BitFloor Joins List of Compromised BitCoin Exchanges 232
hypnosec writes "An attacker managed to access an unencrypted backup of wallet keys and steal 24,000 BTC (worth more than a quarter million USD), following which Bitcoin exchange Bitfloor has been shut down while the investigation of the theft is going on. The attack was carried out sometime last night. In a forum post, Shtylman pleads with Bitcoin users that BitFloor needs their help."
Another week Another ... (Score:2, Insightful)
post about bitcoin service being hacked ,
raspberry Pi's not being delivered
Re:Not surprised ... (Score:5, Insightful)
The actual Bitcoin protocol looks quite secure, it's just that every website using it seems to be run by the kind of people I wouldn't trust with a toaster oven.
For God's sake, the largest Bitcoin exchange is MTGox. That's the site formerly known as "Magic The Gathering Online Exchange".
Re:Why ever use Bitcoin in the first place? (Score:0, Insightful)
You haven't heard of SilkRoad have you?
Inexperienced exchange providers (Score:5, Insightful)
This is not the fault of the currency. It is a fault of the exchange provider and the users of the currency really need to be careful in who they put their trust.
I'm sorry but noone without a great deal of development experience should be writing a Bitcoin exchange or any other type of financial exchange exposed to the internet. The attackers got hold of the unencrypted wallet? Why would an exchange wallet ever be unencrypted? Why is there a single wallet in the first place? Why not have seperate wallets per user account encrypted with their own passphrase such that the site operator doesn't even have access? Maybe a master password override to decrypt but never stored online etc.
Why is the wallet stored on the webserver in the first place? Why aren't funds transfered to offline storage on a regular basis? I could go on.
Re:Not surprised ... (Score:5, Insightful)
But, that's kind of the core of the problem.
In the real world, the banking and trading system is monitored by people with the power to enforce, have long histories and memories of what can go wrong, and is generally policed by governments cooperating.
But the internet equivalent makes it sound like a bunch of shady, back alley people doing financial transactions outside of the normal system.
So for me, there's simply no basis to trust "Bob's online brokerage and clearing house for virtual currency", or the entire BitCoin system.
Much like PayPal isn't a bank, but does many bank-like things -- it isn't regulated like a bank, and doesn't offer you the same legal protections. It's hard not to see this as more of the same -- but since the currency still has real world value, people will treat it as such. The tendency to lie, cheat and steal doesn't go away because it's virtual currency.
LOL, like I said, "Bob's online brokerage" ... why should I trust them? They're completely unregulated, outside of the normal banking system, and not really accountable to anybody. What could possibly go wrong?
I view this as being pretty close to walking up to someone running a lemon-aid stand who claims to be a bank, and depositing a bunch of money. When the guy with the lemon-aid stand proves to have little or no security, or is completely dishonest ... well, good luck getting your money back.
OK, I really don't get BitCoin... (Score:2, Insightful)
Its not anonymous, but pseudonomous. Its actually the opposite of anonymous, as EVERY transaction is recorded in public.
It can't scale.
The major use beyond geek things is buying drugs (Silk Road etc). Heck, even illegal arms sales weren't profitable in BitCoin land!
The believers seem to have a huge amount of "goldbug variation", obsessing about a fixed currency supply.
Hardly any exchange or similar service has remained unhacked.
And 5% of ALL bitcoins ended up in a 6 month, blatenly obvious pyramid scheme run by an anonymous individual named PIRATE!!!!
The only saving grace is bitcoin is remarkably small: with only ~10M bitcoins in existence, the delusionary notional value is small.
Re:Why ever use Bitcoin in the first place? (Score:5, Insightful)
It filled the need for an anti-corporate moral superiority.
BitCoin was developed from the start to screw over large companies, who invariably require a trail of some kind for significant transactions. It's promoted as the digital equivalent of cash, and just like cash, the only way to trust a transaction is when you implicitly trust the other party. That kind of trust is only feasible for a small business dealing with a small client base, where the natural urge for social behavior still trumps the natural human urge for antisocial greed.
Sure, maybe BitCoin could eventually work... but it'll first evolve a traceable "BitCoin Certificate" that will be exchangeable for BitCoins at a particular place, and those certificates will have a booming economy grow around their trade, because they're easier to secure than actual BitCoins. Then certificates will be created for BitCoins that don't actually exist, but they'll be paired with certificates for BitCoin debt, and BitCoins will be loaned. Eventually, the BitCoins will just be a meaningless wallet locked away on a server, and the certificates will be the real money, and the demand for certificates will fluctuate in relation to the actual value of the BitCoins. Then someone will gripe about how these certificates are no longer fixed to the BitCoin standard, and they're traceable, and we should make a new currency to solve the problems, that's not controlled by Big BitCoin...
Re:Not surprised ... (Score:5, Insightful)
If PayPal isn't regulated like a bank in your country, then thats a failing of your country - in the UK, PayPal is regulated by the Financial Services Authority, and is registered as a bank within the European Economic Area.
Re:Aaaaaand It's Gone!!! (Score:5, Insightful)
Re:Inexperienced exchange providers (Score:4, Insightful)
But, that's the problem.
In the real world, banks are regulated, covered under some oversight, and insured.
If this parallel banking system doesn't have any of these controls, then there's simply no way you can trust the system as a whole.
So, me, I'll stick to having my money backed by real banks, with an actual transaction processing backed by major players, and which all of the players understand the risks and their own liability.
Trusting the internet with my money is like trusting a crackhead to guard my house. What you're describing is that any idiot can come along and try to get into the game. No thanks.
This may not be a specific issue with the currency, but the entire "banking" ecosystem around it sounds like something I'd fundamentally have zero trust in.
Re:Not surprised ... (Score:3, Insightful)
Except... it isn't anymore, since 2007 it's been a Luxemborg bank outside UK regulation.
http://tamebay.com/2007/05/paypal-becomes-a-bank-no-longer-under-fsa.html [tamebay.com]
Re:Aaaaaand It's Gone!!! (Score:5, Insightful)
Reminds me of a friend who was of a similar mind. He stored hundreds of rolls of toilet paper in a storage area cleverly located in the ceiling of his covered deck. Basically wasted space until he decided it would be a perfect place for that bulky but absolutely essential aspect of modern life.
His plan worked fine until a windstorm tore the roof off said deck and scattered the hundreds of rolls of toilet paper over a huge swath of scrub pine and chaparral downwind to the cabin. You know, it's damn hard to pick up hundreds of rolls of TP stuck in the brush. Would have made a great little picture on Google Earth, had it existed back then.
Moral of the story: Although TP is important to modern sensibilities, it's not something most people can safely store for extended periods of time. Leaves, OTOH just grow on trees although winter tends to be a bit harder concept to deal with.
The Difference (Score:5, Insightful)
A lot of my friends had similar experiences with their 401K plans.
401k Operator: Hello there welcome to your 401k how can I help you today? ... ... ... and ...
Customer: Well, I was calling about my Vanguard mutual funds that I had a diversified portfolio in but with the recent housing and financial crisis I
401k Operator: AAAAAAND IT'S GONE!
Customer: What? No, actually, I mean the worth is very low at this point -- not even a third of what it was before the crisis but I'm logged into your site right now and I still have the same number of stocks in this mutual fund.
401k Operator: There must be something wrong, sir, all of your money is supposed to be gone.
Customer: Well, I mean actually I was thinking about taking another $10,000 I have of liquid assets and investing in a post tax fund of these same stocks since they're so low right now.
401k Operator: Why on Earth would you do that? These are worthless and your money is all gone.
Customer: No, I mean, I haven't realized these losses yet, the number of shares is still the same and I'd like to buy more of them with some of my savings. I mean, if these things are truly worthless -- they represent huge cross sections of the biggest companies and industries in America. If these things are worthless, this $10,000 isn't going to be of any value to me anyway. Price anarchy will take hold and the economy will grind to a halt. The only people this is really bad for are those that are retiring between now and when/if the price rebounds.
401k Operator: Listen sir, if you're not going to let me say AAAAAAND IT'S GONE, I'm going to use your address here to find you and
Customer: Okay okay, jeez, um, oh, I just drank the last of my coffee and
401k Operator: *long sigh* It's not the same. I need to be alone now, goodbye.
Re:Not surprised ... (Score:4, Insightful)
Because the difference is meaningless to the users of it? If all the places that you can use to exchange bitcoin are insecure it really doesn't make a difference whether or not the protocol is secure. If bitcoin is only secure as long as you don't use an exchange then it becomes worthless as a currency for... exchanging money.
Re:Aaaaaand It's Gone!!! (Score:5, Insightful)
You've clearly never gone camping in the winter. Winter is much easier to deal with; just grab a snowball. Cleaner than toilet paper.
I don't think you know what "easier to deal with" means.
Re:Inexperienced exchange providers (Score:5, Insightful)
If you put it in the bank, the bank can fail and take your deposits with it
No, it can't, at least not in the United States. Under the FDIC [wikipedia.org], depositors are protected by the federal government for up to $250,000 even if the bank goes bust. The Glass-Steagall Act of 1933, which established the FDIC, was passed specifically to prevent this kind of scenario from happening, which it previously had done with some regularity. (Glass-Steagall also banned some dangerous practices like commingling retail and investment banking; unfortunately, by the 1990s, people had forgotten why these regulations were a good idea, and they were repealed, setting the stage for the financial crisis of 2008.)
Re:Not surprised ... (Score:4, Insightful)
Wow, Silk Road is still functioning? I would have through with all the publicity it has gotten it wouldn't be trustworthy anymore....
Very trustworthy still. It's basically a service where some people want to buy drugs; and other people want to sell drugs. Add to that the idea that a user rates their purchase (eBay-like) and it's pretty easy to distinguish a legitimate seller from a fake one (theoretically, someone COULD set up a seller account; a bunch of other accounts and then rate themselves on transactions; but so far that doesn't seem to be common, and is usually quite easy to spot).
Publicity only seems to have improved things in general.
Right now, there is a problem with high prices, since a lot of sellers haven't changed their prices since bitcoins were worth half to 3/4 of what they are now; but I suspect that will level out once business starts dropping and they realise they'll make more by lowering their prices somewhat.
Disclaimer: I am only an infrequent purchaser, since I tend to only buy LSD and in lots of 25 tabs for personal use (which means one purchase lasts me a LONG time (my last purchase was around Christmas last year)). I have a friend who also uses it more frequently though, and his experiences are also good (other than the recent price issues).
Re:Another week Another ... (Score:5, Insightful)
"Another post about bitcoin service being hacked..."
But have you noticed? Just like with the banks and finance companies, the big data breaches haven't been due to "hacking" accounts... they have almost invariably been related to gaining access to unencrypted data... which is a failure of the "victim" institution. I would not even be surprised if most of them were inside jobs.
Similar example: a bank some years ago "lost" some hard drives containing an unencrypted backup, while they were being transported to off-site storage. They didn't even claim it was stolen... just somehow "lost". Well, what the hell, eh? Any money that got stolen as a result is guaranteed by the government.
Bitcoin is a secure protocol. The recent "hacks" had to do with other data that was not adequately protected by the holders of the bitcoins. Those people are fully responsible. It is not a failure on the part of Bitcoins themselves.
Human failure is where this so-called "web of trust" breaks down. Stuff sent over the internet is (or can be, anyway), pretty darned secure. What happens to it once it gets there is where the big point of failure has been.
A "web of trust" means nothing if the people you are ultimately supposed to trust are careless with your data once they get it.