Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: nwtrades on March 05, 2014, 02:33:54 AM



Title: Bitcoin Security Standards Audit [BSSA]
Post by: nwtrades on March 05, 2014, 02:33:54 AM
Due to the news of rampant thefts at Bitcoin exchanges this past week (Mt. Gox, Poloniex, Flexcoin) it is becoming apparent that there's a dire need for some security standards in the Bitcoin community to ensure compliance and build client trust.  The media is jumping over every hack story that comes out and shouting that it's insecure.  You can't blame people for thinking this way, because at this point it's a legitimate fear.

There is no question that we need a standard process for third party security experts to be able to review exchange processes and software from top to bottom.  If you know of some sort of external security company that already does this, feel free to post.

Perhaps exchanges could be verified on a certain level of compliance and receive a letter or badge to post on their website for proof of audit.  Maybe someone like Andreas Antonopoulos would be interested to open this discussion further.

Items to address in audit:

- Source code, deployment and version control procedures
- Bitcoin software and protocol implementation
- Server platform (software versions, port scanning, server logging, brute force protections, DDOS protection, backups, redundancy, etc)
- Emergency shutdown and startup procedures
- Physical security (security cameras, electronic facility monitoring, alarm systems, swipe-cards, etc)
- Use of AML / KYC procedures and encrypted offsite storage of client documents
- Offsite cold storage (multiple locations) and use of keys, with logs of all activity
- Onsite hot wallet and use of keys
- Minimum of email verification or 2-Factor Authentication mandatory for withdrawals on all client accounts
- Options for clients to set a withdrawal limit on their account (similar to a bank)
- Alerts available for unusual activity on client accounts, with additional verification option (email or phone call) in case of sudden large withdrawals
- Staff background checks
- Staff fraud prevention training
- On-site restrictions for staff electronics and storage devices
- Restricted access areas for developers and system-critical staff
- Procedures for reporting illegal or suspicious activity to law enforcement

I will add to this as more feedback comes in.  PLEASE contribute!  This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!
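Three of the client-account items in the checklist above (a mandatory second factor on withdrawals, a client-set withdrawal limit, and an alert with extra verification on unusual activity) can be expressed as a single fail-closed decision. The following is an added example, not code from the original post or from any exchange; the account, its history, the thresholds and the address list are all constructed for illustration, and the anomaly rule (hold anything above five times the account's median past withdrawal, or to an address never used before) is an assumption chosen here, not a standard.

```python
"""Withdrawal authorisation check (added example, not code from the post or from any exchange).

Enforces, in one place: second factor verified for this request, a client-chosen
limit on a rolling 24-hour window, and an out-of-band hold for unusual activity.
Account data, thresholds and history are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from statistics import median


class Decision(Enum):
    APPROVE = "approve"   # release to the hot-wallet signer
    DENY = "deny"         # reject outright
    HOLD = "hold"         # park until email/phone confirmation succeeds


@dataclass
class Account:
    account_id: str
    limit_24h_btc: float                           # cap the client chose, enforced on a rolling window
    known_destinations: set = field(default_factory=set)
    history: list = field(default_factory=list)    # (timestamp, amount_btc) of released withdrawals


@dataclass
class Withdrawal:
    amount_btc: float
    destination: str
    requested_at: datetime
    second_factor_ok: bool   # True only after the TOTP/email code for *this* request was verified


def spent_in_window(account: Account, now: datetime, window=timedelta(hours=24)) -> float:
    """Sum of withdrawals released in the last `window` before `now`."""
    return sum(a for t, a in account.history if timedelta(0) <= now - t <= window)


def authorise(account: Account, w: Withdrawal, anomaly_factor: float = 5.0):
    """Return (Decision, reason). Every path that is not explicitly approved denies or holds."""
    if not w.second_factor_ok:
        return Decision.DENY, "second factor not verified for this request"
    if w.amount_btc <= 0:
        return Decision.DENY, "amount must be positive"
    # Rolling 24h window rather than a calendar day, so a thief holding a session
    # cannot drain the full limit twice by straddling midnight.
    if spent_in_window(account, w.requested_at) + w.amount_btc > account.limit_24h_btc:
        return Decision.DENY, "would exceed the 24h withdrawal limit"
    if w.destination not in account.known_destinations:
        return Decision.HOLD, "first withdrawal to this address; confirm out of band"
    past = [a for _, a in account.history]
    if past and w.amount_btc > anomaly_factor * median(past):
        return Decision.HOLD, "unusually large for this account; confirm out of band"
    return Decision.APPROVE, "ok"


def demo():
    """Constructed scenarios; returns the decision for each."""
    now = datetime(2014, 3, 5, 12, 0)
    acct = Account(
        "acct-1",
        limit_24h_btc=5.0,
        known_destinations={"1KnownAddr"},
        history=[
            (now - timedelta(hours=30), 0.5),   # outside the 24h window, still part of "typical"
            (now - timedelta(hours=2), 0.4),
            (now - timedelta(hours=1), 0.6),
        ],
    )
    cases = {
        "no_2fa":   Withdrawal(0.1, "1KnownAddr", now, second_factor_ok=False),
        "over_cap": Withdrawal(4.5, "1KnownAddr", now, second_factor_ok=True),  # 1.0 already spent
        "new_addr": Withdrawal(0.1, "1NewAddr", now, second_factor_ok=True),
        "spike":    Withdrawal(3.0, "1KnownAddr", now, second_factor_ok=True),  # > 5 x median 0.5
        "normal":   Withdrawal(0.5, "1KnownAddr", now, second_factor_ok=True),
    }
    return {name: authorise(acct, w)[0] for name, w in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:9s} -> {decision.value}")
```

The order of checks matters: the second factor is tested first so that a request with no verified factor never reaches the limit or anomaly logic, and the limit is a rolling window rather than a calendar day. A HOLD is not a denial; the operator still has to implement the email or phone confirmation that releases it.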


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Bob Derber on March 05, 2014, 02:41:22 AM
+1

As long as this is a voluntary program, and combined with a recognition that the exchange can capitalize on for complying with the program so that it is also worth their while - I am up for this.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Petopas on March 05, 2014, 03:09:46 AM
Very good idea. Isn't the Bitcoin Foundation thought to do something like this? At least I thought they might be interested in doing such things, but somehow one of the biggest failures was a gold member of them...

Some addition: the granted award must be valid only for a limited period, let's say 6 months.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: QuestionAuthority on March 05, 2014, 03:16:34 AM
Sounds great but can we use a real company instead of Ed's uncle Fred.

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm (http://www.deloitte.com/view/en_US/us/index.htm)


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: nwtrades on March 05, 2014, 03:17:45 AM
Very good idea. Isn't the Bitcoin Foundation thought to do something like this? At least I thought they might be interested in doing such things, but somehow one of the biggest failures was a gold member of them...

Some addition: the granted award must be valid only for a limited period, let's say 6 months.

The Bitcoin Foundation's focus is on the Bitcoin protocol itself, in terms of standardizing, protecting and promoting it.  External exchanges have never been a highlighted priority to date.  The general consensus to date has been "it's a free market" so the exchanges decide their own standards and ways of doing business.  Unfortunately we've seen a very poor security track record as a result.  Now it's blown up into a bigger issue than most people imagined it would be.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: nwtrades on March 05, 2014, 03:24:43 AM
Sounds great but can we use a real company instead of Ed's uncle Fred.

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm (http://www.deloitte.com/view/en_US/us/index.htm)

Deloitte is a possibility of course for audits similar to traditional financial services companies, but then the issue arises around their expertise regarding the Bitcoin protocol, software and security practices, which they would have no clue how to handle.  There may need to be a hybrid approach, or perhaps an entirely new compliance organization started with Bitcoin developers and security experts.  As an example of such an individual, Andreas Antonopoulos recently did security checks for companies like Coinbase and Mt. Gox.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: BittBurger on March 05, 2014, 03:36:35 AM
+1.   Great idea.

But will someone carry this through, and make it a network-wide thing?  Do you have the stamina and the resources to make it happen?

Possible suggestion:   Require insurance service of some sort.  Elliptic.  Lloyds of London is very forward thinking with Bitcoin.

-B-


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: acoindr on March 05, 2014, 03:53:24 AM
Then what happens when coins are lost from one of these stamp approved companies? The problem with theft or loss is it only takes one mistake or hole. Nothing is 100% secure.

The better approach is to teach people to be responsible for their own coins, and create enabling technology for them to do it. Additionally, companies can and probably will begin to have insurance/recoup options. These things are on the way naturally, but as I explain here (https://bitcointalk.org/index.php?topic=500972.msg5518265#msg5518265), they take time. In the meantime, we need to do a better job educating people on how to protect their coins.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: QuestionAuthority on March 05, 2014, 03:59:55 AM
Sounds great but can we use a real company instead of Ed's uncle Fred.

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm (http://www.deloitte.com/view/en_US/us/index.htm)

Deloitte is a possibility of course for audits similar to traditional financial services companies, but then the issue arises around their expertise regarding the Bitcoin protocol, software and security practices, which they would have no clue how to handle.  There may need to be a hybrid approach, or perhaps an entirely new compliance organization started with Bitcoin developers and security experts.  As an example of such an individual, Andreas Antonopoulos recently did security checks for companies like Coinbase and Mt. Gox.

You do realize Deloitte does management consulting and audits for businesses, governments and military facilities worldwide, right? I don't think the little Bitcoin software will confuse them much. LOL


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: amspir on March 05, 2014, 05:01:35 AM

I will add to this as more feedback comes in.  PLEASE contribute!  This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!


A prohibition on fractional banking.
Real-time or at least daily auditing of client BTC balances.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: opet on March 05, 2014, 06:21:45 AM
There may need to be a hybrid approach, or perhaps an entirely new compliance organization started with Bitcoin developers and security experts.  As an example of such an individual, Andreas Antonopoulos recently did security checks for companies like Coinbase and Mt. Gox.
I tweeted Andreas the other day with a similar idea following his audit of Coinbase.  Unfortunately, he never responded (I definitely respect that he's a busy guy, so I won't hold that against him... lol).

My idea is to solicit the community for experts to step forward, be vetted by the community itself, and then get selected at random to participate in such audits.  I haven't fleshed out the entire concept, but it seems to me that this type of voluntary self-regulation would be a perfect fit for the bitcoin ecosystem.

I'd gladly throw my hat (and my resume) into the ring if this idea gains reaction.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: amspir on March 05, 2014, 06:30:20 AM
- Staff background checks

This is scary that people even want this, because background checks give up no information. They are useless; if they were useful then murders would be down.

In a theoretical scenario, if the lead programmer had hacking charges, the company's compliance officer had identity theft charges, and the CFO had financial fraud charges, and the company never performed background checks to find this out before the hires, you would be completely OK with it?  I personally think it would be grounds to sue on gross negligence.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: forbun on March 05, 2014, 06:32:52 AM
We could create something like the UL (Underwriters Laboratories) (http://en.wikipedia.org/wiki/UL_(safety_organization)) of Bitcoin.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: alani123 on March 05, 2014, 06:37:39 AM
There is no central authority.

We now see one of the major downsides of this. If the Bitcoin Foundation would create something similar to what OP suggests we probably wouldn't have to go through all those thefts.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: gweedo on March 05, 2014, 06:37:45 AM
- Staff background checks

This is scary that people even want this, because background checks give up no information. They are useless; if they were useful then murders would be down.

In a theoretical scenario, if the lead programmer had hacking charges, the company's compliance officer had identity theft charges, and the CFO had financial fraud charges, and the company never performed background checks to find this out before the hires, you would be completely OK with it?  I personally think it would be grounds to sue on gross negligence.

You do know a lot of companies hire hackers who have been charged or found guilty in a court of law to head up security for the company. So where you are quick to judge, they are actually helping you stay safe. I also know of two bitcoin companies that have people with charges (not hacking) against them and you probably use them in someway. ;) So I would be completely ok with it.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: alani123 on March 05, 2014, 07:05:54 AM
There is no central authority.

We now see one of the major downsides of this. If the Bitcoin Foundation would create something similar to what OP suggests we probably wouldn't have to go through all those thefts.

No, this is the beauty of bitcoin! This is why I am in love with it, because no one has to give me permission to start a company. This is the free market: if you don't feel safe, don't use the service. Bad actors fade and good actors stay.

This is why America is a country that power is fading away from fast; we are too quick to blame someone or have a babysitter, instead of using our own common sense.

I agree with this, however I also like the concept of the original post. Everyone would still be able to start a company, but if their service is solvent and reliable and they can prove it, they would be rewarded with some official recognition. Just like the Bitcoin Foundation has members, some sort of team would set some requirements. If a website qualifies then let's say that they would receive a sticker.

This would help non-advanced users avoid risky services and also promote solid ones over less reliable ones. In my opinion this can only make a market better.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: amspir on March 05, 2014, 07:41:58 AM
You do know a lot of companies hire hackers who have been charged or found guilty in a court of law to head up security for the company. So where you are quick to judge, they are actually helping you stay safe.
For a security consultant brought in to test a system for weakness, sure.  As the person supervising other programmers and writing code with no one looking over his shoulder, and that at one time crossed the line and invaded the computer systems of a company that he had no permission to invade, HELL NO.  The same reason police departments shouldn't hire murderers, rapists and robbers.  Usually such people will work with the police as paid informants, not police officers.

Karpeles was demonstrably a scam artist when he maliciously cheated a French business out of 15,000 EUR and fled the country.  This should have been discovered and publicized before MtGox got as big as it got, so only idiots would put money into that scam.

I also know of two bitcoin companies that have people with charges (not hacking) against them and you probably use them in someway. ;) So I would be completely ok with it.

If you are implying that these people have drug charges, then the problem is that they would have relationships with criminals in the drugs and money laundering business.  At this point in bitcoin's history, with the authorities casting an evil eye towards bitcoin, such employees would be a liability -- a federal prosecutor could find a way to connect the company with criminal activity, seizing and raiding it, thus killing it.  i.e. Shrem.  You have to be a big bank like HSBC to actually get away with it.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: securityguy on March 05, 2014, 08:41:21 AM
In the credit card world there is PCI DSS.  However even companies which are compliant to this standard get hacked from time to time and news of this hits the media of the thousands of credit cards stolen.



Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: maaku on March 05, 2014, 08:52:30 AM
No, no, and please no. This is not what bitcoin needs. We need trustless exchanges which don't have to be audited because there is no capability to lose client funds.

I laughed and then made a depressing sigh when I heard about Andreas Antonopoulos' "audit" of CoinBase. He basically said "I approve of sticking your money with these folks" -- but you shouldn't have to trust *anybody* with your money. That's the whole point of bitcoin! We have the technology to build trustless exchanges, we just need to focus the resources to do it:

http://www.reddit.com/r/Bitcoin/comments/1zgbza/i_am_building_a_free_and_fair_trustless_exchange/


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: securityguy on March 05, 2014, 09:06:55 AM
No, no, and please no. This is not what bitcoin needs. We need trustless exchanges which don't have to be audited because there is no capability to lose client funds.

I laughed and then made a depressing sigh when I heard about Andreas Antonopoulos' "audit" of CoinBase. He basically said "I approve of sticking your money with these folks" -- but you shouldn't have to trust *anybody* with your money. That's the whole point of bitcoin! We have the technology to build trustless exchanges, we just need to focus the resources to do it:

http://www.reddit.com/r/Bitcoin/comments/1zgbza/i_am_building_a_free_and_fair_trustless_exchange/

From your reddit posting;

Users deposit bitcoins and other crypto assets by means of an audited gateway or pegging mechanism.

It seems your plan requires auditing too.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: maaku on March 05, 2014, 09:24:43 AM
From your reddit posting;

Users deposit bitcoins and other crypto assets by means of an audited gateway or pegging mechanism.

It seems your plan requires auditing too.

There's a substantial difference between some fallible humans giving a "trust us, it's secure!" stamp of approval (what the OP is asking for), and a cryptographic receipt that can be automatically checked by your client to provide up-to-the-minute assurances of solvency (what I'm talking about in the reddit thread).


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: franky1 on March 05, 2014, 09:36:25 AM
Due to the news of rampant thefts at Bitcoin exchanges this past week (Mt. Gox, Poloniex, Flexcoin) it is becoming apparent that there's a dire need for some security standards in the Bitcoin community to ensure compliance and build client trust.  The media is jumping over every hack story that comes out and shouting that it's insecure.  You can't blame people for thinking this way, because at this point it's a legitimate fear.

There is no question that we need a standard process for third party security experts to be able to review exchange processes and software from top to bottom.  If you know of some sort of external security company that already does this, feel free to post.

Perhaps exchanges could be verified on a certain level of compliance and receive a letter or badge to post on their website for proof of audit.  Maybe someone like Andreas Antonopoulos would be interested to open this discussion further.

Items to address in audit:

- Source code, deployment and version control procedures
- Bitcoin software and protocol implementation
- Server platform (software versions, port scanning, server logging, brute force protections, DDOS protection, backups, redundancy, etc)
- Emergency shutdown and startup procedures
- Physical security (security cameras, electronic facility monitoring, alarm systems, swipe-cards, etc)
- Use of AML / KYC procedures and encrypted offsite storage of client documents
- Offsite cold storage (multiple locations) and use of keys, with logs of all activity
- Onsite hot wallet and use of keys
- Minimum of email verification or 2-Factor Authentication mandatory for withdrawals on all client accounts
- Options for clients to set a withdrawal limit on their account (similar to a bank)
- Alerts available for unusual activity on client accounts, with additional verification option (email or phone call) in case of sudden large withdrawals
- Staff background checks
- Staff fraud prevention training
- On-site restrictions for staff electronics and storage devices
- Restricted access areas for developers and system-critical staff
- Procedures for reporting illegal or suspicious activity to law enforcement

I will add to this as more feedback comes in.  PLEASE contribute!  This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!

Once you rip away all the FUD speculation that people think it is and then look at what the business model actually does,

https://coinvalidation.com/

is what was talked about last year. Try to research them; don't start tin-foil-hatting the business from FUD that the company blacklists users. They just deal with businesses, and you will realise they do a lot of the things listed above.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: doug on March 05, 2014, 06:47:30 PM
From a social engineer's standpoint I can point out that some very large mining pools and exchange sites make for pretty easy targets.
I've contacted a few about it but never got a reply.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: spazzdla on March 05, 2014, 07:19:03 PM
Good idea IMO, any company that complies with the rules can advertise as meeting the BSSA standards.  IMO there should be no requirement to have it, people will just know if you are BSSA compliant your security is way more legit than an exchange that is not.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Armis on March 05, 2014, 08:05:33 PM
Due to the news of rampant thefts at Bitcoin exchanges this past week (Mt. Gox, Poloniex, Flexcoin) it is becoming apparent that there's a dire need for some security standards in the Bitcoin community to ensure compliance and build client trust.  The media is jumping over every hack story that comes out and shouting that it's insecure.  You can't blame people for thinking this way, because at this point it's a legitimate fear.

There is no question that we need a standard process for third party security experts to be able to review exchange processes and software from top to bottom.  If you know of some sort of external security company that already does this, feel free to post.

Perhaps exchanges could be verified on a certain level of compliance and receive a letter or badge to post on their website for proof of audit.  Maybe someone like Andreas Antonopoulos would be interested to open this discussion further.

Items to address in audit:

- Source code, deployment and version control procedures
- Bitcoin software and protocol implementation
- Server platform (software versions, port scanning, server logging, brute force protections, DDOS protection, backups, redundancy, etc)
- Emergency shutdown and startup procedures
- Physical security (security cameras, electronic facility monitoring, alarm systems, swipe-cards, etc)
- Use of AML / KYC procedures and encrypted offsite storage of client documents
- Offsite cold storage (multiple locations) and use of keys, with logs of all activity
- Onsite hot wallet and use of keys
- Minimum of email verification or 2-Factor Authentication mandatory for withdrawals on all client accounts
- Options for clients to set a withdrawal limit on their account (similar to a bank)
- Alerts available for unusual activity on client accounts, with additional verification option (email or phone call) in case of sudden large withdrawals
- Staff background checks
- Staff fraud prevention training
- On-site restrictions for staff electronics and storage devices
- Restricted access areas for developers and system-critical staff
- Procedures for reporting illegal or suspicious activity to law enforcement

I will add to this as more feedback comes in.  PLEASE contribute!  This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!


Great work, I applaud it, the initiative shows a genuine concern for the fundamentals of the system. 

I will add that to: https://bitcointalk.org/index.php?topic=492776.0;topicseen


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: teukon on March 05, 2014, 08:27:41 PM
Good idea IMO, any company that complies with the rules can advertise as meeting the BSSA standards.  IMO there should be no requirement to have it, people will just know if you are BSSA compliant your security is way more legit than an exchange that is not.

One problem with this is that a company can advertise as meeting the BSSA standards by simply lying, or by bribing some random guy to pretend that he's audited them and done a good job of it.

Effective auditing in a free market hinges on the reputation of the auditor.  This is one reason why I don't think a standard is at all appropriate.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: teukon on March 05, 2014, 08:40:42 PM
More newbies that have no clue about free markets but yeah...

That's unfair.  OP's proposition is relatively sympathetic to the notions of voluntary exchange.

They show signs of impatience and make several absolutist claims ("There is no question..." cracked me up) but they've done much better than most other "let's regulate Bitcoin" thread starters these days.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: spazzdla on March 05, 2014, 08:47:28 PM
Good idea IMO, any company that complies with the rules can advertise as meeting the BSSA standards.  IMO there should be no requirement to have it, people will just know if you are BSSA compliant your security is way more legit than an exchange that is not.

Did you read this thread, or just OP? So you would rather have a group of people telling you something is safe than cryptographic functions? Come on, you people can't be serious. This is one reason bitcoin shouldn't be mainstream: we get idiots like this newbie here, saying he wants a babysitter group. Well guess what, credit cards have it and it is a broken system, so go use them.

It has to be adopted by the mainstream if there is any hope of leaving the central banking system.

With the amount of fly-by-night exchanges I still don't see why this is a bad idea...  It should be shouted from the rooftops no exchange is ever safe, ever..  However, why not have a very simple minimum standard exchanges can meet to say they are BSSA compliant.  I was thinking the BSSA requirements are based on the resilience of the exchange to being hacked and that's it.  I dunno, something like a group of hackers that attempt to hack the exchange and if they can't it gets BSSA.  Furthermore the BSSA could push the idea your coins are only safe if they are offline.

With the introduction of standards govs might not consider regulations.. although I doubt it lol.



Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: gweedo on March 05, 2014, 08:50:13 PM
It has to be adopted by the mainstream if there is any hope of leaving the central banking system.

So they leave the central banking to a central authority telling them it is safe. This is the same thing; they will not leave at all because it offers the same exact thing as a central banking system.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: securityguy on March 05, 2014, 08:53:42 PM
There's a substantial difference between some fallible humans giving a "trust us, it's secure!" stamp of approval (what the OP is asking for), and a cryptographic receipt that can be automatically checked by your client to provide up-to-the-minute assurances of solvency (what I'm talking about in the reddit thread).

The difference is you're talking about auditing solvency, which is a good thing, but this forum thread is about auditing systems security, which is another matter altogether.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: spazzdla on March 05, 2014, 08:54:33 PM
It has to be adopted by the mainstream if there is any hope of leaving the central banking system.

So they leave the central banking to a central authority telling them it is safe. This is the same thing; they will not leave at all because it offers the same exact thing as a central banking system.

The BSSA should simply imply the exchange isn't a POS that a 5th grader could hack.  Just like my CET designation, all it says is I passed an ethics test and the odds are higher I won't do something dirty.  That's it.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: maaku on March 05, 2014, 08:58:20 PM
The difference is you're talking about auditing solvency, which is a good thing, but this forum thread is about auditing systems security, which is another matter altogether.

You don't need host security if there is nothing to be kept secure - no client funds on the server, no personal data. With a fully trustless exchange you don't trust the server with *anything*, so why care at all if it is secure?


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: securityguy on March 05, 2014, 09:23:12 PM
You don't need host security if there is nothing to be kept secure - no client funds on the server, no personal data. With a fully trustless exchange you don't trust the server with *anything*, so why care at all if it is secure?

Systems security and host security are also different, as it covers business systems and processes and not just a server.    In your reddit post you say the following about a gateway;

As shown by gmaxwell/nullc, you can do zero knowledge proofs of summation of user balances to get clear knowledge about their liabilities, and they can publish bank statements to show that they have enough assets to cover a bank run.

How do you determine if a gateway's published bank statements are legitimate or forged?
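The "cryptographic receipt that can be automatically checked by your client" in maaku's earlier reply, and the "proofs of summation of user balances" attributed to gmaxwell in the Reddit text quoted just above, both refer to the same construction: a Merkle sum tree in which every node carries the total of the balances beneath it, so a published root commits to the exchange's total liabilities and each customer receives a path with which their own software checks that their balance is counted in that total. The following is an added example that implements that idea; it is not code from maaku, the Reddit thread, or gmaxwell, and all users, balances and nonces are constructed for illustration. Note the caveat a practitioner would want: this scheme proves the liability side only (the asset side still needs on-chain reserves or, for fiat, the trusted bank statements the thread goes on to argue about), and it is not zero-knowledge in the strict sense, since a customer learns the sibling totals along their own path.

```python
"""Proof-of-liabilities check with a Merkle sum tree (added example, not the thread's code).

The exchange builds the tree over (user, balance, nonce) leaves and publishes
only the root. Each customer gets their leaf nonce plus the sibling path and
verifies, offline, that their balance is included in the published total.
Users, balances and nonces here are constructed for the example.
"""
import hashlib
import secrets
from dataclasses import dataclass


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class Node:
    total: int      # satoshis summed beneath this node
    digest: bytes


def leaf(user_id: str, balance: int, nonce: bytes) -> Node:
    # The per-user nonce stops other customers brute-forcing a user id from the leaf hash.
    return Node(balance, H(balance.to_bytes(8, "big"), nonce, user_id.encode()))


def parent(left: Node, right: Node) -> Node:
    # The total is hashed in, so a path that lies about a sibling's total will not
    # reproduce the published root.
    total = left.total + right.total
    return Node(total, H(total.to_bytes(8, "big"), left.digest, right.digest))


def build_tree(leaves):
    """Return the levels bottom-up; levels[-1][0] is the root the exchange publishes."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        row = levels[-1]
        if len(row) % 2 == 1:
            row.append(Node(0, H(b"padding")))   # deterministic, zero-balance padding leaf
        levels.append([parent(row[i], row[i + 1]) for i in range(0, len(row), 2)])
    return levels


def prove(levels, index: int):
    """Sibling (total, digest, sibling_is_left) for each level from the leaf to the root."""
    path = []
    for row in levels[:-1]:
        sib = index ^ 1
        path.append((row[sib].total, row[sib].digest, sib < index))
        index //= 2
    return path


def verify(user_id: str, balance: int, nonce: bytes, path, root: Node) -> bool:
    """Customer-side check: my balance is included and the totals add up to the root."""
    node = leaf(user_id, balance, nonce)
    for sib_total, sib_digest, sib_is_left in path:
        # A negative sibling total would let the operator cancel out real liabilities.
        if sib_total < 0:
            return False
        sib = Node(sib_total, sib_digest)
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node == root


def solvent(root: Node, reserves_satoshi: int) -> bool:
    """Asset side: provable reserves must cover the committed liabilities."""
    return reserves_satoshi >= root.total


def demo():
    users = {"alice": 150_000_000, "bob": 20_000_000, "carol": 75_000_000}   # constructed balances
    nonces = {u: secrets.token_bytes(16) for u in users}
    levels = build_tree([leaf(u, b, nonces[u]) for u, b in users.items()])
    root = levels[-1][0]
    proofs = {u: prove(levels, i) for i, u in enumerate(users)}
    everyone_ok = all(verify(u, users[u], nonces[u], proofs[u], root) for u in users)
    # An operator who quietly drops carol gets a different root; alice's proof no longer checks.
    shaved_root = build_tree([leaf(u, b, nonces[u]) for u, b in users.items() if u != "carol"])[-1][0]
    alice_vs_shaved = verify("alice", users["alice"], nonces["alice"], proofs["alice"], shaved_root)
    return root.total, everyone_ok, shaved_root.total, alice_vs_shaved


if __name__ == "__main__":
    total, ok, shaved_total, tampered = demo()
    print(f"liabilities={total} all_proofs_ok={ok} shaved={shaved_total} alice_vs_shaved={tampered}")
```

Each customer checks only their own path; the assurance that the total is honest comes from enough customers doing so that omitting or shrinking any balance would be noticed by its owner. The check on negative sibling totals is not decorative: without it a path could present a sibling with a negative total and still hash to a root that understates liabilities.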



Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: maaku on March 05, 2014, 09:40:24 PM
Ask the bank.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: securityguy on March 05, 2014, 09:54:35 PM
Ask the bank.
Due to privacy laws in countries if a 3rd party asks a bank about someones account they will tell you they can't disclose such information.  Even if you could ask the bank you have to "trust" the bank is telling you the truth.




Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: IrishFutbol on March 05, 2014, 10:31:28 PM
Sounds great but can we use a real company instead of Ed's uncle Fred.

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm (http://www.deloitte.com/view/en_US/us/index.htm)

Probably wouldn't work.

1. It would be more than a couple hundred thousand.  Deloitte would want a fee for the audit, and then they would demand that the company hire a ton of staff and create a compliance department to ensure these controls were maintained throughout the year.  Additionally, a company would have to hire additional staff to handle all of the annual documentation around the controls (Deloitte won't just want to see that a company has controls, Deloitte will want to see evidence for every transaction that the control is being followed).

2. If it's not industry wide, people will flock to the unaudited exchanges.  Unaudited exchanges, or exchanges audited by non-reputable firms like the guy who audited Madoff, will be able to charge lower transaction fees than any exchange audited by a major auditor.  People currently have no issue throwing cash into unaudited exchanges, so what makes you think people would suddenly pay more to go into an audited exchange?


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Armis on March 05, 2014, 11:03:05 PM
You don't need host security if there is nothing to be kept secure - no client funds on the server, no personal data. With a fully trustless exchange you don't trust the server with *anything*, so why care at all if it is secure?

Systems security and host security are also different, as it covers business systems and processes and not just a server.    In your reddit post you say the following about a gateway;

As shown by gmaxwell/nullc, you can do zero knowledge proofs of summation of user balances to get clear knowledge about their liabilities, and they can publish bank statements to show that they have enough assets to cover a bank run.

How do you determine if a gateway's published bank statements are legitimate or forged?



Request a certified return -- essentially a sworn statement as to the truth of the facts.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: securityguy on March 05, 2014, 11:39:59 PM
Request a certified return -- essentially a sworn statement as to the truth of the facts.

You still have to "trust" the person who made the sworn statement.   Do you trust an entity setup whose purpose is to defraud you by making false sworn statements?


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Kenshin on March 05, 2014, 11:48:37 PM
Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

All the Big 4 audit firms don't audit properly. This includes PWC, E&Y, Deloitte and KPMG.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: corebob on March 05, 2014, 11:49:37 PM
Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

This is the opposite of what we need. When it comes to security and crypto, several independent peer reviews are the only trustworthy source.
I demand the same principle as open source projects inherently have: a thousand eyeballs are always better than two.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Armis on March 05, 2014, 11:54:29 PM
request a certified return -- essentially a sworn statement as to the truth of the facts

You still have to "trust" the person who made the sworn statement.   Do you trust an entity set up whose purpose is to defraud you by making false sworn statements?

Are you looking for a business situation in which you won't have to exercise any degree of trust?


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: maaku on March 06, 2014, 12:09:05 AM
request a certified return -- essentially a sworn statement as to the truth of the facts

You still have to "trust" the person who made the sworn statement.   Do you trust an entity set up whose purpose is to defraud you by making false sworn statements?

You can't have a system interact with fiat without some degree of trust. That's just the nature of the game. You can, however, reduce the necessary trust down to something very basic, e.g. a sworn statement from a prestigious bank that has much more to lose from lying. If that doesn't satisfy you, it should more than do to satisfy Lloyd's of London or some other insurance company which will happily insure those deposits against a bank theft.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: securityguy on March 06, 2014, 12:10:02 AM
Are you looking for a business situation in which you won't have to exercise any degree of trust?

No, I was just commenting on maaku's trustless exchange design.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Armis on March 06, 2014, 12:40:04 AM
request a certified return -- essentially a sworn statement as to the truth of the facts

You still have to "trust" the person who made the sworn statement.   Do you trust an entity set up whose purpose is to defraud you by making false sworn statements?

You can't have a system interact with fiat without some degree of trust. That's just the nature of the game. You can, however, reduce the necessary trust down to something very basic, e.g. a sworn statement from a prestigious bank that has much more to lose from lying. If that doesn't satisfy you, it should more than do to satisfy Lloyd's of London or some other insurance company which will happily insure those deposits against a bank theft.


That's how you enable the oil to reach the chain that turns the wheels that move the vehicle that brings everyone to where they want to go, faster and easier than an untrustworthy system whose brand new chain keeps falling off, resulting in a really unstable, unreliable, and uncomfortable trip.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: QuestionAuthority on March 06, 2014, 06:27:15 AM
Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Probably wouldn't work.

1. It would be more than a couple hundred thousand.  Deloitte would want a fee for the audit, and then they would demand that the company hire a ton of staff and create a compliance department to ensure these controls were maintained throughout the year.  Additionally, a company would have to hire additional staff to handle all of the annual documentation around the controls (Deloitte won't just want to see that a company has controls, Deloitte will want to see evidence for every transaction that the control is being followed).

2. If it's not industry wide, people will flock to the unaudited exchanges.  Unaudited exchanges, or exchanges audited by non-reputable firms like the guy who audited Madoff, will be able to charge lower transaction fees than any exchange audited by a major auditor.  People currently have no issue throwing cash into unaudited exchanges, so what makes you think people would suddenly pay more to go into an audited exchange?

It would work well. The problem is no one is willing to pay for quality. They would much rather bitch that they lost it all rather than pay a high fee. These fucking idiots don't deserve Deloitte or Price Waterhouse. They deserve exactly what they get - worthless fucking peer review. Two respected TBF members went to help MtFux in 2011, found a shambles with a clueless CEO and said nothing about it to anyone.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: IrishFutbol on March 06, 2014, 04:06:20 PM
Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Probably wouldn't work.

1. It would be more than a couple hundred thousand.  Deloitte would want a fee for the audit, and then they would demand that the company hire a ton of staff and create a compliance department to ensure these controls were maintained throughout the year.  Additionally, a company would have to hire additional staff to handle all of the annual documentation around the controls (Deloitte won't just want to see that a company has controls, Deloitte will want to see evidence for every transaction that the control is being followed).

2. If it's not industry wide, people will flock to the unaudited exchanges.  Unaudited exchanges, or exchanges audited by non-reputable firms like the guy who audited Madoff, will be able to charge lower transaction fees than any exchange audited by a major auditor.  People currently have no issue throwing cash into unaudited exchanges, so what makes you think people would suddenly pay more to go into an audited exchange?

It would work well. The problem is no one is willing to pay for quality. They would much rather bitch that they lost it all rather than pay a high fee. These fucking idiots don't deserve Deloitte or Price Waterhouse. They deserve exactly what they get - worthless fucking peer review. Two respected TBF members went to help MtFux in 2011, found a shambles with a clueless CEO and said nothing about it to anyone.

Your quality comparison reminds me of another problem.  Ask a Big 4 firm to audit a company that maintains deposits, and they're going to want to confirm the balance of those deposits with an investor.  This will be done by mailing a letter to the depositor's home address.  Accounting firms cannot just confirm balances through email, meaning the exchange would have to collect and maintain actual names and addresses for all depositors.  So in addition to the fees, people would now have to attach their true identity to their account.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: QuestionAuthority on March 06, 2014, 04:49:12 PM
Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Probably wouldn't work.

1. It would be more than a couple hundred thousand.  Deloitte would want a fee for the audit, and then they would demand that the company hire a ton of staff and create a compliance department to ensure these controls were maintained throughout the year.  Additionally, a company would have to hire additional staff to handle all of the annual documentation around the controls (Deloitte won't just want to see that a company has controls, Deloitte will want to see evidence for every transaction that the control is being followed).

2. If it's not industry wide, people will flock to the unaudited exchanges.  Unaudited exchanges, or exchanges audited by non-reputable firms like the guy who audited Madoff, will be able to charge lower transaction fees than any exchange audited by a major auditor.  People currently have no issue throwing cash into unaudited exchanges, so what makes you think people would suddenly pay more to go into an audited exchange?

It would work well. The problem is no one is willing to pay for quality. They would much rather bitch that they lost it all rather than pay a high fee. These fucking idiots don't deserve Deloitte or Price Waterhouse. They deserve exactly what they get - worthless fucking peer review. Two respected TBF members went to help MtFux in 2011, found a shambles with a clueless CEO and said nothing about it to anyone.

Your quality comparison reminds me of another problem.  Ask a Big 4 firm to audit a company that maintains deposits, and they're going to want to confirm the balance of those deposits with an investor.  This will be done by mailing a letter to the depositor's home address.  Accounting firms cannot just confirm balances through email, meaning the exchange would have to collect and maintain actual names and addresses for all depositors.  So in addition to the fees, people would now have to attach their true identity to their account.

Gox was already doing that and collected a photo ID from everyone with an account. It was part of their mandatory legal requirements. Problem is, they got hacked and the database was stolen because their software was written by a fat idiot with the intellect of a 12 year old with a Starbucks addiction. Now everyone's Photo ID and personal information are loose on the web. Isn't that special! We want to make sure we review these people ourselves. For Christ's sake, don't let an independent impartial respected third party with a reputation to protect do it. They'll fuck it all up.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Armis on March 06, 2014, 05:20:31 PM
Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Probably wouldn't work.

1. It would be more than a couple hundred thousand.  Deloitte would want a fee for the audit, and then they would demand that the company hire a ton of staff and create a compliance department to ensure these controls were maintained throughout the year.  Additionally, a company would have to hire additional staff to handle all of the annual documentation around the controls (Deloitte won't just want to see that a company has controls, Deloitte will want to see evidence for every transaction that the control is being followed).

2. If it's not industry wide, people will flock to the unaudited exchanges.  Unaudited exchanges, or exchanges audited by non-reputable firms like the guy who audited Madoff, will be able to charge lower transaction fees than any exchange audited by a major auditor.  People currently have no issue throwing cash into unaudited exchanges, so what makes you think people would suddenly pay more to go into an audited exchange?

It would work well. The problem is no one is willing to pay for quality. They would much rather bitch that they lost it all rather than pay a high fee. These fucking idiots don't deserve Deloitte or Price Waterhouse. They deserve exactly what they get - worthless fucking peer review. Two respected TBF members went to help MtFux in 2011, found a shambles with a clueless CEO and said nothing about it to anyone.


The simple fact is Deloitte knows less than 1/1000th of what this community knows about btc; the fact is all this community needs is organization to solve ALL of its current problems.

All of the answers are in the blockchain; if the community scrubbed it they would find all of the answers.
The blockchain could be used in many different ways.



Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Kenshin on March 06, 2014, 07:54:56 PM
I think BSSA might work; it should be like the Open Web Application Security Project (OWASP).

But the Big 4 is definitely not the answer. They are corrupt and crap. I know how they work. If there is any non-compliance in their audit, they will not write it down, because they want to keep a good relationship with the client. So in order to keep the clients, they will say their clients are compliant.

I know this shit, I worked with them before.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: ThomasF on March 17, 2014, 05:43:34 AM
Hello,

I want to make this a reality!

I have started http://www.bitcoinsecuritystandards.org/ to give the security experts a place to discuss their ideas and the implementers a place to understand what, why, and how to secure their sites and services.

Thank you,

-- Thomas F.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: nwtrades on March 17, 2014, 07:40:06 AM
Hello,

I want to make this a reality!

I have started http://www.bitcoinsecuritystandards.org/ to give the security experts a place to discuss their ideas and the implementers a place to understand what, why, and how to secure their sites and services.

Thank you,

-- Thomas F.

Hi Thomas, thanks for taking the effort to set that up!  It's great to see.  I had a small additional thought - what do you think about adding a wiki?  This way all members of the community serious about this can participate in drafting some things together as a collaborative effort.  The forums are nice as an informal place to chat around ideas, but a wiki (or something similar) might be very helpful as a formal resource.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: xb0x on March 17, 2014, 09:13:07 AM
Front-end security measures for exchanges: most hacks occur because of a lack of proper front-end security.
I have worked with multiple exchanges on their web security, and I usually find most of them are vulnerable to one or another type of simple attack. When I contact them regarding this, some realize it and fix the vulnerability after proper reports, while some simply keep ignoring it.

Some even told me that they have good security measures at their back-end but not in the front-end because they don't think it is important, and my question for them is: does the user/client interact with your front-end or your back-end? They see your website, not the physical location of your server or cold storage. Hackers hack into your front-end (the website), then using that escalate their authority on the server and compromise everything, or use it in a non-interacting way to attack users (CSRF: a single visit to a crafted site and your coins are gone until there is multi-step protection with double authorization and proper validation).

So, admins of exchanges need to understand this, otherwise hacks will keep happening again and again.
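The "multi-step protection with double authorization" the post calls for, as an added example that is not code from this thread or from any exchange: a withdrawal flow with a per-session CSRF token checked on the state-changing request plus a second step in which the user echoes a one-time code delivered out of band. It assumes the exchange's front-end lives at `SITE_ORIGIN` and that the session cookie is the only thing a cross-site page can make the browser send; the in-memory `SESSIONS` store and the `OUTBOX` list standing in for the e-mail/SMS channel are constructed for the example.

```python
import hmac
import secrets
import time

SITE_ORIGIN = "https://exchange.example"  # assumed origin of the exchange's web front-end
CODE_TTL_SECONDS = 600
MAX_CODE_TRIES = 3
SESSIONS = {}   # constructed in-memory store: session_id -> {"user", "csrf", "pending"}
OUTBOX = []     # constructed stand-in for the e-mail / SMS / authenticator channel


def new_session(user: str) -> str:
    """Log-in creates a session and a CSRF token bound to it."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(24), "pending": {}}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value the server renders into its own withdrawal form as a hidden field;
    a page on another origin cannot read it, so it cannot include it in a forged post."""
    return SESSIONS[sid]["csrf"]


def request_withdrawal(sid: str, form: dict, origin: str, now: float = None) -> str:
    """Step 1: refuse cross-site submissions, then park the withdrawal until confirmed."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return "denied: no session"
    # Browsers attach Origin to cross-site POSTs and page script cannot alter it;
    # an absent or foreign Origin fails closed.
    if origin != SITE_ORIGIN:
        return "denied: cross-origin request"
    if not hmac.compare_digest(str(form.get("csrf", "")), sess["csrf"]):
        return "denied: missing or wrong csrf token"
    amount, address = form.get("amount"), form.get("address")
    if not isinstance(amount, int) or amount <= 0 or not address:
        return "denied: invalid withdrawal parameters"
    req_id = secrets.token_hex(8)
    code = f"{secrets.randbelow(10 ** 6):06d}"
    sess["pending"][req_id] = {"amount": amount, "address": address, "code": code,
                               "expires": now + CODE_TTL_SECONDS, "tries": 0}
    OUTBOX.append((sess["user"], req_id, code))  # second factor leaves via another channel
    return "pending:" + req_id


def confirm_withdrawal(sid: str, req_id: str, code: str, now: float = None) -> str:
    """Step 2: the one-time code must come back from the same session, in time, within a try budget."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return "denied: no session"
    pending = sess["pending"].get(req_id)
    if pending is None:
        return "denied: unknown request"
    if now > pending["expires"]:
        del sess["pending"][req_id]
        return "denied: code expired"
    pending["tries"] += 1
    if pending["tries"] > MAX_CODE_TRIES:
        del sess["pending"][req_id]
        return "denied: too many attempts"
    if not hmac.compare_digest(code, pending["code"]):
        return "denied: wrong code"
    del sess["pending"][req_id]
    return f"approved:{pending['amount']}:{pending['address']}"


def demo():
    """Constructed walk-through: a forged cross-site post, a same-origin post without the
    token, then the legitimate two-step flow. Returns the four handler outcomes."""
    sid = new_session("alice")
    forged = request_withdrawal(sid, {"amount": 5, "address": "addr-other"}, origin="https://evil.example")
    no_token = request_withdrawal(sid, {"amount": 5, "address": "addr-other"}, origin=SITE_ORIGIN)
    legit = request_withdrawal(sid, {"csrf": csrf_token_for(sid), "amount": 5, "address": "addr-alice"},
                               origin=SITE_ORIGIN)
    req_id = legit.split(":", 1)[1]
    _, _, code = OUTBOX[-1]
    wrong = confirm_withdrawal(sid, req_id, "000000" if code != "000000" else "111111")
    done = confirm_withdrawal(sid, req_id, code)
    return forged, no_token, wrong, done


if __name__ == "__main__":
    print(demo())
```

Both comparisons use `hmac.compare_digest` so that token and code checks take the same time whether or not the first character matches, and the pending request is deleted on expiry or after the try budget so a stale confirmation cannot be replayed later.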


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Kenshin on March 25, 2014, 10:36:59 AM
Front-end security measures for exchanges: most hacks occur because of a lack of proper front-end security.
I have worked with multiple exchanges on their web security, and I usually find most of them are vulnerable to one or another type of simple attack. When I contact them regarding this, some realize it and fix the vulnerability after proper reports, while some simply keep ignoring it.

Some even told me that they have good security measures at their back-end but not in the front-end because they don't think it is important, and my question for them is: does the user/client interact with your front-end or your back-end? They see your website, not the physical location of your server or cold storage. Hackers hack into your front-end (the website), then using that escalate their authority on the server and compromise everything, or use it in a non-interacting way to attack users (CSRF: a single visit to a crafted site and your coins are gone until there is multi-step protection with double authorization and proper validation).

So, admins of exchanges need to understand this, otherwise hacks will keep happening again and again.

That is bullshit. In my career in Information Security for over 20 years, 99.9% of the back-ends are even less secured than the front-end.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: franky1 on March 25, 2014, 11:50:24 AM
Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

+0.5

Deloitte is pretty much the top one, but I'd say for the first 6 months they could get away with using another accredited accountant/auditor, just so they can at least start making a profit and not be tempted to eat into people's deposits to pay wages.
(Although I also think if they don't have enough finances upfront to cover costs, then being given customer funds is risky, so I see both sides of it.)

And also have the exchanges put a reserve/security into the Lloyd's of London-insured Elliptic vault as their collateral (separate from customer funds, which need to move freely instead of being locked in).

We don't need basement dwellers trying to look legit, yet having no credentials.

If it's going to be done, at least get it done honourably and right.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: xb0x on March 27, 2014, 01:42:44 PM
Front-end security measures for exchanges: most hacks occur because of a lack of proper front-end security.
I have worked with multiple exchanges on their web security, and I usually find most of them are vulnerable to one or another type of simple attack. When I contact them regarding this, some realize it and fix the vulnerability after proper reports, while some simply keep ignoring it.

Some even told me that they have good security measures at their back-end but not in the front-end because they don't think it is important, and my question for them is: does the user/client interact with your front-end or your back-end? They see your website, not the physical location of your server or cold storage. Hackers hack into your front-end (the website), then using that escalate their authority on the server and compromise everything, or use it in a non-interacting way to attack users (CSRF: a single visit to a crafted site and your coins are gone until there is multi-step protection with double authorization and proper validation).

So, admins of exchanges need to understand this, otherwise hacks will keep happening again and again.

That is bullshit. In my career in Information Security for over 20 years, 99.9% of the back-ends are even less secured than the front-end.

Physical attacks hardly ever occur on them (or rather, attackers hardly ever do physical attacks; the way in is controlling the back-end from the front-end), so they think they are secure. Most of the time the back-end gets targeted from the front-end.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Kenshin on March 28, 2014, 12:14:45 AM
Front-end security measures for exchanges: most hacks occur because of a lack of proper front-end security.
I have worked with multiple exchanges on their web security, and I usually find most of them are vulnerable to one or another type of simple attack. When I contact them regarding this, some realize it and fix the vulnerability after proper reports, while some simply keep ignoring it.

Some even told me that they have good security measures at their back-end but not in the front-end because they don't think it is important, and my question for them is: does the user/client interact with your front-end or your back-end? They see your website, not the physical location of your server or cold storage. Hackers hack into your front-end (the website), then using that escalate their authority on the server and compromise everything, or use it in a non-interacting way to attack users (CSRF: a single visit to a crafted site and your coins are gone until there is multi-step protection with double authorization and proper validation).

So, admins of exchanges need to understand this, otherwise hacks will keep happening again and again.

That is bullshit. In my career in Information Security for over 20 years, 99.9% of the back-ends are even less secured than the front-end.

Physical attacks hardly ever occur on them (or rather, attackers hardly ever do physical attacks; the way in is controlling the back-end from the front-end), so they think they are secure. Most of the time the back-end gets targeted from the front-end.

Once you penetrate the front end, the back end has no defense. That is what I have noticed. And when you go in and do an audit and pen test, they always try to justify that no one is going to be able to get into the back end. So many fools.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: xb0x on March 28, 2014, 04:34:33 AM
Front-end security measures for exchanges: most hacks occur because of a lack of proper front-end security.
I have worked with multiple exchanges on their web security, and I usually find most of them are vulnerable to one or another type of simple attack. When I contact them regarding this, some realize it and fix the vulnerability after proper reports, while some simply keep ignoring it.

Some even told me that they have good security measures at their back-end but not in the front-end because they don't think it is important, and my question for them is: does the user/client interact with your front-end or your back-end? They see your website, not the physical location of your server or cold storage. Hackers hack into your front-end (the website), then using that escalate their authority on the server and compromise everything, or use it in a non-interacting way to attack users (CSRF: a single visit to a crafted site and your coins are gone until there is multi-step protection with double authorization and proper validation).

So, admins of exchanges need to understand this, otherwise hacks will keep happening again and again.

That is bullshit. In my career in Information Security for over 20 years, 99.9% of the back-ends are even less secured than the front-end.

Physical attacks hardly ever occur on them (or rather, attackers hardly ever do physical attacks; the way in is controlling the back-end from the front-end), so they think they are secure. Most of the time the back-end gets targeted from the front-end.

Once you penetrate the front end, the back end has no defense. That is what I have noticed. And when you go in and do an audit and pen test, they always try to justify that no one is going to be able to get into the back end. So many fools.

Yes, that is why I wrote that explicitly. A few days back I was working with a Bitcoin exchange on securing them. After multiple front-end issues (client-side, mostly), they said "The problem is that we did not make the front-end program perfect" and I was like WTF - they talked about security?


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: counter on March 28, 2014, 05:46:48 AM
I've said this myself in the past but not with as much depth and detail.  This is an obviously needed step for a platform of trust to be built upon for newer users.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: xiaohuolv on March 28, 2014, 12:19:46 PM
I agree with this, however I also like the concept of the original post. Everyone would still be able to start a company, but if their service is solvent and reliable and they can prove it, they would be rewarded with some official recognition. Just like the Bitcoin Foundation has members, some sort of team would set some requirements. If a website qualifies then let's say that they would receive a sticker.

This would help non-advanced users avoid risky services and also promote solid ones over less reliable ones. In my opinion this can only make a market better.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: bananahoho on March 28, 2014, 12:49:57 PM
I agree with this, however I also like the concept of the original post. Everyone would still be able to start a company, but if their service is solvent and reliable and they can prove it, they would be rewarded with some official recognition. Just like the Bitcoin Foundation has members, some sort of team would set some requirements. If a website qualifies then let's say that they would receive a sticker.

This would help non-advanced users avoid risky services and also promote solid ones over less reliable ones. In my opinion this can only make a market better.
I quite agree with what you said. What you said is very reasonable, very good.


Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: Kenshin on March 28, 2014, 06:48:23 PM
I agree with this, however I also like the concept of the original post. Everyone would still be able to start a company, but if their service is solvent and reliable and they can prove it, they would be rewarded with some official recognition. Just like the Bitcoin Foundation has members, some sort of team would set some requirements. If a website qualifies then let's say that they would receive a sticker.

This would help non-advanced users avoid risky services and also promote solid ones over less reliable ones. In my opinion this can only make a market better.
I quite agree with what you said. What you said is very reasonable, very good.

Then we need a list of requirements that startups need to comply with in order to have this badge. It will be a bit like the ISO and OWASP standards, where they need regular audits and pen tests.



Title: Re: Bitcoin Security Standards Audit [BSSA]
Post by: coinyear on March 28, 2014, 06:57:16 PM
I've said this myself in the past but not with as much depth and detail.  This is an obviously needed step for a platform of trust to be built upon for newer users.
Agree with you.