Bitcoin payment processor BIPS compromised, 1295 BTC stolen (bitcointalk.org)
72 points by nwh on Nov 25, 2013 | 66 comments



Pretty sad, especially for folks who lost coin.

The part that intrigues me is the whole security aspect of it. Take your average bright guy and say "Let's set up a place where people can store and move around gold coins. All the gold coins are going to sit in your living room, and of course if anyone were to get their hands on those coins they could melt them down into pieces and resell them so that you never knew where they went. There is going to be more than a million dollars worth of coins in your living room, do you think your door lock is up to it?"

OK, so it's a stretch, but Bitcoin has two interesting properties: one, it is pretty fungible, and two, most if not all governments consider it about as 'real' as the gold in World of Warcraft. If the CFAA doesn't apply (say the server is outside the US) then what exactly would you even charge someone with who "stole" 1000 BTC? It isn't recognized as currency by any jurisdiction on the planet as far as I can tell, so what got stolen? Numbers? Block chain data?

This fairly unique combination of properties quite possibly makes Bitcoin the ideal target for thieves. Better than cash, better than raw gemstones, better than pretty much anything except possibly bearer bonds [1]. Have you seen how much security there is around vaults that hold bearer bonds?

And yet people create exchanges or wallet services or whatnot and then seem shocked when they get compromised by very sophisticated programmers [2] who steal all their BTC? You are surprised?

Given these huge thefts where is the money going? I mean is there a steady stream of redemptions at exchanges? Is there a note in the chain when the coin is transacted for cash? Should there be?

[1] http://www.investopedia.com/articles/bonds/08/bearer-bond.as...

[2] When the payoff is huge, the risk small, you can pay someone a lot of money if they are good to get you the coins.


"It isn't recognized as currency by any jurisdiction on the planet as far as I can tell"

Wrong: http://www.forbes.com/sites/kashmirhill/2013/08/07/federal-j...


Thanks for the link; the reasoning from the ruling [1] is a bit more precise, however, for the purposes of establishing standing for the SEC to prosecute. The judge reasoned to that in part with this:

"First, the Court must determine whether the BTCST investments constitute an investment of money. It is clear that Bitcoin can be used as money. It can be used to purchase goods or services, and as Shavers stated, used to pay for individual living expenses. The only limitation of Bitcoin is that it is limited to those places that accept it as currency. However, it can also be exchanged for conventional currencies, such as the U.S. dollar, Euro, Yen, and Yuan. Therefore, Bitcoin is a currency or form of money, and investors wishing to invest in BTCST provided an investment of money."

The key here is that the judge is trying to understand if the transactions involved met the standard of being an 'investment of money.' Which he reasons to by establishing that you can convert currency to and from BTC and you can buy products with BTC. He doesn't address the question of people who create BTC out of the act of 'mining' it. Let's say Van Gogh was alive today, you could use his paintings as "money" in exactly the same way, except Van Gogh could make new money just by painting something. Which makes other things more complicated (are bottles of Tide "money" if you can trade them for drugs? [2]) It sounds like this ruling simply allowed the SEC to move forward with their case, but I'll be interested to watch it to see if it gets appealed (the ruling). Clearly ruling too broadly here would put the onus on people with collectibles to follow FinCEN rules when trading them, which to date they have largely avoided.

[1] http://www.courthousenews.com/2013/08/06/Bitcoin.pdf

[2] http://www.theatlantic.com/business/archive/2012/03/why-are-...


Wow, that is the saddest Ponzi scheme I've come across so far... it really makes you wonder how bad our educational system is if our Ponzi schemes are getting so poorly designed and managed.


>This fairly unique combination of properties quite possibly make Bitcoin the ideal target for thieves

Or someone who runs an online wallet service with a privacy policy, who can pretend to have their hands tied when people ask where the money went.


The best thieves are the ones who get their victims to hand over their valuables willingly ...


That technical explanation sounds almost like word salad. How did a DDoS hit your SAN in the first place and how did your SAN blowing up allow a compromise?


If you are new to bitcoin-related sites, you might find this story close to legitimate. But anyone that reads the article will see there is this "basic" flaw mentioning that DDoS attacks gave access to the server. If you read past (paid) articles about this very same service, you will see claims about how secure the system is, and how expert everyone that developed it is. The same was claimed by inputs.io, I'm sure you have read about that story earlier.

The thing is, if you want to use bitcoin, you cannot trust third parties to hold your coins for you. If you want to support bitcoin in your business, you cannot trust other sites to handle the payment for you. Yes, it is not convenient. But you have everything available to handle this yourself and, yes, you will need someone competent to do that for you if you are not into it. Bitcoin is not meant for the average user or the unaware merchant and it might never be, people need to start accepting this fact.

This is almost an exact copy from the other thread here https://news.ycombinator.com/item?id=6793984. I assume it is fine as it is ok to post duplicates like this topic.


Reading between the lines you are suggesting that this vector of attack had to come internally from BIPS? Given how much bitcoin price soared it is not unreasonable to question whether one of the engineers there had his price named.


I don't think they're suggesting that, more just gross incompetence on the part of the developer, and a little bit of liberty about how "secure" the systems they have created actually are. It's a lot like inputs.io, a web wallet compromised because the developer used Linode to protect millions of dollars. The developer of that particular service paid back about half the funds then disappeared.

> BIPS was built by passionate bitcoiners and talented developers. BIPS is hosted in our private server facilities. Passwords are stored with a double salted SHA-512 hashing algorithm. Our entire website is protected with AES RIJNDAEL 256 encryption and we have encryption of data traffic with 2048-bit, highest assurance Extended Validation SSL certificate, with 99.9% Browser Recognition.

> BIPS protects your payment information with industry-leading security and fraud protection. On top of this, our server/database is regularly stored on tape backups. For added security you can also enable Secure Card and Google Authenticator at any time for up to 3 levels of authentication.


Is it just me, or is some excited "Look we encrypt everything, and look, we even use good algorithms and look at those key sizes!" becoming a red flag about the security of a service? Most of the times it seems to be someone being excited about using state of the art encryption and forgetting that encryption is only as hard as the system and the humans surrounding it.


There's a lot of incompetence on display in that technical description.

"Our private server facilities" sounds like they were trying to run their own facility for some misbegotten reason.

"A double salted SHA-512 hashing algorithm" sounds like a weak homegrown password hash. I'm guessing it was something along the lines of SHA512(salt1 + SHA512(salt2 + password)), which is pitifully weak compared to any sort of iterated hash (bcrypt, scrypt, PBKDF2, etc). It could also mean SHA512(salt1 + password + salt2), which would be even worse in a kind of sad, hilarious way.

"AES RIJNDAEL 256 encryption" is a perfectly normal SSL cipher. Referring to it as "RIJNDAEL" is a bit of a tipoff, though: Rijndael is not an acronym, so it shouldn't be capitalized, and it's simply an older name for AES, so it's entirely redundant in this phrase.

"2048-bit, highest assurance Extended Validation SSL certificate" is something you can get from any number of vendors. It isn't actually any more secure than any other SSL certificate.

"Industry-leading security and fraud protection" probably means nothing. Or, at most, possibly that they're using an off-the-shelf fraud detection service like Maxmind - which would have done little to nothing to protect them from a determined fraudster, let alone an attacker.

"Tape backups" just make it sound like they're using equipment from the 90s.

"Secure Card and Google Authenticator" are both decent features to implement, but suggesting that they result in "up to 3 levels of authentication" is amusing. Multiple possession factors ("something you have", like a security token or a cell phone with Authenticator) don't add together; to have three factors, you'd need a knowledge factor (a password), a possession factor, and a biometric factor. And they definitely don't have the last one.
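The comment above guesses that "double salted SHA-512" means something like SHA512(salt1 + SHA512(salt2 + password)) and argues it is pitifully weak next to an iterated hash. The following is an added example, not code from BIPS or from anyone in the thread: it implements that guessed scheme (a hypothetical reconstruction) beside PBKDF2-HMAC-SHA512 from Python's standard library and measures how much more one verification costs with a tunable work factor. The password, salts and iteration count are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed sample inputs; nothing here comes from BIPS.
PASSWORD = b"correct horse battery staple"
SALT1 = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def double_salted_sha512(password: bytes, salt1: bytes, salt2: bytes) -> bytes:
    """Hypothetical reconstruction of 'double salted SHA-512' as guessed above:
    SHA512(salt1 || SHA512(salt2 || password)). Two fast hash calls per guess
    and no knob to make it slower."""
    inner = hashlib.sha512(salt2 + password).digest()
    return hashlib.sha512(salt1 + inner).digest()


def pbkdf2_sha512(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Iterated hash: the cost of every verification (and of every offline guess)
    scales linearly with `iterations`."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


def verify(stored: bytes, candidate: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(stored, candidate)


def time_per_call(fn, rounds: int) -> float:
    """Average wall-clock seconds for one call of fn()."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more expensive one PBKDF2 verification is than one
    double-salted SHA-512 verification. A server pays this once per login;
    anyone guessing against a leaked table pays it once per candidate."""
    weak = time_per_call(lambda: double_salted_sha512(PASSWORD, SALT1, SALT2), 2000)
    strong = time_per_call(lambda: pbkdf2_sha512(PASSWORD, SALT1), 3)
    return strong / weak


if __name__ == "__main__":
    stored_weak = double_salted_sha512(PASSWORD, SALT1, SALT2)
    stored_strong = pbkdf2_sha512(PASSWORD, SALT1)
    print("weak verify ok:", verify(stored_weak, double_salted_sha512(PASSWORD, SALT1, SALT2)))
    print("strong verify ok:", verify(stored_strong, pbkdf2_sha512(PASSWORD, SALT1)))
    print(f"PBKDF2 ({PBKDF2_ITERATIONS} iterations) costs roughly {cost_ratio():.0f}x one double-salted SHA-512")
```

The second salt buys nothing against a leaked database: both salts are stored next to the hash, so the only thing that raises the cost of a guess is the iteration count (or, with bcrypt/scrypt, memory). The ratio printed is typically in the tens of thousands on commodity hardware.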


Appearing to be incompetent in some circumstances may be a pretty good cover. If you are a security guard at an art museum, and buddies with some art thieves, then it might be in your best interest to get yourself a reputation for sleeping on the job.


So if he had gotten over 50% of the stolen funds as his `fee` he could end up ahead? But yeah, given that he paid back half of the stolen funds this angle does look weak.

Is it possible to launder stolen bitcoins on a Chinese exchange?


Double salted?


Seriously, I did a double take when I read that.


Just to clarify, yes, I meant exactly that (and that is why I love this place, people actually get it).

And the inputs.io guy is not even close to paying half to what was "stolen". The inputs.io guy was also running coinlender and other services, which are all gone -- including himself.


How can we be sure that the attack wasn't inspired/originated by the site itself? Similar to how an EVE bank exited with everyone's funds after operating for almost a year[0]

[0] http://massively.joystiq.com/2011/08/12/biggest-eve-online-s...


I've heard of DDoS attacks used to divert the admin's attention while a real attack is occurring. Also I know packet flooding can cause some network hardware to switch into a lower security mode in an attempt to handle the load. I'm not sure if either of those apply in this case, though. I definitely am not a network or security expert.


Right, they're used as distractions fairly often. The rest of the explanation makes no sense though; that is, I don't see how the DDoS would then "make the system vulnerable" to Bitcoin theft. Unless it was something like where the attackers already had access, but most everything was kept in cold storage and they wanted to force them to move a lot of BTC into their live wallets.


iSCSI SAN, so attached via Ethernet or similar; taking network devices offline would take the SAN offline. The rest is pure magic.


If your iSCSI network traffic can be impacted by an Internet-based DDoS, your network architect is an idiot.


Yep, sounded like they shared switches between public and iSCSI LANs, or worse.


Re: pure magic: perhaps the SAN is willing to talk to whoever sends it packets, and/or to be administered by whoever can enter admin:admin into a poorly-secured web interface as soon as it loses the appropriate connection/reboots due to overload/..?

I agree with my sibling comment that this seems an odd way to install a SAN.



Since every bitcoin transaction is public, why don't we build a public blacklist for these addresses with stolen coins (and all addresses these bitcoins are further transferred to), so that the hackers cannot get too much from their actions?
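What "all addresses these bitcoins are further transferred to" means in practice is a taint-propagation walk over the transaction graph. The following is an added example, not code from the thread or from any real blacklist project: it runs that walk over a small constructed ledger (transaction ids, addresses and amounts are all made up) under two common rules, "poison" (any tainted input marks every output) and "haircut" (taint is diluted in proportion to value), and shows how an uninvolved recipient paid out of a pooled exchange wallet ends up on the list.

```python
# Constructed toy ledger, not real chain data. Outputs are keyed "txid:index";
# a transaction with no inputs stands in for coins entering the graph.
TXS = [
    {"id": "theft", "inputs": [], "outputs": [("thief1", 1295)]},   # the stolen coins land here
    {"id": "honest", "inputs": [], "outputs": [("alice", 1000)]},   # unrelated honest funds
    {"id": "t1", "inputs": ["theft:0"], "outputs": [("thief2", 800), ("exchange", 495)]},
    {"id": "t2", "inputs": ["honest:0"], "outputs": [("exchange", 1000)]},
    # The exchange pools both deposits and pays bob from the mixed pot.
    {"id": "t3", "inputs": ["t1:1", "t2:0"], "outputs": [("bob", 300), ("exchange_change", 1195)]},
]
SEED = {"theft:0"}  # outputs a blacklist maintainer would start from


def propagate_taint(txs, seed_outputs, rule="poison"):
    """Walk txs in order (assumed topologically sorted) and return
    {output_key: tainted fraction in [0, 1]}.
    'poison':  any tainted input fully taints every output of the spend.
    'haircut': outputs inherit the value-weighted tainted fraction of the inputs."""
    value, frac = {}, {}
    for tx in txs:
        in_value = sum(value[ref] for ref in tx["inputs"])
        in_tainted = sum(value[ref] * frac[ref] for ref in tx["inputs"])
        for idx, (_addr, amount) in enumerate(tx["outputs"]):
            key = f"{tx['id']}:{idx}"
            value[key] = amount
            if key in seed_outputs:
                frac[key] = 1.0
            elif in_value == 0:
                frac[key] = 0.0            # fresh coins, nothing to inherit
            elif rule == "poison":
                frac[key] = 1.0 if in_tainted > 0 else 0.0
            elif rule == "haircut":
                frac[key] = in_tainted / in_value
            else:
                raise ValueError(f"unknown rule {rule!r}")
    return frac


def tainted_addresses(txs, seed_outputs, rule="poison", threshold=0.0):
    """Addresses holding at least one output whose tainted fraction exceeds threshold."""
    frac = propagate_taint(txs, seed_outputs, rule)
    return {
        addr
        for tx in txs
        for idx, (addr, _amount) in enumerate(tx["outputs"])
        if frac[f"{tx['id']}:{idx}"] > threshold
    }


if __name__ == "__main__":
    for rule in ("poison", "haircut"):
        print(rule, sorted(tainted_addresses(TXS, SEED, rule)))
        print("  bob's tainted fraction:", round(propagate_taint(TXS, SEED, rule)["t3:0"], 3))
```

Under "poison" bob is blacklisted outright even though he only withdrew from an exchange; under "haircut" he carries about a third taint, and whoever sets the threshold decides whether that counts. Either way the list grows with every hop through a pooled wallet, which is the property the replies below argue about.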



Who decides the addresses to add here? What if a government demands the assets of a political dissident be frozen?


The moment we start maintaining a list of blacklisted/tainted/marked coins that are not accepted everywhere is when bitcoin will start failing. The list will start off innocent enough but when (not if) it starts being abused, it'll be all over. It'll start with blatant thefts like this, but the blacklist-maintainers, whoever they are, will eventually attract the attention of law enforcement. The definition of theft will expand and expand. Eventually these blacklist-maintainers and/or GOV will decide which coins are valid and which are not. Coins will be seized just because of some random political agenda and bitcoin will just be a mess. The only way to stay off the blacklist will be to register with some authority and basically bitcoin will be no different from a regular bank. Then everyone will abandon it and go to Litecoin.

Seriously, the moment I hear about a blacklist of coins on bitcoin is the same day I buy $5,000USD of Litecoin. I'll be a millionaire within 8 months.


If you could get such a thing in place, couldn't everyone just roll back transactions?

I feel like having such a system in place would probably end up breaking a lot of the legitimacy (since you'd need over half of miners to agree to it, in which case some sort of "central" entity would exist)


You could, to a point, but you would need a lot of mining power and the ability to act quickly.

BIPS didn't announce that they'd been compromised until over a week since the funds were sent out, so it's completely impossible at this point. If you wanted to get a transaction with one confirmation reversed, you would need to convince the two largest pools (ghash.io and btcguild) to mine a fork that doesn't contain your blacklisted transaction in under 10 minutes, and even then they'd create a very noticeable reorganisation. You'd also then have to race to get your funds out, as you know your keys have been compromised.

It's fairly impossible really.



At this time (1BTC = USD $781.90) that translates to USD $1,012,560.50!


1295 bitcoin stolen with a value of x dollars. See, they didn't care about the bitcoin, they cared about the dollars behind it. As long as a bitcoin's value is measured in dollars and accepting bitcoin is merely done because it is at a high dollar rate, how can this possibly be a viable alternative currency? Apart from the whole fluctuation on steroids, bitcoin is nothing more than a wrapper for American dollars.

Because, at the end of the day, you have to pay for your groceries and mortgage in dollars. B-but muh Subway sandwich


Honestly, let's think a little bit here. If this story was reported on in China, what currency would it be converted to for the readership?

If a story about American dollars being stolen was reported on in China, what currency would it be reported in? Is the dollar just a wrapper for the Yuan?


The submitter is doing this. The person representing BIPS on the forum is speaking in terms of Bitcoins. Probably makes it easier to downplay because even the most avid bitcoin users perceive it as a secondary currency.


How do we know this isn't an inside job?


A good question to be asking. I agree with this sentiment:

> Every time a company loses somebody else's bitcoins, the main assumption should be that it was an inside job. It's way too easy for a company to take the money and say that they were hacked.

http://www.reddit.com/r/Bitcoin/comments/1rexob/bitcoin_paym...


We don't.


Here's their security page: https://bips.me/security -- "industry-leading security" .. "BIPS ... does not store bitcoin on its servers".

Is it time for a PCI-like consortium that will validate your bitcoin storage security procedures? (Not that PCI is guarantee of anything, but at least following it prevents you from having full credit card data lying around in files).

I.e. analyze your fail-safes (which seem to be lacking) and validate that unless someone is holding a gun to the owner's head, that your 1000 bitcoins held for you in their "vault" cannot be sent off to a random address.


Bitcoin advocates talk about lack of regulations as a feature, not a bug, so I'd wonder how well it'd go over.

I think it's important and will have to happen eventually.


Could see if voluntary adoption works out.


> It is imperative to understand that everything was wiped out from our servers and getting functionality back is priority #1. The wallet part of BIPS was a free service to make payments easier for users. Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in. Hence we offered a paper wallet as a cold storage alternative for those who wanted a safe storage solution.

"Oh, we never said that our food is screened against infection - if you wanted that you should have checked out the premium section!"


Hey, how about just disconnecting the critical machines from the network when under such an attack?


Our DDOS recovery plan is to just shut everything off and admit defeat. Brilliant.


That seems infinitely better than catastrophic loss of customer funds.


@fleitz A million dollars difference, seems to me.


You mean in addition to being technically incompetent the team was also too stupid to buy insurance?


I would imagine insurance for an online bitcoin wallet is somewhere between "prohibitively expensive" and "not possible to buy"


Given recorded history, why would anybody sell insurance to bitcoin companies?


What company sells insurance against bitcoin being stolen?

It's so easy to steal your own bitcoin from yourself. How could a company profit from insuring against that?


Do they have insurance for being stupid?


There's no difference, as if you shut your site down every time someone DDoSes you then you'll have no customers anyway.


Mmm, I think at this point in the Bitcoin community, stating that practice on your homepage would actually get you more customers.

"In the event of an obvious attack, we disconnect from the network and begin diagnostics after __ minutes of sustained activity."


DDoS can run over a rather long period of time and come and go fairly quickly. Cutting the internet connection just is not a viable solution for an online service.


"If we keep closing our retail store every time there's a riot inside of it, we'll never have any customers."

No, you shut the thing down, you post a page that explains what is going on and what you're doing about it, then you open again when it's clear.


Your analogy is wrong. A riot inside your store would be a compromised server. What you want to do is to close your store every time someone who looks like a burglar walks by, in front of your store. After no time the competing store on the other side of the street will hire an actor to walk by your store and shut you down just by walking in front of your store.

It's super easy for every competitor to get you out of business forever if you just shut down. DDoS is not something especially hard or expensive to set up (depending on your service of course), but again, shutting down is not an option as a standard countermeasure.


The idea that airgapping during DDoS attacks will prevent intrusions is laughable.


For those of us who aren't laughing, how does the intruder bridge the air gap?


> For those of us who aren't laughing, how does the intruder bridge the air gap?

Waits until you plug it back in.

Chances are they have more time than you do to play the game of attrition.


How would an attacker exploit a service while it was inaccessible because they're DDoSing it? Why would someone draw attention to themselves like that?

Maybe the attacker stole the coins and then DDoS'd the site?

It's all speculation, we're pretty light on details, but the whole DDoS-as-a-distraction thing seems a little out there to me.


1295 stolen, sounds like a lot - does that figure count as actual bitcoin transactions?


Why do people use online wallets? I don't understand.


BIPS was a payments processor. Merchants used them to accept Bitcoin payments AFK.


I use coinbase because it is very convenient.


Linked post is from November 19, 2013.



