
Czech bitcoin exchange Bitcash.cz hacked, up to 4,000 user wallets emptied - vlastik
http://www.coindesk.com/czech-bitcoin-exchange-bitcash-cz-hacked-4000-user-wallets-emptied/
======
cs702
Every new day seems to bring another new Bitcoin scandal -- whether it's a
hacked exchange, stolen wallets, frozen funds, collapsed Ponzi schemes,
arrested illegal-market operators, or who knows what else.

Yet, despite all this, Bitcoin keeps appreciating, recently reaching an all-time high.[1]

--

[1] https://blockchain.info/charts/market-price?timespan=all

~~~
smtddr
These stories of hacks & scandals and your link showing increasing value only
increase my desire to buy bitcoin. Also, this wild story[1] makes me want
bitcoin too. What if I just want to buy $500 USD worth of bitcoin and just sit
on it? Maybe 10 years from now it'll be worth close to a million, or maybe
bitcoin will be shut down and it'll be worth nothing. I think I can risk it.
Who's trustworthy these days if I want to make that purchase?

1. http://now.msn.com/kristoffer-koch-norwegian-man-buys-apartment-with-bitcoin-profit

~~~
aianus
Coinbase.com is a YC company that's trustworthy and convenient if you have a
US bank account

~~~
zachlatta
Eh, I wouldn't recommend Coinbase. They deemed one of my purchases from them
as "high-risk" and have been holding my money hostage since. Support team has
been taking 3-4 days to reply to each email in the thread.

~~~
christiangenco
Yeah, their support department is absolutely awful.

~~~
Wingman4l7
They've been chalking that up to growing pains -- for the longest time, they
didn't even have a dedicated support guy hired; it was just the two founders.
Last time I checked they had just one member of staff dedicated to support,
although by now they might have one or two more.

------
honzzz
It might be interesting to note that someone in the discussion under the
original article (an unregistered user going by the name 'The one who knows')
claims that "the admin of bitcash.cz Carlos upset the czech hacker community
SooM.cz and according to Blockchain
(https://blockchain.info/tx/44f66e60460926d1ac75667ce3060429000f7cbd30e9afe5a1f3af62cae7727f)
it looks like those hackers donated all the BTC that was on bitcash.cz to
wikileaks".

~~~
altero
If all BTC are in a single place, it could be possible to recover them. Seems
like a well documented case, both parties are in civilized countries and a court
could take it.

Soom.cz is not a very reliable source. Also, the Czech Linux community does not
mention anything.

But according to some users it did not even use SSL!!!

~~~
saraid216
> But according to some users it did not even use SSL!!!

It's never going to stop amusing me that Bitcoin's big selling point is how
it's this amazing form of applied cryptography... and the people who actually
try to do this kind of thing cheerfully neglect security concerns that seem
rather basic.

It's not hard to explain this phenomenon, but it's still amusing.

------
LukeWalsh
Please. Please. For the love of god please.
https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet

~~~
aqme28
How safe is this compared to using a brainwallet
(https://en.bitcoin.it/wiki/Brainwallet)
with a sufficiently strong password (say, a hundred secure-randomly generated
characters)?

A brainwallet sounds far far simpler to set up, at least.

~~~
GigabyteCoin
Brainwallets are never a good idea.

See here:
https://www.google.com/search?q=brainwallet+(stolen+OR+hacked)

~~~
meowface
Uh, no.

Brainwallets with _weak passphrases_ are a bad idea. Every case of a
brainwallet theft has been due to users coming up with predictable passphrases
to generate the key.

Most brainwallet private keys are simply a SHA256 hash of a passphrase, which
is fairly easy for a dedicated attacker to crack via bruteforce or dictionary
attacks, yes. But if you use, say, a 12-word sentence with completely random
words, like SHA256("fire pickle shipment lachrymose deity unwitting pernicious
obstacle kitchen tumbleweed mannequin erudite"), and maybe some random letters
or numbers at the end, it's infeasible that it'll ever be cracked.

One common problem is that many people will pick song lyrics, book titles, or
Bible quotes as their passphrase. Obviously attackers are going to scrape and
add those to their dictionaries (which will then also be permuted in many
ways), so it's critical that the words are picked arbitrarily and that there
are enough of them.

The idea itself isn't inherently insecure, except for the fact that SHA256 was
probably a poor hash function to use since it's fast.

I can guarantee that this will always be more secure than trusting any online
service to store your wallet instead. The only risk is you forgetting one or
more of the words, in which case you're in trouble.

~~~
aianus
Just wanted to add a note that you can come up with whatever deterministic
process you want to generate the keypair.

For example SHA256(MySuperSlowAwesomeLongHash("fire pickle shipment lachrymose
deity unwitting pernicious obstacle kitchen tumbleweed mannequin erudite"))

~~~
meowface
True. Many people appear to use
http://brainwallet.org or similar sites though; they
don't really understand what hashing functions are, so they trust these sites
to securely generate a private key.

Someone should really make an alternative with bcrypt or scrypt.
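
The brainwallet derivations discussed in this sub-thread, as an added example (not code from the thread, from brainwallet.org, or from any wallet project): the plain SHA256(passphrase) scheme beside a SHA256(scrypt(passphrase)) variant standing in for the "SlowHash" above, a dictionary attack that recovers the key of a wallet built on a well-known phrase, the range check a wallet must apply to any derived key, and the entropy of a 12-word random passphrase. The phrase list and word list are constructed for the demo, the fixed scrypt salt and the N=2**14, r=8, p=1 parameters are assumptions (a brainwallet has nowhere to store a random salt), and scrypt is my stand-in for the bcrypt/scrypt suggestion above, not a description of any existing site's code.

```python
"""Added example (not from the thread or from brainwallet.org): the classic
SHA256 brainwallet next to a scrypt-wrapped variant, a dictionary attack
against the former, and the entropy of a random multi-word passphrase.
The phrase list and word list below are constructed for the demo."""
import hashlib
import math
import secrets
import time
from typing import Callable, Iterable, Optional

# Order of the secp256k1 group; a Bitcoin private key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed stand-in for the lyric/title/quotation lists an attacker scrapes.
PREDICTABLE_PHRASES = [
    "correct horse battery staple",
    "to be or not to be",
    "the quick brown fox jumps over the lazy dog",
    "In the beginning God created the heaven and the earth",
    "password",
]

# Constructed 16-entry word list; a real one (e.g. diceware) has 7776 entries.
WORDLIST = ("fire pickle shipment lachrymose deity unwitting pernicious obstacle "
            "kitchen tumbleweed mannequin erudite anvil copper granite lantern").split()

# The 12-word passphrase used as an example earlier in the thread.
RANDOM_12 = ("fire pickle shipment lachrymose deity unwitting pernicious "
             "obstacle kitchen tumbleweed mannequin erudite")


def brainwallet_sha256(passphrase: str) -> bytes:
    """Classic brainwallet derivation: key = SHA256(passphrase).
    One cheap hash per guess, so an attacker can test billions of phrases."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def brainwallet_scrypt(passphrase: str, salt: bytes = b"brainwallet-demo") -> bytes:
    """SHA256(SlowHash(passphrase)) with scrypt as the slow hash (assumption).
    N=2**14, r=8, p=1 costs about 16 MiB and tens of milliseconds per guess.
    The salt is a fixed constant: a brainwallet has nowhere to store a random
    one, so it only separates this scheme from other users of scrypt."""
    slow = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)
    return hashlib.sha256(slow).digest()


def is_valid_secp256k1_key(key: bytes) -> bool:
    """Either derivation can, with negligible probability, yield 0 or >= N.
    A wallet must reject such a key rather than silently use it."""
    k = int.from_bytes(key, "big")
    return 1 <= k < SECP256K1_N


def dictionary_attack(target_key: bytes, candidates: Iterable[str],
                      derive: Callable[[str], bytes]) -> Optional[str]:
    """What a thief does to every funded brainwallet address: derive a key
    for each well-known phrase and compare. Returns the phrase on a hit."""
    for phrase in candidates:
        if derive(phrase) == target_key:
            return phrase
    return None


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words drawn uniformly (with replacement) from a word list."""
    return n_words * math.log2(wordlist_size)


def random_passphrase(n_words: int, wordlist) -> str:
    """Draw words with the OS CSPRNG, not from memory, lyrics or scripture."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def seconds_per_guess(derive: Callable[[str], bytes], rounds: int = 10) -> float:
    """Rough per-guess cost of a derivation on this machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive("benchmark phrase")
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    victim = brainwallet_sha256("to be or not to be")
    print("SHA256 brainwallet cracked with:",
          dictionary_attack(victim, PREDICTABLE_PHRASES, brainwallet_sha256))
    print("random 12-word wallet cracked with:",
          dictionary_attack(brainwallet_sha256(RANDOM_12), PREDICTABLE_PHRASES,
                            brainwallet_sha256))
    print("12 words from a 7776-word list: %.0f bits"
          % passphrase_entropy_bits(12, 7776))
    print("seconds/guess sha256=%.2e scrypt=%.2e"
          % (seconds_per_guess(brainwallet_sha256),
             seconds_per_guess(brainwallet_scrypt)))
    print("fresh passphrase:", random_passphrase(12, WORDLIST))
```

The slow KDF only raises the price per guess by a constant factor; it does not rescue a quotation the attacker already has on a list. The entropy figure is the real defence: twelve words drawn at random from a 7776-word list give about 155 bits, which no dictionary or brute-force search reaches, whereas the same twelve words chosen from memory are worth only as much as the list they came from.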

------
etherael
I'm getting somewhat tired of these kinds of stories, the stories _and_ the
responses here both follow identical patterns.

1) Security is compromised at an entity that deals somehow with bitcoins. The
security of the blockchain remains unimpacted; it is as relevant to the
fundamentals of the currency as someone getting robbed is relevant to the
fundamentals of the fiat currency they were robbed in.

2) Much whining and gnashing of teeth ensues as to how bitcoin is going to
collapse any second now because clearly it is just some crazy snake oil and
look at the rash of compromises as evidence, and by the way it also happens I
disapprove of it because it goes against my views on what a currency needs to
be.

3) People respond much along the lines I'm responding now.

4) It devolves into an ideological argument along the lines of the
characteristics of the currency itself and the potential death of fiat money
and its implications.

Conclusion: some people are fundamentally ideologically opposed to bitcoin and
will use whatever they can to drag it through the mud at every opportunity.

Compromising the blockchain or the fundamentals of bitcoin itself is news,
even when it's overblown or exaggerated like the recent Cornell findings; some
venture getting owned because they failed to adequately secure their place of
business is par for the course and barely a footnote at this point in time.

For the first time in normal everyday business history, security _really
matters_ now. You can't just put up a banner with the legal penalties for
acting against corporate policy and actually expect to hold people accountable
via the legal system for ignoring your banner; the new rules are that you need
_real_ security.

Frankly I think that's a good thing and something that is far overdue, the
swiss cheese state of general security practices coupled with the apathy and
ignorance of general computer users has gone on for far too long, but because
the individuals in question were never held personally to account there was
never the motivation to really fix the problem.

Now there is; people need to accept this new paradigm if they want to deal in
this space.

~~~
yahelc
re: #1, don't you think it would be newsworthy if someone robbed a bank of
_all_ its customers' uninsured deposits? That doesn't really happen commonly,
and if it did, it would be huge news.

~~~
etherael
It was just as much news when Gox got owned, even though they covered the
losses. Also, insured vs. uninsured is irrelevant in this category because you
simply can't have an uninsured traditional bank in the fashion you're talking
about.

------
alecsmart1
This is the third story in two weeks. Either the hacking attempts are
increasing or the site owners are cashing out. Either way it's bad news.
Anyone with bitcoins must use an offline wallet.

~~~
fat0wl
It's been shown that it can happen, so it will continue to happen until it
becomes unprofitable or infeasible...

------
antonius
First the Chinese exchange (GBL) and now this? Scammers have been hitting the
exchanges hard recently.

~~~
speeder
Of course, this is a prime time to get btc and sell it. Scammers probably are
not expecting the price to climb much longer in short term.

~~~
monsterix
On the other hand I see this more like a concerted attempt to build mistrust
against the virtual currency and its distribution network. Tinfoil hat anyone?

[Edit: Thank you for your lame negative votes, sad people. You can go further
and ask for more negative power to vote this down and then just die negatively
voting right here.]

~~~
vlastik
Another theory says that the webmasters are stealing the coins themselves.
Perfect crime ;).

~~~
monsterix
Sure, makes sense, but why would I steal millions when I could do billions? -
though it's better to err on the side of petty.

~~~
lmm
Once you get past about $5million you might as well cash it in there rather
than take any more risks - you're set for life either way.

------
disdev
I'd love to say there's some more nefarious work going on, like governments
trying to quash Bitcoin and executing these hacks...

But my guess is it comes down to poor security.

~~~
fembot__
I couldn't agree more. I took a cool seminar in college about web security, in
which a former senior security specialist for a government agency said that
there is no such thing as full security, just varying levels of insecurity.
Scary thought...

~~~
BlackDeath3
>there is no such thing as full security, just varying levels of insecurity

Six in one hand...

But it is good to realize that there is really no such thing as perfect security.
If it can be accessed, it can be accessed nefariously.

------
kumarski
I think CoinMKT with its verification seems like the only solid place...

~~~
iancarroll
I think Mt. Gox, the most reputable exchange, is the only solid place. This
sounds like self advertising.

~~~
mithras
Sure if you like to wait 8 weeks for your money.

------
Nux
You mean, they weren't insured?

