If someone had their masternode coins stolen it was probably due to poor security on their box.
With almost 400 masternodes I'd be shocked if someone didn't have their coins stolen.
For people's peace of mind, I still think the private keys should never need to touch the masternode. All that's needed to validate ownership of coins is a signed message. The user should be able to sign a message using Darkcoin QT on an offline computer and then transfer the signed message to the masternode using a USB drive. This signed message contains all the proof that the network needs for authorizing the masternode to receive dividends and process darksends.
That's a really good point. Excuse my ignorance though, doesn't this run into the issue of "proving" that the 1000 DRK existed at that address at the moment in time that the node is being used? Otherwise I could just sign a message for an address, transfer to a new address, rinse and repeat.
I'd like to see masternodes simply use proof of stake on an address. Send 1000DRK to an address. Tie masternode approval to that address. If that address has 4000DRK, it gets 4 entries into voting pool. If it has 3999, it gets 3. This way the node can be managed on chain instead of on [key/VM/SSH/RPC/some guy at the datacenter grabs the hard drive], and you can still spend off of it or add to it and it will update the entry count on the fly without typing any passwords. Uses existing blockchain transaction security. Prove private key for the matching public address once. After that, remove it from the server. Network watches to see if that address changes and gives it the appropriate number of votes.
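An added sketch, not part of the original posts and not Darkcoin code, of the balance-tied entry count proposed above, run against the "sign, transfer, repeat" concern raised earlier in the thread. The `VotingPool` class, the address names and the 8-decimal base unit are assumptions, and the one-time signature check is assumed to have happened before `register` is called.

```python
COIN = 100_000_000          # base units per DRK (assumed, Bitcoin-style 8 decimals)
STAKE = 1000 * COIN         # one voting-pool entry per 1000 DRK, per the post


class VotingPool:
    """Hypothetical network-side view: entries follow live address balances."""

    def __init__(self):
        self.balances = {}    # address -> balance in base units
        self.proven = set()   # addresses whose key ownership was proven once

    def register(self, address):
        # Assumes the one-time signed-message proof was verified elsewhere.
        self.proven.add(address)

    def apply_tx(self, sender, receiver, amount):
        # sender=None models coins arriving from outside the tracked set.
        if sender is not None:
            if self.balances.get(sender, 0) < amount:
                raise ValueError("insufficient balance")
            self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount

    def entries(self, address):
        # Integer division: 3999 DRK gives 3 entries, 4000 DRK gives 4.
        if address not in self.proven:
            return 0
        return self.balances.get(address, 0) // STAKE

    def total_entries(self):
        return sum(self.entries(a) for a in self.proven)


def sign_move_repeat():
    """Constructed scenario: prove A, move the same 1000 DRK to B, prove B."""
    pool = VotingPool()
    pool.apply_tx(None, "addr_A", STAKE)
    pool.register("addr_A")
    before = pool.total_entries()
    pool.apply_tx("addr_A", "addr_B", STAKE)
    pool.register("addr_B")
    return before, pool.entries("addr_A"), pool.entries("addr_B"), pool.total_entries()
```

Because entries are recomputed from the current balance instead of from the stored proof, moving the coins drops the old address to zero and the total never exceeds what the coins actually back.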
I think that's very close to how it's shaping up already...