More on the BIPS hack

This weekend BIPS released more information on their recent hack, posted on the Bitcointalk forums. Let us go through their announcement sentence by sentence and see what we can learn.

It is imperative to understand that everything was wiped out from our servers and getting functionality back is priority #1.

When something has been demonstrated to be fundamentally broken, restoring functionality of the horribly broken thing should probably not be on the list of priorities.

The wallet part of BIPS was a free service to make payments easier for users.

The BIPS wallet service seems to actually have been rather expensive for its users and the extent to which it was a service is debatable.

Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in.

With the number of web wallets that have been hacked and the number of people who have lost coins to web wallet hacks, web wallets seem not to be fit even for this purpose. A particular problem is that what seems to be a small value in Bitcoin tends not to be so small the next year, or even the next month. Also, with a traditional wallet holding paper cash, generally only one person loses their money in each mugging. With a web wallet one theft takes everybody's money, because every user's keys sit on the same server behind the same hole.

Hence we offered a paper wallet as a cold storage alternative for those who wanted a safe storage solution.

Paper wallets can indeed be useful for this purpose, if they are generated and printed offline. A paper wallet generated on a computer that is online is no more secure than any other online[1] wallet: the private key existed on a network-connected machine at the moment it was generated, and anything on that machine could have copied it before it ever reached paper. A paper wallet generated on a server and delivered to the end user over the internet, even over an https connection, should be treated as less secure than a software wallet maintained locally on the user's internet connected machine, because the operator, and anyone who has compromised the operator's server, had the key before the user did, and printing it does not undo that. For near absolute security suitable for large numbers of coins you need an airgap. Not Schneier's fake "tor is nearly as good as not being connected to the internet" but a machine that is actually never connected to the Internet. The developer of the Armory Bitcoin client has a decent guide for setting up a wallet split between an online computer that watches balances and builds transactions and an offline computer that holds the keys and signs them. The biggest improvement I can think of over the official Armory guide is to pass the unsigned and signed transactions across the gap with a printer and a scanner with decent OCR abilities instead of digital media like USB sticks, since a USB stick is a two-way channel that can carry malware onto the offline machine.

We will be contacting all affected users as already proclaimed.

Proclaimed seems an awfully grand word given the situation.

We will need their consent to hand over information to the authorities for further investigation, which hopefully can assist in catching the thief.

Okay.

Those who were not affected and have a bitcoin balance will also be contacted.

Hopefully this includes purchasing advertising spreads in all of the popular media where you apologize for your incompetence and rail against the evils of web wallets. A two page spread in the first section of the Wall Street Journal should work.

Most balances left are minuscule, but if you had more than a few satoshis in your wallet you are affected, and will be contacted.

So the thieves took everything that wasn't unspendable dust.

Another priority is doing forensics data recovery to be able to investigate and assist authorities in finding the attacker.

Hopefully the parties conducting this are capable enough to not require Excel for this task, and are not actually just you guys jacking off to server logs and calling it a forensic recovery.

Technical information will not be disclosed for security reasons.

Seems awfully selfish, seeing as you shouldn't have security reasons anymore: you shouldn't continue operating any payment system more complicated than perhaps this, and you definitely should not be doing such a thing on behalf of other people.

Stolen coins have been isolated and server logs have been retrieved from data recovery:
https://blockchain.info/address/1LuG91tcSQxKj32BsCoRkX7yQLfj9LtkCs

So, nearly four times as much Bitcoin was taken from Inputs.io when they were hacked, and you remain too pretentious to even change the title of the pages on your website to a frowning emoticon. Even adjusting for the change in Bitcoin value between the hacks, the operator commonly known as TradeFortress managed to have a larger amount taken from his service's hot wallet, whether accounted for in BTC or dollars. On the other hand, the operators of BIPS at least have the courtesy to report their customers' losses to Law Enforcement.

Please be advised that attacks are not isolated to us and if you are storing larger amounts of coins with any third party you may want to find alternative storage solutions as soon as possible, preferably cold storage if you do not need immediate access to those coins:
www.coindesk.com/hacker-attack-polands-bitcoin-exchange/
www.coindesk.com/czech-bitcoin-exchange-bitcash-cz-hacked-4000-user-wallets-emptied/

It is nice to bring up other examples of web wallet services getting hacked, but limiting the list of failures to just this month's is rather disingenuous. The history of this sort of thing goes back to the earliest of web wallets.


  1. and not necessarily web hosted  
