Pages:
Author

Topic: Instawallet/Bitcoin-Central Security Breach - page 3. (Read 85341 times)

member
Activity: 68
Merit: 10
Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.

I've introduced people to Bitcoin who were far from technically skilled and usually start out by showing them Instawallet, giving them a few coins, and having them e-mail the URL to themselves.  Also a stern warning about it being a solution only for chump-change and that more secure ones exist and work like x and y.

As long as they're aware of the fact that it's rather unsafe, I guess you're right and it provides for a very convenient way of accessing your funds. Judging by the accounts with over 50 BTC on them, though, this awareness wasn't as widespread.

It is also the case that almost everyone I know (including myself) have lost track of usernames and passwords, and generally hate having to keep track of them and type them in and such.  Since I need to keep track of scores of them (literally) I have my own techniques which vary depending on the sensitivity.  But it's always a pain in the ass.  It's really easy to search my mail for my instawallet link and click on it to get to the thing, and it works on any of my zillion computers.

At the risk of venturing off-topic: a while ago I was pointed to PwdHash, and have liked it ever since. It creates unique passwords per site by hashing your master password with the website's domain as a salt Smiley Especially convenient for services you only access on your own machine(s), so that you can use the Firefox addon - I do still have a few unique passphrases I use for stuff like my e-mail, since it's convenient to be able to access that from other systems.
legendary
Activity: 4690
Merit: 1276
...
On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

I agree with you on this point - assuming the hacker was not able to actually access the source code of the process running Instawallet (and I'd assume they'd use compiled source for decrypting), encrypting the URL's would have helped. From what we've read so far, it seems as though a single database table just listed all the URL's..

I'd probably implement it as something that an operator typed in when the process was instantiated (only on server re-boot.)  And disable core dumps.  I think that I would also have an off-wire method ready to go such that I could quickly re-construct the database with a different key if I felt there was a loss of custody of the original, and it would probably be part of a backup regime which stored the database cold in decrypted format.  That's just the off-the-top-of-my-head thoughts on how to deal with the issues.  There are probably database implementations which have support for this kind of thing natively I would suspect.

One very nice feature of Instwallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.

I've introduced people to Bitcoin who were far from technically skilled and usually start out by showing them Instawallet, giving them a few coins, and having them e-mail the URL to themselves.  Also a stern warning about it being a solution only for chump-change and that more secure ones exist and work like x and y.

It is also the case that almost everyone I know (including myself) have lost track of usernames and passwords, and generally hate having to keep track of them and type them in and such.  Since I need to keep track of scores of them (literally) I have my own techniques which vary depending on the sensitivity.  But it's always a pain in the ass.  It's really easy to search my mail for my instawallet link and click on it to get to the thing, and it works on any of my zillion computers.

member
Activity: 68
Merit: 10
Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off.  For a lot of things and not just URL-secured access.
Or, you know, Google Chrome.


On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

I agree with you on this point - assuming the hacker was not able to actually access the source code of the process running Instawallet (and I'd assume they'd use compiled source for decrypting), encrypting the URL's would have helped. From what we've read so far, it seems as though a single database table just listed all the URL's..

One very nice feature of Instwallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Each time I moved my second largest wallet of 123.xxxx (or was it 132.xxxx (seriously)), the wallet would always show that I had O bitcoins on BlockChain. When I first encountered this, I paid it no mind for the URL page always showed that I still had the coins is the wallet and was able to transfer them, saving only the URL and not the Bitcoin address.

But a couple weeks or so ago, something else happened I couldn't explain, nor now remember what the heck it was, and soon thereafter I happened upon the concerned thread discussing IW of which I added my concerns. I tried to be as tough as possible with my line of questioning, not wanting to come across as an ass, for I truly liked IW, coupled with having every coin I owned in their control.

The responses made enough sense to me, so I put my worries to the side and moved on. I hadn't a clue that they were down for good until a couple days into this mess.
legendary
Activity: 4690
Merit: 1276
Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to fine out how users will be able to 'cryptographically prove' ownership or whatever.

I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info
Glad I only had 0.015 BTC lost there


In my opinion, a straight URL like this not much different than a username/password scheme.  Possibly better in some ways as one is unlikely to type it in and get hit with a keystroke logger, use crappy passwords, re-use passwords and get nicked that way, etc, etc.

Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off.  For a lot of things and not just URL-secured access.

On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

One very nice feature of Instwallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

A private key for a user who had their act together enough to keep a hold of it for situations like the one we are now facing would be kind of a good idea.  20/20 hindsight I guess.  Maybe for the next go-around.  And I would go right back to using something like Instawallet-II if Paytunia or some other trustworthy entity brings it up...and goes into a little detail about the precautions they took in implementation.

edit: spelling
hero member
Activity: 899
Merit: 1002
Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to fine out how users will be able to 'cryptographically prove' ownership or whatever.

I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info
Glad I only had 0.015 BTC lost there









member
Activity: 110
Merit: 10
Read:
Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?

Also stated are that the first claim gets priority.

This bothers me because an attacker who has the entire database, and possibly the server log records showing IP addresses as well if they were being retained, will probably be paying pretty close attention to the availability of the claims form.  He and likely an army of friends will swoop in to claim the high value accounts.

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to fine out how users will be able to 'cryptographically prove' ownership or whatever.



I been wondering this exact thing for the last few days.

And how can those people who use Tor to access wallets prove ownership outside of having the url? What if someone gets there before the real owner and claims the coins? How do you dispute that?
legendary
Activity: 4690
Merit: 1276
Read:
Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?

Also stated are that the first claim gets priority.

This bothers me because an attacker who has the entire database, and possibly the server log records showing IP addresses as well if they were being retained, will probably be paying pretty close attention to the availability of the claims form.  He and likely an army of friends will swoop in to claim the high value accounts.

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to fine out how users will be able to 'cryptographically prove' ownership or whatever.

legendary
Activity: 1008
Merit: 1000
Read:
Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?
member
Activity: 98
Merit: 10
Where is this claim form then??? Huh
newbie
Activity: 52
Merit: 0
There is an update from Bitcoin-Central on their site
legendary
Activity: 2128
Merit: 1002
I think Vircurex is down....lol
this is surreal!

Vircurex has some tweets, they are moving to a bigger server due to DDOS.
newbie
Activity: 28
Merit: 0
I think Vircurex is down....lol
this is surreal!
member
Activity: 98
Merit: 10
Still have to wait for the claim form and then wait 90 days and then wait for the refund. that's around the end of july !!!! wonder if my singles from bfl will come before my refund?? better still wonder if any of it gets too me?? Roll Eyes
hero member
Activity: 756
Merit: 1000
Ok, I have now seen something that i am worried about.

I have checked the address of the coins that i moved from Instawallet just before the site went offline and it is saying that the date of the transfer of the coins out was less than 12 hours after the coins were originally deposites more than 6 months ago. (I do not want to say when that was  as i may need to prive identity later.

Is this just the way instawallet worked and the transfer of the coins was to the hot wallet?

Huh
hero member
Activity: 767
Merit: 500
That seems a bit strange if everything is locked down?

This must be instawallet moving it around surely?

Yes - I am not alarmed, they are probably just sweeping the smaller balances into a wallet so they can set up for making payments out to people within the next few days.

Will
hero member
Activity: 756
Merit: 1000
FYI some coins in an old instawallet I had from a while back have been moved to a new address as of this morning:

https://blockchain.info/tx/4da598abb6e6b92dc3fb68b095d4aac74eae8c7ac1bba57769772c07173b7673

Will

That seems a bit strange if everything is locked down?

This must be instawallet moving it around surely?

hero member
Activity: 767
Merit: 500
FYI some coins in an old instawallet I had from a while back have been moved to a new address as of this morning:

https://blockchain.info/tx/4da598abb6e6b92dc3fb68b095d4aac74eae8c7ac1bba57769772c07173b7673

Will
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
All the legal information about the company is here.
For a few euros you can also get the list of the shareholders.
The corporate headquarter is in Boulogne. It's in the suburbs of Paris, you can go there with the metro. The offices are probably at the same place but the datacenter (and davout) might be anywhere in or around Paris.


Thanks, bud. I feel better now knowing that IW has been found and the police are guarding it as exhibit A.


(As they say in the trade, this photo is unretouched.)

Sometimes, you just can't make this SHIT up.
newbie
Activity: 14
Merit: 0
The whole thing with bitcoin-central and paytunia is taking too long.
They better bring them back online ASAP, they've got 40minutes to bring up bitcoin-central back online before the 48hour deadline is reached (again).

They just broke this deadline (again). I'm really looking forward to their update now.. it better be good  Undecided
There was an announcement, but btc-central is still not online unfortunately..
https://bitcointalksearch.org/topic/bitcoin-central-resumes-operations-168072
Pages:
Jump to: