Bitcoin Forum
December 11, 2016, 02:31:56 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 [4] 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 ... 80 »
  Print  
Author Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation  (Read 201934 times)
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
May 11, 2012, 02:36:34 PM
 #61


So, you are still not in control of Bitcoinica?
Then, tell us, who are the decision makers that will decide if customers get reimbursed, as Zhou Tong already pointed out that it would not be his decision but from someone else?

Interesting. I didn't know the organizational structure of Bitcoinica changed recently. If I were in charge, I would still reimburse the dude.

1481423516
Hero Member
*
Offline Offline

Posts: 1481423516

View Profile Personal Message (Offline)

Ignore
1481423516
Reply with quote  #2

1481423516
Report to moderator
1481423516
Hero Member
*
Offline Offline

Posts: 1481423516

View Profile Personal Message (Offline)

Ignore
1481423516
Reply with quote  #2

1481423516
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481423516
Hero Member
*
Offline Offline

Posts: 1481423516

View Profile Personal Message (Offline)

Ignore
1481423516
Reply with quote  #2

1481423516
Report to moderator
1481423516
Hero Member
*
Offline Offline

Posts: 1481423516

View Profile Personal Message (Offline)

Ignore
1481423516
Reply with quote  #2

1481423516
Report to moderator
zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490


View Profile WWW
May 11, 2012, 02:36:53 PM
 #62

Please don't blame genjix. It's definitely not his fault.

He's not in our mailing list so it couldn't be him.

Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happens.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
May 11, 2012, 02:37:13 PM
 #63

lollerskates

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490


View Profile WWW
May 11, 2012, 02:38:03 PM
 #64


So, you are still not in control of Bitcoinica?
Then, tell us, who are the decision makers that will decide if customers get reimbursed, as Zhou Tong already pointed out that it would not be his decision but from someone else?

Interesting. I didn't know the organizational structure of Bitcoinica changed recently. If I were in charge, I would still reimburse the dude.

Same here. I think reimbursing is the right way to go, even if we are shutting down the business at a huge loss.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
unclescrooge
aka Raphy
Hero Member
*****
Offline Offline

Activity: 868


View Profile
May 11, 2012, 02:38:55 PM
 #65

Please stop bullshiting, what you says doesn't make any sense.

Bitcoinica got hacked, so what, it happens all the time to lots of compagny. I don't see how this devalues bitcoin, I don't see how bitcoinica activities devalues bitcoin, and... fuck I don't understand your points.

If ebay get hacked that devalues dollars?
I see you must be quite new to Bitcoin. Have you experienced what happened when MyBitcoin was allegedly robbed? MtGox? Bitcoin7? Hell, I don’t even know many of them anymore.

No I'm not new. And when the mtgox thing happen, I was already telling people the same thing.

And one year later, I have more confidence in bitcoin, and only see this as a potential buying opportunities Smiley

Don't worry, it will hurt bitcoinica, but it won't hurt the bitcoin economy

terrytibbs
Hero Member
*****
Offline Offline

Activity: 560



View Profile
May 11, 2012, 02:39:29 PM
 #66

Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happens.
You're handling it very well, keep it up.
Vladimir
Hero Member
*****
Offline Offline

Activity: 812


-


View Profile
May 11, 2012, 02:40:04 PM
 #67

Sorry to hear about this again.

It seems Bitcoinica got swindled for another 100k$, this time they got "smarter",  instead of cheapest possible VPS, they went for most expensive possible Dedicated (or is it still vps's?).

FFS! it does not change anything! Insiders still have physicall access to their computers, or management access for instance via KVMs, they still can arrange to get themselves untracked access, leak passwords etc, they still can take your wallets.

Linode lesson was not "go to dedi", it was to go to a well locked colo and control physical and management access to servers. Owning the DC would be even better. Banks do not host their critical infrastructure on cheapest VPS's nor do they use the most expencive dedis either.  Take a hint.

Better yet hire someone who can do information security professionally and this time listen to what they tell you.



-
Clipse
Hero Member
*****
Offline Offline

Activity: 504


View Profile
May 11, 2012, 02:41:12 PM
 #68

Please don't blame genjix. It's definitely not his fault.

He's not in our mailing list so it couldn't be him.

Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happens.

Sorry but in any structured business if something goes wrong then someone either didnt do their job or did a shitty job.

In the case of being hacked, it is the security "expert" fault and he should be held accountable for the loss.

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
May 11, 2012, 02:43:14 PM
 #69

This: http://en.wikipedia.org/wiki/Port_knocking Plus this: https://code.google.com/p/google-authenticator/ Plus this: http://en.wikipedia.org/wiki/Virtual_private_network Plus this: http://www.duosecurity.com/vpn

....equals win!

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
May 11, 2012, 02:43:54 PM
 #70

Please don't blame genjix. It's definitely not his fault.

He's not in our mailing list so it couldn't be him.

Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happens.

Ofcourse it's not his fault... It's not your fault either. It's the hackers' fault.
But if you, as a corporation, management and operators included, decide not to reimburse your customers losses, then it's your fault and you should be labeled for what you are.
Take a hint from TradeHill.

zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490


View Profile WWW
May 11, 2012, 02:51:47 PM
 #71

Please don't blame genjix. It's definitely not his fault.

He's not in our mailing list so it couldn't be him.

Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happens.

Ofcourse it's not his fault... It's not your fault either. It's the hackers' fault.
But if you, as a corporation, management and operators included, decide not to reimburse your customers losses, then it's your fault and you should be labeled for what you are.
Take a hint from TradeHill.

Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
May 11, 2012, 02:52:39 PM
 #72

Sorry to hear about this again.

It seems Bitcoinica got swindled for another 100k$, this time they got "smarter",  instead of cheapest possible VPS, they went for most expensive possible Dedicated (or is it still vps's?).


Personally, I find erring for convenience over security to be a questionable practice.

rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
May 11, 2012, 02:53:06 PM
 #73

Please don't blame genjix. It's definitely not his fault.

He's not in our mailing list so it couldn't be him.

Well, shit just happens and it's not anyone's fault or incompetence here. I'm the only guy awake when the incident happens.

Ofcourse it's not his fault... It's not your fault either. It's the hackers' fault.
But if you, as a corporation, management and operators included, decide not to reimburse your customers losses, then it's your fault and you should be labeled for what you are.
Take a hint from TradeHill.

Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.
Doesn't Rackspace offer you the option of requiring more than one person to sign off on a password change?

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
May 11, 2012, 02:54:02 PM
 #74


Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.

Would it make sense to require 2-factor authentication for everybody?

DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
May 11, 2012, 02:57:08 PM
 #75

It's really hard to believe that after the linode debacle, you guys are
still leaving that many coins on hosted systems.

Please learn about offline transactions and how to properly decouple
the wallet from your trading system.

This.  It is insane to me.

The cost of a secure co-location cage with dedicated hardware firewall, and private switch, and private servers.  Every single piece of hardware owned and configured by you.  The exchange and wallet should be on seperate servers and the wallet server should have no insecure connections. 

Come on it is 2012 guys.  IPMI makes doing secure remote co-location a lot easier.  VPN secure KVM over IP, bios upgrades, hardware monitoring, remote power control, even remote media loading.

No reason for anyone to have access to the cage.  Any good colocation provider can enforce user specified cage access protocol (i.e. requires 2 whitelisted users, and auto-notification of everyone on the whitelist w/ 2 hour delay).


On edit:

password resets? What the fuck are password resets?  This isn't a facebook account. Your admin loses his password well he can't login.  Period.  If he keeps doing it you fire his ass and hire someone who is more capable.   

Logins should be password + cert and limited to a dedicated NIC.  Your own personally owned and configured hardware firewall limits connections to the login NIC based on whitelisted IP addresses.
realnowhereman
Hero Member
*****
Offline Offline

Activity: 504



View Profile
May 11, 2012, 02:57:37 PM
 #76

Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.

This is ridiculous.  Password reset emails are okay for forums; but not for anything which needs real security.

Emails are postcards; it doesn't need an email account compromise to do this, just someone sitting on the appropriate router with a traffic sniffer.


1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
Raize
Donator
Legendary
*
Offline Offline

Activity: 1375


View Profile
May 11, 2012, 03:05:33 PM
 #77

Has anyone ever pulled up the old MtGox list of user accounts and hashes, compiled all the passwords from a rainbow table, then ran through common logins like Bitcoinica's to see what ones still worked?

OrganofCorti's Neighbourhood Pool Watch - The most informative website on blockchain health
Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
May 11, 2012, 03:07:18 PM
 #78

Has anyone ever pulled up the old MtGox list of user accounts and hashes, compiled all the passwords from a rainbow table, then ran through common logins like Bitcoinica's to see what ones still worked?

What does that have to do with this? Huh

Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
May 11, 2012, 03:15:21 PM
 #79

Z can u put now the site up ?

Without finding the breach i don't think it would be a good idea...
Are you in a hurry to withdraw, or?
Relax dude, i'm certain ZhouTong will do the right thing.
In fact I shouldn't even be nagging him so much. There's time for that if he decides to walk the wrong path.

Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
May 11, 2012, 03:17:01 PM
 #80

Z can u put now the site up ?

Without finding the breach i don't think it would be a good idea...
Are you in a hurry to withdraw, or?
Relax dude, i'm certain ZhouTong will do the right thing.

cant short  grrrrrr

OH, LOL Tongue

Pages: « 1 2 3 [4] 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 ... 80 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!