Bitcoin Forum
Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation
kiba
May 11, 2012, 02:36:34 PM #61


> So, you are still not in control of Bitcoinica?
> Then, tell us, who are the decision makers that will decide if customers get reimbursed, as Zhou Tong already pointed out that it would not be his decision but from someone else?

Interesting. I didn't know the organizational structure of Bitcoinica changed recently. If I were in charge, I would still reimburse the dude.

zhoutong (OP)
May 11, 2012, 02:36:53 PM #62

Please don't blame genjix. It's definitely not his fault.

He's not on our mailing list, so it couldn't be him.

Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
rjk
May 11, 2012, 02:37:13 PM #63

lollerskates

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
zhoutong (OP)
May 11, 2012, 02:38:03 PM #64


>> So, you are still not in control of Bitcoinica?
>> Then, tell us, who are the decision makers that will decide if customers get reimbursed, as Zhou Tong already pointed out that it would not be his decision but from someone else?
>
> Interesting. I didn't know the organizational structure of Bitcoinica changed recently. If I were in charge, I would still reimburse the dude.

Same here. I think reimbursing is the right way to go, even if we are shutting down the business at a huge loss.

unclescrooge (aka Raphy)
May 11, 2012, 02:38:55 PM #65

>> Please stop bullshitting, what you say doesn't make any sense.
>>
>> Bitcoinica got hacked, so what, it happens all the time to lots of companies. I don't see how this devalues bitcoin, I don't see how bitcoinica's activities devalue bitcoin, and... fuck, I don't understand your points.
>>
>> If eBay gets hacked, does that devalue dollars?
>
> I see you must be quite new to Bitcoin. Have you experienced what happened when MyBitcoin was allegedly robbed? MtGox? Bitcoin7? Hell, I don't even know many of them anymore.

No, I'm not new. And when the MtGox thing happened, I was already telling people the same thing.

And one year later, I have more confidence in bitcoin, and only see this as a potential buying opportunity :)

Don't worry, it will hurt bitcoinica, but it won't hurt the bitcoin economy.
terrytibbs
May 11, 2012, 02:39:29 PM #66

> Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.

You're handling it very well, keep it up.
Vladimir
May 11, 2012, 02:40:04 PM #67

Sorry to hear about this again.

It seems Bitcoinica got swindled for another $100k; this time they got "smarter": instead of the cheapest possible VPS, they went for the most expensive possible dedicated server (or is it still VPSs?).

FFS! It does not change anything! Insiders still have physical access to their computers, or management access, for instance via KVMs; they can still arrange to get themselves untracked access, leak passwords, etc. They can still take your wallets.

The Linode lesson was not "go to dedi", it was to go to a well locked colo and control physical and management access to servers. Owning the DC would be even better. Banks do not host their critical infrastructure on the cheapest VPSs, nor do they use the most expensive dedis either. Take a hint.

Better yet, hire someone who can do information security professionally and this time listen to what they tell you.
Clipse
May 11, 2012, 02:41:12 PM #68

> Please don't blame genjix. It's definitely not his fault.
>
> He's not on our mailing list, so it couldn't be him.
>
> Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.

Sorry, but in any structured business if something goes wrong then someone either didn't do their job or did a shitty job.

In the case of being hacked, it is the security "expert's" fault and he should be held accountable for the loss.

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
rjk
May 11, 2012, 02:43:14 PM #69

This: http://en.wikipedia.org/wiki/Port_knocking Plus this: https://code.google.com/p/google-authenticator/ Plus this: http://en.wikipedia.org/wiki/Virtual_private_network Plus this: http://www.duosecurity.com/vpn

....equals win!

Raoul Duke (aka psy)
May 11, 2012, 02:43:54 PM #70

> Please don't blame genjix. It's definitely not his fault.
>
> He's not on our mailing list, so it couldn't be him.
>
> Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.

Of course it's not his fault... It's not your fault either. It's the hackers' fault.
But if you, as a corporation, management and operators included, decide not to reimburse your customers' losses, then it's your fault and you should be labeled for what you are.
Take a hint from TradeHill.
zhoutong (OP)
May 11, 2012, 02:51:47 PM #71

>> Please don't blame genjix. It's definitely not his fault.
>>
>> He's not on our mailing list, so it couldn't be him.
>>
>> Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.
>
> Of course it's not his fault... It's not your fault either. It's the hackers' fault.
> But if you, as a corporation, management and operators included, decide not to reimburse your customers' losses, then it's your fault and you should be labeled for what you are.
> Take a hint from TradeHill.

Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.

kiba
May 11, 2012, 02:52:39 PM #72

> Sorry to hear about this again.
>
> It seems Bitcoinica got swindled for another $100k; this time they got "smarter": instead of the cheapest possible VPS, they went for the most expensive possible dedicated server (or is it still VPSs?).

Personally, I find erring for convenience over security to be a questionable practice.

rjk
May 11, 2012, 02:53:06 PM #73

>>> Please don't blame genjix. It's definitely not his fault.
>>>
>>> He's not on our mailing list, so it couldn't be him.
>>>
>>> Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.
>>
>> Of course it's not his fault... It's not your fault either. It's the hackers' fault.
>> But if you, as a corporation, management and operators included, decide not to reimburse your customers' losses, then it's your fault and you should be labeled for what you are.
>> Take a hint from TradeHill.
>
> Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.

Doesn't Rackspace offer you the option of requiring more than one person to sign off on a password change?

kiba
May 11, 2012, 02:54:02 PM #74


> Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.

Would it make sense to require 2-factor authentication for everybody?

DeathAndTaxes (Gerald Davis)
May 11, 2012, 02:57:08 PM #75
Last edit: May 11, 2012, 03:17:05 PM by DeathAndTaxes

> It's really hard to believe that after the Linode debacle, you guys are
> still leaving that many coins on hosted systems.
>
> Please learn about offline transactions and how to properly decouple
> the wallet from your trading system.

This. It is insane to me.

The cost of a secure co-location cage with dedicated hardware firewall, private switch, and private servers. Every single piece of hardware owned and configured by you. The exchange and wallet should be on separate servers, and the wallet server should have no insecure connections.

Come on, it is 2012, guys. IPMI makes doing secure remote co-location a lot easier: VPN-secured KVM over IP, BIOS upgrades, hardware monitoring, remote power control, even remote media loading.

No reason for anyone to have access to the cage. Any good colocation provider can enforce a user-specified cage access protocol (i.e. requires 2 whitelisted users, and auto-notification of everyone on the whitelist with a 2 hour delay).

On edit:

Password resets? What the fuck are password resets? This isn't a Facebook account. Your admin loses his password? Well, he can't log in. Period. If he keeps doing it, you fire his ass and hire someone who is more capable.

Logins should be password + cert and limited to a dedicated NIC. Your own personally owned and configured hardware firewall limits connections to the login NIC based on whitelisted IP addresses.
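The last paragraph of the post above describes a concrete admin-access design: both a password and a key/certificate are required, the login service listens only on a dedicated NIC, and the owner's firewall admits only whitelisted source addresses to that NIC. The following is an added example, not code from the thread or from any project mentioned in it, that models that policy and renders the two configuration fragments it implies. The addresses (`10.20.0.2` for the login NIC, the `203.0.113.0/29` and `198.51.100.7` whitelist) are constructed documentation ranges, the `/etc/ssh/user_ca.pub` path is an assumed placeholder, and the `sshd_config` directives assume a modern OpenSSH.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: the host has a public NIC for exchange traffic and a
# dedicated login NIC that is reachable only through the owner's firewall.
LOGIN_NIC_ADDR = ipaddress.ip_address("10.20.0.2")
LOGIN_PORT = 22
# Constructed whitelist of admin source addresses (RFC 5737 documentation ranges).
SOURCE_WHITELIST = [
    ipaddress.ip_network("203.0.113.0/29"),
    ipaddress.ip_network("198.51.100.7/32"),
]


@dataclass
class Attempt:
    src_ip: str
    dst_ip: str
    dst_port: int
    cert_valid: bool      # client presented a key/certificate the server trusts
    password_valid: bool  # and the account password checked out


def firewall_allows(a: Attempt) -> bool:
    """Model of the firewall rule: the admin port is reachable only on the login
    NIC, and only from whitelisted sources. Everything else is dropped."""
    if ipaddress.ip_address(a.dst_ip) != LOGIN_NIC_ADDR or a.dst_port != LOGIN_PORT:
        return False
    src = ipaddress.ip_address(a.src_ip)
    return any(src in net for net in SOURCE_WHITELIST)


def authenticate(a: Attempt) -> str:
    """Network whitelist first, then both credential factors. The two factors are
    reported as one result so a failed password does not reveal whether the
    certificate was acceptable."""
    if not firewall_allows(a):
        return "deny: firewall"
    return "allow" if (a.cert_valid and a.password_valid) else "deny: credentials"


def render_nft_ruleset() -> str:
    """nftables input policy equivalent to firewall_allows(): default drop, admin
    port accepted only on the login NIC address from the whitelist."""
    srcs = ", ".join(
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in SOURCE_WHITELIST
    )
    return f"""table inet admin {{
  chain input {{
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    ip daddr {LOGIN_NIC_ADDR} tcp dport {LOGIN_PORT} ip saddr {{ {srcs} }} accept
  }}
}}"""


def render_sshd_config() -> str:
    """sshd_config fragment: bind to the login NIC only and require BOTH a trusted
    key/certificate AND the password (AuthenticationMethods is conjunctive)."""
    return "\n".join([
        f"ListenAddress {LOGIN_NIC_ADDR}",
        "PermitRootLogin no",
        "PubkeyAuthentication yes",
        "PasswordAuthentication yes",
        "KbdInteractiveAuthentication no",
        "AuthenticationMethods publickey,password",
        "TrustedUserCAKeys /etc/ssh/user_ca.pub",  # assumed path for the SSH user CA
    ])


if __name__ == "__main__":
    print(render_nft_ruleset())
    print(render_sshd_config())
    print(authenticate(Attempt("203.0.113.3", "10.20.0.2", 22, True, True)))  # allow
```

The point of evaluating the whitelist on a separate device is that a compromised host cannot loosen its own access rules; the rendered `sshd_config` only enforces what the host itself can check (listening address and the two factors).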
realnowhereman
May 11, 2012, 02:57:37 PM #76

> Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.

This is ridiculous. Password reset emails are okay for forums, but not for anything which needs real security.

Emails are postcards; it doesn't need an email account compromise to do this, just someone sitting on the appropriate router with a traffic sniffer.


1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
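Two posts above make the same defensive point from different angles: rjk (#73) asks whether a password change on the hosting account can require more than one person to sign off, and realnowhereman (#76) notes that anything sent by email must be treated as readable in transit. The following is an added example, not code from the thread, from Bitcoinica, or from Rackspace, of a reset flow built on those two ideas: the emailed token is high-entropy, short-lived and single-use, only its hash is stored, and the reset cannot complete until a quorum of other administrators has approved it, so possession of the token alone (from a compromised mailbox or a sniffed link) is not enough. The `ResetService` class, its `required` quorum of 2, the 15-minute TTL and the admin names are all this example's own constructed choices.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60   # constructed policy: a reset link is valid for 15 minutes
REQUIRED_APPROVALS = 2        # constructed policy: two other admins must sign off


@dataclass
class ResetRequest:
    account: str
    token_hash: bytes                      # only the hash is stored at rest
    created_at: float
    approvals: set = field(default_factory=set)
    used: bool = False


class ResetService:
    """Example password-reset gate (not any vendor's API)."""

    def __init__(self, admins, required=REQUIRED_APPROVALS,
                 ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self.admins = set(admins)
        self.required = required
        self.ttl = ttl
        self.clock = clock          # injectable for testing expiry
        self.requests = {}          # request id -> ResetRequest
        self.completed = []         # (account, request id) audit trail

    def request_reset(self, account: str):
        """Create a request. The raw token is returned once (this is what would be
        emailed); the server keeps only its SHA-256 hash."""
        raw = secrets.token_urlsafe(32)
        req_id = secrets.token_hex(8)
        self.requests[req_id] = ResetRequest(
            account, hashlib.sha256(raw.encode()).digest(), self.clock())
        return req_id, raw

    def approve(self, req_id: str, approver: str) -> bool:
        """Record an approval. Only known admins count, and the account being
        reset can never approve its own reset."""
        req = self.requests.get(req_id)
        if req is None or approver not in self.admins or approver == req.account:
            return False
        req.approvals.add(approver)
        return True

    def complete(self, req_id: str, raw_token: str, new_password: str) -> str:
        req = self.requests.get(req_id)
        if req is None or req.used:
            return "rejected: unknown or already used"
        if self.clock() - req.created_at > self.ttl:
            return "rejected: expired"
        presented = hashlib.sha256(raw_token.encode()).digest()
        if not hmac.compare_digest(presented, req.token_hash):
            return "rejected: bad token"
        if len(req.approvals) < self.required:
            return f"rejected: {len(req.approvals)}/{self.required} approvals"
        req.used = True                      # single use, even if the link leaks later
        # Storing the new password with a proper password hash is out of scope here;
        # this demo only records that the reset went through.
        self.completed.append((req.account, req_id))
        return "ok"


if __name__ == "__main__":
    svc = ResetService(admins={"alice", "bob", "carol"})
    rid, token = svc.request_reset("ops-account")
    print(svc.complete(rid, token, "new-secret"))   # rejected: 0/2 approvals
    svc.approve(rid, "alice"); svc.approve(rid, "bob")
    print(svc.complete(rid, token, "new-secret"))   # ok
```

Because the token hash, the approval set and the `used` flag all live server-side, an attacker who reads the email gets a credential that is worthless without two independent admins acting, and that stops working the moment it is used or expires.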
Raize
May 11, 2012, 03:05:33 PM #77

Has anyone ever pulled up the old MtGox list of user accounts and hashes, compiled all the passwords from a rainbow table, then run them through common logins like Bitcoinica's to see which ones still worked?
Raoul Duke (aka psy)
May 11, 2012, 03:07:18 PM #78

> Has anyone ever pulled up the old MtGox list of user accounts and hashes, compiled all the passwords from a rainbow table, then run them through common logins like Bitcoinica's to see which ones still worked?

What does that have to do with this?
Raoul Duke (aka psy)
May 11, 2012, 03:15:21 PM #79

> Z, can you put the site up now?

Without finding the breach I don't think it would be a good idea...
Are you in a hurry to withdraw, or?
Relax dude, I'm certain ZhouTong will do the right thing.
In fact I shouldn't even be nagging him so much. There's time for that if he decides to walk the wrong path.
Raoul Duke (aka psy)
May 11, 2012, 03:17:01 PM #80

>>> Z, can you put the site up now?
>>
>> Without finding the breach I don't think it would be a good idea...
>> Are you in a hurry to withdraw, or?
>> Relax dude, I'm certain ZhouTong will do the right thing.
>
> Can't short, grrrrrr

OH, LOL :P