Bitcoin Forum
  Show Posts
521  Economy / Service Announcements / Re: https://bitdaytrade.com Bitcoin Gold & Commodities margin trading on: July 14, 2012, 10:08:29 AM
To spell it out for you:

Incompetence is either acted as such to conceal a scam, or real, in which case your money isn't safe either. Anyway, I'm jumping off at the first sign of trouble, which probably is too early but at least not too late...
nuff said.

You decide to do whatever you like with your funds, but don't spread useless FUD, there's already enough.

Do you use 2-factor auth on your mtgox account? Is your mtgox API key hardcoded in your production code? (It should be stored in memory so it is not accessible after a system reboot.) How about your instaforex account API key?


[...]
Don't worry for now about our methods for protecting from price spikes, they are tested thoroughly as they are an important part of the CFD trading system itself.
[...]

Obviously your system was not and is not thoroughly tested. If it was then, you would not have had wrong volume figures.

[...]
The positions table was corrupted entirely because of wrong volume figures, impossible to recover, hence we took the decision to reset. This won't happen again as we have fixed a bug that was previously unknown.

Are you using that new agile motto for success? Fail quickly and fail often.
522  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 08:19:19 AM
Reviewing the dendrogram of the theft (https://blockchain.info/tree/11978606), these hackers seem more careless. If I'm right, they move bitcoins between addresses that have been used, with multiple transactions that reveal more addresses of the same wallet, addresses that receive payments from pools, etc...

Given that, more than a planned attack, it was opportunism in the wake of the publication of the source code, it may have been precipitated.


If someone bothers to report them, they may even be caught.

They are giving away some funds already, 100btc went to zhoutong's new donation wallet (zhou is promising to match donated funds). But yes, this individual is much less sophisticated than the linode hacker and therefore more likely to be identified (and we know he's reading this forum).
523  Economy / Speculation / Re: #1 most popular Bitcoin Price Forecasts (subscribe here: bitcoinbullbear.com) on: July 14, 2012, 06:17:51 AM
Clearly, 7.22 is resistance and prices may pause there for a while, but as I explained in the subscriber section, this is not required for many reasons.

As per "plan" bitcoin prices sliced through 7.22 like butter.

Good call. I expected the same, seeing most of the resistance take place around $6.8.

What's your opinion on the lack of effect of the latest Bitcoinica loss? Others have mentioned, the market seems to have written it off without much of a sell-off, which rather surprised me. It leaves me wondering if there could be a delayed response to these kinds of news events. I can't decide yet if it was good or bad that it happened right after making the year's new high.
524  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 05:46:50 AM
What the fuck were 40 000 bitcoins doing sitting at mt gox? After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage?

You are so delusional! No such thing was ever said. But if it had, it would look like the below.

It's not how things work. The owner of the account is not Bitcoinica LP, and I never have authority to touch the money in that account.

I can just confirm that the fund injection (from cold storage) has been done, and technically Patrick (and maybe others) can already access the funds.

Shit.. June 06 zhoutong confirms that funds were moved from cold storage. The source was leaked approximately July 08. And the withdrawal was made on July 12. That's at least 36 days on MtGox without two-factor auth.

edit: fixed dates
525  Other / Off-topic / Re: Look what I found... on: July 14, 2012, 05:32:25 AM
When should we expect issue #2 of the magazine?

#2 is already done (although we reserve the right to replace current articles if they become "untimely"), #3 is almost done, still hammering out the issues with a proper timely digital release. The online catalog to order #2 will be up shortly to allow orders.

Great! Looking forward to them; issue #1 was gorgeous, by the way. My only quibble was that I saw the same author for most of the articles... are you guys recruiting more writers or accepting submissions?
526  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 05:28:28 AM
What the fuck were 40 000 bitcoins doing sitting at mt gox? After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage?

Good question. And when the 18k were stolen, genjix's first response was "There shouldn't even be that much money in the live wallet." And we see Patrick's comments on #bitcoin-dev talking about "amateur hour" while probing bitcoinica, and demanding respect just a few days ago.

Then they were put in control of bitcoinica's MtGox account (Tihan confirmed this, he gave them all the passwords in the info@bitcoinica.com LastPass account), and in the months since they didn't even turn on 2-factor auth.

It's literally a miracle that Intersango is still in business (at least they did accidentally leak all Intersango users' e-mail addresses).
527  Other / Off-topic / Re: Look what I found... on: July 14, 2012, 05:16:44 AM
When should we expect issue #2 of the magazine?
528  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 05:13:12 AM
[...]
Of course, we probably don't know anything close to the full story yet.

However, anyone who got any money back from Bitcoinica should be aware that this money could be subject to clawbacks. Once Bitcoinica knew that they couldn't make full repayments, they had an obligation to prioritize their debts and protect the interests of other creditors. If they paid some people 100% of the money they held once they knew they couldn't pay back everyone, that could be subject to a clawback.

Well, they only found out they couldn't make full repayments just before genjix's announcement in the first post of this thread. So from what you say, the repayments made before that aren't subject to clawback.

I would like to hear from Tihan (or Andrew Thornbury, or whoever the owner is) whether they intend for users to take the 30% cut of their funds. As the owners, they are legally obligated to return users 100% of their funds. That Bitcoinica Consultancy was in charge of security doesn't matter, Tihan is equally at fault since he assigned them the job.

Tihan invested $500k in CoinLab, he should get that back for bitcoinica users if his VC fund is out of funds. CoinLab was a waste of money (mining coins with gamers' GPUs isn't close to competitive with FPGAs and ASICs).
529  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 04:55:40 AM
something tells me that you guys should add videos to accompany these kinds of announcements. people need to be able to see into your eyes and see your sorrow and regret, to know that you're telling the truth.

we'd not have so much of this finger-pointing if that were the case, i'll bet.
This.

That doesn't matter. Everyone saw Bruce Wagner's video after mybitcoin but many still think he's Tom Williams.
530  Bitcoin / Bitcoin Discussion / Re: [Proposal] Debt reconstruction for the Bitcoincia loss: Pay back later on: July 14, 2012, 04:51:44 AM
Bitcoin Consultancy/Intersango/Bitcoinica Consultancy don't own bitcoinica so it's not up to them.

Nobody is stopping Tihan, Andrew Thornbury, or whoever bought bitcoinica from launching the site. They're venture capitalists and can certainly afford $300k to give the bitcoinica users 100% of their funds. As far as I'm concerned, they are legally obligated to do so and have been so since the moment they bought bitcoinica from zhoutong. If they trusted bitcoin consultancy with their mtgox password and no 2-factor auth, then it's as much their fault that it was stolen.

Tihan/Thornbury can bear this cost and make it back from profits after they re-launch. Tihan should post and acknowledge whether they will bear the cost, or whether they intend for customers to bear a 30% loss.
531  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 01:48:53 AM
@BitcoinBull  I assume by 'box' you mean his personal computer?

More likely his VPS (virtual private server), which he explained was the cause of the last breach. He said he gives many "noobs" from #C++, etc access to that VPS.


genjix's box was hacked? Who told you that?

So, the simplest explanation is the one you gave and not that genjix himself leaked the source code?

Given his history, I think incompetence is more likely than malice, definitely in genjix's case.

That Patrick would walk away right now looks suspicious; if he were a smart thief he would come back and finish the claims so everyone gets their 66% (like myBitcoin). So in a counter-intuitive way, I think that he "walked away" in anger/frustration is actually a sign that it wasn't an inside job. It's very plausible and at least equally likely that there was another thief IMO (see below)...



I think the probability is about the same as finding a sha-256 collision in bitcoin.

So it's probably silly to imagine it happened. Compare the chance of an inside job (someone told the thief where to look or told them the actual password) or a keylogger (etc) type attack was used to discover it; in such cases the fact one can find it in the source code is merely a red herring, whether deliberately dyed red or merely accidentally happening to be red.

-MarkM-


I didn't see a "lastpass master password" label on that string.

This.

Was ANYONE here even aware that the bitcoinica source code had been leaked, prior to genjix's OP on this thread?

Plugging the file URL into Google gives only a handful of results, with this thread being the earliest incidence of it, as far as I can tell.

That, plus the fact that the tar file appears to have been packed by username genjix.

Additionally, there's the fact that the lastpass password was supposedly the MtGOX KEY (username) and not the SECRET. A bizarre thing to do, which smells more like it's a fuck-up in an attempt to make up a plausible hack story.

The whole story is just too cute for me.


The source code was leaked on reddit almost a week ago (0 points from 9 downvotes, that's why I personally missed it).

It is plausible that someone would try the mtgox api key as the LastPass password. A very lucky someone could've confirmed months ago that info@bitcoinica.com was a LastPass account, because LastPass tells you if you try to log in with an invalid username/e-mail ("Unknown e-mail address") or if it's a valid LastPass account ("Invalid password").

So when the source code was leaked, they saw the API key and decided to try it.

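As an added illustration of the error-message oracle described in the post above (constructed example code, not LastPass's or anyone's from the thread), a login check that answers with distinct messages beside one that answers uniformly and does the same hashing work whether or not the e-mail is registered:

```python
"""Login responses that do and do not reveal whether an e-mail is registered.

Added illustration: a form that answers "Unknown e-mail address" for an
unregistered account and "Invalid password" for a registered one lets a
caller confirm that an address is an account before ever guessing its
password. USERS below is a constructed in-memory store, not real accounts.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: e-mail -> (salt, pbkdf2 hash).
_SALT = os.urandom(16)
USERS = {"alice@example.invalid": (_SALT, _hash("correct horse", _SALT))}

# A fixed dummy record so an unknown e-mail costs the same work as a known
# one; its password was random and discarded, so it can never verify.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16).hex(), _DUMMY_SALT)


def login_leaky(email: str, password: str) -> str:
    """Tells 'no such account' apart from 'wrong password' (the oracle)."""
    record = USERS.get(email)
    if record is None:
        return "Unknown e-mail address"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Invalid password"
    return "OK"


def login_uniform(email: str, password: str) -> str:
    """Same message, and the same hashing cost, for unknown and known e-mails."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and email in USERS:
        return "OK"
    return "Invalid e-mail address or password"
```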
532  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 01:34:34 AM
Therefore, I would like to know WHOSE LastPass got compromised.

Tihan created the LastPass account (I believe, from reading his post). My guess: Tihan set the password by copy-pasting the mtgox api key, which was in a text file given to him by zhoutong.

Tihan shared the LastPass account and password with Bitcoin Consultancy, who "assumed" it was "secure", so he's blaming them because they didn't tell Tihan to change it. I agree with Tihan, they should have recognized it as the API key and changed it, both because the hyphens are suggestive of an API key and because they should have already seen the same string in the bitcoinica source code (failed to put 1 + 1 together). In any case, they should have changed it.
533  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 01:21:41 AM
How did the hacker also get access to genjix account on github ?

That is what I am wondering, following that part of the thread...

It wasn't from genjix's github account. Genjix cloned the github repo to his own box <genjix@nite.(none)>. It was accessed from there.



But how did you get this to claim that he packed it:
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

You are implying that genjix intentionally leaked the code. I can't confirm that.

This
Code:
$ tar -jtvf bit.tar.bz2 | head -n1
gives this
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/
which means that the bitcoinica_legacy folder that was packed to the encrypted file had the owner genjix from group genjix and was last modified at 2012-07-07 20:18

I posted all you needed to do. Not sure why you're asking lol

Thanks. So the leaker who accessed genjix's box packed it on his box as him. That's why it says genjix/genjix, genjix's box was hacked.
534  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 12:59:15 AM
So, the encoded file has the exact same thing in the /bitcoinica_legacy/.git/logs/HEAD file
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting


And look at who packed it... surprise surprise
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/


That's not the encoded file. You're still looking at genjix's re-pack.

[...]

After, I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.

Try it yourself.


You're right, my mistake.

This line is in the original encoded file.

Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

This shows that somebody accessed genjix's copy of the bitcoinica source code (maybe it was on that VPS which also had the SSH key which was re-used on the consultancy's e-mail server for the prior breach).

But how did you get this to claim that he packed it:
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

You are implying that genjix intentionally leaked the code. I can't confirm that.
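The two artefacts this post and the previous one argue over (the .git/logs/HEAD reflog line and the `tar -tvf` listing line) are easy to misread by hand. The parser below is an added example, not code posted in the thread; SAMPLE_REFLOG and SAMPLE_TAR are constructed copies of the quoted lines, and the caveats in the comments are general git and GNU tar behaviour, not claims about this case.

```python
"""Parse the two provenance artefacts quoted in this thread.

Added example, not code posted in the thread; SAMPLE_REFLOG and SAMPLE_TAR
are constructed copies of the quoted lines. A reflog line carries old/new
object ids, the identity git used, a Unix time, the writer's UTC offset and
the action. A `tar -tvf` line carries the owner/group *names* the packing
system supplied (settable by that system's user, e.g. GNU tar --owner), so
it shows where the archive was built, not who obtained the files.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_REFLOG = (
    "0000000000000000000000000000000000000000 "
    "939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> "
    "1338505438 +0200\tclone: from git@github.com:bitcoinica/bitcoinica_legacy.git"
)
SAMPLE_TAR = "drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/"

REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) (?P<name>.*?) "
    r"<(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})\t(?P<msg>.*)$"
)
TAR_RE = re.compile(
    r"^(?P<mode>[\w-]{10}) (?P<owner>[^/\s]+)/(?P<group>\S+)\s+(?P<size>\d+) "
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<path>.+)$"
)

def parse_reflog(line: str) -> dict:
    """Split a .git/logs/HEAD line; give its time both in UTC and as written."""
    m = REFLOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a git reflog line")
    sign = -1 if m["tz"][0] == "-" else 1
    offset = sign * timedelta(hours=int(m["tz"][1:3]), minutes=int(m["tz"][3:5]))
    utc = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
    return {
        "old": m["old"], "new": m["new"], "name": m["name"], "email": m["email"],
        # git writes "<login>@<host>.(none)" when no identity is configured and
        # the host has no domain, so this identity was auto-derived, not set.
        "auto_identity": m["email"].endswith(".(none)"),
        "utc": utc.isoformat(),
        "local": utc.astimezone(timezone(offset)).isoformat(),
        # An all-zero old id marks the first reflog entry, here the clone.
        "first_entry": set(m["old"]) == {"0"},
        "action": m["msg"].split(":", 1)[0],
        "message": m["msg"],
    }

def parse_tar_entry(line: str) -> dict:
    """Split one GNU `tar -tvf` listing line."""
    m = TAR_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a tar listing line")
    return {
        "mode": m["mode"], "is_dir": m["mode"][0] == "d",
        "owner": m["owner"], "group": m["group"], "size": int(m["size"]),
        # Wall-clock time of the packing host, recorded without a UTC offset.
        "mtime": f"{m['date']} {m['time']}",
        "path": m["path"],
    }
```

Note that the clone timestamp is 23:03:58 UTC on May 31 but 01:03:58 on June 1 in the +0200 zone the writer's machine recorded, so the "May 31" reading in the thread holds only in UTC.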
535  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 14, 2012, 12:12:35 AM
So, the encoded file has the exact same thing in the /bitcoinica_legacy/.git/logs/HEAD file
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting

And look at who packed it... surprise surprise
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/


That's not the encoded file. You're still looking at genjix's re-pack.
536  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 11:21:38 PM
That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-


What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this after all a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-



That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?
537  Economy / Speculation / Re: Gold collapsing. Bitcoin UP. on: July 13, 2012, 10:30:17 PM
Gold seems to be having a nice day today

Because it's strongly correlated with stocks/equities.
538  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 09:20:07 PM
On ycombinator zhoutong claims he didn't set the LastPass password:

http://news.ycombinator.com/item?id=4240408
Quote
Well I do agree with you that Bitcoinica was not 100% secure. This hack really has nothing to do with the app or its infrastructure.
- I didn't set the password.
- I didn't have the power to change the password.
- I shouldn't have access to the account.
The root cause is LastPass account being stolen.

Then who chose to set the LastPass password as the mtgox api key? Tihan?
539  Economy / Speculation / Re: NEW Bitcoinica hack! 30% of all funds stolen! on: July 13, 2012, 09:02:43 PM
no effect on price?

Yep, looks like the market has already written off bitcoinica and all the shit surrounding it.

This is actually the most surprising thing about the event. It was announced just after a new high for the year, and is still sitting there rather comfortably.


It's not clear what was done with the US$40k that was stolen, but is it possible (likely) that it was used to buy bitcoins, to allow the bitcoins to be withdrawn, thus driving the price up yesterday?

i.e. the hacker sent US$40k to some dummy account, immediately converted it to bitcoins at whatever rate was available (pushing the price higher), then withdrew the bitcoins.

So this hack might have resulted in some "false" buying pressure. The hacker bought the bitcoins not because they were bullish about the value of bitcoin but rather because it is the most convenient and anonymous way to withdraw the money.

Most likely the $40k USD was withdrawn to Liberty Reserve.
540  Bitcoin / Bitcoin Discussion / Re: Bitcoinica MtGox account compromised on: July 13, 2012, 08:53:02 PM
Tihan is right.. patrick/amir/donald should've changed the LastPass master password, if not created a whole new account (using a different e-mail, not info@bitcoinica.com which is a big red flag). Not to mention securing the MtGox account. Hell, zhoutong should've revoked those API keys that day long ago (he even said the hacker could've used them).
The API keys were revoked immediately, read the beginning of the last "hack" thread. The problem this time is that the withdrawal was via a normal login, which wasn't protected with 2 factor authentication.

As for the API-key-as-a-master-password fuckup, well I don't have enough info on that to make a judgement. Was that password implemented in the assumption that the source would not be released? Perhaps that's what it was set to AFTER the previous hack (stupid)? Maybe no one correlated it with the API key, and didn't realize the significance?

Ah, somebody downloaded LastPass and sync'd it with an account using info@bitcoinica.com as the log-in using the revoked mtGox API key as the password. This gave them all the passwords for that account, including the regular MtGox password (no 2-factor auth).

And it sounds like three separate people/groups had full access to the info@bitcoinica.com LastPass account: zhoutong (who presumably set it up), Tihan (who passed it to "bitcoin consultancy"), and bitcoin consultancy.


That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-


I don't think there is a separate encryption passphrase for LastPass, the master password is the encryption passphrase.

https://lastpass.com/features_free.php
Quote
Your sensitive data is encrypted on your PC. Only your LastPass password can unlock your data and only YOU have it.