About Mt. Gox flaw from a security expert - page 12.

JJG

member

Activity: 70

Merit: 20

Quote from: muad_dib on June 20, 2011, 11:06:05 AM

Quote from: JJG on June 20, 2011, 11:03:35 AM

Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!

1) Maybe I dont want to help other exchange for free?

2) Maybe I like the bitcoin project, so maybe I would like to see as little bitcoin frauds as possible?

Tell me. If you were able to steal all the bitocoin from mtgox, what would you do? (I'm not saying I can)

1) So then you are in it for the money?

What does your question have to do with anything? If I found a serious security vulnerability, I would forward the information on to the appropriate parties so they can fix the holes ASAP. And I wouldn't even demand a small fee (5 figures) because maybe I like the bitcoin project, so maybe I would like to see as little bitcoin frauds as possible. Wink

muad_dib

member

Activity: 140

Merit: 10

Quote from: tehcodez on June 20, 2011, 11:21:21 AM

We all the only concerned.

Take that faux-expertise to someone who needs half-empty glass a.

You are not forced to post in my thread

nelisky

legendary

Activity: 1540

Merit: 1002

Quote from: muad_dib on June 20, 2011, 11:11:43 AM

Am I the only concerned?

Not at all, look at all the threads!

You are, however, from my own subjective analysis, the only one saying that a five digit small fee should be paid to you for saying you have spoofed mtgox accounts by eavesdropping wifi connections and not taking monetary advantage of it. So as far as I can see that's:
- you sniffed open or badly closed wifi connections, which is eavesdropping and forbidden in most places
- you used that information to explore issues in a bitcoin exchange, which is illegal anyway you cut it
- you provide no proof of doing any of the above, but you certainly use good bragging buzzwords
- you failed to provide information to the site owner to prevent the current situation (heck, you might be the one behind all this, for all you said you were capable of doing)
- now you require hard money for your expert services, which amount to saying that something is hackable after it has been hacked

Kudos to you for making all this with a straight face... or did you? :p

tehcodez

newbie

Activity: 42

Merit: 0

Quote from: muad_dib on June 20, 2011, 11:11:43 AM

Quote from: finack on June 20, 2011, 11:06:48 AM

You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

I totally respect your opinion.

Quote

Don't get me wrong, we're all very impressed you can lift cookies over wifi.

What I'm impressed about, is that such as simple flaw isn't prevented by a system who moves millions of dollars. That's such a noobish mistake. Moreover that they blame users for a flaw of their system.

Even worse, while I'm sure Mt. gox can pay handsomely an admin to prevent too much of this abuse, other exchanges without the same liquidity copied mt. gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Dont you all see the negative implications of this?

Am I the only concerned?

We all the only concerned.

Take that faux-expertise to someone who needs half-empty glass a.

kokjo

legendary

Activity: 1050

Merit: 1000

You are WRONG!

Quote from: muad_dib on June 20, 2011, 11:01:42 AM

Quote from: kokjo on June 20, 2011, 10:31:04 AM

LOL
No. they are afraid if they open source the code, they will have 100 exploits/day.
Windows is not opensource.
you can compare linux and *bsd, and you can compare windows and mac. but not linux with windows.

windows also uses a lot of security though obscurity, which means it sucks.
(sorry all you windows fanbois, its not to start a flamewar)

so you can compare open source code and say that more bugs are better, while you cant compare open source and closed source?

I'm not sure I follow you.

yes:

more fixed bugs are better then more unfound bugs.

and you cant trust closed source code: microsoft could have put a backdoor in windows, so that NSA could gain eazy access to any windows system. (I like conspiracy teories

)

muad_dib

member

Activity: 140

Merit: 10

Quote from: finack on June 20, 2011, 11:06:48 AM

You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

I totally respect your opinion.

Quote

Don't get me wrong, we're all very impressed you can lift cookies over wifi.

What I'm impressed about, is that such as simple flaw isn't prevented by a system who moves millions of dollars. That's such a noobish mistake. Moreover that they blame users for a flaw of their system.

Even worse, while I'm sure Mt. gox can pay handsomely an admin to prevent too much of this abuse, other exchanges without the same liquidity copied mt. gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Dont you all see the negative implications of this?

Am I the only concerned?

finack

member

Activity: 126

Merit: 10

You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

Don't get me wrong, we're all very impressed you can lift cookies over wifi.

muad_dib

member

Activity: 140

Merit: 10

Quote from: JJG on June 20, 2011, 11:03:35 AM

Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!

1) Maybe I dont want to help other exchange for free?

2) Maybe I like the bitcoin project, so maybe I would like to see as little bitcoin frauds as possible?

Tell me. If you were able to steal all the bitocoin from mtgox, what would you do? (I'm not saying I can)

JJG

member

Activity: 70

Merit: 20

Quote from: muad_dib on June 20, 2011, 10:55:01 AM

Quote from: JJG on June 20, 2011, 10:25:44 AM

Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?

Really I'm in for the money? I could make much more by moving the bitcoins in the accounts I spoofed.

Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!

muad_dib

member

Activity: 140

Merit: 10

Quote from: kokjo on June 20, 2011, 10:31:04 AM

LOL
No. they are afraid if they open source the code, they will have 100 exploits/day.
Windows is not opensource.
you can compare linux and *bsd, and you can compare windows and mac. but not linux with windows.

windows also uses a lot of security though obscurity, which means it sucks.
(sorry all you windows fanbois, its not to start a flamewar)

so you can compare open source code and say that more bugs are better, while you cant compare open source and closed source?

I'm not sure I follow you.

muad_dib

member

Activity: 140

Merit: 10

Quote from: JJG on June 20, 2011, 10:25:44 AM

Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?

Really I'm in for the money? I could make much more by moving the bitcoins in the accounts I spoofed.

Capitan

member

Activity: 112

Merit: 10

Quote from: muad_dib on June 20, 2011, 04:21:04 AM

Quote from: ShadowOfHarbringer on June 20, 2011, 04:09:44 AM

@muad_dib

At first you post seemed wise, but

Quote from: muad_dib on June 20, 2011, 01:44:50 AM

1) Use the right software. IIS is a big no-no

Also Linux should frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.

I will not start a flamewar here, I just want to make you a quick question:

Here's a list of the most reliable hosting solutions.

The first 3 spots, are linux or unix?

That list proves nothing about the security of any OS over any other OS. There is no mention of how big of a factor the OS/platform's security plays into the ranking. From what I read on that page, a lot of other things can play into the ranking, including the level of managed service (e.g., the competence and response time of the sysadmins of those hosting services), the network quality, speed of their servers, etc.

So that link proves nothing about Linus being better than windows, or Unix being more secure than Linux.

kokjo

legendary

Activity: 1050

Merit: 1000

You are WRONG!

Quote from: muad_dib on June 20, 2011, 09:57:00 AM

Quote from: kokjo on June 20, 2011, 09:24:42 AM

freebsd is also less used Tongue

so there might be more bugs and exploits to discover.
i acatualy like that there has been more holes in linux, because it means that they are fixed.

so windows has top-notch security?

LOL
No. they are afraid if they open source the code, they will have 100 exploits/day.
Windows is not opensource.
you can compare linux and *bsd, and you can compare windows and mac. but not linux with windows.

windows also uses a lot of security though obscurity, which means it sucks.
(sorry all you windows fanbois, its not to start a flamewar)

JJG

member

Activity: 70

Merit: 20

Quote from: pancakes on June 20, 2011, 02:26:03 AM

Quote from: muad_dib on June 20, 2011, 01:44:50 AM

If you own an exchange and would like to be safer, for a small fee (in the 5 figures)...

Quote from: muad_dib on June 20, 2011, 01:49:21 AM

for a small fee, and the promise of not being persecuted...

The problem with this community is it's full of people trying to make money.

And the problem with most 'security experts' is that they think they walk on water. Wink

Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?

muad_dib

member

Activity: 140

Merit: 10

Quote from: kokjo on June 20, 2011, 09:24:42 AM

freebsd is also less used Tongue

so there might be more bugs and exploits to discover.
i acatualy like that there has been more holes in linux, because it means that they are fixed.

so windows has top-notch security?

muad_dib

member

Activity: 140

Merit: 10

Quote from: Rob P. on June 20, 2011, 09:04:16 AM

Rewrite of their code? They weren't hacked with a SQL Injection. Someone who had access from their laptop had their laptop compromised. They need better security measures, but they aren't from the site standpoint.

that's what they say.

Anyhow also taking this as true, I think it has been evident that bitcoin greatly outgrown the original expectations, and thus we need stronger security policy.

One example: Do you think that by compromising any of the laptop of any or all of the admins of the Visa Network, could you access any valuable information?

ShadowOfHarbringer

legendary

Activity: 1470

Merit: 1006

Bringing Legendary Har® to you since 1952

Quote from: kokjo on June 20, 2011, 09:24:42 AM

Quote from: muad_dib on June 20, 2011, 05:37:34 AM

Quote from: Grinder on June 20, 2011, 05:34:53 AM

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only freebsd has less vulnerabilities, but they are also less serious (check exploit or data execution)

freebsd is also less used Tongue

so there might be more bugs and exploits to discover.
i acatualy like that there has been more holes in linux, because it means that they are fixed.

+1

Everything that i wanted to say was already said here.

muad_dib, you have no idea what you are talking about. There isn't any 100% proof that BSD is either more secure or more reliable than Linux.

kokjo

legendary

Activity: 1050

Merit: 1000

You are WRONG!

Quote from: muad_dib on June 20, 2011, 05:37:34 AM

Quote from: Grinder on June 20, 2011, 05:34:53 AM

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only freebsd has less vulnerabilities, but they are also less serious (check exploit or data execution)

freebsd is also less used Tongue

so there might be more bugs and exploits to discover.
i acatualy like that there has been more holes in linux, because it means that they are fixed.

FooDSt4mP

full member

Activity: 182

Merit: 100

I'm with you maud_dib... All my opinions are totally objective too Wink

Also, in my objective opinion more discovered vulnerabilities != less secure. More eyes find more bugs. I know you're talking freebsd, but look at openbsd. It had a backdoor for years exactly because less people audit the code.

Rob P.

member

Activity: 84

Merit: 10

Quote from: muad_dib on June 20, 2011, 01:48:16 AM

P.s.: If, as I suspect, that there has been an injection and possibly a root escalation on mt. gox, expect to see this problem happening soon.

To be safe, Mt. gox need a complete rewrite of their code, plus the use of a stronger infrastructure. But they wont do this, because it would cost them Millions to keep the server offline for 1 month.

Rewrite of their code? They weren't hacked with a SQL Injection. Someone who had access from their laptop had their laptop compromised. They need better security measures, but they aren't from the site standpoint.

Topic: About Mt. Gox flaw from a security expert - page 12. (Read 34165 times)