Category Archives: Bitcoin

Why Even Cyber Criminals Need Web App Security

Back in October 2013, this guy Ross Ulbricht (AKA Dread Pirate Roberts – DPR) who was in charge of the popular website Silk Road was arrested by the FBI in a San Francisco library. His laptop had about 45 million bucks in Bitcoin on it and he was charged with a bunch of stuff ranging from planned murder to breaking just about everything in the Computer Fraud and Abuse Act.

Nice message from FBI we saw when Silk Road was seized

It was a bit of a surprise when he got arrested because he was very careful. He hid behind a bunch of Tor nodes, hid everything he did, and went out of his way to remain anonymous. Many thought that the Tor network was suddenly hackable by the FBI and that they used illegal means to arrest him. Well, the nice folks at the FBI recently told us what really happened; he was a web app security noob of ginormous proportions. But hey, before you start calling him that, remember that you probably are too (heck, this site is built on WordPress).

DPR got caught because he used a captcha on his site, as everyone should when authenticating users. However, the captcha verification resolved to his main website server directly instead of going through Tor like the rest of his site (LOL!). This was probably going on for a stupid amount of time but no one ever really figured it out. It’s one of those things that is just so stupid that you would never think to check it.

Ok! Ok! I must have, I must have put a decimal point in the wrong place or something. Shit. I always do that. I always mess up some mundane

In my professional opinion (if you can call it that), if DPR had taken the time to have security professionals look into the security of his site, he wouldn’t have gotten caught so fast. I guess that even if you’re running a seedy and most likely illegal online enterprise, security should still matter. Probably more than ever.

Here is how a test by a professional would have gone, assuming they knew anonymity was a priority:

  1. They would set up a proxy for the Silk Road website and observe traffic
  2. They would see that most traffic goes to Tor nodes
  3. It would be easy to see that the captcha verification always resolves to the same IP
  4. Notify DPR that they know where his site is hosted

Case solved… 45 million bucks saved for the time being.
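Step 3 of that test is mechanical enough to script. The example below is added here and is not code from the original post: it parses the HTML a privacy-sensitive service serves, plus its response headers, and reports every reference that would make a client (or a server-side verifier) talk to a literal IP or a host outside the expected onion address. The onion hostname, the 203.0.113.7 address and the sample page are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the only host a client of this service should ever
# contact. The name is made up for the example.
EXPECTED_HOSTS = {"exampleonionaddress.onion"}

# Constructed sample page: one resource correctly points at the onion host,
# one (the captcha verify frame) points at a literal IP.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <img src="/captcha.png">
  <script src="http://exampleonionaddress.onion/js/app.js"></script>
  <iframe src="http://203.0.113.7/captcha/verify?sid=abc"></iframe>
  <a href="/market">market</a>
</form>
</body></html>
"""

# Constructed sample headers: a redirect to a literal IP is just as bad as a
# reference inside the page body.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Location": "http://203.0.113.7/captcha/verify",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class _RefCollector(HTMLParser):
    """Collect every attribute value that can trigger a fetch or a submit."""
    FETCH_ATTRS = {"src", "href", "action", "data"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.FETCH_ATTRS and value:
                self.refs.append((tag, name, value))


def find_leaks(html, headers, expected_hosts):
    """Return (where, value, reason) for each reference that would reach
    something other than the expected host. Relative URLs are same-origin
    and therefore fine; absolute URLs must name an expected host."""
    findings = []
    collector = _RefCollector()
    collector.feed(html)
    for tag, attr, value in collector.refs:
        host = urlparse(value).hostname
        if host is None:            # relative URL, stays on the same origin
            continue
        if host not in expected_hosts:
            reason = "literal IP" if IPV4.fullmatch(host) else "clearnet host"
            findings.append((f"<{tag} {attr}>", value, reason))
    for name, value in headers.items():
        if IPV4.search(value):
            findings.append((f"header {name}", value, "literal IP"))
    return findings


if __name__ == "__main__":
    for where, value, reason in find_leaks(SAMPLE_HTML, SAMPLE_HEADERS, EXPECTED_HOSTS):
        print(f"{reason:13} {where:18} {value}")
```

Run it against a saved copy of each page and its headers (a local proxy log is the easiest source) and anything it prints is a place where the deployment contacts, or tells clients to contact, an address outside the network it is supposed to live behind. It will not see server-side fetches that never appear in the page, which is why the proxy observation in steps 1 and 2 is still needed.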


The Hard Thing About Hard Things

I am at an interesting point in my life. I am transitioning from being in a consulting role to becoming CTO of a Payments/Bitcoin startup. This prospect is both extremely exciting and a bit terrifying at the same time.

I have also been working on making myself more of a well-rounded individual. Since my rising interest in Bitcoin, I have become increasingly interested in the world of finance, entrepreneurship, and dare I say…politics (gross). I was recommended a book written by Ben Horowitz, the ex-CEO and a very successful VC and entrepreneur. After googling the first chapter and reading it, I decided to buy the book.

There were many things in Ben’s early life that I could personally relate to, so the book was an easy and entertaining read for me. For example, we both come from very humble beginnings. My family and I are refugees from Bosnia who had to start from scratch after moving to the States. My parents were 40 years old at the time and I don’t know about you, but I can’t imagine moving somewhere at 40 with only what you could pack into a suitcase and starting over – never mind being successful (all with young children and not speaking a lick of English). Ben mentions his parents being card-carrying communists, which was particularly interesting to me since I was born in communist Yugoslavia and I always noticed how my parents were affected by having grown up under that form of government. When I was growing up in Kentucky my father would always ask me if I had my “documents” every time I ventured outdoors to play with my friends. There were many other similarities that I won’t go into, but the one thing I believe is that when you don’t come up in a privileged environment, you have to grow up fast and be able to adapt very quickly. This definitely seems to be a theme throughout Ben’s book.

The book goes through Ben’s version of the crazy roller coaster ride that is the venture capital lifestyle that’s so prevalent in Silicon Valley. What really keeps you on the edge of your seat is the insane number of choices a CEO has to make regularly that could mean the life or death of the company. The book also highlights how the leadership position is a very lonely place. The CEO often makes decisions and they are never popular with everyone. The book goes into many of the tougher decisions that a leader has to make whether it’s firing a close friend or a manager that has significant influence at the company. What I really liked about this book is that there weren’t any chapters that I read and thought the content was common sense. Ben did a great job of cutting out the bullshit and providing the reader with content that really matters.

Overall I think the book is a great read no matter who you are. I’ve seen multiple reviews that criticize the book by saying that it’s geared toward CEOs and other top-level executives. I wholeheartedly disagree, because to me the book has great advice on how to be a leader and how to take responsibility when put in a position where your decisions affect those around you. My only criticism is that I would have liked to read more examples of failures that Ben and others in the industry have had and how they have successfully recovered from them.

I would definitely recommend the read.

Amazon Link to Book
Annotated First Chapter on
Ben’s Twitter


Engineer’s Perspective of The NYDFS BitLicense Regulatory Framework

A few minutes ago, Ben Lawsky from NYDFS released the Proposed BitLicense Regulatory Framework. I’m sure lots of very smart lawyers, regulators, and finance folks will have a thorough analysis of the proposal. However, I wanted to check it out to see how this proposal would affect virtual currency related implementations for engineers.

There is no doubt that this will affect business and regulatory requirements for many Bitcoin software and hardware startups. So let’s look at some of the points.

Anti Money Laundering & Cyber Security

  1. Provide for independent testing for compliance with, and the effectiveness of, the anti-money laundering program to be conducted by qualified personnel of the Licensee or by a qualified outside party, at least annually – This will affect almost every Bitcoin based business. Engineers will have to implement a robust logging and auditing feature that monitors all their business’ transactions so that at the end of the year they can provide a complete log of what went on. There are many security implications for this. For one, this will most likely contain Personally Identifiable Information (PII) and will have to be kept safe. I could see potential businesses popping up just to provide this service for Bitcoin companies.
  2. Provide ongoing training for appropriate personnel to ensure they have a fulsome understanding of anti-money laundering requirements – Yeah, that won’t happen anywhere. If it does, it will be some e-learning program that everyone forgets within minutes of watching it. But hey, that’s compliance!
  3. Records of Virtual Currency transactions. Each Licensee shall maintain the following information for all transactions involving the payment, receipt, exchange or conversion, purchase, sale, transfer, or transmission of Virtual Currency: the identity and physical addresses of the parties involved, the amount or value of the transaction, including in what denomination purchased, sold, or transferred, the method of payment, the date(s) on which the transaction was initiated and completed, and a description of the transaction – This is a doozy. I think this is what will give companies the most headache. The two that give me the most pause are the requirement to have the physical address of the parties involved and a description of the transaction. It basically means that if you’re a BitLicense holder and you’re doing business with a person or entity, they not only have to provide you with their address but also a description of what the transaction is for. We’re already seeing this added at companies like Coinbase where whenever you take BTC out of your wallet, they ask you where it’s going. It seems quite intrusive to me and might turn many people away from Bitcoin. On the technical side of things, engineers will have to make sure that the data they collect is valid and compensate for the fact that transactions just went from simply putting in a Bitcoin address and hitting send to having to provide physical addresses and detailed descriptions. How do you validate these descriptions? There will need to be a protocol or system in place that allows merchants and businesses to whitelist Bitcoin addresses, and that leads to a huge privacy issue in itself.
  4. Each Licensee shall file Suspicious Activity Reports – This is hard. Engineering this can be a total nightmare. There will be a lot of false positives and Bitcoin startups will struggle to keep up with the customer relations nightmare this might cause.
  5. Each Licensee shall establish and maintain an effective cyber security program to ensure the availability and functionality of the Licensee’s electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering. – Thank you Jesus! This is probably the most important aspect of this entire section. Unfortunately, Fortune 500 businesses fail miserably at this, so what makes us think Bitcoin startups with college dropouts for engineers can do it? I actually have more faith in them than I do in the financial industry.
  6. Each Licensee shall designate a qualified employee to serve as the Licensee’s Chief Information Security Officer (“CISO”) – This is a neat idea. This expense will be huge for small Bitcoin companies. They simply cannot afford penetration tests, code reviews, and other items in this section. A huge amount of their funding may have to be spent on security which in turn might reduce time to market significantly if not done extremely efficiently.
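Items 1 and 3 together describe a record-keeping system: every transaction carries the listed fields, the fields have to be validated at capture time, and the resulting log has to survive an annual independent audit intact. The following is an added example of one way to build that, not code from the proposal or from any company: a record type whose fields follow the list in item 3, a validator, and an append-only log in which each entry commits to the previous one so that an altered or deleted entry is detectable at audit time. The physical-address fields (the PII the post worries about) are replaced in the chain by a hash so the log itself can be handed to an auditor without the addresses; the field names, the hashing choice and the sample transactions are this example’s own.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, fields
from datetime import datetime
from decimal import Decimal, InvalidOperation


# Fields follow the proposal's list for "Records of Virtual Currency
# transactions"; the names and types are this example's assumptions.
@dataclass
class VcTransaction:
    sender_identity: str
    sender_address: str          # physical address (PII)
    receiver_identity: str
    receiver_address: str        # physical address (PII)
    amount: str                  # decimal string, never a float
    denomination: str            # e.g. "BTC" or "USD"
    payment_method: str
    initiated: str               # ISO-8601 with timezone
    completed: str
    description: str             # what the transaction is for


REQUIRED = [f.name for f in fields(VcTransaction)]
PII_FIELDS = ("sender_address", "receiver_address")


def validate(tx: VcTransaction) -> None:
    """Raise ValueError for any missing or malformed required field."""
    d = asdict(tx)
    missing = [k for k in REQUIRED if not str(d[k]).strip()]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    try:
        if Decimal(tx.amount) <= 0:
            raise ValueError("amount must be positive")
    except InvalidOperation:
        raise ValueError("amount is not a decimal number") from None
    started = datetime.fromisoformat(tx.initiated)
    finished = datetime.fromisoformat(tx.completed)
    if finished < started:
        raise ValueError("completed before initiated")


class AuditLog:
    """Append-only, hash-chained log: entry N's hash covers entry N-1's hash,
    so editing or dropping any entry breaks verification of all later ones."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, tx: VcTransaction) -> str:
        validate(tx)
        record = asdict(tx)
        # Keep raw addresses out of the chain; the hash still lets an auditor
        # match the entry against a separately encrypted PII store.
        for k in PII_FIELDS:
            record[k] = hashlib.sha256(record[k].encode()).hexdigest()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry_hash = self._hash(prev, record)
        self.entries.append({"prev": prev, "record": record, "entry_hash": entry_hash})
        return entry_hash

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._hash(prev, e["record"]) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    @staticmethod
    def _hash(prev: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True)   # canonical encoding
        return hashlib.sha256((prev + body).encode()).hexdigest()


def sample_tx(**overrides) -> VcTransaction:
    """Constructed sample transaction for demonstration; override any field."""
    base = dict(sender_identity="Alice Example", sender_address="1 Main St, Albany NY",
                receiver_identity="Bob Example", receiver_address="2 Side St, Buffalo NY",
                amount="0.5", denomination="BTC", payment_method="wallet transfer",
                initiated="2014-07-17T15:04:05+00:00", completed="2014-07-17T15:05:00+00:00",
                description="payment for invoice 17")
    base.update(overrides)
    return VcTransaction(**base)


if __name__ == "__main__":
    log = AuditLog()
    log.append(sample_tx())
    log.append(sample_tx(amount="1.25", description="second payment"))
    print("chain valid:", log.verify())
    log.entries[0]["record"]["amount"] = "100"      # simulate a tampered record
    print("chain valid after tampering:", log.verify())
```

In practice the chain head would be published or countersigned periodically (to a WORM store, a notary, or simply e-mailed to the auditor) so that rewriting the whole chain from the tampered entry onward is also caught; the code above only makes tampering detectable, not impossible.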

Overall thoughts

I think NYDFS definitely took a lot of caution when writing this. It’s a thin line for sure because if they are too strict with their framework it will drive innovation and jobs out of the state and possibly this country. As a New York resident, I’m not terribly disappointed by the proposal. It seems doable. The simple fact of the matter is that most people will have no issue adhering to this BitLicense. None of the items seem to be any more intrusive than the credit card industry and the merchants still get the benefit of irreversible transactions that protect them from chargebacks and fraud.

Engineers will have their work cut out for them as they should. The security items outlined in the proposal are robust. While it will definitely increase cost from both a staffing and infrastructure perspective, it will encourage Bitcoin companies to think about security before something bad happens. Frameworks will have to be put in place to secure, audit, and monitor all virtual currency activity in an organization. This will be tough at first but I think services and tools will become available to aid businesses in doing this.

I think the Bitcoin community is innovative enough to find cost effective solutions to meet all these proposed regulations in a way that does not stifle innovation too much. However, I also think that the process to meet these regulations will “separate the men from the boys” when people start thinking about starting a Bitcoin business.

You can view the full thing here:


Freezing, Cold, Brisk, Warm, and Hot Bitcoin Storage

I get a lot of people asking me about the proper way to do cold storage of their Bitcoins. These are commonly folks who are building a Bitcoin startup and are taking preventative measures. I like to think these are the people that will be successful, unlike Mt. Gox and many other Bitcoin startups that neglect to think about their customers.

Anyway, I’ve devised a scheme for this on the Bitcoin Security Project organization that I run. In my security engineer duties I’ve had to design many secure architectures and I certainly think that this is one of them. If you disagree, contact me.

The scheme is a multi-tier architecture that I believe to be suitable for small to large Bitcoin companies. The basics are simple:

  1. Keep only a small amount in hot storage that wouldn’t ruin you if you lose it.
  2. Require strong authorization and authentication from multiple people when moving Bitcoin between tiers.
  3. Give some training to the folks who have control of your Bitcoin, please.
  4. Use common sense and do not automate withdrawal from cold storage. Servers get hacked all the time ya know.
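The four rules are easy to state and easy to get wrong in code, so here is an added example of a policy check that enforces them for a transfer between tiers. It is not the Bitcoin Security Project’s scheme or code; the tier names follow the post’s title, while the balance ceilings, approver counts and operator list are constructed values for illustration. Amounts are integers in satoshi so that no rounding can creep into a balance check.

```python
from dataclasses import dataclass

BTC = 100_000_000   # one bitcoin in satoshi; all amounts below are integers

# Tiers from least to most exposed. Ceilings and approver counts are
# constructed for this example; pick your own from what you can afford to lose.
POLICY = {
    "hot":      {"max_balance": 5 * BTC,   "approvers": 1, "automated_ok": True},
    "warm":     {"max_balance": 50 * BTC,  "approvers": 2, "automated_ok": False},
    "brisk":    {"max_balance": 500 * BTC, "approvers": 2, "automated_ok": False},
    "cold":     {"max_balance": None,      "approvers": 3, "automated_ok": False},
    "freezing": {"max_balance": None,      "approvers": 4, "automated_ok": False},
}

# Constructed list of people who may approve moves (rule 3 is the training
# they get; the code can only check that they are on the list).
AUTHORIZED = {"alice", "bob", "carol", "dave", "erin"}


@dataclass
class TransferRequest:
    src: str
    dst: str
    amount: int                   # satoshi
    approvals: frozenset          # names of operators who signed off
    initiated_by_service: bool    # True if a server process raised it, not a human


def evaluate(req: TransferRequest, balances: dict) -> tuple:
    """Return (allowed, reason) without changing anything. balances maps
    tier name -> current balance in satoshi."""
    if req.src not in POLICY or req.dst not in POLICY or req.src == req.dst:
        return False, "unknown or identical tiers"
    if req.amount <= 0 or req.amount > balances.get(req.src, 0):
        return False, "amount invalid or exceeds source balance"
    src_rule = POLICY[req.src]
    # Rule 4: a compromised server must never be able to drain the colder tiers.
    if req.initiated_by_service and not src_rule["automated_ok"]:
        return False, f"automated withdrawal from {req.src} is not allowed"
    # Rule 2: enough distinct, authorized people must approve a withdrawal
    # from the source tier. Unknown names are simply not counted.
    valid = req.approvals & AUTHORIZED
    if len(valid) < src_rule["approvers"]:
        return False, f"{src_rule['approvers']} approvals required, {len(valid)} valid"
    # Rule 1: the destination's ceiling caps what a loss of that tier costs you.
    ceiling = POLICY[req.dst]["max_balance"]
    if ceiling is not None and balances.get(req.dst, 0) + req.amount > ceiling:
        return False, f"{req.dst} ceiling of {ceiling} satoshi would be exceeded"
    return True, "ok"


def apply(req: TransferRequest, balances: dict) -> tuple:
    """Evaluate and, if allowed, move the balance between tiers."""
    allowed, reason = evaluate(req, balances)
    if allowed:
        balances[req.src] -= req.amount
        balances[req.dst] = balances.get(req.dst, 0) + req.amount
    return allowed, reason


if __name__ == "__main__":
    balances = {"freezing": 1000 * BTC, "cold": 100 * BTC, "brisk": 0,
                "warm": 10 * BTC, "hot": 1 * BTC}
    three = frozenset({"alice", "bob", "carol"})
    print(evaluate(TransferRequest("cold", "hot", 10 * BTC, three, True), balances))
    print(evaluate(TransferRequest("cold", "hot", 10 * BTC, three, False), balances))
    print(apply(TransferRequest("cold", "warm", 10 * BTC, three, False), balances))
```

The approvals set stands in for whatever the real system collects (hardware-signed approvals, a multisig spend, sign-off in a ticket); the point is that the check is made in one place, before any key is touched, and that a server process can only ever be the initiator for the hot tier.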

Below is the scheme if you’re too lazy to check out the link above.

Multi Tiered Cold Storage Solution


The Aegis Bitcoin Wallet

I’ve been using Bitcoin for a couple of years now. It’s gone from a curiosity to somewhat of an obsession. Anyway, my mobile device of choice is an Android and I haven’t been able to find a wallet that I can use and trust at the same time. So I decided to create one.

I designed it from the ground up for security. Lots of help was given by the guys at especially in the NFC department. They also did an awesome job coordinating and coming through on the UI design. Admittedly, I am more of an engineer and definitely not a UI designer.

The wallet has a ton of features. For security, it encrypts all keys that are on the device. In order to send money, you either have to provide a password or an NFC tag that has an encryption value stored on it.
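The design point in that last sentence is that two independent unlock factors, a password and a secret stored on an NFC tag, both have to open the same encrypted key material. One standard way to get that is the key-slot pattern used by disk encryption: a random master key is generated once and wrapped separately under a key derived from each factor. The code below is an added illustration of that pattern in Python using only the standard library; it is not Aegis’s code, and the KDF parameters, the slot layout and the slot labels are assumptions. The master key it unlocks would then be the key that actually encrypts the wallet’s private keys (with an authenticated cipher, not shown here).

```python
import hashlib
import hmac
import os

# scrypt cost for the password slot; an assumption for this example, and
# something to raise as far as the device can tolerate.
SCRYPT = dict(n=2 ** 14, r=8, p=1)


def _kdf_password(password: bytes, salt: bytes) -> bytes:
    """Stretch a low-entropy password into a 32-byte slot key."""
    return hashlib.scrypt(password, salt=salt, dklen=32, **SCRYPT)


def _kdf_tag(tag_secret: bytes, salt: bytes) -> bytes:
    """The tag holds 32 random bytes already, so no stretching is needed;
    one keyed hash gives domain separation and binds the salt."""
    return hmac.new(tag_secret, b"aegis-example-tag-slot" + salt, hashlib.sha256).digest()


def _wrap(master: bytes, slot_key: bytes) -> tuple:
    """Mask the 32-byte master key with a one-use 32-byte pad derived from the
    slot key, and authenticate the result so that a wrong factor or a
    modified slot is detected instead of yielding a garbage master key."""
    assert len(master) == 32 and len(slot_key) == 32
    mask_key = hmac.new(slot_key, b"mask", hashlib.sha256).digest()
    mac_key = hmac.new(slot_key, b"mac", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(master, mask_key))
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return wrapped, tag


def _unwrap(wrapped: bytes, tag: bytes, slot_key: bytes):
    """Return the master key, or None if the slot key does not verify."""
    mask_key = hmac.new(slot_key, b"mask", hashlib.sha256).digest()
    mac_key = hmac.new(slot_key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    return bytes(a ^ b for a, b in zip(wrapped, mask_key))


def create_keystore(password: bytes, tag_secret: bytes) -> dict:
    """Generate a fresh master key and wrap it once per unlock factor."""
    master = os.urandom(32)
    pw_salt, tag_salt = os.urandom(16), os.urandom(16)
    pw_wrapped, pw_tag = _wrap(master, _kdf_password(password, pw_salt))
    nfc_wrapped, nfc_tag = _wrap(master, _kdf_tag(tag_secret, tag_salt))
    # Only salts, wrapped keys and MACs are stored; neither factor nor the
    # master key ever sits on disk in the clear.
    return {"password_slot": (pw_salt, pw_wrapped, pw_tag),
            "nfc_slot": (tag_salt, nfc_wrapped, nfc_tag)}


def unlock_with_password(store: dict, password: bytes):
    salt, wrapped, tag = store["password_slot"]
    return _unwrap(wrapped, tag, _kdf_password(password, salt))


def unlock_with_tag(store: dict, tag_secret: bytes):
    salt, wrapped, tag = store["nfc_slot"]
    return _unwrap(wrapped, tag, _kdf_tag(tag_secret, salt))


if __name__ == "__main__":
    tag_secret = os.urandom(32)                 # what gets written to the NFC tag
    store = create_keystore(b"correct horse battery staple", tag_secret)
    print(unlock_with_password(store, b"correct horse battery staple") == unlock_with_tag(store, tag_secret))
    print(unlock_with_password(store, b"wrong") is None)
```

Because each factor only ever wraps the master key, a lost tag or a changed password means rewriting one slot rather than re-encrypting every key in the wallet, and a tag that is copied gives an attacker the slot key only if they also obtain the stored keystore.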

You can download the wallet at the play store or you can visit the site here:

You can check out the code on github at Please contribute if you can. All help is appreciated.

Aegis Home Screen