Bitcoin Forum
December 10, 2016, 10:51:20 AM *
 
Pages: « 1 [2] 3 »  All
Author Topic: Bitcoinica Warning: Please do not re-use any old Bitcoin deposit addresses  (Read 8911 times)
Nefario
Hero Member, Activity: 602
GLBSE Support support@glbse.com
March 02, 2012, 02:13:48 AM  #21

This doesn't make sense, why would you have a hot wallet with 10K BTC? Why would it ONLY be stored on a Linode VPS?

Hadn't bitcoinica gone all quiet for some time before this happened?

I think this is just a handy way to release some old bad news.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
proudhon
Legendary, Activity: 1148
March 02, 2012, 02:14:58 AM  #22

damn.  hot wallet is hot.

Z's hot wallet was hot.
And now his hot wallet is not.

pirateat40
Avast Ye!
Sr. Member, Activity: 378
"Yes I am a pirate, 200 years too late."
March 02, 2012, 02:15:03 AM  #23

This doesn't make sense, why would you have a hot wallet with 10K BTC? Why would it ONLY be stored on a Linode VPS?

Hadn't bitcoinica gone all quiet for some time before this happened?

I think this is just a handy way to release some old bad news.

I disagree, whatever happened, happened today.  I move coins all the time in and out of bitcoinica without an issue.

Eveofwar
Sr. Member, Activity: 406
March 02, 2012, 02:15:33 AM  #24

@ zhoutong

What is the tx id of the lost coins?

+1

EDIT:  http://blockchain.info/tx-index/2873808/0268b7285b95444808753969099f7ae43fb4193d442e3e0deebb10e2bb1764d0 ?
malevolent
can into space
Staff, Legendary, Activity: 1624
March 02, 2012, 02:18:23 AM  #25

The Linode's user agreement says, "no".

That doesn't mean Linode can't be sued and forced to reimburse the losses.
kiba
Legendary, Activity: 980
March 02, 2012, 02:19:03 AM  #26

The Linode's user agreement says, "no".

That doesn't mean Linode can't be sued and forced to reimburse the losses.


It would need to be worth the lawyer fee to sue.

bitcoinBull
Legendary, Activity: 826
rippleFanatic
March 02, 2012, 02:40:31 AM  #27

This doesn't make sense, why would you have a hot wallet with 10K BTC? Why would it ONLY be stored on a Linode VPS?

Hadn't bitcoinica gone all quiet for some time before this happened?

I think this is just a handy way to release some old bad news.

I figure he wanted to host the site, with user information and all, separately from the wallet.  That way if the site gets penetrated (which one would think is more likely since it has more attack vectors), the wallet would still be secure.


damn.  hot wallet is hot.
Z's hot wallet was hot.
And now his hot wallet is not.

Au contraire, now it's even hotter.


College of Bucking Bulls Knowledge
kurtosis
Newbie, Activity: 17
What is this I don't even
March 02, 2012, 02:48:38 AM  #28

That's why we should support BIP16 as soon as possible...
Actually no.  This too will pass.  Bitcoin is a multi-decade project, and once technical decisions are written into the blockchain they are very hard or impossible to reverse.

Hence, it's much more important for the dev team to resist artificial time pressures and focus on making the right decision for the long-term, even if they need to take longer in the short-term to fully understand the ramifications and consequences of crucial technical decisions.

https://cryptanalys.is/profile.php?u=kurtosis
evoorhees
Legendary, Activity: 994
Democracy is the original 51% attack
March 02, 2012, 02:52:40 AM  #29

Zhou, thank you sincerely for being honorable, reporting quickly and fully, and absorbing the loss.

Very impressed with you and Slush today. I give you my sincere gratitude.
DeathAndTaxes
Donator, Legendary, Activity: 1218
Gerald Davis
March 02, 2012, 02:54:09 AM  #30

more and more worthless with every theft.

Generally speaking criminals don't steal worthless things.

Like for example I haven't ever heard of a thief stealing poop out of someone's toilet, rotten garbage, or used tissues.

I have heard of thieves stealing artwork, cars, gold, currency and yes Bitcoins.
finway
Hero Member, Activity: 714
March 02, 2012, 02:59:31 AM  #31

That's sad.

kurtosis
Newbie, Activity: 17
What is this I don't even
March 02, 2012, 03:18:39 AM  #32

- Customer data is safe.

The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the -only- one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.
I just noticed that the Bitcoinica login page appears to have no lost/forgot password functionality, that the only way to change your password is to successfully login and change it from the admin account.  Might I suggest adding this feature?  

The reason is that if Bitcoinica is ever cracked and the pwd database stolen, the thieves could run a script that changes all the passwords, as the Mt. Gox hackers did last summer.  I, having stupidly used the same login credentials as my Facebook and Twitter accounts, lost both those social media accounts in addition to my Mt.Gox one.  

It was only because they had password reset functionality publicly exposed on the login page that I was able to quickly send myself a pwd reset email and get them back before they also changed my account email address or any other harm was done.  

But as it is, if such an attack ever succeeds on Bitcoinica, the account is gone, no way for the user to quickly recover it.

https://cryptanalys.is/profile.php?u=kurtosis
marked
Full Member, Activity: 168
March 02, 2012, 03:19:18 AM  #33

Supposedly some outside hacker knew different high value sites would have Bitcoin wallets on Linode?

Trivial to determine - nslookup/dig A records and then traceroute to all the large sites. Find common denominators. See Linode is one, hack Linode, have many BTC.

marked
btc_artist
Full Member, Activity: 154
Bitcoin!
March 02, 2012, 03:27:10 AM  #34

Zhou, thank you sincerely for being honorable, reporting quickly and fully, and absorbing the loss.

Very impressed with you and Slush today. I give you my sincere gratitude.
+1;

BTC: 1CDCLDBHbAzHyYUkk1wYHPYmrtDZNhk8zf
LTC: LMS7SqZJnqzxo76iDSEua33WCyYZdjaQoE
acoindr
Legendary, Activity: 1036
March 02, 2012, 03:43:45 AM  #35

Supposedly some outside hacker knew different high value sites would have Bitcoin wallets on Linode?

Trivial to determine - nslookup/dig A records and then traceroute to all the large sites. Find common denominators. See Linode is one, hack Linode, have many BTC.

marked

True, but that still implies prior knowledge or a guess that large BTC sites would have a host in common. Then upon gaining the target is it really that inconsequential to gain such high level access to Linode, such a respected Linux host, as evidenced by them being a common denominator among sites? (Although I suppose that could be the basis for such a guess... but still, then to easily gain access? Either Linode is guilty or they shouldn't be hosting anyway.)
Raoul Duke
aka psy
Legendary, Activity: 1442
March 02, 2012, 03:44:02 AM  #36

more and more worthless with every theft.

Generally speaking criminals don't steal worthless things.

Like for example I haven't ever heard of a thief stealing poop out of someone's toilet, rotten garbage, or used tissues.

I have heard of thieves stealing artwork, cars, gold, currency and yes Bitcoins.

Couldn't agree more with you even if I wanted to ;)

zhoutong
VIP, Hero Member, Activity: 490
March 02, 2012, 03:54:42 AM  #37

- Customer data is safe.

The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the -only- one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.
I just noticed that the Bitcoinica login page appears to have no lost/forgot password functionality, that the only way to change your password is to successfully login and change it from the admin account.  Might I suggest adding this feature?  

The reason is that if Bitcoinica is ever cracked and the pwd database stolen, the thieves could run a script that changes all the passwords, as the Mt. Gox hackers did last summer.  I, having stupidly used the same login credentials as my Facebook and Twitter accounts, lost both those social media accounts in addition to my Mt.Gox one.  

It was only because they had password reset functionality publicly exposed on the login page that I was able to quickly send myself a pwd reset email and get them back before they also changed my account email address or any other harm was done.  

But as it is, if such an attack ever succeeds on Bitcoinica, the account is gone, no way for the user to quickly recover it.

All customer passwords were encrypted with BCrypt. It's almost impossible to brute force even when the database is compromised.

Currently we require manual password reset because we want to evaluate the risk levels of password reset before we take actions on any accounts. E-mail shouldn't be the master key to everything.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
btc_artist
Full Member, Activity: 154
Bitcoin!
March 02, 2012, 03:57:02 AM  #38

All customer passwords were encrypted with BCrypt.
The correct term is "hashed", not "encrypted". Huge difference. :)

BTC: 1CDCLDBHbAzHyYUkk1wYHPYmrtDZNhk8zf
LTC: LMS7SqZJnqzxo76iDSEua33WCyYZdjaQoE
cypherdoc
Legendary, Activity: 1764
March 02, 2012, 04:05:08 AM  #39

All customer passwords were encrypted with BCrypt.
The correct term is "hashed", not "encrypted". Huge difference. :)

I sure hope Zhou knows the difference ::)
btc_artist
Full Member, Activity: 154
Bitcoin!
March 02, 2012, 04:18:13 AM  #40

All customer passwords were encrypted with BCrypt.
The correct term is "hashed", not "encrypted". Huge difference. :)

I sure hope Zhou knows the difference ::)
Well, he mentioned BCrypt, which is a hashing function, not an encryption function.  I think he just inadvertently used the wrong term here.

BTC: 1CDCLDBHbAzHyYUkk1wYHPYmrtDZNhk8zf
LTC: LMS7SqZJnqzxo76iDSEua33WCyYZdjaQoE
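The hashed-versus-encrypted distinction discussed in the last few posts, as an added example that is not code from Bitcoinica or from anyone in this thread: a minimal password store that keeps only salted, work-factored hashes, so a stolen table holds nothing a key could reverse. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (which is not in the standard library); the record format, the function names, the iteration count and the sample users are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Work factor (stand-in for bcrypt's cost): more iterations make every guess
# against a stolen table slower. Assumed value for this example.
ITERATIONS = 200_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash' (hex).

    Only this record is stored. There is no key that turns it back into the
    password, which is what separates hashing from encryption.
    """
    salt = os.urandom(16)  # per-user salt: equal passwords give unequal records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and work factor, then compare."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept it
    _, iters, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare so response timing does not leak matching bytes.
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower work factor than required
    now, so it should be re-hashed at the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed demo: two users pick the same password; stored records differ.
    table = {"alice": hash_password("hunter2"), "bob": hash_password("hunter2")}
    assert table["alice"] != table["bob"]
    assert verify_password("hunter2", table["alice"])
    assert not verify_password("hunter3", table["bob"])
    print("stored for alice:", table["alice"])
```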