by klodolph 5225 days ago
I'm not really sure why people are trying to store bitcoins on a VPS in the first place. You can't process credit cards on a VPS and be PCI compliant (it's against the rules), but any moron can do what they want with bitcoins.
5 comments

I'd argue this isn't about bitcoins. A (popular) VPS provider, according to that article, had a security problem that allowed some individuals to access the VPS management interface for any machine they cared for.

They could've defaced your site in high traffic times. They could've logged in and deleted your projects on the VPS. Depending on your setup (they had root) they could've searched for your backups. They could've read your mail, if that machine is your infrastructure service - and continued from there (password reset, Amazon, buy expensive stuff; password reset, Twitter, damage your reputation).

In this case the bits modified were part of a virtual currency and had a more or less clear value. I'd say there could've been worse results of that security hole though and 'don't put anything on a vps' is not a solution.

It's not about "don't put anything on a VPS", it's about "don't put money on a VPS."

I'm sorry, but you just said the same thing again that I was arguing against. 'Money' is not as clear cut as you'd like it to be.

Bitcoins are not a real recognized currency. So you can trade them for USD -> Don't store it?

What about this great project I'm working on? All my stuff on the VPS, because that's convenient and accessible from everywhere. I spent a double digit number of days on it. I have a daily rate for working as a programmer. Don't store it?

You totally ignored (so hard, that I think you didn't read it fully) my post about issues that are harder to value even. Access to your mail can be devastating. Even if you don't store 'money' on that VPS. Putting a dent into your online reputation by messing with your life on the net is hard to value, but certainly damaging. Again, no 'money' stored.

Bottom line: You ignored my point or didn't read my post at all. You picked a line out of context and refuted it with a pointer to the argument _I explicitly tried to prove wrong_.

Bad comparison in my opinion, BitCoins can be stolen (taken away and become unrecoverable) whilst your project you've been working on is recoverable.

Also the value something is worth is what someone else will pay for it. You can't value a project you're working on as your hourly rate * hours worked, it doesn't really work like that.

1) Recoverable: Only if I have backups (which I excluded in my comparison, and would be a fault on my side. But go with me here..). Otherwise I'd need to invest (see the word I used here?) time to create it from scratch. That's equivalent to an amount of money (the exact amount is hard to define, granted).

2) 'You can't value a project you're working on as your hourly rate * hours worked, it doesn't really work like that.' Right. But it's totally okay to value ~worthless~ stuff you have according to market rates, although you didn't sell them yet? Why are we talking about ~12k USD here? That's just a couple of bits and bytes on a disk. Yes, he _could've sold_ that at a specific time for a specific amount equaling ~12k USD. He didn't. Why do you assign this value to a highly fluctuating 'currency' on your disk, but don't like me assigning value to a 'yet to be successful' project on disk?

Point 1 isn't really debatable in my opinion, you make work, you back it up and if someone deletes it off your server you just move it back on. Bitcoins by design don't allow you to recover them.

Point 2, back in the day when currency was backed by gold reserves would you have said the coins and notes people had were also worthless? As they are not 'sold' yet into gold?

Also I don't say a project on your disk has no value, a project on your disk has worth, the amount it's worth is how much someone will pay for it. Because the project on your disk doesn't really abide by any fixed standards you will probably find it's quite difficult to sell it.

Then this conversation should be about the security breach and the BitCoin aspect should be a side note. The data lost is not what is important, just how the breach should be resolved and prevented in the future, yes?

Or passwords, or medical records, or anything confidential or of value?

I bet people think twice before storing medical records on services like Linode. At least I _hope_ they do?

Are you sure? I think that you may be mistaken. The bar is just set higher in a "virtualized environment"...

"In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity’s CDE.

These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls."

From: https://www.pcisecuritystandards.org/documents/Virtualizatio...

Amazon:

http://aws.amazon.com/security/

Amazon getting a PCI compliance pass was a big deal. The last time I looked, you needed to be able to ensure secure access to the facility, enumerate who has physical access to the hardware and when, and things to that effect. And you need to be able to prove all that in the event you're ever compromised.

> The last time I looked, you needed to be able to ensure secure access to the facility, enumerate who has physical access to the hardware and when, and things to that effect. And you need to be able to prove all that in the event you're ever compromised.

None of that should be particularly difficult for a VPS provider as large as Linode.

> you needed to be able to ensure secure access to the facility

This part isn't doable if you don't own the datacenter. Slicehost has a problem with this because they never owned the datacenters they used.

You don't need to own the datacenter, but you do need your own, secured space in a datacenter.

Securing physical access is a requirement for anyone wishing to obtain PCI compliance.

This strikes me as a really good point. The onus for proof of merit is on the decentralized currency.

Simply put, people trust Visa and MasterCard to safely manage transactions, for better or for worse. Regulation like PCI helps ensure that this trust is sound.

The Bitcoin community at large could really benefit from a set of published best practices for managing transactions. Anybody possessing an insecure wallet is ultimately a liability to the credibility of the currency.

But all that regulation is evil and it's the freedom of bitcoin that gives it the power*

*for hackers to get away with the entertaining virtual train robberies we've seen in the last year

Show me your wallet with a good amount of cash and leave the room for a while.

Afterwards, let's talk about your comparison. Is 'can be stolen' really something that the state can protect you against? Let's discuss it over dinner. Depending on the contents of the wallet I'd pay.

On a more serious note: Your mockery, while amusing, is unrelated to the problem at hand. 'Stealing amounts of $currency from private persons' is not a new idea or something that bitcoin is supposed to change?

What state? PCI DSS is private regulation.

Two problems.

1) I don't think PCI is relevant here. If you store bitcoins somewhere and they get stolen then this is, in my world, cash. It's your very own digital cash. Not a credit card. That's why I constructed a (probably poorly implemented) example of someone leaving a wallet full of shiny $currency notes out there.

2) 'What state?' WTH? Can I reply with 'What kind of question is that?' The state I'm coming from is called 'Northrhine-Westfalia' [1]. Now I'm living elsewhere and there are no 'states' here. I can offer the district 'Tel-Aviv'? The point is, 'what state' is invoking aggressive feelings towards your US-centered mindset.

1: https://en.wikipedia.org/wiki/Northrhine-Westfalia

Oh, FFS. I meant "what state?" as in, "why are you talking about the state?", since you said:

    (...) something that the state can protect (...)
and since the PCI (which was what we were talking about) is private, it doesn't make sense to talk about the State.

US-centered mindset

The fuck? Firstly, I'm European. Secondly, I assumed you were talking about the State[1], not a particular state.

[1]: https://en.wikipedia.org/wiki/State_(polity)

First and foremost: I'm sorry. We clearly didn't talk about the same thing and I misunderstood what you wrote.

My take: Someone was mocking Bitcoins with "But all that regulation is evil and it's the freedom of bitcoin that gives it the power" and I tried to make a point saying that _no regulation is involved here_ (laws? certainly). This is a wallet, it got stolen. Your credit cards are protected, your cash is gone for good.

You invoked PCI and I was (and am) unable to make the connection, maybe again because of a misunderstanding? I'm talking cash. Bitcoins are cash in my world (or - at least their value is equivalent to cash, if you choose to sell them).

From there we went downhill and I overreacted. Yes, for me 'state' is exactly what you posted. Again, sorry for the lapse.

I believe some states have laws requiring parts of PCI DSS to be implemented.

To be fair, websites have all been continuously compromised over the last years, many of which have nothing to do with bitcoin.

Even so, bitcoin seems to attract every shark in a one thousand mile radius.

It'd be worth it if more people used Bitcoins. No, we don't NEED regulation. We need competence and standards, which can come about without incompetent government intervention.

Nobody said anything about government intervention. PCI DSS is private regulation.

They were coins of a mining pool (slush pool - mining.bitcoin.cz - one of the largest three). And they were only the 'hot coins' left on-line for user withdrawals. The majority of the coins are kept offline/cold, as a common security measure for any bitcoin service.