Topic: Instawallet/Bitcoin-Central Security Breach - page 3. (Read 85276 times)

As long as they're aware of the fact that it's rather unsafe, I guess you're right and it provides for a very convenient way of accessing your funds. Judging by the accounts with over 50 BTC on them, though, this awareness wasn't as widespread.


At the risk of venturing off-topic: a while ago I was pointed to PwdHash, and have liked it ever since. It creates unique passwords per site by hashing your master password with the website's domain as a salt Especially convenient for services you only access on your own machine(s), so that you can use the Firefox addon - I do still have a few unique passphrases I use for stuff like my e-mail, since it's convenient to be able to access that from other systems.

I'd probably implement it as something that an operator typed in when the process was instantiated (only on server re-boot.)  And disable core dumps.  I think that I would also have an off-wire method ready to go such that I could quickly re-construct the database with a different key if I felt there was a loss of custody of the original, and it would probably be part of a backup regime which stored the database cold in decrypted format.  That's just the off-the-top-of-my-head thoughts on how to deal with the issues.  There are probably database implementations which have support for this kind of thing natively I would suspect.


I've introduced people to Bitcoin who were far from technically skilled and usually start out by showing them Instawallet, giving them a few coins, and having them e-mail the URL to themselves.  Also a stern warning about it being a solution only for chump-change and that more secure ones exist and work like x and y.

It is also the case that almost everyone I know (including myself) have lost track of usernames and passwords, and generally hate having to keep track of them and type them in and such.  Since I need to keep track of scores of them (literally) I have my own techniques which vary depending on the sensitivity.  But it's always a pain in the ass.  It's really easy to search my mail for my instawallet link and click on it to get to the thing, and it works on any of my zillion computers.

Or, you know, Google Chrome.



I agree with you on this point - assuming the hacker was not able to actually access the source code of the process running Instawallet (and I'd assume they'd use compiled source for decrypting), encrypting the URL's would have helped. From what we've read so far, it seems as though a single database table just listed all the URL's..


Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.

Each time I moved my second largest wallet of 123.xxxx (or was it 132.xxxx (seriously)), the wallet would always show that I had O bitcoins on BlockChain. When I first encountered this, I paid it no mind for the URL page always showed that I still had the coins is the wallet and was able to transfer them, saving only the URL and not the Bitcoin address.

But a couple weeks or so ago, something else happened I couldn't explain, nor now remember what the heck it was, and soon thereafter I happened upon the concerned thread discussing IW of which I added my concerns. I tried to be as tough as possible with my line of questioning, not wanting to come across as an ass, for I truly liked IW, coupled with having every coin I owned in their control.

The responses made enough sense to me, so I put my worries to the side and moved on. I hadn't a clue that they were down for good until a couple days into this mess.

In my opinion, a straight URL like this not much different than a username/password scheme.  Possibly better in some ways as one is unlikely to type it in and get hit with a keystroke logger, use crappy passwords, re-use passwords and get nicked that way, etc, etc.

Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off.  For a lot of things and not just URL-secured access.

On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

One very nice feature of Instwallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

A private key for a user who had their act together enough to keep a hold of it for situations like the one we are now facing would be kind of a good idea.  20/20 hindsight I guess.  Maybe for the next go-around.  And I would go right back to using something like Instawallet-II if Paytunia or some other trustworthy entity brings it up...and goes into a little detail about the precautions they took in implementation.

edit: spelling

I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info
Glad I only had 0.015 BTC lost there

I been wondering this exact thing for the last few days.

And how can those people who use Tor to access wallets prove ownership outside of having the url? What if someone gets there before the real owner and claims the coins? How do you dispute that?

Also stated are that the first claim gets priority.

This bothers me because an attacker who has the entire database, and possibly the server log records showing IP addresses as well if they were being retained, will probably be paying pretty close attention to the availability of the claims form.  He and likely an army of friends will swoop in to claim the high value accounts.

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to fine out how users will be able to 'cryptographically prove' ownership or whatever.

Read:

Make sense? Or do I need to increase the font size and italicize it too?

Where is this claim form then???

There is an update from Bitcoin-Central on their site

Vircurex has some tweets, they are moving to a bigger server due to DDOS.

I think Vircurex is down....lol
this is surreal!

Still have to wait for the claim form and then wait 90 days and then wait for the refund. that's around the end of july !!!! wonder if my singles from bfl will come before my refund?? better still wonder if any of it gets too me??

Ok, I have now seen something that i am worried about.

I have checked the address of the coins that i moved from Instawallet just before the site went offline and it is saying that the date of the transfer of the coins out was less than 12 hours after the coins were originally deposites more than 6 months ago. (I do not want to say when that was  as i may need to prive identity later.

Is this just the way instawallet worked and the transfer of the coins was to the hot wallet?

Yes - I am not alarmed, they are probably just sweeping the smaller balances into a wallet so they can set up for making payments out to people within the next few days.

Will

That seems a bit strange if everything is locked down?

This must be instawallet moving it around surely?

FYI some coins in an old instawallet I had from a while back have been moved to a new address as of this morning:

https://blockchain.info/tx/4da598abb6e6b92dc3fb68b095d4aac74eae8c7ac1bba57769772c07173b7673

Will

Thanks, bud. I feel better now knowing that IW has been found and the police are guarding it as exhibit A.


(As they say in the trade, this photo is unretouched.)

Sometimes, you just can't make this SHIT up.

There was an announcement, but btc-central is still not online unfortunately..
https://bitcointalksearch.org/topic/bitcoin-central-resumes-operations-168072