Bitcoin Forum
December 11, 2016, 06:19:09 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: Suspect #1: Linode admins/insiders  (Read 4061 times)
lonelyminer (Peter Šurda)
Donator
Hero Member
*
Offline Offline

Activity: 544


View Profile
March 02, 2012, 02:10:38 PM
 #21

That's interesting... so, if I got this right, the password reset requires information an outside attacker should not have? I don't know how Linode handles administration, but that sounds quite important.
Well, it does not necessarily mean that they shouldn't have had the information they had. If control panel was crap, or the privileges of the compromised account were too high, this could have been sufficient. My point is that either way, incompetence or fraud, it's a major screwup.
EDIT
Let me try to explain again. The attackers had a lot of information. This wasn't a script kiddie, it was carefully designed and swiftly and accurately executed. Of course, this does not imply the assistance of Linode employees or contractors. But this only shifts the nature of Linodes failure, it does not really lessen the magnitude.
1481437149
Hero Member
*
Offline Offline

Posts: 1481437149

View Profile Personal Message (Offline)

Ignore
1481437149
Reply with quote  #2

1481437149
Report to moderator
1481437149
Hero Member
*
Offline Offline

Posts: 1481437149

View Profile Personal Message (Offline)

Ignore
1481437149
Reply with quote  #2

1481437149
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481437149
Hero Member
*
Offline Offline

Posts: 1481437149

View Profile Personal Message (Offline)

Ignore
1481437149
Reply with quote  #2

1481437149
Report to moderator
1481437149
Hero Member
*
Offline Offline

Posts: 1481437149

View Profile Personal Message (Offline)

Ignore
1481437149
Reply with quote  #2

1481437149
Report to moderator
farfiman
Legendary
*
Offline Offline

Activity: 1434



View Profile
March 02, 2012, 02:16:18 PM
 #22

From their terms of service:

"Therefore, subscriber agrees that Linode.com shall not be liable for any damages arising from such causes beyond the direct and exclusive control of Linode.com. Subscriber further acknowledges that Linode.com's liability for its own negligence may not in any event exceed an amount equivalent to charges payable by subscriber for services during the period damages occurred. In no event shall Linode.com be liable for any special or consequential damages, loss or injury. Linode.com is not responsible for any damages your business may suffer. Linode.com does not make implied or written warranties for any of our services. Linode.com denies any warranty or merchantability for a specific purpose. This includes loss of data resulting from delays, non-deliveries, wrong delivery, and any and all service interruptions caused by Linode.com."

I'm not a lawyer but this more or less says they aren't responsible for almost anything ?


Rule #1 of law: States and courtrooms decide damages, not silly internet contracts. Numerous times, big players like eBay and Paypal have had judges call their user contracts "ridiculous and verbose" and had cases lost because of it.

Rule #2 of law: states differ on what is actually allowed in a contract and what is not.

Rule #3 of law: If this contract was supposedly "air tight", then what do you think would happen if their employees openly admitted to having robbed the customer while working there? You think the law would not be able to prosecute them because of the contract? It doesn't mean anything.




Thats why I put a question mark at the end .   You are probably right if this ever gets to court.
Bitcoin itself will be on trial. A court will have to decide what it is first before it can deliberate about the rest no? ( once more a question mark....)

"We are just fools. We insanely believe that we can replace one politician with another and something will really change. The ONLY possible way to achieve change is to change the very system of how government functions. Until we are prepared to do that, suck it up for your future belongs to the madness and corruption of politicians."
Martin Armstrong
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
March 02, 2012, 02:22:49 PM
 #23

First, people need to decide if it's worth suing the company for 200K combined total. Linode might have a very good lawyer and it will tie up the case for many month, if not years.

Second, I don't think linode is in the business of storing and protecting valuables. You can't get much from a 50 dollars a month web host.

Matthew N. Wright
Untrustworthy
Hero Member
*****
Offline Offline

Activity: 588


Hero VIP ultra official trusted super staff puppet


View Profile
March 02, 2012, 02:25:20 PM
 #24

You are probably right if this ever gets to court. Bitcoin itself will be on trial.
That is in fact a concern. Some of us think of Bitcoin already as a digital commodity, but to have ANY court decisions related to values of property loss related to Bitcoin will be a dangerous territory to get into because it can set precedence for things we can't easily take back later imo.

A court will have to decide what it is first before it can deliberate about the rest no?
No, I don't believe so. It will be treated as a digital commody, just like if someone hacked your account then stole facebook credits. I don't think they need to define it anything further than just "damaged incurred due to the illegal entry" etc. It might be pushed further than that but I doubt it. Disclaimer, I'm not a lawyer.

Thats why I put a question mark at the end .   ....   ( once more a question mark....)

hehe. Don't worry about me. I am a dog. I chew bones.

bitplane
Sr. Member
****
Offline Offline

Activity: 321

Firstbits: 1gyzhw


View Profile WWW
March 02, 2012, 03:14:21 PM
 #25

Second, I don't think linode is in the business of storing and protecting valuables. You can't get much from a 50 dollars a month web host.
This is the key thing we should take away from this. Real currency stored by banks is also digital currency but is heavily protected physically, digitally and legally. Given that Bitcoin doesn't have legal protection (they can't be seized), digital protection is very hard (private keys need to be available to sign a transaction) then the bare-bones level of protection you should have as a holder of many bitcoins is physical security at the server access level. Letting third-party admins have access to your server and having admin panels exposed over the Internet is incredibly foolish.
Daily Anarchist
Hero Member
*****
Offline Offline

Activity: 615



View Profile WWW
March 02, 2012, 06:11:05 PM
 #26

The only individuals responsible for this are the criminals themselves, be they Linode employees or not. Linode has no moral responsibility to refund the victims. However, if they do not they risk gaining a seriously bad reputation forcing others to look for a VPS that assumes responsibility for loss or theft of a client's assets. Like all things, competition will allow for a diversity in quality of services. Some VPS's will be insured against theft, others will not. Some will refund victims, others will not. If Linode chooses not to refund the victims, so be it. If you don't like that about Linode, find a VPS provider that will.

Discover anarcho-capitalism today!
Matthew N. Wright
Untrustworthy
Hero Member
*****
Offline Offline

Activity: 588


Hero VIP ultra official trusted super staff puppet


View Profile
March 02, 2012, 06:14:01 PM
 #27

The only individuals responsible for this are the criminals themselves

I'm sorry, are you a circuit court judge? Why don't you let people who understand the laws better make such statements?

Daily Anarchist
Hero Member
*****
Offline Offline

Activity: 615



View Profile WWW
March 02, 2012, 06:19:50 PM
 #28

The only individuals responsible for this are the criminals themselves

I'm sorry, are you a circuit court judge? Why don't you let people who understand the laws better make such statements?

I'm not talking about a government law. I'm talking about principle. You're talking to an anarchist, somebody who has zero respect for the government and its definitions of right and wrong.

Discover anarcho-capitalism today!
Matthew N. Wright
Untrustworthy
Hero Member
*****
Offline Offline

Activity: 588


Hero VIP ultra official trusted super staff puppet


View Profile
March 02, 2012, 06:21:52 PM
 #29

The only individuals responsible for this are the criminals themselves

I'm sorry, are you a circuit court judge? Why don't you let people who understand the laws better make such statements?

I'm not talking about a government law. I'm talking about principle. You're talking to an anarchist, somebody who has zero respect for the government and its definitions of right and wrong.

Oh, okay. Please carry on then. ^_^

Aggro
Donator
Sr. Member
*
Offline Offline

Activity: 296



View Profile
March 02, 2012, 06:25:21 PM
 #30

The only individuals responsible for this are the criminals themselves, be they Linode employees or not. Linode has no moral responsibility to refund the victims. However, if they do not they risk gaining a seriously bad reputation forcing others to look for a VPS that assumes responsibility for loss or theft of a client's assets. Like all things, competition will allow for a diversity in quality of services. Some VPS's will be insured against theft, others will not. Some will refund victims, others will not. If Linode chooses not to refund the victims, so be it. If you don't like that about Linode, find a VPS provider that will.

I would be very surprised if any hosting company (VPS or otherwise) will assume responsibility in the form of economical compensation for incidents like this. Every Terms and Conditions I have read from virtually every hosting company I have worked with is very clear about no compensation for damages of any kind, for any reason.
Matthew N. Wright
Untrustworthy
Hero Member
*****
Offline Offline

Activity: 588


Hero VIP ultra official trusted super staff puppet


View Profile
March 02, 2012, 06:31:34 PM
 #31

The only individuals responsible for this are the criminals themselves, be they Linode employees or not. Linode has no moral responsibility to refund the victims. However, if they do not they risk gaining a seriously bad reputation forcing others to look for a VPS that assumes responsibility for loss or theft of a client's assets. Like all things, competition will allow for a diversity in quality of services. Some VPS's will be insured against theft, others will not. Some will refund victims, others will not. If Linode chooses not to refund the victims, so be it. If you don't like that about Linode, find a VPS provider that will.

I would be very surprised if any hosting company (VPS or otherwise) will assume responsibility in the form of economical compensation for incidents like this. Every Terms and Conditions I have read from virtually every hosting company I have worked with is very clear about no compensation for damages of any kind, for any reason.

That has its limitations. You can't have employees working at your company willfully stealing things from customers and saying "woops! You agreed! haha".

There needs to be an investigation and it's something Zhou, Slush, and the proposed attorney will be discussing over the next few days.

Daily Anarchist
Hero Member
*****
Offline Offline

Activity: 615



View Profile WWW
March 02, 2012, 06:33:10 PM
 #32

The only individuals responsible for this are the criminals themselves, be they Linode employees or not. Linode has no moral responsibility to refund the victims. However, if they do not they risk gaining a seriously bad reputation forcing others to look for a VPS that assumes responsibility for loss or theft of a client's assets. Like all things, competition will allow for a diversity in quality of services. Some VPS's will be insured against theft, others will not. Some will refund victims, others will not. If Linode chooses not to refund the victims, so be it. If you don't like that about Linode, find a VPS provider that will.

I would be very surprised if any hosting company (VPS or otherwise) will assume responsibility in the form of economical compensation for incidents like this. Every Terms and Conditions I have read from virtually every hosting company I have worked with is very clear about no compensation for damages of any kind, for any reason.

If there is enough of a demand it will happen. Sure, the VPS premiums are likely going to be a lot higher, but it can happen. What we're really talking about here is insurance. If the VPS doesn't supply the optional insurance, then individuals will have to get it themselves. Take Tradehill. They could have gotten some insurance before this situation ever happened. They could have been insured up to, what was it, 45,000 BTC? In the case they got ripped off the insurance would have kicked in, and the insurance provider would have the most interest in catching the criminal and recovering the stolen bitcoins. Now, I'm sure no CORPORATE, "legal" insurance company exists like this right now. But there is definitely a need for one. Wasn't there a poll the other day asking people what is most necessary for Bitcoin? One of the poll answers was "insurance." I didn't participate in the poll, but my answer was "insurance" when I read it. Nobody else picked that one though. Perhaps it's time for a Bitcoin insurance company to pop up, preferably one that is totally underground, i.e. not sanctioned by the government at all.

Discover anarcho-capitalism today!
CA Coins
Donator
Sr. Member
*
Offline Offline

Activity: 306


View Profile
March 02, 2012, 06:35:00 PM
 #33

IMHO, it would be tough to get the losses directly from the courts.  Settlement is much more likely.  Linode had revenue of $10 million in 2010 and looked to be growing rapidly.  Bad press (servers hacked, assets lost) can cost them dearly.  
Matthew N. Wright
Untrustworthy
Hero Member
*****
Offline Offline

Activity: 588


Hero VIP ultra official trusted super staff puppet


View Profile
March 02, 2012, 06:42:09 PM
 #34

IMHO, it would be tough to get the losses directly from the courts.  Settlement is much more likely.  Linode had revenue of $10 million in 2010 and looked to be growing rapidly.  Bad press (servers hacked, assets lost) can cost them dearly.  

Finally, someone who understand US legal precedings.

cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
March 03, 2012, 04:38:33 PM
 #35

No one will insure a speculative asset like Bitcoin.  Can you imagine the liability if the price spiked to 100 just before a heist?
majamalu
Legendary
*
Offline Offline

Activity: 1652



View Profile WWW
March 03, 2012, 04:48:49 PM
 #36

No one will insure a speculative asset like Bitcoin.  Can you imagine the liability if the price spiked to 100 just before a heist?

That would not be a problem if they charge in bitcoins.

http://elbitcoin.org - Bitcoin en español
http://mercadobitcoin.com - MercadoBitcoin
Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
March 03, 2012, 07:00:44 PM
 #37

Matthew, don't get mad for what I'm about to say. It's not an attack on you or your organization, it's just something that makes sense.

So, Zhoutong told you guys where he was hosting his hot wallet... Sorry to say, but that makes you(DCAO) suspects also. It's a lot easier to steal something if you know where it is exactly.
I would step out of that investigation if I was in your place.
It would be the almost perfect crime: You steal and then you "help" to try and catch the "thieves"...

Matthew N. Wright
Untrustworthy
Hero Member
*****
Offline Offline

Activity: 588


Hero VIP ultra official trusted super staff puppet


View Profile
March 03, 2012, 07:03:20 PM
 #38

Matthew, don't get mad for what I'm about to say. It's not an attack on you or your organization, it's just something that makes sense.

So, Zhoutong told you guys where he was hosting his hot wallet... Sorry to say, but that makes you(DCAO) suspects also. It's a lot easier to steal something if you know where it is exactly.
I would step out of that investigation if I was in your place.
It would be the almost perfect crime: You steal and then you "help" to try and catch the "thieves"...

I'm having trouble finding where I said he told anyone where he held his wallet....

We all knew where he was hosted (everyone in the community) though.


Also, I love being suspect.  Cheesy

When you guys are ready for an interview, I'll start with the first time I ran away from home at 7.

Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
March 03, 2012, 07:12:26 PM
 #39

Nothing but the payment functions need to have been hosted there. Zhou made a grave mistake by not collocating as he was advised to do by DCAO representatives when he first joined. He held the belief that there was bigger chance of outside security threats or single collocation operator trust issues than with major companies.

Are you going to tell me that when he described the part about less trust issues with major companies he didn't mentioned the company he was using? c'mon... Roll Eyes

Matthew N. Wright
Untrustworthy
Hero Member
*****
Offline Offline

Activity: 588


Hero VIP ultra official trusted super staff puppet


View Profile
March 03, 2012, 07:26:35 PM
 #40

Nothing but the payment functions need to have been hosted there. Zhou made a grave mistake by not collocating as he was advised to do by DCAO representatives when he first joined. He held the belief that there was bigger chance of outside security threats or single collocation operator trust issues than with major companies.

Are you going to tell me that when he described the part about less trust issues with major companies he didn't mentioned the company he was using? c'mon... Roll Eyes

Uhh. Yes. That's exactly what I'm telling you.

We were having a discussion related to collocation vs cloud in regards to general security for bitcoin applications.

Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!