Bitcoin Forum
March 19, 2024, 10:48:43 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 ... 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 [70] 71 72 73 74 75 76 77 78 79 »
  Print  
Author Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation  (Read 224549 times)
rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
May 25, 2012, 03:19:41 AM
 #1381

randoms from #c++ IRC, people from this forum, beginners I was teaching .etc
Well that kind of does narrow it down, at least a tiny bit, no? Have you any guesses as to the identity of this pasty little twerp that was unoriginal enough to commit this crime?

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
1710845323
Hero Member
*
Offline Offline

Posts: 1710845323

View Profile Personal Message (Offline)

Ignore
1710845323
Reply with quote  #2

1710845323
Report to moderator
1710845323
Hero Member
*
Offline Offline

Posts: 1710845323

View Profile Personal Message (Offline)

Ignore
1710845323
Reply with quote  #2

1710845323
Report to moderator
1710845323
Hero Member
*
Offline Offline

Posts: 1710845323

View Profile Personal Message (Offline)

Ignore
1710845323
Reply with quote  #2

1710845323
Report to moderator
"Your bitcoin is secured in a way that is physically impossible for others to access, no matter for what reason, no matter how good the excuse, no matter a majority of miners, no matter what." -- Greg Maxwell
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1710845323
Hero Member
*
Offline Offline

Posts: 1710845323

View Profile Personal Message (Offline)

Ignore
1710845323
Reply with quote  #2

1710845323
Report to moderator
fcmatt
Legendary
*
Offline Offline

Activity: 2058
Merit: 1001


View Profile
May 25, 2012, 03:29:49 AM
 #1382

randoms from #c++ IRC, people from this forum, beginners I was teaching .etc
Well that kind of does narrow it down, at least a tiny bit, no? Have you any guesses as to the identity of this pasty little twerp that was unoriginal enough to commit this crime?

Seems like it would be short list of who had root on vps. Without root cannot do much at all on vps.
bitcoinBull
Legendary
*
Offline Offline

Activity: 826
Merit: 1001


rippleFanatic


View Profile
May 25, 2012, 03:31:12 AM
 #1383

the plot thickens.  Shocked

Will somebody just admit whether there is a backup of the user database or not?

Man up zhou.

There is NO BACKUP. Think about this: PASSWORDS WERE SALTED. There was NO NEED for a claim form. They could have let the users simply login into their account to authenticate.

Not to mention those users using google authenticator.

The form is there because there is jack shit in terms of data.

If this is the case, I blame zhou for that. A 17-year old boy with zero contingency plans, twice demonstrated (shame on me). (and furthermore, I will never use his new domain manager service or any other).

How does he suppose to process claims without a user database backup is my only lingering question?

genjix and zhou: get a room. you belong together.

MagicalTux handled his shit last year, because he was a twenty-five year old man. Long-live MtGox.

College of Bucking Bulls Knowledge
rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
May 25, 2012, 03:41:06 AM
 #1384

the plot thickens.  Shocked

Will somebody just admit whether there is a backup of the user database or not?

Man up zhou.

There is NO BACKUP. Think about this: PASSWORDS WERE SALTED. There was NO NEED for a claim form. They could have let the users simply login into their account to authenticate.

Not to mention those users using google authenticator.

The form is there because there is jack shit in terms of data.

If this is the case, I blame zhou for that. A 17-year old boy with zero contingency plans, twice demonstrated (shame on me). (and furthermore, I will never use his new domain manager service or any other).

How does he suppose to process claims without a user database backup is my only lingering question?

genjix and zhou: get a room. you belong together.

MagicalTux handled his shit last year, because he was a twenty-five year old man. Long-live MtGox.
I think you are a little bit confused.

Your passports are in my private repository (AES-256 encrypted), and the previous API access key was revoked. I'm the only person with access to such information now. Patrick et al. can request for the repository once they need it, but currently they don't.

Zhou Tong's hands are tied, because he no longer has access to the systems - as far as I can tell from what he has posted. He has also offered to take over the claims process and make everything right, but that was also rejected. Attacking him and his reputation isn't the way to proceed here.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
MrTeal
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
May 25, 2012, 03:42:08 AM
 #1385

genjix and zhou: get a room. you belong together.

MagicalTux handled his shit last year, because he was a twenty-five year old man. Long-live MtGox.
http://www.youtube.com/watch?v=aoMmbUmKN0E
MrTeal
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
May 25, 2012, 03:44:21 AM
 #1386

To the person above, here's what happened:
- Bitcoinica has an internet mailing list called info@bitcoinica.com
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and login to rackspace.

The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching .etc It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then had access to his emails.

Patrick requested him to be added because he wanted to reset server root passwords. And he did receive several email reset confirmations. Whether the email is his personal email or work email, it shouldn't matter. It's the same email that he use to receive the confirmations and all Bitcoinica sensitive emails.

The attacker didn't think the email account was a big deal either, until he saw the password reset confirmations. The hacker then found out the Rackspace Cloud username "bitcoinica" using the "forgot username" option, which means that the hacker didn't even initially realise the association between bitcoinica and the hacked email account.

EDIT:

I didn't blame Patrick for the email compromise. It's the hacker's fault, not his.

But Donald and Amir keep mentioning that the access control system is improper. Patrick is the only guy in Bitcoinica Consultancy who had access to critical data. I didn't give the permission to anyone else. And I didn't get compromised either.

If I was adding everyone to the mailing list, that would be unacceptable. But I added patrick@bitcoinconsultancy.com (which he told me), and you're telling me I should treat it as personal email and non-critical.

Have you talked to the hacker, or are you speculating on his reaction and the steps he went through.
bitcoinBull
Legendary
*
Offline Offline

Activity: 826
Merit: 1001


rippleFanatic


View Profile
May 25, 2012, 03:58:14 AM
 #1387

I think you are a little bit confused.

Your passports are in my private repository (AES-256 encrypted), and the previous API access key was revoked. I'm the only person with access to such information now. Patrick et al. can request for the repository once they need it, but currently they don't.

Zhou Tong's hands are tied, because he no longer has access to the systems - as far as I can tell from what he has posted. He has also offered to take over the claims process and make everything right, but that was also rejected. Attacking him and his reputation isn't the way to proceed here.

How do a few passports help link usernames and passwords to account funds? They don't help. At all.


genjix and zhou: get a room. you belong together.

MagicalTux handled his shit last year, because he was a twenty-five year old man. Long-live MtGox.
http://www.youtube.com/watch?v=aoMmbUmKN0E


thanks for this! lol.

College of Bucking Bulls Knowledge
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1918
Merit: 1570


Bitcoin: An Idea Worth Spending


View Profile WWW
May 25, 2012, 04:06:22 AM
 #1388

Full Disclosure: I AM (or is it I'm?) NOT A WORDSMITH!

But I know grammatical errors when I see/read them and I'm seeing/reading a hell of a lot them in all these official/nonofficial posts. It's like I'm reading shit written by young adults who don't have a rudimentary command of the English language but keep trying their damndest to come across as educated blokes. Now, I'm not necessarily speaking of Zhou, for obvious reasons, but I feel (not sure) that his writting style has changed, as if somebody else is posting in his name. Reason I say this is because I've read words of which he's spelled correctly in the past, coupled with his current delivery seems odd (to me).

Forgive me if this has already been address, but I'm now only catching up, about nine pages out.

Back to reading this CF.

~Bruno~


After I moved to Australia, I changed the computer language to Australian English and my Mac autocorrected everything for me. It's handy when I need to write essays and business documents.

I always use American spelling online, but I didn't bother to change the settings or manually correct the spelling.

So I hope this explains something.

That makes perfect sense, Zhou. BTW, I'm going on record and state that I'm on Zhou's side and will remain so until I state otherwise. I'm going by actions but, moreover, feelings in my decision.

~Bruno~
da2ce7
Legendary
*
Offline Offline

Activity: 1222
Merit: 1016


Live and Let Live


View Profile
May 25, 2012, 04:34:38 AM
 #1389


One off NP-Hard.
DiabloD3
Legendary
*
Offline Offline

Activity: 1162
Merit: 1000


DiabloMiner author


View Profile WWW
May 25, 2012, 05:03:32 AM
 #1390



I lol'd

Garr255
Legendary
*
Offline Offline

Activity: 938
Merit: 1000


What's a GPU?


View Profile
May 25, 2012, 05:17:30 AM
 #1391


“First they ignore you, then they laugh at you, then they fight you, then you win.”  -- Mahatma Gandhi

Average time between signing on to bitcointalk: Two weeks. Please don't expect responses any faster than that!
M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
May 25, 2012, 06:37:20 AM
 #1392

Now I'm really afraid that noone will receive their funds. People have asked several times about the backups, and every Bitcoinica former or current member conveniently avoided this topic. If there were any backups, I'm sure they'd want to answer their customers concerns as soon as possible. Avoiding this topic whatsoever is really, really fishy.
Clipse
Hero Member
*****
Offline Offline

Activity: 504
Merit: 502


View Profile
May 25, 2012, 08:03:23 AM
 #1393

Up until yesterday you people were screaming about the owner, that you want to know who he is, several pages of bitching, now that he showed up, and he is not the criminal mastermind you expected him to be, you started with the backups, I wonder what you will come up with next.

bitcoinica socket puppet much? Every single post that you made in this thread is somehow an attack on those who wants transparency and REAL answers/solutions.

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
DarkEmi
Full Member
***
Offline Offline

Activity: 223
Merit: 100



View Profile
May 25, 2012, 08:36:05 AM
 #1394

What is the "official stance" of the officials "owners" ?

The more i read this topic the more it gets confusing.
I have been patiently waiting for answers but the lack of precise answers is starting to get worrysome.

Have any users gotten back funds yet ? (and if you did, can you tell us how many ?)

ProProfi.com
The first home improvement service cryptocurrency project
ICO | Discuss on Forum
Bitcoinica Consultancy
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
May 25, 2012, 09:07:16 AM
 #1395

Per standard practice, Bitcoin Consultancy entered into a non-disclosure agreement which extends to Bitcoinica's proprietary systems and processes. They are free to discuss their role and history with the company.

Hi,

Thank you for this. We are incredibly happy. We will need to clear up some distinctions and make sure the account is in fact Tihan's account. He can do so via confirmation in email or on skype. We also need clarification as to what "role and history mean".

1. Are Bitcoinica Consultancy and its individual members allowed to talk about the security issues and this incident without limitation? Yes/No

The NDA extends to our persons I believe.

Finally, Tihan, people seem to have questions regarding the database.

2. Are we, Bitcoinica Consultancy and it's individual members, at liberty to discuss in full detail the nature of the database? Yes/No

3A. Are we, Bitcoinica Consultancy and it's individual members, at liberty to release relevant skype logs in full without worry that information in those logs are sensitive? Yes/No

3B. If there is a "No" answer for question 3A, could you specify and clearly what we are not allowed to post (for example, content that would violate a user's privacy) and remember to claim that the list of restrictions you post is an exhaustive list.

4. Are you willing to take the short steps to nullify any NDA we may have? Yes/No

5. Can we release a full account of the security detail and practices relevant to Bitcoinica's history and this incident? Yes/No



Finally, we can certainly see the semblance of unprofessionality that Bitcoinica Consultancy was resonating. We would like to apologise for having to go to such an extreme. We were urged against making such statements by Tihan and Zhou as they would hurt everyone's reputation, including our own. The circumstances were such that we had no real ability to respond to misinformation and misrepresentation. We full well knew that our immediate reputation would suffer greatly. In matters like this, things often need to get worse before they can get better. However, it seems we will be finally be successful in providing full disclosure for everyone. We were talking with Tihan about trying to clear up misrepresentations for a long time and with Zhou as well. Unfortunately, we were not granted the ability to clear up the relevant issues (possibly until now) and Zhou kept making and continues to make false statements and wildly misrepresenting the facts. We are very happy with the turn of events as we are certain that (as long as Tihan's comment wasn't intentionally nondescript or ambiguous) we will be able to set the record straight.


We are not pursuing this matter at the expense of the reclaims process. However, when we have time, we will (in great detail) show that many statements that have been made have been malicious and false.
repentance
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1000


View Profile
May 25, 2012, 09:09:07 AM
 #1396


So I take this as, you or you and others you represent are Venture Capitalists that put Bitcoin Consultancy in charge of your investment. e.g. Cisco but the team you put in charge flubbed up somewhere.
 

Interestingly, Bitcoin Consultancy took over Bitcoinica the same day that Tihan's CoinLab venture secured $500,000 of VC for investment in Bitcoin projects.

http://www.forbes.com/sites/jonmatonis/2012/04/24/coinlab-attracts-500000-in-venture-capital-for-bitcoin-projects/

http://www.geekwire.com/2012/bitcoin-startup-coinlab-lands-funding-tim-draper-monetize-games/

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
Vladimir
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1001


-


View Profile
May 25, 2012, 09:10:58 AM
Last edit: May 25, 2012, 09:25:55 AM by Vladimir
 #1397

Seriously? Are you guys talking with your financier on this forum and asking him here to confirm details of your NDA terms? This is getting much closer to that russian comedy youtube videos standard now than ever before!

Who is this guy "Bitcoinica Consultancy"? I was wrong, Bitcoin's entertainment value is not 50$ it is 100$ now.

Here we go guys, all those who were asking all the time what is Bitcoin backed by, you now have your answer. Bitcoin is backed by non-stop entertainment.


Per standard practice, Bitcoin Consultancy entered into a non-disclosure agreement which extends to Bitcoinica's proprietary systems and processes. They are free to discuss their role and history with the company.

Hi,

Thank you for this. We are incredibly happy. We will need to clear up some distinctions and make sure the account is in fact Tihan's account. He can do so via confirmation in email or on skype. We also need clarification as to what "role and history mean".

1. Are Bitcoinica Consultancy and its individual members allowed to talk about the security issues and this incident without limitation? Yes/No

The NDA extends to our persons I believe.

Finally, Tihan, people seem to have questions regarding the database.

2. Are we, Bitcoinica Consultancy and it's individual members, at liberty to discuss in full detail the nature of the database? Yes/No

3A. Are we, Bitcoinica Consultancy and it's individual members, at liberty to release relevant skype logs in full without worry that information in those logs are sensitive? Yes/No

3B. If there is a "No" answer for question 3A, could you specify and clearly what we are not allowed to post (for example, content that would violate a user's privacy) and remember to claim that the list of restrictions you post is an exhaustive list.

4. Are you willing to take the short steps to nullify any NDA we may have? Yes/No

5. Can we release a full account of the security detail and practices relevant to Bitcoinica's history and this incident? Yes/No



Finally, we can certainly see the semblance of unprofessionality that Bitcoinica Consultancy was resonating. we would like to apologise for having to go to such an extreme. We were urged against making such statements by Tihan and Zhou as they would hurt everyone's reputation, including our own. The circumstances were such that we had no real ability to respond to misinformation and misrepresentation. We full well knew that our immediate reputation would suffer greatly. In matters like this, things often need to get worse before they can get better. However, it seems we will be finally be successful in providing full disclosure for everyone. We were talking with Tihan about trying to clear up misrepresentations for a long time and with Zhou as well. Unfortunately, we were not granted the ability to clear up the relevant issues (possibly until now) and Zhou kept making and continues to make false statements and wildly misrepresenting the facts. We are very happy with the turn of events as we are certain that (as long as Tihan's comment wasn't intentionally nondescript or ambiguous) we will be able to set the record straight.


We are not pursuing this matter at the expense of the reclaims process. However, when we have time, we will (in great detail) show that many statements that have been made have been malicious and false.

-
repentance
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1000


View Profile
May 25, 2012, 09:21:32 AM
 #1398

Seriously? Are you guys talking with your financier on this forum and asking him here to confirm details of your NDA terms? This is getting much closer to that russian comedy youtube videos standard now than ever before?

Who is this guy "Bitcoinica Consultancy"?

Guess they missed this part of Tihan's post.

Quote
I’m unable to follow most public postings here, but you can reach me through this forum by private message. Questions about processing of funds should be directed to Bitcoin Consultancy as they alone control that process.

It's a bit alarming if they signed an NDA without understanding exactly what "Bitcoinica's proprietary systems and processes" means - lawyers normally nail that shit down.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
Clipse
Hero Member
*****
Offline Offline

Activity: 504
Merit: 502


View Profile
May 25, 2012, 09:30:19 AM
 #1399

All this NDA talk just seems like fancy ways to sound overly important and stall things indefinitely.

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
geebus
Sr. Member
****
Offline Offline

Activity: 258
Merit: 250



View Profile WWW
May 25, 2012, 09:34:30 AM
 #1400

I don't know how you seem to believe that Zhou is misrepresenting everything so badly when his comments seem to correlate with the comments that were also made by genjix and Tihan (in respect to the comments made by them, that is)...

It seems kind of chickenshit to me. Just sayin'...

Feel like donating to me? BTC Address: 14eUVSgBSzLpHXGAfbN9BojXTWvTb91SHJ
Pages: « 1 ... 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 [70] 71 72 73 74 75 76 77 78 79 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!