Here we go again: BTCServ hacked, BTC gone

[zefir]

From http://btcserv.net/:

Dear BTCServ users,

we are afraid to tell you that some hacker gained access to our server and was able to empty out the wallet containing all our Bitcoins.

Please understand that this website will not be available for an indefinite period.

We are deeply sorry for that incident. :[


Still available in #btcserv irc.freenode.net and in the forums.

Transaction: http://blockchain.info/tx/e266dd4a5aba8c848c2d66016c3716f2e08e8939e605edc4c80cf7643e95c3d3

Another week's mining reward gone 

I followed the recent discussion on why mining at the major pools is bad and clearly agree on the ideological issues. But as a miner, one kind of is constrained to, as they seem to be more secure. No idea how vulnerable P2Pool is, but for sure people will try as soon as it grows and becomes a valuable prey. Sad.

[1714810719]

1714810719

[hazek]

Dear BTCServ users,

we are afraid to tell you that some hacker gained access to our server and was able to empty out the wallet containing all our Bitcoins.

Please understand that this website will not be available for an indefinite period.

We are deeply sorry for that incident. :[


Still available in #btcserv irc.freenode.net and in the forums.

Transaction: http://blockchain.info/tx/e266dd4a5aba8c848c2d66016c3716f2e08e8939e605edc4c80cf7643e95c3d3

Hmmm maybe I should start a pool and then after a while of mining pretend my pool got jacked by a hacker 

[vuce]

Dear BTCServ users,

we are afraid to tell you that some hacker gained access to our server and was able to empty out the wallet containing all our Bitcoins.

Please understand that this website will not be available for an indefinite period.

We are deeply sorry for that incident. :[


Still available in #btcserv irc.freenode.net and in the forums.

Transaction: http://blockchain.info/tx/e266dd4a5aba8c848c2d66016c3716f2e08e8939e605edc4c80cf7643e95c3d3

Hmmm maybe I should start a pool and then after a while of mining pretend my pool got jacked by a hacker  

this. This all just sounds so far fetched...

[Phinnaeus Gage]

Please understand that this website will not be available for an indefinite period.

My guess is that this will no longer be available after June.

Domain: btcserv.net

Creation Date: 20-JUN-2011
Updated Date: 20-JUN-2011
Expiration Date: 20-JUN-2012

[Gabi]

Another scam 

[Nicolai Larsen]

Sorry to hear :/

[Gabi]

How many btc did he steal?

[muyuu]

How many btc did he steal?

http://blockchain.info/tx/e266dd4a5aba8c848c2d66016c3716f2e08e8939e605edc4c80cf7643e95c3d3

419BTC

Received Time   2012-02-02 20:49:54 (GMT I assume)

So valuation around US$ 6.1 * 419 =~ US$ 2,556 at the moment. But the coins remain there so far.

[zefir]

Another week's mining reward gone 

I followed the recent discussion on why mining at the major pools is bad and clearly agree on the ideological issues. But as a miner, one kind of is constrained to, as they seem to be more secure. No idea how vulnerable P2Pool is, but for sure people will try as soon as it grows and becomes a valuable prey. Sad.

P2Pool is as vulnerable as your computer is. There is no central point of failure. It's a peer to peer pool.

Ummm, a p2p-overlay network over another p2p-overlay network - sounds easy.

I understand that p2p has no single point of failure and is therefore DoS resistant, but is the P2Pool protocol itself secure? Realistically speaking, we all hope that the Bitcoin protocol is simple enough to be invulnerable - but we do not know for sure (and never will). And now after one just starts to scratch the surface on how the blockchain works, he must start learning about 'sharechain' to just mine...

I like the idea of P2Pool and therefore tried to get some insight on how it works, but to have a clear idea on how reliable it might be, one needs to read the code. Sadly, I'm otherwise busy this weekend, but alone from reading the official P2Pool thread it appears that it is far from being stable (split chains, etc.).

That said, I'll for sure switch to P2Pool as soon as I have a better understanding.

[QuantumFoam]

At this point I'd be surprised if the miners get their earnings back. This is why I always withdraw from manual payout pools on a regular basis, though lately this pool was a backup one for me, so I wasn't checking it as often, and lost about half a BTC (which still isn't too bad).

[Gabi]

Oh i missed the question about security of p2pool

Excuse me but where is the problem about p2pool is? Everytime a block is found, you receive the payment on your address, everything is p2p and it's opensource...

[zefir]

How secure does the pool have to be? You are paid out as generation when a block is found by the pool, so as long as your bitcoin address is secure, you won't be in a situation where your coins can be stolen. The address doesn't even need to be in the wallet of the bitcoin client that is running on your computer to mine with P2Pool. It can be an address in an offline wallet! You can check the balance via block explorer.

I'm no coder, so I have to trust coders, but reading the old P2Pool thread shows the software has been audited by several people who I consider trustworthy (it's been around for a while now). I don't need to know how it works just to mine, although I do have a general idea. Besides, you were content to mine with a traditional pool where you have to trust the operator. Did you read the code for poolserverj (or whatever the pool was using)? How do you know the operator didn't modify it in some way? Wouldn't it be better to need to place less trust in others?

Valid points, indeed. I always mine PPS to have some means to check the shares submitted against  accepted ones. But honestly, after switching to a pool I usually checked for only the first days to get some confidence. I am credulous (spell: naive) enough to trust the operators for one reason: with the fees they are making, in the long run it does not pay off to cheat, since credibility is their most important stake (and reliability of course).

After reading a little bit more about P2Pool, I understand that the maximum loss one can take are rewards mined since the last found block (which as of today is at ~26h). That is far less risky then what I lost to BTCServ.

Yes, it's still being improved, and there was a share chain split. It was patched and fixed. I've been mining for close to a year now, and since switching to P2Pool I am very happy with the stability. The only time I've needed to stop mining was to restart the software to update to the newest version. About one minute downtime total in the past month. That's stable enough for me considering the other advantages of P2Pool.

I'm interested and confident enough in the idea to jump in. I'll soon put some GH into P2Pool, as soon as my BitForces arrive (no kidding).

[wtfman]

whoever says this was a scam should think about if he maybe have the least reason to do this. it's easy to blame the pool operators, but those who made such comments probably have never had to do with us, so just shut the fuck up.

i understand doubts but amateur sherlocks that make that stretch from an expiring domain name in 6 months to a scam just make me wanna puke.

[adamstgBit]

How many btc did he steal?

http://blockchain.info/tx/e266dd4a5aba8c848c2d66016c3716f2e08e8939e605edc4c80cf7643e95c3d3

419BTC

Received Time   2012-02-02 20:49:54 (GMT I assume)

So valuation around US$ 6.1 * 419 =~ US$ 2,556 at the moment. But the coins remain there so far.

cant we just sit wait for the coins to move and follow them everywhere they go?

if the go and pay for goods ... ask the merchant where he shipped to.

compile some evidence, and then egg his house.. or something

[Littleshop]

How many btc did he steal?

http://blockchain.info/tx/e266dd4a5aba8c848c2d66016c3716f2e08e8939e605edc4c80cf7643e95c3d3

419BTC

Received Time   2012-02-02 20:49:54 (GMT I assume)

So valuation around US$ 6.1 * 419 =~ US$ 2,556 at the moment. But the coins remain there so far.

cant we just sit wait for the coins to move and follow them everywhere they go?

if the go and pay for goods ... ask the merchant where he shipped to.

compile some evidence, and then egg his house.. or something

How would you know an address was a merchants if they used unique addresses?

If you knew that it was a specific merchant, how would you know the ship to was not a diversion like a public member of the community?

[zefir]

whoever says this was a scam should think about if he maybe have the least reason to do this. it's easy to blame the pool operators, but those who made such comments probably have never had to do with us, so just shut the fuck up.

i understand doubts but amateur sherlocks that make that stretch from an expiring domain name in 6 months to a scam just make me wanna puke.

wtfman, I'm sorry if I sounded like accusing you being a scammer. Pretty sure you are not, since loosing credibility for less than 2.5k$ is a bad deal. But no matter what, miners lost their BTC, and this adds up to the line of bad things that periodically happen to Bitcoin. Just because some idiots don't see that (in the long run) they can make more money using it for what it was designated instead of misusing it.

That said, I assume operating a pool needs a very long time horizon to get profitable. Even operating deepbit hardly can make [Tycho]'s a living, if my math is not fully wrong: currently it generates 100 BTC per hour; with ~3% fees thats less than 13k$ per month. Minus operational expenses, still a good salary - but for the price of carrying responsibility for a third of miners worldwide? No, thanks.

I'm not expecting you will get the lost BTC back or reimburse them from your pocket. I'll take it and wish the best if you decide to try again.

[zefir]

cant we just sit wait for the coins to move and follow them everywhere they go?

if the go and pay for goods ... ask the merchant where he shipped to.

compile some evidence, and then egg his house.. or something

How would you know an address was a merchants if they used unique addresses?

If you knew that it was a specific merchant, how would you know the ship to was not a diversion like a public member of the community?

Verification must be done at receive time. Ideally there should be a public black-list of addresses to be checked against before a transaction is confirmed.

I remember such ideas popped up when allinvain got his 25k BTCs stolen, but didn't follow.

[BitcoinBug]

Verification must be done at receive time. Ideally there should be a public black-list of addresses to be checked against before a transaction is confirmed.

I remember such ideas popped up when allinvain got his 25k BTCs stolen, but didn't follow.

I believe MtGox already does that. MtGox followed the stolen funds and locked an account (about a month ago), when it looked like bitcoins came from allinvain's stolen bitcoins. But it was a false alarm, account holder proved he got the money from Tradehill.

[muyuu]

Verification must be done at receive time. Ideally there should be a public black-list of addresses to be checked against before a transaction is confirmed.

I remember such ideas popped up when allinvain got his 25k BTCs stolen, but didn't follow.

I believe MtGox already does that. MtGox followed the stolen funds and locked an account (about a month ago), when it looked like bitcoins came from allinvain's stolen bitcoins. But it was a false alarm, account holder proved he got the money from Tradehill.

This is really interesting. Where can I read more about this?

Another interesting front is law enforcement. Bitcoins are not legal tender, here in the UK I sincerely doubt it would even be a prosecutable crime to transfer to yourself somebody else's bitcoins, even ownership would be challengeable as in virtual game's pretend money, anyone who has the key can claim legitimate ownership.

In short, f*cking protect your private keys, lads! there is no other real protection for bitcoins at the moment. Less so internationally.

[BitcoinBug]

Can't find it
It was an irc conversation with MagicalTux pasted here on forums, if anyone recalls it, please confirm.