nwtrades
Bitcoin Security Standards Audit [BSSA]
March 05, 2014, 02:33:54 AM, #1 (last edit: March 05, 2014, 02:47:54 AM by nwtrades)

Due to the news of rampant thefts at Bitcoin exchanges this past week (Mt. Gox, Poloniex, Flexcoin) it is becoming apparent that there's a dire need for some security standards in the Bitcoin community to ensure compliance and build client trust. The media is jumping over every hack story that comes out and shouting that it's insecure. You can't blame people for thinking this way, because at this point it's a legitimate fear.



There is no question that we need a standard process for third party security experts to be able to review exchange processes and software from top to bottom. If you know of some sort of external security company that already does this, feel free to post.



Perhaps exchanges could be verified on a certain level of compliance and receive a letter or badge to post on their website for proof of audit. Maybe someone like Andreas Antonopoulos would be interested to open this discussion further.



Items to address in audit:



- Source code, deployment and version control procedures

- Bitcoin software and protocol implementation

- Server platform (software versions, port scanning, server logging, brute force protections, DDoS protection, backups, redundancy, etc)

- Emergency shutdown and startup procedures

- Physical security (security cameras, electronic facility monitoring, alarm systems, swipe-cards, etc)

- Use of AML / KYC procedures and encrypted offsite storage of client documents

- Offsite cold storage (multiple locations) and use of keys, with logs of all activity

- Onsite hot wallet and use of keys

- Minimum of email verification or 2-Factor Authentication mandatory for withdrawals on all client accounts

- Options for clients to set a withdrawal limit on their account (similar to a bank)

- Alerts available for unusual activity on client accounts, with additional verification option (email or phone call) in case of sudden large withdrawals

- Staff background checks

- Staff fraud prevention training

- On-site restrictions for staff electronics and storage devices

- Restricted access areas for developers and system-critical staff

- Procedures for reporting illegal or suspicious activity to law enforcement



I will add to this as more feedback comes in. PLEASE contribute! This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!
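Three of the client-account items above (mandatory email verification or 2FA for withdrawals, a client-set withdrawal limit, and an alert with step-up verification on sudden large withdrawals) can be expressed as one server-side decision function. This is an added illustration, not code from the thread; the thresholds and the "3x the account's average past withdrawal" rule for "unusual" are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean

# Constructed policy values: the thread names the controls but sets no numbers.
LARGE_FACTOR = 3.0   # a withdrawal above 3x the average past withdrawal is "unusual"
MIN_HISTORY = 3      # need a few completed withdrawals before the average means anything


@dataclass
class Account:
    user: str
    email_verified: bool
    two_factor: bool
    withdrawal_limit: float                       # client-set cap per withdrawal; 0 = none set
    history: list = field(default_factory=list)   # amounts of past completed withdrawals
    log: list = field(default_factory=list)       # audit trail: (amount, decision, reason)


def _log(acct: Account, amount: float, decision: str, reason: str) -> str:
    # Every decision is recorded so an auditor can reconstruct what the platform did.
    acct.log.append((amount, decision, reason))
    return decision


def evaluate_withdrawal(acct: Account, amount: float) -> str:
    """Return 'deny', 'verify' (email or phone step-up required) or 'allow'."""
    # Control 1: withdrawals require at least email verification or 2FA on the account.
    if not (acct.email_verified or acct.two_factor):
        return _log(acct, amount, "deny", "no email verification or 2FA on account")
    # Control 2: the client-set withdrawal limit is enforced server side, never client side.
    if acct.withdrawal_limit and amount > acct.withdrawal_limit:
        return _log(acct, amount, "deny", f"exceeds client limit of {acct.withdrawal_limit}")
    # Control 3: a sudden large withdrawal relative to history raises an alert and
    # requires additional verification before it is processed.
    if len(acct.history) >= MIN_HISTORY and amount > LARGE_FACTOR * mean(acct.history):
        return _log(acct, amount, "verify", "unusual size versus account history")
    return _log(acct, amount, "allow", "within policy")
```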

Bob Derber
Re: Bitcoin Security Standards Audit [BSSA]
March 05, 2014, 02:41:22 AM, #2

+1

As long as this is a voluntary program, and combined with a recognition that the exchange can capitalize on for complying with the program so that it is also worth their while - I am up for this.
Petopas
Re: Bitcoin Security Standards Audit [BSSA]
March 05, 2014, 03:09:46 AM, #3

Very good idea. Isn't the Bitcoin Foundation thought to do something like this? At least I thought they might be interested in doing such things, but somehow one of the biggest failures was a gold member of them...

Some addition: the granted award must be valid only for a limited period, let's say 6 months.

nwtrades
Re: Bitcoin Security Standards Audit [BSSA]
March 05, 2014, 03:17:45 AM, #5

Quote from: Petopas on March 05, 2014, 03:09:46 AM
> Very good idea. Isn't the Bitcoin Foundation thought to do something like this? At least I thought they might be interested in doing such things, but somehow one of the biggest failures was a gold member of them...
>
> Some addition: the granted award must be valid only for a limited period, let's say 6 months.

The Bitcoin Foundation's focus is on the Bitcoin protocol itself, in terms of standardizing, protecting and promoting it. External exchanges have never been a highlighted priority to date. The general consensus to date has been "it's a free market", so the exchanges decide their own standards and ways of doing business. Unfortunately we've seen a very poor security track record as a result. Now it's blown up into a bigger issue than most people imagined it would be.

nwtrades
Re: Bitcoin Security Standards Audit [BSSA]
March 05, 2014, 03:24:43 AM, #6

Quote from: QuestionAuthority on March 05, 2014, 03:16:34 AM
> Sounds great, but can we use a real company instead of Ed's uncle Fred. How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Deloitte is a possibility of course for audits similar to traditional financial services companies, but then the issue arises around their expertise regarding the Bitcoin protocol, software and security practices, which they would have no clue how to handle. There may need to be a hybrid approach, or perhaps an entirely new compliance organization started with Bitcoin developers and security experts. As an example of such an individual, Andreas Antonopoulos recently did security checks for companies like Coinbase and Mt. Gox.

acoindr
Re: Bitcoin Security Standards Audit [BSSA]
March 05, 2014, 03:53:24 AM, #8

Then what happens when coins are lost from one of these stamp-approved companies? The problem with theft or loss is it only takes one mistake or hole. Nothing is 100% secure. The better approach is to teach people to be responsible for their own coins, and create enabling technology for them to do it. Additionally, companies can and probably will begin to have insurance/recoup options. These things are on the way naturally, but as I explain here, they take time. In the meantime, we need to do a better job educating people on how to protect their coins.

opet
Re: Bitcoin Security Standards Audit [BSSA]
March 05, 2014, 06:21:45 AM, #11

Quote from: nwtrades on March 05, 2014, 03:24:43 AM
> There may need to be a hybrid approach, or perhaps an entirely new compliance organization started with Bitcoin developers and security experts. As an example of such an individual, Andreas Antonopoulos recently did security checks for companies like Coinbase and Mt. Gox.

I tweeted Andreas the other day with a similar idea following his audit of Coinbase. Unfortunately, he never responded (I definitely respect that he's a busy guy, so I won't hold that against him... lol).

My idea is to solicit the community for experts to step forward, be vetted by the community itself, and then get selected at random to participate in such audits. I haven't fleshed out the entire concept, but it seems to me that this type of voluntary self-regulation would be a perfect fit for the bitcoin ecosystem.

I'd gladly throw my hat (and my resume) into the ring if this idea gains reaction.

gweedo
Re: Bitcoin Security Standards Audit [BSSA]
March 05, 2014, 06:37:45 AM, #15

Quote from: amspir on March 05, 2014, 06:30:20 AM
> Quote from: gweedo on March 05, 2014, 05:36:31 AM
> > Quote from: nwtrades on March 05, 2014, 02:33:54 AM
> > > - Staff background checks
> >
> > This is scary that people even want this, because background checks give up no information. They are useless; if they were useful then murders would be down.
>
> In a theoretical scenario, if the lead programmer had hacking charges, the company's compliance officer had identity theft charges, and the CFO had financial fraud charges, and the company never performed background checks to find this out before the hires, you would be completely OK with it? I personally think it would be grounds to sue for gross negligence.

You do know a lot of companies hire hackers who have been charged or found guilty in a court of law to head up security for the company. So where you are quick to judge, they are actually helping you stay safe. I also know of two bitcoin companies that have people with charges (not hacking) against them and you probably use them in some way. So I would be completely ok with it.

amspir
Re: Bitcoin Security Standards Audit [BSSA]
March 05, 2014, 07:41:58 AM, #17

Quote from: gweedo on March 05, 2014, 06:37:45 AM
> You do know a lot of companies hire hackers who have been charged or found guilty in a court of law to head up security for the company. So where you are quick to judge, they are actually helping you stay safe.

For a security consultant brought in to test a system for weakness, sure. As the person supervising other programmers and writing code with no one looking over his shoulder, who at one time crossed the line and invaded the computer systems of a company that he had no permission to invade, HELL NO. The same reason police departments shouldn't hire murderers, rapists and robbers. Usually such people will work with the police as paid informants, not police officers.

Karpeles was demonstrably a scam artist when he maliciously cheated a French business out of 15,000 EUR and fled the country. This should have been discovered and publicized before MtGox got as big as it got, so only idiots would put money into that scam.

Quote
> I also know of two bitcoin companies that have people with charges (not hacking) against them and you probably use them in some way. So I would be completely ok with it.

If you are implying that these people have drug charges, then the problem is that they would have relationships with criminals in the drugs and money laundering business. At this point in bitcoin's history, with the authorities casting an evil eye towards bitcoin, such employees would be a liability -- a federal prosecutor could find a way to connect the company with criminal activity, seizing and raiding it, thus killing it. i.e. Shrem. You have to be a big bank like HSBC to actually get away with it.

securityguy
Re: Bitcoin Security Standards Audit [BSSA]
March 05, 2014, 08:41:21 AM, #18

In the credit card world there is PCI DSS. However, even companies which are compliant with this standard get hacked from time to time, and news of the thousands of credit cards stolen hits the media.





maaku
Re: Bitcoin Security Standards Audit [BSSA]
March 05, 2014, 08:52:30 AM, #19

No, no, and please no. This is not what bitcoin needs. We need trustless exchanges which don't have to be audited because there is no capability to lose client funds.

I laughed and then made a depressing sigh when I heard about Andreas Antonopoulos' "audit" of CoinBase. He basically said "I approve of sticking your money with these folks" -- but you shouldn't have to trust *anybody* with your money. That's the whole point of bitcoin! We have the technology to build trustless exchanges, we just need to focus the resources to do it:

http://www.reddit.com/r/Bitcoin/comments/1zgbza/i_am_building_a_free_and_fair_trustless_exchange/