Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linode Exploit Caused Theft of Thousands of Bitcoins

Posted by ryuzaki0 on from the say-goodbye dept.

Sabbetus writes "Popular web hosting service Linode had a serious exploit earlier today. Apparently the super admin password for their server management panel was leaked and allowed a malicious attacker to target multiple Bitcoin-related servers. The biggest loss happened to a major Bitcoin mining pool that lost over 3000 BTC, which is currently worth almost 15 000 USD. Now the question is, will Linode compensate for lost bitcoins?" Update: The 3000 BTC theft was not even close to being the biggest, Bitcoin trading site Bitcoinica lost over 40,000 BTC.

4 of 450 comments (clear)

  1. Newsflash by Anonymous Coward · · Score: 5, Insightful

    Imaginary currency is not safe.

    1. Re:Newsflash by dlgeek · · Score: 5, Insightful

      How would insurance of bitcoins even work? It seems particularly challenging for many reasons.

      Generally, insurance policies are written for things with a strongly-known approximate value. Jewlery, physical property, buildings, a fixed amount of cash in a safe.... You can't generally get insurance on things with fluctuating value like real estate (you can insure the building on top of it, but you can't insure the lot against loss of value), various financial instruments, commodities futures, etc. Bit coins are highly variable - if I take out a policy against 10,000 bit coins, and they're lost, what value would the policy pay out based on? The value at the time I got my policy? The value at the time they were stolen? The value at the time the claim is settled? Does this take into account that if someone steals a large number of bitcoins, they're probably going to liquidate them quickly, which would depress the market? If the policy is based on the value at the time it's issued, the insured party has a motivation to purposefully lose or destroy the coins if the market dramatically drops - the insured value is higher than the market value. On the other hand, if the policy is based on the market value at the time of the incident, the insurance company's costs can skyrocket and no sane underwriter would write such a policy.

      Speaking of the insurred's motivation to defraud based on fluctuating value, the risk of fraud here is sky-high. A cryptographically-secure, untraceable currency where mere knowledge of a few numbers is enough to steal the entire value without leaving any evidence behind? It'd be trivial for the owner to purposefully leave a backdoor, then anonymously exploit it, especially given the nasscent state of computer security in the legal system. It wouldn't even have to be that subtle a hole, either. As far as I know, there isn't any precedent to establish what liability companies have with regard to negligence in the field, with the notable exception of PCI:DSS for the credit card industry. (For example, all the cases against Sony were dismissed as far as I'm aware.) In our current environment, the insurance company would have a hard time proving neglicence to dispute the claim. With that kind of risk, there's no way any insurer would issue that kind of policy. I just don't see any reasonable way that an insurance company would write a policy like this, at any price. Moreover, many of these issues reach past the bitcoin realm and apply to all sorts of online providers. As more and more of companies move data to "the cloud" - what kind of recourse do they have when security and availibility events happen. Can I get an insurance policy to protect me if my cloud email provider exposes confidential business informaton to the world which significantly impacts my revenue stream? It's a very thorny landscape...

  2. No correlation. by Anonymous Coward · · Score: 5, Insightful

    Meh. No correlation. Linode has nothing to do with Bitcoins. You could store magic unicorns on their servers, want compensation if they get stolen? In the end _you_ are responsible for your data, not the host. So sorry if Bitcoin is flawed to the point where it can be so easily stolen by little old root. If you purchase service with a back up plan and the servers get hacked and your content is deleted, then you would legally/reasonably expect a restore but sorry fake money that gets "stolen" doesn't count.

  3. if you pay $10/mo, you can't really expect damages by Chalex · · Score: 5, Insightful

    Back when I worked for a web host company, we occasionally (rarely) had some issues where customers got screwed. In the worst case, your VPS is on a box where multiple disks die in a RAID array, and you don't have backups, and that's that.

    We were customer-friendly, so we would refund the customer's hosting charges if something went terribly wrong. But if you're paying $19/month, you can't really expect us to refund you more than $19/mo when something goes wrong.

    There's a rule of thumb in physical security; you should spend ~5% of the value of the thing to secure the thing. E.g. ~$1000 bicycle means ~$50 bicycle lock. If you're using a $19/mo service to hold $10k worth of value, you better be taking some other precautions. These guys were doing the equivalent of keeping $10k in cash in a $20 lockbox in a public place.