Bitcoin Forum
Author Topic: Bitcoin Security Standards Audit [BSSA]  (Read 5157 times)
Armis (Hero Member, Activity: 588, Merit: 501)
March 05, 2014, 11:54:29 PM  #41

request a certified return -- essentially a sworn statement as to the truth of the facts

You still have to "trust" the person who made the sworn statement. Do you trust an entity set up whose purpose is to defraud you by making false sworn statements?

Are you looking for a business situation in which you won't have to exercise any degree of trust?
maaku (Legendary, Activity: 905, Merit: 1011)
March 06, 2014, 12:09:05 AM  #42

request a certified return -- essentially a sworn statement as to the truth of the facts

You still have to "trust" the person who made the sworn statement. Do you trust an entity set up whose purpose is to defraud you by making false sworn statements?

You can't have a system interact with fiat without some degree of trust. That's just the nature of the game. You can, however, reduce the necessary trust down to something very basic, e.g. a sworn statement from a prestigious bank that has much more to lose from lying. If that doesn't satisfy you, it should more than do to satisfy Lloyd's of London or some other insurance company which will happily insure those deposits against a bank theft.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
securityguy (Newbie, Activity: 35, Merit: 0)
March 06, 2014, 12:10:02 AM  #43

Are you looking for a business situation in which you won't have to exercise any degree of trust?

No, I was just commenting on maaku's trustless exchange design.
Armis (Hero Member, Activity: 588, Merit: 501)
March 06, 2014, 12:40:04 AM  #44

request a certified return -- essentially a sworn statement as to the truth of the facts

You still have to "trust" the person who made the sworn statement. Do you trust an entity set up whose purpose is to defraud you by making false sworn statements?

You can't have a system interact with fiat without some degree of trust. That's just the nature of the game. You can, however, reduce the necessary trust down to something very basic, e.g. a sworn statement from a prestigious bank that has much more to lose from lying. If that doesn't satisfy you, it should more than do to satisfy Lloyd's of London or some other insurance company which will happily insure those deposits against a bank theft.

That's how you enable the oil to reach the chain that turns the wheels that move the vehicle that brings everyone to where they want to go, faster and easier than an untrustworthy system whose brand new chain keeps falling off, resulting in a really unstable, unreliable, and uncomfortable trip.
QuestionAuthority (Legendary, Activity: 2156, Merit: 1393)
March 06, 2014, 06:27:15 AM  #45
Last edit: March 06, 2014, 09:05:11 AM by QuestionAuthority

Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Probably wouldn't work.

1. It would be more than a couple hundred thousand. Deloitte would want a fee for the audit, and then they would demand that the company hire a ton of staff and create a compliance department to ensure these controls were maintained throughout the year. Additionally, a company would have to hire additional staff to handle all of the annual documentation around the controls (Deloitte won't just want to see that a company has controls; Deloitte will want to see evidence for every transaction that the control is being followed).

2. If it's not industry wide, people will flock to the unaudited exchanges. Unaudited exchanges, or exchanges audited by non-reputable firms like the guy who audited Madoff, will be able to charge lower transaction fees than any exchange audited by a major auditor. People currently have no issue throwing cash into unaudited exchanges, so what makes you think people would suddenly pay more to go into an audited exchange?

It would work well. The problem is no one is willing to pay for quality. They would much rather bitch that they lost it all than pay a high fee. These fucking idiots don't deserve Deloitte or Price Waterhouse. They deserve exactly what they get - worthless fucking peer review. Two respected TBF members went to help MtFux in 2011, found a shambles with a clueless CEO and said nothing about it to anyone.

IrishFutbol (Member, Activity: 70, Merit: 10)
March 06, 2014, 04:06:20 PM  #46

Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Probably wouldn't work.

1. It would be more than a couple hundred thousand. Deloitte would want a fee for the audit, and then they would demand that the company hire a ton of staff and create a compliance department to ensure these controls were maintained throughout the year. Additionally, a company would have to hire additional staff to handle all of the annual documentation around the controls (Deloitte won't just want to see that a company has controls; Deloitte will want to see evidence for every transaction that the control is being followed).

2. If it's not industry wide, people will flock to the unaudited exchanges. Unaudited exchanges, or exchanges audited by non-reputable firms like the guy who audited Madoff, will be able to charge lower transaction fees than any exchange audited by a major auditor. People currently have no issue throwing cash into unaudited exchanges, so what makes you think people would suddenly pay more to go into an audited exchange?

It would work well. The problem is no one is willing to pay for quality. They would much rather bitch that they lost it all than pay a high fee. These fucking idiots don't deserve Deloitte or Price Waterhouse. They deserve exactly what they get - worthless fucking peer review. Two respected TBF members went to help MtFux in 2011, found a shambles with a clueless CEO and said nothing about it to anyone.

Your quality comparison reminds me of another problem. Ask a Big 4 firm to audit a company that maintains deposits, and they're going to want to confirm the balance of those deposits with an investor. This will be done by mailing a letter to the depositor's home address. Accounting firms cannot just confirm balances through email, meaning the exchange would have to collect and maintain actual names and addresses for all depositors. So in addition to the fees, people would now have to attach their true identity to their account.
QuestionAuthority (Legendary, Activity: 2156, Merit: 1393)
March 06, 2014, 04:49:12 PM  #47

Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Probably wouldn't work.

1. It would be more than a couple hundred thousand. Deloitte would want a fee for the audit, and then they would demand that the company hire a ton of staff and create a compliance department to ensure these controls were maintained throughout the year. Additionally, a company would have to hire additional staff to handle all of the annual documentation around the controls (Deloitte won't just want to see that a company has controls; Deloitte will want to see evidence for every transaction that the control is being followed).

2. If it's not industry wide, people will flock to the unaudited exchanges. Unaudited exchanges, or exchanges audited by non-reputable firms like the guy who audited Madoff, will be able to charge lower transaction fees than any exchange audited by a major auditor. People currently have no issue throwing cash into unaudited exchanges, so what makes you think people would suddenly pay more to go into an audited exchange?

It would work well. The problem is no one is willing to pay for quality. They would much rather bitch that they lost it all than pay a high fee. These fucking idiots don't deserve Deloitte or Price Waterhouse. They deserve exactly what they get - worthless fucking peer review. Two respected TBF members went to help MtFux in 2011, found a shambles with a clueless CEO and said nothing about it to anyone.

Your quality comparison reminds me of another problem. Ask a Big 4 firm to audit a company that maintains deposits, and they're going to want to confirm the balance of those deposits with an investor. This will be done by mailing a letter to the depositor's home address. Accounting firms cannot just confirm balances through email, meaning the exchange would have to collect and maintain actual names and addresses for all depositors. So in addition to the fees, people would now have to attach their true identity to their account.

Gox was already doing that and collected a photo ID from everyone with an account. It was part of their mandatory legal requirements. Problem is, they got hacked and the database was stolen because their software was written by a fat idiot with the intellect of a 12-year-old with a Starbucks addiction. Now everyone's photo ID and personal information are loose on the web. Isn't that special! We want to make sure we review these people ourselves. For Christ's sake, don't let an independent, impartial, respected third party with a reputation to protect do it. They'll fuck it all up.

Armis (Hero Member, Activity: 588, Merit: 501)
March 06, 2014, 05:20:31 PM  #48
Last edit: March 06, 2014, 08:47:57 PM by Armis

Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

Probably wouldn't work.

1. It would be more than a couple hundred thousand. Deloitte would want a fee for the audit, and then they would demand that the company hire a ton of staff and create a compliance department to ensure these controls were maintained throughout the year. Additionally, a company would have to hire additional staff to handle all of the annual documentation around the controls (Deloitte won't just want to see that a company has controls; Deloitte will want to see evidence for every transaction that the control is being followed).

2. If it's not industry wide, people will flock to the unaudited exchanges. Unaudited exchanges, or exchanges audited by non-reputable firms like the guy who audited Madoff, will be able to charge lower transaction fees than any exchange audited by a major auditor. People currently have no issue throwing cash into unaudited exchanges, so what makes you think people would suddenly pay more to go into an audited exchange?

It would work well. The problem is no one is willing to pay for quality. They would much rather bitch that they lost it all than pay a high fee. These fucking idiots don't deserve Deloitte or Price Waterhouse. They deserve exactly what they get - worthless fucking peer review. Two respected TBF members went to help MtFux in 2011, found a shambles with a clueless CEO and said nothing about it to anyone.


The simple fact is Deloitte knows less than 1/1000th of what this community knows about BTC; the fact is all this community needs is organization to solve ALL of its current problems.

All of the answers are in the blockchain; if the community scrubbed it, they will find all of the answers.
The blockchain could be used in many different ways.

Kenshin (Sr. Member, Activity: 280, Merit: 250)
March 06, 2014, 07:54:56 PM  #49

I think BSSA might work; it should be like the Open Web Application Security Project (OWASP).

But the Big 4 is definitely not the answer. They are corrupt and crap. I know how they work. If there is any non-compliance in their audit, they will not write it down, because they want to keep a good relationship with the client. So in order to keep the clients, they will say their clients are compliant.

I know this shit, I worked with them before.
ThomasF (Newbie, Activity: 15, Merit: 0)
March 17, 2014, 05:43:34 AM  #50

Hello,

I want to make this a reality!

I have started http://www.bitcoinsecuritystandards.org/ to give the security experts a place to discuss their ideas and the implementers a place to understand what, why, and how to secure their sites and services.

Thank you,

-- Thomas F.
nwtrades (OP) (Newbie, Activity: 37, Merit: 0)
March 17, 2014, 07:40:06 AM  #51

Hello,

I want to make this a reality!

I have started http://www.bitcoinsecuritystandards.org/ to give the security experts a place to discuss their ideas and the implementers a place to understand what, why, and how to secure their sites and services.

Thank you,

-- Thomas F.

Hi Thomas, thanks for taking the effort to set that up! It's great to see. I had a small additional thought: what do you think about adding a wiki? This way all members of the community serious about this can participate in drafting some things together as a collaborative effort. The forums are nice for an informal place to chat around ideas, but a wiki (or something similar) might be very helpful as a formal resource.
xb0x (Full Member, Activity: 181, Merit: 100)
March 17, 2014, 09:13:07 AM  #52

Front-end security measures for exchanges: most of the hacks occur because of a lack of proper front-end security.
I have worked with multiple exchanges on their web security; I usually find most of them are vulnerable to one or another type of simple attack. When I contact them regarding this, some realize it and fix the vulnerability after proper reports, while some simply keep ignoring it.

Some even told me that they have good security measures at their back-end but not in the front-end because they don't think it is important, and my question for them is: does the user/client interact with your front-end or your back-end? They see your website, not the physical location of your server or cold storage. Hackers hack into your front-end (the website), then use that to escalate their authority on the server and compromise everything, or use it in a non-interacting way to attack users (CSRF: a single visit to a crafted site and your coins are gone, unless there is multi-step protection with double authorization and proper validation).

So, admins of exchanges need to understand this, otherwise hacks will keep happening again and again.
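The "multi-step protection with double authorization and proper validation" mentioned above, as an added example that is not code from this thread or from any exchange: a withdrawal endpoint that rejects cross-origin requests, requires a session-bound CSRF token a third-party page cannot read, and only moves funds after a second, request-bound confirmation code. The origin `https://exchange.example`, the function names, the in-memory ledger and the request shapes are all assumptions made for the example.

```python
"""Withdrawal endpoint with a per-session CSRF token, an Origin check and a
second authorization step (a confirmation code bound to one pending request).
Hypothetical API written for this thread, not any exchange's real code."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://exchange.example"  # assumed origin of the exchange front-end

@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    pending: dict = field(default_factory=dict)  # withdrawal id -> (dest, amount, code)

@dataclass
class Request:
    headers: dict
    form: dict

def _reject_reason(session, req):
    """Fail closed: require our Origin/Referer and the session-bound token."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")):
        return "rejected: cross-origin request"
    token = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(token, session.csrf_token.encode()):
        return "rejected: missing or invalid CSRF token"
    return None

def start_withdrawal(session, req):
    """Step 1: record a pending withdrawal; nothing moves yet."""
    err = _reject_reason(session, req)
    if err:
        return err
    wid = secrets.token_hex(8)
    code = f"{secrets.randbelow(10**6):06d}"  # sent out of band (2FA/e-mail), never in the response
    session.pending[wid] = (req.form["dest"], int(req.form["amount"]), code)
    return f"pending:{wid}"

def confirm_withdrawal(session, req, ledger):
    """Step 2: the code is tied to one request; a wrong code voids it."""
    err = _reject_reason(session, req)
    if err:
        return err
    entry = session.pending.pop(req.form.get("withdrawal_id", ""), None)
    if entry is None:
        return "rejected: unknown or already-used withdrawal id"
    dest, amount, code = entry
    if not hmac.compare_digest(req.form.get("code", "").encode(), code.encode()):
        return "rejected: wrong confirmation code"
    if ledger.get(session.user, 0) < amount:
        return "rejected: insufficient balance"
    ledger[session.user] -= amount
    return f"sent:{amount}:{dest}"

def demo():
    """Constructed scenario: a forged cross-site request, then a real flow."""
    ledger = {"alice": 100}
    s = Session(user="alice")
    own = {"Origin": SITE_ORIGIN}
    # A malicious page auto-submits this form: the browser attaches the victim's
    # cookies, but the page cannot supply the token or spoof our Origin.
    r_forged = start_withdrawal(s, Request({"Origin": "https://evil.example"},
                                           {"dest": "ATTACKER", "amount": "100"}))
    withdraw = {"dest": "USER_ADDR", "amount": "40", "csrf_token": s.csrf_token}
    wid = start_withdrawal(s, Request(own, withdraw)).split(":")[1]
    code = s.pending[wid][2]
    wrong = "000000" if code != "000000" else "000001"
    r_wrong = confirm_withdrawal(s, Request(own, {"withdrawal_id": wid, "code": wrong,
                                                  "csrf_token": s.csrf_token}), ledger)
    wid = start_withdrawal(s, Request(own, withdraw)).split(":")[1]
    r_ok = confirm_withdrawal(s, Request(own, {"withdrawal_id": wid, "csrf_token": s.csrf_token,
                                               "code": s.pending[wid][2]}), ledger)
    return r_forged, r_wrong, r_ok, ledger["alice"]
```

In a real deployment the confirmation code would be delivered through a second channel and the pending entry would expire after a short time; the same-origin check here is a backstop, with the token as the primary defence.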
Kenshin (Sr. Member, Activity: 280, Merit: 250)
March 25, 2014, 10:36:59 AM  #53

Front-end security measures for exchanges: most of the hacks occur because of a lack of proper front-end security.
I have worked with multiple exchanges on their web security; I usually find most of them are vulnerable to one or another type of simple attack. When I contact them regarding this, some realize it and fix the vulnerability after proper reports, while some simply keep ignoring it.

Some even told me that they have good security measures at their back-end but not in the front-end because they don't think it is important, and my question for them is: does the user/client interact with your front-end or your back-end? They see your website, not the physical location of your server or cold storage. Hackers hack into your front-end (the website), then use that to escalate their authority on the server and compromise everything, or use it in a non-interacting way to attack users (CSRF: a single visit to a crafted site and your coins are gone, unless there is multi-step protection with double authorization and proper validation).

So, admins of exchanges need to understand this, otherwise hacks will keep happening again and again.

That is bullshit. In my career in information security of over 20 years, 99.9% of the back ends are even less secured than the front ends.
franky1 (Legendary, Activity: 4256, Merit: 4532)
March 25, 2014, 11:50:24 AM  #54

Sounds great, but can we use a real company instead of Ed's uncle Fred?

How about Deloitte? They shouldn't cost more than a few hundred thousand for a full audit. http://www.deloitte.com/view/en_US/us/index.htm

+0.5

Deloitte is pretty much the top one, but I'd say for the first 6 months they could get away with using another accredited accountant/auditor, just so they can at least start making a profit and not be tempted to eat into people's deposits to pay wages.
(Although I also think that if they don't have enough finances upfront to cover costs, then being given customer funds is risky, so I see both sides of it.)

And also have the exchanges put a reserve/security into the Lloyd's of London-insured Elliptic vault as their collateral (separate from customer funds, which need to move freely instead of being locked in).

We don't need basement dwellers trying to look legit yet having no credentials.

If it's going to be done, at least get it done honourably and right.

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
xb0x (Full Member, Activity: 181, Merit: 100)
March 27, 2014, 01:42:44 PM  #55

Front-end security measures for exchanges: most of the hacks occur because of a lack of proper front-end security.
I have worked with multiple exchanges on their web security; I usually find most of them are vulnerable to one or another type of simple attack. When I contact them regarding this, some realize it and fix the vulnerability after proper reports, while some simply keep ignoring it.

Some even told me that they have good security measures at their back-end but not in the front-end because they don't think it is important, and my question for them is: does the user/client interact with your front-end or your back-end? They see your website, not the physical location of your server or cold storage. Hackers hack into your front-end (the website), then use that to escalate their authority on the server and compromise everything, or use it in a non-interacting way to attack users (CSRF: a single visit to a crafted site and your coins are gone, unless there is multi-step protection with double authorization and proper validation).

So, admins of exchanges need to understand this, otherwise hacks will keep happening again and again.

That is bullshit. In my career in information security of over 20 years, 99.9% of the back ends are even less secured than the front ends.

Physical attacks hardly occur on them (or rather, attackers hardly do physical attacks; the way is to control the back-end from the front-end), so they think they are secure. Most of the time the back-end gets targeted from the front-end.
Kenshin (Sr. Member, Activity: 280, Merit: 250)
March 28, 2014, 12:14:45 AM  #56

Front-end security measures for exchanges: most of the hacks occur because of a lack of proper front-end security.
I have worked with multiple exchanges on their web security; I usually find most of them are vulnerable to one or another type of simple attack. When I contact them regarding this, some realize it and fix the vulnerability after proper reports, while some simply keep ignoring it.

Some even told me that they have good security measures at their back-end but not in the front-end because they don't think it is important, and my question for them is: does the user/client interact with your front-end or your back-end? They see your website, not the physical location of your server or cold storage. Hackers hack into your front-end (the website), then use that to escalate their authority on the server and compromise everything, or use it in a non-interacting way to attack users (CSRF: a single visit to a crafted site and your coins are gone, unless there is multi-step protection with double authorization and proper validation).

So, admins of exchanges need to understand this, otherwise hacks will keep happening again and again.

That is bullshit. In my career in information security of over 20 years, 99.9% of the back ends are even less secured than the front ends.

Physical attacks hardly occur on them (or rather, attackers hardly do physical attacks; the way is to control the back-end from the front-end), so they think they are secure. Most of the time the back-end gets targeted from the front-end.

Once you penetrate the front end, the back end has no defense. That is what I have noticed. And when you go in and do an audit and pen test, they always try to justify that no one is going to be able to get into the back end. So many fools.
xb0x (Full Member, Activity: 181, Merit: 100)
March 28, 2014, 04:34:33 AM  #57

Front-end security measures for exchanges: most of the hacks occur because of a lack of proper front-end security.
I have worked with multiple exchanges on their web security; I usually find most of them are vulnerable to one or another type of simple attack. When I contact them regarding this, some realize it and fix the vulnerability after proper reports, while some simply keep ignoring it.

Some even told me that they have good security measures at their back-end but not in the front-end because they don't think it is important, and my question for them is: does the user/client interact with your front-end or your back-end? They see your website, not the physical location of your server or cold storage. Hackers hack into your front-end (the website), then use that to escalate their authority on the server and compromise everything, or use it in a non-interacting way to attack users (CSRF: a single visit to a crafted site and your coins are gone, unless there is multi-step protection with double authorization and proper validation).

So, admins of exchanges need to understand this, otherwise hacks will keep happening again and again.

That is bullshit. In my career in information security of over 20 years, 99.9% of the back ends are even less secured than the front ends.

Physical attacks hardly occur on them (or rather, attackers hardly do physical attacks; the way is to control the back-end from the front-end), so they think they are secure. Most of the time the back-end gets targeted from the front-end.

Once you penetrate the front end, the back end has no defense. That is what I have noticed. And when you go in and do an audit and pen test, they always try to justify that no one is going to be able to get into the back end. So many fools.

Yes, that is why I wrote that explicitly. A few days back I was working with a Bitcoin exchange on securing them. After multiple front-end issues (say, client-side ones mostly), they said "The problem is that we did not make the front-end program perfect" and I was like WTF, they talked about security?
counter (Hero Member, Activity: 798, Merit: 500)
March 28, 2014, 05:46:48 AM  #58

I've said this myself in the past but not with as much depth and detail. This is an obviously needed step for a platform of trust to be built upon for newer users.
xiaohuolv (Full Member, Activity: 160, Merit: 100)
March 28, 2014, 12:19:46 PM  #59

I agree with this; however, I also like the concept of the original post. Everyone would still be able to start a company, but if their service is solvent and reliable and they can prove it, they would be rewarded with some official recognition. Just like the Bitcoin Foundation has members, some sort of team would set some requirements. If a website qualifies, then let's say that they would receive a sticker.

This would help non advanced users avoid risky services and also promote solid ones over less reliable ones. In my opinion this can only make a market better.

bananahoho (Newbie, Activity: 56, Merit: 0)
March 28, 2014, 12:49:57 PM  #60

I agree with this; however, I also like the concept of the original post. Everyone would still be able to start a company, but if their service is solvent and reliable and they can prove it, they would be rewarded with some official recognition. Just like the Bitcoin Foundation has members, some sort of team would set some requirements. If a website qualifies, then let's say that they would receive a sticker.

This would help non advanced users avoid risky services and also promote solid ones over less reliable ones. In my opinion this can only make a market better.

I quite agree with what you said. What you said is very reasonable, very good.