Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 21. (Read 224562 times)

full member
Activity: 182
Merit: 100
So let me get this straight. You pen test a 17 year old competitor's faulty site, find vulnerabilities and use that knowledge to muscle your way into his business. Then it blows up in your face and you spend 13 days crafting a carefully worded "statement" which basically establishes that you are now essentially in a pissing match with this kid. How old are you, 14? This whole thing stinks. There are 18K BTC missing and a lot of user funds tied up with this and this is how you respond. What a fucking disaster. No wonder bitcoin can't establish any credibility. Your lack of clarity and inability to take any responsibility for this situation only serves to demolish any credibility you guys may have had in this community.

+1 Couldn't have said it better!
full member
Activity: 182
Merit: 100
So basically what I said on my previous post of "be prepared for the blame-game" has now become a reality. Zhou shits on Bitcoin Consultancy. Bitcoin Consultancy shits on Zhou AND the secret investor by vehemently disagreeing with their silence ... an all out war basically between all parties involved.

Still some very important questions remain unanswered:

- Why was bitcoinconsultancy.com taken offline?
- Why is the sock puppet used on this forum named "Bitcoinica consultancy" and not "Bitcoin consultancy"?

Also, could you please confirm if you (intersango / bitcoin consultancy) are IN FACT the GENERAL PARTNER for Bitcoinica LP, or is Zhou lying on this post:

https://bitcointalksearch.org/topic/m.906647

Quote
Undoubtedly, I felt upset about some confusing commenters. I objectively disagreed with Intersango guys' ways of doing things and I think if Bitcoinica is still under my control, some of our customers' immediate issues can be addressed in a more timely manner.

However, I want to express my sincere apology to the General Partners of Bitcoinica LP, because I should not have criticized them when I should bear part of the responsibility by not doing my best in securing the system. The direct cause of the issue is not important, we shouldn't argue about "if someone didn't do X this thing wouldn't have happened", instead, we should say more about "if I did X this thing could be prevented". In this case, I can express these statements...

.....

I am also extremely grateful for the Limited Partner (an investment group) of Bitcoinica LP for exceeding their legal obligation to bear the full cost of both recent attacks. Without their active support, Bitcoinica couldn't have survived until today to serve our customers well.


Zhou seems to suggest that the mystery investor is the limited partner, while Bitcoin Consultancy is the general partner. Care to clarify?

Finally, Zhou claims he has not had any access to the site, and has not even been officially recognized as a PR person for Bitcoinica for "quite some time now". You, on the other hand, claim to have almost no control at all over Bitcoinica, and that you have learned about a lot of what has transpired through forum posts.

I hope you can see this sounds extremely psychotic, and it is incredibly confusing for Bitcoinica customers.

legendary
Activity: 1400
Merit: 1005
I think the post just outlined the fact that their hands are tied.  They can't talk about the situation directly, at this point.  They agree that it's BS that they can't answer the questions, but they aren't the ones to make the decision about what can and cannot be spoken about.
BCB
vip
Activity: 1078
Merit: 1002
BCJ
So let me get this straight. You pen test a 17 year old competitor's faulty site, find vulnerabilities and use that knowledge to muscle your way into his business. Then it blows up in your face and you spend 13 days crafting a carefully worded "statement" which basically establishes that you are now essentially in a pissing match with this kid. How old are you, 14? This whole thing stinks. There are 18K BTC missing and a lot of user funds tied up with this and this is how you respond. What a fucking disaster. No wonder bitcoin can't establish any credibility. Your lack of clarity and inability to take any responsibility for this situation only serves to demolish any credibility you guys may have had in this community.
vip
Activity: 574
Merit: 500
Don't send me a pm unless you gpg encrypt it.
Let me start off by saying the information in this post is gathered from already public statements, separate knowledge or, in individual cases, has been preapproved. We have been disgusted by the fact that we cannot speak liberally. Once the reclaims process is finished, if we are not allowed to speak publicly we will stop all activity with bitcoinica.

Right now, we believe the best thing for all parties involved is that we continue with the reclaims process. We have investigated many of the claims but have many left. There were still claims being filed as of at least yesterday. Our intention is to have a secure platform where users can claim their accounts and everyone will be able to claim their accounts once the claims process is finished. We cannot offer a concrete timeline for exactly when this will happen but we are working as fast as possible. Please be patient. We are truly sorry for the grave inconveniences.



As for recent incidents:

We first got involved with Bitcoinica after we discovered a security vulnerability where we could liberally withdraw and empty bitcoinica's live wallet. It became apparent to us that the site was a poorly constructed security nightmare. We started talks with bitcoinica in the hopes that they would see us as being an indispensable asset to help secure their site. The site currently is far more secure than previously.

While Zhou has made a lot of public statements, I assume his doing so has violated agreement(s) which he may have. He has stated publicly that he does have some non-disclosure agreement. Many of his posts were either untrue or certainly misleading. Many of these posts were directed at us. After being confronted on the issue, he agreed not to post anymore. After breaking that promise only hours later, we confronted him again privately.

He posted an insincere and politically worded apology.

Within the apology he made it sound as though we were trying to stop him from posting. As if he had not respected some secrecy that we wished to maintain. This of course is entirely misleading. He also posted the link to the reclaims page before it was finished and without our consent. He also continued to make very important decisions without our consent which has affected our ability to recover. In fact, even as of the 17th, we were often still in the dark and learning things through Zhou's posts on the forums. We may decide later to take action against Zhou as he has offered no public recompense. He was the owner of bitcoinica, sold bitcoinica keeping earlier profits and it seems he was paid and that he was responsible for its security until at least very recently. We even hope to release our private conversations with him if there is deemed to be no liability for us doing so. These issues should never have been made public and we took many measures speaking with him many times so that it would not get to this level. Right now though this needs to be put on the back-burner. It is immaterial until the claims process is resolved.

As for the current owners of Bitcoinica, they have by far exceeded their legal obligations in helping Bitcoinica recover from the previous hack and have pledged their continued support in seeing this incident fully resolved. I am not sure they knew how insecure the site was when they first bought it. We applaud their generosity. The inability to disclose pertinent information, however, we vehemently disagree with. We believe this information is critical to restoring the trust a business like bitcoinica requires.

First off, you switch between first and third person so often, it is difficult to know whether you speak for yourself or the consultancy.

Second, you claim the current owners have far exceeded their legal obligations. Exactly what are those obligations?

Third, I believe your statement can be summed up with "Things are continuing. We're disappointed with Zhou's actions. More stuff coming soon." Great, so you just wasted a bunch of time. You should instead try answering some of the questions raised in this thread.
legendary
Activity: 2198
Merit: 1311
Let me start off by saying the information in this post is gathered from already public statements, separate knowledge or, in individual cases, has been preapproved. We have been disgusted by the fact that we cannot speak liberally. Once the reclaims process is finished, if we are not allowed to speak publicly we will stop all activity with bitcoinica.

Right now, we believe the best thing for all parties involved is that we continue with the reclaims process. We have investigated many of the claims but have many left. There were still claims being filed as of at least yesterday. Our intention is to have a secure platform where users can claim their accounts and everyone will be able to claim their accounts once the claims process is finished. We cannot offer a concrete timeline for exactly when this will happen but we are working as fast as possible. Please be patient. We are truly sorry for the grave inconveniences.



As for recent incidents:

We first got involved with Bitcoinica after we discovered a security vulnerability where we could liberally withdraw and empty bitcoinica's live wallet. It became apparent to us that the site was a poorly constructed security nightmare. We started talks with bitcoinica in the hopes that they would see us as being an indispensable asset to help secure their site. The site currently is far more secure than previously.

While Zhou has made a lot of public statements, I assume his doing so has violated agreement(s) which he may have. He has stated publicly that he does have some non-disclosure agreement. Many of his posts were either untrue or certainly misleading. Many of these posts were directed at us. After being confronted on the issue, he agreed not to post anymore. After breaking that promise only hours later, we confronted him again privately.

He posted an insincere and politically worded apology.

Within the apology he made it sound as though we were trying to stop him from posting. As if he had not respected some secrecy that we wished to maintain. This of course is entirely misleading. He also posted the link to the reclaims page before it was finished and without our consent. He also continued to make very important decisions without our consent which has affected our ability to recover. In fact, even as of the 17th, we were often still in the dark and learning things through Zhou's posts on the forums. We may decide later to take action against Zhou as he has offered no public recompense. He was the owner of bitcoinica, sold bitcoinica keeping earlier profits and it seems he was paid and that he was responsible for its security until at least very recently. We even hope to release our private conversations with him if there is deemed to be no liability for us doing so. These issues should never have been made public and we took many measures speaking with him many times so that it would not get to this level. Right now though this needs to be put on the back-burner. It is immaterial until the claims process is resolved.

As for the current owners of Bitcoinica, they have by far exceeded their legal obligations in helping Bitcoinica recover from the previous hack and have pledged their continued support in seeing this incident fully resolved. I am not sure they knew how insecure the site was when they first bought it. We applaud their generosity. The inability to disclose pertinent information, however, we vehemently disagree with. We believe this information is critical to restoring the trust a business like bitcoinica requires.

Well, it's something. At the very least, it makes me feel a bit more hopeful. I hope everybody gets their coins back and bitcoinica can be salvaged into something more secure and more robust as a trading platform.
newbie
Activity: 14
Merit: 0
Let me start off by saying the information in this post is gathered from already public statements, separate knowledge or, in individual cases, has been preapproved. We have been disgusted by the fact that we cannot speak liberally. Once the reclaims process is finished, if we are not allowed to speak publicly we will stop all activity with bitcoinica.

Right now, we believe the best thing for all parties involved is that we continue with the reclaims process. We have investigated many of the claims but have many left. There were still claims being filed as of at least yesterday. Our intention is to have a secure platform where users can claim their accounts and everyone will be able to claim their accounts once the claims process is finished. We cannot offer a concrete timeline for exactly when this will happen but we are working as fast as possible. Please be patient. We are truly sorry for the grave inconveniences.



As for recent incidents:

We first got involved with Bitcoinica after we discovered a security vulnerability where we could liberally withdraw and empty bitcoinica's live wallet. It became apparent to us that the site was a poorly constructed security nightmare. We started talks with bitcoinica in the hopes that they would see us as being an indispensable asset to help secure their site. The site currently is far more secure than previously.

While Zhou has made a lot of public statements, I assume his doing so has violated agreement(s) which he may have. He has stated publicly that he does have some non-disclosure agreement. Many of his posts were either untrue or certainly misleading. Many of these posts were directed at us. After being confronted on the issue, he agreed not to post anymore. After breaking that promise only hours later, we confronted him again privately.

He posted an insincere and politically worded apology.

Within the apology he made it sound as though we were trying to stop him from posting. As if he had not respected some secrecy that we wished to maintain. This of course is entirely misleading. He also posted the link to the reclaims page before it was finished and without our consent. He also continued to make very important decisions without our consent which has affected our ability to recover. In fact, even as of the 17th, we were often still in the dark and learning things through Zhou's posts on the forums. We may decide later to take action against Zhou as he has offered no public recompense. He was the owner of bitcoinica, sold bitcoinica keeping earlier profits and it seems he was paid and that he was responsible for its security until at least very recently. We even hope to release our private conversations with him if there is deemed to be no liability for us doing so. These issues should never have been made public and we took many measures speaking with him many times so that it would not get to this level. Right now though this needs to be put on the back-burner. It is immaterial until the claims process is resolved.

As for the current owners of Bitcoinica, they have by far exceeded their legal obligations in helping Bitcoinica recover from the previous hack and have pledged their continued support in seeing this incident fully resolved. I am not sure they knew how insecure the site was when they first bought it. We applaud their generosity. The inability to disclose pertinent information, however, we vehemently disagree with. We believe this information is critical to restoring the trust a business like bitcoinica requires.
hero member
Activity: 504
Merit: 500
Scattering my bits around the net since 1980
As an optional extra, I think that means backups in general. However, the machine images and all associated backups were deleted when the VMs were removed, so I don't know if there was an additional layer of backups somewhere, or whether they are lost to the aether.
Why would someone backup to something with the word "virtual" in the name to begin with? Might as well call it a virtual backup.

What they needed was an _actual_ backup.

Sure, backup to the virtual one, but immediately when it is done, get a copy transmitted to somewhere else that isn't 'virtual'...

just askin' for trouble.

-- Smoov
legendary
Activity: 1868
Merit: 1023
> You bring up a good way of validating something but it might not make people happy. If you funded via a Fiat currency, you should be able to show that funds were sent there. There are 'records' via other institutions and they would be able to show fiat currencies sent back to parties. The difference could at least be a case for refunds if in fact all data was lost. This however doesn't, initially, help people that transferred in using BTC or what they sent out using BTC.

I submitted a claim today. I hope they validate my account. They should be able to check the US dollar transfers from MtGox.
hero member
Activity: 812
Merit: 1000
I only have US dollars at Bitcoinica. I'm hoping that US dollar accounts were unaffected by this. How were the US dollars stored?

Seriously? Can't tell if a joke or not.

well obviously the US dollars were encrypted with Truecrypt and stored offline.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
As an optional extra, I think that means backups in general. However, the machine images and all associated backups were deleted when the VMs were removed, so I don't know if there was an additional layer of backups somewhere, or whether they are lost to the aether.
legendary
Activity: 4690
Merit: 1276
Wonder if Rackspace can retrieve deleted backups...

Glad I'm not the only one thinking this. Rackspace should have had their own set of backups for business continuity reasons (they don't want to tell a bunch of their clients that a server died and had data loss), so if a person contacts them ASAP, there's a chance of recovery. I also know they won't want to keep many versions, so a guy will want to contact them sooner rather than later. In fact, if the consultancy hasn't already contacted them to ask, it's probably too late. Just my .02 btc.
Yeah, it's likely they would only keep a day or a week's worth of backups. Hopefully, that was on the forefront of whoever was dealing with this mess on day 1. I know backups would've been the first thing I would ask about in the event that all of my servers got deleted.

In about three seconds of looking I see it is an optional item (as I suspected.)

If I were storing a significant amount of value or sufficiently valuable secrets, it is unlikely that I would trust Rackspace (or any provider) to do my backups, since I could not control the tapes or whatever technology they might be using. I'd roll my own targeted and maintainable off-site solution, making appropriate use of encryption, and I would test it regularly. In fact, that's exactly what I do in my work, even though I don't even deal with data of particular value (which is itself not entirely accidental).

I have used Rackspace in the distant past and never expected them to provide much by way of disaster recovery. I selected redundancy where I needed it and relied on my ability to re-construct software deployments and retrieve critical data from off-site backups.

legendary
Activity: 1400
Merit: 1005
Wonder if Rackspace can retrieve deleted backups...

Glad I'm not the only one thinking this. Rackspace should have had their own set of backups for business continuity reasons (they don't want to tell a bunch of their clients that a server died and had data loss), so if a person contacts them ASAP, there's a chance of recovery. I also know they won't want to keep many versions, so a guy will want to contact them sooner rather than later. In fact, if the consultancy hasn't already contacted them to ask, it's probably too late. Just my .02 btc.
Yeah, it's likely they would only keep a day or a week's worth of backups. Hopefully, that was on the forefront of whoever was dealing with this mess on day 1. I know backups would've been the first thing I would ask about in the event that all of my servers got deleted.
vip
Activity: 574
Merit: 500
Don't send me a pm unless you gpg encrypt it.
Wonder if Rackspace can retrieve deleted backups...

Glad I'm not the only one thinking this. Rackspace should have had their own set of backups for business continuity reasons (they don't want to tell a bunch of their clients that a server died and had data loss), so if a person contacts them ASAP, there's a chance of recovery. I also know they won't want to keep many versions, so a guy will want to contact them sooner rather than later. In fact, if the consultancy hasn't already contacted them to ask, it's probably too late. Just my .02 btc.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Wonder if Rackspace can retrieve deleted backups...
hero member
Activity: 504
Merit: 500
Scattering my bits around the net since 1980
At this point, I think it is not very likely people will get their BTCs back.

USD ? Sure they will 100% but they can steal all the BTCs and nobody can do a thing.  Undecided
I dunno... if the records about who had which BTC have indeed been deleted, I imagine those same records also kept track of how much USD/EUR/etc was in everyone's accounts too.

The fact that they even bothered to put up a claims page at all, suggests that they have no idea at all who is supposed to get what. Otherwise, there would be little reason to put up a claims page since they'd still have the records of who gets what.

-- Smoov
hero member
Activity: 686
Merit: 500
Shame on everything; regret nothing.
Watching this mess.

Where is my popcorn ? Cheesy


How about chex mix?

Better yet... how about MY FUCKING MONEY??   Angry
hero member
Activity: 518
Merit: 500
Watching this mess.

Where is my popcorn ? Cheesy

That is why I keep coming to this forum ( and the mining aspect ) : the drama. Just like SolidCoin !

At this point, I think it is not very likely people will get their BTCs back.

USD ? Sure they will 100% but they can steal all the BTCs and nobody can do a thing.  Undecided

hero member
Activity: 504
Merit: 500
Scattering my bits around the net since 1980
We had written a long post however we are prevented from posting it due to limitations. We are very sorry. We are trying to resolve this matter however we are limited in our capacities.
And, you guys weren't able to just put the post up on your own home page, and post a link to it here, instead?

Guys, I've stayed pretty quiet through this whole mess, but, ya keep dropping the ball, and don't seem to be trying very hard.

So the post was long.

Post it somewhere else, and link to it.

Break it up into a couple parts, and post it that way.

There are ways to do it. Just giving up, with a "limited in our capacities", is starting to speak more about other capacities that you are limited in, that have nothing to do with forum limitations.

I'm sorry folks, but this is becoming a circus, and you're going to have to do better than this.

-- Smoov
vip
Activity: 490
Merit: 271
> I only have US dollars at Bitcoinica. I'm hoping that US dollar accounts were unaffected by this. How were the US dollars stored?

>> Seriously? Can't tell if a joke or not.

Not a joke. There has been a lack of information for users whose primary assets are in US dollars. Most of the discussion is centered on BTC and I'm wondering if US dollars are a different situation?

I guess the US dollars have to be stored in an account somewhere and are probably secure. But if they were on a credit card account or paypal, I'm guessing they could be compromised just like BTC could. Although they should be returned by charge backs.

Were they storing the US dollars on MtGox? If so, they could have been converted to BTC and withdrawn.

I think what you're missing is that the difference between USD positions and BTC positions on Bitcoinica is the same. They were just numbers on a machine that was compromised. So, poof, gone like magic if the data to all positions was lost. There was no physical cash on the system, just the positions and to whom it belonged. The cash, for the most part, is in the bank if they had cash to store in the bank.

So, yes presumably there is 'cash' somewhere but who it belongs to is another matter and part of the problem as I see it.

However,

You bring up a good way of validating something but it might not make people happy. If you funded via a Fiat currency, you should be able to show that funds were sent there. There are 'records' via other institutions and they would be able to show fiat currencies sent back to parties. The difference could at least be a case for refunds if in fact all data was lost. This however doesn't, initially, help people that transferred in using BTC or what they sent out using BTC.

Without data and proof of accounts and positions, this is/could be one big mess.

We're all speculating here though. Not much in the way of official communications from those in authoritative positions.