[Emergency ANN] Bitcoinica site is taken offline for security investigation - page 4.

repentance

hero member

Activity: 868

Merit: 1000

Quote from: rdponticelli on May 25, 2012, 06:19:07 PM

Please?

This thread has some fun, I can't deny it. Is nice to read it sometimes. But it would be better if you start something like Bitcoinica Claim Process, or something alike, more focused on updates for those trying to know how everything's going, don't you think?

It's been explicitly stated several times that Bitcoinica Consultancy alone is handling the claims process, so perhaps the request for a dedicated thread needs to be made of them - even though they seem totally unable to communicate in a timely and comprehensible manner. It would be valuable if they listed specific times when people can expect updates on the process.

I also notice that the question of whether this intrusion has been reported to law enforcement remains unanswered. There is no reason whatsoever for a legitimate enterprise not reporting the theft of its database, regardless of the contents of that database. In the past, there have been investigations into and charges laid over the theft of in-game items in virtual worlds - it's not necessary to define Bitcoin as a currency or a commodity in order to determine both that it has value and ownership. That the operators of Bitcoinica are willing to reimburse customer losses doesn't mean that the theft shouldn't be formally investigated.

hazek

legendary

Activity: 1078

Merit: 1003

Quote from: LightRider on May 25, 2012, 04:42:17 PM

If there is a lesson to be learned here, it is that you can't make the world a better place in the context of a monetary system. The only wealth we have is our relationships with our fellow human beings. Any technological advancement that is outside the context of making such relationships healthier works to degrade that wealth. Zhou is making the right call in recognizing that he cannot pursue his desires to make society better while working in a sick game of token exchange.

looool Nothing like a Zeitgeister to top this thread off. Roll Eyes

rdponticelli

sr. member

Activity: 325

Merit: 250

Our highest capital is the Confidence we build.

Quote from: rdponticelli on May 24, 2012, 06:12:07 PM

Can anybody involved setup a communication thread where we can have some information without so much noise?

Quote from: BadBitcoin (James Sutton) on May 25, 2012, 05:45:25 PM

Quote from: zhoutong on May 25, 2012, 04:03:03 PM

Site note:

You can safely delete Bitcoinica from your Google Authenticator app.

The GA keys were stored in plain text, so we can't use it as an authentication method. In OTP authentication, we have to use the same key that was added to your smartphone to verify your OTP.

'

zhou, is there any way to get updated information on the progression of these claims without having to sift through this forum thread every few hours?

Please?

This thread has some fun, I can't deny it. Is nice to read it sometimes. But it would be better if you start something like Bitcoinica Claim Process, or something alike, more focused on updates for those trying to know how everything's going, don't you think?

Otoh

donator

Activity: 3108

Merit: 1166

Quote from: zhoutong on May 25, 2012, 03:26:46 PM

Quote from: N12 on May 25, 2012, 03:12:08 PM

Quote from: rjk on May 25, 2012, 03:09:17 PM

Quote from: N12 on May 25, 2012, 02:59:31 PM

YOU BETTER SOMEHOW RETRIEVE THE DB FROM THE HACKER OR THIS IS GOING TO END UP IN DISASTER!

It's not a disaster already?

I mean insolvency style disaster. 18.5k BTC is nothing.

What are they going to do if (and it is not really "if" – when it comes to money, people will do it if they can get away with it) there are a few hundred cunning people like me who thought the same on 20th of May? Read my IRC log.

What are they going to do once the deposit claims total 500k BTC, most of them being from 100+ points users?

There are only so many funds, and the fight over them is ON.

Better find a way to retrieve the database before they go broke, no?

We have all kinds of accounting reports. They are outdated and incomplete to restore trading, but far current enough to identify fake claims.

Tihan is a careful person and he keeps all the logs when he runs his stats program.

Submitting false claims will only result in delay of fund returns. The point system I proposed is used to save time and effort for people with accurate records. There isn't any reason to verify people with verified Bitcoinica account and only 1 BTC balance (and our record proves so). We should just refund the customer in full immediately.

The claim process involves subjective judgements, and that's why I request for take-over. I'm obviously more familiar with the user base and I should provide as much assistance as I can.

I have requested again for takeover in the Skype group and provided my working plan. If they approve within 8 hours from now I'll probably start refunding customers by early next week and finish by the end of next week.

zhoutong
VIP
Hero Member
******
Founder, CEO
& hopes to be the
Official Receiver
of Bitcoinica Grin

Bitcoinica Memorial Day anyone, when we remember those brave & contagious souls who risked their all in a dodgy margin trading scheme, we recall those funds that were for ever lost, mislaid or indefinitely detained without due process, we vow never to repeat such a madness ever again, or at least not until Kronos.io opens for business next week

BadBitcoin (James Sutton)

donator

Activity: 452

Merit: 252

Quote from: zhoutong on May 25, 2012, 04:03:03 PM

Site note:

You can safely delete Bitcoinica from your Google Authenticator app.

The GA keys were stored in plain text, so we can't use it as an authentication method. In OTP authentication, we have to use the same key that was added to your smartphone to verify your OTP.

'

zhou, is there any way to get updated information on the progression of these claims without having to sift through this forum thread every few hours?

JusticeForYou

vip

Activity: 490

Merit: 271

Well I've written ISO ISM manuals in the past.

So why not a wiki?

Start ISO 31337 and a Bitcoin ISM

I'm sure crowd sourced contributions that are voted on would come up with something pretty reasonable.

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: Coinoisseur on May 25, 2012, 04:59:45 PM

Quote from: rjk on May 25, 2012, 04:47:22 PM

Quote from: Coinoisseur on May 25, 2012, 04:26:56 PM

Quote from: rjk on May 25, 2012, 04:11:55 PM

So how about starting a wiki on the framework for recoverable and resilient systems? For instance, binlogging to an encrypted disk on a server in a different datacenter, because that would fix issues with deleted databases. And HSM devices or some equivalent for storing private keys. And daily and hourly backups to systems outside of the core network. Encrypted of course.
What other ideas do people have?

Reason there isn't a consolidated resource is because people and companies make a lot of money in the computer security sector. You can find a lot of good information piecemeal but the "how" of putting it all together has extra value from the hoarding of that knowledge.

Very true. And, the "how" often changes so rapidly that maintaining a comprehensive resource on it is not workable. What I want to see is a list of minimum standards that should be expected from businesses dealing with our money. Simply a framework of technologies that you have to stir together in the right proportions, and a list of potential consequences of omitting one or more of them.

You are describing financial regulations, for that you should deal with financially regulated companies. I personally have no wish to see BTC taken over by any government's financial framework. It's a tough problem, imo this is a great opportunity to see if open sourcing security completely would actually be effective. If the whole process is completely transparent then people can decide for themselves whether to use a BTC service.

Not even government based, but just a wiki somewhere.

Many of the FIPS-140-2 guidelines are extremely applicable though.

Coinoisseur

sr. member

Activity: 336

Merit: 250

You are describing financial regulations, for that you should deal with financially regulated companies. I personally have no wish to see BTC taken over by any government's financial framework. It's a tough problem, imo this is a great opportunity to see if open sourcing security completely would actually be effective. If the whole process is completely transparent then people can decide for themselves whether to use a BTC service.

Quote from: rjk on May 25, 2012, 04:47:22 PM

Quote from: Coinoisseur on May 25, 2012, 04:26:56 PM

Reason there isn't a consolidated resource is because people and companies make a lot of money in the computer security sector. You can find a lot of good information piecemeal but the "how" of putting it all together has extra value from the hoarding of that knowledge.

Quote from: rjk on May 25, 2012, 04:11:55 PM

So how about starting a wiki on the framework for recoverable and resilient systems? For instance, binlogging to an encrypted disk on a server in a different datacenter, because that would fix issues with deleted databases. And HSM devices or some equivalent for storing private keys. And daily and hourly backups to systems outside of the core network. Encrypted of course.
What other ideas do people have?

Very true. And, the "how" often changes so rapidly that maintaining a comprehensive resource on it is not workable. What I want to see is a list of minimum standards that should be expected from businesses dealing with our money. Simply a framework of technologies that you have to stir together in the right proportions, and a list of potential consequences of omitting one or more of them.

RandyMarsh

full member

Activity: 237

Merit: 100

Quote from: zhoutong on May 25, 2012, 03:26:46 PM

We have all kinds of accounting reports. They are outdated and incomplete to restore trading, but far current enough to identify fake claims.

My last deposit was made about an hour before this happened... Does this mean the info I can provide about that deposit is useless in making my claim?

And its the last deposit specifically the claim form asks for...

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: Coinoisseur on May 25, 2012, 04:26:56 PM

Reason there isn't a consolidated resource is because people and companies make a lot of money in the computer security sector. You can find a lot of good information piecemeal but the "how" of putting it all together has extra value from the hoarding of that knowledge.

Quote from: rjk on May 25, 2012, 04:11:55 PM

So how about starting a wiki on the framework for recoverable and resilient systems? For instance, binlogging to an encrypted disk on a server in a different datacenter, because that would fix issues with deleted databases. And HSM devices or some equivalent for storing private keys. And daily and hourly backups to systems outside of the core network. Encrypted of course.
What other ideas do people have?

Very true. And, the "how" often changes so rapidly that maintaining a comprehensive resource on it is not workable. What I want to see is a list of minimum standards that should be expected from businesses dealing with our money. Simply a framework of technologies that you have to stir together in the right proportions, and a list of potential consequences of omitting one or more of them.

LightRider

legendary

Activity: 1500

Merit: 1022

I advocate the Zeitgeist Movement & Venus Project.

If there is a lesson to be learned here, it is that you can't make the world a better place in the context of a monetary system. The only wealth we have is our relationships with our fellow human beings. Any technological advancement that is outside the context of making such relationships healthier works to degrade that wealth. Zhou is making the right call in recognizing that he cannot pursue his desires to make society better while working in a sick game of token exchange.

Coinoisseur

sr. member

Activity: 336

Merit: 250

Reason there isn't a consolidated resource is because people and companies make a lot of money in the computer security sector. You can find a lot of good information piecemeal but the "how" of putting it all together has extra value from the hoarding of that knowledge.

Quote from: rjk on May 25, 2012, 04:11:55 PM

So how about starting a wiki on the framework for recoverable and resilient systems? For instance, binlogging to an encrypted disk on a server in a different datacenter, because that would fix issues with deleted databases. And HSM devices or some equivalent for storing private keys. And daily and hourly backups to systems outside of the core network. Encrypted of course.
What other ideas do people have?

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

So how about starting a wiki on the framework for recoverable and resilient systems? For instance, binlogging to an encrypted disk on a server in a different datacenter, because that would fix issues with deleted databases. And HSM devices or some equivalent for storing private keys. And daily and hourly backups to systems outside of the core network. Encrypted of course.
What other ideas do people have?

Coinoisseur

sr. member

Activity: 336

Merit: 250

Even if they re-acquired the database, it's worthless for purposes of payouts, the trust chain is broken. Unless they kept up to date hash information on the database information they could verify records with, extremely unlikely.

IMO, they should have had an EULA that said "this site is for entertainment purposes only, no losses will be covered". This is also why non-financial institutions like to sell you a point system such as MS Points, Riot Points, whatever Sony's is called instead of keep a currency account open. Because buried in the terms for their points is the legal equivalent of "no guarantees".

Quote from: N12 on May 25, 2012, 03:35:40 PM

@zhoutong
So the accounting stuff says I had some past balance or deposit and the amount of funds I claimed was in the ballpark of this. What now? My fake claim still goes through.

Let me make myself very clear here.

There is but ONE solution where Bitcoinica does not necessarily go bust.

You have to retrieve the database!

Do it either by posting a bounty or by catching the hacker.

Every passing day without database increases the likelihood for it to be entirely forged once it is released!

Blitz out.

zhoutong

vip

Activity: 490

Merit: 502

Site note:

You can safely delete Bitcoinica from your Google Authenticator app.

The GA keys were stored in plain text, so we can't use it as an authentication method. In OTP authentication, we have to use the same key that was added to your smartphone to verify your OTP.

zhoutong

vip

Activity: 490

Merit: 502

Quote from: N12 on May 25, 2012, 03:35:40 PM

@zhoutong
So the accounting stuff says I had some past balance or deposit and the amount of funds I claimed was in the ballpark of this. What now? My fake claim still goes through.

Let me make myself very clear here.

There is but ONE solution where Bitcoinica does not necessarily go bust.

You have to retrieve the database!

Do it either by posting a bounty or by catching the hacker.

Every passing day without database increases the likelihood for it to be entirely forged once it is released!

Blitz out.

Your fake claim going through doesn't mean it will be approved. Everything is going to be reviewed by a human.

Of course getting the database back will be a good thing, but it's definitely not worth 18k BTC (even paying everyone 10% more will be cheaper than that).

Whether the hacker chooses to release the database or not it's his personal matter. I personally prefer the hacker not to leak anything though.

Your money will be returned. Just don't worry about it.

You can assume that we have the database now. The reconstruction work is much simpler than what I thought.

JusticeForYou

vip

Activity: 490

Merit: 271

Quote from: kokjo on May 25, 2012, 03:39:27 PM

Quote from: N12 on May 25, 2012, 03:35:40 PM

You have to retrieve the database!

no. and it would be a very stupid idea to relie on the database now, that hacker would have messed it up already(i would at least).
the db is more then useless right now, its directly misleading.

It's compromised, not totally useless.

kokjo

legendary

Activity: 1050

Merit: 1000

You are WRONG!

Quote from: N12 on May 25, 2012, 03:35:40 PM

You have to retrieve the database!

no. and it would be a very stupid idea to relie on the database now, that hacker would have messed it up already(i would at least).
the db is more then useless right now, its directly misleading.

N12

donator

Activity: 1610

Merit: 1010

@zhoutong
So the accounting stuff says I had some past balance or deposit and the amount of funds I claimed was in the ballpark of this. What now? My fake claim still goes through.

Let me make myself very clear here.

There is but ONE solution where Bitcoinica does not necessarily go bust.

You have to retrieve the database!

Do it either by posting a bounty or by catching the hacker.

Every passing day without database increases the likelihood for it to be entirely forged once it is released!

Blitz out.

proudhon

legendary

Activity: 2198

Merit: 1311

Quote from: Raoul Duke on May 25, 2012, 02:10:56 PM

Quote from: SgtSpike on May 25, 2012, 01:53:49 PM

Zhou, I don't remember if I had a balance on Bitcoinica or not. If I did, it was a rather old balance. I submitted a claim when the claims form was revealed, and put 0 btc in everything since I had no clue if I had anything in there or not. Should I take any additional steps? Resubmit a claim with different balances?

It was a small amount if any (I think 1 BTC or 5 BTC), so not a huge deal, just wondering what I should do to be sure I get back anything I did have in there.

You should be asking that to Mr. Hacker. He's the only one who knows your Bitcoinica balance now lol

When is the hacker's claims page gonna be up?

Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 4. (Read 224563 times)