Topic: MtGox source code leaked ... - page 4. (Read 19070 times)

full member
Activity: 140
Merit: 100
March 03, 2014, 01:52:05 PM
#31
Quote
If they were hacked that means something wasn't working properly (Is this really confirmed?). And obviously they didn't know how to handle bitcoin transactions properly. By no means have there been no problems, even if we ignore poor coding practises.

The reason and the how to of the hack might not be poor [or not] web backend. It could also be bad sys admin and bad system security or even just internal.
legendary
Activity: 1204
Merit: 1015
March 03, 2014, 01:47:30 PM
#30
Quote
Are you sure this code was not stolen back in 2011?
That was my thought. Does anyone know when the Eligius-MtGox partnership was formed? I know that it was in 2011, I just don't know the exact day.

It was estimated that MtGox was hacked by no less than 10 separate groups back in 2011 (one of which leaked the user DB, as we all know), so this could absolutely still be fallout from that.
legendary
Activity: 1190
Merit: 1004
March 03, 2014, 01:46:42 PM
#29
If they were hacked that means something wasn't working properly (Is this really confirmed?). And obviously they didn't know how to handle bitcoin transactions properly. By no means have there been no problems, even if we ignore poor coding practises.
sr. member
Activity: 364
Merit: 257
March 03, 2014, 01:43:51 PM
#28
Quote
don't see any problem with the code,  the issues reported in the articles are just modern recommended programming practices. They do not mean the code by itself is wrong or unsafe.

I don't know PHP, but from what I see in this code, you have not checked for SQL injection in the SQL requests?

From what I see, the SQL queries in the source do not use any user provided data, so it does not require an injection check 'cause there is no such risk.

Edit: there is user provided data, but as of now I can't find any that could be used for injection, i.e. $btc would generate an error if it is anything other than an integer number.
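An added illustration, not part of the thread or of the leaked code: in PHP a value like $btc interpolated into a query does not "generate an error" when it is not an integer, so the safe pattern is an explicit integer check plus a bound parameter. The trades table, its columns and the helper names are assumptions for the demo.

```php
<?php
// Added example (not MtGox code). Contrast "it would error on a bad value" with
// explicit validation and a parameterized query. Table and column names are assumed.
declare(strict_types=1);

/**
 * Reject anything that is not a plain positive integer before it reaches SQL.
 * FILTER_VALIDATE_INT returns false for "0 OR 1=1", "1e3", "" and " 1".
 */
function parseIntegerAmount(string $raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

/**
 * Fetch trades at or above an amount using a bound parameter, so the value is
 * never parsed as SQL no matter what the caller supplied.
 */
function findTradesAtLeast(PDO $db, string $rawBtc): array
{
    $btc = parseIntegerAmount($rawBtc);
    if ($btc === null) {
        throw new InvalidArgumentException('btc must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, amount FROM trades WHERE amount >= :btc');
    $stmt->bindValue(':btc', $btc, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo on in-memory SQLite: the string-built query silently accepts a
// hostile value (weak typing, no error), the validated path rejects it.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE trades (id INTEGER PRIMARY KEY, amount INTEGER)');
$db->exec('INSERT INTO trades (amount) VALUES (5), (50), (500)');

$hostile = '0 OR 1=1';
// PHP interpolates the string as-is; SQL sees "amount >= 0 OR 1=1" and returns every row.
$rows = $db->query("SELECT id FROM trades WHERE amount >= $hostile")->fetchAll();
echo 'unsafe query returned ' . count($rows) . " rows, no error\n";

try {
    findTradesAtLeast($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'validated path rejected input: ' . $e->getMessage() . "\n";
}
echo count(findTradesAtLeast($db, '10')) . " rows for a legitimate value\n";
```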
legendary
Activity: 2394
Merit: 1216
The revolution will be digital
March 03, 2014, 01:38:06 PM
#27
Quote
As a website dealing with millions of user funds, their security should have been on par with that of big banks.

Does Deutsche Bank use php? Does HSBC use fucking MYSQL??? Do any of those banks comment out lines in production code for debugging?!?!?!?

Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.

That's exactly the problem, it shouldn't be written by only one clueless guy!!!

Let me tell u that I have worked with ING code and they use GOTO !!! This code is fine if it were written by Jed.
newbie
Activity: 42
Merit: 0
March 03, 2014, 01:34:06 PM
#26
Quote
don't see any problem with the code,  the issues reported in the articles are just modern recommended programming practices. They do not mean the code by itself is wrong or unsafe.

I don't know PHP, but from what I see in this code, you have not checked for SQL injection in the SQL requests?
sr. member
Activity: 364
Merit: 257
March 03, 2014, 01:29:23 PM
#25
I don't see any problem with the code,  the issues reported in the articles are just modern recommended programming practices. They do not mean the code by itself is wrong or unsafe.

Regarding that, the banking system is much worse, still lots of source using 'go to' labels in COBOL. Hopefully written in the best programming practices from 1967.
legendary
Activity: 1258
Merit: 1027
March 03, 2014, 01:23:16 PM
#24
Hey folks, new here and happen to also be a LAMP developer (not considering creating an exchange yet)...

I just wanted to jump in here and defend LAMP stacks.

Linux/Apache/MySQL/PHP (LAMP) CAN be highly secure depending on how the code is written.

This forum runs on PHP, most major banking sites' frontend is PHP...

The problem comes in when people write insecure code, you can just as easily write insecure C++ or Python as insecure PHP...

I guess my point is don't bash the platform, bash the developer
newbie
Activity: 42
Merit: 0
March 03, 2014, 01:22:24 PM
#23
Are you sure this code was not stolen back in 2011?
legendary
Activity: 1386
Merit: 1053
Please do not PM me loan requests!
March 03, 2014, 01:20:43 PM
#22
Oh fuck. Now there is going to be a bunch of mini mtgoxes.
donator
Activity: 1218
Merit: 1079
Gerald Davis
March 03, 2014, 01:19:17 PM
#21
Quote
I prefer one monster super class...

Well I think we are done.
sr. member
Activity: 364
Merit: 257
March 03, 2014, 01:14:55 PM
#20
Mark Karpeles   Mobile: 03-4550-1529
            [email protected] 
legendary
Activity: 2142
Merit: 1010
Newbie
March 03, 2014, 01:06:57 PM
#19
Quote
Stop protecting Gox.

I don't protect Gox. Their coding paradigm was heavily used before invention of OOP and I don't see why it can't be used nowadays.
legendary
Activity: 2142
Merit: 1010
Newbie
March 03, 2014, 01:05:12 PM
#18
Quote
I do on an exchange, and I did initially code it all myself.  I still used concepts like separation of concerns.  One programmer or one hundred there are reasons code is broken into logical groupings not one monster horribly do everything super class.  It allows unit testing, bug fixing, and discrete upgrades.

Hm, guys upthread do the same. Perhaps it's me who is wrong. I prefer one monster super class...
legendary
Activity: 2674
Merit: 3000
Terminated.
March 03, 2014, 01:00:32 PM
#17
Quote
Um, this goes far beyond "not perfect".  It essentially breaks every rule in software design, resulting in a fragile, unmaintainable mess.

Quote
Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.
Stop protecting Gox.
hero member
Activity: 672
Merit: 500
March 03, 2014, 12:59:15 PM
#16
Oh and it gets worse

Quote
From the IRC chat of Nanashi and other hackers, it seems that the hacker also have access to a 20GB data dump of customer data along with passport scans.

This is much worse.  A whole new slew of lawsuits heading their way.
donator
Activity: 1218
Merit: 1079
Gerald Davis
March 03, 2014, 12:58:20 PM
#15
Quote
Um, this goes far beyond "not perfect".  It essentially breaks every rule in software design, resulting in a fragile, unmaintainable mess.

Quote
Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.

I do own (well partially) an exchange, and I did initially code it all myself.  I still used concepts like scope delineation, separation of concerns, encapsulation of internal details, test driven development (unit tests), mocking, inversion of control, etc.  These aren't just academic ideals, they are used every day in millions of software projects.  One programmer or one hundred there are reasons code is broken into logical groupings not one monster horribly do everything superclass.  The latter produces fragile, unmaintainable, untestable code with the very obvious and expected end result.

I am not god's gift to software engineering but I have written hobbyist projects which had better design.

I think the article sums it up
Quote
To sum up function _Route_getStats($path): XML production, JSON production, file writing, business logic, SQL commands, HTTP header fiddling, hard coded paging limits, multiple exit points...
All these things don't belong in the same class.  The http header generator doesn't need to know about the business logic, the SQL connectivity doesn't need to know about the routing.  Good software is hard; the capabilities of the computers and languages already push the limits of what humans can process effectively.  Software developers use design tools to help the human manage the code/project.  You could write a web application in machine code if you wanted to, ultimately it all ends up there anyway, but try spotting a bug in something low level like that.  High level languages were developed to allow a better code view.

Personally I am no fan of php for a variety of reasons but php doesn't mean you have to write code like the leaked gox source.  It is possible to write good (or at least better) php.  The major issue isn't the choice of language but how that language was (mis)used.
full member
Activity: 238
Merit: 100
March 03, 2014, 12:57:36 PM
#14
More: php uses weak/'implicit' typing which means you never really know what type you are dealing with, unless you explicitly state so in the code. This might be fine for simple web-servers or some forum software, but it makes php inherently useless for high security applications.

^This is amateur grade code at best, and now we see the result...

edit: @gollum: Exactly!!
sr. member
Activity: 434
Merit: 250
In Hashrate We Trust!
March 03, 2014, 12:55:05 PM
#13
Quote
As a website dealing with millions of user funds, their security should have been on par with that of big banks.

Does Deutsche Bank use php? Does HSBC use fucking MYSQL??? Do any of those banks comment out lines in production code for debugging?!?!?!?

Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.

That's exactly the problem, it shouldn't be written by only one clueless guy!!!
Bitcoinica failed for the same reason - bad coding and no security.
full member
Activity: 238
Merit: 100
March 03, 2014, 12:52:44 PM
#12
As a website dealing with millions of user funds, their security should have been on par with that of big banks.

Does Deutsche Bank use php? Does HSBC use fucking MYSQL??? Do any of those banks comment out lines in production code for debugging?!?!?!?

Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.

That's exactly the problem, it shouldn't be written by only one clueless guy!!!