And this is why complete anonymity will bite you in the ass :P
Somebody hacked my backup machine with pool data hosted on Linode and stole 3094 BTC ("hot" coins ready for payouts). The cold backup was not affected in any way by this hack.
It looks like the user database has also been compromised. Although passwords are stored as salted SHA1, I strongly recommend changing your password on the pool immediately.
The robbery of bitcoins has no impact on pool users; I'm covering the loss from my own income (although it means that many months of my work are wasted).
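Added example (not from the post above and not the pool's own code) of why "salted SHA1" still means "change your password now". A per-user salt stops precomputed tables, but one SHA1 per guess is fast, so a leaked salt+hash pair falls to a plain wordlist in microseconds; a slow KDF (PBKDF2 here, as the contrast) makes each guess cost thousands of hashes. Assumptions: the post does not say how salt and password are combined, so `sha1(salt || password)` is assumed; the wordlist, the user record and the PBKDF2 iteration count are constructed for the demo.

```python
"""Offline guessing against a leaked salted-SHA1 record vs. a PBKDF2 record.
Everything below is an added illustration; the wordlist, record and
iteration count are constructed, not taken from any real leak."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed wordlist: what an attacker tries first against every leaked hash.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "dragon"]
PBKDF2_ITERATIONS = 100_000  # arbitrary choice for the demo


def sha1_salted(password: str, salt: bytes) -> bytes:
    """The scheme the post names (construction assumed): one SHA1 over salt || password."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """The contrast: every guess costs `iterations` HMAC-SHA256 evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, scheme, salt: Optional[bytes] = None) -> dict:
    """Simulate what a compromised user database hands the attacker: salt and hash."""
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt, "hash": scheme(password, salt)}


def crack(record: dict, wordlist, scheme):
    """Dictionary attack against one leaked record.
    Returns (recovered password or None, number of guesses tried)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(scheme(candidate, record["salt"]), record["hash"]):
            return candidate, guesses
    return None, len(wordlist)


def guesses_per_second(scheme, guesses: int = 20) -> float:
    """Rough single-core attacker throughput for one scheme on this machine."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(guesses):
        scheme(f"guess{i}", salt)
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    for name, scheme in (("salted SHA1", sha1_salted), ("PBKDF2-SHA256", pbkdf2_hash)):
        rec = make_record("hunter2", scheme)
        found, n = crack(rec, WORDLIST, scheme)
        print(f"{name}: recovered {found!r} after {n} guesses, "
              f"~{guesses_per_second(scheme):,.0f} guesses/s")
```

The salt does its job (the same password under two salts gives two different hashes, so one precomputed table is useless), but it does nothing about the per-guess cost, which is the number that decides how quickly a dumped database turns into usable passwords.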
Comments
This is also a prime example of just how much access your host has over your VMs. Choose your providers carefully, folks.

You never quit, do you? This is what control freaks can't stop anyway: http://www.usatoday.com/money/perfi/credit/2009-01-21-visa-mastercard-credit-security-breach_N.htm http://blogs.computerworld.com/node/4405 One from a major payment system, one from an individual, some random search for 2 seconds which yielded some million hits. Good luck using VISA/EUROPAY/PayPal... One day the boogie man will run off with your money and pay some child porn site. I hope they are very kind with child molesters in jail, or at least they will believe your story... Besides, you can be mugged in the street; good luck tracing your $1 bill series. Or don't you use cash either, since it can be used in crime rings? Besides, whoever doesn't keep data in an encrypted container, mounted remotely only, deserves that fate. Also, using encrypted communication, etc. M

No, I'm merely pointing out that had this been PayPal, 1) it would be MUCH easier to trace the offender, and 2) there's a pretty good chance the guy would've gotten his cash back.
Get off your high horse, kid.

But why wouldn't some support guy in India who gets paid 1€ an hour or so just take the 12k€?

Accountability, I guess. If you hire third-party support (from a reputable company, anyways) you're at least going to have records of who's doing what, unlike an outside compromise.

That's why I love small VPS providers: if something like this happens you know whom you have to introduce to your crowbar in a dark alley; you can't do that with unnamed "compromised credentials".
You just lost 12k due to our incapability, but hey, we'll give you a free month and it's all good.

I'm surprised Linode hasn't made a public statement about this yet...

This is pretty recent; they're probably still in the 'oh shit' phase of planning just how to announce it.

I was just looking at purchasing a Linode, maybe I'll hold off for a while longer.

Here's my guess... It was an employee (ex-employee) who specifically targeted servers running bitcoind. Linode will make a long blog post, stating they screwed up and will be changing the way the backend works and who has access to it. They will refund this guy for his lost bitcoins (or they will wish they did after the backlash).

... why I prefer anonymity - providers are unable to keep my data safe :P

Heheh, good point. :P That's why I tend to ridiculously overdo our own security.

Well at least they didn't lose any real money. :X

I'm curious, is stealing bitcoins really as easy as just getting the private key from the server? That seems like a pretty sloppy way to handle that much money.

Ya I love anonymity, but that love has made me rejected by MaxMind :P

With little problem. Ocean between you and them :)
-
btw. is 3094 BTC a lot? I am not familiar with the virtual/real BTC value.

3094 BTC = $15314 USD, IF you can figure out how to actually get it as USD.

That sucksssssssssssss.

Damn. I feel sorry for this guy and his work invested into this.

There are brokers for it, that's not a problem.
'coins are used a lot for drug deals since there's no paper trail anywhere

Update: http://status.linode.com/2012/03/manager-security-incident.html

I actually have a Linode, but I use it to host podcasts, nothing mission critical.
@Aldryic "This is also a prime example of just how much access your host has over your VMs. Choose your providers carefully, folks."
Actually, this is a good example of why the only reliable hosting is self-hosting, as Eben Moglen has been pointing out for 2 years now:
hxxp://www.youtube.com/watch?v=QOEMv0S8AcA
hxxp://www.youtube.com/watch?v=9bDDUyJSQ9s
(Edit: I didn't know that would actually embed. Sorry.)
The "cloud", or "putting your data in someone else's hands", is fundamentally insecure.
The home is the last place in civilized society that still requires a warrant, so it's the best legally protected place to host data, and potentially the most technically secure and private, given a competent admin (nobody else gets to see your logs).
The only problem with that is the terrible uplink for high bandwidth sites. In other words, we need fiber to the home.
(BTW, the Diaspora social network was inspired by the first talk, since the devs were sitting in the audience.)

Man, that is horrible. Really sad to hear.

"All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin"."
I called it. Now, do they refund the idiot who thought it was a good idea to keep $12k worth of bitcoins on a $20/month vps or do they deal with the backlash that will follow if they don't?

Exactly. Nobody should be setting up a server with $12k worth of data on a vps, anywhere.

So, I don't get it. Was Linode the culprit? A worker at Linode? Or just a security bug in their panel?

They haven't said, but I would assume it was an employee. And if it was an employee, they should easily be able to track down who did it and repay this guy. If it was not an employee, it will most likely mean the guy is out $12k and Linode's panel has an exploit in the wild.

Or one of their employees didn't have secure enough information? Maybe got a keylogger on his computer, a lot of possibilities.

"Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)" - Linus Torvalds
:D

So, dedicated servers FTW?
And how does Linode let you run this ultra CPU-abusive Bitcoin stuff?