
Bitfloor Hacked, $250,000 Missing - doublextremevil
http://bitcoinmagazine.net/bitfloor-hacked-250000-missing/
======
david_shaw
And therein lies the problem with non-traceable, uninsured currency.

One of the benefits of using a major bank (in the United States, for this
example), is that your money is federally insured. You'll always see little
logos or blips of text advertising that the bank is a "member, FDIC."

People take this for granted -- after all, if your bank is robbed, why should
it be _your_ loss? It's a little harder when the currency is anonymous and
completely uninsured.

Many bitcoin exchanges will do their best to dip into their profits to
reimburse users after they were hacked. I know that several major exchanges
have already dipped into their own coffers to reimburse their users. However,
they need to pay for this completely out-of-pocket, and even then there's
nothing that indicates that they _have_ to do so.

I think that bitcoin is an interesting idea, and certainly has gained a lot of
traction for more privacy-minded individuals. Those that want to actively
day-trade it, though, should stick to standard forex markets, in my opinion. In
fact, there is nothing to guarantee that the organizers of an exchange won't
simply steal your money and disappear -- there'd be no way to prove that it
was them, short of seizing their machines and hoping an incriminating bitcoin
wallet was sitting there.

~~~
tjoff
How is this a property of "non-traceable"/anonymity?

If someone physically robs the bank and gets away with a large amount of cash
that is arguably even more anonymous and non-traceable than bitcoins.

The only problem ought to be that bitcoin exchanges are not being insured; by
whom, or that the currency happened to be bitcoin, doesn't matter (as long as
the insurance covers it).

~~~
astrodust
Don't banks track the new money they receive by serial number range?

~~~
tjoff
What stops you from doing that at a bitcoin exchange as well?

------
bdcravens
Read the thread referenced in the article:
<https://bitcointalk.org/index.php?topic=105818.0e>

Bitfloor admits to earning about $2100 a month. So it's a totally unregulated
market, and it'd be easy to increase your earnings by 100x this month. During
the time the wallet was left in an unencrypted location, it just happened to
get hacked.

I can't call the Bitfloor owner a thief, but reading his posts about looking
to the future, and not to the past, no claim of a police report being filed,
and the generic term "We got hacked!" make for some obvious conclusions.

~~~
javert
I seriously doubt they stole the money, because they've exhibited an extremely
high level of professionalism in the past.

(Even when not comparing them to other bitcoin ventures, which tend to set a
very low bar.)

Another reason I doubt they would steal it is because "cashing out" now would
be like Zuckerberg cashing out a year after starting Facebook. At least, from
the perspective of someone who believes in bitcoin.

------
modarts
"the attacker gained accesses to an unencrypted backup of the wallet keys"

<shakes head>

What is with these bitcoin exchanges and their pathetic records on security?
How is the currency ever supposed to go mainstream with these continual
security lapses?

~~~
jamescun
Well, when you consider that a traditional bank has teams of security experts,
spends millions of dollars on security infrastructure and STILL has the
occasional lapse in security, how do you think a couple of guys in their spare
time will fare?

~~~
spamizbad
A bank's software infrastructure and "attack surface" dwarfs these tiny
bitcoin exchanges. Banks also have byzantine processes and guidelines that
encumber their technical teams, so building their software is inherently
costly regardless of security.

Meanwhile unregulated, nimble BitCoin exchanges struggle with the OWASP top
10.

~~~
ajross
I'm not quite sure I buy that. Obviously banks are more complicated. But
because of the regulatory environment what they are not is "just servers on
the internet". You can break into a bitcoin exchange and steal BTC by copying
data. You can't do that with a bank -- banks can only transfer electronically
to other banks, and "being a bank" is a tightly regulated state.

So while the complexity is there, it's not clear to me that it correlates to
an "attack surface" in the sense network security people use the term.

------
shuw
A problem with an untraceable currency is that it's also very easy for an
exchange to collaborate with a hacker and vanish (or declare bankruptcy). Not
saying that is what happened here, but that would be my fear.

~~~
javert
Those kinds of trust issues are present in some form in _many_ kinds of
commercial transactions, and there are many ways of dealing with them
(insurance, lawsuits, interact with companies you can trust and avoid ones you
can't, etc.).

~~~
shuw
Bitcoin provides plausible deniability, which makes lawsuits difficult. In
contrast to centralized banking systems which leave a paper trail.

And insuring bitcoins has its own logistical challenges that will probably
scare an actuary.

Trust is a hard one as I'm sure the people who used bitfloor had trusted it
until today.

~~~
javert
Insuring bitcoins is actually pretty easy. As a sidenote, there are already
people doing it. The ideal way to do it would be to audit the exchange, and
possibly also use an escrow, populated with money from the exchange, that pays
you (the insurer) if the exchange loses money. It would be in the interest of
the exchange to cooperate in these areas, in order to promote the availability
of cheaper insurance, and therefore more customers.

A digression: Bitcoin would be the government regulator's wet dream if you
could assign people addresses (and they could only use the assigned address),
because you can trivially track all transactions. Actually, I have in mind a
way to implement such a system in a (likely) cryptographically sound and
enforceable way. But in theory, the government could outlaw cash and track all
transactions _anyway._

------
pixie_
'hacked' ... Anyways, here's my question - why aren't private keys for these
centralized wallets encrypted with a password the user has to put in when they
do a transaction. That way private keys aren't stored on disk, but only
temporarily in memory. Also if the encrypted keys get stolen, there's time for
people to move their money to new wallets before the encryption is broken.

~~~
witten
Transactions are often automatic and unattended. For instance, you put in a
buy or sell order that may or may not be automatically fulfilled sometime in
the next day.
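An added example (not code from Bitfloor or from either commenter) of the design pixie_ describes, in Python: the signing key is kept on disk only in password-encrypted form, the key-encryption key is derived with a memory-hard KDF so a stolen backup buys time rather than immediate loss, and the plaintext key is recovered into memory only for the operation that needs it. It also makes witten's caveat concrete: an unattended order needs the password, or the key derived from it, resident in memory for as long as that order is open. The cipher used here is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag purely so the block runs on the standard library; production code should use a vetted AEAD from a crypto library.

```python
import hashlib
import hmac
import os

# Constructed example, not Bitfloor's code. The signing key is stored only in
# password-encrypted form; the plaintext exists in memory per operation.
# HMAC-SHA256 counter-mode keystream + encrypt-then-MAC tag is a stand-in so
# this runs on the stdlib alone; use a real AEAD (e.g. AES-GCM) in production.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # memory-hard cost slows offline guessing


def derive_keys(password: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the password via scrypt."""
    km = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                        maxmem=64 * 1024 * 1024, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: concatenated HMAC(key, nonce || counter) blocks, cut to length."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal_private_key(private_key: bytes, password: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag: the only form that may touch disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(private_key, keystream(enc_key, nonce, len(private_key))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_private_key(blob: bytes, password: bytes) -> bytes:
    """Recover the plaintext key for one signing operation; fails closed on a
    wrong password or a tampered backup (tag checked in constant time first)."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or corrupted backup")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
```

A process that must sign unattended would have to call `open_private_key` with a password it already holds, which is exactly the window witten points out.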

------
gst
The best thing about this is that the conversion rate of Bitcoins is
relatively unaffected. And that's good, because this is not a failure of
Bitcoin, but of a single service provider.

------
mdonahoe
Since all bitcoin transactions are traceable, it will be interesting to see
how this money gets laundered.

~~~
gst
1) Set up a free Bitcoin mixer service where people can "launder" their own
Bitcoins for improved anonymity (Hint: those services already exist)

2) Feed your stolen coins into the service and make sure that the rate of this
isn't too high

3) Profit (if someone asks you have the perfect excuse)

And in case you argue "using money from such a mixer service is suspicious":
It doesn't have to be a mixer service. Use one of the numerous Bitcoin
casinos. With the right games you can expect to win around 90% or more of the
money that you've invested. And if you're lucky the coins that you get from
the casino are different than the ones you paid them.

------
tlrobinson
1. Start a Bitcoin exchange

2. Announce you were "hacked"

3. Profit!

------
tlrobinson
Are there tools/databases out there that keep track of stolen Bitcoins and
where they end up? It seems like it would be in the interest of the exchanges
to share this information and blacklist coins originating from a theft.

They should also allow users to check incoming transactions against this
blacklist and reject them if they choose. I suppose you'd end up with a black
market of tainted Bitcoin, but that's better than just allowing thieves to
immediately exchange stolen coins for another currency or legitimate
services/products.

~~~
javert
To answer your first question: It's pretty easy to track where bitcoins go.
People have tools that visualize this (I've seen them). I don't know of one
off the top of my head I can point you to, though.

To answer your second question: This idea has been discussed at length on
bitcointalk.org by a lot of people. The idea is known as "tainting." There are
a lot of problems with making it work in practice, so the consensus seems to
be "don't go there."

To give you a sample of the (IMHO valid) objections: For one thing, it's
difficult to verify which coins really should be tainted. (How do you know
someone claiming certain coins should be tainted is trustworthy?) For another
thing, tainting creates two "competing" bitcoin currencies, black coins and
white coins. Finally, there is no central authority, so it would be
challenging (though perhaps not impossible) to come to a "general consensus"
on who should be in charge of declaring coins tainted.

------
nvmc
I lost a lot back when they were ~$20 a pop and you could still crunch them. I
lost enough to put me off completely. Nice to know my caution isn't entirely
paranoia induced.

~~~
brador
When you say lost, how exactly? Hacked trading? Other?

~~~
nvmc
I had some in an exchange which was hacked.

------
rb2k_
Yet another Bitcoin exchange on Linode being hacked through the service
console (I can't find the post where he mentioned it, but I remember reading
it yesterday. He mentioned that the machine wasn't reachable on an external
IP.).

I'm currently not sure about whether this is partially to blame or not. Would
a dedicated server have made it harder to access the machine?

------
campbx
Sorry to hear that a lot of people's bitcoin deposits were lost in the
BitFloor hack.

CampBX has been in operation for over a year, is based in Atlanta, and has
successfully cleared multiple independent Pen-tests and security audits.

Give us a try! www.CampBX.com

------
drivebyacct2
Why do people leave any amount of money in the wallets at these places?

~~~
wmf
Do you mean the exchange or the customers? The customers have to deposit BTC
before they can place any sell order, and the BTC has to be held in escrow by
the exchange as long as that order stays on the books. As others have said
though, the exchange shouldn't be keeping much money in a hot wallet; that's
probably just lazy programming.