Matthew N. Wright
Untrustworthy
Hero Member
Offline
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
|
|
March 02, 2012, 04:46:23 PM |
|
Quote: So far there haven't been indications that negligence occurred.
From...? Did you expect Linode to announce it openly or for anyone in the community to know that without a formal investigation?
Quote: That forces the majority of Linode customers, who don't host large-value websites, to subsidize those who do.
I was referring to the off-chance that Linode knew about their hacker and he works there at Linode, and they're just covering it up. They mentioned something about a policy change due to this incident. Covering their asses through insurance or profits doesn't change anything for existing customers. I guess you misunderstood. Anyway, it doesn't matter what I think, what matters is if a court of law sees Linode as being responsible.
Quote: If you leave your $50,000 Rolex watch in the pocket of a coat you put in the coat check of your local restaurant, you can't expect them to be responsible for it.
Really? And when it's the coat checker that steals the watch, you can't expect the police to come? When the coat checker isn't caught, you can't sue the restaurant? You must not live in the USA....
|
|
|
|
bitcoinbetas
|
|
March 02, 2012, 04:47:11 PM |
|
Quote: So what is the latest has the 43,000 bitcoins left the wallet yet?
Quote: What exactly do you mean by "left the wallet"?
I guess I meant left the wallet of the thief to say an exchange i.e. Mt. Gox or off to silk road to purchase $15,000 dollars worth of guns and drugs.
|
|
|
|
Portnoy
Legendary
Offline
Activity: 2030
Merit: 1000
My money; Our Bitcoin.
|
|
March 02, 2012, 05:01:53 PM |
|
Quote: It looks that also user database has been compromised. Although passwords are stored in SHA1 with salt, I strongly recommend to change your password on the pool immediately.
I have been trying for a while now. I haven't gotten the email that page says will be sent to allow one to do that.
|
|
|
|
check_status
Full Member
Offline
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
|
|
March 02, 2012, 05:13:53 PM |
|
Quote: You missed - on eligius, added bonus: The coins you receive are virgin whereas with most pools you potentially could get mixed/old coins.
Quote: What is the advantage of virgin coins weren't you the one that brought up the whole concept of taint recently?
Quote: virgin coins have 0% taint.
I thought Taint was the space between the vajayjay and the brown eye. It would seem Linode is the weakest link for those hosting bitcoin stuff. Customers will need to implement a system that can thwart Linodes retardedness. Could this be another attempt to manipulate the market with bad news? The stolen funds would remain in hibernation because they are not needed when the theft is for damaging BTC value via bad news.
|
For Bitcoin to be a true global currency the value of BTC needs always to rise. If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76. P2Pool Server List | How To's and Guides Mega List | 1 EndfedSryGUZK9sPrdvxHntYzv2EBexGA
|
|
|
Clipse
|
|
March 02, 2012, 05:29:32 PM |
|
To any sane person the bad news is all on linode.
|
...In the land of the stale, the man with one share is king... >> ClipseWe pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
|
|
|
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
|
|
March 02, 2012, 07:23:16 PM |
|
Quote: IMO the only way in court you might successfully win damages is if you showed they were negligent regarding their security.
Well, before you can determine that, you have to determine how vigilant their security should have been, and that depends on whether you think Linode was marketed as suitable for high-value, easy theft targets like hot Bitcoin wallets.
Quote: I think that would be pretty hard. You'd probably have to show they were aware of the vulnerability or open "customer service portal" and disregarded it. Or maybe they knew an employee was involved in malicious accesses but ignored it. In either case it would probably require an inside whistle blower. So far there haven't been indications that negligence occurred.
Well, we don't know yet. But from just the evidence we have so far, I think it's at least reasonably probable that negligence on Linode's part was involved if you think the appropriate standard is sufficient security to host high-value Bitcoin sites. Take my $50,000 Rolex in the coat room example. If the coat check attendant goes to the bathroom and doesn't have another employee watch the coat room, is that negligent? Yes if the coat room is supposed to be suitable for storing $50,000 Rolexes. Otherwise, no.
|
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
|
|
|
Matthew N. Wright
|
|
March 02, 2012, 07:27:13 PM |
|
Quote: Take my $50,000 Rolex in the coat room example. If the coat check attendant goes to the bathroom and doesn't have another employee watch the coat room, is that negligent? Yes if the coat room is supposed to be suitable for storing $50,000 Rolexes. Otherwise, no.
Dude. Please don't embarrass us with "coat check" examples anymore. Even a parking lot would be more suitable of an example, or even a storage container facility. Those have contracts at least and expect you to store things for extended periods of time. You're saying I can't sue the parking garage of one of their employees breaking into my car and stealing it? You're saying that I can't sue the shipping container company for leaving their keys outside of my container and letting someone just rob me? Give me a break.
|
|
|
|
JoelKatz
|
|
March 02, 2012, 07:29:16 PM |
|
Quote: That forces the majority of Linode customers, who don't host large-value websites, to subsidize those who do.
Quote: I was referring to the off-chance that Linode knew about their hacker and he works there at Linode, and they're just covering it up. They mentioned something about a policy change due to this incident. Covering their asses through insurance or profits doesn't change anything for existing customers. I guess you misunderstood. Anyway, it doesn't matter what I think, what matters is if a court of law sees Linode as being responsible.
They're not covering anything up. I think it's quite likely an inside job involving a Linode employee or former employee. Linode hasn't said so, but they haven't denied it. It's possible they don't know.
Quote: If you leave your $50,000 Rolex watch in the pocket of a coat you put in the coat check of your local restaurant, you can't expect them to be responsible for it.
Quote: Really? And when it's the coat checker that steals the watch, you can't expect the police to come? When the coat checker isn't caught, you can't sue the restaurant? You must not live in the USA....
You can certainly expect the police to come and the employee, if caught, to go to jail. But you aren't likely to recover $50,000 from the restaurant. They're not required to make Fort Knox to check coats.
|
|
|
eleuthria
Legendary
Offline
Activity: 1750
Merit: 1007
|
|
March 02, 2012, 07:36:18 PM |
|
It's tough to say if Linode should be held liable for the damages, but only because I don't think they're going to give us the full story of what happened.
If this was an outsider accessing their Customer Service administration, then that seems like negligence to me. Under no circumstances should a "super admin" style of account be accessible from anything but pre-approved IP addresses. That is negligence to allow such a powerful type of account to be public facing.
If this was an inside job (rogue sys admin), Linode should be liable to the customers. It is then up to them to decide if they are going to sue the now former employee to recoup the damages on their end.
|
RIP BTC Guild, April 2011 - June 2015
|
|
|
Herodes
|
|
March 02, 2012, 07:44:52 PM |
|
If it looks like an insider job, and it smells like an insider job, it is.... ... an insider job.
First off, what strikes me as odd (and forgive me not to read through everything that's been written about these issues in the forum for the last hours) is that the attacker targeted just Linode customers that had bitcoind running. I mean, if it was only Bitcoinica that was targeted, an outside attacker would seem more plausible, but eight customers that all ran bitcoind, and those were the only ones affected? Seems very plausible that it's a superadmin that did this. After all, that makes logical sense, when tracks are hidden that well.
The first thing I would do if I were to investigate this case would be to interview everyone that has superadmin access at Linode, and I mean though confrontive cross examination, and lie detector tests, everything you can throw at them + getting at all and every server logs. I assume Bitcoinica works with law enforcement on this one? It's a lot of money gone here.
Anyway, let's take the lessons we can, and thumbs up for all the good operators that decided to use their own money to reimburse the customers.
|
|
|
|
check_status
|
|
March 02, 2012, 08:14:33 PM |
|
Quote: To any sane person the bad news is all on linode.
So you are not willing to believe that the Dole food chain (salads specifically) were poisoned in order to profit from put option trades? There are hundreds more of this type of examples for stocks. Of course there are no put options for Bitcoins but the method can still be used to profit or attack the value. Good and bad news has reactive tangible effects on volatile markets, of which Bitcoin is one.
|
|
|
Clipse
|
|
March 02, 2012, 08:42:30 PM |
|
Quote: To any sane person the bad news is all on linode.
Quote: So you are not willing to believe that the Dole food chain (salads specifically) were poisoned in order to profit from put option trades? There are hundreds more of this type of examples for stocks. Of course there are no put options for Bitcoins but the method can still be used to profit or attack the value. Good and bad news has reactive tangible effects on volatile markets, of which Bitcoin is one.
Yes of course it makes more sense in the real world that someone stole the coins not to sell it for personal gain but to only crash the market due to tinfoil conspiracies.
|
|
|
Matthew N. Wright
|
|
March 03, 2012, 12:28:29 AM |
|
Guys, CoinExchanger is turning out to be the likely culprit in the hack. I am almost sure that bitcoinica.com is out of funds and they are keeping the site open to get more deposits and ponzi those deposits on those who want to withdrawal. The 17 year old just lost 250,000 Dollars and I doubt he has an extra 250K to cover his loss. I would encourage everyone to withdrawal your funds from bitcoinica and watch the shit hit the fan. Visit, www.coinexchanger.com We will lower our withdrawal fee in the next couple of days, in the meantime 9% is fair. CoinExchanger.com is an admittedly unregistered MLB (money license business) that must be registered by FinCEN within 6 months of opening their doors and sharing their first stored value. They have not done so and are in direct violation of federal law. The owner of CoinExchanger.com is Leo Camilo, who advertises his address as 440 9th ave, New york, New York,10001 US and personal telephone number 1 (347) 469-1040. His private email (search google) is atqcapital@gmail.com. He has publicly stated on multiple occasions that: - bitcoin is fake money, "monopoly money" and has no value and should not be trusted for this reason.
- his exchange is functional with a large user base, when not a single user has ever reportedly done business with him
- he is holding coins stolen from Zhou Tong's Bitcoinica and says "fuck you Zhou, you're just a stupid 17 year old kid, these coins are mine now" basically.
He also:
- goes under the sock puppet scammer account name "Maria"
- claims to be a millionaire and restaurant owner
He is currently in possession of stolen Bitcoins from the Linode hack and any coins purchased from him will not be accepted by MtGox or anyone in the Bitcoin community.
|
|
|
|
Jon
Donator
Member
Offline
Activity: 98
Merit: 12
No Gods; No Masters; Only You
|
|
March 03, 2012, 12:38:40 AM |
|
Except after they have been properly laundered through the Silk Road.
/devil's advocate
|
The Communists say, equal labour entitles man to equal enjoyment. No, equal labour does not entitle you to it, but equal enjoyment alone entitles you to equal enjoyment. Enjoy, then you are entitled to enjoyment. But, if you have laboured and let the enjoyment be taken from you, then – ‘it serves you right.’ If you take the enjoyment, it is your right.
|
|
|
SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
|
|
March 03, 2012, 01:07:35 AM |
|
Guys, CoinExchanger is turning out to be the likely culprit in the hack. I am almost sure that bitcoinica.com is out of funds and they are keeping the site open to get more deposits and ponzi those deposits on those who want to withdrawal. The 17 year old just lost 250,000 Dollars and I doubt he has an extra 250K to cover his loss. I would encourage everyone to withdrawal your funds from bitcoinica and watch the shit hit the fan. Visit, www.coinexchanger.com We will lower our withdrawal fee in the next couple of days, in the meantime 9% is fair. CoinExchanger.com is an admittedly unregistered MLB (money license business) that must be registered by FinCEN within 6 months of opening their doors and sharing their first stored value. They have not done so and are in direct violation of federal law. The owner of CoinExchanger.com is Leo Camilo, who advertises his address as 440 9th ave, New york, New York,10001 US and personal telephone number 1 (347) 469-1040. His private email (search google) is atqcapital@gmail.com. He has publicly stated on multiple occasions that: - bitcoin is fake money, "monopoly money" and has no value and should not be trusted for this reason.
- his exchange is functional with a large user base, when not a single user has ever reportedly done business with him
- he is holding coins stolen from Zhou Tong's Bitcoinica and says "fuck you Zhou, you're just a stupid 17 year old kid, these coins are mine now" basically.
He also:
- goes under the sock puppet scammer account name "Maria"
- claims to be a millionaire and restaurant owner
He is currently in possession of stolen Bitcoins from the Linode hack and any coins purchased from him will not be accepted by MtGox or anyone in the Bitcoin community.
The part in big letters there... how do you know that he is in possession of coins from the hack?
|
|
|
|
Jine
|
|
March 03, 2012, 01:14:07 AM |
|
We cannot know for sure to be totally honest, he claims this is a transaction to his service; http://blockchain.info/address/0d9e2cd87cef275505cd1a831a8fdf86cd2ff571
See... some other thread for proof, too many threads to look through. But it was something like "Hey, we just received another 12k deposit!"
|
Previous founder of Bit LC Inc. | I've always loved the idea of bitcoin.
|
|
|
kiba
Legendary
Offline
Activity: 980
Merit: 1020
|
|
March 03, 2012, 01:40:08 AM |
|
I am rather confused. Don't like to judge until I have better information about this CoinExchanger, i.e., posts and comments.
|
|
|
|
JoelKatz
|
|
March 03, 2012, 03:37:52 AM |
|
Quote: Dude. Please don't embarrass us with "coat check" examples anymore. Even a parking lot would be more suitable of an example, or even a storage container facility. Those have contracts at least and expect you to store things for extended periods of time.
The point is the difference between using a service in a way that requires the normal level of security and using a service in a way that requires an extraordinary level of security from the provider.
Quote: You're saying I can't sue the parking garage of one of their employees breaking into my car and stealing it?
Yes, but don't expect to get back the $5 million if you store a prototype car there.
Quote: You're saying that I can't sue the shipping container company for leaving their keys outside of my container and letting someone just rob me?
Yes, but don't expect them to cover the costs if your shipment was diamonds, unless they knew and agreed to extra security appropriate to diamonds.
Quote: Give me a break.
In your world, every business would have to provide security adequate to cover the most bizarre uses of their service. FedEx would have to have a team of armed guards follow every truck they dispatch just in case a package had millions of dollars worth of diamonds in it and the owner of the shipment made the shipment details public so thieves knew just what to target. But in fact, that's not how such services operate. They have precisely-defined liability limits and they require shippers to declare high-value operations and pay extra if you want them to insure them. Yes or no, do you believe FedEx is legally obligated to defend every package they ship in a way that's suitable to protect millions of dollars worth of diamonds from an inside job? If yes, how do you think they should pay for that? If no, how can they be negligent if their security was adequate for ordinary shipments?