Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bitcoin Ops & Security Primer

Russell Smith
April 07, 2014
Technology
1
150

Bitcoin Ops & Security Primer

Russell Smith

April 07, 2014
Tweet

More Decks by Russell Smith

See All by Russell Smith
Ops Skills and Tools for Beginners [MongoDB World 2014]
ukd1
0
100
3 Infrastructure + workflow lessons from an early stage startup
ukd1
0
90
Gearman & Kohana
ukd1
2
930
Geo & capped collections with MongoDB
ukd1
1
120
Cassandra London UG July 2011 - Riak vs Cassandra
ukd1
1
260
MongoDB - Map Reduce
ukd1
2
190
MongoDB London UG, April 2011 - MongoDB Introduction
ukd1
1
81
MongoDB London 2011 - MongoDB Command Line Tools
ukd1
1
160
Seedhack 2011 - Introducing MongoDB
ukd1
1
100

Other Decks in Technology

See All in Technology
改めて学ぶ Trait の使い方 / phpcon odawara 2025
meihei3
1
570
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM, Prompt Engineering and Building Tutors
ks91
PRO
1
210
やさしいMCP入門
minorun365
PRO
147
95k
JPOUG Tech Talk #12 UNDO Tablespace Reintroduction
nori_shinoda
1
120
Langchain4j y Ollama - Integrando LLMs con programas Java @ Commit Conf 2025
deors
1
130
入社後SREチームのミッションや課題の整理をした話
morix1500
1
250
アジャイル脅威モデリング#1(脅威モデリングナイト#8)
masakane55
3
160
50人の組織でAIエージェントを使う文化を作るためには / How to Create a Culture of Using AI Agents in a 50-Person Organization
yuitosato
6
3.2k
Classmethod AI Talks(CATs) #21 司会進行スライド(2025.04.17) / classmethod-ai-talks-aka-cats_moderator-slides_vol21_2025-04-17
shinyaa31
0
450
LangfuseでAIエージェントの 可観測性を高めよう!/Enhancing AI Agent Observability with Langfuse!
jnymyk
0
170
Beyond {shiny}: The Future of Mobile Apps with R
colinfay
1
370
ウォンテッドリーにおける Platform Engineering
bgpat
0
190

Featured

See All Featured
Code Reviewing Like a Champion
maltzj
522
39k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
119
51k
Faster Mobile Websites
deanohume
306
31k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
How GitHub (no longer) Works
holman
314
140k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
390
Statistics for Hackers
jakevdp
798
220k
Unsuck your backbone
ammeep
670
57k
Rails Girls Zürich Keynote
gr2m
94
13k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Build The Right Thing And Hit Your Dates
maggiecrowley
35
2.6k
KATA
mclloyd
29
14k

Transcript

  1. rainforest @rainforestqa Bitcoin + Ops Primer:! Understand your risk Manage

    attacks

  2. @rainforestqa rainforest Rainforest Human powered QA SaaS Designed for ‘Continuous

    QA’ Built for PMs and Developers

  3. @rainforestqa rainforest Us Team of 6 in SoMa All developers

    YC S12

  4. @rainforestqa rainforest Understanding risk

  5. rainforest @rainforestqa Understand the trade off More secure generally means

    more effort

  6. @rainforestqa rainforest Risk vs Exposure

  7. @rainforestqa rainforest High Risks Hot wallets / key storage Outgoing

    payments Physically shipped items Reversible payments (e.g. chargebacks)

  8. @rainforestqa rainforest …more risks Shared hosting / VPS / “physical”

    security Staff

  9. @rainforestqa rainforest Limiting Exposure Storing keys Hot wallets -> Cold

    wallets, where poss Principle of least privilege

  10. @rainforestqa rainforest What risks?

  11. rainforest @rainforestqa Internet connected = hackable (Though, the NSA can

    spy on you, even if you're not connected to the Internet)

  12. @rainforestqa rainforest Top 5 >1k BTC hacks 46k / Linode

    (Bitcoinica): exploit in admin area / staff —> hotwallet 11k / Bitcoin7: “hacked” 4.5k / BTC-E: Insecure external API key 4k / Kronos: self hack / backdoor 2.6k / Gox 2011: exploit in admin area

  13. @rainforestqa rainforest Top 3 reasons:

  14. @rainforestqa rainforest Badly configured servers / services

  15. @rainforestqa rainforest Poorly written software

  16. @rainforestqa rainforest Exploits

  17. @rainforestqa rainforest Attack vectors Your service Your customers You &

    your team

  18. @rainforestqa rainforest Your service Domain Email Servers (app, db, etc)

    Network External services Backups

  19. @rainforestqa rainforest Domain DNS hijacking MITM attacks Doppelganger domains /

    Typo-squatting Renewals

  20. @rainforestqa rainforest HSTS Pinning / force-ssl Cloudflare, imho Firewall +

    IDS

  21. @rainforestqa rainforest Email DKIM / SPF Account state Clear email

    policies Lockout policy

  22. @rainforestqa rainforest Servers Shared / VPS / AWS Dedicated Co-lo

    >

  23. @rainforestqa rainforest OS + software updates Automate provisioning Hire pen-testing

    Have a security program

  24. @rainforestqa rainforest Transactions & locking (see Flexcoin / Poloniex)

  25. @rainforestqa rainforest Network IDS / IDPS / HIDS Firewall (both

    ways) -complex-

  26. @rainforestqa rainforest External services Verify SSL certs Limit IPs Work

    out what + who you can trust

  27. @rainforestqa rainforest Backups Major security issue Encrypt them Test them

  28. @rainforestqa rainforest Your customers Understand their behavior (Progressive) Account limits

    Policies KYC

  29. @rainforestqa rainforest Primer

  30. @rainforestqa rainforest Educate yourself

  31. @rainforestqa rainforest Pick secure by default tech

  32. @rainforestqa rainforest 2FA

  33. @rainforestqa rainforest Avoid shared servers

  34. @rainforestqa rainforest Honey pots

  35. @rainforestqa rainforest Automate deployment

  36. @rainforestqa rainforest Use SSH keys, rotate them

  37. @rainforestqa rainforest Use a Firewall

  38. @rainforestqa rainforest Use an IDS

  39. @rainforestqa rainforest Encrypt (and take!) backups

  40. @rainforestqa rainforest Subscribe to security lists

  41. @rainforestqa rainforest Do as little as possible

  42. @rainforestqa rainforest Staff opsec

  43. @rainforestqa rainforest Principle of least privilege

  44. @rainforestqa rainforest Split your servers

  45. @rainforestqa rainforest Or consider LXC / KVM

  46. @rainforestqa rainforest Split your app

  47. @rainforestqa rainforest Server: partitions + noexec + nosuid split running

    users disable root remove packages SELinux

  48. @rainforestqa rainforest Starting points Figure out your risk + exposure

    Implement low hanging fruit Reduce surface Plan the rest

  49. @rainforestqa rainforest Conclusions Simpler = better Understand your exposure and

    limit it

  50. @rainforestqa rainforest Further reading Hacks: https://bitcointalk.org/index.php?topic=83794.0 Flexcoin: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust- flexcoin/ Docker:

    http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and- security CVE: http://web.nvd.nist.gov/view/vuln/search?execution=e2s1

  51. rainforest @rainforestqa Questions? @rainforestqa @rhs