Bitcoin Forum
Author Topic: [Payout Updates] Bitcoinica site is taken offline for security investigation  (Read 145653 times)
Bitcoin Oz
Hero Member
*****
Offline Offline

Activity: 700


Wat


View Profile WWW
July 14, 2012, 03:33:29 AM
 #1381

If more money gets stolen it's less he needs to pay out. No wonder he didn't change the password :)

repentance
Hero Member
*****
Offline Offline

Activity: 840


View Profile
July 14, 2012, 03:34:56 AM
 #1382

Secure more VC? He provides VC!

The two aren't mutually exclusive.  

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
Bitcoin Oz
Hero Member
*****
Offline Offline

Activity: 700


Wat


View Profile WWW
July 14, 2012, 03:58:29 AM
 #1383




Mushoz
Hero Member
*****
Offline Offline

Activity: 686


Bitbuy


View Profile WWW
July 15, 2012, 03:23:23 PM
 #1384

So how is this latest disaster going to affect the payouts? When will the payouts resume?

www.bitbuy.nl - Buy bitcoins easily, quickly and cheaply at Bitbuy!
HorseRider
Donator
Legendary
*
Offline Offline

Activity: 1582


View Profile
July 15, 2012, 03:28:40 PM
 #1385

It's really astonishing for me that after 70+ pages of discussion, genjix has been able to remain silent.

16SvwJtQET7mkHZFFbJpgPaDA1Pxtmbm5P
proudhon
Legendary
*
Offline Offline

Activity: 1148



View Profile
July 15, 2012, 03:33:08 PM
 #1386

It's really astonishing for me that after 70+ pages of discussion, genjix has been able to remain silent.

What else is there to say, really?
Vod
Legendary
*
Offline Offline

Activity: 1848


Licking my boob since 1970


View Profile WWW
July 15, 2012, 03:40:25 PM
 #1387

What else is there to say, really?

July 15, 2012 - We are sad to report someone has broken into our home and taken our laptop containing the cold storage wallet for the remainder of the bitcoinica funds.  We didn't think to encrypt the wallet because we thought it was safe.  Sorry :(

I'm into creating universes, smiting people, writing holy books and listening to prayers.
If you want your prayers answered, you must donate to 1CDyx8AUTiYXS1ThcBU3vy4SJWQq6pdFMH
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1302


Bitcoin: An Idea Worth Spending


View Profile
July 15, 2012, 03:44:29 PM
 #1388

Intersango guys were paid to do a review of the source code. I got this personally from an Intersango guy. If they checked this out and left the password in the code? Umm? WTF?

And if Intersango guys uploaded that code and password to the public?

WTF!!

I see why police will not be called....


For several hours last night, I conducted a lot of research and meant to comment on this post before calling it a night. I, too, find it odd that Bitcoinica's security audit was conducted by Intersango. That's akin to Mt Gox having their exchange audited by their own (made-up) Security: The Gathering.

~Bruno~
Otoh
Donator
Legendary
*
Offline Offline

Activity: 1918



View Profile
July 15, 2012, 05:19:05 PM
 #1389

Please to excuse me if someone has already asked about this as I don't wish to wade through the entire thread, (I have now & it doesn't seem to have been brought up as yet), but it has just struck me that in addition to not using the free Lastpass 2FA or the Yubi key that comes with a pro-account which Lastpass promote heavily & is an obvious must, they also can't have had any 2FA on their Mt. Gox account like the Mt. Gox Yubi key that is needed for both logging on & for withdrawals.

This has got to be deliberate imo to leave such a stash of client's cash just sitting there & then to not use the most basic protections that secure it, looks like a clear case of leaving plausible deniability to me - that is if anyone could imagine them being so negligent about the funds they were meant to be looking after in the first place.

Of course with the Yubi keys it would need a staged physical break in to pull off - far too risky, police have to be informed etc, so playing the incompetence card instead imo, Oh we put it all in this Online wallet & didn't bother to secure it or the access to it just like last time & the time before, even Inspector Clueless might just have spotted a pattern here.

Node40.com is a leader in DASH hosting, dedicated exclusively to fully managed masternode hosting. Professional, organized, and responsive. I have many dozens of nodes with them.    
BTC = $c²     BTC = 1otohotohMoQoxHuxLBveQiZcV3Pji3Tc      DASH, Digital Cash = www.dash.org   
   CHARITY | MY REP | DICE
repentance
Hero Member
*****
Offline Offline

Activity: 840


View Profile
July 15, 2012, 06:21:27 PM
 #1390

Intersango guys were paid to do a review of the source code. I got this personally from an Intersango guy. If they checked this out and left the password in the code? Umm? WTF?

And if Intersango guys uploaded that code and password to the public?

WTF!!

I see why police will not be called....



Tihan said in his first post that Intersango was brought in to do a security audit in March.  No-one has disputed that.  When asked about why the Rackspace hack happened after they'd completed the audit and become general partners, they said they'd been focusing on fixing the code.  All of this was publicly known prior to the MtGox intrusion.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1302


Bitcoin: An Idea Worth Spending


View Profile
July 15, 2012, 06:32:08 PM
 #1391

Intersango guys were paid to do a review of the source code. I got this personally from an Intersango guy. If they checked this out and left the password in the code? Umm? WTF?

And if Intersango guys uploaded that code and password to the public?

WTF!!

I see why police will not be called....


Tihan said in his first post that Intersango was brought in to do a security audit in March.  No-one has disputed that.  When asked about why the Rackspace hack happened after they'd completed the audit and become general partners, they said they'd been focusing on fixing the code.  All of this was publicly known prior to the MtGox intrusion.

Exactly! Tihan Seale brought in the Intersango team to do a security audit on Bitcoinica then owned by the same team.

http://en.wikipedia.org/wiki/Information_security_audit

Quote
  • Meet with IT management to determine possible areas of concern
  • Review the current IT organization chart
  • Review job descriptions of data center employees
  • Research all operating systems, software applications and data center equipment operating within the data center
  • Review the company’s IT policies and procedures
  • Evaluate the company’s IT budget and systems planning documentation
  • Review the data center’s disaster recovery plan (they may have missed this one, but 6(?) outta 7 ain't bad)
tbcoin
Hero Member
*****
Offline Offline

Activity: 896



View Profile WWW
July 15, 2012, 06:41:23 PM
 #1392

So how is this latest disaster going to affect the payouts? When will the payouts resume?


(no comments)
Bitcoinica will reimburse 100% of claims before 2013?
http://betsofbitco.in/item?id=499

Sorry for my bad English ;)
Bitcoin card for deposit and payment + Little POS
Donations:1N65efiNUhH6sEQg7Z6oUC76kJS9Yhevyf
repentance
Hero Member
*****
Offline Offline

Activity: 840


View Profile
July 15, 2012, 06:53:17 PM
 #1393



Exactly! Tihan Seale brought in the Intersango team to do a security audit on Bitcoinica owned by the same team.


The Intersango guys were not the owners of Bitcoinica when they were brought in to do the security audit.  That's a rather important point in itself because it means that they assumed responsibility for operating the company knowing there were existing vulnerabilities.  Whether Bitcoinica should have been taken offline at that (ie, prior to the Rackspace intrusion) point until those vulnerabilities were addressed is an interesting question.


All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
Vladimir
Hero Member
*****
Offline Offline

Activity: 812


-


View Profile
July 15, 2012, 06:57:04 PM
 #1394

I would speculate that "CTO with specialisation in information security" thought that "Information Security Audit" = "code audit for SQL injection and XSS and such" plus maybe a port scan.

Given all that we know now this would be the most plausible and simple explanation.




-
proudhon
Legendary
*
Offline Offline

Activity: 1148



View Profile
July 15, 2012, 06:58:12 PM
 #1395

What else is there to say, really?

July 15, 2012 - We are sad to report someone has broken into our home and taken our laptop containing the cold storage wallet for the remainder of the bitcoinica funds.  We didn't think to encrypt the wallet because we thought it was safe.  Sorry :(

They might as well hurry up and get on with that announcement then.
Vladimir
Hero Member
*****
Offline Offline

Activity: 812


-


View Profile
July 15, 2012, 07:03:23 PM
 #1396

Quote
  • Review the data center’s disaster recovery plan (they may have missed this one, but 6(?) outta 7 ain't bad)

Basically Information Security is mostly concerned with so called CIA of data.
i.e.
confidentiality, integrity, availability (CIA) of data.

Integrity is one of the major goals here and "offsite backups"  is always the very first thing one looks into when dealing with data integrity.

From my point of view they blew not 1 out of 7, but 3 out of 3.



-
Blind
Full Member
***
Offline Offline

Activity: 235



View Profile
July 15, 2012, 08:03:54 PM
 #1397

Please to excuse me if someone has already asked about this as I don't wish to wade through the entire thread, (I have now & it doesn't seem to have been brought up as yet), but it has just struck me that in addition to not using the free Lastpass 2FA or the Yubi key that comes with a pro-account which Lastpass promote heavily & is an obvious must, they also can't have had any 2FA on their Mt. Gox account like the Mt. Gox Yubi key that is needed for both logging on & for withdrawals.

This has got to be deliberate imo to leave such a stash of client's cash just sitting there & then to not use the most basic protections that secure it, looks like a clear case of leaving plausible deniability to me - that is if anyone could imagine them being so negligent about the funds they were meant to be looking after in the first place.

Of course with the Yubi keys it would need a staged physical break in to pull off - far too risky, police have to be informed etc, so playing the incompetence card instead imo, Oh we put it all in this Online wallet & didn't bother to secure it or the access to it just like last time & the time before, even Inspector Clueless might just have spotted a pattern here.

Is it possible that 2FA would prevent them from having shared access to accounts, so they skipped it? Still bad practice, but at least provides some explanation for this madness.


Government is not the solution to our problem. Government is the problem. -- Ronald Reagan
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
July 15, 2012, 09:57:28 PM
 #1398

Please to excuse me if someone has already asked about this as I don't wish to wade through the entire thread, (I have now & it doesn't seem to have been brought up as yet), but it has just struck me that in addition to not using the free Lastpass 2FA or the Yubi key that comes with a pro-account which Lastpass promote heavily & is an obvious must, they also can't have had any 2FA on their Mt. Gox account like the Mt. Gox Yubi key that is needed for both logging on & for withdrawals.

This has got to be deliberate imo to leave such a stash of client's cash just sitting there & then to not use the most basic protections that secure it, looks like a clear case of leaving plausible deniability to me - that is if anyone could imagine them being so negligent about the funds they were meant to be looking after in the first place.

Of course with the Yubi keys it would need a staged physical break in to pull off - far too risky, police have to be informed etc, so playing the incompetence card instead imo, Oh we put it all in this Online wallet & didn't bother to secure it or the access to it just like last time & the time before, even Inspector Clueless might just have spotted a pattern here.

Is it possible that 2FA would prevent them from having shared access to accounts, so they skipped it? Still bad practice, but at least provides some explanation for this madness.


No. LastPass allows several Yubikeys to be used on a single account, I believe the limit is 6 or 8. However, this would have been an issue with MtGox, unless they used GA and shared the GA secret.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
almackska
Guest

July 16, 2012, 03:45:01 AM
 #1399

Where's my money!!! I sent you all my bitcoinica emails, all my mtgox codes (Only method used to fund account), I filed a claim and haven't received ANY emails back. I talked to phantomcircuit in IRC and he told me that my account was small and I should wait an additional 3-4 days. That was two weeks ago. Not getting paid is one thing, not getting a SINGLE REPLY from my emails is another. WTF is taking so long! I want my M*therF*cking MONEY!
repentance
Hero Member
*****
Offline Offline

Activity: 840


View Profile
July 16, 2012, 04:11:19 AM
 #1400

Where's my money!!! I sent you all my bitcoinica emails, all my mtgox codes (Only method used to fund account), I filed a claim and haven't received ANY emails back. I talked to phantomcircuit in IRC and he told me that my account was small and I should wait an additional 3-4 days. That was two weeks ago. Not getting paid is one thing, not getting a SINGLE REPLY from my emails is another. WTF is taking so long! I want my M*therF*cking MONEY!

Last week was before another ~$350,000 was stolen.  I suspect that everyone will now be waiting more than a few additional days for the processing of claims to resume.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.