Slashdot Mirror
BitFloor Joins List of Compromised BitCoin Exchanges
hypnosec writes "An attacker managed to access an unencrypted backup of wallet keys and steal 24,000 BTC (worth more than a quarter million USD), following which Bitcoin exchange Bitfloor has been shut down while the investigation of the theft is going on. The attack was carried out sometime last night. In a forum post, Shtylman pleads with Bitcoin users that BitFloor needs their help."
BitFloor Operator: Good morning sir welcome to BitFloor how can I help you today? ...
... this is all anonymous, right? ... ... I ... I've already received the "product" and they're GOING TO TAKE MY THUMBS if I don't get this money to them now.
Customer: Well, I had heard a lot about this new currency called BitCoin and I was hoping to transfer this $100 in my account to
BitFloor Operator: Oh I completely understand, sir, in today's economy one can't rely solely on the faulty fiat currencies backed by governments like the United States dollar AAAAAAND IT'S GONE! Please log out of this site sir, this is for customers with a positive balance in their accounts.
Customer: What?!
BitFloor Operator: It's gone, it's all gone, sir, our system's been compromised, you now have zero dollars in your account please log off or deposit more money, thank you!
Bitcoinica Operator: Good afternoon sir, welcome to Bitcoinica! How can I help you today?
Customer: Well, uh, I don't know how to, uh, say this but
Bitcoinica Operator: Oh completely sir, we don't have any logs or even backups for that matter!
Customer: Good, good, well, uh, you see I have this "sickness" and I need to transfer this $5,500 for this stuff from this silk road retailer and I
Bitcoinica Operator: Woah woah woah, that's more than enough information to get us started here. So let's see you now have $5,500 in BitCoin balance on your account and the wallet is being updated and written to our single hard drive on a Windows 98 computer connected to the internet with no firewall AAAAAAND IT'S GONE! Please leave this site sir, your account has no balance in it!
Customer: ??? Um, what?
Bitcoinica Operator: It's gone, it's all gone. All of it, something happened, we were hacked or that 8 year old spinning disk crashed or something but it's all gone, thank you sir, thank you for using Bitcoinica now please leave this site or put more money into your account.
Customer: But you don't understand
Bitcoinica Operator: That's wonderful sir, we here at Bitcoinica like to keep our transactions anonymous so please stop relaying me identifying details of this account. Now you have a nice day, sir!
My work here is dung.
The actual Bitcoin protocol looks quite secure, it's just that every website using it seems to be run by the kind of people I wouldn't trust with a toaster oven.
For God's sake, the largest Bitcoin exchange is MTGox. That's the site formerly known as "Magic The Gathering Online Exchange".
This is not the fault of the currency. It is a fault of the exchange provider and the users of the currency really need to be careful in who they put their trust.
I'm sorry but noone without a great deal of development experience should be writing a Bitcoin exchange or any other type of financial exchange exposed to the internet. The attackers got hold of the unencrypted wallet? Why would an exchange wallet ever be unencrypted? Why is there a single wallet in the first place? Why not have seperate wallets per user account encrypted with their own passphrase such that the site operator doesn't even have access? Maybe a master password override to decrypt but never stored online etc.
Why is the wallet stored on the webserver in the first place? Why aren't funds transfered to offline storage on a regular basis? I could go on.
But, that's kind of the core of the problem.
In the real world, the banking and trading system is monitored by people with the power to enforce, have long histories and memories of what can go wrong, and is generally policed by governments cooperating.
But the internet equivalent makes it sound like a bunch of shady, back alley people doing financial transactions outside of the normal system.
So for me, there's simply no basis to trust "Bob's online brokerage and clearing house for virtual currency", or the entire BitCoin system.
Much like PayPal isn't a bank, but does many bank-like things -- it isn't regulated like a bank, and doesn't offer you the same legal protections. It's hard not to see this as more of the same -- but since the currency still has real world value, people will treat it as such. The tendency to lie, cheat and steal doesn't go away because it's virtual currency.
LOL, like I said, "Bob's online brokerage" ... why should I trust them? They're completely unregulated, outside of the normal banking system, and not really accountable to anybody. What could possibly go wrong?
I view this as being pretty close to walking up to someone running a lemon-aid stand who claims to be a bank, and depositing a bunch of money. When the guy with the lemon-aid stand proves to have little or no security, or is completely dishonest ... well, good luck getting your money back.
Lost at C:>. Found at C.
People in places that Americans frequently view as backward and primative have had this figured out for a long time
Obviously, there's lots of ways things could go wrong, but I'd give them my money before I'd put it in a bitcoin exchange...
It filled the need for an anti-corporate moral superiority.
BitCoin was developed from the start to screw over large companies, who invariably require a trail of some kind for significant transactions. It's promoted as the digital equivalent of cash, and just like cash, the only way to trust a transaction is when you implicitly trust the other party. That kind of trust is only feasible for a small business dealing with a small client base, where the natural urge for social behavior still trumps the natural human urge for antisocial greed.
Sure, maybe BitCoin could eventually work... but it'll first evolve a traceable "BitCoin Certificate" that will be exchangeable for BitCoins at a particular place, and those certificates will have a booming economy grow around their trade, because they're easier to secure than actual BitCoins. Then certificates will be created for BitCoins that don't actually exist, but they'll be paired with certificates for BitCoin debt, and BitCoins will be loaned. Eventually, the BitCoins will just be a meaningless wallet locked away on a server, and the certificates will be the real money, and the demand for certificates will fluctuate in relation to the actual value of the BitCoins. Then someone will gripe about how these certificates are no longer fixed to the BitCoin standard, and they're traceable, and we should make a new currency to solve the problems, that's not controlled by Big BitCoin...
You do not have a moral or legal right to do absolutely anything you want.
If PayPal isn't regulated like a bank in your country, then thats a failing of your country - in the UK, PayPal is regulated by the Financial Services Authority, and is registered as a bank within the European Economic Area.
Except that article is incorrect - because its registered within the European Economic Area, it is still FSA registered and falls under the FSAs regulatory umbrella.
PayPal (Europe) Sarl et Cie SCA is registered with the FSA under the registration number 226056.
The fact that it moved to Luxembourg doesn't change the fact that it is regulated within the UK.
A lot of my friends had similar experiences with their 401K plans.
401k Operator: Hello there welcome to your 401k how can I help you today? ... ... ... and ...
Customer: Well, I was calling about my Vanguard mutual funds that I had a diversified portfolio in but with the recent housing and financial crisis I
401k Operator: AAAAAAND IT'S GONE!
Customer: What? No, actually, I mean the worth is very low at this point -- not even a third of what it was before the crisis but I'm logged into your site right now and I still have the same number of stocks in this mutual fund.
401k Operator: There must be something wrong, sir, all of your money is supposed to be gone.
Customer: Well, I mean actually I was thinking about taking another $10,000 I have of liquid assets and investing in a post tax fund of these same stocks since they're so low right now.
401k Operator: Why on Earth would you do that? These are worthless and your money is all gone.
Customer: No, I mean, I haven't realized these losses yet, the number of shares is still the same and I'd like to buy more of them with some of my savings. I mean, if these things are truly worthless -- they represent huge cross sections of the biggest companies and industries in America. If these things are worthless, this $10,000 isn't going to be of any value to me anyway. Price anarchy will take hold and the economy will grind to a halt. The only people this is really bad for are those that are retiring between now and when/if the price rebounds.
401k Operator: Listen sir, if you're not going to let me say AAAAAAND IT'S GONE, I'm going to use your address here to find you and
Customer: Okay okay, jeez, um, oh, I just drank the last of my coffee and
401k Operator: *long sigh* It's not the same. I need to be alone now, goodbye.
My work here is dung.
Because the difference is meaningless to the users of it? If all the places that you can use to exchange bitcoin are insecure it really doesn't make a difference whether or not the protocol is secure. If bitcoin is only secure as long as you don't use an exchange then it becomes worthless as a currency for... exchanging money.
"Another post about bitcoin service being hacked..."
But have you noticed? Just like with the banks and finance companies, the big data breaches haven't been due to "hacking" accounts... they have almost invariably been related to gaining access to unencrypted data... which is a failure of the "victim" institution. I would not even be surprised if most of them were inside jobs.
Similar example: a bank some years ago "lost" some hard drives containing an unencrypted backup, while they were being transported to off-site storage. They didn't even claim it was stolen... just somehow "lost". Well, what the hell, eh? Any money that got stolen as a result is guaranteed by the government.
Bitcoin is a secure protocol. The recent "hacks" had to do with other data that was not adequately protected by the holders of the bitcoins. Those people are fully responsible. It is not a failure on the part of Bitcoins themselves.
Human failure is where this so-called "web of trust" breaks down. Stuff sent over the internet is (or can be, anyway), pretty darned secure. What happens to it once it gets there is where the big point of failure has been.
A "web of trust" means nothing if the people you are ultimately supposed to trust are careless with your data once they get it.