Bitcoin is a magnet for hackers and crooks

[organofcorti]

I actually think it's a good thing.

What doesn't kill you makes you stronger.

You mean like cancer? Or schizophrenia? In all the time I heard Nietzsche's phrase "That which does not kill us makes us stronger" parroted about, I've yet to hear of one convincing example. In this case, no, getting hacked will not make RSantana's business any stronger. And for any new merchant who doesn't have RSantana's server skills, getting hacked might put them off altogether.

I know you mean well znort987, but remember we're trying to encourage bitcoin access to the wider community. This means helping them be safe, not waiting until they get wiped out - or even nearly wiped out.

[1715258677]

1715258677

[1715258677]

1715258677

[1715258677]

1715258677

[1715258677]

1715258677

[Kluge]

I know various forms of this topic and have been discussed at length, but I thought it would be beneficial to hear another first hand account. After looking through 256 recent SQL injection attempts at my site I thought I'd share my experience thus far as a new bitcoin etailer.

I've been running various online retail websites for over 10 years. As many of you know, I recently started CoinedBits.com. I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Thanks for listening.

I actually think it's a good thing.

What doesn't kill you makes you stronger.

I'm thinking along these lines, too, and wondering if there aren't a good few white-hats doing these attacks. Funny OP mentioned the crackers never looked for the wallet.dat file. I had VNC servers compromised a few months ago, not too long after the MtGox attack. What did the invader do? Was very obvious and tried infecting one computer (which did not run the Bitcoin daemon) with adware. - And I was very confused by this at first, but I'm since started thinking they were doing a service of pointing out a very obvious security flaw in my setup which I quickly corrected. I immediately disconnected my router, but I regret not trying to communicate with him.

After the Gox attack, security improved (both in Gox and the affected users) and we're better for it. After Bitscalper's security flaw was noted, security improved and... well.... security improved. All of these attacks are bad short-term, but long-term, they make us more alert and wiser, and may be necessary for Bitcoin to continue being used 10 years from now.

[btc_artist]

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

Increasing barrier and risk? If you site is secured, you have no risk. If you site is not secure, YOU are causing the risk, no people probing your servers.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.

[foggyb]

I actually think it's a good thing.

What doesn't kill you makes you stronger.

You mean like cancer? Or schizophrenia?

Those diseases kill and maim. Web servers are immune to diseases, last time i checked.

[RSantana]

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

Increasing barrier and risk? If you site is secured, you have no risk. If you site is not secure, YOU are causing the risk, no people probing your servers.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.

There is no such thing as a secure server.
Trust, is Bitcoin's #1 problem.

[caveden]

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

Increasing barrier and risk? If you site is secured, you have no risk. If you site is not secure, YOU are causing the risk, no people probing your servers.

Wait, it's the victims fault if s/he is attacked?

OP is right, this does create a higher barrier for establishing a bitcoin business. It's like establishing a brick and mortar business in a violent neighborhood: you'll have to invest more in security, and even that might not be enough. Such costs and risks might be prohibitive to some. Even if they're not prohibitive, they'll have to be accounted for in the price of whatever product or service they sell.

Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.

[Timo Y]

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.

Don't know what you mean by "fully secure". There is no such thing as perfect security.

Anyhow, it does have something to do with Bitcoin because, if you store wallets on servers, the level of security required is so much higher than for a site like Wikipedia, where any damage caused by hackers can easily be reversed.  

Security is fiendishly hard to get right even for experienced web developers.   Hiring a team of 10 security experts should NOT be a requirement for every startup in the Bitcoin economy, otherwise there will be very few startups and this economy will never bootstrap.  

This barrier to entry is a problem at the moment. Multisig alone doesn't solve the problem for any system that is automated. What we need is something like LinuxCoin for web developers - a separate preconfigured server just for handling wallets. This server could then be thoroughly tested by the community, just like the Satoshi client, and individual web developers wouldn't need to reinvent the wheel.  

[Phinnaeus Gage]

This barrier to entry is a problem at the moment. Multisig alone doesn't solve the problem for any system that is automated. What we need is something like LinuxCoin for web developers - a separate preconfigured server just for handling wallets. This server could then be thoroughly tested by the community, just like the Satoshi client, and individual web developers wouldn't need to reinvent the wheel.

Let's see if I don't know what I'm talking about--again.

I think we need not one LinuxCoin, but seven--one for each 10 fold increase of Bitcoin, all the way to what is currently know as a satoshi. And don't start developing the next level until it looks like it's going to be needed soon, therefore all the latest security features and fixes can be in place, eliminating as many future patches as possible.

It can be called LinuxCoin, or any other name, but Bitcoin would remain its brand status, to satisfy the purist and not confuse the ongoing adapters.

Work should start on the next level now. Once in place, and Bitcoin reaches a certain level, say trading at $100 USD (but doesn't have to be exact), then the new client would be LC1, therefore whoever had 10 bitcoins prior to the move, now has 100 coins, valued at the same price. But now it resides on the new secure cliet without all the previous mundane luggage which, by the way, is still made available somewhere, somehow, for obvious reasons.

It's days like this that I wish I was a programmer. You guys are truly smart lads and lassies. But, then again, if I were a programmer, perhaps Atlas would then be the DaBitcoinGuy.

~Bruno~

[Coinbuck @ BTCLot]

For anyone who cares or is keeping track. Yesterday I got another 2000 hack attempts. It was mostly injecting harmful scripts into my forms, and random endpoint guessing looking for login pages.

These attempts all came from the Netherlands.

In here they come from Russia. It's really annoying.

[k9quaint]

There is no such thing as a secure server.

Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.

[RSantana]

There is no such thing as a secure server.

Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.

So who do you think is worthy to stay in the Internet business?

[ZodiacDragon84]

OP, I'm glad you brought this to our attention.
Means we can get free or cheap penetration testing.


just post your URL in the forum or your sig,
and state there is a wallet with 0.1BTC in it, if you can get it, it's yours!
I wouldn't lie about it though, they will be sneaky bastards.

could even set up a site directory with bounties in BTC.

It's like an anti-sec dream, super cheap pen testing, thwarting the expensive job seeking vanity driven  hats.

creation and destruction.

May as well make the destroyers skwirm. xD

Basically, set up honey pots, and see how many bees you can collect?

[k9quaint]

There is no such thing as a secure server.

Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.

So who do you think is worthy to stay in the Internet business?

People who can.

[Jan]

If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.

Thats why we have Bit-Pay.

[Liberate]

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

If you can't secure your sites then you should not be handling other peoples money/bitcoins.

[payb.tc]

There is no such thing as a secure server.

Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.

So who do you think is worthy to stay in the Internet business?

People who can.

sony?

[Jon]

I would be more concerned if Bitcoin only attracted law-abiding citizens and government officials.

[NASDAQEnema]

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

Increasing barrier and risk? If you site is secured, you have no risk. If you site is not secure, YOU are causing the risk, no people probing your servers.

Wait, it's the victims fault if s/he is attacked?

A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

OP is right, this does create a higher barrier for establishing a bitcoin business. It's like establishing a brick and mortar business in a violent neighborhood: you'll have to invest more in security, and even that might not be enough. Such costs and risks might be prohibitive to some. Even if they're not prohibitive, they'll have to be accounted for in the price of whatever product or service they sell.

The prize in bitcoin land is BTC. The prize in fiat land is Credit Card numbers. Both can be sold for fiat. The barrier to entry is exaggerated.
It's just easier at the moment for large sums of BTC to trade into fiat. There's no secret trading platform where you can invest in credit card haxor teams. Not yet.

Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.

Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.

[ZodiacDragon84]

Trust, is Bitcoin's #1 problem.

Time to downgrade back to the good ol' credit cards, checks, and cash; systems where we don't need to trust anyone at all! 

riiiiiiight.

[caveden]

A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Wait...
So, according to you, being the victim of a crime depends on whether you were engaging in business? If my personal car gets stolen, I'm a victim, but if it's my function car while I'm working, I'm responsible for being robbed? If a woman is raped, she's a victim, unless it was a prostitute during her business, then she's responsible for being raped?

Please. Of course people would better be prudent and protect themselves from criminals, but your notion of ethics is completely twisted if you really believe "business are not victims". Being the victim or the responsible of a crime has absolutely nothing to do with whether you were engaging in business, pleasure or whatever.

Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.

Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.

It's not "my website". But it is a good example. Why should they even care about spending money on a high schooler to have a decent site? All they want is to deliver sandwiches and meals. The only reason they've probably done a site at all was because they work in a "geek area", and have many clients that prefer ordering by clicking instead of using the phone.
They don't really care about having a good, secure site, and it's fine enough for them, as long as they keep delivering good meals at an affordable price.
But that's only because they don't accept bitcoin (or any other digital means of payment, for that matter). If they ever consider the possibility, their site will be completely rapped by the crooks OP talks about. So, summarizing, OP has a point. The high level of "cyberviolence" we are submitted to (and also the fact we can't even try to punish these hackers as we may do with meatspace criminals) makes life harder for honest people, unfortunately.

But maybe a better comparison would be to compare the level of security needed to safely maintain a bitcoin wallet in a site, and the level of security needed to safely store credit card numbers. I have no idea which kind of site is more attacked.