Linode has cost me more than 3000 BTC (nearly 12k EUR at current rates) due to a security flaw in their platform. Linode is a cloud computing and web service provider that hosts web services for customers throughout the world. Today I woke up to find that my hot wallet on the backup server had all its coins stolen. As a security measure, merchant sites keep the majority of funds offline, with just enough in a ‘hot wallet’ to keep operations running smoothly.
Rest assured: I am covering Linode’s mistake from my own income. That means months of my work are wasted, and I’m crushed.
Especially upsetting is that I went to great pains to keep everything as secure as possible. But that was all rendered worthless when somebody hacked the upstream service provider. All that time of mine has gone down the drain for nothing.
It seems that the user database has also been compromised. Although passwords are stored as salted SHA1 hashes, I strongly recommend changing your pool password immediately.
How it went down
This morning I received an emergency SMS notification that my pool’s bitcoin balance was low. I started investigating, and the chain of events turned up strange anomalies. I then noticed 3094 BTC moving out of the pool wallet. I could only sit helpless as the transaction got confirmed by the network.
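A monitor of the kind the SMS alert above implies, as an added example rather than code from the pool: it takes polled (timestamp, balance) samples and raises an alert both when the balance drops below a floor and when a single polling interval shows an outflow larger than the wallet should ever pay out at once. The sample data, thresholds and function names are constructed for the example.

```python
"""Hot-wallet balance monitor (added example; not code from the pool).

Assumptions: balances are polled on a fixed interval and delivered as
(timestamp, balance_btc) pairs; the floor and max_outflow thresholds are
operator-chosen. All names and sample values below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    kind: str       # "low_balance" or "large_outflow"
    at: int         # timestamp of the sample that triggered the alert
    detail: str


def check_balances(samples: Iterable[Tuple[int, float]],
                   floor: float, max_outflow: float) -> List[Alert]:
    """Scan balance samples in order and return every alert they trigger.

    The floor alert is the one the post describes; the outflow check fires
    even on a wallet large enough to stay above the floor after a partial
    drain, so both are evaluated on every sample.
    """
    alerts: List[Alert] = []
    prev: Optional[float] = None
    for ts, balance in samples:
        if prev is not None:
            outflow = prev - balance            # positive when coins left
            if outflow > max_outflow:
                alerts.append(Alert("large_outflow", ts,
                    f"{outflow:.2f} BTC left the wallet in one interval "
                    f"(limit {max_outflow:.2f})"))
        if balance < floor:
            alerts.append(Alert("low_balance", ts,
                f"balance {balance:.2f} BTC is below floor {floor:.2f}"))
        prev = balance
    return alerts


# Constructed sample: three normal polls, then the wallet is drained.
SAMPLES = [(1, 3200.0), (2, 3210.5), (3, 3215.0), (4, 121.0)]


def notify(alert: Alert) -> str:
    """Format an alert for delivery. A real deployment sends the SMS/e-mail
    from a host that is *not* the wallet server, so the alert survives the
    wallet server's compromise."""
    return f"[{alert.kind}] t={alert.at}: {alert.detail}"


if __name__ == "__main__":
    for a in check_balances(SAMPLES, floor=500.0, max_outflow=500.0):
        print(notify(a))
```

The point of the second rule is timing: a floor-only check stays silent while a large wallet is being emptied in slices, whereas an outflow limit fires on the first slice, when the remaining funds can still be moved.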
While watching the logs, it did not look like the server had been compromised at all.
Then I found that two of my Linode machines had been restarted half an hour ago, too, and their root passwords had been changed. I changed the passwords and found that there was malicious activity on the machines. Then I discovered that the passwords had been changed through Linode Manager (Linode’s web management interface), because there was a record of the password change in the Host Job queue (the last activity done through the Manager).
I reported the incident to Linode staff and asked for a log of recent logins to the Manager. To my surprise, there were only my own login attempts, and the last login before the attack was on 08/02/2012! I reported to Linode that something was terribly wrong, because I had been using a strong password for my Linode Manager (I know it’s basically a backdoor to my machines) and I didn’t use this password anywhere else.
Full log of support ticket is here.
I’m still waiting to see what they find.
Linode is a top provider and a lot of people trust them with serious business (like me, until now). If they see that Linode is trying to hide this issue, maybe people will change their minds.
Linode is a respected hosting provider, and I hope they do the right thing and refund me for this loss caused by their error. Many people trust Linode, and they have proven themselves as a serious contender for hosting critical, sensitive operations on the internet. I would hate to see them not live up to that reputation.
I am not the only person affected by this. A few hours ago another guy contacted me to say that his Linode machine had been attacked and his coins had been moved to the same wallet, asking me if I knew what happened (because he found that the 1Mining2 address is mine). We found that our cases are the same – changed password in the Manager, stolen coins, and Linode staff telling us they have no security issue on their side.
It looks like the attackers found some vulnerability in Linode Manager and used it to infiltrate Linodes running bitcoind (we both had bitcoind running on the machine), to gain maximum profit for the least exposure; it does not seem that many other machines were compromised, and we found no information on Twitter or anywhere else. It looks like the attackers were interested only in Bitcoins, because they left Namecoins untouched, although they had the same chance to steal them.
The Bitcoin faucet (Gavin Andresen) has also had its coins stolen.
From the attacker’s wallet it looks like more people were affected by this Linode hack; maybe they know something more?
There’s no reason to think that the pool itself was hacked. I changed all passwords everywhere (mainly for the database), moved the coins to a new wallet, and everything is working fine. The backup machine didn’t contain keys for accessing the pool server, so there’s no need to reinstall the pool on another machine. I’m covering the whole financial loss from my own money, to keep pool users out of this stupid issue. It is between me and Linode.
Update:
Linode has confirmed that the error was due to a fault on their side.
Hello Marek-
We were alerted to the suspicious activity and have identified and corrected the issue. Our investigation has revealed a customer support interface was used to access your account. The compromised credentials have been restricted and we are discussing policy changes to prevent this from recurring.
We regret that this incident has occurred, and apologize for the unnecessary work this may have caused you.
We appreciate your business and certainly want to keep you as a happy and satisfied customer. If there is anything we can do to make this up to you, certainly let us know.
Regards,
Thomas Asaro
Vice President
They’ve made a security announcement on their website which also confirms the error, and alerts their customers of the risk. Linode says they are performing an in-depth audit on their Linode Manager software to confirm the risk.
Bitcoinica
Zhoutong of Bitcoinica confirmed that he has lost 43,554 BTC (~200,000 USD) in this Linode theft.
We lost 43,554 BTC from this incident and we will reimburse our customers for the full amount.
- Customer funds will not be affected.
Bitcoinica is committed to absorbing any loss. The thief stole from us, not you.
- Customer data is safe.
The compromised server was entirely dedicated to holding our bitcoin “hot wallet” only. Thankfully, this function is the only one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.


Gavin reports that the Linode VPS that held the bitcoins for the Faucet was also rebooted and its coins stolen.
Underaged anus will make us all feel better … Bitcoin conference at my place!
Mr. Wagner, such a pleasure to see you here!
Are the hosted machines administered by plesk?
See here:
http://www.h-online.com/security/news/item/Bug-in-Plesk-administration-software-is-being-actively-exploited-1446587.html
Linodes don’t come with Plesk by default. If you want it, you have to install it yourself.
I’m not using Plesk and I don’t know if Linode is using Plesk inside. Actually it looks like it, because the Plesk exploit was published later today.
Linode is using Xen
Oh sorry, I didn’t notice that Plesk is control panel only for Parallels.
Using Xen has nothing to do with what control panel software is used and does not rule out a specific hosting control panel.
Linode provides no control panels other than their own basic one. Pretty much anyone using Linode knows how to admin a *nix system from the shell.
All the security theatre is worth something only as long as you trust your hardware + the people who maintain it. VPS and cloud computing is just surrendering all your data and computation to someone else.
Doing something important? DIY.
Because every one-off hosting service – probably administered by overburdened staff – is more secure than a service that has been examined by hundreds of users over years..
Having used it, I’m not surprised that Linode Manager was owned, but don’t throw the whole industry out.
The forum thread on BitcoinTalk.org for this is:
– http://bitcointalk.org/index.php?topic=66916.40
Does this mean that hosting providers will ban bitcoin services?
bitcoin = huge liability
Doesn’t look like a liability at all. I haven’t read Linode refunding anybody their lost BTC, nor have I seen any offers of free hosting as compensation. From what I read here, their liability was writing an e-mail that says “WHOOPS! Won’t happen again!”
Dear slush: I’m very sorry you were robbed. You didn’t deserve such a loss.
In what way is doing a bunch of useless math on background processes work? You “miners” are enabling huge fraud and money laundering by organized criminals.
Maintaining a mining rig isn’t just plug and go. There is quite a lot of time spent on maintenance and management to keep uptime as high as possible, not to mention the continual efforts to manage the heat generated. I wish it was just flip a switch and close the door, but it’s not. I’ll stick with my bitcoins, and you stick with your inflating fiat money.
Thanks, I will stick with my “inflating fiat money” and will remember to laugh my ass off in a few months time when I read the next article bemoaning the plummeting “value” of your entirely fake money.
> You “miners” are enabling huge fraud and money laundering by organized criminals.
What about higher ranking criminals that use normal currencies, offshore societies, banks, and get real assets from their activity? Shouldn’t we start making it difficult for the most dangerous ones? Nope, we have international treaties that say money must flow unhindered, no matter the social costs. Who benefits?
…and the banks and intelligence agencies ARE NOT???? Hell, the only way to REALLY stop money laundering is to declare ALL cash transactions as illegal. Read the book Thieves’ World: The Threat of the New Global Network of Organized Crime by Claire Sterling
Sorry for your loss, but I have a security question. Could you have evaded this by encrypting the home directory for the user you run bitcoin as? I’m not experienced in computer security at all, but it seems to me that encryption allows one to easily evade compromise from host systems in a virtual environment.
When the user is logged in, his home folder is decrypted. And the root user can get access to the user’s encrypted home folder unless this user is logged out. Since the bitcoind client requires constantly updating the wallet.dat and block chain files, the user has to be logged in. And this essentially means that the root user can get access to the decrypted files.
did they give you a compensation?
> If there is anything we can do to make this up to you, certainly let us know.
Yes, pay you 12k euros…
How many rounds of sha1 are the passwords stored with? If it’s just a single-round with a salt that’s not at all secure.
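To make the difference concrete (an added example, not the pool’s code; the record layouts, iteration count and function names are assumptions of the example): a single salted SHA-1 digest can be computed at very high rates, so a leaked table is exposed to guessing, whereas a deliberately slow construction such as PBKDF2-HMAC with a per-user salt raises the cost of every guess. Existing records can be upgraded transparently the next time each user logs in, which is the practical route once the table has already been copied.

```python
"""Password storage: salted SHA-1 beside PBKDF2, with upgrade-on-login.

Added example; not code from the pool. The record layouts
("sha1$<salt>$<digest>" and "pbkdf2_sha256$<iters>$<salt>$<key>"),
ITERATIONS and the function names are assumptions of this example.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Tune upward until one verification costs tens of milliseconds on your hardware.
ITERATIONS = 200_000


# --- legacy scheme, as the post describes it: one SHA-1 over salt + password ---
def make_legacy_record(password: str) -> str:
    salt = os.urandom(8)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


# --- hardened scheme: PBKDF2-HMAC-SHA256, unique 16-byte salt, high iteration count ---
def make_record(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either record format.

    Returns (matched, replacement_record). The replacement is non-None only
    when a legacy SHA-1 record matched: the caller stores it in place of the
    old one, so the table migrates one user at a time without a forced reset.
    """
    parts = record.split("$")
    if parts[0] == "sha1" and len(parts) == 3:
        _, salt_hex, digest = parts
        candidate = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
        ok = hmac.compare_digest(candidate, digest)       # constant-time compare
        return ok, (make_record(password) if ok else None)
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        _, iters, salt_hex, key_hex = parts
        key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(key.hex(), key_hex), None
    return False, None   # unknown or malformed record: never match


if __name__ == "__main__":
    old = make_legacy_record("correct horse battery")
    ok, upgraded = verify_and_upgrade("correct horse battery", old)
    print(ok, upgraded is not None and upgraded.startswith("pbkdf2_sha256$"))
```

Upgrading on login does not protect the copy that already leaked, which is why the post’s advice to change the password still stands; it only stops the next leak from being as cheap to attack.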
And as far as how this can be prevented in the future? Multisignature:
– http://bitcoinmedia.com/the-truth-behind-bip-16-and-17
Multisig does nothing to prevent this.
It seems to me that this is why companies have insurance. I’d work on filing a claim.
+1
And you think that an insurance company will refund virtual money?
So are they accepting liability. I am guessing they don’t and they can point to something in their terms and conditions that you accepted. Were you mining on there or using it for storage?
So, they admitted to the problem and will pay you back? What kind of SLAs and other agreements are in place? I mean, you do have some sort of agreement with your provider, right?
“Our investigation has revealed a customer support interface was used to access your account” <- WTF was the support interface doing exposed to the internet? Surely access should be restricted to only authorized hosts?
When they say “support interface” they may very well mean “console access.” They don’t necessarily mean a gui or web interface.
I have the impression it was done in-house. As in: a Tech working internally for Linode is believed to have committed the act.
Now that’s bitcoins for you.
Let’s say you had $12k in your Paypal account; would you leave your Paypal username and password in plaintext in your home directory on a VPS? Tough call—personally, I might be stupid and do that, overly trusting the VPS.
A lot of web applications have API keys for Paypal accounts on the servers, because it’s the only way how to handle funds automatically.
…but stealing from Paypal accounts sounds stupid, because Paypal transfers are reversible; that’s probably why it’s not going to happen so often.
Theo De Raadt has been warning admins not to take the cheaper Vps/virtualization route for real security for sometime now. The ‘cloud’ is a scam unless you use it for low security hosting
Isn’t it also the case that Linode has the possibility for you to restrict access to your management interface to access via SSH keys you provide? It makes things more secure, but wouldn’t necessarily have helped you, if their customer service interface can bypass that interface.
My first thought.
It’s not Linode’s fault. You should have elected to use a hosting service that cannot reset your password or access your machine (e.g. Amazon EC2).
what makes you think ec2 admins can’t access your machine?
Who in hell would decide to host their bitcoin wallet on public servers on which you have no idea what security policies are maintained and applied?
You tried to play big bank and you got burned for it, badly. This is NOT Linode’s problem; it’s your poor decision making.
So really, Linode hasn’t “cost you more than 3000BTC”, you did. You and others hinting that Linode should compensate I say; you are out of your MINDS.
It is NOT Linode’s responsibility, NOT their problem that some of their users make bad choices. Hosting your hello kitty website? Sure. Hosting sensitive information? No no.
It’s his “hot wallet”, and he needs to generate addresses and give out money: he’s hosting a Bitcoin mining pool
I’m not sure what point you are trying to make.
I understand it’s his “hot” wallet. A bitcoin wallet, whatever you call it, remains a bitcoin wallet, subject to theft if you don’t take sufficient measures to protect it.
He chose to back up a bitcoin wallet somewhere that he could not trust, someone gained access and made a sizable transaction on his behalf, and that’s it.
Yikes. Have you had any discussion as to if this just affected you or other customers?
I know about three other affected Linode customers: Gavin Andresen’s Bitcoin faucet, Bitcoinica and one other guy from the bitcoin forum.
That’s really tough… but letting anyone else have root access to a box containing 1000s of bitcoins probably isn’t a great idea. Here’s what I’d do:
1. Full hard drive encryption.
2. Login via ssh public-key only.
3. Logins restricted by IP address.
4. Dedicated server, physically secured.
I think I might allow a DRAC for remote access so the server can be rebooted (and encryption password entered) remotely, that would need to be limited by IP address again.
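A check for items 2 and 3 of the list above, as an added example (not the commenter’s or Linode’s code): it parses an sshd_config the way sshd reads it, comments skipped, first value of a keyword wins, conditional Match blocks left aside, and reports any setting that still allows password logins or does not pin accepted logins to a source address. The keywords are real OpenSSH options; the target values, sample configs and function names are assumptions of the example.

```python
"""sshd_config audit for key-only, source-restricted logins.

Added example, not the commenter's or Linode's code. The keywords are real
OpenSSH sshd_config options; the chosen target values, the sample configs
and the function names are assumptions of this example.
"""
import re
from typing import Dict, List

# keyword (lower-case) -> value wanted in the global section
REQUIRED: Dict[str, str] = {
    "passwordauthentication": "no",            # keys only
    "challengeresponseauthentication": "no",   # closes the keyboard-interactive path
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",                   # reach root via a keyed, named account
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global settings, following sshd's own rules: comments and
    blank lines are skipped, the FIRST occurrence of a keyword wins, and
    parsing stops at the first Match block because its settings are conditional."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings: List[str] = []
    for key, want in REQUIRED.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key}: not set, so the compiled-in default applies (want '{want}')")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}'")
    allow = s.get("allowusers")
    if allow is None:
        findings.append("allowusers: not set, logins are not restricted by source address")
    else:
        for entry in allow.split():
            if "@" not in entry:   # only the user@host form pins the source
                findings.append(f"allowusers: '{entry}' carries no host restriction")
    return findings


# Constructed samples (192.0.2.0/24 is the RFC 5737 documentation range).
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers pooladmin@192.0.2.10 pooladmin@192.0.2.11
# sshd keeps the first value of a keyword, so this later line has no effect:
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

These checks cover only the guest side. A provider console that can reset the root password and reboot the machine never touches sshd at all, which is why the list pairs them with disk encryption and a physically controlled server.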
Perhaps mandos?
https://wiki.recompile.se/wiki/Mandos
Bitcoinica has over 10K BTC — $50K USD at about current market level stolen too: https://bitcointalk.org/index.php?topic=66961.msg778254#msg778254
It was me, Bruce Wagner … Sorry guys … I need the money for a sex change operation … Im a woman trapped in a man’s body who is attracted to men … I hope you all understand … Only love!
Sounds like you’ve been watching too many reruns of ‘Dog Day Afternoon’.
Sorry for loss, but it was not a very smart decision to host them on a publicly accessible server. I mean c’mon. It sucks that they were vulnerable to such attack, but every hosting provider is vulnerable. It’s impossible to prevent 100% of all attacks, aside from disconnecting your machine from the internet… not really a possibility for hosting providers is it?
You’re basically spreading a fear campaign against current Linode customers and it’s not fair to the company. Sure they had a vulnerability, but go look at past Apache or Nginx exploits. They’re found, and they’re patched. Same as Linode will do.
Next time make a better decision if it hurts so much to lose your bitcoins and all your “hard work” if that’s what you want to call it…
*palmface*
Slush runs a mining pool. They weren’t his coins, they were the coins of the people mining at the pool, so technically it’s their fault that they left them in the pool account and didn’t remove them to their own wallets. That aside, he runs a pool. There’s a lot of work, risk, liability tied to that. Would you say the same if it had been paypal instead of Slush?
what I don’t get is what does someone do with the bitcoins? It’s not like they can cash it out because that could be possibly flagged?
True, bitcoins are not entirely untraceable, but with a few extra, phony transactions in between, it isn’t that hard to effectively launder them. It is unlikely that bitcoin thieves will be hunted down and apprehended. Great for people who have privacy concerns, legitimate or clandestine.
More from Linode : http://status.linode.com/2012/03/manager-security-incident.html
Wow, Bitcoinica lost 43,554 BTC from Linode compromise!
https://bitcointalk.org/index.php?topic=66979.0
I really don’t think it’s fair that people are bashing him for hosting on a VPS. Sure it’s not the best idea but there is a bare minimum of service that Linode is responsible for, part of which is not giving away (in this case resetting and giving away) your root password.
Linode is certainly not alone in this regard, there are countless companies who have failed, Dropbox comes to mind. After all software is created by humans and humans are far from perfect. At this point it’s simply an insurance issue. This is precisely what business insurance is for, the insurance co should pay, and their premiums should go up.
What happens next is really more of a concern to me. I truly hope Linode will first close the hole, perform a full (peer verified) audit to see who was effected, implement policy and code to prevent this from happening again, all the while while being perfectly transparent and open about this issue. I personally have a fair amount vested in them and was considering moving another dozen or so VPSs their way but until this issue is dealt with I’m in a serious holding pattern.
It looks like while I was writing this they released an initial incident report. This is precisely the sort of open and clear communication I’ve come to expect from Linode.
Business insurance is essential, but if the insurance company investigates and is of the opinion that you were grossly negligent, good luck getting them to pay up! Not saying anyone was grossly negligent here, but if the insurance company *thinks* you were reckless, you’re going to have one hell of a fight on your hands.
the fartman
If they don’t talk liability with you, you have every right to sue.
That depends on the agreement they signed with Linode. The service agreement may state that Linode’s liability extends to “Whoops. Sorry.”
No matter what the ToS says, it doesn’t necessarily absolve all responsibility. If for instance, they were deemed criminally negligent… even if the ToS said “we are not responsible for our own criminal negligence” it wouldn’t make a difference.
Lots of companies use ToS that are either illegal or at least legally unenforceable. That can say whatever they want in the ToS, but you have some rights that are hard or impossible to waive.
I’m glad that at least Linode was open about it- if it was Sony.. well, you know the story on that one
I would think that the max limit of Linode (if they were feeling generous) would be the money that you’ve paid them. That’s a pretty standard (in the US) liability limit.
Bummer that it happened, but I do question why you would host something like this on a system that you don’t have control over.
Bitcoinica now confirms the amount stolen from them at over 43K BTC worth about $200K USD: http://bitcointalk.org/index.php?topic=66979.msg778578#msg778578
How is that a “hot” wallet? Do they really need to have the ability to pay out 43K BTC at an instant’s notice?
You are an idiot. Bitcoin is like cash. You have to protect it. I’ve been using bitcoin for around 6 months and I keep my bitcoin OFFLINE. To put that much bitcoin in a public hosting provider like linode is just insane.
Linode’s confirmation: http://status.linode.com/2012/03/manager-security-incident.html
This is hilarious.. I cannot say I’m sorry this happened. Actually find it kind of gratifying.
Really? Like banks failing? Find that gratifying too? Had Marek not stepped up to cover it, that’s partly my money too.
Excellent job alerting Linode of the problem. Linode customers salute you.
Slush, you should do what eligius do, pay out btc immediately. U are not a bank. I’m sorry for your loss buddy. Look on the bright side, things can only get better from here
I’m glad you got hacked. 3000 BTC of your profit made in just a few months, sounds greedy as fuck to me. Pools run themselves for the most part. Trying lowering your fee and *maybe* I’ll use your pool. Until then, I’ll be on one of the 0% or 1% fee pools. The only one that’s worse than you is deepbit.
Slush’s pool is big enough. If I had that much hashpower on Eligius, I’d be increasing the fee if anything to encourage people to use other pools.
He’s one of the top pool operators in bitcoin mining. He has enormous responsibility and enables a huge amount of hashing to be directed to bitcoin. His revenues are in no way unfair.
Go start your own pool if you think it’s so easy.
Comedy is tragedy + bitcoins.
I don’t know if I’d class Linode as a “top provider”. They’re great if you want a few standalone dinky VPSs, but the moment you want to do anything “serious” (i.e. have your hosts talk to one another, build an infrastructure, have *real* redundancy) they’re worse than useless. 50Mb/s bandwidth cap, with massive latency and jitter? Support staff who just go around and around in circles of bullshit? No thanks. We moved to AWS. We’ve not had a *second* of downtime since, and my hair is no longer falling out in chunks.
She who gives up liberty for security deserves neither
Your opening sentence is incorrect.
Your poor decision making skills cost you $12,000. You were an incompetent idiot for putting something of value (and whose value is remotely detectable) in a location that meant that anybody who found any flaws in their platform (and there are always flaws in the platforms) could steal your money.
You’re an idiot.
Linode had a bug in some software, and you were dumb enough to put yourself in a situation where any such bug would lead to what is apparently a substantial financial loss for you.
This is your fault.
Yours. Not Linodes. Yours.
man up and take responsibility for your enormous fucking incompetence, you putz.
p.s. I hope you sue them, because it’ll be hilarious to watch you spend thousands on a lawyer and lose because you’re a fucking IDIOT.
Thank you for the comedy goldmine.
This is horrible.
You’re showing yourself to be a reliable business partner in covering these huge losses.
How can someone become such a ruthless ass? You must live in the US.
But what could be done to stop this from happening again? If you encrypted all the disks then they wouldn’t be accessible from outside the VPS, which means you would have to log in to it to see the files. In this case the root password was changed externally to do just that, but what if you enabled SE-Linux to limit root’s access? Then even if the root password was reset the decrypted files could not be accessed by the root user.
Since cash exists, bank robberies also do. Arguably the shift to central bank databases has been pushed to avoid those: remember those stickers saying “our employees cannot take money out of machines” in many flavors?
Bitcoin will not be safe from this, being electronic cash, it will offer all advantages and disadvantages of cash. You need to take care of your wallet, cowboy. This might help by scripting it further http://tomb.dyne.org
However, this episode suggests there can still be a smaller market for service providers that offer high security and an amount of liability on the values stored. That said, I honestly would not use Linode even to host my public software repository…
Slush: go learn some basic English.
Obedient bye, genial chum