Bitcoin Forum
Topic: Forming Bitcoin Policies for exchanges
allten
September 13, 2011, 08:08:23 PM
 #1

This thread is in response to a previous one that I began

Full Blown MtGox Audit - Get Ready To participate. Starting Sept 25th
https://bitcointalk.org/index.php?topic=43484.0


The sentiment in the previous thread was pretty much that the proposal was crazy and "preposterous".
Ok Ok Ok. Learning from mistakes and continuing forward.

So, the best way for an audit to occur is by encouraging any competitor to be audited.
If the market responds positively to that exchange with an audit, more than likely, all competitors will follow its lead.

However, the big question that popped into my mind is "what exactly would they be auditing?!?"
The obvious one is if all funds are accounted for, but isn't there much more that could be audited?

There are no exchanges (that I am aware of) that have their policies and standards of operation posted.
In order for a full company audit to occur, it seems apparent that there needs to be a set of guidelines to look at.

So, finally, the purpose of this post is to brainstorm the following
        1) What practices could an exchange execute that would be undesirable for the market? (i.e. manipulate the price)

        2) From the ideas above, what policies and standards would you like to see an exchange adopt?

My goal is to form a well written document that any exchange could adopt or even adapt for their own.
From there, we would have a good idea of what kind of information an audit should contain.

Thanks for your criticism and input.
casascius
Mike Caldwell
September 13, 2011, 08:09:03 PM
 #2

Google SAS 70 Type II audit...many things can be audited.

It's not just a matter of "is the money there?" and we're done.  The audit seeks to document how critical processes are handled - such as backups and security - as well as separation of powers among individuals within the organization.

For backups and security, the audit may seek to know in a general sense who is responsible and how it's done and how often the backups are tested and verified to be good.  And who personally verifies that workstation and server OS's are up to date on patches, and if there's a reason they're not, why not.

By separation of powers I mean for example, if all of the programmers can also manipulate rows in the database at will, and can make changes to code running in production without oversight or any recordkeeping as to the change... this is the kind of thing that such an audit seeks to document.

All of this is confidence building.  Generally these auditors aren't looking to write a crappy report (or they might never get repeat business)... often a SAS 70 type II engagement is to come out at the beginning of some time period and again at the end of it.  (the beginning visit often results in a lot of consulting as to what needs to be done to avoid having to have negative items in the report).

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
allten
September 15, 2011, 05:18:45 PM
 #3

@ casascius,
     I appreciate the response. I really like the sound of the SAS 70.
I found this page most helpful:
http://sas70.com/sas70_overview.html

Hopefully sound audits will become commonplace in the future with some of the more successful BTC businesses (more notably exchanges).

-------------------------------------------------------------
It did dawn on me that it would be nice if there was more documentation provided up front by those who handle money.
By documentation I mean "Terms of Service", policies and procedures, model of operation, etc.

A short example of what could be posted on exchange sites:
          1) All bitcoins and USD (or whatever currency) are backed 100%, 100% of the time.
             There is no fractional reserve lending. We do not speculate with your bitcoins or money
             in any market.
          2) All volume reported by this exchange is from customer transactions only. Transactions internal
             to the company are not reported.
          There's so much more...

Realizing that many of these businesses are just trying to get started and avoid costly security mishaps, this kind of undertaking is probably a low priority;
however, it is very important to the people putting their money into these businesses such as myself.
The goal of this thread is to generate the trivial and obvious wording that could be adopted by these businesses thereby helping BTC mature even more.
im3w1l
September 15, 2011, 08:18:23 PM
 #4

I would want an audit to check that the website is hard to hack:
  • hashed and salted passwords
  • updated software
  • input sanitization
  • balances on a separate box from website
I would also welcome info about who to sue when shit hits the fan.
Elwar
September 15, 2011, 09:03:30 PM
 #5

Seems like a good business model for someone.

Bitcoin site accreditation.

Just set it up so you can put "Verified by X company" on the page with a link to verification on their site.

Several companies can be set up and if someone gets hacked and they are accredited by a certain company then that company would lose credibility.

http://www.bitpools.com
Pool your bitcoins with others. Vote on solutions using the Bitcoin blockchain. Keep your bitcoins in your cold storage until you find a solution you like.
Links and Reviews of useful every day places to spend bitcoins: https://bitcointalk.org/index.php?topic=943143.0
Phinnaeus Gage
September 16, 2011, 11:33:45 AM
 #6

> Seems like a good business model for someone.
>
> Bitcoin site accreditation.
>
> Just set it up so you can put "Verified by X company" on the page with a link to verification on their site.
>
> Several companies can be set up and if someone gets hacked and they are accredited by a certain company then that company would lose credibility.

Bitcoin Accreditation: Now why hasn't anybody else thought of that?