While sad, this doesn't surprise me in the least. I reported probably half a dozen vulnerabilities, none of which I believe were ever fixed. I tried to stress the impact of the vulnerabilities (which ranged from CSRF to XSS to, I believe, SQLi, although I can't recall whether that was MyBitcoin or elsewhere) and it just didn't sink in.
If you're going to deal with money in any way, please for the love of god, think about security. Even if you're not going to have an external security test, at least internalize the OWASP Top 10, how to recognize and discover them, and their mitigations.
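As an added illustration of the mitigations the comment above refers to (not code from the commenter or from MyBitcoin), the block below puts the three vulnerability classes named in this thread side by side with their standard fixes: a query built by string splicing next to a parameterized one, HTML escaping for output, and a per-session CSRF token checked with a constant-time comparison. The user table, names and balances are constructed sample data.

```python
import html
import secrets
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for a user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, balance_btc REAL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", 12.5), ("bob", 0.25), ("carol", 1000.0)],
    )
    conn.commit()
    return conn


def balance_vulnerable(conn, name):
    # Deliberately vulnerable: the user-controlled name is spliced into the SQL
    # text, so it can alter the query instead of just being compared as data.
    query = f"SELECT name, balance_btc FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def balance_parameterized(conn, name):
    # Hardened: the value travels as a bound parameter and is never parsed as SQL.
    return conn.execute(
        "SELECT name, balance_btc FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    # XSS mitigation: escape untrusted text before placing it into an HTML body
    # or attribute; the browser then renders it as text, not markup.
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def issue_csrf_token(session):
    # CSRF mitigation: a random per-session secret that the server stores and
    # embeds in every state-changing form; a cross-site request cannot read it.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    # Reject missing tokens and compare in constant time to avoid timing leaks.
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return secrets.compare_digest(expected, submitted)
```

Feeding a name like `x' OR '1'='1` to `balance_vulnerable` returns every row, while `balance_parameterized` returns none, which is the behavioural difference a code review or a quick test should be looking for.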
I also found mybtc unresponsive to mail -- I made a Python interface, whose source I had planned on releasing, to their SCI and needed help with one portion of it, sent a mail asking about it, and received no reply. Disappointing. :(
When will people learn that trusting a (possibly unreliable) third party with your money was exactly the sort of thing that bitcoin was supposed to obviate?
But banks offer better protection for my money than can be afforded in a home setting. Quite the opposite with BitCoins. My TrueCrypt volume with keyfiles that I keep on my person and in a safebox with my BitCoins inside is far superior to... well... ANY internet-connected service.
Out of curiosity, what size do you set your TC volume to, and what size is your wallet.dat? Is the possibility of wallet.dat exceeding the size of backup.tc a problem?
I can't imagine anyone's wallet.dat being that large... Plus you can always create new TC volumes. My wallet is under 200K right now. Alternatively, especially for such a small file, plenty of other per-file encryption schemes would be just as applicable.
But there's no reason to do it all at once. If you are trading 1 btc for money there should be an automated way to do the transfer in increasing steps, after each of which the other party would reply - so transfer 0.0001, 0.001, 0.01 etc. 'til you are done. You wouldn't lose much, and you could vary the rate depending on how much you trusted the other party.
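As an added example (not the commenter's code), the block below simulates the stepwise exchange described above: a geometric schedule of 0.0001, 0.001, 0.01 ... is generated, each step is only sent after the counterparty reciprocated the previous one, and the amount at risk at any moment is the single unreciprocated step. It goes one step beyond the comment by adding a trust-dependent `max_step` cap, because an uncapped tenfold schedule for 1 BTC ends with a final step of 0.8889, which puts most of the value back at risk. The `counterparty_reciprocates` callback and the step-size parameters are assumptions made for the simulation.

```python
from decimal import Decimal


def step_schedule(total, first_step="0.0001", growth=10, max_step=None):
    """Split `total` into increasing steps: first_step, first_step*growth, ...
    Steps are capped at `max_step` (the exposure the sender is willing to
    tolerate) and the final step is whatever remainder is left."""
    total = Decimal(total)
    steps = []
    sent = Decimal(0)
    step = Decimal(first_step)
    while sent < total:
        amount = min(step, total - sent)
        steps.append(amount)
        sent += amount
        step = step * growth
        if max_step is not None:
            step = min(step, Decimal(max_step))
    return steps


def run_exchange(schedule, counterparty_reciprocates):
    """Simulate the protocol: send one step, wait for the matching reply from
    the other party, and stop at the first step that is not reciprocated.
    `counterparty_reciprocates(index, amount) -> bool` models the other side.
    Returns (amount settled on both sides, amount lost)."""
    settled = Decimal(0)
    for i, amount in enumerate(schedule):
        if not counterparty_reciprocates(i, amount):
            # The step already sent but never answered is the only loss.
            return settled, amount
        settled += amount
    return settled, Decimal(0)


def max_exposure(schedule):
    """Worst-case loss for a schedule is its largest single step."""
    return max(schedule)


if __name__ == "__main__":
    cautious = step_schedule("1", max_step="0.1")
    print("steps:", [str(s) for s in cautious])
    print("worst case:", max_exposure(cautious))
    # Constructed scenario: the other party stops replying at the sixth step.
    print(run_exchange(cautious, lambda i, a: i != 5))
```

With `max_step="0.1"` the 1 BTC trade takes 13 rounds and the worst case is losing 0.1; raising the cap for a counterparty you trust more trades rounds for exposure, which is exactly the "vary the rate" knob the comment describes.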
But there's no reason to leave a quarter of a million dollars in BitCoins in an untrusted 3rd party's hands. Unless you're lazy or naive. It takes almost no effort to transfer them to your own wallet which can be trivially encrypted or stored on a device unconnected to the Internet.
Yes, it is: assuming you use client side encryption, an online storage company never needs to know your secrets. It's the difference between a trusted and untrusted third party.
Most Bitcoin enthusiasts are speculators. These exchanges and online wallets are popular because they allow speculators to respond instantly to opportunities.
It would be hard. Even if they disclose the wallet address that was compromised it would be hard to prove that the transfers were not done by the alleged hackers.
I wonder if this is the reason for the drop in btc price lately.
I believe this incident probably is the reason for the drop in price, along with the incident at Bitomat just before. It's just people reacting to vulnerabilities in the market though, so far there has been no evidence to suggest any of these bitcoins have been sold. If they were to be sold off in bulk then it would cause a much larger crash.
If they were to be sold off in bulk then it would cause a much larger crash.
Is there any reason why they couldn't just sit on them for a couple of months, and then start to sell them off slowly over the space of a few more months?
"We are sure that, unknowingly to us, that our processing system has been used for nefarious purposes."
How can you be sure of something that is unknown to you? They're trying to disclaim responsibility while acknowledging the reality of what BTC is used for in some situations, I suppose, but it's a very strange way to phrase it. Then again, they're in "receivership" but declining to appoint an actual receiver.
[T]here are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.