
Topic: [Payout Updates] Bitcoinica site is taken offline for security investigation - page 12. (Read 156693 times)

hero member
Activity: 486
Merit: 500
Well, we can officially say Bitcoinica is dead. They have no plans on reopening; who would ever deposit anything with them when they can't even refund customer funds or even give an update on what they are gonna do with the remaining 70% of funds.
legendary
Activity: 1596
Merit: 1099

More gross negligence then.  They can't use customer deposits to pay for legal defense, so what is their excuse for not paying refunds?  Childish revenge?

It is irrelevant whether or not the funds would be used for legal defense (one presumes they would not).

If lawsuits are threatened, as another mentioned, most lawyers would advise stopping refunds until all legal challenges are completed and the court settles refund amounts and claimants.  Bitcoinica would not want to refund, and then have a court show they should not have refunded X amount to Y person.

So, good show, chaps.  You have now delayed your refunds for at least another year or two.

legendary
Activity: 1526
Merit: 1001
Well, well, well. Say I had this customer's account full of money but no money myself, and I knew more than a couple big fish are going to sue me. Or maybe just this one guy with over 20k Bitcoins lost that gave me a one day ultimatum to repay him before he starts legal actions. I might be tempted to leave my MtGox account unlocked for just one more "hacker" attack. Pure self-defense and desperation. People will blame it on genjix for leaking the source code. He's being set up I guess, and the only one near Patrick, Donald, Tihan, and Weldon who I think is innocent here.
donator
Activity: 544
Merit: 500
More gross negligence then.  They can't use customer deposits to pay for legal defense, ...
This is a very interesting point and I'll surely bring it to the attention of others. This did not occur to me. Thank you for bringing this up.

... so what is their excuse for not paying refunds?  Childish revenge?
I don't know and it's becoming less and less likely that anyone will even care. I was trying to stay out of it, in fact I said that there can be a reasonable explanation why the communication appears to be weird and the payouts are slow: https://bitcointalksearch.org/topic/m.903915

Then I wrote Genjix that I highly recommend they hire professionals because people are unhappy and it might not end up well. That was last Thursday. The next day, poof!, another hack. I am a patient man, but my patience is not infinite. Surely there are plenty of others who are much less patient than me.
legendary
Activity: 1652
Merit: 1128
Where's my money!!! I sent you all my Bitcoinica emails, all my MtGox codes (only method used to fund the account), I filed a claim and haven't received ANY emails back. I talked to phantomcircuit in IRC and he told me that my account was small and I should wait an additional 3-4 days. That was two weeks ago. Not getting paid is one thing, not getting a SINGLE REPLY to my emails is another. WTF is taking so long! I want my M*therF*cking MONEY!

Last week was before another ~$350,000 was stolen.  I suspect that everyone will now be waiting more than a few additional days for the processing of claims to resume.
I am afraid they will completely stop the payouts because of this: https://bitcointalksearch.org/topic/class-action-litigation-vs-bitcoinica-consultancy-ltd-intersango-ltd-93109


They probably will. I can't imagine anyone with any sense would touch the money that's left with all that's going on, at least until the lawyers get through with discovery and work something out.
hero member
Activity: 868
Merit: 1000

It could also get messy if the limited partner sues the general partner.  There really aren't any good options any more, only least worst ones.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Please excuse me if someone has already asked about this as I don't wish to wade through the entire thread (I have now & it doesn't seem to have been brought up as yet), but it has just struck me that in addition to not using the free LastPass 2FA or the YubiKey that comes with a pro account, which LastPass promote heavily & is an obvious must, they also can't have had any 2FA on their Mt. Gox account, like the Mt. Gox YubiKey that is needed both for logging on & for withdrawals.

This has got to be deliberate imo: to leave such a stash of clients' cash just sitting there & then not use the most basic protections that secure it looks like a clear case of leaving plausible deniability to me - that is, if anyone could imagine them being so negligent about the funds they were meant to be looking after in the first place.

Of course with the YubiKeys it would need a staged physical break-in to pull off - far too risky, police have to be informed etc., so playing the incompetence card instead imo. "Oh, we put it all in this online wallet & didn't bother to secure it or the access to it, just like last time & the time before." Even Inspector Clueless might just have spotted a pattern here.

Is it possible that 2FA would prevent them from having shared access to accounts, so they skipped it? Still bad practice, but at least provides some explanation for this madness.


No. LastPass allows several Yubikeys to be used on a single account, I believe the limit is 6 or 8. However, this would have been an issue with MtGox, unless they used GA and shared the GA secret.
hero member
Activity: 812
Merit: 1001
Quote
  • Review the data center’s disaster recovery plan (they may have missed this one, but 6(?) outta 7 ain't bad)

Basically, information security is mostly concerned with the so-called CIA of data, i.e. confidentiality, integrity and availability.

Integrity is one of the major goals here, and "offsite backups" is always the very first thing one looks into when dealing with data integrity.

From my point of view they blew not 1 out of 7, but 3 out of 3.
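The "offsite backups are the first thing one looks at for integrity" point above, as an added example that is not code from the thread: sealing a backup with a keyed manifest so that a restore can tell a modified, truncated or missing file from the original. The file names, contents and key are constructed; the manifest key is assumed to be held by the operator separately from the backup copy (if it travelled with the backup, whoever could rewrite the backup could rewrite a matching manifest too).

```python
"""Added example (not from the thread): an integrity check for an offsite backup,
so a restore can detect a tampered, truncated or missing file before trusting it."""
import hashlib
import hmac
import json
import os
import tempfile

ALGO = "sha256"


def file_digest(path: str) -> str:
    """Streamed SHA-256 of one file, so large wallet/database dumps don't need to fit in memory."""
    h = hashlib.new(ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: str, key: bytes) -> dict:
    """Hash every file in the backup, then seal the listing with an HMAC under `key`.
    A plain hash list only catches accidental corruption; the keyed tag also catches
    deliberate substitution by someone who can write to the backup location."""
    files = {name: file_digest(os.path.join(backup_dir, name))
             for name in sorted(os.listdir(backup_dir))}
    body = json.dumps({"algo": ALGO, "files": files}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_backup(backup_dir: str, key: bytes, manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means the copy matches the sealed manifest."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest: HMAC mismatch (manifest altered or wrong key)"]
    files = json.loads(manifest["body"])["files"]
    problems = []
    for name, digest in files.items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(file_digest(path), digest):
            problems.append(f"{name}: hash mismatch")
    for name in os.listdir(backup_dir):
        if name not in files:
            problems.append(f"{name}: not in manifest")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: seal a two-file backup, verify it clean, then flip one
    byte in the wallet file and verify again."""
    key = b"operator-held-manifest-key"  # constructed; stored apart from the backup
    with tempfile.TemporaryDirectory() as d:
        wallet = os.path.join(d, "wallet.dat")
        with open(wallet, "wb") as f:
            f.write(b"\x00" * 64 + b"constructed wallet contents" + b"\x00" * 64)
        with open(os.path.join(d, "db.sql"), "wb") as f:
            f.write(b"-- constructed database dump\n")
        manifest = build_manifest(d, key)
        before = verify_backup(d, key, manifest)
        with open(wallet, "rb") as f:
            data = bytearray(f.read())
        data[70] ^= 0x01                     # one-bit change, as a silent corruption would be
        with open(wallet, "wb") as f:
            f.write(data)
        after = verify_backup(d, key, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Verifying on restore is the half of the job this shows; the other half, which no code enforces, is that the sealed copy lives somewhere the primary site's compromise cannot reach (a different provider or an offline medium), otherwise an attacker with the production credentials removes the backup along with the data.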


legendary
Activity: 2198
Merit: 1311
What else is there to say, really?

July 15, 2012 - We are sad to report someone has broken into our home and taken our laptop containing the cold storage wallet for the remainder of the Bitcoinica funds.  We didn't think to encrypt the wallet because we thought it was safe.  Sorry :(

They might as well hurry up and get on with that announcement then.
hero member
Activity: 812
Merit: 1001
I would speculate that "CTO with specialisation in information security" thought that "Information Security Audit" = "code audit for SQL injection and XSS and such" plus maybe a port scan.

Given all that we know now this would be the most plausible and simple explanation.



hero member
Activity: 868
Merit: 1000


Exactly! Tihan Seale brought in the Intersango team to do a security audit on Bitcoinica, owned by the same team.


The Intersango guys were not the owners of Bitcoinica when they were brought in to do the security audit.  That's a rather important point in itself because it means that they assumed responsibility for operating the company knowing there were existing vulnerabilities.  Whether Bitcoinica should have been taken offline at that point (i.e., prior to the Rackspace intrusion) until those vulnerabilities were addressed is an interesting question.

legendary
Activity: 1022
Merit: 1000
So how is this latest disaster going to affect the payouts? When will the payouts resume?


(no comments)
Bitcoinica will reimburse 100% of claims before 2013?
http://betsofbitco.in/item?id=499
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Intersango guys were paid to do a review of the source code. I got this personally from an Intersango guy. If they checked this out and left the password in the code? Umm? WTF?

And if Intersango guys uploaded that code and password to the public?

WTF!!

I see why police will not be called....


Tihan said in his first post that Intersango was brought in to do a security audit in March.  No one has disputed that.  When asked why the Rackspace hack happened after they'd completed the audit and become general partners, they said they'd been focusing on fixing the code.  All of this was publicly known prior to the MtGox intrusion.

Exactly! Tihan Seale brought in the Intersango team to do a security audit on Bitcoinica, then owned by the same team.

http://en.wikipedia.org/wiki/Information_security_audit

Quote
  • Meet with IT management to determine possible areas of concern
  • Review the current IT organization chart
  • Review job descriptions of data center employees
  • Research all operating systems, software applications and data center equipment operating within the data center
  • Review the company’s IT policies and procedures
  • Evaluate the company’s IT budget and systems planning documentation
  • Review the data center’s disaster recovery plan (they may have missed this one, but 6(?) outta 7 ain't bad)