Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Bitcoin Discussion
Topic OP
Bitcoin Operations and Security Standard (BOSS)
by
1QaZxSw2
on 27/07/2012, 18:19:41 UTC
If any of us want bitcoin to succeed, we need to achieve the following:

Establish security and auditing standards that bitcoin companies and comply with. This can be publicly posted and edited and companies can post a statement of compliance such as: Complies with bitcoin security standard V2.1

The goal of this is to ensure bitcoin can self-regulate instead of running to the government and begging to be saved from the bad guys. I'm not anti-government regulations per se, but calling in the government to regulate a brand new industry will most certainly stifle innovation.

While there seems to be circumstantial evidence to suggest ZT may have either been a naughty boy or just plain stupid, we need to proceed judiciously. Note that accusations are easy, and tomorrow anyone here with any business could be accused of wrong doing should something go wrong.

We need to put in place transparency and self-regulation so that rampant speculation will have no place.

The fiat financial world is heavily regulated because they had to learn all their lessons the hard way. We don't need to. We should simply apply the lessons here and make BTC a far better product.

For example:
V0.1 of Bitcoin Operations & Security Standard (BOSS 0.1)

Goals of BOSS:

1. Set a standard expectation regarding security and operating procedures.
2. Eliminate, reduce and mitigate losses due to theft or corporate wrongdoing
3. Eliminate, reduce and mitigate losses due to customer action or fraud.
4. Ensure the most up to date security mechanisms are in place.

Users:
1. Every account has 2-factor authentication. [This prevents fraudulent claims of password theft etc]
2. All passwords are salted and hashed. Use state of the art password protection as available using zero knowledge encryption. The unencrypted password should not travel beyond the user's device. Example: blockchain.info [Mitigates loss due to/claim of lost password db]
3. All users who store more than 1000BTC or $10000 USD need to provide scanned copy of govt id. [Large amounts attract theft. Disclosing your identity may be the only way to protect yourself. Prevents Govt coming after corporations for money laundering.]
4. Maximum daily withdrawals are set based on corporate policy. 1000BTC and $10000 recommended. Larger amounts may be allowed after a phone call and verification. [This prevents large losses in case of password theft]
4.a. Optional: withdrawals should go to the same wallet deposits were made from. Customer can always withdraw full amount to the originating wallet, change the designated outgoing wallet and replace the funds as necessary for financial privacy and security. [For some businesses such as mixing services, this makes no sense]

Companies:
5. All Corporate funds are strictly separated from Customer funds. [This makes embezzlement easy to detect and prevents accidental losses]
6. Most BTC are stored in cold wallets. [Prevents large losses due to root privilege compromise]
7. The cold wallets containing more than 1000BTC keys are split among at least 2 officers of the company, so that no one person can withdraw from a cold wallet. Steps should be taken to ensure that these keys portions are not shared and not lost if one of the officers dies or exits the company.
8. Other cold wallets have a maximum amount of 1000BTC beyond which it should split into two cold wallets. [This puts an upper limit on loss from actions of an unscrupulous officer of a company.]
9. Companies will take user privacy very seriously and will not air issues in a public forum. As appropriate, resolve issues with the customer or contact law enforcement. [This will build confidence in bitcoin businesses and prevent slander/accusations of slander]
10. Where appropriate, companies should insure against losses of user funds from theft, loss of keys, disruption of operations, etc. This does not apply to trading losses caused by user's own actions. [Builds confidence and permits outside entity, i.e. the insurance company to audit security procedures]

Added per suggestions:
11. All operational data including user data, financial transactions, software state and configs should be encrypted and backed up to at least one geographically separate location. 2 copies in two geographically isolated locations recommended. [Everything is gone! is no longer a valid argument]