Topic: About Mt. Gox flaw from a security expert - page 3. (Read 34165 times)

I wonder if anyone ever gets tired of hearing blowhards like maud_dib who provide zero evidence for their ridiculous assumptions.

Past track record of not being securable as a BSD box?  Where is that?  Oh right.  Nowhere.
If not that then past track record of what exactly?  Candy bar sales?  I guess you'd know about that.

A one time security audit is a a good thing but I'm taking away your math degree (if you have one) since it doesn't say anything about relative merit.

Untrue.  FreeBSD doesn't even have one of the most common proactive security features ASLR.  This means that there are whole classes of exploit that FreeBSD needs to patch for but Linux does not.   Linux has GrSecurity and PaX as well as SELinux.


OpenBSD *says* that they do this but they don't really provide much detail on what this means or how it actually protects anything.  For example OpenBSD used to say "X years without a remote root exploit in the base install" which is nice but:

a) Doesn't say anything about all the installs out there.  How many people run an OpenBSD box with no other services installed at all.  Probably not many.
b) Doesn't say anything about OpenBSD code.  For all we know it's just they activate less in the default install.  Which is probably a good thing for hobbyists but doesn't really say anything about enterprise usage.

The real proof of his statements would be him taking me up on my challenge.   There was even ~$500 in it for him if he happens to be right.

Hey guys -- just checking in. Has the undisputed winner of this thread been declared yet?

If you want to stay x86 I would go BSD.

Which flavor? Many of them. You need several layer of security in your infrastructure, so there's space for the coexistence of FreeBSD and OpenBSD, and also linux,

A first layer of security made by a firewall and IDPS, maybe based on NetBSD or a commercial UNIX version, a second layer in the form of a DMZ with the webservers on FreeBSD or OpenBSD, and a local database, accessible just by local IP, which might also linux based.




- Past track record

- Recently BSD underwent a very deep third party review. That's a big plus for security.

- BSD has proactive security, Linux security is reactive

- BSD is designed from the ground for security, Linux instead has a more chaotic architecture

muad_dib is either too smart or too 

Meaning you refill them?  
Seriously that doesn't necessitate knowing about secure coding or securing machines.


Doubtful.  At least not from a real university.  

I mean look at this:

Assuming there is some complete definition somewhere for "serious".   This gives us the number of flaws per system squared.  
While there is zero explanation as to what he's attempting do here.  This looks, on the surface anyway like something from manufacturing QA where you would have various kind of potential equipment failures.   Which you could determine a rough upper bound from by say running a thousand widgets through their paces.   Then it might make sense to distribute these flaws across the number of machines in the field to get some kind of statistic about the probability that an individual machine would fail.  

However I think it's obvious to most of us that software flaws don't work that way.  Given a particular purpose (web server) and an operating system of a particular vintage with no other security devices present.  All systems would possess any unpatched bugs.   This of course begs the question that maud_dib was counting bugs that were, for the vast majority patched instead of unpatched bugs.   It's also far more difficult to find the upper bound for the number of security flaws.  You can't just run a bunch of Linux boxes in a room and see which ones get hacked.

So, on the surface anyway this looks like someone who has lifted a formula out of some book (IIRC he even specified one on quality control or something) and has wrongly applied it to software development.   Like I said before math isn't magic: the integral of "Batman" isn't "Bruce Wayne"

On to exhibit B:


Again zero information as to what he is trying to do here but given that he's only specifying what the confidence level is without telling us how that affects the confidence interval.  It's questionable that he really knows what he's doing.

Just to give you an idea as to how these statistics might be used. Here's an example: Suppose I had a sample of 100 Linux machines from a population of 10000 and also suppose I had a similarly qualifed sample of 100 FreeBSD machines from a population of 1000. Now also suppose I know that 50% of the Linux machines had a compromise in the last year but only 45% of the BSD machines were compromised.  It would be useful to know if this difference is significant:

Assuming our populations are normally distributed we can determine that the confidence interval for both figures is around +/- 12% (there are lots of calculators on the net that will do this for you).  So that means that the "real" ratio of Linux compromises is from 38%-62% and the FreeBSD compromises is around 33%-57%.  This is what some might call "More differentiation within the groups than between the groups" which is a sign that the difference is not significant.

Then he starts talking about correlation which again if we're talking about categoricals (values that are assigned to a particular category like 1 = Linux, 2 = BSD)  and you had some outcome like system uptime the usual way to approach that is with an ANOVA.  


If it is it would be nice for him to cite which version, which document and which page...just sayin'


No, this is a complete lie.   The mention of his PSI formula, as anyone can see comes well before his mention of PCI-DSS.

Again, he isn't clear who he's talking about but when he mentioned that PCI compliance is very expensive.  I countered that Tier 4 compliance is actually not very difficult or expensive.  These classifications have to do with the number of transactions processed.   So a vending machine is probably not going to process six million visa transactions annually.  This doesn't mean I have intimate understanding of PCI-DSS literature but it did show that he didn't understand the compliance requirements.

So were I to guess....this guy is probably an engineer.  Makes sense since he really seems to get ticked off at the use of that word and it's the kind of guy who you would hire for this kind of job - writing code for vending machines.

Now of course I could be wrong but rather than spelling out his use of math here.  He constantly shifts between various dodges.

"People are making assumptions" - You know a good way to stop that?  Clarify yourself.
"People are insulting me" - As I've mentioned earlier he has pretty much lost the moral high ground there.
"Some people in this thread thinks that SElinux is a flexible linux distribution." - This is very likely untrue - I well understood that like GrSecurity, SELinux is a series of patches - I assume that the person I was talking with knew that too.

1) not necessarily, bitcoin could do just fine as a niche currency for people who actually know how their computers work ... (handing matches to children can be dangerous)

2) monetary scams are all over the globe, crime is rampant on Wall St., is it affecting "dollar adoption"?

3) 3 months ago 400k btc wasn't worth squat and nobody would have cared ... in bigger scheme it is still peanuts .... GS got clean away with more than $100 bill and all they got was some schmuck dancing in front of the senators for few hours

4) MtGov is not equal to bitcoin, they are a curious sideshow

5) Most people are idiots and probably are not qualified to handle bitcoin technology at this stage in their evolution .... it is like when TCP-IP was released ... do you think it would have been a good thing if every tom dick and harry was trying to hook-up their own routing ....??

All in all it makes for some great laughs but you maybe taking it a little too seriously ... people quickly become irrational when money is involved ... you won't taking your bitcoins with you when you pass on ...

Well... I personally do not know any sysadmins with "correctly attached hands" who run windows servers, but surely there are some out there... I guess that windows+apache can be made as safe as whatever+apache. (let's get IIS out of the picture for simplicity).  This probably would involve a server version of windows and some severe balls cutting. Not that I am an expert on this to be sure.

I do not mind if you disagree. Maybe a few decades from now you'll be less categorical and more tolerant.

Are you telling me that an IIS+Windows machine can be made as safe as a FreeBSD+Apache one?

I'm sorry but I disagree with you.

I think it mostly depends on the barrier language and the fact that some people started hating a lot, building a hating spree.


Expertise in what? I never stated expertise in Bitcoin.

I have anyhow a strong expertise with credit cards and ATMs. I think I might know a few things about secure financial transaction.


By discussing about facts and sources. I'm more than happy to discuss and even being criticized.

Anyhow I invite you to read again the first two pages of this discussion, and tell me if you see even one constructive critic.




Let's analyze a  few facts:

1) Most of the people here want Bitcoin to have a broader adoption.

2) If Bitcoin scams starts to spread out, then both its adoption by people and businesses will slow down

3) Recently a huge sum of money, whose amount can be only speculated about, but which is very consistent, has been stolen by Mt. Gox

4) Mt. Gox and other exchanges share a VERY WEAK authorization model

5) Most people use the same weak password multiple times


I think that by considering all these facts, it is clear we should push the Bitcoin community, both as exchanges or final users, to much stricter security measures.

The only way to do this is to spread awareness, and put public pressure on exchanges.

I do run all my bitcoind's on FreeBSD, works great!


it's in /usr/ports/*/bitcoin , easy...


And again... it is not the choice of OS which makes a system secure, it is how sysadmin's hands are attached...

I'm not trying to hate but you're making it pretty easy .... before claiming expertise maybe you should try building bitcoind on a system, any system will do, run some tests, get some data .....
i mean really how are we meant to take your expert opinion on anything bitcoin related if you don't know jack about bitcoind??

that would be just wrong. Roll your sleeves up, do a little learning and doing and then come and spout off as much as you please ...

1) People need to read more carefully my posts and hate less

2) I never said you need BSD for bitcoind. You need BSD to expose your services.

3) I never said I have any software ready yet.

4) I am here just to point two facts:

a) Recently someone entered MtGox, and MtGox thinks he is not responsabile for password leakage

b) MtGox use very weak measures to prevent password leakage

So have you built bitcoind on BSD yet ... be interested to know your thoughts on the statistical probability of it getting hacked ...

send through the makefile when you have done it so we know you are not just bullshitting everyone.

I work with vending machines and payments solutions (POS, ATMs, ....)



I have a master in applied mathematics. My area of strength are numerical statistic, cryptography and game theory.


I thought that we were having a discussion, thus arguments and sources are what matters.

In fact, if you recall my statistical indicator PSI, it is taken from the PCI DSS literature.

I quoted it because some people said they were confident with PCI DSS, still they didnt recognized this, thus showing how fake they are.


I'm not a web developer, I frown upon PHP and some other web technologies.

I know Matlab, Java, PETSC, Python, C (in order of confidence) but I'm not a CS.

I'm the guy who build a statistical model, so that you can study the behavior of your complex system (a market, a cryptography algorithm, a network, ...).

Some people in this thread thinks that SElinux is a flexible linux distribution.

If this is the standard for this thread, then I'm a top notch hacker.

What is your work experience in the security field?
What academical qualifications do you have besides googling concepts?

Who can vouch for your skills or known projects in any white or blackhat forum?
Do you know anything at all about programming a secure site or platform?

If you can't answer any of these questions then you're just another video game playing kid
in his mom's basement who was overwhelmed by 2 books on programming & tries to be something he's not.

It might work on your senile parents but you are in the real world now.

No first you need to buy a paper and call yourself an engineer.


So much hate in these posts.... I bet most of the people here are unemployed and unemployable....

Well if the objectors say that they can read 10 millions lines of code, well, is a good thing not to change your opinion on their statements.

Changing opinion following what most people think, means you are a sheep.

I am slow to respond, but I'm beating the same drum.  What equipment are your enemies using?  Which O.S.? Can you fight them as efficiently with your Linux Ninja stars and spears and your virtual drums?.  Not recognizing that you, yourself, personally, are at war is the damndest downside to considering oneself an expert.  I'm not saying that you cannot win, just drawing attention to what I see as a basic problem.

It did help, thanks