Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized

[Rassah]

I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.

Exactly how have you made the assessment of the security of the Mt. Gox platform that allows you to make this claim?

Their word that they rewrote the code for it from scratch, closed down all access they could, and are now storing most coins in offline storage. Also them putting limits on all withdrawals, requiring some type of ID for anyone wishing to withdraw substantial funds, and being the first to use two factor authentication. Plus the part about them still being the top exchange by volume by far, and yet not being hacked since that last incident almost 9 months ago. Also, I wouldn't be surprised if a lot of the common sense ideas everyone uses now (cold storage, withdrawal limits, two factor option) were things people didn't care about until MtGox incident, and which they got from MtGox since then. I wouldn't be surprised if Bitcoinica came up with new security procedures that everyone else six months from now would look back on as a no-brainer, and at the very least this would emphasize the urgency of implementing multi-sig security, whereas without it people would have greeted the change with a "meh." In fact, I'd go as far as to say we were about due for another major security breach to get people to learn more about or invent better security measures. The more that happens during Bitcoin's development stage the better.

[1715278241]

1715278241

[1715278241]

1715278241

[1715278241]

1715278241

[1715278241]

1715278241

[1715278241]

1715278241

[1715278241]

1715278241

[muyuu]

I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.

Exactly how have you made the assessment of the security of the Mt. Gox platform that allows you to make this claim?

Their word that they rewrote the code for it from scratch, closed down all access they could, and are now storing most coins in offline storage. Also them putting limits on all withdrawals, requiring some type of ID for anyone wishing to withdraw substantial funds, and being the first to use two factor authentication. Plus the part about them still being the top exchange by volume by far, and yet not being hacked since that last incident almost 9 months ago. Also, I wouldn't be surprised if a lot of the common sense ideas everyone uses now (cold storage, withdrawal limits, two factor option) were things people didn't care about until MtGox incident, and which they got from MtGox since then. I wouldn't be surprised if Bitcoinica came up with new security procedures that everyone else six months from now would look back on as a no-brainer, and at the very least this would emphasize the urgency of implementing multi-sig security, whereas without it people would have greeted the change with a "meh." In fact, I'd go as far as to say we were about due for another major security breach to get people to learn more about or invent better security measures. The more that happens during Bitcoin's development stage the better.

In reality we have one true measure regarding to security and its perception in the Bitcoin community: time passed since last big fuck-up.

It was just reset to zero yesterday. In the particular case of MtGox, we have it running at under a year still.

[cypherdoc]

I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.

Exactly how have you made the assessment of the security of the Mt. Gox platform that allows you to make this claim?

Their word that they rewrote the code for it from scratch, closed down all access they could, and are now storing most coins in offline storage. Also them putting limits on all withdrawals, requiring some type of ID for anyone wishing to withdraw substantial funds, and being the first to use two factor authentication. Plus the part about them still being the top exchange by volume by far, and yet not being hacked since that last incident almost 9 months ago. Also, I wouldn't be surprised if a lot of the common sense ideas everyone uses now (cold storage, withdrawal limits, two factor option) were things people didn't care about until MtGox incident, and which they got from MtGox since then. I wouldn't be surprised if Bitcoinica came up with new security procedures that everyone else six months from now would look back on as a no-brainer, and at the very least this would emphasize the urgency of implementing multi-sig security, whereas without it people would have greeted the change with a "meh." In fact, I'd go as far as to say we were about due for another major security breach to get people to learn more about or invent better security measures. The more that happens during Bitcoin's development stage the better.

i agree with this.

[grue]

In reality we have one true measure regarding to security and its perception in the Bitcoin community: time passed since last big fuck-up.

It was just reset to zero yesterday. In the particular case of MtGox, we have it running at under a year still.

It's not really a "fuck-up" if the server provider is compromised. the mtgox breach was caused by a employee that had access to the db, which is totally different.

[Rassah]

Rassah, you are a bastion of common sense.

Common sense is just common, not sensical. What MtGox and Bitcoinica were doing before they got hacked was common sense  

[muyuu]

In reality we have one true measure regarding to security and its perception in the Bitcoin community: time passed since last big fuck-up.

It was just reset to zero yesterday. In the particular case of MtGox, we have it running at under a year still.

It's not really a "fuck-up" if the server provider is compromised. the mtgox breach was caused by a employee that had access to the db, which is totally different.

It doesn't matter who fucked up. It's a combination of things. Criminals have stashed a big amount of coins from important figureheads in the community. For the layman this translates as "BTC are insecure, even their gurus get stolen."

Notice I was talking about security and its perception.

Personally I think one should never store his private keys anywhere it can be seen in any form they can possibly be seen, so the responsibility would be shared.

True enough, VPS's are nice and cheap. I use them. But I don't put any private keys in them, or anything that can be directly stolen.

Hopefully this is a learnt lesson now.

[Elwar]

Bitcoin is definitely not yet ready for prime time when it comes to large companies where several people have access to the money with no paper trail if it goes missing.

[goodlord666]

Again, we would like to reassure that trading will not be in any way affected and we are already in the process of contacting Linode regarding this incident. The Bitcoinica system has not been compromised and our reserves are more than sufficient for regular trading activities.

Your writing style has improved exceptionally since the beginning! Keep it up!

[MPOE-PR]

Yes, our historical profit is fairly sufficient to cover the loss from this incident

From bitcoinica right now:

73,661.62 traded (56% hedged) 1.152% equivalent fees (indicative)

73661.62 BTC * 1.152 / 100 = 848.581862400 BTC

From Thursday, 1 September 2011 to Friday, 2 March 2012: 183 days.

If bitcoinica grew linearly (unlikely, but for the sake of argument)

848.581862400 * 183 / 2 = 77645.240409600 BTC, or less than twice the 43k lost.

Basically Zhou is putting most of this revenue to cover for this loss, which shows real mettle. To all the people going "o, he's a 17 yo kid": no. He's a 17 yo man.

[BadBear]

He has a nice little business going, eventually he can hire staff to run it while he focuses on other things, using the profits as capital. So he's definitely gonna wanna keep it going.

[LoupGaroux]

As the business owner he set the volume of his hot wallet based on what he believed to be his transactional needs. Hard to fault a businessman for trying to handle his customers needs well. He got ripped off and is standing behind his reputation and his service with his own money. Hard to fault a guy for being honest and showing some backbone in adversity.

Sounds like he may be getting some valuable advice about who should be the responsible party here... absolutely inexcusable that Linode permitted this vulnerability, and the responsibility is theirs to make good on all losses, irrespective of whatever exclusionary language they might have pasted into their service agreements. It is called fiduciary responsibility, and they failed.

[Aggro]

I cant help but know some Linode employee wont be at work tomorrow.

This all is way way way to convenient, seems like an inside job planned overtime with the knowledge of who runs worthwhile bitcoin services and on which VPS accounts.

This is alot of money, please for all of us make its your top priority to get compensation out of Linode otherwise any future losses less than this would be seen acceptable by these crappy hosting companies or other services.

Indeed. It seems rather odd that a random hacker would systematically probe linode for security flaws, and then magically find 8 customers related to bitcoin, and methodically empty their wallets. This is clearly somebody from the inside.

[Matthew N. Wright]

I cant help but know some Linode employee wont be at work tomorrow.

This all is way way way to convenient, seems like an inside job planned overtime with the knowledge of who runs worthwhile bitcoin services and on which VPS accounts.

This is alot of money, please for all of us make its your top priority to get compensation out of Linode otherwise any future losses less than this would be seen acceptable by these crappy hosting companies or other services.

Indeed. It seems rather odd that a random hacker would systematically probe linode for security flaws, and then magically find 8 customers related to bitcoin, and methodically empty their wallets. This is clearly somebody from the inside.

I don't know, I hacked VizVideo's phone banks and the St. Joseph county library network both using the method you just described --stumbling upon it.

[stochastic]

We didn't have the opportunity to scan our whole system for suspicious transactions that were not initiated from our customers because we had to shut down the system immediately after we've discovered the huge loss. We did get a rough estimate and we published a press release to warn our users about the deposit address replacement.

However, now we have concluded that we lost 43,554 BTC from this incident and we will reimburse our customers for the full amount. For transparency, we would like to disclose all the suspicious transaction ids in this incident:

I hope you get insurance next time to account for any losses due to theft.

Doesn't exist.

You could only have the USD insured.

Any insurance can exist.  It is just a contract.  Of course if these thefts keeps happening then the premiums are going to be expensive.

[Matthew N. Wright]

Any insurance can exist.  It is just a contract.  Of course if these thefts keeps happening then the premiums are going to be expensive.

I didn't say it won't ever exist, I said it doesn't exist. Now provide your link to the only service in the world that will insure bitcoins (because I've checked to London and back and there isn't one) or stop daydreaming outloud.

[stochastic]

Any insurance can exist.  It is just a contract.  Of course if these thefts keeps happening then the premiums are going to be expensive.

I didn't say it won't ever exist, I said it doesn't exist. Now provide your link to the only service in the world that will insure bitcoins (because I've checked to London and back and there isn't one) or stop daydreaming outloud.

What I am saying is a person needs to call a specialist insurance company and they will figure it out.  Did you call Lloyd's?

[Phinnaeus Gage]

Again, we would like to reassure that trading will not be in any way affected and we are already in the process of contacting Linode regarding this incident. The Bitcoinica system has not been compromised and our reserves are more than sufficient for regular trading activities.

Your writing style has improved exceptionally since the beginning! Keep it up!

Ironically, I was going to pen a similar sentiment, but you, goodlord666, beat me to it.

[Matthew N. Wright]

Any insurance can exist.  It is just a contract.  Of course if these thefts keeps happening then the premiums are going to be expensive.

I didn't say it won't ever exist, I said it doesn't exist. Now provide your link to the only service in the world that will insure bitcoins (because I've checked to London and back and there isn't one) or stop daydreaming outloud.

What I am saying is a person needs to call a specialist insurance company and they will figure it out.  Did you call Lloyd's?

Are you kidding? They're the first I thought of!

Given the lack of assurance to the location of the bitcoins, the fact that the keys can be copied and moved, the volatility of the market value, and the inability to hold the only physical copies in any medium, they won't insure.

If it had a fixed price, I'd imagine they would insure it for more than it's spot value in fees, but what's the point of that?

[ball4thegame]

Just a thought to share with Zhou and others trying to locate the thief...

Approximately a week ago on the SR forums, there was someone who put out a $30,000 offer to anyone who would submit ID info and such to Mt Gox to enable him/her to withdraw from a large account without giving up his/her real information. Perhaps this was the hacker trying to cover his identity for his future 'endeavor'. Figured I would let people know.

[Matthew N. Wright]

Just a thought to share with Zhou and others trying to locate the thief...

Approximately a week ago on the SR forums, there was someone who put out a $30,000 offer to anyone who would submit ID info and such to Mt Gox to enable him/her to withdraw from a large account without giving up his/her real information. Perhaps this was the hacker trying to cover his identity for his future 'endeavor'. Figured I would let people know.

Link?