Bitcoin Forum
March 19, 2024, 10:26:19 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: « 1 2 3 4 5 6 7 8 [9] 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 ... 82 »
  Print  
Author Topic: [Payout Updates] Bitcoinica site is taken offline for security investigation  (Read 156623 times)
chsados
Hero Member
*****
Offline Offline

Activity: 662
Merit: 545



View Profile
June 03, 2012, 07:17:41 PM
 #161


30 May 23:30: We're going to proceed with payouts of the few people we have verified hopefully tomorrow for 80% of their claims (the remaining 20% will be refunded later). A more lengthy process will be applied to everyone else.


Have these "few people" gotten paid yet?

Genjix - I had a measly $11 in bitcoinica all transfered via mtgoxUSD code.  It should be very easy to confirm this shouldn't it?  Has MtGox been willing to cooperate?   I'm starting to get annoyed in the lack of updates/ no response from verify@bitcoinica.com, and the fact that we got to come to a forum to get any type of news.  I understand I am not a user with thousands of dollars tied up and they may take precedence.   But this is just starting to get redonkulous.  

Even in the event that an attacker gains more than 50% of the network's computational power, only transactions sent by the attacker could be reversed or double-spent. The network would not be destroyed.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1710843979
Hero Member
*
Offline Offline

Posts: 1710843979

View Profile Personal Message (Offline)

Ignore
1710843979
Reply with quote  #2

1710843979
Report to moderator
bitlane
Internet detective
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250


I heart thebaron


View Profile
June 03, 2012, 07:25:29 PM
 #162

Just take this into consideration....then compare it to what the story changes to by the time this gets taken care of.

Remember, only 20% of total BTC was stolen as noted below...NO OTHER CURRENCY AT RISK, so there shouldn't be any reason for everything NOT to get paid back 100%.

Out of that remaining 80%, I would hope there are enough profits to cover the stolen 20%.....or so one would think.

Quote
We have over 80% of our Bitcoins in offline wallets at the moment before the attack. We had to keep a large balance because the withdrawals are huge!
https://bitcointalk.org/index.php?topic=81045.msg894305#msg894305

If zhoutong was being completely upfront (perhaps why he was shunned by the 'powers that be') then the Bitcoinica Consultancy shouldn't be out of pocket any more than say, 10% total at worst ?

ssaCEO
Hero Member
*****
Offline Offline

Activity: 568
Merit: 500



View Profile WWW
June 03, 2012, 07:36:29 PM
 #163

Just take this into consideration....then compare it to what the story changes to by the time this gets taken care of.

Remember, only 20% of total BTC was stolen as noted below...NO OTHER CURRENCY AT RISK, so there shouldn't be any reason for everything NOT to get paid back 100%.

Out of that remaining 80%, I would hope there are enough profits to cover the stolen 20%.....or so one would think.

Quote
We have over 80% of our Bitcoins in offline wallets at the moment before the attack. We had to keep a large balance because the withdrawals are huge!
https://bitcointalk.org/index.php?topic=81045.msg894305#msg894305

If zhoutong was being completely upfront (perhaps why he was shunned by the 'powers that be') then the Bitcoinica Consultancy shouldn't be out of pocket any more than say, 10% total at worst ?

I do, A. And moreover, what was in USD should never have been online at all.
The more likely explanation was that they had a major position in the market when they were hacked, and were leveraging all their customer funds. Or that the hack was an inside job and the plan was to use a mere $90k theft to cover $1M+ in vanished money.
The difference here is that the money that vanished was not all in Bitcoin, so the story doesn't hold up.

Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1358
Merit: 1002



View Profile
June 03, 2012, 07:38:08 PM
 #164

Just going to leave this here, where it will get more eyes watching it Wink
Well bitlane, I like you so I'll leave you some leads for you to follow...

You can see in this IRC log that BitcoinicaHacker used the usernames B1tcoinz and ageis on IRC http://ibot.rikers.org/20120521.html.gz

Looking for ageis on IRC logs I found some on #postfix IRC channel, which isn't much surprising, given that the dude used an exploited mailserver to pawn Bitcoinica and he's asking questions about, get ready, SASL and authentication stuff.
http://echelog.com/logs/browse/postfix/1321657200
http://echelog.com/logs/browse/postfix/1321743600

Also found an ageis on the IRC Bitcoin dev channel:
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/09/1
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/14/1
And the following that I found on #bitcoin-dev tells me that he's the same ageis on the #postfix
Quote
03:08    ageis kevin@ageispolis.net

Keep digging...
Every human makes mistakes and this dude is nothing else but human.

Now, if this helps to catch the guy, I want 10k BTC of reward lol
bitlane
Internet detective
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250


I heart thebaron


View Profile
June 03, 2012, 07:46:02 PM
 #165

The difference here is that the money that vanished was not all in Bitcoin, so the story doesn't hold up.

My point exactly. THEY FUCKED UP....and this 'theft' is nothing more than an 'opportunity'......

Atleast they still 'have' ~75,000 BTC in offline storage, as was stated by ZT....with the theft being the 20% amount of total that is.

coinjedi
Full Member
***
Offline Offline

Activity: 184
Merit: 100



View Profile WWW
June 03, 2012, 07:47:01 PM
 #166

Just going to leave this here, where it will get more eyes watching it Wink
Well bitlane, I like you so I'll leave you some leads for you to follow...

You can see in this IRC log that BitcoinicaHacker used the usernames B1tcoinz and ageis on IRC http://ibot.rikers.org/20120521.html.gz

Looking for ageis on IRC logs I found some on #postfix IRC channel, which isn't much surprising, given that the dude used an exploited mailserver to pawn Bitcoinica and he's asking questions about, get ready, SASL and authentication stuff.
http://echelog.com/logs/browse/postfix/1321657200
http://echelog.com/logs/browse/postfix/1321743600

Also found an ageis on the IRC Bitcoin dev channel:
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/09/1
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/14/1
And the following that I found on #bitcoin-dev tells me that he's the same ageis on the #postfix
Quote
03:08    ageis kevin@ageispolis.net

Keep digging...
Every human makes mistakes and this dude is nothing else but human.

Now, if this helps to catch the guy, I want 10k BTC of reward lol

I think we should be extremely careful not to turn this into an baseless witch hunt.  But in case somebody wants to contact I think this seems to be the person you are trying to reach:
https://plus.google.com/116237107120834353559/posts

Bets of Bitcoin
http://betsofbitco.in/
bitlane
Internet detective
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250


I heart thebaron


View Profile
June 03, 2012, 08:08:16 PM
 #167

Sub  Shocked

Naughty...

Are you an Intersango sock puppet ?

Hello all,
I'll be incorporating here in the UK and setting up bank accounts in England to accept sterling and Ireland to accept Euros. There doesn't seem to be any easy way accept US dollars without substantial wire fees.

...sorry. Had to ask.

rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
June 03, 2012, 08:11:09 PM
 #168

psy, I don't think ageis is the guy you are looking for. Just sayin'.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1358
Merit: 1002



View Profile
June 03, 2012, 08:30:54 PM
Last edit: June 03, 2012, 08:43:10 PM by psy
 #169

psy, I don't think ageis is the guy you are looking for. Just sayin'.

Then I guess he will have no problem explaining to us what does this mean
Code:
08:09.44 *** ageis materializes into BitcoinicaHacker
08:09.46 *** BitcoinicaHacker materializes into ageis
08:15.44 *** ageis materializes into B1tcoinz
08:15.51 *** B1tcoinz materializes into ageis
http://ibot.rikers.org/20120521.html.gz

Also:

Last post from him here in the forum: on: April 18, 2012, 12:06:25 AM
https://bitcointalk.org/index.php?topic=76239.msg855980#msg855980

Now for the final touch: https://bitcointalk.org/index.php?action=profile;u=44466
Name:    ageisp0lis
Posts:    11
Position:    Jr. Member
Date Registered:    October 22, 2011, 02:03:34 AM
Last Active:    May 21, 2012, 08:47:58 AM

The same day of that IRC log, 30min after the username mess he made on IRC. How convenient lol
fivebells
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250


View Profile
June 03, 2012, 09:03:58 PM
 #170

Anyone heard from Patrick Strateman since this happened?  Anyone know him personally?  It would be interesting to hear his take on how it went down.
genjix (OP)
Legendary
*
Offline Offline

Activity: 1232
Merit: 1071


View Profile
June 03, 2012, 09:22:57 PM
 #171

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.
zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490
Merit: 502


View Profile WWW
June 03, 2012, 09:39:53 PM
 #172

For these reasons, I personally will never use Rackspace Cloud again unless they address all of these issues. AWS is way more secure than them.

But that's still no excuse for not having offline backups. If you weren't online to notice the unauthorized rackspace session, the Rackspace admin "delete servers" bug (unable to disable) would still be an unknown bug/feature.

As for AWS, remember last year when bitomat.pl lost 17k BTC (iirc) in the blink of an eye when their AWS VPS was rebooted? MtGox bought them out and gauranteed depositor funds.

Don't trust a "cloud". (this is opposed to: first I trusted Linode, then I trusted Rackspace, and after getting burnt by Rackspace I finally decided to trust Amazon Web Services). Live and learn.

We have off-site backups in a different DC. It's managed by Rackspace.

If the server crashed, we have no problems of recovering. There are a lot of backups of all our main servers. It's just that these backups were deleted by the hacker.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
dancingnancy
Hero Member
*****
Offline Offline

Activity: 661
Merit: 500


View Profile
June 03, 2012, 09:52:39 PM
 #173

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

Do you mean there will be another claim form to fill out, or are you just speaking about finalizing the current one?
zhoutong
VIP
Hero Member
*
Offline Offline

Activity: 490
Merit: 502


View Profile WWW
June 03, 2012, 09:57:59 PM
 #174

For these reasons, I personally will never use Rackspace Cloud again unless they address all of these issues. AWS is way more secure than them.

Some guys have the fate of repeating the same mistakes over and over and over again. Roll Eyes


As I said, I won't engage in Bitcoin-related projects in the foreseeable future, you shouldn't assume that I'm going to operate a hot wallet in AWS.

I can't afford a scalable solution that gives me the same reliability for a bootstrapped startup. All financial transactions will be handled by payment gateways who will be responsible for their own security. Apart from that, no money is involved so I just want to consider scalability, performance, availability and cost. For me, I think AWS's EC2 instance with Load Balancer handling SSL termination (can't be DDOS'd) + RDS with snapshots and binary logs recoverable to 5 minutes ago are more than enough for me.

Most people choose to outsource security, it's just that in Bitcoin world everything is DIY.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
repentance
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1000


View Profile
June 03, 2012, 10:38:27 PM
 #175

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

That's a bit confusing.  If all that was lost was 20% of Bitcoins on hand it should have been possible to pay everyone out 80% (the initial round of payouts) without receiving funds from Tihan - additional capital should only have been required to replace the lost Bitcoins.  You should have still been in possession of 100% of USD and 100% of Mt Gox deposits.  Or were you still waiting on capital to enable you to replace Bitcoins which were lost in the Linode intrusion as well as additional funds to cover the most recent loss?

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
bitcoinBull
Legendary
*
Offline Offline

Activity: 826
Merit: 1001


rippleFanatic


View Profile
June 03, 2012, 10:42:11 PM
 #176

We have off-site backups in a different DC. It's managed by Rackspace.

If the server crashed, we have no problems of recovering. There are a lot of backups of all our main servers. It's just that these backups were deleted by the hacker.

I meant data center of a different company (a different admin panel with a different password, and an append-only configuration). That's what provides a level of actual redudancy. Using a cloud service from one company protects you if a truck crashes into one of their data centers, but offers zero protection if someone gets your admin password!

I can't afford a scalable solution that gives me the same reliability for a bootstrapped startup.

Not anymore you can't!

You can make backups for cheap (backups aren't accessed, so they don't scale with the rest of the site).

All financial transactions will be handled by payment gateways who will be responsible for their own security. Apart from that, no money is involved so I just want to consider scalability, performance, availability and cost. For me, I think AWS's EC2 instance with Load Balancer handling SSL termination (can't be DDOS'd) + RDS with snapshots and binary logs recoverable to 5 minutes ago are more than enough for me.

Most people choose to outsource security, it's just that in Bitcoin world everything is DIY.

I'm not going to use your domain service or any other zhoutong "cloud" service because its clear that you don't have plan B (contingencies). What happens when someone deletes your AWS instances and its snapshots and logs? Has the thought even crossed your mind to try and see if its possible on the AWS admin panel?

Its a truism that at the basic level, security can't be outsourced. You have to trust someone eventually (unfortunately for us, you happened to trust bitcoin consultancy), but catastrophes can only be averted by good planning.

College of Bucking Bulls Knowledge
genjix (OP)
Legendary
*
Offline Offline

Activity: 1232
Merit: 1071


View Profile
June 03, 2012, 11:25:16 PM
 #177

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

That's a bit confusing.  If all that was lost was 20% of Bitcoins on hand it should have been possible to pay everyone out 80% (the initial round of payouts) without receiving funds from Tihan - additional capital should only have been required to replace the lost Bitcoins.  You should have still been in possession of 100% of USD and 100% of Mt Gox deposits.  Or were you still waiting on capital to enable you to replace Bitcoins which were lost in the Linode intrusion as well as additional funds to cover the most recent loss?

We don't hold the funds.

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

Do you mean there will be another claim form to fill out, or are you just speaking about finalizing the current one?

Finalising the current one for internal (staff) usage. We need to track the payments we make more accurately for book keeping.
BadBitcoin (James Sutton)
Donator
Sr. Member
*
Offline Offline

Activity: 452
Merit: 252



View Profile
June 03, 2012, 11:53:03 PM
 #178

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

That's a bit confusing.  If all that was lost was 20% of Bitcoins on hand it should have been possible to pay everyone out 80% (the initial round of payouts) without receiving funds from Tihan - additional capital should only have been required to replace the lost Bitcoins.  You should have still been in possession of 100% of USD and 100% of Mt Gox deposits.  Or were you still waiting on capital to enable you to replace Bitcoins which were lost in the Linode intrusion as well as additional funds to cover the most recent loss?

We don't hold the funds.

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

Do you mean there will be another claim form to fill out, or are you just speaking about finalizing the current one?

Finalising the current one for internal (staff) usage. We need to track the payments we make more accurately for book keeping.

sounds good genjix, let us know if theres anything else we need to fill out, I have some stuff I want to buy D:
ssaCEO
Hero Member
*****
Offline Offline

Activity: 568
Merit: 500



View Profile WWW
June 04, 2012, 12:15:42 AM
 #179

We don't hold the funds.

Then WHO HAS ALL THE USD?

And when will you respond to emails? I want to know if my account is among the claims being processed. It's not like I say to my customers "oh sorry, can't give you your money back, Bitcoinica stole it". No. I have to pay it out of my own pocket. But I can tell them, "Bitcoinica stole your money. I was dumb enough to leave your USD with them. That would be Patrick, Zhou, Tihan, and everyone else related to that project. They say they got robbed for 18K BTC, and then all their USD magically disappeared at the same time. If you ever see anything else they do, make sure to avoid it like the plague. Now I'm paying this money personally back to you on their behalf. Hopefully they'll reimburse me, but I doubt it since they haven't responded to a single one of my emails."

bulanula
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500



View Profile
June 04, 2012, 12:20:34 AM
 #180

We don't hold the funds.

Then WHO HAS ALL THE USD?

And when will you respond to emails? I want to know if my account is among the claims being processed. It's not like I say to my customers "oh sorry, can't give you your money back, Bitcoinica stole it". No. I have to pay it out of my own pocket. But I can tell them, "Bitcoinica stole your money. I was dumb enough to leave your USD with them. That would be Patrick, Zhou, Tihan, and everyone else related to that project. They say they got robbed for 18K BTC, and then all their USD magically disappeared at the same time. If you ever see anything else they do, make sure to avoid it like the plague. Now I'm paying this money personally back to you on their behalf. Hopefully they'll reimburse me, but I doubt it since they haven't responded to a single one of my emails."

No need to get angry mate. It doesn't reflect well on your business if you don't keep it civil.

I am sure they will pay it back ... at some point.

Anyone up for 4-6 weeks of waiting time Cheesy

The strangest issue is : why were the USD not paid back immediately ?

I understand the BTC issue is more delicate with an erased balance but the USD should be easy to source as none were stolen !?
Pages: « 1 2 3 4 5 6 7 8 [9] 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 ... 82 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!