Bitcoin Forum
Author Topic: About Mt. Gox flaw from a security expert  (Read 33812 times)
muad_dib (Member, Activity: 112)
June 20, 2011, 06:44:50 AM  #1

Dear Bitcoiners,

I'm sorry to hear that some people have had their account stolen, but I was expecting it.

The problem with Mt. Gox is that it grew too fast, without the correct investment in customer safety. The design of the site was not thought out for security, and it is evident even from the API. Basic cornerstones like input validation or safe data exchange are omitted, as if it were a blog and not a sensitive web application. Luckily Mt. Gox makes enough money to pay admins to control the money flow.


The bigger problem, anyhow, is that other exchanges have blatantly copied the design of Mt. Gox, along with its flaws, and with a smaller budget. Thus I expect more security breaches. And this is a big problem for the credibility of bitcoins. Thus I invite exchange owners to:


1) Use the right software. IIS is a big no-no Smiley Also Linux should be frowned upon. Unix is the way to go.

2) Update the software. You can't leave a known root escalation bug for 6 days!!!!

3) Have your code reviewed by a third party.

4) PHP security isn't too difficult, http://phpsec.org/projects/guide/ , still you missed most of the BASIC guidelines.

5) For God's sake, you're moving hundreds of thousands of dollars. Use a fucking dedicated server for the database. Accessible only by a local IP. If you wonder why I know this, then you should fire your admin.

If you own an exchange and would like to be safer, for a small fee (in the 5 figures) PM me, and I will tell you if your site is flawed, and if it is I can show you how I can have root access on the webserver at least.
Bit_Happy (Legendary, Activity: 1638)
June 20, 2011, 06:47:17 AM  #2

Yes, security is important.
FYI: Their site was not even hacked.

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

muad_dib (Member, Activity: 112)
June 20, 2011, 06:48:16 AM  #3

P.s.: If, as I suspect, there has been an injection and possibly a root escalation on Mt. Gox, expect to see this problem happening soon.

To be safe, Mt. Gox needs a complete rewrite of their code, plus the use of a stronger infrastructure. But they won't do this, because it would cost them millions to keep the server offline for 1 month.
muad_dib (Member, Activity: 112)
June 20, 2011, 06:49:21 AM  #4

Quote
Yes, security is important.
FYI: Their site was not even hacked.

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

for a small fee, and the promise of not being persecuted, I can send your apache config file.
Oldminer (Legendary, Activity: 1022)
June 20, 2011, 06:50:43 AM  #5


Quote
It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised.

What - the auditor lost his laptop you mean?  Grin

If you like my post please feel free to give me some positive rep https://bitcointalk.org/index.php?action=trust;u=18639
Tip me BTC: 1FBmoYijXVizfYk25CpiN8Eds9J6YiRDaX
Bit_Happy (Legendary, Activity: 1638)
June 20, 2011, 06:51:26 AM  #6

Quote
Yes, security is important.
FYI: Their site was not even hacked.

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

for a small fee, and the promise of not being persecuted, I can send your apache config file.

No thanks, I can find it myself.   Cheesy

muad_dib (Member, Activity: 112)
June 20, 2011, 06:53:43 AM  #7



Quote
No thanks, I can find it myself.   Cheesy

(K)

Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against the top level security like the intelligence or the PRC army.
pancakes (Newbie, Activity: 29)
June 20, 2011, 07:26:03 AM  #8

Quote
If you own an exchange and would like to be safer, for a small fee (in the 5 figures)...

Quote
for a small fee, and the promise of not being persecuted...

The problem with this community is it's full of people trying to make money.
done (Jr. Member, Activity: 56)
June 20, 2011, 07:51:20 AM  #9



Quote
No thanks, I can find it myself.   Cheesy

(K)

Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against the top level security like the intelligence or the PRC army.


Listen to this man. He has hit this right on the nose. It should also tip you on to the perceived potential value of bitcoins.
muad_dib (Member, Activity: 112)
June 20, 2011, 08:15:40 AM  #10



Quote
The problem with this community is it's full of people trying to make money.


trust me: if I were in the bitcoin business for the money, I would have stolen the bitcoin from the mtgox accounts I violated.


With the current design of most of the Bitcoin exchanges, passwords can be spoofed any time you connect via a wireless network.


Bitcoin exchanges need to take further steps to secure their customers, and need not copy other people's designs, as it could propagate flaws in the market.
ShadowOfHarbringer (Legendary, Activity: 1470)
June 20, 2011, 09:09:44 AM  #11

@muad_dib

At first your post seemed wise, but

Quote
1) Use the right software. IIS is a big no-no Smiley Also Linux should frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.

Bit_Happy (Legendary, Activity: 1638)
June 20, 2011, 09:17:16 AM  #12

Quote
(K)

Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against the top level security like the intelligence or the PRC army.

I am the most eminent member of the bitcoin community?
Ummm... I will humbly step down from my position now.   Cheesy

My first reply to you was:
Yes, security is important. & then I quoted and linked to a message on the MtGox site. I am not the owner of the exchange, but welcome to the forum muad_dib.

muad_dib (Member, Activity: 112)
June 20, 2011, 09:21:04 AM  #13

Quote
@muad_dib

At first your post seemed wise, but

1) Use the right software. IIS is a big no-no Smiley Also Linux should frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.

I will not start a flamewar here, I just want to ask you a quick question:

Here's a list of the most reliable hosting solutions.


The first 3 spots, are they Linux or Unix?
muad_dib (Member, Activity: 112)
June 20, 2011, 09:22:58 AM  #14


Quote
Ummm... I will humbly step down from my position now.   Cheesy

My first reply to you was:
Yes, security is important. & then I quoted and linked to a message on the MtGox site. I am not the owner of the exchange, but welcome to the forum muad_dib.

Sorry I thought you were the owner of the exchange Smiley

Grinder (Legendary, Activity: 1285)
June 20, 2011, 09:41:37 AM  #15

Quote
Here's a list of the most reliable hosting solutions.

The first 3 spots, are linux or unix?
As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.
muad_dib (Member, Activity: 112)
June 20, 2011, 10:00:17 AM  #16


Quote
As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though the FreeBSD update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose Unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for Linux, 3 for FreeBSD.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do a very rough estimation:

Google "Hacked by"+ linux: 2.3 million results

Google "Hacked by"+ Freebsd: 230,000 results (one fold less!!!)


Anyhow let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.
Grinder (Legendary, Activity: 1285)
June 20, 2011, 10:34:53 AM  #17

Quote
The table show us that if you want to be the most reliable, you need to choose unix.
http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.
muad_dib (Member, Activity: 112)
June 20, 2011, 10:37:34 AM  #18


Quote
http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does FreeBSD have fewer vulnerabilities, but they are also less serious (check exploit or data execution)
Horkabork (Full Member, Activity: 140)
June 20, 2011, 11:03:02 AM  #19


Quote
As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability in strongly connected to Security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though freebsd update process is more obscure).

The table show us that if you want to be the most reliable, you need to choose unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even thought being freebsd smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 millions results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)


Anyhow let's put this way: My opinion is that FreeBSD is the most secure,  reliable and scalable OS. You think that Linux is more secure than FreeBSD.


I totally agree with you on this metric. Obviously, it follows with what I, a bona-fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy.

Google agrees with me, as "Hacked by"+"virtual boy" has a mere 61,300 results.

Prove me wrong. I dare you, because I just bought a pair of x-pert system II zookas and a nintendo power glove. It's hooked to my keytar, with a wii wammy bar and a silicon 3d aggregator nanostruts mashup through UG ajax immersion portals.

Obviously, this is all coded in COBOL. It's the safest language.

Me: 15gbWvpLPfbLJZBsL2u5gkBdL3BUXDbTuF
A goat: http://i52.tinypic.com/34pj4v6.jpg
muad_dib (Member, Activity: 112)
June 20, 2011, 11:06:18 AM  #20



Quote
even though being freebsd smaller, this is a biased comparison.



Quote
I totally agree with you on this metric. Obviously, it follows with what I, a bona-fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy.


[more flamewar]


Maybe you should read my posts more carefully.
Grinder (Legendary, Activity: 1285)
June 20, 2011, 11:37:08 AM  #21

Quote
I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.
So your cherry picking of data points is objective, but pointing out the obvious fact that you're cherry picking is subjective?

Also, I have never said anywhere that Linux is more secure than *BSD.
muad_dib (Member, Activity: 112)
June 20, 2011, 11:42:14 AM  #22


Quote
So your cherry picking of data points is objective, but pointing out the obvious fact that you're cherry picking is subjective?

Also, I have never said anywhere that Linux is more secure than *BSD.


I'm not sure what we are discussing.


Quoting a reliability chart is cherry picking?

Quoting a vulnerability chart is cherry picking?

Maybe my sources were biased?

Are you suggesting that there is no significant statistical difference between Linux/FreeBSD reliability/security?


My opinion is that this is just free polemic. Maybe I'm wrong.
Grinder (Legendary, Activity: 1285)
June 20, 2011, 12:16:29 PM  #23

Quote
Maybe my sources were biased?
Except for the sales piece made by a FreeBSD fan they probably weren't, but the way you use them is.
muad_dib (Member, Activity: 112)
June 20, 2011, 12:42:02 PM  #24

Quote
Maybe my sources were biased?
Except for the sales piece made by a FreeBSD fan they probably weren't, but the way you use them is.

Ok. Let's rephrase my previous sentence:

Given that a serious security flaw is a flaw that permits privilege escalation, or leakage of the database.

Given the parameter Psi = [ ( # of serious security flaws - 1 ) / ( # of running systems )^2 ] remapped to [0, 1]

Do you agree that, with a confidence level of 0.99, the correlation between the parameter Psi and Linux is stronger than with FreeBSD?


Sukrim (Legendary, Activity: 2184)
June 20, 2011, 01:29:25 PM  #25

Quote
Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

As "serious" is not defined and subjective and the number of running systems is not known/hard to estimate (Linux gets used in embedded environments too, where it will never show up in "server statistics") I can only say with 0.99 confidence level, that you are far off topic by now. Roll Eyes

muad_dib (Member, Activity: 112)
June 20, 2011, 01:52:42 PM  #26


Quote
As "serious" is not defined and subjective

check better Smiley

Quote

and the number of running systems is not known/hard to estimate (Linux gets used in embedded environments too, where it will never show up in "server statistics")

Also BSD is implemented in EE. Anyhow since we're speaking of webservers, we have good estimators for this quantity.


Quote
I can only say with 0.99 confidence level, that you are far off topic by now. Roll Eyes


Lol (L)
Rob P. (Member, Activity: 84)
June 20, 2011, 02:04:16 PM  #27

Quote
P.s.: If, as I suspect, that there has been an injection and possibly a root escalation on mt. gox, expect to see this problem happening soon.

To be safe, Mt. gox need a complete rewrite of their code, plus the use of a stronger infrastructure. But they wont do this, because it would cost them Millions to keep the server offline for 1 month.

Rewrite of their code?  They weren't hacked with a SQL Injection.  Someone who had access from their laptop had their laptop compromised.  They need better security measures, but they aren't from the site standpoint.

--

If you like what I've written here, consider tipping the messenger:
1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG

If you don't like what I've written, send me a Tip and I'll stop talking.
FooDSt4mP (Full Member, Activity: 182)
June 20, 2011, 02:05:07 PM  #28

I'm with you muad_dib... All my opinions are totally objective too Wink

Also, in my objective opinion more discovered vulnerabilities != less secure.  More eyes find more bugs.  I know you're talking FreeBSD, but look at OpenBSD.  It had a backdoor for years exactly because fewer people audit the code.

As we slide down the banister of life, this is just another splinter in our ass.
kokjo (Legendary, Activity: 1050)
June 20, 2011, 02:24:42 PM  #29


Quote
http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only freebsd has less vulnerabilities, but they are also less serious (check exploit or data execution)
FreeBSD is also less used Tongue so there might be more bugs and exploits to discover.
I actually like that there have been more holes in Linux, because it means that they are fixed.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
ShadowOfHarbringer (Legendary, Activity: 1470)
June 20, 2011, 02:53:07 PM  #30


Quote
http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only freebsd has less vulnerabilities, but they are also less serious (check exploit or data execution)
freebsd is also less used Tongue so there might be more bugs and exploits to discover.
i acatualy like that there has been more holes in linux, because it means that they are fixed.

+1

Everything that i wanted to say was already said here.

muad_dib, you have no idea what you are talking about. There isn't any 100% proof that BSD is either more secure or more reliable than Linux.


muad_dib (Member, Activity: 112)
June 20, 2011, 02:55:20 PM  #31



Quote
Rewrite of their code?  They weren't hacked with a SQL Injection.  Someone who had access from their laptop had their laptop compromised.  They need better security measures, but they aren't from the site standpoint.

That's what they say.


Anyhow, also taking this as true, I think it has been evident that Bitcoin has greatly outgrown the original expectations, and thus we need a stronger security policy.



One example: Do you think that by compromising the laptop of any or all of the admins of the Visa network, you could access any valuable information?
muad_dib (Member, Activity: 112)
June 20, 2011, 02:57:00 PM  #32


Quote
freebsd is also less used Tongue so there might be more bugs and exploits to discover.
i acatualy like that there has been more holes in linux, because it means that they are fixed.

so windows has top-notch security?

Smiley
JJG (Member, Activity: 70)
June 20, 2011, 03:25:44 PM  #33

Quote
If you own an exchange and would like to be safer, for a small fee (in the 5 figures)...

for a small fee, and the promise of not being persecuted...

The problem with this community is it's full of people trying to make money.

And the problem with most 'security experts' is that they think they walk on water.  Wink

Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?
kokjo (Legendary, Activity: 1050)
June 20, 2011, 03:31:04 PM  #34


Quote
freebsd is also less used Tongue so there might be more bugs and exploits to discover.
i acatualy like that there has been more holes in linux, because it means that they are fixed.

so windows has top-notch security?

Smiley
LOL
No. they are afraid if they open source the code, they will have 100 exploits/day.
Windows is not opensource.
you can compare linux and *bsd, and you can compare windows and mac. but not linux with windows.

Windows also uses a lot of security through obscurity, which means it sucks.
(sorry all you Windows fanbois, it's not to start a flamewar)

Capitan (Member, Activity: 112)
June 20, 2011, 03:45:26 PM  #35

Quote
@muad_dib

At first you post seemed wise, but

1) Use the right software. IIS is a big no-no Smiley Also Linux should frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.

I will not start a flamewar here, I just want to make you a quick question:

Here's a list of the most reliable hosting solutions.


The first 3 spots, are linux or unix?

That list proves nothing about the security of any OS over any other OS. There is no mention of how big of a factor the OS/platform's security plays into the ranking. From what I read on that page, a lot of other things can play into the ranking, including the level of managed service (e.g., the competence and response time of the sysadmins of those hosting services), the network quality, speed of their servers, etc.

So that link proves nothing about Linux being better than Windows, or Unix being more secure than Linux.
muad_dib (Member, Activity: 112)
June 20, 2011, 03:55:01 PM  #36



Quote
Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?

Really, I'm in it for the money? I could make much more by moving the bitcoins in the accounts I spoofed.
muad_dib (Member, Activity: 112)
June 20, 2011, 04:01:42 PM  #37


Quote
LOL
No. they are afraid if they open source the code, they will have 100 exploits/day.
Windows is not opensource.
you can compare linux and *bsd, and you can compare windows and mac. but not linux with windows.

windows also uses a lot of security though obscurity, which means it sucks.
(sorry all you windows fanbois, its not to start a flamewar)


so you can compare open source code and say that more bugs are better, while you can't compare open source and closed source?

I'm not sure I follow you.
JJG (Member, Activity: 70)
June 20, 2011, 04:03:35 PM  #38



Quote
Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?

Really I'm in for the money? I could make much more by moving the bitcoins in the accounts I spoofed.

Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!
muad_dib (Member, Activity: 112)
June 20, 2011, 04:06:05 PM  #39



Quote
Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!

1) Maybe I don't want to help other exchanges for free?

2) Maybe I like the bitcoin project, so maybe I would like to see as little bitcoin frauds as possible?


Tell me. If you were able to steal all the bitcoins from mtgox, what would you do? (I'm not saying I can)
finack (Jr. Member, Activity: 56)
June 20, 2011, 04:06:48 PM  #40

You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

Don't get me wrong, we're all very impressed you can lift cookies over wifi.
muad_dib (Member, Activity: 112)
June 20, 2011, 04:11:43 PM  #41

Quote
You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

I totally respect your opinion.


Quote
Don't get me wrong, we're all very impressed you can lift cookies over wifi.

What I'm impressed about is that such a simple flaw isn't prevented by a system that moves millions of dollars. That's such a noobish mistake. Moreover, they blame users for a flaw of their system.


Even worse, while I'm sure Mt. Gox can pay an admin handsomely to prevent too much of this abuse, other exchanges without the same liquidity copied Mt. Gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Don't you all see the negative implications of this?


Am I the only one concerned?
kokjo (Legendary, Activity: 1050)
June 20, 2011, 04:17:22 PM  #42


Quote
LOL
No. they are afraid if they open source the code, they will have 100 exploits/day.
Windows is not opensource.
you can compare linux and *bsd, and you can compare windows and mac. but not linux with windows.

windows also uses a lot of security though obscurity, which means it sucks.
(sorry all you windows fanbois, its not to start a flamewar)


so you can compare open source code and say that more bugs are better, while you cant compare open source and closed source?

I'm not sure I follow you.
yes:

more fixed bugs are better than more unfound bugs.

and you can't trust closed source code: Microsoft could have put a backdoor in Windows, so that the NSA could gain easy access to any Windows system. (I like conspiracy theories  Smiley )


tehcodez (Jr. Member, Activity: 42)
June 20, 2011, 04:21:21 PM  #43

Quote
You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

I totally respect your opinion.


Quote
Don't get me wrong, we're all very impressed you can lift cookies over wifi.

What I'm impressed about, is that such as simple flaw isn't prevented by a system who moves millions of dollars. That's such a noobish mistake. Moreover that they blame users for a flaw of their system.


Even worse, while I'm sure Mt. gox can pay handsomely an admin to prevent too much of this abuse, other exchanges without the same liquidity copied mt. gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Dont you all see the negative implications of this?


Am I the only concerned?

We all the only concerned.

Take that faux-expertise to someone who needs half-empty glass a.
nelisky (Legendary, Activity: 1554)
June 20, 2011, 04:23:27 PM  #44


Quote
Am I the only one concerned?

Not at all, look at all the threads!

You are, however, from my own subjective analysis, the only one saying that a five digit small fee should be paid to you for saying you have spoofed mtgox accounts by eavesdropping wifi connections and not taking monetary advantage of it. So as far as I can see that's:
- you sniffed open or badly closed wifi connections, which is eavesdropping and forbidden in most places
- you used that information to explore issues in a bitcoin exchange, which is illegal any way you cut it
- you provide no proof of doing any of the above, but you certainly use good bragging buzzwords
- you failed to provide information to the site owner to prevent the current situation (heck, you might be the one behind all this, for all you said you were capable of doing)
- now you require hard money for your expert services, which amount to saying that something is hackable after it has been hacked

Kudos to you for making all this with a straight face... or did you? :p
muad_dib (Member, Activity: 112)
June 20, 2011, 04:23:37 PM  #45



Quote
We all the only concerned.

Take that faux-expertise to someone who needs half-empty glass a.

You are not forced to post in my thread :)
JJG
Member, Activity: 70
June 20, 2011, 04:24:53 PM
#46



Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!

1) Maybe I don't want to help other exchanges for free?

2) Maybe I like the bitcoin project, so maybe I would like to see as few bitcoin frauds as possible?


Tell me. If you were able to steal all the bitcoin from mtgox, what would you do? (I'm not saying I can)

1) So then you are in it for the money?


What does your question have to do with anything? If I found a serious security vulnerability, I would forward the information on to the appropriate parties so they can fix the holes ASAP. And I wouldn't even demand a small fee (5 figures) because maybe I like the bitcoin project, so maybe I would like to see as few bitcoin frauds as possible. ;)
finack
Jr. Member, Activity: 56
June 20, 2011, 04:27:46 PM
#47

What I'm impressed about is that such a simple flaw isn't prevented by a system that moves millions of dollars. That's such a noobish mistake. Moreover, they blame users for a flaw of their system.

Even worse, while I'm sure Mt. Gox can pay an admin handsomely to prevent too much of this abuse, other exchanges without the same liquidity copied Mt. Gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Don't you all see the negative implications of this?

Am I the only one concerned?

You're right that session cookies over http are a noobish mistake for a financial site. I'm guessing that you didn't watch the one TV show last night that had both people from Tradehill and Adam and Mark from Mt. Gox on. I'm not trying to be mean here, but it's clear to me that they're all at least somewhat, if not way, out of their depth. Tradehill came across somewhat better than Mt. Gox, but they all felt very unprepared and taken by surprise by the situation. Reacting, not acting, etc.

Bottom line is that just a few months ago these exchanges were nothing more than hobby systems at best. They started getting real transaction flows quickly, but competency generally lags behind such moves. Consider that Tradehill apparently has 3 people working full time, which as far as I can tell makes them the best staffed in the business. That's smaller than even one of the many small security teams at any traditional equity or FX broker, and that's not even considering the mountains of people exchanges throw at the problem.

Bottom line is that I'd expect these issues to continue for some time. Simply hiring one security minded admin won't make a ton of difference unless you happen to find someone very abnormally good at their job.

As an aside, when I look at Tradehill it's entirely https - is that just because I have a force-https and auto-HSTS extension? They certainly seem to support all traffic over TLS at least, even if they don't force it themselves. I thought I recalled Mt. Gox doing the same but I can't check with the site down. In the big picture, only having TLS be optional probably isn't the biggest deal, at least as compared with CSRF issues and live database access on poorly secured PCs.
muad_dib
Member, Activity: 112
June 20, 2011, 04:31:29 PM
#48


Not at all, look at all the threads!

You are, however, from my own subjective analysis, the only one saying that a five-digit "small fee" should be paid to you for saying you have spoofed mtgox accounts by eavesdropping on wifi connections and not taking monetary advantage of it. So as far as I can see that's:

A five-digit sum is a very small fee for someone making 100.000$+ a day.

Quote
- you sniffed open or badly closed wifi connections, which is eavesdropping and forbidden in most places

- you used that information to explore issues in a bitcoin exchange, which is illegal any way you cut it


Still, this won't stop thieves from using this technique. One question: when you go out, do you close your door, or do you leave it open because "entering other people's houses is a crime"?



Quote
- you provide no proof of doing any of the above, but you certainly use good bragging buzzwords

Which proof do you need? The wifi spoofing attack is such a simple one that it needs no proof... you can set one up in less than 60 minutes!

Quote
- you failed to provide information to the site owner to prevent the current situation (heck, you might be the one behind all this, for all you said you were capable of doing)

Why the hell should I help the competition for free?!?!??! I post a public warning so that THEY can take the steps needed. It's not my task to debug their code, sorry.

Quote
- now you require hard money for your expert services, which amounts to saying that something is hackable after it has been hacked

I can provide new ways to hack it :)
cunicula
Hero Member, Activity: 784, "Stack-overflow Guru"
June 20, 2011, 04:34:14 PM
#49

Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.

muad_dib
Member, Activity: 112
June 20, 2011, 04:41:46 PM
#50



1) So then you are in it for the money?


Let's rephrase my previous sentence: As a human being, I'm programmed to try to make some profit, so that my offspring will have a better chance in the real world.


Anyhow, given the chance to sell out the bitcoin community for personal gain, I would say no.


Quote
What does your question have to do with anything?

I was trying to prove to you that stealing a large bitcoin sum is the best way to make the price crash, thus making the theft stupid.

Quote
If I found a serious security vulnerability, I would forward the information on to the appropriate parties so they can fix the holes ASAP.

I think that, given how understaffed exchanges are, maybe the email would have been read by the same person who is responsible for the development/management, and thus it would have been overlooked.

I think also that by posting it here, not only am I advising users, but I'm also putting pressure on ALL the exchanges to fix this ASAP.

Quote
And I wouldn't even demand a small fee (5 figures) because maybe I like the bitcoin project, so maybe I would like to see as few bitcoin frauds as possible. ;)

Do you think that I ever thought for a single instant, that I would have been paid?

Do you think that if that was my real intention, I would have posted my request in public?
muad_dib
Member, Activity: 112
June 20, 2011, 04:42:56 PM
#51



You're right that session cookies over http are a noobish mistake for a financial site. I'm guessing that you didn't watch the one TV show last night that had both people from Tradehill and Adam and Mark from Mt. Gox on. I'm not trying to be mean here, but it's clear to me that they're all at least somewhat, if not way, out of their depth. Tradehill came across somewhat better than Mt. Gox, but they all felt very unprepared and taken by surprise by the situation. Reacting, not acting, etc.

Bottom line is that just a few months ago these exchanges were nothing more than hobby systems at best. They started getting real transaction flows quickly, but competency generally lags behind such moves. Consider that Tradehill apparently has 3 people working full time, which as far as I can tell makes them the best staffed in the business. That's smaller than even one of the many small security teams at any traditional equity or FX broker, and that's not even considering the mountains of people exchanges throw at the problem.

Bottom line is that I'd expect these issues to continue for some time. Simply hiring one security minded admin won't make a ton of difference unless you happen to find someone very abnormally good at their job.

As an aside, when I look at Tradehill it's entirely https - is that just because I have a force-https and auto-HSTS extension? They certainly seem to support all traffic over TLS at least, even if they don't force it themselves. I thought I recalled Mt. Gox doing the same but I can't check with the site down. In the big picture, only having TLS be optional probably isn't the biggest deal, at least as compared with CSRF issues and live database access on poorly secured PCs.

Finally someone discussing this SERIOUS issue rather than trying to start a flamewar.
Sukrim
Legendary, Activity: 2184
June 20, 2011, 04:43:30 PM
#52

A five-digit sum is a very small fee for someone making 100.000$+ a day.
You just wasted more than a "five digit sum" by the time you spent posting and reading in this thread then, congratulations! ::)

You have 3 options:
[ ] Disclose fully (in public)
[ ] Disclose privately (only to the site in danger)
[ ] Keep your mouth shut and do nothing/exploit the issue yourself

You chose option 4:
[X] Spread FUD

Reasons for this can be that you either don't have anything substantial, you tried to get more money from a site than the owner wanted to pay and now you want to put up pressure while still being able to get some money, or you're just a troll with neither a security hole in the back hand nor the means to find one.

As you seem to easily divert the topic to things that are NOT relevant at all and won't lead much further to getting money from a site owner, I vote for "Troll".

kthxbye

https://bitfinex.com <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with this refcode: x5K9YtL3Zb
Mail me at Bitmessage: BM-BbiHiVv5qh858ULsyRDtpRrG9WjXN3xf
nelisky
Legendary, Activity: 1554
June 20, 2011, 04:46:35 PM
#53


A five-digit sum is a very small fee for someone making 100.000$+ a day.


drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?

Still, this won't stop thieves from using this technique. One question: when you go out, do you close your door, or do you leave it open because "entering other people's houses is a crime"?

The latter. I do lock my house, but not my car. And the reason I lock my house is that my miner machine is inside, and you can't really trust a community like Bitcoin that has people reasoning like you... someone might take my computer and then post on the forum saying "for a small 5 digit fee I'll teach you about the best locks for your door".

Quote
Which proof do you need? The wifi spoofing attack is such a simple one that it needs no proof... you can set one up in less than 60 minutes!

I need no proof at all. I believe you, I have no reason not to. Of course any random guy making over 300 million dollars yearly will sniff and spoof, and not steal to then arm wrestle a small fee... I wonder what kind of "security" you are expert on, though...

Quote
Why the hell should I help the competition for free?!?!??! I post a public warning so that THEY can take the steps needed. It's not my task to debug their code, sorry.

Oh... so you run an exchange, one that is totally secure. Now I'm getting really puzzled... which one was it again? Tell the good developers that potentially lost a bunch of bitcoins, something that could have been prevented if you would just help the competition for free. I promise no one will try to hurt you, and I'm sure no one will be capable of it anyway :p

Quote
I can provide new ways to hack it :)

Yep, no doubt. And once someone hacks it you'll provide information about how you already knew and could have prevented it, if only you would get paid the (relative) peanuts you require, but you only require them as a matter of principle, you REALLY don't need them.

Enough trolling, have fun with your buzzword magic. You might be a security expert (and failed to present any proof of it, but you aren't in the PR business anyway, so who cares) but I'm still not sure you are a human being.
muad_dib
Member, Activity: 112
June 20, 2011, 04:47:24 PM
#54


You just wasted more than a "five digit sum" by the time you spent posting and reading in this thread then, congratulations! ::)

You have 3 options:
[ ] Disclose fully (in public)
[ ] Disclose privately (only to the site in danger)
[ ] Keep your mouth shut and do nothing/exploit the issue yourself

You chose option 4:
[X] Spread FUD

Reasons for this can be that you either don't have anything substantial, you tried to get more money from a site than the owner wanted to pay and now you want to put up pressure while still being able to get some money, or you're just a troll with neither a security hole in the back hand nor the means to find one.

As you seem to easily divert the topic to things that are NOT relevant at all and won't lead much further to getting money from a site owner, I vote for "Troll".

kthxbye

I already posted the reasons why I said this in public. Please read my posts more carefully.


Anyhow, just for you, not for the other readers, I wrote a simple script to spoof Mt. Gox passwords. Here.
muad_dib
Member, Activity: 112
June 20, 2011, 04:50:15 PM
#55



drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?


The one making 100.000$+ is Mt. Gox, not me. I'm not this big by ANY means.


I read too much hate in your posts; this is not the only example where you read what you wanted to read in my posts.
muad_dib
Member, Activity: 112
June 20, 2011, 04:55:12 PM
#56



more fixed bugs are better than more unfound bugs.



Let's try to sum up:

FreeBSD has fewer bugs than Linux (one fold less).

FreeBSD bugs went up because there has been a MAJOR review of code, both from volunteers and paid developers. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

The production machines with the best uptime are FreeBSD based.


Still you think that Linux is safer than FreeBSD?
kokjo
Legendary, Activity: 1050, "You are WRONG!"
June 20, 2011, 04:55:30 PM
#57

Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.
please explain...

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
muad_dib
Member, Activity: 112
June 20, 2011, 04:56:02 PM
#58

I read so much hate in these forums. People please, chill out.
nelisky
Legendary, Activity: 1554
June 20, 2011, 04:56:54 PM
#59



drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?


The one making 100.000$+ is Mt. Gox, not me. I'm not this big by ANY means.


I read too much hate in your posts; this is not the only example where you read what you wanted to read in my posts.

re: 100k, aha, good. So that explains why asking 5 digit fees is small, because they (we all that use it) can pay? Ok, now you sound more like a real security expert, or a lawyer, or a politician...

re: hate. Come again? the example (not the only one, I understand) that I read what I wanted to read in your posts is that you read too much hate in my posts? huh?

But enough hatred, I know I have an attitude problem, as all that had to deal directly with me can attest to. Too much good, positive attitude and a complete lack of capability of making simple ironic remarks :) I'm a long time professional at what I do, and that is not trolling nor is it security. You are obviously better than me on both accounts, so if you can refrain from replying to my post here, I promise I'll behave and not make hatred-filled remarks on any other altruistic comment coming from you on this thread.
muad_dib
Member, Activity: 112
June 20, 2011, 04:59:17 PM
#60

Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.
please explain...

Were you asking me?

http://en.wikipedia.org/wiki/Statistical_hypothesis_testing

http://en.wikipedia.org/wiki/Statistic

http://en.wikipedia.org/wiki/Confidence_level

http://en.wikipedia.org/wiki/Statistically_significant
muad_dib
Member, Activity: 112
June 20, 2011, 05:02:05 PM
#61


re: 100k, aha, good. So that explains why asking 5 digit fees is small, because they (we all that use it) can pay? Ok, now you sound more like a real security expert, or a lawyer, or a politician...


So you think that poor people and rich people should be paid the same for things?


I might be an incurable socialist, but I see this as wrong.


I still see too much hate in your posts.
nelisky
Legendary, Activity: 1554
June 20, 2011, 05:07:46 PM
#62


re: 100k, aha, good. So that explains why asking 5 digit fees is small, because they (we all that use it) can pay? Ok, now you sound more like a real security expert, or a lawyer, or a politician...


So you think that poor people and rich people should be paid the same for things?


I might be an incurable socialist, but I see this as wrong.


I still see too much hate in your posts.

You see what you want to see, I read somewhere :)

I do think that people should be paid the same for the same task, regardless of them being poor or rich. I also think that your hatred made you state the wrong idea. You mean rich people should not PAY the same as poor people, right? Not GET PAID?

Regardless, yes, I think a thing is a thing and has a value regardless of who pays and who gets paid. It's how much you are willing to pay that makes the price, not how wealthy you are, in my personal opinion. But I'm sure you are correct, and that's why the world is as it is today.
muad_dib
Member, Activity: 112
June 20, 2011, 05:10:38 PM
#63



You see what you want to see, I read somewhere :)

I do think that people should be paid the same for the same task, regardless of them being poor or rich. I also think that your hatred made you state the wrong idea. You mean rich people should not PAY the same as poor people, right? Not GET PAID?

Regardless, yes, I think a thing is a thing and has a value regardless of who pays and who gets paid. It's how much you are willing to pay that makes the price, not how wealthy you are, in my personal opinion. But I'm sure you are correct, and that's why the world is as it is today.

You are American, right?

Next time you fill in your tax form, ask to pay the same amount as Donald Trump. Personal wealth doesn't matter, right? :)
iBTC
Jr. Member, Activity: 39
June 20, 2011, 05:12:31 PM
#64

Anyhow, let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.
Well, I think OpenBSD is more secure..

I won't mind if you sent me some BTC.
1UeuQxKG3dYgmT6FsbXrFJgdfFmwkczgM
muad_dib
Member, Activity: 112
June 20, 2011, 05:15:34 PM
#65

Anyhow, let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.
Well, I think OpenBSD is more secure..


Sorry, by saying FreeBSD I mean *BSD. It's just that I'm working on a big FreeBSD project and I have this name in my mind.


You are totally right by saying that OpenBSD is safer than FreeBSD.
kokjo
Legendary, Activity: 1050, "You are WRONG!"
June 20, 2011, 05:18:00 PM
#66

Quote
FreeBSD has fewer bugs than Linux (one fold less).
No, FreeBSD has fewer discovered bugs..

Quote
FreeBSD bugs went up because there has been a MAJOR review of code, both from volunteers and paid developers. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
And now you are talking about OpenBSD instead of FreeBSD.
Either you are stupid or you don't know what you are talking about.
OpenBSD is maybe the most paranoid OS in the world, yes, that's right.

Quote
The production machines with the best uptime are FreeBSD based.
And...? Uptime != security

Quote
Still you think that Linux is safer than FreeBSD?
I have never said that. You are the one waving the FreeBSD flag.

I say you are a troll.
kokjo
Legendary, Activity: 1050, "You are WRONG!"
June 20, 2011, 05:19:32 PM
#67

I read so much hate in these forums. People please, chill out.
Oh, I'm not hating, just using my mind. And it tells me that you are a stupid troll. (sorry)
Sukrim
Legendary, Activity: 2184
June 20, 2011, 05:19:42 PM
#68

What about DragonflyBSD? The Hurd? Or what about Haiku?!

Seriously! Stop feeding this troll, he won't share his "wisdom" anyways, neither here nor to anyone else who won't pay his little 5-digit sum.

Yes, Bitcoin exchanges were more or less overrun by users in the past few months - whoever didn't know this (there are charts, people!) does know now.

iBTC
Jr. Member, Activity: 39
June 20, 2011, 05:21:19 PM
#69

Anyhow, let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.
Well, I think OpenBSD is more secure..


Sorry, by saying FreeBSD I mean *BSD. It's just that I'm working on a big FreeBSD project and I have this name in my mind.


You are totally right by saying that OpenBSD is safer than FreeBSD.
It's hard to configure stuff on it, even for someone familiar with *nix, but still it's worth it.

What are you working on, btw? I am a bit curious ;D
muad_dib
Member, Activity: 112
June 20, 2011, 05:21:53 PM
#70

What about DragonflyBSD? The Hurd? Or what about Haiku?!

Seriously! Stop feeding this troll, he won't share his "wisdom" anyways, neither here nor to anyone else who won't pay his little 5-digit sum.

Yes, Bitcoin exchanges were more or less overrun by users in the past few months - whoever didn't know this (there are charts, people!) does know now.

The flaw is stated multiple times in this thread. Just read carefully.


Will you give me 5 BTC if I can link 5 posts from 5 different users in THIS thread that explain which is the flaw?



Read better, hate less.
kokjo
Legendary, Activity: 1050, "You are WRONG!"
June 20, 2011, 05:21:58 PM
#71

What about DragonflyBSD? The Hurd? Or what about Haiku?!

Seriously! Stop feeding this troll, he won't share his "wisdom" anyways, neither here nor to anyone else who won't pay his little 5-digit sum.

Yes, Bitcoin exchanges were more or less overrun by users in the past few months - whoever didn't know this (there are charts, people!) does know now.
But... but.. it's funny to feed him :D
nelisky
Legendary, Activity: 1554
June 20, 2011, 05:22:03 PM
#72



You see what you want to see, I read somewhere :)

I do think that people should be paid the same for the same task, regardless of them being poor or rich. I also think that your hatred made you state the wrong idea. You mean rich people should not PAY the same as poor people, right? Not GET PAID?

Regardless, yes, I think a thing is a thing and has a value regardless of who pays and who gets paid. It's how much you are willing to pay that makes the price, not how wealthy you are, in my personal opinion. But I'm sure you are correct, and that's why the world is as it is today.

You are American, right?

Next time you fill in your tax form, ask to pay the same amount as Donald Trump. Personal wealth doesn't matter, right? :)

Nope, not American at all. And yes, I would love to pay the same as Donald Trump for each unit of taxable income; he is much richer than I am and I pay much more per earned unit. Or was that your argument?

Ah, right, you are a troll, you make no arguments, only read hatred :)
finack
Jr. Member, Activity: 56
June 20, 2011, 05:22:13 PM
#73

You guys are pretty far off track arguing about socialism and BSD.

On that same TV show last night, Adam from Mt. Gox (adam@mtgox.com I believe) stated that they were looking to hire an app and systems security guy. It sounded like they wanted a full time employee, but they're liable to be fine with a consultant considering the bind they're in and how hard it would be to lure a full time type asset to Tokyo. If you're interested and looking for work maybe you should email them and set something up. It seems like that'd be a lot more productive than posting here about IIS vs. apache vs. nginx or session cookies.
muad_dib
Member, Activity: 112
June 20, 2011, 05:25:29 PM
#74



No, FreeBSD has fewer discovered bugs..


After a major review.

Quote

And now you are talking about OpenBSD instead of FreeBSD.
Either you are stupid or you don't know what you are talking about.
OpenBSD is maybe the most paranoid OS in the world, yes, that's right.


Because FreeBSD and OpenBSD have totally different codebases, and the bug increase after the review is just a coincidence.

Quote
And...? Uptime != security



You = wrong

Unless you don't touch your server when an intrusion is detected.
jjiimm_64
Legendary, Activity: 1862
June 20, 2011, 05:34:38 PM
#75


I am just sorry that I won't be able to get these 10 minutes back!!

1jimbitm6hAKTjKX4qurCNQubbnk2YsFw
kokojie
Legendary, Activity: 1694
June 20, 2011, 05:54:50 PM
#76

It doesn't really matter what OS you use, it is important that you really "know" the OS you have chosen, I mean really "know" your sh*t about the OS.

FreeBSD/Linux can be set up poorly with tons of security holes.
Windows Server can be set up with rock-solid security, nearly impossible to break.

It just depends on how well you know security, the OS and programming.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
finack
Jr. Member, Activity: 56
June 20, 2011, 06:18:11 PM
#77

Amusingly, more or less right after defending Tradehill by saying they allowed me to use SSL for everything, they changed their site so that it now gives mixed content warnings for script elements. This means that anyone who was sniffing my network could probably just pull the session cookie off of the script requests, and even if they've correctly set it as an SSL-only cookie, any attacker running a MITM or on your local network could insert a modified script resource that could steal your account credentials or take control of your logged-in account.

I'm sure they did this for performance reasons, as their site is running slow as shit right now, but it doesn't give me any faith that Tradehill is conducting themselves with a better security posture than anyone else.
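As an added example (not code from this thread, and not anything Tradehill or Mt. Gox published), here is a small Python audit for the three problems finack raises in this post and in post #47: a session cookie set without the Secure flag (so it rides along on any plain-http request a sniffer can see), no HSTS header (so browsers will still follow http:// links to the site), and a script loaded over http:// from an https:// page (mixed content, which an on-path attacker can replace). The response it audits is constructed for the example and the host names are placeholders.

```python
"""Audit a captured HTTPS response for session-cookie exposure and mixed content.

Added example for the thread above; the sample response at the bottom is
constructed, and exchange.example / cdn.exchange.example are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cookie names that usually carry a login session (assumption for the demo).
SESSION_NAMES = ("session", "sess", "sid", "phpsessid", "auth", "token", "login")


class MixedContentScanner(HTMLParser):
    """Collect active content (script, stylesheet, frame) fetched over plain http.

    Images are passive content and are not flagged: an attacker who swaps an
    image cannot run code in the page, but one who swaps a script can.
    """

    def __init__(self):
        super().__init__()
        self.insecure = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag == "script" and a.get("src"):
            url = a["src"]
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet":
            url = a.get("href")
        elif tag in ("iframe", "frame", "object", "embed"):
            url = a.get("src")
        if url and urlparse(url).scheme == "http":
            self.insecure.append((tag, url))


def parse_set_cookie(header_value):
    """Return (cookie_name, {attribute_lowercase: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flags like Secure map to ""
    return name, attrs


def audit_response(page_url, headers, body):
    """headers: list of (name, value) pairs as received; Set-Cookie may repeat.

    Returns a list of finding strings (empty list means nothing was flagged).
    """
    findings = []
    header_names = {n.lower() for n, _ in headers}

    # 1. HSTS: without it the browser will happily follow an http:// link to the host.
    if urlparse(page_url).scheme == "https" and "strict-transport-security" not in header_names:
        findings.append("no Strict-Transport-Security header: browsers will still "
                        "follow http:// links or bookmarks to this host")

    # 2. Session cookies: Secure keeps them off plain-http requests, HttpOnly keeps
    #    them away from any script that ends up running in the page.
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if not any(s in name.lower() for s in SESSION_NAMES):
            continue
        if "secure" not in attrs:
            findings.append(f"session cookie {name!r} lacks Secure: it is sent on any "
                            "http:// request and can be sniffed")
        if "httponly" not in attrs:
            findings.append(f"session cookie {name!r} lacks HttpOnly: readable by any "
                            "script on the page")

    # 3. Mixed content: active resources over http on an https page.
    scanner = MixedContentScanner()
    scanner.feed(body)
    for tag, url in scanner.insecure:
        findings.append(f"mixed content: <{tag}> loaded from {url}; an on-path "
                        "attacker can replace it")
    return findings


# Constructed sample response (not captured from any real exchange).
SAMPLE_URL = "https://exchange.example/login"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),   # no Secure, no HttpOnly
    ("Set-Cookie", "lang=en; Path=/"),            # not a session cookie, ignored
]
SAMPLE_BODY = """<html><head>
<script src="http://cdn.exchange.example/ticker.js"></script>
<link rel="stylesheet" href="https://cdn.exchange.example/site.css">
</head><body><img src="http://cdn.exchange.example/logo.png"></body></html>"""

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print("-", finding)
```

On the constructed sample this reports four findings: the missing HSTS header, the session cookie lacking Secure and HttpOnly, and the ticker script loaded over http. The http image is deliberately left alone, since passive content cannot take over the page the way an injected script can, which is exactly the distinction finack draws above.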

iCEBREAKER
Legendary, Activity: 1834, "[LOL2X]"
June 20, 2011, 07:46:32 PM
#78


http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does FreeBSD have fewer vulnerabilities, but they are also less serious (check exploit or data execution)
FreeBSD is also less used :P so there might be more bugs and exploits to discover.
I actually like that there have been more holes in Linux, because it means that they are fixed.

Linux is used more than *BSD as a desktop OS by fangurlz with Tux The Penguin avatars (excluding OSX).
Linux is used more than *BSD as a server OS by businesses that hire fangurlz with Tux The Penguin avatars.

On the other hand, when we move into the world of the critical systems that keep the Linux kiddies' interwebs running smoothly, we find that *BSD has been used for much longer and with greater success:

Quote
Over ten years of work have been put into enhancing BSD, adding industry-leading SMP, multithreading, and network performance, as well as new management tools, file systems, and security features. As a result, FreeBSD may be found across the Internet, in the operating system of core router products, running root name servers, hosting major web sites, and as the foundation for widely used desktop operating systems.

The reason for this is that:

Quote
BSD is designed. Linux is grown.
You do know that without BIND and BSD, there would never have been any Linux or Tux, right?

You do know that the root nameservers have always and will always run BIND on BSD, right?

So why don't you write to the Internet Assigned Numbers Authority about how your magical Tux is so much more secure and popular than BSD.

I'm sure they'll be blown away by the force of your irrefutable, highly technical argument that "bugs, holes, and exploits are good."

kokjo
June 20, 2011, 08:27:33 PM
 #79

Quote
http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does FreeBSD have fewer vulnerabilities, but they are also less serious (check exploit or data execution)
FreeBSD is also less used Tongue so there might be more bugs and exploits to discover.
I actually like that there have been more holes in Linux, because it means that they are fixed.

Linux is used more than *BSD as a desktop OS by fangurlz with Tux The Penguin avatars (excluding OSX).
Linux is used more than *BSD as a server OS by businesses that hire fangurlz with Tux The Penguin avatars.

On the other hand, when we move into the world of the critical systems that keep the Linux kiddies' interwebs running smoothly, we find that *BSD has been used for much longer and with greater success:

Quote
Over ten years of work have been put into enhancing BSD, adding industry-leading SMP, multithreading, and network performance, as well as new management tools, file systems, and security features. As a result, FreeBSD may be found across the Internet, in the operating system of core router products, running root name servers, hosting major web sites, and as the foundation for widely used desktop operating systems.

The reason for this is that:

Quote
BSD is designed. Linux is grown.
You do know that without BIND and BSD, there would never have been any Linux or Tux, right?

You do know that the root nameservers have always and will always run BIND on BSD, right?

So why don't you write to the Internet Assigned Numbers Authority about how your magical Tux is so much more secure and popular than BSD.

I'm sure they'll be blown away by the force of your irrefutable, highly technical argument that "bugs, holes, and exploits are good."

Linux is used more on servers and desktops. True!
FreeBSD is not the only thing that runs the root nameservers, core routers, etc...
NSD is also running instead of BIND on some root servers.

Btw, Linux is designed and BSD is grown; take a look at the Unix family tree:

Linux is a straight line from 1991 to now, and *BSD history goes back to 1969 from Unics.
It's true that *BSD is older than Linux, but it's grown.

Btw, the quote:
Quote
Over ten years of work have been put into enhancing BSD, adding industry-leading SMP, multithreading, and network performance, as well as new management tools, file systems, and security features. As a result, FreeBSD may be found across the Internet, in the operating system of core router products, running root name servers, hosting major web sites, and as the foundation for widely used desktop operating systems.
is taken from the FreeBSD website, and is therefore heavily biased. Smiley

I think you are a troll too. All your arguments are wrong.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
muad_dib
June 20, 2011, 08:34:56 PM
 #80

Quote
BSD is designed. Linux is grown.

This is such a beautiful sentence.


When developing some serial drivers for vending machines running Linux, my team and I went crazy handling all the hacks, specifications and modules the kernel had. It is just a bloated monster; in a driver I found a comment:

"We don't know why it is this way, but please don't touch it"


The server controlling the vending machines instead runs on FreeBSD, and its much tidier and more organized kernel space has been a pleasure to work with.
kokjo
June 20, 2011, 08:46:47 PM
 #81

Quote
BSD is designed. Linux is grown.

This is such a beautiful sentence.


When developing some serial drivers for vending machines running Linux, my team and I went crazy handling all the hacks, specifications and modules the kernel had. It is just a bloated monster; in a driver I found a comment:

"We don't know why it is this way, but please don't touch it"


The server controlling the vending machines instead runs on FreeBSD, and its much tidier and more organized kernel space has been a pleasure to work with.

Comments like that are because of some old hacks on very old buggy hardware; these types of comments are also in the FreeBSD source code.
Some people would also find it easier to run Windows XP on your vending machine.
I have read most of the core code in Linux and FreeBSD, and I found that Linux's source is simpler,
while FreeBSD is kind of difficult to understand sometimes.
It's just my opinion.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
muad_dib
June 20, 2011, 08:57:35 PM
 #82

Quote
I have read most of the core code in Linux and FreeBSD.


Did you really read MILLIONS of lines of code?

The Linux kernel codebase is roughly 10 million lines of code just for the kernel (excluding the comments and the toolchain to compile it; the full system, with the GUI and other stuff, is roughly 2.4 billion lines).

Imagine you read 50% of it at one second per line (whoa, you're a living compiler): it makes 158 years.


The eldest living compiler!

Now I understand why you go around calling other people trolls. You have every right.


This little calculation spares me from explaining that if you had really read at least some of the BSD and Linux codebase, you would know how much tidier BSD kernel space is.
jgraham
June 20, 2011, 09:09:48 PM
 #83

Quote
FreeBSD has fewer bugs than Linux (one fold fewer).
FreeBSD bugs went up because there has been a MAJOR review of code, both from volunteers and paid developers. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
The production machines with the best uptime are FreeBSD based.
Still you think that Linux is safer than FreeBSD?

Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
iCEBREAKER
June 20, 2011, 09:11:54 PM
 #84

Quote
I have read most of the core code in Linux and FreeBSD.


Did you really read MILLIONS of lines of code?

The Linux kernel codebase is roughly 10 million lines of code just for the kernel (excluding the comments and the toolchain to compile it; the full system, with the GUI and other stuff, is roughly 2.4 billion lines).

Imagine you read 50% of it at one second per line (whoa, you're a living compiler): it makes 158 years.


The eldest living compiler!

Now I understand why you go around calling other people trolls. You have every right.


This little calculation spares me from explaining that if you had really read at least some of the BSD and Linux codebase, you would know how much tidier BSD kernel space is.

Of course he didn't actually read "most of the core code in Linux and Freebsd."  That's absurd.

We are dealing with a poser (the worst kind of Linux fanboi is the wanna-be); notice how he splits hairs about Open vs Free BSD, yet never mentions which flavor of Linux he's jocking.

Someone who finds "freeBSD kind of difficult to understand" is probably not a *nix expert of any kind!



kokjo
June 20, 2011, 09:15:59 PM
 #85

Quote
I have read most of the core code in Linux and FreeBSD.


Did you really read MILLIONS of lines of code?

The Linux kernel codebase is roughly 10 million lines of code just for the kernel (excluding the comments and the toolchain to compile it; the full system, with the GUI and other stuff, is roughly 2.4 billion lines).

Imagine you read 50% of it at one second per line (whoa, you're a living compiler): it makes 158 years.


The eldest living compiler!

Now I understand why you go around calling other people trolls. You have every right.


This little calculation spares me from explaining that if you had really read at least some of the BSD and Linux codebase, you would know how much tidier BSD kernel space is.

Yes, that's many lines, but not in the core code; that excludes all the drivers (90%) and all the archs (5-8%) (except x86 and ARM). It's not that many; I have only read 2-5% of the whole Linux code, and only the parts that concern me.
Some of the toolchain I have also read, gcc and binutils, not all of it but some.
The FreeBSD source only confused me.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
kokjo
June 20, 2011, 09:22:51 PM
 #86

Quote
I have read most of the core code in Linux and FreeBSD.


Did you really read MILLIONS of lines of code?

The Linux kernel codebase is roughly 10 million lines of code just for the kernel (excluding the comments and the toolchain to compile it; the full system, with the GUI and other stuff, is roughly 2.4 billion lines).

Imagine you read 50% of it at one second per line (whoa, you're a living compiler): it makes 158 years.


The eldest living compiler!

Now I understand why you go around calling other people trolls. You have every right.


This little calculation spares me from explaining that if you had really read at least some of the BSD and Linux codebase, you would know how much tidier BSD kernel space is.

Of course he didn't actually read "most of the core code in Linux and Freebsd."  That's absurd.

We are dealing with a poser (the worst kind of Linux fanboi is the wanna-be); notice how he splits hairs about Open vs Free BSD, yet never mentions which flavor of Linux he's jocking.

Someone who finds "freeBSD kind of difficult to understand" is probably not a *nix expert of any kind!


LOL. You don't know what you are talking about.
For your information, I can say that I'm right now on Gentoo; my home server runs Ubuntu. I also have another computer which runs CentOS 5.
FreeBSD userland is much easier to understand than the kernel land.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
jgraham
June 20, 2011, 09:28:15 PM
 #87

Quote
LOL. You don't know what you are talking about.
For your information, I can say that I'm right now on Gentoo; my home server runs Ubuntu. I also have another computer which runs CentOS 5.
FreeBSD userland is much easier to understand than the kernel land.

I'm a Gentoo convert (from OpenBSD actually); are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)

timsmith
June 20, 2011, 09:35:32 PM
 #88

Quote
Did you really read MILLIONS of lines of code?  ... Imagine you read 50% of it at one second per line (whoa, you're a living compiler): it makes 158 years.
You know, it is possible to be absolutely right and yet still come across as a bit of a dick...  Roll Eyes
kokjo
June 20, 2011, 09:35:55 PM
 #89

Quote
LOL. You don't know what you are talking about.
For your information, I can say that I'm right now on Gentoo; my home server runs Ubuntu. I also have another computer which runs CentOS 5.
FreeBSD userland is much easier to understand than the kernel land.

I'm a Gentoo convert (from OpenBSD actually); are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)

No, not using the hardened one; I did not find it necessary on a laptop. If it was a server I would have chosen a hardened profile.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
iCEBREAKER
June 20, 2011, 09:39:06 PM
 #90

Quote
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).

The vending machine story is a great parable of why sometimes you really, really want an OS designed by electronic engineers to be secure and robust, instead of a hobbyist's toy that is beloved by hipster dot-com wannabe types and businesses that love getting a cheap knockoff version of genuine, authentic Unix.

Let's bring the discussion back to MtGox.

If I was setting up an online exchange, I would use Red Hat Linux for the public-facing front-ends.

I would use Red Hat Linux for the database servers, both master and slaves. 

But for the critical stuff, such as the bitcoind instance, email, and SSL, etc. there is no choice except for the decision between FreeBSD and OpenBSD.  I'd go with OpenBSD for the firewall, and FreeBSD for bitcoind.  NetBSD for email.  My users would get nothing less than the most secure set-up available outside NSA.



The fanbois really should realize there is life beyond LAMP.


iCEBREAKER
June 20, 2011, 09:47:27 PM
 #91

Quote
Did you really read MILLIONS of lines of code?  ... Imagine you read 50% of it at one second per line (whoa, you're a living compiler): it makes 158 years.
You know, it is possible to be absolutely right and yet still come across as a bit of a dick...  Roll Eyes

You mean like someone who implies that (surprise!) some unspecified flavor of Linux is more secure than BSD, claims to have read the source code for both, then admits he actually hasn't, all while sporting a Tux avatar?

By all means, let's indulge them and clap and sing their fanboi praises while they piss on us and say it's rain.


jgraham
June 20, 2011, 09:48:32 PM
 #92

Quote
LOL. You don't know what you are talking about.
For your information, I can say that I'm right now on Gentoo; my home server runs Ubuntu. I also have another computer which runs CentOS 5.
FreeBSD userland is much easier to understand than the kernel land.

I'm a Gentoo convert (from OpenBSD actually); are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)

No, not using the hardened one; I did not find it necessary on a laptop. If it was a server I would have chosen a hardened profile.

Ah, didn't see that bit. I'd also recommend the GrSecurity patches (I know that SELinux is part and parcel of Gentoo these days, but I think that in general the learning capabilities of GrSec outweigh the flexibility of SELinux in real-world deployments). I left OpenBSD when Theo D. seemed to be becoming more unhinged than usual. I haven't used FreeBSD since 1997, and while I'm sure it's a fine OS (some of the papers I've read show kernel I/O calls with impressively low latency), there is little reason to believe that a well-deployed Linux box is any worse off than a well-deployed FreeBSD box, especially in such a poorly defined term as "security". Were I you, I'd just leave the mouse alone. Most of the arguments I've read from him are specious. The only impressive thing he's done is change the argument scope on you. PM me if you have questions about Linux security.

timsmith
June 20, 2011, 09:51:59 PM
 #93

Quote
In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
Actually, in my experience in the CS community I'd say that it has gone more and more Windows centric. There are good points (Windows Server is obviously a lot better than XP these days) and not so good points (et al etc etc Grin) to that, but it seems to be the trend regardless sadly. I'm seeing more and more "critical infrastructure" running on Windows as time goes on, even more so as people rush to outsource services (no matter how critical) to "the cloud" and similar hypervised systems. I suspect that this says more about corporate sponsorship than actual technical benefits.

Quote
If I was setting up an online exchange, I would use Red Hat Linux for the public-facing front-ends.

I would use Red Hat Linux for the database servers, both master and slaves. 

But for the critical stuff, such as the bitcoind instance, email, and SSL, etc. there is no choice except for the decision between FreeBSD and OpenBSD.  I'd go with OpenBSD for the firewall, and FreeBSD for bitcoind.  NetBSD for email.  My users would get nothing less than the most secure set-up available outside NSA.
I wouldn't. I wouldn't do any of that. Far from it, the first and only thing I'd do is outsource all the technical requirements to a third-party company. Probably one such as the one you own/work for. Then I'd put in place a whole load of over the top SLAs so that when (not "if") the brown stuff hits the fan, I can pass all the blame on to you.

The biggest danger in the world of the internet is not whether one uses Windows or Linux or OS X or FreeBSD. The biggest danger are one-man armies who think that they can knock things like this together all by themselves. No matter how clever you are, or how much experience or qualifications you have, you still need to eat, sleep and visit the toilet.

The reason that we get so many up-start disasters like this is precisely because they are set up by people who think that they are going to do one better than the last person. And there is always someone waiting to come along who will think of something you didn't think of. You can have the best operating system in the world, but if Doris the cleaner unplugs the box to put the vacuum cleaner on, it all goes down. Taking responsibility for other people's money is a dangerous game wrought with risk, and I wouldn't touch it to begin with.
jgraham
June 20, 2011, 09:58:51 PM
 #94

Quote
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

I contend that if you are making an argument then it's up to you to support it. Clearly, he doesn't need to convince you. That's well and good but it still leaves the point as conjecture.

Quote
In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".  Speaking as a member of the aforementioned "CS community" (a la Dijkstra :-) )

timsmith
June 20, 2011, 10:07:04 PM
 #95

Quote
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".
Aah too true, ethereal propaganda at its finest.

They work well on management types as well:
"All your competitors use X because it's known to be more secure"
"You need to use Y because it is proven to be more efficient"
"Recent research has shown that Z has the best uptime"

For less technically savvy managers, consider replacing "secure" with "virus-proof", "efficient" with "virus-resistant" and "uptime" with "virus protection" Cool
jgraham
June 20, 2011, 10:14:27 PM
 #96

Quote
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".
Aah too true, ethereal propaganda at its finest.

They work well on management types as well:
"All your competitors use X because it's known to be more secure"
"You need to use Y because it is proven to be more efficient"
"Recent research has shown that Z has the best uptime"

For less technically savvy managers, consider replacing "secure" with "virus-proof", "efficient" with "virus-resistant" and "uptime" with "virus protection" Cool

Ok, Tim don't take this the wrong way but I love you.

I'm well familiar with that situation.  Some of the research these "whitepapers" quote ranges from funny to insulting.   I remember once someone gave me some vendor rag that said "Model XXX rackmounted server is 15% more power efficient than the average for it's class".  I wish I could have been the math teacher for the writer of that article...so I could fail him.

It gets worse.  I used to get a bunch of security trades (because as soon as that word gets attached to your title people want to start selling you stuff).  I read a comparison of Email filter appliances and it ranked them on about four pieces of criteria....except how they filtered email.

I canceled all my subscriptions.

muad_dib
June 20, 2011, 10:55:01 PM
 #97

May I ask the posters in this topic whether any of you have ever deployed a PCI DSS compliant infrastructure?
iCEBREAKER
June 20, 2011, 11:03:41 PM
 #98

Quote
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

I contend that if you are making an argument then it's up to you to support it.   Clearly, he doesn't need to convince you.  That's well and good but it still leaves the point as conjecture.

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".  Speaking as a member of the aforementioned "CS community" (a la Dijkstra :-) )

Referring to a commonly known fact, such as the security of BSD vs Linux, is not an argument.

Even if there happens to be a gainsaying fanboi present to dispute the widely recognized consensus reality.

I always find it interesting that people want to refer to the principal concepts of a conversation as "complex" and "nuanced" as a way to appear more deeply thoughtful than the other participants.

BSD is not merely a security "product"; it's the platform that the internet, and later the web, was built on and still runs on, to a large extent.

Please re-read my use of the phrase "well-known" in its proper context of me speaking about the real CS community.  And by "real" I mean EECS engineers and computer scientists, not cloud-happy corporate consultants and l33t Geek Squad linux fanboi.


muad_dib
June 20, 2011, 11:13:41 PM
 #99

Quote
Yes, that's many lines, but not in the core code; that excludes all the drivers (90%),

Drivers don't account for that much. They are roughly 55%.

http://cityblogger.com/archives/2008/06/16/linux-kernel-stats

Quote
and all the archs (5-8%) (except x86 and ARM).

I'm sure you know that source code doesn't depend on archs, as archs are handled by compilers.

But I'm sure you know that.

Quote
The FreeBSD source only confused me.

I think your confusion might not arise from BSD.
muad_dib
June 20, 2011, 11:15:53 PM
 #100

Quote
Some people would also find it easier to run Windows XP on your vending machine.

Good luck running XP on ARM. Without a GUI.

Or trying to get PCI DSS compliance for XP.
Rob P.
June 20, 2011, 11:32:52 PM
 #101

Quote
Some people would also find it easier to run Windows XP on your vending machine.

Good luck running XP on ARM. Without a GUI.

Or trying to get PCI DSS compliance for XP.

PCI compliance for XP is easy. SP3 is compliant if properly virus-protected.
Before just touting stuff, at least provide your sources.

From:  http://www.transactpos.com/Integrations/VeriFone/PCICompliance/tabid/146/Default.aspx
Quote
What versions of Windows are PCI Compliant?
     Vista Business Edition (32-Bit)
     Vista Home Premium (32-Bit)
     Vista Home Basic Edition (32-Bit)
     Windows XP Professional Edition (32-Bit)
     Windows 2003 Server Edition (32-Bit)

--

If you like what I've written here, consider tipping the messenger:
1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG

If you don't like what I've written, send me a Tip and I'll stop talking.
muad_dib
June 20, 2011, 11:40:42 PM
 #102

Quote
Before just touting stuff, at least provide your sources.

Windows is not compliant itself. It is the combination of the software used and OS.

Compliance is very expensive, and it is much more expensive on windows than linux.


Sorry, but quickly googling didn't cut it this time >)
jgraham
June 20, 2011, 11:44:05 PM
 #103

Quote
Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

I contend that if you are making an argument then it's up to you to support it.   Clearly, he doesn't need to convince you.  That's well and good but it still leaves the point as conjecture.

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).
I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".  Speaking as a member of the aforementioned "CS community" (a la Dijkstra :-) )

Quote
Referring to a commonly known fact, such as the security of BSD vs Linux, is not an argument.
If it were a fact, then you would be able to point to some clear and objective evidence of that right?  (Keep in mind that because you are referring to 'security' as some kind of blanket term you'd be responsible for providing that kind of evidence for the majority of aspects of the term and of course how exactly you know that your set of aspects is the majority).

Quote
Even if there happens to be a gainsaying fanboi present to dispute the widely recognized consensus reality.
Nice labeling there mac.  This isn't gainsaying.  I, simply as an IT security professional and the holder of a degree in computer science, have seen no set of well-defined, broadly scoped evidence that BSD is superior in "security" to Linux.  Nor in my conversations with other security professionals or members of the CS community (like my fellow alumni, Usenix attendees) have I seen any clear consensus as to the superiority of BSD.  I have, certainly, met people who make that claim but they always seem to fall down when trying to come up with a general definition of security or if they do they fall down in substantiating it with regard to their favored OS/Platform/Giant Spider.  Ergo it seems reasonable to me to call such a term "complex"; furthermore, given that even the most secure systems from a theoretical point of view can be entirely undone in implementation (such as EMF side-channel attacks on QKDS) it seems again reasonable to me to call such a system "nuanced".  Given these two facts (using the term correctly here), I think it is entirely justified to be mistrustful of any and all who consider "security" as an open and shut case for product (or platform or giant spider) X over product (you get the idea) Y.
Quote
Please re-read my use of the phrase "well-known" in its proper context of me speaking about the real CS community.  And by "real" I mean EECS engineers and computer scientists, not cloud-happy corporate consultants and l33t Geek Squad linux fanboi.

What do you want from me here guy? The two sentences above tell me to look at your use of the term "well-known" as: your opinion of the opinions of two very large groups of which your sample size is probably so small and poorly randomized it's useless.  Not to mention that even if the majority of those two groups held the opinion you claim it still isn't necessarily meaningful.  Computer Science and EECS people do not always have a background in computer security, making their opinion anywhere from questionable to useless.  Given the size of the groups and the variance in the population's skill set you could easily be getting the opinion of the least qualified people. I mean would you really rank the opinion of someone whose focus was in Combinatorics or AI or Queuing Theory as equal or greater than Bruce Schneier or (going old school) D. J. Bernstein when it comes to an application or operating system's "security"?  If you don't then how many Combinatoricists, AI researchers or Queuing Theorists make one Bruce or Dan?

Not to mention it's not hard to find high-profile people in computer security who disagree on "well-known" concepts.

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
Rob P.
June 20, 2011, 11:46:33 PM
#104

Quote from: muad_dib

Still don't see your sources, maybe I missed them.  You've probably never actually gotten PCI compliance for an entire organization.
Oh, and Windows IS compliant itself, running nothing but anti-virus, desktop firewall enabled, having automatic screen lockouts, currently patched, and rotating passwords in a timely (< 90 day) fashion.  Just because the example I cited is one talking about an application, doesn't invalidate that Windows XP can be compliant, something you stated it could not be.

Or trying to get PCI DSS compliance for XP.

As stated above, piece of cake.

muad_dib
June 20, 2011, 11:49:39 PM
#105

Still don't see your sources, maybe I missed them.  You've probably never actually gotten PCI compliance for an entire organization.

For an entire organization, no.

For a bank, yes.

Maybe banks are not safe enough for you.


Quote
Oh, and Windows IS compliant itself, running nothing but anti-virus, desktop firewall enabled, having automatic screen lockouts, currently patched, and rotating passwords in a timely (< 90 day) fashion.

You just forgot the credit card part.
jgraham
June 20, 2011, 11:49:48 PM
#106

Quote from: muad_dib

I think you've betrayed your skillset (again).  Level 1 vendor compliance is expensive.   It's not just expensive in CAPEX it's also expensive in OPEX.   Many vending machines would only need level 4 compliance.

muad_dib
June 20, 2011, 11:53:21 PM
#107

If it were a fact, then you would be able to point to some clear and objective evidence of that right?  (Keep in mind that because you are referring to 'security' as some kind of blanket term you'd be responsible for providing that kind of evidence for the majority of aspects of the term and of course how exactly you know that your set of aspects is the majority).


So number of security flaws doesn't matter, because the more bugs you have, the better it is.

Uptime doesn't matter, because you don't need to reboot after a privilege escalation.

Design choices don't matter, because .... (insert stupid reason here)

Which evidence do you want? The holy spirit telling you that BSD runs your infrastructure?



Quote
Not to mention it's not hard to find high-profile people in computer security who disagree on "well-known" concepts.

Security is not a concept.

It's a question of counting flaws and measuring uptime.
muad_dib
June 20, 2011, 11:54:51 PM
#108

I think you've betrayed your skillset (again).


I'm tired of all the arrogance you can find in this forum. I'm not paid to educate you.

If you want my opinion, please try not to be offensive.
minerX
June 21, 2011, 12:07:19 AM
#109

Quote from: muad_dib


You sound like a douchebag.  Your original post and subsequent posts made me look at your posting history, and yup, you don't know shit.
jgraham
June 21, 2011, 12:17:46 AM
#110

So number of security flaws doesn't matter, because the more bugs you have, the better it is.
edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.  As there is no mention as to *what* you're counting.  A DoS vulnerability may not be worth patching for a machine in your MZ running a service that's only used for a few hours every day.  Especially if it means dispatching a tech to a CO in Nowhereville USA.   This is part of your security profiling procedure where the company decides what are the things it's trying to protect.  Is it uptime?  Is it data integrity? Is it different for different servers?  On top of that "counting" is lame because it assumes that every flaw is of equal weight.  However in the *real* security world we don't think that way.   The term-du-jour is "modeling" but all this is, is taking a page out of risk management's book.  Here we use MS's model DREAD - http://msdn.microsoft.com/en-us/library/ff648644.aspx . Essentially we assign every flaw a bunch of criteria like how frequently this could be taken advantage of or the skillset required to pull it off.   On top of that there is always remediation.  That is, is there a workaround or fix?  Can we use a firewall or our BGP equipment to mitigate the risk?

...and that's just for the group of outstanding flaws.  IIRC the little mouse was actually referring to bugs that either were closed or being addressed.  That metric is probably pretty close to useless.  It's almost an example of the gambler's fallacy.


Quote
Uptime doesn't matter, because you dont need to reboot after a privilege escalation.
Depends on where in the stack the escalation takes place and again if there are ways to mitigate it.  Uptime is a statistic that might tell you something about security but it can just as easily tell you something about funding, business goals, overall admin philosophy.   So it's not likely to be a very *good* indicator of security.

Quote
Design choices doesn't matter, because .... (insert stupid reason here)
Again it depends, for example a microkernel architecture could be considered a security design choice but the BSDs manage fine without it.

Quote
Security is not a concept.
Actually that statement didn't say it was.   All that sentence said is that security *contains* concepts.

Quote
It's a question of counting flaws and measuring uptime.

Like for example the idea that some mice might have that "security" is based purely on two metrics - is a concept.
Do you really need me to explain how those two metrics: Number of flaws and Uptime don't necessarily tell you anything about security?
Not to mention some of the postings you've made of these kinds of metrics makes me think you've never taken a statistics class.

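The counting-versus-weighting argument in the post above, as an added example that is not code from the thread: it scores constructed findings with the five DREAD categories (Damage, Reproducibility, Exploitability, Affected users, Discoverability) from the Microsoft guide linked above, and ranks hosts two ways. The 1-10 scale per category, the plain average, the 50% discount for a finding that already has a working mitigation (the firewall or BGP workaround the post mentions), and both hosts and all findings are this example's own assumptions.

```python
"""
Naive flaw count vs. DREAD-weighted risk per host.

Added example, not from the thread. Assumptions: each DREAD category is
rated 1-10, the five ratings are averaged, and a finding that already has
a working mitigation (firewall rule, ACL, workaround) is discounted by
MITIGATION_FACTOR. Hosts and findings below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    damage: int           # D: how much harm a successful attack does
    reproducibility: int  # R: how reliably the attack can be repeated
    exploitability: int   # E: how little skill and effort it takes
    affected_users: int   # A: how much of the user base or fleet is hit
    discoverability: int  # D: how easy the flaw is to find
    mitigated: bool = False  # a firewall rule, ACL or workaround already blocks it


MITIGATION_FACTOR = 0.5  # assumption: a working mitigation halves the risk


def dread_score(f: Finding) -> float:
    """Average of the five ratings, discounted when a mitigation is in place."""
    ratings = (f.damage, f.reproducibility, f.exploitability,
               f.affected_users, f.discoverability)
    for r in ratings:
        if not 1 <= r <= 10:
            raise ValueError(f"rating out of range 1-10: {r}")
    score = sum(ratings) / len(ratings)
    return score * MITIGATION_FACTOR if f.mitigated else score


def count_ranking(findings: List[Finding]) -> List[Tuple[str, int]]:
    """The naive metric: open findings per host, most first."""
    counts = Counter(f.host for f in findings)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def risk_ranking(findings: List[Finding]) -> List[Tuple[str, float]]:
    """The weighted metric: each host's single worst DREAD score, highest first.
    One unmitigated root hole matters more than a pile of fenced-off DoS bugs."""
    worst: Dict[str, float] = {}
    for f in findings:
        worst[f.host] = max(worst.get(f.host, 0.0), dread_score(f))
    return sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: five low-impact DoS bugs already blocked at the firewall
# on one host, one unmitigated local root escalation on another.
SAMPLE: List[Finding] = [
    Finding("billing-api", f"DoS in report endpoint #{i}", 3, 7, 6, 4, 5, mitigated=True)
    for i in range(1, 6)
]
SAMPLE.append(Finding("exchange-db", "local root escalation in kernel", 10, 9, 6, 9, 6))


if __name__ == "__main__":
    print("by count :", count_ranking(SAMPLE))   # billing-api looks worst
    print("by DREAD :", risk_ranking(SAMPLE))    # exchange-db is actually worst
```

Counting puts billing-api first with five findings; the weighted view puts exchange-db first, since its one finding scores 8.0 against 2.5 for each mitigated DoS. Which of the two tables you act on is exactly the "what are we protecting" decision the post describes.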
jgraham
June 21, 2011, 12:19:56 AM
#111

Quote from: muad_dib
By far the most demonstrably arrogant person is you.  Just listen to yourself.

"I'm not paid to educate you".  No indication of humility there (the very idea that the little mouse would get some education is out of the question!)
"It's a question of counting flaws and measuring uptime." - no humility there either (can't possibly be anything else)
"I think your confusion might not arise from BSD." - oooh snap but not humble.
"Read better, hate less." - Yes, can't possibly be your writing.  Everyone else just reads you wrong.  That's really humble...no wait...the other thing...arrogant.   That's it.

Quote from: muad_dib
To be safe, Mt. gox need a complete rewrite of their code, plus the use of a stronger infrastructure. But they wont do this, because it would cost them Millions to keep the server offline for 1 month.
That's actually kind of interesting from a security perspective.  In my experience:

i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.  
ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.

These two assumptions make me wonder if you've ever really been involved in large-scale development work.

Anyway looks like the mouse has taken his ball and gone home...

marcus_of_augustus
June 21, 2011, 01:52:02 AM
#112

Quote
As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though the FreeBSD update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose Unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for Linux, 3 for FreeBSD.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do a very rough estimation:

Google "Hacked by"+ linux: 2.3 million results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)


Anyhow let's put it this way: My opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.


Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.

jgraham
June 21, 2011, 03:50:58 AM
#113

Ok I admit that I'm going to cherry pick some specific features here but just reading over some of the security features in FreeBSD

RBAC: FreeBSD has a more sophisticated MAC but at least as far as the documentation I've seen there's no real "out of the box" solution there.  Available in Linux via GrSecurity since 2001.
FLASK: Yes, but they used the SELinux code to do it. (So obviously Linux had it first)
ASLR: OpenBSD yes (First OS to have it on by default).  FreeBSD, seemingly not-yet.  Linux has had this since 2000 via GrSecurity.

Kinda interesting for a "more secure than Linux" (by some as yet undefined standard) OS as endorsed by CS and CSEE professionals.

Anyway the point here isn't to bash BSD.  As I mentioned earlier I ran my systems on OpenBSD until about 2004.  For years I would have considered OpenBSD the best choice due to the attitude of those who worked on the project.   But it's not 1999 anymore and featurewise UNIX-like OSes are all getting close to parity.  What you need, IMHO, is an experienced security professional to set down policies, procedures, practices and baselines based on your business assets and if you can't afford a third-party audit agency then they should try to fill that role.  They should be versed not just in CISSP style creation of policies but also have relatively low-level understanding of security on your platform of choice.

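Whether ASLR is listed as a feature matters less than whether it is actually in effect on the box, so here is the check a practitioner would run, as an added example and not code from the thread. It assumes a Linux host with procfs (the randomize_va_space sysctl and /proc/self/maps); the two maps excerpts embedded below are constructed so the parsing and comparison can be exercised offline, and the live sampling part only works on Linux.

```python
"""
Verify that ASLR is really randomizing a fresh process's address space.

Added example, not from the thread. Assumes Linux with procfs. RUN_A and
RUN_B are constructed /proc/<pid>/maps excerpts, not captured data.
"""
import re
import subprocess
from typing import List, Optional

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)


def mapping_base(maps_text: str, name: str) -> Optional[int]:
    """Start address of the first mapping whose pathname (or a label such as
    [stack] / [heap]) equals `name`; None if there is no such mapping."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(7).strip() == name:
            return int(m.group(1), 16)
    return None


def bases_vary(bases: List[int]) -> bool:
    """ASLR is doing its job for a region when fresh processes do not all
    land on one base. Two samples can collide by chance, so take several."""
    return len(set(bases)) > 1


def randomize_va_space() -> int:
    """Kernel-wide ASLR mode: 0 = off, 1 = stack/mmap/vdso randomized,
    2 = brk randomized as well (the normal setting on current distributions)."""
    with open("/proc/sys/kernel/randomize_va_space") as fh:
        return int(fh.read().strip())


def sample_region_bases(region: str = "[stack]", runs: int = 8) -> List[int]:
    """Spawn a fresh process `runs` times and record where `region` landed.
    [stack] is used because it moves regardless of whether the binary is
    PIE; the main executable's own base only moves for PIE binaries."""
    bases: List[int] = []
    for _ in range(runs):
        maps = subprocess.run(["cat", "/proc/self/maps"],
                              capture_output=True, text=True, check=True).stdout
        base = mapping_base(maps, region)
        if base is None:
            raise RuntimeError(f"{region} not present in /proc/self/maps")
        bases.append(base)
    return bases


# Constructed excerpts standing in for two runs on a host with ASLR on.
RUN_A = """\
55d3c2a00000-55d3c2a01000 r--p 00000000 08:01 1234       /usr/bin/cat
7f1e3c000000-7f1e3c021000 rw-p 00000000 00:00 0
7ffd1a2b3000-7ffd1a2d4000 rw-p 00000000 00:00 0          [stack]
"""
RUN_B = """\
5610e7c00000-5610e7c01000 r--p 00000000 08:01 1234       /usr/bin/cat
7f8a21000000-7f8a21021000 rw-p 00000000 00:00 0
7ffc9e7a1000-7ffc9e7c2000 rw-p 00000000 00:00 0          [stack]
"""


def check_constructed() -> bool:
    """Offline version of the check over the constructed excerpts."""
    return bases_vary([mapping_base(RUN_A, "[stack]"),
                       mapping_base(RUN_B, "[stack]")])


if __name__ == "__main__":
    mode = randomize_va_space()
    bases = sample_region_bases()
    print(f"randomize_va_space={mode}; stack bases: {[hex(b) for b in bases]}")
    print("ASLR effective for [stack]:", mode != 0 and bases_vary(bases))
```

Running the module on a Linux box prints the sysctl value and the sampled stack bases; a value of 0, or identical bases across all runs, means the feature is present in the kernel but not protecting this host. On a hardened kernel the entropy of the randomization is the next thing to question, which is the point made further down the thread.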
ikonic
June 21, 2011, 03:59:22 AM
#114

Interesting read. Seems to be a lot of angst about OSes.

The bottom line is, though, OSes are only as strong or weak as the people hardening them.

Anyways, don't want to hijack the thread, but for those who would like to help contribute towards a Bitcoin Stock Exchange Security Standard, I have created a thread here http://forum.bitcoin.org/index.php?topic=20377.0
CubedRoot
June 21, 2011, 04:07:27 AM
#115

Quote from: muad_dib


I realized this guy was a dumbass when I read number 1.  I am a Redhat Certified Engineer, and I have several close friends and co-workers that are Linux Administrators for DoD, ORNL, and Y-12 (All in Tennessee).  Here is a reason why every single freaking one of these institutions relies on LINUX (mostly RHEL) for the utmost security. The OP has obviously no idea what SELinux is or just how actually secure it is.  It's a shame there are so many self declared "security experts" involved with Bitcoin.  I am no expert, but I do know my ass from a hole in the ground.
jgraham
June 21, 2011, 04:31:47 AM
#116

Quote from: CubedRoot

Warning. Total derail attempt. Warning.

Do the RHCE exams still have an in-class practical portion?  I just finished the LPIC-1 - could have done it in my sleep.
Also, do you or your peers have a lot of interactions with auditors on the system security side?  I keep finding places where inappropriate security policies (like 90 day password cycling) are being enforced not by admins but by auditors because said policy made it into someone's best practices book.




marcus_of_augustus
June 21, 2011, 04:38:46 AM
#117

Quote from: muad_dib


Quote from: CubedRoot

I'm inclined to agree ....  yet the number of people building bitcoind on a RH system or derivative numbers in the tens, if that ... absolutely no support that I can find for RH bitcoind ... except this howto for CentOS http://www.austinheap.com/assets/coins/531b6341e653b7b57a8f7f5cc3da79d9.pdf ....

C'mon you RH guys get in here and show them how it's done, we need you. hware/OS/sware are the three legs of security ... people have forgotten about 1 and 2 in the rush to make money I fear.




iBTC
June 21, 2011, 04:41:29 AM
#118

but look at openbsd.  It had a backdoor for years exactly because fewer people audit the code.
Not true, prove it.

I won't mind if you sent me some BTC.
1UeuQxKG3dYgmT6FsbXrFJgdfFmwkczgM
CubedRoot
June 21, 2011, 04:52:08 AM
#119

The RHCE exams are pretty hardcore.  There are no multiple choice BS like most certification exams, hence why they are more valued across the industry as a defacto standard.  The RHCE exam is 100% lab based, and your work is judged by an examiner upon completion.  You simply don't plop down and choose from A through E on an exam. You have 4 hours to complete the exam, and usually everyone works up to the clock to complete.  There is also a very small success rate on the exam; it hovers around 44% of folks that take it pass it on their first attempt.

I was hoping to go to the Southeast Linux Fest in Spartanburg that happened a week or so ago and take the LPIC 1 and LPIC 2 tests, but life got in the way and I had to cancel my trip plans.

At my company, we have a 90 day password expiration, and we enforce minimum 12 char alpha-numeric requirements for all production machines.  One of my colleagues is an RHCSS (Redhat Certified Security Specialist) and he works with SELinux contexts daily.  It is simply amazing what can be achieved with SELinux.  
jgraham
June 21, 2011, 05:10:37 AM
#120

Quote from: CubedRoot

See I like that approach rather than regurgitating the command options for three different package managers ;-) (and the one I actually use of course).  Nothing shows competence better than proving you can do the work.  My team has even given up on written tests in job interviews.  We've switched to doing "virtual labs".

Quote
I was hoping to go to the Southeast Linux Fest in Spartanburg that happened a week or so ago and take the LPIC 1 and LPIC 2 tests, but life got in the way and I had to cancel my trip plans Sad

You will breeze through the 1.   I haven't read over the 2 yet.   The main reason I took them is that I'm taking a whack at teaching them in the fall.

Quote
At my company, we have a 90 day password expiration, and we enforce minimum 12 char alpha-numeric requirements for all production machines.

Yes, I wasn't trying to imply that 90 day cycles are generally inappropriate.   For example Windows domain admin accounts have so much power by default and are so widely used in the industry that we enforce heavy password rules.   However for regular users 90 day cycles with three iteration memories tends to have them writing the password down.  So we enforce complexity but not cycling.

Quote
One of my colleagues is an RHCSS (Redhat Certified Security Specialist) and he works with SELinux contexts daily.  It is simply amazing what can be achieved with SELinux.  

SELinux is incredibly flexible in my opinion but I think you hit the nail on the head there.  Its real power is in the hands of experts.   Which is why I tend to recommend GrSecurity - gradm can be run in a "learning" mode to create your RBACs for you.  I guess on the flipside PaX is more robust than execshield but not nearly as transparent in operation.  Other than those points I find it a matter of taste.

BBanzai
June 21, 2011, 05:18:37 AM
#121

I actually had to skim after the third page...any of you "experts" running VMS?  If you're going to pose and strut about security and all.
BBanzai
June 21, 2011, 05:27:16 AM
#122

Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips" 
  I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.
iBTC
June 21, 2011, 05:56:59 AM
#123

Unfortunately this topic has turned into a dick-measuring contest.

dr.bitcoin
June 21, 2011, 05:57:43 AM
#124

Wow, this thread was fun to read...
jgraham
June 21, 2011, 06:01:35 AM
#125

Quote from: BBanzai

I'm not an expert (someone with some particular level of expertise), I'm a professional (someone who does this for a living).  I haven't touched VMS since I was eighteen and was hired to develop for the Ministry of Education's 8530.  I admit I found DCL's parameters and qualifiers rather intuitive and I think I've always had some admiration for Cutler.

My only opinion here is that systems like these are difficult to compare.   For example VMS has a bunch of security certifications which might be okay when comparing it against other proprietary systems with money behind them but few Linux distros would bother getting an E3 certification.  Especially since the Common Criteria covers IIRC hardware and software.   So it's not enough to certify Linux but if memory serves you would be certifying some collection of server + OS.  Which makes it of more value to those vendors who have control of the hardware and the software.

Otherwise what do we compare on?

Do we count flaws?  Hardly fair even if these counts existed since these systems are not nearly as widely used as Linux.
Features?  Does it do ASLR? Who knows? How much entropy is in their implementation?
See what I mean?

It's not as clear as comparing a Non-Stop system to a Linux system.

CubedRoot
June 21, 2011, 06:05:23 AM
#126

Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the water's cold, ain't it?
iBTC
June 21, 2011, 06:08:10 AM
#127

Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the water's cold, ain't it?
:]

cuddlefish
June 21, 2011, 06:12:47 AM
#128


Quote from: muad_dib


The Linux kernel uptime rolls over at 497 days. The system doesn't go down, the uptime is just reset.

Linux, incidentally, has more eyes, so more seen bugs.

I like freebsd, but linux is much better for sysadmins.




BBanzai
June 21, 2011, 06:13:53 AM
 #129

It's been "Open" VMS for quite some time now.  I lost my hardon for programming about the time 386s became de facto...but as far as I can tell, real banks use VMS.  So go hack, kids.  And use a man's knife...I agree that the BSDs are hardened better than walking around scratching Linux, and Solaris is perhaps a better choice, again, because of who uses it.  But if you want a sword and a suit of armor, learn VMS.
BBanzai
June 21, 2011, 06:26:22 AM
 #130

And to the little mouse in the moon.  Arrogance will get you lots of places, but history says that you were blind.
jgraham
June 21, 2011, 06:37:06 AM
 #131

It's been "Open" VMS for quite some time now.  I lost my hardon for programming about the time 386s became de facto...but as far as I can tell, real banks use VMS.  So go hack, kids.  And use a man's knife...I agree that the BSDs are hardened better than walking around scratching Linux, and Solaris is perhaps a better choice, again, because of who uses it.  But if you want a sword and a suit of armor, learn VMS.

So are the default admin credentials still system/master on VMS?

Like I say, it's not really that cut-and-dried; there are dozens of reasons to use an operating system that have nothing at all to do with security.  Even if you are a bank.  At the trust company I worked at we used VM/CMS.  Why?  Because we had an S/390 and we had a huge and profitable piece of software written for it.  Was the system secure?  Who knew?  Although as time went on the edge systems were converted to AIX.


BBanzai
June 21, 2011, 06:57:33 AM
 #132

Admittedly outside of my experience, but I'm embarrassed by the "experts" in here that are experts at catching low-hanging fruit.  Keep your enemies closer, as they say, what weapons do they wield?
muad_dib
June 21, 2011, 07:21:01 AM
 #133



You sound like a douchebag.  Your original post and subsequent posts made me look at your posting history, and yup, you don't know shit.

Maybe you missed all the insults I got.


edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.  




You simply need to read my posts better. If you lack basic reading skills, it is not my fault.


 1.  I am a Redhat Certified Engineer,


And I won a nobel for having the longest dick.

I'm sorry but buying a certificate is not going to make you a more educated person. In my country we have something called a "College Degree".

Moreover here we're discussing about facts, not people.
muad_dib
June 21, 2011, 07:22:36 AM
 #134



Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.


I don't think we need to run bitcoind on BSD. You can or you can't, depends on your choice.


The web frontend needs to run on bsd, FOR SURE.
jgraham
June 21, 2011, 07:39:48 AM
 #135

Maybe you missed all the insults I got.

The most recent thing you labeled an "insult" was my statement that you "betrayed your skillset".  Seems like you need reading lessons.
Quote from: misdirecting_dib
edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.  

You simply need to read my posts better. If you lack basic reading skills, it is not my fault.
And yet you said: "It's a question of counting flaws and measuring uptime."  Perhaps your huge ego has some room to accept the possibility that your problem with communication (and it's pretty clear you have one) is with the writer, not your readers.

Quote from: malapropism_dib
The web frontend needs to run on bsd, FOR SURE
What happened to talking about facts?  That's just conjecture.

muad_dib
June 21, 2011, 07:41:54 AM
 #136


i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.  


Please, go to the authors of Wayland and stop them while you're still in time!!!

X can be patched! We don't need Wayland!!!!

Quote

ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.


The fact is that the website is not safe TODAY, not tomorrow.

With all the money they have, they can buy a lot of manhours for debugging.

Quote

These two assumptions make me wonder if you've ever really been involved in large-scale development work.

Anyway looks like the mouse has taken his ball and gone home...

This sentence gives me proof that not only do you lack basic reading skills, but you also lack reasoning skills.
muad_dib
June 21, 2011, 07:50:47 AM
 #137


I realized this guy was a dumbass when I read number 1.  I am a Redhat Certified Engineer, and I have several close friends and co-workers that are Linux Administrators for DoD, ORNL, and Y-12 (All in Tennessee).  Here is a reason why every single freaking one of these institutions rely on LINUX (mostly RHEL) for the utmost security. The OP has obviously no idea what SELinux is or just how actually secure it is.  It's a shame there are so many self-declared "security experts" involved with Bitcoin.  I am no expert, but I do know my ass from a hole in the ground. 

You know? You're funny.

You call yourself an engineer because you bought a piece of paper, still you don't know that SELinux is not only for Linux. But obviously you saw Linux in the name, and tried to draw a conclusion.


You call yourself an engineer, still you don't know that there are much better ways to secure a webserver, which aren't going to stop some of your services.
muad_dib
June 21, 2011, 07:52:17 AM
 #138


What happened to talking about facts?  That's just conjecture.

I got bored of you flamers.


You discuss like you're an expert about SELinux, still you missed that it isn't just for Linux.


You can't know how funny your people are.

The problem is that I can't joke all day long, I've got a job. Unlike some of you Smiley
jgraham
June 21, 2011, 07:52:26 AM
 #139

i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.  
Please, go to the authors of Wayland and stop them while you're still in time!!!
X can be patched! We don't need Wayland!!!!

Well I guess you don't win any reading awards.

Quote
ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.
Quote
the fact is that the website is not safe TODAY not tommorrow.
If it will take a month to rewrite the code from scratch and do all end-to-end testing, and it is considered infeasible to take the site down, then the site will be up whether they are re-writing the code or not.  So you might as well write the new code.  Clearly your experience with SDLC is a little thin.


Quote
These two assumptions make me wonder if you've ever really been involved in large-scale development work.

I think this point stands mousey!

BBanzai
June 21, 2011, 07:53:56 AM
 #140

Ahhhh, little mouse, still boxing with shadows when you could be saving the world?  I expected better of an Atreides.
muad_dib
June 21, 2011, 07:55:58 AM
 #141



I think this point stands mousey!

It looks like you have a lot of spare time Smiley

Maybe you should find yourself a job, this would also reduce the hate in your posts.

Maybe you're qualified enough for this job. I don't know. Anyhow I'm sure they will be more than happy to receive your application.
cunicula
June 21, 2011, 07:56:10 AM
 #142

Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Quote

Sorry, I don't understand how this relates to these websites. Could you explain what your hypothesis is and how you would go about testing it in words? Is this Psi you mention a random variable? I thought you said it was a parameter? But then it is a constant, no? I'm really confused. Please, OP help me out? This statistics stuff is confusing.

jgraham
June 21, 2011, 07:57:40 AM
 #143

What happened to talking about facts?  That's just conjecture.
I got bored of you flamers.
What? There was less than 10 min between this and your assertion that you were talking about facts.  I guess that's what you say when you can't defend your position?  That and assertions that people can't read the language you obviously have only marginal competence writing in?

Quote
You discuss like you're an expert about SELinux, still you missed that it isn't just for Linux.
Depends on what you mean.  As is becoming your habit you just make vague statements rather than facts.  Actually make an argument for a change and we'll talk...but of course that would open you up to being wrong.   Which is a good reason why you won't. ;-)

jgraham
June 21, 2011, 08:02:23 AM
 #144

It looks like you have a lot of spare time Smiley
Maybe you should find yourself a job, this would also reduce the hate in your posts.

Ooooh snap!  Yawn.  Where's that argument you were trying to make? Oh let me guess, it's all the readers' fault...and you're being *sniff* insulted and you're bored...anything else?  Sheeesh, I rarely see someone spend as much time saying nothing as you have in this thread.


muad_dib
June 21, 2011, 08:03:15 AM
 #145


Sorry, I don't understand how this relates to these websites. Could you explain what your hypothesis is and how you would go about testing it in words?

Sure. We take a statistic (Psi) which in our hypothesis is strongly connected to security. Then we take a probability space given by (Critical flaws, Running servers).

Of this space we take a sample (2005-2011 for example), and on this sample we make a measure using the statistic.

We then build a hypothesis test:

H1: Psi(linux) = Psi(BSD)

H2: Psi(linux) > Psi(BSD)


Picking a high confidence level (0.99), we can say that H1 is false.

Quote
Is this Psi you mention a random variable? I thought you said it was a parameter? But then it is a constant, no? I'm really confused. Please, OP help me out? This statistics stuff is confusing.


No it is a statistic, or a function over a sample.


marcus_of_augustus
June 21, 2011, 08:05:46 AM
 #146



Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.


I don't think we need to run bitcoind on BSD. You can or you can't, depends on your choice.


The web frontend needs to run on bsd, FOR SURE.

So, have you actually built bitcoind on any Linux OS (particularly RH or BSD) ... besides downloading the pre-chewed Windows binaries or Ubuntu packages?

Seems you are making lots of sweeping statements without actually getting your hands dirty here.

BBanzai
June 21, 2011, 08:06:12 AM
 #147

Something about a "stoneburner" as I recall, you wouldn't be in Japan by chance?
muad_dib
June 21, 2011, 08:07:38 AM
 #148


Depends on what you mean.

LOLOLOLOL

Third line on wikipedia:


Quote

It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating system kernels, such as Linux and that of BSD.



Obviously when you people bought the paper that allows you to call yourself an engineer, they forgot to tell you that if you want to be a good professional you need to be able to read, not only have money to take stupid tests.

LOLOLOL
jgraham
June 21, 2011, 08:10:01 AM
 #149

Sure. We take a statistic (Psi) which in our hypothesis is strongly connected to security. Then we take a probability space given by (Critical flaws, Running servers).

So what are you doing now?

You have assumed that some variable is strongly connected to some vaguely defined concept.  Then without defining the mapping between that and your sample set (just because A correlates with B doesn't mean it's 1:1).  Then you look like you are just assuming that the R is .99?

Ever hear of showing your work?

muad_dib
June 21, 2011, 08:10:29 AM
 #150



So, have you actually built bitcoind on any linux OS (particularly RH or BSD) ... besides downloaded the pre-chewed windows binaries or ubuntu packages?

Seems you are making lots of sweeping statements without actually getting your hands dirty here.

I ported Android to the vending machines. And if you have even a little knowledge of how Android is structured, you would know how complex this task is. Obviously I was not alone.


Anyhow, did this change anything? Are we speaking about facts or people?
muad_dib
June 21, 2011, 08:14:18 AM
 #151



So what are you doing now?

You have assumed that some variable is strongly connected to some vaguely defined concept.  Then without defining the mapping between that and your sample set (just because A correlates with B doesn't mean it's 1:1).  Then you look like you are just assuming that the R is .99?

Ever hear of showing your work?


you simply lack any basic knowledge of statistics. Sorry.

Start here:

http://www.amazon.com/Statistics-Dummies-Math-Science/dp/0470911085/ref=sr_1_1?ie=UTF8&qid=1308643898&sr=8-1


p.s.: the indicator is not mine. It is taken from another source.

http://www.amazon.com/Statistical-Process-Control-Industry-Implementation/dp/0792355709/ref=sr_1_2?ie=UTF8&qid=1308644011&sr=8-2
jgraham
June 21, 2011, 08:16:16 AM
 #152


Depends on what you mean.

LOLOLOLOL
Guess I'm getting under your skin.  That's pretty forced laughter there.  Sure, what does that have to do with anything that we've been talking about with regard to SELinux?

Quote
Obviously when you people bought the paper that allows to call yourself an engineer, they forgot to tell you that if you want to be a good professional you need to be able to read, not only have money to make stupid tests.

Well considering your writing is pretty horrible it's not surprising that your meaning wasn't conveyed.  As Randal would say...

muad_dib
June 21, 2011, 08:18:30 AM
 #153



No, actually you are probably lying.  In fact you seem to be making up how you're getting an R of .99.  

Again, I'm asking you to show your work...but instead you seem to be dodging the point.

LOL, YOU choose the confidence level. The higher it is, the more meaningful your conclusions are.

LOLOLOL.



Guess I'm getting under your skin.  That's pretty forced laughter there.  Sure, what does that have to do with anything that we've been talking about with regard to SELinux?



If the paper you bought says you're an engineer, and you say SElinux is just for linux, I'm not going to argue. You the boss, boss.




You're now in ignore, let's see how many other people I have to ignore to stop this flamewar.
jgraham
June 21, 2011, 08:20:10 AM
 #154

you simply lack any basic knowledge of statistics. Sorry.

No, actually you are probably lying.  In fact you seem to be making up how you're getting an R of .99.  

Again, I'm asking you to show your work...but instead you seem to be dodging the point.

jgraham
June 21, 2011, 08:22:59 AM
 #155

If the paper you bought says you're an engineer, and you say SElinux is just for linux, I'm not going to argue. You the boss, boss.
Where did anyone (other than this loser) say anything like that?

Quote
You're now in ignore, let's see how many other people I have to ignore to stop this flamewar.
Uh, at any point in time you could have provided a rational defense of your position instead of....flaming people.
Seems a little like you didn't *want* to talk about the issues when it came down to brass tacks.

BBanzai
June 21, 2011, 08:23:45 AM
 #156

Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the water's cold, ain't it?
Deep too.
muad_dib
June 21, 2011, 08:28:13 AM
 #157

Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips"  
  I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.

I never had the chance to play with Itanium.


Anyhow I'm not sure that there's a real need for Itanium. It's so overpriced that many times it is out of the market.

Take this as an example: do you really think that a closed source OS, deployed on just 400.000 machines, is going to be safer or more reliable than an open source OS on x86, at the same level of cost?
jgraham
June 21, 2011, 08:29:12 AM
 #158

No, actually you are probably lying.  In fact you seem to be making up how you're getting an R of .99.  

Again, I'm asking you to show your work...but instead you seem to be dodging the point.

LOL, YOU choose the confidence level. The higher it is, the more meaningful your conclusions are.

Oh so *that's* what you're blathering about.  That's not exactly the case.  For example, if your sample size is fixed (like it is here), choosing the CL alters your CI.  If you make your CL 'better' the CI becomes wider.   Now if, for example, you haven't done your experiment yet and you are fixing your CI and your CL, your sample size changes.  It's a rookie mistake, the kind I'd expect a non-math person to make.  "Meaningful" is also a kind of ambiguous word; it's something a frequentist would say.

So again, what dataset are you using here?

cunicula
June 21, 2011, 08:34:37 AM
 #159


Quote
Sure. We take a statistic (Psi) which in our hypothesis is strongly connected to security. Then we take a probability space given by (Critical flaws, Running servers).

Of this space we take a sample (2005-2011 for example), and on this sample we make a measure using the statistic.

We then build a hypothesis test:

H1: Psi(linux) = Psi(BSD)

H2: Psi(linux) > Psi(BSD)


Picking a high confidence level (0.99), we can say that H1 is false.

Quote
Is this Psi you mention a random variable? I thought you said it was a parameter? But then it is a constant, no? I'm really confused. Please, OP help me out? This statistics stuff is confusing.


No it is a statistic, or a function over a sample.

Okay much improved (B+), but here are some things to remember before you take your exam.

1) The statistic Psi-hat(linux) is a random variable that is an unbiased estimate of the constant parameter Psi(linux).
2) You are using random variables (sample statistics) to test hypotheses about the constant parameters Psi(linux) and Psi(BSD)
    [Not testing a hypothesis about these random variables]
3) The parameter Psi(linux) is a constant, and is therefore not correlated with anything.
4) If your TA is an ass, they will dock you points for not using the conventional labels H0 and H1

Much More Important Lesson: Don't mix in random jargon about topics you don't fully understand to impress other people. Focus on your core competencies and people will take you more seriously.



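The exchange from post #142 onward (muad_dib's Psi and his H1/H2 test, cunicula's corrections in #159 about what is a statistic, what is a parameter and which hypothesis is the null, and jgraham's point that the sample is fixed and the confidence level is chosen beforehand) is easier to follow in working code. The block below is an added example written for this page, not code from any poster. It replaces muad_dib's Psi with a plain event rate (bugs per system-year) and runs the standard one-sided conditional test for comparing two Poisson rates, once on raw counts and once with counts normalised by exposure. The 61 and 3 privilege-escalation bug counts and the 7-year window are the figures quoted in the thread; the 20:1 deployment ratio and the system counts are constructed assumptions.

```python
"""One-sided comparison of two vulnerability rates (constructed example).

Bug counts are the ones quoted in the thread (61 vs 3 privilege-escalation
bugs over 7 years). The installed-base figures are assumptions chosen to
show why raw counts are not comparable across differently sized populations.
"""
from math import comb


def binom_upper_tail(n: int, k: int, p: float) -> float:
    """P(X >= k) for X ~ Binomial(n, p), summed exactly with math.comb."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def rate_test_pvalue(k_a: int, t_a: float, k_b: int, t_b: float) -> float:
    """One-sided conditional test of H0: rate_a == rate_b vs H1: rate_a > rate_b.

    k_a, k_b are Poisson event counts (bugs); t_a, t_b are exposures
    (e.g. system-years). Conditional on the total n = k_a + k_b, under H0
    k_a ~ Binomial(n, t_a / (t_a + t_b)), so the p-value is the upper tail.
    """
    if k_a < 0 or k_b < 0 or t_a <= 0 or t_b <= 0:
        raise ValueError("counts must be non-negative and exposures positive")
    n = k_a + k_b
    if n == 0:
        return 1.0  # no events at all: nothing to reject
    p0 = t_a / (t_a + t_b)
    return binom_upper_tail(n, k_a, p0)


def rate_estimate(k: int, t: float) -> float:
    """Point estimate of the rate. This is the statistic: it is a function of
    the sample, and a different sample would give a different value."""
    return k / t


def reject_h0(p_value: float, alpha: float) -> bool:
    """alpha = 1 - confidence level, fixed before the data are looked at."""
    return p_value < alpha


# Counts quoted in the thread; the exposures below are constructed assumptions.
LINUX_BUGS, BSD_BUGS = 61, 3
YEARS = 7
# Assumed installed base: 20 Linux servers for every FreeBSD server.
LINUX_SYSTEMS, BSD_SYSTEMS = 20_000, 1_000


def compare(alpha: float = 0.01) -> dict:
    """Run the test on raw counts and on counts normalised by exposure."""
    raw = rate_test_pvalue(LINUX_BUGS, 1.0, BSD_BUGS, 1.0)
    linux_exposure = LINUX_SYSTEMS * YEARS
    bsd_exposure = BSD_SYSTEMS * YEARS
    normalised = rate_test_pvalue(LINUX_BUGS, linux_exposure, BSD_BUGS, bsd_exposure)
    return {
        "raw_p": raw,
        "raw_reject": reject_h0(raw, alpha),
        "normalised_p": normalised,
        "normalised_reject": reject_h0(normalised, alpha),
        "linux_bugs_per_1000_system_years": 1000 * rate_estimate(LINUX_BUGS, linux_exposure),
        "bsd_bugs_per_1000_system_years": 1000 * rate_estimate(BSD_BUGS, bsd_exposure),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Run as a script to print both results. With equal exposures the raw-count test rejects H0 at any sensible alpha; with the assumed 20:1 installed base the normalised rates are almost identical (about 0.44 vs 0.43 bugs per 1000 system-years) and H0 is not rejected at alpha = 0.01, which is the point raised earlier in the thread about flaw counts not being comparable across installed bases. The estimate k/t is a statistic that changes with the sample; alpha is fixed before the data are seen, so asking for 0.99 confidence does not make a conclusion stronger, it only moves the rejection threshold.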
kokjo
June 21, 2011, 08:37:12 AM
 #160


yes thats many lines. but not in the core code, that excludes all the drivers(90%),

Drivers don't account for that much. They are roughly 55%.

http://cityblogger.com/archives/2008/06/16/linux-kernel-stats

Quote
and all the archs(5-8%)(except x86 and arm).

I'm sure you know that source code doesn't depend on archs, as archs are handled by compilers.

But I'm sure you know that.

Quote
the FreeBSD source only did confuse me.

I think your confusion might not arise from BSD.
Sorry for the bad estimate... it is still only 5% of the code that is relevant.
And the archs are not only handled by the compiler; proof: http://lxr.linux.no/linux+v2.6.39/arch/
Every platform needs to be written; it includes all the low-level functions for that arch: MMU, task switching, detection of hardware, the whole startup stuff ...

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
muad_dib
June 21, 2011, 08:41:48 AM
 #161



Okay much improved (B+), but here are some things to remember before you take your exam.

1) The statistic Psi-hat(linux) is a random variable that is an unbiased estimate of the constant parameter Psi(linux).

Not only is it unbiased, but it is asymptotically consistent.

Anyhow I would like to point out to you that a statistic IS NOT a random variable.

Quote
2) You are using random variables (sample statistics) to test a hypotheses about the constant parameters Psi(linux) and Psi (BSD)
    [Not testing a hypothesis about these random variables]

I'm not sure I understand you here, maybe it's just my english.

Quote
3) The parameter Psi(linux) is a constant, and is therefore not correlated with anything.

It's a function over a sample. Change the sample, and the statistic changes. We take this statistic to measure the correlation between the properties of two samples.


Quote
4) If your TA is an ass, they will dock you points for not using the conventional labels H0 and H1

That's true.



Quote
Much More Important Lesson: Don't mix in random jargon about topics you don't fully understand to impress other people. Focus on your core competencies and people will take you more seriously.

Maybe you missed the fact of how many insults I got, and how many "engineers" were trying to educate me.
muad_dib
June 21, 2011, 08:45:48 AM
 #162


sorry for the bad estimate... it is still only 5% of the code that is relevant.



so 5% is most of the code?

Please define relevant.
kokjo
June 21, 2011, 08:50:09 AM
 #163


As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion, then your reliability goes down. It also means that there is less security maintenance (even though the FreeBSD update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose Unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for Linux, 3 for FreeBSD.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do a very rough estimation:

Google "Hacked by" + linux: 2.3 million results

Google "Hacked by" + Freebsd: 230.000 results (one fold less!!!)


Anyhow, let's put it this way: my opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.


The Linux kernel uptime rolls over at 497 days. The system doesn't go down, the uptime is just reset.

Linux, incidentally, has more eyes, so more seen bugs.

I like freebsd, but linux is much better for sysadmins.

+1

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
TheGer (Hero Member, Activity: 602)
June 21, 2011, 08:51:05 AM, #164

Look can we all just run Windows and be happy already...  Cheesy

kokjo (Legendary, Activity: 1050, "You are WRONG!")
June 21, 2011, 09:02:19 AM, #165

Quote
sorry for the bad estimate... it is still only 5% of the code that is relevant.



so 5% is most of the code?

Please define relevant.
stuff in:
the core code: http://lxr.linux.no/linux+v2.6.39/kernel/
the arch code for x86: http://lxr.linux.no/linux+v2.6.39/arch/x86/
some of the fs code(ext*, vfat, nfs): http://lxr.linux.no/linux+v2.6.39/fs/
the mm: http://lxr.linux.no/linux+v2.6.39/mm/
and the ipv* stacks: http://lxr.linux.no/linux+v2.6.39/net/ipv4/ , http://lxr.linux.no/linux+v2.6.39/net/ipv6/
and a few drivers from: http://lxr.linux.no/linux+v2.6.39/drivers/

I have also built my own little kernel, some time ago. It sucks, true. But it can start and print out a lot of information about the computer. (NO! It's not just a custom-built Linux kernel, it's a real OS from the bottom up.)

zer0 (Sr. Member, Activity: 350)
June 21, 2011, 09:20:38 AM, #166

This thread is pointless, since the 'auditor' handed over database access to somebody through total carelessness so breach would've happened regardless of OS. I bet the auditor had it lying around his gmail account or unencrypted on the desktop in a file called 'STEALTHIS.TXT'




muad_dib (Member, Activity: 112)
June 21, 2011, 09:24:39 AM, #167

Quote
This thread is pointless, since the 'auditor' handed over database access to somebody through total carelessness so breach would've happened regardless of OS. I bet the auditor had it lying around his gmail account or unencrypted on the desktop in a file called 'STEALTHIS.TXT'




they absolutely need to take steps so this CAN'T happen again.
BTCrow (Sr. Member, Activity: 243, "BTCrow.com")
June 21, 2011, 12:50:37 PM, #168

Quote
@muad_dib

At first your post seemed wise, but

1) Use the right software. IIS is a big no-no Smiley Also Linux should frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.

I loled a lot on this one and I completely agree. Even if I prefer nginx or apache to run software and get an extra level of security, you can also secure an IIS very easily, and this without knowing a lot about computer security. Look how many flaws in new nginx and apache have been reported and look how many flaws in IIS have been reported (securityfocus); you'll see that what you say is completely out of bounds...

Also php / perl / etc can be attacked if badly coded, daemons running on linux can easily be attacked too, so this is complete nonsense.

BTCrow (Sr. Member, Activity: 243, "BTCrow.com")
June 21, 2011, 01:00:19 PM, #169

Quote
http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does freebsd have fewer vulnerabilities, but they are also less serious (check exploit or data execution)

Sorry for the double post, BSD systems are A LOT less used than nux systems, that's why you'll see fewer vulnerabilities. I'm a vulnerability researcher and I can assure you that when I have time to research something I won't be losing my time doing research for software not used a lot, I'll do research for IE / Firefox / Real Network etc... Of course the BSDs are designed to be more secure but if you use them badly or you do not know how to use them, they will be less safe than running a nux or windows with good security mechanisms on it.

muad_dib (Member, Activity: 112)
June 21, 2011, 01:44:55 PM, #170

Quote
Sorry for the double post, BSD systems are A LOT less used than nux systems, that's why you'll see fewer vulnerabilities. I'm a vulnerability researcher and I can assure you that when I have time to research something I won't be losing my time doing research for software not used a lot, I'll do research for IE / Firefox / Real Network etc... Of course the BSDs are designed to be more secure but if you use them badly or you do not know how to use them, they will be less safe than running a nux or windows with good security mechanisms on it.


But if you know what to do and need maximum reliability and security, without going Itanium, then BSD is a very good choice.

I would like to ask you a question: why do you think that BSD had the 3 top spots in the reliability chart?

Do you think that the fourth company wasn't as good as the first three?
jgraham (Full Member, Activity: 140, "<Pretentious and poorly thought out latin phrase>")
June 21, 2011, 01:50:49 PM, #171

Quote
http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only does freebsd have fewer vulnerabilities, but they are also less serious (check exploit or data execution)

Quote
Sorry for the double post, BSD systems are A LOT less used than nux systems, that's why you'll see fewer vulnerabilities. I'm a vulnerability researcher and I can assure you that when I have time to research something I won't be losing my time doing research for software not used a lot, I'll do research for IE / Firefox / Real Network etc... Of course the BSDs are designed to be more secure but if you use them badly or you do not know how to use them, they will be less safe than running a nux or windows with good security mechanisms on it.

I'd agree that OpenBSD has security as an imperative for its dev team, and while ASLR isn't the be-all of security, I would contend that it does show a team taking a proactive approach to security rather than simply reactive patching. As far as I can tell even FreeBSD 9 doesn't have it committed to the roadmap (it was suggested years ago though).

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
jgraham (Full Member, Activity: 140, "<Pretentious and poorly thought out latin phrase>")
June 21, 2011, 02:03:46 PM, #172

Quote
Okay much improved (B+), but here are some things to remember before you take your exam.

Really?  Perhaps you can explain to me what you think he's trying to do here.

To me, even if "reliability" (as defined by Netcraft) was correlated with "security" (whatever we mean by that), the kind of analysis you'd want to do here is a simple comparison of categoricals. So ANOVA is the tool of choice. Looking at the Netcraft data linked to early on it's pretty clear that things like failed requests, DNS latency, connect latency and first byte latency have little to do with uptime. Sure you could make up a way they could be related to a security event (like say connect time or failed requests are related to DoS attacks but you wouldn't be able to differentiate between that and every other event). What's left after that? Outage - which might be related to a security event requiring a reboot but there almost everyone is at zero. Except for two BSD systems and one linux system.

So I don't even have to boot up R to tell you that the correlation coefficient here is going to be next to nothing (and probably bad for BSD).

From where I stand this is a "shows promise" mark and where I grew up that's a C. ;-)

Jono

Edit: So drudging back through his morass of poor English.  It sounds like all this nonsense is actually about counting "serious" flaws per system over some time period? Exactly how does *that* become a security metric?  Not to mention that using the "flaws" metric is very likely not going to follow the kind of probability density function one is expecting.

I'd like to take a moment to say that math isn't magic.  The numbers you put in need to be meaningful and the operations you perform on them need to say something...*shakes head*
He might as well have taken the square root of spiders and integrated it by batman...


kokjo (Legendary, Activity: 1050, "You are WRONG!")
June 21, 2011, 02:05:37 PM, #173

Quote
Sorry for the double post, BSD systems are A LOT less used than nux systems, that's why you'll see fewer vulnerabilities. I'm a vulnerability researcher and I can assure you that when I have time to research something I won't be losing my time doing research for software not used a lot, I'll do research for IE / Firefox / Real Network etc... Of course the BSDs are designed to be more secure but if you use them badly or you do not know how to use them, they will be less safe than running a nux or windows with good security mechanisms on it.


But if you know what to do and need maximum reliability and security, without going Itanium, then BSD is a very good choice.

I would like to ask you a question: why do you think that BSD had the 3 top spots in the reliability chart?

Do you think that the fourth company wasn't as good as the first three?
OMFG! You are now comparing a chip to an operating system.

jgraham (Full Member, Activity: 140, "<Pretentious and poorly thought out latin phrase>")
June 21, 2011, 02:07:11 PM, #174

Quote
I would like to ask you a question: why do you think that BSD had the 3 top spots in the reliability chart?

Do you think that the fourth company wasn't as good as the first three?

Because the latency for DNS, first byte and connect were lower.   Exactly where is the data that those strongly correlate to security events?  Nowhere.
For all you know this has nothing at all to do with the OS. Cluster size, hardware config, network organization (such as the composition and placement of edge devices). Heck we don't even know that all of these systems are under the same load. All affect these kinds of statistics, and considering that we are talking about averages without any idea as to their VARIANCE the placement might well be random.

Guess the mouse dropped out of stats?

muad_dib (Member, Activity: 112)
June 21, 2011, 02:56:14 PM, #175

Quote
OMFG! I like to embarrass myself in public.

I'm sorry for you.
kokjo (Legendary, Activity: 1050, "You are WRONG!")
June 21, 2011, 03:02:11 PM, #176

Quote
OMFG! I like to embarrass myself in public.

I'm sorry for you.
you really are a troll.

muad_dib (Member, Activity: 112)
June 21, 2011, 03:05:56 PM, #177

Quote
I'm sorry for you.

you really are a troll. Anyhow I'm too busy to see that because I'm still reading most of the linux kernel source. I just need 148 years more.


You just joined ignoreland along with jgraham.


Even if I dont reply to you, please keep on posting, to keep the lulz up Smiley
iBTC (Jr. Member, Activity: 39)
June 21, 2011, 03:11:10 PM, #178

Quote
I'm sorry for you.

you really are a troll. Anyhow I'm too busy to see that because I'm still reading most of the linux kernel source. I just need 148 years more.


You just joined ignoreland along with jgraham.


Even if I dont reply to you, please keep on posting, to keep the lulz up Smiley
#Lulzsec

muad_dib (Member, Activity: 112)
June 21, 2011, 03:13:15 PM, #179

Quote
You just joined ignoreland along with jgraham.


Even if I dont reply to you, please keep on posting, to keep the lulz up Smiley
#Lulzsec

Lulz for life.
makomk (Hero Member, Activity: 686)
June 21, 2011, 06:34:03 PM, #180

Quote
I'm sure you know that source code doesn't depends on archs, as archs are handled by compilers.

LOL *rolls on floor laughing*. That's a good one! You do realise that we're talking about kernels here, right? Compilers don't know about page tables, or context switching, or power management, or interrupts (on most platforms), or any of a number of important architecture-specific things that kernels need to manage. The code to handle this is in the architecture-dependent arch/ directories of the Linux kernel. (I believe the BSDs handle the separation between architecture-independent and architecture-specific code differently. Never used them though.)

Quote
I ported android to the vending machines. And if you have even a bare knowledge of how android is structured, you would know how complex this task is. Obviously I was not alone.
Android is not Linux. Developing Android drivers and porting it to a new hardware platform is not that similar to developing Linux drivers and porting that to a new platform. Android's based on the Linux kernel, but it has enough fundamental changes to the driver APIs that they're not really compatible.

cunicula (Hero Member, Activity: 784, "Stack-overflow Guru")
June 21, 2011, 06:50:07 PM, #181

I agree that you largely understand what you are talking about (as far as statistics) and that your English could be the primary cause of residual confusion. However, you are still making overly confident statements, without taking a 'wikipedia moment' to verify them.

Quote
Anyhow I would like to point out to you that a statistic IS NOT a random variable.
http://en.wikipedia.org/wiki/Statistic

muad_dib (Member, Activity: 112)
June 21, 2011, 06:52:24 PM, #182

Quote
LOL *rolls on floor laughing*. That's a good one! You do realise that we're talking about kernels here, right? Compilers don't know about page tables, or context switching, or power management, or interrupts (on most platforms), or any of a number of important architecture-specific things that kernels need to manage. The code to handle this is in the architecture-dependent arch/ directories of the Linux kernel. (I believe the BSDs handle the separation between architecture-independent and architecture-specific code differently. Never used them though.)


I'm not saying the code is the same. I'm saying that the toolchain handles this.


Quote
Android is not Linux. Developing Android drivers and porting it to a new hardware platform is not that similar to developing Linux drivers and porting that to a new platform. Android's based on the Linux kernel, but it has enough fundamental changes to the driver APIs that they're not really compatible.

I'm not sure I see your point.

jgraham (Full Member, Activity: 140, "<Pretentious and poorly thought out latin phrase>")
June 21, 2011, 07:07:27 PM, #183

Quote
I agree that you largely understand what you are talking about (as far as statistics)


Uh really?  So you really think that calculation is meaningful?   How about you tell me why you think that.

Sorry if I'm making a broad assumption here but I'm getting the idea that you two are just trading wikipedia references.

muad_dib (Member, Activity: 112)
June 21, 2011, 07:17:33 PM, #184

Quote
I agree that you largely understand what you are talking about (as far as statistics)

I'm grateful that I'm not the only one who tries to step down this flamewar


 

Quote
and that your English could be the primary cause of residual confusion.
However, you are still making
overly confident statements,

You are probably right, still I see some of the posters of this thread as haters.

When I say:

Quote
Also Linux should frowned upon

I'm not saying that linux is not secure. But just as I refuse to think that IIS+windows is as safe as LAMP, I refuse to accept that BSD is as safe as linux.

Moreover if the subject is defended by people who think that SElinux is a flexible linux distro, or who claim to be able to read 10 million lines of code as if it was water.

Quote
without taking a 'wikipedia moment' to verify them. Anyhow I would like to point out to you that a statistic IS NOT a random variable.
http://en.wikipedia.org/wiki/Statistic

I love wikipedia, but I have to say that it is not the most reliable source when you're dealing with science.

The fact that wikipedia says:

A statistic is an observable random variable

moreover writing observable in italics should suggest to you that the author is trying to explain a very complex concept with a very short description.

Behind this there's one of the biggest problems of modern mathematics, going by the name of measure theory.

I do personally refuse to accept the Kolmogorovian axioms or the existence of real numbers, and this forces me to use a much stricter formulation of statistical theory. But even without these two problems, defining a statistic as a random variable is a stretch.

Maybe if you have this book (it's the bible of statistic, it can be easily found in any scientific library) I could point you to some deeper analysis.

Vladimir (Hero Member, Activity: 812)
June 21, 2011, 07:25:07 PM, #185

Come on people, arguing what is more secure, Linux or BSD, is so irrelevant when the sysadmin has hands growing out of his backside. And frankly, in the real world the latter is usually the case.

jgraham (Full Member, Activity: 140, "<Pretentious and poorly thought out latin phrase>")
June 21, 2011, 07:28:50 PM, #186

Quote
I'm grateful that I'm not the only one who tries to step down this flamewar
There actually isn't a flamewar going on.   The alternation between your off-the-chart arrogance combined with your refusal to elucidate (and your pretty compulsive need to denigrate folks).  You have painted yourself as the provocateur while taking on the role of the victim.  Perhaps you only see a fight because you are looking for one eh?
 
Quote
You are probably right, still I see some of the posters of this thread as haters.
Actually that's a good illustration there. The last thing I read you labeled as an "insult" was how I had said you "betrayed your skillset". Sounds like that could easily be you looking for an opportunity to take offense.
Quote
I'm not saying that linux is not secure. But just as I refuse to think that IIS+windows is as safe as LAMP, I refuse to accept that BSD is as safe as linux.

Good choice of words.  "Refuse to accept" this illustrates well how what we are observing with you is a non-rational process.

Quote
Moreover if the subject is defended by people who thinks that SElinux is a flexible linux distro,

Hmmm...again you are kind of making things up.  There's nowhere where anyone said or implied that.

Quote
Maybe if you have this book (it's the bible of statistic, it can be easily found in any scientific library) I could point you to some deeper analysis.

That's an old horse isn't it?  The old "Well you just have to read this book" dodge.  LOL.

Webengers (Jr. Member, Activity: 42)
June 21, 2011, 08:29:43 PM, #187

Quote
As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though the freebsd update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even though, freebsd being smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 millions results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)


Anyhow let's put this way: My opinion is that FreeBSD is the most secure,  reliable and scalable OS. You think that Linux is more secure than FreeBSD.


I totally agree with you on this metric. Obviously, it follows with what I, a bona-fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy.

Google agrees with me, as "Hacked by"+"virtual boy" has a mere 61,300 results.

Prove me wrong. I dare you, because I just bought a pair of x-pert system II zookas and a nintendo power glove. It's hooked to my keytar, with a wii wammy bar and a silicon 3d aggregator nanostruts mashup through UG ajax immersion portals.

Obviously, this is all coded in COBOL. It's the safest language.

Haha, Agreed. I'm not a Linux fanboy, but as soon as he started touting the security benefits of FreeBSD over the security Benefits of Linux he loses all credibility. The services that are normally exploited are generally run by multiple Unix clones. Securing a system takes an experienced *nix sysadmin and someone who understands networking and routing thoroughly, that's it.
jgraham (Full Member, Activity: 140, "<Pretentious and poorly thought out latin phrase>")
June 21, 2011, 08:56:57 PM, #188

Quote
Haha, Agreed. I'm not a Linux fanboy, but as soon as he started touting the security benefits of FreeBSD over the security Benefits of Linux he loses all credibility. The services that are normally exploited are generally run by multiple Unix clones. Securing a system takes an experienced *nix sysadmin and someone who understands networking and routing thoroughly, that's it.

...or the places where FreeBSD had to take stuff from Linux to secure itself.

As I've been saying from the beginning, anyone who asserts there is some clear winner in "security" will probably fail in one of two things:


i) Defining "security' generally.

Muad_Dip, while he did provide a definition, gave a rather incomplete one: he said that "It's a matter of counting flaws and uptime". Especially when you consider he is talking about reported flaws (the vast majority of which have been fixed), not taking into account standard modeling practices, or providing a reference as to if uptime (or how much) is the result of security events. In fact, as you can see from the way he tends to use data, he assumes that not only is ALL uptime security related but with almost zero variance.

ii) Defending the point that system X is actually better by these criteria.

Similarly Muad_Dip gave us very little.  A database of flaws that are largely fixed.   No rationale as to why that means anything and some top 40 hosting services reliability index with no rational reason why things like DNS latency should be considered part of the equation.  A constant reference to the "top three' but a casual ignoring of the  bottom two FreeBSD machines which were an order of magnitude worse than any other system at all.  Oh and some silly evaluation from ten years ago with rather subjective and unweighted evaluations....using "smiley" and "frowny" faces as the markers of better or worse systems.   Really.   He even called this "objective" data.

akcom (Newbie, Activity: 5)
June 21, 2011, 10:47:32 PM, #189

You people get so caught up arguing over every unimportant little nuance you've forgotten the point: mtgox is completely insecure. Do you really believe someone had 500,000 BTC in their account? Yeah right. mtgox's account was hacked. They're making tons of money but make no investment to fix their piss poor security.

As for this linux *bsd debate, I see a lot of people talking out their rear.  Reading wikipedia does not make you a security expert.  Running gentoo does not make you a linux expert.  And neither of these things qualify you to speak on the topic of network security.  *bsd is the first choice when security is the major concern, period.  Google bsd security if you don't believe me.
cunicula (Hero Member, Activity: 784, "Stack-overflow Guru")
June 22, 2011, 01:13:34 AM, #190

Quote
defining a statistic as a random variable is a stretch.

Maybe if you have this book (it's the bible of statistic, it can be easily found in any scientific library) I could point you to some deeper analysis.

Don't have that text on my computer, but surely you would accept a quote from the same author's "Introduction to Mathematical Statistics."

Definition 1. A function of one or more random variables that does not depend upon any unknown parameter is called a statistic. ...
It is quite clear that a statistic is a random variable. In fact, some probabilists avoid the use of the word "statistic" altogether, and they refer to a measurable function of random variables as a random variable."
Ch 4. p122-123

I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

jgraham (Full Member, Activity: 140, "<Pretentious and poorly thought out latin phrase>")
June 22, 2011, 01:15:19 AM, #191

Quote
You people get so caught up arguing over every unimportant little nuance you've forgotten the point: mtgox is completely insecure. Do you really believe someone had 500,000 BTC in their account? Yeah right. mtgox's account was hacked. They're making tons of money but make no investment to fix their piss poor security.

Soooooo if it was hacked why did most of the transactions come from one account? If they had kept them all separate and made separate withdrawals it would have increased their take and slowed their discovery. Instead they took a whole extra step to consolidate all their accounts.

Quote
As for this linux *bsd debate, I see a lot of people talking out their rear.

Me too.

Quote
Reading wikipedia does not make you a security expert.  Running gentoo does not make you a linux expert.  And neither of these things qualify you to speak on the topic of network security.  *bsd is the first choice when security is the major concern, period. 
Similarly saying "first choice" doesn't make it so. Saying "period" doesn't really make your case any stronger. In fact asserting things when allegedly the evidence is easily found but somehow you just couldn't bring yourself to link to it....Kind of weakens your case doesn't it?

FreeBSD is a fine operating system, so is OpenBSD.  At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.   Feature parity is reached and some of Theo D's decisions over the last five years have been...idiosyncratic. 

jgraham (Full Member, Activity: 140, "<Pretentious and poorly thought out latin phrase>")
June 22, 2011, 01:19:50 AM, #192

Quote
I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

Lots of book quoting there.   Any chance you'll get around to answering my question?

cunicula (Hero Member, Activity: 784, "Stack-overflow Guru")
June 22, 2011, 01:40:30 AM, #193

Quote
Lots of book quoting there.   Any chance you'll get around to answering my question?

Sorry, the topic of my posts was the OP's use of statistical terms and how misuse of terminology might make him appear to readers.

I don't know anything about OS security and I don't have an opinion about the OP's OS security argument. Need to know a lot about the data generating process to assess whether a raw correlation is meaningful. OP's data (if they exist) might not be from a random sample. Even if they are, operating system use is a choice variable (not randomly assigned). Security metric used by OP may or may not be a good metric.

Not responding anymore to this thread, so please bait someone else.

jgraham
Full Member
***
Offline Offline

Activity: 140


<Pretentious and poorly thought out latin phrase>


View Profile
June 22, 2011, 02:14:01 AM
 #194

Sorry, the topic of my posts was the OP's use of statistical terms and how misuse of terminology might make him appear to readers.
My question was also about his use of terminology.  I asked you how you found any of the statistical information muad_dib posted actually meaningful.  Most of the time he seemed to just be splattering statistical terms without any consideration as to what outcome he was trying to determine.  He used terms like hypothesis testing, confidence levels but was clearly missing knowledge like he didn't seem to understand that you can't just arbitrarily choose a CL post-hoc and make your result more "meaningful".  So it didn't really seem he knew how to apply them or what their limitations are.

There's a salient difference between someone who actually *does* statistics and someone who simply *performs* them.   The former understands how the operations they are performing actually work.  So they reflexively know the limitations, what kind of data you need, what kind of tests get what kind of result.  If you talk to this kind of person the first words out of their mouth are about framing the problem and the next are about framing the data.  I found it interesting that instead of criticizing his almost entire lack of explanation of how the statistical operations he alluded to actually gave *any* kind of meaningful result, you wanted to talk about the definition of the term "statistic" - over and over again.

Quote
Need to know a lot about the data generating process to assess whether a raw correlation is meaningful. OP's data (if they exist) might not be from a random sample. Even if they are, operating system use is a choice variable (not randomly assigned). Security metric used by OP may or may not be a good metric.

Actually I didn't necessarily ask if it was a good metric.  I just asked what made you think what he said was meaningful.   You would, or should know that to a point you can analyze the approach someone is taking.  This would drive you to want to know about their data.  You had no questions about that at all.  All you were on about were things that you could validate if you say...read a web page about statistics.
Quote
Not responding anymore to this thread, so please bait someone else.
Guess you had to get out of this jam somehow.

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
muad_dib
Member
**
Offline Offline

Activity: 112


View Profile
June 22, 2011, 06:18:06 AM
 #195



Don't have that text on my computer, but surely you would accept a quote from the same author's "Introduction to Mathematical Statistics."

Definition 1. A function of one or more random variables that does not depend upon any unknown parameter is called a statistic. ...
It is quite clear that a statistic is a random variable. In fact, some probabilists avoid the use of the word "statistic" altogether, and they refer to a measurable function of random variables as a random variable."
Ch 4. p122-123


This is a simplification. The author correctly says that SOME probabilists do this. Even if most mathematicians accept real numbers, this doesn't mean they exist.

I couldn't find the book you refer to in the torrent, so let's take again wikipedia:

http://en.wikipedia.org/wiki/Random_variable#Functions_of_random_variables

Quote
If we have a random variable  on  and a Borel measurable function , then  will also be a random variable on , since the composition of measurable functions is also measurable.

What if my statistic is a composition of measurable and non-measurable functions?

It can be non-measurable for many reasons:

1) The statistic domain is non-measurable

2) The statistic itself is non-measurable

3) The statistic works on infinite vector spaces

The situation is much more complex than how you want to picture it.

Quote
I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

I don't have a good answer for this. Again I see people making wrong affirmations and insulting others, still I'm the one to calm down?

Just like you're doing now: you don't know my background, still you accuse me of being over my head. If I were in the university I would take out my papers and my citations, and I would ask you to do the same. On the internet it is different, so please refrain from speaking about people's ability if you are not sure.
iBTC
Jr. Member
*
Offline Offline

Activity: 39


View Profile
June 22, 2011, 11:30:43 AM
 #196

At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.
But -in your opinion- it's still good security-wise, right?
If not, do you care to explain more?

I won't mind if you sent me some BTC.
1UeuQxKG3dYgmT6FsbXrFJgdfFmwkczgM
kokjo
Legendary
*
Offline Offline

Activity: 1050

You are WRONG!


View Profile
June 22, 2011, 12:05:36 PM
 #197

@muad_dib:
i am now going to cut it out for you:

if you look at wikipedia: http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Servers
you can see that the usage of BSD is between 2.4% and 5.35%.
and linux is between 16.9% and 74.29%

we can therefore conclude that linux is more used than freebsd.
and we can assume that linux is getting more attention from hackers and security experts.
because of that we can assume that linux will be exploited more.
and if there are more security holes found in linux, they will also be fixed.

in freebsd which does not get as much attention as linux, we can assume that people are not finding the hacks/exploits.
and the holes will not get fixed!

if you can't follow my very simple argument, please feel free to ask.

@to all others:
HE IS A TROLL!

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
jgraham
Full Member
***
Offline Offline

Activity: 140


<Pretentious and poorly thought out latin phrase>


View Profile
June 22, 2011, 03:03:03 PM
 #198

Quote from: trollboy
Even if most mathematicians accept real numbers, this doesn't mean they exist.
There are plenty of deep thoughts about the "reality" of the reals.  Even some fun ones like Borel's all-knowing number, but your argument is essentially claiming that cunicula is making an ad populum fallacy.   All that aside, what few mathematicians would deny is the necessity of the reals.  Which is, incidentally, all that's required to talk about - you know - your approach and metrics with regard to security.

Quote from: trollboy
What if my statistic is a composition of measurable and non-measurable functions?
Why not give us a concrete example from a field of our choice of this kind of statistic?

Quote from: trollboy
I don't have a good answer for this. Again I see people making wrong affirmations

How do you know they're wrong?  Perhaps you're drawing wrong conclusions based on your poor language skills?  Like you did with the exchanges about SELinux.  Hmm...a concrete example of you being wrong but...no examples of these other people making "wrong affirmations".  Strange!

Quote from: trollboy
and insulting others,
Where "insult" can mean just about anything I guess.  Given again that to you "betraying your skillset" can be an insult.  Rather than simply an example of you not understanding the term.  Also considering that you have laid out as many or more (real) insults - in some case to people who had not insulted you.  (Oh and you continue to send them to me privately - very classy!)  
Do you really think you've got any moral high ground left here?

Here's a real gem:

Quote from: trollboy
Please respect my objective opinion. I will respect your personal belief.

...and somehow you thought this would go over well.

Quote from: trollboy
still I'm the one to calm down?

Are you admitting you're not calm here?  Anyway, I'd say that you need to simply be open to explaining yourself.  You know, like you haven't been doing this entire time.  Your arguments should stand on their own.  Not turn into some nonsense expression of your arrogance.  That somehow everyone must bow to your opinion - with little or no explanation.   Yeah, real humble.

Quote from: trollboy
Just like you're doing now: you don't know my background, still you accuse me of being over my head.
...and by the same token.  You don't know his so how do you know he is wrong?

Quote from: trollboy
If I were in the university I would take out my papers and my citations, and I would ask you to do the same.

Who cares.  As someone who works in academia there are plenty of profs who talk through their asses, especially if, for example, they are talking outside of their field. i.e. while engineers, medical researchers, and even some lowly security personnel are bright people and use statistics daily - sometimes even correctly ;-) - they are still 'out-of-field' when talking *about* statistics.  In the same way that driving a car to work every day doesn't make someone a mechanic.

Quote from: trollboy
On the internet it is different, so please refrain from speaking about people's ability if you are not sure.
Shall I quote all the places you've done this about other people in this thread without having objective evidence?  Hmmm?  All the insults you laid out to people like kokjo?

At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.
But -in your opinion- it's still good security-wise, right?
If not, do you care to explain more?

Sorry if this is a broader answer than you were wanting but...
I don't have an opinion on the security of say OpenBSD in a broad sense because I don't have a useful general definition of "security".  

What I do see is that OpenBSD has similar *mechanisms* to secure itself when compared against say Linux. There is also a group of people concerned with the security of the OS and there exists a body of knowledge on securing the system.  These are all positive things.   There may be various advantages and disadvantages to individual elements but it's not always easy to judge this kind of thing.

For example: let's focus on one talking point I've mentioned a number of times (or perhaps 'harped on' ;-) ).  ASLR - PaX (which is available through a series of patches to the Linux kernel or pre-patched sources from the Gentoo hardened branch or from pre-compiled kernels) does the most complete job of address randomization. Better than execshield (which is what RH and other Linux's use OOTB), and W^X (in OpenBSD).  For example the bit size for stack randomization in PaX is double that of W^X.  There are also fewer guarantees as to what will or won't be protected using W^X.  Especially with regard to the kernel - as of the last release I looked at.  A problem with the kernel stack will not be prevented by W^X.

That said PaX needs to be enabled whereas W^X is available out of the box (so is execshield btw).  This is a double-edged sword.  In one case W^X protects everything in userspace because what's patched is not the kernel calls but malloc.  The downside is that this breaks compatibility.  So W^X becomes a kind of all-or-nothing game.  If you had a piece of code for which there was no source and was incompatible with W^X then your whole system would have to not use W^X.  In a lot of cases this doesn't matter because OpenBSD doesn't allow things that Linux does like binary-only drivers.  However often enough you as the security professional don't get to make that choice.  For example I can set and enforce (sometimes ;-) ) standards but I rarely can dictate their implementation details to them vis-a-vis "Never use binary drivers".

Non-trivial isn't it?...and that's comparing just. one. mechanism.  While I think ASLR is a great idea because it is one of the few *proactive* mechanisms that have come out in the last ten years, I'd be an idiot if I were to treat it as the only thing that matters.

So as I've said before comparison of operating system "security" is subtle and nuanced and anyone who suggests it's cut-and-dried is probably telling you out of some combination of ignorance and/or deceit.  OpenBSD is good (Especially if you're writing code, I love having a rich crypto API guaranteed to be on any install), FreeBSD is good (but lacks some mechanisms that other OS's or even BSD's have), Linux is good (When patched with PaX and some kind of RBAC).  All of them can be secured by someone with the right knowledge.  Whether they can be secured to the needs of a particular project obviously depends on a myriad of other factors.

Hope that helps.

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
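The post above compares ASLR implementations by the "bit size for stack randomization" each provides. The following is an added example, not code from jgraham or from any of the projects he names (PaX, execshield, W^X); it measures that quantity empirically on a Linux box by launching a fresh process image repeatedly, recording the address of a stack local each time, and counting how many bit positions actually change. It assumes Linux (it re-executes itself through /proc/self/exe); the program and function names are this example's own.

```c
/* aslr_probe.c: estimate how many bits of the stack address are randomized.
 * Build: cc -O2 -o aslr_probe aslr_probe.c && ./aslr_probe
 * Assumption: Linux, so /proc/self/exe names the running binary.  The names
 * here are this example's own, not from PaX, execshield or OpenBSD's W^X. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Number of bit positions that take both the values 0 and 1 somewhere in the
 * sample.  A bit that is constant across every sample contributes nothing. */
int count_varying_bits(const uintptr_t *addrs, size_t n)
{
    if (n == 0)
        return 0;
    uintptr_t any_set = 0, all_set = ~(uintptr_t)0;
    for (size_t i = 0; i < n; i++) {
        any_set |= addrs[i];
        all_set &= addrs[i];
    }
    uintptr_t varying = any_set & ~all_set;   /* 1 in some samples, 0 in others */
    int bits = 0;
    for (; varying != 0; varying >>= 1)
        bits += (int)(varying & 1);
    return bits;
}

/* Run a fresh copy of this program n times in "--probe" mode and collect the
 * stack address each copy prints.  A plain fork() would NOT do: the child
 * inherits the parent's layout, and only exec() gives the kernel a chance to
 * choose new random bases.  Returns how many addresses were collected. */
size_t sample_stack_addresses(uintptr_t *out, size_t n)
{
    size_t got = 0;
    for (size_t i = 0; i < n; i++) {
        int fd[2];
        if (pipe(fd) != 0)
            break;
        pid_t pid = fork();
        if (pid < 0) {
            close(fd[0]);
            close(fd[1]);
            break;
        }
        if (pid == 0) {                        /* child: stdout -> pipe, re-exec */
            close(fd[0]);
            dup2(fd[1], STDOUT_FILENO);
            close(fd[1]);
            execl("/proc/self/exe", "aslr_probe", "--probe", (char *)NULL);
            _exit(127);                        /* exec failed */
        }
        close(fd[1]);
        FILE *in = fdopen(fd[0], "r");
        unsigned long long v;
        if (in != NULL && fscanf(in, "%llx", &v) == 1)
            out[got++] = (uintptr_t)v;
        if (in != NULL)
            fclose(in);
        else
            close(fd[0]);
        waitpid(pid, NULL, 0);
    }
    return got;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) {
        volatile char marker = 0;              /* a local: lives on this process's stack */
        printf("%" PRIxPTR "\n", (uintptr_t)&marker);
        return 0;
    }
    enum { SAMPLES = 64 };
    uintptr_t addrs[SAMPLES];
    size_t n = sample_stack_addresses(addrs, SAMPLES);
    if (n < 2) {
        fprintf(stderr, "could not collect samples\n");
        return 1;
    }
    printf("%zu fresh processes: %d stack-address bits varied (0 means ASLR is off)\n",
           n, count_varying_bits(addrs, n));
    return 0;
}
```

The count is a quick comparison number, not a rigorous entropy estimate: it reports which bit positions moved at all, so the low alignment bits of the stack never count and a bit that is randomized but heavily biased still counts as one. Run the same probe on each system you want to compare (and with randomization switched off, where the count should drop to zero) to see the difference the post is describing rather than arguing about it from documentation.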
kokjo
Legendary
*
Offline Offline

Activity: 1050

You are WRONG!


View Profile
June 22, 2011, 07:38:08 PM
 #199

now i got proof he is a stupid troll Cheesy
HE IS NO SECURITY EXPERT!
proof:
he doesn't even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he has difficulties figuring out what a serial port is Smiley lulz

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
jgraham
Full Member
***
Offline Offline

Activity: 140


<Pretentious and poorly thought out latin phrase>


View Profile
June 22, 2011, 11:25:42 PM
 #200

So given all the "BSD is hands down superior to Linux in terms of security" trash talk that's been going on around here.  See statements like this:

"*bsd is the first choice when security is the major concern, period. "
"I refuse to accept that BSD is as safe as linux."
"Use the right software. IIS is a big no-no Smiley Also Linux should frowned upon."
"My opinion is that FreeBSD is the most secure"
"it's well known that BSD is more stable, secure"

Imply to me (correctly or incorrectly) that Linux *can't* be secured as well as a BSD box.   Remember the context in all these posts was about Mt. Gox or enterprise systems in general.  So the idea that we are talking about some out-of-the-box hobbyist install seems unreasonable.  Clearly Mt. Gox hardened their system before deployment.   Likewise anyone deploying a system which contains sensitive information but is going to be on the internet would be expected to do the same.

So to hold such an opinion rationally suggests that such folk must know some way to circumvent a secured Linux box.

...and given what a kind-hearted gent I am I'd like to give them a chance to show me how.  So I'd like to discuss a B&E contest.  With some kind of prize say 20-30 BTC?  Off the top of my head the system should be a typical edge device (HTTP and/or email).

If you're interested post here with comments, questions or concerns (or perhaps I'll start a new thread).

Psst...BSD aficionados? That slapping sound? It's a gauntlet crossing your face. ;-)*

*Yes I know some of the excuses will be that it's not enough money or too much time...I'll just say "whatever" to those now.  Just to save time.

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
minerX
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 22, 2011, 11:29:11 PM
 #201

now i got proof he is a stupid troll Cheesy
HE IS NO SECURITY EXPERT!
proof:
he doesn't even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he has difficulties figuring out what a serial port is Smiley lulz

Dude I said this like 100 pages ago.  Even reviewing his bitcoin.org forum posts outside this thread it's very clear he has no idea what he is talking about.  He might have some buddy who is telling him random snippets of information to make him seem credible, but otherwise he is completely full of shit.

Troll.
jgraham
Full Member
***
Offline Offline

Activity: 140


<Pretentious and poorly thought out latin phrase>


View Profile
June 22, 2011, 11:32:14 PM
 #202

now i got proof he is a stupid troll Cheesy
HE IS NO SECURITY EXPERT!
proof:
he doesn't even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he has difficulties figuring out what a serial port is Smiley lulz

Dude I said this like 100 pages ago.  Even reviewing his bitcoin.org forum posts outside this thread it's very clear he has no idea what he is talking about.  He might have some buddy who is telling him random snippets of information to make him seem credible, but otherwise he is completely full of shit.

Troll.
Also...quoting from wikipedia and a textbook he downloaded.  I wonder if the other guy talking stats with him (equally vapidly) was his friend.

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
Jack of Diamonds
Sr. Member
****
Offline Offline

Activity: 252



View Profile
June 23, 2011, 12:43:51 AM
 #203

Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment

1f3gHNoBodYw1LLs3ndY0UanYB1tC0lnsBec4USeYoU9AREaCH34PBeGgAR67fx
minerX
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 23, 2011, 02:09:00 AM
 #204

Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment

Strangely enough it started as him quoting a security expert.  It has now regressed into HIM being the security expert. 

But I seriously don't think he will delete his posts.  He is the type that thinks he is right no matter what, even if the whole forum world is against him.
jgraham
Full Member
***
Offline Offline

Activity: 140


<Pretentious and poorly thought out latin phrase>


View Profile
June 23, 2011, 02:21:45 AM
 #205

Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment

Strangely enough it started as him quoting a security expert.  It has now regressed into HIM being the security expert. 

But I seriously don't think he will delete his posts.  He is the type that thinks he is right no matter what, even if the whole forum world is against him.
Really? Did he edit his posts or was that from another thread?

Besides he's kind of out-of-date.  Last year was the year every third person I met was a security consultant...this year they're all "Cloud Services" consultants. :-)

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
Horkabork
Full Member
***
Offline Offline

Activity: 140



View Profile
June 23, 2011, 02:31:09 AM
 #206

I just found out that, according to these standards, I am now apparently a security expert! Oh man I'm totally going to put this on my resume. I even know the "ls" command in linux. One time, I actually understood and laughed at an XKCD comic that said "sudo go make me a sandwich". That's like top level security expert qualifications right there.

Me: 15gbWvpLPfbLJZBsL2u5gkBdL3BUXDbTuF
A goat: http://i52.tinypic.com/34pj4v6.jpg
iBTC
Jr. Member
*
Offline Offline

Activity: 39


View Profile
June 23, 2011, 05:55:42 AM
 #207

Hope that helps.
It did help, thanks Grin

I won't mind if you sent me some BTC.
1UeuQxKG3dYgmT6FsbXrFJgdfFmwkczgM
BBanzai
Member
**
Offline Offline

Activity: 84



View Profile
June 23, 2011, 06:18:33 AM
 #208

Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips"  
I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.

I never had the chance to play with Itanium.


Anyhow I'm not sure that there's a real need for Itanium. It's so overpriced that many times it is out of the market.

Take this as an example: Do you really think that a closed source OS, deployed just on 400.000 machines, is going to be safer or more reliable than an open source OS on x86, at the same level of cost?
I am slow to respond, but I'm beating the same drum.  What equipment are your enemies using?  Which O.S.? Can you fight them as efficiently with your Linux Ninja stars and spears and your virtual drums?  Not recognizing that you, yourself, personally, are at war is the damndest downside to considering oneself an expert.  I'm not saying that you cannot win, just drawing attention to what I see as a basic problem.
muad_dib
Member
**
Offline Offline

Activity: 112


View Profile
June 23, 2011, 08:34:05 AM
 #209