M4v3R
June 20, 2011, 07:54:56 AM

Does BitMarket.eu (because it doesn't have money deposits) count?
Ian Maxwell
June 20, 2011, 07:56:13 AM

I'm interested in developing a secure exchange platform. Not so sure what you mean by private---is it just that there's no public record of deposits/withdrawals/trades?
I think the stored-password-hash system is ultimately not secure enough for something like this. What I'd like to build is a stored-public-key system something like that for the #bitcoin-otc web of trust. A client sending a command to the exchange server would timestamp it and sign it with his public key, and the server would verify the signature before carrying out the command. I see no theoretical barrier to implementing this in Javascript so that, to the user, it looks just like entering a password at any other site---but it sounds hard, and you'd have to figure out where to store the private key on the client's end. Building a standalone client application that calls GPG for the signing would be easier but probably less used.
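The sign-and-verify flow sketched in the post above, as an added Go example that is not code from this thread or from any exchange: the client timestamps a command and signs it, and the server looks up the account's stored public key and verifies the signature before acting. The wire format, field names and the 30-second skew window are assumptions, and the replay cache is an addition the post does not mention, since a signed timestamp alone still lets an intercepted command be resubmitted inside the window.

```go
package main
import (
	"crypto/ed25519"
	"fmt"
	"time"
)
// SignedCommand is the hypothetical wire message assumed for this example: the
// command, a client timestamp (Unix seconds) and an Ed25519 signature over both.
type SignedCommand struct {
	Account, Command string
	Timestamp        int64
	Signature        []byte
}
// signingBytes binds account, command and timestamp into the signed string, so a
// signature cannot be moved to another account or presented at another time.
func signingBytes(account, command string, ts int64) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%d", account, command, ts))
}
// SignCommand is the client side: timestamp the command, then sign with the private key.
func SignCommand(priv ed25519.PrivateKey, account, command string, now time.Time) SignedCommand {
	ts := now.Unix()
	sig := ed25519.Sign(priv, signingBytes(account, command, ts))
	return SignedCommand{Account: account, Command: command, Timestamp: ts, Signature: sig}
}
var (
	ErrBadSignature = fmt.Errorf("unknown account or signature does not verify")
	ErrStale        = fmt.Errorf("timestamp outside the allowed window")
	ErrReplay       = fmt.Errorf("command already executed")
)
// Server stores public keys instead of password hashes, a clock-skew window, and the
// signatures already executed (caller initialises Seen; prune entries older than Window).
type Server struct {
	Keys   map[string]ed25519.PublicKey
	Window time.Duration
	Seen   map[string]bool
}
// Verify runs every check that must pass before the command is executed.
func (s *Server) Verify(c SignedCommand, now time.Time) error {
	if pub, ok := s.Keys[c.Account]; !ok || !ed25519.Verify(pub, signingBytes(c.Account, c.Command, c.Timestamp), c.Signature) {
		return ErrBadSignature
	}
	if d := now.Sub(time.Unix(c.Timestamp, 0)); d < -s.Window || d > s.Window {
		return ErrStale
	}
	if s.Seen[string(c.Signature)] {
		return ErrReplay
	}
	s.Seen[string(c.Signature)] = true
	return nil
}
```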
marcus_of_augustus (OP)
Legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
June 20, 2011, 08:17:50 AM

> Does BitMarket.eu (because it doesn't have money deposits) count?

Not sure ... are you suggesting we request lulzSec to run a 'test' on Bitmarket.eu? What are BitMarket.eu's privacy and security policies on storing customer records, transaction records, etc.? If an attacker was to infiltrate and publish records, would it lead to a compromised security situation or embarrassment of clients using it?
JTaBitCoinKing
Newbie
Activity: 28
Merit: 1
June 20, 2011, 10:20:22 AM

Didn't Lulzsex just admit to being behind the attack at MTGox? I think they just admitted it on their Twitter; hacktivism for Silk Road no doubt, but they probably won't admit that.
I wonder if they really are messing with the FBI like they say they are? Or is that just social engineering?
fellowtraveler
June 20, 2011, 05:18:20 PM

> I'm interested in developing a secure exchange platform. Not so sure what you mean by private---is it just that there's no public record of deposits/withdrawals/trades?
> I think the stored-password-hash system is ultimately not secure enough for something like this. What I'd like to build is a stored-public-key system something like that for the #bitcoin-otc web of trust. A client sending a command to the exchange server would timestamp it and sign it with his public key, and the server would verify the signature before carrying out the command. I see no theoretical barrier to implementing this in Javascript so that, to the user, it looks just like entering a password at any other site---but it sounds hard, and you'd have to figure out where to store the private key on the client's end. Building a standalone client application that calls GPG for the signing would be easier but probably less used.

I recommend you start with my API: https://github.com/FellowTraveler/Open-Transactions/wiki
RodeoX
Legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
June 20, 2011, 05:23:41 PM

And when L/S says it's been tested and all threats have been addressed... You're going to put your money in? After they have had a chance to check it all out? No thanks.
GeniuSxBoY
June 20, 2011, 05:24:42 PM

Sending btc/money to LuLz is LuLz.
That's like paying off the mafia not to attack your business.

Be humble!

M4v3R
June 21, 2011, 07:24:41 AM

> Does BitMarket.eu (because it doesn't have money deposits) count?
> Not sure ... are you suggesting we request lulzSec to run a 'test' on Bitmarket.eu? What are BitMarket.eu's privacy and security policies on storing customer records, transaction records, etc.? If an attacker was to infiltrate and publish records, would it lead to a compromised security situation or embarrassment of clients using it?

Compromising security always leads to embarrassment of the site that gets compromised. We don't store any details on our members besides their logins, emails and hashed passwords. The database is only readable by one user, which has a very long and secure password. The database admin interface is not viewable from outside. We use a non-default SSH port. We make offsite backups of both our wallets and the db. I'm not sure what else you expect? We'll happily adapt to more security measures that we could not have thought of.
phantomcircuit
July 20, 2011, 01:19:11 AM

What you're asking for is basically impossible to do while simultaneously following anti-money-laundering and anti-terrorism laws and eliminating counterparty risk.
ctoon6
July 20, 2011, 02:43:47 AM

Lulz Security® is not an entity you request; hackers are not people you want to associate yourself with.
TraderTimm
Legendary
Activity: 2408
Merit: 1121
July 20, 2011, 04:13:07 AM

@bitcoin_bug I've thought about how to implement this, but it all comes down to how you redeem bitcoins to < insert currency of choice > on the edges. Here's a sample idea that I was trying to work with: http://farm6.static.flickr.com/5061/5898790520_fda447e331_b.jpg

However, as it says - there are plenty of things to be worked out. Storing trades via blockchain is all well and good, but it wouldn't be particularly fast. Not sure what the best implementation would be at this point.

fortitudinem multis - catenum regit omnia

ctoon6
July 20, 2011, 04:47:39 AM

> @bitcoin_bug I've thought about how to implement this, but it all comes down to how you redeem bitcoins to < insert currency of choice > on the edges. Here's a sample idea that I was trying to work with: http://farm6.static.flickr.com/5061/5898790520_fda447e331_b.jpg
> However, as it says - there are plenty of things to be worked out. Storing trades via blockchain is all well and good, but it wouldn't be particularly fast. Not sure what the best implementation would be at this point.

How do you make sure that the people actually have the USD they are trading for BC?
TraderTimm
Legendary
Activity: 2408
Merit: 1121
July 20, 2011, 05:37:22 AM

> How do you make sure that the people actually have the USD they are trading for BC?

Exactly. The edges are where it falls apart. Not sure how to address this.

fortitudinem multis - catenum regit omnia

ctoon6
July 20, 2011, 05:39:23 AM

> Exactly. The edges are where it falls apart. Not sure how to address this.

The issue is addressed via centralization, or simply trading in person in your area, or via mail. I just don't see your idea working.
imperi
July 20, 2011, 05:47:49 AM

> How do you make sure that the people actually have the USD they are trading for BC?
> Exactly. The edges are where it falls apart. Not sure how to address this.

You could have a decentralized 'reputation' for each address that's used for trading, maybe.
Oldminer
Legendary
Activity: 1022
Merit: 1001
July 20, 2011, 05:57:02 AM

wow what a fucked up thread
wumpus
July 20, 2011, 06:09:13 AM

> LulzSec is nothing more than a bunch of dumb teenagers using entry-level penetration testing tools.

That's simply not true. From what I understand it's basically a free-for-all, so there's bound to be a lot of dumb teenagers, but also smarter (and sometimes older) hacktivists. They all use the name "anonymous" (or lulzsec) so you'd never know. It's a pretty interesting strategy as it allows them to hide in the crowd. Then again, a lot of "professional" penetration testers also simply fire up their exploit scanner and then charge you big $$$ per hour. So I don't see the problem in letting a hacker group do it for free.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.

TraderTimm
Legendary
Activity: 2408
Merit: 1121
July 20, 2011, 06:15:23 AM

> Exactly. The edges are where it falls apart. Not sure how to address this.
> The issue is addressed via centralization, or simply trading in person in your area, or via mail. I just don't see your idea working.

Yeah, I know. The whole trading transaction thing is all well and good, but I don't know how to handle the edges where a level of trust is required. Just threw it out there in case someone has a 'satoshi' and figures it out.

fortitudinem multis - catenum regit omnia

ctoon6
July 20, 2011, 06:53:35 AM

> LulzSec is nothing more than a bunch of dumb teenagers using entry-level penetration testing tools.
> That's simply not true. From what I understand it's basically a free-for-all, so there's bound to be a lot of dumb teenagers, but also smarter (and sometimes older) hacktivists. They all use the name "anonymous" (or lulzsec) so you'd never know. It's a pretty interesting strategy as it allows them to hide in the crowd. Then again, a lot of "professional" penetration testers also simply fire up their exploit scanner and then charge you big $$$ per hour. So I don't see the problem in letting a hacker group do it for free.

Lulz Security® is not part of Anonymous, just like WikiLeaks is not part of Anonymous. They are all separate entities, although they may have similar goals and ways of working. And anyone who thinks they are simply just some script kiddies, you would have to be wrong in a lot of cases; sure, a lot of script kiddy anons exist, but a lot of them are also very good, like the Sony hack(s).