
Topic: Bitcoinica Warning: Please do not re-use any old Bitcoin deposit addresses (Read 9680 times)

legendary
Activity: 1449
Merit: 1001
damn.  hot wallet is hot.

Z's hot wallet was hot.
And now his hot wallet is not.



Proudhon = Dr. Seuss  Smiley
full member
Activity: 186
Merit: 100
zhoutong, you were asking for this. I even pointed out vulnerabilities in your site from the start; it was only a matter of time before you made another mistake (hosting coins on a cloud/VPS-based service).
full member
Activity: 199
Merit: 100
When do deposits into new addresses show up in my account? I've been waiting for about half a day now :>
full member
Activity: 227
Merit: 100
vip
Activity: 490
Merit: 502
All customer passwords were encrypted with BCrypt.
The correct term is "hashed", not "encrypted". Huge difference. Smiley

You're right. I made a mistake here. It should be "hashed".
full member
Activity: 154
Merit: 101
Bitcoin!
All customer passwords were encrypted with BCrypt.
The correct term is "hashed", not "encrypted". Huge difference. Smiley

I sure hope Zhou knows the difference.  Roll Eyes
Well, he mentioned BCrypt, which is a hashing function, not an encryption function.  I think he just inadvertently used the wrong term here.
legendary
Activity: 1764
Merit: 1002
All customer passwords were encrypted with BCrypt.
The correct term is "hashed", not "encrypted". Huge difference. Smiley

I sure hope Zhou knows the difference.  Roll Eyes
full member
Activity: 154
Merit: 101
Bitcoin!
All customer passwords were encrypted with BCrypt.
The correct term is "hashed", not "encrypted". Huge difference. Smiley
vip
Activity: 490
Merit: 502
- Customer data is safe.

The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the -only- one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.
I just noticed that the Bitcoinica login page appears to have no lost/forgot password functionality, and that the only way to change your password is to successfully log in and change it from the account page. Might I suggest adding this feature?

The reason is that if Bitcoinica is ever cracked and the pwd database stolen, the thieves could run a script that changes all the passwords, as the Mt. Gox hackers did last summer. I, having stupidly used the same login credentials as my Facebook and Twitter accounts, lost both those social media accounts in addition to my Mt. Gox one.

It was only because they had password reset functionality publicly exposed on the login page that I was able to quickly send myself a pwd reset email and get them back before they also changed my account email address or any other harm was done.  

But as it is, if such an attack ever succeeds on Bitcoinica, the account is gone, with no way for the user to quickly recover it.

All customer passwords were encrypted with BCrypt. It's almost impossible to brute force even when the database is compromised.

Currently we require manual password reset because we want to evaluate the risk levels of password reset before we take actions on any accounts. E-mail shouldn't be the master key to everything.
legendary
Activity: 1358
Merit: 1002
more and more worthless with every theft.

Generally speaking criminals don't steal worthless things.

Like for example I haven't ever heard of a thief stealing poop out of someone's toilet, rotten garbage, or used tissues.

I have heard of thieves stealing artwork, cars, gold, currency and yes Bitcoins.

Couldn't agree more with you even if I wanted to Wink
legendary
Activity: 1050
Merit: 1002
Supposedly some outside hacker knew different high value sites would have Bitcoin wallets on Linode?

Trivial to determine: nslookup/dig the A records and then traceroute to all the large sites. Find common denominators. See Linode is one, hack Linode, have many BTC.

marked

True, but that still implies prior knowledge, or a guess, that large BTC sites would have a host in common. Then, upon finding the target, is it really that inconsequential to gain such high-level access to Linode, such a respected Linux host, as evidenced by it being a common denominator among sites? (Although I suppose that could be the basis for such a guess... but still, then to easily gain access? Either Linode is guilty or they shouldn't be hosting anyway.)
full member
Activity: 154
Merit: 101
Bitcoin!
Zhou, thank you sincerely for being honorable, reporting quickly and fully, and absorbing the loss.

Very impressed with you and Slush today. I give you my sincere gratitude.
+1;
full member
Activity: 168
Merit: 100
Supposedly some outside hacker knew different high value sites would have Bitcoin wallets on Linode?

Trivial to determine: nslookup/dig the A records and then traceroute to all the large sites. Find common denominators. See Linode is one, hack Linode, have many BTC.

marked
newbie
Activity: 17
Merit: 0
- Customer data is safe.

The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the -only- one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.
I just noticed that the Bitcoinica login page appears to have no lost/forgot password functionality, and that the only way to change your password is to successfully log in and change it from the account page. Might I suggest adding this feature?

The reason is that if Bitcoinica is ever cracked and the pwd database stolen, the thieves could run a script that changes all the passwords, as the Mt. Gox hackers did last summer. I, having stupidly used the same login credentials as my Facebook and Twitter accounts, lost both those social media accounts in addition to my Mt. Gox one.

It was only because they had password reset functionality publicly exposed on the login page that I was able to quickly send myself a pwd reset email and get them back before they also changed my account email address or any other harm was done.  

But as it is, if such an attack ever succeeds on Bitcoinica, the account is gone, with no way for the user to quickly recover it.
hero member
Activity: 714
Merit: 500
donator
Activity: 1218
Merit: 1079
Gerald Davis
more and more worthless with every theft.

Generally speaking criminals don't steal worthless things.

Like for example I haven't ever heard of a thief stealing poop out of someone's toilet, rotten garbage, or used tissues.

I have heard of thieves stealing artwork, cars, gold, currency and yes Bitcoins.
legendary
Activity: 1008
Merit: 1021
Democracy is the original 51% attack
Zhou, thank you sincerely for being honorable, reporting quickly and fully, and absorbing the loss.

Very impressed with you and Slush today. I give you my sincere gratitude.
newbie
Activity: 17
Merit: 0
That's why

we should support BIP16 as soon as possible...
Actually no. This too will pass. Bitcoin is a multi-decade project, and once technical decisions are written into the blockchain they are very hard or impossible to reverse.

Hence, it's much more important for the dev team to resist artificial time pressures and focus on making the right decision for the long-term, even if they need to take longer in the short-term to fully understand the ramifications and consequences of crucial technical decisions.
legendary
Activity: 826
Merit: 1001
rippleFanatic
This doesn't make sense, why would you have a hot wallet with 10K BTC? Why would it ONLY be stored on a Linode VPS?

Hadn't bitcoinica gone all quiet for some time before this happened?

I think this is just a handy way to release some old bad news.

I figure he wanted to host the site, with user information and all, separately from the wallet. That way if the site gets penetrated (which one would think is more likely since it has more attack vectors), the wallet would still be secure.


damn.  hot wallet is hot.
Z's hot wallet was hot.
And now his hot wallet is not.

Au contraire, now it's even hotter.

legendary
Activity: 980
Merit: 1014
Linode's user agreement says "no".

That doesn't mean Linode can't be sued and forced to reimburse the losses.


It would need to be worth the lawyer fee to sue.