Bitcoin Forum
December 11, 2016, 02:40:22 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 6 [7] 8 9 10 11 12 13 14 »  All
  Print  
Author Topic: About Mt. Gox flaw from a security expert  (Read 32145 times)
BBanzai
Member
**
Offline Offline

Activity: 84



View Profile
June 21, 2011, 05:18:37 AM
 #121

I actually had to skim after the third page...any of you "experts" running VMS?  If you're going to pose and strut about security and all.
1481424022
Hero Member
*
Offline Offline

Posts: 1481424022

View Profile Personal Message (Offline)

Ignore
1481424022
Reply with quote  #2

1481424022
Report to moderator
1481424022
Hero Member
*
Offline Offline

Posts: 1481424022

View Profile Personal Message (Offline)

Ignore
1481424022
Reply with quote  #2

1481424022
Report to moderator
1481424022
Hero Member
*
Offline Offline

Posts: 1481424022

View Profile Personal Message (Offline)

Ignore
1481424022
Reply with quote  #2

1481424022
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481424022
Hero Member
*
Offline Offline

Posts: 1481424022

View Profile Personal Message (Offline)

Ignore
1481424022
Reply with quote  #2

1481424022
Report to moderator
BBanzai
Member
**
Offline Offline

Activity: 84



View Profile
June 21, 2011, 05:27:16 AM
 #122

Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips" 
  I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.
iBTC
Jr. Member
*
Offline Offline

Activity: 39


View Profile
June 21, 2011, 05:56:59 AM
 #123

Unfortunately this topic has turned into a dick-measuring contest.

I won't mind if you sent me some BTC.
1UeuQxKG3dYgmT6FsbXrFJgdfFmwkczgM
dr.bitcoin
Newbie
*
Offline Offline

Activity: 28


View Profile
June 21, 2011, 05:57:43 AM
 #124

Wow, this thread was fun to read...
 Smiley Grin Angry Tongue Cry
jgraham
Full Member
***
Offline Offline

Activity: 140


<Pretentious and poorly thought out latin phrase>


View Profile
June 21, 2011, 06:01:35 AM
 #125

Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips" 
  I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.

I'm not an expert (someone with some particular level of expertise), I'm a professional (someone who does this for a living).  I haven't touched VMS since I was eighteen and was hired to develop for the Ministry of Education's 8530.  I admit I found DCL's parameters and qualifiers rather intuitive and I think I've always had some admiration for Cutler.

My only opinion here is that systems like these are difficult to compare.   For example VMS has a bunch of security certifications which is might be okay when comparing it against other proprietary systems with money behind them but few Linux distros would bother getting an E3 certification.  Especially since the common criteria covers IIRC hardware and software.   So it's not enough to certify Linux but if memory serves you would be certifying some collection of server + OS.  Which makes it of more value to those vendors who have control of the hardware and the software.

Otherwise what do we compare on?

Do we count flaws?  Hardly fair even if these counts existed since these systems are not nearly as widely used as Linux.
Features?  Does it do ASLR? Who knows? How much entropy is in their implementation?
See what I mean?

It's not as clear as comparing a Non-Stop system to a Linux system.

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
CubedRoot
Sr. Member
****
Offline Offline

Activity: 295


View Profile
June 21, 2011, 06:05:23 AM
 #126

Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the waters cold aint it?
iBTC
Jr. Member
*
Offline Offline

Activity: 39


View Profile
June 21, 2011, 06:08:10 AM
 #127

Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the waters cold aint it?
:]

I won't mind if you sent me some BTC.
1UeuQxKG3dYgmT6FsbXrFJgdfFmwkczgM
cuddlefish
Full Member
***
Offline Offline

Activity: 126



View Profile
June 21, 2011, 06:12:47 AM
 #128


As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability in strongly connected to Security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though freebsd update process is more obscure).

The table show us that if you want to be the most reliable, you need to choose unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even thought being freebsd smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 millions results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)


Anyhow let's put this way: My opinion is that FreeBSD is the most secure,  reliable and scalable OS. You think that Linux is more secure than FreeBSD.


The Linux kernel uptime rolls over at 497 days. The system doesn't go down, the uptime is just reset.

Linux, incidentally, has more eyes, so more seen bugs.

I like freebsd, but linux is much better for sysadmins.

BBanzai
Member
**
Offline Offline

Activity: 84



View Profile
June 21, 2011, 06:13:53 AM
 #129

Its been "Open" VMS for quite some time now.  I lost my hardon for programming about the time 386's became defacto...but as far as I can tell, real banks use VMS.  So go hack, kids.  And use a man's knife...I agree that the BSD's are hardened better than walking around scratching Linux, and Solaris is perhaps a better choice, again, because of who uses it.  But if you want a sword and a suit of armor, learn VMS.
BBanzai
Member
**
Offline Offline

Activity: 84



View Profile
June 21, 2011, 06:26:22 AM
 #130

And to the little mouse in the moon.  Arrogance will get you lots of places, but history says that you were blind.
jgraham
Full Member
***
Offline Offline

Activity: 140


<Pretentious and poorly thought out latin phrase>


View Profile
June 21, 2011, 06:37:06 AM
 #131

Its been "Open" VMS for quite some time now.  I lost my hardon for programming about the time 386's became defacto...but as far as I can tell, real banks use VMS.  So go hack, kids.  And use a man's knife...I agree that the BSD's are hardened better than walking around scratching Linux, and Solaris is perhaps a better choice, again, because of who uses it.  But if you want a sword and a suit of armor, learn VMS.

So are the default admin credentials still system/master on VMS?

Like I say it's not really that cut-and-dried are dozens of reasons to use an operating system that have nothing at all to do with security.  Even if you are a bank.  At the trust company I worked at we used VM/CMS.  Why?  Because we had an S/390 and we had a huge and profitable piece of software written for it.  Was the system secure?  Who knew? Although as time went on the edge systems were converted to AIX.


I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
BBanzai
Member
**
Offline Offline

Activity: 84



View Profile
June 21, 2011, 06:57:33 AM
 #132

Admittedly outside of my experience, but I'm embarrassed by the "experts" in here that are experts at catching low-hanging fruit.  Keep your enemies closer, as they say, what weapons do they wield?
muad_dib
Member
**
Offline Offline

Activity: 84


View Profile
June 21, 2011, 07:21:01 AM
 #133



You sound like a deuchebag.  Your original post and subsequent posts made me look at your posting history, and yup, you don't know shit.  

Maybe you missed all the insults I got.


edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.  




you simply need to read better my posts. If you lack basic reading skills is not my fault.


 1.  I am a Redhat Certified Engineer,


And I won a nobel for having the longest dick.

I'm sorrry but buying a certificate is not going to make you a more educated person. In my country we have something called "College Degree"

Moreover here we're discussing about facts, not people.
muad_dib
Member
**
Offline Offline

Activity: 84


View Profile
June 21, 2011, 07:22:36 AM
 #134



Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.


I don't think we need to run bitcoind on BSD. You can or you can't, depends on your choice.


The web frontend needs to run on bsd, FOR SURE.
jgraham
Full Member
***
Offline Offline

Activity: 140


<Pretentious and poorly thought out latin phrase>


View Profile
June 21, 2011, 07:39:48 AM
 #135

Maybe you missed all the insults I got.

The most recent thing you labeled a "insult" was my statement that you "betrayed your skillset".  Seems like you need reading lessons.
Quote from: misdirecting_dib
edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.  

you simply need to read better my posts. If you lack basic reading skills is not my fault.
And yet you said: "It's a question of counting flaws and measuring uptime."  Perhaps your huge ego has some room to accept the possibility that your problem with communication (and it's pretty clear you have one).  Is with the writer not your readers.

Quote from: malapropism_dib
The web frontend needs to run on bsd, FOR SURE
What happened to talking about facts?  That's just conjecture.

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
muad_dib
Member
**
Offline Offline

Activity: 84


View Profile
June 21, 2011, 07:41:54 AM
 #136


i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.  


Please, go to the authors of Wayland and stop them while you're still in time!!!

X can be patched! we dont need wayland!!!!

Quote

ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.


the fact is that the website is not safe TODAY not tommorrow.

With all the money they have, they can buy a lot of manhours for debugging.

Quote

These two assumptions make me wonder if you've every really been involved in large-scale development work.

Anyway looks like the mouse has taken his ball and gone home...

this sentence give me the proof that not only you lack basic reading skills, but you also lack reasoning skills.
muad_dib
Member
**
Offline Offline

Activity: 84


View Profile
June 21, 2011, 07:50:47 AM
 #137


I realized this guy was a dumbass when I read number 1.  I am a Redhat Certified Engineer, and I have several close friends and co-workers that are Linux Administrators for DoD, ORNL, and Y-12 (All in Tennessee).  Here is a reason why every single freaking one of these institutions rely on LINUX (mostly RHEL) for the utmost security. The OP has obviously no idea what SELinux is or just how actually secure it is.  Its a shame there are so many self declared "security experts" involved with Bitcoin.  I am no expert, but I do know my ass from a hole in the ground. 

You know? You're funny.

You call yourself engineer because you bought a piece of paper, still you dont know that SElinux is not only for linux. But obviously you saw linux in the name, and tried to make a conclusion.


You call yourself an engineer, still you don't know that there are much better ways to secure a webserver, which aren't going to stop some of your services.
muad_dib
Member
**
Offline Offline

Activity: 84


View Profile
June 21, 2011, 07:52:17 AM
 #138


What happened to talking about facts?  That's just conjecture.

I got bored of you flamers.


You discuss like you're an expert about selinux, still you missed that it isn't just for linux.


You can't know how funny your people are.

The problem is that I can't joke all day long, I've got a job. Unlike some of you Smiley
jgraham
Full Member
***
Offline Offline

Activity: 140


<Pretentious and poorly thought out latin phrase>


View Profile
June 21, 2011, 07:52:26 AM
 #139

i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.  
Please, go to the authors of Wayland and stop them while you're still in time!!!
X can be patched! we dont need wayland!!!!

Well I guess you don't win any reading awards.

Quote
ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.
Quote
the fact is that the website is not safe TODAY not tommorrow.
If it will take a month to rewrite the code from scratch, do all end-to-end testing and it is considered infeasible to take the site down.  Then the site will be up whether they are re-writing the code or not.  So you might as well write the new code.  Clearly your experience with SDLC is a little thin.


Quote
These two assumptions make me wonder if you've every really been involved in large-scale development work.

I think this point stands mousey!

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
BBanzai
Member
**
Offline Offline

Activity: 84



View Profile
June 21, 2011, 07:53:56 AM
 #140

Ahhhh, little mouse, still boxing with shadows when you could be saving the world?  I expected better of an Atreides.
Pages: « 1 2 3 4 5 6 [7] 8 9 10 11 12 13 14 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!