Topic: Instawallet/Bitcoin-Central Security Breach - page 7. (Read 85276 times)

hero member
Activity: 952
Merit: 1009
At this point with a registration date of today and his suspicious posting behaviour, I'm leaning toward the assumption of HATA28 to either be a davout sockpuppet or the 'hacker' himself.

Oh, wait. Hehe, duplicates.
hero member
Activity: 868
Merit: 1000

They don't say it is gonna take more than 90 days. They only say your balance will automatically be refunded (<50 BTC) if you were too lazy to file a claim.
You cannot have an immediate disaster plan in a case like this. If your security gets compromised, then how can you have a plan for it at that moment, when you have just found out about the leak?
Paymium is already providing information regarding a solution, within only 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution.

Is English not your first language? They quite clearly state that your funds will be refunded after 90 days if no other claims have been filed on your account.

Quote
For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.

After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded.

1) you do need to file a claim and 2) even when you do your funds will be returned after 90 days if there are no competing claims on your account.

I have no idea why you believe that it's impossible to develop disaster plans before an incident occurs.  If you don't have a way to verify the identity of your users in the event of a disaster, then you don't have adequate ways to identify them period.  Users need to accept that the greater degree of the anonymity a service allows them, the more difficult it may be for them to ever prove ownership of funds should it become necessary and services need to clearly state the possibility of that issue arising.
legendary
Activity: 1148
Merit: 1018
No news from davout?
newbie
Activity: 14
Merit: 0
It is not certain yet that the security was compromised by leaking the Instawallet URLs.
It could be something completely different.
Also, they didn't say it is going to take 90 days to refund; after 90 days you will be auto-refunded (<50 BTC).
You will most likely get your bitcoins back a lot faster if you file a claim.
legendary
Activity: 3010
Merit: 1031
RIP Mommy
Trying to figure out the logic of the statement and claims process.

Assuming everyone's Instawallet BTC was moved to cold storage (as all received TXs seemed to be moved off your BTC address shortly after receipt), and this was a database hack, the hacker just obtained the secret URLs and the BTC balances of all of them? Unless the hacker ALSO coded some kind of script to access every secret URL, withdraw entire balance on each of them via whatever method Instawallet had for withdrawing them out of cold storage, then this would explain why there is a 90 day claims process at all. Basically Instawallet has to make sure only one person is claiming each secret URL, and then detect a pattern of similar double claims; the one doing the double claims for more than maybe 3 secret URLs or >50 BTC is the hacker?
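The claims logic sketched in the post above, written out as an added example; this is not code from the thread and not Paymium's actual process. It groups claims by secret URL, auto-refunds uncontested balances under the limit once the window closes, holds large or contested URLs, and flags any claimant who turns up in competing claims on many URLs. The 50 BTC limit and 90-day window are taken from the Paymium notice quoted earlier in the thread; the three-URL threshold is the poster's guess, and the claim records and wallet paths are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass

AUTO_REFUND_LIMIT_BTC = 50.0   # balance limit from the Paymium notice quoted in the thread
CLAIM_WINDOW_DAYS = 90         # claim window from the same notice
SUSPICIOUS_URL_COUNT = 3       # hypothetical threshold, taken from the post above


@dataclass(frozen=True)
class Claim:
    wallet_url: str     # the secret Instawallet URL being claimed
    claimant: str       # contact identity entered on the claim form
    balance_btc: float  # balance recorded for that URL at the time of the breach
    day_filed: int      # days after the breach the claim was filed


def adjudicate(claims, today):
    """Decide, on day `today` after the breach, what happens to each claimed URL.

    Returns (refund, contested, manual, suspects):
      refund    - url -> claimant for uncontested balances under the limit,
                  once the claim window has closed
      contested - url -> sorted claimants where more than one identity claimed it
      manual    - url -> claimant for uncontested balances at or above the limit
      suspects  - claimants who appear in competing claims on at least
                  SUSPICIOUS_URL_COUNT URLs, or on more than the limit in total
    """
    by_url = defaultdict(list)
    for c in claims:
        if c.day_filed <= today:          # claims filed later are not visible yet
            by_url[c.wallet_url].append(c)

    refund, contested, manual = {}, {}, {}
    contested_urls = defaultdict(set)     # claimant -> URLs they are fighting over
    for url, cs in by_url.items():
        claimants = sorted({c.claimant for c in cs})  # repeat filings by one person count once
        balance = cs[0].balance_btc
        if len(claimants) > 1:
            contested[url] = claimants
            for name in claimants:
                contested_urls[name].add(url)
        elif balance >= AUTO_REFUND_LIMIT_BTC:
            manual[url] = claimants[0]
        elif today >= CLAIM_WINDOW_DAYS:
            refund[url] = claimants[0]
        # else: uncontested so far; wait for the window to close

    suspects = sorted(
        name for name, urls in contested_urls.items()
        if len(urls) >= SUSPICIOUS_URL_COUNT
        or sum(by_url[u][0].balance_btc for u in urls) > AUTO_REFUND_LIMIT_BTC
    )
    return refund, contested, manual, suspects


# Constructed sample claims, not real Instawallet data; the wallet paths are made up.
SAMPLE_CLAIMS = [
    Claim("https://instawallet.org/w/a1", "alice@example.org",    2.5,  3),
    Claim("https://instawallet.org/w/a1", "mallory@example.net",  2.5,  4),
    Claim("https://instawallet.org/w/b2", "bob@example.org",     12.0, 10),
    Claim("https://instawallet.org/w/b2", "mallory@example.net", 12.0,  4),
    Claim("https://instawallet.org/w/c3", "carol@example.org",    0.7, 20),
    Claim("https://instawallet.org/w/c3", "mallory@example.net",  0.7,  4),
    Claim("https://instawallet.org/w/d4", "dave@example.org",     5.0,  1),
    Claim("https://instawallet.org/w/e5", "erin@example.org",    80.0,  2),
]


def run_sample(today=CLAIM_WINDOW_DAYS):
    """Run the adjudication over the constructed claims as of a given day."""
    return adjudicate(SAMPLE_CLAIMS, today)


if __name__ == "__main__":
    refund, contested, manual, suspects = run_sample()
    print("refund:", refund)
    print("contested:", contested)
    print("manual review:", manual)
    print("suspects:", suspects)
```

The weak point is the same one the post circles around: the only thing tying a claim to a wallet is the URL, and that is exactly what leaked, so the process can only separate claimants statistically (who files on many contested URLs) rather than cryptographically.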
newbie
Activity: 14
Merit: 0
How can you say that when we don't even know what exactly happened yet? Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculation.
The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.  
They don't say it is gonna take more than 90 days. They only say your balance will automatically be refunded (<50 BTC) if you were too lazy to file a claim.
You cannot have an immediate disaster plan in a case like this. If your security gets compromised, then how can you have a plan for it at that moment, when you have just found out about the leak?
Paymium is already providing information regarding a solution, within only 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution.
legendary
Activity: 1246
Merit: 1077
How can you say that when we don't even know what exactly happened yet? Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculation.

Because it doesn't matter whether it was the vulnerability which was discussed last week which was exploited.  The moment it becomes public that your service has a vulnerability, there's a massive target on your back and people will not only try to exploit that particular vulnerability, they will actively look for others (and they'll look for similar vulnerabilities in other services).

The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.  How you're going to verify claims in the event of a security breach should be something you already plan for before a breach occurs and it sure as hell shouldn't involve providing information which is already known to be easily compromised.

People don't demand enough of Bitcoin services.  Half the time they know little - if anything - about the people behind them and especially about the resources they have available.  They don't bother asking service providers about their disaster plans (which is insane because very few Bitcoin services have the financial resources to simply absorb losses which occur due to security failures).  They leave amounts they can't afford to lose with services which could literally be out of business an hour from now.  No doubt some of the people who'll be impacted by this have previously lost funds to other exchange/wallet service failures (and will likely do so again in the future).

None of this means that services themselves should get a free pass when disaster strikes or that people should be ever so grateful for any steps they take to try to make users whole.

Hear hear. So many people here are against regulation. Until people become accustomed enough to regulate companies themselves, more regulation is good for Bitcoin.
hero member
Activity: 868
Merit: 1000
How can you say that when we don't even know what exactly happened yet? Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculation.

Because it doesn't matter whether it was the vulnerability which was discussed last week which was exploited.  The moment it becomes public that your service has a vulnerability, there's a massive target on your back and people will not only try to exploit that particular vulnerability, they will actively look for others (and they'll look for similar vulnerabilities in other services).

The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.  How you're going to verify claims in the event of a security breach should be something you already plan for before a breach occurs and it sure as hell shouldn't involve providing information which is already known to be easily compromised.

People don't demand enough of Bitcoin services.  Half the time they know little - if anything - about the people behind them and especially about the resources they have available.  They don't bother asking service providers about their disaster plans (which is insane because very few Bitcoin services have the financial resources to simply absorb losses which occur due to security failures).  They leave amounts they can't afford to lose with services which could literally be out of business an hour from now.  No doubt some of the people who'll be impacted by this have previously lost funds to other exchange/wallet service failures (and will likely do so again in the future).

None of this means that services themselves should get a free pass when disaster strikes or that people should be ever so grateful for any steps they take to try to make users whole.
member
Activity: 68
Merit: 10
This is going to hurt. And I don't just mean the 200 bucks I've just lost, it's going to hurt hard on bitcoin.

The volume is/was hardly influential. Mtgox didn't even notice when Bitcoin Central went down.
newbie
Activity: 14
Merit: 0
...

If you've read any of my posts at all then you're aware that I believe leaving your funds on any third party Bitcoin service is the height of stupidity and when this first happened I questioned how many times shit like this is going to happen before people grasp the fact that your funds can never be totally safe on such services.

That doesn't excuse services from the responsibility to ensure that their security is adequate and to immediately take measures to beef it up when they become aware of a vulnerability - especially when vulnerabilities in that service are being widely and publicly discussed.
How can you say that when we don't even know what exactly happened yet? Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculation.
Also, if you are aware of the vulnerability, then what would stop you from immediately withdrawing all your funds... I am not saying Paymium didn't make any mistakes, I'm just saying do whatever you can to protect your funds, and if you don't, take responsibility for it.
newbie
Activity: 47
Merit: 0
The bitcoin-central website seems to be changing often. First the site's https was down, then it was serving a http connection over https port (results in firefox in record too long or something), then error 500, now the message is back. It looks like they're changing physical location or even physical server (changing certificate, reconfiguring webserver, perhaps an IP change).

Getting worried about the severe lack of communication
I find that strange too, though I'm not sure if it should really have us worried. At least the bitcoin-central users, I have a worse feeling about instawallet. But I'm not involved with instawallet at all and I'm not checking on that all day, so my feeling could easily be wrong.

Anyone have a private communication channel to them? Could anyone try to get some info on this? Customers/users deserve to know the current status of the affair.
I think if anyone had, they are friends and are told things in confidence, or acquaintances are told the same as everyone. If they're not talking, it's most likely that nothing is supposed to come out... And I think they're reading this topic at least once or twice a day, if something was to be said they'd have said it. Maybe (like someone else suggested) they're not talking for the case that they are wrong. Official statements are always taken as promises, even if it's not said anywhere (and for a good reason, but that might be why they're silent).
hero member
Activity: 868
Merit: 1000

Dude come on, this is the problem of the whole fucking society.
People just blaming each other because they don't have the balls to take responsibility for it themselves.
If you store your money somewhere, YOU are responsible. It is YOUR money. If you want to be absolutely sure it won't disappear in a financial crisis, you have to hold on to it yourself.

If you drink too much Heineken beer, you are responsible for the consequences. You can not blame Heineken because they provided it.
You are always the only one responsible for your own actions.

In this case: of course, people trusted their money to Instawallet. But if you trust something or someone, that's a risk you are taking yourself. It is like losing bitcoins after a big correction. You can't blame the economy for it; it was your risk to take, and you didn't have to take it.

Don't walk away from your responsibility, and be happy Paymium is at least trying to come up with a solution.

If you've read any of my posts at all then you're aware that I believe leaving your funds on any third party Bitcoin service is the height of stupidity and when this first happened I questioned how many times shit like this is going to happen before people grasp the fact that your funds can never be totally safe on such services.

That doesn't excuse services from the responsibility to ensure that their security is adequate and to immediately take measures to beef it up when they become aware of a vulnerability - especially when vulnerabilities in that service are being widely and publicly discussed.

cho
full member
Activity: 155
Merit: 100
Boar with me
Too bad nobody is going to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

After having read your trolling but insightful post, I, for one, will actually improve my cold storage strategy. Thx to you for that.
newbie
Activity: 14
Merit: 0
This is a really fucked up situation, especially for the ones that were actually using instawallet.org
However, Paymium says you can claim your BTC back.
We don't know what exactly caused this 'hack', we can only speculate.
Therefore, I think we can't blame Paymium for what happened, at least not yet.

Of course you can blame them. People can't access their funds for at least 90 days because of some security breach. It's the job of those operating a service to ensure its security can't be breached and vulnerabilities in Instawallet were made public a week ago. 
Dude come on, this is the problem of the whole fucking society.
People just blaming each other because they don't have the balls to take responsibility for it themselves.
If you store your money somewhere, YOU are responsible. It is YOUR money. If you want to be absolutely sure it won't disappear in a financial crisis, you have to hold on to it yourself.

If you drink too much Heineken beer, you are responsible for the consequences. You can not blame Heineken because they provided it.
You are always the only one responsible for your own actions.

In this case: of course, people trusted their money to Instawallet. But if you trust something or someone, that's a risk you are taking yourself. It is like losing bitcoins after a big correction. You can't blame the economy for it; it was your risk to take, and you didn't have to take it.

Don't walk away from your responsibility, and be happy Paymium is at least trying to come up with a solution.
hero member
Activity: 868
Merit: 1000
Actually that has happened the moment they went public with their braindead idea of having "proxy private keys" for BTC addresses in the URL. Was it one or two years ago? I do not quite remember.

I don't recall the fact that you could access (actually access, as opposed to theoretically) the accounts of other users being publicly discussed until last week, although when it was being discussed last week quite a few people mentioned having been aware of it for some time.

They still needed to take the service offline for a security audit when that particular vulnerability became a topic for discussion last week, because nothing was more certain than people trying to exploit that one and looking for other vulnerabilities as well (as well as looking for similar vulnerabilities in other services).
member
Activity: 73
Merit: 10
BTC
This is going to hurt. And I don't just mean the 200 bucks I've just lost, it's going to hurt hard on bitcoin.
hero member
Activity: 868
Merit: 1000
This is a really fucked up situation, especially for the ones that were actually using instawallet.org
However, Paymium says you can claim your BTC back.
We don't know what exactly caused this 'hack', we can only speculate.
Therefore, I think we can't blame Paymium for what happened, at least not yet.

Of course you can blame them. People can't access their funds for at least 90 days because of some security breach. It's the job of those operating a service to ensure its security can't be breached and vulnerabilities in Instawallet were made public a week ago. 
legendary
Activity: 1148
Merit: 1018
Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time"

"run away" includes "getting 'hacked'"

It is basically the same as amount of mined bitcoins asymptotically approaches 21 million.

People! FFS! Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones.

Store not only encrypted images but truecrypt distribution/installation too.

This is all you need to know and do.

Remember risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amount of BTC for short time. The smaller the amount and the shorter the time, the better. In this case Risk is acceptable. For large amounts and long time you simply cannot trust 3rd parties without taking on disproportional risks.

Too bad nobody is going to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount.



I wouldn't rely on TrueCrypt for very serious stuff. The code was not scrutinized by the community. This is why TAILS does not include it. I would prefer GPG.

But for not-so-serious stuff a hidden volume of TC is pretty nice... And if you add steganography and of course offline-only storage you will be pretty safe.
hero member
Activity: 756
Merit: 1000
Positivity is the key now I think.

Vlad, you are right. It's our fault. (I was in the process of sorting out the armory on Friday). Give me a break though mate, still smarting here.

Let's assume the hacker has all the URLs. I assume he will argue any large balances with the rightful owner. What if there was documented proof of owning the URL for a while? I assume the hacker has only had access in the last few weeks.

What do you think?
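One way the "documented proof of owning the URL for a while" idea in the post above could actually be made to work, as an added example; this is not from the thread and not something Paymium offered. The owner publishes a salted SHA-256 commitment to the secret URL somewhere with a trustworthy timestamp, and at claim time reveals the salt and URL; a claimant who only learned the URL from the leaked database cannot produce a commitment that predates the breach. The example assumes the verifier already trusts the timestamps in the public log (that part is outside the code), and the URL, salts and dates are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def commit(secret_url, salt=None):
    """Commit to a secret URL without revealing it.

    Returns (commitment_hex, salt). The commitment is what gets published in a
    timestamped place; the salt and the URL stay with the owner until claim time.
    A random salt stops anyone holding the leaked URL list from recomputing
    published commitments and linking them to wallets.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + secret_url.encode("utf-8")).hexdigest()
    return digest, salt


def verify_opening(commitment_hex, salt, secret_url):
    """True if (salt, secret_url) really is what commitment_hex was computed over."""
    expected = hashlib.sha256(salt + secret_url.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, commitment_hex)


def check_claim(public_log, breach_day, commitment_hex, salt, secret_url):
    """Accept a claim only if the opening is valid AND the commitment predates the breach.

    public_log maps commitment_hex -> day published (days relative to the breach).
    The example assumes those timestamps are trustworthy (a notarised post, an
    on-chain record, a dated e-mail to the operator); the code cannot check that.
    """
    if not verify_opening(commitment_hex, salt, secret_url):
        return "rejected: opening does not match commitment"
    published = public_log.get(commitment_hex)
    if published is None:
        return "rejected: commitment not in public log"
    if published >= breach_day:
        return "rejected: commitment published after the breach"
    return "accepted"


def demo():
    """Constructed scenario: Alice committed a month before the breach; Mallory
    learned the URL from the leaked database and can only commit afterwards."""
    secret_url = "https://instawallet.org/w/constructed-secret"  # made-up path
    breach_day = 0

    # Fixed salts so the demo is reproducible; use the random default in practice.
    alice_commit, alice_salt = commit(secret_url, salt=b"\x01" * 16)
    mallory_commit, mallory_salt = commit(secret_url, salt=b"\x02" * 16)

    public_log = {alice_commit: -30, mallory_commit: 2}

    return {
        "alice": check_claim(public_log, breach_day, alice_commit, alice_salt, secret_url),
        "mallory": check_claim(public_log, breach_day, mallory_commit, mallory_salt, secret_url),
        # Mallory points at Alice's early commitment but cannot produce Alice's salt
        "mallory_as_alice": check_claim(public_log, breach_day, alice_commit, mallory_salt, secret_url),
        # A fresh commitment that was never published anywhere
        "unknown": check_claim(public_log, breach_day, *commit(secret_url), secret_url),
    }


if __name__ == "__main__":
    for who, verdict in demo().items():
        print(f"{who}: {verdict}")
```

The caveat is the one the thread keeps hitting: this only helps users who committed before the breach, and it only works if the commitment went somewhere whose timestamp the operator will trust. It does not help anyone who, like most Instawallet users, held nothing but the URL itself.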
sr. member
Activity: 476
Merit: 250
Too bad nobody is gong to listen to the above.

This is evolution in action. In two years, should Bitcoin still be chugging along, paper wallet holders will still have bitcoins while the trusting will be wondering what happened to theirs. Since Bitcoin is decentralized by nature, it will ultimately force its users to be decentralized also. The learning curve is a painful one for those that let the glitter overtake common sense.