1 2017-12-10 01:21:42 <eck> if you set up rpc auth, you can force the requests to be authenticated
2 2017-12-10 01:22:38 <eck> there's a script called share/rpcuser/rpcuser.py in the bitcoin source code, run that and it will generate a password for you and an rpcauth line you can put in your bitcoin.conf
3 2017-12-10 01:24:04 <eck> that said, if you are using the wallet functionality of bitcoind it's probably wise not to expose it to the internet, even if you have rpcauth enabled
4 2017-12-10 16:38:20 <cd0x23> anyone have an idea how services like coinbase that don't let you access your private keys, handle keys on their end? (key generations, transactions etc.)
5 2017-12-10 20:11:09 <eck> cd0x23: a lot of that is proprietary, but i know a little about what some of the exchanges are doing
6 2017-12-10 20:11:55 <eck> a number of the exchanges use bitgo, which basically sells bitcoin key escrow as a service
7 2017-12-10 20:12:06 <eck> coinbase does not, they have their own in house system but i don't know the details of how it works
8 2017-12-10 20:12:24 <eck> the really big exchanges are using hardware security modules
9 2017-12-10 20:13:12 <cd0x23> @eck oh I did not know such services as bitgo existed, I just assumed everyone used HSMs
10 2017-12-10 20:14:36 <eck> one of the major threats for exchanges, the biggest IMO, is that an internal rogue employee could try to steal the private keys
11 2017-12-10 20:15:21 <eck> to protect against this you need to use multisig wallets so one person can't walk away with the funds
12 2017-12-10 20:16:29 <cd0x23> eck do you know if the standard way to handle keys is hierarchical deterministic wallets for such services as coinbase?
13 2017-12-10 20:16:37 <eck> i do not know
14 2017-12-10 20:17:00 <cd0x23> eck thanks for all the input though, appreciate it