Topic: About Mt. Gox flaw from a security expert - page 3. (Read 34196 times)

full member
Activity: 140
Merit: 100
I wonder if anyone ever gets tired of hearing blowhards like muad_dib who provide zero evidence for their ridiculous assumptions.

Past track record
Past track record of not being securable as a BSD box?  Where is that?  Oh right.  Nowhere.
If not that then past track record of what exactly?  Candy bar sales?  I guess you'd know about that.

Quote
Recently BSD underwent a very deep third party review. That's a big plus for security.
A one-time security audit is a good thing but I'm taking away your math degree (if you have one) since it doesn't say anything about relative merit.

Quote
BSD has proactive security, Linux security is reactive
Untrue.  FreeBSD doesn't even have one of the most common proactive security features, ASLR.  This means that there are whole classes of exploit that FreeBSD needs to patch for but Linux does not.   Linux has GrSecurity and PaX as well as SELinux.

Quote
BSD is designed from the ground for security, Linux instead has a more chaotic architecture

OpenBSD *says* that they do this but they don't really provide much detail on what this means or how it actually protects anything.  For example OpenBSD used to say "X years without a remote root exploit in the base install" which is nice but:

a) Doesn't say anything about all the installs out there.  How many people run an OpenBSD box with no other services installed at all?  Probably not many.
b) Doesn't say anything about OpenBSD code.  For all we know it's just they activate less in the default install.  Which is probably a good thing for hobbyists but doesn't really say anything about enterprise usage.

The real proof of his statements would be him taking me up on my challenge.   There was even ~$500 in it for him if he happens to be right.
member
Activity: 112
Merit: 10
Hey guys -- just checking in. Has the undisputed winner of this thread been declared yet?
member
Activity: 140
Merit: 10


Which unix version and from which vendor?

If you want to stay x86 I would go BSD.

Which flavor? Many of them. You need several layers of security in your infrastructure, so there's space for the coexistence of FreeBSD and OpenBSD, and also Linux.

A first layer of security made by a firewall and IDPS, maybe based on NetBSD or a commercial UNIX version, a second layer in the form of a DMZ with the webservers on FreeBSD or OpenBSD, and a local database, accessible just by local IP, which might also be Linux based.


Quote
What is your proof that a Linux installation can't be made secure and that any unix installation can?

- Past track record

- Recently BSD underwent a very deep third party review. That's a big plus for security.

- BSD has proactive security, Linux security is reactive

- BSD is designed from the ground for security, Linux instead has a more chaotic architecture
newbie
Activity: 39
Merit: 0
muad_dib is either too smart or too...
full member
Activity: 140
Merit: 100
I work with vending machines and payments solutions (POS, ATMs, ....)
Meaning you refill them?  
Seriously, that doesn't necessitate knowing about secure coding or securing machines.


Quote
I have a master's in applied mathematics. My areas of strength are numerical statistics, cryptography and game theory.
Doubtful.  At least not from a real university.  

I mean look at this:
Quote
Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Assuming there is some complete definition somewhere for "serious", this gives us the number of flaws per system squared.  
While there is zero explanation as to what he's attempting to do here, this looks, on the surface anyway, like something from manufacturing QA where you would have various kinds of potential equipment failures, for which you could determine a rough upper bound by, say, running a thousand widgets through their paces.   Then it might make sense to distribute these flaws across the number of machines in the field to get some kind of statistic about the probability that an individual machine would fail.  

However I think it's obvious to most of us that software flaws don't work that way.  Given a particular purpose (web server) and an operating system of a particular vintage with no other security devices present, all systems would possess any unpatched bugs.   This of course begs the question of whether muad_dib was counting bugs that were, for the vast majority, patched instead of unpatched.   It's also far more difficult to find the upper bound for the number of security flaws.  You can't just run a bunch of Linux boxes in a room and see which ones get hacked.

So, on the surface anyway, this looks like someone who has lifted a formula out of some book (IIRC he even specified one on quality control or something) and has wrongly applied it to software development.   Like I said before, math isn't magic: the integral of "Batman" isn't "Bruce Wayne".

On to exhibit B:

Quote
Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Again zero information as to what he is trying to do here, but given that he's only specifying what the confidence level is without telling us how that affects the confidence interval, it's questionable that he really knows what he's doing.

Just to give you an idea as to how these statistics might be used, here's an example: Suppose I had a sample of 100 Linux machines from a population of 10000 and also suppose I had a similarly qualified sample of 100 FreeBSD machines from a population of 1000. Now also suppose I know that 50% of the Linux machines had a compromise in the last year but only 45% of the BSD machines were compromised.  It would be useful to know if this difference is significant:

Assuming our populations are normally distributed we can determine that the confidence interval for both figures is around +/- 12% (there are lots of calculators on the net that will do this for you).  So that means that the "real" ratio of Linux compromises is from 38%-62% and the FreeBSD compromises is around 33%-57%.  This is what some might call "More differentiation within the groups than between the groups" which is a sign that the difference is not significant.

Then he starts talking about correlation, which again, if we're talking about categoricals (values that are assigned to a particular category, like 1 = Linux, 2 = BSD) and you had some outcome like system uptime, the usual way to approach that is with an ANOVA.  

Quote
In fact, if you recall my statistical indicator PSI, it is taken from the PCI DSS literature.

If it is it would be nice for him to cite which version, which document and which page...just sayin'

Quote
I quoted it because some people said they were confident with PCI DSS, still they didn't recognize this, thus showing how fake they are.

No, this is a complete lie.   The mention of his PSI formula, as anyone can see, comes well before his mention of PCI-DSS.

Again, he isn't clear who he's talking about, but when he mentioned that PCI compliance is very expensive, I countered that Tier 4 compliance is actually not very difficult or expensive.  These classifications have to do with the number of transactions processed.   So a vending machine is probably not going to process six million Visa transactions annually.  This doesn't mean I have an intimate understanding of PCI-DSS literature but it did show that he didn't understand the compliance requirements.

So were I to guess....this guy is probably an engineer.  Makes sense since he really seems to get ticked off at the use of that word and he's the kind of guy who you would hire for this kind of job - writing code for vending machines.

Now of course I could be wrong, but rather than spelling out his use of math here, he constantly shifts between various dodges.

"People are making assumptions" - You know a good way to stop that?  Clarify yourself.
"People are insulting me" - As I've mentioned earlier he has pretty much lost the moral high ground there.
"Some people in this thread think that SElinux is a flexible linux distribution." - This is very likely untrue - I well understood that like GrSecurity, SELinux is a series of patches - I assume that the person I was talking with knew that too.
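As an added illustration of the interval and significance computation in the post above (this is not code from the thread): it assumes the 0.99 confidence level mentioned elsewhere in the discussion, uses the normal-approximation (Wald) interval with a finite population correction for the stated sample and population sizes, and adds a two-proportion z-test, the standard way to ask whether the 50% vs 45% difference is significant rather than eyeballing interval overlap.

```python
"""Added example (not from the thread): Wald confidence intervals with a finite
population correction, plus a two-proportion z-test, on the constructed
compromise-rate figures from the post above (50 of 100 Linux hosts sampled
from 10000, 45 of 100 FreeBSD hosts sampled from 1000)."""
from math import sqrt
from statistics import NormalDist


def proportion_ci(successes, n, population, confidence=0.99):
    """Wald interval for a proportion, shrunk by the finite population
    correction sqrt((N - n) / (N - 1)) because the sample is drawn without
    replacement from a population of size N.  Returns (p_hat, low, high)."""
    p = successes / n
    z = NormalDist().inv_cdf(1 - (1 - confidence) / 2)  # two-sided critical value
    fpc = sqrt((population - n) / (population - 1))
    half = z * sqrt(p * (1 - p) / n) * fpc
    return p, max(0.0, p - half), min(1.0, p + half)


def two_proportion_ztest(s1, n1, s2, n2):
    """Two-sided z-test for H0: p1 == p2 using the pooled proportion.
    Returns (z, p_value); a p_value above the usual 0.05 or 0.01 thresholds
    means the observed difference is not statistically significant."""
    p_pool = (s1 + s2) / (n1 + n2)
    se = sqrt(p_pool * (1 - p_pool) * (1 / n1 + 1 / n2))
    z = (s1 / n1 - s2 / n2) / se
    p_value = 2 * (1 - NormalDist().cdf(abs(z)))
    return z, p_value


def intervals_overlap(a, b):
    """True when two (p_hat, low, high) intervals share any range."""
    return a[1] <= b[2] and b[1] <= a[2]


# Constructed sample figures taken from the worked example in the post above.
LINUX = dict(successes=50, n=100, population=10_000)
FREEBSD = dict(successes=45, n=100, population=1_000)

if __name__ == "__main__":
    lin = proportion_ci(**LINUX)
    bsd = proportion_ci(**FREEBSD)
    print(f"Linux   compromised: {lin[0]:.0%}  99% CI [{lin[1]:.1%}, {lin[2]:.1%}]")
    print(f"FreeBSD compromised: {bsd[0]:.0%}  99% CI [{bsd[1]:.1%}, {bsd[2]:.1%}]")
    print("intervals overlap:", intervals_overlap(lin, bsd))
    z, p = two_proportion_ztest(LINUX["successes"], LINUX["n"],
                                FREEBSD["successes"], FREEBSD["n"])
    print(f"two-proportion z = {z:.2f}, p-value = {p:.2f}")
```

Both intervals come out roughly 12-13 points wide on each side and overlap heavily, and the z-test p-value is far above 0.05, so the sample cannot distinguish the two compromise rates.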

legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
Quote
1) Most of the people here want Bitcoin to have a broader adoption.

2) If Bitcoin scams start to spread out, then both its adoption by people and businesses will slow down

3) Recently a huge sum of money, whose amount can be only speculated about, but which is very consistent, has been stolen by Mt. Gox

4) Mt. Gox and other exchanges share a VERY WEAK authorization model

5) Most people use the same weak password multiple times

1) not necessarily, bitcoin could do just fine as a niche currency for people who actually know how their computers work ... (handing matches to children can be dangerous)

2) monetary scams are all over the globe, crime is rampant on Wall St., is it affecting "dollar adoption"?

3) 3 months ago 400k btc wasn't worth squat and nobody would have cared ... in the bigger scheme it is still peanuts .... GS got clean away with more than $100 bill and all they got was some schmuck dancing in front of the senators for a few hours

4) MtGov is not equal to bitcoin, they are a curious sideshow

5) Most people are idiots and probably are not qualified to handle bitcoin technology at this stage in their evolution .... it is like when TCP-IP was released ... do you think it would have been a good thing if every tom dick and harry was trying to hook-up their own routing ....??

All in all it makes for some great laughs but you may be taking it a little too seriously ... people quickly become irrational when money is involved ... you won't be taking your bitcoins with you when you pass on ...
hero member
Activity: 812
Merit: 1001
-
And again... it is not the choice of OS which makes a system secure, it is how sysadmin's hands are attached...

Are you telling me that an IIS+Windows machine can be made as safe as a FreeBSD+Apache one?

I'm sorry but I disagree with you.

Well... I personally do not know any sysadmins with "correctly attached hands" who run windows servers, but surely there are some out there... I guess that windows+apache can be made as safe as whatever+apache. (let's get IIS out of the picture for simplicity).  This probably would involve a server version of windows and some severe balls cutting. Not that I am an expert on this to be sure.

I do not mind if you disagree. Maybe a few decades from now you'll be less categorical and more tolerant.
member
Activity: 140
Merit: 10

And again... it is not the choice of OS which makes a system secure, it is how sysadmin's hands are attached...

Are you telling me that an IIS+Windows machine can be made as safe as a FreeBSD+Apache one?

I'm sorry but I disagree with you.
member
Activity: 140
Merit: 10


I'm not trying to hate but you're making it pretty easy ....

I think it mostly depends on the language barrier and the fact that some people started hating a lot, building a hating spree.

Quote
before claiming expertise maybe you should try building bitcoind on a system, any system will do, run some tests, get some data .....

Expertise in what? I never stated expertise in Bitcoin.

I have anyhow a strong expertise with credit cards and ATMs. I think I might know a few things about secure financial transactions.

Quote
i mean really how are we meant to take your expert opinion on anything bitcoin related if you don't know jack about bitcoind??

By discussing facts and sources. I'm more than happy to discuss and even be criticized.

Anyhow I invite you to read again the first two pages of this discussion, and tell me if you see even one constructive criticism.


Quote
that would be just wrong. Roll your sleeves up, do a little learning and doing and then come and spout off as much as you please otherwise you're just whacking off in public, not pretty.


Let's analyze a  few facts:

1) Most of the people here want Bitcoin to have a broader adoption.

2) If Bitcoin scams start to spread out, then both its adoption by people and businesses will slow down

3) Recently a huge sum of money, whose amount can be only speculated about, but which is very consistent, has been stolen by Mt. Gox

4) Mt. Gox and other exchanges share a VERY WEAK authorization model

5) Most people use the same weak password multiple times


I think that by considering all these facts, it is clear we should push the Bitcoin community, both as exchanges or final users, to much stricter security measures.

The only way to do this is to spread awareness, and put public pressure on exchanges.
hero member
Activity: 812
Merit: 1001
-
2) I never said you need BSD for bitcoind. You need BSD to expose your services.

I do run all my bitcoind's on FreeBSD, works great!

3) I never said I have any software ready yet.

it's in /usr/ports/*/bitcoin , easy...


And again... it is not the choice of OS which makes a system secure, it is how sysadmin's hands are attached...

legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo


So have you built bitcoind on BSD yet ... be interested to know your thoughts on the statistical probability of it getting hacked ...

send through the makefile when you have done it so we know you are not just bullshitting everyone.

1) People need to read more carefully my posts and hate less

2) I never said you need BSD for bitcoind. You need BSD to expose your services.

3) I never said I have any software ready yet.

4) I am here just to point two facts:

a) Recently someone entered MtGox, and MtGox thinks he is not responsible for password leakage

b) MtGox uses very weak measures to prevent password leakage



I'm not trying to hate but you're making it pretty easy .... before claiming expertise maybe you should try building bitcoind on a system, any system will do, run some tests, get some data .....
i mean really how are we meant to take your expert opinion on anything bitcoin related if you don't know jack about bitcoind??

that would be just wrong. Roll your sleeves up, do a little learning and doing and then come and spout off as much as you please ...
member
Activity: 140
Merit: 10


So have you built bitcoind on BSD yet ... be interested to know your thoughts on the statistical probability of it getting hacked ...

send through the makefile when you have done it so we know you are not just bullshitting everyone.

1) People need to read more carefully my posts and hate less

2) I never said you need BSD for bitcoind. You need BSD to expose your services.

3) I never said I have any software ready yet.

4) I am here just to point two facts:

a) Recently someone entered MtGox, and MtGox thinks he is not responsible for password leakage

b) MtGox uses very weak measures to prevent password leakage

legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo

What is your work experience in the security field?

I work with vending machines and payments solutions (POS, ATMs, ....)


Quote
What academical qualifications do you have besides googling concepts?

I have a master's in applied mathematics. My areas of strength are numerical statistics, cryptography and game theory.

Quote
Who can vouch for your skills or known projects in any white or blackhat forum?

I thought that we were having a discussion, thus arguments and sources are what matters.

In fact, if you recall my statistical indicator PSI, it is taken from the PCI DSS literature.

I quoted it because some people said they were confident with PCI DSS, still they didn't recognize this, thus showing how fake they are.

Quote
Do you know anything at all about programming a secure site or platform?

I'm not a web developer, I frown upon PHP and some other web technologies.

I know Matlab, Java, PETSC, Python, C (in order of confidence) but I'm not a CS.

I'm the guy who builds a statistical model, so that you can study the behavior of your complex system (a market, a cryptography algorithm, a network, ...).



So have you built bitcoind on BSD yet ... be interested to know your thoughts on the statistical probability of it getting hacked ...

send through the makefile when you have done it so we know you are not just bullshitting everyone.
member
Activity: 140
Merit: 10

What is your work experience in the security field?

I work with vending machines and payments solutions (POS, ATMs, ....)


Quote
What academical qualifications do you have besides googling concepts?

I have a master's in applied mathematics. My areas of strength are numerical statistics, cryptography and game theory.

Quote
Who can vouch for your skills or known projects in any white or blackhat forum?

I thought that we were having a discussion, thus arguments and sources are what matters.

In fact, if you recall my statistical indicator PSI, it is taken from the PCI DSS literature.

I quoted it because some people said they were confident with PCI DSS, still they didn't recognize this, thus showing how fake they are.

Quote
Do you know anything at all about programming a secure site or platform?

I'm not a web developer, I frown upon PHP and some other web technologies.

I know Matlab, Java, PETSC, Python, C (in order of confidence) but I'm not a CS.

I'm the guy who builds a statistical model, so that you can study the behavior of your complex system (a market, a cryptography algorithm, a network, ...).

member
Activity: 140
Merit: 10


Do you have some work experience or public credentials besides a neckbeard and an old laptop?


Some people in this thread think that SElinux is a flexible linux distribution.

If this is the standard for this thread, then I'm a top notch hacker.
sr. member
Activity: 252
Merit: 251
So much hate in these posts.... I bet most of the people here are unemployed and unemployable....

What is your work experience in the security field?
What academical qualifications do you have besides googling concepts?

Who can vouch for your skills or known projects in any white or blackhat forum?
Do you know anything at all about programming a secure site or platform?

If you can't answer any of these questions then you're just another video game playing kid
in his mom's basement who was overwhelmed by 2 books on programming & tries to be something he's not.

It might work on your senile parents but you are in the real world now.
member
Activity: 140
Merit: 10
I just found out that, according to these standards, I am now apparently a security expert! Oh man I'm totally going to put this on my resume. I even know the "ls" command in linux. One time, I actually understood and laughed at an XKCD comic that said "sudo go make me a sandwich". That's like top level security expert qualifications right there.

No first you need to buy a paper and call yourself an engineer.


So much hate in these posts.... I bet most of the people here are unemployed and unemployable....
member
Activity: 140
Merit: 10

But I seriously don't think he will delete his posts.  He is the type that thinks he is right no matter what, even if the whole forum world is against him.

Well if the objectors say that they can read 10 million lines of code, well, it is a good thing not to change your opinion on their statements.

Changing opinion following what most people think means you are a sheep.
member
Activity: 84
Merit: 10
Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips"  
I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.

I never had the chance to play with Itanium.


Anyhow I'm not sure that there's a real need for Itanium. It's so overpriced that many times it is out of the market.

Take this as an example: Do you really think that a closed source OS, deployed just on 400.000 machines, is going to be safer or more reliable than an open source OS on x86, at the same level of cost?
I am slow to respond, but I'm beating the same drum.  What equipment are your enemies using?  Which O.S.? Can you fight them as efficiently with your Linux Ninja stars and spears and your virtual drums?  Not recognizing that you, yourself, personally, are at war is the damnedest downside to considering oneself an expert.  I'm not saying that you cannot win, just drawing attention to what I see as a basic problem.
newbie
Activity: 39
Merit: 0
Hope that helps.
It did help, thanks.