Bitcoin Forum
Author Topic: Building a trading bot for the "trust no-one" guys. (Read 3245 times)
advanced (OP)
April 22, 2013, 07:56:31 AM
Last edit: April 24, 2013, 08:26:48 AM by advanced
#1

Hi everybody,
Some time ago I released a node.js online bot for buying/selling BTC when the price changes.

As I received good (and bad) feedback, I'm currently working to build a better bot for the "trust no-one" kind of traders.
I'm one of those guys ;) I'd never give my API keys away to someone else.

This time I can't distribute the source code (this is not negotiable :( ).
Therefore the topic becomes non-trivial. I know it's not feasible to get full trust without seeing the code, but optimising the trust level within these boundaries is still a mind-challenging problem.
I don't want you to trust me, I just want you to feel safe enough to use the application. Here is what I have now:

  • Anonymous: no registration needed whatsoever.
  • Offline: you need to download an application that runs locally. You will never give me your API keys; they will be stored locally on your machine.
  • It comes with a firewall: for the paranoid guys, I'm distributing the application with a third-party firewall (ipchains script, Little Snitch, etc.), pre-configured to block all outgoing connections of my application towards websites other than mtgox, btc-e, and others. ;)
  • Community tested: I'm currently recruiting beta-testers from the community. I give them access to the source code. (Get in touch if you want to be one of them - PM me.) I will let them perform network traffic tests to see that the traffic is only directed to mtgox.
  • Gox API v2: uses the new and better-designed version of the mtgox APIs to minimize risks related to resource saturation.
  • I'm considering getting some other sort of certification. http://www.truste.com/?

EDIT: Ideas from this discussion

  • Proof of my real identity: the application will come with a proof of my real identity.
  • Outgoing traffic tested by the community at the network layer: when released, the application will have to go through an open contest. I'll offer 1000 BTC to people able to spot any connection going somewhere other than data.mtgox.com. Use sniffers, or whatever you want.
  • Binaries distributed by someone else: I will recruit 10 members of the community from this thread to independently review the source code, compile it on their own machines, compute the md5 checksum and send the application to me. I will then distribute those binaries together with the md5 checksum.
  • You name it: <there is still space>

Since you will be among the early adopters (and many of you already wrote your own trading bot), I'm here to ask you to help me make you feel safe.

What else would you like to have to feel safer?

Nicolò.

Bitmessage : BM-NAx31aEiqeq5zKUtxhKscXQ7Dwn1jJfR
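The "binaries distributed by someone else" idea above, as an added example that is not code from the thread or from the bot it describes: independent builders each compile and hash the source, and a release is accepted only when all of their digests agree with each other and with the file actually being handed out. It assumes SHA-256 in place of the MD5 named in the post, and the builder names and sample artifacts are constructed.

```python
"""Accept a distributed binary only when independent builders agree on it.

Added example, not code from the thread or from the bot it describes. It
models the scheme in post #1: community members compile the source on
their own machines, hash the result, and the binary being handed out is
accepted only if every report matches it. SHA-256 is used in place of the
MD5 the thread names because MD5 collisions are practical; builder names
and the sample artifacts are constructed for the demonstration.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BuilderReport:
    builder: str  # constructed name of the community member who built it
    sha256: str   # hex digest of the binary their own build produced


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release(binary: bytes, reports, min_builders: int = 3) -> Verdict:
    """Reject unless enough builders reported, they all agree with each
    other, and the binary actually being distributed matches them."""
    reasons = []
    if len(reports) < min_builders:
        reasons.append(f"only {len(reports)} builder report(s), need at least {min_builders}")
    counts = Counter(r.sha256 for r in reports)
    if len(counts) > 1:
        # Disagreement means the build is not reproducible or the builders
        # did not all get the same source; either way nothing is trusted yet.
        consensus = counts.most_common(1)[0][0]
        dissent = sorted(r.builder for r in reports if r.sha256 != consensus)
        reasons.append("builders disagree with each other: " + ", ".join(dissent))
    if reports and sha256_hex(binary) not in counts:
        reasons.append("distributed binary matches none of the builder digests")
    return Verdict(accepted=not reasons, reasons=reasons)


# Constructed sample: the "binary" is just bytes standing in for a real build.
GOOD_BUILD = b"tradingbot-1.0 constructed sample binary"
TAMPERED_BUILD = GOOD_BUILD + b"\x00 extra bytes added after the builds"
REPORTS = [BuilderReport(name, sha256_hex(GOOD_BUILD)) for name in ("alice", "bob", "carol")]

if __name__ == "__main__":
    for label, blob in (("good", GOOD_BUILD), ("tampered", TAMPERED_BUILD)):
        v = verify_release(blob, REPORTS)
        print(label, "accepted" if v.accepted else "rejected", v.reasons)
```

The digests must reach the user from each builder directly (for instance signed by them), otherwise whoever distributes the binary can replace the checksums along with it.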
daybyter
April 22, 2013, 07:47:01 PM
#2

It has to be javascript? We are working on a java lib for trading...

Malawi
April 22, 2013, 09:58:16 PM
#3

> It has to be javascript? We are working on a java lib for trading...

Java is inherently unsecure

BitCoin is NOT a pyramid - it's a pagoda.
advanced (OP)
April 23, 2013, 06:26:33 AM
#4

> It has to be javascript? We are working on a java lib for trading...

Nope, indeed it is Java(FX).

advanced (OP)
April 23, 2013, 06:29:36 AM
#5

> > It has to be javascript? We are working on a java lib for trading...
>
> Java is inherently unsecure

Hi Malawi, what do you mean by "inherently unsecure"? I think that security is barely a property of a language itself. Some languages are more fault-prone than others; however, I think this is not the case for Java. Could you provide some reference?

You can write 'secure' code or 'unsecure' code in pretty much whatever comes to mind ;)

So you wouldn't use a bot only because of the language it is written in?

bezzeb
April 23, 2013, 07:07:36 AM
#6

> > > It has to be javascript? We are working on a java lib for trading...
> >
> > Java is inherently unsecure
>
> Hi Malawi, what do you mean by "inherently unsecure"? I think that security is barely a property of a language itself. Some languages are more fault-prone than others; however, I think this is not the case for Java. Could you provide some reference?
>
> You can write 'secure' code or 'unsecure' code in pretty much whatever comes to mind ;)
>
> So you wouldn't use a bot only because of the language it is written in?

I think Malawi is confusing browser context with local application context. Common misunderstanding amongst the lay public.

To those who don't know:
1. Java in a browser is hard (as is anything in a browser) because one must keep it contained in the browser to prevent it from gaining local execution rights on your machine. This is the security headache Oracle (and much of the world) is now fighting, to prevent the act of simply visiting a website from installing evil local software on your machine.

2. If you are running a program on your local computer written in Java (*or any language*), it already can erase your hard drive if it wants to. So like ANY program: make sure you trust it before running it. To do otherwise is unsanitary and you shouldn't be surprised if you catch e-diseases.

And this brings me to you, Mr Advanced: without open source code, there's no way you can be trusted unless I knew you on a personal level somehow. It would be completely trivial to write a line of code to transmit a user's private API keys (or keyboard capture logs of banking passwords, or, or, or....) off to a server I owned. And excluding data collection, it really would be one line of code if I didn't want to add a few lines to help make sure the transmission worked or to have fail-over destinations or encryption and so forth. Heck, stolen data is very valuable - might be worth 10 lines to make sure the transmission was reliable. Firewall? Please, it won't stop transmissions. (Though some malware sets up firewalls to keep other bad guys out. lol)

I'm not saying you are a bad guy - on the contrary! The odds dictate that you're probably a very nice, trustworthy person. But let's be real. If I run any code and the source isn't open, then it inherently cannot be fully trusted. And not just for evil code - how about buggy and crashy and awful code? And now I'm speaking to you, Microsoft and Apple!!! :D
advanced (OP)
April 23, 2013, 08:44:51 AM
#7

> And this brings me to you, Mr Advanced: without open source code, there's no way you can be trusted unless I knew you on a personal level somehow. It would be completely trivial to write a line of code to transmit a user's private API keys (or keyboard capture logs of banking passwords, or, or, or....) off to a server I owned. And excluding data collection, it really would be one line of code if I didn't want to add a few lines to help make sure the transmission worked or to have fail-over destinations or encryption and so forth. Heck, stolen data is very valuable - might be worth 10 lines to make sure the transmission was reliable. Firewall? Please, it won't stop transmissions. (Though some malware sets up firewalls to keep other bad guys out. lol)
>
> I'm not saying you are a bad guy - on the contrary! The odds dictate that you're probably a very nice, trustworthy person. But let's be real. If I run any code and the source isn't open, then it inherently cannot be fully trusted. And not just for evil code - how about buggy and crashy and awful code? And now I'm speaking to you, Microsoft and Apple!!! :D

Hi Mr. bezzeb, loving hearing from you ;)

Totally agree on every single word. The ideal is open source, but let's try to engineer some smart-ass solution without distributing the code.

I knew mine was a non-trivial question (indeed you are the first answering it after more than 26h of uptime) ;) I'm looking forward to hearing some smart ideas from some of you. I want to open my source to some of you to validate it. I will let you compile it, sign it, PGP it, and whatever it takes to make the others feel confident.

People that can write malicious code to go around firewalls can write their own bot. They are not my target users. Why would they? ;) But I already have 20 BTC owners (techie people who can't write code themselves) pushing me every single day to give them the bot I'm using, and I know personally only half of them.
I want to provide them (and other users) the best possible level of trust without giving away code they can't even understand.

I would love to hear some smart-ass solution to make it as safe as possible without distributing the code in the wild. I guess it involves trusted third parties, but I can't figure out how.

;)

PS: I'm not malicious enough to know how to go around a well-configured system firewall preventing me from transmitting any data outside of localhost. Enlighten me (or not) if you want!

PPS: This will be a lot easier if freaking mtg and others allow third-party applications. In that case I'm not storing your keys, I need to be validated by the mtg authority, and all the problems would be solved. I asked mtgox about it: the answer? "No ETA". Let's try to figure something out in the meantime.

daybyter
April 23, 2013, 09:08:31 AM
#8

Why not sell a trading strategy for an existing tradebot?

🏰 TradeFortress 🏰
April 23, 2013, 09:52:07 AM
#9

Firewalls won't help! You could do some clever thing such as modify the cache of a browser to make it pass your API keys to your site when next opened. Inject into another process. Etc etc. There's tons of possibilities.

Source code or GTFO. Seriously, I'm not trusting anything I don't build from source, especially when it involves thousands of dollars.
advanced (OP)
April 23, 2013, 09:52:53 AM
#10

> Why not sell a trading strategy for an existing tradebot?

That's a good idea and this is why I'm making the strategy exportable in json/xml files ;) Up!

advanced (OP)
April 23, 2013, 09:56:59 AM
#11

> Firewalls won't help! You could do some clever thing such as modify the cache of a browser to make it pass your API keys to your site when next opened. Inject into another process. Etc etc. There's tons of possibilities.
>
> Source code or GTFO. Seriously, I'm not trusting anything I don't build from source, especially when it involves thousands of dollars.

Thanks for the feedback TradeFortress, I will consider getting TFO. However I'm not forcing you (nor anybody else) to use it. I totally understand your point of view. If you have something else to add on the topic help me out!

PS: since you care so much about security, why would you be logged in as root on an Ubuntu machine? ;)

Sincerely, Nicolò

advanced (OP)
April 23, 2013, 10:22:57 AM
#12

You don't trust firewalls. Ok, it makes sense to a certain degree.
Let's try to add some layers to the security and see if you'd change your attitude:

  • What if 10 independent members of the community get paid to analyse outgoing traffic using tools to sniff the packets going in and out of the network interface? (Wireshark et al.)
  • What if I make an open contest with a 1000 BTC prize for those of you who find something which is not from/to data.mtgox.com?
    Would you trust the bot after some power-nerd spends many hours around it? (Do you think I could get around the network interface? Maybe with some pigeon I could deliver some coins at my door in paper-wallet format ;) )
  • What if I distribute the source code to, say, 10 third-party entities (someone really paranoid with their coins) who check it, approve it, compile it on their machines while creating an MD5 signature, and then I distribute those binaries?

Can't really think about anything else at the moment, but I hope you got the idea.

Would you 'trust' it then? I mean, I don't care about ALL the community. It's ok to be diffident (I keep my coins offline in the stomach of a giant whale). I just want to see if there is something I can do to convince some "trust-no-one" dude out there.

C'mon ;)

Nonetheless this is a fun mental experiment, isn't it?

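The network-layer test proposed in post #1 and in the bullets above, as an added example that is not code from the thread or from the bot it describes: a checker over a connection summary (such as one exported from a packet capture) that flags anything the bot process sends to a destination other than data.mtgox.com, including DNS lookups for other names and connections whose address was never resolved for the claimed name. The line format, the process name "tradingbot" and all addresses are constructed.

```python
"""Flag any connection of the bot process that leaves the allowlist.

Added example, not code from the thread or from the bot it describes. It
implements the check proposed in posts #1 and #12 (every connection of
the bot must go to data.mtgox.com) over a connection summary such as one
exported from a packet capture. The line format, the process name
'tradingbot' and all addresses below are constructed for the demonstration.
"""
from collections import defaultdict

# Allowlist from the thread: the bot may only talk to data.mtgox.com over HTTPS.
ALLOWED = {"data.mtgox.com": {443}}
WATCHED_PROCS = {"tradingbot"}

# Constructed sample: one record per DNS answer or TCP connection.
SAMPLE_LOG = """\
2013-04-23T10:22:57Z proc=tradingbot proto=dns qname=data.mtgox.com answer=203.0.113.10
2013-04-23T10:22:58Z proc=tradingbot proto=tcp dst=203.0.113.10:443 sni=data.mtgox.com
2013-04-23T10:23:05Z proc=tradingbot proto=dns qname=updates.example.net answer=198.51.100.7
2013-04-23T10:23:06Z proc=tradingbot proto=tcp dst=198.51.100.7:443 sni=updates.example.net
2013-04-23T10:23:10Z proc=tradingbot proto=tcp dst=192.0.2.44:443 sni=data.mtgox.com
2013-04-23T10:23:11Z proc=tradingbot proto=tcp dst=203.0.113.10:8080 sni=data.mtgox.com
2013-04-23T10:23:12Z proc=firefox proto=tcp dst=203.0.113.99:443 sni=bitcointalk.org
"""


def parse(line: str) -> dict:
    """'ts k=v k=v ...' -> {'ts': ts, k: v, ...}"""
    ts, *tokens = line.split()
    rec = {"ts": ts}
    for token in tokens:
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def check(lines, allowed=ALLOWED, watched=WATCHED_PROCS):
    """Return (timestamp, reason) for every record that breaks the policy."""
    resolved = defaultdict(set)  # allowed name -> addresses DNS returned for it
    findings = []
    for line in lines:
        rec = parse(line)
        if rec.get("proc") not in watched:
            continue  # other programs are outside the scope of the test
        if rec["proto"] == "dns":
            # DNS is traffic too: the names the bot asks for are a channel of
            # their own, so a lookup outside the allowlist is a finding.
            if rec["qname"] in allowed:
                resolved[rec["qname"]].add(rec["answer"])
            else:
                findings.append((rec["ts"], f"DNS lookup for non-allowlisted name {rec['qname']}"))
        elif rec["proto"] == "tcp":
            ip, _, port = rec["dst"].rpartition(":")
            sni = rec.get("sni", "-")
            if sni not in allowed:
                findings.append((rec["ts"], f"connection to {ip}:{port} for {sni!r} is not allowlisted"))
            elif int(port) not in allowed[sni]:
                findings.append((rec["ts"], f"{sni} contacted on unexpected port {port}"))
            elif ip not in resolved[sni]:
                # The name is fine but this address was never returned for it:
                # a TLS server name does not vouch for where the bytes go.
                findings.append((rec["ts"], f"{sni} claimed, but {ip} was never resolved for it"))
    return findings


if __name__ == "__main__":
    for ts, reason in check(SAMPLE_LOG.splitlines()):
        print(ts, reason)
```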
joshki
April 23, 2013, 10:25:20 AM
#13

You cannot do what you wish to do.

If the application is closed source, it will not be trusted.  That's the bottom line.

Publish your source or live with it.
advanced (OP)
April 23, 2013, 10:30:49 AM
#14

> If the application is closed source, it will not be trusted. That's the bottom line.

Hi joshki. I agree with you as long as you define what it means to be 'trusted'.

There are several (thousands of) levels of 'trust'. I already admitted that this is not trivial and the trust in the application is bounded by this closed-source constraint. I want to see how far I can push trust within the boundaries of the problem space.

Thank you for the feedback, it made me realize I need to edit the first post.

Zedster
April 23, 2013, 10:32:12 AM
#15

OK, I am one of the "trust no-one" guys, but I am also not a coder and would like a trading bot. There must be some service that certifies software that can be trusted, isn't there? Like I say, I have no idea. I don't understand why people don't write botnet-killing anti-virus viruses, for example. So I am pretty clueless. I guess only bad things can be coded.

One more question. Would you consider writing a bot for something besides the Magic: The Gathering of Incompetents exchange? BTC-e for LTC (read cheapo) traders?
joshki
April 23, 2013, 10:37:37 AM
#16

> > If the application is closed source, it will not be trusted. That's the bottom line.
>
> Hi joshki. I agree with you as long as you define what it means to be 'trusted'.
>
> There are several (thousands of) levels of 'trust'. I already admitted that this is not trivial and the trust in the application is bounded by this closed-source constraint. I want to see how far I can push trust within the boundaries of the problem space.

The problem is this.  Nobody knows who you are.  Nobody knows who the developers of *most* open source software are -- but we can open the source code and review it, and eventually enough people have done that to give that software some level of trust from the community.

With commercial software, if Microsoft does something bad with their software, everybody knows who they are, and they have some level of trust based on who they are, and the consequences if they do something they shouldn't.

You're a guy posting on an internet board.  If you want trust from this kind of community, you have little option other than to open your source.
advanced (OP)
April 23, 2013, 10:38:09 AM
#17

> OK, I am one of the "trust no-one" guys, but I am also not a coder and would like a trading bot. There must be some service that certifies software that can be trusted, isn't there? Like I say, I have no idea. I don't understand why people don't write botnet-killing anti-virus viruses, for example. So I am pretty clueless. I guess only bad things can be coded.

Hi Zedster, nice to meet you!

Yes, you can definitely have someone test and certify your application. I used to work in an online gambling company. Back then, we had to comply with several certifications (that can cost up to some hundreds of thousands $/€). I want to see what it is that people actually trust... For instance, I am reading up on truste.com, but I want to hear from the community first. As you can see the paranoia level is quite high, and with reason.

> Would you consider writing a bot for something besides the Magic: The Gathering of Incompetents exchange? BTC-e for LTC (read cheapo) traders?
I'm on it. Would you be interested in trying it out?

advanced (OP)
April 23, 2013, 10:47:55 AM
#18

> The problem is this. Nobody knows who you are.

Interesting.

Does it imply that you'd trust using my application if you knew who I am?
In this case, what do you need to know?
What if I attach to the bin files a folder with my ID, CV, address, certificate of residence? Is that enough?
Maybe we should hang out quite a bit before you can use my application. A beer? ;)


Let me give you an example: I'm on couchsurfing. Couchsurfing is an online board, just like this one. Despite this, more than 2 million people are sleeping in each other's houses for free. I constantly host people, mostly strangers. I trust them after I read their references. This forum kind of misses the feedback system of CS, and I'm searching for an alternative to it. ;) I can't have a beer with every one of you...
So, here I am, asking you what it takes to 'trust' me, in a software-developer kind of way.

joshki
April 23, 2013, 10:52:33 AM
#19

> > The problem is this. Nobody knows who you are.
>
> Interesting.
>
> Does it imply that you'd trust using my application if you knew who I am?
> In this case, what do you need to know?
> What if I attach to the bin files a folder with my ID, CV, address, certificate of residence? Is that enough?
> Maybe we should hang out quite a bit before you can use my application. A beer? ;)
>
> Let me give you an example: I'm on couchsurfing. Couchsurfing is an online board, just like this one. Despite this, more than 2 million people are sleeping in each other's houses for free. I constantly host people, mostly strangers. I trust them after I read their references. This forum kind of misses the feedback system of CS, and I'm searching for an alternative to it. ;) I can't have a beer with every one of you... so, here I am, asking you what it'd take to 'trust' me.


Yeah, the problem with the couchsurfing thing is that even if someone has some good references, I can't know that they're not just looking for the right opportunity to do something they shouldn't.  Same thing with knowing who you are -- it takes more than just reading your CV or something like that -- you have to have enough actual knowledge about someone and trust that they don't have ulterior motives.

The possibility for abuse with something like this is so high that it's unlikely you're going to convince people to trust code they can't see.
advanced (OP)
April 23, 2013, 11:06:13 AM
Last edit: April 23, 2013, 11:42:54 AM by advanced
#20

> > > The problem is this. Nobody knows who you are.
> >
> > Interesting.
> >
> > Does it imply that you'd trust using my application if you knew who I am?
> > In this case, what do you need to know?
> > What if I attach to the bin files a folder with my ID, CV, address, certificate of residence? Is that enough?
> > Maybe we should hang out quite a bit before you can use my application. A beer? ;)
> >
> > Let me give you an example: I'm on couchsurfing. Couchsurfing is an online board, just like this one. Despite this, more than 2 million people are sleeping in each other's houses for free. I constantly host people, mostly strangers. I trust them after I read their references. This forum kind of misses the feedback system of CS, and I'm searching for an alternative to it. ;) I can't have a beer with every one of you... so, here I am, asking you what it'd take to 'trust' me.
>
> Yeah, the problem with the couchsurfing thing is that even if someone has some good references, I can't know that they're not just looking for the right opportunity to do something they shouldn't. Same thing with knowing who you are -- it takes more than just reading your CV or something like that -- you have to have enough actual knowledge about someone and trust that they don't have ulterior motives.
>
> The possibility for abuse with something like this is so high that it's unlikely you're going to convince people to trust code they can't see.

I see.

The CS was only an example to say that here we don't have anything like karma (HN or Reddit style). Whether those approaches work is an open topic. However, here the 'number of posts' doesn't tell me anything about trustworthiness. As I said before, the target users I want to reach cannot even understand how to test source code. And the ones who have the time/skills to search deep through my code looking for obfuscated malicious code could write their own bot. Or test mine using Wireshark etc. Some people can make a malicious open-source application and it'd take months for a community to spot it, i.e. http://www.ioccc.org/2000/anderson.c (unless it is a piece of software with much interest in it).
