i really respect your opinion and feedback steve, so don't take this the wrong way:
i completely agree that there are incredible levels of detail to this, which are not covered by a blanket term like 'auditor'. however, i think that we need not get bogged down by this for the time being: what we need right now is smart people, documenting and talking about this openly, so that we can CREATE _bitcoin_ auditors. it's clear that not many people really know what that means yet, but i DO NOT mean to imply in my suggestion, that we suddenly generate a class of people with whom we suddenly give all kinds of trust.
trust and reputation must be earned, but we need to start somewhere, and i don't think we can wait for the perfect solution to manifest.
No problem, nothing taken the wrong way. I am pretty thick skinned anyway.
I am now not too sure what your goal is. Audit is a word that means something, and it is not really applicable in the sense that I think you mean it. I strongly feel that to misuse this word now will end up in a whole world of pain later. I do not think that you will be able to retrospectivly change peoples already misunderstood idea.
One of the main purpose/ipmact of having auditable critetria is to stop schysters and snake oil sales men. (Unfortunatly they are also used as a pillow for execs to sleep at night.)
The ability to audit something is granted to an indvidual or company by an overseeing body. The certification bodies will all have different requirements to pass and different levels to which a person can 'graduate too'.
These bodies (certification providers) define standards, and issue best practices (for those who cannot afford or are not able to get a 3rd party to do their due dilligence).
This is kinda against the whole idea of bitcoin - a central authority who says who can and who cannot play. (well to me anyway, who polices the police? this problem was solved by satoshi by not having any police, only and algo, and public record of everything.)
The only real auditable thing I can see in bitcoin is the blockchain and the blockchain interaction. This is something I am trying to build into the bitcoin testing project from the start.
however I feel most of this post is irrelevant because I think what you are after is a list of people who are qualified to be able to do due diligence regarding bitcoin business. I imagine these people would be CISSP/pentester/etc.
I dont think the problem is the lack of these people and their desire to work, it is more people do not want to hire them, we will keep seeing more and more hacks until people realise it is cheaper in the long run. The day a bitcoin exchange gets insurance is the day bitcoin will be here to stay. I am doing my best to develop hardware to bring this day forward.
Basic security practices would include a security model, which can be reviewed. and pen tested. but this would have to be a case by case basis... _your_ security model is unique to _you_ I am 100% sure if genix saw these documents (they cannot be written retrospectivly) none of the issues would have happened.
If your post was to solve the bitcoinia debacles, then all, every single compromise would have been caught multipule times. and these are stuff like FIPS, etc. it is just in the bitcoin world there is no law saying you need to be audited. unlike Finacial Institutions. Real current releveant audits with real legal implications that would have caught all of the issues were not done.
but saying that, a documented security model would have caught all of them too. (again each one more than once)
The problem was the foundations were broken from the start (think win95) and there was no security model to start.
the iso 90001 test process was more or less devised so people could audit testing. an auditor would not be able to tell you that your product is good or bad, just they will all be identical. (by ridgily sticking to the guiidelines)
The good thing about having the auditable testcases and test requirements handled in the QA project space means that we can have bitcoin auditors, and genuine ones, no trust requirement needed.
It can present a clear a defititive security model open to peer review, peer implmentation and will allow mom and pop stores (i am english, its just i like that phrase) will be able to get johnny 5 stars from pc world to check over their setup, or even set it up.) but to make sure it is secure you have to do due diligence and/or trust a thrid party.
A bitcoin auditor would only focus on the blockchain, like the website (CHECK/CREST/whatever) bloke uses OWASP.
I think I might have drunk a bit too much caffeine, sorry if i am rambling. but audit means audit.
cheers,
steve
I dont normally do adverts, but this is the best caffeine buzz I have had in ages, and I am not twitchy... he takes bitcoin, I have used him for years, he is a stand up guy.
thanks mh-uk. I make this in one of those coffee plunger things, leave to brew for 15 mins. you can add hot water 3 times (therefore brew 3 times) the second brew being the best tasting i think
my recipie
3 tablespoons Guayusa - caffeine and others (Ilex Guayusa)
http://mh-uk.net/page22/page22.html (save 10% with bitcoin)
2 teaspoons Blue lotus - added for flavour
http://www.mh-uk.net/page38/page45/page45.html (save 10% with bitcoin)
2 teaspoons damania - flavour and calming
http://www.mh-uk.net/page37/page37.html (save 10% with bitcoin)
