we need a comprehensive guide for making SAFE bitcoin apps!! - page 2.

paulie_w

sr. member

Activity: 420

Merit: 250

Quote from: acoindr on July 13, 2012, 01:40:34 PM

Quote from: paulie_w on July 13, 2012, 01:34:59 PM

let's just say for the moment that whether it's basic security or 'bitcoin security' doesn't matter. we NEED to provide our community with great guides so that enthusiastic young people, even inexperienced, can read it and build according to standard.

and that means the rest of the community can say to them, hey, did you run through part X of our procedure? please publish your results.

i don't imagine something so advanced as a 'test suite' for all sites (impossible, i'm sure), but i do think we could at least start to imagine standards.

Okay, but RULE 1 of the guide is that you are only as secure as your weakest link.

Bitcoinica Hack #1 = probably an inside job at Linode

Bitcoinca Hack #2 = Patrick's email server was compromised, oops!

Bitcoinca Mt.Gox Hack = We didn't change a password Tihan re-used, sorry!

i think it's perfectly sensible to start such a guide with this kind of stuff, although i would drop the conspiratorial tone (even if it proves to be true).

How to make a secure bitcoin application.

CHAP 1: Why is security crucial when making bitcoin applications?
CHAP 1A: Security anecdotes from bitcoin's history (aka Stupid Mistakes)
CHAP 2: Basic server security
CHAP 3: Hot wallets vs Cold Wallets

etc

acoindr

legendary

Activity: 1050

Merit: 1002

Quote from: paulie_w on July 13, 2012, 01:34:59 PM

let's just say for the moment that whether it's basic security or 'bitcoin security' doesn't matter. we NEED to provide our community with great guides so that enthusiastic young people, even inexperienced, can read it and build according to standard.

and that means the rest of the community can say to them, hey, did you run through part X of our procedure? please publish your results.

i don't imagine something so advanced as a 'test suite' for all sites (impossible, i'm sure), but i do think we could at least start to imagine standards.

Okay, but RULE 1 of the guide is that you are only as secure as your weakest link.

Bitcoinica Hack #1 Linode = probably an inside job at Linode

Bitcoinca Hack #2 = Moved to Rackspace; Patrick's email server was compromised, oops!

Bitcoinca Mt.Gox Hack = We didn't change a password Tihan re-used, sorry!

Edit: I should change the word "hack" above because no hacking was even required. Thieves without computer knowledge could have executed all of the above thefts.

paulie_w

sr. member

Activity: 420

Merit: 250

Quote from: acoindr on July 13, 2012, 01:36:23 PM

Quote from: Timo Y on July 13, 2012, 01:32:38 PM

What would be nice is a preconfigured server optimized for bitcoin security and privacy.

How would that have helped this latest Mt.Gox password incompetence, or the earlier Linode (likely inside job) hack?

it's hard to know without a full audit.

look i know everyone is upset about this, but the solutions are simply more hand-holding, more documentation, and less stupidity (on part of both the developers AND the users).

acoindr

legendary

Activity: 1050

Merit: 1002

Quote from: Timo Y on July 13, 2012, 01:32:38 PM

What would be nice is a preconfigured server optimized for bitcoin security and privacy.

How would that have helped this latest Mt.Gox password incompetence, or the earlier Linode (likely inside job) hack?

paulie_w

sr. member

Activity: 420

Merit: 250

Quote from: acoindr on July 13, 2012, 12:52:03 PM

The truth is "bitcoin apps" are not the problem.

The problem is improper security handling. Take the Linode hack for example. Bitcoinica and several other bitcoin related sites had bitcoins stolen. There wasn't a specific "bug" that left these apps vulnerable. The Linode hack was probably an inside job by someone at Linode.

There was ONE poster with Linode however that said wasn't affected because he didn't store funds on a server controlled by someone else.

The problem here is not app security, it's lacking proper forethought.

Another example from this latest breach:

Quote from: genjix on July 13, 2012, 04:00:07 AM

While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged.

ALL passwords should have been changed. Even basic security 101 says change your password ever so often, even without any breach, ESPECIALLY if funds are related to it.

The problem is high value funds being left vulnerable by people who don't take adequate security care and forethought.

BitcoinArmory.com is an example of GREAT security forethought, and is probably the safest way to cold store bitcoins in existence.

let's just say for the moment that whether it's basic security or 'bitcoin security' doesn't matter. we NEED to provide our community with great guides so that enthusiastic young people, even inexperienced, can read it and build according to standard.

and that means the rest of the community can say to them, hey, did you run through part X of our procedure? please publish your results.

i don't imagine something so advanced as a 'test suite' for all sites (impossible, i'm sure), but i do think we could at least start to imagine standards.

Timo Y

legendary

Activity: 938

Merit: 1001

bitcoin - the aerogel of money

This isn't a bitcoin specific problem. Many books have been written on how to secure a web server. I'm not sure if a universal guide would be useful. Different architectures require different security measures.

What would be nice is a preconfigured server optimized for bitcoin security and privacy. Something like tails except designed for running a simple bitcoin web app.

The barriers to entry need to be lower. Developing bitcoin-accepting websites shouldn't be an exclusive privilege of security experts.

unclemantis

member

Activity: 98

Merit: 10

(:firstbits => "1mantis")

There definitively needs to be a Standard Operating Procedure or ISO that EVERY shop that handles Bitcoin can follow.

acoindr

legendary

Activity: 1050

Merit: 1002

The truth is "bitcoin apps" are not the problem.

The problem is improper security handling. Take the Linode hack for example. Bitcoinica and several other bitcoin related sites had bitcoins stolen. There wasn't a specific "bug" that left these apps vulnerable. The Linode hack was probably an inside job by someone at Linode.

There was ONE poster with Linode however that said wasn't affected because he didn't store funds on a server controlled by someone else.

The problem here is not app security, it's lacking proper forethought.

Another example from this latest breach:

Quote from: genjix on July 13, 2012, 04:00:07 AM

While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged.

ALL passwords should have been changed. Even basic security 101 says change your password ever so often, even without any breach, ESPECIALLY if funds are related to it.

The problem is high value funds being left vulnerable by people who don't take adequate security care and forethought.

BitcoinArmory.com is an example of GREAT security forethought, and is probably the safest way to cold store bitcoins in existence.

paulie_w

sr. member

Activity: 420

Merit: 250

Quote from: kiba on July 13, 2012, 11:07:00 AM

If you don't have a need to IMMEDIATELY do transactions with bitcoin:

Here how it would works:

1. Put all your bitcoin in a cold wallet and place it in a safe.
2. Open it once a day to process all the pending transactions.
3. Put the cold wallet back in the safe.

What it need:

1. Several USB drives.
2. Software to keep transactions request and query the blockchain and then write to USB drive.
3. Making sure you have enough public keys on hand.
4. At least one airgapped computer dedicated to processing the data in the USB drive.

Anybody who knows security, feel free to points out any flaw.

it's obvious that the most interesting bitcoin apps are probably always going to be those where "hot" exchanges are pretty important. what about that?

paulie_w

sr. member

Activity: 420

Merit: 250

Quote from: Coinabul on July 13, 2012, 11:02:14 AM

I think some actually accredited security professionals should produce said guide.

no, i think WE need to produce what we can of it, and then let security professionals audit that. otherwise it is never going to get done.

kiba

legendary

Activity: 980

Merit: 1020

If you don't have a need to IMMEDIATELY do transactions with bitcoin:

Here how it would works:

1. Put all your bitcoin in a cold wallet and place it in a safe.
2. Open it once a day to process all the pending transactions.
3. Put the cold wallet back in the safe.

What it need:

1. Several USB drives.
2. Software to keep transactions request and query the blockchain and then write to USB drive.
3. Making sure you have enough public keys on hand.
4. At least one airgapped computer dedicated to processing the data in the USB drive.

Anybody who knows security, feel free to points out any flaw.

Coinabul

hero member

Activity: 588

Merit: 500

Coinabul - Gold Unbarred

I think some actually accredited security professionals should produce said guide.

paulie_w

sr. member

Activity: 420

Merit: 250

both of these things would be hugely useful, right?

maybe they can be on the same wiki. ;-)

proudhon

legendary

Activity: 2198

Merit: 1311

Quote from: paulie_w on July 13, 2012, 10:42:28 AM

folks,

i think that it is time that we, at a minimum, start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.

who is competent enough to make one? maybe start to collaboratively put that together? it's really important that everyone's knowledge on the subject of security start being pooled and guided so that new people coming into the community with an enthusiasm for making great apps, don't end up like bitcoinica!

so how about it?

How about first we make a comprehension and simple to understand guid on how to secure your own bitcoins.

paulie_w

sr. member

Activity: 420

Merit: 250

folks,

i think that it is time that we, at a minimum, start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.

who is competent enough to make one? maybe start to collaboratively put that together? it's really important that everyone's knowledge on the subject of security start being pooled and guided so that new people coming into the community with an enthusiasm for making great apps, don't end up like bitcoinica!

so how about it?

Topic: we need a comprehensive guide for making SAFE bitcoin apps!! - page 2. (Read 2513 times)