

More than $215,000 stolen from Bitcoinica in Linode incident - redegg
https://bitcointalk.org/index.php?topic=66979.0

======
JoachimSchipper
Ah, Bitcoin. Security amateur hour. Again.

Seriously, trusting ~$200 000 to the security of a general-purpose VPS
provider? With no failsafes of any kind? Ever notice how real banks don't do
that? Even if you don't want to build your own data center, you could _at
least_ chat with <http://www.thebunker.net/colocation/> or another properly-
paranoid data center.

At least _these_ guys didn't leave _all_ their Bitcoins on this machine...

~~~
peteretep
> Ever notice how real banks don't do that

<https://news.ycombinator.com/item?id=3656063>

------
joeyh
So they looked for connections to the IRC channel bitcoin uses to find Linode
IPs (or portscanned Linode, but why bother when every bitcoin daemon hangs
out advertising its IP on IRC?).

And they stole from at least 3 systems. One had $5; one $15 thousand, and one
had nearly a quarter million dollars. Which makes me curious why they bothered
with the $5 account at all. It's like robbing a bank, and stopping to smash a
gumball machine in the lobby on your way in or out.

My guess is that the attackers have a fully automated exploit payload that
transfers the bitcoin out. And ran it on every system they could get on,
indiscriminately. So this is not a one-off. I'd be very cautious about running
the bitcoin daemon, at least without setting noirc=1 in its configuration.

~~~
kiba
My guess is that the attacker doesn't know how many bitcoins were stored on the
targets.

~~~
joeyh
The alternative is that they knew Bitcoinica was hosted on Linode, and when
this customer service exploit became available for purchase on the 0day market
(or whatever), they went in explicitly targeting Bitcoinica, but not knowing
which IPs on Linode belonged to it. It's not clear if Bitcoinica separated its
web server VM from its bitcoin VM, and if the attackers didn't know, it'd be
best to target all the IPs.

~~~
kylebrown
Bitcoinica's web server is hosted on Rackspace (through Heroku). They would
likely have been able to determine that Bitcoinica's bitcoin daemon was hosted
separately on Linode, by watching the IP addresses broadcasting withdrawal
transactions. It is likely that Bitcoinica was the target in breaching Linode.

------
matdwyer
I'm not trying to troll here at all, but if "$215,000" worth of bitcoins are
stolen, do the authorities investigate as they would $215,000 worth of cash?

Are there task forces that recognize this? Or is it just the Wild West?

~~~
rmc
Unlikely. It's worth $215k on some open markets. But that's highly variable,
so it's not obvious that it's actually worth that amount of USD.

And yes, it is like the Wild West. That's part of the point of Bitcoin: there
are no chargebacks, and no-one can freeze your account. Once the money moves,
the money moves. This has disadvantages if you are the victim of a theft (like
this), and your bitcoins are essentially gone.

------
MCompeau
I feel incidents like these raise an interesting question about the long-term
credibility of any cryptocurrency system. For instance, if a traditional
nation state felt its monetary system was threatened by a cryptocurrency,
could they employ an organization such as the NSA to attempt to undermine the
credibility of the cryptocurrency in this way? I know it's a very speculative
proposition, but it makes one wonder if even in a geographically agnostic realm
like the internet the force of a nation state is required to maintain
credibility/stability for a new money system.

~~~
Jach
Much larger thefts than this in USD happen pretty frequently; you just don't
hear about them that much. I don't know how the government could guarantee any
credibility (Edit: beyond already existing measures; this was theft, so if the
thief is caught there is punishment available, and if Linode was negligent they
might also be liable)--the stability is inherent in the network. All the BTC
thefts have been due to improper security measures taken by the owner(s) and in
some cases a misplaced trust in the security of others. Anyone or any group with
over 1000 BTC in one place should be taking way more security precautions than
these guys.

------
dmoy
I am not well-versed in the technical details behind bitcoins, but does the
nature of bitcoins make them vastly easier to track than normal currency? E.g.
if the attackers try to cash out or transfer the stolen bitcoins, is it much
easier to flag them?

~~~
joeyh
Where the money goes is all publicly available, yes. But it can be split up
and fed through any number of accounts (you can make as many accounts as you
like) to try to launder it. Also, does Silk Road care where the bitcoin being
used to buy drugs came from?

~~~
kiba
I believe Silk Road is operated by actual agorists, or market anarchists to be
more general. If that is true, even they would care about where the money
comes from, especially if it is stolen money.

------
teyc
$215,000 is bigger than the size of an average bank robbery ($5,000). Source:
<http://www2.fbi.gov/ucr/cius_02/html/web/specialreport/05-SRbankrobbery.html>

This reminds me of a tangentially related incident where government servers
were physically stolen by people dressed up as technicians. Even if you co-lo
a dedicated server, if you store enough coins there, it becomes an attractive
target for an attacker with some inside help.

~~~
nextparadigms
This is not an average Bitcoin "robbery" either.

------
woodall
Aside from all the issues that plague bitcoin, what would be a more secure way
of 'touching' the wallet.dat file?

Keep in mind that:

1) IO is expensive

2) the file will not be encrypted

3) the file will/should not be hosted on the same machine

4) the file will be accessed in excess of 1,000,000 times a day; maybe more.

The only thing I can think to do is do all the transactions with imaginary
bitcoins until the end of the day then, at night, push all the transfers;
almost like banks do.

~~~
maxerickson
It seems like it would be feasible to split the coins across wallets, with
more hassle surrounding the wallet with most of the coins.

I can't think of any huge disadvantage to manually managing the float on the
transaction server.
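A sketch of the float-management scheme the two posts above describe (an internal ledger that settles withdrawals in an end-of-day batch, with a bounded hot-wallet float and the bulk of the coins in a cold wallet handled manually). This is an added illustration, not code from anyone in the thread or from Bitcoinica; the class, balances and limits are all constructed.

```python
from collections import defaultdict
from decimal import Decimal


class FloatLedger:
    """Off-chain internal ledger (constructed example): the hot wallet on the
    transaction server holds a bounded float; the rest sits in cold storage."""

    def __init__(self, hot_float, cold_balance, float_limit):
        self.hot = Decimal(hot_float)            # coins on the exposed server
        self.cold = Decimal(cold_balance)        # coins kept offline
        self.float_limit = Decimal(float_limit)  # most the hot wallet may hold
        self.balances = defaultdict(Decimal)     # user -> internal balance
        self.pending = []                        # withdrawals queued for settlement

    def deposit(self, user, amount):
        amount = Decimal(amount)
        self.balances[user] += amount
        self.hot += amount
        # Sweep the excess to cold storage: a hot-wallet compromise loses at most the float.
        if self.hot > self.float_limit:
            excess = self.hot - self.float_limit
            self.hot -= excess
            self.cold += excess
        return self.balances[user]

    def transfer(self, src, dst, amount):
        # Internal trades only move ledger entries: no wallet I/O at all.
        amount = Decimal(amount)
        if self.balances[src] < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] += amount

    def request_withdrawal(self, user, amount):
        amount = Decimal(amount)
        if self.balances[user] < amount:
            raise ValueError("insufficient balance")
        self.balances[user] -= amount
        self.pending.append((user, amount))

    def settle(self):
        # End-of-day batch paid from the hot float. A batch the float cannot cover is
        # held back and the shortfall reported for a manual top-up; cold is never drained automatically.
        total = sum((a for _, a in self.pending), Decimal(0))
        if total > self.hot:
            return {"paid": [], "shortfall": total - self.hot}
        paid, self.pending = self.pending, []
        self.hot -= total
        return {"paid": paid, "shortfall": Decimal(0)}
```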

------
sharth
So I've a question about situations like this. I believe that a chain of
transfers can be created with bitcoin. So couldn't a blacklist be created?
That would allow users to ignore illegally obtained coins?

~~~
rmc
In theory yes, in practice no. There is nothing in the bitcoin design to allow
this. The only real way to do it is to fork bitcoin and to get everyone to
change to your new rolled-back block chain. Not everyone will agree (since
coordinating all these people to change at about the same time is hard), and
hence you'll have 2 different versions of bitcoin.

This also removes features of bitcoin that some view as advantages, namely
that there are no chargebacks and no-one can forcibly remove your funds. In
bitcoin, once you have it, no-one can take it from you (unlike, say, PayPal).
This has disadvantages if you're the victim of a theft. Bitcoin is also a
decentralised system, so you'd have to convince everyone that you are the
victim of a theft, and that these transactions are to be rolled back.
Otherwise someone could pay for a service in bitcoins, then try to get everyone
to roll back the transaction, and hence deprive someone of the bitcoins.

------
Steko
No dollars were actually stolen. Dollars are a real currency, the kind you can
put in real banks so this kind of thing never happens to you.

~~~
27182818284
I see what you're doing, you're being purposefully condescending. You aren't
dumb enough to actually believe that something people trade for real dollars
has absolutely no value. Whether you like it or not, people do use Bitcoins
and a value can be assigned the same way a super model's legs can be insured
for a value. Deal with it.

~~~
nhebb
Yes, he's egging the crowd on, but his comment did make me wonder what the
legal ramifications of someone stealing bitcoins are. If one of the account
holders tried to take Linode to court, do you think a US court would even
acknowledge the value of a digital currency?

~~~
DanBC
China doesn't acknowledge virtual theft, which caused some problems here:

(<http://news.bbc.co.uk/1/hi/technology/4072704.stm>)

But a later case said that virtual property should be protected by law:

(<http://news.xinhuanet.com/english/2009-05/24/content_11427265.htm>)

Dutch authorities arrested someone for virtual theft:

(<http://news.bbc.co.uk/1/hi/7094764.stm>)

Here's another Dutch case, involving real world violence, which went to their
supreme court:

(<http://madisonian.net/2012/02/01/dutch-supreme-court-decides-virtual-theft-case/>)

That last one mentions a US case about domain names.

I'd be really interested to hear from previous US court cases, or from
lawyers, about this.

~~~
rmc
A lot of companies that deal in 'virtual goods', e.g. World of Warcraft, don't
like the idea that the bits are property, because then it's hard for them to
take the bits away from people (say for cheating), or if they want to shut
down the servers etc.

------
DiabloD3
I wish people would quit using Linode. They have a track record of having
security issues, they are not PCI compliant; and unless they replace every
single last BTC, I am going to just go ahead and state they never did care
about their customers.

I can only hope the attacker spends the BTC instead of burning them:
burning would do far more damage to Bitcoin than just stealing them.

~~~
tylermenezes
> they are not PCI compliant

They're a VPS host. I mean, cats aren't PCI compliant either, but it doesn't
say much.

You shouldn't be using a VPS for this sort of thing for many reasons, mind
you.

~~~
ceejayoz
It is possible for a VPS host to become PCI compliant. Amazon EC2 is, for
example.

