[Emergency ANN] Bitcoinica site is taken offline for security investigation

[S3052]

the remaining funds excl. 18k btc should be there .
I guess its not a matter of IF but HOW they refund as without the database the process is tedious

[repentance]

Haven't been following this.  Is it clear yet, you know, that anyone will get any coins back or not?

Roughly 20% of the Bitcoins they held were lost but USD are apparently fine.  One of the VCs with a silent interest in Bitcionica has said that the losses will be covered and I'd be inclined to believe him as they just received half a million dollars in seed funding for their Bitcoin projects and need to be seen to be reputable in order to grow their CoinLab business.

They do have accounting records, even though they don't have an image of the database as it stood at the time it was deleted.  While that's not a perfect record, it's nowhere near as catastrophic as having no records would be - it might just take a bit longer to piece the information needed to return funds and Bitcoins to users together.

[fivebells]

...without the database the process [of determining remuneration] is tedious

Ha ha, that's one way to describe it. 

[proudhon]

Haven't been following this.  Is it clear yet, you know, that anyone will get any coins back or not?

Roughly 20% of the Bitcoins they held were lost but USD are apparently fine.  One of the VCs with a silent interest in Bitcionica has said that the losses will be covered and I'd be inclined to believe him as they just received half a million dollars in seed funding for their Bitcoin projects and need to be seen to be reputable in order to grow their CoinLab business.

They do have accounting records, even though they don't have an image of the database as it stood at the time it was deleted.  While that's not a perfect record, it's nowhere near as catastrophic as having no records would be - it might just take a bit longer to piece the information needed to return funds and Bitcoins to users together.

Hmmm, ok.  I guess I'm just going to let this cook for a while and move on.  Maybe in a few weeks I'll get a surprise email that their ready to return my coins.  In the meantime, I still want to try this new BitInstant thing and buy a few more coins.  I've only got a few hundred coins in any exchange now.  Everything else has been moved to paper and brain wallets.  I'm keeping one hot wallet with small amounts for day to day stuff, but otherwise everything else is is staying locked up tight.

[Phinnaeus Gage]

Haven't been following this.  Is it clear yet, you know, that anyone will get any coins back or not?

Roughly 20% of the Bitcoins they held were lost but USD are apparently fine.  One of the VCs with a silent interest in Bitcionica has said that the losses will be covered and I'd be inclined to believe him as they just received half a million dollars in seed funding for their Bitcoin projects and need to be seen to be reputable in order to grow their CoinLab business.

They do have accounting records, even though they don't have an image of the database as it stood at the time it was deleted.  While that's not a perfect record, it's nowhere near as catastrophic as having no records would be - it might just take a bit longer to piece the information needed to return funds and Bitcoins to users together.

Hmmm, ok.  I guess I'm just going to let this cook for a while and move on.  Maybe in a few weeks I'll get a surprise email that their ready to return my coins.  In the meantime, I still want to try this new BitInstant thing and buy a few more coins.  I've only got a few hundred coins in any exchange now.  Everything else has been moved to paper and brain wallets.  I'm keeping one hot wallet with small amounts for day to day stuff, but otherwise everything else is is staying locked up tight.

I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~

[repentance]

I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~

Remember that in this case the hacker was able to delete the backup, so I don't think that exchanges saying that they have a backup means much.  How often they make back ups and how they back up are pretty critical to their ability to recover from a critical incident and who has access to the back ups determines whether they are also vulnerable.

[Serge]

I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~

they need daily off-site backups at the very least, not just a (single) backup. these daily backups should be kept very safe as well

[Bitcoin Oz]

There should be a prediction market where you can bet which site will get hacked next

Just like assassination markets except for websites....

[Vladimir]

There should be a prediction market where you can bet which site will get hacked next

Just like assassination markets except for websites....

That would be cool, but only if owners of websites could take the other side of the bets. This would kind of allow some to finance information security efforts.  LOL.

[Maged]

Is this relative/relevant?

http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html

Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.

Not at all. This is not a case where just a customer's account was hacked.

I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~

We're not an exchange, but I'll go on record as saying that Bitcointalk.org has daily backups mirrored to at least 2 different locations other than the datacenter that we're hosted at. This is in addition to industry standard backup and recovery solutions deployed onsite.

Yes, believe it or not, but your posts and PMs on this forum are actually better preserved than your current balance at Bitcoinica.

[DiabloD3]

Yes, believe it or not, but your posts and PMs on this forum are actually safer than your current balance at Bitcoinica.

I lol'd.

[Phinnaeus Gage]

Is this relative/relevant?

http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html

Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.

Not at all. This is not a case where just a customer's account was hacked.

I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~

We're not an exchange, but I'll go on record as saying that Bitcointalk.org has daily backups mirrored to at least 2 different locations other than the datacenter that we're hosted at. This is in addition to industry standard backup and recovery solutions deployed onsite.

Yes, believe it or not, but your posts and PMs on this forum are actually better preserved than your current balance at Bitcoinica.

Dude, that means I'm/we're counting to 63,000,000 with images in that Newbie thread. That'll take forever! 

I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~

they need daily off-site backups at the very least, not just a (single) backup. these daily backups should be kept very safe as well

I guess that's what I meant--proper backups. While we're at it, I think all backups should be open-source so that we can all see that they're backup. We're going to see them anyway, but at least then a hacker wouldn't have anything to do, unless they all pooled their resources and hacked via adding funds to databases, coupled with becoming Grammar Nazis.

[Bitcoin Oz]

Theres an old saying that a backup doesnt exist untill its in 3 separate places

[muyuu]

Is this relative/relevant?

http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html

Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.

Not at all.

User gets hacked, hackers withdraw using user's interface. No other user is affected other than the hacked user, who's responsible of his own account.

This is like someone got the passwords to your bank account online interface from you and pwned you. You are responsible of not revealing your passwords. Sure, allowing such massive withdrawals is probably over the top but it's most likely something the user decided or agreed to.

[cypherdoc]

Theres an old saying that a backup doesnt exist untill its in 3 separate places

thats a good saying.

[David_Benz]

Theres an old saying that a backup doesnt exist untill its in 3 separate places

VERY good saying.

[rjk]

Theres an old saying that a backup doesnt exist untill its in 3 separate places

thats a good saying.

Additionally, rjk's Third Law Of Backups states that if your backup procedures are rigorous and the backups are stored in at least 3 locations, you will never ever have to recover from them. If however they suddenly disappear due to a freak accident, that is the day you are guaranteed to need them the most.

Kind of like the Law Of Extra Parts also by rjk: if you need 5 screws to complete a project, and you bring only 5, you are guaranteed to lose one of them. If however you bring 6 screws to a project that needs only 5, you are guaranteed to always have 1 left over.

[DiabloD3]

Theres an old saying that a backup doesnt exist untill its in 3 separate places

thats a good saying.

Additionally, rjk's Third Law Of Backups states that if your backup procedures are rigorous and the backups are stored in at least 3 locations, you will never ever have to recover from them. If however they suddenly disappear due to a freak accident, that is the day you are guaranteed to need them the most.

Kind of like the Law Of Extra Parts also by rjk: if you need 5 screws to complete a project, and you bring only 5, you are guaranteed to lose one of them. If however you bring 6 screws to a project that needs only 5, you are guaranteed to always have 1 left over.

The generic version of that is just Diablo's Rule #1: Redundancy in planning is not paranoia.

[paraipan]

Yes, believe it or not, but your posts and PMs on this forum are actually safer than your current balance at Bitcoinica.

I lol'd.

Great, seems like some people would have done a better job by asking you guys how it's done. 

[JusticeForYou]

Theres an old saying that a backup doesnt exist untill its in 3 separate places

Nice to see the Rule of 3 is still a universal constant.

Guy: How many guys have you slept with?
Girl: 2

Answer: 2*3=6



Girl: How many girls have you slept with?
Guy: 9

Answer: 9/3=3


How many back-ups should you have?

Answer: 3