chsados
May 26, 2012, 02:44:40 AM
> So how about starting a wiki on the framework for recoverable and resilient systems? For instance, binlogging to an encrypted disk on a server in a different datacenter, because that would fix issues with deleted databases. And HSM devices or some equivalent for storing private keys. And daily and hourly backups to systems outside of the core network. Encrypted of course. What other ideas do people have?
>
> Reason there isn't a consolidated resource is because people and companies make a lot of money in the computer security sector. You can find a lot of good information piecemeal but the "how" of putting it all together has extra value from the hoarding of that knowledge.
>
> Very true. And, the "how" often changes so rapidly that maintaining a comprehensive resource on it is not workable. What I want to see is a list of minimum standards that should be expected from businesses dealing with our money. Simply a framework of technologies that you have to stir together in the right proportions, and a list of potential consequences of omitting one or more of them.
>
> You are describing financial regulations, for that you should deal with financially regulated companies. I personally have no wish to see BTC taken over by any government's financial framework.
>
> It's a tough problem, imo this is a great opportunity to see if open sourcing security completely would actually be effective. If the whole process is completely transparent then people can decide for themselves whether to use a BTC service.

Well, wouldn't the open source nature of the bitcoin protocol be somewhat similar? The bitcoin protocol is out there for anyone to view. Why can't there be a wiki style of tested and proven security methods?
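The backup regime the quoted post proposes (hourly and daily copies, encrypted, held outside the core network) is only worth anything if somebody regularly checks that the copies exist, are readable and still match what was written. The following is an added example and not code from anyone in this thread: it audits a backup manifest against what is actually readable at each site and reports gaps, corruption and copies that only live in the primary datacenter. The manifest format, the retention numbers, the site names dc1/dc2/s3 and the sample data are all assumptions constructed for illustration; encryption is assumed to happen before a copy is shipped and is not shown here.

```python
"""Audit of an off-site backup regime.  Added example, not code from the
thread; manifest layout, policy numbers and fixture data are assumptions."""
import hashlib
from datetime import datetime, timedelta

# Assumed policy: hourly copies for the last 24 h and daily copies for the
# last 7 days, each held at >= 2 sites that are NOT the primary datacenter,
# with the SHA-256 recorded when the backup was taken.
HOURLY_WINDOW = timedelta(hours=24)
DAILY_WINDOW = timedelta(days=7)
MIN_OFFSITE_COPIES = 2
PRIMARY_SITE = "dc1"
FIXTURE_NOW = datetime(2012, 5, 26, 12, 0)  # constructed "current time"


def audit_backups(manifest, blobs, now):
    """Return a list of findings; an empty list means the regime is intact.

    manifest: list of {"name", "kind", "taken": datetime, "site", "sha256"}
    blobs:    {(site, name): bytes} -- what is actually readable at each site
    """
    findings = []
    intact = {}  # (kind, taken) -> set of off-site sites holding a verified copy
    for m in manifest:
        data = blobs.get((m["site"], m["name"]))
        if data is None:
            findings.append(f"missing: {m['site']}/{m['name']}")
            continue
        if hashlib.sha256(data).hexdigest() != m["sha256"]:
            findings.append(f"corrupt: {m['site']}/{m['name']}")
            continue
        if m["site"] == PRIMARY_SITE:
            continue  # a copy in the same blast radius is not an off-site copy
        intact.setdefault((m["kind"], m["taken"]), set()).add(m["site"])

    # Walk every expected slot in each window and count distinct off-site
    # sites that hold a verified copy taken within that slot.
    for kind, window, step in (("hourly", HOURLY_WINDOW, timedelta(hours=1)),
                               ("daily", DAILY_WINDOW, timedelta(days=1))):
        slot = now
        while slot > now - window:
            sites = set()
            for (k, taken), held_at in intact.items():
                if k == kind and slot - step < taken <= slot:
                    sites |= held_at
            if len(sites) < MIN_OFFSITE_COPIES:
                findings.append(f"{kind} gap at {slot.isoformat()}: "
                                f"{len(sites)} off-site copies")
            slot -= step
    return findings


def make_fixture(now):
    """Constructed sample data: a healthy regime with two deliberate faults
    (one hourly copy corrupted at dc2, one hour never shipped to s3)."""
    manifest, blobs = [], {}

    def add(kind, taken, site, corrupt=False):
        name = f"{kind}-{taken.strftime('%Y%m%dT%H%M')}.sql.gz"
        payload = f"binlog {kind} {taken.isoformat()}".encode()
        manifest.append({"name": name, "kind": kind, "taken": taken,
                         "site": site,
                         "sha256": hashlib.sha256(payload).hexdigest()})
        blobs[(site, name)] = payload + (b"\x00" if corrupt else b"")

    for h in range(24):
        taken = now - timedelta(hours=h)
        add("hourly", taken, "dc1")  # local copy: present but does not count
        add("hourly", taken, "dc2", corrupt=(h == 2))
        if h != 5:
            add("hourly", taken, "s3")
    for d in range(7):
        taken = now - timedelta(days=d)
        add("daily", taken, "dc2")
        add("daily", taken, "s3")
    return manifest, blobs


if __name__ == "__main__":
    for finding in audit_backups(*make_fixture(FIXTURE_NOW), FIXTURE_NOW):
        print(finding)
```

Run as-is it reports the corrupted dc2 copy and the two hours that are left with a single off-site copy; the local dc1 copies never count, which is the point of the "outside the core network" requirement. The same walk can be driven by real manifests written at backup time, with the blob map replaced by reads from each site.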
DiabloD3
Legendary
Offline
Activity: 1162
Merit: 1000
DiabloMiner author
May 26, 2012, 03:49:38 AM
> So how about starting a wiki on the framework for recoverable and resilient systems? For instance, binlogging to an encrypted disk on a server in a different datacenter, because that would fix issues with deleted databases. And HSM devices or some equivalent for storing private keys. And daily and hourly backups to systems outside of the core network. Encrypted of course. What other ideas do people have?
>
> Reason there isn't a consolidated resource is because people and companies make a lot of money in the computer security sector. You can find a lot of good information piecemeal but the "how" of putting it all together has extra value from the hoarding of that knowledge.
>
> Very true. And, the "how" often changes so rapidly that maintaining a comprehensive resource on it is not workable. What I want to see is a list of minimum standards that should be expected from businesses dealing with our money. Simply a framework of technologies that you have to stir together in the right proportions, and a list of potential consequences of omitting one or more of them.
>
> You are describing financial regulations, for that you should deal with financially regulated companies. I personally have no wish to see BTC taken over by any government's financial framework.
>
> It's a tough problem, imo this is a great opportunity to see if open sourcing security completely would actually be effective. If the whole process is completely transparent then people can decide for themselves whether to use a BTC service.

Not even government based, but just a wiki somewhere. Many of the FIPS-140-2 guidelines are extremely applicable though. If you're just talking about data storage, there are commercially available FIPS-140-2 level 3 devices that can be unlocked under Linux such as IronKey: http://www.imation.com/en-US/Mobile-Security/Mobile-Security-Products/Secure-Data/ (the S200 series is SLC, D200 is MLC, and Enterprise includes remote wipe next time it's plugged in, performed by the unlocking software).
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
May 26, 2012, 03:51:56 AM
That's cool, I'd heard of them but didn't realize they were level 3 certified. Maybe I should get one to play with.
World
May 26, 2012, 07:39:39 AM
> Well, wouldn't the open source nature of the bitcoin protocol be somewhat similar? The bitcoin protocol is out there for anyone to view. Why can't there be a wiki style of tested and proven security methods?

https://en.bitcoin.it/wiki/Securing_online_services
Supporting people with beautiful creative ideas. Bitcoin is because of the developers,exchanges,merchants,miners,investors,users,machines and blockchain technologies work together.
repentance
May 26, 2012, 08:03:05 AM
From a previous Hacker News thread, in which zhoutong participated:

> There are no probable outcomes where you do not end up having to explain where thousands of dollars of other people's money went to some angry people.

http://news.ycombinator.com/item?id=2974770
All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
disclaimer201
Legendary
Offline
Activity: 1526
Merit: 1001
May 26, 2012, 09:39:42 AM
> ...Bitcoinica Memorial Day anyone, when we remember those brave & contagious souls who risked their all in a dodgy margin trading scheme, we recall those funds that were for ever lost, mislaid or indefinitely detained without due process, we vow never to repeat such a madness ever again, or at least not until Kronos.io opens for business next week

Who would be crazy enough to put another Satoshi into Kronos.io after what happened to the most renowned trading platform out there??? For all I care such hacks could be staged and there could be the same secret investors opening the same page under a new name preparing for the same heist once again. It's obviously untrue but are people truly so naive to think they can be successful now with the same business model, after what just happened TWICE, and with a solution for full security yet to be found???

+1 btw for handing over all claims to Zhoutong ASAP; at least the kid has some kind of a strategy to deal with refunds even though he deceived us about Bitcoinica's ownership for a long time.
repentance
May 26, 2012, 09:55:03 AM
Did the hacker also retrieve the username using the compromised email account? You need the username in order to reset the password for cloud hosting services, and you need the account number/username to reset the password for managed services.
zhoutong (OP)
VIP
Hero Member
Offline
Activity: 490
Merit: 502
May 26, 2012, 10:23:54 AM
> Did the hacker also retrieve the username using the compromised email account? You need the username in order to reset the password for cloud hosting services, and you need the account number/username to reset the password for managed services.

The hacker didn't know anything about Bitcoinica. He first requested the username, then requested a password reset. I have to say that Rackspace Cloud's security protection for customers is not very up to standard: you can re-use the password reset link after it's already been used! And password changes don't have any effect on the sessions. (Usually everyone should be logged out once there's a password change, but it didn't happen at all.) I'm not blaming Rackspace here. Just a kind warning to those who wish to use them for anything serious.
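The two weaknesses described above (a reset link that still works after it has been used, and a password change that leaves existing sessions alive) are both cheap to get right. The following is an added example, not code from Bitcoinica, Rackspace or anyone in this thread: reset tokens are random, stored only as a hash, expire, and are consumed on first use; every session records the "generation" of the account's password, so a password change (including one made through a reset) logs out every session issued before it, an attacker's included. The in-memory stores, the 15-minute link lifetime, the PBKDF2 parameters and the user names are assumptions chosen for illustration.

```python
"""Single-use, expiring password-reset tokens and session invalidation on
password change.  Added example, not code from Bitcoinica, Rackspace or
anyone in this thread; the in-memory stores, the 15-minute link lifetime
and the PBKDF2 parameters are assumptions chosen for illustration."""
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60      # seconds a reset link stays valid (assumed policy)
PBKDF2_ROUNDS = 100_000  # assumed; tune to your hardware


class AccountStore:
    def __init__(self):
        self.users = {}     # username -> {"pw_hash": bytes, "session_gen": int}
        self.resets = {}    # sha256(token) -> {"user", "expires", "used"}
        self.sessions = {}  # session id -> {"user", "gen"}

    @staticmethod
    def _hash_pw(password, salt=None):
        salt = salt or secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return salt + digest

    @staticmethod
    def _token_key(token):
        # Only a hash of the token is stored: reading the database (or a
        # leaked backup of it) does not yield a usable reset link.
        return hashlib.sha256(token.encode()).hexdigest()

    def create_user(self, user, password):
        self.users[user] = {"pw_hash": self._hash_pw(password), "session_gen": 0}

    def check_password(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec["pw_hash"][:16], rec["pw_hash"][16:]
        return hmac.compare_digest(self._hash_pw(password, salt)[16:], digest)

    def login(self, user, password):
        if not self.check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        # Every session remembers the password generation it was issued under.
        self.sessions[sid] = {"user": user, "gen": self.users[user]["session_gen"]}
        return sid

    def session_valid(self, sid):
        s = self.sessions.get(sid)
        return s is not None and s["gen"] == self.users[s["user"]]["session_gen"]

    def set_password(self, user, new_password):
        rec = self.users[user]
        rec["pw_hash"] = self._hash_pw(new_password)
        rec["session_gen"] += 1  # invalidates every session issued before now

    def issue_reset(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # this is what goes into the e-mailed link
        self.resets[self._token_key(token)] = {
            "user": user, "expires": now + RESET_TTL, "used": False}
        return token

    def redeem_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        rec = self.resets.get(self._token_key(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return False  # unknown, replayed or expired link
        rec["used"] = True  # single use: the link dies the moment it succeeds
        self.set_password(rec["user"], new_password)
        return True
```

The generation counter is what makes "password change logs everyone out" work without having to enumerate sessions; the same counter can be bumped on any other event that should end all sessions, such as a support-driven account recovery. Tokens are compared through their hash lookup rather than by scanning stored plaintext tokens, so a read of the reset table gives an attacker nothing to replay.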
muyuu
Donator
Legendary
Offline
Activity: 980
Merit: 1000
May 26, 2012, 11:30:36 AM Last edit: May 26, 2012, 11:56:22 AM by muyuu
> ...Bitcoinica Memorial Day anyone, when we remember those brave & contagious souls who risked their all in a dodgy margin trading scheme, we recall those funds that were for ever lost, mislaid or indefinitely detained without due process, we vow never to repeat such a madness ever again, or at least not until Kronos.io opens for business next week
>
> Who would be crazy enough to put another Satoshi into Kronos.io after what happened to the most renowned trading platform out there??? For all I care such hacks could be staged and there could be the same secret investors opening the same page under a new name preparing for the same heist once again. It's obviously untrue but are people truly so naive to think they can be successful now with the same business model, after what just happened TWICE, and with a solution for full security yet to be found???
>
> +1 btw for handing over all claims to Zhoutong ASAP; at least the kid has some kind of a strategy to deal with refunds even though he deceived us about Bitcoinica's ownership for a long time.

I have no idea about Kronos and its operation, but Bitcoinica was run terribly. I don't know why anyone would extrapolate what happened to Bitcoinica to any other business, while still keeping the slightest degree of trust in Bitcoinica. Just doesn't make sense.

So Bitcoinica was running on a cheap cloud server, got hacked and learnt absolutely nothing from the incident. Got hacked again, while on another cheap cloud server (in Rackspace, who also offer several more secure options including one aimed at financial security standards, yet they opted to be cheap again despite the massive running profits), and you somehow still give them more credibility than you'd give to a new service that, for starters, had a beta testing period. Which Bitcoinica didn't. Bitcoinica was running, apparently, less than 1 week after ZhouTong laid the first line of code. To top it off, they made significant changes to their core business structure in complete secrecy, and when asked about particular details they repeatedly lied. It simply doesn't get much worse or unprofessional than this.

As with any other "financial" bitcoin operation, not running under any regulations and not liable, obviously I'd put any amount of BTC in Kronos at my own risk. If you're not ready to lose them, don't put them there. This should apply to any business not offering you any sort of legal guarantee over your funds.
GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D) forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
disclaimer201
Legendary
Offline
Activity: 1526
Merit: 1001
May 26, 2012, 01:07:11 PM
> ...Bitcoinica Memorial Day anyone, when we remember those brave & contagious souls who risked their all in a dodgy margin trading scheme, we recall those funds that were for ever lost, mislaid or indefinitely detained without due process, we vow never to repeat such a madness ever again, or at least not until Kronos.io opens for business next week
>
> Who would be crazy enough to put another Satoshi into Kronos.io after what happened to the most renowned trading platform out there??? For all I care such hacks could be staged and there could be the same secret investors opening the same page under a new name preparing for the same heist once again. It's obviously untrue but are people truly so naive to think they can be successful now with the same business model, after what just happened TWICE, and with a solution for full security yet to be found???
>
> +1 btw for handing over all claims to Zhoutong ASAP; at least the kid has some kind of a strategy to deal with refunds even though he deceived us about Bitcoinica's ownership for a long time.
>
> As with any other "financial" bitcoin operation, not running under any regulations and not liable, obviously I'd put any amount of BTC in Kronos at my own risk. If you're not ready to lose them, don't put them there. This should apply to any business not offering you any sort of legal guarantee over your funds.

I'm not ready to lose any more funds, and neither should you be. I don't trust Bitcoinica more than the next man. But why should Kronos be more trustworthy? I don't see how any such business earns any trust at the moment.
muyuu
Donator
Legendary
Offline
Activity: 980
Merit: 1000
May 26, 2012, 01:13:18 PM
> I'm not ready to lose any more funds, and neither should you be. I don't trust Bitcoinica more than the next man. But why should Kronos be more trustworthy? I don't see how any such business earns any trust at the moment.

I haven't lost a cent in Bitcoinica. I will continue doing my own risk assessment and yes, most if not all investments involve risk. You seem to be making wrong connections here, placing trust in those who have screwed you over above those who haven't. Once I see how they operate their business I will make a decision (obviously they can also lie about this; you have to factor in everything).
disclaimer201
Legendary
Offline
Activity: 1526
Merit: 1001
May 26, 2012, 02:00:50 PM
> I'm not ready to lose any more funds, and neither should you be. I don't trust Bitcoinica more than the next man. But why should Kronos be more trustworthy? I don't see how any such business earns any trust at the moment.
>
> I haven't lost a cent in Bitcoinica. I will continue doing my own risk assessment and yes, most if not all investments involve risk. You seem to be making wrong connections here, placing trust in those who have screwed you over above those who haven't. Once I see how they operate their business I will make a decision (obviously they can also lie about this; you have to factor in everything).

Well good luck then, it's never too late to lose your money at some new Bitcoinica clone. Waiting to see how they operate won't make their service any more secure. I'm sure you've found out their identities before you trust them, say from their "who we are" page, but wait, there isn't one.
muyuu
Donator
Legendary
Offline
Activity: 980
Merit: 1000
May 26, 2012, 02:11:33 PM
> I'm not ready to lose any more funds, and neither should you be. I don't trust Bitcoinica more than the next man. But why should Kronos be more trustworthy? I don't see how any such business earns any trust at the moment.
>
> I haven't lost a cent in Bitcoinica. I will continue doing my own risk assessment and yes, most if not all investments involve risk. You seem to be making wrong connections here, placing trust in those who have screwed you over above those who haven't. Once I see how they operate their business I will make a decision (obviously they can also lie about this; you have to factor in everything).
>
> Well good luck then, it's never too late to lose your money at some new Bitcoinica clone. Waiting to see how they operate won't make their service any more secure. I'm sure you've found out their identities before you trust them, say from their "who we are" page, but wait, there isn't one.

You can find them here in the forums. Information upon which I think I will keep my BTC at bay.
Cluster2k
Legendary
Offline
Activity: 1692
Merit: 1018
May 26, 2012, 06:17:37 PM
No backups. I guess this explains why the whole process of officially acknowledging the hack (via the bitcoinica web site) and the claims process has been so slow.
Herodes
May 26, 2012, 09:11:53 PM
> No database backups. Sorry for avoiding the question.

Oh dear, bitomat.pl all over again. I sincerely hope that the community will learn from this. And good luck in sorting out this mess.
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
May 27, 2012, 02:19:46 AM
Is this relative/relevant? http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html

> Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.
repentance
May 27, 2012, 02:52:00 AM
> Is this relative/relevant? http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
>
> > Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.

Likely completely irrelevant as it's an application of US state law. It "might" have some relevance if Bitcoinica tried to sue Rackspace but international lawsuits are a costly pain in the ass.
paraipan
In memoriam
Legendary
Offline
Activity: 924
Merit: 1004
Firstbits: 1pirata
May 27, 2012, 03:06:01 AM
> Is this relative/relevant? http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
>
> > Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.
>
> Likely completely irrelevant as it's an application of US state law. It "might" have some relevance if Bitcoinica tried to sue Rackspace but international lawsuits are a costly pain in the ass.

They would more likely be better off using some arbitration platform like judge.me in such a case.
BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
proudhon
Legendary
Offline
Activity: 2198
Merit: 1311
May 27, 2012, 03:59:01 AM
Haven't been following this. Is it clear yet, you know, that anyone will get any coins back or not?
Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
proudhon
Legendary
Offline
Activity: 2198
Merit: 1311
May 27, 2012, 04:45:50 AM
> No backups. I guess this explains why the whole process of officially acknowledging the hack (via the bitcoinica web site) and the claims process has been so slow.

Missed this earlier. So it's settled then? Nobody is getting anything back. Next.