Topic: Wallet Hack on 4/25 - page 3. (Read 11267 times)

Easiest to implement would be XSS - just about every site seems to be vulnerable these days due to browsers and webapps sucking. I would look for that first.

Java is a giant POS - useless other than as an attack vector - even Macfags got 0wned via Java last year. I have no doubt there are hundreds of zero-days lurking...

If blockchain passwords are only SHA1-hashed, depending on the seed, if somebody got ahold of the DB passwords could be cracked using rainbow tables.

Thank you for the thoughtful reply. What I think, however, that you are missing in your comparison between BTC and electronic fiat  payment systems - and which is absolutely fundamental to why such fiat systems hold consumer confidence - is that there are "consumer protections" built-in to the electronic fiat infrastructure: reversibility of transfers, limited liability for fraud, etc. Whether we admit it to it or not, we use our credit cards with confidence because of the transaction protection built-in (and for which we admittedly pay a steep price in the form of high interest rates).

Admittedly, the transaction of fiat in its traditional form as cold, hard cash does not carry this benefit, and in this way, is identical to BTC in irreversibility. But BTC shares the worst of both worlds - the ease of theft introduced by the digital medium in which it exists and through which it is transferred and the fact that, for all practical purposes, it only exists in this medium.

The average person knows how to protect paper currency - hiding it in his pocket. If the average corporation continues to struggling with preserving data integrity, how can we expect an individual to safeguard his/her Bitcoins or, as importantly, feel comfortable enough in the safety of the medium to invest significant value?

This is why I feel that Bitcoin's success will have to come at the hands of a well-funding backing that can develop mature infrastructure. If we rely on a room of engineers in an office suite in Tokyo to be the de facto standard of security, along with a few open-source/not-for-profit organizations, then there really isn't much to offer the mainstream. But of course, this flies in the face of the anarcho-libertarian wet dream of a decentralized currency.

piuk, how are you generating keys for wallets? Is it possible it's not random enough and someone has just been able to find the keys by brute forcing the seed to your RNG? bitaddress.org uses mouse movements to add more randomness and it doesn't seem like you do something like that.

Yes, this is an area need improvement, currently the usage of the wallet is still too complex and dangerous. Maybe bitcoin will never be used by the majority, it seems many people really cannot/don't have time to take care the security of their own money, they have to rely on some secure money storage service like a bank

I would side with you at times on this Shinobi, but then you need to really step back and realize the lack of understanding of most things that people engage with on a daily basis.  You use VISA and pay your bill at the end of every month, but very very very few people understand the mechanics behind credit card transactions, payments via the ACH rails or anything else involved with day to day financial life in 2013.  Yet there are trillions of dollars spent each year by people typing in their passwords to online bank accounts and pull pieces of plastic out of their wallet that is representative of fiat money (which is a whole other rabbit hole altogether). 

I think there is something behind this, otherwise I wouldn't be wasting my time here. What will happen (and you can see it starting slowly) is that VC money, independent development and ingenuity with start to develop tools that will isolate the average end user from the complexity while still giving them the benefit fo the technology.  It has already begun with services like blockchain.info aggregating wallets and providing cloud based services.  It will eventually progress to hardware based tools (similar to the RSA key fob many people used to have at offices) and move on from there.  Long BTC public addresses will be replaced by alias services (how? I'm not sure, but they will) and people will slowly become accustomed to using this a method of money transport.  I could certainly be mistaken but it has attracted enough interest and has engaged enough people's aspirations that even if the current instance of BTC doesn't make it to prime-time, something similar will.

I once read that all it takes is for 10% of the population to be extremely excited about something (whether it be a fashion, technology, fad, etc) and it will become mainstream (given the average persons indifference and apathy).  While I don't think we're at the tipping point yet, the ideals behind this project is resonant enough with a population in turmoil to energize that portion of the population and turn this truly into a movement.

I read a thread like this and it just blows my mind that anyone thinks that Bitcoin will ever move away from a fringe casino hobby.

im guessing by wallet your refering to an address genrated but never stored anywhere digital then typed in when needed?

and whats the private public key parts , sorry i know im dense

best cold storage:
make a brain wallet. never import it into a bitcoin client. and simply deposit funds into the public address.. store it safely on paper in a fireproof safe.. thats about as cold as you can get

hot wallet
private key is imported into a wallet and is connected to the internet. whereby a rogue webhost or a hacker can get to the API calls to empty the wallet of funds.

since the addition of the bitcoin:// uri in windows. do any of those that have lost funds do any "free bitcoin" faucets regularly.

i remember last year there was one that actually made my QT client start running.

also

check all the programs installed EG the miners, drivers, etc that are not from the official websites. even check if you have a trading bot that was not created, compiled by yourself.

there was a guy named litecoin trader that hade a closed source trading bot. his version one last year was very very "iffy" and he soon went quiet when questioning him. he now has a version 2 which is also closed source.

do any of you use a trading bot for btc-e / mtgox?

can someone please explain this to me nicely,

cold storage.

hot wallet.

please give me the definition and an example

the only wallet i have is the encrypted on on my client.
thanks just trying to figure this out and learn

Android's not at risk from this sort of Java exploit. Other hacks are different matter - usually from installing something dodgy nd giving it permissions it shouldn't have.

I think this is the most likely explanation.  My friend also had coins stolen, and apart form Java which I don't know the answer to, she'd be a no to all the questions.

Android runs almost exclusively in a java virtual machine

"Dropped your wallet on the sidewalk" seems more appropriate than "Wallet stolen"

Does not seem like Android is involved at all. In fact, I am not aware of any Android-related Bitcoin thefts in all these years.

Unless I am missing something, the common denominator here is Java.

I did notice a Windows update last week - one lone security patch, outside of regular schedule - which only provided the usual "an issue has been identified that may allow a remote attacker blah blah". Does anyone know what kind of hole was patched?

Looks to me like it worked. "Wallet Hack" seems like an appropriate choice.

I re-imaged my Windows laptop from the recovery partition to get rid of it (and the creepy taskbar it installed on my browser.)  But my Windows machine is used irregularly for limited things which are not practical on my main workstations so it was relatively easy for me to do.   Backed up what few interesting docs I had in mega.co.nz before performing this action.

Now I don't even like to allow Microsoft or HP to install updates.  Since phone vendors are so willing to pre-install rootkits, and OS vendors seem happy to make that possible, it seems likely to me that commercial laptop and workstation vendors would be happy to follow suit.  The momentum behind the trend to make the Internet significantly more invasive seems to be building at an alarming rate.

---

BTW, so far my blockchain.info wallet seems fine in spite of the phone hack and gmail theft.  This seems to lend strength to the idea that the issue of this thread is not Android related.

Tried to change original post.  Dont' want to single out blockchain.info as source in fairness to piuk as it could've easily been a java exploit - don't think we've gotten to bottom of it yet.

I think you can just edit your original post (at the top of this thread), and change the subject.

I also just uninstalled java from my machine.