Author

Topic: Bitcoinica security discussion from last years Hacker News. (Read 2146 times)

member
Activity: 64
Merit: 10
Being responsible for heaps of bitcoins is a very stressful thing.

FTFY Wink
legendary
Activity: 1372
Merit: 1008
1davout
Do you mean that because somebody compromised the servers, and was able to access your wallet.dat (with bitcoind), or some other security issues with bitcoind?
Being responsible for heaps of cash is a very stressful thing.
mrb
legendary
Activity: 1512
Merit: 1028
Stumbled over this interesting and somewhat ominous exchange from last year.

http://news.ycombinator.com/item?id=2973313

[...]

Ah well, hindsight is 20/20.  Undecided

This was foresight, not hindsight.

zhoutong, these comments were relevant. You had zero excuse for being confident about Bitcoinica's security. Even if you were not running a bitcoind or managing wallets. Your site managed financial accounts with real value behind them, therefore, regardless of the implementation, these attacks and thefts were meant to happen, given you had little to no experience securing a financial website. You were warned, but you did not listen.

That said, I wish you good luck to your future endeavors.
hero member
Activity: 812
Merit: 1006
This is quite irrelevant. When the service initially launched, we didn't have a bitcoind server at all. That's why I was quite confident about security (and the trading volume is not that huge).

Both major incidents happen due to bitcoind problems (while we are trying to find alternate solutions), and there are tons of small incidents happening during development stage, majority are due to bitcoind problems as well.

I'm only a web developer and I know my limitations. This is how I justify the original Hacker News comments.

I'll never handle the wallet.dat again in my life, ever.

Do you mean that because somebody compromised the servers, and was able to access your wallet.dat (with bitcoind), or some other security issues with bitcoind?
hero member
Activity: 602
Merit: 500
I'm only a web developer and I know my limitations. This is how I justify the original Hacker News comments.

Hello Tong,

all your comments show us a honest, openminded young man striving for the better.
Encountering such people is really reassuring.


People staying long time in the money and the serucity business tend to become suspicious and often disaffected.
Keeping the right way of heart and mind is difficult. We can just try again and again.


For us in the bitcoin world it surely hurts you are leaving.
But you might indeed be better off learning new things now, gaining a wider field of experience
and learning some craft really inside out, heart and mind.

All the best wishes!
--Ichthyo
vip
Activity: 490
Merit: 502
This is quite irrelevant. When the service initially launched, we didn't have a bitcoind server at all. That's why I was quite confident about security (and the trading volume is not that huge).

Both major incidents happen due to bitcoind problems (while we are trying to find alternate solutions), and there are tons of small incidents happening during development stage, majority are due to bitcoind problems as well.

I'm only a web developer and I know my limitations. This is how I justify the original Hacker News comments.

I'll never handle the wallet.dat again in my life, ever.
hero member
Activity: 532
Merit: 500
Stumbled over this interesting and somewhat ominous exchange from last year.

...

 Ah well, hindsight is 20/20.  Undecided

You only did your research in hindsight?  I read this when I was searching about Bitcoinica when I first learned about them.  Measure your risks first before looking at the possible return.
legendary
Activity: 1458
Merit: 1006
Here's another discussion that had me facepalming a couple of times: Hacker News: Introducing Bitcoinica API. (See the first reply for several good examples.)
legendary
Activity: 1458
Merit: 1006
Stumbled over this interesting and somewhat ominous exchange from last year.

http://news.ycombinator.com/item?id=2973313

An interesting read in light of recent events. Some excerpts:

Quote from: zhoutong
Hi HN,
I'm the creator of Bitcoinica. I'm not so established here. To be honest, I'm only 17.
Please try it out. (I can pay $1 for you if you're not willing/able to deposit, email me at [email protected]. :-D ) You can leave any suggestions, comments, bug reports and feature requests here. I'll look through every single comment. Thanks!

Quote from: jellicle
Without meaning to put a damper on your technical work, you should keep in mind a few things:

-- systems that work with money are attacked hard and often, by intelligent skilled people
-- in fact some of the people who attack your system are likely to be both more skilled and more intelligent than you are
-- systems that work with money that fail, fail spectacularly ("What do you mean someone withdrew $8 million last night?")
-- banking websites, Paypal, etc. are all like icebergs - you don't see 9/10ths of the things they've done to prevent spectacular failure
-- spectacular failure is your destiny if you don't work very hard to prevent it
-- spectacular failure may be your destiny even if you do work very hard to prevent it

You should plan accordingly.

Quote from: forensic
Doing your best probably isn't enough. To have any hope you'll have to hire expensive security people and buy lots of insurance.
All you need in order to be exploited is to be using software with 0day exploits. Many known exploits are not public. In a very real sense, you are only protected to the extent that you are a small target.

As the potential payoff of a hacker approaches $1 million, the likelihood of being hacked approaches 90%. Software really is THAT insecure and bitcoin thefts are not prosecuted making it basically risk-free to steal bitcoins.

Quote from: jerf
To be honest, your age isn't a problem, because the average above-average developer is still not competent to write this sort of software. If you had been doing security and financial software since birth, I might consider putting a bit of trust in the kitty to start.

I'm going to pitch a different take than a few others: Yes, great initiative, please keep trying things and building things, but end this project now. There are no probable outcomes where you do not end up having to explain where thousands of dollars of other people's money went to some angry people. There's also very nontrivial odds of being on the wrong end of armed Federal agents, based on some of the other comments you've made here. This is a horrible, horrible first-project sort of project.

Let me put it this way: Would you be willing to convert the BitCoins in your system into cash, put it in your front window, and post daily pictures of the pile of cash to your Facebook account, set to public visibility? Because that's roughly what you're doing.

 Ah well, hindsight is 20/20.  Undecided
Jump to: