Bitcoin Forum
Author Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation  (Read 201817 times)
BCB (CTG, VIP, Legendary), May 14, 2012, 06:15:00 PM, #701

Quote
If anything of the following happened this would be prevented:
[...]
- We should not use the official Bitcoin client because it's very hard to secure it without large investments and affecting instant withdrawals in large amounts.

Can you please explain how using some other software— even a HSM— could have prevented the wallet your site actively withdraws from at the request of users from being robbed by an attacker with root access to your servers?


Here is an interesting discussion.

https://bitcointalk.org/index.php?topic=81341

The info on the Thales links offers some interesting solutions for the security minded.

http://www.thales-esecurity.com/Products/Hardware%20Security%20Modules/nShield%20Edge.aspx

JoelKatz also had an interesting solution a few pages back:
/quote/
The correct solution is really never to use a hot wallet at all. There is no reason a key ever needs to be on a machine with Internet access. Methods to sign something with a key while preventing theft of the key or signing of bogus data are well understood since certificate authorities worked them all out. The irony is that CAs frequently ignore these well-understood security practices too.

One way is to a have a machine that is physically secure whose sole purpose is to sign transactions. It can talk over a serial port to a machine with Internet access. The software on the physically-secure machine controls the signing of transactions and is the only machine that can actually process a withdrawal. Any thief could, at most, compromise the machine at the other end of the serial port and would be limited to the commands that exist over the serial link. He could never extract a key that can sign Bitcoin transactions nor can he process a transaction that doesn't meet your security requirements. Yet transactions that do meet those requirements can process without human intervention.
/quote/
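The quoted design above (key only on an isolated signer, a narrow command set over a serial link, policy checks before anything is signed) can be sketched in code. The following is an added example written for this page, not code from the thread or from any of the services discussed; it simulates the serial link as text commands, uses an HMAC tag as a stand-in for an ECDSA signature, and the policy limits, request ids and address strings are constructed values chosen for the demonstration.

```python
"""Policy-enforcing offline signer: a toy model of a signing machine that only
accepts a fixed set of line commands from the Internet-facing host.  Added
example; the HMAC tag stands in for a real transaction signature (assumption)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# The entire command vocabulary the hot host can send.  There is no verb that
# reads or exports the key, so a compromised hot host cannot ask for it.
SERIAL_VERBS = ("PING", "WITHDRAW")


@dataclass
class Policy:
    max_per_withdrawal: int   # satoshis allowed in one withdrawal
    max_per_day: int          # satoshis allowed in any rolling 24-hour window


@dataclass
class OfflineSigner:
    secret: bytes                               # signing key; never leaves this object
    policy: Policy
    history: list = field(default_factory=list)   # (timestamp, amount) of signed withdrawals
    seen_ids: set = field(default_factory=set)    # request ids already signed (replay guard)

    def _spent_in_window(self, now: int) -> int:
        return sum(a for t, a in self.history if now - t < 86400)

    def handle(self, line: str, now: int) -> str:
        """Process one line received over the serial link; return the reply line."""
        parts = line.strip().split()
        if not parts or parts[0] not in SERIAL_VERBS:
            return "ERR unknown command"
        if parts[0] == "PING":
            return "PONG"
        # WITHDRAW <request_id> <destination> <amount_sat>
        if len(parts) != 4 or not parts[3].isdigit():
            return "ERR malformed WITHDRAW"
        req_id, dest, amount = parts[1], parts[2], int(parts[3])
        if req_id in self.seen_ids:
            return "REJECT duplicate request id"
        if amount <= 0 or amount > self.policy.max_per_withdrawal:
            return "REJECT exceeds per-withdrawal limit"
        if self._spent_in_window(now) + amount > self.policy.max_per_day:
            return "REJECT exceeds rolling daily limit"
        payload = json.dumps({"id": req_id, "to": dest, "sat": amount, "t": now}, sort_keys=True)
        sig = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        self.seen_ids.add(req_id)
        self.history.append((now, amount))
        return f"SIGNED {sig} {payload}"


def verify(secret: bytes, reply: str) -> bool:
    """Check a SIGNED reply, i.e. what the hot host would relay onward."""
    parts = reply.split(" ", 2)
    if len(parts) != 3 or parts[0] != "SIGNED":
        return False
    expected = hmac.new(secret, parts[2].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(parts[1], expected)


def demo() -> list:
    """Replay a constructed session from a (possibly compromised) hot host."""
    signer = OfflineSigner(b"constructed-demo-key",
                           Policy(max_per_withdrawal=50_000_000, max_per_day=120_000_000))
    session = [
        ("PING", 1000),
        ("DUMPKEY", 1000),                            # no such verb: key cannot be requested
        ("WITHDRAW r1 1DemoDestAddr 50000000", 1000),
        ("WITHDRAW r1 1DemoDestAddr 50000000", 1001),  # replayed request id
        ("WITHDRAW r2 1DemoDestAddr 50000001", 1002),  # one satoshi over the cap
        ("WITHDRAW r3 1DemoDestAddr 50000000", 1003),
        ("WITHDRAW r4 1DemoDestAddr 30000000", 1004),  # would push the day over 120M
    ]
    return [signer.handle(cmd, t) for cmd, t in session]


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The point of the structure is that the hot host can only ever obtain signatures over transactions the policy permits; even full compromise of that host yields no key material and no signature on an out-of-policy withdrawal, while in-policy withdrawals still flow without a human in the loop.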
Phinnaeus Gage (Legendary), May 14, 2012, 06:47:56 PM, #702

Quote
What is preventing them from putting the site up? If they worry about the attacker logging into customer accounts (which, because they claim the passwords are salted & hashed with bcrypt seems not probable) they could just reset all users' passwords and let them log in using activation code. People that have 2nd auth via Google Authenticator will be even more secure this way*. Doing it like this would enable users to decide for themselves if they want to shut down their positions or not. Doing it on behalf of users against their will is just wrong to me.

*there's always a possibility that the attacker tampered with the database. But it's nearly impossible to tell which data was tampered and which wasn't, so either way they're in pretty hot water.

They don't want to risk it.

They don't want to take even further damage on an insecure system, by the looks of it.

I'm pretty sure they would put it back online right now if they could, their time offline is costly for them. They lose prospective users and credibility by the minute. So I guess they just cannot trust the system to put it online even for a minute.

Anyway you do well in voicing your suggestions. Maybe they can actually afford to give it a try, we'll see tomorrow I guess.

It's a bit confusing that they decided to take their blog offline as well. I wonder what are they up to right now. They could do a bit better in the communication front.

Is this true? Is their blog, assumingly hosted elsewhere, offline? This would make no sense to me if true. A/the blog, in conjunction with this forum, would/should be the main source of communication to their users for them.

Please correct me if I'm mistaken.

~Bruno~
rjk (Sr. Member), May 14, 2012, 06:50:45 PM, #703

Quote
Is this true? Is their blog, assumingly hosted elsewhere, offline? This would make no sense to me if true. A/the blog, in conjunction with this forum, would/should be the main source of communication to their users for them.
The blog was put up and taken down the same day.

girlsgonebitcoin (Member), May 14, 2012, 06:52:18 PM, #704

Quote
I agree. I have been in this forum since September 2010 regularly, and this is the worst handling of an issue. Even more worrying is that amir taaki who I respect and who is with intersango is quiet like a mouse.
This is not a sign of "customer is king attitude" I would have expected

The last thing he said about this matter on this thread that I find interesting is this ...

"I am angry that our name is being dragged through the mud for something we had no part in."

Isn't this his company? LOL
Vladimir (Hero Member), May 14, 2012, 06:59:38 PM, #705

If ANY Bitcoin related service has a problem with maintaining an announcement page on their website (say, because it is hacked), the owner of the service can always contact me and give me the HTML or text of the announcement for a status page. I will quickly set up a static web server listening on a dedicated IP address, and all they would need to do is to point their DNS to the given IP address temporarily. The result will be a static status page on their website. Once ready to resume the service, the DNS can be changed back at any time.

Or did you guys lose control of DNS as well?

Or one can use a service like "google sites" for this.

There is no excuse for not communicating with users via the website (domain name) whether it is hacked or not.

The only explanation of lack of communication is that they do not want to tell users anything just yet.

Also if the SSL cert was not encrypted, perhaps it makes sense to revoke it and get a new one. Most CAs will do it for you for free.
Vladimir (Hero Member), May 14, 2012, 07:05:22 PM, #706

Quote
I agree. I have been in this forum since September 2010 regularly, and this is the worst handling of an issue. Even more worrying is that amir taaki who I respect and who is with intersango is quiet like a mouse.
This is not a sign of "customer is king attitude" I would have expected

The last thing he said about this matter on this thread that I find interesting is this ...

"I am angry that our name is being dragged through the mud for something we had no part in."

Isn't this his company? LOL

Well, it seems, the initial line was that Intersango had just taken over Bitcoinica management two weeks before the hack and they implied that it is not their fault and therefore it is unfair that their name "is being dragged through the mud".

However, various later reports suggest that this episode is indeed a direct result of Intersango's mismanagement.

This issue is clear as mud. Intersango or "Bitcoinica LP" should really start talking, silence is deafening. Zhou's statements are not enough until it is acknowledged that he is an official company spokesman.

For all we know Zhou Tong is a FORMER developer and owner and employee of Bitcoinica. Hence we have to assume that whatever he said publicly about this incident is unofficial and no official statement by Bitcoinica LP (NZ) owner and operator of Bitcoinica.com has been issued yet.

Dear Bitcoinica LP, while you are silent the public is quite justified in making the worst possible assumptions and dragging you through the mud.
BTC_Bear (B4 Foundation, VIP, Sr. Member), May 14, 2012, 07:20:06 PM, #707

Quote
I agree. I have been in this forum since September 2010 regularly, and this is the worst handling of an issue. Even more worrying is that amir taaki who I respect and who is with intersango is quiet like a mouse.
This is not a sign of "customer is king attitude" I would have expected

The last thing he said about this matter on this thread that I find interesting is this ...

"I am angry that our name is being dragged through the mud for something we had no part in."

Isn't this his company? LOL

Well, it seems, the initial line was that Intersango had just taken over Bitcoinica management two weeks before the hack and they implied that it is not their fault and therefore it is unfair that their name "is being dragged through the mud".

However, various later reports suggest that this episode is indeed a direct result of Intersango's mismanagement.

This issue is clear as mud. Intersango or "Bitcoinica LP" should really start talking, silence is deafening. Zhou's statements are not enough until it is acknowledged that he is an official company spokesman.

For all we know Zhou Tong is a FORMER developer and owner and employee of Bitcoinica. Hence we have to assume that whatever he said publicly about this incident is unofficial and no official statement by Bitcoinica LP (NZ) owner and operator of Bitcoinica.com has been issued yet.
Sort of agree. However, he is an acting 'agent' of the company. So what he says does hold weight. e.g. If Prudential's Insurance Agent says: "This policy is going to pay for Meteor strikes." Prudential is obligated to honor any reasonable expectations of that policy as presented even though they didn't actually cover said meteors.

He is an employee, err was.

Curiously, after transfer of knowledge, did he continue to have access to the system? If so, that would be a bad procedure.

guruvan (Hero Member), May 14, 2012, 07:38:49 PM, #708

It looks more and more like a criminal act the longer we wait for ANY real action from bitcoinica.

If zhoutong is not the owner, or a decision maker in that company, I don't CARE what he says. I only care what the OWNERS say.

But, wait. The ownership of bitcoinica is a secret? That suggests impropriety in the first place.

Owners and technical managers are silent? That suggests something is seriously wrong.

Yes, we're justified in making any kind of assumptions when the company in question still holds funds in the form of what is now either a theft, or a "forced loan"

How many trades are taking place with our money right now while bitcoinica shores up its personal losses to make good on everyone's account balance?

Seriously, this smacks of some of the recent wall street type debacles. Trading with customer funds was one of my biggest concerns with bitcoinica. The longer they take with making good on the account balances, the more I suspect that this (criminal act) has taken place.

bulanula (Hero Member), May 14, 2012, 07:43:25 PM, #709

Quote from: guruvan
It looks more and more like a criminal act the longer we wait for ANY real action from bitcoinica.

If zhoutong is not the owner, or a decision maker in that company, I don't CARE what he says. I only care what the OWNERS say.

But, wait. The ownership of bitcoinica is a secret? That suggests impropriety in the first place.

Owners and technical managers are silent? That suggests something is seriously wrong.

Yes, we're justified in making any kind of assumptions when the company in question still holds funds in the form of what is now either a theft, or a "forced loan"

How many trades are taking place with our money right now while bitcoinica shores up its personal losses to make good on everyone's account balance?

Seriously, this smacks of some of the recent wall street type debacles. Trading with customer funds was one of my biggest concerns with bitcoinica. The longer they take with making good on the account balances, the more I suspect that this (criminal act) has taken place.

You can suspect anything but can you prove it ?

Most likely no. And even if you could prove it, I bet nobody would do anything. The FSP means absolutely nothing in the context of BTC ( only USD funds matter ).

The fact the owners are not stepping up, zhoutong is doing the PR ( and his goodbye bitcoin post ), nobody knows what really happened in terms of the compromise is very disturbing indeed.

Patrick was the guy that made a coding error and sent 512 BTC by mistake to a guy on here. I would be very worried indeed because it seems his email server got compromised.

Add to that the recent "scam" reports about intersango and his deals with mementoVPS that had loads of problems. I am not confident they will set up.

Anything zhoutong is saying about balances is moot since he owns nothing about bitcoinica and is only a simple employee AFAIK.
BTC_Bear (B4 Foundation, VIP, Sr. Member), May 14, 2012, 07:48:33 PM, #710

Quote from: guruvan
It looks more and more like a criminal act the longer we wait for ANY real action from bitcoinica.

If zhoutong is not the owner, or a decision maker in that company, I don't CARE what he says. I only care what the OWNERS say.

But, wait. The ownership of bitcoinica is a secret? That suggests impropriety in the first place.

Owners and technical managers are silent? That suggests something is seriously wrong.

Yes, we're justified in making any kind of assumptions when the company in question still holds funds in the form of what is now either a theft, or a "forced loan"

How many trades are taking place with our money right now while bitcoinica shores up its personal losses to make good on everyone's account balance?

Seriously, this smacks of some of the recent wall street type debacles. Trading with customer funds was one of my biggest concerns with bitcoinica. The longer they take with making good on the account balances, the more I suspect that this (criminal act) has taken place.
Considering that the attack came through an 'email server', I would assume the attacker(s) have the emails. So all the behind the scene information will be coming to light. (i.e. Expect Mass Leaks Soon) Unless, the 'owners' pay off the attacker(s) to not release said information.

One wonders if they encrypted their emails between principal parties?
muyuu (Donator, Legendary), May 14, 2012, 07:55:10 PM, #711
Loads of speculation, it's late Monday UK time and still no definite news. No reimbursements AFAIK, no claim page, no deadlines.

Littleshop (Legendary), May 14, 2012, 08:15:57 PM, #712

Quote from: guruvan
It looks more and more like a criminal act the longer we wait for ANY real action from bitcoinica.

If zhoutong is not the owner, or a decision maker in that company, I don't CARE what he says. I only care what the OWNERS say.

But, wait. The ownership of bitcoinica is a secret? That suggests impropriety in the first place.

Owners and technical managers are silent? That suggests something is seriously wrong.

Yes, we're justified in making any kind of assumptions when the company in question still holds funds in the form of what is now either a theft, or a "forced loan"

How many trades are taking place with our money right now while bitcoinica shores up its personal losses to make good on everyone's account balance?

Seriously, this smacks of some of the recent wall street type debacles. Trading with customer funds was one of my biggest concerns with bitcoinica. The longer they take with making good on the account balances, the more I suspect that this (criminal act) has taken place.

Quote from: BTC_Bear
Considering that the attack came through an 'email server', I would assume the attacker(s) have the emails. So all the behind the scene information will be coming to light. (i.e. Expect Mass Leaks Soon) Unless, the 'owners' pay off the attacker(s) to not release said information.

One wonders if they encrypted their emails between principal parties?

I think you are reading too much into it.  I am guessing AN email account was compromised that allowed for a password reset into the server with the wallet.

A simple page really should have been put up for now on bitcoinica.com   There are so many easy ways of doing it, even if it just said, we were hacked, we will respond next week.   Leaving nothing on that page for this long is not fair to the users.

rjk (Sr. Member), May 14, 2012, 08:31:22 PM, #713

Quote from: Littleshop
I think you are reading too much into it.  I am guessing AN email account was compromised that allowed for a password reset into the server with the wallet.

A simple page really should have been put up for now on bitcoinica.com   There are so many easy ways of doing it, even if it just said, we were hacked, we will respond next week.   Leaving nothing on that page for this long is not fair to the users.

Quote
- Later we found out that Patrick's email server was compromised, and since he is in our mailing list, all emails sent to info@bitcoinica.com were delivered to his compromised email account.
Read Zhoutong's last posts for the info.

imsaguy (General failure and former VIP, Hero Member), May 14, 2012, 09:15:51 PM, #714
I won't be using Intersango's exchange until they post a reply in here.  Even then, it isn't likely that I will resume using their exchange.  You'll note that on their website they have:

"Intersango offers a secure and reliable way to buy and sell bitcoins. It is developed and run by Bitcoin Consultancy, who have been featured in the news by BBC, CNBC, Wall Street Journal (SmartMoney), Reuters and others. Intersango allows users peace of mind to be confident in our service and their transactions. Our support team is available by email at support@intersango.com to quickly answer any questions you may have. Please feel free to contact us. We are happy to help."

Perhaps emails to their support email would initiate a response?  Assuming, of course, it hasn't been compromised.

teflone (Hero Member), May 14, 2012, 09:22:44 PM, #715
You all were scammed..

Zhou is washing his hands of it..  Coincidence he's leaving bitcoin ?   lmao

Hello!!!, wake up...

They don't even have enough respect for their customers to make a static page to make people aware of the situation..

The page alone would calm a lot of nerves..
Crypt_Current (Hero Member), May 14, 2012, 09:23:01 PM, #716

Quote
We are building an account claim page. You can submit your account information, financial information (balances) and trading information to verify your identity. We will then match with the records we have. If they have matched, we will send Bitcoin balance to your nominated Bitcoin address within 24 hours and USD balance with unrealized P/L to your email as a Mt. Gox code. If you sent the funds to us via Wire (i.e. you don't use Mt. Gox at all), we will try our best to fulfill wire transfer requests.

Current positions will all be liquidated at a settlement price. We haven't decided the price yet, but my personal estimate is 4.98 / 4.94. (All long positions can liquidate at 4.98 and all short positions can liquidate at 4.94, we pay the spread for you.) All unrealized P/L will be settled in USD. If you don't have sufficient USD balance, we will use your BTC to settle, with the mid-point exchange rate (again, we pay the spread).

The page will be up in a few days but I don't have accurate information on this. Patrick is working on the page now. Thanks for your understanding and patience.

Quote
This is just plain wrong. I have had mid- and long-term positions there. Some were in the green, but some were in the red. I didn't have any intention to touch them now, let alone liquidate them fully! Forcing me to do that is nothing more than taking forcefully my money with you. I really hope you reconsider this.

Yup.  I'm still reading through all this but I just wanted to interject here and let everyone know -- I'm kinda really pissed off.

Crypt_Current (Hero Member), May 14, 2012, 09:31:12 PM, #717
<level headed speech>
I don't want to sound like I'm overly defending anyone here, because I'm merely trying to calm the tension here...

It seems the websites (Bitcoinica, the blog, BitcoinConsultancy) are down because they were all hosted with RackSpace (?) and as Zhou said in the OP, they had the servers shut down.

It's part of the process. The MtGox hack, Tradehill Closing, and now this, are all giant clusterfuck situations, but they get dealt with in time. I know it's not an assurance, and no warm-fuzzy feelings are being generated by this, but it's only been a matter of days and I'm sure everyone involved is still trying to get a grip on exactly what may have been compromised, especially with the ominous threat of a "mass leak" overhead, and presumably, far more USD at risk than the BTC that was stolen (Admittedly, my own assumption.) Look at the bright side though, they have stated they are working on methods to reimburse their customers... this is leagues better than something like the MyBitcoin fiasco.

Personally, I still have accounts at Gox that were never recovered.
I still have an open balance at TH that was never recovered.
I probably wont get my Bitcoinica balance back...

...but the reality of the situation is, you can't blame the chieftain of the village you live in if raiders loot and pillage everything in the middle of the night. You can, however, realize that you made the conscious choice to have your BTC/USD held with a 3rd-party, and be cooperative, understanding and patient when it comes to getting it back.

Honestly, I hope everyone gets their money back, myself included, but pitchforks and torches don't help.

My condolences go out to Zhou and his team.
</level headed speech>

Alright... commence with the "OMGWTFBBQ?!?!?"

THERE'D BETTER BE BISON BURGERS... BLALLALSHDLFHALDHFOISDHFOSH!!!!!!!!!!!!!!!!!!!!!!!!!!1111111111111

btw... when is the cole slaw coming in the mail???

bitstory (Jr. Member), May 14, 2012, 09:32:26 PM, #718

Quote from: teflone
They don't even have enough respect for their customers to make a static page to make people aware of the situation..

The page alone would calm a lot of nerves..
bigassmessage.com/02c95
rjk (Sr. Member), May 14, 2012, 09:50:06 PM, #719
http://bigassmessage.com/b2ce5

paraipan (Legendary), May 14, 2012, 09:51:28 PM, #720
Bitcoinica is making news already https://bitcointalk.org/index.php?topic=81784
