[Emergency ANN] Bitcoinica site is taken offline for security investigation

[Phinnaeus Gage]

Let me play it another way, How can anyone now be sure that you didnt setup the whole process to cashout profitably since you knew this wont last for you anymore ?

Since there is a certain lack of transparency and now apparently no liability on you side, this could just have been a massive cashout process for you and everyone else is holding a bag of shit ?

Of course the owner is important, if someone have a ton of money that may go the way of the DODO they would want to know who to hold accountable one way or another since its apparently not you anymore.

What I find most disturbing from your recent comments is the fact that you seem to think that it shouldnt matter who the owners are.

Exactly what I though when I read it. I may need to be corrected on this statement/question, but... How does a person who doesn't own a company communicate with Rackspace to have another company's site shut down? (hopefully, one understands the gist of the question)

[1714811428]

1714811428

[1714811428]

1714811428

[1714811428]

1714811428

[1714811428]

1714811428

[hazek]

how destructive moral hazard to a market is

Maybe just this one, since I still don't understand it. I understand each word separately but it just reads like word salad to me.

You know you could google "moral hazard" if you really wanted to learn.. and find the first link going here: http://en.wikipedia.org/wiki/Moral_hazard

In short it's a theory that says that if you remove risk from a market transaction you create an environment where there is an added incentive for committing fraud or simply doing stupid things. Risk is what keeps greed in check and without it you have moral hazard and a lot more bad outcomes.

Thank you for some interesting reading.

FYI I couldn't google it because I wasn't sure which part of the phrase was important. Destructive moral? Or hazard to a market? I just didn't follow your jargon.

I apologize, 'the curse of knowledge' got the best of me I'm afraid. ('curse of knowledge' also is a thing that you might find interesting to learn about )

[neofutur]

We have over 80% of our Bitcoins in offline wallets at the moment before the attack. We had to keep a large balance because the withdrawals are huge!

use mtgox code for any withdrawals above 500 btc /24h

that or better, as a customer I would accept that any withdrawal above 100 btc / day will be delayed up to 24 hours, ( only 100 /day/customer is immediate ).

[giszmo]

Today, we have discovered a suspicious Bitcoin transaction that doesn't seem to be initiated by any one of the company owners.

If I have a wallet to run my business, how can it be a good idea to have more than one person having access to the private keys? In this case at least 4 people (owners and zhoutong) had officially access to the key, a dozen others to the server physically and many others had access to root-password-reset-email-account-servers. Any theft is perfectly deniable by the thief if it's any of them.

Bitcoinica can have mechanisms when cashing out that put certain amounts on hold if they look fishy by some metrics but that's application layer and with the unencrypted keys on the machine many people can just circumvent that layer.

If I wanted to do it right, how should I do it? Keep the private keys at home providing signatures to the application after sanitizing? This way I could reduce the access to the wallet from many to one. I could have a fraction of the wallet in each owner's machine or one takes full responsibility. Then the attacker would have to forge legit api requests to sign transactions flying under the radar and the parameters of the radar would not be public. Worst case would be pissed customers waiting longer than necessary and apparently legit cash outs that weren't but that will not sum up to 20k in one day. If one customer cashes out 20kBTC, I call him. Twice. And he will thank me for the nice chat.

On my "laptop" with the wallet I could have a service running that constantly polls a bitcoinica api for transactions to be signed. Small amounts summing up to less than x BTC get cleared automatically, bigger amounts get delayed by an hour for random review and checkpot amounts are put on hold indefinitely until clearing them manually.

This would not require any trust to more than one person and the PC at home would not even require to accept inbound traffic.

Warning - while you were typing 20 new replies have been posted. You may wish to review your post.

... crazy ...

[paraipan]

I'm not very fond of bitcoinica, like some of you already know, but i only hope this issue is resolved in a professional manner by whoever is in charge right now and the bitcoin ecosystem continue evolving at it's normal course. I will be following updates on this thread.

[Littleshop]

I don't get it. Not so long ago Bitcoinica lost 40k BTC due to Linode hack, and they could afford to fully reimburse the amount and continue normal site operations. Now they've lost "only" less than half of it, and they're closing down? What did change in the meantime?

My guess is that before the FIRST loss hey had a bunch of BTC due to the quite high fees they charge.  After the loss they were probably doing fractional reserve and rebuilding but had enough to cover what people wanted to withdraw.  My guess is now they do not have enough to cover the expected withdrawals and would need to 'invest' real money into bitcoinica to re-start it.

[Raoul Duke]

What is this mass leak crap

Sounds like some sort of covert/psy-ops crap. OMG let's all freak out because the cracker is trying to create a fake viral rumour of a myth that Bitcoin has some terrible undiscovered weakness! Everybody panic!!

I think it's Bitcoinica's database that will be leaked
If they are really nasty they'll leak their codebase also lol

[N12]

we are lucky IF they reimburse...

they are registered and i had all my balance is USD not bitcoins the law is on my side

MyBitcoin was a registered company (LLC) too. Pretty useless if you ask me.

I do believe the Intersango people will make everything whole again though.

[Raoul Duke]

What is this mass leak crap

Sounds like some sort of covert/psy-ops crap. OMG let's all freak out because the cracker is trying to create a fake viral rumour of a myth that Bitcoin has some terrible undiscovered weakness! Everybody panic!!

I think it's Bitcoinica's database that will be leaked
If they are really nasty they'll leak their codebase also lol

I don't know, but OMG I think I may have just had some sort of psychic connection with the cracker. When I came to, I realised I had cut myself and written the following binary code on my Mum's basement wall, using my own blood:

01110100 01101000 01101001 01110011 00100000 01101001 01110011 00100000 01101010 01110101
01110011 01110100 00100000 01110100 01101000 01100101 00100000 01100010 01100101 01100111
01101001 01101110 01101110 01101001 01101110 01100111

 
I'm no good with binary. Does anybody know what it could mean?

It will be time who'll prove if I'm right or wrong, not your schizophrenic ramblings.
But I'm quoting your text and reserving the right to call you out when I'm proved right...

[bulanula]

What I love about these hacks :

-no IPs posted
-no logs
-no other evidence except zhoutong's transaction proving he got 18k richer imho

I got hacked as well !!! Where's my intersango bailout folks

[JusticeForYou]

The important thing is who is liable for the customer deposits.

It is Bitcoin. The original owners are liable for their 'own' bitcoins. If they chose to give that responsibility to someone else, it is on them.

If we start holding 'others' responsible for the control of our money, lets just stick with the FED, Banks, CU's. They have a system already in place and there is no need to re-invent the wheel.

Everyone likes pointing fingers but quite often forget to look in the mirror. The key word in the above quote is 'customer'. If the business wants to keep them, they'll come up with a solution to make them happy and relatively soon. But the 'customers' knew what Bitcoinica was when they put money into them, so it is their liability.

Did anyone ever lose a wallet with everything in it?  Who are you the most mad at? Be honest. Yourself.

[Cluster2k]

I haven't been a great fan of Bitcoinica in the past.  The service introduced, at times, great volatility into bitcoin's price and I felt bitcoin itself was too immature to sustain a leveraged short selling system.

But I do admire what Zhoutong and the team he works with have achieved, and I hope they get the site running within a few weeks.  No doubt there will be many sleepless nights ahead.  There seems to be a lot of criticism aimed at Zhoutong at the moment regarding the hack.  Some probably justified, but let's all remember that Bitcoinica is the victim.  There's a thief out there with quite a bit of stolen money.

[Raoul Duke]

There's a thief out there with quite a bit of stolen money.

Don't worry. Soon enough you'll have some of it in your wallet also, wether you want it or not

[cryptoanarchist]

The best part about this is that its a so called "registered FSP"...just shows what that amounts to.

[allten]

The important thing is who is liable for the customer deposits.

It is Bitcoin. The original owners are liable for their 'own' bitcoins. If they chose to give that responsibility to someone else, it is on them.

If we start holding 'others' responsible for the control of our money, lets just stick with the FED, Banks, CU's. They have a system already in place and there is no need to re-invent the wheel.

Everyone likes pointing fingers but quite often forget to look in the mirror. The key word in the above quote is 'customer'. If the business wants to keep them, they'll come up with a solution to make them happy and relatively soon. But the 'customers' knew what Bitcoinica was when they put money into them, so it is their liability.

Did anyone ever lose a wallet with everything in it?  Who are you the most mad at? Be honest. Yourself.

So easy to say when it's not you that lost coins, but it is true.

As much as I liked Bitcoinica and wished for their success, I never felt uncomfortable leaving
deposits with them for an extended period of time.

Just be grateful for any reimbursement you get.

I'm now hoping for some competition to rise out of this dust.

[Raoul Duke]

I'm now hoping for some competition to rise out of this dust.

Totally. Thieves should be given a choice on who to steal from. It's not funny doing it to the same dudes over and over

[paraipan]

What is this mass leak crap

Sounds like some sort of covert/psy-ops crap. OMG let's all freak out because the cracker is trying to create a fake viral rumour of a myth that Bitcoin has some terrible undiscovered weakness! Everybody panic!!

I think it's Bitcoinica's database that will be leaked
If they are really nasty they'll leak their codebase also lol

I don't know, but OMG I think I may have just had some sort of psychic connection with the cracker. When I came to, I realised I had cut myself and written the following binary code on my Mum's basement wall, using my own blood:

01110100 01101000 01101001 01110011 00100000 01101001 01110011 00100000 01101010 01110101
01110011 01110100 00100000 01110100 01101000 01100101 00100000 01100010 01100101 01100111
01101001 01101110 01101110 01101001 01101110 01100111

 
I'm no good with binary. Does anybody know what it could mean?

this is just the beginning

http://www.theskull.com/javascript/ascii-binary.html

[bbit]

Why can't they just "disable" stolen bitcoins. I mean we are in the 21st century we should use the digital aspect of this to our advantage yes?

this would also raise the value of bitcoins if we can say "stolen proof" also 

[BadBear]

Why can't they just "disable" stolen bitcoins. I mean we are in the 21st century we should use the digital aspect of this to our advantage yes?

this would also raise the value of bitcoins if we can say "stolen proof" also  

And who decides what coins should be disabled? And who makes sure that those people in charge aren't corrupted or influenced? And how do they enforce it, and how could others be prevented from exploiting it?

[JusticeForYou]

Why can't they just "disable" stolen bitcoins. I mean we are in the 21st century we should use the digital aspect of this to our advantage yes?

this would also raise the value of bitcoins if we can say "stolen proof" also 

Are you serious?

The value would go to Zero. Heck, the negative Bitcoins would be spent.