Linode Exploit Caused Theft of Thousands of Bitcoins

Sabbetus writes "Popular web hosting service Linode had a serious exploit earlier today. Apparently the super admin password for their server management panel was leaked and allowed a malicious attacker to target multiple Bitcoin-related servers. The biggest loss happened to a major Bitcoin mining pool that lost over 3000 BTC, which is currently worth almost 15 000 USD. Now the question is, will Linode compensate for lost bitcoins?" Update: The 3000 BTC theft was not even close to being the biggest, Bitcoin trading site Bitcoinica lost over 40,000 BTC.

Linode Terms of Service

[Laebshade]

http://www.linode.com/tos.cfm [linode.com]

Section 9, paragraph 1:

Subscriber acknowledges that the service provided is of such a nature that service can be interrupted for many reasons other than the negligence of Linode.com and that damages resulting from any interruption of service are difficult to ascertain. Therefore, subscriber agrees that Linode.com shall not be liable for any damages arising from such causes beyond the direct and exclusive control of Linode.com. Subscriber further acknowledges that Linode.com's liability for its own negligence may not in any event exceed an amount equivalent to charges payable by subscriber for services during the period damages occurred. In no event shall Linode.com be liable for any special or consequential damages, loss or injury. Linode.com is not responsible for any damages your business may suffer. Linode.com does not make implied or written warranties for any of our services. Linode.com denies any warranty or merchantability for a specific purpose. This includes loss of data resulting from delays, non-deliveries, wrong delivery, and any and all service interruptions caused by Linode.com.

overblown news story, here's the real truth

[slashmydots]

Oh the drama. As an actual bitcoin miner, let me fill you in on the real story instead of that media fluff that's purposely inflated to overdramatic proportions. Almost all bitcoin mining pool websites are configured to pay people every time 1 BTC is reached. That's around $5 US and takes a mediocre mining rig approximately 2 days to generate. So the most that the average person probably lost is $0.01 - $5.00. NOBODY keeps massive piles of BTC sitting around at the pool itself. The exchanges, yeah, but not the pools. They're known for lax security too. At the #1 biggest mining pool, your miners' login passwords are listed as plaintext on the page because what are people going to do, mine for you? And none of your money stay there for long so nobody really cares.
What really doesn't add up is the 3000 BTC estimate. Even Deepbit, the largest pool, doesn't have 6000 members, which would be the number required to, at any given point in time, have an average of 3000 BTC on-hand. So it likely was the site owner's profit pool that got robbed the most heavily.

Re:overblown news story, here's the real truth

[godofpumpkins]

What about the 43,000 coins bitcoinica reported stolen in the same breach? Still overblown? https://bitcointalk.org/index.php?topic=66979.0 [bitcointalk.org]

Re:$15000 USD????

[repapetilto]

Here is a place that accepts bitcoins for videogames:
http://gamerkeys.net/ [gamerkeys.net]

Here is an ebay-like auction site:
http://bitmit.net/en/shop/c/13-pc-and-video-games/2-pc-games [bitmit.net]

There are no chargebacks with bitcoins, so you need to do research on the rep of various sellers and merchants. You save money on fees you would otherwise pay to cover chargebacks, etc.

Re:Free Insurance

[bmo]

> let's make ISP's fully responsible for all incidental and consquential damages.

Strawman: Hi, you didn't say this, but I'm going to say that you want to have ISPs responsible for content and then I'm going to attack it.

False dichotomy: "obviously" some regulation leads to regulation of everything down to the most minor minutia, implying that you can either have no regulation at all or intrusive regulation, excluding the middle.

Reductio ad absurdum: "I'm going to take what you said and invent a mythical case (ISPs responsible for content) that would never exist in reality and somehow this is proof of something"

All three of these are related. Can you guess how?

In case you can't, I'll put it in simple terms: You are putting words in the parent's mouth that were never said. In even simpler terms, it's a lie.

>Calling you out on bullshit isn't allowed

Oh yes it is.

Good Day.

--
BMO

Section 9: Limitation of Liability

[coldsalmon]

Like any vendor, Linode has included language in their contract which limits their liability. This is standard language, and it operates according to the following principal, which originated in landlord/tenant law: Linode has no control over the value or sensitivity of the property that you store on its site, so you must get insurance against the loss of this property yourself. No landlord/host wants to act as an insurance company, and they are in no position to do so. I can put anything I want in a rented space; it could be a $5,000,000.00 supercomputer, or a $30,000,000.00 Van Gogh. If there is a leak in my landlord's roof and a drop of water destroys the supercomputer, I must look to my own insurance policy, because I am the one why owns this property. If I want to store $15,000 in cash, I am not going to rent a storage unit and leave it lying all over the floor (the equivalent of what these Linode users did). I am going to put it in a BANK, which is a business specifically designed to store one type of thing, and which provides insurance against its loss.

Here's a link to the TOS: http://www.linode.com/tos.cfm [linode.com]

THIS POST DOES NOT CONSTITUTE LEGAL ADVICE OR CREATE AN ATTORNEY-CLIENT RELATIONSHIP. ANY LEGAL ADVICE MUST BE TAILORED TO YOUR INDIVIDUAL NEEDS BY AN ATTORNEY LICENSED IN YOUR JURISDICTION.