Bitcoin Forum
Author Topic: Bitcoin Security Standards Audit [BSSA]  (Read 5157 times)
maaku
Legendary
March 05, 2014, 09:24:43 AM
#21

From your reddit posting:

> Users deposit bitcoins and other crypto assets by means of an audited gateway or pegging mechanism.

It seems your plan requires auditing too.

There's a substantial difference between some fallible humans giving a "trust us, it's secure!" stamp of approval (what the OP is asking for), and a cryptographic receipt that can be automatically checked by your client to provide up-to-the-minute assurances of solvency (what I'm talking about in the reddit thread).

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
franky1
Legendary
March 05, 2014, 09:36:25 AM
#22

> Due to the news of rampant thefts at Bitcoin exchanges this past week (Mt. Gox, Poloniex, Flexcoin) it is becoming apparent that there's a dire need for some security standards in the Bitcoin community to ensure compliance and build client trust.  The media is jumping over every hack story that comes out and shouting that it's insecure.  You can't blame people for thinking this way, because at this point it's a legitimate fear.
>
> There is no question that we need a standard process for third party security experts to be able to review exchange processes and software from top to bottom.  If you know of some sort of external security company that already does this, feel free to post.
>
> Perhaps exchanges could be verified on a certain level of compliance and receive a letter or badge to post on their website for proof of audit.  Maybe someone like Andreas Antonopoulos would be interested to open this discussion further.
>
> Items to address in audit:
>
> - Source code, deployment and version control procedures
> - Bitcoin software and protocol implementation
> - Server platform (software versions, port scanning, server logging, brute force protections, DDOS protection, backups, redundancy, etc)
> - Emergency shutdown and startup procedures
> - Physical security (security cameras, electronic facility monitoring, alarm systems, swipe-cards, etc)
> - Use of AML / KYC procedures and encrypted offsite storage of client documents
> - Offsite cold storage (multiple locations) and use of keys, with logs of all activity
> - Onsite hot wallet and use of keys
> - Minimum of email verification or 2-Factor Authentication mandatory for withdrawals on all client accounts
> - Options for clients to set a withdrawal limit on their account (similar to a bank)
> - Alerts available for unusual activity on client accounts, with additional verification option (email or phone call) in case of sudden large withdrawals
> - Staff background checks
> - Staff fraud prevention training
> - On-site restrictions for staff electronics and storage devices
> - Restricted access areas for developers and system-critical staff
> - Procedures for reporting illegal or suspicious activity to law enforcement
>
> I will add to this as more feedback comes in.  PLEASE contribute!  This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!

Once you rip away all the FUD speculation about what people think it is, and then look at what the business model actually does,

https://coinvalidation.com/

is what was talked about last year. Try to research them; don't start tin-foil-hatting the business from FUD that the company blacklists users. They just deal with businesses, and you will realise they do a lot of the things listed above.

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. Many people replying with insults but no on-topic content substance are automatically 'facepalmed' and yawned at.
doug
Newbie
March 05, 2014, 06:47:30 PM
#23

From a social engineer's standpoint I can point out that some very large mining pools and exchange sites make for pretty easy targets.
I've contacted a few about it but never got a reply.
spazzdla
Legendary
March 05, 2014, 07:19:03 PM
#24

Good idea IMO, any company that complies with the rules can advertise as meeting the BSSA standards.  IMO there should be no requirement to have it; people will just know that if you are BSSA compliant your security is way more legit than an exchange that is not.
Armis
Hero Member
March 05, 2014, 08:05:33 PM
#25

> Due to the news of rampant thefts at Bitcoin exchanges this past week (Mt. Gox, Poloniex, Flexcoin) it is becoming apparent that there's a dire need for some security standards in the Bitcoin community to ensure compliance and build client trust.  The media is jumping over every hack story that comes out and shouting that it's insecure.  You can't blame people for thinking this way, because at this point it's a legitimate fear.
>
> There is no question that we need a standard process for third party security experts to be able to review exchange processes and software from top to bottom.  If you know of some sort of external security company that already does this, feel free to post.
>
> Perhaps exchanges could be verified on a certain level of compliance and receive a letter or badge to post on their website for proof of audit.  Maybe someone like Andreas Antonopoulos would be interested to open this discussion further.
>
> Items to address in audit:
>
> - Source code, deployment and version control procedures
> - Bitcoin software and protocol implementation
> - Server platform (software versions, port scanning, server logging, brute force protections, DDOS protection, backups, redundancy, etc)
> - Emergency shutdown and startup procedures
> - Physical security (security cameras, electronic facility monitoring, alarm systems, swipe-cards, etc)
> - Use of AML / KYC procedures and encrypted offsite storage of client documents
> - Offsite cold storage (multiple locations) and use of keys, with logs of all activity
> - Onsite hot wallet and use of keys
> - Minimum of email verification or 2-Factor Authentication mandatory for withdrawals on all client accounts
> - Options for clients to set a withdrawal limit on their account (similar to a bank)
> - Alerts available for unusual activity on client accounts, with additional verification option (email or phone call) in case of sudden large withdrawals
> - Staff background checks
> - Staff fraud prevention training
> - On-site restrictions for staff electronics and storage devices
> - Restricted access areas for developers and system-critical staff
> - Procedures for reporting illegal or suspicious activity to law enforcement
>
> I will add to this as more feedback comes in.  PLEASE contribute!  This is a great community and the development of this ecosystem is happening and will continue happening thanks to you!


Great work, I applaud it; the initiative shows a genuine concern for the fundamentals of the system.

I will add that to: https://bitcointalk.org/index.php?topic=492776.0;topicseen
teukon
Legendary
March 05, 2014, 08:27:41 PM
#26

> Good idea IMO, any company that complies with the rules can advertise as meeting the BSSA standards.  IMO there should be no requirement to have it; people will just know that if you are BSSA compliant your security is way more legit than an exchange that is not.

One problem with this is that a company can advertise as meeting the BSSA standards by simply lying, or by bribing some random guy to pretend that he's audited them and done a good job of it.

Effective auditing in a free market hinges on the reputation of the auditor.  This is one reason why I don't think a standard is at all appropriate.
teukon
Legendary
March 05, 2014, 08:40:42 PM
#27

> More newbies that have no clue about free markets but yeah...

That's unfair.  OP's proposition is relatively sympathetic to the notions of voluntary exchange.

They show signs of impatience and make several absolutist claims ("There is no question..." cracked me up) but they've done much better than most other "let's regulate Bitcoin" thread starters these days.
spazzdla
Legendary
March 05, 2014, 08:47:28 PM
#28

> Good idea IMO, any company that complies with the rules can advertise as meeting the BSSA standards.  IMO there should be no requirement to have it; people will just know that if you are BSSA compliant your security is way more legit than an exchange that is not.

> Did you read this thread, or just OP? So you'd rather have a group of people telling you something is safe than cryptographic functions? Come on, you people can't be serious. This is one reason bitcoin shouldn't be mainstream: we get idiots like this newbie here saying he wants a babysitter group. Well guess what, credit cards have it and it is a broken system, so go use them.

It has to be adopted by the mainstream if there is any hope of leaving the central banking system.

With the amount of fly-by-night exchanges I still don't see why this is a bad idea...  It should be shouted from the rooftops that no exchange is ever safe, ever..  However, why not have a very simple minimum standard exchanges can meet to say they are BSSA compliant.  I was thinking the BSSA requirements are based on the resilience of the exchange to being hacked and that's it.  I dunno, something like a group of hackers that attempt to hack the exchange and if they can't it gets BSSA.  Furthermore the BSSA could push the idea your coins are only safe if they are offline.

With the introduction of standards govs might not consider regulations.. although I doubt it lol.

gweedo
Legendary
March 05, 2014, 08:50:13 PM
#29

> It has to be adopted by the mainstream if there is any hope of leaving the central banking system.

So they leave the central banking to a central authority telling them it is safe. This is the same thing; they will not leave at all, because it offers the same exact thing as a central banking system.
securityguy
Newbie
March 05, 2014, 08:53:42 PM
#30

> There's a substantial difference between some fallible humans giving a "trust us, it's secure!" stamp of approval (what the OP is asking for), and a cryptographic receipt that can be automatically checked by your client to provide up-to-the-minute assurances of solvency (what I'm talking about in the reddit thread).

The difference is you're talking about auditing solvency, which is a good thing, but this forum thread is about auditing systems security, which is another matter altogether.
spazzdla
Legendary
March 05, 2014, 08:54:33 PM
#31

> It has to be adopted by the mainstream if there is any hope of leaving the central banking system.

> So they leave the central banking to a central authority telling them it is safe. This is the same thing; they will not leave at all, because it offers the same exact thing as a central banking system.

The BSSA should simply imply the exchange isn't a POS that a 5th grader could hack.  Just like my CET designation, all it says is I passed an ethics test and the odds are higher I won't do something dirty.  That's it.
maaku
Legendary
March 05, 2014, 08:58:20 PM
#32

> The difference is you're talking about auditing solvency, which is a good thing, but this forum thread is about auditing systems security, which is another matter altogether.

You don't need host security if there is nothing to be kept secure - no client funds on the server, no personal data. With a fully trustless exchange you don't trust the server with *anything*, so why care at all if it is secure?

securityguy
Newbie
March 05, 2014, 09:23:12 PM
#33

> You don't need host security if there is nothing to be kept secure - no client funds on the server, no personal data. With a fully trustless exchange you don't trust the server with *anything*, so why care at all if it is secure?

Systems security and host security are also different, as it covers business systems and processes and not just a server.  In your reddit post you say the following about a gateway:

> As shown by gmaxwell/nullc, you can do zero knowledge proofs of summation of user balances to get clear knowledge about their liabilities, and they can publish bank statements to show that they have enough assets to cover a bank run.

How do you determine if a gateway's published bank statements are legitimate or forged?

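The "proofs of summation of user balances" quoted above, and the "cryptographic receipt that can be automatically checked by your client" from post #21, refer to the Merkle sum tree proof-of-liabilities idea. The following is an added illustration, not code from this thread or from maaku or gmaxwell: the exchange publishes a root committing to a hash and a total, each user receives a path, and the client checks that its own balance is counted in that total. User names, balances and nonces are constructed.

```python
import hashlib

# Padding node for odd-sized levels: contributes nothing to the total.
EMPTY = (hashlib.sha256(b"empty").digest(), 0)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_leaf(user_id: str, balance: int, nonce: bytes) -> tuple:
    """Leaf = (hash, balance). The per-user nonce stops third parties from
    confirming a guessed (user, balance) pair against a published leaf hash."""
    if balance < 0:
        raise ValueError("negative balance would let liabilities be understated")
    return (_h(b"leaf|" + user_id.encode() + b"|" + balance.to_bytes(8, "big") + b"|" + nonce), balance)


def make_parent(left: tuple, right: tuple) -> tuple:
    """Parent commits to both children's hashes AND values, so no subtotal
    can be changed without changing the published root."""
    lh, lv = left
    rh, rv = right
    return (_h(b"node|" + lh + lv.to_bytes(8, "big") + rh + rv.to_bytes(8, "big")), lv + rv)


def build_tree(leaves: list) -> list:
    """All levels, leaves first, root last. Odd levels are padded with EMPTY."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1] + ([EMPTY] if len(levels[-1]) % 2 else [])
        levels.append([make_parent(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def make_proof(levels: list, index: int) -> list:
    """Sibling (hash, value, sibling_is_left) at each level on the path to the root."""
    proof = []
    for lvl in levels[:-1]:
        lvl = lvl + ([EMPTY] if len(lvl) % 2 else [])
        sib = index ^ 1
        proof.append((lvl[sib][0], lvl[sib][1], sib < index))
        index //= 2
    return proof


def verify(leaf: tuple, proof: list, root: tuple) -> bool:
    """Client-side check: my leaf is in the tree and the committed total matches.
    A negative sibling value is rejected because it would shrink the total."""
    node = leaf
    for sib_hash, sib_value, sib_is_left in proof:
        if sib_value < 0:
            return False
        sibling = (sib_hash, sib_value)
        node = make_parent(sibling, node) if sib_is_left else make_parent(node, sibling)
    return node == root


def demo() -> dict:
    """Constructed exchange with three users; the exchange publishes `root`."""
    users = [("alice", 50, b"n1"), ("bob", 30, b"n2"), ("carol", 20, b"n3")]
    leaves = [make_leaf(*u) for u in users]
    levels = build_tree(leaves)
    root = levels[-1][0]
    bob_proof = make_proof(levels, 1)
    forged_root = (root[0], root[1] - 10)  # root claiming fewer liabilities than real
    return {"total": root[1], "bob_ok": verify(leaves[1], bob_proof, root),
            "forged_ok": verify(leaves[1], bob_proof, forged_root)}
```

This simplified form reveals sibling balances along each path; the "zero knowledge" wording in the quote points at variants that hide those values while keeping the same summation check.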
maaku
Legendary
March 05, 2014, 09:40:24 PM
#34

Ask the bank.

securityguy
Newbie
March 05, 2014, 09:54:35 PM
#35

> Ask the bank.

Due to privacy laws in countries, if a 3rd party asks a bank about someone's account they will tell you they can't disclose such information.  Even if you could ask the bank, you have to "trust" the bank is telling you the truth.


IrishFutbol
Member
March 05, 2014, 10:31:28 PM
#36

> Sounds great but can we use a real company instead of Ed's uncle Fred.
>
> How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Probably wouldn't work.

1. It would be more than a couple hundred thousand.  Deloitte would want a fee for the audit, and then they would demand that the company hire a ton of staff and create a compliance department to ensure these controls were maintained throughout the year.  Additionally, a company would have to hire additional staff to handle all of the annual documentation around the controls (Deloitte won't just want to see that a company has controls, Deloitte will want to see evidence for every transaction that the control is being followed).

2. If it's not industry wide, people will flock to the unaudited exchanges.  Unaudited exchanges, or exchanges audited by non-reputable firms like the guy who audited Madoff, will be able to charge lower transaction fees than any exchange audited by a major auditor.  People currently have no issue throwing cash into unaudited exchanges, so what makes you think people would suddenly pay more to go into an audited exchange?
Armis
Hero Member
March 05, 2014, 11:03:05 PM
#37

> You don't need host security if there is nothing to be kept secure - no client funds on the server, no personal data. With a fully trustless exchange you don't trust the server with *anything*, so why care at all if it is secure?

> Systems security and host security are also different, as it covers business systems and processes and not just a server.  In your reddit post you say the following about a gateway:
>
> > As shown by gmaxwell/nullc, you can do zero knowledge proofs of summation of user balances to get clear knowledge about their liabilities, and they can publish bank statements to show that they have enough assets to cover a bank run.
>
> How do you determine if a gateway's published bank statements are legitimate or forged?

Request a certified return -- essentially a sworn statement as to the truth of the facts.

securityguy
Newbie
March 05, 2014, 11:39:59 PM
#38

> Request a certified return -- essentially a sworn statement as to the truth of the facts.

You still have to "trust" the person who made the sworn statement.   Do you trust an entity set up whose purpose is to defraud you by making false sworn statements?
Kenshin
Sr. Member
March 05, 2014, 11:48:37 PM
#39

> Sounds great but can we use a real company instead of Ed's uncle Fred.
>
> How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

All the Big 4 audit firms don't audit properly. This includes PWC, E&Y, Deloitte and KPMG.
corebob
Full Member
March 05, 2014, 11:49:37 PM
#40

> Sounds great but can we use a real company instead of Ed's uncle Fred.
>
> How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

This is the opposite of what we need. When it comes to security and crypto, several independent peer reviews are the only trustworthy source.
I demand the same principle as open source projects inherently have: a thousand eyeballs are always better than two.