Bitcoin Forum
  Show Posts
641  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 05, 2012, 09:16:26 PM
3 June 23:20: We're adding extra fields to the claims database (should be finished soon)

Would it be safe to assume this is pretty much done by now?

Yes it's done. The problem is not technical but bureaucratic. Anyway hopefully this gets resolved quickly. Don't really have much more to add right now.
642  Economy / Trading Discussion / Re: Bitcoin Consultancy: site down? on: June 04, 2012, 11:16:57 AM
It was taken down while investigating the compromise of Bitcoinica. No one has the time to put it back up yet because of managing these payouts to people.
643  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 03, 2012, 11:25:16 PM
03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

That's a bit confusing.  If all that was lost was 20% of Bitcoins on hand it should have been possible to pay everyone out 80% (the initial round of payouts) without receiving funds from Tihan - additional capital should only have been required to replace the lost Bitcoins.  You should have still been in possession of 100% of USD and 100% of Mt Gox deposits.  Or were you still waiting on capital to enable you to replace Bitcoins which were lost in the Linode intrusion as well as additional funds to cover the most recent loss?

We don't hold the funds.

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

Do you mean there will be another claim form to fill out, or are you just speaking about finalizing the current one?

Finalising the current one for internal (staff) usage. We need to track the payments we make more accurately for bookkeeping.
644  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 03, 2012, 09:22:57 PM
03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.
645  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: June 02, 2012, 07:28:04 PM
02 June 2012 21:26: The process is at an impasse because of some legal wrangling.
646  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 31, 2012, 09:35:43 PM
Genjix, is it okay if I use your public PGP key to encrypt the data before sending it to verify@bitcoinica.com?
And if so, what public key would you like me to use? Thanks.

Hey, this is my valid key: CCF588E3. The other one is old and I need to revoke it. Make sure you mention it's encrypted for me.

Also avoid sending things to my personal email if you want to keep it secure. That email is used on public terminals and is not secure - it's a personal email. Otherwise, if you don't mind, then you can CC me, but make sure it does actually get sent to verify@bitcoinica.com.
647  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 31, 2012, 01:30:45 AM
In general, I support the hybrid approach.

I support expediting those people who have verifiable information and reputations.

I do not now, nor have I really ever, regarded "number of forum posts" as any sort of legitimate indicator of the trustworthiness of any individual. OTC ratings, yes. Verifiable forum trades, yes. Number of times some fool wrote "sub" in a thread? Not very worthwhile.

None of those are a factor as to whether we have a high degree of certainty in a person. We are not using a trust metric, but simply expediting the process for people with a high degree of certainty.

Quote
I do not support expediting those with largest balances. In most cases, I suspect, this is disproportionate with the actual need. I also do not support expediting those with the smallest balances, for the same basic reason. (ofc, in the cases where the largest/smallest balances are the most verifiable, w/ best reps, hopefully, /obviously/ the latter applies more)

People with the largest balances may in fact take longer to verify.

Quote
I do not really support you keeping 20% for any longer on accounts you can verify with a reasonable degree of accuracy. We've made a long enough forced loan to you. I'm sure you've made enough off the interest to start paying the legal bills from this escapade.

Bitcoinica does not make money off of holding people's money. If anything it costs us in terms of time.

The reason Bitcoinica used to give people interest was to encourage people to let their money sit there so that Bitcoinica does not need to hedge as often between USD and BTC (which is costly and expensive given MtGox's fees).

Quote
I do not support the continued lack of communication with your customers. A forum thread is, at this point far less than sufficient, or acceptable. I'm really sick of having to dig around to find out what the hell is going on. Is it really that harmful to your process to send a damn email?

I'm also sick to death about hearing the badmouthing on forum and irc from the bitcoinica players. On the forum one side speaks, and on irc the other.  Just keep it to yourselves.

Anyhow....I'll believe the money when it's really seen, by more than just the bitcoinica owner's friends and favorites. Until then, this is just more in a long line of words.

I never said anything on IRC nor bad-mouthed anyone.

About email: not everyone appreciates constant small updates sent to their inbox. However once we are ready to move forwards, a mass email will be sent detailing everything.
648  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 30, 2012, 10:24:36 PM
* How many claims has Bitcoinica received? How does this stack up against the total amount of customers?
* Does the amount of claims exceed the amount of deposits? If so by what margin?

I don't know since I don't have full access to Bitcoinica's records (Tihan has those). But I can see the claims and the total net value is $1.1 million. I don't know what the full amount previously was (Patrick or Zhou knows) but I do know it is a few times less than the total claims.
649  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 30, 2012, 10:16:51 PM
No part of the claim form asked for a link to any other community.  Please explain how you are securely linking claims to "community reputation".

We aren't doing that though. We are not using a trust metric, but simply expediting the process for people with a high degree of certainty.

Also if you do have a forum nickname, and somehow feel it helps you then feel free to email it to the claims email.
650  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 30, 2012, 10:03:00 PM
Define 'A high rating in the community'

...

Smacks like favoritism to me.

You're totally right. I dislike this too, but it is the most amicable solution available.

If you guys would like wire transfer numbers, I have mine somewhere for nearly the exact amount in my account (minus fees); if that helps speed up the process I'll gladly send that along.

If you have anything that can help, then email verify@bitcoinica.com

There's an internal system being used to collate and organise all this information.
651  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 30, 2012, 09:50:10 PM
Quote
Were they given preferential treatment?

Yes. People with a high rating within the community. These people are having their process expedited.

Originally Zhou favoured simply paying people out based on reputation (trust-based approach) whereas we (me and Patrick) supported divvying funds up accordingly among people (pro-rata). That was the nature of the disagreement and why Zhou was saying he could do immediate payouts quickly if we handed over the process. We did not think this was fair despite people calling for him to handle the process. The final method that's been mutually agreed upon by all is a hybrid method - using both approaches.

That's why I said one method is fast but inaccurate, while the other is slower but more accurate. It's a difficult decision though. And despite the criticism, I'm going to perform the payouts in the way that I personally think is most fair for all. There are a lot of people on this forum who don't have a voice, so it would be unfair to simply pay out to people based on reputation alone.
652  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 30, 2012, 09:33:37 PM
Sorry about the above. It was a slip-up by me. Tihan is correct.

30 May 23:30: We're going to proceed with payouts of the few people we have verified hopefully tomorrow for 80% of their claims (the remaining 20% will be refunded later). A more lengthy process will be applied to everyone else.

EDIT: I was under the impression he was acting strictly on behalf of the decision makers due to our conversations and the decisions that have been made thus far. I will confirm that we indeed have the ability to make this decision regarding the claims.
653  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 29, 2012, 11:54:17 PM
30 May 01:52: Consensus seems to have been reached. Waiting for final confirmation to move ahead so we can work out the actual payout implementation specifics.
654  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 29, 2012, 05:37:06 PM
Is it necessary or not to send to verify@bitcoinica.com the notification from MtGox? Or (do I have to write to verify@bitcoinica.com information confirming my account / transfers?) Is it safe? Officials, please comment.

I would actually email verify@bitcoinica.com and ask them.
655  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 28, 2012, 06:21:01 AM
I was deliberately vague. It isn't which payment system to use, but which method of selecting payees (people to be paid) to ensure accurate or fast delivery (it is a bit of a sliding scale). Maybe I can post more specifics, but I want to ask first in case I somehow jeopardise the prospect of a speedy recovery for everyone. Also I'd want to make sure what I write is correct.
656  Bitcoin / Bitcoin Discussion / Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation on: May 28, 2012, 06:08:29 AM
I'll post updates here: https://bitcointalk.org/index.php?topic=84042

That's the new thread.
657  Economy / Service Announcements / Re: [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 28, 2012, 06:06:08 AM
Historic posts detailing progress:

https://bitcointalk.org/index.php?topic=81045.0
Today, we have discovered a suspicious Bitcoin transaction that doesn't seem to be initiated by any one of the company owners. Some of them are not online at the moment so this is not conclusive.

Suspicious transaction:

    {
        "account" : "",
        "address" : "182tGyiczhXSSCTciVujNRkkMw1zQxUVhp",
        "category" : "send",
        "amount" : -18547.66867623,
        "fee" : 0.00000000,
        "blockhash" : "00000000000003f6bfd3e2fcbf76091853b28be234b5473a67f89b9d5bee019c",
        "blockindex" : 1,
        "txid" : "7a22917744aa9ed740faf3068a2f895424ed816ed1a04012b47df7a493f056e8",
        "time" : 1336738723
    },

We have contacted Rackspace to suspend all our servers and lock down our accounts. All your trading and financial data is safe (as far as I know), apart from the Bitcoin loss.

Thank you for your patience and understanding while we investigate this issue in detail.

https://bitcointalk.org/index.php?topic=81045.msg921159#msg921159
No database backups. Sorry for avoiding the question.

I hoped someone else could clarify this. I don't have all the full details, and would hate to make incorrect statements. I also didn't want to jeopardise efforts to refund people.

From what I gather, there are no backups of the database. Only partial records for accounting which is being used to extrapolate balances. I'm not sure of the exact details, but I think they need a full view of the claims before payouts begin (like a big jigsaw puzzle) to properly cross match records. Hopefully someone better informed will post more details.

zhou: ah, ok. I don't know the exact details and I'll avoid commenting further.
I think Patrick assumed they were not critical hence me saying: "The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.". I do appreciate that several times, you told people I wasn't involved with Bitcoinica in this thread. I always assume good faith which is why I think it was a fatal miscommunication between team members.

bitcoinBullbear: that's fine. It does annoy me a little that people assume that a decentralised system like Bitcoin consists of a single piece of kosher software. bitcoin.org lists several clients. When security flaws were found, Mike Hearn, justmoon and I helped fix problems on the internal security mailing list. justmoon in fact was very instrumental in many cases for clarifying and proposing fixes for BIP 16. There was a long technical history that led to libbitcoin's creation and it has taken 8 months so far.

That picture is funny. I like it.

rjk, nope. Everyone had root. One person was installing a database, another installed Jenkins.

The anger here is justified. If this happened to me, then I would be extremely mad. I was very pissed at MtGox when they had their problems. It sucks to be no better than MtGox.

To the person above, here's what happened:
- Bitcoinica has an internet mailing list called info@bitcoinica.com
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and login to rackspace.

The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching, etc. It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then he had access to his emails.

Bitcoinica took us on to help secure them.

We decided it was bad practice to make sudden disruptive changes overnight to a production system. Instead the theory was a very gradual replacing of the system while observing changes. Bitcoinica was already very fragile. I still think that was a good decision.

Step 1 - fix the code.

Flaws were already being found in the code. That was the logical first step. That the environment ended up being exploited is simply hindsight. I would prefer not changing a working environment until after knowing how the code operates. An example is that another website accidentally made out a 500 BTC payment when the file permissions were too strict. Similarly changing an aspect of Bitcoinica without proper insight could have had grave consequences.

First you understand the code. Then you run the code. You experiment with a test system. Make improvements. Deploy changes. Change production environment.

The Bitcoinica plan was to do the above while creating a new platform to replace it in the long term.

Close all bets, give us our money back.

No database, a huge mass of data (much of it useless) and a number of false claims that could push out legitimate claims. The data makes sense only as a whole which makes payouts difficult (you have to build a case and gather evidence based on the known data). Being careless and paying people without being sure is stupid as you cannot reverse payments if more evidence later ends up contradicting your early guess.

That's why the initial payouts so far have been for only 50%. And only for people we're highly certain of. I support extending that to more, but the others are understandably taking more caution. If people are paid out, then it's realised there is a mistake in our assumptions, that means legitimate people will not get paid (the pool of money for payouts is limited). $1 erroneously paid out, is $1 of someone else's money. The honest and correct decision here is being as certain as possible for people you pay out, and no amount of shouting will speed up the process. The records for making the payouts are incredibly bad and inefficient. It might take 15 mins to check a single person before you realise that the records on hand for that person are useless/contradictory. Now multiply this by 100s of people.

Someone earlier mentioned hiring people but that's not an option here. I would not trust a relative unknown with this data and the time/effort involved with finding a new person who would be competent does not make it a positive tradeoff.

Any news on when people that are marked as "accurate" get (part of) their funds? You said some people already received 50% of their funds. How was it decided that they could get a payment, while other people with an account marked as "accurate" received nothing so far?

People are divided into different classes depending on how certain we are of their claim. As we move through verifying accounts, we become more certain. Once everyone is refunded for 50% we then double back through all refunds and refund the last 50% at the very end.

I want to explain the logic behind 50% initial payments:

For each claim you have a certainty of its validity. You have the sum of funds from before the site had the database stolen which is equal to the site's previous balance. This sum must be distributed among claims somehow.

Ideally you would mark claims that you thought were accurate and those that weren't (based on what the data indicates to us). Then you would end up with some total value which you compare to the total funds available.

If less than the total funds, then be more permissive and allow certain more claims in. Repeat the above step.

If more than the total funds, then knock out low certainty claims and maybe redistribute funds among lower certainty claims (better that someone who is maybe legitimate, gets something rather than nothing).

You then end up with claims that are refunded with a best-fit according to the available data.

However people demand funds quickly. So as a compromise, we make 50% payouts initially (for claims we are highly certain are accurate). This allows an error margin so that in the final step we can still juggle balances around to resolve payments for everybody. The only downside is that you cannot decide to pay someone 0% after you've paid them 50%.

Then once people have been refunded for 50% and the final balances are decided, the process goes back over payees and refunds them for the remaining amount. I assume the final step should not take long given that it's just making payments out for known beneficiaries.

Anyways shorts close @ 4.9 longs @ 5.1

Transisto is maintaining a helpful thread detailing all Bitcoinica posts and notable posts: https://bitcointalk.org/index.php?topic=89782.0
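As an added illustration that is not code from the original thread, from genjix, or from Bitcoinica: a Python model of the two-phase settlement the post above describes. Claims carry a certainty score, a fixed pool is distributed by admitting claims a certainty tier at a time, a 50% first payment goes to the highly certain claims, and a first payment is never clawed back, so the final reconciliation treats it as a floor. The claim names, amounts, certainty scores, the 0.9 "high certainty" cut-off and the $9,000 pool are constructed for the example, and the rule that the first tier which does not fit shares what is left pro rata over its still-unpaid portions is one concrete reading of "redistribute funds among lower certainty claims".

```python
"""Two-phase claims settlement against a fixed pool (added example, not Bitcoinica code)."""
from dataclasses import dataclass
from itertools import groupby


@dataclass
class Claim:
    name: str
    amount: float      # balance claimed (constructed figures, USD)
    certainty: float   # 0.0..1.0, how well the surviving records support the claim
    paid: float = 0.0  # already paid out; payments cannot be reversed


def initial_payouts(claims, high=0.9, fraction=0.5):
    """Phase 1: pay `fraction` of the claim to claims we are highly certain of.
    The 0.9 cut-off is an assumption of this example. Returns {name: paid_now}."""
    out = {}
    for c in claims:
        if c.certainty >= high and c.paid == 0.0:
            c.paid = round(c.amount * fraction, 2)
            out[c.name] = c.paid
    return out


def final_allocation(claims, pool):
    """Phase 2: decide every claim's total entitlement against the fixed pool.

    Tiers are walked from most to least certain. A tier whose unpaid total fits
    in what is left is admitted in full. The first tier that does not fit shares
    what is left pro rata over its unpaid portions, and every less certain tier
    gets nothing beyond what it already holds. Phase-1 money is a floor: it is
    never clawed back, even if a claim's certainty was revised down since.
    Returns {name: total_entitlement}.
    """
    alloc = {c.name: c.paid for c in claims}        # irreversible floors
    remaining = pool - sum(alloc.values())
    if remaining < 0:
        raise ValueError("phase-1 payouts already exceed the pool")
    ordered = sorted(claims, key=lambda c: -c.certainty)
    for _, tier in groupby(ordered, key=lambda c: c.certainty):
        tier = list(tier)
        unpaid = sum(c.amount - c.paid for c in tier)
        if unpaid <= remaining:
            for c in tier:
                alloc[c.name] = c.amount
            remaining -= unpaid
            continue
        # Shortfall: this tier splits what is left; lower tiers get no more.
        for c in tier:
            share = remaining * (c.amount - c.paid) / unpaid
            alloc[c.name] = round(c.paid + share, 2)
        break
    return alloc


def remaining_payouts(claims, alloc):
    """The second round of payments: entitlement minus what was already paid."""
    return {c.name: round(alloc[c.name] - c.paid, 2)
            for c in claims if alloc[c.name] - c.paid > 0}


def sample_claims():
    """Constructed claims; the data is not from Bitcoinica's records."""
    return [
        Claim("alice", 4000.0, 0.95),
        Claim("bob", 2000.0, 0.95),
        Claim("carol", 3000.0, 0.70),
        Claim("dave", 5000.0, 0.70),
        Claim("erin", 1000.0, 0.30),
    ]


def run_example(pool=9000.0):
    """Pay the certain claims 50%, then revise one claim down after
    contradictory records turn up, and settle the rest against the pool."""
    claims = sample_claims()
    first = initial_payouts(claims)
    for c in claims:
        if c.name == "bob":
            c.certainty = 0.30           # records later contradicted bob's claim
    alloc = final_allocation(claims, pool)
    return first, alloc, remaining_payouts(claims, alloc)


if __name__ == "__main__":
    first, alloc, second = run_example()
    print("phase 1:", first)
    print("entitlements:", alloc, "sum:", sum(alloc.values()))
    print("phase 2:", second)
```

In the constructed run, bob is paid $1,000 in phase 1 and then drops into a tier that is not funded at all; the floor keeps his $1,000 (the "cannot pay someone 0% after paying 50%" downside the post mentions), and that $1,000 is money the 0.70 tier no longer receives. The entitlements always sum to exactly the pool, which is the invariant that makes the first-round error margin workable.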
658  Economy / Service Announcements / [Payout Updates] Bitcoinica site is taken offline for security investigation on: May 28, 2012, 06:04:52 AM
I will post information here as I receive it.

28 May 07:00: Discussion right now is centered on the nature of selecting payees. There is the question of what nature the system for choosing payees should take, with different people favouring 1 of 2 approaches (one is fast and unreliable, the other slow and reliable). I can't say more than that for technical reasons. Everyone wants to pay everyone back, but have a differing opinion how it will work.

30 May 01:52: Consensus seems to have been reached. Waiting for final confirmation to move ahead so we can work out the actual payout implementation specifics.

30 May 23:30: We're going to proceed with payouts of the few people we have verified hopefully tomorrow for 80% of their claims (the remaining 20% will be refunded later). A more lengthy process will be applied to everyone else.

3 June 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

13 June 15:00: Initial payouts have been made to verified people for 50% of their claim.

Transisto is maintaining a helpful thread detailing all Bitcoinica posts and notable posts: https://bitcointalk.org/index.php?topic=89782.0

Claims can be made via: https://claims.bitcoinica.com/
For enquiries email: bitcoinica.reimburse@gmail.com
659  Economy / Trading Discussion / Re: Zhoutong on: May 27, 2012, 02:27:27 AM
Step 1 - fix the code.

Flaws were already being found in the code. That was the logical first step. That the environment ended up being exploited is simply hindsight. I would prefer not changing a working environment until after knowing how the code operates. An example is that the early Intersango accidentally made out a 500 BTC payment when the file permissions were too strict. Similarly changing an aspect of Bitcoinica without proper insight could have had grave consequences.

First you understand the code. Then you run the code. You experiment with a test system. Make improvements. Deploy changes. Change production environment.

The Bitcoinica plan was to do the above while creating a new platform to replace it in the long term.
660  Economy / Trading Discussion / Re: Zhoutong on: May 26, 2012, 01:04:51 PM
Right, here is a VC backed company with Bitcoin developers and "with specialisation in information security" CTO on board who own and operate a service that got hacked. And you think that it is all fault of a 17 yo who they have hired and who was an employee and later got effectively fired.

Good luck convincing any judge or anyone with a modicum of common sense.

Your post is so hindsight is 20/20.

It is bad practice to make sudden disruptive changes overnight to a production system. Instead the theory was a very gradual replacing of the system while observing changes. Bitcoinica was already very fragile. I still think that was a good decision.