[Emergency ANN] Bitcoinica site is taken offline for security investigation

[tvbcof]

How about just ... Not keeping bitcoins on the server?

How bad would it be if all non-trivial withdraws needed up to 24h to be done manually?  Where the platform issued pgp signed and encrypted withdrawal requests that were reviewed and performed manually, offsite?

Well, with any site that needs to send bitcoins back out you need whats known as a hot wallet, ie, a wallet that ONLY has enough to do day to day business... you setup your software to send excess coins to a cold wallet (offline or otherwise hidden on another machine), and message you if you need to manually transfer from cold to hot.

No one has $90k worth of coins in their hot wallet.

I hope you learned something here today, Mike

[carlerha]

Is the support@bitcoinica.com address still supposed to be operative? Doesn't seem to be…

[casascius]

How about just ... Not keeping bitcoins on the server?

How bad would it be if all non-trivial withdraws needed up to 24h to be done manually?  Where the platform issued pgp signed and encrypted withdrawal requests that were reviewed and performed manually, offsite?

Well, with any site that needs to send bitcoins back out you need whats known as a hot wallet, ie, a wallet that ONLY has enough to do day to day business... you setup your software to send excess coins to a cold wallet (offline or otherwise hidden on another machine), and message you if you need to manually transfer from cold to hot.

No one has $90k worth of coins in their hot wallet.

Who needs a hot wallet to begin with?

The point I am trying to make is, is it really that bad (from a customer service perspective) if withdrawals aren't immediate?  Why do the withdrawals have to come from the platform in the first place?  Ideally, the platform should not have any private keys on it whatsoever.

Instead, what if the platform simply initiated withdraw requests (messages essentially), which were then carried out manually, automatically, or a little bit of both from some other remote location?  In other words, you press Withdraw on Bitcoinica, and rather than a transaction being emitted from Rackspace hosting, instead a request is e-mailed or otherwise delivered or made available to Zhou, and he funds your withdrawal request completely disconnected from the Bitcoinica platform - from his laptop in his bedroom in his underwear if necessary.  To keep him from getting bogged down by minutiae, the trading platform could emit requests to Zhou, where a script (not running on Rackspace) would auto-approve a certain number of requests under a certain amount, but then wait for him to give the nod to anything bigger.

If the only way for those requests to get from the hosted platform to Zhou were, for example, Zhou or his script logging in over Tor, then nobody would ever be likely to gain access to whatever machine kept all the private keys.  The most they could do is break into the platform and then create bogus requests in the hopes that Zhou would collect them and carry them out without noticing anything amiss.

[DiabloD3]

Who needs a hot wallet to begin with?

The point I am trying to make is, is it really that bad (from a customer service perspective) if withdrawals aren't immediate?  Why do the withdrawals have to come from the platform in the first place?  Ideally, the platform should not have any private keys on it whatsoever.

For example, mtgox makes several thousand transactions a day. I wouldn't want to manually handle that.

[Matthew N. Wright]

Who needs a hot wallet to begin with?

They don't. That's why anything in the future will likely use ZipConf instead.

[RandyMarsh]

Hi I haven't been following this load of shit, because its just gotten old, despite the fact that I transferred 1000 USD to my Bitcoinica account literally one hour before shit went down, and I'm now stuck with some 1800USD on the line and a open long position.

Can somebody please explain to me why we have to claim to get back our... accounts? Bitcoins? USD's? If all that happened was somebody robbed Bitcoinica's money... ??

Thanks in advance to all the wonderful people of this forum, and at the risk of biting the hand that once sort of fed me, Bitcoinica, wtf dudes? at least put up a place holderpage at bitcoinica.com to explain your position, very unprofessional, is this show still being run by a 17 year old? Cause I remember 17, I wasn't a financial wizard, I was in the back of a night club dry humping some girl I barley know.

[DiabloD3]

Who needs a hot wallet to begin with?

They don't. That's why anything in the future will likely use ZipConf instead.

So THATS what ZipConf is. Okay.

[zhoutong]

Thanks in advance to all the wonderful people of this forum, and at the risk of biting the hand that once sort of fed me, Bitcoinica, wtf dudes? at least put up a place holderpage at bitcoinica.com to explain your position, very unprofessional, is this show still being run by a 17 year old? Cause I remember 17, I wasn't a financial wizard, I was in the back of a night club dry humping some girl I barley know.

Nope. I wouldn't handle things like this.

[caston]

You wouldn't dry hump a a girl in a nightclub?

[tvbcof]

Thanks in advance to all the wonderful people of this forum, and at the risk of biting the hand that once sort of fed me, Bitcoinica, wtf dudes? at least put up a place holderpage at bitcoinica.com to explain your position, very unprofessional, is this show still being run by a 17 year old? Cause I remember 17, I wasn't a financial wizard, I was in the back of a night club dry humping some girl I barley know.

Nope. I wouldn't handle things like this.

Yikes.  That does not sound to promising.  I wonder if I will lose my entire $9.00 or whatever it was I had in that hole.  How will I survive?

So. Z. Heading back to Singapore?  Seems like the dream destination for a lot of folks, but maybe that's just the old rich ones?

[RandyMarsh]

Ah hey, sorry I doubted your abiities Z, didnt realise there was a change up in management, in fairness you did an excellent job as far as I can see... I just want my moneys back

[JusticeForYou]

How about just ... Not keeping bitcoins on the server?

How bad would it be if all non-trivial withdraws needed up to 24h to be done manually?  Where the platform issued pgp signed and encrypted withdrawal requests that were reviewed and performed manually, offsite?

Well, with any site that needs to send bitcoins back out you need whats known as a hot wallet, ie, a wallet that ONLY has enough to do day to day business... you setup your software to send excess coins to a cold wallet (offline or otherwise hidden on another machine), and message you if you need to manually transfer from cold to hot.

No one has $90k worth of coins in their hot wallet.

Yep. That's what we do with Liberty Reserve, etc.. at our site. Sometimes we might get 30-40K  overnight and I don't want to have it laying in there till I wake up. Leave 10K for immediate needs. when the balance goes over 15K the software sends to LR account solely there for cold storage, with no API access, etc.

By the way, your miner kicks ass

Explaining the details of your operations might not be a wise thing to do in public.

[BadBitcoin (James Sutton)]

Ok, easy fix for you intersango/zhou.

Convert all the btc to mtgox codes, I know how much you guys love your precious btc and would hate to see it converted to dollars, but this is serious, if you have the same amount of money locked up in bitcoinica like I do, I'm going to assume you feel the same way.
Get rid of most of your website, its going in the trash anyways, no ereason to leave things that can be exploited, however keep the login system.

When person A logs in, give them a mtgox code for the valuation of their account in USD, and then your done, no fancy anti-theft bullshit, just take the site down and facilitate our refunds.

You guys have been pussy footing around for almost an entire week (including the weekends, since I'm going to make the guess that you didn't just take the weekend off after something like this happening.)

If you were a legitimate brick and mortar company, you would have been sued PER DAY that you have not allowed our funds to be withdrawn, now i'm not advocating this, but a certain level of professionalism is what I'd expect from a multi million dollar financial institution (based in the US I might add.)

Now I know a few of you are going to get angry at me over being angry, but I'll make a bet the people angry at me are the ones with next to nothing in their bitcoinica account.

[jarsumarsu]

Btw. all those who had a lot of money at bitcoinica had already forgotten this:
https://bitcointalk.org/index.php?topic=33835.msg422420#msg422420

[guruvan]

Last night I spoke w/ Yankee (bitinstant) who's assured me that he (whom I trust) is working with bitcoinica (whom I do not) to provide an orderly method of reclaiming funds. Yankee has assured me that bitcoinica does actually have (at least most of) our money and will return it asap - and while currently bitcoinica's word isn't worth the electrons it's printed with, Yankee's is as good as gold to me.

At least now, someone with a clue how to handle money appropriately will be assisting.

I still think that closing out positions at losses is theft. But I guess bitcoinica is still entitled to their profit, right? or does that just make up their losses?

On another note, if bitcoinica closing had ZERO effect on the market, and volume is largely unchanged since their closure......WTF were they doing? They're apparently out of cash after this robbery. If they weren't actively trading (and hedging customer positions) WHERE is the profit from the the astronomical spread and predatory (larcenous!) pricing bot? Really? only $18K in 3 months? That smells fishy. Ah well. The whole thing smells rotten to me. But you guys know that.

Thanks again, Yankee.

Zhou Tong, perhaps I was too harsh in directing my words at you - you may well have not deserved any of it, and have been suffering the brunt of something you have no control over. I know you'd have handled this better. (and, that's really saying something that I trust a 17yo guy to be more responsible than a team of adults)

[Clipse]

Last night I spoke w/ Yankee (bitinstant) who's assured me that he (whom I trust) is working with bitcoinica (whom I do not) to provide an orderly method of reclaiming funds. Yankee has assured me that bitcoinica does actually have (at least most of) our money and will return it asap - and while currently bitcoinica's word isn't worth the electrons it's printed with, Yankee's is as good as gold to me.

At least now, someone with a clue how to handle money appropriately will be assisting.

I still think that closing out positions at losses is theft. But I guess bitcoinica is still entitled to their profit, right? or does that just make up their losses?

On another note, if bitcoinica closing had ZERO effect on the market, and volume is largely unchanged since their closure......WTF were they doing? They're apparently out of cash after this robbery. If they weren't actively trading (and hedging customer positions) WHERE is the profit from the the astronomical spread and predatory (larcenous!) pricing bot? Really? only $18K in 3 months? That smells fishy. Ah well. The whole thing smells rotten to me. But you guys know that.

Thanks again, Yankee.

Zhou Tong, perhaps I was too harsh in directing my words at you - you may well have not deserved any of it, and have been suffering the brunt of something you have no control over. I know you'd have handled this better. (and, that's really saying something that I trust a 17yo guy to be more responsible than a team of adults)

Ive asked earlier in the thread, is there any way/evidence that shows bitcoinica actually ever traded on any of the available exchanges, or was it all just shuffling funds internally?

[imsaguy]

Last night I spoke w/ Yankee (bitinstant) who's assured me that he (whom I trust) is working with bitcoinica (whom I do not) to provide an orderly method of reclaiming funds. Yankee has assured me that bitcoinica does actually have (at least most of) our money and will return it asap - and while currently bitcoinica's word isn't worth the electrons it's printed with, Yankee's is as good as gold to me.

At least now, someone with a clue how to handle money appropriately will be assisting.

I still think that closing out positions at losses is theft. But I guess bitcoinica is still entitled to their profit, right? or does that just make up their losses?

On another note, if bitcoinica closing had ZERO effect on the market, and volume is largely unchanged since their closure......WTF were they doing? They're apparently out of cash after this robbery. If they weren't actively trading (and hedging customer positions) WHERE is the profit from the the astronomical spread and predatory (larcenous!) pricing bot? Really? only $18K in 3 months? That smells fishy. Ah well. The whole thing smells rotten to me. But you guys know that.

Thanks again, Yankee.

Zhou Tong, perhaps I was too harsh in directing my words at you - you may well have not deserved any of it, and have been suffering the brunt of something you have no control over. I know you'd have handled this better. (and, that's really saying something that I trust a 17yo guy to be more responsible than a team of adults)

Ive asked earlier in the thread, is there any way/evidence that shows bitcoinica actually ever traded on any of the available exchanges, or was it all just shuffling funds internally?

There was a time when I used bitcoinica and I would make a change in one direction or another and I would see 50btc sales/buys hit mtgox at the exact same time.  It could have been coincidence, it could have been them actually passing my order because they had nothing to match against.  Either way, I swore them off a long time ago because of the "funnybusiness" going on.

[hatshepsut]

More importantly, are they going to steal from their customers and force liquidate or are they going to give us our money back in full? 

[jgarzik]

Who needs a hot wallet to begin with?

The point I am trying to make is, is it really that bad (from a customer service perspective) if withdrawals aren't immediate?  Why do the withdrawals have to come from the platform in the first place?  Ideally, the platform should not have any private keys on it whatsoever.

Quite true...  In the Real Banking World, my withdrawals from a well known brokerage to a well known US bank can take 24-48 hours, or longer on weekends.

It only seems logical that dealing with large amounts of withdrawals would lead one to introduce delays for the purposes of security.

If you are withdrawing $10,000, it surely seems beneficial to all customers if your withdrawal is delayed a bit to enable additional fraud validations.

The bigger the withdrawal, the larger the validation.  It costs the same for the network to transmit 10 bitcoins as 100,000 bitcoins... but that does not mean that large values should have the same lax security as small values.

Sometimes I think programmers (like myself!) have a mental weakness:  programmers want to treat all customers, all transactions, all $Whatever equally.  Simple rules make coding easier to validate, debug, and run

But when you're dealing with money, the simple obvious truth of "more money means more fraud, makes you a bigger target" means a lot of special-case coding and additional business [non-coding] procedures.

[muyuu]

I still think that closing out positions at losses is theft. But I guess bitcoinica is still entitled to their profit, right? or does that just make up their losses?

Told you so:

LOL. At this point, I no longer care if Bitcoinica returns the funds. I'm taking this up with the authorities, since they're too fucking irresponsible to actually communicate with users in any meaningful way.

You are a keyboard warrior and as such you are going to do fuck all.

More importantly, are they going to steal from their customers and force liquidate or are they going to give us our money back in full? 

LOL good try.