This is what you get when you have amateurs try and develop security systems. While I applaud them for at least trying, and I realize that hiring an actual security consultant is unlikely to happen, it pains me to see their security system as described.
A half-decent systems security architect (in the whole scheme of things) is not that expensive - I'm sure someone like @tptacek would provide a referral to someone charging less than $1000/hour who could, in a matter of two or three weeks, architect an actual secure solution, with HSMs, XofY authorization procedures and so on, that the good people at coinbase could (or not) go off and design/deploy.
[edit: Part of my pain at looking at this system is seeing all the many, obvious flaws that other industries that need security (military, banking, smart grids) have had to deal with and have solved in elegant, secure, reliable ways. I work in an industry where no one individual can be allowed to have excessive rights, privileges, or power over the system under their control. The many, many, many layers of security, audits, rights management, and AAA we have in place to do so are impressive (though, ironically, one of the elements does involve acid-free 100 year paper in Safe Deposit boxes). Reading through the coinbase description, though, is akin to reading about the encryption system created by someone who had never taken a cryptography course.
The outputs from both groups can be trivially shown to be completely flawed by those who've had the opportunity to see how it's properly done.]
I think this is a bit of an unfair, perhaps even elitist post, and certainly seems a bit against the culture here at HN.
Why so much text devoted to tearing down without a single suggestion as to how they could do better, or where their flaws are now? Is it that you can't give $1000/hr advice for free, but instead have to defend the value of that $1000/hr?
I am most definitely not a security expert, but this sure seems like a step forward, and has some really interesting aspects to it from a Bitcoin perspective. (that they can deposit to the offline storage without actually touching the offline storage is one)
Yes, the most glaring issue is there is only one offline storage site. But if the person with the decryption key is different than the person with the safe deposit key (and I suppose more than one of each) then I don't see the glaring issue.
Please offer constructive criticism instead of just tearing it down.
These people are proposing to manage people's money, without having a serious understanding of how to secure it. For me, it's akin to watching someone build a bridge that people's cars are going to be driving across without having a background in civil engineering. I may not be able to tell them how to build the bridge, but I sure know it's going to end poorly when they try to do it themselves.
As a first step, add an NofM authentication process with a pair of Sophos/Utimaco HSMs doing rate/key/encryption management.
Thanks, that is nice to actually have a suggestion.
One note is that I think you vastly overestimate the competency level of organizations. Just because they are large and have an air of security does not mean their systems are terribly secure. I can speak from personal experience that huge government organizations that ought to know better have absolutely glaring security holes.
But yes, we should all strive to do better. I think NofM encryption in particular would be a great improvement.
> I think this is a bit of an unfair, perhaps even elitist post, and certainly seems a bit against the culture here at HN.
Maybe it's just my impression, but a lot of security-related discussions evoke the "comic book guy voice".
Speaking of... any of you security guys want to recommend a good book that talks about different solutions and common situations when they're useful? Not a "how to...", but a "know that this thing is available, and here's when it might be useful".
You're aware that two weeks * 40 hours/week * $1000/hour = $80 000 (plus HSMs and ongoing costs imposed by additional security), and that the Bitcoin breaches we've heard of so far cost $100 000 - 300 000? The level of security you're proposing seems excessive.
(Also, their "team" page seems to list one person. It's very hard to make XofY security work in really small organizations.)
All that said, Bitcoin security is amateur hour, and you're right that there's a lot they could learn from people who have solved such problems before.
Shouldn't it worry (terrify?) you that a small group of two or three people could coordinate with each other and abscond with your money? Isn't the fact that $80,000 worth of consulting costs is considered an investment too large to consider making also a pretty big red flag?
I'm genuinely curious what you think the most likely attack vector currently is and what the next most low-hanging security fruit for coinbase are.
From my perspective it looks like coinbase is currently the most secure and redundant way to store your bitcoins. Of course everyone could store them on their own and design their own security system, but I doubt many people can do better than what the OP describes.
Security concerns that occupy 90%+ of our architects' minds:
o What happens if one or more employees goes rogue?
o What happens if an employee is "hit by a truck"?
o What happens if an employee is blackmailed/extorted?
o What happens if your offsite archive is vandalized/broken into/crashed into by a plane?
These all have solutions that have been in place for 20+ years in the military/banking industry.
Thanks for the reference. I have just activated "verified by visa" feature on my primary card, but it appears to be a nonsense again:
"After you activate Verified by Visa, your card will be recognized when you buy at participating online stores. You'll enter your password in the Verified by Visa window, your identity will be verified, and the transaction will be completed. In stores that are not yet participating in Verified by Visa, your Visa card will continue to work as usual."
Basically, everyone still has the power to charge me when they know my card number. The feature seems to be protecting merchants, not customers (yes, I understand that my bank will likely refund all stolen funds, but I would prefer a sane solution).
Unfortunately chip and pin is not as secure as the industry wants you to believe. There have been several examples of where people have modified card terminals to allow the chip and pin information to be intercepted and used elsewhere.
Any links? All the breaches I've seen so far have been either to fool the user to fall back to magstripe (after having them enter their PIN), or to fake the display of the amount you're charging.
IIRC there was one problem where the encryption used between the card and the bank was bad, or the card's chip still had its write pins exposed, but I think that was solved by replacing the cards with newer ones.
And by disclosing that amateurish procedure and a barely "anonymized" picture of one of their employees, they are basically inviting criminals to have a go at your third scenario.
Part of professional security schemes is protecting your employees and their families. That's why money messengers don't have keys to the boxes they transport. That's why there are deposit-only safes.
1) Actually, removing as much risk as possible, limiting risk to a small subset of wealth, at the expense of latency in some cases, is a perfect solution here (I'm not charging $1k/yr yet...). Coinbase presumably has a certain amount of risk they'll cover internally, and some level they can't or won't cover, so making sure the worst case breach doesn't exceed their risk tolerance is necessary and brilliant.
Any insurer would require a solution like this, on top of any other audit and control measures. The only weakness with the system as it stands now is documentation (which the blog post accomplishes, to some extent) -- the next step is to develop legal and technical measures (possibly using threshold cryptography, HSMs, etc., as well as multiple contracted parties like law firms, escrow agents, etc.) to enforce the fundamental principle of reducing value at risk to a reasonable level.
2) Please give me an example of ANYTHING the military, banking, or smart grids have solved "elegantly", especially in security. Elegance is the opposite of how those industries work -- they solve things with brute force.
3) This solution is elegant in that it's a simple hack and accomplishes the goals using the resources available.
It's not a general solution to the computer security problem, but took advantage of a compromise (latency) they could make.
CAs, for a long time, actually did a lot of work using laptops stored in bank vaults, rather than HSMs, since there was no good way to run all the code they needed in-HSM, or they needed to use kinds of keys not supported in HSM. Later, they bought HSMs for the keys themselves (mainly to do multi-party access control), and kept the laptop too.
These "other" industries are not so perfect. In the military, for example, it is common for single individuals to have excessive access to confidential information. When they go rogue, bad things happen, e.g. http://en.wikipedia.org/wiki/Bradley_manning
This is both awesome and hilarious at the same time.
The whole point of bitcoin was to decouple currency from institutions (banks/governments etc.).
Instead they're right back where they started - only they've replaced gold/currency with bits that can be easily copied and stolen.
> "Oh but the government can't inflate us away!"
No, but they sure as hell can take away your "safety" deposit box.
> "But private property rights! Rule of law!"
Ever heard of the quote: "The guy with the gun makes the rules"?
Rights don't exist separate from external force (aka the government, corporations, military, mafia etc.). Neither do laws. They are merely useful abstractions - but don't mistake the map for the territory.
Rights/laws are, quite simply, power group sanctioned specific use of deadly force for the benefit of one or another specific group (dictator/oligopoly/the people etc.).
They don't actually exist. Like money, land titles, contracts and bitcoins.
Actually, now that I come to think of it a lot of things in society don't actually exist - honour, respect, gods, free markets, meritocracy, a just world and oh so much more - but let's not get ahead of ourselves shall we.
I'm limiting myself to shattering only one illusion per day.
> "The whole point of bitcoin was to decouple currency from institutions (banks/governments etc.)."
The above statement is incorrect.
The "whole point of bitcoin" per http://bitcoin.org/about.html :
>"Bitcoin is designed around the idea of using cryptography to control the creation and transfer of money, rather than relying on central authorities."
As you can see - the intent is not to decouple the currency itself from institutions, but the creation and transfer of the currency from central authorities.
To address your other points:
Bitcoin is on equal footing compared to other currencies with regard to many things including: government confiscation, individual risk, and institutional risk.
Other currencies have the advantage of: far greater acceptance, low barrier to use (you just physically hand something to someone else).
Bitcoin has the advantage of: no central bank, no central banking inflation (by design, creation and transfer is via cryptography)
Control by definition is centralized to those with power.
What you mean is the delegation of control by those in power should occur - e.g. Let people make their own choices for houses, clothes, food, land, family and work to make our economies more efficient.
But don't ever think that control can ever be decentralized.
It can only be delegated and it can be revoked at any time (see the Internet).
I don't understand - what part of what I have said has anything to do with a) being a zealot or b) revolutionary.
My statements were firmly on the side of the status quo police/militarily enforced liberal/social/democratic/capitalist western societies, and are, in and of themselves, neither surprising, controversial nor patently false.
FYI, the state of California has been known to escheat the contents of safe deposit boxes under certain circumstances. It has been known to happen by mistake or in cases where it obviously shouldn't have. If the box is escheated, the papers would be immediately shredded, and the USB keys auctioned off. You'd end up with a few cents from the state (for the USB keys, pennies to the dollar) and absolutely no recourse.
I would highly recommend getting a 2nd safe deposit box with a different bank and store the exact same contents in both (or better, get 3+ total and use m-of-n encryption... but in reality the effort involved would not be practical unless you rarely dip into offline funds).
PS: you're saying I only need to search banks in the bay area for one with that color scheme, floor tile, and banker, then drill/blast the box shown and make off with 90% of Coinbase's deposits in untraceable cash? Free tip #2: change boxes, soon.
[EDIT: that said, I appreciate spreading the word about offline storage. It would have been better to do a blog post (maybe a follow-up?) on how others can do the same thing with Armory running on a live-cd.]
> PS: you're saying I only need to search banks in the bay area for one with that color scheme, floor tile, and banker, then drill/blast the box shown and make off with 90% of Coinbase's deposits in untraceable cash?
You'll also need to AES-256 decrypt the contents of the box.
This is a little OT, but I am confused. I just opened an account at MtGox and it is asking me for a verification step, one which will include all my personal data, and an image of my face or scan of an ID card.
I thought the one aspect of bitcoins was anonymity?
They also have been the victim of at least one, probably more, hacking escapades. Why would anyone be inclined to give them this information?
What is a good recommended place to purchase a few coins just for fun? And then do most people xfer them to this CoinBase?
Most people keep bitcoins in their own wallets on their own computer, USB sticks, whatever. Make multiple copies of your wallet, and encrypt them if there is any risk of other people getting your wallet. Or test out services like coinbase if you feel comfortable trusting someone else with your money.
> I thought the one aspect of bitcoins was anonymity?
It's not (only pseudo-anonymity), but in any case, MtGox is not bitcoin, but a service on top of it. If you want something closer to anonymity (yet not real anonymity either), you need to run your own client and do all the things that prevent others from tracking it back to you (run it through Tor, use an anonymous gateway, etc.).
And even if you achieve that, chances are that you won't be able to do much with your bitcoins.
The private keys were still vulnerable while they existed on the servers. It would be possible for their servers to be unknowingly breached. Moving the private keys offline won't help if they've been maliciously copied. The thief could wait a while (months, a year) before stealing the funds.
The private keys need never have existed on that server. On the occasions on which they are used, they need never touch the server, and the machine they're actually used on (likely a laptop with a LiveCD) doesn't need to directly communicate with the server, so identifying and targeting it would be futile.
I can't believe that with 45 comments, no one has mentioned BlockChain.info or other "zero-trust" solutions like Electrum.
That way your "funds" are in the BitCoin block chain, and no person, website or service provider can steal them from you, as long as you're certain of the security of the environment you're entering your key in.
Really cool program, and readily available in the Debian repo, too! In case anyone tries this out of curiosity, like I did, be sure to include the generated index number as part of the share. I failed to include the index number and couldn't get it to work until I realized it was necessary to input the entire string, not just the hash.
I don't get why you write "Not a full 'give me three shares'...secret key tool". That seems like exactly what this is. Are you saying it would work better if you could provide the share "passwords" yourself, instead of the machine generating them?
This seems like it would be a great way to encrypt the encrypting key used for the bitcoin wallet in this instance. Security professionals? Do the algorithms used look robust?
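An added example, not from this thread or from the ssss tool it discusses, of the m-of-n splitting raised in the safe-deposit-box comment and in the ssss comments above: a minimal Shamir split over a prime field in which every share is an (index, value) pair, so that dropping the index (the mistake described above) or holding fewer than m shares yields garbage rather than the key. The prime and the "wallet key" are constructed here for illustration.

```python
import secrets

# Constructed field: a 127-bit Mersenne prime. A real deployment needs a field
# larger than the secret (for a 256-bit AES key, e.g. 2**521 - 1).
PRIME = 2**127 - 1

def split(secret: int, threshold: int, shares: int):
    """Return `shares` (index, value) pairs; any `threshold` of them recover `secret`."""
    assert 0 <= secret < PRIME and 1 <= threshold <= shares
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def eval_at(x: int) -> int:
        y = 0
        for c in reversed(coeffs):  # Horner's rule, all arithmetic mod PRIME
            y = (y * x + c) % PRIME
        return y

    # Index 0 would be the secret itself, so share indices start at 1.
    return [(i, eval_at(i)) for i in range(1, shares + 1)]

def recover(shares):
    """Lagrange-interpolate the polynomial at x=0 from (index, value) pairs."""
    xs = [x for x, _ in shares]
    assert len(set(xs)) == len(xs), "duplicate share index"
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def demo() -> bool:
    """3-of-5 split of a constructed 120-bit key; True if all three checks hold."""
    key = int.from_bytes(secrets.token_bytes(15), "big")  # constructed "wallet key"
    sh = split(key, threshold=3, shares=5)
    picked = [sh[0], sh[2], sh[4]]          # shares with indices 1, 3, 5
    ok = recover(picked) == key
    # Same values with the indices stripped and renumbered 1..3: the wrong
    # polynomial is interpolated, which is the failure the ssss comment hit.
    wrong = recover([(k + 1, v) for k, (_, v) in enumerate(picked)]) != key
    too_few = recover(sh[:2]) != key        # below threshold: no information
    return ok and wrong and too_few
```

Holding the indices alongside the values is what makes the shares usable, while any two of them on their own say nothing about the key.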
Interesting, but I suspect "real" banks have a long time ago devised a better solution: instead of storing money, they lend it out to other people. That is presumably how they make most of their money.
But perhaps the old school "let's store money in a vault" thing becomes viable again with BitCoin, will be interesting to see.