Bitcoin Forum
Author Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation  (Read 224549 times)
repentance
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1000


View Profile
May 25, 2012, 09:43:05 AM
 #1401

All this NDA talk just seems like fancy ways to sound overly important and stall things indefinitely.

My inner voyeur wants to see the logs, but the whole "it wasn't our fault but we can't tell you what really happened because we're sworn to secrecy" line comes across as whiny teenager shit and it's highly unprofessional.  The best way for anyone involved in this clusterfuck to vindicate themselves and restore their reputation is to quickly process claims and ensure that users are compensated as soon as possible.  Arguing about who did what first distracts from that process and it's going to make the Bitcoin community question how professionally Bitcoinica will be run going forward.

While it's great for Tihan to step up and accept responsibility, it's Bitcoin Consultancy who will be operating the business - it doesn't matter a damn if people trust Tihan if they don't trust the people who will be in charge of the organisation's day to day operations.  That they're not picking up the phone and talking to each other is hardly confidence inspiring.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
genjix
Legendary
*
Offline Offline

Activity: 1232
Merit: 1071


View Profile
May 25, 2012, 09:49:02 AM
Last edit: May 27, 2012, 02:29:39 AM by genjix
 #1402

No database backups. Sorry for avoiding the question.

I hoped someone else could clarify this. I don't have all the full details, and would hate to make incorrect statements. I also didn't want to jeopardise efforts to refund people.

From what I gather, there are no backups of the database. Only partial records for accounting which is being used to extrapolate balances. I'm not sure of the exact details, but I think they need a full view of the claims before payouts begin (like a big jigsaw puzzle) to properly cross match records. Hopefully someone better informed will post more details.

zhou: ah, ok. I don't know the exact details and I'll avoid commenting further.
I think Patrick assumed they were not critical hence me saying: "The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.". I do appreciate that several times, you told people I wasn't involved with Bitcoinica in this thread. I always assume good faith which is why I think it was a fatal miscommunication between team members.

bitcoinBullbear: that's fine. It does annoy me a little that people assume that a decentralised system like Bitcoin consists of a single piece of kosher software. bitcoin.org lists several clients. When security flaws were found, me, Mike Hearn and justmoon helped fix problems on the internal security mailing list. justmoon in fact was very instrumental in many cases for clarifying and proposing fixes for BIP 16. There was a long technical history that led to libbitcoin's creation and it has taken 8 months so far.

That picture is funny. I like it.

rjk, nope. Everyone had root. One person was installing a database, another installed Jenkins.

The anger here is justified. If this happened to me, then I would be extremely mad. I was very pissed at MtGox when they had their problems. It sucks to be no better than MtGox.

To the person above, here's what happened:
- Bitcoinica has an internet mailing list called info@bitcoinica.com
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and log in to Rackspace.

The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching, etc. It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then he had access to his emails.

Bitcoinica took us on to help secure them.

We decided it was bad practice to make sudden disruptive changes overnight to a production system. Instead the theory was a very gradual replacing of the system while observing changes. Bitcoinica was already very fragile. I still think that was a good decision.

Step 1 - fix the code.

Flaws were already being found in the code. That was the logical first step. That the environment ended up being exploited is simply hindsight. I would prefer not changing a working environment until after knowing how the code operates. An example is that another website accidentally made out a 500 BTC payment when the file permissions were too strict. Similarly changing an aspect of Bitcoinica without proper insight could have had grave consequences.

First you understand the code. Then you run the code. You experiment with a test system. Make improvements. Deploy changes. Change production environment.

The Bitcoinica plan was to do the above while creating a new platform to replace it in the long term.
vampire
Hero Member
*****
Offline Offline

Activity: 574
Merit: 500



View Profile
May 25, 2012, 09:56:51 AM
 #1403

Per standard practice, Bitcoin Consultancy entered into a non-disclosure agreement which extends to Bitcoinica's proprietary systems and processes. They are free to discuss their role and history with the company.

Hi,

Thank you for this. We are incredibly happy. We will need to clear up some distinctions and make sure the account is in fact Tihan's account. He can do so via confirmation in email or on skype. We also need clarification as to what "role and history mean".

1. Are Bitcoinica Consultancy and its individual members allowed to talk about the security issues and this incident without limitation? Yes/No

The NDA extends to our persons I believe.

Finally, Tihan, people seem to have questions regarding the database.

2. Are we, Bitcoinica Consultancy and its individual members, at liberty to discuss in full detail the nature of the database? Yes/No

3A. Are we, Bitcoinica Consultancy and its individual members, at liberty to release relevant skype logs in full without worry that information in those logs is sensitive? Yes/No

3B. If there is a "No" answer for question 3A, could you specify clearly what we are not allowed to post (for example, content that would violate a user's privacy) and remember to state that the list of restrictions you post is an exhaustive list.

4. Are you willing to take the short steps to nullify any NDA we may have? Yes/No

5. Can we release a full account of the security detail and practices relevant to Bitcoinica's history and this incident? Yes/No



Finally, we can certainly see the semblance of unprofessionality that Bitcoinica Consultancy was resonating. We would like to apologise for having to go to such an extreme. We were urged against making such statements by Tihan and Zhou as they would hurt everyone's reputation, including our own. The circumstances were such that we had no real ability to respond to misinformation and misrepresentation. We full well knew that our immediate reputation would suffer greatly. In matters like this, things often need to get worse before they can get better. However, it seems we will finally be successful in providing full disclosure for everyone. We were talking with Tihan about trying to clear up misrepresentations for a long time and with Zhou as well. Unfortunately, we were not granted the ability to clear up the relevant issues (possibly until now) and Zhou kept making and continues to make false statements and wildly misrepresenting the facts. We are very happy with the turn of events as we are certain that (as long as Tihan's comment wasn't intentionally nondescript or ambiguous) we will be able to set the record straight.


We are not pursuing this matter at the expense of the reclaims process. However, when we have time, we will (in great detail) show that many statements that have been made have been malicious and false.

Please write in simpler English or write in proper English; this post is riddled with mistakes. It's very hard to read. I don't think a lot of people care about the "logs"; such things are open to interpretation. Keep them for courts where they may matter.

Just refund Bitcoinica's customers.

edit: as per genjix's post - now I understand what happened. Complete compromise, all cloud instances were deleted, all up-to-date backups gone. It will take months to refund the customers.
Serge
Legendary
*
Offline Offline

Activity: 1050
Merit: 1000


View Profile
May 25, 2012, 09:58:52 AM
 #1404

Assuming Rackspace has no image backups either?
ribuck
Donator
Hero Member
*
Offline Offline

Activity: 826
Merit: 1039


View Profile
May 25, 2012, 10:04:40 AM
 #1405

Incidentally, this is why I never sign NDAs, even though they are sometimes presented as "standard practice".

(Lots of people don't sign them, actually. If you go to a job interview at Google, you will be asked to sign an NDA. But if you don't sign the NDA, you still get the interview.)

An NDA is not needed when the parties are all acting in good faith. And if one of the parties is not acting in good faith, the NDA can be used to stop the good guys from doing what they should be doing.
Vladimir
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1001




View Profile
May 25, 2012, 10:06:43 AM
 #1406

I personally learned from ribuck to do just that too and advise all others to consider it standard practice to never personally sign any NDAs, ever.
genjix
Legendary
*
Offline Offline

Activity: 1232
Merit: 1071


View Profile
May 25, 2012, 10:08:02 AM
 #1407

I personally learned from ribuck to do just that too and advise all others to consider it standard practice to never personally sign any NDAs, ever.

yeah, that was a mistake on my part.
Serge
Legendary
*
Offline Offline

Activity: 1050
Merit: 1000


View Profile
May 25, 2012, 10:11:02 AM
 #1408

If there are no backups at all, that's a serious blow for all involved; the only viable solution at this point would be to restore account balances based on deposit/withdrawal records (blockchain/MtGox logs/etc.).

good luck!
realnowhereman
Hero Member
*****
Offline Offline

Activity: 504
Merit: 502



View Profile
May 25, 2012, 10:18:02 AM
 #1409

No database backups. Sorry for avoiding the question.

At last.  All is explained.

  • Passwords are gone, so they are no use.
  • 80% of BTC funds are (I assume, please confirm) still under Bitcoinica's control.
  • 100% of USD funds are (I assume, please confirm) still under Bitcoinica's control.
  • The problem is you just have a big pool of money and no way of knowing who owns what.
  • That entirely explains the crappy claims page.
  • That entirely explains the delay in processing claims.
  • For us customers: this isn't perfect news, obviously, but it does at least give us some hope that we haven't lost everything.
  • If the investor really is doing the decent thing and funding the 20% BTC losses out of their own pocket, then we should all appreciate that and let that be an end to all the legal shouting.
  • Certainly no amount of shouting is going to recreate a database that doesn't exist.

In light of some of the above comments, can I reiterate my suggestion to the Bitcoin Consultancy and Zhou Tong?  Stop airing your dirty laundry in public.  Shut up about it right now.  Regardless of whether you feel there's "just one more thing that needs addressing"... button it.  The fastest way to restore your reputations from here (and there is plenty of restoration needed) is to sort the customers out as quickly as possible.  After that is done (and only after), will it be prudent to start your war-of-logs.

I'd also second Vladimir's comment: you really shouldn't be communicating with your business partner using an Internet forum (I would guess you wanted us to be able to appreciate the difficult position you are in: tough luck, keep it to yourselves and take the insults on the chin).  It doesn't inspire confidence that you don't have (a) each other's phone numbers, (b) each other's email addresses, or (c) a good enough relationship that you can talk with each other privately.  Even if (a), (b) or (c) are not true, a professional shouldn't let the customers see how the sausages are made.  Companies are aptly named: you are all one, and letting us see your internal fistfights is extremely damaging.

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
genjix
Legendary
*
Offline Offline

Activity: 1232
Merit: 1071


View Profile
May 25, 2012, 10:38:57 AM
 #1410

  • Passwords are gone, so they are no use.
  • 80% of BTC funds are (I assume, please confirm) still under Bitcoinica's control.
  • 100% of USD funds are (I assume, please confirm) still under Bitcoinica's control.
  • The problem is you just have a big pool of money and no way of knowing who owns what.
  • That entirely explains the crappy claims page.
  • That entirely explains the delay in processing claims.
  • For us customers: this isn't perfect news, obviously, but it does at least give us some hope that we haven't lost everything.
  • If the investor really is doing the decent thing and funding the 20% BTC losses out of their own pocket, then we should all appreciate that and let that be an end to all the legal shouting.
  • Certainly no amount of shouting is going to recreate a database that doesn't exist.

I honestly don't know. Those more involved can hopefully clarify these points. Anything I say would be guesswork.

I'll stop posting now. I've stated everything I know already.
zhoutong (OP)
VIP
Hero Member
*
Offline Offline

Activity: 490
Merit: 502


View Profile WWW
May 25, 2012, 11:02:19 AM
 #1411

I wasn't sure whether talking about the database was even permitted, so I skipped such questions. Now genjix has already said that, because either:

- He didn't communicate much with the rest of the team (i.e. doesn't understand why we are hiding)
Or
- He was granted the right to talk (I don't know)

Throughout the whole event, I have always been following Bitcoinica Consultancy's standard of disclosure. The reason that database deletion was not disclosed is that they were afraid of inaccurate claims that would worsen the losses.

I believe that any claims or claims modifications submitted after this point should be treated as false unless very concrete evidence has been given.

We had automated backups to back up the database and the wallet. During the hacking, I also created an emergency backup to preserve the current database. However, I was misled by one Rackspace support guy who claimed that the hacker "can't do anything" to the servers which are suspended by engineers. All command buttons are disabled. I never noticed the hidden feature to delete the server. (i.e. if you're hacked, they can't log the hacker out; instead, they suspend all the servers so the hacker can't do anything but delete them.)

The hacker later restored the emergency image so he should possess a copy of the database. After that, he deleted all servers and all files in Cloud Files (like S3) including server backups.

It's my fault for not setting up an offline backup schedule. Tihan used to run the accounting reports regularly (which is like offline backups) but he stopped doing so when I created a stats graph generator for him to automate the reporting. The most current record we have is his previous reports. This is my fault.

According to the information I have, returning funds to clients is not impossible. I suggested some ideas but they were rejected by Bitcoinica Consultancy for different reasons. I understand their situation though, and my offer to take over remains open.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
May 25, 2012, 11:06:53 AM
 #1412

I said as much in an earlier post.

The fact that they asked for the things they asked was quite suspicious in regards to having the passwords or not.

BUT, it makes absolute sense that they didn't tell. You cannot tell people that you really don't know exactly what they had. That leads to a very obvious tragedy of the commons kind of situation if everybody starts claiming for more than they really had.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
bulanula
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500



View Profile
May 25, 2012, 11:34:54 AM
 #1413

* Goes to get the popcorn and claim $ 1 million on claims.bitcoinica.com *

What's up?

In all seriousness, how long do you think this will take (months / weeks)?

This is all affecting the price even if I don't have anything in Bitcoinica.
Crypt_Current
Hero Member
*****
Offline Offline

Activity: 686
Merit: 500


Shame on everything; regret nothing.


View Profile
May 25, 2012, 11:39:53 AM
 #1414

* Goes to get the popcorn and claim $ 1 million on claims.bitcoinica.com *

What's up?

In all seriousness, how long do you think this will take (months / weeks)?

This is all affecting the price even if I don't have anything in Bitcoinica.

You don't need anything in Bitcoinica when you just took them for 18K BTC ...

hey man i'm just doing what your sig told me to

10% off at CampBX for LIFE:  https://campbx.com/main.php?r=C9a5izBQ5vq  ----  Authorized BitVoucher MEGA reseller (& BTC donations appreciated):  https://bitvoucher.co/affl/1HkvK8o8WWDpCTSQGnek7DH9gT1LWeV5s3/
LTC:  LRL6vb6XBRrEEifB73DiEiYZ9vbRy99H41  NMC:  NGb2spdTGpWj8THCPyCainaXenwDhAW1ZT
bulanula
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500



View Profile
May 25, 2012, 11:43:41 AM
 #1415

* Goes to get the popcorn and claim $ 1 million on claims.bitcoinica.com *

What's up?

In all seriousness, how long do you think this will take (months / weeks)?

This is all affecting the price even if I don't have anything in Bitcoinica.

You don't need anything in Bitcoinica when you just took them for 18K BTC ...

hey man i'm just doing what your sig told me to

Seems to me the hacker is a small group of people from which an individual should easily be identified.

Why has this not happened? It is not like the hacker was some unknown entity out of the blue.

Read the thread: the only thing I had in the bucket shop is the $1 bonus I got from zhoutong.

Not going to give my info to a bunch of incompetents to get it back anyway.
realnowhereman
Hero Member
*****
Offline Offline

Activity: 504
Merit: 502



View Profile
May 25, 2012, 11:46:04 AM
 #1416

I wasn't sure whether talking about the database was even permitted, so I skipped such questions. Now genjix has already said that, because either:

- He didn't communicate much with the rest of the team (i.e. doesn't understand why we are hiding)
Or
- He was granted the right to talk (I don't know)

I see you're ignoring my (and others) advice to stop airing your internal business disagreements publicly.

Throughout the whole event, I have always been following Bitcoinica Consultancy's standard of disclosure. The reason that database deletion was not disclosed is that they were afraid of inaccurate claims that would worsen the losses.

That's understandable, but irrelevant.  As muyuu points out: the loss of the database had been guessed at (unless you think people were asking about the database backups because they were totally confident it existed?).

I believe that any claims or claims modifications submitted after this point should be treated as false unless very concrete evidence has been given.

I'm afraid that this attitude reveals your naivete on security.  All claims should be treated as false unless concrete evidence is available.  Not "after this point"... all of them.  You don't trust anything or anyone.  What other way is there of running a secure system?

The hacker later restored the emergency image so he should possess a copy of the database. After that, he deleted all servers and all files in Cloud Files (like S3) including server backups.

If only the hacker had lived up to his promise that we should "expect a mass leak", eh?  His copy of that database would come in very handy.  Are you listening Mr Hacker?  Do us all a favour and drop a copy somewhere.  You've had your money; and you've effectively destroyed Bitcoinica's business... now you're just making life for the rest of us difficult.

According to the information I have, returning funds to clients is not impossible. I suggested some ideas but they were rejected by Bitcoinica Consultancy for different reasons. I understand their situation though, and my offer to take over remains open.

To be honest; now that we know what the difficulty is, I really don't see what magic wand you think you can wave to recreate records faster than the Bitcoin Consultancy team.  To me, it seems that this is going to be a matter of a long hard slog of manually reconciling claim requests with deposit and withdrawal records.

Further, despite your wonderboy reputation, it seems that you are more fundamentally at fault (technically) here than Bitcoin Consultancy -- it's true that they left the door open to their own systems, but it's you who have had many months to prepare for and mitigate against disasters and didn't.  Even without considering hackers: what if Rackspace had gone unexpectedly bust?  What if a natural disaster wiped out electricity to their datacentre?  Mistakes in the heat of the moment are forgivable; mistakes made with time available for consideration are less so -- especially when they are easily foreseen mistakes.


1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
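The recovery approach argued for in this thread (Serge's "restore account balances based on deposit/withdrawal records" and the post above's "reconciling claim requests with deposit and withdrawal records", with every claim treated as unsupported until records back it) can be sketched in code. This is an added illustration, not anything Bitcoinica or Bitcoin Consultancy published; the ledger format, the user names, the amounts and the claims below are all constructed, and the six-confirmation threshold is borrowed from the earlier remark about not trusting a transaction before six confirmations.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample ledger (not real Bitcoinica records). Assumption: a partial
# export of deposits/withdrawals survived, each with the on-chain txid and the
# confirmation count at export time.
# Columns: date,kind,user,amount_btc,txid,confirmations
LEDGER_LINES = """\
2012-04-02,deposit,alice,50.0,aaaa1111,120
2012-04-05,withdrawal,alice,10.0,bbbb2222,118
2012-04-07,deposit,bob,25.5,cccc3333,90
2012-05-10,deposit,carol,12.0,dddd4444,3
2012-05-11,withdrawal,bob,5.0,eeee5555,40
"""

# Constructed claims, as users might submit them on a claims page.
CLAIMS = {"alice": 40.0, "bob": 30.0, "carol": 12.0, "dave": 100.0}

MIN_CONFIRMATIONS = 6  # deposits below this are not credited yet


@dataclass
class Entry:
    date: str
    kind: str
    user: str
    amount: float
    txid: str
    confirmations: int


def parse_ledger(text):
    """Parse the constructed CSV ledger; reject unknown entry kinds."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, kind, user, amount, txid, conf = line.split(",")
        if kind not in ("deposit", "withdrawal"):
            raise ValueError(f"unknown entry kind: {kind}")
        entries.append(Entry(date, kind, user, float(amount), txid, int(conf)))
    return entries


def documented_balances(entries, min_conf=MIN_CONFIRMATIONS):
    """Balance per user that the records support. Deposits with fewer than
    min_conf confirmations go into a separate 'pending' bucket; withdrawals
    are always deducted (the conservative choice for the payer)."""
    balances = defaultdict(float)
    pending = defaultdict(float)
    for e in entries:
        if e.kind == "deposit":
            if e.confirmations >= min_conf:
                balances[e.user] += e.amount
            else:
                pending[e.user] += e.amount
        else:
            balances[e.user] -= e.amount
    return dict(balances), dict(pending)


def assess_claims(claims, balances, pending, tolerance=1e-8):
    """Classify each claim against the documented balance. Only a claim the
    records cover is 'supported'; everything else needs further evidence.
    Returns {user: (verdict, amount_payable_now)}."""
    verdicts = {}
    for user, claimed in claims.items():
        if user not in balances and user not in pending:
            verdicts[user] = ("no_records", 0.0)
            continue
        supported = balances.get(user, 0.0)
        if claimed <= supported + tolerance:
            verdicts[user] = ("supported", claimed)
        elif claimed <= supported + pending.get(user, 0.0) + tolerance:
            verdicts[user] = ("pending_deposit", supported)
        else:
            verdicts[user] = ("over_claim", supported)
    return verdicts


if __name__ == "__main__":
    bal, pend = documented_balances(parse_ledger(LEDGER_LINES))
    for user, (verdict, payable) in assess_claims(CLAIMS, bal, pend).items():
        print(f"{user:6} {verdict:16} payable={payable:.1f}")
```

With the constructed data, alice's claim is fully supported, bob over-claims against a documented 20.5 BTC, carol's claim rests on a deposit that had not yet reached six confirmations, and dave has no records at all.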
N12
Donator
Legendary
*
Offline Offline

Activity: 1610
Merit: 1010



View Profile
May 25, 2012, 11:49:03 AM
 #1417

Suggestion:

Offer a 18.5k BTC bounty for whoever releases a copy of the database.
Crypt_Current
Hero Member
*****
Offline Offline

Activity: 686
Merit: 500


Shame on everything; regret nothing.


View Profile
May 25, 2012, 11:49:50 AM
 #1418


Seems to me the hacker is a small group of people from which an individual should easily be identified.

Why has this not happened? It is not like the hacker was some unknown entity out of the blue.


Gooooooooood question; like most good questions though, it needs to be asked more than once or twice.  So yeah I am wondering this as well.

Read the thread: the only thing I had in the bucket shop is the $1 bonus I got from zhoutong.

Not going to give my info to a bunch of incompetents to get it back anyway.

yeah nah dude i've read every letter -- right there with ya.  just joshin' around, munchin' my corn

10% off at CampBX for LIFE:  https://campbx.com/main.php?r=C9a5izBQ5vq  ----  Authorized BitVoucher MEGA reseller (& BTC donations appreciated):  https://bitvoucher.co/affl/1HkvK8o8WWDpCTSQGnek7DH9gT1LWeV5s3/
LTC:  LRL6vb6XBRrEEifB73DiEiYZ9vbRy99H41  NMC:  NGb2spdTGpWj8THCPyCainaXenwDhAW1ZT
realnowhereman
Hero Member
*****
Offline Offline

Activity: 504
Merit: 502



View Profile
May 25, 2012, 11:50:36 AM
 #1419

Suggestion:

Offer a 18.5k BTC bounty for whoever releases a copy of the database.

The database isn't worth 18.5k.  Your suggestion would just add another cost.

A bounty isn't crazy though; enough to cover the cost of the manual work of restoration and perhaps a bit extra for the benefit to goodwill.

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
Crypt_Current
Hero Member
*****
Offline Offline

Activity: 686
Merit: 500


Shame on everything; regret nothing.


View Profile
May 25, 2012, 11:51:51 AM
 #1420

Suggestion:

Offer a 18.5k BTC bounty for whoever releases a copy of the database.

Effectively paying the hacker 36.5K BTC?

well you've been sarcastic about this before.  yes let's pay all the haxors and shorting all teh coinz

10% off at CampBX for LIFE:  https://campbx.com/main.php?r=C9a5izBQ5vq  ----  Authorized BitVoucher MEGA reseller (& BTC donations appreciated):  https://bitvoucher.co/affl/1HkvK8o8WWDpCTSQGnek7DH9gT1LWeV5s3/
LTC:  LRL6vb6XBRrEEifB73DiEiYZ9vbRy99H41  NMC:  NGb2spdTGpWj8THCPyCainaXenwDhAW1ZT