
Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 2. (Read 224563 times)

legendary
Activity: 1764
Merit: 1002
There's an old saying that a backup doesn't exist until it's in 3 separate places Smiley

that's a good saying.
donator
Activity: 980
Merit: 1000
Is this relative/relevant?

http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.

Not at all.

User gets hacked, hackers withdraw using user's interface. No other user is affected other than the hacked user, who's responsible for his own account.

This is like someone got the passwords to your bank account online interface from you and pwned you. You are responsible for not revealing your passwords. Sure, allowing such massive withdrawals is probably over the top but it's most likely something the user decided or agreed to.
hero member
Activity: 686
Merit: 500
Wat
There's an old saying that a backup doesn't exist until it's in 3 separate places Smiley
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Is this relative/relevant?

http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.
Not at all. This is not a case where just a customer's account was hacked.
I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~
We're not an exchange, but I'll go on record as saying that Bitcointalk.org has daily backups mirrored to at least 2 different locations other than the datacenter that we're hosted at. This is in addition to industry standard backup and recovery solutions deployed onsite.

Yes, believe it or not, but your posts and PMs on this forum are actually better preserved than your current balance at Bitcoinica.

Dude, that means I'm/we're counting to 63,000,000 with images in that Newbie thread. That'll take forever!  Grin


I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~


they need daily off-site backups at the very least, not just a (single) backup. these daily backups should be kept very safe as well

I guess that's what I meant--proper backups. While we're at it, I think all backups should be open-source so that we can all see that they're backup. We're going to see them anyway, but at least then a hacker wouldn't have anything to do, unless they all pooled their resources and hacked via adding funds to databases, coupled with becoming Grammar Nazis.
legendary
Activity: 1162
Merit: 1000
DiabloMiner author
Yes, believe it or not, but your posts and PMs on this forum are actually safer than your current balance at Bitcoinica.

I lol'd.
legendary
Activity: 1204
Merit: 1015
Is this relative/relevant?

http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.
Not at all. This is not a case where just a customer's account was hacked.
I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~
We're not an exchange, but I'll go on record as saying that Bitcointalk.org has daily backups mirrored to at least 2 different locations other than the datacenter that we're hosted at. This is in addition to industry standard backup and recovery solutions deployed onsite.

Yes, believe it or not, but your posts and PMs on this forum are actually better preserved than your current balance at Bitcoinica.
hero member
Activity: 812
Merit: 1001
-
There should be a prediction market where you can bet which site will get hacked next Smiley

Just like assassination markets except for websites....

That would be cool, but only if owners of websites could take the other side of the bets. This would kind of allow some to finance information security efforts.  LOL.
hero member
Activity: 686
Merit: 500
Wat
There should be a prediction market where you can bet which site will get hacked next Smiley

Just like assassination markets except for websites....
legendary
Activity: 1050
Merit: 1000

I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~


they need daily off-site backups at the very least, not just a (single) backup. these daily backups should be kept very safe as well
hero member
Activity: 868
Merit: 1000


I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~


Remember that in this case the hacker was able to delete the backup, so I don't think that exchanges saying that they have a backup means much.  How often they make back ups and how they back up are pretty critical to their ability to recover from a critical incident and who has access to the back ups determines whether they are also vulnerable.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Haven't been following this.  Is it clear yet, you know, that anyone will get any coins back or not?

Roughly 20% of the Bitcoins they held were lost but USD are apparently fine.  One of the VCs with a silent interest in Bitcoinica has said that the losses will be covered and I'd be inclined to believe him as they just received half a million dollars in seed funding for their Bitcoin projects and need to be seen to be reputable in order to grow their CoinLab business.

They do have accounting records, even though they don't have an image of the database as it stood at the time it was deleted.  While that's not a perfect record, it's nowhere near as catastrophic as having no records would be - it might just take a bit longer to piece the information needed to return funds and Bitcoins to users together.

Hmmm, ok.  I guess I'm just going to let this cook for a while and move on.  Maybe in a few weeks I'll get a surprise email that they're ready to return my coins.  In the meantime, I still want to try this new BitInstant thing and buy a few more coins.  I've only got a few hundred coins in any exchange now.  Everything else has been moved to paper and brain wallets.  I'm keeping one hot wallet with small amounts for day to day stuff, but otherwise everything else is staying locked up tight.

I guess this would be a perfect time to ask the operators of every single Bitcoin exchange if they have a backup of their database. Each and every one of them should go on record stating that they do. I suggest that this should be done within the next 48 hours. Any exchange that does not go on record in stating that they do within this time frame, users of those exchanges should immediately remove their funds from those exchanges.

~Bruno~
legendary
Activity: 2198
Merit: 1311
Haven't been following this.  Is it clear yet, you know, that anyone will get any coins back or not?

Roughly 20% of the Bitcoins they held were lost but USD are apparently fine.  One of the VCs with a silent interest in Bitcoinica has said that the losses will be covered and I'd be inclined to believe him as they just received half a million dollars in seed funding for their Bitcoin projects and need to be seen to be reputable in order to grow their CoinLab business.

They do have accounting records, even though they don't have an image of the database as it stood at the time it was deleted.  While that's not a perfect record, it's nowhere near as catastrophic as having no records would be - it might just take a bit longer to piece the information needed to return funds and Bitcoins to users together.

Hmmm, ok.  I guess I'm just going to let this cook for a while and move on.  Maybe in a few weeks I'll get a surprise email that they're ready to return my coins.  In the meantime, I still want to try this new BitInstant thing and buy a few more coins.  I've only got a few hundred coins in any exchange now.  Everything else has been moved to paper and brain wallets.  I'm keeping one hot wallet with small amounts for day to day stuff, but otherwise everything else is staying locked up tight.
sr. member
Activity: 462
Merit: 250
...without the database the process [of determining remuneration] is tedious

Ha ha, that's one way to describe it. 
hero member
Activity: 868
Merit: 1000
Haven't been following this.  Is it clear yet, you know, that anyone will get any coins back or not?

Roughly 20% of the Bitcoins they held were lost but USD are apparently fine.  One of the VCs with a silent interest in Bitcoinica has said that the losses will be covered and I'd be inclined to believe him as they just received half a million dollars in seed funding for their Bitcoin projects and need to be seen to be reputable in order to grow their CoinLab business.

They do have accounting records, even though they don't have an image of the database as it stood at the time it was deleted.  While that's not a perfect record, it's nowhere near as catastrophic as having no records would be - it might just take a bit longer to piece the information needed to return funds and Bitcoins to users together.
legendary
Activity: 2100
Merit: 1000
the remaining funds excl. 18k btc should be there.
I guess it's not a matter of IF but HOW they refund as without the database the process is tedious
legendary
Activity: 2198
Merit: 1311
No backups.  I guess this explains why the whole process of officially acknowledging the hack (via the bitcoinica web site) and the claims process has been so slow.

Missed this earlier.  So it's settled then?  Nobody is getting anything back.  Next.
legendary
Activity: 2198
Merit: 1311
Haven't been following this.  Is it clear yet, you know, that anyone will get any coins back or not?
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
Is this relative/relevant?

http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.

Likely completely irrelevant as it's an application of US state law.  It "might" have some relevance if Bitcoinica tried to sue Rackspace but international lawsuits are a costly pain in the ass.

They would more likely better use some arbitration platform like judge.me in such a case.
hero member
Activity: 868
Merit: 1000
Is this relative/relevant?

http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.

Likely completely irrelevant as it's an application of US state law.  It "might" have some relevance if Bitcoinica tried to sue Rackspace but international lawsuits are a costly pain in the ass.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Is this relative/relevant?

http://boingboing.net/2011/06/08/ocean-bank-lost-3000.html
Quote
Ocean Bank, which allowed hackers to withdraw more than $300,000 from a customer's account, won't have to cover the loss. A Maine judge said its account security was "not optimal," but ultimately ruled for it because hackers obtained account credentials using malicious software installed on the customer's computers. Ocean asserted that its due diligence was covered by verifying a password.