Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 45. (Read 224562 times)

Here is an interesting dicussion.  

https://bitcointalksearch.org/topic/what-can-really-be-done-about-server-hacking-81341

The info on the Thales links offers some interesting solutions for the security minded.

http://www.thales-esecurity.com/Products/Hardware%20Security%20Modules/nShield%20Edge.aspx

JoelKatz also had an interesting solution a few pages back:
/quote/
The correct solution is really never to use a hot wallet at all. There is no reason a key ever needs to be on a machine with Internet access. Methods to sign something with a key while preventing theft of the key or signing of bogus data are well understood since certificate authorities worked them all out. The irony is that CAs frequently ignore these well-understood security practices too.

One way is to a have a machine that is physically secure whose sole purpose is to sign transactions. It can talk over a serial port to a machine with Internet access. The software on the physically-secure machine controls the signing of transactions and is the only machine that can actually process a withdrawal. Any thief could, at most, compromise the machine at the other end of the serial port and would be limited to the commands that exist over the serial link. He could never extract a key that can sign Bitcoin transactions nor can he process a transaction that doesn't meet your security requirements. Yet transactions that do meet those requirements can process without human intervention.
/quote/

I agree. I have been in this forum since September 2010 regularly, and this is the worst handling of an issue. Even more worrying is that amir taaki who I respect and who is with intersango is quiet like a mouse.
This is not a sign of "customer is king attitude" I would have expected

I think that Bitcoinica should join this NZ financial service providers arbitration/dispute resolution service

http://www.fdr.org.nz/

& Zhou I'm waiting to hear back from you on your main Bitcoinica thread where you offered to refund me for the considerable swaps fees when they were first introduced ages ago - thanks

< begin troll  >

For all we know, intersango is the culprit!   2weeks!

< / end trolling >

I've said it all along.  People shouldshouldn't have to dig through news articles and forum threads to know what is going on.  It should be on a splash page on the website.

Agreed, this is being handled terribly, if it weren't for zhoutong we wouldn't know anything at all.

good news, Pirate's Btc S&T interest payments have not been effected by the Btca lockdown I'm most happy to report

just out of curiosity I wonder if these latest hackers were also the Linode ones & used inside info gathered in that server rape to plan & execute the email server hack

well. obviously, those who had profitable positions would be upset to not close out with those profits (since it's a FORCED liquidation)
and of course, those with unprofitable position would be upset to lose the money by having their positions force liquidated unexpectedly.

It seems that the way to retain the most honorable position is to pay them out to the customer's advantage. To do otherwise suggests that the payouts are to bitcoinica's advantage (even if this is not the case, the lack of transparency makes this a valid concern for the customers who are suffering losses because of bitcoinica's failures)

Worst case, as I said above, bitcoinica should close out positions at their base prices.

I'm a little concern about offering people 'unrealized' gains. There is a reason they are unrealized.

You are now predicting what a person would have done in the future. Everyone knows what they would have done in the past. (i.e. maximize their profits with future knowledge.)

I think it is appropriate to return the underlying bet, not the unrealized gains.

e.g. I place a bet on 22 BLACK, someone puts the ball on 00 Green and steals the dealers chips and the placed bets. The player says: hey, I was going to place my bet on 00 Green. Pay me my unrealized gains at 35:1. NO sir. You just get your original bet back. You had $25 dollars in play, you just get $25 dollars back.

Can you please post some links because I am not aware of this happening.

I always thought ( and still think ) zhoutong was a pretty standup person on here and very honest.

He even gave me a $1 bonus for bitcoinica

I am more worried about my money at intersango right now because of this problem and them not giving any response so far to this incident

The point is, Bitcoinica is forcing you to close your position right now. If it didn't, you could liquidate your position later on, if the price were better for you.

is that price still not known?

it is hard to enter a trade elsewhere not knowing what price these now-frozen positions will be closed out at.  if there is a 10% rally, will the settlement price be set at current rates when that event happens, or will settlement price be in the range described regardless of later price moves?

I might not have the maths right in my head, but..

Assuming you had somewhere else to move your losing position to, I'm not sure it makes any difference when you close a position (assuming no spread fees, which Zhou has said they won't be charging).  Your net value is your net value.  You could take that net value and reopen the same position elsewhere couldn't you?  Or is the problem that there is nowhere to margin trade right now that we can move to?

(I'm not disagreeing, I'm genuinely asking where my mistake is)

Can you please explain how using some other software— even a HSM— could have prevented the wallet your site actively withdraws from at the request of users from being robbed by an attacker with root access to your servers?

No. Bitcoinica is responsible for their customer deposits, and their customers should not be financially liable for bitcoinica's negligence and incompetence.

I'm not that mad at the hackers. I'm definitely mad at the incompetence shown, and the negligence shown at bitcoinica. They KNEW this was a problem and failed to change either policies or systems to mitigate the problem. Now the customers suffer losses due to bitcoinica's negligence. That's bullshit.

The failure was 100% bitcoinica's - the losses should be 100% bitcoinica's.

There've been increasing red flags, including Zhou Tong cashing out $10K USD chunks a couple weeks ago. I find it NO SURPRISE there's been an incident like this and bitcoinica is closing up shop.

No harder than any other automated money transfer... don't go trying to blame bitcoind for your incompetence... it has issues, yes, but this isn't one of them.

You just gotta suck it up guruvan just like the rest of us.

Don't like how they are handling this as a FSP ? Go ahead and sue them !

I think this way of handling is extremely fair and nobody is getting cheated.

Everybody should be angry at the hackers and NOT at zhoutong.

Just because you can't attribute the hacker to some entity does not make zhoutong immediately responsible for all your ills and the market moving up etc.

IoW, what I'm saying is that bitcoinica owes people their unrealized Gains, is should eat shit on the unrealized losses if it wants to close up with no notice.

Failure to do that makes me presume that bitcoinica is being dishonest, and stealing from the customer base.

Period.

It's a spike up from 4,80 and it's only getting higher.