Bitcoin Security Standards Audit [BSSA] - page 2.

maaku

legendary

Activity: 905

Merit: 1012

Quote from: securityguy on March 05, 2014, 06:39:59 PM

Quote from: Armis on March 05, 2014, 06:03:05 PM

request a certified return -- essentially a sword statement as to the truth of the facts

You still have to "trust" the person who made the sworn statement. Do you trust an entity setup whose purpose is to defraud you by making false sworn statements?

You can't have a system interact with fiat without some degree of trust. That's just the nature of the game. You can, however, reduce the necessary trust down to something very basic, e.g. a sworn statement from a prestigious bank that has much more to lose from lying. If that doesn't satsify you, it should more than do to satisfy Lloyd's of London or some other insurance company which will happily insure those deposits against a bank theft.

Armis

hero member

Activity: 588

Merit: 501

Quote from: securityguy on March 05, 2014, 06:39:59 PM

Quote from: Armis on March 05, 2014, 06:03:05 PM

request a certified return -- essentially a sword statement as to the truth of the facts

You still have to "trust" the person who made the sworn statement. Do you trust an entity setup whose purpose is to defraud you by making false sworn statements?

are you looking for a business situation in which you won't have to exercise any degree of trust?

corebob

full member

Activity: 238

Merit: 100

Quote from: QuestionAuthority on March 04, 2014, 10:16:34 PM

Sounds great but can we use a real company instead of Ed's uncle Fred.

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

This is the opposite of what we need. When it comes to security and crypto, several independent peer reviews is the only trustworthy source.
I demand the same principle as open source projects inherently has, a thousand eyeballs is always better than two.

Kenshin

sr. member

Activity: 280

Merit: 250

Quote from: QuestionAuthority on March 04, 2014, 10:16:34 PM

Sounds great but can we use a real company instead of Ed's uncle Fred.

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

All the Big 4 audit firms doesn't audit properly. This includes PWC, E&Y, Deloitte and KPMG.

securityguy

newbie

Activity: 35

Merit: 0

Quote from: Armis on March 05, 2014, 06:03:05 PM

request a certified return -- essentially a sword statement as to the truth of the facts

You still have to "trust" the person who made the sworn statement. Do you trust an entity setup whose purpose is to defraud you by making false sworn statements?

Armis

hero member

Activity: 588

Merit: 501

Quote from: securityguy on March 05, 2014, 04:23:12 PM

Quote from: maaku on March 05, 2014, 03:58:20 PM

You don't need host security if there is nothing to be kept secure - no client funds on the server, no personal data. With a fully trustless exchange you don't trust the server with *anything*, so why care at all of it is secure?

systems security and host security are also different as it covers business systems and processes and not just a server. In yout reddit post you say the following about a gateway;

As shown by gmaxwell/nullc, you can do zero knowledge proofs of summation of user balances to get clear knowledge about their liabilities, and they can publish bank statements to show that they have enough assets to cover a bank run.

How do you determine if a gateways published bank statements are legitimate or forged?

request a certified return -- essentially a sword statement as to the truth of the facts

IrishFutbol

member

Activity: 70

Merit: 10

Quote from: QuestionAuthority on March 04, 2014, 10:16:34 PM

Sounds great but can we use a real company instead of Ed's uncle Fred.

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Probably wouldn't work.

1. It would be more than a couple hundred thousand. Deloitte would want a fee for the audit, and then they would demand that the company hire a ton of staff and create a compliance department to ensure these controls were maintained throughout the year. Additionally, a company would have to hire additional staff to handle all of the annual documentation around the controls (Deloitte won't just want to see that a company has controls, Deloitte will want to see evidence for every transaction that the control is being followed).

2. If it's not industry wide, people will flock to the unaudited exchanges. Unaudited exchanges, or exchanges audited by non-reputable firms like the guy who audited Madoff, will be able to charge lower transaction fees than any exchange audited by a major auditor. People currently have no issue throwing cash into unaudited exchanges, so what makes you think people would suddenly pay more to go into an audited exchange?

securityguy

newbie

Activity: 35

Merit: 0

Quote from: maaku on March 05, 2014, 04:40:24 PM

Ask the bank.

Due to privacy laws in countries if a 3rd party asks a bank about someones account they will tell you they can't disclose such information. Even if you could ask the bank you have to "trust" the bank is telling you the truth.

maaku

legendary

Activity: 905

Merit: 1012

Ask the bank.

gweedo

legendary

Activity: 1498

Merit: 1000

Quote from: Armis on March 05, 2014, 03:05:33 PM

Great work, I applaud it, the initiative shows a genuine concern for the fundamentals of the system.

I will add that to: https://bitcointalk.org/index.php?topic=492776.0;topicseen

More newbies that have no clue about free markets but yeah...

securityguy

newbie

Activity: 35

Merit: 0

Quote from: maaku on March 05, 2014, 03:58:20 PM

You don't need host security if there is nothing to be kept secure - no client funds on the server, no personal data. With a fully trustless exchange you don't trust the server with *anything*, so why care at all of it is secure?

systems security and host security are also different as it covers business systems and processes and not just a server. In yout reddit post you say the following about a gateway;

As shown by gmaxwell/nullc, you can do zero knowledge proofs of summation of user balances to get clear knowledge about their liabilities, and they can publish bank statements to show that they have enough assets to cover a bank run.

How do you determine if a gateways published bank statements are legitimate or forged?

gweedo

legendary

Activity: 1498

Merit: 1000

Quote from: spazzdla on March 05, 2014, 02:19:03 PM

Good idea IMO, any company that complies with the rules can advertise as meeting the BSSA standards. IMO there should be no requirement to have it, people will just know if you are BSSA compliant your security is way more legit than an exhange that is not.

Did you read this thread, or just OP? So you rather have a group of people telling you something is safe, then cryptographic functions? Come on you people can't be serious. This is one reason bitcoin shouldn't be mainstream we get idiots like this newbie here, saying he wants a babysitter group well guess what, card credits have it and it is a broken system so go use them.

maaku

legendary

Activity: 905

Merit: 1012

Quote from: securityguy on March 05, 2014, 03:53:42 PM

The difference is your talking about auditing solvency which is a good thing, but this forum thread is about auditing systems security which is another matter altogether.

You don't need host security if there is nothing to be kept secure - no client funds on the server, no personal data. With a fully trustless exchange you don't trust the server with *anything*, so why care at all of it is secure?

spazzdla

legendary

Activity: 1722

Merit: 1000

Quote from: gweedo on March 05, 2014, 03:50:13 PM

Quote from: spazzdla on March 05, 2014, 03:47:28 PM

It has to be adopted by the main stream if there is any hope of leaving the central banking system.

So they leave the central banking to a central authority telling them it is safe. This is the same thing, they will not leave at all cause it offers the same exact thing as a central banking system.

The BSSA should simply imply the exhange isn't a POS that a 5th grader could hack. Just like my CET designation, all it says is I passed an ethics test and the odds are higher I won't do something dirty. That's it.

securityguy

newbie

Activity: 35

Merit: 0

Quote from: maaku on March 05, 2014, 04:24:43 AM

There's a substantial difference between some fallible humans giving a "trust us, it's secure!" stamp of approval (what the OP is asking for), and a cryptographic receipt that can be automatically checked by your client to provide up-to-the-minute assurances of solvency (what I'm talking about in the reddit thread).

The difference is your talking about auditing solvency which is a good thing, but this forum thread is about auditing systems security which is another matter altogether.

gweedo

legendary

Activity: 1498

Merit: 1000

Quote from: franky1 on March 05, 2014, 04:36:25 AM

once you rip away all the FUD speculation that people think it is and then look at what the business model actually does

https://coinvalidation.com/

is what was talked about last year. try to research them, dont start tin foil hatting the business from fud that the company blacklists users. they just deal with businesses and you will realise they do alot of things listed above.

Yeah ok you want to believe that them connecting identities with bitcoin addresses is just for business, I have a bridge to sell you. Just like Mike Hearn was saying how he was just "Giving an idea" these are the people that are out to ruin bitcoin. Yifu is a trader and Mike Hearn is a trader to this community. I have actually ripped bitcoinj out of every project I did with it and use bitcoin-OMG it took me a long time but shows how serious I am about this.

If you think that they are working with governments to be friendly and help them understand bitcoin you are wrong. It will be sad cause people will trust coinvalidation and think I need to register with it. It will be the largest honey pot in bitcoin, and if you think you register their without any issue you are wrong.

gweedo

legendary

Activity: 1498

Merit: 1000

Quote from: spazzdla on March 05, 2014, 03:47:28 PM

It has to be adopted by the main stream if there is any hope of leaving the central banking system.

So they leave the central banking to a central authority telling them it is safe. This is the same thing, they will not leave at all cause it offers the same exact thing as a central banking system.

spazzdla

legendary

Activity: 1722

Merit: 1000

Quote from: gweedo on March 05, 2014, 03:00:34 PM

Quote from: spazzdla on March 05, 2014, 02:19:03 PM

Good idea IMO, any company that complies with the rules can advertise as meeting the BSSA standards. IMO there should be no requirement to have it, people will just know if you are BSSA compliant your security is way more legit than an exhange that is not.

Did you read this thread, or just OP? So you rather have a group of people telling you something is safe, then cryptographic functions? Come on you people can't be serious. This is one reason bitcoin shouldn't be mainstream we get idiots like this newbie here, saying he wants a babysitter group well guess what, card credits have it and it is a broken system so go use them.

It has to be adopted by the main stream if there is any hope of leaving the central banking system.

With the amount of fly by night exhanges I still don't see why this is a bad idea... It should be shouted from the roof tops no exhange is ever safe ever.. However, why not have a very simple minimum standard exhanges can meet to say they are BSSA compliant. I was thinking the BSSA requirements are based on the resillance of the exhange to be hacked and that's it. I dunno something like a group of hackers that attempt to hack the exhange and if they can't it get's BSSA. Furthermore the BSSA could push the idea your coins are only safe if they are offline.

With the introduction of standards govs might not consider regulations.. although I doubt it lol.

teukon

legendary

Activity: 1246

Merit: 1011

Quote from: gweedo on March 05, 2014, 03:26:28 PM

More newbies that have no clue about free markets but yeah...

That's unfair. OP's proposition is relatively sympathetic to the notions of voluntary exchange.

They show signs of impatience and make several absolutist claims ("There is no question..." cracked me up) but they've done much better than most other "let's regulate Bitcoin" thread starters these days.

teukon

legendary

Activity: 1246

Merit: 1011

Quote from: spazzdla on March 05, 2014, 02:19:03 PM

Good idea IMO, any company that complies with the rules can advertise as meeting the BSSA standards. IMO there should be no requirement to have it, people will just know if you are BSSA compliant your security is way more legit than an exhange that is not.

One problem with this is that a company can advertise as meeting the BSSA standards by simply lying, or by bribing some random guy to pretend that he's audited them and done a good job of it.

Effective auditing in a free market hinges on the reputation of the auditor. This is one reason why I don't think a standard is at all appropriate.

Topic: Bitcoin Security Standards Audit [BSSA] - page 2. (Read 5214 times)