Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 155938 times)
repentance | Hero Member | Activity: 868 | Merit: 1000 | July 24, 2012, 12:44:38 AM | #681

Quote
Was the 12 July master password change after the hack (hack was announced on 13 July)?

It's concerning that anyone would revert the password.

It should be. I can't answer with definite answers because I didn't change it.

It's concerning because an email account with admin rights of the entire Google Apps domain and also the domain name itself is stored in LastPass. The hacker can easily remove any critical email notifications by changing the settings of the mailing list info@bitcoinica.com.

Was the 12 July password change done by one of the principals after the hack or by the hacker?  (The 0.0.0.0 IP would make sense if the LastPass account owners got LastPass to revert a password which had been changed without authorisation).  

Honestly, at this point the only smart thing to assume is that the credentials for absolutely everything have been compromised and to lock everything down.

Was LastPass Premium being used, or the free version?

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
zhoutong | VIP, Hero Member | Activity: 490 | Merit: 502 | July 24, 2012, 12:59:37 AM | #682

I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.

Quote
From my understanding, it doesn't matter if the hacker didn't log into a LastPass account. That's because API key is the same password for a MtGox account.

No. The Mt. Gox account is stored in the LastPass. It's a different password.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
repentance | Hero Member | Activity: 868 | Merit: 1000 | July 24, 2012, 01:07:47 AM | #683

Quote
That's because API key is the same password for a MtGox account.

My understanding is that the API key was also the password to the LastPass account - which contained the password for the MtGox account, among other things.

It's possible sensitive information other than passwords was stored in the LastPass account, too.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
koin | Legendary | Activity: 873 | Merit: 1000 | July 24, 2012, 01:14:48 AM | #684

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

you resigned from the company yet continue to access company accounts?
Bitcoin Oz | Hero Member | Activity: 686 | Merit: 500 | July 24, 2012, 01:16:36 AM | #685

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

you resigned from the company yet continue to access company accounts?


 Lips sealed


repentance | Hero Member | Activity: 868 | Merit: 1000 | July 24, 2012, 01:21:43 AM | #686

How many Bitcoiners are now trying to log into the LastPass account using the API key?

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
Bitcoin Oz | Hero Member | Activity: 686 | Merit: 500 | July 24, 2012, 01:22:10 AM | #687

Quote
How many Bitcoiners are now trying to log into the LastPass account using the API key?

All of them ?

stochastic | Hero Member | Activity: 532 | Merit: 500 | July 24, 2012, 01:28:37 AM | #688

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

you resigned from the company yet continue to access company accounts?

Lips sealed



A clue?

Introducing constraints to the economy only serves to limit what can be economical.
repentance | Hero Member | Activity: 868 | Merit: 1000 | July 24, 2012, 01:35:45 AM | #689

I don't understand why the LastPass account wasn't nuked as soon as it became known it was compromised.  All of the passwords it contained should have been changed anyway and the new passwords stored somewhere totally unrelated to the LastPass account.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
zhoutong | VIP, Hero Member | Activity: 490 | Merit: 502 | July 24, 2012, 01:36:58 AM | #690

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

you resigned from the company yet continue to access company accounts?


The username and password are public knowledge. I tried it for fun. I didn't see any records.

EDIT: I resigned from the company and they still charge my credit cards. And they haven't deleted my email access (and I can't delete myself).  They haven't even responded to the resignation.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
Bitcoin Oz | Hero Member | Activity: 686 | Merit: 500 | July 24, 2012, 02:56:31 AM | #691

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

you resigned from the company yet continue to access company accounts?

The username and password are public knowledge. I tried it for fun. I didn't see any records.

EDIT: I resigned from the company and they still charge my credit cards. And they haven't deleted my email access (and I can't delete myself). They haven't even responded to the resignation.

What the actual fuck.

LoupGaroux | Sr. Member | Activity: 574 | Merit: 250 | July 24, 2012, 03:34:38 AM (last edit: July 24, 2012, 11:46:13 PM by LoupGaroux) | #692

So Zhou, who had almost exonerated himself by showing lots of good faith information distribution to the victims of his incompetence and his partner's lies and obfuscation, admits that while he "doesn't work for them" and "hasn't had access since 2011" is still able to log into company accounts after two to four ownership changes?

Believe that?

And the entire brain trust behind the acquisition of Bitcoinica, in whatever uber venture capitalist/hostile takeover/white hat rescue ranger configuration they used pulled off stealing the company away from the minor that was running it on the basis of their vastly superior security protocols and ability to prevent the very technique used to allegedly steal from them 6 months after they announced their brilliant level of talent to change the entire Bitcoinica world.

Believe that?

And somehow there is a master hacker who can correctly guess an API key password to one single account within 5 tries, steals thousands of dollars in both bitcoin AND US dollars, that he is able to mask from the block chain, AND doesn't have the common sense to change the password or leave a back door so he can come back and clean out the rest of their account?

Believe that?

And that this wunder-kind hackzor, who can defeat lengthy random digit passwords, only chooses to violate one single account after successfully entering Mt. Gox? And doesn't touch a single dime other than the funds ear-marked for restitution to the folks fleeced by Zhou and his magic pyramid machine?

Believe that?

Why do we have cancer, hunger, losing football teams, sub-Saharan droughts and famine when there is pure genius like that on this planet? Seriously now, this amazing hacker would be able to solve pretty much any crisis or need just by blinking and twitching his nose they would have us believe.

Or we can call nonsense when we see it. You insult us by throwing out the same bullshit story. You stole the money.
stochastic | Hero Member | Activity: 532 | Merit: 500 | July 24, 2012, 03:38:13 AM | #693

Quote
So Zhou, who had almost exonerated himself by showing lots of good faith information distribution to the victims of his incompetence and his partner's lies and obfuscation, admits that while he "doesn't work for them" and "hasn't had access since 2011" is still able to log into company accounts after two to four ownership changes?

Believe that?

And the entire brain trust behind the acquisition of Bitcoinica, in whatever uber venture capitalist/hostile takeover/white hat rescue ranger configuration they used pulled off stealing the company away from the minor that was running it on the basis of their vastly superior security protocols and ability to prevent the very technique used to allegedly steal from them 6 months after they announced their brilliant level of talent to change the entire Bitcoinica world.

Believe that?

And somehow there is a master hacker who can correctly guess an API key password to one single account within 5 tries, steals thousands of dollars in both bitcoin AND US dollars, that he is able to mask from the block chain, AND doesn't have the common sense to change the password or leave a back door so he can come back and clean out the rest of their account?

Believe that?

And that this wunder-kind hackzor, who can defeat lengthy random digit passwords, only chooses to violate one single account after successfully entering Mt. Gox? And doesn't touch a single dime other than the funds ear-marked for restitution to the folks fleeced by Zhou and his magic pyramid machine?

Believe that?

Why do we have cancer, hunger, losing football teams, sub-Saharan droughts and famine when there is pure genius like that on this planet? Seriously now, this amazing hacker would be able to solve pretty much any crisis or need just by blinking and twitching his nose they would have us believe.

Or we can call nonsense when we see it. You insult us by throwing out the same bullshit story. You stole the money.

With you.

Why do many stores ask to see their customers' receipts before leaving the store? So they can check their employees' things, because businesses lose more money to employee theft than to customers.

Introducing constraints to the economy only serves to limit what can be economical.
rjk | Sr. Member | Activity: 448 | Merit: 250 | July 24, 2012, 03:45:17 AM | #694

Quote
So Zhou, who had almost exonerated himself by showing lots of good faith information distribution to the victims of his incompetence and his partner's lies and obfuscation, admits that while he "doesn't work for them" and "hasn't had access since 2011" is still able to log into company accounts after two to four ownership changes?

Believe that?

And the entire brain trust behind the acquisition of Bitcoinica, in whatever uber venture capitalist/hostile takeover/white hat rescue ranger configuration they used pulled off stealing the company away from the minor that was running it on the basis of their vastly superior security protocols and ability to prevent the very technique used to allegedly steal from them 6 months after they announced their brilliant level of talent to change the entire Bitcoinica world.

Believe that?

And somehow there is a master hacker who can correctly guess an API key password to one single account within 5 tries, steals thousands of dollars in both bitcoin AND US dollars, that he is able to mask from the block chain, AND doesn't have the common sense to change the password or leave a back door so he can come back and clean out the rest of their account?

Believe that?

And that this wunder-kind hackzor, who can defeat lengthy random digit passwords, only chooses to violate one single account after successfully entering Mt. Gox? And doesn't touch a single dime other than the funds ear-marked for restitution to the folks fleeced by Zhou and his magic pyramid machine?

Believe that?

Why do we have cancer, hunger, losing football teams, sub-Saharan droughts and famine when there is pure genius like that on this planet? Seriously now, this amazing hacker would be able to solve pretty much any crisis or need just by blinking and twitching his nose they would have us believe.

Or we can call nonsense when we see it. You insult us by throwing out the same bullshit story. You stole the money.

I'm not going to agree or disagree, but I will note down a few facts that you might not have been aware of.

First, the API key WAS the password for LastPass, and apparently still is (!).
Second, the withdrawal was done through the web interface and not via the API, because the MtGox password was stored in LastPass, which had its password supposedly compromised.
Third, the supposed breach did not occur until after the source code of Bitcoinica V1 was released.
Fourth, the source code contained the API key (which was used as the LastPass master password as per point 1).

The conclusion being drawn is that the source release with the password caused the breach.
In my opinion, this is believable, although extremely stupid (redact the source release, derp) and irresponsible (releasing something whose ownership is still disputed? Mega derp.)

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
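The credential chain rjk lays out above (published source -> API key -> LastPass master -> vault contents -> exchange, Google Apps and domain logins), together with repentance's point that rotated passwords must not go back into a vault that is itself compromised, modelled as a dependency graph. This is an added example, not code from the thread or from any of the companies named; every node name is an assumption chosen to mirror the posts.

```python
"""Blast radius and rotation order for a chained-credential compromise.

Constructed example: the nodes below model the chain described in the
thread. Node names are illustrative, not real credentials.
"""
from collections import deque

# Edge A -> B: possession of A yields B (a reused password, a vault entry,
# or a login to a system). Built from the thread's description; assumed names.
GRANTS = {
    "bitcoinica_v1_source": {"mtgox_api_key"},          # key embedded in released code
    "mtgox_api_key": {"mtgox_api", "lastpass_master"},  # same string reused as master pw
    "lastpass_master": {"lastpass_vault"},
    "lastpass_vault": {"mtgox_password", "google_apps_admin", "registrar_login"},
    "mtgox_password": {"mtgox_web"},
    "google_apps_admin": {"info_mailing_list"},         # can silence notifications
    "registrar_login": {"dns_records"},
}

# Nodes that are rotatable secrets (as opposed to the systems they unlock).
SECRETS = {"mtgox_api_key", "lastpass_master", "mtgox_password",
           "google_apps_admin", "registrar_login"}


def blast_radius(grants, leaked):
    """Every node reachable from the leaked set: treat all of it as compromised."""
    seen, queue = set(), deque(leaked)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(grants.get(node, ()))
    return seen - set(leaked)


def reuse_links(grants, secrets=SECRETS):
    """Direct secret-to-secret edges, i.e. one credential doubling as another."""
    return sorted((a, b) for a in secrets for b in grants.get(a, ()) if b in secrets)


def rotation_order(grants, compromised, secrets=SECRETS):
    """Rotate upstream secrets before the ones they can read (Kahn's algorithm
    restricted to the compromised subgraph). Rotating a vault entry before the
    vault master just hands the attacker the new value."""
    indeg = {n: 0 for n in compromised}
    for n in compromised:
        for m in grants.get(n, ()):
            if m in indeg:
                indeg[m] += 1
    ready = sorted(n for n, d in indeg.items() if d == 0)
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in sorted(grants.get(n, ())):
            if m in indeg:
                indeg[m] -= 1
                if indeg[m] == 0:
                    ready.append(m)
    return [n for n in order if n in secrets]


if __name__ == "__main__":
    hit = blast_radius(GRANTS, {"bitcoinica_v1_source"})
    print("compromised:", sorted(hit))
    print("password reuse:", reuse_links(GRANTS))
    print("rotate in this order:", rotation_order(GRANTS, hit))
```

Run as-is it reports that one leaked source tree reaches every node in the graph, flags the API-key/master-password reuse edge as the root cause, and orders the master password before the vault entries.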
Clipse | Hero Member | Activity: 504 | Merit: 502 | July 24, 2012, 04:08:11 AM | #695

Here is my ultimate nail in this obvious scam.

Bitcoinica is now managed by Intersango guys, but they somehow decide to move the refundable coins/USD over to their biggest competitor MTGOX.

Why didn't they move the funds over to their own exchange for safekeeping? Is this perhaps their way of distorting progress by getting another exchange involved in this mess? Hell only knows.

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
Bitcoin Oz | Hero Member | Activity: 686 | Merit: 500 | July 24, 2012, 04:15:29 AM | #696

Quote
Here is my ultimate nail in this obvious scam.

Bitcoinica is now managed by Intersango guys, but they somehow decide to move the refundable coins/USD over to their biggest competitor MTGOX.

Why didn't they move the funds over to their own exchange for safekeeping? Is this perhaps their way of distorting progress by getting another exchange involved in this mess? Hell only knows.

They wouldn't want to tarnish the security record of Intersango, of course, by stealing from their own exchange  Smiley

RicePicker | Full Member | Activity: 216 | Merit: 100 | July 24, 2012, 04:17:15 AM | #697

Quote
So Zhou, who had almost exonerated himself by showing lots of good faith information distribution to the victims of his incompetence and his partner's lies and obfuscation, admits that while he "doesn't work for them" and "hasn't had access since 2011" is still able to log into company accounts after two to four ownership changes?

Believe that?

And the entire brain trust behind the acquisition of Bitcoinica, in whatever uber venture capitalist/hostile takeover/white hat rescue ranger configuration they used pulled off stealing the company away from the minor that was running it on the basis of their vastly superior security protocols and ability to prevent the very technique used to allegedly steal from them 6 months after they announced their brilliant level of talent to change the entire Bitcoinica world.

Believe that?

And somehow there is a master hacker who can correctly guess an API key password to one single account within 5 tries, steals thousands of dollars in both bitcoin AND US dollars, that he is able to mask from the block chain, AND doesn't have the common sense to change the password or leave a back door so he can come back and clean out the rest of their account?

Believe that?

And that this wunder-kind hackzor, who can defeat lengthy random digit passwords, only chooses to violate one single account after successfully entering Mt. Gox? And doesn't touch a single dime other than the funds ear-marked for restitution to the folks fleeced by Zhou and his magic pyramid machine?

Believe that?

Why do we have cancer, hunger, losing football teams, sub-Saharan droughts and famine when there is pure genius like that on this planet? Seriously now, this amazing hacker would be able to solve pretty much any crisis or need just by blinking and twitching his nose they would have us believe.

Or we can call nonsense when we see it. You insult us by throwing out the same bullshit story. You stole the money.

The problem with you stating that zhoutong stole the money is that he was the one proposing that the operators of Bitcoinica return the funds immediately after the hacking. Even if zhoutong stole the money, you have to blame whoever was in charge of the claim process for being so hesitant and delaying for so long. Just because everyone is frustrated about not receiving their funds because of Bitcoinica's bullshit owners and their lack of updates, stop blaming people that are actually communicating with us. The only people I am blaming for this hack are the hacker, everyone on the Intersango team for their incompetence, and the suspects for the stolen funds.

Everyone is entitled to their own opinion. It's just that yours is stupid! =D
kiba | Legendary | Activity: 980 | Merit: 1014 | July 24, 2012, 04:19:49 AM | #698

Quote
They wouldn't want to tarnish the security record of Intersango, of course, by stealing from their own exchange  Smiley

Don't matter. Their reputation is ruined.

kiba | Legendary | Activity: 980 | Merit: 1014 | July 24, 2012, 04:26:48 AM | #699

Here is my ultimate nail in this obvious scam.

A real scam would have the team running away real fast to avoid capture from the police. However, their names and faces are known and they are not running away. At least one individual even contributed code to the bitcoin codebase.

Quote
Bitcoinica is now managed by Intersango guys, but they somehow decide to move the refundable coins/USD over to their biggest competitor MTGOX.

Why didn't they move the funds over to their own exchange for safekeeping? Is this perhaps their way of distorting progress by getting another exchange involved in this mess? Hell only knows.

The intersango team didn't keep the fund, Tihan did, and he did it in the worst possible way you can. Stupidity is easier than intelligent actions.

Clipse | Hero Member | Activity: 504 | Merit: 502 | July 24, 2012, 04:33:38 AM | #700

Quote
Here is my ultimate nail in this obvious scam.

A real scam would have the team running away real fast to avoid capture from the police. However, their names and faces are known and they are not running away. At least one individual even contributed code to the bitcoin codebase.

Quote
Bitcoinica is now managed by Intersango guys, but they somehow decide to move the refundable coins/USD over to their biggest competitor MTGOX.

Why didn't they move the funds over to their own exchange for safekeeping? Is this perhaps their way of distorting progress by getting another exchange involved in this mess? Hell only knows.

The intersango team didn't keep the fund, Tihan did, and he did it in the worst possible way you can. Stupidity is easier than intelligent actions.

That is a scam that wants people to chase them down.

Staying in public and handling this like idiots just creates an illusion that this all is just a huge fuckup and not something they(or one of them) decided to carry out.

This whole fiasco is a much better way to run a scam than to collect and run away.

Tihan noted in the pastebin post that he gave the funds to intersango guys who then had to distribute it to the users and this is where intersango seemingly moved the funds to mtgox which then got stolen or so they say.

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)