Pages:
Author

Topic: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYM... - page 10. (Read 62186 times)

legendary
Activity: 980
Merit: 1020
@JeffK Full disclosure request:

What is your relationship with Linode?

Two year customer last month, never had problems but I've been around the Bitcoin community long enough to be suspicious of people who "lose" bitcoins or have them "stolen"

Ok, you're going to be suspicious of Gavin, the bitcoinica guy, and Slush?
sr. member
Activity: 350
Merit: 250
I never hashed for this...
@JeffK Full disclosure request:

What is your relationship with Linode?

Two year customer last month, never had problems but I've been around the Bitcoin community long enough to be suspicious of people who "lose" bitcoins or have them "stolen"
legendary
Activity: 1386
Merit: 1004

I think he may be trying to "set JeffK straight" as they say...

Yes, I have issues with people that I've never seen contribute meaningfully to something trying to tear apart people that I know have contributed to that thing. In this case, Bitcoin being the thing and Slush (as someone with major contributions to it) being 'attacked' and being, in essence, called a liar. I tend to jump to the defense of what I believe in at those points. Therefore I posted the link to the other major breach that was only tangentially mentioned and linked to in this thread as additional proof, seeing if he'd decide to call Zhou (as well as Slush) a liar by continuing his current stand.

Thralen

It's also terribly unfair to attack one of the longest standing most reputable providers without any real statement on their part, and it's doubly unfair to demand they pay back what was allegedly "lost" on the service, since they aren't required by law or their TOS to hold backups of your data for you.

Backups are not really the issue here.

Not saying that the host did anything wrong....  but the problem is not the lack of backups....

It is one backup too many.

sr. member
Activity: 406
Merit: 250

In the transaction related to your incident, one of the destination addresses had 25k BTC or so... by the looks of it the perp has amassed a lot of bitcoins and I bet there were many legit wallets in Linode with legit transactions so he can also use these to launder his money.

It's a lot of money to launder, though. We're talking about 1/4 million US$ or so.

Beware of big mining contract purchases in ferroh or GPUMax (or others) during the next few days.

zhoutong didn't provide transaction id of the robbery like slush did

http://blockchain.info/tx-index/2873808/0268b7285b95444808753969099f7ae43fb4193d442e3e0deebb10e2bb1764d0 -- may be it.
sr. member
Activity: 350
Merit: 250
I never hashed for this...

I think he may be trying to "set JeffK straight" as they say...

Yes, I have issues with people that I've never seen contribute meaningfully to something trying to tear apart people that I know have contributed to that thing. In this case, Bitcoin being the thing and Slush (as someone with major contributions to it) being 'attacked' and being, in essence, called a liar. I tend to jump to the defense of what I believe in at those points. Therefore I posted the link to the other major breach that was only tangentially mentioned and linked to in this thread as additional proof, seeing if he'd decide to call Zhou (as well as Slush) a liar by continuing his current stand.

Thralen

It's also terribly unfair to attack one of the longest standing most reputable providers without any real statement on their part, and it's doubly unfair to demand they pay back what was allegedly "lost" on the service, since they aren't required by law or their TOS to hold backups of your data for you.

Backups are not really the issue here.

It is "hosting something of value on an unencrypted server that is irreplaceable" then?
legendary
Activity: 1358
Merit: 1002
@JeffK Full disclosure request:

What is your relationship with Linode?
donator
Activity: 266
Merit: 252
I'm actually a pineapple

I think he may be trying to "set JeffK straight" as they say...

Yes, I have issues with people that I've never seen contribute meaningfully to something trying to tear apart people that I know have contributed to that thing. In this case, Bitcoin being the thing and Slush (as someone with major contributions to it) being 'attacked' and being, in essence, called a liar. I tend to jump to the defense of what I believe in at those points. Therefore I posted the link to the other major breach that was only tangentially mentioned and linked to in this thread as additional proof, seeing if he'd decide to call Zhou (as well as Slush) a liar by continuing his current stand.

Thralen

It's also terribly unfair to attack one of the longest standing most reputable providers without any real statement on their part, and it's doubly unfair to demand they pay back what was allegedly "lost" on the service, since they aren't required by law or their TOS to hold backups of your data for you.

Backups are not really the issue here.
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata

In the transaction related to your incident, one of the destination addresses had 25k BTC or so... by the looks of it the perp has amassed a lot of bitcoins and I bet there were many legit wallets in Linode with legit transactions so he can also use these to launder his money.

It's a lot of money to launder, though. We're talking about 1/4 million US$ or so.

Beware of big mining contract purchases in ferroh or GPUMax (or others) during the next few days.

zhoutong didn't provide transaction id of the robbery like slush did
sr. member
Activity: 350
Merit: 250
I never hashed for this...

I think he may be trying to "set JeffK straight" as they say...

Yes, I have issues with people that I've never seen contribute meaningfully to something trying to tear apart people that I know have contributed to that thing. In this case, Bitcoin being the thing and Slush (as someone with major contributions to it) being 'attacked' and being, in essence, called a liar. I tend to jump to the defense of what I believe in at those points. Therefore I posted the link to the other major breach that was only tangentially mentioned and linked to in this thread as additional proof, seeing if he'd decide to call Zhou (as well as Slush) a liar by continuing his current stand.

Thralen

It's also terribly unfair to attack one of the longest standing most reputable providers without any real statement on their part, and it's doubly unfair to demand they pay back what was allegedly "lost" on the service, since they aren't required by law or their TOS to hold backups of your data for you.
legendary
Activity: 1358
Merit: 1002
Can someone explain how the encrypted wallet was compromised? The attacker found the wallet's password in the source code / config file somewhere?

Maybe because it wasn't encrypted?
I don't remember any of them saying the wallets were encrypted.
Maybe I'll need to re-read the thread(s)...
hero member
Activity: 637
Merit: 502
Can someone explain how the encrypted wallet was compromised? The attacker found the wallet's password in the source code / config file somewhere?
full member
Activity: 123
Merit: 100

I think he may be trying to "set JeffK straight" as they say...

Yes, I have issues with people that I've never seen contribute meaningfully to something trying to tear apart people that I know have contributed to that thing. In this case, Bitcoin being the thing and Slush (as someone with major contributions to it) being 'attacked' and being, in essence, called a liar. I tend to jump to the defense of what I believe in at those points. Therefore I posted the link to the other major breach that was only tangentially mentioned and linked to in this thread as additional proof, seeing if he'd decide to call Zhou (as well as Slush) a liar by continuing his current stand.

Thralen
legendary
Activity: 1358
Merit: 1002
Yeah, I deleted it because I wasn't even trying to attack you nor did I wished to derail the thread.

Was just replying to you now to say: colocation with encrypted disks?

I understand if you tell me it's expensive, but the alternative is worse, as we all see now.

PS: I don't have any bitcoind facing the web so it's easy for me to stay safe.
Those guides about setting up hidden services are really helpful when one wants to setup a secure server.

Sorry Slush, hope you didn't got mad with me. I'm really in pain with this situation. I was already in pain when it was only you and Gavin, much more now that Bitcoinica even lost more than both of you together.
sr. member
Activity: 350
Merit: 250
I never hashed for this...
Since they are a company with real money on the line, they are probably doing an investigation before they make any statement, period.
donator
Activity: 980
Merit: 1000

In the transaction related to your incident, one of the destination addresses had 25k BTC or so... by the looks of it the perp has amassed a lot of bitcoins and I bet there were many legit wallets in Linode with legit transactions so he can also use these to launder his money.

It's a lot of money to launder, though. We're talking about 1/4 million US$ or so.

Beware of big mining contract purchases in ferroh or GPUMax (or others) during the next few days.
legendary
Activity: 1386
Merit: 1097
Lol, psy deleted his post immediately Wink
legendary
Activity: 1386
Merit: 1004
I would not trust any shared host (VM or not) that has access to your data for a wallet over $1000.  The only way to do this is with encrypted disks that are setup or encrypted by the customer with no host access of any kind.

Unfortunately this is very hard to achieve in real world. For example, I cannot use any housing here in Prague because of stupidly poor connectivity to abroad. Then it really don't matter if the provider is VPS or not, because technically there must be somebody who have physical access to the server instead of me. I'm hosting the pool in France - it's standalone server, but there is still software KVM (because *I* need to reach the server anytime) and there are probably tens of sysadmins with physical access to server.

So it happen today in Linode, but it can happen everywhere else tomorrow. So choosing server provider for services where you don't have thousands of dollars monthly to protect your own server room is like playing russian roulette.

I do agree that it is hard to find options in some areas.  In Baltimore we have a few 'rack space' rental places that will allow you to drop in a server that you have physically set up and nobody has access to online.  Sure, they could get to it physically but that kind of attack is quite different if disks are encrypted.  (and yes, I know it is POSSIBLE to break into those as well but you do need to take the machine offline to do it)
legendary
Activity: 1386
Merit: 1097
WHY DA FUCK DO YOU USE VPS's TO HOST IMPORTANT STUFF?

Hm, please read my previous post. I don't think that VPS containers itself are huge security risk. As you see now, virtualization wasn't the reason for the hack, but it was supporting tool which is in some form in every hosting company, even for unmanaged servers (yes, I'm even paying extra fee for software KVM).
legendary
Activity: 1386
Merit: 1097
I would not trust any shared host (VM or not) that has access to your data for a wallet over $1000.  The only way to do this is with encrypted disks that are setup or encrypted by the customer with no host access of any kind.

Unfortunately this is very hard to achieve in real world. For example, I cannot use any housing here in Prague because of stupidly poor connectivity to abroad. Then it really don't matter if the provider is VPS or not, because technically there must be somebody who have physical access to the server instead of me. I'm hosting the pool in France - it's standalone server, but there is still software KVM (because *I* need to reach the server anytime) and there are probably tens of sysadmins with physical access to server.

So it happen today in Linode, but it can happen everywhere else tomorrow. So choosing server provider for services where you don't have thousands of dollars monthly to protect your own server room is like playing russian roulette.
sr. member
Activity: 406
Merit: 250

Hell if I know, I'm just saying that the proof is very shaky, I'll wait for a statement from Linode before I think they actually screwed up, but given this community's history for having 'trusted people' disappear with funds, I don't know how much the opinion of 'some people on this forum' matters.

Here is some more 'proof' for you. Although you're liable to dismiss this in the same manner as the other:

https://bitcointalksearch.org/topic/bitcoinica-warning-please-do-not-re-use-any-old-bitcoin-deposit-addresses-66961

Thralen

That corroborates the current theory (Linode admin leak).

What are you trying to prove with that link that is contrary to a Linode admin leak?

I think he may be trying to "set JeffK straight" as they say...
Pages:
Jump to: