[Emergency ANN] Bitcoinica site is taken offline for security investigation

[Tuxavant]

I second that Yankee would make a great PR guy for Intersango or should at least be on the board of directors.

+1

[1715368702]

1715368702

[1715368702]

1715368702

[1715368702]

1715368702

[Clipse]

I know all the owners of Bitcoinca personally, in fact I spoke to one of them not a few hours ago.
They have families, live in house, and are not going anywhere.

Are you empowered to speak for them?  How do you happen to know them all personally when its been the ultimate secret for 6 months?  Did the BitInstant trio buy Bitcoinica?

Only God empowers me  

I've spent alot of money and time traveling around the world meeting most of the owners of exchanges, merchants, and platforms. Since Bitinstant works with them all, we take risk and I'm required to do my own due diligence.

I can confirm that we did not buy Bitcoinica. We have no intention of becoming or owning an exchange at this point.

I can confirm I do know the current owners and the team running Bitcoinica. I know their families, have eaten meals with them, have hosted them when they came to NY. Intersango is running Bitcoinica in conjunction with the owners. Anything else I'm bound legally to keep within our company walls.

Oh, Bitinstant is not a trio- there are 6 of us now  

Do you think this discussion is funny in any way? You have an absolute smug approach to serious questions posed which I find distasteful at best.

Since you have so much contact with the owners and partners and whatnot, get them to be proactive and post about the shitstorm they put their clients in and stop hiding behind their pseudo-criminal anonymity.

I don't think its funny in anyway, in fact I answered every question with as much detail I'm legally allowed to, so you should be saying Thank You.

Funny? I have over $20,000 held up in my Bitcoinica account and I won't be getting it back anytime sooner then you will. We are all in the same boat pal.

Smug Approach? I think you forget how we helped all of TradeHill's customers withdraw their money when TH closed down. We actually lost money on that gig. Please don't lecture me about Bitinstant's contributions to this community. I'm actually insulted by your condescending attitude towards me right now.

I can assure you the Intersango team is working around the clock to get this resolved as soon as possible. I think Zhou said he will update everyone on Monday and today is Sunday.

Frankly I dont care what you think about my response, Im not here to lick the ass of any company be it big or small. Alot of serious questions were raised in here and you responded with apparent knowledge of all the people in the know-how however you choose to essentially laugh it off with your recent response(before my response) where you could have responded that you will let the "powers in charge" know about everyones concerns.

Why is zhou updating anyone? He isnt the one accountable anymore(his own words) nor is he even working for bitcoinica anymore(he stated he is posting since everyone know him from bitcoinica and nothing more) so why do all of us have to wait for him to respond if he is in fact not even a part of bitcoinica main ownership/employees anymore.

Again, if you know the people in charge, let them know that people are worried about their bitcoinica balances.

[M4v3R]

We are building an account claim page. You can submit your account information, financial information (balances) and trading information to verify your identity. We will then match with the records we have. If they have matched, we will send Bitcoin balance to your nominated Bitcoin address within 24 hours and USD balance with unrealized P/L to your email as a Mt. Gox code. If you sent the funds to us via Wire (i.e. you don't use Mt. Gox at all), we will try our best to fulfill wire transfer requests.

Current positions will all be liquidated at a settlement price. We haven't decided the price yet, but my personal estimate is 4.98 / 4.94. (All long positions can liquidate at 4.98 and all short positions can liquidate at 4.94, we pay the spread for you.) All unrealized P/L will be settled in USD. If you don't have sufficient USD balance, we will use your BTC to settle, with the mid-point exchange rate (again, we pay the spread).

The page will be up in a few days but I don't have accurate information on this. Patrick is working on the page now. Thanks for your understanding and patience.

This is just plain wrong. I have had mid- and long-term positions there. Some were in the green, but some were in the red. I didn't have any intention to touch them now, let alone liquidate them fully! Forcing me to do that is nothing more than taking forcefully my money with you. I really hope you reconsider this.

[Yankee (BitInstant)]

I second that Yankee would make a great PR guy for Intersango or should at least be on the board of directors.

+1

I would not mind  

Try and remember this, when TradeHill announced they are shutting down everyone flipped out about wether they were getting their money back.

I constantly acted as middle man between TH and this community. We build an automated system so everyone can withdraw their funds via check or into another exchange. We had to manually verify every single customer for AML requirements which was not easy.

Furthermore, we also arbitrated dozens of disputes between TH and customers, all which are now resolved.

As soon as I knew an update, I posted it on these forums and recieved phone calls day and night of customers seeking assurance even though I had no stake in tradehill whatsoever

I plan on doing the same for Bitcoinica.

We already have a withdrawal system in place where anyone can withdraw their Bitcoinica funds to another exchange within minutes for fees ranging between 0.89%-1.29%

We are finishing up a check withdrawal option so you can get a check in 3 days, in addition to the wire and local bank transfer withdrawal option we're building.

Frankly I dont care what you think about my response, Im not here to lick the ass of any company be it big or small. Alot of serious questions were raised in here and you responded with apparent knowledge of all the people in the know-how however you choose to essentially laugh it off with your recent response(before my response) where you could have responded that you will let the "powers in charge" know about everyones concerns.

Why is zhou updating anyone? He isnt the one accountable anymore(his own words) nor is he even working for bitcoinica anymore(he stated he is posting since everyone know him from bitcoinica and nothing more) so why do all of us have to wait for him to respond if he is in fact not even a part of bitcoinica main ownership/employees anymore.

Again, if you know the people in charge, let them know that people are worried about their bitcoinica balances.

I see here that your anger at Bitcoinica is being directed at me, for that I have nothing left to say to you.

My responses to you were not 'funny' they were meant to lighten the solemn mood. I have over $20,000 held up in my Bitcoinica account and I won't be getting it back anytime sooner then you will. We are all in the same boat pal.

If the Bitcoinica team allows me, I plan on updating this community as much as I can and I will be glad to help in any disputes.

I hope my past and future services to this community have build enough trust with you all, and I'm humbled to be apart of Bitcoin

-Charlie

[legitnick]

Still waiting for the logs.................................................

[LightRider]

I can't wait to read all about this in the Bitcoin Magazine.

[Raoul Duke]

I can't wait to read all about this in the Bitcoin Magazine.

Christmas 2015 Edition?

[muyuu]

We are building an account claim page. You can submit your account information, financial information (balances) and trading information to verify your identity. We will then match with the records we have. If they have matched, we will send Bitcoin balance to your nominated Bitcoin address within 24 hours and USD balance with unrealized P/L to your email as a Mt. Gox code. If you sent the funds to us via Wire (i.e. you don't use Mt. Gox at all), we will try our best to fulfill wire transfer requests.

Current positions will all be liquidated at a settlement price. We haven't decided the price yet, but my personal estimate is 4.98 / 4.94. (All long positions can liquidate at 4.98 and all short positions can liquidate at 4.94, we pay the spread for you.) All unrealized P/L will be settled in USD. If you don't have sufficient USD balance, we will use your BTC to settle, with the mid-point exchange rate (again, we pay the spread).

The page will be up in a few days but I don't have accurate information on this. Patrick is working on the page now. Thanks for your understanding and patience.

This is just plain wrong. I have had mid- and long-term positions there. Some were in the green, but some were in the red. I didn't have any intention to touch them now, let alone liquidate them fully! Forcing me to do that is nothing more than taking forcefully my money with you. I really hope you reconsider this.

What is your alternative if Bitcoinica's going offline and coming back with a new system in a matter of months? do you prefer to keep your position for that long without the option to change it? did you consider that when the "expected mass leak" happens your position and everybody else's will be disclosed and you can get zhoutonged for real?

The least disruptive course of action is precisely the one ZT described. That much is clear. Unless he can enable the site selectively which appears not to be the case.

[M4v3R]

What is preventing them from putting the site up? If they worry about the attacker logging into customer accounts (which, because they claim the passwords are salted & hashed with bcrypt seems not probable) they could just reset all users' passwords and let them log in using activation code. People that have 2nd auth via Google Authenticator will be even more secure this way*. Doing it like this would enable users to decide for themselves if they want to shut down their positions or not. Doing it on behalf of users against their will is just wrong to me.

*there's always a possibility that the attacker tampered with the database. But it's nearly impossible to tell which data was tampered with and which wasn't, so either way they're in pretty hot water.

[JusticeForYou]

We are building an account claim page. You can submit your account information, financial information (balances) and trading information to verify your identity. We will then match with the records we have.

If only there were some technology that used a second form of authentication, perhaps a one time password delivered to a mobile, as sufficient verification of identity.  Oh wait .... there is.

I believe even MT requires to be woken up in the middle of the night on large movements. Sometimes, I believe, by actually talking to the owner.

[muyuu]

What is preventing them from putting the site up? If they worry about the attacker logging into customer accounts (which, because they claim the passwords are salted & hashed with bcrypt seems not probable) they could just reset all users' passwords and let them log in using activation code. People that have 2nd auth via Google Authenticator will be even more secure this way*. Doing it like this would enable users to decide for themselves if they want to shut down their positions or not. Doing it on behalf of users against their will is just wrong to me.

*there's always a possibility that the attacker tampered with the database. But it's nearly impossible to tell which data was tampered and which wasn't, so either way they're in pretty hot water.

They don't want to risk it.

They don't want to take even further damage on an insecure system, by the looks of it.

I'm pretty sure they would put it back online right now if they could, their time offline is costly for them. They lose prospective users and credibility by the minute. So I guess they just cannot trust the system to put it online even for a minute.

Anyway you do well in voicing your suggestions. Maybe they can actually afford to give it a try, we'll see tomorrow I guess.

It's a bit confusing that they decided to take their blog offline as well. I wonder what are they up to right now. They could do a bit better in the communication front.

[Stephen Gornick]

*there's always a possibility that the attacker tampered with the database. But it's nearly impossible to tell which data was tampered with and which wasn't, so either way they're in pretty hot water.

If only database technology was available for financial services where there is the ability to store transactions with auditable history as well as there being an archive log such that recovery to a point in time is possible.  If only such a thing existed ....

[JusticeForYou]

We have new (old) information on this, though:

In November, an investor approached me to acquire Bitcoinica. Due to regulatory concerns, I agreed to the deal and signed the agreement. Bitcoinica was sold for a good price. However, since the investor is unable to arrange for a replacement team, I continued to become the sole operator until Team Intersango took over two weeks ago. The investor let me keep all profits until late January, the official handover time. After handover, he continued to offer generous salary and performance bonus every month. The investor demands his identity to be protected so I won't share more information on this.

This does not sound like Intersango hold most of the shares. I fully disagree with guruvan’s sentiment, in my view at the very least genjix (Amir Taaki) and phantomcircuit (Patrick Strateman) are some of the most trustworthy people around here. I would distrust this ominous investor if I was you.

Especially since he demands privacy.

I see both sides here. However, if you don't respect his/her privacy as instructed, give back his/her money.

[M4v3R]

*there's always a possibility that the attacker tampered with the database. But it's nearly impossible to tell which data was tampered with and which wasn't, so either way they're in pretty hot water.

If only database technology was available for financial services where there is the ability to store transactions with auditable history as well as there being an archive log such that recovery to a point in time is possible.  If only such a thing existed ....

From what Zhou posted I assume Bitcoinica was using plain old MySQL, so no luck with this.

EDIT: Unless they have done daily offsite database backups. That would help - you would just compare it to existing DB to check if it was tampered with.

[JusticeForYou]

*there's always a possibility that the attacker tampered with the database. But it's nearly impossible to tell which data was tampered with and which wasn't, so either way they're in pretty hot water.

If only database technology was available for financial services where there is the ability to store transactions with auditable history as well as there being an archive log such that recovery to a point in time is possible.  If only such a thing existed ....

Is there such a thing?  WOW... who would have thunk it.

[muyuu]

*there's always a possibility that the attacker tampered with the database. But it's nearly impossible to tell which data was tampered with and which wasn't, so either way they're in pretty hot water.

If only database technology was available for financial services where there is the ability to store transactions with auditable history as well as there being an archive log such that recovery to a point in time is possible.  If only such a thing existed ....

From what Zhou posted I assume Bitcoinica was using plain old MySQL, so no luck with this.

EDIT: Unless they have done daily offsite database backups. That would help - you would just compare it to existing DB to check if it was tampered with.

The requirement to send your personal info to get your wire transfer would cover that.

A hacker who'd tampered his own position/balance wouldn't send his credentials.

In any case, by the looks of it they are in damage control mode and forced liquidation at market prices seems the least damaging option if putting the site back online is for any reason out of the question.

I took all my coins out shortly after the first fiasco. The more I heard about the decisions behind the system, the more convinced I was it wasn't ready for the kind of "attention" it was bound to bring (*esp. after he decided to make it mandatory to send your real credentials to the site... I wouldn't want them to store my data). This is a clear force majeure case, I'd count my lucky stars with just having a position force-liquidated over just saying goodbye to all my balance, if I were in your position.

[Otoh]

just posted a claim pre-dating all these on the original Bitcoinica thread

https://bitcointalk.org/index.php?topic=42267.msg898334#msg898334

it's about $5,000 that you took me for - appreciate if you could fast track that Zhou, many thanks  

you can send it at any time to the address in my sig & move on or you can choose not to, do as you would be done by

[bulanula]

Still waiting for the logs.................................................

Hacker deleted all the evidence mate. The only evidence we have is the 18K TX. What more do you want

Are we getting payed the interest on our USD while this is going ? Can they afford to really buy 18K BTC again to compensate ? I doubt it.

[R-]

I'm only an employee at Acme Coins (acmecoins.com) and when I woke this morning and logged on, I noticed some strange transactions. Since everybody else was still sleeping, I called Rackspace and had the website shut down. Then I went to AcmeCoinTalk, the forum for said company, and posted what I did. I have yet to post on my official blog or put up a page on the official website because...

Using this as context for Zhous words, his story sounds weird.

[JoelKatz]

Unless the human saying yes must enter a passphrase to temporaily decrypt the wallet to send the transaction.

That gives you the worst of both worlds. No automated withdrawals are ever possible, and an attacker can just wait until a transaction is approved to snatch the keys out of memory.

Either that or having a set of wallets encrypted for large withdrawls that need manual authorization and a set of encrypted but loaded wallets for smaller transactions. So if a large withdrawl is needed then it is sent manually, but for smaller one they can be sent automatically from the currently loaded smaller wallet. and if a smaller wallet is running low, then the remaining balance should be transfered to another small wallet specifically for the spare change and the wallet moved to another in the line. This way the majority of the money is very accessible and there is minimal risk to either party. This will protect against people breaking into a machine containing the wallet(s) and stealing them as they will be encrypted. The most they may get is the contents of a smaller wallet if this is properly monitored.

That's what happens when someone steals from a hot wallet. They get all the money that was available for automated transactions, plus any additional funds in wallets whose keys they were able to find in transient storage.

The correct solution is really never to use a hot wallet at all. There is no reason a key ever needs to be on a machine with Internet access. Methods to sign something with a key while preventing theft of the key or signing of bogus data are well understood since certificate authorities worked them all out. The irony is that CAs frequently ignore these well-understood security practices too.

One way is to a have a machine that is physically secure whose sole purpose is to sign transactions. It can talk over a serial port to a machine with Internet access. The software on the physically-secure machine controls the signing of transactions and is the only machine that can actually process a withdrawal. Any thief could, at most, compromise the machine at the other end of the serial port and would be limited to the commands that exist over the serial link. He could never extract a key that can sign Bitcoin transactions nor can he process a transaction that doesn't meet your security requirements. Yet transactions that do meet those requirements can process without human intervention.