Pages:
Author

Topic: [Payout Updates] Bitcoinica site is taken offline for security investigation - page 12. (Read 156711 times)

hero member
Activity: 486
Merit: 500
Well we can officially say bitcoincia is dead. They have no plans on reopening up, who would ever deposit anything with them when they can't even refund customer funds or even give a update on what they are gonna do with the remaining 70% funds.
legendary
Activity: 1596
Merit: 1100

More gross negligence then.  They can't use customer deposits to pay for legal defense, so what is their excuse for not paying refunds?  Childish revenge?

It is irrelevant whether or not the funds would be used for legal defense (one presumes they would not).

If lawsuits are threatened, as another mentioned, most lawyers would advise stopping refunds until all legal challenges are completed and the court settles refund amounts and claimants.  Bitcoinica would not want to refund, and then have a court show they should not have refunded X amount to Y person.

So, good show, chaps.  You have now delayed your refunds for at least another year or two.

legendary
Activity: 1526
Merit: 1001
Well, well, well. Say I had this customer's account full of money but no money myself, and I knew more than a couple big fish are going to sue me. Or maybe just this one guy with over 20k Bitcoins lost that gave me a one day ultimatum to repay him before he starts legal actions. I might be tempted to leave my MtGox account unlocked for just one more "hacker" attack. Pure self-defense and desperation. People will blame it on genjix for leaking the source code. He's being set up I guess, and the only one near Patrick, Donald, Tihan, and Weldon who I think is innocent here.
donator
Activity: 544
Merit: 500
More gross negligence then.  They can't use customer deposits to pay for legal defense, ...
This is a very interesting point and I'll surely bring it to the attention of others. This did not occur to me. Thank you for bringing this up.

... so what is their excuse for not paying refunds?  Childish revenge?
I don't know and it's becoming less and less likely that anyone will even care. I was trying to stay out of it, in fact I said that there can be a reasonable explanation why the communication appears to be weird and the payouts are slow: https://bitcointalksearch.org/topic/m.903915

Then I wrote Genjix that I highly recommend they hire professionals because people are unhappy and it might not end up well. That was last Thursday. The next day, poof!, another hack. I am a patient man, but my patience is not infinite. Surely there are plenty of others who are much less patient than me.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970

More gross negligence then.  They can't use customer deposits to pay for legal defense, so what is their excuse for not paying refunds?  Childish revenge?
legendary
Activity: 1652
Merit: 1128
Wheres my money!!! I sent you all my bitcoinica emails, all my mtgox codes (Only method used to fund account), I filed a claim and haven received ANY emails back. I talked to phantomcircuit in IRC and he told me that my account was small and i should wait an additional 3-4 days. That was two weeks ago. Not getting paid is one thing, not getting a SINGLE REPLY from my emails is another. WTF is taking so long! I want my M*therF*cking MONEY!

Last week was before another ~$350,000 was stolen.  I suspect that everyone will now be waiting more than a few additional days for the processing of claims to resume.
I am afraid they will completely stop the payouts because of this: https://bitcointalksearch.org/topic/class-action-litigation-vs-bitcoinica-consultancy-ltd-intersango-ltd-93109


They probably will. I can't imagine anyone with any sense would touch the money that's left with all that's going on, at least until the lawyers get through with discovery and work something out.
hero member
Activity: 868
Merit: 1000

It could also get messy if the limited partner sues the general partner.  There really aren't any good options any more, only least worst ones.
aq
full member
Activity: 238
Merit: 100
Wheres my money!!! I sent you all my bitcoinica emails, all my mtgox codes (Only method used to fund account), I filed a claim and haven received ANY emails back. I talked to phantomcircuit in IRC and he told me that my account was small and i should wait an additional 3-4 days. That was two weeks ago. Not getting paid is one thing, not getting a SINGLE REPLY from my emails is another. WTF is taking so long! I want my M*therF*cking MONEY!

Last week was before another ~$350,000 was stolen.  I suspect that everyone will now be waiting more than a few additional days for the processing of claims to resume.
I am afraid they will completely stop the payouts because of this: https://bitcointalksearch.org/topic/class-action-litigation-vs-bitcoinica-consultancy-ltd-intersango-ltd-93109
hero member
Activity: 868
Merit: 1000
Wheres my money!!! I sent you all my bitcoinica emails, all my mtgox codes (Only method used to fund account), I filed a claim and haven received ANY emails back. I talked to phantomcircuit in IRC and he told me that my account was small and i should wait an additional 3-4 days. That was two weeks ago. Not getting paid is one thing, not getting a SINGLE REPLY from my emails is another. WTF is taking so long! I want my M*therF*cking MONEY!

Last week was before another ~$350,000 was stolen.  I suspect that everyone will now be waiting more than a few additional days for the processing of claims to resume.
Activity: -
Merit: -
Wheres my money!!! I sent you all my bitcoinica emails, all my mtgox codes (Only method used to fund account), I filed a claim and haven received ANY emails back. I talked to phantomcircuit in IRC and he told me that my account was small and i should wait an additional 3-4 days. That was two weeks ago. Not getting paid is one thing, not getting a SINGLE REPLY from my emails is another. WTF is taking so long! I want my M*therF*cking MONEY!
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Please to excuse me if someone has already asked about this as I don't wish to wade through the entire thread, (I have now & it doesn't seem to have been brought up as yet), but it has just stuck me that in addition to not using the free Lastpass 2FA or the Yubi key that comes with a pro-account which Lastpass promote heavily & is an obvious must, they also can't have had any 2FA on their Mt. Gox account like the Mt. Gox Yubi key that is needed for both logging on & for withdrawals.

This has got to be deliberate imo to leave such a stash of client's cash just sitting there & then to not use the most basic protections that secure it, looks like a clear case of leaving plausible deny-ability to me - that is if anyone could imagine them being so negligent about the funds they were meant to be looking after in the first place.

Of course with the Yubi keys it would need a staged physical break in to pull off - far too risky, police have to be informed etc, so playing the incompetence card instead imo, Oh we put it all in this Online wallet & didn't bother to secure it or the access to it just like last time & the time before, even Inspector Clueless might just have spotted a pattern here.

Is it possible that 2FA would prevent them from having shared access to accounts, so they skipped it? Still bad practice, but at least provides some explanation for this madness.


No. LastPass allows several Yubikeys to be used on a single account, I believe the limit is 6 or 8. However, this would have been an issue with MtGox, unless they used GA and shared the GA secret.
full member
Activity: 235
Merit: 100
Please to excuse me if someone has already asked about this as I don't wish to wade through the entire thread, (I have now & it doesn't seem to have been brought up as yet), but it has just stuck me that in addition to not using the free Lastpass 2FA or the Yubi key that comes with a pro-account which Lastpass promote heavily & is an obvious must, they also can't have had any 2FA on their Mt. Gox account like the Mt. Gox Yubi key that is needed for both logging on & for withdrawals.

This has got to be deliberate imo to leave such a stash of client's cash just sitting there & then to not use the most basic protections that secure it, looks like a clear case of leaving plausible deny-ability to me - that is if anyone could imagine them being so negligent about the funds they were meant to be looking after in the first place.

Of course with the Yubi keys it would need a staged physical break in to pull off - far too risky, police have to be informed etc, so playing the incompetence card instead imo, Oh we put it all in this Online wallet & didn't bother to secure it or the access to it just like last time & the time before, even Inspector Clueless might just have spotted a pattern here.

Is it possible that 2FA would prevent them from having shared access to accounts, so they skipped it? Still bad practice, but at least provides some explanation for this madness.

hero member
Activity: 812
Merit: 1001
-
Quote
  • Review the data center’s disaster recovery plan (they may have missed this one, but 6(?) outta 7 ain't bad)

Basically Information Security is mostly concerned with so called CIA of data.
i.e.
confidentiality, integrity, availability (CIA) of data.

Integrity is one of the major goals here and "offsite backups"  is always the very first thing one looks into when dealing with data integrity.

From my point of view they blew not 1 of of 7, but 3 out of 3.


legendary
Activity: 2198
Merit: 1311
What else is there to say, really?

July 15, 2012 - We are sad to report someone has broken into our home and taken our laptop containing the cold storage wallet for the remainder of the bitcoinica funds.  We didn't think to encrypt the wallet because we thought it was safe.  Sorry  Sad

They might as well hurry up and get on with that announcement then.
hero member
Activity: 812
Merit: 1001
-
I would speculate that "CTO with specialisation in information security" thought that "Information Security Audit" = "code audit for SQL injection and XSS and such" plus maybe a port scan.

Given all that we know now this would be the most plausible and simple explanation.



hero member
Activity: 868
Merit: 1000


Exactly! Tihan Seale bought in the Intersango team to do a security audit on Bitcoinica owned by the same team.


The Intersango guys were not the owners of Bitcoinica when they were brought in to do the security audit.  That's a rather important point in itself because it means that they assumed responsibility for operating the company knowing there were existing vulnerabilities.  Whether Bitcoinica should have been taken offline at that (ie, prior to the Rackspace intrusion) point until those vulnerabilities were addressed is an interesting question.

legendary
Activity: 1022
Merit: 1000
So how is this latest disaster going to affect the payouts? When will the payouts resume?


(no comments)
Bitcoinica will reimburse 100% of claims before 2013?
http://betsofbitco.in/item?id=499
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Intersango guys were paid to do a review of the source code. I got this personally from an Intersango guy. If they checked this out and left the password in the code? Umm? WTF?

And if Intersango guys uploaded that code and password to the public?

WTF!!

I see why police will not be called....


Tihan said in his first post that Intersango was brought in to do a security audit in March.  No-one has disputed that.  When asked about why the Rackspace hack happened after they'd completed the audit and become general partners, they said they'd been focusing on the fixing the code.  All of this was publicly known prior to the MtGox intrusion.

Exactly! Tihan Seale bought in the Intersango team to do a security audit on Bitcoinica then owned by the same team.

http://en.wikipedia.org/wiki/Information_security_audit

Quote
  • Meet with IT management to determine possible areas of concern
  • Review the current IT organization chart
  • Review job descriptions of data center employees
  • Research all operating systems, software applications and data center equipment operating within the data center
  • Review the company’s IT policies and procedures
  • Evaluate the company’s IT budget and systems planning documentation
  • Review the data center’s disaster recovery plan (they may have missed this one, but 6(?) outta 7 ain't bad)
hero member
Activity: 868
Merit: 1000
Intersango guys were paid to do a review of the source code. I got this personally from an Intersango guy. If they checked this out and left the password in the code? Umm? WTF?

And if Intersango guys uploaded that code and password to the public?

WTF!!

I see why police will not be called....



Tihan said in his first post that Intersango was brought in to do a security audit in March.  No-one has disputed that.  When asked about why the Rackspace hack happened after they'd completed the audit and become general partners, they said they'd been focusing on the fixing the code.  All of this was publicly known prior to the MtGox intrusion.
donator
Activity: 3108
Merit: 1166
Please to excuse me if someone has already asked about this as I don't wish to wade through the entire thread, (I have now & it doesn't seem to have been brought up as yet), but it has just stuck me that in addition to not using the free Lastpass 2FA or the Yubi key that comes with a pro-account which Lastpass promote heavily & is an obvious must, they also can't have had any 2FA on their Mt. Gox account like the Mt. Gox Yubi key that is needed for both logging on & for withdrawals.

This has got to be deliberate imo to leave such a stash of client's cash just sitting there & then to not use the most basic protections that secure it, looks like a clear case of leaving plausible deny-ability to me - that is if anyone could imagine them being so negligent about the funds they were meant to be looking after in the first place.

Of course with the Yubi keys it would need a staged physical break in to pull off - far too risky, police have to be informed etc, so playing the incompetence card instead imo, Oh we put it all in this Online wallet & didn't bother to secure it or the access to it just like last time & the time before, even Inspector Clueless might just have spotted a pattern here.
Pages:
Jump to: