Bitcoin Forum
December 04, 2016, 10:27:50 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
Pages: « 1 ... 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 [77] 78 79 80 »
Author Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation  (Read 201523 times)
repentance (Hero Member, Activity: 840)
May 25, 2012, 11:40:12 PM  #1521

Quote
Please?

This thread has some fun, I can't deny it. It's nice to read it sometimes. But it would be better if you started something like a "Bitcoinica Claim Process", or something similar, more focused on updates for those trying to know how everything's going, don't you think?

It's been explicitly stated several times that Bitcoinica Consultancy alone is handling the claims process, so perhaps the request for a dedicated thread needs to be made of them - even though they seem totally unable to communicate in a timely and comprehensible manner.  It would be valuable if they listed specific times when people can expect updates on the process.

I also notice that the question of whether this intrusion has been reported to law enforcement remains unanswered.  There is no reason whatsoever for a legitimate enterprise not to report the theft of its database, regardless of the contents of that database.  In the past, there have been investigations into, and charges laid over, the theft of in-game items in virtual worlds - it's not necessary to define Bitcoin as a currency or a commodity in order to determine that it has both value and ownership.  That the operators of Bitcoinica are willing to reimburse customer losses doesn't mean that the theft shouldn't be formally investigated.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
Mageant (Legendary, Activity: 1079)
May 25, 2012, 11:53:36 PM  #1522

Quote
No database backups. Sorry for avoiding the question.

OMG.

The first rule of using a computer is that you *always* make backups. You back up early and you back up often, on-site and off-site.

I learned that the hard way in the early years of my 30-year computer programming career. If you don't do this then eventually you can get a *really big problem* like Bitcoinica has now.

repentance (Hero Member, Activity: 840)
May 26, 2012, 12:11:51 AM  #1523

Quote
No database backups. Sorry for avoiding the question.

OMG.

The first rule of using a computer is that you *always* make backups. You back up early and you back up often, on-site and off-site.

I learned that the hard way in the early years of my 30-year computer programming career. If you don't do this then eventually you can get a *really big problem* like Bitcoinica has now.

It's still extremely bizarre that Rackspace had no way to log the hacker out and that he was still able to delete the emergency backup in spite of the servers supposedly being suspended.  That's a huge security flaw for a hosting service to have and you do have to wonder whether the hacker was aware of that "hidden feature".  Whatever mistakes were made by Bitcoinica were certainly compounded by the inability of Rackspace to totally lock down the compromised servers.

Zhou, I notice that you are focusing primarily on what is technically possible.  For a whole lot of reasons, the claims process must also have integrity from an accounting point of view.  The principals have little choice but to assume that the manner in which they process user claims may be the subject of legal action in the future and to ensure that the process complies with recognised business and accounting standards (in fact, the process should really be independently audited).  While your proposals have merit, they need to be considered in a broader business context and it would be foolish of the principals to implement them without first obtaining professional advice.

Otoh (Donator, Legendary, Activity: 1918)
May 26, 2012, 12:43:22 AM  #1524

Quote
No database backups. Sorry for avoiding the question.

OMG.

The first rule of using a computer is that you *always* make backups. You back up early and you back up often, on-site and off-site.

I learned that the hard way in the early years of my 30-year computer programming career. If you don't do this then eventually you can get a *really big problem* like Bitcoinica has now.

It's still extremely bizarre that Rackspace had no way to log the hacker out and that he was still able to delete the emergency backup in spite of the servers supposedly being suspended.  That's a huge security flaw for a hosting service to have and you do have to wonder whether the hacker was aware of that "hidden feature".  Whatever mistakes were made by Bitcoinica were certainly compounded by the inability of Rackspace to totally lock down the compromised servers.

Zhou, I notice that you are focusing primarily on what is technically possible.  For a whole lot of reasons, the claims process must also have integrity from an accounting point of view.  The principals have little choice but to assume that the manner in which they process user claims may be the subject of legal action in the future and to ensure that the process complies with recognised business and accounting standards (in fact, the process should really be independently audited).  While your proposals have merit, they need to be considered in a broader business context and it would be foolish of the principals to implement them without first obtaining professional advice.

para 1 - The only person involved, it seems, with the slightest understanding of even kindergarten-level security was the hacker here.

para 2 - Indeed, why didn't they just do as in the Bond films and pull the mains plug, internet cable, cut some wires, etc.?

para 3 - So now 90% of sequestrated funds will go to lawyers, accountants, receivers, loss adjusters, etc. and the process will take years. Really, just throw it to Zhou Tong to fix as best he can; it won't be perfect, but at least he will try and do the right thing by everyone, and fast, then move on.

repentance (Hero Member, Activity: 840)
May 26, 2012, 01:18:56 AM  #1525

Quote
para 3 - So now 90% of sequestrated funds will go to lawyers, accountants, receivers, loss adjusters, etc. and the process will take years. Really, just throw it to Zhou Tong to fix as best he can; it won't be perfect, but at least he will try and do the right thing by everyone, and fast, then move on.

One of Tihan's partners in CoinLab already spoke publicly about how raising VC for their projects was made more difficult by the fact that they involved Bitcoin.  If Bitcoin businesses continue to be seen as entities which just do whatever they want when something goes wrong rather than following established business practice, they will continue to have problems attracting venture capital.

It should not take an accountant (and there's already one associated with Bitcoinica and its FSP, even if he might not have anticipated having to actually do something in relation to the business beyond setting it up) very long to communicate to Bitcoinica Consultancy the essential elements which must be considered when processing and disbursing claims.  This is not a business whose financial practices are not subject to external scrutiny - they are a registered financial services provider and that means they can't just do whatever the hell they want in terms of financial activity and accounting practices.

Messes like this one happen in part because many Bitcoin enterprises start out as one-man operations and when they expand, appropriate professional standards are not applied to their operations - areas in which the founder has little expertise often get ignored until something goes wrong.  Bitcoinica's technical security was inadequate.  It should not compound an already bad situation by implementing a claims process which is also inadequate and which has no independent oversight.

stochastic (Hero Member, Activity: 532)
May 26, 2012, 02:29:35 AM  #1526

It sounds like there were too many people in charge at Bitcoinica.  Zhou kinda operated it, there was some main owner, and now some Bitcoin Consultancy general partners.  I am always against forming partnerships for this reason.  It is like getting married.  Instead of giving part of the company to someone, just give part of the profits.

Make one person in charge and then delegate other responsibilities to everyone else.  Don't let everyone in the company make public statements about the company.

Introducing constraints to the economy only serves to limit what can be economical.
chsados (Hero Member, Activity: 652)
May 26, 2012, 02:44:40 AM  #1527

Quote
So how about starting a wiki on the framework for recoverable and resilient systems? For instance, binlogging to an encrypted disk on a server in a different datacenter, because that would fix issues with deleted databases. And HSM devices or some equivalent for storing private keys. And daily and hourly backups to systems outside of the core network. Encrypted of course.
What other ideas do people have?
Reason there isn't a consolidated resource is because people and companies make a lot of money in the computer security sector. You can find a lot of good information piecemeal but the "how" of putting it all together has extra value from the hoarding of that knowledge.
Very true. And, the "how" often changes so rapidly that maintaining a comprehensive resource on it is not workable. What I want to see is a list of minimum standards that should be expected from businesses dealing with our money. Simply a framework of technologies that you have to stir together in the right proportions, and a list of potential consequences of omitting one or more of them.
You are describing financial regulations, for that you should deal with financially regulated companies. I personally have no wish to see BTC taken over by any government's financial framework. It's a tough problem, imo this is a great opportunity to see if open sourcing security completely would actually be effective. If the whole process is completely transparent then people can decide for themselves whether to use a BTC service.

Well, wouldn't the open source nature of the Bitcoin protocol be somewhat similar? The Bitcoin protocol is out there for anyone to view. Why can't there be a wiki-style collection of tested and proven security methods?
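The binlog-shipping idea quoted in the post above (log every change to a server in another datacenter, so that a deleted database can be rebuilt), as an added example that is not code from the thread, from Bitcoinica, or from MySQL's own binlog. In place of a real binlog and an encrypted remote disk it uses a toy in-memory "remote" log, and it adds an HMAC chain over the entries so that a log with a record removed or edited fails verification before anything is replayed. The key, the class and function names, the account names and the amounts are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Added example, not from the thread, Bitcoinica or MySQL. Models the proposal
# above: every change is written to a log held elsewhere before it is applied to
# the primary database, and a wiped database is rebuilt by replaying that log.
# The HMAC chain is this example's addition: a truncated or edited log fails
# verification before replay. Key, accounts and amounts are constructed.

LOG_KEY = b"constructed-key-held-only-by-the-log-host"


class RemoteBinlog:
    """Append-only record of changes, standing in for the off-site binlog copy."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries: List[dict] = []

    def _mac(self, prev: str, entry: dict) -> str:
        payload = prev.encode() + json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def append(self, entry: dict) -> None:
        prev = self.entries[-1]["mac"] if self.entries else "genesis"
        self.entries.append({"prev": prev, "entry": entry, "mac": self._mac(prev, entry)})

    def verify(self) -> bool:
        """True only if every record chains to its predecessor with a valid MAC."""
        prev = "genesis"
        for rec in self.entries:
            if rec["prev"] != prev or not hmac.compare_digest(
                rec["mac"], self._mac(prev, rec["entry"])
            ):
                return False
            prev = rec["mac"]
        return True


class Ledger:
    """The primary database: a balances table an attacker can delete."""

    def __init__(self, binlog: RemoteBinlog):
        self.binlog = binlog
        self.balances: Dict[str, int] = {}

    def _check(self, entry: dict) -> None:
        op, acct, amount = entry["op"], entry["acct"], entry["amount"]
        if op not in ("credit", "debit") or amount <= 0:
            raise ValueError(f"bad entry {entry}")
        if op == "debit" and self.balances.get(acct, 0) < amount:
            raise ValueError("insufficient funds")

    def _apply(self, entry: dict) -> None:
        sign = 1 if entry["op"] == "credit" else -1
        acct = entry["acct"]
        self.balances[acct] = self.balances.get(acct, 0) + sign * entry["amount"]

    def execute(self, op: str, acct: str, amount: int) -> None:
        entry = {"op": op, "acct": acct, "amount": amount}
        self._check(entry)          # validate first, so the log never holds a rejected op
        self.binlog.append(entry)   # write-ahead: the remote copy has it before we apply it
        self._apply(entry)

    def wipe(self) -> None:
        self.balances = {}          # what an intruder with database access does to the primary


def rebuild_from_binlog(binlog: RemoteBinlog) -> Ledger:
    """Reconstruct the ledger from the remote log, refusing a broken chain."""
    if not binlog.verify():
        raise RuntimeError("binlog chain broken: truncated or tampered")
    ledger = Ledger(binlog)
    for rec in binlog.entries:
        ledger._check(rec["entry"])
        ledger._apply(rec["entry"])   # replay without re-logging
    return ledger
```

Two caveats the toy makes visible. The chain only helps if the key and the log live on a host the database's credentials cannot reach, which is exactly the separation the post asks for; a log on the same box, or reachable with the same hosting-panel login, goes with the database. And a chain alone does not detect removal of the newest records: catching truncation at the tail also needs the latest MAC recorded somewhere the database host cannot write.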
DiabloD3 (Legendary, Activity: 1162, DiabloMiner author)
May 26, 2012, 03:49:38 AM  #1528

Quote
So how about starting a wiki on the framework for recoverable and resilient systems? For instance, binlogging to an encrypted disk on a server in a different datacenter, because that would fix issues with deleted databases. And HSM devices or some equivalent for storing private keys. And daily and hourly backups to systems outside of the core network. Encrypted of course.
What other ideas do people have?
Reason there isn't a consolidated resource is because people and companies make a lot of money in the computer security sector. You can find a lot of good information piecemeal but the "how" of putting it all together has extra value from the hoarding of that knowledge.
Very true. And, the "how" often changes so rapidly that maintaining a comprehensive resource on it is not workable. What I want to see is a list of minimum standards that should be expected from businesses dealing with our money. Simply a framework of technologies that you have to stir together in the right proportions, and a list of potential consequences of omitting one or more of them.
You are describing financial regulations, for that you should deal with financially regulated companies. I personally have no wish to see BTC taken over by any government's financial framework. It's a tough problem, imo this is a great opportunity to see if open sourcing security completely would actually be effective. If the whole process is completely transparent then people can decide for themselves whether to use a BTC service.
Not even government based, but just a wiki somewhere.

Many of the FIPS-140-2 guidelines are extremely applicable though.

If you're just talking about data storage, there are commercially available FIPS-140-2 level 3 devices that can be unlocked under Linux such as IronKey: http://www.imation.com/en-US/Mobile-Security/Mobile-Security-Products/Secure-Data/ (the S200 series is SLC, D200 is MLC, and Enterprise includes remote wipe the next time it's plugged in, performed by the unlocking software).

rjk (Sr. Member, Activity: 420, 1ngldh)
May 26, 2012, 03:51:56 AM  #1529

Quote
If you're just talking about data storage, there are commercially available FIPS-140-2 level 3 devices that can be unlocked under Linux such as IronKey: http://www.imation.com/en-US/Mobile-Security/Mobile-Security-Products/Secure-Data/ (the S200 series is SLC, D200 is MLC, and Enterprise includes remote wipe the next time it's plugged in, performed by the unlocking software).
That's cool, I'd heard of them but didn't realize they were level 3 certified. Maybe I should get one to play with.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
World (Hero Member, Activity: 746)
May 26, 2012, 07:39:39 AM  #1530

Quote
Well, wouldn't the open source nature of the Bitcoin protocol be somewhat similar? The Bitcoin protocol is out there for anyone to view. Why can't there be a wiki-style collection of tested and proven security methods?

https://en.bitcoin.it/wiki/Securing_online_services

Supporting people with beautiful creative ideas. Bitcoin is because of the developers,exchanges,merchants,miners,investors,users,machines and blockchain technologies work together.
repentance (Hero Member, Activity: 840)
May 26, 2012, 08:03:05 AM  #1531


From previous Hacker News thread, in which zhoutong participated.

Quote
There are no probable outcomes where you do not end up having to explain where thousands of dollars of other people's money went to some angry people.

http://news.ycombinator.com/item?id=2974770


disclaimer201 (Legendary, Activity: 1316)
May 26, 2012, 09:39:42 AM  #1532

Quote
...Bitcoinica Memorial Day anyone, when we remember those brave & contagious souls who risked their all in a dodgy margin trading scheme, we recall those funds that were for ever lost, mislaid or indefinitely detained without due process, we vow never to repeat such a madness ever again, or at least not until Kronos.io opens for business next week


Who would be crazy enough to put another Satoshi into Kronos.io after what happened to the most renowned trading platform out there??? For all I care such hacks could be staged and there could be the same secret investors opening the same page under a new name preparing for the same heist once again. It's obviously untrue but are people truly so naive to think they can be successful now with the same business model- after what just happened TWICE, and with a solution for full security yet to be found???

+1 btw for handing over all claims to Zhoutong ASAP, at least the kid has some kind of a strategy to deal with refunds even though he deceived us about Bitcoinica's ownership for a long time.

repentance (Hero Member, Activity: 840)
May 26, 2012, 09:55:03 AM  #1533

Did the hacker also retrieve the username using the compromised email account - you need the username in order to reset the password for cloud hosting services and you need the account number/username to reset the password for managed services.

zhoutong (VIP, Hero Member, Activity: 490)
May 26, 2012, 10:23:54 AM  #1534

Quote
Did the hacker also retrieve the username using the compromised email account - you need the username in order to reset the password for cloud hosting services and you need the account number/username to reset the password for managed services.

The hacker didn't know anything about Bitcoinica. He first requested the username, then requested a password reset. I have to say that Rackspace Cloud's security protection for customers is not very up to standard - you can re-use the password reset link after it's already used! And password changes don't have any effect on the sessions. (Usually everyone should be logged out once there's a password change, but it didn't happen at all.) I'm not blaming Rackspace here. Just a kind warning to those who wish to use them for anything serious.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
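The two control-panel weaknesses zhoutong describes above (a password reset link that still works after it has been used, and a password change that leaves existing sessions logged in), together with the username-then-reset takeover chain repentance asks about, as an added example in Python. This is not Rackspace's or Bitcoinica's code: the `AuthService` class, its method names, the 15-minute token lifetime, the salt and the account names are all assumptions made for the example. It shows the corrected behaviour, where a reset token is stored as a digest, consumed on first use and expires, and where every session carries the password generation it was issued under so that a password change invalidates all of them.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Added example, not Rackspace or Bitcoinica code. Two controls whose absence
# zhoutong describes: password reset links that are single-use and expire, and
# invalidation of every existing session when the password changes. Class and
# method names, the token lifetime, the salt and the accounts are assumptions.

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)


@dataclass
class Account:
    username: str
    password_hash: bytes
    password_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    username: str
    password_generation: int  # generation the session was issued under


def _hash_password(password: str, salt: bytes = b"constructed-salt") -> bytes:
    # Demonstration only; a real service uses a per-user random salt and a
    # memory-hard KDF (argon2/scrypt/bcrypt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AuthService:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        # Reset tokens are stored only as digests, so a leaked table does not
        # hand out usable links. Value: (username, expiry timestamp).
        self.reset_tokens: Dict[bytes, Tuple[str, float]] = {}

    def create_account(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, _hash_password(password))

    def login(self, username: str, password: str) -> Optional[str]:
        candidate = _hash_password(password)  # always computed, so timing does not reveal whether the user exists
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password_hash, candidate):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, acct.password_generation)
        return sid

    def session_valid(self, sid: str) -> bool:
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        acct = self.accounts[sess.username]
        # A session issued under an older password generation is dead: this is
        # the "everyone logged out on password change" behaviour the post asks for.
        return sess.password_generation == acct.password_generation

    def issue_reset_token(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[digest] = (username, self.now() + TOKEN_TTL)
        return token  # in practice emailed to the address on file

    def redeem_reset_token(self, token: str, new_password: str) -> bool:
        digest = hashlib.sha256(token.encode()).digest()
        entry = self.reset_tokens.pop(digest, None)  # pop: the link is single-use
        if entry is None:
            return False
        username, expires = entry
        if self.now() > expires:
            return False
        self._set_password(username, new_password)
        return True

    def _set_password(self, username: str, new_password: str) -> None:
        acct = self.accounts[username]
        acct.password_hash = _hash_password(new_password)
        acct.password_generation += 1  # every session issued before this is now invalid
```

The generation counter is the cheap way to get the logout: no session table needs to be scanned, and it works the same whether sessions live in a database or in signed cookies that carry the generation number. Note that none of this helps once the mailbox itself is the attacker's, which is the chain described in the thread: the reset link is only as strong as the email account it is sent to, so the hosting panel also needs a second factor that the mailbox does not satisfy.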
muyuu (Donator, Legendary, Activity: 924)
May 26, 2012, 11:30:36 AM  #1535

Quote
...Bitcoinica Memorial Day anyone, when we remember those brave & contagious souls who risked their all in a dodgy margin trading scheme, we recall those funds that were for ever lost, mislaid or indefinitely detained without due process, we vow never to repeat such a madness ever again, or at least not until Kronos.io opens for business next week


Who would be crazy enough to put another Satoshi into Kronos.io after what happened to the most renowned trading platform out there??? For all I care such hacks could be staged and there could be the same secret investors opening the same page under a new name preparing for the same heist once again. It's obviously untrue but are people truly so naive to think they can be successful now with the same business model- after what just happened TWICE, and with a solution for full security yet to be found???

+1 btw for handing over all claims to Zhoutong ASAP, at least the kid has some kind of a strategy to deal with refunds even though he deceived us about Bitcoinica's ownership for a long time.


I have no idea about Kronos and its operation, but Bitcoinica was run terribly. I don't know why anyone would extrapolate what happened to Bitcoinica to any other business, while still keeping the slightest degree of trust in Bitcoinica. Just doesn't make sense.

So Bitcoinica was running on a cheap cloud server, got hacked and learnt absolutely nothing from the incident. Got hacked again, while in another cheap cloud server (in Rackspace, who also offers several more secure options including one aimed at financial security standards - yet they opted to be cheap again despite the massive running profits) and you somehow still give them more credibility than you'd give to a new service that, for starters, had a beta testing period. Which Bitcoinica didn't. Bitcoinica was running, apparently, less than 1 week after ZhouTong laid the first line of code. To top it off, they made significant changes to their core business structure in complete secrecy, and when asked about particular details they repeatedly lied. It simply doesn't get much worse or unprofessional than this.

As with any other "financial" bitcoin operation, not running under any regulations and not liable, obviously I'd put any amount of BTC in Kronos at my own risk. If you're not ready to lose them, don't put them there. This should apply to any business not offering you any sort of legal guarantee over your funds.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
disclaimer201 (Legendary, Activity: 1316)
May 26, 2012, 01:07:11 PM  #1536

Quote
...Bitcoinica Memorial Day anyone, when we remember those brave & contagious souls who risked their all in a dodgy margin trading scheme, we recall those funds that were for ever lost, mislaid or indefinitely detained without due process, we vow never to repeat such a madness ever again, or at least not until Kronos.io opens for business next week


Who would be crazy enough to put another Satoshi into Kronos.io after what happened to the most renowned trading platform out there??? For all I care such hacks could be staged and there could be the same secret investors opening the same page under a new name preparing for the same heist once again. It's obviously untrue but are people truly so naive to think they can be successful now with the same business model- after what just happened TWICE, and with a solution for full security yet to be found???

+1 btw for handing over all claims to Zhoutong ASAP, at least the kid has some kind of a strategy to deal with refunds even though he deceived us about Bitcoinica's ownership for a long time.

Quote
As with any other "financial" bitcoin operation, not running under any regulations and not liable, obviously I'd put any amount of BTC in Kronos at my own risk. If you're not ready to lose them, don't put them there. This should apply to any business not offering you any sort of legal guarantee over your funds.

I'm not ready to lose any more funds, and neither should you be. I don't trust Bitcoinica more than the next man. But why should Kronos be more trustworthy? I don't see how any such business earns any trust at the moment.

muyuu (Donator, Legendary, Activity: 924)
May 26, 2012, 01:13:18 PM  #1537

Quote
I'm not ready to lose any more funds, and neither should you be. I don't trust Bitcoinica more than the next man. But why should Kronos be more trustworthy? I don't see how any such business earns any trust at the moment.

I haven't lost a cent in Bitcoinica. I will continue doing my own risk assessment and yes, most if not all investments involve risk.

You seem to be making wrong connections here, placing trust over those who have screwed you over above those who haven't. Once I see how they operate their business I will make a decision (obviously they can also lie about this, you have to factor everything).

disclaimer201 (Legendary, Activity: 1316)
May 26, 2012, 02:00:50 PM  #1538

Quote
I'm not ready to lose any more funds, and neither should you be. I don't trust Bitcoinica more than the next man. But why should Kronos be more trustworthy? I don't see how any such business earns any trust at the moment.

I haven't lost a cent in Bitcoinica. I will continue doing my own risk assessment and yes, most if not all investments involve risk.

You seem to be making wrong connections here, placing trust over those who have screwed you over above those who haven't. Once I see how they operate their business I will make a decision (obviously they can also lie about this, you have to factor everything).

Well good luck then, it's never too late to lose your money at some new Bitcoinica clone. Waiting to see how they operate won't make their service any more secure. I'm sure you've found out their identities before you trust them, say from their "who we are" page - but wait, there isn't one.

muyuu (Donator, Legendary, Activity: 924)
May 26, 2012, 02:11:33 PM  #1539

Quote
I'm not ready to lose any more funds, and neither should you be. I don't trust Bitcoinica more than the next man. But why should Kronos be more trustworthy? I don't see how any such business earns any trust at the moment.

I haven't lost a cent in Bitcoinica. I will continue doing my own risk assessment and yes, most if not all investments involve risk.

You seem to be making wrong connections here, placing trust over those who have screwed you over above those who haven't. Once I see how they operate their business I will make a decision (obviously they can also lie about this, you have to factor everything).

Well good luck then, it's never too late to lose your money at some new Bitcoinica clone. Waiting to see how they operate won't make their service any more secure. I'm sure you've found out their identities before you trust them, say from their "who we are" page - but wait, there isn't one.

You can find them here in the forums. Information upon which I think I will keep my BTC at bay  Grin

Cluster2k (Legendary, Activity: 1512)
May 26, 2012, 06:17:37 PM  #1540

No backups.  I guess this explains why the whole process of officially acknowledging the hack (via the bitcoinica web site) and the claims process has been so slow.

Do not send bitcoins to me: 16b8s7pBJ9rUmsExNW25qD5VUqVqRPZuXu
100% solar powered bitcoin generation