Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 76. (Read 224562 times)

donator
Activity: 826
Merit: 1060
We are waiting for the rest to wake up and check their email accounts.
You know, for something as serious as this they should be OK for you to phone and wake them up.
legendary
Activity: 1358
Merit: 1002
Z, can you put the site up now?

Without finding the breach I don't think it would be a good idea...
Are you in a hurry to withdraw, or?
Relax dude, I'm certain ZhouTong will do the right thing.

Can't short, grrrrrr

OH, LOL :P
legendary
Activity: 1358
Merit: 1002
Z, can you put the site up now?

Without finding the breach I don't think it would be a good idea...
Are you in a hurry to withdraw, or?
Relax dude, I'm certain ZhouTong will do the right thing.
In fact I shouldn't even be nagging him so much. There's time for that if he decides to walk the wrong path.
legendary
Activity: 1358
Merit: 1002
Has anyone ever pulled up the old MtGox list of user accounts and hashes, compiled all the passwords from a rainbow table, then run through common logins like Bitcoinica's to see which ones still worked?

What does that have to do with this? Huh
donator
Activity: 1419
Merit: 1015
Has anyone ever pulled up the old MtGox list of user accounts and hashes, compiled all the passwords from a rainbow table, then run through common logins like Bitcoinica's to see which ones still worked?
hero member
Activity: 504
Merit: 502
Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.

This is ridiculous. Password reset emails are okay for forums, but not for anything which needs real security.

Emails are postcards; it doesn't need an email account compromise to do this, just someone sitting on the appropriate router with a traffic sniffer.

donator
Activity: 1218
Merit: 1079
Gerald Davis
It's really hard to believe that after the linode debacle, you guys are
still leaving that many coins on hosted systems.

Please learn about offline transactions and how to properly decouple
the wallet from your trading system.

This.  It is insane to me.

The cost of a secure co-location cage with a dedicated hardware firewall, private switch, and private servers. Every single piece of hardware owned and configured by you. The exchange and wallet should be on separate servers and the wallet server should have no insecure connections.

Come on, it is 2012 guys. IPMI makes doing secure remote co-location a lot easier: VPN-secured KVM over IP, BIOS upgrades, hardware monitoring, remote power control, even remote media loading.

No reason for anyone to have access to the cage. Any good colocation provider can enforce a user-specified cage access protocol (i.e. requires 2 whitelisted users, and auto-notification of everyone on the whitelist with a 2-hour delay).


On edit:

Password resets? What the fuck are password resets? This isn't a Facebook account. Your admin loses his password, well, he can't log in. Period. If he keeps doing it you fire his ass and hire someone who is more capable.

Logins should be password + cert and limited to a dedicated NIC.  Your own personally owned and configured hardware firewall limits connections to the login NIC based on whitelisted IP addresses.
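One concrete instance of the login policy laid out in the post above ("password + cert, limited to a dedicated NIC, firewall whitelists the sources"), written as an added example for this page and not code from Bitcoinica or from anyone in the thread: a POSIX shell script that renders an OpenSSH sshd_config bound only to the management NIC's address and requiring both a public key and a password, renders matching iptables rules that accept SSH on that NIC only from whitelisted sources, and lints a config for the settings that defeat the design. The interface name eth1, the addresses 10.0.0.5, 203.0.113.10/32 and 198.51.100.0/24, and the user name ops are placeholders chosen here. "Cert" is read as an SSH key or certificate; the AuthenticationMethods directive needs OpenSSH 6.2 or newer.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names, addresses, CIDRs and
# the user name are placeholders, not Bitcoinica's real infrastructure.

# Render an sshd_config that listens only on the management NIC's address and
# requires BOTH factors for every login: the key must verify, then the password.
render_sshd_config() {
  mgmt_ip="$1"
  cat <<EOF
# Listen only on the dedicated management NIC, never on the public interface.
ListenAddress ${mgmt_ip}:22
# Require key (or certificate) AND password; either one alone is rejected.
AuthenticationMethods publickey,password
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 20
# Only the named operator accounts may log in at all.
AllowUsers ops
EOF
}

# Render iptables rules: accept new SSH connections on the management NIC only
# from whitelisted source CIDRs, drop SSH from everywhere else.
# Arguments: management interface, then one or more whitelisted CIDRs.
render_firewall_rules() {
  mgmt_if="$1"; shift
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for cidr in "$@"; do
    echo "iptables -A INPUT -i ${mgmt_if} -p tcp --dport 22 -s ${cidr} -m state --state NEW -j ACCEPT"
  done
  # Anything that did not match a whitelisted source on the management NIC.
  echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Lint an sshd_config read from stdin for the settings that defeat the design.
# Prints one FINDING line per problem; returns 0 if clean, 1 otherwise.
lint_sshd_config() {
  cfg=$(cat)
  rc=0
  if ! printf '%s\n' "$cfg" | grep -Eq '^AuthenticationMethods[[:space:]]+publickey,password'; then
    echo "FINDING: second factor not required (AuthenticationMethods)"; rc=1
  fi
  if printf '%s\n' "$cfg" | grep -Eq '^PermitRootLogin[[:space:]]+yes'; then
    echo "FINDING: root login permitted"; rc=1
  fi
  if printf '%s\n' "$cfg" | grep -Eq '^ListenAddress[[:space:]]+0\.0\.0\.0' \
     || ! printf '%s\n' "$cfg" | grep -Eq '^ListenAddress[[:space:]]+'; then
    echo "FINDING: sshd listens on all interfaces, not only the management NIC"; rc=1
  fi
  return $rc
}

# Usage (placeholders): render_sshd_config 10.0.0.5 > /etc/ssh/sshd_config
#                       render_firewall_rules eth1 203.0.113.10/32 | sh
#                       lint_sshd_config < /etc/ssh/sshd_config
```

The lint function is the part worth keeping around: run it from a cron job or a deploy check so that a later "temporary" edit that reopens ListenAddress or drops the second factor is caught before the next incident rather than after.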
legendary
Activity: 980
Merit: 1020

Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.

Would it make sense to require 2-factor authentication for everybody?
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Please don't blame genjix. It's definitely not his fault.

He's not in our mailing list so it couldn't be him.

Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.

Of course it's not his fault... It's not your fault either. It's the hackers' fault.
But if you, as a corporation, management and operators included, decide not to reimburse your customers' losses, then it's your fault and you should be labeled for what you are.
Take a hint from TradeHill.

Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.
Doesn't Rackspace offer you the option of requiring more than one person to sign off on a password change?
legendary
Activity: 980
Merit: 1020
Sorry to hear about this again.

It seems Bitcoinica got swindled for another $100k; this time they got "smarter": instead of the cheapest possible VPS, they went for the most expensive possible dedicated server (or is it still VPSes?).


Personally, I find erring for convenience over security to be a questionable practice.
vip
Activity: 490
Merit: 502
Please don't blame genjix. It's definitely not his fault.

He's not in our mailing list so it couldn't be him.

Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.

Of course it's not his fault... It's not your fault either. It's the hackers' fault.
But if you, as a corporation, management and operators included, decide not to reimburse your customers' losses, then it's your fault and you should be labeled for what you are.
Take a hint from TradeHill.

Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.
legendary
Activity: 1358
Merit: 1002
Please don't blame genjix. It's definitely not his fault.

He's not in our mailing list so it couldn't be him.

Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.

Of course it's not his fault... It's not your fault either. It's the hackers' fault.
But if you, as a corporation, management and operators included, decide not to reimburse your customers' losses, then it's your fault and you should be labeled for what you are.
Take a hint from TradeHill.
hero member
Activity: 504
Merit: 502
Please don't blame genjix. It's definitely not his fault.

He's not in our mailing list so it couldn't be him.

Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.

Sorry, but in any structured business if something goes wrong then someone either didn't do their job or did a shitty job.

In the case of being hacked, it is the security "expert's" fault and he should be held accountable for the loss.
hero member
Activity: 812
Merit: 1001
Sorry to hear about this again.

It seems Bitcoinica got swindled for another $100k; this time they got "smarter": instead of the cheapest possible VPS, they went for the most expensive possible dedicated server (or is it still VPSes?).

FFS! It does not change anything! Insiders still have physical access to their computers, or management access, for instance via KVMs; they can still arrange to get themselves untracked access, leak passwords, etc.; they can still take your wallets.

The Linode lesson was not "go to dedi", it was to go to a well-locked colo and control physical and management access to the servers. Owning the DC would be even better. Banks do not host their critical infrastructure on the cheapest VPSes, nor do they use the most expensive dedis either. Take a hint.

Better yet hire someone who can do information security professionally and this time listen to what they tell you.


hero member
Activity: 560
Merit: 501
Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.
You're handling it very well, keep it up.
hero member
Activity: 868
Merit: 1000
Please stop bullshitting, what you say doesn't make any sense.

Bitcoinica got hacked, so what, it happens all the time to lots of companies. I don't see how this devalues bitcoin, I don't see how Bitcoinica's activities devalue bitcoin, and... fuck, I don't understand your points.

If eBay gets hacked, does that devalue dollars?
I see you must be quite new to Bitcoin. Have you experienced what happened when MyBitcoin was allegedly robbed? MtGox? Bitcoin7? Hell, I don’t even know many of them anymore.

No, I'm not new. And when the MtGox thing happened, I was already telling people the same thing.

And one year later, I have more confidence in bitcoin, and only see this as a potential buying opportunity :)

Don't worry, it will hurt bitcoinica, but it won't hurt the bitcoin economy
vip
Activity: 490
Merit: 502

So, you are still not in control of Bitcoinica?
Then, tell us, who are the decision makers that will decide if customers get reimbursed, as Zhou Tong already pointed out that it would not be his decision but from someone else?

Interesting. I didn't know the organizational structure of Bitcoinica changed recently. If I were in charge, I would still reimburse the dude.

Same here. I think reimbursing is the right way to go, even if we are shutting down the business at a huge loss.
vip
Activity: 490
Merit: 502
Please don't blame genjix. It's definitely not his fault.

He's not in our mailing list so it couldn't be him.

Well, shit just happens and it's not anyone's fault or incompetence here. I was the only guy awake when the incident happened.