Slashdot Mirror
BitFloor Joins List of Compromised BitCoin Exchanges
hypnosec writes "An attacker managed to access an unencrypted backup of wallet keys and steal 24,000 BTC (worth more than a quarter million USD), following which Bitcoin exchange Bitfloor has been shut down while the investigation of the theft is going on. The attack was carried out sometime last night. In a forum post, Shtylman pleads with Bitcoin users that BitFloor needs their help."
BitFloor Operator: Good morning sir welcome to BitFloor how can I help you today? ...
... this is all anonymous, right? ... ... I ... I've already received the "product" and they're GOING TO TAKE MY THUMBS if I don't get this money to them now.
Customer: Well, I had heard a lot about this new currency called BitCoin and I was hoping to transfer this $100 in my account to
BitFloor Operator: Oh I completely understand, sir, in today's economy one can't rely solely on the faulty fiat currencies backed by governments like the United States dollar AAAAAAND IT'S GONE! Please log out of this site sir, this is for customers with a positive balance in their accounts.
Customer: What?!
BitFloor Operator: It's gone, it's all gone, sir, our system's been compromised, you now have zero dollars in your account please log off or deposit more money, thank you!
Bitcoinica Operator: Good afternoon sir, welcome to Bitcoinica! How can I help you today?
Customer: Well, uh, I don't know how to, uh, say this but
Bitcoinica Operator: Oh completely sir, we don't have any logs or even backups for that matter!
Customer: Good, good, well, uh, you see I have this "sickness" and I need to transfer this $5,500 for this stuff from this silk road retailer and I
Bitcoinica Operator: Woah woah woah, that's more than enough information to get us started here. So let's see you now have $5,500 in BitCoin balance on your account and the wallet is being updated and written to our single hard drive on a Windows 98 computer connected to the internet with no firewall AAAAAAND IT'S GONE! Please leave this site sir, your account has no balance in it!
Customer: ??? Um, what?
Bitcoinica Operator: It's gone, it's all gone. All of it, something happened, we were hacked or that 8 year old spinning disk crashed or something but it's all gone, thank you sir, thank you for using Bitcoinica now please leave this site or put more money into your account.
Customer: But you don't understand
Bitcoinica Operator: That's wonderful sir, we here at Bitcoinica like to keep our transactions anonymous so please stop relaying me identifying details of this account. Now you have a nice day, sir!
My work here is dung.
post about bitcoin service being hacked ,
raspberry Pi's not being delivered
who where what when now?
I'm not really surprised by this. Someone had the idea to create a purely virtual currency, and someone else has found it to be an attractive target.
The fact that it is vulnerable to this kind of attack probably indicates there's some real flaws in how this currency is supposed to work -- or at least a few places where someone can get through the cracks.
I remember when I first started hearing about this, and thinking "gee, I hope they've thought through all of the security issues". It's like security in operating systems ... there's tons of things you could overlook which can let someone in, and until it starts happening, you likely haven't even thought of all of them.
I feel bad for anybody has lost their money on this, but I've been treating this like an experiment which has the potential to go really wrong. It's just so massively complex to try to design your own currency system that someone isn't going to try to exploit without going through a lot of growing pains.
Lost at C:>. Found at C.
Easy way to make money, set up a bitcoin exchange, run it long enough to get a couple 100 grand of bitcoins then steal them all from yourself, since bitcoin is untraceable there's really no way to get caught.
Buying drugs & stolen goods over the internet. Donating to Wikileaks. That's about it really..
This is not the fault of the currency. It is a fault of the exchange provider and the users of the currency really need to be careful in who they put their trust.
I'm sorry but noone without a great deal of development experience should be writing a Bitcoin exchange or any other type of financial exchange exposed to the internet. The attackers got hold of the unencrypted wallet? Why would an exchange wallet ever be unencrypted? Why is there a single wallet in the first place? Why not have seperate wallets per user account encrypted with their own passphrase such that the site operator doesn't even have access? Maybe a master password override to decrypt but never stored online etc.
Why is the wallet stored on the webserver in the first place? Why aren't funds transfered to offline storage on a regular basis? I could go on.
Why the fuck was your backup of keys stored umencrypred? It costs only a vew cpu cycles.
This smacks of an inside job, which given the nature of bitcoin, is far to easy.
Set up exchange, collect keys, lose keys in 'compromise', profit. No ???? Needed.
Silence is a state of mime.
Its not anonymous, but pseudonomous. Its actually the opposite of anonymous, as EVERY transaction is recorded in public.
It can't scale.
The major use beyond geek things is buying drugs (Silk Road etc). Heck, even illegal arms sales weren't profitable in BitCoin land!
The believers seem to have a huge amount of "goldbug variation", obsessing about a fixed currency supply.
Hardly any exchange or similar service has remained unhacked.
And 5% of ALL bitcoins ended up in a 6 month, blatenly obvious pyramid scheme run by an anonymous individual named PIRATE!!!!
The only saving grace is bitcoin is remarkably small: with only ~10M bitcoins in existence, the delusionary notional value is small.
Test your net with Netalyzr
People in places that Americans frequently view as backward and primative have had this figured out for a long time
Obviously, there's lots of ways things could go wrong, but I'd give them my money before I'd put it in a bitcoin exchange...
It filled the need for an anti-corporate moral superiority.
BitCoin was developed from the start to screw over large companies, who invariably require a trail of some kind for significant transactions. It's promoted as the digital equivalent of cash, and just like cash, the only way to trust a transaction is when you implicitly trust the other party. That kind of trust is only feasible for a small business dealing with a small client base, where the natural urge for social behavior still trumps the natural human urge for antisocial greed.
Sure, maybe BitCoin could eventually work... but it'll first evolve a traceable "BitCoin Certificate" that will be exchangeable for BitCoins at a particular place, and those certificates will have a booming economy grow around their trade, because they're easier to secure than actual BitCoins. Then certificates will be created for BitCoins that don't actually exist, but they'll be paired with certificates for BitCoin debt, and BitCoins will be loaned. Eventually, the BitCoins will just be a meaningless wallet locked away on a server, and the certificates will be the real money, and the demand for certificates will fluctuate in relation to the actual value of the BitCoins. Then someone will gripe about how these certificates are no longer fixed to the BitCoin standard, and they're traceable, and we should make a new currency to solve the problems, that's not controlled by Big BitCoin...
You do not have a moral or legal right to do absolutely anything you want.
It's better that the stupid bitcoin experiment dies now than when average people with something to lose are duped into the scam.
If it's not well regulated, open and the result of mutually beneficial agreement then expect someone smarter than you to take it from you: this rule applies to money, commerce and war.
By that argument, we should probably also ban hedge funds, ponzi schemes, derivatives trading, that entire 31 multi-level marketing thing, PayPal, Secured Debt Obligations, Beanie Babies, Exchange Traded Funds, house-flipping, Thomas Kinkade paintings, and investment in what China calls a stock market. Wait. What?
Maybe because when you are the victim of credit card fraud that you don't assume the liability and instead that is the card issuer's problem? Or if someone robs you of your cash that they will face criminal charges? On the other hand, the people losing virtual play money assume no liability and will face no prosecution.
A lot of my friends had similar experiences with their 401K plans.
401k Operator: Hello there welcome to your 401k how can I help you today? ... ... ... and ...
Customer: Well, I was calling about my Vanguard mutual funds that I had a diversified portfolio in but with the recent housing and financial crisis I
401k Operator: AAAAAAND IT'S GONE!
Customer: What? No, actually, I mean the worth is very low at this point -- not even a third of what it was before the crisis but I'm logged into your site right now and I still have the same number of stocks in this mutual fund.
401k Operator: There must be something wrong, sir, all of your money is supposed to be gone.
Customer: Well, I mean actually I was thinking about taking another $10,000 I have of liquid assets and investing in a post tax fund of these same stocks since they're so low right now.
401k Operator: Why on Earth would you do that? These are worthless and your money is all gone.
Customer: No, I mean, I haven't realized these losses yet, the number of shares is still the same and I'd like to buy more of them with some of my savings. I mean, if these things are truly worthless -- they represent huge cross sections of the biggest companies and industries in America. If these things are worthless, this $10,000 isn't going to be of any value to me anyway. Price anarchy will take hold and the economy will grind to a halt. The only people this is really bad for are those that are retiring between now and when/if the price rebounds.
401k Operator: Listen sir, if you're not going to let me say AAAAAAND IT'S GONE, I'm going to use your address here to find you and
Customer: Okay okay, jeez, um, oh, I just drank the last of my coffee and
401k Operator: *long sigh* It's not the same. I need to be alone now, goodbye.
My work here is dung.
Hawala works because it occurs inside a cultural and religious system that has strong penalties for not following thru. Bitcoin exchanges don't work because it's mainly run by a bunch of people who are completely against any oversight. They expect their word and their technical expertise to be the bond, without an ovarching cultural/religious framework to validate it.
Enron would have been very different if the perpetrators could have lost appendages for their malfeasance.
"My God...it's full of trolls!"
There are risks when you deal with non-trackable currencies. Theft and loss to destruction are two obvious ones.
Whether its gold stashed in a bank vault that gets broken into, bitcoins or something similar, or dollar bills in your wallet, you are vulnerable to theft. Gold isn't easily destroyed but paper currency is. So are files that only exist as bits on a typical storage medium.
Traceable, cancel-able mediums of exchange, such as travelers checks, credit or debit cards, bank-to-bank transactions, dollar bills that you know the serial numbers of, etc. are at least in theory cancel-able and replace-able if they haven't been used already. I say "in theory" because without an efficient means of checking to see if a piece of currency has been canceled, it's not cancel-able in practice.
Risk of theft without recourse is the price we pay for anonymity. For small transactions and for transactions that I don't want records of, it's worth the price.
For BitCoin to really take off, "bitcoin banks" will need to have auditable, accredited security measures and they will need to insure against loss from theft.
I don't know if BitCoin has a repudiation/cancellation mechanism, but if they do not, such a mechanism should be built into any future system. While cancellation won't necessarily allow a victim to recover his losses, it will deter theft because once stolen, money will be "hot" and have an unknown but likely very short shelf-life.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Hawala works because it occurs inside a cultural and religious system that has strong penalties for not following thru.
That's why it works between the hawaladars, the people who exchange money. Traditionally, the people at both ends of the transaction were from the same family. The reason it works for their customers is that it's only a money transfer system. If you send a remittance to someone through hawaladars, and it doesn't show up quickly, you'll never use them again, and neither will your friends. Retail users don't keep balances inside the hawala systems. They don't try to act as banks. So, at least at the lower levels, there are no big stored reserves to embezzle.
The trouble with Bitcoin is that it's a transfer system, a storage medium, and a speculative investment. Most of the trouble comes from the last two features.