
Silk Road 2 Hacked, All Bitcoins Stolen - nikcub
http://www.deepdotweb.com/2014/02/13/silk-road-2-hacked-bitcoins-stolen-unknown-amount/
======
zedshaw
This is seriously the most hilarious thing I have read in a long time. Here we
have a group of objectivist libertarians who believe that there should be
effectively no laws other than the law of economics and self-interest who run
an illegal website devoted to the pure greed of cashing in on contraband, and
this is what they write:

"I’ve included transaction logs at the bottom of this message. Review the
vendor’s dishonest actions and use whatever means you deem necessary to bring
this person to justice." We need the government! Please, come find the guy who
took all of our illegal drug money and give it back to us so we can continue
to say you aren't necessary.

"Given the right flavor of influence from our community, we can only hope that
he will decide to return the coins with integrity as opposed to hiding like a
coward." Yes, you bad guy, you should do the right thing and think of the
community not your self-interests by giving your illegal gains back to
the guy named Dead Pirate Roberts (that's totally his real name).

"Whoever you are, you still have a chance to act in the interest of helping
this community." In the interest of the community?! Bwahahahaa!

"I will fight here by your side, even the greedy bastards amongst us." Like
_everyone_ on the site?!

"The only way to reverse a community’s greed is through generosity." Just like
Ayn Rand said my brothers!

Then I come here and not a single person on here even notices the massive
hypocrisy and lack of self-awareness. Amazing.

~~~
tolmasky
I think you have a deep misunderstanding of libertarianism (which is your
right of course). Libertarians don't necessarily not believe in laws, they
simply don't believe in a monopoly of laws and law enforcers. This is kind of
the whole point. It's clear that in your world view "justice" is somehow
inexorably tied to government, but there are others that disagree (which leads
to your confusion in thinking that because someone asks for justice he is
necessarily asking for government).

To illustrate this a bit better, perhaps using an example that you probably
agree with Libertarians on: just because libertarians believe drugs should not
be illegal, does not necessarily mean they believe drug use shouldn't be
discouraged or treated. It is not hypocritical to fight for drug
decriminalization but then seek rehabilitation programs for your drug addicted
friends. That is in no way acquiescing to the need for drug control -- it is
using a _different_ tactic to fight a problem both sides may very well agree
exists.

Similarly, it is not hypocritical to want the government to stay out of
currencies, but still want a method of punishing thieves. You may believe
other methods don't work (just like there are a lot of red voters who think
it's naive to think not putting drug users in jails works), but that doesn't
make the other position inconsistent.

~~~
zedshaw
"they simply don't believe in a monopoly of laws and law enforcers"

Ahahahahaah! That's the same as not having laws! And even then, what you're
saying is they believe someone should bring this guy to justice...and then do
nothing to him. Then it's not justice. You're killing me my friends. Just
killing me here.

~~~
redthrowaway
>Ahahahahaah!... You're killing me my friends. Just killing me here.

You can make the same argument without being an ass about it.

~~~
zedshaw
It's funny how me pointing out the stupidity and bullshit of a group of
criminals makes me an asshole...

But a guy who has actually lost people's money, put them at risk of reprisal
from drug dealers, helped people (potentially young people) commit major
crimes, enabled future addicts, and potentially is lying about the security
flaw to steal all this money while spouting hypocritical contradictory
statements...is a fucking hero.

Bravo! You win the ultimate hypocrite award of the century!

~~~
jacobtracey
It's the condescending way you write that makes you seem like an asshole...
i.e saying "Hahahahah" all the time - I don't particularly disagree with your
points but the insulting tone is unnecessary, don't you think?

~~~
zedshaw
First off, only my mother gets to tell me to "watch my tone". Random jackoffs
online can go fuck themselves if they think they've earned my respect by
default, especially if those same jackoffs use political rhetoric to harm and
steal from others.

My tone is simply a reaction to the tone of arrogance and superiority most
objectivists and commenters take. If you don't want to be ridiculed, then
don't write like an arrogant douchebag with zero self-awareness. Those kinds of
people are due a large dose of insulting and "tone".

~~~
jacobtracey
redthrowaway's comment:

> You can make the same argument without being an ass about it.

Your reply:

> It's funny how me pointing out the stupidity and bullshit of a group of
> criminals makes me an asshole...

You completely missed their point, how you can't see that is beyond me.

~~~
wtallis
Careful, now. It looks like you're saying that calling something stupid
bullshit is being an asshole. Some of us happen to believe that stupid
bullshit is a real thing and that there are circumstances where calling
something stupid bullshit may be entirely fair and justified.

Try defending against the accusation itself instead of taking the stance that
the accusation is always automatically invalid.

~~~
redthrowaway
>It looks like you're saying that calling something stupid bullshit is being
an asshole.

No, being an asshole _while_ calling something bullshit is being an asshole. A
^ B |- A. You can say something's bullshit without ridiculing people. Zed's
problem isn't that he says unpopular things, it's that he seems to try to be
as rude as possible in saying them.

Saying something's bullshit isn't necessarily rude. Saying something's
bullshit and anyone who disagrees with you is an idiot|hypocrite|moron|asshole
is.

~~~
wtallis
> "_Saying something's bullshit and anyone who disagrees with you is an
> idiot|hypocrite|moron|asshole is._"

The truth of that statement still depends on what the issue is. There are some
beliefs you really do have to be stupid or disingenuous to espouse.

------
blhack
This is almost certainly hogshit, and anybody who has been paying even a
little bit of attention over the last week can probably smell it.

The "hole" in MtGox's security was a social one. You could contact customer
support and claim that you had not received your coins, and they could re-
issue you new ones if they chose to. There is also no evidence that this ever
happened.

This wasn't, and isn't, a flaw in the underlying architecture, it's just a way
to convince a customer service rep that you weren't lying.

If SR was re-issuing coins _automatically_ , it's because they were being
intentionally stupid.

--

They're using this as a scapegoat. Either somebody ran off with the coins, or
something otherwise hacked them and they're using this as an explanation.

~~~
sillysaurus2
_If SR was re-issuing coins automatically, it's because they were being
intentionally stupid._

MtGox was re-issuing coins automatically. Due to this, Gox has lost money.
Possibly a huge amount. Were they being intentionally stupid, or just stupid?

Source:
[https://news.ycombinator.com/item?id=7222690](https://news.ycombinator.com/item?id=7222690)

This transaction malleability flaw is certainly a convenient excuse. But if
these people implemented their wallet software in the same manner as Gox, then
they would've suffered the same fate: a loss of thousands of coins, which is
exactly what they claim happened.

~~~
blhack
Maybe I just haven't had enough coffee today, but: where does it say there
that gox was re-issuing coins automatically?

~~~
sillysaurus2
Sorry, I should have linked two comments higher:
[https://news.ycombinator.com/item?id=7222457](https://news.ycombinator.com/item?id=7222457)

_You'll note that mtgox had funds taken from it. None of these other sites
[did]. They're just being flooded with junk that screws up their transaction
processing. It's not really the same thing at all._

------
pstrateman
The claim that this was caused by transaction malleability rings hollow.

The reference client (github.com/bitcoin/bitcoin) does not resend transactions
because of malleability.

The only way you can have double transfers due to malleability is if you are
manually reviewing transfers and re-sending them yourself manually.

This seems like a very convenient scapegoat.

~~~
deskamess
I thought the 'malleability' problem only resulted in miners being DDOS'd. The
transactions themselves were supposedly still 'intact' - i.e., inputs,
outputs, addresses were not modified.

So.... what are SR2 saying happened here?
- Is it a double spend using SR2 escrow bitcoins?
- How was the malleability introduced?

~~~
pmorici
There are two potential issues with the malleability. One is the MtGox problem
where you might not realize a transaction was successful and you are duped
into sending the money twice.

The second issue is a bug that was discovered in the reference client where if
you try to spend coins you sent to yourself before they are confirmed a bug in
the wallet causes your balance to be off.

Neither problem inherently allows theft but if you aren't careful the first
can open you to social engineering. The reason they are calling this a DoS as
far as I can tell is because they are preventing you from spending your money
until the bug is fixed with the accounting in the reference wallet.

SR2 is probably full of crap but there is a small possibility that they
somehow automated re-sending of failed transactions w/o properly accounting for
malleability in which case you might be able to steal a multiple of the actual
amount of money in your account over a few days. The sheer size of this though
would make me skeptical of that scenario.

~~~
nullc
> One is the MtGox problem where you might not realize a transaction was
> successful and you are duped into sending the money twice.

This isn't really a malleability issue however. Let's say it wasn't successful:
You send again. Oops, someone pulls the original out of a hat and both go
through.

The only way to safely reissue is to double spend the original transaction.
Then you get atomic exclusion, and it's completely safe: only one can possibly
get into the longest chain. This safety still applies if there is mutation
going on.
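The two patterns this sub-thread describes, a wallet that no longer recognises its own payment once the id has changed and then pays again, versus reconciling by spent inputs and re-issuing only from the same inputs so at most one version can confirm, modelled as an added example. This is toy code written for this page, not code from any Bitcoin client; its transaction format, hashing and the `mutate_encoding` helper are constructed simplifications.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    inputs: tuple    # outpoints being spent: (prev_txid, vout)
    outputs: tuple   # (payee, satoshis)
    sig_blob: str    # stand-in for the scriptSig bytes, which the signature itself does not cover

    def txid(self) -> str:
        # As in pre-SegWit Bitcoin, the id hashes the signature bytes too, so the
        # same spend with a re-encoded signature gets a different id.
        body = json.dumps([self.inputs, self.outputs, self.sig_blob], sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


def mutate_encoding(tx: Tx) -> Tx:
    """Constructed stand-in for a third party re-encoding the signature on its
    way to the chain: inputs and outputs are untouched, only the txid changes."""
    return Tx(tx.inputs, tx.outputs, tx.sig_blob + "'")


class Wallet:
    """reconcile_by="txid" is the fragile pattern; "outpoint" is the safe one."""

    def __init__(self, coins, reconcile_by):
        self.coins = list(coins)          # unspent outpoints we control
        self.pending = {}                 # txid -> Tx we broadcast but have not seen confirmed
        self.paid_out = 0                 # satoshis that actually confirmed to payees
        self.reconcile_by = reconcile_by

    def send(self, payee, sats):
        tx = Tx((self.coins.pop(0),), ((payee, sats),), "sig:" + payee)
        self.pending[tx.txid()] = tx
        return tx

    def on_confirmed(self, tx):
        self.paid_out += sum(s for _, s in tx.outputs)
        if self.reconcile_by == "txid":
            self.pending.pop(tx.txid(), None)    # a mutated copy is simply not recognised
        else:
            # A confirmed tx spending one of our pending inputs IS that payment,
            # whatever id it ended up with.
            spent = set(tx.inputs)
            for tid, p in list(self.pending.items()):
                if spent & set(p.inputs):
                    del self.pending[tid]

    def reissue_unconfirmed(self):
        """Re-broadcast whatever still looks unpaid."""
        out = []
        for tid, p in list(self.pending.items()):
            payee, sats = p.outputs[0]
            if self.reconcile_by == "txid":
                # Naive: treat the old tx as lost and pay again from fresh coins.
                out.append(self.send(payee, sats))
            else:
                # Safe: spend the SAME inputs, so at most one version can ever confirm.
                new = Tx(p.inputs, p.outputs, p.sig_blob + "#v2")
                del self.pending[tid]
                self.pending[new.txid()] = new
                out.append(new)
        return out


def confirm(chain_spent: set, wallet: Wallet, tx: Tx) -> bool:
    """Toy chain rule: a tx confirms only if none of its inputs is already spent."""
    if chain_spent & set(tx.inputs):
        return False
    chain_spent.update(tx.inputs)
    wallet.on_confirmed(tx)
    return True


def mutated_confirmation_scenario(reconcile_by) -> int:
    """The chain confirms a re-encoded copy of our payment; return satoshis paid out."""
    chain_spent = set()
    w = Wallet([("coin_a", 0), ("coin_b", 0)], reconcile_by)
    original = w.send("vendor", 100_000)
    confirm(chain_spent, w, mutate_encoding(original))   # different txid, same spend
    for tx in w.reissue_unconfirmed():                    # what the wallet does next
        confirm(chain_spent, w, tx)
    return w.paid_out


def safe_reissue_scenario():
    """The original looks stuck, so the safe wallet re-issues from the same inputs;
    then both versions show up. Return (which ones confirmed, satoshis paid out)."""
    chain_spent = set()
    w = Wallet([("coin_a", 0)], "outpoint")
    original = w.send("vendor", 100_000)
    (replacement,) = w.reissue_unconfirmed()
    results = [confirm(chain_spent, w, replacement),
               confirm(chain_spent, w, mutate_encoding(original))]
    return results, w.paid_out
```

With txid reconciliation the scenario pays the vendor twice (200,000 satoshis); with outpoint reconciliation it pays once, and the same-input re-issue leaves exactly one version confirmable.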

------
jfasi
Given the illegal nature of Silk Road 2, I can't help but be suspicious of this
explanation of the hack. If someone's sufficiently willing to flout laws as
to operate a site devoted to selling contraband, what stops them from taking
advantage of their position of power and stealing from their users?

~~~
aegiso
It's entirely possible to be in support of a free and peaceful drug trade,
while at the same time being morally against theft. I don't know why you're
lumping the two.

~~~
mbillie1
There's a difference between supporting a free and peaceful drug trade and
participating in a very-much illegal drug trade. It's possible to be a hemp-
wearing, tree-hugging hippie and be pro-death penalty - it also happens to be
rare.

~~~
MarkPNeyer
the law has very little to do with supporting freedom and peace these days.

~~~
mbillie1
That is very true, but there's still an enormous chasm for your average person
between being mostly-law-abiding (I'm not counting things like jaywalking or
going 5mph over the limit) and participating in drug sales, which could land
you life in prison. Hell, I think drug laws are incredibly unjust in the US,
and that the government is overstepping its bounds left and right. By no means
should you infer from this that I'm not careful of the legality of my actions.
I think it's perfectly reasonable to assume that someone participating in a
life-in-prison-risking drug enterprise would also be willing to make other
illegal/immoral decisions - in fact I think it would be foolish and naive NOT
to assume that as a default, despite the fact that it will of course not be
true in every case.

~~~
DerpDerpDerp
Having dealt passingly with a large number of marijuana dealers, I disagree
strongly with your assessment.

Do you have any statistics to back this up, or just the naive reasoning "Well,
it's a /serious/ crime, so they'd probably commit others, because only bad
people commit /serious/ crimes"?

------
bhaumik
On 1/31, a SR Forum user warned, "SR2 massive scam about to hit very soon"

    
    
      >no Auto Finalize/no resolution center coins are pilling up massively 
       whitout anyone even  realising what s coming .
      >there is propably couple millions $$ just in escrow alone and 
       no one is fucking complaining.
      >You guys really think it takes more than a month to implement
       a resolution center?how dumb are you
      >This is about to be the biggest scam in the history of the darkmarkets.
      >Defcon postponing dates again and again,then annoucing that a fix
       has been done when clearly it hasn t done shit ?(captcha)in this case.
      >Can t you fucking see throught their bullshit and blatant lies that
       the ship is about to go down the drain very soon??wake the fuck up .
    

Follow-up from today:

    
    
      >well,I ve done what I could to warn you at least,next time you
       call me a troll rethink maybe.
      >my posts weren t really convincing because of the bad grammar
       (not english) but the message was there for everyone willing to hear it.
      >If you believe all this bullshit again from defcon ,then I am affraid 
       you d get scammed over and over again.SR isn t what it once was,
       it is run by a greedy cunt.
      >This was just so predictable,it doesn t take 2 fucking month to 
       implement a resolution center ,not having it was the main tool 
       of their scamming operation.
      >The funniest thing in that story is that SR would still be up ,
       means this scams could go on forever because people are 
       licking blindly these greedy mofo.
      >don t be fooled by the green camel next time rant over/
    

[http://www.reddit.com/r/DarkNetMarkets/comments/1xu8wc/sr_fo...](http://www.reddit.com/r/DarkNetMarkets/comments/1xu8wc/sr_forum_post_31st_january_sr2_massive_scam_about/)

------
DigitalSea
Irony at its finest here. If you're going to go to the effort to use a
decentralised currency that is difficult to track to a particular individual
for a website selling illicit drugs and items served via a decentralised and
anonymously run network, don't expect any sympathy when your Bitcoin goes
missing... You go to the great effort of avoiding conventional means of
currency (banking, trackable transactions to individuals) and yet you realise
how the traditional banking system in many ways while not being perfect
protects you from a lot of this type of activity. If an attacker hacks into
your Internet banking or your credit card is stolen, you in most cases get the
money back.

No monetary system is perfect, and I think these increasingly frequent
scenarios where X amount of crypto-currency is "stolen" and cannot be
recovered drive that point home. I strongly believe that crypto-currency has a
bright future, I own a few Bitcoin myself and many other alternative crypto,
but I don't entrust and never would entrust my coins in a drug-dealer exchange
escrow wallet, I keep them on my computer and in cold storage. These kind of
situations just keep driving BTC's price down further, we don't need a Silk
Road for Bitcoin to succeed.

This whole situation really just makes me laugh. Some people have no faith in
the traditional system of Government or currency, but for some reason have
faith in a system and currency that is inherently insecure, unpredictable and
when shit hits the fan, there's nobody to help you...

~~~
aianus
Your point about the traditional banking system is irrelevant since there's
zero chance of successfully buying a kilo of coke with your Visa card.

So whether it's bricks of cash or shady darknet sites, the prohibition on
drugs necessarily doesn't leave one with much recourse when transactions go
wrong.

------
swalsh
My favorite part of bitcoin is just how wild west it always feels. Real money,
in very massive quantities is stolen, and there's no authorities who will do
anything about it. Old school scams are new again. Crashes happen on a monthly
basis. I'm staying out of it in any serious quantities because frankly I'm
having too much fun watching it.

~~~
emhart
It's even more fun with skin in the game.

~~~
NathanKP
Just remember to never invest more than you can afford to lose.

~~~
dopamean
Heh.. "invest."

------
Meekro
This is nonsense. The transaction malleability issue doesn't cause coins to be
automatically resent. The simple explanation is that the owner ran off with
everybody's money.

------
roymurdock
Sounds like Defcon got the excuse he needed to line his pockets with all of
the Silk Road 2 money.

I don't run a marketplace, but I would assume that an alarm protocol would be
implemented and triggered when thousands of bitcoins start to drain out of
"hot storage".

Exploiting the transaction malleability bug wouldn't net you 4,500 BTC at
once. It would take a lot of requests of broken transactions to drain the
entire marketplace of thousands of BTC. Defcon and SR2 should have been on
high alert for this kind of problem after the Mt. Gox announcement.

Anyone who runs a Bitcoin marketplace would not be "slow to respond and
skeptical of the issue at hand", especially not when the entire balance of the
marketplace is in such a vulnerable state.

Defcon has been around this business for years, he isn't an amateur. How could
he make such a fundamental, incredibly ignorant error?

Even if we believe the "bad luck, terrible timing" explanation, Defcon's lack
of caution and general awareness is simply inexplicable. There is no way he
would be so nonchalant about any kind of fault in the Bitcoin protocol with
everyone's money sitting out in the open, just waiting to be stolen.

I think the moral of this story is to not open an account with an anonymous
exchange. Instead, open an account with a marketplace backed by some high-
profile VC's who have some skin in the game. You can bet that Andreesen isn't
going to be careless and ignorant enough to let the same thing happen to
Coinbase. Not when he's got $25m and his invaluable image on the line.

~~~
gwern
> I think the moral of this story is to not open an account with an anonymous
> exchange. Instead, open an account with a marketplace backed by some high-
> profile VC's who have some skin in the game. You can bet that Andreesen
> isn't going to be careless and ignorant enough to let the same thing happen
> to Coinbase.

Great. Call me when Andreesen funds a black-market for highly illegal drugs.

~~~
roymurdock
I think people are less worried about finding a source for illegal drugs, and
more worried about finding a secure marketplace where they can trust the
administration and exchange their funds securely.

Theoretically, I would be relatively bummed out if my favorite drug dealer was
arrested. Then I would get over it and find a new dealer.

I would be livid if my drug dealer took my money, pointed a gun at my head,
then got in his car and drove away, all the while claiming that he wasn't
robbing me and that he had always had my best intentions at heart.

So I'm not so concerned about a new marketplace popping up. The market demands
drugs, and it will have them (SR3?). My point was simple: if you don't want to
lose your money, don't store your money in an anonymous, drug-dealing
marketplace. I'm not sure why this warranted such a sarcastic response?

~~~
gwern
I'm being sarcastic because your solution is a non-solution: using a
trustworthy exchange does not solve the problem of centralized escrows being
vulnerable. A real solution looks something like 'use multi-sig escrow'.

------
rglover
Reports like these make me wonder what Hacker News would have looked like
during the gold rush in the 1800s.

~~~
jaekwon
Hello good sirs, I am able bodied and in want of land and picket. Please reach
me at the bar, call for Sam.

~~~
samstave
Exhibit HN: I've concocted a most healthful and beneficial syrum of the utmost
pure ingredients! This here oil shall alleviate ye of all woe, misery and
weak-of-knee! Looking for a most suitable alchemical co-founder to assist in
mine taking this to production ready status for this year's county fair!
Please contact me by post or telegram!

Dr. Samuel's Special Synergistic Syrum One Market Plaza, San Francisco

------
aaronem
"Movement"? "Comrades"? "Freedom fighters"? Excuse me, isn't this the online
equivalent of an open-air drug market he's talking about here?

------
mindstab
... and things like this do to a point highlight why there is a lot of
regulation around money and trying to create a new "freer" currency is
actually really dangerous. I'm pretty sure his operating practice of keeping
all the money in one place would be against regulations. Also usually there
are big security standards. And finally high transaction fees do in some part
support _insurance_ so when my/your visa is stolen or what ever, the bank can
just refund me, and take it out of its insurance. Because storing a lot of
money for a lot of people is a big deal, but it's a well looked at deal, and
trying to start from scratch ignoring all of that... well... you just end up
with people losing money in ways that would never happen otherwise. :/

------
Steko
For anyone still drinking the "Bitcoin is frictionless" kool-aid, this hasn't
been a good week.

~~~
MarkPNeyer
for anyone who sees bitcoin as a 'wild west' environment, this sort of thing
is obvious and just moves the bitcoin economy forward. problems found now are
fixed, and won't be as big of a deal later.

~~~
chasing
But this isn't a beta test. People treat Bitcoin as if it's ready for
primetime and ready to replace traditional currency.

~~~
DerpDerpDerp
Yes, there's never limits on cash withdrawal in the glorious banking system.

[0]
[http://www.bbc.co.uk/news/business-25861717](http://www.bbc.co.uk/news/business-25861717)

~~~
Steko
If one of the main bullet points of your currency replacement is that "it's
frictionless unlike regular money", and you ever find yourself pointing the
finger at regular money and saying "it has frictions too" you already lost the
argument.

------
dreamdu5t
How do we know the founder didn't steal everyone's coins and is using hacking
as a scapegoat?

~~~
gwern
We don't know that, and there's good reason to think they're doing just that.

------
gesman
Owner decided to cash in and retire to no extradition treaty island?

~~~
riquito
Why "no extradition"? Would he risk anything penal? If bitcoins are not money
he may risk just a fine.

~~~
ErsatzVerkehr
[http://en.wikipedia.org/wiki/Fraud](http://en.wikipedia.org/wiki/Fraud)

~~~
Crito
If he is ever found, criminal charges are the least of his worries. We are
supposing that he stole lots of money from lots of different drug dealers.

~~~
fleitz
Dime Bag Donny is hardly Pablo Escobar.

If it took the FBI 2 years to track him down, unless he fucked over the
Zapatas exactly nothing will be done about this. But then again the Zapatas
hide behind guns, not crypto currency.

------
toasted
In the San Fran startup world where iPhone taxi requesting and self-deleting
video clips for 14 yr olds are the cusp of innovation, thank god for bitcoin
and all the fun that comes with it.

------
atwebb
Wow, it really is the wild west out there right now...

I wish that some of the "post-mortem" reports I've seen were this good and
detailed with problem, explanation, resolutions. I don't have a horse in this
race so people affected probably feel differently.

------
theswan
Not having very much knowledge about the financial industry - is this also an
issue with marketplaces that deal with fiat monies?

i.e. Dwolla, Balanced, Stripe, Venmo, all serve as intermediaries for moving
money - do these companies have bank accounts that hold onto massive sums of
money? What protections would go into keep those accounts secure?

~~~
beat
Modern banking is over 100 years old. There is 100+ years of fraud protection
processes, legal experience, etc built into the system, plus a huge and
complex industry that has a vested interest in overall currency stability.

Bitcoin and other digital currencies are learning firsthand what it means to
"disrupt" on this scale. Part of that is learning the hard way what the old
industry has known since before any of us were born.

~~~
weavejester
Modern banking is also largely reversible, so stolen funds can often be
recovered, and insurance covers the other cases.

Bitcoin has the problem of having irreversible transactions, and it's also a
lot more difficult to determine whether or not an account has been
legitimately stolen from.

I don't think it's the case that the current banking industry is insulated
from theft due to superior security. From what I've heard from programmers
working in the financial industry, the software there can be quite ropey, or
at least no better than anywhere else.

~~~
beat
Reversible transactions _are_ a security mechanism. And not all mainstream
financial transactions are reversible - short term bank to bank loans, which
can run in the tens of millions of dollars over periods of mere minutes, are
not reversible within the transaction process itself (set up another
transaction to balance the books if necessary). Of course, this is hardly a
realm for consumers! Only a rarified few that have passed stringent regulatory
requirements can participate in high-end mechanisms, and they can be booted
out easily in case of fraud or failure.

Irreversible, unregulated, software-driven money at the consumer level is a
thief's wet dream. It's even more appealing than cash. Money can be stolen
from halfway across the globe, anonymously. Digital currencies face security
challenges that go far beyond those of the fiat currency so many people
despise.

Besides the theft problem, there's the crime problem. Digital currency is
extremely convenient for high-dollar criminals like international drug and
arms dealers. They're the first big customers, while mainstream businesses lag
far, far behind in their own cautious way. This makes governments even more
hostile, and civilians as well. And a currency that isn't accepted by the vast
majority of legitimate businesses is not terribly useful.

But to your other point... yeah, banking software is not necessarily a paragon
of security, any more than any other big enterprise software. But consumer-
facing parts are generally fairly limited in scope (worst breach I know of is
the recent Target breach), and the really big-money parts are hidden well away
from the world and buried under many layers of process as well as software
security.

~~~
weavejester
Sure, but the processes that make banking secure mostly rely on human
interaction, insurance and centralisation, which are obviously difficult or
impossible to apply to Bitcoin. The current batch of Bitcoin businesses are
getting hard lessons in information security, whereas the mainline banking
system can compensate for any deficiencies in their software with more
traditional security processes.

To me, one of the more interesting results of Bitcoin is how critical
information security is to the businesses that deal in it, and how a flaw in
their security can make companies vanish overnight. It really provides some
darwinian pressure to get security right!

~~~
beat
And fiat currency starts looking better all the time. The fact that the most
powerful security mechanisms aren't even _applicable_ to digital currency
should be a huge red flag.

Short the exchange rate + significant DDOS attack on the exchanges = millions
in free money. That's just a for example. It doesn't even require explicit
crime on the bitcoins themselves, and can be done at a safe remove through
multiple cutouts. (Historical point of comparison - shell companies were used
to short airline stock just before 9/11, resulting in tremendous windfall
profits for presumably close allies of the perpetrators)

~~~
weavejester
> And fiat currency starts looking better all the time. The fact that the most
> powerful security mechanisms aren't even applicable to digital currency
> should be a huge red flag.

You could make similar arguments about security on the internet compared to
physical security in the real world. The recent Target credit card theft, for
instance - it's unlikely that the thieves could have appropriated 40 million
credit card numbers by physically taking them!

> Short the exchange rate + significant DDOS attack on the exchanges =
> millions in free money. That's just a for example. It doesn't even require
> explicit crime on the bitcoins themselves, and can be done at a safe remove
> through multiple cutouts.

Sure, but you could achieve a similar effect by attacking an internet retailer
and shorting their stock. It's also a lot easier to short stock, which is a
shame, as shorting typically reduces price volatility.

------
bhouston
How much was stolen? How many bitcoins are we talking about. It isn't very
clear.

~~~
rqebmm
at the top of the article:

Update: The amount of BTC that was stolen was calculated by Nicholas Weaver
@NCWeaver – Computer Security Researcher, to be around: 4474.266369160003BTC
that are with the value of about $2.7 Million.

~~~
jboggan
That should be 4474.26636916 . . . who is doing BTC calculations with floats?

~~~
brokentone
Bitcoin can be divided down to satoshis (0.00000001) and are often traded in
fractions. Since they're worth $500+ at the moment, it makes a lot of sense.

~~~
jboggan
I was talking about the trailing decimals after the hundred-millionths place.
It's an obvious sign that someone was doing calculations on them as floats and
not integers (and dividing by 100,000,000 for display purposes).
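An added illustration of jboggan's point, not code from the thread: amounts summed as floats pick up residue past the eighth decimal (the kind of tail visible in the article's figure), while integer satoshi arithmetic is exact and can reject anything finer than one satoshi. The payout list is a constructed sample.

```python
from decimal import Decimal, InvalidOperation

SATOSHIS_PER_BTC = 100_000_000


def btc_to_satoshis(text: str) -> int:
    """Parse a decimal BTC string exactly; anything finer than one satoshi is
    rejected rather than silently rounded."""
    try:
        amount = Decimal(text)
    except InvalidOperation:
        raise ValueError(f"not a decimal amount: {text!r}")
    sats = amount * SATOSHIS_PER_BTC
    if sats != sats.to_integral_value():
        raise ValueError(f"{text} is not a whole number of satoshis")
    return int(sats)


def is_valid_amount(text: str) -> bool:
    try:
        btc_to_satoshis(text)
        return True
    except ValueError:
        return False


def satoshis_to_btc(sats: int) -> str:
    """Format integer satoshis with exactly eight decimals; no float involved."""
    sign = "-" if sats < 0 else ""
    whole, frac = divmod(abs(sats), SATOSHIS_PER_BTC)
    return f"{sign}{whole}.{frac:08d}"


def has_sub_satoshi_digits(text: str) -> bool:
    """Flag a reported figure with more than eight significant decimals: a sign
    that it was produced by float arithmetic rather than integer satoshis."""
    _, _, frac = text.partition(".")
    return len(frac.rstrip("0")) > 8


def float_total(amounts) -> float:
    return sum(float(a) for a in amounts)   # accumulates binary rounding error


def exact_total(amounts) -> str:
    return satoshis_to_btc(sum(btc_to_satoshis(a) for a in amounts))


# Constructed sample: ten payouts of 0.1 BTC, which should total exactly 1 BTC.
SAMPLE_PAYOUTS = ["0.1"] * 10
```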

------
primitivesuave
> our projections of order finalization volume indicated that we would need
> the community’s full balance in hot storage.

As a bitcoin community leader, you _have_ to stay informed with how other
people got hacked in the past, and there are so many cases where all the
bitcoins were foolishly kept out of air-gapped cold storage until an
adventurous hacker plundered them. I guess history is doomed to repeat itself.

------
MrJagil
All the Reddit kids are talking about a new site called The Marketplace,
apparently very secure.

[http://www.reddit.com/r/themarketplace/comments/1tx26z/the_m...](http://www.reddit.com/r/themarketplace/comments/1tx26z/the_marketplace_simple_guide_with_pictures_latest/)

Anyone with more knowledge and less bias care to elaborate?

~~~
gwern
Multi-sig _seems_ like it would prevent these problems of markets scamming
their users, and thus far seems to have worked for TMP, but the major issue is
that TMP hasn't been very popular because it's harder to use, and so we don't
know how robust multi-sig is in practice.

~~~
MrJagil
Thanks for answering Gwern. I admire your work, trust your opinion, and it
resonates with my impression.

------
crystaln
The hatred for Mt Gox in the bitcoin community blinded them to the reality
that the malleability bug is very serious. The way the bitcoin community
responded was irresponsible.

Regardless of whether there are workarounds, it's a tragic security flaw in
the protocol and should have been treated as such.

~~~
jadeddrag
As I understand it, this was a problem that was identified over 2 years ago,
and fixed for over a year. The problem is that MtGox implemented their own
wallet software, and neglected to include bug fixes from the reference client.

~~~
crystaln
I don't believe that is correct. The core devs relied on people implementing
workarounds.
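The disagreement above is about who should have handled malleability, but the failure mode itself is simple to show. The Python below is an added example, not code from Bitcoin Core, Mt Gox or anyone in the thread; it models a transaction as JSON instead of Bitcoin's binary serialisation (a constructed simplification) and keeps the one property that matters: the txid is a hash over the whole transaction, signature encoding included. It contrasts a wallet that matches confirmations by txid with one that matches by the outpoints spent, which is the workaround crystaln is referring to.

```python
import hashlib
import json

# Constructed model: JSON stands in for the binary transaction format.


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def txid(tx: dict) -> str:
    """Hash of the full serialised transaction, every scriptSig included."""
    blob = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return sha256d(blob).hex()


def spent_outpoints(tx: dict) -> frozenset:
    """(prev_txid, vout) pairs the transaction consumes. These do not depend
    on how the signatures are encoded, and each can only be spent once."""
    return frozenset((i["prev_txid"], i["vout"]) for i in tx["inputs"])


# Constructed sample: one withdrawal spending one earlier output.
ORIGINAL_TX = {
    "inputs": [{"prev_txid": "aa" * 32, "vout": 0,
                "script_sig": "SIG-ENCODING-A PUBKEY"}],
    "outputs": [{"address": "customer-addr", "amount": 150_000_000}],
}


def malleated_copy(tx: dict) -> dict:
    """Same inputs, same outputs, same signer; only the encoding of the
    scriptSig differs (a stand-in for the alternative signature encodings
    the pre-fix rules accepted). Valid, but with a different txid."""
    copy = json.loads(json.dumps(tx))
    copy["inputs"][0]["script_sig"] = "SIG-ENCODING-B PUBKEY"
    return copy


class WalletTracker:
    """Tracks withdrawals that were broadcast but not yet confirmed."""

    def __init__(self):
        self.pending = {}  # txid -> tx

    def broadcast(self, tx: dict) -> None:
        self.pending[txid(tx)] = tx

    def confirm_by_txid(self, confirmed: dict) -> bool:
        """Naive matching: only the exact txid we remember settles a
        withdrawal. A malleated confirmation leaves our copy pending, and a
        wallet that then re-sends 'the failed withdrawal' pays twice."""
        return self.pending.pop(txid(confirmed), None) is not None

    def confirm_by_outpoints(self, confirmed: dict) -> bool:
        """Robust matching: any confirmed transaction spending one of a
        pending transaction's inputs settles it, whatever its txid."""
        spent = spent_outpoints(confirmed)
        for tid, pending_tx in list(self.pending.items()):
            if spent_outpoints(pending_tx) & spent:
                del self.pending[tid]
                return True
        return False


def demo() -> dict:
    """Broadcast the original, then see the malleated copy confirm."""
    seen = malleated_copy(ORIGINAL_TX)
    naive, robust = WalletTracker(), WalletTracker()
    naive.broadcast(ORIGINAL_TX)
    robust.broadcast(ORIGINAL_TX)
    return {
        "txids_differ": txid(ORIGINAL_TX) != txid(seen),
        "same_outpoints": spent_outpoints(ORIGINAL_TX) == spent_outpoints(seen),
        "naive_recognised": naive.confirm_by_txid(seen),
        "naive_still_pending": len(naive.pending),
        "robust_recognised": robust.confirm_by_outpoints(seen),
        "robust_still_pending": len(robust.pending),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keying reconciliation on outpoints rather than txids is the defensive half of the story; the other half, which the thread also mentions, is pausing withdrawals until reconciliation is known to be correct.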

------
EGreg
Ummm seriously why do these marketplaces hold your bitcoins???

Don't they know bitcoins support m-of-n transactions? There should be a
marketplace without the ability to have bitcoins stolen! It's rather
straightforward people.

~~~
gwern
> There should be a marketplace without the ability to have bitcoins stolen!

There is at least one, and it's pretty well-known. You underestimate how much
ordinary people don't want to deal with things like m-of-n transactions/multi-
sig.

~~~
EGreg
So why can't it be made more user friendly?

Marketplace initiates the transaction, and all you have to do is sign it with
your bitcoin client.

~~~
gwern
> Marketplace initiates the transaction, and all you have to do is sign it
> with your bitcoin client.

'All'?
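What an m-of-n escrow actually enforces is worth seeing as code rather than as a slogan. The Python below is an added example, not code from any marketplace or from anyone in the thread. It uses Lamport one-time signatures (a real, publicly verifiable scheme built only from SHA-256, so no extra library is needed; Bitcoin uses ECDSA, which this does not attempt) to implement a 2-of-3 release policy between buyer, vendor and marketplace. The party names, transactions and key assignments are constructed.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def tx_digest(tx: dict) -> bytes:
    """What every signer commits to: inputs and outputs, nothing else."""
    return H(repr(sorted(tx.items())).encode())


# Lamport one-time signatures: 256 pairs of random preimages; the public key
# is their hashes; signing reveals one preimage per bit of the digest.
# A key pair must sign only one message, which suits a per-order escrow key.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, digest: bytes) -> list:
    bits = int.from_bytes(digest, "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def verify(pk, digest: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    bits = int.from_bytes(digest, "big")
    return all(H(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


class MultisigEscrow:
    """k-of-n policy: funds move only when at least k of the n registered
    keys have signed this exact transaction."""

    def __init__(self, k: int, pubkeys: dict):
        self.k, self.pubkeys = k, pubkeys

    def authorise(self, tx: dict, signatures: dict) -> bool:
        digest = tx_digest(tx)
        valid = {name for name, sig in signatures.items()
                 if name in self.pubkeys and verify(self.pubkeys[name], digest, sig)}
        return len(valid) >= self.k


def demo() -> dict:
    """Constructed cases. For brevity the market key signs more than one
    message here, which a deployed one-time key would never do."""
    keys = {name: keygen() for name in ("buyer", "vendor", "market")}
    escrow = MultisigEscrow(2, {n: pk for n, (sk, pk) in keys.items()})
    release = {"inputs": ("escrow-outpoint", 0), "outputs": (("vendor-addr", 100),)}
    theft = {"inputs": ("escrow-outpoint", 0), "outputs": (("other-addr", 100),)}
    d_release, d_theft = tx_digest(release), tx_digest(theft)

    def s(who, digest):
        return sign(keys[who][0], digest)

    return {
        # operator alone, even with its key fully compromised, cannot move funds
        "market_alone": escrow.authorise(release, {"market": s("market", d_release)}),
        # normal completion: buyer and vendor agree, operator not needed
        "buyer_and_vendor": escrow.authorise(
            release, {"buyer": s("buyer", d_release), "vendor": s("vendor", d_release)}),
        # dispute: operator arbitrates with one party
        "buyer_and_market": escrow.authorise(
            release, {"buyer": s("buyer", d_release), "market": s("market", d_release)}),
        # compromised operator re-attaches the vendor's signature to a different tx
        "market_plus_reused_sig": escrow.authorise(
            theft, {"market": s("market", d_theft), "vendor": s("vendor", d_release)}),
        # a valid signature from a key not in the policy counts for nothing
        "market_plus_stranger": escrow.authorise(
            release, {"market": s("market", d_release), "stranger": sign(keygen()[0], d_release)}),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'released' if ok else 'refused'}")
```

The two refused cases are the ones the thread is about: the marketplace's own key, whether misused by its operator or stolen from its server, is never sufficient on its own, and a signature only ever covers the exact transaction it was made for. Gwern's point about usability stands untouched; nothing here makes the buyer's signing step go away.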

------
mathattack
_I’ve included transaction logs at the bottom of this message. Review the
vendor’s dishonest actions and use whatever means you deem necessary to bring
this person to justice. More details will emerge as we continue to
investigate._

This seems like absolving themselves of responsibility. Was that in the spirit
of how this was set up? I understand that this is different than a bank, both
in spirit and law. But is there really nobody who would go after Silk Road 2
to get the money back?

------
jessaustin
Interesting...

_I’ve included transaction logs at the bottom of this message. Review the
vendor’s dishonest actions and use whatever means you deem necessary to bring
this person to justice. More details will emerge as we continue to
investigate._

Presumably the particular addresses used will be noted for future reference by
vengeance-minded parties? Perhaps the list should be referenced by popular
client software so innocents can avoid receiving BTC, even indirectly, from
the blamed addresses...

------
npcc
Okay, I'm going to go out on a branch and throw up a strange hypothesis. I
don't have any stake in the Bitcoin or drug dealing games, apart from
generalized anarchistic tendency:

Silk Road 2 was a project set-up by some government agency or gangsters. The
overall plan is to eliminate competition and sow uncertainty around both
Bitcoin and Silk Road type unregulated markets with anonymous owners. The
"transaction malleability" issue is totally unrelated to this event - it's not
an exploit that can be used to 'steal' Bitcoins, only to corrupt the
blockchain and/or mess with transactions (eg. cause them to fail or end up in
limbo).

"We were planning on re-launching the new auto-finalize and Dispute Center
this past weekend, and our projections of order finalization volume indicated
that we would need the community’s full balance in hot storage." - a silly
excuse for such an obvious mistake. No imaginable system would require the
_entire_ balance of the community to be stored in such a way, no reasonable
systems architect would do this.

"The details we have on the hacker are below. Stop at nothing to bring this
person to your own definition of justice. We normally do not doxx anyone, and
hold user information sacred. But this is an extreme situation affecting our
entire community, and all three users who have exploited this vulnerability
are very much at risk until they approach us directly to assist with any
information. Do not reveal any details of the attack. This will jeopardize
your reward. Contact us directly. If anyone has purchased or sold to these
usernames, expect generous bounties for any information you can contribute
which leads to identification." - hold on, where's the evidence? What is he
going to do with any information provided by his internet personal army? Why
should others do his work for him in tracking these supposed hackers down?

"Few hours before the announcement we at DeepDotWeb received a mail saying:
'SilkRoad hacked, 150 BTC stolen, you heard it first from me' this was sent to
us by a reddit user who claimed since yesterday he was going to hack SR and
steal the sites money" - Wouldn't that just be the perfect cover? Get some
small-timers to grab a little and point the finger at them while he makes off
with the much larger remainder. Besides, didn't this guy just say that he
needs help tracking the attackers down? How does he then know enough to attach
addresses to particular handles and countries? I admit some unfamiliarity with
both Bitcoin and Silk Road/2 here so I hope somebody else can fill me in on
this.

"It takes the integrity of all of us to push this movement forward. Whoever
you are, you still have a chance to act in the interest of helping this
community. Keep a percentage, return the rest. Don’t walk away with your
fellow freedom fighters’ coins." - An attempt to insinuate that the 'thief'
is a member of the Bitcoin in-group, alongside the author. An appeal to those
already attached to the in-group to 'join' the author in 'solidarity' and
painting this event as a battle to defend Bitcoin itself. One that was
already 'lost', I note.

"Multi-signature transactions are the only way this community will be
protected long-term." - oh yes, if ditching anonymity by tying identities and
transactions together in an easily auditable fashion is 'protection' in this
business.

"I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as
soon as the malleability issue was reported. I was slow to respond and too
skeptical of the possible issue at hand." - I believe this to be a stretch of
the truth, weren't the MtGox and Bitstamp shutdowns totally unrelated to this
'exploit'?

"If this financial hardship places you at risk of physical harm, contact me
directly and I will do my best to help you with my remaining personal funds."
- Give us all your information and I promise I'll send you some money!

"Hindsight is already suggesting dozens of ways this could have been
prevented, but we must march onward." - Translation: I just lost a lot of
your money, trust me so I can do it again or lose faith in Bitcoin entirely.

"In retrospect this was incredibly foolish, and I take full responsibility for
this decision. I have failed you as a leader, and am completely devastated by
today’s discoveries." - Awesome, an anonymous guy with nothing to lose takes
full responsibility.

I'd love to hear some thoughts on these comments and if anybody is thinking
along the same lines? Alternatively, I'd also love to hear good arguments
against this position.

~~~
objclxt
> _Alternatively, I'd also love to hear good arguments against this position_

Oh, I'll bite:

If you have the choice between conspiracy and incompetence the latter is
almost always the more likely.

~~~
npcc
Ah, yes, Hanlon's razor. It works as a general rule, but I think that there
are enough powerful, vested interests (proven by eg. Russia, China and US Fed
actions/statements regarding Bitcoin) and enough precedence (CIA disinfo
campaigns, NSA TAO and its 'dirty tactics', Chinese and Russian gang ops and
propaganda/DoS attacks, corporate APTs) to make conspiracy a real possibility.
I think that one of the key things here is that many of us discussed _the
possibility of exactly this situation_ , whether conducted by advanced actors
or petty criminals the last time that Silk Road was burned to the ground (and,
in that case, it was pretty clear who was behind it).

------
cbeach
This is why we need to find decentralised means of exchanging Bitcoins.

I built [https://www.cointouch.com/](https://www.cointouch.com/) to find
trading partners in my extended social network. I don't want to use a
centralised third party.

There's little need for a centralised exchange given we have a rich social
graph, and a programmable currency that is truly P2P.

Keep it all P2P.

------
microcolonel
TL;DR one opportunist business with no strong external audits has failed its
customers, and everyone who wasn't affected seems to think it's the perfect
opportunity to criticise the philosophical views of people who may not even be
involved.

Please stop upvoting such low quality threads. We can do better than this,
guys. :P

------
gojomo
Whatever happened to honor among thieves?

~~~
samstave
Well.. if they weren't stealing them bitcoins, then they wouldn't be thieves
to uphold said honor...

------
barkingcat
They were just asking for it. If you work with bitcoins in such quantities,
you will have an attack surface so appealing that every single hacker on earth
will be targeting you. You better treat security seriously.

------
watty
Play with fire and get burned. Sounds like the thugs have started tracking the
thief, which would end in blood if caught. Classy stuff here folks, amazed
drug dealers and crooks seem "normal" now.

------
d23
Is our only recourse downloading the entire block-chain to keep our wallets
stored offline? Or do I have some misunderstanding? I just really like the
convenience of services like coinbase.

~~~
facepalm
You don't need the block chain to keep coins. You only need a wallet.
Technically your private keys never need to see the internet at all.

Edit: here is one way to do it
[https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_sa...](https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet)

At a recent meetup there was a presentation recommending Electrum with HD
wallets instead. That would mean you really would only need to memorize a
passphrase, all the keys would be generated from that so no backup necessary.
Personally I am not yet 100% sure HD wallets are safe, need to look into it.

------
memracom
index.php?

Can we say that they were inviting themselves to be hacked? Really, the only
way to not have all their cash stolen would be for the NSA to hack them first
and close up all the security holes.

------
tedivm
About 150 coins were stolen by the main attacker - $91,870.

------
samstave
SO, I am completely ignorant on exactly how bitcoin works, but how the hell is
it not possible to secure a bitcoin one owns?

~~~
dispense
It is perfectly possible. Your only task is to secure the private keys. These
are short enough to be printed as a QR code or written down. Keep that piece
of paper somewhere safe. Alternatively, it is possible to use a good, random,
long passphrase as your de facto private key. That way, the keys to your
wallet are literally stored in your mind and nowhere else.

As of now, there are no known fatal flaws or weaknesses in the Bitcoin
protocol itself. The network is secure and as long as you manage to secure
your private keys, Bitcoin is extremely safe.

~~~
robzyb
> It is perfectly possible [to secure a bitcoin one owns].

You're forgetting about social engineering.

~~~
dispense
Social engineering applies to pretty much everything. It has nothing to do
with Bitcoin (or whatever else a social engineer wants from you) and
everything with your own lack of due diligence and gullibility.

~~~
robzyb
I agree entirely - and that is the reason that one shouldn't say "It is
perfectly possible to secure a bitcoin one owns."

~~~
dispense
Semantics. Obviously, theoretically, everybody can be fooled. The common sense
definition of secure is not "secure with zero possibility of the security
being broken". Storing diamonds in a safe at the bank is secure. Printing your
private key and storing it at the bank is not any less secure than storing
diamonds there.

------
ausjke
How much is the loss? Who is going to cover it? Don't think there is an
insurance policy for bitcoin hacking.

------
tethis
Yeah, right, they "got hacked".

------
mattdeboard
This thread is now about zed shaw

------
shomyo
"hacked"

------
notastartup
how the hell do they get away with this kind of heist? Wouldn't they be able to
follow the blockchain addresses until arriving at the wallet they are using to
cash out?

~~~
smtddr
I've talked about this before.
[http://news.ycombinator.com/item?id=7086399](http://news.ycombinator.com/item?id=7086399)

You won't be able to find me without the authorities forcing the exchanges to
provide info since they make their own cut helping me move the funds around in
transaction-fees if they keep quiet about these kinds of things. As long as
I'm not too greedy/eager and don't rush things, I can collect on these funds
over the course of several months. I can even spice things up by sending a
bunch into an online bitcoin-gambling-site. Gamble a little bit; perhaps lose
some then withdraw after a few days. So now if I had sent 10 BTC in then 9 BTC
goes somewhere else, you don't know if I lost 9 BTC to the casino or if I lost
1 to the casino and 9 is going to another wallet of mine.

All this will look pretty crazy to anyone trying to follow me on the
blockchain. You can't know which coins are actually mine and which belong to
the exchanges & casinos. Maybe I legitimately won the jackpot; who knows.

Also, there's this: [http://www.bitcoinfog.com/](http://www.bitcoinfog.com/)

Sidenote: Casinos are a great business to launder real life fiat money too...

------
tillinghast
I suspect bandits.

------
relampago
What it means to be a libertarian by Harvard Professor [VIDEO]
(01:57)[https://www.youtube.com/watch?v=zxj00QD6fNY](https://www.youtube.com/watch?v=zxj00QD6fNY)

------
padseeker
This is why bitcoin is a sham. The premise of perceived bitcoin value is based
on the greater fool theory. What the hell were any of these people thinking?

[http://en.wikipedia.org/wiki/Greater_fool_theory](http://en.wikipedia.org/wiki/Greater_fool_theory)

~~~
shawnz
That has nothing to do with what has happened here and has been argued ad
nauseam in other threads already. In short: the only aspect of bitcoin that
may be considered an instance of the greater fool theory is the idea that it
is a guaranteed investment. Obviously it is not, and this news has nothing to
do with bitcoin as an investment vehicle anyway.

~~~
padseeker
It has everything to do with this - the reason it was stolen is it is a crypto
currency with no legitimacy or inherent value. It's not even a physical object,
it's more like a stock that is not regulated.

If this were real currency or a stock, then there might be some regulation and
stealing would be hard to pull off.

This virtual currency's value is based on nothing. The whole hacked account
thing has a lot in common with some of the stock scams that occurred pre-
depression. You have phony stocks which people buy into, it gets pumped, value
is inflated, then dumped only to find out there was no company or the books
were cooked. For all we know the guy that created silk road 2 'hacked' it
himself and pocketed the bitcoins. This has more in common with a bad stock
deal than a real robbery. And bitcoin has about the same real value as one of
the phony stocks peddled on the market in the 1920s.

~~~
RankingMember
What about the USD's value is based on something other than a mental construct
shared by billions of people?

