Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Bitcoin Ops & Security Primer
Search
Russell Smith
April 07, 2014
Technology
1
150
Bitcoin Ops & Security Primer
Russell Smith
April 07, 2014
Tweet
Share
More Decks by Russell Smith
See All by Russell Smith
Ops Skills and Tools for Beginners [MongoDB World 2014]
ukd1
0
110
3 Infrastructure + workflow lessons from an early stage startup
ukd1
0
99
Gearman & Kohana
ukd1
2
950
Geo & capped collections with MongoDB
ukd1
1
130
Cassandra London UG July 2011 - Riak vs Cassandra
ukd1
1
270
MongoDB - Map Reduce
ukd1
2
200
MongoDB London UG, April 2011 - MongoDB Introduction
ukd1
1
91
MongoDB London 2011 - MongoDB Command Line Tools
ukd1
1
170
Seedhack 2011 - Introducing MongoDB
ukd1
1
110
Other Decks in Technology
See All in Technology
Navigation3でViewModelにデータを渡す方法
mikanichinose
0
220
Amazon S3標準/ S3 Tables/S3 Express One Zoneを使ったログ分析
shigeruoda
3
440
BrainPadプログラミングコンテスト記念LT会2025_社内イベント&問題解説
brainpadpr
1
160
AWS テクニカルサポートとエンドカスタマーの中間地点から見えるより良いサポートの活用方法
kazzpapa3
2
450
JSX - 歴史を振り返り、⾯⽩がって、エモくなろう
pal4de
4
1.1k
Clineを含めたAIエージェントを 大規模組織に導入し、投資対効果を考える / Introducing AI agents into your organization
i35_267
4
1.5k
Azure AI Foundryでマルチエージェントワークフロー
seosoft
0
170
PostgreSQL 18 cancel request key長の変更とRailsへの関連
yahonda
0
120
米国国防総省のDevSecOpsライフサイクルをAWSのセキュリティサービスとOSSで実現
syoshie
2
960
CSS、JSをHTMLテンプレートにまとめるフロントエンド戦略
d120145
0
270
VCpp Link and Library - C++ breaktime 2025 Summer
harukasao
0
240
PHPでWebブラウザのレンダリングエンジンを実装する
dip_tech
PRO
0
190
Featured
See All Featured
Embracing the Ebb and Flow
colly
86
4.7k
Art, The Web, and Tiny UX
lynnandtonic
299
21k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.3k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Git: the NoSQL Database
bkeepers
PRO
430
65k
Documentation Writing (for coders)
carmenintech
71
4.9k
Product Roadmaps are Hard
iamctodd
PRO
53
11k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.4k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
Building a Modern Day E-commerce SEO Strategy
aleyda
41
7.3k
Transcript
rainforest @rainforestqa Bitcoin + Ops Primer:! Understand your risk Manage
attacks
@rainforestqa rainforest Rainforest Human powered QA SaaS Designed for ‘Continuous
QA’ Built for PMs and Developers
@rainforestqa rainforest Us Team of 6 in SoMa All developers
YC S12
@rainforestqa rainforest Understanding risk
rainforest @rainforestqa Understand the trade off More secure generally means
more effort
@rainforestqa rainforest Risk vs Exposure
@rainforestqa rainforest High Risks Hot wallets / key storage Outgoing
payments Physically shipped items Reversible payments (e.g. chargebacks)
@rainforestqa rainforest …more risks Shared hosting / VPS / “physical”
security Staff
@rainforestqa rainforest Limiting Exposure Storing keys Hot wallets -> Cold
wallets, where poss Principle of least privilege
@rainforestqa rainforest What risks?
rainforest @rainforestqa Internet connected = hackable (Though, the NSA can
spy on you, even if you're not connected to the Internet)
@rainforestqa rainforest Top 5 >1k BTC hacks 46k / Linode
(Bitcoinica): exploit in admin area / staff —> hotwallet 11k / Bitcoin7: “hacked” 4.5k / BTC-E: Insecure external API key 4k / Kronos: self hack / backdoor 2.6k / Gox 2011: exploit in admin area
@rainforestqa rainforest Top 3 reasons:
@rainforestqa rainforest Badly configured servers / services
@rainforestqa rainforest Poorly written software
@rainforestqa rainforest Exploits
@rainforestqa rainforest Attack vectors Your service Your customers You &
your team
@rainforestqa rainforest Your service Domain Email Servers (app, db, etc)
Network External services Backups
@rainforestqa rainforest Domain DNS hijacking MITM attacks Doppelganger domains /
Typo-squatting Renewals
@rainforestqa rainforest HSTS Pinning / force-ssl Cloudflare, imho Firewall +
IDS
@rainforestqa rainforest Email DKIM / SPF Account state Clear email
policies Lockout policy
@rainforestqa rainforest Servers Shared / VPS / AWS Dedicated Co-lo
>
@rainforestqa rainforest OS + software updates Automate provisioning Hire pen-testing
Have a security program
@rainforestqa rainforest Transactions & locking (see Flexcoin / Poloniex)
@rainforestqa rainforest Network IDS / IDPS / HIDS Firewall (both
ways) -complex-
@rainforestqa rainforest External services Verify SSL certs Limit IPs Work
out what + who you can trust
@rainforestqa rainforest Backups Major security issue Encrypt them Test them
@rainforestqa rainforest Your customers Understand their behavior (Progressive) Account limits
Policies KYC
@rainforestqa rainforest Primer
@rainforestqa rainforest Educate yourself
@rainforestqa rainforest Pick secure by default tech
@rainforestqa rainforest 2FA
@rainforestqa rainforest Avoid shared servers
@rainforestqa rainforest Honey pots
@rainforestqa rainforest Automate deployment
@rainforestqa rainforest Use SSH keys, rotate them
@rainforestqa rainforest Use a Firewall
@rainforestqa rainforest Use an IDS
@rainforestqa rainforest Encrypt (and take!) backups
@rainforestqa rainforest Subscribe to security lists
@rainforestqa rainforest Do as little as possible
@rainforestqa rainforest Staff opsec
@rainforestqa rainforest Principle of least privilege
@rainforestqa rainforest Split your servers
@rainforestqa rainforest Or consider LXC / KVM
@rainforestqa rainforest Split your app
@rainforestqa rainforest Server: partitions + noexec + nosuid split running
users disable root remove packages SELinux
@rainforestqa rainforest Starting points Figure out your risk + exposure
Implement low hanging fruit Reduce surface Plan the rest
@rainforestqa rainforest Conclusions Simpler = better Understand your exposure and
limit it
@rainforestqa rainforest Further reading Hacks: https://bitcointalk.org/index.php?topic=83794.0 Flexcoin: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust- flexcoin/ Docker:
http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and- security CVE: http://web.nvd.nist.gov/view/vuln/search?execution=e2s1
rainforest @rainforestqa Questions? @rainforestqa @rhs