Bitcoin Forum
Author Topic: Bitcoinica Warning: Please do not re-use any old Bitcoin deposit addresses  (Read 9727 times)

Nefario
March 02, 2012, 02:13:48 AM #21

This doesn't make sense, why would you have a hot wallet with 10K BTC? Why would it ONLY be stored on a Linode VPS?

Hadn't bitcoinica gone all quiet for some time before this happened?

I think this is just a handy way to release some old bad news.

proudhon
March 02, 2012, 02:14:58 AM #22

damn.  hot wallet is hot.

Z's hot wallet was hot.
And now his hot wallet is not.


pirateat40
March 02, 2012, 02:15:03 AM #23

> This doesn't make sense, why would you have a hot wallet with 10K BTC? Why would it ONLY be stored on a Linode VPS?
>
> Hadn't bitcoinica gone all quiet for some time before this happened?
>
> I think this is just a handy way to release some old bad news.

I disagree, whatever happened, happened today.  I move coins all the time in and out of bitcoinica without an issue.

Eveofwar
March 02, 2012, 02:15:33 AM #24

> @ zhoutong
>
> What is the tx id of the lost coins?

+1

EDIT:  http://blockchain.info/tx-index/2873808/0268b7285b95444808753969099f7ae43fb4193d442e3e0deebb10e2bb1764d0 ?

malevolent
March 02, 2012, 02:18:23 AM #25

> The Linode's user agreement says, "no".

That doesn't mean Linode can't be sued and forced to reimburse the losses.

kiba
March 02, 2012, 02:19:03 AM #26

> > The Linode's user agreement says, "no".
>
> That doesn't mean Linode can't be sued and forced to reimburse the losses.

It would need to be worth the lawyer fee to sue.

bitcoinBull
March 02, 2012, 02:40:31 AM #27

> This doesn't make sense, why would you have a hot wallet with 10K BTC? Why would it ONLY be stored on a Linode VPS?
>
> Hadn't bitcoinica gone all quiet for some time before this happened?
>
> I think this is just a handy way to release some old bad news.

I figure he wanted to host the site, with user information and all, separately from the wallet.  That way if the site gets penetrated (which one would think is more likely since it has more attack vectors), the wallet would still be secure.

> damn.  hot wallet is hot.
> Z's hot wallet was hot.
> And now his hot wallet is not.

Au contraire, now it's even hotter.

kurtosis
March 02, 2012, 02:48:38 AM #28

> That's why
>
> we should support BIP16 as soon as possible...

Actually no.  This too will pass.  Bitcoin is a multi-decade project, and once technical decisions are written into the blockchain they are very hard or impossible to reverse.

Hence, it's much more important for the dev team to resist artificial time pressures and focus on making the right decision for the long-term, even if they need to take longer in the short-term to fully understand the ramifications and consequences of crucial technical decisions.

evoorhees
March 02, 2012, 02:52:40 AM #29

Zhou, thank you sincerely for being honorable, reporting quickly and fully, and absorbing the loss.

Very impressed with you and Slush today. I give you my sincere gratitude.

DeathAndTaxes
March 02, 2012, 02:54:09 AM #30

> more and more worthless with every theft.

Generally speaking criminals don't steal worthless things.

Like for example I haven't ever heard of a thief stealing poop out of someone's toilet, rotten garbage, or used tissues.

I have heard of thieves stealing artwork, cars, gold, currency and yes Bitcoins.

finway
March 02, 2012, 02:59:31 AM #31

That's sad.

kurtosis
March 02, 2012, 03:18:39 AM #32

> - Customer data is safe.
>
> The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the -only- one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.

I just noticed that the Bitcoinica login page appears to have no lost/forgot password functionality, that the only way to change your password is to successfully log in and change it from the admin account.  Might I suggest adding this feature?

The reason is that if Bitcoinica is ever cracked and the pwd database stolen, the thieves could run a script that changes all the passwords, as the Mt. Gox hackers did last summer.  I, having stupidly used the same login credentials as my Facebook and Twitter accounts, lost both those social media accounts in addition to my Mt.Gox one.  

It was only because they had password reset functionality publicly exposed on the login page that I was able to quickly send myself a pwd reset email and get them back before they also changed my account email address or any other harm was done.  

But as it is, if such an attack ever succeeds on Bitcoinica, the account is gone, no way for the user to quickly recover it.

marked
March 02, 2012, 03:19:18 AM #33

> Supposedly some outside hacker knew different high value sites would have Bitcoin wallets on Linode?

trivial to determine - nslookup/dig a records and then traceroute to all the large sites. Find common denominators. See linode is one, hack linode, have many BTC.

btc_artist
March 02, 2012, 03:27:10 AM #34

> Zhou, thank you sincerely for being honorable, reporting quickly and fully, and absorbing the loss.
>
> Very impressed with you and Slush today. I give you my sincere gratitude.

+1;

acoindr
March 02, 2012, 03:43:45 AM (last edit: March 02, 2012, 03:54:36 AM by acoindr) #35

> > Supposedly some outside hacker knew different high value sites would have Bitcoin wallets on Linode?
>
> trivial to determine - nslookup/dig a records and then traceroute to all the large sites. Find common denominators. See linode is one, hack linode, have many BTC.
>
> marked

True, but that still implies beforehand knowledge or a guess that large BTC sites would have a host in common. Then upon gaining the target is it really that inconsequential to gain such high level access to Linode, such a respected Linux host, as evidenced by them being a common denominator among sites? (although I suppose that could be the basis for such a guess... but still, then to easily gain access? Either Linode is guilty or they shouldn't be hosting anyway.)

Raoul Duke
March 02, 2012, 03:44:02 AM #36

> > more and more worthless with every theft.
>
> Generally speaking criminals don't steal worthless things.
>
> Like for example I haven't ever heard of a thief stealing poop out of someone's toilet, rotten garbage, or used tissues.
>
> I have heard of thieves stealing artwork, cars, gold, currency and yes Bitcoins.

Couldn't agree more with you even if I wanted to ;)

zhoutong (OP)
March 02, 2012, 03:54:42 AM #37

> > - Customer data is safe.
> >
> > The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the -only- one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.
>
> I just noticed that the Bitcoinica login page appears to have no lost/forgot password functionality, that the only way to change your password is to successfully log in and change it from the admin account.  Might I suggest adding this feature?
>
> The reason is that if Bitcoinica is ever cracked and the pwd database stolen, the thieves could run a script that changes all the passwords, as the Mt. Gox hackers did last summer.  I, having stupidly used the same login credentials as my Facebook and Twitter accounts, lost both those social media accounts in addition to my Mt.Gox one.
>
> It was only because they had password reset functionality publicly exposed on the login page that I was able to quickly send myself a pwd reset email and get them back before they also changed my account email address or any other harm was done.
>
> But as it is, if such an attack ever succeeds on Bitcoinica, the account is gone, no way for the user to quickly recover it.

All customer passwords were encrypted with BCrypt. It's almost impossible to brute force even when the database is compromised.

Currently we require manual password reset because we want to evaluate the risk levels of password reset before we take actions on any accounts. E-mail shouldn't be the master key to everything.

btc_artist
March 02, 2012, 03:57:02 AM #38

> All customer passwords were encrypted with BCrypt.

The correct term is "hashed", not "encrypted". Huge difference. :)

cypherdoc
March 02, 2012, 04:05:08 AM #39

> > All customer passwords were encrypted with BCrypt.
>
> The correct term is "hashed", not "encrypted". Huge difference. :)

I sure hope Zhou knows the difference (rolls eyes)

btc_artist
March 02, 2012, 04:18:13 AM #40

> > > All customer passwords were encrypted with BCrypt.
> >
> > The correct term is "hashed", not "encrypted". Huge difference. :)
>
> I sure hope Zhou knows the difference (rolls eyes)

Well, he mentioned BCrypt, which is a hashing function, not an encryption function.  I think he just inadvertently used the wrong term here.

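The hashed-versus-encrypted distinction in the last few posts, as an added example that is not part of the thread: a password store with a random per-user salt and a tunable work factor, using PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for BCrypt (bcrypt itself is not in the stdlib; the properties shown are the same), with constant-time verification, tolerant handling of malformed records, and a check that flags records stored under a weaker work factor so they can be rehashed at next login. The record format and the `needs_rehash` policy are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for BCrypt: PBKDF2-HMAC-SHA256 from the standard library
# (bcrypt is not in the stdlib). The properties that matter are the same: a random
# per-user salt, a tunable work factor, and no key anywhere that could "decrypt".
WORK_FACTOR = 100_000  # iterations; raise as hardware gets faster
ALGO = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = WORK_FACTOR,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt$digest (base64 fields)."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per record: equal passwords, unequal records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and work factor; nothing is decrypted."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False  # malformed record counts as a mismatch, not a crash
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def needs_rehash(record: str, minimum_iterations: int = WORK_FACTOR) -> bool:
    """True when a stored record is below the current work-factor policy (rehash at next login)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < minimum_iterations


if __name__ == "__main__":
    # Constructed sample: two customers who happen to pick the same password.
    pw = "correct horse battery staple"
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("records differ despite equal passwords:", rec_a != rec_b)
    print("correct password verifies:", verify_password(pw, rec_a))
    print("wrong password rejected:", verify_password(pw.upper(), rec_a))
    print("weak legacy record flagged:", needs_rehash(hash_password(pw, iterations=1_000)))
```

Because there is no key, the only way to get a password back from a leaked record is to guess it and pay the full work factor per guess, which is the property behind the "almost impossible to brute force" claim above.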