Bitcoin Forum
Author Topic: Best practices for exchange / website operators?  (Read 616 times)
kasimir (OP)
Newbie
September 09, 2012, 02:51:34 PM
 #1

Given the recent string of cold/hot wallets not being implemented correctly resulting in massive losses for all sorts of websites, is there a best-practices guide or something for exchange / website operators?  Something maybe with a formal analysis behind it demonstrating some degree of correctness?  It seems like if some group put something like this together, and people actually followed it, the overall bitcoin community could raise the bar significantly for the attackers.

I mean something like: statistical methods for determining when to halt upon suspicious transactions, architecture for crypto systems and placement of the cold / hot wallets, Linux / BSD lock-down techniques for the cold wallet server, to keep away from VPS / non-dedicated servers for the cold wallet, protocol description for cold wallet interactions, etc.  It really doesn't seem like these should be trade secrets!

I haven't done a literature search to see what's out there, so I'd love to hear if such an article exists :)  If not, I think it would be good for people who really know their stuff to put something like this together.
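The "statistical methods for determining when to halt upon suspicious transactions" item in the post above, as an added example that is not code from the original post or from any of the proposals linked in this thread: a hot-wallet circuit breaker in Python that combines fixed caps (per withdrawal, per-window total, per-window count) with a trailing z-score test, and refuses to sign anything further once any rule fires. The `Withdrawal` record, every threshold, and both sample withdrawal sequences are constructed for illustration; a real deployment would tune the caps to its own hot-wallet float.

```python
"""Hot-wallet withdrawal circuit breaker (added example; thresholds and data constructed)."""
from collections import deque
from dataclasses import dataclass, field
import statistics


@dataclass
class Withdrawal:
    ts: int       # unix seconds
    btc: float
    dest: str     # destination address; placeholder strings in the scenarios below


@dataclass
class HotWalletBreaker:
    """Refuses to sign once any rule fires; stays halted until reset() by an operator."""
    max_single_btc: float = 5.0      # hard cap on one withdrawal (constructed)
    max_window_btc: float = 20.0     # cap on total paid out per window (constructed)
    max_window_count: int = 50       # cap on number of withdrawals per window (constructed)
    window_secs: int = 3600
    z_threshold: float = 4.0         # amount more than 4 sigma above the trailing mean
    min_history: int = 20            # no z-test until this many samples are on record
    history: deque = field(default_factory=lambda: deque(maxlen=500))  # trailing amounts
    recent: deque = field(default_factory=deque)                       # withdrawals in window
    tripped: bool = False
    reason: str = ""

    def _trip(self, reason: str):
        self.tripped, self.reason = True, reason
        return False, reason

    def reset(self):
        """Manual operator action: the only way out of the halted state."""
        self.tripped, self.reason = False, ""

    def check(self, w: Withdrawal):
        """Return (allowed, reason). State is updated only for allowed withdrawals."""
        if self.tripped:
            return False, "halted: " + self.reason
        if w.btc <= 0:
            return self._trip(f"non-positive amount {w.btc}")
        if w.btc > self.max_single_btc:
            return self._trip(f"single withdrawal {w.btc} BTC exceeds cap {self.max_single_btc}")
        # drop window entries older than window_secs relative to this request
        while self.recent and w.ts - self.recent[0].ts > self.window_secs:
            self.recent.popleft()
        total = sum(x.btc for x in self.recent) + w.btc
        if total > self.max_window_btc:
            return self._trip(f"window total {total:.2f} BTC exceeds cap {self.max_window_btc}")
        if len(self.recent) + 1 > self.max_window_count:
            return self._trip(f"window count {len(self.recent) + 1} exceeds cap {self.max_window_count}")
        if len(self.history) >= self.min_history:
            amounts = [x.btc for x in self.history]
            mean, sd = statistics.fmean(amounts), statistics.pstdev(amounts)
            # sd == 0 (all identical history) would divide by zero; the caps above still apply
            if sd > 0 and (w.btc - mean) / sd > self.z_threshold:
                return self._trip(
                    f"z-score {(w.btc - mean) / sd:.1f} for {w.btc} BTC exceeds {self.z_threshold}")
        self.recent.append(w)
        self.history.append(w)
        return True, "ok"


def simulate(withdrawals):
    """Run a fresh breaker over a sequence; returns (breaker, [(allowed, reason), ...])."""
    b = HotWalletBreaker()
    return b, [b.check(w) for w in withdrawals]


def spike_scenario():
    """Constructed: 25 routine withdrawals (0.1/0.2/0.3 BTC), then a 3 BTC request that is
    under the per-tx cap but roughly 34 sigma above the routine mean, then one more routine one."""
    ws = [Withdrawal(1000 + 60 * i, 0.1 + (i % 3) * 0.1, f"addr{i}") for i in range(25)]
    ws.append(Withdrawal(1000 + 60 * 25, 3.0, "addrX"))
    ws.append(Withdrawal(1000 + 60 * 26, 0.2, "addr26"))
    return simulate(ws)


def drip_scenario():
    """Constructed: 60 identical 0.3 BTC withdrawals 30 s apart. The z-test cannot fire
    (zero variance), so the per-window count cap is what halts the drain."""
    ws = [Withdrawal(1000 + 30 * i, 0.3, f"addr{i}") for i in range(60)]
    return simulate(ws)


if __name__ == "__main__":
    for name, scenario in (("spike", spike_scenario), ("drip", drip_scenario)):
        breaker, results = scenario()
        print(name, "tripped:", breaker.tripped, "reason:", breaker.reason)
```

The two scenarios show why the statistical test and the hard caps sit side by side: a single outsized request trips the z-score long before it reaches the per-transaction cap, while a slow drain of identical small amounts never moves the z-score at all and is only stopped by the window count or window total. Once tripped, nothing is signed until an operator calls `reset()`, which is the "halt" the post asks for; an automated un-halt would hand the attacker a retry loop.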
Stephen Gornick
Legendary
September 09, 2012, 03:11:11 PM
Last edit: September 09, 2012, 04:25:41 PM by Stephen Gornick
 #2

Quote from: kasimir on September 09, 2012, 02:51:34 PM
is there a best-practices guide or something for exchange / website operators?

Well, not any statistical methods but some relevant sources of information:

 - http://bitcoinarmory.com/index.php/using-offline-wallets-in-armory
 - http://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet

 Improving Offline Wallets (i.e. cold-storage)
 - http://bitcointalk.org/index.php?topic=68482.0


Well, technically, this would be a statistic:

Quote
Bitcoins Stolen From Me In My Lifetime: 0   - Casascius

Handle a Wasp and you will not get stung! Practice Safe Bitcoin
 - http://bitcointalk.org/index.php?topic=105824.0



Other related:

Two-person cold storage using the raw transactions API
 - http://bitcointalk.org/index.php?topic=94959.0

Proposal for safe blockchain storage pools (for exchanges, using multisig)
 - http://bitcointalk.org/index.php?topic=96391.0

Proposal for Security Standards for Bitcoin Exchanges
 - http://bitcointalk.org/index.php?topic=95745.0

Double signed wallet with a patternlock
 - http://bitcointalk.org/index.php?topic=107074.0

Secure Transaction Handling for an Exchange
 - http://bitcointalk.org/index.php?topic=106420.0

[Edit: edited list of links.]


kasimir (OP)
Newbie
September 09, 2012, 03:20:04 PM
 #3

The last link seems the most promising, but I'm really thinking about something that has a lot more theory / analysis behind it.  I guess I'm more familiar with a technical report / academic paper style, but I mean something that a group of people spend 3-6 months researching, culminating in a "best practices" paper or report.  It would probably be something around 30 pages long...

(The last link (the only remotely applicable one), for example, doesn't even make sense from the first point: an AES-256 key being generated from a "salt" just shows a lack of understanding of crypto.)

Edit: Things changed since I started writing this!  When I say "last post", I'm referencing "Secure Transaction Handling for an Exchange".  The post "Proposal for Security Standards for Bitcoin Exchanges" has the same issues.

Edit:  Thanks for this collection of links!  Certainly answers my question about what's out there well :)  I still feel there's a need for such a report.  Is anyone interested / think this would be helpful as well?
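On the salt point raised in the post above, as an added example that is not code from the original post or from the linked proposals (only the post's one-line description of that proposal is on this page, so `weak_key_from_salt` is a constructed illustration of the general mistake, not a transcription of it): deriving a wallet's AES-256 key with Python's standard library. The salt is stored in the clear and is not a secret; the secret is the passphrase, the key is PBKDF2-HMAC-SHA256 over both, and HKDF-Expand splits the one derived master key into separate encryption and MAC keys. The function names, the HKDF labels, the 600,000 iteration count and the sample passphrases are assumptions; the HKDF known-answer values are RFC 5869 test case 1.

```python
"""Wallet key derivation: salt is public, passphrase is the secret (added example)."""
import hashlib
import hmac
import os


def weak_key_from_salt(salt: bytes) -> bytes:
    """Constructed anti-pattern: the 'key' depends only on the stored salt.
    Whoever reads the salt off disk recomputes the key; no secret is involved."""
    return hashlib.sha256(salt).digest()


def new_salt() -> bytes:
    """Per-wallet random salt, stored next to the ciphertext in the clear."""
    return os.urandom(16)


def derive_key(passphrase: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """32-byte AES-256 key from a secret passphrase plus a public salt via PBKDF2-HMAC-SHA256.
    The salt stops precomputed tables and makes equal passphrases yield unequal keys;
    the iteration count (an assumed value) is what slows a guessing attack."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), OKM = T(1) || T(2) ..."""
    hlen = hashlib.new(hash_name).digest_size
    if length > 255 * hlen:
        raise ValueError("requested length too large for HKDF-Expand")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_rfc5869_selfcheck() -> bool:
    """Known-answer test (RFC 5869 test case 1) to run before trusting the KDF code."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def setup_wallet_keys(passphrase: bytes, salt: bytes = None, iterations: int = 600_000) -> dict:
    """Derive one master key, then split it into distinct encryption and MAC keys so the
    same key is never used for both. PBKDF2 output is already uniform, so it serves as the
    PRK directly; the labels are assumed names, not a standard."""
    salt = salt if salt is not None else new_salt()
    master = derive_key(passphrase, salt, iterations)
    return {
        "salt": salt,                                        # stored in the clear
        "enc_key": hkdf_expand(master, b"wallet-aes256-key", 32),
        "mac_key": hkdf_expand(master, b"wallet-hmac-key", 32),
    }


def demo(iterations: int = 600_000) -> dict:
    """Constructed comparison of the anti-pattern with the proper derivation."""
    salt = new_salt()
    stolen_salt = bytes(salt)                # what an attacker reads from the wallet file
    good = derive_key(b"correct horse battery staple", salt, iterations)
    keys = setup_wallet_keys(b"correct horse battery staple", salt, iterations)
    return {
        "weak_key_recomputed_by_attacker": hashlib.sha256(stolen_salt).digest() == weak_key_from_salt(salt),
        "wrong_passphrase_gives_other_key": derive_key(b"wrong passphrase", salt, iterations) != good,
        "other_salt_gives_other_key": derive_key(b"correct horse battery staple", new_salt(), iterations) != good,
        "same_inputs_are_deterministic": derive_key(b"correct horse battery staple", salt, iterations) == good,
        "enc_and_mac_keys_differ": keys["enc_key"] != keys["mac_key"] and len(keys["enc_key"]) == 32,
    }


if __name__ == "__main__":
    print("HKDF self-check:", hkdf_rfc5869_selfcheck())
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salt's job is to make two wallets with the same passphrase produce different keys and to defeat precomputed tables; it protects nothing on its own, which is why it can sit unencrypted beside the ciphertext. Everything that actually has to stay secret is the passphrase (or, for a server-side hot wallet, a master key that is itself generated from `os.urandom` and kept off the web tier).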