Bitcoin Forum
November 11, 2024, 07:11:07 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 [13] 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 »
  Print  
Author Topic: I just got hacked - any help is welcome! (25,000 BTC stolen)  (Read 381804 times)
AntiVigilante
Member
**
Offline Offline

Activity: 98
Merit: 10



View Profile
June 14, 2011, 01:48:55 PM
 #241

PS: To everyone talking about encrypted wallets: It is possible to generate a receiving address on a computer that has NEVER been connected to the internet and never will be.  That address can receive coins (though they will obviously not appear in the GUI on the offline computer).  The computer and its (hopefully backed-up) keys can remain offline forever until it must sign a transaction transferring the coins elsewhere.  You could then transfer the wallet to an internet-connected workstation, send out whatever transactions are necessary, and then send the remaining coins back to a new address you've created on your "offline-forever" machine.  There is absolutely no need for a computer holding a destination address key to be connected to the network ever.

That's a good idea, but it doesn't help security if the network connected machine is compromised. The moment you copy over the wallet to send, it's compromised too. Also, you somehow have to be able to clean install the non-connected machine. If you do this by downloading an OS image, the download machine has to be clean to begin with etc. You can't really guarantee any of that, or expect the average user to do it.

A 'BTC bank' is one obvious solution, the question is whether you want to compromise the distributed idea by centralizing some aspects of it (similar to exchanges). I think the next big hero is whoever comes up with a decentralized version piggybacking off the existing blockchain network. Centralized versions could coexist of course, for if you want something like a 2 factor authentication method. A proper implementation could prevent unauthorized transactions from your wallet, even if your machine is compromised.

Jesus. (going blue in the face)

Just implement Unix file semantics on accounts and addresses: RECEIVE, SEND, OPERATE / VIEW (for accounts)

Proposal: http://forum.bitcoin.org/index.php?topic=11541.msg162881#msg162881
Inception: https://github.com/bitcoin/bitcoin/issues/296
Goal: http://forum.bitcoin.org/index.php?topic=12536.0
Means: Code, donations, and brutal criticism. I've got a thick skin. 1Gc3xCHAzwvTDnyMW3evBBr5qNRDN3DRpq
dserrano5
Legendary
*
Offline Offline

Activity: 1974
Merit: 1029



View Profile
June 14, 2011, 02:02:21 PM
 #242

I have a friend with several thousand in his wallet (mined from earlier in the year) and he just leaves his laptop on without encryption and carries it around with him around town. I could have easily transferred the BTCs to my wallet while he was in the washroom.

Do it.

Then a day or two later, return him the money Wink. He will learn the lesson.
Gareth Nelson
Hero Member
*****
Offline Offline

Activity: 721
Merit: 503


View Profile
June 14, 2011, 02:56:30 PM
 #243

For a bitcoin wallet backup, personally I ain't letting anyone else have physical possession even with incredibly strong crypto

Actually, there are provably secure systems which have nothing to do with encryption, and very little to do with the idea of a OTP.


Do tell!
jackjack
Legendary
*
Offline Offline

Activity: 1176
Merit: 1280


May Bitcoin be touched by his Noodly Appendage


View Profile
June 14, 2011, 03:23:25 PM
 #244

I have a friend with several thousand in his wallet (mined from earlier in the year) and he just leaves his laptop on without encryption and carries it around with him around town. I could have easily transferred the BTCs to my wallet while he was in the washroom.

Do it.

Then a day or two later, return him the money Wink. He will learn the lesson.
I approve this message

Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2
Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
kokojie
Legendary
*
Offline Offline

Activity: 1806
Merit: 1003



View Profile
June 14, 2011, 04:44:17 PM
 #245

I wonder if you had adequate antivirus on your windows machine? It'd be very hard for a trojan to take control of your computer if you had adequate security software, that can detect trojan behavior. Plus Win7 has some default security built in like UAC. I think it'd take a seriously good hacker (like top 0.001% in the world), to hack a windows machine, over the internet, with firewalled router + good security software + UAC turned on.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
Rob P.
Member
**
Offline Offline

Activity: 84
Merit: 10


View Profile WWW
June 14, 2011, 04:48:11 PM
 #246

go to the police! 25k BTC are about $500.000, thats crazy! they can investigate and find out who it was.

Doubtful.  They'll take a report.  The people on these boards are MUCH more likely to be able to assist in a situation like this than the Police.  10 BTC says that when he states that "Bitcoins were stolen" they look at him cross-eyed.

Also, putting your BTC inside of a virtual machine on a Windows computer is no safer than having them on the Windows computer itself.  You can mount the VM drive to Windows, you can screen scrape, keyloggers will still get every key sent to the VM.

--

If you like what I've written here, consider tipping the messenger:
1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG

If you don't like what I've written, send me a Tip and I'll stop talking.
Rob P.
Member
**
Offline Offline

Activity: 84
Merit: 10


View Profile WWW
June 14, 2011, 04:49:59 PM
 #247

I am the flaw with bitcoin, but let's be honest the wallet should be encrypted. The developers should've put a very very high priority on this the moment bitcoin went over $1.

An encrypted wallet wouldn't have helped you.  If you had Malware on the system, especially a keylogger, they'd have your key for the wallet.

--

If you like what I've written here, consider tipping the messenger:
1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG

If you don't like what I've written, send me a Tip and I'll stop talking.
michaelmclees
Hero Member
*****
Offline Offline

Activity: 633
Merit: 500


View Profile
June 14, 2011, 04:51:43 PM
 #248

Offer 5,000BTC to a private investigator to get the info you want.
midnightmagic
Member
**
Offline Offline

Activity: 88
Merit: 37


View Profile
June 14, 2011, 04:53:16 PM
 #249

For a bitcoin wallet backup, personally I ain't letting anyone else have physical possession even with incredibly strong crypto

Actually, there are provably secure systems which have nothing to do with encryption, and very little to do with the idea of a OTP.


Do tell!

I can't, it would give away where my wallet is.. which I guess is kind of stupid, because why did I post to begin with then, right?

Stupid. Sorry.

Also, assuming you did lose your wallet, allinvain, when I read your story it was like a punch in the gut. Some hacker douche is into emo gut-punchery, and I hope you track those coins until the end of time, finally get a name, and then Hulk Smash. Good luck. :-( Come to think of it, though, why don't you call the police and get them involved? Open a case at least. You are paying taxes into their paycheques, and theft of this size is more illegal than smaller amounts.
Bazil
Full Member
***
Offline Offline

Activity: 126
Merit: 100


View Profile
June 14, 2011, 04:56:18 PM
 #250

Hmm, since Lulzsec is claiming he caused the market correction, maybe he stole the bitcoins with a trojan to sell in mtgox for dirt cheap.  Can someone track down if those bitcoins went into mtgox?

17Bo9a6YpXN2SbwY8mXLCD43Wup9ZE4rwm
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
June 14, 2011, 05:32:13 PM
 #251

I am surprised after all this time no one (including me) has suggested he post his debug.log.

That might narrow down how the coins got sent, at least can narrow down as to whether the coins were sent from his own computer (either by "meatspace" as suggested, or a trojan that allowed complete remote control) versus the transaction being initiated from a different machine.

Though I am not certain if debug.log could contain private keys.  I would hope not.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
dserrano5
Legendary
*
Offline Offline

Activity: 1974
Merit: 1029



View Profile
June 14, 2011, 06:43:32 PM
 #252

I think anything requiring "Updates" (Including Windows and certain GNU/Linux distros, most graphical browsers) is inherently insecure.

I ROTFL'd at this.
bitclown
Full Member
***
Offline Offline

Activity: 185
Merit: 100


View Profile
June 14, 2011, 07:00:20 PM
 #253

This is an excellent opportunity for jgarzik to demonstrate how easy it is to track down these "pretty bleepin' dumb kids" who thinks Bitcoin is anonymous... Roll Eyes
allinvain (OP)
Legendary
*
Offline Offline

Activity: 3080
Merit: 1083



View Profile WWW
June 14, 2011, 07:11:40 PM
 #254

I am surprised after all this time no one (including me) has suggested he post his debug.log.

That might narrow down how the coins got sent, at least can narrow down as to whether the coins were sent from his own computer (either by "meatspace" as suggested, or a trojan that allowed complete remote control) versus the transaction being initiated from a different machine.

Though I am not certain if debug.log could contain private keys.  I would hope not.

I can do that. Do you think that would expose anything to the hacker? I'll have to consult first with someone who knows better than me.

phillipsjk
Legendary
*
Offline Offline

Activity: 1008
Merit: 1001

Let the chips fall where they may.


View Profile WWW
June 14, 2011, 07:15:25 PM
Last edit: June 14, 2011, 07:32:52 PM by phillipsjk
 #255

I think anything requiring "Updates" (Including Windows and certain GNU/Linux distros, most graphical browsers) is inherently insecure.

I ROTFL'd at this.

That is because you don't understand how insecure modern computers really are. "Automatic Updates" are the equivalent of a security blanket: they may even protect you from some known attacks (like a blanket can protect you from cold). However, any software shipping with automatic updates enabled is not proven correct. Automatic updates also require you to trust the software provider not to be malicious or make further mistakes.

At the time of this writing, there is no such thing as as a "totally secure" live CD. Until August 14, 2009, I thought you could be safe by using "Read-only" memory to guard against attack. Then I read about an attack against a voting machine using a harvard architecture (Code is in read-only memory). They leveraged a single stack overflow into a full compromise of the machine using return-oriented programming.

It is possible to prove software is correct; it just takes time and expense few are willing to invest yet. For example, the L4 Mirokernel has been machine checked. Long term, software development houses need to start compiling their code on proven correct hardware as well. This will involve using ROM burners programmed using toggle switches and hardwired CRC checkers. The "proven correct" source code would have to be stored on microfiche or something similar.

But sometimes, I think may I have just gotten too paranoid.

Edit: Preview doesn't work for busy threads Tongue

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
AntiVigilante
Member
**
Offline Offline

Activity: 98
Merit: 10



View Profile
June 14, 2011, 07:35:15 PM
 #256

Hmm, since Lulzsec is claiming he caused the market correction, maybe he stole the bitcoins with a trojan to sell in mtgox for dirt cheap.  Can someone track down if those bitcoins went into mtgox?

LulzSec only commented on it.

Proposal: http://forum.bitcoin.org/index.php?topic=11541.msg162881#msg162881
Inception: https://github.com/bitcoin/bitcoin/issues/296
Goal: http://forum.bitcoin.org/index.php?topic=12536.0
Means: Code, donations, and brutal criticism. I've got a thick skin. 1Gc3xCHAzwvTDnyMW3evBBr5qNRDN3DRpq
bitstarter
Sr. Member
****
Offline Offline

Activity: 300
Merit: 250


BitcoinStarter.com Support Account


View Profile WWW
June 14, 2011, 08:31:41 PM
 #257

This story made it on Gawker! http://gawker.com/5811868/a-500000-geek-cyberheist   

 Shocked

Bitcoin Crowd Funding! Bitcoinstarter.com
JusticeForYou
VIP
Sr. Member
*
Offline Offline

Activity: 490
Merit: 271



View Profile
June 14, 2011, 08:32:27 PM
 #258

Let me ask,

  Would you keep $25,000 dollars in your house?

  I am not judging one way or the other, but if 'someone' knows your computer has $25,000 on it, then you need to really protect that computer, not just from the internet and crackers. Don't let your wife/husband/kids near it. Keep it locked up in a safe, sort of speak.

 Curiously, not assuming you had bad passwords for online accounts, but was the one for the logon, 'simple'?

 Did you ever leave the room/home with it on? effectively leaving $25,000 on the desk?

 Might you have had a second computer with BitCoin client to transfer a large sum to as a sort of Savings, and then disconnect it from the internet?

 Of course now I presume, you have already thought of those questions.

If you care to discuss your, well, 'adventure', bring it to #bitcoin-court so others may learn.. and maybe provide advice.

Not that we are perfect, and we all make mistakes, the 'key' is to learn from them....

Best Regards,
The Bear

p.s. Hope your coins find their way home... but i guess they are there already, in the block chain, just have to get them back out.  Grin

.
..1xBit.com   Super Six..
▄█████████████▄
████████████▀▀▀
█████████████▄
█████████▌▀████
██████████  ▀██
██████████▌   ▀
████████████▄▄
███████████████
███████████████
███████████████
███████████████
███████████████
▀██████████████
███████████████
█████████████▀
█████▀▀       
███▀ ▄███     ▄
██▄▄████▌    ▄█
████████       
████████▌     
█████████    ▐█
██████████   ▐█
███████▀▀   ▄██
███▀   ▄▄▄█████
███ ▄██████████
███████████████
███████████████
███████████████
███████████████
███████████████
███████████████
███████████▀▀▀█
██████████     
███████████▄▄▄█
███████████████
███████████████
███████████████
███████████████
███████████████
         ▄█████
        ▄██████
       ▄███████
      ▄████████
     ▄█████████
    ▄███████
   ▄███████████
  ▄████████████
 ▄█████████████
▄██████████████
  ▀▀███████████
      ▀▀███
████
          ▀▀
          ▄▄██▌
      ▄▄███████
     █████████▀

 ▄██▄▄▀▀██▀▀
▄██████     ▄▄▄
███████   ▄█▄ ▄
▀██████   █  ▀█
 ▀▀▀
    ▀▄▄█▀
▄▄█████▄    ▀▀▀
 ▀████████
   ▀█████▀ ████
      ▀▀▀ █████
          █████
       ▄  █▄▄ █ ▄
     ▀▄██▀▀▀▀▀▀▀▀
      ▀ ▄▄█████▄█▄▄
    ▄ ▄███▀    ▀▀ ▀▀▄
  ▄██▄███▄ ▀▀▀▀▄  ▄▄
  ▄████████▄▄▄▄▄█▄▄▄██
 ████████████▀▀    █ ▐█
██████████████▄ ▄▄▀██▄██
 ▐██████████████    ▄███
  ████▀████████████▄███▀
  ▀█▀  ▐█████████████▀
       ▐████████████▀
       ▀█████▀▀▀ █▀
.
Premier League
LaLiga
Serie A
.
Bundesliga
Ligue 1
Primeira Liga
.
..TAKE PART..
Unthinkingbit
Hero Member
*****
Offline Offline

Activity: 935
Merit: 1015



View Profile
June 14, 2011, 08:34:20 PM
 #259

There is something Mtgox could do to help prevent theft in future, and prevent the hacker from profiting from this theft.

In this case, and others where there is suspicious activity, there could be a trial date set on skype.  If the suspicious party does not appear for the trial, then the money in question is donated to charity.  For example the money could be split up and sent to each of the charities on this list:
https://en.bitcoin.it/wiki/Donation-accepting_organizations_and_projects

If the suspicious party does appear for the trial, then if their explanation of the transaction is good, the transaction goes through.  If the explanation is probably unbelievable, then the money in question is donated top charity in proportion to the unbelievability.  The judges for the trial could be drawn at random from developers and/or writers who have a public web site or blog.  If the amount in question is smaller than 1,000 USD, one judge would be sufficient, above that up to 10,000 USD three judges would be asked for, above that five judges would be asked for.

By removing the profit motive from theft, hackers would spend less effort to steal in the first place.  Since any money not sent to the suspicious party would be sent to charity, there would be no profit in false accusations.

TraderTimm
Legendary
*
Offline Offline

Activity: 2408
Merit: 1121



View Profile
June 14, 2011, 08:51:45 PM
 #260

This story made it on Gawker! http://gawker.com/5811868/a-500000-geek-cyberheist   

 Shocked

Adrien Chen is a tool. Every story he's posted about bitcoin is only to cast it in a negative light. His writing style mimics that of a college freshman. You can practically see him giggling as he hammers out his prose.


fortitudinem multis - catenum regit omnia
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 [13] 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!