Bitcoin Forum
July 05, 2024, 07:34:48 AM *
  Show Posts
3681  Economy / Trading Discussion / Re: Zhoutong on: May 26, 2012, 09:57:10 AM
Why hasn't anyone started a new thread in General Discussion about InterScamgo yet??? Really, they deserve to be put out of business in any case.

There's nothing stopping you from starting one if you believe one should exist.
3682  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 26, 2012, 09:55:03 AM
Did the hacker also retrieve the username using the compromised email account - you need the username in order to reset the password for cloud hosting services and you need the account number/username to reset the password for managed services.
3683  Economy / Trading Discussion / Re: Zhoutong on: May 26, 2012, 09:00:32 AM
Right, here is a VC-backed company with Bitcoin developers and "with specialisation in information security" CTO on board who own and operate a service that got hacked. And you think that it is all the fault of a 17 yo who they have hired and who was an employee and later got effectively fired.

Good luck convincing any judge or anyone with a modicum of common sense.



On the plus side, VCs are notorious for micro-managing the financials of the enterprises in which they invest so it's likely that extremely detailed financial records were sought prior to Tihan signing on and that they've been closely analysed ever since.  Even in non-financial businesses, one of the first things you do during the transition process is revoke everyone's physical and electronic access and issue new credentials/keys/codes only to those who currently need them in order to do their job - it's the only way you can be certain of controlling who has current access.  Anyone who's ever had a key could have had it copied and anyone who's ever had a code could have shared it with someone else - and you always assume that they have.



3684  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 26, 2012, 08:03:05 AM

From previous Hacker News thread, in which zhoutong participated.

Quote
There are no probable outcomes where you do not end up having to explain where thousands of dollars of other people's money went to some angry people.

http://news.ycombinator.com/item?id=2974770

3685  Economy / Trading Discussion / Re: Zhoutong on: May 26, 2012, 03:36:25 AM
really?  why make this thread? 

Because I'm pissed that he didn't make any backups of the database.

And I see a pattern in his behavior where he blames everything and everyone else for his (and now collectively our) problems. Most people don't have time to go through everything and might miss this pattern. But I believe it's important to have an accurate, summarized record of history.



While you can be pissed off at Zhoutong personally, you should be even more pissed off that the "security experts" who were running the company did not have proper procedures for backing up in place and that they chose to continue using a hosting service which couldn't even kick a hacker off the server in the case of an intrusion.  Why did their security audit not reveal the need for multiple backups in several locations - why had they not implemented such a procedure?  In terms of "things self-proclaimed security experts should be ashamed of and embarrassed by" this is right up there with the HBGary intrusion by Anonymous.

I don't think it's productive for Zhou to make "I suggested this..." type statements because he has no controlling interest in the company and the decisions will be made by those who do.  There's really little to be gained by maintaining a running log of suggestions he's made which have been rejected, although I understand his inclination to protect himself from personal attack over choices which were not and are not his to make.

Nobody is going to come out of this looking good.  Not even Tihan because he's the one who engaged Bitcoin Consultancy on the basis of their "expertise" and they failed to deliver - a decision he's now stuck with justifying to his investors.
3686  Economy / Trading Discussion / Re: Zhoutong on: May 26, 2012, 03:17:56 AM
Regardless of any shortcomings in the way Zhoutong originally set things up, Bitcoin Consultancy was engaged to perform a "comprehensive security audit" prior to becoming the owners and operators of Bitcoinica in late April.

Either their security audit failed to detect the vulnerability or they failed to address it - neither option is really excusable from an entity which promotes itself as being "expert" in security, and it's precisely the kind of vulnerability they should have been looking for in the wake of the Linode debacle.  They cannot blame Zhoutong for their own failure to detect and address vulnerabilities or the fact that those vulnerabilities remained undetected and/or unaddressed after they assumed ownership and control of operations - a second intrusion is precisely what they were brought in to prevent.
3687  Economy / Trading Discussion / Re: Crypto X Change - No More Wire Costs - Deposit & Withdraw any Currency $5 Now! on: May 26, 2012, 02:29:42 AM


UPDATE Folks from CryptoX contacted me and resolved the issue. Apparently, the $5 withdrawal is not an option anymore, and I never realized it.

It was announced on their website but they probably should have updated the thread title here.

http://www.cryptoxchange.com/blog/11/discontinuing-online-bank-transfer-deposit-and-withdraw-option-with-5-aud-fees
3688  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 26, 2012, 01:18:56 AM

para 3 - So now 90% of sequestrated funds will go to lawyers, accountants, receivers, loss adjusters, etc & the process will take years, really just throw it to Zhou Tong to fix as best he can, it won't be perfect but at least he will try & do the right thing by everyone & fast then move on

One of Tihan's partners in CoinLab already spoke publicly about how raising VC for their projects was made more difficult by the fact that they involved Bitcoin.  If Bitcoin businesses continue to be seen as entities which just do whatever they want when something goes wrong rather than following established business practice, they will continue to have problems attracting venture capital.

It should not take an accountant (and there's already one associated with Bitcoinica and its FSP, even if he might not have anticipated having to actually do something in relation to the business beyond setting it up) very long to communicate to Bitcoinica Consultancy the essential elements which must be considered when processing and disbursing claims.  This is not a business whose financial practices are not subject to external scrutiny - they are a registered financial services provider and that means they can't just do whatever the hell they want in terms of financial activity and accounting practices.

Messes like this one happen in part because many Bitcoin enterprises start out as one-man operations and when they expand appropriate professional standards are not applied to their operations - areas in which the founder has little expertise often get ignored until something goes wrong.  Bitcoinica's technical security was inadequate.  It should not compound an already bad situation by implementing a claims process which is also inadequate and which has no independent oversight.
3689  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 26, 2012, 12:11:51 AM
No database backups. Sorry for avoiding the question.

OMG.

The first rule of computer using is that you *always* make backups. You backup early and you backup often, on-site and off-site.

I learned that the hard way in the early years of my 30-year computer programming career. If you don't do this then eventually you can get a *really big problem* like Bitcoinica has now.

It's still extremely bizarre that Rackspace had no way to log the hacker out and that he was still able to delete the emergency backup in spite of the servers supposedly being suspended.  That's a huge security flaw for a hosting service to have and you do have to wonder whether the hacker was aware of that "hidden feature".  Whatever mistakes were made by Bitcoinica were certainly compounded by the inability of Rackspace to totally lock down the compromised servers.

Zhou, I notice that you are focusing primarily on what is technically possible.  For a whole lot of reasons, the claims process must also have integrity from an accounting point of view.  The principals have little choice but to assume that the manner in which they process user claims may be the subject of legal action in the future and to ensure that the process complies with recognised business and accounting standards (in fact, the process should really be independently audited).  While your proposals have merit, they need to be considered in a broader business context and it would be foolish of the principals to implement them without first obtaining professional advice.
3690  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 25, 2012, 11:40:12 PM

Please?

This thread has some fun, I can't deny it. It's nice to read it sometimes. But it would be better if you start something like Bitcoinica Claim Process, or something alike, more focused on updates for those trying to know how everything's going, don't you think?

It's been explicitly stated several times that Bitcoinica Consultancy alone is handling the claims process, so perhaps the request for a dedicated thread needs to be made of them - even though they seem totally unable to communicate in a timely and comprehensible manner.  It would be valuable if they listed specific times when people can expect updates on the process.

I also notice that the question of whether this intrusion has been reported to law enforcement remains unanswered.  There is no reason whatsoever for a legitimate enterprise not reporting the theft of its database, regardless of the contents of that database.  In the past, there have been investigations into and charges laid over the theft of in-game items in virtual worlds - it's not necessary to define Bitcoin as a currency or a commodity in order to determine both that it has value and ownership.  That the operators of Bitcoinica are willing to reimburse customer losses doesn't mean that the theft shouldn't be formally investigated.  
3691  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 25, 2012, 09:43:05 AM
All this NDA talk just seems like fancy ways to sound overly important and stall things indefinitely.

My inner voyeur wants to see the logs, but the whole "it wasn't our fault but we can't tell you what really happened because we're sworn to secrecy" line comes across as whiny teenager shit and it's highly unprofessional.  The best way for anyone involved in this clusterfuck to vindicate themselves and restore their reputation is to quickly process claims and ensure that users are compensated as soon as possible.  Arguing about who did what first distracts from that process and it's going to make the Bitcoin community question how professionally Bitcoinica will be run going forward.

While it's great for Tihan to step up and accept responsibility, it's Bitcoin Consultancy who will be operating the business - it doesn't matter a damn if people trust Tihan if they don't trust the people who will be in charge of the organisation's day to day operations.  That they're not picking up the phone and talking to each other is hardly confidence inspiring.
3692  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 25, 2012, 09:21:32 AM
Seriously? Are you guys talking with your financier on this forum and asking him here to confirm details of your NDA terms? This is getting much closer to that Russian comedy YouTube videos standard now than ever before?

Who is this guy "Bitcoinica Consultancy"?

Guess they missed this part of Tihan's post.

Quote
I’m unable to follow most public postings here, but you can reach me through this forum by private message. Questions about processing of funds should be directed to Bitcoin Consultancy as they alone control that process.

It's a bit alarming if they signed an NDA without understanding exactly what "Bitcoinica's proprietary systems and processes" means - lawyers normally nail that shit down.
3693  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 25, 2012, 09:09:07 AM

So I take this as, you or you and others you represent are Venture Capitalists that put Bitcoin Consultancy in charge of your investment. e.g. Cisco but the team you put in charge flubbed up somewhere.
 

Interestingly, Bitcoin Consultancy took over Bitcoinica the same day that Tihan's CoinLab venture secured $500,000 of VC for investment in Bitcoin projects.

http://www.forbes.com/sites/jonmatonis/2012/04/24/coinlab-attracts-500000-in-venture-capital-for-bitcoin-projects/

http://www.geekwire.com/2012/bitcoin-startup-coinlab-lands-funding-tim-draper-monetize-games/
3694  Economy / Service Announcements / Re: {ANNOUNCEMENT} WBX Exchange Frozen on: May 25, 2012, 03:57:36 AM
Hi All,

I would like to remind you all that I was advised by my lawyers to refrain from making any comments in public, this is why I have kept silent until now. I am very sorry and it was frustrating for me watching my personal details get posted by users here, some also have mentioned my family which I'm not at all happy with. You wouldn't like it if I posted your personal info here. (remember I have your personal info)

Thanks Andre
Hi Andre,

All of the personal information on you that was posted was already publicly available (as opposed to the personal info you have on us). If your website had the correct company and contact details, we would not have had to go digging. Could you please PM me your current business address (in Qld, not old one in Vic) for further correspondence on this matter.

I truly and deeply feel for the stress you are going through with this, but in my opinion the fact that you have been defrauded does not give you the right or excuse to defraud legitimate users of your exchange.

Regards.

Interesting that Andre claims that the database has been erased but also claims to have users' personal information.
3695  Economy / Service Announcements / Re: {ANNOUNCEMENT} WBX Exchange Frozen on: May 25, 2012, 02:14:08 AM

I deposited cash into your wbx account and have the receipt for that transaction. If all fraudulent activity was bank transfers then no one has the right to hold my money. There is no way my deposit would be considered fraudulent.  Who can I contact? This should be a straightforward and easy refund. You should at least enquire on my behalf as I do believe they should only be concerned about bank wire transfers!


If the matter has been reviewed by the Financial Services Ombudsman then that is who you need to contact.  You need to remember that the WBX bank account would have been hit twice - by the fraudster to fund transactions on his WBE account before the fraud was detected and then by the bank reversing the deposits.  Poor risk management protocols essentially meant that "your" money and that of other customers is what the fraudster used to conduct his or her transactions.
3696  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 25, 2012, 12:48:34 AM
-Are there any backups left?: Is the database intact?

This is the key question. The following is pure speculation.

I'm speculating that there were and are no offsite backups of the database. This would make the claim process nearly impossible (or maybe there is one but it is old, and the older it is the more difficult the claims process). (the hacker is probably submitting claims for each account from various IP addresses, just for lulz). If there were a backup of the database, users could claim their funds simply and quickly using their passwords, which were securely encrypted in the database. (there is of course the possibility of complications making this more difficult, eg if the hacker captured some passwords in plaintext before deleting the database).

If there is no recent offsite database backup it is Zhou's fault and he knows it, but he is doing his damnedest to throw mud at Bitcoin Consultancy and save his ego. That he made no offsite backup could be blamed on his plain-as-day arrogance (why boast that he made the site in four days?) combined with lack of experience (after all, the Linode theft wasn't his fault but at the same time could have been prevented had he done sufficient contingency planning).

There's other weird stuff going on which may or may not involve Bitcoin Consultancy.  The WBX website has been revised and references to the founder and external parties other than Intersango and Bitcoin Consultancy have been removed.  The founder is now claiming that

Quote from: Andre
I have been advised the current database has been erased this happened last week

There is no mention of how the database came to be erased or who was in control of it when it was erased.  Andre admits to having no control over the exchange site any more but he offers no information about who does have that control or when he relinquished it.  If Bitcoin Consultancy is not actively involved with WBX, it would be in their best interests to publicly say so at this point.
3697  Economy / Service Announcements / Re: {ANNOUNCEMENT} WBX Exchange Frozen on: May 24, 2012, 11:04:57 PM

What I'm trying to work out is who I can contact to get information.  You say it's the bank and banking ombudsman, and refer to what your lawyer said, but then say it's out of your hands.  If the banks have taken "it all", how much, what's their process for the claim.  The wall and exclusion isn't helpful, therefore, there needs to be someone I can deal with (or have my lawyers deal with).

Again, in the absence of any better resolution, I can just throw this to a collection agency.

I'd contact both the Qld and the Federal Financial Services Ombudsman.  They can at least investigate and confirm that the bank confiscated money from the account in question.  It's also possible that any residual funds in the account were transferred to one of the "unclaimed monies" funds by the bank.  This is what FSPs often do when an account is closed due to suspicious activity (places like PayPal and Technocash explicitly state in their ToS that they will do this).  The Ombudsman would be able to tell you if this is the case and which fund to contact (there are several).

Quote from: dooglus
Who currently has control of the site?  If you put me in touch with them, I can tell them how to get me the information I need to pay people back.

If it's Intersango/Bitcoin Consultancy then they need to make that public.  Their deception regarding their stake in Bitcoinica has generated an enormous amount of ill-will and distrust.  While references to other parties (including Andre and Chris) have been removed from the WBX website, references to Intersango and Bitcoin Consultancy remain.  Right now, two businesses with which Bitcoin Consultancy and Intersango are associated have had their databases deleted recently and in both cases the presumed owners of those businesses no longer have operational control.  In both cases, the transfer of control was not disclosed until after it occurred.

You might want to contact Andre's lawyers before making any refunds and get something in writing from them authorising you to do so and outlining the return process (ie, whether everyone owed money will get a percentage of their account balance paid out as BTC or whether people whose accounts show a BTC balance will be paid out in full and those who had dollar balances will be SOL).  

Quote
...as I have been advised the current database has been erased this happened last week.

I suspect people would like more information about how this came about and who had control of the database when it happened.
3698  Bitcoin / Bitcoin Discussion / [UPDATE] World Bitcoin Exchange on: May 24, 2012, 10:41:08 PM
Cross-posting from Trading for the benefit of those who'd given up on hearing anything further.

Quote from: Andre
Hi All

I no longer have full control over the exchange site, an update on the recovery of all exchange member funds, recent correspondence with our banks and the banking ombudsman is the bank is entitled to hold all exchange funds as they were fraudulently taken from bank accounts across the country and deposited into my exchange account, the source of the fraud activity came from Germany and I can't tell you much more than that.

This being said Chris has the only funds (assets) of the exchange, they will need to be returned to the exchange members.

https://bitcointalk.org/index.php?topic=65867.msg920163#msg920163
3699  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 10:24:53 PM
repentance, Mr Heaslip is most likely simply a nominee shareholder and director. This means that Bitcoinica LP general partner decided to pay extra 1000-2000 a year to obfuscate who is indeed General Partner of Bitcoinica LP.

This also means that we do not know exactly who the General Partner is and when it changes. It could be any kind of a chain of offshore trusts and companies for all we know.

It still looks like Core Credit is a shelf company, though - there've been no constitution documents lodged.  While it's not uncommon for accountants to set up enterprises in the way you've described, ownership is often transferred down the track because for as long as the accountant or lawyer remains an office-bearer in the company they still have legal liability for its actions (and risk professional sanctions if they don't exercise appropriate oversight).  Heaslip's speciality is taxation, and Bitcoin related businesses certainly have plenty of reasons to structure their enterprises in a manner which minimises any tax burden.  Bitcoin is also fraught with fraud, AML and CTF risks and it would be risky for any accountant to put themselves in a position of liability for such risks if they didn't intend to play any role in ensuring compliance in those areas.  Being a nominal director doesn't exempt you from legal liability.
3700  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 24, 2012, 09:55:53 PM
Hi all. I'm making my first post here to offer my heartfelt apology to those affected by the security breach at Bitcoinica.

The investment fund I work with first put money into Bitcoinica because I had identified it as a promising start-up in this exciting space. It is my job to find potential investments and conduct related due diligence. In doing so, I learned a lot about bitcoin trading and Bitcoinica.

Like many early stage companies, Bitcoinica experienced growing pains as its success outgrew the capacity of its initial founder to handle alone. It was I who sought out expanded management to help take Bitcoinica forward.

I chose the Bitcoin Consultancy team due to their early involvement with bitcoin, their experience operating an exchange, and their reputations for expertise in online security. 

Bitcoin Consultancy was first retained to perform a comprehensive security audit on March 27 and they became owners and operators of Bitcoinica LP on April 24. As General Partner, they have exclusive legal authority to manage the company.

Because their time with the company is relatively short, the present situation is especially challenging. Zhou Tong has continued to assist in an unofficial capacity. I've offered what insights I can based on my knowledge of the business. In spite of the challenges, I know the Bitcoin Consultancy team would like to bring about the best possible outcome.

Per standard practice, Bitcoin Consultancy entered into a non-disclosure agreement which extends to Bitcoinica's proprietary systems and processes. They are free to discuss their role and history with the company.

For those who wish to blame someone, blame me. Perhaps if I'd pushed for expanded management sooner or in a different way, the incident might have been avoided.

For avoidance of confusion, I wish to reiterate Bitcoinica Consultancy's prior statement: Mr. Heaslip is an accounting professional who assisted with company formation. He has his own business interests in New Zealand which are otherwise unrelated. I have facilitated investments in dozens of other companies, including some in the bitcoin space. Those companies are also unrelated.

I’m unable to follow most public postings here, but you can reach me through this forum by private message. Questions about processing of funds should be directed to Bitcoin Consultancy as they alone control that process.

I've advised Bitcoin Consultancy to focus their efforts on processing claims rather than public debate. Please extend them your continued patience.


So was Core Credit essentially a shelf company which no longer had any involvement with Bitcoinica when the hack happened?  This seems unlikely given that Core Credit's bank account was being used for wire transfers on 5 May.  Has another party/entity assumed Mr Heaslip's stake in Core Credit/Bitcoinica?
