
Topic: Bitcoinica MtGox account compromised - page 41. (Read 156012 times)

legendary
Activity: 1428
Merit: 1000
July 13, 2012, 04:21:13 AM
#10
you shouldn't be trusted with money anymore.

you claim you are security experts and didn't lock all api keys? are you kidding me?

why didn't you just move it to another account?
why didn't you revoke all api access? - i see no need for it as bitcoinica is OFFLINE

btw: I don't really care about that theft.
It's just another story why we should wait for OUR money and why we should be nice to you.
legendary
Activity: 1372
Merit: 1008
1davout
July 13, 2012, 04:15:31 AM
#9
You had 40K BTC or more in Mt. Gox and weren't using a YubiKey or TOTP/Google Authenticator?  Seriously?
The theft was authenticated using an API token that doesn't require a second authentication factor.
That's by design, otherwise APIs wouldn't be able to work in an automated fashion.

On the other hand, you can set specific constraints on what the API can do (if you authenticate with an API token you do not necessarily have the same access rights/limits as the ones you have when authenticating with a username+password+2nd factor).

EDIT : Oh wait, I misread, it indeed went through the username+password authentication. I don't have words to describe the sheer amounts of fail this represents and how easily it could have been prevented.
legendary
Activity: 2940
Merit: 1090
July 13, 2012, 04:15:21 AM
#8
Seems like each instance of criminal negligence (or conscious conspiracy with thieves or whatever the exact crime turns out to be) ends up back at this Tihan character then eh?

-MarkM-
sr. member
Activity: 250
Merit: 250
July 13, 2012, 04:14:40 AM
#7
Erm wtf?? This script is playing out like some retarded Hollywood spy film plot.

Thank god I only had 15 BTC in this joke of a site...
hero member
Activity: 868
Merit: 1000
July 13, 2012, 04:12:18 AM
#6
I'm glad I had 0 money on Bitcoinica; those who had substantial funds there, I'm sure, are not that happy.

There's much that could be said about the current Bitcoinica situation, but I'm pretty sure anything that I could say would not cause more harmony in the community, so I keep my mouth shut!
legendary
Activity: 2506
Merit: 1010
July 13, 2012, 04:12:00 AM
#5
This has resulted in the loss of one third of all the Bitcoinica money which has been stolen from MtGox. (40k BTC / 40K USD - the mtgox daily limits)

You had 40K BTC / $40K USD or more in Mt. Gox and weren't using a YubiKey or TOTP/Google Authenticator?  Seriously?
legendary
Activity: 1372
Merit: 1008
1davout
July 13, 2012, 04:11:53 AM
#4
legendary
Activity: 1615
Merit: 1000
July 13, 2012, 04:09:48 AM
#3
I remained hopeful I'd see the BTC I had on Bitcoinica once more. Now, not so much.
donator
Activity: 1731
Merit: 1008
July 13, 2012, 04:02:54 AM
#2
legendary
Activity: 1232
Merit: 1076
July 13, 2012, 04:00:07 AM
#1
We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occurred because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.

LastPass contains all your passwords. The username was [email protected]. After the initial compromise, the sourcecode would have been tainted. But the password for LastPass was not changed.

The operators of Bitcoinica probably did not think to change it because they may have assumed that the LastPass password was not the same password as the MtGox API key. Such a flaw is a huge security breach. The original hacker could have compromised the funds on May 11th or any day thereafter.

Such security practices resulted in the initial theft. By the time we took over the claims process it was under information that the LastPass password was secure. This was in fact supposed to be the secure way the new passwords were communicated.

This has resulted in the loss of one third of all the Bitcoinica money which has been stolen from MtGox. (40k BTC and 40K USD - the mtgox daily limits)

While the initial hacker had the ability to cause this breach it is likely that it was not taken advantage of until many users had access to the sourcecode in a recent leak:

Code:
genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb
if Rails.env.production?
  MtGox.configure do |config|
    config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
    config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
  end
end
Sourcecode download link: http://depositfiles.com/files/2p6zvadzs

The LastPass password was set to the semi-public api key; this is very similar to using the username for one site as the password on another.

Whoever is responsible for the latest theft used the MtGox API key as a password in LastPass hoping that simple security measures were not followed in the setting up of the LastPass. They gained access to MtGox. They transferred a third of the refund money, presumably to themselves. Bitcoinica has had at least 5 major security breaches since its start. We had recommended that their codebase be entirely rewritten but were not aware of their security practices.

I'm starting to regret becoming embroiled with such a shoddy and badly secured site as Bitcoinica.

Edit: The API key was changed, but someone had a LastPass account with the same password as that, and was actively updating it with new passwords.

40k USD and 40k BTC were stolen (~350k USD).

For those who doubt we were not the GP, you can run 'git log' in the sourcecode. We had no responsibility to take on payments, but we did (and finalised the formation of Bitcoinica Consultancy to do so).  The payments process was looking good, but now Patrick has walked away and I'm unsure what happens next. The sourcecode illustrates the magnitude of the problems involved with Bitcoinica (passwords all over the source, bad design, flawed code).

We were not privy to all the problems when taking on Bitcoinica. Zhou was being paid $8000 a month for operating Bitcoinica in his part time while Tihan was scrambling to get the site working. During the last month, Zhou was not taking pay, to refund the money stolen by the Linode compromise. Tihan was rushing to get the paperwork finished because Zhou is attending school. We kept sending the paperwork back saying it's incomplete and there's problems, so when the initial compromise happened, the company was not yet fully formed. The initial confusion was over who is responsible as the GP - the part time owner devoting maybe 5 hours a week? The new owners who had no experience operating the site? The middleman who acts on behalf of the owner and has no technical knowledge? That's why payments were initially complicated and delayed.

I will post another update once I know more. I'm guessing that payments will have to take a forced 30% cut. This has cost everyone a lot of money, time and stress dealing with this mess. We are actively losing money from dealing with the payouts.

Update: here's the facts from my point of view:

- Patrick quit.
- Zhou quit.
- Tihan was fired, and no longer acting on behalf of Bitcoinica LP.
- Bitcoinica Consultancy were the new operators coming onboard, and the company was formed after the compromise to facilitate payments out.
- Bitcoinica LP is the owner.

The payments process is at a deadlock. Technically when a company is in debt, and cannot pay off its debtors in full, it hands the process to the government (called receivership). Bitcoinica LP would have to make a police report, and hand over the payments process as the owners.

That's it basically. Just a standstill.

has anyone been paid out after the latest mtgox theft?

No.

Update 19th July: payments are still stuck at 38%. Considering that those are 50% payouts, that means a good 76% of the claims. That's not 76% of claimants, but 76% of the total funds.

However given that nobody is doing anything, I've been talking with some of the people with large claims. They've proposed helping take over the process with me. I suppose we need to get written consent that Bitcoinica Consultancy doesn't exist or that if it does that the members resign. This allows Bitcoinica LP to take over and hand the payouts process to us. Technically Bitcoinica LP owns the assets.
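The failure the post above describes is a reuse check that was never run: after the source leak, only the MtGox key itself was rotated, while the LastPass master password that equalled it was not. The following is an added example, not code from the thread or from Bitcoinica, showing how a defender would build the rotation list after a leak: extract every quoted value from the leaked Rails initializer and flag any account in a credential inventory whose password equals one of those values, even if the leaked value has already been replaced at its original service. The initializer text and the inventory are constructed with placeholder values.

```python
import re
from typing import Dict, List

# Constructed sample: an initializer of the same shape as the leaked
# mtgox_credentials.rb, with placeholder values instead of real secrets.
SAMPLE_INITIALIZER = """
if Rails.env.production?
  MtGox.configure do |config|
    config.key = "PLACEHOLDER-API-KEY-0000"
    config.secret = 'PLACEHOLDER-SECRET-BASE64=='
  end
end
"""

# Constructed sample credential inventory: account label -> current password.
# The API key was already rotated at the exchange, but the password-manager
# master password still equals the leaked key, which is the reuse to catch.
SAMPLE_INVENTORY = {
    "mtgox-api-key": "PLACEHOLDER-API-KEY-0000",
    "lastpass-master": "PLACEHOLDER-API-KEY-0000",
    "linode-console": "an-unrelated-long-passphrase",
}

# Matches `config.<name> = "..."` or `config.<name> = '...'` in a Ruby block;
# group 2 is the quote character so the closing quote must match the opening one.
SECRET_ASSIGN = re.compile(r"""config\.(\w+)\s*=\s*(["'])(.*?)\2""")


def extract_secrets(source: str) -> Dict[str, str]:
    """Return {setting_name: quoted_value} for every config assignment in the leak."""
    return {m.group(1): m.group(3) for m in SECRET_ASSIGN.finditer(source)}


def rotation_list(source: str, inventory: Dict[str, str]) -> List[str]:
    """Every account whose password equals any leaked value must be rotated,
    regardless of whether that value has already been replaced at its own service."""
    leaked = set(extract_secrets(source).values())
    return sorted(label for label, pw in inventory.items() if pw in leaked)


if __name__ == "__main__":
    for label in rotation_list(SAMPLE_INITIALIZER, SAMPLE_INVENTORY):
        print(f"rotate: {label}")
```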