Topic: About Mt. Gox flaw from a security expert - page 11. (Read 34182 times)

legendary
Activity: 1050
Merit: 1000
You are WRONG!
Quote
FreeBSD has less bugs than Linux (one fold less).
no freebsd has less discovered bugs..

Quote
FreeBSD bugs went up because there has been a MAJOR review of code, both from volunteers and paid developers. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
and now you are talking about openbsd instead of freebsd.
either you are stupid or you don't know what you are talking about.
openbsd is maybe the most paranoid OS in the world, yes thats right.

Quote
The production machines with the best uptime are FreeBSD based.
and...? uptime != security

Quote
Still you think that Linux is safer than FreeBSD?
i have never said that. you are the one waving the freebsd flag.

i say you are a troll.
member
Activity: 140
Merit: 10
Anyhow let's put this way: My opinion is that FreeBSD is the most secure,  reliable and scalable OS. You think that Linux is more secure than FreeBSD.
Well i think OpenBSD is more secure..


Sorry, by saying FreeBSD I mean *BSD. It's just that I'm working on a big FreeBSD project and I have this name in my mind.


You are totally right by saying that OpenBSD is safer than FreeBSD
newbie
Activity: 39
Merit: 0
Anyhow let's put this way: My opinion is that FreeBSD is the most secure,  reliable and scalable OS. You think that Linux is more secure than FreeBSD.
Well i think OpenBSD is more secure..
member
Activity: 140
Merit: 10


You see what you want to see, I read somewhere Smiley

I do think that people should be paid the same for the same task, regardless of them being poor or rich. I also think that your hatred made you state the wrong idea. You mean rich people should not PAY the same as poor people, right? not GET PAID?

regardless, yes, I think a thing is a thing and has a value regardless of who pays and who gets paid. It's how much you are willing to pay that makes the price, not how wealthy you are, in my personal opinion. But I'm sure you are correct, and that's why the world is as it is today.

You are American, right?

Next time you fill in your tax form, ask to pay the same amount as Donald Trump. Personal wealth doesn't matter, right? Smiley
legendary
Activity: 1540
Merit: 1002

re: 100k, aha, good. So that explains why asking 5 digit fees is small, because they (we all that use it) can pay? Ok, now you sound more like a real security expert, or a lawyer, or a politician...


So you think that poor people and rich people should be paid the same for things?


I might be an incurable socialist, but I see this as wrong.


I still see too much hate in your posts.

You see what you want to see, I read somewhere Smiley

I do think that people should be paid the same for the same task, regardless of them being poor or rich. I also think that your hatred made you state the wrong idea. You mean rich people should not PAY the same as poor people, right? not GET PAID?

regardless, yes, I think a thing is a thing and has a value regardless of who pays and who gets paid. It's how much you are willing to pay that makes the price, not how wealthy you are, in my personal opinion. But I'm sure you are correct, and that's why the world is as it is today.
member
Activity: 140
Merit: 10

re: 100k, aha, good. So that explains why asking 5 digit fees is small, because they (we all that use it) can pay? Ok, now you sound more like a real security expert, or a lawyer, or a politician...


So you think that poor people and rich people should be paid the same for things?


I might be an incurable socialist, but I see this as wrong.


I still see too much hate in your posts.
member
Activity: 140
Merit: 10
Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.
please explain...

Were you asking me?

http://en.wikipedia.org/wiki/Statistical_hypothesis_testing

http://en.wikipedia.org/wiki/Statistic

http://en.wikipedia.org/wiki/Confidence_level

http://en.wikipedia.org/wiki/Statistically_significant
legendary
Activity: 1540
Merit: 1002


drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?


the one making 100.000$+ is mt. gox, not me. I'm not this big by ANY means.


 I read too much hate in your posts, this is not the only example where you read what you wanted to read in my posts.

re: 100k, aha, good. So that explains why asking 5 digit fees is small, because they (we all that use it) can pay? Ok, now you sound more like a real security expert, or a lawyer, or a politician...

re: hate. Come again? the example (not the only one, I understand) that I read what I wanted to read in your posts is that you read too much hate in my posts? huh?

But enough hatred, I know I have an attitude problem as all that had to deal directly with me can attest to. Too much good, positive attitude and a complete lack of capability of making simple ironic remarks Smiley I'm a long time professional at what I do, and that is not trolling nor is it security. You are obviously better than me on both accounts so if you can refrain from replying to my post here, I promise I'll behave and not make hatred filled remarks on any other altruistic comment coming from you on this thread.
member
Activity: 140
Merit: 10
I read so much hate in these forums. People please, chill out.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.
please explain...
member
Activity: 140
Merit: 10


more fixed bugs are better than more unfound bugs.



Let's try to sum up:

FreeBSD has less bugs than Linux (one fold less).

FreeBSD bugs went up because there has been a MAJOR review of code, both from volunteers and paid developers. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

The production machines with the best uptime are FreeBSD based.


Still you think that Linux is safer than FreeBSD?
member
Activity: 140
Merit: 10


drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?


the one making 100.000$+ is mt. gox, not me. I'm not this big by ANY means.


 I read too much hate in your posts, this is not the only example where you read what you wanted to read in my posts.
member
Activity: 140
Merit: 10

You just wasted more than a "five digit sum" by the time you spent posting and reading in this thread then, congratulations! Roll Eyes

You have 3 options:
[ ] Disclose fully (in public)
[ ] Disclose privately (only to the site in danger)
[ ] Keep your mouth shut and do nothing/exploit the issue yourself

You chose option 4:
[X] Spread FUD

Reasons for this can be that you either don't have anything substantial, you tried to get more money from a site than the owner wanted to pay and now you want to put up pressure while still being able to get some money, or you're just a troll with neither a security hole in the back hand nor the means to find one.

As you seem to easily divert the topic to things that are NOT relevant at all and won't lead much further to getting money from a site owner, I vote for "Troll".

kthxbye

I already posted the reasons why I said this in public. Please read my posts more carefully.


Anyhow, just for you, not for the other readers, I wrote a simple script to spoof Mt. Gox passwords. Here.
legendary
Activity: 1540
Merit: 1002

A five digit is a very small fee for someone making 100.000$+ a day.


drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?

Still this won't stop thieves from using this technique. One question: when you go out, do you close your door, or do you leave it open because "entering other people's houses is a crime"?

The latter. I do lock my house, but not my car. And the reason I lock my house is that my miner machine is inside, and you can't really trust a community like Bitcoin that has people reasoning like you... someone might take my computer and then post on the forum saying "for a small 5 digit fee I'll teach you about the best locks for you door".

Quote
Which proof do you need? The wifi spoofing attack is such a simple one that it needs no proof... you can set one up in less than 60 minutes!

I need no proof at all. I believe you, I have no reason not to. Of course any random guy making over 300 million dollars yearly will sniff and spoof, and not steal to then arm wrestle a small fee... I wonder what kind of "security" you are expert on, though...

Quote
why the hell should I help competition for free?!?!??! I post a public warning so that THEY can take the steps needed. It's not my task to debug their code, sorry.

Oh... so you run an exchange, one that is totally secure. Now I'm getting really puzzled... which one was it again? Tell the good developers that potentially lost a bunch of bitcoins, something that could have been prevented if you would just help competition for free. I promise no one will try to hurt you, and I'm sure no one will be capable of it anyway :p

Quote
I can provide new ways to hack it Smiley

Yep, no doubt. And once someone hacks it you'll provide information about how you already knew and could have prevented it, if only you would get paid the (relative) peanuts you require, but you only require them as a matter of principle, you REALLY don't need them.

Enough trolling, have fun with your buzzword magic. You might be a security expert (and failed to present any proof of it, but you aren't in the PR business anyway, so who cares) but I'm still not sure you are a human being.
legendary
Activity: 2618
Merit: 1007
A five digit is a very small fee for someone making 100.000$+ a day.
You just wasted more than a "five digit sum" by the time you spent posting and reading in this thread then, congratulations! Roll Eyes

You have 3 options:
[ ] Disclose fully (in public)
[ ] Disclose privately (only to the site in danger)
[ ] Keep your mouth shut and do nothing/exploit the issue yourself

You chose option 4:
[X] Spread FUD

Reasons for this can be that you either don't have anything substantial, you tried to get more money from a site than the owner wanted to pay and now you want to put up pressure while still being able to get some money, or you're just a troll with neither a security hole in the back hand nor the means to find one.

As you seem to easily divert the topic to things that are NOT relevant at all and won't lead much further to getting money from a site owner, I vote for "Troll".

kthxbye
member
Activity: 140
Merit: 10


You're right that session cookies over http is a noobish mistake for a financial site. I'm guessing that you didn't watch the only one TV show last night that had both people from tradehill and Adam and Mark from Mt. Gox on. I'm not trying to be mean here, but it's clear to me that they're all at least somewhat if not way out of their depth. Tradehill came across somewhat better than Mt. Gox, but they all felt very unprepared and taken by surprise by the situation. Reacting, not acting etc.

Bottom line is that just a few months ago these exchanges were nothing more than hobby systems at best. They started getting real transaction flows quickly but competency generally lags behind such moves. Consider that tradehill apparently has 3 people working full time, which as far as I can tell makes them the best staffed in the business. That's smaller than even one of many small security teams at any traditional equity or fx broker, and that's not even considering the mountains of people exchanges throw at the problem.

Bottom line is that I'd expect these issues to continue for some time. Simply hiring one security minded admin won't make a ton of difference unless you happen to find someone very abnormally good at their job.

As an aside, when I look at tradehill it's entirely https - is that just because I have a force https and auto HSTS extension? They certainly seem to support all traffic over TLS at least, even if they don't force it themselves. I thought I recalled Mt. Gox doing the same but I can't check with the site down. In the big picture only having TLS be optional probably isn't the biggest deal, at least as compared with CSRF issues and live database access on poorly secured PCs.

Finally someone discussing about this SERIOUS issue rather than trying to start a flamewar.
member
Activity: 140
Merit: 10


1) So then you are in it for the money?


Let's rephrase my previous sentence: As a human being, I'm programmed to try to make some profit, so that my offspring will have a better chance in the real world.


Anyhow, given the chance to sell the bitcoin community for the personal gain, I would say no.


Quote
What does your question have to do with anything?

I was trying to prove to you that stealing a large bitcoin sum is the best way to make the price crash, thus making the theft stupid.

Quote
If I found a serious security vulnerability, I would forward the information on to the appropriate parties so they can fix the holes ASAP.

I think that, given how understaffed exchanges are, maybe the email would have been read by the same person who is responsible for the development/management, thus it would have been overlooked.

I think also that by posting it here not only I'm advising users, but I'm also putting pressure behind ALL the exchanges to fix this ASAP.

Quote
And I wouldn't even demand a small fee (5 figures) because maybe I like the bitcoin project, so maybe I would like to see as little bitcoin frauds as possible.  Wink

Do you think that I ever thought for a single instant, that I would have been paid?

Do you think that if that was my real intention, I would have posted my request in public?
legendary
Activity: 1050
Merit: 1003
Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.
member
Activity: 140
Merit: 10

Not at all, look at all the threads!

You are, however, from my own subjective analysis, the only one saying that a five digit small fee should be paid to you for saying you have spoofed mtgox accounts by eavesdropping wifi connections and not taking monetary advantage of it. So as far as I can see that's:

A five digit is a very small fee for someone making 100.000$+ a day.

Quote
- you sniffed open or badly closed wifi connections, which is eavesdropping and forbidden in most places

- you used that information to explore issues in a bitcoin exchange, which is illegal anyway you cut it


Still this won't stop thieves from using this technique. One question: when you go out, do you close your door, or do you leave it open because "entering other people's houses is a crime"?



Quote
- you provide no proof of doing any of the above, but you certainly use good bragging buzzwords

Which proof do you need? The wifi spoofing attack is such a simple one that it needs no proof... you can set one up in less than 60 minutes!

Quote
- you failed to provide information to the site owner to prevent the current situation (heck, you might be the one behind all this, for all you said you were capable of doing)

why the hell should I help competition for free?!?!??! I post a public warning so that THEY can take the steps needed. It's not my task to debug their code, sorry.

Quote
- now you require hard money for your expert services, which amount to saying that something is hackable after it has been hacked

I can provide new ways to hack it Smiley
member
Activity: 126
Merit: 10
What I'm impressed about, is that such as simple flaw isn't prevented by a system who moves millions of dollars. That's such a noobish mistake. Moreover that they blame users for a flaw of their system.

Even worse, while I'm sure Mt. gox can pay handsomely an admin to prevent too much of this abuse, other exchanges without the same liquidity copied mt. gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Don't you all see the negative implications of this?

Am I the only concerned?

You're right that session cookies over http is a noobish mistake for a financial site. I'm guessing that you didn't watch the only one TV show last night that had both people from tradehill and Adam and Mark from Mt. Gox on. I'm not trying to be mean here, but it's clear to me that they're all at least somewhat if not way out of their depth. Tradehill came across somewhat better than Mt. Gox, but they all felt very unprepared and taken by surprise by the situation. Reacting, not acting etc.

Bottom line is that just a few months ago these exchanges were nothing more than hobby systems at best. They started getting real transaction flows quickly but competency generally lags behind such moves. Consider that tradehill apparently has 3 people working full time, which as far as I can tell makes them the best staffed in the business. That's smaller than even one of many small security teams at any traditional equity or fx broker, and that's not even considering the mountains of people exchanges throw at the problem.

Bottom line is that I'd expect these issues to continue for some time. Simply hiring one security minded admin won't make a ton of difference unless you happen to find someone very abnormally good at their job.

As an aside, when I look at tradehill it's entirely https - is that just because I have a force https and auto HSTS extension? They certainly seem to support all traffic over TLS at least, even if they don't force it themselves. I thought I recalled Mt. Gox doing the same but I can't check with the site down. In the big picture only having TLS be optional probably isn't the biggest deal, at least as compared with CSRF issues and live database access on poorly secured PCs.
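The two weaknesses the post above names (a session cookie that the browser will send over plain HTTP, and TLS that is merely optional rather than forced with HSTS) can be checked from a site's own response headers. The following is an added example in Python, not code from this thread or from any exchange; the two responses it audits are constructed samples, and the cookie name `SESSID` is made up.

```python
"""Audit HTTP response headers for a session cookie usable over plain HTTP
and for a missing or too-short Strict-Transport-Security (HSTS) policy."""

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSID=abc123; Path=/\r\n"            # no Secure, no HttpOnly
    "Content-Type: text/html\r\n\r\n"                   # no HSTS header at all
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def parse_headers(raw):
    """Return [(lowercased name, value), ...]; keeps repeated Set-Cookie lines."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:         # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_attrs(value):
    """Split 'NAME=val; Attr; Attr=val' into (NAME, {attr: val})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_max_age(value):
    """Extract the integer max-age directive, or None if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit(raw, min_hsts_age=15552000):
    """List the weaknesses found; an empty list means both checks pass."""
    findings = []
    headers = parse_headers(raw)
    for name, value in headers:
        if name == "set-cookie":
            cname, attrs = cookie_attrs(value)
            if "secure" not in attrs:      # browser would send it over http://
                findings.append(f"cookie {cname}: missing Secure attribute")
            if "httponly" not in attrs:    # readable by injected script
                findings.append(f"cookie {cname}: missing HttpOnly attribute")
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header (TLS is optional)")
    else:
        age = hsts_max_age(hsts[0])
        if age is None or age < min_hsts_age:
            findings.append(f"HSTS max-age too short or invalid: {age}")
    return findings
```

Running `audit(WEAK_RESPONSE)` reports all three problems, while `audit(HARDENED_RESPONSE)` returns an empty list; the Secure attribute is the one that stops an eavesdropper on an open network from ever seeing the cookie in the clear.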