
Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 51. (Read 224562 times)

legendary
Activity: 1458
Merit: 1006

We are building an account claim page. You can submit your account information, financial information (balances) and trading information to verify your identity. We will then match with the records we have. If they have matched, we will send Bitcoin balance to your nominated Bitcoin address within 24 hours and USD balance with unrealized P/L to your email as a Mt. Gox code. If you sent the funds to us via Wire (i.e. you don't use Mt. Gox at all), we will try our best to fulfill wire transfer requests.


Oh dear, this again? Gox June 2011. Bitcoinica May 2012.
hero member
Activity: 756
Merit: 500
Were any personal documents leaked during the intrusion that could potentially be used to make fraudulent claims against accounts?

BTW for historical references here is the original post on hackernews:

http://news.ycombinator.com/item?id=2973313
vip
Activity: 490
Merit: 502
I cannot believe it :(

zhoutong, give us some updates, please man!

We are building an account claim page. You can submit your account information, financial information (balances) and trading information to verify your identity. We will then match with the records we have. If they have matched, we will send Bitcoin balance to your nominated Bitcoin address within 24 hours and USD balance with unrealized P/L to your email as a Mt. Gox code. If you sent the funds to us via Wire (i.e. you don't use Mt. Gox at all), we will try our best to fulfill wire transfer requests.

Current positions will all be liquidated at a settlement price. We haven't decided the price yet, but my personal estimate is 4.98 / 4.94. (All long positions can liquidate at 4.98 and all short positions can liquidate at 4.94, we pay the spread for you.) All unrealized P/L will be settled in USD. If you don't have sufficient USD balance, we will use your BTC to settle, with the mid-point exchange rate (again, we pay the spread).

The page will be up in a few days but I don't have accurate information on this. Patrick is working on the page now. Thanks for your understanding and patience.
member
Activity: 105
Merit: 10
Say BYE to tobacco taxes and bureaucratized trade.
I cannot believe it :(

zhoutong, give us some updates, please man!
full member
Activity: 134
Merit: 100
Then our definitions of a hot wallet may be different. I am thinking that a hot wallet is an online wallet with coins available for withdrawal. Which would be in contrast to a cold storage wallet. I don't believe a hot wallet has to be automated.
If the wallet is online and available for withdrawal, then a thief who compromises the machine can take all the coins in the wallet, whether your normal withdrawal path is automated or not. If the point of the human security check is that the coins *cannot* be withdrawn without the approval, then it's not a hot wallet. If the security check is just a human saying "yes", then it can still be a hot wallet, but a compromise of the machine will include the ability to bypass the withdrawal authorization.

Unless the human saying yes must enter a passphrase to temporarily decrypt the wallet to send the transaction. Either that or having a set of wallets encrypted for large withdrawals that need manual authorization and a set of encrypted but loaded wallets for smaller transactions. So if a large withdrawal is needed then it is sent manually, but for smaller ones they can be sent automatically from the currently loaded smaller wallet. And if a smaller wallet is running low, then the remaining balance should be transferred to another small wallet specifically for the spare change and the wallet moved to another in the line. This way the majority of the money is very accessible and there is minimal risk to either party. This will protect against people breaking into a machine containing the wallet(s) and stealing them as they will be encrypted. The most they may get is the contents of a smaller wallet if this is properly monitored.
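
The tiered scheme described in the post above, as an added sketch that is not part of the original thread and not Bitcoinica's code: only one small wallet is loaded for automatic payouts, anything over a per-withdrawal limit is held for a human with the passphrase, and a wallet that runs low is swept and rotated. The class name, limits and balances are hypothetical.

```python
from dataclasses import dataclass, field
from decimal import Decimal as D

@dataclass
class TieredWallets:
    auto_limit: D      # assumed policy: largest withdrawal paid automatically
    low_water: D       # assumed policy: rotate the loaded wallet below this
    small: list        # balances of pre-funded small wallets; small[0] is loaded
    change: D = D(0)   # "spare change" wallet that receives swept remainders
    pending: list = field(default_factory=list)  # awaiting human + passphrase

    def exposure(self):
        """Most a thief who controls the server can take: the loaded wallet.
        Everything else stays encrypted until someone enters the passphrase."""
        return self.small[0] if self.small else D(0)

    def _rotate(self):
        # Sweep the remainder to the change wallet, load the next one in line.
        self.change += self.small.pop(0)

    def _hold(self, user, amount):
        self.pending.append((user, amount))
        return "held"

    def request(self, user, amount):
        amount = D(amount)
        if amount > self.auto_limit:
            return self._hold(user, amount)   # large: manual authorization
        if self.small and self.small[0] < amount:
            self._rotate()                    # loaded wallet cannot cover it
        if not self.small or self.small[0] < amount:
            return self._hold(user, amount)   # nothing loaded: needs a refill
        self.small[0] -= amount
        if self.small[0] < self.low_water:
            self._rotate()
        return "sent"

def demo():
    # Constructed balances and requests, in BTC.
    w = TieredWallets(auto_limit=D(50), low_water=D(20), small=[D(100), D(100)])
    results = [w.request("a", 30), w.request("b", 18000),
               w.request("c", 50), w.request("d", 10)]
    return results, w.exposure(), w.change, w.pending
```
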
full member
Activity: 187
Merit: 100
Thanks I respect yours also.  No, I'm just saying for big thefts like the ones that have been happening I think there would be a big consensus in favor of disabling $87,000 worth of bitcoin.  Yes, I don't know all the logistics of how it would play out but I'm pretty sure we are all smart enough to figure it out.

Ok say I buy 20,000 BTC worth of Gold from you.  I pay you, you get the 6 confirms.  I walk away with my ~$100K in gold.  Then I report the coins stolen.  Oops you lose 20K BTC.  Even better I call you up and threaten to report them stolen.  If you give me back 5K BTC I won't report them stolen. You lose 5K or you lose 20K.  Your choice.

Worse say I did steal 20K BTC.  I then buy some gold from you.  Nobody has reported them stolen ... yet.  I pay you, you get the 6 confirms.  I walk away with $100K in gold and then the original legit owner of the coins reports them stolen.  I stole the coins and lost nothing.  The owner is still out 20K coins and you are out $100K in gold.

Awesome system you got there.  Also there is no central agency in Bitcoin.  Who decides if a coin is disabled or not?  Someone with 51% of hashing power.  Awesome you just gave the govt an auto kill switch.  Gain 51% control of Bitcoin (even temporarily) and disable all 21M coins.  Game Over.

As soon as we have a way to decide (vote) on stolen status, and we get false stolen reports, we will create a system to decide the truth of theft reports. When we can revoke false theft reports, we will soon need to revoke theft report revocations. Then we will need to be able to revoke revocations of theft report revocations. Someone will create a recursive revocation block chain. Every bitcoin will end up 50% +/- X legit since no one can determine tomorrow's status, at which point hopefully we can drop this whole mess.


legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
Then our definitions of a hot wallet may be different. I am thinking that a hot wallet is an online wallet with coins available for withdrawal. Which would be in contrast to a cold storage wallet. I don't believe a hot wallet has to be automated.
If the wallet is online and available for withdrawal, then a thief who compromises the machine can take all the coins in the wallet, whether your normal withdrawal path is automated or not. If the point of the human security check is that the coins *cannot* be withdrawn without the approval, then it's not a hot wallet. If the security check is just a human saying "yes", then it can still be a hot wallet, but a compromise of the machine will include the ability to bypass the withdrawal authorization.
full member
Activity: 134
Merit: 100
A hot wallet would be btc immediately available for withdrawal. In this case, how often would a transaction moving 18k btc or even just 1k btc be executed? Almost never. So you could have transactions past a certain limit be manually approved.
If they have to be manually approved, it's not a hot wallet. The gist of a hot wallet is that a release of coins is automated.
Then our definitions of a hot wallet may be different. I am thinking that a hot wallet is an online wallet with coins available for withdrawal. Which would be in contrast to a cold storage wallet. I don't believe a hot wallet has to be automated.
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
A hot wallet would be btc immediately available for withdrawal. In this case, how often would a transaction moving 18k btc or even just 1k btc be executed? Almost never. So you could have transactions past a certain limit be manually approved.
If they have to be manually approved, it's not a hot wallet. The gist of a hot wallet is that a release of coins is automated.
legendary
Activity: 910
Merit: 1000
Quality Printing Services by Federal Reserve Bank
Except a hot wallet must store enough coins for many users to withdraw in a reasonable time frame....

Adding extra layer of security to large BTC transfers from exchange is a must.
BTC transfer, with acceptable number of confirmations, takes forever to begin with. Is that reasonable? There is no "immediately" in BTC transfers without third-party help.
On the other hand, I am used to getting my bank transfers done in minutes and transfers between different banks in less than an hour (usually minutes). I do not know how fast this is done in the USA; you guys still use paper cheques :)

If I have to transfer a large amount of money from my bank, extra layer of security is added and yes, this takes a bit more time to execute. This is acceptable to everyone in the world and eliminates fuckups like Bitcoinica just had (twice!).

Not even a large amount of cash is transferred (in a suitcase) in seconds :)  You count it before you let it go for good.
legendary
Activity: 1750
Merit: 1007
As some people have said, there should be a hold on large or unusual withdrawals from a hot wallet.
Then it wouldn't be a hot wallet at all.
A hot wallet would be btc immediately available for withdrawal. In this case, how often would a transaction moving 18k btc or even just 1k btc be executed? Almost never. So you could have transactions past a certain limit be manually approved.

Except a hot wallet must store enough coins for many users to withdraw in a reasonable time frame.  A reasonable time frame is up for debate of course.  And given the size of Bitcoinica, and the supposed profits it made (since they CLAIM that the previous theft was covered by their profits up to that point), the volume is likely very high at peak times.
full member
Activity: 134
Merit: 100
As some people have said, there should be a hold on large or unusual withdrawals from a hot wallet.
Then it wouldn't be a hot wallet at all.
A hot wallet would be btc immediately available for withdrawal. In this case, how often would a transaction moving 18k btc or even just 1k btc be executed? Almost never. So you could have transactions past a certain limit be manually approved.
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
As some people have said, there should be a hold on large or unusual withdrawals from a hot wallet.
Then it wouldn't be a hot wallet at all.
hero member
Activity: 532
Merit: 500
^^^^^^

Very good point. The fact that the website is STILL offline, there are no status updates anywhere and there wasn't any email notification is just plain ridiculous.

People better come to terms that they are not getting their money back.  None of Bitcoinica's customers even know who runs the business.  The death spiral started with the theft of 40,000 bitcoins and then the transfer of responsibilities to other people was just a reminder of where Bitcoinica was heading.  This recent negligence in securing their customers' accounts is the nail in the coffin.
hero member
Activity: 607
Merit: 500
^^^^^^

Very good point. The fact that the website is STILL offline, there are no status updates anywhere and there wasn't any email notification is just plain ridiculous.
donator
Activity: 1731
Merit: 1008
Updates ?

I haven't seen an update in 2 days,
Maybe because :

A. I'm not keeping track of Zhoutong's post history
B. I'm not going to search this whole thread for clues.
D. I'm not seeing the OP being updated.
E. I'm not visiting the forum very often.
F. I'm not visiting Bitcoinica's website.
G. I cannot visit Bitcoinica's website, isn't working - AT ALL
H. Bitcoinica never sent any email notification, neither did they send any about new fees structure.

Hint : Some people have better things to do than go on an information hunt to know what's happening with their $/BTC.

full member
Activity: 134
Merit: 100
Why does the wallet even need to reside on the server?

But I'd like to know if it is usual for an 18K BTC transaction to take place without review?

I mean, if I go to the bank to withdraw 50K+ USD, I would expect a little more scrutiny.

A stepped system of checks, I believe would have, if not stopped, delayed it.


As some people have said, there should be a hold on large or unusual withdrawals from a hot wallet.
vip
Activity: 490
Merit: 271
Why does the wallet even need to reside on the server?

But I'd like to know if it is usual for an 18K BTC transaction to take place without review?

I mean, if I go to the bank to withdraw 50K+ USD, I would expect a little more scrutiny.

A stepped system of checks, I believe would have, if not stopped, delayed it.

legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
http://www.reuters.com/article/2012/04/01/traders-bitcoin-idUSL6E8ET5K620120401
Quote
Zhou Tong, who is professionally advised by a forex trader and the head of a Singapore-based algorithmic trading firm, now lends his name to international slang.

I'm curious as to who the forex trader is advising Zhou Tong.

And here's a pic of ZT and two of his closest friends (partners?) taken about a couple years ago.

donator
Activity: 2058
Merit: 1007
Poor impulse control.
btw anyone seen the mass leak? or any updated info from bitcoinica?

I'm thinking that zhoutong had a 'mass leak' as soon as he noticed all the btc missing, poor bugger.