Somehow, I don't think that posting "the speech" - even in shortened form - is going to encourage people to go and see the movie.  I would have happily listened to Richard Burton read the phone book but I don't think there's any actor, living or dead, who could have made that speech riveting and compelling.

Of course if the only place your passwords are recorded is on LastPass and LastPass itself suffers a catastrophic failure then things become interesting.

One problem is that it's often ridiculously easy to get new online credentials issued compared to how difficult it is to get new real world ID issued.  We need to stop believing that's a good thing.

You really don't want to do this.  It's fine to have a system doing preliminary flagging, but you really need humans reviewing what the system outputs.  I once worked as a credit analyst for a major revolving credit provider.  On my floor alone, we had 200 credit analysts reviewing accounts which had been frozen by the system (there were other sections of a similar size doing the same thing).  Every single day, we reviewed about 16,000 frozen accounts.  Large as my organisation was, had those flagged accounts not been reviewed by humans we would have run out of customers very quickly if the system had the final say.

It doesn't matter what algorithm you design, it's always going to be flawed in some respect and either flag people as untrustworthy who aren't or "approve" people as trustworthy who don't deserve it.  Many of you have probably experienced the consequences of computer algorithms making decisions about your trustworthiness when dealing with your credit card companies and having your lines of credit cut on the basis of predictive analytics.

FTFY.

People can certainly file criminal complaints.  The extent to which those complaints are investigated and whether any investigations lead to criminal charges is another matter entirely and not determined by the complainants.  People's theories (including mine) about what happened are not evidence.

They mean a suspicion as defined by AML/CTF requirements.  They're legally obliged to make the report if the transaction fits certain "suspicious" criteria.  Some things must be reported no matter what.  Others are less clear cut and may not need to be reported if the user can supply information which proves the transaction is legitimate.

It would help a lot if they re-wrote that part of their policy to make its meaning clearer.

That's only worthwhile if you suspect that they have personal assets which could be used to pay creditors.  A liquidator would examine whether the directors of the GP have any personal liability anyway.

Zhou did not sell the Delaware entity (xWaylab Inc).


Wouldn't mind betting that there was a covenant in restraint of trade in the sale contract which restrains Zhou from establishing a similar business for a specified period (he sold the IP, so he can't just use that without permission).

And yeah, if you look at the early business histories of some well known entrepreneurs, you'll find some shocking failures among them as well as downright illegal activity.  Nobody even remembers them now - in the wake of subsequent success, they've become campfire stories to be chuckled over.

Can you confirm that Wendon owns the Bitcoinica domain and IP (you said a while ago that those were what you sold and Patrick's IRC comments which were quoted here strongly suggest that Wendon was the buyer)?

People are often creatures of habit, too.  If you know one mistake they've made, you can often take an educated guess at other mistakes they may have made.

We know that an email account was breached in order to effect the Rackspace compromise.  That would have given the Rackspace hacker to the email communications for the mailing list, among other things.  I have little doubt that the existence of the LastPass account has probably been discussed in internal emails.

Again, Zhou has already said that whoever perpetrated the Rackspace hack had enough information to compromise the MtGox account.  They may have waited to make an attempt until they knew funds had been moved there (which was obvious once refunds were being made).  Just because you assume that people will change credentials after an attack doesn't mean it will happen, and there's nothing to be lost by seeing if the credentials you've obtained will work.  The source code leak confirmed that the MtGox API key hadn't been changed - this could have encouraged the Rackspace hacker (or someone else with whom he shared the information he'd obtained during the hack) to see what else hadn't been changed.

To a large extent, exploiting vulnerabilities involves a lot of poking around for holes you don't expect to find rather than creating sophisticated means to overcome security measures which do exist.

Because they needed to make those transfers from a hot wallet and ever since the Linode hack people had been screaming at them about keeping their hot wallet on their own servers (and suggesting that it should be kept on MtGox for security).  Doing it through MtGox would also help give them a better record of the transactions if something went wrong with their own systems.  Remember that people were also asking to be paid in MtGox codes.

I don't understand why the LastPass account wasn't nuked as soon as it became known it was compromised.  All of the passwords it contained should have been changed anyway and the new passwords stored somewhere totally unrelated to the LastPass account.

How many Bitcoiners are now trying to log into the LastPass account using the API key?

My understanding is that the API key was also the password to the LastPass account - which contained the password for the MtGox account, among other things.

It's possible sensitive information other than passwords was stored in the LastPass account, too.

Was the 12 July password change done by one of the principals after the hack or by the hacker?  (The 0.0.0.0 IP would make sense if the LastPass account owners got LastPass to revert a password which had been changed without authorisation).  

Honestly, at this point the only smart thing to assume is that the credentials for absolutely everything have been compromised and to lock everything down.

Was LastPass Premium being used, or the free version?

When a non-trivial amount of your users have likely been using your service to commit financial offences, then you sure as shit want to be consulting your lawyers when deciding how to proceed after a theft.



Was the 12 July master password change after the hack (hack was announced on 13 July)?

It's concerning that anyone would revert the password.

Which is what most people assume they did.  You get 5 attempts before it locks you out for 5 minutes and sends an email.  If the list of compromised passwords the hacker had wasn't especially long, then they didn't have a lot to lose by trying the duplicates - if one of them was right, there was every chance they'd be into the LastPass account before anyone read the email.


This is equally true when conventional companies go out of business.

A court would order the Official Assignee to take control of the assets of the business and liquidate them, period.  The manner in which the liquidated assets must be distributed is laid down by law and unsecured creditors are actually at the bottom of that list.

Until otherwise established by a court ruling, Bitcoinica LP is the only entity responsible for returning user funds.  Any legal action to make people liable at an individual level hasn't yet taken place, may be quite pointless to pursue and would not necessarily succeed.

To be honest, I think this is the killer app which Bitcoin lacks - many methods for cashing out Bitcoins are just too damned slow at the moment.