Linode Exploit Caused Theft of Thousands of Bitcoins

Sabbetus writes "Popular web hosting service Linode had a serious exploit earlier today. Apparently the super admin password for their server management panel was leaked and allowed a malicious attacker to target multiple Bitcoin-related servers. The biggest loss happened to a major Bitcoin mining pool that lost over 3000 BTC, which is currently worth almost 15 000 USD. Now the question is, will Linode compensate for lost bitcoins?" Update: The 3000 BTC theft was not even close to being the biggest, Bitcoin trading site Bitcoinica lost over 40,000 BTC.

oops

[buzzsawddog]

oops...

Re:oops

[sg_oneill]

It has been said that on the internet, comedy is tragedy that ends in the words "And then I lost my bitcoins".

Thankyou randoids, thank you once again for proving that in the world there are people more comically thoughtless than I.

Re:oops

[subreality]

You accidentally all your bitcoins? :)

Newsflash

Imaginary currency is not safe.

Re:Newsflash

[Kenja]

That would be an interesting claim to file. "They stole my bits! I demand that you replace them."

Re:Newsflash

[mrmeval]

Isn't that the point of bitcoin? To make the intangible tangible? If those bits can be stolen they're about as tangible as it gets. ;) So there is a loss. I'm sure Lloyds of London could write that policy but I don't see them doing it for a price that was affordable.

Re:Newsflash

[BenJCarter]

Perhaps if they paid for the policy in Bitcoins?

Re:Newsflash

[dlgeek]

How would insurance of bitcoins even work? It seems particularly challenging for many reasons.

Generally, insurance policies are written for things with a strongly-known approximate value. Jewlery, physical property, buildings, a fixed amount of cash in a safe.... You can't generally get insurance on things with fluctuating value like real estate (you can insure the building on top of it, but you can't insure the lot against loss of value), various financial instruments, commodities futures, etc. Bit coins are highly variable - if I take out a policy against 10,000 bit coins, and they're lost, what value would the policy pay out based on? The value at the time I got my policy? The value at the time they were stolen? The value at the time the claim is settled? Does this take into account that if someone steals a large number of bitcoins, they're probably going to liquidate them quickly, which would depress the market? If the policy is based on the value at the time it's issued, the insured party has a motivation to purposefully lose or destroy the coins if the market dramatically drops - the insured value is higher than the market value. On the other hand, if the policy is based on the market value at the time of the incident, the insurance company's costs can skyrocket and no sane underwriter would write such a policy.

Speaking of the insurred's motivation to defraud based on fluctuating value, the risk of fraud here is sky-high. A cryptographically-secure, untraceable currency where mere knowledge of a few numbers is enough to steal the entire value without leaving any evidence behind? It'd be trivial for the owner to purposefully leave a backdoor, then anonymously exploit it, especially given the nasscent state of computer security in the legal system. It wouldn't even have to be that subtle a hole, either. As far as I know, there isn't any precedent to establish what liability companies have with regard to negligence in the field, with the notable exception of PCI:DSS for the credit card industry. (For example, all the cases against Sony were dismissed as far as I'm aware.) In our current environment, the insurance company would have a hard time proving neglicence to dispute the claim. With that kind of risk, there's no way any insurer would issue that kind of policy. I just don't see any reasonable way that an insurance company would write a policy like this, at any price. Moreover, many of these issues reach past the bitcoin realm and apply to all sorts of online providers. As more and more of companies move data to "the cloud" - what kind of recourse do they have when security and availibility events happen. Can I get an insurance policy to protect me if my cloud email provider exposes confidential business informaton to the world which significantly impacts my revenue stream? It's a very thorny landscape...

Re:Newsflash

[plover]

It may appear thorny, but insurance is simply legitimized gambling, which ultimately is dirt simple. The company will lay odds against your losses. Now, they're going to study what's happening, and they're going to change the premiums on a scheduled basis, and they're going to present a quote that represents their estimate of your chances of loss, and they're going to have a lawyer write as many weaselly exclusions in the policy that they think they can get away with. If you ask them to insure $10,000 worth of bitcoins against loss, and they're only 50% confident in your security, they may take those odds and set your premium at $6,000.

That's the other thing about insurance companies. They're exactly the same as the casino owner: the house always gets its cut.

Re:Newsflash

[nedlohs]

How does one destroy a bitcoin?

Storing it at linode seems a good start.

Re:Newsflash

[__aajfby9338]

How does one destroy a bitcoin?

Send it to a nonexistent address, or lose the private key that is needed to send the bitcoin to somebody else. Either case results in a bitcoin that cannot be spent, so it is effectively destroyed. So, if you lose your bitcoin wallet and all backups of it, the associated bitcoins are gone for good.

Both situations have happened, and bitcoins have been lost forever as a result. Well, if and when it becomes practical to break the encryption that bitcoin is based on, then it should be possible to recover those lost private keys. I think that is a moot point though, because that would also render the current implementation worthless, and cause it to be replaced with something else (optimistically assuming that anybody still cares about bitcoin once computing power renders the crypto trivially breakable).

Re:Newsflash

[Mister+Transistor]

Actually more of them do than you think! I used to work for a bank, and we would NEVER publicize robberies. First, because of the fear of creating a wave of copycat crimes. Second, to not undermine the bank's secure image. There are 2-5 bank robberies a MONTH in the Chicagoland area, but none of them ever hits the news. Only when there's external involvement, like a shootout or a hostage situation does it ever make the evening news. I found this quite surprising how much the general public is kept in the dark about this sort of thing.

Re:Newsflash

[sixtyeight]

That would be an interesting claim to file. "They stole my bits! I demand that you replace them."

The RIAA, MPAA and Microsoft have been doing it for years now.

Re:Newsflash

[Serious+Callers+Only]

What I find curious about these bit coin thefts is that they have no way to trace the coins once they have left - they see the account it goes to, but have no higher authority to dispute the transfer with, no way to find out who that is or where they are. It truly is virtual cash, but without the audit-trail which real banks have instituted for very good reasons for the cash in our bank accounts. So it seems once someone steals your digital wallet, it is truly gone, with no way to track who stole it, no compensation, no insurance (what insurance company would insure such risk?), and no way to call in the authorities. No wonder there have been a string of thefts, as this currency seems designed to avoid leaving an audit trail.

I can't see why someone would want to keep their wealth in something like bitcoin for this reason alone, quite apart from the volatility and potential for the entire currency to collapse at some point.

The greatest value of bitcoin

[cold+fjord]

The greatest value of bitcoin seems to be in generating headlines.

Linode Terms of Service

[Laebshade]

http://www.linode.com/tos.cfm

Section 9, paragraph 1:

Subscriber acknowledges that the service provided is of such a nature that service can be interrupted for many reasons other than the negligence of Linode.com and that damages resulting from any interruption of service are difficult to ascertain. Therefore, subscriber agrees that Linode.com shall not be liable for any damages arising from such causes beyond the direct and exclusive control of Linode.com. Subscriber further acknowledges that Linode.com's liability for its own negligence may not in any event exceed an amount equivalent to charges payable by subscriber for services during the period damages occurred. In no event shall Linode.com be liable for any special or consequential damages, loss or injury. Linode.com is not responsible for any damages your business may suffer. Linode.com does not make implied or written warranties for any of our services. Linode.com denies any warranty or merchantability for a specific purpose. This includes loss of data resulting from delays, non-deliveries, wrong delivery, and any and all service interruptions caused by Linode.com.

Re:Linode Terms of Service

[Wonko+the+Sane]

Those people had no business storing $15,000 worth of irreplaceable data, electronic currency or not, on a service with these kinds of terms. Instead of spending an appropriate amount of money for the proper security they gambled with a service not designed to insure against that kind of liability and lost.

Re:Linode Terms of Service

[v1]

Subscriber further acknowledges that Linode.com's liability for its own negligence may not in any event exceed an amount equivalent to charges payable by subscriber for services during the period damages occurred.

So if this is binding and enforceable, (which should always be questioned, you can put just about anything in your TOS) that means if they are incompetent retards and let your hosted server get hacked through their back door to your hosted machine they won't be liable for anything beyond the monthly fees you paid them while being hacked?

That's very likely to go to court. They may win or they may lose, but that fails the "common sense" assumption that part of what you are paying for is at least reasonable security for your IP at the facility you are leasing time on. And losing control of your hypervisor-ish password should be easy to prove to be negligent.

I think if they came right out and had to decode that and say "we reserve the right to let random vandals come in and snoop all your data and you won't have any legal recourse" they'd lose a lot of customers. But that's basically what this is going to tell all their customers now. They'd have been a lot smarter to just have quietly reimbursed them. It'll cost them more due to bad publicity.

Re:Linode Terms of Service

[Jeremi]

It's irreplaceable in the sense that Bitcoin transactions can not be reversed.

That would be 'irreversible', not irreplaceable. Obviously the stolen bitcoins can be replaced by transferring an equivalent number of bitcoins to victims' accounts.

It's not as if a particular BitCoin ID string is of great sentimental value to anyone here; it's the value of the stolen coins that is the issue. Bitcoins are fungible.

Re:Don't you just LOVE an unregulated service

Really? Isn't the dream of librarians of that top button finally being released to expose the...

Oh wait, that's my dream of librarians.

No correlation.

Meh. No correlation. Linode has nothing to do with Bitcoins. You could store magic unicorns on their servers, want compensation if they get stolen? In the end _you_ are responsible for your data, not the host. So sorry if Bitcoin is flawed to the point where it can be so easily stolen by little old root. If you purchase service with a back up plan and the servers get hacked and your content is deleted, then you would legally/reasonably expect a restore but sorry fake money that gets "stolen" doesn't count.

if you pay $10/mo, you can't really expect damages

[Chalex]

Back when I worked for a web host company, we occasionally (rarely) had some issues where customers got screwed. In the worst case, your VPS is on a box where multiple disks die in a RAID array, and you don't have backups, and that's that.

We were customer-friendly, so we would refund the customer's hosting charges if something went terribly wrong. But if you're paying $19/month, you can't really expect us to refund you more than $19/mo when something goes wrong.

There's a rule of thumb in physical security; you should spend ~5% of the value of the thing to secure the thing. E.g. ~$1000 bicycle means ~$50 bicycle lock. If you're using a $19/mo service to hold $10k worth of value, you better be taking some other precautions. These guys were doing the equivalent of keeping $10k in cash in a $20 lockbox in a public place.

overblown news story, here's the real truth

[slashmydots]

Oh the drama. As an actual bitcoin miner, let me fill you in on the real story instead of that media fluff that's purposely inflated to overdramatic proportions. Almost all bitcoin mining pool websites are configured to pay people every time 1 BTC is reached. That's around $5 US and takes a mediocre mining rig approximately 2 days to generate. So the most that the average person probably lost is $0.01 - $5.00. NOBODY keeps massive piles of BTC sitting around at the pool itself. The exchanges, yeah, but not the pools. They're known for lax security too. At the #1 biggest mining pool, your miners' login passwords are listed as plaintext on the page because what are people going to do, mine for you? And none of your money stay there for long so nobody really cares.
What really doesn't add up is the 3000 BTC estimate. Even Deepbit, the largest pool, doesn't have 6000 members, which would be the number required to, at any given point in time, have an average of 3000 BTC on-hand. So it likely was the site owner's profit pool that got robbed the most heavily.

Re:overblown news story, here's the real truth

[godofpumpkins]

What about the 43,000 coins bitcoinica reported stolen in the same breach? Still overblown? https://bitcointalk.org/index.php?topic=66979.0

tip of the ice berg - not even the real story!

[slashmydots]

Boy did they bury the lead. Here's the entire story. Allegedly someone broke into the Linode web hosting company, hacked specifically just 8 sites involved in bitcoins and THAT'S IT, no other sites, and stole a hell of a lot more than 3000 BTC. 3000BTC isn't significant but 43,554 BTC were stolen from another major exchange, Bitcoinica. That company is claiming they have the money to cover it and will reimburse everyone. That's almost a quarter of a million US dollars by the way.

Apparently the word on the street is this was targeted and definitely an inside job from an employee or multiple employees at Linode. The easiest way a simultaneous 8-site web control panel hack would be to simply log in with a secret back-door master password that basically all web hosts have. Either someone hacked Linode and found out that master password or it was an employee, the latter of which is obviously a lot simpler and more believable.

Re:tip of the ice berg - not even the real story!

[Larryish]

secret back-door master password

Was the HACKER in question getting a BLOWJOB at the time while having a GUN pointed at his head?

How to covert bitcoins to hard currency

[yukk]

1. Generate bitcoins.
2. Hack in and steal bitcoins.
3. Sue for real money.
4. Profit!

Claim settlement difficulties

[tlambert]

Might be a bit difficult to find someone who even would insure their bitcoin balance, not to mention the difficulties that would probably arise if a claim was filed. Fortunately, in this case the operators of the services are absorbing the lose and their customers/clients are not directly affected.

It should be easily settled by converting real dollars into BTC.

I head about 3000 BTC has coincidentally just become available on the market, which if they put up the US$15,000 to buy them, should cover the "stolen" BTC.

1. Mine a bunch of BTC
2. Fake an online break-in and theft
3. Sell the not really stolen property to the entity who has to replace it, using an untraceable currency
4. Profit!

PS: There is no ???? step when it comes to insurance fraud, it's a rather well researched field.

-- Terry

Re:$15000 USD????

[shaitand]

I can, there is a little cafe down the street that takes Bitcoin. In our office Bitcoin is also the typical method of settling a shared check for lunches. You can also conduct all manner of black market trade with Bitcoin. Drugs, guns, prostitutes, all on the table. Or you can just turn it into your local currency to conduct business.

Bitcoin has plenty of uses. It doesn't have to be used as a drop in replacement for us dollars.

Re:$15000 USD????

[Dahamma]

So basically they are NOT a currency at all.

They are about as much "currency" (defined as "a widely accepted medium of exchange") as cancelled postage stamps or baseball cards.

Re:$15000 USD????

[vipvop]

Dear god your office sounds horrible, and you must live in an insufferable city. If my coworkers wanted to settle a check with bitcoins, I'd lobby to get them fired. Do they all like Ron Paul too?

Re:$15000 USD????

[Dahamma]

Yep, gold is not a currency either. Hasn't been in a while. Now it's mostly a commodity traded on the market like other commodities. I think I'd prefer to trade in gold than freaking bitcoins, though.

Re:$15000 USD????

[M.+Baranczak]

You can also conduct all manner of black market trade with Bitcoin. Drugs, guns, prostitutes, all on the table.

I would really like to see the prostitute who takes bitcoins.

No, on second thought, I would really not like to see the prostitute who takes bitcoins.

Re:Free Insurance

[bmo]

> let's make ISP's fully responsible for all incidental and consquential damages.

Strawman: Hi, you didn't say this, but I'm going to say that you want to have ISPs responsible for content and then I'm going to attack it.

False dichotomy: "obviously" some regulation leads to regulation of everything down to the most minor minutia, implying that you can either have no regulation at all or intrusive regulation, excluding the middle.

Reductio ad absurdum: "I'm going to take what you said and invent a mythical case (ISPs responsible for content) that would never exist in reality and somehow this is proof of something"

All three of these are related. Can you guess how?

In case you can't, I'll put it in simple terms: You are putting words in the parent's mouth that were never said. In even simpler terms, it's a lie.

>Calling you out on bullshit isn't allowed

Oh yes it is.

Good Day.

--
BMO

Section 9: Limitation of Liability

[coldsalmon]

Like any vendor, Linode has included language in their contract which limits their liability. This is standard language, and it operates according to the following principal, which originated in landlord/tenant law: Linode has no control over the value or sensitivity of the property that you store on its site, so you must get insurance against the loss of this property yourself. No landlord/host wants to act as an insurance company, and they are in no position to do so. I can put anything I want in a rented space; it could be a $5,000,000.00 supercomputer, or a $30,000,000.00 Van Gogh. If there is a leak in my landlord's roof and a drop of water destroys the supercomputer, I must look to my own insurance policy, because I am the one why owns this property. If I want to store $15,000 in cash, I am not going to rent a storage unit and leave it lying all over the floor (the equivalent of what these Linode users did). I am going to put it in a BANK, which is a business specifically designed to store one type of thing, and which provides insurance against its loss.

Here's a link to the TOS: http://www.linode.com/tos.cfm

THIS POST DOES NOT CONSTITUTE LEGAL ADVICE OR CREATE AN ATTORNEY-CLIENT RELATIONSHIP. ANY LEGAL ADVICE MUST BE TAILORED TO YOUR INDIVIDUAL NEEDS BY AN ATTORNEY LICENSED IN YOUR JURISDICTION.