Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYM... - page 5.

BkkCoins

hero member

Activity: 784

Merit: 1009

firstbits:1MinerQ

Quote from: JoelKatz on March 02, 2012, 12:19:00 PM

Quote from: Matthew N. Wright on March 02, 2012, 06:01:03 AM

Yea, so you agree then? Linode should be held responsible since it had nothing to do with customer security and was indistinguishable from an inside job...

That forces the majority of Linode customers, who don't host large-value websites, to subsidize those who do. To provide coverage for exceptional and consequential losses, Linode would have to obtain much more expensive insurance and raise their rates to cover it. There's certainly room in the market for such a service, but I don't see why Linode should be forced to provide it, and their customers forced to pay for it, if they don't wish to.

If you put leave your $50,000 Rolex watch in the pocket of a coat you put in the coat check of your local restaurant, you can't expect them to be responsible for it. It's just too costly to provide a service suitable for that type of high-value item. Use a safety-deposit box, where you pay for that level of security.

Bitcoins in a hot wallet are simply too valuable and too easy to steal. Putting them on a cheap hosting account is equivalent to checking the Rolex at a restaurant.

IMO the only way in court you might successfully win damages is if you showed they were negligent regarding their security. I think that would be pretty hard. You'd probably have to show they were aware of the vulnerability or open "customer service portal" and disregarded it. Or maybe they knew an employee was involved in malicious accesses but ignored it. In either case it would probably require an inside whistle blower. So far there haven't been indications that negligence occurred.

bitcoinBull

legendary

Activity: 826

Merit: 1001

rippleFanatic

Quote from: Raoul Duke on March 02, 2012, 10:24:49 AM

Quote from: Kluge on March 02, 2012, 10:00:04 AM

Operator of Silk Road?

Coincidently with this incident I went to check the road, and guess what...

Quote

The Silk Road is down for maintenance. We will get the site back up asap. Thank you for your patience.

Now this would be interesting. Wild speculation here.. but SR could've been hosting their online-wallet at linode and may have been one of the other 5 linode accounts accessed.

cypherdoc

legendary

Activity: 1764

Merit: 1002

our gov't stores gold at Fort Knox (allegedly) or in the basement of the FRBNY inside vaults with security guards, etc.

our banks store their fiat cash in vaults with similar heavy security.

Bitcoin cash needs to be stored in a likely manner.

JoelKatz

legendary

Activity: 1596

Merit: 1012

Democracy is vulnerable to a 51% attack.

Quote from: Matthew N. Wright on March 02, 2012, 06:01:03 AM

Yea, so you agree then? Linode should be held responsible since it had nothing to do with customer security and was indistinguishable from an inside job...

That forces the majority of Linode customers, who don't host large-value websites, to subsidize those who do. To provide coverage for exceptional and consequential losses, Linode would have to obtain much more expensive insurance and raise their rates to cover it. There's certainly room in the market for such a service, but I don't see why Linode should be forced to provide it, and their customers forced to pay for it, if they don't wish to.

If you put leave your $50,000 Rolex watch in the pocket of a coat you put in the coat check of your local restaurant, you can't expect them to be responsible for it. It's just too costly to provide a service suitable for that type of high-value item. Use a safety-deposit box, where you pay for that level of security.

Bitcoins in a hot wallet are simply too valuable and too easy to steal. Putting them on a cheap hosting account is equivalent to checking the Rolex at a restaurant.

HostFat

staff

Activity: 4214

Merit: 1203

I support freedom of choice

Anyway, it can be interesting to see who with a good knowledge of Bitcoin isn't posting on the forum during the last 2/3 days

( posting somewhere in the forum after my message isn't a good way to avoid the scanning Grin

)

HostFat

staff

Activity: 4214

Merit: 1203

I support freedom of choice

Quote from: goodlord666 on March 02, 2012, 10:48:00 AM

Satoshi is back!!

Wait! Are these addresses connected with some that Satoshi owned? ( I know that I can check, I just want an easy answer Grin

)

Matthew N. Wright

hero member

Activity: 588

Merit: 500

Hero VIP ultra official trusted super staff puppet

Quote from: goodlord666 on March 02, 2012, 10:48:00 AM

Quote from: Maged on March 01, 2012, 10:48:11 PM

Shit, this guy knows his stuff. Check out the transaction size of the 25k transaction:
http://blockchain.info/tx-index/2893660/d9804de366aa4c2a01565c3a3c8aa2ea20baafc276dc875f80b9044841205333
Size: 1337 (bytes)

I guarantee that isn't a coincidence.

Satoshi is back!!

Yep. Just reclaiming his property.

goodlord666

sr. member

Activity: 434

Merit: 250

100%

Quote from: Maged on March 01, 2012, 10:48:11 PM

Shit, this guy knows his stuff. Check out the transaction size of the 25k transaction:
http://blockchain.info/tx-index/2893660/d9804de366aa4c2a01565c3a3c8aa2ea20baafc276dc875f80b9044841205333
Size: 1337 (bytes)

I guarantee that isn't a coincidence.

Satoshi is back!!

Matthew N. Wright

hero member

Activity: 588

Merit: 500

Hero VIP ultra official trusted super staff puppet

Quote from: bitcoinsarefun on March 02, 2012, 10:24:58 AM

I was reading the slashdot story on this today and got a chuckle ... they served a linode ad embedded in the article about a linode exploit.

i thought it was funny

Irony.

bitcoinsarefun

member

Activity: 98

Merit: 10

I was reading the slashdot story on this today and got a chuckle ... they served a linode ad embedded in the article about a linode exploit.

i thought it was funny

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: Kluge on March 02, 2012, 10:00:04 AM

Operator of Silk Road?

Coincidently with this incident I went to check the road, and guess what...

Quote

The Silk Road is down for maintenance. We will get the site back up asap. Thank you for your patience.

Kluge

donator

Activity: 1218

Merit: 1015

Quote from: Matthew N. Wright on March 02, 2012, 09:55:44 AM

Quote from: muyuu on March 02, 2012, 09:51:42 AM

Quote from: Micon on March 02, 2012, 09:44:13 AM

2) Ok, so I'm a master criminal, and I hacked the lol-tastic Linoodle security web tool, and I steal the 40k BTC off all the BTC business sites hosted there - so I have ~ $160k USD and i'm an asshole so I'd like to get some cash now. (also note homeboy is certainly reading this thread) You pretty much need to sell any reasonable amount on Gox. If they are smart they will lay low and not make any more transactions for a while. But, at some point, those coins are going to have to make it to Gox. we should ask them, really fucking nicely, to do all they can to make sure those coins don't get turned into cash on their xchange. Tradehill too. If you can get enough of the exchanges, even down to the small ones, to get on board with this and someone write some code to follow the block chain until it gets to Gox. Might be able to get some more clues.

Firstly, it looks like we're looking at 50K+ BTC.

Secondly, we need the homeboy to get either lazy or impatient. I don't want to be giving ideas but certainly these coins don't have to ever make it to any exchange if he's determined enough...

It's even more likely they never will. People who already had that amount could just be recouping losses of selling their legitimate coins. We're not looking for a poor hacker here, we're looking for someone who already had a lot of coins to begin with. A business maybe. Bitcoinica would be the first person to suspect tbh (although I don't have reason to believe it was Zhou).

Operator of Silk Road?

Matthew N. Wright

hero member

Activity: 588

Merit: 500

Hero VIP ultra official trusted super staff puppet

Quote from: muyuu on March 02, 2012, 09:51:42 AM

Quote from: Micon on March 02, 2012, 09:44:13 AM

2) Ok, so I'm a master criminal, and I hacked the lol-tastic Linoodle security web tool, and I steal the 40k BTC off all the BTC business sites hosted there - so I have ~ $160k USD and i'm an asshole so I'd like to get some cash now. (also note homeboy is certainly reading this thread) You pretty much need to sell any reasonable amount on Gox. If they are smart they will lay low and not make any more transactions for a while. But, at some point, those coins are going to have to make it to Gox. we should ask them, really fucking nicely, to do all they can to make sure those coins don't get turned into cash on their xchange. Tradehill too. If you can get enough of the exchanges, even down to the small ones, to get on board with this and someone write some code to follow the block chain until it gets to Gox. Might be able to get some more clues.

Firstly, it looks like we're looking at 50K+ BTC.

Secondly, we need the homeboy to get either lazy or impatient. I don't want to be giving ideas but certainly these coins don't have to ever make it to any exchange if he's determined enough...

It's even more likely they never will. People who already had that amount could just be recouping losses of selling their legitimate coins. We're not looking for a poor hacker here, we're looking for someone who already had a lot of coins to begin with. A business maybe. Bitcoinica would be the first person to suspect tbh (although I don't have reason to believe it was Zhou).

muyuu

donator

Activity: 980

Merit: 1000

Quote from: Micon on March 02, 2012, 09:44:13 AM

2) Ok, so I'm a master criminal, and I hacked the lol-tastic Linoodle security web tool, and I steal the 40k BTC off all the BTC business sites hosted there - so I have ~ $160k USD and i'm an asshole so I'd like to get some cash now. (also note homeboy is certainly reading this thread) You pretty much need to sell any reasonable amount on Gox. If they are smart they will lay low and not make any more transactions for a while. But, at some point, those coins are going to have to make it to Gox. we should ask them, really fucking nicely, to do all they can to make sure those coins don't get turned into cash on their xchange. Tradehill too. If you can get enough of the exchanges, even down to the small ones, to get on board with this and someone write some code to follow the block chain until it gets to Gox. Might be able to get some more clues.

Firstly, it looks like we're looking at 50K+ BTC.

Secondly, we need the homeboy to get either lazy or impatient. I don't want to be giving ideas but certainly these coins don't have to ever make it to any exchange if he's determined enough...

Micon

legendary

Activity: 1232

Merit: 1014

FPV Drone Pilot

1) BTC / block chain / block explorer is awesome as we can literally see where the money goes. If anyone does any transaction with any of these funds, assuming you would ever really follow this enough to have a computer look for one of the hashes on this trail of tears, then please post everything about it here.

2) Ok, so I'm a master criminal, and I hacked the lol-tastic Linoodle security web tool, and I steal the 40k BTC off all the BTC business sites hosted there - so I have ~ $160k USD and i'm an asshole so I'd like to get some cash now. (also note homeboy is certainly reading this thread) You pretty much need to sell any reasonable amount on Gox. If they are smart they will lay low and not make any more transactions for a while. But, at some point, those coins are going to have to make it to Gox. we should ask them, really fucking nicely, to do all they can to make sure those coins don't get turned into cash on their xchange. Tradehill too. If you can get enough of the exchanges, even down to the small ones, to get on board with this and someone write some code to follow the block chain until it gets to Gox. Might be able to get some more clues.

just some thoughts.

definitely clubs.

sje397

newbie

Activity: 23

Merit: 0

Quote from: ?? on ??

Quote from: 99Percent on March 02, 2012, 01:56:46 AM

Lesson learned: private keys (wallet.dat) are just that: private. Once you put them out there, cloud, webserver, hosting server, email, etc, THEY ARE NO LONGER PRIVATE.

Can we move along now?

Actually, I think the real lesson here for pool operators
is that they should all move to the eligius model:

   - eligius has no notion "customer accounts. These are a giant PITA for the miners,
   require the pool op to manage a DB which is a PITA in itself. Accounts are also the
   source of a whole host of security problem:
   - need to create account/login -> need to enter data in website -> exposure surface to SQL injections
   - need an email -> phishing attacks, etc .

   - on eligius, miner just send their shares along with a public address
   - on eligius, no need to store any kind of BTC amount on the pool server at any time:
   the payout is built into the block from the coinbase. No BTC ever hit disk.
   - on eligius, added bonus: anonymity for the pool users
   - on eligius, added bonus: much easier to use for miners

P2pool is another one.

BkkCoins

hero member

Activity: 784

Merit: 1009

firstbits:1MinerQ

Quote from: ?? on ??

Quote from: BkkCoins on March 02, 2012, 06:13:02 AM

You missed - on eligius, added bonus:
The coins you receive are virgin whereas with most pools you potentially could get mixed/old coins.

What is the advantage of virgin coins Huh

They're not associated with any past transactions so have better anonymity.

payb.tc

hero member

Activity: 812

Merit: 1000

Quote from: ?? on ??

Quote from: BkkCoins on March 02, 2012, 06:13:02 AM

You missed - on eligius, added bonus:
The coins you receive are virgin whereas with most pools you potentially could get mixed/old coins.

What is the advantage of virgin coins Huh

weren't you the one that brought up the whole concept of taint recently?

virgin coins have 0% taint.

Matthew N. Wright

hero member

Activity: 588

Merit: 500

Hero VIP ultra official trusted super staff puppet

Quote from: LightRider on March 02, 2012, 06:10:13 AM

Quote from: Matthew N. Wright on March 02, 2012, 05:59:37 AM

Quote from: LightRider on March 02, 2012, 05:44:37 AM

Quote from: Matthew N. Wright on March 02, 2012, 05:19:08 AM

Quote from: LightRider on March 02, 2012, 05:14:15 AM

In any event, I bet every major host is double checking their TOS and reminding their clientele that they don't cover "imaginary webzone dollar" losses.

If facebook's employee administrator panel was hacked into and someone stole facebook credits from users, would they say "fuck you it's imaginary money"?

I hope you're being sarcastic and not an uneducated twat who has never heard of digital commodities, intellectual properties and suing for damages.

Well Facebook has complete control over their own currency and could easily mitigate such issues. Bitcoin is a different animal of a different color on a different planet. This isn't a data redundancy issue, nor an intellectual property issue. This is storing, backing up and restricting access to unique digital information that once accessed and used, is no longer valuable to anyone anywhere ever again (particularly the victim). I can steal the secret formula for Coca Cola, but that doesn't prevent Coca Cola from continuing to produce and sell their beverage. I can pirate a movie, but that doesn't mean the original copy is unviewable (in the vast majority of cases). I can login and delete all of your live data, but you still likely have backups. I can't keep my wallet in a safe and have the ability to double spend my illicitly accessed bitcoin (outside of exceedingly unlikely circumstances).

I do not believe that I am a twat.

PS: All money is imaginary.

You are trying to preach a libertarian ideal without accepting that the US legal system is not libertarian. Bring it back down to earth now.

In a court of law, what Linode did was actionable. That is the only point that needs be made.

P.S. I don't think you're a twat and I typically agree with you, but this point smells of agenda.

A court of law and physical reality don't always agree, I'll give you that. I'm hopeful that all parties involved will work together to determine what can be done to mitigate the losses, but this is an unfortunate collision between the purity of mathematical and physical reality and legal opinion, (assuming it even gets that far), and opinion will never trump reality.

Fair enough. ^^

LightRider

legendary

Activity: 1500

Merit: 1021

I advocate the Zeitgeist Movement & Venus Project.

Quote from: ?? on ??

Quote from: BkkCoins on March 02, 2012, 06:13:02 AM

You missed - on eligius, added bonus:
The coins you receive are virgin whereas with most pools you potentially could get mixed/old coins.

What is the advantage of virgin coins Huh

You can sacrifice them to please internet gods.

Topic: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYM... - page 5. (Read 62090 times)