bitfloor needs your help!

[repentance]

The only people profiting from bitcoin are hackers. Fuck this shit.

I haven't lost anything yet from bitcoin but it does seem like hackers are just having a field day with it.  As much as everyone hates Mt.Gox because of the cost to put money on there and the loss of anonymity, it seems like they have the best methods on there.  I feel like bit floor should have known better than to have all of their coins in a hot wallet after btc-e and other hacks.  

Exchanges are damned if they do and damned if they don't.  People want the convenience of being able to do instant withdrawals and transfers without any of the risk.

Small Bitcoin services which hold large amounts of other people's BTC are hacker magnets and intruders know that such services are often one or two man operations without capital reserves to invest in infrastructure.  They're soft targets.  Security needs to be baked in from the day a service is created but many Bitcoin services are more concerned about rushing to market than they are about security (they probably tell themselves they'll invest in "proper" security once the profits are rolling in, not realising that a rapidly expanding business often makes little or no profit).

Until Bitcoin service providers lift their game security-wise, people should severely limit the amount of BTC they store on such services.   Bitcoins stored on a service are always at risk.  You accept the risk of them being lost or stolen by leaving them on deposit with a service.

[1713509096]

1713509096

[jwzguy]

Roman is trying to do the right thing, with all the information he has available. You guys with USD on the site, please be patient. You can see he tried to let you withdraw, but probably thought it better to make sure he wasn't doing anything illegal as Stephen kept reiterating. There's nothing shady about that. Hopefully he will continue with that soon.

Well sadly Stephen was misinformed and likely turned a bad situation into a worse one.  His talk of injunctions and criminal activity were simply false.  I am just not certain if it was coming from a place of intentional malfeasance or simple ignorance.

I do agree with you jwzguy, that bitfloor has a lot going for it and the situation isn't intractable.

I completely agree, and I think you're correct. Of course I'm not a lawyer, and not responsible for all that money...I certainly don't blame him for wanting to check. I can only imagine the stress he's going through right now.

Icebreaker - please don't jump to conclusions just because someone here is being very opinionated. From his behavior, I think Roman must agree with you.

[Shadow383]

Wow, somebody at Linode really is making a fortune from Bitcoin  
Linode's stolen what? 80K BTC? About $800k?
Not bad.

[fcmatt]

Wow, somebody at Linode really is making a fortune from Bitcoin  
Linode's stolen what? 80K BTC? About $800k?
Not bad.

i am of the opinion the owner of bitfloor has very little idea what happened.

put it this way.. he put the site back online. does that sound like someone who knows security?

at the very least you nuke the install from orbit, reinstall a clean patched os, recover from backups,

AND fix the darn hole.

I do not think that happened. I would like to know how they got in.

[giszmo]

Maybe we should go for fractional reserve for security. Exchanges don't have to hold any bitcoins and instead of charging addresses, they show withdrawal addresses that were earlier posted to them by people wanting to withdraw. This would only imply a slight delay here and there but provide much more security.</irony>

[blakdawg]

Maybe we should go for fractional reserve for security. Exchanges don't have to hold any bitcoins and instead of charging addresses, they show withdrawal addresses that were earlier posted to them by people wanting to withdraw. This would only imply a slight delay here and there but provide much more security.</irony>

It would be a lot easier if the hackers would accept USD, then we wouldn't have to go to the trouble of converting to BTC so it can be stolen.

Or we could just put the account records on a wiki, and we can just update the wiki when we make deposits and withdrawls. Then the exchange operators wouldn't even need to log in to their own site.

[whitslack]

It would be a lot easier if the hackers would accept USD, then we wouldn't have to go to the trouble of converting to BTC so it can be stolen.

LoL! They do. Those hackers are known as "banksters."

[stoppots]

Sounds like the cold storage was deposited with pirate.
 

[bitcorn]

I go to the site and it reads this (which it still reads)

Bitfloor Website
Is currently offline.
It will be back shortly.
I check back later and its up. So I sent 136 coin to my deposit address.
Anyone else think the message on the site should read
DO NOT SEND ANY COIN TO US WE HAVE BEEN HACKED!!!!!
or something of that nature. I only keep my money in coin for less than 24 hours before converting it and got screwed. Guess I stop taking bitcoin cause its too risky.

Speaking like a true Junior.

Imagine how Bitfloor feels right now.

Speaking of Junior League: looking through Google's cache of bitfloor, and maybe I'm just missing something obvious here, but I don't see TOS at all. Did bitfloor users agree to a specific TOS via email, or some form of messaging, or… what?

[ErebusBat]

Wow, somebody at Linode really is making a fortune from Bitcoin  
Linode's stolen what? 80K BTC? About $800k?
Not bad.

i am of the opinion the owner of bitfloor has very little idea what happened.

put it this way.. he put the site back online. does that sound like someone who knows security?

at the very least you nuke the install from orbit, reinstall a clean patched os, recover from backups,

AND fix the darn hole.

I do not think that happened. I would like to know how they got in.

Especially on a supposed semi-airgapped machine.  My theory:  roman allowed access from his machine for connivence and they compromised THAT which allowed them to pivot into the cold storage server.

Also as to the backun on an unencrypted portion of the disk:  this would make no difference if they were logged into the running server, unless the encrypted volume was usually unmounted (which does not sound like it was).  It sounds like the machine used encryption, but that only really defeats cold attacks on the disk.

[IveBeenBit]

Speaking of Junior League: looking through Google's cache of bitfloor, and maybe I'm just missing something obvious here, but I don't see TOS at all. Did bitfloor users agree to a specific TOS via email, or some form of messaging, or… what?

I actually don't remember seeing one, either, and at one point, I DID go looking for one to clarify one of their policies, but wound up just emailing support instead.

[thebaron]

In b4 pirateat40 ran bitfloor.

[fcmatt]

Wow, somebody at Linode really is making a fortune from Bitcoin  
Linode's stolen what? 80K BTC? About $800k?
Not bad.

i am of the opinion the owner of bitfloor has very little idea what happened.

put it this way.. he put the site back online. does that sound like someone who knows security?

at the very least you nuke the install from orbit, reinstall a clean patched os, recover from backups,

AND fix the darn hole.

I do not think that happened. I would like to know how they got in.

Especially on a supposed semi-airgapped machine.  My theory:  roman allowed access from his machine for connivence and they compromised THAT which allowed them to pivot into the cold storage server.

Also as to the backun on an unencrypted portion of the disk:  this would make no difference if they were logged into the running server, unless the encrypted volume was usually unmounted (which does not sound like it was).  It sounds like the machine used encryption, but that only really defeats cold attacks on the disk.

I dunno. He used linode and i would guess to save money it was vps. Not a few dedicated machines.

[dust]

I'm not sure why anyone would use Linode for anything bitcoin related after multiple simultaneous hackings of bitcoin services through the internal customer service panel resulted in barely any response or details from Linode admins.

[fcmatt]

I'm not sure why anyone would use Linode for anything bitcoin related after multiple simultaneous hackings of bitcoin services through the internal customer service panel resulted in barely any response or details from Linode admins.

It is cheap, advertised, and maybe OP did not read the threads about it.

I am going to guess mysql inject, found a crypt pass or plain text pass of OP, then logged in via ssh or web which had no acls.

[Shadow383]

I'm not sure why anyone would use Linode for anything bitcoin related after multiple simultaneous hackings of bitcoin services through the internal customer service panel resulted in barely any response or details from Linode admins.

It is cheap, advertised, and maybe OP did not read the threads about it.

I am going to guess mysql inject, found a crypt pass or plain text pass of OP, then logged in via ssh or web which had no acls.

I'm going to guess someone at linode has a car that seems very expensive for their salary.

[Domrada]

Roman:

If you decide to raise money from investors, please send me a pm.

[lomax]

it seems likely that BTC sent in AFTER the hack announcement may be set aside in an eventual settlement

What about the people who don't go here. Shouldn't the site have a warning or an e-mail blast? This is kinda like lets post on bitcointalk and hope everyone knows to go read there before sending or god forbid an automated system since they advertized having api for that very reason.

You are 100% correct, there is still nothing on the website to indicate that it is down for anything other than some trivial maintenance. Relying on your customers to read this thread is insane.

[Maria]

I had 4,231 BTC in Bitfloor. I want my money NOW!


Just kidding, lol! Thank God a few months ago I was going to make a HUGE deposit to bitfloor but a very Wise Man told me.."Stay away from that dude, hes a fucking idiot, he uses his personal bank account for deposits and withdrawals.."

I Thank You Sir You Know Who You Are!!

MultiCoin Maria.

Dont hate

[jwzguy]

I had 4,231 BTC in Bitfloor. I want my money NOW!


Just kidding, lol! Thank God a few months ago I was going to make a HUGE deposit to bitfloor but a very Wise Man told me.."Stay away from that dude, hes a fucking idiot, he uses his personal bank account for deposits and withdrawals.."

I Thank You Sir You Know Who You Are!!

MultiCoin Maria.

Dont hate

Oh look, the forex scammer! And another lie. How predictable.
Glad to see that so many people have you on ignore, Leo.