Topic: Security standards for bitcoin commerce sites and applications
matt.collier (OP)
May 18, 2011, 01:20:40 AM
Last edit: May 18, 2011, 01:34:51 PM by matt.collier
 #1

We are seeing an ever-increasing number of bitcoin-related financial services being offered. We have a number of exchanges, eWallets, tip jars, escrow services, credit unions, and countless offline apps. Some of these services are tasked with safeguarding users' bitcoins.

For the sake of discussion, let's consider an online eWallet system. A successful eWallet system, one that has many users and a large quantity of bitcoin on deposit, is basically a huge pile of cash sitting inside a computer. Where is that computer? Is it in a highly secure NOC somewhere or in somebody's kitchen? Are backups being performed, and if so, how often? Where and how are the backups stored, and are they secure? The list is endless.

A hacker doesn't need to steal the private key / bitcoin wallet.  They would just need to use it long enough to make a very large transfer to their own account.

If there's a million bitcoin sitting on a computer somewhere worth who knows how much fiat currency, we are going to see a hacker challenge the likes of which the world has never seen!

The people participating in this forum are laying the foundation for a new economy.  A large scale theft would be a major setback to the bitcoin project.  

I see a great need for developing security recommendations and best practices for any entity offering services that involve storing bitcoin on behalf of their owner.  After that's done, organizations can be formed to audit these entities to ensure compliance (another new business opportunity).

Is anyone here interested in working on this?
altoid
May 18, 2011, 05:12:07 AM
 #2

Great topic, I would love to hear from those more knowledgeable than I am on it. I'd imagine it comes down to server security. Putting reserves on different drives is probably a good idea, and then just transferring funds in when the active drive gets low and out when there is surplus.
Gavin Andresen
Chief Scientist


May 18, 2011, 03:12:01 PM
 #3

My advice: don't reinvent the wheel. There are already standards and organizations dedicated to security practices surrounding currency, both physical and virtual, and financial transactions. It doesn't really matter if the currency is baht or bitcoin, the principles will be the same.


How often do you get the chance to work on a potentially world-changing project?
matt.collier (OP)
May 18, 2011, 03:54:59 PM
 #4

I agree that we don't need to reinvent the wheel. However, an individual like myself with enough money to buy a domain name and a month's worth of bargain basement web hosting does not present themselves to the world as a bank or a credit union.

Gavin, your ClearCoin project holds bitcoins on deposits. Can you direct me to the security standards that you are adhering to? Has a 3rd party audit been performed to ensure that your organization is adhering to those standards? Have you subjected your infrastructure to any kind of penetration tests? If I have 1000 btc in escrow at ClearCoin and an act of God wipes out your server at 2:15PM on a Sunday afternoon, is money safe and recoverable?

As a startup, I do not have the resources (financial or expertise) that Bank of America has to devote to network security. My website is hosted on a server somewhere in Los Angeles, California. I have no idea who has physical access to the server my site is hosted on. Even if I'm not going to rely on backups that my hosting company makes, I do know that they make them. I have no idea if backup media or server hardware is disposed of in a secure manner.

Can anyone recommend a hosting company that adheres to security practices worthy of providing hosting for a bitcoin financial institution?

More to the point, how can I or anyone affordably provide the same kind of fault tolerance and data security that a traditional banking institution would?
Gavin Andresen
Chief Scientist


May 18, 2011, 05:24:25 PM
 #5

Quote
Gavin, your ClearCoin project holds bitcoins on deposits. Can you direct me to the security standards that you are adhering to? Has a 3rd party audit been performed to ensure that your organization is adhering to those standards? Have you subjected your infrastructure to any kind of penetration tests? If I have 1000 btc in escrow at ClearCoin and an act of God wipes out your server at 2:15PM on a Sunday afternoon, is money safe and recoverable?

No, no, no and yes.  I'm planning on making the answers to all of those questions "yes" within the next six months, although I need to look at how many bitcoins are contained at any given time in the ClearCoin wallet; it might make more sense to send double or triple that amount of bitcoin to a publicly verifiable address, prove I own the coins, and guarantee any losses due to ClearCoin getting hacked.

(note: I just looked, and right now there are 540 bitcoins in the ClearCoin wallet, so spending $50,000 to protect them really wouldn't make sense).

Quote
More to the point, how can I or anyone affordably provide the same kind of fault tolerance and data security that a traditional banking institution would?

Yet another bitcoin chicken-and-egg problem that will get solved by investors taking a risk and giving bitcoin entrepreneurs the resources to do security right (or wealthy entrepreneurs stepping up and making the investment themselves).

How often do you get the chance to work on a potentially world-changing project?
matt.collier (OP)
June 19, 2011, 08:33:17 PM
 #6

Perhaps this topic might seem a little more interesting now?