Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation
Board: Bitcoin Discussion
by bitcoinBull on 25/05/2012, 02:10:30 UTC
What have you done?

Nothing. I didn't mean to belittle all that you've done and accomplished, so sorry if it comes across that way.

My only quibble is that it seems overstated and exaggerated at times. Your claim to have written a second implementation of the bitcoin protocol "from scratch" is arguable (I highly doubt that you wrote libbitcoin without referencing anything but Satoshi's whitepaper, but I don't care enough to perform code analysis/comparison with the satoshi client under Gavin's management). And to nitpick even further, a couple lines of bash script included in the bitcoin core project doesn't quite qualify one as a core bitcoin developer, strictly speaking, to my mind. That is all.


To the person above, here's what happened:
- Bitcoinica has an internet mailing list called info@bitcoinica.com
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and log in to rackspace.

The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching, etc. It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then had access to his emails.

Thank you genjix. This honesty and forwardness is what inspires confidence.


Now, how about the bitcoinica user database? Are there any copies?


EDIT: one additional note just because, with this new disclosure, I do agree with genjix's original post that Zhou was dragging their name through the mud. Everyone remember Zhou's original excuse for losing the 40k BTC in the Linode compromise? It was because "the ruby gem didn't support wallet encryption". Zhou has a lot more to learn than he likes to admit.
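The chain of failures genjix describes above ends with an SSH key that lived on a shared development VPS also being accepted by Patrick's server, so whoever copied it could log in from anywhere. One check a defender would run after an incident like that is to audit every authorized_keys entry for missing OpenSSH restrictions: a `from=` host pattern limits where a key may be used from, and `command=` limits what it may do. The script below is an added example written for this page, not code from anyone in the thread or from Bitcoinica; the authorized_keys sample it parses is constructed, and the key blobs in it are not real keys.

```python
"""Audit an OpenSSH authorized_keys file for entries lacking usage restrictions.

Added example, not from the forum thread. Each authorized_keys line is:
    [options] key-type base64-blob [comment]
where options are comma separated and values may be double-quoted (and a
quoted value may itself contain commas, e.g. from="10.0.0.1,10.0.0.2").
"""

# Constructed sample input for this example; the key blobs are placeholders.
SAMPLE = """# constructed sample, not from the thread
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlobNotRealAAAAAAAAAAAAAAAAA dev-vps-shared
from="203.0.113.5",no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlobNotRealBBBBBBBBBBBBBBBBB patrick@laptop
from="192.0.2.0/24,198.51.100.7",command="/usr/local/bin/deploy" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleNotReal deploy-bot
"""


def tokenize(line):
    """Split a line on whitespace, but keep double-quoted option values intact."""
    tokens, cur, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def split_options(field):
    """Split the option field on commas that are outside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in field:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    if cur:
        opts.append("".join(cur))
    return opts


def is_key_type(token):
    """OpenSSH key type names all begin with one of these prefixes."""
    return token.startswith(("ssh-", "ecdsa-sha2-", "sk-"))


def parse_line(line):
    """Return (options, key_type, blob, comment), or None for blank/comment lines."""
    tokens = tokenize(line.strip())
    if not tokens or tokens[0].startswith("#"):
        return None
    options = []
    if not is_key_type(tokens[0]):          # an options field precedes the key type
        options = split_options(tokens[0])
        tokens = tokens[1:]
    if len(tokens) < 2 or not is_key_type(tokens[0]):
        raise ValueError("unparseable authorized_keys line: %r" % line)
    return options, tokens[0], tokens[1], " ".join(tokens[2:])


def audit(text):
    """Return (line_no, key_type, comment, missing) for every key that lacks a
    from= source restriction and/or a command= forced command."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, key_type, _blob, comment = parsed
        names = {opt.split("=", 1)[0] for opt in options}
        missing = [name for name in ("from", "command") if name not in names]
        if missing:
            findings.append((line_no, key_type, comment, missing))
    return findings


def report(text):
    """Human-readable summary, one line per finding."""
    return [
        "line %d: %s (%s) has no %s restriction" % (n, t, c or "no comment", "/".join(m))
        for n, t, c, m in audit(text)
    ]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Running it against the constructed sample flags the shared-VPS key (no `from=`, no `command=`) and Patrick's laptop key (source-restricted but still an unrestricted shell), while the deploy key with both options passes. In practice you would feed it the real `~/.ssh/authorized_keys` of every server a shared development box could reach.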