[Emergency ANN] Bitcoinica site is taken offline for security investigation

[shad0wbitz]

The forums where filled with the same hatred towards MtGox when they got hacked and look who is still the most popular exchange. They learnt and improved, so will Bitcoin Consultancy.

LOL People still fucking hate MtGox, and they are loosing volume by the day to other exchangers (btc-e notably, run by a russian scammer/cheater).

Mark though, should be noted, is an honest person (although highly inept), unlike the liars and manipulators at InterSCAMgo.

Making some serious acusations there mate.

Care to back them up ?

Anybody received a claim yet and got his $$$ back or BTC back ?

Why is BTC-E a scam / cheat

I ain't backing up shit palooka. Believe what you will, just as people in this thread believed (or not) when I said that Bitcoin Consultancy OWNED Bitcoinica. I personally don't give two shits if BTC-e becomes the #1 bitcoin exchanger.

I know who "Alexi" is. So those half the people involved at ShadowCrew back in the day. Carders have good memory .

[1714102393]

1714102393

[1714102393]

1714102393

[1714102393]

1714102393

[1714102393]

1714102393

[repentance]

Hi all. I'm making my first post here to offer my heartfelt apology to those affected by the security breach at Bitcoinica.

The investment fund I work with first put money into Bitcoinica because I had identified it as a promising start-up in this exciting space. It is my job to find potential investments and conduct related due diligence. In doing so, I learned a lot about bitcoin trading and Bitcoinica.

Like many early stage companies, Bitcoinica experienced growing pains as its success outgrew the capacity of its initial founder to handle alone. It was I who sought out expanded management to help take Bitcoinica forward.

I chose the Bitcoin Consultancy team due to their early involvement with bitcoin, their experience operating an exchange, and their reputations for expertise in online security. 

Bitcoin Consultancy was first retained to perform a comprehensive security audit on March 27 and they became owners and operators of Bitcoinica LP on April 24. As General Partner, they have exclusive legal authority to manage the company.

Because their time with the company is relatively short, the present situation is especially challenging. Zhou Tong has continued to assist in an unofficial capacity. I've offered what insights I can based on my knowledge of the business. In spite of the challenges, I know the Bitcoin Consultancy team would like to bring about the best possible outcome.

Per standard practice, Bitcoin Consultancy entered into a non-disclosure agreement which extends to Bitcoinica's proprietary systems and processes. They are free to discuss their role and history with the company.

For those who wish to blame someone, blame me. Perhaps if I'd pushed for expanded management sooner or in a different way, the incident might have been avoided.

For avoidance of confusion, I wish to reiterate Bitcoinica Consultancy's prior statement: Mr. Heaslip is an accounting professional who assisted with company formation. He has his own business interests in New Zealand which are otherwise unrelated. I have facilitated investments in dozens of other companies, including some in the bitcoin space. Those companies are also unrelated.

I’m unable to follow most public postings here, but you can reach me through this forum by private message. Questions about processing of funds should be directed to Bitcoin Consultancy as they alone control that process.

I've advised Bitcoin Consultancy to focus their efforts on processing claims rather than public debate. Please extend them your continued patience.

So was Core Credit essentially a shelf company which no longer had any involvement with Bitcoinica when the hack happened?  This seems unlikely given that Core Credit's bank account was being used for wire transfers on 5 May.  Has another party/entity assumed Mr Heaslip's stake in Core Credit/Bitcoinica?

[Vladimir]

repentance, Mr Heaslip is most likely simply a nomini shareholder and director. This means that Bitcoinica LP general partner decided to pay extra 1000-2000 a year to obfuscate who is indeed General Partner of Bitcoinica LP.

This also means that we do not know exactly who is General Partner is and when it changes. It could be any kind of a chain of offshore trusts and companies for all we know.

[moneta]

I have about 700 BTC in bitcoinica. I will be willing to sell this debt to anyone for a reasonable price. Need the BTC to be in play right now.

You can create a bond on GLBSE with a face value of 700 BTC. You will pay the nominal amount if and when Bitcoinica release your funds. You can auction the bond so that you will get whatever the market thinks the debt is worth.

This would be very interesting, since the price of the bond should approximate whatever the market thinks is the probability of Bitcoinica refunding their customers. Prediction market on GLBSE!

[repentance]

repentance, Mr Heaslip is most likely simply a nomini shareholder and director. This means that Bitcoinica LP general parhner decided to pay extra 1000-2000 a year to obfuscate how is indeed General Partner of Bitcoinica LP.

This also means that we do not know exactly who is General Partner is and when it changes. It could be any kind of a chain of offshore trusts and companies for all we know.

It still looks like Core Credit is a shelf company, though - there've been no constitution documents lodged.  While it's not uncommon for accountants to set up enterprises in the way you've described, ownership is often transferred down the track because for as long as the accountant or lawyer remains an office-bearer in the company they still have legal liability for its actions (and risk professional sanctions if they don't exercise appropriate oversight).  Heaslip's speciality is taxation, and Bitcoin related businesses certainly have plenty of reasons to structure their enterprises in a manner which minimises any tax burden.  Bitcoin is also fraught with fraud, AML and CTF risks and it would be risky for any accountant to put themselves in a position of liability for such risks if they didn't intend to play any role in ensuring compliance in those areas.  Being a nominal director doesn't exempt you from legal liability.

[Vladimir]

you have missed that he is also a sole shareholder

[zhoutong]

Full Disclosure: I AM (or is it I'm?) NOT A WORDSMITH!

But I know grammatical errors when I see/read them and I'm seeing/reading a hell of a lot them in all these official/nonofficial posts. It's like I'm reading shit written by young adults who don't have a rudimentary command of the English language but keep trying their damndest to come across as educated blokes. Now, I'm not necessarily speaking of Zhou, for obvious reasons, but I feel (not sure) that his writting style has changed, as if somebody else is posting in his name. Reason I say this is because I've read words of which he's spelled correctly in the past, coupled with his current delivery seems odd (to me).

Forgive me if this has already been address, but I'm now only catching up, about nine pages out.

Back to reading this CF.

~Bruno~

After I moved to Australia, I changed the computer language to Australian English and my Mac autocorrected everything for me. It's handy when I need to write essays and business documents.

I always use American spelling online, but I didn't bother to change the settings or manually correct the spelling.

So I hope this explains something.

[rdponticelli]

Can anybody involved setup a communication thread where we can have some information without so much noise?

[shad0wbitz]

After I moved to Australia, I changed the computer language to Australian English and my Mac autocorrected everything for me. It's handy when I need to write essays and business documents.

I always use American spelling online, but I didn't bother to change the settings or manually correct the spelling.

So I hope this explains something.

Actually Bruno might be onto something. It kinda seems your English got a million times better overnight, and I am talking about sentence construction and structure, not just grammar.

[bitcoinBull]

-Are there any backups left?: Is the database intact?

This is the key question. The following is pure speculation.

I'm speculating that there were and are no offsite backups of the database. This would make the claim process nearly impossible (or maybe there is one but it is old, and the older it is the more difficult the claims process). (the hacker is probably submitting claims for each account from various IP addresses, just for lulz). If there were a backup of the database, users could claim their funds simply and quickly using their passwords, which were securely encrypted in the database. (there is of course the possibility of complications making this more difficult, eg if the hacker captured some passwords in plaintext before deleting the database).

If there is no recent offsite database backup is zhou's fault and he knows it, but he is doing damnedest to throw mud at Bitcoin Consultancy and save his ego. If he made no offsite backup could be blamed on his plain-as-day arrogance (why boast that he made the site in four days?) combined with lack of experience (after all, the Linode theft wasn't his fault but at the same could have been prevented had he done sufficient contingency planning).

Of course, Bitcoin Consultancy shares equal blame and the mud sticks. I've had my doubts about them ever since I first heard them claiming to be "core bitcoin developers" (I found precisely one commit by genjix to the satoshi client code, and it was a bash script). Refactoring the satoshi client into libbitcoin wouldn't exactly be easy, but a more productive (and difficult) project would've been bitcoinjs. Patrick may be able to find some vulnerabilities, but he didn't secure his own mail server. Also funky that he would offer a bounty to fix a bug in 80 lines of javascript because he is "not interested in chasing bugs in something I'm not familiar with". Aside from creating and operating Intersango (which by itself is commendable, obviously), they haven't done much to inspire confidence that they can handle running bitcoinica (quite the opposite recently).

One optimistic possibility is that Zhou did make an offsite backup, but he is not sharing it with Bitcoin Consultancy out of pure anger and spite at their fuck-up (Patrick not securing his own e-mail). If he has one, that would make it easy to for him to process claims (they probably do have plenty of coin in cold storage).

If he already shared it with Bitcoin Consultancy, god knows why they are dragging their feet in such an incredibly lame way instead of just processing the claims. (maybe they thought they could buy time so they can re-launch the site before users withdraw their claims and deposit them with competitors supposedly launching soon).

[repentance]

-Are there any backups left?: Is the database intact?

This is the key question. The following is pure speculation.

I'm speculating that there were and are no offsite backups of the database. This would make the claim process nearly impossible (or maybe there is one but it is old, and the older it is the more difficult the claims process). (the hacker is probably submitting claims for each account from various IP addresses, just for lulz). If there were a backup of the database, users could claim their funds simply and quickly using their passwords, which were securely encrypted in the database. (there is of course the possibility of complications making this more difficult, eg if the hacker captured some passwords in plaintext before deleting the database).

If there is no recent offsite database backup is zhou's fault and he knows it, but he is doing damnedest to throw mud at Bitcoin Consultancy and save his ego. If he made no offsite backup could be blamed on his plain-as-day arrogance (why boast that he made the site in four days?) combined with lack of experience (after all, the Linode theft wasn't his fault but at the same could have been prevented had he done sufficient contingency planning).

There's other weird stuff going on which may or may not involve Bitcoin Consultancy.  The WBX website has been revised and references to the founder and external parties other than Intersango and Bitcoin Consultancy have been removed.  The founder is now claiming that

i have been advised the current database has been erased this happened last week

There is no mention of how the database came to be erased or who was in control of it when it was erased.  Andre admits to having no control over the exchange site any more but he offers no information about who does have that control or when he relinquished it.  If Bitcoin Consultancy is not actively involved with WBX, it would be in their best interests to publicly say so at this point.

[genjix]

Of course, Bitcoin Consultancy shares equal blame and the mud sticks. I've had my doubts about them ever since I first heard them claiming to be "core bitcoin developers" (I found precisely one commit by genjix to the satoshi client code, and it was a bash script). Refactoring the satoshi client into libbitcoin wouldn't exactly be easy, but a more productive (and difficult) project would've been bitcoinjs. Patrick may be able to find some vulnerabilities, but he didn't secure his own mail server. Also funky that he would offer a bounty to fix a bug in 80 lines of javascript because he is "not interested in chasing bugs in something I'm not familiar with". Aside from creating and operating Intersango (which by itself is commendable, obviously), they haven't done much to inspire confidence that they can handle running bitcoinica (quite the opposite recently).

This is so stupid and retarded.

There are 2 full implementations of the Bitcoin protocol, and I wrote one from scratch in C++: https://gitorious.org/libbitcoin

bitcoin-js is unmaintained, and BitCoinJava is a lightclient. I also wrote the first alternative frontend GUI: https://gitorious.org/freecoin and worked with jaromil on many freecoin improvements. I wrote most of the Wiki pages like the Getting started and PHP developer intro: https://en.bitcoin.it/wiki/Main_Page as well as largely writing the original Bitcoin Wikipedia page. That's before I started libbitcoin as a way for developers to easily make alternative Bitcoin clients. I'm also a contributor to Electrum: https://gitorious.org/electrum/server and was one of the people (along with slush and ThomasV) to define the Stratum spec used in it. I am also responsible for the BIP (Bitcoin Improvement Proposal) process: https://en.bitcoin.it/wiki/Bitcoin_Improvement_Proposals (see the title), and have authored 4 BIPs.

What have you done?

I organised the conference, and have written a plethora of articles and tutorials for the community on Bitcoin Media like this. I also helped write the initial stock exchange client for GLBSE and started many other Bitcoin projects that are defunct now but all released as OpenSource including the early version of Intersango - Britcoin. Ironically releasing the source for Britcoin hurt us as people assumed we were connected to third parties that used our software like WBX. We also hired and paid people from the community, and put our own money into growing Bitcoin (and still are). For instance, the conference lost us money and other Bitcoin projects or people we paid went nowhere.

[genjix]

To the person above, here's what happened:
- Bitcoinica has an internet mailing list called info@bitcoinica.com
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and login to rackspace.

The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching .etc It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then had access to his emails.

[bitcoinBull]

What have you done?

Nothing. I didn't mean to belittle all that you've done and accomplished, so sorry if it comes across that way.

My only quibble is that seems overstated and exaggerated at times. Your claim to have written a second implementation of the bitcoin protocol "from scratch" is arguable (I highly doubt that you wrote libbitcoin without referencing anything but Satoshi's whitepaper, but I don't care enough to perform code analysis/comparison with the satoshi client under gavin's management). And to nitpick even further, a couple lines of bash script included in the bitcoin core project doesn't quite qualify one as a core bitcoin developer, strictly speaking, to my mind. That is all.

To the person above, here's what happened:
- Bitcoinica has an internet mailing list called info@bitcoinica.com
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and login to rackspace.

The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching .etc It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then had access to his emails.

Thank you genjix. This honesty and forwardness is what inspires confidence.


Now, how about the bitcoinica user database? Are there any copies?


EDIT: one additional note just because, with this new disclosure, I do agree with genjix's original post that Zhou was dragging their name through the mud. Everyone remember zhou's original excuse for losing the 40k BTC in the Linode compromise? It was because "the ruby gem didn't support wallet encryption". Zhou has a lot more to learn to than he likes to admit.

[shad0wbitz]

Nothing. I didn't mean to belittle all that you've done and accomplished, so sorry if it comes across that way.

Nah, don't apologize. These three desperados didn't do much other than some brilliant marketing on themselves. Oh, and lie about them being general partners of Bitcoinica. Oh and also take down their shitty "Bitcoin Consultancy" website to cover their asses.

They are the three stooges of the Bitcoin world as they clearly demonstrated by their inefficacy and the multiple retarded posts on this thread.

[CleverMiner]

Nothing. I didn't mean to belittle all that you've done and accomplished, so sorry if it comes across that way.

Nah, don't apologize. These three desperados didn't do much other than some brilliant marketing on themselves. Oh, and lie about them being general partners of Bitcoinica. Oh and also take down their shitty "Bitcoin Consultancy" website to cover their asses.

They are the three stooges of the Bitcoin world as they clearly demonstrated by their inefficacy and the multiple retarded posts on this thread.

+i
Tired of you.

[zhoutong]

To the person above, here's what happened:
- Bitcoinica has an internet mailing list called info@bitcoinica.com
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and login to rackspace.

The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching .etc It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then had access to his emails.

Patrick requested him to be added because he wanted to reset server root passwords. And he did receive several email reset confirmations. Whether the email is his personal email or work email, it shouldn't matter. It's the same email that he use to receive the confirmations and all Bitcoinica sensitive emails.

The attacker didn't think the email account was a big deal either, until he saw the password reset confirmations. The hacker then found out the Rackspace Cloud username "bitcoinica" using the "forgot username" option, which means that the hacker didn't even initially realise the association between bitcoinica and the hacked email account.

EDIT:

I didn't blame Patrick for the email compromise. It's the hacker's fault, not his.

But Donald and Amir keep mentioning that the access control system is improper. Patrick is the only guy in Bitcoinica Consultancy who had access to critical data. I didn't give the permission to anyone else. And I didn't get compromised either.

If I was adding everyone to the mailing list, that would be unacceptable. But I added patrick@bitcoinconsultancy.com (which he told me), and you're telling me I should treat it as personal email and non-critical.

[bitcoinBull]

the plot thickens. 

Will somebody just admit whether there is a backup of the user database or not?

Man up zhou.

[fcmatt]

To the person above, here's what happened:
- Bitcoinica has an internet mailing list called info@bitcoinica.com
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and login to rackspace.

The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching .etc It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then had access to his emails.

You gave out root access to vps? Attacker uses su to be your username and then simply
 ssh into email server? But as reg user cannot read everyones email...
Or you put root ssh key on email server which allowed full ownage of email server combined
With giving out root access? You trust people on irc or this forum?

The fail is great with this situation. Figures this hack took no real skills. It is rare person who can code 0day and if
They could you can sell it for same amount stolen in hack if 31337 elite linux remote root on popular daemon
Like apache or email daemon.

[shad0wbitz]

the plot thickens. 

Will somebody just admit whether there is a backup of the user database or not?

Man up zhou.

There is NO BACKUP. Think about this: PASSWORDS WERE SALTED. There was NO NEED for a claim form. They could have let the users simply login into their account to authenticate.

Not to mention those users using google authenticator.

The form is there because there is jack shit in terms of data.