Linode Exploit Caused Theft of Thousands of Bitcoins
Sabbetus writes "Popular web hosting service Linode had a serious exploit earlier today. Apparently the super admin password for their server management panel was leaked and allowed a malicious attacker to target multiple Bitcoin-related servers. The biggest loss happened to a major Bitcoin mining pool that lost over 3000 BTC, which is currently worth almost 15 000 USD. Now the question is, will Linode compensate for lost bitcoins?"
Update: The 3000 BTC theft was not even close to being the biggest, Bitcoin trading site Bitcoinica lost over 40,000 BTC.
Imaginary currency is not safe.
I saw an analysis of their Terms of Service somewhere, indicating that they will only compensate up to the value of the service paid. So, if your service was $100/mo, they'd only compensate you for the downtime you experienced, or up to that month's service charge of $100.
If Linode cares about Bitcoin, it will find a way to compensate its users. Otherwise, if the users who lost money are up to it, I'm sure there is at least one lawyer out there willing to be counsel on the first case involving theft of a digital currency, testing whether or not the data/rights to data stolen are legitimate property of legal value. We supporters of Bitcoin say, "Of course!" but it's not until there's a legal precedent that we really can say that.
Or, Linode can sit behind its ToS and test contract law.
Or, the users can vote with their money and leave Linode and tell others why they're leaving.
At least in my eyes, that I would ever consider Linode in the future is hanging in the balance, and they've previously always had a good reputation in my mind. I would venture that there are plenty of other like-minded geeks out there. Given that Linode's market is primarily we geeks, I believe it behooves them to do the right thing and compensate for the losses.
Colin Dean Go a year without DRM
Those people had no business storing $15,000 worth of irreplaceable data, electronic currency or not, on a service with these kinds of terms. Instead of spending an appropriate amount of money for the proper security they gambled with a service not designed to insure against that kind of liability and lost.
And nothing of value was lost.
Then again, I'm not one who sees any particular use to bitcoin other than interesting math.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Meh. No correlation. Linode has nothing to do with Bitcoins. You could store magic unicorns on their servers, want compensation if they get stolen? In the end _you_ are responsible for your data, not the host. So sorry if Bitcoin is flawed to the point where it can be so easily stolen by little old root. If you purchase service with a back up plan and the servers get hacked and your content is deleted, then you would legally/reasonably expect a restore but sorry fake money that gets "stolen" doesn't count.
Back when I worked for a web host company, we occasionally (rarely) had some issues where customers got screwed. In the worst case, your VPS is on a box where multiple disks die in a RAID array, and you don't have backups, and that's that.
We were customer-friendly, so we would refund the customer's hosting charges if something went terribly wrong. But if you're paying $19/month, you can't really expect us to refund you more than $19/mo when something goes wrong.
There's a rule of thumb in physical security; you should spend ~5% of the value of the thing to secure the thing. E.g. ~$1000 bicycle means ~$50 bicycle lock. If you're using a $19/mo service to hold $10k worth of value, you better be taking some other precautions. These guys were doing the equivalent of keeping $10k in cash in a $20 lockbox in a public place.
If anyone (like me) was wondering if there was any confirmation that Linode accepted blame other than from the person who was robbed, there is.
http://status.linode.com/2012/03/manager-security-incident.html
Linode is actually rather lucky this person who did this only went for 8 machines. They could have been in a whole lot more trouble when someone got access like this.
http://lkml.org/lkml/2005/8/20/95
The crash of the beanie baby market clearly shows that government regulation is needed.
Oh, look, it's reductio ad absurdum *and* a strawman *and* a false dichotomy all in one neat little package!
Always the libertarian argument: Less regulation is ALWAYS good, and ANY regulation means TOTAL FASCISM and NO MIDDLE GROUND AT ALL.
--
BMO
It's irreplaceable in the sense that Bitcoin transactions can not be reversed.
That would be 'irreversible', not irreplaceable. Obviously the stolen bitcoins can be replaced by transferring an equivalent number of bitcoins to victims' accounts.
It's not as if a particular Bitcoin ID string is of great sentimental value to anyone here; it's the value of the stolen coins that is the issue. Bitcoins are fungible.
I don't care if it's 90,000 hectares. That lake was not my doing.
Might be a bit difficult to find someone who even would insure their bitcoin balance, not to mention the difficulties that would probably arise if a claim was filed. Fortunately, in this case the operators of the services are absorbing the loss and their customers/clients are not directly affected.
It should be easily settled by converting real dollars into BTC.
I heard about 3000 BTC has coincidentally just become available on the market, which if they put up the US$15,000 to buy them, should cover the "stolen" BTC.
1. Mine a bunch of BTC
2. Fake an online break-in and theft
3. Sell the not really stolen property to the entity who has to replace it, using an untraceable currency
4. Profit!
PS: There is no ???? step when it comes to insurance fraud, it's a rather well researched field.
-- Terry
Oh, look, it's reductio ad absurdum *and* a strawman *and* a false dichotomy all in one neat little package!
Oh, look, a list of fallacies with no backing - always a strong argument!
Go ahead, though, propose a mechanism where legal responsibility for lost revenue doesn't raise prices. Show me the magic money.
Always the libertarian argument: Less regulation is ALWAYS good, and ANY regulation means TOTAL FASCISM and NO MIDDLE GROUND AT ALL.
No, more customer regulation is a great thing. See GoDaddy/SOPA for how this works.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
So basically they are NOT a currency at all.
They are about as much "currency" (defined as "a widely accepted medium of exchange") as cancelled postage stamps or baseball cards.
I've just met a bunch of people who proclaim their utopian ideas of the world being better who would screw you and your aged grandmother in a heartbeat.
You missed the fine print: they think their ideas would make the world better for them.
(Though I've never met one who wasn't delusional, thinking he - always a he - has enough money or influence to come out ahead in a free-for-all society.)
Sheesh, evil *and* a jerk. -- Jade
Yep, gold is not a currency either. Hasn't been in a while. Now it's mostly a commodity traded on the market like other commodities. I think I'd prefer to trade in gold than freaking bitcoins, though.