Topic: MtGox source code leaked ... - page 4. (Read 19023 times)

The reason and the how to of the hack might not be poor [or not] web backend. It could also be bad sys admin and bad system security or even just internal.

That was my thought. Does anyone know what the Eligius-MtGox partnership was formed? I know that it was it 2011, I just don't know the exact day.

It was estimated that MtGox was hacked by no less than 10 separate groups back in 2011 (one of which leaked the user DB, as we all know), so this could absolutely still be fallout from that.

If they were hacked that means something wasn't working properly (Is this really confirmed?). And obviously they didn't know how to handle bitcoin transactions properly. By no means has there been no problems, even if we ignore poor coding practises.

By what i see the SQL queries in the source do not use any user provided data, so it does not require an injection check 'cause there is no such risk.

Edit: there is user provided data, but as of now i can't find any that could be used for injection, i.e. $btc would generate an error if it is anything other than an interger number.

Let me tell u that I have worked with ING code and they use GOTO !!! This code is fine if it were written by Jed.

I don't know PHP but for me in this code , you have not check for SQL inject in the SQL requests ?

I don't see any problem with the code,  the issues reported in the articles are just modern recommended programming practices. They do not mean the code by itself is wrong or unsafe.

Regarding that, the banking system is much worse, still lots of source using 'go to' labels in COBOL. Hopefully writen in the best programming practices from 1967.

Hey folks, new here and happen to also be a LAMP developer (not considering creating an exchange yet ...

I just wanted to jump in here and defend LAMP stacks.

Linux/Apache/MySQL/PHP (LAMP) CAN be highly secure depending on how the code is written.

This forum runs on PHP, most major banking site's fronted is PHP...

The problem comes in when people write insecure code, you can just as easily write insecure C+ or Python as insecure PHP...

I guess my point is dont bash the platform, bash the developer

Are you sur this code was not theft back in 2011 ?

 Oh fuck. Now there is going to be a bunch of mini mtgoxes.

Well I think we are done. 

Mark Karpeles   Mobile: 03-4550-1529
            [email protected] 

I don't protect Gox. Their coding paradigm was heavily used before invention of OOP and I don't see why it can't be used nowadays.

Hm, guys upthread do the same. Perhaps it's me who is wrong. I prefer one monster super class...

Stop protecting Gox.

This is much worse.  A whole new slew of lawsuits heading their way.

I do own (well partially) an exchange, and I did initially did code it all myself.  I still used concepts like scope delineation, separation of concerns, encapsulation of internal details, test driven development (unit tests), mocking, inversion of control, etc to be used.  These aren't just academic ideals, they are used every day in millions of software projects.  One programmer or one hundred there are reasons code is broken into logical groupings not one monster horribly do everything superclass.  The later produces fragile, unmaintainable, untestable code with the very obvious and expected end result.

I am not gods gift to software engineering but I have written hobbyist projects which had better design.

I think the articles sums it up
All these things don't belong in the same class.  The http header generator doesn't need to know about the business logic, the SQL connectivity doesn't need to know about the routing.  Good software is hard, the capabilities of the computers, and languages already push the limits of what humans can process effectively.  Software developers use design tools to help the human manage the code/project.  You could write a web application in machine code if you wanted to, ultimately it all ends up there anyways but try spotting a bug in something low level like that.  High level languages were developed to allow a better code view.

Personally I am no fan of php for a variety of reasons but php doesn't mean you have to write code like the leaked gox source.  It is possible to write good (or at least better) php.  The major issue isn't the choice of language but how that language was (mis)used.

More: php uses weak/'implicit' typing which means you never really know what type you are dealing with, unless you explicitly state so in the code. This might be fine for simple web-servers or some forum software, but it makes php inherently useless for high security applications.

^This is amateur grade code at best, and now we see the result...

edit: @gollum: Exactly!!

Bitcoinica failed for the same reason - bad coding and no security.

As a website dealing with millions of user funds, their security should have been on par with that of big banks.

Does Deutsche Bank use php? Does HSBC use fucking MYSQL??? Do any of those banks comment out lines in production code for debugging?!?!?!?


That's exactly the problem, it shouldn't be written by only one clueless guy!!!