
Topic: Intersango HOWTO - Build your own Bitcoin Exchange Web Site! - page 2. (Read 44493 times)

legendary
Activity: 1204
Merit: 1000
฿itcoin: Currency of Resistance!
Guys!

 Please, read the new 8.5 step!!!

  8.5- Get the Bitcoin Address of your "default account" of your Intersango Exchange House:

 Genjix, please, upgrade the INSTALL.ubuntu file...

Best,
Thiago
hero member
Activity: 530
Merit: 500
Great stuff.

Learned one thing though.
If you want to start something up that has to do with money biz you need 4 more things than just the front-end and back-end.

1) A 24/7 lawyer
2) A lot of money
3) A couple of skilled programmers
4) An additional security expert.

THIS--^

You have to start somewhere. I had none of those in the beginning, slowly accumulated them and now we have that and more.

Thanks for your reply.
I get that part.
But what I maybe should have added to my statement is the fact that if you want to play safe you should arrange those four things before you start something up like a Bitcoin exchange.
You can do this along the way when it grows, like you did. But that's a little bit more risky on the side of getting hacked and losing all of your money.
On the other side it's not risky since you don't invest as much as you would do if you want to play it safe, which creates the possibility to stop the whole thing easier if you don't feel like running the exchange anymore.
legendary
Activity: 1232
Merit: 1076
Great stuff.

Learned one thing though.
If you want to start something up that has to do with money biz you need 4 more things than just the front-end and back-end.

1) A 24/7 lawyer
2) A lot of money
3) A couple of skilled programmers
4) An additional security expert.

THIS--^

You have to start somewhere. I had none of those in the beginning, slowly accumulated them and now we have that and more.
full member
Activity: 140
Merit: 100
Great stuff.

Learned one thing though.
If you want to start something up that has to do with money biz you need 4 more things than just the front-end and back-end.

1) A 24/7 lawyer
2) A lot of money
3) A couple of skilled programmers
4) An additional security expert.

THIS--^
legendary
Activity: 1204
Merit: 1000
฿itcoin: Currency of Resistance!
You might want to look into the "xm save" command, which freezes a VM and records its state to a file; that includes the contents of RAM. It would take some searching, but at least the encryption key for the disk and possibly the wallet.dat file itself would be visible in the resulting save file.

If you run "xm restore" quickly enough you may even be able to get the VM running again without being detected.

How could I be so innocent!? That's why I like to talk to several people... Sometimes we (at least I) get stuck on certain thoughts, thinking that we are right, but only one command and you (me) fall... I had completely forgotten about the "xm save" or "xe vm-checkpoint"... RAM Universe... blah blah blah... LOL!
full member
Activity: 152
Merit: 100
You might want to look into the "xm save" command, which freezes a VM and records its state to a file; that includes the contents of RAM. It would take some searching, but at least the encryption key for the disk and possibly the wallet.dat file itself would be visible in the resulting save file.

If you run "xm restore" quickly enough you may even be able to get the VM running again without being detected.
hero member
Activity: 530
Merit: 500
Great stuff.

Learned one thing though.
If you want to start something up that has to do with money biz you need 4 more things than just the front-end and back-end.

1) A 24/7 lawyer
2) A lot of money
3) A couple of skilled programmers
4) An additional security expert.
legendary
Activity: 1204
Merit: 1000
฿itcoin: Currency of Resistance!
Guys,

 Sometimes, talk isn't enough. So, I'll launch a challenge... To prove if I am right or not.

 I mean, to prove if Xen provides a safe environment, or not, for your Bitcoins being hosted within an encrypted virtual machine on top of it.

 The challenge prize will be 10 BTC (or 50 BTC). But you must get it on your own.


 Brief of My Challenge:

 Hack the Virtual Machine called "bitcoin" and get the BTCs for you!


 Scope:

 1- A Xen hypervisor on a physical server, called "xenserver";

 2- A Xen Virtual Machine on it, called "bitcoin", with an encrypted file system (only I will have the encrypted volume password) and no network access;

 3- The Bitcoin client will always be running within the "bitcoin" virtual machine, with 50 BTC on its balance;

 4- I'll give everybody full root access to the "xenserver";

 5- If somebody has the knowledge, he or she will be able to win the prize, sending those 50 BTC to himself or herself;

 6- The challenge will be valid for 10 days;

 7- If somebody shuts down the "bitcoin" virtual machine, challenge over (because you are "detected");

 8- If somebody shuts down the "xenserver", challenge over (because you are "detected");

 That's it!


 Of course, those 10 or 50 BTC, the wallet.dat itself, will be copied to my own safe place, in case somebody just deletes the "bitcoin" virtual machine to vandalize the challenge...

 But honestly, today I have only 2 BTC in my wallet... I pretty much just learned about the existence of Bitcoins; precisely on June 15, 2011 at 9AM, I met Bitcoin for the first time. So, this challenge will take longer to become active.

 Anybody want to fund it?! I'm sure no one will be able to win the prize... So, the 50 BTC will be back to the funder at the end of the challenge. But if I'm wrong, I must pay for it.

 What do you guys think?!

 I know this is out of the scope of "Intersango HOWTO" but, I have mentioned that Xen is safe enough for leaving your Bitcoins within a Virtual Machine hosted on top of it... Sorry for the "OFFTOPIC"...

 BTW, I do not want to do this alone in my house... I appreciate any help, tips, ideas, etc... To make this challenge visible to the public, for example...

Cheers!
Thiago
legendary
Activity: 1204
Merit: 1000
฿itcoin: Currency of Resistance!
Yes, hosting your wallet.dat within a Xen virtual machine is pretty safe, because the manager of the physical machine can't access your portion of RAM memory. That's because Xen provides security through isolation. Do not believe it if somebody says that virtual machines are unsafe; this affirmation can be true for vmware and for virtualbox, but not for Xen.

Say... what? That's a bit like claiming that since Linux provides isolation between processes, then you are safe from spying via the root account. Guess what, the root account can dump the memory of any process, and even if it lacked that ability it can write its own memory descriptors and dump the full contents of the physical RAM. Even if it lacked that ability too, simply doing a warm reset and booting off custom media without wiping the RAM has a 99.5% chance to reveal your private key. Let's not even bring RAM freezing into discussion.

Bottom line, the way you run a financial site is on hardware you own, control and store in a physically secure data center (The Bunker etc.). As some unfortunate Pole found out the hard way, a 10$ virtual server just doesn't cut the mustard.

When deploying a Xen system, one must be sure to secure the management domain (Domain-0) as much as possible. If the management domain is compromised, all other domains are also vulnerable. The following are a set of best practices for Domain-0:

Run the smallest number of necessary services: the less things that are present in the management partition, the better. Remember, a service running as root in the management domain has full access to all other domains on the system.
Use a firewall to restrict the traffic to the management domain: a firewall with default-reject rules will help prevent attacks on the management domain.
Do not allow users to access Domain-0: the Linux kernel has been known to have local-user root exploits. If you allow normal users to access Domain-0 (even as unprivileged users) you run the risk of a kernel exploit making all of your domains vulnerable.

I must admit, you are right and, I did not express myself right too.

My point with Xen, in comparison with VMware and VirtualBox or even KVM, is:

1- The Xen, when it boots the dom0, shrinks the physical RAM of the Domain0, so, the Linux called Domain0, only can see its own portion of RAM memory. He thinks that there is only a small amount of RAM (392MB in my case), even if my physical server has 8192MB of RAM;

2- The Linux Domain0 is unable to read the RAM memory of ANY other Virtual Machines from within itself. It is more or less like us trying to see a parallel Universe, from within our own Universe.

The only way for somebody who has domain 0 root access to access the virtual machine's contents is turning it off and mounting its root file system within the dom0.

And here, we have the "second level of security", I mean, the wallet.dat within the virtual machine will be hosted within an encrypted file system, so, even if somebody tries to mount this file system at dom0, well, it is encrypted, no way to mount it. Even running in a Live CD. You can not access it, even if you're from FBI.

Well, when a virtual machine is running, the dom0 can't read its RAM, because it is jailed within its own "RAM Universe". When a virtual machine is off, the disk is encrypted. BTW, the VM must be secured against network attacks, with no SSH open, etc...

So, how to access the data?!

The only way I see is, cracking the Xen itself, which is less than a microkernel, reboot the entire server with your modified Xen, and try to access the RAM memory of running virtual machines from Xen, not from Linux dom0. But honestly, who will do that without any major "system alarms"?! Or, without shutting down the VM too, leaving its encrypted file system unmounted...

I'm really sorry if I say something wrong, incomplete or confusing sometimes... I'm from Brazil and it is pretty hard for me to express myself in English...   \o/

Thanks!
Thiago
legendary
Activity: 1232
Merit: 1076
We discussed here, and our general idea would be to move our site's repo off that project on gitorious and open that repo on gitorious to be open to the community.

If everybody wants that.
legendary
Activity: 1372
Merit: 1008
1davout
Done! BTW, if you have a repo and tell me certain commits that may be useful then we can pull them into the master
Yup, https://github.com/davout/bitcoin-central.git
You can pull pretty much everything XD
sr. member
Activity: 504
Merit: 250
Yes, hosting your wallet.dat within a Xen virtual machine is pretty safe, because the manager of the physical machine can't access your portion of RAM memory. That's because Xen provides security through isolation. Do not believe it if somebody says that virtual machines are unsafe; this affirmation can be true for vmware and for virtualbox, but not for Xen.

Say... what? That's a bit like claiming that since Linux provides isolation between processes, then you are safe from spying via the root account. Guess what, the root account can dump the memory of any process, and even if it lacked that ability it can write its own memory descriptors and dump the full contents of the physical RAM. Even if it lacked that ability too, simply doing a warm reset and booting off custom media without wiping the RAM has a 99.5% chance to reveal your private key. Let's not even bring RAM freezing into discussion.

Bottom line, the way you run a financial site is on hardware you own, control and store in a physically secure data center (The Bunker etc.). As some unfortunate Pole found out the hard way, a 10$ virtual server just doesn't cut the mustard.

When deploying a Xen system, one must be sure to secure the management domain (Domain-0) as much as possible. If the management domain is compromised, all other domains are also vulnerable. The following are a set of best practices for Domain-0:

Run the smallest number of necessary services: the less things that are present in the management partition, the better. Remember, a service running as root in the management domain has full access to all other domains on the system.
Use a firewall to restrict the traffic to the management domain: a firewall with default-reject rules will help prevent attacks on the management domain.
Do not allow users to access Domain-0: the Linux kernel has been known to have local-user root exploits. If you allow normal users to access Domain-0 (even as unprivileged users) you run the risk of a kernel exploit making all of your domains vulnerable.

legendary
Activity: 1232
Merit: 1076
Done! BTW, if you have a repo and tell me certain commits that may be useful then we can pull them into the master
legendary
Activity: 1204
Merit: 1000
฿itcoin: Currency of Resistance!
WOW! MASSIVE INTERSANGO UPGRADE AT GITORIOUS!! AWESOME!!!

Guys!!

The step 10 is wrong!!

change:

Code:
chown 666 /var/tmp/error-reports.log

to:

Code:
chmod 666 /var/tmp/error-reports.log

Sorry.... \o/
legendary
Activity: 1232
Merit: 1076
Fellas!

 I forgot one thing, the bank statement parser...

 Until now, you must access your Internet Banking and export your bank statement to a CSV or TXT file, to import it into Intersango using some scripts under the intersango/cron directory.

 BTW, this is the only missing part for my own Intersango installation here in Brazil, I'm working on it!

 Maybe the Intersango guys can help us! We post here our bank statement as an example, and somebody adjusts the parser for us, I can pay in Bitcoins for this job...

Cheers!
Thiago

Generally the gbp branch is more up to date and newer... I keep trying to migrate things over but occasionally forget but phantom won't let me delete the master branch -_- since he says others should use it.

Anyway I copied over more bank stuff for you,

https://gitorious.org/intersango/intersango/commits/master

You should mainly be interested in import_csv_hsbc.py

It imports CSV files by accounting for overlap and duplicate entries.

phantom also wrote the parse_deposits.py which searches for anything that looks like the deposit reference on that line.

Hmmm, might be a good idea for v2 that the deposit reference starts with DPsk32jkjs to make finding it easier, and then a script that generically finds the amount somehow...
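
One way to do the overlap-aware import and the reference search described in the post above, as an added example that is not the project's import_csv_hsbc.py or parse_deposits.py. The column names, the "DP" plus eight characters reference format and the sample rows are assumptions made for illustration.

```python
import csv
import io
import re
from collections import Counter
from decimal import Decimal

# Assumed reference format: "DP" plus 8 lowercase alphanumerics.
DEPOSIT_REF = re.compile(r"\bDP[0-9a-z]{8}\b")

def parse_statement(text):
    """Rows of a CSV export with columns date, description, amount."""
    return [(r["date"], r["description"].strip(), Decimal(r["amount"]))
            for r in csv.DictReader(io.StringIO(text))]

def import_statement(ledger, text):
    """Add to ledger (Counter of row -> count) only rows it lacks.

    Exports overlap, so rows seen before are skipped; identical rows inside
    one export are separate payments, so counts are compared, not a set.
    """
    added = []
    for row, count in Counter(parse_statement(text)).items():
        surplus = count - ledger[row]
        if surplus > 0:
            ledger[row] += surplus
            added.extend([row] * surplus)
    return added

def deposits(rows):
    """(reference, amount) for credits carrying exactly one reference."""
    found = []
    for _date, description, amount in rows:
        refs = set(DEPOSIT_REF.findall(description))
        if amount > 0 and len(refs) == 1:
            found.append((refs.pop(), amount))
    return found

# Constructed sample exports; the second re-lists the first and adds two rows.
EXPORT_1 = """date,description,amount
2011-07-01,FASTER PAYMENT DPsk32jkjs,25.00
2011-07-01,FASTER PAYMENT DPsk32jkjs,25.00
2011-07-02,BANK CHARGE,-1.50
"""
EXPORT_2 = EXPORT_1 + """2011-07-03,TRANSFER REF DPab12cd34 THANKS,100.00
2011-07-03,NO REFERENCE GIVEN,40.00
"""

if __name__ == "__main__":
    ledger = Counter()
    print([deposits(import_statement(ledger, e)) for e in (EXPORT_1, EXPORT_2)])
```

Credits with no reference, or with more than one distinct reference, are left out of the result so they can be reviewed by hand instead of being credited automatically.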
legendary
Activity: 1232
Merit: 1076
It would be cool if we're not the only stewards but we have lots of groups collaborating, pushing and pulling from each other to build a repository of scripts up for dealing with all the different bank variants and so forth.
newbie
Activity: 30
Merit: 0
Excellent instructions.  Can't wait to try it out.

Thank you!
legendary
Activity: 2940
Merit: 1333
Typically, you:

1) 'clone repository' on the gitorious site
2) 'git clone git://gitorious.org/~yourname/intersango/yourname-intersango.git' in a terminal
3) make the branch in your local repository, work on it, commit your changes
4) 'git push' to send your local changes back to your gitorious clone
5) 'request merge' on the gitorious site, to ask the bitcoinconsultancy guys to merge your changes back to their repository

That's the way things generally go with git - you work in your own repository and send merge requests.

Your clone doesn't have to be on gitorious.  I find github.com works a lot faster for me and has an issues tracker.  You don't have to use a website to host your repository at all, but it's nice to have an offsite backup.
legendary
Activity: 1204
Merit: 1000
฿itcoin: Currency of Resistance!
AWESOME!!   Grin

 Do you know how I can make an Intersango branch at gitorious for my currency (BRL)?
 I already have my local branch called "brl" and it's working... And I have a Gitorious account too...

Thanks!
Thiago
hero member
Activity: 574
Merit: 513
I converted your howto as INSTALL.ubuntu in the repository. Feel free to update it in the repo as well if you would like.