Bitcoin Forum
December 11, 2016, 12:16:11 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Bitcoinica security discussion from last years Hacker News.  (Read 1944 times)
elux
Legendary
*
Offline Offline

Activity: 1455



View Profile
May 13, 2012, 04:58:56 AM
 #1

Stumbled over this interesting and somewhat ominous exchange from last year.

http://news.ycombinator.com/item?id=2973313

An interesting read in light of recent events. Some excerpts:

Quote from: zhoutong
Hi HN,
I'm the creator of Bitcoinica. I'm not so established here. To be honest, I'm only 17.
Please try it out. (I can pay $1 for you if you're not willing/able to deposit, email me at info@bitcoinica.com. :-D ) You can leave any suggestions, comments, bug reports and feature requests here. I'll look through every single comment. Thanks!

Quote from: jellicle
Without meaning to put a damper on your technical work, you should keep in mind a few things:

-- systems that work with money are attacked hard and often, by intelligent skilled people
-- in fact some of the people who attack your system are likely to be both more skilled and more intelligent than you are
-- systems that work with money that fail, fail spectacularly ("What do you mean someone withdrew $8 million last night?")
-- banking websites, Paypal, etc. are all like icebergs - you don't see 9/10ths of the things they've done to prevent spectacular failure
-- spectacular failure is your destiny if you don't work very hard to prevent it
-- spectacular failure may be your destiny even if you do work very hard to prevent it

You should plan accordingly.

Quote from: forensic
Doing your best probably isn't enough. To have any hope you'll have to hire expensive security people and buy lots of insurance.
All you need in order to be exploited is to be using software with 0day exploits. Many known exploits are not public. In a very real sense, you are only protected to the extent that you are a small target.

As the potential payoff of a hacker approaches $1 million, the likelihood of being hacked approaches 90%. Software really is THAT insecure and bitcoin thefts are not prosecuted making it basically risk-free to steal bitcoins.

Quote from: jerf
To be honest, your age isn't a problem, because the average above-average developer is still not competent to write this sort of software. If you had been doing security and financial software since birth, I might consider putting a bit of trust in the kitty to start.

I'm going to pitch a different take than a few others: Yes, great initiative, please keep trying things and building things, but end this project now. There are no probable outcomes where you do not end up having to explain where thousands of dollars of other people's money went to some angry people. There's also very nontrivial odds of being on the wrong end of armed Federal agents, based on some of the other comments you've made here. This is a horrible, horrible first-project sort of project.

Let me put it this way: Would you be willing to convert the BitCoins in your system into cash, put it in your front window, and post daily pictures of the pile of cash to your Facebook account, set to public visibility? Because that's roughly what you're doing.

 Ah well, hindsight is 20/20.  Undecided
1481458571
Hero Member
*
Offline Offline

Posts: 1481458571

View Profile Personal Message (Offline)

Ignore
1481458571
Reply with quote  #2

1481458571
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481458571
Hero Member
*
Offline Offline

Posts: 1481458571

View Profile Personal Message (Offline)

Ignore
1481458571
Reply with quote  #2

1481458571
Report to moderator
1481458571
Hero Member
*
Offline Offline

Posts: 1481458571

View Profile Personal Message (Offline)

Ignore
1481458571
Reply with quote  #2

1481458571
Report to moderator
elux
Legendary
*
Offline Offline

Activity: 1455



View Profile
May 13, 2012, 05:39:02 AM
 #2

Here's another discussion that had me facepalming a couple of times: Hacker News: Introducing Bitcoinica API. (See the first reply for several good examples.)
stochastic
Hero Member
*****
Offline Offline

Activity: 532


View Profile
May 13, 2012, 07:36:56 AM
 #3

Stumbled over this interesting and somewhat ominous exchange from last year.

...

 Ah well, hindsight is 20/20.  Undecided

You only did your research in hindsight?  I read this when I was searching about Bitcoinica when I first learned about them.  Measure your risks first before looking at the possible return.

Introducing constraints to the economy only serves to limit what can be economical.
zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490


View Profile WWW
May 13, 2012, 12:16:24 PM
 #4

This is quite irrelevant. When the service initially launched, we didn't have a bitcoind server at all. That's why I was quite confident about security (and the trading volume is not that huge).

Both major incidents happen due to bitcoind problems (while we are trying to find alternate solutions), and there are tons of small incidents happening during development stage, majority are due to bitcoind problems as well.

I'm only a web developer and I know my limitations. This is how I justify the original Hacker News comments.

I'll never handle the wallet.dat again in my life, ever.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
Ichthyo
Hero Member
*****
Offline Offline

Activity: 602


View Profile
May 13, 2012, 02:09:17 PM
 #5

I'm only a web developer and I know my limitations. This is how I justify the original Hacker News comments.

Hello Tong,

all your comments show us a honest, openminded young man striving for the better.
Encountering such people is really reassuring.


People staying long time in the money and the serucity business tend to become suspicious and often disaffected.
Keeping the right way of heart and mind is difficult. We can just try again and again.


For us in the bitcoin world it surely hurts you are leaving.
But you might indeed be better off learning new things now, gaining a wider field of experience
and learning some craft really inside out, heart and mind.

All the best wishes!
--Ichthyo
kangasbros
Hero Member
*****
Offline Offline

Activity: 811



View Profile
May 13, 2012, 03:08:20 PM
 #6

This is quite irrelevant. When the service initially launched, we didn't have a bitcoind server at all. That's why I was quite confident about security (and the trading volume is not that huge).

Both major incidents happen due to bitcoind problems (while we are trying to find alternate solutions), and there are tons of small incidents happening during development stage, majority are due to bitcoind problems as well.

I'm only a web developer and I know my limitations. This is how I justify the original Hacker News comments.

I'll never handle the wallet.dat again in my life, ever.

Do you mean that because somebody compromised the servers, and was able to access your wallet.dat (with bitcoind), or some other security issues with bitcoind?

mrb
Legendary
*
Offline Offline

Activity: 1120


View Profile WWW
May 16, 2012, 08:35:53 AM
 #7

Stumbled over this interesting and somewhat ominous exchange from last year.

http://news.ycombinator.com/item?id=2973313

[...]

Ah well, hindsight is 20/20.  Undecided

This was foresight, not hindsight.

zhoutong, these comments were relevant. You had zero excuse for being confident about Bitcoinica's security. Even if you were not running a bitcoind or managing wallets. Your site managed financial accounts with real value behind them, therefore, regardless of the implementation, these attacks and thefts were meant to happen, given you had little to no experience securing a financial website. You were warned, but you did not listen.

That said, I wish you good luck to your future endeavors.
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
May 16, 2012, 08:49:33 AM
 #8

Do you mean that because somebody compromised the servers, and was able to access your wallet.dat (with bitcoind), or some other security issues with bitcoind?
Being responsible for heaps of cash is a very stressful thing.

publio
Member
**
Offline Offline

Activity: 64


View Profile
May 16, 2012, 09:48:13 AM
 #9

Being responsible for heaps of bitcoins is a very stressful thing.

FTFY Wink

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!