Topic: Suspect #1: Linode admins/insiders
lonelyminer (Peter Šurda)
March 02, 2012, 02:10:38 PM
Last edit: March 02, 2012, 02:26:47 PM by lonelyminer
 #21

That's interesting... so, if I got this right, the password reset requires information an outside attacker should not have? I don't know how Linode handles administration, but that sounds quite important.
Well, it does not necessarily mean that they shouldn't have had the information they had. If control panel was crap, or the privileges of the compromised account were too high, this could have been sufficient. My point is that either way, incompetence or fraud, it's a major screwup.
EDIT
Let me try to explain again. The attackers had a lot of information. This wasn't a script kiddie, it was carefully designed and swiftly and accurately executed. Of course, this does not imply the assistance of Linode employees or contractors. But this only shifts the nature of Linode's failure, it does not really lessen the magnitude.
farfiman
March 02, 2012, 02:16:18 PM
 #22

From their terms of service:

"Therefore, subscriber agrees that Linode.com shall not be liable for any damages arising from such causes beyond the direct and exclusive control of Linode.com. Subscriber further acknowledges that Linode.com's liability for its own negligence may not in any event exceed an amount equivalent to charges payable by subscriber for services during the period damages occurred. In no event shall Linode.com be liable for any special or consequential damages, loss or injury. Linode.com is not responsible for any damages your business may suffer. Linode.com does not make implied or written warranties for any of our services. Linode.com denies any warranty or merchantability for a specific purpose. This includes loss of data resulting from delays, non-deliveries, wrong delivery, and any and all service interruptions caused by Linode.com."

I'm not a lawyer but this more or less says they aren't responsible for almost anything?


Rule #1 of law: States and courtrooms decide damages, not silly internet contracts. Numerous times, big players like eBay and Paypal have had judges call their user contracts "ridiculous and verbose" and had cases lost because of it.

Rule #2 of law: states differ on what is actually allowed in a contract and what is not.

Rule #3 of law: If this contract was supposedly "air tight", then what do you think would happen if their employees openly admitted to having robbed the customer while working there? You think the law would not be able to prosecute them because of the contract? It doesn't mean anything.




That's why I put a question mark at the end. You are probably right if this ever gets to court.
Bitcoin itself will be on trial. A court will have to decide what it is first before it can deliberate about the rest, no? (once more a question mark....)

"We are just fools. We insanely believe that we can replace one politician with another and something will really change. The ONLY possible way to achieve change is to change the very system of how government functions. Until we are prepared to do that, suck it up for your future belongs to the madness and corruption of politicians."
Martin Armstrong
kiba
March 02, 2012, 02:22:49 PM
 #23

First, people need to decide if it's worth suing the company for 200K combined total. Linode might have a very good lawyer and it will tie up the case for many months, if not years.

Second, I don't think linode is in the business of storing and protecting valuables. You can't get much from a 50 dollars a month web host.

Matthew N. Wright
Untrustworthy
March 02, 2012, 02:25:20 PM
 #24

You are probably right if this ever gets to court. Bitcoin itself will be on trial.
That is in fact a concern. Some of us think of Bitcoin already as a digital commodity, but to have ANY court decisions related to values of property loss related to Bitcoin will be a dangerous territory to get into because it can set precedence for things we can't easily take back later imo.

A court will have to decide what it is first before it can deliberate about the rest no?
No, I don't believe so. It will be treated as a digital commodity, just like if someone hacked your account then stole facebook credits. I don't think they need to define it anything further than just "damages incurred due to the illegal entry" etc. It might be pushed further than that but I doubt it. Disclaimer, I'm not a lawyer.

That's why I put a question mark at the end. .... (once more a question mark....)

hehe. Don't worry about me. I am a dog. I chew bones.

bitplane
March 02, 2012, 03:14:21 PM
 #25

Second, I don't think linode is in the business of storing and protecting valuables. You can't get much from a 50 dollars a month web host.
This is the key thing we should take away from this. Real currency stored by banks is also digital currency but is heavily protected physically, digitally and legally. Given that Bitcoin doesn't have legal protection (they can't be seized), digital protection is very hard (private keys need to be available to sign a transaction) then the bare-bones level of protection you should have as a holder of many bitcoins is physical security at the server access level. Letting third-party admins have access to your server and having admin panels exposed over the Internet is incredibly foolish.
Daily Anarchist
March 02, 2012, 06:11:05 PM
 #26

The only individuals responsible for this are the criminals themselves, be they Linode employees or not. Linode has no moral responsibility to refund the victims. However, if they do not they risk gaining a seriously bad reputation forcing others to look for a VPS that assumes responsibility for loss or theft of a client's assets. Like all things, competition will allow for a diversity in quality of services. Some VPS's will be insured against theft, others will not. Some will refund victims, others will not. If Linode chooses not to refund the victims, so be it. If you don't like that about Linode, find a VPS provider that will.

Discover anarcho-capitalism today!
Matthew N. Wright
Untrustworthy
March 02, 2012, 06:14:01 PM
 #27

The only individuals responsible for this are the criminals themselves

I'm sorry, are you a circuit court judge? Why don't you let people who understand the laws better make such statements?

Daily Anarchist
March 02, 2012, 06:19:50 PM
 #28

The only individuals responsible for this are the criminals themselves

I'm sorry, are you a circuit court judge? Why don't you let people who understand the laws better make such statements?

I'm not talking about a government law. I'm talking about principle. You're talking to an anarchist, somebody who has zero respect for the government and its definitions of right and wrong.

Matthew N. Wright
Untrustworthy
March 02, 2012, 06:21:52 PM
 #29

The only individuals responsible for this are the criminals themselves

I'm sorry, are you a circuit court judge? Why don't you let people who understand the laws better make such statements?

I'm not talking about a government law. I'm talking about principle. You're talking to an anarchist, somebody who has zero respect for the government and its definitions of right and wrong.

Oh, okay. Please carry on then. ^_^

Aggro
March 02, 2012, 06:25:21 PM
 #30

The only individuals responsible for this are the criminals themselves, be they Linode employees or not. Linode has no moral responsibility to refund the victims. However, if they do not they risk gaining a seriously bad reputation forcing others to look for a VPS that assumes responsibility for loss or theft of a client's assets. Like all things, competition will allow for a diversity in quality of services. Some VPS's will be insured against theft, others will not. Some will refund victims, others will not. If Linode chooses not to refund the victims, so be it. If you don't like that about Linode, find a VPS provider that will.

I would be very surprised if any hosting company (VPS or otherwise) will assume responsibility in the form of economical compensation for incidents like this. Every Terms and Conditions I have read from virtually every hosting company I have worked with is very clear about no compensation for damages of any kind, for any reason.
Matthew N. Wright
Untrustworthy
March 02, 2012, 06:31:34 PM
 #31

The only individuals responsible for this are the criminals themselves, be they Linode employees or not. Linode has no moral responsibility to refund the victims. However, if they do not they risk gaining a seriously bad reputation forcing others to look for a VPS that assumes responsibility for loss or theft of a client's assets. Like all things, competition will allow for a diversity in quality of services. Some VPS's will be insured against theft, others will not. Some will refund victims, others will not. If Linode chooses not to refund the victims, so be it. If you don't like that about Linode, find a VPS provider that will.

I would be very surprised if any hosting company (VPS or otherwise) will assume responsibility in the form of economical compensation for incidents like this. Every Terms and Conditions I have read from virtually every hosting company I have worked with is very clear about no compensation for damages of any kind, for any reason.

That has its limitations. You can't have employees working at your company willfully stealing things from customers and saying "woops! You agreed! haha".

There needs to be an investigation and it's something Zhou, Slush, and the proposed attorney will be discussing over the next few days.

Daily Anarchist
March 02, 2012, 06:33:10 PM
 #32

The only individuals responsible for this are the criminals themselves, be they Linode employees or not. Linode has no moral responsibility to refund the victims. However, if they do not they risk gaining a seriously bad reputation forcing others to look for a VPS that assumes responsibility for loss or theft of a client's assets. Like all things, competition will allow for a diversity in quality of services. Some VPS's will be insured against theft, others will not. Some will refund victims, others will not. If Linode chooses not to refund the victims, so be it. If you don't like that about Linode, find a VPS provider that will.

I would be very surprised if any hosting company (VPS or otherwise) will assume responsibility in the form of economical compensation for incidents like this. Every Terms and Conditions I have read from virtually every hosting company I have worked with is very clear about no compensation for damages of any kind, for any reason.

If there is enough of a demand it will happen. Sure, the VPS premiums are likely going to be a lot higher, but it can happen. What we're really talking about here is insurance. If the VPS doesn't supply the optional insurance, then individuals will have to get it themselves. Take Tradehill. They could have gotten some insurance before this situation ever happened. They could have been insured up to, what was it, 45,000 BTC? In the case they got ripped off the insurance would have kicked in, and the insurance provider would have the most interest in catching the criminal and recovering the stolen bitcoins. Now, I'm sure no CORPORATE, "legal" insurance company exists like this right now. But there is definitely a need for one. Wasn't there a poll the other day asking people what is most necessary for Bitcoin? One of the poll answers was "insurance." I didn't participate in the poll, but my answer was "insurance" when I read it. Nobody else picked that one though. Perhaps it's time for a Bitcoin insurance company to pop up, preferably one that is totally underground, i.e. not sanctioned by the government at all.

CA Coins
March 02, 2012, 06:35:00 PM
 #33

IMHO, it would be tough to get the losses directly from the courts.  Settlement is much more likely.  Linode had revenue of $10 million in 2010 and looked to be growing rapidly.  Bad press (servers hacked, assets lost) can cost them dearly.  
Matthew N. Wright
Untrustworthy
March 02, 2012, 06:42:09 PM
 #34

IMHO, it would be tough to get the losses directly from the courts.  Settlement is much more likely.  Linode had revenue of $10 million in 2010 and looked to be growing rapidly.  Bad press (servers hacked, assets lost) can cost them dearly.  

Finally, someone who understands US legal proceedings.

cypherdoc
March 03, 2012, 04:38:33 PM
 #35

No one will insure a speculative asset like Bitcoin.  Can you imagine the liability if the price spiked to 100 just before a heist?
majamalu
March 03, 2012, 04:48:49 PM
 #36

No one will insure a speculative asset like Bitcoin.  Can you imagine the liability if the price spiked to 100 just before a heist?

That would not be a problem if they charge in bitcoins.

http://elbitcoin.org - Bitcoin en español
http://mercadobitcoin.com - MercadoBitcoin
Raoul Duke
aka psy
March 03, 2012, 07:00:44 PM
 #37

Matthew, don't get mad for what I'm about to say. It's not an attack on you or your organization, it's just something that makes sense.

So, Zhoutong told you guys where he was hosting his hot wallet... Sorry to say, but that makes you (DCAO) suspects also. It's a lot easier to steal something if you know where it is exactly.
I would step out of that investigation if I was in your place.
It would be the almost perfect crime: You steal and then you "help" to try and catch the "thieves"...
Matthew N. Wright
Untrustworthy
March 03, 2012, 07:03:20 PM
 #38

Matthew, don't get mad for what I'm about to say. It's not an attack on you or your organization, it's just something that makes sense.

So, Zhoutong told you guys where he was hosting his hot wallet... Sorry to say, but that makes you (DCAO) suspects also. It's a lot easier to steal something if you know where it is exactly.
I would step out of that investigation if I was in your place.
It would be the almost perfect crime: You steal and then you "help" to try and catch the "thieves"...

I'm having trouble finding where I said he told anyone where he held his wallet....

We all knew where he was hosted (everyone in the community) though.


Also, I love being suspect.

When you guys are ready for an interview, I'll start with the first time I ran away from home at 7.

Raoul Duke
aka psy
March 03, 2012, 07:12:26 PM
 #39

Nothing but the payment functions need to have been hosted there. Zhou made a grave mistake by not collocating as he was advised to do by DCAO representatives when he first joined. He held the belief that there was bigger chance of outside security threats or single collocation operator trust issues than with major companies.

Are you going to tell me that when he described the part about less trust issues with major companies he didn't mention the company he was using? c'mon...
Matthew N. Wright
Untrustworthy
March 03, 2012, 07:26:35 PM
 #40

Nothing but the payment functions need to have been hosted there. Zhou made a grave mistake by not collocating as he was advised to do by DCAO representatives when he first joined. He held the belief that there was bigger chance of outside security threats or single collocation operator trust issues than with major companies.

Are you going to tell me that when he described the part about less trust issues with major companies he didn't mention the company he was using? c'mon...

Uhh. Yes. That's exactly what I'm telling you.

We were having a discussion related to collocation vs cloud in regards to general security for bitcoin applications.
