Bitcoin Forum
Author Topic: Zhoutong  (Read 3022 times)
bitcoinBull (OP)
May 26, 2012, 02:29:50 AM
 #1

1. I play no part in Bitcoinica. If you get your money late, it's Bitcoinica Consultancy's fault.

 Nope, it's your fault too.

Both major incidents happen due to bitcoind problems (while we are trying to find alternate solutions), and there are tons of small incidents happening during development stage, majority are due to bitcoind problems as well.

Blaming bitcoind? No, the majority of the problems are due to you.


If anything of the following happened this would be prevented:

- Patrick's email was not added to the mailing list, and he used Bitcoinica email instead.
- Rackspace should just terminate the sessions then at least the database would be safe.
- We should not use the official Bitcoin client because it's very hard to secure it without large investments and affecting instant withdrawals in large amounts.

Blame email. Blame Rackspace. Blame the bitcoin client.

I made a mistake not to advise the previous owner to stop the negotiation. I only asked him to check their actual technical abilities.

Your continual mistake is a lack of honest self-reflection.

They did an intensive code review and dig out a Nginx vulnerability that someone notified me earlier but I forgot to address. (This was really my fault! Luckily no one exploited it.)

Luckily.

The hacker almost gained access to our Mt. Gox API keys, before I revoke them!

He could get 30,000+ BTC easily if I was asleep, or busy.

So all bitcoinica's MtGox funds were on one account and unsecured by yubikey? Good thing you were on top of things.

Well, shit just happens and it's not anyone's fault or incompetence here.

I disagree. It is your fault for not thinking ahead, having contingency plans, and back-ups.

I know you've made statements accepting responsibility elsewhere, but these conflicting statements reveal your actual attitude. You got yourself into this mess entirely on your own, zhou.

Nope. I wouldn't handle things like this.

But you did.


I'm taking all the responsibility here.
...[snip]...
I might be immature (I have no age privilege to disprove this). I might just suck at PR. I might be the 17-year-old kid causing endless troubles for you. I'm truly sorry.

You are? Are you truly?

I actually LOL'd when I see the mess I'm creating.
...[snip]...
Just that the whole thing is quite funny if I look back. :-D

College of Bucking Bulls Knowledge
chsados
May 26, 2012, 02:41:39 AM
 #2

really?  why make this thread? 
repentance
May 26, 2012, 03:17:56 AM
 #3

Regardless of any shortcomings in the way Zhoutong originally set things up, Bitcoin Consultancy was engaged to do a "comprehensive security audit" prior to becoming the owners and operators of Bitcoinica in late April.

Either their security audit failed to detect the vulnerability or they failed to address it - neither option is really excusable from an entity which promotes itself as being "expert" in security, and it's precisely the kind of vulnerability they should have been looking for in the wake of the Linode debacle.  They cannot blame Zhoutong for their own failure to detect and address vulnerabilities or the fact that those vulnerabilities remained undetected and/or unaddressed after they assumed ownership and control of operations - a second intrusion is precisely what they were brought in to prevent.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
bitcoinBull (OP)
May 26, 2012, 03:24:01 AM
 #4

really?  why make this thread? 

Because I'm pissed that he didn't make any backups of the database.

And I see a pattern in his behavior where he blames everything and everyone else for his (and now collectively our) problems. Most people don't have time to go through everything and might miss this pattern. But I believe it's important to have an accurate, summarized record of history.


College of Bucking Bulls Knowledge
bitcoinBull (OP)
May 26, 2012, 03:31:42 AM
 #5

Regardless of any shortcomings in the way Zhoutong originally set things up, Bitcoin Consultancy was engaged to do a "comprehensive security audit" prior to becoming the owners and operators of Bitcoinica in late April.

...[snip]...

Yes, no doubt Bitcoin Consultancy fucked up too. It was a fatal combination.

But I'm tired of the "rah-rah zhou" / "all bitcoin consultancy's fault" stuff. Bitcoin consultancy can be blamed for the loss of another 18k btc. But the situation is much, much worse than that. And that is (more or less) entirely zhou's fault.

College of Bucking Bulls Knowledge
repentance
May 26, 2012, 03:36:25 AM
 #6

really?  why make this thread? 

Because I'm pissed that he didn't make any backups of the database.

And I see a pattern in his behavior where he blames everything and everyone else for his (and now collectively our) problems. Most people don't have time to go through everything and might miss this pattern. But I believe it's important to have an accurate, summarized record of history.



While you can be pissed off at Zhoutong personally, you should be even more pissed off that the "security experts" who were running the company did not have proper procedures for backing up in place and that they chose to continue using a hosting service which couldn't even kick a hacker off the server in the case of an intrusion.  Why did their security audit not reveal the need for multiple backups in several locations - why had they not implemented such a procedure?  In terms of "things self-proclaimed security experts should be ashamed of and embarrassed by" this is right up there with the HBGary intrusion by Anonymous.

I don't think it's productive for Zhou to make "I suggested this..." type statements because he has no controlling interest in the company and the decisions will be made by those who do.  There's really little to be gained by maintaining a running log of suggestions he's made which have been rejected, although I understand his inclination to protect himself from personal attack over choices which were not and are not his to make.

Nobody is going to come out of this looking good.  Not even Tihan because he's the one who engaged Bitcoin Consultancy on the basis of their "expertise" and they failed to deliver - a decision he's now stuck with justifying to his investors.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
rjk
May 26, 2012, 03:42:57 AM
 #7

One of zhoutong's last posts was to the effect that database recovery is easier than they thought it would be. I'm guessing there is a recent backup to be had, but I don't know. Perhaps you should calm down and have a tad bit more patience.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
cbeast
May 26, 2012, 04:41:14 AM
 #8

You trusted a 17 y/o with your money. Let's forget about age of consent for a moment; even if Zhou Tong is a very intelligent person, he doesn't have the qualification nor the experience to handle complex business needs, yet. Let him do the best he can to fix this then just let him grow up without this being a black mark against him.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
zhoutong
May 26, 2012, 05:04:49 AM
 #9

You can complain all you want, but it's not going to solve the problem.

I have a way to make sure that at least 98% of all customers are satisfied with refunds (including you) while not incurring additional liability for the company. I have no legal obligation to resolve because I'm neither the General Partner of Bitcoinica nor a paid employee. (My employment status is unknown, but I was not paid for work since April 1.)

Bitcoinica Consultancy has three people including two technical experts. They have been working in Bitcoinica for more than one month. And they're assumed to bear all liabilities of Bitcoinica LP.

However, I have offered to take over the dispute resolution for no compensation, no future financial interest in the company, and no additional liability required. I want to be responsible for this even though I'm not legally required to do so.

Honestly, the whole situation is unfair for Bitcoinica Consultancy since they only took over the company a few weeks ago. They didn't make a single cent of profit before incurring such huge losses. I believe that Tihan chose to compensate personally (when he's not legally required to do so) because of the same consideration.

From the information I have, the data we still possess is more than enough to come up with a net value for everyone within 5% range. When coupled with the claimed figures, we can even figure out the exact net value for most of the accounts. I believe that Bitcoinica Consultancy also has the ability and expertise to execute the dispute resolution process independently without my help.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
tvbcof
May 26, 2012, 05:21:58 AM
 #10

...
From the information I have, the data we still possess is more than enough to come up with a net value for everyone within 5% range.
...

Shit, that's better than the spread used to be if I recall correctly from when I was playing around with the system.  What's not to love!?!


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
allten
May 26, 2012, 06:08:45 AM
 #11

It's easy to sit behind the computer and throw tomatoes, but my feelings do resonate with the OP.

I've already made some tough accusations at Zhou with a disclaimer that I was speculating.
My gut tells me something is seriously wrong with the way things happened and he's literally getting away with the "perfect crime".
Yes a crime, but I have no evidence so my suspicions don't mean much.

I didn't have any money with Bitcoinica, but I did at one time. It just felt things were going to end in disaster and unfortunately I was right.

Quote from: zhoutong on May 24, 2012, 10:02:57 AM
"I actually LOL'd when I see the mess I'm creating.
...[snip]...
Just that the whole thing is quite funny if I look back. :-D"

Doesn't this say a lot!?!

This reminds me when Flexcoin was up for sale. I was going to buy it.
I was in the middle of negotiating through email and over the phone.
It was almost a done deal until he gave me his proposed timeline for the transition. He wanted to make it happen in a month. I had a different idea.
Here's what I had in mind:
1) I buy it, and he continues to operate as normal and I pay him to continue its operations.
2) Notify all the customers of the sale and who I am so they can choose if they want to hold their funds there during a lengthy transition.
3) After that, I was hoping to get a copy of the wallet service without any customer data or bitcoins so I had time to familiarize myself with how it works and its operations without causing any alarm to the customers.
4) After a couple of months of learning the system, I wanted to yet again let all users know in advance that the new owner was about to get admin access to the server and if they had any issue with this then they should withdraw.
5) Then I hoped to be able to work with the Flexcoin team in a positive manner helping them out and slowly taking on more of the operation myself.
6) Finally, I would take over completely. All passwords would be reset and only known by me and the team I had hoped to form. And also take over the offline wallet. Again, all this with advance notice to the customers.

So, what happened? The owner was looking to hand it off much sooner as it was a huge distraction to projects that he felt were more important; so, he sold it to another guy the very day I was preparing to send him my more detailed and lengthy timeline. No animosity; he did what he had to do.

There were a couple of reasons I wanted to do it this way. First, I wasn't prepared. Second, I didn't want to alarm the clients and I wanted to give them ample opportunity to discontinue the service if there was something they didn't feel comfortable about. And lastly, there was a perfect opportunity to commit a serious crime and get away with it.
The handing off of server privilege with bitcoins to another is a huge opportunity to steal and blame it on the other guy.

The time I had spent preparing all these contingency plans for a takeover really are hitting home with me as I watch this bitcoinica disaster unfold.

Yes, it looks really bad for a "security team" to have a "security breach", but do realize the ball was dropped in the absolute worst time possible in the worst way possible which was during the hand off. Both are at fault! What proof do they really have that it was an email hack? It was probably the only hole they could find after the hack and had to assume that is where the breach happened, but what if it was something else? You know, Zhou.

Who had the most to lose if there were records in Bitcoinica that pointed to fraud on Zhou's part? Or maybe it wasn't monetary fraud, but simply a big ego damaged!
Who had the ability to send the keys to the server and simultaneously "hack" the server?
Who had the ability to communicate directly with rackspace and potentially find some residue of the servers and databases before it was too late?
Who has the keys to the offline cold storage wallet?
Who was the first to know of the breach and then notify the forum/community, but not even tell his team?
Who conveniently went back to school and didn't have time for us anymore?
Who recently made a huge move to Australia and is getting the hell out of dodge?
Why are there a few bitcointalk accounts that continue to attack the Consultancy (no, I'm not taking their side) very venomously that were created after the first security audit of the Bitcoinica? Planned in advance maybe?
Why does Zhou so boldly claim that these accounts are not him and dares us to compare writing styles, but in another post says he has language software that gives him the ability to write in many different forms or something to that effect?

Yeah, I know. Just a good conspiracy theory, but man I'm sure glad I followed my gut feeling a long time ago and pulled the little I had and resisted the temptation to deposit more even with the cool interest rates they had.

I've lost all trust in Zhou. Maybe I'm wrong, but it will take a whole lot of convincing.

In retrospect, Bitcoin businesses are not ready to survive their original creators/operators/owners.
The only way is to shut down and let the next guy restart it and grow it again.












zhoutong
May 26, 2012, 06:34:46 AM
 #12

Who had the most to lose if there were records in Bitcoinica that pointed to fraud on Zhou's part? Or maybe it wasn't monetary fraud, but simply a big ego damaged!


Who had the ability to send the keys to the server and simultaneously "hack" the server?
I don't exactly understand your questions. But well, the email compromise has been confirmed by everyone, and the system is solely controlled by Bitcoinica Consultancy.

You can say whatever you want if you have concrete evidence or proof. I have already listed the 15 verifiable points in the other thread and you're welcome to challenge any statement that you believe is wrong.


Who had the ability to communicate directly with rackspace and potentially find some residue of the servers and databases before it was too late?


I communicated with them immediately and they locked down all the servers. However, I was in a false confidence that the data won't be affected because I can't do anything on the servers. I don't blame Rackspace for the hack, but it's a design flaw that resulted in missing the opportunity to recover data. (If they can't suspend the servers, I could probably download the backup immediately to my machine.)
Who has the keys to the offline cold storage wallet?
I don't have. I don't even know how much we have in cold storage before the hack.

Who was the first to know of the breach and then notify the forum/community, but not even tell his team?
They were all offline when the thing happened and I was exactly online (at about 10pm UTC+10). I told Tihan and Patrick, but not Amir. I have never communicated with Amir before the hack. I was not even recognised as the employee of Bitcoinica.

Who conveniently went back to school and didn't have time for us anymore?
I'm not the owner of Bitcoinica and I'm not liable for anything that happened.

Who recently made a huge move to Australia and is getting the hell out of dodge?
I decided to move to Australia in November 2011.

Why are there a few bitcointalk accounts that continue to attack the Consultancy (no, I'm not taking their side) very venomously that were created after the first security audit of the Bitcoinica? Planned in advance maybe?
I don't know them.

Why does Zhou so boldly claim that these accounts are not him and dares us to compare writing styles, but in another post says he has language software that gives him the ability to write in many different forms or something to that effect?
I never claimed something like that. Citation?
Yes, my Mac autocorrects. Like "organisation" instead of "organization". This was pointed out by Bruno as "wrong spelling".

Yeah, I know. Just a good conspiracy theory, but man I'm sure glad I followed my gut feeling a long time ago and pulled the little I had and resisted the temptation to deposit more even with the cool interest rates they had.
I didn't even initiate the interest system. Bitcoinica makes profits when people trade, not when people deposit.

I've lost all trust in Zhou. Maybe I'm wrong, but it will take a whole lot of convincing.
You don't have to trust me. I can't get a single cent if you trust me.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
Vladimir
May 26, 2012, 08:32:28 AM
 #13

Right, here is a VC backed company with Bitcoin developers and "with specialisation in information security" CTO on board who own and operate a service that got hacked. And you think that it is all fault of a 17 yo who they have hired and who was an employee and later got effectively fired.

Good luck convincing any judge or anyone with a modicum of common sense.


-
repentance
May 26, 2012, 09:00:32 AM
 #14

Right, here is a VC backed company with Bitcoin developers and "with specialisation in information security" CTO on board who own and operate a service that got hacked. And you think that it is all fault of a 17 yo who they have hired and who was an employee and later got effectively fired.

Good luck convincing any judge or anyone with a modicum of common sense.



On the plus side, VCs are notorious for micro-managing the financials of the enterprises in which they invest so it's likely that extremely detailed financial records were sought prior to Tihan signing on and that they've been closely analysed ever since.  Even in non-financial businesses, one of the first things you do during the transition process is revoke everyone's physical and electronic access and issue new credentials/keys/codes only to those who currently need them in order to do their job - it's the only way you can be certain of controlling who has current access.  Anyone who's ever had a key could have had it copied and anyone who's ever had a code could have shared it with someone else - and you always assume that they have.




All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
disclaimer201
May 26, 2012, 09:51:49 AM
 #15

Why hasn't anyone started a new thread in General Discussion about InterScamgo yet??? Really, they deserve to be put out of business in any case.
repentance
May 26, 2012, 09:57:10 AM
 #16

Why hasn't anyone started a new thread in General Discussion about InterScamgo yet??? Really, they deserve to be put out of business in any case.

There's nothing stopping you from starting one if you believe one should exist.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
disclaimer201
May 26, 2012, 10:07:04 AM
 #17

Why hasn't anyone started a new thread in General Discussion about InterScamgo yet??? Really, they deserve to be put out of business in any case.

There's nothing stopping you from starting one if you believe one should exist.

Just wondering why there'd be one on Zhoutong first. He seems to by far handle all of this more professionally. I hope they let him take over the claims process. Otherwise, I'd doubt we'll ever see any money returned to us. Instead some lawyers and courts will be paid with what's left because the so-called consultancy already needs a week for a simple statement let alone finishing a claims process.
genjix
May 26, 2012, 01:04:51 PM
Last edit: May 26, 2012, 01:55:48 PM by genjix
 #18

Right, here is a VC backed company with Bitcoin developers and "with specialisation in information security" CTO on board who own and operate a service that got hacked. And you think that it is all fault of a 17 yo who they have hired and who was an employee and later got effectively fired.

Good luck convincing any judge or anyone with a modicum of common sense.

Your post is so hindsight is 20/20.

It is bad practice to make sudden disruptive changes overnight to a production system. Instead the theory was a very gradual replacing of the system while observing changes. Bitcoinica was already very fragile. I still think that was a good decision.
muyuu
May 26, 2012, 01:16:31 PM
 #19



Man up.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
Vladimir
May 26, 2012, 05:40:01 PM
Last edit: May 26, 2012, 06:11:49 PM by Vladimir
 #20

Right, here is a VC backed company with Bitcoin developers and "with specialisation in information security" CTO on board who own and operate a service that got hacked. And you think that it is all fault of a 17 yo who they have hired and who was an employee and later got effectively fired.

Good luck convincing any judge or anyone with a modicum of common sense.

Your post is so hindsight is 20/20.

It is bad practice to make sudden disruptive changes overnight to a production system. Instead the theory was a very gradual replacing of the system while observing changes. Bitcoinica was already very fragile. I still think that was a good decision.

Absolutely! It is in hindsight, no arguments here. But note that I am not attacking you at all. I am just pointing out how unreasonable it is to attack Zhou.

Frankly, the only thing I could fault Zhou for, big time, is not taking my information security related advice early on and accepting my resignation over that.

At least since then I had multiple opportunities to enjoy "I told you so" moments.

Sincerely Yours,
Captain Gloat. LOL

-