Slashdot Mirror
BitFloor Joins List of Compromised BitCoin Exchanges
hypnosec writes "An attacker managed to access an unencrypted backup of wallet keys and steal 24,000 BTC (worth more than a quarter million USD), following which Bitcoin exchange Bitfloor has been shut down while the investigation of the theft is going on. The attack was carried out sometime last night. In a forum post, Shtylman pleads with Bitcoin users that BitFloor needs their help."
BitFloor Operator: Good morning sir welcome to BitFloor how can I help you today? ...
... this is all anonymous, right? ... ... I ... I've already received the "product" and they're GOING TO TAKE MY THUMBS if I don't get this money to them now.
Customer: Well, I had heard a lot about this new currency called BitCoin and I was hoping to transfer this $100 in my account to
BitFloor Operator: Oh I completely understand, sir, in today's economy one can't rely solely on the faulty fiat currencies backed by governments like the United States dollar AAAAAAND IT'S GONE! Please log out of this site sir, this is for customers with a positive balance in their accounts.
Customer: What?!
BitFloor Operator: It's gone, it's all gone, sir, our system's been compromised, you now have zero dollars in your account please log off or deposit more money, thank you!
Bitcoinica Operator: Good afternoon sir, welcome to Bitcoinica! How can I help you today?
Customer: Well, uh, I don't know how to, uh, say this but
Bitcoinica Operator: Oh completely sir, we don't have any logs or even backups for that matter!
Customer: Good, good, well, uh, you see I have this "sickness" and I need to transfer this $5,500 for this stuff from this silk road retailer and I
Bitcoinica Operator: Woah woah woah, that's more than enough information to get us started here. So let's see you now have $5,500 in BitCoin balance on your account and the wallet is being updated and written to our single hard drive on a Windows 98 computer connected to the internet with no firewall AAAAAAND IT'S GONE! Please leave this site sir, your account has no balance in it!
Customer: ??? Um, what?
Bitcoinica Operator: It's gone, it's all gone. All of it, something happened, we were hacked or that 8 year old spinning disk crashed or something but it's all gone, thank you sir, thank you for using Bitcoinica now please leave this site or put more money into your account.
Customer: But you don't understand
Bitcoinica Operator: That's wonderful sir, we here at Bitcoinica like to keep our transactions anonymous so please stop relaying me identifying details of this account. Now you have a nice day, sir!
My work here is dung.
The actual Bitcoin protocol looks quite secure, it's just that every website using it seems to be run by the kind of people I wouldn't trust with a toaster oven.
For God's sake, the largest Bitcoin exchange is MTGox. That's the site formerly known as "Magic The Gathering Online Exchange".
This is not the fault of the currency. It is a fault of the exchange provider and the users of the currency really need to be careful in who they put their trust.
I'm sorry but noone without a great deal of development experience should be writing a Bitcoin exchange or any other type of financial exchange exposed to the internet. The attackers got hold of the unencrypted wallet? Why would an exchange wallet ever be unencrypted? Why is there a single wallet in the first place? Why not have seperate wallets per user account encrypted with their own passphrase such that the site operator doesn't even have access? Maybe a master password override to decrypt but never stored online etc.
Why is the wallet stored on the webserver in the first place? Why aren't funds transfered to offline storage on a regular basis? I could go on.
Why the fuck was your backup of keys stored umencrypred? It costs only a vew cpu cycles.
This smacks of an inside job, which given the nature of bitcoin, is far to easy.
Set up exchange, collect keys, lose keys in 'compromise', profit. No ???? Needed.
Silence is a state of mime.
But, that's kind of the core of the problem.
In the real world, the banking and trading system is monitored by people with the power to enforce, have long histories and memories of what can go wrong, and is generally policed by governments cooperating.
But the internet equivalent makes it sound like a bunch of shady, back alley people doing financial transactions outside of the normal system.
So for me, there's simply no basis to trust "Bob's online brokerage and clearing house for virtual currency", or the entire BitCoin system.
Much like PayPal isn't a bank, but does many bank-like things -- it isn't regulated like a bank, and doesn't offer you the same legal protections. It's hard not to see this as more of the same -- but since the currency still has real world value, people will treat it as such. The tendency to lie, cheat and steal doesn't go away because it's virtual currency.
LOL, like I said, "Bob's online brokerage" ... why should I trust them? They're completely unregulated, outside of the normal banking system, and not really accountable to anybody. What could possibly go wrong?
I view this as being pretty close to walking up to someone running a lemon-aid stand who claims to be a bank, and depositing a bunch of money. When the guy with the lemon-aid stand proves to have little or no security, or is completely dishonest ... well, good luck getting your money back.
Lost at C:>. Found at C.
People in places that Americans frequently view as backward and primative have had this figured out for a long time
Obviously, there's lots of ways things could go wrong, but I'd give them my money before I'd put it in a bitcoin exchange...
It filled the need for an anti-corporate moral superiority.
BitCoin was developed from the start to screw over large companies, who invariably require a trail of some kind for significant transactions. It's promoted as the digital equivalent of cash, and just like cash, the only way to trust a transaction is when you implicitly trust the other party. That kind of trust is only feasible for a small business dealing with a small client base, where the natural urge for social behavior still trumps the natural human urge for antisocial greed.
Sure, maybe BitCoin could eventually work... but it'll first evolve a traceable "BitCoin Certificate" that will be exchangeable for BitCoins at a particular place, and those certificates will have a booming economy grow around their trade, because they're easier to secure than actual BitCoins. Then certificates will be created for BitCoins that don't actually exist, but they'll be paired with certificates for BitCoin debt, and BitCoins will be loaned. Eventually, the BitCoins will just be a meaningless wallet locked away on a server, and the certificates will be the real money, and the demand for certificates will fluctuate in relation to the actual value of the BitCoins. Then someone will gripe about how these certificates are no longer fixed to the BitCoin standard, and they're traceable, and we should make a new currency to solve the problems, that's not controlled by Big BitCoin...
You do not have a moral or legal right to do absolutely anything you want.
If PayPal isn't regulated like a bank in your country, then thats a failing of your country - in the UK, PayPal is regulated by the Financial Services Authority, and is registered as a bank within the European Economic Area.
Bitcoin indeed seems to attract the same sort of nutters that gold standard advocacy does.
Anyone who advocates a fixed supply currency where massive deflation is inevitable needs to have their head checked.
They go to this one doctor from Texas for the exam. According to him, they're thinking perfectly rationally.
Except that article is incorrect - because its registered within the European Economic Area, it is still FSA registered and falls under the FSAs regulatory umbrella.
PayPal (Europe) Sarl et Cie SCA is registered with the FSA under the registration number 226056.
The fact that it moved to Luxembourg doesn't change the fact that it is regulated within the UK.
A lot of my friends had similar experiences with their 401K plans.
401k Operator: Hello there welcome to your 401k how can I help you today? ... ... ... and ...
Customer: Well, I was calling about my Vanguard mutual funds that I had a diversified portfolio in but with the recent housing and financial crisis I
401k Operator: AAAAAAND IT'S GONE!
Customer: What? No, actually, I mean the worth is very low at this point -- not even a third of what it was before the crisis but I'm logged into your site right now and I still have the same number of stocks in this mutual fund.
401k Operator: There must be something wrong, sir, all of your money is supposed to be gone.
Customer: Well, I mean actually I was thinking about taking another $10,000 I have of liquid assets and investing in a post tax fund of these same stocks since they're so low right now.
401k Operator: Why on Earth would you do that? These are worthless and your money is all gone.
Customer: No, I mean, I haven't realized these losses yet, the number of shares is still the same and I'd like to buy more of them with some of my savings. I mean, if these things are truly worthless -- they represent huge cross sections of the biggest companies and industries in America. If these things are worthless, this $10,000 isn't going to be of any value to me anyway. Price anarchy will take hold and the economy will grind to a halt. The only people this is really bad for are those that are retiring between now and when/if the price rebounds.
401k Operator: Listen sir, if you're not going to let me say AAAAAAND IT'S GONE, I'm going to use your address here to find you and
Customer: Okay okay, jeez, um, oh, I just drank the last of my coffee and
401k Operator: *long sigh* It's not the same. I need to be alone now, goodbye.
My work here is dung.
Because the difference is meaningless to the users of it? If all the places that you can use to exchange bitcoin are insecure it really doesn't make a difference whether or not the protocol is secure. If bitcoin is only secure as long as you don't use an exchange then it becomes worthless as a currency for... exchanging money.
You hit the nail on the head. Bitcoin just isn't trustworthy for a lot of reasons:
1: It isn't anonymous. Anyone who thinks it is is deluded. There are anonymous currencies (look up Chaum or Tim May's items on this) that actually are truly anonymous, using RSA blinding factors or other items.
2: The system was rigged from the ground up to give lots of coins to people hopping on first, then shaft people later on. This reeks of a classic Ponzi scheme.
3: The lack of interest in security of BitCoin clearing houses. No PCI-DSS regulations, no money spent in watching accountholder stuff. To boot, if the the whole institution gets cleaned out, there is no way to recoup losses.
4: The lack of open source clients.
5: The fact that BitCoin can deflate in a matter of hours.
6: BitCoin is not backed by a single thing. Even the dollar is backed by a relatively stable government.
7: There is no honor among thieves. The problem of doing business in the shadows is that the unregulated clearinghouses have little to no interest in protecting their customers. This is why you don't see crack dealers using other crack dealers as places for stashing their ill-gotten gains.
8: Governments get really interested, really fast, with people using BitCoins. Especially entities like FinCEN. Since BitCoins are not anonymous, someone being stupid can bring the IRS down on them in a heartbeat. Someone who thinks they can use BitCoins for laundering money will find some guys with suits and handcuffs waiting for them.
There is just no point to using BitCoins:
They are not anonymous.
No regulation means that one can lose all their holdings in an instant.
They were created to line the pockets of the original people with ease of creating coins.
They have zero value, even less than a fiat currency.
Wow, Silk Road is still functioning? I would have through with all the publicity it has gotten it wouldn't be trustworthy anymore....
Very trustworthy still. It's basically a service where some people want to buy drugs; and other people want to sell drugs. Add to that the idea that a user rates their purchase (eBay-like) and it's pretty easy to distinguish a legitimate seller from a fake one (theoretically, someone COULD set up a seller account; a bunch of other accounts and then rate themselves on transactions; but so far that doesn't seem to be common, and is usually quite easy to spot).
Publicity only seems to have improved things in general.
Right now, there is a problem with high prices, since a lot of sellers haven't changed their prices since bitcoins were worth half to 3/4 of what they are now; but I suspect that will level out once business starts dropping and they realise they'll make more by lowering their prices somewhat.
Disclaimer: I am only an infrequent purchaser, since I tend to only buy LSD and in lots of 25 tabs for personal use (which means one purchase lasts me a LONG time (my last purchase was around Christmas last year)). I have a friend who also uses it more frequently though, and his experiences are also good (other than the recent price issues).
My book about LSD and Self-Discovery
Also on facebook as: DroppingAcidDaleBewan
That's actually not correct at all.
Firstly, Bitcoin exchanges are regulated, that's why Mt Gox requires you to do ID verification and other such things. Not that regulations are a magic wand - US banks routinely get pillaged due to their pathetically weak (often single factor!) security systems. And whilst many European banks at least use dedicated 2-factor calculators, that hasn't stopped massive bank runs in Spain and Greece as people fear different kinds of failure mode.
Secondly, they are not outside the normal banking system. The whole point of a centralized exchange like Mt Gox is to interface with the banking system. They have bank accounts, accept and send bank wires, etc.
Thirdly, they are accountable in the same way any company is accountable. But they go further, publishing transparency reports that detail exactly how their business is operating. You'll note that Mt Gox is very different to Bitfloor. It is a real company (albiet a small one), not a one-man operation anymore. They have staff processing support tickets. They have redundant datacenters and the ability to withstand 100Gbps DoS attacks. Most crucially 90%+ of their Bitcoins on deposit are stored in offline wallets in various places that can only be accessed physically. Bitfloor (with a whopping 2% of the market) was a one-man job that ran on Linode, a provider that has been completely rooted in the past! That right there should have been an indication that maybe he wasn't really serious.
Let me be clear, anything Bitcoin related is risky right now. That's not because of some inherent flaw of Bitcoin, it's because it's very new and so the ecosystem is immature. In particular the fact that it's an open system with open APIs means a lot of programmers just jump right in and start creating services without fully thinking things through. If you're going to run an exchange you need to have your shit together and there are just way too many people who don't. Now is that their fault, the fault of people who then hand them money, or both?
"Another post about bitcoin service being hacked..."
But have you noticed? Just like with the banks and finance companies, the big data breaches haven't been due to "hacking" accounts... they have almost invariably been related to gaining access to unencrypted data... which is a failure of the "victim" institution. I would not even be surprised if most of them were inside jobs.
Similar example: a bank some years ago "lost" some hard drives containing an unencrypted backup, while they were being transported to off-site storage. They didn't even claim it was stolen... just somehow "lost". Well, what the hell, eh? Any money that got stolen as a result is guaranteed by the government.
Bitcoin is a secure protocol. The recent "hacks" had to do with other data that was not adequately protected by the holders of the bitcoins. Those people are fully responsible. It is not a failure on the part of Bitcoins themselves.
Human failure is where this so-called "web of trust" breaks down. Stuff sent over the internet is (or can be, anyway), pretty darned secure. What happens to it once it gets there is where the big point of failure has been.
A "web of trust" means nothing if the people you are ultimately supposed to trust are careless with your data once they get it.