Bisq Wiki - User contributions [en]

Security Team

2020-06-10T16:47:47Z

Freimair: /* Duties */

The Security Team is responsible for keeping an eye on Bisq's needs for security - hunt bugs, design counter measures, be a point of contact for security related topics.

__TOC__

== Roles ==
* [[Security Team Lead]]

==Infrastructure==

===GitHub===

====Team====

[https://github.com/orgs/bisq-network/teams/security @bisq-network/security]

====Repositories====
* https://github.com/bisq-network/security

=== Chat ===

* [[Keybase]] <code>bisq.security</code> subteam

== Goals ==

=== What does "security" in "Security Team" mean ===

* Optimize information footprint
* Hardening of the Bisq app, services, protocols, down to code

=== Duties ===

* Maintain an overview of Bisq from a security perspective
* Find attack vectors
* Design counter strategies
* Act as a think-tank, consortium and knowledge base for security-related stuff
* Firefighting
* No feature implementation work, because that is the realm of either [[Dev Team]] or [[Ops Team]].

=== Mode of operation ===

Results and work of the security team might not be shared with the general public immediately. Simply because it makes no sense to publish a security vulnerability before it has been patched up. This is why the various channels of communication are invite-only.

=== General Roadmap ===
* Do security audits. Use appropriate tools to find vulnerabilities. Even leave the beaten path of Java if it is the reasonable thing to do.
* Up testing efforts. Technical dept is causing all sorts of issues already. More test coverage might just reveal more vulnerabilities.
* Implement means for a responsible disclosure process, either fed by the efforts of the security team or fed by external sources.
* Create and maintain an overview of Bisq from a security perspective
* Prioritize and design countermeasures to be implemented by the [[Dev Team]]/[[Ops Team]]

[[Category:Teams]]

Security Team

2020-06-10T16:46:50Z

Freimair:

The Security Team is responsible for keeping an eye on Bisq's needs for security - hunt bugs, design counter measures, be a point of contact for security related topics.

__TOC__

== Roles ==
* [[Security Team Lead]]

==Infrastructure==

===GitHub===

====Team====

[https://github.com/orgs/bisq-network/teams/security @bisq-network/security]

====Repositories====
* https://github.com/bisq-network/security

=== Chat ===

* [[Keybase]] <code>bisq.security</code> subteam

== Goals ==

=== What does "security" in "Security Team" mean ===

* Optimize information footprint
* Hardening of the Bisq app, services, protocols, down to code

=== Duties ===

* Find attack vectors
* Design counter strategies
* Act as a think-tank, consortium and knowledge base for security-related stuff
* Firefighting
* No feature implementation work, because that is the realm of either [[Dev Team]] or [[Ops Team]].

=== Mode of operation ===

Results and work of the security team might not be shared with the general public immediately. Simply because it makes no sense to publish a security vulnerability before it has been patched up. This is why the various channels of communication are invite-only.

=== General Roadmap ===
* Do security audits. Use appropriate tools to find vulnerabilities. Even leave the beaten path of Java if it is the reasonable thing to do.
* Up testing efforts. Technical dept is causing all sorts of issues already. More test coverage might just reveal more vulnerabilities.
* Implement means for a responsible disclosure process, either fed by the efforts of the security team or fed by external sources.
* Create and maintain an overview of Bisq from a security perspective
* Prioritize and design countermeasures to be implemented by the [[Dev Team]]/[[Ops Team]]

[[Category:Teams]]

Security Team

2020-06-10T16:35:23Z

Freimair:

Security Team

2020-06-10T16:31:56Z

Freimair:

Security Team Lead

2020-06-10T16:28:30Z

Freimair: /* Duties */

This article documents the ''Security Team Lead'' [[Role|role]].

__TOC__

== Issue ==
* [https://github.com/bisq-network/roles/issues/108 Security Team Lead #108]

== Team ==
===github===
* [https://github.com/orgs/bisq-network/teams/team-leads Team Leads team]
* [https://github.com/orgs/bisq-network/teams/security Security Team]
===wiki===
* [[Security_Team|Security Team]]

== Duties ==

* Review Team's [[Compensation]] requests as per Process.
* Maintain security roadmap and track efforts
* Be official point of contact for reported security issues

== Rights ==


== Bonding ==
N/A

[[Category:Roles]]

Security Team

2020-06-10T16:22:30Z

Freimair: Created page with "The Security Team is responsible for keeping an eye on Bisq's needs for security - hunt bugs, design counter measures, be a point of contact for security related topics. __TO..."

Security Team Lead

2020-06-10T16:22:05Z

Freimair: Created page with "This article documents the ''Security Team Lead'' role. __TOC__ == Issue == * [https://github.com/bisq-network/roles/issues/108 Security Team Lead #108] == Team ==..."

This article documents the ''Security Team Lead'' [[Role|role]].

__TOC__

== Issue ==
* [https://github.com/bisq-network/roles/issues/108 Security Team Lead #108]

== Team ==
===github===
* [https://github.com/orgs/bisq-network/teams/team-leads Team Leads team]
* [https://github.com/orgs/bisq-network/teams/security Security Team]
===wiki===
* [[Security_Team|Security Team]]

== Duties ==

* Review Team's [[Compensation]] requests as per Process.
* Maintain security roadmap and track efforts
* Be official point of contact for reporting security issues

== Rights ==


== Bonding ==
N/A

[[Category:Roles]]

Running Bisq on Tails

2020-04-10T13:24:15Z

Freimair:

In order to use Bisq on the Tails OS, a few manual steps are required.

== Preparations ==

* configure a [https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/ administration password] when installing Bisq
* configure [https://tails.boum.org/install/inc/steps/create_persistence.inline/index.en.html persistent storage]

== Install ==

Go to https://github.com/bisq-network/bisq/releases using your Tor Browser and download the <code>Bisq-64bit-[version].deb</code> and <code>.asc</code> files.

You may have to use <code>wget</code>, because <code>curl</code> may not use Tor and therefore is blocked from internet access.

=== Verify your download ===

* <code>wget https://bisq.network/pubkey/[keyid].asc</code> should result in a file <code>[keyid].asc</code> in your working directory
* import the key to gpg by <code>gpg --import [keyid].asc</code>
* check the signature with <code>gpg --digest-algo SHA256 --verify [yourbinaryhere]{.asc*,}</code> which should give you something like this
<code>
[snip]
gpg: Good signature from "Christoph Atteneder...
[snip]
</code>

=== Install Bisq ===

do a simple <code>sudo dpkg -i [yourbinaryhere]</code>

== Configure ==

* make authcookie readable:
<pre>sudo chmod o+r /var/run/tor/control.authcookie</pre>

* configure <code>onion-grater</code>
Create a file <code>/etc/onion-grater.d/bisq.yml</code> with contents:
<pre>
---
- apparmor-profiles:
- '/opt/Bisq/Bisq'
users:
- 'amnesia'
commands:
AUTHCHALLENGE:
- 'SAFECOOKIE .*'
SETEVENTS:
- 'CIRC WARN ERR'
- 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
GETINFO:
- 'net/listeners/socks'
ADD_ONION:
- pattern: 'NEW:(\S+) Port=9999,(\S+)'
replacement: 'NEW:{} Port=9999,{client-address}:{}'
- pattern: '(\S+):(\S+) Port=9999,(\S+)'
replacement: '{}:{} Port=9999,{client-address}:{}'
DEL_ONION:
- '.+'
HSFETCH:
- '.+'
events:
CIRC:
suppress: true
ORCONN:
suppress: true
INFO:
suppress: true
NOTICE:
suppress: true
WARN:
suppress: true
ERR:
suppress: true
HS_DESC:
response:
- pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
- pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*'
replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
- pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+'
replacement: '650 HS_DESC UPLOADED {} {} redacted'
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH'
replacement: '650 HS_DESC REQUESTED {} NO_AUTH'
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+'
replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'
- pattern: '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+'
replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'
- pattern: '.*'
replacement: ''
HS_DESC_CONTENT:
suppress: true
</pre>
and restart the <code>onion-grater</code> service by
<pre>service onion-grater restart</pre>

* In <code>/usr/share/applications/Bisq.desktop</code> replace
<pre>Exec=/opt/Bisq/Bisq</pre>
with
<pre>Exec=/opt/Bisq/Bisq --torControlPort 9051 --torControlCookieFile=/var/run/tor/control.authcookie --torControlUseSafeCookieAuth</pre>

== Run Bisq ==

* click '''[Applications]'''->'''[Other]'''->'''[Bisq]'''
* via terminal: <code>/opt/Bisq/Bisq --torControlPort 9051 --torControlCookieFile=/var/run/tor/control.authcookie --torControlUseSafeCookieAuth</code>

[[Category:Guides]]

Running Bisq on Tails

2020-04-10T13:21:42Z

Freimair: Release candidate 1

Running Bisq on Tails

2020-04-10T12:35:40Z

Freimair:

[WIP]

In order to use Bisq on the Tails OS, a few manual steps are required.

== Preparations ==

* configure a [https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/ administration password] when installing Bisq
* configure [https://tails.boum.org/install/inc/steps/create_persistence.inline/index.en.html persistent storage]

== Install ==

Go to https://github.com/bisq-network/bisq/releases using your Tor Browser and download the <code>Bisq-64bit-[version].deb</code> and <code>.asc</code> files.

You may have to use <code>wget</code>, because <code>curl</code> may not use Tor and therefore is blocked from internet access.

=== Verify your download ===

* <code>wget https://bisq.network/pubkey/[keyid].asc</code> should result in a file <code>[keyid].asc</code> in your working directory
* import the key to gpg by <code>gpg --import [keyid].asc</code>
* check the signature with <code>gpg --digest-algo SHA256 --verify [yourbinaryhere]{.asc*,}</code> which should give you something like this
<code>
[snip]
gpg: Good signature from "Christoph Atteneder...
[snip]
</code>

=== Install Bisq ===

do a simple <code>sudo dpkg -i [yourbinaryhere]</code>

== Configure ==

* make authcookie readable:
<pre>sudo chmod o+r /var/run/tor/control.authcookie</pre>

* configure <code>onion-grater</code>
Create a file <code>/etc/onion-grater.d/bisq.yml</code> with contents:
<pre>
---
- apparmor-profiles:
- '/opt/Bisq/Bisq'
users:
- 'amnesia'
commands:
SETEVENTS:
- 'CIRC WARN ERR'
- 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
GETINFO:
- 'net/listeners/socks'
ADD_ONION:
- pattern: 'NEW:(\S+) Port=9999,(\S+)'
replacement: 'NEW:{} Port=9999,{client-address}:{}'
- pattern: '(\S+):(\S+) Port=9999,(\S+)'
replacement: '{}:{} Port=9999,{client-address}:{}'
DEL_ONION:
- '.+'
HSFETCH:
- '.+'
events:
CIRC:
suppress: true
ORCONN:
suppress: true
INFO:
suppress: true
NOTICE:
suppress: true
WARN:
suppress: true
ERR:
suppress: true
HS_DESC:
response:
- pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
- pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*'
replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
- pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+'
replacement: '650 HS_DESC UPLOADED {} {} redacted'
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH'
replacement: '650 HS_DESC REQUESTED {} NO_AUTH'
- pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+'
replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'
- pattern: '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+'
replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'
- pattern: '.*'
replacement: ''
HS_DESC_CONTENT:
suppress: true
</pre>

* In <code>/usr/share/applications/Bisq.desktop</code> replace
<pre>Exec=/opt/Bisq/Bisq</pre>
with
<pre>Exec=/opt/Bisq/Bisq --torControlPort 9052 --torControlCookieFile=/var/run/tor/control.authcookie --useTorForBtc=True</pre>

Running Bisq on Tails

2020-04-10T11:42:25Z

Freimair:

[WIP]

In order to use Bisq on the Tails OS, a few manual steps are required.

== Preparations ==

* configure a [https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/ administration password] when installing Bisq
* configure [https://tails.boum.org/install/inc/steps/create_persistence.inline/index.en.html persistent storage]

== Install ==

Go to https://github.com/bisq-network/bisq/releases using your Tor Browser and download the <code>Bisq-64bit-[version].deb</code> and <code>.asc</code> files.

You may have to use <code>wget</code>, because <code>curl</code> may not use Tor and therefore is blocked from internet access.

=== Verify your download ===

* <code>wget https://bisq.network/pubkey/[keyid].asc</code> should result in a file <code>[keyid].asc</code> in your working directory
* import the key to gpg by <code>gpg --import [keyid].asc</code>
* check the signature with <code>gpg --digest-algo SHA256 --verify [yourbinaryhere]{.asc*,}</code> which should give you something like this
<code>
[snip]
gpg: Good signature from "Christoph Atteneder...
[snip]
</code>

=== Install Bisq ===

do a simple <code>sudo dpkg -i [yourbinaryhere]</code>

== Configure ==

* make authcookie readable:
<pre>sudo chmod o+r /var/run/tor/control.authcookie</pre>

* configure <code>onion-grater</code>
<code>wget https://raw.githubusercontent.com/Whonix/onion-grater/master/usr/share/doc/onion-grater-merger/examples/40_bisq.yml</code>

* In <code>/usr/share/applications/Bisq.desktop</code> replace
<pre>Exec=/opt/Bisq/Bisq</pre>
with
<pre>Exec=/opt/Bisq/Bisq --torControlPort 9052 --torControlCookieFile=/var/run/tor/control.authcookie --torControlUseSafeCookieAuth --useTorForBtc=True</pre>

* TODO
* do we need that in startup args?
<pre>socks5ProxyBtcAddress=127.0.0.1:9050 --socks5ProxyHttpAddress=127.0.0.1:9050</pre>
seems like tails will do that anyways because all traffic from tails goes over tor
* added iptables rules to connect to nodes:
<pre>
sudo iptables -I OUTPUT 3 -d 127.0.0.1 -o lo -p tcp --dport 8333 --syn -m owner --uid-owner amnesia -j ACCEPT # bisq
sudo iptables -I OUTPUT 3 -d 127.0.0.1 -o lo -p tcp --dport 8000 --syn -m owner --uid-owner amnesia -j ACCEPT # bisq
</pre>
seems to me that this has been used to allow connecting to seed nodes while using the localhostforp2p (which means there is no tor involved for Bisq at all)

Running Bisq on Tails

2020-04-10T10:30:34Z

Freimair: Created page with "[WIP] In order to use Bisq on the Tails OS, a few manual steps are required. == Preparations == * configure a [https://tails.boum.org/doc/first_steps/welcome_screen/adminis..."