional collaboration of major mining pools to reverse selected transactions would strike fear into the heart of every Bitcoin user.  Even if improved versions of all of those solutions were adopted by honest merchants, you still have plenty of unscrupulous sellers willing to accept known stolen bitcoins; after all they are "cold", "hard", verifiable bitcoins.

It's easy to pass blame, but everything has tradeoffs.  Yes, bitcoin holders can increase wallet security, at a cost.  Yes, MtGox can make withdrawals more difficult, which they have been doing, but customers have been complaining.  Governments can collaborate internationally to allow stronger investigation and enforcement of computer crime across borders, but this reduces everyone's freedom.  As Internet cash, bitcoin enforces the idea of "trust no one, but yourself" and the wallet holder is ultimately responsible for his or her own security.  And anyone who trusts someone else with their coins is also indirectly responsible for that security.  I knew Bitcoinica had a large hot wallet based on how fast withdrawals were occurring, so I withdrew all my funds.  I have no coins or funds in MtGox or GLBSE because they're huge targets.  I could be making more money if I took these risks but it's up to me.  Security is a trade-off and has a cost.  With Bitcoin, everyone has the freedom to decide who to trust and how much to invest in security.

OP, I understand your disappointment at the state of things.  It's best not to complain about the state of Bitcoin but instead treat the weakness as opportunity.  Go ahead, come up with an amazing new way to stop thefts.  And yes, demand more security from those who hold your coins.  I expect it will be needed, as stealing bitcoins need not be the only incentive for the thieves; they're also paid in fiat, created out of nothing by those who stand to profit from Bitcoin's demise.  Increasing amounts of resources will be spent on attacking bitcoin sites as Bitcoin grows, so at each price jump, spend some bitcoins on as much security as the value of those coins demands, and it will likely pay off.
hero member
Activity: 924
Merit: 1000
July 21, 2012, 12:19:19 PM
#46
The only place where I have coins that are not encrypted on my HDD or USB is with an exchanger that uses the yubikey with 2 factor authentication.. The only downside is that if I were to lose my key, I would be sol for about 2 weeks...

That's another question.. Is the yubikey as secure as they make it?
member
Activity: 70
Merit: 15
July 21, 2012, 10:00:16 AM
#45
We have to admit that nothing is 100% safe/secure.
Believe me, this word comes from old folks.
donator
Activity: 1731
Merit: 1008
July 20, 2012, 01:31:37 PM
#44
...
Well, maybe you didn't realize that you aren't required to keep ALL your Bitcoins on ONE wallet? ;)

You can have a myriad of security measures for as many wallets as you desire. No one in their right mind would make an offline fragmented wallet for 1 Bitcoin.

One of the more amazing features of Bitcoin is, once you have created the deep savings wallet, you can safely SEND as many coins as you wish from anywhere in the world.
What is the deep in "deep saving wallet" ?
Do you mean "safely SEND as many coins as you wish" to it ? The opposite is not true.
donator
Activity: 1731
Merit: 1008
July 20, 2012, 12:18:49 PM
#43
...
The software part I agree can make it "virtually" impossible to steal, but there always is a physical and mental part that is near impossible to secure without high costs and high inconveniences.
...
Perhaps you could elaborate on the "physical and mental part" and explain what they have to do with Bitcoin and not any other asset.
You understand having a paper wallet in a vault is not convenient for spending it ?
You understand this vault has a cost right ?
You understand someone knows how to open that vault right ? (without force)

You may be unaware of it, but there are ways and drugs that will make you do anything even against your will.

Who said anything about a paper wallet? Who said anything about a vault? And your examples go far beyond "hacking".

You can have convenience or you can have security. With clients like Armory you can even have both.

For the price of a cheap laptop and a few thumb drives you can have security that is practically impossible to break. When individually inaccessible pieces of your wallet are spread around in different physical locations, it's going to be pretty hard to "hack". If you fear drugs or torture, and would prefer death over having your Bitcoins stolen, give pieces of your wallet to random family members and tell them to keep secure regardless of any kidnapping ransoms.

I stand by my statement, "I feel it's far easier and far cheaper to secure Bitcoins than any other asset I can think of." I can split the wallet to make it worthless without obtaining each piece. With physical assets, even if they are stored in a vault, once that is breached, you've lost your asset.

I think I've already agreed on the secure part of software (armory), but software runs on hardware and is used by brains.

Anyway, how convenient is it to have to remember where all the pieces of the paper wallet are stored, and recover them, before spending it?

That makes me think, do we want people to sit on their paper wallet forever or actually use Ƀ for commerce ?
donator
Activity: 1731
Merit: 1008
July 20, 2012, 11:48:35 AM
#42
...
The software part I agree can make it "virtually" impossible to steal, but there always is a physical and mental part that is near impossible to secure without high costs and high inconveniences.
...
Perhaps you could elaborate on the "physical and mental part" and explain what they have to do with Bitcoin and not any other asset.
You understand having a paper wallet in a vault is not convenient for spending it ?
You understand this vault has a cost right ?
You understand someone knows how to open that vault right ? (without force)

You may not know, but there are ways and drugs that will make you do anything even against your will.
legendary
Activity: 1106
Merit: 1004
July 20, 2012, 11:43:30 AM
#41
A. If you go after the thief, he will be ultimately unsuccessful in his plan, and others will think twice if theft is worth the consequences. Going after thieves protects honest people from becoming victims.

B. If you go after service provider (assuming no criminal negligence or insider jobs, in which case A applies), you will punish the victim - and we are talking potentially devastating consequences for their careers, families, and health. Other service providers will boost up security out of fear, and outsource the cost to third parties or to customers. Thieves will have nothing to fear, and will now have to either step up their efforts or find another victim. Either way, more shitty situations which could have been avoided with option A.

Good points. I highlighted an important part of your post.

If criminals are never punished, innocents will always pay for it one way or another. Security is not free. If we didn't have to worry much about criminals, we could use these resources in better ways. And I know no better way to create a counter-incentive to crime than to punish those who commit it.

I tend to agree with OP.

Me too, except that I don't think this problem is exclusive to bitcoin. It's a "cyberspace problem". Hackers are almost never punished, and the costs of their actions fall over everybody else. Actually, as Timo Y quoted below notes, it's a little better in BTC-world than in CC-world as here the costs of a hack are not totally diluted. (I wouldn't be so harsh on all those who put their money on Bitcoinica though...)

So are credit cards.

What fraction of carders actually get caught?

Even if the credit card customer is negligent, it's usually the bank that takes the hit, and then socializes the cost among all customers. Very rarely it's the scammer.

With bitcoin, at least I don't have to pay for other people's negligence. And yes, if you entrust tens of thousands of dollars to an alpha-web app run by a one-man enterprise then that is also a form of negligence.

hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
July 20, 2012, 11:31:57 AM
#40
I think OP was referring to the mindset of certain Bitcoin users, not criticizing btc itself. Apparently many think that it's perfectly ok to steal, and to let thieves operate without any consequences.

Then the thread should be titled: "A few individuals are a hackers dream".

If there was a poll thread asking if the Bitcoinica thieves should be punished if caught, I'm sure the overwhelming majority would vote yes.
And yet most of the time and resources seem to be dedicated to bashing the victims.
full member
Activity: 128
Merit: 100
I'm doin' fine on cloud 9
July 20, 2012, 10:32:47 AM
#39

This is definitely a big, huge learning experience for all of us, for sure. :-)


-p
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
July 20, 2012, 10:20:41 AM
#38
I think OP was referring to the mindset of certain Bitcoin users, not criticizing btc itself. Apparently many think that it's perfectly ok to steal, and to let thieves operate without any consequences.
N12
donator
Activity: 1610
Merit: 1010
July 20, 2012, 06:26:10 AM
#37
Bitcoin so far has been a great distributory tool in moving value from honest people to hackers, thieves, and scammers. You could say it's a way to destroy wealth. :D
donator
Activity: 1218
Merit: 1015
July 20, 2012, 06:09:59 AM
#36
Hopefully Bitcoin teaches people personal responsibility. I doubt it, but one can dream.

It's so ridiculously easy to secure your own coins, if yours are stolen, you've made a mistake. This isn't blaming the victim, it's stating a fact.

The world is a harsh place full of people who will do whatever they can to get an advantage. This probably isn't going to change anytime in the near future, so the answer is to protect yourself.

Personally, I feel it's far easier and far cheaper to secure Bitcoins than any other asset I can think of. With some minimal effort you can raise the bar for wallet theft so high that it is practically impossible to have your coins stolen. I'm speaking of encrypted wallet fragments located in different physical locations under lock and key. I'd like to see someone hack that.

TL;DR: The Bitcoin user has the option to make his coins impossible to hack, for all practical purposes. A hacker's dream, I think not. A fool and his money are soon parted.
Worth noting in Bitcoinland, there just isn't much money floating around. The current BTC market cap could not even purchase the world's 15th most expensive yacht. Much (if not most) business is done between people with little to no experience in the sector they're trading in. Security is surprisingly lacking when you assume everyone is a well-read nerd with plenty of time and money, but much more expected thinking most Bitcoin-related businesses are 3 years old or newer, start with the standard start-up budget of near-nothing, do not have profits able to justify hiring serious, experienced security experts, and having business operators with as much experience in their sector as their business has existed.

Hard to imagine this problem not getting better, even without shifting responsibility onto governments instead of those who permitted victimization. Even if Bitcoinica ops do not learn from mistakes, other ops will. MtGox did not need two more tens-of-thousands-worth-of-USD hacks to realize they needed to beef up security in a dramatic fashion, and they did not need the government tracking down a cyber-criminal in Moldova to do so, nor to repay customers.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
July 20, 2012, 05:41:14 AM
#35
Lol this thread is so fail. Let's speak about the hundreds or thousands of billions of dollars and euro scammed and hacked every year?
vip
Activity: 490
Merit: 502
July 20, 2012, 05:03:19 AM
#34
I give you an example: someone recognized Zhou exchanging some 40k$ LR to RMB for some bad rate in a hurry a day after the theft. Zhou said it was unrelated, but this shows that a community can recognize way more than some astonished local Japanese police officer.

Since my name has been mentioned I would just reply in this thread anyway. I'll explain this, for once and for all.

As I explained in the QQ Group where the trades happened, I was cashing out for a Singaporean friend who has $100K in total in several LR accounts. I was able to get much better USD/SGD exchange rates than any bank customers. (I was able to get "interbank" rates: https://bitcointalksearch.org/topic/expire-selling-mt-gox-and-bitcoinica-code-at-025-discount-usdaudsgdcny-76156)

I was not "in a hurry". Even today I have done a deal with someone. (7 days is not "hurry".)

The rate was not bad. Most e-currency exchanges charge 1.5%-2% plus wire fees (about $50 per transaction including routing fees). USD/CNY exchange rate is highly stable and I can access discounted exchange rates through my Chinese bank as well. I actually got a better deal.

And it's definitely not $40K (which is the stolen USD amount that Bitcoinica claims). I have also placed a single $40K AurumXchange order during the same period.

I still have an operating business in Singapore (http://www.sgitcoin.com/) and this service is actually quite popular (top Google result for "buy bitcoin in singapore"). Therefore I regularly deal with foreign exchange, money transfers and e-currencies.

This kind of transaction is very common for me. It happened all the time before the hack. (For example, trading over $20K with UserXXX: https://bitcointalksearch.org/topic/m.1039996)
donator
Activity: 1731
Merit: 1008
July 20, 2012, 03:03:58 AM
#33
Hopefully Bitcoin teaches people personal responsibility. I doubt it, but one can dream.

It's so ridiculously easy to secure your own coins, if yours are stolen, you've made a mistake. This isn't blaming the victim, it's stating a fact.

The world is a harsh place full of people who will do whatever they can to get an advantage. This probably isn't going to change anytime in the near future, so the answer is to protect yourself.

Personally, I feel it's far easier and far cheaper to secure Bitcoins than any other asset I can think of. With some minimal effort you can raise the bar for wallet theft so high that it is practically impossible to have your coins stolen. I'm speaking of encrypted wallet fragments located in different physical locations under lock and key. I'd like to see someone hack that.

TL;DR: The Bitcoin user has the option to make his coins impossible to hack, for all practical purposes. A hacker's dream, I think not. A fool and his money are soon parted.

Sorry I don't buy the bolded parts.
The software part I agree can make it "virtually" impossible to steal, but there always is a physical and mental part that is near impossible to secure without high costs and high inconveniences.

A good way to make your coins practically impossible to steal is to send them to a random address...
vip
Activity: 608
Merit: 501
-
July 19, 2012, 07:32:09 PM
#32
As I said we know how and where the USD moved, so yes.

And about the Bitcoins, it would have been easy for MtGox to tell us the transaction ID, but they choose to astonish some Japanese police officer with such information, IF they even filed that report.

Some Japanese police officers, our lawyers, and the people at Bitcoinica, plus the people who have helped during the investigation.

About the Bitcoins, we could share the transaction IDs, but I'm pretty sure everyone already got them (a 40k BTC tx is easy to locate)
aq
full member
Activity: 238
Merit: 100
July 19, 2012, 05:00:53 PM
#31
Bitcoin is really a hackers dream.

Last year, some hacker managed to steal huge funds from mybitcoin.com. Who got blamed? The operator of mybitcoin.com. No one cared about the actual hacker.
This year, a hacker stole 45k from Bitcoinica. Everyone blamed the operators. The owners replaced the funds. No one cared about the actual hacker.
Now recently more funds were stolen from Bitcoinica. MtGox even knows who the hacker is, but "of course" cannot share this information. So same thing as every time, no one cares about the actual hacker. Everyone blames the operators and tries to lynch them.

Conclusion: In the Bitcoin world it is OK to steal, the blame will always be on the victim. A hacker can even use his real name and real address, and still no one cares. Blame and lawsuits are always on the victims...

And how is that different from cash, exactly ?


Hack a USD bank, lose your life.
Hack a BTC bank, lose your OTC reputation lol
Now that would be a great development, because currently we have it this way:
Hack a USD bank, lose your life.
Hack a BTC bank, be completely ignored and happily spend the coins.
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
July 19, 2012, 04:53:15 PM
#30
Bitcoin is really a hackers dream.

Last year, some hacker managed to steal huge funds from mybitcoin.com. Who got blamed? The operator of mybitcoin.com. No one cared about the actual hacker.
This year, a hacker stole 45k from Bitcoinica. Everyone blamed the operators. The owners replaced the funds. No one cared about the actual hacker.
Now recently more funds were stolen from Bitcoinica. MtGox even knows who the hacker is, but "of course" cannot share this information. So same thing as every time, no one cares about the actual hacker. Everyone blames the operators and tries to lynch them.

Conclusion: In the Bitcoin world it is OK to steal, the blame will always be on the victim. A hacker can even use his real name and real address, and still no one cares. Blame and lawsuits are always on the victims...

And how is that different from cash, exactly ?


Hack a USD bank, lose your life.
Hack a BTC bank, lose your OTC reputation lol
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
July 19, 2012, 04:30:39 PM
#29
Bitcoin is really a hackers dream.

Last year, some hacker managed to steal huge funds from mybitcoin.com. Who got blamed? The operator of mybitcoin.com. No one cared about the actual hacker.
This year, a hacker stole 45k from Bitcoinica. Everyone blamed the operators. The owners replaced the funds. No one cared about the actual hacker.
Now recently more funds were stolen from Bitcoinica. MtGox even knows who the hacker is, but "of course" cannot share this information. So same thing as every time, no one cares about the actual hacker. Everyone blames the operators and tries to lynch them.

Conclusion: In the Bitcoin world it is OK to steal, the blame will always be on the victim. A hacker can even use his real name and real address, and still no one cares. Blame and lawsuits are always on the victims...

Welcome to crypto-anarchy! The future is already here.

A. If you go after the hacker... there will be 10 more in line behind him.

A. Going after the hackers protects a bad service.

B. If you go after the service provider... the next 10 hackers will be unsuccessful.

B. Going after the service provider ensures a better service is provided in the future.

A. If you go after the thief, he will be ultimately unsuccessful in his plan, and others will think twice if theft is worth the consequences. Going after thieves protects honest people from becoming victims.

B. If you go after service provider (assuming no criminal negligence or insider jobs, in which case A applies), you will punish the victim - and we are talking potentially devastating consequences for their careers, families, and health. Other service providers will boost up security out of fear, and outsource the cost to third parties or to customers. Thieves will have nothing to fear, and will now have to either step up their efforts or find another victim. Either way, more shitty situations which could have been avoided with option A.

I tend to agree with OP.