kiba
Legendary
Offline
Activity: 980
Merit: 1020
May 11, 2012, 02:36:34 PM
So, you are still not in control of Bitcoinica? Then, tell us, who are the decision makers that will decide if customers get reimbursed, as Zhou Tong already pointed out that it would not be his decision but from someone else?
Interesting. I didn't know the organizational structure of Bitcoinica changed recently. If I were in charge, I would still reimburse the dude.
zhoutong (OP)
VIP
Hero Member
Offline
Activity: 490
Merit: 502
May 11, 2012, 02:36:53 PM
Please don't blame genjix. It's definitely not his fault.
He's not in our mailing list so it couldn't be him.
Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happened.
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
May 11, 2012, 02:37:13 PM
zhoutong (OP)
VIP
Hero Member
Offline
Activity: 490
Merit: 502
May 11, 2012, 02:38:03 PM
So, you are still not in control of Bitcoinica? Then, tell us, who are the decision makers that will decide if customers get reimbursed, as Zhou Tong already pointed out that it would not be his decision but from someone else?
Interesting. I didn't know the organizational structure of Bitcoinica changed recently. If I were in charge, I would still reimburse the dude.
Same here. I think reimbursing is the right way to go, even if we are shutting down the business at a huge loss.
unclescrooge
May 11, 2012, 02:38:55 PM
Please stop bullshitting, what you say doesn't make any sense.
Bitcoinica got hacked, so what, it happens all the time to lots of companies. I don't see how this devalues bitcoin, I don't see how bitcoinica activities devalue bitcoin, and... fuck I don't understand your points.
If eBay gets hacked, does that devalue dollars?
I see you must be quite new to Bitcoin. Have you experienced what happened when MyBitcoin was allegedly robbed? MtGox? Bitcoin7? Hell, I don't even know many of them anymore.
No I'm not new. And when the mtgox thing happened, I was already telling people the same thing. And one year later, I have more confidence in bitcoin, and only see this as a potential buying opportunity. Don't worry, it will hurt bitcoinica, but it won't hurt the bitcoin economy.
terrytibbs
May 11, 2012, 02:39:29 PM
Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happened.
You're handling it very well, keep it up.
Vladimir
May 11, 2012, 02:40:04 PM
Sorry to hear about this again.
It seems Bitcoinica got swindled for another 100k$, this time they got "smarter": instead of the cheapest possible VPS, they went for the most expensive possible Dedicated (or is it still VPS's?).
FFS! It does not change anything! Insiders still have physical access to their computers, or management access for instance via KVMs; they still can arrange to get themselves untracked access, leak passwords etc.; they still can take your wallets.
The Linode lesson was not "go to dedi", it was to go to a well locked colo and control physical and management access to servers. Owning the DC would be even better. Banks do not host their critical infrastructure on the cheapest VPS's, nor do they use the most expensive dedis either. Take a hint.
Better yet hire someone who can do information security professionally and this time listen to what they tell you.
Clipse
May 11, 2012, 02:41:12 PM
Please don't blame genjix. It's definitely not his fault.
He's not in our mailing list so it couldn't be him.
Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happened.
Sorry but in any structured business if something goes wrong then someone either didn't do their job or did a shitty job. In the case of being hacked, it is the security "expert's" fault and he should be held accountable for the loss.
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
May 11, 2012, 02:43:14 PM
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
May 11, 2012, 02:43:54 PM
Please don't blame genjix. It's definitely not his fault.
He's not in our mailing list so it couldn't be him.
Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happened.
Of course it's not his fault... It's not your fault either. It's the hackers' fault. But if you, as a corporation, management and operators included, decide not to reimburse your customers' losses, then it's your fault and you should be labeled for what you are. Take a hint from TradeHill.
zhoutong (OP)
VIP
Hero Member
Offline
Activity: 490
Merit: 502
May 11, 2012, 02:51:47 PM
Please don't blame genjix. It's definitely not his fault.
He's not in our mailing list so it couldn't be him.
Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happened.
Of course it's not his fault... It's not your fault either. It's the hackers' fault. But if you, as a corporation, management and operators included, decide not to reimburse your customers' losses, then it's your fault and you should be labeled for what you are. Take a hint from TradeHill.
Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.
kiba
Legendary
Offline
Activity: 980
Merit: 1020
May 11, 2012, 02:52:39 PM
Sorry to hear about this again.
It seems Bitcoinica got swindled for another 100k$, this time they got "smarter": instead of the cheapest possible VPS, they went for the most expensive possible Dedicated (or is it still VPS's?).
Personally, I find erring for convenience over security to be a questionable practice.
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
May 11, 2012, 02:53:06 PM
Please don't blame genjix. It's definitely not his fault.
He's not in our mailing list so it couldn't be him.
Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happened.
Of course it's not his fault... It's not your fault either. It's the hackers' fault. But if you, as a corporation, management and operators included, decide not to reimburse your customers' losses, then it's your fault and you should be labeled for what you are. Take a hint from TradeHill.
Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.
Doesn't Rackspace offer you the option of requiring more than one person to sign off on a password change?
kiba
Legendary
Offline
Activity: 980
Merit: 1020
May 11, 2012, 02:54:02 PM
Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.
Would it make sense to require 2-factor authentication for everybody?
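One way to implement what rjk and kiba suggest above, as an added example that is not Bitcoinica's, Rackspace's or any poster's code: a password reset that only completes once a quorum of approvers has each confirmed with their own TOTP code, so the emailed notification carries no credential and one compromised mailbox cannot carry the reset through on its own. The approver names, TOTP secrets, request id and timestamps are constructed for the example.

```python
"""Quorum-approved password reset with per-approver TOTP (constructed example)."""
import hashlib
import hmac
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class QuorumReset:
    def __init__(self, approver_secrets: dict, quorum: int, ttl: int = 900):
        self.secrets = approver_secrets   # approver -> TOTP secret, enrolled out of band
        self.quorum = quorum              # approvals needed before the reset may proceed
        self.ttl = ttl                    # seconds a pending request stays valid
        self.requests = {}

    def start(self, request_id: str, now: int) -> None:
        # The notification email carries only the request id; it is not a secret,
        # so reading it from a compromised mailbox grants nothing by itself.
        self.requests[request_id] = {"created": now, "approved": set()}

    def approve(self, request_id: str, approver: str, code: str, now: int) -> bool:
        req = self.requests.get(request_id)
        if req is None or approver not in self.secrets:
            return False
        if now - req["created"] > self.ttl:
            del self.requests[request_id]  # stale request: discard, do not extend
            return False
        # Accept the current step and the previous one to tolerate clock skew.
        valid = any(hmac.compare_digest(totp(self.secrets[approver], now - d), code)
                    for d in (0, 30))
        if not valid:
            return False
        req["approved"].add(approver)      # the same approver only ever counts once
        return True

    def can_reset(self, request_id: str) -> bool:
        req = self.requests.get(request_id)
        return req is not None and len(req["approved"]) >= self.quorum
```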
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
May 11, 2012, 02:57:08 PM Last edit: May 11, 2012, 03:17:05 PM by DeathAndTaxes
It's really hard to believe that after the linode debacle, you guys are still leaving that many coins on hosted systems.
Please learn about offline transactions and how to properly decouple the wallet from your trading system.
This. It is insane to me. The cost of a secure co-location cage with dedicated hardware firewall, and private switch, and private servers. Every single piece of hardware owned and configured by you. The exchange and wallet should be on separate servers and the wallet server should have no insecure connections. Come on it is 2012 guys. IPMI makes doing secure remote co-location a lot easier. VPN secure KVM over IP, BIOS upgrades, hardware monitoring, remote power control, even remote media loading. No reason for anyone to have access to the cage. Any good colocation provider can enforce user specified cage access protocol (i.e. requires 2 whitelisted users, and auto-notification of everyone on the whitelist w/ 2 hour delay).
On edit: password resets? What the fuck are password resets? This isn't a facebook account. Your admin loses his password, well, he can't login. Period. If he keeps doing it you fire his ass and hire someone who is more capable. Logins should be password + cert and limited to a dedicated NIC. Your own personally owned and configured hardware firewall limits connections to the login NIC based on whitelisted IP addresses.
realnowhereman
May 11, 2012, 02:57:37 PM
Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.
This is ridiculous. Password reset emails are okay for forums; but not for anything which needs real security. Emails are postcards; it doesn't need an email account compromise to do this, just someone sitting on the appropriate router with a traffic sniffer.
Raize
Donator
Legendary
Offline
Activity: 1419
Merit: 1015
May 11, 2012, 03:05:33 PM
Has anyone ever pulled up the old MtGox list of user accounts and hashes, compiled all the passwords from a rainbow table, then ran through common logins like Bitcoinica's to see what ones still worked?
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
May 11, 2012, 03:07:18 PM
Has anyone ever pulled up the old MtGox list of user accounts and hashes, compiled all the passwords from a rainbow table, then ran through common logins like Bitcoinica's to see what ones still worked?
What does that have to do with this?
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
May 11, 2012, 03:15:21 PM
Z can u put now the site up ?
Without finding the breach I don't think it would be a good idea... Are you in a hurry to withdraw, or? Relax dude, I'm certain ZhouTong will do the right thing. In fact I shouldn't even be nagging him so much. There's time for that if he decides to walk the wrong path.
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
May 11, 2012, 03:17:01 PM
Z can u put now the site up ?
Without finding the breach I don't think it would be a good idea... Are you in a hurry to withdraw, or? Relax dude, I'm certain ZhouTong will do the right thing.
Can't short grrrrrr
OH, LOL