Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: paulie_w on July 13, 2012, 03:42:28 PM



Title: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 03:42:28 PM
folks,

i think that it is time that we, at a minimum, start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.

who is competent enough to make one? maybe start to collaboratively put that together? it's really important that everyone's knowledge on the subject of security start being pooled and guided so that new people coming into the community with an enthusiasm for making great apps, don't end up like bitcoinica!

so how about it?


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: proudhon on July 13, 2012, 03:47:39 PM
Quote
folks,

i think that it is time that we, at a minimum, start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.

who is competent enough to make one? maybe start to collaboratively put that together? it's really important that everyone's knowledge on the subject of security start being pooled and guided so that new people coming into the community with an enthusiasm for making great apps, don't end up like bitcoinica!

so how about it?

How about first we make a comprehensive and simple-to-understand guide on how to secure your own bitcoins.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 03:56:20 PM
both of these things would be hugely useful, right?

maybe they can be on the same wiki. ;-)


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: Coinabul on July 13, 2012, 04:02:14 PM
I think some actually accredited security professionals should produce said guide.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: kiba on July 13, 2012, 04:07:00 PM
If you don't have a need to IMMEDIATELY do transactions with bitcoin:

Here's how it would work:

1. Put all your bitcoin in a cold wallet and place it in a safe.
2. Open it once a day to process all the pending transactions.
3. Put the cold wallet back in the safe.

What it needs:

1. Several USB drives.
2. Software to keep transaction requests, query the blockchain, and then write to the USB drive.
3. Making sure you have enough public keys on hand.
4. At least one airgapped computer dedicated to processing the data on the USB drive.

Anybody who knows security, feel free to point out any flaws.
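As an added example (not code from this thread or from any project named in it), here is the offline side of step 3 above in Python: the air-gapped host derives compressed secp256k1 public keys from freshly generated private keys and writes only the public keys to the USB drive, returning a SHA-256 of that file so the online host can confirm it arrived intact. The manifest file name and format, the hash check, and the pure-Python curve arithmetic are assumptions of this example; the private keys never have to leave the safe.

```python
import hashlib
import os

# secp256k1 domain parameters: field prime, group order, generator point.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _inv(a):
    """Modular inverse in GF(P); P is prime, so Fermat's little theorem applies."""
    return pow(a % P, P - 2, P)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                              # p2 == -p1
        lam = 3 * x1 * x1 * _inv(2 * y1) % P         # doubling (curve a = 0)
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def pubkey_compressed(priv):
    """33-byte SEC1 compressed public key for a 32-byte private scalar."""
    d = int.from_bytes(priv, "big")
    if not 1 <= d < N:
        raise ValueError("private key out of range")
    x, y = _mul(d, G)
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def generate_offline_batch(count):
    """Make `count` keypairs on the air-gapped host; returns (privs, pubs)."""
    privs = []
    while len(privs) < count:
        cand = os.urandom(32)                        # rejection-sample into [1, N)
        if 1 <= int.from_bytes(cand, "big") < N:
            privs.append(cand)
    return privs, [pubkey_compressed(p) for p in privs]


def write_usb_manifest(path, pubs):
    """Write ONLY public keys (hex, one per line) to the USB drive and return
    the file's SHA-256 so the online host can verify the copy it receives."""
    data = "".join(pk.hex() + "\n" for pk in pubs).encode()
    with open(path, "wb") as fh:
        fh.write(data)
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    privs, pubs = generate_offline_batch(3)          # privs stay on this host
    digest = write_usb_manifest("pubkeys.txt", pubs)
    print("exported", len(pubs), "public keys; manifest sha256 =", digest)
```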


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 04:07:50 PM
Quote
I think some actually accredited security professionals should produce said guide.

no, i think WE need to produce what we can of it, and then let security professionals audit that. otherwise it is never going to get done.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 04:08:55 PM
Quote
If you don't have a need to IMMEDIATELY do transactions with bitcoin:

Here's how it would work:

1. Put all your bitcoin in a cold wallet and place it in a safe.
2. Open it once a day to process all the pending transactions.
3. Put the cold wallet back in the safe.

What it needs:

1. Several USB drives.
2. Software to keep transaction requests, query the blockchain, and then write to the USB drive.
3. Making sure you have enough public keys on hand.
4. At least one airgapped computer dedicated to processing the data on the USB drive.

Anybody who knows security, feel free to point out any flaws.

it's obvious that the most interesting bitcoin apps are probably always going to be those where "hot" exchanges are pretty important. what about that?


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: acoindr on July 13, 2012, 05:52:03 PM
The truth is "bitcoin apps" are not the problem.

The problem is improper security handling. Take the Linode hack for example. Bitcoinica and several other bitcoin related sites had bitcoins stolen. There wasn't a specific "bug" that left these apps vulnerable. The Linode hack was probably an inside job by someone at Linode.

There was ONE poster with Linode, however, who said he wasn't affected because he didn't store funds on a server controlled by someone else.

The problem here is not app security, it's lacking proper forethought.

Another example from this latest breach:

While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged.

ALL passwords should have been changed. Even basic security 101 says change your password every so often, even without any breach, ESPECIALLY if funds are related to it.

The problem is high value funds being left vulnerable by people who don't take adequate security care and forethought.

BitcoinArmory.com is an example of GREAT security forethought, and is probably the safest way to cold store bitcoins in existence.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: unclemantis on July 13, 2012, 06:07:09 PM
There definitely needs to be a Standard Operating Procedure or ISO that EVERY shop that handles Bitcoin can follow.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: Timo Y on July 13, 2012, 06:32:38 PM
This isn't a bitcoin specific problem. Many books have been written on how to secure a web server. I'm not sure if a universal guide would be useful. Different architectures require different security measures.

What would be nice is a preconfigured server optimized for bitcoin security and privacy. Something like tails (https://tails.boum.org/) except designed for running a simple bitcoin web app.

The barriers to entry need to be lower. Developing bitcoin-accepting websites shouldn't be an exclusive privilege of security experts.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 06:34:59 PM
Quote
The truth is "bitcoin apps" are not the problem.

The problem is improper security handling. Take the Linode hack for example. Bitcoinica and several other bitcoin related sites had bitcoins stolen. There wasn't a specific "bug" that left these apps vulnerable. The Linode hack was probably an inside job by someone at Linode.

There was ONE poster with Linode, however, who said he wasn't affected because he didn't store funds on a server controlled by someone else.

The problem here is not app security, it's lacking proper forethought.

Another example from this latest breach:

While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged.

ALL passwords should have been changed. Even basic security 101 says change your password every so often, even without any breach, ESPECIALLY if funds are related to it.

The problem is high value funds being left vulnerable by people who don't take adequate security care and forethought.

BitcoinArmory.com is an example of GREAT security forethought, and is probably the safest way to cold store bitcoins in existence.

let's just say for the moment that whether it's basic security or 'bitcoin security' doesn't matter. we NEED to provide our community with great guides so that enthusiastic young people, even inexperienced, can read it and build according to standard.

and that means the rest of the community can say to them, hey, did you run through part X of our procedure? please publish your results.

i don't imagine something so advanced as a 'test suite' for all sites (impossible, i'm sure), but i do think we could at least start to imagine standards.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: acoindr on July 13, 2012, 06:36:23 PM
Quote
What would be nice is a preconfigured server optimized for bitcoin security and privacy.

How would that have helped this latest Mt.Gox password incompetence, or the earlier Linode (likely inside job) hack?


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 06:38:15 PM
Quote
What would be nice is a preconfigured server optimized for bitcoin security and privacy.

How would that have helped this latest Mt.Gox password incompetence, or the earlier Linode (likely inside job) hack?

it's hard to know without a full audit.

look i know everyone is upset about this, but the solutions are simply more hand-holding, more documentation, and less stupidity (on part of both the developers AND the users).


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: acoindr on July 13, 2012, 06:40:34 PM
Quote
let's just say for the moment that whether it's basic security or 'bitcoin security' doesn't matter. we NEED to provide our community with great guides so that enthusiastic young people, even inexperienced, can read it and build according to standard.

and that means the rest of the community can say to them, hey, did you run through part X of our procedure? please publish your results.

i don't imagine something so advanced as a 'test suite' for all sites (impossible, i'm sure), but i do think we could at least start to imagine standards.

Okay, but RULE 1 of the guide is that you are only as secure as your weakest link.

Bitcoinica Hack #1 Linode = probably an inside job at Linode

Bitcoinica Hack #2 = Moved to Rackspace; Patrick's email server was compromised, oops!

Bitcoinica Mt.Gox Hack = We didn't change a password Tihan re-used, sorry!

Edit: I should change the word "hack" above because no hacking was even required. Thieves without computer knowledge could have executed all of the above thefts.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 06:44:20 PM
Quote
let's just say for the moment that whether it's basic security or 'bitcoin security' doesn't matter. we NEED to provide our community with great guides so that enthusiastic young people, even inexperienced, can read it and build according to standard.

and that means the rest of the community can say to them, hey, did you run through part X of our procedure? please publish your results.

i don't imagine something so advanced as a 'test suite' for all sites (impossible, i'm sure), but i do think we could at least start to imagine standards.

Okay, but RULE 1 of the guide is that you are only as secure as your weakest link.

Bitcoinica Hack #1 = probably an inside job at Linode

Bitcoinica Hack #2 = Patrick's email server was compromised, oops!

Bitcoinica Mt.Gox Hack = We didn't change a password Tihan re-used, sorry!

i think it's perfectly sensible to start such a guide with this kind of stuff, although i would drop the conspiratorial tone (even if it proves to be true).

How to make a secure bitcoin application.

CHAP 1: Why is security crucial when making bitcoin applications?
CHAP 1A: Security anecdotes from bitcoin's history (aka Stupid Mistakes)
CHAP 2: Basic server security
CHAP 3: Hot wallets vs Cold Wallets

etc


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 06:48:26 PM
i think it is also important to have a chapter/section about your personal security habits as a developer, and why one hole in the security chain causes the whole thing to crumble (again, anecdotes would be a Good Thing).

is anyone actually going to make this? i think we need it. i would do it myself if i felt technically competent enough (and i really don't).


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: acoindr on July 13, 2012, 06:55:37 PM
i think it's perfectly sensible to start such a guide with this kind of stuff, although i would drop the conspiratorial tone (even if it proves to be true).

How to make a secure bitcoin application.

CHAP 1: Why is security crucial when making bitcoin applications?
CHAP 1A: Security anecdotes from bitcoin's history (aka Stupid Mistakes)
CHAP 2: Basic server security
CHAP 3: Hot wallets vs Cold Wallets

etc

I'm not against a guide. I just think the focus should be less about the technical, and more about common sense.

During one of the last hack discussions a forum member posted that he properly secured his server, citing various technical precautions. He mentioned he did this to protect the X amount of funds stored on the server, and he was glad for the high bandwidth line to his office allowing him to have the server there.

Another poster said er it's probably not a good idea to tell people where your server holding these funds is at. For example, one could look up where you are located and pay the cleaning lady 10K to look the other way.  That would be worth it for a theft worth say 60K plus.

Low tech security precautions shouldn't be ignored in favor of high tech ones.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 06:59:55 PM
Quote
I'm not against a guide. I just think the focus should be less about the technical, and more about common sense.

During one of the last hack discussions a forum member posted that he properly secured his server, citing various technical precautions. He mentioned he did this to protect the X amount of funds stored on the server, and he was glad for the high bandwidth line to his office allowing him to have the server there.

Another poster said er it's probably not a good idea to tell people where your server holding these funds is at. For example, one could look up where you are located and pay the cleaning lady 10K to look the other way.  That would be worth it for a theft worth say 60K plus.

Low tech security precautions shouldn't be ignored in favor of high tech ones.

i wonder if it would be possible to 'hide' the hot wallet server by putting it on its own box, and only allowing tor hidden service connections in.

that way, the IP at least would never be known...


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: acoindr on July 13, 2012, 07:08:09 PM
Quote
I'm not against a guide. I just think the focus should be less about the technical, and more about common sense.

During one of the last hack discussions a forum member posted that he properly secured his server, citing various technical precautions. He mentioned he did this to protect the X amount of funds stored on the server, and he was glad for the high bandwidth line to his office allowing him to have the server there.

Another poster said er it's probably not a good idea to tell people where your server holding these funds is at. For example, one could look up where you are located and pay the cleaning lady 10K to look the other way.  That would be worth it for a theft worth say 60K plus.

Low tech security precautions shouldn't be ignored in favor of high tech ones.

i wonder if it would be possible to 'hide' the hot wallet server by putting it on its own box, and only allowing tor hidden service connections in.

that way, the IP at least would never be known...

Again, you're thinking a lack of high tech solutions is the problem. It's not. In the example about the cleaning lady there are other ways to go about finding the location to commit the crime. For example, if it was me I would start collecting information on the target. I'd do several things first:

1. Do a WHOIS lookup on the member's domain name; unless intentionally obscured this will provide the member's real name or company name...
2. Click the forum member's profile, see what else I can learn about him, like an email address (which I might try to phish email)
3. Do a forum search of all the member's posts; did he ever mention where he was located?

Only after starting with the above would I even get into tracking down IP addresses. See? Low tech is often FAR more effective.



Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 07:15:41 PM
Quote
Again, you're thinking a lack of high tech solutions is the problem. It's not. In the example about the cleaning lady there are other ways to go about finding the location to commit the crime. For example, if it was me I would start collecting information on the target. I'd do several things first:

1. Do a WHOIS lookup on the member's domain name; unless intentionally obscured this will provide the member's real name or company name...
2. Click the forum member's profile, see what else I can learn about him, like an email address (which I might try to phish email)
3. Do a forum search of all the member's posts; did he ever mention where he was located?

Only after starting with the above would I even get into tracking down IP addresses. See? Low tech is often FAR more effective.

high tech is not the solution to the problems in your previous emails, but my comment was a bit of a sidetrack (that i wish to drop from this thread after this point is made):

i was strictly talking about an idea of how to hide a hot wallet server, disconnected from your previous points. the above, provided some basic precaution on part of the developer, would not reveal a means into the wallet server.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: acoindr on July 13, 2012, 07:17:48 PM
Quote
high tech is not the solution to the problems in your previous emails, but my comment was a bit of a sidetrack (that i wish to drop from this thread after this point is made):

i was strictly talking about an idea of how to hide a hot wallet server, disconnected from your previous points. the above, provided some basic precaution on part of the developer, would not reveal a means into the wallet server.

Oh, gotcha :)

Yes, securing hot wallets has been discussed, but I don't know the thread offhand.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 07:20:28 PM
imho those kinds of threads should be collected and organized into a wiki per this thread:

https://bitcointalk.org/index.php?topic=93115.0;topicseen


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: EnergyVampire on July 13, 2012, 07:47:40 PM
Do trading sites like MtGox, BTC-E, BitStamp, Intersango, bitFloor, GLBSE, etc need a hot wallet at all?


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: acoindr on July 13, 2012, 07:53:09 PM
Quote
Do trading sites like MtGox, BTC-E, BitStamp, Intersango, bitFloor, GLBSE, etc need a hot wallet at all?

It depends on the amount of volume. A site like MtGox, having the majority of bitcoin exchange, probably does, because manually processing transactions would be labor intensive.

But remember it's possible to secure a hot wallet, and this latest theft had nothing to do with a hot wallet at all.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: kiba on July 13, 2012, 07:57:14 PM
Quote
It depends on the amount of volume. A site like MtGox, having the majority of bitcoin exchange, probably does, because manually processing transactions would be labor intensive.

They just need automation.

Quote
But remember it's possible to secure a hot wallet, and this latest theft had nothing to do with a hot wallet at all.

It does. Having a balance with mtgox is effectively a hot wallet.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: acoindr on July 13, 2012, 08:09:14 PM
Quote
It does. Having a balance with mtgox is effectively a hot wallet.

I meant people seem to think hot wallets are the reason bitcoins are vulnerable, but wallets are only one potential vulnerability. This latest theft was due to sloppy password handling, and 40K USD was stolen in addition to 40K BTC.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: World on July 13, 2012, 08:23:51 PM
Quote
folks,
start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.

who is competent enough to make one? maybe start to collaboratively put that together? it's really important that everyone's knowledge on the subject of security start being pooled and guided so that new people coming into the community with an enthusiasm for making great apps, don't end up like bitcoinica!

so how about it?

https://en.bitcoin.it/wiki/Securing_online_services


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: EnergyVampire on July 13, 2012, 08:24:51 PM
+1 for this initiative

I like the whole idea of Standard Operating Procedures (SOP), Transparency, Disclosures, Best Practices, etc. for sites that take custody of customers' funds. Not so much as a requirement for starting the site but as a way for potential/current customers to evaluate the risk involved when dealing with them.

The Bitcoin Protocol is innovative but financial institutions on the other hand have been around for a very long time.

Caveat emptor


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: kiba on July 13, 2012, 08:27:31 PM
Quote
I meant people seem to think hot wallets are the reason bitcoins are vulnerable, but wallets are only one potential vulnerability. This latest theft was due to sloppy password handling, and 40K USD was stolen in addition to 40K BTC.

You're right, I guess. Even if the bitcoin were offline, the thief could have waited and waited until the balances were loaded into mtgox and used to pay customers or the site started operating.


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 13, 2012, 08:42:18 PM
Quote
folks,
start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.

who is competent enough to make one? maybe start to collaboratively put that together? it's really important that everyone's knowledge on the subject of security start being pooled and guided so that new people coming into the community with an enthusiasm for making great apps, don't end up like bitcoinica!

so how about it?

https://en.bitcoin.it/wiki/Securing_online_services

oh, great start! i see that it was started in may.

may we use this as the base, and expand it as discussed?


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: h00ters on July 14, 2012, 01:34:55 AM
Don't know what your goal is, but anything can be hacked with time. Using proper security techniques helps, but anything can be bypassed. i.e. 2-factor auth, don't use the same passwords, etc... Simple, logical things...

Tip: Don't believe everyone that says they are a security expert without any proof... i.e. Patrick from Bitcoinica...


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: World on July 14, 2012, 08:41:58 PM
Quote
oh, great start! i see that it was started in may.
may we use this as the base, and expand it as discussed?

Mike Hearn was the author
https://bitcointalk.org/index.php?topic=82098.msg904743#msg904743


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: mistfpga on July 14, 2012, 09:23:08 PM
Hi Paulie,

the advice you want people to use already exists,

the Open Web Application Security Project

https://www.owasp.org/index.php/Main_Page

you will find professional people, who are very good at what they do. These people may even be persuaded to work on bitcoin - that place is like a repository of web app security. if a company does not follow their advice...

go check it out. get some people interested...

bitcoin is a blockchain and interaction with this chain. it is not securing web apps.

sorry to be a miserable git.

steve


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: paulie_w on July 16, 2012, 03:44:58 PM
here's a place to start maybe:

http://blog.ircmaxell.com/2012/07/secure-programmers-pledge.html


Title: Re: we need a comprehensive guide for making SAFE bitcoin apps!!
Post by: Gavin Andresen on July 16, 2012, 06:12:43 PM
Starting with OWASP is good advice.

But if you are holding other people's bitcoins, just securing the app is not enough. You need people who have experience securing money telling you how to create processes to make sure you're not the victim of embezzlement, that you are complying with legal requirements, keeping adequate records, keeping customers' funds separate from the funds used to pay expenses, that regular audits are done to detect problems early, and so on.

Quote
The Bitcoin Protocol is innovative but financial institutions on the other hand have been around for a very long time.
+1