Bitcoin Forum
  Show Posts
341  Bitcoin / Bitcoin Discussion / Re: Coinsmack.com is hosted on Linode on: March 03, 2012, 02:43:47 AM
+1.  I strongly recommend keeping wallets of any significant value in a separate high-security location and retrieving queued transactions from your web server.
342  Bitcoin / Bitcoin Discussion / Re: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYMyqsNKwW9VupqKVG7 on: March 02, 2012, 02:27:00 AM
Aside from covering the losses themselves, both Slush and Zhoutong have been operating honorably and openly for some time.  This is not at all like MyBitcoin which was red flagged by plenty of people as a likely scam long before it went down.
343  Bitcoin / Bitcoin Discussion / Re: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYMyqsNKwW9VupqKVG7 on: March 02, 2012, 01:17:22 AM
Quote
It might be interesting, if, instead of balances, there were specific 'coins' in the protocol (at the moment, balances lose their individual identities, when they pass through a transaction)

Not true.  Each transaction into an address is a separate coin, and they are redeemed separately when you spend them.  They only mix when multiple coins are redeemed at the same time.

If you mean completely individual, non-mixing coins, I don't think there's a practical way to do it with a Bitcoin-like cryptocurrency.  The blockchain would become huge.
344  Bitcoin / Bitcoin Discussion / Re: BlockExplorer.com and BlockChain.info out of sync? on: March 01, 2012, 09:33:29 PM
Blockexplorer is at 169217, Blockchain.info is at 169277.  If your transaction is between those you should expect to see different results.
345  Bitcoin / Bitcoin Discussion / Re: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYMyqsNKwW9VupqKVG7 on: March 01, 2012, 09:26:26 PM
Quote
Subscriber further acknowledges that Linode.com's liability for its own negligence may not in any event exceed an amount equivalent to charges payable by subscriber for services during the period damages occurred. In no event shall Linode.com be liable for any special or consequential damages, loss or injury. Linode.com is not responsible for any damages your business may suffer.
https://www.linode.com/tos.cfm

I wouldn't expect any different from inexpensive hosting.  No one would take on that kind of liability without a large markup.

It might be in their interests to take responsibility for damages for PR reasons, but I don't think they have a mandate (ethically or legally) to cover $15k of consequential damages for a customer using a $50-100/month service.

I also would not jump on them for admitting fault.  There are way too many companies out there that try to cover everything up when they screw up.  Linode should be commended for providing a prompt and honest answer right from the top brass.

I suggest asking nicely, not with a lawyer's letterhead.
346  Bitcoin / Bitcoin Discussion / Re: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYMyqsNKwW9VupqKVG7 on: March 01, 2012, 08:39:35 PM
Getting access to the Linode admin UI doesn't give access to the server itself.  You can view the console, but you just get the login prompt.  You still need the server's password to log in.

To reset the password the server has to be shut down so that /etc/shadow can be modified.  At that point they could just go in and grab the data, but they most likely used Linode's password changer to minimize the downtime to a few seconds to help prevent getting caught.

A reboot wouldn't be required if they got access to the Linode hosts, but it doesn't sound like that was the case here.  I'm guessing the exploit is in their web-based server management.
347  Bitcoin / Bitcoin Discussion / Re: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYMyqsNKwW9VupqKVG7 on: March 01, 2012, 08:30:03 PM
Quote
isn't there a way to manage autopayouts with encrypted wallets so that if your wallet gets accessed it's still highly encrypted and unspendable


Your software has to know the encryption key in order to make the payouts.

In this particular case it may have helped - if the key was stored only in RAM (Slush would have had to type it in every reboot) it would have been wiped when the server was rebooted.  On the other hand, if the attackers get access without rebooting they can grab the key out of RAM and decrypt the wallet.
348  Bitcoin / Bitcoin Discussion / Re: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYMyqsNKwW9VupqKVG7 on: March 01, 2012, 08:22:09 PM
The downside is this would destroy fungibility.  I'm not eager to see that happen.

The idea of reputation is intriguing, but realistically that will just mean people will pay for premium laundry services that can provide freshly-mined coins.  Mining could become unusually profitable for a while.  :)

349  Bitcoin / Bitcoin Discussion / Re: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYMyqsNKwW9VupqKVG7 on: March 01, 2012, 08:14:02 PM
It exists now at an informal level, but I expect the "tainted coins" stigma will decrease over time.  Right now we have a high percentage of relatively fresh coins, but just like fiat, after they've been in circulation for some time it will be taken for granted that some percentage of it has been involved in some kind of scam.
350  Bitcoin / Bitcoin Discussion / Re: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYMyqsNKwW9VupqKVG7 on: March 01, 2012, 07:53:37 PM
Three things for everyone to learn from this:

#1, use cold storage as preemptive damage control.  Congratulations on being the first high-profile case to get this right.  :)

#2, don't store high value wallets on a public-facing server.  It's much better to keep your wallet on a machine in another secure location, poll for any required sends, sanity check them, and then send them to the network.

#3, Slush just earned 3094 honor points.
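
The wallet-side sanity check described in #2, sketched as an added example (not code from the post or from any pool's software). The request format, the per-send and per-batch caps, and the wallet-side payee table are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Hypothetical limits in BTC; tune to what the hot wallet may lose in one poll.
MAX_PER_SEND = Decimal("50")
MAX_PER_BATCH = Decimal("200")

def reject_reason(req, on_file, seen, total):
    """Return why a polled request must not be signed, or None if it passes."""
    try:
        amt = Decimal(str(req["amount"]))
    except InvalidOperation:
        return "unparseable amount"
    if req["id"] in seen:
        return "duplicate request id"
    # Payee records live on the wallet machine, so the web server cannot redirect.
    if on_file.get(req["user"]) != req["to"]:
        return "address differs from wallet-side record"
    if not (amt.is_finite() and 0 < amt <= MAX_PER_SEND):
        return "amount outside per-send limit"
    if total + amt > MAX_PER_BATCH:
        return "batch cap reached"
    return None

def vet_batch(requests, on_file, already_paid):
    """Split one poll's requests into (approved ids, [(id, reason), ...])."""
    approved, rejected = [], []
    seen, total = set(already_paid), Decimal(0)
    for req in requests:
        reason = reject_reason(req, on_file, seen, total)
        if reason:
            rejected.append((req["id"], reason))
            continue
        seen.add(req["id"])
        total += Decimal(str(req["amount"]))
        approved.append(req["id"])
    return approved, rejected

# Constructed sample data; the ADDR_* strings are placeholders, not addresses.
ON_FILE = {"alice": "ADDR_ALICE", "bob": "ADDR_BOB"}
QUEUE = [
    {"id": 1, "user": "alice", "to": "ADDR_ALICE", "amount": "12.5"},
    {"id": 1, "user": "alice", "to": "ADDR_ALICE", "amount": "12.5"},  # replay
    {"id": 2, "user": "bob", "to": "ADDR_OTHER", "amount": "3"},       # redirect
    {"id": 3, "user": "bob", "to": "ADDR_BOB", "amount": "5000"},      # too large
    {"id": 4, "user": "bob", "to": "ADDR_BOB", "amount": "NaN"},       # not a number
]

if __name__ == "__main__":
    print(vet_batch(QUEUE, ON_FILE, already_paid=[]))
```

Only the approved ids would be passed on for signing; everything in the rejected list is held for a human to look at.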
351  Bitcoin / Bitcoin Discussion / Re: Protecting your coins on: March 01, 2012, 03:22:20 PM
-1 IronKey
+1 TrueCrypt

Hardware encryption doesn't improve security; it actually makes it worse because there's no way to audit it.  How would you know if they added a back door?  I recommend sticking to TrueCrypt, GPG, FreeOTFE, or other open-source, software-based encryption based on AES or 3DES.

Edit:  And +1 paper.  The biggest threats right now are automated viruses collecting your data.  Keeping it in a form they can't easily steal is a big benefit.  You can GPG-encrypt your paper wallet if you want to protect against people stealing the paper.
352  Bitcoin / Bitcoin Discussion / Re: Protecting your coins on: March 01, 2012, 02:11:32 PM
Also, obvious substitutions like:

2 for to|too|two|Z
3 for E
5 for S
0 for O
! for i

etc add only about 1-1.5 bits worth of entropy each and are hard to remember long term.  You are much better off including a random number (about 3.3 bits per digit), a random lowercase letter (4.7 bits each), or best of all, some random words from the Diceware list (12.9 bits each).

When the only copy of the key is in your brain you don't want to make one that ends up being secure even from you.  :)

In my opinion keeping a backup copy on paper is a good idea.

Edit: to drive the point home, a 10-word (all-lowercase, no punctuation or substitutions) Diceware password has 129 bits of entropy, which is enough security to last forever.  There is no quantum algorithm to crack your die rolls. :)
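
The per-item entropy figures in the post above, together with the mapping from die rolls to Diceware words, as an added example (not part of the original post). The function names, the CSPRNG stand-in for physical dice, and the placeholder word list are assumptions; real use loads the published 7776-entry Diceware list.

```python
import itertools
import math
import secrets

# Number of equally likely choices for each random item named in the post.
POOL = {"digit": 10, "lowercase": 26, "diceware": 6 ** 5}

def entropy_bits(recipe):
    """Bits for a recipe such as {"diceware": 10}.

    Only valid when every item is picked uniformly at random."""
    return sum(n * math.log2(POOL[kind]) for kind, n in recipe.items())

def words_for(target_bits):
    """Smallest number of Diceware words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(POOL["diceware"]))

def keys_from_rolls(rolls):
    """Split recorded die rolls ('41356 22164 ...') into 5-digit lookup keys."""
    digits = [c for c in rolls if not c.isspace()]
    if not digits or len(digits) % 5 or any(c not in "123456" for c in digits):
        raise ValueError("need groups of five rolls, each showing 1-6")
    return ["".join(digits[i:i + 5]) for i in range(0, len(digits), 5)]

def simulated_rolls(n_words):
    """CSPRNG stand-in for physical dice (an assumption of this example)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5 * n_words))

def passphrase(rolls, wordlist):
    """Look each 5-roll key up in the word list and join the words."""
    return " ".join(wordlist[key] for key in keys_from_rolls(rolls))

# Constructed placeholder list with one fake word per possible key.
DEMO_WORDLIST = {
    "".join(t): "word" + "".join(t)
    for t in itertools.product("123456", repeat=5)
}

if __name__ == "__main__":
    for kind in POOL:
        print(kind, round(entropy_bits({kind: 1}), 1), "bits each")
    print("10 words:", round(entropy_bits({"diceware": 10})), "bits")
    print(passphrase(simulated_rolls(10), DEMO_WORDLIST))
```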
353  Bitcoin / Bitcoin Discussion / Re: Protecting your coins on: March 01, 2012, 10:13:12 AM
I think the best is to keep an encrypted Satoshi-client wallet with enough funds for daily use, then store the rest in a small pile of offline wallets (either USB or paper), and only import as many as you need on a known-clean computer when you're ready to spend.  Think of it like a checking and savings account.

The level of physical security you use to protect the paper/USB should correspond to the level of measures you'd use to protect that much cash or gold.  100BTC = file folder.  1000 = home safe.  10,000 = safe deposit box.  100,000 = a proper vault.
354  Bitcoin / Project Development / Re: 3D Physical Bitcoin on: February 27, 2012, 12:54:11 AM
In case you haven't seen them: https://www.casascius.com/
355  Alternate cryptocurrencies / Altcoin Discussion / Re: The RealCoin Idea on: February 26, 2012, 07:59:57 AM
Seconded.  A guarantee to peg has to come from a specific entity; that entity is effectively the central bank of the currency.

If you figure it out Bitcoin will be obsolete, but it won't be easy.  I'm not going to say it's completely impossible, but it's a hard enough problem that no one has proposed a realistic way to do it, despite plenty of people wanting a currency with those properties.
356  Bitcoin / Development & Technical Discussion / Re: Public Key/Private Key controlled by a pool of nodes on: February 26, 2012, 01:28:23 AM
Yes:

https://en.bitcoin.it/wiki/Script
https://en.bitcoin.it/wiki/Contracts
357  Bitcoin / Development & Technical Discussion / Re: Public Key/Private Key controlled by a pool of nodes on: February 26, 2012, 12:46:01 AM
That's almost how it actually works.

The first valid transaction transmitted is the one that the miners will consider valid.  Every transaction after that one will be dropped.
358  Bitcoin / Project Development / Re: Physical Bitcoins on: February 25, 2012, 11:20:17 PM
https://www.casascius.com/

Note that the security of physical Bitcoins depends on the honesty of the issuer.  Casascius is an honorable guy, but beware of scams.

You can also print your own by creating a paper wallet and filling it in whatever denomination you want.
359  Bitcoin / Development & Technical Discussion / Re: Public Key/Private Key controlled by a pool of nodes on: February 25, 2012, 11:17:20 PM
Sure, just copy the private key onto all the nodes.  Note that the Satoshi client will display balances weird if you do this, but there's no technical reason that multiple nodes can't share the key.
360  Economy / Economics / Re: buying goods to put value into bitcoins on: February 23, 2012, 05:50:48 AM
Compare it to dollar bills.  Why are they worth something?  Because everyone agrees they're worth something.  Right now the market considers them worth about 0.017 grams of gold or one side of fries, but there's nothing about the paper that makes it worth that other than its limited supply and the amount of market demand for that paper.

The same thing is true of BTC: by themselves they're not worth anything until someone else wants to use them to buy a hamburger.  Then they're willing to pay you something to get some BTC to buy the hamburger.

By making your purchases in BTC you create more demand for BTC which causes a small increase in the stored value of all BTC.  Nothing is absorbed into coins just because you used them.

Prior demand does not necessarily create future demand.  If you stop making purchases in BTC the global stored value decreases a little because of the reduced demand.