Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: marcus_of_augustus on June 19, 2011, 11:00:49 PM



Title: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: marcus_of_augustus on June 19, 2011, 11:00:49 PM
In light of on-going exchange security issues (this goes back to the beginning for MTGOX if you read the archives) I'm going to start a bounty for development of a secure, private exchange for bitcoin. If someone else wants to have a go then lulzSec will be requested to white-hat attack it as the first test.

i)   exchange (multiple currencies incl. BTC)
ii)  secure, (impenetrable in reasonable time (20 years) to lulzSec)
iii) commercially private, (blinded transactions or similar divorcing account holders from BTC addresses)

I pledge 20 BTC.


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: bitplane on June 19, 2011, 11:08:55 PM
Why the fuck should LulzSec care about Bitcoin or anything else for that matter? They're in it for the lulz and would most likely applaud the guy who caused all this drama, they aren't white hats.


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: bitcoinaddict on June 19, 2011, 11:12:26 PM
How would this work?  I'll pledge 1BTC if I get to have the result and run the exchange and take all of the profit?


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: genjix on June 19, 2011, 11:14:23 PM
https://gitorious.org/intersango/

Used on Britcoin

We're working on v2.0 of it too:
http://bitcoinconsultancy.com/wiki/index.php/Intersango


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: interfect on June 19, 2011, 11:17:12 PM
Why the fuck should LulzSec care about Bitcoin or anything else for that matter? They're in it for the lulz and would most likely applaud the guy who caused all this drama, they aren't white hats.

They're sitting on (or at least were given) a somewhat sizable amount of donations in BTC. Assuming they haven't cashed it out for more easily traced dollars, they have some interest in keeping Bitcoin somewhat useful.


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: elggawf on June 19, 2011, 11:22:34 PM
they have some interest in keeping Bitcoin somewhat useful.

I really don't think they do. My money would be on that they're at least wealthy enough to be doing what they're doing, and the fact that people are giving them an anonymous e-cash reward for something they do out of the pure hilarity of it is almost certainly just icing on the cake.

Why do people take hackers like Anonymous, LulzSec, etc, and then turn them into some imaginary white knight?


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: marcus_of_augustus on June 19, 2011, 11:27:04 PM
they have some interest in keeping Bitcoin somewhat useful.

I really don't think they do. My money would be on that they're at least wealthy enough to be doing what they're doing, and the fact that people are giving them an anonymous e-cash reward for something they do out of the pure hilarity of it is almost certainly just icing on the cake.

Why do people take hackers like Anonymous, LulzSec, etc, and then turn them into some imaginary white knight?

Today's pirates will be tomorrow's queen's guards.


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: marcus_of_augustus on June 19, 2011, 11:55:16 PM
https://gitorious.org/intersango/

Used on Britcoin

We're working on v2.0 of it too:
http://bitcoinconsultancy.com/wiki/index.php/Intersango

Thanks genjix, hadn't seen this. It is the OS version of s/ware that Britcoin runs on I'm assuming?

Will it be incorporating any privacy layers by default for individuals information security?

E.g. like OT https://github.com/FellowTraveler/Open-Transactions or BlindBitcoinTransfers use https://blindbitcoin.com/technical.html


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: BeeCee1 on June 20, 2011, 12:34:38 AM
If someone else wants to have a go then lulzSec will be requested to white-hat attack it as the first test.

i) what makes you think they would accept your request
ii) If they do accept, what makes you think they wouldn't just say "nope, no problems" wait till people start using it then attack it, that would be lulzy


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: finack on June 20, 2011, 12:38:48 AM
You clearly have a very broken understanding of what lulzsec is. They are, in fact, pretty much the exact opposite of what you're looking for.


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: marcus_of_augustus on June 20, 2011, 12:42:51 AM
You clearly have a very broken understanding of what lulzsec is. They are, in fact, pretty much the exact opposite of what you're looking for.

Really? So put down zero bounty pledge from you then?

Everybody has their price.


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: finack on June 20, 2011, 01:02:32 AM
Everybody has their price.

Oh, I'm quite sure you could get them to take money from you. They'd probably even act like you were doing a smart thing. Taking cash that's openly offered to you for doing work when the only thing you're known for is screwing people over is pretty lulzy. Actually doing the work wouldn't be lulzy at all.

What you're actually interested in hiring is known as an app sec consultancy. There are many, almost any of them having the ability to find the simple SQLi's and CSRF that mt. gox fell to. As an added bonus, most of them won't currently be involved in committing federal felonies on a daily or weekly basis. Here's an example of such a firm that's well thought of: http://www.matasano.com/

The problem with hiring people who are actively robbing banks to design your vault is that you really have no excuse to give when they come back and rob you.


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: anthony_ on June 20, 2011, 01:16:13 AM
LulzSec is nothing more than a bunch of dumb teenagers using entry-level penetration testing tools.


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: onesalt on June 20, 2011, 01:26:44 AM
I put down a pledge of 100 bitcoins for a 50% stake in the company, the 100btc being payable 10 years after the exchange first starts up.


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: unk on June 20, 2011, 01:31:41 AM
https://gitorious.org/intersango/

Used on Britcoin

We're working on v2.0 of it too:
http://bitcoinconsultancy.com/wiki/index.php/Intersango

you decided to use unparameterized sql queries inline in the code?


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: stick_theman on June 20, 2011, 02:20:30 AM
I pledge 2 BTCs.


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: jatajuta on June 20, 2011, 02:26:12 AM
they have some interest in keeping Bitcoin somewhat useful.

I really don't think they do. My money would be on that they're at least wealthy enough to be doing what they're doing, and the fact that people are giving them an anonymous e-cash reward for something they do out of the pure hilarity of it is almost certainly just icing on the cake.

Why do people take hackers like Anonymous, LulzSec, etc, and then turn them into some imaginary white knight?

Today's pirates will be tomorrow's queen's guards.

Bitcoins will turn them into Robin Hood.  :D


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: Chick on June 20, 2011, 07:13:24 AM
Hey! This thread got featured on TechCrunch!


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: marcus_of_augustus on June 20, 2011, 07:32:44 AM
Hey! This thread got featured on TechCrunch!

Cool, might get more than a measly 22 btc in bounty pledges ... I guess no one really wants a secure exchange after all. :'(


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: true on June 20, 2011, 07:45:04 AM
LulzSec is nothing more than a bunch of dumb teenagers using entry-level penetration testing tools.

And the lulz grows.

lulz


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: M4v3R on June 20, 2011, 07:54:56 AM
Does BitMarket.eu (because it doesn't have money deposits) count? :)


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: Ian Maxwell on June 20, 2011, 07:56:13 AM
I'm interested in developing a secure exchange platform. Not so sure what you mean by private---is it just that there's no public record of deposits/withdrawals/trades?

I think the stored-password-hash system is ultimately not secure enough for something like this. What I'd like to build is a stored-public-key system something like that for the #bitcoin-otc web of trust. A client sending a command to the exchange server would timestamp it and sign it with his public key, and the server would verify the signature before carrying out the command. I see no theoretical barrier to implementing this in Javascript so that, to the user, it looks just like entering a password at any other site---but it sounds hard, and you'd have to figure out where to store the private key on the client's end. Building a standalone client application that calls GPG for the signing would be easier but probably less used.


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: marcus_of_augustus on June 20, 2011, 08:17:50 AM
Does BitMarket.eu (because it doesn't have money deposits) count? :)

Not sure ... are you suggesting we request lulzSec to run a 'test' on Bitmarket.eu?

What is BitMarket.eu's privacy and security policies on storing customer records, transaction records, etc?

If an attacker was to infiltrate and publish records would it lead to a compromised security situation or embarrassment of clients using it?


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: JTaBitCoinKing on June 20, 2011, 10:20:22 AM
Didn't Lulzsex just admit to being behind the attack at MTGox? I think they just admitted it on their twitter; Hacktivism for Silk Road no doubt, but they probably won't admit that.

I wonder if they really are messing with the FBI like they say they are? Or is that just social engineering?


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: fellowtraveler on June 20, 2011, 05:18:20 PM
I'm interested in developing a secure exchange platform. Not so sure what you mean by private---is it just that there's no public record of deposits/withdrawals/trades?

I think the stored-password-hash system is ultimately not secure enough for something like this. What I'd like to build is a stored-public-key system something like that for the #bitcoin-otc web of trust. A client sending a command to the exchange server would timestamp it and sign it with his public key, and the server would verify the signature before carrying out the command. I see no theoretical barrier to implementing this in Javascript so that, to the user, it looks just like entering a password at any other site---but it sounds hard, and you'd have to figure out where to store the private key on the client's end. Building a standalone client application that calls GPG for the signing would be easier but probably less used.

I recommend you start with my API:

https://github.com/FellowTraveler/Open-Transactions/wiki



Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: RodeoX on June 20, 2011, 05:23:41 PM
And when L/S says it's been tested and all threats have been addressed... You're going to put your money in? After they have had a chance to check it all out?  No thanks.


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: GeniuSxBoY on June 20, 2011, 05:24:42 PM
Sending btc/money to LuLz is LuLz.

That's like paying off the mafia not to attack your business.


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: M4v3R on June 21, 2011, 07:24:41 AM
Does BitMarket.eu (because it doesn't have money deposits) count? :)

Not sure ... are you suggesting we request lulzSec to run a 'test' on Bitmarket.eu?

What is BitMarket.eu's privacy and security policies on storing customer records, transaction records, etc?

If an attacker was to infiltrate and publish records would it lead to a compromised security situation or embarrassment of clients using it?

Compromising security always leads to embarrassment of the site that gets compromised.
We don't store any details on our members besides their logins, emails and hashed passwords. The database is only readable by one user, which has a very long and secure password. The database admin interface is not viewable from outside. We use a non-default SSH port. We make offsite backups of both our wallets and the db. I'm not sure what else you expect? We'll happily adapt to more security measures that we could not have thought of.


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: phantomcircuit on July 20, 2011, 01:19:11 AM
What you're asking for is basically impossible to do while simultaneously following anti money laundering and anti terrorism laws and eliminating counter party risk.


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: ctoon6 on July 20, 2011, 02:43:47 AM
Lulz Security® is not an entity you request, hackers are not people you want to associate yourself with.


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: TraderTimm on July 20, 2011, 04:13:07 AM
@bitcoin_bug

I've thought about how to implement this, but it all comes down to how you redeem bitcoins to < insert currency of choice > on the edges. Here's a sample idea that I was trying to work with:

http://farm6.static.flickr.com/5061/5898790520_fda447e331_b.jpg

However, as it says - there are plenty of things to be worked out. Storing trades via blockchain is all well and good, but it wouldn't be particularly fast. Not sure what the best implementation would be at this point.


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: ctoon6 on July 20, 2011, 04:47:39 AM
@bitcoin_bug

I've thought about how to implement this, but it all comes down to how you redeem bitcoins to < insert currency of choice > on the edges. Here's a sample idea that I was trying to work with:

http://farm6.static.flickr.com/5061/5898790520_fda447e331_b.jpg

However, as it says - there are plenty of things to be worked out. Storing trades via blockchain is all well and good, but it wouldn't be particularly fast. Not sure what the best implementation would be at this point.

How do you make sure that the people actually have the USD they are trading for BC?


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: TraderTimm on July 20, 2011, 05:37:22 AM

How do you make sure that the people actually have the USD they are trading for BC?

Exactly. The edges are where it falls apart. Not sure how to address this.


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: ctoon6 on July 20, 2011, 05:39:23 AM

Exactly. The edges are where it falls apart. Not sure how to address this.

The issue is addressed via centralization, or simply trading in person in your area, or via mail.

I just don't see your idea working.


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: imperi on July 20, 2011, 05:47:49 AM

How do you make sure that the people actually have the USD they are trading for BC?

Exactly. The edges are where it falls apart. Not sure how to address this.

You could have a decentralized 'reputation' for each address that's used for trading, maybe.


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: Oldminer on July 20, 2011, 05:57:02 AM
wow what a fucked up thread


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: wumpus on July 20, 2011, 06:09:13 AM
LulzSec is nothing more than a bunch of dumb teenagers using entry-level penetration testing tools.
That's simply not true. From what I understand it's basically a free-for-all, so there's bound to be a lot of dumb teenagers, but also smarter (and sometimes older) hacktivists. They all use the name "anonymous" (or lulzsec) so you'd never know. It's a pretty interesting strategy as it allows them to hide in the crowd.

Then again, a lot of "professional" penetration testers also simply fire up their exploit scanner and then charge you big $$$ per hour. So I don't see the problem in letting a hacker group do it for free :)


Title: Re: [BOUNTY 22 btc] lulzSec secure, private exchange
Post by: TraderTimm on July 20, 2011, 06:15:23 AM

Exactly. The edges are where it falls apart. Not sure how to address this.

The issue is addressed via centralization, or simply trading in person in your area, or via mail.

I just don't see your idea working.

Yeah, I know. The whole trading transaction thing is all well and good - but I don't know how to handle the edges where a level of trust is required.

Just threw it out there in case someone has a 'satoshi' and figures it out.


Title: Re: [BOUNTY] lulzSec secure, private exchange
Post by: ctoon6 on July 20, 2011, 06:53:35 AM
LulzSec is nothing more than a bunch of dumb teenagers using entry-level penetration testing tools.
That's simply not true. From what I understand it's basically a free-for-all, so there's bound to be a lot of dumb teenagers, but also smarter (and sometimes older) hacktivists. They all use the name "anonymous" (or lulzsec) so you'd never know. It's a pretty interesting strategy as it allows them to hide in the crowd.

Then again, a lot of "professional" penetration testers also simply fire up their exploit scanner and then charge you big $$$ per hour. So I don't see the problem in letting a hacker group do it for free :)


Lulz Security® is not part of Anonymous, just like WikiLeaks is not part of Anonymous. They are all separate entities, although they may have similar goals and ways of working. And anyone who thinks they are simply just some script kiddies would have to be wrong in a lot of cases; sure, a lot of script kiddie anons exist, but a lot of them are also very good, like the Sony hack(s) (http://hassonybeenhackedthisweek.com/history).