Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 8. (Read 224563 times)

Nonsense, I would easily have gotten >100 points filing my fake claim. The only thing that stopped me was my conscience.

Where is the money going to come from the other depositors will be missing? This is why I say I see no way around insolvency without the database.

You guys go ahead, though. I’ll get the popcorn for when people with 100+ points are requesting 500k BTC.

edit: rjk, no need for that. I can get over 100 despite that missing. Also I doubt they have that email data.

I read his suggestion, and it makes sense because some of the info he is suggesting to use for claims cannot be faked. Very good suggestions, too.

Blitz: relax.

In any case you shouldn't trust a database that may have been tampered with. This wasn't a fancy encrypted or otherwise secured database. This was a Ruby on Rails step-by-step tutorial kind of database.

It doesn't make sense to be offering fat bounties around. Not that the hacker would likely take the risk.

So, take it easy.

Haha, I knew I would be accused of that.

Have you read through zhoutong’s suggestion? I had no funds at Bitcoinica and considered faking a claim a few days ago, as I suspected a db loss. I could have easily done the claim and raked in a few k BTC. I didn’t because it would be theft, but I guarantee you there are enough people here who would get enough "points" to get refunded immediately, lack any morals, and had the foresight to file a fake claim before the db loss was admitted.

I simply see no other way around insolvency.

Are you the hacker looking to double your money? A bargain indeed. Right.

Intersango/(My)Bitcoin(ica) Consultancy, you guys better offer a nice fat 18.5k BTC bounty for the database or you will likely be sued into insolvency!

There were already plenty of people who suspected a database loss. I was tempted to file a false claim a few days ago myself. Do you really think there is a way for you not to overpay some, and therefore underpay others without the database?

It is an absolute bargain since there is no other way to allocate funds without risking losing MORE funds than deposited. I hope the hacker will accept an initial offer and not abuse his position. I also hope he will not tamper with the database (maybe you can offer him another bounty since people will try to bribe their way in). Is there perhaps a checksum to prove it is the original?

Do it or die.

Assume that 99% of the balances have already been claimed, the extra loss due to over-claims is less than 18.5k BTC. This is my speculation based on the information I have though. I haven't verified them.

The following is my suggestion to Bitcoinica, I can disclose it because it won't make resolving problems more difficult:

Now the thing needed to do is to filter the false claims using the resources we already have, including:

- Support emails
- Outgoing transactional emails (deposit, withdrawal and order execution notifications)
- Previous accounting reports
- Partner records, including Mt. Gox, BitInstant, banks
- Block chain (We roughly know what addresses we have based on the transactional emails)

The reputation of the account owner can also be taken into consideration, i.e. if you have demonstrated consistent integrity in the community, you should get your funds back at first opportunity. If the database (which might be leaked) records suggest discrepancies, you should feel comfortable returning the extra.

If the claimed account balance is tiny, such as 1 BTC or $1 USD, you should also receive a refund as long as the account ownership can be verified.

If there are no outgoing transactional emails sent (within 60 days), no support emails ever, no passport photo uploaded, we will have to use extra evidence (Bitcoin address ownership and Mt. Gox code history) to prove account ownership. Most likely the claims are illegitimate. We have unlikely to have inactive users with large amount funds.

The most questionable claims will be the ones without reported positions but with large balances from people who are not reputable. Most likely these people are trying to hide their unrealized losses in the claims after knowing that database has been deleted.

I know there's some personal judgement involved in the suggestion, but that will be my way of handling this. It will keep the majority of people happy while reducing most false positives. If my suggestion is accepted, the general rule is, you can get your funds more fully (partial payments are possible), sooner and less evidence is required if:

--- Disclaimer: Pure suggestion. NOT OFFICIAL ---

- Your bitcointalk.org profile or Bitcoin-OTC rating shows you as reputable and trustworthy. (50 Points)
- You can supply at least one transactional email you have received which perfectly matches our outgoing transactional email records. (30 Points)
- You can provide passport scans and you have provided to Bitcoinica (even if it's pending verification). (40 Points)
- The order of magnitude of your reported balance is consistent with our outdated accounting records. (30 Points)
- You can recall the balances exactly or very precisely. (20 Points)
- You have reported a losing position, with precise details. (20 Points)
- You have contacted Bitcoinica Support at least once since September 2011. (10 Points)
- Your email can be searched online and matches your identity. (10 Points)
- You can provide proof of Bitcoin address ownership (signature), Mt. Gox code you have used/obtained or accurate details of large transaction records (>2500 BTC) that match our hedging activity. (10 Points each kind of evidence)
- Another reputable member supports your claim. (10 Points)
- You have used wire transfer, BitInstant or AurumXchange to deposit/withdraw funds and they can verify the records. (10 Points)
- You have submitted the claim within the first 24 hours since the announcement. (10 Points)

If there are no transactional emails or support emails ever sent to the claimed address, 0 Points for now.

If you get >= 100 Points, you should be refunded immediately.
If you get >= 50 Points, you can expect partial refunds first. The percentage of partial payments will be calculated using the formula (let P be the points you get):

Partial payment in % = (P/10)^2

e.g. If you get 90 Points, you receive 81% of the claimed amount first. If you get 50 Points, you receive 25% of the claimed amount first.

The rest of the claimed amount will be honored after every request has been processed. Then we can use cross reference to match the remainder records, and hopefully a copy of database can be obtained or leaked. If needed, we can also use external moderation to decide asset ownership.

--- Disclaimer: Pure suggestion. NOT OFFICIAL ---

Heh, it would be kind of ironic if someone was actually running a sock donator account under his name. At least you are covering that angle to be sure it is him.

Remember when I said I had already pulled all my moniez from Bitcoinica? I was kidding, actually I had 10000 BTC.

*Runs to fill the claim* 

By the way, good luck to ever get a VC company or individual to ever invest in a Bitcoin project, ever again!

Thank you InsterSCAMgo! You have further fucked Bitcoin's future by your gross negligence!

BTC is electrons in a computer mate as far as the law is concerned or a crypto message not money or a possession.

Stop trying to divert the discussion offtopic and show me one entity that has been brought to justice due to "stealing" BTC.

Not shakaru, not mybitcoin, not MrMoon, not bitcoin7, not bitomat, not bitcoinica ...

What did the security "investimagation" reveal as according to the topic title. The hacker couldn't have erased all the logs. There must be some IPs left. Where the police called to investigate ?

Maybe Rackspace had some logs left from him accessing the control panel ?

Bitcoins are as much of a property as WoW Gold, potatoes or USD, you retard. The law doesn’t care what it is, as long as a contract exists.

BTW, don’t you have 25 BTC to repay?

Show me one case where people have been sued due to BTC otherwise you are FUDging.

Sue for USD ? Most likely but if tomorrow Intersango ran with all the BTC they had nobody could do a thing.

No, it is actually worth much more than that, since quite a few people will be suing Bitcoinica if their balance does not satisfy them.

You better negotiate a good deal with the hacker, or you are pretty sure to be made insolvent.

edit:

bulanula, there are ways to anonymously release the database along with a Bitcoin address.

Offer a bounty for the database ? The hacker would be most stupid to release it as that could identify him pretty quickly.

Also, it seems to me that zhoutong is not at fault here but the incompetence of "InterSCAMgo" as shadow puts it.

Too bad there are no other UK exchanges ...  

Effectively paying the hacker 36.5K BTC ?  

well you've been sarcastic about this before.  yes let's pay all the haxors and shorting all teh coinz  

The database isn't worth 18.5k.  Your suggestion would just add another cost.

A bounty isn't crazy though; enough to cover the cost of the manual work of restoration and perhaps a bit extra for the benefit to goodwill.

Gooooooooood question; like most good questions though, it needs to be asked more than once or twice.  So yeah I am wondering this as well.


yeah nah dude i've read every letter -- right there with ya.  just joshin' around, munchin' my corn  

Suggestion:

Offer a 18.5k BTC bounty for whoever releases a copy of the database.

I see you're ignoring my (and others) advice to stop airing your internal business disagreements publicly.


That's understandable, but irrelevant.  As muyuu points out: the loss of the database had been guessed at (unless you think people where asking about the database backups because they were totally confident it existed?).


I'm afraid that this attitude reveals your naivete on security.  All claims should be treated as false unless concrete evidence is available.  Not "after this point"... all of them.  You don't trust anything or anyone.  What other way is there of running a secure system?


If only the hacker had lived up to his promise that we should "expect a mass leak", eh?  His copy of that database would come in very handy.  Are you listening Mr Hacker?  Do us all a favour and drop a copy somewhere.  You've had your money; and you've effectively destroyed Bitcoinica's business... now you're just making life for the rest of us difficult.


To be honest; now that we know what the difficulty is, I really don't see what magic wand you think you can wave to recreate records faster than the Bitcoin Consultancy team.  To me, it seems that this is going to be a matter of a long hard slog of manually reconciling claim requests with deposit and withdrawal records.

Further, despite your wonderboy reputation, it seems that you are the more fundamentally at fault (technically) here than Bitcoin Consultancy -- it's true that they left the door open to their own systems, but it's you who have had many months to prepare for and mitigate against disasters and didn't.  Even without considering hackers; what if Rackspace had gone unexpectedly bust?  What if a natural disaster wiped out electricity to their datacentre?  Mistakes in the heat of the moment are forgivable, mistakes made with time available for consideration are less so -- especially when they are easily foreseen mistakes.