
It's highly unlikely that high-profile Bitcoin busts will require meaningful advances in cryptography: they're far, far more likely to be appsec work -- perhaps inspired appsec work -- of the kind routinely conducted by intermediate programmers with weeks of specialized training.

Let me put some round numbers on the cost of various attacks:

Major result in cryptography: $X0 million to $X00 million+ (nation-state adversary)

Subtle bug in the Satoshi client C code: $100,000 (trivially within the reach of organized crime or a single highly motivated attacker)

Bust any Bitcoin-using Ruby on Rails (etc.) application: $20k probably, upper bounded by $100k where you'd produce (as an industrial byproduct) an RCE on any arbitrary Rails site

Compromise the security of a non-trivial number of Bitcoin users via spearphishing / targeted malware / etc: $1,000

If you're a thief who doesn't have access to any computer skills or the above sums of money, have no fear, it is likely that the Bitcoin economy still has multiple options for you to get in on the ground floor of exciting new ways to steal things.

[P.S. I'm routinely pessimistic about Bitcoins for a lot of reasons, but the software security angle keeps coming back to me because it's so easy to explain. If you think I'm overly pessimistic, consider the track record on HN of "people who know what the threat environment banks operate in looks like" versus "Bitcoin advocates" in predicting observable future outcomes of e.g. Bitcoin bucket shops in advance.]



"If you're a thief who doesn't have access to any computer skills or the above sums of money, have no fear, it is likely that the Bitcoin economy still has multiple options for you to get in on the ground floor of exciting new ways to steal things."

Exactly. Low-tech ways of stealing bitcoins are precisely what we are seeing the most in the community right now. Thieves who merely sweet-talk people on the forum and convince them to invest in their "businesses" (ponzi schemes, fake ASIC preorders, etc), then receive the money and run away.

Cost for the thief: at most $100 (setting up a website to advertise the fake business).

For example, just 2 months ago, a fraudster advertised his company selling Bitcoin ASIC mining hardware (www.labsnovo.com, now taken down) by posting a comment to my blog... This is very sad to see because every freaking time, some people fall for it. You may have 4 out of 5 posts on the forums reporting one of these schemes as a "LIKELY FRAUD" in all caps, yet there are always a few people who ignore these warnings and just try to invest anyway. sigh


Is it illegal to steal bitcoins?

If so, why? And how is it different (at least in the eyes of the law) than stealing a wand from someone in Ultima Online?

In fact, let me go further - does not a "real" currency issuer have a vested interest in not judging bitcoin theft to be illegal? If it's illegal, that bestows a certain legitimacy ...


If you were to hack into someone's account and take it, I would think that is illegal.

Obviously if you were to steal it ingame that would not be illegal.

It's almost certainly illegal to steal bitcoins.

I guess I'm referring to US law here, but I would expect it to be illegal in any country that has computer crime laws.

And sure it is in the currency issuer's interest to do that, if you think in strict terms of maximising the value of the issued currency. But that doesn't mean the currency issuer will take every action available to do so. The bigger picture is much more complicated than that.


Wouldn't it be the difference between fraud and a violation of a game's terms of service?


Recently I've read an article that Belarusian police investigated the theft of a virtual tank from "World of Tanks", found it and returned it to the original owner.


If you tell someone "Give me X and I'll give you Y" and you never intend to give them Y, then I presume you'd be guilty of fraud.

After all, X bitcoins do have a monetary value, since people will trade you money for them.


> the software security angle keeps coming back to me because it's so easy to explain

Or, to rephrase the standard pitch for Bitcoin: a bitcoin is as easy to steal as a credit card number, and as untraceable when it disappears as cash. ;)


Not quite. Credit card numbers can be (and mostly are) stolen from websites that accept them. That's not true for Bitcoin - you have to gain access to the customer's computer that stores the private keys. In that regard, Bitcoin is actually much more secure.

Edit: I just want to add that I think it's really silly that most online transactions are still done by a series of numbers that can be easily copied and re-used by whoever gets them. We should have much better solutions by now.


The financial system bears much of the cost of fraud, and avoids externalizing the cost of poor security. That's not true of Bitcoin, where losses are for the most part irrevocable. Bitcoin might be more "secure" in some fiddly sense, but the credit card system is much safer for normal people.


> ...and avoids externalizing the cost of poor security.

This is not true in the case of at least one major brokerage firm in the United States for account thefts via cyber-attack (I know this through first-hand experience helping the victim file reports with various LE and regulatory agencies), and all brokerage firms if my read of the regulatory requirements is correct. As the regulatory environment stands today in the United States, if your account is broken into via computer hacking and drained, then you have no recourse other than to appeal to the brokerage institution. It is completely up to the institution whether or not to engage restitution, when (in the case I'm familiar with, no word other than "we're still investigating" for the past five months), and in what manner they treat the case and communicate with you.

Elsewhere in this thread, patio11 already pointed out the cost to mount various attacks. After some quiet questions around some Wall Street contacts confirmed other accounts (but not a massive number of accounts) were also drained at the same institution, I'm reasonably convinced that at least one black hat or black hat team has figured out how to use this regulatory hole to their advantage, to wit:

Drain only a few accounts, and the institutions externalize the cost of the poor security upon the account holders themselves.

This points out an interesting problem: apart from sheer trust in traditions of financial institutions, how does an account holder prove that they themselves did not drain their own account, when the financial institution's own computer systems and potentially even their logs have been subverted?

If you are a tech journalist that wants to research this story, I'm happy to respond to questions over PM, and direct you to the actual victim.


Bitcoin might be more "secure" in some fiddly sense, but the credit card system is much safer for normal people.

A chargeback system is a protocol requiring centralized trust. A company will no doubt implement this.

Centralized trust is of course necessary. One could argue that it defeats the point of bitcoin. Yet that's not true, if you think of bitcoin as being a currency (rather than a "secure" currency, or any other label). If it's a currency, then a chargeback protocol is simply a company waiting to happen. And the company would necessarily have to be large, because it has to bear the cost of fraud. Luckily, PayPal has already done a lot of the homework necessary to pull off such an endeavor.

Lastly, it doesn't matter what normal people use. It matters what will become convenient for normal people to use. That's a subtle distinction, because it means as soon as infrastructure is built then people may start using it by default.


For the case of buyer-seller disputes, Bitcoin has a really neat way of handling escrow with its m-of-n transactions [1]. You can make a payment that requires 2 of 3 public keys (the 3 keys being the buyer's, the seller's, and a trusted third party's) to be redeemed. If the buyer/seller agree, they can move the money on their own. If they don't, they can go to the third party and solve it with them. Yet, the third party never controls the money and can't take it without one of the buyer/seller signing the transaction. Indeed, all that is needed is some trusted company to start doing that.

[1] https://en.bitcoin.it/wiki/BIP_0011


We already have a company that does this with real money: Paypal. How do you feel about how they adjudicate disputes and enforce outcomes?


With Paypal you get one option for dispute resolution: Paypal. With Bitcoin, you can have any number of companies compete to be the arbitrator for your transactions. May the most even handed one win.


I can make anything trustworthy by positing that someone will eventually come around and make it so.


>The financial system bears much of the cost of fraud, and avoids externalizing the cost of poor security.

Funny, I was under the impression that it was customers of "The financial system" that were footing the bill for fraud.


How? By paying higher APRs for their credit cards? It's a competitive market. If companies are going to guard their margins by passing fraud costs to users, the companies that do a better job of mitigating fraud will capture market share by offering lower rates.

I submit that that hasn't happened because financial institutions don't in fact pass these costs straight back to consumers.


Really? I think it's more subtle - fraud detection is big business (Palantir et al) and presumably companies have to find a cost / benefit compromise between building their own solutions vs. contracting it out to experts. It might well end up cheaper and easier to add a .5% APR penalty to all their customers and take the hit on retention; it's not THAT competitive out there (at least here in the UK) IMO.


Plus, even though credit card companies compete individually, as an industry they all have a strong incentive to work together to prevent fraud. Loss of trust in Visa/Mastercard as a brand would be catastrophic to all issuing banks.


> as an industry they all have a strong incentive to work together to prevent fraud.

Do they? It looks to me like the industry has treated the fraud problem (which they created) as an opportunity to sell more services (credit monitoring, fraud protection, etc.) without addressing the security problems with their antiquated technology.


>I submit that that hasn't happened because financial institutions don't in fact pass these costs straight back to consumers.

That's because it isn't really a competitive market.


Why, because you say it isn't? How many different credit cards can you sign up for right now?


Lots of different cards! Blue ones, red ones, green ones, silver ones, ones with kittens on them, ones with a picture of my choosing. None of them have much in the way of material differences though.


And where do you think that money comes from? The financial system bears the cost of fraud by taking more money from everyone. That's a horrible replacement for proper security.

I'd much rather simply pay insurance to cover for fraud, or avoid paying that if I know that I'm storing my money securely - mostly offline and encrypted with a password that only exists in my head, and small amounts for day-to-day usage somewhere more accessible.


Facile. Where do you think security comes from? It comes from money: engineering interlocking distributed systems to be free of vulnerabilities is extraordinarily expensive.

The question isn't whether systems are or aren't secure. Security is a function of the capital invested in making systems secure. The question is who bears the cost of securing systems. The financial system puts much of the burden of that cost onto the financial system itself; it is thus incentivized to mitigate fraud.



What is a better way to maintain a distributed ledger? Also, is it even theoretically possible to get bitcoin security right in your opinion? Is it practical?


This first question comes up all the time in security threads and you should know the answer is "it doesn't matter". If the threat/concern/flaw/whatever is valid, the person who raises it doesn't need to have a better alternative.


His points are valid not only against Bitcoin, but against a large set of existing e-commerce sites and technologies. I think he would be more convincing if he could come up with some attacks that were unique to Bitcoin and would justify the undercurrent of his comment -- that Bitcoin is bound to fail, and fail badly enough that it will be of no use to anyone except scammers.


I think he would be more convincing if he could come up with some attacks that were unique to Bitcoin

"Find any combination of inputs (say, of the executable script that Bitcoin runs by design) which gives you an RCE on one instance of the satoshi client, fan out the attacker-chosen code to the entire network, root (a large percentage of) the network at once." is my usual example of a hypothetical attack. People keep telling me that this can't happen. Your call on whether you find them or me more credible. I have no particular dog in that fight -- no change in the Bitcoin price affects my net worth. (If Bitcoin imploding would cause me to be impoverished, I might buy a pair of the rose-tinted lenses that some folks seem to be wearing.)


Touché. The attack you mention could happen. In fact it's impossible for anyone to prove that it can't, other than by removing the script running capability. I suppose I should be more convinced now. I guess what I would really need to be convinced is to be shown a flaw in the fundamental idea of Bitcoin that could not be fixed, rather than in specific features of its current implementation that can probably be fixed. Is it worth throwing the baby out with the bathwater for something fixable like this?

Wouldn't it be great if Bitcoin worked? Wouldn't it be great if it didn't take several days to move a few grand from one account to another? Wouldn't it be great if no one could take your money without your permission? Wouldn't it be great if you never had to touch physical currency again? Wouldn't it be great if you didn't have to fill out a piece of paper and sign it to give someone else a significant amount of money? And then they didn't have to scan it into their phone, or shove it in an ATM or wait in line to deposit it? Why do I still have to do that? Wouldn't it be great if it wasn't so expensive to send money with Paypal?

Bitcoin has a sordid history of theft and fraud -- not more sordid than any other currency/commodity I can think of though. There will continue to be thefts and fraud. People will probably pay for better security. Who knows, maybe people will end up paying as much for bitcoin security as they do now for the privilege of using visa/mastercard/etc.

Let people play with their Bitcoins -- the results might not be all bad.


I know nothing about Bitcoin, but here are some questions I can answer!

Wouldn't it be great if it didn't take several days to move a few grand from one account to another?

Absolutely not! I want the bulk of my life savings kept in an asset that is only liquid on the timescale of days, or even longer. I have seriously contemplated trying to find a broker that has no web presence at all, one that would refuse to execute a trade unless I turn up in person - ideally with three forms of ID and a DNA sample.

I'm not a criminal, I don't live in a failed state and the odds that I'll need to flee the country on 24 hours notice are very low. So I want my retirement money to be hard to move.

If one day I decide otherwise - perhaps taking up high-stakes casino gambling, or day trading - I'll withdraw a bunch of cash and bury it in the backyard or something. This will take considerable time and preparation, making it very hard for me to take up high-stakes gambling on a whim at 3am late one night, but that is not a bug but a feature.

Wouldn't it be great if no one could take your money without your permission?

What defines "my permission"? Is Bitcoin a mindreading technology? If someone steals and/or cracks my computer with my Bitcoins on it, they don't get my Bitcoins? Or, rather, deprive me of my Bitcoins, which is exactly as bad from my perspective?

If Bitcoin were a mindreading technology, even that would only go so far. We don't even need to invoke wacky movie-plot truth-serum scenarios, or torturers armed with five-dollar wrenches, to see the problem: I have, alas, extensive life experience with Alzheimer's patients who slowly but surely stopped being "themselves". There's a large and evil cottage industry built around bilking such people. As someone with no kids and no plans to have any, this is actually an important practical issue in my life: I'm going to grow old (hopefully!), I may well become senile, and the day may come when the safest place for my money is in a trust, where even I can't give permission to spend it without first convincing an independent trustee.


But you know why it takes that long right? It's not for security reasons. It's because they're holding it to earn interest on it -- while you wait.


@patio11: So, your attack basically amounts to "find RCE, then use RCE to gain control of whole network at once".

Okay, the problem with this argument is that it is technically valid on any network of any kind. If I invent a magic exploit that lets me execute any code I choose, then I can gain control of the entire network because I now can execute any code I choose on it. Sure. That much is obvious, but not specific to Bitcoin.

You originally put the price of "Subtle bug in the Satoshi client C code: $100,000" but without giving any meaningful reason behind this number. You know that throwing money at finding bugs doesn't actually find them, right? If the bug does not exist, then it cannot be exploited, no matter how much money is thrown at the problem.

Now, I'm not saying that there is no such bug, because I have no idea whether there is or not. However, when the existence of said bug translates directly into a money-stealing opportunity, in the most literal possible way I can imagine, then there is a rather large incentive amongst those concerned to make sure no such bug exists. I wouldn't be particularly surprised if that particular piece of code wasn't the most ridiculously oversecured thing you can imagine.

Now, obviously flaws can exist elsewhere, and often do. But you're pointing to something that is fundamental to the network and saying "what if it has a flaw", and that seems too obvious to actually be meaningful or insightful to me. Anything can have flaws. The useful question is not "what if there's a flaw?", but "does it have a flaw?".


This is obviously just one example of a link in Bitcoin that is weaker than SHA2. An even weaker link would be the appsec quality of the largest Bitcoin transacting sites.


Sorry, I don't understand your reasoning. What is the difference between running a bitcoin app and, say, a forex site in terms of security? And what do you mean by a major result in cryptography? Other cryptographic protocols can be broken too. What makes bitcoin special?


What is the difference between running a bitcoin app and, say, a forex site in terms of security?

It depends on what you mean by "forex site". If you mean "a bucket shop, which uses as its source of random numbers currency fluctuations", then a forex site is approximately as risky as a bitcoin exchange, modulo the fact that the forex frontend almost certainly has no lever on it which will actually cause outgoing wires and the bitcoin exchange almost certainly does. That's actually a pretty big modulo, come to think of it. [Edit to add: This is just talking about software security. Bitcoin exchanges have a legal security problem which forex sites don't, because you can use Bitcoin exchanges to move money and you can't conveniently do that with forex sites.] If by "forex site" you mean e.g. a bank's foreign currency trading desk, you're asking me to compare the US Army and the Boy Scouts in terms of potential to conquer arbitrary nations.

what do you mean by a major result in cryptography?

SHA-256 has some time complexity associated with it. A major result in cryptography gives some variant of attack against it with radically lower time complexity than we currently think attacking it requires: say, it allows a speedup of 2X, 4X, etc etc. (It is unlikely, but conceivable, that it would go to O(1) all at once.) This is like every other cryptographic algorithm. Producing major cryptographic results is hard. Weaponizing them is harder still: a 2X improvement probably doesn't make any attacks practical which weren't practical before, it just posts a "Warning: this algorithm will die in the foreseeable future, transition off at the earliest convenience" notice to all interested parties.

But, again, Bitcoin advocates love wrapping themselves up in crypto because it makes them feel secure. Crypto is one teeny tiny little bit of their systemic security. It isn't the important bit. That's a very impressive looking deadbolt you have there, and defeating it would probably be pretty difficult, but the pane of unreinforced glass right next to it looks a little promising and, if you check with your 17-year-old architect who is doing this in his spare time, he might be able to confirm that your house only has two walls and no ceiling.


The biggest difference is that in forex there is a clear distinction between trading and "clearing." Trading occurs when two people agree to trade (SURPRISE!) a specified amount of two (or more) currencies for a given rate of exchange at some point in the future. Clearing is the part where the money actually changes hands. You're probably asking yourself, "But what happens when someone agrees to a trade but the transaction doesn't clear?" This is referred to as counterparty risk. Counterparty risk is pretty self explanatory: the risk that the other person doesn't pay you.

Therefore, compromising the exchange doesn't necessarily mean the end of the world since the "front office" (place where trading happens) is logically separated from the "back office" (place where money changes hands etc). As an aside, this is why France is in the process of regulating the movement of employees between the back office and the front office. If you are familiar with how both systems work then it becomes trivial to start hiding your trading activities and positions. The most damning part about compromising, say, a forex exchange, is that you get to take a peek at everyone's trading history and hidden orders. So if you compromise the exchange and see that fund X has an open resting order for 20b EUR/USD @ some price you can then use this information to profit from. Or alternatively, based upon the data you abscond with, it then becomes possible to reverse engineer their trading strategies.

This is a bit different than a bitcoin exchange as my understanding is that the clearing and trading occur all at once and there is no separation. E.g. the exchange occurs as soon as the two parties agree. Although this eliminates counterparty risk it poses significant (insurmountable?) problems for the way automated trading currently works today.

Another difference is that the vast majority of forex trading volume happens between institutional investors (usually on behalf of a corporate which is just trying to pay workers in another country) or other hedge funds. This makes security vastly easier since all of these servers are walled off from the public internet and the traffic they exchange never hits the public internet. Additionally it is also reasonable to expect that the system administrators of the end users understand how to operate a computer and keep it relatively secure :). Not always the case, but the assumption.

Edit: Additionally, the clearing is handled by the counterparties themselves and not the exchange. With bitcoin the exchange handles everything and thus is the central point of failure.


> E.g. the exchange occurs as soon as the two parties agree. Although this eliminates counterparty risk it poses significant (insurmountable?) problems for the way automated trading currently works today.

Could you elaborate on this? I'm interested to understand why this presents a problem. Isn't it a good thing for both parties?


Well I guess it doesn't really. The exchange could close shop and both parties could be left with nothing.


SHA256 underpins Bitcoin. Break SHA256, and you win.


Break SHA256, and you can cause hash collisions that allow you to easily mine blocks until 51% of the network switches to a better hashing algorithm (which should happen pretty quick, because it'll be obvious that someone broke it). To steal users' money, you'd have to break ECDSA.

Edit: I wasn't 100% exact. It gives you more [1] than easily mining blocks, but still not that much power so that I would call it "Winning".

[1] https://en.bitcoin.it/wiki/Weaknesses#Attacker_has_a_lot_of_...


Compute hashes faster than the rest of the network and you win. The "51% attack" is a polynomial time attack, which is not an acceptable security margin in cryptography.


It seems the "51% attack" can be mitigated simply by waiting for 6 or more confirmations before sending off merchandise or in the case of an exchange, allowing withdrawal of funds. Those who can't wait that long can rely on 3rd parties who attempt to take on fraud in exchange for transaction fees, similar to the current credit card system.


It doesn't matter how many confirmations you wait for if the attacker has >=51%. The attack looks like this:

1) Attacker starts mining a fork offline (i.e. doesn't publish blocks)

2) Attacker sends payment to merchant but does not include payment in fork in (1)

3) Attacker waits 6 confirmations then receives goods.

4) Attacker double spends the money in the fork (1).

5) Attacker releases fork when it is longer than the main chain.

If they have greater than 51% they will always be able to do (5) because at some point they'll be longer than the main chain. It doesn't matter how many confirmations the merchant waits for.
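The claim above, quantified as an added example that is not part of the thread: this implements the attacker catch-up probability from section 11 of the Bitcoin whitepaper (Nakamoto, 2008), where q is the attacker's share of total hash power and z the number of confirmations the merchant waits for. It shows both sides of the exchange above: below 50% the residual double-spend risk decays exponentially with z, so a merchant can pick a confirmation depth for an assumed attacker share, while at or above 50% the risk is 1 no matter how long the merchant waits.

```python
"""Residual double-spend risk at a given confirmation depth.

Added example (not code from the thread). Model from the Bitcoin
whitepaper, section 11: honest miners extend the public chain by z
blocks while the attacker's private fork grows as a Poisson process
with mean z*q/p; from k blocks behind, the attacker catches up with
probability (q/p)**k (gambler's ruin), and always does if q >= p.
"""
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash share q eventually
    overtakes the honest chain after the merchant has seen z
    confirmations of the payment."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a probability in [0, 1]")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        # Majority attacker: the private fork outgrows the public chain
        # with certainty, so confirmation depth buys nothing. This is
        # the >=51% case described in the comment above.
        return 1.0
    lam = z * q / p  # expected attacker progress while honest chain adds z
    caught_up_never = 0.0
    for k in range(z + 1):
        # P(attacker mined exactly k blocks in that time) ...
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        # ... times P(attacker never closes the remaining z-k block gap)
        caught_up_never += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up_never


def confirmations_needed(q: float, max_risk: float,
                         limit: int = 1000) -> Optional[int]:
    """Smallest confirmation depth z whose residual risk is <= max_risk.

    Returns None when no depth suffices: a majority attacker (q >= 0.5),
    or the search limit is exceeded."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    return None


def risk_table(shares=(0.1, 0.3, 0.5), depths=(0, 1, 3, 6, 10)):
    """Rows of (q, z, risk) for a quick look at how depth and share interact."""
    return [(q, z, attacker_success_probability(q, z))
            for q in shares for z in depths]


if __name__ == "__main__":
    print(" q     z   P(double spend succeeds)")
    for q, z, risk in risk_table():
        print(f"{q:4.2f}  {z:3d}   {risk:.7f}")
    for q in (0.1, 0.3, 0.45, 0.5):
        print(f"q={q}: confirmations for risk <= 0.1%:",
              confirmations_needed(q, 0.001))
```

Reading the table: with a 10% attacker the customary 6 confirmations leave about a 0.02% chance of reversal, with a 30% attacker it takes 24 confirmations to get below 0.1%, and at 50% every row reads 1.0.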


That is not true. The attack works regardless of how many confirmations you wait for.


How so? Isn't a double spend only possible if the attacker's blockchain fork endures for the customary 6 blocks it takes to confirm a transaction? A single block fork would be ignored by the majority chain and thus the attacker's chain transactions would be useless.


And you're more confident in ECDSA why?


I'm not sure why people think that the only possible compromise is breaking SHA256 or another algorithm. It's perfectly possible to create trivially breakable cryptosystems using these algorithms.

Not saying that the bitcoin blockchain or protocol suffers from this, but implementation and protocol flaws are often a far more fruitful source of compromises. If BTC has none of those then colour me impressed because at some point or other most of the big name systems (OpenSSH and OpenSSL spring to mind) have had revisions for various exploit-related reasons. We won't know for some years of course.


It was already broken ... on debian. When the random was limited to 0-65535.



