
Topic: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYM... - page 2. (Read 62090 times)

legendary
Activity: 4466
Merit: 1798
Linux since 1997 RedHat 4
...

I myself didn't even know of linode before. If they act correctly now, I might even consider them next time I look for a VPS provider -> successful marketing.

You'd trust a company that had a hidden backdoor? (yes that description is correct, it did not show up for the logs for slush and was either unknown by the person he contacted originally or the access was hidden by them)
As I said early on, I think they deserve to go bankrupt and be done with.
Not a chance in hell I'd trust them for anything.
legendary
Activity: 1896
Merit: 1353
Quote
I myself didn't even know of linode before. If they act correctly now, I might even consider them next time I look for a VPS provider -> successful marketing.

If you should learn anything from this incident, it is that you shouldn't keep any big amounts of coins on a VPS, Linode or not.

+1

If all you need is to accept Bitcoin in an e-commerce, then you do not need to leave your private keys on the server. For example, you can use a deterministic wallet to generate your addresses without the private keys.

If your server needs to send bitcoins to customers (which was the case for bitcoinica and slush's pool), it is probably not reasonable to use a VPS, especially if large amounts are involved.
full member
Activity: 203
Merit: 100
Quote
I myself didn't even know of linode before. If they act correctly now, I might even consider them next time I look for a VPS provider -> successful marketing.

If you should learn anything from this incident, it is that you shouldn't keep any big amounts of coins on a VPS, Linode or not.
donator
Activity: 2772
Merit: 1019
Quote
Since last week, we've been completely consumed with evaluating, discussing, debating, planning, etc, ways in which we can do better. This was a learning experience for us and Linode will only improve because of it. Hoping to have an announcement soon covering the results of these efforts.

http://forum.linode.com/viewtopic.php?p=49004#49004

Apparently they're still dealing with it internally.

I wonder if this could become a sort of marketing tool:

  • bad security incident happens to company
  • company gets negative press, loads of it
  • company acts responsibly and betters itself, improves security
  • company shines, gets new customers who think company must now be very secure

it worked for mtgox

I myself didn't even know of linode before. If they act correctly now, I might even consider them next time I look for a VPS provider -> successful marketing.
legendary
Activity: 1500
Merit: 1021
I advocate the Zeitgeist Movement & Venus Project.
Quote
Since last week, we've been completely consumed with evaluating, discussing, debating, planning, etc, ways in which we can do better. This was a learning experience for us and Linode will only improve because of it. Hoping to have an announcement soon covering the results of these efforts.

http://forum.linode.com/viewtopic.php?p=49004#49004

Apparently they're still dealing with it internally.
legendary
Activity: 1232
Merit: 1014
FPV Drone Pilot
1)  product idea:  "level of taint on my bitcoin" site, with a formula to determine level of taint, how many transactions ago, etc

2)  I agree, Gox or any other exchange shouldn't judge your coins, a coin is a coin and it's a brutal, unforgiving system but that's what it has been created here / can't police the coins.
donator
Activity: 980
Merit: 1000
http://articles.cnn.com/2009-08-14/health/cocaine.traces.money_1_cocaine-dollar-bills-paper-bills?_s=PM:HEALTH

"Coming soon to Bitcoin..."

But we will have - some drugs, pedophile, guns... maybe even murders

what else?

Who cares?...

A coin is a coin is a coin, just like a dollar bill is a dollar bill is a dollar bill, with or without coke on it.

That was the point...
legendary
Activity: 1358
Merit: 1002
http://articles.cnn.com/2009-08-14/health/cocaine.traces.money_1_cocaine-dollar-bills-paper-bills?_s=PM:HEALTH

"Coming soon to Bitcoin..."

But we will have - some drugs, pedophile, guns... maybe even murders

what else?

Who cares?...

A coin is a coin is a coin, just like a dollar bill is a dollar bill is a dollar bill, with or without coke on it.
hero member
Activity: 558
Merit: 500
http://articles.cnn.com/2009-08-14/health/cocaine.traces.money_1_cocaine-dollar-bills-paper-bills?_s=PM:HEALTH

"Coming soon to Bitcoin..."

But we will have - some drugs, pedophile, guns... maybe even murders

what else?
legendary
Activity: 910
Merit: 1001
Revolutionizing Brokerage of Personal Data
Anything adding an extra layer of complexity is a massive NO-GO for bitcoin IMO.

You have to take into account that there are hundreds of ways such a system would be gamed. A complexity arms race is the least thing bitcoin needs.
+1

As soon as there's such a mechanism, stolen coins will find a way to avoid being detected, there's just no way you can do that 100% reliably. This would only result in a great big mess - people wrongfully accusing others of having their coins stolen (even if it was a regular payment or donation) just to get them into trouble, people fighting over evidence and reputation, online wallet services getting into trouble because some think their acceptance policies are not strict enough, tainting coins of innocent others in the process, people flooding donation addresses with tainted coins,...
Also, what would be the next step? Refuse blocks from "shady" miners who include transactions with tainted fees?

We really don't need that - fighting Bitcoin thefts at that level is just not the way to go. You'd only make it a bit harder for Bitcoin thieves at the cost of making Bitcoin a much more miserable experience for everyone else!

Oh and I'm not trying to talk anybody out of implementing such a system, please go ahead and do it, just don't expect it to become widely adopted. Even people thinking such a system would be a good idea in principle are likely to disagree on the details, fighting and lobbying for their favored policies, etc... In the end, it would have been much more effective to just make two-factor authentication easy to use for everyone.
hero member
Activity: 812
Merit: 1000
Bitcoins should not need to optimize themselves for thieves and money launderers but should instead optimize themselves for use by honest folk.

i disagree that something as neutral as money should be biased towards any specific kind of person.

i do agree that as you say, this is not a technical problem.
donator
Activity: 980
Merit: 1000
Anything adding an extra layer of complexity is a massive NO-GO for bitcoin IMO.

You have to take into account that there are hundreds of ways such a system would be gamed. A complexity arms race is the least thing bitcoin needs.

For example: order of transactions within a block is not deterministic. I can have a clean account with, say, only freshly mined coins, and a tainted account. I give you the clean address and you accept the payment by some automatic means of checking taint. Then I immediately transfer a boatload of highly tainted coins to this address. Both transactions happen in the same block and you cannot reliably tell which happened first. Your account is now highly tainted, you may just have lost a lot of value if untainted coins have a big premium due to this system. Then you have to add even more delay to the already high delay there is to have a proper number of confirmations, and you really cannot have an automated system.

Off the top of my head I can think of dozens of attacks.

I wouldn't work in a system like this. Not while I still have coins.
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
Now let's move on and talk about a technical solution.
I don't think there's a technical problem. What problem do you think needs a technical solution? If you mean working on a way to help thieves more easily make their coins untrackable, you're way off track. Dollar bills are quite trackable, every one has a serial number on it, and they don't have this problem. Bitcoins should not need to optimize themselves for thieves and money launderers but should instead optimize themselves for use by honest folk.
legendary
Activity: 1526
Merit: 1001
Whether you like it or not, whether this destroys bitcoin fungibility are both completely irrelevant: you can't prevent it from happening.
Okay, if this shall be inevitably the case I will leave the bitcoin project sooner or later.

Just because you can't prevent something from happening doesn't mean it is inevitable!

Sure, if Bitcoin businesses and individuals started to check for the reputation of coins they receive then there's little you can do about it but I highly doubt this will happen. It is simply too much of a hassle to do this in a sensible way. Amongst other things, you'd have to establish a reputation infrastructure, a dispute resolution process and of course you have to get it supported by the standard client. Also, what if the coin reputation service goes down or is DDoSed? Do you suspend the Bitcoin network?

I honestly don't see that happening - especially with Bitcoin often being used in an automated fashion this becomes much too much of a hassle. Also I really hope that with multisig / two-factor authentication becoming established, we won't see many large thefts in Bitcoinland anymore.

Agreed. Let's hope it is too much of a hassle. But let's hope MtGox, who is by far the biggest and possibly indispensable exchange, sees it that way also.
legendary
Activity: 910
Merit: 1001
Revolutionizing Brokerage of Personal Data
Whether you like it or not, whether this destroys bitcoin fungibility are both completely irrelevant: you can't prevent it from happening.
Okay, if this shall be inevitably the case I will leave the bitcoin project sooner or later.

Just because you can't prevent something from happening doesn't mean it is inevitable!

Sure, if Bitcoin businesses and individuals started to check for the reputation of coins they receive then there's little you can do about it but I highly doubt this will happen. It is simply too much of a hassle to do this in a sensible way. Amongst other things, you'd have to establish a reputation infrastructure, a dispute resolution process and of course you have to get it supported by the standard client. Also, what if the coin reputation service goes down or is DDoSed? Do you suspend the Bitcoin network?

I honestly don't see that happening - especially with Bitcoin often being used in an automated fashion this becomes much too much of a hassle. Also I really hope that with multisig / two-factor authentication becoming established, we won't see many large thefts in Bitcoinland anymore.
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
A bitcoin business, such as an exchange can decide to accept your coins or not based on how "clean" they are. Whether you like it or not, whether this destroys bitcoin fungibility are both completely irrelevant: you can't prevent it from happening.
I think there's a lot I, and others, can do to prevent it from happening. The first thing is to make stakeholders understand that this is a huge threat. The second thing is to come up with better responses that don't involve tainting coins. (Which, from the evidence I've seen so far, seems to be what Mt. Gox is doing. So kudos to Gox.)
legendary
Activity: 1526
Merit: 1001
After reading Mt. Gox terms of service over and over again, it is probably easier to just describe it like this:

"We do as we please with your account, but if you play nice we might send your held currencies to a bank account upon termination. We also reserve the right to change our mind at any time."
That's pretty typical of terms of service. That's why it's very important to distinguish what the terms of service say and what a company actually does. Mt. Gox's terms of service claim to allow them to steal someone's Bitcoins, but they certainly don't have a policy of doing that. (Nor could they actually get away with it if they tried.)

Quoting their ToS in response to a question of whether Mt. Gox actually has a policy of rejecting "tainted" Bitcoins is spectacularly unhelpful. The question is -- what would Mt. Gox actually do if someone deposited Bitcoins traceable to the Linode theft into their account. And my hope would be that they might notify authorities or notify the depositor, but they most certainly would process that deposit normally, absent some evidence the depositor was involved in the theft somehow.

Almost anything else destroys the usability of Bitcoins. If I have to worry that my Bitcoins might become unspendable in the future, how can I accept them as payment?

This is pretty clear, but you're stopping halfway through your reasoning: it's not like you have a choice in the matter.

Given the existing information out there (the universal ledger, aka the block chain), and given a public list of fraudulent transactions, the "cleanliness" of a batch of coins can be computed fairly simply unless it's been laundered extensively.

As to a public registry of fraudulent TX, it's only a matter of time, and I suspect the claims made there will be reputation weighted.

A bitcoin business, such as an exchange can decide to accept your coins or not based on how "clean" they are. Whether you like it or not, whether this destroys bitcoin fungibility are both completely irrelevant: you can't prevent it from happening.

The only way would be if cheap, large scale laundering operations start to crop up. And even those aren't easy.


Okay, if this shall be inevitably the case I will leave the bitcoin project sooner or later. I'm guessing sooner. Eventually, with all that risk and technical verification that will need to be involved by everyone, it means there will be no future for BTC and I won't continue to invest in something that has no future.
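The "cleanliness" computation and the "formula to determine level of taint" debated in this thread, as an added example that is not from any poster: it scores the same constructed transaction graph under two common policies, usually called poison and haircut, to show how far the verdict on an uninvolved recipient depends on which formula is chosen. All transaction ids and values are constructed, and fees are ignored.

```python
from fractions import Fraction

# Constructed graph: txid -> (inputs as (source txid, output index), output values in BTC)
TXS = {
    "theft":      ([], [100]),                                   # on the flagged list
    "coinbase_a": ([], [50]),                                    # freshly mined
    "coinbase_b": ([], [50]),                                    # freshly mined
    "merge":      ([("theft", 0), ("coinbase_a", 0)], [120, 30]),
    "spend":      ([("merge", 1)], [30]),                        # paid to an uninvolved party
    "mixed":      ([("spend", 0), ("coinbase_b", 0)], [80]),
}
FLAGGED = {"theft"}

def taint(txid, policy, flagged=FLAGGED, txs=TXS, _memo=None):
    """Return the taint fraction (0..1) carried by every output of txid.

    poison : any tainted input makes all outputs fully tainted.
    haircut: outputs inherit the value-weighted average taint of the inputs.
    """
    memo = {} if _memo is None else _memo
    if txid in memo:
        return memo[txid]
    inputs, _ = txs[txid]
    if txid in flagged:
        result = Fraction(1)
    elif not inputs:
        result = Fraction(0)
    else:
        # (value of the spent output, taint of the transaction that created it)
        parts = [(txs[src][1][vout], taint(src, policy, flagged, txs, memo))
                 for src, vout in inputs]
        if policy == "poison":
            result = Fraction(1) if any(t > 0 for _, t in parts) else Fraction(0)
        elif policy == "haircut":
            result = sum(v * t for v, t in parts) / sum(v for v, _ in parts)
        else:
            raise ValueError(f"unknown policy: {policy}")
    memo[txid] = result
    return result

def report(policy):
    """Taint of every transaction in the constructed graph under one policy."""
    return {txid: taint(txid, policy) for txid in TXS}

if __name__ == "__main__":
    for policy in ("poison", "haircut"):
        print(policy, {k: str(v) for k, v in report(policy).items()})
```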
legendary
Activity: 1526
Merit: 1001
After reading Mt. Gox terms of service over and over again, it is probably easier to just describe it like this:

"We do as we please with your account, but if you play nice we might send your held currencies to a bank account upon termination. We also reserve the right to change our mind at any time."
That's pretty typical of terms of service. That's why it's very important to distinguish what the terms of service say and what a company actually does. Mt. Gox's terms of service claim to allow them to steal someone's Bitcoins, but they certainly don't have a policy of doing that. (Nor could they actually get away with it if they tried.)

Quoting their ToS in response to a question of whether Mt. Gox actually has a policy of rejecting "tainted" Bitcoins is spectacularly unhelpful. The question is -- what would Mt. Gox actually do if someone deposited Bitcoins traceable to the Linode theft into their account. And my hope would be that they might notify authorities or notify the depositor, but they most certainly would process that deposit normally, absent some evidence the depositor was involved in the theft somehow.

Almost anything else destroys the usability of Bitcoins. If I have to worry that my Bitcoins might become unspendable in the future, how can I accept them as payment?

+1
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
After reading Mt. Gox terms of service over and over again, it is probably easier to just describe it like this:

"We do as we please with your account, but if you play nice we might send your held currencies to a bank account upon termination. We also reserve the right to change our mind at any time."
That's pretty typical of terms of service. That's why it's very important to distinguish what the terms of service say and what a company actually does. Mt. Gox's terms of service claim to allow them to steal someone's Bitcoins, but they certainly don't have a policy of doing that. (Nor could they actually get away with it if they tried.)

Quoting their ToS in response to a question of whether Mt. Gox actually has a policy of rejecting "tainted" Bitcoins is spectacularly unhelpful. The question is -- what would Mt. Gox actually do if someone deposited Bitcoins traceable to the Linode theft into their account. And my hope would be that they might notify authorities or notify the depositor, but they most certainly would process that deposit normally, absent some evidence the depositor was involved in the theft somehow.

Almost anything else destroys the usability of Bitcoins. If I have to worry that my Bitcoins might become unspendable in the future, how can I accept them as payment?
sr. member
Activity: 355
Merit: 284
-"When the going gets weird, the weird turn pro."
"bitcoin rules"
WTH hell are you talking about man ... time to lay off the vodka.

I'm talking about http://en.wikipedia.org/wiki/Fungibility



I think Andrew makes perfect sense, even before the wiki link.

After reading Mt. Gox terms of service over and over again, it is probably easier to just describe it like this:

"We do as we please with your account, but if you play nice we might send your held currencies to a bank account upon termination. We also reserve the right to change our mind at any time."
