Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: fastandfurious on August 05, 2011, 04:39:03 AM



Title: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: fastandfurious on August 05, 2011, 04:39:03 AM
This is getting very ridiculous. Every site is getting hacked and the owners don't understand how it could happen, they have nothing to do with it. Right, who believes that. Not me.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: tysat on August 05, 2011, 04:44:33 AM
Please define "every site".  It's only been a small number.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: fastandfurious on August 05, 2011, 04:47:00 AM
Please define "every site".  It's only been a small number.

Important sites. True not all sites, and not all important sites. But in general, it seems to me that if you want to steal the funds, you just say that phrase and everyone accepts it, that's ridiculous.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: tysat on August 05, 2011, 04:51:00 AM
Please define "every site".  It's only been a small number.

Important sites. True not all sites, and not all important sites. But in general, it seems to me that if you want to steal the funds, you just say that phrase and everyone accepts it, that's ridiculous.

Please define "Important sites".  Besides Mt. Gox I don't know of any "hacking".


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: Tasty Champa on August 05, 2011, 04:54:47 AM
man, that is a killer title for a web comic.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: fastandfurious on August 05, 2011, 05:01:50 AM
Please define "every site".  It's only been a small number.

Important sites. True not all sites, and not all important sites. But in general, it seems to me that if you want to steal the funds, you just say that phrase and everyone accepts it, that's ridiculous.

Please define "Important sites".  Besides Mt. Gox I don't know of any "hacking".

The Polish exchange Bitomat and have a look at mybitcoin.com


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: repentance on August 05, 2011, 05:05:31 AM
The Polish exchange Bitomat and have a look at mybitcoin.com

Bitomat didn't get hacked.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: Kermee on August 05, 2011, 05:06:34 AM
The Polish exchange Bitomat and have a look at mybitcoin.com

Bitomat was due to pure, unadulterated incompetence, so they claim, and not hacking but there's no real proof.

MyBitcoin... I'm still out on the fence if it was truly hacked too.  It could be a cover story but who knows...

Cheers,
Kermee


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: tysat on August 05, 2011, 05:07:01 AM
The Polish exchange Bitomat and have a look at mybitcoin.com

Bitomat lost their wallet because of how the Amazon ECC works.

Mybitcoin probably wasn't hacked.  As it stands, I believe the current guess is that the service was a scam from the start with the owner selling off bitcoins as they came in.

Neither one was hacked, and two sites don't mean "every site" even if both had been hacked.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: fastandfurious on August 05, 2011, 05:11:47 AM
The Polish exchange Bitomat and have a look at mybitcoin.com

Bitomat lost their wallet because of how the Amazon ECC works.

Mybitcoin probably wasn't hacked.  As it stands, I believe the current guess is that the service was a scam from the start with the owner selling off bitcoins as they came in.

Neither one was hacked, and two sites don't mean "every site" even if both had been hacked.

Forget the word hack, that isn't the main point, the main point is that the owners try to steal the coins and funds and blame it on ridiculous things.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: Smalleyster on August 05, 2011, 05:17:26 AM
The Polish exchange Bitomat and have a look at mybitcoin.com

Bitomat lost their wallet because of how the Amazon ECC works.

Mybitcoin probably wasn't hacked.  As it stands, I believe the current guess is that the service was a scam from the start with the owner selling off bitcoins as they came in.

Neither one was hacked, and two sites don't mean "every site" even if both had been hacked.

+1


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: markm on August 05, 2011, 05:22:01 AM
Ah, great, this looks like a nice thread to hijack instead of starting a whole thread just about the implementation of my own exchanges (which currently is by means of "eggdrop" IRC bots and a perl bot for the Crossfire RPG game).

Is there, in fact, any reasonable alternative to simply coming right out and telling you from the get-go that my exchanges are, of course, going to get hacked, and that that, in fact, is part of why I have implemented them in a do it oneself from home manner?

A kind of "standard open source response", as it were: "hey, if you think my {bots|exchanges} might get hacked, run your own fergoshsakes, heck, gimme the patches if you want even!"

???

-MarkM- (Operator of, for example, "NickelBot", which haunts various Freenode #bitcoin* IRC channels...)




Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: tysat on August 05, 2011, 05:45:28 AM
Ah, great, this looks like a nice thread to hijack instead of starting a whole thread just about the implementation of my own exchanges (which currently is by means of "eggdrop" IRC bots and a perl bot for the Crossfire RPG game).

Is there, in fact, any reasonable alternative to simply coming right out and telling you from the get-go that my exchanges are, of course, going to get hacked, and that that, in fact, is part of why I have implemented them in a do it oneself from home manner?

A kind of "standard open source response", as it were: "hey, if you think my {bots|exchanges} might get hacked, run your own fergoshsakes, heck, gimme the patches if you want even!"

???

-MarkM- (Operator of, for example, "NickelBot", which haunts various Freenode #bitcoin* IRC channels...)

What are you trying to do here?


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: geek-trader on August 05, 2011, 05:51:00 AM
Ah, great, this looks like a nice thread to hijack instead of starting a whole thread just about the implementation of my own exchanges (which currently is by means of "eggdrop" IRC bots and a perl bot for the Crossfire RPG game).

Is there, in fact, any reasonable alternative to simply coming right out and telling you from the get-go that my exchanges are, of course, going to get hacked, and that that, in fact, is part of why I have implemented them in a do it oneself from home manner?

A kind of "standard open source response", as it were: "hey, if you think my {bots|exchanges} might get hacked, run your own fergoshsakes, heck, gimme the patches if you want even!"

???

-MarkM- (Operator of, for example, "NickelBot", which haunts various Freenode #bitcoin* IRC channels...)

What are you trying to do here?

Both these asshats are trolling to undermine bitcoin.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: markm on August 05, 2011, 06:16:27 AM
Supposedly security was high in at least some cases of hacks.

How then can one prevent being hacked?

If even MyBitCoin, supposedly having most of its coins completely off the net, lost so many they have to go into receivership how the heck can anyone manage to do business?

I am very cautious about any kind of scaling up because so many that have attempted it have supposedly found even their best efforts at security are not secure enough.

I would hate to lose a large amount of someone else's bitcoins. Is there a way other than only operating on trivial scales to avoid it though?

An adult site operator posted in the past about the need in their industry for expensive software in order to process payments in niches prone to attack by hackers. Maybe she had a point? Or if not then at least maybe it would be useful to find out what high value target websites that have never successfully been hacked actually do that might be instrumental in their not having gotten hacked yet?

How many of the supposed "security solutions" various sites' marketing mentions are actually effective or are mostly more a marketing spiel than really useful security?

It will help a lot hopefully to find out exactly what measures were actually in place at MyBitcoin and how exactly they failed...

-MarkM-


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: Nagle on August 05, 2011, 06:22:03 AM
This is getting very ridiculous. Every site is getting hacked and the owners don't understand how it could happen, they have nothing to do with it. Right, who believes that. Not me.

The list:
  • Mt. Gox - claims to have been "hacked" and is still operating, but it's not clear if they actually have all the funds on deposit.
  • Bitomat - claims to have lost their data in Amazon's cloud, and went out of business without paying their debts.
  • Global Standard Bank - faked pictures of bank building, not registered with Canadian banking authorities. Site exchange rates no longer being updated.
  • Dwolla - began "reversing transactions" which were supposedly complete after some fraud against them.
  • MyBitcoin - claims to have been "hacked" and is going into "receivership", but isn't disclosing the name of the party going into receivership or in what jurisdiction.

The Bitcoin ecosystem is very, very flaky. And when these semi-anonymous outfits get in trouble, they disappear, rather than paying up.




Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: Bitcoin Swami on August 05, 2011, 06:24:41 AM
This is getting very ridiculous. Every site is getting hacked and the owners don't understand how it could happen, they have nothing to do with it. Right, who believes that. Not me.

The list:
  • Mt. Gox - claims to have been "hacked" and is still operating, but it's not clear if they actually have all the funds on deposit.
  • Bitomat - claims to have lost their data in Amazon's cloud, and went out of business without paying their debts.
  • Global Standard Bank - faked pictures of bank building, not registered with Canadian banking authorities. Site exchange rates no longer being updated.
  • Dwolla - began "reversing transactions" which were supposedly complete after some fraud against them.
  • MyBitcoin - claims to have been "hacked" and is going into "receivership", but isn't disclosing the name of the party going into receivership or in what jurisdiction.

The Bitcoin ecosystem is very, very flaky. And when these semi-anonymous outfits get in trouble, they disappear, rather than paying up.




According to bitcoin charts bitomat has been trading.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: tysat on August 05, 2011, 06:26:15 AM
The Bitcoin ecosystem is very, very flaky. And when these semi-anonymous outfits get in trouble, they disappear, rather than paying up.

The better way to put it would be that the bitcoin ecosystem is in its infancy.  Everything is still very new, there are legitimate operations coming up though, check out Ruxum.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: geek-trader on August 05, 2011, 06:31:34 AM
The list:
  • Mt. Gox - claims to have been "hacked" and is still operating, but it's not clear if they actually have all the funds on deposit.
  • Bitomat - claims to have lost their data in Amazon's cloud, and went out of business without paying their debts.
  • Global Standard Bank - faked pictures of bank building, not registered with Canadian banking authorities. Site exchange rates no longer being updated.
  • Dwolla - began "reversing transactions" which were supposedly complete after some fraud against them.
  • MyBitcoin - claims to have been "hacked" and is going into "receivership", but isn't disclosing the name of the party going into receivership or in what jurisdiction.

The Bitcoin ecosystem is very, very flaky. And when these semi-anonymous outfits get in trouble, they disappear, rather than paying up.

MtGox: No users lost any money, unless they claim their trades on fraudulent data were "theirs".  I disagree.  Besides the delays, MtGox handled that correctly.

Bitomat - total clusterfuck.  I agree.

Global Standard Bank - I have to pass, because I am not familiar with this one.  Did any users lose any money?

Dwolla:  No users lost any money.  Dispute between two businesses.  Happens all the time.

MyBitcoin: Total clusterfuck, and we'll see how much money gets lost.


Unless users lost money, I don't see how it applies.

Bitcoin is the Wild West, gold rush 1849.  The weak businesses are getting flushed out before our eyes.  What's left standing will be a stronger foundation to build on.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: repentance on August 05, 2011, 06:38:42 AM
Supposedly security was high in at least some cases of hacks.

How then can one prevent being hacked?

If even MyBitCoin, supposedly having most of its coins completely off the net, lost so many they have to go into receivership how the heck can anyone manage to do business?

I am very cautious about any kind of scaling up because so many that have attempted it have supposedly found even their best efforts at security are not secure enough.

I would hate to lose a large amount of someone else's bitcoins. Is there a way other than only operating on trivial scales to avoid it though?

An adult site operator posted in the past about the need in their industry for expensive software in order to process payments in niches prone to attack by hackers. Maybe she had a point? Or if not then at least maybe it would be useful to find out what high value target websites that have never successfully been hacked actually do that might be instrumental in their not having gotten hacked yet?

How many of the supposed "security solutions" various sites' marketing mentions are actually effective or are mostly more a marketing spiel than really useful security?

It will help a lot hopefully to find out exactly what measures were actually in place at MyBitcoin and how exactly they failed...

-MarkM-


Conventional financial institutions spend literally tens of millions of dollars on securing their systems and they still get intrusions - they try to minimise their losses but they can never eliminate them entirely.  People need to accept that the services which have grown up around Bitcoin don't have that same level of sophisticated security and that as those services grow and process more and more transactions, preventing and detecting intrusions is going to become more complex and cost more.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: markm on August 05, 2011, 07:37:58 AM
Conventional financial institutions spend literally tens of millions of dollars on securing their systems and they still get intrusions - they try to minimise their losses but they can never eliminate them entirely.  People need to accept that the services which have grown up around Bitcoin don't have that same level of sophisticated security and that as those services grow and process more and more transactions, preventing and detecting intrusions is going to become more complex and cost more.

And right about there/here is where I end up going back to check whether Open Transactions has yet gotten around to fixing its self-admitted problem of not using secure enough crypto/hash.

It looks to me more and more the case that until Open Transactions actually uses the level of crypto it claims to need for real use it would be crazy to attempt to go much farther than games and/or trivial amounts of bitcoin in developing open source financial software intended to handle huge amounts of money. Meanwhile tell the billionaires, millionaires, probably even those throwing around only a few hundred thousand - even in the aggregate, such as a very small number of customers each throwing around only a few thousands or tens of thousands - to please simply use bitcoin itself, directly, to do their trading person to person, "heck it *is* a person to person currency, y'know".

There (is? was?) a wild west element to the potential for a rags to riches story rich enough to put together enough capital to simply throw money at the problem(s), and maybe MtGox might even be such a story or close to such a story. Two more recent entries to the niche seem to at least be giving an appearance of being "old money" (maybe even so old that it predates the "early adopter windfall new-rich"? Not sure).

Have we learned enough yet that a project could be started with the goal of making a reference implementation "secure" exchange and/or trading and/or minting and/or banking site?

Maybe if devcoins take off it might become possible to throw money at getting Open Transactions to use the math it apparently believes it should be using, which I keep seeming to end up coming back to as about the only serious way forward that seems to be in reasonably plain sight...

-MarkM-


 


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: Nagle on August 05, 2011, 05:06:57 PM
Unless users lost money, I don't see how it applies.

(The above is from someone promoting pyramid schemes in their signature: "Random Pyramid - make BTC for life with 1 deposit", "Another Pyramid game", "Bitcoin Kamikaze is BACK!". So they need people to act like suckers, putting money into questionable operations. Assurances from such a source are questionable.)

In the past two months, most of the organizations which purport to be "financial institutions" for Bitcoins, taking deposits and holding money for others, have had serious problems. With the possible exception of Dwolla, none are in compliance with laws on money-transfer firms or financial institutions for the country in which they operate. Mt. Gox should be registered as a money-transfer service in Japan, and it isn't. Global Standard Bank should be registered as a bank in Quebec, and it isn't. MyBitcoin and Bitomat were fronts for someone acting anonymously. Liberty Reserve is in Costa Rica, and may or may not be legal there.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: TraderTimm on August 05, 2011, 06:21:22 PM
I think what we are learning here is "Buyer Beware", and doing your own due diligence. You don't do your homework, you'll fail. That goes for anything, really. It is no more detrimental to bitcoin than you losing a pile of cash out of your pocket as you step out of a cab. Things happen, and mistakes are made.

Don't trust new services blindly, take steps to secure your main savings wallet.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: Nagle on August 05, 2011, 06:49:11 PM
Don't trust new services blindly, take steps to secure your main savings wallet.

There aren't any Bitcoin services which come up to the reputability level and financial stability of a small-town bank. Every Bitcoin exchange is a startup with no money behind it. None of them are additional services of a real bank or brokerage.

Also, none of them guarantee a settlement date. In the real world, brokerages are required to pay up within N days of a transaction; the number of days ranges from 2 to 5 depending on what's being traded. Foreign exchange transactions normally settle within 2 days, stocks in 3 days. None of the Bitcoin exchanges commit to that, and routinely take longer. People are constantly complaining about exchanges not paying promptly.

The whole ecosystem is flaky. Too flaky for retailers. No major retailer could accept Bitcoins when they didn't know how long it would take to convert them to something they could pay their suppliers. 


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: the founder on August 05, 2011, 07:43:18 PM
You guys realize that this is just making life worse for everyone... everyone that owns bitcoins.

Prime example,  every time we feel we're confident enough to get out of invite and allow everyone to register an account...  we see that "mt.gox" was hacked,  or "mybitcoin was hacked" ...

Literally as of last night we were prepared to go live...  until this story broke out regarding mybitcoin,  made us question everything all over again... even though we did a million security checks...  we postponed the launch because we want to do another million... and add more security features like email authentication on transfers out of your account over a user specified amount.

I know it's not a bad thing, delaying launch in light of the mybitcoin story that broke out right before we were about to go live to everyone..

In a perfect world security wouldn't be needed...  but CLEARLY in the bitcoin world security is even more needed than banking...   we have clients that are banks...  trust me they don't go through this level of shit.


***  I'm hoping that mybitcoin was a hack and not an owner theft .. but the jury is out...



Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: 2112 on August 05, 2011, 11:24:19 PM
and Bitomat were fronts for someone acting anonymously.

The operator of Bitomat.pl was never anonymous. His home address, telephone and employer were always readily available. Only after the recent failure the WHOIS information became hidden to avoid constant interruptions at his residence (or his parents' residence).

This doesn't change the fact that he was an incompetent sysadmin.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: the founder on August 05, 2011, 11:29:06 PM
and Bitomat were fronts for someone acting anonymously.

The operator of Bitomat.pl was never anonymous. His home address, telephone and employer were always readily available. Only after the recent failure the WHOIS information became hidden to avoid constant interruptions at his residence (or his parents' residence).

This doesn't change the fact that he was an incompetent sysadmin.

though the result is the same,  there is a huge difference between leaving a door unlocked to your bank and someone stealing... or setting up a bank with the intention of stealing all your depositors' money.

the jury is out regarding mybitcoin,  hopefully it turns out that most people get most of their bitcoins back.



Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: 2112 on August 06, 2011, 12:58:07 AM
though the result is the same,  there is a huge difference between leaving a door unlocked to your bank and someone stealing... or setting up a bank with the intention of stealing all your depositors' money.

Your analogy is a nonsense. If you want to make a sensible comparison with paper money then talk about a bank which didn't have a fire protection system and all the deposited cash had burned after a lightning strike.


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: markm on August 06, 2011, 04:32:10 AM
It sounded more like a case of a teller asking how much you want to deposit, saying okay let me go write that down for you, meanwhile you go over to the withdrawals teller and withdraw, the first teller gets back from writing down your deposit and prepares to do confirmation number one: counting the actual money you deposited. Oh but wait... wait... wait... hmmm, you left, eh? So much for waiting for confirmation number one. I wonder if the teller then goes back to the ledger and un-writes-down the amount you deposited?

-MarkM-


Title: Re: Is this the new Bitcoin phrase: "Sorry we got hacked, your money is gone"
Post by: fellowtraveler on August 10, 2011, 04:01:42 AM
And right about there/here is where I end up going back to check whether Open Transactions has yet gotten around to fixing its self-admitted problem of not using secure enough crypto/hash.

It looks to me more and more the case that until Open Transactions actually uses the level of crypto it claims to need for real use it would be crazy to attempt to go much farther than games and/or trivial amounts of bitcoin in developing open source financial software intended to handle huge amounts of money. Meanwhile tell the billionaires, millionaires, probably even those throwing around only a few hundred thousand - even in the aggregate, such as a very small number of customers each throwing around only a few thousands or tens of thousands - to please simply use bitcoin itself, directly, to do their trading person to person, "heck it *is* a person to person currency, y'know".

There (is? was?) a wild west element to the potential for a rags to riches story rich enough to put together enough capital to simply throw money at the problem(s), and maybe MtGox might even be such a story or close to such a story. Two more recent entries to the niche seem to at least be giving an appearance of being "old money" (maybe even so old that it predates the "early adopter windfall new-rich"? Not sure).

Have we learned enough yet that a project could be started with the goal of making a reference implementation "secure" exchange and/or trading and/or minting and/or banking site?

Maybe if devcoins take off it might become possible to throw money at getting Open Transactions to use the math it apparently believes it should be using, which I keep seeming to end up coming back to as about the only serious way forward that seems to be in reasonably plain sight...

Hi guys!

I'm writing from the beautiful desert land of Sedona, AZ, where I'm on vacation for a few days.

I wanted to address this quote. FYI, Open-Transactions currently generates 1024-bit keys by default.  Ultimately I would prefer that it uses 4096-bit keys instead of 1024, but that is not a terribly difficult fix to make. As more software is released based on OT, and as entities move closer towards actual production use, the keysize will be increased. (In other words, I wouldn't look at this as a deal-breaker, but rather as one of a long series of security fixes that naturally occur in this sort of project as it nears production.)

Similarly, the (untraceable) digital cash currently uses Lucre, which uses Wagner's algorithm and incorporates the SHA-1 hash. SHA-1 has had weaknesses uncovered over the past few years, though I'm not sure of their implications towards Chaumian blinding. This is fine: the whole idea of OT is similar to PGP: that it's easy to swap in new algorithms as the old ones expire. So on OT, it's not difficult to make new subclasses of OTToken and OTMint that use new algorithms.

(FYI, I have already obtained the source code for 2 new cash algorithms--Chaum and Brands--so these will be available within OT at some point in the future. Again, this is the sort of easy change that will probably happen once OT starts nearing production use.)

-Fellow Traveler