Bitcoin Forum
Author Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation  (Read 224562 times)
realnowhereman
Hero Member
Activity: 504
Merit: 502
May 14, 2012, 09:27:02 AM
#661

Thanks for the update.

Quote
- Later we found out that Patrick's email server was compromised, and since he is in our mailing list, all emails sent to info@bitcoinica.com were delivered to his compromised email account.

I normally don't go in for mud slinging, but Patrick has history.  This is "Patrick the self-proclaimed security expert"?  This is "Patrick who released all the emails of Intersango's customer base"?

  • How hard is it to secure an email server?  Jeez, the days of ten sendmail hacks a month are long behind us.
  • Again: emails are postcards; can all you supposed security experts stop treating them as if they are secure point-to-point communications?  Why wasn't gpg used for these reset emails?
  • What raving lunatic has a password reset system going to a mailing list?
  • A "security expert" with a compromised email server doesn't sound good to me.  In all the time he was penetration testing all the other exchanges, he couldn't have done a bit to secure his own servers?
  • How long has this server been compromised?  Is it the Intersango email server?  Have all Intersango communications been compromised too?
  • Is this more than just an email server? What other services were running on this compromised machine?


Quote
- We are now working on a settlement plan. Patrick is in charge of the claim page.

You'll forgive me if, given the current situation, that doesn't inspire me with confidence.

So much so, that I think we should all start asking for considerably more detail about how Intersango is organised internally?  How much is in the hot wallet there?  How is that hot wallet secured?  Is Intersango VPS hosted as well?  Is it Rackspace too?

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
zhoutong (OP)
VIP
Hero Member
Activity: 490
Merit: 502
May 14, 2012, 09:35:04 AM
#662

Quote
Thanks for the update.

- Later we found out that Patrick's email server was compromised, and since he is in our mailing list, all emails sent to info@bitcoinica.com were delivered to his compromised email account.

I normally don't go in for mud slinging, but Patrick has history.  This is "Patrick the self-proclaimed security expert"?  This is "Patrick who released all the emails of Intersango's customer base"?

  • How hard is it to secure an email server?  Jeez, the days of ten sendmail hacks a month are long behind us.
  • Again: emails are postcards; can all you supposed security experts stop treating them as if they are secure point-to-point communications?  Why wasn't gpg used for these reset emails?
  • What raving lunatic has a password reset system going to a mailing list?
  • A "security expert" with a compromised email server doesn't sound good to me.  In all the time he was penetration testing all the other exchanges, he couldn't have done a bit to secure his own servers?
  • How long has this server been compromised?  Is it the Intersango email server?  Have all Intersango communications been compromised too?
  • Is this more than just an email server? What other services were running on this compromised machine?


- We are now working on a settlement plan. Patrick is in charge of the claim page.

You'll forgive me if, given the current situation, that doesn't inspire me with confidence.

So much so, that I think we should all start asking for considerably more detail about how Intersango is organised internally?  How much is in the hot wallet there?  How is that hot wallet secured?  Is Intersango VPS hosted as well?  Is it Rackspace too?


We don't have control over the password reset emails. They are sent by Rackspace. Basically, if you have access to one's email, you have access to all his Rackspace servers and Cloud Files.

We use a mailing list for info@bitcoinica.com for an obvious reason, everyone of us wants to know any email sent to this address. We are registering every single web service with this email address. It's like an automatic mail forwarder that forwards to multiple recipients. It's hosted by Google Apps for Business and Patrick is the only external recipient.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
Raoul Duke
aka psy
Legendary
Activity: 1358
Merit: 1002
May 14, 2012, 09:37:51 AM
#663

Quote
Thanks for the update.

- Later we found out that Patrick's email server was compromised, and since he is in our mailing list, all emails sent to info@bitcoinica.com were delivered to his compromised email account.

I normally don't go in for mud slinging, but Patrick has history.  This is "Patrick the self-proclaimed security expert"?  This is "Patrick who released all the emails of Intersango's customer base"?

  • How hard is it to secure an email server?  Jeez, the days of ten sendmail hacks a month are long behind us.
  • Again: emails are postcards; can all you supposed security experts stop treating them as if they are secure point-to-point communications?  Why wasn't gpg used for these reset emails?
  • What raving lunatic has a password reset system going to a mailing list?
  • A "security expert" with a compromised email server doesn't sound good to me.  In all the time he was penetration testing all the other exchanges, he couldn't have done a bit to secure his own servers?
  • How long has this server been compromised?  Is it the Intersango email server?  Have all Intersango communications been compromised too?
  • Is this more than just an email server? What other services were running on this compromised machine?


- We are now working on a settlement plan. Patrick is in charge of the claim page.

You'll forgive me if, given the current situation, that doesn't inspire me with confidence.

So much so, that I think we should all start asking for considerably more detail about how Intersango is organised internally?  How much is in the hot wallet there?  How is that hot wallet secured?  Is Intersango VPS hosted as well?  Is it Rackspace too?


http://bgp.he.net/dns/intersango.com#_whois
http://bgp.he.net/dns/intersango.com#_ipinfo
http://bgp.he.net/dns/intersango.com#_dns

At least you can find who they use for hosting, administrative contact and from where they send their emails...
As for the wallet, only they can answer
muyuu
Donator
Legendary
Activity: 980
Merit: 1000
May 14, 2012, 09:53:22 AM
#664


Quote
http://bgp.he.net/dns/intersango.com#_whois
http://bgp.he.net/dns/intersango.com#_ipinfo
http://bgp.he.net/dns/intersango.com#_dns

At least you can find who they use for hosting, administrative contact and from where they send their emails...
As for the wallet, only they can answer

That doesn't mean much. Rackspace also offers local unmanaged and colo servers in the UK.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
realnowhereman
Hero Member
Activity: 504
Merit: 502
May 14, 2012, 10:05:31 AM
#665

Quote
We don't have control over the password reset emails. They are sent by Rackspace. Basically, if you have access to one's email, you have access to all his Rackspace servers and Cloud Files.

Well that's okay then -- it's all rackspace's fault?

Ask yourself -- do you think complete access to HSBC's financial computing system can be obtained if you can see one email (bear in mind that a compromised email server is not required to read other people's emails, they travel in plain text through multiple systems)? Would you guess that a virus on the CEO of CitiBank's home laptop would let you transfer all the customer's cash to a Nigerian "prince"?

Anyway; it's easy to be wise after the event.  I'm more concerned at the ease of attack of the massive financial institutions of Bitcoin; and the apparent non-recognition of a single point of weakness.  More importantly though: an inability to learn from the past.  How was the Linode theft achieved -- oh yes, by busting into the VPS management account.  How was this theft achieved -- busting into the VPS management account.  Did anyone there or at Bitcoin Consultancy not think "changing VPS provider doesn't alter the attack vector, we are as vulnerable as we were"?

(You had multiple people with the root password -- at the very least you could have demanded that rackspace disable the password reset feature for your account.)

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
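An added illustration, not code from the thread or from Bitcoinica: the trust chain the last few posts describe (admin mailing list, any recipient's mailbox, the provider's email-only password reset, every server and the hot wallet behind the account) modelled as a small access graph. Node names and edges are constructed; the walk shows that swapping hosting providers leaves the exposure of a single lost mailbox unchanged, while requiring a second factor on account recovery removes the path entirely.

```python
from collections import deque

# Constructed node names. The shape mirrors the thread: an admin mailing list
# fans out to several mailboxes, and an email-only password reset at the host
# turns any one of those mailboxes into control of the whole account.
SENSITIVE_PREFIXES = ("server:", "wallet:")
LIST_NODE = "list:info@"


def build_graph(provider, reset_needs_second_factor=False):
    """'Grants access to' adjacency map for one hosting provider.

    `provider` is only a label: the edges are identical whichever host is
    used, which is the point made about moving from one VPS provider to
    another without changing the recovery mechanism.
    """
    edges = {
        LIST_NODE: ["mailbox:founder", "mailbox:external-member"],
        "mailbox:founder": [],
        "mailbox:external-member": [],
        f"account:{provider}": ["server:app", "server:db", "wallet:hot"],
    }
    if not reset_needs_second_factor:
        # Email-only recovery: whoever reads the reset mail owns the account.
        for mailbox in edges[LIST_NODE]:
            edges[mailbox].append(f"account:{provider}")
    return edges


def reachable(edges, start):
    """Breadth-first walk over the access graph from a compromised node."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposed_assets(edges, compromised):
    """Sensitive assets reachable by whoever controls `compromised`."""
    return {n for n in reachable(edges, compromised) if n.startswith(SENSITIVE_PREFIXES)}


def exposure_per_recipient(edges):
    """Blast radius of each mailbox on the list; the list is only as safe as
    its weakest recipient, so every entry is a single point of failure."""
    return {mailbox: exposed_assets(edges, mailbox) for mailbox in edges[LIST_NODE]}


def provider_swap_changes_exposure(old, new, reset_needs_second_factor=False):
    """True only if changing hosts actually shrinks what one lost mailbox reaches."""
    victim = "mailbox:external-member"
    before = exposed_assets(build_graph(old, reset_needs_second_factor), victim)
    after = exposed_assets(build_graph(new, reset_needs_second_factor), victim)
    return before != after


if __name__ == "__main__":
    for provider, mfa in (("linode", False), ("rackspace", False), ("rackspace", True)):
        graph = build_graph(provider, mfa)
        print(provider, "second factor" if mfa else "email-only reset",
              sorted(exposed_assets(graph, "mailbox:external-member")))
    print("host change alone helps:", provider_swap_changes_exposure("linode", "rackspace"))
```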
jixapori
Newbie
Activity: 46
Merit: 0
May 14, 2012, 10:17:48 AM
Last edit: May 14, 2012, 10:35:03 AM by jixapori
#666

Without getting into details, obviously these types of compromises can be nipped in the bud in a properly set up system... too late now...

In any case, if people are reimbursed then they have nothing to complain about; if they won't be then I assume they are simply out of luck (unless their funds were somehow insured). There is always risk in finance, nothing special about bitcoins in that regard.

BTW, just in case someone suddenly gets the urge to open their own bank or something, even just an email system requires multiple dedicated machines, and I mean more than one or two or three. You can just forget about gmail, VPS providers, etc.
marcus_of_augustus
Legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
May 14, 2012, 12:28:02 PM
#667


Good to see the pretenders and lightweights are getting weeded out as need be. Better to go through these kind of stresses, shall we call it 'testing', while the experiment is still beta.

Now anyone who has received 'dirty' coins and wants to give those 'tainted' coins back, if they feel it is the right thing to do, can send them to zhou or who? That weak fungibility is almost worth a bug report or do we need to see it happen a few more times?

caston
Hero Member
Activity: 756
Merit: 500
May 14, 2012, 12:49:33 PM
#668

I think I can see some bitconica spin off filling the void. Hey even vircurex has a open API... why not make an alt-coinica?

bitcoin BTC: 1MikVUu1DauWB33T5diyforbQjTWJ9D4RF
bitcoin cash: 1JdkCGuW4LSgqYiM6QS7zTzAttD9MNAsiK

-updated 3rd December 2017
blablahblah
Hero Member
Activity: 775
Merit: 1000
May 14, 2012, 01:05:58 PM
#669


Quote
Good to see the pretenders and lightweights are getting weeded out as need be. Better to go through these kind of stresses, shall we call it 'testing', while the experiment is still beta.

Now anyone who has received 'dirty' coins and wants to give those 'tainted' coins back, if they feel it is the right thing to do, can send them to zhou or who? That weak fungibility is almost worth a bug report or do we need to see it happen a few more times?

Wasn't 'tainting' a MtGox speciality because of supposed regulatory pressure? I think their own security breach must've left a few scars. Perhaps there's a niche for some kind of decentralised/P2P exchange that the banking cronies can't bully?

guruvan
Hero Member
Activity: 532
Merit: 500
May 14, 2012, 01:12:06 PM
#670

Quote
I think everyone should keep in mind that the real person/group to be angry with is the hackers, not Bitcoinica.
Anyone who is smart enough to figure out how to steal 18K BTC from Bitcoinica is more than smart enough to do honest work.  I hope Zhou goes on to have a long successful career while the hackers and other thieves burn in hell.

Direct your anger towards the hackers!

My anger is directed at the incompetent staff of Bitcoinica, ESPECIALLY their new hires/owners (or w/e the fuck is going on!)

My anger is directed at those, who through their incompetence, will make me lose money on my position

You thieves should be returning everyone's money AT THEIR BASE PRICE and eatin shit yourselves, Bitcoinica. You're making your customers eat shit for your negligence and incompetence.

Can you say "criminal"?

or are we too busy congratulating the bitcoinica team members on such a job well done

Sorry, ZT, I don't wish you well until you PAY BACK ALL THE FUCKING MONEY YOU'RE STEALING.

Returning my current account balance is BULLSHIT since you're keeping the unrealized P/L. That's actually criminal in most jurisdictions, and I will be pursuing it in mine since bitcoinica has served Americans.

bulanula
Hero Member
Activity: 518
Merit: 500
May 14, 2012, 01:14:49 PM
#671

Quote
I think everyone should keep in mind that the real person/group to be angry with is the hackers, not Bitcoinica.
Anyone who is smart enough to figure out how to steal 18K BTC from Bitcoinica is more than smart enough to do honest work.  I hope Zhou goes on to have a long successful career while the hackers and other thieves burn in hell.

Direct your anger towards the hackers!

My anger is directed at the incompetent staff of Bitcoinica, ESPECIALLY their new hires/owners (or w/e the fuck is going on!)

My anger is directed at those, who through their incompetence, will make me lose money on my position

You thieves should be returning everyone's money AT THEIR BASE PRICE and eatin shit yourselves, Bitcoinica. You're making your customers eat shit for your negligence and incompetence.

Can you say "criminal"?

or are we too busy congratulating the bitcoinica team members on such a job well done

Sorry, ZT, I don't wish you well until you PAY BACK ALL THE FUCKING MONEY YOU'RE STEALING.

Returning my current account balance is BULLSHIT since you're keeping the unrealized P/L. That's actually criminal in most jurisdictions, and I will be pursuing it in mine since bitcoinica has served Americans.

Look at the guy on here called "meelba". He never got anywhere trying to sue Bitcoinica ...

Good luck though !
muyuu
Donator
Legendary
Activity: 980
Merit: 1000
May 14, 2012, 01:23:29 PM
#672

Quote
Returning my current account balance is BULLSHIT since you're keeping the unrealized P/L. That's actually criminal in most jurisdictions, and I will be pursuing it in mine since bitcoinica has served Americans.

Well... this is what I was talking about before. If they don't hurry up and the valuation of BTC swings substantially, they can be looking at a massive amount of damages to pay.

Look: those who're losing money on their position will want their loss forfeited since they're forced to close it prematurely. Those who're winning, they'll want the profit.
There is no way they can pay that and it will be worse every bit the valuation moves.

We are going to need to be reasonable here. At the end of the day it's going to be very hard for you to get anything at all if they call it quits.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
Nyaaan
Full Member
Activity: 140
Merit: 100
May 14, 2012, 01:30:42 PM
#673

-18547.66867623?
Shouldn't it be just 18547.66867623 (positive coins)?
Correct me if I'm wrong or just ignorant.
guruvan
Hero Member
Activity: 532
Merit: 500
May 14, 2012, 01:39:21 PM
#674

Quote
Returning my current account balance is BULLSHIT since you're keeping the unrealized P/L. That's actually criminal in most jurisdictions, and I will be pursuing it in mine since bitcoinica has served Americans.

Well... this is what I was talking about before. If they don't hurry up and the valuation of BTC swings substantially, they can be looking at a massive amount of damages to pay.

Look: those who're losing money on their position will want their loss forfeited since they're forced to close it prematurely. Those who're winning, they'll want the profit.
There is no way they can pay that and it will be worse every bit the valuation moves.

We are going to need to be reasonable here. At the end of the day it's going to be very hard for you to get anything at all if they call it quits.

If?

Sue? Hell no, why waste my time. The amount of money I will lose is not significant enough to do that.

However, since they're keeping money, I do think it's time that the regulatory agencies that they're subject to become informed of this potentially criminal action.

TBH, the whole thing looks staged to me. I'm really not buying the story much. I think that this should be investigated by the "proper authorities" 

zhoutong (OP)
VIP
Hero Member
Activity: 490
Merit: 502
May 14, 2012, 01:54:50 PM
#675

Quote
I think everyone should keep in mind that the real person/group to be angry with is the hackers, not Bitcoinica.
Anyone who is smart enough to figure out how to steal 18K BTC from Bitcoinica is more than smart enough to do honest work.  I hope Zhou goes on to have a long successful career while the hackers and other thieves burn in hell.

Direct your anger towards the hackers!

My anger is directed at the incompetent staff of Bitcoinica, ESPECIALLY their new hires/owners (or w/e the fuck is going on!)

My anger is directed at those, who through their incompetence, will make me lose money on my position

You thieves should be returning everyone's money AT THEIR BASE PRICE and eatin shit yourselves, Bitcoinica. You're making your customers eat shit for your negligence and incompetence.

Can you say "criminal"?

or are we too busy congratulating the bitcoinica team members on such a job well done

Sorry, ZT, I don't wish you well until you PAY BACK ALL THE FUCKING MONEY YOU'RE STEALING.

Returning my current account balance is BULLSHIT since you're keeping the unrealized P/L. That's actually criminal in most jurisdictions, and I will be pursuing it in mine since bitcoinica has served Americans.

We are returning all balances AND your unrealized P/L. And we are glad to settle at a negative-spread price, i.e. if you have a profitable position, you get even more; if you have a losing position, you lose less.

I have emphasized this more than once. If you are too impatient to read the posts carefully please don't be so angry.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
rjk
Sr. Member
Activity: 448
Merit: 250
1ngldh
May 14, 2012, 01:56:53 PM
#676

Quote
We are returning all balances AND your unrealized P/L. And we are glad to settle at a negative-spread price, i.e. if you have a profitable position, you get even more; if you have a losing position, you lose less.

I have emphasized this more than once. If you are too impatient to read the posts carefully please don't be so angry.

People around here are a bit impatient lol.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
thezerg
Legendary
Activity: 1246
Merit: 1010
May 14, 2012, 02:02:09 PM
#677

Nice to see that the BTC price has barely twitched.  But has it been too stable over the past few months?  Does it signify some large investor with an open buy order at 5 USD?

jixapori
Newbie
Activity: 46
Merit: 0
May 14, 2012, 02:08:45 PM
#678

Quote
We are returning all balances AND your unrealized P/L. And we are glad to settle at a negative-spread price, i.e. if you have a profitable position, you get even more; if you have a losing position, you lose less.

Well, if your db itself was hacked then it was probably altered... don't forget to filter out all the fake accounts/positions before paying people back :)
hatshepsut
Member
Activity: 63
Merit: 10
May 14, 2012, 04:00:11 PM
#679

Quote
We are returning all balances AND your unrealized P/L. And we are glad to settle at a negative-spread price, i.e. if you have a profitable position, you get even more; if you have a losing position, you lose less.

So what happens when we spike up?

like right now?

Are you returning all balances AND our unrealized P/L as if we never had a position to begin with?
jjiimm_64
Legendary
Activity: 1876
Merit: 1000
May 14, 2012, 04:02:57 PM
#680

Quote
We are returning all balances AND your unrealized P/L. And we are glad to settle at a negative-spread price, i.e. if you have a profitable position, you get even more; if you have a losing position, you lose less.

So what happens when we spike up?

like right now?

Are you returning all balances AND our unrealized P/L as if we never had a position to begin with?

4.998    4.99854   is a spike up ??

and here I got all excited when I read your 'spike up post'  just to find out the market moved like 1% from last night!

1jimbitm6hAKTjKX4qurCNQubbnk2YsFw