Linode Compromised; Bitcoins Stolen - Page 2

Comments

  • Francisco Top Host, Host Rep, Veteran

    They aren't.

    All of the bitcoin stuff is just the 'banks', so it's just a simple PHP website that stores the hashes.

    Francisco

  • Meh, it was bitcoin... therefore imho it was worthless money, not real money anyway. You don't see any legitimate company accepting bc.

  • NateN34 Member
    edited March 2012

    @yomero

    I don't see how dedicated servers would be any different.

    You can just hook up a monitor and keyboard......change a few things in the startup lines and change the root password, then get full access to the machine easily.

    @BuzzPoet

    That also has security issues. A "friend" could come over and tamper with it. OR someone could just break into your house and steal the whole darn box.

  • yomero Member
    edited March 2012

    @NateN34 said: You can just hook up a monitor and keyboard......change a few things in the startup lines and change the root password, then get full access to the machine easily.

    Ahm yes, but it is more obvious. The datacenters are secure environments. They have cameras, controlled access, etc.
    Also, if you cypher your hard disks there is no way to retrieve the info.

    @Francisco said: All of the bitcoin stuff is just the 'banks', so it's just a simple PHP website that stores the hashes.

    So, this bitcoin stuff isn't the same as the bitcoin mining, right?

  • netomx Moderator, Veteran

    So, a little offtopic... can we use Raspberry Pi to calculate hashes and make bitcoins?

  • debug Member

    @yomero said: So, this bitcoin stuff isn't the same as the bitcoin mining, right?

    From what I read, they're just storing the wallets (which is the cash). They don't do the mining on the servers.

  • BTW, the talk at the water cooler is that a Linode employee did it. That's why the status update mentioned "credentials" being revoked. A hacker has no credentials, and certainly none that would apply to 8 independent clients. No technical security in the world can stop an evil admin, which is why, once again, no mission critical data should be left in the hands of someone else.

    If it's that critical, you either host it on your own property, or you buy your own hardware and physically secure it against tampering before you ever ship it to the data center. Putting $15K on a VPS was just dumb. Doesn't matter who the host is.

  • @BuzzPoet said: That's why the status update mentioned "credentials" being revoked. A hacker has no credentials, and certainly none that would apply to 8 independent clients.

    Unless a Linode staffer, or the active account of a former staffer, had a weak/reused password. For instance... let's say you're using the same password here and on some other 3rd party forum. Say the admin of said forum isn't very honest, and is storing passwords in plaintext for the purpose of social mining. He suddenly has your password to both accounts. It could be a similar situation with Linode... especially if their admins can request pass resets. It's no good simply changing a password if someone has access to the email account tied to that admin login, they can just reset and get the new pass.

  • @Aldryic said: It's no good simply changing a password if someone has access to the email account tied to that admin login, they can just reset and get the new pass.

    Google Authenticator <3.

  • It has now been confirmed that multiple containers were exploited and over $250k in bitcoins were stolen.

    On a side note, people put over $250k worth of ANYTHING on a vps. LMAO.

  • Maounique Host Rep, Veteran

    @subigo said: On a side note, people put over $250k worth of ANYTHING on a vps. LMAO.

    Well, not on A VPS, but on MANY VPSs. They add up, but nobody stores 250 k on same container. It was a big exploit, many customers compromised at Linode, they will have a lot of trouble washing the eggs off their face.
    M

  • @Maounique said: Well, not on A VPS, but on MANY VPSs. They add up, but nobody stores 250 k on same container.

    Wrong... one of them had almost $200k.

  • fanfan Veteran

    I've been mining for a short period and the result was: 1 PTC each 3 to 5 days, not even worth the cost to run a computer fulltime. :-D

    Anyway both sides hold responsibility for this disaster, Linode can fix their system but the PTC's are gone, and not coming back.

  • vedran Veteran

    Damn, $250k. I don't think Linode will pay that back.

    If Linode can screw up this badly, imagine how your $1/m VPS is secure.

  • Maounique Host Rep, Veteran
    edited March 2012

    @subigo said: @Maounique said: Well, not on A VPS, but on MANY VPSs. They add up, but nobody stores 250 k on same container.

    Wrong... one of them had almost $200k.

    This sounds like some ppl we know...
    I say nobody stores 250 k on same container, and you say, wrong, someone actually has less than 200 k...
    M

  • My God... please give this forum an ignore user option...

  • Maounique Host Rep, Veteran
    edited March 2012

    @Aldryic said: @Maounique said: You never quit, do you?

    No, I'm merely pointing out that had this been PayPal, 1) it would be MUCH easier to trace the offender, and 2) there's a pretty good chance the guy would've gotten his cash back.

    Get off your high horse, kid.

    To make the comparison correct, it means the guy stored his PayPal credentials unencrypted in the vps.
    1. Cool, so PayPal would have known how the data was compromised, who the user behind the open anonymous proxies, botnets, VPS/VPNs bought with fake CC/PayPal, open wi-fi or WEP ones, hacked sites, whatever, was.
    Linode, on the other hand, knows who did it.
    2. Sure, PayPal gives the money back to anyone who has his account data compromised, especially when we deal with hundreds of thousands.
    On the other hand, Linode, which accepted responsibility from what I know, has some chance to do that.

    [@vedran said] If Linode can screw up this badly, imagine how your $1/m VPS is secure.

    Well, depends who the host is, some ppl here never make mistakes. They forbid all kinds of services to make it sure, except static pages hosted on bullet-proof web servers, such as boa, since apache2 is not exactly known to be flawless. They also inspect the content 24/7 to make sure every data there is legally owned and legal to be displayed so the hardware will never be seized by the cops during some investigation.
    M

  • Maounique Host Rep, Veteran

    @liam said: Also by choosing providers who own their servers, it shows they're committed.

    Yes, but Linode does own their servers, while most LEB ppl don't, including those that brag around here. They still failed and anyone can fail, even VeriSign issued fake Microsoft certificates, there are hundreds of failure cases for the most reputable companies.
    Nobody can be safe out there, no matter the precautions taken, if we try to be 100% safe we don't host even on home computers.
    M

  • Maounique Host Rep, Veteran
    edited March 2012

    And I was merely expanding that, bottom of line is this:
    1. No VPS is secure or could ever be;
    2. No dedicated server is secure or could ever be;
    3. No home hosting is secure or could ever be;
    4. Some providers are less risky than others, but if you have really valuable data, encrypt it hard no matter where you hold it.
    M

  • NickW Member

    $200K stored on a VPS or not, this is not the fault of the customer. Anybody who knows Bitcoins knows that a wallet has to be stored somewhere. Even with cold storage, it would be pretty silly to only have a personal copy at your own address. If the private key data is lost, all associated Bitcoins are permanently and irrecoverably lost. Once Bitcoins have been "spent"/"stolen" (i.e. sent to another Bitcoin address), the transaction is 100% irreversible, unlike all other transfer methods and currencies since there is no central authority. This fundamental way that Bitcoins are "issued" and are transferred is cryptographically very secure and the only way against it is if there's a vulnerability in the hashing algorithms OR a rogue party has access to a monumental amount of processing power. At the moment we're talking significantly more than any government supercomputer, and the system only gets stronger as more people get involved.

    If you're running some kind of application using Bitcoins then at least some of it has to be at some sort of online service. Before today, which VPS company would you trust with critical data more than Linode? Provided you back things up elsewhere of course.

    Yes, a customer should assume that a breach inside the company they are trusting is possible, but if/when it happens it is beyond the control/fault of the customer. This kind of breach is theoretically possible wherever you host it. Even a rogue employee at a dedicated server host could walk up to your server and pull all of the data off your HDD.

  • Maounique Host Rep, Veteran

    Exactly, but you can defend against that by:
    1. Have it in more sites than 1, and this includes email;
    2. Have it always encrypted with cascading algorithms and long passes which don't necessarily need to look like hashes, but be very long indeed. Or use some file as key, also stored in some mails, for example, an innocent file you got from someone else, 2 years ago, for instance.
    It doesn't cost anything and can be very effective, barring some miracles or someone constraining you to give out the key.
    M

  • @Maounique said: encrypt it hard no matter where you hold it.

    How exactly would they encrypt data on a VPS?

    From what I understand they were some automatic payment processor or so, therefore they would need their wallet information online somewhere to send payments.

  • NickW Member

    @Maounique, the issue here is "hot" wallets, rather than cold storage. You should always assume that anything in hot storage can be easily stolen in this manner. If anything this is a huge lesson about only keeping what is required hot and readily accessible. It seems that this is essentially the case with slush, as 3000 is probably a single figure percentage of their total coins and that amount is probably needed hot in case a few large miners cash out in a short period of time. I'm not sure how much 43,000 BTC is relative to Bitcoinica's daily volume.

  • Maounique Host Rep, Veteran
    edited March 2012

    Easily, is a bit harsh, it can still be encrypted, even so, but I was not talking about this case per se (tho the amount for hot storage looks a bit high, 200 k for only one wallet is probably more than what was needed, if someone wants to cash in much at a time, should put a 24 h notice, IMO)
    I was talking about storing the regular wallet or some other small info ppl want to keep private but still don't want to have in only one place.
    I was merely generalizing this incident and gave some possible solutions to some specific cases.
    In this case, the "hot" can be stored some other place, encrypted, reading the info over SSL by the actual processing server, there can be solutions for this, if you have 200 k turnover for a day, you should invest a bit more in securing the stuff, even tho, here, it is not the fault of the customer, but it could have been in other situations (such as exploitable payment processing software).
    All in all, nothing is secure, not even giants of the online payment system, there have been countless frauds and, most important, there will be more. Especially in-house sabotage. Almost nothing is safe against that.
    M
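
The hot/cold split discussed in the posts above (keep only the needed float online, put large cash-outs on a 24 h notice), as an added example that is not part of the original thread. The class, its names and all amounts are hypothetical and constructed.

```python
from dataclasses import dataclass, field

NOTICE_SECONDS = 24 * 3600  # the 24 h notice suggested in the thread


@dataclass
class HotWalletPolicy:
    """Hypothetical policy object; amounts are constructed integer units."""
    hot_cap: int        # most that may ever sit on the online server
    instant_limit: int  # largest withdrawal paid without notice
    hot: int = 0
    cold: int = 0       # tracked only as a number; the keys stay offline
    pending: list = field(default_factory=list)  # (release_time, user, amount)

    def deposit(self, amount: int) -> int:
        """Credit a deposit and sweep everything above hot_cap to cold storage."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.hot += amount
        excess = max(0, self.hot - self.hot_cap)
        self.hot -= excess
        self.cold += excess
        return excess

    def request_withdrawal(self, user: str, amount: int, now: int) -> str:
        """Pay small requests from the hot balance; queue the rest with notice."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if amount <= self.instant_limit and amount <= self.hot:
            self.hot -= amount
            return "paid"
        self.pending.append((now + NOTICE_SECONDS, user, amount))
        return "queued"

    def due(self, now: int) -> list:
        """Return queued withdrawals whose notice has elapsed, for offline signing."""
        ready = [p for p in self.pending if p[0] <= now]
        self.pending = [p for p in self.pending if p[0] > now]
        return ready

    def exposure(self) -> int:
        """What a compromise of the online server could take right now."""
        return self.hot
```

With this policy the amount an attacker on the host node can reach is bounded by `hot_cap`, regardless of total deposits.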

  • Ouch, feel sorry for the guys.
    No matter how shady bitcoins can be, a loss is still a loss.

    @subigo said: My God... please give this forum an ignore user option...

    This.

  • @vedran said: If Linode can screw up this badly, imagine how your $1/m VPS is secure.

    • data lost
    • fly by night
      -- deadpool

    :D

    oh wait a sec... out of stock. :P

  • justinb Member
    edited March 2012

    fyi - bitcoin users have a very long history of being absolute retards.

    like the bitcoin exchange that ran off of amazon EC2, refused to pay for persistent disk storage because it was too expensive, and rebooted their wallet into a black hole.

    to steal "bitcoins", all you do is copy a wallet.dat file (and most idiots don't bother encrypting this even) and sweep all coins into your own address.

    i used to write code for bitcoin exchanges, and literally everyone i've seen is utter shit apart from tradehill (acceptable, code audited iirc and nothing obvious) and mtgox (edited code from a magic the gathering online card exchange that has been running for a while, but still, lol, has gotten hacked numerous times..)

    bitcoinica is literally run by a minor and hosted on cheap cloud vps.

    bitcoins aren't insured because they are quite literally worthless data.

  • Zetta Member

    I have a question. If you use an encrypted partition on a KVM VPS, would that be safe, as in protected from an incident like this?

  • @Zetta said: If you use an encrypted partition on a KVM VPS, would that be safe, as in protected from an incident like this?

    Don't leave root logged in via VNC and you are pretty safe.

  • @Zetta is the partition mounted? Everything that is in the memory of the VPS can be accessed from the node too. Although I am not aware of any tools that make this access easy, it is not impossible to write them.
