slush (OP)
March 02, 2012, 01:55:27 AM
WHY DA FUCK DO YOU USE VPS's TO HOST IMPORTANT STUFF?
Hm, please read my previous post. I don't think that VPS containers themselves are a huge security risk. As you see now, virtualization wasn't the reason for the hack, but it was a supporting tool which exists in some form at every hosting company, even for unmanaged servers (yes, I'm even paying an extra fee for software KVM).
Littleshop
March 02, 2012, 01:56:18 AM
I would not trust any shared host (VM or not) that has access to your data for a wallet over $1000. The only way to do this is with encrypted disks that are set up or encrypted by the customer with no host access of any kind.

Unfortunately this is very hard to achieve in the real world. For example, I cannot use any housing here in Prague because of stupidly poor connectivity to abroad. Then it really doesn't matter if the provider is VPS or not, because technically there must be somebody who has physical access to the server instead of me. I'm hosting the pool in France - it's a standalone server, but there is still software KVM (because *I* need to reach the server anytime) and there are probably tens of sysadmins with physical access to the server. So it happened today at Linode, but it can happen everywhere else tomorrow. So choosing a server provider for services where you don't have thousands of dollars monthly to protect your own server room is like playing russian roulette.

I do agree that it is hard to find options in some areas. In Baltimore we have a few 'rack space' rental places that will allow you to drop in a server that you have physically set up and nobody has access to online. Sure, they could get to it physically, but that kind of attack is quite different if disks are encrypted. (And yes, I know it is POSSIBLE to break into those as well, but you do need to take the machine offline to do it.)
slush (OP)
March 02, 2012, 01:56:31 AM
Lol, psy deleted his post immediately
muyuu
March 02, 2012, 01:58:05 AM
In the transaction related to your incident, one of the destination addresses had 25k BTC or so... by the looks of it the perp has amassed a lot of bitcoins and I bet there were many legit wallets in Linode with legit transactions so he can also use these to launder his money. It's a lot of money to launder, though. We're talking about 1/4 million US$ or so. Beware of big mining contract purchases in ferroh or GPUMax (or others) during the next few days.
JeffK
March 02, 2012, 01:58:51 AM
Since they are a company with real money on the line, they are probably doing an investigation before they make any statement, period.
Raoul Duke (aka psy)
March 02, 2012, 01:59:06 AM
Yeah, I deleted it because I wasn't even trying to attack you, nor did I wish to derail the thread.
Was just replying to you now to say: colocation with encrypted disks?
I understand if you tell me it's expensive, but the alternative is worse, as we all see now.
PS: I don't have any bitcoind facing the web so it's easy for me to stay safe. Those guides about setting up hidden services are really helpful when one wants to set up a secure server.
Sorry Slush, hope you didn't get mad at me. I'm really in pain with this situation. I was already in pain when it was only you and Gavin, much more now that Bitcoinica even lost more than both of you together.
Thralen
March 02, 2012, 02:03:40 AM
I think he may be trying to "set JeffK straight" as they say...
Yes, I have issues with people that I've never seen contribute meaningfully to something trying to tear apart people that I know have contributed to that thing. In this case, Bitcoin being the thing and Slush (as someone with major contributions to it) being 'attacked' and being, in essence, called a liar. I tend to jump to the defense of what I believe in at those points. Therefore I posted the link to the other major breach that was only tangentially mentioned and linked to in this thread as additional proof, seeing if he'd decide to call Zhou (as well as Slush) a liar by continuing his current stand. Thralen
dunand
March 02, 2012, 02:07:42 AM
Can someone explain how the encrypted wallet was compromised? The attacker found the wallet's password in the source code / config file somewhere?
Raoul Duke (aka psy)
March 02, 2012, 02:09:10 AM
Can someone explain how the encrypted wallet was compromised? The attacker found the wallet's password in the source code / config file somewhere?
Maybe because it wasn't encrypted? I don't remember any of them saying the wallets were encrypted. Maybe I'll need to re-read the thread(s)...
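The disagreement above (Littleshop's point that only customer-held encryption with no host access protects a wallet, slush's reply that somebody at the provider always has console or physical access, and dunand's question about how an encrypted wallet could have been compromised) comes down to what a copy of wallet.dat is worth to whoever holds the host's disks or backups. The Go program below is an added example, not code from this thread and not bitcoind's own code. It models the wallet encryption scheme bitcoind shipped: a salted, iterated SHA-512 passphrase KDF wraps a random master key with AES-256-CBC, and each private key is wrapped under the master key with an IV tied to its public key. The round count, salt length, padding rule and per-key IV rule are assumptions for the example. Unlock is where the caveat lives: once the wallet is unlocked on a running VM the master key is in memory, and console, snapshot or memory access reaches it regardless of any disk encryption. GuessPassphrase shows what a copied file is worth when the passphrase is weak or sits in a config file, as dunand suggested.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"errors"
)

// Assumed parameters (modelled on bitcoind's wallet encryption, not taken from
// the thread): iterated SHA-512 passphrase KDF, AES-256-CBC, PKCS#7 padding.
const rounds = 25000

// kdf mirrors EVP_BytesToKey(aes-256-cbc, sha512): hash passphrase||salt, re-hash
// rounds-1 times; bytes 0..32 are the key, 32..48 the IV. Each guess costs `rounds` hashes.
func kdf(pass, salt []byte) (key, iv []byte) {
	sum := sha512.Sum512(append(append([]byte{}, pass...), salt...))
	for i := 1; i < rounds; i++ {
		sum = sha512.Sum512(sum[:])
	}
	return sum[:32], sum[32:48]
}

func cbcEncrypt(key, iv, plain []byte) []byte {
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	buf := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf)
	return buf
}

// cbcDecrypt rejects bad padding, which is how a wrong key usually shows up.
func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, _ := aes.NewCipher(key)
	buf := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(buf, ct)
	pad := int(buf[len(buf)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(buf[len(buf)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key")
	}
	return buf[:len(buf)-pad], nil
}

// EncryptedWallet is all a host with disk, snapshot or backup access gets: public
// salt, wrapped master key, wrapped private keys (hex pubkey -> ciphertext).
type EncryptedWallet struct {
	Salt, EncMasterKey []byte
	Keys               map[string][]byte
}

// privIV binds each key's IV to its public key: first 16 bytes of double-SHA256.
func privIV(pub []byte) []byte { h := sha256.Sum256(pub); h = sha256.Sum256(h[:]); return h[:16] }

// Encrypt wraps the master key under the passphrase-derived key and each
// private key (hex pubkey -> raw key) under the master key. The passphrase is never stored.
func Encrypt(pass string, salt, master []byte, privs map[string][]byte) *EncryptedWallet {
	key, iv := kdf([]byte(pass), salt)
	w := &EncryptedWallet{Salt: salt, EncMasterKey: cbcEncrypt(key, iv, master), Keys: map[string][]byte{}}
	for pubHex, priv := range privs {
		pub, _ := hex.DecodeString(pubHex)
		w.Keys[pubHex] = cbcEncrypt(master, privIV(pub), priv)
	}
	return w
}

// Unlock is the walletpassphrase step: the master key lands in RAM, where console,
// snapshot or memory access to the running VM reaches it whatever the disk encryption.
func (w *EncryptedWallet) Unlock(pass string) ([]byte, error) {
	key, iv := kdf([]byte(pass), w.Salt)
	m, err := cbcDecrypt(key, iv, w.EncMasterKey)
	if err == nil && len(m) != 32 { // rules out the ~1/256 padding false positive
		return nil, errors.New("wrong passphrase")
	}
	return m, err
}

// PrivKey unwraps one key. A real wallet also checks it reproduces the pubkey; skipped here.
func (w *EncryptedWallet) PrivKey(master []byte, pubHex string) ([]byte, error) {
	pub, _ := hex.DecodeString(pubHex)
	return cbcDecrypt(master, privIV(pub), w.Keys[pubHex])
}

// GuessPassphrase is the attacker's move on a copied wallet file: try the value from
// a config file, then a wordlist. Off the box, only passphrase entropy times `rounds` is left.
func (w *EncryptedWallet) GuessPassphrase(candidates []string) (string, bool) {
	for _, c := range candidates {
		if _, err := w.Unlock(c); err == nil {
			return c, true
		}
	}
	return "", false
}
```

The two halves to keep apart are Encrypt and Unlock. A host that only ever sees the files Encrypt produces (disk image, snapshot, backup) faces work proportional to the passphrase's entropy, multiplied by the KDF rounds; a host that can reach the process after Unlock, through the console or a memory snapshot, has the master key for free. That is why "encrypted disks with no host access" and "someone always has KVM access" are not really in conflict: the first protects data at rest, the second defeats a running, unlocked wallet.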
JeffK
March 02, 2012, 02:09:24 AM
I think he may be trying to "set JeffK straight" as they say...
Yes, I have issues with people that I've never seen contribute meaningfully to something trying to tear apart people that I know have contributed to that thing. In this case, Bitcoin being the thing and Slush (as someone with major contributions to it) being 'attacked' and being, in essence, called a liar. I tend to jump to the defense of what I believe in at those points. Therefore I posted the link to the other major breach that was only tangentially mentioned and linked to in this thread as additional proof, seeing if he'd decide to call Zhou (as well as Slush) a liar by continuing his current stand. Thralen

It's also terribly unfair to attack one of the longest standing most reputable providers without any real statement on their part, and it's doubly unfair to demand they pay back what was allegedly "lost" on the service, since they aren't required by law or their TOS to hold backups of your data for you.
paraipan
March 02, 2012, 02:15:46 AM
In the transaction related to your incident, one of the destination addresses had 25k BTC or so... by the looks of it the perp has amassed a lot of bitcoins and I bet there were many legit wallets in Linode with legit transactions so he can also use these to launder his money. It's a lot of money to launder, though. We're talking about 1/4 million US$ or so. Beware of big mining contract purchases in ferroh or GPUMax (or others) during the next few days.

zhoutong didn't provide a transaction id of the robbery like slush did
copumpkin
March 02, 2012, 02:18:06 AM
I think he may be trying to "set JeffK straight" as they say...
Yes, I have issues with people that I've never seen contribute meaningfully to something trying to tear apart people that I know have contributed to that thing. In this case, Bitcoin being the thing and Slush (as someone with major contributions to it) being 'attacked' and being, in essence, called a liar. I tend to jump to the defense of what I believe in at those points. Therefore I posted the link to the other major breach that was only tangentially mentioned and linked to in this thread as additional proof, seeing if he'd decide to call Zhou (as well as Slush) a liar by continuing his current stand. Thralen

It's also terribly unfair to attack one of the longest standing most reputable providers without any real statement on their part, and it's doubly unfair to demand they pay back what was allegedly "lost" on the service, since they aren't required by law or their TOS to hold backups of your data for you.

Backups are not really the issue here.
Raoul Duke (aka psy)
March 02, 2012, 02:19:54 AM
@JeffK Full disclosure request:
What is your relationship with Linode?
JeffK
March 02, 2012, 02:20:06 AM
I think he may be trying to "set JeffK straight" as they say...
Yes, I have issues with people that I've never seen contribute meaningfully to something trying to tear apart people that I know have contributed to that thing. In this case, Bitcoin being the thing and Slush (as someone with major contributions to it) being 'attacked' and being, in essence, called a liar. I tend to jump to the defense of what I believe in at those points. Therefore I posted the link to the other major breach that was only tangentially mentioned and linked to in this thread as additional proof, seeing if he'd decide to call Zhou (as well as Slush) a liar by continuing his current stand. Thralen

It's also terribly unfair to attack one of the longest standing most reputable providers without any real statement on their part, and it's doubly unfair to demand they pay back what was allegedly "lost" on the service, since they aren't required by law or their TOS to hold backups of your data for you.

Backups are not really the issue here.

It is "hosting something of value on an unencrypted server that is irreplaceable" then?
Eveofwar
March 02, 2012, 02:20:18 AM
In the transaction related to your incident, one of the destination addresses had 25k BTC or so... by the looks of it the perp has amassed a lot of bitcoins and I bet there were many legit wallets in Linode with legit transactions so he can also use these to launder his money. It's a lot of money to launder, though. We're talking about 1/4 million US$ or so. Beware of big mining contract purchases in ferroh or GPUMax (or others) during the next few days.

zhoutong didn't provide transaction id of the robbery like slush did

http://blockchain.info/tx-index/2873808/0268b7285b95444808753969099f7ae43fb4193d442e3e0deebb10e2bb1764d0 -- might be it.
Littleshop
March 02, 2012, 02:20:27 AM
I think he may be trying to "set JeffK straight" as they say...
Yes, I have issues with people that I've never seen contribute meaningfully to something trying to tear apart people that I know have contributed to that thing. In this case, Bitcoin being the thing and Slush (as someone with major contributions to it) being 'attacked' and being, in essence, called a liar. I tend to jump to the defense of what I believe in at those points. Therefore I posted the link to the other major breach that was only tangentially mentioned and linked to in this thread as additional proof, seeing if he'd decide to call Zhou (as well as Slush) a liar by continuing his current stand. Thralen

It's also terribly unfair to attack one of the longest standing most reputable providers without any real statement on their part, and it's doubly unfair to demand they pay back what was allegedly "lost" on the service, since they aren't required by law or their TOS to hold backups of your data for you.

Backups are not really the issue here.

Not saying that the host did anything wrong.... but the problem is not the lack of backups.... It is one backup too many.
JeffK
March 02, 2012, 02:21:26 AM
@JeffK Full disclosure request:
What is your relationship with Linode?
Two-year customer as of last month, never had problems, but I've been around the Bitcoin community long enough to be suspicious of people who "lose" bitcoins or have them "stolen".
kiba
March 02, 2012, 02:22:33 AM
@JeffK Full disclosure request:
What is your relationship with Linode?
Two year customer last month, never had problems but I've been around the Bitcoin community long enough to be suspicious of people who "lose" bitcoins or have them "stolen"

Ok, you're going to be suspicious of Gavin, the bitcoinica guy, and Slush?
malevolent
March 02, 2012, 02:23:17 AM
Two year customer last month, never had problems but I've been around the Bitcoin community long enough to be suspicious of people who "lose" bitcoins or have them "stolen"
Normally I would agree with you, but in this case Slush (and Zhoutong, whose BTC were also stolen) said they will cover the losses out of their own pocket.
Raoul Duke (aka psy)
March 02, 2012, 02:24:24 AM
@JeffK Full disclosure request:
What is your relationship with Linode?
Two year customer last month, never had problems but I've been around the Bitcoin community long enough to be suspicious of people who "lose" bitcoins or have them "stolen"

And I find it suspicious that after being inactive since Jan 9th 2012 you came back today...