Bitcoin Ops & Security Primer
Russell Smith
April 07, 2014
Transcript
rainforest @rainforestqa

Bitcoin + Ops Primer:
- Understand your risk
- Manage attacks

Rainforest
- Human powered QA SaaS
- Designed for ‘Continuous QA’
- Built for PMs and Developers

Us
- Team of 6 in SoMa
- All developers
- YC S12

Understanding risk

Understand the trade off
- More secure generally means more effort

Risk vs Exposure

High Risks
- Hot wallets / key storage
- Outgoing payments
- Physically shipped items
- Reversible payments (e.g. chargebacks)

…more risks
- Shared hosting / VPS / “physical” security
- Staff

Limiting Exposure
- Storing keys
- Hot wallets -> Cold wallets, where poss
- Principle of least privilege

What risks?

Internet connected = hackable
(Though, the NSA can spy on you, even if you're not connected to the Internet)

Top 5 >1k BTC hacks
- 46k / Linode (Bitcoinica): exploit in admin area / staff -> hotwallet
- 11k / Bitcoin7: “hacked”
- 4.5k / BTC-E: Insecure external API key
- 4k / Kronos: self hack / backdoor
- 2.6k / Gox 2011: exploit in admin area

Top 3 reasons:
- Badly configured servers / services
- Poorly written software
- Exploits

Attack vectors
- Your service
- Your customers
- You & your team

Your service
- Domain
- Email
- Servers (app, db, etc)
- Network
- External services
- Backups

Domain
- DNS hijacking
- MITM attacks
- Doppelganger domains / Typo-squatting
- Renewals

- HSTS
- Pinning / force-ssl
- Cloudflare, imho
- Firewall + IDS

Email
- DKIM / SPF
- Account state
- Clear email policies
- Lockout policy

Servers
- Shared / VPS / AWS
- Dedicated
- Co-lo

- OS + software updates
- Automate provisioning
- Hire pen-testing
- Have a security program

Transactions & locking (see Flexcoin / Poloniex)
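
The "Transactions & locking" slide gives no detail, so this added example (not from the deck, and not a reconstruction of any exchange's code) shows the generic check-then-debit race on a withdrawal path next to the atomic form. The one-row `accounts` table, the amounts and all function names are constructed for illustration.

```python
import sqlite3

def new_ledger(balance):
    """In-memory ledger with one constructed account (id 1)."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN ourselves
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, "
               "balance INTEGER NOT NULL CHECK (balance >= 0))")
    db.execute("INSERT INTO accounts VALUES (1, ?)", (balance,))
    return db

def balance(db):
    return db.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()[0]

def naive_withdrawals(db, amounts):
    """Unsafe: check and debit are separate steps. All requests read first,
    then all write, which replays concurrent requests deterministically."""
    snapshots = [balance(db) for _ in amounts]      # each request reads the balance
    paid = 0
    for amount, seen in zip(amounts, snapshots):    # each acts on its stale read
        if seen >= amount:
            db.execute("UPDATE accounts SET balance = ? WHERE id = 1",
                       (seen - amount,))            # lost update: CHECK never fires
            paid += amount
    return paid

def atomic_withdraw(db, amount):
    """Safe: the balance test and the debit are one statement under a write lock."""
    db.execute("BEGIN IMMEDIATE")                   # take the write lock up front
    try:
        cur = db.execute(
            "UPDATE accounts SET balance = balance - ? "
            "WHERE id = 1 AND balance >= ?", (amount, amount))
        paid = amount if cur.rowcount == 1 else 0   # 0 rows changed = refused
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise
    return paid

def demo():
    unsafe, safe = new_ledger(100), new_ledger(100)
    unsafe_paid = naive_withdrawals(unsafe, [100, 100])
    safe_paid = sum(atomic_withdraw(safe, a) for a in [100, 100])
    return unsafe_paid, balance(unsafe), safe_paid, balance(safe)

if __name__ == "__main__":
    print(demo())
```

The naive path pays out twice against a single balance while the stored balance still looks valid, so reconciling payouts against the ledger is the only place the loss shows up.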

Network
- IDS / IDPS / HIDS
- Firewall (both ways)
- -complex-

External services
- Verify SSL certs
- Limit IPs
- Work out what + who you can trust

Backups
- Major security issue
- Encrypt them
- Test them

Your customers
- Understand their behavior
- (Progressive) Account limits
- Policies
- KYC

Primer
- Educate yourself
- Pick secure by default tech
- 2FA
- Avoid shared servers
- Honey pots
- Automate deployment
- Use SSH keys, rotate them
- Use a Firewall
- Use an IDS
- Encrypt (and take!) backups
- Subscribe to security lists
- Do as little as possible
- Staff opsec
- Principle of least privilege
- Split your servers
- Or consider LXC / KVM
- Split your app

Server:
- partitions + noexec + nosuid
- split running users
- disable root
- remove packages
- SELinux
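
One way to check the "partitions + noexec + nosuid" item, as an added example that is not part of the deck: it audits a mount table in /proc/mounts format against a policy. The policy (which paths, which options), the sample table and the `--live` switch are assumptions made for illustration; the deck does not list specific mount points.

```python
import sys

# Assumed policy (not from the deck): paths that should be their own
# filesystem, and the mount options each one must carry.
POLICY = {
    "/tmp": {"noexec", "nosuid"},
    "/var/tmp": {"noexec", "nosuid"},
    "/home": {"nosuid"},
    "/dev/shm": {"noexec", "nosuid"},
}

# Constructed sample, /proc/mounts layout: device mountpoint fstype options dump pass
SAMPLE = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

def parse_mounts(text):
    """Return {mountpoint: set(options)}; a later entry shadows an earlier one."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                                  # skip blank or malformed lines
        mountpoint = fields[1].replace("\\040", " ")  # the kernel escapes spaces as \040
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts

def audit(text, policy=POLICY):
    """List (mountpoint, problem) for every policy entry the table violates."""
    mounts = parse_mounts(text)
    findings = []
    for mountpoint, required in sorted(policy.items()):
        if mountpoint not in mounts:
            # Lives on the parent filesystem, so it inherits the parent's options.
            findings.append((mountpoint, "not a separate mount"))
            continue
        missing = sorted(required - mounts[mountpoint])
        if missing:
            findings.append((mountpoint, "missing " + ",".join(missing)))
    return findings

if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    text = open("/proc/mounts").read() if live else SAMPLE
    for mountpoint, problem in audit(text):
        print(f"{mountpoint}: {problem}")
```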

Starting points
- Figure out your risk + exposure
- Implement low hanging fruit
- Reduce surface
- Plan the rest

Conclusions
- Simpler = better
- Understand your exposure and limit it

Further reading
- Hacks: https://bitcointalk.org/index.php?topic=83794.0
- Flexcoin: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust-flexcoin/
- Docker: http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and-security
- CVE: http://web.nvd.nist.gov/view/vuln/search?execution=e2s1

Questions?
@rainforestqa @rhs