Pages:
Author

Topic: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYM... - page 7. (Read 62186 times)

legendary
Activity: 1330
Merit: 1000
Bitcoin
Come on, stop spreading FUD. There is NO WAY IN HELL that the guy can cash out so quickly. Think of daily withdrawal limits, ID verification, coin tracing, and so forth.

My guess? Disheartened noobs cashing out because of loss of faith in the system. All the more coins for me!

Yeah, it's more likely market panic.

The price is dropping  Huh  Not going to lie I got a little shaken also ...uggh...
legendary
Activity: 980
Merit: 1020
Come on, stop spreading FUD. There is NO WAY IN HELL that the guy can cash out so quickly. Think of daily withdrawal limits, ID verification, coin tracing, and so forth.

My guess? Disheartened noobs cashing out because of loss of faith in the system. All the more coins for me!

Yeah, it's more likely market panic.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
aaaand the selling begins... http://mtgoxlive.com

Come on, stop spreading FUD. There is NO WAY IN HELL that the guy can cash out so quickly. Think of daily withdrawal limits, ID verification, coin tracing, and so forth.

My guess? Disheartened noobs cashing out because of loss of faith in the system. All the more coins for me!
full member
Activity: 146
Merit: 100
I would not trust any shared host (VM or not) that has access to your data for a wallet over $1000.  The only way to do this is with encrypted disks that are setup or encrypted by the customer with no host access of any kind.  No 'control panel" based hosting.  

 For sure a shared host can be less trusted than a dedicated server but . . . if the datacenter manager ( or employee ) is compromised, the thief can reboot in rescue mode, acces the disk, change root password . . . and the result will be the same . . . cold storage and therefore delayed withdraws ( manually validated once / day by the pool or exchange admin ) seem to be the only safe answer to me . . .


hero member
Activity: 812
Merit: 1000
aaaand the selling begins... http://mtgoxlive.com
sr. member
Activity: 406
Merit: 250

These are all the transactions with outputs of 2500 BTC or more in the time period we're looking at:

Code:
Thu Mar  1 02:16:40 2012 e558957e4108f33775f08cc1277d22fbb51261d232a2d2a14cfd518d333ce5f1 2822.44
Thu Mar  1 06:50:07 2012 7b45c1742ca9f544cccd92d319ef8a5e19b7dcb8742990724c6a9c2f569ae732 20555.0
Thu Mar  1 06:50:07 2012 0268b7285b95444808753969099f7ae43fb4193d442e3e0deebb10e2bb1764d0 10000.0
Thu Mar  1 06:50:07 2012 901dbcef30a541b8b55fae8f7ad9917ef0754bda5b643705f3773e590785c4d3 3000.0
Thu Mar  1 06:50:07 2012 a82ad85286c68f37a2feda1f5e8a4efa9db1e642b4ef53cb9fd86170169e5e68 3000.0
Thu Mar  1 06:50:07 2012 a57132e2cbc580ac262aa3f7bac1e441d6573f9633118bc48009618585a0967e 3000.0
Thu Mar  1 07:59:31 2012 34b84108a142ad7b6c36f0f3549a3e83dcdbb60e0ba0df96cd48f852da0b1acb 3094.0 <-- slush
Thu Mar  1 18:39:22 2012 d9804de366aa4c2a01565c3a3c8aa2ea20baafc276dc875f80b9044841205333 25000.0

The Bitcoinica 10k is certainly in that 06:50:07 block - it was a busy block indeed!  http://blockexplorer.com/b/169179

https://bitcointalksearch.org/topic/bitcoinica-lost-43554-btc-from-linode-compromise-suspicious-txids-publicized-66979 -- They posted some of their "suspicious" TX Id's
legendary
Activity: 1764
Merit: 1002
Yea, that is a reason to remain 'low profile'. But the faucet...yea, that just doesn't make sense. 5, 20 or 100 coins, grabbing from the faucet will hurt the end game.

Now we are getting somewhere. Hacker works for the CIA? Or, more likely, hacker works for a large bank or collection of banks? Stealing from the faucet is terrorism, plain and simple. Call the federales.

The last few replies mention allinvain and CIA  - anyone seen allinvain?  hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm

Couple of ways to look at it. One Allinvain worked for the CIA and wanted to make it look like there was a "huge bitcoin" loss or two the  CIA off'd Allinvain since nobody has heard from him in what like a thousand years? Or taken him to the brig off at sea....

no, he's been posting regularly over in the Hardware section in the Ztex thread i believe.
legendary
Activity: 2940
Merit: 1333

These are all the transactions with outputs of 2500 BTC or more in the time period we're looking at:

Code:
Thu Mar  1 02:16:40 2012 e558957e4108f33775f08cc1277d22fbb51261d232a2d2a14cfd518d333ce5f1 2822.44
Thu Mar  1 06:50:07 2012 7b45c1742ca9f544cccd92d319ef8a5e19b7dcb8742990724c6a9c2f569ae732 20555.0
Thu Mar  1 06:50:07 2012 0268b7285b95444808753969099f7ae43fb4193d442e3e0deebb10e2bb1764d0 10000.0
Thu Mar  1 06:50:07 2012 901dbcef30a541b8b55fae8f7ad9917ef0754bda5b643705f3773e590785c4d3 3000.0
Thu Mar  1 06:50:07 2012 a82ad85286c68f37a2feda1f5e8a4efa9db1e642b4ef53cb9fd86170169e5e68 3000.0
Thu Mar  1 06:50:07 2012 a57132e2cbc580ac262aa3f7bac1e441d6573f9633118bc48009618585a0967e 3000.0
Thu Mar  1 07:59:31 2012 34b84108a142ad7b6c36f0f3549a3e83dcdbb60e0ba0df96cd48f852da0b1acb 3094.0 <-- slush
Thu Mar  1 18:39:22 2012 d9804de366aa4c2a01565c3a3c8aa2ea20baafc276dc875f80b9044841205333 25000.0

The Bitcoinica 10k is certainly in that 06:50:07 block - it was a busy block indeed!  http://blockexplorer.com/b/169179
sr. member
Activity: 372
Merit: 250
I can't believe the hacker!

Don't even let off 5 Bitcoins...  Sad


If you think about it that is pretty low - attack the free bitcoin faucent wtf?  Huh

Thieving is the lowest of all sins.  
legendary
Activity: 1330
Merit: 1000
Bitcoin
Yea, that is a reason to remain 'low profile'. But the faucet...yea, that just doesn't make sense. 5, 20 or 100 coins, grabbing from the faucet will hurt the end game.

Now we are getting somewhere. Hacker works for the CIA? Or, more likely, hacker works for a large bank or collection of banks? Stealing from the faucet is terrorism, plain and simple. Call the federales.

The last few replies mention allinvain and CIA  - anyone seen allinvain?  hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm

Couple of ways to look at it. One Allinvain worked for the CIA and wanted to make it look like there was a "huge bitcoin" loss or two the  CIA off'd Allinvain since nobody has heard from him in what like a thousand years? Or taken him to the brig off at sea....
legendary
Activity: 1428
Merit: 1000
https://www.bitworks.io
I've seen a fair bit of traffic since I got into bitcoin talking about encrypting one's wallet if it's used for backup, etc. The initial articel I read indicating Linode was used only to hold a copy of the wallet but in reading the posts it sounds like it was the live wallet used to make transactions on the running systems, I guess I'm curious regarding which it was.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Yea, that is a reason to remain 'low profile'. But the faucet...yea, that just doesn't make sense. 5, 20 or 100 coins, grabbing from the faucet will hurt the end game.

Now we are getting somewhere. Hacker works for the CIA? Or, more likely, hacker works for a large bank or collection of banks? Stealing from the faucet is terrorism, plain and simple. Call the federales.
sr. member
Activity: 406
Merit: 251
Getting access to the Linode admin UI doesn't give access to the server itself.  You can view the console, but you just get the login prompt.  You still need the server's password to log in.

To reset the password the server has to be shut down so that /etc/shadow can be modified.  At that point they could just go in and grab the data, but they most likely used Linode's password changer to minimize the downtime to a few seconds to help prevent getting caught.

A reboot wouldn't be required if they got access to the Linode hosts, but it doesn't sound like that was the case here.  I'm guessing the exploit is in their web-based server management.

This is by far one of the scariest things about the process.  Considering Slush and the Faucet were compromised at roughly the same time, it points to the flaw being in Linode's administrative control panel.  A -very- scary situation, considering Linode is one of the largest VPS providers around.

I'm late to the party. None of my bitcoind Linodes have been compromised...yet. Come and get 'em...all my coins are hot now.

I guess it was mostly the 'highest profile' targets that got hit, which explains Gavin getting chosen (although I always thought the faucet kept a rather low amount of coins in it at any time to a roughly equal inflow/outflow of coins or the fact that it used to run empty often

Yea, that is a reason to remain 'low profile'. But the faucet...yea, that just doesn't make sense. 5, 20 or 100 coins, grabbing from the faucet will hurt the end game.


legendary
Activity: 2940
Merit: 1333
Have a more secure system in place next time.

The attacker went outside his secure system and gained root access.  There's not much you can do about that except for not using a hosting service which allows attackers root access to your files.

How about encrypting the wallet ?

I have root access.  I log in, modify bitcoind to send a copy of the plaintext password in a file somewhere the next time they type it, then reboot their system.  They log back in, type their password, and I get their BTC.  It's very hard to protect against an attacker with root access.  P2SH would help, of course.
legendary
Activity: 826
Merit: 1001
rippleFanatic
I can't believe the hacker!

Don't even let off 5 Bitcoins...  Sad


If you think about it that is pretty low - attack the free bitcoin faucent wtf?  Huh

It was just for confirming he had access to all of Linode.  They said only 8 accounts were accessed (presumably those running bitcoind), so one question is, who were the other 5 and did they have any coins in their wallet?

Also, why 25k BTC?  That's the exact same number allinvain lost.  allinvain had a bit more than 25k in his wallet, but the thief only stole 25k even and let him keep the rest.
legendary
Activity: 1330
Merit: 1000
Bitcoin
I can't believe the hacker!

Don't even let off 5 Bitcoins...  Sad


If you think about it that is pretty low - attack the free bitcoin faucent wtf?  Huh
hero member
Activity: 714
Merit: 500
I can't believe the hacker!

Don't even let off 5 Bitcoins...  Sad

legendary
Activity: 1764
Merit: 1002
do these incidents not bode well for online clients like Electrum or Blockchain.info?

even with encrypted user generated private keys, they can be stolen by the server when opened to sign tx's.

Server never "opens" the key.  The signing is done client side.  While you could have funds stolen it would be because of malware on your computer.  There is nothing on the server to steal.

refer to the section written by piuk himself:  http://bitcoin.stackexchange.com/questions/2240/what-are-the-risks-of-using-strongcoin-com-as-an-online-wallet
sr. member
Activity: 350
Merit: 250
I never hashed for this...
Getting access to the Linode admin UI doesn't give access to the server itself.  You can view the console, but you just get the login prompt.  You still need the server's password to log in.

To reset the password the server has to be shut down so that /etc/shadow can be modified.  At that point they could just go in and grab the data, but they most likely used Linode's password changer to minimize the downtime to a few seconds to help prevent getting caught.

A reboot wouldn't be required if they got access to the Linode hosts, but it doesn't sound like that was the case here.  I'm guessing the exploit is in their web-based server management.

This is by far one of the scariest things about the process.  Considering Slush and the Faucet were compromised at roughly the same time, it points to the flaw being in Linode's administrative control panel.  A -very- scary situation, considering Linode is one of the largest VPS providers around.

I'm late to the party. None of my bitcoind Linodes have been compromised...yet. Come and get 'em...all my coins are hot now.

I guess it was mostly the 'highest profile' targets that got hit, which explains Gavin getting chosen (although I always thought the faucet kept a rather low amount of coins in it at any time to a roughly equal inflow/outflow of coins or the fact that it used to run empty often
sr. member
Activity: 350
Merit: 250
I never hashed for this...
Also, JeffK, your Ron Paul sig quote irritates me.

Is quoting Paul not alloed here? I thought everyone was pretty libertarian? or was it that I had a Carl Marks quote next to it.
Pages:
Jump to: