
Computer compromise leads to theft of bitcoins valued at $500,000 USD - trotsky
https://forum.bitcoin.org/index.php?topic=16457.0
======
tybris
I now understand that BitCoin is actually an experiment to teach people basic
economics and why many of today's rules and institutions (e.g., banks) exist.
Sorry for criticizing it. BitCoin is an awesome educational tool.

~~~
byrneseyeview
What prevents you from setting up a BitCoin bank?

More interestingly: are the features that let you set up a dollar-denominated
bank features or bugs?

~~~
recoiledsnake
Banks are regulated by law and have the funds insured by FDIC, i.e., even if the
bank goes belly up, the FDIC will make sure the depositors get the money. With
BitCoin, how do you trust a bank? Even if it's just by word-of-mouth trust,
eventually the bank will be taken over or run by non-trustworthy people. The
threat of federal prison keeps most real banks honest. Nothing like that
exists in the BTC world.

~~~
timbowhite
Banks also inflate the money supply using fractional reserve banking,
effectively diminishing the value of every other dollar in active currency.

If you think that is honest behavior, then bury all your money for 10 years
and then try to spend it. Surprise! You've been robbed.

If I'm not mistaken, there is an eventual limit on the amount of bitcoins that
can ever be created.

~~~
jonknee
That's not entirely a negative... We're better off that people are
incentivized to not bury all their money. Deflationary spirals are no fun.

~~~
timbowhite
I agree that circulation of currency/commodities is necessary for a healthy
economy. I don't agree that we're better off having value stolen from our
currency by inflating it for the sake of "incentive".

How many joe sixpacks actually spend their money as quickly as possible
because they're afraid of inflation? Hopefully it never comes to that.

> Deflationary spirals are no fun.

$5/gallon of gas and $7/gallon of orange juice are no fun either.

------
ansy
I'm a BitCoin skeptic with the best of them. But this is breathtaking.

That's one thing about bitcoins. There's no FDIC or SIPC watching your back.
It's the wild west with train robberies and stage coach heists in all.

~~~
byrneseyeview
It's interesting to consider why that is. I could start a BitCoin deposit
insurance company, for example: you'd pay me X% of your balance each month,
and I'd make you whole in the event of fraud.

Of course, I'd want all sorts of regulations on how you set this up; I might
sell you some kind of extra-secure system for managing your balance, for
example. At that point, the market would basically be putting a price on
BitCoin security.

Obviously, my deposit insurance scheme could go broke, if I price it wrong.
That's theoretically a risk with SIPC. It's not a risk with the FDIC, since
that is ultimately backed by the government's ability to print an unlimited
amount of money.

So it might make more sense to say that deposit insurance is a feature of
unstable currencies: if anyone's dollar-denominated debt can be 100%
guaranteed by the government, then the value of _everyone's_ dollar-
denominated assets will face an inflation tax to pay for this guarantee.

~~~
dminor
Maybe I'm missing some detail of the scheme you're proposing, or have some
fundamental misunderstanding of bitcoin, but if bitcoin is anonymous and
untraceable, how do you prevent insurance fraud?

~~~
jarin
You could only insure bitcoin that is stored in a wallet that you control
(i.e. act as a bank).

------
hullo
Seems fairly inevitable: if I sat by the window of my house, talking to anyone
who walked by about having a large cache of money, which it was clear was also
in my house... well, I would probably want to do one or all of: (a) invest in
some quality locks; (b) stop talking about it; (c) keep my money somewhere
else

------
mrcharles
Correct me if I'm wrong, but given the P2P nature of bitcoin, wouldn't it
effectively give someone interested in malicious activity a list of target IP
addresses? In theory he could set up his own P2P, watch for large
transactions, and then he has an ip running a bitcoin client who (potentially)
has a large wallet.

Then it's just a matter of running common exploits (or new ones, if you have
them) in order to access the machine and the bitcoin wallet.

~~~
Astrohacker
There's no way to know which IP address corresponds to which bitcoin address.

~~~
omarchowdhury
The point is that all of the IP addresses recorded in the network transactions
_are_ Bitcoin users.

~~~
Groxx
No, you can make a receiving address without _ever_ connecting to the network.
Current clients won't do so (that I'm aware of), but it's entirely possible.

The main reason though is that new addresses aren't broadcast. The only time
you know their location is when they send, and _only_ if you were watching
their traffic / the traffic of all nodes they sent to.

------
gravitronic
<http://blockexplorer.com/address/176LRX4WRWD5LWDMbhr94ptb2MW9varCZP>

That's the account record of the address that supposedly stole the huge amount
of bitcoin. The maximum balance I see it have is 400 blocks. Is it missing
from the record or is a bitcoin block larger than 1 BTC?

~~~
sp332
A BTC "block" is currently 50 BTC, I think.

------
sp332
This reminds me of the "come from" statement. COMEFROM is a long-running joke,
it's a flow control statement which is intentionally confusing. It works like
a GOTO but backwards. There is no indication in the area being jumped from
that flow control is about to go somewhere else in the program.
<https://secure.wikimedia.org/wikipedia/en/wiki/COMEFROM>

I think, when parts of your currency start to resemble any part of INTERCAL,
you have a big problem :-)

~~~
astrodust
People joke about the COMEFROM statement all the time, but isn't this what
observers do?

------
edw
This guy's experience reads like something out of a William Gibson novel. If
BTC takes off, I wouldn't be surprised if the world got several orders of
magnitude nastier, malware-wise. If the value of breaking into someone's
machine is not merely the computer's connectivity or, worse, information to
enable identity theft but _actual, untraceable value-holding currency_, you
know the incentive to compromise computers is going to skyrocket.

Are we prepared to live in that world?

~~~
wmf
What's the cyber-analog of those "driver carries no cash" signs?

~~~
edw
Funny. More seriously, this reminds me of the difference in deterrence value
between Lojack and The Club:

Lojack makes it little less likely that any particular car will get stolen but
increases the likelihood that a car thief will be caught.

The Club basically says, "Go steal someone else's car."

"Driver carries no cash" is well intentioned but says, "Go rob someone who
_does_ have cash." It has a local deterrent value perhaps, but is of limited
value as a deterrent from robbing people who drive delivery trucks.

All of this gets me wondering: does UPS still do COD? And if so, do they
accept _cash_?

------
StavrosK
The worst part of this is how irreversible it is. With a bank you might be
able to get it back, with cash nobody can just siphon the actual paper money
remotely, but with bitcoin you're out of luck.

~~~
imjustatechguy
Traceability in the real world banking institutions has its advantages. As a
business owner I once had a mistaken transaction that resulted in an
erroneous withdrawal of +10,000 from a business bank account. A phone call to
the bank and a bit of investigation fixed things and I don't think the bank
was out any money either, it was just a wrong account number issue.

With bitcoin, things are not at all reversible.

Also I expect bitcoin to be shut down because it could be a great way to fund
terrorist activities. (There are major federal investments in anti-money
laundering systems that monitor bank transactions, bitcoin transactions
operate outside of this system and thus will be suspect.)

~~~
jasongullickson
_Also I expect bitcoin to be shut down because it could be a great way to fund
terrorist activities._

So is cash :)

~~~
mbreese
It's pretty hard to move large quantities of cash around... it's pretty easy
to move a flash drive with a bitcoin wallet around.

------
lukejduncan
BitCoin has an analog in cash. Yes, it's anonymous but there are things you
simply don't do with it.

~~~
stipes
The design of BitCoin only includes very weak anonymity. A medium-to-large
scale network analysis could most likely break any anonymity people thought
they had.

~~~
stuhood
Adding Tor to the equation makes the system fully anonymous, assuming you
don't leak other information.

------
insulation
For a bunch of DIY hackers, I'm sort of surprised you guys are so willing to
hand your money and control over its security over to the government and
financial institutions. Then again, I was a computer security guy for the
government and online financial institutions, so I guess I'm comfortable with
my ability to protect my (very very small amount of) money, or I'm just more
cynical about them.

Western Union is irreversible, and would probably have been shut down if it
wasn't so well-established. Most other US payment systems are reversible,
which is why you have holds on getting the money out of those systems - they
want time to detect fraud and reverse the fraudulent transaction. This
requirement for reversibility seeps through the system, which makes anonymity
very difficult, and causes a lot of friction on anything that changes a
reversible payment into a non-reversible payment, since that's where you eat
the fraud. Now you know why it's hard to get cash equivalents out of the
system, especially to a remote party.

The point here is that once the money is in a non-reversible network, you can
accept a payment and know that it's good very very quickly. If you make
bitcoin reversible, you might as well just use one of the old payment systems,
where the money might disappear later (and you'll be out your privacy, goods,
cash and services), or you'll be paying transaction fees based on your charge-
back rates, and unable to charge more for the reversible payments than the
non-reversible ones due to contracts you have to sign to be part of the
payment network - and thus the non-reversible payers subsidize the reversible
payers. What a racket.

As we used to say, "there's no good guys in payment processing, only bad guys
and less-bad guys".

------
pnathan
Sounds to me like a BTC bank should be set up, with corresponding accounts.
Instead of 'you' holding all your BTC, your BANK holds most of your BTC in a
secured location, and you can make withdrawals to your account on demand.

Of course, this would effectively require an insurance corp also set up in
such a fashion that integrity of the bank could be configured.

/hmm... maybe I should do this!

------
cheez
Third sentence:

> If only the wallet file was encrypted on the HD.

Yep. Anyone who doesn't do this is stupid.

~~~
berberich
I haven't used Bitcoin, so this is an honest question - Why doesn't the
software encrypt the wallet automatically?

~~~
nickik
Bitcoin is a thesis of one guy. It's great in many ways, but in terms of
software design and engineering, at least the client sucks. If the author had
known it would be blowing up like this he would probably have built something
better.

It's open source and you can interact via JSON so it would be that hard to
build a good client that does this kind of stuff.

------
atakan_gurkan
It seems to me that Bitcoin requires an actual wallet. A physical device that
will store your "money", i.e., verifiable account info, the way a general purpose
computer is storing it now.

------
llimllib
Anybody have the text of the post available? The site's not working for me.

~~~
DrewHintz
I just got hacked - any help is welcome! allinvain June 13, 2011, 08:47:05 pm

Hi everyone. I am totally devastated today. I just woke up to see a very large
chunk of my bitcoin balance gone to the following address:

1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg

Transaction date: 6/13/2011 12:52 (EST)

I feel like killing myself now. This gets me so f'ing pissed off. If only the
wallet file was encrypted on the HD. I do feel like this is my fault somehow
for not moving that money to a separate non windows computer. I backed up my
wallet.dat file religiously and encrypted it but that does not do me much good
when someone or some trojan or something has direct access to my computer
somehow.

The transaction sent belongs rightfully to this address:
1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG

Block explorer is down so I cannot even see where the funds went.

I tried restoring an earlier backup of my wallet but naturally that does not
work because the transaction has already been validated.

Needless to say I feel like I have lost faith in bitcoin.

Anyone have any ideas what I can do besides just jump off a bridge?!

--------------- [snipping out posts that don't contribute much] ---------------

Re: I just got hacked - any help is welcome! June 13, 2011, 09:05:04 pm allinvain

First thing that I noticed is that my slush's pool account got hacked into and
someone changed the payout address to this:

15iUDqk6nLmav3B1xUHPQivDpfMruVsu9f

I then changed the password and proceeded to run some antivirus and anti
malware scans. Some stuff was found, but they were all cleaned up and they
were all in my windows user profile temp dir which I deleted all the temp
files. God I can't even type properly. Sorry folks I'm a bit emotional now.

I then left another virus scanner running and went to sleep. When I woke up I
checked my bitcoin wallet. I leave the client running to help the network, and I
notice -25,000 (and a transaction fee) gone.

Fuck, I really should've moved the coins to a vmware linux session I have
running. But the question is was it already too late? Could someone have had
access to my wallet.dat for a long time and now just decided to "cash out"?

------
pavel_lishin
Valued by who? Hasn't this been fluctuating like crazy lately?

~~~
chopsueyar
No. One exchange one day.

~~~
ctide
No? I'd say a high of $24 and a low of $16.10 over the last 48 hours most
assuredly qualifies as 'fluctuating like crazy.'

~~~
chopsueyar
Man, JCP is fluctuating like crazy.

------
Vitaly
someone should make a physical bitcoin wallet device.

------
mrvc
It's not really $500,000 though is it? As soon as you exchange a small amount
of that into dollars you crash the exchange and the value drops significantly.
I'd estimate it at about $30,000 worth.

~~~
roel_v
Can you elaborate on how you came to the discount factor you used?

~~~
csomar
He means that there isn't enough people to cash with the current rate. That is
$500K.

~~~
roel_v
Yes, I realize that, I'm just wondering how he came to 30k.

------
shareme
ahem, read up on European history..

The Merchant trade in Europe came up with three valued things:

1. Corporations
2. Insurance
3. Banks

Those three items are related to one another. While it's true that due to the
anonymous nature BitCoin is biased towards illegal mafia-like formation of
banks and such for illegal activities, as soon as legal activities start using
them as trade, banks, insurance, etc. will form as a natural evolution.

------
recoiledsnake
Maybe there's value in creating a BitCoin bank that will hold money for
people, just like real banks?

~~~
jaysonelliot
Mt. Gox and Bitcoin Market already do that.

~~~
nkohari
They're just exchanges though -- they don't offer incentives (e.g. interest)
for depositing.

~~~
abofh
Since you can't manufacture bitcoins, I think guaranteeing interest would be
difficult at best

------
AlexV
This is why we can't have nice things.

------
joeyh
IMHO the shadiest side of the bitcoin daemon is that it discovers peers by
connecting to an irc channel. Just like a typical virus botnet handles command
and control. Connecting these two uses of IRC is pretty obvious, and then you
get a virus that attacks windows machines running bitcoin and steals wallets.

~~~
cheez
What... That's like saying the shadiest part of the BTC daemon is that it uses
computers because botnets use computers.

