Topic: About Mt. Gox flaw from a security expert - page 12. (Read 34196 times)

JJG
member
Activity: 70
Merit: 20


Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!

1) Maybe I don't want to help other exchanges for free?

2) Maybe I like the bitcoin project, so maybe I would like to see as few bitcoin frauds as possible?


Tell me. If you were able to steal all the bitcoin from mtgox, what would you do? (I'm not saying I can)

1) So then you are in it for the money?


What does your question have to do with anything? If I found a serious security vulnerability, I would forward the information on to the appropriate parties so they can fix the holes ASAP. And I wouldn't even demand a small fee (5 figures) because maybe I like the bitcoin project, so maybe I would like to see as few bitcoin frauds as possible. ;)
member
Activity: 140
Merit: 10


We all the only concerned.

Take that faux-expertise to someone who needs half-empty glass a.

You are not forced to post in my thread :)
legendary
Activity: 1540
Merit: 1002

Am I the only concerned?

Not at all, look at all the threads!

You are, however, from my own subjective analysis, the only one saying that a five digit small fee should be paid to you for saying you have spoofed mtgox accounts by eavesdropping wifi connections and not taking monetary advantage of it. So as far as I can see that's:
- you sniffed open or badly closed wifi connections, which is eavesdropping and forbidden in most places
- you used that information to explore issues in a bitcoin exchange, which is illegal anyway you cut it
- you provide no proof of doing any of the above, but you certainly use good bragging buzzwords
- you failed to provide information to the site owner to prevent the current situation (heck, you might be the one behind all this, for all you said you were capable of doing)
- now you require hard money for your expert services, which amount to saying that something is hackable after it has been hacked

Kudos to you for making all this with a straight face... or did you? :p
newbie
Activity: 42
Merit: 0
You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

I totally respect your opinion.


Quote
Don't get me wrong, we're all very impressed you can lift cookies over wifi.

What I'm impressed about is that such a simple flaw isn't prevented by a system that moves millions of dollars. That's such a noobish mistake. Moreover, they blame users for a flaw of their system.


Even worse, while I'm sure Mt. gox can pay an admin handsomely to prevent too much of this abuse, other exchanges without the same liquidity copied mt. gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Don't you all see the negative implications of this?


Am I the only concerned?

We all the only concerned.

Take that faux-expertise to someone who needs half-empty glass a.
legendary
Activity: 1050
Merit: 1000
You are WRONG!

LOL
No. they are afraid if they open source the code, they will have 100 exploits/day.
Windows is not opensource.
you can compare linux and *bsd, and you can compare windows and mac. but not linux with windows.

windows also uses a lot of security through obscurity, which means it sucks.
(sorry all you windows fanbois, its not to start a flamewar)


so you can compare open source code and say that more bugs are better, while you cant compare open source and closed source?

I'm not sure I follow you.
yes:

more fixed bugs are better than more unfound bugs.

and you can't trust closed source code: microsoft could have put a backdoor in windows, so that NSA could gain easy access to any windows system. (I like conspiracy theories :) )

member
Activity: 140
Merit: 10
You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

I totally respect your opinion.


Quote
Don't get me wrong, we're all very impressed you can lift cookies over wifi.

What I'm impressed about is that such a simple flaw isn't prevented by a system that moves millions of dollars. That's such a noobish mistake. Moreover, they blame users for a flaw of their system.


Even worse, while I'm sure Mt. gox can pay an admin handsomely to prevent too much of this abuse, other exchanges without the same liquidity copied mt. gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Don't you all see the negative implications of this?


Am I the only concerned?
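The flaw this post complains about is a session cookie that can be lifted by anyone sniffing the same wifi. The following is an added example, not code from this thread or from any exchange: a small check that reports whether a Set-Cookie header leaves a session open to a passive eavesdropper (plaintext HTTP, missing Secure flag, missing HttpOnly) and re-emits it with the attributes that close that gap. The header strings are constructed samples.

```python
from typing import Dict, List

# Constructed sample headers (not from Mt. Gox or any real site). The weak
# one is the shape of a session cookie a passive wifi sniffer could capture.
WEAK_HEADER = "session=abc123; Path=/"
HARDENED_HEADER = "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into name/value plus its attributes.
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def eavesdrop_findings(header: str, served_over_https: bool) -> List[str]:
    """Reasons a passive network eavesdropper (e.g. on open wifi) could obtain
    or replay this cookie. An empty list means nothing was found."""
    c = parse_set_cookie(header)
    findings = []
    if not served_over_https:
        findings.append("issued over plaintext HTTP: readable on the wire")
    if "secure" not in c:
        findings.append("missing Secure: browser will also send it over plain HTTP")
    if "httponly" not in c:
        findings.append("missing HttpOnly: readable by injected script")
    # __Host- cookies are only honoured with Secure, Path=/ and no Domain.
    if c["name"].startswith("__Host-") and (
        "secure" not in c or c.get("path") != "/" or "domain" in c
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


def harden(header: str) -> str:
    """Re-emit the cookie with the attributes that stop passive capture and
    cross-site replay (existing SameSite is kept, default Lax)."""
    c = parse_set_cookie(header)
    attrs = ["Path=/", "Secure", "HttpOnly", "SameSite=" + c.get("samesite", "Lax")]
    return f"{c['name']}={c['value']}; " + "; ".join(attrs)
```

Secure only stops the browser from sending the cookie over HTTP; the login page itself still has to be served over HTTPS for the eavesdropper to get nothing.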
member
Activity: 126
Merit: 10
You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

Don't get me wrong, we're all very impressed you can lift cookies over wifi.
member
Activity: 140
Merit: 10


Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!

1) Maybe I don't want to help other exchanges for free?

2) Maybe I like the bitcoin project, so maybe I would like to see as few bitcoin frauds as possible?


Tell me. If you were able to steal all the bitcoin from mtgox, what would you do? (I'm not saying I can)
JJG
member
Activity: 70
Merit: 20


Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?

Really I'm in for the money? I could make much more by moving the bitcoins in the accounts I spoofed.

Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!
member
Activity: 140
Merit: 10

LOL
No. they are afraid if they open source the code, they will have 100 exploits/day.
Windows is not opensource.
you can compare linux and *bsd, and you can compare windows and mac. but not linux with windows.

windows also uses a lot of security through obscurity, which means it sucks.
(sorry all you windows fanbois, its not to start a flamewar)


so you can compare open source code and say that more bugs are better, while you cant compare open source and closed source?

I'm not sure I follow you.
member
Activity: 140
Merit: 10


Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?

Really I'm in for the money? I could make much more by moving the bitcoins in the accounts I spoofed.
member
Activity: 112
Merit: 10
@muad_dib

At first your post seemed wise, but

1) Use the right software. IIS is a big no-no :) Also Linux should be frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.

I will not start a flamewar here, I just want to ask you a quick question:

Here's a list of the most reliable hosting solutions.


The first 3 spots, are linux or unix?

That list proves nothing about the security of any OS over any other OS. There is no mention of how big of a factor the OS/platform's security plays into the ranking. From what I read on that page, a lot of other things can play into the ranking, including the level of managed service (e.g., the competence and response time of the sysadmins of those hosting services), the network quality, speed of their servers, etc.

So that link proves nothing about Linux being better than windows, or Unix being more secure than Linux.
legendary
Activity: 1050
Merit: 1000
You are WRONG!

freebsd is also less used :P so there might be more bugs and exploits to discover.
i actually like that there have been more holes in linux, because it means that they are fixed.

so windows has top-notch security?

:)
LOL
No. they are afraid if they open source the code, they will have 100 exploits/day.
Windows is not opensource.
you can compare linux and *bsd, and you can compare windows and mac. but not linux with windows.

windows also uses a lot of security through obscurity, which means it sucks.
(sorry all you windows fanbois, its not to start a flamewar)
JJG
member
Activity: 70
Merit: 20
If you own an exchange and would like to be safer, for a small fee (in the 5 figures)...

for a small fee, and the promise of not being persecuted...

The problem with this community is it's full of people trying to make money.

And the problem with most 'security experts' is that they think they walk on water. ;)

Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?
member
Activity: 140
Merit: 10

freebsd is also less used :P so there might be more bugs and exploits to discover.
i actually like that there have been more holes in linux, because it means that they are fixed.

so windows has top-notch security?

:)
member
Activity: 140
Merit: 10


Rewrite of their code?  They weren't hacked with a SQL Injection.  Someone who had access from their laptop had their laptop compromised.  They need better security measures, but they aren't from the site standpoint.

that's what they say.


Anyhow, even taking this as true, I think it has been evident that bitcoin has greatly outgrown the original expectations, and thus we need a stronger security policy.



One example: Do you think that by compromising the laptop of any or all of the admins of the Visa Network, you could access any valuable information?
legendary
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does freebsd have fewer vulnerabilities, but they are also less serious (check exploit or data execution)
freebsd is also less used :P so there might be more bugs and exploits to discover.
i actually like that there have been more holes in linux, because it means that they are fixed.

+1

Everything that i wanted to say was already said here.

muad_dib, you have no idea what you are talking about. There isn't any 100% proof that BSD is either more secure or more reliable than Linux.

legendary
Activity: 1050
Merit: 1000
You are WRONG!

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does freebsd have fewer vulnerabilities, but they are also less serious (check exploit or data execution)
freebsd is also less used :P so there might be more bugs and exploits to discover.
i actually like that there have been more holes in linux, because it means that they are fixed.
full member
Activity: 182
Merit: 100
I'm with you maud_dib... All my opinions are totally objective too ;)

Also, in my objective opinion more discovered vulnerabilities != less secure.  More eyes find more bugs.  I know you're talking freebsd, but look at openbsd.  It had a backdoor for years exactly because less people audit the code.
member
Activity: 84
Merit: 10
P.s.: If, as I suspect, that there has been an injection and possibly a root escalation on mt. gox, expect to see this problem happening soon.

To be safe, Mt. gox needs a complete rewrite of their code, plus the use of a stronger infrastructure. But they won't do this, because it would cost them Millions to keep the server offline for 1 month.

Rewrite of their code?  They weren't hacked with a SQL Injection.  Someone who had access from their laptop had their laptop compromised.  They need better security measures, but they aren't from the site standpoint.