Topic: Bitcoin Security Standards Audit [BSSA] - page 3. (Read 5214 times)

From your reddit posting;

Users deposit bitcoins and other crypto assets by means of an audited gateway or pegging mechanism.

It seems your plan requires auditing too.

Due to the news of rampant thefts at Bitcoin exchanges this past week (Mt. Gox, Poloniex, Flexcoin) it is becoming apparent that there's a dire need for some security standards in the Bitcoin community to ensure compliance and build client trust.  The media is jumping over every hack story that comes out and shouting that it's insecure.  You can't blame people for thinking this way, because at this point it's a legitimate fear.

There is no question that we need a standard process for third party security experts to be able to review exchange processes and software from top to bottom.  If you know of some sort of external security company that already does this, feel free to post.

Perhaps exchanges could be verified on a certain level of compliance and receive a letter or badge to post on their website for proof of audit.  Maybe someone like Andreas Antonopoulos would be interested to open this discussion further.

Items to address in audit:

- Source code, deployment and version control procedures
- Bitcoin software and protocol implementation
- Server platform (software versions, port scanning, server logging, brute force protections, DDOS protection, backups, redundancy, etc)
- Emergency shutdown and startup procedures
- Physical security (security cameras, electronic facility monitoring, alarm systems, swipe-cards, etc)
- Use of AML / KYC procedures and encrypted offsite storage of client documents
- Offsite cold storage (multiple locations) and use of keys, with logs of all activity
- Onsite hot wallet and use of keys
- Minimum of email verification or 2-Factor Authentication mandatory for withdrawals on all client accounts
- Options for clients to set a withdrawal limit on their account (similar to a bank)
- Alerts available for unusual activity on client accounts, with additional verification option (email or phone call) in case of sudden large withdrawals
- Staff background checks
- Staff fraud prevention training
- On-site restrictions for staff electronics and storage devices
- Restricted access areas for developers and system-critical staff
- Procedures for reporting illegal or suspicious activity to law enforcement

I will add to this as more feedback comes in.  PLEASE contribute!  This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!

Due to the news of rampant thefts at Bitcoin exchanges this past week (Mt. Gox, Poloniex, Flexcoin) it is becoming apparent that there's a dire need for some security standards in the Bitcoin community to ensure compliance and build client trust.  The media is jumping over every hack story that comes out and shouting that it's insecure.  You can't blame people for thinking this way, because at this point it's a legitimate fear.

There is no question that we need a standard process for third party security experts to be able to review exchange processes and software from top to bottom.  If you know of some sort of external security company that already does this, feel free to post.

Perhaps exchanges could be verified on a certain level of compliance and receive a letter or badge to post on their website for proof of audit.  Maybe someone like Andreas Antonopoulos would be interested to open this discussion further.

Items to address in audit:

- Source code, deployment and version control procedures
- Bitcoin software and protocol implementation
- Server platform (software versions, port scanning, server logging, brute force protections, DDOS protection, backups, redundancy, etc)
- Emergency shutdown and startup procedures
- Physical security (security cameras, electronic facility monitoring, alarm systems, swipe-cards, etc)
- Use of AML / KYC procedures and encrypted offsite storage of client documents
- Offsite cold storage (multiple locations) and use of keys, with logs of all activity
- Onsite hot wallet and use of keys
- Minimum of email verification or 2-Factor Authentication mandatory for withdrawals on all client accounts
- Options for clients to set a withdrawal limit on their account (similar to a bank)
- Alerts available for unusual activity on client accounts, with additional verification option (email or phone call) in case of sudden large withdrawals
- Staff background checks
- Staff fraud prevention training
- On-site restrictions for staff electronics and storage devices
- Restricted access areas for developers and system-critical staff
- Procedures for reporting illegal or suspicious activity to law enforcement

I will add to this as more feedback comes in.  PLEASE contribute!  This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!

For a security consultant brought in to test a system for weakness, sure.  As the person supervising other programmers and writing code with no one looking over his shoulder, and that at one time crossed the line and invaded the computer systems of a company that he had no permission to invade, HELL NO.  The same reason police departments shouldn't hire murderers, rapists and robbers.  Usually such people will work with the police as paid informants, not police officers.

Karpeles was demonstrably a scam artist when he maliciously cheated a French business out of 15,000 EUR and fled the country.  This should have been discovered and publicized before MtGox got as big as it got, so only idiots would put money into that scam.

If you are implying that these people have drug charges, then the problem is that they would have relationships with criminals in the drugs and money laundering business.  At this point in bitcoin's history, with the authorities casting an evil eye towards bitcoin, such employees would be a liability -- a federal prosecutor could find a way to connect the company with criminal activity, seizing and raiding it, thus killing it.  i.e. Shrem.  You have to be a big bank like HCSB to actually get away with it.

From your reddit posting;

Users deposit bitcoins and other crypto assets by means of an audited gateway or pegging mechanism.

It seems your plan requires auditing too.

No, no, and please no. This is not what bitcoin needs. We need trustless exchanges which don't have to be audited because there is no capability to lose client funds.

I laughed and then made a depressing sigh when I heard about Andreas Antonopoulos' "audit" of CoinBase. He basically said "I approve of stucking your money with these folks" -- but you shouldn't have to trust *anybody* with your money. That's the whole point of bitcoin! We have the technology to build trustless exchanges, we just need to focus the resources to do it:

http://www.reddit.com/r/Bitcoin/comments/1zgbza/i_am_building_a_free_and_fair_trustless_exchange/

I agree with this, however I also like the concept of the original post. Everyone would still be able to start a company, but if their service is solvent and reliable and the can prove they would be rewarded with some official recognition. Just like the Bitcoin Foundation has members, some sort of team would set some requirements. If a website qualifies then let's say that they would receive a sticker.

This would help non advanced users avoid risky services and also promote solid ones over less reliable ones. In my opinion this can only make a market better.

There is no central authority.

We now see one of the major downsides of this. If the bitcoin fundation would create something similar to what OP suggests we propably wouldn't have to go through all those thefts.

You do know a lot of companies hire hackers who have been charged or found guilty in a court of law to head up security for the company. So where you are quick to judge, they are actually helping you stay safe.

I also know of two bitcoin companies that have people with charges (not hacking) against them and you probably use them in someway. So I would be completely ok with it.

No this is the beauty of bitcoin! This is why I am love with it cause no one has to give me permission to start a company. This is the free market, if you don't feel safe, don't use the service. Bad actors fade and good actors stay.

This why America is a country that power is fading away from fast, we are too quick to blame someone or have a babysitter, instead use your own commonsense.

In a theoretical scenario,  if the lead programmer had a hacking charges, the company's compliance officer had identity theft charges, and the CFO had financial fraud charges, and the company never performed background checks to find this out before the hires, you would be completely OK with it?  I personally think it would be grounds to sue on gross negligence.

This is scary that people even want this, because background checks give up no information. They are useless if they were useful then murders would be down.

- Staff background checks

There may need to be a hybrid approach, or perhaps an entirely new compliance organization started with Bitcoin developers and security experts.  As an example of such an individual, Andreas Antonopoulos recently did security checks for companies like Coinbase and Mt. Gox.