
Bitcoin payment processor BIPS compromised, 1295 BTC stolen - nwh
https://bitcointalk.org/index.php?topic=252308.msg3645043#msg3645043
======
ChuckMcM
Pretty sad, especially for folks who lost coin.

The part that intrigues me is the whole security aspect of it. Take your
average bright guy and say "Let's set up a place where people can store and
move around gold coins. All the gold coins are going to sit in your living
room, and of course if anyone were to get their hands on those coins they
could melt them down into pieces and resell them so that you never knew where
they went. There is going to be more than a million dollars worth of coins in
your living room, do you think your door lock is up to it?"

Ok so it's a stretch, but Bitcoin has two interesting properties: one, it is
pretty fungible, and two, most if not all governments consider it about as
'real' as the gold in World of Warcraft. If CFAA doesn't apply (say the server
is outside the US) then what exactly would you even charge someone with who
"stole" 1000 BTC? It isn't recognized as currency by any jurisdiction on the
planet as far as I can tell, so what got stolen? Numbers? Block chain data?

This fairly unique combination of properties quite possibly makes Bitcoin the
_ideal_ target for thieves. Better than cash, better than raw gemstones,
better than pretty much anything except possibly bearer bonds [1]. Have you
seen how much security there is around vaults that hold bearer bonds?

And yet people create exchanges or wallet services or whatnot and then seem
shocked when they get compromised by very sophisticated programmers [2] who
steal all their BTC? You are surprised?

Given these huge thefts where is the money going? I mean is there a steady
stream of redemptions at exchanges? Is there a note in the chain when the coin
is transacted for cash? Should there be?

[1] [http://www.investopedia.com/articles/bonds/08/bearer-bond.asp](http://www.investopedia.com/articles/bonds/08/bearer-bond.asp)

[2] When the payoff is huge, the risk small, you can pay someone a lot of
money if they are good to get you the coins.

~~~
mrb
_" It isn't recognized as currency by any jurisdiction on the planet as far as
I can tell"_

Wrong:
[http://www.forbes.com/sites/kashmirhill/2013/08/07/federal-judge-rules-bitcoin-is-real-money/](http://www.forbes.com/sites/kashmirhill/2013/08/07/federal-judge-rules-bitcoin-is-real-money/)

~~~
ChuckMcM
Thanks for the link; the reasoning from the ruling [1] is a bit more precise,
however. For the purposes of establishing standing for the SEC to prosecute,
the judge reasoned in part with this:

 _" First, the Court must determine whether the BTCST investments constitute
an investment of money. It is clear that Bitcoin can be used as money. It can
be used to purchase goods or services, and as Shavers stated, used to pay for
individual living expenses. The only limitation of Bitcoin is that it is
limited to those places that accept it as currency. However, it can also be
exchanged for conventional currencies, such as the U.S. dollar, Euro, Yen, and
Yuan. Therefore, Bitcoin is a currency or form of money, and investors wishing
to invest in BTCST provided an investment of money."_

The key here is that the judge is trying to understand if the transactions
involved met the standard of being an 'investment of money.' Which he reasons
to by establishing that you can convert currency to and from BTC and you can
buy products with BTC. He doesn't address the question of people who create
BTC out of the act of 'mining' it. Let's say Van Gogh was alive today, you
could use his paintings as "money" in exactly the same way, except Van Gogh
could make new money just by painting something. Which makes other things more
complicated (are bottles of Tide "money" if you can trade them for drugs? [2])
It sounds like this ruling simply allowed the SEC to move forward with their
case, but I'll be interested to watch it to see if it gets appealed (the
ruling). Clearly ruling too broadly here would put the onus on people with
collectibles to follow FinCEN rules when trading them, which to date they have
largely avoided.

[1] [http://www.courthousenews.com/2013/08/06/Bitcoin.pdf](http://www.courthousenews.com/2013/08/06/Bitcoin.pdf)

[2] [http://www.theatlantic.com/business/archive/2012/03/why-are-criminals-stealing-tide-detergent-and-using-it-for-money/254631/](http://www.theatlantic.com/business/archive/2012/03/why-are-criminals-stealing-tide-detergent-and-using-it-for-money/254631/)

------
skorgu
That technical explanation sounds almost like word salad. How did a DDoS hit
your SAN in the first place and how did your SAN blowing up allow a
compromise?

~~~
mmmooo
iSCSI SAN, so attached via Ethernet or similar; taking network devices offline
would take the SAN offline. The rest is pure magic.

~~~
packetslave
If your iSCSI network traffic can be impacted by an Internet-based DDoS, your
network architect is an idiot.

~~~
mmmooo
yep, sounded like they shared switches between public and iSCSI LANs, or
worse.

------
nwh
Address of the stolen funds:
[https://blockchain.info/address/1LuG91tcSQxKj32BsCoRkX7yQLfj...](https://blockchain.info/address/1LuG91tcSQxKj32BsCoRkX7yQLfj9LtkCs)

~~~
zhuzhuor
Since every bitcoin transaction is public, why don't we build a public
blacklist for these addresses with stolen coins (and all addresses these
bitcoins are further transferred to), so that the hackers cannot get too much
from their actions?
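The blacklist proposed above is, mechanically, a forward taint walk over the transaction graph: start from the address that received the stolen coins and mark every output of every transaction that spends from a marked address. The following is an added illustration (not code from the thread, BIPS, or any blockchain explorer) over a constructed four-transaction ledger; the addresses and amounts are made up. It also reports the caveat such a scheme runs into immediately: when a tainted input is co-spent with an untainted one, the merged output is tainted too, so honest funds get swept up.

```python
from collections import deque

# Constructed sample ledger (not real chain data). Each transaction lists the
# addresses it spends from and the (address, amount) outputs it creates.
TXS = [
    {"id": "tx1", "inputs": ["victim_hotwallet"],
     "outputs": [("thief_A", 1295.0)]},
    {"id": "tx2", "inputs": ["thief_A"],
     "outputs": [("mixer_1", 600.0), ("thief_B", 695.0)]},
    # tx3 merges a tainted input with an honest one: this is the caveat.
    {"id": "tx3", "inputs": ["mixer_1", "honest_1"],
     "outputs": [("exchange_deposit", 900.0)]},
    {"id": "tx4", "inputs": ["honest_2"],
     "outputs": [("honest_3", 10.0)]},
]


def propagate_blacklist(txs, seeds):
    """Breadth-first forward taint: every output of a transaction that spends
    from a tainted address becomes tainted. Returns {address: hops_from_seed}.
    """
    spends_from = {}
    for tx in txs:
        for addr in tx["inputs"]:
            spends_from.setdefault(addr, []).append(tx)

    tainted = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        for tx in spends_from.get(addr, []):
            for dest, _amount in tx["outputs"]:
                if dest not in tainted:
                    tainted[dest] = tainted[addr] + 1
                    queue.append(dest)
    return tainted


def collateral_inputs(txs, tainted):
    """Untainted addresses whose coins were co-spent with tainted ones. These
    are the honest parties a naive blacklist would catch. Returns a list of
    (tx_id, address) pairs in ledger order."""
    hits = []
    for tx in txs:
        ins = tx["inputs"]
        if any(a in tainted for a in ins):
            hits.extend((tx["id"], a) for a in ins if a not in tainted)
    return hits


if __name__ == "__main__":
    # The seed is the address the stolen funds were sent to (constructed name).
    taint = propagate_blacklist(TXS, ["thief_A"])
    for addr, hops in sorted(taint.items(), key=lambda kv: kv[1]):
        print(f"{addr:18s} tainted at {hops} hop(s)")
    print("honest inputs swept up:", collateral_inputs(TXS, set(taint)))
```

Running it marks `thief_A` (0 hops), `mixer_1` and `thief_B` (1 hop) and `exchange_deposit` (2 hops), leaves `honest_3` alone, and flags `honest_1` as collateral in `tx3`. A real tracing effort would also weigh amounts (how much of each output is tainted) rather than treating taint as all-or-nothing, which is exactly where the proposal stops being a simple list.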

~~~
rtpg
if you could get such a thing in place, couldn't everyone just roll back
transactions?

I feel like having such a system in place would probably end up breaking a lot
of the legitimacy (since you'd need over half of miners to agree to it, in
which case some sort of "central" entity would exist)

~~~
nwh
You could to a point, but you would need a lot of mining power and the ability
to act quickly.

BIPS didn't announce that they'd been compromised until over a week since the
funds were sent out, so it's completely impossible at this point. If you
wanted to get a transaction with one confirmation reversed, you would need to
convince the two largest pools (ghash.io and btcguild) to mine a fork that
doesn't contain your blacklisted transaction in under 10 minutes, and even
then they'd create a very noticeable reorganisation. You'd also then have to
race to get your funds out, as you know your keys have been compromised.

It's fairly impossible really.
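To make concrete why the reversal nwh describes gets harder with every confirmation, here is an added toy chain model (not Bitcoin's code, nor anything from BIPS). It is deliberately simplified: every block has the same work, chain selection is "most cumulative work, ties go to the chain a node already holds", and transaction and block names are constructed. It simulates an honest chain holding the theft transaction at N confirmations and a competing branch that omits it, and counts how many blocks the branch must mine before nodes would switch, plus how deep the resulting reorganisation would be.

```python
import hashlib
from dataclasses import dataclass

# Toy target: hash must have this many leading zero bits. Chosen so the demo
# runs in milliseconds; it is not Bitcoin's difficulty.
DIFFICULTY_BITS = 8
GENESIS_PREV = "0" * 64


@dataclass(frozen=True)
class Block:
    prev: str          # hash of the previous block
    txids: tuple       # transaction ids included in this block
    nonce: int

    def hash(self):
        data = f"{self.prev}|{','.join(self.txids)}|{self.nonce}".encode()
        return hashlib.sha256(data).hexdigest()


def mine(prev, txids):
    """Brute-force a nonce until the block hash meets the toy target."""
    nonce = 0
    while True:
        block = Block(prev, tuple(txids), nonce)
        if int(block.hash(), 16) >> (256 - DIFFICULTY_BITS) == 0:
            return block
        nonce += 1


def extend(chain, txids):
    prev = chain[-1].hash() if chain else GENESIS_PREV
    return chain + [mine(prev, txids)]


def work(chain):
    # Equal difficulty per block, so cumulative work is just block count.
    return len(chain) * (1 << DIFFICULTY_BITS)


def best_chain(*chains):
    # max() keeps the first maximal argument, so ties favour the chain
    # a node already has: a competitor must be strictly heavier.
    return max(chains, key=work)


def confirmations(chain, txid):
    for i, block in enumerate(chain):
        if txid in block.txids:
            return len(chain) - i
    return 0


def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x.hash() != y.hash():
            break
        n += 1
    return n


def reorg_depth(old, new):
    """Blocks of `old` that nodes would discard when switching to `new`."""
    return len(old) - common_prefix_len(old, new)


def blocks_to_reverse(confs):
    """Honest chain: block0, then a block containing theft_tx, then enough
    blocks to give it `confs` confirmations. A fork starting from block0 that
    omits theft_tx is grown until it becomes the best chain. Returns
    (blocks the fork had to mine, reorg depth seen by honest nodes)."""
    honest = extend([], ["coinbase0"])
    honest = extend(honest, ["coinbase1", "theft_tx"])
    for i in range(confs - 1):
        honest = extend(honest, [f"coinbase{i + 2}"])
    assert confirmations(honest, "theft_tx") == confs

    fork = honest[:1]          # shares only block0 with the honest chain
    mined = 0
    while best_chain(honest, fork) is honest:
        fork = extend(fork, [f"alt{mined}"])
        mined += 1
    return mined, reorg_depth(honest, fork)


if __name__ == "__main__":
    for confs in (1, 3, 6):
        mined, depth = blocks_to_reverse(confs)
        print(f"{confs} confirmation(s): fork needs {mined} blocks, "
              f"reorg depth {depth}")
```

With equal per-block work the fork always needs one block more than the transaction has confirmations, and the reorganisation it causes is as deep as the confirmation count, which is why a one-confirmation reversal is a race against the next block (roughly ten minutes in Bitcoin) and a week-old transaction is out of reach. The depth figure is also the detection signal: monitoring software that watches for reorganisations deeper than one or two blocks will see a deliberate rewrite, which is what nwh means by "very noticeable".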

------
pearjuice
1295 bitcoin stolen with a value of x dollars. See, they didn't care about the
bitcoin, they cared about the dollars behind it. As long as a bitcoin's value
is measured in dollars and accepting bitcoin is merely done because it is at a
high dollar rate, how can this possibly be a viable alternative currency?
Apart from the whole fluctuation on steroids, bitcoin is nothing more than a
wrapper for American dollars.

Because, at the end of the day, you have to pay for your groceries and
mortgage in dollars. _B-but muh Subway sandwich_

~~~
woah
Honestly, let's think a little bit here. If this story was reported on in
China, what currency would it be converted to for the readership?

If a story about American dollars being stolen was reported on in China, what
currency would it be reported in? Is the dollar just a wrapper for the Yuan?

------
omni_
How do we know this isn't an inside job?

~~~
benatkin
A good question to be asking. I agree with this sentiment:

> Every time a company loses somebody else's bitcoins, the main assumption
> should be that it was an inside job. It's way too easy for a company to take
> the money and say that they were hacked.

[http://www.reddit.com/r/Bitcoin/comments/1rexob/bitcoin_paym...](http://www.reddit.com/r/Bitcoin/comments/1rexob/bitcoin_payment_processor_bips_attacked_over_1m/)

------
Erwin
Here's their security page:
[https://bips.me/security](https://bips.me/security) -- "industry-leading
security" .. "BIPS ... does not store bitcoin on its servers".

Is it time for a PCI-like consortium that will validate your bitcoin storage
security procedures? (Not that PCI is guarantee of anything, but at least
following it prevents you from having full credit card data lying around in
files).

I.e. analyze your fail-safes (which seem to be lacking) and validate that
unless someone is holding a gun to the owner's head, that your 1000 bitcoins
held for you in their "vault" cannot be sent off to a random address.

~~~
steveklabnik
Bitcoin advocates talk about lack of regulations as a feature, not a bug, so
I'd wonder how well it'd go over.

I think it's important and will have to happen eventually.

~~~
warfangle
Could see if voluntary adoption works out.

------
vbuterin
> It is imperative to understand that everything was wiped out from our
> servers and getting functionality back is priority #1. The wallet part of
> BIPS was a free service to make payments easier for users. Web Wallets are
> like a regular wallet that you carry cash in and not meant to keep large
> amounts in. Hence we offered a paper wallet as a cold storage alternative
> for those who wanted a safe storage solution.

"Oh, we never said that our food is screened against infection - if you wanted
that you should have checked out the premium section!"

------
stretchwithme
Hey, how about just disconnecting the critical machines from the network when
under such an attack?

~~~
fleitz
Our DDOS recovery plan is to just shut everything off and admit defeat.
Brilliant.

~~~
eli
That seems infinitely better than catastrophic loss of customer funds.

~~~
fleitz
There's no difference, as if you shut your site down every time someone DDoSes
you then you'll have no customers anyway.

~~~
fat0wl
mmm I think at this point in the Bitcoin community, stating that practice on
your homepage would actually get you _more_ customers.

"In the event of an obvious attack, we disconnect from the network and begin
diagnostics after __ minutes of sustained activity."

~~~
buster
DDoS can run over a rather long period of time and come and go fairly quickly.
Cutting the internet connection just is no viable solution for an online
service.

------
d0ugie
1295 stolen, sounds like a lot - does that figure count as actual bitcoin
transactions?

------
woah
Why do people use online wallets? I don't understand.

~~~
letstryagain
BIPS was a payments processor. Merchants used them to accept Bitcoin payments
AFK.

------
iso-8859-1
Linked post is from November 19, 2013.

