Yeah I am leaving this pool because it's too unstable. I don't like logging in and every few hours the stats say my hashrate is zero or some other weird stuff is going on with the stats. It doesn't instill confidence that you are somehow still counting my contributions and just now reporting on it properly.

Seems like an even less profitable endeavor than simply mining in a place that already has walls, internet, and electricity. Not only do you have to pay for the hardware like other miners, but you have to build a place, pay large up front costs per kW to set up solar and wind generation.

If you are efficient, 2kW  will get you around 1,100 (+ or - $200) a month, but that rate will only last for the first 10 days starting now. By the time you got this set up it would probably be more like $300/month in revenue. But you'd have dropped like 5 - 8K in setting it up. It would take you two or more years to break even at today's exchange rate. Then you'd have to pay for internet, and gas to go there every couple of weeks. I'm sure there are other random costs as well that haven't been mentioned yet. The only way this makes any sense is if you plan to hold the bitcoins in hopes that the price increases.

Are you looking build a Turkish Automaton type system?

To make that process easier:
You point your phone at the screen of the non-networked wallet machine and it reads the wallet address from the screen. There could be an app or software tool on the secure machine that displays the address full screen to make that process easier. QR code would work too. The phone forwards the address to a networked computer/email address of your choice so you don't have to type it in.

The part i don't understand, mainly because I haven't read about it yet, is how an address "receives" bitcoins. Is there a private key inside wallet.dat that allows the wallet owner to be the only one to unlock/use bitcoins that are transferred to one of his/her addresses?

Seems like a good move, assuming ZenDesk is a good service (don't know anything about it).

No, it's not weird at all. No offense to Mr. Wagner, I'm sure he really believes in the Bitcoin idea, but after I watched some of his videos on YouTube I got a similar impression. It made me question that I had an interest in the same thing this guy seemed to be trying to sell so hard. He comes off like a confidence man. The vibe I get from him is that if he were trying to convince me to enter into business with him or conduct a transaction with him, I would not trust him and would spend the entire conversation trying to figure out how he was trying to con me.

I don't mean to insult him and I have nothing personal against him, and I'm not insinuating that he is doing anything underhanded. I'm just saying that public perception is important and at the subconscious levels, with things like body language, and the way he talks, he does not instill confidence. You get the sense that he's trying to gas you up and that in turn makes you suspicious. It could be that he's just really excited about the idea and simply lacks charisma. I'm not going to pretend to know why he gives the impression that he does. Lemonginger and I both separately came to the same conclusion so I'm sure that there are others who get the same impression from Bruce Wagner.

As the so called face of Bitcoin, the PR man for Bitcoin, he is not going to be convincing any outsiders to join up.

Just runn
This assumes that i just run the miner and leave it, trusting that it will not crash. Every time the miner is restarted i would have to set the affinity, which is not practical. Is there a way to launch an app from the command line, and tell windows which core to "prefer" for that process?

I have two miners running at ~260Mh/s = 520Mh/s total. I have a scheduled job to kill them and kick them off again every 20 minutes.

The stats page for the Eligious pool lists my hashrate always in the 250-300 range. Why is it so much loger than what Phoenix miner is reporting for me on the command line? Is some of my hashing power being stolen somehow? 

Are there truly no vulnerabilities in Linux?

edit: nm. Wallet encryption is addressed in the OP.

I agree with mouse. Securing the wallet, and everything else possible (I don't know what to demand security on specifically, because I'm not an encryption or security expert) is the single most important thing that needs to be done in the bitcoin world right now. I am still shocked when I read a forum post saying that one of the developers said that securing the wallet was low priority.

You aren't gonna get multiple chances with bitcoin. If it experiences one catastrophic failure, that could be enough to scare people away for good. I have no bitcoins to my name right now but as soon as I do I will pledge some to a bounty on securing the wallet, and a security audit of the entire toolchain. That includes pools, miners, clients, and wallet security. If any coders here are legitametly GOOD if not GREAT security programmers, they should set up to work on that. Or people should recruit their friends who are experts in the arena to contribute.

I said this in another thread. Cryptocurrency with a plain text wallet. Is that a joke?

I'm on W7x64, Stream SDK 2.4, and latest ATI drivers. Each instance of Phoenix uses up 100% of a CPU core. Are there any open source miners that don't hose the CPU (I know that it's not Phoenix's fault, it's something to do with the latest ATI drivers also assigning OpenCL work to the CPU in addition to the GPU, right?).

What is the workaround? I'd rather not change the driver edition if there are other options.

Also anyone who uses the same passwords for DropBox as they do for anything Bitcoin related, or for that matter anything else at all, should change ASAP. See the XKCD comic about this very subject.

Is it possible that he was attacked due to something being compromised on one or more of the pools he's been using? I know Slush's pool was transmitting username and password in clear text. If Slush's setup were compromised an attacker could get user logins & pwd's to Slush's site. That could explain the payout address on Slush account being changed without the user's knowledge. Aside from the OP, there was one other instance of this happening being mentioned on the board. Or if something inside Slush's network is compromised they could easily pick up all the IP addresses of the pool's miners. Then the attacker would systematically scan those users' machines for security holes and infect all the vulnerable ones. I haven't ever used the tools or messed with this kind of stuff, but I know how to write code so it's clear to me that an attack like this could be done just by running a script. It wouldn't really take much effort. Or, no offense to Slush, Slush himself could be involved in some shady activities (I really mean no offense, I'm relatively new to the site so I don't know if he has some kind of high standing or established credibility here, if so, pardon).

If any users are using the same password on multiple sites that might be exploited to get into their PC. I think the focus on getting jerry-rigged programs and web apps set up in 1/2 a day has resulted in a ton of insecure stuff. People need to slow down and inspect all the new stuff coming online for security. Don't use the same password across more than one account.

No offense intended to the OP either, but his reaction doesn't seem realistic to the situation. I kind of had some doubts at certain points in this thread as to whether or not he was pulling our chain. People are trying to help him and he's not really providing any info that might help investigate what happened. His responses hardly answer any of the questions that were posed. He/she constantly attributes the problem to a hacked windows machine. Where is the evidence that this is what took place? I know that windows has a reputation of being insecure, but that doesn't automatically mean that was the attack vector. And anyone in their right mind who lost as much as the OP claims would not be talking about reformating their PC right away. If it were me I probably would just set that machine aside indefinitely with the hope that someone could examine it for evidence. But I understand that he might just be really emotional right now and not thinking clearly.


The two most likely sources of the attack seem to be:

1. An attacker found his IP via his pool mining activities (as in the hypothetical scenario I mentioned above), and did a mass attack on all the pool's miners. Some percentage of them might have been compromised. Or not.

2. A meatspace inside job; compromised his computer in advance, and took the BTC remotely. I don't see why the OP keeps saying it couldn't have been meatspace just because he didn't hear anyone enter his home. The attack could have been remote. He needs to really list all the people he knows IRL who were aware of his activities. From what I've read it's not that big a deal to social engineer someone you know IRL into running something that compromises their computer. Attackers sometimes just drop USB keys into the parking lot of a company they want to breach. Employees will often find those drives and out of curiosity plug them into the work machines and they are instantly infected. So someone the OP knows IRL could have passed something in an email, a USB thumb drive with a stealth auto-run trojan, or a CD/DVD with the same thing. Or the person used his computer sometime in the past to check their email or something, and when the OP wasn't looking, they planted a trojan on his Windows or Linux machines. They could have been monitoring him for a while to discover the passwords or whatever necessary to get to his wallet.

If you ever stored wallet.dat on dropBox unencrypted, I think an employee could get access to old versions of your wallet due to the fact that DropBox essentially stores a copy of every version of every file, as it changes over time. So even if you delete it from your hard drive i think you can go into DropBox web interface and get old versions of it. Presumably DropBox employees have this same type of access. This is why people store sensitive files on DropBox only if they are stored in encrypted containers (like a TrueCrypt volume).

TrueCrypt is annoying with DropBox though, because DropBox doesn't sync the changes to the container until after it is dismounted.

I haven't looked at the block chain data structure, but is it possible to set up a service that tracks coins? Kind of like Lo-Jack for bitcoins? I'm not sure how that would work with fractions of bitcoins though. I'm not even sure how a specific "Bitcoin" is distinguished from any other, but my vague understanding is that that is how it works. So this would be a web app where people like the OP register the address of their stolen or lost bitcoins, and the website permanently watches the block chain for activity for the flagged bitcoins. Email/text notifications of course.

I'm not sure how useful that would be because I'm not familiar with what data is available and what isn't, in the chain. Thinking about it more I'm not sure there would be much value in it. Someone could falsely flag any random coins as being stolen from them, and how would anyone prove ownership? But if there were some way to prove that they were stolen, then this tracker app could be used as a clearinghouse by people and institutions who want to only deal in clean money. Exchanges could refuse any coins that are flagged as stolen, etc. One way to prove ownership might be to register bitcoins with this website when you get them, and the website somehow verifies your ownership. That would be a precautionary step in case you ever get robbed of BTC.

Eh. Anyone who knows more about how the chain works know if this kind of thing is feasible?

Please describe the security of all the PC's in your home network. Do you a router with any firewall configured on it? Is your router secure? You said the funds were taken when the wallet was on a non Windows machine. What OS was running on that machine, and can you describe the security measures in place on both machines (firewall, anti virus, you only do day-to-day use with a non admin account, etc).

Is your network on wifi and is it secure? Have you done anything that would have publicized your IP address since you started acquiring bitcoins?

I'm asking all these because I think it sucks this happened, but all the people here might be able to help you investigate this incident. And another important motivation is that others could learn from your mistakes if any, and take steps to protect themselves. I think the fact that the wallet is unencrypted is the most ridiculous thing ever. How does a cryptocurrency not encrypt the very wallet where the value is stored? I think i read in another post someone explaining that it was low priority compared to other items in the work queue. That's ridiculous. It should be a top priority. Is the code for the client open source? If so it's probably time for a community effort to make that system more secure.

Good post.

D
Does anyone have any view on why there would be a *healthy* relationship between difficulty and price? I see difficulty as a reaction to price. Price increases cause more miners which raises the difficulty. So April - present has been a GPU arms race for everyone to acquire the highest possible portion of the total network hash rate. This has also driven up the hardware prices as a result, and in many cases caused outages. I think last week and this week are when the arms race stops, and there will still be 2-3 weeks lag as those systems come online.

The only question mark is the price itself. The best explanation is simply influx of outside interests due to the media coverage. The price now is just due to flow of cash. The flow has stopped, and eventually, and probably in the near term, that cash will flow away to some other location as people lose interest. This might be prolonged or prevented if there continued to be more interesting services and uses for Bitcoins that kept interest alive. Which is pretty cool and I think people realize this because there is practically a whole forum full of people scrambling to be the first to set up Bitcoin related operations. So far none of them have gotten to be Bitcoin "killer apps". I think the best thing that could actually happen at this point, is for a robust startup vehicle (like a BTC stock exchange) to fund well organized operations. This is sort of happening on a small scale with things like bounties, but that's not big enough. The closest thing I see to this is that one guy who set up a mining company and managed to get at least a few investors. More mainstream folks would continue to stream in and out of this community, and stay longer if they could invest in stuff. I think the average person would see this as a fun, and approachable bunch of pet projects surrounding a micro-economy. People are more willing to participate because the Wall Street vampire squids haven't haven't gotten their shady & corrupt tentacles onto it yet. So it's like a democratization of an economy (albeit more of a toy, or mock economy still, at this stage).

As a side note, I'd like to add that there really has only been 2-3 unique pieces of news in the past 2 weeks, yet over a dozen different articles released just rehashing the same stuff. Our media in this country sucks. They just copy stories from each other. I would like it if someone came up with a system to analyze news stories/content to trace them back to original source. Which website would get identified as the one generating the most original content?

It's nice that you think that, everyone wants to be privvy to information that others aren't, in order to get an edge, but that is not how publicly traded companies work. Everyone gets the same information at the same time.

One of the problems with Bitcoins is that people think they are reinventing a brand new miraculous economy, but what they are doing is regressing to a period way back in in the early days of American economy, before there was regulation. There is no law in bitcoin land, it really is the wild west. And people should be careful because there are tons of other predatory parties on the prowl looking to take advantage of the people who haven't read their history books.