Pages:
Author

Topic: Instawallet/Bitcoin-Central Security Breach - page 7. (Read 85356 times)

hero member
Activity: 952
Merit: 1009
At this point with a registration date of today and his suspicious posting behaviour, I'm leaning toward the assumption of HATA28 to either be a davout sockpuppet or the 'hacker' himself.

Oh, wait. Hehe, duplicates.
hero member
Activity: 868
Merit: 1000

They don't say it is gonna take more then 90 days. They only say your balance will automatically be refunded (<50btc) if you were too lazy too file a claim.
You can not have an immediate disaster plan in a case like this. If your security gets compromised, than how can you have a plan for it at that moment, when you just find out about the leak.
Paymium is already providing information regarding a solution, only within 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution.

Is English not your first language.  They quite clearly state that your funds will be refunded after 90 days if no other claims have been filed on your account.  

Quote
For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.

After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded.

1) you do need to file a claim and 2) even when you do your funds will be returned after 90 days if there are no competing claims on your account.

I have no idea why you believe that it's impossible to develop disaster plans before an incident occurs.  If you don't have a way to verify the identity of your users in the event of a disaster, then you don't have adequate ways to identify them period.  Users need to accept that the greater degree of the anonymity a service allows them, the more difficult it may be for them to ever prove ownership of funds should it become necessary and services need to clearly state the possibility of that issue arising.
legendary
Activity: 1148
Merit: 1018
No news from davout?
newbie
Activity: 14
Merit: 0
It is not sure yet, that the security was compromised by leaking the instawallet url's.
It could be something completely different.
Also, they didn't say it is going to take 90 days to refund; after 90 days you will be autorefunded (<50btc).
You will most likely get your bitcoins back a lot faster if you file a claim.
legendary
Activity: 3038
Merit: 1032
RIP Mommy
Trying to figure out the logic of the statement and claims process.

Assuming everyone's Instawallet BTC was moved to cold storage (as all received TXs seemed to be moved off your BTC address shortly after receipt), and this was a database hack, the hacker just obtained the secret URLs and the BTC balances of all of them? Unless the hacker ALSO coded some kind of script to access every secret URL, withdraw entire balance on each of them via whatever method Instawallet had for withdrawing them out of cold storage, then this would explain why there is a 90 day claims process at all. Basically Instawallet has to make sure only one person is claiming each secret URL, and then detect a pattern of similar double claims; the one doing the double claims for more than maybe 3 secret URLs or >50 BTC is the hacker?
newbie
Activity: 14
Merit: 0
How can you say that when we don't even know what exactly happened yet. Sure it can be due to the vulnerability's discussed earlier but as said before, that is only speculating.
The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.  
They don't say it is gonna take more then 90 days. They only say your balance will automatically be refunded (<50btc) if you were too lazy too file a claim.
You can not have an immediate disaster plan in a case like this. If your security gets compromised, than how can you have a plan for it at that moment, when you just find out about the leak.
Paymium is already providing information regarding a solution, only within 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution.
legendary
Activity: 1246
Merit: 1077
How can you say that when we don't even know what exactly happened yet. Sure it can be due to the vulnerability's discussed earlier but as said before, that is only speculating.

Because it doesn't matter whether it was the vulnerability which was discussed last week which was exploited.  The moment it becomes public that your service has a vulnerability, there's a massive target on your back and people will not only try to exploit that particular vulnerability, they will actively look for others (and they'll look for similar vulnerabilities in other services).

The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.  How you're going to verify claims in the event of a security breach should be something you already plan for before a breach occurs and it sure as hell shouldn't involve providing information which is already known to be easily compromised.

People don't demand enough of Bitcoin services.  Half the time they know little - if anything - about the people behind them and especially about the resources they have available.  They don't bother asking service providers about their disaster plans (which is insane because very few Bitcoin services have the financial resources to simply absorb losses which occur due to security failures).  They leave amounts they can't afford to lose with services which could literally be out of business an hour from now.  No doubt some of the people who'll be impacted by this have previously lost funds to other exchange/wallet service failures (and will likely do so again in the future).

None of this means that services themselves should get a free pass when disaster strikes or that people should be ever so grateful for any steps they take to try to make users whole.

Hear hear. So many people here are against regulation. Until people become accustomed enough to regulate companies themselves, more regulation is good for Bitcoin.
hero member
Activity: 868
Merit: 1000
How can you say that when we don't even know what exactly happened yet. Sure it can be due to the vulnerability's discussed earlier but as said before, that is only speculating.

Because it doesn't matter whether it was the vulnerability which was discussed last week which was exploited.  The moment it becomes public that your service has a vulnerability, there's a massive target on your back and people will not only try to exploit that particular vulnerability, they will actively look for others (and they'll look for similar vulnerabilities in other services).

The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.  How you're going to verify claims in the event of a security breach should be something you already plan for before a breach occurs and it sure as hell shouldn't involve providing information which is already known to be easily compromised.

People don't demand enough of Bitcoin services.  Half the time they know little - if anything - about the people behind them and especially about the resources they have available.  They don't bother asking service providers about their disaster plans (which is insane because very few Bitcoin services have the financial resources to simply absorb losses which occur due to security failures).  They leave amounts they can't afford to lose with services which could literally be out of business an hour from now.  No doubt some of the people who'll be impacted by this have previously lost funds to other exchange/wallet service failures (and will likely do so again in the future).

None of this means that services themselves should get a free pass when disaster strikes or that people should be ever so grateful for any steps they take to try to make users whole.
member
Activity: 68
Merit: 10
This is going to hurt. And I don't just mean the 200 bucks I've just lost, it's going to hurt hard on bitcoin.

The volume is/was hardly influential. Mtgox didn't even notice when Bitcoin Central went down.
newbie
Activity: 14
Merit: 0
...

If you've read any of my posts at all then you're aware that I believe leaving your funds on any third party Bitcoin service is the height of stupidity and when this first happened I questioned how many times shit like this is going to happen before people grasp the fact that your funds can never be totally safe on such services.

That doesn't excuse services from the responsibility to ensure that their security is adequate and to immediately take measures to beef it up when they become aware of a vulnerability - especially when vulnerabilities in that service are being widely and publicly discussed.
How can you say that when we don't even know what exactly happened yet. Sure it can be due to the vulnerability's discussed earlier but as said before, that is only speculating.
Also, if you are aware of the vulnerability than what would stop you from immediately withdrawing all you funds... I am not saying Paymium didn't make any mistakes, Im just saying Do what ever you can to protect your funds, and if you don't, take responsibility for it.
newbie
Activity: 47
Merit: 0
The bitcoin-central website seems to be changing often. First the site's https was down, then it was serving a http connection over https port (results in firefox in record too long or something), then error 500, now the message is back. It looks like they're changing physical location or even physical server (changing certificate, reconfiguring webserver, perhaps an IP change).

Getting worried about the severe lack of communication
I find that strange too, though I'm not sure if it should really have us worried. At least the bitcoin-central users, I have a worse feeling about instawallet. But I'm not involved with instawallet at all and I'm not checking on that all day, so my feeling could easily be wrong.

Anyone have a private communication channel to them? Could anyone trying to get some info on this, customers/users are deserve to know the current status of the affair.
I think if anyone had, they are friends and are told things in confidence, or acquaintances are told the same as everyone. If they're not talking, it's most likely that nothing is supposed to come out... And I think they're reading this topic at least once or twice a day, if something was to be said they'd have said it. Maybe (like someone else suggested) they're not talking for the case that they are wrong. Official statements are always taken as promises, even if it's not said anywhere (and for a good reason, but that might be why they're silent).
hero member
Activity: 868
Merit: 1000

Dude come on, this is the problem of the whole fucking society.
People just blaming each other because they don't have the balls to take responsibility for it themselves.
If you store your money somewhere, YOU are responsible. It is YOUR money. If you want to be absolutely sure it won't disappear in a financial crisis, you have to hold on to it yourself.

If you drink too much Heineken beer, you are responsible for the consequences. You can not blame Heineken because they provided it.
You are always the only one responsible for your own actions.

In this case; Ofcourse, people trusted their money to Instawallet. But if you trust something or someone, that's a risk you are taking yourself. It is like losing bitcoins, after a big correction. You can't blame the economy for it, it was your risk to take, and you didn't have to take it.

Don't walk away from you responsibility, and be happy Paymium is at least trying to come up with a solution.

If you've read any of my posts at all then you're aware that I believe leaving your funds on any third party Bitcoin service is the height of stupidity and when this first happened I questioned how many times shit like this is going to happen before people grasp the fact that your funds can never be totally safe on such services.

That doesn't excuse services from the responsibility to ensure that their security is adequate and to immediately take measures to beef it up when they become aware of a vulnerability - especially when vulnerabilities in that service are being widely and publicly discussed.

cho
full member
Activity: 155
Merit: 100
Boar with me
Too bad nobody is gong to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

After having read your trolling but insightful post, I, for one, will actually improve my cold storage strategy. Thx to you for that.
newbie
Activity: 14
Merit: 0
This is a really fucked up situation, especially for the ones that were actually using instawallet.org
However, Paymium says you can claim your BTC back.
We don't know what exactly caused this 'hack', we can only speculate.
Therefore, I think we can't blame Paymium for what happened, at least not yet.

Of course you can blame them. People can't access their funds for at least 90 days because of some security breach. It's the job of those operating a service to ensure its security can't be breached and vulnerabilities in Instawallet were made public a week ago. 
Dude come on, this is the problem of the whole fucking society.
People just blaming each other because they don't have the balls to take responsibility for it themselves.
If you store your money somewhere, YOU are responsible. It is YOUR money. If you want to be absolutely sure it won't disappear in a financial crisis, you have to hold on to it yourself.

If you drink too much Heineken beer, you are responsible for the consequences. You can not blame Heineken because they provided it.
You are always the only one responsible for your own actions.

In this case; Ofcourse, people trusted their money to Instawallet. But if you trust something or someone, that's a risk you are taking yourself. It is like losing bitcoins, after a big correction. You can't blame the economy for it, it was your risk to take, and you didn't have to take it.

Don't walk away from you responsibility, and be happy Paymium is at least trying to come up with a solution.
hero member
Activity: 868
Merit: 1000
Actually that has happened the moment they went public with their braindead idea of having "proxy private keys" for BTC addresses in URL. Was it one or two years ago I do not quite remember.

I don't recall the fact that you could access (actually access, as opposed to theoretically) the accounts of other users being publicly discussed until last week, although when it was being discussed last week quite a few people mentioned having been aware of it for some time.

They still needed to take the service offline for a security audit when that particular vulnerability became a topic for discussion last week, because nothing was more certain than people trying to exploit that one and looking for other vulnerabilities as well (as well as looking for similar vulnerabilities in other services).
member
Activity: 73
Merit: 10
BTC
This is going to hurt. And I don't just mean the 200 bucks I've just lost, it's going to hurt hard on bitcoin.
hero member
Activity: 868
Merit: 1000
This is a really fucked up situation, especially for the ones that were actually using instawallet.org
However, Paymium says you can claim your BTC back.
We don't know what exactly caused this 'hack', we can only speculate.
Therefore, I think we can't blame Paymium for what happened, at least not yet.

Of course you can blame them. People can't access their funds for at least 90 days because of some security breach. It's the job of those operating a service to ensure its security can't be breached and vulnerabilities in Instawallet were made public a week ago. 
legendary
Activity: 1148
Merit: 1018
Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time"

"run away" includes "getting 'hacked'"

It is basically the same as amount of mined bitcoins asymptotically approaches 21 million.

People! FFS! Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones.

Store not only encrypted images but truecrypt distribution/installation too.

This is all you need to know and do.

Remember risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amount of BTC for short time. The smaller the amount and the shorter the time, the better. In this case Risk is acceptable. For large amounts and long time you simply cannot trust 3rd parties without taking on disproportional risks.

Too bad nobody is gong to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount.



I wouldn't rely on Truecrypt for very serious stuff. Code was not scrutinized by the community. This is why TAILS do not include it. I would prefer GPG.

But for not so serious stuff a hidden volume of TC is pretty nice... And if you add stenography and of course offline storage only you will be pretty safe.
hero member
Activity: 756
Merit: 1000
Positivity is the key now I think.

Vlad, you are right. It's our fault. (I was in the process of sorting out the armory on Friday). Give me a break though mate, still smarting here.

Lets assume the hacker has all the urls. I assume he will argue any large balances with the rightful owner. What if their was documented proof of owning the URL for a while. I assume the hacker has only has access in the last few weeks.  

What do you think?
sr. member
Activity: 476
Merit: 250
Too bad nobody is gong to listen to the above.

This is evolution in action. In two years, should Bitcoin still be chugging along, paper wallet holders will still have bitcoins while the trusting will be wondering what happened to theirs. Since Bitcoin is decentralized by nature, it will ultimately force its users to be decentralized also. The learning curve is a painful one for those that let the glitter overtake common sense.
Pages:
Jump to: