361  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 25, 2012, 11:02:19 AM
I wasn't sure whether talking about the database was even permitted, so I skipped such questions. Now genjix has already said that, because either:

- He didn't communicate much with the rest of the team (i.e. doesn't understand why we are hiding)
Or
- He was granted the right to talk (I don't know)

Throughout the whole event, I have always been following Bitcoinica Consultancy's standard of disclosure. The reason that database deletion was not disclosed is that they were afraid of inaccurate claims that would worsen the losses.

I believe that any claims or claims modifications submitted after this point should be treated as false unless very concrete evidence has been given.

We had automated backups to back up the database and the wallet. During the hacking, I also created an emergency backup to preserve the current database. However, I was misled by one Rackspace support guy who claims that the hacker "can't do anything" to the servers which are suspended by engineers. All command buttons are disabled. I never noticed the hidden feature to delete the server. (i.e. if you're hacked, they can't log the hacker out, instead, they suspend all the servers so the hacker can't do anything but delete them.)

The hacker later restored the emergency image so he should possess a copy of the database. After that, he deleted all servers and all files in Cloud Files (like S3) including server backups.

It's my fault to not set up an offline backup schedule. Tihan used to run the accounting reports regularly (which is like offline backups) but he stopped doing so when I created a stats graph generator for him to automate the reporting. The most current record we have is his previous reports. This is my fault.

According to the information I have, returning funds to clients is not impossible. I suggested some ideas but they were rejected by Bitcoinica Consultancy for different reasons. I understand their situation though, and my offer to take over remains open.
362  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 25, 2012, 03:04:44 AM
To the person above, here's what happened:
- Bitcoinica has an internet mailing list called info@bitcoinica.com
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and log in to Rackspace.

The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching, etc. It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then had access to his emails.

Patrick requested him to be added because he wanted to reset server root passwords. And he did receive several email reset confirmations. Whether the email is his personal email or work email, it shouldn't matter. It's the same email that he uses to receive the confirmations and all Bitcoinica sensitive emails.

The attacker didn't think the email account was a big deal either, until he saw the password reset confirmations. The hacker then found out the Rackspace Cloud username "bitcoinica" using the "forgot username" option, which means that the hacker didn't even initially realise the association between bitcoinica and the hacked email account.

EDIT:

I didn't blame Patrick for the email compromise. It's the hacker's fault, not his.

But Donald and Amir keep mentioning that the access control system is improper. Patrick is the only guy in Bitcoinica Consultancy who had access to critical data. I didn't give the permission to anyone else. And I didn't get compromised either.

If I was adding everyone to the mailing list, that would be unacceptable. But I added patrick@bitcoinconsultancy.com (which he told me), and you're telling me I should treat it as personal email and non-critical.
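
Added example, not part of either poster's message and not Bitcoinica's code: a small Python model of the trust chain described in the two posts above (the password-reset path through info@bitcoinica.com, and backups held under the same Rackspace account as the servers), with an audit that flags both design problems. Node labels other than the two quoted addresses and the "bitcoinica" username, and the whole HARDENED layout, are hypothetical.

```python
from collections import deque

# Edge A -> B means: whoever controls A can take control of B.
# Constructed model of the incident as told in the thread. Labels other than
# the two e-mail addresses and the "bitcoinica" username are hypothetical.
INCIDENT = {
    "shared-dev-vps": ["ssh-key"],
    "ssh-key": ["patrick-mail-server"],
    "patrick-mail-server": ["patrick@bitcoinconsultancy.com"],
    "patrick@bitcoinconsultancy.com": ["info@bitcoinica.com"],
    "other-list-member": ["info@bitcoinica.com"],
    "info@bitcoinica.com": ["rackspace:bitcoinica"],  # password-reset mail
    "rackspace:bitcoinica": ["servers", "cloud-backups"],
}

# Hypothetical corrected layout: a dedicated single-owner recovery mailbox and
# backups that the cloud account cannot reach.
HARDENED = {
    "admin-mailbox": ["rackspace:bitcoinica"],
    "rackspace:bitcoinica": ["servers"],
    "offline-operator": ["offline-backups"],
}

KIND = {
    "info@bitcoinica.com": "mailing-list",
    "cloud-backups": "backup",
    "offline-backups": "backup",
}
SHARED = {"shared-dev-vps"}  # host that many unrelated people could log in to


def controllers(graph, target):
    """Return {node: shortest takeover path} for every node that can reach target."""
    reverse = {}
    for src, dsts in graph.items():
        for dst in dsts:
            reverse.setdefault(dst, []).append(src)
    paths, queue = {}, deque([(target, [target])])
    while queue:
        node, path = queue.popleft()
        for parent in reverse.get(node, []):
            if parent != target and parent not in paths:  # also guards cycles
                paths[parent] = [parent] + path
                queue.append((parent, paths[parent]))
    return paths


def audit(graph, critical="rackspace:bitcoinica", primary="servers"):
    """Return a list of (rule, node, detail) findings for one critical account."""
    findings = []
    paths = controllers(graph, critical)

    # Rule 1: the account's recovery channel is a group address, so every
    # list member is effectively an administrator of the account.
    for node, path in paths.items():
        if len(path) == 2 and KIND.get(node) == "mailing-list":
            members = sorted(m for m, p in paths.items()
                             if len(p) == 3 and p[1] == node)
            findings.append(("RECOVERY_IS_GROUP", node, members))

    # Rule 2: a shared host can reach the critical account transitively.
    for node, path in paths.items():
        if node in SHARED:
            findings.append(("SHARED_HOST_REACHES_CRITICAL", node, path))

    # Rule 3: a backup can be destroyed by the same principals that can
    # destroy the primary data, so it does not survive an account takeover.
    primary_ctl = set(controllers(graph, primary))
    nodes = set(graph) | {d for dsts in graph.values() for d in dsts}
    for backup in sorted(n for n in nodes if KIND.get(n) == "backup"):
        common = sorted(primary_ctl & set(controllers(graph, backup)))
        if common:
            findings.append(("BACKUP_SHARES_BLAST_RADIUS", backup, common))
    return findings


if __name__ == "__main__":
    for label, graph in (("incident", INCIDENT), ("hardened", HARDENED)):
        print(label)
        for rule, node, detail in audit(graph) or [("OK", "-", [])]:
            print(f"  {rule:30} {node:24} {detail}")
```
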
363  Economy / Marketplace / Re: Bitcoinica - Advanced Bitcoin Trading Platform on: May 24, 2012, 11:12:34 PM
yesterday I received this reply from ZT by PM which I'm sure he won't mind me quoting here:

You need to contact Bitcoinica Consultancy for this, and make sure you outline all the losses you incurred.

I started the swap system under Bitcoinica LP's approval and I was a full power representative at that time. However I did not have financial incentive - I can't touch a single cent of your swap money.

OK, now I need to think about this & how to proceed, I don't actually really even understand it, any helpful input would be welcome, many thanks ZT for responding, so it seems though that Bitcoin Consultancy which I now guess is called Bitcoinica Consultancy were not the owners & operators until after Zhou Tong's promise of the 22nd March 2012 to refund for swaps, but that he had already secretly sold Bitcoinica = Bitcoinica LP to T. Seale's investment group & was at that time effectively an employee of them

"Bitcoin Consultancy was first retained to perform a comprehensive security audit on March 27 and they became owners and operators of Bitcoinica LP on April 24. As General Partner, they have exclusive legal authority to manage the company." - Quoted from tseale speaking for the investment group that took over from ZT



I believe that when they take over the company, they should continue the unresolved disputes with customers. I designed the system because someone asked me to, and I gave the promise on behalf of the company because I had power to do so and it's consistent with Bitcoinica's usual dispute resolution attitudes.

If the amount is not large, I think they will honor. Otherwise you may need to explain very carefully to make it reasonable.
364  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 11:05:40 PM
Full Disclosure: I AM (or is it I'm?) NOT A WORDSMITH!

But I know grammatical errors when I see/read them and I'm seeing/reading a hell of a lot of them in all these official/nonofficial posts. It's like I'm reading shit written by young adults who don't have a rudimentary command of the English language but keep trying their damnedest to come across as educated blokes. Now, I'm not necessarily speaking of Zhou, for obvious reasons, but I feel (not sure) that his writing style has changed, as if somebody else is posting in his name. Reason I say this is because I've read words of which he's spelled correctly in the past, coupled with his current delivery seems odd (to me).

Forgive me if this has already been addressed, but I'm now only catching up, about nine pages out.

Back to reading this CF.

~Bruno~


After I moved to Australia, I changed the computer language to Australian English and my Mac autocorrected everything for me. It's handy when I need to write essays and business documents.

I always use American spelling online, but I didn't bother to change the settings or manually correct the spelling.

So I hope this explains something.
365  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 02:44:23 PM
I have a huge level of respect for Tihan because he has several times shown his honest and forthright character. While it was unfortunate that we were muted for so long, it was needed I guess so that everyone could come to terms with what happened and make a solid action plan to move forwards rather than acting on impulse and emotion.

After the Linode problem, Tihan refunded everything from his own pocket. Again after this problem, he is again putting up the money to fund Bitcoinica. To me that commands great respect. I'm really happy we are collaborating with someone that trustworthy. Now he offers to take the blame too. If that's the case, then I should equally share in the blame what with being director for Intersango.

I could care less right now if everything we've worked on is in vain. The most important thing I feel is that everyone gets refunded. As a believer in transparency, honesty and openness, it feels good to have everything public now. Part of the problem was that the handover process was meant to be very gradual (it is very disruptive if you made sudden huge changes to a production system) but that there were some communication problems that allowed Bitcoinica to get compromised (things were assumed from both sides about its setup).

I trust the people involved with this. I would only surround myself with trustworthy dependable people. They are going to resolve this in the best manner they can with the crappy situation that exists. It's unfortunate but must be fixed.

Yes. Mr. Tihan is the hero here. I am glad he is now getting the recognition and the respect he should. He has invested heavily into the bitcoin community and without people like him we would die on the vine.

 

Agree. He had put a lot of respectful things he had done under my name and chose to remain secret. Without his integrity and kindness I could have already been in serious trouble.

I was really lucky to have the chance to meet him in person in Guangzhou, China. And I think he's the most supportive person in my business career ever.
366  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 02:41:27 PM
After the Linode problem, Tihan refunded everything from his own pocket. Again after this problem, he is again putting up the money to fund Bitcoinica. To me that commands great respect. I'm really happy we are collaborating with someone that trustworthy. Now he offers to take the blame too. If that's the case, then I should equally share in the blame what with being director for Intersango.

Heh. A lot of people here assumed it was Zhoutong who ponied up out of his pocket and nobody ever denied that.

Interesting.

I was thinking that it would be paid from Bitcoinica's reserves, but that isn't the case, right?

I didn't mention anything about this because Tihan requested to be anonymous at that moment. Yes, I shouldn't take the compliment from the community for something that I didn't do, but there's no way to make things transparent either.

Also, I had no equity in Bitcoinica at that time and I was just the sole operator of the website under Tihan's advice.

At least now we all know the whole story behind the compensation for the Linode hack.
367  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 02:32:07 PM

IMO Zhou and Mr Seale are pretty awesome. Did the bitcoin consultancy do anything other than get hacked? What did they add to this that was productive?

Thanks.

They did an intensive code review and dug out an Nginx vulnerability that someone notified me of earlier but I forgot to address. (This was really my fault! Luckily no one exploited it.)

Patrick is a good guy and I believe in his security expertise. It's just that none of the new team has prior experience with Ruby on Rails.

Donald, however, is a non-technical CEO. The vastly different value judgement (between a technical entrepreneur and a non-technical one) resulted in the mass debate earlier today. He has never communicated with me before the hack, so I'm not sure about his job.

The whole thing is, I didn't realize soon enough that I no longer had any control over Bitcoinica, while everyone still assumed me to be the owner.

Again, I don't blame them for being hacked. If I had done my job better such things wouldn't happen either. In the security world any problem is everyone's problem. I was just angry about the "misrepresentation" claims that don't actually mean anything.
368  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 02:07:15 PM
Wow, what a show.

From what I've read on these forums over some time, I have come to pretty strong conclusion that the biggest problem with Bitcoinica is Zhou.
It reads so clearly I wish more people could see. Zhou has great technical abilities and thrives on accomplishment and glory from his peers.
At the same time, he is in no way a team player.

My speculation and observations:

The investors/owners of this venture did the most logical thing when they contracted with the Consultancy to help out with a business that was growing faster than anyone could handle. They were desperate, needed some help quick, and the Consultancy were the only ones on the block specializing in exactly what they needed. So, for Zhou, who prides in himself extensively for his technical creation, to have this new addition to the team review his work and give corrections was a severe blow to his ego and he's been having a tissy fit ever since.


We have a code repository at Github, and here's my activity:



22,750 lines of code written/modified in six months.

Bitcoinica Consultancy? Zero commits.

They pointed out some security vulnerabilities, and I have acknowledged that. There were some customers who pointed out other bugs and vulnerabilities too, and we have sent out some fair amount of bounties. I don't think there's any pride for technical creation - I'm just a Rails developer, what's the big deal?

I have my full respect for Mr Seale for his generous investment and kindness. Without his support, Bitcoinica would have to be shut down long before today. But giving up a significant amount of equity to exchange for a technical team whose transition period lasts two months with zero LOC written can't be a good decision.
369  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 10:25:51 AM
We will take what Zhou has proposed into consideration and discuss it with relevant parties. The issues of misrepresentation were not amenable despite numerous talks. Our silence was called into question the same time we were being misrepresented. Despite our best efforts this was unavoidable. We apologise but we are happy that Zhou has stated many things which, if there is full disclosure, will be shown to be lies and misrepresentations.

With full disclosure I believe our actions will be understood. Without full disclosure, our reputation may remain damaged. If that is the case at least we can say we spoke up.

I have no knowledge of the "full disclosure" you're mentioning. So I shouldn't comment on it either.

As I'm officially out of the dispute resolution process, these are the things we know:

1. I play no part in Bitcoinica. If you get your money late, it's Bitcoinica Consultancy's fault. You're unlikely to never get the money because they are not paying the bills anyway (so they aren't able to screw up on the financial side).
2. We have all seen how Bitcoinica Consultancy has handled the issue in the entire process. You should make your own judgement in your future business with them. (Disclaimer: I provide no advice.)
3. I have some funds in my own Bitcoinica account and I have filed the claim. I will take legal actions against Bitcoinica LP if my claim cannot be processed within 30 days.
370  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 10:10:01 AM
And on another side note, about pointing fingers, shit happens some times, and you really can not avoid this all the time.

WHMCS.com was hacked for example using the same method it seems:

Quote
It is rumoured and believed that Matt’s email account was hacked and hence the hackers gained access to the server details and the Twitter account at the same time. Nothing has been done so far to get the twitter account back, although WHMCS is back online after being hacked and defaced with a DDoS attack.

I do not believe that guy is not professional, or lacks technical skills.

Yes, I always think that's unavoidable. This should be obvious to any technical person.

That's why I initially claimed that one of our team members' email server was compromised, not even mentioning the name (but I knew it). I only clarified when there were overwhelming requests for more information.

My attitude has always been:

Everyone has a part in the problem. I don't blame anyone. But blaming me for everything is wrong. Not allowing me to clarify truths is wrong. Claiming that I'm lying without evidence is wrong. Saying that I'm the trouble-maker when the root cause is not me is wrong.

Only if the dispute resolution team can do things more quickly, I'm fine with being personally liable for everything and continue being the "assumed responsible person". But they are even hiding the corporate details from me now! (They said I was lying while I only gave the information I had. It must mean that the information has changed.)
371  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 10:02:57 AM
let me make a point clear in case you don't get this

I don't give a f**k about your blame game, I want my money back and if you feel the need to throw s**t at each other make a f**king thread about that

I know your feeling.

I actually LOL'd when I see the mess I'm creating. That's a better language skill exercise than any essays written in school.

I'm not out of mind though. Just that the whole thing is quite funny if I look back. :-D
372  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 09:59:29 AM
+1

Waiting for Zhou to start returning the money, as he previously stated.

On a side note, I have a feeling Zhou was not really happy that Team Intersango took over, but it's nice to watch such nice promises, you people start to sound like Obama, and Romney.

Maybe add on bitcoinica.com a status update, or maybe a list on how much you returned until now, etc, the wait is really annoying for people.


if you're GP, you're automatically granted the right to say anything you wish;
if you're not the GP, you're automatically granted the right to leave Bitcoinica as you wish (and you said you wanted to).


Dude is SO WICKED with gotchas.  Fucking brilliant.


If you think the whole issue is troubling you, here's my offer:

I'll resolve the whole thing for Bitcoinica, for free. As long as Donald, Amir and Patrick are no longer involved in the dispute resolution. You're free to re-develop the site and re-launch if you wish. I just want my customers to get their money back (if your user ID is less than 4500, I'll definitely make sure you get your money back). And the dispute resolution team is not working in a way that matches my standards. This has caused severe reputation damage to me personally.

You can do whatever you want afterwards, and you get all the future proceeds. I'll resolve everything for Bitcoinica LP in a professional way. If you can't make decisions, forward this offer to your decision-maker.

EDIT:

I provide this offer because I'm suffering from reputation damage, and there's definitely no benefit in arguing with you. I'm arguing because I can't do anything to make the situation better, so I should teach you how to do PR and damage control.

Well alright then.  I sure could use that money, like now.  Pretty please. :)

I made a mistake not to advise the previous owner to stop the negotiation. I only asked him to check their actual technical abilities.

But well, it's already passed so I shouldn't say anything or blame anyone. There are some vulnerabilities with my code, and they fixed that very quickly, which is a very good thing anyway. So I kept silent on the issue.

If I had any control: I would like Patrick to be in the team. Donald should resign. Amir wasn't involved much so I don't make any judgement.
373  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 09:29:58 AM
I don't have to respond to this already. Because you have no evidence at all.

You mean evidence that we can currently now share?

The fact that you lied was a public admission of yours.

Yes you do not have to answer and you can say "we have no evidence"

The issue is clear. We would like full disclosure. It will resolve all these issues. Are you willing to publicly state that you support full disclosure?

All the things I have listed do not require NDA on my part. (I have never signed any NDA this year.)

I was very careful and I re-read every single agreement I have signed about Bitcoinica before posting the previous post.

If you're unable to provide evidence to rebut any single statement (other than claims of "misrepresentations" without any justifications), it's unfair for you, definitely.

Again,

if you're GP, you're automatically granted the right to say anything you wish;
if you're not the GP, you're automatically granted the right to leave Bitcoinica as you wish (and you said you wanted to).

If you think the whole issue is troubling you, here's my offer:

I'll resolve the whole thing for Bitcoinica, for free. As long as Donald, Amir and Patrick are no longer involved in the dispute resolution. You're free to re-develop the site and re-launch if you wish. I just want my customers to get their money back (if your user ID is less than 4500, I'll definitely make sure you get your money back). And the dispute resolution team is not working in a way that matches my standards. This has caused severe reputation damage to me personally.

You can do whatever you want afterwards, and you get all the future proceeds. I'll resolve everything for Bitcoinica LP in a professional way. If you can't make decisions, forward this offer to your decision-maker.

EDIT:

I provide this offer because I'm suffering from reputation damage, and there's definitely no benefit in arguing with you. I'm arguing because I can't do anything to make the situation better, so I should teach you how to do PR and damage control.
374  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 09:20:32 AM
I don't have to respond to this already. Because you have no evidence at all.

You mean evidence that we can currently now share?

The fact that you lied was a public admission of yours.

Yes you do not have to answer and you can say "we have no evidence"

The issue is clear. We would like full disclosure. It will resolve all these issues. Are you willing to publicly state that you support full disclosure?

Yes, of course. As I said, I'm limited to list 15 statements. If there's full disclosure I can list more.
375  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 09:12:34 AM
Your answer is either YES, NO, or NDA.

Please!

Guys can someone please pull public information from NZ companies house (even if it costs to get some by paying 10 dollars or so) and post it here.



Certification of Incorporation: http://www.societies.govt.nz/scanned-images/17/BC10060962017.pdf

Application for registration of a Limited Partnership: http://www.societies.govt.nz/scanned-images/06/BC10060962006.pdf

These are public documents (free).

The general partner listed is Core Credit Limited, and Bitcoinica Consultancy Limited is a reserved company name (it can be reserved for Core Credit or a new company).

Since the sole shareholder of Core Credit has nothing to do with Donald, Patrick and Amir, I believe that they have private agreement or there are ownership changes that are not submitted to the register.
376  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 09:03:55 AM
I'm Zhou cannot even keep his word for a matter of hours. Anyone who continues to take him for his word should really consider the situation.

...And you don't give me the permission to post the private chat. The private chat starts with a greeting and was never continued after the day. It's not partial log.

I do not need to give you permission!? You need consent from whomever you've signed non-disclosure agreements with in 2012 or before obviously. The private chat is extensive and covers a ton of ground.

Thank you for your long list of 15 items.

3. I apologised and gave a self-criticism publicly (about my incompetency in security system).
- because continued misrepresentation would lead to what has happened today.


5. Bitcoinica Consultancy's compromised system (which was already in production before Bitcoinica's transition period) is the direct cause (i.e. if the transition didn't start the problem wouldn't have happened, and the transition didn't cause the initial compromise on the email server).
-Unrepresentative

7. I was prohibited from expressing anything that may damage Bitcoinica Consultancy's reputation (this is from your long post recently [1]).
-You agreed not to post anymore about us. The agreement came out of a conversation based on the fact that there were many cases of cherry picking and misrepresentations. Only hours later you broke your word and even now you continue to misrepresent.

9. I have not signed any NDA with any one in 2012.
- point?

12. I assume that I obtained the permission from the person who may grant you the transparency (I'm not sure) to post the apology.
-You are responsible for what you post.

13. I have been asked to co-author an apology in my name. (And my own one doesn't sound sincere enough. [2])
-After you had misrepresented the situation so many times and lied, your offer to make an apology was assumed to be simply as a means to be political. We wanted to avoid further problems and misrepresentations (as seen in that thread). We wanted to avoid what is happening right now and reach an agreement with a public statement to clarify the situation.


If full disclosure comes out all these details will all be addressed.

I don't have to respond to this already. Because you have no evidence at all.

Quote
Misrepresentations.

Yes, please release the full disclosure. I'm only permitted to list 15 statements now, and you're permitted to list 0 evidence. It must be unfair to you, I can feel.

I just want to ask this question:

Is Bitcoinica Consultancy a General Partner of Bitcoinica LP?

Your answer is either YES, NO, or NDA.

Legally, if yes, then you have the permission (or Amir or Patrick). If it's NO, I will truly respect your tough situation and you can leave Bitcoinica freely without any responsibilities (and you may want to).

This should be public information anyway.
377  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 08:56:21 AM
If you get the consent to publish both in full please do. Realise that "cherry picking" though through a partial log might not be a smart long term strategy.

I have browsed through both. I have not responded to you in the group. It's just a few consecutive complaints of you about my wrong-doing.

I received some advice from other people too, but the "advice" is irrelevant here.

We'll never have permission to post the group chat most likely. And you don't give me the permission to post the private chat. The private chat starts with a greeting and was never continued after the day. It's not partial log.

So the only person who can shed some light on this all and is not bound by some NDA and has/had access to all the information is the very hacker. IIRC he has/had access to Patrick's computer or at least his emails. Maybe we can convince him to publish Patrick's email database. I am pretty sure he copied all of them, hackers usually do this.

BTW, am I the only one that feels a little strange that apparently Patrick does the claim thing alone? The very person that shared this computer with the hacker. Now I should send him all of private data?

I believe that his computer is not hacked. Only the email server was compromised. Also, I have checked the claim verification email system (I set it up and I still have some access) and the entire chain is clean and secure.

We have replaced all the compromised servers and Internet accounts (we re-registered new ones).

Your passports are in my private repository (AES-256 encrypted), and the previous API access key was revoked. I'm the only person with access to such information now. Patrick et al. can request for the repository once they need it, but currently they don't.
378  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 08:51:10 AM
LOL, Zhou is running a pro PR campaign here (and winning this little PR war). Bravo! Something to learn for many parties involved.



Helps when you have truth, goodwill and honesty on your side:)

Indeed! If he does not have non-competition agreement. Zhou could develop a new Bitcoinica in the next 4 days and many people would transfer deposits from old Bitcoinica to new one at the first opportunity.


I can say something on this one because it's not covered by the original NDA. I had a gentleman's agreement (for 12 months) to promise not to engage in market-making businesses like Bitcoinica. So it's definitely unethical and potentially illegal to do so. And more important, I'm not interested in doing that at all.

I was very excited to talk to so many customers and resolve their problems with their satisfaction. Such excitement just fades when time goes by. Passion really matters a lot.
379  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 08:43:17 AM
I think security is hard and this happens to the best of us. A place that needs to be secured a security firm is, by its very nature, likely to be a target, and hence one is likely to find this kind of irony all over the place.

I also think phantomcircuit (EDIT: Patrick Strateman) really does know his stuff.

It's just the above content-less manager-speak from the consultancy that got to me.

Yep, security experts are being compromised all the time. They are on forefront so they get hit more often. The fact of compromise is not that important as how they prepare for it, assess the risks and mitigate them on ongoing basis.

I dread the moment any of my servers get compromised some day, for the first time.


I agree with you. I only have some experience in web security and that's why Bitcoinica didn't even take Bitcoins initially. (Remember the original FAQ sentence "There are no deliveries of Bitcoins"?) The entire security system was outsourced to Heroku and Mt. Gox at that time (and they did an extremely good job!).

We stopped doing that after some customers suggested that we not over-rely on Mt. Gox, and we accepted the suggestions. And everything took off: internal matching, starfish, snowballs, interest system, and the hacks. The troubles started when we stopped being small and lean. I definitely bear some responsibility for the bad decisions.

Not a single cent from Mt. Gox account was stolen.
380  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 08:29:53 AM
And instead of tending to the matters at hand that are truly important, I see childish bickering among partners(?!) in the forums

While the account is speaking for the group as a whole, it is the other two members which after many days of unrest thought it was best to break this silence. Patrick is working on the claims and right now we have to wait on Patrick before we can continue.

We agree that the statements we have had to release are not the ones we would have liked to, it was the only option at our disposal. It has come after over a week of silence where we were trying to resolve the misinformation issues in a more appropriate manner.

Yes, we are essentially the same. We have nothing to do here.

You don't know the technical stuff, and I can't touch the technical stuff. We are both disallowed to talk too much. And we are all waiting for the same things to happen.