Bitcoin Forum

Economy => Service Discussion => Topic started by: Injust on April 01, 2013, 06:49:55 PM



Title: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 01, 2013, 06:49:55 PM
Message on their site:

Quote
Down for Maintenance
We have detected a security breach. Services are temporarily suspended until we have thoroughly investigated the situation. We will resume services as soon as possible.

Please do not send funds to your address for the time being.

Stay tuned for further updates, thank you for your understanding.

What do you think?


Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 07:04:21 PM
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...

https://bitcointalk.org/index.php?topic=159673.0

However the bug I found only impacted about 3000 of their clients and roughly 100 bitcoins max,  what's showing up on that screen is something bigger (at least big enough to shut down the whole freaking site)  and most likely unrelated,  because mine was just that Google was listing people's wallets....  and they banned it in Google Webmaster tools, so that issue is resolved...   that notice though is all sorts of red flags..









Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:08:19 PM
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...

https://bitcointalk.org/index.php?topic=159673.0

However the bug I found only impacted about 3000 of their clients,  what's showing up on that screen is something bigger and most likely unrelated,  because mine was just that Google was listing people's wallets....  and they banned it in Google Webmaster tools, so that issue is resolved...   that notice though is all sorts of red flags..

Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it :)


Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 07:09:19 PM

Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it :)

LOL, I hope you're kidding, right?  robots.txt wasn't the problem ...    Google lists your stuff even with a robots.txt ban...  you have to ban it in Webmaster Tools ... not via robots.txt ... robots.txt just says "don't spider me"  it doesn't say "don't list me"

Google lists your urls regardless of what the robots.txt says.

I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all.

see, under each URL there is "a description not available due to robots.txt"  but they still listed the freaking URLs.

http://www.adaptiveglass.com/instawallet/1.jpg
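The distinction the founder draws above (robots.txt governs whether a crawler fetches a page, not whether the URL gets listed) can be checked mechanically. The Python below is an added example, not code from this thread or from Instawallet; the robots.txt texts, the `/w/` wallet path and the response headers are constructed for illustration. It models how a robots.txt-respecting search engine treats a URL under each configuration, including the caveat that a `noindex` directive is only honoured if the crawler is allowed to fetch the page in the first place.

```python
"""Crawl control vs. index control for secret-bearing URLs (added example)."""
from urllib.robotparser import RobotFileParser

# Constructed robots.txt variants: one that blocks crawling of the wallet
# path and one that allows it.
ROBOTS_DISALLOW = "User-agent: *\nDisallow: /w/\n"
ROBOTS_ALLOW = "User-agent: *\nDisallow:\n"


def wallet_response_headers() -> dict:
    """Headers a wallet-style page should send so that a crawler which does
    fetch it neither indexes it nor follows its links, and so that the
    browser does not leak the URL to third parties via the Referer header."""
    return {
        "X-Robots-Tag": "noindex, nofollow",
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }


def search_exposure(robots_txt: str, path: str, headers: dict,
                    linked_elsewhere: bool) -> str:
    """Classify how a robots.txt-respecting search engine would treat `path`.

    Returns one of:
      'listed-with-content'  crawled and indexed, snippet shown
      'listed-url-only'      not crawled, but the bare URL is still listed
                             because another page links to it
      'not-listed'           absent from the index
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawlable = rp.can_fetch("*", path)
    noindex = "noindex" in headers.get("X-Robots-Tag", "").lower()

    if not crawlable:
        # The crawler never fetches the page, so it never sees a noindex
        # directive; a Disallow rule only suppresses the snippet, not the URL.
        return "listed-url-only" if linked_elsewhere else "not-listed"
    if noindex:
        return "not-listed"
    return "listed-with-content"


def audit() -> dict:
    """Run the configurations a site owner is likely to try, against a
    constructed wallet path that some other page links to."""
    path = "/w/constructed-secret-token"
    hardened = wallet_response_headers()
    return {
        "robots-only": search_exposure(ROBOTS_DISALLOW, path, {}, True),
        "nothing": search_exposure(ROBOTS_ALLOW, path, {}, True),
        "noindex-header": search_exposure(ROBOTS_ALLOW, path, hardened, True),
        # Blocking the crawl AND sending noindex: the header is never seen.
        "robots-plus-noindex": search_exposure(ROBOTS_DISALLOW, path, hardened, True),
    }


if __name__ == "__main__":
    for name, outcome in audit().items():
        print(f"{name:20s} -> {outcome}")
```

The "robots-only" and "robots-plus-noindex" cases both come out as `listed-url-only`, which is exactly the "description not available due to robots.txt" listing described above. Headers only reduce exposure of a URL that has already leaked through links or referrers; the durable fix is to keep the secret out of the URL altogether.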





Title: Re: Instawallet Security Breach
Post by: molecular on April 01, 2013, 07:12:44 PM
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0


Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:14:11 PM

Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it :)

LOL, I hope you're kidding, right?  robots.txt wasn't the problem ...    Google lists your stuff even with a robots.txt ban...  you have to ban it in Webmaster Tools ... not via robots.txt ... robots.txt just says "don't spider me"  it doesn't say "don't list me"

Google lists your urls regardless of what the robots.txt says.

I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all.

see, under each URL there is "a description not available due to robots.txt"  but they still listed the freaking URLs.

http://www.adaptiveglass.com/instawallet/1.jpg





AFAIK, that's behind the configuration of the robots.txt file. It should be capable of being configured so that the Google bot doesn't even visit the domain :P


Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:14:43 PM
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0


The maintenance notice is identical. This suggests the same team is running both.

And yes, it IS the same team.


Title: Re: Instawallet Security Breach
Post by: moni3z on April 01, 2013, 07:15:03 PM
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0


yep, and instawire.org which disappeared
for a while it was showing an error page with a list of all their directories. saw a lot of ruby gems there not good, anybody remember the insecure gems fiasco a few months ago?


Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:16:54 PM

Yeah, they put a simple robots.txt.
Seems strange how long it took them to do that. I think it was already a known issue before you reported it :)

LOL, I hope you're kidding, right?  robots.txt wasn't the problem ...    Google lists your stuff even with a robots.txt ban...  you have to ban it in Webmaster Tools ... not via robots.txt ... robots.txt just says "don't spider me"  it doesn't say "don't list me"

Google lists your urls regardless of what the robots.txt says.

I would have to say there is as much blame on Google's side as there was at instawallet's... they have people believing that robots.txt ban means don't list the urls... which is not the case at all.





I don't understand any of this robots stuff :/

Basically, was the problem you uncovered something that could see urls then?

I only ever check my instawallet through tor.

I am a little worried at the moment, should I just chill out?


Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:17:43 PM
I just hope that Instawallet has a backup of how many Bitcoins belong to how many people and each URL :P
I have only BTC0.012, but that's a lot to me :P Considering that I'm a faucet loiterer and penny dust collector :D


Title: Re: Instawallet Security Breach
Post by: molecular on April 01, 2013, 07:18:20 PM
this doesn't sound good at all.


Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:19:32 PM
this doesn't sound good at all.


Literally shitting myself


Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 07:19:51 PM
I am a little worried at the moment, should I just chill out?

Too early to tell, but either way the lesson will be "trust no one to hold your coins".


Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:21:37 PM
But there were 3.5million wallets. Is it just limited to 3000?


Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:21:40 PM
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0


The maintenance notice is identical. This suggests the same team is running both.


Injust, the solution to this problem is not robots.txt. The solution is not using URLs as private keys in the first place.



Well, I guess that Instawallet's way of doing things was for convenience, rather than security.
Not that security isn't important, but still.


Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 07:22:47 PM
But there were 3.5million wallets. Is it just limited to 3000?

We don't know if the problem is related to that, or another problem entirely.  We don't know if coins were stolen, lost, looked at, fondled, or licked.  Just have to wait for official statements at this point.


Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:24:49 PM
If this is davout's kind of an April Fools' joke, I'm never using Instawallet again.
Promise.


Title: Re: Instawallet Security Breach
Post by: moni3z on April 01, 2013, 07:27:08 PM
I don't use instawallet anyways. If you want quick transactions download Electrum client, or just use the regular ol' Bitcoin-qt because we all learned our lesson from mybitcoin right


Title: Re: Instawallet Security Breach
Post by: dree12 on April 01, 2013, 07:27:15 PM
But there were 3.5million wallets. Is it just limited to 3000?

We don't know if the problem is related to that, or another problem entirely.  We don't know if coins were stolen, lost, looked at, fondled, or licked.  Just have to wait for official statements at this point.

We know that they think that it is OK to have authorization information in clear text in the URL to allow access to financial accounts. This tells you all you need to know. Whoever runs it has no clue.


The system would be perfectly secure if not for Google Chrome.


Title: Re: Instawallet Security Breach
Post by: bitcoinnix on April 01, 2013, 07:28:42 PM
Literally shitting myself
Literally?


Title: Re: Instawallet Security Breach
Post by: deadweasel on April 01, 2013, 07:28:46 PM
But there were 3.5million wallets. Is it just limited to 3000?

We don't know if the problem is related to that, or another problem entirely.  We don't know if coins were stolen, lost, looked at, fondled, or licked.  Just have to wait for official statements at this point.

Hopefully they were only fondled and licked.  My bitcoins like that.  :/


Title: Re: Instawallet Security Breach
Post by: molecular on April 01, 2013, 07:31:24 PM
If this is davout's kind of an April Fools' joke, I'm never using Instawallet again.
Promise.

That would be a kind of humor almost inexcusable. I doubt that.

I think the coins were licked. (not based on anything, just because that's funny as hell)



Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 07:34:11 PM
Can't you guys tell if your bitcoins were sucked dry via blockexplorer?   If not then it's no biggie... but if for some idiotic reason you kept 2000 bitcoins there and now blockexplorer is saying they are not there anymore then you have a problem.





Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 07:34:33 PM
http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy


Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 07:35:46 PM
(Instawallet Cold Storage)  transferring from there?   Holy shit.....

Watch now it will give people an excuse to sell,  not thinking that the vast majority of people at instawallet only keep pennies there...

Still if they are moving around 41,854.59 BTC  that's something big.






Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:37:39 PM
Can't you guys tell if your bitcoins were sucked dry via blockexplorer?   If not then it's no biggie... but if for some idiotic reason you kept 2000 bitcoins there and now blockexplorer is saying they are not there anymore then you have a problem.





What do you need to check this?

I only have the URLs, I do not have the address related to that, can I do anything?




Title: Re: Instawallet Security Breach
Post by: moni3z on April 01, 2013, 07:41:36 PM
Can't you guys tell if your bitcoins were sucked dry via blockexplorer?   If not then it's no biggie... but if for some idiotic reason you kept 2000 bitcoins there and now blockexplorer is saying they are not there anymore then you have a problem.





What do you need to check this?

I only have the URLs, I do not have the address related to that, can I do anything?


Don't give us the URLS :P lol
You're supposed to cut+paste the bitcoin address your URL leads to so you can watch it with the blockchain.
You're also supposed to only keep pocket change on instawallet or any online wallet service.

Did you ever send money to that address using another service? there will be a record of transactions probably, find your instawallet address there


Title: Re: Instawallet Security Breach
Post by: repentance on April 01, 2013, 07:42:46 PM
Too early to tell, but either way the lesson will be "trust no one to hold your coins".

For about two weeks.  History shows that people repeatedly leave their funds with wallet services and exchanges no matter how many times those types of services lose user funds.  I doubt that is going to change any time soon.

If this is in any way connected to the vulnerability which was publicly discussed last week then Instawallet needs to explain why they didn't take the service offline until that vulnerability was fixed.


Title: Re: Instawallet Security Breach
Post by: Scott J on April 01, 2013, 07:43:39 PM
Too early to tell, but either way the lesson will be "trust no one to hold your coins".
If this is in any way connected to the vulnerability which was publicly discussed last week then Instawallet needs to explain why they didn't take the service offline until that vulnerability was fixed.  The password clue for their own wallet was made public, for fuck's sake.
Source?


Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 07:46:23 PM
If this is right:


http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy

and the spot price is right 103.02

http://www.ounce.me

You're looking at a $4,311,859.86 bank heist

Again I am hoping I am wrong....    in the scope of things a 4.3 million dollar bank heist (4.3 pizzas)  is not huge overall... but you know there will be headlines on Forbes and shit.




Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:50:57 PM
Oh fuck


Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 07:52:06 PM
Oh fuck

Deep breaths. Remember, we really don't know anything right now.


Title: Re: Instawallet Security Breach
Post by: repentance on April 01, 2013, 07:54:38 PM
Too early to tell, but either way the lesson will be "trust no one to hold your coins".
If this is in any way connected to the vulnerability which was publicly discussed last week then Instawallet needs to explain why they didn't take the service offline until that vulnerability was fixed.  The password clue for their own wallet was made public, for fuck's sake.
Source?

Sorry about that, it was StrongCoin's wallet hint which was made public.  There were discussions elsewhere last week regarding vulnerabilities of a number of wallet services.  The Instawallet vulnerability did display the user's wallet hint, though.

https://bitcointalk.org/index.php?topic=159983.msg1691505#msg1691505



Title: Re: Instawallet Security Breach
Post by: Nick on April 01, 2013, 07:55:34 PM
Oh fuck

Deep breaths. Remember, we really don't know anything right now.

But now that the cat is out of the bag, paymium should clarify ASAP if the emptying of the cold wallet was done by them or by a thief.


Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 07:56:17 PM
Oh fuck

Deep breaths. Remember, we really don't know anything right now.

But now that the cat is out of the bag, paymium should clarify ASAP if the emptying of the cold wallet was done by them or by a thief.

No doubt.  Every minute of silence is bad for them no matter WHAT the outcome.


Title: Re: Instawallet Security Breach
Post by: moni3z on April 01, 2013, 07:57:28 PM
Unless of course this is their sick april fools day joke


Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 07:58:52 PM
Unless of course this is their sick april fools day joke

I've always said nothing could offend me when it comes to jokes.

I might have been wrong.


Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 08:00:33 PM
No doubt.  Every minute of silence is bad for them no matter WHAT the outcome.

You are right.


Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 08:06:09 PM
No doubt.  Every minute of silence is bad for them no matter WHAT the outcome.

You are right.


I'm always right  :D

I find it strange that the two big transactions at http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still unconfirmed.  Any reason for this besides someone trying to spend coin that isn't there?


Title: Re: Instawallet Security Breach
Post by: NamLaLai on April 01, 2013, 08:06:43 PM
Yeah, a few words from the people behind Instawallet would be very much appreciated, by all of us I guess. I'm still looking at dust in my wallet so not much lost if it goes belly up, but there might be quite a few that are about to get some sweaty hands soon....

If such a large transaction is underway, is there then nobody that raises an eyebrow and lifts a finger?


Title: Re: Instawallet Security Breach
Post by: uuidman on April 01, 2013, 08:09:30 PM
I might be confusing people, but isn't davout behind both instawallet and bitcoin-central, who also "detected a security breach"? https://bitcointalk.org/index.php?topic=164132.0


yep, and instawire.org which disappeared
for a while it was showing an error page with a list of all their directories. saw a lot of ruby gems there not good, anybody remember the insecure gems fiasco a few months ago?

No, I only remember that Rails had problems and a lot of sites weren't quick enough, bad processes really. Is that what you're referring to? Or was it something else and bitcoin-related and I missed it.


Title: Re: Instawallet Security Breach
Post by: Merralea on April 01, 2013, 08:10:46 PM
Bitcoin users that trust nobody not affected.
Bitcoin users that trust nobody, but chose to move funds around at the worst time humanly possible, very much affected.


Title: Re: Instawallet Security Breach
Post by: SgtSpike on April 01, 2013, 08:11:57 PM
Well, this is interesting...


Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 08:12:16 PM
There might be good news to this,  the fact that they had bitcoins in cold storage in the first place to help repopulate what they lost might be a good sign.



Title: Re: Instawallet Security Breach
Post by: moni3z on April 01, 2013, 08:12:31 PM
Quote
I find it strange that the two big transactions at http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still unconfirmed.  Any reason for this besides someone trying to spend coin that isn't there?

maybe the thief was too cheap to pay txn fees :)


Title: Re: Instawallet Security Breach
Post by: beala on April 01, 2013, 08:13:04 PM
Someone on HN pointed out that the transfer happened an hour or two before the site went down. Can anyone confirm this? It looks like the transfer happened about an hour before *this thread* appeared, but did this thread start immediately after the site came down?

https://news.ycombinator.com/item?id=5475389


Title: Re: Instawallet Security Breach
Post by: Nick on April 01, 2013, 08:13:52 PM
Quote
I find it strange that the two big transactions at http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still unconfirmed.  Any reason for this besides someone trying to spend coin that isn't there?

maybe the thief was too cheap to pay txn fees :)
Actually the tx fees are 0.10 BTC each. 10 USD!


Title: Re: Instawallet Security Breach
Post by: keverw on April 01, 2013, 08:15:45 PM
Maybe the cold storage or some wallet got compromised, and they are moving it to a new wallet... Or maybe the owners of the site are pretending they were hacked, then cash out, then go live on an island somewhere... Hard to tell really. Guess time will tell. I didn't use Instawallet but I have a feeling lots of newbies used it because of its convenience.


Title: Re: Instawallet Security Breach
Post by: gbl08ma on April 01, 2013, 08:18:00 PM
You're supposed to cut+paste the bitcoin address your URL leads to so you can watch it with the blockchain.

That will do nothing but make users panic when they see value moving out of that address. The address Instawallet associates/associated with a certain URL is used only for depositing, increasing your balance in Instawallet's internal DB. Then once the money is thrown into the Instawallet system, it can be taken from these deposit addresses without having the user send money out of the wallet. In other words, the balance of an Instawallet wallet is unrelated to the balance, verifiable with the blockchain, of the deposit address for that wallet.

Also, before Instawallet and Bitcoin Central went down, users had trouble sending money out - https://bitcointalk.org/index.php?topic=163918.0 . I already said this in another thread about this Instawallet security breach, but now I found the link to that thread. I think this has something to do with the hot wallet being empty - now who or what caused it to empty is another story... what do you think?


Title: Re: Instawallet Security Breach
Post by: molecular on April 01, 2013, 08:31:01 PM
Quote
I find it strange that the two big transactions at http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still unconfirmed.  Any reason for this besides someone trying to spend coin that isn't there?

maybe the thief was too cheap to pay txn fees :)
Actually the tx fees are 0.10 BTC each. 10 USD!

hm, blockexplorer doesn't know about the large transactions: http://blockexplorer.com/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy


Title: Re: Instawallet Security Breach
Post by: d5000 on April 01, 2013, 08:34:33 PM
[Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins and euros are safe and will not be affected by the security breach. We have taken the websites off-line for proper investigation.

The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control.

We thank you for your patience and will provide updates exclusively on this page as they come in. We are committed to resuming service as soon as possible. Expect normal service to resume within 48 hours.


----

Deep breath ...


Title: Re: Instawallet Security Breach
Post by: the founder on April 01, 2013, 08:40:25 PM
They failed to mention instawallet ?   Why?


Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 08:40:55 PM
Does that include instawallet?

And is this user reliable?



Title: Re: Instawallet Security Breach
Post by: twolifeinexile on April 01, 2013, 08:41:33 PM
[Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins and euros are safe and will not be affected by the security breach. We have taken the websites off-line for proper investigation.

The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control.

We thank you for your patience and will provide updates exclusively on this page as they come in. We are committed to resuming service as soon as possible. Expect normal service to resume within 48 hours.


----

Deep breath ...
The wording "exclusive control" is also odd to me, sounds like someone stole it (internal employee?) and they discovered it and forced the guy to give back the key?


Title: Re: Instawallet Security Breach
Post by: molecular on April 01, 2013, 08:43:08 PM
I locked my thread https://bitcointalk.org/index.php?topic=164132.msg1717292#msg1717292 (about the Bitcoin-Central security breach) and told people to come here.

Injust, can you please change thread title to include "bitcoin central"?


Title: Re: Instawallet Security Breach
Post by: pof on April 01, 2013, 08:44:04 PM
[Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins and euros are safe and will not be affected by the security breach. We have taken the websites off-line for proper investigation.

The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control.

We thank you for your patience and will provide updates exclusively on this page as they come in. We are committed to resuming service as soon as possible. Expect normal service to resume within 48 hours.


----

Deep breath ...

What's the site?


Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 08:44:22 PM
twolifeinexile, nahh it just means that they and only they control it. Could just as well say "it is our address".


But exclusive control sounds so much COOLER.


Title: Re: Instawallet Security Breach
Post by: Joost on April 01, 2013, 08:44:51 PM
They sure kept us in a state of panic for a while there! Glad to see it's all working out fine :)

[Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins and euros are safe and will not be affected by the security breach. We have taken the websites off-line for proper investigation.

The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control.

We thank you for your patience and will provide updates exclusively on this page as they come in. We are committed to resuming service as soon as possible. Expect normal service to resume within 48 hours.


----

Deep breath ...

What's the site?

It's showing up on https://bitcoin-central.net/

So far it hasn't appeared on Paytunia and Instawallet yet, but as the Instawallet transaction was to the same address I can only assume that those funds are safe as well.


Title: Re: Instawallet Security Breach
Post by: lucb1e on April 01, 2013, 08:47:38 PM
either way the lesson will be "trust no one to hold your coins".
Seconded


Title: Re: Instawallet Security Breach
Post by: uhoh on April 01, 2013, 08:49:37 PM
Glad this one has panned out OK (or will do once that transaction actually confirms)

As the value of bitcoin goes up, so does the number (and the combined skillset) of hackers wanting to relieve people and businesses of coins. There is only so well prepared these companies can be, as seen by the social-engineering hack on BitInstant.


Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 08:50:12 PM
They sure kept us in a state of panic for a while there! Glad to see it's all working out fine :)

[Apr-1 10:30 CET] Bitcoin-Central and Paytunia update: Our customer's bitcoins and euros are safe and will not be affected by the security breach. We have taken the websites off-line for proper investigation.

The address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy is under our exclusive control.

We thank you for your patience and will provide updates exclusively on this page as they come in. We are committed to resuming service as soon as possible. Expect normal service to resume within 48 hours.


----

Deep breath ...

What's the site?

It's showing up on https://bitcoin-central.net/

So far it hasn't appeared on Paytunia and Instawallet yet, but as the Instawallet transaction was to the same address I can only assume that those funds are safe as well.

I hope so. I really do.



Title: Re: Instawallet Security Breach
Post by: mccorvic on April 01, 2013, 08:50:48 PM
Glad this one has panned out OK (or will do once that transaction actually confirms)

Strange that they're still unconfirmed.


Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 08:51:44 PM
Someone on HN pointed out that the transfer happened an hour or two before the site went down. Can anyone confirm this? It looks like the transfer happened about an hour before *this thread* appeared, but did this thread start immediately after the site came down?

https://news.ycombinator.com/item?id=5475389

I made the thread after I tried to access my Instawallet and couldn't. I have no idea when it went down.


Title: Re: Instawallet Security Breach
Post by: Nick on April 01, 2013, 08:52:26 PM
They should sign a message with that address to prove it's under their exclusive control.


Title: Re: Instawallet Security Breach
Post by: gbl08ma on April 01, 2013, 08:52:31 PM
Signing a message with 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy would be appropriate... also, a message at a website which may be compromised doesn't guarantee much IMO.

(Nick had the same idea as me it seems...)


Title: Re: Instawallet Security Breach
Post by: Joost on April 01, 2013, 08:54:33 PM
Someone on HN pointed out that the transfer happened an hour or two before the site went down. Can anyone confirm this? It looks like the transfer happened about an hour before *this thread* appeared, but did this thread start immediately after the site came down?

https://news.ycombinator.com/item?id=5475389

I made the thread after I tried to access my Instawallet and couldn't. I have no idea when it went down.

Bitcoin Central has been failing to process transactions since 5PM CET (which is 6 hours ago at the moment of writing) and went to 'Down for maintenance'-mode 2 hours later. It seems the transaction was indeed done well before it went down, roughly when they stopped processing transactions on BTCentral.

Signing a message with 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy would be appropriate... also, a message at a website which may be compromised doesn't guarantee much IMO.

I hardly think a hacker would take the time to post such a message after he has looted 4 million worth of USD. I don't really see the added value. Would it serve as a convincer to miners that are currently not adding it to the blocks? I doubt miners would decide based upon a post like that - seeing as the transaction fee is so huge, the reason it hasn't been added to a block can hardly be a collective moral decision of miners.


Title: Re: Instawallet Security Breach
Post by: uhoh on April 01, 2013, 08:57:56 PM
Is it me or have the transactions been waiting 3 hours to be included in a block?

seems VERY odd. Could understand if they had been sent with no fees, but they haven't


Title: Re: Instawallet Security Breach
Post by: MPOE-PR on April 01, 2013, 08:59:21 PM
Signing a message with 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy would be appropriate... also, a message at a website which may be compromised doesn't guarantee much IMO.

(Nick had the same idea as me it seems...)

Both good points. Also lol at person indignant that they're not paid for the work done googling site:instawallet.com


Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 08:59:56 PM
Signing a message with 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy would be appropriate... also, a message at a website which may be compromised doesn't guarantee much IMO.

(Nick had the same idea as me it seems...)

Both good points. Also lol at person indignant that they're not paid for the work done googling site:instawallet.com

It's instawallet.ORG
:P


Title: Re: Instawallet Security Breach
Post by: dooglus on April 01, 2013, 09:00:13 PM
We thank you for your patience and will provide updates exclusively on this page as they come in.

What page is that from?

The wording "exclusive control" is also odd to me, sounds like someone stole it (internal employee?) and they discovered it and forced the guy to give back the key?

Sounds to me like they're just saying "we know this address hasn't been compromised, and we control it, so don't worry".


Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 09:01:07 PM
We thank you for your patience and will provide updates exclusively on this page as they come in.

What page is that from?

The wording "exclusive control" is also odd to me, sounds like someone stole it (internal employee?) and they discovered it and forced the guy to give back the key?

Sounds to me like they're just saying "we know this address hasn't been compromised, and we control it, so don't worry".

This is from https://bitcoin-central.net/.


Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 09:02:07 PM
I made two withdrawals from instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.

If this money was sent, should I be sure to receive it whatever happens with the rest of instawallet's issues?


Title: Re: Instawallet Security Breach
Post by: twolifeinexile on April 01, 2013, 09:06:29 PM
We thank you for your patience and will provide updates exclusively on this page as they come in.

What page is that from?

The wording "exclusive control" is also odd to me, sounds like someone stole it (internal employee?) and they discovered it and forced the guy to give back the key?

Sounds to me like they're just saying "we know this address hasn't been compromised, and we control it, so don't worry".

Hmmm, your explanation makes more sense of the word "exclusive" :).
Guess the implied info is that the two cold storage wallets may be compromised and not in "exclusive" control; out of caution, they moved to a wallet they feel is more secure.



Title: Re: Instawallet Security Breach
Post by: twolifeinexile on April 01, 2013, 09:11:43 PM
either way the lesson will be "trust no one to hold your coins".
Seconded

Apparently every new batch of Bitcoiners will need to learn this valuable lesson.

If you aren't the sole controller of your private keys, you don't have any bitcoins.

Take whatever steps necessary to be the sole controller of your private keys people!

yep

But instawallet is really convenient and if you need to spend, it is such a snap to use. They even have an iPhone HTML5 app.
Anyway, I put some funds there with the intention to spend, but still got a little panicked (not really, but my money there is not immaterial either).
I guess I will just take some BTC out of there after this fiasco. (It wasn't really a significant amount of money, but BTC keeps rising and now not a change any more!)


Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 09:13:15 PM
either way the lesson will be "trust no one to hold your coins".
Seconded

Apparently every new batch of Bitcoiners will need to learn this valuable lesson.

If you aren't the sole controller of your private keys, you don't have any bitcoins.

Take whatever steps necessary to be the sole controller of your private keys people!

yep

But instawallet is really convenient and if you need to spend, it is such a snap to use. They even have an iPhone HTML5 app.
Anyway, I put some funds there with the intention to spend, but still got a little panicked (not really, but my money there is not immaterial either).
I guess I will just take some BTC out of there after this fiasco. (It wasn't really a significant amount of money, but BTC keeps rising and now not a change any more!)

Essentially, the only way I use Instawallet is I use it to condense all the small transactions that I get from faucets (that's my only source of Bitcoins :P) and when I get BTC0.02, I send BTC0.01 to my other wallet. So I never keep more than BTC0.02 there.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: dooglus on April 01, 2013, 09:19:11 PM
Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: SgtSpike on April 01, 2013, 09:23:26 PM
Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee?
That's kind of a huge "wtf" to me as well.

Is Bitcoin broken??   :P


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: jabetizo on April 01, 2013, 09:24:09 PM
Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee?
+1

for some reason the network propagation for both transactions is below 5%, why are nodes not relaying them?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: piuk on April 01, 2013, 09:24:19 PM
Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee?

They use unconfirmed inputs. Such as this tx: http://blockchain.info/tx/a3aad3ddc180ec33d3060e5b0b048ab07647271db559743b46f4668f7796c6d4 which is too large for no fees.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: SgtSpike on April 01, 2013, 09:26:33 PM
Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee?

They use unconfirmed inputs. Such as this tx: http://blockchain.info/tx/a3aad3ddc180ec33d3060e5b0b048ab07647271db559743b46f4668f7796c6d4 which is too large for no fees.
Well, invalid tx hash when I click on the link, but that makes sense anyway.

So, question.  Can you create an identifier for unconfirmed inputs, such that they would "pop out" at a person looking at this page: http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy

Maybe just mark the text in red, or put a little red "unconfirmed" bubble next to any of them that aren't confirmed.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: molecular on April 01, 2013, 09:27:07 PM
Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee?
+1

for some reason the network propagation for both transactions is below 5%, why are nodes not relaying them?

and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

EDIT: piuk, you should probably change your avatar. People (at least I) got used to the new logo.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: piuk on April 01, 2013, 09:28:34 PM
and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

It was submitted using https://blockchain.info/pushtx


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: molecular on April 01, 2013, 09:29:39 PM
and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

It was submitted using https://blockchain.info/pushtx

makes sense


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: molecular on April 01, 2013, 09:31:47 PM
Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy) are still confirmed after several hours despite each including a massive 0.1 BTC fee?

They use unconfirmed inputs. Such as this tx: http://blockchain.info/tx/a3aad3ddc180ec33d3060e5b0b048ab07647271db559743b46f4668f7796c6d4 which is too large for no fees.

There has been talk about optimizing tx prioritization in bitcoind for quite a while. I can now see why it would make sense to have a high-fee tx (such as these 2) "pull in" the no- (or low-) fee inputs. I kinda thought this was the case already.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 01, 2013, 09:32:21 PM
The last few posts made no sense to me at all. :)

Does it look good or bad?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: molecular on April 01, 2013, 09:37:43 PM
The last few posts made no sense to me at all. :)

Does it look good or bad?

good.

not because of what was talked in the last couple posts. That was just a technical "mystery" explained.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: dooglus on April 01, 2013, 09:41:36 PM
So, question.  Can you create an identifier for unconfirmed inputs, such that they would "pop out" at a person looking at this page: http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy

Maybe just mark the text in red, or put a little red "unconfirmed" bubble next to any of them that aren't confirmed.

I'd like this too.  When I look at the 'advanced' view of a transaction on blockchain.info I'd like to see unconfirmed inputs marked as such.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: dooglus on April 01, 2013, 09:49:16 PM
The last few posts made no sense to me at all. :)

Does it look good or bad?

Not bad.

They've moved lots of coins out of bitcoin-central and instawallet cold storage into a different address.  Despite paying a relatively large transaction fee of 0.1 BTC on both transactions, the transactions still aren't confirmed after several hours.

It turns out that this is because the coins these transactions are trying to move aren't themselves confirmed yet, and you can't confirm any transaction which moves unconfirmed coins until those coins are confirmed.

The transactions which are holding the big transactions up have fees of 0, so miners aren't prioritising them.

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.  :)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: lucb1e on April 01, 2013, 09:52:24 PM
Thanks for this explanation, dooglus!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: SgtSpike on April 01, 2013, 09:53:57 PM
They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Mike Hearn on April 01, 2013, 09:55:05 PM
There is a patch that makes miners calculate fees recursively like that, as everyone agrees it's a good idea. The problem is the code is rather non-trivial and Gavin isn't yet convinced it's a safe change.
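
To make the miner-side point concrete, here is an added example (not code from this thread or from bitcoind) that scores a constructed mempool two ways: by each transaction's own fee rate, and by the fee rate of the transaction together with its unconfirmed ancestors, the "recursive" fee calculation referred to above. The transaction ids, sizes and the 10 sat/byte threshold are constructed assumptions, not values from the thread.

```python
from dataclasses import dataclass

BTC = 100_000_000  # satoshis per bitcoin


@dataclass
class Tx:
    txid: str
    parents: list   # txids of inputs that are still unconfirmed (confirmed inputs omitted)
    fee: int        # fee in satoshis
    size: int       # serialized size in bytes


# Constructed mempool modelled on the thread: a large zero-fee transaction
# ("too large for no fees") whose output is spent by a 0.1 BTC-fee consolidation,
# plus an unrelated transaction that pays a normal fee.
MEMPOOL = {
    "parent_a": Tx("parent_a", [], fee=0, size=50_000),
    "child_a": Tx("child_a", ["parent_a"], fee=BTC // 10, size=1_000),
    "simple": Tx("simple", [], fee=20_000, size=500),
}

# Assumed minimum fee rate a miner will accept: 0.0001 BTC per kB = 10 sat/byte.
MIN_FEERATE = 10.0


def ancestors(txid, mempool):
    """Return the set of unconfirmed ancestors of txid (transitive, excluding txid)."""
    seen = set()
    stack = list(mempool[txid].parents)
    while stack:
        p = stack.pop()
        if p in seen or p not in mempool:
            continue
        seen.add(p)
        stack.extend(mempool[p].parents)
    return seen


def own_feerate(tx):
    """Fee rate of a single transaction in sat/byte."""
    return tx.fee / tx.size


def package_feerate(txid, mempool):
    """Fee rate of txid plus every unconfirmed ancestor it depends on."""
    pkg = ancestors(txid, mempool) | {txid}
    fee = sum(mempool[t].fee for t in pkg)
    size = sum(mempool[t].size for t in pkg)
    return fee / size


def select_by_own_feerate(mempool, min_feerate):
    """Naive block building: rank by own fee rate, never mine a child before its parent."""
    chosen = []
    for tx in sorted(mempool.values(), key=own_feerate, reverse=True):
        if own_feerate(tx) < min_feerate:
            continue  # the zero-fee parent is dropped here ...
        if all(p in chosen or p not in mempool for p in tx.parents):
            chosen.append(tx.txid)
        # ... so the high-fee child can never be included
    return chosen


def select_by_package_feerate(mempool, min_feerate):
    """Package-aware block building: a well-paying child pulls its ancestors in with it."""
    chosen = []

    def include(txid):
        # Parents first, so the block stays topologically valid.
        for p in mempool[txid].parents:
            if p in mempool and p not in chosen:
                include(p)
        if txid not in chosen:
            chosen.append(txid)

    order = sorted(mempool, key=lambda t: package_feerate(t, mempool), reverse=True)
    for txid in order:
        if txid not in chosen and package_feerate(txid, mempool) >= min_feerate:
            include(txid)
    # A real implementation re-scores the remaining transactions after each
    # selection, since their ancestor sets shrink; this single pass is enough
    # to show why the 0.1 BTC transactions were stuck behind zero-fee parents.
    return chosen


if __name__ == "__main__":
    print("own-feerate selection:    ", select_by_own_feerate(MEMPOOL, MIN_FEERATE))
    print("package-feerate selection:", select_by_package_feerate(MEMPOOL, MIN_FEERATE))
```

With own-fee-rate ranking the block contains only "simple"; with package ranking the zero-fee parent is mined alongside the child that pays for it.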


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 01, 2013, 09:56:57 PM
They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.

They didn't mention instawallet though. :(

Also, some people have suggested that if you had hacked the website you could put a web page saying all was good relatively easily.  

It would be nice to hear from Davout. I believe he is instawallet staff


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 01, 2013, 10:06:29 PM
They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.

They didn't mention instawallet though. :(

Also, some people have suggested that if you had hacked the website you could put a web page saying all was good relatively easily.  

It would be nice to hear from Davout. I believe he is instawallet staff

Yup, he is.


Title: Re: Instawallet Security Breach
Post by: Nicolai on April 01, 2013, 10:10:38 PM
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.


Title: Re: Instawallet Security Breach
Post by: steelboy on April 01, 2013, 10:11:23 PM
I made two withdrawals from instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.

If this money was sent, should I be sure to receive it whatever happens with the rest of instawallet's issues?

So in regards to this, without being too technical. Why would a transaction take two days to confirm?

Is it something to do with instawallet being free?


Title: Re: Instawallet Security Breach
Post by: BitDreams on April 01, 2013, 10:16:08 PM
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

If those google https:// links pointed back to the instawallet web site it most certainly is a security flaw which could indeed lead to exploits in my opinion.


Title: Re: Instawallet Security Breach
Post by: Injust on April 01, 2013, 10:19:49 PM
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

If you don't think that somebody just Googling up your Instawallet URLs along with your BTC in them, then you need to stop hiding your head in a hole.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: jabetizo on April 01, 2013, 10:24:51 PM
A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.  :)

i think the problem is also that the miners are not even aware of the transactions, since nodes don't relay them because of unconfirmed inputs. the client would need to be updated as well to enable "smart relaying".


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: MPOE-PR on April 01, 2013, 10:26:52 PM
A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.

Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: jabetizo on April 01, 2013, 10:31:58 PM
A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.

Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive.

he can include them in the same block


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 01, 2013, 10:39:31 PM
yea i got 30 coin in instawallet  :(


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: foo on April 01, 2013, 10:51:56 PM
The last few posts made no sense to me at all. :)

Does it look good or bad?

Not bad.

They've moved lots of coins out of bitcoin-central and instawallet cold storage into a different address.  Despite paying a relatively large transaction fee of 0.1 BTC on both transactions, the transactions still aren't confirmed after several hours.

It turns out that this is because the coins these transactions are trying to move aren't themselves confirmed yet, and you can't confirm any transaction which moves unconfirmed coins until those coins are confirmed.

The transactions which are holding the big transactions up have fees of 0, so miners aren't prioritising them.

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.  :)

Confirmed! Eligius picked up the $20.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 01, 2013, 10:53:17 PM
The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 01, 2013, 10:55:11 PM
The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 01, 2013, 10:56:42 PM
The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?

If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy  belongs to Instawallet/Bitcoin-Central then good.


Do you believe it?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 01, 2013, 10:59:32 PM
The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.

Good or bad?

If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy  belongs to Instawallet/Bitcoin-Central then good.


Do you believe it?

Impossible to know for sure, but I believe it's legit, albeit with a bit of doubt.


Title: Re: Instawallet Security Breach
Post by: Nicolai on April 02, 2013, 12:05:11 AM
BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), finding a random user with a @hotmail email and trying to login to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault? This is what you're saying right now ::)

I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this is not - and will never be - a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."


Title: Re: Instawallet Security Breach
Post by: Injust on April 02, 2013, 12:16:38 AM
BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), finding a random user with a @hotmail email and trying to login to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault? This is what you're saying right now ::)

I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this is not - and will never be - a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

I have a chainsaw. Your argument is valid.
But anyway, your analogy is VERY bad. VERY.
It's Instawallet's flaw because they allowed Google bots to index their wallet URLs. Nobody pasted a database dump of Instawallet URLs anywhere.


Title: Re: Instawallet Security Breach
Post by: the founder on April 02, 2013, 12:21:58 AM
BitDreams & Injust: So by your definition, I have found a security bug _in hotmail_, by going to google, searching for a hacked database dump of some random other site (i.e. not hotmail), finding a random user with a @hotmail email and trying to login to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault? This is what you're saying right now ::)

I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this is not - and will never be - a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

I have no idea how to say this.

Last week,  if you googled  site:instawallet.org
You would be greeted with at least 3000 wallets,  many of them with bitcoins which you can click on that link and transfer those coins out.

If you googled site:hotmail.com
I would not be greeted with your inbox and read all your e-mails.

This is not anywhere near the same issue; what they had was a SECURITY FLAW.

partially it was Google's fault, they (google) lie to people saying that a robots.txt ban means google doesn't index your site.

In reality it means they would not SPIDER the urls,  it doesn't mean they won't list them.

Big difference, the hedge against that instawallet failed to address, hence why it became a security flaw.

but let's put all this aside, want to know the difference between a "flaw" and a "security flaw"?

Nicolai,  would you put all your bitcoins on Instawallet?   Your answer should let you know the difference between a flaw and a security flaw.
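
The crawling-versus-listing distinction drawn in the post above, as an added example (not the thread's or Instawallet's code) built on Python's standard-library robots.txt parser. The hostname, paths and headers are constructed, and the outcome labels are an assumption modelled on how major search engines document the interaction between a robots.txt Disallow and a noindex header.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt of the kind the thread describes: crawling of wallet
# URLs is disallowed and nothing else is done.
ROBOTS_DISALLOW_ONLY = """User-agent: *
Disallow: /w/
"""

# Constructed alternative: crawling allowed, but every wallet page answers
# with a noindex header, so a crawler that fetches it is told to drop it.
ROBOTS_ALLOW_ALL = "User-agent: *\nDisallow:\n"
NOINDEX_HEADERS = {"X-Robots-Tag": "noindex, nofollow"}
NO_HEADERS = {}

# Placeholder wallet URL; the path segment is constructed, not a real wallet.
WALLET_URL = "https://wallet.example.invalid/w/constructed-wallet-id"


def can_crawl(robots_txt, url, agent="Googlebot"):
    """Whether robots.txt lets a crawler fetch the URL at all."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)


def indexing_outcome(robots_txt, url, response_headers):
    """Model what a search engine does with a URL it learned about from a
    third party (a link, a mail, a browser), given the site's robots.txt and
    the headers the page would send if it were fetched."""
    if not can_crawl(robots_txt, url):
        # Never fetched, so a noindex header on the page is never seen:
        # the bare URL can still be listed under a site: query.
        return "listed-url-only"
    if "noindex" in response_headers.get("X-Robots-Tag", "").lower():
        return "not-listed"
    return "listed-with-content"


if __name__ == "__main__":
    cases = [
        ("Disallow only", ROBOTS_DISALLOW_ONLY, NO_HEADERS),
        ("Disallow + noindex header", ROBOTS_DISALLOW_ONLY, NOINDEX_HEADERS),
        ("Allow crawl + noindex header", ROBOTS_ALLOW_ALL, NOINDEX_HEADERS),
    ]
    for label, robots, headers in cases:
        print(f"{label:30} -> {indexing_outcome(robots, WALLET_URL, headers)}")
```

The second case is the trap: adding a noindex header while the path stays disallowed changes nothing, because the crawler never sees the header.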


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: the founder on April 02, 2013, 12:34:32 AM
If you put a password in the URL on your website, it is not Google's fault. It would be your and only your complete and grossly negligible disregard of the most trivial best practices in information security.

Do not blame Google it is not their fault.

Vladimir,  I do blame Google to an extent,  it appears that many people here believe (and understandably) that Google won't index anything banned in the robots.txt file.  This is not the case.  They can and DO index anything they believe exists,  even if they technically can't spider it.     But hey.. if Chrome Browser can hit that url,  or someone sent that link via GMAIL,  or someone sent it via Google Talk or texted it via Google Voice.. etc etc...... it must be real ... so even without spidering it they know it exists.

Out of all the companies on earth, that one scares me the most...  I've been working with search engines since 1994,  and Google since 1999 ...  trust me..  this company scares me.



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Nicolai on April 02, 2013, 12:42:34 AM
Vladimir: +1.

And while the way Instawallet works is not security-by-design, doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the URLs.

Injust: Just to make sure; you do know that google didn't "magically" find these URLs, right? And Instawallet didn't leak them. (Also, 2+2 is not equal to 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? :o


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 02, 2013, 12:51:39 AM
Vladimir: +1.

And while the way Instawallet works is not security-by-design, doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the URLs.

Injust: Just to make sure; you do know that google didn't "magically" find these URLs, right? And Instawallet didn't leak them. (Also, 2+2 is not equal to 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? :o

Um...Instawallet essentially leaked them. Not actively, but passively.
Because they failed to secure the site so that robots couldn't crawl and discover the URLs.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: TiagoTiago on April 02, 2013, 12:56:14 AM
Vladimir: +1.

And while the way Instawallet works is not security-by-design, doing a "site:"-search is not a security flaw - as long as Instawallet didn't leak the URLs.

Injust: Just to make sure; you do know that google didn't "magically" find these URLs, right? And Instawallet didn't leak them. (Also, 2+2 is not equal to 5). If it wasn't Instawallet and google can't do magic, who do you think leaked them? :o

Um...Instawallet essentially leaked them. Not actively, but passively.
Because they failed to secure the site so that robots couldn't crawl and discover the URLs.
It is my understanding the site wasn't crawled, Google simply recorded the URLs people typed/pasted on the URL bar of their browser or in one of their many services and programs.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: herzmeister on April 02, 2013, 01:08:44 AM
I've always felt this instawallet model is a bad idea, since the beginning... it just felt much too "instant" for me.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: SgtSpike on April 02, 2013, 02:16:32 AM
If you put a password in the URL on your website, it is not Google's fault. It would be your and only your complete and grossly negligible disregard of the most trivial best practices in information security.

Do not blame Google it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URLs on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: TiagoTiago on April 02, 2013, 02:19:30 AM
If you put a password in the URL on your website, it is not Google's fault. It would be your and only your complete and grossly negligible disregard of the most trivial best practices in information security.

Do not blame Google it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URLs on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
If I'm not mistaken, unless you remember the https part Chrome will send whatever you put on the URL bar to Google's databases.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: dree12 on April 02, 2013, 03:05:02 AM
If you put a password in the URL on your website, it is not Google's fault. It would be your and only your complete and grossly negligible disregard of the most trivial best practices in information security.

Do not blame Google it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URLs on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
If I'm not mistaken, unless you remember the https part Chrome will send whatever you put on the URL bar to Google's databases.

Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: the founder on April 02, 2013, 03:13:48 AM
My day job,  I'm president of Yooter InterActive.
I've been working with search engines for a long time..  

Let me tell you some tidbits of what I have discovered over the years regarding Google.

1 - Their mission is to obtain information, and resell that in the form of advertising.   Period.  
2 - They used to collect it back the very late 1990's and early 2000's virtually all though spidering.
3 - Then out of no where they started spending money on stuff like gmail, google maps, google chrome, android, google voice, google chat, google x, y ,z etc...
4 - these products exist for the sole purpose of collecting information..  that spider collects only a fraction of their info now.  every search you make is recorded, every url you visit is recorded if you use their product,  every time you use google maps and your start location is residental and that happens more than 2 or 3 times they now know where you live.
5 - You send a link to your friend from Gmail or to a Gmail address, and they now know that link exists.  If your friend clicks on that link.. now Google knows that URL exists.. even if that site is banned in the robots.txt file.

This goes on forever... in one huge massive ungodly database of tens of thousands of machines linked together that makes the complete hashing power of the bitcoin network look like a peanut.

That's google...  

If they wanted to find the URLs of Instawallet.. nothing on earth could stop them.   That being stated,  the fact that Instawallet didn't ban Google from listing all URLs in Webmaster Tools (instead relying on just a robots.txt file)  is their (Instawallet's) fault.

For the record,  if 3000 people over the course of 2 years e-mail themselves (not anyone else, but themselves) their Instawallet address to their Gmail account for safe keeping...  Google knows and most likely will list the results.

These people most likely leaked the info ... TO THEMSELVES!!!  hence the problem!

The more I research,  the more I believe that some of these instawallet urls (not all but a big number of them) were due to people mailing themselves their OWN URL using Gmail.  

I wish I could get a million people to read this exact post...  because I don't think people fully comprehend what they are dealing with when they mention the company google.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: coinuser4000 on April 02, 2013, 03:20:15 AM

I've been saying this for years, Google is the Devil.

Google wants to know everything about everybody, so they can sell you stuff.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: tvbcof on April 02, 2013, 03:40:53 AM
...
This goes on forever... in one huge massive ungodly database of tens of thousands of machines linked together that makes the complete hashing power of the bitcoin network look like a peanut.
...

Most Bitcoiners are begging and screaming for Bitcoin to scale to a magnitude where only organizations with a very large network footprint and sophisticated processing clusters will be able to run the system reliably and competitively.  Whether they realize that is the likely end result of their cries or not...

The upside is that the business (and other) intelligence value of carrying so much of the capacity of an economic system will likely make it such that transaction fees are unnecessary.  Just like a lot of other niceties that just seem to fall into our laps from the sky gods.



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: iCEBREAKER on April 02, 2013, 03:53:44 AM
Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.

Who are these stupid sheeple dumbfucks using Chrome?

"Zomg its shiny and new, I better use Chrome to check my Gmail so I have zero privacy and my identity may be stolen by anyone who wants it.  Hurr Durr!!"

The FEMA camps are too good for them...


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Severian on April 02, 2013, 04:54:11 AM
Google: Your business is our business.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: The-Real-Link on April 02, 2013, 05:24:08 AM
I'm surprised that Instawallet wouldn't do any number of adjustments to their code to prevent something that's risk-prone like that from happening.

For example, I do photography with Smugmug.  They randomize every single photo's ending URL at 9 different sizes.  Your gallery name may go into the URL but you (should) have a password for anyone accessing it, and your starting photo URL is still pretty random (not just photo1). 

To think they'd let someone's own password be spelled out right in the URL is pretty shocking if I understand it correctly. 

Oh and yeah, not a fan of Chrome.  I'll use it for Bitconity updates since currently my IE is broken with it and for coding.  Otherwise, nope.  But go figure, my brothers love Gmail though.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: caveden on April 02, 2013, 06:23:00 AM
Chrome will always send what's in the URL bar to Google, even in HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "url bar", anything that gets put in there is treated as a search and sent to Google.

From lifehacker:
Quote
If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.

Does the same apply to Chromium?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: dooglus on April 02, 2013, 06:31:31 AM
Does the same apply to Chromium?

It depends on whether you've enabled 'instant' or not.  I think it's off by default, but it's worth checking:

https://i.imgur.com/RdN1hQz.png


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: jcdf on April 02, 2013, 06:40:07 AM
I don't think most people realize that when you enter a URL for an HTTPS address such as Instawallet, the part of the URL after instawallet.org is sent as an encrypted string:

https://www.instawallet.org/"encrypted string"

The actual password or whatever in the URL is not sent as plain text and is not readable by all the hops in between.

Now if chrome is treating everything entered in the search/url bar as a search, even a full https url, and sending it to google, that is a serious problem.
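Three points in this thread fit together: the founder's observation that a robots.txt line does not stop Google from listing a URL it has discovered some other way (only a noindex signal does that), The-Real-Link's point that the secret part of such a URL needs to be long and random, and jcdf's point that over HTTPS the path travels encrypted while the hostname does not. The sketch below is an added example and is not Instawallet's or Paymium's code; the in-memory wallet store, the `/w/<token>` layout, the `example.invalid` host and the `handle_request`/`on_path_visible` helpers are all constructed for it. It shows a capability-URL endpoint that stores only a hash of each token, answers with headers that keep the page out of indexes, referrers and caches, and refuses to serve the secret over plain HTTP.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed in-memory store for the example: sha256(token) -> wallet record.
# Only the fingerprint is stored, so a copy of this table does not reveal any URL.
WALLETS: Dict[str, Dict[str, float]] = {}

SECRET_PATH_PREFIX = "/w/"  # hypothetical URL layout, mirrors the "/w/" path seen in the thread


def _fingerprint(token: str) -> str:
    """One-way fingerprint of a capability token (hypothetical helper)."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_wallet(balance_btc: float = 0.0) -> str:
    """Create a wallet addressed by a fresh 256-bit random token.

    The token is returned once for the user; the server keeps only its hash.
    """
    token = secrets.token_urlsafe(32)  # 32 random bytes -> 43 URL-safe chars, not guessable
    WALLETS[_fingerprint(token)] = {"balance_btc": balance_btc}
    return token


def lookup_wallet(token: str) -> Optional[Dict[str, float]]:
    """Resolve a token to its record by fingerprint; None if unknown."""
    return WALLETS.get(_fingerprint(token))


def on_path_visible(url: str) -> Dict[str, str]:
    """Split an HTTPS URL into what a network observer sees and what stays inside TLS.

    The host leaks through DNS and the TLS SNI extension; path and query are
    encrypted; the fragment is never sent to the server at all.
    """
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return {
        "visible_on_wire": p.hostname or "",
        "inside_tls": p.path + query,
        "never_sent": p.fragment,
    }


def handle_request(url: str) -> Tuple[int, Dict[str, str], str]:
    """Toy handler for GET <url>: returns (status, response headers, body).

    The headers are the defensive part: they tell crawlers that do reach the
    page not to index it, stop the URL from leaking via Referer, and keep the
    page out of caches. The lookup never compares raw tokens in the database.
    """
    headers = {
        "X-Robots-Tag": "noindex, nofollow, noarchive",  # robots.txt alone cannot unindex a discovered URL
        "Referrer-Policy": "no-referrer",               # outgoing links must not carry the secret path
        "Cache-Control": "no-store",                    # no shared-cache or disk-cache copies of the page
    }
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Over plain HTTP the path, and hence the secret, is readable by every hop.
        return 400, headers, "capability URLs are only served over HTTPS"
    if not parts.path.startswith(SECRET_PATH_PREFIX):
        return 404, headers, "not found"
    token = parts.path[len(SECRET_PATH_PREFIX):]
    record = lookup_wallet(token)
    if record is None:
        # Same response for "never existed" and "wrong token": nothing to enumerate.
        return 404, headers, "not found"
    return 200, headers, f"balance: {record['balance_btc']} BTC"


if __name__ == "__main__":
    demo_token = create_wallet(1.5)
    print(on_path_visible(f"https://example.invalid{SECRET_PATH_PREFIX}{demo_token}"))
    print(handle_request(f"https://example.invalid{SECRET_PATH_PREFIX}{demo_token}"))
    print(handle_request(f"http://example.invalid{SECRET_PATH_PREFIX}{demo_token}"))
```

None of the headers help once the URL itself has been pasted into a search box, mailed, or posted on a web page, which is the leak the thread is about; they only stop the server side from making that leak worse, and hashing the stored token means a leaked database does not hand out every wallet URL at once.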


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: caveden on April 02, 2013, 08:07:43 AM
Does the same apply to Chromium?

It depends on whether you've enabled 'instant' or not.  I think it's off by default, but it's worth checking:

Thanks dooglus. Mine was off.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 02, 2013, 09:08:44 AM
So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: DublinBrian on April 02, 2013, 10:24:12 AM
For the record,  if 3000 people over the course of 2 years e-mail themselves (not anyone, but themselves) to their gmail account their instawallet address for safe keeping...  google knows and most likely will list the results.

These people most likely leaked the info ... TO THEMSELVES!!!  hence the problem!

The more I research,  the more I believe that some of these instawallet urls (not all but a big number of them) were due to people mailing themselves their OWN URL using Gmail.

Thanks for the warning, Founder. My own experience shows that this security hole does not always lead to bitcoin losses.

I set up an Instawallet for a friend, and put 3 BTC in it. There is no password on the wallet; knowledge of the URL is sufficient for access. I then emailed the wallet URL from my email account to my friend's Gmail account.

My friend has suffered no losses or problems. The wallet was still working fine up to a couple of days ago.




Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: MPOE-PR on April 02, 2013, 10:52:47 AM
he can include them in the same block

Ah right you are, it didn't occur to me.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Atruk on April 02, 2013, 11:35:02 AM
So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?

Speculation, but justified.

Chrome is the ultimate spyware


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: greyhawk on April 02, 2013, 11:48:49 AM

Chrome is the ultimate spyware

And I love it for that.

I can google for a new movie on my desktop, then completely forget about it and weeks later my phone will automagically remind me that "hey that movie you googled a while ago is now running in that theater near you".
Without me doing anything.

Or I look up a restaurant at lunchtime and later at dinnertime I'm in the area and my phone goes "dude that steak restaurant you looked up is like 20 minutes away thought you should know duder".
Without me doing anything.

Or when it's like half an hour before I usually leave work to go home and my phone going "Yeah, here's the thing. You know how you drive at x pm and take that route usually? That's gonna bite you in the ass today. I mean, just look at that traffic jam. Look at this shit. You'd better drive this way. Just saying".

Without me doing anything.

It's perfect and exactly what my phone should do.

The lesson here is not: Google is evil.

The lesson is: Security through obscurity never ever works.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Rampion on April 02, 2013, 01:34:43 PM
FACTS:

1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments
2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: d5000 on April 02, 2013, 01:56:23 PM
Bitcoin-Central about a minute ago again showed me the normal light-blue design, but with an "Internal Server Error". Now they have restored the "Maintenance" message.

Seems they will be up again soon.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 02, 2013, 02:01:08 PM
The waiting is killing me


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: DublinBrian on April 02, 2013, 02:37:30 PM
sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS
These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption.

I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin.


Title: Re: Instawallet Security Breach
Post by: steelboy on April 02, 2013, 02:38:56 PM
I made two withdrawals from Instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at Instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.

If this money was sent should I be sure to receive this whatever happens with the rest of instawallets issues?

So in regards to this, without being too technical. Why would a transaction take two days to confirm?

Is it something to do with instawallet being free?

Can anyone help with this?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Rampion on April 02, 2013, 02:39:32 PM
sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS
These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption.

I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin.

Yeah, in this era of short attention spans Instawallet is perfect to have newbie's coins stolen.

Tell your friends to use blockchain.info's My Wallet for their first pennies; it is quite as immediate as Instawallet and much more secure.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: ingrownpocket on April 02, 2013, 02:40:49 PM
If you put a password in a URL on your website, it is not Google's fault. It would be your and only your complete and grossly negligent disregard of the most trivial best practices in information security.

Do not blame Google; it is not their fault.



I find it hard to believe that 3000+ instawallets were posted on the web.  Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URLs on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online.  As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services.  If the URL might exist, Google crawls it to find out.
https://www.google.com/search?q="instawallet.org%2Fw%2F" (https://www.google.com/search?q="instawallet.org%2Fw%2F")

About 29,400 results were found.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: MPOE-PR on April 02, 2013, 02:55:10 PM
FACTS:

1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments
2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS

3. Spelling is a lost art.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Rampion on April 02, 2013, 03:16:27 PM
FACTS:

1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments
2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS

3. Spelling is a lost art.

4. I would like to see your spelling skills in Turkish.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: DobZombie on April 02, 2013, 03:46:37 PM
/flameon

I love google, I haven't been lost ANYWHERE in like 4 years!

I WANT my browser to know what I'm thinking, and web searches to sell me shit that interests me!

I LOVE the fact if I don't know something, I can just GOOGLE it!

/flameoff


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: gbl08ma on April 02, 2013, 04:01:57 PM
https://www.google.com/search?q="instawallet.org%2Fw%2F" (https://www.google.com/search?q="instawallet.org%2Fw%2F")

About 29,400 results were found.

First rule, don't trust that number Google gives you. It is always way off from all the results one can get (some guy did research on that; turns out you only have access to the first 1000 results or so). And second, you don't know how many of these results are the same wallet URL appearing on multiple pages.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Arthur Randolph on April 02, 2013, 04:09:13 PM
What about we try and stay on topic?

Has anyone been able to contact the people at Paymium, the company behind instawallet and bitcoin-central?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Grinder on April 02, 2013, 04:10:50 PM
https://www.google.com/search?q="instawallet.org%2Fw%2F" (https://www.google.com/search?q="instawallet.org%2Fw%2F")

About 29,400 results were found.
None of them are actually on instawallet, though. https://www.google.com/search?q=%22instawallet.org/w/%22+site:instawallet.org

I realise that this may be because they have now removed direct links from Google, but the number is meaningless.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Raoul Duke on April 02, 2013, 04:20:06 PM
https://www.google.com/search?q="instawallet.org%2Fw%2F" (https://www.google.com/search?q="instawallet.org%2Fw%2F")

About 29,400 results were found.

At least do it properly: https://www.google.com/search?q=inurl%3A%2Fw%2F+site%3Ainstawallet.org ;)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: ingrownpocket on April 02, 2013, 04:35:08 PM
https://www.google.com/search?q="instawallet.org%2Fw%2F" (https://www.google.com/search?q="instawallet.org%2Fw%2F")

About 29,400 results were found.

At least do it properly: https://www.google.com/search?q=inurl%3A%2Fw%2F+site%3Ainstawallet.org ;)
I wanted to do the exact opposite of that.
Trying to show him where Google got those addresses.  ;)


Title: Re: Instawallet Security Breach
Post by: Jan on April 02, 2013, 04:56:17 PM
either way the lesson will be "trust no one to hold your coins".
Seconded

Apparently every new batch of Bitcoiners will need to learn this valuable lesson.

If you aren't the sole controller of your private keys, you don't have any bitcoins.

Take whatever steps necessary to be the sole controller of your private keys people!
In short "Keep your private keys private". Rule number ONE in Bitcoin land.


Title: Re: Instawallet Security Breach
Post by: steelboy on April 02, 2013, 04:59:38 PM
either way the lesson will be "trust no one to hold your coins".
Seconded

Apparently every new batch of Bitcoiners will need to learn this valuable lesson.

If you aren't the sole controller of your private keys, you don't have any bitcoins.

Take whatever steps necessary to be the sole controller of your private keys people!
In short "Keep your private keys private". Rule number ONE in Bitcoin land.

bitcoin-central.net (http://bitcoin-central.net) has updated its message

Still no mention of instawallet  ???



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: pbtc on April 02, 2013, 05:41:07 PM

Since nobody commented on the other thread, https://bitcointalk.org/index.php?topic=164638.0, I thought it might be useful to mention that Easywallet has the same problem with Google.

About 1000 wallets visible from web. Balance seems to be zero on all.




Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: lucb1e on April 02, 2013, 05:42:51 PM
Still no mention of instawallet  ???
For some reason this feels intentional to me, I'm glad I wasn't on that service (only bitcoin-central).

Still though, instawallet's cold storage got transferred out with 82 confirmations last time I checked (hours ago), it should mostly be fine I guess.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Atruk on April 02, 2013, 05:48:10 PM

Chrome is the ultimate spyware

And I love it for that.

I can google for a new movie on my desktop, then completely forget about it and weeks later my phone will automagically remind me that "hey that movie you googled a while ago is now running in that theater near you".
Without me doing anything.

Or I look up a restaurant at lunchtime and later at dinnertime i'm in the area and my phone goes "dude that steak restaurant you looked up is like 20 minutes away thought you should know duder".
Without me doing anything.

Or when it's like half an hour before I usually leave work to go home and my phone going "Yeah, here's the thing. You know how you drive at x pm and take that route usually? That's gonna bite you in the ass today. I mean, just look at that traffic jam. Look at this shit. You'd better drive this way. Just saying".

Without me doing anything.

It's perfect and exactly what my phone should do.

The lesson here is not: Google is evil.

The lesson is: Security through Obscurity does never ever work.

So true.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: splat44 on April 02, 2013, 06:45:37 PM
Let's hope problems can be fixed in due time!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: kakashi234 on April 02, 2013, 07:45:09 PM
What do you think will happen with our purchase orders / sales going?

Personally, I have sales orders that I wanted to cancel because the BTC price was strongly up; now if the website re-opens, my orders will be sent immediately without any annulation possible ...

I hope they will think about it and cancel all those sales orders scheduled.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 02, 2013, 07:47:12 PM
I hope that payments that our Instawallet addresses receive during the lack-of-service period will be credited :P


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 02, 2013, 08:01:48 PM
I hope that payments that our Instawallet addresses receive during the lack-of-service period will be credited :P

I just want whatever was in the wallets. ;)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 02, 2013, 08:10:14 PM
Still no mention of instawallet  ???
For some reason this feels intentional to me, I'm glad I wasn't on that service (only bitcoin-central).

Still though, instawallet's cold storage got transferred out with 82 confirmations last time I checked (hours ago), it should mostly be fine I guess.

I feel it is definitely intentional to not mention Instawallet; the webpage is still the same too, whereas the bitcoin-central/paytunia page has been updated. :(

However, if 42,000ish BTC was moved from their cold storage and is now "under their exclusive control" then surely they must not have lost everything. Maybe it is like some people have said, a problem with google that left some wallets searchable?

One thing that is really pecking my head though is the fact that there has been no update and Davout has disappeared too. This seems a bit suss.

Finally, can anyone with some technical know-how please set me straight on the problem below. Surely if the money was sent from one address to another 48 hours before this debacle then it has to be safe? If so, why hasn't it shown up in my wallet?

I made two withdrawals from Instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at Instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.

If this money was sent should I be sure to receive this whatever happens with the rest of instawallets issues?

So in regards to this, without being too technical. Why would a transaction take two days to confirm?

Is it something to do with instawallet being free?

Can anyone help with this?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: TiagoTiago on April 02, 2013, 08:50:33 PM
So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?
You would be surprised how many people got Google as their home page and type URLs in the page's search box instead of the browser's URL bar...


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: MPOE-PR on April 02, 2013, 09:23:58 PM
FACTS:

1) Google is evil, and will spy on you in order to have as much information possible to cash it in form of advertisments
2) sending your funds to a wallet consisting in an non-password protected URL is RIDICOLOUS

3. Spelling is a lost art.

4. I would like to see your spelling skills in Turkish.

Merhaba rahatsız etmemek için lütfen gel!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: BubbleBoy on April 02, 2013, 10:03:51 PM
Could it be that Instawallet went full "Tom Williams" on the user's accounts ? Or maybe something like this: trade the coins on mtgox, wait for the bubble to pop, buy coins back, profit.


Title: Re: Instawallet Security Breach
Post by: molecular on April 02, 2013, 11:04:38 PM
In short "Keep your private keys private". Rule number ONE in Bitcoin land.

You're storing BitcoinSpinner users' private keys in plaintext on their phones. How is this helping them to keep their private keys private?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: dooglus on April 03, 2013, 01:54:41 AM
Thanks dooglus. Mine was off.

Yes, I think Chromium has all its "spying for Google" features disabled by default.


Title: Re: Instawallet Security Breach
Post by: splat44 on April 03, 2013, 02:29:25 AM
If bitcoin-central.net has an update, I'm sure instawallet will come down the line! Usually this one is very safe!

either way the lesson will be "trust no one to hold your coins".
Seconded

Apparently every new batch of Bitcoiners will need to learn this valuable lesson.

If you aren't the sole controller of your private keys, you don't have any bitcoins.

Take whatever steps necessary to be the sole controller of your private keys people!
In short "Keep your private keys private". Rule number ONE in Bitcoin land.

bitcoin-central.net (http://bitcoin-central.net) has updated its message

Still no mention of instawallet  ???




Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 03, 2013, 07:29:41 AM
So do we think it is only affecting chrome users or is this just speculation?

Aside from that there is no news is there?
You would be surprised how many people got Google as their home page and type URLs in the page's search box instead of the browser's URL bar...

When you're using Chrome as your browser, (on the default settings) there is no difference between the two. None.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: MysteryMiner on April 03, 2013, 01:05:50 PM
For the first Instawallet URL hack I think Google Chrome is to blame. I never used Chrome outside a VMware test environment and I recommend that nobody install Google Chrome on any computer, for this privacy reason. If there is any technical need where Chrome is preferred over Firefox, then use SRWare Iron, which has all the bad things deleted. The use of a URL as a private key is not a big security problem because SSL also encrypts the URL and prevents anyone from seeing it, including Tor exit nodes, the FBI, etc. As long as the browser history is safe and not compromised, the URL is safe.

I have no idea about the second hack. If it is true that the servers are suspected to be compromised, then it might take some time to install a new operating system on new hardware, and test and secure the setup before it is launched publicly again.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 03, 2013, 01:20:15 PM
For the first Instawallet URL hack I think Google Chrome is to blame. I never used Chrome outside a VMware test environment and I recommend that nobody install Google Chrome on any computer, for this privacy reason. If there is any technical need where Chrome is preferred over Firefox, then use SRWare Iron, which has all the bad things deleted. The use of a URL as a private key is not a big security problem because SSL also encrypts the URL and prevents anyone from seeing it, including Tor exit nodes, the FBI, etc. As long as the browser history is safe and not compromised, the URL is safe.

I have no idea about the second hack. If it is true that the servers are suspected to be compromised, then it might take some time to install a new operating system on new hardware, and test and secure the setup before it is launched publicly again.

So you think if I have used only Firefox in safe mode then it should be all good?


Title: Re: Instawallet Security Breach
Post by: MPOE-PR on April 03, 2013, 01:20:38 PM
In short "Keep your private keys private". Rule number ONE in Bitcoin land.

You're storing BitcoinSpinner users private keys in plaintext on their phones. How is this helping them to keep their private keys private?

Ouch.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Kotcha on April 03, 2013, 01:27:08 PM
What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 03, 2013, 01:30:13 PM
What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication

No idea. I switch from positive to negative feelings nonstop. Driving me crazy. :/

One thing for sure though. If it turns out all right I am taking some profits and flying to a beach for a holiday. (Not before I finally get armory working though ;) )


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 03, 2013, 01:31:40 PM
What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication

The lack of communication is definitely disturbing.. I can only assume they haven't got any time for communicating as they've got the entire team working round the clock on this thing, but a little memo every few hours would have been great.

Their predicted 48 hours are nearly running out.. I had hoped to see them back online by now.  :-[


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Kotcha on April 03, 2013, 01:42:09 PM
I feel your pain steelboy. Kicking myself for not keeping them somewhere more secure, definitely a lesson learnt but hopefully not the hard way!

Yeah the communication has been appalling, and has probably tarnished the company a great deal - it looks like some people have lost A LOT of money, they deserve some sort of explanation. The fact that funds have been moved to this 'Instawallet Cold Storage' address is quite reassuring, unless it's an inside job and they are just stalling  ???


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: twolifeinexile on April 03, 2013, 01:42:12 PM
What is the likelihood of us seeing our coins again guys? Getting worried about the severe lack of communication

The lack of communication is definitely disturbing.. I can only assume they haven't got any time for communicating as they've got the entire team working round the clock on this thing, but a little memo every few hours would have been great.

Their predicted 48 hours are nearly running out.. I had hoped to see them back online by now.  :-[

Anyone have a private communication channel to them? Could anyone try to get some info on this? Customers/users deserve to know the current status of the affair.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 03, 2013, 01:50:27 PM
That's odd. The font used on https://bitcoin-central.net/ and https://paytunia.com/ are different. You'd think they'd just point to the same HTML file..  :P

Oddly enough, Instawallet still displays the old downtime message. I can only hope this is an indication of priorities  ;)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 03, 2013, 01:55:30 PM
I feel your pain steelboy. Kicking myself for not keeping them somewhere more secure, definitely a lesson learnt but hopefully not the hard way!

Yeah the communication has been appalling, and has probably tarnished the company a great deal - it looks like some people have lost A LOT of money, they deserve some sort of explanation. The fact that funds have been moved to this 'Instawallet Cold Storage' address is quite reassuring, unless it's an inside job and they are just stalling  ???

Cheers mate. Hope you're not in as much as me.

The stalling thing is an option, I suppose. I just feel that, as the owners are known, there will be a lot of people ready to kick off if it has gone.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: MysteryMiner on April 03, 2013, 02:30:16 PM


So you think if I have used only Firefox in safe mode then it should be all good?
Yes. Firefox doesn't leak URLs unless some malicious add-on or antivirus/firewall does it. And the safe mode for Firefox is not meant to be a "safer" mode of operation. It is only for troubleshooting purposes, if some add-on or plugin causes it to crash.

The URL leak is not Instawallet's fault, I found another service that still has exactly the same problems. I did not manage to find any coins in there but it is only a matter of time. At least I will work back the coins that have gone with Instastealwallet.

If I'm going to run away with 4000 coins I will not post a message that I will be back. I will post something like this: "Na nana nana I got Your coins and You will not see them again, na na nanaana!" together with a picture of Eric Cartman.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 03, 2013, 02:34:00 PM
how many coins have you got in there steelboy?

I got 30 in there, the price was @ $103 each

now they're $130 lol

crazy shit, i hope i get them back !!!!



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 03, 2013, 02:35:55 PM
A lot more than that. :(

Didn't realise how unsafe they were and I just started to realise before Easter that I needed to do something about it.

Started a thread to get some advice about Armory and setting it up, even bought an offline Asus on Friday ready to get it sorted this week.

Oh well....let's see. 


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 03, 2013, 02:51:17 PM
yea not a good place to hold them mate. i was only using it as a transporter, not a wallet to hold.
i hope you and everyone else gets them back.
I am leaving my computer at work today, otherwise i am up all night waiting to hear something.
My opinion is they had a problem, they managed to keep everyone's coins safe, and now they're going to profit from it before it goes back live!!

cheers




Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 03, 2013, 02:51:51 PM
I got 30 in there, the price was @ $103 each

now they're $130 lol

At least you had BTC in there before the steep rise this morning ;)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 03, 2013, 02:59:01 PM
yea not a good place to hold them mate. i was only using it as a transporter, not a wallet to hold.
i hope you and everyone else gets them back.
I am leaving my computer at work today, otherwise i am up all night waiting to hear something.
My opinion is they had a problem, they managed to keep everyone's coins safe, and now they're going to profit from it before it goes back live!!

cheers




How do you think they can profit from it?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 03, 2013, 02:59:08 PM
davout give us a shoutout PLEASE We wanna know what you're doing!!!!!!!!!!!!!!!!!!!!
 :'(


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: trout on April 03, 2013, 03:12:53 PM
I'm wondering if I'm the only one who attempted to withdraw my coins from instawallet on the unfortunate day of 01.04?

I was not holding any coins there, but tried to tumble some. I sent the coins in, and as soon as they confirmed tried to withdraw
them. The wallet balance went to 0, but the coins never arrived at their destination - the transactions were never broadcast.
Then in about 6-8 hours, instawallet goes down "for maintenance."



I'm afraid I'm even more screwed than those who were just holding their coins on instawallet.
Unless we all lose all, that is.

The coins from my deposit address were tumbled away into instawallet cold storage, and from there
to the address they claim to have "exclusive control" over. So they are probably
not lost. The question is whether I can get them back though.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 03, 2013, 03:15:21 PM
I'm wondering if I'm the only one who attempted to withdraw my coins from instawallet on the unfortunate day of 01.04?

I was not holding any coins there, but tried to tumble some. I sent the coins in, and as soon as they confirmed tried to withdraw
them. The wallet balance went to 0, but the coins never arrived at their destination - the transactions were never broadcast.
Then in about 6-8 hours, instawallet goes down "for maintenance."



I'm afraid I'm even more screwed than those who were just holding their coins on instawallet.
Unless we all lose all, that is.

The coins from my deposit address were tumbled away into instawallet cold storage, and from there
to the address they claim to have "exclusive control" over. So they are probably
not lost. The question is whether I can get them back though.

I also had funds on the way out. It had happened before that it would take 24 hours so I wasn't worried.

We shall see. Fingers crossed and good luck mate.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 03, 2013, 03:17:41 PM
na they will have a record of it  ;)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: poriks on April 03, 2013, 03:17:58 PM
I checked my address using https://blockchain.info.  They left me a few satoshis man.  >:( >:( ;D

I tried to follow the trail, but I couldn't see it end up on the address posted at bitcoin-central.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: tvbcof on April 03, 2013, 03:20:58 PM
...
The coins from my deposit address were tumbled away into instawallet cold storage, and from there
to the address they claim to have "exclusive control" over. So they are probably
not lost. The question is whether I can get them back though.

Thx for the info.  Without feedback from ~davout, Paytunia, or whatever, it is natural that people will speculate.

I would hypothesize that if any of the services that these guys ran were robbed, it may be Instawallet users who end up paying the bill.  The other services seemed to be (and were) more important, whereas Instawallet was always advertised to be of only moderate security.



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 03, 2013, 03:23:05 PM
Who thinks davout has gone rogue and has left Paris to live in Asia with his 45,000 bitcoins !! that's a good fresh start that is!!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: tvbcof on April 03, 2013, 03:29:22 PM
Who thinks davout has gone rogue and has left Paris to live in Asia with his 45,000 bitcoins !! that's a good fresh start that is!!

It seems a perfectly valid hypothesis at this point.  There are many other hypotheses with this rating however.



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 03, 2013, 03:39:33 PM
Who thinks davout has gone rogue and has left Paris to live in Asia with his 45,000 bitcoins !! that's a good fresh start that is!!

It seems a perfectly valid hypothesis at this point.  There are many other hypotheses with this rating however.



Is his real identity known?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 03, 2013, 03:42:26 PM
Well guys, I made a small investigation about the guy "davout".

So first of all the domain bitcoin-central.net is registered under the following details:

Domain name: bitcoin-central.net

Registrant:
  W3BFLOWS SARL
  FRANCOIS DAVID
  34 CHARLES CHEFSON
  BOIS-COLOMBES, 92270
  FR
  +33.668242163
  x7kfp9c2o1j0ynegf3ym@h.o-w-o.info

Administrative Contact:
  W3BFLOWS SARL
  FRANCOIS Michel
  34 rue Charles Chefson
  Bois Colombes, 92270
  FR
  +33.672332684
  650cpyijxhkip452kqfs@l.o-w-o.info

where "W3BFLOWS SARL" is the company behind bitcoin-central:

Company: W3BFLOWS SARL
Address: FRANCOIS DAVID 34 CHARLES CHEFSON BOIS-COLOMBES, 92270 FR
Phone: +33.668242163


and it seems that FRANCOIS DAVID is the official representative. FRANCOIS DAVID is our guy: davout (https://github.com/davout). That guy is also the CTO in Paymium (http://paymium.com/about/)

Well I don't want to extract any particular conclusions. I am just giving out some information that I have found publicly online


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Rampion on April 03, 2013, 03:42:36 PM
BTW: Instawallet charges no fee. What's their business model? Could somebody explain?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 03, 2013, 03:44:42 PM
I find it so amazing that you could put the 45,000 btc [ $6,359,000] on a paper wallet and put it in your pocket and go anywhere in the world!!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 03, 2013, 03:47:43 PM
Well guys, I made a small investigation about our guy "davout".

So first of all the domain bitcoin-central.net is registered under the following details:

Domain name: bitcoin-central.net

Registrant:
  W3BFLOWS SARL
  FRANCOIS DAVID
  34 CHARLES CHEFSON
  BOIS-COLOMBES, 92270
  FR
  +33.668242163
  x7kfp9c2o1j0ynegf3ym@h.o-w-o.info

Administrative Contact:
  W3BFLOWS SARL
  FRANCOIS Michel
  34 rue Charles Chefson
  Bois Colombes, 92270
  FR
  +33.672332684
  650cpyijxhkip452kqfs@l.o-w-o.info

where "W3BFLOWS SARL" is the company behind bitcoin-central:

Company: W3BFLOWS SARL
Address: FRANCOIS DAVID 34 CHARLES CHEFSON BOIS-COLOMBES, 92270 FR
Phone: +33.668242163


and it seems that FRANCOIS DAVID is the official representative. FRANCOIS DAVID is our guy: davout (https://github.com/davout). That guy is also the CTO in Paymium (http://paymium.com/about/)

Well I don't want to extract any particular conclusions. But at least now we know who is the guy we should be looking for in case something really bad happens  ;)

Which I am still hoping is not the case.

I imagine in a situation like this some element of media silence is needed. Especially if you don't want to say something that might turn out to be wrong later.

Let's just hope he is as decent as he has seemed before. :)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 03, 2013, 03:54:20 PM
Well guys, I made a small investigation about our guy "davout".

So first of all the domain bitcoin-central.net is registered under the following details:

Domain name: bitcoin-central.net

Registrant:
  W3BFLOWS SARL
  FRANCOIS DAVID
  34 CHARLES CHEFSON
  BOIS-COLOMBES, 92270
  FR
  +33.668242163
  x7kfp9c2o1j0ynegf3ym@h.o-w-o.info

Administrative Contact:
  W3BFLOWS SARL
  FRANCOIS Michel
  34 rue Charles Chefson
  Bois Colombes, 92270
  FR
  +33.672332684
  650cpyijxhkip452kqfs@l.o-w-o.info

where "W3BFLOWS SARL" is the company behind bitcoin-central:

Company: W3BFLOWS SARL
Address: FRANCOIS DAVID 34 CHARLES CHEFSON BOIS-COLOMBES, 92270 FR
Phone: +33.668242163


and it seems that FRANCOIS DAVID is the official representative. FRANCOIS DAVID is our guy: davout (https://github.com/davout). That guy is also the CTO in Paymium (http://paymium.com/about/)

Well I don't want to extract any particular conclusions. But at least now we know who is the guy we should be looking for in case something really bad happens  ;)

Which I am still hoping is not the case.

I imagine in a situation like this some element of media silence is needed. Especially if you don't want to say something that might turn out to be wrong later.

Let's just hope he is as decent as he has seemed before. :)

steelboy you are right. I want to make myself clear that I am not blaming anybody. I am just giving out some information that I found publicly online

I was also about to say that Paymium seems a reliable company since on their webpage all the board members appear.

However I still think that the official representative of the company should regularly update and inform the clients. In this case we are lacking an essential update on a crucial issue.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 03, 2013, 03:57:31 PM
JUST SPOKE TO DAVOUT


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 03, 2013, 03:58:38 PM
he's about to make an update this second!!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: twolifeinexile on April 03, 2013, 03:59:21 PM
he's about to make an update this second!!
Really appreciate your effort!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 03, 2013, 04:02:37 PM
he's about to make an update this second!!

That's due. The 48 hours since "Expect normal service to resume within 48 hours." have just about passed  :P How did you get in touch, though? Are you sure it's not some perp with that nickname on one of the IRC servers trying to pull your leg? ;)

Thanks for letting us all know though! Appreciated :)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: twolifeinexile on April 03, 2013, 04:04:47 PM
he's about to make an update this second!!

That's due. The 48 hours since "Expect normal service to resume within 48 hours." have just about passed  :P How did you get in touch, though? Are you sure it's not some perp with that nickname on one of the IRC servers trying to pull your leg? ;)

Thanks for letting us all know though! Appreciated :)

They are hacked and lost bitcoin!! They will close this business and go to the "claim" process!!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 03, 2013, 04:10:20 PM

They are hacked and lost bitcoin!! They will close this business and go to the "claim" process!!

Source?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 03, 2013, 04:10:33 PM
I rang this number and he answered  +33.668242163


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: trout on April 03, 2013, 04:11:35 PM
Quote


    For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.

    After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.

    Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.

well, this means losses.  >:(

no information on how many coins the hacker(s) were able to take.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: twolifeinexile on April 03, 2013, 04:11:59 PM

They are hacked and lost bitcoin!! They will close this business and go to the "claim" process!!

Source?
the website now updated with the notice.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 03, 2013, 04:13:08 PM

They are hacked and lost bitcoin!! They will close this business and go to the "claim" process!!

Source?
the website now updated with the notice.

I'm not seeing it. If you're trolling, this is not a good time. If you're not, do post a screenshot.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 03, 2013, 04:14:37 PM
I rang this number and he answered  +33.668242163

and???? did you talk to anyone??

Quote


    For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.

    After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.

    Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.

well, this means losses.  >:(

no information on how many coins the hacker(s) were able to take.


Where did you quote this message from? Is there any information about bitcoin-central ????


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: twolifeinexile on April 03, 2013, 04:14:38 PM

They are hacked and lost bitcoin!! They will close this business and go to the "claim" process!!

Source?
the website now updated with the notice.

I'm not seeing it. If you're trolling, this is not a good time. If you're not, do post a screenshot.
INSTAWALLET SERVICE NOTICE

The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture.

Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.

In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Important information on claims submission:

1. For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.
2. After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.
3. Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.

From http://notice.instawallet.org/


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Kotcha on April 03, 2013, 04:14:57 PM
Good news, looks like we can claim our funds back... looks like the process is gonna take 90 days though, no other option than to hold  8)


Quote
INSTAWALLET SERVICE NOTICE

The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture.

Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.

In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Important information on claims submission:

For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.
After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.
Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: twolifeinexile on April 03, 2013, 04:18:23 PM
Good news, looks like we can claim our funds back... looks like the process is gonna take 90 days though, no other option than to hold  8)


Quote
INSTAWALLET SERVICE NOTICE

The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture.

Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.

In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Important information on claims submission:

For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.
After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.
Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.
To be honest, I don't feel good at all, they didn't say they will refund 50 BTC or larger fully (which means they lose money, truly hacked). Secondly, due to the nature of Instawallet, apparently the hacker could claim the money as well if they got access to the database of the URL. Thirdly, that is 90 days and you know those "delay" tactics a lot of scammers use, first 90 days, then another 90 days, then partial refund, then....
Not saying they are, but this is not good news at all.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 03, 2013, 04:19:54 PM
still no update for bitcoin-central


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 03, 2013, 04:24:35 PM
How much did davout pay for instawallet?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 03, 2013, 04:25:15 PM
Well an update at last

Here is my issue

Let's assume the worst, that it's an inside job. Maybe the team do not have access to the individual urls.

By making us give them to them we are effectively handing over our bitcoins.

By making it first come first served it makes you want to give it to them straight away. Just saying.

What do you think?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: twolifeinexile on April 03, 2013, 04:26:47 PM
Well an update at last

Here is my issue

Let's assume the worst, that it's an inside job. Maybe the team do not have access to the individual urls.

By making us give them to them we are effectively handing over our bitcoins.

By making it first come first served it makes you want to give it to them straight away. Just saying.

What do you think?
But to claim, you almost have to present that to prove ownership, because that is the only evidence.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 03, 2013, 04:28:31 PM

Let's assume the worst, that it's an inside job. Maybe the team do not have access to the individual urls.
By making us give them to them we are effectively handing over our bitcoins.


They obviously have access to the individual urls - how else could they serve you a web page on those? By sending your bitcoins to them in the first place you handed them over. They have the private keys. Well, they did at least.

Still no update with regards to Bitcoin Central though. That's what I'm really worried about. That volume was twice as large as well.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: twolifeinexile on April 03, 2013, 04:29:34 PM
Well an update at last

Here is my issue

Let's assume the worst, that it's an inside job. Maybe the team do not have access to the individual urls.

By making us give them to them we are effectively handing over our bitcoins.

By making it first come first served it makes you want to give it to them straight away. Just saying.

What do you think?
You have bigger than 50? Otherwise, I think you should be able to get back fully, given their current tone.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: HighInBC on April 03, 2013, 04:38:11 PM
My lord. I was very close to being affected by this. Thankfully my funds went out prior to the issue.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Rampion on April 03, 2013, 04:40:28 PM
Hope you learnt an important lesson: NEVER TRUST ONLINE WALLETS WITH MORE THAN POCKET MONEY.

And remember that what's pocket money today, can be retirement money tomorrow ;)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Kotcha on April 03, 2013, 04:43:50 PM
Good news, looks like we can claim our funds back... looks like the process is gonna take 90 days though, no other option than to hold  8)


Quote
INSTAWALLET SERVICE NOTICE

The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture.

Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.

In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Important information on claims submission:

For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.
After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.
Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.
To be honest, I don't feel good at all, they didn't say they will refund 50 BTC or larger fully (which means they lose money, truly hacked). Secondly, due to the nature of Instawallet, apparently the hacker could claim the money as well if they got access to the database of the URL. Thirdly, that is 90 days and you know those "delay" tactics a lot of scammers use, first 90 days, then another 90 days, then partial refund, then....
Not saying they are, but this is not good news at all.

Yeah I get what you're saying, I think if your funds went to cold storage though you must be safe? Maybe not good news, but at least it's something... looks a lot brighter than it did yesterday anyway


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: d5000 on April 03, 2013, 05:10:40 PM
Update for Bitcoin-Central and Paytunia (only showing on paytunia.com, seems they are a bit confused with the many URLs they have):

[Apr-03 7:00PM CET]

We are still working on bringing the service back up: we expect to resume operations within the next 48 hours.

A lot of people have asked about the state of orders currently pending. Due to the recent and important price fluctuations we will cancel some outstanding orders before reopening. For example if the average price stays above 100 EUR/BTC we will cancel all asks below 110 EUR/BTC. No trades will be reversed.

We also don't want to take anyone by surprise and as such will give a 24h notice before trades start to get executed again.

During these 24 hours you will be able to place and cancel orders. When the trading engine gets restarted they will be executed in the order they were placed.

Your account balances (EUR, USD, GBP and BTC) were not affected by the service interruption.

The deposits received while the service was interrupted will be added to your balance during the 24h notice time.

----

Doesn't look that bad for these services, definitely the problem was with Instawallet. Should we split the threads because there are different problems?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 03, 2013, 05:15:06 PM
Update for Bitcoin-Central and Paytunia (only showing on paytunia.com, seems they are a bit confused with the many URLs they have):

Oddly enough, Bitcoin-Central is down at the moment. Not showing anything.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: HATA28 on April 03, 2013, 05:31:06 PM
Update for Bitcoin-Central and Paytunia (only showing on paytunia.com, seems they are a bit confused with the many URLs they have):

Oddly enough, Bitcoin-Central is down at the moment. Not showing anything.
I guess you are not using Firefox.

The problem with bitcoin-central and paytunia is this:

Secure Connection Failed

An error occurred during a connection to bitcoin-central.net.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)




Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: trout on April 03, 2013, 05:32:44 PM
Quote
Our database was fraudulently accessed,

Actually this doesn't even say that some coins were stolen.
This doesn't look good.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: greyhawk on April 03, 2013, 05:48:58 PM
It seems every generation of bitcoiners just has to learn hard lessons on their own. FFS if experienced bitcoiners like so not modest myself, who warned others about exactly this shit long before the mybitcoin fiasco, tell you TRUST NO ONE. Pay fucking attention next time.


It never works Vlad, they never listen.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: justusranvier on April 03, 2013, 06:02:52 PM
http://www.reddit.com/r/Bitcoin/comments/1blk1t/public_service_announcement_regarding_online/ (http://www.reddit.com/r/Bitcoin/comments/1blk1t/public_service_announcement_regarding_online/)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: splat44 on April 03, 2013, 06:04:21 PM
Same thing with instawallet, I'm sure those who manage those servers are doing something to fix those!

Update for Bitcoin-Central and Paytunia (only showing on paytunia.com, seems they are a bit confused with the many URLs they have):

Oddly enough, Bitcoin-Central is down at the moment. Not showing anything.
I guess you are not using Firefox.

The problem with bitcoin-central and paytunia is this:

Secure Connection Failed

An error occurred during a connection to bitcoin-central.net.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)





Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Rampion on April 03, 2013, 06:05:11 PM
It seems every generation of bitcoiners just has to learn hard lessons on their own. FFS if experienced bitcoiners like so not modest myself, who warned others about exactly this shit long before the mybitcoin fiasco, tell you TRUST NO ONE. Pay fucking attention next time.


It never works Vlad, they never listen.

But it's unbelievable. Never trust third party wallets with more than pocket money is so clear everywhere. It's so up in the wiki that you learn this in the first hour reading about bitcoin.



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: greyhawk on April 03, 2013, 06:06:43 PM
Same thing with instawallet, I'm sure those who manage those servers are doing something to fix those!

Instawallet? Instawallet is dead, kaput, it has served its last bit(coin).


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: greyhawk on April 03, 2013, 06:09:00 PM

But it's unbelievable. Never trust third party wallets with more than pocket money is so clear everywhere. It's so up in the wiki that you learn this in the first hour reading about bitcoin.


2 things at work here:

a) some people are dumb

b) bitcoin's false reputation as "easy money" attracts a disproportionately large share of a)


Title: Re: Instawallet Security Breach
Post by: Phinnaeus Gage on April 03, 2013, 06:30:15 PM
this doesn't sound good at all.


Literally shitting myself

You ain't the only one! I didn't even know this was going on. I visited the site yesterday and saw it was down, but paid it no mind thinking it will be back up soon. I was in the process of storing my coins elsewhere, but didn't think I had to do it anytime soon since being assured by many on this forum that all is well.

I've even gotten others to use InstaWallet recently, sending them coins to show how easy it is.

My stomach is totally in knots right now, and I've only begun to read this thread.

Madness!!!

~Bruno K~


Title: Re: Instawallet Security Breach
Post by: SgtSpike on April 03, 2013, 06:37:50 PM
this doesn't sound good at all.


Literally shitting myself

You ain't the only one! I didn't even know this was going on. I visited the site yesterday and saw it was down, but paid it no mind thinking it will be back up soon. I was in the process of storing my coins elsewhere, but didn't think I had to do it anytime soon since being assured by many on this forum that all is well.

I've even gotten others to use InstaWallet recently, sending them coins to show how easy it is.

My stomach is totally in knots right now, and I've only begun to read this thread.

Madness!!!

~Bruno K~
Wait, YOU were storing your BTC on instawallet??


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: greyhawk on April 03, 2013, 06:40:14 PM
c) people take stupid risks even though they know better.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 03, 2013, 06:50:47 PM
Just got to page 7, and now have shit to do after I take a shit (seriously). I is not a happy camper now.

Have Chainsaw - Will Travel


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: HATA28 on April 03, 2013, 06:55:13 PM
This is a really fucked up situation, especially for the ones that were actually using instawallet.org
However, Paymium says you can claim your BTC back.
We don't know what exactly caused this 'hack', we can only speculate.
Therefore, I think we can't blame Paymium for what happened, at least not yet.

Come on guys, try to stay positive.
After all, it's just money.

http://i47.tinypic.com/2zhqdd0.jpg


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Severian on April 03, 2013, 06:56:47 PM
Too bad nobody is going to listen to the above.

This is evolution in action. In two years, should Bitcoin still be chugging along, paper wallet holders will still have bitcoins while the trusting will be wondering what happened to theirs. Since Bitcoin is decentralized by nature, it will ultimately force its users to be decentralized also. The learning curve is a painful one for those that let the glitter overtake common sense.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 03, 2013, 07:00:00 PM
Positivity is the key now I think.

Vlad, you are right. It's our fault. (I was in the process of sorting out the armory on Friday). Give me a break though mate, still smarting here.

Let's assume the hacker has all the URLs. I assume he will argue any large balances with the rightful owner. What if there was documented proof of owning the URL for a while? I assume the hacker has only had access in the last few weeks.

What do you think?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Rampion on April 03, 2013, 07:00:33 PM
Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time"

"run away" includes "getting 'hacked'"

It is basically the same as the amount of mined bitcoins asymptotically approaching 21 million.

People! FFS! Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones.

Store not only encrypted images but truecrypt distribution/installation too.

This is all you need to know and do.

Remember the risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amounts of BTC for a short time. The smaller the amount and the shorter the time, the better. In this case the Risk is acceptable. For large amounts and a long time you simply cannot trust 3rd parties without taking on disproportional risks.

Too bad nobody is going to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount.



I wouldn't rely on Truecrypt for very serious stuff. The code was not scrutinized by the community. This is why TAILS does not include it. I would prefer GPG.

But for not so serious stuff a hidden volume of TC is pretty nice... And if you add steganography and of course offline storage only, you will be pretty safe.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: repentance on April 03, 2013, 07:25:53 PM
This is a really fucked up situation, especially for the ones that were actually using instawallet.org
However, Paymium says you can claim your BTC back.
We don't know what exactly caused this 'hack', we can only speculate.
Therefore, I think we can't blame Paymium for what happened, at least not yet.

Of course you can blame them. People can't access their funds for at least 90 days because of some security breach. It's the job of those operating a service to ensure its security can't be breached and vulnerabilities in Instawallet were made public a week ago. 


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: shamntalk on April 03, 2013, 07:27:56 PM
This is going to hurt. And I don't just mean the 200 bucks I've just lost, it's going to hurt hard on bitcoin.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: repentance on April 03, 2013, 07:35:29 PM
Actually that has happened the moment they went public with their braindead idea of having "proxy private keys" for BTC addresses in the URL. Was it one or two years ago? I do not quite remember.

I don't recall the fact that you could access (actually access, as opposed to theoretically) the accounts of other users being publicly discussed until last week, although when it was being discussed last week quite a few people mentioned having been aware of it for some time.

They still needed to take the service offline for a security audit when that particular vulnerability became a topic for discussion last week, because nothing was more certain than people trying to exploit that one and looking for other vulnerabilities as well (as well as looking for similar vulnerabilities in other services).


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: HATA28 on April 03, 2013, 07:38:34 PM
This is a really fucked up situation, especially for the ones that were actually using instawallet.org
However, Paymium says you can claim your BTC back.
We don't know what exactly caused this 'hack', we can only speculate.
Therefore, I think we can't blame Paymium for what happened, at least not yet.

Of course you can blame them. People can't access their funds for at least 90 days because of some security breach. It's the job of those operating a service to ensure its security can't be breached and vulnerabilities in Instawallet were made public a week ago. 
Dude come on, this is the problem of the whole fucking society.
People just blaming each other because they don't have the balls to take responsibility for it themselves.
If you store your money somewhere, YOU are responsible. It is YOUR money. If you want to be absolutely sure it won't disappear in a financial crisis, you have to hold on to it yourself.

If you drink too much Heineken beer, you are responsible for the consequences. You can not blame Heineken because they provided it.
You are always the only one responsible for your own actions.

In this case: of course, people trusted their money to Instawallet. But if you trust something or someone, that's a risk you are taking yourself. It is like losing bitcoins after a big correction. You can't blame the economy for it, it was your risk to take, and you didn't have to take it.

Don't walk away from your responsibility, and be happy Paymium is at least trying to come up with a solution.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: cho on April 03, 2013, 07:39:58 PM
Too bad nobody is going to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

After having read your trolling but insightful post, I, for one, will actually improve my cold storage strategy. Thx to you for that.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: repentance on April 03, 2013, 07:52:13 PM

Dude come on, this is the problem of the whole fucking society.
People just blaming each other because they don't have the balls to take responsibility for it themselves.
If you store your money somewhere, YOU are responsible. It is YOUR money. If you want to be absolutely sure it won't disappear in a financial crisis, you have to hold on to it yourself.

If you drink too much Heineken beer, you are responsible for the consequences. You can not blame Heineken because they provided it.
You are always the only one responsible for your own actions.

In this case: of course, people trusted their money to Instawallet. But if you trust something or someone, that's a risk you are taking yourself. It is like losing bitcoins after a big correction. You can't blame the economy for it, it was your risk to take, and you didn't have to take it.

Don't walk away from your responsibility, and be happy Paymium is at least trying to come up with a solution.

If you've read any of my posts at all then you're aware that I believe leaving your funds on any third party Bitcoin service is the height of stupidity and when this first happened I questioned how many times shit like this is going to happen before people grasp the fact that your funds can never be totally safe on such services.

That doesn't excuse services from the responsibility to ensure that their security is adequate and to immediately take measures to beef it up when they become aware of a vulnerability - especially when vulnerabilities in that service are being widely and publicly discussed.



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: lucb1e on April 03, 2013, 07:58:18 PM
The bitcoin-central website seems to be changing often. First the site's https was down, then it was serving a http connection over https port (results in firefox in record too long or something), then error 500, now the message is back. It looks like they're changing physical location or even physical server (changing certificate, reconfiguring webserver, perhaps an IP change).

Getting worried about the severe lack of communication
I find that strange too, though I'm not sure if it should really have us worried. At least the bitcoin-central users, I have a worse feeling about instawallet. But I'm not involved with instawallet at all and I'm not checking on that all day, so my feeling could easily be wrong.

Anyone have a private communication channel to them? Could anyone try to get some info on this? Customers/users deserve to know the current status of the affair.
I think if anyone had, they are friends and are told things in confidence, or acquaintances are told the same as everyone. If they're not talking, it's most likely that nothing is supposed to come out... And I think they're reading this topic at least once or twice a day, if something was to be said they'd have said it. Maybe (like someone else suggested) they're not talking for the case that they are wrong. Official statements are always taken as promises, even if it's not said anywhere (and for a good reason, but that might be why they're silent).


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: HATA28 on April 03, 2013, 07:58:41 PM
...

If you've read any of my posts at all then you're aware that I believe leaving your funds on any third party Bitcoin service is the height of stupidity and when this first happened I questioned how many times shit like this is going to happen before people grasp the fact that your funds can never be totally safe on such services.

That doesn't excuse services from the responsibility to ensure that their security is adequate and to immediately take measures to beef it up when they become aware of a vulnerability - especially when vulnerabilities in that service are being widely and publicly discussed.
How can you say that when we don't even know what exactly happened yet. Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculating.
Also, if you are aware of the vulnerability then what would stop you from immediately withdrawing all your funds... I am not saying Paymium didn't make any mistakes, I'm just saying do whatever you can to protect your funds, and if you don't, take responsibility for it.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 03, 2013, 08:08:57 PM
This is going to hurt. And I don't just mean the 200 bucks I've just lost, it's going to hurt hard on bitcoin.

The volume is/was hardly influential. Mtgox didn't even notice when Bitcoin Central went down.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: repentance on April 03, 2013, 08:26:56 PM
How can you say that when we don't even know what exactly happened yet. Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculating.

Because it doesn't matter whether it was the vulnerability which was discussed last week which was exploited.  The moment it becomes public that your service has a vulnerability, there's a massive target on your back and people will not only try to exploit that particular vulnerability, they will actively look for others (and they'll look for similar vulnerabilities in other services).

The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.  How you're going to verify claims in the event of a security breach should be something you already plan for before a breach occurs and it sure as hell shouldn't involve providing information which is already known to be easily compromised.

People don't demand enough of Bitcoin services.  Half the time they know little - if anything - about the people behind them and especially about the resources they have available.  They don't bother asking service providers about their disaster plans (which is insane because very few Bitcoin services have the financial resources to simply absorb losses which occur due to security failures).  They leave amounts they can't afford to lose with services which could literally be out of business an hour from now.  No doubt some of the people who'll be impacted by this have previously lost funds to other exchange/wallet service failures (and will likely do so again in the future).

None of this means that services themselves should get a free pass when disaster strikes or that people should be ever so grateful for any steps they take to try to make users whole.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: dree12 on April 03, 2013, 08:31:17 PM
How can you say that when we don't even know what exactly happened yet. Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculating.

Because it doesn't matter whether it was the vulnerability which was discussed last week which was exploited.  The moment it becomes public that your service has a vulnerability, there's a massive target on your back and people will not only try to exploit that particular vulnerability, they will actively look for others (and they'll look for similar vulnerabilities in other services).

The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.  How you're going to verify claims in the event of a security breach should be something you already plan for before a breach occurs and it sure as hell shouldn't involve providing information which is already known to be easily compromised.

People don't demand enough of Bitcoin services.  Half the time they know little - if anything - about the people behind them and especially about the resources they have available.  They don't bother asking service providers about their disaster plans (which is insane because very few Bitcoin services have the financial resources to simply absorb losses which occur due to security failures).  They leave amounts they can't afford to lose with services which could literally be out of business an hour from now.  No doubt some of the people who'll be impacted by this have previously lost funds to other exchange/wallet service failures (and will likely do so again in the future).

None of this means that services themselves should get a free pass when disaster strikes or that people should be ever so grateful for any steps they take to try to make users whole.

Hear hear. So many people here are against regulation. Until people become accustomed enough to regulate companies themselves, more regulation is good for Bitcoin.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: HATA28 on April 03, 2013, 08:50:45 PM
How can you say that when we don't even know what exactly happened yet. Sure, it can be due to the vulnerabilities discussed earlier, but as said before, that is only speculating.
The fact that it's going to take them more than 90 days to start returning user funds (and likely more if you have over 50 BTC with them) indicates that they had no adequate disaster plan in place.
They don't say it is gonna take more than 90 days. They only say your balance will automatically be refunded (<50 BTC) if you were too lazy to file a claim.
You cannot have an immediate disaster plan in a case like this. If your security gets compromised, then how can you have a plan for it at that moment, when you just found out about the leak?
Paymium is already providing information regarding a solution, within only 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: TheButterZone on April 03, 2013, 08:52:33 PM
Trying to figure out the logic of the statement and claims process.

Assuming everyone's Instawallet BTC was moved to cold storage (as all received TXs seemed to be moved off your BTC address shortly after receipt), and this was a database hack, the hacker just obtained the secret URLs and the BTC balances of all of them? Unless the hacker ALSO coded some kind of script to access every secret URL, withdraw entire balance on each of them via whatever method Instawallet had for withdrawing them out of cold storage, then this would explain why there is a 90 day claims process at all. Basically Instawallet has to make sure only one person is claiming each secret URL, and then detect a pattern of similar double claims; the one doing the double claims for more than maybe 3 secret URLs or >50 BTC is the hacker?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: HATA28 on April 03, 2013, 09:01:27 PM
It is not certain yet that the security was compromised by leaking the instawallet URLs.
It could be something completely different.
Also, they didn't say it is going to take 90 days to refund; after 90 days you will be auto-refunded (<50 BTC).
You will most likely get your bitcoins back a lot faster if you file a claim.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Rampion on April 03, 2013, 09:04:05 PM
No news from davout?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: repentance on April 03, 2013, 09:04:50 PM

They don't say it is gonna take more than 90 days. They only say your balance will automatically be refunded (<50 BTC) if you were too lazy to file a claim.
You cannot have an immediate disaster plan in a case like this. If your security gets compromised, then how can you have a plan for it at that moment, when you just found out about the leak?
Paymium is already providing information regarding a solution, within only 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution.

Is English not your first language? They quite clearly state that your funds will be refunded after 90 days if no other claims have been filed on your account.

Quote
For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.

After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded.

1) you do need to file a claim and 2) even when you do your funds will be returned after 90 days if there are no competing claims on your account.

I have no idea why you believe that it's impossible to develop disaster plans before an incident occurs.  If you don't have a way to verify the identity of your users in the event of a disaster, then you don't have adequate ways to identify them period.  Users need to accept that the greater degree of the anonymity a service allows them, the more difficult it may be for them to ever prove ownership of funds should it become necessary and services need to clearly state the possibility of that issue arising.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: greyhawk on April 03, 2013, 09:08:11 PM
At this point with a registration date of today and his suspicious posting behaviour, I'm leaning toward the assumption of HATA28 to either be a davout sockpuppet or the 'hacker' himself.

Oh, wait. Hehe, duplicates.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: HATA28 on April 03, 2013, 09:23:44 PM

They don't say it is gonna take more than 90 days. They only say your balance will automatically be refunded (<50 BTC) if you were too lazy to file a claim.
You cannot have an immediate disaster plan in a case like this. If your security gets compromised, then how can you have a plan for it at that moment, when you just found out about the leak?
Paymium is already providing information regarding a solution, within only 2 days. That is fast. Just because you are refreshing their website every minute doesn't make 2 days a long period to come up with a solution.

Is English not your first language? They quite clearly state that your funds will be refunded after 90 days if no other claims have been filed on your account.

Quote
For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.

After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded.

1) you do need to file a claim and 2) even when you do your funds will be returned after 90 days if there are no competing claims on your account.

I have no idea why you believe that it's impossible to develop disaster plans before an incident occurs.  If you don't have a way to verify the identity of your users in the event of a disaster, then you don't have adequate ways to identify them period.  Users need to accept that the greater degree of the anonymity a service allows them, the more difficult it may be for them to ever prove ownership of funds should it become necessary and services need to clearly state the possibility of that issue arising.
Okay, you are totally right, I did not read carefully enough (missed "other" and "same"). I thought they meant they were going to refund if you file a claim, and refund automatically if you didn't claim anything at all. I have never used instawallet and I have never even seen the website. I only have a slight idea of how it's working, so I think it's time for me to shut up about this.


At this point with a registration date of today and his suspicious posting behaviour, I'm leaning toward the assumption of HATA28 to either be a davout sockpuppet or the 'hacker' himself.

Oh, wait. Hehe, duplicates.
Maybe I am. Why don't we find out in the next couple of days...



Title: Re: Instawallet Security Breach
Post by: joepie91 on April 03, 2013, 09:31:44 PM
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

It was most definitely a security flaw. There's a reason many services that offer similar things, use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet, and need the 'fragment' as well. The fragment is entirely clientside.

To put it simply, using a url as your sole authentication is a really fucking stupid idea.


Title: Re: Instawallet Security Breach
Post by: repentance on April 03, 2013, 09:42:23 PM

It was most definitely a security flaw. There's a reason many services that offer similar things, use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet, and need the 'fragment' as well. The fragment is entirely clientside.

To put it simply, using a url as your sole authentication is a really fucking stupid idea.

Even worse is that they knew this flaw was being discussed publicly, as was the StrongCoin flaw.  You can't assume that every user will read thread about security flaws but services themselves should make it their business to know when such discussions are taking place.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: makomk on April 03, 2013, 10:35:00 PM
The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture.

Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.
Fucking maroons. For this to be true, they'd have to be storing the raw, unhashed keys from the URLs, and there's not really any good reason why they should do things this way. Simply hashing the URLs would have made it difficult or impossible for someone who got hold of the database to imitate account holders.
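To make makomk's point concrete, here is an added illustration (not Instawallet's code; the in-memory "database", record layout and function names are assumptions) that contrasts a wallet table indexed by the raw secret URL key with one indexed only by its SHA-256 digest, and measures how many wallets a full copy of each table lets a reader open.

```python
import hashlib
import secrets
from typing import Callable, Dict, Optional

# Constructed in-memory stand-ins for the wallet table: index value -> record.
# Two designs are compared: indexing by the raw secret URL key (what makomk
# infers Instawallet must have done) and indexing by a digest of that key.


def hash_key(url_key: str) -> str:
    """Server-side digest of the secret URL key.

    The key is a high-entropy random token, not a human-chosen password, so one
    fast hash suffices; a salted slow hash is only needed for guessable secrets.
    """
    return hashlib.sha256(url_key.encode("utf-8")).hexdigest()


def create_wallet_raw(db: Dict[str, dict], balance: int = 0) -> str:
    """Weak design: the row is indexed by the raw URL key itself."""
    url_key = secrets.token_urlsafe(24)
    db[url_key] = {"balance": balance}
    return url_key  # handed to the user as part of the wallet URL


def create_wallet_hashed(db: Dict[str, dict], balance: int = 0) -> str:
    """Hardened design: only the digest of the URL key is ever stored."""
    url_key = secrets.token_urlsafe(24)
    db[hash_key(url_key)] = {"balance": balance}
    return url_key


def lookup_raw(db: Dict[str, dict], url_key: str) -> Optional[dict]:
    """Authenticate a request by the raw key presented in the URL."""
    return db.get(url_key)


def lookup_hashed(db: Dict[str, dict], url_key: str) -> Optional[dict]:
    """Authenticate by hashing the presented key and matching the digest."""
    return db.get(hash_key(url_key))


def wallets_openable_from_dump(
    create: Callable[[Dict[str, dict], int], str],
    lookup: Callable[[Dict[str, dict], str], Optional[dict]],
) -> int:
    """Simulate someone who has read the entire table.

    They try every stored index value as if it were a URL key and count how
    many wallets that alone opens. Raw keys: every wallet. Digests: none,
    because hashing a stored digest never reproduces that same digest.
    """
    db: Dict[str, dict] = {}
    for balance in (1, 5, 60):  # constructed sample balances
        create(db, balance)
    dumped_index_values = list(db.keys())  # the reader's copy of the table
    return sum(1 for value in dumped_index_values if lookup(db, value))


def demo() -> Dict[str, int]:
    """Compare the two designs; legitimate users still work in both."""
    return {
        "raw": wallets_openable_from_dump(create_wallet_raw, lookup_raw),
        "hashed": wallets_openable_from_dump(create_wallet_hashed, lookup_hashed),
    }


if __name__ == "__main__":
    print(demo())  # {'raw': 3, 'hashed': 0}
```

Hashing does not help if the same dump also exposes whatever the claim process later relies on, which is the disaster-planning point repentance makes above.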


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: panoss on April 03, 2013, 11:15:05 PM
bitcoin central is back


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 03, 2013, 11:19:28 PM
Note from bitcoin-central.com and paytunia.com:
Quote
[Apr-03 7:00PM CET]

We are still working on bringing the service back up: we expect to resume operations within the next 48 hours.

A lot of people have asked about the state of orders currently pending. Due to the recent and important price fluctuations we will cancel some outstanding orders before reopening. For example if the average price stays above 100 EUR/BTC we will cancel all asks below 110 EUR/BTC. No trades will be reversed.

We also don't want to take anyone by surprise and as such will give a 24h notice before trades start to get executed again.

During these 24 hours you will be able to place and cancel orders. When the trading engine gets restarted they will be executed in the order they were placed.

Your account balances (EUR, USD, GBP and BTC) were not affected by the service interruption.

The deposits received while the service was interrupted will be added to your balance during the 24h notice time.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: panoss on April 03, 2013, 11:19:51 PM
It is only referring to the open orders! As everything else is OK?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 03, 2013, 11:50:17 PM
sending your funds to a wallet consisting in a non-password protected URL is RIDICULOUS
These services have their place. Instawallet is a brilliant service for introducing newbies to bitcoin. A newbie can have a bitcoin address up and running and making payments, literally within seconds. In this era of short attention spans, the Instawallet service is invaluable for spreading bitcoin adoption.

I frequently tell friends to visit Instawallet.org and quote me the address they see. Then I send some small change to that address. They immediately "get" bitcoin.

Therefore, all the NPO/NGOs I emailed with InstaWallet.org in the text will look upon Bitcoin as a farce if they happen to click the link.

Currently on Page 8 of this thread, hoping there's good news by the time I get to Page 14.

So far it's looking like this'll be the first time I lose bitcoins via another entity. The ONLY saving grace is that it was all profit, but then again so is close to 100% of all the barn wood I currently have in stock, but I would hate it if the buildings burned down or I was ripped off of the entire lot.

I'm holding my tongue till I reach the end of this thread.

Madness!!!

~Bruno K~


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 04, 2013, 12:08:23 AM
davout give us a shoutout PLEASE We wanna know what your doing!!!!!!!!!!!!!!!!!!!!
 :'(

YOU GOTTA BE FUCKIN' KIDDIN' ME!!!

Quote
Name:   davout
Posts:   2744
Position:   Staff
Date Registered:   October 17, 2010, 06:01:12 AM
Last Active:   April 02, 2013, 10:16:50 AM

I hope I'm calmed down before I get to the end of this thread, otherwise I WILL be asking for an address, and not the BlockChain kind.


Title: Re: Instawallet Security Breach
Post by: Nicolai on April 04, 2013, 12:18:08 AM
I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.
It was most definitely a security flaw. There's a reason many services that offer similar things, use the 'fragment' in the URL (the part after the # in the URL) to authenticate users. The end result is that you can't use the actual URL itself to gain access to the wallet, and need the 'fragment' as well. The fragment is entirely clientside.

To put it simply, using a url as your sole authentication is a really fucking stupid idea.
I totally agree with your last line, but "a fucking stupid idea" != security flaw.
Just like when a website creates a recovery link: blah.tld/recover.php?secret=SomEtHingRandom. As long as I don't share this link, only I and the website know the link, so only I can change my password/recover my user. THIS IS NOT A SECURITY FLAW.

However, if I share this link with world+dog (public internet) - and a lot of people did this, by sharing their *PRIVATE URL* with everyone on the public internet - then everybody can "hack" me. But this is NOT due to a security flaw in the website! This is due to a human error, because someone shared their private URLs (not a security flaw in the website and it will never be).

The "flaw" first discussed in instawallet (which wasn't even a flaw) was simply because Google allows everyone to easily see this list of PUBLICLY SHARED URLS by typing the command "site:" in Google. It is STILL possible to get this list, by simply changing "site:" to e.g. "allintext:" (proof (http://google.com/search?q=allintext:instawallet.org/w/)), however now you manually have to visit every site on the list and dig out the instawallet link (before, Google would do this for you).

It is best practice to tell Google: "please don't make this list _easily_ accessible", however you and everyone else will always be able to find "the list" (and the list will always exist, as long as people share their URLs with everyone). It is NOT a security flaw in any website that you can find this list (assuming the list only consists of private URLs leaked by users, not the website).

Had Instawallet leaked just one link, then this would have been a security flaw, but they DIDN'T. Not a single link.

And can we now please stop talking about this silly "mistake" (it's not even a flaw - and you would NEVER be able to use it, to hack Instawallet), and actually focus on THE REAL HACK. Please?
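The point made in the post above about the URL fragment, shown in code. This is an added example and not code from Instawallet or from anyone in this thread: the wallet URL shapes, the example host `wallet.example`, the token `EXAMPLETOKEN` and the HKDF-style key derivation are all constructed for illustration. What it demonstrates is that a browser never sends the part after `#` in the request-target or in a Referer header, so a secret kept in the fragment cannot land in a server access log, whereas a secret kept in the path does.

```python
"""URL-as-password versus secret-in-fragment (added example, not Instawallet code).

The browser-side rules used here are the standard ones: the request-target on the
wire is path plus query (RFC 7230), and the Referer header is the URL stripped of
its fragment (RFC 7231). Everything else (hostnames, tokens, the KDF) is assumed.
"""
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit


def request_target(url: str) -> str:
    """What the browser puts on the request line: path and query, never the fragment."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def referer_header(url: str) -> str:
    """The Referer value sent when this page loads an external resource (fragment dropped)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def server_visible_secret(url: str) -> bool:
    """True if the wallet secret is part of what reaches the server.

    Demo heuristic: the secret is server-visible unless the URL keeps it only in
    the fragment. A real check would know where the service puts its secret.
    """
    return not urlsplit(url).fragment


def derive_client_key(url: str, info: bytes = b"wallet-key") -> bytes:
    """Derive a 32-byte wallet key from the fragment, entirely on the client.

    HKDF-style extract-then-expand (RFC 5869) with the host as salt; this is an
    assumed design for a fragment-authenticated wallet, not any real service's.
    """
    parts = urlsplit(url)
    if not parts.fragment:
        raise ValueError("no client-side secret in URL")
    prk = hmac.new(parts.netloc.encode(), parts.fragment.encode(), hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def access_log_line(client_ip: str, url: str) -> str:
    """Constructed Apache-style access log line for a GET of `url`."""
    return (f'{client_ip} - - [01/Apr/2013:18:49:55 +0000] '
            f'"GET {request_target(url)} HTTP/1.1" 200 512')


if __name__ == "__main__":
    for u in ("https://www.instawallet.org/w/EXAMPLETOKEN",   # secret in the path
              "https://wallet.example/w/#EXAMPLETOKEN"):     # secret in the fragment
        print(u)
        print("  request line :", request_target(u))
        print("  Referer      :", referer_header(u))
        print("  server sees  :", server_visible_secret(u))
        print("  log line     :", access_log_line("203.0.113.5", u))
        if not server_visible_secret(u):
            print("  client key   :", derive_client_key(u).hex())
```

The fragment design does not make the wallet safer against a user who pastes the full URL somewhere public; it only removes the server, its logs, its proxies and every third party that receives a Referer from the set of places the secret can leak.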


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 04, 2013, 12:28:11 AM

They were hacked and lost bitcoin!! They will close this business and go through the "claim" process!!

Source?
the website now updated with the notice.

I'm not seeing it. If you're trolling, this is not a good time. If you're not, do post a screenshot.
INSTAWALLET SERVICE NOTICE

The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture.


Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.


In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Important information on claims submission:

1.For the first 90 days we will accept claims for individual Instawallets. Your wallet's URL and key will be used to pre-populate a form to file the claim.
2.After 90 days, if no other claim has been received for the same url, your Instawallet balance under 50 BTC will be refunded. If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.
3.Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.

From http://notice.instawallet.org/

Somebody fuck me in my ass and then stick your dick in my mouth, for I'm sure I'll enjoy that much better than what I've just read.

I've read that he's probably in Paris, so so much for a road trip. Is there anybody in Paris that can at least visit the address provided to glean any viable information?

I will blow my fuckin' top if I learn that my close friend and a dear client (2 separate individuals) have coins tied up on InstaWallet.org after I went out on a limb to assure them that they need not worry giving my personal guarantee.

This is so fucked up on so many levels.

Back to page 10, or is it 11?

~Bruno K~


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 04, 2013, 12:31:16 AM
Hope you learnt an important lesson: NEVER TRUST ONLINE WALLETS WITH MORE THAN POCKET MONEY.

And remember that what's pocket money today, can be retirement money tomorrow ;)

No Mother Fuckin' Kidding!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 04, 2013, 12:37:50 AM
It seems every generation of bitcoiners just has to learn hard lessons on their own. FFS, if experienced bitcoiners like so-not-modest myself, who warned others about exactly this shit long before the mybitcoin fiasco, tell you TRUST NO ONE, pay fucking attention next time.


It never works Vlad, they never listen.

Stick two dicks up my ass, for it's quite obvious that I didn't listen.

Also...

Quote
Q: I forgot my URL, can you help me?

A: As I lined out in the warning, I'm afraid the answer is no. I have to be strict about this, as I would otherwise open myself to social engineering attacks and putting my users and myself at risk. If you have not done so already, I can only recommend to check your browser history. An easy way of doing that is to just enter https://www.instawallet.org/w/ and see what your browser's auto completion suggests.

Somebody tell me then how the hell are they going to be able to return funds given the above?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 04, 2013, 12:58:03 AM
Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time"

"run away" includes "getting 'hacked'"

It is basically the same as amount of mined bitcoins asymptotically approaches 21 million.

People! FFS! Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones.

Store not only encrypted images but truecrypt distribution/installation too.

This is all you need to know and do.

Remember risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amount of BTC for short time. The smaller the amount and the shorter the time, the better. In this case Risk is acceptable. For large amounts and long time you simply cannot trust 3rd parties without taking on disproportional risks.

Too bad nobody is going to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount.


Spot on, and did not take offense, bud. All others feel free to stick it up me, but at least ask me if I want to taste it when you do.

Although this hurts me financially, it's not drastic, but this is a major blow to Bitcoin on several levels. Not in my wildest dreams did I think InstaWallet would go down, but looking back I should have thought otherwise. In fact, for a brief second I did about a week or so ago, but was assured that all is well, opting to not look deeper and explore my options further.

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: justusranvier on April 04, 2013, 01:00:36 AM
Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.
11000 posts and you never came across a thread explaining how to set up a secure paper wallet? ???


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: repentance on April 04, 2013, 01:21:36 AM

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

Sorry to hear that, Phin.  I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 04, 2013, 01:23:30 AM
Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.
11000 posts and you never came across a thread explaining how to set up a secure paper wallet? ???

I came across it, but opted to ignore it, not wanting to take the time to go through the learning curve. Hell, I purchased a Samsung III to use with Bitcoin in mind, but got frustrated with the screen, so I gave it to my niece.

I am capable of figuring things out, but sometimes the lack of time gets in the way of me doing certain things.

I'm on record for stating that even if Bitcoin went to zero, i'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter.

Later, bud.

~Bruno K~

EDIT: Ironically, we cross-post:


Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

Sorry to hear that, Phin.  I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: repentance on April 04, 2013, 01:36:52 AM

I'm on record for stating that even if Bitcoin went to zero, i'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter.

Later, bud.

~Bruno K~



They previously stated that they had exclusive control of the wallet and that user funds were safe.  They've said nothing so far to indicate that's not still the case.  The issue here seems to be how they return funds to legitimate users when the database has been compromised.  You're obviously going to fall into the "case by case" category, but at this stage they're saying they can start returning funds after a 90 day claim period and not that there are missing funds.

In my opinion, they need to make very clear that no user funds have been lost (or none that they can't replace out of their own pockets) if that's the case.  If user funds have been lost then they need to be truthful about that because no-one wants to sit around thinking they're going to get their funds in 90 days only to find in 3 months time that there's a shortfall.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: SgtSpike on April 04, 2013, 03:25:45 AM
Vladimir Law: "chances of a 3rd party running away with your bitcoins asymptotically approaches 100% over time"

"run away" includes "getting 'hacked'"

It is basically the same as amount of mined bitcoins asymptotically approaches 21 million.

People! FFS! Figure out brainwallets, paper wallets and best of all truecrypt containers, preferably with a hidden partition and decoy partition and standard bitcoin-qt with encrypted wallet.dat. Do not forget your pass phrases but still use very strong ones.

Store not only encrypted images but truecrypt distribution/installation too.

This is all you need to know and do.

Remember risk management formula: Risk = Asset * Vulnerability * Threat. This means you can trust 3rd parties for small amount of BTC for short time. The smaller the amount and the shorter the time, the better. In this case Risk is acceptable. For large amounts and long time you simply cannot trust 3rd parties without taking on disproportional risks.

Too bad nobody is going to listen to the above. No matter how often I (and others) repeat it. So fuck you, you deserve all your coins to be stolen eventually then.

I hate blaming the victims, but people you should have more sense. Phinnaeus Gage, I am really sorry, hopefully it was a trivial amount.


Spot on, and did not take offense, bud. All others feel free to stick it up me, but at least ask me if I want to taste it when you do.

Although this hurts me financially, it's not drastic, but this is a major blow to Bitcoin on several levels. Not in my wildest dreams did I think InstaWallet would go down, but looking back I should have thought otherwise. In fact, for a brief second I did about a week or so ago, but was assured that all is well, opting to not look deeper and explore my options further.

Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.
I'll just say that the Bitcoin-QT wallet is incredibly easy to set up (pretty much just click install, and it's done), and it is reasonably secure once you password protect it.  The downside is just that it takes a number of hours to synchronize, and it does take up some ram and a decent amount of HDD space.  But that's a small sacrifice to make to have full control over your coins.

Davout seems to be a standup guy.  I'd be surprised if you didn't get the vast majority of your funds back, given how much of instawallet's funds were sitting in a cold wallet.  But certainly, put more effort into making sure your coins are secure down the road, especially when you have enough to buy a house with!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Twerka on April 04, 2013, 03:53:14 AM
I lost 0.02 BTC :(, even when its only 2,50 dollars, I'm angry to see a website stealing the money of their users. "Trust no one" is the name of a post on the newbie area; I think it's right.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: repentance on April 04, 2013, 03:58:38 AM
I lost 0.02 BTC :(, even when its only 2,50 dollars, I'm angry to see a website stealing the money of their users. "Trust no one" is the name of a post on the newbie area; I think it's right.

I think they've done a lot wrong, but right now there is no evidence whatsoever that anyone's funds have been "stolen".


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: avegetable on April 04, 2013, 05:29:45 AM
Would it be a good idea for victims to find out which address (or addresses) they used to transfer their BTC to Instawallet, and immediately sign a message, to prove that they control that bitcoin adddress, if possible?

This wouldn't prove that they own the funds at Instawallet (they might only be somebody who sent BTC to the real owner) but it would help Instawallet to more easily sort out claims into 'probably true' and 'probably false'.

That's because scammers won't be able to prove that they sent any bitcoins in to the Instawallet address that they claim to own. And somebody who really did send bitcoins into another person's address isn't likely to have the knowledge, or the desire, to scam them later (though it's not impossible, if a large sum is at stake, so Instawallet would still need to review the case and other evidence)

I don't have anything stored at Instawallet. I'm just thinking it would be best for victims to prove as soon as possible that they control any sending addresses, in case they're not able to do that later (for example, they could delete their wallet, or overwrite keys, accidentally or because they think it's not important any more)

Does this idea help?



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: cho on April 04, 2013, 06:49:02 AM
Quote
Q: I forgot my URL, can you help me?

A: As I lined out in the warning, I'm afraid the answer is no. I have to be strict about this, as I would otherwise open myself to social engineering attacks and putting my users and myself at risk. If you have not done so already, I can only recommend to check your browser history. An easy way of doing that is to just enter https://www.instawallet.org/w/ and see what your browser's auto completion suggests.

Somebody tell me then how the hell are they going to be able to return funds given the above?

Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed: "I have to be strict about this, as I would otherwise open myself to social engineering attacks" would otherwise have been "it is physically impossible for me to do so since we do not store your URLs unencrypted, and are thus unable to recover them, whatever the circumstances".
Am I wrong ?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 04, 2013, 07:27:09 AM
Maybe my post is a bit offtopic but could someone explain what is the difference between keeping bitcoins in Instawallet and in Bitcoin-central? I am not talking about security issues. Instawallet is a wallet. Bitcoin-central is an exchange market but one can also keep bitcoins there.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 04, 2013, 07:58:36 AM
I quote a part from an article that appeared in "bitcoinmagazine" (http://bitcoinmagazine.com/instawallets/) regarding pros and cons of using instawallet:

Because of Instawallet’s “URL as password” mechanism it’s the least secure of all the options. Instawallet themselves recommend that users “please do not store more than some spare change here” for casual use.


Instawallet people themselves recommended their clients not to store large amounts of bitcoins. This shows some honesty.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: piramida on April 04, 2013, 07:59:44 AM
14,000 total coins were stored in instawallet? Lost faith in humanity once again :)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 04, 2013, 08:25:31 AM
Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.
11000 posts and you never came across a thread explaining how to set up a secure paper wallet? ???

I came across it, but opted to ignore it, not wanting to take the time to go through the learning curve. Hell, I purchased a Samsung III to use with Bitcoin in mind, but got frustrated with the screen, so I gave it to my niece.

I am capable of figuring things out, but sometimes the lack of time gets in the way of me doing certain things.

I'm on record for stating that even if Bitcoin went to zero, i'll be fine with that, for all-in-all I'm ahead of the game, with the exception of that fuckin' Bitcoinica fiasco of which I didn't have a single satoshi in, yet lost thousands indirectly, and still feeling the effects. This episode has my stomach in knots, but This Too Will Pass, a phrase I learnt about the same time as this one: Luck is preparation waiting for opportunity. Damn, I miss the early 80's. After a good night's sleep, I'll feel better, but still bitter.

Later, bud.

~Bruno K~

EDIT: Ironically, we cross-post:


Without disclosing what this idiot had at InstaWallet, I could've easily purchased a house due to the recent exchange rate increase. Today, I don't have a single satoshi to my name, all because I never took the time to set up a secure wallet whether it be a paper wallet (no fuckin' idea what that's all about) or on a USB stick or downloading the client on some off-the-grid computer.

Sorry to hear that, Phin.  I guess I just kind of assumed that you above all people would be especially wary of leaving funds with third party services after the Bitcoinica debacle.

Looks like me and you are in the same boat Phinnaeus, nice to meet you. Shame it couldn't have been under better circumstances. :(

Ok, I have been doing some analysis/thinking about the situation and am feeling (relatively) positive. Ladies and gentlemen, if you would care to indulge me. :)

INSTAWALLET DEBACLE 2013

Firstly i have made some assumptions

1. The people behind Instawallet are honest and want to return the money to their rightful owners.

I have assumed this based on the fact that they have their public profiles on record, some of them have been directors of big multinational companies (Orange), they have other businesses which i believe they want to keep earning them money and finally they probably realise that a higher percentage of the bitcoin userbase compared to the general public might go after them personally if the money was not returned. (Based on the fact that the currency is underground and only recently surfacing to most people).

Besides this, if we assume they are dishonest then our money might as well be gone anyway. :/

2. Everybody who had money in instawallet now realises the error of their ways and will be using a paper wallet rolled up into a tube and inserted anally at all times.

Some of the people here have lost a fair bit of money and the I told you so's are a little annoying. I for one will invest a few bitcoins in awareness of this problem for newbies if i get my money back.

3. The hacker has some info

This is as far as I could go with this. I am not technically minded and can only guess from reading this thread the kind of data he could have. I have listed the possibilities from worst case scenario to best.

  • All 3.5 million URLS and public addresses in a list with balance attached to them in the list. - this would mean they have probably emptied all the big ones straight away
  • All 3.5 million URLS and public addresses in a list with no balance attached. - this would mean having to search each address on the blockchain to find out what is on each one. Quite time consuming. 2 people doing that for 90 days, 14 hours a day, looking up 1 every ten seconds would be 907,200
  • A portion of the URLS and public addresses, maybe gained from Google or Chrome as mentioned earlier in the thread - same as above but obviously some of us will not be affected
  • All 3.5 million URLS but not the public address - this would mean that as soon as the website was closed they no longer had access to the site to search for bitcoins in the URLS they were holding
  • A portion of the URLS but no public address - the same as above but again doesn't affect everyone

There may be more but that's all i could think of for now.

4. The hacker has already stolen something?

Now this i am not sure of. I feel that the wording of their agreement leads us to believe that some has gone but not all. If this is the case, when was it stolen? If it was only stolen in the last few days then maybe a date-stamped document in Time Machine (Mac recovery service) would be enough to prove that you have held the URLS for a while?

CONCLUSION

After all this we can conclude that if we claim back on an address and find that all large amounts are being double claimed we can be sure that the first option in section 3 is probably true.

If this is not the case then i think the chances of double claiming go down and we can hope to see our money again.

You never know, a 90 day force holding period might be a blessing in disguise. :D

What do you guys think?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 04, 2013, 08:26:08 AM
Maybe my post is a bit offtopic but could someone explain what is the difference between keeping bitcoins in Instawallet and in Bitcoin-central? I am not talking about security issues. Instawallet is a wallet. Bitcoin-central is an exchange market but one can also keep bitcoins there.

Instawallet did not have any form of security. Anyone knowing the url of a wallet could have withdrawn all its funds. (basically anyone gaining some form of access to the server could read the http log file and get hundreds of wallets)

Bitcoin Central has/had :
- a login/password system
- an optional double authentication mechanism
- a KYC policy requiring people wishing to put in more than x euros (x=250 or 1000€, I don't remember) or the equivalent in BTC to identify themselves with name, address and a proof of identity.



I would like to know the conceptual difference between bitcoin-central and instawallet. After an extensive discussion here in the topic, I learnt about the security gaps, but why would someone prefer to keep the bitcoins in Instawallet rather than in bitcoin-central?
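The quoted claim that anyone who can read the HTTP log file gets hundreds of wallets is the kind of thing an incident responder checks first after a server compromise. Below is an added example (not Instawallet's code, and not posted by anyone in this thread) that scans Apache combined-format access log lines for Instawallet-style `/w/<token>` paths in both the request line and the Referer field, reports which wallets were exposed and from where, and produces a redacted copy that is still correlatable per wallet. The log lines and the 32-hex-digit token format are constructed for the example.

```python
"""Enumerate and redact wallet URLs in web-server logs (added example).

SAMPLE_LOG is constructed: Apache combined format, made-up IPs from the
documentation ranges, and made-up tokens. TOKEN_RE assumes the secret is a
32-character lowercase hex string under /w/; adjust for the real format.
"""
import hashlib
import re

SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2013:18:49:55 +0000] "GET /w/0123456789abcdef0123456789abcdef HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2013:18:50:01 +0000] "GET /static/app.js HTTP/1.1" 200 8811 "https://www.instawallet.org/w/0123456789abcdef0123456789abcdef" "Mozilla/5.0"
198.51.100.9 - - [01/Apr/2013:18:50:14 +0000] "POST /w/fedcba9876543210fedcba9876543210/send HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2013:18:51:40 +0000] "GET /robots.txt HTTP/1.1" 200 26 "-" "Googlebot/2.1"
"""

# Apache "combined" log format: ip ident user [ts] "method target proto" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TOKEN_RE = re.compile(r"/w/([0-9a-f]{32})")


def exposed_tokens(log_text: str) -> dict:
    """Map each wallet token found in the log to the set of (field, client_ip) that leaked it.

    The Referer field matters as much as the request line: a wallet page that loads
    any third-party resource hands its URL to that third party, and it lands here too.
    """
    found = {}
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unparsable line; a real scan would count these separately
        for field in ("target", "referer"):
            for tok in TOKEN_RE.findall(m.group(field)):
                found.setdefault(tok, set()).add((field, m.group("ip")))
    return found


def redact(log_text: str) -> str:
    """Replace every token with a short hash so lines per wallet stay correlatable
    but the log no longer authenticates anyone."""
    return TOKEN_RE.sub(lambda m: "/w/" + hashlib.sha256(m.group(1).encode()).hexdigest()[:12], log_text)


if __name__ == "__main__":
    for tok, where in exposed_tokens(SAMPLE_LOG).items():
        print(tok, sorted(where))
    print(redact(SAMPLE_LOG))
```

The redaction is what you would apply at log-shipping time on a service that keeps a secret in the path; the enumeration is what you run over retained logs to size the exposure after a read of the log directory, which is a much lower bar for an attacker than a read of the database.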


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Kotcha on April 04, 2013, 08:50:55 AM
Anyone else having problems accessing the Instawallet site atm? Getting these errors in Firefox and Chrome...   ???

Quote
This Connection is Untrusted

You have asked Firefox to connect securely to www.instawallet.org, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

Quote
This is probably not the site you are looking for!
You attempted to reach instawallet.org, but instead you actually reached a server identifying itself as *.bitcoin-central.net. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of instawallet.org.
You cannot proceed because the website operator has requested heightened security for this domain.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: dooglus on April 04, 2013, 08:55:41 AM
Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed [...]

Am I wrong ?

I think so.  It is conceivable that the URLs are stored encrypted using the dev's public key.  He would then be able to retrieve the URLs by downloading the database to his home machine and using his private key there, without them ever being stored in plain text on the database.
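The two posts above (cho's reading of the FAQ and dooglus's reply) turn on how the wallet URLs are stored at rest. Below is an added example, not Instawallet's code and not written by either poster, contrasting the two designs they discuss: a table keyed by the plaintext secret, and a table keyed by a hash of it. The table layout, the 128-bit hex token format and the balance values are assumptions. It shows that with the hashed layout a copy of the database gives an attacker nothing he can present to the site, while a legitimate holder who still has the URL can be looked up for the claim form.

```python
"""Plaintext versus hashed storage of URL secrets (added example, not Instawallet code).

Tokens are 128-bit random values, so an unsalted SHA-256 of the token is already
unguessable and can serve directly as the indexed row key. (A keyed HMAC with the
key held outside the database is the usual extra layer if tokens were ever short.)
"""
import hashlib
import secrets


def _token_id(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class PlaintextStore:
    """The design the FAQ wording implies: the secret itself is the row key,
    so the operator could recover it and so could anyone who copies the table."""

    def __init__(self):
        self.rows = {}  # assumed layout: token -> balance

    def create(self, balance: float) -> str:
        token = secrets.token_hex(16)
        self.rows[token] = balance
        return token

    def lookup(self, token: str):
        return self.rows.get(token)

    def dump(self) -> dict:
        """Everything an attacker with read access to the database obtains."""
        return dict(self.rows)


class HashedStore:
    """Same interface; the row key is sha256(token), the token is never written."""

    def __init__(self):
        self.rows = {}  # assumed layout: sha256(token) -> balance

    def create(self, balance: float) -> str:
        token = secrets.token_hex(16)
        self.rows[_token_id(token)] = balance
        return token

    def lookup(self, token: str):
        return self.rows.get(_token_id(token))

    def dump(self) -> dict:
        return dict(self.rows)


def replay_from_dump(store, dump: dict) -> int:
    """How many wallets an attacker can open by presenting the dumped row keys as URLs."""
    return sum(1 for key in dump if store.lookup(key) is not None)


if __name__ == "__main__":
    for cls in (PlaintextStore, HashedStore):
        store = cls()
        tokens = [store.create(b) for b in (0.02, 2.0, 60.0)]
        print(cls.__name__, "wallets replayable from a DB dump:",
              replay_from_dump(store, store.dump()), "of", len(tokens))
        print("  legitimate holder with URL still finds balance:", store.lookup(tokens[2]))
```

The cost of the hashed layout is exactly the FAQ's "I forgot my URL" case: nobody, operator included, can recover a token, which is why a FAQ written for that design would say "impossible" rather than "I have to be strict". The claim procedure in the notice still works with it, since the claimant presents the URL and the site only needs to look it up. The variant dooglus describes, encrypting each token to an offline public key, keeps operator recovery possible at the price of that one private key becoming the thing a database thief needs next.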


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: dooglus on April 04, 2013, 09:05:13 AM
  • All 3.5 million URLS and public addresses in a list with balance attached to them in the list. - this would mean they have probably emptied all the big ones straight away

It's probable that instawallet's 'hot wallet' wasn't large enough to empty all the big ones.  Perhaps the hot wallet was drained and that's what tipped them off that there was a problem.  Perhaps they refilled it a few times before noticing what was going on.  We do know they had a 'cold wallet' which presumably held the majority of the coins.

  • All 3.5 million URLS and public addresses in a list with no balance attached. - this would mean having to search each address on the blockchain to find out what is on each one.
I'm pretty sure that instawallet was a shared wallet, so blockchain analysis doesn't tell you the balance of any of its accounts.  You can find all the deposits to a given address, but can't tell anything about the withdrawals from it.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 04, 2013, 09:29:11 AM
14,000 total coins were stored in instawallet? Lost faith in humanity once again :)

Given how low the threshold was to start a wallet there, this could be spread over thousands of people. Judging by Phil's posts above, though, this is hardly the case  :-\


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: 🏰 TradeFortress 🏰 on April 04, 2013, 10:27:56 AM
And learn your lesson - use blockchain.info, bitcoin-qt, electrum, whatever.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: trout on April 04, 2013, 11:00:54 AM
It's probably that instawallet's 'hot wallet' wasn't large enough to empty all the big ones.  Perhaps the hot wallet was drained and that's what tipped them off that there was a problem.  Perhaps they refilled it a few times before noticing what was going on.  We do know they had a 'cold wallet' which presumably held the majority of the coins.

I don't think the hot wallet was emptied.
If you look at the transaction history of their cold wallet, 1FrtkNXastDoMAaorowys27AKQERxgmZjY (http://blockchain.info/address/1FrtkNXastDoMAaorowys27AKQERxgmZjY), you see that 6 transfers totalling 320 BTC were made *to* this wallet, just prior to its subsequent evacuation into 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy (together with bitcoin-central funds).
You can also notice that this is a very unusual pattern for them to put money into cold storage: usually it's 1 transaction every few days, not several transactions in quick succession.

What is more, among these 6 transactions is the address of my instawallet, to which I transferred the funds about 6 hours before. (I was unlucky to try to tumble some coins through instawallet at the worst possible moment.)

So from this it's quite clear that not all hot-wallet money was stolen. Probably the hacker accessed the database from where it was not supposed to be accessed, and that triggered the alarm.
How many URLs he got and how many he tried to empty we don't know.




Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Nicolai on April 04, 2013, 11:41:58 AM
Quote from: Vladimir
Having password in URL is a security flaw. It opens obvious attack vectors with very high probability of being exploited sooner or later. Information Security is all about risks and probabilities. Everything that increases risk is a "security flaw" to some degree.
No it is not. What you don't get is that there is a huge difference between "not following best practice" and "having a security flaw in your website". The reason why the "password in url" was described as a "security flaw" was because 'the founder' (a user) wanted it to look worse than it was (so Instawallet would look worse for not paying him, even though it was public knowledge that this was possible loooong before 'the founder' even "found" this).

Instawallet had a security flaw that got them hacked (this incident, we don't know how, but we do know that it had NOTHING to do with "password in url"), however the "password in url" was just a case of "not following best practice" (NOT a security flaw). It is just like when a website uses a simple username+password combination to authenticate users, instead of a "zero-knowledge password proof" protocol. Most websites use the less secure username+password, but this doesn't mean you should create a forum post for each website, whining that you told all the websites on the internet that ZKPP is better and now you want a cookie + pay check ( <-- this is what 'the founder' did).

So to sum up, it is not a security flaw/exploit if you can't exploit/get access to *anything* without requiring the users to tell you their passwords (<-- this is ofc just very simplified, but the point is that if your exploit is "give me your shared secret, and I can authenticate as you" then it isn't an exploit, it is intended behaviour. You could argue "why use a shared secret, why not something else and more secure?" but it still wouldn't be a security flaw. Not now, not ever).

[...]

3. The hacker has some info

This is as far as I could go with this. I am not technically minded and can only guess from reading this thread the kind of data he could have. I have listed the possibilities from worst case scenario to best.

  1) All 3.5 million URLs and public addresses in a list with balance attached to them in the list. - this would mean they have probably emptied all the big ones straight away
  2) All 3.5 million URLs and public addresses in a list with no balance attached. - this would mean having to search each address on the blockchain to find out what is on each one. Quite time consuming. 2 people doing that for 90 days, 14 hours a day, looking up 1 every ten seconds would be 907,200
  3) A portion of the URLs and public addresses, maybe gained from Google or Chrome as mentioned earlier in the thread - same as above but obviously some of us will not be affected
  4) All 3.5 million URLs but not the public address - this would mean that as soon as the website was closed they no longer had access to the site to search for bitcoins in the URLs they were holding
  5) A portion of the URLs but no public address - the same as above but again doesn't affect everyone

There may be more but that's all i could think of for now.

[...]

What do you guys think?

I agree on most parts, but:

2) Actually "2" would be almost like "1". It wouldn't be time consuming at all, because you can just write a parser to parse the blockchain and sort by amount (change a bit here and there, and this source code (https://bitcointalk.org/index.php?topic=88584.0) + the blockchain, is all you need).

3) As I wrote earlier, this is 100% without any doubt NOT the case.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: DavinciJ15 on April 04, 2013, 12:29:39 PM
HOW DO YOU FILE A CLAIM!

I hate that the site says file a claim but provides no way to do so.

It's not like I lost a lot, just under 2 BTC, but at today's price that's a nice dinner for 2 and I want it back!



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 04, 2013, 12:43:24 PM
HOW DO YOU FILE A CLAIM!

I hate that the site says file a claim but provides no way to do so.

It's not like I lost a lot, just under 2 BTC, but at today's price that's a nice dinner for 2 and I want it back!



Keep your calm and learn to read.

Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 04, 2013, 01:57:59 PM
Hi please fill in this claim form if you lost instawallet funds here.......



YOUR URL password .....


your bitcoin address....



YOUR BALANCE:   


Your Email address that you made your first complaint with......



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: cho on April 04, 2013, 02:10:24 PM
Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed [...]

Am I wrong?

I think so.  It is conceivable that the URLs are stored encrypted using the dev's public key.  He would then be able to retrieve the URLs by downloading the database to his home machine and using his private key there, without them ever being stored in plain text on the database.

Good point.
Little hints like that FAQ entry, the lack of a proper robots.txt, are instilling in my mind little particles of doubt about the technical abilities of our bitcoin-central friends.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: DavinciJ15 on April 04, 2013, 02:11:06 PM


Keep your calm and learn to read.

Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Thanks, but you know how it is when you're upset: you read it but your brain did not register it.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: DobZombie on April 04, 2013, 02:14:27 PM
I understand that instawallet was a piece of shit and needed to close but...

What the fork has that got to do with bitcoin-central?!?

I just put some BTCBTCBTC in there.

I go to the bitcoin-central page and it now says INSTAWALLET at the top of it.

This stinks of bullshit


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 04, 2013, 02:21:58 PM
I understand that instawallet was a piece of shit and needed to close but...

What the fork has that got to do with bitcoin-central?!?

I just put some BTCBTCBTC in there.

I go to the bitcoin-central page and it now says INSTAWALLET at the top of it.

This stinks of bullshit

Guys, just try to stay calm and read the whole thread before posting and blaming.

The safest conclusion so far is that indeed bitcoin-central and instawallet suffered from a hacker's attack and they are working towards a solution....and this takes time. We are not dealing with a multi-national company or bank which can restore their systems in a few hours. So be patient.



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: tvbcof on April 04, 2013, 02:41:36 PM


Keep your calm and learn to read.

Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Thanks, but you know how it is when you're upset: you read it but your brain did not register it.

I've deliberately not used my instawallet URL until some word that the claims process is in place.  I want to know what info is going to be required, then 'log on' one time and get it done with.

What is annoying is that ~davout mentions that the first claimant will be given preference, but does not say when things will be ready.

One thing that these guys might think about doing would be to allow users to PM or e-mail them with a heads-up that they are going to be filing a claim for XYZ wallet.  For us users who had one wallet that should reduce fraud quite a bit (under a situation where an attacker managed to get a hold of a large collection of URLs somehow.)



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 04, 2013, 02:49:24 PM
I wonder if going to Paris and trying to visit their office would be any use.

I live in the south of the UK and a trip on the Eurostar would be about 1.5 btc at the moment. If there are any other bitcointalk members who have lost maybe we could make a trip of it and see what we can find out.

Any donations from other members further afield to cover costs/wages lost from work would be great. And in my case if I get my money back would be repaid in full :)

I can assure you my time would be spent standing outside their offices until I get seen and not drinking espresso by the Seine. :)

Seriously though, I think for the cost involved it can only be a good idea to get a bit of info.



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: DobZombie on April 04, 2013, 02:51:56 PM
I understand that instawallet was a piece of shit and needed to close but...

What the fork has that got to do with bitcoin-central?!?

I just put some BTCBTCBTC in there.

I go to the bitcoin-central page and it now says INSTAWALLET at the top of it.

This stinks of bullshit

Guys, just try to stay calm and read the whole thread before posting and blaming.

The safest conclusion so far is that indeed bitcoin-central and instawallet suffered from a hacker's attack and they are working towards a solution....and this takes time. We are not dealing with a multi-national company or bank which can restore their systems in a few hours. So be patient.



I did read the whole thread.  I've been following it post by post for the last few days.

I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owner's other business was badly designed.

see my issue now?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 04, 2013, 02:59:30 PM
I understand that instawallet was a piece of shit and needed to close but...

What the fork has that got to do with bitcoin-central?!?

I just put some BTCBTCBTC in there.

I go to the bitcoin-central page and it now says INSTAWALLET at the top of it.

This stinks of bullshit

Guys, just try to stay calm and read the whole thread before posting and blaming.

The safest conclusion so far is that indeed bitcoin-central and instawallet suffered from a hacker's attack and they are working towards a solution....and this takes time. We are not dealing with a multi-national company or bank which can restore their systems in a few hours. So be patient.



I did read the whole thread.  I've been following it post by post for the last few days.

I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owner's other business was badly designed.

see my issue now?

What makes you say that "I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owner's other business was badly designed."?

Your account balances (EUR, USD, GBP and BTC) were not affected by the service interruption.

This is the latest update in bitcoin-central


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 04, 2013, 03:00:25 PM
I wonder if going to Paris and trying to visit their office would be any use.

I live in the south of the UK and a trip on the Eurostar would be about 1.5 btc at the moment. If there are any other bitcointalk members who have lost maybe we could make a trip of it and see what we can find out.

Any donations from other members further afield to cover costs/wages lost from work would be great. And in my case if I get my money back would be repaid in full :)

I can assure you my time would be spent standing outside their offices until I get seen and not drinking espresso by the Seine. :)

Seriously though, I think for the cost involved it can only be a good idea to get a bit of info.



Are you sure you know where their offices are?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 04, 2013, 03:05:23 PM
I wonder if going to Paris and trying to visit their office would be any use.

I live in the south of the UK and a trip on the Eurostar would be about 1.5 btc at the moment. If there are any other bitcointalk members who have lost maybe we could make a trip of it and see what we can find out.

Any donations from other members further afield to cover costs/wages lost from work would be great. And in my case if I get my money back would be repaid in full :)

I can assure you my time would be spent standing outside their offices until I get seen and not drinking espresso by the Seine. :)

Seriously though, I think for the cost involved it can only be a good idea to get a bit of info.



Are you sure you know where their offices are?

No. But the phone number above got through to Davout and as mentioned before the board members seem credible. Got to be worth a few hundred quid to find out.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: splat44 on April 04, 2013, 03:17:21 PM
Here the latest:

In next few days account refund process will begin as explained below:

- Will accept refunds in the first 90 days, be sure you have your wallet url and key
- Accounts having less than 50 BTC will be refunded
- Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis.

Above came from: https://www.instawallet.org/



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: d5000 on April 04, 2013, 03:40:30 PM

I did read the whole thread.  I've been following it post by post for the last few days.

I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owner's other business was badly designed.

see my issue now?

Yes, in the last hours http://bitcoin-central.net sometimes showed the "Instawallet" message. Now they have changed it to the correct message (for the services Paytunia and Bitcoin-Central).


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: greyhawk on April 04, 2013, 04:05:37 PM


Are you sure you know where their offices are?

No.

Bad neighborhood. Better take some resilient people along.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 04, 2013, 04:17:30 PM


Are you sure you know where their offices are?

No.

Bad neighborhood. Better take some resilient people along.

Lol. No problem. I speak French.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: DobZombie on April 04, 2013, 04:36:02 PM
I did read the whole thread.  I've been following it post by post for the last few days.

I'm just pissed off that the bitcoins I put in bitcoin-central are going to take 90+ days to get back to me because the owner's other business was badly designed.

see my issue now?

Your account balances (EUR, USD, GBP and BTC) were not affected by the service interruption.

This is the latest update in bitcoin-central

It did say the same thing on bitcoin-central as it did on Instawallet web site.  At the time of posting what I said was correct. This has now been changed.


Yes, in the last hours http://bitcoin-central.net sometimes showed the "Instawallet" message. Now they have changed it to the correct message (for the services Paytunia and Bitcoin-Central).


I'm a little less worried now


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: greyhawk on April 04, 2013, 04:43:36 PM
No problem. I speak French.

So you do. But do you also speak Darija?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: tvbcof on April 04, 2013, 04:55:33 PM
No problem. I speak French.

So you do. But do you also speak Darija?

This is what I learned about France in school (with google translation.)  Typical American education.

  There is a country called France
    where the women don't wear pants
  And the men walk around
    with their ding-dongs hanging out.

Translated back, it loses some of its rhyme.  It came with a catchy little tune which is probably why I remembered it.  Maybe it was subtly planted by French infiltrators to provoke future tourism?



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Boussac on April 04, 2013, 05:03:36 PM
If you are the owner of an instawallet balance, check out this topic I just opened:
Instawallet claim process (https://bitcointalk.org/index.php?topic=167215.0)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 04, 2013, 06:23:48 PM
But is there any news on Bitcoin Central yet? You mentioned 48 hours, then another 48 hours and a 24 hour announcement. Seeing as there has been no such announcement yet, the second 48 hours is going to be crossed as well..

Please focus on communications a bit more. It's quite frustrating to see only so few updates, especially when instawallet is under such pressure.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 05, 2013, 09:25:00 AM
I just got someone to answer on this number

Administrative Contact:
  W3BFLOWS SARL
  FRANCOIS Michel
  34 rue Charles Chefson
  Bois Colombes, 92270
  FR
  +33.672332684
  650cpyijxhkip452kqfs@l.o-w-o.info

His name wasn't Michel Francois. He said he worked on a project with a friend of a friend. He sounded like he knew David Francois (the number someone (Hous?) spoke to Davout on) and that Michel is his father?

He seemed to find the whole thing amusing that I had his number and knew about the hack in general. Seemed genuine but strange his number is listed.

 ???


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: HATA28 on April 05, 2013, 04:15:03 PM
The whole thing with bitcoin-central and paytunia is taking too long.
They better bring them back online ASAP, they've got 40 minutes to bring bitcoin-central back online before the 48-hour deadline is reached (again).


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 05, 2013, 05:35:11 PM
The whole thing with bitcoin-central and paytunia is taking too long.
They better bring them back online ASAP, they've got 40 minutes to bring bitcoin-central back online before the 48-hour deadline is reached (again).

They just broke this deadline (again). I'm really looking forward to their update now.. it better be good  :-\


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: HATA28 on April 05, 2013, 05:50:46 PM
The whole thing with bitcoin-central and paytunia is taking too long.
They better bring them back online ASAP, they've got 40 minutes to bring bitcoin-central back online before the 48-hour deadline is reached (again).

They just broke this deadline (again). I'm really looking forward to their update now.. it better be good  :-\
There was an announcement, but btc-central is still not online unfortunately..
https://bitcointalk.org/index.php?topic=168072.0


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 05, 2013, 05:55:54 PM
All the legal information about the company is here (http://www.societe.com/societe/paymium-533264800.html).
For a few euros you can also get the list of the shareholders.
The corporate headquarter is in Boulogne. It's in the suburbs of Paris, you can go there with the metro. The offices are probably at the same place but the datacenter (and davout) might be anywhere in or around Paris.


Thanks, bud. I feel better now knowing that IW has been found and the police are guarding it as exhibit A.

http://farm9.staticflickr.com/8535/8621667579_230a7be7c2.jpg
(As they say in the trade, this photo is unretouched.)

Sometimes, you just can't make this SHIT up.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: willphase on April 05, 2013, 07:07:04 PM
FYI some coins in an old instawallet I had from a while back have been moved to a new address as of this morning:

https://blockchain.info/tx/4da598abb6e6b92dc3fb68b095d4aac74eae8c7ac1bba57769772c07173b7673

Will


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 05, 2013, 09:06:50 PM
FYI some coins in an old instawallet I had from a while back have been moved to a new address as of this morning:

https://blockchain.info/tx/4da598abb6e6b92dc3fb68b095d4aac74eae8c7ac1bba57769772c07173b7673

Will

That seems a bit strange if everything is locked down?

This must be instawallet moving it around surely?



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: willphase on April 05, 2013, 09:08:49 PM
That seems a bit strange if everything is locked down?

This must be instawallet moving it around surely?

Yes - I am not alarmed, they are probably just sweeping the smaller balances into a wallet so they can set up for making payments out to people within the next few days.

Will


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 05, 2013, 09:15:27 PM
Ok, I have now seen something that i am worried about.

I have checked the address of the coins that I moved from Instawallet just before the site went offline and it is saying that the date of the transfer of the coins out was less than 12 hours after the coins were originally deposited more than 6 months ago. (I do not want to say when that was as I may need to prove identity later.)

Is this just the way instawallet worked and the transfer of the coins was to the hot wallet?

???


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 05, 2013, 09:22:03 PM
Still have to wait for the claim form and then wait 90 days and then wait for the refund. That's around the end of July!!!! Wonder if my singles from BFL will come before my refund?? Better still, wonder if any of it gets to me?? ::)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: panoss on April 05, 2013, 09:34:39 PM
I think Vircurex is down....lol
this is surreal!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: ninjaboon on April 05, 2013, 11:02:18 PM
I think Vircurex is down....lol
this is surreal!

Vircurex has some tweets, they are moving to a bigger server due to DDOS.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 05, 2013, 11:49:31 PM
There is an update from Bitcoin-Central on their site


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 06, 2013, 12:10:03 AM
Where is this claim form then??? ???


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 06, 2013, 12:42:50 AM
Read:
Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: tvbcof on April 06, 2013, 01:02:22 AM
Read:
Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?

Also stated are that the first claim gets priority.

This bothers me because an attacker who has the entire database, and possibly the server log records showing IP addresses as well if they were being retained, will probably be paying pretty close attention to the availability of the claims form.  He and likely an army of friends will swoop in to claim the high value accounts.

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever.



Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: coinuser4000 on April 06, 2013, 01:13:49 AM
Read:
Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?

Also stated are that the first claim gets priority.

This bothers me because an attacker who has the entire database, and possibly the server log records showing IP addresses as well if they were being retained, will probably be paying pretty close attention to the availability of the claims form.  He and likely an army of friends will swoop in to claim the high value accounts.

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever.



I've been wondering this exact thing for the last few days.

And how can those people who use Tor to access wallets prove ownership outside of having the url? What if someone gets there before the real owner and claims the coins? How do you dispute that?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: moni3z on April 06, 2013, 02:22:57 AM
Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever.

I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info
Glad I only had 0.015 BTC lost there


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: tvbcof on April 06, 2013, 02:52:40 AM
Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever.

I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info
Glad I only had 0.015 BTC lost there


In my opinion, a straight URL like this is not much different than a username/password scheme.  Possibly better in some ways as one is unlikely to type it in and get hit with a keystroke logger, use crappy passwords, re-use passwords and get nicked that way, etc, etc.

Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off.  For a lot of things and not just URL-secured access.

On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

One very nice feature of Instawallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

A private key for a user who had their act together enough to keep a hold of it for situations like the one we are now facing would be kind of a good idea.  20/20 hindsight I guess.  Maybe for the next go-around.  And I would go right back to using something like Instawallet-II if Paytunia or some other trustworthy entity brings it up...and goes into a little detail about the precautions they took in implementation.

edit: spelling


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 06, 2013, 03:39:11 AM
Each time I moved my second largest wallet of 123.xxxx (or was it 132.xxxx (seriously)), the wallet would always show that I had 0 bitcoins on BlockChain. When I first encountered this, I paid it no mind, for the URL page always showed that I still had the coins in the wallet and was able to transfer them, saving only the URL and not the Bitcoin address.

But a couple weeks or so ago, something else happened I couldn't explain, nor now remember what the heck it was, and soon thereafter I happened upon the concerned thread discussing IW of which I added my concerns. I tried to be as tough as possible with my line of questioning, not wanting to come across as an ass, for I truly liked IW, coupled with having every coin I owned in their control.

The responses made enough sense to me, so I put my worries to the side and moved on. I hadn't a clue that they were down for good until a couple days into this mess.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 06, 2013, 07:07:00 AM
Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off.  For a lot of things and not just URL-secured access.
Or, you know, Google Chrome.


On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

I agree with you on this point - assuming the hacker was not able to actually access the source code of the process running Instawallet (and I'd assume they'd use compiled source for decrypting), encrypting the URLs would have helped. From what we've read so far, it seems as though a single database table just listed all the URLs..

One very nice feature of Instawallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: tvbcof on April 06, 2013, 07:40:01 AM
...
On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

I agree with you on this point - assuming the hacker was not able to actually access the source code of the process running Instawallet (and I'd assume they'd use compiled source for decrypting), encrypting the URLs would have helped. From what we've read so far, it seems as though a single database table just listed all the URLs..

I'd probably implement it as something that an operator typed in when the process was instantiated (only on server re-boot.)  And disable core dumps.  I think that I would also have an off-wire method ready to go such that I could quickly re-construct the database with a different key if I felt there was a loss of custody of the original, and it would probably be part of a backup regime which stored the database cold in decrypted format.  That's just the off-the-top-of-my-head thoughts on how to deal with the issues.  There are probably database implementations which have support for this kind of thing natively I would suspect.

One very nice feature of Instawallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.

I've introduced people to Bitcoin who were far from technically skilled and usually start out by showing them Instawallet, giving them a few coins, and having them e-mail the URL to themselves.  Also a stern warning about it being a solution only for chump-change and that more secure ones exist and work like x and y.

It is also the case that almost everyone I know (including myself) have lost track of usernames and passwords, and generally hate having to keep track of them and type them in and such.  Since I need to keep track of scores of them (literally) I have my own techniques which vary depending on the sensitivity.  But it's always a pain in the ass.  It's really easy to search my mail for my instawallet link and click on it to get to the thing, and it works on any of my zillion computers.

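The back-end design tvbcof sketches in the two posts above (treat the URL token like a password; keep the key in process memory, entered by an operator at start-up; never let the database alone be enough) can be compared directly against the plaintext table the thread suspects Instawallet used. The following is an added example written for this thread, not Instawallet's or Paymium's code; the store classes, token format, addresses and balances are all constructed.

```python
"""Two back-end designs for a wallet that is accessed by a secret URL token.

Constructed example: a plaintext token table (what this thread suspects was
in place) beside a keyed-hash table whose key lives only in the daemon's
memory, then a check of what a copied database gives an attacker in each case.
"""
import hashlib
import hmac
import secrets


class PlaintextWalletStore:
    """The suspected design: a table that lists every secret URL token."""

    def __init__(self):
        self.rows = {}  # token -> (address, balance)

    def create(self, address, balance):
        token = secrets.token_urlsafe(24)  # the secret part of the wallet URL
        self.rows[token] = (address, balance)
        return token

    def lookup(self, token):
        return self.rows.get(token)

    def dump(self):
        # A dump of this table contains the tokens themselves.
        return dict(self.rows)


class KeyedHashWalletStore:
    """Store only HMAC(pepper, token); the pepper never touches the database."""

    def __init__(self, pepper):
        # In production the pepper is entered by an operator when the process
        # starts (as tvbcof suggests) and is held only in the daemon's memory.
        self._pepper = pepper
        self.rows = {}  # digest -> (address, balance)

    def _index(self, token):
        return hmac.new(self._pepper, token.encode(), hashlib.sha256).hexdigest()

    def create(self, address, balance):
        token = secrets.token_urlsafe(24)
        self.rows[self._index(token)] = (address, balance)
        return token

    def lookup(self, token):
        # Same URL token, same pepper, same digest: the legitimate user still
        # gets in with nothing but the link.
        return self.rows.get(self._index(token))

    def dump(self):
        # The dump holds digests only. Without the pepper they cannot be
        # recomputed, and a 192-bit random token cannot be guessed either.
        return dict(self.rows)


def wallets_opened_from_dump(store, dump):
    """Attacker model from the thread: the database was copied, the running
    process was not. Count dump entries that authenticate when presented to
    the service as if they were URL tokens."""
    return sum(1 for key in dump if store.lookup(key) is not None)


def demo():
    """Populate both stores with the same constructed wallets and return
    (wallets opened from the plaintext dump, wallets opened from the hashed dump)."""
    wallets = [("1ConstructedAddressA", 1.9), ("1ConstructedAddressB", 123.0)]

    plain = PlaintextWalletStore()
    for address, balance in wallets:
        plain.create(address, balance)

    pepper = secrets.token_bytes(32)  # constructed; operator-supplied in practice
    hashed = KeyedHashWalletStore(pepper)
    tokens = [hashed.create(address, balance) for address, balance in wallets]

    # Normal use is unaffected: every real URL token still resolves.
    if not all(hashed.lookup(t) is not None for t in tokens):
        raise RuntimeError("keyed-hash lookup failed for a legitimate token")

    return (wallets_opened_from_dump(plain, plain.dump()),
            wallets_opened_from_dump(hashed, hashed.dump()))


if __name__ == "__main__":
    opened_plain, opened_hashed = demo()
    print(f"plaintext store:  {opened_plain} of 2 wallets opened from the dump")
    print(f"keyed-hash store: {opened_hashed} of 2 wallets opened from the dump")
```

The trade-off tvbcof also raises is visible here: because only digests are stored, re-keying after a suspected loss of custody requires each user to present their URL again, which is exactly what a claims process does.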


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 06, 2013, 08:02:14 AM
Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.

I've introduced people to Bitcoin who were far from technically skilled and usually start out by showing them Instawallet, giving them a few coins, and having them e-mail the URL to themselves.  Also a stern warning about it being a solution only for chump-change and that more secure ones exist and work like x and y.

As long as they're aware of the fact that it's rather unsafe, I guess you're right and it provides for a very convenient way of accessing your funds. Judging by the accounts with over 50 BTC on them, though, this awareness wasn't as widespread.

It is also the case that almost everyone I know (including myself) has lost track of usernames and passwords, and generally hates having to keep track of them and type them in and such.  Since I need to keep track of scores of them (literally) I have my own techniques which vary depending on the sensitivity.  But it's always a pain in the ass.  It's really easy to search my mail for my instawallet link and click on it to get to the thing, and it works on any of my zillion computers.

At the risk of venturing off-topic: a while ago I was pointed to PwdHash (https://www.pwdhash.com/), and have liked it ever since. It creates unique passwords per site by hashing your master password with the website's domain as a salt :) Especially convenient for services you only access on your own machine(s), so that you can use the Firefox addon - I do still have a few unique passphrases I use for stuff like my e-mail, since it's convenient to be able to access that from other systems.
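The per-site derivation described above, as an added Python illustration that is not PwdHash's own code (PwdHash uses its own construction): the master password is salted with the site's domain, and the output is shaped to satisfy common password policies. The names derive_password and site_key, the key-stretching step and its iteration count are constructed for this example.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Constructed parameters for this illustration (not PwdHash's values).
STRETCH_ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits + "-_"  # 64 symbols, so byte % 64 is unbiased


def site_key(url: str) -> str:
    """Reduce a URL (or bare host) to the per-site salt.

    Lower-casing and dropping a leading "www." makes the login page and the
    bare domain derive the same password, which is what a user needs.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_password(master: str, url: str, length: int = 16) -> str:
    """Derive a site-specific password from one master password.

    Caveat before adopting such a scheme: a site that stores the derived
    password in the clear hands an attacker a hash of the master under a
    public scheme, so the master must be strong; the stretching step here
    (an addition, not part of the scheme in the post) only raises the cost
    of guessing it.
    """
    domain = site_key(url)
    if not domain:
        raise ValueError("could not extract a host from %r" % url)
    # Salt the master password with the domain, stretched to be deliberately slow.
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), domain.encode("utf-8"), STRETCH_ITERATIONS
    )
    # Bind the output to the domain again and expand to bytes for the password.
    digest = hmac.new(stretched, domain.encode("utf-8"), hashlib.sha256).digest()
    if not 3 <= length <= len(digest) - 4:
        raise ValueError("length must be between 3 and %d" % (len(digest) - 4))
    chars = [ALPHABET[b % len(ALPHABET)] for b in digest[:length]]
    # Deterministically place one lower-case letter, one upper-case letter and
    # one digit at three distinct positions so common site policies are met.
    base = digest[length] % length
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    for i, charset in enumerate(classes):
        chars[(base + i) % length] = charset[digest[length + 1 + i] % len(charset)]
    return "".join(chars)
```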


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: moni3z on April 06, 2013, 09:19:27 AM
I don't trust any browser kept passwords, browsers are not nor have they ever been remotely secure. They are gigantic blobs of code to leak data everywhere and are a 0day exploit factory. I like the hash idea but it's a browser addon thus only secure for minor sites, anything else should be 2FA

http://www.schneier.com/passsafe.html by Bruce Schneier is good, plus works with Yubikeys


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Joost on April 06, 2013, 10:25:39 AM
I like the hash idea but it's a browser addon thus only secure for minor sites, anything else should be 2FA

I don't see how the fact that it's a browser addon reduces its security. It does not store your 'seed' password, you type that in each time. What makes it insecure?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: psilos on April 08, 2013, 09:20:41 AM
What's wrong again with bitcoin-central???

The platform was running for a while but now it's again down for maintenance.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: HATA28 on April 08, 2013, 09:33:31 AM
What's wrong again with bitcoin-central???

The platform was running for a while but now it's again down for maintenance.
Actually, it's online and you can trade again :)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: addi on April 08, 2013, 10:21:04 AM
What's wrong again with bitcoin-central???

The platform was running for a while but now it's again down for maintenance.
Actually, it's online and you can trade again :)

Incorrect, no trades are going through atm


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Raoul Duke on April 08, 2013, 11:54:09 AM
No trades and no withdrawals.
I have SEPA transfers and BTC withdrawals pending, the SEPA transfers are still from before it going down.
Davout likes to shout that Mtgox works fractional reserve style on their euro accounts but bitcoin-central doesn't look much better to me. ;D


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: nurbili on April 08, 2013, 01:00:16 PM
I also have an incoming SEPA transfer from 25.03.2013 pending... no reaction on tickets and PMs. :(


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: 1PFYcabWEwZFm2Ez5LGTx3ftz on April 08, 2013, 04:09:34 PM
"BTC withdraws will be processed manually for the next couple of days until we switch back to immediate automatic withdraws.
This temporary restriction is meant to allow careful monitoring of our operations in the initial phase of the recovery."


This looks way too much like Cyprus situation. Oh, the irony.

Why oh why on Earth would you do this? Why open the website for trade, but not allow people to withdraw? Even if you are sincere about "is meant to allow careful monitoring of our operations", don't you see how messed up this looks to your users?

I didn't lose my trust when you were hacked, I didn't lose my trust when you were offline for a week, I didn't lose my trust when the deadline for re-opening the website was extended several times, but NOW I lost any trust I had in you. I am withdrawing everything I have (assuming that will be possible at all; my bitcoin withdrawal is "pending" for ~36 hours now), and never using your website again.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Spaceman_Spiff on April 08, 2013, 05:54:56 PM
I can trade just fine.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: 1PFYcabWEwZFm2Ez5LGTx3ftz on April 08, 2013, 06:03:08 PM
I can trade just fine.
Yes, but you can't withdraw.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: 1PFYcabWEwZFm2Ez5LGTx3ftz on April 09, 2013, 12:35:31 PM
UPDATE:
My withdrawal finally got completed (after more than 48 hours), but now bitcoin-central is down again.
I still had some funds there which I was not yet able to withdraw.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: davebodger on April 09, 2013, 01:47:52 PM
Bitcoin-Central still down as of now (for me at least).
Anyone heard an explanation for this downtime yet?


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: jonytk on April 09, 2013, 03:22:37 PM
Bitcoin-Central still down as of now (for me at least).
Anyone heard an explanation for this downtime yet?


It's down for me now.... :(

GRRR first it has the highest prices, 2nd no mtgox vouchers or similar to add funds/withdraw funds, wake up btc-c, hire more people! you are losing money in volume!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: glub0x on April 09, 2013, 03:34:36 PM
Starting to freak/piss me off. I have a non-trivial amount of euro there because of their "we are insured" thing, but it looks like nothing is working properly.
No answer on the help desk for 2 weeks now (yeah, 1 week crash, I know, but still).
SEPA withdrawal also blocked for 2 weeks.

Continuous crash.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: scarce on April 09, 2013, 04:30:47 PM
I believe they are doing what they can. They are under DDoS now; you can obtain an alternative link to the site if you are verified. All info from https://twitter.com/Bitcoin_Central


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: drb on April 09, 2013, 04:45:11 PM
Thanks for the info! Pretty sad situation, both btc24 and bc appear to be under attack ...


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 11, 2013, 07:56:24 PM
New Instawallet Notice:
Quote
Instawallet is closed
Visit your wallet's URL to file a claim.

Submit your claim now: claims will be processed in the order they were received. Multiple claims for a same wallet will require more time to process.

The claim process started April 11, 2013 at 10PM CEST.

I visited a few of my Instawallet URLs, but there was still a 404 error?
IDK.
EDIT: Now, when I visit the main Instawallet site, it's an infinite load loop?
:P


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 11, 2013, 08:44:06 PM
New Instawallet Notice:
Quote
Instawallet is closed
Visit your wallet's URL to file a claim.

Submit your claim now: claims will be processed in the order they were received. Multiple claims for a same wallet will require more time to process.

The claim process started April 11, 2013 at 10PM CEST.

I visited a few of my Instawallet URLs, but there was still a 404 error?
IDK.
EDIT: Now, when I visit the main Instawallet site, it's an infinite load loop?
:P

Great! I just checked all three of my IW URLs, and each is showing 0 BTC residing in wallets of which addresses weren't supplied. Upon refreshing one of the pages, I'm once again greeted with the static home page, indicative of doing the same for the other two.

Madness!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: pyedpyper on April 11, 2013, 08:46:07 PM
New Instawallet Notice:
Quote
Instawallet is closed
Visit your wallet's URL to file a claim.

Submit your claim now: claims will be processed in the order they were received. Multiple claims for a same wallet will require more time to process.

The claim process started April 11, 2013 at 10PM CEST.

I visited a few of my Instawallet URLs, but there was still a 404 error?
IDK.
EDIT: Now, when I visit the main Instawallet site, it's an infinite load loop?
:P

Same here, 404 error on all 5 of my wallet addresses.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 11, 2013, 08:49:21 PM
New Instawallet Notice:
Quote
Instawallet is closed
Visit your wallet's URL to file a claim.

Submit your claim now: claims will be processed in the order they were received. Multiple claims for a same wallet will require more time to process.

The claim process started April 11, 2013 at 10PM CEST.

I visited a few of my Instawallet URLs, but there was still a 404 error?
IDK.
EDIT: Now, when I visit the main Instawallet site, it's an infinite load loop?
:P

Same here, 404 error on all 5 of my wallet addresses.


You guys are so lucky! I don't even get a 404 error, just the endless fruit-loop (actually stops at the static page, but that wouldn't have worked as humor).


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 11, 2013, 09:16:43 PM
New Instawallet Notice:
Quote
Instawallet is closed
Visit your wallet's URL to file a claim.

Submit your claim now: claims will be processed in the order they were received. Multiple claims for a same wallet will require more time to process.

The claim process started April 11, 2013 at 10PM CEST.

I visited a few of my Instawallet URLs, but there was still a 404 error?
IDK.
EDIT: Now, when I visit the main Instawallet site, it's an infinite load loop?
:P

Same here, 404 error on all 5 of my wallet addresses.


You guys are so lucky! I don't even get a 404 error, just the endless fruit-loop (actually stops at the static page, but that wouldn't have worked as humor).

For my wallet URLs, I get the 404 error, but for the main site, I get the endless fruit-loop :D


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 11, 2013, 09:20:11 PM
No apologies for the cross-post:

What the fuck is this?: https://www.instawallet.org/ (very top)

Quote
<html>
<head>
  <title>Instawallet</title>
  <!-- RIP 2011 - 2013 -->
  <!-- You had your time when coins weren't so precious. -->
Damn. That doesn't look good.

EDIT: Correct URL and adding an image: view-source:https://www.instawallet.org/

http://farm9.staticflickr.com/8241/8640417063_b337e3d854_b.jpg

You had your time when coins weren't so precious.

Goodbye, bitcoins. I tried to protect you. Enjoy your new life in Pattaya.

http://travelony.files.wordpress.com/2009/04/pattaya-100.jpg


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 11, 2013, 09:27:53 PM
WTF
Look at instawallet.org's source code now:
Code:
<!DOCTYPE html>
<html>
  <head>
    <title>Instawallet</title>
    <meta http-equiv="refresh" content="0;URL=https://www.instawallet.org/" />
  </head>
  <body>
  </body>
</html>

It was made PURPOSELY to keep refreshing the site.
WTF.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Injust on April 12, 2013, 11:26:28 AM
Okay, Instawallet website has been back up for a while.
The wallet URLs also work now. File your claims!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: hous on April 13, 2013, 03:56:06 PM
No apologies for the cross-post:

What the fuck is this?: https://www.instawallet.org/ (very top)

Quote
<html>
<head>
  <title>Instawallet</title>
  <!-- RIP 2011 - 2013 -->
  <!-- You had your time when coins weren't so precious. -->
Damn. That doesn't look good.

EDIT: Correct URL and adding an image: view-source:https://www.instawallet.org/

http://farm9.staticflickr.com/8241/8640417063_b337e3d854_b.jpg

You had your time when coins weren't so precious.

Goodbye, bitcoins. I tried to protect you. Enjoy your new life in Pattaya.

http://travelony.files.wordpress.com/2009/04/pattaya-100.jpg



I love that place.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: jonytk on April 14, 2013, 03:49:25 AM
Oh boy, is this for real? I mean, posts like this can really damage the confidence of the people.

I sincerely hope they are upgrading their security and hiring more people.

Just look at what happened with bitcoin-24; it's really bad news, especially for the ones that bought bitcoin at 180€.

I guess I will withdraw my 2 coins to a cold wallet and come back in a few years.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: steelboy on April 15, 2013, 08:19:26 AM
Any news on how many claims are coming in Boussac?

Also, have you got the details of the crime reported with BEFTI? I need to pass the info to my insurance provider.

Thanks


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: pyedpyper on April 15, 2013, 07:05:14 PM
I have started a new thread https://bitcointalk.org/index.php?topic=177317.0 about Boussac's refusal to provide the police report reference number.

I invite anyone who shares my point of view to provide comment there.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: tremtie on April 17, 2013, 07:21:39 PM
What the fuck is this?: https://www.instawallet.org/ (very top)

Quote
<html>
<head>
  <title>Instawallet</title>
  <!-- RIP 2011 - 2013 -->
  <!-- You had your time when coins weren't so precious. -->


Could simply mean that weak security was good enough when btc weren't so expensive, but now the instawallet model won't work. Trying to put a positive spin on this ... I'd hate to believe paymium is intentionally swindling people. If they were, there would be hell to pay.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: pyedpyper on April 17, 2013, 07:34:01 PM
Any news on how many claims are coming in Boussac?

Also, have you got the details of the crime reported with BEFTI? I need to pass the info to my insurance provider.

Thanks

A reasonable request methinks...

Still refusing to answer, Boussac? :)


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 17, 2013, 09:39:50 PM
Any news on how many claims are coming in Boussac?

Also, have you got the details of the crime reported with BEFTI? I need to pass the info to my insurance provider.

Thanks

A reasonable request methinks...

Still refusing to answer, Boussac? :)

Sure it's reasonable, hence Boussac putting him on his ignore list after he posted such a kind request. In his mind, it's fuck you and your insurance computer, for I got mine after all this time providing a free service to all you dumb fucks.

Here's a question: Does that mean that all the other principals are also ignoring this very important issue? Nary a one has come to our rescue. Sure the hell says a lot about them, don't you think? Time to hunt down their accounts and see if they too have gone dark just like davout.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 17, 2013, 11:36:04 PM
This is Boussac's response when you ask for a police report number:

Unignore

I see how the game is played now: Hack your own sites, claim money was stolen, claim to fill out a police report, ignore all requests from those who entrusted you with their assets, then call them trolls for requesting a simple number to set them at ease.

You sir, are one sick mother fucker!

Couldn't agree more...

All ease aside, the one hint is the lack of a police report number (and possibly them being sick motherfuckers).

Ignore

http://www.e-ducat.fr/wp-content/uploads/2013/04/movieposterbruno-e1366238359313.jpg


Meanwhile, I will have to wait till after the 90 days that he has set before I even have a chance in hell to ever see my bitcoins again.

This guy is one sick motherfucker!


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: molecular on April 24, 2013, 07:49:59 PM
https://i.imgur.com/yZ0d16Fl.png (https://i.imgur.com/yZ0d16F.png)

goddamnit, again?!?

thread: https://bitcointalk.org/index.php?topic=186609.0


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Nicolai on April 24, 2013, 11:04:31 PM
"2 identical hacks in 2 days for #bitcoin services hosted at #OVH. @olesovhcom your manager will reset a password without e-mail confirmation"
https://twitter.com/Bitcoin_Central/status/327131323342942209

Looks like OVH is to blame >:(

And srsly, host critical websites on your own servers, don't trust OVH/Linode or anyone :(


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: DPoS on April 24, 2013, 11:09:24 PM
Glad I never heard of them until now.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: greyhawk on April 24, 2013, 11:20:19 PM
Glad I never heard of them until now.


They are only the biggest hosting company in the world.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: repentance on April 24, 2013, 11:21:03 PM
"2 identical hacks in 2 days for #bitcoin services hosted at #OVH. @olesovhcom your manager will reset a password without e-mail confirmation"
https://twitter.com/Bitcoin_Central/status/327131323342942209

Looks like OVH is to blame >:(

And srsly, host critical websites on your own servers, don't trust OVH/Linode or anyone :(

Nope, they chose their hosting service.  If they chose a hosting service which allows password resets without adequate verification, that's on them, not the hosting service.  It'd be interesting to know if there was a more secure option available to them with OVH and they simply chose not to use it (which has happened in the past with other intrusions - the services haven't paid for full database backup or haven't utilised all the security options available to them).


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Nicolai on April 24, 2013, 11:28:55 PM
^ If they had chosen a cheap, crappy provider, then I would agree, but AFAIK OVH isn't known for "being crappy" or for using insecure/outdated software on their systems.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: DPoS on April 24, 2013, 11:52:25 PM
Glad I never heard of them until now.


They are only the biggest hosting company in the world.

And thank God not the ONLY one.


Title: Re: Instawallet/Bitcoin-Central Security Breach
Post by: Phinnaeus Gage on April 25, 2013, 02:36:53 AM
http://www.webhostingtalk.com/showthread.php?t=1193737

Quote
Hosting won't keep you safe if the actual source code is vulnerable. The only way to protect is to see how the attacks happen. That is what we do when we work with clients. We check logs to see what really is going on. In this case it sounds like it is the code and not web hosting.