Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 21. (Read 224563 times)

+1 Couldn't have said it better!

So basically what I said on my previous post of "be prepared for the blame-game" has now become a reality. Zhou shits on Bitcoin Consultancy. Bitcoin consultancy shits on Zhou AND the secret investor by vehemntly disagreeing with their silence ... an all out war basically between all parties involved.

Still some very important questions remain unanswered:

- Why was bitcoinconsultancy.com taken offline?
- Why is the sock puppet used on this forum named "Bitcoinica consultancy" and not "Bitcoin consultancy"?

Also, could you please confirm if you (intersango / bitcoin consultancy) are IN FACT the GENERAL PARTNER for Bitcoinica LP, or is Zhou lying on this post:

https://bitcointalksearch.org/topic/m.906647


Zhou seems to suggest that the mystery investor is the limited partner, while Bitcoin Consultancy is the general partner. Care to clarify?

Finally, Zhou claims he has not have had any access to the site, and has not even been officially recognized as a PR person for Bitcoinica for "quite some time now". You on the other hand, claim to have almost no control at all over Bitcoinica, and that have learned about a lot of what has transpired through Forum posts.

I hope you can see this sounds extremely psychotic, and it is incredibly confusing for Bitcoinica customers.

I think the post just outlined the fact that their hands are tied.  They can't talk about the situation directly, at this point.  They agree that it's BS that they can't answer the questions, but they aren't the ones to make the decision about what can and cannot be spoken about.

So let me get this straight.  You pen test a 17 year old competitors' faulty site, fine vulnerabilities and use that knowledge to muscle your way into his business.  Then it blows up in your face and you spend 13 days crafting a carefully worded "statement" which basically establishes that you are now essentially in a pissing match with this kid.  How old are you 14?  This whole think stinks.  There are 18K BTC missing and a lot of user funds tied up with this and this is how you respond.  What a fucking disaster.  No wonder bitcoin can't establish any credibility.  Your lack of clarity and inability to take any responsibility for this situation only  serves to demolish any credibility you guys may have had in this community.

First off, you switch between first and third person so often, it is difficult to know whether you speak for yourself or the consultancy.

Second, you claim the current owners have far exceeded their legal obligations.  Exactly what are those obligations?

Third, I believe your statement can be summed up with "Things are continuing.  We're disappointed with Zhou's actions. More stuff coming soon."  Great, so you just wasted a bunch of time.  You should instead try answering some of the questions raised in this thread.

Well, it's something.  At the very least, it makes me feel a bit more hopeful.  I hope everybody gets their coins back and bitcoinica can be salvaged into something more secure and more robust as a trading platform.

Let me start off by saying the information in this post is gathered from already public statements, separate knowledge or, in individual cases has been preapproved. We have been disgusted by the fact that we cannot speak liberally. Once the reclaims process is finished, if we are not allowed to speak publicly we will stop all activity with bitcoinica.

Right now, we believe the best thing for all parties involved is that we continue with the reclaims process. We have investigated many of the claims but have many left. There were still claims being filed as of at least yesterday. Our intention is to have a secure platform where users can claim their accounts and everyone will be able to claims their accounts once the claims process is finished. We cannot offer a concrete timeline for exactly when this will happen but we are working as fast as possible. Please be patient. We are truly sorry for the grave inconveniences.



As for recent incidents:

We first got involved with Bitcoinica after we discovered a security vulnerability where we could liberally withdraw and empty bitcoinica's live wallet. It became apparent to us that the site was a poorly constructed security nightmare. We started talks with bitcoinica in the hopes that they would see us as being an indispensable asset to help secure their site. The site currently is far more secure then previously.

While Zhou has made a lot of public statements, I assume his doing so has violated agreement(s) which he may have. He has stated publicly that he does have some non-disclosure agreement. Many of his posts were either untrue or certainly misleading. Many of these posts were directed at us. After being confronted on the issue, he agreed not to post anymore. After breaking that promise only hours later, we confronted him again privately.

He posted an insincere and politically worded apology.

Within the apology he made it sound as though we were trying to stop him from posting. As if he had not respected some secrecy that we wished to maintain. This of course is entirely misleading. He also posted the link to the reclaims page before it was finished and without our consent. He also continued to make very important decisions without our consent which has effected our ability to recover. In fact, even as of the 17th, we were often still in the dark and learning things through Zhou's posts on the forums. We may decide later to take action against Zhou as he has offered no public recompense. He was the owner of bitcoinica, sold bitcoinica keeping earlier profits and it seems he was paid and that he was responsible for its security until at least very recently. We even hope to release our private conversations with him if there is deemed to be no liability for us doing so. These issues should never have been made public and we took many measures speaking with him many times so that it would not get to this level. Right now though this needs to be put on the back-burner. It is immaterial until the claims process if resolved.

As for the current owners of Bitcoinica, they have by far exceeded their legal obligations in helping Bitcoinica recover from the previous hack and have pledged their continued support in seeing this incident fully resolved. I am not sure they knew how insecure the site was when they first bought it. We applaud their generosity. The inability to disclose pertinent information however we vehemently disagree with. We believe this information is critical to restoring the trust a business like bitcoinica requires.

Why would someone backup to something with the word "virtual" in the name to begin with? Might as well call it a virtual backup.

What they needed was an _actual_ backup.

Sure, backup to the virtual one, but immediately when it is done, get a copy transmitted to somewhere else that isn't 'virtual'...

just askin' for trouble.

-- Smoov

>You bring up a good way of validating something but it might not make people happy. If you funded via a Fiat currency, you should be able to show that funds >were sent there. There are 'records' via other institutions and they would be able to show fiat currencies sent back to parties. The difference could at least be >a case for refunds if in fact all data was lost. This however doesn't, initially, help people that transferred in using BTC or what they sent out using BTC.

I submitted a claim today.  I hope they validate my account.  They should be able to check the US dollar transfers from MtGox.

well obviously the US dollars were encrypted with Truecrypt and stored offline.

As an optional extra, I think that means backups in general. However, the machine images and all associated backups were deleted when the VMs were removed, so I don't know if there was an additional layer of backups somewhere, or whether they are lost to the aether.

In about three seconds of looking I see it is an optional item (as I suspected.)

If I were storing a significant amount of value or sufficiently valuable secrets it is unlikely that I would trust Rackspace (or any provider) to do my backups since I could not control the tapes or whatever technology they might be using.  I'd roll my own targeted and maintainable off-site solution making appropriate use of encryption and I would test it regularly.  In fact that's exactly what I do in my work even though I don't even deal with data of particular value (which is itself not entirely accidental)

I have used Rackspace in the distant past and never expected them to provide much by way disaster recovery.  I selected redundancy where I needed it and relied on my ability to re-construct software deployments and retrieve critical data from off-site backups.

Yeah, it's likely they would only keep a day or a week's worth of backups.  Hopefully, that was on the forefront of whoever was dealing with this mess on day 1.  I know backups would've been the first thing I would ask about in the event that all of my servers got deleted.

Glad I'm not the only one thinking this.  Rackspace should have had their own set of backups for business continuity reasons (they don't want to tell a bunch of their clients that a server died and had data loss) so if a person contacts them ASAP, there's chance of recovery.  I also know they won't want to keep many versions, so a guy will want to contact them sooner than later.  In fact, if the consultancy hasn't already contacted them to ask, its probably too late.  Just my .02 btc.

Wonder if Rackspace can retrieve deleted backups...

I dunno... if the records about who had which BTC has indeed been deleted, I imagine those same records also kept track of how much USD/EUR/etc was in everyone's accounts too.

The fact that they even bothered to put up a claims page at all, suggests that they have no idea at all who is supposed to get what. Otherwise, there would be little reason to put up a claims page since they'd still have the records of who gets what.

-- Smoov

How about chex mix?

Better yet... how about MY FUCKING MONEY??   

Watching this mess.

Where is my popcorn ?

That is why I keep coming to this forum ( and the mining aspect ) : the drama. Just like SolidCoin !

At this point, I think it is not very likely people will get their BTCs back.

USD ? Sure they will 100% but they can steal all the BTCs and nobody can do a thing. 

And, you guys weren't able to just put the post up on your own home page, and post a link to it here, instead?

Guys, I've stayed pretty quiet through this whole mess, but, ya keep dropping the ball, and don't seem to be trying very hard.

So the post was long.

Post it somewhere else, and link to it.

Break it up into a couple parts, and post it that way.

There are ways to do it. Just giving up, with a "limited in our capacities", is starting to speak more about other capacities that you are limited in, that have nothing to do with forum limitations.

I'm sorry folks, but this is becoming a circus, and you're going to have to do better than this.

-- Smoov

I think what your missing is the difference between USD positions and BTC positions on Bitcoinica is the same. They were just numbers on a machine that was compromised. So, poof gone like magic if the data to all positions was lost. There was no physical cash on the system, just the positions and to whom it belonged. The cash, for the most part, is in the bank if they had cash to store in the bank.

So, yes presumably there is 'cash' somewhere but who it belongs to is another matter and part of the problem as I see it.

However,

You bring up a good way of validating something but it might not make people happy. If you funded via a Fiat currency, you should be able to show that funds were sent there. There are 'records' via other institutions and they would be able to show fiat currencies sent back to parties. The difference could at least be a case for refunds if in fact all data was lost. This however doesn't, initially, help people that transferred in using BTC or what they sent out using BTC.

Without data and proof of accounts and positions, this is/could be one big mess.

We're all speculating here though. Not much in the way of official communications from those in authoritative positions.