Linode Exploit Caused Theft of Thousands of Bitcoins
Sabbetus writes "Popular web hosting service Linode had a serious exploit earlier today. Apparently the super admin password for their server management panel was leaked and allowed a malicious attacker to target multiple Bitcoin-related servers. The biggest loss happened to a major Bitcoin mining pool that lost over 3000 BTC, which is currently worth almost 15 000 USD. Now the question is, will Linode compensate for lost bitcoins?"
Update: The 3000 BTC theft was not even close to being the biggest, Bitcoin trading site Bitcoinica lost over 40,000 BTC.
oops...
Imaginary currency is not safe.
The greatest value of bitcoin seems to be in generating headlines.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
http://www.linode.com/tos.cfm
Section 9, paragraph 1:
Bitcoinica has confirmed 10,000 BTC stolen, that's another $50,000 USD
With 10,000 BTC stolen I'd be heading on over to Silk Road very quickly!
"Worth 15,000" Good luck cashing them out for a currency you can actually use.
This is the equivalent of stealing Monopoly money.
And after this, if Linode does not make the users whole, they will leave for someone who will. That is the dream of Librarians.
I saw an analysis of their Terms of Service somewhere, indicating that they will only compensate up to the value of the service paid. So, if your service was $100/mo, they'd only compensate you for the downtime you experienced, or up to that month's service charge of $100.
If Linode cares about Bitcoin, it will find a way to compensate its users. Otherwise, if the users who lost money are up to it, I'm sure there is at least one lawyer out there willing to be counsel on the first case involving theft of a digital currency, testing whether or not the data/rights to data stolen are legitimate property of legal value. We supporters of Bitcoin say, "Of course!" but it's not until there's a legal precedent that we really can say that.
Or, Linode can sit behind its ToS and test contract law.
Or, the users can vote with their money and leave Linode and tell others why they're leaving.
At least in my eyes, that I would ever consider Linode in the future is hanging in the balance, and they've previously always had a good reputation in my mind. I would venture that there are plenty of other like-minded geeks out there. Given that Linode's market is primarily we geeks, I believe it behooves them to do the right thing and compensate for the losses.
Colin Dean Go a year without DRM
No, it is just that things will go more smoothly and fairly than under the alternatives.
Seems like Linode had more in common with Disney's Pirates of the Caribbean ride than, say, San Francisco Bay. Yarrr!
Why isn't the MPAA up in arms about this? They clearly subverted DRM to steal these bitcoins.
Really? Isn't the dream of librarians of that top button finally being released to expose the...
Oh wait, that's my dream of librarians.
And nothing of value was lost.
Then again, I'm not one who sees any particular use to bitcoin other than interesting math.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
American Libertarians, you mean. They've co-opted the term and twisted it to mean something other than its original meaning.
Social or technical?
"I don't know, therefore Aliens" Wafflebox1
Meh. No correlation. Linode has nothing to do with Bitcoins. You could store magic unicorns on their servers, want compensation if they get stolen? In the end _you_ are responsible for your data, not the host. So sorry if Bitcoin is flawed to the point where it can be so easily stolen by little old root. If you purchase service with a back up plan and the servers get hacked and your content is deleted, then you would legally/reasonably expect a restore but sorry fake money that gets "stolen" doesn't count.
Let's write a news article about it
Ain't that the dream of Libertarians, that without regulation, things will go so much smoother and more effectively, and nobody will have cause for complaint.
I have an idea - let's make ISPs fully responsible for all incidental and consequential damages.
OK, your turn - figure out what the monthly pricing is going to look like.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Jeez,
So Bitcoin is a viable currency?? Diss it all you want, but it seems to be holding up well, even growing against the US$.
-or-
Got me, but if I had $50k in digital currency I think I'd spread my risk around and stash bits (no pun intended) across many servers at many different hosting sites and companies. The things are like $20/month, for pete's sake.
Back when I worked for a web host company, we occasionally (rarely) had some issues where customers got screwed. In the worst case, your VPS is on a box where multiple disks die in a RAID array, and you don't have backups, and that's that.
We were customer-friendly, so we would refund the customer's hosting charges if something went terribly wrong. But if you're paying $19/month, you can't really expect us to refund you more than $19/mo when something goes wrong.
There's a rule of thumb in physical security; you should spend ~5% of the value of the thing to secure the thing. E.g. ~$1000 bicycle means ~$50 bicycle lock. If you're using a $19/mo service to hold $10k worth of value, you better be taking some other precautions. These guys were doing the equivalent of keeping $10k in cash in a $20 lockbox in a public place.
This. Linode was hobbyist VPS', their TOS explicitly says you aren't owed anything. Why were people hosting such vast sums of 'money' without an SLA?
Oh the drama. As an actual bitcoin miner, let me fill you in on the real story instead of that media fluff that's purposely inflated to overdramatic proportions. Almost all bitcoin mining pool websites are configured to pay people every time 1 BTC is reached. That's around $5 US and takes a mediocre mining rig approximately 2 days to generate. So the most that the average person probably lost is $0.01 - $5.00. NOBODY keeps massive piles of BTC sitting around at the pool itself. The exchanges, yeah, but not the pools. They're known for lax security too. At the #1 biggest mining pool, your miners' login passwords are listed as plaintext on the page because what are people going to do, mine for you? And none of your money stays there for long so nobody really cares.
What really doesn't add up is the 3000 BTC estimate. Even Deepbit, the largest pool, doesn't have 6000 members, which would be the number required to, at any given point in time, have an average of 3000 BTC on-hand. So it likely was the site owner's profit pool that got robbed the most heavily.
A question I consider sometimes is the relationship between Bitcoins and the US Customs (or any other border agency.)
When we cross the border there are obvious signs making it clear that if you carry more than $10,000 across the border (Canadian or American in my case) in either direction you must declare the transaction. Suppose one's bitcoin wallet is on their cellphone and they are carrying more than $10,000 worth of bitcoins on their cellphone. Would these need to be declared?
I guess it would be similar to carrying bearer bonds across the border but I'm not certain what the conditions are for those, either.
The concern would be whether two people with cellphone bitcoin wallets could meet and move bitcoins from one cellphone wallet to the other without another server or service being involved in the transaction. If so then I can certainly see how this process could be used to facilitate illegal transactions with less obvious traces than carrying large volumes of actual cash.
Everyone gets all scared when big piles of BTC are stolen because the price usually crashes afterwards. In case you were wondering about that, selling off 3000BTC all at once, right now this very second would drop it from $4.94 US to $4.83. See for yourself:
Live graph of MTGox who does 80-90% of all exchange transactions
If anyone (like me) was wondering if there was any confirmation that linode accepted blame other than from the person who was robbed, there is.
http://status.linode.com/2012/03/manager-security-incident.html
Linode is actually rather lucky this person who did this only went for 8 machines. They could have been in a whole lot more trouble when someone got access like this.
http://lkml.org/lkml/2005/8/20/95
Bad decisions were made. If you have ever had to deal with PCI DSS certification then you know what the credit card processing companies expect of their merchant customers. Now imagine the standards the credit card companies themselves try to adhere to. Some developers using BitCoin need to think about the security Big Picture before creating infrastructure for their projects/businesses. Keeping a BitCoin wallet containing thousands of BTC on a little cloud server is not wise.
Having said that, there is a solution in the pipe to help with this problem. Gavin Andresen, lead BitCoin developer, had his Bitcoin Faucet Linode server hacked. While only a few Bitcoins were lost he now is using this incident to support his proposal for Multisignature Transactions.
Guru Meditation #6d416769.21610a21
Is it not supposed that a super admin password should be stored only in the brains of the super admins?
Unless Linode decides to cough up $15k in a private deal, there will likely be no compensation. IANAL, but since the United States government doesn't recognize bitcoins as a legal form of currency anyway, taking this to court would probably be fruitless and a waste of time. Unless I'm missing details, of course.
If they were to be compensated, though, there is some potential to have this incident set a major precedent in regards to the legitimacy of bitcoins in the U.S.
So I take it we're back on the BitCoin thing full-time?
Does this mean that we at least don't have to see anything about Raspberry Pie or Strawberry Jam, or whatever, for a few weeks?
sic transit gloria mundi
Boy did they bury the lead. Here's the entire story. Allegedly someone broke into the Linode web hosting company, hacked specifically just 8 sites involved in bitcoins and THAT'S IT, no other sites, and stole a hell of a lot more than 3000 BTC. 3000BTC isn't significant but 43,554 BTC were stolen from another major exchange, Bitcoinica. That company is claiming they have the money to cover it and will reimburse everyone. That's almost a quarter of a million US dollars by the way.
Apparently the word on the street is this was targeted and definitely an inside job from an employee or multiple employees at Linode. The easiest way a simultaneous 8-site web control panel hack would be to simply log in with a secret back-door master password that basically all web hosts have. Either someone hacked Linode and found out that master password or it was an employee, the latter of which is obviously a lot simpler and more believable.
Instead, why not just take money from those who manage their affairs prudently, and use it to prop up incompetent businessmen to continue in their ways, as long as they promise not to do it again.
The crash of the beanie baby market clearly shows that government regulation is needed.
Honest question, since I haven't waded through their ToS. But I bet not, at least in terms of compensation for a security fault on their side. They might be more secure to begin with though...
Spinning straw into bitcoins. The computational effort doesn't create value, it just creates entropy in the case of bitcoins. Theoretically interesting, and perhaps it will provide a lot of useful lessons in creating a practical digital currency, but for now, it has no trust, no backing, no guarantor, and no fungible value.
1. Generate bitcoins.
2. Hack in and steal bitcoins.
3. Sue for real money.
4. Profit!
The trouble with the rat race is that even if you win, you're still a rat." Lily Tomlin
If you don't know, bitcoin was one of the few ways to get money to Wikileaks and Julian Assange left. EFTs and Credit card transaction have been halted by the banks. Is this an accident or a conspiracy?
putting the 'B' in LGBTQ+
As linode says that a machine with access was hacked from outside and then was used to access the other machines.
This wouldn't require a master password nor an employee.
This is what linode claims. Do I believe it? I don't think I even believe that only 8 machines were compromised.
But I don't take the "word on the street" very seriously. People repeat conspiracy theories very easily, regardless whether they are true or not.
what are you in for?
Molesting a dead horse.
Might be a bit difficult to find someone who even would insure their bitcoin balance, not to mention the difficulties that would probably arise if a claim was filed. Fortunately, in this case the operators of the services are absorbing the loss and their customers/clients are not directly affected.
It should be easily settled by converting real dollars into BTC.
I heard about 3000 BTC has coincidentally just become available on the market, which if they put up the US$15,000 to buy them, should cover the "stolen" BTC.
1. Mine a bunch of BTC
2. Fake an online break-in and theft
3. Sell the not really stolen property to the entity who has to replace it, using an untraceable currency
4. Profit!
PS: There is no ???? step when it comes to insurance fraud, it's a rather well researched field.
-- Terry
I'm really tired of hearing the same Bitcoin-is-worthless jargon coming out of /. on every Bitcoin headline. And it's not like there's a Bitcoin story every day... it's once every couple months, so you can't really be getting "sick" of it...
/. was about geeks. Bitcoin should be a popular topic here, as it represents online freedom, cryptography, politics, economics, computing, and networking all in one big, brilliant mess of bits -- basically everything everyone loves talking about, here. Even if you think the currency will crash tomorrow, it should still be a fascinating topic, hardly worth the intransigent beatings that it receives on every slashdot story.
People can argue all they want about economic theory and fiat currency, intrinsic value, etc. But the fact is that Bitcoin has had value >=$1/BTC for over a year now. And it's growing. When the speculator bubble burst, everyone thought for sure that was the end of it. But what really happened was that the speculators got out of the game, and now Bitcoin is progressing much more naturally... and so far it's been successful.
I don't care what your economic theories are: Bitcoin still exists and is used for online commerce. I don't care whether you think it's worthless: they have clearly demonstrated they are not worthless, and in fact have very non-negligible value to a great very many people. I don't care whether you think the gold-standard was a bad idea, or whether Bitcoin is a commodity or a currency: Bitcoin is thriving and has been thriving for a long time. There's still plenty of questions left to be answered about Bitcoin and its place in society, politics and economics. But one fact remains: Bitcoin itself is empirical evidence that all your theories about whether it should, could or will remain valuable, may not be accurate. That's not to say there's no truth at all in your arguments. But Bitcoin is a truly novel, one-of-a-kind thing, and it has demonstrated more than just being worthless-bits, simply by the fact that it not only still exists, but that it is thriving.
And geezuz: I thought
Bitcoinica lost 43,554 BTC (valued at about US$200K) in the same incident.
Actually, pool users aren't losing anything. The "hot" wallet stored at Linode was only the daily-use petty cash fund used for routine payouts. The bulk of the pool's balance is in "cold" storage and was not affected, so it's not like they were cleaned out. They got the register at the front, but not the safe in the back.
The owner of the pool, Slush, is covering the losses out of pocket, so nobody is losing anything except him.
The same story (though with a larger "hot" wallet) is happening over at Bitcoinica as well.
This is a disclaimer for damages occurring due to interruption of service. The service wasn't interrupted at all. This is a break-in due to bad security and in my opinion, not covered in this disclaimer. No, I am not a lawyer, but this disclaimer is rather explicit about what Linode is and is not responsible or accountable for, and data theft due to bad security is not excluded from liability in this piece of text.
I was promised a flying car. Where is my flying car?
are really starting to sound a lot like gold/silver bugs do on the investment forums. I'm invested in uranium exploration, oil exploration and undersea exploration companies and I suspect they are no more safe an investment that Bitcoin, or (right now) gold and silver. But damn, you don't hear me frothing at the mouth every time someone starts talking about BP or Fukushima. Fact is, the value of my risky investments and Bitcoin can both flat-line - if you're not prepared to accept that, then you shouldn't be investing either real money, or your time and energy in it. But honestly, best of luck to Bitcoin - I find the experiment at turns fascinating and ridiculous, but it never fails to entertain.
I really am asking this. Their value is so low now that it costs you more on your power bill to mine them than they are worth, and all these thefts are going to do is drop it even lower.
Well, yeah, especially because of the parents who decided a college fund in the form of highly flammable stuffed animals was a good idea.
At least US ones. The gaming commission of the various states that engage in it checks to make sure payouts are as required. They catch any tampering with it, there is hell to pay.
In the case of physical game (like Roulette) there are possibilities for some strange streaks, the overall payout is regulated by payout vs probability (like every number has a 1/36 probability of occurring but a bet on any number pays only 34:1) but on machine games it is regulated even tighter. The machines have specific percentages they are expected to pay out, and there's also usually regulation about how they have to make sure there are no long losing streaks (that's what "progressive" slots are). So they don't just check the odds on those, but can make sure of things like "Machine A paid out precisely 95% of the money it took in."
Casinos are just the entertainment industry. They don't take any risks, and they don't even pretend to (all the odds are 100% known to you, as to them). It is just people seem to like the thrill of the chance of winning. Some people DO win big, and that tiny chance is enough to make people enjoy the thrill of playing.
If the people who play with Bitcoins don't keep making headlines and hype, they face the very real possibility of their "investment" going down to zero. They are not catching on as use as a general currency. You can't go spend BTC at Newegg or Amazon or the like. So they have to keep new people interested to keep this going. Otherwise nobody will want to buy BTC meaning the value will effectively be zero. You'd still be able to trade them among people who take them, but since that is almost nobody it gets you nothing.
The law is pretty broad. US law says if you have more than $10,000 in monetary instruments you have to declare. That means any currency from any nation, they don't give a shit, if the total value is more than $10k they want to know about it. Fail to declare it and they can seize it if they notice it, which is good incentive to declare it (or better incentive to just not carry that much on you, and transfer it through banks).
So letter of the law, ya you'd need to declare. As a practical matter, they'd never notice bitcoins, at least not at this point, so you wouldn't risk anything directly.
Go to their homepage. They are a cut rate Linux VPS host. If you decide you want your own Linux server instance, with root and all, but you don't want to pay very much to have it, that is what they do. What you do with it they don't care, so long as it isn't illegal (and I imagine then they only care if someone complains).
They are a budget host, that is all. Some BTCtards though they'd be a great place to host some infrastructure related to playing with BTC. It got broken in to and now they are crying. Linode is going to tell them to piss up a rope. Doesn't matter that they decided that their bits were expensive bits, that isn't Linode's business. As a low end web host their thing is "Make sure you back up your shit."
Same with any low end (and even many high end) hosts. Hostgator does back up your data if under a certain amount, but they warn you that this isn't to be taken as a guarantee. Shit can happen that causes loss and it is on you to have a backup copy.
In the case of bitcoins doesn't quite work like that but that is not the web host's problem. Don't put "special bits" on a cheap service.
Also, maybe this helps enlighten some people to the reason why there are things like tracking and regulation in real banks.
... and nothing of value was lost.
> We were customer-friendly, so we would refund the customer's hosting charges if something went terribly wrong. But if you're paying $19/month, you can't really expect us to refund you more than $19/mo when something goes wrong.
Of course you can - since everybody is responsible for the consequences of their actions. If you buy a radio for 19 USD, it short circuits and burns down, you can go after the manufacturer for your damages. Same with services, unless it says otherwise in the contract.
It is stored on secure systems which are more importantly tracked and audited. It is true most currency these days is just an entry in a digital system. It is much more convenient that way. However it isn't like it is just in some Excel spreadsheet and if that sheet goes away the money is gone. It is on a special system, and is very well accounted for. When money gets transferred bank to bank it is carefully tracked. At the immediate level it happens via some system like ACH, which itself is monitored and tracked, but that is just the banks chattering basically. Bank A says "You have $5000 more to go in to account X," and Bank B says "I now have $5000 more in that account," and balances are updated accordingly. However that is the banks loaning money, more or less. The actual transfer takes place on the Fedwire later which is watched by the Federal Reserve, as the name implies.
Banks keep careful track of their digital currency, just like their physical currency. It isn't just having secure systems, it is having auditing and tracking. So if something unauthorized happens, it can be rolled back.
That's one of the big reasons to keep your money in a bank and not in a safe or something like that. You keep $10k in bills in a safe and someone steals it, it is gone, you are fucked. You keep $10k electronically in a bank and someone steals it, good chance the transaction can be reversed and you lose nothing.
I reckon this was a targeted attack.
There were at least two big bitcoin users with accounts there - if you actually RTFA, the biggest loss was 10,000 bitcoins (~45,000 USD) from Bitcoinica in addition to the 3,000 bitcoins from Palatinus.
If it was well-known, or could be easily discovered, that several bitcoin sites used the same hosting service, then that would be something worth breaking into, wouldn't it? Social attack, brute-force, some custom malware on a stick in the parking lot of the hosting site - it would be worth it to get your hands on big money.
Everyone should do their own research when choosing which hosting service to use (cost, uptime, features, history of security cock-ups), but it might also be worthwhile making sure no big players use the same host. If they do, then maybe avoid them and look at the next-best option.
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
Let's say I had seismic data that cost millions to collect, I'm stupid enough to have no copy other than the one on linode and then something goes wrong. Even if it's linode's fault that their copy of the data is lost I'd have no grounds to hit them for millions. If that happened it would be my own fault for being too stupid to have a backup of very easily copied digital information.
I really do not see any difference between that situation and the participants in the bitcoin pyramid scheme who failed to keep backups or were prevented from having a backup by some quirk of the scam they are involved in.
So from my point of view it's an epic failure on two fronts for the people that lost their "coins" - first for not having a copy and second for being involved in a pyramid selling get rich quick scam that just happens to have shiny bait for the technophilic. The more people that adopt bitcoin the more the "coins" of the early adopters are worth - it's the classic ponzi scheme barely disguised.
So sorry kids, I don't think linode owes you anything other than a refund on lost time. They won't say it because such a thing pisses customers off, but I'm not them and not even a customer (but I did read their terms of service once before deciding to host stuff closer to me instead).
I don't agree. The exploit was in Linode's admin panel. Even if the user had spent 3000$ on a security consultant to secure his VPS, it still would have been bypassed.
...You are over-qualified and under-paid. If we give you a raise, we will break the cosmic balance of the universe.
Now the question is, will Linode compensate for lost bitcoins?
And the answer is "No".
Insurance agent: Any valuables in the house?
Homer: Well, the Picasso, my collection of classic cars...
Insurance agent: Sorry, this policy only covers actual losses, not made-up stuff.
Homer: [miffed] Well that's just great!
-- ``Homer the Heretic''
Couldn't circulating a hash of the stolen "coins" be used to prevent the thief using them, just like banks blacklist stolen credit card numbers? What's the use of a "digital currency" without such a blindingly obvious application of it?
That's why I moved all my beanie baby stock into tulip futures.
Please consider this account deleted, I just can't be bothered with the spam anymore.
A note for submitters and editors - if something has happened recently, it's conventional to use the present tense. I read this and thought it had happened some time ago, only being brought to light recently.
and the answer is no.
I don't think Linode's admin panel has a memory debugger, so some in-VPS security could have helped with this actually.
world was created 5 seconds before this post as it is.
nothing of value was lost.
Like any vendor, Linode has included language in their contract which limits their liability. This is standard language, and it operates according to the following principle, which originated in landlord/tenant law: Linode has no control over the value or sensitivity of the property that you store on its site, so you must get insurance against the loss of this property yourself. No landlord/host wants to act as an insurance company, and they are in no position to do so. I can put anything I want in a rented space; it could be a $5,000,000.00 supercomputer, or a $30,000,000.00 Van Gogh. If there is a leak in my landlord's roof and a drop of water destroys the supercomputer, I must look to my own insurance policy, because I am the one who owns this property. If I want to store $15,000 in cash, I am not going to rent a storage unit and leave it lying all over the floor (the equivalent of what these Linode users did). I am going to put it in a BANK, which is a business specifically designed to store one type of thing, and which provides insurance against its loss.
Here's a link to the TOS: http://www.linode.com/tos.cfm
THIS POST DOES NOT CONSTITUTE LEGAL ADVICE OR CREATE AN ATTORNEY-CLIENT RELATIONSHIP. ANY LEGAL ADVICE MUST BE TAILORED TO YOUR INDIVIDUAL NEEDS BY AN ATTORNEY LICENSED IN YOUR JURISDICTION.
Hmm, storing valuable data on a 3rd party host? Better not forget to use the "Encrypt Wallet" option.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
Estimated value of entire bitcoin market: $39.6 Million
Estimated value of lost productivity due to Bitcoin news stories and comment threads: $41.8 Million
Now this is my kind of Lin-sanity!
American Libertarians, you mean. They've co-opted the term and twisted it to mean something other than its original meaning.
This is because American Liberals did the same with this word. Everywhere else "liberal" is a person opposed to both religious and State intervention, as well as hell-bent on defending free markets. But since that's not the meaning the word ended with in US English, the anti-authoritarian free-market advocates were without a single word to describe themselves, and thus went for the most similar sounding one they managed to find that wasn't being actively used by someone else. The other attempted terms are either two-worded ("classic liberalism", "paleo-liberalism" and "anarcho-capitalism") or completely at-a-glance unintelligible ("minarchism"), hence much less useful.
By the way: what Americans call "liberalism" is better known around the world as "social democracy".
Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
To be fucked over, and have almost no recourse for it?
Forgive me if I'd rather wake up.
Being fucked over, and not getting some form of restitution is your definition of "going smoothly"?
I really hope you always find yourself in a position of being able to absorb those losses, and never get fucked over on something that could potentially ruin you. And in such an event, I hope your "recourse" in taking your now, non-existent ability to conduct business elsewhere gives you comfort.
So what I've learned here today is that I should ask my cloud hosting company whether they allow or encourage the use of their servers to generate bitcoin. And if they do, I should drop them for another company that doesn't.
Isn't that about the size of it? I don't want my cloud hosts to be in the same place as somebody's financial instruments, because when the burglars come looking for money they are going to give me a security nightmare at the same time.
Or maybe I should just make sure my cloud hosting company has more layers of security in place than just a password in order to gain access to ring 0.
First. That $15k everyone is talking about is what we call a "Hot Wallet". Most people who use bitcoin tend to use encrypted wallets or have multiple physical backups (I keep one in my safety deposit box at my bank). In this case, the site that lost this amount, www.bitcoin.cz or Slushpool, pays out people who hash bitcoins collectively. The 3000 BTC that were stolen were from the funds used to distribute these payments. This is the equivalent of a cash drawer at a local retailer. They do not keep every cent in that drawer, but only what is needed for the day to day transactions of their business.
Now for the 40k BTC from Bitcoinica. Unlike Slushpool, Bitcoinica is a Bitcoin trading exchange with some pretty impressive options relating to short sale, interest and some other investment tools. However, just like Slushpool, they need to keep a hot wallet in order to quickly execute withdrawals to its customers. Bitcoinica had issues earlier this year when they used a second but larger exchange and bitcoin payment processor (Mt.Gox) and the volume of Bitcoinica grew beyond the daily limits that Mt.Gox allows you to withdraw without providing documentation for AML compliance. This can be overcome by providing such documents, but the head of Bitcoinica is a 17 year old Chinese national living in mainland China.
Other affected sites include TradeHill, GLBSE (the global bitcoin stock exchange) and a few other smaller sites. Where Linode is screwed is where for in the case of Slush and Bitcoinica, is that the passwords and admin accounts used where in no way visible, known or authorized by either site. In the Slushpool case, this was discussed prior to moving the server over in which the operator of Slushpool specifically stated that no such accounts were allowed and that a full disclosure of the security system was provided. In simple terms, They said this would not happen because there was no account on the server like the one that was compromised.
As far as where did the coins go? A 99% likely scam exchange known as www.coinexchanger.com made a public statement this morning that his exchange received a 20btc deposit and a 12k btc deposit. This was called out immediately, not in regards to the theft, but due to the lack of volume the site has, the wide price spread between bid and ask prices, and evidence that this individual in fact has failed to provide payment to people for services. When asked to show proof of these said deposits (bitcoin's transparency can allow this with a simple web link) communication broke down and this piece of info came to light.
http://blockchain.info/address/0d9e2cd87cef275505cd1a831a8fdf86cd2ff571
A quick 24-hour run down of all large volume bitcoin transactions shows this to be the only one large enough to match the op's claim, but also to be one of the few that can only really come from the theft. Even if the op of coinexchange is not involved, it is very possible that the thief is attempting to use this fly-by-night exchange instead of the standard ones in order to hide his theft. Also, this exchange believes it does not have to comply with AML laws as they withdraw to LibertyReserve.
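The "24-hour run down of large volume transactions" the poster describes is a simple window-and-threshold filter over a public ledger, plus a per-address sum so that several smaller deposits (like the 20 BTC and 12k BTC deposits mentioned) show up together. The following is an added example and is not code from the thread, from Linode, or from any of the sites named; it runs over a small constructed ledger with hypothetical addresses and timestamps rather than real blockchain data, so the numbers are illustrative only.

```python
from datetime import datetime, timedelta

# Constructed sample transactions for illustration only; none of these are real
# blockchain records. Fields: txid, UTC timestamp, destination address, amount in BTC.
SAMPLE_TXS = [
    ("tx-001", "2012-03-01T03:10:00", "hypothetical-addr-1", 12000.0),
    ("tx-002", "2012-03-01T03:12:00", "hypothetical-addr-1", 20.0),
    ("tx-003", "2012-03-01T09:45:00", "hypothetical-addr-2", 0.5),
    ("tx-004", "2012-02-27T10:00:00", "hypothetical-addr-3", 9000.0),  # older than 24h
    ("tx-005", "2012-03-01T11:00:00", "hypothetical-addr-4", 700.0),
    ("tx-006", "2012-03-01T11:05:00", "hypothetical-addr-4", 650.0),
]

# Hypothetical "now" so the example is reproducible offline.
NOW = datetime(2012, 3, 1, 12, 0, 0)


def parse_ts(ts):
    """Parse the ISO-style timestamp used in the constructed ledger."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def transfers_in_window(txs, now=NOW, window_hours=24):
    """Transactions whose timestamp lies within the last window_hours before now."""
    start = now - timedelta(hours=window_hours)
    return [tx for tx in txs if start <= parse_ts(tx[1]) <= now]


def large_transfers(txs, now=NOW, threshold_btc=1000.0, window_hours=24):
    """Single transfers at or above threshold_btc inside the window, largest first."""
    hits = [tx for tx in transfers_in_window(txs, now, window_hours)
            if tx[3] >= threshold_btc]
    return sorted(hits, key=lambda tx: tx[3], reverse=True)


def inflow_by_address(txs, now=NOW, window_hours=24):
    """Sum of BTC received per destination address inside the window."""
    totals = {}
    for _txid, _ts, addr, amount in transfers_in_window(txs, now, window_hours):
        totals[addr] = totals.get(addr, 0.0) + amount
    return totals


def addresses_over(txs, now=NOW, threshold_btc=1000.0, window_hours=24):
    """Addresses whose total inflow in the window reaches threshold_btc.

    This catches a large sum split into several deposits that each sit under
    the single-transfer threshold, which large_transfers alone would miss.
    """
    totals = inflow_by_address(txs, now, window_hours)
    flagged = [(addr, total) for addr, total in totals.items() if total >= threshold_btc]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for txid, ts, addr, amount in large_transfers(SAMPLE_TXS):
        print(f"large transfer {txid} at {ts}: {amount} BTC -> {addr}")
    for addr, total in addresses_over(SAMPLE_TXS):
        print(f"address {addr} received {total} BTC in the last 24h")
```

Against real data the same two checks would be run over transactions pulled from a block explorer or a local node; the per-address aggregation is the one worth keeping, since a thief moving funds in pieces is exactly the case a single-transfer threshold does not catch.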
All this rigamarole makes me want to indulge my Luddite tendencies, dump all my credit cards and automatic withdrawals, deposits, bitcoins, and any other virtual currencies, convert it all to cash or better yet, gold coins, and move to the middle of nowhere. When I need something, I'll drive my beat-up old clunker to the nearest town and buy everything I need with cold, hard currency...
I can no longer read Dilbert. It's too depressing, because it is too real. -- Hyperhaplo
You are so dumb. Really, what are you going on about? People can "fuck you over" with or without regulation and often there is no restitution, all you can do is mitigate the chances of this. This is such basic information it doesn't even have anything to do with libertarianism vs statism (or whatever), you are just acting like an idiot.
If you want to argue that government licensing, regulation, etc is the mitigation strategy that provides the best value for the money. Then ok.
Look at the wikipedia (or any other) article on ponzi schemes and then compare it with the basic sales mechanism of bitcoin while ignoring the fluffy bits to reel in the technophilic as the window dressing that it is. You'll see what I mean. The early players may not have started the scam but they get almost as much out of the poor suckers that come in late as the initiators. You could add it's no more morally wrong than "claim salting" or selling at false weight, but society needs to be protected from people that think that is OK and put it into practice.
Randian? I'm not from the USA where that trash only became popular because it was home grown and recent (then stuck like bubblegum to a shoe so current generations are stuck with it), but do you mean the views of "every man for himself", "never give a sucker an even break"? Or do you mean the truly ridiculous crap from the "Atlas Shrugged" title of thinking that a valid third choice of pick up or put down is to do the job so fucking badly that people will wish you'd never picked it up in the first place? Or is it something more realistic that was borrowed from elsewhere but has Rand's label on it in the USA?
Why would you believe anything coin exchanger says?
How can you lose something that doesn't exist?
Recipes for USA bankruptcy - http://tinypaste.com/0d66f dd = dollar deluge (printed to infinity)