Bitcoin Forum
Topic: Instawallet/Bitcoin-Central Security Breach (Read 85268 times)
#101 | hous | Member | Activity: 98, Merit: 10 | April 01, 2013, 10:39:31 PM

Yeah, I got 30 coins in Instawallet :(
#102 | foo | Sr. Member | Activity: 409, Merit: 250 | April 01, 2013, 10:51:56 PM

> The last few posts made no sense to me at all. :)
>
> Does it look good or bad?

Not bad.

They've moved lots of coins out of Bitcoin-Central and Instawallet cold storage into a different address. Despite paying a relatively large transaction fee of 0.1 BTC on both transactions, the transactions still aren't confirmed after several hours.

It turns out that this is because the coins these transactions are trying to move aren't themselves confirmed yet, and you can't confirm any transaction which moves unconfirmed coins until those coins are confirmed.

The transactions which are holding the big transactions up have fees of 0, so miners aren't prioritising them.

A smart miner would look at the big picture, and think "if we mine these two 0-fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee". But apparently there aren't any smart miners yet. :)

Confirmed! Eligius picked up the $20.
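An added example (not code from the thread or from any miner) that models the situation foo describes: two 0.1 BTC sweeps stuck behind two unconfirmed 0-fee parents, a miner that ranks each transaction on its own fee rate, and the "smart miner" that ranks parent and child together as a package. The txids, fees, sizes and the 10 sat/vB minimum fee rate are constructed.

```python
"""Toy block builder for the situation foo describes (added example, not from
the thread): two 0.1 BTC sweeps spend outputs of two unconfirmed 0-fee parents.
A miner ranking each tx on its own fee rate never picks the parents, so the
sweeps are never eligible; ranking on package (ancestor set) fee rate takes
parent and child together. Fees, sizes, txids and the 10 sat/vB floor are
constructed; block space is treated as unlimited."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    fee: int              # satoshis
    vsize: int            # virtual bytes
    parents: tuple = ()   # txids of inputs that are themselves unconfirmed

# Constructed mempool; "other" is an unrelated tx with an ordinary fee.
MEMPOOL = {t.txid: t for t in [
    Tx("parentA", fee=0, vsize=250),
    Tx("parentB", fee=0, vsize=250),
    Tx("sweepA", fee=10_000_000, vsize=500, parents=("parentA",)),  # 0.1 BTC
    Tx("sweepB", fee=10_000_000, vsize=500, parents=("parentB",)),  # 0.1 BTC
    Tx("other", fee=50_000, vsize=250),
]}

def unconfirmed_ancestors(tx, pool):
    """Transitive closure of tx's parents that are still in the pool."""
    seen, stack = set(), list(tx.parents)
    while stack:
        p = stack.pop()
        if p in pool and p not in seen:      # not in pool = already confirmed
            seen.add(p)
            stack.extend(pool[p].parents)
    return seen

def package_feerate(tx, pool):
    """Fee rate of tx together with all of its unconfirmed ancestors."""
    pkg = [pool[a] for a in unconfirmed_ancestors(tx, pool)] + [tx]
    return sum(t.fee for t in pkg) / sum(t.vsize for t in pkg)

def build_block_naive(pool, min_feerate):
    """Rank each tx on its own fee rate, skip anything below min_feerate;
    a child is eligible only once all its parents have been selected."""
    chosen = []
    for tx in sorted(pool.values(), key=lambda t: t.fee / t.vsize, reverse=True):
        if tx.fee / tx.vsize < min_feerate:
            continue                         # the 0-fee parents die here...
        if any(p in pool and p not in chosen for p in tx.parents):
            continue                         # ...so the sweeps never qualify
        chosen.append(tx.txid)
    return chosen

def build_block_packages(pool, min_feerate):
    """The "smart miner": rank on package fee rate (child pays for parent)
    and admit the whole package at once, parents before children."""
    chosen, remaining = [], dict(pool)
    while remaining:
        best = max(remaining.values(), key=lambda t: package_feerate(t, remaining))
        if package_feerate(best, remaining) < min_feerate:
            break                            # nothing left that pays enough
        pkg = unconfirmed_ancestors(best, remaining) | {best.txid}
        chosen.extend(sorted(pkg, key=lambda i: len(unconfirmed_ancestors(remaining[i], remaining))))
        for txid in pkg:
            del remaining[txid]
    return chosen

def fees_collected(pool, chosen):
    return sum(pool[t].fee for t in chosen)
```

With the constructed mempool the naive policy mines only `other` and earns 50,000 sat, while the package policy mines both parent/sweep pairs as well and earns 20,050,000 sat.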
#103 | Injust (OP) | Legendary | Activity: 1008, Merit: 1000 | April 01, 2013, 10:53:17 PM

The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
First one took 299 minutes to confirm, second one took 296 minutes.
EDIT: Both now have 2 confirmations.
#104 | steelboy | Hero Member | Activity: 756, Merit: 1000 | April 01, 2013, 10:55:11 PM

> The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
> First one took 299 minutes to confirm, second one took 296 minutes.
> EDIT: Both now have 2 confirmations.

Good or bad?
#105 | steelboy | Hero Member | Activity: 756, Merit: 1000 | April 01, 2013, 10:56:42 PM

>> The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
>> First one took 299 minutes to confirm, second one took 296 minutes.
>> EDIT: Both now have 2 confirmations.
>
> Good or bad?

If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy belongs to Instawallet/Bitcoin-Central then good.

Do you believe it?
#106 | Injust (OP) | Legendary | Activity: 1008, Merit: 1000 | April 01, 2013, 10:59:32 PM

>>> The two large transactions to address 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy from Instawallet Cold Storage now have 1 confirmation each.
>>> First one took 299 minutes to confirm, second one took 296 minutes.
>>> EDIT: Both now have 2 confirmations.
>>
>> Good or bad?
>
> If we are to believe that 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy belongs to Instawallet/Bitcoin-Central then good.
>
> Do you believe it?

Impossible to know for sure, but I believe it's legit, albeit with a bit of doubt.
#107 | Nicolai | Newbie | Activity: 39, Merit: 0 | April 02, 2013, 12:05:11 AM

BitDreams & Injust: So by your definition, I have found a security bug _in Hotmail_ by going to Google, searching for a hacked database dump of some random other site (i.e. not Hotmail), finding a random user with an @hotmail email and trying to log in to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault? This is what you're saying right now ::)

I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 Basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this is not, and will never be, a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
#108 | Injust (OP) | Legendary | Activity: 1008, Merit: 1000 | April 02, 2013, 12:16:38 AM

> BitDreams & Injust: So by your definition, I have found a security bug _in Hotmail_ by going to Google, searching for a hacked database dump of some random other site (i.e. not Hotmail), finding a random user with an @hotmail email and trying to log in to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault? This is what you're saying right now ::)
>
> I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 Basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this is not, and will never be, a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

I have a chainsaw. Your argument is valid.
But anyway, your analogy is VERY bad. VERY.
It's Instawallet's flaw because they allowed Google bots to index their wallet URLs. Nobody pasted a database dump of Instawallet URLs anywhere.
#109 | the founder | Sr. Member | Activity: 448, Merit: 251 | April 02, 2013, 12:21:58 AM

> BitDreams & Injust: So by your definition, I have found a security bug _in Hotmail_ by going to Google, searching for a hacked database dump of some random other site (i.e. not Hotmail), finding a random user with an @hotmail email and trying to log in to his mail by reusing his password from the other hacked site. If this works (which it does with enough tries), then it would be hotmail.com's fault? This is what you're saying right now ::)
>
> I suggest you read this: https://bitcointalk.org/index.php?topic=159025.msg1695310#msg1695310 Basically the founder's "flaw" (which has been known for ages) is about finding people who leak their private keys (just like leaking your mail+pass). Not protecting against this is not, and will never be, a security flaw. It is, as I've said before, best practice to do whatever you can to stop user errors, but in the end it's the user's fault. To quote Albert Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

I have no idea how to say this.

Last week, if you googled site:instawallet.org you would be greeted with at least 3000 wallets, many of them with bitcoins; you could click on that link and transfer those coins out.

If you googled site:hotmail.com, you would not be greeted with your inbox and be able to read all your e-mails.

This is not anywhere near the same issue. What they had was a SECURITY FLAW.

Partially it was Google's fault; they (Google) lie to people by saying that a robots.txt ban means Google doesn't index your site.

In reality it means they will not SPIDER the URLs; it doesn't mean they won't list them.

Big difference, and the hedge against that is what Instawallet failed to address, hence why it became a security flaw.

But let's put all this aside. Want to know the difference between a "flaw" and a "security flaw"?

Nicolai, would you put all your bitcoins on Instawallet? Your answer should let you know the difference between a flaw and a security flaw.
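An added example, written for this page and not code from the thread, Instawallet or Google, that models the founder's distinction between a robots.txt crawl ban and actual de-listing using Python's standard robots.txt parser. The hostname, paths, token and robots.txt contents are constructed.

```python
"""Why a robots.txt Disallow does not keep a secret URL out of a search index.

Added example, not code from the thread, Instawallet or Google. It models the
founder's distinction above: Disallow stops a crawler from *fetching* a URL,
but a URL the engine learned elsewhere can still be *listed*, and a noindex
directive on that page is never seen because the fetch is blocked. The host,
paths, token and robots.txt contents are constructed."""
import re
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

# Constructed: wallets "protected" only by a crawl ban, as the thread describes.
ROBOTS_CRAWL_BAN = "User-agent: *\nDisallow: /w/\n"
# Constructed alternative: let the crawler in so it can read the noindex.
ROBOTS_ALLOW = "User-agent: *\nAllow: /\n"
TOKEN = "a1b2c3d4e5f6a7b8c9d0e1f2"                   # constructed, not a real wallet id
WALLET_URL = f"https://example-wallet.test/w/{TOKEN}"

META_NOINDEX = re.compile(
    r'<meta\s+name=["\']robots["\']\s+content=["\'][^"\']*noindex', re.I)


def has_noindex(headers, html):
    """True if the response says noindex via X-Robots-Tag or a robots meta tag."""
    tag = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    return "noindex" in tag.lower() or bool(META_NOINDEX.search(html))


def is_capability_url(url, min_len=20):
    """Heuristic: a long opaque path segment is acting as the credential. Such a
    URL is a bearer secret; anything that records URLs (search engines, browser
    sync, mail) becomes a place it can leak from, whatever robots.txt says."""
    return any(len(seg) >= min_len and seg.isalnum()
               for seg in urlparse(url).path.split("/"))


def index_exposure(robots_txt, url, headers=None, html=""):
    """How a search engine that already knows `url` may treat it:
      'listable'           crawl blocked, so the bare URL can still be shown and
                           any noindex on the page is never fetched (the trap)
      'noindex-effective'  crawl allowed and the page says noindex
      'indexable'          crawl allowed, nothing says noindex"""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    rp.modified()          # can_fetch() answers False for everything until stamped read
    if not rp.can_fetch("Googlebot", url):
        return "listable"
    return "noindex-effective" if has_noindex(headers or {}, html) else "indexable"


def audit():
    """The Instawallet-style setup beside the two other outcomes."""
    return {
        "crawl ban only":      index_exposure(ROBOTS_CRAWL_BAN, WALLET_URL),
        "crawl ban + noindex": index_exposure(ROBOTS_CRAWL_BAN, WALLET_URL, {},
                                              '<meta name="robots" content="noindex">'),
        "allow + noindex":     index_exposure(ROBOTS_ALLOW, WALLET_URL,
                                              {"X-Robots-Tag": "noindex, nofollow"}),
        "public page":         index_exposure(ROBOTS_CRAWL_BAN,
                                              "https://example-wallet.test/about"),
    }
```

Google's own guidance states that a noindex rule only takes effect if the page is not blocked by robots.txt, which is exactly what the "listable" branch models; `is_capability_url` flags the deeper problem that a URL acting as a credential should never reach a URL-recording service at all.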
#110 | the founder | Sr. Member | Activity: 448, Merit: 251 | April 02, 2013, 12:34:32 AM

> If you put a password in a URL on your website, it is not Google's fault. It would be your and only your complete and grossly negligent disregard of the most trivial best practices in information security.
>
> Do not blame Google; it is not their fault.

Vladimir, I do blame Google to an extent. It appears that many people here believe (and understandably) that Google won't index anything banned in the robots.txt file. This is not the case. They can and DO index anything they believe exists, even if they technically can't spider it. But hey, if the Chrome browser can hit that URL, or someone sent that link via Gmail, or someone sent it via Google Talk or texted it via Google Voice, etc., it must be real, so even without spidering it they know it exists.

Out of all the companies on earth, that one scares me the most. I've been working with search engines since 1994, and Google since 1999. Trust me, this company scares me.
#111 | Nicolai | Newbie | Activity: 39, Merit: 0 | April 02, 2013, 12:42:34 AM

Vladimir: +1.

And while the way Instawallet works is not security-by-design, doing a "site:" search is not a security flaw, as long as Instawallet didn't leak the URLs.

Injust: Just to make sure; you do know that Google didn't "magically" find these URLs, right? And Instawallet didn't leak them. (Also, 2+2 is not equal to 5.) If it wasn't Instawallet and Google can't do magic, who do you think leaked them? :o
#112 | Injust (OP) | Legendary | Activity: 1008, Merit: 1000 | April 02, 2013, 12:51:39 AM

> Vladimir: +1.
>
> And while the way Instawallet works is not security-by-design, doing a "site:" search is not a security flaw, as long as Instawallet didn't leak the URLs.
>
> Injust: Just to make sure; you do know that Google didn't "magically" find these URLs, right? And Instawallet didn't leak them. (Also, 2+2 is not equal to 5.) If it wasn't Instawallet and Google can't do magic, who do you think leaked them? :o

Um... Instawallet essentially leaked them. Not actively, but passively, because they failed to secure the site so that robots couldn't crawl and discover the URLs.
#113 | TiagoTiago | Hero Member | Activity: 616, Merit: 500 | April 02, 2013, 12:56:14 AM

>> Vladimir: +1.
>>
>> And while the way Instawallet works is not security-by-design, doing a "site:" search is not a security flaw, as long as Instawallet didn't leak the URLs.
>>
>> Injust: Just to make sure; you do know that Google didn't "magically" find these URLs, right? And Instawallet didn't leak them. (Also, 2+2 is not equal to 5.) If it wasn't Instawallet and Google can't do magic, who do you think leaked them? :o
>
> Um... Instawallet essentially leaked them. Not actively, but passively, because they failed to secure the site so that robots couldn't crawl and discover the URLs.

It is my understanding the site wasn't crawled; Google simply recorded the URLs people typed/pasted into the URL bar of their browser or into one of their many services and programs.
#114 | herzmeister | Legendary | Activity: 1764, Merit: 1007 | April 02, 2013, 01:08:44 AM

I've always felt this Instawallet model is a bad idea, since the beginning... it just felt much too "instant" for me.
#115 | SgtSpike | Legendary | Activity: 1400, Merit: 1005 | April 02, 2013, 02:16:32 AM

> If you put a password in a URL on your website, it is not Google's fault. It would be your and only your complete and grossly negligent disregard of the most trivial best practices in information security.
>
> Do not blame Google; it is not their fault.

I find it hard to believe that 3000+ instawallets were posted on the web. Maybe a dozen, maybe even 10 dozen, but 3,000?

1) How many people created instawallets?
2) Out of those, how many actually used those instawallets?
3) Out of those, how many still hold balances in instawallets?
4) Out of those, how many decided it was a good idea to post their instawallet URLs on the web somewhere, despite the huge red warning against doing so?

I just don't see 3,000 as coming solely from URLs that people have posted online. As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services. If the URL might exist, Google crawls it to find out.
#116 | TiagoTiago | Hero Member | Activity: 616, Merit: 500 | April 02, 2013, 02:19:30 AM

>> If you put a password in a URL on your website, it is not Google's fault. It would be your and only your complete and grossly negligent disregard of the most trivial best practices in information security.
>>
>> Do not blame Google; it is not their fault.
>
> I find it hard to believe that 3000+ instawallets were posted on the web. Maybe a dozen, maybe even 10 dozen, but 3,000?
>
> 1) How many people created instawallets?
> 2) Out of those, how many actually used those instawallets?
> 3) Out of those, how many still hold balances in instawallets?
> 4) Out of those, how many decided it was a good idea to post their instawallet URLs on the web somewhere, despite the huge red warning against doing so?
>
> I just don't see 3,000 as coming solely from URLs that people have posted online. As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services. If the URL might exist, Google crawls it to find out.

If I'm not mistaken, unless you remember the https part, Chrome will send whatever you put in the URL bar to Google's databases.
#117 | dree12 | Legendary | Activity: 1246, Merit: 1077 | April 02, 2013, 03:05:02 AM

>>> If you put a password in a URL on your website, it is not Google's fault. It would be your and only your complete and grossly negligent disregard of the most trivial best practices in information security.
>>>
>>> Do not blame Google; it is not their fault.
>>
>> I find it hard to believe that 3000+ instawallets were posted on the web. Maybe a dozen, maybe even 10 dozen, but 3,000?
>>
>> 1) How many people created instawallets?
>> 2) Out of those, how many actually used those instawallets?
>> 3) Out of those, how many still hold balances in instawallets?
>> 4) Out of those, how many decided it was a good idea to post their instawallet URLs on the web somewhere, despite the huge red warning against doing so?
>>
>> I just don't see 3,000 as coming solely from URLs that people have posted online. As someone else mentioned, I believe Google also gathers information about websites based on what people access through their browser or other services. If the URL might exist, Google crawls it to find out.
>
> If I'm not mistaken, unless you remember the https part, Chrome will send whatever you put in the URL bar to Google's databases.

Chrome will always send what's in the URL bar to Google, even over HTTPS when even the ISP can't decode the URL. That's why you should never use Chrome. They never actually send any browsing history, but because of the sneaky design merging a "search bar" and a "URL bar", anything that gets put in there is treated as a search and sent to Google.

From Lifehacker:

> If you've enabled Instant in your settings, or from the about:flags section, it's safe to presume that pretty much every character you type into Chrome's address bar is sent, analyzed, and returned to you.
#118 | the founder | Sr. Member | Activity: 448, Merit: 251 | April 02, 2013, 03:13:48 AM

My day job: I'm president of Yooter InterActive.
I've been working with search engines for a long time.

Let me tell you some tidbits of what I have discovered over the years regarding Google.

1 - Their mission is to obtain information, and resell that in the form of advertising. Period.
2 - They used to collect it, back in the very late 1990s and early 2000s, virtually all through spidering.
3 - Then out of nowhere they started spending money on stuff like Gmail, Google Maps, Google Chrome, Android, Google Voice, Google Chat, Google X, Y, Z, etc.
4 - These products exist for the sole purpose of collecting information. The spider collects only a fraction of their info now. Every search you make is recorded; every URL you visit is recorded if you use their product; every time you use Google Maps and your start location is residential, and that happens more than 2 or 3 times, they now know where you live.
5 - You send a link to your friend from Gmail or to a Gmail address, and they now know that link exists; if your friend clicks on that link, now Google knows that URL exists, even if that site is banned in the robots.txt file.

This goes on forever... in one huge massive ungodly database of tens of thousands of machines linked together that makes the complete hashing power of the Bitcoin network look like a peanut.

That's Google...

If they wanted to find the URLs of Instawallet, nothing on earth could stop them. That being stated, the fact that Instawallet didn't ban Google from listing all URLs in Webmaster Tools (instead relying on just a robots.txt file) is their (Instawallet's) fault.

For the record, if 3000 people over the course of 2 years e-mail themselves (not anyone else, but themselves) their Instawallet address for safe keeping at their Gmail account... Google knows and most likely will list the results.

These people most likely leaked the info... TO THEMSELVES!!! Hence the problem!

The more I research, the more I believe that some of these Instawallet URLs (not all, but a big number of them) were due to people mailing themselves their OWN URL using Gmail.

I wish I could get a million people to read this exact post... because I don't think people fully comprehend what they are dealing with when they mention the company Google.
#119 | coinuser4000 | Member | Activity: 128, Merit: 10 | April 02, 2013, 03:20:15 AM

I've been saying this for years: Google is the Devil.

Google wants to know everything about everybody, so they can sell you stuff.
#120 | tvbcof | Legendary | Activity: 4592, Merit: 1276 | April 02, 2013, 03:40:53 AM

> ...
> This goes on forever... in one huge massive ungodly database of tens of thousands of machines linked together that makes the complete hashing power of the Bitcoin network look like a peanut.
> ...

Most Bitcoiners are begging and screaming for Bitcoin to scale to a magnitude where only organizations with a very large network footprint and sophisticated processing clusters will be able to run the system reliably and competitively. Whether they realize that is the likely end result of their cries or not...

The upside is that the business (and other) intelligence value of carrying so much of the capacity of an economic system will likely make it such that transaction fees are unnecessary. Just like a lot of other niceties that just seem to fall into our laps from the sky gods.