Michael,
Here are my additional thoughts.
> We are a reputable cryptocurrency project and they are a reputable
> cryptocurrency exchanger so unless there is evidence of risk we'll
> probably trust one another to make the arrangement work, unless anyone
> objects with a better alternative.
I think that their KYC process has to allow for something to handle this.
I'm willing to submit my documentation to them (ID, pay stub, etc.) so that
they'll at least have full information about one point of contact.
> Do you want me to ask the Defcon organizer if our village is protected
> by an insurance policy for any particular thing? Should I make the
> question general (stating no particular thing?)
Yes. It's important that we know what exposures and coverage we have. We
know that our hardware is at risk and I suppose we could all recover
without them, but the BATM is both a prime target for thieves and not our
personal property. Let's get as much information on insurance and the theft
reporting process as we can.
> Our loan machine is the smallest model, so the idea of putting it in a
> hotel room after hours is maybe a good idea.
This is a viable alternative to trusting the conference security. We can
decide on this when we get everything in hand.
> Did we decide to only support ATM Monero wallets during our meeting, or
> is that just my imagination?
I don't recall that decision, but it's consistent with the village theme.
We should ask the ATM operator about this, as I assume they will want to
have all coins turned on since that's how they'll make more profit.
> Hands on, there is only so much to demonstrate with a BATM.
To fill in some of the empty time slots on the educational tasks, I've put
in a few hours for this demonstration. I'll work on some ideas like this to
fill in the time.
> I think the ATMs one floor below (literally underneath our village) are
> sometimes manipulated, so this is a valid concern. It would be good for
> you and me to both state in email that there is increased risk and we
> recommend limiting transactions in time (one per 5 minutes?) or amount
> (maximum 50 USD) or both. We can recommend that they keep a maximum
> (100-200 XMR?) in the machine's server. We can limit the XMR provider's
> (operator or manufacturer) risk as well by turning the machine on only
> when a staff person is standing next to it.
Yes, this is smart. We will have to work with the ATM operator to make sure
they understand this.
On Mon, Jul 16, 2018 at 1:05 PM, Michael Schloh von Bennewitz <michael(a)getmonero.org> wrote:
> Hello Sean,
>
> On 16.07.2018 at 17:28 Sean Coughlin wrote:
> > Thanks for working on this and getting in contact with the manufacturer.
> > I think I should be the contact person since I plan to take responsibility
> > for setting up and guarding the machine itself.
> >
> Thanks for the time and attention to be the contact person, I think all
> or most of us agree you are the perfect choice.
>
> > My thoughts & concerns are as follows:
> >
> > - What level of trust do we have with the ATM operator?
> >
> The operator is a good customer according to the ATM manufacturer. If
> you want, I can ask specific questions like 'how long have they been a
> customer?' or 'how many machines do they operate?'
>
> > - Do they have experience working with 3rd parties who handle the
> > security of the ATM?
> >
> Once you become involved in the email flow, you can ask them this
> question. I don't know the answer, and am waiting for permission to add
> you to the thread.
>
> > - Will the ATM operator allow us to have exclusive control over the ATM
> > and keep the door keys?
> >
> They have not yet answered my question in which I 'request that we
> maintain control over the machine'. It's likely that both parties trust
> one another enough to share control. It's possible (likely?) that we
> retain full control and they get none.
>
> > - If so, how do we assure the ATM operator that we won't steal their
> > cash?
> >
> There is likely a log that they can access to see what cash they deserve
> and will simply ask us for it.
>
> We are a reputable cryptocurrency project and they are a reputable
> cryptocurrency exchanger so unless there is evidence of risk we'll
> probably trust one another to make the arrangement work, unless anyone
> objects with a better alternative.
>
> > - Note that if they don't return to pick up their cash on Sunday
> > then we can send it to their address by certified mail, which
> > protects us legally.
> >
> I guess so. This would need to follow some neglect on their part, and
> it's unlikely we forget to tell them of the possibility.
>
> > - If not, how do we ensure that the ATM operator will return the
> > keys and pick up their cash on Sunday?
> >
> There is no way to ensure that the operator returns keys or takes their
> money. You can probably soon ask them yourself, what method we have to
> ensure that they take the money out of our village.
>
> > - If we can't open the machine then we can't send it on to its
> > next destination and we will be in legal trouble.
> >
> > - What do we do if someone steals the BATM during the conference
> > or overnight?
> >
> The same procedure for all day and overnight theft.
>
> > - Does the hotel have insurance to protect us, and if so do we have
> > to work with hotel security for this?
> >
> There is no contract between the hotel and the Monero Project. I haven't
> heard of any insurance against fire, theft, injury, or worse. It's
> possible that all the villages are missing this insurance, or that some
> of them have it.
>
> Do you want me to ask the Defcon organizer if our village is protected
> by an insurance policy for any particular thing? Should I make the
> question general (stating no particular thing?)
>
>
> > - Should I move the BATM offsite overnight to prevent this, and
> > should I get security to make sure there's no criminal activity involved?
> >
> Our loan machine is the smallest model, so the idea of putting it in a
> hotel room after hours is maybe a good idea.
>
> The hotel security already has a list of priorities, which we cannot
> influence. It's almost certain that avoiding criminal activity is one of
> their priorities.
>
> Don't forget that there are only two people with keys to our evening
> locked doors (aside from the hotel staff.) That is our floor manager and
> the Defcon village contact.
>
> Hotel security guards patrol the village doors and areas after hours,
> but I don't think there is a guard stationed at each village. They
> circulate to ensure there is no after hours activity.
>
> > - Can we have a daily/nightly cash out with the ATM operator to
> > reduce this risk?
> >
> This is a good idea as well, and you should ask them once active on the
> email thread.
>
> > - What do we do if a hardware hacker hijacks the device while at the
> > conference causing some violation?
> >
> We should probably document the violation in the usual theft reporting
> way (look up police recommendations for reporting theft) and inform the
> operator and General Bytes. They have had exposure for a long time and
> can likely provide a good answer.
>
> > - Does the ATM operator allow Monero transactions? If not, what
> > value is this?
> >
> I've informed them that we will possibly configure the machine to serve
> only Monero transactions. There is no default configuration for the
> machine, so we must decide on which speech languages to support as well
> as cryptocurrencies.
>
> Did we decide to only support ATM Monero wallets during our meeting, or
> is that just my imagination?
>
> > - What types of demonstrations should we give to show off the BATM?
> >
> One type is to simply open it and tell people to look inside.
>
> Another type is to allow people to guess which operating system is
> running and encourage software discussion.
>
> Hands on, there is only so much to demonstrate with a BATM. Probably
> once in a while (intermissions between presentations) we announce that a
> staff person is going to make an ATM wallet withdrawal.
>
> 1) The staff person walks to the ATM
> 2) The staff person presses the screen twice
> 3) The staff person inserts bills
> 4) The staff person withdraws the paper wallet
> 5) The staff person makes a photo of the screen
> 6) The staff person scans the paper wallet QR with Monerujo
> 7) The staff person walks away
>
> IMPORTANT
>
> Regarding demonstrations, the manufacturer has gone a long way to
> accommodate us with wallet research, and has retrofitted our loan BATM
> with an NFC reader and supporting software to empower our decision for or
> against using NFC wallets. Some BATM machines can dispense black plastic
> NFC cards.
>
> Everything else relating to NFC transmitted hardware wallets will be
> disclosed on site to a very small group, in a demonstration. It is
> forbidden to encourage use of village badges for financial applications.
>
> > I might be a bit more worried than I need to be but this is going to be the
> > most hostile environment imaginable for a high-tech ATM to run. I think
> > that if the manufacturer and the ATM operator understand the 'dangerous'
> > situation this is, then we'll be better off.
> >
> I think the ATMs one floor below (literally underneath our village) are
> sometimes manipulated, so this is a valid concern. It would be good for
> you and me to both state in email that there is increased risk and we
> recommend limiting transactions in time (one per 5 minutes?) or amount
> (maximum 50 USD) or both. We can recommend that they keep a maximum
> (100-200 XMR?) in the machine's server. We can limit the XMR provider's
> (operator or manufacturer) risk as well by turning the machine on only
> when a staff person is standing next to it.
>
> Cheers,
> Michael
>
> --
> Michael Schloh von Bennewitz
> Software Development Engineer
> Europalab Networks R&D, Munich
> Office: +49(89)44239885 UTC+2
> Mobile: Same as 'Office'
> Web: http://michael.schloh.com/
> _______________________________________________
> Monero-defcon mailing list -- monero-defcon(a)lists.getmonero.org
> To unsubscribe send an email to monero-defcon-leave(a)lists.getmonero.org
>