acoindr
Legendary
Offline
Activity: 1050
Merit: 1002
July 13, 2012, 07:17:48 PM
High tech is not the solution to the problems in your previous emails, but my comment was a bit of a sidetrack (that I wish to drop from this thread after this point is made):
I was strictly talking about an idea of how to hide a hot wallet server, disconnected from your previous points. The above, provided some basic precaution on the part of the developer, would not reveal a means into the wallet server.
Oh, gotcha. Yes, securing hot wallets has been discussed, but I don't know the thread off hand.
EnergyVampire
July 13, 2012, 07:47:40 PM
Do trading sites like MtGox, BTC-E, BitStamp, Intersango, bitFloor, GLBSE, etc need a hot wallet at all?
acoindr
Legendary
Offline
Activity: 1050
Merit: 1002
July 13, 2012, 07:53:09 PM
Do trading sites like MtGox, BTC-E, BitStamp, Intersango, bitFloor, GLBSE, etc need a hot wallet at all?
It depends on the amount of volume. A site like MtGox, having the majority of bitcoin exchange, probably does, because manually processing transactions would be labor intensive. But remember it's possible to secure a hot wallet, and this latest theft had nothing to do with a hot wallet at all.
kiba
Legendary
Offline
Activity: 980
Merit: 1020
July 13, 2012, 07:57:14 PM
It depends on the amount of volume. A site like MtGox, having the majority of bitcoin exchange, probably does, because manually processing transactions would be labor intensive.
They just need automation. But remember it's possible to secure a hot wallet, and this latest theft had nothing to do with a hot wallet at all.
It does. Having a balance with mtgox is effectively a hot wallet.
acoindr
Legendary
Offline
Activity: 1050
Merit: 1002
July 13, 2012, 08:09:14 PM
It does. Having a balance with mtgox is effectively a hot wallet.
I meant people seem to think hot wallets are the reason bitcoins are vulnerable, but wallets are only one potential vulnerability. This latest theft was due to sloppy password handling, and 40K USD was stolen in addition to 40K BTC.
World
July 13, 2012, 08:23:51 PM
Folks, start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.
Who is competent enough to make one? Maybe start to collaboratively put that together? It's really important that everyone's knowledge on the subject of security starts being pooled and guided so that new people coming into the community with an enthusiasm for making great apps don't end up like Bitcoinica!
So how about it?
https://en.bitcoin.it/wiki/Securing_online_services
Supporting people with beautiful creative ideas. Bitcoin is because of the developers,exchanges,merchants,miners,investors,users,machines and blockchain technologies work together.
EnergyVampire
July 13, 2012, 08:24:51 PM Last edit: July 13, 2012, 08:35:04 PM by EnergyVampire
+1 for this initiative
I like the whole idea of Standard Operating Procedures (SOP), Transparency, Disclosures, Best Practices, etc. for sites that take custody of customers' funds. Not so much as a requirement for starting the site but as a way for potential/current customers to evaluate the risk involved when dealing with them.
The Bitcoin Protocol is innovative but financial institutions on the other hand have been around for a very long time.
Caveat emptor
kiba
Legendary
Offline
Activity: 980
Merit: 1020
July 13, 2012, 08:27:31 PM
I meant people seem to think hot wallets are the reason bitcoins are vulnerable, but wallets are only one potential vulnerability. This latest theft was due to sloppy password handling, and 40K USD was stolen in addition to 40K BTC.
You're right, I guess. Even if the bitcoins were offline, the thief could have waited and waited until the balances were loaded into mtgox and used to pay customers, or until the site started operating.
paulie_w (OP)
July 13, 2012, 08:42:18 PM
Folks, start putting together a wiki guide for making secure bitcoin apps, from web to desktop to mobile.
Who is competent enough to make one? Maybe start to collaboratively put that together? It's really important that everyone's knowledge on the subject of security starts being pooled and guided so that new people coming into the community with an enthusiasm for making great apps don't end up like Bitcoinica!
So how about it?
https://en.bitcoin.it/wiki/Securing_online_services
Oh, great start! I see that it was started in May. May we use this as the base, and expand it as discussed?
h00ters
Newbie
Offline
Activity: 22
Merit: 0
July 14, 2012, 01:34:55 AM
Don't know what your goal is, but anything can be hacked with time. Using proper security techniques helps, but anything can be bypassed. I.e. 2-factor auth, don't use the same passwords, etc... Simple, logical things...
Tip: don't believe everyone that says they are a security expert without any proof... I.e. Patrick from Bitcoinica...
World
July 14, 2012, 08:41:58 PM
Oh, great start! I see that it was started in May. May we use this as the base, and expand it as discussed?
Mike Hearn was the author: https://bitcointalk.org/index.php?topic=82098.msg904743#msg904743
mistfpga
Member
Offline
Activity: 86
Merit: 13
July 14, 2012, 09:23:08 PM
Hi Paulie, the advice you want people to use already exists: the Open Web Application Security Project, https://www.owasp.org/index.php/Main_Page
You will find professional people there who are very good at what they do. These people may even be persuaded to work on bitcoin; that place is like a repository of web app security. If a company does not follow their advice... go check it out. Get some people interested... Bitcoin is a blockchain and interaction with this chain. It is not securing web apps. Sorry to be a miserable git. Steve
paulie_w (OP)
July 16, 2012, 03:44:58 PM
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2301
Chief Scientist
July 16, 2012, 06:12:43 PM
Starting with OWASP is good advice. But if you are holding other people's bitcoins, just securing the app is not enough. You need people who have experience securing money telling you how to create processes to make sure you're not the victim of embezzlement, that you are complying with legal requirements, keeping adequate records, keeping customers' funds separate from the funds used to pay expenses, that regular audits are done to detect problems early, and so on.
The Bitcoin Protocol is innovative but financial institutions on the other hand have been around for a very long time.
+1
How often do you get the chance to work on a potentially world-changing project?