Topic: About Mt. Gox flaw from a security expert - page 6. (Read 34196 times)

sr. member
Activity: 350
Merit: 250
This thread is pointless, since the 'auditor' handed over database access to somebody through total carelessness, so the breach would've happened regardless of OS. I bet the auditor had it lying around his Gmail account or unencrypted on the desktop in a file called 'STEALTHIS.TXT'.




legendary
Activity: 1050
Merit: 1000
You are WRONG!

sorry for the bad estimate... it is still only 5% of the code that is relevant.



so 5% is most of the code?

Please define relevant.
stuff in:
the core code: http://lxr.linux.no/linux+v2.6.39/kernel/
the arch code for x86: http://lxr.linux.no/linux+v2.6.39/arch/x86/
some of the fs code(ext*, vfat, nfs): http://lxr.linux.no/linux+v2.6.39/fs/
the mm: http://lxr.linux.no/linux+v2.6.39/mm/
and the ipv* stacks: http://lxr.linux.no/linux+v2.6.39/net/ipv4/ , http://lxr.linux.no/linux+v2.6.39/net/ipv6/
and a few drivers from: http://lxr.linux.no/linux+v2.6.39/drivers/

I have also built my own little kernel some time ago. It sucks, true, but it can start and print out a lot of information about the computer. (NO! It is not just a custom-built Linux kernel, it's a real OS from the bottom up.)
hero member
Activity: 602
Merit: 500
Look, can we all just run Windows and be happy already...
legendary
Activity: 1050
Merit: 1000
You are WRONG!

As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion, then your reliability goes down. It also means that there is less security maintenance (even though the FreeBSD update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose Unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for Linux, 3 for FreeBSD.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do a very rough estimation:

Google "Hacked by" + linux: 2.3 million results

Google "Hacked by" + Freebsd: 230.000 results (one fold less!!!)


Anyhow, let's put it this way: my opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.


The Linux kernel uptime rolls over at 497 days. The system doesn't go down, the uptime is just reset.

Linux, incidentally, has more eyes, so more seen bugs.

I like FreeBSD, but Linux is much better for sysadmins.

+1
member
Activity: 140
Merit: 10

sorry for the bad estimate... it is still only 5% of the code that is relevant.



so 5% is most of the code?

Please define relevant.
member
Activity: 140
Merit: 10


Okay much improved (B+), but here are some things to remember before you take your exam.

1) The statistic Psi-hat(linux) is a random variable that is an unbiased estimate of the constant parameter Psi(linux).

Not only is it unbiased, but it is asymptotically consistent.

Anyhow, I would like to point out to you that a statistic IS NOT a random variable.

Quote
2) You are using random variables (sample statistics) to test a hypothesis about the constant parameters Psi(linux) and Psi(BSD)
    [Not testing a hypothesis about these random variables]

I'm not sure I understand you here; maybe it's just my English.

Quote
3) The parameter Psi(linux) is a constant, and is therefore not correlated with anything.

It's a function over a sample. Change the sample, and the statistic changes. We take this statistic to measure the correlation between the properties of two samples.


Quote
4) If your TA is an ass, they will dock you points for not using the conventional labels H0 and H1

That's true.



Quote
Much More Important Lesson: Don't mix in random jargon about topics you don't fully understand to impress other people. Focus on your core competencies and people will take you more seriously.

Maybe you missed the fact of how many insults I got, and how many "engineers" were trying to educate me.
legendary
Activity: 1050
Merit: 1000
You are WRONG!

yes, that's many lines. but not in the core code, that excludes all the drivers (90%),

Drivers don't account for that much. They are roughly 55%.

http://cityblogger.com/archives/2008/06/16/linux-kernel-stats

Quote
and all the archs(5-8%)(except x86 and arm).

I'm sure you know that source code doesn't depend on archs, as archs are handled by compilers.

But I'm sure you know that.

Quote
the FreeBSD source only did confuse me.

I think your confusion might not arise from BSD.
sorry for the bad estimate... it is still only 5% of the code that is relevant.
and the archs are not only handled by the compiler, proof: http://lxr.linux.no/linux+v2.6.39/arch/
every platform needs to be written, it includes all the low-level functions for that arch: MMU, task switching, detection of hardware, the whole startup stuff ...
legendary
Activity: 1050
Merit: 1003

Quote
Sure. We take a statistic (Psi) which in our hypothesis is strongly connected to security. Then we take a probability space given by (Critical flaws, Running servers).

Of this space we take a sample (2005-2011 for example), and on this sample we make a measure using the statistic.

We then build a hypothesis test:

H1: Psi(linux) = Psi(BSD)

H2: Psi(linux) > Psi(BSD)


Picking a high confidence level (0.99), we can say that H1 is false.

Quote
Is this Psi you mention a random variable? I thought you said it was a parameter? But then it is a constant, no? I'm really confused. Please, OP help me out? This statistics stuff is confusing.


No it is a statistic, or a function over a sample.

Okay much improved (B+), but here are some things to remember before you take your exam.

1) The statistic Psi-hat(linux) is a random variable that is an unbiased estimate of the constant parameter Psi(linux).
2) You are using random variables (sample statistics) to test a hypothesis about the constant parameters Psi(linux) and Psi(BSD)
    [Not testing a hypothesis about these random variables]
3) The parameter Psi(linux) is a constant, and is therefore not correlated with anything.
4) If your TA is an ass, they will dock you points for not using the conventional labels H0 and H1

Much More Important Lesson: Don't mix in random jargon about topics you don't fully understand to impress other people. Focus on your core competencies and people will take you more seriously.


full member
Activity: 140
Merit: 100
No, actually you are probably lying. In fact you seem to be making up how you're getting an R of .99.

Again, I'm asking you to show your work... but instead you seem to be dodging the point.

LOL YOU choose the confidence level. The higher it is, the more meaningful your conclusions are.

Oh, so *that's* what you're blathering about. That's not exactly the case. For example, if your sample size is fixed (like it is here), choosing the CL alters your CI. If you make your CL 'better', the CI becomes wider. Now if, for example, you haven't done your experiment yet and you are fixing your CI and your CL, your sample size changes. It's a rookie mistake, the kind I'd expect a non-math person to make. "Meaningful" is also a kind of ambiguous word; it's something a frequentist would say.

So again, what dataset are you using here?
member
Activity: 140
Merit: 10
Disclaimer: I am not a programmer. But I know how to find out about industry standards: "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips"
I have, however, attempted beating up a VAX. I won, barely, but this was 20 years ago. They have been improving it since then.

I never had the chance to play with Itanium.


Anyhow, I'm not sure that there's a real need for Itanium. It's so overpriced that many times it is out of the market.

Take this as an example: do you really think that a closed source OS, deployed on just 400.000 machines, is going to be safer or more reliable than an open source OS on x86, at the same level of cost?
member
Activity: 84
Merit: 10
Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the water's cold, ain't it?
Deep too.
full member
Activity: 140
Merit: 100
If the paper you bought says you're an engineer, and you say SElinux is just for linux, I'm not going to argue. You the boss, boss.
Where did anyone (other than this loser) say anything like that?

Quote
You're now in ignore, let's see how many other people I have to ignore to stop this flamewar.
Uh, at any point in time you could have provided a rational defense of your position instead of... flaming people.
Seems a little like you didn't *want* to talk about the issues when it came down to brass tacks.
full member
Activity: 140
Merit: 100
you simply lack any basic knowledge of statistics. Sorry.

No, actually you are probably lying. In fact you seem to be making up how you're getting an R of .99.

Again, I'm asking you to show your work... but instead you seem to be dodging the point.
member
Activity: 140
Merit: 10


No, actually you are probably lying. In fact you seem to be making up how you're getting an R of .99.

Again, I'm asking you to show your work... but instead you seem to be dodging the point.

LOL YOU choose the confidence level. The higher it is, the more meaningful your conclusions are.

LOLOLOL.



Guess I'm getting under your skin. That's pretty forced laughter there. Sure, what does that have to do with anything that we've been talking about with regard to SELinux?



If the paper you bought says you're an engineer, and you say SElinux is just for linux, I'm not going to argue. You the boss, boss.




You're now in ignore, let's see how many other people I have to ignore to stop this flamewar.
full member
Activity: 140
Merit: 100

Depends on what you mean.

LOLOLOLOL
Guess I'm getting under your skin. That's pretty forced laughter there. Sure, what does that have to do with anything that we've been talking about with regard to SELinux?

Quote
Obviously, when you people bought the paper that allows you to call yourself an engineer, they forgot to tell you that if you want to be a good professional you need to be able to read, not only have money to make stupid tests.

Well, considering your writing is pretty horrible, it's not surprising that your meaning wasn't conveyed. As Randal would say...
member
Activity: 140
Merit: 10


So what are you doing now?

You have assumed that some variable is strongly connected to some vaguely defined concept. Then without defining the mapping between that and your sample set (just because A correlates with B doesn't mean it's 1:1). Then you look like you are just assuming that the R is .99?

Ever hear of showing your work?


you simply lack any basic knowledge of statistics. Sorry.

Start here:

http://www.amazon.com/Statistics-Dummies-Math-Science/dp/0470911085/ref=sr_1_1?ie=UTF8&qid=1308643898&sr=8-1


p.s.: the indicator is not mine. It is taken from another source.

http://www.amazon.com/Statistical-Process-Control-Industry-Implementation/dp/0792355709/ref=sr_1_2?ie=UTF8&qid=1308644011&sr=8-2
member
Activity: 140
Merit: 10


So, have you actually built bitcoind on any linux OS (particularly RH or BSD) ... besides downloaded the pre-chewed windows binaries or ubuntu packages?

Seems you are making lots of sweeping statements without actually getting your hands dirty here.

I ported Android to the vending machines. And if you have barely any knowledge of how Android is structured, you would know how complex this task is. Obviously I was not alone.


Anyhow, did this change anything? Are we speaking about facts or people?
full member
Activity: 140
Merit: 100
Sure. We take a statistic (Psi) which in our hypothesis is strongly connected to security. Then we take a probability space given by (Critical flaws, Running servers).

So what are you doing now?

You have assumed that some variable is strongly connected to some vaguely defined concept. Then without defining the mapping between that and your sample set (just because A correlates with B doesn't mean it's 1:1). Then you look like you are just assuming that the R is .99?

Ever hear of showing your work?
member
Activity: 140
Merit: 10

Depends on what you mean.

LOLOLOLOL

Third line on Wikipedia:


Quote

It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating system kernels, such as Linux and that of BSD.



Obviously, when you people bought the paper that allows you to call yourself an engineer, they forgot to tell you that if you want to be a good professional you need to be able to read, not only have money to make stupid tests.

LOLOLOL
member
Activity: 84
Merit: 10
Something about a "stoneburner" as I recall, you wouldn't be in Japan by chance?