Pages:
Author

Topic: Bitcoinica Warning: Please do not re-use any old Bitcoin deposit addresses (Read 9731 times)

legendary
Activity: 1449
Merit: 1001
damn.  hot wallet is hot.

Zs hot wallet was hot.
And now his hot wallet is not.



Proudhon= Dr.Seuss  Smiley
full member
Activity: 186
Merit: 100
zhoutong you were asking for this, vulnerabilities in your site i even pointed out from the start, it was only a matter of time before you make another mistake. (hosting coins on a cloud/vps based service)
full member
Activity: 199
Merit: 100
When does deposits into new addresses show up in my account? I'am waiting for about half a day now :>
full member
Activity: 227
Merit: 100
vip
Activity: 490
Merit: 502
All customer passwords were encrypted with BCrypt.
The correct term is "hashed", not "encrypted". Huge difference. Smiley

You're right. I made a mistake here. It should be "hashed".
full member
Activity: 154
Merit: 102
Bitcoin!
All customer passwords were encrypted with BCrypt.
The correct term is "hashed", not "encrypted". Huge difference. Smiley

i sure hope Zhou knows the difference  Roll Eyes
Well, he mentioned BCrypt, which is a hashing function, not an encryption function.  I think he just inadvertently used the wrong term here.
legendary
Activity: 1764
Merit: 1002
All customer passwords were encrypted with BCrypt.
The correct term is "hashed", not "encrypted". Huge difference. Smiley

i sure hope Zhou knows the difference  Roll Eyes
full member
Activity: 154
Merit: 102
Bitcoin!
All customer passwords were encrypted with BCrypt.
The correct term is "hashed", not "encrypted". Huge difference. Smiley
vip
Activity: 490
Merit: 502
- Customer data is safe.

The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the –only- one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.
I just noticed that the Bitcoinica login page appears to have no lost/forgot password functionality, that the only way to change your password is to successfully login and change it from the admin account.  Might I suggest adding this feature?  

The reason is that if Bitcoinica is ever cracked and the pwd database stolen, the thieves could run a script that changes all the passwords, as the Mt. Gox hackers did last summer.  I, having stupidly used the same login credentials as my Facebook and Twitter accounts, lost both those social media accounts in addition to my Mt.Gox one.  

It was only because they had password reset functionality publicly exposed on the login page that I was able to quickly send myself a pwd reset email and get them back before they also changed my account email address or any other harm was done.  

But as it is, if such an attack ever succeeds on Bitcoinica, the account is gone, no way for the user to quickly recover it.

All customer passwords were encrypted with BCrypt. It's almost impossible to brute force even when the database is compromised.

Currently we require manual password reset because we want to evaluate the risk levels of password reset before we take actions on any accounts. E-mail shouldn't be the master key to everything.
legendary
Activity: 1358
Merit: 1002
more and more worthless with every theft.

Generally speaking criminals don't steal worthless things.

Like for example I haven't ever heard of a thief stealing poop out of someone's toilet, rotten garbage, or used tissues.

I have heard of thieves stealing artwork, cars, gold, currency and yes Bitcoins.

Couldn't agree more with you even if I wanted to Wink
legendary
Activity: 1050
Merit: 1002
Supposedly some outside hacker knew different high value sites would have Bitcoin wallets on Linode?

trivial to determine - nslookup/dig a records and then traceroute to all the large sites. Find common denominators. See linode is one, hack linode, have many BTC.

marked

True, but that still implies beforehand knowledge or a guess that large BTC sites would have a host in common. Then upon gaining the target is it really that inconsequential to gain such high level access to Linode, such a respected Linux host, as evidenced by them being a common denominator among sites? (although I suppose that could be the basis for such a guess... but still, then to easily gain access? Either Linode is guilty or they shouldn't be hosting anyway.)
full member
Activity: 154
Merit: 102
Bitcoin!
Zhou, thank you sincerely for being honorable, reporting quickly and fully, and absorbing the loss.

Very impressed with you and Slush today. I give you my sincere gratitude.
+1;
full member
Activity: 168
Merit: 100
Supposedly some outside hacker knew different high value sites would have Bitcoin wallets on Linode?

trivial to determine - nslookup/dig a records and then traceroute to all the large sites. Find common denominators. See linode is one, hack linode, have many BTC.

marked
newbie
Activity: 17
Merit: 0
- Customer data is safe.

The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the –only- one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.
I just noticed that the Bitcoinica login page appears to have no lost/forgot password functionality, that the only way to change your password is to successfully login and change it from the admin account.  Might I suggest adding this feature?  

The reason is that if Bitcoinica is ever cracked and the pwd database stolen, the thieves could run a script that changes all the passwords, as the Mt. Gox hackers did last summer.  I, having stupidly used the same login credentials as my Facebook and Twitter accounts, lost both those social media accounts in addition to my Mt.Gox one.  

It was only because they had password reset functionality publicly exposed on the login page that I was able to quickly send myself a pwd reset email and get them back before they also changed my account email address or any other harm was done.  

But as it is, if such an attack ever succeeds on Bitcoinica, the account is gone, no way for the user to quickly recover it.
hero member
Activity: 714
Merit: 500
donator
Activity: 1218
Merit: 1079
Gerald Davis
more and more worthless with every theft.

Generally speaking criminals don't steal worthless things.

Like for example I haven't ever heard of a thief stealing poop out of someone's toilet, rotten garbage, or used tissues.

I have heard of thieves stealing artwork, cars, gold, currency and yes Bitcoins.
legendary
Activity: 1008
Merit: 1023
Democracy is the original 51% attack
Zhou, thank you sincerely for being honorable, reporting quickly and fully, and absorbing the loss.

Very impressed with you and Slush today. I give you my sincere gratitude.
newbie
Activity: 17
Merit: 0
That's why

we should support BIP16 as soon as possible...
Actually no.  This too will pass.  Bitcoin is a multi-decade project, and once technical decisions are written into the blockchain they are very hard or impossible to reverse.

Hence, it's much more important for the dev team to resist artificial time pressures and focus on making the right decision for the long-term, even if they need to take longer in the short-term to fully understand the ramifications and consequences of crucial technical decisions.
legendary
Activity: 826
Merit: 1001
rippleFanatic
This doesn't make sense, why would you have a hot wallet with 10K BTC? Why would it ONLY be stored on a Linode VPS?

Hadn't bitcoinica gone all quiet for some time before this happened?

I think this is just a handy way to release some old bad news.

I figure he wanted to host the site, with user information and all, separately from the wallet.  That way if the site gets penetrated (which one would think is more likely since it has more attack vectors), the wallet would still be secure.


damn.  hot wallet is hot.
Zs hot wallet was hot.
And now his hot wallet is not.

Au contraire, now its even hotter.

legendary
Activity: 980
Merit: 1020
The Linode's user agreement says, "no".

That doesn't mean they Linode can't be sued and forced to reimburse the losses.


It would need to be worth the lawyer fee to sue.
Pages:
Jump to: