BitFloor Joins List of Compromised BitCoin Exchanges
hypnosec writes "An attacker managed to access an unencrypted backup of wallet keys and steal 24,000 BTC (worth more than a quarter million USD), following which Bitcoin exchange Bitfloor has been shut down while the investigation of the theft is going on. The attack was carried out sometime last night. In a forum post, Shtylman pleads with Bitcoin users that BitFloor needs their help."
BitFloor Operator: Good morning sir welcome to BitFloor how can I help you today? ...
... this is all anonymous, right? ... ... I ... I've already received the "product" and they're GOING TO TAKE MY THUMBS if I don't get this money to them now.
Customer: Well, I had heard a lot about this new currency called BitCoin and I was hoping to transfer this $100 in my account to
BitFloor Operator: Oh I completely understand, sir, in today's economy one can't rely solely on the faulty fiat currencies backed by governments like the United States dollar AAAAAAND IT'S GONE! Please log out of this site sir, this is for customers with a positive balance in their accounts.
Customer: What?!
BitFloor Operator: It's gone, it's all gone, sir, our system's been compromised, you now have zero dollars in your account please log off or deposit more money, thank you!
Bitcoinica Operator: Good afternoon sir, welcome to Bitcoinica! How can I help you today?
Customer: Well, uh, I don't know how to, uh, say this but
Bitcoinica Operator: Oh completely sir, we don't have any logs or even backups for that matter!
Customer: Good, good, well, uh, you see I have this "sickness" and I need to transfer this $5,500 for this stuff from this silk road retailer and I
Bitcoinica Operator: Woah woah woah, that's more than enough information to get us started here. So let's see you now have $5,500 in BitCoin balance on your account and the wallet is being updated and written to our single hard drive on a Windows 98 computer connected to the internet with no firewall AAAAAAND IT'S GONE! Please leave this site sir, your account has no balance in it!
Customer: ??? Um, what?
Bitcoinica Operator: It's gone, it's all gone. All of it, something happened, we were hacked or that 8 year old spinning disk crashed or something but it's all gone, thank you sir, thank you for using Bitcoinica now please leave this site or put more money into your account.
Customer: But you don't understand
Bitcoinica Operator: That's wonderful sir, we here at Bitcoinica like to keep our transactions anonymous so please stop relaying me identifying details of this account. Now you have a nice day, sir!
My work here is dung.
post about bitcoin service being hacked,
raspberry Pi's not being delivered
who where what when now?
I'm not really surprised by this. Someone had the idea to create a purely virtual currency, and someone else has found it to be an attractive target.
The fact that it is vulnerable to this kind of attack probably indicates there's some real flaws in how this currency is supposed to work -- or at least a few places where someone can get through the cracks.
I remember when I first started hearing about this, and thinking "gee, I hope they've thought through all of the security issues". It's like security in operating systems ... there's tons of things you could overlook which can let someone in, and until it starts happening, you likely haven't even thought of all of them.
I feel bad for anybody who has lost their money on this, but I've been treating this like an experiment which has the potential to go really wrong. It's just so massively complex to try to design your own currency system that someone isn't going to try to exploit without going through a lot of growing pains.
Lost at C:>. Found at C.
What need did it fill that was not satisfied by other online payment systems?
I want to delete my account but Slashdot doesn't allow it.
It's better that the stupid bitcoin experiment dies now than when average people with something to lose are duped into the scam.
If it's not well regulated, open and the result of mutually beneficial agreement then expect someone smarter than you to take it from you: this rule applies to money, commerce and war.
Easy way to make money, set up a bitcoin exchange, run it long enough to get a couple 100 grand of bitcoins then steal them all from yourself, since bitcoin is untraceable there's really no way to get caught.
So I go to the 7-11 with my smartphone with all 250K worth of bitcoins to get some coffee and a newspaper and the clerk says that will be $2.48 and I hold up my smartphone and he says what's that and I say that's $250 million worth of bitcoins and he says do you want to trade the phone for the paper and coffee and I say no, I want you to use NFC to deduct $2.76 from my magical bitcoins and he says, Sorry dude, I don't have the other half of the encryption key... Just use paper money dude.
This is not the fault of the currency. It is a fault of the exchange provider and the users of the currency really need to be careful in who they put their trust.
I'm sorry but no one without a great deal of development experience should be writing a Bitcoin exchange or any other type of financial exchange exposed to the internet. The attackers got hold of the unencrypted wallet? Why would an exchange wallet ever be unencrypted? Why is there a single wallet in the first place? Why not have separate wallets per user account encrypted with their own passphrase such that the site operator doesn't even have access? Maybe a master password override to decrypt but never stored online etc.
Why is the wallet stored on the webserver in the first place? Why aren't funds transferred to offline storage on a regular basis? I could go on.
Why the fuck was your backup of keys stored unencrypted? It costs only a few cpu cycles.
This smacks of an inside job, which given the nature of bitcoin, is far too easy.
Set up exchange, collect keys, lose keys in 'compromise', profit. No ???? Needed.
Silence is a state of mime.
as the exit strategy for a con.
It's not anonymous, but pseudonymous. It's actually the opposite of anonymous, as EVERY transaction is recorded in public.
It can't scale.
The major use beyond geek things is buying drugs (Silk Road etc). Heck, even illegal arms sales weren't profitable in BitCoin land!
The believers seem to have a huge amount of "goldbug variation", obsessing about a fixed currency supply.
Hardly any exchange or similar service has remained unhacked.
And 5% of ALL bitcoins ended up in a 6 month, blatantly obvious pyramid scheme run by an anonymous individual named PIRATE!!!!
The only saving grace is bitcoin is remarkably small: with only ~10M bitcoins in existence, the delusionary notional value is small.
Test your net with Netalyzr
I've been following this bitcoin phenom for a while, wondering what it was all about and if it really could replace "normal" currency. All these recent thefts make me say "no." At least with dollars the private central bank only steals your money ~5% per year (via supply inflation & dollar devaluation) rather than all at once. And also it's insured from losses (FDIC).
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
A lot of negative comments coming from the people here. Considering your government's (by 'your' I'm assuming you are from the US or UK) determination to stamp all over your rights, rob you blind and give what you have to the banksters I'm surprised there is not a little more support for bitcon on /.
I wouldn't use Bitcon as a store of value but as a means of exchange it is great. Just remember that at some point what you do with your money will be deemed to be either subversive or illegal (donate to wikileaks et al?) and you will be on the receiving end of the boot.
History is filled with people sleepwalking into these traps.
I wonder why people see these Bitcoin sites being hacked as a counter argument to Bitcoin. Do they assume that cash is not being stolen or that credit card fraud does not exist, just because such stories don't make it to /.?
A lot of my friends had similar experiences with their 401K plans.
401k Operator: Hello there welcome to your 401k how can I help you today? ... ... ... and ...
Customer: Well, I was calling about my Vanguard mutual funds that I had a diversified portfolio in but with the recent housing and financial crisis I
401k Operator: AAAAAAND IT'S GONE!
Customer: What? No, actually, I mean the worth is very low at this point -- not even a third of what it was before the crisis but I'm logged into your site right now and I still have the same number of stocks in this mutual fund.
401k Operator: There must be something wrong, sir, all of your money is supposed to be gone.
Customer: Well, I mean actually I was thinking about taking another $10,000 I have of liquid assets and investing in a post tax fund of these same stocks since they're so low right now.
401k Operator: Why on Earth would you do that? These are worthless and your money is all gone.
Customer: No, I mean, I haven't realized these losses yet, the number of shares is still the same and I'd like to buy more of them with some of my savings. I mean, if these things are truly worthless -- they represent huge cross sections of the biggest companies and industries in America. If these things are worthless, this $10,000 isn't going to be of any value to me anyway. Price anarchy will take hold and the economy will grind to a halt. The only people this is really bad for are those that are retiring between now and when/if the price rebounds.
401k Operator: Listen sir, if you're not going to let me say AAAAAAND IT'S GONE, I'm going to use your address here to find you and
Customer: Okay okay, jeez, um, oh, I just drank the last of my coffee and
401k Operator: *long sigh* It's not the same. I need to be alone now, goodbye.
My work here is dung.
That was MY scoop! How will I claim mod points now to fight the Trolls?
The three laws of thermodynamics: (1) You can't win. (2) You can't break even. (3) You can't even quit.
I have heard from a source I cannot disclose that these attacks *might be* government sponsored.
The notion here is that if governments actively attempted to outlaw, ban or block the use of this alternative currency, people would backlash and buckle down even tighter. (You can see how well the "war on terror" and the "war on drugs" has been working out.) Making this currency illegal will only create more criminals.
Instead, it has been said that there is an extremely active initiative to discredit the risk and reliability of the currency.
Personally, I am not sure whether this will work or not, but the purpose and the methods seem reasonable.
With the normal banking system your account is insured to about $40k-80k depending on laws of the country you live in.
Untraceable currency is untraceable! Bitcoins are cash, but your wallet may be laying out on the street with notes hanging out, is it a surprise that some of them get stolen?
Mt GOX DID IT!!!!
I took a look at the first and last pages (as I write this) of the link in the article called "BitFloor needs their help". Wow. What a delusional bunch of people. There are discussions of ways for suckers (cough cough), sorry, I mean "investors" to pump more money into BitFloor. On page 17 (last page now, but won't be for long) one guy proudly proclaims that he now has even more faith in Mt. Gox and BitFloor (assuming BitFloor ever comes back online) because since they've already been hacked, then surely they must have secured those problems and they are now apparently impervious to any future attack. It seems to me that BitCoin exchanges have security policies founded on the idea that people will simply leave them alone and not look for ways to steal what they have. That hasn't worked so far.
I think before anyone goes spouting off nonsense (this is to no one in particular, I just know people will) on how bitcoin is insecure you should stop and read up on it. All that has ever been hacked are 3rd party websites. Exchanges are no different, they are NOT bitcoin, they are 3rd party sites acting as exchanges and of course if the users are unable to actually use decent passwords for their accounts or as this case maybe the exchange operators are not able to properly secure their site, then yeah this stuff happens. Worth mentioning that a lot of these exchanges are not always run by experts, it could be just some guy or girl in an apartment running it for a hobby and ended up getting bigger than they can handle. Happens quite a bit, but bitcoin itself has never been compromised/hacked...etc it's still secure.
Kinda wonder who keeps attacking bitcoin sites. *cough* Governments? *cough* (my paranoid 2cents lol).
Looking over the big picture though, Bitcoin is by FAR safer than any other financial institution or bank on the planet. Bitcoin has had 3rd party sites hacked and what? in total how many coins have been lost? 50,000? 500,000? 1 million? that's peanuts. Go google all the major security breaches that have happened in the last 5 years at both giant corporations, Banks, even the credit card companies and their payment processors.
In most of these cases something like 30-100+ MILLION personal accounts and all the information inside of them have been stolen. Look at the major breach Sony had with its PS3 network (wasn't that shut down for a while afterwards?) Adding up the number of stolen accounts, which contain credit card numbers or bank numbers, personal information, social security numbers probably... addresses phone numbers... all of it, you can probably get up to or maybe even past 1 billion+ in stolen accounts which are all then easily drained of money if someone wanted to or any other number of frauds.
Really the weak link is the bank/credit/cash system as that is where the hackers attack... the exchanges and online "wallets". As bitcoin becomes more spread out and adopted by merchants (and it is being adopted, slowly, but it is) it removes the need to expose your coins to the weak link of the exchanges. Once you start paying and making transactions in just bitcoins, your security goes up tremendously.
Honestly I'd personally rather use bitcoins for payments if I could than anything else I've seen, especially something like Paypal(ughh). It's faster, more secure, gives much more anonymity (Especially if used correctly, or minor security measures are taken), doesn't care about holidays or weekends or time of day to process transactions, Doesn't matter where they are located on the planet - which means no idiotic priced fees or LONG wait times for sending money to another country and having it converted or just sending the money period, International wire transfers can end up costing a small fortune. It's also a payment system that is very easy for this era of smartphones and other devices. Digital payment for digital systems =)
There are risks when you deal with non-trackable currencies. Theft and loss to destruction are two obvious ones.
Whether it's gold stashed in a bank vault that gets broken into, bitcoins or something similar, or dollar bills in your wallet, you are vulnerable to theft. Gold isn't easily destroyed but paper currency is. So are files that only exist as bits on a typical storage medium.
Traceable, cancel-able mediums of exchange, such as travelers checks, credit or debit cards, bank-to-bank transactions, dollar bills that you know the serial numbers of, etc. are at least in theory cancel-able and replace-able if they haven't been used already. I say "in theory" because without an efficient means of checking to see if a piece of currency has been canceled, it's not cancel-able in practice.
Risk of theft without recourse is the price we pay for anonymity. For small transactions and for transactions that I don't want records of, it's worth the price.
For BitCoin to really take off, "bitcoin banks" will need to have auditable, accredited security measures and they will need to insure against loss from theft.
I don't know if BitCoin has a repudiation/cancellation mechanism, but if they do not, such a mechanism should be built into any future system. While cancellation won't necessarily allow a victim to recover his losses, it will deter theft because once stolen, money will be "hot" and have an unknown but likely very short shelf-life.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
BitCoin is frankly too small and too loony and too easy to trace!
The insane self-destructive tendencies of the BitCoin community ensure that governments don't need to do anything about BitCoin. Any "Currency" where 5%!!!! end up in a single Ponzi scheme, where +/- 200% swings in "value" are taken as, ehh, whatever, etc, is going to implode just fine on its own.
Heck, if I was the US Treasury I'd instead (quietly) buy out Magic the Gathering Online Exchange, so that they can trace the USD -> BTC -> USD flow in detail, since once things are in BitCoin land, the traceability is easy. Not because BTC will get big, but so they can quietly say "yeah, we have a handle on it" when some congresscritter gets a bee in his bonnet.
Test your net with Netalyzr
The interesting thing is, that someone is actually willing to accept bitcoins (a virtual not value backed currency) and give in return real stuff. E.g: There is a $ value for bitcoins.
OK trade porn for bitcoins, but anything else makes me just shake my head...
Hawala works because it occurs inside a cultural and religious system that has strong penalties for not following thru.
That's why it works between the hawaladars, the people who exchange money. Traditionally, the people at both ends of the transaction were from the same family. The reason it works for their customers is that it's only a money transfer system. If you send a remittance to someone through hawaladars, and it doesn't show up quickly, you'll never use them again, and neither will your friends. Retail users don't keep balances inside the hawala systems. They don't try to act as banks. So, at least at the lower levels, there are no big stored reserves to embezzle.
The trouble with Bitcoin is that it's a transfer system, a storage medium, and a speculative investment. Most of the trouble comes from the last two features.
It is your something and their nothing that is going to be exchanged.
Fugue for Aaron Swartz
Who would have thought the currency of choice for drug addicts and pedophiles was untrustworthy!
I'm glad the scumbags of society lost their money.
Again, much like Bitcoinica, there will be no police involvement or even a report filed. And again, like Bitcoinica, this will eventually be revealed as an inside job. I don't understand why the entire bitcoin community keeps falling for these obvious scams.