The topic of this post could also be "How my carelessness cost me 75 BTC".
As some of you will (obviously - i'm expecting it) retort - "carelessness" can also be "foolishness", "stupidity", or some even harsher words.
But the fact is:
You only think you're invulnerable to mistakes until you make one.
I left my firewall vulnerable to the bitcoin daemon RPC with severely unsafe settings, and 75 BTCs vanished.
I will not dwell on a big whining - the simple fact is, mistakes cost me my wallet.
Or, as someone who I shall not quote just told me:
"It is 90% the attacker's fault for not being a nice person. 8% your fault for being careless, and 2% the system's fault for making it easy for you to be careless."
I was even raising my % a bit higher, but like I said, this is a quote.
With that said, regardless of fault %s, i hope this just serves as a big warning - do you know exactly if your settings are as safe as they can/should be? If you didn't say "yes" in less than half a second, then i urge you to revise your settings.
There are no excuses, really. There is a plethora of facts that lead me to this, YES, but that does not serve as justification.
"spill your guts anyway!" i hear in the back.
Ok, then, the loss of 75 BTCs is surely worse than the shame, so if you insist..:
I opened my firewall ports during lunch to show a friend some node.js things I have been working on - a realtime dashboard for P2Pool stats.
This wouldn't be too severe, if my RPCport settings were not too permissive. Which they were since I was abroad last month, and forgot to revert to secure settings.
Working 18 hours a day is not an excuse. Forgetting the RPCport settings is not an excuse. Leaving the firewall open when I got home and only wanted to sleep is also not an excuse.
Just a big sum of recklessness, that had a bitter taste in the end.
The attacker easily accessed my open RPC, brute-forced my user and pass (yes yes, which could also be more complex) and emptied my wallet.
Date: 1/25/12 08:07http://blockexplorer.com/address/18GQdbRCF1f7fjkx3rMdWbuqqR8XFxhQgMhttp://blockexplorer.com/tx/1cbcb30e26a00b81dfd03f3cf4b1d8ded8005a19493050b588d3f752a982b913#i4155767
Debit: -75.00 BTC
Transaction fee: -0.0235 BTC
The only thing i will whine about, is.. "on my birthday? really? that was harsh."
Also, there is a clear need for more security measures in place.
To defend the (dumb/reckless/whatever) miner. Yeah because in the whole BTC universe, even dumb miners... mine.
The whole BTC universe, as a whole, is a sum of its parts. Even the dumb ones.
And today, i was "just another dumb miner". Which was, and still is, a part of the whole.
Maybe bitcoind should log ip addresses.
Maybe the RPC port should have some anti-bruteforcing logic attached to it. A real, effective one, not just telling the attacker the password is short, like it happens now.
Maybe. Just sayin'.
Troll away. But only after you double-checked all your settings.