Bitcoin Forum
November 10, 2024, 12:52:53 PM *
Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation
tvbcof
May 17, 2012, 05:34:00 AM
 #881

How about just ... Not keeping bitcoins on the server?

How bad would it be if all non-trivial withdraws needed up to 24h to be done manually?  Where the platform issued pgp signed and encrypted withdrawal requests that were reviewed and performed manually, offsite?

Well, with any site that needs to send bitcoins back out you need what's known as a hot wallet, i.e., a wallet that ONLY has enough to do day to day business... you set up your software to send excess coins to a cold wallet (offline or otherwise hidden on another machine), and message you if you need to manually transfer from cold to hot.

No one has $90k worth of coins in their hot wallet.

I hope you learned something here today, Mike ;)


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
carlerha
May 17, 2012, 06:27:25 AM
 #882

Is the support@bitcoinica.com address still supposed to be operative? Doesn't seem to be…
casascius
Mike Caldwell
May 17, 2012, 07:33:08 AM
 #883

How about just ... Not keeping bitcoins on the server?

How bad would it be if all non-trivial withdraws needed up to 24h to be done manually?  Where the platform issued pgp signed and encrypted withdrawal requests that were reviewed and performed manually, offsite?

Well, with any site that needs to send bitcoins back out you need what's known as a hot wallet, i.e., a wallet that ONLY has enough to do day to day business... you set up your software to send excess coins to a cold wallet (offline or otherwise hidden on another machine), and message you if you need to manually transfer from cold to hot.

No one has $90k worth of coins in their hot wallet.

Who needs a hot wallet to begin with?

The point I am trying to make is, is it really that bad (from a customer service perspective) if withdrawals aren't immediate?  Why do the withdrawals have to come from the platform in the first place?  Ideally, the platform should not have any private keys on it whatsoever.

Instead, what if the platform simply initiated withdraw requests (messages essentially), which were then carried out manually, automatically, or a little bit of both from some other remote location?  In other words, you press Withdraw on Bitcoinica, and rather than a transaction being emitted from Rackspace hosting, instead a request is e-mailed or otherwise delivered or made available to Zhou, and he funds your withdrawal request completely disconnected from the Bitcoinica platform - from his laptop in his bedroom in his underwear if necessary.  To keep him from getting bogged down by minutiae, the trading platform could emit requests to Zhou, where a script (not running on Rackspace) would auto-approve a certain number of requests under a certain amount, but then wait for him to give the nod to anything bigger.

If the only way for those requests to get from the hosted platform to Zhou were, for example, Zhou or his script logging in over Tor, then nobody would ever be likely to gain access to whatever machine kept all the private keys.  The most they could do is break into the platform and then create bogus requests in the hopes that Zhou would collect them and carry them out without noticing anything amiss.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
DiabloD3
May 17, 2012, 07:45:50 AM
 #884

Who needs a hot wallet to begin with?

The point I am trying to make is, is it really that bad (from a customer service perspective) if withdrawals aren't immediate?  Why do the withdrawals have to come from the platform in the first place?  Ideally, the platform should not have any private keys on it whatsoever.

For example, mtgox makes several thousand transactions a day. I wouldn't want to manually handle that.

Matthew N. Wright
May 17, 2012, 07:52:03 AM
 #885

Who needs a hot wallet to begin with?

They don't. That's why anything in the future will likely use ZipConf instead.

RandyMarsh
May 17, 2012, 07:54:01 AM
 #886

Hi I haven't been following this load of shit, because it's just gotten old, despite the fact that I transferred 1000 USD to my Bitcoinica account literally one hour before shit went down, and I'm now stuck with some 1800 USD on the line and an open long position.

Can somebody please explain to me why we have to claim to get back our... accounts? Bitcoins? USD's? If all that happened was somebody robbed Bitcoinica's money... ??

Thanks in advance to all the wonderful people of this forum, and at the risk of biting the hand that once sort of fed me, Bitcoinica, wtf dudes? at least put up a placeholder page at bitcoinica.com to explain your position, very unprofessional, is this show still being run by a 17 year old? Cause I remember 17, I wasn't a financial wizard, I was in the back of a night club dry humping some girl I barely know.

Stan?! STAN?!?!
DiabloD3
May 17, 2012, 07:59:43 AM
 #887

Who needs a hot wallet to begin with?

They don't. That's why anything in the future will likely use ZipConf instead.

So THAT'S what ZipConf is. Okay.

zhoutong (OP)
May 17, 2012, 08:05:55 AM
 #888

Thanks in advance to all the wonderful people of this forum, and at the risk of biting the hand that once sort of fed me, Bitcoinica, wtf dudes? at least put up a placeholder page at bitcoinica.com to explain your position, very unprofessional, is this show still being run by a 17 year old? Cause I remember 17, I wasn't a financial wizard, I was in the back of a night club dry humping some girl I barely know.

Nope. I wouldn't handle things like this.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
caston
May 17, 2012, 08:14:52 AM
 #889

You wouldn't dry hump a girl in a nightclub?


bitcoin BTC: 1MikVUu1DauWB33T5diyforbQjTWJ9D4RF
bitcoin cash: 1JdkCGuW4LSgqYiM6QS7zTzAttD9MNAsiK

-updated 3rd December 2017
tvbcof
May 17, 2012, 08:27:25 AM
 #890

Thanks in advance to all the wonderful people of this forum, and at the risk of biting the hand that once sort of fed me, Bitcoinica, wtf dudes? at least put up a placeholder page at bitcoinica.com to explain your position, very unprofessional, is this show still being run by a 17 year old? Cause I remember 17, I wasn't a financial wizard, I was in the back of a night club dry humping some girl I barely know.

Nope. I wouldn't handle things like this.

Yikes.  That does not sound too promising.  I wonder if I will lose my entire $9.00 or whatever it was I had in that hole.  How will I survive?

So. Z. Heading back to Singapore?  Seems like the dream destination for a lot of folks, but maybe that's just the old rich ones?


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
RandyMarsh
May 17, 2012, 08:32:43 AM
 #891

Ah hey, sorry I doubted your abilities Z, didn't realise there was a change up in management, in fairness you did an excellent job as far as I can see... I just want my moneys back :(

Stan?! STAN?!?!
JusticeForYou
May 17, 2012, 11:28:14 AM
 #892

How about just ... Not keeping bitcoins on the server?

How bad would it be if all non-trivial withdraws needed up to 24h to be done manually?  Where the platform issued pgp signed and encrypted withdrawal requests that were reviewed and performed manually, offsite?

Well, with any site that needs to send bitcoins back out you need what's known as a hot wallet, i.e., a wallet that ONLY has enough to do day to day business... you set up your software to send excess coins to a cold wallet (offline or otherwise hidden on another machine), and message you if you need to manually transfer from cold to hot.

No one has $90k worth of coins in their hot wallet.

Yep. That's what we do with Liberty Reserve, etc. at our site. Sometimes we might get 30-40K overnight and I don't want to have it laying in there till I wake up. Leave 10K for immediate needs. When the balance goes over 15K the software sends to LR account solely there for cold storage, with no API access, etc.

By the way, your miner kicks ass :)

Explaining the details of your operations might not be a wise thing to do in public.


BadBitcoin (James Sutton)
May 17, 2012, 02:11:54 PM
 #893

Ok, easy fix for you intersango/zhou.

Convert all the btc to mtgox codes, I know how much you guys love your precious btc and would hate to see it converted to dollars, but this is serious, if you have the same amount of money locked up in bitcoinica like I do, I'm going to assume you feel the same way.
Get rid of most of your website, it's going in the trash anyways, no reason to leave things that can be exploited, however keep the login system.

When person A logs in, give them a mtgox code for the valuation of their account in USD, and then you're done, no fancy anti-theft bullshit, just take the site down and facilitate our refunds.

You guys have been pussy footing around for almost an entire week (including the weekends, since I'm going to make the guess that you didn't just take the weekend off after something like this happening.)

If you were a legitimate brick and mortar company, you would have been sued PER DAY that you have not allowed our funds to be withdrawn, now I'm not advocating this, but a certain level of professionalism is what I'd expect from a multi million dollar financial institution (based in the US I might add.)

Now I know a few of you are going to get angry at me over being angry, but I'll make a bet the people angry at me are the ones with next to nothing in their bitcoinica account.
jarsumarsu
May 17, 2012, 02:48:00 PM
 #894

Btw. all those who had a lot of money at bitcoinica had already forgotten this:
https://bitcointalk.org/index.php?topic=33835.msg422420#msg422420
guruvan
May 17, 2012, 03:07:33 PM
 #895

Last night I spoke w/ Yankee (bitinstant) who's assured me that he (whom I trust) is working with bitcoinica (whom I do not) to provide an orderly method of reclaiming funds. Yankee has assured me that bitcoinica does actually have (at least most of) our money and will return it asap - and while currently bitcoinica's word isn't worth the electrons it's printed with, Yankee's is as good as gold to me.

At least now, someone with a clue how to handle money appropriately will be assisting.

I still think that closing out positions at losses is theft. But I guess bitcoinica is still entitled to their profit, right? or does that just make up their losses?

On another note, if bitcoinica closing had ZERO effect on the market, and volume is largely unchanged since their closure......WTF were they doing? They're apparently out of cash after this robbery. If they weren't actively trading (and hedging customer positions) WHERE is the profit from the astronomical spread and predatory (larcenous!) pricing bot? Really? only $18K in 3 months? That smells fishy. Ah well. The whole thing smells rotten to me. But you guys know that.

Thanks again, Yankee.

Zhou Tong, perhaps I was too harsh in directing my words at you - you may well have not deserved any of it, and have been suffering the brunt of something you have no control over. I know you'd have handled this better. (and, that's really saying something that I trust a 17yo guy to be more responsible than a team of adults)


Clipse
May 17, 2012, 03:11:45 PM
 #896

Last night I spoke w/ Yankee (bitinstant) who's assured me that he (whom I trust) is working with bitcoinica (whom I do not) to provide an orderly method of reclaiming funds. Yankee has assured me that bitcoinica does actually have (at least most of) our money and will return it asap - and while currently bitcoinica's word isn't worth the electrons it's printed with, Yankee's is as good as gold to me.

At least now, someone with a clue how to handle money appropriately will be assisting.

I still think that closing out positions at losses is theft. But I guess bitcoinica is still entitled to their profit, right? or does that just make up their losses?

On another note, if bitcoinica closing had ZERO effect on the market, and volume is largely unchanged since their closure......WTF were they doing? They're apparently out of cash after this robbery. If they weren't actively trading (and hedging customer positions) WHERE is the profit from the astronomical spread and predatory (larcenous!) pricing bot? Really? only $18K in 3 months? That smells fishy. Ah well. The whole thing smells rotten to me. But you guys know that.

Thanks again, Yankee.

Zhou Tong, perhaps I was too harsh in directing my words at you - you may well have not deserved any of it, and have been suffering the brunt of something you have no control over. I know you'd have handled this better. (and, that's really saying something that I trust a 17yo guy to be more responsible than a team of adults)


I've asked earlier in the thread, is there any way/evidence that shows bitcoinica actually ever traded on any of the available exchanges, or was it all just shuffling funds internally?

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
imsaguy
May 17, 2012, 03:26:48 PM
 #897

Last night I spoke w/ Yankee (bitinstant) who's assured me that he (whom I trust) is working with bitcoinica (whom I do not) to provide an orderly method of reclaiming funds. Yankee has assured me that bitcoinica does actually have (at least most of) our money and will return it asap - and while currently bitcoinica's word isn't worth the electrons it's printed with, Yankee's is as good as gold to me.

At least now, someone with a clue how to handle money appropriately will be assisting.

I still think that closing out positions at losses is theft. But I guess bitcoinica is still entitled to their profit, right? or does that just make up their losses?

On another note, if bitcoinica closing had ZERO effect on the market, and volume is largely unchanged since their closure......WTF were they doing? They're apparently out of cash after this robbery. If they weren't actively trading (and hedging customer positions) WHERE is the profit from the astronomical spread and predatory (larcenous!) pricing bot? Really? only $18K in 3 months? That smells fishy. Ah well. The whole thing smells rotten to me. But you guys know that.

Thanks again, Yankee.

Zhou Tong, perhaps I was too harsh in directing my words at you - you may well have not deserved any of it, and have been suffering the brunt of something you have no control over. I know you'd have handled this better. (and, that's really saying something that I trust a 17yo guy to be more responsible than a team of adults)


I've asked earlier in the thread, is there any way/evidence that shows bitcoinica actually ever traded on any of the available exchanges, or was it all just shuffling funds internally?

There was a time when I used bitcoinica and I would make a change in one direction or another and I would see 50btc sales/buys hit mtgox at the exact same time.  It could have been coincidence, it could have been them actually passing my order because they had nothing to match against.  Either way, I swore them off a long time ago because of the "funnybusiness" going on.

Coming Soon!™ © imsaguy 2011-2013, All rights reserved.

EIEIO:
https://bitcointalk.org/index.php?topic=60117.0

Shades Minoco Collection Thread: https://bitcointalk.org/index.php?topic=65989
Payment Address: http://btc.to/5r6
hatshepsut
May 17, 2012, 03:32:48 PM
 #898

More importantly, are they going to steal from their customers and force liquidate or are they going to give us our money back in full?  >:(
jgarzik
May 17, 2012, 04:13:40 PM
 #899

Who needs a hot wallet to begin with?

The point I am trying to make is, is it really that bad (from a customer service perspective) if withdrawals aren't immediate?  Why do the withdrawals have to come from the platform in the first place?  Ideally, the platform should not have any private keys on it whatsoever.

Quite true...  In the Real Banking World, my withdrawals from a well known brokerage to a well known US bank can take 24-48 hours, or longer on weekends.

It only seems logical that dealing with large amounts of withdrawals would lead one to introduce delays for the purposes of security.

If you are withdrawing $10,000, it surely seems beneficial to all customers if your withdrawal is delayed a bit to enable additional fraud validations.

The bigger the withdrawal, the larger the validation.  It costs the same for the network to transmit 10 bitcoins as 100,000 bitcoins... but that does not mean that large values should have the same lax security as small values.

Sometimes I think programmers (like myself!) have a mental weakness:  programmers want to treat all customers, all transactions, all $Whatever equally.  Simple rules make coding easier to validate, debug, and run :)

But when you're dealing with money, the simple obvious truth of "more money means more fraud, makes you a bigger target" means a lot of special-case coding and additional business [non-coding] procedures.


Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
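
Added example, not part of any post in this thread and not Bitcoinica's code: a sketch of the off-platform approver casascius describes above (the platform only emits signed requests, a script away from the server approves a limited number of small ones, larger ones wait for a person), with the hold growing with the amount as jgarzik suggests. HMAC-SHA256 stands in for the PGP signature mentioned earlier in the thread; `OffsiteApprover`, the request fields and every threshold are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from decimal import Decimal

# Policy values are assumptions for illustration, not figures from the thread.
AUTO_MAX_AMOUNT = Decimal("5")    # largest single request the script may approve
AUTO_MAX_COUNT = 3                # auto-approvals allowed per review window
AUTO_MAX_TOTAL = Decimal("10")    # total BTC the script may release per window
HOLD_TIERS = [(Decimal("1000"), 48), (Decimal("100"), 24)]  # (min BTC, hold hours)


def sign_request(key: bytes, req: dict) -> str:
    """Platform side: MAC over canonical JSON (stand-in for a PGP signature)."""
    body = json.dumps(req, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


@dataclass
class OffsiteApprover:
    """Runs away from the hosted platform, next to the wallet keys."""
    key: bytes
    seen_ids: set = field(default_factory=set)
    auto_count: int = 0
    auto_total: Decimal = Decimal("0")

    def decide(self, req: dict, tag: str) -> tuple:
        """Return (action, hold_hours, reason) for one withdrawal request."""
        if not hmac.compare_digest(sign_request(self.key, req), tag):
            return ("reject", 0, "signature mismatch")
        if req["id"] in self.seen_ids:
            return ("reject", 0, "request id already processed")
        self.seen_ids.add(req["id"])
        amount = Decimal(req["amount_btc"])
        if amount <= 0:
            return ("reject", 0, "non-positive amount")
        # A valid signature only proves the request came from the platform.
        # If the platform itself is compromised, the caps below are what
        # bound the loss, so they are enforced here and not on the server.
        within_budget = (self.auto_count < AUTO_MAX_COUNT
                         and self.auto_total + amount <= AUTO_MAX_TOTAL)
        if amount <= AUTO_MAX_AMOUNT and within_budget:
            self.auto_count += 1
            self.auto_total += amount
            return ("auto", 0, "small request within window budget")
        hold = next((h for floor, h in HOLD_TIERS if amount >= floor), 0)
        return ("manual", hold, "needs operator approval")

    def reset_window(self) -> None:
        """Operator starts a new review window after checking the queue."""
        self.auto_count, self.auto_total = 0, Decimal("0")


def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample key
    approver = OffsiteApprover(key)
    reqs = [  # constructed sample requests with placeholder addresses
        {"id": "w1", "address": "ADDR-A", "amount_btc": "4"},
        {"id": "w2", "address": "ADDR-B", "amount_btc": "4"},
        {"id": "w3", "address": "ADDR-C", "amount_btc": "4"},
        {"id": "w4", "address": "ADDR-D", "amount_btc": "250"},
        {"id": "w5", "address": "ADDR-E", "amount_btc": "5000"},
    ]
    results = [approver.decide(r, sign_request(key, r)) for r in reqs]
    # Replay of w1, then a request altered after it was signed.
    results.append(approver.decide(reqs[0], sign_request(key, reqs[0])))
    tag = sign_request(key, {"id": "w6", "address": "ADDR-F", "amount_btc": "1"})
    forged = {"id": "w6", "address": "ADDR-X", "amount_btc": "1"}
    results.append(approver.decide(forged, tag))
    return results
```

In the constructed run the third 4 BTC request falls to manual review because it would push the window total past the cap, which is the behaviour that limits a burst of validly signed requests from a compromised platform.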
muyuu
May 17, 2012, 04:14:38 PM
 #900

I still think that closing out positions at losses is theft. But I guess bitcoinica is still entitled to their profit, right? or does that just make up their losses?

Told you so:
LOL. At this point, I no longer care if Bitcoinica returns the funds. I'm taking this up with the authorities, since they're too fucking irresponsible to actually communicate with users in any meaningful way.

You are a keyboard warrior and as such you are going to do fuck all.

More importantly, are they going to steal from their customers and force liquidate or are they going to give us our money back in full?  >:(

LOL good try.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ