Bitcoin Forum
321  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 08, 2012, 12:50:26 AM
I know as much as Zhoutong really.

That's pretty disturbing.  While zhoutong not being privy to everything that is going on behind the scenes is understandable, it's hard to think of any positive reasons why you would be excluded from the loop.

Who the hell does know what is happening and when are they going to announce how user funds will be returned?  This appalling lack of communication isn't just damaging the image of Bitcoinica - it's raising serious doubts about the competence of "The Intersango Guys" in general and tarnishing the reputations of their other business ventures.

@repentance: you seem to be pretty versed in court matters. PLEASE contact us by PM. Perhaps you can help us build our legal framework.

@Maria: I will be happy to work with you, and any other investor being owed a substantial amount.

We will go after the legal structures, and the individuals involved. I think it is time to bring some sort of accountability to the bitcoin world. It is not even about the money at this point, and those familiar with our company know we have the deep pockets and the infrastructure to make it happen.

I have already received 8 private messages from people interested in joining forces with us. Many of these are very well known Bitcoin players and companies. I will be having a series of meetings with the board this and next week to start putting the gears in motion.

Just a heads up, you should probably verify each account owner's integrity before you take any actions. Maria didn't even submit a claim. Working with people like that will only delay your legal process.
322  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 08, 2012, 12:34:30 AM
I have 6,325 BTC and 53,244.35 USD in bitcoinica. I will join forces with AurumXchange. I want MTGOX CODES for each TODAY or I will prosecute to the full extent of the law.

Maria.

Just exchanged 3,000 BTC. Everything is working smooth now. Makes me wonder, Why MTGOX does not offer instant LR payouts? Great Job www.CoinExchanger.com

Maria.

Good luck.

PS. I can't seem to locate your claim. Where should they send the money to?

Zhou Thank you for looking into it personally and for responding so fast. You can send me the MTGOX CODES in a PM this way the admins can confirm the payment. Again thank you Zhou it makes me happy to hear that the big accounts will be paid out first!!

Thank you Zhou Tong!! I will keep the community posted.

Maria.

PS: This is the last email i received from bitcoinca.

Bitcoinica's Recent Data Errors
September 20
 
 
What happened?

We have been constantly upgrading our algorithm to provide better services and cheaper rates to our customers. However, despite the intensive testing that has been done internally, sometimes the algorithm may break under certain market conditions (such as a spike or crash).

Therefore, we have also implemented a data integrity checker, which verifies the consistency and integrity of all important financial data of our customers.

Today, our data integrity checker has reported an abnormally high percentage of errors. And we have also received service requests from a few customers regarding this issue. Common problems are: duplicated orders, extra orders or positions and unupdated account balance after liquidation.
 
Why did it happen?

Bitcoinica had a scaling issue about two days ago. Since our site is expanding so fast, certain types of processing jobs are getting slower and slower due to the huge increase in database size. We have added more processes ("dynos" in Heroku terms) into the application stack, and the extra concurrency seems to solve the problem.

After that, we have found that it's possible to have two concurrent processes processing the same order or user at the same time. This has caused some conflicts, which result in duplication of some data entries. Some users' account balances haven't been updated correctly because of this.

We have quickly added database locking to every single transaction that involves money. Database locking ensures and strictly requires concurrent processes to process data entries exclusively.

However, some of our database locking was not correctly implemented. Concurrency problems still continued. Today, during the spike in BTCUSD, an increased number of orders added extra probability of processing the same order at the same time. And our system was kept busy with a long queue of tasks.
 
Is it corrected?

We have an automated system to correct these errors. In order to protect our customers, and fulfill our promise of "bear the cost of financial losses that were not caused by our customers", we have implemented this policy:

If you were made worse off (less profit or more loss than expected) because of the errors, all errors have been corrected for you.

If you were made better off (more profit or less loss than expected) because of the errors, we bear all the associated cost and your account remained unchanged.

In the extreme cases (such as $1,000 difference in adjustment), we have reviewed on a case-by-case basis and taken manual actions respectively.

We hope our resolution for this recent issue is much more professional than simply reversing the trades.
 
What should I do next?

You should check your account, and make sure that all the data is correct.

If there are still some incorrect data entries, please send an email to support@bitcoinica.com, including the following information:

- Your username
- What is incorrect
- What should be the correct value

We will verify your information as soon as possible.

If you were made better off because of the errors, or you simply want to share part of your profit with us to help Bitcoinica grow, you can donate to Bitcoinica anonymously by sending any amount of Bitcoins to this address:

196D4C3f2MgFrjfRoAh4mkQKfALBvPEnB1

At this moment, our finances are healthy and we can absolutely afford to compensate for this issue. More importantly, we will keep Bitcoinica continued and more exciting features will be announced soon.
 
The Bug Bounty Program

We're introducing the Bug Bounty Program. If you have found any bugs, security loopholes or irregularities in our technical systems, you can report them to us and get the chance to win bounties. This is our offering:

Security-related or critical loopholes: 5 - 100 BTC each

Operational bugs: 1 - 25 BTC each

User experience issues: 1 - 25 BTC each

Please note that only the first person that reports a particular issue can win the bounty. Also, "potential improvements" are not considered as bugs as long as the features are fairly working.

We will determine the amount of the bounties based on the urgency and importance of the issue.

Please send any issues you have found to support@bitcoinica.com, including detailed instructions on how to reproduce the issue.
 
Thank you!

Thank you for your support! We hope that Bitcoinica can become your favorite trading platform for Bitcoins.

More features are coming up soon. We will continue using newsletters to communicate with you all.

Again, thank you!

I'm afraid that you have to submit a claim to get your money. I'm not in charge of the refunding process so the claim site is the only way that the guys in charge can see your request.
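The newsletter quoted above describes two concurrent workers picking up the same order and crediting a balance twice, and the per-transaction database locking added to stop it. The following is an added example (not Bitcoinica's code) that reproduces that race on a constructed SQLite order table and shows the fix: take the write lock with BEGIN IMMEDIATE first, then re-check the order's state inside the transaction. The schema, the single order and the "dyno" worker names are constructed for the demo.

```python
import os
import sqlite3
import tempfile
import threading

# Constructed sample schema: one pending order, one zero balance, and an audit
# table that records every credit so a double credit is visible afterwards.
SCHEMA = """
CREATE TABLE orders   (id INTEGER PRIMARY KEY, user TEXT, amount REAL, status TEXT);
CREATE TABLE balances (user TEXT PRIMARY KEY, amount REAL);
CREATE TABLE credits  (order_id INTEGER, worker TEXT);
INSERT INTO orders   VALUES (1, 'alice', 100.0, 'pending');
INSERT INTO balances VALUES ('alice', 0.0);
"""


def make_db():
    """Create a fresh on-disk SQLite file so each worker thread can open its own connection."""
    path = os.path.join(tempfile.mkdtemp(), "orders.db")
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.close()
    return path


def credit(con, order_id, worker):
    """The money-moving part of processing an order (shared by both worker variants)."""
    con.execute("UPDATE balances SET amount = amount + "
                "(SELECT amount FROM orders WHERE id = ?) "
                "WHERE user = (SELECT user FROM orders WHERE id = ?)", (order_id, order_id))
    con.execute("UPDATE orders SET status = 'done' WHERE id = ?", (order_id,))
    con.execute("INSERT INTO credits VALUES (?, ?)", (order_id, worker))


def worker_unlocked(path, order_id, worker, barrier):
    """Check-then-act with no lock: every worker that saw 'pending' credits the user."""
    con = sqlite3.connect(path, timeout=5, isolation_level=None)  # autocommit statements
    status = con.execute("SELECT status FROM orders WHERE id = ?", (order_id,)).fetchall()[0][0]
    barrier.wait()  # both workers have read 'pending' before either one writes
    if status == "pending":
        credit(con, order_id, worker)
    con.close()


def worker_locked(path, order_id, worker, barrier):
    """Acquire the write lock first, then re-check the order state inside the transaction."""
    con = sqlite3.connect(path, timeout=5, isolation_level=None)
    barrier.wait()
    con.execute("BEGIN IMMEDIATE")  # the second worker blocks here until the first commits
    status = con.execute("SELECT status FROM orders WHERE id = ?", (order_id,)).fetchall()[0][0]
    if status == "pending":  # the loser now sees 'done' and skips the credit
        credit(con, order_id, worker)
    con.execute("COMMIT")
    con.close()


def run(worker_fn, n_workers=2):
    """Run n workers against the same order; return (final balance, number of credits)."""
    path = make_db()
    barrier = threading.Barrier(n_workers)
    threads = [threading.Thread(target=worker_fn, args=(path, 1, f"dyno-{i}", barrier))
               for i in range(n_workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = sqlite3.connect(path)
    balance = con.execute("SELECT amount FROM balances WHERE user = 'alice'").fetchone()[0]
    credits = con.execute("SELECT COUNT(*) FROM credits").fetchone()[0]
    con.close()
    return balance, credits


if __name__ == "__main__":
    print("unlocked:", run(worker_unlocked))  # (200.0, 2): the same order credited twice
    print("locked:  ", run(worker_locked))    # (100.0, 1)
```

A data integrity checker of the kind the newsletter mentions would flag the unlocked run by comparing the credits table against the orders table (two credits for one order).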
323  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 07, 2012, 06:16:13 PM
Some accounts like mine for example have not had any significant transactions for many weeks. What is the problem with verifying those? Do you have any backups at all, even if two month old?

There were no backups.

If you have access to the three accounting reports, you'll get a more complete picture. I'm sure vladimir's account can be identified as "accurate" with the data on hand.
324  Bitcoin / Bitcoin Discussion / Re: [Password Leak] LinkedIn database hacked on: June 07, 2012, 11:02:25 AM
is there only one unique string (password) that corresponds to a given hash?
Theoretically there is an infinite number of inputs that will result in the same hash because the hash function outputs a fixed-length value but the input can be any length.

Yes, thank you. Now, is this statement still true when a typical password is shorter than the 32-byte hash? 

For MD5: http://stackoverflow.com/a/2000014

Alright, does this mean that if my password is a reasonably random string, and the unsalted hash is made public, it may be possible to "reverse" it, but it won't be possible to tell for sure that that was the actual password - there could be another string with the same hash out there.

Also, does this mean that you could still type in a "wrong" password (that hashes into the proper hash), and you would be able to log in just fine, since server is ultimately comparing hashes?

Sorry for silly questions, I'm not versed in this topic but I want to understand the implications of these kinds of leaks.

It's almost impossible for passwords with reasonable length. But yes, the server will accept anything if the hash matches.

You may want to read this: http://en.wikipedia.org/wiki/Birthday_problem
325  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 07, 2012, 09:11:41 AM
Good News:

I have found that Bitcoinica has already identified more than half of the claimed amount as "accurate". Most likely refunding process will start soon.

It's also important to note that they started from high-value accounts, which means that it may take more time to verify the smaller value accounts (much larger number of accounts for the other 50%).
326  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 07, 2012, 08:47:07 AM
I have 6,325 BTC and 53,244.35 USD in bitcoinica. I will join forces with AurumXchange. I want MTGOX CODES for each TODAY or I will prosecute to the full extent of the law.

Maria.

Just exchanged 3,000 BTC. Everything is working smooth now. Makes me wonder, Why MTGOX does not offer instant LR payouts? Great Job www.CoinExchanger.com

Maria.

Good luck.

PS. I can't seem to locate your claim. Where should they send the money to?
327  Bitcoin / Bitcoin Discussion / Re: [Password Leak] LinkedIn database hacked on: June 07, 2012, 07:39:55 AM
is there only one unique string (password) that corresponds to a given hash?
Theoretically there is an infinite number of inputs that will result in the same hash because the hash function outputs a fixed-length value but the input can be any length.

Yes, thank you. Now, is this statement still true when a typical password is shorter than the 32-byte hash? 

For MD5: http://stackoverflow.com/a/2000014
328  Bitcoin / Bitcoin Discussion / Re: [Password Leak] LinkedIn database hacked on: June 07, 2012, 01:11:30 AM
Honestly I feel it is going to take companies being forced to publicly disclose their exact mechanism for storing passwords and face civil penalties for inaccurate disclosures.   I mean it is 2012 not 1971.  There is absolutely no possible excuse for not using bcrypt (or similar) much less not even salting the passwords.     Security through obscurity is no security at all.

Maybe we can get such information from Bitcoin websites via public pressure.

So major Bitcoin businesses and exchanges how are you storing your passwords?
MtGox?
CampBX?
Bitcointalk?
Bitmit?
Deepbit?
Bitcoinica?

Any volunteers?

Bitcoinica: Salted BCrypt with 20 iterations. Enforce minimum 8 characters. It can take months to crack a simple password. (And I use this for all my future app projects. Also recommend everyone to do the same.)
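The LinkedIn posts above ask whether a server comparing hashes would accept a different string with the same hash, and this post answers with salted bcrypt. The following added example (not code from the forum or from Bitcoinica) shows, with only the Python standard library, why an unsalted fixed-length hash store behaves that way: a birthday-style search on a deliberately truncated 16-bit SHA-1 digest finds two different strings the server cannot tell apart, and the same verify-by-hash-equality logic is what accepts them. Beside it is a salted, iterated store with an 8-character minimum; PBKDF2-HMAC-SHA256 is used here as a stdlib stand-in for bcrypt, which is an assumption of this example, not a claim about what Bitcoinica ran.

```python
import hashlib
import hmac
import os


def sha1_store(password):
    """Unsalted SHA-1, the scheme the LinkedIn dump was reported to use."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_verify(password, stored):
    """The server only compares digests: anything hashing to `stored` is accepted."""
    return hmac.compare_digest(sha1_store(password), stored)


def truncated_digest(text, bits):
    """Top `bits` bits of SHA-1(text): a toy hash whose collisions are cheap to exhibit."""
    full = int.from_bytes(hashlib.sha1(text.encode()).digest(), "big")
    return full >> (160 - bits)


def find_collision(bits=16):
    """Birthday search over constructed strings 'pw0', 'pw1', ...; returns two different
    strings with equal truncated digests. Roughly 2**(bits/2) attempts are needed, which
    is why a 160-bit digest (about 2**80 attempts) makes the same search infeasible."""
    seen = {}
    i = 0
    while True:
        cand = f"pw{i}"
        h = truncated_digest(cand, bits)
        if h in seen:
            return seen[h], cand
        seen[h] = cand
        i += 1


def salted_store(password, iterations=100_000, salt=None):
    """Per-user random salt plus an iterated hash; enforces the 8-character minimum.
    PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption of this example)."""
    if len(password) < 8:
        raise ValueError("password must be at least 8 characters")
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def salted_verify(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Unsalted: every user with the same password has the same stored value.
    print(sha1_store("password"))              # identical for every user choosing "password"
    a, b = find_collision(16)
    print(a, b, truncated_digest(a, 16) == truncated_digest(b, 16))  # two "valid" passwords
    # Salted: the same password yields different records per user.
    r1, r2 = salted_store("correct horse"), salted_store("correct horse")
    print(r1 != r2, salted_verify("correct horse", r1), salted_verify("wrong horse", r1))
```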
329  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 07, 2012, 01:08:49 AM
Any official words on long/short liquidation price? Or how to determine them? Should we discuss a fair way to determine them? I would suggest the average price between the start of this incident and the time of actual payout, thoughts?

The only 100% fair determination is the lowest price and highest price in the duration, plus 6% p.a. interest (about 0.5% margin). Shorts will be liquidated at the lowest price and longs will be liquidated at the highest price. This way no one can manage to get a better deal and any "opportunity cost" claims will be invalid.

However, this will result in $200,000 additional loss for Bitcoinica, and I don't think they will do that.

Anyway, this could be prevented by announcing a settlement plan immediately beforehand. It's unfortunate that the losses are running so fast.
330  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 06, 2012, 03:44:45 PM
you have access!!!
Just send my 60-70btc to 19PKMheiAr2Lxm2YN67pTUpTmwTW96PGvF .
lol trying to jump the line. Try not to be an idiot.
Im not jumping the line. I suggested that zhou got rid of the bureaucracy.
We have waited long enough, and im getting impatient.

It's not how things work. The owner of the account is not Bitcoinica LP, and I never have authority to touch the money in that account.

I can just confirm that the fund injection (from cold storage) has been done, and technically Patrick (and maybe others) can already access the funds.
331  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 06, 2012, 03:35:43 PM
I signed up in early April before the official announcement was made. Thought it was a good idea to earn some interest on BTC, so I had no open positions whatsoever. If the company was long sold by then I criticise strongly that such mundane information as a fricking CHANGE OF OWNER was withheld from the customers for weeks if not months!!!
6 months, the company was secretly sold in November according to zhoutong.

I would say the take over happened in April. Before that, even though I didn't have any financial interest, I was still recognized as CEO and most of my actions were approved by Tihan. Because I had a lot of control, it is fair for me to take respective responsibilities.

However, after the take over, my control was "secretly" transferred to a bureaucratic team, without formal notice. Till today, no one knows my position at Bitcoinica and when it changed.
COULD YOU PLEASE TELL US THEN???

I don't even know myself. I only know that I'm still an employee.

I was not updated about the refunding for over 4 days, but I can magically access the fund account with all the customer deposits (at least 75% of total valid claims are in that account). I can't touch the money even though technically it's allowed.

On the other hand, I'll have to wait for updates and instructions like everyone else.
332  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 06, 2012, 03:27:01 PM
I signed up in early April before the official announcement was made. Thought it was a good idea to earn some interest on BTC, so I had no open positions whatsoever. If the company was long sold by then I criticise strongly that such mundane information as a fricking CHANGE OF OWNER was withheld from the customers for weeks if not months!!!
6 months, the company was secretly sold in November according to zhoutong.

I would say the take over happened in April. Before that, even though I didn't have any financial interest, I was still recognized as CEO and most of my actions were approved by Tihan. Because I had a lot of control, it is fair for me to take respective responsibilities.

However, after the take over, my control was "secretly" transferred to a bureaucratic team, without formal notice. Till today, no one knows my position at Bitcoinica and when it changed.
333  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 06, 2012, 02:55:21 PM
Personal announcement:

I'll officially resign from Bitcoinica immediately after they have returned at least 50% of total amount owed, or when they ask me to resign, whichever is earlier.

As promised before, before my resignation, I will assist all Bitcoinica customers who signed up under my management with their claims and communication with the company. And this will be my only involvement about Bitcoin-related projects.

My new project, NameTerrific, will accept Bitcoins after the public launch in August, most likely via the new Mt. Gox merchant platform. However, if PayPal or the merchant bank objects, credit card processing will remain a priority.
334  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 06, 2012, 02:46:46 PM
The problem is, Bitcoinica LP is a Limited Partnership, with a General Partner being a limited company (it could be either Core Credit Ltd or Bitcoinica Consultancy Ltd, depending on their status and agreement). Most likely the limited company has no or very little capital. They can declare bankruptcy outright and no one will be able to do anything by legal actions.

This is so, but only if the veil of limited liability cannot be pierced, and this might not be impossible under the circumstances. Limited companies have been declared a sham on many occasions before. Do not believe everything formation agents tell you. All I am saying is that this is all not so black and white as some might think.

Alright, I would imagine a shareholder running away with all assets, leaving the debt behind for his company. The shareholder should still be liable by common sense. Essentially the company has been robbed, even though the decision-maker permits so.
335  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 06, 2012, 02:37:51 PM
I'm wondering if this "legal wrangling" / bureaucratic hurdles might be Tihan (or whoever the owner is) trying to force bitcoinica consultancy out of their contract. Or maybe they're arguing over which party will be liable for the theft or potential loss of profits. Whatever it is, it feels like depositors are serving as hostages in these additional delays to the claims process.

I would also guess that inaction is going to force more people to take legal action, thus making things worse and worse...

-- This is all about publicly available information. Nothing should be secret or any way official. --

The problem is, Bitcoinica LP is a Limited Partnership, with a General Partner being a limited company (it could be either Core Credit Ltd or Bitcoinica Consultancy Ltd, depending on their status and agreement). Most likely the limited company has no or very little capital. They can declare bankruptcy outright and no one will be able to do anything by legal actions.

The limited partner can't manage the company, so the bureaucracy isn't likely to come from Tihan.

EDIT:

It's worrying that the price of Bitcoin is moving. On the second day since the hack I had already advised them to immediately announce settlement plans, because there are at least 100K long and 100K short open positions (this was in publicly available charts). One cent means $2,000 disputed loss. ($0.50 means $100,000 disputed loss) The longs will want their positions to be recognised, while the shorts won't. And there will be associated opportunity costs as some people re-established their positions elsewhere to hedge, and some people didn't. There's no way to verify at all.

I still hope that they can come up with something fair for most customers. It's unfortunate that they keep ignoring my advice as the ex-operator of the platform.
336  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 06, 2012, 02:34:47 PM
Bitcoinica is a regulated entity, verifiable by government records. We are one of the most legitimate businesses in Bitcoin community, by any standard.

If this latter part is true, we might have a problem.

Well, I feel very upset that people are not getting their funds back. But I can't do anything now. I have spent over half a year to build the brand, but it's suddenly destroyed by bureaucracy, which is something I hate the most in the business world.

I learned an important lesson: Being responsible for something that I don't have control over is one of the worst things in life.

I hope Bitcoinica Consultancy can do something, or at least say something immediately.
337  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 04, 2012, 02:27:28 AM
I don't think I have to mention the common sense. Of course the database backups are going to be downloaded on a constant basis. Bitcoinica has accounting records, but they are not current enough to resume trading.

Of course, now! Glad to hear you are learning. We're lucky some bitcoinica accounting records survived. But what a shame the user database is gone, or this quagmire of a claims process would've been much, much easier (this claims process is doing more to damage reputations of everyone involved than a reported theft ever would have).

However, I feel it is unfair that I take the reputation damage that wasn't even triggered by me.

You weren't the immediate trigger (the hacker was). But it was assumptions you made which allowed the situation to cascade into a catastrophe. (one assumption: hosting emergency-backup as a vps instance under the same rackspace account would be sufficient in the case of an emergency. another one: rackspace support guy is correct. why trust the word of a support guy? never should've had to.) That lack of preparedness is what damaged your reputation, and that's fair.

To think that you were building a new domain service while simultaneously operating bitcoinica! I'll trust you to build stuff, but not to operate it. (and thanks for reading).

I'll take the responsibility of not having proper backup plans. But no, it's not my fault to delay the process for weeks.

The thing is, people in Bitcoinica Consultancy don't trust me with money and I have no agreement with them at all. So technically I can't be responsible if I screw up the refunding process.

They are perfectly qualified to handle the whole process. But it's important for me to state a fact here: I wouldn't let everyone wait for so long. I have moderated only a few users, but they are perfectly legitimate records and they represent more than 50% of total deposits of the whole user base. It makes perfect sense to refund them immediately. I could reach this conclusion in a few days since the claim process.

I take the responsibility of the lack of records, but not the responsibility of Bitcoinica Consultancy's delay in processing refunds. They are the owners of the company since April and I had no control since then (technically I have to get approval from them if I need to change the code).
338  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 04, 2012, 12:53:10 AM
Okay, nice statement of outrage at being judged. How about answering the question regarding where are the USD funds? How about responding to user's emails since you are no longer busy running the service?

I have all your emails in record, and Patrick has received a copy as well. I'm not supposed to give any official replies. All I can do is give you advice on how to fill the claim form properly.

I have not yet received any instructions from Bitcoinica Consultancy.
339  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 04, 2012, 12:34:12 AM
We have off-site backups in a different DC. It's managed by Rackspace.

If the server crashed, we have no problems of recovering. There are a lot of backups of all our main servers. It's just that these backups were deleted by the hacker.

I meant a data center of a different company (a different admin panel with a different password, and an append-only configuration). That's what provides a level of actual redundancy. Using a cloud service from one company protects you if a truck crashes into one of their data centers, but offers zero protection if someone gets your admin password!

I can't afford a scalable solution that gives me the same reliability for a bootstrapped startup.

Not anymore you can't!

You can make backups for cheap (backups aren't accessed, so they don't scale with the rest of the site).

All financial transactions will be handled by payment gateways who will be responsible for their own security. Apart from that, no money is involved so I just want to consider scalability, performance, availability and cost. For me, I think AWS's EC2 instance with Load Balancer handling SSL termination (can't be DDOS'd) + RDS with snapshots and binary logs recoverable to 5 minutes ago are more than enough for me.

Most people choose to outsource security, it's just that in Bitcoin world everything is DIY.

I'm not going to use your domain service or any other zhoutong "cloud" service because it's clear that you don't have a plan B (contingencies). What happens when someone deletes your AWS instances and its snapshots and logs? Has the thought even crossed your mind to try and see if it's possible on the AWS admin panel?

It's a truism that at the basic level, security can't be outsourced. You have to trust someone eventually (unfortunately for us, you happened to trust bitcoin consultancy), but catastrophes can only be averted by good planning.

I don't think I have to mention the common sense. Of course the database backups are going to be downloaded on a constant basis. Bitcoinica has accounting records, but they are not current enough to resume trading.

The requirement for currency isn't very important for a non-financial project if someone else (such as a domain registry) will keep the records anyway.

What I'm saying is that it's unreasonable to expect a mission-critical configuration for a project with limited financial interest involved. All possible efforts will be put into security for sure. The use of cloud services shouldn't be the argument here.

If I were to build another Bitcoin project, I will definitely consider the locked cages. But until I have the funds and the security expertise, I should probably stay away from money itself.

I recently got PCI Compliance for storing credit cards on the servers, and the certification has been recognized by a large business bank in Australia. AWS datacenters all have passed the physical security checks and required audits. But I still choose not to store any critical financial data at the moment. Instead I will use the vault services provided by reputable payment gateways.

For any of my commercial projects: Minute-interval binlogs and at least daily backups with weekly downloads. All firewalls configured properly. Two-factor auth on AWS accounts. No injection, XSS or CSRF possibilities.

No system is 100% secure. The uncompromised systems are the ones not being targeted. Outsourcing security to a responsible party will avoid the possibility of being a target as much as possible. We can already prove that Linode was not secure, but why only 8 accounts (all related to Bitcoin) were hacked? Bitcoin attracts cyber criminals and it's reasonable to expect a disproportionately frequent security attacks on Bitcoin-related projects.

However, I feel it is unfair that I take the reputation damage that wasn't even triggered by me. I'm always serious about security and even though I'm not a specialised security expert, I do have some knowledge and experience of maintaining a secure system that's enough for a SaaS project. You can criticise me for trusting 3rd parties too much, but it's still my belief that the so called 3rd parties have better security skills than me. It's just that they are being targeted. (Even Sony got hacked so many times.)
340  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 03, 2012, 09:57:59 PM
For these reasons, I personally will never use Rackspace Cloud again unless they address all of these issues. AWS is way more secure than them.

Some guys have the fate of repeating the same mistakes over and over and over again.


As I said, I won't engage in Bitcoin-related projects in the foreseeable future, you shouldn't assume that I'm going to operate a hot wallet in AWS.

I can't afford a scalable solution that gives me the same reliability for a bootstrapped startup. All financial transactions will be handled by payment gateways who will be responsible for their own security. Apart from that, no money is involved so I just want to consider scalability, performance, availability and cost. For me, I think AWS's EC2 instance with Load Balancer handling SSL termination (can't be DDOS'd) + RDS with snapshots and binary logs recoverable to 5 minutes ago are more than enough for me.

Most people choose to outsource security, it's just that in Bitcoin world everything is DIY.