realnowhereman
May 14, 2012, 09:27:02 AM
Thanks for the update.

> Later we found out that Patrick's email server was compromised, and since he is in our mailing list, all emails sent to info@bitcoinica.com were delivered to his compromised email account.

I normally don't go in for mud slinging, but Patrick has history. This is "Patrick the self-proclaimed security expert"? This is "Patrick who released all the emails of Intersango's customer base"?
- How hard is it to secure an email server? Jeez, the days of ten sendmail hacks a month are long behind us.
- Again: emails are postcards; can all you supposed security experts stop treating them as if they are secure point-to-point communications? Why wasn't gpg used for these reset emails?
- What raving lunatic has a password reset system going to a mailing list?
- A "security expert" with a compromised email server doesn't sound good to me. In all the time he was penetration testing all the other exchanges, he couldn't have done a bit to secure his own servers?
- How long has this server been compromised? Is it the Intersango email server? Have all Intersango communications been compromised too?
- Is this more than just an email server? What other services were running on this compromised machine?

> We are now working on a settlement plan. Patrick is in charge of the claim page.

You'll forgive me if, given the current situation, that doesn't inspire me with confidence. So much so, that I think we should all start asking for considerably more detail about how Intersango is organised internally? How much is in the hot wallet there? How is that hot wallet secured? Is Intersango VPS hosted as well? Is it Rackspace too?
1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
zhoutong (OP)
VIP
Hero Member
Offline
Activity: 490
Merit: 502
May 14, 2012, 09:35:04 AM
> Thanks for the update.
>
> > Later we found out that Patrick's email server was compromised, and since he is in our mailing list, all emails sent to info@bitcoinica.com were delivered to his compromised email account.
>
> I normally don't go in for mud slinging, but Patrick has history. This is "Patrick the self-proclaimed security expert"? This is "Patrick who released all the emails of Intersango's customer base"?
> - How hard is it to secure an email server? Jeez, the days of ten sendmail hacks a month are long behind us.
> - Again: emails are postcards; can all you supposed security experts stop treating them as if they are secure point-to-point communications? Why wasn't gpg used for these reset emails?
> - What raving lunatic has a password reset system going to a mailing list?
> - A "security expert" with a compromised email server doesn't sound good to me. In all the time he was penetration testing all the other exchanges, he couldn't have done a bit to secure his own servers?
> - How long has this server been compromised? Is it the Intersango email server? Have all Intersango communications been compromised too?
> - Is this more than just an email server? What other services were running on this compromised machine?
>
> > We are now working on a settlement plan. Patrick is in charge of the claim page.
>
> You'll forgive me if, given the current situation, that doesn't inspire me with confidence. So much so, that I think we should all start asking for considerably more detail about how Intersango is organised internally? How much is in the hot wallet there? How is that hot wallet secured? Is Intersango VPS hosted as well? Is it Rackspace too?

We don't have control over the password reset emails. They are sent by Rackspace. Basically, if you have access to one's email, you have access to all his Rackspace servers and Cloud Files. We use a mailing list for info@bitcoinica.com for an obvious reason: every one of us wants to know about any email sent to this address. We are registering every single web service with this email address. It's like an automatic mail forwarder that forwards to multiple recipients. It's hosted by Google Apps for Business and Patrick is the only external recipient.
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
May 14, 2012, 09:37:51 AM
> Thanks for the update.
>
> > Later we found out that Patrick's email server was compromised, and since he is in our mailing list, all emails sent to info@bitcoinica.com were delivered to his compromised email account.
>
> I normally don't go in for mud slinging, but Patrick has history. This is "Patrick the self-proclaimed security expert"? This is "Patrick who released all the emails of Intersango's customer base"?
> - How hard is it to secure an email server? Jeez, the days of ten sendmail hacks a month are long behind us.
> - Again: emails are postcards; can all you supposed security experts stop treating them as if they are secure point-to-point communications? Why wasn't gpg used for these reset emails?
> - What raving lunatic has a password reset system going to a mailing list?
> - A "security expert" with a compromised email server doesn't sound good to me. In all the time he was penetration testing all the other exchanges, he couldn't have done a bit to secure his own servers?
> - How long has this server been compromised? Is it the Intersango email server? Have all Intersango communications been compromised too?
> - Is this more than just an email server? What other services were running on this compromised machine?
>
> > We are now working on a settlement plan. Patrick is in charge of the claim page.
>
> You'll forgive me if, given the current situation, that doesn't inspire me with confidence. So much so, that I think we should all start asking for considerably more detail about how Intersango is organised internally? How much is in the hot wallet there? How is that hot wallet secured? Is Intersango VPS hosted as well? Is it Rackspace too?

http://bgp.he.net/dns/intersango.com#_whois
http://bgp.he.net/dns/intersango.com#_ipinfo
http://bgp.he.net/dns/intersango.com#_dns
At least you can find who they use for hosting, administrative contact and from where they send their emails... As for the wallet, only they can answer.
muyuu
Donator
Legendary
Offline
Activity: 980
Merit: 1000
May 14, 2012, 09:53:22 AM
That doesn't mean much. Rackspace also offers local unmanaged and colo servers in the UK.
GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D) forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
realnowhereman
May 14, 2012, 10:05:31 AM
> We don't have control over the password reset emails. They are sent by Rackspace. Basically, if you have access to one's email, you have access to all his Rackspace servers and Cloud Files.

Well that's okay then -- it's all rackspace's fault? Ask yourself -- do you think complete access to HSBC's financial computing system can be obtained if you can see one email (bear in mind that a compromised email server is not required to read other people's emails, they travel in plain text through multiple systems)? Would you guess that a virus on the CEO of CitiBank's home laptop would let you transfer all the customer's cash to a Nigerian "prince"? Anyway; it's easy to be wise after the event. I'm more concerned at the ease of attack of the massive financial institutions of Bitcoin; and the apparent non-recognition of a single point of weakness. More importantly though: an inability to learn from the past. How was the Linode theft achieved -- oh yes, by busting into the VPS management account. How was this theft achieved -- busting into the VPS management account. Did anyone there or at Bitcoin Consultancy not think "changing VPS provider doesn't alter the attack vector, we are as vulnerable as we were"? (You had multiple people with the root password -- at the very least you could have demanded that rackspace disable the password reset feature for your account.)
1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
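The point argued back and forth above (a hosting account whose password reset goes to a shared mailing list is reachable from every mailbox on that list, so moving providers changes nothing) can be made concrete with a small recovery-chain model. This is an added example, not code from any poster in this thread or from any of the companies named; every address, mail host, account and asset name in it is constructed for illustration.

```python
"""
Added example (constructed, not from the thread): model an e-mail based
account-recovery chain and answer the defender's questions from the posts
above: who receives a reset e-mail for a hosting account, which single
mailbox or mail host compromise yields that account, and what a provider
side "reset disabled" setting changes.
"""

# Constructed data. Aliases expand to members (aliases may nest); each
# mailbox lives on one mail host; each hosting account has one registered
# reset address (None = provider-side reset disabled) and controls assets.
ALIAS_MEMBERS = {
    "info@example-exchange.test": [
        "alice@example-exchange.test",
        "bob@example-exchange.test",
        "contractor@external-consultancy.test",   # the only external member
    ],
}

MAILBOX_HOST = {
    "alice@example-exchange.test": "hosted-mail.test",
    "bob@example-exchange.test": "hosted-mail.test",
    "contractor@external-consultancy.test": "mail.external-consultancy.test",
}

HOSTING_ACCOUNTS = {
    "cloud-account-A": {
        "reset_address": "info@example-exchange.test",
        "controls": ["web-01", "db-01", "object-storage"],
    },
    "cloud-account-B": {
        "reset_address": None,            # reset feature disabled at the provider
        "controls": ["cold-signer"],
    },
}


def expand_address(address, seen=None):
    """Individual mailboxes an address ultimately delivers to.
    Nested aliases are followed; `seen` guards against alias loops."""
    seen = seen if seen is not None else set()
    if address in seen:
        return set()
    seen.add(address)
    if address not in ALIAS_MEMBERS:
        return {address}
    mailboxes = set()
    for member in ALIAS_MEMBERS[address]:
        mailboxes |= expand_address(member, seen)
    return mailboxes


def reset_recipients(account):
    """Mailboxes that receive a reset e-mail for a hosting account.
    Empty when the provider-side reset is disabled."""
    addr = HOSTING_ACCOUNTS[account]["reset_address"]
    return expand_address(addr) if addr else set()


def single_points_of_failure(account):
    """Each mailbox and mail host whose compromise alone yields the account,
    as a sorted list of (kind, name) pairs."""
    spofs = set()
    for mailbox in reset_recipients(account):
        spofs.add(("mailbox", mailbox))
        spofs.add(("mailhost", MAILBOX_HOST[mailbox]))
    return sorted(spofs)


def exposed_assets_if_compromised(mailhost):
    """Assets reachable from control of one mail host: host -> mailboxes ->
    reset e-mails -> hosting accounts -> the resources they control."""
    owned = {m for m, h in MAILBOX_HOST.items() if h == mailhost}
    exposed = set()
    for account, info in HOSTING_ACCOUNTS.items():
        if reset_recipients(account) & owned:
            exposed.update(info["controls"])
    return sorted(exposed)


def external_recipients(account, own_domain):
    """Reset recipients whose mailbox sits outside the organisation's domain."""
    return sorted(m for m in reset_recipients(account)
                  if not m.endswith("@" + own_domain))


if __name__ == "__main__":
    for acct in HOSTING_ACCOUNTS:
        print(acct, "reset fans out to:", sorted(reset_recipients(acct)))
        print("  single points of failure:", single_points_of_failure(acct))
        print("  external recipients:",
              external_recipients(acct, "example-exchange.test"))
    print("assets exposed via mail.external-consultancy.test:",
          exposed_assets_if_compromised("mail.external-consultancy.test"))
```

Run as a script it lists, for each hosting account, every mailbox the reset reaches and every mail host that therefore counts as a single point of failure. The external consultancy's mail host exposes exactly the same assets as the organisation's own mail host, because both appear in the alias expansion; the account with the reset disabled has no recovery path through e-mail at all, which is the mitigation suggested in the post above.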
jixapori
Newbie
Offline
Activity: 46
Merit: 0
May 14, 2012, 10:17:48 AM Last edit: May 14, 2012, 10:35:03 AM by jixapori
without getting into details, obviously these types of compromises can be nipped in the bud in a properly set up system... too late now...
in any case if people are reimbursed then they have nothing to complain about, if they won't be then I assume they are simply out of luck (unless their funds were somehow insured), there is always risk in finance, nothing special about bitcoins in that regard
BTW just in case someone suddenly gets the urge to open their own bank or something, even just an email system requires multiple dedicated machines and I mean more than one or two or three. you can just forget about gmail, vps providers, etc.
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2349
Eadem mutata resurgo
May 14, 2012, 12:28:02 PM
Good to see the pretenders and lightweights are getting weeded out as need be. Better to go through these kind of stresses, shall we call it 'testing', while the experiment is still beta.
Now anyone who has received 'dirty' coins and wants to give those 'tainted' coins back, if they feel it is the right thing to do, can send them to zhou or who? That weak fungibility is almost worth a bug report or do we need to see it happen a few more times?
caston
May 14, 2012, 12:49:33 PM
I think I can see some Bitcoinica spin-off filling the void. Hey, even vircurex has an open API... why not make an alt-coinica?
bitcoin BTC: 1MikVUu1DauWB33T5diyforbQjTWJ9D4RF bitcoin cash: 1JdkCGuW4LSgqYiM6QS7zTzAttD9MNAsiK
-updated 3rd December 2017
blablahblah
May 14, 2012, 01:05:58 PM
> Good to see the pretenders and lightweights are getting weeded out as need be. Better to go through these kind of stresses, shall we call it 'testing', while the experiment is still beta.
> Now anyone who has received 'dirty' coins and wants to give those 'tainted' coins back, if they feel it is the right thing to do, can send them to zhou or who? That weak fungibility is almost worth a bug report or do we need to see it happen a few more times?

Wasn't 'tainting' a MtGox speciality because of supposed regulatory pressure? I think their own security breach must've left a few scars. Perhaps there's a niche for some kind of decentralised/P2P exchange that the banking cronies can't bully?
guruvan
May 14, 2012, 01:12:06 PM
> I think everyone should keep in mind that the real person/group to be angry with is the hackers, not Bitcoinica. Anyone who is smart enough to figure out how to steal 18K BTC from Bitcoinica is more than smart enough to do honest work. I hope Zhou goes on to have a long successful career while the hackers and other thieves burn in hell.
> Direct your anger towards the hackers!

My anger is directed at the incompetent staff of Bitcoinica, ESPECIALLY their new hires/owners (or w/e the fuck is going on!) My anger is directed at those, who through their incompetence, will make me lose money on my position. You thieves should be returning everyone's money AT THEIR BASE PRICE and eatin shit yourselves, Bitcoinica. You're making your customers eat shit for your negligence and incompetence. Can you say "criminal" or are we too busy congratulating the bitcoinica team members on such a job well done? Sorry, ZT, I don't wish you well until you PAY BACK ALL THE FUCKING MONEY YOU'RE STEALING. Returning my current account balance is BULLSHIT since you're keeping the unrealized P/L. That's actually criminal in most jurisdictions, and I will be pursuing it in mine since bitcoinica has served Americans.
bulanula
May 14, 2012, 01:14:49 PM
> > I think everyone should keep in mind that the real person/group to be angry with is the hackers, not Bitcoinica. Anyone who is smart enough to figure out how to steal 18K BTC from Bitcoinica is more than smart enough to do honest work. I hope Zhou goes on to have a long successful career while the hackers and other thieves burn in hell.
> > Direct your anger towards the hackers!
>
> My anger is directed at the incompetent staff of Bitcoinica, ESPECIALLY their new hires/owners (or w/e the fuck is going on!) My anger is directed at those, who through their incompetence, will make me lose money on my position. You thieves should be returning everyone's money AT THEIR BASE PRICE and eatin shit yourselves, Bitcoinica. You're making your customers eat shit for your negligence and incompetence. Can you say "criminal" or are we too busy congratulating the bitcoinica team members on such a job well done? Sorry, ZT, I don't wish you well until you PAY BACK ALL THE FUCKING MONEY YOU'RE STEALING. Returning my current account balance is BULLSHIT since you're keeping the unrealized P/L. That's actually criminal in most jurisdictions, and I will be pursuing it in mine since bitcoinica has served Americans.

Look at the guy on here called "meelba". He never got anywhere trying to sue Bitcoinica ... Good luck though!
muyuu
Donator
Legendary
Offline
Activity: 980
Merit: 1000
May 14, 2012, 01:23:29 PM
> Returning my current account balance is BULLSHIT since you're keeping the unrealized P/L. That's actually criminal in most jurisdictions, and I will be pursuing it in mine since bitcoinica has served Americans.

Well... this is what I was talking about before. If they don't hurry up and the valuation of BTC swings substantially, they can be looking at a massive amount of damages to pay. Look: those who're losing money on their position will want their loss forfeited since they're forced to close it prematurely. Those who're winning, they'll want the profit. There is no way they can pay that and it will be worse every bit the valuation moves. We are going to need to be reasonable here. At the end of the day it's going to be very hard for you to get anything at all if they call it quits.
GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D) forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
Nyaaan
May 14, 2012, 01:30:42 PM
-18547.66867623? Shouldn't it be just 18547.66867623 (positive coins)? Correct me if I'm wrong or just ignorant.
guruvan
May 14, 2012, 01:39:21 PM
> > Returning my current account balance is BULLSHIT since you're keeping the unrealized P/L. That's actually criminal in most jurisdictions, and I will be pursuing it in mine since bitcoinica has served Americans.
>
> Well... this is what I was talking about before. If they don't hurry up and the valuation of BTC swings substantially, they can be looking at a massive amount of damages to pay. Look: those who're losing money on their position will want their loss forfeited since they're forced to close it prematurely. Those who're winning, they'll want the profit. There is no way they can pay that and it will be worse every bit the valuation moves. We are going to need to be reasonable here. At the end of the day it's going to be very hard for you to get anything at all if they call it quits.

If? Sue? Hell no, why waste my time. The amount of money I will lose is not significant enough to do that. However, since they're keeping money, I do think it's time that the regulatory agencies that they're subject to become informed of this potentially criminal action. TBH, the whole thing looks staged to me. I'm really not buying the story much. I think that this should be investigated by the "proper authorities".
zhoutong (OP)
VIP
Hero Member
Offline
Activity: 490
Merit: 502
May 14, 2012, 01:54:50 PM
> > I think everyone should keep in mind that the real person/group to be angry with is the hackers, not Bitcoinica. Anyone who is smart enough to figure out how to steal 18K BTC from Bitcoinica is more than smart enough to do honest work. I hope Zhou goes on to have a long successful career while the hackers and other thieves burn in hell.
> > Direct your anger towards the hackers!
>
> My anger is directed at the incompetent staff of Bitcoinica, ESPECIALLY their new hires/owners (or w/e the fuck is going on!) My anger is directed at those, who through their incompetence, will make me lose money on my position. You thieves should be returning everyone's money AT THEIR BASE PRICE and eatin shit yourselves, Bitcoinica. You're making your customers eat shit for your negligence and incompetence. Can you say "criminal" or are we too busy congratulating the bitcoinica team members on such a job well done? Sorry, ZT, I don't wish you well until you PAY BACK ALL THE FUCKING MONEY YOU'RE STEALING. Returning my current account balance is BULLSHIT since you're keeping the unrealized P/L. That's actually criminal in most jurisdictions, and I will be pursuing it in mine since bitcoinica has served Americans.

We are returning all balances AND your unrealized P/L. And we are glad to settle at a negative-spread price, i.e. if you have a profitable position, you get even more; if you have a losing position, you lose less. I have emphasized this more than once. If you are too impatient to read the posts carefully, please don't be so angry.
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
May 14, 2012, 01:56:53 PM
> We are returning all balances AND your unrealized P/L. And we are glad to settle at a negative-spread price, i.e. if you have a profitable position, you get even more; if you have a losing position, you lose less.
> I have emphasized this more than once. If you are too impatient to read the posts carefully, please don't be so angry.

People around here are a bit impatient lol.
thezerg
Legendary
Offline
Activity: 1246
Merit: 1010
May 14, 2012, 02:02:09 PM
Nice to see that the BTC price has barely twitched. But has it been too stable over the past few months? Does it signify some large investor with an open buy order at 5 USD?
jixapori
Newbie
Offline
Activity: 46
Merit: 0
May 14, 2012, 02:08:45 PM
> We are returning all balances AND your unrealized P/L. And we are glad to settle at a negative-spread price, i.e. if you have a profitable position, you get even more; if you have a losing position, you lose less.

well if your db itself was hacked then it was probably altered... don't forget to filter out all the fake accounts/positions before paying people back
hatshepsut
Member
Offline
Activity: 63
Merit: 10
May 14, 2012, 04:00:11 PM
> We are returning all balances AND your unrealized P/L. And we are glad to settle at a negative-spread price, i.e. if you have a profitable position, you get even more; if you have a losing position, you lose less.

So what happens when we spike up? Like right now? Are you returning all balances AND our unrealized P/L as if we never had a position to begin with?
jjiimm_64
Legendary
Offline
Activity: 1876
Merit: 1000
May 14, 2012, 04:02:57 PM
> > We are returning all balances AND your unrealized P/L. And we are glad to settle at a negative-spread price, i.e. if you have a profitable position, you get even more; if you have a losing position, you lose less.
>
> So what happens when we spike up? Like right now? Are you returning all balances AND our unrealized P/L as if we never had a position to begin with?

4.998 4.99854 is a spike up?? And here I got all excited when I read your 'spike up' post just to find out the market moved like 1% from last night!
1jimbitm6hAKTjKX4qurCNQubbnk2YsFw