
Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 8. (Read 224537 times)

N12
donator
Activity: 1610
Merit: 1010
I read his suggestion, and it makes sense because some of the info he is suggesting to use for claims cannot be faked. Very good suggestions, too.
Nonsense, I would easily have gotten >100 points filing my fake claim. The only thing that stopped me was my conscience.

Where is the money going to come from that the other depositors will be missing? This is why I say I see no way around insolvency without the database.

You guys go ahead, though. I’ll get the popcorn for when people with 100+ points are requesting 500k BTC. Grin Grin Grin

edit: rjk, no need for that. I can get over 100 despite that missing. Also I doubt they have that email data.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Haha, I knew I would be accused of that.

Have you read through zhoutong’s suggestion? I could have easily done the claim and raked in a few k BTC. I didn’t because it would be theft, but I guarantee you there are enough people here who would get enough "points" to get refunded immediately, lack any morals, and had the foresight to file a fake claim before the db loss was admitted.

I simply see no other way around insolvency.
I read his suggestion, and it makes sense because some of the info he is suggesting to use for claims cannot be faked. Very good suggestions, too.
donator
Activity: 980
Merit: 1000
Blitz: relax.

In any case you shouldn't trust a database that may have been tampered with. This wasn't a fancy encrypted or otherwise secured database. This was a Ruby on Rails step-by-step tutorial kind of database.

It doesn't make sense to be offering fat bounties around. Not that the hacker would likely take the risk.

So, take it easy.
N12
donator
Activity: 1610
Merit: 1010
Haha, I knew I would be accused of that.

Have you read through zhoutong’s suggestion? I had no funds at Bitcoinica and considered faking a claim a few days ago, as I suspected a db loss. I could have easily done the claim and raked in a few k BTC. I didn’t because it would be theft, but I guarantee you there are enough people here who would get enough "points" to get refunded immediately, lack any morals, and had the foresight to file a fake claim before the db loss was admitted.

I simply see no other way around insolvency.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Intersango/(My)Bitcoin(ica) Consultancy, you guys better offer a nice fat 18.5k BTC bounty for the database or you will likely be sued into insolvency!

There were already plenty of people who suspected a database loss. I was tempted to file a false claim a few days ago myself. Do you really think there is a way for you not to overpay some, and therefore underpay others without the database?

It is an absolute bargain since there is no other way to allocate funds without risking losing MORE funds than deposited. I hope the hacker will accept an initial offer and not abuse his position. I also hope he will not tamper with the database (maybe you can offer him another bounty since people will try to bribe their way in). Is there perhaps a checksum to prove it is the original?

Do it or die.
Are you the hacker looking to double your money? A bargain indeed. Right.
N12
donator
Activity: 1610
Merit: 1010
Intersango/(My)Bitcoin(ica) Consultancy, you guys better offer a nice fat 18.5k BTC bounty for the database or you will likely be sued into insolvency!

There were already plenty of people who suspected a database loss. I was tempted to file a false claim a few days ago myself. Do you really think there is a way for you not to overpay some, and therefore underpay others without the database?

It is an absolute bargain since there is no other way to allocate funds without risking losing MORE funds than deposited. I hope the hacker will accept an initial offer and not abuse his position. I also hope he will not tamper with the database (maybe you can offer him another bounty since people will try to bribe their way in). Is there perhaps a checksum to prove it is the original?

Do it or die.
vip
Activity: 490
Merit: 502
Suggestion:

Offer a 18.5k BTC bounty for whoever releases a copy of the database.

The database isn't worth 18.5k.

No, it is actually worth much more than that, since quite a few people will be suing Bitcoinica if their balance does not satisfy them.

You better negotiate a good deal with the hacker, or you are pretty sure to be made insolvent.

edit:

bulanula, there are ways to anonymously release the database along with a Bitcoin address.

Assume that 99% of the balances have already been claimed, the extra loss due to over-claims is less than 18.5k BTC. This is my speculation based on the information I have though. I haven't verified them.

The following is my suggestion to Bitcoinica, I can disclose it because it won't make resolving problems more difficult:

Now the thing needed to do is to filter the false claims using the resources we already have, including:

- Support emails
- Outgoing transactional emails (deposit, withdrawal and order execution notifications)
- Previous accounting reports
- Partner records, including Mt. Gox, BitInstant, banks
- Block chain (We roughly know what addresses we have based on the transactional emails)

The reputation of the account owner can also be taken into consideration, i.e. if you have demonstrated consistent integrity in the community, you should get your funds back at first opportunity. If the database (which might be leaked) records suggest discrepancies, you should feel comfortable returning the extra.

If the claimed account balance is tiny, such as 1 BTC or $1 USD, you should also receive a refund as long as the account ownership can be verified.

If there are no outgoing transactional emails sent (within 60 days), no support emails ever, no passport photo uploaded, we will have to use extra evidence (Bitcoin address ownership and Mt. Gox code history) to prove account ownership. Most likely the claims are illegitimate. We are unlikely to have inactive users with large amounts of funds.

The most questionable claims will be the ones without reported positions but with large balances from people who are not reputable. Most likely these people are trying to hide their unrealized losses in the claims after knowing that the database has been deleted.

I know there's some personal judgement involved in the suggestion, but that will be my way of handling this. It will keep the majority of people happy while reducing most false positives. If my suggestion is accepted, the general rule is, you can get your funds more fully (partial payments are possible), sooner and less evidence is required if:

--- Disclaimer: Pure suggestion. NOT OFFICIAL ---

- Your bitcointalk.org profile or Bitcoin-OTC rating shows you as reputable and trustworthy. (50 Points)
- You can supply at least one transactional email you have received which perfectly matches our outgoing transactional email records. (30 Points)
- You can provide passport scans and you have provided them to Bitcoinica (even if it's pending verification). (40 Points)
- The order of magnitude of your reported balance is consistent with our outdated accounting records. (30 Points)
- You can recall the balances exactly or very precisely. (20 Points)
- You have reported a losing position, with precise details. (20 Points)
- You have contacted Bitcoinica Support at least once since September 2011. (10 Points)
- Your email can be searched online and matches your identity. (10 Points)
- You can provide proof of Bitcoin address ownership (signature), Mt. Gox code you have used/obtained or accurate details of large transaction records (>2500 BTC) that match our hedging activity. (10 Points each kind of evidence)
- Another reputable member supports your claim. (10 Points)
- You have used wire transfer, BitInstant or AurumXchange to deposit/withdraw funds and they can verify the records. (10 Points)
- You have submitted the claim within the first 24 hours since the announcement. (10 Points)

If there are no transactional emails or support emails ever sent to the claimed address, 0 Points for now.

If you get >= 100 Points, you should be refunded immediately.
If you get >= 50 Points, you can expect partial refunds first. The percentage of partial payments will be calculated using the formula (let P be the points you get):

Partial payment in % = (P/10)^2

e.g. If you get 90 Points, you receive 81% of the claimed amount first. If you get 50 Points, you receive 25% of the claimed amount first.

The rest of the claimed amount will be honored after every request has been processed. Then we can use cross reference to match the remainder records, and hopefully a copy of the database can be obtained or leaked. If needed, we can also use external moderation to decide asset ownership.

--- Disclaimer: Pure suggestion. NOT OFFICIAL ---
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Per standard practice, Bitcoin Consultancy entered into a non-disclosure agreement which extends to Bitcoinica's proprietary systems and processes. They are free to discuss their role and history with the company.
Thank you for this. We are incredibly happy. We will need to clear up some distinctions and make sure the account is in fact Tihan's account. He can do so via confirmation in email or on skype. We also need clarification as to what "role and history" means.
Heh, it would be kind of ironic if someone was actually running a sock donator account under his name. At least you are covering that angle to be sure it is him.
donator
Activity: 980
Merit: 1000
Remember when I said I had already pulled all my moniez from Bitcoinica? I was kidding, actually I had 10000 BTC.

*Runs to fill the claim*  Grin
full member
Activity: 182
Merit: 100
By the way, good luck to ever get a VC company or individual to ever invest in a Bitcoin project, ever again!

Thank you InsterSCAMgo! You have further fucked Bitcoin's future by your gross negligence!
hero member
Activity: 518
Merit: 500
Bitcoins are as much of a property as WoW Gold, potatoes or USD, you retard. The law doesn’t care what it is, as long as a contract exists.

BTW, don’t you have 25 BTC to repay?

BTC is electrons in a computer mate as far as the law is concerned or a crypto message not money or a possession.

Stop trying to divert the discussion offtopic and show me one entity that has been brought to justice due to "stealing" BTC.

Not shakaru, not mybitcoin, not MrMoon, not bitcoin7, not bitomat, not bitcoinica ...

What did the security "investimagation" reveal, according to the topic title? The hacker couldn't have erased all the logs. There must be some IPs left. Were the police called to investigate?

Maybe Rackspace had some logs left from him accessing the control panel ?
N12
donator
Activity: 1610
Merit: 1010
Bitcoins are as much of a property as WoW Gold, potatoes or USD, you retard. The law doesn’t care what it is, as long as a contract exists.

BTW, don’t you have 25 BTC to repay?
hero member
Activity: 518
Merit: 500
Suggestion:

Offer a 18.5k BTC bounty for whoever releases a copy of the database.

The database isn't worth 18.5k.

No, it is actually worth much more than that, since quite a few people will be suing Bitcoinica if their balance does not satisfy them.

You better negotiate a good deal with the hacker, or you are pretty sure to be made insolvent.

Show me one case where people have been sued due to BTC otherwise you are FUDging.

Sue for USD ? Most likely but if tomorrow Intersango ran with all the BTC they had nobody could do a thing.
N12
donator
Activity: 1610
Merit: 1010
Suggestion:

Offer a 18.5k BTC bounty for whoever releases a copy of the database.

The database isn't worth 18.5k.

No, it is actually worth much more than that, since quite a few people will be suing Bitcoinica if their balance does not satisfy them.

You better negotiate a good deal with the hacker, or you are pretty sure to be made insolvent.

edit:

bulanula, there are ways to anonymously release the database along with a Bitcoin address.
hero member
Activity: 518
Merit: 500
Offer a bounty for the database ? The hacker would be most stupid to release it as that could identify him pretty quickly.

Also, it seems to me that zhoutong is not at fault here but the incompetence of "InterSCAMgo" as shadow puts it.

Too bad there are no other UK exchanges ...  
hero member
Activity: 686
Merit: 500
Shame on everything; regret nothing.
Suggestion:

Offer a 18.5k BTC bounty for whoever releases a copy of the database.

Effectively paying the hacker 36.5K BTC ?   Huh

well you've been sarcastic about this before.  yes let's pay all the haxors and shorting all teh coinz   Grin
hero member
Activity: 504
Merit: 502
Suggestion:

Offer a 18.5k BTC bounty for whoever releases a copy of the database.

The database isn't worth 18.5k.  Your suggestion would just add another cost.

A bounty isn't crazy though; enough to cover the cost of the manual work of restoration and perhaps a bit extra for the benefit to goodwill.
hero member
Activity: 686
Merit: 500
Shame on everything; regret nothing.

Seems to me the hacker is a small group of people from which an individual should easily be identified.

Why has this not happened ? It is not like the hacker was some unknown entity out of the blue.


Gooooooooood question; like most good questions though, it needs to be asked more than once or twice.  So yeah I am wondering this as well.

Read the thread : the only thing I had in the bucket shop is $1 bonus I got from zhoutong Cheesy

Not going to give my info to a bunch of incompetents to get it back anyway.

yeah nah dude i've read every letter -- right there with ya.  just joshin' around, munchin' my corn   Smiley
N12
donator
Activity: 1610
Merit: 1010
Suggestion:

Offer a 18.5k BTC bounty for whoever releases a copy of the database.
hero member
Activity: 504
Merit: 502
I wasn't sure whether talking about the database was even permitted, so I skipped such questions. Now genjix has already said that, because either:

- He didn't communicate much with the rest of the team (i.e. doesn't understand why we are hiding)
Or
- He was granted the right to talk (I don't know)

I see you're ignoring my (and others') advice to stop airing your internal business disagreements publicly.

Throughout the whole event, I have always been following Bitcoinica Consultancy's standard of disclosure. The reason that database deletion was not disclosed is that they were afraid of inaccurate claims that would worsen the losses.

That's understandable, but irrelevant.  As muyuu points out: the loss of the database had been guessed at (unless you think people were asking about the database backups because they were totally confident it existed?).

I believe that any claims or claims modifications submitted after this point should be treated as false unless very concrete evidence has been given.

I'm afraid that this attitude reveals your naivete on security.  All claims should be treated as false unless concrete evidence is available.  Not "after this point"... all of them.  You don't trust anything or anyone.  What other way is there of running a secure system?

The hacker later restored the emergency image so he should possess a copy of the database. After that, he deleted all servers and all files in Cloud Files (like S3) including server backups.

If only the hacker had lived up to his promise that we should "expect a mass leak", eh?  His copy of that database would come in very handy.  Are you listening Mr Hacker?  Do us all a favour and drop a copy somewhere.  You've had your money; and you've effectively destroyed Bitcoinica's business... now you're just making life for the rest of us difficult.

According to the information I have, returning funds to clients is not impossible. I suggested some ideas but they were rejected by Bitcoinica Consultancy for different reasons. I understand their situation though, and my offer to take over remains open.

To be honest; now that we know what the difficulty is, I really don't see what magic wand you think you can wave to recreate records faster than the Bitcoin Consultancy team.  To me, it seems that this is going to be a matter of a long hard slog of manually reconciling claim requests with deposit and withdrawal records.

Further, despite your wonderboy reputation, it seems that you are the more fundamentally at fault (technically) here than Bitcoin Consultancy -- it's true that they left the door open to their own systems, but it's you who have had many months to prepare for and mitigate against disasters and didn't.  Even without considering hackers; what if Rackspace had gone unexpectedly bust?  What if a natural disaster wiped out electricity to their datacentre?  Mistakes in the heat of the moment are forgivable, mistakes made with time available for consideration are less so -- especially when they are easily foreseen mistakes.
