Thanks for the update.
- Later we found out that Patrick's email server was compromised, and since he is in our mailing list, all emails sent to info@bitcoinica.com were delivered to his compromised email account.
I normally don't go in for mud-slinging, but Patrick has history. This is "Patrick the self-proclaimed security expert"? This is "Patrick who released all the emails of Intersango's customer base"?
- How hard is it to secure an email server? Jeez, the days of ten sendmail hacks a month are long behind us.
- Again: emails are postcards; can all you supposed security experts stop treating them as if they are secure point-to-point communications? Why wasn't gpg used for these reset emails?
- What raving lunatic has a password reset system going to a mailing list?
- A "security expert" with a compromised email server doesn't sound good to me. In all the time he was penetration testing all the other exchanges, he couldn't have done a bit to secure his own servers?
- How long has this server been compromised? Is it the Intersango email server? Have all Intersango communications been compromised too?
- Is this more than just an email server? What other services were running on this compromised machine?
- We are now working on a settlement plan. Patrick is in charge of the claim page.
You'll forgive me if, given the current situation, that doesn't inspire me with confidence.
So much so that I think we should all start asking for considerably more detail about how Intersango is organised internally. How much is in the hot wallet there? How is that hot wallet secured? Is Intersango VPS hosted as well? Is it Rackspace too?