Bitcoin Forum
December 06, 2016, 04:20:13 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 6 7 8 [9] 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 ... 82 »
  Print  
Author Topic: [Payout Updates] Bitcoinica site is taken offline for security investigation  (Read 145695 times)
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1302


Bitcoin: An Idea Worth Spending


View Profile
June 03, 2012, 07:01:51 PM
 #161

Quote
WITH NO ROOT PASSWORDS SENT BY EMAIL

Herein lies the weakest link.

~Bruno~


Welcome to Fort Knox. The key is in the mailbox.
1481041213
Hero Member
*
Offline Offline

Posts: 1481041213

View Profile Personal Message (Offline)

Ignore
1481041213
Reply with quote  #2

1481041213
Report to moderator
1481041213
Hero Member
*
Offline Offline

Posts: 1481041213

View Profile Personal Message (Offline)

Ignore
1481041213
Reply with quote  #2

1481041213
Report to moderator
1481041213
Hero Member
*
Offline Offline

Posts: 1481041213

View Profile Personal Message (Offline)

Ignore
1481041213
Reply with quote  #2

1481041213
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
chsados
Hero Member
*****
Offline Offline

Activity: 652



View Profile
June 03, 2012, 07:17:41 PM
 #162


30 May 23:30: We're going to proceed with payouts of the few people we have verified hopefully tomorrow for 80% of their claims (the remaining 20% will be refunded later). A more lengthy process will be applied to everyone else.


Have these "few people" gotten paid yet?

Genjix - I had a measly $11 in bitcoinica all transfered via mtgoxUSD code.  It should be very easy to confirm this shouldn't it?  Has MtGox been willing to cooperate?   I'm starting to get annoyed in the lack of updates/ no response from verify@bitcoinica.com, and the fact that we got to come to a forum to get any type of news.  I understand I am not a user with thousands of dollars tied up and they may take precedence.   But this is just starting to get redonkulous.  

bitlane
Internet detective
Sr. Member
****
Offline Offline

Activity: 462


I heart thebaron


View Profile
June 03, 2012, 07:25:29 PM
 #163

Just take this into consideration....then compare it to what the story changes to by the time this gets taken care of.

Remember, only 20% of total BTC was stolen as noted below...NO OTHER CURRENCY AT RISK, so there shouldn't be any reason for everything NOT to get paid back 100%.

Out of that remaining 80%, I would hope there are enough profits to cover the stolen 20%.....or so one would think.

Quote
We have over 80% of our Bitcoins in offline wallets at the moment before the attack. We had to keep a large balance because the withdrawals are huge!
https://bitcointalk.org/index.php?topic=81045.msg894305#msg894305

If zhoutong was being completely upfront (perhaps why he was shunned by the 'powers that be') then the Bitcoinica Consultancy shouldn't be out of pocket any more than say, 10% total at worst ?

ssaCEO
Hero Member
*****
Offline Offline

Activity: 568



View Profile WWW
June 03, 2012, 07:36:29 PM
 #164

Just take this into consideration....then compare it to what the story changes to by the time this gets taken care of.

Remember, only 20% of total BTC was stolen as noted below...NO OTHER CURRENCY AT RISK, so there shouldn't be any reason for everything NOT to get paid back 100%.

Out of that remaining 80%, I would hope there are enough profits to cover the stolen 20%.....or so one would think.

Quote
We have over 80% of our Bitcoins in offline wallets at the moment before the attack. We had to keep a large balance because the withdrawals are huge!
https://bitcointalk.org/index.php?topic=81045.msg894305#msg894305

If zhoutong was being completely upfront (perhaps why he was shunned by the 'powers that be') then the Bitcoinica Consultancy shouldn't be out of pocket any more than say, 10% total at worst ?

I do, A. And moreover, what was in USD should never have been online at all.
The more likely explanation was that they had a major position in the market when they were hacked, and were leveraging all their customer funds. Or that the hack was an inside job and the plan was to use a mere $90k theft to cover $1M+ in vanished money.
The difference here is that the money that vanished was not all in Bitcoin, so the story doesn't hold up.

Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
June 03, 2012, 07:38:08 PM
 #165

Just going to leave this here, where it will get more eyes watching it Wink
Well bitlane, I like you so I'll leave you some leads for you to follow...

You can see in this IRC log that BitcoinicaHacker used the usernames B1tcoinz and ageis on IRC http://ibot.rikers.org/20120521.html.gz

Looking for ageis on IRC logs I found some on #postfix IRC channel, which isn't much surprising, given that the dude used an exploited mailserver to pawn Bitcoinica and he's asking questions about, get ready, SASL and authentication stuff.
http://echelog.com/logs/browse/postfix/1321657200
http://echelog.com/logs/browse/postfix/1321743600

Also found an ageis on the IRC Bitcoin dev channel:
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/09/1
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/14/1
And the following that I found on #bitcoin-dev tells me that he's the same ageis on the #postfix
Quote
03:08    ageis kevin@ageispolis.net

Keep digging...
Every human makes mistakes and this dude is nothing else but human.

Now, if this helps to catch the guy, I want 10k BTC of reward lol

bitlane
Internet detective
Sr. Member
****
Offline Offline

Activity: 462


I heart thebaron


View Profile
June 03, 2012, 07:46:02 PM
 #166

The difference here is that the money that vanished was not all in Bitcoin, so the story doesn't hold up.

My point exactly. THEY FUCKED UP....and this 'theft' is nothing more than an 'opportunity'......

Atleast they still 'have' ~75,000 BTC in offline storage, as was stated by ZT....with the theft being the 20% amount of total that is.

coinjedi
Full Member
***
Offline Offline

Activity: 184



View Profile WWW
June 03, 2012, 07:47:01 PM
 #167

Just going to leave this here, where it will get more eyes watching it Wink
Well bitlane, I like you so I'll leave you some leads for you to follow...

You can see in this IRC log that BitcoinicaHacker used the usernames B1tcoinz and ageis on IRC http://ibot.rikers.org/20120521.html.gz

Looking for ageis on IRC logs I found some on #postfix IRC channel, which isn't much surprising, given that the dude used an exploited mailserver to pawn Bitcoinica and he's asking questions about, get ready, SASL and authentication stuff.
http://echelog.com/logs/browse/postfix/1321657200
http://echelog.com/logs/browse/postfix/1321743600

Also found an ageis on the IRC Bitcoin dev channel:
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/09/1
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/14/1
And the following that I found on #bitcoin-dev tells me that he's the same ageis on the #postfix
Quote
03:08    ageis kevin@ageispolis.net

Keep digging...
Every human makes mistakes and this dude is nothing else but human.

Now, if this helps to catch the guy, I want 10k BTC of reward lol

I think we should be extremely careful not to turn this into an baseless witch hunt.  But in case somebody wants to contact I think this seems to be the person you are trying to reach:
https://plus.google.com/116237107120834353559/posts

Bets of Bitcoin
http://betsofbitco.in/
bitlane
Internet detective
Sr. Member
****
Offline Offline

Activity: 462


I heart thebaron


View Profile
June 03, 2012, 08:08:16 PM
 #168

Sub  Shocked

Naughty...

Are you an Intersango sock puppet ?

Hello all,
I'll be incorporating here in the UK and setting up bank accounts in England to accept sterling and Ireland to accept Euros. There doesn't seem to be any easy way accept US dollars without substantial wire fees.

...sorry. Had to ask.

rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
June 03, 2012, 08:11:09 PM
 #169

psy, I don't think ageis is the guy you are looking for. Just sayin'.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
June 03, 2012, 08:30:54 PM
 #170

psy, I don't think ageis is the guy you are looking for. Just sayin'.

Then I guess he will have no problem explaining to us what does this mean
Code:
08:09.44 *** ageis materializes into BitcoinicaHacker
08:09.46 *** BitcoinicaHacker materializes into ageis
08:15.44 *** ageis materializes into B1tcoinz
08:15.51 *** B1tcoinz materializes into ageis
http://ibot.rikers.org/20120521.html.gz

Also:

Last post from him here in the forum: on: April 18, 2012, 12:06:25 AM
https://bitcointalk.org/index.php?topic=76239.msg855980#msg855980

Now for the final touch: https://bitcointalk.org/index.php?action=profile;u=44466
Name:    ageisp0lis
Posts:    11
Position:    Jr. Member
Date Registered:    October 22, 2011, 02:03:34 AM
Last Active:    May 21, 2012, 08:47:58 AM

The same day of that IRC log, 30min after the username mess he made on IRC. How convenient lol

fivebells
Sr. Member
****
Offline Offline

Activity: 462


View Profile
June 03, 2012, 09:03:58 PM
 #171

Anyone heard from Patrick Strateman since this happened?  Anyone know him personally?  It would be interesting to hear his take on how it went down.
genjix
Legendary
*
Offline Offline

Activity: 1232


View Profile
June 03, 2012, 09:22:57 PM
 #172

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.
zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490


View Profile WWW
June 03, 2012, 09:39:53 PM
 #173

For these reasons, I personally will never use Rackspace Cloud again unless they address all of these issues. AWS is way more secure than them.

But that's still no excuse for not having offline backups. If you weren't online to notice the unauthorized rackspace session, the Rackspace admin "delete servers" bug (unable to disable) would still be an unknown bug/feature.

As for AWS, remember last year when bitomat.pl lost 17k BTC (iirc) in the blink of an eye when their AWS VPS was rebooted? MtGox bought them out and gauranteed depositor funds.

Don't trust a "cloud". (this is opposed to: first I trusted Linode, then I trusted Rackspace, and after getting burnt by Rackspace I finally decided to trust Amazon Web Services). Live and learn.

We have off-site backups in a different DC. It's managed by Rackspace.

If the server crashed, we have no problems of recovering. There are a lot of backups of all our main servers. It's just that these backups were deleted by the hacker.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
dancingnancy
Sr. Member
****
Offline Offline

Activity: 407


View Profile
June 03, 2012, 09:52:39 PM
 #174

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

Do you mean there will be another claim form to fill out, or are you just speaking about finalizing the current one?
zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490


View Profile WWW
June 03, 2012, 09:57:59 PM
 #175

For these reasons, I personally will never use Rackspace Cloud again unless they address all of these issues. AWS is way more secure than them.

Some guys have the fate of repeating the same mistakes over and over and over again. Roll Eyes


As I said, I won't engage in Bitcoin-related projects in the foreseeable future, you shouldn't assume that I'm going to operate a hot wallet in AWS.

I can't afford a scalable solution that gives me the same reliability for a bootstrapped startup. All financial transactions will be handled by payment gateways who will be responsible for their own security. Apart from that, no money is involved so I just want to consider scalability, performance, availability and cost. For me, I think AWS's EC2 instance with Load Balancer handling SSL termination (can't be DDOS'd) + RDS with snapshots and binary logs recoverable to 5 minutes ago are more than enough for me.

Most people choose to outsource security, it's just that in Bitcoin world everything is DIY.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
repentance
Hero Member
*****
Offline Offline

Activity: 840


View Profile
June 03, 2012, 10:38:27 PM
 #176

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

That's a bit confusing.  If all that was lost was 20% of Bitcoins on hand it should have been possible to pay everyone out 80% (the initial round of payouts) without receiving funds from Tihan - additional capital should only have been required to replace the lost Bitcoins.  You should have still been in possession of 100% of USD and 100% of Mt Gox deposits.  Or were you still waiting on capital to enable you to replace Bitcoins which were lost in the Linode intrusion as well as additional funds to cover the most recent loss?

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
bitcoinBull
Legendary
*
Offline Offline

Activity: 826


rippleFanatic


View Profile
June 03, 2012, 10:42:11 PM
 #177

We have off-site backups in a different DC. It's managed by Rackspace.

If the server crashed, we have no problems of recovering. There are a lot of backups of all our main servers. It's just that these backups were deleted by the hacker.

I meant data center of a different company (a different admin panel with a different password, and an append-only configuration). That's what provides a level of actual redudancy. Using a cloud service from one company protects you if a truck crashes into one of their data centers, but offers zero protection if someone gets your admin password!

I can't afford a scalable solution that gives me the same reliability for a bootstrapped startup.

Not anymore you can't!

You can make backups for cheap (backups aren't accessed, so they don't scale with the rest of the site).

All financial transactions will be handled by payment gateways who will be responsible for their own security. Apart from that, no money is involved so I just want to consider scalability, performance, availability and cost. For me, I think AWS's EC2 instance with Load Balancer handling SSL termination (can't be DDOS'd) + RDS with snapshots and binary logs recoverable to 5 minutes ago are more than enough for me.

Most people choose to outsource security, it's just that in Bitcoin world everything is DIY.

I'm not going to use your domain service or any other zhoutong "cloud" service because its clear that you don't have plan B (contingencies). What happens when someone deletes your AWS instances and its snapshots and logs? Has the thought even crossed your mind to try and see if its possible on the AWS admin panel?

Its a truism that at the basic level, security can't be outsourced. You have to trust someone eventually (unfortunately for us, you happened to trust bitcoin consultancy), but catastrophes can only be averted by good planning.

College of Bucking Bulls Knowledge
genjix
Legendary
*
Offline Offline

Activity: 1232


View Profile
June 03, 2012, 11:25:16 PM
 #178

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

That's a bit confusing.  If all that was lost was 20% of Bitcoins on hand it should have been possible to pay everyone out 80% (the initial round of payouts) without receiving funds from Tihan - additional capital should only have been required to replace the lost Bitcoins.  You should have still been in possession of 100% of USD and 100% of Mt Gox deposits.  Or were you still waiting on capital to enable you to replace Bitcoins which were lost in the Linode intrusion as well as additional funds to cover the most recent loss?

We don't hold the funds.

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

Do you mean there will be another claim form to fill out, or are you just speaking about finalizing the current one?

Finalising the current one for internal (staff) usage. We need to track the payments we make more accurately for book keeping.
BadBitcoin (James Sutton)
Donator
Sr. Member
*
Offline Offline

Activity: 451



View Profile
June 03, 2012, 11:53:03 PM
 #179

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

That's a bit confusing.  If all that was lost was 20% of Bitcoins on hand it should have been possible to pay everyone out 80% (the initial round of payouts) without receiving funds from Tihan - additional capital should only have been required to replace the lost Bitcoins.  You should have still been in possession of 100% of USD and 100% of Mt Gox deposits.  Or were you still waiting on capital to enable you to replace Bitcoins which were lost in the Linode intrusion as well as additional funds to cover the most recent loss?

We don't hold the funds.

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

Do you mean there will be another claim form to fill out, or are you just speaking about finalizing the current one?

Finalising the current one for internal (staff) usage. We need to track the payments we make more accurately for book keeping.

sounds good genjix, let us know if theres anything else we need to fill out, I have some stuff I want to buy D:

Take a look at my  machine learning/economics/engineering blog!
www.learningann.wordpress.com
ssaCEO
Hero Member
*****
Offline Offline

Activity: 568



View Profile WWW
June 04, 2012, 12:15:42 AM
 #180

We don't hold the funds.

Then WHO HAS ALL THE USD?

And when will you respond to emails? I want to know if my account is among the claims being processed. It's not like I say to my customers "oh sorry, can't give you your money back, Bitcoinica stole it". No. I have to pay it out of my own pocket. But I can tell them, "Bitcoinica stole your money. I was dumb enough to leave your USD with them. That would be Patrick, Zhou, Tihan, and everyone else related to that project. They say they got robbed for 18K BTC, and then all their USD magically disappeared at the same time. If you ever see anything else they do, make sure to avoid it like the plague. Now I'm paying this money personally back to you on their behalf. Hopefully they'll reimburse me, but I doubt it since they haven't responded to a single one of my emails."

Pages: « 1 2 3 4 5 6 7 8 [9] 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 ... 82 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!