Theres an old saying that a backup doesnt exist untill its in 3 separate places 
thats a good saying.
Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 2. (Read 224562 times)
May 27, 2012, 04:34:03 AM
thats a good saying.
May 27, 2012, 02:57:49 AM
Is this relative/relevant?
http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.
Not at all.
User gets hacked, hackers withdraw using user's interface. No other user is affected other than the hacked user, who's responsible of his own account.
This is like someone got the passwords to your bank account online interface from you and pwned you. You are responsible of not revealing your passwords. Sure, allowing such massive withdrawals is probably over the top but it's most likely something the user decided or agreed to.
May 27, 2012, 02:54:24 AM
Theres an old saying that a backup doesnt exist untill its in 3 separate places
May 27, 2012, 02:35:25 AM
Is this relative/relevant?
http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Not at all. This is not a case where just a customer's account was hacked.http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.
I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.
~Bruno~
We're not an exchange, but I'll go on record as saying that Bitcointalk.org has daily backups mirrored to at least 2 different locations other than the datacenter that we're hosted at. This is in addition to industry standard backup and recovery solutions deployed onsite.~Bruno~
Yes, believe it or not, but your posts and PMs on this forum are actually better preserved than your current balance at Bitcoinica.
Dude, that means I'm/we're counting to 63,000,000 with images in that Newbie thread. That'll take forever!
I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.
~Bruno~
they need daily off-site backups at the very least, not just a (single) backup. these daily backups should be kept very safe as well
I guess that's what I meant--proper backups. While we're at it, I think all backups should be open-source so that we can all see that they're backup. We're going to see them anyway, but at least then a hacker wouldn't have anything to do, unless they all pooled their resources and hacked via adding funds to databases, coupled with becoming Grammar Nazis.
May 27, 2012, 02:03:26 AM
Yes, believe it or not, but your posts and PMs on this forum are actually safer than your current balance at Bitcoinica.
I lol'd.
May 27, 2012, 02:01:55 AM
Is this relative/relevant?
http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Not at all. This is not a case where just a customer's account was hacked.http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.
I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.
~Bruno~
We're not an exchange, but I'll go on record as saying that Bitcointalk.org has daily backups mirrored to at least 2 different locations other than the datacenter that we're hosted at. This is in addition to industry standard backup and recovery solutions deployed onsite.~Bruno~
Yes, believe it or not, but your posts and PMs on this forum are actually better preserved than your current balance at Bitcoinica.
May 27, 2012, 01:59:57 AM
There should be a prediction market where you can bet which site will get hacked next
Just like assassination markets except for websites....
Just like assassination markets except for websites....
That would be cool, but only if owners of websites could take the other side of the bets. This would kind of allow some to finance information security efforts. LOL.
May 27, 2012, 12:48:39 AM
There should be a prediction market where you can bet which site will get hacked next
Just like assassination markets except for websites....
Just like assassination markets except for websites....
May 27, 2012, 12:43:43 AM
I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.
~Bruno~
they need daily off-site backups at the very least, not just a (single) backup. these daily backups should be kept very safe as well
May 27, 2012, 12:40:40 AM
I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.
~Bruno~
Remember that in this case the hacker was able to delete the backup, so I don't think that exchanges saying that they have a backup means much. How often they make back ups and how they back up are pretty critical to their ability to recover from a critical incident and who has access to the back ups determines whether they are also vulnerable.
May 27, 2012, 12:35:19 AM
Haven't been following this. Is it clear yet, you know, that anyone will get any coins back or not?
Roughly 20% of the Bitcoins they held were lost but USD are apparently fine. One of the VCs with a silent interest in Bitcionica has said that the losses will be covered and I'd be inclined to believe him as they just received half a million dollars in seed funding for their Bitcoin projects and need to be seen to be reputable in order to grow their CoinLab business.
They do have accounting records, even though they don't have an image of the database as it stood at the time it was deleted. While that's not a perfect record, it's nowhere near as catastrophic as having no records would be - it might just take a bit longer to piece the information needed to return funds and Bitcoins to users together.
Hmmm, ok. I guess I'm just going to let this cook for a while and move on. Maybe in a few weeks I'll get a surprise email that their ready to return my coins. In the meantime, I still want to try this new BitInstant thing and buy a few more coins. I've only got a few hundred coins in any exchange now. Everything else has been moved to paper and brain wallets. I'm keeping one hot wallet with small amounts for day to day stuff, but otherwise everything else is is staying locked up tight.
I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.
~Bruno~
May 27, 2012, 12:27:08 AM
Haven't been following this. Is it clear yet, you know, that anyone will get any coins back or not?
Roughly 20% of the Bitcoins they held were lost but USD are apparently fine. One of the VCs with a silent interest in Bitcionica has said that the losses will be covered and I'd be inclined to believe him as they just received half a million dollars in seed funding for their Bitcoin projects and need to be seen to be reputable in order to grow their CoinLab business.
They do have accounting records, even though they don't have an image of the database as it stood at the time it was deleted. While that's not a perfect record, it's nowhere near as catastrophic as having no records would be - it might just take a bit longer to piece the information needed to return funds and Bitcoins to users together.
Hmmm, ok. I guess I'm just going to let this cook for a while and move on. Maybe in a few weeks I'll get a surprise email that their ready to return my coins. In the meantime, I still want to try this new BitInstant thing and buy a few more coins. I've only got a few hundred coins in any exchange now. Everything else has been moved to paper and brain wallets. I'm keeping one hot wallet with small amounts for day to day stuff, but otherwise everything else is is staying locked up tight.
May 27, 2012, 12:21:58 AM
...without the database the process [of determining remuneration] is tedious
Ha ha, that's one way to describe it.
May 27, 2012, 12:19:58 AM
Haven't been following this. Is it clear yet, you know, that anyone will get any coins back or not?
Roughly 20% of the Bitcoins they held were lost but USD are apparently fine. One of the VCs with a silent interest in Bitcionica has said that the losses will be covered and I'd be inclined to believe him as they just received half a million dollars in seed funding for their Bitcoin projects and need to be seen to be reputable in order to grow their CoinLab business.
They do have accounting records, even though they don't have an image of the database as it stood at the time it was deleted. While that's not a perfect record, it's nowhere near as catastrophic as having no records would be - it might just take a bit longer to piece the information needed to return funds and Bitcoins to users together.
May 27, 2012, 12:16:25 AM
the remaining funds excl. 18k btc should be there .
I guess its not a matter of IF but HOW they refund as without the database the process is tedious
I guess its not a matter of IF but HOW they refund as without the database the process is tedious
May 26, 2012, 11:45:50 PM
No backups. I guess this explains why the whole process of officially acknowledging the hack (via the bitcoinica web site) and the claims process has been so slow.
Missed this earlier. So it's settled then? Nobody is getting anything back. Next.
May 26, 2012, 10:59:01 PM
Haven't been following this. Is it clear yet, you know, that anyone will get any coins back or not?
May 26, 2012, 10:06:01 PM
Is this relative/relevant?
http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.
Likely completely irrelevant as it's an application of US state law. It "might" have some relevance if Bitcoinica tried to sue Rackspace but international lawsuits are a costly pain in the ass.
They would more likely better use some arbitration platform like judge.me in such a case.
May 26, 2012, 09:52:00 PM
Is this relative/relevant?
http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.
Likely completely irrelevant as it's an application of US state law. It "might" have some relevance if Bitcoinica tried to sue Rackspace but international lawsuits are a costly pain in the ass.
May 26, 2012, 09:19:46 PM
Is this relative/relevant?
http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.
Jump to: