|
Unfortunately it is not that easy to secure a hot wallet.
The game plan should be:
1. Minimise amount of bitcoins to be held in hot wallet.
2. Have complete control over physical and management access to hardware and OS. It sucks but this requires extending trust to a few trusted people. This is the weakest link.
3. Definitely do not have ANY 3rd parties anywhere in the loop with any kind of access to the hot wallet server in either management or physical access capacity.
4. Obviously, having secure web interfacing code, with all user supplied data sanitised and hardened server helps a lot. But this is relatively trivial matter.
5. Using multisig functionality could help a lot. For example, say, a "offline" second sig server, which also has some monitoring code and freeze withdrawals based on some set of rules, until manual intervention resolves the flagged issues."
- Hosting your own email could help too in some cases.
- Securing cold wallets is another topic.
This basically means, decent colo setup with a few nuts and bolts on top of it. Hello! Big news! It was pretty much brought to Bitconica's attention in August/September 2011. I hope others will be able to learn from this.
This also means no hosting any wallets with nontrivial amounts of bitcoins on any:
- VPS's (generally, the bigger the company operating those VPS's, the more random dudes have root access, the more risk you take)
- dedicated servers are effectively the same VPS with all kinds of management access hosters have, however encrypted partitions could help a lil bit in this scenario, i.e. attacker would need to access it without rebooting.
(The above assumes VPS's and dedi's hosted by 3rd parties)
In other words, if you do not know who EXACTLY has or can have root access, say bye bye to your hot wallet.
Tough titty, "google search based sysadmins" and "flying in the clouds" generation! You simply cannot google up 10-20 years of professional experience and once you start relying blindly on all those cloud services you are screwed again.
Bitcoinica's "Zero sysadmin" policy in action. Enjoy!
|
|
|
|
eh! it was j/k lol
LOL, my sense of humour is failing me today. |
|
|
|
So, you use the root account to perform pings(!), and the machine is called boris... Very secure indeed, Vladimir!
Who ha! If you read some dogmatic 30 year old BS addressed to noobs a-la "do not use root accounts" 1000 times, this does not mean that using a root account for pings (or whatever) on a machine(physical or virtual and of unknown to you configuration, location and purpose) is necessarily insecure. Security, my friend, is not a state it is a process. |
|
|
|
|
root@boris:~>ping bitcoinica.com
PING bitcoinica.com (50.56.4.62): 56 data bytes
64 bytes from 50.56.4.62: icmp_seq=0 ttl=48 time=102.786 ms
64 bytes from 50.56.4.62: icmp_seq=1 ttl=48 time=101.933 ms
64 bytes from 50.56.4.62: icmp_seq=2 ttl=48 time=102.374 ms
^C
|
|
|
|
|
Ever tried to google "asymptotically approaching" ?
|
|
|
|
...
It's maybe the email provider, not rackspace. Hotmail? Yahoo? Gmail?
Or maybe this is NSA guys, who have access to all those emails, are messing with you. |
|
|
|
This is why. You guys completely ignore the magnitude of this, and completely ignore that Bitcoin is an unestablished currency. Being an unestablished currency, it needs a positive sum game far greater than those of established ones to ever hope to compete. Systematically allocating wealth from wealth creators to wealth destroyers as is being done in the Bitcoin world is unsustainable if Bitcoin is to have any value, since it represents a negative sum game in which wealth is continuosly destroyed.
Relax. It is geek currency, hackers are geeks. So they get their share one way or another. In long run it is utterly immaterial for Bitcoin how initial distribution/emission of money is done and who are "early adopters". Actually, the quicker "early adopter" lion share of Bitcoin is diluted, the better. |
|
|
|
I have repeatedly told people that Bitcoinica is a scam and that Bitcoinica staff should be banned from the forums.
Maybe now people will actually listen.
Bitcoinica is a regulated entity, verifiable by government records. We are one of the most legitimate businesses in Bitcoin community, by any standard. What is it with all the anonymous/pseudonymous guys on this forum repeatedly attacking every NAMED (and easily verified) individual and company and labelling every project run by those most legitimate operators as a scam? Insane! Grow a brain or something. |
|
|
|
|
Sorry to hear about this again.
It seems Bitcoinica got swindled for another 100k$, this time they got "smarter", instead of cheapest possible VPS, they went for most expensive possible Dedicated (or is it still vps's?).
FFS! it does not change anything! Insiders still have physicall access to their computers, or management access for instance via KVMs, they still can arrange to get themselves untracked access, leak passwords etc, they still can take your wallets.
Linode lesson was not "go to dedi", it was to go to a well locked colo and control physical and management access to servers. Owning the DC would be even better. Banks do not host their critical infrastructure on cheapest VPS's nor do they use the most expencive dedis either. Take a hint.
Better yet hire someone who can do information security professionally and this time listen to what they tell you.
|
|
|
|
IANAL, but it seems that anyone who lost any money on GLBSE has a valid claim against someone, probably GLBSE (they potentially could be considered as UK agents of all the offshore issuers of "securities"). I take it if you are located in UK and lost anything on GLBSE you can ask FSA to make you whole (at expense of GLBSE, most likely). I would guess it is pretty much the same in most jurisdictions. here is some fun reading: https://www.google.co.uk/search?q=financial+promotion+acthttp://www.legislation.gov.uk/uksi/2001/1335/contents/madehttp://www.salans.com/en-GB/Locations/~/media/Assets/Salans/Publications/2006/20060407-Making-financial-promotions-in-the-UK.ashx (just random comment on the relevant legislation, no affiliation) P.S. Argument that Bitcoin is not money or that it has no value and therefore you can promote unlawfully or illegally assets denominated in BTC is just silly. P.P.S. It is a criminal offence to fail to comply with the FSMA [Financial Services and Markets Act 2000], the enforcement of which is overseen by the Financial Services Authority P.P.P.S. any breach of the Financial Promotion Restriction can be punishable by an unlimited fine and up to two years’ imprisonment; and � the same penalties can be applied to all officers who have consented to the breach. |
|
|
|
|
Should qualify as "abandoned property" perhaps?
Or like a planted gun... or self planted gun maybe?
|
|
|
|
|
What is it with some people? Control freaks all around us just don't give up. You have a "simple" and elegant system that is Bitcoin, why would anyone want to add all the kinds of stupid rules to it? What is it with this endless desire to turn a simple and elegant system into a bloated monster?
Feel free to fork Bitcoin and add any kind of BS rules to it, then let the fittest survive. It is good that such proposals have no chance to be implemented in Bitcoin itself.
On the second thought, float this idea to Solid Coin N.0 crowd, they may just go for it.
BTW. Today is "Star Wars Day", May the 4th be with you.
|
|
|
|
|
Selling Bitcoin via SMS is a losing proposition. Carriers/processors will charge you exorbitant fees while not carrying any risk themselves and offloading it all onto you. Think about it as selling bitcoins for paypal and/or credit cards by proxy and paying 10 times larger fees.
SMS are only good for selling useless tat, like Facebook credits, virtual sheep and ringtones. Those supposedly irreversible Canadian mintchips sound as a much better proposition for medium of conversion of fiat into bitcoins. It is until the mint discontinues it due to all the fraudsters rushing to convert all the stolen credit card numbers into bitcoins via mintchips.
|
|
|
|
I'm guessing this post isn't targetting me, but in case I understand this and submit something can you confirm what I need to do?
I just make a picture with some sore of bitcoin related announcement and e-mail that picture to the e_mail address above?
And I can win bitcoins? I will totally do that, but please correct me if I'm confused about something...
Thanks! Ciao
Yep just like that. But note this is non-commercial, i.e. make and ad for Bitcoin itself or something that is in Bitcoin community interests. For example, "do not mine in pools that have more than 50% of all mining power" as opposed to "come mine in my pool". |
|
|
|
Attack pending….
Delivering a magazine might be a nice first step.  I know. |
|
|
|
|
PSA competition is discontinued due to lack of interest. Thank You.
|
|
|
|
|
You are going to have to get yourself some low cost SSD drives. This is a quick and easy solution. The alternative is RMA's, messing with BIOS updates etc...
|
|
|
|
|
I would like to thank everyone who responded in this thread and elsewhere, be it compliments, suggestions, criticism (constructive or otherwise).
At the moment I am having a series of meetings with investors, accountants, lawyers and other "professionals" trying to figure out subtle details of "the plan". As soon as there is some better clarity on our exact plans it will be announced. Until then I will be mostly quiet.
Thank You all, again. Your feedback both positive and negative is very much appreciated.
|
|
|
|
1. You need investors to take you on trust that you actually have a technical solution that works to the claimed specification, right? I presume you know that a PLC is significantly different to a normal limited company that can get away without audits (and how auditors will account for BTC 'profits' is unknown)? BFL suffered from this, big claims up-front to get *fiat* investment;
This matter of existence of technical solution and specific details will be discussed privately and covered by NDA's where required. How auditors would account for BTC? I suppose exactly the same as they would account for potatoes. Imagine a company which pays dividend in potatoes that it grows. These are open questions how BTC's will be accounted for, whether there will be dividends payable in Bitcoins or not, and it is for accountants to figure out. 2. What sounds questionable is *fiat* investment with the prospect of *fiat* dividends, when the hashpower potentially gathered could, as mentioned repeatedly on this thread, reduce the value of the BTC. Mining all the blocks will put you as the main seller on the exchanges, and knowing that will help traders drive your price down. I'd invest if divvies were paid in BTC because you'd clearly be maximising the effectiveness of the economy. Accepting fiat and extracting fiat sounds like draining the value of the BTC economy dry, and there's not enough value in that economy to give a useful ROI on the numbers required for ASIC development (AFAIK);
"Accepting fiat and extracting fiat" for me sounds as neutral. I am discussing with advisers our options of having both fiat and Bitcoin dividends. This is not a trivial matter considering dividend taxation and VAT. It was also suggested that it would be bad idea to commit to a fixed dividend schedule as this would put the company and shareholders at disadvantage and it would be difficult to react to changing market conditions. We do not know yet how exactly the company will be structured, there are no investment prospectus prepared yet. It is complicated. We are working on it. 3. What is the first Bitcoin REIT? The acronym means 'real estate investment trust'. These invest capital in property, and distribute the rental income to the investors. The REIT always has a residual value if the income collapses since the property can be sold. Custom ASICs would leave investors with no return of capital if the income stream dries up;
REIT is a pipe dream for now. Not going to happen before the company is listed on main market of LSE, and this in turn would not make any sense unless the company is wildly successful and Bitcoin's market cap is measured in billions. Even if it would be accepted that racks of ASIC mining gear is a new sort of "real estate". However, it is rather rare than companies that are less than 3 years old are listed on public exchanges. Considering how quickly Bitcoin is developing, the future is uncertain. Should it happen that in 3 years time Bitcoin will be in mass adoption stage already, the best time to start thinking about being the first Bitcoin company that goes public is now. The legality of the fund is equally complex, and the up-front cost of establishing a PLC (minimum turnover required... where's that coming from?) as opposed to a normal LTD, plus the legal fees, plus the fund setup advice, etc. - you're going to need a LOT of capital. If you're very rich and you're putting it all up yourself, fair enough. But after Madoff, you're not going to fool the UHNW crowd and the institutional fund-of-hedge-fund crowd either.
I do not think that this is a fund. This is a company that operates Bitcoin mining hardware on large scale. There is no requirement for minimum turnover for a PLC in UK, to the best of my knowledge. You perhaps mean a listed PLC when you refer to turnover requirements. If so, then we talk about different things. Of course, if you really meant 'Limited Company' rather than PLC (think about that turnover limit again), then you can be gone as soon as the investments roll in. And I never thought that of you, so what *really* is the master plan here? I'm interested as an investor, simply to hedge my moderate FPGA investments... most of my savings  Hey, high risk, high reward.... No, I do not mix private and public, plc and ltd, (they are both limited) , I founded quite a few of ltd's and do know the difference. However, plv vs ltd matter is being discussed behind the closed doors and there are good arguments for both routes. EDIT: Catfish, I have one question for you. Do you think that Bitcoin mining will be confined to the "garage" stage forever? |
|
|
|
Will there be an opportunity for small time investors to get in on this?
We are talking with legal bods about this. This is our goal to allow "small time investors" in. At this stage it is not possible. We are in talks with a number of "funds" some of which are considering using GLBSE. We will do what we can to allow small investors to participate, but it is neither simple nor quick process. |
|
|
|
|
Show Posts
