
Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 11. (Read 224563 times)

full member
Activity: 182
Merit: 100
Nothing. I didn't mean to belittle all that you've done and accomplished, so sorry if it comes across that way.

Nah, don't apologize. These three desperados didn't do much other than some brilliant marketing on themselves. Oh, and lie about them being general partners of Bitcoinica. Oh and also take down their shitty "Bitcoin Consultancy" website to cover their asses.

They are the three stooges of the Bitcoin world as they clearly demonstrated by their inefficacy and the multiple retarded posts on this thread.
legendary
Activity: 826
Merit: 1001
rippleFanatic
What have you done?

Nothing. I didn't mean to belittle all that you've done and accomplished, so sorry if it comes across that way.

My only quibble is that seems overstated and exaggerated at times. Your claim to have written a second implementation of the bitcoin protocol "from scratch" is arguable (I highly doubt that you wrote libbitcoin without referencing anything but Satoshi's whitepaper, but I don't care enough to perform code analysis/comparison with the satoshi client under gavin's management). And to nitpick even further, a couple lines of bash script included in the bitcoin core project doesn't quite qualify one as a core bitcoin developer, strictly speaking, to my mind. That is all.


To the person above, here's what happened:
- Bitcoinica has an internet mailing list called [email protected]
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and log in to Rackspace.

The assumption here was that [email protected] did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching, etc. It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then had access to his emails.

Thank you genjix. This honesty and forwardness is what inspires confidence.


Now, how about the bitcoinica user database? Are there any copies?


EDIT: one additional note just because, with this new disclosure, I do agree with genjix's original post that Zhou was dragging their name through the mud. Everyone remember zhou's original excuse for losing the 40k BTC in the Linode compromise? It was because "the ruby gem didn't support wallet encryption". Zhou has a lot more to learn than he likes to admit.
legendary
Activity: 1232
Merit: 1076
To the person above, here's what happened:
- Bitcoinica has an internet mailing list called [email protected]
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and log in to Rackspace.

The assumption here was that [email protected] did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching, etc. It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then had access to his emails.
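
The chain of access described in the post above can be modelled as a small trust graph and searched for paths into critical infrastructure. This is an added example, not part of the original post; the node names and the `production-servers` asset are labels constructed for the illustration.

```python
from collections import deque

# Constructed model of the incident. An edge A -> B means "control of A is
# enough to gain control of B". Names are illustrative labels, not real
# hostnames or addresses.
TRUST_EDGES = {
    "shared-dev-vps": ["dev-vps-ssh-key"],            # many people had shell access
    "dev-vps-ssh-key": ["member-mail-server"],        # key was authorized on the server
    "member-mail-server": ["member-personal-mailbox"],
    "member-personal-mailbox": ["shared-mailing-list"],  # list member receives list mail
    "business-staff-mailbox": ["shared-mailing-list"],   # non-admin list members
    "shared-mailing-list": ["rackspace-password-reset"],  # reset mail goes to the list
    "rackspace-password-reset": ["rackspace-account"],
    "rackspace-account": ["production-servers"],      # assumed asset for the example
    "public-wiki": [],                                # unrelated system, for contrast
}
CRITICAL = {"rackspace-account", "production-servers"}


def shortest_chain(edges, start, target):
    """Breadth-first search; returns the shortest list of hops, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parents[node]
            return chain[::-1]
        for nxt in edges.get(node, []):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def exposure(edges, critical):
    """Map every non-critical node to the critical assets it can reach."""
    result = {}
    for node in edges:
        if node in critical:
            continue
        hits = sorted(t for t in critical if shortest_chain(edges, node, t))
        if hits:
            result[node] = hits
    return result


def without_edge(edges, src, dst):
    """Copy of the graph with one trust relationship removed (a mitigation)."""
    return {n: [d for d in dsts if not (n == src and d == dst)]
            for n, dsts in edges.items()}


if __name__ == "__main__":
    chain = shortest_chain(TRUST_EDGES, "shared-dev-vps", "rackspace-account")
    print(" -> ".join(chain))
    for node, hits in exposure(TRUST_EDGES, CRITICAL).items():
        print(f"{node}: reaches {hits}")
    # Mitigation: password resets are no longer deliverable to the shared list.
    fixed = without_edge(TRUST_EDGES, "shared-mailing-list",
                         "rackspace-password-reset")
    print("after fix:", exposure(fixed, CRITICAL))
```

Every mailbox subscribed to the list shows up in `exposure`, which is the point: the stated assumption that the list had no access to critical infrastructure fails as soon as a reset mail can be delivered to it.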
legendary
Activity: 1232
Merit: 1076
Of course, Bitcoin Consultancy shares equal blame and the mud sticks. I've had my doubts about them ever since I first heard them claiming to be "core bitcoin developers" (I found precisely one commit by genjix to the satoshi client code, and it was a bash script). Refactoring the satoshi client into libbitcoin wouldn't exactly be easy, but a more productive (and difficult) project would've been bitcoinjs. Patrick may be able to find some vulnerabilities, but he didn't secure his own mail server. Also funky that he would offer a bounty to fix a bug in 80 lines of javascript because he is "not interested in chasing bugs in something I'm not familiar with". Aside from creating and operating Intersango (which by itself is commendable, obviously), they haven't done much to inspire confidence that they can handle running bitcoinica (quite the opposite recently).

This is so stupid and retarded.

There are 2 full implementations of the Bitcoin protocol, and I wrote one from scratch in C++: https://gitorious.org/libbitcoin

bitcoin-js is unmaintained, and BitCoinJava is a lightclient. I also wrote the first alternative frontend GUI: https://gitorious.org/freecoin and worked with jaromil on many freecoin improvements. I wrote most of the Wiki pages like the Getting started and PHP developer intro: https://en.bitcoin.it/wiki/Main_Page as well as largely writing the original Bitcoin Wikipedia page. That's before I started libbitcoin as a way for developers to easily make alternative Bitcoin clients. I'm also a contributor to Electrum: https://gitorious.org/electrum/server and was one of the people (along with slush and ThomasV) to define the Stratum spec used in it. I am also responsible for the BIP (Bitcoin Improvement Proposal) process: https://en.bitcoin.it/wiki/Bitcoin_Improvement_Proposals (see the title), and have authored 4 BIPs.

What have you done?

I organised the conference, and have written a plethora of articles and tutorials for the community on Bitcoin Media like this. I also helped write the initial stock exchange client for GLBSE and started many other Bitcoin projects that are defunct now but all released as OpenSource including the early version of Intersango - Britcoin. Ironically releasing the source for Britcoin hurt us as people assumed we were connected to third parties that used our software like WBX. We also hired and paid people from the community, and put our own money into growing Bitcoin (and still are). For instance, the conference lost us money and other Bitcoin projects or people we paid went nowhere.
hero member
Activity: 868
Merit: 1000
-Are there any backups left?: Is the database intact?

This is the key question. The following is pure speculation.

I'm speculating that there were and are no offsite backups of the database. This would make the claim process nearly impossible (or maybe there is one but it is old, and the older it is the more difficult the claims process). (the hacker is probably submitting claims for each account from various IP addresses, just for lulz). If there were a backup of the database, users could claim their funds simply and quickly using their passwords, which were securely encrypted in the database. (there is of course the possibility of complications making this more difficult, eg if the hacker captured some passwords in plaintext before deleting the database).

If there is no recent offsite database backup, it is zhou's fault and he knows it, but he is doing his damnedest to throw mud at Bitcoin Consultancy and save his ego. If he made no offsite backup, it could be blamed on his plain-as-day arrogance (why boast that he made the site in four days?) combined with lack of experience (after all, the Linode theft wasn't his fault but at the same time could have been prevented had he done sufficient contingency planning).

There's other weird stuff going on which may or may not involve Bitcoin Consultancy.  The WBX website has been revised and references to the founder and external parties other than Intersango and Bitcoin Consultancy have been removed.  The founder is now claiming that

Quote from: Andre
i have been advised the current database has been erased this happened last week

There is no mention of how the database came to be erased or who was in control of it when it was erased.  Andre admits to having no control over the exchange site any more but he offers no information about who does have that control or when he relinquished it.  If Bitcoin Consultancy is not actively involved with WBX, it would be in their best interests to publicly say so at this point.
legendary
Activity: 826
Merit: 1001
rippleFanatic
-Are there any backups left?: Is the database intact?

This is the key question. The following is pure speculation.

I'm speculating that there were and are no offsite backups of the database. This would make the claim process nearly impossible (or maybe there is one but it is old, and the older it is the more difficult the claims process). (the hacker is probably submitting claims for each account from various IP addresses, just for lulz). If there were a backup of the database, users could claim their funds simply and quickly using their passwords, which were securely encrypted in the database. (there is of course the possibility of complications making this more difficult, eg if the hacker captured some passwords in plaintext before deleting the database).

If there is no recent offsite database backup, it is zhou's fault and he knows it, but he is doing his damnedest to throw mud at Bitcoin Consultancy and save his ego. If he made no offsite backup, it could be blamed on his plain-as-day arrogance (why boast that he made the site in four days?) combined with lack of experience (after all, the Linode theft wasn't his fault but at the same time could have been prevented had he done sufficient contingency planning).

Of course, Bitcoin Consultancy shares equal blame and the mud sticks. I've had my doubts about them ever since I first heard them claiming to be "core bitcoin developers" (I found precisely one commit by genjix to the satoshi client code, and it was a bash script). Refactoring the satoshi client into libbitcoin wouldn't exactly be easy, but a more productive (and difficult) project would've been bitcoinjs. Patrick may be able to find some vulnerabilities, but he didn't secure his own mail server. Also funky that he would offer a bounty to fix a bug in 80 lines of javascript because he is "not interested in chasing bugs in something I'm not familiar with". Aside from creating and operating Intersango (which by itself is commendable, obviously), they haven't done much to inspire confidence that they can handle running bitcoinica (quite the opposite recently).

One optimistic possibility is that Zhou did make an offsite backup, but he is not sharing it with Bitcoin Consultancy out of pure anger and spite at their fuck-up (Patrick not securing his own e-mail). If he has one, that would make it easy for him to process claims (they probably do have plenty of coin in cold storage).

If he already shared it with Bitcoin Consultancy, god knows why they are dragging their feet in such an incredibly lame way instead of just processing the claims. (maybe they thought they could buy time so they can re-launch the site before users withdraw their claims and deposit them with competitors supposedly launching soon).
full member
Activity: 182
Merit: 100
After I moved to Australia, I changed the computer language to Australian English and my Mac autocorrected everything for me. It's handy when I need to write essays and business documents.

I always use American spelling online, but I didn't bother to change the settings or manually correct the spelling.

So I hope this explains something.

Actually Bruno might be onto something. It kinda seems your English got a million times better overnight, and I am talking about sentence construction and structure, not just grammar.
sr. member
Activity: 325
Merit: 250
Our highest capital is the Confidence we build.
Can anybody involved set up a communication thread where we can have some information without so much noise?
vip
Activity: 490
Merit: 502
Full Disclosure: I AM (or is it I'm?) NOT A WORDSMITH!

But I know grammatical errors when I see/read them and I'm seeing/reading a hell of a lot of them in all these official/nonofficial posts. It's like I'm reading shit written by young adults who don't have a rudimentary command of the English language but keep trying their damnedest to come across as educated blokes. Now, I'm not necessarily speaking of Zhou, for obvious reasons, but I feel (not sure) that his writing style has changed, as if somebody else is posting in his name. Reason I say this is because I've read words of which he's spelled correctly in the past, coupled with his current delivery seems odd (to me).

Forgive me if this has already been addressed, but I'm now only catching up, about nine pages out.

Back to reading this CF.

~Bruno~


After I moved to Australia, I changed the computer language to Australian English and my Mac autocorrected everything for me. It's handy when I need to write essays and business documents.

I always use American spelling online, but I didn't bother to change the settings or manually correct the spelling.

So I hope this explains something.
hero member
Activity: 812
Merit: 1001
-
you have missed that he is also a sole shareholder
hero member
Activity: 868
Merit: 1000
repentance, Mr Heaslip is most likely simply a nominee shareholder and director. This means that Bitcoinica LP general partner decided to pay extra 1000-2000 a year to obfuscate who is indeed General Partner of Bitcoinica LP.

This also means that we do not know exactly who the General Partner is and when it changes. It could be any kind of a chain of offshore trusts and companies for all we know.

It still looks like Core Credit is a shelf company, though - there've been no constitution documents lodged.  While it's not uncommon for accountants to set up enterprises in the way you've described, ownership is often transferred down the track because for as long as the accountant or lawyer remains an office-bearer in the company they still have legal liability for its actions (and risk professional sanctions if they don't exercise appropriate oversight).  Heaslip's speciality is taxation, and Bitcoin related businesses certainly have plenty of reasons to structure their enterprises in a manner which minimises any tax burden.  Bitcoin is also fraught with fraud, AML and CTF risks and it would be risky for any accountant to put themselves in a position of liability for such risks if they didn't intend to play any role in ensuring compliance in those areas.  Being a nominal director doesn't exempt you from legal liability.
newbie
Activity: 23
Merit: 0
I have about 700 BTC in bitcoinica. I will be willing to sell this debt to anyone for a reasonable price. Need the BTC to be in play right now.

You can create a bond on GLBSE with a face value of 700 BTC. You will pay the nominal amount if and when Bitcoinica release your funds. You can auction the bond so that you will get whatever the market thinks the debt is worth.

This would be very interesting, since the price of the bond should approximate whatever the market thinks is the probability of Bitcoinica refunding their customers. Prediction market on GLBSE!
hero member
Activity: 812
Merit: 1001
-
repentance, Mr Heaslip is most likely simply a nominee shareholder and director. This means that Bitcoinica LP general partner decided to pay extra 1000-2000 a year to obfuscate who is indeed General Partner of Bitcoinica LP.

This also means that we do not know exactly who the General Partner is and when it changes. It could be any kind of a chain of offshore trusts and companies for all we know.


hero member
Activity: 868
Merit: 1000
Hi all. I'm making my first post here to offer my heartfelt apology to those affected by the security breach at Bitcoinica.

The investment fund I work with first put money into Bitcoinica because I had identified it as a promising start-up in this exciting space. It is my job to find potential investments and conduct related due diligence. In doing so, I learned a lot about bitcoin trading and Bitcoinica.

Like many early stage companies, Bitcoinica experienced growing pains as its success outgrew the capacity of its initial founder to handle alone. It was I who sought out expanded management to help take Bitcoinica forward.

I chose the Bitcoin Consultancy team due to their early involvement with bitcoin, their experience operating an exchange, and their reputations for expertise in online security. 

Bitcoin Consultancy was first retained to perform a comprehensive security audit on March 27 and they became owners and operators of Bitcoinica LP on April 24. As General Partner, they have exclusive legal authority to manage the company.

Because their time with the company is relatively short, the present situation is especially challenging. Zhou Tong has continued to assist in an unofficial capacity. I've offered what insights I can based on my knowledge of the business. In spite of the challenges, I know the Bitcoin Consultancy team would like to bring about the best possible outcome.

Per standard practice, Bitcoin Consultancy entered into a non-disclosure agreement which extends to Bitcoinica's proprietary systems and processes. They are free to discuss their role and history with the company.

For those who wish to blame someone, blame me. Perhaps if I'd pushed for expanded management sooner or in a different way, the incident might have been avoided.

For avoidance of confusion, I wish to reiterate Bitcoinica Consultancy's prior statement: Mr. Heaslip is an accounting professional who assisted with company formation. He has his own business interests in New Zealand which are otherwise unrelated. I have facilitated investments in dozens of other companies, including some in the bitcoin space. Those companies are also unrelated.

I’m unable to follow most public postings here, but you can reach me through this forum by private message. Questions about processing of funds should be directed to Bitcoin Consultancy as they alone control that process.

I've advised Bitcoin Consultancy to focus their efforts on processing claims rather than public debate. Please extend them your continued patience.


So was Core Credit essentially a shelf company which no longer had any involvement with Bitcoinica when the hack happened?  This seems unlikely given that Core Credit's bank account was being used for wire transfers on 5 May.  Has another party/entity assumed Mr Heaslip's stake in Core Credit/Bitcoinica?

full member
Activity: 182
Merit: 100
The forums were filled with the same hatred towards MtGox when they got hacked and look who is still the most popular exchange. They learnt and improved, so will Bitcoin Consultancy.

LOL People still fucking hate MtGox, and they are losing volume by the day to other exchangers (btc-e notably, run by a Russian scammer/cheater).

Mark though, should be noted, is an honest person (although highly inept), unlike the liars and manipulators at InterSCAMgo.

Making some serious accusations there mate.

Care to back them up?

Anybody received a claim yet and got his $$$ back or BTC back?

Why is BTC-E a scam / cheat?



I ain't backing up shit palooka. Believe what you will, just as people in this thread believed (or not) when I said that Bitcoin Consultancy OWNED Bitcoinica. I personally don't give two shits if BTC-e becomes the #1 bitcoin exchanger.

I know who "Alexi" is. So do half the people involved at ShadowCrew back in the day. Carders have good memory.
hero member
Activity: 518
Merit: 500
The forums were filled with the same hatred towards MtGox when they got hacked and look who is still the most popular exchange. They learnt and improved, so will Bitcoin Consultancy.

LOL People still fucking hate MtGox, and they are losing volume by the day to other exchangers (btc-e notably, run by a Russian scammer/cheater).

Mark though, should be noted, is an honest person (although highly inept), unlike the liars and manipulators at InterSCAMgo.

Making some serious accusations there mate.

Care to back them up?

Anybody received a claim yet and got his $$$ back or BTC back?

Why is BTC-E a scam / cheat?

full member
Activity: 182
Merit: 100
The forums were filled with the same hatred towards MtGox when they got hacked and look who is still the most popular exchange. They learnt and improved, so will Bitcoin Consultancy.

LOL People still fucking hate MtGox, and they are losing volume by the day to other exchangers (btc-e notably, run by a Russian scammer/carder).

Mark though, should be noted, is an honest person (although highly inept), unlike the liars and manipulators at InterSCAMgo.
full member
Activity: 182
Merit: 100
I second that Yankee would make a great PR guy for Intersango or should at least be on the board of directors.

I would not mind.

Try and remember this, when TradeHill announced they are shutting down everyone flipped out about whether they were getting their money back.

I constantly acted as middle man between TH and this community. We build an automated system so everyone can withdraw their funds via check or into another exchange. We had to manually verify every single customer for AML requirements which was not easy.

Furthermore, we also arbitrated dozens of disputes between TH and customers, all which are now resolved.

As soon as I knew an update, I posted it on these forums and received phone calls day and night of customers seeking assurance even though I had no stake in tradehill whatsoever

I plan on doing the same for Bitcoinica.


I hope after the transvestite of a show Bitcoin Consultancy put out on this forum, and after their lies, you would seriously reconsider this. Roger Ver (your partner if I am not mistaken?) is already taking distance from these fools and suggesting that Zhou manage the claim process.

By the way, on a previous post you claimed you knew the true owners of Bitcoinica. Then you claimed also you had 20K stuck with them. What's up with that? Apparently, and according to the capitalist that arranged the investment, Bitcoin consultancy owns and operates Bitcoinica since April 24th.

I respect you and Bitinstant, so I think it would be awesome if you could give an honest reply to this whole mess.
full member
Activity: 182
Merit: 100
Bitcoin Consultancy was first retained to perform a comprehensive security audit on March 27 and they became owners and operators of Bitcoinica LP on April 24. As General Partner, they have exclusive legal authority to manage the company.

SO AS I SAID EVEN BEFORE THIS WAR GOT STARTED: BITCOIN CONSULTANCY OWNS AND OPERATES BITCOINICA!

And like I said before, take your funds out of INTERSANGO NOW!!

There is no NDA THEY NEED TO RESPECT because they are the GENERAL PARTNERS.

They are just stalling and buying time for their ATTORNEYS to help them run with YOUR MONEY.

Amir, Donald, Patrick: YOU are a bunch of LIARS, and you have been OUTED.
legendary
Activity: 1358
Merit: 1002
Is this true, psy, that your friend has yet to receive a single email from Bitcoinica? Has anybody else here received an email from Bitcoinica? Does Bitcoinica have a single email address at their disposal? How is Bitcoinica communicating with all those poor souls that don't frequent this forum?

I just checked my email and I got 0 emails from Bitcoinica. The last one was from Feb when I withdrew my balance.



same.  i have filed the claim page about 3 times now in the past few days and when i hit submit i dont get any confirmation nor email.  wtf...

You should check the form fields for errors. I read in this thread that when that happens it's some error you have in there and you aren't seeing it because it's not in red. lol