|
|
DeathAndTaxes
Donator
Legendary
 Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
 |
March 02, 2012, 02:48:58 AM |
|
Regardless, I find it hard to believe that a hacker who supposedly has access to all of the Linodes uses that ability to hijack a few bitcoins. A "few" bitcoins? troll much? Looks like at least 4 major bitcoin sites/wallets were hit. There may be dozens more. At least 12K BTC were taken in a few minutes. Could easily be double that. We are talking six figures in USD, better than most armed bank robberies and a lot safer. You find it "hard to believe" a hacker or dishonest employee would use a foolishly unprotected super admin account to acquire $100K in irrevocable funds for a few minutes of "work"? |
|
|
|
|
bitcoinBull
Legendary
Offline
Activity: 826
Merit: 1001
rippleFanatic
|
|
March 02, 2012, 02:50:05 AM |
|
I think an additional measure would be for services to broadcast transactions from their hot wallets strictly behind proxies (as simple as connecting it to a single, separate bitcoind without a wallet hosted somewhere else?), wherever they are hosted. That way attackers can't figure out the ip address of your hot wallet just by lurking in #bitcoin.
|
College of Bucking Bulls Knowledge
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
March 02, 2012, 02:50:56 AM |
|
What's that transaction? Who got jacked out of 25k BTC? |
|
|
|
|
slush (OP)
Legendary
Offline
Activity: 1386
Merit: 1097
|
|
March 02, 2012, 02:52:26 AM |
|
Interesting. There's remaining question - how attacker found that exactly those eight accounts are running bitcoin services without scanning whole database? It just confirms my opinion that they compared linode database with list of IPs with running bitcoind, but technically they had access to all linode boxes, if they wanted. |
|
|
|
paraipan
In memoriam
Legendary
Offline
Activity: 924
Merit: 1004
Firstbits: 1pirata
|
|
March 02, 2012, 02:52:38 AM |
|
What's that transaction? Who got jacked out of 25k BTC? that would be the thief counting his coins in a single stash, seen live as it happened... |
BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
|
|
|
JeffK
Sr. Member
Offline
Activity: 350
Merit: 250
I never hashed for this...
|
|
March 02, 2012, 02:54:03 AM |
|
Interesting. There's remaining question - how attacker found that exactly those eight accounts are running bitcoin services without scanning whole database? It just confirms my opinion that they compared linode database with list of IPs with running bitcoind, but technically they had access to all linode boxes, if they wanted. It uses the terms "credential s" and mentions that he had to gain individual access to eacher account, so it wasn't a superuser account |
|
|
|
|
adamstgBit
Legendary
Offline
Activity: 1904
Merit: 1037
Trusted Bitcoiner
|
|
March 02, 2012, 02:54:26 AM |
|
I'm half a noob when it comes to exactly how the blockchain can be used to track transactions, but my understanding is that since we have the hash that stole the coins, even if he tries to wash them can't we see at least where big chunks will go? can we track this money through the block chain?
funny I was wondering the very same thing. I don't get why anyone would steal bitcoin since when you go to "cash out" it could conceivably be red-flagged - then again they could do small amounts BUT STILL what thief wants to sit there and do $50 cash out at a time ? can anyone explain this? right... anyone trying to follow the bits? |
|
|
|
|
nebulus
|
|
March 02, 2012, 02:55:10 AM |
|
Blackmail linode... Get money for yourself plus publicity for bitcoin...
|
|
|
|
bbit
Legendary
Offline
Activity: 1330
Merit: 1000
Bitcoin
|
|
March 02, 2012, 02:57:40 AM |
|
I'm half a noob when it comes to exactly how the blockchain can be used to track transactions, but my understanding is that since we have the hash that stole the coins, even if he tries to wash them can't we see at least where big chunks will go? can we track this money through the block chain?
funny I was wondering the very same thing. I don't get why anyone would steal bitcoin since when you go to "cash out" it could conceivably be red-flagged - then again they could do small amounts BUT STILL what thief wants to sit there and do $50 cash out at a time ? can anyone explain this? right... anyone trying to follow the bits? Help? |
|
|
|
|
onesalt
|
|
March 02, 2012, 03:01:27 AM |
|
Remind me why linode should pay you back for your own fuck up? If you're too lazy to search around and to then use a respectable host with reasonable security measures then its your own problem if you lose your own money. It's no different to if I change my gold into fiat dollars, put it into a government backed bank who then goes bust.
|
|
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
March 02, 2012, 03:02:17 AM |
|
I'm half a noob when it comes to exactly how the blockchain can be used to track transactions, but my understanding is that since we have the hash that stole the coins, even if he tries to wash them can't we see at least where big chunks will go? can we track this money through the block chain?
funny I was wondering the very same thing. I don't get why anyone would steal bitcoin since when you go to "cash out" it could conceivably be red-flagged - then again they could do small amounts BUT STILL what thief wants to sit there and do $50 cash out at a time ? can anyone explain this? right... anyone trying to follow the bits? Help? WTF http://blockchain.info/address/0c767fd66d57a601838213fe5da3b20681a85db499K Bitcoins?  1 hop away from the 25k transaction? holly SH************************ Or is that a Bitcoinica or Slushs' address? I can't get my head to understand all those inputs and outputs. |
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
March 02, 2012, 03:02:56 AM |
|
Remind me why linode should pay you back for your own fuck up? If you're too lazy to search around and to then use a respectable host with reasonable security measures then its your own problem if you lose your own money. It's no different to if I change my gold into fiat dollars, put it into a government backed bank who then goes bust.
Slush never asked or demanded that Linode pay him back so how about you just fuck off for a while? |
|
|
|
|
|
Eveofwar
|
|
March 02, 2012, 03:03:22 AM |
|
I'm half a noob when it comes to exactly how the blockchain can be used to track transactions, but my understanding is that since we have the hash that stole the coins, even if he tries to wash them can't we see at least where big chunks will go? can we track this money through the block chain?
funny I was wondering the very same thing. I don't get why anyone would steal bitcoin since when you go to "cash out" it could conceivably be red-flagged - then again they could do small amounts BUT STILL what thief wants to sit there and do $50 cash out at a time ? can anyone explain this? right... anyone trying to follow the bits? Help? WTF http://blockchain.info/address/0c767fd66d57a601838213fe5da3b20681a85db499K Bitcoins? 1 hoop away from the 25k transaction? holly SH************************ You obviously missed the part about the coins leaving and coming back to the same address. BTC received != BTC total |
|
|
|
|
markm
Legendary
Offline
Activity: 2996
Merit: 1121
|
|
March 02, 2012, 03:04:43 AM |
|
It is sad that you have no option of hosting at home, Slush. I always figured it would be stupid to think private keys hosted anywhere else are not compromised and thus as long as they have not yet been stolen to assume it is mostly because there is not yet enough value in them to bother stealing them yet.
I have never considered hosting my private keys anywhere other than a site I physically control and know who else (if anyone) has physical access to. Hence, at home or in some kind of locked bunker no-one else has keys to.
Is there really no way you can get your own home hooked up to the net?
-MarkM-
|
|
|
|
|
onesalt
|
|
March 02, 2012, 03:05:06 AM |
|
I'm still waiting what they'll find, but expect they'll try to hide any issue on their side and they will definitely reject to pay 3000 BTC for this attack :-/.
Dude even says he doesn't expect the company to cover this which kinda implied he hoped they would in the first place. |
|
|
|
|
|
trentzb
|
|
March 02, 2012, 03:07:59 AM |
|
Getting access to the Linode admin UI doesn't give access to the server itself. You can view the console, but you just get the login prompt. You still need the server's password to log in.
To reset the password the server has to be shut down so that /etc/shadow can be modified. At that point they could just go in and grab the data, but they most likely used Linode's password changer to minimize the downtime to a few seconds to help prevent getting caught.
A reboot wouldn't be required if they got access to the Linode hosts, but it doesn't sound like that was the case here. I'm guessing the exploit is in their web-based server management.
This is by far one of the scariest things about the process. Considering Slush and the Faucet were compromised at roughly the same time, it points to the flaw being in Linode's administrative control panel. A -very- scary situation, considering Linode is one of the largest VPS providers around. I'm late to the party. None of my bitcoind Linodes have been compromised...yet. Come and get 'em...all my coins are hot now. |
|
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
March 02, 2012, 03:09:30 AM |
|
I obviously get lost whenever I see more than 2k Bitcoins /me drools
|
|
|
|
|
JeffK
Sr. Member
Offline
Activity: 350
Merit: 250
I never hashed for this...
|
|
March 02, 2012, 03:11:35 AM |
|
Also, JeffK, your Ron Paul sig quote irritates me.
Is quoting Paul not alloed here? I thought everyone was pretty libertarian? or was it that I had a Carl Marks quote next to it. |
|
|
|
|
JeffK
Sr. Member
Offline
Activity: 350
Merit: 250
I never hashed for this...
|
|
March 02, 2012, 03:13:32 AM |
|
Getting access to the Linode admin UI doesn't give access to the server itself. You can view the console, but you just get the login prompt. You still need the server's password to log in.
To reset the password the server has to be shut down so that /etc/shadow can be modified. At that point they could just go in and grab the data, but they most likely used Linode's password changer to minimize the downtime to a few seconds to help prevent getting caught.
A reboot wouldn't be required if they got access to the Linode hosts, but it doesn't sound like that was the case here. I'm guessing the exploit is in their web-based server management.
This is by far one of the scariest things about the process. Considering Slush and the Faucet were compromised at roughly the same time, it points to the flaw being in Linode's administrative control panel. A -very- scary situation, considering Linode is one of the largest VPS providers around. I'm late to the party. None of my bitcoind Linodes have been compromised...yet. Come and get 'em...all my coins are hot now. I guess it was mostly the 'highest profile' targets that got hit, which explains Gavin getting chosen (although I always thought the faucet kept a rather low amount of coins in it at any time to a roughly equal inflow/outflow of coins or the fact that it used to run empty often |
|
|
|
|
|
