Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bitcoin Ops & Security Primer

Avatar for Russell Smith Russell Smith
April 07, 2014
Technology
1
170

Bitcoin Ops & Security Primer

Avatar for Russell Smith

Russell Smith

April 07, 2014
Tweet

More Decks by Russell Smith

See All by Russell Smith
Ops Skills and Tools for Beginners [MongoDB World 2014]
Avatar for Russell Smith ukd1
0
120
3 Infrastructure + workflow lessons from an early stage startup
Avatar for Russell Smith ukd1
0
110
Gearman & Kohana
Avatar for Russell Smith ukd1
2
960
Geo & capped collections with MongoDB
Avatar for Russell Smith ukd1
1
140
Cassandra London UG July 2011 - Riak vs Cassandra
Avatar for Russell Smith ukd1
1
290
MongoDB - Map Reduce
Avatar for Russell Smith ukd1
2
210
MongoDB London UG, April 2011 - MongoDB Introduction
Avatar for Russell Smith ukd1
1
99
MongoDB London 2011 - MongoDB Command Line Tools
Avatar for Russell Smith ukd1
1
190
Seedhack 2011 - Introducing MongoDB
Avatar for Russell Smith ukd1
1
120

Other Decks in Technology

See All in Technology
組織全員で向き合うAI Readyなデータ利活用
Avatar for harry gappy50
4
1.4k
入院医療費算定業務をAIで支援する:包括医療費支払い制度とDPCコーディング (公開版)
Avatar for Takashi Nishibayashi hagino3000
0
120
AI-Readyを目指した非構造化データのメダリオンアーキテクチャ
Avatar for R-Miura r_miura
1
340
スタートアップの現場で実践しているテストマネジメント #jasst_kyushu
Avatar for Makky makky_tyuyan
0
140
.NET 10のBlazorの期待の新機能
Avatar for tkym htkym
0
150
QA業務を変える(!?)AIを併用した不具合分析の実践
Avatar for ma2ri__ ma2ri
0
160
だいたい分かった気になる 『SREの知識地図』 / introduction-to-sre-knowledge-map-book
Avatar for katsuhisa_ katsuhisa91
PRO
3
1.5k
AWS DMS で SQL Server を移行してみた/aws-dms-sql-server-migration
Avatar for emi emiki
0
250
AI時代の開発を加速する組織づくり - ブログでは書けなかったリアル
Avatar for Hiro hiro8ma
2
340
OTEPsで知るOpenTelemetryの未来 / Observability Conference Tokyo 2025
Avatar for Arthur arthur1
0
300
ざっくり学ぶ 『エンジニアリングリーダー 技術組織を育てるリーダーシップと セルフマネジメント』 / 50 minute Engineering Leader
Avatar for iwashi iwashi86
4
1.8k
仕様駆動開発を実現する上流工程におけるAIエージェント活用
Avatar for sergicalsix sergicalsix
4
1.2k

Featured

See All Featured
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
9
930
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
29
5.6k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
4k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
127
17k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.3k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.2k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7.2k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
Done Done
Avatar for chrislema chrislema
185
16k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
52
5.7k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.7k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
3.1k

Transcript

  1. rainforest @rainforestqa Bitcoin + Ops Primer:! Understand your risk Manage

    attacks

  2. @rainforestqa rainforest Rainforest Human powered QA SaaS Designed for ‘Continuous

    QA’ Built for PMs and Developers

  3. @rainforestqa rainforest Us Team of 6 in SoMa All developers

    YC S12

  4. @rainforestqa rainforest Understanding risk

  5. rainforest @rainforestqa Understand the trade off More secure generally means

    more effort

  6. @rainforestqa rainforest Risk vs Exposure

  7. @rainforestqa rainforest High Risks Hot wallets / key storage Outgoing

    payments Physically shipped items Reversible payments (e.g. chargebacks)

  8. @rainforestqa rainforest …more risks Shared hosting / VPS / “physical”

    security Staff

  9. @rainforestqa rainforest Limiting Exposure Storing keys Hot wallets -> Cold

    wallets, where poss Principle of least privilege

  10. @rainforestqa rainforest What risks?

  11. rainforest @rainforestqa Internet connected = hackable (Though, the NSA can

    spy on you, even if you're not connected to the Internet)

  12. @rainforestqa rainforest Top 5 >1k BTC hacks 46k / Linode

    (Bitcoinica): exploit in admin area / staff —> hotwallet 11k / Bitcoin7: “hacked” 4.5k / BTC-E: Insecure external API key 4k / Kronos: self hack / backdoor 2.6k / Gox 2011: exploit in admin area

  13. @rainforestqa rainforest Top 3 reasons:

  14. @rainforestqa rainforest Badly configured servers / services

  15. @rainforestqa rainforest Poorly written software

  16. @rainforestqa rainforest Exploits

  17. @rainforestqa rainforest Attack vectors Your service Your customers You &

    your team

  18. @rainforestqa rainforest Your service Domain Email Servers (app, db, etc)

    Network External services Backups

  19. @rainforestqa rainforest Domain DNS hijacking MITM attacks Doppelganger domains /

    Typo-squatting Renewals

  20. @rainforestqa rainforest HSTS Pinning / force-ssl Cloudflare, imho Firewall +

    IDS

  21. @rainforestqa rainforest Email DKIM / SPF Account state Clear email

    policies Lockout policy

  22. @rainforestqa rainforest Servers Shared / VPS / AWS Dedicated Co-lo

    >

  23. @rainforestqa rainforest OS + software updates Automate provisioning Hire pen-testing

    Have a security program

  24. @rainforestqa rainforest Transactions & locking (see Flexcoin / Poloniex)

  25. @rainforestqa rainforest Network IDS / IDPS / HIDS Firewall (both

    ways) -complex-

  26. @rainforestqa rainforest External services Verify SSL certs Limit IPs Work

    out what + who you can trust

  27. @rainforestqa rainforest Backups Major security issue Encrypt them Test them

  28. @rainforestqa rainforest Your customers Understand their behavior (Progressive) Account limits

    Policies KYC

  29. @rainforestqa rainforest Primer

  30. @rainforestqa rainforest Educate yourself

  31. @rainforestqa rainforest Pick secure by default tech

  32. @rainforestqa rainforest 2FA

  33. @rainforestqa rainforest Avoid shared servers

  34. @rainforestqa rainforest Honey pots

  35. @rainforestqa rainforest Automate deployment

  36. @rainforestqa rainforest Use SSH keys, rotate them

  37. @rainforestqa rainforest Use a Firewall

  38. @rainforestqa rainforest Use an IDS

  39. @rainforestqa rainforest Encrypt (and take!) backups

  40. @rainforestqa rainforest Subscribe to security lists

  41. @rainforestqa rainforest Do as little as possible

  42. @rainforestqa rainforest Staff opsec

  43. @rainforestqa rainforest Principle of least privilege

  44. @rainforestqa rainforest Split your servers

  45. @rainforestqa rainforest Or consider LXC / KVM

  46. @rainforestqa rainforest Split your app

  47. @rainforestqa rainforest Server: partitions + noexec + nosuid split running

    users disable root remove packages SELinux

  48. @rainforestqa rainforest Starting points Figure out your risk + exposure

    Implement low hanging fruit Reduce surface Plan the rest

  49. @rainforestqa rainforest Conclusions Simpler = better Understand your exposure and

    limit it

  50. @rainforestqa rainforest Further reading Hacks: https://bitcointalk.org/index.php?topic=83794.0 Flexcoin: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust- flexcoin/ Docker:

    http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and- security CVE: http://web.nvd.nist.gov/view/vuln/search?execution=e2s1

  51. rainforest @rainforestqa Questions? @rainforestqa @rhs