Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation - page 9. (Read 224562 times)

Seems to me the hacker is a small group of people from which an individual should easily be identified.

Why has this not happened ? It is not like the hacker was some unknown entity out of the blue.

Read the thread : the only thing I had in the bucket shop is $1 bonus I got from zhoutong

Not going to give my info to a bunch of incompetents to get it back anyway.

You don't need anything in Bitcoinica when you just took them for 18K BTC ...

hey man i'm just doing what your sig told me to 

* Goes to get the popcorn and claim $ 1 million on claims.bitcoinica.com *

What's up ?

In all seriousness, how long do you think this will take ( months / weeks ) ?

This is all affecting the price even if I don't have anything in Bitcoinica.

I said as much in an earlier post.

The fact that they asked for the things they asked was quite suspicious in regards to having the passwords or not.

BUT, it makes absolute sense that they didn't tell. You cannot tell people that you really don't know exactly what they had. That leads to a very obvious tragedy of the commons kind of situation if everybody starts claiming for more than they really had.

I wasn't sure whether talking about the database was even permitted, so I skipped such questions. Now genjix has already said that, because either:

- He didn't communicate much with the rest of the team (i.e. doesn't understand why we are hiding)
Or
- He was granted the right to talk (I don't know)

Throughout the whole event, I have always been following Bitcoinica Consultancy's standard of disclosure. The reason that database deletion was not disclosed is that they were afraid of inaccurate claims that would worsen the losses.

I believe that any claims or claims modifications submitted after this point should be treated as false unless very concrete evidence has been given.

We had automated backups to back up the database and the wallet. During the hacking, I also created an emergency backup to preserve the current database. However, I was misled by one Rackspace support guy who claims that the hacker "can't do anything" to the servers which are suspended by engineers. All command buttons are disabled. I never noticed the hidden feature to delete the server. (i.e. if you're hacked, they can't log the hacker out, instead, they suspend all the servers so the hacker can't do anything but delete them.)

The hacker later restored the emergency image so he should possess a copy of the database. After that, he deleted all servers and all files in Cloud Files (like S3) including server backups.

It's my fault to not set up a offline backup schedule. Tihan used to run the accounting reports regularly (which is like offline backups) but he stopped doing so when I created a stats graph generator for him to automate the reportings. The most current record we have is his previous reports. This is my fault.

According to the information I have, returning funds to clients is not impossible. I suggested some ideas but they were rejected by Bitcoinica Consultancy for different reasons. I understand their situation though, and my offer to take over remains open.

I honestly don't know. Those more involved can hopefully clarify these points. Anything I say would be guesswork.

I'll stop posting now. I've stated everything I know already.

At last.  All is explained.

• Passwords are gone, so they are no use.
• 80% of BTC funds are (I assume, please confirm) still under Bitcoinica's control.
• 100% of USD funds are (I assume, please confirm) still under Bitcoinica's control.
• The problem is you just have a big pool of money and no way of knowing who owns what.
• That entirely explains the crappy claims page.
• That entirely explains the delay in processing claims.
• For we customers: this isn't perfect news, obviously, but it does at least give us some hope that we haven't lost everything.
• If the investor really is doing the decent thing and funding the 20% BTC losses out of their own pocket, then we should all appreciate that and let that be an end to all the legal shouting.
• Certainly no amount of shouting is going to recreate a database that doesn't exist.

In light of some of the above comments, can I reiterate my suggestion to the Bitcoin Consultancy and Zhou Tong?  Stop airing your dirty laundry in public.  Shut up about it right now.  Regardless of whether you feel there's "just one more thing that needs addressing"... button it.  The fastest way to restore your reputations from here (and there is plenty of restoration needed) is to sort the customers out as quickly as possible.  After that is done (and only after), will it be prudent to start your war-of-logs.

I'd also second Vladimir's comment: you really shouldn't be communicating with you business partner using an Internet forum (I would guess you wanted us to be able to appreciate the difficult position you are in: tough luck, keep it to yourselves and take the insults on the chin).  It doesn't inspire confidence that you don't have (a) each other's phone numbers (b) each other's email addresses (c) a good enough relationship that you can talk with each other privately.  Even if (a), (b) or (c) are not true; a professional shouldn't let the customers see how the sausages are made.  Companies are aptly named: you are all one, and letting us see your internal fistfights is extremely damaging.

if there are no backups at all, that's a serious blow for all involved, only viable solution at this point would be to restore account balances based on deposit/withdraw records (blockchain/mtgox logs/etc)

good luck!

yeah, that was a mistake on my part.

I personally learned from ribuck to do just that too and advise all others to consider as a standard practice to never sign any NDA's ever personally.

Incidentally, this is why I never sign NDAs, even though they are sometimes presented as "standard practice".

(Lots of people don't sign them, actually. If you go to a job interview at Google, you will be asked to sign an NDA. But if you don't sign the NDA, you still get the interview.)

An NDA is not needed when the parties are all acting in good faith. And if one of the parties is not acting in good faith, the NDA can be used to stop the good guys from doing what they should be doing.

assuming rackspace has no image backups either?

Please write in simpler english or write in proper english, this post is ridden with mistakes. It's very hard to read it. I don't think a lot of people care about the "logs", such things are open to interpretations. Keep them for courts where they may matter.

Just refund Bitcoinica's customers.

edit: as per genjix's post - now I understand what happened. Complete compromise, all cloud instances were deleted, all up-to-date backups gone. It will take months to refund the customers.

No database backups. Sorry for avoiding the question.

I hoped someone else could clarify this. I don't have all the full details, and would hate to make incorrect statements. I also didn't want to jeopardise efforts to refund people.

From what I gather, there are no backups of the database. Only partial records for accounting which is being used to extrapolate balances. I'm not sure of the exact details, but I think they need a full view of the claims before payouts begin (like a big jigsaw puzzle) to properly cross match records. Hopefully someone better informed will post more details.

zhou: ah, ok. I don't know the exact details and I'll avoid commenting further.
I think Patrick assumed they were not critical hence me saying: "The assumption here was that [email protected] did not have access to critical infrastructure.". I do appreciate that several times, you told people I wasn't involved with Bitcoinica in this thread. I always assume good faith which is why I think it was a fatal miscommunication between team members.

bitcoinBullbear: that's fine. It does annoy me a little that people assume that a decentralised system like Bitcoin consists of a single piece of kosher software. bitcoin.org lists several clients. When security flaws were found, me, Mike Hearn and justmoon helped fix problems on the internal security mailing list. justmoon in fact was very instrumental in many cases for clarifying and proposing fixes for BIP 16. There was a long technical history that led to libbitcoin's creation and it has taken 8 months so far.

That picture is funny. I like it.

rjk, nope. Everyone had root. One person was installing a database, another installed Jenkins.

The anger here is justified. If this happened to me, then I would be extremely mad. I was very pissed at MtGox when they had their problems. It sucks to be no better than MtGox.


Bitcoinica took us on to help secure them.

We decided it was bad practice to make sudden disruptive changes overnight to a production system. Instead the theory was a very gradual replacing of the system while observing changes. Bitcoinica was already very fragile. I still think that was a good decision.

Step 1 - fix the code.

Flaws were already being found in the code. That was the logical first step. That the environment ended up being exploited is simply hindsight. I would prefer not changing a working environment until after knowing how the code operates. An example is that another website accidentally made out a 500 BTC payment when the file permissions were too strict. Similarly changing an aspect of Bitcoinica without proper insight could have had grave consequences.

First you understand the code. Then you run the code. You experiment with a test system. Make improvements. Deploy changes. Change production environment.

The Bitcoinica plan was to do the above while creating a new platform to replace it in the long term.

My inner voyeur want to see the logs, but the whole "it wasn't our fault but we can't tell you what really happened because we're sworn to secrecy" line comes across as whiny teenager shit and it's highly unprofessional.  The best way for anyone involved in this clusterfuck to vindicate themselves and restore their reputation is to quickly process claims and ensure that users are compensated as soon as possible.  Arguing about who did what first distracts from that process and it's going to make the Bitcoin community question how professionally Bitcoinica will be run going forward.  

While it's great for Tihan to step up and accept responsibility, it's Bitcoin Consultancy who will be operating the business - it doesn't matter a damn if people trust Tihan if they don't trust the people who will be in charge of the organisation's day to day operations.  That they're not picking up the phone and talking to each other is hardly confidence inspiring.

I don't know how you seem to believe that Zhou is misrepresenting everything so badly when his comments seem to correlate with the comments that were also made by genjix and Tihan (in respect to the comments made by them, that is)...

It seems kind of chickenshit to me. Just sayin'...

All this NDA talk just seems like fancy ways to sound overly important and stall things indefinitely.

Guess they missed this part of Tihan's post.


It's a bit alarming if they signed an NDA without understanding exactly what "Bitcoinica's proprietary systems and processes" means - lawyers normally nail that shit down.

Seriously? Are you guys talking with your financier on this forum and asking him here to confirm details of your NDA terms? This is getting much closer to that russian comedy youtube videos standard now than ever before!

Who is this guy "Bitcoinica Consultancy"? I was wrong, Bitcoin's entertainment value is not 50$ it is 100$ now.

Here we go guys, all those who were asking all the time what is Bitcoin backed by, you now have your answer. Bitcoin is backed by non-stop entertainment.

Interestingly, Bitcoin Consultancy took over Bitcoinica the same day that Tihan's CoinLab venture secured $500,000 of VC for investment in Bitcoin projects.

http://www.forbes.com/sites/jonmatonis/2012/04/24/coinlab-attracts-500000-in-venture-capital-for-bitcoin-projects/

http://www.geekwire.com/2012/bitcoin-startup-coinlab-lands-funding-tim-draper-monetize-games/