Message du 23/03/14 03:56 De : "Lodewijk andré de la porte" A : tpb-crypto@laposte.net Copie à : "Troy Benjegerdes" , "cypherpunks@cpunks.org" Objet : Re: "Whew, wondered where we'd put those 200,000 BTC!"
2014-03-23 3:14 GMT+01:00 :
I can't answer to all your concerns separately as it seems you have got one very big problem: you are into computers, but you have trouble compiling - merely compiling - programs for OpenBSD.
Given the amount of unix knowledge involved I don't think that judges me at all. Maybe you judge me for my lack of unix skills, which I would easily admit are lacking.
You are in the same boat of Karpeles and Ulbricht, they also were barely able to code some interpreted language and they were overwhelmed by the intricacies of the systems they were building. Until they finally brought disaster for themselves and everyone that depended on them.
I don't feel comfortable being put at the advanced PHP magic level. I doubt it's fair to my skill. Ulbricht actually did pretty well. Bringing disaster is also avoidable on many different levels.
In order to grasp the seriousness of things, you gotta start with something simpler which doesn't require so many security skills, like games. Then you build up your knowledge until one day you can make your own exchange.
Making games will not help you learn security at all. It might make you learn coding fast and dirty. They're totally different styles.
But until that point, it is irresponsible to try as you have well noticed.
Do or do not. There is no try.
Regarding the rest of your concerns, everything can be dealt with properly, but it takes years of learning. There's a reason computer security professionals are amongst the most well paid employees which big corporations and rich governments only can hire.
It's most likely the lack of appeal of a security job. It takes more than learning actually, it takes inventing.
Many people think that if Facebook and Wikipedia use PHP, then PHP may be secure enough to work with money. Meanwhile raw money provides a much bigger bounty than hacking Facebook or Wikipedia, which probably have security holes in numbers that are orders of magnitude more than any small Bitcoin exchange. That's why properly coded C and Cobol are used by most financial institutions, yes Cobol, as incredible is it may seem, it powers most financial transactions behind fancy web browsers. Because even if a banking system is simpler than a Wikipedia, its security will be tried many, many, many more times than Wikipedia. While a hack into Wikipedia is something to be concerned about, it won't destroy it, while taking all the money away will destroy a business. When I referred to games, I was referring to simpler and non-serious systems that people will try to hack in for fun. If you build such system, any system, that's training for some serious stuff in the future. Ulbricht only knew some PHP coding and looked for help in order to create more advanced stuff, worse yet he had his servers discovered and mirrored and probably exploited before he would even notice it. How can one be so low in their opsec that he doesn't ship a server for colocation with its USB ports desoldered and plied away? Or at least disabled in the firmware? All your concerns are valid, meanwhile think about how you could work around every single one of them and note them down. Then once in a while you review your list, until you have solved most theoretical issues. Then you build a non-serious system and offer bounties for finding exploits and people will find them, because you will never manage to plug all holes and the invader has just to find one hole open.