Ruxum: Wall Street-Level Security Comes to Bitcoin - jsherry
http://techcrunch.com/2011/07/18/ruxum-wall-street-level-security-comes-to-bitcoin-with-new-exchange/

======
tptacek
Their security claim appears to revolve around signing up with "Trust Guard":

<http://www.trust-guard.com/>

I can sum up my take on this by saying I've never heard of "Trust Guard".

~~~
Xk
They have an XSS on <https://secure.trust-guard.com/> (enter a username like
<img src=g onerror=alert(1)> -- yes, it won't work with Chrome's XSS
filter)... somehow I'm inclined to believe they are not so great.

(An attacker could exploit that in a number of ways. Here's a simple one:
create a site with a domain name that looks really similar.
<http://secure.trustt-guard.com> or something, it doesn't matter. When a user
visits, autosubmit a form to <https://secure.trust-guard.com> with the
malicious payload; the first thing it does is hide the error message and
incorrect username. The user then enters username/password and attacker reads
the values and sends it back to his site.)

What's worse, I can't find any way to report this. Does anyone see a link?
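The reflection Xk describes, shown as an added illustration that is not Trust Guard's code and not from the thread: a hypothetical error-page renderer that echoes the submitted username raw, the same renderer with HTML escaping, and a small regression check that the fix leaves no user-supplied tag in the output.

```python
import html
import re

# Constructed sample input: the payload quoted in the thread, pasted as a username.
SAMPLE_USERNAME = '<img src=g onerror=alert(1)>'


def render_error_vulnerable(username: str) -> str:
    """Hypothetical buggy renderer: reflects the username verbatim into the page."""
    return f'<p class="error">Incorrect username: {username}</p>'


def render_error_fixed(username: str) -> str:
    """Same message, but the username is HTML-escaped for the element-body context.

    html.escape turns < > & " ' into entities, so the browser renders the text
    instead of parsing an <img> element (attribute and JS contexts would need
    their own encoders; this covers the body-text reflection in the thread).
    """
    return f'<p class="error">Incorrect username: {html.escape(username, quote=True)}</p>'


# Matches opening tags such as <img ...> or <script>; closing tags are not needed here.
TAG_RE = re.compile(r'<\s*[a-zA-Z][^>]*>')


def reflected_tags(rendered: str, user_input: str) -> list[str]:
    """Return every HTML tag in the rendered page that came from the user input.

    A cheap regression check for a template or test suite: the hardened renderer
    must return an empty list for any input.
    """
    return [tag for tag in TAG_RE.findall(rendered) if tag in user_input]


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_error_vulnerable),
                           ("fixed", render_error_fixed)):
        out = renderer(SAMPLE_USERNAME)
        print(f"{name}: {out}")
        print(f"  reflected tags: {reflected_tags(out, SAMPLE_USERNAME)}")
```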

~~~
zwp
> They have an XSS

Oh dear.

The (short) audio clips on their site are... interesting. Trust Guard's
emphasis/value appears to be sales conversions, not security per se.

<https://www.trust-guard.com/category-s/3.htm>

First sentences from the two co-founders:

"We really really try to help our customers increase their conversion rate."

"People spend a lot of time and a lot of money getting people to their site,
then they don't do the things that increase conversion."

~~~
jerf
"Trust Guard's emphasis/value appears to be sales conversions, not security
per se."

The first startup I worked for was a PCI-compliance company. So I can tell you
that the only way to sell "PCI-compliance" is that the credit card companies
_require_ it, and the only way to _differentiate_ your service is by hyping
the conversions it will help with. The reason is that these companies are
fundamentally selling a check in the checklist that their customers otherwise
do not care about. (Alas, even requiring people to care about security doesn't
actually make them care about security.) For their front page, this isn't
necessarily a surprise, it really doesn't tell you anything about the company
either way.

Now, XSS on their front page... conclude away.

------
jerf
Goals aren't results. Ruxum has the _goal_ of bringing "Wall Street-level"
security to BitCoin trading. We won't have a good idea of whether they've
_succeeded_ until they've come under sustained attack by intelligent hackers
for long periods of time, and stood up. (And note I said "good idea" even so,
not "proof".)

I also read the security policy at <https://x.ruxum.com/security>. It's nice
and all, and does sound to be off on a better track, but being really, really
secure is hard. I'm not saying they haven't succeeded, I really don't know (or
much care). I'm just commenting on how phrasing it as if it's a done deal,
rather than a _goal_, is cognitively hazardous.

------
evilswan
In light of recent years' events, I hope "Wall Street-Level Security" is taken
to mean "Not very secure".

~~~
nbpoole
> _Just passed a 47,000 point security check by an independent 3rd party. Our
> platform is also now PCI DSS compliant. Daily tests starting now_

<https://twitter.com/#!/ruxum/status/86827701381496833>

In other words, <https://secure.trust-guard.com/certificates/www.ruxum.com>

Personally, I don't consider that to be "Wall Street-Level Security."

~~~
chadp
That is one thing; there are some others here: <https://x.ruxum.com/security>

~~~
nbpoole
Yes, with a lot of vague, generic statements.

"_Security measures have been built into the design and setup of our
infrastructure._" tells you absolutely nothing. Neither does "_Disasters are
never nice events and we hope they don't happen. We also expect one will
happen and have plans to recover when it does._" (although it's not strictly
a security issue either).

------
noonespecial
"Wall Street Level" means insured against loss. Bcrypt is good security
practice. Taking responsibility for the money you hold for people is "Wall
Street Level".

------
ebaysucks
I'm building my own Bitcoin Exchange as we speak and I can tell you, these
security measures are nice (we had most of them planned too, plus some) but
real Wall Street level security is only affordable in a more mature market.

~~~
adrianwaj
Have you seen this? <https://github.com/macourtney/Dark-Exchange>

edit: this is not my repo!

~~~
ebaysucks
This is a github repo I think we missed.

Have shared it with the team.

We are making some changes to the bitcoin client to make our centralized
exchange more secure, but a distributed exchange is a promising model too.

We ended up not pursuing that route as we didn't find a user friendly way of
decentralizing the deposits and withdrawals.

Will get back to you later to discuss your repo and maybe we can work together
in the near future. Good luck with your project!

------
rheide
Another centralized institution profiting from the decentralized-ness of
Bitcoin. Perhaps it's the direction Bitcoin will have to grow in, in order to
stay alive/popular.

------
ScottBurson
This is the second new Bitcoin exchange I've seen recently. The first was
CampBX: <http://campbx.com/>

(Don't ask me why a business that's trying to get itself taken seriously as a
financial exchange would choose a name containing the word "camp".)

Anyway, for the moment, as far as security goes, these new exchanges don't
necessarily need "Wall Street-level" security; they just need to be perceived
as probably being more secure than Mt. Gox, which, given recent events,
shouldn't be difficult.

But to attract traders, they also need liquidity, which they don't have much
of yet.

------
travem
Assuming that their claim is true it wouldn't protect the value of bitcoins in
the event of a similar incident to Mt. Gox occurring in a different exchange,
would it? The value would still crash dramatically.

~~~
ebaysucks
Depends on whether they have an automated circuit breaker in place.

------
dguido
Contrast this with TradeHill which recently announced a two-factor login
option powered by DUO Security. I'll take a guess and say that tptacek at
least knows who runs DUO :-).

<https://www.tradehill.com/>

<http://www.duosecurity.com/about>

------
SlyShy
You can sign-up using the invitation code "techcrunch", but there are only
five hundred open spaces.

<https://x.ruxum.com/users/sign_up>