Saturday, April 7, 2012

Watch Bitcoin Robbery in Slow Motion

By Jon Matonis
Forbes
Monday, April 2, 2012

http://www.forbes.com/sites/jonmatonis/2012/04/02/watch-bitcoin-robbery-in-slow-motion/

Bank robberies of the future may not reveal the traditional security camera shot of the ski-masked gun holder but rather we will watch them evolve slowly in front of our eyes as the money hops around the globe. It's not so much where is the money but when is the money? The public and transparent nature of the bitcoin transaction ledger ensures that all transactions are known by date, time, amount, and block number although not necessarily by the who or the where. Contrary to conventional opinion, this is not a negative for the protocol because bitcoin liberates cash by putting it online.


On March 1st, a total of 46,703 bitcoin worth $228,845 at the time was stolen from customer accounts at VPS hosting company Linode. As described in a Linode Security Incident Report:
"This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted.  All activity via the web portal is logged, and an exhaustive audit has provided the following:
All activity by the intruder was limited to a total of eight customers, all of which had references to 'bitcoin'.  The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins."
The victims were not exactly banks but, in the bitcoin world, they come pretty close to being banks because they hold significant quantities of deposited bitcoin for various purposes. Of course, we may never know who or how many individuals were involved in the heist, but that doesn't stop us from seeing how the loot was divvied up. The slow motion heist of bitcoin stored at Linode can be viewed by methodically clicking through web-based block chain information in a weird voyeuristic game of 'follow-the-money' (click on the dendrogram's orange circles to follow the money).

The 25,000 bitcoin in the real dendrogram example represent only a portion of the total 43,554 bitcoin stolen from leveraged trading house Bitcoinica that was transferred from servers at Linode to many IP addresses scattered around the world. Bitcoinica was by far the victim that suffered the greatest and admirably they have pledged to cover all losses on behalf of their customers which should give you an indication of their daily positive cash flow. Bitcoin mining pool Slush and the Bitcoin Faucet were two of the other theft victims.
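As an added illustration (not from the article, and not the real Linode or Bitcoinica transactions), the Python sketch below shows what the dendrogram's 'follow-the-money' walk amounts to: starting from one output on the public ledger, follow each transaction that spends it until the coins come to rest at unspent outputs. The transaction graph and addresses are constructed for the example.

```python
# Constructed, simplified transaction graph for illustration; these are NOT
# the real Linode/Bitcoinica transactions. Inputs reference (txid, vout) of an
# earlier output; outputs pay (address, amount). Amounts are whole BTC.
TXS = {
    "tx_theft": {"inputs": [], "outputs": [("1Thief", 25000)]},
    "tx_split": {"inputs": [("tx_theft", 0)],
                 "outputs": [("1HopA", 10000), ("1HopB", 9000), ("1Thief", 5990)]},
    "tx_a": {"inputs": [("tx_split", 0)], "outputs": [("1ExchangeDeposit", 10000)]},
    "tx_b": {"inputs": [("tx_split", 1)], "outputs": [("1HopC", 4500), ("1HopD", 4490)]},
}


def build_spend_index(txs):
    """Map every spent outpoint (txid, vout) to the txid that spends it."""
    spent_by = {}
    for txid, tx in txs.items():
        for prev_txid, vout in tx["inputs"]:
            spent_by[(prev_txid, vout)] = txid
    return spent_by


def trace_forward(txs, start_txid, start_vout):
    """Follow one output forward hop by hop, as the dendrogram does.

    Returns sorted (depth, address, amount) tuples for the outputs that are
    still unspent, i.e. where the traced coins currently rest. Every output of
    a spending transaction is followed, so change and co-mingled funds are
    swept in too; that over-approximation is why mixing breaks such traces,
    and the result names addresses only, never real-world identities.
    """
    spent_by = build_spend_index(txs)
    resting, seen = [], set()
    stack = [(start_txid, start_vout, 0)]
    while stack:
        txid, vout, depth = stack.pop()
        if (txid, vout) in seen:
            continue
        seen.add((txid, vout))
        address, amount = txs[txid]["outputs"][vout]
        spender = spent_by.get((txid, vout))
        if spender is None:  # unspent: the coins rest here (a leaf of the tree)
            resting.append((depth, address, amount))
            continue
        for next_vout in range(len(txs[spender]["outputs"])):
            stack.append((spender, next_vout, depth + 1))
    return sorted(resting)


if __name__ == "__main__":
    for depth, address, amount in trace_forward(TXS, "tx_theft", 0):
        print(f"{'  ' * depth}{address}: {amount} BTC")
```

The 20 BTC that never arrive at a leaf went to miners' fees in the constructed split transactions, which is exactly the kind of shrinkage a real trace has to account for.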

Does bitcoin possess the property of fungibility? I believe it does through sufficient mixing, plausible offline transactions, and the absence of a software-enforced address blacklist. Just as we don't examine that gold Krugerrand for who had previously held it, we don't do so with bitcoin. As some have commented in the community, obviously the lack of anonymity and lack of untraceability will lead us straight to the thief's doorstep. Famously, Fergal Reid and Martin Harrigan have even observed that "the actions of many users are far from anonymous" in their 2011 research paper "Bitcoin is Not Anonymous".

So then, has the thief been apprehended yet? Not exactly, but that is because public traceability does not always equate to real-world identity, and therefore the transactions themselves are still reasonably anonymous. Reid and Harrigan state that they are not law enforcement officials and don't have subpoena power, but that sloppy thieves can indeed leave a digital trail, like an unmasked static IP address or a known public key, that would link them to a real-world identity. In other words, anonymity is not built into the protocol, as lead core bitcoin developer Gavin Andresen warns:
"Unless you are very careful in the way you use Bitcoin (and you have the technical know-how to use it with other anonymizing technologies like Tor or i2p), you should assume that a persistent, motivated attacker will be able to associate your IP address with your bitcoin transactions."
Andresen adds that multisignature capability is technically possible for bitcoin security purposes and it's on the horizon in one form or another. Bitcoin private keys stored on a "hot wallet" in the cloud are like physical paper banknotes left on your kitchen table and this really is an emerging policy and procedures issue for network security managers. Clearly, it's a whole new world for electronic money especially when that money comes with the powerful irreversibility of cash. But that's not a bug -- it's a feature.
