Bitcoin Forum
Author Topic: we need a comprehensive guide for making SAFE bitcoin apps!!  (Read 2480 times)
acoindr
July 13, 2012, 07:17:48 PM
 #21

> high tech is not the solution to the problems in your previous emails, but my comment was a bit of a sidetrack (that i wish to drop from this thread after this point is made):
>
> i was strictly talking about an idea of how to hide a hot wallet server, disconnected from your previous points. the above, provided some basic precaution on part of the developer, would not reveal a means into the wallet server.

Oh, gotcha :)

Yes, securing hot wallets has been discussed, but I don't know the thread off hand.
Whoever mines the block which ends up containing your transaction will get its fee.
paulie_w (OP)
July 13, 2012, 07:20:28 PM
 #22

imho those kinds of threads should be collected and organized into a wiki per this thread:

https://bitcointalk.org/index.php?topic=93115.0;topicseen
EnergyVampire
July 13, 2012, 07:47:40 PM
 #23

Do trading sites like MtGox, BTC-E, BitStamp, Intersango, bitFloor, GLBSE, etc need a hot wallet at all?

acoindr
July 13, 2012, 07:53:09 PM
 #24

> Do trading sites like MtGox, BTC-E, BitStamp, Intersango, bitFloor, GLBSE, etc need a hot wallet at all?

It depends on the amount of volume. A site like MtGox, having the majority of bitcoin exchange, probably does, because manually processing transactions would be labor intensive.

But remember it's possible to secure a hot wallet, and this latest theft had nothing to do with a hot wallet at all.
kiba
July 13, 2012, 07:57:14 PM
 #25

> It depends on the amount of volume. A site like MtGox, having the majority of bitcoin exchange, probably does, because manually processing transactions would be labor intensive.

They just need automation.

> But remember it's possible to secure a hot wallet, and this latest theft had nothing to do with a hot wallet at all.

It does. Having a balance with mtgox is effectively a hot wallet.

acoindr
July 13, 2012, 08:09:14 PM
 #26

> It does. Having a balance with mtgox is effectively a hot wallet.

I meant people seem to think hot wallets are the reason bitcoins are vulnerable, but wallets are only one potential vulnerability. This latest theft was due to sloppy password handling, and 40K USD was stolen in addition to 40K BTC.
World
July 13, 2012, 08:23:51 PM
 #27

folks,
start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.

who is competent enough to make one? maybe start to collaboratively put that together? it's really important that everyone's knowledge on the subject of security starts being pooled and guided, so that new people coming into the community with an enthusiasm for making great apps don't end up like bitcoinica!

so how about it?

https://en.bitcoin.it/wiki/Securing_online_services

Supporting people with beautiful creative ideas. Bitcoin is because of the developers,exchanges,merchants,miners,investors,users,machines and blockchain technologies work together.
EnergyVampire
July 13, 2012, 08:24:51 PM
Last edit: July 13, 2012, 08:35:04 PM by EnergyVampire
 #28

+1 for this initiative

I like the whole idea of Standard Operating Procedures (SOP), Transparency, Disclosures, Best Practices, etc. for sites that take custody of customers' funds. Not so much as a requirement for starting the site, but as a way for potential/current customers to evaluate the risk involved when dealing with them.

The Bitcoin Protocol is innovative but financial institutions on the other hand have been around for a very long time.

Caveat emptor

kiba
July 13, 2012, 08:27:31 PM
 #29

> I meant people seem to think hot wallets are the reason bitcoins are vulnerable, but wallets are only one potential vulnerability. This latest theft was due to sloppy password handling, and 40K USD was stolen in addition to 40K BTC.

You're right, I guess. Even if the bitcoin were offline, the thief could have waited and waited until the balances were loaded into mtgox and used to pay customers, or until the site started operating.

paulie_w (OP)
July 13, 2012, 08:42:18 PM
 #30

> folks,
> start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.
>
> who is competent enough to make one? maybe start to collaboratively put that together? it's really important that everyone's knowledge on the subject of security starts being pooled and guided, so that new people coming into the community with an enthusiasm for making great apps don't end up like bitcoinica!
>
> so how about it?
>
> https://en.bitcoin.it/wiki/Securing_online_services

oh, great start! i see that it was started in may.

may we use this as the base, and expand it as discussed?
h00ters
July 14, 2012, 01:34:55 AM
 #31

Don't know what your goal is, but anything can be hacked with time. Using proper security techniques helps, but anything can be bypassed. i.e. 2-factor auth, don't use the same passwords, etc... Simple, logical things...

Tip: don't believe everyone that says they are a security expert without any proof... i.e. Patrick from Bitcoinica...
World
July 14, 2012, 08:41:58 PM
 #32

> oh, great start! i see that it was started in may.
> may we use this as the base, and expand it as discussed?

Mike Hearn was the author
https://bitcointalk.org/index.php?topic=82098.msg904743#msg904743

Supporting people with beautiful creative ideas. Bitcoin is because of the developers,exchanges,merchants,miners,investors,users,machines and blockchain technologies work together.
mistfpga
July 14, 2012, 09:23:08 PM
 #33

Hi Paulie,

the advice you want people to use already exists,

the Open Web Application Security Project

https://www.owasp.org/index.php/Main_Page

you will find professional people, who are very good at what they do. These people may even be persuaded to work on bitcoin - that place is like a repository of web app security. if a company does not follow their advice...

go check it out. get some people interested...

bitcoin is a blockchain and interaction with this chain.  it is not securing web apps.

sorry to be a miserable git.

steve
paulie_w (OP)
July 16, 2012, 03:44:58 PM
 #34

here's a place to start maybe:

http://blog.ircmaxell.com/2012/07/secure-programmers-pledge.html
Gavin Andresen
July 16, 2012, 06:12:43 PM
 #35

Starting with OWASP is good advice.

But if you are holding other people's bitcoins, just securing the app is not enough. You need people who have experience securing money telling you how to create processes to make sure you're not the victim of embezzlement, that you are complying with legal requirements, keeping adequate records, keeping customers' funds separate from the funds used to pay expenses, that regular audits are done to detect problems early, and so on.

> The Bitcoin Protocol is innovative but financial institutions on the other hand have been around for a very long time.

+1

How often do you get the chance to work on a potentially world-changing project?