
Australian bitcoin site hacked, $1 million in virtual currency stolen - apapli
http://www.abc.net.au/news/2013-11-08/bitcoin-site-hacked-founder-says/5078148
======
knodi
More like he may have stolen the BTCs himself. A lot of his security claims
were false and he failed to disclose the hack after it happened for almost a
week, but during this week he still allowed people to transfer BTCs into
inputs.io.

[http://www.reddit.com/r/Bitcoin/comments/1q3rpp/tradefortres...](http://www.reddit.com/r/Bitcoin/comments/1q3rpp/tradefortress_stole_30_of_my_btc/)

------
adamconroy
Call me a luddite if you like, and I will probably be left behind in work and
life, but I really can't shake the feeling that Bitcoin is an unworkable bad
idea. Taking into account the risks of theft, the risk of government
legislation, the risk of the system being gamed, the risk of wild fluctuations
in value without rhyme or reason....

~~~
mrb
Let's address your fears.

"risks of theft": cash is also at high risk of theft, yet cash works alright
in the real world. So why not Bitcoin? Web wallets need to develop excellent
security procedures, like banks, and the best ones have done so: MtGox,
Coinbase, etc.

"risk of government legislation": so far governments have been welcoming to
Bitcoin. A US Federal Judge has ruled Bitcoin is real money [1]. The US
Treasury Department FinCEN said Bitcoin "hold great promise" to the US
economy [2]. The German financial regulatory agency, BaFin, has officially
classified Bitcoin as a commodity. Australia said they would investigate
Bitcoin thefts with the same thoroughness as cash thefts. China is tacitly
approving Bitcoin as government-controlled China Central Television is
increasing its coverage of Bitcoin, with a surprisingly positive tone(!).
Canada is very Bitcoin-friendly (hence the first ATM located there). Etc. And
keep in mind it only takes a handful of countries to be friendly to Bitcoin
for it to have a safe base to rely on. It is highly unlikely that ALL the
countries in the world will ALL be hostile toward Bitcoin.

"risk of the system being gamed": there is no such risk. That's the one thing
about Bitcoin you can trust: the protocol is ruled by cryptography and
algorithms. It has been reviewed by many security experts. There is no known
way to "game" the system. Some theoretical attacks exist but are never
practical (e.g. require investing half a billion dollars in mining hardware!).

"risk of wild fluctuations": true. But in the long term, as trading volume
increases, volatility will reduce.

[1] [http://www.forbes.com/sites/kashmirhill/2013/08/07/federal-j...](http://www.forbes.com/sites/kashmirhill/2013/08/07/federal-judge-rules-bitcoin-is-real-money/)

[2] [http://www.fincen.gov/news_room/speech/pdf/20130613.pdf](http://www.fincen.gov/news_room/speech/pdf/20130613.pdf)

~~~
andrewfong
> risk of theft

There are key distinctions between cash and Bitcoin theft: Physically robbing
large amounts of cash is really hard. Most people don't carry suitcases full
of money, and bank robbers usually end up in jail or worse.

Electronic theft is difficult as well. If a bank believes a wire transaction
was fraudulent, it can reverse it. And because bank accounts are generally not
anonymous, fraud detection is a lot easier. By contrast, Bitcoin nodes can't
undo a cryptographically valid transaction if evidence later shows it was
fraudulent.

In addition, most bank deposits are insured up to a point by the government.
Granted, you could privately insure Bitcoin deposits, but it's difficult to
get the same scale of insurance that the Fed offers. Maybe at some point, but
I'm not sure there's enough data points yet for an actuary to comfortably
estimate the risks here. In addition, because insurance requires scale, the
market for bitcoin insurance would probably consolidate into a small number of
players very quickly, which raises the question of what happens if one of them
collapses AIG-style.

~~~
gnerd
In BitCoin I do believe the irreversible nature of transactions is seen as a
feature, not a flaw. My bank has fraud protection but if I use my debit card
and the transaction goes through, it is very unlikely I will ever see those
funds again.

Also important to note, the Fed doesn't protect your value or purchasing
power, they just insure (to a degree) the balance, but they also have the
power to erode purchasing power at will.

~~~
russgray
"My bank has fraud protection but if I use my debit card and the transaction
goes through, it is very unlikely I will ever see those funds again"

Why would you think that? My wife had a couple of fraudulent transactions on
her debit card earlier this year, and they were refunded the same day we
reported them.

~~~
sanskritabelt
The maximum liability for a credit card user is $50 but is (potentially)
unlimited for a debit card user. Depending on when it was reported, your bank
might not have been obliged to make the refunds.

See: [http://www.consumer.ftc.gov/articles/0213-lost-or-stolen-cre...](http://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards)
and [http://www.consumer.ftc.gov/articles/0093-credit-card-loss-p...](http://www.consumer.ftc.gov/articles/0093-credit-card-loss-protection)

I see bitcoin advocates talking up the fact that chargebacks are impossible,
which doesn't make me feel safe about it at all.

------
nwh
Seems to be an issue of his age there. He claims to be much older on
Bitcointalk. He owns a $750k house and previously rented a $500/week apartment
too, so I highly doubt he is truly 18.

~~~
maxden
Why do you question his age, but apparently accept that he owns a $750k house
etc? Not being snarky, but has he provided evidence etc?

I'm not sure how the ABC got to talk to him but he sounds young on the radio
interview, for what it's worth.

~~~
nwh
It wasn't given by him, other users have done their jobs tracking down
information about this person -
[https://bitcointalk.org/index.php?topic=326914](https://bitcointalk.org/index.php?topic=326914)

Seems credible enough to be real in my eyes.

------
VexXtreme
Incidents like this are good. They will teach idiots not to trust "online
wallets". Why on earth would you entrust a 3rd party service with your coins
when you can keep your private key safe on your own and never have to worry
about this?

When will people finally learn that since Bitcoin is decentralized by nature,
that there is no need to re-invent these online "banks" to store coins?

Serves them right.

~~~
asperous
Well you're making the assumption that people can protect their wallets better
than a bank.

I hope I'm not making a crazy statement to say that people in general aren't
that great at security. Unless you have the wisdom to keep your wallets
offline or secured with a password longer than 20+ (or whatever) characters,
it's only a matter of time before a worm or virus gathers up hundreds of
insecure wallets.

Secondly, there's nothing intrinsically wrong with banks. Banks help the
supply of money and keep economies going through investment. Banks can build
green addresses for instant purchases which Bitcoin needs to be successful.

Bitcoin wasn't designed to get rid of banks. Bitcoin was designed to give
banks and people a common way of transferring money without expensive
accounting auditing, secret protocols, and government centralization.

~~~
andrewfong
In addition to worms and viruses, consider the risk of good old fashioned data
loss. Everyone knows they should back up their hard-drive but many (if not
most) users do a piss-poor job of it. Storing your bitcoins online somewhere
increases the risk they'll be compromised by an online attacker, but it
reduces the risk that you'll lose everything in a fire.

~~~
hackerboos
I keep my wallet.dat in Dropbox. It's versioned and they have 2 factor
authentication. I also trust their security more (they have a dedicated
security team:
[https://www.dropbox.com/help/27/en](https://www.dropbox.com/help/27/en)) than
some John Doe on a Bitcoin forum.

Just use online wallets as your hot wallet and keep most of your coins offline.

~~~
makomk
People who've kept their wallets in Dropbox have found them mysteriously
emptied in the past, from what I recall.

~~~
Fuxy
I would argue your wallet.dat shouldn't be accessible from the internet all the
time to begin with; just put it on an old USB stick that you can store in a safe
place.

If you're worried it can disappear in a fire you can always make a copy of it
put it on another USB stick and give it to your grandma or other trusted
person.

If you are paranoid you can always just encrypt the file before saving it on
the USB stick.

Treating them like the keys to your house should offer more security than any
bank can give you. For one thing it makes it less profitable for any thief to
target you.

There's only 1 problem with this. You should always check the computer you're
about to load your wallet file into for malicious software.

Although I would argue a live CD with a Linux distro would probably be the
best choice in this case. Quickly transfer some funds to your regular use
account if you need while keeping the bulk of your funds in a safe place.

------
sanskritabelt
Say what you like about 'fiat money' and 'taxation is theft' and big gov't and
etcetcetc but if somebody robs my bank it doesn't cost me anything directly.

~~~
mrb
Same with Bitcoin.

When Bitcoin exchange MtGox was hacked on June 19, 2011, the attacker stole
2000 coins (worth $0.6 million today), but MtGox covered the losses with their
own funds. Customers lost nothing.

Large, reputable, mature businesses will cover losses for you, no matter if it
is USD or BTC.

~~~
stephenr
Banks have some kind of regulation (even in the financial wild west that is
the USA), and deposit insurance covers their customers against theft.

This jackass has said he isn’t likely to even report the theft to police.

That another bit coin exchange was able to cover the losses from a theft out
of its own pocket is more likely good luck than good planning.

~~~
mrb
"Good luck"?? No that's planning. Read about some of the security mechanisms
that reputable exchanges put in place:
[http://blog.coinbase.com/post/33197656699/coinbase-now-stori...](http://blog.coinbase.com/post/33197656699/coinbase-now-storing-87-of-customer-funds-offline)

------
gnerd
It seems to me the gold analogy is more applicable when storing BTC than the
cash one. I might be OK storing my gold with _some_ institutions, especially
ones with a proven track record and insurance policy, but other than those few
institutions, I'd probably opt for a fire proof safe (a safe rated to protect
the amount of money stored).

If one were to use BTC to store vast sums of money, you can store your BTC
with a traditional bank. Simply generate a wallet offline on new hardware with
a relatively secure USB bootable OS, write the keys down on a piece of old
fashioned paper (use carbon paper and store the copy, destroying the original)
and cover with some sort of tamper proof seal. Lock inside a lead box and then
put it in a safety deposit box.

~~~
davidsong
Please excuse my ignorance, but why would you use carbon paper and store the
copy rather than the original?

~~~
gnerd
Paranoid overkill really. Suppose you didn't have access to a locked lead box
and stored your extremely large sum in an envelope, you would feel silly in 10
years when you realized someone was able to steam the envelope and use the
raised letters from the pressure when writing to reveal the key without
removing the tamper proof seal.

There are better, more modern methods of applying a seal or printing but it
increases the attack surface so for the truly paranoid, they should probably
be avoided (unless using something like Shamir's Secret Sharing algorithm).

------
dredwerker
Makes you think though. Set up a site, take the lot, blame it on a robbery ==
Millionaire.

------
nl
In some kind of _very_ weird way, these incidents give me more confidence in
bitcoin-the-currency.

There are so many attacks on "bitcoin infrastructure" it is pretty clear that
it is seen as a target by criminals (of various degrees of skill).

And yet there is no evidence of any critical break in bitcoin itself. They
still haven't worked out how to print money.

I'm still a bitcoin cynic, but I'm slowly gaining confidence in it as a store
of value.

Like I said: Weird.

------
i_am_dead
This kid is 18? And people trusted a million dollars in untraceable money to
him?

~~~
selmnoo
Zhou Tong was 17 when his Bitcoin project was hacked (this is the thread
where he announced the project, and it was astutely pointed out (concernedly, not
mockingly) that he was destined for spectacular failure:
[https://news.ycombinator.com/item?id=2973301](https://news.ycombinator.com/item?id=2973301)
).

I really don't know why we keep trusting very young individuals on things that
require implementation of _really_ good security. This is one of the places
where ageism probably /should/ exist in some ways -- but the other way around
from how we know it, because experience is one of the things that is really
important here.

~~~
freehunter
Age isn't the only factor in experience, though. Reputation and _relevant_
experience is the key. There are people I would trust at 35 (for 15 years of
experience) where I wouldn't trust someone at 45 (for 3 years of experience).

And then remember, John McAfee started McAfee in 1987 and left in 1994. He's
68 years old and I wouldn't trust him to tie my shoes.

------
josephagoss
> "And the more of it that is out there, the more thieves will be drawn to it."

Bitcoin will eventually be the de facto valuable item to steal, however I see
the community is in its early days and perhaps Bitcoin will lead to even safer
computing as our operating systems will need to be more secure.

There's a lot of things we can learn.

~~~
Phlarp
A while back PG asked "what motive could a government actor have to create
bitcoin?"

Could the long game answer be "To teach the masses of idiot developers basic
info security"? If you take a step back the whole thing is a pretty neat
experiment in punishing poor security practices.

As a soon to graduate computer science graduate, learning the ins and outs
of bitcoin in the hope of making money has taught me way more about
application security and the underlying crypto than four years of state
schooling did.

------
Mustafabei
Guys help me here. It seems that I don't understand and maybe don't really
know how bitcoin works. How can it be stolen? A change in the logs? A pseudo-
transaction?

~~~
A1kmm
If you know the private key for a wallet, you can transfer all the coins out
to another wallet (i.e. make a real transaction).

Anyone holding BitCoins for someone else should protect the private key for
the wallets holding the coins strongly - for example, by moving most coins to
a 'cold wallet' where the private key is kept on an airgapped computer
encrypted with a long secure password, and only occasionally accessed when the
hot wallet runs out of funds, and protecting the computer with the hot wallet
strongly as well (with multiple layers of defense and controls to detect and
stop activity that might represent an attack).

