Computer compromise leads to theft of bitcoins valued at $500,000 USD

96 points| trotsky | 15 years ago |forum.bitcoin.org | reply

136 comments

[+] tybris|15 years ago|reply
I now understand that BitCoin is actually an experiment to teach people basic economics and why many of today's rules and institutions (e.g., banks) exist. Sorry for criticizing it. BitCoin is an awesome educational tool.
[+] ch0wn|15 years ago|reply
Bitcoin is not money in the bank, but cash. If your wallet is stolen, the bank will not refund you, either. You can, however, go to the police and that is what the victim here is doing as well. There is, of course, a much lower chance of catching the thief than there would be with real cash.
[+] byrneseyeview|15 years ago|reply
What prevents you from setting up a BitCoin bank?

More interestingly: are the features that let you set up a dollar-denominated bank features or bugs?

[+] ansy|15 years ago|reply
I'm a BitCoin skeptic with the best of them. But this is breathtaking.

That's one thing about bitcoins. There's no FDIC or SIPC watching your back. It's the wild west with train robberies and stage coach heists in all.

[+] byrneseyeview|15 years ago|reply
It's interesting to consider why that is. I could start a BitCoin deposit insurance company, for example: you'd pay me X% of your balance each month, and I'd make you whole in the event of fraud.

Of course, I'd want all sorts of regulations on how you set this up; I might sell you some kind of extra-secure system for managing your balance, for example. At that point, the market would basically be putting a price on BitCoin security.

Obviously, my deposit insurance scheme could go broke, if I price it wrong. That's theoretically a risk with SIPC. It's not a risk with the FDIC, since that is ultimately backed by the government's ability to print an unlimited amount of money.

So it might make more sense to say that deposit insurance is a feature of unstable currencies: if anyone's dollar-denominated debt can be 100% guaranteed by the government, then the value of everyone's dollar-denominated assets will face an inflation tax to pay for this guarantee.

[+] astrodust|15 years ago|reply
The thing I find more dangerous than that is anyone with your wallet.dat file can go and do whatever with your account.

There really should be additional checks. Having to sign your transfer requests and allow people to impose a voluntary delay on their transactions to allow time for cancellation would help significantly.

[+] cheez|15 years ago|reply
FDIC or SIPC don't cover you if you have stacks of cash that get stolen.

This guy wasn't using a bank, he wasn't encrypting his wallet, so that is inevitable.

[+] hullo|15 years ago|reply
Seems fairly inevitable: if I sat by the window of my house, talking to anyone who walked by about having a large cache of money, which it was clear was also in my house... well, I would probably want to do one or all of: (a) invest in some quality locks; (b) stop talking about it; (c) keep my money somewhere else
[+] mrcharles|15 years ago|reply
Correct me if I'm wrong, but given the P2P nature of bitcoin, wouldn't it effectively give someone interested in malicious activity a list of target IP addresses? In theory he could set up his own P2P, watch for large transactions, and then he has an ip running a bitcoin client who (potentially) has a large wallet.

Then it's just a matter of running common exploits (or new ones, if you have them) in order to access the machine and the bitcoin wallet.

[+] cosgroveb|15 years ago|reply
Also: this is the perfect crime for those so inclined to do this. What authorities are going to give a damn about your missing Bitcoins?
[+] Jach|15 years ago|reply
I've thought about that as well. But I would imagine if you have the technical chops to do that (I'd be interested in seeing a distribution of Mac/Linux/Windows users for BitCoin as well), you'd have the technical chops to get more money from other ways than stealing a few bitcoins. That said if I were a botnet master I'd put in some code to search for a wallet as a 'bonus'.
[+] Astrohacker|15 years ago|reply
There's no way to know which IP address corresponds to which bitcoin address.
[+] sp332|15 years ago|reply
This reminds me of the "come from" statement. COMEFROM is a long-running joke, it's a flow control statement which is intentionally confusing. It works like a GOTO but backwards. There is no indication in the area being jumped from that flow control is about to go somewhere else in the program. https://secure.wikimedia.org/wikipedia/en/wiki/COMEFROM

I think, when parts of your currency start to resemble any part of INTERCAL, you have a big problem :-)

[+] astrodust|14 years ago|reply
People joke about the COMEFROM statement all the time, but isn't this what observers do?
[+] makmanalp|15 years ago|reply
What, you don't read your code in reverse chronological order?!
[+] edw|15 years ago|reply
This guy's experience reads like something out of a William Gibson novel. If BTC takes off, I wouldn't be surprised if the world got several orders of magnitude nastier, malware-wise. If the value of breaking into someone's machine is not merely the computer's connectivity or, worse, information to enable identity theft but actual, untraceable value-holding currency, you know the incentive to compromise computers is going to skyrocket.

Are we prepared to live in that world?

[+] wmf|15 years ago|reply
What's the cyber-analog of those "driver carries no cash" signs?
[+] StavrosK|15 years ago|reply
The worst part of this is how irreversible it is. With a bank you might be able to get it back, with cash nobody can just siphon the actual paper money remotely, but with bitcoin you're out of luck.
[+] mootothemax|15 years ago|reply
> With a bank you might be able to get it back

I'm not sure that's true. As I mentioned in another comment, the CHAPS payment system doesn't allow transactions to be reversed, and the other major system in the UK, Faster Payments, I believe has a 24 window for banks to request a reversal, usually in case they transmit something by mistake.

Honestly, I think we place too much faith in banks sometimes.

[+] imjustatechguy|15 years ago|reply
Traceability in the real world banking institutions has its advantages. As a business owner I've once had a mistaken transaction that resulted in erroneous withdrawal of +10,000 from business bank account. A phone call to the bank and a bit of investigation fixed things and I don't think the bank was out any money either, it was just a wrong account number issue.

With bitcoin, things are not at all reversible.

Also I expect bitcoin to be shut down because it could be a great way to fund terrorist activities. (There are major federal investments in anti-money laundering systems that monitor bank transactions, bitcoin transactions operate outside of this system and thus will be suspect.)

[+] gwern|15 years ago|reply
> With a bank you might be able to get it back

Only if it hasn't been transferred elsewhere and laundered and whatnot. Then all the bank is doing is penalizing its other customers to make you whole.

[+] BigZaphod|15 years ago|reply
Nobody would keep $500,000 in cash sitting around their house, but that's essentially what this guy did.
[+] lukejduncan|15 years ago|reply
BitCoin has an analog in cash. Yes, it's anonymous but there are things you simply don't do with it.
[+] stipes|15 years ago|reply
The design of BitCoin only includes very weak anonymity. A medium-to-large scale network analysis could most likely break any anonymity people thought they had.
[+] william42|15 years ago|reply
Yes, but there's no FDIC-insured BitCoin bank, and there's no way to write a virus that steals cash.
[+] insulation|14 years ago|reply
For a bunch of DIY hackers, I'm sort of surprised you guys are so willing to hand your money and control over its security over to the government and financial institutions. Then again, I was a computer security guy for the government and online financial institutions, so I guess I'm comfortable with my ability to protect my (very very small amount of) money, or I'm just more cynical about them.

Western Union is irreversible, and would probably have been shut down if it wasn't so well-established. Most other US payment systems are reversible, which is why you have holds on getting the money out of those systems - they want time to detect fraud and reverse the fraudulent transaction. This requirement for reversibility seeps through the system, which makes anonymity very difficult, and causes a lot of friction on anything that changes a reversible payment into a non-reversible payment, since that's where you eat the fraud. Now you know why it's hard to get cash equivalents out of the system, especially to a remote party.

The point here is that once the money is in a non-reversible network, you can accept a payment and know that it's good very very quickly. If you make bitcoin reversible, you might as well just use one of the old payment systems, where the money might disappear later (and you'll be out your privacy, goods, cash and services), or you'll be paying transaction fees based on your charge-back rates, and unable to charge more for the reversible payments than the non-reversible ones due to contracts you have to sign to be part of the payment network - and thus the non-reversible payers subsidize the reversible payers. What a racket.

As we used to say, "there's no good guys in payment processing, only bad guys and less-bad guys".

[+] pnathan|15 years ago|reply
Sounds to me like a BTC bank should be set up, with corresponding accounts. Instead of 'you' holds all your BTC, your BANK holds most of your BTC in a secured location, and you can make withdrawals to your account on demand.

Of course, this would effectively require an insurance corp also set up in such a fashion that integrity of the bank could be configured.

/hmm... maybe I should do this!

[+] cheez|15 years ago|reply
Third sentence:

> If only the wallet file was encrypted on the HD.

Yep. Anyone who doesn't do this is stupid.

[+] simias|15 years ago|reply
He then proceeds to say that he backed up his unencrypted wallet to "dropbox, wuala, and spideroak", which doesn't strike me as extremely clever when you're talking about something in the half a million price range.

On the other end it's a good cautionary tale. I'm quite curious about this bitcoin thing, but this reminds me I definitely don't want to secure all my money myself without any insurance or guarantees. A stupid mistake and shazam you lost all your money.

Regarding the issue of whether the application should encrypt the wallet by default, it'd probably be a good thing to have but I'm not sure it would have helped in this case. The wallet would have to be decrypted in order to mine or execute any transaction and the attacker was obviously targeting the bitcoin wallet specifically, so it could just have installed a keylogger or whatever to catch the passphrase, like they do with banking sites (or wait until the wallet is decrypted and dump it then, or install a backdoored version of the bitcoin client...).

[+] berberich|15 years ago|reply
I haven't used Bitcoin, so this is an honest question - Why doesn't the software encrypt the wallet automatically?
[+] DrewHintz|15 years ago|reply
I doubt that encrypting the wallet on the HD would have helped much. It sounds like allinvain's computer was compromised. The attacker could have copied the decryption key when it was used legitimately by allinvain.
[+] BoppreH|15 years ago|reply
Could a hacker move the file somewhere else and ask for ransom?

If so, that's a lot easier to deal with than losing everything outright, but not risk proof.

[+] atakan_gurkan|14 years ago|reply
It seems to me that Bitcoin requires an actual wallet. A physical device that will store your "money", i.e. verifiable account info, the way a general purpose computer is storing it now.
[+] llimllib|15 years ago|reply
Anybody have the text of the post available? The site's not working for me.
[+] DrewHintz|15 years ago|reply
I just got hacked - any help is welcome! allinvain June 13, 2011, 08:47:05 pm

Hi everyone. I am totally devastated today. I just woke up to see a very large chunk of my bitcoin balance gone to the following address:

1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg

Transaction date: 6/13/2011 12:52 (EST)

I feel like killing myself now. This gets me so f'ing pissed off. If only the wallet file was encrypted on the HD. I do feel like this is my fault somehow for not moving that money to a separate non windows computer. I backed up my wallet.dat file religiously and encrypted it but that does not do me much good when someone or some trojan or something has direct access to my computer somehow.

The transaction sent belongs rightfully to this address: 1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG

Block explorer is down so I cannot even see where the funds went.

I tried restoring an earlier backup of my wallet but naturally that does not work because the transaction has already been validated.

Needless to say I feel like I have lost faith in bitcoin.

Anyone have any ideas what I can do besides just jump off a bridge?!

--------------- [snipping out posts that don't contribute much] ---------------

Re: I just got hacked - any help is welcome! June 13, 2011, 09:05:04 pm allinvain

First thing that I noticed is that my slush's pool account got hacked into and someone changed the payout address to this:

15iUDqk6nLmav3B1xUHPQivDpfMruVsu9f

I then changed the password and proceeded to run some antivirus and anti malware scans. Some stuff was found, but they were all cleaned up and they were all in my windows user profile temp dir which I deleted all the temp files. God I can't even type properly. Sorry folks I'm a bit emotional now.

I then left another virus scanner running and went to sleep. When I woke up I check my bitcoin wallet. I leave the client running to help the network, and I notice -25,000 (and a transaction fee) gone.

Fuck, I really should've moved the coins to a vmware linux session I have running. But the question is was it already too late? Could someone have had access to my wallet.dat for a long time and now just decided to "cash out"?

[+] pavel_lishin|15 years ago|reply
Valued by who? Hasn't this been fluctuating like crazy lately?
[+] chopsueyar|15 years ago|reply
No. One exchange one day.
[+] Vitaly|15 years ago|reply
Someone should make a physical bitcoin wallet device.
[+] mrvc|15 years ago|reply
It's not really $500,000 though is it? As soon as you exchange a small amount of that into dollars you crash the exchange and the value drops significantly. I'd estimate it at about $30,000 worth.
[+] pygy_|15 years ago|reply
If you try to cash them out all at once, yes.

On June 12th, $3,5M were exchanged on MtGox. For 8 of the last 10 days, the daily volume has been above $1M. I think that you could get these $500K in small chunks in a few days, provided you do it full time.

Edit -- Source: http://bitcoincharts.com/charts/mtgoxUSD#rg30zigDailyzvzcvzl...

[+] brandall10|15 years ago|reply
Granted the market is easy to manipulate with small transactions that can start large swings; as well it would be difficult to find a buyer if you wanted to liquidate a lump sum of this size without a solid discount.

That said, I think you're overstating the impact this would have. The recent downswing from ~$30 to ~$10 in a period of a couple days was speculated to be due to MtGox consolidating 20 times this amount.

[+] roel_v|15 years ago|reply
Can you elaborate on how you came to the discount factor you used?
[+] shareme|15 years ago|reply
ahem, read up on European history..

The Merchant trade in Europe came up with three valued things:

1. Corporations
2. Insurance
3. Banks

Those three items are related to one another. While it's true that due to the anonymous nature BitCoin is biased towards illegal mafia-like formation of banks and such for illegal activities as soon as legal activities start using them as trade banks, insurance, etc will form as a natural evolution.