
Topic: About Mt. Gox flaw from a security expert - page 9. (Read 34165 times)

full member
Activity: 140
Merit: 100


Before just touting stuff, at least provide your sources.

Windows is not compliant itself. It is the combination of the software used and OS.

Compliance is very expensive, and it is much more expensive on windows than linux.


Sorry, but quickly googling this time didn't cut it >)

I think you've betrayed your skillset (again).  Level 1 vendor compliance is expensive.   It's not just expensive in CAPEX, it's also expensive in OPEX.   Many vending machines would only need level 4 compliance.
member
Activity: 140
Merit: 10


Still don't see your sources, maybe I missed them.  You've probably never actually gotten PCI compliance for an entire organization.

for an entire organization no.

For a bank yes.

Maybe banks are not safe enough for you.


Quote
Oh, and Windows IS compliant itself, running nothing but anti-virus, desktop firewall enabled, having automatic screen lockouts, currently patched, and rotating passwords in a timely (< 90 day) fashion.

You just forgot the credit card part.
member
Activity: 84
Merit: 10


Before just touting stuff, at least provide your sources.

Windows is not compliant itself. It is the combination of the software used and OS.

Compliance is very expensive, and it is much more expensive on windows than linux.


Sorry, but quickly googling this time didn't cut it >)

Still don't see your sources, maybe I missed them.  You've probably never actually gotten PCI compliance for an entire organization.
Oh, and Windows IS compliant itself, running nothing but anti-virus, desktop firewall enabled, having automatic screen lockouts, currently patched, and rotating passwords in a timely (< 90 day) fashion.  Just because the example I cited is one talking about an application, doesn't invalidate that Windows XP can be compliant, something you stated it could not be.

Or trying to get PCI DSS compliance for XP.

As stated above, piece of cake.
full member
Activity: 140
Merit: 100
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

I contend that if you are making an argument then it's up to you to support it.   Clearly, he doesn't need to convince you.  That's well and good but it still leaves the point as conjecture.

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".  Speaking as a member of the aforementioned "CS community" (a la Dijkstra :-) )

Referring to a commonly known fact, such as the security of BSD vs Linux, is not an argument.
If it were a fact, then you would be able to point to some clear and objective evidence of that right?  (Keep in mind that because you are referring to 'security' as some kind of blanket term you'd be responsible for providing that kind of evidence for the majority of aspects of the term and of course how exactly you know that your set of aspects is the majority).

Quote
Even if there happens to be a gainsaying fanboi present to dispute the widely recognized consensus reality.
Nice labeling there, mac.  This isn't gainsaying.  I, simply as an IT security professional and the holder of a degree in computer science, have seen no set of well-defined, broadly scoped evidence that BSD is superior in "security" to Linux.  Nor, in my conversations with other security professionals or members of the CS community (like my alumni, Usenix attendees), do I see any clear consensus as to the superiority of BSD.  I have, certainly, met people who make that claim, but they always seem to fall down when trying to come up with a general definition of security, or if they do, they fall down in substantiating it with regard to their favored OS/Platform/Giant Spider.  Ergo it seems reasonable to me to call such a term "complex"; furthermore, given that even the most secure systems from a theoretical point of view can be entirely undone in implementation (such as EMF side-channel attacks on QKDS), it seems again reasonable to me to call such a system "nuanced".  Given these two facts (using the term correctly here), I think it is entirely justified to be mistrustful of any and all who consider "security" as an open and shut case for product (or platform or giant spider) X over product (you get the idea) Y.
Quote
Please re-read my use of the phrase "well-known" in its proper context of me speaking about the real CS community.  And by "real" I mean EECS engineers and computer scientists, not cloud-happy corporate consultants and l33t Geek Squad linux fanboi.

What do you want from me here, guy? The two sentences above tell me to look at your use of the term "well-known" as: your opinion of the opinions of two very large groups, of which your sample size is probably so small and poorly randomized it's useless.  Not to mention that even if the majority of those two groups held the opinion you claim, it still isn't necessarily meaningful.  Computer Science and EECS people do not always have a background in computer security, making their opinion anywhere from questionable to useless.   Given the size of the groups and the variance in the population's skill set you could easily be getting the opinion of the least qualified people. I mean, would you really rank the opinion of someone whose focus was in Combinatorics or AI or Queuing Theory as equal or greater than Bruce Schneier or (going old school) D. J. Bernstein when it comes to an application or operating system's "security"?  If you don't, then how many Combinatoricists, AI researchers or Queuing Theorists make one Bruce or Dan?

Not to mention it's not hard to find high-profile people in computer security who disagree on "well-known" concepts.
member
Activity: 140
Merit: 10


Before just touting stuff, at least provide your sources.

Windows is not compliant itself. It is the combination of the software used and OS.

Compliance is very expensive, and it is much more expensive on windows than linux.


Sorry, but quickly googling this time didn't cut it >)
member
Activity: 84
Merit: 10

Some people would also find it easier to run Windows XP on your vending machine.

Good luck running XP on ARM. Without a GUI.

Or trying to get PCI DSS compliance for XP.

PCI compliance for XP is easy.  SP3 is compliant if properly virus protected.
Before just touting stuff, at least provide your sources.

From:  http://www.transactpos.com/Integrations/VeriFone/PCICompliance/tabid/146/Default.aspx
Quote
What versions of Windows are PCI Compliant?
     Vista Business Edition (32-Bit)
     Vista Home Premium (32-Bit)
     Vista Home Basic Edition (32-Bit)
     Windows XP Professional Edition (32-Bit)
     Windows 2003 Server Edition (32-Bit)
member
Activity: 140
Merit: 10

Some people would also find it easier to run Windows XP on your vending machine.

Good luck running XP on ARM. Without a GUI.

Or trying to get PCI DSS compliance for XP.
member
Activity: 140
Merit: 10

Yes, that's many lines, but not in the core code; that excludes all the drivers (90%),

Drivers don't account for that much. They are roughly 55%.

http://cityblogger.com/archives/2008/06/16/linux-kernel-stats

Quote
and all the archs (5-8%) (except x86 and ARM).

I'm sure you know that source code doesn't depend on archs, as archs are handled by compilers.

But I'm sure you know that.

Quote
The FreeBSD source only confused me.

I think your confusion might not arise from BSD.
legendary
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

I contend that if you are making an argument then it's up to you to support it.   Clearly, he doesn't need to convince you.  That's well and good but it still leaves the point as conjecture.

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".  Speaking as a member of the aforementioned "CS community" (a la Dijkstra :-) )

Referring to a commonly known fact, such as the security of BSD vs Linux, is not an argument.

Even if there happens to be a gainsaying fanboi present to dispute the widely recognized consensus reality.

I always find it interesting that people want to refer to the principal concepts of a conversation as "complex" and "nuanced" as a way to appear more deeply thoughtful than the other participants.

BSD is not merely a security "product"; it's the platform that the internet, and later the web, was built on and still runs on, to a large extent.

Please re-read my use of the phrase "well-known" in its proper context of me speaking about the real CS community.  And by "real" I mean EECS engineers and computer scientists, not cloud-happy corporate consultants and l33t Geek Squad linux fanboi.
member
Activity: 140
Merit: 10
May I ask, to the poster of this topic, if any of you have ever deployed a PCI DSS compliant infrastructure?
full member
Activity: 140
Merit: 100
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".
Aah too true, ethereal propaganda at its finest.

They work well on management types as well:
"All your competitors use X because it's known to be more secure"
"You need to use Y because it is proven to be more efficient"
"Recent research has shown that Z has the best uptime"

For less technically savvy managers, consider replacing "secure" with "virus-proof", "efficient" with "virus-resistant" and "uptime" with "virus protection".

Ok, Tim, don't take this the wrong way, but I love you.

I'm well familiar with that situation.  Some of the research these "whitepapers" quote ranges from funny to insulting.   I remember once someone gave me some vendor rag that said "Model XXX rackmounted server is 15% more power efficient than the average for its class".  I wish I could have been the math teacher for the writer of that article... so I could fail him.

It gets worse.  I used to get a bunch of security trades (because as soon as that word gets attached to your title people want to start selling you stuff).  I read a comparison of email filter appliances and it ranked them on about four criteria... except how they filtered email.

I canceled all my subscriptions.
newbie
Activity: 27
Merit: 0
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".
Aah too true, ethereal propaganda at its finest.

They work well on management types as well:
"All your competitors use X because it's known to be more secure"
"You need to use Y because it is proven to be more efficient"
"Recent research has shown that Z has the best uptime"

For less technically savvy managers, consider replacing "secure" with "virus-proof", "efficient" with "virus-resistant" and "uptime" with "virus protection".
full member
Activity: 140
Merit: 100
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

I contend that if you are making an argument then it's up to you to support it.   Clearly, he doesn't need to convince you.  That's well and good but it still leaves the point as conjecture.

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".  Speaking as a member of the aforementioned "CS community" (a la Dijkstra :-) )
newbie
Activity: 27
Merit: 0
In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
Actually, in my experience in the CS community I'd say that it has gone more and more Windows centric. There are good points (Windows Server is obviously a lot better than XP these days) and not so good points (et al etc etc) to that, but it seems to be the trend regardless, sadly. I'm seeing more and more "critical infrastructure" running on Windows as time goes on, even more so as people rush to outsource services (no matter how critical) to "the cloud" and similar hypervised systems. I suspect that this says more about corporate sponsorship than actual technical benefits.

If I was setting up an online exchange, I would use Red Hat Linux for the public-facing front-ends.

I would use Red Hat Linux for the database servers, both master and slaves. 

But for the critical stuff, such as the bitcoind instance, email, and SSL, etc. there is no choice except for the decision between FreeBSD and OpenBSD.  I'd go with OpenBSD for the firewall, and FreeBSD for bitcoind.  NetBSD for email.  My users would get nothing less than the most secure set-up available outside NSA.
I wouldn't. I wouldn't do any of that. Far from it, the first and only thing I'd do is outsource all the technical requirements to a third-party company. Probably one such as the one you own/work for. Then I'd put in place a whole load of over the top SLAs so that when (not "if") the brown stuff hits the fan, I can pass all the blame on to you.

The biggest danger in the world of the internet is not whether one uses Windows or Linux or OS X or FreeBSD. The biggest danger are one-man armies who think that they can knock things like this together all by themselves. No matter how clever you are, or how much experience or qualifications you have, you still need to eat, sleep and visit the toilet.

The reason that we get so many up-start disasters like this is precisely because they are set up by people who think that they are going to do one better than the last person. And there is always someone waiting to come along who will think of something you didn't think of. You can have the best operating system in the world, but if Doris the cleaner unplugs the box to put the vacuum cleaner on, it all goes down. Taking responsibility for other people's money is a dangerous game fraught with risk, and I wouldn't touch it to begin with.
full member
Activity: 140
Merit: 100
LOL. You don't know what you are talking about.
For your information, I can say that I'm right now on Gentoo; my home server runs Ubuntu. I also have another computer which runs CentOS 5.
The FreeBSD userland is much easier to understand than the kernel land.

I'm a Gentoo convert (from OpenBSD actually). Are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)
No, not using the hardened one. I did not find it necessary on a laptop; if it was a server I would have chosen a hardened profile.

Ah, didn't see that bit.  I'd also recommend the GrSecurity patches (I know that SELinux is part and parcel of Gentoo these days, but I think that in general the learning capabilities of GrSec outweigh the flexibility of SELinux in real-world deployments).  I left OpenBSD when Theo D. seemed to be becoming more unhinged than usual.  I haven't used FreeBSD since 1997, and I'm sure it's a fine OS; some of the papers I've read show kernel I/O calls with impressively low latency.   That said, there is little reason to believe that a well-deployed Linux box is any worse off than a well-deployed FreeBSD box, especially on such a poorly defined term as "security".  Were I you, I'd just leave the mouse alone.  Most of the arguments I've read from him are specious.  The only impressive thing he's done is change the argument scope on you.  PM me if you have questions about Linux security.
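The hardened-profile question in the exchange above comes down to something checkable: whether a binary on the box was actually built with PIE, a non-executable stack and (full) RELRO, which is what a hardened toolchain is supposed to emit. The script below is an added example, not code from this thread or from any poster; it parses the ELF64 headers by hand with only the standard library, and the `build_sample_elf` helper fabricates tiny, non-runnable ELF images purely as constructed test input. It assumes little-endian ELF64 (x86-64 / aarch64 style); on a real Gentoo box, `scanelf` from pax-utils reports the same flags.

```python
"""Check the userland hardening flags a hardened toolchain is expected to
produce on an ELF64 binary: PIE (ET_DYN), non-executable stack
(PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO) and full RELRO
(BIND_NOW in the dynamic section).  Standard library only.
Added example; not from the thread.  Assumes little-endian ELF64."""
import struct
import sys

# ELF constants (values as in elf.h)
ET_DYN = 3                 # PIE executables (and shared objects) are ET_DYN
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr (64 bytes), little-endian
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr (56 bytes)
DYN_FMT = "<qQ"                  # Elf64_Dyn: d_tag, d_val (16 bytes)


def check_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'nx_stack': bool, 'relro': 'none'|'partial'|'full'}
    for an ELF64 little-endian image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    nx_stack = False      # no PT_GNU_STACK at all: treat as executable stack
    relro_segment = False
    dynamic = None        # (file offset, size) of the PT_DYNAMIC segment
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, _msz, _al = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro_segment = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # Full RELRO needs the loader to bind everything at startup (BIND_NOW),
    # otherwise the GOT stays writable and the RELRO segment is only partial.
    bind_now = False
    if dynamic:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + 16 <= end:
            tag, val = struct.unpack_from(DYN_FMT, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
            off += 16
    relro = "full" if relro_segment and bind_now else \
            "partial" if relro_segment else "none"
    # Note: a shared library is also ET_DYN; for an executable, ET_DYN == PIE.
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack, "relro": relro}


def build_sample_elf(pie: bool, nx_stack: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed test data: a minimal, non-runnable ELF64 image with just
    enough headers for check_hardening() to inspect."""
    ehsize, phsize = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)
    phdrs = [(PT_GNU_STACK, 0x6 if nx_stack else 0x7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    dyn = struct.pack(DYN_FMT, DT_FLAGS, DF_BIND_NOW if bind_now else 0) \
        + struct.pack(DYN_FMT, DT_NULL, 0)
    n_ph = len(phdrs) + 1                       # plus the PT_DYNAMIC entry
    dyn_off = ehsize + n_ph * phsize            # dynamic section right after phdrs
    phdrs.append((PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else 2, 62, 1, 0,
                       ehsize, 0, 0, ehsize, phsize, n_ph, 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + dyn


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /path/to/binary   (script name is hypothetical)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_hardening(fh.read()))
```

A binary from a hardened profile should report `pie: True`, `nx_stack: True`, `relro: 'full'`; a `relro: 'partial'` result means the link was done without `-z now`, which leaves the GOT writable and is the usual gap between "hardened" in name and in practice.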
legendary
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
Did you really read MILLIONS of lines of code?  ... Imagine you read 50% of it, at one second per line (whoa, you're a living compiler), it makes 158 years.
You know, it is possible to be absolutely right and yet still come across as a bit of a dick...

You mean like someone who implies that (surprise!) some unspecified flavor of Linux is more secure than BSD, claims to have read the source code for both, then admits he actually hasn't, all while sporting a Tux avatar?

By all means, let's indulge them and clap and sing their fanboi praises while they piss on us and say it's rain.
legendary
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).

The vending machine story is a great parable of why sometimes you really, really want an OS designed by electronic engineers to be secure and robust, instead of a hobbyist's toy that is beloved by hipster dot-com wannabe types and businesses that love getting a cheap knockoff version of genuine, authentic Unix.

Let's bring the discussion back to MtGox.

If I was setting up an online exchange, I would use Red Hat Linux for the public-facing front-ends.

I would use Red Hat Linux for the database servers, both master and slaves. 

But for the critical stuff, such as the bitcoind instance, email, and SSL, etc. there is no choice except for the decision between FreeBSD and OpenBSD.  I'd go with OpenBSD for the firewall, and FreeBSD for bitcoind.  NetBSD for email.  My users would get nothing less than the most secure set-up available outside NSA.



The fanbois really should realize there is life beyond LAMP.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
LOL. You don't know what you are talking about.
For your information, I can say that I'm right now on Gentoo; my home server runs Ubuntu. I also have another computer which runs CentOS 5.
The FreeBSD userland is much easier to understand than the kernel land.

I'm a Gentoo convert (from OpenBSD actually). Are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)
No, not using the hardened one. I did not find it necessary on a laptop; if it was a server I would have chosen a hardened profile.
newbie
Activity: 27
Merit: 0
Did you really read MILLIONS of lines of code?  ... Imagine you read 50% of it, at one second per line (whoa, you're a living compiler), it makes 158 years.
You know, it is possible to be absolutely right and yet still come across as a bit of a dick...
full member
Activity: 140
Merit: 100
LOL. You don't know what you are talking about.
For your information, I can say that I'm right now on Gentoo; my home server runs Ubuntu. I also have another computer which runs CentOS 5.
The FreeBSD userland is much easier to understand than the kernel land.

I'm a Gentoo convert (from OpenBSD actually). Are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)