They have a reassuring security page[0]. It's nice to see they're enforcing good practices, I especially appreciate their "no-link email policy" where they will never send you links in emails, which seems like a great way to head off phishing attempts. I hope they actually present this to users in some way during sign-up though, or it won't be of much help unless a user manually navigates to the security page and reads through most of it.
I'm a little disappointed that they only have level 2[1] HSMs in the cloud, as I would be uncomfortable protecting my hot wallet keys with only tamper evident protections, rather than level 3+ that actually attempt to detect intrusion and delete keys. Bitcoin makes for very quick stealing once you have keys, so reactive defenses against key loss don't help much as you're literally in a race condition with the attacker to empty the wallet (you into a non-compromised one, the attacker into their own). But I would assume they weighed cost/risk and I've never heard of a security compromise of Amazon's HSMs so it was probably a reasonable choice.
edit: I should also applaud their use of PGP and (explicit) respect for responsible disclosure.
I personally know many of the engineers at Gemini and have worked with some of them in the recent past. If I were going to choose a team to build a bitcoin exchange, the people I know at Gemini would be on it. If you're into bitcoin, I think this is the place to put your money.
Looking at Coinbase and Gemini as a user I would probably prefer Gemini marginally because their bullshit about using HSM. They both seem to be hosted in AWS which from my POV is a major fuckup. Gemini and Coinbase are basically running a CTF where if you can find a hypervisor exploit and get lucky you can drain their hot wallet.
I saw a presentation at OWASP a couple of weeks ago by Coinbase, where they stated that the BTC are stored on air gapped servers, and that 97% of the Bitcoins never exist on routable servers.
I don't understand Amazon's cloud HSM product. Amazon says they don't have access to your HSM but presumably they do if they wanted to. Also, how does HSM protect the hot wallet if an attacker is able to get access to a machine that is using the HSM for signing? Your only hope is that you can obscure the credentials for the HSM from the attacker.
HSM for the hot wallet probably provides greater security than no HSM for the hot wallet but I don't think it gives you that much extra security.
The value proposition of an HSM is that sensitive key material never leaves the hardware in plaintext (or at all, in the case of the SafeNet HSMs used by Amazon). An attacker who compromises a machine with access to the HSM is therefore able to perform whatever operations that machine is authorized to perform, but nothing more. Crucially, they cannot steal the key material and then go off and use it elsewhere. They have to stay connected to the machine that has the access they need. Protecting against offline attacks is a pretty big gain.
> Amazon says they don't have access to your HSM but presumably they do if they wanted to.
I wouldn't be so sure. As far as I can tell, once you've provisioned an HSM from Amazon you have full administrator access. That includes control over all trusted SSH certs, users, etc. Of course Amazon has physical access, but that doesn't give them access to the HSM's crypto functions or the key material.
The problem is that an attacker who compromises a machine that has access to the HSM will have the privilege to drain the wallet. Unless there is some rate limit or some higher access control the attacker will be able to initiate a bunch of BTC transactions that will dump the wallet. Also if they are intelligent about it they will batch the signatures and release them to the network in one hit.
If Amazon is a bad actor they trivially have access to the HSM because they could just write some software that pretends to be the HSM. However, this is probably not in the threat model because the amount Amazon loses by fucking a client like this is much more than the amount they would gain by fucking a client. The real thread is rogue Amazon employees and I guess it would be be hard for them to MITM the HSM from the start.
Your only protection for the hot wallet is to obscure the credentials you use to connect to HSM. Good luck with that against and a determined adversary that has a lot to gain from dumping the HSM key. (if it is not clear this 'only protection' thing is when the adversary has root access to your machine)
Oh.. and if you are a gemini dev. Obscure your code encrypt your HSM credentials in memory. :) Security through obscurity is actually a useful thing against attackers.
I don't know enough about the SafeNet HSMs to elaborate on that, but they claim:
> This manufacturer-validated devicee identification mechanism enables a strong trust model whereby customers can be assured that they are communicating with specific SafeNet hardware units in a way that cannot be spoofed.
Also, there was a great post on /r/bitcoinmarkets by the CTO of another exchange, picking apart Gemini's technical setup. Worth a read if you're into modern frontend web development.
I'm not sure if 'picking apart Gemini's technical setup' is the right way to describe it, I tend to think of 'picking apart' being negative while the comments are entirely positive.
I would not consider going over their frontend assets and request headers anything close to picking apart their technical setup though. For anyone a little more knowledgeable that post is just a collection of random facts about the apps visible front-end.
Yes, that's true - it was a loosely categorized collection of my thoughts while going through the frontend. The frontend architecture is very similar to that of BitMEX, the exchange that I built, so I am very interested in the choices they've made, why they chose them, and what's different.
Gemini is a spot exchange (simple buy/sell) while we're a derivatives exchange with much more complex requirements, so you'd expect a different set of decisions and tradeoffs, which is what I found. Gemini's real value (at this point) is in its ability to navigate regulatory capture, not necessarily in its technology. But their technology is a cut above what you usually see in Bitcoin exchanges. The exchange landscape has been plagued with unreliable/buggy exchanges, like the late Mt.Gox and the still-limping Bitfinex (which is much more complex).
On the whole, basic spot exchanges without leverage are relatively easy to create. I would love to do a more complete analysis but of course I don't have any inside information. I would be very interested in their backend, which appears to (possibly) be Scala. No clues as to whether they're using a SQL database or something more specialized like KDB+, which we use and love.
I find this kind of analysis way more interesting than highscalability. Different audiences, but these kind of frontend-centric articles are incredibly actionable.
interesting...
still doesnt talk about the actual API stack though. Conformal is using golang and Coinbase is using Ruby... wonder what these guys are using.
Hey - author of that post here. I can't tell for sure what the stack is by looking at its output, but judging by common experience in the LinkedIn profiles of the engineers, it looks most likely that it's Scala.
From Tyler Winklevoss's answer on the Product Hunt page for Gemini:
"Gemini is a New York state limited liability trust company, we did not apply for or have a BitLicense which is a much lower standard. As a limited liability trust company we are a fiduciary, which allows us to accept both individual and institutional customers under New York Banking Law (unlike the BitLicense, which does not convey such fiduciary powers). In short, we can work with both Main Street and Wall Street."
So the difference is that they're trying to play nice with regulators from day 1, rather than breaking the rules and rolling with the legal punches in order to serve early adopters?
Yeah, another to way to put it is they aim for legitimacy so they can be the bitcoin counterparty of choice for Fortune 500s and wall street. And generally run things like any sane financial institution dealing with volatile securities.
Not running a bitcoin cafe out of customer funds...
> Yeah, another to way to put it is they aim for legitimacy so they can be the bitcoin counterparty of choice for Fortune 500s and wall street.
According to Coinbase, the total value of all Bitcoin is currently about $3.5 billion. This is a tiny, tiny market for "Fortune 500s and Wall Street" and is equivalent to the value of a single (smaller) mid-cap company. Even at its peak, the total value of all Bitcoin was only around $14 billion.
Daily Bitcoin transaction volume hasn't exceeded $100 million since July and has been as low as $33 million recently[1]. For comparison, daily volume in the FX markets exceeds $5 trillion.
Blockchain technology might be important but Bitcoin itself is about as interesting as the Burmese kyat or Gambian dalasi.
I'm not a real trader... but i can see the value in trading something that goes up and down 30% in a quarter..
EDIT: those currencies you mention are under prolonged inflation and are tied to the economic output of some small countries... bitcoin isn't either of those
You can trade equity options and gain or lose far more than 30% in well under 90 days.
The problem with Bitcoin is liquidity and market depth. Even if you're a small-time trader, there are better trading markets to focus your time and energy on.
Regarding the random currencies I mentioned in jest: I was making the point that any obscure currency or security is just about as interesting as Bitcoin.
If you take the view that Bitcoin is just the start and the popularity of the blockchain to secure financial transactions will grow and become mainstream over time then this has first mover advantage written all over it.
> ...this has first mover advantage written all over it.
No, it doesn't. Major financial institutions invest significantly in technology and many are already actively exploring the blockchain[1].
I wouldn't go so far as to say that the Winklevii can't stake out a position in the broader blockchain market, but a Bitcoin exchange isn't likely to help them establish a meaningful position.
Perhaps 'early' mover advantage might be a better choice of words.
> Major financial institutions invest significantly in technology...
That they may be, but that's no guarantee of success or domination. That's the whole point of the risk of startup. Also the reason for the explosion of interest.
I'm not suggesting that Gemini will win, but they are in the space, at the beginning, unencumbered by old tech (as the larger institutions are) and are making overtures to the established order. We don't know where that will lead.
The most viable opportunity relates to the application of blockchain technology to existing markets that are already dominated by major financial institutions. There is no doubt room for new companies to become blockchain technology providers to these financial institutions, but if you look at the Winklevii's investments and ventures, they are predominantly "Bitcoin as a big asset class" as opposed to "pure blockchain technology."
That's not to say that some of the technology they develop can't be repurposed for resale to other institutions, but a lot of others are already playing in the blockchain technology space and they don't have the burdens of trying to create and manage exchanges, ETFs, etc. for an "asset class" that is miniscule and heading in the wrong direction.
Yeah they are. They wern't originally but they launched 'Coinbase Exchange' a while back and now offer both their traditional broker service as well as Exchange services.
Not quite; there are two separate attacks currently ongoing against Bitcoin:
* The malleability attack: a transaction relayer is able to change the hash of the transactions, thus confusing senders or receivers who rely on this hash to check if the transaction has confirmed. This creates a nuisance, but all money arrive where they are supposed to. This attack does not affect memory usage on nodes, and it's an old and well-known issue.
* A transaction spam attack (misleadingly called a "stress test") where a shady group called coinwallet.eu creates a large amount of big transactions. These mostly have appopriate fees so that regular users who want their transactions to confirm in a timely manner has to out-bid the spammer. All the unconfirmed transactions are stored in the memory of nodes, so this severely affects memory usage (currently about 1 GB on some nodes).
Nifty. I think this is the first BTC operation I've seen where words like "compliance" are used in a serious fashion, and a direct aim at institutional investors is presented. Institutional investors are Very Serious Business, so it should be a fun ride.
Instead of requiring a scan of your driver's license or other identifying document, they ask you for questions about your history. I've seen a similar process used at etrade.
> Gemini operates fully in the United States. We work exclusively with American banks; your dollars are eligible for FDIC insurance and never leave the country
Is this just for the cash balance with the exchange or the bitcoin balance as well? I can't imagine it does, but it would be a strong selling point if it did. If its not, its pretty misleading as written.
> FDIC insurance covers all types of deposits received at an insured bank, including deposits in a checking account, negotiable order of withdrawal (NOW) account, savings account, money market deposit account (MMDA), time deposit such as a certificate of deposit (CD), or an official item issued by a bank, such as a cashier's check or money order.
> FDIC insurance covers depositors' accounts at each insured bank, dollar-for-dollar, including principal and any accrued interest through the date of the insured bank's closing, up to the insurance limit.The FDIC does not insure money invested in stocks, bonds, mutual funds, life insurance policies, annuities or municipal securities, even if these investments are purchased at an insured bank.
I think it is written fairly. Bitcoins and not dollars, and the rest of those things you listed that are covered by FDIC insurance are denominated in dollars. If someone (not you specifically) cannot understand the difference between dollars and bitcoins, they shouldn't be trading currencies.
Well, some people want exposure to bitcoins without necessarily understanding the block chain, recourse or anything really. That's the whole pitch behind everything the Winklevosses do in this domain. That's why they opened a bitcoin exchange traded fund and that's probably their rationale behind this exchange. Saying that "your dollars are eligible for FDIC insurance and never leave the country" makes someone think that their bitcoin balance is FDIC insured. I wasn't sure at first either and stock exchanges very explicitly state that their products are not FDIC insured and may lose value. Maybe the exchange has a similar disclaimer when you buy bitcoins on the exchange but I still think its a bit misleading to have that basically front and center.
Nothing wrong with wanting to invest in bitcoins without fully understanding them.
I didn't mean in the sense of not understanding Bitcoin itself. Rather, I meant that the FDIC isn't in the business of insuring Bitcoins, the same as they aren't into insuring RMB or any other non-USD currency.
> Well, some people want exposure to bitcoins without necessarily understanding the block chain, recourse or anything really. That's the whole pitch behind everything the Winklevosses do in this domain.
Yes and no. They initially wanted to open up the bitcoin market to institutional investors who want exposure without having to change anything in the trading software they use, the accounting structures etc. This meant: provide a bitcoin security that can be traded by wall street typically, such as an ETF on the NYSE or NASDAQ or something to that effect.
Barry Silbert's Second Market (definitely a wall street player) got there first in terms of accounting structures. They created a bitcoin security that anyone can buy and put on the books just like any other security (like some oil or wheat derivatives or whatever). But that was still sort of an old-fashion security that you buy on the phone rather than on an automated exchange. Not something that pension funds, university endowment funds etc can easily get into and scale up, but it opened up the bitcoin market to say small family wealth funds that wanted some exposure to the bitcoin price. Bitcoin is one of those things that is likely to either go to $0 or become 3 orders of magnitude more valuable. So if you believe there's a 10% chance that'll happen, investing $100k has an expected value of $9.9m, of course these are just made up numbers but this is often the rationale for investing even modest amounts of money. Silbert's GBTC (marketed under Grayscale) did fairly well but in wall street terms it's a really tiny fund (iirc about $50m or so).
The 'holy grail' for bitcoin investment right now would probably be an ETF. Basically the above security, but then traded on an exchange, a derivative of bitcoins trading on mainstream exchanges (i.e. exposure to bitcoin's price potential traded on exchanges where anyone can easily and automatically buy in without having to know anything about bitcoin or change accounting/audit practices). The Winklevoss's pitch was always to set up that ETF, which they're still working on, and the fact they just launched a normal exchange tells me they're either 1) building up the orderbooks, building relations with investors and building up liquidity etc a bit for a potential ETF launch later down the line or 2) the ETF is facing major, perhaps insurmountable roadblocks so they're pivoting to something less ambitious which is launch their own exchange. (which generally sucks because 1) there are major established players, like Coinbase, which are true software companies with half a billion dollar valuations, solid engineering teams and a big headstart, and 2) because none of the big players, like an investment fund, will be likely to register for your tiny exchange just to trade some bitcoin. They did get a lot of the legal frameworks right though, so it may be an interesting partner for investors nonetheless.)
As for security... well bitcoins are obviously not FDIC insured, but their security looks really tight, I'd feel very comfortable trading with them. [0][1] They still offer the 'you don't need to know anything about bitcoin or worry about security' pitch, but you still need to register with them rather than just select their security on the NYSE and click 'buy', and that doesn't fly for most big investment funds with strict auditing and accounting practices and automated trading teams. We'll see how it works out.
Also, FDIC insurance isn't for "if" your assets are lost, it's for "when". You can trust security and safety all you want, it's when things go wrong that you need insurance.
I really hope they get private insurance, because just like making sure there are enough lifeboats on the Titanic, hindsight is always 20/20.
Honestly when banks have crappy websites it makes me really feel like the engineers doing the backend work are terrible. I know this is a horrible bias but still if you can't spend the time to make a good website who says they didn't cut corners on security?
A local Credit Union had CAPTCHA's like, "4n1m4l" and (believe it or not) "b4nK3r". When I complained they snidely remarked that they were pretty sure they knew how to handle security.
That may be, but they no longer have my money.
Though, for what its worth, the biggest reason I left them is because they wanted to charge me a fee to deposit cash that my kids had saved up. "Because that's what Loomis Fargo charges us." So? Cost of doing business.
The irony that they were CHARGING ME TO GIVE THEM MONEY was completely lost on that particular teller.
It was incredibly slow here. The tab locked up the entire browser for a full 7 seconds before I could begin scrolling. The rendering frame rate of scrolling was 3-4 FPS, and only jumped back up to a fluid rate once I scrolled down past all of the images. Late 2013 MacBook Pro running Chrome.
That was a fun read--thanks for the link. So basically the sellers are pissed because they MAYBE could have gotten more cash if they had held out longer, and Zuck obfuscated who was buying. Any claims against the agent aside, sounds like a major case of sour grapes.
I'm a little disappointed that they only have level 2[1] HSMs in the cloud, as I would be uncomfortable protecting my hot wallet keys with only tamper evident protections, rather than level 3+ that actually attempt to detect intrusion and delete keys. Bitcoin makes for very quick stealing once you have keys, so reactive defenses against key loss don't help much as you're literally in a race condition with the attacker to empty the wallet (you into a non-compromised one, the attacker into their own). But I would assume they weighed cost/risk and I've never heard of a security compromise of Amazon's HSMs so it was probably a reasonable choice.
edit: I should also applaud their use of PGP and (explicit) respect for responsible disclosure.
[0]: https://exchange.gemini.com/security
[1]: https://en.wikipedia.org/wiki/FIPS_140-2#Level_2