Topic: What have we all learnt from the Mt Gox incident? (Read 6374 times)

member
Activity: 76
Merit: 10
Aside from the fact that I'm glad I used a unique password for my Mt. Gox account, I look at this incident in much the same way I look at the Amazon Web Services outage of a couple months ago (which I was also affected by.) Some AWS users left claiming they had lost faith in Amazon's ability to keep their systems up, even though up to that time Amazon's record had been exemplary. My feeling was and still is that this sort of thing would only strengthen Amazon, and that while failures do inevitably happen, this failure would be extremely unlikely to happen ever again, and a whole class of related potential failures would never happen at all. So, unless Amazon, and by the same argument Mt. Gox, shows a repeated pattern of failures in the same category, I think it wise to stick with them.

There's a lot of truth in Nietzsche's statement, "That which does not kill me makes me stronger."



You're comparing Amazon.com with Magic The Gathering Online eXchange.

One of them is the biggest success of the internet age that employs the most talented computer scientists in the world to tackle the most difficult business and technical challenges on the internet.

The other is a glorified calculator, providing a service that was already perfected long ago, in a very amateur and incompetent way. They've made errors that freshman computer science students know not to make. They've proven their deep incompetence.

AWS went down because AWS is like the space shuttle of internet technology. It is cutting edge: AWS EBS is trying to solve a problem that most other experts literally consider impossible. Despite their downtime, they haven't even violated their SLA.

Magic The Gathering Online eXchange is too incompetent to use bcrypt and not expose their fucking accounts database to insecure parties. Magic The Gathering doesn't even have an SLA. Because they are fucking incompetent and untrustworthy.


AWS did violate their SLA and did in fact compensate customers like me in the wake of their outage. I expect that Mt. Gox will also do right by their customers, including formalizing some sort of guarantee if necessary, although I wasn't aware that commodity exchanges had SLAs.

Meanwhile, although you're right that AWS and Mt. Gox aren't really comparable in terms of current scale, my point was not about scale, but about adaptability.

And besides, Amazon started out as just an online bookstore. It will be interesting to see where Mt. Gox is 5 or 10 years from now. You think they'll be dead. I'll wait and see.

Early days yet, people. Growing pains are expected.
full member
Activity: 196
Merit: 101
Windows 7 is very secure.
member
Activity: 72
Merit: 10
Windows is fine, and is more secure than linux. If linux would receive the same amount of malicious attacks that windows receive, linux would become unusable and would require patches for years. The security on some of the linux distros is atrocious. Linux security is achieved through obscurity. An attacker isn't going to bother writing attacks against an OS that less than 1% of people use, and those that do use linux are likely to be highly technical.
I think you're misusing the phrase "security by obscurity". Security by obscurity means that the technical details of your system are guarded closely from potential attackers. As long as you can keep the outside world from understanding how your system works, they will be unable to exploit flaws in your system. This was a large part of Sony's strategy to keep homebrewers from getting root on the PS3 (which ultimately failed).

The phrase "Given enough eyeballs, all bugs are shallow" applies to linux because bugs (and security flaws) are not hidden, they are openly shared so that they can be recognized and fixed. Linux is the complete opposite of "security by obscurity"!
newbie
Activity: 45
Merit: 0
Aside from the fact that I'm glad I used a unique password for my Mt. Gox account, I look at this incident in much the same way I look at the Amazon Web Services outage of a couple months ago (which I was also affected by.) Some AWS users left claiming they had lost faith in Amazon's ability to keep their systems up, even though up to that time Amazon's record had been exemplary. My feeling was and still is that this sort of thing would only strengthen Amazon, and that while failures do inevitably happen, this failure would be extremely unlikely to happen ever again, and a whole class of related potential failures would never happen at all. So, unless Amazon, and by the same argument Mt. Gox, shows a repeated pattern of failures in the same category, I think it wise to stick with them.

There's a lot of truth in Nietzsche's statement, "That which does not kill me makes me stronger."



You're comparing Amazon.com with Magic The Gathering Online eXchange.

One of them is the biggest success of the internet age that employs the most talented computer scientists in the world to tackle the most difficult business and technical challenges on the internet.

The other is a glorified calculator, providing a service that was already perfected long ago, in a very amateur and incompetent way. They've made errors that freshman computer science students know not to make. They've proven their deep incompetence.

AWS went down because AWS is like the space shuttle of internet technology. It is cutting edge: AWS EBS is trying to solve a problem that most other experts literally consider impossible. Despite their downtime, they haven't even violated their SLA.

Magic The Gathering Online eXchange is too incompetent to use bcrypt and not expose their fucking accounts database to insecure parties. Magic The Gathering doesn't even have an SLA. Because they are fucking incompetent and untrustworthy.
newbie
Activity: 42
Merit: 0
Linux and Windows are built from the same circuit hardware and same logistic languages and can be coded and hacked the same ways.

Windows is just more popular.
Windows has more ignorant users.
Windows is mainstream.

Prime target for hackers who think it's funny to fuck with people. The larger the population, the higher the probability of at least 1 fool falling for their trick.

Only reason Linux is more secure is because nobody is interested in coding viruses for them yet.

Yeah naturally I was joking... Windows is way less secure.  Mac has 10% market share and its users are foolish enough to pay way over the odds for a machine just because it has an Apple badge on it.  There would be plenty more Mac viruses already if your argument held any water, but it doesn't of course.
full member
Activity: 154
Merit: 100
Pretty impressed overall with Gox's handling of this. It wasn't even their site itself that was hacked, and they are taking all necessary steps to ensure it's brought back up securely and with enough notice before the exchange opens.

I anticipated this sort of thing happening a few weeks ago after BTC shot up to $30, so luckily I changed my Gox pass then to a unique one that is 14 char with all 4 categories covered.

No site/business/network is 100% secure.  Anyone that does security audits will tell you that it's not a matter of IF, but a matter of WHEN they will gain access to some components of the system.

Gox should enforce password complexity requirements, IMO.
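The two defensive points this thread keeps returning to, hashing stored passwords with a salted, slow KDF (the bcrypt point raised earlier) and enforcing a rule like the poster's own 14-character, four-category password, as an added example that is not from the forum, from Mt. Gox or from any poster. It uses Python's standard-library PBKDF2-HMAC-SHA256 as a stand-in for bcrypt so it runs without extra packages; the policy constants and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

# Assumed policy, mirroring the poster's own rule: 14+ chars, all four classes.
MIN_LENGTH = 14
# Assumed work factor; the point is that each guess costs the attacker this much.
PBKDF2_ITERATIONS = 600_000


def password_meets_policy(password: str) -> bool:
    """True if the password is at least MIN_LENGTH characters and contains
    lowercase, uppercase, digit and punctuation characters."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= MIN_LENGTH and all(classes)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.
    A fresh random salt per user means equal passwords give different records,
    so a leaked table cannot be cracked with one precomputed lookup."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """Constructed contrast only: no salt and no work factor, so every user with
    the same password shares a hash and a leak is cracked by table lookup."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```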
hero member
Activity: 616
Merit: 500
Windows is fine, and is more secure than linux. If linux would receive the same amount of malicious attacks that windows receive, linux would become unusable and would require patches for years. The security on some of the linux distros is atrocious. Linux security is achieved through obscurity. An attacker isn't going to bother writing attacks against an OS that less than 1% of people use, and those that do use linux are likely to be highly technical.

Total utter nonsense! The real reason Windows is more secure is because of the billion-dollar anti-virus and malware protection industry that protects its users.  There is just no decent anti-virus software for linux!  You have to be crazy to install an OS like that. 

Linux and Windows are built from the same circuit hardware and same logistic languages and can be coded and hacked the same ways.

Windows is just more popular.
Windows has more ignorant users.
Windows is mainstream.

Prime target for hackers who think it's funny to fuck with people. The larger the population, the higher the probability of at least 1 fool falling for their trick.

Only reason Linux is more secure is because nobody is interested in coding viruses for them yet.
newbie
Activity: 42
Merit: 0
Windows is fine, and is more secure than linux. If linux would receive the same amount of malicious attacks that windows receive, linux would become unusable and would require patches for years. The security on some of the linux distros is atrocious. Linux security is achieved through obscurity. An attacker isn't going to bother writing attacks against an OS that less than 1% of people use, and those that do use linux are likely to be highly technical.

Total utter nonsense! The real reason Windows is more secure is because of the billion-dollar anti-virus and malware protection industry that protects its users.  There is just no decent anti-virus software for linux!  You have to be crazy to install an OS like that. 
legendary
Activity: 1806
Merit: 1003
I just received a mail from MtGox with a self extracting archive (.exe) purporting to be a certificate to help combat this.... no way am I opening it, it got captured by my spam services anyhow but really.. who the hell is gonna trust an executable from them now?

Not for them.
From: can be trivially spoofed.
Don't run any .exe
Don't use windows.
Don't touch windows with a 20 meter stick while doing anything related to security of more than a few bucks.

Jesus, guys.



Windows is fine, and is more secure than linux. If linux would receive the same amount of malicious attacks that windows receive, linux would become unusable and would require patches for years. The security on some of the linux distros is atrocious. Linux security is achieved through obscurity. An attacker isn't going to bother writing attacks against an OS that less than 1% of people use, and those that do use linux are likely to be highly technical.
legendary
Activity: 2408
Merit: 1121

I am not a trader, I develop trading systems software. I've worked on systems that cleaned up the mess when trades get busted, so my attitude is less cavalier than yours. Admittedly, I've dealt only with institutional and larger hedge fund trades that don't typically involve lightly traded securities, so these massive rollbacks could be a more common occurrence than I thought.


If you're interested, check out the NANEX folks. They do some interesting plots of issues that have had the same distressing behavior as the indexes when the flash-crash occurred in May. What is alarming is it seems to point the blame at some "alpha testing in the wild" by High Frequency Algorithms, as the patterns produced by sub-pennying bids and offers become apparent.

I've worked on automated trading software, but not like these guys - I actually just want to emulate good trading decisions, not spam an exchange with 1,000 orders a second.

Good luck on your efforts.

full member
Activity: 140
Merit: 100
I am not a trader, I develop trading systems software. I've worked on systems that cleaned up the mess when trades get busted, so my attitude is less cavalier than yours. Admittedly, I've dealt only with institutional and larger hedge fund trades that don't typically involve lightly traded securities, so these massive rollbacks could be a more common occurrence than I thought.

That pretty much says it. I do both, trade and develop trading systems.

There have been repeated incidents in the last months on some US securities where trading systems went totally out of control, smacking the price from 28 USD to 2800 USD within a minute, or down to cents.

In all cases the complete set of trades was cancelled.

Last year you had the famous flash crash - also a lot of executions got cancelled.

I suggest looking at http://www.zerohedge.com/search/node/nanex for an idea about what happens there. Nanex is a quite good (my favourite) data provider (though they don't care about the wannabe trader - no symbols, only complete exchange feeds) and they always make their analysis available. QUITE a good read.

I suggest for a start:
http://www.zerohedge.com/article/todays-flash-crash-690-009-two-seconds
http://www.zerohedge.com/article/2880-2600-two-second-thank-you-skynet
http://www.zerohedge.com/article/102-001-under-one-second (that is 120 USD per share to 1 cent)
http://www.zerohedge.com/article/6-1-milliseconds-ambo-first-flash-crash-du-jour

In any case exchanges do what they are there for: re-establish an orderly market and basically cancel the trades done outside the orderly market.
newbie
Activity: 56
Merit: 0

Quote
Also, Mt. Gox needs a public relations person stat. These conspiracy theories are getting out of hand and they need to be smacked down in one, official, one-stop stickied FAQ thread. The worst thing that you can do in these situations is make it practically impossible for your users to decipher truth from fiction, especially after a few days of claims of hacked accounts that very senior members here dismissed. And especially after it took far too long for Mt. Gox to acknowledge that the user database in the wild was real.
sounds to me like they already have a public relations person.
full member
Activity: 140
Merit: 100
I've learned that, after incidents like this, lots of people come out of the woodwork claiming to be experts on pretty much everything, usually followed by statements that utterly disprove their assertion.

Also, Mt. Gox needs a public relations person stat. These conspiracy theories are getting out of hand and they need to be smacked down in one, official, one-stop stickied FAQ thread. The worst thing that you can do in these situations is make it practically impossible for your users to decipher truth from fiction, especially after a few days of claims of hacked accounts that very senior members here dismissed. And especially after it took far too long for Mt. Gox to acknowledge that the user database in the wild was real.

Responding to people is almost as important as repairing the security issues, because trust has been broken nearly as badly.

Not to mention that, without a clear voice of Mt. Gox here in the aftermath, we're going to see a plethora of horribly erroneous media articles this week because journalists will be writing articles based on second-hand knowledge and hearsay that they can't easily verify or dismiss.
newbie
Activity: 56
Merit: 0
1. Flocking to a central exchange to trade a decentralised currency is a bad idea.

Continue on ...

+1

We definitely need LOTS more exchanges and different ways to convert between BTC and other currencies. That's part of the maturing process of the Bitcoin ecosystem.

The way FOREX is set up is that each bank is an exchange itself but they also trade with each other.
The existing exchanges should develop an interface that allows them to exchange quotes and trade with each other - which increases liquidity and makes it easier to start many exchanges - anyone, like your local bank, could start one then, just by feeding you the quotes of MtGox while your money is actually with them.
member
Activity: 94
Merit: 10

Oanda is taken seriously. They have also been known to roll back trades.

Speaking of Oanda, it'd be insanely awesome if they added BTC as a currency to their systems.

Some still say Oanda is a bucketshop, albeit a respectable one.

Rolling back trades is not the issue I have with Mt Gox. Just the sheer size of the rollback and the fact that they got themselves into a state where this is the only best solution.
member
Activity: 94
Merit: 10

Hey, you. Over there. Yeah, the one who talks big and doesn't know jack.

Guess what the exchanges do every day they have a mini-flash-crash? That's right, there are plenty of smaller stocks that trade say at $12 that get smacked down to 30 cents. The HFT guys are the usual culprit, but all the trades get busted within a certain percentage. Mt. Gox is just following best practices here.

Sorry you don't get it - but you would if you really did 'work on a real exchange'.

Take my trading cards clerk, and get me a hoagie while you run that crap to the back office. Clerk Failpile.

I am not a trader, I develop trading systems software. I've worked on systems that cleaned up the mess when trades get busted, so my attitude is less cavalier than yours. Admittedly, I've dealt only with institutional and larger hedge fund trades that don't typically involve lightly traded securities, so these massive rollbacks could be a more common occurrence than I thought.

legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
I learnt that during bitcoin shitstorms, whatever you say, some will find it's the more intelligent message of the week, others will bash you to the death
member
Activity: 70
Merit: 10
I just received a mail from MtGox with a self extracting archive (.exe) purporting to be a certificate to help combat this.... no way am I opening it, it got captured by my spam services anyhow but really.. who the hell is gonna trust an executable from them now?

Not for them.
From: can be trivially spoofed.
Don't run any .exe
Don't use windows.
Don't touch windows with a 20 meter stick while doing anything related to security of more than a few bucks.

Jesus, guys.

hero member
Activity: 586
Merit: 501
I've been writing this wherever I can.

All bitcoin exchanges need to have a circuit breaker = stop the market when it's down 10% or more for 12 hours or something, like in all major stock markets. This will discourage short-selling and market manipulation and prevent things like that from ever happening again.

Making a coin which gives heart attacks to customers, users and merchants is not very smart.

hero member
Activity: 523
Merit: 500
That a lot of bitcoin users are acting like 13-17 year old kids. Maybe they are.
MtGox is handling this very well.

But don't keep all your coins at MtGox.