Slashdot Mirror
Linode Exploit Caused Theft of Thousands of Bitcoins
Sabbetus writes "Popular web hosting service Linode had a serious exploit earlier today. Apparently the super admin password for their server management panel was leaked and allowed a malicious attacker to target multiple Bitcoin-related servers. The biggest loss happened to a major Bitcoin mining pool that lost over 3000 BTC, which is currently worth almost 15 000 USD. Now the question is, will Linode compensate for lost bitcoins?"
Update: The 3000 BTC theft was not even close to being the biggest, Bitcoin trading site Bitcoinica lost over 40,000 BTC.
oops...
Imaginary currency is not safe.
The greatest value of bitcoin seems to be in generating headlines.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
http://www.linode.com/tos.cfm
Section 9, paragraph 1:
I saw an analysis of their Terms of Service somewhere, indicating that they will only compensate up to the value of the service paid. So, if your service was $100/mo, they'd only compensate you for the downtime you experienced, or up to that month's service charge of $100.
If Linode cares about Bitcoin, it will find a way to compensate its users. Otherwise, if the users who lost money are up to it, I'm sure there is at least one lawyer out there willing to be counsel on the first case involving theft of a digital currency, testing whether or not the data/rights to data stolen are legitimate property of legal value. We supporters of Bitcoin say, "Of course!" but it's not until there's a legal precedent that we really can say that.
Or, Linode can sit behind its ToS and test contract law.
Or, the users can vote with their money and leave Linode and tell others why they're leaving.
At least in my eyes, that I would ever consider Linode in the future is hanging in the balance, and they've previously always had a good reputation in my mind. I would venture that there are plenty of other like-minded geeks out there. Given that Linode's market is primarily we geeks, I believe it behooves them to do the right thing and compensate for the losses.
Colin Dean Go a year without DRM
Really? Isn't the dream of librarians of that top button finally being released to expose the...
Oh wait, that's my dream of librarians.
Meh. No correlation. Linode has nothing to do with Bitcoins. You could store magic unicorns on their servers, want compensation if they get stolen? In the end _you_ are responsible for your data, not the host. So sorry if Bitcoin is flawed to the point where it can be so easily stolen by little old root. If you purchase service with a back up plan and the servers get hacked and your content is deleted, then you would legally/reasonably expect a restore but sorry fake money that gets "stolen" doesn't count.
Let's write a news article about it
15k is nothing of value eh? Doesn't matter if you think they are worthless. Fact is, they are worth real value to about a million people who use them for a lot more then just interesting math.
Back when I worked for a web host company, we occasionally (rarely) had some issues where customers got screwed. In the worst case, your VPS is on a box where multiple disks die in a RAID array, and you don't have backups, and that's that.
We were customer-friendly, so we would refund the customer's hosting charges if something went terribly wrong. But if you're paying $19/month, you can't really expect us to refund you more than $19/mo when something goes wrong.
There's a rule of thumb in physical security; you should spend ~5% of the value of the thing to secure the thing. E.g. ~$1000 bicycle means ~$50 bicycle lock. If you're using a $19/mo service to hold $10k worth of value, you better be taking some other precautions. These guys were doing the equivalent of keeping $10k in cash in a $20 lockbox in a public place.
Oh the drama. As an actual bitcoin miner, let me fill you in on the real story instead of that media fluff that's purposely inflated to overdramatic proportions. Almost all bitcoin mining pool websites are configured to pay people every time 1 BTC is reached. That's around $5 US and takes a mediocre mining rig approximately 2 days to generate. So the most that the average person probably lost is $0.01 - $5.00. NOBODY keeps massive piles of BTC sitting around at the pool itself. The exchanges, yeah, but not the pools. They're known for lax security too. At the #1 biggest mining pool, your miners' login passwords are listed as plaintext on the page because what are people going to do, mine for you? And none of your money stay there for long so nobody really cares.
What really doesn't add up is the 3000 BTC estimate. Even Deepbit, the largest pool, doesn't have 6000 members, which would be the number required to, at any given point in time, have an average of 3000 BTC on-hand. So it likely was the site owner's profit pool that got robbed the most heavily.
A question I consider sometimes is the relationship between Bitcoins and the US Customs (or any other border agency.)
When we cross the border there are obvious signs making it clear that if you carry more than $10,000 across the border (Canadian or American in my case) in either direction you must declare the transaction. Suppose one's bitcoin wallet is on their cellphone and they are carrying more than $10,000 worth of bitcoins on their cellphone. Would these need to be declared?
I guess it would be similar to carrying bearer bonds across the border but I'm not certain what the conditions are for those, either.
The concern would be whether two people with cellphone bitcoin wallets could meet and move bitcoins from one cellphone wallet to the other without another server or service being involved in the transaction. If so then I can certainly see how this process could be used to facilitate illegal transactions with less obvious traces than carrying large volumes of actual cash.
They're worth US dollars, which I can use to pay for stuff, including my taxes. Even if every retailer on the planet took BitCoin, they'd still be less valuable than whatever the national currency is.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
If anyone (like me) was wondering if there was any confirmation that linode accepted blame other than from the person who was robbed, there is.
http://status.linode.com/2012/03/manager-security-incident.html
Linode is actually rather lucky this person who did this only went for 8 machines. They could have been in a whole lot more trouble when someone got access like this.
http://lkml.org/lkml/2005/8/20/95
Bad decisions were made. If you have ever had to deal with PCI DSS certification then you know what the credit card processing companies expect of their merchant customers. Now imagine the standards the credit card companies themselves try to adhere to. Some developers using BitCoin need to think about the security Big Picture before creating infrastructure for their projects/businesses. Keeping a BitCoin wallet containing thousands of BTC on a little cloud server is not wise.
Having said that, there is a solution in the pipe to help with this problem. Gavin Andresen, lead BitCoin developer, had his Bitcoin Faucet Linode server hacked. While only a few Bitcoins were lost he now is using this incident to support his proposal for Multisignature Transactions.
Guru Meditation #6d416769.21610a21
So I take it we're back on the BitCoin thing full-time?
Does this mean that we at least don't have to see anything about Raspberry Pie or Strawberry Jam, or whatever, for a few weeks?
sic transit gloria mundi
Boy did they bury the lead. Here's the entire story. Allegedly someone broke into the Linode web hosting company, hacked specifically just 8 sites involved in bitcoins and THAT'S IT, no other sites, and stole a hell of a lot more than 3000 BTC. 3000BTC isn't significant but 43,554 BTC were stolen from another major exchange, Bitcoinica. That company is claiming they have the money to cover it and will reimburse everyone. That's almost a quarter of a million US dollars by the way.
Apparently the word on the street is this was targeted and definitely an inside job from an employee or multiple employees at Linode. The easiest way a simultaneous 8-site web control panel hack would be to simply log in with a secret back-door master password that basically all web hosts have. Either someone hacked Linode and found out that master password or it was an employee, the latter of which is obviously a lot simpler and more believable.
Yes, you can do all of that with bitcoins. Just follow these steps:
1) you need to already have bitcoins. If you don't have any bitcoins, you can go to one of the sites that will convert dollars into bitcoins.
2) When you want to buy lunch/gas/videogame/whatever, go to one of the sites that will convert bitcoins into dollars, and convert your bitcoins to dollars.
You can use them to pay taxes, snort cocaine, or wipe your ass. That's three more things than bitcoins are good for.
http://status.linode.com/2012/03/manager-security-incident.html
So in say 2008 in Zimbabwe you seriously think US dollars were less valuable than Zimbabwe dollars just because the government said Zimbabwe dollars were the national currency?
If every retailer on the planet took Bitcoin then all your local retailers would. So how would they be less valuable than the national currency?
Sure it's an illiquid market and you'd be silly to mark to market a large number of them at whatever the most recent trade was priced at and declare that that is what they are worth. But that's not the same as being worthless.
I have a 1 ounce silver round on my desk - I couldn't use it at the grocery store, I couldn't pay my taxes with it, it's completely useless to me aside from being the paper weight it's acting as. But that doesn't make it worthless - it's worth whatever I can find someone else to pay for it - most likely about $25 these days (it's not exactly pristine given it serves as a card protector in poker games when it isn't a paper weight and isn't in plastic or anything).
Oh, look, it's reductio ad absurdum *and* a strawman *and* a false dichotomy all in one neat little package!
Always the libertarian argument: Less regulation is ALWAYS good, and ANY regulation means TOTAL FASCISM and NO MIDDLE GROUND AT ALL.
--
BMO
1. Generate bitcoins.
2. Hack in and steal bitcoins.
3. Sue for real money.
4. Profit!
The trouble with the rat race is that even if you win, you're still a rat." Lily Tomlin
Might be a bit difficult to find someone who even would insure their bitcoin balance, not to mention the difficulties that would probably arise if a claim was filed. Fortunately, in this case the operators of the services are absorbing the lose and their customers/clients are not directly affected.
It should be easily settled by converting real dollars into BTC.
I head about 3000 BTC has coincidentally just become available on the market, which if they put up the US$15,000 to buy them, should cover the "stolen" BTC.
1. Mine a bunch of BTC
2. Fake an online break-in and theft
3. Sell the not really stolen property to the entity who has to replace it, using an untraceable currency
4. Profit!
PS: There is no ???? step when it comes to insurance fraud, it's a rather well researched field.
-- Terry
Oh, look, it's reductio ad absurdum *and* a strawman *and* a false dichotomy all in one neat little package!
Oh, look, a list of fallacies with no backing - always a strong argument!
Go ahead, though, propose a mechanism where legal responsibility for lost revenue doesn't raise prices. Show me the magic money.
Always the libertarian argument: Less regulation is ALWAYS good, and ANY regulation means TOTAL FASCISM and NO MIDDLE GROUND AT ALL.
No, more customer regulation is a great thing. See GoDaddy/SOPA for how this works.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I can, there is a little cafe down the street that takes Bitcoin. In our office Bitcoin is also the typical method of settling a shared check for lunches. You can also conduct all manner of black market trade with Bitcoin. Drugs, guns, prostitutes, all on the table. Or you can just turn it into your local currency to conduct business.
Bitcoin has plenty of uses. It doesn't have to be used as a drop in replacement for us dollars.
So basically they are NOT a currency at all.
They are about as much "currency" (defined as "a widely accepted medium of exchange") as cancelled postage stamps or baseball cards.
I've just met a bunch of people who proclaim their utopian ideas of the world being better who would screw you and your aged grandmother in a heartbeat.
You missed the fine print: they think their ideas would make the world better for them.
(Though I've never met one who wasn't delusional, thinking he - always a he - has enough money or influence to come out ahead in a free-for-all society.)
Sheesh, evil *and* a jerk. -- Jade
Actually, pool users aren't losing anything. The "hot" wallet stored at Linode was only the daily-use petty cash fund used for routine payouts. The bulk of the pool's balance is in "cold" storage and was not affected, so it's not like they were cleaned out. They got the register at the front, but not the safe in the back.
The owner of the pool, Slush, is covering the losses out of pocket, so nobody is losing anything except him.
The same story (though with a larger "hot" wallet) is happening over at Bitcoinica as well.
Dear god your office sounds horrible, and you must live in an insufferable city. If my coworkers wanted to settle a check with bitcoins, I'd lobby to get them fired. Do they all like Ron Paul too?
Here is a place that accepts bitcoins for videogames:
http://gamerkeys.net/
Here is an ebay-like auction site:
http://bitmit.net/en/shop/c/13-pc-and-video-games/2-pc-games
There are no chargebacks with bitcoins, so you need to do research on the rep of various sellers and merchants. You save money on fees you would otherwise pay to cover chargebacks, etc.
Yep, gold is not a currency either. Hasn't been in a while. Now it's mostly a commodity traded on the market like other commodities. I think I'd prefer to trade in gold than freaking bitcoins, though.
and i've met exactly zero people in life who will pay real money for comic books. so what? just because i don't hang out in the comic book collectors circle, doesn't mean they don't exist. i know that if i go looking for them, i'll find them.
same idea applies to bitcoin - if you go looking for people who will pay real money for bitcoins, you will find them. just like comic books, it is a niche market, and a 'random joe on the street' is not likely to be part of the niche.
or gold
Not true. I bet you in 10,000 years if the human race is still around, gold will still be tradeable for anything used as a form of currency anywhere on the planet. Bitcoins? LOL. People are quick to point out how worthless they think gold is. Not one of them would pass up the opportunity to grab a bunch of gold coins if they were just lying there. Why? Because they recognize the value. They just don't want to admit it. The value of gold is not in the gold itself, it's in the fact that everyone on the planet is taught from an early age that it has value.
Seven puppies were harmed during the making of this post.
are really starting to sound a lot like gold/silver bugs do on the investment forums. I'm invested in uranium exploration, oil exploration and undersea exploration companies and I suspect they are no more safe an investment that Bitcoin, or (right now) gold and silver. But damn, you don't hear me frothing at the mouth every time someone starts talking about BP or Fukushima. Fact is, the value of my risky investments and Bitcoin can both flat-line - if you're not prepared to accept that, then you shouldn't be investing either real money, or your time and energy in it. But honestly, best of luck to Bitcoin - I find the experiment at turns fascinating and ridiculous, but it never fails to entertain.
At least US ones. The gaming commission of the various states that engage in it checks to make sure payouts are as required. They catch any tampering with it, there is hell to pay.
In the case of physical game (like Roulette) there are possibilities for some strange streaks, the overall payout is regulated by payout vs probability (like every number has a 1/36 probability of occurring but a bet on any number pays only 34:1) but on machine games it is regulated even tighter. The machines have specific percentages they are expected to pay out, and there's also usually regulation about how they have to make sure there are no long losing streaks (that's what "progressive" slots are). So they don't just check the odds on those, but can make sure of things like "Machine A paid out precisely 95% of the money it took in."
Casinos are just the entertainment industry. They don't take any risks, and they don't even pretend to (all the odds are 100% known to you, as to them). It is just people seem to like the thrill of the chance of winning. Some people DO win big, and that tiny chance is enough to make people enjoy the thrill of playing.
If the people who play with Bitcoins don't keep making headlines and hype, they face the very real possibility of their "investment" going down to zero. They are not catching on as use as a general currency. You can't go spend BTC at Newegg or Amazon or the like. So they have to keep new people interested to keep this going. Otherwise nobody will want to buy BTC meaning the value will effectively be zero. You'd still be able to trade them among people who take them, but since that is almost nobody it gets you nothing.
You can also conduct all manner of black market trade with Bitcoin. Drugs, guns, prostitutes, all on the table.
I would really like to see the prostitute who takes bitcoins.
No, on second thought, I would really not like to see the prostitute who takes bitcoins.
> let's make ISP's fully responsible for all incidental and consquential damages.
Strawman: Hi, you didn't say this, but I'm going to say that you want to have ISPs responsible for content and then I'm going to attack it.
False dichotomy: "obviously" some regulation leads to regulation of everything down to the most minor minutia, implying that you can either have no regulation at all or intrusive regulation, excluding the middle.
Reductio ad absurdum: "I'm going to take what you said and invent a mythical case (ISPs responsible for content) that would never exist in reality and somehow this is proof of something"
All three of these are related. Can you guess how?
In case you can't, I'll put it in simple terms: You are putting words in the parent's mouth that were never said. In even simpler terms, it's a lie.
>Calling you out on bullshit isn't allowed
Oh yes it is.
Good Day.
--
BMO
It is stored on secure systems which are more importantly tracked and audited. It is true most currency these days is just an entry in a digital system. It is much more convenient that way. However it isn't like it is just in some excel spreadsheet and if that sheet goes away the money is gone. It is on special system, and is very well accounted for. When money gets transfered bank to bank it is carefully tracked. At the immediate level it happens via some system like ACH, which itself is monitored and tracked, but that is just the banks chattering basically. Bank A says "You have $5000 more to go in to account X," and Bank B says "I now have $5000 more in that account," and balances are updated accordingly. However that is the banks loaning money, more or less. The actual transfer takes place on the fedwire later which is watched by the federal reserve, as the name implies.
Banks keep careful track of their digital currency, just like their physical currency. It isn't just having secure systems, it is having auditing and tracking. So if something unauthorized happens, it can be rolled back.
That's one of the big reasons to keep your money in a bank and not in a safe or something like that. You keep $10k in bills in a safe and someone steals it, it is gone, you are fucked. You keep $10k electronically in a bank and someone steals it, good chance the transaction can be reversed and you lose nothing.
I reckon this was a targeted attack.
There were at least two big bitcoin users with accounts there - if you actually RTFA, the biggest loss was 10,000 bitcoins (~45,000 USD) from Bitcoinica in addition to the 3,000 bitcoins from Palatinus.
If it was well-known, or could be easily discovered, that several bitcoin sites used the same hosting service, then that would be something worth breaking into, wouldn't it? Social attack, brute-force, some custom malware on a stick in the parking lot of the hosting site - it would be worth it to get your hands on big money.
Everyone should do their own research when choosing which hosting service to use (cost, uptime, features, history of security cock-ups), but it might also be worthwhile making sure no big players use the same host. If they do, then maybe avoid them and look at the next-best option.
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
Like any vendor, Linode has included language in their contract which limits their liability. This is standard language, and it operates according to the following principal, which originated in landlord/tenant law: Linode has no control over the value or sensitivity of the property that you store on its site, so you must get insurance against the loss of this property yourself. No landlord/host wants to act as an insurance company, and they are in no position to do so. I can put anything I want in a rented space; it could be a $5,000,000.00 supercomputer, or a $30,000,000.00 Van Gogh. If there is a leak in my landlord's roof and a drop of water destroys the supercomputer, I must look to my own insurance policy, because I am the one why owns this property. If I want to store $15,000 in cash, I am not going to rent a storage unit and leave it lying all over the floor (the equivalent of what these Linode users did). I am going to put it in a BANK, which is a business specifically designed to store one type of thing, and which provides insurance against its loss.
Here's a link to the TOS: http://www.linode.com/tos.cfm
THIS POST DOES NOT CONSTITUTE LEGAL ADVICE OR CREATE AN ATTORNEY-CLIENT RELATIONSHIP. ANY LEGAL ADVICE MUST BE TAILORED TO YOUR INDIVIDUAL NEEDS BY AN ATTORNEY LICENSED IN YOUR JURISDICTION.
And this right here is why Bitcoin is going to struggle to take off. Very few people want to actually go through the trouble to do this just to spend some money.