Bitcoin Forum

Economy => Trading Discussion => Topic started by: muad_dib on June 20, 2011, 06:44:50 AM



Title: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 06:44:50 AM
Dear Bitcoiners,

I'm sorry to hear that some people have had their account stolen, but I was expecting it.

The problem of Mt. Gox is that it has grown too fast, without the correct investment in customer safety. The design of the site was not thought out for security, and it is evident even from the API. Basic cornerstones like input validation, or safe data exchange, are omitted, as if it were a blog and not a sensitive web application. Luckily Mt. Gox makes enough money to pay admins to control the money-flow.


The bigger problem anyhow, is that other exchanges have blatantly copied the design of Mt. Gox, along with its flaws, and with a smaller budget. Thus I expect more security breaches. And this is a big problem for the credibility of bitcoins. Thus I invite exchange owners to:


1) Use the right software. IIS is a big no-no :) Also Linux should be frowned upon. Unix is the way to go.

2) Update the software. You can't leave a known root escalation bug for 6 days!!!!

3) Have your code reviewed by a third party.

4) PHP security isn't too difficult, http://phpsec.org/projects/guide/ , still you missed most of the BASIC guidelines.

5) For God's sake, you're moving hundreds of thousands of dollars. Use a fucking dedicated server for the database. Accessible only by a local IP. If you wonder why I know this, then you should fire your admin.

If you own an exchange and would like to be safer, for a small fee (in the 5 figures) PM me, and I will tell you if your site is flawed, and if it is I can show you how I can have root access on the webserver at least.


Title: Re: About Mt. Gox flaw from a security expert
Post by: Bit_Happy on June 20, 2011, 06:47:17 AM
Yes, security is important.
FYI: Their site was not even hacked.

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 06:48:16 AM
P.s.: If, as I suspect, there has been an injection and possibly a root escalation on Mt. Gox, expect to see this problem happening soon.

To be safe, Mt. Gox needs a complete rewrite of their code, plus the use of a stronger infrastructure. But they won't do this, because it would cost them millions to keep the server offline for 1 month.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 06:49:21 AM
Yes, security is important.
FYI: Their site was not even hacked.

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

for a small fee, and the promise of not being persecuted, I can send your apache config file.


Title: Re: About Mt. Gox flaw from a security expert
Post by: Oldminer on June 20, 2011, 06:50:43 AM

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised.

What - the auditor lost his laptop you mean?  ;D


Title: Re: About Mt. Gox flaw from a security expert
Post by: Bit_Happy on June 20, 2011, 06:51:26 AM
Yes, security is important.
FYI: Their site was not even hacked.

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

for a small fee, and the promise of not being persecuted, I can send your apache config file.

No thanks, I can find it myself.   :D


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 06:53:43 AM


No thanks, I can find it myself.   :D

(K)

Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against the top level security like the intelligence or the PRC army.


Title: Re: About Mt. Gox flaw from a security expert
Post by: pancakes on June 20, 2011, 07:26:03 AM
If you own an exchange and would like to be safer, for a small fee (in the 5 figures)...

for a small fee, and the promise of not being persecuted...

The problem with this community is it's full of people trying to make money.


Title: Re: About Mt. Gox flaw from a security expert
Post by: done on June 20, 2011, 07:51:20 AM


No thanks, I can find it myself.   :D

(K)

Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against the top level security like the intelligence or the PRC army.


Listen to this man. He has hit this right on the nose. It should also tip you off to the perceived potential value of bitcoins.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 08:15:40 AM


The problem with this community is it's full of people trying to make money.


Trust me: if I were in the bitcoin business for the money, I would have stolen the bitcoins from the mtgox accounts I violated.


With the current design of most of the Bitcoin exchanges, passwords can be spoofed any time you connect via a wireless network.


Bitcoin exchanges need to take further steps to secure their customers, and must not copy other people's designs, as that could propagate flaws in the market.


Title: Re: About Mt. Gox flaw from a security expert
Post by: ShadowOfHarbringer on June 20, 2011, 09:09:44 AM
@muad_dib

At first your post seemed wise, but

1) Use the right software. IIS is a big no-no :) Also Linux should be frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.


Title: Re: About Mt. Gox flaw from a security expert
Post by: Bit_Happy on June 20, 2011, 09:17:16 AM
(K)

Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against the top level security like the intelligence or the PRC army.

I am the most eminent member of the bitcoin community?
Ummm... I will humbly step down from my position now.   :D

My first reply to you was:
Yes, security is important. & then I quoted and linked to a message on the MtGox site. I am not the owner of the exchange, but welcome to the forum muad_dib.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 09:21:04 AM
@muad_dib

At first your post seemed wise, but

1) Use the right software. IIS is a big no-no :) Also Linux should be frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.

I will not start a flamewar here, I just want to ask you a quick question:

Here's (http://news.netcraft.com/archives/2011/03/01/most-reliable-hosting-company-sites-in-february-2011.html) a list of the most reliable hosting solutions.


The first 3 spots: are they Linux or Unix?


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 09:22:58 AM

Ummm... I will humbly step down from my position now.   :D

My first reply to you was:
Yes, security is important. & then I quoted and linked to a message on the MtGox site. I am not the owner of the exchange, but welcome to the forum muad_dib.

Sorry I thought you were the owner of the exchange :)



Title: Re: About Mt. Gox flaw from a security expert
Post by: Grinder on June 20, 2011, 09:41:37 AM
Here's (http://news.netcraft.com/archives/2011/03/01/most-reliable-hosting-company-sites-in-february-2011.html) a list of the most reliable hosting solutions.

The first 3 spots: are they Linux or Unix?
As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 10:00:17 AM

As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though FreeBSD's update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose Unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for Linux, 3 for FreeBSD.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do a very rough estimation:

Google "Hacked by"+ linux: 2.3 million results

Google "Hacked by"+ Freebsd: 230,000 results (tenfold less!!!)


Anyhow, let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.


Title: Re: About Mt. Gox flaw from a security expert
Post by: Grinder on June 20, 2011, 10:34:53 AM
The table shows us that if you want to be the most reliable, you need to choose Unix.
http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 10:37:34 AM

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does FreeBSD have fewer vulnerabilities, but they are also less serious (check exploit or data execution)


Title: Re: About Mt. Gox flaw from a security expert
Post by: Horkabork on June 20, 2011, 11:03:02 AM

As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though FreeBSD's update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose Unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for Linux, 3 for FreeBSD.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do a very rough estimation:

Google "Hacked by"+ linux: 2.3 million results

Google "Hacked by"+ Freebsd: 230,000 results (tenfold less!!!)


Anyhow, let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.


I totally agree with you on this metric. Obviously, it follows with what I, a bona fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy.

Google agrees with me, as "Hacked by"+"virtual boy" has a mere 61,300 results.

Prove me wrong. I dare you, because I just bought a pair of x-pert system II zookas and a nintendo power glove. It's hooked to my keytar, with a wii wammy bar and a silicon 3d aggregator nanostruts mashup through UG ajax immersion portals.

Obviously, this is all coded in COBOL. It's the safest language.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 11:06:18 AM


even though, FreeBSD being smaller, this is a biased comparison.



I totally agree with you on this metric. Obviously, it follows with what I, a bona fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy.


[more flamewar]


Maybe you should read my posts more carefully.


Title: Re: About Mt. Gox flaw from a security expert
Post by: Grinder on June 20, 2011, 11:37:08 AM
I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.
So your cherry picking of data points is objective, but pointing out the obvious fact that you're cherry picking is subjective?

Also, I have never said anywhere that Linux is more secure than *BSD.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 11:42:14 AM

So your cherry picking of data points is objective, but pointing out the obvious fact that you're cherry picking is subjective?

Also, I have never said anywhere that Linux is more secure than *BSD.


I'm not sure what we are discussing.


Quoting a reliability chart is cherry picking?

Quoting a vulnerability chart is cherry picking?

Maybe my sources were biased?

Are you suggesting that there is no significant statistical difference between Linux/FreeBSD reliability/security?


My opinion is that this is just free polemic. Maybe I'm wrong.


Title: Re: About Mt. Gox flaw from a security expert
Post by: Grinder on June 20, 2011, 12:16:29 PM
Maybe my sources were biased?
Except for the sales piece made by a FreeBSD fan they probably weren't, but the way you use them is.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 12:42:02 PM
Maybe my sources were biased?
Except for the sales piece made by a FreeBSD fan they probably weren't, but the way you use them is.

Ok. Let's rephrase my previous sentence:

Given that a serious security flaw is a flaw that permits privilege escalation, or leakage of a database.

Given that parameter Psi = [ ( # of serious security flaws - 1 ) / ( # of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99, the correlation between the parameter Psi and Linux is stronger than with FreeBSD?




Title: Re: About Mt. Gox flaw from a security expert
Post by: Sukrim on June 20, 2011, 01:29:25 PM
Given that parameter Psi = [ ( # of serious security flaws - 1 ) / ( # of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99, the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

As "serious" is not defined and subjective and the number of running systems is not known/hard to estimate (Linux gets used in embedded environments too, where it will never show up in "server statistics") I can only say with 0.99 confidence level, that you are far off topic by now. ::)


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 01:52:42 PM

As "serious" is not defined and subjective

check better :)

Quote

and the number of running systems is not known/hard to estimate (Linux gets used in embedded environments too, where it will never show up in "server statistics")

Also BSD is implemented in EE. Anyhow, since we're speaking of webservers, we have good estimators for this quantity.


Quote
I can only say with 0.99 confidence level, that you are far off topic by now. ::)


Lol (L)


Title: Re: About Mt. Gox flaw from a security expert
Post by: Rob P. on June 20, 2011, 02:04:16 PM
P.s.: If, as I suspect, there has been an injection and possibly a root escalation on Mt. Gox, expect to see this problem happening soon.

To be safe, Mt. Gox needs a complete rewrite of their code, plus the use of a stronger infrastructure. But they won't do this, because it would cost them millions to keep the server offline for 1 month.

Rewrite of their code?  They weren't hacked with a SQL Injection.  Someone who had access from their laptop had their laptop compromised.  They need better security measures, but they aren't from the site standpoint.


Title: Re: About Mt. Gox flaw from a security expert
Post by: FooDSt4mP on June 20, 2011, 02:05:07 PM
I'm with you muad_dib... All my opinions are totally objective too ;)

Also, in my objective opinion more discovered vulnerabilities != less secure.  More eyes find more bugs.  I know you're talking FreeBSD, but look at OpenBSD.  It had a backdoor for years exactly because fewer people audit the code.


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 20, 2011, 02:24:42 PM

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does FreeBSD have fewer vulnerabilities, but they are also less serious (check exploit or data execution)
FreeBSD is also less used :P so there might be more bugs and exploits to discover.
I actually like that there have been more holes in Linux, because it means that they are fixed.


Title: Re: About Mt. Gox flaw from a security expert
Post by: ShadowOfHarbringer on June 20, 2011, 02:53:07 PM

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does FreeBSD have fewer vulnerabilities, but they are also less serious (check exploit or data execution)
FreeBSD is also less used :P so there might be more bugs and exploits to discover.
I actually like that there have been more holes in Linux, because it means that they are fixed.

+1

Everything that I wanted to say was already said here.

muad_dib, you have no idea what you are talking about. There isn't any 100% proof that BSD is either more secure or more reliable than Linux.



Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 02:55:20 PM


Rewrite of their code?  They weren't hacked with a SQL Injection.  Someone who had access from their laptop had their laptop compromised.  They need better security measures, but they aren't from the site standpoint.

That's what they say.


Anyhow, even taking this as true, I think it has become evident that Bitcoin has greatly outgrown the original expectations, and thus we need a stronger security policy.



One example: Do you think that by compromising the laptop of any or all of the admins of the Visa network, you could access any valuable information?


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 02:57:00 PM

FreeBSD is also less used :P so there might be more bugs and exploits to discover.
I actually like that there have been more holes in Linux, because it means that they are fixed.

So Windows has top-notch security?

:)


Title: Re: About Mt. Gox flaw from a security expert
Post by: JJG on June 20, 2011, 03:25:44 PM
If you own an exchange and would like to be safer, for a small fee (in the 5 figures)...

for a small fee, and the promise of not being persecuted...

The problem with this community is it's full of people trying to make money.

And the problem with most 'security experts' is that they think they walk on water.  ;)

Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 20, 2011, 03:31:04 PM

FreeBSD is also less used :P so there might be more bugs and exploits to discover.
I actually like that there have been more holes in Linux, because it means that they are fixed.

So Windows has top-notch security?

:)
LOL
No. They are afraid that if they open-source the code, they will have 100 exploits/day.
Windows is not open source.
You can compare Linux and *BSD, and you can compare Windows and Mac, but not Linux with Windows.

Windows also uses a lot of security through obscurity, which means it sucks.
(sorry all you Windows fanbois, it's not to start a flamewar)


Title: Re: About Mt. Gox flaw from a security expert
Post by: Capitan on June 20, 2011, 03:45:26 PM
@muad_dib

At first your post seemed wise, but

1) Use the right software. IIS is a big no-no :) Also Linux should be frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.

I will not start a flamewar here, I just want to ask you a quick question:

Here's (http://news.netcraft.com/archives/2011/03/01/most-reliable-hosting-company-sites-in-february-2011.html) a list of the most reliable hosting solutions.


The first 3 spots: are they Linux or Unix?

That list proves nothing about the security of any OS over any other OS. There is no mention of how big of a factor the OS/platform's security plays into the ranking. From what I read on that page, a lot of other things can play into the ranking, including the level of managed service (e.g., the competence and response time of the sysadmins of those hosting services), the network quality, speed of their servers, etc.

So that link proves nothing about Linux being better than Windows, or Unix being more secure than Linux.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 03:55:01 PM


Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?

Really I'm in for the money? I could make much more by moving the bitcoins in the accounts I spoofed.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:01:42 PM

LOL
No. They are afraid that if they open-source the code, they will have 100 exploits/day.
Windows is not open source.
You can compare Linux and *BSD, and you can compare Windows and Mac, but not Linux with Windows.

Windows also uses a lot of security through obscurity, which means it sucks.
(sorry all you Windows fanbois, it's not to start a flamewar)


So you can compare open source code and say that more bugs are better, while you can't compare open source and closed source?

I'm not sure I follow you.


Title: Re: About Mt. Gox flaw from a security expert
Post by: JJG on June 20, 2011, 04:03:35 PM


Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?

Really I'm in for the money? I could make much more by moving the bitcoins in the accounts I spoofed.

Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:06:05 PM


Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!

1) Maybe I don't want to help other exchanges for free?

2) Maybe I like the bitcoin project, so maybe I would like to see as few bitcoin frauds as possible?


Tell me. If you were able to steal all the bitcoins from mtgox, what would you do? (I'm not saying I can)


Title: Re: About Mt. Gox flaw from a security expert
Post by: finack on June 20, 2011, 04:06:48 PM
You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

Don't get me wrong, we're all very impressed you can lift cookies over wifi.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:11:43 PM
You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

I totally respect your opinion.


Quote
Don't get me wrong, we're all very impressed you can lift cookies over wifi.

What I'm impressed about, is that such a simple flaw isn't prevented by a system that moves millions of dollars. That's such a noobish mistake. Moreover, they blame users for a flaw of their system.


Even worse, while I'm sure Mt. Gox can pay handsomely an admin to prevent too much of this abuse, other exchanges without the same liquidity copied Mt. Gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Don't you all see the negative implications of this?


Am I the only concerned?


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 20, 2011, 04:17:22 PM

LOL
No. They are afraid that if they open-source the code, they will have 100 exploits/day.
Windows is not open source.
You can compare Linux and *BSD, and you can compare Windows and Mac, but not Linux with Windows.

Windows also uses a lot of security through obscurity, which means it sucks.
(sorry all you Windows fanbois, it's not to start a flamewar)


So you can compare open source code and say that more bugs are better, while you can't compare open source and closed source?

I'm not sure I follow you.
Yes:

More fixed bugs are better than more unfound bugs.

And you can't trust closed source code: Microsoft could have put a backdoor in Windows, so that the NSA could gain easy access to any Windows system. (I like conspiracy theories :) )



Title: Re: About Mt. Gox flaw from a security expert
Post by: tehcodez on June 20, 2011, 04:21:21 PM
You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

I totally respect your opinion.


Quote
Don't get me wrong, we're all very impressed you can lift cookies over wifi.

What I'm impressed about, is that such a simple flaw isn't prevented by a system that moves millions of dollars. That's such a noobish mistake. Moreover, they blame users for a flaw of their system.


Even worse, while I'm sure Mt. Gox can pay handsomely an admin to prevent too much of this abuse, other exchanges without the same liquidity copied Mt. Gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Don't you all see the negative implications of this?


Am I the only concerned?

We all the only concerned.

Take that faux-expertise to someone who needs half-empty glass a.


Title: Re: About Mt. Gox flaw from a security expert
Post by: nelisky on June 20, 2011, 04:23:27 PM

Am I the only concerned?

Not at all, look at all the threads!

You are, however, from my own subjective analysis, the only one saying that a five digit small fee should be paid to you for saying you have spoofed mtgox accounts by eavesdropping wifi connections and not taking monetary advantage of it. So as far as I can see that's:
- you sniffed open or badly closed wifi connections, which is eavesdropping and forbidden in most places
- you used that information to explore issues in a bitcoin exchange, which is illegal any way you cut it
- you provide no proof of doing any of the above, but you certainly use good bragging buzzwords
- you failed to provide information to the site owner to prevent the current situation (heck, you might be the one behind all this, for all you said you were capable of doing)
- now you require hard money for your expert services, which amount to saying that something is hackable after it has been hacked

Kudos to you for making all this with a straight face... or did you? :p


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:23:37 PM


We all the only concerned.

Take that faux-expertise to someone who needs half-empty glass a.

You are not forced to post in my thread :)


Title: Re: About Mt. Gox flaw from a security expert
Post by: JJG on June 20, 2011, 04:24:53 PM


Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!

1) Maybe I don't want to help other exchanges for free?

2) Maybe I like the bitcoin project, so maybe I would like to see as few bitcoin frauds as possible?


Tell me. If you were able to steal all the bitcoins from mtgox, what would you do? (I'm not saying I can)

1) So then you are in it for the money?


What does your question have to do with anything? If I found a serious security vulnerability, I would forward the information on to the appropriate parties so they can fix the holes ASAP. And I wouldn't even demand a small fee (5 figures) because maybe I like the bitcoin project, so maybe I would like to see as few bitcoin frauds as possible.  ;)


Title: Re: About Mt. Gox flaw from a security expert
Post by: finack on June 20, 2011, 04:27:46 PM
What I'm impressed about, is that such a simple flaw isn't prevented by a system that moves millions of dollars. That's such a noobish mistake. Moreover, they blame users for a flaw of their system.

Even worse, while I'm sure Mt. Gox can pay handsomely an admin to prevent too much of this abuse, other exchanges without the same liquidity copied Mt. Gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Don't you all see the negative implications of this?

Am I the only concerned?

You're right that session cookies over http is a noobish mistake for a financial site. I'm guessing that you didn't watch the one TV show last night that had both people from tradehill and Adam and Mark from Mt. Gox on. I'm not trying to be mean here, but it's clear to me that they're all at least somewhat if not way out of their depth. Tradehill came across somewhat better than Mt. Gox, but they all felt very unprepared and taken by surprise by the situation. Reacting, not acting etc.

Bottom line is that just a few months ago these exchanges were nothing more than hobby systems at best. They started getting real transaction flows quickly but competency generally lags behind such moves. Consider that tradehill apparently has 3 people working full time, which as far as I can tell makes them the best staffed in the business. That's smaller than even one of many small security teams at any traditional equity or fx broker, and that's not even considering the mountains of people exchanges throw at the problem.

Bottom line is that I'd expect these issues to continue for some time. Simply hiring one security minded admin won't make a ton of difference unless you happen to find someone very abnormally good at their job.

As an aside, when I look at tradehill it's entirely https - is that just because I have a force https and auto HSTS extension? They certainly seem to support all traffic over TLS at least, even if they don't force it themselves. I thought I recalled Mt. Gox doing the same but I can't check with the site down. In the big picture only having TLS be optional probably isn't the biggest deal, at least as compared with CSRF issues and live database access on poorly secured PC's.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:31:29 PM

Not at all, look at all the threads!

You are, however, from my own subjective analysis, the only one saying that a five digit small fee should be paid to you for saying you have spoofed mtgox accounts by eavesdropping on wifi connections and not taking monetary advantage of it. So as far as I can see that's:

A five-digit sum is a very small fee for someone making 100.000$+ a day.

Quote
- you sniffed open or badly closed wifi connections, which is eavesdropping and forbidden in most places

- you used that information to explore issues in a bitcoin exchange, which is illegal anyway you cut it


Still this won't stop thieves from using this technique. One question: when you go out, do you close your door, or do you leave it open because "entering other people's houses is a crime?"



Quote
- you provide no proof of doing any of the above, but you certainly use good bragging buzzwords

Which proof do you need? The wifi spoofing attack is such a simple one that it needs no proof... you can set one up in less than 60 minutes!

Quote
- you failed to provide information to the site owner to prevent the current situation (heck, you might be the one behind all this, for all you said you were capable of doing)

Why the hell should I help competition for free?!?!??! I post a public warning so that THEY can take the steps needed. It's not my task to debug their code, sorry.

Quote
- now you require hard money for your expert services, which amounts to saying that something is hackable after it has been hacked

I can provide new ways to hack it :)


Title: Re: About Mt. Gox flaw from a security expert
Post by: cunicula on June 20, 2011, 04:34:14 PM
Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:41:46 PM


1) So then you are in it for the money?


Let's rephrase my previous sentence: As a human being, I'm programmed to try to make some profit, so that my offspring will have a better chance in the real world.


Anyhow, given the chance to sell the bitcoin community for the personal gain, I would say no.


Quote
What does your question have to do with anything?

I was trying to prove to you that stealing a large bitcoin sum is the best way to make the price crash, thus making the theft stupid.

Quote
If I found a serious security vulnerability, I would forward the information on to the appropriate parties so they can fix the holes ASAP.

I think that, given how understaffed exchanges are, maybe the email would have been read by the same person who is responsible for the development/management, thus it would have been overlooked.

I think also that by posting it here not only am I advising users, but I'm also putting pressure on ALL the exchanges to fix this ASAP.

Quote
And I wouldn't even demand a small fee (5 figures) because maybe I like the bitcoin project, so maybe I would like to see as little bitcoin fraud as possible.  ;)

Do you think that I ever thought, for a single instant, that I would be paid?

Do you think that if that was my real intention, I would have posted my request in public?


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:42:56 PM


You're right that session cookies over http is a noobish mistake for a financial site. I'm guessing that you didn't watch the only one TV show last night that had both people from tradehill and Adam and Mark from Mt. Gox on. I'm not trying to be mean here, but it's clear to me that they're all at least somewhat if not way out of their depth. Tradehill came across somewhat better than Mt. Gox, but they all felt very unprepared and taken by surprise by the situation. Reacting, not acting etc.

Bottom line is that just a few months ago these exchanges were nothing more than hobby systems at best. They started getting real transaction flows quickly but competency generally lags behind such moves. Consider that tradehill apparently has 3 people working full time, which as far as I can tell makes them the best staffed in the business. That's smaller than even one of many small security teams at any traditional equity or fx broker, and that's not even considering the mountains of people exchanges throw at the problem.

Bottom line is that I'd expect these issues to continue for some time. Simply hiring one security minded admin won't make a ton of difference unless you happen to find someone very abnormally good at their job.

As an aside, when I look at tradehill it's entirely https - is that just because I have a force https and auto HSTS extension? They certainly seem to support all traffic over TLS at least, even if they don't force it themselves. I thought I recalled Mt. Gox doing the same but I can't check with the site down. In the big picture only having TLS be optional probably isn't the biggest deal, at least as compared with CSRF issues and live database access on poorly secured PC's.

Finally someone discussing this SERIOUS issue rather than trying to start a flamewar.


Title: Re: About Mt. Gox flaw from a security expert
Post by: Sukrim on June 20, 2011, 04:43:30 PM
A five-digit sum is a very small fee for someone making 100.000$+ a day.
You just wasted more than a "five digit sum" by the time you spent posting and reading in this thread then, congratulations! ::)

You have 3 options:
[ ] Disclose fully (in public)
[ ] Disclose privately (only to the site in danger)
[ ] Keep your mouth shut and do nothing/exploit the issue yourself

You chose option 4:
[X] Spread FUD

Reasons for this can be that you either don't have anything substantial, you tried to get more money from a site than the owner wanted to pay and now you want to put up pressure while still being able to get some money, or you're just a troll with neither a security hole in hand nor the means to find one.

As you seem to easily divert the topic to things that are NOT relevant at all and won't lead much further to getting money from a site owner, I vote for "Troll".

kthxbye


Title: Re: About Mt. Gox flaw from a security expert
Post by: nelisky on June 20, 2011, 04:46:35 PM

A five-digit sum is a very small fee for someone making 100.000$+ a day.


drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?

Still this wont stop thieves from using this technique. One question: when you go out, do you close your door, or do you leave it open because "entering in other people houses is a crime?"

The latter. I do lock my house, but not my car. And the reason I lock my house is that my miner machine is inside, and you can't really trust a community like Bitcoin that has people reasoning like you... someone might take my computer and then post on the forum saying "for a small 5 digit fee I'll teach you about the best locks for your door".

Quote
Which proof do you need? The wifi spoofing attack is such a simple one that it needs no proof... you can set one up in less than 60 minutes!

I need no proof at all. I believe you, I have no reason not to. Of course any random guy making over 300 million dollars yearly will sniff and spoof, and not steal to then arm wrestle a small fee... I wonder what kind of "security" you are expert on, though...

Quote
why the hell should I help competition for free?!?!??! I post a public warning so that THEY can take the steps needed. It's not my task to debug their code, sorry.

Oh... so you run an exchange, one that is totally secure. Now I'm getting really puzzled... which one was it again? Tell the good developers that potentially lost a bunch of bitcoins, something that could have been prevented if you would just help competition for free. I promise no one will try to hurt you, and I'm sure no one will be capable of it anyway :p

Quote
I can provide new ways to hack it :)

Yep, no doubt. And once someone hacks it you'll provide information about how you already knew and could have prevented it, if only you would get paid the (relative) peanuts you require, but you only require them as a matter of principle, you REALLY don't need them.

Enough trolling, have fun with your buzzword magic. You might be a security expert (and failed to present any proof of it, but you aren't in the PR business anyway, so who cares) but I'm still not sure you are a human being.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:47:24 PM

You just wasted more than a "five digit sum" by the time you spent posting and reading in this thread then, congratulations! ::)

You have 3 options:
[ ] Disclose fully (in public)
[ ] Disclose privately (only to the site in danger)
[ ] Keep your mouth shut and do nothing/exploit the issue yourself

You chose option 4:
[X] Spread FUD

Reasons for this can be that you either don't have anything substantial, you tried to get more money from a site than the owner wanted to pay and now you want to put up pressure while still being able to get some money, or you're just a troll with neither a security hole in hand nor the means to find one.

As you seem to easily divert the topic to things that are NOT relevant at all and won't lead much further to getting money from a site owner, I vote for "Troll".

kthxbye

I already posted the reasons why I said this in public. Please read my posts more carefully.


Anyhow, just for you, not for the other readers, I wrote a simple script to spoof Mt. Gox passwords. Here (http://goo.gl/YrTT5).


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:50:15 PM


drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?


The one making 100.000$+ is Mt. Gox, not me. I'm not this big by ANY means.


I read too much hate in your posts; this is not the only example where you read what you wanted to read in my posts.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:55:12 PM


More fixed bugs are better than more unfound bugs.



Let's try to sum up:

FreeBSD has fewer bugs than Linux (one fold less).

FreeBSD bugs went up because there has been a MAJOR review of code, both from volunteers and paid developers. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

The production machines with the best uptime are FreeBSD based.


Still you think that Linux is safer than FreeBSD?


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 20, 2011, 04:55:30 PM
Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.
please explain...


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:56:02 PM
I read so much hate in these forums. People please, chill out.


Title: Re: About Mt. Gox flaw from a security expert
Post by: nelisky on June 20, 2011, 04:56:54 PM


drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?


The one making 100.000$+ is Mt. Gox, not me. I'm not this big by ANY means.


I read too much hate in your posts; this is not the only example where you read what you wanted to read in my posts.

re: 100k, aha, good. So that explains why asking 5 digit fees is small, because they (we all that use it) can pay? Ok, now you sound more like a real security expert, or a lawyer, or a politician...

re: hate. Come again? the example (not the only one, I understand) that I read what I wanted to read in your posts is that you read too much hate in my posts? huh?

But enough hatred, I know I have an attitude problem as all that had to deal directly with me can attest to. Too much good, positive attitude and a complete lack of capability of making simple ironic remarks :) I'm a long time professional at what I do, and that is not trolling nor is it security. You are obviously better than me on both accounts so if you can refrain from replying to my post here, I promise I'll behave and not make hatred filled remarks on any other altruistic comment coming from you on this thread.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 04:59:17 PM
Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.
please explain...

Were you asking me?

http://en.wikipedia.org/wiki/Statistical_hypothesis_testing

http://en.wikipedia.org/wiki/Statistic

http://en.wikipedia.org/wiki/Confidence_level

http://en.wikipedia.org/wiki/Statistically_significant


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 05:02:05 PM

re: 100k, aha, good. So that explains why asking 5 digit fees is small, because they (we all that use it) can pay? Ok, now you sound more like a real security expert, or a lawyer, or a politician...


So you think that poor people and rich people should be paid the same for things?


I might be an incurable socialist, but I see this as wrong.


I still see too much hate in your posts.


Title: Re: About Mt. Gox flaw from a security expert
Post by: nelisky on June 20, 2011, 05:07:46 PM

re: 100k, aha, good. So that explains why asking 5 digit fees is small, because they (we all that use it) can pay? Ok, now you sound more like a real security expert, or a lawyer, or a politician...


So you think that poor people and rich people should be paid the same for things?


I might be an incurable socialist, but I see this as wrong.


I still see too much hate in your posts.

You see what you want to see, I read somewhere :)

I do think that people should be paid the same for the same task, regardless of them being poor or rich. I also think that your hatred made you state the wrong idea. You mean rich people should not PAY the same as poor people, right? not GET PAID?

regardless, yes, I think a thing is a thing and has a value regardless of who pays and who gets paid. It's how much you are willing to pay that makes the price, not how wealthy you are, in my personal opinion. But I'm sure you are correct, and that's why the world is as it is today.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 05:10:38 PM


You see what you want to see, I read somewhere :)

I do think that people should be paid the same for the same task, regardless of them being poor or rich. I also think that your hatred made you state the wrong idea. You mean rich people should not PAY the same as poor people, right? not GET PAID?

regardless, yes, I think a thing is a thing and has a value regardless of who pays and who gets paid. It's how much you are willing to pay that makes the price, not how wealthy you are, in my personal opinion. But I'm sure you are correct, and that's why the world is as it is today.

You are American, right?

Next time you fill in your tax form, ask to pay the same amount as Donald Trump. Personal wealth doesn't matter, right? :)


Title: Re: About Mt. Gox flaw from a security expert
Post by: iBTC on June 20, 2011, 05:12:31 PM
Anyhow let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.
Well, I think OpenBSD is more secure..


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 05:15:34 PM
Anyhow let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.
Well, I think OpenBSD is more secure..


Sorry, by saying FreeBSD I mean *BSD. It's just that I'm working on a big FreeBSD project and I have this name in my mind.


You are totally right by saying that OpenBSD is safer than FreeBSD


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 20, 2011, 05:18:00 PM
Quote
FreeBSD has fewer bugs than Linux (one fold less).
No, FreeBSD has fewer discovered bugs..

Quote
FreeBSD bugs went up because there has been a MAJOR review of code, both from volunteers and paid developers. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
And now you are talking about OpenBSD instead of FreeBSD.
Either you are stupid or you don't know what you are talking about.
OpenBSD is maybe the most paranoid OS in the world, yes that's right.

Quote
The production machines with the best uptime are FreeBSD based.
and...? uptime != security

Quote
Still you think that Linux is safer than FreeBSD?
I have never said that. You are the one waving the FreeBSD flag.

I say you are a troll.


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 20, 2011, 05:19:32 PM
I read so much hate in these forums. People please, chill out.
Oh, I'm not hating, just using my mind. And it tells me that you are a stupid troll. (sorry)


Title: Re: About Mt. Gox flaw from a security expert
Post by: Sukrim on June 20, 2011, 05:19:42 PM
What about DragonflyBSD? The Hurd? Or what about Haiku?!

Seriously! Stop feeding this troll, he won't share his "wisdom" anyway, neither here nor to anyone else who won't pay his little 5-digit sum.

Yes, Bitcoin exchanges were more or less overrun by users in the past few months - whoever didn't know this (there are charts, people!) does know now.


Title: Re: About Mt. Gox flaw from a security expert
Post by: iBTC on June 20, 2011, 05:21:19 PM
Anyhow let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.
Well, I think OpenBSD is more secure..


Sorry, by saying FreeBSD I mean *BSD. It's just that I'm working on a big FreeBSD project and I have this name in my mind.


You are totally right by saying that OpenBSD is safer than FreeBSD
It's hard to configure stuff on it even for someone familiar with *nix but still it's worth it.

What are you working on btw? I am a bit curious  ;D


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 05:21:53 PM
What about DragonflyBSD? The Hurd? Or what about Haiku?!

Seriously! Stop feeding this troll, he won't share his "wisdom" anyway, neither here nor to anyone else who won't pay his little 5-digit sum.

Yes, Bitcoin exchanges were more or less overrun by users in the past few months - whoever didn't know this (there are charts, people!) does know now.

The flaw is stated multiple times in this thread. Just read carefully.


Will you give me 5 BTC if I can link 5 posts from 5 different users in THIS thread that explain which is the flaw?



Read better, hate less.


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 20, 2011, 05:21:58 PM
What about DragonflyBSD? The Hurd? Or what about Haiku?!

Seriously! Stop feeding this troll, he won't share his "wisdom" anyway, neither here nor to anyone else who won't pay his little 5-digit sum.

Yes, Bitcoin exchanges were more or less overrun by users in the past few months - whoever didn't know this (there are charts, people!) does know now.
but... but.. it's funny to feed him :D


Title: Re: About Mt. Gox flaw from a security expert
Post by: nelisky on June 20, 2011, 05:22:03 PM


You see what you want to see, I read somewhere :)

I do think that people should be paid the same for the same task, regardless of them being poor or rich. I also think that your hatred made you state the wrong idea. You mean rich people should not PAY the same as poor people, right? not GET PAID?

regardless, yes, I think a thing is a thing and has a value regardless of who pays and who gets paid. It's how much you are willing to pay that makes the price, not how wealthy you are, in my personal opinion. But I'm sure you are correct, and that's why the world is as it is today.

You are American, right?

Next time you fill in your tax form, ask to pay the same amount as Donald Trump. Personal wealth doesn't matter, right? :)

Nope, not American at all. And yes, I would love to pay the same as donald trump for each unit of taxable income, he is much richer than I am and I pay much more per earned unit. Or was that your argument?

Ah, right, you are a troll, you make no arguments, only read hatred :)


Title: Re: About Mt. Gox flaw from a security expert
Post by: finack on June 20, 2011, 05:22:13 PM
You guys are pretty far off track arguing about socialism and BSD.

On that same TV show last night, Adam from Mt. Gox (adam@mtgox.com I believe) stated that they were looking to hire an app and systems security guy. It sounded like they wanted a full time employee, but they're liable to be fine with a consultant considering the bind they're in and how hard it would be to lure a full time type asset in Tokyo. If you're interested and looking for work maybe you should email them and set something up. It seems like that'd be a lot more productive than posting here about IIS vs. apache vs. nginx or session cookies.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 05:25:29 PM


No, FreeBSD has fewer discovered bugs..


after a major review.

Quote

And now you are talking about OpenBSD instead of FreeBSD.
Either you are stupid or you don't know what you are talking about.
OpenBSD is maybe the most paranoid OS in the world, yes that's right.


Because FreeBSD and OpenBSD have a totally different codebase, and the increase in bugs after the review is just a coincidence.

Quote
and...? uptime != security



You = wrong

Unless you don't touch your server when an intrusion is detected.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jjiimm_64 on June 20, 2011, 05:34:38 PM

I am just sorry that I won't be able to get these 10 minutes back!!


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokojie on June 20, 2011, 05:54:50 PM
It doesn't really matter what OS you use, it is important that you really "know" the OS you have chosen, I mean really "know" your sh*t about the OS.

FreeBSD/Linux can be set up poorly with tons of security holes.
Windows Server can be set up with rock solid security and nearly impossible to break.

It just depends on how well you know security, the OS and programming.


Title: Re: About Mt. Gox flaw from a security expert
Post by: finack on June 20, 2011, 06:18:11 PM
Amusingly, more or less right after defending tradehill by saying they allowed me to use ssl for everything, they changed their site so that it now gives mixed content warnings for script elements. This means that anyone who was sniffing my network could probably just pull the session cookie off of the script requests, and even if they've correctly set it to ssl cookie, any attacker running a MITM or on your local network could insert a modified script resource that could steal your account credentials or take control of your logged in account.

I'm sure they did this for performance reasons as their site is running slow as shit right now, but it doesn't give me any faith that tradehill is conducting themselves with a better security posture than anyone else.

http://img10.imageshack.us/img10/1506/tradehillmixedscriptcro.png
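As an added illustration of the defensive check behind this post and the earlier remark about session cookies over http (example code, not from the thread, Tradehill or Mt. Gox): a small audit that flags session cookies set without Secure/HttpOnly, responses without HSTS, and script elements an https page loads over plain http. The hostnames, headers and HTML below are constructed; the cookie-name hints are an assumption to adjust per application.

```python
"""Added example (not code from this thread or from either exchange):
audit one HTTPS response for the weaknesses discussed above, i.e. session
cookies a browser would also send over plain http, a missing HSTS header,
and <script> elements fetched over http from an https page (mixed content).
All sample headers, hostnames and HTML are constructed for the example."""
from html.parser import HTMLParser
from typing import List

# Name fragments that mark a cookie as session/auth related (assumption;
# adjust to the application under test).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def _is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(headers: List[str]) -> List[str]:
    """Check every Set-Cookie header; report session cookies that a browser
    would also send over plain http (no Secure) or expose to page script
    (no HttpOnly). Returns a list of human-readable findings."""
    findings = []
    for line in headers:
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip()
        # Attribute names only; values (path=/, max-age=...) are irrelevant here.
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if not _is_session_cookie(cookie_name):
            continue
        if "secure" not in attrs:
            findings.append(f"{cookie_name}: missing Secure (also sent over http)")
        if "httponly" not in attrs:
            findings.append(f"{cookie_name}: missing HttpOnly (readable by page script)")
    return findings


def has_hsts(headers: List[str]) -> bool:
    """True if the response carries Strict-Transport-Security, so browsers
    refuse plain http for the host on later visits (what the 'force https'
    extension in the thread does client-side)."""
    return any(h.split(":", 1)[0].strip().lower() == "strict-transport-security"
               for h in headers)


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> element."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def audit_mixed_scripts(html: str) -> List[str]:
    """Report script elements fetched over plain http: on an https page they
    carry any same-site cookie that lacks Secure, and they are a script
    injection point for anyone on the network path."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    return [f"script loaded over http: {src}"
            for src in collector.srcs if src.lower().startswith("http://")]


def audit_response(headers: List[str], html: str) -> List[str]:
    """Combine the cookie, HSTS and mixed-content checks for one response."""
    findings = audit_set_cookie(headers) + audit_mixed_scripts(html)
    if not has_hsts(headers):
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample: a weak response of the kind described in the post ...
WEAK_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: PHPSESSID=deadbeef; path=/",
    "Set-Cookie: lang=en; path=/",
]
WEAK_HTML = ('<html><head>'
             '<script src="http://static.example.invalid/app.js"></script>'
             '<script src="https://example.invalid/ok.js"></script>'
             '</head><body></body></html>')

# ... and the corrected form of the same response.
HARDENED_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: PHPSESSID=deadbeef; path=/; Secure; HttpOnly",
    "Strict-Transport-Security: max-age=31536000",
]
HARDENED_HTML = WEAK_HTML.replace("http://static.example.invalid",
                                  "https://static.example.invalid")

if __name__ == "__main__":
    for label, hdrs, page in (("weak", WEAK_HEADERS, WEAK_HTML),
                              ("hardened", HARDENED_HEADERS, HARDENED_HTML)):
        print(label, audit_response(hdrs, page) or ["no findings"])
```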


Title: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: iCEBREAKER on June 20, 2011, 07:46:32 PM

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does FreeBSD have fewer vulnerabilities, but they are also less serious (check exploit or data execution)
FreeBSD is also less used :P so there might be more bugs and exploits to discover.
I actually like that there have been more holes in Linux, because it means that they are fixed.

Linux is used more than *BSD as a desktop OS by fangurlz with Tux The Penguin avatars (excluding OSX).
Linux is used more than *BSD as a server OS by businesses that hire fangurlz with Tux The Penguin avatars.

On the other hand, when we move into the world of the critical systems that keep the Linux kiddies' interwebs running smoothly, we find that *BSD has been used for much longer and with greater success:

Quote
Over ten years of work have been put into enhancing BSD, adding industry-leading SMP, multithreading, and network performance, as well as new management tools, file systems, and security features. As a result, FreeBSD may be found across the Internet, in the operating system of core router products, running root name servers, hosting major web sites, and as the foundation for widely used desktop operating systems.

The reason for this is that:

Quote
BSD is designed. Linux is grown.
You do know that without BIND and BSD, there would never have been any Linux or Tux, right?

You do know that the root nameservers have always and will always run BIND on BSD, right?

So why don't you write to the Internet Assigned Numbers Authority about how your magical Tux is so much more secure and popular than BSD.

I'm sure they'll be blown away by the force of your irrefutable, highly technical argument that "bugs, holes, and exploits are good."


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: kokjo on June 20, 2011, 08:27:33 PM

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does FreeBSD have fewer vulnerabilities, but they are also less serious (check exploit or data execution)
FreeBSD is also less used :P so there might be more bugs and exploits to discover.
I actually like that there have been more holes in Linux, because it means that they are fixed.

Linux is used more than *BSD as a desktop OS by fangurlz with Tux The Penguin avatars (excluding OSX).
Linux is used more than *BSD as a server OS by businesses that hire fangurlz with Tux The Penguin avatars.

On the other hand, when we move into the world of the critical systems that keep the Linux kiddies' interwebs running smoothly, we find that *BSD has been used for much longer and with greater success:

Quote
Over ten years of work have been put into enhancing BSD, adding industry-leading SMP, multithreading, and network performance, as well as new management tools, file systems, and security features. As a result, FreeBSD may be found across the Internet, in the operating system of core router products, running root name servers, hosting major web sites, and as the foundation for widely used desktop operating systems.

The reason for this is that:

Quote
BSD is designed. Linux is grown.
You do know that without BIND and BSD, there would never have been any Linux or Tux, right?

You do know that the root nameservers have always and will always run BIND on BSD, right?

So why don't you write to the Internet Assigned Numbers Authority about how your magical Tux is so much more secure and popular than BSD.

I'm sure they'll be blown away by the force of your irrefutable, highly technical argument that "bugs, holes, and exploits are good."
Linux is used more on servers and desktops. True!
FreeBSD is not the only thing that runs the root nameservers, core routers, etc...
NSD is also running instead of BIND on some root servers.

btw. Linux is designed and BSD is grown, take a look at the unix family tree:
http://upload.wikimedia.org/wikipedia/commons/5/50/Unix_history-simple.png
Linux is a straight line from 1991 to now, and *BSD history goes back to 1969 from Unics.
It's true that *BSD is older than Linux. But it's grown.

btw. the quote:
Quote
Over ten years of work have been put into enhancing BSD, adding industry-leading SMP, multithreading, and network performance, as well as new management tools, file systems, and security features. As a result, FreeBSD may be found across the Internet, in the operating system of core router products, running root name servers, hosting major web sites, and as the foundation for widely used desktop operating systems.
is taken from the FreeBSD website, and is therefore heavily biased. :)

I think you are a troll too. All your arguments are wrong.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 20, 2011, 08:34:56 PM

Quote
BSD is designed. Linux is grown.

This is such a beautiful sentence.


When developing some serial drivers for vending machines running Linux, my team and I went crazy handling all the hacks, specifications and modules the kernel had. It is just a bloated monster; on a driver I found a comment:

"We don't know why it is this way, but please don't touch it"


The server controlling the vending machines instead runs on FreeBSD, and its much tidier and organized kernel space has been a pleasure to work with.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: kokjo on June 20, 2011, 08:46:47 PM

Quote
BSD is designed. Linux is grown.

This is such a beautiful sentence.


When developing some serial drivers for vending machines running Linux, my team and I went crazy handling all the hacks, specifications and modules the kernel had. It is just a bloated monster; on a driver I found a comment:

"We don't know why it is this way, but please don't touch it"


The server controlling the vending machines instead runs on FreeBSD, and its much tidier and organized kernel space has been a pleasure to work with.
Comments like that are because of some old hacks on very old buggy hardware; these types of comments are also in the FreeBSD source code.
Some people would also find it easier to run Windows XP on your vending machine.
I have read most of the core code in Linux and FreeBSD, and I found that Linux's source is simpler,
while FreeBSD is kind of difficult to understand sometimes.
It's just my opinion.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 20, 2011, 08:57:35 PM

i have read most of the core code in Linux and Freebsd.


Did you really read MILLIONS of lines of code?

The Linux kernel codebase is roughly 10 million lines of code just for the kernel (excluding the comments and the toolchain to compile it. The full system with also GUI and other stuff is roughly 2.4 billion lines).

Imagine you read 50% of it, at one second per line (whoa, you're a living compiler); it makes 158 years.


The eldest living compiler!

Now I understand why you go around calling other people trolls. You have every right.


This little calculation saved me from explaining that if you had really read at least some of the BSD and Linux codebase you would know how much tidier BSD kernelspace is.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 20, 2011, 09:09:48 PM
FreeBSD has fewer bugs than Linux (one fold less).
FreeBSD bugs went up because there has been a MAJOR review of code, both from volunteers and paid developers. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
The production machines with the best uptime are FreeBSD based.
Still you think that Linux is safer than FreeBSD?

Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.


Title: IF [Tux avatar] THEN [fanboi troll]
Post by: iCEBREAKER on June 20, 2011, 09:11:54 PM

i have read most of the core code in Linux and Freebsd.


Did you really read MILLIONS of lines of code?

The Linux kernel codebase is roughly 10 million lines of code just for the kernel (excluding the comments and the toolchain to compile it. The full system with also GUI and other stuff is roughly 2.4 billion lines).

Imagine you read 50% of it, at one second per line (whoa, you're a living compiler); it makes 158 years.


The eldest living compiler!

Now I understand why you go around calling other people trolls. You have every right.


This little calculation saved me from explaining that if you had really read at least some of the BSD and Linux codebase you would know how much tidier BSD kernelspace is.

Of course he didn't actually read "most of the core code in Linux and Freebsd."  That's absurd.

We are dealing with a poser (the worst kind of Linux fanboi is the wanna-be); notice how he splits hairs about Open vs Free BSD, yet never mentions which flavor of Linux he's jocking.

Someone who finds "freeBSD kind of difficult to understand" is probably not a *nix expert of any kind!



Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: kokjo on June 20, 2011, 09:15:59 PM

i have read most of the core code in Linux and Freebsd.


Did you really read MILLIONS of lines of code?

The Linux kernel codebase is roughly 10 million lines of code just for the kernel (excluding the comments and the toolchain to compile it. The full system with also GUI and other stuff is roughly 2.4 billion lines).

Imagine you read 50% of it, at one second per line (whoa, you're a living compiler); it makes 158 years.


The eldest living compiler!

Now I understand why you go around calling other people trolls. You have every right.


This little calculation saved me from explaining that if you had really read at least some of the BSD and Linux codebase you would know how much tidier BSD kernelspace is.
yes, that's many lines. but not in the core code; that excludes all the drivers (90%), and all the archs (5-8%) (except x86 and arm). it's not that many. i have only read 2-5% of the whole linux code, and only the parts that concern me.
some of the toolchain i have also read, gcc and binutils, not all of it but some.
the FreeBSD source only confused me.


Title: Re: IF [Tux avatar] THEN [fanboi troll]
Post by: kokjo on June 20, 2011, 09:22:51 PM

i have read most of the core code in Linux and Freebsd.


Did you really read MILLIONS of lines of code?

The Linux kernel codebase is roughly 10 million lines of code just for the kernel (excluding the comments and the toolchain to compile it. The full system with also GUI and other stuff is roughly 2.4 billion lines).

Imagine you read 50% of it, at one second per line (whoa, you're a living compiler); it makes 158 years.


The eldest living compiler!

Now I understand why you go around calling other people trolls. You have every right.


This little calculation saved me from explaining that if you had really read at least some of the BSD and Linux codebase you would know how much tidier BSD kernelspace is.

Of course he didn't actually read "most of the core code in Linux and Freebsd."  That's absurd.

We are dealing with a poser (the worst kind of Linux fanboi is the wanna-be); notice how he splits hairs about Open vs Free BSD, yet never mentions which flavor of Linux he's jocking.

Someone who finds "freeBSD kind of difficult to understand" is probably not a *nix expert of any kind!


LOL. you don't know what you are talking about.
for your information i can say that i'm right now on gentoo, my home server runs ubuntu. i also have another computer which runs CentOS 5.
freebsd userland is much easier to understand than the kernel land.


Title: Re: IF [Tux avatar] THEN [fanboi troll]
Post by: jgraham on June 20, 2011, 09:28:15 PM
LOL. you don't know what you are talking about.
for your information i can say that i'm right now on gentoo, my home server runs ubuntu. i also have another computer which runs CentOS 5.
freebsd userland is much easier to understand than the kernel land.

I'm a Gentoo convert (from OpenBSD actually). Are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)


Title: Re: About Mt. Gox flaw from a security expert
Post by: timsmith on June 20, 2011, 09:35:32 PM
Did you  really read MILLIONS of line of code?  ... Imagine you read 50% of it, at one second per line (whoa, you're a living compiler), it makes 158 years.
You know, it is possible to be absolutely right and yet still come across as a bit of a dick...  ::)


Title: Re: IF [Tux avatar] THEN [fanboi troll]
Post by: kokjo on June 20, 2011, 09:35:55 PM
LOL. you don't know what you are talking about.
for your information i can say that i'm right now on gentoo, my home server runs ubuntu. i also have another computer which runs CentOS 5.
freebsd userland is much easier to understand than the kernel land.

I'm a Gentoo convert (from OpenBSD actually). Are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)
no, not using the hardened one; i did not find it necessary on a laptop. if it was a server i would have chosen a hardened profile.


Title: Bazaar fanboi hates Cathedral. Film at 11.
Post by: iCEBREAKER on June 20, 2011, 09:39:06 PM
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).

The vending machine story is a great parable of why sometimes you really, really want an OS designed by electronic engineers to be secure and robust, instead of a hobbyist's toy that is beloved by hipster dot-com wannabe types and businesses that love getting a cheap version knockoff version of genuine, authentic Unix.

Let's bring the discussion back to MtGox.

If I was setting up an online exchange, I would use Red Hat Linux for the public-facing front-ends.

I would use Red Hat Linux for the database servers, both master and slaves. 

But for the critical stuff, such as the bitcoind instance, email, and SSL, etc. there is no choice except for the decision between FreeBSD and OpenBSD.  I'd go with OpenBSD for the firewall, and FreeBSD for bitcoind.  NetBSD for email.  My users would get nothing less than the most secure set-up available outside NSA.

http://www.geekytattoos.com/wp-content/uploads/2008/12/joey_linux_bsd.jpg

The fanbois really should realize there is life beyond LAMP.


Title: self-referential post is self-referential
Post by: iCEBREAKER on June 20, 2011, 09:47:27 PM
Did you  really read MILLIONS of line of code?  ... Imagine you read 50% of it, at one second per line (whoa, you're a living compiler), it makes 158 years.
You know, it is possible to be absolutely right and yet still come across as a bit of a dick...  ::)

You mean like someone who implies that (surprise!) some unspecified flavor of Linux is more secure than BSD, claims to have read the source code for both, then admits he actually hasn't, all while sporting a Tux avatar?

By all means, let's indulge them and clap and sing their fanboi praises while they piss on us and say it's rain.


Title: Re: IF [Tux avatar] THEN [fanboi troll]
Post by: jgraham on June 20, 2011, 09:48:32 PM
LOL. you don't know what you are talking about.
for your information i can say that i'm right now on gentoo, my home server runs ubuntu. i also have another computer which runs CentOS 5.
freebsd userland is much easier to understand than the kernel land.

I'm a Gentoo convert (from OpenBSD actually). Are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)
no, not using the hardened one; i did not find it necessary on a laptop. if it was a server i would have chosen a hardened profile.

Ah, didn't see that bit.  I'd also recommend the GrSecurity patches (I know that SeLinux is part and parcel of Gentoo these days but I think that in general the learning capabilities of GrSec outweigh the flexibility of SeLinux in real-world deployments).  I left OpenBSD when Theo D. seemed to be becoming more unhinged than usual.  I haven't used FreeBSD since 1997, and while I'm sure it's a fine OS (some of the papers I've read show kernel I/O calls with impressively low latency), there is little reason to believe that a well-deployed Linux box is any worse off than a well-deployed FreeBSD box, especially under such a poorly defined term as "security".  Were I you, I'd just leave the mouse alone.  Most of the arguments I've read from him are specious.  The only impressive thing he's done is change the argument scope on you.  PM me if you have questions about Linux security.


Title: Re: Bazaar fanboi hates Cathedral. Film at 11.
Post by: timsmith on June 20, 2011, 09:51:59 PM
In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
Actually, in my experience in the CS community I'd say that it has gone more and more Windows centric. There are good points (Windows Server is obviously a lot better than XP these days) and not so good points (et al etc etc ;D) to that, but it seems to be the trend regardless sadly. I'm seeing more and more "critical infrastructure" running on Windows as time goes on, even more so as people rush to outsource services (no matter how critical) to "the cloud" and similar hypervised systems. I suspect that this says more about corporate sponsorship than actual technical benefits.

If I was setting up an online exchange, I would use Red Hat Linux for the public-facing front-ends.

I would use Red Hat Linux for the database servers, both master and slaves. 

But for the critical stuff, such as the bitcoind instance, email, and SSL, etc. there is no choice except for the decision between FreeBSD and OpenBSD.  I'd go with OpenBSD for the firewall, and FreeBSD for bitcoind.  NetBSD for email.  My users would get nothing less than the most secure set-up available outside NSA.
I wouldn't. I wouldn't do any of that. Far from it, the first and only thing I'd do is outsource all the technical requirements to a third-party company. Probably one such as the one you own/work for. Then I'd put in place a whole load of over the top SLAs so that when (not "if") the brown stuff hits the fan, I can pass all the blame on to you.

The biggest danger in the world of the internet is not whether one uses Windows or Linux or OS X or FreeBSD. The biggest danger are one-man armies who think that they can knock things like this together all by themselves. No matter how clever you are, or how much experience or qualifications you have, you still need to eat, sleep and visit the toilet.

The reason that we get so many up-start disasters like this is precisely because they are set up by people who think that they are going to do one better than the last person. And there is always someone waiting to come along who will think of something you didn't think of. You can have the best operating system in the world, but if Doris the cleaner unplugs the box to put the vacuum cleaner on, it all goes down. Taking responsibility for other people's money is a dangerous game fraught with risk, and I wouldn't touch it to begin with.


Title: Re: Bazaar fanboi hates Cathedral. Film at 11.
Post by: jgraham on June 20, 2011, 09:58:51 PM
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

I contend that if you are making an argument then it's up to you to support it.   Clearly, he doesn't need to convince you.  That's well and good but it still leaves the point as conjecture.

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".  Speaking as a member of the aforementioned "CS community" (a la Dijkstra :-) )


Title: Re: Bazaar fanboi hates Cathedral. Film at 11.
Post by: timsmith on June 20, 2011, 10:07:04 PM
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".
Aah too true, ethereal propaganda at its finest.

They work well on management types as well:
"All your competitors use X because it's known to be more secure"
"You need to use Y because it is proven to be more efficient"
"Recent research has shown that Z has the best uptime"

For less technically savvy managers, consider replacing "secure" with "virus-proof", "efficient" with "virus-resistant" and "uptime" with "virus protection" 8)


Title: Re: Bazaar fanboi hates Cathedral. Film at 11.
Post by: jgraham on June 20, 2011, 10:14:27 PM
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".
Aah too true, ethereal propaganda at its finest.

They work well on management types as well:
"All your competitors use X because it's known to be more secure"
"You need to use Y because it is proven to be more efficient"
"Recent research has shown that Z has the best uptime"

For less technically savvy managers, consider replacing "secure" with "virus-proof", "efficient" with "virus-resistant" and "uptime" with "virus protection" 8)

Ok, Tim don't take this the wrong way but I love you.

I'm well familiar with that situation.  Some of the research these "whitepapers" quote ranges from funny to insulting.   I remember once someone gave me some vendor rag that said "Model XXX rackmounted server is 15% more power efficient than the average for its class".  I wish I could have been the math teacher for the writer of that article... so I could fail him.

It gets worse.  I used to get a bunch of security trades (because as soon as that word gets attached to your title people want to start selling you stuff).  I read a comparison of Email filter appliances and it ranked them on about four pieces of criteria....except how they filtered email.

I canceled all my subscriptions.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 20, 2011, 10:55:01 PM
May I ask the posters in this topic whether any of you have ever deployed a PCI DSS compliant infrastructure?


Title: Re: Bazaar fanboi hates Cathedral. Film at 11.
Post by: iCEBREAKER on June 20, 2011, 11:03:41 PM
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

I contend that if you are making an argument then it's up to you to support it.   Clearly, he doesn't need to convince you.  That's well and good but it still leaves the point as conjecture.

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".  Speaking as a member of the aforementioned "CS community" (a la Dijkstra :-) )

Referring to a commonly known fact, such as the security of BSD vs Linux, is not an argument.

Even if there happens to be a gainsaying fanboi present to dispute the widely recognized consensus reality.

I always find it interesting that people want to refer to the principal concepts of a conversation as "complex" and "nuanced" as a way appear more deeply thoughtful than the other participants.

BSD is not merely a security "product" it's the platform that the internet, and later the web, was built on and still runs on, to a large extent.

Please re-read my use of the phrase "well-known" in its proper context of me speaking about the real CS community.  And by "real" I mean EECS engineers and computer scientists, not cloud-happy corporate consultants and l33t Geek Squad linux fanboi.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 20, 2011, 11:13:41 PM

yes thats many lines. but not in the core code, that excludes all the drivers(90%),

drivers don't account for that much. They are roughly 55%

http://cityblogger.com/archives/2008/06/16/linux-kernel-stats

Quote
and all the archs(5-8%)(except x86 and arm).

I'm sure you know that source code doesn't depend on archs, as archs are handled by compilers.

But I'm sure you know that.

Quote
the FreeBSD source only did confuse me.

I think your confusion might not arise from BSD.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 20, 2011, 11:15:53 PM

some people would also find it easier to run windows xp on your vending machine.

Good luck running xp on arm. Without a GUI.

Or trying to get PCI DSS compliance for XP.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: Rob P. on June 20, 2011, 11:32:52 PM

some people would also find it easier to run windows xp on your vending machine.

Good luck running xp on arm. Without a GUI.

Or trying to get PCI DSS compliance for XP.

PCI compliance for XP is easy.  SP3 is compliant if properly virus protected.
Before just touting stuff, at least provide your sources.

From:  http://www.transactpos.com/Integrations/VeriFone/PCICompliance/tabid/146/Default.aspx
Quote
What versions of Windows are PCI Compliant?
     Vista Business Edition (32-Bit)
     Vista Home Premium (32-Bit)
     Vista Home Basic Edition (32-Bit)
     Windows XP Professional Edition (32-Bit)
     Windows 2003 Server Edition (32-Bit)


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 20, 2011, 11:40:42 PM


Before just touting stuff, at least provide your sources.

Windows is not compliant by itself. It is the combination of the software used and the OS.

Compliance is very expensive, and it is much more expensive on windows than linux.


Sorry, but quick googling didn't cut it this time >)


Title: Re: Bazaar fanboi hates Cathedral. Film at 11.
Post by: jgraham on June 20, 2011, 11:44:05 PM
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

I contend that if you are making an argument then it's up to you to support it.   Clearly, he doesn't need to convince you.  That's well and good but it still leaves the point as conjecture.

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".  Speaking as a member of the aforementioned "CS community" (a la Dijkstra :-) )

Referring to a commonly known fact, such as the security of BSD vs Linux, is not an argument.
If it were a fact, then you would be able to point to some clear and objective evidence of that right?  (Keep in mind that because you are referring to 'security' as some kind of blanket term you'd be responsible for providing that kind of evidence for the majority of aspects of the term and of course how exactly you know that your set of aspects is the majority).

Quote
Even if there happens to be a gainsaying fanboi present to dispute the widely recognized consensus reality.
Nice labeling there mac.  This isn't gainsaying.  I, simply as a IT security professional and the holder of a degree in computer science, have seen no set of well-defined, broadly scoped evidence that BSD is superior in "security" to Linux.  Nor in my conversation with other security professionals or members of the CS community (like my alumni, Usenix attendees)  see any clear consensus as to the superiority of BSD.  I have, certainly met people who make that claim but they always seem to fall down when trying to come up with a general definition of security or if they do they fall down in substantiating it with regard to their favored OS/Platform/Giant Spider.  Ergo it seems reasonable to me to call such a term "complex" furthermore given that even the most secure systems from a theoretical point of view can be entirely undone in implementation (such as EMF side-channel attacks on QKDS) it seems again reasonable to me to call such a system "nuanced".  Given these two facts (using the term correctly here).  I think it is entirely justified to be mistrustful of any and all who consider "security' as an open and shut case for product (or platform or giant spider) X over product (you get the idea) Y.
Quote
Please re-read my use of the phrase "well-known" in its proper context of me speaking about the real CS community.  And by "real" I mean EECS engineers and computer scientists, not cloud-happy corporate consultants and l33t Geek Squad linux fanboi.

What do you want from me here, guy? The two sentences above tell me to look at your use of the term "well-known" as: your opinion of the opinions of two very large groups, of which your sample size is probably so small and poorly randomized it's useless.  Not to mention that even if the majority of those two groups held the opinion you claim, it still isn't necessarily meaningful.   Computer Science and EECS people do not always have a background in computer security, making their opinion anywhere from questionable to useless.   Given the size of the groups and the variance in the population's skill set you could easily be getting the opinion of the least qualified people. I mean, would you really rank the opinion of someone whose focus was in Combinatorics or AI or Queuing Theory as equal or greater than Bruce Schneier or (going old school) D. J. Bernstein when it comes to an application's or operating system's "security"?  If you don't, then how many Combinatoricists, AI researchers or Queuing Theorists make one Bruce or Dan?

Not to mention it's not hard to find high-profile people in computer security who disagree on "well-known" concepts.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: Rob P. on June 20, 2011, 11:46:33 PM


Before just touting stuff, at least provide your sources.

Windows is not compliant by itself. It is the combination of the software used and the OS.

Compliance is very expensive, and it is much more expensive on windows than linux.


Sorry, but quick googling didn't cut it this time >)

Still don't see your sources, maybe I missed them.  You've probably never actually gotten PCI compliance for an entire organization.
Oh, and Windows IS compliant itself, running nothing but anti-virus, desktop firewall enabled, having automatic screen lockouts, currently patched, and rotating passwords in a timely (< 90 day) fashion.  Just because the example I cited is one talking about an application, doesn't invalidate that Windows XP can be compliant, something you stated it could not be.

Or trying to get PCI DSS compliance for XP.

As stated above, piece of cake.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 20, 2011, 11:49:39 PM


Still don't see your sources, maybe I missed them.  You've probably never actually gotten PCI compliance for an entire organization.

for an entire organization, no.

For a bank, yes.

Maybe banks are not safe enough for you.


Quote
Oh, and Windows IS compliant itself, running nothing but anti-virus, desktop firewall enabled, having automatic screen lockouts, currently patched, and rotating passwords in a timely (< 90 day) fashion.

you just forgot the credit card part.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: jgraham on June 20, 2011, 11:49:48 PM


Before just touting stuff, at least provide your sources.

Windows is not compliant by itself. It is the combination of the software used and the OS.

Compliance is very expensive, and it is much more expensive on windows than linux.


Sorry, but quick googling didn't cut it this time >)

I think you've betrayed your skillset (again).  Level 1 vendor compliance is expensive.   It's not just expensive in CAPEX it's also expensive in OPEX.   Many vending machines would only need level 4 compliance.


Title: Re: Bazaar fanboi hates Cathedral. Film at 11.
Post by: muad_dib on June 20, 2011, 11:53:21 PM

If it were a fact, then you would be able to point to some clear and objective evidence of that right?  (Keep in mind that because you are referring to 'security' as some kind of blanket term you'd be responsible for providing that kind of evidence for the majority of aspects of the term and of course how exactly you know that your set of aspects is the majority).


So the number of security flaws doesn't matter, because the more bugs you have, the better it is.

Uptime doesn't matter, because you don't need to reboot after a privilege escalation.

Design choices don't matter, because .... (insert stupid reason here)

Which evidence do you want? The holy spirit telling you that BSD runs your infrastructure?



Quote
Not to mention it's not hard to find high-profile people in computer security who disagree on "well-known" concepts.

Security is not a concept.

It's a question of counting flaws and measuring uptime.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 20, 2011, 11:54:51 PM


I think you've betrayed your skillset (again).


I'm tired of all the arrogance you can find in this forum. I'm not paid to educate you.

If you want my opinion, please try not to be offensive.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: minerX on June 21, 2011, 12:07:19 AM


I think you've betrayed your skillset (again).


I'm tired of all the arrogance you can find in this forum. I'm not paid to educate you.

If you want my opinion, please try not to be offensive.


You sound like a douchebag.  Your original post and subsequent posts made me look at your posting history, and yup, you don't know shit.


Title: Re: Bazaar fanboi hates Cathedral. Film at 11.
Post by: jgraham on June 21, 2011, 12:17:46 AM
So the number of security flaws doesn't matter, because the more bugs you have, the better it is.
edit: I'm going to re-write this bit:
The problems with counting flaws are myriad, as there is no mention as to *what* you're counting.  A DoS vulnerability may not be worth patching for a machine in your MZ running a service that's only used for a few hours every day, especially if it means dispatching a tech to a CO in Nowhereville USA.   This is part of your security profiling procedure, where the company decides what the things are it's trying to protect.  Is it uptime?  Is it data integrity? Is it different for different servers?  On top of that, "counting" is lame because it assumes that every flaw is of equal weight.  However, in the *real* security world we don't think that way.   The term-du-jour is "modeling", but all this is is taking a page out of risk management's book.  Here we use MS's model DREAD - http://msdn.microsoft.com/en-us/library/ff648644.aspx . Essentially we assign every flaw a bunch of criteria, like how frequently this could be taken advantage of or the skillset required to pull it off.   On top of that there is always remediation.  That is, is there a workaround or fix?  Can we use a firewall or our BGP equipment to mitigate the risk?

...and that's just for the group of outstanding flaws.  IIRC the little mouse was actually referring to bugs that either were closed or being addressed.  That metric is probably pretty close to useless.  It's almost an example of the gambler's fallacy.


Quote
Uptime doesn't matter, because you don't need to reboot after a privilege escalation.
Depends on where in the stack the escalation takes place, and again whether there are ways to mitigate it.  Uptime is a statistic that might tell you something about security, but it can just as easily tell you something about funding, business goals, or overall admin philosophy.   So it's not likely to be a very *good* indicator of security.

Quote
Design choices don't matter, because .... (insert stupid reason here)
Again it depends; for example, a microkernel architecture could be considered a security design choice, but the BSDs manage fine without it.

Quote
Security is not a concept.
Actually that statement didn't say it was.   All that sentence said is that security *contains* concepts.

Quote
It's a question of counting flaws and measuring uptime.

Like for example the idea that some mice might have that "security" is based purely on two metrics - is a concept.
Do you really need me to explain how those two metrics: Number of flaws and Uptime don't necessarily tell you anything about security?
Not to mention some of the postings you've made of these kinds of metrics makes me think you've never taken a statistics class.
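
As an added example (not code from any poster in this thread), here is how the weighted scoring jgraham describes plays out against plain flaw counting. The five DREAD criteria and their 1-10 scale are Microsoft's; the mitigation multiplier, the two platform names and every finding are constructed assumptions for illustration, not real vulnerability data:

```python
"""Weighted risk scoring (DREAD) vs. raw flaw counting.

Constructed example: two hypothetical platforms, each with a made-up
list of findings. None of this is real vulnerability data.
"""
from dataclasses import dataclass

# The five DREAD criteria from Microsoft's threat-modeling guidance.
# Each is rated 1 (lowest risk) to 10 (highest); the risk score is the mean.
DREAD_CRITERIA = (
    "damage",           # how bad is it if exploited?
    "reproducibility",  # how reliably can it be triggered?
    "exploitability",   # how much skill/effort is needed?
    "affected_users",   # how many users/systems are hit?
    "discoverability",  # how easy is it to find?
)

# ASSUMPTION (not part of DREAD): a deployed mitigation such as a firewall
# rule or edge filtering halves the residual risk of a finding.
MITIGATION_FACTOR = 0.5


def dread_score(scores: dict) -> float:
    """Mean of the five DREAD ratings; rejects missing or out-of-range values."""
    missing = set(DREAD_CRITERIA) - set(scores)
    if missing:
        raise ValueError(f"missing criteria: {sorted(missing)}")
    for name in DREAD_CRITERIA:
        value = scores[name]
        if not 1 <= value <= 10:
            raise ValueError(f"{name}={value} is outside 1..10")
    return sum(scores[name] for name in DREAD_CRITERIA) / len(DREAD_CRITERIA)


@dataclass
class Finding:
    name: str
    scores: dict
    mitigated: bool = False  # is a workaround or fix already in place?

    def residual_risk(self) -> float:
        risk = dread_score(self.scores)
        return risk * MITIGATION_FACTOR if self.mitigated else risk


def summarize(findings: list) -> dict:
    """Three readings of the same list: count, summed residual, worst single finding."""
    residuals = [f.residual_risk() for f in findings]
    return {
        "count": len(findings),
        "total_residual": round(sum(residuals), 2),
        "worst": max(residuals) if residuals else 0.0,
    }


def riskier(summary_a: dict, summary_b: dict, metric: str) -> str:
    """Which platform looks riskier under one metric: 'A', 'B' or 'tie'."""
    if summary_a[metric] > summary_b[metric]:
        return "A"
    if summary_b[metric] > summary_a[metric]:
        return "B"
    return "tie"


# Constructed findings (hypothetical, not real CVEs).
# Platform A: four low-impact DoS bugs, all already filtered at the edge.
DOS_SCORES = dict(damage=2, reproducibility=5, exploitability=4,
                  affected_users=3, discoverability=6)   # mean 4.0
PLATFORM_A = [Finding(f"dos-{i}", DOS_SCORES, mitigated=True) for i in range(4)]

# Platform B: one unauthenticated remote root with nothing in front of it.
ROOT_SCORES = dict(damage=10, reproducibility=9, exploitability=8,
                   affected_users=10, discoverability=8)  # mean 9.0
PLATFORM_B = [Finding("remote-root", ROOT_SCORES)]

SUMMARY_A = summarize(PLATFORM_A)
SUMMARY_B = summarize(PLATFORM_B)

if __name__ == "__main__":
    for metric in ("count", "total_residual", "worst"):
        print(f"{metric:15} A={SUMMARY_A[metric]:<5} B={SUMMARY_B[metric]:<5} "
              f"riskier: {riskier(SUMMARY_A, SUMMARY_B, metric)}")
```

Run as-is it shows the inversion the post is arguing about: by raw count platform A (four bugs) looks worse, while by summed residual risk and by worst single finding platform B (one unmitigated remote root) is the one you would lose sleep over. Swap the mitigation flag on the DoS findings to False and the summed-residual reading flips too, which is the "is there a workaround or fix?" step doing its work.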


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: jgraham on June 21, 2011, 12:19:56 AM
I think you've betrayed your skillset (again).
I'm tired of all the arrogance you can find in this forum. I'm not paid to educate you.
If you want my opinion, please try not to be offensive.
By far the most demonstrably arrogant person is you.  Just listen to yourself.

"I'm not paid to educate you".  No indication of humility there (the very idea that the little mouse would get some education is out of the question!)
"It's a question of counting flaws and measuring uptime." - no humility there either (can't possibly be anything else)
"I think your confusion might not arise from BSD." - oooh snap but not humble.
"Read better, hate less." - Yes, can't possibly be your writing.  Everyone else just reads you wrong.  That's really humble...no wait...the other thing...arrogant.   That's it.

Quote from: muad_dib
To be safe, Mt. gox need a complete rewrite of their code, plus the use of a stronger infrastructure. But they wont do this, because it would cost them Millions to keep the server offline for 1 month.
That's actually kind of interesting from a security perspective.  In my experience:

i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.  
ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.

These two assumptions make me wonder if you've ever really been involved in large-scale development work.

Anyway looks like the mouse has taken his ball and gone home...


Title: Re: About Mt. Gox flaw from a security expert
Post by: marcus_of_augustus on June 21, 2011, 01:52:02 AM

As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to Security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though FreeBSD's update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 million results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)


Anyhow let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.


Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 03:50:58 AM
Ok I admit that I'm going to cherry pick some specific features here but just reading over some of the security features in FreeBSD

RBAC: FreeBSD has a more sophisticated MAC but at least as far as the documentation I've seen there's no real "out of the box" solution there.  Available in Linux via GrSecurity since 2001.
FLASK: Yes, but they used the SELinux code to do it. (So obviously Linux had it first)
ASLR: OpenBSD yes (First OS to have it on by default).  FreeBSD, seemingly not-yet.  Linux has had this since 2000 via GrSecurity.

Kinda interesting for a "more secure than Linux" (by some as yet undefined standard) OS as endorsed by CS and CSEE professionals.

Anyway the point here isn't to bash BSD.  As I mentioned earlier I ran my systems on OpenBSD until about 2004.  For years I would have considered OpenBSD the best choice due to the attitude of those who worked on the project.   But it's not 1999 anymore and feature-wise UNIX-like OSes are all getting close to parity.  What you need, IMHO, is an experienced security professional to set down policies, procedures, practices and baselines based on your business assets and if you can't afford a third-party audit agency then they should try to fill that role.  They should be versed not just in CISSP style creation of policies but also have relatively low-level understanding of security on your platform of choice.


Title: Re: About Mt. Gox flaw from a security expert
Post by: ikonic on June 21, 2011, 03:59:22 AM
Interesting Read. Seems to be a lot of angst about OSes.

The bottom line is though, OSes are only as strong or weak as the people hardening them.

Anyways, don't want to hijack the thread but for those who would like to help contribute towards a Bitcoin Stock Exchange Security Standard, I have created a thread here http://forum.bitcoin.org/index.php?topic=20377.0


Title: Re: About Mt. Gox flaw from a security expert
Post by: CubedRoot on June 21, 2011, 04:07:27 AM
Dear Bitcoiners,

I'm sorry to hear that some people have had their account stolen, but I was expecting it.

The problem of Mt. Gox is that it has grown too fast, without the correct investment in customer safety. The design of the site is not thought for security, and it is evident even from the API. Basic cornerstones like input validation, or safe data exchange are omitted, as if that was a blog and not a sensitive web application. Luckily Mt. Gox makes enough money to pay admins to control the money-flow.


The bigger problem anyhow, is that other exchanges have blatantly copied the design of mt. Gox, along with its flaws, and with a smaller budget. Thus I expect more security breaches. And this is a big problem for the credibility of bitcoins. Thus I invite exchange owners to:


1) Use the right software. IIS is a big no-no :) Also Linux should be frowned upon. Unix is the way to go.

2) Update the software. You can't leave a known root escalation bug for 6 days!!!!

3) Have your code reviewed by a third party.

4) PHP security isn't too difficult, http://phpsec.org/projects/guide/ , still you missed most of the BASIC guidelines.

5) For God's sake, you're moving hundreds of thousands of dollars. Use a fucking dedicated server for the database. Accessible only by a local IP. If you wonder why I know this, then you should fire your admin.

If you own an exchange and would like to be safer, for a small fee (in the 5 figures) PM me, and I will tell you if your site is flawed, and if it is I can show you how I can have root access on the webserver at least.


I realized this guy was a dumbass when I read number 1.  I am a Redhat Certified Engineer, and I have several close friends and co-workers that are Linux Administrators for DoD, ORNL, and Y-12 (All in Tennessee).  Here is a reason why every single freaking one of these institutions relies on LINUX (mostly RHEL) for the utmost security. The OP has obviously no idea what SELinux is or just how actually secure it is.  It's a shame there are so many self declared "security experts" involved with Bitcoin.  I am no expert, but I do know my ass from a hole in the ground.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 04:31:47 AM
I realized this guy was a dumbass when I read number 1.  I am a Redhat Certified Engineer, and I have several close friends and co-workers that are Linux Administrators for DoD, ORNL, and Y-12 (All in Tennessee).  Here is a reason why every single freaking one of these institutions relies on LINUX (mostly RHEL) for the utmost security. The OP has obviously no idea what SELinux is or just how actually secure it is.  It's a shame there are so many self declared "security experts" involved with Bitcoin.  I am no expert, but I do know my ass from a hole in the ground.

Warning. Total derail attempt. Warning.

Do the RHCE exams still have an in-class practical portion?  I just finished the LPIC-1 - could have done it in my sleep.
Also do you or your peers have a lot of interactions with auditors on the system security side?  I keep finding places where inappropriate security policies (like 90 day password cycling) are being enforced not by admins but by auditors because said policy made it into someone's best practices book.





Title: Re: About Mt. Gox flaw from a security expert
Post by: marcus_of_augustus on June 21, 2011, 04:38:46 AM
Dear Bitcoiners,

I'm sorry to hear that some people have had their account stolen, but I was expecting it.

The problem of Mt. Gox is that it has grown too fast, without the correct investment in customer safety. The design of the site is not thought for security, and it is evident even from the API. Basic cornerstones like input validation, or safe data exchange are omitted, as if that was a blog and not a sensitive web application. Luckily Mt. Gox makes enough money to pay admins to control the money-flow.


The bigger problem anyhow, is that other exchanges have blatantly copied the design of mt. Gox, along with its flaws, and with a smaller budget. Thus I expect more security breaches. And this is a big problem for the credibility of bitcoins. Thus I invite exchange owners to:


1) Use the right software. IIS is a big no-no :) Also Linux should be frowned upon. Unix is the way to go.

2) Update the software. You can't leave a known root escalation bug for 6 days!!!!

3) Have your code reviewed by a third party.

4) PHP security isn't too difficult, http://phpsec.org/projects/guide/ , still you missed most of the BASIC guidelines.

5) For God's sake, you're moving hundreds of thousands of dollars. Use a fucking dedicated server for the database. Accessible only by a local IP. If you wonder why I know this, then you should fire your admin.

If you own an exchange and would like to be safer, for a small fee (in the 5 figures) PM me, and I will tell you if your site is flawed, and if it is I can show you how I can have root access on the webserver at least.


I realized this guy was a dumbass when I read number 1.  I am a Redhat Certified Engineer, and I have several close friends and co-workers that are Linux Administrators for DoD, ORNL, and Y-12 (All in Tennessee).  Here is a reason why every single freaking one of these institutions relies on LINUX (mostly RHEL) for the utmost security. The OP has obviously no idea what SELinux is or just how actually secure it is.  It's a shame there are so many self declared "security experts" involved with Bitcoin.  I am no expert, but I do know my ass from a hole in the ground.

I'm inclined to agree ....  yet the number of people building bitcoind on a RH system or derivative numbers in the tens, if that ... absolutely no support that I can find for RH bitcoind ... except this howto for CentOS http://www.austinheap.com/assets/coins/531b6341e653b7b57a8f7f5cc3da79d9.pdf ....

C'mon you RH guys get in here and show them how it's done, we need you. hware/OS/sware are the three legs of security ... people have forgotten about 1 and 2 in the rush to make money I fear.





Title: Re: About Mt. Gox flaw from a security expert
Post by: iBTC on June 21, 2011, 04:41:29 AM
but look at openbsd.  It had a backdoor for years exactly because less people audit the code.
Not true, prove it.


Title: Re: About Mt. Gox flaw from a security expert
Post by: CubedRoot on June 21, 2011, 04:52:08 AM
The RHCE exams are pretty hardcore.  There are no multiple choice BS like most certification exams, hence why they are more valued across the industry as a de facto standard.  The RHCE exam is 100% lab based, and your work is judged by an examiner upon completion.  You simply don't plop down and choose from A through E on an exam. You have 4 hours to complete the exam, and usually everyone works up to the clock to complete.  There is also a very small success rate on the exam, it hovers around 44% of folks that take it, pass it on their first attempt.

I was hoping to go to the Southeast Linux Fest in Spartanburg that happened a week or so ago and take the LPIC 1 and LPIC 2 tests, but life got in the way and I had to cancel my trip plans :(

At my company, we have a 90 day password expiration, and we enforce minimum 12 char alpha-numeric requirements for all production machines.  One of my colleagues is an RHCSS (Redhat Certified Security Specialist) and he works with SELinux contexts daily.  It is simply amazing what can be achieved with SELinux.  


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 05:10:37 AM
The RHCE exams are pretty hardcore.  There are no multiple choice BS like most certification exams, hence why they are more valued across the industry as a de facto standard.  The RHCE exam is 100% lab based, and your work is judged by an examiner upon completion.  You simply don't plop down and choose from A through E on an exam. You have 4 hours to complete the exam, and usually everyone works up to the clock to complete.  There is also a very small success rate on the exam, it hovers around 44% of folks that take it, pass it on their first attempt.

See I like that approach rather than regurgitating the command options for three different package managers ;-) (and the one I actually use of course).  Nothing shows competence better than proving you can do the work.  My team has even given up on written tests in job interviews.  We've switched to doing "virtual labs".

Quote
I was hoping to go to the Southeast Linux Fest in Spartanburg that happened a week or so ago and take the LPIC 1 and LPIC 2 tests, but life got in the way and I had to cancel my trip plans :(

You will breeze through the 1.   I haven't read over the 2 yet.   The main reason I took them is that I'm taking a whack at teaching them in the fall.

Quote
At my company, we have a 90 day password expiration, and we enforce minimum 12 char alpha-numeric requirements for all production machines.

Yes, I wasn't trying to imply that 90 day cycles are generally inappropriate.   For example Windows domain admin accounts have so much power by default and are so widely used in the industry that we enforce heavy password rules.   However for regular users 90 day cycles with three iteration memories tends to have them writing the password down.  So we enforce complexity but not cycling.

Quote
One of my colleagues is an RHCSS (Redhat Certified Security Specialist) and he works with SELinux contexts daily.  It is simply amazing what can be achieved with SELinux.  

SELinux is incredibly flexible in my opinion but I think you hit the nail on the head there.  Its real power is in the hands of experts.   Which is why I tend to recommend GrSecurity - gradm can be run in a "learning" mode to create your RBACs for you.  I guess on the flipside PaX is more robust than execshield but not nearly as transparent in operation.  Other than those points I find it a matter of taste.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 21, 2011, 05:18:37 AM
I actually had to skim after the third page...any of you "experts" running VMS?  If you're going to pose and strut about security and all.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 21, 2011, 05:27:16 AM
Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips" 
  I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.


Title: Re: About Mt. Gox flaw from a security expert
Post by: iBTC on June 21, 2011, 05:56:59 AM
Unfortunately this topic has turned into a dick-measuring contest.


Title: Re: About Mt. Gox flaw from a security expert
Post by: dr.bitcoin on June 21, 2011, 05:57:43 AM
Wow, this thread was fun to read...
 :) ;D >:( :P :'(


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 06:01:35 AM
Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips" 
  I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.

I'm not an expert (someone with some particular level of expertise), I'm a professional (someone who does this for a living).  I haven't touched VMS since I was eighteen and was hired to develop for the Ministry of Education's 8530.  I admit I found DCL's parameters and qualifiers rather intuitive and I think I've always had some admiration for Cutler.

My only opinion here is that systems like these are difficult to compare.   For example VMS has a bunch of security certifications which might be okay when comparing it against other proprietary systems with money behind them but few Linux distros would bother getting an E3 certification.  Especially since the common criteria covers IIRC hardware and software.   So it's not enough to certify Linux but if memory serves you would be certifying some collection of server + OS.  Which makes it of more value to those vendors who have control of the hardware and the software.

Otherwise what do we compare on?

Do we count flaws?  Hardly fair even if these counts existed since these systems are not nearly as widely used as Linux.
Features?  Does it do ASLR? Who knows? How much entropy is in their implementation?
See what I mean?

It's not as clear as comparing a Non-Stop system to a Linux system.


Title: Re: About Mt. Gox flaw from a security expert
Post by: CubedRoot on June 21, 2011, 06:05:23 AM
Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the water's cold, ain't it?


Title: Re: About Mt. Gox flaw from a security expert
Post by: iBTC on June 21, 2011, 06:08:10 AM
Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the water's cold, ain't it?
:]


Title: Re: About Mt. Gox flaw from a security expert
Post by: cuddlefish on June 21, 2011, 06:12:47 AM

As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to Security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though FreeBSD's update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 million results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)


Anyhow let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.


The Linux kernel uptime rolls over at 497 days. The system doesn't go down, the uptime is just reset.

Linux, incidentally, has more eyes, so more seen bugs.

I like freebsd, but linux is much better for sysadmins.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 21, 2011, 06:13:53 AM
It's been "Open" VMS for quite some time now.  I lost my hardon for programming about the time 386's became de facto...but as far as I can tell, real banks use VMS.  So go hack, kids.  And use a man's knife...I agree that the BSD's are hardened better than walking around scratching Linux, and Solaris is perhaps a better choice, again, because of who uses it.  But if you want a sword and a suit of armor, learn VMS.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 21, 2011, 06:26:22 AM
And to the little mouse in the moon.  Arrogance will get you lots of places, but history says that you were blind.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 06:37:06 AM
It's been "Open" VMS for quite some time now.  I lost my hardon for programming about the time 386's became de facto...but as far as I can tell, real banks use VMS.  So go hack, kids.  And use a man's knife...I agree that the BSD's are hardened better than walking around scratching Linux, and Solaris is perhaps a better choice, again, because of who uses it.  But if you want a sword and a suit of armor, learn VMS.

So are the default admin credentials still system/master on VMS?

Like I say it's not really that cut-and-dried; there are dozens of reasons to use an operating system that have nothing at all to do with security.  Even if you are a bank.  At the trust company I worked at we used VM/CMS.  Why?  Because we had an S/390 and we had a huge and profitable piece of software written for it.  Was the system secure?  Who knew? Although as time went on the edge systems were converted to AIX.



Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 21, 2011, 06:57:33 AM
Admittedly outside of my experience, but I'm embarrassed by the "experts" in here that are experts at catching low-hanging fruit.  Keep your enemies closer, as they say, what weapons do they wield?


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 21, 2011, 07:21:01 AM


You sound like a douchebag.  Your original post and subsequent posts made me look at your posting history, and yup, you don't know shit.

Maybe you missed all the insults I got.


edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.  




you simply need to read my posts better. If you lack basic reading skills, that is not my fault.


 1.  I am a Redhat Certified Engineer,


And I won a nobel for having the longest dick.

I'm sorry but buying a certificate is not going to make you a more educated person. In my country we have something called "College Degree"

Moreover here we're discussing facts, not people.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 07:22:36 AM


Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.


I don't think we need to run bitcoind on BSD. You can or you can't, depends on your choice.


The web frontend needs to run on bsd, FOR SURE.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: jgraham on June 21, 2011, 07:39:48 AM
Maybe you missed all the insults I got.

The most recent thing you labeled an "insult" was my statement that you "betrayed your skillset".  Seems like you need reading lessons.
Quote from: misdirecting_dib
edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.  

you simply need to read my posts better. If you lack basic reading skills, that is not my fault.
And yet you said: "It's a question of counting flaws and measuring uptime."  Perhaps your huge ego has some room to accept the possibility that your problem with communication (and it's pretty clear you have one) is with the writer, not your readers.

Quote from: malapropism_dib
The web frontend needs to run on bsd, FOR SURE
What happened to talking about facts?  That's just conjecture.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 21, 2011, 07:41:54 AM

i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.  


Please, go to the authors of Wayland and stop them while you're still in time!!!

X can be patched! we dont need wayland!!!!

Quote

ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.


the fact is that the website is not safe TODAY, not tomorrow.

With all the money they have, they can buy a lot of manhours for debugging.

Quote

These two assumptions make me wonder if you've ever really been involved in large-scale development work.

Anyway looks like the mouse has taken his ball and gone home...

this sentence gives me the proof that not only you lack basic reading skills, but you also lack reasoning skills.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 07:50:47 AM

I realized this guy was a dumbass when I read number 1.  I am a Redhat Certified Engineer, and I have several close friends and co-workers that are Linux Administrators for DoD, ORNL, and Y-12 (All in Tennessee).  Here is a reason why every single freaking one of these institutions relies on LINUX (mostly RHEL) for the utmost security. The OP has obviously no idea what SELinux is or just how actually secure it is.  It's a shame there are so many self declared "security experts" involved with Bitcoin.  I am no expert, but I do know my ass from a hole in the ground.

You know? You're funny.

You call yourself an engineer because you bought a piece of paper, still you don't know that SElinux is not only for linux. But obviously you saw linux in the name, and tried to make a conclusion.


You call yourself an engineer, still you don't know that there are much better ways to secure a webserver, which aren't going to stop some of your services.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 21, 2011, 07:52:17 AM

What happened to talking about facts?  That's just conjecture.

I got bored of you flamers.


You discuss like you're an expert about selinux, still you missed that it isn't just for linux.


You can't know how funny you people are.

The problem is that I can't joke all day long, I've got a job. Unlike some of you :)


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: jgraham on June 21, 2011, 07:52:26 AM
i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.  
Please, go to the authors of Wayland and stop them while you're still in time!!!
X can be patched! we dont need wayland!!!!

Well I guess you don't win any reading awards.

Quote
ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.
Quote
the fact is that the website is not safe TODAY, not tomorrow.
If it will take a month to rewrite the code from scratch, do all end-to-end testing and it is considered infeasible to take the site down.  Then the site will be up whether they are re-writing the code or not.  So you might as well write the new code.  Clearly your experience with SDLC is a little thin.


Quote
These two assumptions make me wonder if you've ever really been involved in large-scale development work.

I think this point stands mousey!


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 21, 2011, 07:53:56 AM
Ahhhh, little mouse, still boxing with shadows when you could be saving the world?  I expected better of an Atreides.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 21, 2011, 07:55:58 AM


I think this point stands mousey!

It looks like you have a lot of spare time :)

Maybe you should find yourself a job, this would also reduce the hate in your posts.

Maybe you're qualified enough for this (http://www.geeksquad.com/careers/) job. I don't know. Anyhow I'm sure they will be more than happy to receive your application.


Title: Re: About Mt. Gox flaw from a security expert
Post by: cunicula on June 21, 2011, 07:56:10 AM
Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi = [ (# of serious security flaws - 1) / (# of running systems)^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Quote
Were You asking  me?

http://en.wikipedia.org/wiki/Statistical_hypothesis_testing

http://en.wikipedia.org/wiki/Statistic

http://en.wikipedia.org/wiki/Confidence_level

http://en.wikipedia.org/wiki/Statistically_significant

Sorry i don't understand how this relates to these websites. Could you explain what your hypothesis is and how you would go about testing it in words? Is this Psi you mention a random variable? I thought you said it was a parameter? But then it is a constant, no? I'm really confused. Please, OP help me out? This statistics stuff is confusing.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: jgraham on June 21, 2011, 07:57:40 AM
What happened to talking about facts?  That's just conjecture.
I got bored of you flamers.
What? There was less than 10 min between your assertion that you were talking about facts.  I guess that's what you say when you can't defend your position?  That and assertions that people can't read the language you obviously have only marginal competence writing in?

Quote
You discuss like you're an expert about selinux, still you missed that it isn't just for linux.
Depends on what you mean.  As is becoming your habit you just make vague statements rather than facts.  Actually make an argument for a change and we'll talk...but of course that would open you up to being wrong.   Which is a good reason why you won't. ;-)


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: jgraham on June 21, 2011, 08:02:23 AM
It looks like you have a lot of spare time :)
Maybe you should find yourself a job, this would also reduce the hate in your posts.

Ooooh snap!  Yawn.  Where's that argument you were trying to make? Oh let me guess it's all the readers fault...and you're being *sniff* insulted and you're bored...anything else?  Sheeesh I rarely see someone spend as much time saying nothing as you have in this thread.



Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 08:03:15 AM

Sorry i don't understand how this relates to these websites. Could you explain what your hypothesis is and how you would go about testing it in words?

Sure. We take a statistic (Psi) which in our hypothesis is strongly connected to security. Then we take a probability space given by (Critical flaws, Running servers).

Of this space we take a sample (2005-2011 for example), and on this sample we make a measure using the statistic.

We build then a hypothesis test:

H1: Psi(linux) = Psi(BSD)

H2: Psi(linux) > Psi(BSD)


Picking a high confidence level (0.99), we can say that H1 is false.

Quote
Is this Psi you mention a random variable? I thought you said it was a parameter? But then it is a constant, no? I'm really confused. Please, OP help me out? This statistics stuff is confusing.


No it is a statistic, or a function over a sample.

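As an added example (not from the thread), here is what that test looks like once Psi is pinned down as a rate of critical flaws per running server-year: the flaw counts (61 and 3) are the privilege-escalation numbers quoted later in this thread, the server-year exposure figures are constructed placeholders, and the test is the standard conditional binomial test for comparing two Poisson rates.

```python
"""Added example, not from the thread: a concrete version of the hypothesis test
sketched above, with Psi defined as critical flaws per running server-year.

The flaw counts (61 for Linux, 3 for FreeBSD) are the privilege-escalation
numbers quoted later in this thread; the server-year exposure figures are
CONSTRUCTED placeholders, not measurements.  The test used is the standard
conditional (binomial) test for comparing two Poisson rates.
"""
from math import comb


def psi(flaws: int, server_years: float) -> float:
    """The statistic: critical flaws per running server-year."""
    return flaws / server_years


def poisson_rate_pvalue(x1: int, t1: float, x2: int, t2: float) -> float:
    """One-sided p-value for H0: rate1 == rate2 against H1: rate1 > rate2.

    Conditional on the total n = x1 + x2, x1 is Binomial(n, t1 / (t1 + t2))
    under H0, so the p-value is P(X >= x1) for that binomial.  Exact, no
    normal approximation, so it stays valid for small counts such as 3.
    """
    n = x1 + x2
    p = t1 / (t1 + t2)
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(x1, n + 1))


def rejects_h0(p_value: float, confidence: float = 0.99) -> bool:
    """Reject H0 when the p-value is below the chosen significance level."""
    return p_value < 1.0 - confidence


# Constructed sample for 2005-2011: counts from the thread, exposures invented.
SAMPLE = {
    "linux": {"flaws": 61, "server_years": 7_000_000},  # exposure: placeholder
    "bsd":   {"flaws": 3,  "server_years": 300_000},    # exposure: placeholder
}


def compare(sample: dict = SAMPLE) -> dict:
    """Run the test two ways: on raw counts and on exposure-adjusted rates."""
    lx, bx = sample["linux"]["flaws"], sample["bsd"]["flaws"]
    lt, bt = sample["linux"]["server_years"], sample["bsd"]["server_years"]
    # Raw counts: equivalent to pretending both systems had equal exposure.
    raw_p = poisson_rate_pvalue(lx, 1.0, bx, 1.0)
    # Rates: the same counts, each normalised by its own server-years.
    adj_p = poisson_rate_pvalue(lx, lt, bx, bt)
    return {
        "psi_linux": psi(lx, lt),
        "psi_bsd": psi(bx, bt),
        "raw_counts_p": raw_p,
        "raw_counts_reject_h0": rejects_h0(raw_p),
        "rate_p": adj_p,
        "rate_reject_h0": rejects_h0(adj_p),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>22}: {value}")
```

With these constructed exposures the raw counts reject H0 at 0.99 while the exposure-adjusted rates do not, so the denominator in Psi has to be stated before any confidence level means anything.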



Title: Re: About Mt. Gox flaw from a security expert
Post by: marcus_of_augustus on June 21, 2011, 08:05:46 AM


Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.


I don't think we need to run bitcoind on BSD. You can or you can't, it depends on your choice.


The web frontend needs to run on bsd, FOR SURE.

So, have you actually built bitcoind on any linux OS (particularly RH or BSD) ... besides downloading the pre-chewed windows binaries or ubuntu packages?

Seems you are making lots of sweeping statements without actually getting your hands dirty here.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 21, 2011, 08:06:12 AM
Something about a "stoneburner" as I recall, you wouldn't be in Japan by chance?


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 21, 2011, 08:07:38 AM

Depends on what you mean.

LOLOLOLOL

Third line on wikipedia:


Quote

It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating system kernels, such as Linux and that of BSD.



Obviously when you people bought the paper that allows you to call yourself an engineer, they forgot to tell you that if you want to be a good professional you need to be able to read, not only have money to make stupid tests.

LOLOLOL


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 08:10:01 AM
Sure. We take a statistic (Psi) which in our hypothesis is strongly connected to security. Then we take a probability space given by (Critical flaws, Running servers).

So what are you doing now?

You have assumed that some variable is strongly connected to some vaguely defined concept.  Then without defining the mapping between that and your sample set (just because A correlates with B doesn't mean it's 1:1).  Then you look like you are just assuming that the R is .99?

Ever hear of showing your work?


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 08:10:29 AM


So, have you actually built bitcoind on any linux OS (particularly RH or BSD) ... besides downloading the pre-chewed windows binaries or ubuntu packages?

Seems you are making lots of sweeping statements without actually getting your hands dirty here.

I ported Android to the vending machines. And if you have even a basic knowledge of how Android is structured, you would know how complex this task is. Obviously I was not alone.


Anyhow, did this change anything? Are we speaking about facts or people?


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 08:14:18 AM


So what are you doing now?

You have assumed that some variable is strongly connected to some vaguely defined concept.  Then without defining the mapping between that and your sample set (just because A correlates with B doesn't mean it's 1:1).  Then you look like you are just assuming that the R is .99?

Ever hear of showing your work?


You simply lack any basic knowledge of statistics. Sorry.

Start here:

http://www.amazon.com/Statistics-Dummies-Math-Science/dp/0470911085/ref=sr_1_1?ie=UTF8&qid=1308643898&sr=8-1


p.s.: the indicator is not mine. It is taken from another source.

http://www.amazon.com/Statistical-Process-Control-Industry-Implementation/dp/0792355709/ref=sr_1_2?ie=UTF8&qid=1308644011&sr=8-2


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: jgraham on June 21, 2011, 08:16:16 AM

Depends on what you mean.

LOLOLOLOL
Guess I'm getting under your skin.  That's pretty forced laughter there.  Sure, what does that have to do with anything that we've been talking about with regard to SELinux?

Quote
Obviously when you people bought the paper that allows to call yourself an engineer, they forgot to tell you that if you want to be a good professional you need to be able to read, not only have money to make stupid tests.

Well considering your writing is pretty horrible it's not surprising that your meaning wasn't conveyed.  As Randal would say...
http://imgs.xkcd.com/comics/words_that_end_in_gry.png


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 21, 2011, 08:18:30 AM


No, actually you are probably lying.  In fact you seem to be making up how you're getting an R of .99.  

Again, I'm asking you to show your work...but instead you seem to be dodging the point.

LOL YOU choose the confidence level. The higher it is, the more meaningful your conclusions are.

LOLOLOL.



Guess I'm getting under your skin.  That's pretty forced laughter there.  Sure, what does that have to do with anything that we've been talking about with regard to SELinux?



If the paper you bought says you're an engineer, and you say SElinux is just for linux, I'm not going to argue. You the boss, boss.




You're now on ignore, let's see how many other people I have to ignore to stop this flamewar.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 08:20:10 AM
you simply lack any basic knowledge of statistics. Sorry.

No, actually you are probably lying.  In fact you seem to be making up how you're getting an R of .99.  

Again, I'm asking you to show your work...but instead you seem to be dodging the point.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: jgraham on June 21, 2011, 08:22:59 AM
If the paper you bought says you're an engineer, and you say SElinux is just for linux, I'm not going to argue. You the boss, boss.
Where did anyone (other than this loser) say anything like that?

Quote
You're now on ignore, let's see how many other people I have to ignore to stop this flamewar.
Uh, at any point in time you could have provided a rational defense of your position instead of....flaming people.
Seems a little like you didn't *want* to talk about the issues when it came down to brass tacks.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 21, 2011, 08:23:45 AM
Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the water's cold, ain't it?
Deep too.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 08:28:13 AM
Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips"  
  I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.

I never had the chance to play with Itanium.


Anyhow I'm not sure that there's a real need for Itanium. It's so overpriced that many times it is out of the market.

Take this as an example: Do you really think that a closed source OS, deployed on just 400,000 machines, is going to be safer or more reliable than an open source OS on x86, at the same level of cost?


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: jgraham on June 21, 2011, 08:29:12 AM
No, actually you are probably lying.  In fact you seem to be making up how you're getting an R of .99.  

Again, I'm asking you to show your work...but instead you seem to be dodging the point.

LOL YOU choose the confidence level. The higher it is, the more meaningful your conclusions are.

Oh so *that's* what you're blathering about.  That's not exactly the case.  For example if your sample size is fixed (like it is here), choosing the CL alters your CI.  If you make your CL 'better' the CI becomes wider.   Now if, for example, you haven't done your experiment yet and you are fixing your CI and your CL, your sample size changes.  It's a rookie mistake, the kind I'd expect a non-math person to make.  "Meaningful" is also a kind of ambiguous word; it's something a frequentist would say.

So again, what dataset are you using here?


Title: Re: About Mt. Gox flaw from a security expert
Post by: cunicula on June 21, 2011, 08:34:37 AM

Quote
Sure. We take a statistic (Psi) which in our hypothesis is strongly connected to security. Then we take a probability space given by (Critical flaws, Running servers).

Of this space we take a sample (2005-2011 for example), and on this sample we make a measure using the statistic.

We then build a hypothesis test:

H1: Psi(linux) = Psi(BSD)

H2: Psi(linux) > Psi(BSD)


Picking a high confidence level (0.99), we can say that H1 is false.

Quote
Is this Psi you mention a random variable? I thought you said it was a parameter? But then it is a constant, no? I'm really confused. Please, OP help me out? This statistics stuff is confusing.


No it is a statistic, or a function over a sample.

Okay much improved (B+), but here are some things to remember before you take your exam.

1) The statistic Psi-hat(linux) is a random variable that is an unbiased estimate of the constant parameter Psi(linux).
2) You are using random variables (sample statistics) to test hypotheses about the constant parameters Psi(linux) and Psi(BSD)
    [Not testing a hypothesis about these random variables]
3) The parameter Psi(linux) is a constant, and is therefore not correlated with anything.
4) If your TA is an ass, they will dock you points for not using the conventional labels H0 and H1

Much More Important Lesson: Don't mix in random jargon about topics you don't fully understand to impress other people. Focus on your core competencies and people will take you more seriously.




Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: kokjo on June 21, 2011, 08:37:12 AM

yes, that's many lines. but not in the core code, that excludes all the drivers(90%),

drivers don't account for that much. They are roughly 55%

http://cityblogger.com/archives/2008/06/16/linux-kernel-stats

Quote
and all the archs(5-8%)(except x86 and arm).

I'm sure you know that source code doesn't depend on archs, as archs are handled by compilers.

But I'm sure you know that.

Quote
the FreeBSD source only did confuse me.

I think your confusion might not arise from BSD.
sorry for the bad estimate... it is still only 5% of the code that is relevant.
and the archs are not only handled by the compiler, proof: http://lxr.linux.no/linux+v2.6.39/arch/
every platform needs to be written, it includes all the low-level functions for that arch: MMU, task switching, detection of hardware, all the startup stuff ...


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 08:41:48 AM


Okay much improved (B+), but here are some things to remember before you take your exam.

1) The statistic Psi-hat(linux) is a random variable that is an unbiased estimate of the constant parameter Psi(linux).

Not only it is unbiased, but it is asymptotically consistent.

Anyhow I would like to point you that a statistic IS NOT a random variable.

Quote
2) You are using random variables (sample statistics) to test hypotheses about the constant parameters Psi(linux) and Psi(BSD)
    [Not testing a hypothesis about these random variables]

I'm not sure I understand you here, maybe it's just my English.

Quote
3) The parameter Psi(linux) is a constant, and is therefore not correlated with anything.

It's a function over a sample. Change the sample, and the statistic changes. We take this statistic to measure the correlation between the properties of two samples.


Quote
4) If your TA is an ass, they will dock you points for not using the conventional labels H0 and H1

That's true.



Quote
Much More Important Lesson: Don't mix in random jargon about topics you don't fully understand to impress other people. Focus on your core competencies and people will take you more seriously.

Maybe you missed the fact of how many insults I got, and how many "engineers" were trying to educate me.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 21, 2011, 08:45:48 AM

sorry for the bad estimate... it is still only 5% of the code that is relevant.



so 5% is most of the code?

Please define relevant.


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 21, 2011, 08:50:09 AM

As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to Security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though the freebsd update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even though, freebsd being smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 million results

Google "Hacked by"+ Freebsd: 230,000 results (one fold less!!!)


Anyhow let's put this way: My opinion is that FreeBSD is the most secure,  reliable and scalable OS. You think that Linux is more secure than FreeBSD.


The Linux kernel uptime rolls over at 497 days. The system doesn't go down, the uptime is just reset.

Linux, incidentally, has more eyes, so more seen bugs.

I like freebsd, but linux is much better for sysadmins.

+1


Title: Re: About Mt. Gox flaw from a security expert
Post by: TheGer on June 21, 2011, 08:51:05 AM
Look can we all just run Windows and be happy already...  :D


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: kokjo on June 21, 2011, 09:02:19 AM

sorry for the bad estimate... it is still only 5% of the code that is relevant.



so 5% is most of the code?

Please define relevant.
stuff in:
the core code: http://lxr.linux.no/linux+v2.6.39/kernel/
the arch code for x86: http://lxr.linux.no/linux+v2.6.39/arch/x86/
some of the fs code(ext*, vfat, nfs): http://lxr.linux.no/linux+v2.6.39/fs/
the mm: http://lxr.linux.no/linux+v2.6.39/mm/
and the ipv* stacks: http://lxr.linux.no/linux+v2.6.39/net/ipv4/ , http://lxr.linux.no/linux+v2.6.39/net/ipv6/
and a few drivers from: http://lxr.linux.no/linux+v2.6.39/drivers/

I have also built my own little kernel, some time ago. It sucks, true, but it can start and print out a lot of information about the computer. (NO! It's not just a custom-built Linux kernel, it's a real OS from the bottom up.)


Title: Re: About Mt. Gox flaw from a security expert
Post by: zer0 on June 21, 2011, 09:20:38 AM
This thread is pointless, since the 'auditor' handed over database access to somebody through total carelessness, so the breach would've happened regardless of OS. I bet the auditor had it lying around his gmail account or unencrypted on the desktop in a file called 'STEALTHIS.TXT'






Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 09:24:39 AM
This thread is pointless, since the 'auditor' handed over database access to somebody through total carelessness, so the breach would've happened regardless of OS. I bet the auditor had it lying around his gmail account or unencrypted on the desktop in a file called 'STEALTHIS.TXT'




They absolutely need to take steps so this CAN'T happen again.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BTCrow on June 21, 2011, 12:50:37 PM
@muad_dib

At first your post seemed wise, but

1) Use the right software. IIS is a big no-no :) Also Linux should be frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.

I loled a lot on this one and I completely agree. Even if I prefer nginx or apache to run software and get an extra level of security, you can also secure an IIS very easily, and this without knowing a lot about computer security. Look how many flaws in new nginx and apache have been reported and look how many flaws in IIS have been reported (securityfocus); you'll see that what you say is completely out of bounds...

Also php / perl / etc can be attacked if badly coded, daemons running on linux can easily be attacked too, so this is complete nonsense.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BTCrow on June 21, 2011, 01:00:19 PM

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does freebsd have fewer vulnerabilities, but they are also less serious (check exploit or data execution)

Sorry for the double post. BSD systems are A LOT less used than nux systems, that's why you'll see fewer vulnerabilities. I'm a vulnerability researcher and I can assure you that when I have time to research something I won't be losing my time doing research on software not used a lot; I'll do research on IE / Firefox / Real Network etc... Of course the BSDs are designed to be more secure, but if you use them badly or you do not know how to use them, they will be less safe than running a nux or windows with good security mechanisms on it.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 01:44:55 PM


Sorry for the double post. BSD systems are A LOT less used than nux systems, that's why you'll see fewer vulnerabilities. I'm a vulnerability researcher and I can assure you that when I have time to research something I won't be losing my time doing research on software not used a lot; I'll do research on IE / Firefox / Real Network etc... Of course the BSDs are designed to be more secure, but if you use them badly or you do not know how to use them, they will be less safe than running a nux or windows with good security mechanisms on it.


But if you know what to do and need maximum reliability and security, without going Itanium, then BSD is a very good choice.

I would like to ask you a question: why do you think that BSD had the 3 top spots in the reliability chart?

Do you think that the fourth company wasn't as good as the first three?


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 01:50:49 PM

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does freebsd have fewer vulnerabilities, but they are also less serious (check exploit or data execution)
Sorry for the double post. BSD systems are A LOT less used than nux systems, that's why you'll see fewer vulnerabilities. I'm a vulnerability researcher and I can assure you that when I have time to research something I won't be losing my time doing research on software not used a lot; I'll do research on IE / Firefox / Real Network etc... Of course the BSDs are designed to be more secure, but if you use them badly or you do not know how to use them, they will be less safe than running a nux or windows with good security mechanisms on it.
I'd agree that OpenBSD has security as an imperative for its dev team, and while ASLR isn't the be-all of security, I would contend that it does show a team taking a proactive approach to security rather than simply reactive patching.  As far as I can tell even FreeBSD 9 doesn't have it committed to the roadmap (it was suggested years ago though).


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 02:03:46 PM
Okay much improved (B+), but here are some things to remember before you take your exam.

Really?  Perhaps you can explain to me what you think he's trying to do here.

To me, even if "reliability" (as defined by Netcraft) was correlated with "security" (whatever we mean by that), the kind of analysis you'd want to do here is a simple comparison of categoricals.  So ANOVA is the tool of choice.   Looking at the Netcraft data linked to early on, it's pretty clear that things like failed requests, DNS latency, connect latency and first byte latency have little to do with uptime.  Sure, you could make up a way they could be related to a security event (like say connect time or failed requests are related to DoS attacks, but you wouldn't be able to differentiate between that and every other event).  What's left after that?  Outage - which might be related to a security event requiring a reboot, but there almost everyone is at zero.  Except for two BSD systems and one linux system.

So I don't even have to boot up R to tell you that the correlation coefficient here is going to be next to nothing (and probably bad for BSD).

From where I stand this is a "shows promise" mark, and where I grew up that's a C. ;-)

Jono

Edit: So drudging back through his morass of poor English.  It sounds like all this nonsense is actually about counting "serious" flaws per system over some time period? Exactly how does *that* become a security metric?  Not to mention that using the "flaws" metric is very likely not going to follow the kind of probability density function one is expecting.

I'd like to take a moment to say that math isn't magic.  The numbers you put in need to be meaningful and the operations you perform on them need to say something...*shakes head*
He might as well have taken the square root of spiders and integrated it by batman...

http://img63.exs.cx/img63/148/batman61rb.jpg


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 21, 2011, 02:05:37 PM


Sorry for the double post. BSD systems are A LOT less used than nux systems, that's why you'll see fewer vulnerabilities. I'm a vulnerability researcher and I can assure you that when I have time to research something I won't be losing my time doing research on software not used a lot; I'll do research on IE / Firefox / Real Network etc... Of course the BSDs are designed to be more secure, but if you use them badly or you do not know how to use them, they will be less safe than running a nux or windows with good security mechanisms on it.


But if you know what to do and need maximum reliability and security, without going Itanium, then BSD is a very good choice.

I would like to ask you a question: why do you think that BSD had the 3 top spots in the reliability chart?

Do you think that the fourth company wasn't as good as the first three?
OMFG! You are now comparing a chip to an operating system.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 02:07:11 PM
I would like to ask you a question: why do you think that BSD had the 3 top spots in the reliability chart?

Do you think that the fourth company wasn't as good as the first three?

Because the latency for DNS, first byte and connect were lower.   Exactly where is the data that those strongly correlate to security events?  Nowhere.
For all you know this has nothing at all to do with the OS.  Cluster size, hardware config, network organization (such as the composition and placement of edge devices).  Heck, we don't even know that all of these systems are under the same load.   All affect these kinds of statistics, and considering that we are talking about averages without any idea as to their VARIANCE, the placement might well be random.

Guess the mouse dropped out of stats?


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 02:56:14 PM

OMFG! I like to embarrass myself in public.

I'm sorry for you.


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 21, 2011, 03:02:11 PM

OMFG! I like to embarrass myself in public.

I'm sorry for you.
you really are a troll.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 03:05:56 PM

I'm sorry for you.

you really are a troll. Anyhow I'm too busy to see that because I'm still reading most of the linux kernel source. I just need 148 years more.


You just joined ignoreland along with jgraham.


Even if I dont reply to you, please keep on posting, to keep the lulz up :)


Title: Re: About Mt. Gox flaw from a security expert
Post by: iBTC on June 21, 2011, 03:11:10 PM

I'm sorry for you.

you really are a troll. Anyhow I'm too busy to see that because I'm still reading most of the linux kernel source. I just need 148 years more.


You just joined ignoreland along with jgraham.


Even if I dont reply to you, please keep on posting, to keep the lulz up :)
#Lulzsec


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 03:13:15 PM


You just joined ignoreland along with jgraham.


Even if I dont reply to you, please keep on posting, to keep the lulz up :)
#Lulzsec

Lulz (http://nyan.cat/) for life.


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: makomk on June 21, 2011, 06:34:03 PM
I'm sure you know that source code doesn't depend on archs, as archs are handled by compilers.

LOL *rolls on floor laughing*. That's a good one! You do realise that we're talking about kernels here, right? Compilers don't know about page tables, or context switching, or power management, or interrupts (on most platforms), or any of a number of important architecture-specific things that kernels need to manage. The code to handle this is in the architecture-dependent arch/ directories of the Linux kernel. (I believe the BSDs handle the separation between architecture-independent and architecture-specific code differently. Never used them though.)

I ported Android to the vending machines. And if you have even a basic knowledge of how Android is structured, you would know how complex this task is. Obviously I was not alone.
Android is not Linux. Developing Android drivers and porting it to a new hardware platform is not that similar to developing Linux drivers and porting that to a new platform. Android's based on the Linux kernel, but it has enough fundamental changes to the driver APIs that they're not really compatible.


Title: Re: About Mt. Gox flaw from a security expert
Post by: cunicula on June 21, 2011, 06:50:07 PM
I agree that you largely understand what you are talking about (as far as statistics) and that your English could be the primary cause of residual confusion. However, you are still making
overly confident statements, without taking a 'wikipedia moment' to verify them.

Quote
Anyhow I would like to point you that a statistic IS NOT a random variable.
http://en.wikipedia.org/wiki/Statistic


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: muad_dib on June 21, 2011, 06:52:24 PM


LOL *rolls on floor laughing*. That's a good one! You do realise that we're talking about kernels here, right? Compilers don't know about page tables, or context switching, or power management, or interrupts (on most platforms), or any of a number of important architecture-specific things that kernels need to manage. The code to handle this is in the architecture-dependent arch/ directories of the Linux kernel. (I believe the BSDs handle the separation between architecture-independent and architecture-specific code differently. Never used them though.)


I'm not saying the code is the same. I'm saying that the toolchain handles this.


Quote
Android is not Linux. Developing Android drivers and porting it to a new hardware platform is not that similar to developing Linux drivers and porting that to a new platform. Android's based on the Linux kernel, but it has enough fundamental changes to the driver APIs that they're not really compatible.

I'm not sure I see your point.



Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 07:07:27 PM
I agree that you largely understand what you are talking about (as far as statistics)


Uh really?  So you really think that calculation is meaningful?   How about you tell me why you think that.

Sorry if I'm making a broad assumption here but I'm getting the idea that you two are just trading wikipedia references.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 21, 2011, 07:17:33 PM
I agree that you largely understand what you are talking about (as far as statistics)

I'm grateful that I'm not the only one who tries to step down this flamewar


 

Quote
and that your English could be the primary cause of residual confusion.
However, you are still making
overly confident statements,

You are probably right, still I see some of the posters of this thread as haters.

When I say:

Quote
Also Linux should be frowned upon

I'm not saying that linux is not secure. But just as I refuse to think that IIS+windows is as safe as LAMP, I refuse to accept that BSD is as safe as linux.

Moreover if the subject is defended by people who think that SElinux is a flexible linux distro, or who claim to be able to read 10 million lines of code as if it were water.

Quote
without taking a 'wikipedia moment' to verify them. Anyhow I would like to point you that a statistic IS NOT a random variable.
http://en.wikipedia.org/wiki/Statistic

I love wikipedia, but I have to say that it is not the most reliable source when you're dealing with science.

The fact that wikipedia says:

A statistic is an observable random variable

moreover writing observable in italic, should suggest to you that the author is trying to explain a very complex concept with a very short description.

Behind this there's one of the biggest problems of modern mathematics, under the name of measure theory.

I do personally refuse to accept the Kolmogorovian axioms or the existence of real numbers, and this forces me to use a much stricter formulation of statistical theory. But even without these two problems, defining a statistic as a random variable is a stretch.

Maybe if you have this book (http://www.amazon.com/Probability-Statistical-Inference-Robert-Hogg/dp/0321584759/ref=sr_1_1?s=books&ie=UTF8&qid=1308683146&sr=1-1) (it's the bible of statistics, it can be easily found in any scientific library) I could point you to some deeper analysis.



Title: Re: About Mt. Gox flaw from a security expert
Post by: Vladimir on June 21, 2011, 07:25:07 PM
Come on people, arguing about what is more secure, Linux or BSD, is so irrelevant when the sysadmin has hands growing out of his backside. And frankly, in the real world the latter is usually the case.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 07:28:50 PM
I'm grateful that I'm not the only one who tries to step down this flamewar
There actually isn't a flamewar going on.   The alternation between your off-the-chart arrogance combined with your refusal to elucidate (and your pretty compulsive need to denigrate folks): you have painted yourself as the provocateur while taking on the role of the victim.  Perhaps you only see a fight because you are looking for one, eh?
 
Quote
You are probably right, still I see some of the posters of this thread as haters.
Actually that's a good illustration there.  The last thing I read you labeled as an "insult" was how I had said you "betrayed your skillset".  Sounds like that could easily be you looking for an opportunity to take offense.
Quote
I'm not saying that linux is not secure. But just as I refuse to think that IIS+windows is as safe as LAMP, I refuse to accept that BSD is as safe as linux.

Good choice of words.  "Refuse to accept" this illustrates well how what we are observing with you is a non-rational process.

Quote
Moreover if the subject is defended by people who think that SElinux is a flexible linux distro,

Hmmm...again you are kind of making things up.  There's nowhere where anyone said or implied that.

Quote
Maybe if you have this book (http://www.amazon.com/Probability-Statistical-Inference-Robert-Hogg/dp/0321584759/ref=sr_1_1?s=books&ie=UTF8&qid=1308683146&sr=1-1) (it's the bible of statistic, it can be easily found in any scientific library) I could point you to some deeper analysis.

That's an old horse isn't it?  The old "Well you just have to read this book" dodge.  LOL.


Title: Re: About Mt. Gox flaw from a security expert
Post by: Webengers on June 21, 2011, 08:29:43 PM

As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to Security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though the freebsd update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 million results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)


Anyhow let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.


I totally agree with you on this metric. Obviously, it follows with what I, a bona-fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy.

Google agrees with me, as "Hacked by"+"virtual boy" has a mere 61,300 results.

Prove me wrong. I dare you, because I just bought a pair of x-pert system II zookas and a nintendo power glove. It's hooked to my keytar, with a wii wammy bar and a silicon 3d aggregator nanostruts mashup through UG ajax immersion portals.

Obviously, this is all coded in COBOL. It's the safest language.

Haha, Agreed. I'm not a Linux fanboy, but as soon as he started touting the security benefits of FreeBSD over the security Benefits of Linux he loses all credibility. The services that are normally exploited are generally run by multiple Unix clones. Securing a system takes an experienced *nix sysadmin and someone who understands networking and routing thoroughly, that's it.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 21, 2011, 08:56:57 PM
Haha, Agreed. I'm not a Linux fanboy, but as soon as he started touting the security benefits of FreeBSD over the security Benefits of Linux he loses all credibility. The services that are normally exploited are generally run by multiple Unix clones. Securing a system takes an experienced *nix sysadmin and someone who understands networking and routing thoroughly, that's it.

...or the places where FreeBSD had to take stuff from Linux to secure itself.

As I've been saying from the beginning, anyone who asserts there is some clear winner in "security" will probably fail in one of two things:


i) Defining "security" generally.

Muad_Dip, while he did provide a definition, it's rather incomplete: he said that "It's a matter of counting flaws and uptime".  Especially when you consider he is talking about reported flaws (the vast majority of which have been fixed), not taking into account standard modeling practices, or providing a reference as to whether uptime (or how much of it) is the result of security events.   In fact as you can see from the way he tends to use data, he assumes that not only is ALL uptime security related but with almost zero variance.

ii) Defending the point that system X is actually better by these criteria.

Similarly Muad_Dip gave us very little.  A database of flaws that are largely fixed.   No rationale as to why that means anything and some top 40 hosting services reliability index with no rational reason why things like DNS latency should be considered part of the equation.  A constant reference to the "top three" but a casual ignoring of the bottom two FreeBSD machines which were an order of magnitude worse than any other system at all.  Oh and some silly evaluation from ten years ago with rather subjective and unweighted evaluations....using "smiley" and "frowny" faces as the markers of better or worse systems.   Really.   He even called this "objective" data.


Title: Re: About Mt. Gox flaw from a security expert
Post by: akcom on June 21, 2011, 10:47:32 PM
You people get so caught up arguing over every unimportant little nuance you've forgotten the point: mtgox is completely insecure.  Do you really believe someone had 500,000 BTC in their account? Yeah right.  mtgox's account was hacked.  They're making tons of money but make no investment to fix their piss poor security.

As for this linux *bsd debate, I see a lot of people talking out their rear.  Reading wikipedia does not make you a security expert.  Running gentoo does not make you a linux expert.  And neither of these things qualify you to speak on the topic of network security.  *bsd is the first choice when security is the major concern, period.  Google bsd security if you don't believe me.


Title: Re: About Mt. Gox flaw from a security expert
Post by: cunicula on June 22, 2011, 01:13:34 AM
Quote
defining a statistic as a random variable is a stretch.

Maybe if you have this book (it's the bible of statistic, it can be easily found in any scientific library) I could point you to some deeper analysis.

Don't have that text on my computer, but surely you would accept a quote from the same author's "Introduction to Mathematical Statistics."

"Definition 1. A function of one or more random variables that does not depend upon any unknown parameter is called a statistic. ...
It is quite clear that a statistic is a random variable. In fact, some probabilists avoid the use of the word "statistic" altogether, and they refer to a measurable function of random variables as a random variable."
Ch. 4, pp. 122-123

I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 22, 2011, 01:15:19 AM
You people get so caught up arguing over every unimportant little nuance you've forgotten the point: mtgox is completely insecure.  Do you really believe someone had 500,000 BTC in their account? Yeah right.  mtgox's account was hacked.  They're making tons of money but make no investment to fix their piss poor security.
Soooooo if it was hacked why did most of the transactions come from one account?  If they had kept them all separate and made separate withdrawals it would have increased their take and slowed their discovery.   Instead they took a whole extra step to consolidate all their accounts.

Quote
As for this linux *bsd debate, I see a lot of people talking out their rear.

Me too.

Quote
Reading wikipedia does not make you a security expert.  Running gentoo does not make you a linux expert.  And neither of these things qualify you to speak on the topic of network security.  *bsd is the first choice when security is the major concern, period. 
Similarly saying "first choice" doesn't make it so.  Saying "period" doesn't really make your case any stronger.   In fact asserting things when allegedly the evidence is easily found but somehow you just couldn't bring yourself to link to it....Kind of weakens your case doesn't it?

FreeBSD is a fine operating system, so is OpenBSD.  At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.   Feature parity is reached and some of Theo D's decisions over the last five years have been...idiosyncratic. 


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 22, 2011, 01:19:50 AM
I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

Lots of book quoting there.   Any chance you'll get around to answering my question?


Title: Re: About Mt. Gox flaw from a security expert
Post by: cunicula on June 22, 2011, 01:40:30 AM
Quote
Lots of book quoting there.   Any chance you'll get around to answering my question?

Sorry, the topic of my posts was the OP's use of statistical terms and how misuse of terminology might make him appear to readers.

I don't know anything about OS security and I don't have an opinion about the OP's OS security argument. Need to know a lot about the data generating process to assess whether a raw correlation is meaningful. OP's data (if they exist) might not be from a random sample. Even if they are, operating system use is a choice variable (not randomly assigned). Security metric used by OP may or may not be a good metric.

Not responding anymore to this thread, so please bait someone else.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 22, 2011, 02:14:01 AM
Sorry, the topic of my posts was the OP's use of statistical terms and how misuse of terminology might make him appear to readers.
My question was also about his use of terminology.  I asked you how you found any of the statistical information muab_dib posted actually meaningful.  Most of the time he seemed to just be splattering statistical terms without any consideration as to what outcome he was trying to determine.  He used terms like hypothesis testing, confidence levels but was clearly missing knowledge: he didn't seem to understand that you can't just arbitrarily choose a CL post-hoc and make your result more "meaningful".  So it didn't really seem he knew how to apply them or what their limitations are.

There's a salient difference between someone who actually *does* statistics and someone who simply *performs* them.   The former understands how the operations they are performing actually work.  So they reflexively know the limitations, what kind of data you need, what kind of tests get what kind of result.  If you talk to this kind of person the first words out of their mouth are about framing the problem and the next are about framing the data.  I found it interesting that instead of criticizing his almost entire lack of explanation of how the statistical operations he alluded to actually gave *any* kind of meaningful result.  You wanted to talk about the definition of the term "statistic" - over and over again. 

Quote
Need to know a lot about the data generating process to assess whether a raw correlation is meaningful. OP's data (if they exist) might not be from a random sample. Even if they are, operating system use is a choice variable (not randomly assigned). Security metric used by OP may or may not be a good metric.

Actually I didn't necessarily ask if it was a good metric.  I just asked what made you think what he said was meaningful.   You would, or should know that to a point you can analyze the approach someone is taking.  This would drive you to want to know about their data.  You had no questions about that at all.  All you were on about were things that you could validate if you say...read a web page about statistics.
Quote
Not responding anymore to this thread, so please bait someone else.
Guess you had to get out of this jam somehow.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 22, 2011, 06:18:06 AM


Don't have that text on my computer, but surely you would accept a quote from the same author's "Introduction to Mathematical Statistics."

"Definition 1. A function of one or more random variables that does not depend upon any unknown parameter is called a statistic. ...
It is quite clear that a statistic is a random variable. In fact, some probabilists avoid the use of the word "statistic" altogether, and they refer to a measurable function of random variables as a random variable."
Ch. 4, pp. 122-123


This is a simplification. The author correctly says that SOME probabilists do this. Even if most mathematicians accept real numbers, this doesn't mean they exist.

I couldn't find the book you refer to in the torrent, so let's take again wikipedia:

http://en.wikipedia.org/wiki/Random_variable#Functions_of_random_variables

Quote
If we have a random variable  on  and a Borel measurable function , then  will also be a random variable on , since the composition of measurable functions is also measurable.

What if my statistic is a composition of measurable and non-measurable functions?

It can be non measurable for many reasons:

1) The statistic domain is non-measurable

2) The statistic itself is non-measurable

3) The statistic works on infinite vector spaces

The situation is much more complex than how you want to picture it.

Quote
I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

I don't have a good answer for this. Again I see people making wrong affirmations and insulting others, still I'm the one to calm down?

Just like you're doing now: you don't know my background, still you accuse me of being in over my head. If I were at the university I would take out my papers and my citations, and I would ask you to do the same. On the internet it is different, so please refrain from speaking about people's ability, if you are not sure.


Title: Re: About Mt. Gox flaw from a security expert
Post by: iBTC on June 22, 2011, 11:30:43 AM
At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.
But -in your opinion- it's still good security-wise, right?
If not, do you care to explain more?


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 22, 2011, 12:05:36 PM
@muad_dib:
i am now going to cut it out for you:

if you look at wikipedia: http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Servers
you can see that the usage of BSD is between 2.4% and 5.35%.
and linux is between 16.9% and 74.29%

we can therefore conclude that linux is more used than freebsd.
and we can assume that linux is getting more attention from hackers and security experts.
because of that we can assume that linux will be exploited more.
and if there are more security holes found in linux, they will also be fixed.

in freebsd which does not get as much attention as linux, we can assume that people are not finding the hacks/exploits.
and the holes will not get fixed!

if you can't follow my very simple argument, please feel free to ask.

@to all others:
HE IS A TROLL!


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 22, 2011, 03:03:03 PM
Quote from: trollboy
Even if most mathematicians accept real numbers, this doesn't mean they exist.
There are plenty of deep thoughts about the "reality" of the reals.  Even some fun ones like Borel's all-knowing number, but your argument is essentially claiming that cunicula is making an ad populum fallacy.   All that aside, what few mathematicians would deny is the necessity of the reals.  Which is, incidentally, all that's required to talk about - you know - your approach and metrics with regard to security.

Quote from: trollboy
What if my statistic is a composition of measurable and non-measurable functions?
Why not give us a concrete example from a field of our choice of this kind of statistic?

Quote from: trollboy
I don't have a good answer for this. Again I see people making wrong affirmations

How do you know they're wrong?  Perhaps you're drawing wrong conclusions based on your poor language skills?  Like you did with the exchanges about SELinux.  Hmm...a concrete example of you being wrong but...no examples of these other people making "wrong affirmations".  Strange!

Quote from: trollboy
and insulting others,
Where "insult" can mean just about anything I guess.  Given again that to you "betraying your skillset" can be an insult.  Rather than simply an example of you not understanding the term.  Also considering that you have laid out as many or more (real) insults - in some case to people who had not insulted you.  (Oh and you continue to send them to me privately - very classy!)  
Do you really think you've got any moral high ground left here?

Here's a real gem:

Quote from: trollboy
Please respect my objective opinion. I will respect your personal belief.

....and somehow you thought this would go over well.

Quote from: trollboy
still I'm the one to calm down?

Are you admitting you're not calm here?  Anyway, I'd say that you need to simply be open to explaining yourself.  You know, like you haven't been doing this entire time.  Your arguments should stand on their own.  Not turn into some nonsense expression of your arrogance.  That somehow everyone must bow to your opinion - with little or no explanation.   Yeah, real humble.

Quote from: trollboy
Just like you're doing now: you don't know my background, still you accuse me of being in over my head.
...and by the same token.  You don't know his so how do you know he is wrong?

Quote from: trollboy
If I were in the university I would take out my papers and my citations, and I would ask you to do the same.

Who cares.  As someone who works in academia there are plenty of profs who talk through their asses.  Especially if, for example they are talking outside of their field. i.e. While engineers, medical researchers, and even some lowly security personnel are bright people and use statistics daily - sometimes even correctly ;-).   They are still 'out-of-field' when talking *about* statistics.  In the same way that people who drive a car to work every day doesn't make them a mechanic.

Quote from: trollboy
On the internet it is different, so please refrain from speaking about people's ability, if you are not sure.
Shall I quote all the places you've done this about other people in this thread without having objective evidence?  Hmmm?  All the insults you laid out to people like kokjo?

At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.
But -in your opinion- it's still good security-wise, right?
If not, do you care to explain more?

Sorry if this is a broader answer than you were wanting but...
I don't have an opinion on the security of say OpenBSD in a broad sense because I don't have a useful general definition of "security".  

What I do see is that OpenBSD has similar *mechanisms* to secure itself when compared against say Linux. There is also a group of people concerned with the security of the OS and there exists a body of knowledge on securing the system.  These are all positive things.   There may be various advantages and disadvantages to individual elements but it's not always easy to judge this kind of thing.

For example: let's focus on one talking point I've mentioned a number of times (or perhaps 'harped on' ;-) ).  ASLR - PaX (which is available through a series of patches to the Linux kernel or pre-patched sources from the Gentoo hardened branch or from pre-compiled kernels) does the most complete job of address randomization. Better than execshield (which is what RH and other Linux's use OOTB), and W^X (in OpenBSD).  For example the bit size for stack randomization in PaX is double that of W^X.  There are also fewer guarantees as to what will or won't be protected using W^X.  Especially with regard to the Kernel - as of the last release I looked at.  A problem with the kernel stack will not be prevented by W^X.

That said PaX needs to be enabled whereas  W^X is available out of the box (so is execshield btw).  This is a double-edged sword.  In one case W^X protects everything in userspace because it's patched not the Kernel calls but malloc.  The downside is that this breaks compatibility.  So W^X becomes a kind of all-or-nothing game.  If you had a piece of code for which there was no source and was incompatible with W^X then your whole system would have to not use W^X.  In a lot of cases this doesn't matter because OpenBSD doesn't allow things that Linux does like binary-only drivers.  However often enough you as the security professional don't get to make that choice.  For example I can set and enforce (sometimes ;-) ) standards but I rarely can dictate their implementation details to them vis-a-vis "Never use binary drivers".  

Non-trivial isn't it?...and that's comparing just. one. mechanism.  While I think ASLR is a great idea because it is one of the few *proactive* mechanisms that have come out in the last ten years.  I'd be an idiot if I were to treat it as the only thing that matters.

So as I've said before comparison of operating system "security" is subtle and nuanced and anyone who suggests it's cut-and-dried is probably telling you out of some combination of ignorance and/or deceit.  OpenBSD is good (Especially if you're writing code, I love having a rich crypto API guaranteed to be on any install), FreeBSD is good (but lacks some mechanisms that other OS's or even BSD's have), Linux is good (When patched with PaX and some kind of RBAC).  All of them can be secured by someone with the right knowledge.  Whether they can be secured to the needs of a particular project obviously depends on a myriad of other factors.

Hope that helps.


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 22, 2011, 07:38:08 PM
now i got proof he is a stupid troll :D
HE IS NO SECURITY EXPERT!
proof:
he doesn't even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he has difficulties figuring out what a serial port is :) lulz


Title: Security Experts? Let's see what you can do. 20 BTC
Post by: jgraham on June 22, 2011, 11:25:42 PM
So given all the "BSD is hands down superior to Linux in terms of security" trash talk that's been going on around here.  See statements like this:

"*bsd is the first choice when security is the major concern, period. "
"I refuse to accept that BSD is as safe as linux."
"Use the right software. IIS is a big no-no Smiley Also Linux should frowned upon."
"My opinion is that FreeBSD is the most secure"
"it's well known that BSD is more stable, secure"

Imply to me (correctly or incorrectly) that Linux *can't* be secured as well as a BSD box.   Remember the context in all these posts was about Mt. Gox or enterprise systems in general.  So the idea that we are talking about some out-of-the-box hobbyist install seems unreasonable.  Clearly Mt. Gox hardened their system before deployment.   Likewise anyone deploying a system which contains sensitive information but is going to be on the internet to do the same.

So to hold such an opinion rationally suggests that such folk must know some way to circumvent a secured Linux box.

...and given what a kind-hearted gent I am I'd like to give them a chance to show me how.  So I'd like to discuss a B&E contest.  With some kind of prize say 20-30 BTC?  Off the top of my head the system should be a typical edge device (HTTP and/or email).

If you're interested post here with comments, questions or concerns (or perhaps I'll start a new thread).

Psst...BSD aficionados? That slapping sound? It's a gauntlet crossing your face. ;-)*

*Yes I know some of the excuses will be that it's not enough money or too much time...I'll just say "whatever" to those now.  Just to save time.


Title: Re: About Mt. Gox flaw from a security expert
Post by: minerX on June 22, 2011, 11:29:11 PM
now i got proof he is a stupid troll :D
HE IS NO SECURITY EXPERT!
proof:
he doesn't even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he has difficulties figuring out what a serial port is :) lulz

Dude I said this like 100 pages ago.  Even reviewing his bitcoin.org forum posts outside this thread it's very clear he has no idea what he is talking about.  He might have some buddy who is telling him random snippets of information to make him seem credible, but otherwise he is completely full of shit.

Troll.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 22, 2011, 11:32:14 PM
now i got proof he is a stupid troll :D
HE IS NO SECURITY EXPERT!
proof:
he doesn't even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he has difficulties figuring out what a serial port is :) lulz

Dude I said this like 100 pages ago.  Even reviewing his bitcoin.org forum posts outside this thread it's very clear he has no idea what he is talking about.  He might have some buddy who is telling him random snippets of information to make him seem credible, but otherwise he is completely full of shit.

Troll.
Also...quoting from wikipedia and a textbook he downloaded.  I wonder if the other guy talking stats with him (equally vapidly) was his friend.


Title: Re: About Mt. Gox flaw from a security expert
Post by: Jack of Diamonds on June 23, 2011, 12:43:51 AM
Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment


Title: Re: About Mt. Gox flaw from a security expert
Post by: minerX on June 23, 2011, 02:09:00 AM
Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment

Strangely enough it started as him quoting a security expert.  It has now regressed into HIM being the security expert. 

But I seriously don't think he will delete his posts.  He is the type that thinks he is right no matter what, even if the whole forum world is against him.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 23, 2011, 02:21:45 AM
Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment

Strangely enough it started as him quoting a security expert.  It has now regressed into HIM being the security expert. 

But I seriously don't think he will delete his posts.  He is the type that thinks he is right no matter what, even if the whole forum world is against him.
Really? Did he edit his posts or was that from another thread?

Besides he's kind of out-of-date.  Last year was the year every third person I met was a security consultant...this year they're all "Cloud Services" consultants. :-)


Title: Re: About Mt. Gox flaw from a security expert
Post by: Horkabork on June 23, 2011, 02:31:09 AM
I just found out that, according to these standards, I am now apparently a security expert! Oh man I'm totally going to put this on my resume. I even know the "ls" command in linux. One time, I actually understood and laughed at an XKCD comic that said "sudo go make me a sandwich". That's like top level security expert qualifications right there.


Title: Re: About Mt. Gox flaw from a security expert
Post by: iBTC on June 23, 2011, 05:55:42 AM
Hope that helps.
It did help, thanks ;D


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 23, 2011, 06:18:33 AM
Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips"  
I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.

I never had the chance to play with Itanium.


Anyhow I'm not sure that there's a real need for Itanium. It's so overpriced that many times it is out of the market.

Take this as an example: Do you really think that a closed source OS, deployed on just 400.000 machines, is going to be safer or more reliable than an open source OS on x86, at the same level of cost?
I am slow to respond, but I'm beating the same drum.  What equipment are your enemies using?  Which O.S.? Can you fight them as efficiently with your Linux Ninja stars and spears and your virtual drums?  Not recognizing that you, yourself, personally, are at war is the damndest downside to considering oneself an expert.  I'm not saying that you cannot win, just drawing attention to what I see as a basic problem.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 23, 2011, 08:34:05 AM

But I seriously don't think he will delete his posts.  He is the type that thinks he is right no matter what, even if the whole forum world is against him.

Well if the objectors say that they can read 10 million lines of code, well, it is a good thing not to change your opinion on their statements.

Changing your opinion to follow what most people think means you are a sheep.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 23, 2011, 08:39:32 AM
I just found out that, according to these standards, I am now apparently a security expert! Oh man I'm totally going to put this on my resume. I even know the "ls" command in linux. One time, I actually understood and laughed at an XKCD comic that said "sudo go make me a sandwich". That's like top level security expert qualifications right there.

No first you need to buy a paper and call yourself an engineer.


So much hate in these posts.... I bet most of the people here are unemployed and unemployable....


Title: Re: About Mt. Gox flaw from a security expert
Post by: Jack of Diamonds on June 23, 2011, 08:44:35 AM
So much hate in these posts.... I bet most of the people here are unemployed and unemployable....

What is your work experience in the security field?
What academic qualifications do you have besides googling concepts?

Who can vouch for your skills or known projects in any white or blackhat forum?
Do you know anything at all about programming a secure site or platform?

If you can't answer any of these questions then you're just another video game playing kid
in his mom's basement who was overwhelmed by 2 books on programming & tries to be something he's not.

It might work on your senile parents but you are in the real world now.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 23, 2011, 08:45:39 AM


Do you have some work experience or public credentials besides a neckbeard and an old laptop?


Some people in this thread think that SElinux is a flexible linux distribution.

If this is the standard for this thread, then I'm a top notch hacker.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 23, 2011, 09:13:54 AM

What is your work experience in the security field?

I work with vending machines and payment solutions (POS, ATMs, ....)


Quote
What academic qualifications do you have besides googling concepts?

I have a master's in applied mathematics. My areas of strength are numerical statistics, cryptography and game theory.

Quote
Who can vouch for your skills or known projects in any white or blackhat forum?

I thought that we were having a discussion, thus arguments and sources are what matters.

In fact, if you recall my statistical indicator PSI, it is taken from the PCI DSS literature.

I quoted it because some people said they were confident with PCI DSS, still they didn't recognize this, thus showing how fake they are.

Quote
Do you know anything at all about programming a secure site or platform?

I'm not a web developer, I frown upon PHP and some other web technologies.

I know Matlab, Java, PETSC, Python, C (in order of confidence) but I'm not a CS.

I'm the guy who builds a statistical model, so that you can study the behavior of your complex system (a market, a cryptography algorithm, a network, ...).



Title: Re: About Mt. Gox flaw from a security expert
Post by: marcus_of_augustus on June 23, 2011, 09:25:37 AM

What is your work experience in the security field?

I work with vending machines and payment solutions (POS, ATMs, ....)


Quote
What academic qualifications do you have besides googling concepts?

I have a master's in applied mathematics. My areas of strength are numerical statistics, cryptography and game theory.

Quote
Who can vouch for your skills or known projects in any white or blackhat forum?

I thought that we were having a discussion, thus arguments and sources are what matters.

In fact, if you recall my statistical indicator PSI, it is taken from the PCI DSS literature.

I quoted it because some people said they were confident with PCI DSS, still they didn't recognize this, thus showing how fake they are.

Quote
Do you know anything at all about programming a secure site or platform?

I'm not a web developer, I frown upon PHP and some other web technologies.

I know Matlab, Java, PETSC, Python, C (in order of confidence) but I'm not a CS.

I'm the guy who builds a statistical model, so that you can study the behavior of your complex system (a market, a cryptography algorithm, a network, ...).



So have you built bitcoind on BSD yet ... be interested to know your thoughts on the statistical probability of it getting hacked ...

send through the makefile when you have done it so we know you are not just bullshitting everyone.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 23, 2011, 09:33:44 AM


So have you built bitcoind on BSD yet ... be interested to know your thoughts on the statistical probability of it getting hacked ...

send through the makefile when you have done it so we know you are not just bullshitting everyone.

1) People need to read more carefully my posts and hate less

2) I never said you need BSD for bitcoind. You need BSD to expose your services.

3) I never said I have any software ready yet.

4) I am here just to point two facts:

a) Recently someone entered MtGox, and MtGox thinks he is not responsible for password leakage

b) MtGox uses very weak measures to prevent password leakage



Title: Re: About Mt. Gox flaw from a security expert
Post by: marcus_of_augustus on June 23, 2011, 09:48:12 AM


So have you built bitcoind on BSD yet ... be interested to know your thoughts on the statistical probability of it getting hacked ...

send through the makefile when you have done it so we know you are not just bullshitting everyone.

1) People need to read more carefully my posts and hate less

2) I never said you need BSD for bitcoind. You need BSD to expose your services.

3) I never said I have any software ready yet.

4) I am here just to point two facts:

a) Recently someone entered MtGox, and MtGox thinks he is not responsible for password leakage

b) MtGox uses very weak measures to prevent password leakage



I'm not trying to hate but you're making it pretty easy .... before claiming expertise maybe you should try building bitcoind on a system, any system will do, run some tests, get some data .....
i mean really how are we meant to take your expert opinion on anything bitcoin related if you don't know jack about bitcoind??

that would be just wrong. Roll your sleeves up, do a little learning and doing and then come and spout off as much as you please ...


Title: Re: About Mt. Gox flaw from a security expert
Post by: Vladimir on June 23, 2011, 10:05:08 AM
2) I never said you need BSD for bitcoind. You need BSD to expose your services.

I do run all my bitcoind's on FreeBSD, works great!

3) I never said I have any software ready yet.

it's in /usr/ports/*/bitcoin , easy...


And again... it is not the choice of OS which makes a system secure, it is how sysadmin's hands are attached...



Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 23, 2011, 10:28:01 AM


I'm not trying to hate but you're making it pretty easy ....

I think it mostly depends on the language barrier and the fact that some people started hating a lot, building a hating spree.

Quote
before claiming expertise maybe you should try building bitcoind on a system, any system will do, run some tests, get some data .....

Expertise in what? I never stated expertise in Bitcoin.

I have anyhow a strong expertise with credit cards and ATMs. I think I might know a few things about secure financial transactions.

Quote
i mean really how are we meant to take your expert opinion on anything bitcoin related if you don't know jack about bitcoind??

By discussing facts and sources. I'm more than happy to discuss and even to be criticized.

Anyhow I invite you to read again the first two pages of this discussion, and tell me if you see even one constructive criticism.


Quote
that would be just wrong. Roll your sleeves up, do a little learning and doing and then come and spout off as much as you please otherwise you're just whacking off in public, not pretty.


Let's analyze a  few facts:

1) Most of the people here want Bitcoin to have a broader adoption.

2) If Bitcoin scams start to spread out, then its adoption by both people and businesses will slow down

3) Recently a huge sum of money, whose amount can be only speculated about, but which is very consistent, has been stolen by Mt. Gox

4) Mt. Gox and other exchanges share a VERY WEAK authorization model

5) Most people use the same weak password multiple times


I think that by considering all these facts, it is clear we should push the Bitcoin community, both exchanges and end users, to much stricter security measures.

The only way to do this is to spread awareness, and put public pressure on exchanges.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 23, 2011, 10:29:22 AM



And again... it is not the choice of OS which makes a system secure, it is how sysadmin's hands are attached...



Are you telling me that an IIS+Windows machine can be made as safe as a FreeBSD+Apache one?

I'm sorry but I disagree with you.


Title: Re: About Mt. Gox flaw from a security expert
Post by: Vladimir on June 23, 2011, 10:44:35 AM
And again... it is not the choice of OS which makes a system secure, it is how sysadmin's hands are attached...

Are you telling me that an IIS+Windows machine can be made as safe as a FreeBSD+Apache one?

I'm sorry but I disagree with you.

Well... I personally do not know any sysadmins with "correctly attached hands" who run windows servers, but surely there are some out there... I guess that windows+apache can be made as safe as whatever+apache. (let's get IIS out of the picture for simplicity).  This probably would involve a server version of windows and some severe balls cutting. Not that I am an expert on this to be sure.

I do not mind if you disagree. Maybe a few decades from now you'll be less categorical and more tolerant.


Title: Re: About Mt. Gox flaw from a security expert
Post by: marcus_of_augustus on June 23, 2011, 11:06:49 AM
Quote
1) Most of the people here want Bitcoin to have a broader adoption.

2) If Bitcoin scams start to spread out, then its adoption by both people and businesses will slow down

3) Recently a huge sum of money, whose amount can be only speculated about, but which is very consistent, has been stolen by Mt. Gox

4) Mt. Gox and other exchanges share a VERY WEAK authorization model

5) Most people use the same weak password multiple times

1) not necessarily, bitcoin could do just fine as a niche currency for people who actually know how their computers work ... (handing matches to children can be dangerous)

2) monetary scams are all over the globe, crime is rampant on Wall St., is it affecting "dollar adoption"?

3) 3 months ago 400k btc wasn't worth squat and nobody would have cared ... in bigger scheme it is still peanuts .... GS got clean away with more than $100 bill and all they got was some schmuck dancing in front of the senators for few hours

4) MtGox is not equal to bitcoin, they are a curious sideshow

5) Most people are idiots and probably are not qualified to handle bitcoin technology at this stage in their evolution .... it is like when TCP-IP was released ... do you think it would have been a good thing if every tom dick and harry was trying to hook-up their own routing ....??

All in all it makes for some great laughs but you may be taking it a little too seriously ... people quickly become irrational when money is involved ... you won't be taking your bitcoins with you when you pass on ...


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 23, 2011, 03:36:52 PM
I work with vending machines and payments solutions (POS, ATMs, ....)
Meaning you refill them?  
Seriously that doesn't necessitate knowing about secure coding or securing machines.


Quote
I have a master in applied mathematics. My area of strength are numerical statistic, cryptography and game theory.
Doubtful.  At least not from a real university.  

I mean look at this:
Quote
Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Assuming there is some complete definition somewhere for "serious".   This gives us the number of flaws per system squared.  
While there is zero explanation as to what he's attempting to do here.  This looks, on the surface anyway, like something from manufacturing QA where you would have various kinds of potential equipment failures.   Which you could determine a rough upper bound for by say running a thousand widgets through their paces.   Then it might make sense to distribute these flaws across the number of machines in the field to get some kind of statistic about the probability that an individual machine would fail.  

However I think it's obvious to most of us that software flaws don't work that way.  Given a particular purpose (web server) and an operating system of a particular vintage with no other security devices present.  All systems would possess any unpatched bugs.   This of course begs the question that maud_dib was counting bugs that were, for the vast majority patched instead of unpatched bugs.   It's also far more difficult to find the upper bound for the number of security flaws.  You can't just run a bunch of Linux boxes in a room and see which ones get hacked.

So, on the surface anyway this looks like someone who has lifted a formula out of some book (IIRC he even specified one on quality control or something) and has wrongly applied it to software development.   Like I said before math isn't magic: the integral of "Batman" isn't "Bruce Wayne"

On to exhibit B:

Quote
Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Again zero information as to what he is trying to do here but given that he's only specifying what the confidence level is without telling us how that affects the confidence interval.  It's questionable that he really knows what he's doing.

Just to give you an idea as to how these statistics might be used. Here's an example: Suppose I had a sample of 100 Linux machines from a population of 10000 and also suppose I had a similarly qualified sample of 100 FreeBSD machines from a population of 1000. Now also suppose I know that 50% of the Linux machines had a compromise in the last year but only 45% of the BSD machines were compromised.  It would be useful to know if this difference is significant:

Assuming our populations are normally distributed we can determine that the confidence interval for both figures is around +/- 12% (there are lots of calculators on the net that will do this for you).  So that means that the "real" ratio of Linux compromises is from 38%-62% and the FreeBSD compromises is around 33%-57%.  This is what some might call "More differentiation within the groups than between the groups" which is a sign that the difference is not significant.

Then he starts talking about correlation which again if we're talking about categoricals (values that are assigned to a particular category like 1 = Linux, 2 = BSD)  and you had some outcome like system uptime the usual way to approach that is with an ANOVA.  

Quote

In fact, if you recall my statistical indicator PSI, it is taken from the PCI DSS literature.

If it is it would be nice for him to cite which version, which document and which page...just sayin'

Quote
I quoted it because some people said they were confident with PCI DSS, still they didnt recognized this, thus showing how fake they are.

No, this is a complete lie.   The mention of his PSI formula, as anyone can see comes well before his mention of PCI-DSS.

Again, he isn't clear who he's talking about but when he mentioned that PCI compliance is very expensive.  I countered that Tier 4 compliance is actually not very difficult or expensive.  These classifications have to do with the number of transactions processed.   So a vending machine is probably not going to process six million visa transactions annually.  This doesn't mean I have intimate understanding of PCI-DSS literature but it did show that he didn't understand the compliance requirements.

So were I to guess....this guy is probably an engineer.  Makes sense since he really seems to get ticked off at the use of that word and he's the kind of guy who you would hire for this kind of job - writing code for vending machines.

Now of course I could be wrong but rather than spelling out his use of math here, he constantly shifts between various dodges.

"People are making assumptions" - You know a good way to stop that?  Clarify yourself.
"People are insulting me" - As I've mentioned earlier he has pretty much lost the moral high ground there.
"Some people in this thread think that SElinux is a flexible linux distribution." - This is very likely untrue - I well understood that like GrSecurity, SELinux is a series of patches - I assume that the person I was talking with knew that too.
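
To make the confidence-interval reasoning in the post above concrete, here is an added Python example; it is not part of jgraham's post or any code from this thread. It uses the post's constructed numbers (100 Linux hosts sampled from 10,000 with 50 compromised, 100 FreeBSD hosts sampled from 1,000 with 45 compromised) and assumes the "+/- 12%" was a 99% Wald interval with a finite-population correction, which is an assumption of mine about how it was obtained. It goes one step beyond the post by adding a pooled two-proportion z-test, which is the direct significance check that the "overlapping intervals" reading approximates.

```python
import math

# Two-sided z critical values for the normal approximation (assumption: the
# "+/- 12%" in the post comes from a 99% Wald interval, which these reproduce).
Z_CRITICAL = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}

# Constructed sample, copied from the post's hypothetical: sampled hosts,
# compromised hosts, and the population each sample was drawn from.
SAMPLES = {
    "linux":   {"n": 100, "compromised": 50, "population": 10_000},
    "freebsd": {"n": 100, "compromised": 45, "population": 1_000},
}


def proportion_ci(compromised, n, population=None, confidence=0.99):
    """Wald confidence interval for a proportion.

    Applies the finite-population correction when the sample is drawn without
    replacement from a known population; it matters for the FreeBSD group,
    where 100 of 1,000 hosts were sampled.
    Returns (estimate, lower, upper, half_width).
    """
    p = compromised / n
    se = math.sqrt(p * (1.0 - p) / n)
    if population is not None and population > n:
        se *= math.sqrt((population - n) / (population - 1))
    half = Z_CRITICAL[confidence] * se
    return p, max(0.0, p - half), min(1.0, p + half), half


def two_proportion_ztest(c1, n1, c2, n2):
    """Pooled two-proportion z-test (the direct check the post is reaching for).

    Returns (z, two_sided_p_value). The p-value uses the normal CDF via erf,
    so no SciPy dependency is needed.
    """
    p1, p2 = c1 / n1, c2 / n2
    pooled = (c1 + c2) / (n1 + n2)
    se = math.sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    z = (p1 - p2) / se
    cdf = 0.5 * (1.0 + math.erf(abs(z) / math.sqrt(2.0)))
    return z, 2.0 * (1.0 - cdf)


def compare_compromise_rates(samples=SAMPLES, confidence=0.99):
    """Run both checks over two groups and say whether the gap is significant."""
    (name_a, a), (name_b, b) = samples.items()
    ci_a = proportion_ci(a["compromised"], a["n"], a["population"], confidence)
    ci_b = proportion_ci(b["compromised"], b["n"], b["population"], confidence)
    z, p_value = two_proportion_ztest(a["compromised"], a["n"],
                                      b["compromised"], b["n"])
    # Overlapping intervals are the post's "more differentiation within the
    # groups than between them"; the z-test is the proper decision rule.
    intervals_overlap = ci_a[1] <= ci_b[2] and ci_b[1] <= ci_a[2]
    return {
        name_a: ci_a,
        name_b: ci_b,
        "z": z,
        "p_value": p_value,
        "intervals_overlap": intervals_overlap,
        "significant": p_value < (1.0 - confidence),
    }


if __name__ == "__main__":
    result = compare_compromise_rates()
    for name in SAMPLES:
        p, lo, hi, half = result[name]
        print(f"{name:8s} {p:.0%} compromised, 99% CI {lo:.0%}..{hi:.0%} "
              f"(+/- {half:.1%})")
    print(f"z = {result['z']:.2f}, p = {result['p_value']:.2f}, "
          f"significant at 99%: {result['significant']}")
```

With the post's numbers both half-widths land near 12%, the intervals overlap, and the z-test gives a two-sided p-value of roughly 0.48, so a 5-point gap between two samples of 100 says nothing about which platform is "safer". The practical lesson for anyone comparing breach rates across platforms is that the sample size, not the headline percentage, decides what can be concluded.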



Title: Re: About Mt. Gox flaw from a security expert
Post by: iBTC on June 23, 2011, 04:16:21 PM
muad_dib is either too smart or too  ??? ???


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 23, 2011, 04:16:55 PM


Which unix version and from which vendor?

If you want to stay x86 I would go BSD.

Which flavor? Many of them. You need several layers of security in your infrastructure, so there's space for the coexistence of FreeBSD and OpenBSD, and also Linux.

A first layer of security made by a firewall and IDPS, maybe based on NetBSD or a commercial UNIX version, a second layer in the form of a DMZ with the webservers on FreeBSD or OpenBSD, and a local database, accessible just by local IP, which might also be Linux based.


Quote

 What is your proof that a Linux installation can't be made secure and that any unix installation can?



- Past track record

- Recently BSD underwent a very deep third party review. That's a big plus for security.

- BSD has proactive security, Linux security is reactive

- BSD is designed from the ground up for security, Linux instead has a more chaotic architecture


Title: Re: About Mt. Gox flaw from a security expert
Post by: Capitan on June 23, 2011, 06:02:10 PM
Hey guys -- just checking in. Has the undisputed winner of this thread been declared yet?


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 23, 2011, 06:36:12 PM
I wonder if anyone ever gets tired of hearing blowhards like maud_dib who provide zero evidence for their ridiculous assumptions.

Past track record
Past track record of not being securable as a BSD box?  Where is that?  Oh right.  Nowhere.
If not that then past track record of what exactly?  Candy bar sales?  I guess you'd know about that.

Quote
Recently BSD underwent a very deep third party review. That's a big plus for security.
A one time security audit is a good thing but I'm taking away your math degree (if you have one) since it doesn't say anything about relative merit.

Quote
BSD has proactive security, Linux security is reactive
Untrue.  FreeBSD doesn't even have one of the most common proactive security features ASLR.  This means that there are whole classes of exploit that FreeBSD needs to patch for but Linux does not.   Linux has GrSecurity and PaX as well as SELinux.

Quote
BSD is designed from the ground up for security, Linux instead has a more chaotic architecture

OpenBSD *says* that they do this but they don't really provide much detail on what this means or how it actually protects anything.  For example OpenBSD used to say "X years without a remote root exploit in the base install" which is nice but:

a) Doesn't say anything about all the installs out there.  How many people run an OpenBSD box with no other services installed at all.  Probably not many.
b) Doesn't say anything about OpenBSD code.  For all we know it's just they activate less in the default install.  Which is probably a good thing for hobbyists but doesn't really say anything about enterprise usage.

The real proof of his statements would be him taking me up on my challenge.   There was even ~$500 in it for him if he happens to be right.


Title: Re: About Mt. Gox flaw from a security expert
Post by: marcus_of_augustus on June 23, 2011, 06:57:45 PM
Hey guys -- just checking in. Has the undisputed winner of this thread been declared yet?

No, i think someone walked off with the dick measuring ruler and now its just a bunch of guys standing around with their dicks hanging out ....


Title: Re: About Mt. Gox flaw from a security expert
Post by: finack on June 23, 2011, 07:09:45 PM
You're pretty much all idiots for arguing about linux vs. bsd vs. dick size for twelve pages. Anyone who actually knew what they were talking about would have given up long ago - when you actually know what's up you don't need to prove it to everyone.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 23, 2011, 07:11:59 PM
You're pretty much all idiots for arguing about linux vs. bsd vs. dick size for twelve pages. Anyone who actually knew what they were talking about would have given up long ago - when you actually know what's up you don't need to prove it to everyone.

I totally agree with you. In fact I started ignoring the flamers a few posts ago.

Now I answer just to the legitimate questions.



Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 23, 2011, 07:58:34 PM
You're pretty much all idiots for arguing about linux vs. bsd vs. dick size for twelve pages. Anyone who actually knew what they were talking about would have given up long ago - when you actually know what's up you don't need to prove it to everyone.

I totally agree with you. In fact I started ignoring the flamers a few posts ago.

Now I answer just to the legitimate questions.


uhhh...did you forget that they're talking about you?


Title: Re: Mac —–> Windows —–> Linux —–> BSD —–> UNIX
Post by: jgraham on June 23, 2011, 08:45:28 PM

What happened to talking about facts?  That's just conjecture.

You discuss like you're an expert about selinux, still you missed that it isn't just for linux.

Just pointing out one more factual error from the silly maud_dib.   Actually yes, it is just for Linux.   Parts of it, as I noted much earlier, have been ported to things like TrustedBSD (which is why my response was 'it depends'), but you can't just apply the kernel patches (possibly you could try to compile the userspace libraries under the Linux compatibility layer ... but I doubt that would work without the kernel layer to support it).

Kind of illustrates where he gets most of his information from.  eh?

As evidence (that thing that maud_db rarely provides) I offer you the following from the NSA's archives of the mailing list: http://www.nsa.gov/research/selinux/list-archive/0108/thread_body15.shtml

> 2. I read in the FAQ that selinux can be installed on an existing
> linux install. Can it be installed on a Freebsd system with linux
> compatibility? Is anyone working on a port for freebsd or openbsd?

no. its massive kernel changes, things that emulation ont matter at all about. for freebsd look into the trustedbsd project,


But thanks for the heads-up maud-dib....the Wiki is now corrected.


Title: Re: About Mt. Gox flaw from a security expert
Post by: dr.bitcoin on June 24, 2011, 07:03:57 AM
guys, you may have more servers, but my fiber is longer!  ;D
WTF are we trying to accomplish with this thread? go buy a security book, take a couple classes, and spend a few months/years in the wild.
the rest is, sorry, just conversations  ;D


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 24, 2011, 11:54:15 AM
guys, you may have more servers, but my fiber is longer!  ;D
WTF are we trying to accomplish with this thread? go buy a security book, take a couple classes, and spend a few months/years in the wild.
the rest is, sorry, just conversations  ;D
I can only speak for myself here.  If you're getting at the idea that the question of "what is more secure Linux or some form of BSD" is probably difficult or impossible to answer and it's stupid to try, I agree.   

However here's what I see here.  A few people (mostly maud_dib) seem to be saying "Linux can not possibly in any reasonable circumstance be as secure as FreeBSD" (although maud_dib hedged his bet a bit after he googled about OpenBSD and now just says BSD).  That statement I think is a little different and can be falsified.  I think that would be clear if the people involved just showed some backbone and tried to support their arguments.   

I also think it's worthwhile, for the sake of the community to stand up to people who bully people with terminology prejudices and pseudo-expertise.

On the subject of security books....do you have a favorite?  On the subject of actually exploiting security holes.  I'd recommend picking up the Shellcoder's Handbook: http://www.amazon.ca/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=sr_1_1?ie=UTF8&qid=1308916045&sr=8-1

It's a great intro to the subject.


Title: Re: About Mt. Gox flaw from a security expert
Post by: finack on June 24, 2011, 02:56:12 PM
A few people (mostly maud_dib) seem to be saying "Linux can not possibly in any reasonable circumstance be as secure as FreeBSD" (although maud_dib hedged his bet a bit after he googled about OpenBSD and now just says BSD).

http://imgs.xkcd.com/comics/duty_calls.png


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 24, 2011, 04:27:59 PM
A few people (mostly maud_dib) seem to be saying "Linux can not possibly in any reasonable circumstance be as secure as FreeBSD" (although maud_dib hedged his bet a bit after he googled about OpenBSD and now just says BSD).

http://imgs.xkcd.com/comics/duty_calls.png
See that never happens to me because the next thing she says is:

"Come to bed or I'll stab you in the eye!"

...and I like my eyes.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 25, 2011, 07:07:08 AM
Let the Little Mouse in the moon rest, he started this, none of us have to continue it.  Kid needs his sleep, whether he knows it or not.  I don't look at security from either an engineer's or a mathematician's point of view, although at times I have been both in my own little ways.  Locks aren't designed to be unbreakable, just nuisances, something other than low-hanging fruit.  Security systems get hacked for two main reasons.  They are commonly used, or they are known to be used specifically by stupid rich people.  Macs have their very own fake antivirus attack going on right now, and it's a pretty big deal.  It isn't buffer overflows and unsalted brute-forceable encryption passwords that is the day to day problem for most users. 
It's not knowing that the internet is at war with them.  Not seeing that you don't have to run faster than the bear, you just have to run faster than your neighbor.  Basic tactics.  Which brings me back to my question about obscure operating systems.  All specific knowledge of kernel coding and security models and statistics (heaven forfend) aside...what operating systems do the actual commercial exchanges use?  Again, basic tactics. Don't bring a gun into an argument about a knife fight seems to be what I hear from the Linuxists. A gunslinger can secure any operating system, which was the Little Mouse's argument about SELinux, as far as I can tell.  He did not prove that he was a gunslinger, but it is a valid point.  So, again, what are the professionals using and why?  And how?


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 25, 2011, 07:13:10 AM
So, again, what are the professionals using and why?  And how?

Mt. Gox Uses FreeBSD.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 25, 2011, 07:36:27 AM
At this point, that is not exactly a strong draw...although I will say again that the BSD's in general have always had a notably better reputation for security.  At a certain point, out of the box features become meaningless when you become a likely target.  Recognizing that change in your own world is where MTGox dropped the ball.  I can relate.  I tend to trust people and always think that smarter people are kinder as a result of their intelligence.  It has taken me most of my life to realize that there is zero correlation between the two.


Title: Re: About Mt. Gox flaw from a security expert
Post by: muad_dib on June 25, 2011, 07:45:26 AM
At this point, that is not exactly a strong draw...although I will say again that the BSD's in general have always had a notably better reputation for security.  At a certain point, out of the box features become meaningless when you become a likely target.

Well the fact that BSD is compatible with other license is also a plus. Running a RaidZ is a plus for security. It has also better link aggregation protocols (something which lags a little behind in linux).

Maybe you should go to them and tell that it's not true, linux is as safe as BSD, maybe even better. I'm sure they will be more than happy to follow your, jgraham and the other linux kids' advice.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 25, 2011, 07:56:50 AM
Compatible with other license (sic)?  You don't need a license.  You need a bigger fence.  Or an electrified one.  Or an automated laser guided grenade launching robotic monster attack dog.  Oh, hell, Boston Dynamics has that, why don't you?  The real tactics of the military and the government are not primarily designed by theoreticians.  They are designed by story-tellers and engineers.  Why do old churches have gargoyles on their parapets?  The people like you did the math for the archways, the people that like scaring the credulous did the gargoyles, the people like me said "Imma need a slot to shoot through."


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 25, 2011, 08:09:34 AM
I have a silly question, DON'T CHEAT, do it by hand on paper....what is 11010110101011001011111001000111 xor'ed with 00101001010100110100000110111000?  This is not a quiz, it is an exercise.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 25, 2011, 08:33:26 AM
Good lord, this damn Bitcoin thing is making me remember what I used to know - I'm serious, Little Mouse, if you are going to be quoting random stuff about RAID but have never known what logic-gates were by building, testing, and debugging them yourself, if you insist on talking about security perimeters...I mean parameters, without having written bad code yourself and been embarrassed enough to fix it BEFORE you handed it in, have never had your own FreeBSD (I always thought OpenBSD was slightly better, but that was 10 years ago) get its ass handed to you from the get-go because your video-card wasn't handled properly by the stable X Server version that was out that year.....you have to fail by trying, and you have to understand that this is how we all learn.  You weren't criticised so much for your ignorance as for your attitude.  Although the pretense of experience was in there too, it was the lesser offense.


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 25, 2011, 11:09:56 AM
I have a silly question, DON'T CHEAT, do it by hand on paper....what is 11010110101011001011111001000111 xor'ed with 00101001010100110100000110111000?  This is not a quiz, it is an exercise.
a lot of ones: 11111....


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 25, 2011, 06:07:00 PM
Yay!!!!!!  That would either be very true or an exceedingly large number.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on June 25, 2011, 06:23:23 PM
Running a RaidZ is a plus for security.

Meh, unless you say how (which is kind of the thing that you keep "forgetting" to do here) it's not much of a point.

RAIDZ in terms of its disk layout isn't significantly different (in function) from a number of other dynamically expandable RAID systems.  The fact it is part of ZFS means that it has the checksum and copy-on-write facilities which make it a good choice for preventing accidental loss of data integrity. However that's not really what we're talking about when we mean 'security'.   What does ZFS really bring to the security party though?  Assuming all the solaris stuff came with it into FreeBSD - ACLs? What doesn't have at least some ACL support these days? Although I'm not positive how the various features trade off between systems e.g. delegation.  For the record I'm running ZFS on my gentoo box.

(For reference the above is closer to an actual discussion on the security merits of RAIDZ as opposed to just calling it "a plus" which is more of a lame pontification).

Quote
Maybe you should go to them and tell that it's not true, linux is as safe as BSD, maybe even better. I'm sure they will be more than happy to follow your, jgraham and the other linux kid advices.

You have (temporarily?) confused yourself...who's advising to switch from FreeBSD to Linux?  Nobody.  Who's arguing that someone who needs a secure environment switch from Linux to FreeBSD - you.   Just to look at the logic: assuming I'm right and a properly secured Linux box is as good as a properly secured FreeBSD box (although in each case 'properly secured' would mean different things), there would be zero advantage in moving (assuming the existing platform is meeting their needs).


Title: Re: About Mt. Gox flaw from a security expert
Post by: marvinmartian on June 25, 2011, 06:28:06 PM
People, this isn't about Linux vs FreeBSD. 

This is about good sysadmins vs mediocre (or even bad) ones.

The latter make life difficult for the entire world, particularly when they manage machines that a) deal with $$$ and b) have a large user base.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 25, 2011, 06:36:18 PM
Bravo.  The devil may be in the details, but the more important part is that Mt Gox was overly optimistic and got lazy - I still think Bitcoins are a toy, but they will be far more than that when non-technical people can expect that the technical people won't let their stored value be secured by a kiss and a promise.


Title: gainsaying fanboi dissembly refuted by statistical modeling expert
Post by: iCEBREAKER on June 26, 2011, 06:58:12 PM
In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).

Referring to a commonly known fact, such as the security of BSD vs Linux, is not an argument.

If it were a fact, then you would be able to point to some clear and objective evidence of that right?  (Keep in mind that because you are referring to 'security' as some kind of blanket term you'd be responsible for providing that kind of evidence for the majority of aspects of the term and of course how exactly you know that your set of aspects is the majority).

Nice labeling there mac.  This isn't gainsaying.  I, simply as an IT security professional and the holder of a degree in computer science, have seen no set of well-defined, broadly scoped evidence that BSD is superior in "security" to Linux.  Nor in my conversations with other security professionals or members of the CS community (like my alumni, Usenix attendees) have I seen any clear consensus as to the superiority of BSD.  I have certainly met people who make that claim, but they always seem to fall down when trying to come up with a general definition of security, or if they do, they fall down in substantiating it with regard to their favored OS/Platform/Giant Spider.  Ergo it seems reasonable to me to call such a term "complex"; furthermore, given that even the most secure systems from a theoretical point of view can be entirely undone in implementation (such as EMF side-channel attacks on QKDS), it seems again reasonable to me to call such a system "nuanced".  Given these two facts (using the term correctly here), I think it is entirely justified to be mistrustful of any and all who consider "security" as an open and shut case for product (or platform or giant spider) X over product (you get the idea) Y.

What do you want from me here guy? The two sentences above tell me to look at your use of the term "well-known" as: your opinion of the opinions of two very large groups of which your sample size is probably so small and poorly randomized it's useless.  Not to mention that even if the majority of those two groups held the opinion you claim, it still isn't necessarily meaningful.   Computer Science and EECS people do not always have a background in computer security, making their opinion anywhere from questionable to useless.   Given the size of the groups and the variance in the population's skill set you could easily be getting the opinion of the least qualified people. I mean, would you really rank the opinion of someone whose focus was in Combinatorics or AI or Queuing Theory as equal or greater than Bruce Schneier or (going old school) D. J. Bernstein when it comes to an application or operating system's "security"?  If you don't, then how many Combinatoricists, AI researchers or Queuing Theorists make one Bruce or Dan?  

Not to mention it's not hard to find high-profile people in computer security who disagree on "well-known" concepts.

You, BB, and Tux may huff, puff, insult, gainsay, and dissemble until blue in the face, but that won't change anything in reality.

Bickering and playing word games don't cut it, especially when a statistical modeling expert (specialized in computer security) is schooling you on the facts and logic of the issue at hand.  Thanks Maud-dib, for attempting to educate these stubborn script kiddies (1337 RHEL cert notwithstanding, LOL!).

I repeat: Referring to a commonly known fact, such as the security of BSD vs Linux, is not an argument.

Quote
What is the most secure operating system?
In: Operating Systems, Computer Security

http://wiki.answers.com/Q/What_is_the_most_secure_operating_system

Answer:

Security is a difficult and sometimes controversial thing to analyze. The only truly "secure" operating systems are those that have no contact with the outside world. The firmware in your DVD player is a good example.

Among all modern general purpose operating systems (Windows, Mac OS X, Linux, Solaris, FreeBSD, NetBSD, OpenBSD) the most secure by default is by far OpenBSD.

OpenBSD has an extremely stringent security auditing policy; only two remote attack vulnerabilities have been found in the last ten years. This is because OpenBSD doesn't create a large attack surface by running a large number of networked apps.


I've met Linus Torvalds in person.  He's a nice guy, and it sucks his baby is being represented here by fanboi suffering from Tiny E-peen Complex.



Title: Re: About Mt. Gox flaw from a security expert
Post by: iCEBREAKER on June 26, 2011, 07:14:29 PM

- BSD has proactive security, Linux security is reactive

- BSD is designed from the ground for security, Linux instead has a more chaotic architecture

Very well put; an elegant statement.

I love that some ITT Tech foolio is questioning the methodology of a trained statistical modeler.

It's entertaining how, when his on-topic nonsense is corralled and put down, he simply disputes whether or not you *really* have an MS in stat. 

The word for when someone contradicts everything you write is called 'gainsaying.'  It's not a polite or nice thing to do, and hence is often considered trolling or flamebaiting.

You've led the donkeys to water, but the stubborn asses won't drink.

No wonder you've added the 3 Stooges to your plonk file (wish BTCforum would add an 'ignore' feature).

It didn't have to be this difficult:

http://tinyurl.com/3lfxm4x
Quote
Is Linux the most secure OS?

Linux-based systems get a lot of press in IT trade publications. A lot of that press relates to its security characteristics. In fact, some claim “Linux is the most secure operating system (OS) of them all.” Such statements are, of course, unsupportable hyperbole; while many Linux distributions may outshine both MS Windows and Apple MacOS X by a significant margin, there’s evidence to suggest that most Linux distributions are not up to the standards of FreeBSD, for instance — let alone OpenBSD, with possibly the best security record of any general-purpose operating system.



Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on June 26, 2011, 07:29:32 PM
I'm finding it interesting that you are quoting answers.com. Are you serious?


Title: It isn't an argument when you fall back to mere contradiction and ad hom.
Post by: iCEBREAKER on June 26, 2011, 09:28:19 PM
I'm finding it interesting that you are quoting answers.com. Are you serious?

Do you understand what this means, Professor Gainsayer?

Quote
OpenBSD has an extremely stringent security auditing policy; only two remote attack vulnerabilities have been found in the last ten years. This is because OpenBSD doesn't create a large attack surface by running a large number of networked apps.


It's called 'Answers.com' for a reason!


Title: Re: gainsaying fanboi dissembly refuted by statistical modeling expert
Post by: jgraham on June 27, 2011, 12:59:06 AM
You, BB, and Tux may huff, puff, insult, gainsay, and dissemble until blue in the face, but that won't change anything in reality.

True but I'm hardly doing any of those things.  ;D

Quote
Bickering and playing word games don't cut it, especially when a statistical modeling expert (specialized in computer security) is schooling you on the facts and logic of the issue at hand.
What, other than Maud-dib's say-so, has you thinking he's any kind of expert in statistics?  I mean other than that he appears to agree with you.  Can you point me to a specific, well supported point he has made?  From where I sit, if there was an award for uninformative posts, I think maud_dib would be a contender.

Quote
I repeat: Referring to a commonly known fact, such as the security of BSD vs Linux, is not an argument.

Actually it is.  We call it an implied argument from popularity.  It's no more compelling than people who say: "It's a well known fact that <racial/ethnic group X> is <deficiency Y>".  

Quote
http://wiki.answers.com/Q/What_is_the_most_secure_operating_system

I think you must be pulling my leg here...any reason that you take the word of this random person on the internet?  I mean other than that they appear to agree with you?   

Quote from: some random person on the internet
Security is a difficult and sometimes controversial thing to analyze. The only truly "secure" operating systems are those that have no contact with the outside world. The firmware in your DVD player is a good example.

This reads a lot like someone who heard a college lecture and is making "broken telephone" mistakes in repeating it.  I've heard this used as a theoretical example.  That is, a system which has no contact with people or machines at all is secure by definition, but that's because 'security' is probably being defined as 'Allowing only the right people access to the right things'.  Allowing nobody access to anything is clearly conforming to that definition.  However that is also an example of the most useless system.   So sometimes people use this example to refer to attacks that are network related.  So again, yes, removing the ability to talk on the network is yet again conforming to our definition.    However the network isn't the only way people gain access to information.  Ergo, while a non-networked computer is immune to network attacks, it doesn't mean it's immune from the wrong people getting access to information.   A computer could have no network card but be physically available.   Terminals in our university library were able to access some machines without using a network connection, as they were hardwired into a serial console connected to the computer.

Using a DVD player as an example is either wrong, dated or unclear.  DVD Players allow physical access and some even allow network access.

Quote from: some random person on the internet
only two remote attack vulnerabilities have been found in the last ten years. This is because OpenBSD doesn't create a large attack surface by running a large number of networked apps.

Actually this isn't quite correct.  The actual tagline was:

"Only two remote holes in the default install, in a heck of a long time!" (emphasis mine)

I addressed this already.  The best argument you can make here is that an OpenBSD box with nothing else installed is secure from a remote attack.  However that doesn't really tell you much about OpenBSD code, review procedure, or their overall security model.   So it doesn't say the average OpenBSD box is secure nor anything about how secure an OpenBSD box would be when running a common application in a production environment and it sure doesn't say anything about when compared to a Linux machine that has been secured by someone qualified to do so. 

What OpenBSD attempts to do is commendable but the statement is closer to marketing hype than a useful security metric.

Quote
I've met Linus Torvalds in person.  He's a nice guy, and it sucks his baby is being represented here by fanboi suffering from Tiny E-peen Complex.

Linus has publicly been more critical of the OpenBSD development model than I have been in any of my posts.  In case you keep missing it.  I simply deny that there is clear evidence that in any real-world environment a secured OpenBSD (or a FreeBSD) box is more secure than a secured Linux box.  That isn't saying that OpenBSD isn't good, nor is it saying that Linux is the best.


Quote
Very well put; an elegant statement.
...and inaccurate.  I've already given examples as to how OpenBSD has avoided proactive security measures either because they consider their existing security sufficient or Theo D. has gone a little nuts.

Quote
I love that some ITT Tech foolio is questioning the methodology of a trained statistical modeler.

First, your use of "statistical modeler" instead of simply "statistician" is adorable!  Second I think it's more me saying "Where exactly *is* your methodology?" and maud_dib kind of pretending that methodological transparency isn't important.

Quote from: someone who has certifications but is not CS which Icebreaker keeps implying is a lesser situation
there’s evidence to suggest that most Linux distributions are not up to the standards of FreeBSD, for instance — let alone OpenBSD, with possibly the best security record of any general-purpose operating system.

This article is all over the place.  At first he says there is evidence to suggest, but he doesn't say what that is.   The only thing he seems to mention is the OpenBSD tagline (which says nothing about FreeBSD).  He does make this other interesting quote later on:

Quote
One of the most common criteria used by people who don’t really understand security, and by those who do understand it but want to manipulate those who don’t with misdirection and massaged statistics, is vulnerability discovery rates.

Isn't this one of the two primary metrics that maud_dib espoused?  According to this guy he says maud_dib 'doesn't understand security'.   I've already given my rationale for why these rates aren't such a good metric.

He goes on to mention a few more metrics without any rationale as to why these are particularly useful.

Quote
    i) code quality auditing
    ii) default security configuration
    iii) patch quality and response time
    iv) privilege separation architecture

i) I don't agree with this as prima facie it's difficult to express it as a metric.   What units does "code quality auditing" come in?
ii) Likewise this is hard to express usefully as a number and it's really only meaningful to people who are in the habit of deploying systems in their default configs.
iii) If by 'quality' we mean a binary condition consisting of: a) Does it fix the security problem b) Does it cause another security problem.   This is a metric I actually like but there's no information as to how FreeBSD, Linux and OpenBSD differ in this respect.
iv) Again I like this idea but it's difficult to express in units.   Perhaps some categorical?


Quote
It's entertaining how, when his on-topic nonsense is corralled and put down, he simply disputes whether or not you *really* have an MS in stat.

...so on your Internet nobody pretends they're something they're not?  I can see how security seems so easy over there then.  Just make your login sequence ask: "Hey are you *really* supposed to be accessing this system?" since where you are everyone is completely honest.  All attackers will be forced to say "No".  Then you can log them out.

Where I am people regularly attempt to fake it.   As I've already said my position is simple.  Maud_dib has provided very little in the way of what he was attempting to do with his "psi", how it was meaningful to computer security and what data he was supplying to it.  He has had multiple opportunities to clear up some very simple questions.  I think that means the alleged statistician has earned some skepticism.

Besides I've provided a dearth of information as to why I hold the positions I do and I'm open to argument on those points.   So far all you want to say is your position is a "fact" and therefore requires no support.   Which is fine, have any sort of religion about computers you want but it's hardly surprising when those of us above the age of seventeen think the world is a little more complicated than you suggest.


Title: Mt. Tux - 100% Linux for 100% Security
Post by: iCEBREAKER on June 28, 2011, 01:52:38 AM
So, again, what are the professionals using and why?  And how?

Mt. Gox Uses FreeBSD.

Of course they do. 

It's been the OS of choice for the security-conscious crowd since long before the first generation of cryptocash.

I'd like to see the 3 Stooges who insulted, attacked, and ran you off try to browbeat MtGox into switching to Linux, using similar thug tactics of ganging up and gainsaying everything said to them.

That would be funny!

I wonder why they, who know compsec ever-so-much-better than MtGox, Muad-dib, and myself, simply don't start up their own clearinghouse and compete with MtGox.

MtTux would be 100% Linux, and therefore immune to the security problems presented by BSD (all TWO of them, LOL).


Title: Why they still know me by name at the Mathematics Statistics Library
Post by: iCEBREAKER on June 28, 2011, 02:30:12 AM
Quote
your use of "statistical modeler" instead of simply "statistician" is adorable!

Adorable?  Thanks.  I guess you have a thing for articulate nerds with a deep understanding of both math and language.

Let's break it down into simple chunks that will be easier for you to digest.

1.  All statistical modelers are statisticians.

2.  Not all statisticians are statistical modelers.


Now just wait a second, and don't get all upset or confused before letting me resolve this seemingly inexplicable paradox of connotation versus denotation.

You see, statistical modeling is part of what's called 'applied statistics.'

To do applied statistics (in the form of modeling) you first need a background in what's called 'theoretical statistics.'


Once you have that, you can stay in the world of theory and be an ivory-tower egghead statistician, or you can enter the real world and help build statistical models of real things (like computer security) by applying your theoretical background, as a statistical modeler.

Some statisticians do leave academia and enter the private sector, but do not build statistical models.  They remain statisticians, and do not become statistical modelers.

Here is some further reading for you, to gratify your demonstrated deep curiosity regarding this mysterious, crucial, and often misunderstood distinction.  Enjoy!

Quote
There are many controversial topics actively discussed among business analysts who follow divergent schools of thought.  The most common schools of thought can be categorized into two groups:  the first group being the theoretical statisticians, and the second being represented by those individuals who embrace “applied” statistics.  Generally, the theoretical statisticians apply what they’ve learned in an academic setting, and follow the “laws” set forth by their institutions.  On the other end of the spectrum, the applied statisticians rely heavily on market testing and key performance indicators (e.g., financial impact) to determine their own set of experientially-based statistical methods and axioms.

Neither school is inherently good or bad.  All seasoned analytic managers have met new analysts who come straight out of school with misconceptions of the value and place for various mathematical procedures and rules.  We’ve all also faced analysts with significant career experience who have carried their academic theoretical statistical knowledge with them as an unchanging edict, despite the limited (or detrimental) applicability of some of these doctrines in the marketplace.  Similarly, we’ve all also encountered business-focused “applied statisticians” whose lack of adherence to theory has resulted in unstable strategic analytic products that look great on paper, but fail in practice.

Of all the points of conflict between theoretical and applied statisticians, one of the most heated relates to the utility of the measurement of colinearity in predictive modeling.  In predictive modeling, colinearity is the amount to which two independent variables correspond to the same dependent variable.  It can also refer to the amount a single independent variable corresponds to a dependent variable.

The theoretical statistician will argue that intensively managing colinearity is of great importance in building predictive models.  A few of the arguments they will cite to support this position include that if colinearity isn’t removed:

    We cannot clearly explain the value of each independent variable in the model’s predictive algorithm
    We are endorsing a final product that may not conform with standard mathematical partiality towards a solution that is parsimonious in nature
    Parameter estimates might be unstable from sample to sample (or from validation to marketplace execution)

The applied statistician will argue that colinearity is not relevant as:

    We are seeking lift , not explanation.  If the new model makes more money in the marketplace, the ability to explain “why” becomes academic
    Parameter estimate stability can be enhanced through various exercises during the model build phase

The reality is that both sides may be correct, at specific application points, and in specific situations.  We just need to moderate academic rigor with real-world findings in order to uncover when to implement a rule, when to bend it, and when to discard it.  To address each of the five points (above):

    Explaining an individual variable’s contribution to a multivariate prediction may or may not have relevance.
        If you are in a market research company, this is a key concern.  You will need to let your clients know not only “what will be,” but “why.”
        If you are in a direct marketing company, explanation may not be relevant.  As an example, if you work for a catalog company, maximum incremental financial lift is far more important than explaining the “percent of predictive value” driven by individual model components.

    Ideally, we want a parsimonious solution as they tend to be more stable.  But, what if you find that your less parsimonious option (having been tested on multiple out-of-time validation samples) is almost identical in stability?  What if, during those same tests you find that it produces a far more robust prediction?  In short:
        Generally, you will want to favor a more parsimonious solution
        But, if you have a model that is relatively less parsimonious, but already proven stable and robust, there may not be any additional value in reworking the solution for the sake of a mathematical preference

    If you are conducting a model building strategy that does not manage colinearity, but is laser-focused on lift, and you find that your parameter estimates are not stable, a likely cause is inadequate sample size in the build data set.  As a result:
        You can increase your sample size substantially (which will typically eliminate this issue)

    For most predictive model applications in industry, lift is the goal.  But you need to be apprised of the perspective of senior management and clients.  Until they are comfortable with your track record, they may require you to explain the nature, source and quantified relevance of each individual variable in your model…and you’ll need to provide this explanation in business terms they can understand

    Managing parameter estimate instability can’t always be achieved:
        The most common way to reduce model instability (caused by collinear variables) is to increase the build and validation sample sizes.  But, for many organizations, there simply isn’t enough data to do this effectively (especially for smaller organizations that are not engaged in direct marketing).
        Another potential parameter estimate instability cure is to examine each variable and appropriately bin them relative to the dependent variable in question.  Keep in mind, though, that the more you bin, the more you will also be reducing variable information value…and this may end up reducing the overall predictive power of the model.

Overall, the positions held by the “pure” theoretical statistician and the “pure” applied statistician both have strengths and weaknesses that can be demonstrated in actual market testing.  To improve effectiveness, each group needs to move beyond a mastery of one philosophy, and become a pragmatist of both.


Title: Re: Mt. Tux - 100% Linux for 100% Security
Post by: jgraham on June 28, 2011, 02:38:59 AM
So, again, what are the professionals using and why?  And how?
If by "professionals" we mean people who are in an industry where security is prioritized, it's not always clear cut.   The financial institutions I worked for used OS/390 machines simply because they had invested huge amounts of money into them.  Not because of any pretense of security.

I'd like to see the 3 Stooges who insulted, attacked, and ran you off try to browbeat MtGox into switching to Linux, using similar thug tactics of ganging up and gainsaying everything said to them.

I think you have officially entered the twilight zone now.   It was maud_dib who chastised Mt. Gox for using Linux.  Now of course he says they don't, so if we assume, like you have, that his opinion was evidence based, that is, there was something that made him think the OS was at fault (after all he's a "trained statistical modeler" :-)  ), then either those selfsame indicators would apply to FreeBSD, OR the opinion was not evidence based: it was assumed based on his presumption that Linux is insecure by comparison.  An opinion neither you nor maud_dib has provided any useful objective evidence for.

But we don't talk about that....just like you don't talk about maud_dib's having done more than his fair share of insults...We just talk about the insults he's received.  Am I clear on where you are coming from?

Anyway your implied question has already been answered oh delusional one.  If Linux is as good as BSD then there is little reason to switch.

Quote
I wonder why they, who know compsec ever-so-much-better than MtGox, Muad-dib, and myself, simply don't start up their own clearinghouse and compete with MtGox.

Well, Mt. Gox has made some noobish mistakes but they were all, from my understanding policy and implementation errors.  Unlike maud_dib (initially) I don't have a problem with their choice of OS.  I don't really know anything about starting up a monetary exchange and my side-projects already consume enough of my time.  I really don't see why in your opinion everyone who understands computer security needs to start monetary exchanges but perhaps I'm just not drinking heavily enough.

On the other hand I've already proposed $500 USD in BTC as a prize for a contest for breaking into a hardened Linux box.     The way you talk it would be easy money but considering the way you act I suspect it isn't.  ;D

Maybe you'll answer that now.

Quote
Adorable?  Thanks.  I guess you have a thing for articulate nerds with a deep understanding of both math and language.
No but I'll let you know when you start showing signs of either of those. :-)

Quote
1.  All statistical modelers are statisticians.

2.  Not all statisticians are statistical modelers

Name something from statistics which is not a model of something or a modeling tool.  ;D  If you read your own article you'd see that both the so-called Pure statistician and Applied statistician are modeling something.   The only difference is the kind of validation they are willing to consider.  So the "pure" statistical model is considered valid (in this case) when it conforms to some dogma about colinearity and the "applied" model is valid when (among other things) it succeeds in predicting something.

Anyway you're cute when you just shovel barely applicable google cites and pretend that somehow makes your point.

But in the interests of you actually contributing something....I'll try to keep in mind that when you say "statistical modeler" you mean "Applied statistician".  Not that you show much understanding of what the second term means anyway.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 29, 2011, 02:09:42 AM
I already know that I'm a bit of a troll, being a bohunk, backwoods IT guy and all...but the biggest problem I had with math wasn't the math.  It was the conclusion that because your math was brilliant that it must therefore also be true.  The only real things in this world do not just exist in your mind.  What physics do engineers do?


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on June 29, 2011, 02:22:12 AM
(I may be casting my vote for Messr. Graham's arguments, in few words)  Just because it looks good on paper, don't mean it flies.  Doing your homework means trying it yourself, not quoting "authoritative" sources like, oh, Wikipedia.  Don't get me wrong.  I check WP all the time.  And the articles' reference materials.


Title: Re: Mt. Tux - 100% Linux for 100% Security
Post by: iCEBREAKER on June 30, 2011, 03:21:40 AM
Quote
1.  All statistical modelers are statisticians.

2.  Not all statisticians are statistical modelers

Name something from statistics which is not a model of something or a modeling tool.  ;D  If you read your own article you'd see that both the so-called Pure statistician and Applied statistician are modeling something.   The only difference is the kind of validation they are willing to consider.  So the "pure" statistical model is considered valid (in this case) when it conforms to some dogma about collinearity and the "applied" model is valid when (among other things) it succeeds in predicting something.

Anyway you're cute when you just shovel barely applicable google cites and pretend that somehow makes your point.

But in the interests of you actually contributing something....I'll try to keep in mind that when you say "statistical modeler" you mean "Applied statistician".  Not that you show much understanding of what the second term means anyway.

Dang it jgraham, stop being so funny or we might end up as friends or something!   >:(

I'm glad you finally accepted that the tension between your overly strict denotation of "statistical modeler" and the common, widespread informal connotation of "applied statistician"  is best resolved, in popular usage (check the job postings for both terms), by the simple understanding that "statistician" implies more theoretical or academic work while "statistical modeler" implies a more applied or industrial frame of reference.

My approach is superior because it preserves linguistic information, while your misinterpretation destroys the sometimes subtle distinction between a working statistician (ie statistical modeler) and the purely theoretical academic egghead (ie capital-S Statistician).

You seemed to be claiming that 'all statisticians use statistical models, therefore all terms referring to them are all interchangeable, no matter their particular function, specialty, talent, or role.'

That's why I showed you the differences with the copypasta illustrating and demonstrating their existence at length, and in excruciating detail.

I knew that would win you over.   ;D

Cheers brah!

/Hella Laim Flaimwar


Title: Re: Mt. Tux - 100% Linux for 100% Security
Post by: jgraham on June 30, 2011, 02:17:28 PM
Quote
1.  All statistical modelers are statisticians.

2.  Not all statisticians are statistical modelers

Name something from statistics which is not a model of something or a modeling tool.  ;D  If you read your own article you'd see that both the so-called Pure statistician and Applied statistician are modeling something.   The only difference is the kind of validation they are willing to consider.  So the "pure" statistical model is considered valid (in this case) when it conforms to some dogma about collinearity and the "applied" model is valid when (among other things) it succeeds in predicting something.

Anyway you're cute when you just shovel barely applicable google cites and pretend that somehow makes your point.

But in the interests of you actually contributing something....I'll try to keep in mind that when you say "statistical modeler" you mean "Applied statistician".  Not that you show much understanding of what the second term means anyway.

Quote from: iCEMAKER
I'm glad you finally accepted that the tension between your overly strict denotation of "statistical modeler" and the common, widespread informal connotation of "applied statistician"

Your prejudicial language aside, I think you misread my post.  I accept that when you use the term 'statistical modeler' you are referring to some idealized trope identified as "applied statistician" by some person on the internet.  For whom the term doesn't really denote a presence or absence of statistical modeling, just some polarized ideas about model validation.

Quote from: iCEMAKER
My approach is superior because it preserves linguistic information, while your misinterpretation destroys the sometimes subtle distinction between a working statistician (ie statistical modeler) and the purely theoretical academic egghead (ie capitol-S Statistician).

Not really.  Your approach is simply to assume that you are unquestionably correct for something where 'correct' is difficult to ascertain and without citing any useful corroborating evidence.  Which is just what you did with regard to the opinion of some group about the security of FreeBSD (or perhaps BSD's in general).   It's not much of an approach but I can see how it might fool the locals.

Whereas what I did was just recognize that language is fluid and, your prescriptivism aside, allow for your particular definition to stand for the discussion I am having with you.   Back at the office your postings are a subject of much derision by the (few) other mathematicians we employ.  Just sayin...

Quote from: iCEMAKER
That's why I showed you the differences with the copypasta illustrating and demonstrating their existence at length, and in excruciating detail.

In the words of BB's icon...."You keep using those words.  I do not think it means what you think it means."  I think it's kind of obvious that you didn't understand much of what you read.  Since the only thing that was strongly contrasted in your article between these two hypothesized opposites is something you didn't mention and everything else was not directly covered.

"excruciating detail" - I guess, to someone who doesn't understand what they read. - absolutely precious.  If I could keep you like a pet I would.

So now for the second time I accept how you are using the term...any chance you will actually contribute something?  Probably not.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on July 05, 2011, 01:00:35 AM
I will take that as a compliment.  What masks we choose to wear is sometimes as informative as just going around wearing our own faces.


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on July 05, 2011, 01:17:48 AM
Specifically, I went to school to understand theory.  It was pure, uncontaminated by "random" errors in measurement, precise to a degree that only real mathematicians can see.  Along the way, I noticed that it was disconnected from the world, it existed in pure minds as a silver blade that was perfect for fighting ghosts, should you find yourself plagued by ghosts.  Perfect for dismantling the arguments of those dimmer folk that crawl along the walls of the ivory tower, and perfect for claiming intellectual victory over those less informed.  Those with less clarity of mind.

It was also false.  Mental masturbation on a higher level.  A symptom of having the tools of math and engineering in your belt more than a sign of them.  Engineers do not quote theory, they make engines.  So I say again to the community.  Buy stuff sold for bitcoins.  Make stuff you can sell for bitcoins.  Do not trust either the theorists or the engineers in this game.  If you happen to be one of those, be attentive to the limitations of your skill-set as well as to the advantages.


Title: Re: About Mt. Gox flaw from a security expert
Post by: Jaime Frontero on July 05, 2011, 08:31:46 AM
well gentlemen, that was one hell of a conversation.

thank you all kindly.  as a lowly network designer, i learned a lot.  didn't cost anything, either.

whattaya youse guys think of Qubes, and their 'security by isolation' approach?

i've got no dog in the fight - but i'd really like to know what your opinions are.


Title: Re: About Mt. Gox flaw from a security expert
Post by: kokjo on July 05, 2011, 08:48:17 AM
Quote from: Jaime Frontero
well gentlemen, that was one hell of a conversation.

thank you all kindly.  as a lowly network designer, i learned a lot.  didn't cost anything, either.

whattaya youse guys think of Qubes, and their 'security by isolation' approach?

i've got no dog in the fight - but i'd really like to know what your opinions are.
it will work, as long as:
a) the hypervisor is not compromised
b) the machines do not interact with each other, or share the same passwords.


Title: Re: About Mt. Gox flaw from a security expert
Post by: jgraham on July 05, 2011, 03:05:21 PM
Quote from: Jaime Frontero
well gentlemen, that was one hell of a conversation.

thank you all kindly.  as a lowly network designer, i learned a lot.  didn't cost anything, either.

whattaya youse guys think of Qubes, and their 'security by isolation' approach?

i've got no dog in the fight - but i'd really like to know what your opinions are.

My $0.02.  

I only just read over this and someone correct me if I'm wrong but this appears to be using Xen to isolate (groups of) applications in their own VM on a single host.

My short answer:


This is at best a one trick pony and it's possibly the wrong approach.

Why (or my long answer):

I'm going to talk about some  "classes" of defense here (and these are terms I just made up so feel free to take some shots at them):

i) A defense which foils an attack (or some significant percentage of attacks) forcing attackers to use a completely different approach (ASLR - I'm sure everyone's sick of me mentioning this)
ii) A defense which introduces a measurable and significant increase in difficulty to exploiting an existing flaw. (Password complexity rules, firewalls)
iii) A defense that removes one attack vector with known problems and replaces it with another which is less known. (Switching from IIS to Apache in an IIS shop)

I submit that i) is intrinsically superior to ii) and both are superior to iii)

VM isolation is at best a "Type II" defense, as it introduces the problem of detecting and compromising the hypervisor before compromising the machine, and at worst it could be considered a Type III defense.  My assumption here is that a successful attack on the hypervisor means complete ownership of the machine.  Ergo, we have reduced the problem for attackers from attacking application X, from a very large selection of applications, to attacking Hypervisor X, for which the list is much smaller.    The upside is that - hopefully - this also reduces the attack surface for the defenders.   This would normally be a good thing but it's only true if you assume the hypervisor is more secure than your other applications.

e.g. If I had a machine that had to run a webserver and Tomcat to provide a very simple web service to a very targeted application.  Removing that and replacing it with a few lines of well audited code could be considered reducing the attack surface of that machine.   However the hypervisor isn't a small piece of software and its attack surface isn't well known.

It might be safer if I couldn't already do half the job: Detect running in a VM.   For lots of people who haven't installed the vmware tools on their host a simple check of the time with an external source will tell you that you're running on a VM.   Depending on the guest OS I've read about at least fifty different markers for VM detection.

Also it's worth noting that the point of Qubes seems to be the antithesis of what I understand to be best practice with regard to VMs these days.  Some of us think that depending on VM isolation is a bad idea.  It violates the principle of DiD.  So, like in my shop we consider it a bad idea to mix VMs with differing security privileges on the same host.  In other words we don't run the payment gateway software on a VM on the same machine we are running the Drupal VM.  Yet this seems to be the whole point of Qubes.

This is a good presentation. http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

More info on the VMChat teaser at the end: http://www.foolmoon.net/cgi-bin/blog/index.cgi?category=Security%20News

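The post above says that a guest can usually tell it is running in a VM from a handful of markers. The following is an added example, not code from the thread, from Qubes or from the linked Liston/Skoudis slides: it checks three guest-visible artifacts on a Linux guest (the CPUID "hypervisor present" bit as exported in /proc/cpuinfo, the DMI/SMBIOS vendor strings under /sys/class/dmi/id, and the vendor OUI of each NIC's MAC address). The marker tables are this example's own assumption of commonly published vendor strings and OUIs, and the samples at the bottom are constructed, not captured from any real host, so the checks run offline.

```python
"""Marker-based VM detection for a Linux guest (added example, not from the thread)."""
import os
import re

# Assumed marker tables: published DMI vendor strings and NIC OUIs. Every one
# of these can be rewritten by the hypervisor, so a miss proves nothing.
DMI_PATTERNS = [
    (re.compile(r"vmware", re.I), "VMware"),
    (re.compile(r"virtualbox|innotek", re.I), "VirtualBox"),
    (re.compile(r"qemu|kvm", re.I), "QEMU/KVM"),
    (re.compile(r"\bxen\b|hvm domu", re.I), "Xen"),
    (re.compile(r"virtual machine", re.I), "Hyper-V"),
]
MAC_OUI = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen", "00:15:5d": "Hyper-V",
}
DMI_FILES = ("sys_vendor", "product_name", "board_vendor", "bios_vendor")


def cpuinfo_hypervisor_flag(cpuinfo_text: str) -> bool:
    """CPUID leaf 1, ECX bit 31 is reserved for 'hypervisor present';
    Linux exports it as the 'hypervisor' flag in /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "hypervisor" in line.split(":", 1)[1].split()
    return False


def dmi_hits(dmi_fields: dict) -> list:
    """dmi_fields maps a /sys/class/dmi/id file name to its content."""
    hits = []
    for name, value in dmi_fields.items():
        for pattern, vendor in DMI_PATTERNS:
            if pattern.search(value):
                hits.append((name, value.strip(), vendor))
    return hits


def mac_hits(macs: list) -> list:
    """Match the first three octets of each MAC against the OUI table."""
    return [(m, MAC_OUI[m.lower()[:8]]) for m in macs if m.lower()[:8] in MAC_OUI]


def detect_vm(cpuinfo: str, dmi: dict, macs: list) -> list:
    """Return a list of (source, detail) markers; an empty list means no marker hit."""
    markers = []
    if cpuinfo_hypervisor_flag(cpuinfo):
        markers.append(("cpuid", "'hypervisor' flag present in /proc/cpuinfo"))
    for name, value, vendor in dmi_hits(dmi):
        markers.append(("dmi/" + name, f"{value!r} looks like {vendor}"))
    for mac, vendor in mac_hits(macs):
        markers.append(("mac", f"{mac} has a {vendor} OUI"))
    return markers


def collect_live() -> dict:
    """Gather the same three inputs from the running Linux system (best effort)."""
    cpuinfo = open("/proc/cpuinfo").read() if os.path.exists("/proc/cpuinfo") else ""
    dmi = {}
    for name in DMI_FILES:
        try:
            dmi[name] = open(f"/sys/class/dmi/id/{name}").read()
        except OSError:  # missing on non-x86, or root-only
            pass
    macs = []
    if os.path.isdir("/sys/class/net"):
        for iface in os.listdir("/sys/class/net"):
            try:
                macs.append(open(f"/sys/class/net/{iface}/address").read().strip())
            except OSError:
                pass
    return {"cpuinfo": cpuinfo, "dmi": dmi, "macs": macs}


# Constructed samples (not captured from any real host).
SAMPLE_VM = {
    "cpuinfo": "processor\t: 0\nvendor_id\t: GenuineIntel\n"
               "flags\t\t: fpu vme de pse tsc msr pae sse sse2 ht syscall nx lm "
               "constant_tsc pni ssse3 sse4_2 x2apic aes avx rdrand hypervisor lahf_lm\n",
    "dmi": {"sys_vendor": "VMware, Inc.\n",
            "product_name": "VMware Virtual Platform\n",
            "bios_vendor": "Phoenix Technologies LTD\n"},
    "macs": ["00:0c:29:3a:1f:9b", "02:42:ac:11:00:02"],
}
SAMPLE_METAL = {
    "cpuinfo": "processor\t: 0\nvendor_id\t: GenuineIntel\n"
               "flags\t\t: fpu vme de pse tsc msr pae sse sse2 ht tm pbe syscall nx lm "
               "constant_tsc pni ssse3 sse4_2 x2apic aes avx rdrand lahf_lm\n",
    "dmi": {"sys_vendor": "Dell Inc.\n",
            "product_name": "Latitude 7420\n",
            "bios_vendor": "Dell Inc.\n"},
    "macs": ["a4:bb:6d:12:34:56", "02:42:ac:11:00:02"],
}

if __name__ == "__main__":
    for label, sample in (("sample VM", SAMPLE_VM), ("sample metal", SAMPLE_METAL),
                          ("this host", collect_live())):
        found = detect_vm(**sample)
        print(f"{label}: {'VM' if found else 'no VM markers'}")
        for source, detail in found:
            print(f"  [{source}] {detail}")
```

Run it as root on a guest and it lists which artifacts gave the game away; run it on bare metal and it should print nothing. The caveat matters in both directions: a hypervisor that hides the CPUID bit and reports generic DMI strings and locally administered MACs will pass this check clean, which is why the timing-based checks in the linked slides exist as a second opinion, and any one marker alone (a custom MAC, a "Virtual Machine" product name on a template image) can be a false positive.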


Title: Re: About Mt. Gox flaw from a security expert
Post by: Jaime Frontero on July 05, 2011, 04:55:31 PM
Quote from: jgraham
well gentlemen, that was one hell of a conversation.

thank you all kindly.  as a lowly network designer, i learned a lot.  didn't cost anything, either.

whattaya youse guys think of Qubes, and their 'security by isolation' approach?

i've got no dog in the fight - but i'd really like to know what your opinions are.

My $0.02.  

I only just read over this and someone correct me if I'm wrong but this appears to be using Xen to isolate (groups of) applications in their own VM on a single host.

My short answer:


This is at best a one trick pony and it's possibly the wrong approach.

Why (or my long answer):

I'm going to talk about some  "classes" of defense here (and these are terms I just made up so feel free to take some shots at them):

i) A defense which foils an attack (or some significant percentage of attacks) forcing attackers to use a completely different approach (ASLR - I'm sure everyone's sick of me mentioning this)
ii) A defense which introduces a measurable and significant increase in difficulty to exploiting an existing flaw. (Password complexity rules, firewalls)
iii) A defense that removes one attack vector with known problems and replaces it with another which is less known. (Switching from IIS to Apache in an IIS shop)

I submit that i) is intrinsically superior to ii) and both are superior to iii)

VM isolation is at best a "Type II" defense, as it introduces the problem of detecting and compromising the hypervisor before compromising the machine, and at worst it could be considered a Type III defense.  My assumption here is that a successful attack on the hypervisor means complete ownership of the machine.  Ergo, we have reduced the problem for attackers from attacking application X, from a very large selection of applications, to attacking Hypervisor X, for which the list is much smaller.    The upside is that - hopefully - this also reduces the attack surface for the defenders.   This would normally be a good thing but it's only true if you assume the hypervisor is more secure than your other applications.

e.g. If I had a machine that had to run a webserver and Tomcat to provide a very simple web service to a very targeted application.  Removing that and replacing it with a few lines of well audited code could be considered reducing the attack surface of that machine.   However the hypervisor isn't a small piece of software and its attack surface isn't well known.

It might be safer if I couldn't already do half the job: Detect running in a VM.   For lots of people who haven't installed the vmware tools on their host a simple check of the time with an external source will tell you that you're running on a VM.   Depending on the guest OS I've read about at least fifty different markers for VM detection.

Also it's worth noting that the point of Qubes seems to be the antithesis of what I understand to be best practice with regard to VMs these days.  Some of us think that depending on VM isolation is a bad idea.  It violates the principle of DiD.  So, like in my shop we consider it a bad idea to mix VMs with differing security privileges on the same host.  In other words we don't run the payment gateway software on a VM on the same machine we are running the Drupal VM.  Yet this seems to be the whole point of Qubes.

This is a good presentation. http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

More info on the VMChat teaser at the end: http://www.foolmoon.net/cgi-bin/blog/index.cgi?category=Security%20News



thanks for that.

i do like the bare-metal approach, but yes - "My assumption here is that a successful attack on the hypervisor means complete ownership of the machine."

i also like that networking runs in an untrusted security ring.

i've got a play machine ready to install, and i guess i'll have to see how it goes with the newly released beta.  the isolation rule sets appear to be key.  oughtta be fun, anyway...


Title: Re: About Mt. Gox flaw from a security expert
Post by: BBanzai on July 11, 2011, 05:18:36 AM
I'm sure this conversation should be allowed to die an ugly and painful death...but I've been away from the thread for several days and just realised that I (and others) have been accused of dismissing MuadDib's arguments out of hand.  As you might have noticed, I agree that OpenBSD has an excellent reputation and has had one for many years.  A similar argument about reputation was why I brought up VMS to begin with.  But that is not the point.  Real security lies in the administrator, not in the operating system.  It's a worldview issue more than a coding issue.  Out of the box features are great specifically because out of the box admins are morons.  By and large.