What are Privacy Coins

Mar11
by Shahid Sharif on March 11, 2018 at 4:37 pm
Posted In: Cryptocurrencies, Privacy Coins, Security

Introduction

Today I will be talking about privacy coins or privacy cryptocurrencies. I prefer calling them tokens and not cryptocurrency or coins as they are not issued by a central government and are not a stable store of value. At the moment all the tokens are mere experiments, just like Bitcoin was until speculators took over.

Tokens, Fiat, Crypto, Electronic currencies

The idea of tokens is not new, it has existed for a while only that those tokens were valid in a specific ecosystem. For instance, when you went to fairs or video arcades, you bought a bunch of tokens, which you could use within the boundaries of the business, and outside of that business, they were pretty useless. Then came the Casino tokens, which are worth more than the fair or video arcade tokens, but again they are valid within a particular Casino.

We have been using electronic money for a while now, ever since credit cards and debit cards came into existence in late 70’s to early 80’s. You purchase goods/services and you pay with your Debit/Credit card, and money gets transferred from one entity to another.

Prior to debit cards and credit cards, the only way to track peoples spending activities was via their bank accounts and cheques. Although Cheques are less prevalent now, as electronic funds transfer mechanisms have taken hold.

Privacy, Anonymity & Fungibility

Anytime we exchange fiat currency, we never know who used this bill before us, all we can say is I got this bill from A and I gave it to B, that is it, and even that information is not written anywhere, it is all in our head. The only issue with fiat is that it is controlled by governments, and they can print as much as they want which results in devaluation. Just think of how much your $10 bill is worth now vs twenty years ago.

Bitcoin was an experiment to create a payment instrument that did not have a central body controlling it. When you transacted in Bitcoin, people thought that their transactions were anonymous just like when using fiat. The issue is that the Bitcoin distributed ledger, called the blockchain, maintains each and every transaction since that particular block was mined.

Since public blockchains such as LiteCoin, Bitcoin, Ethereum, etc. are open ledgers you can go to the particular blockchain explorer site, such as http://blockchain.info, and trace all activities related to the particular public address. Once you identify a person to that address, their activities can be easily traced.

The other issue with Bitcoin is, fungibility since all transactions are recorded in the blockchain, all activities related to a particular token can be traced. This allows organizations to check if a particular token was used for illicit purposes if it was then they can refuse to accept it. With existing fiat no one checks against a list where did the $5 bill came from, you never know who the owner of that particular bill was before the person who gave it to you and you don’t even bother to ask for the details either. It is common understanding all $5 bills have the same value regardless of who owned it or what it was used for.

Some Privacy Tokens

To address this very issue privacy coins or privacy tokens have come into existence.

All these tokens are different implementations of the same requirement, making crypto token transactions untraceable for both the receiver and the sender.

Following is a list of tokens that I could find so far, and there are many more.

Name

Symbol

TPS

Forked From

Fork Block

Total Supply

Founded

Mining Algorithm

Privacy Algorithm

Protocol

Send Options

ByteCoin

BCN

N/A

184.46billion

1-Jul-2012

CryptoNight

Ring Signatures

CryptoNote

Monero

XMR

1000

ByteCoin

Unlimited

18-Apr-2014

CryptoNight-POW

Ring Signature

CryptoNote

Verge

XVG

100

Dogecoin

16.5billion

1-Oct-2014

Scrypt, x17, groestl, blake2s & lyra2rev2

Wriath

DASH

DASH

56

Litecoin

18million

18-Jan-2015

Coin Join

Instant, Private

PIVX

PIVX

50

DASH

Unlimited

1-Feb-2016

POS

zPIV

SwiftX

Zcash

ZEC

Bitcoin

21million

28-Oct-2016

Equihash-POW

zk-SNARKs

Zerocoin

Transparent Address, Shielded Address

Zclassic

ZCL

Zcash

21million

5-Nov-2016

Equihash-POW

ZenCash

ZEN

Zclassic

110,000

21million

23-May-2017

Deep Onion

ONION

62.5

N/A

19.4million

1-Jul-2017

POS+POW

zk-SNARKs, Coin Join, Ring Signatures

DeepSend

Bitcoin Private

BTCP

Bitcoin & Zclassic

511346/272991

2-Mar-2018

Equihash-POW

zk-SNARKs

└ Tags: , , , , , , , , , , , ,
Comments Off on What are Privacy Coins

What to do after the Audit report has been issued?

Feb09
by Shahid Sharif on February 9, 2018 at 4:00 pm
Posted In: Audit, Risk Management

Introduction

At the conclusion of an audit, the third party audit firm issues an audit report to the organization. If the report is unqualified, it is a great achievement for everyone involved in the audit program. Usually the client prime from the compliance team, who manages the audit and maintains engagement with the internal teams and external auditors gets the credit for the unqualified report, while the rest of the participants don’t really get recognized as much.

In most cases this is what happens.

  • External auditors identify the exception with the control, which may or may not lead to qualification.
  • Control owners are notified of the exception, most times the control owners immediately start working on remediation.

If you notice in the above steps that the compliance team prime has not really done anything heavy lifting has been done by the external auditors and the control owner teams. The compliance team prime is just acting as the project manager. Most of the guidance on how to remediate is provided by the external auditor and once completed is tested by the external auditor.

Hence my reluctance on giving the compliance team prime all the accolades for an unqualified report.

Suggested Approach

In my eyes the compliance team audit prime will be worthy of receiving the accolades if the following two processes are included in the Compliance Program.

Post Audit Remediation

Ideally if the compliance team is managing the compliance program well, this is what they should be doing:

  • Once the current audit report has been issued a list of items that need attention should be prepared, and the items on this list can be of the following types:
    • Observation/Opportunity for Improvement (OFI)
    • Exception
    • Qualification
  • Once the audit firm issues the Management Letter Points, it should be checked against the list and anything that is missing in the list should be added.
  • A meeting should be conducted with control owner leadership usually at the VP level to bring awareness to them about the identified gaps and get their and their teams support in remediation.
  • The senior leader/VP should ensure that they send an email to their teams, informing them to provide full support to the compliance team.
  • The compliance team then meets with each of the control owners and identifies a deadline by which the remediation should be complete.
  • A Project manager then should take over to ensure tracking and reporting is done upwards and downwards.
  • As the remediation is completed, the compliance team must ensure they test the control to ensure it indeed will be able to pass external auditors scrutiny.

Continuous Compliance

While the above activities are in flight it is key that the organization also embrace a continuous compliance program where:

  • Audit evidence collection is happening throughout the year.
  • The evidence must be collected and uploaded to the central repository by the control owners.
  • Compliance team prime must review and sign-off on the evidence as meeting the control objectives.
  • If control objectives are not being met, then work with the control owner(s) to implement remediation plan immediately.

If Post Audit Remediation and Continuous Compliance are practised as mentioned this is where the success of Compliance program surfaces and indeed there should be no shame in providing accolades to the audit prime and to the whole team involved in ensuring they meet the control requirements.

The Continuous Compliance ensures most of the evidence has already been collected which ultimately ensures control owners and audit primes don’t face audit fatigue and face less pressure from compliance perspective.

└ Tags: , , , , , , ,
Comments Off on What to do after the Audit report has been issued?

SOC2 Reporting & Management Response

Feb02
by Shahid Sharif on February 2, 2018 at 4:00 pm
Posted In: Audit, Podcast, Risk Management

Introduction

When a SOC 2 report is issued, I have seen that in “Description of Tests of Controls and Results of Testing” section, if a control has an exception or a qualification, a management response is included.  It explains how the exception or the qualification risk is being managed. Proponents of this approach say that it helps avoid questions from customers.

Issue

Talking from experience, these are the issues I see with this approach.

  • First of all, 90% of the time, customers totally ignore the management response. They need further details via a meeting or email.
  • If the management response is for an exception, the reason it is an exception is because the control is addressing most of risk as designed and operated. Hence,  a management response within the report does not make sense. In most cases the management response has been put together rather hurriedly and most of the time without management’s blessing.  While the audit is in progress, it is difficult for the control owners to work on the audit and offer guidance on how the risk is being managed and producing a so-called management response verbiage. Remember, although this is called a management response, because of tight timelines, management might not have really blessed it. Why, because everyone is busy collecting evidence for the audit and preparing the audit report trying to meet the deadline to issue the audit report on time.
  • If the management response is for a qualification, then it is even more important to tread carefully before committing to a resolution, who knows what the actual implementation will look like.

Suggested Approach

My suggested approach is to issue the audit report without including management responses in “Description of Tests of Controls and Results of Testing” section.

Within thirty days of audit report issuance, the compliance should meet with the control owners ensure :

  • Agreement on remediation approach.
  • Identification of timelines.
  • Management (VP’s, Directors, Managers) are on-board with remediation plan.
  • Assignment of a Project Manager to track and report on the remediation progress regularly.

After all of the above activities are complete, the management response letter should be prepared.  It should state the remediation plan and timelines. This letter is signed by the business owner of the audit, usually the VP.

Then, whenever a customer query comes in ,share the letter with them. This proves to the customer that your organization is serious about managing risks and are on top of addressing them.

Management letter is re-issued as remediation is completed or timelines change.

These actions ensure a successful compliance program, as all stakeholders are on-board.

Most of the times management is not aware of the remediation requirements, hence operational teams are not focused on remediation.  As as a result remediation does not get implemented prior to the next audit cycle, resulting in a qualified audit report or repeating exceptions.

└ Tags: , , , , , , ,
Comments Off on SOC2 Reporting & Management Response

As Bitcoin Reaches New Price Highs, Network Congestion and Fees Spike – Bitcoin News

Nov07
by Dude on November 7, 2017 at 5:12 pm
Posted In: Bitcoin, Cryptocurrences, Distributed Ledgers

The straw that broke camels back. 

As Bitcoin price soars, more investors are joining the bandwagon. Unfortunately Bitcoin blockchain is facing performance issues that is causing transaction confirmation delays and rising transaction fees.  Currently there are 26000 unconfirmed transactions and transaction fees sitting at around $5-$10.  With such high transaction fees the main reason behind Bitcoin seems to be loosing ground. 

https://news.bitcoin.com/as-bitcoin-reaches-new-price-highs-network-congestion-and-fees-spike/?utm_source=OneSignal%20Push&utm_medium=notification&utm_campaign=Push%20Notifications

└ Tags: , ,
Comments Off on As Bitcoin Reaches New Price Highs, Network Congestion and Fees Spike – Bitcoin News

A Simple Guide to What Bitcoin Forks Are and Why They Happen – Bitcoin News

Nov05
by Dude on November 5, 2017 at 7:45 pm
Posted In: Security

https://news.bitcoin.com/a-guide-to-what-a-bitcoin-fork-is-and-why-they-happen/?utm_source=OneSignal%20Push&utm_medium=notification&utm_campaign=Push%20Notifications

Comments Off on A Simple Guide to What Bitcoin Forks Are and Why They Happen – Bitcoin News