Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 48. (Read 224562 times)

You forgot step 2: Post the drama thread, divert attention from the real problem and walk away with almost everybody patting you on the back and telling you what a great guy you are.

That gives you the worst of both worlds. No automated withdrawals are ever possible, and an attacker can just wait until a transaction is approved to snatch the keys out of memory.

That's what happens when someone steals from a hot wallet. They get all the money that was available for automated transactions, plus any additional funds in wallets whose keys they were able to find in transient storage.

The correct solution is really never to use a hot wallet at all. There is no reason a key ever needs to be on a machine with Internet access. Methods to sign something with a key while preventing theft of the key or signing of bogus data are well understood since certificate authorities worked them all out. The irony is that CAs frequently ignore these well-understood security practices too.

One way is to a have a machine that is physically secure whose sole purpose is to sign transactions. It can talk over a serial port to a machine with Internet access. The software on the physically-secure machine controls the signing of transactions and is the only machine that can actually process a withdrawal. Any thief could, at most, compromise the machine at the other end of the serial port and would be limited to the commands that exist over the serial link. He could never extract a key that can sign Bitcoin transactions nor can he process a transaction that doesn't meet your security requirements. Yet transactions that do meet those requirements can process without human intervention.

Using this as context for Zhous words, his story sounds weird.

Hacker deleted all the evidence mate. The only evidence we have is the 18K TX. What more do you want

Are we getting payed the interest on our USD while this is going ? Can they afford to really buy 18K BTC again to compensate ? I doubt it.

just posted a claim pre-dating all these on the original Bitcoinica thread

https://bitcointalksearch.org/topic/m.898334

it's about $5,000 that you took me for - appreciate if you could fast track that Zhou, many thanks  

you can send it at any time to the address in my sig & move on or you can choose not to, do as you would be done by

The requirement to send your personal info to get your wire transfer would cover that.

A hacker who'd tampered his own position/balance wouldn't send his credentials.

In any case, by the looks of it they are in damage control mode and forced liquidation at market prices seems the least damaging option if putting the site back online is for any reason out of the question.

I took all my coins out shortly after the first fiasco. The more I heard about the decisions behind the system, the more convinced I was it wasn't ready for the kind of "attention" it was bound to bring (*esp. after he decided to make it mandatory to send your real credentials to the site... I wouldn't want them to store my data). This is a clear force majeure case, I'd count my lucky stars with just having a position force-liquidated over just saying goodbye to all my balance, if I were in your position.

Is there such a thing?  WOW... who would have thunk it.

From what Zhou posted I assume Bitcoinica was using plain old MySQL, so no luck with this.

EDIT: Unless they have done daily offsite database backups. That would help - you would just compare it to existing DB to check if it was tampered with.

I see both sides here. However, if you don't respect his/her privacy as instructed, give back his/her money.

If only database technology was available for financial services where there is the ability to store transactions with auditable history as well as there being an archive log such that recovery to a point in time is possible.  If only such a thing existed ....

They don't want to risk it.

They don't want to take even further damage on an insecure system, by the looks of it.

I'm pretty sure they would put it back online right now if they could, their time offline is costly for them. They lose prospective users and credibility by the minute. So I guess they just cannot trust the system to put it online even for a minute.

Anyway you do well in voicing your suggestions. Maybe they can actually afford to give it a try, we'll see tomorrow I guess.

It's a bit confusing that they decided to take their blog offline as well. I wonder what are they up to right now. They could do a bit better in the communication front.

I believe even MT requires to be woken up in the middle of the night on large movements. Sometimes, I believe, by actually talking to the owner.

What is preventing them from putting the site up? If they worry about the attacker logging into customer accounts (which, because they claim the passwords are salted & hashed with bcrypt seems not probable) they could just reset all users' passwords and let them log in using activation code. People that have 2nd auth via Google Authenticator will be even more secure this way*. Doing it like this would enable users to decide for themselves if they want to shut down their positions or not. Doing it on behalf of users against their will is just wrong to me.

*there's always a possibility that the attacker tampered with the database. But it's nearly impossible to tell which data was tampered with and which wasn't, so either way they're in pretty hot water.

What is your alternative if Bitcoinica's going offline and coming back with a new system in a matter of months? do you prefer to keep your position for that long without the option to change it? did you consider that when the "expected mass leak" happens your position and everybody else's will be disclosed and you can get zhoutonged for real?

The least disruptive course of action is precisely the one ZT described. That much is clear. Unless he can enable the site selectively which appears not to be the case.

Christmas 2015 Edition?

I can't wait to read all about this in the Bitcoin Magazine.

Still waiting for the logs.................................................

I would not mind  

Try and remember this, when TradeHill announced they are shutting down everyone flipped out about wether they were getting their money back.

I constantly acted as middle man between TH and this community. We build an automated system so everyone can withdraw their funds via check or into another exchange. We had to manually verify every single customer for AML requirements which was not easy.

Furthermore, we also arbitrated dozens of disputes between TH and customers, all which are now resolved.

As soon as I knew an update, I posted it on these forums and recieved phone calls day and night of customers seeking assurance even though I had no stake in tradehill whatsoever

I plan on doing the same for Bitcoinica.

We already have a withdrawal system in place where anyone can withdraw their Bitcoinica funds to another exchange within minutes for fees ranging between 0.89%-1.29%

We are finishing up a check withdrawal option so you can get a check in 3 days, in addition to the wire and local bank transfer withdrawal option we're building.



I see here that your anger at Bitcoinica is being directed at me, for that I have nothing left to say to you.

My responses to you were not 'funny' they were meant to lighten the solemn mood. I have over $20,000 held up in my Bitcoinica account and I won't be getting it back anytime sooner then you will. We are all in the same boat pal.

If the Bitcoinica team allows me, I plan on updating this community as much as I can and I will be glad to help in any disputes.

I hope my past and future services to this community have build enough trust with you all, and I'm humbled to be apart of Bitcoin

-Charlie

This is just plain wrong. I have had mid- and long-term positions there. Some were in the green, but some were in the red. I didn't have any intention to touch them now, let alone liquidate them fully! Forcing me to do that is nothing more than taking forcefully my money with you. I really hope you reconsider this.

Frankly I dont care what you think about my response, Im not here to lick the ass of any company be it big or small. Alot of serious questions were raised in here and you responded with apparent knowledge of all the people in the know-how however you choose to essentially laugh it off with your recent response(before my response) where you could have responded that you will let the "powers in charge" know about everyones concerns.

Why is zhou updating anyone? He isnt the one accountable anymore(his own words) nor is he even working for bitcoinica anymore(he stated he is posting since everyone know him from bitcoinica and nothing more) so why do all of us have to wait for him to respond if he is in fact not even a part of bitcoinica main ownership/employees anymore.

Again, if you know the people in charge, let them know that people are worried about their bitcoinica balances.