bitcoin and blockchain – olaf carlson – qcon

This is part of my live blogging from QCon 2015. See my QCon table of contents for other posts.

Primary risk isn’t with the protocol; it’s with the security of the websites where trading takes place.

Hackers love bitcoin because if they can get into it, they have cash.

Identity theft

  • a lot of people try to buy bitcoin with a stolen identity
  • identity theft can be 100% virtual
  • Most common way is to steal online banking password
  • Or compromise your email
  • One password rules your whole identity
  • 7% of US residents ages 16+ were victims of identity theft in 2012. 85% involved use of an existing credit card or bank account
  • Only 7% of users lost over $100
  • Payment companies have an operational cost for reversals but don’t lose much. It’s merchants who eat the loss (when the chargeback comes within 60 days). If it takes 60+ days, the credit card user eats the loss.

Automated clearing houses weren’t designed for the internet; that was hacked on afterwards. That’s why we verify a bank account by having the user confirm the amounts of two small deposits.

A credit card number is like a private key. Every time you use your credit card, it’s like handing over your private key.

Fraud detection is like whack-a-mole: you have to catch each instance of the problem. The fraud industry is like duct tape.

No incentive for banks and email providers to build better account security. They don’t take any loss; they push liability to someone else.

Bitcoin

  • Pseudonymous – don’t know who received the bitcoin
  • Peer to peer
  • Irreversible – legacy payments are pull. Bitcoin is push, so the recipient can’t re-debit you and never learns your private key
  • Instant

There’s theft, like with cash. It’s not identity theft; it’s regular theft.

Risk moves to consumers and payment companies. For example, if you have bitcoin on a computer with malware, it can be stolen.

Many bitcoin hacks in the past few years. Steal the money directly; no need to launder it.

Coinbase wallet architecture
Double moat model. Meant to be hard to get past the whole thing. Admin accounts have the same security requirements as user accounts.

Assumptions and how to address them

  • Passwords will leak
  • Emails are compromised
  • Users will be phished
  • Computers will be left open and unlocked
  • There will be social engineering

How to address them

  • 2-factor on everything: login, sending money, changing settings. Send an SMS message when sending money so the notification is on a separate channel.
  • Rate limit to minimize the damage a compromised account can do
  • Device verification required. Must authorize a new device to continue
  • Added a five-minute delay on transferring money after a password change, so a session or reset token used to change the password can’t immediately be used to transfer money
  • Optional vault with extra security features – time-delayed withdrawals, alerts to two verified emails with confirmation required from both, SMS notifications, cancel at any time, banner reminders to enable it, option for M-of-N management (e.g. 3 of 5 people must authenticate)
  • Train support really well on social engineering
  • Multi-sig vault – only for technical users; key-splitting architecture. Cold storage as a service. Three keys – a user key, a Coinbase key and a shared key that is encrypted with a password only the user knows. Need two of the three keys to access the bitcoin
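The controls above compose into one send-authorization decision. The following is an added example written for this post, not Coinbase code; the account shape, the field names, the 3-sends-per-hour rate limit and the vault delay are assumptions chosen to illustrate the policy.

```javascript
// Added example (not Coinbase code). Account shape, names and thresholds are assumptions.
const PASSWORD_CHANGE_FREEZE_MS = 5 * 60 * 1000;              // five-minute freeze after a password change
const RATE_LIMIT = { maxSends: 3, windowMs: 60 * 60 * 1000 }; // assumed: at most 3 sends per hour

// account: { twoFactorVerified, deviceVerified, lastPasswordChange, recentSends: [ms timestamps],
//            vault: null | { delayMs, approvers: [ids], required: M } }
// request: { amount, now, approvals: [ids] }
// Returns { decision: 'allow' | 'deny' | 'pending_approval' | 'delayed', ... }
function authorizeSend(account, request) {
  const { now } = request;

  // Every money movement needs a second factor and a verified device, not just a password.
  if (!account.twoFactorVerified) return { decision: 'deny', reason: '2fa_required' };
  if (!account.deviceVerified) return { decision: 'deny', reason: 'device_verification_required' };

  // A fresh password change may have come from a hijacked session or a compromised email:
  // refuse to move money until the freeze window has passed.
  const sincePasswordChange = now - account.lastPasswordChange;
  if (sincePasswordChange < PASSWORD_CHANGE_FREEZE_MS) {
    return { decision: 'deny', reason: 'password_recently_changed',
             retryAfterMs: PASSWORD_CHANGE_FREEZE_MS - sincePasswordChange };
  }

  // Rate limit: bound what an attacker can drain per window even with valid credentials.
  const recent = account.recentSends.filter(t => now - t < RATE_LIMIT.windowMs);
  if (recent.length >= RATE_LIMIT.maxSends) return { decision: 'deny', reason: 'rate_limited' };

  // Vault: M-of-N distinct approvals, then a cancellable time delay before funds actually leave.
  if (account.vault) {
    const { approvers, required, delayMs } = account.vault;
    const distinct = new Set(request.approvals.filter(a => approvers.includes(a)));
    if (distinct.size < required) {
      return { decision: 'pending_approval', have: distinct.size, need: required };
    }
    return { decision: 'delayed', executeAt: now + delayMs, cancellable: true };
  }

  // Plain wallet: allow, but notify on a channel separate from the one that issued the request.
  return { decision: 'allow', notify: ['sms'] };
}
```

Each branch returns a reason rather than a bare boolean so the caller can log which control fired; that log is what support staff and fraud analysts need when a victim calls in.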

Largest targets of phishing – PayPal, Google, Yahoo, Bank of America, Wells Fargo

Bitcoin aligns incentives between users, payment companies and merchants. It forces payment companies to design better security and educate users on how it works. The savings go to the users and merchants.

Q&A

  • For the passport story, how did you figure out who was who? A lot of looking at logs. Also confirmed by phone
  • Can you take bitcoin back after a theft? At the moment of theft, you can look at the theft and see the IP if it leaked anything. Can’t get it back though
  • How much training for support staff so they don’t open something malicious? A lot! Training and setup. Support staff are all on Chromebooks so they can’t open a zip file anyway.
  • Can you go after attackers legally? Usually on a different continent with a different legal system
  • Bitcoin price volatility? More steady in the last 6 months than in the past. [that’s not long for predicting the future]

Impressions: great last session of the day. Liked the real examples of attacks against their company and how to prevent assorted issues. I thought it would be more about the blockchain, but this was interesting too.

new in es2016 – javascript’s first yearly release – brian terlson – qcon


ES2015 is being approved now. Then comes ES2016, and the committee is moving to yearly releases. Train model like Eclipse: the train leaves the station once a year and mature proposals get on the train.

To get on the release train, a proposal must have multiple interoperable implementations. That avoids “breaks the web” features and ensures proposals really are mature. Proposals must also have tests (Test262 collateral).

Timeline

  • 1995 – Mocha/JavaScript was born
  • 1999 – Edition 3 standard. Used by IE 6
  • ES4 didn’t pan out. Then the committee couldn’t agree on anything for a decade
  • 2009 – ES5 came out. Added strict mode, getters/setters, minor array features. Small release
  • June 2015 – ES 2015
  • June 2016 – ES 2016

Disclaimer: Everything is a work in progress and subject to change

s.at(0) – code-point-aware indexing
Unicode support – how long is an emoji?
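The emoji question has a concrete answer in today’s JavaScript, and it matters beyond cosmetics: length checks and truncation done on UTF-16 code units can split a surrogate pair. The block below is an added example for this post, not from the talk; the sample string and the helper names are my own, and the at() here is an ES2015-style stand-in for what the s.at(0) proposal sketches, not the proposal’s implementation.

```javascript
// Added example, not from the talk. Sample string and helper names are assumptions.
const SAMPLE = 'a\u{1F600}b'; // constructed: "a", the grinning-face emoji, "b"

// .length counts UTF-16 code units; the emoji is one code point but two code units.
function utf16Length(str) { return str.length; }

// Array.from iterates a string by code point, so this is the "human" length.
function codePointLength(str) { return Array.from(str).length; }

// Code-point-aware at(): written in ES2015 terms as a stand-in for the s.at(i) proposal.
function at(str, i) {
  const cps = Array.from(str);
  return i < cps.length ? cps[i] : undefined;
}

// Truncating by code units (what most maxlength checks do) can cut an emoji in half.
function truncateCodeUnits(str, n) { return str.slice(0, n); }

// Truncating by code points keeps every character whole.
function truncateCodePoints(str, n) { return Array.from(str).slice(0, n).join(''); }

// Detect a lone surrogate: a high surrogate not followed by a low one, or a stray low surrogate.
// Such strings are not valid Unicode text and may be rejected or re-encoded unpredictably downstream.
function hasLoneSurrogate(str) {
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    if (c >= 0xd800 && c <= 0xdbff) {
      const d = str.charCodeAt(i + 1); // NaN past the end, which fails the range check below
      if (!(d >= 0xdc00 && d <= 0xdfff)) return true;
      i++; // skip the low surrogate we just validated
    } else if (c >= 0xdc00 && c <= 0xdfff) {
      return true;
    }
  }
  return false;
}
```

For input validation, decide which length you mean (storage bytes, code units, or code points) and enforce the limit on that unit, then truncate by the same unit so the stored value is never a malformed string.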

Functions

  • return a single value synchronously with functions
  • return many values synchronously with generator functions
  • return a single value asynchronously with promises:
    async function f() { … }
    f().then(v => { … });
    async (a, b) => await a + await b;
  • return many values asynchronously with observables:
    let observer = {
      next(value) {},
      throw(error) {},
      return() {}
    };
    let d = new Observable(o => { … });
    d.subscribe(observer);

    Observables should feel like arrays. Call forEach(), etc.
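To make the observer shape above concrete, here is an added example for this post: a minimal Observable with the next/throw/return observer contract, an array-like forEach, and the “nothing is delivered after completion” rule. It is illustrative only, not the Observable proposal’s implementation; the class, the of() factory and the collect() helper are my own names.

```javascript
// Added example, not the proposal's code. Class and helper names are assumptions.
class Observable {
  constructor(subscriber) { this._subscriber = subscriber; }

  subscribe(observer) {
    let closed = false;
    // Wrap the observer so nothing is delivered after completion, error or unsubscribe.
    const sink = {
      next(value) { if (!closed) observer.next(value); },
      throw(error) { if (closed) return; closed = true; if (observer.throw) observer.throw(error); },
      return() { if (closed) return; closed = true; if (observer.return) observer.return(); },
    };
    // A subscriber that throws synchronously is reported through the error channel, not the call stack.
    try { this._subscriber(sink); } catch (e) { sink.throw(e); }
    return { unsubscribe() { closed = true; } };
  }

  // Array-like iteration: the promise resolves when the stream completes and rejects on error.
  forEach(fn) {
    return new Promise((resolve, reject) =>
      this.subscribe({ next: fn, throw: reject, return: resolve }));
  }

  static of(...values) {
    return new Observable(sink => { values.forEach(v => sink.next(v)); sink.return(); });
  }
}

// Synchronous drain for producers that emit during subscribe(); errors are recorded inline.
function collect(observable) {
  const out = [];
  observable.subscribe({ next: v => out.push(v), throw: e => out.push('error:' + e.message) });
  return out;
}

// Values pushed after return() are dropped by the sink, so the consumer only sees [1].
function collectWithLateEmit() {
  return collect(new Observable(sink => { sink.next(1); sink.return(); sink.next(2); }));
}
```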

Math.pow(10,2) becomes 10 ** 2

SIMD (single instruction, multiple data)

  • Hardware instructions for number crunching
  • Uses data parallelism to perform multiple calculations simultaneously
  • Good for things like 3D graphics where the same operation is applied across vectors of numbers
  • let a = SIMD.int32x4(0,1,2,3);
    let b = SIMD.int32x4(4,5,6,7);
    let c = SIMD.add(a,b);
    let zero = SIMD.int32x4.zero();

‘a’.lpad(4) and ‘a’.rpad(4)

Decorators

  • Can decorate classes, properties, functions
  • Like a function wrapper. [like an aspect, or Ruby ActiveRecord]
  • Annotation to use

Value types

  • New primitive types – Int64, Bignum, Decimal, Complex, Rational, SIMD types, TypedArray types
  • Factory: let int8 = Int8(254)
  • Literal suffixes: let i64 = 0L; let b = 0n; etc.
  • Primitives are better for serializing across frames
  • Still immutable like other primitives
  • === compares by value
  • Custom primitive types – export let Yard = ValueType(Symbol(“Yard”), Float64)
  • Can overload operators on new custom primitives: Reflect.defineOperator(‘+’, f, Yard, Yard)

Q & A

  • What about value types in JSON? No plans. JSON is frozen. Can’t break JSON.parse, and it is used everywhere.
  • Opportunity for confusion when assigning value types to a JSON object. Would convert back to regular primitives and throw an error if it can’t do so safely

real threats and defenses – alex holden – qcon


The speaker discovered the Target breach.

Technology is evolving faster than user education. We use different keys for our house, car, etc., but reuse the same passwords over and over.

Car brakes are operated by foot for historical reasons. You used to need your whole body’s strength to make a car go/stop. They’re still there because people are used to it; retraining would be too hard.

We defend with tools/people/compliance.

Hackers

  • state/corporate sponsored
  • hacktivists (political/social)
  • profit seekers – if something can be monetized, it’s of higher value
  • revenge
  • employees

The Anthem breach might have been China. No way to monetize that many medical records, but they could be looking for spies. [I thought medical number theft was a thing.] Sony might have been revenge from Russia.

Most hackers are located in countries without extradition treaties with the US.

99% of hackers fail, get arrested, etc.

A spam operation typically involves 10-20 people.

Even for a bad hacker who doesn’t steal data, you have to declare a PCI breach, notify customers, re-issue credit cards, etc.

Russian hackers – war of stereotypes – holy war against the West

Target breach
Started almost a year before the actual breach. Learned from a bad experience with BlackPOS in an attempted breach of Verifone POS terminals in Russia. Then planned for several months. A week before Black Friday did a large trial run, spending $40 million of their own money.

The POS malware author was looking for a $12/hour programming job. Couldn’t get one, so turned to the hacker community. Thorough: cared about error handling and working on multiple platforms. “Just a job.” His employer cared about the monetization.

Cybervor breach
1.2 billion credentials from 420K sites. Got all the data via SQL injection. Only looked for user IDs and passwords. The idea of stealing a little bit from many different places grew into the largest hack to date. Could have gotten credit card data but chose not to.

Defense 101
Credit card theft is on the decline because credit card companies see patterns faster and act. For example, Chase flagged the Home Depot-related card use quickly and hackers stopped buying the numbers.

Need to understand patterns.

Biggest vectors – viruses, zero-day vulnerabilities (Heartbleed, Shellshock), stolen/reused credentials

Quantitative analysis – how much data is transferred? What is normal? Learn to look at the stats. If a page usually transfers 20KB, set an alert threshold at 100KB so you know when you have a breach; bulk exfiltration shows up as responses far outside the baseline.

Honeypot – using a SQL injection flaw inside your real system as a honeypot, rather than a separate system, lets you detect an attack. The idea is that hackers will think it is real and spend time on it. A zero-day attack might be revealed via the honeypot. It’s an early warning system to alert you. Seed fake data that looks normal but can be identified as yours. Not mymail+hack@gmail.com; hackers know about the + technique.
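Both ideas above (size baselines and seeded fake records) are cheap to check mechanically. The block below is an added example for this post, not the speaker’s tooling: it runs a per-path size baseline over a few constructed log lines and scans text for constructed canary records. The log format (ip path status bytes), the 5x threshold and the canary values are assumptions.

```javascript
// Added example, not the speaker's tooling. Log format, threshold and canary values are assumptions.
const SAMPLE_LOG = [ // constructed lines: "ip path status bytes"
  '10.0.0.5 /search 200 18432',
  '10.0.0.5 /search 200 20100',
  '10.0.0.7 /search 200 19876',
  '198.51.100.9 /search 200 1048576', // ~1MB from a page that normally returns ~20KB
  '10.0.0.5 /account 200 4096',
].join('\n');

function parseLine(line) {
  const [ip, path, status, bytes] = line.trim().split(/\s+/);
  return { ip, path, status: Number(status), bytes: Number(bytes) };
}

// Baseline per path is the median response size; a response over factor * baseline is flagged.
// The talk's rule of thumb ("normally 20KB, alert at 100KB") is factor 5.
function sizeAnomalies(log, factor = 5) {
  const rows = log.split('\n').filter(Boolean).map(parseLine);
  const byPath = new Map();
  for (const r of rows) {
    if (!byPath.has(r.path)) byPath.set(r.path, []);
    byPath.get(r.path).push(r.bytes);
  }
  const baseline = new Map();
  for (const [path, sizes] of byPath) {
    const sorted = [...sizes].sort((a, b) => a - b);
    baseline.set(path, sorted[Math.floor(sorted.length / 2)]); // median resists a single outlier
  }
  return rows
    .filter(r => r.bytes > factor * baseline.get(r.path))
    .map(r => ({ ip: r.ip, path: r.path, bytes: r.bytes, baseline: baseline.get(r.path) }));
}

// Canary records are seeded into the real data store and never used legitimately, so any sighting
// in outbound traffic, logs or a public dump means the data left. They must look like ordinary rows:
// no "+tag" addresses or other markers an attacker would filter out.
const CANARIES = ['marta.quill@example.com', '4111-0000-0000-9021']; // constructed values

function canaryHits(text) {
  return CANARIES.filter(c => text.includes(c));
}
```

In practice the baseline comes from a trailing window of normal traffic rather than the same batch being scored, and canary hits should page someone regardless of where they are seen, since a single match is already proof of exposure.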

Auditors can get you in trouble with your boss. Hackers can get your company in trouble and end your career.

Assume you have already been breached. Look for your data online. Look for a unique identifier. Search for “/logout” on your company’s site to see whether authenticated pages got spidered, so people can use Google’s cache to navigate them. [doesn’t work on CodeRanch – the word shows up a lot in questions]

Treat security issues as risks, not just bugs/defects. A risk has to be addressed or mitigated. A bug can drag on for years.