Interview With Bitwasp Founder & Developer – Security, DarkNetMarkets & Future Development




Following all the marketplaces that got hacked, and the fact that many of them were based on the Bitwasp software, we were very happy when the founder of Bitwasp contacted us and offered to answer some questions regarding Bitwasp, DarkNet uses, security, and the latest and future developments of the Bitwasp market software. We have spoken to the Bitwasp team:

- Cameron Ruggles as Founder
- Thomas Kerin as Developer
- Harris Kalash as the UI designer

If you feel like helping the Bitwasp project and contributing to the future development of better marketplaces, you can donate to this bitcoin address: 19EkDTAaGWySZv1QsWxyWwYMZpo7jpvPYe. The developer is working full time on this project, is unemployed and living off the donations, so he would really appreciate donations! You can find more information here: http://bitwasp.co/

So, what can you tell us about the new, finished but still beta, version of Bitwasp?

Thomas: Our major milestone will be publishing a full version of the Bitwasp code running multisig. Multisig will remove the trust users need to have in the site operator, and at each step of making payment and signing, the user has all the information they need to make an informed decision before proceeding. Users will never pay to an address that one party has control over, meaning less exposure for operators setting up a site. No one wants to be responsible for losing coin, as there’s often little recourse. But with multisig, even if the site experiences downtime, once buyers and sellers can communicate on another channel they can recover the funds.

Multisig, or P2SH addresses, have been supported since 2012, so it’s insane that there isn’t more support for it. Bitwasp will be one of the first few sites to implement multisig, let alone publish all the code behind it.

The code itself has effectively been implemented behind the scenes; however, a lot of work remains before it’s finalized and ready to be published. The software still needs a lot of work, but most of the ground work is done.

But this release will see a huge change – no live wallet, or notion of ‘user balances’. An admin configures an Electrum master public key to create public keys/addresses, vendors upload a list of them, and buyers enter them on a per-order basis. The order process essentially guides users through the steps of a multisignature transaction.

Once buyers pay to the multisig address, an unsigned transaction is created which pays the vendor and the operator’s fee. In an up-front payment, the buyer must sign the transaction immediately after paying, and the vendor signs and broadcasts to indicate they’ve dispatched. In an escrow order, after payment is made, vendors would sign to indicate dispatch, and the buyer signs and broadcasts once they receive the goods. Otherwise a dispute is made, and the admin will talk it out with the buyer/seller. A new transaction is created by the admin when an acceptable solution is found. Recently a feedback system was built in, to further assist trustless transacting.

The effort of creating public keys in advance is something that I’d love to change, but I don’t think it’s reasonable to ask everyone for an Electrum MPK. Support for BIP32 extended public keys ( M/k’ ) to automate this for all users is another milestone in the future – with this, users could enter their extended key, allowing Bitwasp to generate public keys/addresses for multisig keys/receiving money, but ultimately it means keys are all deterministically derived from one single seed.
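To make the 2-of-3 arrangement described above concrete, here is an added example (editor's illustration, not Bitwasp's code) that builds and parses a bare CHECKMULTISIG redeem script for buyer, vendor and operator, and checks at which point enough parties have signed for the transaction to be broadcast. The three public keys are constructed sample values (the secp256k1 points G, 2G and 3G), not keys belonging to any real site.

```python
# Constructed sample keys: three valid compressed secp256k1 points (G, 2G, 3G)
# standing in for buyer, vendor and site operator. They belong to no real site.
BUYER = bytes.fromhex("0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
VENDOR = bytes.fromhex("02c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5")
ADMIN = bytes.fromhex("02f9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9")

OP_CHECKMULTISIG = 0xAE

def op_n(n):
    """Small-integer opcode OP_1..OP_16 (0x51..0x60)."""
    if not 1 <= n <= 16:
        raise ValueError("m and n must be between 1 and 16")
    return bytes([0x50 + n])

def build_redeem_script(m, pubkeys):
    """Bare multisig redeem script: OP_m <pk>... OP_n OP_CHECKMULTISIG.
    Each key is a direct push (length byte + key); compressed keys are 33 bytes."""
    if m > len(pubkeys):
        raise ValueError("threshold exceeds number of keys")
    script = op_n(m)
    for pk in pubkeys:
        if len(pk) not in (33, 65):
            raise ValueError("not a serialized secp256k1 public key")
        script += bytes([len(pk)]) + pk
    return script + op_n(len(pubkeys)) + bytes([OP_CHECKMULTISIG])

def parse_redeem_script(script):
    """Inverse of build_redeem_script; returns (m, [pubkeys]) or raises."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script")
    m, n = script[0] - 0x50, script[-2] - 0x50
    keys, i = [], 1
    while i < len(script) - 2:
        length = script[i]
        keys.append(script[i + 1:i + 1 + length])
        i += 1 + length
    if i != len(script) - 2 or len(keys) != n or not 1 <= m <= n:
        raise ValueError("malformed multisig script")
    return m, keys

def can_broadcast(script, signers):
    """True once m distinct keys from the script have signed: buyer+vendor in the
    normal flow, or admin plus either party in a dispute. The operator alone never
    reaches the threshold, and a signer outside the escrow is rejected outright."""
    m, keys = parse_redeem_script(script)
    if not set(signers) <= set(keys):
        raise ValueError("signature from a key outside the escrow")
    return len(set(signers)) >= m

# The escrow for one order: any 2 of buyer, vendor and operator can move the funds.
ESCROW = build_redeem_script(2, [BUYER, VENDOR, ADMIN])
```

The redeem script is what would be hashed into the P2SH address the buyer pays to; the signing order (who signs first in up-front versus escrow orders) is a site policy layered on top of this threshold, which the script itself does not encode.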

Here is a gallery showing the process of placing an order using the new multisig:

How large is the community around Bitwasp, and how do you reach a broader audience? (As we know, with open source this is the most important factor when it comes to development.)


Cameron: It’s difficult to say. We only recently found out that over 10 Darknet Bitwasp marketplaces have been set up. I’d say it is pretty large considering we haven’t done much promotion, yet our Facebook page has over 400 likes – and considering what appears to be the main interest, most people wouldn’t like such a page with their Facebook account. Additionally, 140 members are on our forum. That isn’t a lot, but it is a decent number considering the incredibly small amount of advertising we’ve done. I suspect it will easily grow orders of magnitude larger once we release a finished product, even if it is in alpha or beta, and also have our Bitwasp.co site launched.

Thomas: The forums usually see new people coming and going, with a few faces hanging around for longer.

Is there some business plan behind it, or will it stay completely free and open source?

Cameron: We are planning on launching our own marketplace at Bitwasp.co and hope to see apps for Bitwasp being sold, alongside various other legal items. We will also be selling items on our site. Hopefully it will become the next well-known legal bitcoin marketplace.

Do you consider the use of the current version as reckless and disappointing behavior?

Thomas: Bitwasp is highly experimental software, and it should be understood that any Bitwasp implementation running a live wallet is taking unnecessary risks with user funds. We have never made an alpha release, and typically the only change to the software in sites we’ve seen is that they remove the ‘NOT IN PRODUCTION, USE ONLY ON TESTNET’ notice. Until http://test.bit-wasp.org no longer has this banner, people shouldn’t trust them.

Will you offer bounties for discovering exploits?

Cameron: Since protecting security and privacy while facilitating transactions is our primary goal, it is important that people are motivated to audit our software and report these bugs and exploits to us so they can be fixed.

The best way to motivate people is money. So we will be rewarding the person who finds the most exploits and other issues with 3 bitcoins. The winner will be determined by a point system; whoever has the most points wins. Exploits that can take bitcoins from the site or the users are worth 3 points, exploits that can access the database and read messages or other data provided by users are worth 2 points, and any other general bugs or exploits that don’t really jeopardize privacy, security or bitcoins are worth 1 point. This contest will be held after our first release and go for a month.

Will you have all these SQL injection issues sorted in the new version? How come they are not sorted till now?

Cameron: Give us more info on these SQL injections… what have you heard about them? We’ve gotten little to no feedback in this area as far as I know.

I don’t know much about them, only that they exist. I have reached out to a couple of the security guys who have experience with Bitwasp injections and offered that they will contact you. But here is one example taken from a previously published post about security exploits:

(Image: sql injection)

Thomas: Hard to say without details. Most likely an error in the items by categories / locations pages. I’ve noticed that most of the ‘hacked’ accusations take place on reddit; little technical detail is ever given.

Do you get the inputs from all the hacked markets (I mean on the technical level) about stuff that needs to be fixed?

Cameron: No. I think the only one where we even knew how it got hacked was FloMarket, and it was an issue we had already known about.

Can you elaborate on how Flomarket got hacked technically, assuming it’s fixed now? (We are still happy to know it was hacked and not a scam, and that the admin was telling the truth in the interview we did with him.)

Cameron: This question needs to be answered by the developer (http://bit-wasp.org/index.php?topic=28.90), but in the next version it is fixed because we’ve entirely changed the way transactions are processed, via 2/3 multisignature transactions. This way private keys or bitcoins are never held by the Bitwasp site admins or on the servers.

Thomas: In the copy of Bitwasp that Flole used, there was an issue whereby when orders were being added to the database, if the bitcoin amount was out of range (say, 0.0001 satoshis), a value like 99 would be entered. It was a subtle type error with disastrous consequences, as obviously if this order was cancelled, the buyer would be credited with 99 BTC. Or that’s what we believe. This has been fixed now, since refactoring the order system around multisig. Flomarket was really a sign of how the future would go if Bitwasp didn’t remove live wallets.

Have you seen any markets nowadays that are based on Bitwasp that you can say are secure?

Cameron: Nope, but we haven’t really looked. We didn’t even realize very many people were using our clearly unfinished software. The longest lasting seems to be Tor Bazaar but we’re not sure about that either.

Comments

  1. March 26, 2014 at 1:54 am Bondi

    Since when has DDW become the new self-imposed certifying authority on DNMs? Anyone is free to run and operate a marketplace with bitwasp or not. They ought to be fully well aware of the risks involved by doing so. The onus is just as much on the site users to take due diligence and precautions and to encrypt all their communications. As for which markets they sign up for, users should never take the operator’s word for good measure. If people are dumb enough to continue to use SR2 and the likes, it’s only evident that there’d never be a shortage of morons, and that there is their incentive.

    The bolded word in the post above should rather be on ‘Live wallet’ instead, as with DNMs we’ve seen enough hacks and scams over it. Every one of them, including all these so-called closed-source markets which were ‘built from scratch’ and bragged about their security, one too many to name them (can be viewed in the hall of shame link, for further reading).

    As much as the developers do not seem to acknowledge it, but I’d wager my bet that the entire development of BitWasp would have come through such markets and through their technical contributions along the way, as well as by going belly up which would have been the learning curve. As I see it that’s the silver lining and had it not been for such hacks, the team at BitWasp would have never been looking towards implementing multi sigs or for patching some of these critical issues.

    Besides, some of your questions put forth were dumb as, to say the least. Asking developers on current markets’ security was outright stupid. Beyond the application layer, how would they even be remotely aware to comment on any of the operators and on their servers and/or overall security?

    Do not be disheartened, all you wanna-be BitWasp market operators. There will never be a shortage of morons to sign up. All junkies want is their fix. Most of the average joes here struggle with PGP, and proper implementation of multi sigs and support for it is a light year away and way beyond their pea-sized brains, but on a personal note, do implement it, as it goes a long way to show your true intentions and commitment.



  2. March 25, 2014 at 2:50 pm HollyHo

    @the admin: You surely need a proof reader, your English and grammar seriously suck. I wouldn’t be surprised if you work part-time at a call centre in India. As for the topic, good to hear from the folks behind the application and their views on it. I’d think to just single out bitwasp based markets is unfair, as at the moment ANY DarkNet market running with hot wallets is criminal (what isn’t)! SR2, BMR, Pandora, TM and pretty much all others had their coins stolen for it or have claimed so. Closed source or open source, almost every one of those markets has been hacked and coins stolen, so multi sigs are the way to go, and kudos to the developers for implementing it. The rest boils down to operators to secure their networks and plug the loopholes and iron out the bugs.



    • March 25, 2014 at 2:57 pm DeepDotWebAuthor

      Ahh, known problem. I am not a native English speaker; it’s listed in our about page and in some of our articles, although not from India, and my job is much better than a call center, I can tell you that :)

      We would love to get someone to proof read if anyone is interested and is very quick to deliver.



      • March 25, 2014 at 7:46 pm Me

        I would be willing to proof read/edit articles going forward. Starting for free and maybe negotiating a small per article fee if my work is up to par.

        I spend most of my free time reading about DNMs anyway, and I’m a huge fan of the site.

        You can contact me via Reddit if you’re interested. My username is toodlespoodles1

        If not, keep up the good work!



        • March 25, 2014 at 8:30 pm DeepDotWebAuthor

          Thanks! We have someone already taking care of this one; will keep your contact for future ones :)
