Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Bitcoin Ops & Security Primer

Avatar for Russell Smith Russell Smith
April 07, 2014
Technology
1
170

Bitcoin Ops & Security Primer

Avatar for Russell Smith

Russell Smith

April 07, 2014
Tweet

More Decks by Russell Smith

See All by Russell Smith
Ops Skills and Tools for Beginners [MongoDB World 2014]
Avatar for Russell Smith ukd1
0
130
3 Infrastructure + workflow lessons from an early stage startup
Avatar for Russell Smith ukd1
0
110
Gearman & Kohana
Avatar for Russell Smith ukd1
2
970
Geo & capped collections with MongoDB
Avatar for Russell Smith ukd1
1
140
Cassandra London UG July 2011 - Riak vs Cassandra
Avatar for Russell Smith ukd1
1
300
MongoDB - Map Reduce
Avatar for Russell Smith ukd1
2
230
MongoDB London UG, April 2011 - MongoDB Introduction
Avatar for Russell Smith ukd1
1
110
MongoDB London 2011 - MongoDB Command Line Tools
Avatar for Russell Smith ukd1
1
190
Seedhack 2011 - Introducing MongoDB
Avatar for Russell Smith ukd1
1
130

Other Decks in Technology

See All in Technology
Karate+Database RiderによるAPI自動テスト導入工数をCline+GitLab MCPを使って2割削減を目指す! / 20251206 Kazuki Takahashi
Avatar for SHIFT EVOLVE shift_evolve
PRO
1
730
MLflowダイエット大作戦
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
1
100
AWS re:Invent 2025で見たGrafana最新機能の紹介
Avatar for 濱田孝治 hamadakoji
0
360
ChatGPTで論⽂は読めるのか
Avatar for Spatial AI Network spatial_ai_network
8
28k
AWS CLIの新しい認証情報設定方法aws loginコマンドの実態
Avatar for wkm2 wkm2
6
720
Ruby で作る大規模イベントネットワーク構築・運用支援システム TTDB
Avatar for Taketo Takashima taketo1113
1
280
Reinforcement Fine-tuning 基礎〜実践まで
Avatar for Morita ch6noota
0
180
Oracle Cloud Infrastructure IaaS 新機能アップデート 2025/09 - 2025/11
Avatar for oracle4engineer oracle4engineer
PRO
0
100
AWSセキュリティアップデートとAWSを育てる話
Avatar for cm-usuda-keisuke cmusudakeisuke
0
250
AWS Trainium3 をちょっと身近に感じたい
Avatar for Yasutaka OHMURA bigmuramura
1
140
コンテキスト情報を活用し個社最適化されたAI Agentを実現する4つのポイント
Avatar for KNOWLEDGE WORK / 株式会社ナレッジワーク kworkdev
PRO
0
870
新 Security HubがついにGA!仕組みや料金を深堀り #AWSreInvent #regrowth / AWS Security Hub Advanced GA
Avatar for MasahiroKawahara masahirokawahara
1
1.9k

Featured

See All Featured
Balancing Empowerment & Direction
Avatar for Lara Hogan lara
5
800
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
7k
How GitHub (no longer) Works
Avatar for Zach Holman holman
316
140k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
22k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
246
13k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
141
7.2k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
333
24k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
32
2.7k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M
Code Review Best Practice
Avatar for Trisha Gee trishagee
74
19k

Transcript

  1. rainforest @rainforestqa Bitcoin + Ops Primer:! Understand your risk Manage

    attacks

  2. @rainforestqa rainforest Rainforest Human powered QA SaaS Designed for ‘Continuous

    QA’ Built for PMs and Developers

  3. @rainforestqa rainforest Us Team of 6 in SoMa All developers

    YC S12

  4. @rainforestqa rainforest Understanding risk

  5. rainforest @rainforestqa Understand the trade off More secure generally means

    more effort

  6. @rainforestqa rainforest Risk vs Exposure

  7. @rainforestqa rainforest High Risks Hot wallets / key storage Outgoing

    payments Physically shipped items Reversible payments (e.g. chargebacks)

  8. @rainforestqa rainforest …more risks Shared hosting / VPS / “physical”

    security Staff

  9. @rainforestqa rainforest Limiting Exposure Storing keys Hot wallets -> Cold

    wallets, where poss Principle of least privilege

  10. @rainforestqa rainforest What risks?

  11. rainforest @rainforestqa Internet connected = hackable (Though, the NSA can

    spy on you, even if you're not connected to the Internet)

  12. @rainforestqa rainforest Top 5 >1k BTC hacks 46k / Linode

    (Bitcoinica): exploit in admin area / staff —> hotwallet 11k / Bitcoin7: “hacked” 4.5k / BTC-E: Insecure external API key 4k / Kronos: self hack / backdoor 2.6k / Gox 2011: exploit in admin area

  13. @rainforestqa rainforest Top 3 reasons:

  14. @rainforestqa rainforest Badly configured servers / services

  15. @rainforestqa rainforest Poorly written software

  16. @rainforestqa rainforest Exploits

  17. @rainforestqa rainforest Attack vectors Your service Your customers You &

    your team

  18. @rainforestqa rainforest Your service Domain Email Servers (app, db, etc)

    Network External services Backups

  19. @rainforestqa rainforest Domain DNS hijacking MITM attacks Doppelganger domains /

    Typo-squatting Renewals

  20. @rainforestqa rainforest HSTS Pinning / force-ssl Cloudflare, imho Firewall +

    IDS

  21. @rainforestqa rainforest Email DKIM / SPF Account state Clear email

    policies Lockout policy

  22. @rainforestqa rainforest Servers Shared / VPS / AWS Dedicated Co-lo

    >

  23. @rainforestqa rainforest OS + software updates Automate provisioning Hire pen-testing

    Have a security program

  24. @rainforestqa rainforest Transactions & locking (see Flexcoin / Poloniex)

  25. @rainforestqa rainforest Network IDS / IDPS / HIDS Firewall (both

    ways) -complex-

  26. @rainforestqa rainforest External services Verify SSL certs Limit IPs Work

    out what + who you can trust

  27. @rainforestqa rainforest Backups Major security issue Encrypt them Test them

  28. @rainforestqa rainforest Your customers Understand their behavior (Progressive) Account limits

    Policies KYC

  29. @rainforestqa rainforest Primer

  30. @rainforestqa rainforest Educate yourself

  31. @rainforestqa rainforest Pick secure by default tech

  32. @rainforestqa rainforest 2FA

  33. @rainforestqa rainforest Avoid shared servers

  34. @rainforestqa rainforest Honey pots

  35. @rainforestqa rainforest Automate deployment

  36. @rainforestqa rainforest Use SSH keys, rotate them

  37. @rainforestqa rainforest Use a Firewall

  38. @rainforestqa rainforest Use an IDS

  39. @rainforestqa rainforest Encrypt (and take!) backups

  40. @rainforestqa rainforest Subscribe to security lists

  41. @rainforestqa rainforest Do as little as possible

  42. @rainforestqa rainforest Staff opsec

  43. @rainforestqa rainforest Principle of least privilege

  44. @rainforestqa rainforest Split your servers

  45. @rainforestqa rainforest Or consider LXC / KVM

  46. @rainforestqa rainforest Split your app

  47. @rainforestqa rainforest Server: partitions + noexec + nosuid split running

    users disable root remove packages SELinux

  48. @rainforestqa rainforest Starting points Figure out your risk + exposure

    Implement low hanging fruit Reduce surface Plan the rest

  49. @rainforestqa rainforest Conclusions Simpler = better Understand your exposure and

    limit it

  50. @rainforestqa rainforest Further reading Hacks: https://bitcointalk.org/index.php?topic=83794.0 Flexcoin: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust- flexcoin/ Docker:

    http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and- security CVE: http://web.nvd.nist.gov/view/vuln/search?execution=e2s1

  51. rainforest @rainforestqa Questions? @rainforestqa @rhs