Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 68. (Read 224562 times)

hero member
Activity: 630
Merit: 500
This is awful.

I think some people are being too harsh on Zhou. He has proven to be an honest person, with greater achievements in life than most, if not all, the participants of this thread. And that even before turning 18 years old! He deserves a lot of respect.


What about a setup where the hot wallet is on a separate machine which periodically fetches instructions for transfers?

That with a Tor circuit in between, to make it particularly hard to find the machine holding the keys. Plus a larger percentage of funds in cold storage, of course.
sr. member
Activity: 378
Merit: 250
"Yes I am a pirate, 200 years too late."
Somehow I believe that blogpost is fake.

Especially after zhoutong himself said "if" they compensate and the word "shutdown" ...

No official confirmation is making this even more of a joke Shocked

If they had 80% of funds stored offline then surely they would compensate the stolen 20% you would think.

Funds does not equal profit. Sad
full member
Activity: 223
Merit: 100
Each time my trust in bitcoin rises it gets kinda crushed by a new hacking scandal. This scares me as I invested quite a lot in bitcoin both financially and in my expectations.

In my humble opinion, one of the best solutions against the theft is this proposal I made earlier (and went largely unnoticed):

https://bitcointalksearch.org/topic/m.794810

Btw, are multi-key addresses already in the protocol by now?
member
Activity: 86
Merit: 13
There always is a server.  Bitcoind has to be somewhere.  If you have access to the server you have access to the keys.  Period.*

It appears the attackers gained access to the server.  Ergo they had access to the private keys.


* Well in theory maybe not with a HSM or TPM.  But even then if the attacker has gained access to the wallet server your security model has already failed, it is just you could get lucky and avoid losing a lot of funds.
Hi Death and Taxes,

This is not quite true.  If by HSM you mean Hardware Security Modules 8000 or a PayShield 9000 then both of these would have been fine.  The tamper on those badboys is _really_ good.  Most of the world's interbanking transactions run on this kit... but I am not sure how they would handle bitcoin transactions... However, for bitcoin we do not need one of those; one of these is a tenth of the price and will do everything that is needed, including purge the keys if they come under threat.

http://www.thales-esecurity.com/Products/Hardware%20Security%20Modules/nShield%20Edge.aspx

I still do not understand why people do not shred/purge the secret keys from the disk when the server alarms go off...  restoring a key is much cheaper...

If anyone wants to talk about this further, please feel free to email me, my email is in my profile.

(sorry if someone said all this already, I haven't finished reading the thread)

regards,

steve

I feel sad for those that lost money, it isn't their fault.   What we need now is positive steps on how to avoid this in future.
hero member
Activity: 518
Merit: 500
Somehow I believe that blogpost is fake.

Especially after zhoutong himself said "if" they compensate and the word "shutdown" ...

No official confirmation is making this even more of a joke Shocked

If they had 80% of funds stored offline then surely they would compensate the stolen 20% you would think.
member
Activity: 99
Merit: 10
Quote


You have absolutely no idea what you're talking about.

Furthermore, you make yourself look quite pathetic being completely ignorant.

I feel stupid for ever responding to your post and giving it justice

I know all the owners of Bitcoinca personally, in fact I spoke to one of them not a few hours ago.
They have families, live in house, and are not going anywhere.

There is really no reason to get butt hurt by this. This is the 2nd failure from a bitcoin business; this is a normal reaction from its consumer base to question what is really going on, is it not?
legendary
Activity: 2100
Merit: 1000
The short selling option at bitcoinica is actually helping avoid bigger sell-offs, as short sellers MUST eventually buy back to avoid getting wiped out.

Now, with bitcoinica down, no one has to buy (=cover shorts) any more, and selling pressure could mount.
newbie
Activity: 23
Merit: 0
When is Bitcoinica going to restart? Is it? Zhou?
legendary
Activity: 1372
Merit: 1008
1davout
So are you going to spend the next several hours responding to each point individually?
Yes.
What are you going to do about it ?
Nothing, except note that you are nothing more than a cheap spammer.

But everyone knows that already, and you're
therefore on your way to join me.
Haha, headshot
legendary
Activity: 1372
Merit: 1008
1davout
Interacting with the official client is painful.

Hire people who know what they're doing.
You can afford it.
I know exactly what I'm doing, I'm using the official (with a couple of patches) bitcoind. It's painful in some respects but much more mature than any other client.
legendary
Activity: 1372
Merit: 1008
1davout
Honestly, I know people want to be able to withdraw in "real-time" but why is it so terrible to have a pending period for large transfers? Surely this would avoid such massive withdrawals in near "real-time" without you being able to suspend it in case of hacks/theft?

We really wanted to keep the blockchain and wallet in MySQL database.

That is really not very smart.

I think it is a very good idea that would open lots of possibilities.
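
The two hot-wallet controls floated in this thread, a signing machine that periodically fetches transfer instructions and a pending period for large transfers, sketched as an added example (not code from Bitcoinica or any poster; the thresholds, class names and instruction format are assumptions):

```python
from dataclasses import dataclass, field

COIN = 100_000_000               # satoshis per BTC
LARGE = 50 * COIN                # assumed: at or above this, a transfer is held
HOLD_SECONDS = 24 * 3600         # assumed pending period for large transfers
DAILY_CAP = 500 * COIN           # assumed ceiling on hot-wallet outflow per 24 h

@dataclass
class Transfer:
    ref: str
    amount: int        # satoshis
    requested_at: int  # unix seconds, stamped by the web tier

@dataclass
class Signer:
    """Policy on the key-holding machine: it pulls work, nothing pushes to it."""
    released: list = field(default_factory=list)  # (time, amount) already signed
    frozen: bool = False                          # operator kill switch

    def outflow_24h(self, now):
        return sum(amt for t, amt in self.released if now - t < 86400)

    def decide(self, tr, now):
        if self.frozen:
            return "frozen"
        if tr.amount <= 0:
            return "reject"
        if tr.amount >= LARGE and now - tr.requested_at < HOLD_SECONDS:
            return "pending"      # still cancellable during the hold
        if self.outflow_24h(now) + tr.amount > DAILY_CAP:
            return "pending"      # cap reached; retried on a later poll
        self.released.append((now, tr.amount))
        return "sign"

    def poll(self, queue, now):
        """One fetch cycle over the queued instructions: {ref: decision}."""
        return {tr.ref: self.decide(tr, now) for tr in queue}

def demo():
    # Constructed queue: two routine withdrawals and one large one.
    t0 = 1_000_000
    queue = [Transfer("a", 2 * COIN, t0), Transfer("b", 300 * COIN, t0),
             Transfer("c", 40 * COIN, t0)]
    signer = Signer()
    first = signer.poll(queue, t0 + 60)
    signer.frozen = True          # operator spots "b" during the hold period
    later = signer.poll([queue[1]], t0 + HOLD_SECONDS + 1)
    return first, later
```

The hold and the rolling cap bound how much a compromised web tier can drain before an operator reacts; they do not protect keys on a signer that is itself compromised.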
full member
Activity: 141
Merit: 101
Security Enthusiast
Anyhow.  If they stole the private keys why would they make such a huge withdrawal?  I would import those private keys into another bitcoind and make lots and lots of smaller withdrawals over the course of the next few months.

Obviously Zhoutong also has the private keys. He could proceed to move the remaining funds to an uncompromised account and save them.

If you get somebody else's private keys and you want to steal the funds, you need to move them before they find out.

I feel like the only reason he found out this time was because of the massive withdrawal.

I would sit on them if I had them.  Sit on them and drain them for their worth slowly.

Well... at least that is what I would do if I was a malicious person, which I am not.

Are you serious? You are assuming they're that incompetent at book-keeping?

That is true.  A business, particularly one like that, ought to keep good books.  I hadn't even thought about that.

I was serious, not so much anymore.
donator
Activity: 980
Merit: 1000
Anyhow.  If they stole the private keys why would they make such a huge withdrawal?  I would import those private keys into another bitcoind and make lots and lots of smaller withdrawals over the course of the next few months.

Obviously Zhoutong also has the private keys. He could proceed to move the remaining funds to an uncompromised account and save them.

If you get somebody else's private keys and you want to steal the funds, you need to move them before they find out.

I feel like the only reason he found out this time was because of the massive withdrawal.

I would sit on them if I had them.  Sit on them and drain them for their worth slowly.

Well... at least that is what I would do if I was a malicious person, which I am not.

Are you serious? You are assuming they're that incompetent at book-keeping?
hero member
Activity: 560
Merit: 501
What are you going to do about it ?
Hahaha, this is gold.
full member
Activity: 124
Merit: 100
You can't reset the root password on a mounted filesystem, and you can't access an encrypted filesystem after a reboot without the password.
EDIT: I might as well make it crystal clear that you can't reset the root password on a mounted filesystem externally without access to the password itself.

If the host is still in control of the OS can't they just do it internally with the backdoor?
full member
Activity: 141
Merit: 101
Security Enthusiast
Anyhow.  If they stole the private keys why would they make such a huge withdrawal?  I would import those private keys into another bitcoind and make lots and lots of smaller withdrawals over the course of the next few months.

Obviously Zhoutong also has the private keys. He could proceed to move the remaining funds to an uncompromised account and save them.

If you get somebody else's private keys and you want to steal the funds, you need to move them before they find out.

I feel like the only reason he found out this time was because of the massive withdrawal.

I would sit on them if I had them.  Sit on them and drain them for their worth slowly.

Well... at least that is what I would do if I was a malicious person, which I am not.

This is very interesting. Hopefully someone actually knows about the transfer.

And hopefully someone will finally learn a lesson from this.


You're probably right. Someone will. If not Bitcoinica, the users. lol

http://blockchain.info/tx-index/5441766/51fa68b27169195618ba30a9b1f12d5590ed4c544e01699929260f0990ca5a2f

More 0.31337 BTC... Is it a message from the thieves or someone congratulating them? Wink

Yeah that one was me actually.  I figured it was a pretty 1337 hack.

Anyhow.  If they stole the private keys why would they make such a huge withdrawal?  I would import those private keys into another bitcoind and make lots and lots of smaller withdrawals over the course of the next few months.

Sign a message with the private key of the address 114t2bCfrmw44qgZQijNzVU75YphuyZCGk and I'll believe it was you.

As it was an address on my phone I can't easily do that.  Instead I'll just send you a 31337 amount of coins.

Money sent to 1PKyq6aMKcCwn8cmb9Jc5SkNydLsQb5n7K.

Crazy. lol Address confirmed Grin
I'll send it back to you once they confirm Wink

No problem. Tongue  You can keep them if you want.  0.31337 isn't much BTC in the grand scheme of things.  I have a hundred or so sitting around right now.
legendary
Activity: 1358
Merit: 1002
This is very interesting. Hopefully someone actually knows about the transfer.

And hopefully someone will finally learn a lesson from this.


You're probably right. Someone will. If not Bitcoinica, the users. lol

http://blockchain.info/tx-index/5441766/51fa68b27169195618ba30a9b1f12d5590ed4c544e01699929260f0990ca5a2f

More 0.31337 BTC... Is it a message from the thieves or someone congratulating them? Wink

Yeah that one was me actually.  I figured it was a pretty 1337 hack.

Anyhow.  If they stole the private keys why would they make such a huge withdrawal?  I would import those private keys into another bitcoind and make lots and lots of smaller withdrawals over the course of the next few months.

Sign a message with the private key of the address 114t2bCfrmw44qgZQijNzVU75YphuyZCGk and I'll believe it was you.

As it was an address on my phone I can't easily do that.  Instead I'll just send you a 31337 amount of coins.

Money sent to 1PKyq6aMKcCwn8cmb9Jc5SkNydLsQb5n7K.

Crazy. lol Address confirmed Grin
I'll send it back to you once they confirm Wink

Answering your little withdrawal method. That wouldn't work. They (Bitcoinica) would probably notice unauthorized transactions and sweep the entire balance themselves, leaving the thieves with almost nothing.
Like this they swept the entire balance and problem solved.
donator
Activity: 980
Merit: 1000
Anyhow.  If they stole the private keys why would they make such a huge withdrawal?  I would import those private keys into another bitcoind and make lots and lots of smaller withdrawals over the course of the next few months.

Obviously Zhoutong also has the private keys. He could proceed to move the remaining funds to an uncompromised account and save them.

If you get somebody else's private keys and you want to steal the funds, you need to move them before they find out.
full member
Activity: 141
Merit: 101
Security Enthusiast
This is very interesting. Hopefully someone actually knows about the transfer.

And hopefully someone will finally learn a lesson from this.


You're probably right. Someone will. If not Bitcoinica, the users. lol

http://blockchain.info/tx-index/5441766/51fa68b27169195618ba30a9b1f12d5590ed4c544e01699929260f0990ca5a2f

More 0.31337 BTC... Is it a message from the thieves or someone congratulating them? Wink

Yeah that one was me actually.  I figured it was a pretty 1337 hack.

Anyhow.  If they stole the private keys why would they make such a huge withdrawal?  I would import those private keys into another bitcoind and make lots and lots of smaller withdrawals over the course of the next few months.

Sign a message with the private key of the address 114t2bCfrmw44qgZQijNzVU75YphuyZCGk and I'll believe it was you.

As it was an address on my phone I can't easily do that.  Instead I'll just send you a 31337 amount of coins.

Money sent to 1PKyq6aMKcCwn8cmb9Jc5SkNydLsQb5n7K.
legendary
Activity: 2198
Merit: 1311
This is the bitcoin I've missed for the past couple months.