I lost 5 bitcoins today when the server holding the Bitcoin Faucet's wallet was hacked. Unfortunately, I wasn't alone; at least one other customer of the web hosting company (Linode.com) had their wallet stolen, too. According to Linode:

"Our investigation has revealed a customer support interface was used to access your account. The compromised credentials have been restricted and we are discussing policy changes to prevent this from recurring."

I knew that using a shared hosting service was a risk, which is why I kept so few bitcoins in the Faucet's wallet. It made sense to spend $30/month on web hosting where I risked losing $25 worth of bitcoins rather than spending a couple hundred dollars a month on a dedicated ultra-secure server or tens of thousands of dollars on a full-time system administrator managing my own hardware.

It is annoying, though. I've got to create a new wallet for the Faucet, do some work on its web pages to give a new donation address (any new donations to the old Faucet address could be stolen by the thief), and decide if I trust that Linode really will be more careful about who has access to their customer support interface in the future.

It is also very preventable; I've been pushing as hard as I can for the last six months or so for "multisignature transactions" as a standard part of the Bitcoin infrastructure. Here's how a future version of the Faucet will work to prevent an incident like today's: the wallet's coins are locked so that two keys are required to spend them, with each key held on a different machine, and the second machine checks each transaction before adding its signature.
If a hacker compromised the first machine and got the wallet, it wouldn't do them any good, because they would only have 1 of the 2 keys required to spend. If they compromised the first machine and tried to generate a transaction sending themselves all the bitcoins in the wallet, the second machine would notice and refuse to sign it, stopping them.
They might compromise the first machine and send themselves a little trickle of coins so they don't get noticed, but that would be a lot of work and I would pretty soon notice that more coins were leaving the wallet than I expect.
Compromising just the second machine doesn't help either; they can't modify a transaction the first machine has already signed without invalidating that signature, so they can't steal any coins. They'd only be able to steal the bitcoins if they somehow managed to get both keys from both machines.
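The two-machine arrangement described above, modelled as an added example (not code from the original post or from Bitcoin itself): HMAC-SHA256 tags stand in for the ECDSA signatures a real 2-of-2 script would check, the secrets and addresses are constructed, and the per-payout and daily limits are an assumed co-signer policy.

```python
import hmac
import hashlib
import json

# Constructed sample secrets. A real deployment keeps an ECDSA private key on
# each machine and the Bitcoin network verifies both signatures against the
# public keys; here an HMAC tag over the canonical tx stands in for each
# signature so the model runs on the standard library alone.
KEY_WALLET = b"machine-1-hot-wallet-key"   # key 1, on the web server
KEY_COSIGN = b"machine-2-cosigner-key"     # key 2, on the separate co-signer


def _sign(key, tx):
    """Signature stand-in: an HMAC over the canonical encoding of the tx."""
    msg = json.dumps(tx, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def network_accepts(tx, sig1, sig2):
    """Stand-in for the 2-of-2 script check: both signatures must match the
    transaction exactly as it is being spent, so any later edit breaks it."""
    ok1 = hmac.compare_digest(_sign(KEY_WALLET, tx), sig1)
    ok2 = hmac.compare_digest(_sign(KEY_COSIGN, tx), sig2)
    return ok1 and ok2


class CoSigner:
    """Machine 2: adds key 2 only to payouts that fit its spending policy.
    Amounts are in satoshis (integers) to avoid float rounding."""

    def __init__(self, key, per_payout_limit, daily_limit):
        self.key = key
        self.per_payout_limit = per_payout_limit
        self.daily_limit = daily_limit
        self.spent_today = 0

    def cosign(self, tx):
        amount = tx["amount_sat"]
        if amount > self.per_payout_limit:
            return None  # a single large drain never receives key 2
        if self.spent_today + amount > self.daily_limit:
            return None  # a slow trickle is cut off once the budget is used up
        self.spent_today += amount
        return _sign(self.key, tx)


def faucet_payout(cosigner, to_addr, amount_sat):
    """Machine 1 builds and signs a payout, then asks machine 2 to co-sign.
    Returns (tx, sig1, sig2); sig2 is None when the co-signer refused."""
    tx = {"to": to_addr, "amount_sat": amount_sat}
    return tx, _sign(KEY_WALLET, tx), cosigner.cosign(tx)
```

An attacker holding only key 1 can sign whatever they like, but `network_accepts` fails without key 2 and the co-signer refuses anything outside its policy; an attacker holding only key 2 cannot redirect a transaction machine 1 already signed without breaking signature 1.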
Multisignature support is, unfortunately, still several months away. Until then, I'll continue to keep only small amounts of Bitcoin in the Faucet's new wallet.