Topic: About Mt. Gox flaw from a security expert - page 11. (Read 34165 times)

no freebsd has less discovered bugs..

and now you are talking about openbsd instead of freebsd.
either you are stupid or you dont know what you are talking about.
openbsd is maybe the most paranoid OS in the world, yes thats right.

and...? uptime != security

i have never said that. you are the one waving the freebsd flag.

i say you are a troll.

Sorry, by saying FreeBSD I mean *BSD. Is just that I'm working on a big FreeBSD project and I have this name in my mind.


You are totally right by saying that OpenBSD is safer than FreeBSD

Well i think OpenBSD is more secure..

Are you american right?

Next time you fill your tax form aks to pay the same ammount as donald trump. Personal wealth doesn't matter, right?

You see what you want to see, I read somewhere

I do think that people should be paid the same for the same task, regardless of them being poor or rich. I also think that your hatred made you state the wrong idea. You mean rich people should not PAY the same as poor people, right? not GET PAID?

regardless, yes, I think a thing is a thing and has a value regardless of who pays and who gets paid. It's how much you are willing to pay that makes the price, not how wealthy you are, in my personal opinion. But I'm sure you are correct, and that's why the world is as it is today.

So you think that poor people and rich people should be paid the same for things?


I might be an incurable socialist, but I see this as wrong.


I still see too much hate in your posts.

Were You asking  me?

http://en.wikipedia.org/wiki/Statistical_hypothesis_testing

http://en.wikipedia.org/wiki/Statistic

http://en.wikipedia.org/wiki/Confidence_level

http://en.wikipedia.org/wiki/Statistically_significant

re: 100k, aha, good. So that explains why asking 5 digit fees is small, because they (we all that use it) can pay? Ok, now you sound more like a real security expert, or a lawyer, or a politician...

re: hate. Come again? the example (not the only one, I understand) that I read what I wanted to read in your posts is that you read too much hate in my posts? huh?

But enough hatred, I know I have an attitude problem as all that had to deal directly with me can attest to. Too much good, positive attitude and a complete lack of capability of making simple ironic remarks I'm a long time professional at what I do, and that is not trolling nor is it security. You are obviously better than me on both accounts so if you can refrain from replying to my post here, I promise I'll behave and not make hatred filled remarks on any other altruistic comment coming from you on this thread.

I read so much hate in these forums. People please, chill out.

please explain...

Let's try to sum up:

FreeBSD has less bugs than Linux (one fold less).

FreeBSD bugs went up because there has been a MAJOR review of code, both from volunteers and paid developers. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

The production machines with the best uptime are FreeBSD based.


Still you think that Linux is safer than FreeBSD?

the one making 100.000$+ is mt. gox, not me. I'm not this big by ANY means.


 I read too much hate in your posts, this is not the only example where you read what you wanted to read in my posts.

I already posted the reasons why I said this in public. Please read my posts more carefully.


Anyhow, just for you, not for the other readers, I wrote a simple script to spoof Mt. Gox passwords. Here.

drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?


The latter. I do lock my house, but not my car. And the reason I lock my house is that my miner machine is inside, and you can't really trust a community like Bitcoin that has people reasoning like you... someone might take my computer and then post on the forum saying "for a small 5 digit fee I'll teach you about the best locks for you door".


I need no proof at all. I believe you, I have no reason not to. Of course any random guy making over 300 million dollars yearly will sniff and spoof, and not steal to then arm wrestle a small fee... I wonder what kind of "security" you are expert on, though...


Oh... so you run an exchange, one that is totally secure. Now I'm getting really puzzled... which one was it again? Tell the good developers that potentially lost a bunch of bitcoins, something that could have been prevented if you would just help competition for free. I promise noone will try to hurt you, and I'm sure noone will be capable of anyway :p


Yep, no doubt. And once someone hacks it you'll provide information about how you already knew and could have prevented it, if only you would get paid the (relative) peanuts you require, but you only require them as a matter of principle, you REALLY don't need them.

Enough trolling, have fun with your buzzword magic. You might be a security expert (and failed to present any proof of it, but you aren't in the PR business anyway, so who cares) but I'm still not sure you are a human being.

You just wasted more than a "five digit sum" by the time you spent posting and reading in this thread then, congratulations!

You have 3 options:
[ ] Disclose fully (in public)
[ ] Disclose privately (only to the site in danger)
[ ] Keep your mouth shut and do nothing/exploit the issue yourself

You chose option 4:
[X] Spread FUD

Reasons for this can be that you either don't have anything substancial, you tried to get more money from a site than the owner wanted to pay and now you want to put up pressure while still being able to get some money or you're just a troll with neither a securuty hole in the back hand nor the means to find one.

As you seem to easily divert the topic to things that are NOT relevant at all and won't lead much further to getting money from a site owner, I vote for "Troll".

kthxbye

Finally someone discussing about this SERIOUS issue rather than trying to start a flamewar.

Let's rephrase my previous sentence: As a human being, I'm programmed to try to make some profit, so that my offspring will have a better chance in the real world.


Anyhow, given the chance to sell the bitcoin community for the personal gain, I would say no.



I was trying to prove to you that stealing a large bitcoin sum is the best way to make the price crash, thus making the theft stupid.


I think that, given how understaffed exchanges are, maybe the email would have been read by the same person who is responsible for the development/management, thus it would have been overlooked.

I think also that by posting it here not only I'm advising users, but I'm also putting pressure behind ALL the exchanges to fix this ASAP.


Do you think that I ever thought for a single instant, that I would have been paid?

Do you think that if that was my real intention, I would have posted my request in public?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.

A five digit is a very small fee for someone making 100.000$+ a day.


Still this wont stop thieves from using this technique. One question: when you go out, do you close your door, or do you leave it open because "entering in other people houses is a crime?"




Which proof do you need? The wifi spoofing attack is such a simple one that it needs no proof... you can set one up in less than 60 minutes!


why the hell should I help competition for free?!?!??! I post a public warning so that THEY can take the steps needed. It's not my task to debug their code, sorry.


I can provide new ways to hack it

You're right that session cookies over http is a noobish mistake for a financial site. I'm guessing that you didn't watch the only one TV show last night that had both people from tradehill and Adam and Mark from Mt. Gox on. I'm not trying to be mean here, but it's clear to me that they're all at least somewhat if not way out of their depth. Tradehill came across somewhat better than Mt. Gox, but they all felt very unprepared and taken by surprise by the situation. Reacting, not acting etc.

Bottom line is that just a few months ago these exchanges were nothing more than hobby systems at best. They started getting real transaction flows quickly but competency generally lags behind such moves. Consider that tradehill apparently has 3 people working full time, which as far as I can tell makes them the best staffed in the business. That's smaller than even one of many small security teams at any traditional equity or fx broker, and that's not even considering the mountains of people exchanges throw at the problem.

Bottom line is that I'd expect these issues to continue for some time. Simply hiring one security minded admin won't make a ton of difference unless you happen to find someone very abnormally good at their job.

As an aside, when I look at tradehill it's entirely https - is that just because I have a force https and auto HSTS extension? They certainly seem to support all traffic over TLS at least, even if they don't force it themselves. I thought I recalled Mt. Gox doing the same but I can't check with the site down. In the big picture only having TLS be optional probably isn't the biggest deal, at least as compared with CSRF issues and live database access on poorly secured PC's.