Bitcoin Forum
December 11, 2016, 10:13:49 AM *
Author Topic: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYM...  (Read 57599 times)
disclaimer201
March 05, 2012, 06:40:58 AM
 #261

After reading Mt. Gox terms of service over and over again, it is probably easier to just describe it like this:

"We do as we please with your account, but if you play nice we might send your held currencies to a bank account upon termination. We also reserve the right to change our mind at any time."
That's pretty typical of terms of service. That's why it's very important to distinguish what the terms of service say and what a company actually does. Mt. Gox's terms of service claim to allow them to steal someone's Bitcoins, but they certainly don't have a policy of doing that. (Nor could they actually get away with it if they tried.)

Quoting their ToS in response to a question of whether Mt. Gox actually has a policy of rejecting "tainted" Bitcoins is spectacularly unhelpful. The question is -- what would Mt. Gox actually do if someone deposited Bitcoins traceable to the Linode theft into their account. And my hope would be that they might notify authorities or notify the depositor, but they most certainly would process that deposit normally, absent some evidence the depositor was involved in the theft somehow.

Almost anything else destroys the usability of Bitcoins. If I have to worry that my Bitcoins might become unspendable in the future, how can I accept them as payment?

+1

disclaimer201
March 05, 2012, 07:45:50 AM
 #262

After reading Mt. Gox terms of service over and over again, it is probably easier to just describe it like this:

"We do as we please with your account, but if you play nice we might send your held currencies to a bank account upon termination. We also reserve the right to change our mind at any time."
That's pretty typical of terms of service. That's why it's very important to distinguish what the terms of service say and what a company actually does. Mt. Gox's terms of service claim to allow them to steal someone's Bitcoins, but they certainly don't have a policy of doing that. (Nor could they actually get away with it if they tried.)

Quoting their ToS in response to a question of whether Mt. Gox actually has a policy of rejecting "tainted" Bitcoins is spectacularly unhelpful. The question is -- what would Mt. Gox actually do if someone deposited Bitcoins traceable to the Linode theft into their account. And my hope would be that they might notify authorities or notify the depositor, but they most certainly would process that deposit normally, absent some evidence the depositor was involved in the theft somehow.

Almost anything else destroys the usability of Bitcoins. If I have to worry that my Bitcoins might become unspendable in the future, how can I accept them as payment?

This is pretty clear, but you're stopping halfway through your reasoning: it's not like you have a choice in the matter.

Given the existing information out there (the universal ledger, aka the block chain), and given a public list of fraudulent transactions, the "cleanliness" of a batch of coins can be computed fairly simply unless it's been laundered extensively.

As to a public registry of fraudulent TX, it's only a matter of time, and I suspect the claims made there will be reputation weighted.

A bitcoin business, such as an exchange can decide to accept your coins or not based on how "clean" they are. Whether you like it or not, whether this destroys bitcoin fungibility are both completely irrelevant: you can't prevent it from happening.

The only way would be if cheap, large scale laundering operations start to crop up. And even those aren't easy.


Okay, if this shall be inevitably the case I will leave the bitcoin project sooner or later. I'm guessing sooner. Eventually, with all that risk and technical verification that will need to be involved by everyone, it means there will be no future for BTC and I won't continue to invest in something that has no future.

JoelKatz
March 05, 2012, 08:28:13 AM
 #263

A bitcoin business, such as an exchange can decide to accept your coins or not based on how "clean" they are. Whether you like it or not, whether this destroys bitcoin fungibility are both completely irrelevant: you can't prevent it from happening.
I think there's a lot I, and others, can do to prevent it from happening. The first thing is to make stakeholders understand that this is a huge threat. The second thing is to come up with better responses that don't involve tainting coins. (Which, from the evidence I've seen so far, seems to be what Mt. Gox is doing. So kudos to Gox.)

I am an employee of Ripple.
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
wareen
March 05, 2012, 08:31:02 AM
 #264

Whether you like it or not, whether this destroys bitcoin fungibility are both completely irrelevant: you can't prevent it from happening.
Okay, if this shall be inevitably the case I will leave the bitcoin project sooner or later.

Just because you can't prevent something from happening doesn't mean it is inevitable!

Sure, if Bitcoin businesses and individuals started to check for the reputation of coins they receive then there's little you can do about it but I highly doubt this will happen. It is simply too much of a hassle to do this in a sensible way. Amongst other things, you'd have to establish a reputation infrastructure, a dispute resolution process and of course you have to get it supported by the standard client. Also, what if the coin reputation service goes down or is DDoSed? Do you suspend the Bitcoin network?

I honestly don't see that happening - especially with Bitcoin often being used in an automated fashion this becomes much too much of a hassle. Also I really hope that with multisig / two-factor authentication becoming established, we won't see many large thefts in Bitcoinland anymore.
disclaimer201
March 05, 2012, 08:39:23 AM
 #265

Whether you like it or not, whether this destroys bitcoin fungibility are both completely irrelevant: you can't prevent it from happening.
Okay, if this shall be inevitably the case I will leave the bitcoin project sooner or later.

Just because you can't prevent something from happening doesn't mean it is inevitable!

Sure, if Bitcoin businesses and individuals started to check for the reputation of coins they receive then there's little you can do about it but I highly doubt this will happen. It is simply too much of a hassle to do this in a sensible way. Amongst other things, you'd have to establish a reputation infrastructure, a dispute resolution process and of course you have to get it supported by the standard client. Also, what if the coin reputation service goes down or is DDoSed? Do you suspend the Bitcoin network?

I honestly don't see that happening - especially with Bitcoin often being used in an automated fashion this becomes much too much of a hassle. Also I really hope that with multisig / two-factor authentication becoming established, we won't see many large thefts in Bitcoinland anymore.

Agreed. Let's hope it is too much of a hassle. But let's hope MtGox, who is by far the biggest and possibly indispensable exchange, sees it that way also.

JoelKatz
March 05, 2012, 10:17:47 AM
 #266

Now let's move on and talk about a technical solution.
I don't think there's a technical problem. What problem do you think needs a technical solution? If you mean working on a way to help thieves more easily make their coins untrackable, you're way off track. Dollar bills are quite trackable, every one has a serial number on it, and they don't have this problem. Bitcoins should not need to optimize themselves for thieves and money launderers but should instead optimize themselves for use by honest folk.

I am an employee of Ripple.
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
muyuu
March 05, 2012, 10:23:46 AM
 #267

Anything adding an extra layer of complexity is a massive NO-GO for bitcoin IMO.

You have to take into account that there are hundreds of ways such a system would be gamed. A complexity arms race is the least thing bitcoin needs.

For example: order of transactions within a block is not deterministic. I can have a clean account with, say, only freshly mined coins, and a tainted account. I give you the clean address and you accept the payment by some automatic means of checking taint. Then I immediately transfer a boatload of highly tainted coins to this address. Both transactions happen in the same block and you cannot reliably tell which happened first. Your account is now highly tainted, you may just have lost a lot of value if untainted coins have a big premium due to this system. Then you have to add even more delay to the already high delay there is to have a proper number of confirmations, and you really cannot have an automated system.

Off the top of my head I can think of dozens of attacks.

I wouldn't work in a system like this. Not while I still have coins.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
payb.tc
March 05, 2012, 10:41:53 AM
 #268

Bitcoins should not need to optimize themselves for thieves and money launderers but should instead optimize themselves for use by honest folk.

i disagree that something as neutral as money should be biased towards any specific kind of person.

i do agree that as you say, this is not a technical problem.
wareen
March 05, 2012, 11:53:17 AM
 #269

Anything adding an extra layer of complexity is a massive NO-GO for bitcoin IMO.

You have to take into account that there are hundreds of ways such a system would be gamed. A complexity arms race is the least thing bitcoin needs.
+1

As soon as there's such a mechanism, stolen coins will find a way to avoid being detected, there's just no way you can do that 100% reliably. This would only result in a great big mess - people wrongfully accusing others of having their coins stolen (even if it was a regular payment or donation) just to get them into trouble, people fighting over evidence and reputation, online wallet services getting into trouble because some think their acceptance policies are not strict enough, tainting coins of innocent others in the process, people flooding donation addresses with tainted coins,...
Also, what would be the next step? Refuse blocks from "shady" miners who include transactions with tainted fees?

We really don't need that - fighting Bitcoin thefts at that level is just not the way to go. You'd only make it a bit harder for Bitcoin thieves at the cost of making Bitcoin a much more miserable experience for everyone else!

Oh and I'm not trying to talk anybody out of implementing such a system, please go ahead and do it, just don't expect it to become widely adopted. Even people thinking such a system would be a good idea in principle are likely to disagree on the details, fighting and lobbying for their favored policies, etc... In the end, it would have been much more effective to just make two-factor authentication easy to use for everyone.
Andrew Vorobyov
March 05, 2012, 05:03:00 PM
 #270

http://articles.cnn.com/2009-08-14/health/cocaine.traces.money_1_cocaine-dollar-bills-paper-bills?_s=PM:HEALTH

"Coming soon to Bitcoin..."

But we will have - some drugs, pedophile, guns... maybe even murders

what else? Smiley

Raoul Duke
aka psy
March 05, 2012, 05:07:58 PM
 #271

http://articles.cnn.com/2009-08-14/health/cocaine.traces.money_1_cocaine-dollar-bills-paper-bills?_s=PM:HEALTH

"Coming soon to Bitcoin..."

But we will have - some drugs, pedophile, guns... maybe even murders

what else? Smiley

Who cares?...  Roll Eyes

A coin is a coin is a coin, just like a dollar bill is a dollar bill is a dollar bill, with or without coke on it.

muyuu
March 05, 2012, 06:19:21 PM
 #272

http://articles.cnn.com/2009-08-14/health/cocaine.traces.money_1_cocaine-dollar-bills-paper-bills?_s=PM:HEALTH

"Coming soon to Bitcoin..."

But we will have - some drugs, pedophile, guns... maybe even murders

what else? Smiley

Who cares?...  Roll Eyes

A coin is a coin is a coin, just like a dollar bill is a dollar bill is a dollar bill, with or without coke on it.

That was the point...

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
Micon
March 11, 2012, 06:02:00 AM
 #273

1)  product idea:  "level of taint on my bitcoin" site, with a formula to determine level of taint, how many transactions ago, etc

2)  I agree, Gox or any other exchange shouldn't judge your coins, a coin is a coin and it's a brutal, unforgiving system but that's what it has been created here / can't police the coins.

Chairman SwCPoker.eu Bitcoin Poker 2.0 |  Pro Poker Player  |  blog & podcas DonkDown.com | @BryanMicon | 2015- PGP Key
LightRider
March 11, 2012, 06:26:55 AM
 #274

Quote
Since last week, we've been completely consumed with evaluating, discussing, debating, planning, etc, ways in which we can do better. This was a learning experience for us and Linode will only improve because of it. Hoping to have an announcement soon covering the results of these efforts.

http://forum.linode.com/viewtopic.php?p=49004#49004

Apparently they're still dealing with it internally.

Bitcoin combines money, the wrongest thing in the world, with software, the easiest thing in the world to get wrong.
Visit www.thevenusproject.com and www.theZeitgeistMovement.com.
molecular
March 11, 2012, 08:24:23 AM
 #275

Quote
Since last week, we've been completely consumed with evaluating, discussing, debating, planning, etc, ways in which we can do better. This was a learning experience for us and Linode will only improve because of it. Hoping to have an announcement soon covering the results of these efforts.

http://forum.linode.com/viewtopic.php?p=49004#49004

Apparently they're still dealing with it internally.

I wonder if this could become a sort of marketing tool:

  • bad security incident happens to company
  • company gets negative press, loads of it
  • company acts responsibly and betters itself, improves security
  • company shines, gets new customers who think company must now be very secure

it worked for mtgox

I myself didn't even know of linode before. If they act correctly now, I might even consider them next time I look for a VPS provider -> successful marketing.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Killdozer
March 11, 2012, 08:36:30 AM
 #276

Quote
I myself didn't even know of linode before. If they act correctly now, I might even consider them next time I look for a VPS provider -> successful marketing.

If you should learn anything from this incident, it is that you shouldn't keep any big amounts of coins on a VPS, Linode or not.

ThomasV
March 11, 2012, 09:30:51 AM
 #277

Quote
I myself didn't even know of linode before. If they act correctly now, I might even consider them next time I look for a VPS provider -> successful marketing.

If you should learn anything from this incident, it is that you shouldn't keep any big amounts of coins on a VPS, Linode or not.

+1

If all you need is to accept Bitcoin in an e-commerce, then you do not need to leave your private keys on the server. For example, you can use a deterministic wallet to generate your addresses without the private keys.

If your server needs to send bitcoins to customers (which was the case for bitcoinica and slush's pool), it is probably not reasonable to use a VPS, especially if large amounts are involved.

Electrum: the convenience of a web wallet, without the risks
kano
March 11, 2012, 09:37:27 AM
 #278

...

I myself didn't even know of linode before. If they act correctly now, I might even consider them next time I look for a VPS provider -> successful marketing.

You'd trust a company that had a hidden backdoor? (yes that description is correct, it did not show up for the logs for slush and was either unknown by the person he contacted originally or the access was hidden by them)
As I said early on, I think they deserve to go bankrupt and be done with.
Not a chance in hell I'd trust them for anything.

Pool: https://kano.is BTC: 1KanoiBupPiZfkwqB7rfLXAzPnoTshAVmb
CKPool and CGMiner developer, IRC FreeNode #ckpool and #cgminer kanoi
Help keep Bitcoin secure by mining on pools with Stratum, the best protocol to mine Bitcoins with ASIC hardware
notme
March 11, 2012, 06:01:09 PM
 #279

Quote
I myself didn't even know of linode before. If they act correctly now, I might even consider them next time I look for a VPS provider -> successful marketing.

If you should learn anything from this incident, it is that you shouldn't keep any big amounts of coins on a VPS, Linode or not.

+1

If all you need is to accept Bitcoin in an e-commerce, then you do not need to leave your private keys on the server. For example, you can use a deterministic wallet to generate your addresses without the private keys.

If your server needs to send bitcoins to customers (which was the case for bitcoinica and slush's pool), it is probably not reasonable to use a VPS, especially if large amounts are involved.

Public addresses are derived from the private key, so deterministic wallet is not the solution. However, you are correct that you don't need the private keys. You can simply keep a buffer of a few thousand addresses in your db that match private keys you store in a safe location.

https://www.bitcoin.org/bitcoin.pdf
While no idea is perfect, some ideas are useful.
12jh3odyAAaR2XedPKZNCR4X4sebuotQzN
molecular
March 11, 2012, 06:04:07 PM
 #280

Public addresses are derived from the private key, so deterministic wallet is not the solution. However, you are correct that you don't need the private keys. You can simply keep a buffer of a few thousand addresses in your db that match private keys you store in a safe location.

I think electrum has implemented a solution where the addresses can also be derived from a seed.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769