Author Topic: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYM...  (Read 62088 times)
payb.tc
March 02, 2012, 10:25:39 AM
 #201

You missed  - on eligius, added bonus:
The coins you receive are virgin whereas with most pools you potentially could get mixed/old coins.

What is the advantage of virgin coins  Huh


weren't you the one that brought up the whole concept of taint recently?

virgin coins have 0% taint.


BkkCoins
March 02, 2012, 10:27:04 AM
 #202

You missed  - on eligius, added bonus:
The coins you receive are virgin whereas with most pools you potentially could get mixed/old coins.
What is the advantage of virgin coins  Huh
They're not associated with any past transactions so have better anonymity.

sje397
March 02, 2012, 10:57:40 AM
 #203

Lesson learned: private keys (wallet.dat) are just that: private. Once you put them out there, cloud, webserver, hosting server, email, etc, THEY ARE NO LONGER PRIVATE.

Can we move along now?


Actually, I think the real lesson here for pool operators
is that they should all move to the eligius model:

    - eligius has no notion of "customer accounts". These are a giant PITA for the miners,
      require the pool op to manage a DB which is a PITA in itself. Accounts are also the
      source of a whole host of security problems:
              - need to create account/login -> need to enter data in website -> exposure surface to SQL injections
              - need an email -> phishing attacks, etc.

    - on eligius, miners just send their shares along with a public address
    - on eligius, no need to store any kind of BTC amount on the pool server at any time:
      the payout is built into the block from the coinbase. No BTC ever hit disk.
    - on eligius, added bonus: anonymity for the pool users
    - on eligius, added bonus: much easier to use for miners



P2pool is another one.
Micon
March 02, 2012, 01:44:13 PM
 #204

1)  BTC / block chain / block explorer is awesome as we can literally see where the money goes.  If anyone does any transaction with any of these funds, assuming you would ever really follow this enough to have a computer look for one of the hashes on this trail of tears, then please post everything about it here.

2)  Ok, so I'm a master criminal, and I hacked the lol-tastic Linoodle security web tool, and I steal the 40k BTC off all the BTC business sites hosted there - so I have ~ $160k USD and i'm an asshole so I'd like to get some cash now.  (also note homeboy is certainly reading this thread) You pretty much need to sell any reasonable amount on Gox.  If they are smart they will lay low and not make any more transactions for a while.  But, at some point, those coins are going to have to make it to Gox.  we should ask them, really fucking nicely, to do all they can to make sure those coins don't get turned into cash on their xchange.  Tradehill too.  If you can get enough of the exchanges, even down to the small ones, to get on board with this and someone write some code to follow the block chain until it gets to Gox.  Might be able to get some more clues.

just some thoughts.

definitely clubs.

I'm flying FPV race drones these days. Check out my YouTube channel: https://www.youtube.com/c/MiconFPV
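
Added example, not written by any poster in this thread: the chain-following idea from post #204 and the taint notion from post #201, run over a constructed ledger. The proportional ("haircut") taint model, the transaction layout and every name used are assumptions made for illustration.

```python
from fractions import Fraction

# Constructed sample ledger (illustrative, not real chain data), in chain order.
# "ins" lists spent outpoints as (txid, output index); "outs" lists (address, value).
TXS = [
    {"txid": "cb", "ins": [], "outs": [("minerX", 50)]},  # coinbase: no inputs
    {"txid": "t1", "ins": [("theft", 0)], "outs": [("addrA", 30), ("addrB", 20)]},
    {"txid": "t2", "ins": [("t1", 0), ("clean", 0)],
     "outs": [("addrC", 40), ("addrD", 20)]},
    {"txid": "t3", "ins": [("t2", 0), ("t1", 1)],
     "outs": [("exchange_deposit", 60)]},
]
# Values of outputs created before the sample window (constructed).
PRIOR_VALUES = {("theft", 0): 50, ("clean", 0): 30}


def trace_taint(txs, prior_values, stolen_outpoints):
    """Return {outpoint: (address, value, taint)} under the proportional model:
    every output of a tx inherits the value-weighted taint of that tx's inputs."""
    value = dict(prior_values)
    taint = {op: Fraction(1) for op in stolen_outpoints}
    result = {}
    for tx in txs:
        total = sum(value[op] for op in tx["ins"])
        dirty = sum((value[op] * taint.get(op, Fraction(0)) for op in tx["ins"]),
                    Fraction(0))
        frac = dirty / total if total else Fraction(0)  # coinbase -> 0% taint
        for i, (addr, amount) in enumerate(tx["outs"]):
            op = (tx["txid"], i)
            value[op], taint[op] = amount, frac
            result[op] = (addr, amount, frac)
    return result


def flag_deposits(result, watched_addresses, threshold):
    """List outputs paid to watched addresses whose taint meets the threshold."""
    return [(op, addr, amount, frac)
            for op, (addr, amount, frac) in sorted(result.items())
            if addr in watched_addresses and frac >= threshold]


if __name__ == "__main__":
    traced = trace_taint(TXS, PRIOR_VALUES, {("theft", 0)})
    for hit in flag_deposits(traced, {"exchange_deposit"}, Fraction(1, 2)):
        print(hit)
```

Mixing with clean inputs dilutes the fraction at each hop (1, then 1/2, then 2/3 here), so the threshold an exchange picks decides how far down the chain a deposit still gets flagged.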
muyuu
March 02, 2012, 01:51:42 PM
 #205

2)  Ok, so I'm a master criminal, and I hacked the lol-tastic Linoodle security web tool, and I steal the 40k BTC off all the BTC business sites hosted there - so I have ~ $160k USD and i'm an asshole so I'd like to get some cash now.  (also note homeboy is certainly reading this thread) You pretty much need to sell any reasonable amount on Gox.  If they are smart they will lay low and not make any more transactions for a while.  But, at some point, those coins are going to have to make it to Gox.  we should ask them, really fucking nicely, to do all they can to make sure those coins don't get turned into cash on their xchange.  Tradehill too.  If you can get enough of the exchanges, even down to the small ones, to get on board with this and someone write some code to follow the block chain until it gets to Gox.  Might be able to get some more clues.

Firstly, it looks like we're looking at 50K+ BTC.

Secondly, we need the homeboy to get either lazy or impatient. I don't want to be giving ideas but certainly these coins don't have to ever make it to any exchange if he's determined enough...

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
Matthew N. Wright
March 02, 2012, 01:55:44 PM
 #206

2)  Ok, so I'm a master criminal, and I hacked the lol-tastic Linoodle security web tool, and I steal the 40k BTC off all the BTC business sites hosted there - so I have ~ $160k USD and i'm an asshole so I'd like to get some cash now.  (also note homeboy is certainly reading this thread) You pretty much need to sell any reasonable amount on Gox.  If they are smart they will lay low and not make any more transactions for a while.  But, at some point, those coins are going to have to make it to Gox.  we should ask them, really fucking nicely, to do all they can to make sure those coins don't get turned into cash on their xchange.  Tradehill too.  If you can get enough of the exchanges, even down to the small ones, to get on board with this and someone write some code to follow the block chain until it gets to Gox.  Might be able to get some more clues.

Firstly, it looks like we're looking at 50K+ BTC.

Secondly, we need the homeboy to get either lazy or impatient. I don't want to be giving ideas but certainly these coins don't have to ever make it to any exchange if he's determined enough...

It's even more likely they never will. People who already had that amount could just be recouping losses of selling their legitimate coins. We're not looking for a poor hacker here, we're looking for someone who already had a lot of coins to begin with. A business maybe. Bitcoinica would be the first person to suspect tbh (although I don't have reason to believe it was Zhou).

Kluge
March 02, 2012, 02:00:04 PM
 #207

2)  Ok, so I'm a master criminal, and I hacked the lol-tastic Linoodle security web tool, and I steal the 40k BTC off all the BTC business sites hosted there - so I have ~ $160k USD and i'm an asshole so I'd like to get some cash now.  (also note homeboy is certainly reading this thread) You pretty much need to sell any reasonable amount on Gox.  If they are smart they will lay low and not make any more transactions for a while.  But, at some point, those coins are going to have to make it to Gox.  we should ask them, really fucking nicely, to do all they can to make sure those coins don't get turned into cash on their xchange.  Tradehill too.  If you can get enough of the exchanges, even down to the small ones, to get on board with this and someone write some code to follow the block chain until it gets to Gox.  Might be able to get some more clues.

Firstly, it looks like we're looking at 50K+ BTC.

Secondly, we need the homeboy to get either lazy or impatient. I don't want to be giving ideas but certainly these coins don't have to ever make it to any exchange if he's determined enough...

It's even more likely they never will. People who already had that amount could just be recouping losses of selling their legitimate coins. We're not looking for a poor hacker here, we're looking for someone who already had a lot of coins to begin with. A business maybe. Bitcoinica would be the first person to suspect tbh (although I don't have reason to believe it was Zhou).
Operator of Silk Road?
Raoul Duke
aka psy
March 02, 2012, 02:24:49 PM
 #208

Operator of Silk Road?

Coincidentally with this incident I went to check the road, and guess what...

Quote
The Silk Road is down for maintenance. We will get the site back up asap. Thank you for your patience.
bitcoinsarefun
March 02, 2012, 02:24:58 PM
 #209

I was reading the slashdot story on this today and got a chuckle ... they served a linode ad embedded in the article about a linode exploit.

i thought it was funny Smiley
Matthew N. Wright
March 02, 2012, 02:26:40 PM
 #210

I was reading the slashdot story on this today and got a chuckle ... they served a linode ad embedded in the article about a linode exploit.

i thought it was funny Smiley

Irony.

goodlord666
March 02, 2012, 02:48:00 PM
 #211

Shit, this guy knows his stuff. Check out the transaction size of the 25k transaction:
http://blockchain.info/tx-index/2893660/d9804de366aa4c2a01565c3a3c8aa2ea20baafc276dc875f80b9044841205333
Size:   1337 (bytes)

I guarantee that isn't a coincidence.


Satoshi is back!!



Matthew N. Wright
March 02, 2012, 02:49:54 PM
 #212

Shit, this guy knows his stuff. Check out the transaction size of the 25k transaction:
http://blockchain.info/tx-index/2893660/d9804de366aa4c2a01565c3a3c8aa2ea20baafc276dc875f80b9044841205333
Size:   1337 (bytes)

I guarantee that isn't a coincidence.


Satoshi is back!!

Yep. Just reclaiming his property.

HostFat
March 02, 2012, 02:58:12 PM
 #213

Satoshi is back!!
Wait! Are these addresses connected with some that Satoshi owned? ( I know that I can check, I just want an easy answer Grin )

NON DO ASSISTENZA PRIVATA - http://hostfatmind.com
HostFat
March 02, 2012, 03:09:24 PM
 #214

Anyway, it can be interesting to see who with a good knowledge of Bitcoin isn't posting on the forum during the last 2/3 days Smiley
( posting somewhere in the forum after my message isn't a good way to avoid the scanning Grin )

NON DO ASSISTENZA PRIVATA - http://hostfatmind.com
JoelKatz
March 02, 2012, 04:19:00 PM
 #215

Yea, so you agree then? Linode should be held responsible since it had nothing to do with customer security and was indistinguishable from an inside job...
That forces the majority of Linode customers, who don't host large-value websites, to subsidize those who do. To provide coverage for exceptional and consequential losses, Linode would have to obtain much more expensive insurance and raise their rates to cover it. There's certainly room in the market for such a service, but I don't see why Linode should be forced to provide it, and their customers forced to pay for it, if they don't wish to.

If you leave your $50,000 Rolex watch in the pocket of a coat you put in the coat check of your local restaurant, you can't expect them to be responsible for it. It's just too costly to provide a service suitable for that type of high-value item. Use a safety-deposit box, where you pay for that level of security.

Bitcoins in a hot wallet are simply too valuable and too easy to steal. Putting them on a cheap hosting account is equivalent to checking the Rolex at a restaurant.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
cypherdoc
March 02, 2012, 04:23:28 PM
 #216

our gov't stores gold at Fort Knox (allegedly) or in the basement of the FRBNY inside vaults with security guards, etc.

our banks store their fiat cash in vaults with similar heavy security.

Bitcoin cash needs to be stored in a likely manner.
bitcoinBull
March 02, 2012, 04:35:46 PM
 #217

Operator of Silk Road?

Coincidentally with this incident I went to check the road, and guess what...

Quote
The Silk Road is down for maintenance. We will get the site back up asap. Thank you for your patience.

Now this would be interesting.  Wild speculation here.. but SR could've been hosting their online-wallet at linode and may have been one of the other 5 linode accounts accessed.

College of Bucking Bulls Knowledge
BkkCoins
March 02, 2012, 04:38:13 PM
 #218

Yea, so you agree then? Linode should be held responsible since it had nothing to do with customer security and was indistinguishable from an inside job...
That forces the majority of Linode customers, who don't host large-value websites, to subsidize those who do. To provide coverage for exceptional and consequential losses, Linode would have to obtain much more expensive insurance and raise their rates to cover it. There's certainly room in the market for such a service, but I don't see why Linode should be forced to provide it, and their customers forced to pay for it, if they don't wish to.

If you leave your $50,000 Rolex watch in the pocket of a coat you put in the coat check of your local restaurant, you can't expect them to be responsible for it. It's just too costly to provide a service suitable for that type of high-value item. Use a safety-deposit box, where you pay for that level of security.

Bitcoins in a hot wallet are simply too valuable and too easy to steal. Putting them on a cheap hosting account is equivalent to checking the Rolex at a restaurant.
IMO the only way in court you might successfully win damages is if you showed they were negligent regarding their security. I think that would be pretty hard. You'd probably have to show they were aware of the vulnerability or open "customer service portal" and disregarded it. Or maybe they knew an employee was involved in malicious accesses but ignored it. In either case it would probably require an inside whistle blower. So far there haven't been indications that negligence occurred.

bitcoinbetas
March 02, 2012, 04:40:32 PM
 #219

So what is the latest? Have the 43,000 bitcoins left the wallet yet?
btc_artist
March 02, 2012, 04:44:33 PM
 #220

So what is the latest? Have the 43,000 bitcoins left the wallet yet?
What exactly do you mean by "left the wallet"?

BTC: 1CDCLDBHbAzHyYUkk1wYHPYmrtDZNhk8zf
LTC: LMS7SqZJnqzxo76iDSEua33WCyYZdjaQoE