Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 10. (Read 224563 times)

Hi,

Thank you for this. We are incredibly happy. We will need to clear up some distinctions and make sure the account is in fact Tihan's account. He can do so via confirmation in email or on skype. We also need clarification as to what "role and history mean".

1. Are Bitcoinica Consultancy and its individual members allowed to talk about the security issues and this incident without limitation? Yes/No

The NDA extends to our persons I believe.

Finally, Tihan, people seem to have questions regarding the database.

2. Are we, Bitcoinica Consultancy and it's individual members, at liberty to discuss in full detail the nature of the database? Yes/No

3A. Are we, Bitcoinica Consultancy and it's individual members, at liberty to release relevant skype logs in full without worry that information in those logs are sensitive? Yes/No

3B. If there is a "No" answer for question 3A, could you specify and clearly what we are not allowed to post (for example, content that would violate a user's privacy) and remember to claim that the list of restrictions you post is an exhaustive list.

4. Are you willing to take the short steps to nullify any NDA we may have? Yes/No

5. Can we release a full account of the security detail and practices relevant to Bitcoinica's history and this incident? Yes/No



Finally, we can certainly see the semblance of unprofessionality that Bitcoinica Consultancy was resonating. We would like to apologise for having to go to such an extreme. We were urged against making such statements by Tihan and Zhou as they would hurt everyone's reputation, including our own. The circumstances were such that we had no real ability to respond to misinformation and misrepresentation. We full well knew that our immediate reputation would suffer greatly. In matters like this, things often need to get worse before they can get better. However, it seems we will be finally be successful in providing full disclosure for everyone. We were talking with Tihan about trying to clear up misrepresentations for a long time and with Zhou as well. Unfortunately, we were not granted the ability to clear up the relevant issues (possibly until now) and Zhou kept making and continues to make false statements and wildly misrepresenting the facts. We are very happy with the turn of events as we are certain that (as long as Tihan's comment wasn't intentionally nondescript or ambiguous) we will be able to set the record straight.


We are not pursuing this matter at the expense of the reclaims process. However, when we have time, we will (in great detail) show that many statements that have been made have been malicious and false.

What is the "official stance" of the officials "owners" ?

The more i read this topic the more it gets confusing.
I have been patiently waiting for answers but the lack of precise answers is starting to get worrysome.

Have any users gotten back funds yet ? (and if you did, can you tell us how many ?)

bitcoinica socket puppet much? Every single post that you made in this thread is somehow an attack on those who wants transparency and REAL answers/solutions.

Now I'm really afraid that noone will receive their funds. People have asked several times about the backups, and every Bitcoinica former or current member conveniently avoided this topic. If there were any backups, I'm sure they'd want to answer their customers concerns as soon as possible. Avoiding this topic whatsoever is really, really fishy.

I lol'd

That makes perfect sense, Zhou. BTW, I'm going on record and state that I'm on Zhou's side and will remain so until I state otherwise. I'm going by actions but, moreover, feelings in my decision.

~Bruno~

How do a few passports help link usernames and passwords to account funds? They don't help. At all.



thanks for this! lol.

Have you talked to the hacker, or are you speculating on his reaction and the steps he went through.

http://www.youtube.com/watch?v=aoMmbUmKN0E

I think you are a little bit confused.


Zhou Tong's hands are tied, because he no longer has access to the systems - as far as I can tell from what he has posted. He has also offered to take over the claims process and make everything right, but that was also rejected. Attacking him and his reputation isn't the way to proceed here.

If this is the case, I blame zhou for that. A 17-year old boy with zero contingency plans, twice demonstrated (shame on me). (and furthermore, I will never use his new domain manager service or any other).

How does he suppose to process claims without a user database backup is my only lingering question?

genjix and zhou: get a room. you belong together.

MagicalTux handled his shit last year, because he was a twenty-five year old man. Long-live MtGox.

Seems like it would be short list of who had root on vps. Without root cannot do much at all on vps.

Well that kind of does narrow it down, at least a tiny bit, no? Have you any guesses as to the identity of this pasty little twerp that was unoriginal enough to commit this crime?

There is NO BACKUP. Think about this: PASSWORDS WERE SALTED. There was NO NEED for a claim form. They could have let the users simply login into their account to authenticate.

Not to mention those users using google authenticator.

The form is there because there is jack shit in terms of data.

You gave out root access to vps? Attacker uses su to be your username and then simply
 ssh into email server? But as reg user cannot read everyones email...
Or you put root ssh key on email server which allowed full ownage of email server combined
With giving out root access? You trust people on irc or this forum?

The fail is great with this situation. Figures this hack took no real skills. It is rare person who can code 0day and if
They could you can sell it for same amount stolen in hack if 31337 elite linux remote root on popular daemon
Like apache or email daemon.

the plot thickens. 

Will somebody just admit whether there is a backup of the user database or not?

Man up zhou.

Patrick requested him to be added because he wanted to reset server root passwords. And he did receive several email reset confirmations. Whether the email is his personal email or work email, it shouldn't matter. It's the same email that he use to receive the confirmations and all Bitcoinica sensitive emails.

The attacker didn't think the email account was a big deal either, until he saw the password reset confirmations. The hacker then found out the Rackspace Cloud username "bitcoinica" using the "forgot username" option, which means that the hacker didn't even initially realise the association between bitcoinica and the hacked email account.

EDIT:

I didn't blame Patrick for the email compromise. It's the hacker's fault, not his.

But Donald and Amir keep mentioning that the access control system is improper. Patrick is the only guy in Bitcoinica Consultancy who had access to critical data. I didn't give the permission to anyone else. And I didn't get compromised either.

If I was adding everyone to the mailing list, that would be unacceptable. But I added [email protected] (which he told me), and you're telling me I should treat it as personal email and non-critical.

+i
Tired of you.