Hacker News new | past | comments | ask | show | jobs | submit login
Inputs.io hacked – 4100 BTC stolen (inputs.io)
161 points by citricsquid on Nov 7, 2013 | hide | past | web | favorite | 180 comments



"No regulations" sounds great up until the moment when the bank gets robbed, the police don't care, and the only proof that it wasn't an inside job is a screenshot of the banker's email[1]. (Not that I think that it was an inside job. I just think this whole situation is kinda funny.)

https://bitcointalk.org/index.php?topic=283756.msg3505394#ms...


If the owner is either incapable or unwilling to refund everybody's money then it doesn't even matter whether it was an inside job or not. It's pretty telling that he's posting a screenshot that essentially says nothing instead of being open about whether or not he'll be able to fully reimburse the people who lost money. I don't think it was explicitly stated, but it seems like people are just getting whatever percentage of the remaining funds that they owned.


If that guy did not have some kind of insurance like banks do, how can he refund anyone? ( that's a question ).

And would insurances insure this kind of business ? Now are bitcoin wallets banks ? and are they subject to the same regulations ?

Is that guy a US citizen ? can he be sued by his clients ?


> If that guy did not have some kind of insurance like banks do, how can he refund anyone?

Bitcoin is a relatively new thing, would not be surprised to start seeing bitcoin insurance for these types of services.

> Is that guy a US citizen ? can he be sued by his clients ?

I think it would depend if his clients have contracts, otherwise its a caveat emptor deal, especially when dealing with bitcoin.


There was actually a Bitcoin "insurance" provider for a while. Like everything else in the Bitcoin economy, it was entirely unregulated, basically a scam, and ran with everyone's money.


Normal bank insurance is done by the central bank, which can lend unlimited money to cover this kind of hole.

(A large part of the Euro crisis was the Euro central bank refusing to backstop banks itself, delegating that to national central banks which can't print money and can therefore run out themselves)


I read that he's an Australian citizen. But I'm not sure if anyone asked for his real identity (before trusting him with $1mm worth of bitcoin)


I would add "Must he refund anything at all by contract/policies?"


These coins were stored on a VPS? On Linode? All it took to steal 1 million USD was to hack an email account?

Insanity.


This needs to be upvoted more. How can someone have a hosting provider whilst claiming to be the most secure BANK out there?

This should have been pointed out long ago. It's a terrible thing that people get away with this. Arrogant developers who think they can do without sysadmin skills when building crucial software.


> This should have been pointed out long ago.

It was. The creator smugly relied that it wasn't going to be an issue.


BitCoin is security amateur hour. That's why the BitCoin protocol and client hasn't been attacked too much. It's just easier to hack some exchange.


4100 BTC = 1.1 mil USD at current prices. These Bitcoins were stolen from website's "hot wallet" (every shared wallet has to operate one to process current withdrawals). This hot wallet was probably too hot though, as it seems that they had most of their coins online, and only about one third offline (other services claim to store 80-90% offline). According to postings on Bitcointalk.org forums people are getting back partial refunds. One person claimed to receive 37% of his balance back [1].

UPDATE: Correction - according to [4] it seems that almost all funds were stoled in the hot wallet, and the hacker was "nice" enough to not steal it all at once, presumably to stay undetected and come back for more. I'm not sure if I buy this argument though.

Also, according to the owners the hack occurred on 26th October [2]. It may be possible that if you deposited funds after that date you will receive full refund, as they should still be on their wallets. Unless hackers took that too.

UPDATE: Also according to [4] the funds that were being deposited after 26th were being withdrawn at the same time by other users. So they're as gone as the ones from before 26th. You will be refunded in full only if you deposited very recently.

This whole situation (and a bunch of previous ones) is also why at Bitalo [3], we are developing an exchange which will not have this problem, as we use multi-signature addressees to store the coins. This means that you need two signatures to spend funds - one from us, and second one from the user. We also never transmit users password over the wire, as we use SRP protocol for authentication.

In unrelated news, China just passed 1800 CNY per BTC :). I wonder how's the security status of chinese exchanges/wallets. Unfortunately I don't know the language, so can't test that.

[1] https://bitcointalk.org/index.php?topic=248803.msg3505884#ms...

[2] https://bitcointalk.org/index.php?topic=248803.msg3505966#ms...

[3] http://bitalo.com (in private beta, drop a message to martin@bitalo.com to receive an invite)

[4] https://bitcointalk.org/index.php?topic=248803.msg3506034#ms...


I see what you did there[3] ;-)

Also, it's a shame that this kind of breach happens, but it seems like it's been a while since a "$COMPANY hacked X BTC stolen" headline was out there[1]. There seem to have been more of those in the past and they appear with less frequency, which is a good thing, I guess.

[1] Silk Road doesn't count toward this recollection, since it falls under the "Bitcoin $COMPANY busted by the feds" headline, which will probably happen more often in the future.


It's probably because the market for such services is slowly saturating. Entry bar is quite high, and people are not willing to use newly released services as much anymore, as it was before. So yeah, it's good that the rate is decreasing, but unless we remove the source of this (i.e. move away from "hosted Bitcoin wallets" scheme) this will still happen in the future.


You're right. I think the last few big online wallet breaches were Instawallet, and MyBitcoin.

For anyone who wants to get their missing BTC out of inputs.io (who doesn't), I've written a blog post here: http://bitcoinreviewer.com/inputs-io-hacked-refund/


i m ok with the feds stamping out crime. But i m not ok with the feds stamping out something which also has use outside of crimes. I sincerely hope bitcoin transactions aren't associated with crime, so that its popularity can grow more mainstream.


If you have read the whole story of Silk Road they didn't busted them for bitcoins but for drug trading. And they explicitly stated there were legitimate uses.

From what I have read the current Fed stance is - if you think BitCoin is money, we are ok with that as long as you comply with all regulations.


> I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement.

Um....I don't see how anyone is okay with this answer.


Because bitcoin! Way of the future man!

No thanks, I'll stick with insured deposits. Imagine if your bank called you up and said "Your money is gone, but we're reeeeeally sorry."


Actually this happened in Cyprus very recently...


When you're hacked, I hope someone posts a self-serving expose here.


Interesting I had missed where he claimed the hack occurred 10-26. Because he pointed[1] to this transaction https://blockchain.info/tx/9536feebe3a50b94f85ca27d56e669a72... as the blockchain evidence. That transaction was on 10-23

[1] https://bitcointalk.org/index.php?topic=248803.msg3509247#ms...


What sort of server is Bitalo hosted on?


[deleted]


Meh, he provided a bunch of useful and relevant info, and subtly (but not misleadingly) plugged his business. I don't mind.


I wish the [Deleted] thing didn't blend in so well with the post above. Always ends up confusing me for a second.


What's wrong with posting an alternative solution to the problem? If someone else developed this kind of service, I would post it here instead, because I'm in Bitcoin from 2011 and I believe it will succeed. Unfortunately no one to date did this yet, that's why we come in.


This was a long time coming. The owner of the site's first posts on the forum was offering blackhat SEO and forum spamming services. Anybody who looked into the background of the creator could see that.

https://bitcointalk.org/index.php?topic=111563.msg1208770#ms...


I had hundreds of Bitcoin on Coinlenders up until very recently when they switched to a "demo" legal-workaround that was legally terrible and childish.

Coinlenders is a sister site to Inputs that share the same wallets. Coinlenders funds are being re-distributed to Inputs wallets. I obviously made a good decision to leave Coinlenders when I did as Coinlenders users are going to get perhaps 40% of their invested amounts back.

What really should happen is the owner (Tradefortress on BitcoinTalk) Should use his own massive stash of Bitcoins to compensate all his users.


I don't know, $1.1M is a lot of money. If someone stole a million dollars from my company, I don't know if I'd be rushing to reimburse it with personal funds (assuming I even could), however bad I felt for the users.

That said, if I recall correctly, one case where the corporate veil can potentially be pierced in a lawsuit is negligence. IANAL, but maybe users would have a legitimate case against personal funds, assuming keeping a large percentage of deposits online was found to be negligent. It'd obviously be an incredibly complicated and expensive class action suit if it were to happen though. Also it would probably mean trying to bankrupt a guy who just got hacked and lost his company...


And there you have it... if you were registered with a regulator you would have insurance and have had put up a multimillion dollar bond in some cases for a scenario were YOU screw up.


Well, the site owner apparently promised to reimburse any deposit losses with his own funds back when he was trying to convince people to deposit money on the site: https://bitcointalk.org/index.php?topic=283756.msg3505423#ms...


Ah, that's a bit different then. Thanks.



Is there anything to stop the community from creating a database of known-stolen Bitcoins which participants can choose to reject? I guess all it takes is one non-participating exchange, but it seems like you could make it much less convenient to cash out.


Many members of the community have reacted quite loudly and negatively to the suggestion that a central authority should be able to declare certain bitcoins tainted. This effectively introduces an external-to-the-blockchain way to essentially remove their bitcoins from their control, which they (currently) believe is impossible in bitcoin, and which they believe would devalue their bitcoins if it were known to be possible.


I gather that it would be straightforward for individual bitcoin users to refuse to handle known-stolen bitcoins.

Perhaps this is illegal already - under local handling of stolen goods laws. People would likely be inclined to take up this policy were there a single case of legal enforcement.

I believe this would lead to a stable situation where those known-stolen bitcoins were worth far less than regular bitcoins.

The present loud reaction would become irrelevant. What's more, I believe it would benefit bitcoin to remove some of the danger of (irreversible) theft.


I wonder if this is a problem that could be solved with an evolution of the technology. Meaning bitcoin (or a future crypto-currency) policing itself in a distributed manner, without requiring a central authority. Perhaps some way to hold referendums as to whether specific coins should be considered stolen. And if passed, some predetermined resolution mechanism would come into play, whereby the stolen coins would no longer be valid anywhere, and new coins would become available - either returned to the theft victim, or added to the mining pool, or something.


Well, one attack that I can come up with immediately is to just create a new wallet, transfer the bitcoins from the flagged wallet, then cash out from the new wallet. Your obvious retort would then be "Aha! But how about we just track any transactions from the flagged wallet and flag those wallets too!", sure, but then you open up for an alternative attack where you could get your wallet flagged and then send a minimal amount of bitcoins to some prominent wallet to have it automatically flagged (say the hot wallet of a major exchange), extortion anyone? To solve this we would need whitelists and the arms race goes on and on...


You can track the individual transactions. So if I have some tainted coins and I really do not like you. I know your main wallet and transfer 1$ worth of tainted coins to you. You can just transfer the tainted coins out of the wallet and that is it - the rest of the coins in your wallet are perfectly fine.

That said, tainting is not a path we want to go down. The potential for abuse is enormous, and rendering more and more coins useless.


Except bitcoins are completely fungible. Once the bitcoin is transferred in the wallet, you can no longer make any difference with the other bitcoins in the wallet ; it has no distinct identity anymore.

Think transaction into a bank account : you cannot separate the money that was transfered in from what was already there.

We can taint accounts, but not individual coins.


You know exactly what input transactions contains tainted coins, so you know the amount, and thus how many untainted coins there are.


But when you transfer BTC out, even if it's in the exact amount of the tainted coins transferred in, how do you decide whether the outgoing coins represent the tainted ones or the untainted ones?

Say there's a 50 BTC untainted wallet, and tainted 1 BTC is transferred in, then 1 BTC is transferred out. How do you decide whether that outgoing 1 BTC was drawn on the tainted portion or the untainted portion of the account?


Always regards the last bitcoins as the tainted ones. Local wallets could simply treat tainted bitcoins as not existing, thus removing that annoyance too.


The FBI would probably come knocking with a warrant demanding that all Bitcoins that has passed thru Silk Road should be added to the list, because thus founds comes from illegal activities.


But they can always just run them through mixing services.


I have better question:

If all transactions are public, in theory you could trace user, who has your bitcoin now. Than you could sue him to get your stolen stuff back.


Is it clear that you have any kind of legal property when you "own" a bitcoin? I mean, it's just some numbers in a distributed database (and not one with legal backing the way the banking system has).


So I have seen several of these stories pop up and I am still kind of confused by them. Are these hackers actually getting "real" money at some point? Are they able to cash out these bitcoins to USD or something else in a reasonable time-frame, or do they simply have a large amount of "fake" money that they can use for very specific goods and services?


They can certainly cash it out using a number of bitcoin to currency services. So the hacker has done the equivalent of stealing $1mil out of a bank, except a bank is very easy to trace while stealing BTC means the thief is home free.

  https://www.bitcoin.de/en?cr=1
  https://www.bitstamp.net/
  https://btc-e.com/
  https://www.bitfinex.com/
  https://localbitcoins.com/


BitCoins are difficult to anonymize. If you take your stolen coins directly to an exchange, the exchange would be able to identify you if law enforcement asked.


Well, you could use a site like this: https://localbitcoins.com/ but then again doing hundreds of these cash transactions in person seems like it would be stressful.


Seems to me that the most useful point of the LocalBitcoins service is to find traders willing to exchange via postal service. Face-to-face interaction seems like a bad move, especially since the money you're sending could be tracked to a "theft" and the service or trader might decide to snoop on you. And again, as the criminal complaint against Nod showed, using USPS is only safe if you act with sufficient randomness and change profiles. Otherwise they may detect a large pattern you generate.

It's also safer because it seems the government isn't likely to setup a major investigation for the case of BTC "theft".

(I say "theft" because it is possible, but unlikely, that the owner of the wallet transferred the money to someone intentionally, to pay them or something.)


They may very well hang onto them for a while, and in the event the price goes up even more in the coming months, they may make out with quite a bit more than $1M.


They're likely moving the Bitcoins to their own cryptowallet. At that point they could spend on sources that accept Bitcoin for payment (Silk Road and the like, Reddit Gold, the small but growing set of real-world places that take Bitcoin, etc) or could transfer to an exchange to cash out.

tl;dr - both.


Problem is that the coins can be traced, so they need to spend them anonymously.


Couldn't they tumble the coins and cash out?


Tumbling simply makes the accounting harder, but not impossible.


Even if they do, the mixing service must be anonymous too. The blockchain provides irrefutable evidence, and you need at least one step to make the coins anonymous.


It is possible ... but you need some specific conditions - someone willing to convert bitcoin for real money in a jurisdiction that has lax money laundering laws, then he must somehow launder them.


They can sell the coins on any exchange that allows them to convert it to real money. Not sure how deep the order book is so they may not be able to convert it all at once.


From their website:

"Security + privacy The most secure wallet ever created."


That's usually true... Until it isn't


How do we know it's not the owner of input.io cashing out?


You don't! This is the risk of transferring your money to someone without any sort of regulations whatsoever.


Here is his proof that it is not an inside job: https://bitcointalk.org/index.php?topic=283756.msg3505394#ms...


I'm curious, how would someone go about proving this wasn't an inside job. Is that possible?


Short of the actual thief publicly outing himself, I can't really think of any way.


Nope.


Back in July, TradeFortress, the operator of input.io claimed that 0 coins are store on the web facing server.

https://bitcointalk.org/index.php?topic=251553.0


is a trend.. start up a legit Bitcoin service. Run it well with high aims, etc, etc to make an impression to the public. Consciously create a loop hole and hack your own Bitcoin service and close it down.


"Please don't store Bitcoins on an internet connected device, regardless of it is your own or a service's."

Best advice I've read so far about bitcoins. All these services that's started up around keeping bitcoins for you, wallets, banks, they are all dodgy and no matter how well their marketing seems or how nice their webpages look, I think in the end - I'd like to keep my own money.


Anybody wondering how long it will take for Bitcoin to gain enough respectability for the FBI or Secret Service to get involved after hacks like this? If the same amount of money was stolen from a normal bank, it'd likely be covered by every news outlet.


Banks losing $1 million to hackers are not exactly science fiction. Typical outcomes including authorities not catching the thief, insurance paying out or the bank self-insuring, reiterating NDAs to employees who became aware of the theft, and absolutely no media coverage.

[Edit to add: For avoidance of ambiguity, I'm really, really, REALLY not suggesting that "Since banks are equally insecure, bitcoins are a great idea." Of greatest interest to HN readers, if your bank has a security fumble and your account is debited $25,000 as a result of this, you will almost certainly be reimbursed for every penny of that post-haste.]


> I'm really, really, REALLY not suggesting that "Since banks are equally insecure

That's just as well, because otherwise I'd have to mock you. Banks are not equally insecure. I work for one, and we typically spend 10-20% of the cost of development for apps on security reviews and testing, and not from numptys from accounting firms, but actual, well-known, well-respected white hats who review our designs and run hacks against us.

We aren't perfect, of course. But these monkeys are barely on the same planet, never mind in the ballpark.


Serious question, not trying to be rude.

If banks are full of competent programmers, why are their customer-facing online banking websites so utterly, utterly terrible?


I suspect this because, every time there is competition between innovative features that are nice for users, and ensuring security/limiting exposure and attack surface, the latter concern wins with little discussion.

What I mean is, if they implement a new whiz-bang feature, the best case is that people complain a bit less. But if their new feature opens up an attack vector or social engineering opportunity, they may suffer serious financial loss and very bad press.


I'm not asking for whizz-bang features, just a lack of the busy, overengineered sort we tend to see.

Heck, First Direct is one of the better banks in this country, but their website popups deliberately hide browser chrome including the address bar, which is just obviously terrible for security. But that's something that must have been deliberately added.


I have had poo-flinging contests (in banking) with external "security experts" (i.e. grads with a 3 ring binder from accountancy firms) who think ripping out the chrome is a todo on the required security checklist.


Programmers don't decide the UX. And any decent-sized bank will be pulled in different directions by:

1. The standard "enterprise problems": strategic partnerships dictating toolsets and so on.

2. The standard "big company problems": many business units acting as fiefdoms who will be arguing over how much real estate they need on customer-facing channels.

3. Tensions between customers who are scared of "money" and "online" and want everything locked down vs customers who want the latest whizz-bang everything.

4. Regulations.

5. Customers spanning a range from high-value rural farmers with vast sums of agribusiness who are stranded on dialup (yes, they exist), customers who do their banking on whatever their work PC is (XP and IE6 is still a thing - out biggest surge of the day is the 9 am rush when people log in from work to do their banking), through to customers who want the latest and greatest HTML5 webbery.

Saying, "fuck it we only support WebKit and high speed internet" is not really an option.



Usually because they have to support IE6


The BBC, Ars Technica, and others covered a theft one year ago of about one-quarter this much value (when converted to USD at the time). And the FBI was involved (not that they recovered the funds or anything): http://www.bbc.co.uk/news/technology-19633980


Not sure about that. Also, I read somewhere that the going rate of solving bank robberies is around 75-80% and many robbers are only caught because a) they do something stupid like not wear a mask or do anything to conceal their identity, or b) continuing robbing banks until their caught.

Considering hacks like this take time and a fairly high level of sophistication, not sure the FBI would want to employ the amount of long term resources needed to hunt these guys down.


The inputs.io hack required zero sophistication. Did you read TradeFortress' explanation? The hacker merely used the password reset feature on an email account, and then reset the Linode Manager password from the email.


They had to get access to the email account first though; I thought it was a Google mail account with 2FA [can't be bothered checking back].


I don't think it is the FBI a BitCoin thief needs to fear.

That said, it is fascinating to watch people getting caught out when they have a "few dollars" in BitCoin and now its "a few hundred thousand dollars" suddenly the security requirements change dramatically. One would hope that would be bitcoin wallet holders are taking notes and things like daily security audits are the new normal.


Which begs the question, how can one determine the veracity of the security claims of website operators? Bitcoins are a convertible currency but are not regulated, insured or guaranteed by any authority. I guess even modern fiat currencies had their teething problems with theft and counterfeiting, so this is not too surprising.


You cannot, just like you can't determine the claims of any other random server responding to port 80 somewhere on the 'net.


I wouldn't be surprised (or disappointed) if some enterprising company developed a security certification (a la PCI) for Bitcoin-related providers. You wouldn't _have_ to offer it, but the market might favor those that had subjected themselves to that scrutiny.


It would be great to see a market solution to this. Bitcoin is a bit like the gold rush/wild west at the moment which is fine for those who understand this before diving in, but until these types of trust issues are resolved market participation will be limited, which presumably will eventually effect the liquidity of the market for btc.


What happens when bitcoins are stolen? Can they be use again without being traced?


It depends on what you mean by 'traced.' All bitcoin transactions are 'traced,' but you can just set up a few thousand wallets, transfer some money to all of them, send them between each other, trade some away to other people for things... it's not clear simply from the transaction log who actually took them, and who is just receiving BTC from an anonymous buyer for some sort of service.


From my understanding of bitcoin, doing this would be trivially easy to track also. However, I haven't studied this in great detail, so what is said here may be incorrect.

*simplified view Wallet 1 stores 50 bitcoin for(i = 1; i < 100000; i++) { Transfer 1 bitcoin from Wallet i to Wallet i+1 }

At this point, wallet 100000 contains exactly 1 bitcoin, that every transaction can be traced back to wallet 0. I understand that you would include more wallets, varying values, etc. But the point is every one of those bitcoins can be traced back to the original wallet which has the stolen funds.

The only way to make this behavior viable that I can see, is to have intermediate services that mix up funds.

So you have 50BTC Stolen funds in Wallet A. I run Wallet B, that takes transactions from many people. You give me the 50BTC that is stolen. I send you 50 bitcoins in small increments randomly over a set period of time, but from the other transactions I have. I do the same for other people, using the 50BTC that you sent me.

As such, my service mixed the coins through a common point, which now makes tracking the chain very difficult. If I didn't mix this with other people's transactions, and gave you back you're own coin numbers, the coins would just track through me back to the original stolen wallet.

This would need a party to offer this type of service, with enough volume to obscure the source, and for that service to not keep records (or not be inspected through other means).

Again, I want to re-iterate, my knowledge of bitcoin is somewhat superficial, so don't take this as an authoritative post on the subject.


> The only way to make this behavior viable that I can see, is to have intermediate services that mix up funds.

They're called 'mixers.'

> Again, I want to re-iterate, my knowledge of bitcoin is somewhat superficial, so don't take this as an authoritative post on the subject.

You've got your head on straight. Here's one small aspect you're missing: there's no connection between a person and a wallet, and there's no transaction costs, so just make a million wallets and send random amounts to each one, and then send them through a mixer, and then to each other some more, and then to a mixer....


From what I've been told, yes....they can be used when stolen; it's kinda the whole untraceable, distributed nature of it all.


> untraceable

This is wrong. Every single transaction is saved, by everyone. It's the core of how the protocol works.

That doesn't mean there aren't ways to obscure who controls the wallets, but it's not untraceable, and 'distributed' has nothing to do with privacy.


I find this point a very interesting one. Everyone insists that transactions are saved and traceable (which of course they are), but I've never heard of anyone finding out who stole their coins and getting them back. People just seem to accept after a break-in that the money is gone and there's nothing they can do about it. That's not acceptable to me in a currency, particularly not one that people use as a store of value long-term. So it is effectively untraceable even if technically you can trace the anonymous transactions. The important part of that statement, which was not wrong, is they can be used when stolen.

This is my biggest reservation about bitcoin - they have taken the worst attributes of paper cash (pretty anonymous, not tied to a verifiable identity), and replicated them in a digital currency. If I'm transacting with someone I want to know who they are, in case of fraud or theft. People even openly run money laundering operations (mixing), and the community put up with it! In contrast, most people never store large values of money in actual paper cash anymore, they store it in a bank, which has identification and laundering checks, proper tracing of accounts to identities, immediate yet reversible transactions, and compensation if money is stolen. Bitcoin doesn't come out well in that comparison.

The other reservation I have about it is the lack of regulation - these exchanges which hold the money of lots of people are not regulated as banks are. No-one knows exactly what security they actually have (as opposed to say they have), sometimes people don't know who's behind them (I remember that 17 year old from Singapore talking here about starting one[1]), and there's no protection against market manipulation, speculation and cornering, or it seems against online theft. Given they have become so valuable so quickly, you can be quite sure the market is heavily manipulated, perhaps even in advance of thefts like this in order to gain the maximum benefit. What is the cause of the huge recent spike in prices for example? If bitcoin is to work as a currency and a store of value (the traditional roles of money), it does need regulation and verification, but I find it hard to see how that would come about, given the lack of a central authority and the lack of will to deal with incidents like this.

I'd love to see a digital currency that tried to emulate the advantages of digital cash, while doing away with the ability of a central government to print the currency ad infinitum - that's the big downside of our current state-backed currencies - it seems Bitcoin is not that currency.

[1] https://news.ycombinator.com/item?id=2973301


> The important part of that statement, which was not wrong, is they can be used when stolen.

I think the important part that's missing is this:

If you have the proper opesec, BTC is anonymous.

The 'BTC is anonymous' meme does nothing more than help people who don't know what they're doing get busted. It's like Sarah Palin's email account getting hacked because she picked security questions that were well-known. Even if you're not doing anything nefarious, you may want to keep certain transactions private. "BTC is anonymous" means that some people who don't fully understand how BTC works will be doing things they _think_ are private but actually are not.

And if you think people know how BTC work, just examine this thread.


As an interested bystander who doesn't know much about bitcoin I'm genuinely curious if you can address any of the criticisms above or what you think about them. I'd love to see digital currencies outside state control thrive but am hesitant to use things like Bitcoin given the explicit lack of regulation and controls. The anonymous, unregulated side of it is the least attractive to me - I'd prefer it were not at all anonymous, because of all the issues raised by that - it leads directly to incidents like this IMO.


Oh, I'm sorry if I gave a pro-bitcoin impression. I think BTC is nothing more than a curiosity. Your criticisms are spot on. I won't ever use BTC for anything.


The most recent spike is due to Baidu starting to accept Bitcoin and people speculating (not unreasonably) that nothing in China happens without the government's approval. Combine this with the fact that the Chinese are getting sick of receiving worthless American paper for their labour, which just gets devalued when they have accumulated enough of it. People are thinking China will switch to XBT and as a result it will become the new international currency (because, let's face it, whatever China says, the rest of the world must follow - if they decided to stop supplying us, we're dead - we don't have factories anymore, everything tangible that we had is now over there).

About the lack of regulation and verifiable identities - that's the allure of it :) It's not just the lack of inflation, it's the whole "Wild Wild West" atmosphere :) Like, remember the Internet before the old people and politicians found out about it?


It's traceable...

But no one's gonna stop them from using it, and if you're the receiver, you wouldn't care where it came from.


But they are traceable. There is a public record of every wallet address the bitcoin has touched. If those who it was stolen from reveal their wallet addresses, it should be possible to track down the coins and find out who the thief was.


You can still use a "mixing" service, which takes many coins from many sources and mixes it in a way that you can't tell anymore what is the source of Bitcoins you received. Blockchain.info operates one of these.


Interesting thought. Could there be "shunned" Bitcoins where, if they held certain blacklisted wallets in their history, businesses and users would choose not to accept them?

One could imagine people still choosing to trade in these Bitcoins, but that such a penalty would forevermore reduce their value next to "unshunned" coins. Could legit businesses and people using Bitcoin collectively reduce the value of stolen Bitcoins in this fashion to discourage it without directly discovering who misappropriated them...?


Who would manage such database of "shunned" Bitcoins? Who would decide which ones are "shunned" and which aren't? This is a delicate topic, almost as much controversial as censoring internet to get rid of child porn. With decentralized protocol/currency as Bitcoin is, that is not possible to do properly. OTOH, every service can decide on their own what they accept and how they operate, so each and every service operator COULD implement such measures. But then the thief would just choose another service provider who doesn't implement that.


Note, I'm not saying it's a fantastic idea, just something that happened to occur to me as a possible development in Bitcoin's future.

It'd likely be along the lines of anti-spam lists. You might have one that's high-profile thefts or seizures. For that matter, these lists could be political, issue-based, or whatever.

It's ridiculous and unlikely to be followed if taken out to the extremes of issue-based disputes, but I don't think it's impossible for a significant number of people to agree not to transact in stolen Bitcoins, some on principle, some as self-preservation (the exchanges), and most because their utility is reduced by the first two groups refusing them. This also happens to increase the value of untainted Bitcoins.


If you think that a pile of anonymous people on the internet are going to respect a 'stolen' flag with no real downsides, I've got a bridge to sell you...

Also, this is ignoring the entire problem of 'who decides what stolen means in a totally decentralized protocol?' That's non-trivial in and of itself.


I think you might be able to just start and end with the laundry cleaners. Blockchain.info could just decide that they won't wash coins that they know were from a high profile hack like this.


Then use Satoshi Dice first, or start your own game of chance with ridiculous odds floated with the stolen coins and exploit peoples natural greed.


They could, but there will always be people willing to accept the coins anyway. Without protocol support, it's not particularly meaningful.


I don't think it needs to be binary. Anyone today can choose to accept stolen or blood money. But I think you could create a distributed dye pack. It could just be an API that you query with a coin and receive a signed answer. Your Bitcoin client can report saying e.g. 'Blockchain.info thinks that this coin may be stolen. Accept anyway? Y/N' and leave it up to the user to decide. The downside is that the next person you try to give the coin to could decide that they trust Blockchain.info and not accept your money.

It's a democracy. If the masses decide that Blockchain.info is blocking coins that weren't stolen for some nefarious reason, they can just ignore their warning.

The question is: do the majority of bitcoin users even care if they are using stolen coins?


Law enforcement could enflict some real downsides if bitcoins were considered stolen goods. Stolen goods can be seized when discovered by police, even if their current owner acquired them legitimately.


>Interesting thought. Could there be "shunned" Bitcoins where, if they held certain blacklisted wallets in their history, businesses and users would choose not to accept them?

This is the mechanism I always thought the feds would use to go after bitcoin. "Possession of stolen property" - My understanding of the law in my area is that I am breaking the law if I possess stolen property, even if I can prove that I obtained said property legitimately and even if I couldn't reasonably be expected to know that said property was stolen.

What if the feds decided to apply the same thing to bitcoins? I mean, what if you legitimately obtain bitcoins that are, in fact, stolen property? Or bitcoins that were used in a law-breaking transaction?


that would never work due to a simple reason -- there would never be a 100% way of telling if the "shunned" flag is legit.


Isn't that effectively bitcoin laundering?


Yep, that's exactly what it is.


Yes and no. You can trace every transaction back to day 0, so it is possible to know which other bitcoin wallet(s) the money was transferred to. If the thief however only uses the stolen BTC to pay for non-identifying services (i.e. internet hosting), it will be very hard to find them.


This is exactly why not everyone should learn how to code and be a developer.


I think it's exactly why they should.

If these unfortunate folk knew their internet security they would know better than to pump their money into random internet wallets, despite claims that it's the "most secure wallet ever created".


No it isn't. Its why you shouldn't keep your money in places that aren't secure.


Just like Mein Kampf is evidence not everyone should learn to read and write.



This is exactly why everyone SHOULD learn how to code and be a developer. They were negligent.


Who will bake my bread and pump my gas?


"Everyone should learn to code" != "everyone should have a job as a programmer."

"Everyone should learn to write" does not mean that everyone is an author.


bread will be made by robots (well actually already is.) and it will be delivered by automated drones, and your car is going to be electric and it's going to be charged just by parking it over a wireless charger.


There's an API for that!


Available BANK HACKING SOFTWARE = $1500 This software hacks bank accounts.

HACKDOO (TROJAN) = $1100 Can steal information from any computer, informations like username and passwords, other account login details and credit card details.

VAMPIRE 3.5 = $200 Helps in hiding your ip unlimitedly. you can use any ip address you want

SOFTWARE BUG WESTERN UNION VERSION 2013 = $900 Western Union Bug is a software that cracks Western Union databases and gives the DATA of Western Union infomation for payment made to any country in the world. It scans the Western Union worldwide database and gets you MTCN from any country and city you choose just within 20 Minutes of clicking on the button start hack The Western Union Bug 2013 version comes with two types of Activation code, the first 20 digit activation code logs you into the first panel whereby you do fresh transfer while the second 20 digit activation code logs you into the Western Union database You can also use the software to make a fresh transfer by also scanning out a Western Union agent logins and using it to make a transfer to any Western receiving country in the world It is easy to use. And make quickly countries such as Africa, EU, CA, AU. TEACHING FEES BUY BANK HACKING SOFTWARE

I will teach you Hacking 3 months with all softwares for $3000 Become a hacker today. Contact me Odidollarsman@gmail.com

Bank transfers are now available to the following countries : USA UK EU Canada Australia Russia Singapore Dubai Vietnam

$2,000 - $10,000 per transfer to Personal accounts (Checking accounts, Savings accounts, Current accounts, Standard accounts) Transfers over $10,000 are available to Business or Corporate accounts only

Same day service to UK/USA/EU/Canada/Australia - 1 to 2 business days service to Russia/Dubai/Singapore,

Contact: odidollarsman@gmail.com


People who don't understand the importance of storing their own bitcoins spread across plenty of cold addresses -- generated from fresh, never-connected boxes and enough entropy -- are begging for loss. Given the attitude people have with security and the nature of viruses alone, 99%+ of people aren't 'ready' to use bitcoin beyond small amounts. It's inherently risky for any considerable amount. I never recommend bitcoin to most other people. It's recommended as worthy in and of itself, though.

Bitcoin's digital fungibility, which will always be a curse to some, will always be its greatest virtue. Distrust is one of its most valuable effects. Respect it or don't respect it. That's up to you.


1.1 Million US$ is a strong incentive to fake a theft. How can they prove it was someone else?


They don't need to


They seem to be using Google Apps for the e-mail. And they claim:

    > The attacker was able to bypass 2FA due to a flaw on the server host side
Which flaw is this? Is it a known issue for Google? I would like to know more details.


As a Linode & GApps customer that uses DFA I'm curious about this as well... Are they talking about Google, Linode or their own app?


Do bit coins have identity and hence be flagged as stolen somewhere ?.


Each bitcoin goes into a wallet, which contains an address. There's no connection between a person and a wallet, though, and it's not a 1:1 mapping, either.

> flagged as stolen

That would imply some sort of centralized authority to decide exactly what 'stolen' means. Even if a third-party service kept track, it'd be meaningless in short order, as mixers exist...


Also there is no connection between a wallet and an address except the wallet stores the address.

When the client sends the address the change is returned to a new change address, and the wallets are being designed now to never reuse addresses.

So it would become very hard to determine which of the outputs are change addresses and in the same wallet.


This is the wallet that the owner of Inputs.IO has claimed[1] is where the stolen funds were transferred:http://blockchain.info/fb/1emztw

Blockchain.info has tagged it as inputs.io hack. And a couple users have tagged it as well with public messages. But besides that, as far as I know, all anyone can do is watch it get drained.

[1] https://bitcointalk.org/index.php?topic=248803.msg3509247#ms...


In theory, each coin (called transaction output in bitcoin lingo) can be traced through a chain of transactions to its originating block. In practice, this is useless because there is no correspondence between bitcoin addresses and individuals (except in certain points like exchanges that require your ID)

In other words, each time a coin changes addresses there is a plausible deniability for the owner of the receiving address that s/he received the coin as a result of a legitimate transaction (sale of goods/services, donation, whatever)


I had 0.25 BTC on Inputs.io and was uneasy about using the service. I withdrew it all on Monday to my phone... now I'm so glad that I did!


Smells like inside job


It doesn't smell like either, because a competent outside or inside job will smell the same.


When are these online wallet companies going to start using colocated servers owned by themselves instead of Linode and other vps companies.


Interesting that the "theft" didn't happen until BTC reached $300.


I don't know what you expected, Bitcoin enthusiasts.

You bought into a system where coins could be permanently lost because you forgot a password.

You bought into a system where the government cheerfully gained control of a large share of the market by simple confiscation.

You have recreated money. But you aren't even good at it! You still think that simple cryptography will excuse you from the fact that you're greedy bastards.

The reason I hate Bitcoin is that it intentionally promotes a counter-establishment treatise, and you have the batshit insane gall to claim that it is different.

I'm venting.


Are you referring to the 144,000 BTC confiscated in the Silk Road bust? There are almost 12,000,000 BTC in circulation. The Silk Road share accounts for about 1.2% Compare that with any government currency that is 100% government-controlled.

It's easy to permanently lose cash, too.


Yeah, it's easy to lose cash if you're on Wall Street, but no one lauds that.

You're stuck in a place where you're trying to differentiate yourself from Wall Street and you are exactly like Wall Street.

And then you compare the total BTC in circulation and its equivalence in USD... and...

What the fuck do you think you're doing?

Do you think you're toying with trillions of dollars?

The banking machine is ignoring you. It simply doesn't care.


i guess the point is that money on wall street only changes hands. BTC are permanently destroyed.


>You bought into a system where coins could be permanently lost because you forgot a password.

As opposed to a system where coins can be permanently lost because you have a hole in your pocket?


Would have to be a rather large hole to lose a million dollars through it. Would have to be about 43" wide.


It's funny seeing you on my side. How you been? I haven't crossed words with you in a while. james_d?


Different, James, I think. I'm not completely on board with your view, but your criticism here is valid and should be acknowledged by BTC proponents if they have any hope of observing their currency as realists. This kind of thing is a major drawback to using Bitcoin.


Have you never trolled the r/debatereligion circuit?


Oh, you have got the right guy then. :) but I don't know why you said james_d.


Somehow I always thought your middle name (or initial) was d.

It's nice to see you.


I'm not an enthusiast, I don't own and have never owned any Bitcoin.

However I think your dismissal of Bitcoin is wrong. Not because it doesn't have flaws, and not even because it's guaranteed to succeed—there's no telling when a crypto breakthrough could cause Bitcoin to crash and burn faster than tulip bulbs—but rather because Bitcoin is the most interesting development in currency of the past millennium. There's simply no denying it has unique properties of considerable interest, regardless of ideology or affiliation.


I'm not particularly invested in BTC either (own like 0.000001 or something), but I find it fascinating for similar reasons.

Imho it represents and inflection point in human history, by virtue of solving a previously unsolvable algorithmic problem (distributed consensus), at least in the context of digital currency.

BTC's solution wasn't even technically possible until two other major innovations - the construction of the internet, and the invention of the Bittorrent protocol. And 'Satoshi's' insight that a simple time delay via proof-of-work finally tied it all together and made possible the first (technically) viable distributed currency.

All the remaining problems are minor by comparison and will eventually get solved, in the same way the modern banking system eventually solved problems of bank robberies and fraud - not so much completely solving them, but by making them extremely difficult to pull off and/or get away with, reducing the odds and risk to levels acceptable for the general public. Same will happen with BTC and its infrastructure over time as well.


You fail to point out that cash has all the same drawbacks:

You can permanently lose cash if destroyed in a fire.

Your cash or bank account can be confiscated easily by the government.

Etc.

Of course, unlike cash, Bitcoin has advantages because it offers the option to prevent these losses: you can back up a Bitcoin wallet. You can avoid government confiscation (password-protected wallet). Etc.


I'm always astounded by comparisons of bitcoin to paper cash - in 10 years we probably won't even be using paper cash and it is hardly ever used for large transactions now in advanced countries - paper cash is history. I think I've done about 5% at most of my spending in paper in the last month.

How about digital cash?

Also, Bitcoin can be confiscated by the government, along with the computer/server it sits on (see silk road). A $5 wrench or a jail cell will deal with your encryption. You can also permanently lose it if someone copies your wallet/backup and then spends it particularly while it is on one of these exchanges - that's because transactions are not reversible or traceable to a verified identity.

Technically, I think Bitcoin sounds really substantial and love the idea of creating/spending keys which avoid government inflation, but the axioms on which the usage is based are all wrong -

I've never lost money in a fire, and never will. I don't want to avoid government confiscation by technical means (which fail), I want to avoid it by law. I don't want to be able to launder money (or for others to). I don't want my transactions to be anonymous and to have no central authority and no accountability when theft/fraud happens.


> Also, Bitcoin can be confiscated by the government

Not if you specifically want to prevent this. A bitcoin private key is 256-bit ECDSA, which provides 128 bits of security. If you can remember a 10 word randomly generated diceware phrase[1], you can securely store bitcoins in your brain.

[1] calculating the private key as a SHA256(phrase) for example


A $5 wrench or a jail cell will deal with your encryption.


You are wrong and overly pessimistic. Look at DPR. The govt confiscated 174k BTC, but he supposedly has another (encrypted) ~500k BTC wallet, and he is NOT/will NOT be tortured to reveal the key.


The govt confiscated 174k BTC, but he supposedly has another (encrypted) ~500k BTC wallet

If he does I'd be very surprised if he can ever spend it, even if he does somehow get to a copy. Torture is not the only or most effective avenue to thwart encryption or your plans to keep money from them, they could claim enough back-taxes to bankrupt you, repossess anything you buy etc, etc.


Of course an oppressive government has many options to attack an individual, but Bitcoin enables individuals to protect themselves. For example a political refugee can flee his country with bitcoins in his head (brainwallet) which would be a lot safer than fleeing with cash in his pockets.

You also have scenarios that are not as drastic, where the adversary is not a government but, for example, a powerful (ex-)spouse trying to seize some of the assets in illegal ways during a divorce going wrong. Etc.

Your refusal to acknowledge this usefulness of Bitcoin makes your criticism look weak and one-sided.


I don't think the US is at the point where they torture citizens for private keys. And they'd only be able to use jail as leverage by offering a reduced sentence. Even then, you might refuse if, for example, you'd rather stay in prison and leave the money to your family.


Be careful with your first sentence. For example, the US would not hesitate to torture Snowden for his key if they even had the slightest way to get their hands on him.

Just declare this person an enemy of the state/terrorist and there you go - to you and your encryption.


Even then, you might refuse if, for example, you'd rather stay in prison and leave the money to your family.

Somehow, I don't think the government will leave you that option ;) You'll stay in prison and have the means to use the bitcoins confiscated or outlawed. They can also confiscate all your other assets, like the house your family lives in.

There are many options available to a sovereign government which mean that relying on purely technical measures will not defeat them, because they have a monopoly on force, up to and including lethal force.


Yes, but unless the government becomes significantly more tyrannical than they are at present, bitcoin is a useful tool for dodging asset forfeiture. For example, your private keys could be distributed amongst n of m gangsters/wife/sons/lawyers/whatever including foreigners.

Implemented correctly, it's much much more difficult to steal or seize than cash while at the same time being much much easier to smuggle to places with no extradition where money trumps the rule of law.


[deleted]


Wait a few years for the Bitcoin ecosystem to mature, and all the security mechanisms developed by banks (and more advanced ones that are just inapplicable to cash) will appear and be applied to Bitcoin: theft insurances, properly secured web wallets (HSM, userbased multi-sig, cold wallets, etc), tamper-proof hardware wallets, etc.


And at which point we'll be back to seeing 0.3+2.9% on every transaction to cover the costs of such...


Which will be fine. Even with such fees, Bitcoin would remain superior to existing currencies/payement networks: instant transfers across the world, censorship resistance, etc.


Unicorns!


.


Instead of hating something you should try to understand it first:

> permanently lost because you forgot a password

You don't have to encrypt your wallet, that's up to you. If you believe that not even knowing the password of an encrypted wallet you should be able to recover your bitcoins your problem is actually with cryptography in general.

> the government cheerfully gained control of a large share

Powerful entities have power, welcome to the real world.

> the fact that you're greedy bastards

huh? can you expand on this?

> it intentionally promotes a counter-establishment treatise

Nop, Bitcoin is a technology, and neither the paper nor the Bitcoin Foundation is "counter-establishment". Actually the last one is trying really hard to make Bitcoin "pro" establishment.

Sorry I don't wanna be rude but your post is absurd.


Nobody is forcing you to use it OR help its development. Why do you even care?


I care because the stories are spamming up HN. You can't downvote stories, and flagging them would probably be considered inappropriate.


Can't you just... like... not read them? On every visit to HN I click 3-4 links tops, but you don't see me complaining in the comments section of the other 26 :)


Yes I can, but if I do then the site will only get worse. http://lesswrong.com/lw/c1/wellkept_gardens_die_by_pacifism/


Interesting link, thank you!

But I don't see how it's relevant - this is a site about start-up news and Bitcoin is exactly where the opportunities for start-ups are. It's not like they're posting porn or something - probably the next PayPal will come from someone reading these links and comments here.

Although I admit that sometimes there are too many links about politics on HN, but you can say politics is also kind of relevant to the start-up world, especially when it concerns policy decisions about technology.

In conclusion, I'm yet to see an irrelevant link on HN. The algorithm works as advertised IMHO.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: