Title: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 01, 2013, 06:49:55 PM
Message on their site:
Quote
Down for Maintenance
We have detected a security breach. Services are temporarily suspended until we have thoroughly investigated the situation. We will resume services as soon as possible. Please do not send funds to your address for the time being. Stay tuned for further updates, thank you for your understanding.

What do you think?

Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 07:04:21 PM
I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything...
https://bitcointalk.org/index.php?topic=159673.0 However the bug I found only impacted about 3000 of their clients and roughly 100 bitcoins max, what's showing up on that screen is something bigger (at least big enough to shut down the whole freaking site) and most likely unrelated, because mine was just that Google was listing people's wallets.... and they banned it in Google Webmaster tools, so that issue is resolved... that notice though is all sorts of red flags..

Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:08:19 PM
I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything... https://bitcointalk.org/index.php?topic=159673.0 However the bug I found only impacted about 3000 of their clients, what's showing up on that screen is something bigger and most likely unrelated, because mine was just that Google was listing people's wallets.... and they banned it in Google Webmaster tools, so that issue is resolved... that notice though is all sorts of red flags.. Yeah, they put a simple robots.txt. Seems strange how long it took them to do that. I think it was already a known issue before you reported it :)

Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 07:09:19 PM
Yeah, they put a simple robots.txt. Seems strange how long it took them to do that. I think it was already a known issue before you reported it :) LOL I hope you're kidding right? Robots.Txt wasn't the problem ... Google lists your stuff even with robots.txt ban... you have to ban it in webmaster tools ... not via robots.txt ... robots.txt just says "don't spider me" it doesn't say "don't list me" Google lists your urls regardless of what the robots.txt says. I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all.
see under each url there is a "a description not available due to robots.txt" but they still listed the freaking urls. http://www.adaptiveglass.com/instawallet/1.jpg

Title: Re: Instawallet Security Breach
Post by: molecular on April 01, 2013, 07:12:44 PM
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0
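Added example, not part of the thread and not Instawallet's code: a small Python model of the crawl-versus-list distinction argued over in the posts above, using the standard-library robots.txt parser. The host `wallet.example`, the `/w/` path, the token and the outcome labels are constructed; the `X-Robots-Tag: noindex` response header is a standard mechanism that the thread itself does not mention.

```python
from urllib.robotparser import RobotFileParser

# Directives that may follow a "botname:" prefix in an X-Robots-Tag value.
KNOWN = {"all", "index", "follow", "noindex", "nofollow", "none",
         "noarchive", "nosnippet"}


def crawl_allowed(robots_txt, url, agent="Googlebot"):
    """True if robots.txt lets `agent` fetch `url`. This governs crawling only."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, url)


def header_noindex(headers, agent="googlebot"):
    """True if an X-Robots-Tag header tells `agent` not to index the page."""
    for name, value in headers.items():
        if name.lower() != "x-robots-tag":
            continue
        scope = "*"  # directives apply to every crawler until a "bot:" prefix
        for token in value.lower().split(","):
            token = token.strip()
            head, sep, rest = token.partition(":")
            if sep and rest.strip() in KNOWN:
                scope, token = head.strip(), rest.strip()
            if token in ("noindex", "none") and scope in ("*", agent):
                return True
    return False


def search_listing(robots_txt, url, headers, discovered, agent="Googlebot"):
    """Model what a search engine can show for `url`.

    discovered: the engine already knows the URL by some route (for example
    a link on another page). This is an assumption of the model.
    """
    if not discovered:
        return "not discovered"
    if not crawl_allowed(robots_txt, url, agent):
        # The page is never fetched, so a noindex header on it is never
        # seen. The bare URL can still be listed without a description.
        return "url-only listing"
    if header_noindex(headers, agent.lower()):
        return "not listed"
    return "full listing"


# Constructed sample data.
ROBOTS_DISALLOW = "User-agent: *\nDisallow: /w/\n"
ROBOTS_OPEN = "User-agent: *\nDisallow:\n"
WALLET_URL = "https://wallet.example/w/CONSTRUCTED-TOKEN-0000"
NOINDEX = {"X-Robots-Tag": "noindex, nofollow"}

if __name__ == "__main__":
    cases = [
        ("Disallow only", ROBOTS_DISALLOW, {}),
        ("Disallow + noindex", ROBOTS_DISALLOW, NOINDEX),
        ("crawlable + noindex", ROBOTS_OPEN, NOINDEX),
        ("crawlable, no header", ROBOTS_OPEN, {}),
    ]
    for label, robots, headers in cases:
        print(f"{label:22} -> {search_listing(robots, WALLET_URL, headers, True)}")
```

Even the "not listed" outcome closes only one leak path: the URL still grants access to anyone who holds it.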
Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:14:11 PM
Yeah, they put a simple robots.txt. Seems strange how long it took them to do that. I think it was already a known issue before you reported it :) LOL I hope you're kidding right? Robots.Txt wasn't the problem ... Google lists your stuff even with robots.txt ban... you have to ban it in webmaster tools ... not via robots.txt ... robots.txt just says "don't spider me" it doesn't say "don't list me" Google lists your urls regardless of what the robots.txt says. I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all. see under each url there is a "a description not available due to robots.txt" but they still listed the freaking urls. http://www.adaptiveglass.com/instawallet/1.jpg AFAIK, that's behind the configuration of the robots.txt file. It should be capable of being configured so that the Google bot doesn't even visit the domain :P

Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:14:43 PM
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0 The maintenance notice is identical. This suggests the same team is running both. And yes, it IS the same team.

Title: Re: Instawallet Security Breach
Post by: moni3z on April 01, 2013, 07:15:03 PM
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0 yep, and instawire.org which disappeared for a while it was showing an error page with a list of all their directories. saw a lot of ruby gems there not good, anybody remember the insecure gems fiasco a few months ago?
Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:16:54 PM
Yeah, they put a simple robots.txt. Seems strange how long it took them to do that. I think it was already a known issue before you reported it :) LOL I hope you're kidding right? Robots.Txt wasn't the problem ... Google lists your stuff even with robots.txt ban... you have to ban it in webmaster tools ... not via robots.txt ... robots.txt just says "don't spider me" it doesn't say "don't list me" Google lists your urls regardless of what the robots.txt says. I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all. I don't understand any of this robots stuff :/ Basically, was the problem you uncovered something that could see urls then? I only ever check my instawallet through tor. I am a little worried at the moment, should I just chill out?

Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:17:43 PM
I just hope that Instawallet has a backup of how many Bitcoins belong to how many people and each URL :P
I have only BTC0.012, but that's a lot to me :P Considering that I'm a faucet loiterer and penny dust collector :D

Title: Re: Instawallet Security Breach
Post by: molecular on April 01, 2013, 07:18:20 PM
this doesn't sound good at all.
Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:19:32 PM
this doesn't sound good at all. Literally shitting myself

Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 07:19:51 PM
I am a little worried at the moment, should I just chill out? Too early to tell, but either way the lesson will be "trust no one to hold your coins".

Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:21:37 PM
But there were 3.5million wallets. Is it just limited to 3000?
Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:21:40 PM
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0 The maintenance notice is identical. This suggests the same team is running both. Injust, the solution to this problem is not robots.txt. The solution is not using URLs as private keys in the first place. Well, I guess that Instawallet's way of doing things was for convenience, rather than security. Not that security isn't important, but still.

Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 07:22:47 PM
But there were 3.5million wallets. Is it just limited to 3000? We don't know if the problem is related to that, or another problem entirely. We don't know if coins were stolen, lost, looked at, fondled, or licked. Just have to wait for official statements at this point.

Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:24:49 PM
If this is davout's kind of an April Fools' joke, I'm never using Instawallet again.
Promise.

Title: Re: Instawallet Security Breach
Post by: moni3z on April 01, 2013, 07:27:08 PM
I don't use instawallet anyways. If you want quick transactions download Electrum client, or just use the regular ol' Bitcoin-qt because we all learned our lesson from mybitcoin right
Title: Re: Instawallet Security Breach
Post by: dree12 on April 01, 2013, 07:27:15 PM
But there were 3.5million wallets. Is it just limited to 3000? We don't know if the problem is related to that, or another problem entirely. We don't know if coins were stolen, lost, looked at, fondled, or licked. Just have to wait for official statements at this point. We know that they think that it is ok to have authorization information in clear text in URL to allow access to financial accounts. This tells you all you need to know. Whomever runs it has no clue. The system would be perfectly secure if not for Google Chrome.

Title: Re: Instawallet Security Breach
Post by: bitcoinnix on April 01, 2013, 07:28:42 PM
Literally shitting myself Literally?

Title: Re: Instawallet Security Breach
Post by: deadweasel on April 01, 2013, 07:28:46 PM
But there were 3.5million wallets. Is it just limited to 3000? We don't know if the problem is related to that, or another problem entirely. We don't know if coins were stolen, lost, looked at, fondled, or licked. Just have to wait for official statements at this point. Hopefully they were only fondled and licked. My bitcoins like that. :/

Title: Re: Instawallet Security Breach
Post by: molecular on April 01, 2013, 07:31:24 PM
If this is davout's kind of an April Fools' joke, I'm never using Instawallet again. Promise. That would be a kind of humor almost inexcusable. I doubt that. I think the coins were licked. (not based on anything, just because that's funny as hell)

Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 07:34:11 PM
can't you guys tell if your bitcoins were sucked dry via blockexplorer? If not then it's no biggie... but if for some idiotic reason you kept 2000 bitcoins there and now blockexplorer is saying they are not there anymore then you have a problem.
Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:34:33 PM
http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy
Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 07:35:46 PM
(Instawallet Cold Storage ) transferring from there? Holy shit.....
Watch now it will give people an excuse to sell, not thinking that the vast majority of people at instawallet only keep pennies there... Still if they are moving around 41,854.59 BTC that's something big.

Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:37:39 PM
can't you guys tell if your bitcoins were sucked dry via blockexplorer? If not then it's no biggie... but if for some idiotic reason you kept 2000 bitcoins there and now blockexplorer is saying they are not there anymore then you have a problem. What do you need to check this? I only have the URLs, I do not have the address related to that, can I do anything?

Title: Re: Instawallet Security Breach
Post by: moni3z on April 01, 2013, 07:41:36 PM
can't you guys tell if your bitcoins were sucked dry via blockexplorer? If not then it's no biggie... but if for some idiotic reason you kept 2000 bitcoins there and now blockexplorer is saying they are not there anymore then you have a problem. What do you need to check this? I only have the URLs, I do not have the address related to that, can I do anything? Don't give us the URLS :P lol You're supposed to cut+paste the bitcoin address your URL leads to so you can watch it with the blockchain. You're also supposed to only keep pocket change on instawallet or any online wallet service. Did you ever send money to that address using another service? there will be a record of transactions probably, find your instawallet address there

Title: Re: Instawallet Security Breach
Post by: repentance on April 01, 2013, 07:42:46 PM
Too early to tell, but either way the lesson will be "trust no one to hold your coins". For about two weeks. History shows that people repeatedly leave their funds with wallet services and exchanges no matter how many times those types of services lose user funds. I doubt that is going to change any time soon.
If this is in any way connected to the vulnerability which was publicly discussed last week then Instawallet needs to explain why they didn't take the service offline until that vulnerability was fixed.

Title: Re: Instawallet Security Breach
Post by: Scott J on April 01, 2013, 07:43:39 PM
Too early to tell, but either way the lesson will be "trust no one to hold your coins". If this is in any way connected to the vulnerability which was publicly discussed last week then Instawallet needs to explain why they didn't take the service offline until that vulnerability was fixed. The password clue for their own wallet was made public, for fuck's sake.

Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 07:46:23 PM
If this is right:
http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy and the spot price is right 103.02 http://www.ounce.me You're looking at a $4,311,859.86 bank heist Again I am hoping I am wrong.... in the scope of things a 4.3 million dollar bank heist (4.3 pizzas) is not huge overall... but you know there will be headlines on Forbes and shit.

Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:50:57 PM
Oh fuck
Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 07:52:06 PM
Oh fuck Deep breaths. Remember, we really don't know anything right now.

Title: Re: Instawallet Security Breach
Post by: repentance on April 01, 2013, 07:54:38 PM
Too early to tell, but either way the lesson will be "trust no one to hold your coins". If this is in any way connected to the vulnerability which was publicly discussed last week then Instawallet needs to explain why they didn't take the service offline until that vulnerability was fixed. The password clue for their own wallet was made public, for fuck's sake. Sorry about that, it was StrongCoin's wallet hint which was made public. There were discussions elsewhere last week regarding vulnerabilities of a number of wallet services. The Instawallet vulnerability did display the user's wallet hint, though. https://bitcointalk.org/index.php?topic=159983.msg1691505#msg1691505

Title: Re: Instawallet Security Breach
Post by: Nick on April 01, 2013, 07:55:34 PM
Oh fuck Deep breaths. Remember, we really don't know anything right now. But now that the cat is out of the bag, paymium should clarify ASAP if the emptying of the cold wallet was done by them or by a thief.

Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 07:56:17 PM
Oh fuck Deep breaths. Remember, we really don't know anything right now. But now that the cat is out of the bag, paymium should clarify ASAP if the emptying of the cold wallet was done by them or by a thief. No doubt. Every minute of silence is bad for them no matter WHAT the outcome.

Title: Re: Instawallet Security Breach
Post by: moni3z on April 01, 2013, 07:57:28 PM
Unless of course this is their sick april fools day joke
Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:58:52 PM
Unless of course this is their sick april fools day joke I've always said nothing could offend me when it comes to jokes. I might have been wrong.

Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 08:00:33 PM
No doubt. Every minute of silence is bad for them no matter WHAT the outcome. You are right.

Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 08:06:09 PM
No doubt. Every minute of silence is bad for them no matter WHAT the outcome. You are right. I'm always right :D I find it strange that the two big transactions at http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still unconfirmed. Any reason for this besides someone trying to spend coin that isn't there?

Title: Re: Instawallet Security Breach
Post by: NamLaLai on April 01, 2013, 08:06:43 PM
Yeah, a few words from the people behind Instawallet would be very much appreciated, by all of us I guess. I'm still looking at dust in my wallet so not much lost if it goes belly up, but there might be quite a few that are about to get some sweaty hands soon....
If such a large transaction is underway, is there then nobody that raises an eyebrow and lift a finger?

Title: Re: Instawallet Security Breach
Post by: uuidman on April 01, 2013, 08:09:30 PM
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0 yep, and instawire.org which disappeared for a while it was showing an error page with a list of all their directories. saw a lot of ruby gems there not good, anybody remember the insecure gems fiasco a few months ago?

Title: Re: Instawallet Security Breach
Post by: Merralea on April 01, 2013, 08:10:46 PM
Bitcoin users that trust nobody not affected. Bitcoin users that trust nobody, but chose to move funds around at the worst time humanly possible, very much affected.

Title: Re: Instawallet Security Breach
Post by: SgtSpike on April 01, 2013, 08:11:57 PM
Well, this is interesting...
Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 08:12:16 PM
There might be good news to this, the fact that they had bitcoins in cold storage in the first place to help repopulate what they lost might be a good sign.
Title: Re: Instawallet Security Breach
Post by: moni3z on April 01, 2013, 08:12:31 PM
Quote
I find it strange that the two big transactions at http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still unconfirmed. Any reason for this besides someone trying to spend coin that isn't there?

maybe the thief was too cheap to pay txn fees :)

Title: Re: Instawallet Security Breach
Post by: beala on April 01, 2013, 08:13:04 PM
Someone on HN pointed out that the transfer happened an hour or two before the site went down. Can anyone confirm this? It looks like the transfer happened about an hour before *this thread* appeared, but did this thread start immediately after the site came down?
https://news.ycombinator.com/item?id=5475389

Title: Re: Instawallet Security Breach
Post by: Nick on April 01, 2013, 08:13:52 PM
Quote
I find it strange that the two big transactions at http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still unconfirmed. Any reason for this besides someone trying to spend coin that isn't there? maybe the thief was too cheap to pay txn fees :)

Title: Re: Instawallet Security Breach
Post by: keverw on April 01, 2013, 08:15:45 PM
Maybe the cold storage or some wallet got compromised, and they are moving it to a new wallet... Or maybe the owners of the site are pretending they were hacked, then cash out then go live on an island somewhere... Hard to tell really. Guess time will tell. I didn't use Instawallet but I have a feeling lots of newbies used it since its convenience.
Title: Re: Instawallet Security Breach
Post by: gbl08ma on April 01, 2013, 08:18:00 PM
You're supposed to cut+paste the bitcoin address your URL leads to so you can watch it with the blockchain. That will do nothing but make users panic when they see value moving out of that address. The address Instawallet associates/associated with a certain URL is used only for depositing, increasing your balance in Instawallet's internal DB. Then once the money is thrown into the Instawallet system, it can be taken from these deposit addresses without having the user send money out of the wallet. In other words, the balance of an Instawallet wallet is unrelated to the balance, verifiable with the blockchain, of the deposit address for that wallet. Also, before Instawallet and Bitcoin Central went down, users had trouble sending money out - https://bitcointalk.org/index.php?topic=163918.0 . I already said this in another thread about this Instawallet security breach, but now I found the link to that thread. I think this has something to do with the hot wallet being empty - now who or what caused it to empty is another story... what do you think?

Title: Re: Instawallet Security Breach
Post by: molecular on April 01, 2013, 08:31:01 PM
Quote
I find it strange that the two big transactions at http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still unconfirmed. Any reason for this besides someone trying to spend coin that isn't there? maybe the thief was too cheap to pay txn fees :)

hm, blockexplorer doesn't know about the large transactions: http://blockexplorer.com/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy

Title: Re: Instawallet Security Breach
Post by: d5000 on April 01, 2013, 08:34:33 PM
[Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins and euros are safe and will not be affected by the security breach. We have taken the websites off-line for proper investigation.
The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control. We thank you for your patience and will provide updates exclusively on this page as they come in. We are committed to resuming service as soon as possible. Expect normal service to resume within 48 hours. ---- Deep breath ...

Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 08:40:25 PM
They failed to mention instawallet ? Why?
Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 08:40:55 PM
Does that include instawallet?
And is this user reliable?

Title: Re: Instawallet Security Breach
Post by: twolifeinexile on April 01, 2013, 08:41:33 PM
[Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins and euros are safe and will not be affected by the security breach. We have taken the websites off-line for proper investigation. The wording "exclusive control" is also odd to me, sounds like someone steals it (internal employee?) and they discovered and force the guy give back the key? The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control. We thank you for your patience and will provide updates exclusively on this page as they come in. We are committed to resuming service as soon as possible. Expect normal service to resume within 48 hours. ---- Deep breath ...

Title: Re: Instawallet Security Breach
Post by: molecular on April 01, 2013, 08:43:08 PM
I locked my thread https://bitcointalk.org/index.php?topic=164132.msg1717292#msg1717292 (about Bitcoin-Central security breach) and told people to come here.
Injust, can you please change thread title to include "bitcoin central"?

Title: Re: Instawallet Security Breach
Post by: pof on April 01, 2013, 08:44:04 PM
[Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins and euros are safe and will not be affected by the security breach. We have taken the websites off-line for proper investigation. The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control. We thank you for your patience and will provide updates exclusively on this page as they come in. We are committed to resuming service as soon as possible. Expect normal service to resume within 48 hours. ---- Deep breath ... What's the site?

Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 08:44:22 PM
twolifeinexile, nahh it just means that they and only they control it. Could just as well say "it is our address". But exclusive control sounds so much COOLER.

Title: Re: Instawallet Security Breach
Post by: Joost on April 01, 2013, 08:44:51 PM
They sure kept us in a state of panic for a while there! Glad to see it's all working out fine :)
[Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins and euros are safe and will not be affected by the security breach. We have taken the websites off-line for proper investigation. The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control. We thank you for your patience and will provide updates exclusively on this page as they come in. We are committed to resuming service as soon as possible. Expect normal service to resume within 48 hours. ---- Deep breath ... What's the site? It's showing up on https://bitcoin-central.net/ So far it hasn't appeared on Paytunia and Instawallet yet, but as the Instawallet transaction was to the same address I can only assume that those funds are safe as well.

Title: Re: Instawallet Security Breach
Post by: lucb1e on April 01, 2013, 08:47:38 PM
either way the lesson will be "trust no one to hold your coins". Seconded

Title: Re: Instawallet Security Breach
Post by: uhoh on April 01, 2013, 08:49:37 PM
Glad this one has panned out OK (or will do once that transaction actually confirms)
As the value of bitcoin goes up, so does the amount (and the combined skillset) of hackers wanting to relieve people and business of coins. There is only so well prepared these companies can be, as seen by the social-engineering hack on BitInstant.

Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 08:50:12 PM
They sure kept us in a state of panic for a while there! Glad to see it's all working out fine :) [Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins and euros are safe and will not be affected by the security breach. We have taken the websites off-line for proper investigation. The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control. We thank you for your patience and will provide updates exclusively on this page as they come in. We are committed to resuming service as soon as possible. Expect normal service to resume within 48 hours. ---- Deep breath ... What's the site?
It's showing up on https://bitcoin-central.net/ So far it hasn't appeared on Paytunia and Instawallet yet, but as the Instawallet transaction was to the same address I can only assume that those funds are safe as well. I hope so. I really do.

Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 08:50:48 PM
Glad this one has panned out OK (or will do once that transaction actually confirms) Strange that they're still unconfirmed.

Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 08:51:44 PM
Someone on HN pointed out that the transfer happened an hour or two before the site went down. Can anyone confirm this? It looks like the transfer happened about an hour before *this thread* appeared, but did this thread start immediately after the site came down? https://news.ycombinator.com/item?id=5475389 I made the thread after I tried to access my Instawallet and couldn't. I have no idea when it went down.

Title: Re: Instawallet Security Breach
Post by: Nick on April 01, 2013, 08:52:26 PM
They should sign a message with that address to prove it's under their exclusive control.
Title: Re: Instawallet Security Breach
Post by: gbl08ma on April 01, 2013, 08:52:31 PM
Signing a message with 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy would be appropriate... also, a message at a website which may be compromised doesn't guarantee much IMO.
(Nick had the same idea as me it seems...)

Title: Re: Instawallet Security Breach
Post by: Joost on April 01, 2013, 08:54:33 PM
Someone on HN pointed out that the transfer happened an hour or two before the site went down. Can anyone confirm this? It looks like the transfer happened about an hour before *this thread* appeared, but did this thread start immediately after the site came down? https://news.ycombinator.com/item?id=5475389 I made the thread after I tried to access my Instawallet and couldn't. I have no idea when it went down. Bitcoin Central has been failing to process transactions since 5PM CET (which is 6 hours ago at the moment of writing) and went to 'Down for maintenance'-mode 2 hours later. It seems the transaction was indeed done well before it went down, roughly when they stopped processing transactions on BTCentral. Signing a message with 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy would be appropriate... also, a message at a website which may be compromised doesn't guarantee much IMO. I hardly think a hacker would take the time to post such a message after he has looted 4 million worth of USD. I don't really see the added value. Would it serve as a convincer to miners that are currently not adding it to the blocks? I doubt miners would decide based upon a post like that - seeing as the transaction fee is so huge, the reason it hasn't been added to a block can hardly be a collective moral decision of miners.

Title: Re: Instawallet Security Breach
Post by: uhoh on April 01, 2013, 08:57:56 PM
Is it me or have the transactions been waiting 3 hours to be included in a block?
seems VERY odd. Could understand if they had been sent with no fees, but they haven't

Title: Re: Instawallet Security Breach
Post by: MPOE-PR on April 01, 2013, 08:59:21 PM
Signing a message with 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy would be appropriate... also, a message at a website which may be compromised doesn't guarantee much IMO. (Nick had the same idea as me it seems...) Both good points. Also lol at person indignant that they're not paid for the work done googling site:instawallet.com

Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 08:59:56 PM
Signing a message with 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy would be appropriate... also, a message at a website which may be compromised doesn't guarantee much IMO. (Nick had the same idea as me it seems...) Both good points. Also lol at person indignant that they're not paid for the work done googling site:instawallet.com It's instawallet.ORG :P

Title: Re: Instawallet Security Breach
Post by: dooglus on April 01, 2013, 09:00:13 PM
We thank you for your patience and will provide updates exclusively on this page as they come in. What page is that from? The wording "exclusive control" is also odd to me, sounds like someone steals it (internal employee?) and they discovered and force the guy give back the key? Sounds to me like they're just saying "we know this address hasn't been compromised, and we control it, so don't worry".

Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 09:01:07 PM
We thank you for your patience and will provide updates exclusively on this page as they come in. What page is that from? The wording "exclusive control" is also odd to me, sounds like someone steals it (internal employee?) and they discovered and force the guy give back the key? Sounds to me like they're just saying "we know this address hasn't been compromised, and we control it, so don't worry". This is from https://bitcoin-central.net/.
Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 09:02:07 PM
I made two withdrawals from instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.
If this money was sent should I be sure to receive this whatever happens with the rest of instawallet's issues?
Title: Re: Instawallet Security Breach Post by: twolifeinexile on April 01, 2013, 09:06:29 PM We thank you for your patience and will provide updates exclusively on this page as they come in. What page is that from? The wording "exclusive control" is also odd to me, sounds like someone steals it (internal employee?) and they discovered and force the guy give back the key? Sounds to me like they're just saying "we know this address hasn't been compromised, and we control it, so don't worry". Hmmm, your explanation makes more sense of the word "exclusive" :). Guess the implied info is that the two cold storage wallets may be compromised and not in "exclusive" control, out of caution, they moved to a wallet they feel more secure.
Title: Re: Instawallet Security Breach Post by: twolifeinexile on April 01, 2013, 09:11:43 PM either way the lesson will be "trust no one to hold your coins". Seconded. Apparently every new batch of Bitcoiners will need to learn this valuable lesson. If you aren't the sole controller of your private keys, you don't have any bitcoins. Take whatever steps necessary to be the sole controller of your private keys people! yep But instawallet is really convenient and if you need spend, it is such a snap to use. They even have an iphone HTML5 app. Anyway, I put some funds there with the intention to spend, but still got a little panic (not really, but my money there is not immaterial either). I guess I will just take some BTC out there after this fiasco. (It wasn't really significant amount money, but BTC keep rising and now not a change any more!)
Title: Re: Instawallet Security Breach Post by: Injust on April 01, 2013, 09:13:15 PM either way the lesson will be "trust no one to hold your coins". Seconded. Apparently every new batch of Bitcoiners will need to learn this valuable lesson.
If you aren't the sole controller of your private keys, you don't have any bitcoins. Take whatever steps necessary to be the sole controller of your private keys people! yep But instawallet is really convenient and if you need spend, it is such a snap to use. They even have an iphone HTML5 app. Anyway, I put some funds there with the intention to spend, but still got a little panic (not really, but my money there is not immaterial either). I guess I will just take some BTC out there after this fiasco. (It wasn't really significant amount money, but BTC keep rising and now not a change any more!) Essentially, the only way I use Instawallet is I use it to condense all the small transactions that I get from faucets (that's my only source of Bitcoins :P) and when I get BTC0.02, I send BTC0.01 to my other wallet. So I never keep more than BTC0.02 there.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: dooglus on April 01, 2013, 09:19:11 PM Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: SgtSpike on April 01, 2013, 09:23:26 PM Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee? That's kind of a huge "wtf" to me as well. Is Bitcoin broken?? :P
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: jabetizo on April 01, 2013, 09:24:09 PM Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee? +1 for some reason the network propagation for both transactions is below 5%, why are nodes not relaying them?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: piuk on April 01, 2013, 09:24:19 PM Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee? They use unconfirmed inputs. Such as this tx: http://blockchain.info/tx/a3aad3ddc180ec33d3060e5b0b048ab07647271db559743b46f4668f7796c6d4 which is too large for no fees.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: SgtSpike on April 01, 2013, 09:26:33 PM Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee? They use unconfirmed inputs.
Such as this tx: http://blockchain.info/tx/a3aad3ddc180ec33d3060e5b0b048ab07647271db559743b46f4668f7796c6d4 which is too large for no fees. So, question. Can you create an identifier for unconfirmed inputs, such that they would "pop out" at a person looking at this page: http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy Maybe just mark the text in red, or put a little red "unconfirmed" bubble next to any of them that aren't confirmed.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: molecular on April 01, 2013, 09:27:07 PM Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee? +1 for some reason the network propagation for both transactions is below 5%, why are nodes not relaying them? and why does blockchain.info list "blockchain.info" as originating IP for the transactions? EDIT: piuk, you should probably change your avatar. People (at least I) got used to the new logo.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: piuk on April 01, 2013, 09:28:34 PM and why does blockchain.info list "blockchain.info" as originating IP for the transactions? It was submitted using https://blockchain.info/pushtx
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: molecular on April 01, 2013, 09:29:39 PM and why does blockchain.info list "blockchain.info" as originating IP for the transactions?
It was submitted using https://blockchain.info/pushtx makes sense Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: molecular on April 01, 2013, 09:31:47 PM Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee? They use unconfirmed inputs. Such as this tx: http://blockchain.info/tx/a3aad3ddc180ec33d3060e5b0b048ab07647271db559743b46f4668f7796c6d4 which is too large for no fees. There has been talk about optimizing tx prioritization in bitcoind for quite a while. I can now see why it would make sense to have a high-fee tx (such as these 2) "pull in" the no- (or low-) fee inputs. I kinda thought this was the case already. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 01, 2013, 09:32:21 PM The last few posts made no sense to me at all. :)
Does it look good or bad?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: molecular on April 01, 2013, 09:37:43 PM The last few posts made no sense to me at all. :) Does it look good or bad? good. not because of what was talked in the last couple posts. That was just a technical "mystery" explained.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: dooglus on April 01, 2013, 09:41:36 PM So, question. Can you create an identifier for unconfirmed inputs, such that they would "pop out" at a person looking at this page: http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy Maybe just mark the text in red, or put a little red "unconfirmed" bubble next to any of them that aren't confirmed. I'd like this too. When I look at the 'advanced' view of a transaction on blockchain.info I'd like to see unconfirmed inputs marked as such.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: dooglus on April 01, 2013, 09:49:16 PM The last few posts made no sense to me at all. :) Does it look good or bad? Not bad. They've moved lots of coins out of bitcoin-central and instawallet cold storage into a different address. Despite paying a relatively large transaction fee of 0.1 BTC on both transactions, the transactions still aren't confirmed after several hours. It turns out that this is because the coins these transactions are trying to move aren't themselves confirmed yet, and you can't confirm any transaction which moves unconfirmed coins until those coins are confirmed. The transactions which are holding the big transactions up have fees of 0, so miners aren't prioritising them. A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee". But apparently there aren't any smart miners yet. :)
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: lucb1e on April 01, 2013, 09:52:24 PM Thanks for this explanation, dooglus!
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: SgtSpike on April 01, 2013, 09:53:57 PM They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Mike Hearn on April 01, 2013, 09:55:05 PM There is a patch that makes miners calculate fees recursively like that, as everyone agrees it's a good idea. The problem is the code is rather non-trivial and Gavin isn't yet convinced it's a safe change.
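The recursive fee calculation mentioned above, and the "smart miner" dooglus describes, sketched as an added example; this is not bitcoind's code and not the patch under discussion. It compares block selection by each transaction's own fee rate with selection by the fee rate of a transaction together with its unconfirmed parents. Only the 0.1 BTC fees and the zero-fee parents come from the thread; the sizes, the filler transactions and the 20,000-byte block limit are constructed assumptions.

```python
"""Constructed model of a high-fee transaction stuck behind a zero-fee parent."""
from dataclasses import dataclass

COIN = 100_000_000  # satoshis per BTC


@dataclass(frozen=True)
class Tx:
    txid: str
    fee: int             # satoshis
    size: int            # bytes
    parents: tuple = ()  # txids of unconfirmed transactions whose outputs it spends


def constructed_mempool():
    """Made-up sample data: two zero-fee parents, two 0.1 BTC children, 40 fillers."""
    txs = [
        Tx("parent_a", 0, 9_000),
        Tx("child_a", COIN // 10, 400, ("parent_a",)),
        Tx("parent_b", 0, 9_000),
        Tx("child_b", COIN // 10, 400, ("parent_b",)),
    ]
    txs += [Tx(f"filler_{i:02d}", 50_000, 500) for i in range(40)]
    return {t.txid: t for t in txs}


def ready(mempool, tx, included):
    """A transaction may enter the block only after every unconfirmed parent has."""
    return all(p in included or p not in mempool for p in tx.parents)


def select_by_own_fee(mempool, max_bytes):
    """Greedy fill that ranks each transaction by its own fee per byte."""
    included, order, used = set(), [], 0
    while True:
        candidates = [t for t in mempool.values()
                      if t.txid not in included
                      and ready(mempool, t, included)
                      and used + t.size <= max_bytes]
        if not candidates:
            break
        pick = max(candidates, key=lambda t: t.fee / t.size)
        included.add(pick.txid)
        order.append(pick.txid)
        used += pick.size
    return order, sum(mempool[t].fee for t in order)


def package(mempool, txid, included):
    """The transaction plus all of its unconfirmed ancestors not yet in the block."""
    todo, pkg = [txid], set()
    while todo:
        t = todo.pop()
        if t in pkg or t in included or t not in mempool:
            continue
        pkg.add(t)
        todo.extend(mempool[t].parents)
    return pkg


def select_by_package_fee(mempool, max_bytes):
    """Greedy fill that ranks each transaction by the fee per byte of its package."""
    included, order, used = set(), [], 0
    while True:
        best = None
        for txid in mempool:
            if txid in included:
                continue
            pkg = package(mempool, txid, included)
            size = sum(mempool[t].size for t in pkg)
            if used + size > max_bytes:
                continue
            rate = sum(mempool[t].fee for t in pkg) / size
            if best is None or rate > best[0]:
                best = (rate, pkg, size)
        if best is None:
            break
        _, pkg, size = best
        pending = sorted(pkg)
        while pending:  # emit parents before children; the graph is acyclic
            for t in pending:
                if ready(mempool, mempool[t], included):
                    included.add(t)
                    order.append(t)
                    pending.remove(t)
                    break
        used += size
    return order, sum(mempool[t].fee for t in order)


if __name__ == "__main__":
    pool = constructed_mempool()
    for name, fn in (("own fee", select_by_own_fee), ("package fee", select_by_package_fee)):
        chosen, total = fn(pool, 20_000)
        print(f"{name}: {len(chosen)} txs, {total / COIN:.4f} BTC in fees")
```

With the block space contested by fee-paying fillers, the first strategy never reaches the zero-fee parents, so the 0.1 BTC children stay unconfirmed; the second includes each parent immediately before its child.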
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 01, 2013, 09:56:57 PM They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe. They didn't mention instawallet though. :( Also, some people have suggested that if you had hacked the website you could put a web page saying all was good relatively easily. It would be nice to hear from Davout. I believe he is instawallet staff
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Injust on April 01, 2013, 10:06:29 PM They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe. They didn't mention instawallet though. :( Also, some people have suggested that if you had hacked the website you could put a web page saying all was good relatively easily. It would be nice to hear from Davout. I believe he is instawallet staff Yup, he is.
Title: Re: Instawallet Security Breach Post by: Nicolai on April 01, 2013, 10:10:38 PM I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything... Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit. Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.
Title: Re: Instawallet Security Breach Post by: steelboy on April 01, 2013, 10:11:23 PM I made two withdrawals from instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support. If this money was sent should I be sure to receive this whatever happens with the rest of instawallet's issues?
So in regards to this, without being too technical. Why would a transaction take two days to confirm? Is it something to do with instawallet being free?
Title: Re: Instawallet Security Breach Post by: BitDreams on April 01, 2013, 10:16:08 PM I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything... Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit. Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability. If those google https:\\ links pointed back to the instawallet web site it most certainly is a security flaw which could indeed lead to exploits in my opinion.
Title: Re: Instawallet Security Breach Post by: Injust on April 01, 2013, 10:19:49 PM I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything... Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit. Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability. If you don't think that somebody just Googling up your Instawallet URLs along with your BTC in them, then you need to stop hiding your head in a hole.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: jabetizo on April 01, 2013, 10:24:51 PM A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee". But apparently there aren't any smart miners yet. :) i think the problem is also that the miners are not even aware of the transactions, since nodes don't relay them because of unconfirmed inputs. the client would need to be updated as well to enable "smart relaying".
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: MPOE-PR on April 01, 2013, 10:26:52 PM A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee". But apparently there aren't any smart miners yet. Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: jabetizo on April 01, 2013, 10:31:58 PM A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee". But apparently there aren't any smart miners yet. Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive. he can include them in the same block
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 01, 2013, 10:39:31 PM yea i got 30 coin in instawallet :(
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: foo on April 01, 2013, 10:51:56 PM The last few posts made no sense to me at all. :) Does it look good or bad? Not bad. They've moved lots of coins out of bitcoin-central and instawallet cold storage into a different address. Despite paying a relatively large transaction fee of 0.1 BTC on both transactions, the transactions still aren't confirmed after several hours. It turns out that this is because the coins these transactions are trying to move aren't themselves confirmed yet, and you can't confirm any transaction which moves unconfirmed coins until those coins are confirmed. The transactions which are holding the big transactions up have fees of 0, so miners aren't prioritising them. A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee". But apparently there aren't any smart miners yet. :) Confirmed! Eligius picked up the $20.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Injust on April 01, 2013, 10:53:17 PM The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes. EDIT: Both now have 2 confirmations.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 01, 2013, 10:55:11 PM The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each. First one took 299 minutes to confirm, second one took 296 minutes. EDIT: Both now have 2 confirmations. Good or bad?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 01, 2013, 10:56:42 PM The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each. First one took 299 minutes to confirm, second one took 296 minutes. EDIT: Both now have 2 confirmations. Good or bad? If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy belongs to Instawallet/Bitcoin-Central then good. Do you believe it?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Injust on April 01, 2013, 10:59:32 PM The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each. First one took 299 minutes to confirm, second one took 296 minutes. EDIT: Both now have 2 confirmations. Good or bad? If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy belongs to Instawallet/Bitcoin-Central then good. Do you believe it? Impossible to know for sure, but I believe it's legit, albeit with a bit of doubt.
Title: Re: Instawallet Security Breach Post by: Nicolai on April 02, 2013, 12:05:11 AM BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), find a random user with a @hotmail email and try to login to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault?
This is what you're saying right now ::)
I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this, is not - and will never - be a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
Title: Re: Instawallet Security Breach Post by: Injust on April 02, 2013, 12:16:38 AM BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), find a random user with a @hotmail email and try to login to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault? This is what you're saying right now ::) I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this, is not - and will never - be a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." I have a chainsaw. Your argument is valid. But anyway, your analogy is VERY bad. VERY. It's Instawallet's flaw because they allowed Google bots to index their wallet URLs. Nobody pasted a database dump of Instawallet URLs anywhere.
Title: Re: Instawallet Security Breach Post by: the founder on April 02, 2013, 12:21:58 AM BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), find a random user with a @hotmail email and try to login to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault? This is what you're saying right now ::) I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this, is not - and will never - be a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." I have no idea how to say this. Last week, if you googled site:instawallet.org You would be greeted with at least 3000 wallets, many of them with bitcoins which you can click on that link and transfer those coins out. If you googled site:hotmail.com I would not be greeted with your inbox and read all your e-mails. This is not anywhere near the same issue, what they had was a SECURITY FLAW. partially it was Google's fault, they (google) lie to people saying that a robots.txt ban means google doesn't index your site. In reality it means they would not SPIDER the urls, it doesn't mean they won't list them. Big difference, the hedge against that instawallet failed to address, hence why it became a security flaw. but let's put all this aside, want to know the difference between a "flaw" and a "security flaw" Nicolai, would you put all your bitcoins on Instawallet?
Your answer should let you know the difference between a flaw and a security flaw. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: the founder on April 02, 2013, 12:34:32 AM If you put password in URL on your website, it is not Googles fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security. Do not blame Google it is not their fault. Vladimir, I do blame Google to an extent, it appears that many people here believe (and understandably) that Google won't index anything banned in the robots.txt file. This is not the case. They can and DO index anything they believe exists, even if they technically can't spider it. But hey.. if Chrome Browser can hit that url, or someone sent that link via GMAIL, or someone sent it give Google Talk or texted it via Google Voice.. etc etc...... it must be real ... so even without spidering it they know it exists. Out of all the companies on earth, that one scares me the most... I've been working with search engines since 1994, and Google since 1999 ... trust me.. this company scares me. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Nicolai on April 02, 2013, 12:42:34 AM Vladimir: +1.
And while the way Instawallet work is not security-by-design, then doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the url's. Injust: Just to make sure; you do know that google didn't "magically" find these urls, right? And Instawallet didn't leak them. (Also, 2+2 is not equal 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? :o Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Injust on April 02, 2013, 12:51:39 AM Vladimir: +1. And while the way Instawallet work is not security-by-design, then doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the url's. Injust: Just to make sure; you do know that google didn't "magically" find these urls, right? And Instawallet didn't leak them. (Also, 2+2 is not equal 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? :o Um...Instawallet essentially leaked them. Not actively, but passively. Because they failed to secure the site so that robots couldn't crawl and discover the URLs. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: TiagoTiago on April 02, 2013, 12:56:14 AM Vladimir: +1. And while the way Instawallet work is not security-by-design, then doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the url's. Injust: Just to make sure; you do know that google didn't "magically" find these urls, right? And Instawallet didn't leak them. (Also, 2+2 is not equal 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? :o Um...Instawallet essentially leaked them. Not actively, but passively. Because they failed to secure the site so that robots couldn't crawl and discover the URLs. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: herzmeister on April 02, 2013, 01:08:44 AM I've always felt this instawallet model is a bad idea, since the beginning... it just felt much too "instant" for me.
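The difference argued over earlier in this thread between a robots.txt ban ("would not SPIDER the urls") and keeping a URL out of search listings, as an added example; it is not anything Instawallet or Google ran. It models the documented crawler behaviour that a page blocked by robots.txt is never fetched, so a noindex directive served on it is never seen and the bare URL can still be listed if it is discovered elsewhere. The host, path, token and page bodies are constructed.

```python
"""Audit whether a secret-bearing URL can still end up listed by a search engine."""
import re
from html.parser import HTMLParser
from urllib import robotparser

SAMPLE_URL = "https://wallet.example/w/CONSTRUCTED-TOKEN-0000"  # constructed
COLON_DIRECTIVES = {"unavailable_after", "max-snippet",
                    "max-image-preview", "max-video-preview"}


def noindex_in(value, agent):
    """True if a robots directive string tells `agent` not to index the page."""
    value = value.strip().lower()
    scoped = re.match(r"([a-z0-9_-]+)\s*:\s*(.*)", value)
    if scoped and scoped.group(1) not in COLON_DIRECTIVES:
        # "googlebot: noindex" style, a rule addressed to one crawler only.
        if scoped.group(1) != agent.lower():
            return False
        value = scoped.group(2)
    return bool(set(re.split(r"[,\s]+", value)) & {"noindex", "none"})


class MetaRobots(HTMLParser):
    """Collects <meta name="robots"> (or the crawler's own name) directives."""

    def __init__(self, agent):
        super().__init__()
        self.agent = agent.lower()
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() in ("robots", self.agent):
            self.noindex |= noindex_in(a.get("content") or "", self.agent)


def audit_listing(url, robots_txt, headers, html, agent="Googlebot"):
    """Return whether `url` can be listed, given what the site serves for it."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawl_blocked = not rp.can_fetch(agent, url)

    hdrs = {k.lower(): v for k, v in headers.items()}
    meta = MetaRobots(agent)
    meta.feed(html)
    noindex_served = noindex_in(hdrs.get("x-robots-tag", ""), agent) or meta.noindex

    if crawl_blocked:
        listable = True
        why = "crawl blocked: page is never fetched, so any noindex is invisible"
    elif noindex_served:
        listable = False
        why = "crawl allowed and noindex served: crawler is told not to list it"
    else:
        listable = True
        why = "crawl allowed and no noindex: page is indexable"
    return {"crawl_blocked": crawl_blocked, "noindex_served": noindex_served,
            "listable": listable, "why": why}


def constructed_cases():
    """Five site configurations for the same constructed wallet URL."""
    ban = "User-agent: *\nDisallow: /w/\n"
    page = "<html><head><title>wallet</title></head><body>balance</body></html>"
    tagged = page.replace("<head>", '<head><meta name="robots" content="noindex">')
    return {
        "robots_txt_only": audit_listing(SAMPLE_URL, ban, {}, page),
        "robots_txt_plus_noindex": audit_listing(
            SAMPLE_URL, ban, {"X-Robots-Tag": "noindex"}, page),
        "noindex_header": audit_listing(
            SAMPLE_URL, "", {"X-Robots-Tag": "noindex, nofollow"}, page),
        "noindex_meta": audit_listing(SAMPLE_URL, "", {}, tagged),
        "nothing": audit_listing(SAMPLE_URL, "", {}, page),
    }


if __name__ == "__main__":
    for name, result in constructed_cases().items():
        print(f"{name:26s} listable={result['listable']!s:5s} {result['why']}")
```

Neither setting changes the underlying design issue raised in the thread: a URL that acts as the only credential is exposed to every channel that handles the URL.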
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: SgtSpike on April 02, 2013, 02:16:32 AM If you put password in URL on your website, it is not Googles fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security. Do not blame Google it is not their fault. I find it hard to believe that 3000+ instawallets were posted on the web. Maybe a dozen, maybe even 10 dozen, but 3,000?
1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URL's on the web somewhere, despite the huge red warning against doing so?
I just don't see 3,000 as coming solely from URLs that people have posted online. As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services. If the URL might exist, Google crawls it to find out.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: TiagoTiago on April 02, 2013, 02:19:30 AM If you put password in URL on your website, it is not Googles fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security. Do not blame Google it is not their fault. I find it hard to believe that 3000+ instawallets were posted on the web. Maybe a dozen, maybe even 10 dozen, but 3,000? 1) How many people created instawallets? 2) Out of those, how many actually used those instawallets? 3) Out of those, how many still hold balances in instawallets? 4) Out of those, how many decided it was a good idea to post their instawallet URL's on the web somewhere, despite the huge red warning against doing so? I just don't see 3,000 as coming solely from URLs that people have posted online.
As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services. If the URL might exist, Google crawls it to find out.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: dree12 on April 02, 2013, 03:05:02 AM If you put password in URL on your website, it is not Googles fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security. Do not blame Google it is not their fault. I find it hard to believe that 3000+ instawallets were posted on the web. Maybe a dozen, maybe even 10 dozen, but 3,000? 1) How many people created instawallets? 2) Out of those, how many actually used those instawallets? 3) Out of those, how many still hold balances in instawallets? 4) Out of those, how many decided it was a good idea to post their instawallet URL's on the web somewhere, despite the huge red warning against doing so? I just don't see 3,000 as coming solely from URLs that people have posted online. As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services. If the URL might exist, Google crawls it to find out. Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google. From lifehacker: Quote If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: the founder on April 02, 2013, 03:13:48 AM My day job, I'm president of Yooter InterActive.
I've been working with search engines for a long time.. Let me tell you some tidbits of what I have discovered over the years regarding Google.
1 - Their mission is to obtain information, and resell that in the form of advertising. Period.
2 - They used to collect it back the very late 1990's and early 2000's virtually all through spidering.
3 - Then out of nowhere they started spending money on stuff like gmail, google maps, google chrome, android, google voice, google chat, google x, y ,z etc...
4 - these products exist for the sole purpose of collecting information.. that spider collects only a fraction of their info now. every search you make is recorded, every url you visit is recorded if you use their product, every time you use google maps and your start location is residential and that happens more than 2 or 3 times they now know where you live.
5 - you send a link to your friend from gmail or to a gmail address, they now know that link exists, if your friend clicks on that link.. now google knows that url exists.. even if that site is banned in the robots.txt file
This goes on forever... in one huge massive ungodly database of tens of thousands of machines linked together that makes the complete hashing power of the bitcoin network look like a peanut. That's google... If they wanted to find the urls of instawallet.. nothing on earth could stop them. That being stated, the fact that instawallet didn't ban Google from listing all urls in Webmaster tools (instead relying on just a robots.txt file) is their (instawallets) fault. For the record, if 3000 people over the course of 2 years e-mail themselves (not anyone, but themselves) to their gmail account their instawallet address for safe keeping... google knows and most likely will list the results. These people most likely leaked the info ... TO THEMSELVES!!! hence the problem!
The more I research, the more I believe that some of these instawallet urls (not all but a big number of them) were due to people mailing themselves their OWN URL using Gmail. I wish I could get a million people to read this exact post... because I don't think people fully comprehend what they are dealing with when they mention the company google. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: coinuser4000 on April 02, 2013, 03:20:15 AM I've been saying this for years, Google is the Devil. Google wants to know everything about everybody, so they can sell you stuff. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: tvbcof on April 02, 2013, 03:40:53 AM ... This goes on forever... in one huge massive ungodly database of tens of thousands of machines linked together that makes the complete hashing power of the bitcoin network look like a peanut. ... Most Bitcoiners are begging and screaming for Bitcoin to scale to a magnitude where only organizations with a very large network footprint and sophisticated processing clusters will be able to run the system reliably and competitively. Whether they realize that is the likely end result of their cries or not... The upside is that the business (and other) intelligence value of carrying so much of the capacity of an economic system will likely make it such that transaction fees are unnecessary. Just like a lot of other niceties that just seem to fall into our laps from the sky gods. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: iCEBREAKER on April 02, 2013, 03:53:44 AM Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google. 
From lifehacker: Quote If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you. Who are these stupid sheeple dumbfucks using Chrome? "Zomg its shiny and new, I better use Chrome to check my Gmail so I have zero privacy and my identity may be stolen by anyone who wants it. Hurr Durr!!" The FEMA camps are too good for them... Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Severian on April 02, 2013, 04:54:11 AM Google: Your business is our business.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: The-Real-Link on April 02, 2013, 05:24:08 AM I'm surprised that Instawallet wouldn't do any number of adjustments to their code to prevent something that's risk-prone like that from happening.
For example, I do photography with Smugmug. They randomize every single photo's ending URL at 9 different sizes. Your gallery name may go into the URL but you (should) have a password for anyone accessing it, and your starting photo URL is still pretty random (not just photo1). To think they'd let someone's own password be spelled out right in the URL is pretty shocking if I understand it correctly. Oh and yeah, not a fan of Chrome. I'll use it for Bitconity updates since currently my IE is broken with it and for coding. Otherwise, nope. But go figure, my brothers love Gmail though. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: caveden on April 02, 2013, 06:23:00 AM Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google. From lifehacker: Quote If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you. Does the same apply to Chromium? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: dooglus on April 02, 2013, 06:31:31 AM Does the same apply to Chromium? It depends on whether you've enabled 'instant' or not. I think it's off by default, but it's worth checking: https://i.imgur.com/RdN1hQz.png Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: jcdf on April 02, 2013, 06:40:07 AM I don't think most people realize when you enter a url for an https address such as instawallet, the part of the url after instawallet.org is sent as an encrypted string
https://www.instawallet.org/"encrypted string" The actual password or whatever in the url is not sent as plain text and is not readable by all the hops in between. Now if chrome is treating everything entered in the search/url bar as a search, even a full https url, and sending it to google, that is a serious problem. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: caveden on April 02, 2013, 08:07:43 AM Does the same apply to Chromium? It depends on whether you've enabled 'instant' or not. I think it's off by default, but it's worth checking: Thanks dooglus. Mine was off. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 02, 2013, 09:08:44 AM So do we think it is only affecting chrome users or is this just speculation?
Aside from that there is no news is there? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: DublinBrian on April 02, 2013, 10:24:12 AM For the record, if 3000 people over the course of 2 years e-mail themselves (not anyone, but themselves) to their gmail account their instawallet address for safe keeping... google knows and most likely will list the results. Thanks for the warning Founder. My own experience shows that this security hole does not always lead to bitcoin losses. These people most likely leaked the info ... TO THEMSELVES!!! hence the problem! The more I research, the more I believe that some of these instawallet urls (not all but a big number of them) were due to people mailing themselves their OWN URL using Gmail. I set up an Instawallet for a friend, and put 3 BTC in it. There is no password on the wallet, knowledge of the URL is sufficient for access. I then emailed the wallet URL from my email account to my friend's Gmail account. My friend has suffered no losses or problems. The wallet was still working fine up to a couple of days ago. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: MPOE-PR on April 02, 2013, 10:52:47 AM he can include them in the same block Ah right you are, it didn't occur to me. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Atruk on April 02, 2013, 11:35:02 AM So do we think it is only affecting chrome users or is this just speculation? Aside from that there is no news is there? Speculation, but justified. Chrome is the ultimate spyware Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: greyhawk on April 02, 2013, 11:48:49 AM Chrome is the ultimate spyware And I love it for that. I can google for a new movie on my desktop, then completely forget about it and weeks later my phone will automagically remind me that "hey that movie you googled a while ago is now running in that theater near you". Without me doing anything. 
Or I look up a restaurant at lunchtime and later at dinnertime i'm in the area and my phone goes "dude that steak restaurant you looked up is like 20 minutes away thought you should know duder". Without me doing anything. Or when it's like half an hour before I usually leave work to go home and my phone going "Yeah, here's the thing. You know how you drive at x pm and take that route usually? That's gonna bite you in the ass today. I mean, just look at that traffic jam. Look at this shit. You'd better drive this way. Just saying". Without me doing anything. It's perfect and exactly what my phone should do. The lesson here is not: Google is evil. The lesson is: Security through Obscurity does never ever work. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Rampion on April 02, 2013, 01:34:43 PM FACTS:
1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments 2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: d5000 on April 02, 2013, 01:56:23 PM Bitcoin-Central about a minute ago again showed me the normal light-blue design, but with an "Internal Server Error". Now they have restored the "Maintenance" message.
Seems they will be up again soon. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 02, 2013, 02:01:08 PM The waiting is killing me
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: DublinBrian on April 02, 2013, 02:37:30 PM sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption. I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin. Title: Re: Instawallet Security Breach Post by: steelboy on April 02, 2013, 02:38:56 PM I made two withdrawals from Instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support. If this money was sent should I be sure to receive this whatever happens with the rest of instawallets issues? So in regards to this, without being too technical. Why would a transaction take two days to confirm? Is it something to do with instawallet being free? Can anyone help with this? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Rampion on April 02, 2013, 02:39:32 PM sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. 
In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption. I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin. Yeah, in this era of short attention spans Instawallet is perfect to have newbie's coins stolen. Tell your friends to use blockchain.info's My Wallet for their first pennies, is quite as immediate as Instawallet and much more secure. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: ingrownpocket on April 02, 2013, 02:40:49 PM If you put password in URL on your website, it is not Googles fault. It would be your and your only your complete and grossly negligible disregard of most trivial best practices in information security. I find it hard to believe that 3000+ instawallets were posted on the web. Maybe a dozen, maybe even 10 dozen, but 3,000? Do not blame Google it is not their fault. 1) How many people created instawallets? 2) Out of those, how many actually used those instawallets? 3) Out of those, how many still hold balances in instawallets? 4) Out of those, how many decided it was a good idea to post their instawallet URL's on the web somewhere, despite the huge red warning against doing so? I just don't see 3,000 as coming solely from URLs that people have posted online. As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services. If the URL might exist, Google crawls it to find out. About 29,400 results were found. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: MPOE-PR on April 02, 2013, 02:55:10 PM FACTS: 1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments 2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS 3. Spelling is a lost art. 
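The thread's points about wallet URLs that work as passwords, robots.txt and search listing, as an added example that is not part of any post and is not Instawallet's code: a Python check of how such a page presents itself to crawlers and to third parties. The robots.txt bodies, the headers and the `/w/` token are constructed, and the check looks at the `noindex` response header rather than the Webmaster Tools removal mentioned in the thread.

```python
"""Audit how a secret-bearing URL path is exposed to search listing and leaks."""
from urllib.robotparser import RobotFileParser

# Referrer-Policy values that still send the full path to other HTTPS sites.
# Older browsers behave like "no-referrer-when-downgrade" when no policy is set.
PATH_LEAKING_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

MESSAGES = {
    "INDEXABLE": "crawlable and no noindex: the page itself can be indexed",
    "ROBOTS_ONLY": "robots.txt stops crawling only; a URL learned from a link "
                   "elsewhere can still be listed",
    "NOINDEX_UNSEEN": "noindex is set, but robots.txt keeps the crawler from "
                      "ever fetching the page and seeing it",
    "REFERER_LEAK": "outbound requests may carry the secret path in Referer",
    "CACHEABLE": "no Cache-Control: no-store; shared caches may keep the page",
}

# Constructed sample inputs (not taken from any real site).
WALLET_PATH = "/w/EXAMPLE-TOKEN-NOT-REAL"
ROBOTS_DISALLOW = "User-agent: *\nDisallow: /w/\n"
ROBOTS_OPEN = "User-agent: *\nDisallow:\n"
HARDENED_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}


def crawl_allowed(robots_txt, path, agent="Googlebot"):
    """True if robots.txt lets this crawler fetch the path."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, path)


def tokens(headers, name):
    """Lower-cased comma-separated tokens of one header (name is case-insensitive).

    The agent-prefixed form "googlebot: noindex" is not handled here.
    """
    for key, value in headers.items():
        if key.lower() == name.lower():
            return [t.strip().lower() for t in value.split(",") if t.strip()]
    return []


def audit_secret_url(robots_txt, path, headers):
    """Return finding codes (keys of MESSAGES) for one secret-bearing page."""
    findings = []
    crawlable = crawl_allowed(robots_txt, path)
    robots_tag = tokens(headers, "X-Robots-Tag")
    noindex = "noindex" in robots_tag or "none" in robots_tag
    if not noindex:
        findings.append("INDEXABLE" if crawlable else "ROBOTS_ONLY")
    elif not crawlable:
        findings.append("NOINDEX_UNSEEN")
    policy = tokens(headers, "Referrer-Policy")
    # With several policies listed, the last one is the one applied here.
    if not policy or policy[-1] in PATH_LEAKING_POLICIES:
        findings.append("REFERER_LEAK")
    if "no-store" not in tokens(headers, "Cache-Control"):
        findings.append("CACHEABLE")
    return findings


if __name__ == "__main__":
    cases = {
        "robots.txt only": (ROBOTS_DISALLOW, {}),
        "noindex behind robots.txt": (ROBOTS_DISALLOW, HARDENED_HEADERS),
        "hardened": (ROBOTS_OPEN, HARDENED_HEADERS),
    }
    for label, (robots, headers) in cases.items():
        codes = audit_secret_url(robots, WALLET_PATH, headers)
        print(label + ":", "clean" if not codes else "")
        for code in codes:
            print("  ", code, "-", MESSAGES[code])
```

None of these headers changes the fact that the URL alone grants access; they only limit how the page is listed, cached and leaked through referrers.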
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Rampion on April 02, 2013, 03:16:27 PM FACTS: 1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments 2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS 3. Spelling is a lost art. 4. I would like to see your spelling skills in Turkish. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: DobZombie on April 02, 2013, 03:46:37 PM /flameon
I love google, I haven't been lost ANYWHERE in like 4 years! I WANT my browser to know what I'm thinking, and web searches to sell me shit that interests me! I LOVE the fact if I don't know something, I can just GOOGLE it! /flameoff Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: gbl08ma on April 02, 2013, 04:01:57 PM https://www.google.com/search?q="instawallet.org%2Fw%2F" (https://www.google.com/search?q="instawallet.org%2Fw%2F") About 29,400 results were found. First rule, don't trust that number Google gives you. It is always way off all the results one can get (some guy did a research on that, turns out you only have access to the first 1000 results or so). And second, you don't know how many of these results are the same wallet URL appearing on multiple pages. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Arthur Randolph on April 02, 2013, 04:09:13 PM What about we try and stay on topic?
Has anyone been able to contact the people at Paymium, the company behind instawallet and bitcoin-central? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Grinder on April 02, 2013, 04:10:50 PM https://www.google.com/search?q="instawallet.org%2Fw%2F" (https://www.google.com/search?q="instawallet.org%2Fw%2F") None of them are actually on instawallet, though. https://www.google.com/search?q=%22instawallet.org/w/%22+site:instawallet.org About 29,400 results were found. I realise that this may be because they have now removed direct links from Google, but the number is meaningless. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Raoul Duke on April 02, 2013, 04:20:06 PM https://www.google.com/search?q="instawallet.org%2Fw%2F" (https://www.google.com/search?q="instawallet.org%2Fw%2F") About 29,400 results were found. At least do it properly: https://www.google.com/search?q=inurl%3A%2Fw%2F+site%3Ainstawallet.org ;) Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: ingrownpocket on April 02, 2013, 04:35:08 PM https://www.google.com/search?q="instawallet.org%2Fw%2F" (https://www.google.com/search?q="instawallet.org%2Fw%2F") About 29,400 results were found. At least do it properly: https://www.google.com/search?q=inurl%3A%2Fw%2F+site%3Ainstawallet.org ;) Trying to show him where Google got those addresses. ;) Title: Re: Instawallet Security Breach Post by: Jan on April 02, 2013, 04:56:17 PM either way the lesson will be "trust no one to hold your coins". Seconded. Apparently every new batch of Bitcoiners will need to learn this valuable lesson. If you aren't the sole controller of your private keys, you don't have any bitcoins. Take whatever steps necessary to be the sole controller of your private keys people! Title: Re: Instawallet Security Breach Post by: steelboy on April 02, 2013, 04:59:38 PM either way the lesson will be "trust no one to hold your coins". 
Seconded. Apparently every new batch of Bitcoiners will need to learn this valuable lesson. If you aren't the sole controller of your private keys, you don't have any bitcoins. Take whatever steps necessary to be the sole controller of your private keys people! bitcoin-central.net (http://bitcoin-central.net) has updated its message Still no mention of instawallet ??? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: pbtc on April 02, 2013, 05:41:07 PM Since nobody commented on other thread, https://bitcointalk.org/index.php?topic=164638.0, thought it might be useful to mention that Easywallet has same problem with google. About 1000 wallets visible from web. Balance seems to be zero on all. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: lucb1e on April 02, 2013, 05:42:51 PM Still no mention of instawallet ??? For some reason this feels intentional to me, I'm glad I wasn't on that service (only bitcoin-central). Still though, instawallet's cold storage got transferred out with 82 confirmations last time I checked (hours ago), it should mostly be fine I guess. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Atruk on April 02, 2013, 05:48:10 PM Chrome is the ultimate spyware And I love it for that. I can google for a new movie on my desktop, then completely forget about it and weeks later my phone will automagically remind me that "hey that movie you googled a while ago is now running in that theater near you". Without me doing anything. Or I look up a restaurant at lunchtime and later at dinnertime i'm in the area and my phone goes "dude that steak restaurant you looked up is like 20 minutes away thought you should know duder". Without me doing anything. Or when it's like half an hour before I usually leave work to go home and my phone going "Yeah, here's the thing. You know how you drive at x pm and take that route usually? That's gonna bite you in the ass today. I mean, just look at that traffic jam. Look at this shit. 
You'd better drive this way. Just saying". Without me doing anything. It's perfect and exactly what my phone should do. The lesson here is not: Google is evil. The lesson is: Security through Obscurity does never ever work. So true. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: splat44 on April 02, 2013, 06:45:37 PM Let's hope problems can be fixed in due time!
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: kakashi234 on April 02, 2013, 07:45:09 PM What do you think will happen with our purchase orders / sales going?
Personally, I have sales orders that I wanted to cancel because the btc was strong up, now if the website re-opens, my orders will be sent immediately without anulation possible ... I hope they will think about it and cancel all those sales orders scheduled. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Injust on April 02, 2013, 07:47:12 PM I hope that payments that our Instawallet addresses receive during the lack-of-service period will be credited :P
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 02, 2013, 08:01:48 PM I hope that payments that our Instawallet addresses receive during the lack-of-service period will be credited :P I just want whatever was in the wallets. ;) Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 02, 2013, 08:10:14 PM Still no mention of instawallet ??? For some reason this feels intentional to me, I'm glad I wasn't on that service (only bitcoin-central). Still though, instawallet's cold storage got transferred out with 82 confirmations last time I checked (hours ago), it should mostly be fine I guess. I feel it is definitely intentional to not mention instawallet, the webpage is still the same too whereas the bitcoin-central/paytunia page has been updated. :( However, if 42,000ish BTC was moved from their cold storage and is now "under their exclusive control" then surely they must not have lost everything. Maybe it is like some people have said, a problem with google that left some wallets searchable? One thing that is really pecking my head though is the fact that there has been no update and Davout has disappeared too. This seems a bit suss. Finally, can anyone with some technical knowhow please set me straight on the problem below. Surely if the money was sent from one address to another 48 hours before this debacle then it has to be safe? If so, why hasn't it shown up in my wallet? I made two withdrawals from Instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support. If this money was sent should I be sure to receive this whatever happens with the rest of instawallets issues? 
So in regards to this, without being too technical. Why would a transaction take two days to confirm? Is it something to do with instawallet being free? Can anyone help with this? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: TiagoTiago on April 02, 2013, 08:50:33 PM So do we think it is only affecting chrome users or is this just speculation? You would be surprised how many people got Google as their home page and type URLs in the page's search box instead of the browser's URL bar... Aside from that there is no news is there? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: MPOE-PR on April 02, 2013, 09:23:58 PM FACTS: 1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments 2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS 3. Spelling is a lost art. 4. I would like to see your spelling skills in Turkish. Merhaba rahatsız etmemek için lütfen gel! Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: BubbleBoy on April 02, 2013, 10:03:51 PM Could it be that Instawallet went full "Tom Williams" on the user's accounts ? Or maybe something like this: trade the coins on mtgox, wait for the bubble to pop, buy coins back, profit.
Title: Re: Instawallet Security Breach Post by: molecular on April 02, 2013, 11:04:38 PM In short "Keep your private keys private". Rule number ONE in Bitcoin land. You're storing BitcoinSpinner users private keys in plaintext on their phones. How is this helping them to keep their private keys private? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: dooglus on April 03, 2013, 01:54:41 AM Thanks dooglus. Mine was off. Yes, I think chromium has all its "spying for google" features disabled by default. Title: Re: Instawallet Security Breach Post by: splat44 on April 03, 2013, 02:29:25 AM If bitcoin-central.net has an update, I'm sure instawallet will come down the line! Usually this one is very safe!
either way the lesson will be "trust no one to hold your coins". Seconded. Apparently every new batch of Bitcoiners will need to learn this valuable lesson. If you aren't the sole controller of your private keys, you don't have any bitcoins. Take whatever steps necessary to be the sole controller of your private keys people! bitcoin-central.net (http://bitcoin-central.net) has updated its message Still no mention of instawallet ??? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 03, 2013, 07:29:41 AM So do we think it is only affecting chrome users or is this just speculation? You would be surprised how many people got Google as their home page and type URLs in the page's search box instead of the browser's URL bar... Aside from that there is no news is there? When you're using Chrome as your browser, (on the default settings) there is no difference between the two. None. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: MysteryMiner on April 03, 2013, 01:05:50 PM For first Instawallet URL hack I think the Google Chrome is to blame. I never used Chrome outside VMWare test environment and I recommend anyone not to install Google Chrome on any computer for this privacy reason. If there is any technical need when Chrome is preferred over Firefox, then use SRWare Iron that have all bad things deleted. The use of URL as a private key is not a big security problem because SSL also encrypts the URL and prevents anyone from seeing it, including Tor exit nodes, FBI, etc. As long as the browser history are safe and not compromised, the URL is safe.
I have no idea about second hack. If it is true that the servers are suspected to be compromised, then it might take some time to install new operating system on new hardware, test and secure the setup before it is launched public again. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 03, 2013, 01:20:15 PM For first Instawallet URL hack I think the Google Chrome is to blame. I never used Chrome outside VMWare test environment and I recommend anyone not to install Google Chrome on any computer for this privacy reason. If there is any technical need when Chrome is preferred over Firefox, then use SRWare Iron that have all bad things deleted. The use of URL as a private key is not a big security problem because SSL also encrypts the URL and prevents anyone from seeing it, including Tor exit nodes, FBI, etc. As long as the browser history are safe and not compromised, the URL is safe. I have no idea about second hack. If it is true that the servers are suspected to be compromised, then it might take some time to install new operating system on new hardware, test and secure the setup before it is launched public again. So you think if I have used only Firefox in safe mode then it should be all good? Title: Re: Instawallet Security Breach Post by: MPOE-PR on April 03, 2013, 01:20:38 PM In short "Keep your private keys private". Rule number ONE in Bitcoin land. You're storing BitcoinSpinner users private keys in plaintext on their phones. How is this helping them to keep their private keys private? Ouch. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Kotcha on April 03, 2013, 01:27:08 PM What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 03, 2013, 01:30:13 PM What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication No idea. I switch from positive to negative feelings nonstop. Driving me crazy. :/ One thing for sure though. If it turns out all right I am taking some profits and flying to a beach for a holiday. (Not before I finally get armory working though ;) ) Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 03, 2013, 01:31:40 PM What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication The lack of communication is definitely disturbing.. I can only assume they haven't got any time for communicating as they've got the entire team working round the clock on this thing, but a little memo every few hours would have been great. Their predicted 48 hours are nearly running out.. I had hoped to see them back online by now. :-[ Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Kotcha on April 03, 2013, 01:42:09 PM I feel your pain steelboy. Kicking myself for not keeping them somewhere more secure, definitely a lesson learnt but hopefully not the hard way!
Yeah the communication has been appalling, and has probably tarnished the company a great deal - it looks like some people have lost A LOT of money, they deserve some sort of explanation. The fact that funds have been moved to this 'Instawallet Cold Storage' address is quite reassuring, unless it's an inside job and they are just stalling ??? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: twolifeinexile on April 03, 2013, 01:42:12 PM What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication The lack of communication is definitely disturbing.. I can only assume they haven't got any time for communicating as they've got the entire team working round the clock on this thing, but a little memo every few hours would have been great. Their predicted 48 hours are nearly running out.. I had hoped to see them back online by now. :-[ Anyone have a private communication channel to them? Could anyone try to get some info on this, customers/users deserve to know the current status of the affair. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 03, 2013, 01:50:27 PM That's odd. The font used on https://bitcoin-central.net/ and https://paytunia.com/ are different. You'd think they'd just point to the same HTML file.. :P
Oddly enough, Instawallet still displays the old downtime message. I can only hope this is an indication of priorities ;) Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 03, 2013, 01:55:30 PM I feel your pain steelboy. Kicking myself for not keeping them somewhere more secure, definitely a lesson learnt but hopefully not the hard way! Yeah the communication has been appalling, and has probably tarnished the company a great deal - it looks like some people have lost A LOT of money, they deserve some sort of explanation. The fact that funds have been moved to this 'Instawallet Cold Storage' address is quite reassuring, unless it's an inside job and they are just stalling ??? Cheers mate. Hope you're not in as much as me. The stalling thing is an option I suppose I just feel that as the owners are known there will be a lot of people ready to kick off if it has gone. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: MysteryMiner on April 03, 2013, 02:30:16 PM So you think if I have used only Firefox in safe mode then it should be all good? The URL leak is not Instawallet fault, I found another service who still have exactly same problems. I did not manage to find any coins in there but it is only matter of time. At least I will work back the coins that have gone with Instastealwallet. If I'm going to run away with 4000 coins I will not post message that I will be back. I will post something like this: "Na nana nana I got Your coins and You will not see them again, na na nanaana!" together with picture of Eric Cartman. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 03, 2013, 02:34:00 PM how many coins you got in there steelboy?
I got 30 in there the price was @ $103 each now there $130 lol crazy shit i hope get them back !!!! Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 03, 2013, 02:35:55 PM A lot more than that. :(
Didn't realise how unsafe they were and i just started to realise before Easter that i needed to do something about it. Started a thread to get some advice about the armory and setting it up, even bought an offline asus on friday ready to get it sorted this week. Oh well....let's see. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 03, 2013, 02:51:17 PM yea not a good place to hold them mate. i was only using it as transporter not a wallet to hold.
i hope you and every1 else gets them back. I am leaving my computer at work today otherwise i am up all night waiting to hear something. My opinion is they had a problem they managed to keep everyones coins safe now they're going to profit from it before it goes back live!! cheers Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 03, 2013, 02:51:51 PM I got 30 in there the price was @ $103 each now there $130 lol At least you had BTC in there before the steep rise this morning ;) Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 03, 2013, 02:59:01 PM yea not a good place to hold them mate. i was only using it as transporter not a wallet to hold. i hope you and every1 else gets them back. I am leaving my computer at work today otherwise i am up all night waiting to hear something. My opinion is they had a problem they managed to keep everyones coins safe now they're going to profit from it before it goes back live!! cheers How do you think they can profit from it? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 03, 2013, 02:59:08 PM davout give us a shoutout PLEASE We wanna know what you're doing!!!!!!!!!!!!!!!!!!!!
:'( Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: trout on April 03, 2013, 03:12:53 PM I'm wondering if I'm the only one who attempted to withdraw my coins from instawallet at the unfortunate day of 01.04?
I was not holding any coins there, but tried to tumble some. I sent the coins in, and as soon as they confirmed tried to withdraw them. The wallet balance went to 0, but the coins never arrived at destination - the transactions were never broadcast. Then in about 6-8 hours, instawallet goes down "for maintenance." I'm afraid I'm even more screwed than those who were just holding their coins on instawallet. Unless we all lose all, that is. The coins from my deposit address were tumbled away into instawallet cold storage, and from there to the address they claim to have "exclusive control" over. So they are probably not lost. The question is whether I can get them back though. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 03, 2013, 03:15:21 PM I'm wondering if I'm the only one who attempted to withdraw my coins from instawallet at the unfortunate day of 01.04? I was not holding any coins there, but tried to tumble some. I sent the coins in, and as soon as they confirmed tried to withdraw them. The wallet balance went to 0, but the coins never arrived at destination - the transactions were never broadcast. Then in about 6-8 hours, instawallet goes down "for maintenance." I'm afraid I'm even more screwed than those who were just holding their coins on instawallet. Unless we all lose all, that is. The coins from my deposit address were tumbled away into instawallet cold storage, and from there to the address they claim to have "exclusive control" over. So they are probably not lost. The question is whether I can get them back though. I also had funds on the way out. It had happened before that it would take 24 hours so I wasn't worried. We shall see. Fingers crossed and good luck mate. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 03, 2013, 03:17:41 PM na they will have a record of it ;)
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: poriks on April 03, 2013, 03:17:58 PM I checked my address using https://blockchain.info. They left me a few satoshis men. >:( >:( ;D
I tried to follow the trail, but I couldn't see it end up on the address posted at bitcoin-central.

Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: tvbcof on April 03, 2013, 03:20:58 PM
Quote ... The coins from my deposit address were tumbled away into instawallet cold storage, and from there to the address they claim to have "exclusive control" over. So they are probably not lost. The question is whether I can get them back though.
Thx for the info. Without feedback from ~davout, paytuna, or whatever, it is natural that people will speculate. I would hypothesize that if any of the services that these guys ran were robbed, it may be Instawallet users who end up paying the bill. The other services seemed to be (and were) more important, whereas Instawallet was always advertised to be of only moderate security.

Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 03, 2013, 03:23:05 PM
Who thinks davout has gone rogue and has left Paris to live in Asia with his 45,000 bitcoins !! that's a good fresh start that is!!
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: tvbcof on April 03, 2013, 03:29:22 PM
Quote Who thinks davout has gone rogue and has left Paris to live in Asia with his 45,000 bitcoins !! that's a good fresh start that is!!
It seems a perfectly valid hypothesis at this point. There are many other hypotheses with this rating however.

Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 03, 2013, 03:39:33 PM
Quote Who thinks davout has gone rogue and has left Paris to live in Asia with his 45,000 bitcoins !! that's a good fresh start that is!! It seems a perfectly valid hypothesis at this point. There are many other hypotheses with this rating however.
Is his real identity known?

Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 03, 2013, 03:42:26 PM
Well guys I made a small investigation about the guy "davout".
So first of all the domain bitcoin-central.net is registered under the following details: Domain name: bitcoin-central.net Registrant: W3BFLOWS SARL FRANCOIS DAVID 34 CHARLES CHEFSON BOIS-COLOMBES, 92270 FR +33.668242163 x7kfp9c2o1j0ynegf3ym@h.o-w-o.info Administrative Contact: W3BFLOWS SARL FRANCOIS Michel 34 rue Charles Chefson Bois Colombes, 92270 FR +33.672332684 650cpyijxhkip452kqfs@l.o-w-o.info where "W3BFLOWS SARL" is the company behind bitcoin-central: Company: W3BFLOWS SARL Address: FRANCOIS DAVID 34 CHARLES CHEFSON BOIS-COLOMBES, 92270 FR Phone: +33.668242163 and it seems that FRANCOIS DAVID is the official representative. FRANCOIS DAVID is our guy : davout ( https://github.com/davout). That guy is also the CTO in Paymium (http://paymium.com/about/) Well I dont want to extract any particular cocnclusions. I am just giving out some information that I have found publicly online Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Rampion on April 03, 2013, 03:42:36 PM BTW: Instawallet charges no fee. What's their business model? Somebody could explain?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 03, 2013, 03:44:42 PM I find it so amazing that you could put the 45,000 btc [ $6,359,000] on a paper wallet and put it in your pocket and go anywhere in the world!!
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 03, 2013, 03:47:43 PM Well guys I made a small investigation about our guy "davout" . So first of all the domain bitcoin-central.net is registered under the following details: Domain name: bitcoin-central.net Registrant: W3BFLOWS SARL FRANCOIS DAVID 34 CHARLES CHEFSON BOIS-COLOMBES, 92270 FR +33.668242163 x7kfp9c2o1j0ynegf3ym@h.o-w-o.info Administrative Contact: W3BFLOWS SARL FRANCOIS Michel 34 rue Charles Chefson Bois Colombes, 92270 FR +33.672332684 650cpyijxhkip452kqfs@l.o-w-o.info where "W3BFLOWS SARL" is the company behind bitcoin-central: Company: W3BFLOWS SARL Address: FRANCOIS DAVID 34 CHARLES CHEFSON BOIS-COLOMBES, 92270 FR Phone: +33.668242163 and it seems that FRANCOIS DAVID is the official representative. FRANCOIS DAVID is our guy : davout ( https://github.com/davout). That guy is also the CTO in Paymium (http://paymium.com/about/) Well I dont want to extract any particular cocnclusions. But at least now we know who is the guy we should be looking for in case something really bad happens ;) Which I am still hoping is not the case. I imagine in a situation like this some element of media silence is needed. Especially if you don't want to say something that might turn out to be wrong later. Lets just hope he is as decent as he has seemed before. :) Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 03, 2013, 03:54:20 PM Well guys I made a small investigation about our guy "davout" . 
So first of all the domain bitcoin-central.net is registered under the following details: Domain name: bitcoin-central.net Registrant: W3BFLOWS SARL FRANCOIS DAVID 34 CHARLES CHEFSON BOIS-COLOMBES, 92270 FR +33.668242163 x7kfp9c2o1j0ynegf3ym@h.o-w-o.info Administrative Contact: W3BFLOWS SARL FRANCOIS Michel 34 rue Charles Chefson Bois Colombes, 92270 FR +33.672332684 650cpyijxhkip452kqfs@l.o-w-o.info where "W3BFLOWS SARL" is the company behind bitcoin-central: Company: W3BFLOWS SARL Address: FRANCOIS DAVID 34 CHARLES CHEFSON BOIS-COLOMBES, 92270 FR Phone: +33.668242163 and it seems that FRANCOIS DAVID is the official representative. FRANCOIS DAVID is our guy : davout ( https://github.com/davout). That guy is also the CTO in Paymium (http://paymium.com/about/) Well I dont want to extract any particular cocnclusions. But at least now we know who is the guy we should be looking for in case something really bad happens ;) Which I am still hoping is not the case. I imagine in a situation like this some element of media silence is needed. Especially if you don't want to say something that might turn out to be wrong later. Lets just hope he is as decent as he has seemed before. :) steelboy you are right. I want to make myself clear that I am not blaming anybody . I just give out some information that I found publicly online I was also about to say that Paymiym seems a reliable company since on their webpage all the board members appear. However I still think that the official representative of the company should regulalry update and inform the clients. In this case we are lacking essential update on a crucial issue. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 03, 2013, 03:57:31 PM JUST SPOKE TO DAVOUT
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 03, 2013, 03:58:38 PM hes about to make a update this second!!
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: twolifeinexile on April 03, 2013, 03:59:21 PM hes about to make a update this second!! Really appreciate your effort! Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 03, 2013, 04:02:37 PM hes about to make a update this second!! That's due. The 48 hours since "Expect normal service to resume within 48 hours." have just about passed :P How did you get in touch, though? Are you sure it's not some perp with that nickname on one of the IRC servers trying to pull your leg? ;) Thanks for letting us all know though! Appreciated :) Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: twolifeinexile on April 03, 2013, 04:04:47 PM hes about to make a update this second!! That's due. The 48 hours since "Expect normal service to resume within 48 hours." have just about passed :P How did you get in touch, though? Are you sure it's not some perp with that nickname on one of the IRC servers trying to pull your leg? ;) Thanks for letting us all know though! Appreciated :) They are hacked and lost bitcoin!!They will close this this business and go the "claim" process!! Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 03, 2013, 04:10:20 PM They are hacked and lost bitcoin!!They will close this this business and go the "claim" process!! Source? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 03, 2013, 04:10:33 PM I rang this number and he answered +33.668242163
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: trout on April 03, 2013, 04:11:35 PM Quote For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder. Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis. well, this means losses. >:( no information how much coins the hacker(s) were able to take. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: twolifeinexile on April 03, 2013, 04:11:59 PM They are hacked and lost bitcoin!!They will close this this business and go the "claim" process!! Source? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 03, 2013, 04:13:08 PM They are hacked and lost bitcoin!!They will close this this business and go the "claim" process!! Source? I'm not seeing it. If you're trolling, this is not a good time. If you're not, do post a screenshot. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 03, 2013, 04:14:37 PM I rang this number and he answered +33.668242163 and???? did you talk to anyone?? Quote For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder. 
Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis. well, this means losses. >:( no information how much coins the hacker(s) were able to take.
Where did you quote this message from? Are there any information about bitcoin-central ????

Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: twolifeinexile on April 03, 2013, 04:14:38 PM
Quote They are hacked and lost bitcoin!! They will close this this business and go the "claim" process!! Source? I'm not seeing it. If you're trolling, this is not a good time. If you're not, do post a screenshot.
The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture. Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is. In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.
Important information on claims submission:
1. For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.
2. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.
3. Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.
From http://notice.instawallet.org/

Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Kotcha on April 03, 2013, 04:14:57 PM
Good news, looks like we can claim our funds back... looks like the process is gonna take 90 days though, no other option than to hold 8)
Quote INSTAWALLET SERVICE NOTICE The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture. Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is. In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption. Important information on claims submission: For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder. Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: twolifeinexile on April 03, 2013, 04:18:23 PM Good news, looks like we can claim our funds back... looks like the process is gonna take 90 days though, no other option than to hold 8) To be honest, I don't feel good at all, they didn't say will refund 50BTC or larger fully, (which means they lose money, truely hacked). Secondly, due to the nature of Instawallet, apparently the hacker could claim the money as well if they got access to the database of the URL. Thirdly,that is 90 Days and you know those "delay" tatics a lot of scammers use, first 90 days, then another 90 days, then partial refund, then....Quote INSTAWALLET SERVICE NOTICE The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture. 
Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is. In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption. Important information on claims submission: For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder. Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis. Not saying they are, but this is not good news at all. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 03, 2013, 04:19:54 PM still no update for bitcoin-central
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 03, 2013, 04:24:35 PM How much did davout pay for instawallet?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 03, 2013, 04:25:15 PM Well an update at last
Here is my issue Lets assume the worst that its an inside job. Maybe the team do not have access to the individual urls. By making us give them to them we are effectively handing over our bitcoins. By making it a first come first serves it makes you want to give it to them straight away. Just saying. What do you think? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: twolifeinexile on April 03, 2013, 04:26:47 PM Well an update at last But to claim, you almost have to present that to prove ownership, because that is the only evidence.Here is my issue Lets assume the worst that its an inside job. Maybe the team do not have access to the individual urls. By making us give them to them we are effectively handing over our bitcoins. By making it a first come first serves it makes you want to give it to them straight away. Just saying. What do you think? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 03, 2013, 04:28:31 PM Lets assume the worst that its an inside job. Maybe the team do not have access to the individual urls. By making us give them to them we are effectively handing over our bitcoins. They obviously have access to the individual urls - how else could they serve you a web page on those? By sending your bitcoins to them in the first place you handed them over. They have the private keys. Well, they did at least. Still no update with regards to Bitcoin Central though. That's what I'm really worried about. That volume was twice as large as well. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: twolifeinexile on April 03, 2013, 04:29:34 PM Well an update at last You have bigger than 50? Otherwise, I think you should be able to get back fully, given their current tone.Here is my issue Lets assume the worst that its an inside job. Maybe the team do not have access to the individual urls. By making us give them to them we are effectively handing over our bitcoins. 
By making it a first come first serves it makes you want to give it to them straight away. Just saying. What do you think? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: HighInBC on April 03, 2013, 04:38:11 PM My lord. I was very close to being effected by this. Thankfully my fund went out prior to the issue.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Rampion on April 03, 2013, 04:40:28 PM Hope you learnt an important lesson: NEVER TRUST ONLINE WALLETS WITH MORE THAN POCKET MONEY.
And remember that what's pocket money today, can be retirement money tomorrow ;) Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Kotcha on April 03, 2013, 04:43:50 PM Good news, looks like we can claim our funds back... looks like the process is gonna take 90 days though, no other option than to hold 8) To be honest, I don't feel good at all, they didn't say will refund 50BTC or larger fully, (which means they lose money, truely hacked). Secondly, due to the nature of Instawallet, apparently the hacker could claim the money as well if they got access to the database of the URL. Thirdly,that is 90 Days and you know those "delay" tatics a lot of scammers use, first 90 days, then another 90 days, then partial refund, then....Quote INSTAWALLET SERVICE NOTICE The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture. Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is. In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption. Important information on claims submission: For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder. Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis. Not saying they are, but this is not good news at all. Yeah I get what your saying, I think if your funds went to cold storage though you must be safe? 
Maybe not good news, but at least it's something... looks alot brighter than it did yesterday anyway Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: d5000 on April 03, 2013, 05:10:40 PM Update for Bitcoin-Central and Paytunia (only showing on paytunia.com, seems they are a bit confused with the many URLs they have):
[Apr-03 7:00PM CET] We are still working on bringing the service back up: we expect to resume operations within the next 48 hours.
A lot of people have asked about the state of orders currently pending. Due to the recent and important price fluctuations we will cancel some outstanding orders before reopening. For example if the average price stays above 100 EUR/BTC we will cancel all asks below 110 EUR/BTC. No trades will be reversed.
We also don't want to take anyone by surprise and as such will give a 24h notice before trades start to get executed again. During these 24 hours you will be able to place and cancel orders. When the trading engine gets restarted they will be executed in the order they were placed.
Your account balances (EUR, USD, GBP and BTC) were not affected by the service interruption. The deposits received while the service was interrupted will be added to your balance during the 24h notice time.
----
Doesn't look that bad for these services, definitely the problem was with Instawallet. Should we split the threads because there are different problems?

Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 03, 2013, 05:15:06 PM
Quote Update for Bitcoin-Central and Paytunia (only showing on paytunia.com, seems they are a bit confused with the many URLs they have):
Oddly enough, Bitcoin-Central is down at the moment. Not showing anything.

Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: HATA28 on April 03, 2013, 05:31:06 PM
Quote Update for Bitcoin-Central and Paytunia (only showing on paytunia.com, seems they are a bit confused with the many URLs they have): Oddly enough, Bitcoin-Central is down at the moment. Not showing anything.
The problem with bitcoin-central and paytunia is this:
Secure Connection Failed
An error occurred during a connection to bitcoin-central.net. SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: trout on April 03, 2013, 05:32:44 PM
Quote Our database was fraudulently accessed,
Actually this doesn't even say that some coins were stolen. This doesn't look good.

Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: greyhawk on April 03, 2013, 05:48:58 PM
Quote It seems every generation of bitcoiners just has to learn hard lessons on their own. FFS if experienced bitcoiners like so not modest myself who warned other about exactly this shit long before mybitcoin fiasco tells you TRUST NO ONE. Pay fucking attention next time.
It never works Vlad, they never listen.

Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: justusranvier on April 03, 2013, 06:02:52 PM
http://www.reddit.com/r/Bitcoin/comments/1blk1t/public_service_announcement_regarding_online/
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: splat44 on April 03, 2013, 06:04:21 PM Same thing with instawallet, I'm sure those who manage those serve are doing something to fix those!
Update for Bitcoin-Central and Paytunia (only showing on paytunia.com, seems they are a bit confused with the many URLs they have): Oddly enough, Bitcoin-Central is down at the moment. Not showing anything. The problem with bitcoin-central and paytunia is this: Secure Connection Failed An error occurred during a connection to bitcoin-central.net. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long) Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Rampion on April 03, 2013, 06:05:11 PM It seems every generation of bitcoiners just has to learn hard lessons on their own. FFS if experienced bitcoiners like so not modest myself who warned other about exactly this shit long before mybitcoin fiasco tells you TRUST NO ONE. Pay fucking attention next time. It never works Vlad, they never listen. But it's unbelievable. Never trust third party wallets with more than pocket is money is so clear everywhere. It's so up in the wiki that you learn this in the first hour reading about bitcoin. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: greyhawk on April 03, 2013, 06:06:43 PM Same thing with instawallet, I'm those who manage those serve are doing something to fix those! Instawallet? Instawallet is dead, kaput, it has served it's last bit(coin). Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: greyhawk on April 03, 2013, 06:09:00 PM But it's unbelievable. Never trust third party wallets with more than pocket is money is so clear everywhere. It's so up in the wiki that you learn this in the first hour reading about bitcoin. 2 things at work here: a) some people are dumb b) bitcoin's false reputation as "easy money" attracts a disproportionaly large share of a) Title: Re: Instawallet Security Breach Post by: Phinnaeus Gage on April 03, 2013, 06:30:15 PM this doesn't sound good at all. Literally shitting myself You ain't the only one! I didn't even know this was going on. 
I visited the site yesterday and saw it was down, but paid it no mind thinking it will be back up soon. I was in the process of storing my coins elsewhere, but didn't think I had to do it anytime soon since being assured by many on this forum that all is well. I've even gotten others to use InstaWallet recently, sending them coins to show how easy it is. My stomach is totally in knots right now, and I've only begun to read this thread. Madness!!! ~Bruno K~ Title: Re: Instawallet Security Breach Post by: SgtSpike on April 03, 2013, 06:37:50 PM this doesn't sound good at all. Literally shitting myself You ain't the only one! I didn't even know this was going on. I visited the site yesterday and saw it was down, but paid it no mind thinking it will be back up soon. I was in the process of storing my coins elsewhere, but didn't think I had to do it anytime soon since being assured by many on this forum that all is well. I've even gotten others to use InstaWallet recently, sending them coins to show how easy it is. My stomach is totally in knots right now, and I've only begun to read this thread. Madness!!! ~Bruno K~ Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: greyhawk on April 03, 2013, 06:40:14 PM c) people take stupid risks even though they know better.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 03, 2013, 06:50:47 PM Just got to page 7, and now have shit to do after I take a shit (seriously). I is not a happy camper now.
Have Chainsaw - Will Travel Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: HATA28 on April 03, 2013, 06:55:13 PM This is a really fucked up situation, especially for the ones that were actually using instawallet.org
However, Paymium says you can claim your BTC back. We don't know what exactly caused this 'hack', we can only speculate. Therefore, I think we can't blame Paymium for what happened, at least not yet. Come on guys, try to stay positive. After all, it's just money. http://i47.tinypic.com/2zhqdd0.jpg Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Severian on April 03, 2013, 06:56:47 PM Too bad nobody is gong to listen to the above. This is evolution in action. In two years, should Bitcoin still be chugging along, paper wallet holders will still have bitcoins while the trusting will be wondering what happened to theirs. Since Bitcoin is decentralized by nature, it will ultimately force its users to be decentralized also. The learning curve is a painful one for those that let the glitter overtake common sense. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 03, 2013, 07:00:00 PM Positivity is the key now I think.
Vlad, you are right. It's our fault. (I was in the process of sorting out the armory on Friday). Give me a break though mate, still smarting here. Lets assume the hacker has all the urls. I assume he will argue any large balances with the rightful owner. What if their was documented proof of owning the URL for a while. I assume the hacker has only has access in the last few weeks. What do you think? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Rampion on April 03, 2013, 07:00:33 PM Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time" "run away" includes "getting 'hacked'" It is basically the same as amount of mined bitcoins asymptotically approaches 21 million. People! FFS! Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones. Store not only encrypted images but truecrypt distribution/installation too. This is all you need to know and do. Remember risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amount of BTC for short time. The smaller the amount and the shorter the time, the better. In this case Risk is acceptable. For large amounts and long time you simply cannot trust 3rd parties without taking on disproportional risks. Too bad nobody is gong to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then. I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount. I wouldn't rely on Truecrypt for very serious stuff. Code was not scrutinized by the community. This is why TAILS do not include it. I would prefer GPG. But for not so serious stuff a hidden volume of TC is pretty nice... 
And if you add stenography and of course offline storage only you will be pretty safe. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: repentance on April 03, 2013, 07:25:53 PM This is a really fucked up situation, especially for the ones that were actually using instawallet.org However, Paymium says you can claim your BTC back. We don't know what exactly caused this 'hack', we can only speculate. Therefore, I think we can't blame Paymium for what happened, at least not yet. Of course you can blame them. People can't access their funds for at least 90 days because of some security breach. It's the job of those operating a service to ensure its security can't be breached and vulnerabilities in Instawallet were made public a week ago. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: shamntalk on April 03, 2013, 07:27:56 PM This is going to hurt. And I don't just mean the 200 bucks I've just lost, it's going to hurt hard on bitcoin.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: repentance on April 03, 2013, 07:35:29 PM Actually that has happened the moment they went public with their braindead idea of having "proxy private keys" for BTC addresses in URL. Was it one or two years ago I do not quite remember. I don't recall the fact that you could access (actually access, as opposed to theoretically) the accounts of other users being publicly discussed until last week, although when it was being discussed last week quite a few people mentioned having been aware of it for some time. They still needed to take the service offline for a security audit when that particular vulnerability became a topic for discussion last week, because nothing was more certain than people trying to exploit that one and looking for other vulnerabilities as well (as well as looking for similar vulnerabilities in other services). Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: HATA28 on April 03, 2013, 07:38:34 PM This is a really fucked up situation, especially for the ones that were actually using instawallet.org However, Paymium says you can claim your BTC back. We don't know what exactly caused this 'hack', we can only speculate. Therefore, I think we can't blame Paymium for what happened, at least not yet. Of course you can blame them. People can't access their funds for at least 90 days because of some security breach. It's the job of those operating a service to ensure its security can't be breached and vulnerabilities in Instawallet were made public a week ago. People just blaming each other because they don't have the balls to take responsibility for it themselves. If you store your money somewhere, YOU are responsible. It is YOUR money. If you want to be absolutely sure it won't disappear in a financial crisis, you have to hold on to it yourself. If you drink too much Heineken beer, you are responsible for the consequences. You can not blame Heineken because they provided it. 
You are always the only one responsible for your own actions. In this case; Ofcourse, people trusted their money to Instawallet. But if you trust something or someone, that's a risk you are taking yourself. It is like losing bitcoins, after a big correction. You can't blame the economy for it, it was your risk to take, and you didn't have to take it. Don't walk away from you responsibility, and be happy Paymium is at least trying to come up with a solution. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: cho on April 03, 2013, 07:39:58 PM Too bad nobody is gong to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then. After having read your trolling but insightful post, I, for one, will actually improve my cold storage strategy. Thx to you for that. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: repentance on April 03, 2013, 07:52:13 PM Dude come on, this is the problem of the whole fucking society. People just blaming each other because they don't have the balls to take responsibility for it themselves. If you store your money somewhere, YOU are responsible. It is YOUR money. If you want to be absolutely sure it won't disappear in a financial crisis, you have to hold on to it yourself. If you drink too much Heineken beer, you are responsible for the consequences. You can not blame Heineken because they provided it. You are always the only one responsible for your own actions. In this case; Ofcourse, people trusted their money to Instawallet. But if you trust something or someone, that's a risk you are taking yourself. It is like losing bitcoins, after a big correction. You can't blame the economy for it, it was your risk to take, and you didn't have to take it. Don't walk away from you responsibility, and be happy Paymium is at least trying to come up with a solution. 
If you've read any of my posts at all then you're aware that I believe leaving your funds on any third party Bitcoin service is the height of stupidity and when this first happened I questioned how many times shit like this is going to happen before people grasp the fact that your funds can never be totally safe on such services. That doesn't excuse services from the responsibility to ensure that their security is adequate and to immediately take measures to beef it up when they become aware of a vulnerability - especially when vulnerabilities in that service are being widely and publicly discussed. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: lucb1e on April 03, 2013, 07:58:18 PM The bitcoin-central website seems to be changing often. First the site's https was down, then it was serving a http connection over https port (results in firefox in record too long or something), then error 500, now the message is back. It looks like they're changing physical location or even physical server (changing certificate, reconfiguring webserver, perhaps an IP change).
Getting worried about the severe lack of communication I find that strange too, though I'm not sure if it should really have us worried. At least the bitcoin-central users, I have a worse feeling about instawallet. But I'm not involved with instawallet at all and I'm not checking on that all day, so my feeling could easily be wrong. Anyone have a private communication channel to them? Could anyone try to get some info on this, customers/users deserve to know the current status of the affair. I think if anyone had, they are friends and are told things in confidence, or acquaintances are told the same as everyone. If they're not talking, it's most likely that nothing is supposed to come out... And I think they're reading this topic at least once or twice a day, if something was to be said they'd have said it. Maybe (like someone else suggested) they're not talking for the case that they are wrong. Official statements are always taken as promises, even if it's not said anywhere (and for a good reason, but that might be why they're silent).
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: HATA28 on April 03, 2013, 07:58:41 PM ... If you've read any of my posts at all then you're aware that I believe leaving your funds on any third party Bitcoin service is the height of stupidity and when this first happened I questioned how many times shit like this is going to happen before people grasp the fact that your funds can never be totally safe on such services. That doesn't excuse services from the responsibility to ensure that their security is adequate and to immediately take measures to beef it up when they become aware of a vulnerability - especially when vulnerabilities in that service are being widely and publicly discussed. Also, if you are aware of the vulnerability then what would stop you from immediately withdrawing all your funds...
I am not saying Paymium didn't make any mistakes, Im just saying Do what ever you can to protect your funds, and if you don't, take responsibility for it. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 03, 2013, 08:08:57 PM This is going to hurt. And I don't just mean the 200 bucks I've just lost, it's going to hurt hard on bitcoin. The volume is/was hardly influential. Mtgox didn't even notice when Bitcoin Central went down. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: repentance on April 03, 2013, 08:26:56 PM How can you say that when we don't even know what exactly happened yet. Sure it can be due to the vulnerability's discussed earlier but as said before, that is only speculating. Because it doesn't matter whether it was the vulnerability which was discussed last week which was exploited. The moment it becomes public that your service has a vulnerability, there's a massive target on your back and people will not only try to exploit that particular vulnerability, they will actively look for others (and they'll look for similar vulnerabilities in other services). The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place. How you're going to verify claims in the event of a security breach should be something you already plan for before a breach occurs and it sure as hell shouldn't involve providing information which is already known to be easily compromised. People don't demand enough of Bitcoin services. Half the time they know little - if anything - about the people behind them and especially about the resources they have available. They don't bother asking service providers about their disaster plans (which is insane because very few Bitcoin services have the financial resources to simply absorb losses which occur due to security failures). 
They leave amounts they can't afford to lose with services which could literally be out of business an hour from now. No doubt some of the people who'll be impacted by this have previously lost funds to other exchange/wallet service failures (and will likely do so again in the future). None of this means that services themselves should get a free pass when disaster strikes or that people should be ever so grateful for any steps they take to try to make users whole. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: dree12 on April 03, 2013, 08:31:17 PM How can you say that when we don't even know what exactly happened yet. Sure it can be due to the vulnerability's discussed earlier but as said before, that is only speculating. Because it doesn't matter whether it was the vulnerability which was discussed last week which was exploited. The moment it becomes public that your service has a vulnerability, there's a massive target on your back and people will not only try to exploit that particular vulnerability, they will actively look for others (and they'll look for similar vulnerabilities in other services). The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place. How you're going to verify claims in the event of a security breach should be something you already plan for before a breach occurs and it sure as hell shouldn't involve providing information which is already known to be easily compromised. People don't demand enough of Bitcoin services. Half the time they know little - if anything - about the people behind them and especially about the resources they have available. They don't bother asking service providers about their disaster plans (which is insane because very few Bitcoin services have the financial resources to simply absorb losses which occur due to security failures). 
They leave amounts they can't afford to lose with services which could literally be out of business an hour from now. No doubt some of the people who'll be impacted by this have previously lost funds to other exchange/wallet service failures (and will likely do so again in the future). None of this means that services themselves should get a free pass when disaster strikes or that people should be ever so grateful for any steps they take to try to make users whole. Hear hear. So many people here are against regulation. Until people become accustomed enough to regulate companies themselves, more regulation is good for Bitcoin. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: HATA28 on April 03, 2013, 08:50:45 PM How can you say that when we don't even know what exactly happened yet. Sure it can be due to the vulnerability's discussed earlier but as said before, that is only speculating. The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place. You can not have an immediate disaster plan in a case like this. If your security gets compromised, than how can you have a plan for it at that moment, when you just find out about the leak. Paymium is already providing information regarding a solution, only within 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: TheButterZone on April 03, 2013, 08:52:33 PM Trying to figure out the logic of the statement and claims process.
Assuming everyone's Instawallet BTC was moved to cold storage (as all received TXs seemed to be moved off your BTC address shortly after receipt), and this was a database hack, the hacker just obtained the secret URLs and the BTC balances of all of them? Unless the hacker ALSO coded some kind of script to access every secret URL, withdraw entire balance on each of them via whatever method Instawallet had for withdrawing them out of cold storage, then this would explain why there is a 90 day claims process at all. Basically Instawallet has to make sure only one person is claiming each secret URL, and then detect a pattern of similar double claims; the one doing the double claims for more than maybe 3 secret URLs or >50 BTC is the hacker? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: HATA28 on April 03, 2013, 09:01:27 PM It is not sure yet, that the security was compromised by leaking the instawallet url's.
It could be something completely different. Also, they didn't say it is going to take 90 days to refund; after 90 days you will be autorefunded (<50btc). You will most likely get your bitcoins back a lot faster if you file a claim. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Rampion on April 03, 2013, 09:04:05 PM No news from davout?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: repentance on April 03, 2013, 09:04:50 PM They don't say it is gonna take more then 90 days. They only say your balance will automatically be refunded (<50btc) if you were too lazy too file a claim. You can not have an immediate disaster plan in a case like this. If your security gets compromised, than how can you have a plan for it at that moment, when you just find out about the leak. Paymium is already providing information regarding a solution, only within 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution. Is English not your first language. They quite clearly state that your funds will be refunded after 90 days if no other claims have been filed on your account. Quote For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. 1) you do need to file a claim and 2) even when you do your funds will be returned after 90 days if there are no competing claims on your account. I have no idea why you believe that it's impossible to develop disaster plans before an incident occurs. If you don't have a way to verify the identity of your users in the event of a disaster, then you don't have adequate ways to identify them period. Users need to accept that the greater degree of the anonymity a service allows them, the more difficult it may be for them to ever prove ownership of funds should it become necessary and services need to clearly state the possibility of that issue arising. 
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: greyhawk on April 03, 2013, 09:08:11 PM At this point with a registration date of today and his suspicious posting behaviour, I'm leaning toward the assumption of HATA28 to either be a davout sockpuppet or the 'hacker' himself.
Oh, wait. Hehe, duplicates. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: HATA28 on April 03, 2013, 09:23:44 PM They don't say it is gonna take more then 90 days. They only say your balance will automatically be refunded (<50btc) if you were too lazy too file a claim. You can not have an immediate disaster plan in a case like this. If your security gets compromised, than how can you have a plan for it at that moment, when you just find out about the leak. Paymium is already providing information regarding a solution, only within 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution. Is English not your first language. They quite clearly state that your funds will be refunded after 90 days if no other claims have been filed on your account. Quote For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. 1) you do need to file a claim and 2) even when you do your funds will be returned after 90 days if there are no competing claims on your account. I have no idea why you believe that it's impossible to develop disaster plans before an incident occurs. If you don't have a way to verify the identity of your users in the event of a disaster, then you don't have adequate ways to identify them period. Users need to accept that the greater degree of the anonymity a service allows them, the more difficult it may be for them to ever prove ownership of funds should it become necessary and services need to clearly state the possibility of that issue arising. At this point with a registration date of today and his suspicious posting behaviour, I'm leaning toward the assumption of HATA28 to either be a davout sockpuppet or the 'hacker' himself. Maybe I am. 
Why don't we find out in the next couple of days... Oh, wait. Hehe, duplicates.
Title: Re: Instawallet Security Breach Post by: joepie91 on April 03, 2013, 09:31:44 PM I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything... Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit. Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability. It was most definitely a security flaw. There's a reason many services that offer similar things, use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet, and need the 'fragment' as well. The fragment is entirely clientside. To put it simply, using a url as your sole authentication is a really fucking stupid idea.
Title: Re: Instawallet Security Breach Post by: repentance on April 03, 2013, 09:42:23 PM It was most definitely a security flaw. There's a reason many services that offer similar things, use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet, and need the 'fragment' as well. The fragment is entirely clientside. To put it simply, using a url as your sole authentication is a really fucking stupid idea. Even worse is that they knew this flaw was being discussed publicly, as was the StrongCoin flaw. You can't assume that every user will read thread about security flaws but services themselves should make it their business to know when such discussions are taking place.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: makomk on April 03, 2013, 10:35:00 PM The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture.
Fucking maroons. For this to be true, they'd have to be storing the raw, unhashed keys from the URLs, and there's not really any good reason why they should do things this way. Simply hashing the URLs would have made it difficult or impossible for someone who got hold of the database to imitate account holders. Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: panoss on April 03, 2013, 11:15:05 PM bitcoin central is back
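The two points made above by joepie91 (keep the secret in the URL fragment) and makomk (store only a hash of the URL key), as an added Python sketch that is not part of the thread and is not Instawallet's code. The host `wallet.example`, the class names and the table layout are assumptions made for illustration.

```python
"""Added example: capability-URL secrets stored hashed, and carried in the fragment."""
import hashlib
import secrets
from urllib.parse import urlsplit

BASE_URL = "https://wallet.example/w/"  # hypothetical service, not a real endpoint


def token_digest(token: str) -> str:
    # The token is 256 bits of randomness, so it cannot be guessed and a plain
    # fast hash is enough. Low-entropy secrets (passwords) need a slow, salted KDF.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class RawStore:
    """Weak design: the database column holds the URL secret itself."""

    def __init__(self):
        self.rows = {}  # token -> balance

    def create(self, balance):
        token = secrets.token_urlsafe(32)
        self.rows[token] = balance
        return token

    def authenticate(self, presented):
        return self.rows.get(presented)  # balance, or None if unknown

    def dump(self):
        # What someone holding a copy of the table sees.
        return list(self.rows)


class HashedStore:
    """Hardened design: only SHA-256(token) is ever written to the database."""

    def __init__(self):
        self.rows = {}  # sha256(token) -> balance

    def create(self, balance):
        token = secrets.token_urlsafe(32)
        self.rows[token_digest(token)] = balance
        return token  # shown to the user once, never stored

    def authenticate(self, presented):
        # The server hashes whatever is presented, so replaying a stolen
        # digest only looks up sha256(digest), which matches no row.
        return self.rows.get(token_digest(presented))

    def dump(self):
        return list(self.rows)


def wire_view(url):
    """Split a URL into (request target sent to the server, fragment kept client-side)."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return target, parts.fragment


def demo():
    raw, hashed = RawStore(), HashedStore()
    raw.create(5)
    owner_token = hashed.create(5)

    in_path = BASE_URL + owner_token            # secret is part of the path
    in_fragment = BASE_URL + "#" + owner_token  # secret is after the '#'

    return {
        # Every value in the raw table is a working credential.
        "raw_dump_usable": any(raw.authenticate(v) is not None for v in raw.dump()),
        # No value in the hashed table authenticates anything.
        "hashed_dump_usable": any(hashed.authenticate(v) is not None for v in hashed.dump()),
        "owner_still_works": hashed.authenticate(owner_token) == 5,
        # A path secret appears in the request line (and so in logs and indexes).
        "secret_in_request_target_path": owner_token in wire_view(in_path)[0],
        # A fragment secret is never part of the request target.
        "secret_in_request_target_fragment": owner_token in wire_view(in_fragment)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the secret in the fragment, page script has to pass it to the server explicitly (for example in a request body), which keeps it out of the address that crawlers, proxies and access logs record.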
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Injust on April 03, 2013, 11:19:28 PM Note from bitcoin-central.com and paytunia.com:
Quote [Apr-03 7:00PM CET] We are still working on bringing the service back up: we expect to resume operations within the next 48 hours. A lot of people have asked about the state of orders currently pending. Due to the recent and important price fluctuations we will cancel some outstanding orders before reopening. For example if the average price stays above 100 EUR/BTC we will cancel all asks below 110 EUR/BTC. No trades will be reversed. We also don't want to take anyone by surprise and as such will give a 24h notice before trades start to get executed again. During these 24 hours you will be able to place and cancel orders. When the trading engine gets restarted they will be executed in the order they were placed. Your account balances (EUR, USD, GBP and BTC) were not affected by the service interruption. The deposits received while the service was interrupted will be added to your balance during the 24h notice time.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: panoss on April 03, 2013, 11:19:51 PM It is only referring to the open orders! As everything else is OK?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 03, 2013, 11:50:17 PM sending your funds to a wallet consisting in a non-password protected URL is RIDICULOUS These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption. I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin. Therefore, all the NPO/NGOs I emailed with InstaWallet.org in the text will look upon Bitcoin as a farce if they happen to click the link. Currently on Page 8 of this thread, hoping there's good news by the time I get to Page 14. So far it's looking like this'll be the first time I lose bitcoins via another entity. The ONLY saving grace is that it was all profit, but then again so is close to 100% of all the barn wood I currently have in stock, but would hate it if the buildings burned down or I was ripped up off of the entire lot. I'm holding my tongue till I reach the end of this thread. Madness!!! ~Bruno K~
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 04, 2013, 12:08:23 AM davout give us a shoutout PLEASE We wanna know what you're doing!!!!!!!!!!!!!!!!!!!! :'( YOU GOTTA BE FUCKIN' KIDDIN' ME!!! Quote Name: davout Posts: 2744 Position: Staff Date Registered: October 17, 2010, 06:01:12 AM Last Active: April 02, 2013, 10:16:50 AM I hope I'm calmed down before I get to the end of this thread, otherwise I WILL be asking for an address, and not the BlockChain kind.
Title: Re: Instawallet Security Breach Post by: Nicolai on April 04, 2013, 12:18:08 AM I found a security breach in instawallet last week... I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit. Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability. To put it simply, using a url as your sole authentication is a really fucking stupid idea. Just like when a website create a recover link: blah.tld/recover.php?secret=SomEtHingRandom, as long as I don't share this link, then only I and the website know the link, so only I can change my password/recover my user. THIS IS NOT A SECURITY FLAW. However, if I share this link with world+dog (public internet) - and a lot of people did this, by sharing their *PRIVATE URL* with everyone on the public internet - then everybody can "hack" me. But this is NOT due to a security flaw in the website! This is due to a human error, because someone shared their private urls (not a security flaw in the website and will never be). The "flaw" first discussed in instawallet (which wasn't even a flaw) was simply because Google allow everyone to easy see this list of PUBLIC SHARED URLS by typing the command "site:" in Google. It is STILL possible to get this list, by simply changing "site:" to e.g. "allintext:" (proof (http://google.com/search?q=allintext:instawallet.org/w/)) however now you manually have to visit every site on the list and dig out the instawallet link (before Google would do this for you). It is best practice to tell Google: "please don't make this list _easy_ accessible", however you and everyone else will always be able to find "the list" (and the list will always exist, as long as people share their urls with everyone). It is NOT a security flaw in any website, that you can find this list (assuming the list only consist of private urls leaked by users, not the website). Had Instawallet leaked just one link, then this had been a security flaw, but they DIDN'T. Not a single link.
And can we now please stop talking about this silly "mistake" (it's not even a flaw - and you would NEVER be able to use it, to hack Instawallet), and actually focus on THE REAL HACK. Please?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 04, 2013, 12:28:11 AM They are hacked and lost bitcoin!! They will close this business and go the "claim" process!! Source? I'm not seeing it. If you're trolling, this is not a good time. If you're not, do post a screenshot. The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture. Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is. In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption. Important information on claims submission: 1. For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim. 2. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder. 3. Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis. From http://notice.instawallet.org/ Somebody fuck me in my ass and then stick your dick in my mouth, for I'm sure I'll enjoy that much better than what I've just read. I've read that he's probably in Paris, so so much for a road trip. Is there anybody in Paris that can at least visit the address provided to glean any viable information?
I will blow my fuckin' top if I learn that my close friend and a dear client (2 separate individuals) have coins tied up on InstaWallet.org after I went out on a limb to assure them that they need not worry giving my personal guarantee. This is so fucked up on so many levels. Back to page 10, or is it 11? ~Bruno K~ Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 04, 2013, 12:31:16 AM Hope you learnt an important lesson: NEVER TRUST ONLINE WALLETS WITH MORE THAN POCKET MONEY. And remember that what's pocket money today, can be retirement money tomorrow ;) No Mother Fuckin' Kidding! Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 04, 2013, 12:37:50 AM It seems every generation of bitcoiners just has to learn hard lessons on their own. FFS if experienced bitcoiners like so not modest myself who warned other about exactly this shit long before mybitcoin fiasco tells you TRUST NO ONE. Pay fucking attention next time. It never works Vlad, they never listen. Stick two dicks up my ass, for it's quite obvious that I didn't listen. Also... Quote Q: I forgot my URL, can you help me? A: As I lined out in the warning, I'm afraid the answer is no. I have to be strict about this, as I would otherwise open myself to social engineering attacks and putting my users and myself at risk. If you have not done so already, I can only recommend to check your browser history. An easy way of doing that is to just enter https://www.instawallet.org/w/ and see what your browser's auto completion suggests. Somebody tell me then how the hell are they going to be able to return funds given the above? 
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 04, 2013, 12:58:03 AM Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time" "run away" includes "getting 'hacked'" It is basically the same as amount of mined bitcoins asymptotically approaches 21 million. People! FFS! Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones. Store not only encrypted images but truecrypt distribution/installation too. This is all you need to know and do. Remember risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amount of BTC for short time. The smaller the amount and the shorter the time, the better. In this case Risk is acceptable. For large amounts and long time you simply cannot trust 3rd parties without taking on disproportional risks. Too bad nobody is gong to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then. I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount. Spot on, and did not take offense, bud. All others feel free to stick it up me, but at least ask me if I want to taste it when you do. Although this hurts me financial, it's not drastic, but this is a major blow to Bitcoin on several levels. Not in my wildest dreams I thought InstaWallet would go down, but looking back I should have thought otherwise. In fact, for a brief second I did about a week or so ago, but was assured that all is well, opting to not look deeper and explore my options further. 
Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: justusranvier on April 04, 2013, 01:00:36 AM Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer. 11000 posts and you never came across a thread explaining how to set up a secure paper wallet? ???
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: repentance on April 04, 2013, 01:21:36 AM Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer. Sorry to hear that Phin. I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 04, 2013, 01:23:30 AM Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase.
Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer. 11000 posts and you never came across a thread explaining how to set up a secure paper wallet? ??? I came across it, but opted to ignore it, not wanting to take the time to go through the learning curve. Hell, I purchased a Samsung III to use with Bitcoin in mind, but got frustrated with the screen, so I gave it to my niece. I am capable of figuring things out, but sometimes the lack of time gets in the way of me doing certain things. I'm on record for stating that even if Bitcoin went to zero, I'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter. Later, bud. ~Bruno K~ EDIT: Ironically, we cross-post: Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer. Sorry to hear that Phin. I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: repentance on April 04, 2013, 01:36:52 AM I'm on record for stating that even if Bitcoin went to zero, i'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter. Later, bud. ~Bruno K~ They previously stated that they had exclusive control of the wallet and that user funds were safe. They've said nothing so far to indicate that's not still the case. The issue here seems to be how they return funds to legitimate users when the database has been compromised. You're obviously going to fall into the "case by case" category, but at this stage they're saying they can start returning funds after a 90 day claim period and not that there are missing funds. In my opinion, they need to make very clear that no user funds have been lost (or none that they can't replace out of their own pockets) if that's the case. If user funds have been lost then they need to be truthful about that because no-one wants to sit around thinking they're going to get their funds in 90 days only to find in 3 months time that there's a shortfall. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: SgtSpike on April 04, 2013, 03:25:45 AM Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time" "run away" includes "getting 'hacked'" It is basically the same as amount of mined bitcoins asymptotically approaches 21 million. People! FFS! 
Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones. Store not only encrypted images but truecrypt distribution/installation too. This is all you need to know and do. Remember risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amount of BTC for short time. The smaller the amount and the shorter the time, the better. In this case Risk is acceptable. For large amounts and long time you simply cannot trust 3rd parties without taking on disproportional risks. Too bad nobody is going to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then. I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount. Spot on, and did not take offense, bud. All others feel free to stick it up me, but at least ask me if I want to taste it when you do. Although this hurts me financially, it's not drastic, but this is a major blow to Bitcoin on several levels. Not in my wildest dreams I thought InstaWallet would go down, but looking back I should have thought otherwise. In fact, for a brief second I did about a week or so ago, but was assured that all is well, opting to not look deeper and explore my options further. Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer. Davout seems to be a standup guy.
I'd be surprised if you didn't get the vast majority of your funds back, given how much of instawallet's funds were sitting in a cold wallet. But certainly, put more effort into making sure your coins are secure down the road, especially when you have enough to buy a house with!
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Twerka on April 04, 2013, 03:53:14 AM I lost 0.02 BTC :(, even when it's only 2,50 dollars, I'm angry to see a website stealing the money of their users. "Trust no one" is the name of a post on the newbie area; I think it's right.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: repentance on April 04, 2013, 03:58:38 AM I lost 0.02 BTC :(, even when it's only 2,50 dollars, I'm angry to see a website stealing the money of their users. "Trust no one" is the name of a post on the newbie area; I think it's right. I think they've done a lot wrong, but right now there is no evidence whatsoever that anyone's funds have been "stolen".
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: avegetable on April 04, 2013, 05:29:45 AM Would it be a good idea for victims to find out which address (or addresses) they used to transfer their BTC to Instawallet, and immediately sign a message, to prove that they control that bitcoin address, if possible?
This wouldn't prove that they own the funds at Instawallet (they might only be somebody who sent BTC to the real owner) but it would help Instawallet to more easily sort out claims into 'probably true' and 'probably false'. That's because scammers won't be able to prove that they sent any bitcoins in to the Instawallet address that they claim to own. And somebody who really did send bitcoins into another person's address isn't likely to have the knowledge, or the desire, to scam them later (though it's not impossible, if a large sum is at stake, so Instawallet would still need to review the case and other evidence). I don't have anything stored at Instawallet. I'm just thinking it would be best for victims to prove as soon as possible that they control any sending addresses, in case they're not able to do that later (for example, they could delete their wallet, or overwrite keys, accidentally or because they think it's not important any more). Does this idea help?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: cho on April 04, 2013, 06:49:02 AM Quote Q: I forgot my URL, can you help me? A: As I lined out in the warning, I'm afraid the answer is no. I have to be strict about this, as I would otherwise open myself to social engineering attacks and putting my users and myself at risk. If you have not done so already, I can only recommend to check your browser history. An easy way of doing that is to just enter https://www.instawallet.org/w/ and see what your browser's auto completion suggests. Somebody tell me then how the hell are they going to be able to return funds given the above?
Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed: "I have to be strict about this, as I would otherwise open myself to social engineering attacks" would have been "it is physically impossible for me to do so since we do not store your URLs unencrypted, and are thus unable to recover them, whatever the circumstances". Am I wrong?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 04, 2013, 07:27:09 AM Maybe my post is a bit offtopic but could someone explain what is the difference between keeping bitcoins in Instawallet and in Bitcoin-central? I am not talking about security issues. Instawallet is a wallet. Bitcoin-central is an exchange market but one can also keep bitcoins there.
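The storage question raised above (wallet URLs kept in plain text versus hashed) can be modelled in a few lines. This is an added example, not part of any post and not Instawallet's code; the `wallet.example` URL, the class names and the pepper are assumptions made for illustration.

```python
"""Constructed model: a "URL as password" wallet table stored two ways."""
import hashlib
import hmac
import secrets

BASE_URL = "https://wallet.example/w/"  # hypothetical service, an assumption


def new_token() -> str:
    """256 random bits from the OS CSPRNG; the token is the only credential."""
    return secrets.token_urlsafe(32)


def token_of(url: str) -> str:
    """Strip the service prefix from a wallet URL."""
    return url[len(BASE_URL):] if url.startswith(BASE_URL) else url


def keyed_digest(token: str, pepper: bytes) -> str:
    """HMAC-SHA256 of the token. A fast hash is enough here because the
    token is high-entropy random data, unlike a human-chosen password."""
    return hmac.new(pepper, token.encode("utf-8"), hashlib.sha256).hexdigest()


class PlaintextStore:
    """The table key is the token itself, so a dump is a list of credentials."""

    def __init__(self) -> None:
        self.rows = {}  # token -> balance in satoshi

    def create(self, balance: int) -> str:
        token = new_token()
        self.rows[token] = balance
        return BASE_URL + token

    def balance_for(self, url: str):
        return self.rows.get(token_of(url))

    def recoverable_urls(self) -> list:
        """What the operator (or anyone holding the table) can reconstruct."""
        return [BASE_URL + token for token in self.rows]


class HashedStore:
    """The table key is a keyed digest; the token exists only in the user's URL."""

    def __init__(self, pepper: bytes) -> None:
        self._pepper = pepper  # kept outside the database, e.g. in server config
        self.rows = {}  # digest -> balance in satoshi

    def create(self, balance: int) -> str:
        token = new_token()
        self.rows[keyed_digest(token, self._pepper)] = balance
        return BASE_URL + token  # shown to the user once, never stored

    def balance_for(self, url: str):
        return self.rows.get(keyed_digest(token_of(url), self._pepper))

    def recoverable_urls(self) -> list:
        """Nothing: the operator cannot answer "I forgot my URL" either."""
        return []


def wallets_opened_from_dump(store) -> int:
    """Count the wallets that a copy of store.rows alone would open, by
    presenting every stored key back to the service as if it were a token."""
    dumped_keys = list(store.rows)
    return sum(store.balance_for(BASE_URL + key) is not None for key in dumped_keys)


if __name__ == "__main__":
    plain = PlaintextStore()
    hashed = HashedStore(pepper=secrets.token_bytes(32))
    for sat in (10_000, 250_000, 5_000_000):  # constructed balances
        plain.create(sat)
        hashed.create(sat)
    print("plaintext table, wallets exposed by a dump:", wallets_opened_from_dump(plain))
    print("hashed table, wallets exposed by a dump:   ", wallets_opened_from_dump(hashed))
```

With the hashed table a later claim can still be checked, because a user who presents the original URL produces the stored digest, while the rows alone give neither the operator nor anyone else a working URL.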
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 04, 2013, 07:58:36 AM I quote a part from an article that appeared in "bitcoinmagazine" (http://bitcoinmagazine.com/instawallets/) regarding pros and cons about using instawallet:
Because of Instawallet’s “URL as password” mechanism it’s the least secure of all the options. Instawallet themselves recommend that users “please do not store more than some spare change here” for casual use. Instawallet people themselves recommended their clients not to store large amounts of bitcoins. This shows some honesty.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: piramida on April 04, 2013, 07:59:44 AM 14,000 total coins were stored in instawallet? Lost faith in humanity once again :)
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 04, 2013, 08:25:31 AM Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer. 11000 posts and you never came across a thread explaining how to set up a secure paper wallet? ??? I came across it, but opted to ignore it, not wanting to take the time to go through the learning curve. Hell, I purchased a Samsung III to use with Bitcoin in mind, but got frustrated with the screen, so I gave it to my niece. I am capable of figuring things out, but sometimes the lack of time gets in the way of me doing certain things. I'm on record for stating that even if Bitcoin went to zero, I'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter. Later, bud. ~Bruno K~ EDIT: Ironically, we cross-post: Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer. Sorry to hear that Phin.
I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle. Looks like me and you are in the same boat Phinnaeus, nice to meet you. Shame it couldn't have been under better circumstances. :( Ok, I have been doing some analysis/thinking about the situation and am feeling (relatively) positive. Ladies and gentlemen, if you would care to indulge me. :)
INSTAWALLET DEBACLE 2013
Firstly I have made some assumptions
1. The people behind Instawallet are honest and want to return the money to their rightful owners. I have assumed this based on the fact that they have their public profiles on record, some of them have been directors of big multinational companies (Orange), they have other businesses which I believe they want to keep earning them money and finally they probably realise that a higher percentage of the bitcoin userbase compared to the general public might go after them personally if the money was not returned. (Based on the fact that the currency is underground and only recently surfacing to most people). Besides this, if we assume they are dishonest then our money might as well be gone anyway. :/
2. Everybody who had money in instawallet now realises the error of their ways and will be using a paper wallet rolled up into a tube and inserted anally at all times. Some of the people here have lost a fair bit of money and the I told you so's are a little annoying. I for one will invest a few bitcoins in awareness of this problem for newbies if I get my money back.
3. The hacker has some info This is as far as I could go with this. I am not technically minded and can only guess from reading this thread the kind of data he could have. I have listed the possibilities from worst case scenario to best.
There may be more but that's all I could think of for now.
4. The hacker has already stolen something? Now this I am not sure of. I feel that the wording of their agreement leads us to believe that some has gone but not all. If this is the case, when was it stolen? If it was only stolen in the last few days then maybe a date-stamped document in Time Machine (Mac recovery service) would be enough to prove that you have held the URLs for a while?
CONCLUSION After all this we can conclude that if we claim back on an address and find that all large amounts are being double claimed we can be sure that the first option in section 3 is probably true. If this is not the case then I think the chances of double claiming go down and we can hope to see our money again. You never know, a 90 day force holding period might be a blessing in disguise. :D What do you guys think?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 04, 2013, 08:26:08 AM Maybe my post is a bit offtopic but could someone explain what is the difference between keeping bitcoins in Instawallet and in Bitcoin-central? I am not talking about security issues. Instawallet is a wallet. Bitcoin-central is an exchange market but one can also keep bitcoins there. Instawallet did not have any form of security. Anyone knowing the url of a wallet could have withdrawn all its funds. (basically anyone gaining some form of access to the server could read the http log file and get hundreds of wallets) Bitcoin Central has/had:
- a login/password system
- an optional double authentication mechanism
- a KYC politics requiring people wishing to put more than x euros (x=250 or 1000€ I don't remember) or the equivalent in BTC to identify themselves with name, address and a proof of identity.
I would like to know the conceptual difference between bitcoin-central and instawallet.
After an extensive discussion here in the topic, I learnt about the security gaps but why someone would prefer to keep the bitcoins in Instawallet rather than in bitcoin-central?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Kotcha on April 04, 2013, 08:50:55 AM Anyone else having problems accessing the Instawallet site atm? Getting these errors in Firefox and Chrome... ???
Quote This Connection is Untrusted You have asked Firefox to connect securely to www.instawallet.org, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. What Should I Do? If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
Quote This is probably not the site you are looking for! You attempted to reach instawallet.org, but instead you actually reached a server identifying itself as *.bitcoin-central.net. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of instawallet.org. You cannot proceed because the website operator has requested heightened security for this domain.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: dooglus on April 04, 2013, 08:55:41 AM Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed [...] Am I wrong? I think so. It is conceivable that the URLs are stored encrypted using the dev's public key. He would then be able to retrieve the URLs by downloading the database to his home machine and using his private key there, without them ever being stored in plain text on the database.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: dooglus on April 04, 2013, 09:05:13 AM
It's probabl
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 04, 2013, 09:29:11 AM 14,000 total coins were stored in instawallet? Lost faith in humanity once again :) Given how low the threshold was to start a wallet there, this could be spread over thousands of people. Judging by Phil's posts above, though, this is hardly the case :-\ Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: 🏰 TradeFortress 🏰 on April 04, 2013, 10:27:56 AM And learn your lesson - use blockchain.info, bitcoin-qt, electrum, whatever.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: trout on April 04, 2013, 11:00:54 AM It's probably that instawallet's 'hot wallet' wasn't large enough to empty all the big ones. Perhaps the hot wallet was drained and that's what tipped them off that there was a problem. Perhaps they refilled it a few times before noticing what was going on. We do know they had a 'cold wallet' which presumably held the majority of the coins. I don't think the hot wallet was emptied. If you look at the transaction history of their cold wallet, 1FrtkNXastDoMAaorowys27AKQERxgmZjY (http://blockchain.info/address/1FrtkNXastDoMAaorowys27AKQERxgmZjY) you see that 6 transfers totalling 320BTC were made *to* this wallet, just prior to its subsequent evacuation into 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (together with bitcoin-central funds). You can also notice that this is a very unusual pattern for them to put money into cold storage: usually it's 1 transaction every few days; not several transactions in quick succession. What is more, among these 6 transactions, is the address of my instawallet, to which I transferred the funds about 6 hours before. (I was unlucky to try to tumble some coins through instawallet in the worst possible moment.) So from this it's quite clear that not all hot-wallet money was stolen. Probably the hacker accessed the database from where it was not supposed to be accessed, and that triggered the alarm. How many URLs he got and how many he tried to empty we don't know.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Nicolai on April 04, 2013, 11:41:58 AM Quote from: Vladimir Having password in URL is a security flaw. It opens obvious attack vectors with very high probability of being exploited sooner or later. Information Security is all about risks and probabilities. Everything that increases risk is a "security flaw" to some degree. No it is not.
What you don't get, is that there is a huge difference between "not following best practice" and "having a security flaw in your website". The reason why the "password in url" was described as a "security flaw", was because 'the founder' (a user) wanted it to look worse than it was (so Instawallet would look more bad for not paying him, even though it was public knowledge that this was possible loooong before 'the founder' even "found" this). Instawallet had a security flaw that got them hacked (this incident, we don't know how, but we do know that it had NOTHING to do with "password in url"), however the "password in url" was just a case of "not following best practice" (NOT a security flaw). It is just like when a website uses a simple username+password combination to authenticate users, instead of a "zero-knowledge password proof"-protocol. Most websites use the lesser-secure username+password, but this doesn't mean you should create a forum post for each website, whining that you told all the websites on the internet that ZKPP is better and now you want a cookie + pay check ( <-- this was what 'the founder' did). So to sum up, it is not a security flaw/exploit, if you can't exploit/get access to *anything*, without requiring the users to tell you their passwords (<-- this is ofc just very simplified, but the point is that if your exploit is "give me your shared secret, and I can authenticate as you" then it isn't an exploit, it is an intended behaviour. You could argue "why use a shared secret, why not something else and more secure?" but it still wouldn't be a security flaw. Not now, not ever). [...] I agree on most parts, but: 3. The hacker has some info This is as far as I could go with this. I am not technically minded and can only guess from reading this thread the kind of data he could have. I have listed the possibilities from worst case scenario to best.
There may be more but that's all i could think of for now. [...] What do you guys think? 2) Actually "2" would be almost like "1". It wouldn't be time consuming at all, because you can just write a parser to parse the blockchain and sort by amount (change a bit here and there, and this source code (https://bitcointalk.org/index.php?topic=88584.0) + the blockchain, is all you need). 3) As I wrote earlier, then this is 100% without any doubt NOT the case. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: DavinciJ15 on April 04, 2013, 12:29:39 PM HOW DO YOU FILE A CLAIM!
I hate that the site says file a claim but provides no way to do so. It's not like I lost a lot just under 2BTC but at today's price that's a nice dinner for 2 and I want it back!
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 04, 2013, 12:43:24 PM HOW DO YOU FILE A CLAIM! I hate that the site says file a claim but provides no way to do so. It's not like I lost a lot just under 2BTC but at today's price that's a nice dinner for 2 and I want it back! Keep your calm and learn to read. Quote In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 04, 2013, 01:57:59 PM Hi please fill in this claim form if you lost instawallet funds here.......
YOUR URL password ..... your bitcoin address.... YOUR BALANCE: Your Email address that you made your first complaint with......
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: cho on April 04, 2013, 02:10:24 PM Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed [...] Am I wrong? I think so. It is conceivable that the URLs are stored encrypted using the dev's public key. He would then be able to retrieve the URLs by downloading the database to his home machine and using his private key there, without them ever being stored in plain text on the database. Good point. Little hints like that FAQ entry, the lack of a proper robots.txt, are instilling in my mind little particles of doubt about the technical abilities of our bitcoin-central friends.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: DavinciJ15 on April 04, 2013, 02:11:06 PM Keep your calm and learn to read. Quote In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption. Thanks but you know how it is when you're upset you read it but your brain did not register it.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: DobZombie on April 04, 2013, 02:14:27 PM I understand that instawallet was a piece of shit and needed to close but...
What the fork has that got to do with bitcoin-central?!? I just put some BTCBTCBTC in there. I go to the bitcoin-central page and it now says INSTAWALLET at the top of it. This stinks of bullshit
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 04, 2013, 02:21:58 PM I understand that instawallet was a piece of shit and needed to close but... What the fork has that got to do with bitcoin-central?!? I just put some BTCBTCBTC in there. I go to the bitcoin-central page and it now says INSTAWALLET at the top of it. This stinks of bullshit Guys, just try to stay calm and read the whole thread before posting and blaming. The safest conclusion so far is that indeed bitcoin-central and instawallet suffered from hacker's attack and they are working towards a solution....and this takes time. We are not dealing with a multi-national company or bank which can restore their system in few hours. So be patient.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: tvbcof on April 04, 2013, 02:41:36 PM Keep your calm and learn to read. Quote In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption. Thanks but you know how it is when you're upset you read it but your brain did not register it. I've deliberately not used my instawallet URL until some word that the claims process is in place. I want to know what info is going to be required, then 'log on' one time and get it done with. What is annoying is that ~davout mentions that the first claimant will be given preference, but does not say when things will be ready. One thing that these guys might think about doing would be to allow users to PM or e-mail them with a heads-up that they are going to be filing a claim for XYZ wallet.
For us users who had one wallet that should reduce fraud quite a bit (under a situation where an attacker managed to get a hold of a large collection of URL's somehow.)
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 04, 2013, 02:49:24 PM I wonder if going to Paris and trying to visit their office would be any use.
I live in the south of the UK and a trip on the Eurostar would be about 1.5 btc at the moment. If there are any other bitcointalk members who have lost maybe we could make a trip of it and see what we can find out. Any donations from other members further afield to cover costs/wages lost from work would be great. And in my case if I get my money back would be repaid in full :) I can assure you my time would be spent standing outside their offices until I get seen and not drinking espresso by the Seine. :) Seriously though, I think for the cost involved it can only be a good idea to get a bit of info.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: DobZombie on April 04, 2013, 02:51:56 PM I understand that instawallet was a piece of shit and needed to close but... What the fork has that got to do with bitcoin-central?!? I just put some BTCBTCBTC in there. I go to the bitcoin-central page and it now says INSTAWALLET at the top of it. This stinks of bullshit Guys, just try to stay calm and read the whole thread before posting and blaming. The safest conclusion so far is that indeed bitcoin-central and instawallet suffered from hacker's attack and they are working towards a solution....and this takes time. We are not dealing with a multi-national company or bank which can restore their system in few hours. So be patient. I did read the whole thread. I've been following it post by post for the last few days. I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owners other business was badly designed. see my issue now?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 04, 2013, 02:59:30 PM I understand that instawallet was a piece of shit and needed to close but... What the fork has that got to do with bitcoin-central?!? I just put some BTCBTCBTC in there. I go to the bitcoin-central page and it now says INSTAWALLET at the top of it.
This stinks of bullshit Guys, just try to stay calm and read the whole thread before posting and blaming. The safest conclusion so far is that indeed bitcoin-central and instawallet suffered from hacker's attack and they are working towards a solution....and this takes time. We are not dealing with a multi-national company or bank which can restore their system in few hours. So be patient. I did read the whole thread. I've been following it post by post for the last few days. I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owners other business was badly designed. see my issue now? What makes you say that "I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owners other business was badly designed."? Your account balances (EUR, USD, GBP and BTC) were not affected by the service interruption. This is the latest update in bitcoin-central
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 04, 2013, 03:00:25 PM I wonder if going to Paris and trying to visit their office would be any use. I live in the south of the UK and a trip on the Eurostar would be about 1.5 btc at the moment. If there are any other bitcointalk members who have lost maybe we could make a trip of it and see what we can find out. Any donations from other members further afield to cover costs/wages lost from work would be great. And in my case if I get my money back would be repaid in full :) I can assure you my time would be spent standing outside their offices until I get seen and not drinking espresso by the Seine. :) Seriously though, I think for the cost involved it can only be a good idea to get a bit of info. Are you sure you know where their offices are?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 04, 2013, 03:05:23 PM I wonder if going to Paris and trying to visit their office would be any use. I live in the south of the UK and a trip on the Eurostar would be about 1.5 btc at the moment. If there are any other bitcointalk members who have lost maybe we could make a trip of it and see what we can find out. Any donations from other members further afield to cover costs/wages lost from work would be great. And in my case if I get my money back would be repaid in full :) I can assure you my time would be spent standing outside their offices until I get seen and not drinking espresso by the Seine. :) Seriously though, I think for the cost involved it can only be a good idea to get a bit of info. Are you sure you know where their offices are? No. But the phone number above got through to Davout and as mentioned before the board members seem credible. Got to be worth a few hundred quid to find out.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: splat44 on April 04, 2013, 03:17:21 PM Here the latest:
In next few days account refund process will begin as explained below:
- Will accept refund in first 90 days, be sure you have your wallet url and key
- Account having less than 50BTC will be refunded
- Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.
Above came from: https://www.instawallet.org/
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: d5000 on April 04, 2013, 03:40:30 PM I did read the whole thread. I've been following it post by post for the last few days. I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owners other business was badly designed. see my issue now? Yes, in the last hours sometimes http://bitcoin-central.net showed the "Instawallet" message. Now they have changed it to the correct message (for the services Paytunia and Bitcoin-Central).
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: greyhawk on April 04, 2013, 04:05:37 PM Bad neighborhood. Better take some resilient people along.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 04, 2013, 04:17:30 PM Bad neighborhood. Better take some resilient people along. Bad neighborhood. Better take some resilient people along. Bad neighborhood. Better take some resilient people along. Lol. C'est pas problem. Je parle francais.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: DobZombie on April 04, 2013, 04:36:02 PM I did read the whole thread. I've been following it post by post for the last few days. I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owners other business was badly designed. see my issue now? Your account balances (EUR, USD, GBP and BTC) were not affected by the service interruption.
This is the latest update in bitcoin-central It did say the same thing on bitcoin-central as it did on Instawallet web site. At the time of posting what I said was correct. This has now been changed. Yes, in the last hours sometimes http://bitcoin-central.net showed the "Instawallet" message. Now they have changed it to the correct message (for the services Paytunia and Bitcoin-Central). I'm a little less worried now
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: greyhawk on April 04, 2013, 04:43:36 PM C'est pas problem. Je parle francais. Alors tu fais. Mais savez tu aussi parler Darija?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: tvbcof on April 04, 2013, 04:55:33 PM C'est pas problem. Je parle francais. Alors tu fais. Mais savez tu aussi parler Darija? This is what I learned about France in school (with google translation.) Typical American education. Il est un pays qui s'appelle la France où les femmes ne portent pas de pantalon Et les hommes se promener avec leur ding-dong traîner. Translated back, it loses some of its rhyme. It came with a catchy little tune which is probably why I remembered it. Maybe it was subtly planted by French infiltrators to provoke future tourism?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Boussac on April 04, 2013, 05:03:36 PM If you are the owner of an instawallet balance, check out this topic I just opened:
Instawallet claim process (https://bitcointalk.org/index.php?topic=167215.0) Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 04, 2013, 06:23:48 PM But is there any news on Bitcoin Central yet? You mentioned 48 hours, then another 48 hours and a 24 hour announcement. Seeing as there has been no such announcement yet, the second 48 hours is going to be crossed as well..
Please focus on communications a bit more. It's quite frustrating to see only so few updates, especially when instawallet is under such pressure. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 05, 2013, 09:25:00 AM I just got someone to answer on this number
Administrative Contact: W3BFLOWS SARL FRANCOIS Michel 34 rue Charles Chefson Bois Colombes, 92270 FR +33.672332684 650cpyijxhkip452kqfs@l.o-w-o.info His name wasn't Michel Francois. He said he worked on a project with a friend of a friend. He sounded like he knew David Francois (the number someone (Hous?)spoke to Davout on and that Michel is his father? He seemed to find the whole thing amusing that I had his number and knew about the hack in general. Seemed genuine but strange his number is listed. ??? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: HATA28 on April 05, 2013, 04:15:03 PM The whole thing with bitcoin-central and paytunia is taking too long.
They better bring them back online ASAP, they've got 40minutes to bring up bitcoin-central back online before the 48hour deadline is reached (again). Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 05, 2013, 05:35:11 PM The whole thing with bitcoin-central and paytunia is taking too long. They better bring them back online ASAP, they've got 40minutes to bring up bitcoin-central back online before the 48hour deadline is reached (again). They just broke this deadline (again). I'm really looking forward to their update now.. it better be good :-\ Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: HATA28 on April 05, 2013, 05:50:46 PM The whole thing with bitcoin-central and paytunia is taking too long. They better bring them back online ASAP, they've got 40minutes to bring up bitcoin-central back online before the 48hour deadline is reached (again). They just broke this deadline (again). I'm really looking forward to their update now.. it better be good :-\ https://bitcointalk.org/index.php?topic=168072.0 Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 05, 2013, 05:55:54 PM All the legal information about the company is here (http://www.societe.com/societe/paymium-533264800.html). For a few euros you can also get the list of the shareholders. The corporate headquarter is in Boulogne. It's in the suburbs of Paris, you can go there with the metro. The offices are probably at the same place but the datacenter (and davout) might be anywhere in or around Paris. Thanks, bud. I feel better now knowing that IW has been found and the police are guarding it as exhibit A. http://farm9.staticflickr.com/8535/8621667579_230a7be7c2.jpg (As they say in the trade, this photo is unretouched.) Sometimes, you just can't make this SHIT up. 
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: willphase on April 05, 2013, 07:07:04 PM FYI some coins in an old instawallet I had from a while back have been moved to a new address as of this morning:
https://blockchain.info/tx/4da598abb6e6b92dc3fb68b095d4aac74eae8c7ac1bba57769772c07173b7673 Will Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 05, 2013, 09:06:50 PM FYI some coins in an old instawallet I had from a while back have been moved to a new address as of this morning: https://blockchain.info/tx/4da598abb6e6b92dc3fb68b095d4aac74eae8c7ac1bba57769772c07173b7673 Will That seems a bit strange if everything is locked down? This must be instawallet moving it around surely? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: willphase on April 05, 2013, 09:08:49 PM That seems a bit strange if everything is locked down? This must be instawallet moving it around surely? Yes - I am not alarmed, they are probably just sweeping the smaller balances into a wallet so they can set up for making payments out to people within the next few days. Will Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 05, 2013, 09:15:27 PM Ok, I have now seen something that i am worried about.
I have checked the address of the coins that I moved from Instawallet just before the site went offline and it is saying that the date of the transfer of the coins out was less than 12 hours after the coins were originally deposited more than 6 months ago. (I do not want to say when that was as I may need to prove identity later.) Is this just the way instawallet worked and the transfer of the coins was to the hot wallet? ???
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 05, 2013, 09:22:03 PM Still have to wait for the claim form and then wait 90 days and then wait for the refund. that's around the end of july !!!! wonder if my singles from bfl will come before my refund?? better still wonder if any of it gets to me?? ::)
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: panoss on April 05, 2013, 09:34:39 PM I think Vircurex is down....lol
this is surreal! Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: ninjaboon on April 05, 2013, 11:02:18 PM I think Vircurex is down....lol this is surreal! Vircurex has some tweets, they are moving to a bigger server due to DDOS. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 05, 2013, 11:49:31 PM There is an update from Bitcoin-Central on their site
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 06, 2013, 12:10:03 AM Where is this claim form then??? ???
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Injust on April 06, 2013, 12:42:50 AM Read:
Quote In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption. Make sense? Or do I need to increase the font size and italicize it too?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: tvbcof on April 06, 2013, 01:02:22 AM Read: Quote In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption. Make sense? Or do I need to increase the font size and italicize it too? Also stated is that the first claim gets priority. This bothers me because an attacker who has the entire database, and possibly the server log records showing IP addresses as well if they were being retained, will probably be paying pretty close attention to the availability of the claims form. He and likely an army of friends will swoop in to claim the high value accounts. Hopefully ~davout/~bousac will have anticipated this. I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: coinuser4000 on April 06, 2013, 01:13:49 AM Read: Quote In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption. Make sense? Or do I need to increase the font size and italicize it too? Also stated is that the first claim gets priority. This bothers me because an attacker who has the entire database, and possibly the server log records showing IP addresses as well if they were being retained, will probably be paying pretty close attention to the availability of the claims form. He and likely an army of friends will swoop in to claim the high value accounts. Hopefully ~davout/~bousac will have anticipated this. 
I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever. I've been wondering this exact thing for the last few days. And how can those people who use Tor to access wallets prove ownership outside of having the url? What if someone gets there before the real owner and claims the coins? How do you dispute that?
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: moni3z on April 06, 2013, 02:22:57 AM Hopefully ~davout/~bousac will have anticipated this. I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever. I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info Glad I only had 0.015 BTC lost there
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: tvbcof on April 06, 2013, 02:52:40 AM Hopefully ~davout/~bousac will have anticipated this. I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever. I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info Glad I only had 0.015 BTC lost there In my opinion, a straight URL like this is not much different than a username/password scheme. Possibly better in some ways as one is unlikely to type it in and get hit with a keystroke logger, use crappy passwords, re-use passwords and get nicked that way, etc, etc. Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off. For a lot of things and not just URL-secured access. On the back end it should be handled with the same sensitivity as a password. Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such. That way loss of the database would not compromise the sensitive data as easily. 
Dunno if this is how the Frenchmen had Instawallet working or not. One very nice feature of Instawallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin. I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way. A private key for a user who had their act together enough to keep a hold of it for situations like the one we are now facing would be kind of a good idea. 20/20 hindsight I guess. Maybe for the next go-around. And I would go right back to using something like Instawallet-II if Paytunia or some other trustworthy entity brings it up...and goes into a little detail about the precautions they took in implementation. edit: spelling
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 06, 2013, 03:39:11 AM Each time I moved my second largest wallet of 123.xxxx (or was it 132.xxxx (seriously)), the wallet would always show that I had 0 bitcoins on BlockChain. When I first encountered this, I paid it no mind for the URL page always showed that I still had the coins in the wallet and was able to transfer them, saving only the URL and not the Bitcoin address.
But a couple weeks or so ago, something else happened I couldn't explain, nor now remember what the heck it was, and soon thereafter I happened upon the concerned thread discussing IW of which I added my concerns. I tried to be as tough as possible with my line of questioning, not wanting to come across as an ass, for I truly liked IW, coupled with having every coin I owned in their control. The responses made enough sense to me, so I put my worries to the side and moved on. I hadn't a clue that they were down for good until a couple days into this mess.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 06, 2013, 07:07:00 AM Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off. For a lot of things and not just URL-secured access. Or, you know, Google Chrome. On the back end it should be handled with the same sensitivity as a password. Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such. That way loss of the database would not compromise the sensitive data as easily. Dunno if this is how the Frenchmen had Instawallet working or not. I agree with you on this point - assuming the hacker was not able to actually access the source code of the process running Instawallet (and I'd assume they'd use compiled source for decrypting), encrypting the URLs would have helped. From what we've read so far, it seems as though a single database table just listed all the URLs.. One very nice feature of Instawallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin. I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way. 
Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: tvbcof on April 06, 2013, 07:40:01 AM ... On the back end it should be handled with the same sensitivity as a password. Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such. That way loss of the database would not compromise the sensitive data as easily. Dunno if this is how the Frenchmen had Instawallet working or not. I agree with you on this point - assuming the hacker was not able to actually access the source code of the process running Instawallet (and I'd assume they'd use compiled source for decrypting), encrypting the URL's would have helped. From what we've read so far, it seems as though a single database table just listed all the URL's.. I'd probably implement it as something that an operator typed in when the process was instantiated (only on server re-boot.) And disable core dumps. I think that I would also have an off-wire method ready to go such that I could quickly re-construct the database with a different key if I felt there was a loss of custody of the original, and it would probably be part of a backup regime which stored the database cold in decrypted format. That's just the off-the-top-of-my-head thoughts on how to deal with the issues. There are probably database implementations which have support for this kind of thing natively I would suspect. One very nice feature of Instwallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin. 
I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way. Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based. I've introduced people to Bitcoin who were far from technically skilled and usually start out by showing them Instawallet, giving them a few coins, and having them e-mail the URL to themselves. Also a stern warning about it being a solution only for chump-change and that more secure ones exist and work like x and y. It is also the case that almost everyone I know (including myself) have lost track of usernames and passwords, and generally hate having to keep track of them and type them in and such. Since I need to keep track of scores of them (literally) I have my own techniques which vary depending on the sensitivity. But it's always a pain in the ass. It's really easy to search my mail for my instawallet link and click on it to get to the thing, and it works on any of my zillion computers. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 06, 2013, 08:02:14 AM Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based. I've introduced people to Bitcoin who were far from technically skilled and usually start out by showing them Instawallet, giving them a few coins, and having them e-mail the URL to themselves. 
Also a stern warning about it being a solution only for chump-change and that more secure ones exist and work like x and y. As long as they're aware of the fact that it's rather unsafe, I guess you're right and it provides for a very convenient way of accessing your funds. Judging by the accounts with over 50 BTC on them, though, this awareness wasn't as widespread. It is also the case that almost everyone I know (including myself) have lost track of usernames and passwords, and generally hate having to keep track of them and type them in and such. Since I need to keep track of scores of them (literally) I have my own techniques which vary depending on the sensitivity. But it's always a pain in the ass. It's really easy to search my mail for my instawallet link and click on it to get to the thing, and it works on any of my zillion computers. At the risk of venturing off-topic: a while ago I was pointed to PwdHash (https://www.pwdhash.com/), and have liked it ever since. It creates unique passwords per site by hashing your master password with the website's domain as a salt :) Especially convenient for services you only access on your own machine(s), so that you can use the Firefox addon - I do still have a few unique passphrases I use for stuff like my e-mail, since it's convenient to be able to access that from other systems. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: moni3z on April 06, 2013, 09:19:27 AM I don't trust any browser kept passwords, browsers are not nor have they ever been remotely secure. They are gigantic blobs of code to leak data everywhere and are a 0day exploit factory. I like the hash idea but it's a browser addon thus only secure for minor sites, anything else should be 2FA
http://www.schneier.com/passsafe.html by Bruce Schneier is good, plus works with Yubikeys Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Joost on April 06, 2013, 10:25:39 AM I like the hash idea but it's a browser addon thus only secure for minor sites, anything else should be 2FA I don't see how the fact that it's a browser addon reduces its security. It does not store your 'seed' password, you type that in each time. What makes it insecure? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: psilos on April 08, 2013, 09:20:41 AM What `s wrong again with bitcoin-central ???
The platform was running for a while but now it's again down for maintenance.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: HATA28 on April 08, 2013, 09:33:31 AM What's wrong again with bitcoin-central ??? Actually, it's online and you can trade again :) The platform was running for a while but now it's again down for maintenance.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: addi on April 08, 2013, 10:21:04 AM What's wrong again with bitcoin-central ??? Actually, it's online and you can trade again :) The platform was running for a while but now it's again down for maintenance. Incorrect, no trades are going through atm
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Raoul Duke on April 08, 2013, 11:54:09 AM No trades and no withdrawals.
I have SEPA transfers and BTC withdrawals pending, the SEPA transfers are still from before it going down. Davout likes to shout that Mtgox works fractional reserve style on their euro accounts but bitcoin-central doesn't look much better to me. ;D Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: nurbili on April 08, 2013, 01:00:16 PM I also have incoming SEPA transfer from 25.03.2013 pending... no reaction on tickets and PMs. :(
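The point made earlier in the thread by tvbcof and Joost (handle the wallet URL on the back end like a password, so that a stolen table is not a list of working URLs), shown as an added example that is not Instawallet's code and not from any poster. It stores a keyed hash (HMAC-SHA256) of the URL secret in place of the "encrypted blob" tvbcof mentions; the table layout, the `wallet.example/w/` path and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import List, Optional, Tuple

# Hypothetical URL layout for this example only; the thread does not give
# Instawallet's real path format.
URL_TEMPLATE = "https://wallet.example/w/{token}"


def new_wallet_token() -> str:
    """Unguessable bearer secret that goes into the wallet URL (256 bits)."""
    return secrets.token_urlsafe(32)


def token_digest(server_key: bytes, token: str) -> str:
    """Keyed hash of the URL secret; this, not the secret, is what is stored."""
    return hmac.new(server_key, token.encode("utf-8"), hashlib.sha256).hexdigest()


class WalletStore:
    """Wallet table that never contains the URL secret itself.

    server_key stands in for the key tvbcof suggests an operator supplies
    when the process starts; it must live outside the database (assumption).
    """

    def __init__(self, server_key: bytes) -> None:
        if len(server_key) < 32:
            raise ValueError("server key must be at least 32 bytes")
        self._key = server_key
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE wallets ("
            " token_digest TEXT PRIMARY KEY,"
            " balance_satoshi INTEGER NOT NULL)"
        )

    def create_wallet(self, balance_satoshi: int = 0) -> str:
        """Create a wallet and return its secret; it is shown to the user once."""
        token = new_wallet_token()
        self._db.execute(
            "INSERT INTO wallets VALUES (?, ?)",
            (token_digest(self._key, token), balance_satoshi),
        )
        return token

    def balance_for(self, token: str) -> Optional[int]:
        """Resolve a presented URL secret by recomputing its keyed hash."""
        row = self._db.execute(
            "SELECT balance_satoshi FROM wallets WHERE token_digest = ?",
            (token_digest(self._key, token),),
        ).fetchone()
        return row[0] if row else None

    def dump_table(self) -> List[Tuple[str, int]]:
        """What someone holding a copy of the table (but not the key) sees."""
        return self._db.execute(
            "SELECT token_digest, balance_satoshi FROM wallets"
        ).fetchall()


if __name__ == "__main__":
    store = WalletStore(secrets.token_bytes(32))  # constructed key for the demo
    token = store.create_wallet(balance_satoshi=150_000)
    print("URL given to the user:", URL_TEMPLATE.format(token=token))
    print("Balance via URL secret:", store.balance_for(token))
    for digest, balance in store.dump_table():
        # The dump exposes balances but no string that opens a wallet.
        print("row in leaked table:", digest, balance)
```

With a keyed hash the table cannot be re-keyed without the original URL secrets, which is the trade-off against the reversible encrypted blob tvbcof describes.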
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: 1PFYcabWEwZFm2Ez5LGTx3ftz on April 08, 2013, 04:09:34 PM "BTC withdraws will be processed manually for the next couple of days until we switch back to immediate automatic withdraws.
This temporary restriction is meant to allow careful monitoring of our operations in the initial phase of the recovery." This looks way too much like Cyprus situation. Oh, the irony. Why oh why on Earth would you do this? Why open the website for trade, but not allow people to withdraw? Even if you are sincere about "is meant to allow careful monitoring of our operations", don't you see how messed up this looks to your users? I didn't lose my trust when you were hacked, I didn't lose my trust when you were offline for a week, I didn't lose my trust when the deadline for re-opening the website was extended several times, but NOW I lost any trust I had in you. I am withdrawing everything I have (assuming that will be possible at all; my bitcoin withdrawal is "pending" for ~36 hours now), and never using your website again. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Spaceman_Spiff on April 08, 2013, 05:54:56 PM I can trade just fine.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: 1PFYcabWEwZFm2Ez5LGTx3ftz on April 08, 2013, 06:03:08 PM I can trade just fine. Yes, but you can't withdraw.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: 1PFYcabWEwZFm2Ez5LGTx3ftz on April 09, 2013, 12:35:31 PM UPDATE:
My withdrawal finally got completed (after more than 48 hours), but now bitcoin-central is down again. I still had some funds there which I was not yet able to withdraw. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: davebodger on April 09, 2013, 01:47:52 PM Bitcoin-Central still down as of now (for me at least).
Anyone heard an explanation for this downtime yet? Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: jonytk on April 09, 2013, 03:22:37 PM Bitcoin-Central still down as of now (for me at least). Anyone heard an explanation for this downtime yet? It's down for me now.... :( GRRR first it has the highest prices, 2nd no mtgox vouchers or similar to add funds/withdraw funds, wake up btc-c, hire more people! you are losing money in volume! Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: glub0x on April 09, 2013, 03:34:36 PM Starting to freak/piss me off i have a non trivial amount of euro there because of there "we are insured thing" but it looks like nothing is working properly.
No answer on the help desk for 2 week now (yeah 1 week crash i know but still). Sepa Withdraw also blocked for 2 weeks. Continuous crash. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: scarce on April 09, 2013, 04:30:47 PM I believe they are doing what they can. They are under DDOS now, you can obtain alternative link to the site if you are verified. All info from https://twitter.com/Bitcoin_Central
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: drb on April 09, 2013, 04:45:11 PM Thanks for the info! Pretty sad situation, both btc24 and bc appear to be under attack ...
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Injust on April 11, 2013, 07:56:24 PM New Instawallet Notice:
Quote Instawallet is closed Visit your wallet's URL to file a claim. Submit your claim now: claims will be processed in the order they were received. Multiple claims for a same wallet will require more time to process. The claim process started April 11, 2013 at 10PM CEST. I visited a few of my Instawallet URLs, but there was still a 404 error? IDK. EDIT: Now, when I visit the main Instawallet site, it's an infinite load loop? :P Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 11, 2013, 08:44:06 PM New Instawallet Notice: Quote Instawallet is closed Visit your wallet's URL to file a claim. Submit your claim now: claims will be processed in the order they were received. Multiple claims for a same wallet will require more time to process. The claim process started April 11, 2013 at 10PM CEST. I visited a few of my Instawallet URLs, but there was still a 404 error? IDK. EDIT: Now, when I visit the main Instawallet site, it's an infinite load loop? :P Great! I just checked all three of my IW URLs, and each showing O BTC residing in wallets of which addresses weren't supplied. Upon refreshing one of the pages, I'm once again greeted with the static home page, indicative of doing the same for the other two. Madness! Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: pyedpyper on April 11, 2013, 08:46:07 PM New Instawallet Notice: Quote Instawallet is closed Visit your wallet's URL to file a claim. Submit your claim now: claims will be processed in the order they were received. Multiple claims for a same wallet will require more time to process. The claim process started April 11, 2013 at 10PM CEST. I visited a few of my Instawallet URLs, but there was still a 404 error? IDK. EDIT: Now, when I visit the main Instawallet site, it's an infinite load loop? :P Same here, 404 error on all 5 of my wallet addresses. 
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 11, 2013, 08:49:21 PM New Instawallet Notice: Quote Instawallet is closed Visit your wallet's URL to file a claim. Submit your claim now: claims will be processed in the order they were received. Multiple claims for a same wallet will require more time to process. The claim process started April 11, 2013 at 10PM CEST. I visited a few of my Instawallet URLs, but there was still a 404 error? IDK. EDIT: Now, when I visit the main Instawallet site, it's an infinite load loop? :P Same here, 404 error on all 5 of my wallet addresses. You guys are so lucky! I don't even get a 404 error, just the endless fruit-loop (actually stops at the static page, but that wouldn't have worked as humor). Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Injust on April 11, 2013, 09:16:43 PM New Instawallet Notice: Quote Instawallet is closed Visit your wallet's URL to file a claim. Submit your claim now: claims will be processed in the order they were received. Multiple claims for a same wallet will require more time to process. The claim process started April 11, 2013 at 10PM CEST. I visited a few of my Instawallet URLs, but there was still a 404 error? IDK. EDIT: Now, when I visit the main Instawallet site, it's an infinite load loop? :P Same here, 404 error on all 5 of my wallet addresses. You guys are so lucky! I don't even get a 404 error, just the endless fruit-loop (actually stops at the static page, but that wouldn't have worked as humor). For my wallet URLs, I get the 404 error, but for the main site, I get the endless fruit-loop :D Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 11, 2013, 09:20:11 PM No apologies for the cross-post:
What the fuck is this?: https://www.instawallet.org/ (very top) Damn. That doesn't look good. Quote <html> <head> <title>Instawallet</title> <!-- RIP 2011 - 2013 --> <!-- You had your time when coins weren't so precious. --> EDIT: Correct URL and adding an image: view-source:https://www.instawallet.org/ http://farm9.staticflickr.com/8241/8640417063_b337e3d854_b.jpg You had your time when coins weren't so precious. Goodbye, bitcoins. I tried to protect you. Enjoy your new life in Pattaya. http://travelony.files.wordpress.com/2009/04/pattaya-100.jpg
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Injust on April 11, 2013, 09:27:53 PM WTF
Look at instawallet.org's source code now: Code: <!DOCTYPE html> It was made PURPOSELY to keep refreshing the site. WTF. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Injust on April 12, 2013, 11:26:28 AM Okay, Instawallet website has been back up for a while.
The wallet URLs also work now. File your claims!
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: hous on April 13, 2013, 03:56:06 PM No apologies for the cross-post: What the fuck is this?: https://www.instawallet.org/ (very top) Damn. That doesn't look good. Quote <html> <head> <title>Instawallet</title> <!-- RIP 2011 - 2013 --> <!-- You had your time when coins weren't so precious. --> EDIT: Correct URL and adding an image: view-source:https://www.instawallet.org/ http://farm9.staticflickr.com/8241/8640417063_b337e3d854_b.jpg You had your time when coins weren't so precious. Goodbye, bitcoins. I tried to protect you. Enjoy your new life in Pattaya. http://travelony.files.wordpress.com/2009/04/pattaya-100.jpg i love that place.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: jonytk on April 14, 2013, 03:49:25 AM Oh boy, is this for real? I mean, posts like this can really damage the confidence of the people.
i sincerely hope they are upgrading their security and hiring more people, just look at what happened with bitcoin-24, it's really bad news, especially for the ones that bought bitcoin at 180€ i guess i will withdraw my 2 coins to a coldwallet and come back in a few years.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: steelboy on April 15, 2013, 08:19:26 AM Any news on how many claims are coming in Boussac?
Also, have you got the details of the crime reported with BEFTI? I need to pass the info to my insurance provider. Thanks Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: pyedpyper on April 15, 2013, 07:05:14 PM I have started a new thread https://bitcointalk.org/index.php?topic=177317.0 about Boussac's refusal to provide the police report reference number.
I invite anyone who shares my point of view to provide comment there. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: tremtie on April 17, 2013, 07:21:39 PM What the fuck is this?: https://www.instawallet.org/ (very top) Quote <html> <head> <title>Instawallet</title> <!-- RIP 2011 - 2013 --> <!-- You had your time when coins weren't so precious. --> Could simply mean that weak security was good enough when btc weren't so expensive, but now the instawallet model won't work. Trying to put a positive spin on this ... I'd hate to believe paymium is intentionally swindling people. If they were, there would be hell to pay. Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: pyedpyper on April 17, 2013, 07:34:01 PM Any news on how many claims are coming in Boussac? Also, have you got the details of the crime reported with BEFTI? I need to pass the info to my insurance provider. Thanks A reasonable request methinks... Still refusing to answer, Boussac? :) Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 17, 2013, 09:39:50 PM Any news on how many claims are coming in Boussac? Also, have you got the details of the crime reported with BEFTI? I need to pass the info to my insurance provider. Thanks A reasonable request methinks... Still refusing to answer, Boussac? :) Sure it's reasonable, hence Boussac putting him on his ignore list after he posted such a kind request. In his mind, it's fuck you and your insurance computer, for I got mine after all this time providing a free service to all you dumb fucks. Here's a question: Does that mean that all the other principles are also ignoring this very important issue? Nary a one has come to our rescue. Sure the hell says a lot of them, don't you think? Time to hunt down their accounts and see if they too have gone dark just like davout. 
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 17, 2013, 11:36:04 PM This is Boussac's response when you ask for a police report number:
Unignore I see how the game is played now: Hack your own sites, claim money was stolen, claim to fill out a police report, ignore all requests from those who entrusted you with their assets, then call them trolls for requesting a simple number to set them at ease. You sir, are one sick mother fucker! Couldn't agree more... All ease aside, the one hint is the lack of a police report number (and possibly them being one sick motherfuckers). Ignore http://www.e-ducat.fr/wp-content/uploads/2013/04/movieposterbruno-e1366238359313.jpg Meanwhile, I will have to wait till after the 90 days that he has set before I even have a chance in hell to ever see my bitcoins again. This guy is one sick motherfucker!
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: molecular on April 24, 2013, 07:49:59 PM https://i.imgur.com/yZ0d16Fl.png (https://i.imgur.com/yZ0d16F.png)
goddamnit, again?!? thread: https://bitcointalk.org/index.php?topic=186609.0
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Nicolai on April 24, 2013, 11:04:31 PM "2 identical hacks in 2 days for #bitcoin services hosted at #OVH. @olesovhcom your manager will reset a password without e-mail confirmation"
https://twitter.com/Bitcoin_Central/status/327131323342942209 Looks like OVH is to blame >:( And srsly host critical websites on your own servers, don't trust OVH/Linode or anyone :(
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: DPoS on April 24, 2013, 11:09:24 PM glad i never heard of them until now
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: greyhawk on April 24, 2013, 11:20:19 PM glad i never heard of them until now They are only the biggest hosting company in the world.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: repentance on April 24, 2013, 11:21:03 PM "2 identical hacks in 2 days for #bitcoin services hosted at #OVH. @olesovhcom your manager will reset a password without e-mail confirmation" https://twitter.com/Bitcoin_Central/status/327131323342942209 Looks like OVH is to blame >:( And srsly host critical websites on your own servers, don't trust OVH/Linode or anyone :( Nope, they chose their hosting service. If they chose a hosting service which allows password resets without adequate verification, that's on them, not the hosting service. It'd be interesting to know if there was a more secure option available to them with OVH and they simply chose not to use it (which has happened in the past with other intrusions - the services haven't paid for full database back up or haven't utilised all the security options available to them).
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Nicolai on April 24, 2013, 11:28:55 PM ^ if they had chosen a cheap crappy provider, then I would agree, but AFAIK then OVH isn't known for "being crappy" or using insecure/outdated software on their systems.
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: DPoS on April 24, 2013, 11:52:25 PM glad i never heard of them until now They are only the biggest hosting company in the world. and thank god not the ONLY one
Title: Re: Instawallet/Bitcoin-Central Security Breach Post by: Phinnaeus Gage on April 25, 2013, 02:36:53 AM http://www.webhostingtalk.com/showthread.php?t=1193737
Quote Hosting won't keep you safe if the actual source code is vulnerable. The only way to protect is to see how the attacks happen. That is what we do when we work with clients. We check logs to see what really is going on. In this case it sounds like it is the code and not web hosting.