Hacked Bitcoin Financial Site Had No Backups
An anonymous reader writes "A fortnight ago the Bitcoin financial website Bitcoinica was hacked and the hacker stole $87,000 worth of Bitcoins. At the time the owner promised that all users would have their Bitcoins and US dollars returned in full, but one of the site developers has just confirmed that they have no database backups and are having difficulty figuring out what everyone's account balance should actually be. A failure of epic proportions for a site holding such large amounts of money."
How are situations like this still happening?
Just check out the WayBack machine. Use the same security hole the hackers used, and just read off everyone's bank balance. Sorted!
Regulation of currency has nothing to do with this. In fact shortly before it closed Bitcoinica was boasting that it had recently come under regulatory supervision. And do you think dollars and euros are immune from incompetence leading to massive losses? If so, where have you been in the last few years?
The underlying problem here is simple, and actually has little to do with Bitcoin itself. The problem is that Bitcoin has grown so extremely fast that almost anyone who sets up a unique financial service, as Bitcoinica and MtGox did, is immediately flooded with users and vast sums of money. These guys are then plunged into the pain of scaling up their operations from zero almost overnight .... setting up customer support, dealing with bugs and new features, figuring out the relevant regulations so they can start to comply with them and attempting to secure their operations.
It does not help that many of these operations started out being run by rank amateurs. MtGox was written in amateurish PHP and had to be almost completely rewritten from scratch by Mark Karpeles, who appears to be fairly competent. Their big security breach came when the previous owner (the amateur) got hacked, he had retained too much access to the business internals. Bitcoinica was, notoriously, set up by a Chinese 17 year old who was able to build a nice UI and working trading platform, but quickly realized he was in over his head with regards to building a rock solid secure operation.
Securing IT systems is hard and Bitcoin as it stands today doesn't do much to help you with it. It's worth noting here that if you just want to sell things for coins (the common merchant case) your server does not need to have the ability to spend the received money at all. You can use a split wallet (also called a "watching wallet") on the server, and then only a totally different secure machine of your choosing can actually move the money. So the difficulty mostly affects companies that need to automatically receive and send large sums of money. The community knows how to make improvements - the protocol allows for money to require multiple signatures to move it, so a framework for having an independent second system that verifies/risk-analyses a transaction stream before signing it would be a good step forward. Using trusted computing platforms like Intel TXT + the TPM chip allows you to secure your wallet in such a way that root level compromise of the machine cannot be used to extract the keys. And the use of "cold storage" wallets is already commonplace. Etc, etc.
The Bitcoin world is going through a period of rapid evolution in which amateur wildcat operations prove demand and are then rapidly replaced by companies designed by highly paranoid people. If you are skilled at computer security and willing to do a lot of paperwork, there's golden opportunities for you right now.
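The independent second signer described in the comment above, sketched as an added example that is not part of the original thread or of any Bitcoin project's code. The `CoSigner` class, its limits, the `payout-*` destination names and the HMAC standing in for the second signature are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

COIN = 100_000_000  # satoshis per bitcoin
DAY = 86_400        # seconds

@dataclass
class CoSigner:
    """Hypothetical second signer: approves a payout only if policy allows."""
    key: bytes             # second key; never present on the web server
    per_tx_limit: int
    daily_limit: int
    allowlist: frozenset
    approved: list = field(default_factory=list)  # (timestamp, amount)

    def review(self, tx: dict, now: int):
        # Drop approvals older than 24 hours from the velocity window.
        self.approved = [(t, a) for t, a in self.approved if now - t < DAY]
        if tx["amount"] <= 0 or tx["amount"] > self.per_tx_limit:
            return False, "per-tx limit", None
        if tx["to"] not in self.allowlist:
            return False, "unknown destination", None
        if sum(a for _, a in self.approved) + tx["amount"] > self.daily_limit:
            return False, "daily limit", None
        self.approved.append((now, tx["amount"]))
        msg = f'{tx["id"]}|{tx["to"]}|{tx["amount"]}'.encode()
        # HMAC stands in for the second signature of a multi-signature spend.
        return True, "ok", hmac.new(self.key, msg, hashlib.sha256).hexdigest()

# Constructed payout stream as the front-end server would submit it.
STREAM = [
    (0,      {"id": "w1", "to": "payout-A", "amount": 2 * COIN}),
    (60,     {"id": "w2", "to": "payout-A", "amount": 50 * COIN}),
    (120,    {"id": "w3", "to": "payout-X", "amount": 3 * COIN}),
    (180,    {"id": "w4", "to": "payout-B", "amount": 9 * COIN}),
    (90_000, {"id": "w5", "to": "payout-B", "amount": 9 * COIN}),
]

def run_stream():
    signer = CoSigner(b"constructed-demo-key", 10 * COIN, 10 * COIN,
                      frozenset({"payout-A", "payout-B"}))
    return [signer.review(tx, now) for now, tx in STREAM]

if __name__ == "__main__":
    for (now, tx), (ok, reason, sig) in zip(STREAM, run_stream()):
        print(now, tx["id"], "SIGNED" if ok else "REFUSED", reason)
```

A compromised front end can still submit requests, but without the second approval a payout that breaks policy never gets both signatures.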
Cash doesn't need backups.
Close. Cash is the equivalent of no backups. Having your money in a regulated, underwritten by government, bank is having your money well backed up. An unregulated industry like bitcoin (as illustrated in TFA) is the worst of both worlds.
I used to think that too. Soooo sick of Bitcoin articles. But now, every Bitcoin article is a new hilarious episode of idiocy, and it gives me my daily dose of schadenfreude, so I'm loving it.
Until the government decides to steal that money from you: "Freezing your assets" because they suspect you of some crime, "garnishing" or "levying" your bank account because you didn't "voluntarily" pay their taxes, and so on. And then of course, the government can just decide to print more money at will, stealing wealth from everyone, through inflation.
The risk of theft or loss with government-backed banks is the same; the thieves are just more organized. And if you consider inflation, the slow, persistent, and inexorable theft of your banked USDs is all but certain.
Liberty in your lifetime
Cash doesn't need backups.
If I keep my money in coins (a precursor to BitCoins) or in bills (aka foldin' money) and someone steals them I have no cash and I have no backups. If I keep it in a cash server (aka bank, savings and loan, or other financial institution) and they get robbed I do have a backup (even if management are the ones that steal the money or bankrupt the institution, but only up to $250k which is plenty to cover my accounts).
Meanwhile, the EUR is imploding due to abject irresponsibility on the part of its government backers, banks, and investors, and the USD is probably not far behind. I wonder how long off until we see wheelbarrows full of euros and dollars being used to feed woodstoves rather than as currency. The growing sovereign debt crises and $700T (yes, that's a "T") derivatives market going tits-up are going to make BTC's problems look like a joke.
Yet I see comment after comment of how irresponsible and amateurish BTC is, and how we should only trust regulated, state-backed currencies. Yeah.
Liberty in your lifetime
There are plenty of people who are trying to use Bitcoin as currency. They are really going to be unhappy when the hype dies down...
Palm trees and 8
This story about the woes of Bitcoinica is grossly overblown. The amount of money is comparatively very small, and the Bitcoin network itself is nothing to do with this theft and is sound.
To put some perspective on the Bitcoinica incidents, in 2008, the estimated UK bank fraud level was £52.5 million; that is 990.28441 times the amount of this Bitcoin theft:
http://www.themoneystop.co.uk/042009/online-banking-fraud-is-on-the-rise-in-the-uk.html
There are people on many sides who want Bitcoin to fail, and who will do anything to stop it from growing. The banks hate it, because it will disintermediate and replace their business. The Statists don't like it because it will defund their socialist dreams. The gold bugs loathe it because it is not gold. Keynesian journalists bristle at the fact that the money supply in Bitcoin is limited, and dream of seeing it destroyed.
None of these people will matter in the end, and they do not understand Bitcoin.
Bitcoin will continue to grow, and events like this will winnow out the weak services and strengthen the existing ones. Each theft, disaster and problem are iterations that add to the unpublished "how to run a safe Bitcoin service" manual. Bitcoin and the services that will grow up around it cannot be stopped, just like Bittorrent cannot be stopped, and the latter is responsible for 53.3% of upstream traffic:
http://torrentfreak.com/bittorrent-still-dominates-global-internet-traffic-101026/
It doesn't take much to see how important Bitcoin is going to become once the core public facing interfaces are solidified, refined and reliable. Bitcoinica is not Bitcoin, and neither are any of the services that are built on it. Bitcoin is a protocol. Events like this are nothing more than a bump in the road, and a vanishingly small one at that.
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
Regulation has a good deal to do with it. Regulations on financial transactions shouldn't allow semi-competent 17 year olds to handle large amounts of other peoples' money, for instance, or to design software for such. They should require that data and transactions be recorded, backed up and auditable and audits should be required. AND insured. If you let a person not sufficiently insured hold your money, you are a fool.
Retrieval of that free backup costs a whopping $25.
Think about that statement for a minute...
If you want news from today, you have to come back tomorrow.
Blacks are a net drain on society.
And you, sir, are an unacceptable drain on the Earth's supply of breathable air.
Regulations on financial transactions shouldn't allow semi-competent 17 year olds to handle large amounts of other peoples' money, for instance, or to design software for such.
So using Free software would be out of the question, because it might include code written by a minor? Or by somebody with a false identity, a codename such as "Satoshi"?
I agree on your main point about handling other people's money responsibly. But the designer of the software has nothing to do with this, you still have to choose the software responsibly.
Escher was the first MC and Giger invented the HR department.
First of all, Bitcoinica is not Bitcoin. It is a broker of Bitcoin futures contracts. And one that is unaudited, poorly-backed, unregulated, and run by a 17 year old Singaporean student.
So, those who were paying any attention at all know that using Bitcoinica was always a highly risky proposition. Making such a thing work flawlessly was never guaranteed to even be possible, let alone without bumps along the way, even though Zhou Tong did a relatively stellar job in my opinion, all things considered.
But lastly, those who were paying close attention should have seen that Zhou Tong made a fatal error after the Rackspace hack, in courting regulation and accepting VC money. It seems like this was done in order to save face and achieve a degree of approval for what was, clearly, a marginalized (yet successful) business model. I'm not privy to the details, so perhaps there was no real choice. But the downfall of Bitcoinica was only a matter of time once that happened. And I said so at the time.
"I assumed blithely that there were no elves out there in the darkness"
Right on; say what you want, at least Bitcoins don't change in value.
It isn't the amount, it's the sheer amateurishness of the operation and the subsequent loss of trust.
Banks, exchanges, and other monetary systems, including currencies themselves, can only function when there exists an implied trust that the system will continue to function, and do so reliably. A loss of that trust is what causes bank runs, hyperinflation, and economic collapses.
Bitcoin has destroyed that trust. They're toast.
Regards;
Good luck getting any bank in America regulated if the Republicans control all three branches.
Like they did in 2002 when the Sarbanes–Oxley Act was passed? You're delusional if you think Republicans don't love regulation. Look at their actions, not their words.
Seriously, look into starting a new bank as a startup (I have). It's not possible without massive capitalization and regulation. Upwards of $5M in legal fees alone.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Scrooge McDuck never worried about banks and he was loaded.
If I've said it once, I've said it a thousand times. Scrooge McDuck is a better duck than I.
"Bitcoins are not currently money. They're more like arcade tokens, really. No value outside the venues honoring them.
Currency, on the other hand..."
Feel free to try and use North Korean currency in the United States or Europe to buy something.
Currency has NO VALUE outside the venues honoring them.
Do not look at laser with remaining good eye.
Stable...and much, much lower. That is why most of these people will be unhappy: they bought into the Bitcoin system late in the game, and are going to see the value of their Bitcoins decline substantially. A lot of the market value of Bitcoin is based on hype and dubious promises.
Palm trees and 8
That's called inflation. I know it's confusing, since the talking heads on TV tell you that deflation is bad and that inflation is good. That's their job.
Just remember that when the money supply inflates due to money printing, your money is worth less.
"I assumed blithely that there were no elves out there in the darkness"
Well, sort of. But when a whole country, by law is bound to honor them, that lends a layer of credibility that just can't be had from any private organization.
Just remember that when the money deflates your work to grow the market has rewarded people sitting on said money. But please, do continue to condescend me onto your side.
Analogies don't equal equalities, they are merely somewhat analogous.
Cash (or "money") is not a store of value, it's a lubricant for exchange. A monetary system without inflation (small, predictable) encourages people to store wealth in "money", as opposed to investing it in productive uses. Monetary systems with a small amount of inflation will encourage investment of wealth to earn a return at least as good as the inflation being experienced. Which is why virtually every economy on the planet left the gold standard; the economies with "inflatable" currencies will outperform those without.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Right. Because we regulate traditional banks, they're never hacked or robbed.
Oh wait...
When money is printed, and the velocity of money and the quantity of all available goods and services remains constant, your money is worth less. FTFY.
Don't blame me, I voted for Baltar.
Nonsense. Bitcoins are a currency.
Although, I imagine that your idea of currency is tied to the number of merchants that accept it, with some idea of critical mass. Hence, if / when 700 million people are engaging in various transactions using BitCoins, you will think of it as a currency.
I am John Hurt.
Your statement assumes the previous AC deserves rational argument in return. The problem is doing so gives too much importance to something that has actual negative intellectual value.
"To argue with a man who has renounced the use and authority of reason is like administering medicine to the dead." - Thomas Paine
--
BMO
I think the restoration fee is because they're a business and want to earn money. They get customers by offering the backup for free, so they have to charge for something else.
And testing your backups once a year for a whopping $25 is still helluva lot better than not having any backups at all for $0.
Correct, monetary savings are not investments, if there is a reward, that is if the money is worth more just by sitting around, your system is broken. And as the unquoted part stated, that reward comes from everyone who is working to expand the economy, justify that part instead of spewing cheap rhetoric.
The argument I didn't even touch on? Keep on topic, that is on whether or not deflation pumps wealth from those producing it to those who sit on their money in a fucking growing economy. Bringing up unrelated shit that actively runs counter to the argument presented is what's ridiculous.
If you believe that hyperinflation is happening right now and can't manage finances that might be correct. As it stands money is still worth almost all of its value a year later and there is a variety of stable options that will retain the value long term, is retaining enough for you? Some people need stupid excuses for spending but they are just that.
The world where you can afford to spend because everyone else is working their asses off to make your pile more valuable? Or do you just need an excuse that makes you feel better about spending. Money is part of a larger market dynamic, accept that and maybe you can feel better about the real world.
Analogies don't equal equalities, they are merely somewhat analogous.
It's not "all other things," it's growth of goods and services and velocity of money. And these things are never "held equal" in a real economy; Q consistently increases globally but is highly variable locally in time and space, depending on whether or not an economy is in recession, and V depends on a lot of factors, like confidence, inflation expectations, market depth, economic development...
Don't blame me, I voted for Baltar.
Don't worry, I've seen your postings and I for one am of the opinion that you are a very well duck.
"First they came for the slanderers and i said nothing."
And what exactly is worth a backup you can't restore? It's like saying "the entrance to this theater is completely free! You only have to pay to get out."