Topic: Zhoutong (Read 3022 times)

Step 1 - fix the code.

Flaws were already being found in the code. That was the logical first step. That the environment ended up being exploited is simply hindsight. I would prefer not changing a working environment until after knowing how the code operates. An example is that the early Intersango accidentally made out a 500 BTC payment when the file permissions were too strict. Similarly changing an aspect of Bitcoinica without proper insight could have had grave consequences.

First you understand the code. Then you run the code. You experiment with a test system. Make improvements. Deploy changes. Change production environment.

The Bitcoinica plan was to do the above while creating a new platform to replace it in the long term.

I think what people are having trouble with is the idea that you didn't expect another attack using a similar method to the one which was used the first time around and that no-one ensured that the new hosting service you chose had a way to lock an attacker out in the event of an intrusion.  Those things seem like massive oversights for people whose reputation is one of being security specialists.  It seems like changes to prevent further attacks are not something which should have been implemented gradually - they're something which should have been a top priority given how often further attacks (whether by the same person or by others) occur following an initial successful intrusion .

If you don't know how much is in cold storage, how in the world can you guarantee 98% of deposits?!


You may not be liable legally, but you are responsible. How long was bitcoinica consultancy (patrick) on the [email protected] mailing list? The announcement was only made on April 25:


you didn't?

Sure anyone could start one (for now) but if the increasingly aggressive forum moderators don't like it it'll be burried.

---

FTR, I remain relatively impressed with the 'moderation in moderation' on the forum though there does seem to be the beginnings of a shift toward increasing censorship of unpopular lines of thought.

Absolutely! It is in hindsight, no arguments here. But note that I am not attacking you at all. I am just pointing out how unreasonable it is to attack Zhou.

Frankly, the only thing I could fault Zhou for, big time, is not taking my information security related advise early on and accepting my resignation over that.

At least since then I had multiply opportunities to enjoy "I told you so" moments.

Sincerely Yours,
Captain Gloat. LOL

Man up.

Your post is so hindsight is 20/20.

It is bad practice to make sudden disruptive changes overnight to a production system. Instead the theory was a very gradual replacing of the system while observing changes. Bitcoinica was already very fragile. I still think that was a good decision.

Just wondering why there'd be one on Zhoutong first. He seems to by far handle all of this more professionally. I hope they let him take over the claims process. Otherwise, I'd doubt we'll ever see any money returned to us. Instead some lawyers and courts will be paid with what's left because the so called consultancy already needs a week for a simple statement let alone finishing a claims process.

There's nothing stopping you from starting one if you believe one should exist.

Why hasn't anyone started a new thread in General Discussion about InterScamgo yet??? Really, they deserve to be put out of business in any case.

On the plus side, VCs are notorious for micro-managing the financials of the enterprises in which they invest so it's likely that extremely detailed financial records were sought prior to Tihan signing on and that they've been closely analysed ever since.  Even in non-financial businesses, one of the first things you do during the transition process is revoke everyone's physical and electronic access and issue new credentials/keys/codes only to those who need currently need them in order to do their job - it's the only way you can be certain of controlling who has current access.  Anyone who's ever had a key could have had it copied and anyone who's ever had a code could have shared it with someone else - and you always assume that they have.

Right, here is a VC backed company with Bitcoin developers and "with specialisation in information security" CTO on board who own and operate a service that got hacked. And you think that it is all fault of a 17 yo who they have hired and who was an employee and later got effectively fired.

Good luck convincing any judge or anyone with a modicum of common sense.

I don't exactly understand your questions. But well, the email compromise has been confirmed by everyone, and the system is solely controlled by Bitcoinica Consultancy.

You can say whatever you want if you have concrete evidence or proof. I have already listed the 15 verifiable points in the other thread and you're welcome to challenge any statement that you believe is wrong.


I communicated with them immediately and they locked down all the servers. However, I was in a false confidence that the data won't be affected because I can't do anything on the servers. I don't blame Rackspace for the hack, but it's a design flaw that resulted in missing the opportunity to recover data. (If they can't suspend the servers, I could probably download the backup immediately to my machine.)
I don't have. I don't even know how much we have in cold storage before the hack.

They were all offline when the thing happened and I was exactly online (at about 10pm UTC+10). I told Tihan and Patrick, but not Amir. I have never communicated with Amir before the hack. I was not even recognised as the employee of Bitcoinica.

I'm not the owner of Bitcoinica and I'm not liable for anything that happened.

I decided to move to Australia in November 2011.

I don't know them.

I never claimed something like that. Citation?
Yes, my Mac autocorrects. Like "organisation" instead of "organization". This was pointed out by Bruno as "wrong spelling".

I didn't even initiate the interest system. Bitcoinica make profits when people trade, not when people deposit.

You don't have to trust me. I can't get a single cent if you trust me.

It's easy to sit behind the computer and throw tomatoes, but my feelings do resonate with the OP.

I've already made some tough accusation at Zhou with a disclaimer that I was speculating.
My gut tells me something is seriously wrong with the way things happened and he's literally getting away with the "perfect crime".
Yes a crime, but I have no evidence so my suspicions don't mean much.

I didn't have any money with Bitcoinica, but I did at one time. It just felt things were going to end in disaster and unfortunately I was right.

Quote from: zhoutong on May 24, 2012, 10:02:57 AM
"I actually LOL'd when I see the mess I'm creating.
...[snip]...
Just that the whole thing is quite funny if I look back. :-D"

Doesn't this say a lot!?!

This reminds me when Flexcoin was up for sale. I was going to buy it.
I was in the middle of negotiating through email and over the phone.
It was almost a done deal until he gave me his proposed timeline for the transition. He wanted to make it happen in a month. I had a different idea.
here's what i had in mind:
1)I buy it, and he continues to operate as normal and I pay him to continue its operations.
2)Notify all the customers of the sale and who I am so they can choose if they want to
  hold their funds there during a lengthy transition.
3)After that, I was hoping to get a copy of the wallet service without any customer data or bitcoins so I had time to familiarize myself
  with how it works and its operations without causing any alarm to the customers.
4)After a couple of months of learning the system, I wanted to yet again let all users know in advance that the new owner was about to get admin access to the server and if they had any issue with this then they should withdraw.
5)Then I hoped to be able to work with the flexcoin team in a positive manner helping them out and slowly taking on more of the operation myself.
6)Finally, I would Take over completely. All password would be reset and only known by me and the team I had hoped to form. And also take over the offline wallet. Again, all this with advance notice to the customers.

So, what happened? The owner was looking to hand it off much sooner as it was a huge distraction to projects that he felt were more important; so, he sold it to another guy the very day I was preparing to send him my more detailed and lengthy timeline. No animosity, He did what he had to do.

There were a couple of reasons I wanted to do it this way. First, I wasn't prepared. Second, I didn't want to alarm the clients and I wanted to give them ample opportunity to discontinue the service if there was something they didn't feel comfortable about. And lastly, there was a perfect opportunity to commit a serious crime and get away with it.
The handing off of server privilege with bitcoins to another is a huge opportunity to steel and blame it on the other guy.

The time I had spent preparing all these contingency plans for a takeover really are hitting home with me as I watch this bitcoinica disaster unfold.

Yes, it looks really bad for a "security team" to have a "security breach", but do realize the ball was dropped in the absolute worst time possible in the worst way possible which was during the hand off. Both are at fault! What proof do they really have that it was an email hack? It was probably the only hole they could find after the hack and had to assume that is where the breech happened, but what if it was something else? You know, Zhou.

Who had the most to loose if there were records in Bitcoinica that pointed to fraud on Zhou's part. Or maybe it wasn't monetary fraud, but simply a big ego damaged!
Who had the ability to send the keys to the server and simultaneously "hack" the server?
Who had the ability to communicate directly with rackspace and potentially find some residue of the servers and databases before it was too late?
Who has the keys to the offline cold storage wallet?
Who was the first to know of the breach and then notify the forum/community, but not even tell his team?
Who conveniently went back to school and didn't have time for us anymore?
Who recently made a huge move to Australia and is getting the hell out of dodge?
Why are there a few bitcointalk accounts that continue to attack the Consultancy (no, I'm not taking their side) very venomously that were created after the first security audit of the Bitcoinica? Planned in advance maybe?
Why does Zhou so boldy claim that these accounts are not him and dares us to compare writing styles, but in another post says he has language software that gives him the ability to write in many different forms or something to that effect?

Yeah, I know. Just a good conspiracy theory, but man I'm sure glad I followed my gut feeling a long time ago and pulled the little I had and resisted the temptation to deposit more even with the cool interest rates they had.

I've lost all trust in Zhou. Maybe I'm wrong, but it will take a whole lot of convincing.

In retrospect, Bitcoin businesses are not ready to survive their original creators/operators/owners.
The only way is to shut down and let the next guy restart it and grow it again.

Shit, that's better than the spread used to be if I recall correctly from when I was playing around with the system.  What's not to love!?!

You can complain all you want, but it's not going to solve the problem.

I have a way to make sure that at least 98% of all customers are satisfied with refunds (including you) while not incurring additional liability for the company. I have no legal obligation to resolve because I'm neither the General Partner of Bitcoinica nor a paid employee. (My employment status is unknown, but I was not paid for work since April 1.)

Bitcoinica Consultancy has three people including two technical experts. They have been working in Bitcoinica for more than one month. And they're assumed to bear all liabilities of Bitcoinica LP.

However, I have offered to take over the dispute resolution for no compensation, no future financial interest in the company, and no additional liability required. I want to be responsible for this even though I'm not legally required to do so.

Honestly, the whole situation is unfair for Bitcoinica Consultancy since they only took over the company a few weeks ago. They didn't make a single cent of profit before incurring such huge losses. I believe that Tihan chose to compensate personally (when he's not legally required to do so) because of the same consideration.

From the information I have, the data we still possess is more than enough to come up a net value for everyone within 5% range. When coupled with the claimed figures, we can even figure out the exact net value for most of the accounts. I believe that Bitcoinica Consultancy also has the ability and expertise to execute the dispute resolution process independently without my help.

You trusted a 17 y/o with your money. Let's forget about age of consent for a moment; even if Zhou Tong is a very intelligent person, he doesn't have the qualification nor the experience to handle complex business needs, yet. Let him do the best he can to fix this then just let him grow up without this being a black mark against him.

One of zhoutong's last posts was to the effect that database recovery is easier than they thought it would be. I'm guessing there is a recent backup to be had, but I don't know. Perhaps you should calm down and have a tad bit more patience.

While you can be pissed of at Zhoutang personally, you should be even more pissed off that the "security experts" who were running the company did not have proper procedures for backing up in place and that they chose to continue using a hosting service which couldn't even kick a hacker off the server in the case of an intrusion.  Why did their security audit not reveal the need for multiple backups in several locations - why had they not implemented such a procedure.  In terms of "things self-proclaimed security experts should be ashamed of and embarrassed by" this is right up there with the H B Gary intrusion by Anonymous.

I don't think it's productive for Zhou to make "I suggested this..." type statements because he has no controlling interest in the company and the decisions will be made by those who do.  There's really little to be gained by maintaining a running log of suggestions he's made which have been rejected, although I understand his inclination to protect himself from personal attack over choices which were not and are not his to make.

Nobody is going to come out of this looking good.  Not even Tihan because he's the one who engaged Bitcoin Consultancy on the basis of their "expertise" and they failed to deliver - a decision he's now stuck with justifying to his investors.

Yes, no doubt Bitcoin Consultancy fucked up too. It was a fatal combination.

But I'm tired of the "rah-rah zhou" / "all bitcoin consultancy's fault" stuff. Bitcoin consultancy can be blamed for the loss of another 18k btc. But the situation is much, much worse than that. And that is (more or less) entirely zhou's fault.