Pages:

Author

Topic: About Mt. Gox flaw from a security expert - page 7. (Read 34165 times)

marcus_of_augustus

legendary

Activity: 3920

Merit: 2349

Eadem mutata resurgo

Quote from: muad_dib on June 21, 2011, 02:22:36 AM

Quote from: marcus_of_augustus on June 20, 2011, 08:52:02 PM

Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.

I don't think we need to run bitcoind on BSD. You can or you can't, depends on your choice.

The web frontend needs to run on bsd, FOR SURE.

So, have you actually built bitcoind on any linux OS (particularly RH or BSD) ... besides downloaded the pre-chewed windows binaries or ubuntu packages?

Seems you are making lots of sweeping statements without actually getting your hands dirty here.

muad_dib

member

Activity: 140

Merit: 10

Quote from: cunicula on June 21, 2011, 02:56:10 AM

Sorry i don't understand how this to relates to these websites. Could you explain what your hypothesis is and how you would go about testing it in words?

Sure. We take a statistic (Psi) which in our hypothesis is strongly connected to security. Then we take a probability space given by (Critical flaws, Running servers).

Of this space we take a sample (2005-2011 for example), and on this sample we make a measure using the statistic.

We build then an hypotesis test:

H1: Psi(linux) = Psi(BSD)

H2: Psi(linux) > Psi(BSD)

Picking a high confidence level (0.99), we can say that H1 is false.

Quote

Is this Psi you mention a random variable? I thought you said it was a parameter? But then it is a constant, no? I'm really confused. Please, OP help me out? This statistics stuff is confusing.

No it is a statistic, or a function over a sample.

[

jgraham

full member

Activity: 140

Merit: 100

Quote from: muad_dib on June 21, 2011, 02:55:58 AM

It looks like you have a lot of spare time

Maybe you should find yourself a job, this would also reduce the hate in your posts.

Ooooh snap! Yawn. Where's that argument you were trying to make? Oh let me guess it's all the readers fault...and you're being *sniff* insulted and you're bored...anything else? Sheeesh I rarely see someone spend as much time saying nothing as you have in this thread.

jgraham

full member

Activity: 140

Merit: 100

Quote from: muad_dib on June 21, 2011, 02:52:17 AM

Quote from: jgraham on June 21, 2011, 02:39:48 AM

What happened to talking about facts? That's just conjecture.

I got bored of you flamers.

What there was less than 10 min between your assertion that you were talking about facts. I guess that's what you say when you can't defend your position? That and assertions that people can't read the language you obviously have only marginal competence writing in?

Quote

You discuss like you're an expert about selinux, still you missed that it isn't just for linux.

Depends on what you mean. As is becoming your habit you just make vague statements rather than facts. Actually make an argument for a change and we'll talk...but of course that would open you up to being wrong. Which is a good reason why you won't. ;-)

cunicula

legendary

Activity: 1050

Merit: 1003

Quote

Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi = [ ( # of serious security flaws - 1 ) / ( # of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99, the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Quote

Were You asking me?

http://en.wikipedia.org/wiki/Statistical_hypothesis_testing

http://en.wikipedia.org/wiki/Statistic

http://en.wikipedia.org/wiki/Confidence_level

http://en.wikipedia.org/wiki/Statistically_significant

Sorry i don't understand how this to relates to these websites. Could you explain what your hypothesis is and how you would go about testing it in words? Is this Psi you mention a random variable? I thought you said it was a parameter? But then it is a constant, no? I'm really confused. Please, OP help me out? This statistics stuff is confusing.

muad_dib

member

Activity: 140

Merit: 10

Quote from: jgraham on June 21, 2011, 02:52:26 AM

I think this point stands mousey!

It looks like you have a lot of spare time

Maybe you should find yourself a job, this would also reduce the hate in your posts.

Maybe you're enough qualified for this job. I don't know. Anyhow I'm sure they will be more than happy to receive your application.

BBanzai

member

Activity: 84

Merit: 10

Ahhhh, little mouse, still boxing with shadows when you could be saving the world? I expected better of an Atreides.

jgraham

full member

Activity: 140

Merit: 100

Quote from: muad_dib on June 21, 2011, 02:41:54 AM

Quote from: jgraham on June 20, 2011, 07:19:56 PM

i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app. New code tends to mean new bugs. It's often a case of the devil you know vs. the devil you don't.

Please, go to the authors of Wayland and stop them while you're still in time!!!
X can be patched! we dont need wayland!!!!

Well I guess you don't win any reading awards.

Quote

ii) It seems to imply that you couldn't just do a parallel development. MG definitely has money and they are hiring. No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.

Quote

the fact is that the website is not safe TODAY not tommorrow.

If it will take a month to rewrite the code from scratch, do all end-to-end testing and it is considered infeasible to take the site down. Then the site will be up whether they are re-writing the code or not. So you might as well write the new code. Clearly your experience with SDLC is a little thin.

Quote

These two assumptions make me wonder if you've every really been involved in large-scale development work.

I think this point stands mousey!

muad_dib

member

Activity: 140

Merit: 10

Quote from: jgraham on June 21, 2011, 02:39:48 AM

What happened to talking about facts? That's just conjecture.

I got bored of you flamers.

You discuss like you're an expert about selinux, still you missed that it isn't just for linux.

You can't know how funny your people are.

The problem is that I can't joke all day long, I've got a job. Unlike some of you

muad_dib

member

Activity: 140

Merit: 10

Quote from: CubedRoot on June 20, 2011, 11:07:27 PM

I realized this guy was a dumbass when I read number 1. I am a Redhat Certified Engineer, and I have several close friends and co-workers that are Linux Administrators for DoD, ORNL, and Y-12 (All in Tennessee). Here is a reason why every single freaking one of these institutions rely on LINUX (mostly RHEL) for the utmost security. The OP has obviously no idea what SELinux is or just how actually secure it is. Its a shame there are so many self declared "security experts" involved with Bitcoin. I am no expert, but I do know my ass from a hole in the ground.

You know? You're funny.

You call yourself engineer because you bought a piece of paper, still you dont know that SElinux is not only for linux. But obviously you saw linux in the name, and tried to make a conclusion.

You call yourself an engineer, still you don't know that there are much better ways to secure a webserver, which aren't going to stop some of your services.

muad_dib

member

Activity: 140

Merit: 10

Quote from: jgraham on June 20, 2011, 07:19:56 PM

Please, go to the authors of Wayland and stop them while you're still in time!!!

X can be patched! we dont need wayland!!!!

Quote

the fact is that the website is not safe TODAY not tommorrow.

With all the money they have, they can buy a lot of manhours for debugging.

Quote

These two assumptions make me wonder if you've every really been involved in large-scale development work.

Anyway looks like the mouse has taken his ball and gone home...

this sentence give me the proof that not only you lack basic reading skills, but you also lack reasoning skills.

jgraham

full member

Activity: 140

Merit: 100

Quote from: muad_dib on June 21, 2011, 02:21:01 AM

Maybe you missed all the insults I got.

The most recent thing you labeled a "insult" was my statement that you "betrayed your skillset". Seems like you need reading lessons.

Quote from: jgraham on June 20, 2011, 07:17:46 PM

edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.

you simply need to read better my posts. If you lack basic reading skills is not my fault.

And yet you said: "It's a question of counting flaws and measuring uptime." Perhaps your huge ego has some room to accept the possibility that your problem with communication (and it's pretty clear you have one). Is with the writer not your readers.

Quote from: malapropism_dib

The web frontend needs to run on bsd, FOR SURE

What happened to talking about facts? That's just conjecture.

muad_dib

member

Activity: 140

Merit: 10

Quote from: marcus_of_augustus on June 20, 2011, 08:52:02 PM

Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.

I don't think we need to run bitcoind on BSD. You can or you can't, depends on your choice.

The web frontend needs to run on bsd, FOR SURE.

muad_dib

member

Activity: 140

Merit: 10

Quote from: minerX on June 20, 2011, 07:07:19 PM

You sound like a deuchebag. Your original post and subsequent posts made me look at your posting history, and yup, you don't know shit.

Maybe you missed all the insults I got.

Quote from: jgraham on June 20, 2011, 07:17:46 PM

edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.

you simply need to read better my posts. If you lack basic reading skills is not my fault.

Quote from: CubedRoot on June 20, 2011, 11:07:27 PM

1. I am a Redhat Certified Engineer,

And I won a nobel for having the longest dick.

I'm sorrry but buying a certificate is not going to make you a more educated person. In my country we have something called "College Degree"

Moreover here we're discussing about facts, not people.

BBanzai

member

Activity: 84

Merit: 10

Admittedly outside of my experience, but I'm embarrassed by the "experts" in here that are experts at catching low-hanging fruit. Keep your enemies closer, as they say, what weapons do they wield?

jgraham

full member

Activity: 140

Merit: 100

Quote from: BBanzai on June 21, 2011, 01:13:53 AM

Its been "Open" VMS for quite some time now. I lost my hardon for programming about the time 386's became defacto...but as far as I can tell, real banks use VMS. So go hack, kids. And use a man's knife...I agree that the BSD's are hardened better than walking around scratching Linux, and Solaris is perhaps a better choice, again, because of who uses it. But if you want a sword and a suit of armor, learn VMS.

So are the default admin credentials still system/master on VMS?

Like I say it's not really that cut-and-dried are dozens of reasons to use an operating system that have nothing at all to do with security. Even if you are a bank. At the trust company I worked at we used VM/CMS. Why? Because we had an S/390 and we had a huge and profitable piece of software written for it. Was the system secure? Who knew? Although as time went on the edge systems were converted to AIX.

BBanzai

member

Activity: 84

Merit: 10

And to the little mouse in the moon. Arrogance will get you lots of places, but history says that you were blind.

BBanzai

member

Activity: 84

Merit: 10

cuddlefish

sr. member

Activity: 364

Merit: 250

Quote from: muad_dib on June 20, 2011, 05:00:17 AM

Quote from: Grinder on June 20, 2011, 04:41:37 AM

As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability in strongly connected to Security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though freebsd update process is more obscure).

The table show us that if you want to be the most reliable, you need to choose unix.

Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even thought being freebsd smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 millions results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)

Anyhow let's put this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.

The Linux kernel uptime rolls over at 497 days. The system doesn't go down, the uptime is just reset.

Linux, incidentally, has more eyes, so more seen bugs.

I like freebsd, but linux is much better for sysadmins.

iBTC

newbie

Activity: 39

Merit: 0

Quote from: CubedRoot on June 21, 2011, 01:05:23 AM

Quote from: iBTC on June 21, 2011, 12:56:59 AM

Unfortunately this topic has turned into a dick-measuring contest.

Yeah, the waters cold aint it?