We have detected a security breach. Services are temporarily suspended - primaryobjects
http://instawallet.org

======
jimrandomh
"Online wallet services" are an invitation to theft and fraud. Do not use
them. I've been saying that since July 2011
(<https://bitcointalk.org/index.php?topic=26260.0>), before MyBitcoin ran off
with everyone's money, and it's just as true today as it was then.

If you lost money today I feel for you, but seriously, it's your own damn
fault. A Bitcoin is only yours if it was last sent to an address that is
yours, and an address is only yours if no one else knows what it is - in other
words, you have to have generated it anew on a secure, malware-free computer,
and avoided ever putting the wallet file on any computer that has malware or
that is not yours.

Seriously, stop it, you fools.

~~~
itcmcgrath
Which is essentially saying BTC will never become more than a semi-serious
plaything for the tech community. How is the non-tech user ever going to be
able to use this with anywhere near the level of trust/safety they have with
current traditional currencies? Hell, a lot of my tech friends can't keep their
computer secure/clean, not to mention backed up, so how are Joe and Jane
Average?

Or, alternatively BTC embraces the same banking industry setup it is trying to
get away from.

That said, I don't disagree with what you are saying (and upvoted) - just
pointing out some implications.

~~~
wereHamster
Those who want to trust BTC banks can do so. But now people have the choice
not to trust them and instead manage their wallet themselves. You don't have
that choice in the current banking system.

~~~
itcmcgrath
When I moved to the US, I spent a week+ living on cash until I had my bank
account set up. Being able to buy pre-paid VISA cards for cash at retailers
solves the part of the online issue as well. You can be a 'mattress' banker
with cash if you wish, securing your house just like you would secure your
computer.

Not sure there is _as_ big a difference between BTC and the current system as
people would lead you to believe. Emphasis on _as_ since there obviously are
differences - at least until new laws get thought up and passed.

~~~
aneth4
> Not sure there is as big a difference between BTC and the current system as
> people would lead you to believe

1) The value of your card is unlikely to be stolen by a hacker, unless you
make an online purchase.

2) If someone spends the value of your card, you have recourse.

3) Bitcoin is used to store much larger amounts of money than you likely had on
your VISA card.

------
teraflop
Someone on bitcointalk.org [1] noticed that approximately 42,000 BTC
(currently worth about US$4.3 million) was just transferred out of one of
Instawallet's accounts [2]. No idea whether the transaction was Instawallet's
doing, or the attacker's.

[1]
[https://bitcointalk.org/index.php?topic=164143.msg1716794#ms...](https://bitcointalk.org/index.php?topic=164143.msg1716794#msg1716794)

[2]
[http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96...](http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy)

~~~
dobbsbob
UH OH

Says it was sent FROM cold storage; that's not a good sign.

~~~
beala
If it's actual cold storage, then it's probably just them taking precautions.
The whole point of cold storage is to make the wallet immune to a server
breach. But who knows? It sounds like their security was sloppy.

~~~
dobbsbob
Edit..

[Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins
and euros are safe and will not be affected by the security breach. We have
taken the websites off-line for proper investigation.

The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control.

from <https://bitcoin-central.net/>

All is fine then I guess

------
dobbsbob
Instawallet has always only been meant to keep spare change for quick
transactions. For the longest time you could type into Google
site:instawallet.org/w and get a list of URLs with money in them; it's not
secure.

Neither is Strongcoin, who had all their wallet labels leaked recently, some of
which users had used to type in the hints for their key passwords.

If I remember correctly Instawallet is a Ruby/Rails app run by the same people
who do Bitcoin-Central.net. If you look at their other app Instawire you see
lots of Ruby gems used, in a financial application, not good.

EDIT.. bitcoin-central.net is also down

~~~
benmmurphy
It looks like they fixed the /w issue with Google but it still shows up in
other search engines.

------
aneth4
I'm a big believer in the future of bitcoin and hold a significant amount.
However I find holding bitcoin terrifying. There is just so much that can go
wrong - from data loss, to personal tragedy, to hackers, to algorithmic
weaknesses.

Ultimately we probably need insured, trusted third parties to hold keys, such
that even if there is a breach, someone financially viable is on the line to
reimburse.

Individuals holding their own keys may be a nice dream, but it's highly
impractical for most people if they have a significant portion of their wealth
in bitcoin. Certainly there will be very high net worth people and security
maniacs who want to hold their own keys, but I believe most people will want a
third party to guarantee them.

~~~
dobbsbob
If you hold a lot of coins you simply print out the keys and keep them in a
safety deposit box in a bank. Problem solved.

Or use the Armory offline wallet to store them on an encrypted non-networked
storage, print the keys, do the above.

~~~
smackfu
Don't you also need to destroy all other records of those keys?

~~~
dobbsbob
Only if you don't trust the encryption on your cold wallet backup where you
generated the keys. Personally I'd keep both, encrypted drive and printed keys;
then if, say, the bank is robbed or burns to the ground you can still transfer
the coins.

You'd also want to make sure the printer isn't storing memory of those keys
that were printed.

Some weird startup out of Europe is splitting up $2mil worth of coins on 3
encrypted USB sticks, using Shamir's secret sharing as the master key to decrypt
(this according to Bitcoin Magazine). Sounds like a bad idea; I don't trust
wear-leveling drives that could fail, taking all your coins with them.

~~~
Saavedro
You can make Shamir's secret sharing redundant if you are worried about that.

You could make, say, 6 USB drives, any 3 of which can recover your wallet. As
long as no more than -half- fail you would then be fine. And you can set
either number as high or low as you like, of course.

And it's not like wear leveling should come into play if you aren't actually
writing to them.
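The k-of-n redundancy Saavedro describes, as an added example that is not from this thread or from any wallet product: a secret is split into 6 shares over a prime field, any 3 recover it, and losing the other 3 drives changes nothing. Function names, the field prime and the sample secret are my own choices; illustration only, not production key-handling code.

```python
import secrets

# Field for the arithmetic: a Mersenne prime, so any secret < 2**127 fits.
PRIME = 2**127 - 1


def split_secret(secret, k, n, rand=secrets.randbelow):
    """Split `secret` into n shares (x, f(x)); any k of them recover it.

    f is a random polynomial of degree k-1 with f(0) = secret, so fewer than
    k shares reveal nothing about the constant term.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [rand(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):          # x = 0 is never handed out: it is the secret
        y = 0
        for c in reversed(coeffs):     # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange-interpolate f(0) from k distinct shares.

    Note: with fewer than k shares this still returns a number, just a wrong
    one; threshold schemes do not signal an insufficient quorum by themselves.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    secret = secrets.randbelow(PRIME)  # stands in for a wallet seed (constructed)
    shares = split_secret(secret, k=3, n=6)
    print("3 of 6 drives dead, still recovered:", recover_secret(shares[3:]) == secret)
```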

~~~
aneth4
You guys are making my point. You are speaking a language most people don't
begin to want to understand.

------
jstanley
If this is an April Fool's joke, it is likely to backfire significantly!

~~~
minimaxir
There needs to be a protocol for "this is definitely 100% not an April Fool's
joke."

~~~
larrybolt
Any financial sites should not participate in April Fool's jokes if you ask
me, or, just as Google does, add a notice that it's just a joke.

<https://www.google.com/intl/en/landing/nose/help.html>

~~~
loceng
You mean they're not shutting down YouTube after the contest is over?

------
gesman
Bitcoin rules:

1\. Keep your own self-generated, backupable and recoverable wallet without
dependency on any third-party babysitting services that are being consistently
broken into (and your money is lost). The Electrum wallet is recommended as it
also allows you to export a "master public key" using which you may launch your
own online store business and accept bitcoins as payment without risk of
losing money if someone hacks your online store.

2\. Use third-party services only for buying and selling bitcoins. As soon as
the transaction is complete, transfer the bitcoins back to your own wallet.

3\. Have a will so your loved ones could get hold of the coins. Just in case.

~~~
dobbsbob
Yes Electrum is good but remember you're relying on somebody else's blockchain
instead of your own. Though I generally trust the Electrum blockchain servers
you never know.

For your online store key, you should be using some sort of script to generate
receive payment addresses offline and stick those in a DB. The payments should
go to a cold wallet; you can either send a txn with a serial cable or manually
enter the signed transactions, but that's just my paranoid security.

~~~
gesman
The beauty of the Electrum master public key is that it can be used to generate
an unlimited number of "receive only" bitcoin addresses. A server script could
do it for each sale. If someone hacks into the server, he can't steal anything,
because Electrum's master private key (to send money) is never stored on the
server.

------
doktrin
The server appears to no longer be responding. That would appear to indicate a
non-April fools joke (coupled with the fact that they shouldn't really be
pulling pranks in the first place).

edit: back online

------
thechut
There is this from a few days ago:
<https://bitcointalk.org/index.php?topic=159673.0>

The founder said it was fixed but who knows

------
larrybolt
Though I like seeing sites pulling an April Fool's joke, I do think any
money-related sites (so bitcoin sites as well) have to say no to pulling pranks
on their users.

------
unimpressive
I'm pretty certain it's not a joke.

If it is, it's obvious that the instawallet guys have no business handling
your money.

~~~
rdl
Whereas, if they were just hacked, that's a great sign for handling your
money?

~~~
unimpressive
Either way it's a bad sign. At least with disaster response they show they're
taking things seriously.

------
ryusage
...I can't imagine a financial company would ever actually take down their
main site and claim to have been compromised just as a joke. For one thing,
it's not even funny, so where's the joke? And second, it's obviously really
bad for business. I think it's safe to assume this is real.

------
ashergm
Interesting that Instawallet goes down on the day BTC:USD hits 106 on Mt.
Gox.

~~~
digitalsushi
I am not a financial guy - just a web programmer - why is this interesting,
please?

~~~
wmf
If Bitcoins are worth more, criminals are probably willing to work harder to
steal them.

------
phasevar
If it is an April fools joke, it's a terrible one. They should have been more
creative. As it is, they're just destroying the trust in their brand. Nothing
funny about it.

