Topic: About Mt. Gox flaw from a security expert - page 7. (Read 34182 times)

legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo


Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.


I don't think we need to run bitcoind on BSD. You can or you can't, depends on your choice.


The web frontend needs to run on bsd, FOR SURE.

So, have you actually built bitcoind on any linux OS (particularly RH or BSD) ... besides downloading the pre-chewed windows binaries or ubuntu packages?

Seems you are making lots of sweeping statements without actually getting your hands dirty here.
member
Activity: 140
Merit: 10

Sorry, I don't understand how this relates to these websites. Could you explain what your hypothesis is and how you would go about testing it in words?

Sure. We take a statistic (Psi) which in our hypothesis is strongly connected to security. Then we take a probability space given by (Critical flaws, Running servers).

Of this space we take a sample (2005-2011 for example), and on this sample we make a measure using the statistic.

We then build a hypothesis test:

H1: Psi(linux) = Psi(BSD)

H2: Psi(linux) > Psi(BSD)


Picking a high confidence level (0.99), we can say that H1 is false.

Quote
Is this Psi you mention a random variable? I thought you said it was a parameter? But then it is a constant, no? I'm really confused. Please, OP help me out? This statistics stuff is confusing.


No, it is a statistic, i.e. a function over a sample.
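The post above describes the procedure in words: pick a statistic over a sample of (flaws, running systems), then test the hypothesis of equal values for Linux and BSD at a 0.99 confidence level. The following is an added example, not code from anyone in this thread, showing how such a comparison is normally carried out with an exact test. The statistic used is flaws per unit of exposure (e.g. system-years), not the poster's own Psi; the flaw counts 61 and 3 are the figures claimed later in the thread, while the exposure values are constructed assumptions, labelled as such in the code.

```python
"""Exact one-sided comparison of two flaw rates (added example, not from the thread)."""
from math import comb


def binom_upper_tail(k: int, n: int, p: float) -> float:
    """Return P[X >= k] for X ~ Binomial(n, p), summed exactly with math.comb."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k, n + 1))


def flaws_per_exposure(flaws: int, exposure: float) -> float:
    """The statistic used here: flaws normalised by exposure (e.g. system-years)."""
    return flaws / exposure


def rate_ratio_pvalue(flaws_a: int, exposure_a: float,
                      flaws_b: int, exposure_b: float) -> float:
    """One-sided exact test of H0: equal flaw rates vs H1: platform A's rate is higher.

    Conditional on the combined count n = flaws_a + flaws_b, under H0 the count
    on A is Binomial(n, p0) with p0 = exposure_a / (exposure_a + exposure_b).
    The p-value is the probability of seeing at least flaws_a flaws on A.
    """
    n = flaws_a + flaws_b
    p0 = exposure_a / (exposure_a + exposure_b)
    return binom_upper_tail(flaws_a, n, p0)


def compare(flaws_a: int, exposure_a: float, flaws_b: int, exposure_b: float,
            alpha: float = 0.01) -> dict:
    """Run the test at significance alpha (0.01 corresponds to a 0.99 confidence level)."""
    p = rate_ratio_pvalue(flaws_a, exposure_a, flaws_b, exposure_b)
    return {
        "psi_a": flaws_per_exposure(flaws_a, exposure_a),
        "psi_b": flaws_per_exposure(flaws_b, exposure_b),
        "p_value": p,
        "reject_h0": p < alpha,
    }


# Counts are the ones claimed later in this thread (61 privilege-escalation bugs
# for Linux vs 3 for FreeBSD over 7 years). The exposures are CONSTRUCTED
# assumptions for illustration only, not measured install bases.
FLAWS_LINUX, FLAWS_BSD = 61, 3
NAIVE = compare(FLAWS_LINUX, 1.0, FLAWS_BSD, 1.0)        # assume equal exposure
NORMALISED = compare(FLAWS_LINUX, 20.0, FLAWS_BSD, 1.0)  # assume 20x more Linux systems

if __name__ == "__main__":
    for label, r in (("equal exposure", NAIVE), ("20:1 exposure", NORMALISED)):
        print(f"{label}: psi_linux={r['psi_a']:.3f} psi_bsd={r['psi_b']:.3f} "
              f"p={r['p_value']:.3g} reject_h0_at_0.99={r['reject_h0']}")
```

With equal exposure assumed, the raw counts reject H0 easily; with the (constructed) 20:1 exposure ratio the same counts give a p-value around 0.64 and nothing can be concluded. The conclusion is driven entirely by the denominator, which is why a flaw count without a measured install base does not support a confidence statement either way.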


full member
Activity: 140
Merit: 100
It looks like you have a lot of spare time :)
Maybe you should find yourself a job, this would also reduce the hate in your posts.

Ooooh snap!  Yawn.  Where's that argument you were trying to make? Oh let me guess, it's all the readers' fault...and you're being *sniff* insulted and you're bored...anything else?  Sheeesh, I rarely see someone spend as much time saying nothing as you have in this thread.

full member
Activity: 140
Merit: 100
What happened to talking about facts?  That's just conjecture.
I got bored of you flamers.
What? There was less than 10 min between your assertion that you were talking about facts.  I guess that's what you say when you can't defend your position?  That and assertions that people can't read the language you obviously have only marginal competence writing in?

Quote
You discuss like you're an expert about selinux, still you missed that it isn't just for linux.
Depends on what you mean.  As is becoming your habit you just make vague statements rather than facts.  Actually make an argument for a change and we'll talk...but of course that would open you up to being wrong.   Which is a good reason why you won't. ;-)
legendary
Activity: 1050
Merit: 1003
Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Quote

Sorry, I don't understand how this relates to these websites. Could you explain what your hypothesis is and how you would go about testing it in words? Is this Psi you mention a random variable? I thought you said it was a parameter? But then it is a constant, no? I'm really confused. Please, OP help me out? This statistics stuff is confusing.
member
Activity: 140
Merit: 10


I think this point stands mousey!

It looks like you have a lot of spare time :)

Maybe you should find yourself a job, this would also reduce the hate in your posts.

Maybe you're qualified enough for this job. I don't know. Anyhow I'm sure they will be more than happy to receive your application.
member
Activity: 84
Merit: 10
Ahhhh, little mouse, still boxing with shadows when you could be saving the world?  I expected better of an Atreides.
full member
Activity: 140
Merit: 100
i) Re-writes are rarely the answer and if you must do them, targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.  
Please, go to the authors of Wayland and stop them while you're still in time!!!
X can be patched! We don't need Wayland!!!!

Well I guess you don't win any reading awards.

Quote
ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.
Quote
The fact is that the website is not safe TODAY, not tomorrow.
If it will take a month to rewrite the code from scratch, do all end-to-end testing, and it is considered infeasible to take the site down, then the site will be up whether they are re-writing the code or not.  So you might as well write the new code.  Clearly your experience with SDLC is a little thin.


Quote
These two assumptions make me wonder if you've ever really been involved in large-scale development work.

I think this point stands mousey!
member
Activity: 140
Merit: 10

What happened to talking about facts?  That's just conjecture.

I got bored of you flamers.


You discuss like you're an expert about selinux, still you missed that it isn't just for linux.


You can't know how funny your people are.

The problem is that I can't joke all day long, I've got a job. Unlike some of you :)
member
Activity: 140
Merit: 10

I realized this guy was a dumbass when I read number 1.  I am a Redhat Certified Engineer, and I have several close friends and co-workers that are Linux Administrators for DoD, ORNL, and Y-12 (all in Tennessee).  Here is a reason why every single freaking one of these institutions relies on LINUX (mostly RHEL) for the utmost security. The OP has obviously no idea what SELinux is or just how actually secure it is.  It's a shame there are so many self-declared "security experts" involved with Bitcoin.  I am no expert, but I do know my ass from a hole in the ground. 

You know? You're funny.

You call yourself an engineer because you bought a piece of paper, still you don't know that SELinux is not only for Linux. But obviously you saw Linux in the name, and tried to draw a conclusion.


You call yourself an engineer, still you don't know that there are much better ways to secure a webserver, which aren't going to stop some of your services.
member
Activity: 140
Merit: 10

i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.  


Please, go to the authors of Wayland and stop them while you're still in time!!!

X can be patched! We don't need Wayland!!!!

Quote

ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.


The fact is that the website is not safe TODAY, not tomorrow.

With all the money they have, they can buy a lot of manhours for debugging.

Quote

These two assumptions make me wonder if you've ever really been involved in large-scale development work.

Anyway looks like the mouse has taken his ball and gone home...

This sentence gives me the proof that not only do you lack basic reading skills, but you also lack reasoning skills.
full member
Activity: 140
Merit: 100
Maybe you missed all the insults I got.

The most recent thing you labeled an "insult" was my statement that you "betrayed your skillset".  Seems like you need reading lessons.
edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.  

You simply need to read my posts better. If you lack basic reading skills, it is not my fault.
And yet you said: "It's a question of counting flaws and measuring uptime."  Perhaps your huge ego has some room to accept the possibility that your problem with communication (and it's pretty clear you have one) is with the writer, not your readers.

Quote from: malapropism_dib
The web frontend needs to run on bsd, FOR SURE
What happened to talking about facts?  That's just conjecture.
member
Activity: 140
Merit: 10


Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.


I don't think we need to run bitcoind on BSD. You can or you can't, depends on your choice.


The web frontend needs to run on bsd, FOR SURE.
member
Activity: 140
Merit: 10


You sound like a douchebag.  Your original post and subsequent posts made me look at your posting history, and yup, you don't know shit.  

Maybe you missed all the insults I got.


edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.  




You simply need to read my posts better. If you lack basic reading skills, it is not my fault.


 1.  I am a Redhat Certified Engineer,


And I won a nobel for having the longest dick.

I'm sorry, but buying a certificate is not going to make you a more educated person. In my country we have something called a "College Degree".

Moreover here we're discussing about facts, not people.
member
Activity: 84
Merit: 10
Admittedly outside of my experience, but I'm embarrassed by the "experts" in here that are experts at catching low-hanging fruit.  Keep your enemies closer, as they say, what weapons do they wield?
full member
Activity: 140
Merit: 100
It's been "Open" VMS for quite some time now.  I lost my hardon for programming about the time 386's became de facto...but as far as I can tell, real banks use VMS.  So go hack, kids.  And use a man's knife...I agree that the BSD's are hardened better than walking around scratching Linux, and Solaris is perhaps a better choice, again, because of who uses it.  But if you want a sword and a suit of armor, learn VMS.

So are the default admin credentials still system/master on VMS?

Like I say, it's not really that cut-and-dried; there are dozens of reasons to use an operating system that have nothing at all to do with security.  Even if you are a bank.  At the trust company I worked at we used VM/CMS.  Why?  Because we had an S/390 and we had a huge and profitable piece of software written for it.  Was the system secure?  Who knew? Although as time went on the edge systems were converted to AIX.

member
Activity: 84
Merit: 10
And to the little mouse in the moon.  Arrogance will get you lots of places, but history says that you were blind.
member
Activity: 84
Merit: 10
It's been "Open" VMS for quite some time now.  I lost my hardon for programming about the time 386's became de facto...but as far as I can tell, real banks use VMS.  So go hack, kids.  And use a man's knife...I agree that the BSD's are hardened better than walking around scratching Linux, and Solaris is perhaps a better choice, again, because of who uses it.  But if you want a sword and a suit of armor, learn VMS.
sr. member
Activity: 364
Merit: 250

As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though the FreeBSD update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by" + linux: 2.3 million results

Google "Hacked by" + FreeBSD: 230,000 results (one fold less!!!)


Anyhow, let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.


The Linux kernel uptime rolls over at 497 days. The system doesn't go down, the uptime is just reset.

Linux, incidentally, has more eyes, so more seen bugs.

I like freebsd, but linux is much better for sysadmins.
newbie
Activity: 39
Merit: 0
Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the water's cold, ain't it?
:]