Topic: About Mt. Gox flaw from a security expert - page 4. (Read 34165 times)

full member
Activity: 140
Merit: 100
I just found out that, according to these standards, I am now apparently a security expert! Oh man I'm totally going to put this on my resume. I even know the "ls" command in linux. One time, I actually understood and laughed at an XKCD comic that said "sudo go make me a sandwich". That's like top level security expert qualifications right there.
full member
Activity: 140
Merit: 100
Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment

Strangely enough it started as him quoting a security expert.  It has now regressed into HIM being the security expert. 

But I seriously don't think he will delete his posts.  He is the type that thinks he is right no matter what, even if the whole forum world is against him.
Really? Did he edit his posts, or was that from another thread?

Besides he's kind of out-of-date.  Last year was the year every third person I met was a security consultant...this year they're all "Cloud Services" consultants. :-)
newbie
Activity: 56
Merit: 0
Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment

Strangely enough it started as him quoting a security expert.  It has now regressed into HIM being the security expert. 

But I seriously don't think he will delete his posts.  He is the type that thinks he is right no matter what, even if the whole forum world is against him.
sr. member
Activity: 252
Merit: 251
Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment
full member
Activity: 140
Merit: 100
Now I've got proof he is a stupid troll.
HE IS NO SECURITY EXPERT!
Proof:
He doesn't even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he has difficulties figuring out what a serial port is. lulz

Dude, I said this like 100 pages ago.  Even reviewing his bitcoin.org forum posts outside this thread it's very clear he has no idea what he is talking about.  He might have some buddy who is telling him random snippets of information to make him seem credible, but otherwise he is completely full of shit.

Troll.
Also...quoting from wikipedia and a textbook he downloaded.  I wonder if the other guy talking stats with him (equally vapidly) was his friend.
newbie
Activity: 56
Merit: 0
Now I've got proof he is a stupid troll.
HE IS NO SECURITY EXPERT!
Proof:
He doesn't even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he has difficulties figuring out what a serial port is. lulz

Dude, I said this like 100 pages ago.  Even reviewing his bitcoin.org forum posts outside this thread it's very clear he has no idea what he is talking about.  He might have some buddy who is telling him random snippets of information to make him seem credible, but otherwise he is completely full of shit.

Troll.
full member
Activity: 140
Merit: 100
So given all the "BSD is hands down superior to Linux in terms of security" trash talk that's been going on around here.  See statements like this:

"*bsd is the first choice when security is the major concern, period. "
"I refuse to accept that BSD is as safe as linux."
"Use the right software. IIS is a big no-no. Also Linux should be frowned upon."
"My opinion is that FreeBSD is the most secure"
"it's well known that BSD is more stable, secure"

These imply to me (correctly or incorrectly) that Linux *can't* be secured as well as a BSD box.   Remember the context in all these posts was about Mt. Gox or enterprise systems in general, so the idea that we are talking about some out-of-the-box hobbyist install seems unreasonable.  Clearly Mt. Gox hardened their system before deployment.   Likewise anyone deploying a system which contains sensitive information but is going to be on the internet would do the same.

So to hold such an opinion rationally suggests that such folk must know some way to circumvent a secured Linux box.

...and given what a kind-hearted gent I am, I'd like to give them a chance to show me how.  So I'd like to discuss a B&E contest, with some kind of prize, say 20-30 BTC.  Off the top of my head the system should be a typical edge device (HTTP and/or email).

If you're interested post here with comments, questions or concerns (or perhaps I'll start a new thread).

Psst...BSD aficionados? That slapping sound? It's a gauntlet crossing your face. ;-)*

*Yes I know some of the excuses will be that it's not enough money or too much time...I'll just say "whatever" to those now.  Just to save time.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
Now I've got proof he is a stupid troll.
HE IS NO SECURITY EXPERT!
Proof:
He doesn't even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he has difficulties figuring out what a serial port is. lulz
full member
Activity: 140
Merit: 100
At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.
But, in your opinion, it's still good security-wise, right?
If not, do you care to explain more?

Sorry if this is a broader answer than you were wanting but...
I don't have an opinion on the security of say OpenBSD in a broad sense because I don't have a useful general definition of "security".  

What I do see is that OpenBSD has similar *mechanisms* to secure itself when compared against say Linux. There is also a group of people concerned with the security of the OS and there exists a body of knowledge on securing the system.  These are all positive things.   There may be various advantages and disadvantages to individual elements but it's not always easy to judge this kind of thing.

For example: let's focus on one talking point I've mentioned a number of times (or perhaps 'harped on' ;-) ).  ASLR - PaX (which is available through a series of patches to the Linux kernel or pre-patched sources from the Gentoo hardened branch or from pre-compiled kernels) does the most complete job of address randomization. Better than execshield (which is what RH and other Linuxes use OOTB), and W^X (in OpenBSD).  For example the bit size for stack randomization in PaX is double that of W^X.  There are also fewer guarantees as to what will or won't be protected using W^X.  Especially with regard to the kernel - as of the last release I looked at.  A problem with the kernel stack will not be prevented by W^X.

That said PaX needs to be enabled whereas W^X is available out of the box (so is execshield btw).  This is a double-edged sword.  In one case W^X protects everything in userspace because it patches not the kernel calls but malloc.  The downside is that this breaks compatibility.  So W^X becomes a kind of all-or-nothing game.  If you had a piece of code for which there was no source and which was incompatible with W^X then your whole system would have to not use W^X.  In a lot of cases this doesn't matter because OpenBSD doesn't allow things that Linux does, like binary-only drivers.  However often enough you as the security professional don't get to make that choice.  For example I can set and enforce (sometimes ;-) ) standards but I rarely can dictate implementation details to them, vis-a-vis "Never use binary drivers".

Non-trivial, isn't it?...and that's comparing just. one. mechanism.  While I think ASLR is a great idea, because it is one of the few *proactive* mechanisms that have come out in the last ten years, I'd be an idiot if I were to treat it as the only thing that matters.

So as I've said before, comparison of operating system "security" is subtle and nuanced, and anyone who suggests it's cut-and-dried is probably telling you that out of some combination of ignorance and/or deceit.  OpenBSD is good (especially if you're writing code, I love having a rich crypto API guaranteed to be on any install), FreeBSD is good (but lacks some mechanisms that other OS's or even BSD's have), Linux is good (when patched with PaX and some kind of RBAC).  All of them can be secured by someone with the right knowledge.  Whether they can be secured to the needs of a particular project obviously depends on a myriad of other factors.

Hope that helps.
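The post above compares how many bits of stack randomization different ASLR implementations offer. Rather than trust documentation, a practitioner can measure what a given box actually does: spawn fresh processes and record which address bits change between them. The following is an added example, not code from this thread or from any of the projects it names. It assumes CPython 3.7 or later; on Linux the child process reads the start of its `[stack]` mapping from `/proc/self/maps`, and on other systems it falls back to the address of a freshly allocated object, which reflects heap/mmap randomization rather than the stack (both child one-liners are constructed for this example).

```python
"""Empirically count the address bits ASLR randomizes on this machine.

Added example for the thread above, not code from any project mentioned in it.
Assumes CPython 3.7+ (subprocess.run with capture_output). On Linux the child
reads the start of its [stack] mapping from /proc/self/maps; elsewhere it
reports the address of a fresh heap object instead (a different region, but
still subject to ASLR).
"""
import os
import subprocess
import sys

# Child one-liners, constructed for this example. Each prints one address.
CHILD_STACK_LINUX = (
    "print(int(next(l for l in open('/proc/self/maps') if '[stack]' in l)"
    ".split('-')[0], 16))"
)
CHILD_HEAP_ANY = "print(id(object()))"   # CPython: id() is the object's address


def child_program():
    """Pick the stack probe where /proc is available, else the heap probe."""
    return CHILD_STACK_LINUX if os.path.exists("/proc/self/maps") else CHILD_HEAP_ANY


def sample_addresses(n=32):
    """Spawn n fresh interpreters and collect one address from each.

    A new process is required for every sample: ASLR picks the layout at
    exec time, so re-reading the address inside one process tells you nothing.
    """
    prog = child_program()
    addrs = []
    for _ in range(n):
        out = subprocess.run([sys.executable, "-c", prog],
                             capture_output=True, text=True, check=True).stdout
        addrs.append(int(out.strip()))
    return addrs


def varying_mask(addrs):
    """Bitmask of positions that took more than one value across the samples.

    XOR each sample against the first and OR the results: a bit is set in the
    mask iff at least one sample differed from the first in that position.
    """
    if len(addrs) < 2:
        raise ValueError("need at least two samples")
    base = addrs[0]
    mask = 0
    for a in addrs[1:]:
        mask |= base ^ a
    return mask


def randomized_bits(addrs):
    """Count of address bits observed to vary.

    This is a lower bound on the randomization entropy: a bit the kernel does
    randomize can still happen to coincide across a small sample.
    """
    return bin(varying_mask(addrs)).count("1")


def bit_span(mask):
    """(lowest, highest) varying bit index, or None if nothing varied."""
    if mask == 0:
        return None
    low = (mask & -mask).bit_length() - 1
    return low, mask.bit_length() - 1


if __name__ == "__main__":
    samples = sample_addresses()
    mask = varying_mask(samples)
    print(f"{len(samples)} samples, first address {samples[0]:#x}")
    print(f"bits seen to vary: {randomized_bits(samples)}, "
          f"mask {mask:#x}, span {bit_span(mask)}")
    if mask == 0:
        print("no variation at all: ASLR is probably disabled for this process tree")
```

Run it with ASLR on and off (on Linux, `/proc/sys/kernel/randomize_va_space` set to 2 versus 0) and the count drops to zero in the off case. The count is a lower bound, so take more samples for a tighter figure; the low 12 bits never vary because mappings are page aligned, and the high bits never vary because the stack always sits near the top of the user address space, which is why the span matters as much as the raw count.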
legendary
Activity: 1050
Merit: 1000
You are WRONG!
@maud_dib:
I am now going to cut it out for you:

If you look at Wikipedia: http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Servers
you can see that the usage of BSD is between 2.4% and 5.35%,
and Linux is between 16.9% and 74.29%.

We can therefore conclude that Linux is more used than FreeBSD,
and we can assume that Linux is getting more attention from hackers and security experts.
Because of that we can assume that Linux will be exploited more,
and if there are more security holes found in Linux, they will also be fixed.

In FreeBSD, which does not get as much attention as Linux, we can assume that people are not finding the hacks/exploits,
and the holes will not get fixed!

If you can't follow my very simple argument, please feel free to ask.

@to all others:
HE IS A TROLL!
newbie
Activity: 39
Merit: 0
At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.
But, in your opinion, it's still good security-wise, right?
If not, do you care to explain more?
member
Activity: 140
Merit: 10


Don't have that text on my computer, but surely you would accept a quote from the same author's "Introduction to Mathematical Statistics."

Definition 1. A function of one or more random variables that does not depend upon any unknown parameter is called a statistic. ...
It is quite clear that a statistic is a random variable. In fact, some probabilists avoid the use of the word "statistic" altogether, and they refer to a measurable function of random variables as a random variable."
Ch 4. p122-123


This is a simplification. The author correctly says that SOME probabilists do this. Even if most mathematicians accept real numbers, this doesn't mean they exist.

I couldn't find the book you refer to in the torrent, so let's take again wikipedia:

http://en.wikipedia.org/wiki/Random_variable#Functions_of_random_variables

Quote
If we have a random variable  on  and a Borel measurable function , then  will also be a random variable on , since the composition of measurable functions is also measurable.

What if my statistic is a composition of measurable and non-measurable functions?

It can be non-measurable for many reasons:

1) The statistic domain is non-measurable

2) The statistic itself is non-measurable

3) The statistic works on infinite vector spaces

The situation is much more complex than how you want to picture it.

Quote
I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

I don't have a good answer for this. Again I see people making wrong affirmations and insulting others, still I'm the one to calm down?

Just like you're doing now: you don't know my background, still you accuse me of being in over my head. If I were in the university I would take out my papers and my citations, and I would ask you to do the same. On the internet it is different, so please refrain from speaking about people's ability if you are not sure.
full member
Activity: 140
Merit: 100
Sorry, the topic of my posts was the OP's use of statistical terms and how misuse of terminology might make him appear to readers.
My question was also about his use of terminology.  I asked you how you found any of the statistical information muab_dib posted actually meaningful.  Most of the time he seemed to just be splattering statistical terms without any consideration as to what outcome he was trying to determine.  He used terms like hypothesis testing, confidence levels but was clearly missing knowledge like he didn't seem to understand that you can't just arbitrarily choose a CL post-hoc and make your result more "meaningful".  So it didn't really seem  he knew how to apply them  or what their limitations are.

There's a salient difference between someone who actually *does* statistics and someone who simply *performs* them.   The former understands how the operations they are performing actually work, so they reflexively know the limitations, what kind of data you need, what kind of tests get what kind of result.  If you talk to this kind of person the first words out of their mouth are about framing the problem and the next are about framing the data.  I found it interesting that instead of criticizing his almost entire lack of explanation of how the statistical operations he alluded to actually gave *any* kind of meaningful result, you wanted to talk about the definition of the term "statistic", over and over again.

Quote
Need to know a lot about the data generating process to assess whether a raw correlation is meaningful. OP's data (if they exist) might not be from a random sample. Even if they are, operating system use is a choice variable (not randomly assigned). Security metric used by OP may or may not be a good metric\

Actually I didn't necessarily ask if it was a good metric.  I just asked what made you think what he said was meaningful.   You would, or should know that to a point you can analyze the approach someone is taking.  This would drive you to want to know about their data.  You had no questions about that at all.  All you were on about were things that you could validate if you say...read a web page about statistics.
Quote
Not responding anymore to this thread, so please bait someone else.
Guess you had to get out of this jam somehow.
legendary
Activity: 1050
Merit: 1003

Quote
Lots of book quoting there.   Any chance you'll get around to answering my question?

Sorry, the topic of my posts was the OP's use of statistical terms and how misuse of terminology might make him appear to readers.

I don't know anything about OS security and I don't have an opinion about the OP's OS security argument. Need to know a lot about the data generating process to assess whether a raw correlation is meaningful. OP's data (if they exist) might not be from a random sample. Even if they are, operating system use is a choice variable (not randomly assigned). Security metric used by OP may or may not be a good metric.

Not responding anymore to this thread, so please bait someone else.
full member
Activity: 140
Merit: 100
I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

Lots of book quoting there.   Any chance you'll get around to answering my question?
full member
Activity: 140
Merit: 100
You people get so caught up arguing over every unimportant little nuance you've forgotten the point: mtgox is completely insecure.  Do you really believe someone had 500,000 BTC in their account? Yeah right.  mtgox's account was hacked.  They're making tons of money but make no investment to fix their piss poor security.
Soooooo if it was hacked, why did most of the transactions come from one account?  If they had kept them all separate and made separate withdrawals it would have increased their take and slowed their discovery.   Instead they took a whole extra step to consolidate all their accounts.

Quote
As for this linux *bsd debate, I see a lot of people talking out their rear.

Me too.

Quote
Reading wikipedia does not make you a security expert.  Running gentoo does not make you a linux expert.  And neither of these things qualify you to speak on the topic of network security.  *bsd is the first choice when security is the major concern, period. 
Similarly saying "first choice" doesn't make it so.  Saying "period" doesn't really make your case any stronger.   In fact asserting things when allegedly the evidence is easily found but somehow you just couldn't bring yourself to link to it....Kind of weakens your case, doesn't it?

FreeBSD is a fine operating system, so is OpenBSD.  At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.   Feature parity is reached and some of Theo D's decisions over the last five years have been...idiosyncratic. 
legendary
Activity: 1050
Merit: 1003
Quote
defining a statistic as a random variable is a stretch.

Maybe if you have this book (it's the bible of statistics, it can be easily found in any scientific library) I could point you to some deeper analysis.

Don't have that text on my computer, but surely you would accept a quote from the same author's "Introduction to Mathematical Statistics."

Definition 1. A function of one or more random variables that does not depend upon any unknown parameter is called a statistic. ...
It is quite clear that a statistic is a random variable. In fact, some probabilists avoid the use of the word "statistic" altogether, and they refer to a measurable function of random variables as a random variable."
Ch 4. p122-123

I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.
newbie
Activity: 24
Merit: 0
You people get so caught up arguing over every unimportant little nuance you've forgotten the point: mtgox is completely insecure.  Do you really believe someone had 500,000 BTC in their account? Yeah right.  mtgox's account was hacked.  They're making tons of money but make no investment to fix their piss poor security.

As for this linux *bsd debate, I see a lot of people talking out their rear.  Reading wikipedia does not make you a security expert.  Running gentoo does not make you a linux expert.  And neither of these things qualify you to speak on the topic of network security.  *bsd is the first choice when security is the major concern, period.  Google bsd security if you don't believe me.
full member
Activity: 140
Merit: 100
Haha, Agreed. I'm not a Linux fanboy, but as soon as he started touting the security benefits of FreeBSD over the security Benefits of Linux he loses all credibility. The services that are normally exploited are generally run by multiple Unix clones. Securing a system takes an experienced *nix sysadmin and someone who understands networking and routing thoroughly, that's it.

...or the places where FreeBSD had to take stuff from Linux to secure itself.

As I've been saying from the beginning, anyone who asserts there is some clear winner in "security" will probably fail in one of two things:


i) Defining "security' generally.

Muad_Dip, while he did provide a definition, gave a rather incomplete one: he said that "It's a matter of counting flaws and uptime".  Especially when you consider he is talking about reported flaws (the vast majority of which have been fixed), not taking into account standard modeling practices, or providing a reference as to whether uptime (or how much of it) is the result of security events.   In fact as you can see from the way he tends to use data, he assumes that not only is ALL uptime security related but with almost zero variance.

ii) Defending the point that system X is actually better by these criteria.

Similarly Muad_Dip gave us very little.  A database of flaws that are largely fixed, no rationale as to why that means anything, and some top 40 hosting services reliability index with no rational reason why things like DNS latency should be considered part of the equation.  A constant reference to the "top three" but a casual ignoring of the bottom two FreeBSD machines which were an order of magnitude worse than any other system at all.  Oh and some silly evaluation from ten years ago with rather subjective and unweighted evaluations....using "smiley" and "frowny" faces as the markers of better or worse systems.   Really.   He even called this "objective" data.
newbie
Activity: 42
Merit: 0

As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though the FreeBSD update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose Unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even thought being freebsd smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 millions results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)


Anyhow let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.


I totally agree with you on this metric. Obviously, it follows with what I, a bona-fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy.

Google agrees with me, as "Hacked by"+"virtual boy" has a mere 61,300 results.

Prove me wrong. I dare you, because I just bought a pair of x-pert system II zookas and a nintendo power glove. It's hooked to my keytar, with a wii wammy bar and a silicon 3d aggregator nanostruts mashup through UG ajax immersion portals.

Obviously, this is all coded in COBOL. It's the safest language.

Haha, Agreed. I'm not a Linux fanboy, but as soon as he started touting the security benefits of FreeBSD over the security Benefits of Linux he loses all credibility. The services that are normally exploited are generally run by multiple Unix clones. Securing a system takes an experienced *nix sysadmin and someone who understands networking and routing thoroughly, that's it.