It could be a sophisticated virus. But if it would steal his pool password, it could not grab his wallet. And vice versa. Would I design a worm stealing Bitcoins, I would not care about some pool payout address. I would just grab wallets.
Nowadays it seems these payloads are now "multifunction" all-in-ones. I once had a machine get infected with malware - it threw up the usual fake antivirus mumbo jumbo - and also had a folder full of temporary files. In the temporary files, the malware had constructed a message that was left in cleartext and presumably went to the author: "eBay passwords found... none. eGold passwords found... none. Hotmail passwords found... none". Fortunately all of these were "none" becuase I don't save this crap on my computer. It also had all my keystrokes since the time I got the malware, which started out iwth an instant message to a friend, along the lines of "shit, I think I just got a virus". I shut down and reinstalled my OS right away onto a different hard drive. The idea that malware does "this" - so therefore it does not do "that" - is not a safe assumption. I've worked with AI systems that can self-modify based on particular goals with very high realtime performance in a very lightweight application. If I wanted to, I could combine a selection of attack vectors as primitive actions in the goal system, code a set of rules for finding pool-like sites in browser history and wallet-like files and give it the goal of "obtain as many bitcoins as possible". Such a system would be capable of getting an enormous number of coins through a worm attack in a very short amount of time. The thing is though, i'm not a worm author - this would require a specific overlap of "worm author", "bitcoin user" and "AI knowledgeable" that is very very rare. Much more likely is a local compromise - occam's razor would tell us to ignore the unrequired entity of an external anonymous party on the internet to explain this theft. I'd look at coworkers and the staff of the remote backup services myself. |
|
|
|
|
I think anyone would buy at that price - but selling? really?
|
|
|
|
Paypal will freeze your account as soon as they find out what you're trading, at that point you will lose all funds in the account.
It sucks that paypal have this rule, but the TOS is a contract which you willingly enter into by opening an account and you should therefore abide by it.
I have no money in my 2nd  But you presumably will if you get customers. Customers will buy your BTC, they will pay to paypal - you send the BTC. You lose your BTC. Next, paypal freezes your account. You lose the fiat you sold that BTC for. |
|
|
|
Once again: Encryption would not have protected anything. Encryption can protect stored data. It does not protect a wallet file that is in use, because it is accessed by the client and stored unencrypted in main memory.
In theory yes. Of course it would protect against stealing the wallet file. Normally you only need the data encrypted for doing transactions which is a very short time window. Especially with savings wallets which get accessed not very often. An encrypted wallet that stays encrypted even while the client is running would do tons in favor of security. There is a big difference between getting one time access to a machine and having a program running to wait for the wallet to be decrypted in memory for 100ms. Encrypt wallet, decrypt only when the user wants to send coins - interesting idea. |
|
|
|
If you stored your wallet.dat in three online sites unencrypted, any one of those places could have possibly taken the bitcoins by loading that wallet.dat on their client then spending the coins.
Spreading the file out in multiple places isn not necessarily the best idea unless the file is securely encrypted by YOU and not the place that is storing it.
That's precisely what i've done for years personally (but for far less sensitive data - a MySQL dump of a website with 20k users including private messages - the "private" bit being what's sensitive). Basically I encrypt the SQL dump with a stupidly long key and a passphrase made up of random letters and numbers only I know and send it to a bunch of reasonably trustworthy individuals to store. For a bitcoin wallet backup, personally I ain't letting anyone else have physical possession even with incredibly strong crypto - any crypto system other than a one-time pad can fall eventually, and it only takes one smart and patient attacker to wait out the years/decades before cracking a bunch of wallet files and using them. I could get rich in BTC only to lose it all due to a silly mistake years ago. One thing that I would advise for anyone with a large amount of BTC though is to split it up across multiple wallets, the majority of them completely offline and stored in physically secure locations. If I had something in the 6 figure range i'd definitely be paranoid about it. |
|
|
|
|
Paypal will freeze your account as soon as they find out what you're trading, at that point you will lose all funds in the account.
It sucks that paypal have this rule, but the TOS is a contract which you willingly enter into by opening an account and you should therefore abide by it.
|
|
|
|
Honestly I don't think this is a "serious attack on bitcoin" by eBay.
It makes a lot of sense not to sell/distribute digital goods because the copyright is much harder to control. A listing that reads "Selling copies of Justin Beiber 'baby baby baby'!!" would be fine if they are original CDs, but when it's digital goods, then the merchant can become a supplier/distributor and sell unlimited copies. I'm sure you can see the problem there.
eBay is simply preventing this, and digital currency fits under a broad category such as this. They are simply protecting their brand and don't want to be a free-for-all marketplace.
The thing is, they're claiming it violates the rules due to copyright on game characters - that makes no sense at all. Most likely they're applying the same rules as they would for WoW gold and there's a very slim chance someone could get ebay to change their mind. |
|
|
|
|
If there was a means to invalidate the thieves coins or to reclaim them then the same could be done to a legitimate user.
Bitcoin is a secure system only so long as you keep your wallet secured - and sadly it seems you were not able to adequately do so.
This isn't a reason to abandon bitcoin completely or to dismiss it as flawed, but of course it's understandable that you wouldn't want to reinvest after having lost so much.
Keep an eye on that address in block explorer and you might find transactions that end up at some publicly-identifiable address, that might give you some chance of identifying the thief.
|
|
|
|
Hi everyone I'd like to announce that my proposed venture for fast mtgox payments for which I was seeking investors now has a confirmed investor and business partner with which I will be joining forces to build the product. Due to his past experience in startups of this nature, his connections, valuable insight during discussions and offer to get involved more intimately with the product development itself as opposed to simply putting up capital I have selected Yankee as sole investor for the time being. We have negotiated a basic deal and begun preliminary work on the service itself and I am pleased to announce that our new service BitInstant will soon be up and running. We intend to start with a simple method for fast payments into MTGox as detailed in my original proposal and to then scale out from there into areas such as fast inter-exchange BTC transfers. Our role essentially will be one of making your transfers in the bitcoin economy as fast and smooth as possible. I would like to thank everyone who displayed interest in investing in this venture and will keep you all in mind for future needs as we scale out. Looking forward to showing you all the end product now that the true fun part can begin. For those wondering, my original proposal was here - http://forum.bitcoin.org/index.php?topic=16134.0 |
|
|
|
Hi everyone. I am totally devastated today. I just woke up to see a very large chunk of my bitcoin balance gone to the following address:
1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg
Transaction date: 6/13/2011 12:52 (EST)
I feel like killing myself now. This get me so f'ing pissed off. If only the wallet file was encrypted on the HD. I do feel like this is my fault somehow for now moving that money to a separate non windows computer. I backed up my wallet.dat file religiously and encrypted it but that does not do me much good when someone or some trojan or something has direct access to my computer somehow.
The transaction sent belongs rightfully to this address: 1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG
Block explorer is down so I cannot even see where the funds went.
I tried restoring an earler backup of my wallet but naturally that does not work because the transaction has already been validated.
Needles to say I feel like I have lost faith in bitcoin.
Anyone have any ideas what I can do besides just jump off a bridge?!
Can you define "none windows computer" - What specific OS? Was it your own machine or one owned physically by another party? Where was it? How did you transfer the money/wallet to it? |
|
|
|
Sounds good, only problem is that people arent spending BTC like dollars.
They are just hoarding them or trading them as an appreciating commodity.
The volatility of the BTC is something like 5000% more volatile than the Dollar and IMHO will not make BTC effective as a currency.
This dialogue has been going on in other threads, but no clear resolution to that one central issue.
Chicken Egg |
|
|
|
That's pretty cool, there're three problems though: First, the link is broken (403 forbidden, probably either a permission issue or lack of an index page), so I had to go up a directory to access anything, and the source is inaccessible. Second, the user would have to confirm a security popup in order for the applet to run, since java's security policy disallows access to anything related to hardware accelerated rendering (even opengl), so any user visiting the page would get some unknown popup when they visited the page, probably assume it's malware, and leave. Third, the security popup never came up, and the code didn't run. I'm guessing the code is probably throwing an exception somewhere and failing before it gets a chance to ask the user for permission. I was doing some fiddling recently, should be fixed now. Thanks for letting me know about the missing index issue, I recently migrated that site from apache to nginx and missed that. As for the "unknown" applet problem, the idea is to ask users to voluntarily open a new tab with the applet running - my users trust me enough not to screw them with malware, and so I don't. |
|
|
|
|
I'd definitely be interested in joining up as a developer compensated in BTC with rates etc open to negotiation. Same for sysadmin work (though i'll suggest that you may want to have 2 tiers of sysadmin - some with access to the sensitive assets such as wallet.dat and some with access to less valuable assets).
Some thoughts on your business model:
1 - give retailers the option of multiple exchanges or just having BTC alone
2 - fees "may" be collected? no - fees WILL be collected or you make no profit at all
3 - people with money to pledge and people with the best sysadmin skills may not be overlapping groups
4 - offer a "wallet service" as a separate paid service but with value-add such as rapid USD cashout, accounting/reports etc - otherwise let retailers maintain their own bitcoin client
5 - though I may sound a hypocrite, don't build your business around mtgox's API - make it modular (in my defence, my own plan is similar - just starting out with mtgox)
Also, before you get serious interest from people with quality skills, it may help to prove you've evaluated the market:
Who are your main competitors (yes, you have some already) and where will you beat them?
One competitor i'll give away: mtgox themselves offer a merchant API.
|
|
|
|
I'm based in the UK.
What i've read up on the matter seems to suggest that I don't need a license unless i'm transmitting money into people's bank accounts.
I'm not sure that this is true. I suspect you might well need a license as you're transmitting money. It's an interesting idea though as the delay on mtgox is quite large. I'd be interested in helping with funding too so I'll PM you too. I'll look over the FSA rules again and seek proper legal advice on whether this may be an issue, but I truly believe it will not be. Some background: Previously when I was running a small virtual world hosting provider (think Second Life) I investigated the issue of currency and determined that a license would be required to handle any paying out of my service into a bank account but none is required for currencies that are purely virtual. My service at that time was accepting USD for providing hosting services paid in advance, users would hold a balance with my company and there was a conversion rate of $1USD to 0.25C (C for "credit"). Credits could be traded with other users who could only use them for funding further hosting, giving the currency value by backing it with the ability to host servers. Now, in the case of "Fast MTGox" (working title for this new idea) I will not even be holding deposits but simply accepting money for a virtual currency (the mtgox USD - this is not "real" USD as mtgox is not a bank). I therefore believe the law to be on my side. Of course I may be incorrect in my interpretation of the law, in which case i'd be grateful to anyone who points out my error. |
|
|
|
That sounds sweet. Could it be integrated into merchant shopping cards to allow instant conversion to cash through a trading house? I believe a service like that is in demand.
This could be possible, but I believe it's wise to start small and then to scale out. I'm thinking of a first launch with liberty reserve as it would be quite simple to fund mtgox from the same LR account and the target market (mtgox userbase) tends to already be familiar with liberty reserve. As for CV, i've responded to your PM. |
|
|
|
Be careful and check with a good lawyer first.
You would probably be considered a money transmitter if you do this.
Being a money transmitter requires a large bond in most states.
I'm based in the UK. What i've read up on the matter seems to suggest that I don't need a license unless i'm transmitting money into people's bank accounts. |
|
|
|
Good to see some level of interest in faster mtgox payments I'm writing the code for this site right now, but it really does need investors to work. |
|
|
|
|
Right now the fastest way is probably to send bitcoin and sell it for a high price, but that is what i'm trying to change with the site i'm setting up.
|
|
|
|
Why can't exchanges like mtgox or tradehill take ACH Deposit directly?
Some can (and do), but of course that's even slower due to the delays in bank processing (average of 3-5 working days for UK banks). |
|
|
|
|
Show Posts
