
Topic: we need a comprehensive guide for making SAFE bitcoin apps!! - page 2. (Read 2502 times)

sr. member
Activity: 420
Merit: 250
let's just say for the moment that whether it's basic security or 'bitcoin security' doesn't matter. we NEED to provide our community with great guides so that enthusiastic young people, even inexperienced, can read it and build according to standard.

and that means the rest of the community can say to them, hey, did you run through part X of our procedure? please publish your results.

i don't imagine something so advanced as a 'test suite' for all sites (impossible, i'm sure), but i do think we could at least start to imagine standards.

Okay, but RULE 1 of the guide is that you are only as secure as your weakest link.

Bitcoinica Hack #1 = probably an inside job at Linode

Bitcoinica Hack #2 = Patrick's email server was compromised, oops!

Bitcoinica Mt.Gox Hack = We didn't change a password Tihan re-used, sorry!

i think it's perfectly sensible to start such a guide with this kind of stuff, although i would drop the conspiratorial tone (even if it proves to be true).

How to make a secure bitcoin application.

CHAP 1: Why is security crucial when making bitcoin applications?
CHAP 1A: Security anecdotes from bitcoin's history (aka Stupid Mistakes)
CHAP 2: Basic server security
CHAP 3: Hot wallets vs Cold Wallets

etc
legendary
Activity: 1050
Merit: 1002
let's just say for the moment that whether it's basic security or 'bitcoin security' doesn't matter. we NEED to provide our community with great guides so that enthusiastic young people, even inexperienced, can read it and build according to standard.

and that means the rest of the community can say to them, hey, did you run through part X of our procedure? please publish your results.

i don't imagine something so advanced as a 'test suite' for all sites (impossible, i'm sure), but i do think we could at least start to imagine standards.

Okay, but RULE 1 of the guide is that you are only as secure as your weakest link.

Bitcoinica Hack #1 Linode = probably an inside job at Linode

Bitcoinica Hack #2 = Moved to Rackspace; Patrick's email server was compromised, oops!

Bitcoinica Mt.Gox Hack = We didn't change a password Tihan re-used, sorry!

Edit: I should change the word "hack" above because no hacking was even required. Thieves without computer knowledge could have executed all of the above thefts.
sr. member
Activity: 420
Merit: 250
What would be nice is a preconfigured server optimized for bitcoin security and privacy. 

How would that have helped this latest Mt.Gox password incompetence, or the earlier Linode (likely inside job) hack?

it's hard to know without a full audit.

look i know everyone is upset about this, but the solutions are simply more hand-holding, more documentation, and less stupidity (on part of both the developers AND the users).
legendary
Activity: 1050
Merit: 1002
What would be nice is a preconfigured server optimized for bitcoin security and privacy. 

How would that have helped this latest Mt.Gox password incompetence, or the earlier Linode (likely inside job) hack?
sr. member
Activity: 420
Merit: 250
The truth is "bitcoin apps" are not the problem.

The problem is improper security handling. Take the Linode hack for example. Bitcoinica and several other bitcoin related sites had bitcoins stolen. There wasn't a specific "bug" that left these apps vulnerable. The Linode hack was probably an inside job by someone at Linode.

There was ONE poster with Linode however that said he wasn't affected because he didn't store funds on a server controlled by someone else.

The problem here is not app security, it's lacking proper forethought.

Another example from this latest breach:

While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged.

ALL passwords should have been changed. Even basic security 101 says change your password every so often, even without any breach, ESPECIALLY if funds are related to it.

The problem is high value funds being left vulnerable by people who don't take adequate security care and forethought.

BitcoinArmory.com is an example of GREAT security forethought, and is probably the safest way to cold store bitcoins in existence.

let's just say for the moment that whether it's basic security or 'bitcoin security' doesn't matter. we NEED to provide our community with great guides so that enthusiastic young people, even inexperienced, can read it and build according to standard.

and that means the rest of the community can say to them, hey, did you run through part X of our procedure? please publish your results.

i don't imagine something so advanced as a 'test suite' for all sites (impossible, i'm sure), but i do think we could at least start to imagine standards.
legendary
Activity: 938
Merit: 1001
bitcoin - the aerogel of money
This isn't a bitcoin specific problem.  Many books have been written on how to secure a web server.  I'm not sure if a universal guide would be useful.  Different architectures require different security measures. 

What would be nice is a preconfigured server optimized for bitcoin security and privacy.  Something like Tails except designed for running a simple bitcoin web app.

The barriers to entry need to be lower.  Developing bitcoin-accepting websites shouldn't be an exclusive privilege of security experts.
member
Activity: 98
Merit: 10
(:firstbits => "1mantis")
There definitively needs to be a Standard Operating Procedure or ISO that EVERY shop that handles Bitcoin can follow.
legendary
Activity: 1050
Merit: 1002
The truth is "bitcoin apps" are not the problem.

The problem is improper security handling. Take the Linode hack for example. Bitcoinica and several other bitcoin related sites had bitcoins stolen. There wasn't a specific "bug" that left these apps vulnerable. The Linode hack was probably an inside job by someone at Linode.

There was ONE poster with Linode however that said he wasn't affected because he didn't store funds on a server controlled by someone else.

The problem here is not app security, it's lacking proper forethought.

Another example from this latest breach:

While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged.

ALL passwords should have been changed. Even basic security 101 says change your password every so often, even without any breach, ESPECIALLY if funds are related to it.

The problem is high value funds being left vulnerable by people who don't take adequate security care and forethought.

BitcoinArmory.com is an example of GREAT security forethought, and is probably the safest way to cold store bitcoins in existence.
sr. member
Activity: 420
Merit: 250
If you don't have a need to IMMEDIATELY do transactions with bitcoin:

Here's how it would work:

1. Put all your bitcoin in a cold wallet and place it in a safe.
2. Open it once a day to process all the pending transactions.
3. Put the cold wallet back in the safe.

What it needs:

1. Several USB drives.
2. Software to keep transaction requests and query the blockchain and then write to USB drive.
3. Making sure you have enough public keys on hand.
4. At least one airgapped computer dedicated to processing the data in the USB drive.

Anybody who knows security, feel free to point out any flaw.

it's obvious that the most interesting bitcoin apps are probably always going to be those where "hot" exchanges are pretty important. what about that?
sr. member
Activity: 420
Merit: 250
I think some actually accredited security professionals should produce said guide.

no, i think WE need to produce what we can of it, and then let security professionals audit that. otherwise it is never going to get done.
legendary
Activity: 980
Merit: 1014
If you don't have a need to IMMEDIATELY do transactions with bitcoin:

Here's how it would work:

1. Put all your bitcoin in a cold wallet and place it in a safe.
2. Open it once a day to process all the pending transactions.
3. Put the cold wallet back in the safe.

What it needs:

1. Several USB drives.
2. Software to keep transaction requests and query the blockchain and then write to USB drive.
3. Making sure you have enough public keys on hand.
4. At least one airgapped computer dedicated to processing the data in the USB drive.

Anybody who knows security, feel free to point out any flaw.
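
One check the air-gapped machine in the procedure above would need before signing anything read from the USB drive, since that drive carries data from the online server. This is an added example, not code from any post in this thread; the JSON batch format, the field names (`id`, `address`, `satoshi`) and the 50 BTC batch cap are assumptions.

```python
import hashlib
import json

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MAX_BATCH_SATOSHI = 50 * 100_000_000  # assumed cap per daily batch: 50 BTC

def valid_address(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return raw[-4:] == check

def validate_batch(text, already_processed):
    """Return (accepted, rejected) for a JSON batch read from the USB drive."""
    accepted, rejected, total = [], [], 0
    seen = set(already_processed)  # ids signed on earlier days, kept offline
    for item in json.loads(text):
        req = item if isinstance(item, dict) else {}
        rid, addr, amt = req.get("id"), req.get("address"), req.get("satoshi")
        if not isinstance(rid, str) or rid in seen:
            rejected.append((rid, "missing or replayed id"))
        elif not isinstance(addr, str) or not valid_address(addr):
            rejected.append((rid, "bad address checksum"))
        elif type(amt) is not int or amt <= 0:
            rejected.append((rid, "bad amount"))
        elif total + amt > MAX_BATCH_SATOSHI:
            rejected.append((rid, "batch cap exceeded"))
        else:
            seen.add(rid)
            total += amt
            accepted.append(req)
    return accepted, rejected

# Constructed sample batch; the address is the well-known genesis-block address.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SAMPLE_BATCH = json.dumps([
    {"id": "w-0101", "address": GENESIS, "satoshi": 150_000_000},
    {"id": "w-0102", "address": GENESIS[:-1] + "b", "satoshi": 100},
    {"id": "w-0007", "address": GENESIS, "satoshi": 100},
    {"id": "w-0103", "address": GENESIS, "satoshi": 49 * 100_000_000},
])
```

Rejected entries should be reviewed by a person rather than silently dropped: a replayed id or a batch that hits the cap is a sign the online side may be compromised.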
hero member
Activity: 588
Merit: 500
Coinabul - Gold Unbarred
I think some actually accredited security professionals should produce said guide.
sr. member
Activity: 420
Merit: 250
both of these things would be hugely useful, right?

maybe they can be on the same wiki. ;-)
legendary
Activity: 2198
Merit: 1311
folks,

i think that it is time that we, at a minimum, start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.

who is competent enough to make one? maybe start to collaboratively put that together? it's really important that everyone's knowledge on the subject of security start being pooled and guided so that new people coming into the community with an enthusiasm for making great apps, don't end up like bitcoinica!

so how about it?

How about first we make a comprehensive and simple-to-understand guide on how to secure your own bitcoins.
sr. member
Activity: 420
Merit: 250
folks,

i think that it is time that we, at a minimum, start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.

who is competent enough to make one? maybe start to collaboratively put that together? it's really important that everyone's knowledge on the subject of security start being pooled and guided so that new people coming into the community with an enthusiasm for making great apps, don't end up like bitcoinica!

so how about it?