ALL of my bitcoins stolen (Around 60) . What the F*CK.

[EricJ2190]

I noticed many Namecoin builds had SHA1 sums so I took the SHA1 sum of my ikZZRk.zip (1e24ae15200eba151fae1d8514027666d4a2135d) and found this post. The download link gives me the same file as I already have. The guy who posts it, grue, seems to be an active and trusted member of the community, so I doubt he is behind the hackings, but this is the source of that Namecoin binary.

[1714107691]

1714107691

[1714107691]

1714107691

[1714107691]

1714107691

[jurasofish]

your coins were sent to the same address as this person:
http://forum.bitcoin.org/index.php?topic=22937.0

strange...

[bitcola]

This sucks and is really putting me off investing in bitcoin.

What is the point if some hacker can just come in under my nose and steal everything?

There is no security in bitcoin, it's ridiculous.

There is security in bitcoin, but it has to be YOU! Don't count on security by default...

I've been thinking and I've come to the conclusion that Satoshi and the dev team should have never released a bitcoin client for windows!!!

Then right now we'd all be a bunch of Linux geeks enjoying our geeky little currency and nobody would've had the opportunity to steal from us. Later on maybe once the security of the default client is vastly improved, then and only then release a windows version. Just my 2 cents.

Where is the security? One unencrypted desktop file compromised and, hey presto, your money is gone. This doesn't happen with internet banking.

Even a web client that you install to your own hosting would have been WAY better than a dumb desktop client.

[TraderTimm]

** Lights a votive candle in the "allinvain" church of shitty security precautions - chapel and whineatorium **

"Dear father, forgive me, I have kept my primary balance on my machine with not a thought to security."

"Say ten "allinvain" prayers and donate a satoshi in the name of your sin."

"Yes father, I shall reflect on my failings and pray before the patron saint of 'he-knows-not-what-he-does'."

"Bless you, my child. Sin no more."

[GeniuSxBoY]

Did you say all your coins on mt gox were stolen, too?

[allinvain]

And to those that say 'encrypting the wallet will make no difference' do you really think that the devs are thus adding it to pander to 'noobs', but that is secretly known as a waste of time?

Encrypting the wallet will help, but it doesn't solve the problem. When the BitCoin client is running, it will have decrypted your private keys and they will likely be in the memory of your machine. If you have a virus on your machine, that virus can access memory and get your private keys. Even if the devs of BitCoin work real hard and keep your keys encrypted when in memory, at some point they have be decrypted so they can be used. They may only be in memory or machine registers for a few milliseconds, but if you have a smart enough virus, your keys (and your BTC) will be compromised.

Encryption will help when the Bitcoin client is not running and it will protect you against an attack against your backups or other offline copies of your data.

It is essential for security (and the safekeeping of your BTC) that you keep your machine virus and malware free. If you can get to your money on your machine, so can a virus.

There is lots of good advice out there on how to keep your machine virus free, but the basics are to keep your machine patched, use antivirus, and never, ever, under any circumstances, access the Internet when you are logged in with administrative, root, or any other kind of elevated privileges.

In the Windows world turn on auto updates and let them run every day. Use a current, supported version of windows (that means Windows 7, not XP.) The anti-virus software the Microsoft gives out for free is solid - there is no excuse to not have anti-virus protection. Make sure your login account is not an "administrator". Only log in as an administrator when you want to install software.

In the Linux world, make sure you apply security packages from your distribution frequently. Don't run as root.

I don't post this to taunt or scold the OP, just to provide advice to prevent it happening to others.

Hmm, so basically when bitcoin goes big mainstream most of the users won't be using btc clients but rather be dealing with "bitcoin banks" of some sorts? I mean it looks to me that this is the only way to ensure 100% safety of your funds..well not really 100% because now you have to trust a third party.

This is becoming more and more evident because the moment even 1 BTC gets stolen from grandma, you can be your BTC she'll never use them again.

[allinvain]

Is crossposting bad?

http://forum.bitcoin.org/index.php?topic=23085.0

I might look at making a bounty if I can afford one, others could think about adding a bounty too, esp if youve been a victim (I havent, but I want to see bitcoin succeed)

Hmm, even a warning saying "hey dummy, in case you haven't read the bitcoin.org page/faq your wallet.dat file where the private keys which control your bitcoin balance are stored is unencrypted and unprotected. We recommend that you do not store large sums of bitcoins in the windows client. Please visit so and so website for a how-to on securing your wallet" would suffice.

[allinvain]

how about we add a few bits and let people do wallet locks?  i think most of us at this time are hoarders who know bitcoisn will be worth 100,000$ per bitcoin one day

a wallet lock is something that only honest users would be interested in imho.. u can use a password to lock/unlock but not to send coins

the fact is.. yeah windows has exploits that pretty much allow hackers at anytime to own your system, they are in the wild before they're even patched and no windows  box is ever totally secure at any given time.. a 0-day hacker can always rape yer bitcoinZ

But then the virus would have to just wait longer until you type your password. I favor a "secure keypad" that you input your password via mouse clicks. Next question is how to trick viruses that may take screenshots?

[qualia8]

Grandma will use mybitcoin.com and never touch a wallet.dat.  The client will never be friendly and secure enough for ordinary folk.  It's not play money for them and they don't want to have to match wits with the best hackers from China, the former Soviet bloc, and Silicon Valley just to buy a goddamn pair of socks.

[MeSarah]

I was thinking about trying namcecoin. Although I dont find it very interesting compaired to btc. Namecoin is now of my radar completely. Maybe someone could setup a honey pot to try and verify the namecoin cleint or the download mentioned in this tread. Interesting times.

[allinvain]

This sucks and is really putting me off investing in bitcoin.

What is the point if some hacker can just come in under my nose and steal everything?

There is no security in bitcoin, it's ridiculous.

There is security in bitcoin, but it has to be YOU! Don't count on security by default...

I've been thinking and I've come to the conclusion that Satoshi and the dev team should have never released a bitcoin client for windows!!!

Then right now we'd all be a bunch of Linux geeks enjoying our geeky little currency and nobody would've had the opportunity to steal from us. Later on maybe once the security of the default client is vastly improved, then and only then release a windows version. Just my 2 cents.

Where is the security? One unencrypted desktop file compromised and, hey presto, your money is gone. This doesn't happen with internet banking.

Even a web client that you install to your own hosting would have been WAY better than a dumb desktop client.

Don't get me wrong here, I was not saying that there is security in the default bitcoin client. Read my statement a bit more carefully to gain the full meaning of what I was trying to say - albeit in a sarcastic tone.

Internet banking is different and we can't fairly compare btc to that. With BTC YOU are your own bank.

[allinvain]

I was thinking about trying namcecoin. Although I dont find it very interesting compaired to btc. Namecoin is now of my radar completely. Maybe someone could setup a honey pot to try and verify the namecoin cleint or the download mentioned in this tread. Interesting times.

I have some doubts that the namecoin client is at fault here.

In my case I was using namecoin_win32.zip but was the official namecoin client from the namecoin website. Heaven forbid that actually containing an exploit. That would be quite shitty.

[mouse]

But then the virus would have to just wait longer until you type your password. I favor a "secure keypad" that you input your password via mouse clicks. Next question is how to trick viruses that may take screenshots?

Make the layout of the keyboard different each time, so if the SS it, they cant auto click it in again based on its presumed location.

Grandma will use mybitcoin.com and never touch a wallet.dat.  The client will never be friendly and secure enough for ordinary folk.  It's not play money for them and they don't want to have to match wits with the best hackers from China, the former Soviet bloc, and Silicon Valley just to buy a goddamn pair of socks.

Exactly, why does gramdma even need to know she has a wallet.dat? "Well DUH grandma, you should have known by reading the dev forums that if you dont compile your client with the -abc stwitch enabled for 64bit hardware that it broadcasts your private encryption keys to the network. Geez, what a fucking tard"  

[allinvain]

** Lights a votive candle in the "allinvain" church of shitty security precautions - chapel and whineatorium **

"Dear father, forgive me, I have kept my primary balance on my machine with not a thought to security."

"Say ten "allinvain" prayers and donate a satoshi in the name of your sin."

"Yes father, I shall reflect on my failings and pray before the patron saint of 'he-knows-not-what-he-does'."

"Bless you, my child. Sin no more."

[aeroSpike]

Encryption cannot protect wallets in use, because your legitimate client has to decrypt it anyway. Encryption is good for backups only.

Yep you're right. Even if the client encrypted the wallet when not in use it eventually has to decrypt it when you want to spend from it. AT that moment it is vulnerable to key logger attack and to any nasty viruses that could are residing in memory (waiting for the opportunity to strike). Someone on a different thread (forget which one) suggested that the client implement a unix style permissions system. Maybe also running the client in it's own chroot (something equivalent in windows) would be a good idea. But in the end it's still quite hard to avoid all avenues of attack. My point is that still the more security measures you can implement the lower the odds that some unclever hacker is easily able to steal your coins.

While it is true that at some point the data in the wallet needs to be decrypted in memory the level of security are orders of magnitude higher.
To start with it is much easier to copy a file with a known name and location from your file system than decrypting it, *only in the instant that it is needed which is only while signing a transaction" in an unknown memory location.
Then you have segmented memory protection which keeps memory segments isolated to the process that owns it.

Any existing Trojan or virus can easily be upgraded to copy the wallet.dat file from a know location and transfer it elsewhere, but copying decrypted keys from a memory location within thew time frame they exist is a none trivial task.

Wallet Encryption will add much more security if it is done right.

[bitcoinBull]

your coins were sent to the same address as this person:
http://forum.bitcoin.org/index.php?topic=22937.0

strange...

The thief should be smarter than that.  Or he wants everyone to know just how many he stole.

Another thing to consider is that the windows 7 iso torrent you downloaded years ago was pre-infected with a trojan.  Later, the author repurposes it remotely to scan for bitcoin wallets.  When the new client is released that supports wallet encryption, the trojan author will update it to keylog the encryption password for your wallet.  That's why an encrypted wallet really won't help much.

If the windows iso wasn't pre-infected with a trojan, you could have been infected in any number of ways (binary downloads, pdf, java or browser (IE) exploits, remote exploits).  And again, old and dormant trojans can be updated later by its controller to nab bitcoin wallets.

Anti-virus programs won't help much either.  Anti-virus programs will only detect known viruses/trojans, not new ones and new variants.  The trojan authors were already winning the arms race.  I warned back in May that it would only get worse when the Zeus trojan source code was leaked.  AV companies simply won't be able to keep up.

Using an OS besides windows can help but is far from a guarantee.  The only guarantee is a properly prepared offline wallet.  Create a new wallet and address on an offline and clean computer.  You don't need to be connected to the bitcoin network or even online to generate a wallet and an address.  Save your new address to a text file on a USB.  Back up the wallet file to a different USB.  You can safely back up the new "offline" wallet online too, if its encrypted and the encryption password is safe and secure somewhere else.  That way if you lose the USB or the house burns down there's a second backup copy in the cloud.

Now you have your offline wallet backed up and you have the offline wallet address in a text file.  Send your bitcoins to the offline address.  Send them from your current wallet or withdraw them from the exchange.  Check the address in block explorer to verify the bitcoins are there.  Now that bitcoin is safe in your offline wallet.

edit:  Don't forget to reformat the clean, offline computer.  You don't want forgotten extra copies of your offline wallet sitting around.

[allinvain]

But then the virus would have to just wait longer until you type your password. I favor a "secure keypad" that you input your password via mouse clicks. Next question is how to trick viruses that may take screenshots?

Make the layout of the keyboard different each time, so if the SS it, they cant auto click it in again based on its presumed location.

Hmm, what if the layout changed every 5 seconds or some predetermined time. It would make it a pain in the ass to input your password but hey it's worth it.

[bitcoinBull]

But then the virus would have to just wait longer until you type your password. I favor a "secure keypad" that you input your password via mouse clicks. Next question is how to trick viruses that may take screenshots?

Make the layout of the keyboard different each time, so if the SS it, they cant auto click it in again based on its presumed location.

Hmm, what if the layout changed every 5 seconds or some predetermined time. It would make it a pain in the ass to input your password but hey it's worth it.

None of this can help.  Trojans can take screenshots at every mouse click so it knows what the password is because it knows where you clicked.  This is already a standard feature in bank theft trojans.

[Grinder]

http://k.min.us/ikZZRk.zip (Namecoin binary build) <-- this is the only thing not open source/from trused place. But its namecoin and the link is in this forum.

It may only be because it's a really early build, but this archive does not contain the same files as the archive on dot-bit.org.

[allinvain]

Encryption cannot protect wallets in use, because your legitimate client has to decrypt it anyway. Encryption is good for backups only.

Yep you're right. Even if the client encrypted the wallet when not in use it eventually has to decrypt it when you want to spend from it. AT that moment it is vulnerable to key logger attack and to any nasty viruses that could are residing in memory (waiting for the opportunity to strike). Someone on a different thread (forget which one) suggested that the client implement a unix style permissions system. Maybe also running the client in it's own chroot (something equivalent in windows) would be a good idea. But in the end it's still quite hard to avoid all avenues of attack. My point is that still the more security measures you can implement the lower the odds that some unclever hacker is easily able to steal your coins.

While it is true that at some point the data in the wallet needs to be decrypted in memory the level of security are orders of magnitude higher.
To start with it is much easier to copy a file with a known name and location from your file system than decrypting it, *only in the instant that it is needed which is only while signing a transaction" in an unknown memory location.
Then you have segmented memory protection which keeps memory segments isolated to the process that owns it.

Any existing Trojan or virus can easily be upgraded to copy the wallet.dat file from a know location and transfer it elsewhere, but copying decrypted keys from a memory location within thew time frame they exist is a none trivial task.

Wallet Encryption will add much more security if it is done right.

Yes, well said. These wallet thefts are plain trivial to code for a hacker so that's why they are happening.