Bitcoin Forum
Author Topic: About Mt. Gox flaw from a security expert  (Read 32081 times)
cunicula (Hero Member), June 21, 2011, 06:50:07 PM, #181

I agree that you largely understand what you are talking about (as far as statistics) and that your English could be the primary cause of residual confusion. However, you are still making overly confident statements, without taking a 'wikipedia moment' to verify them.

Quote
Anyhow I would like to point out to you that a statistic IS NOT a random variable.
http://en.wikipedia.org/wiki/Statistic

muad_dib (Member), June 21, 2011, 06:52:24 PM, #182

Quote
LOL *rolls on floor laughing*. That's a good one! You do realise that we're talking about kernels here, right? Compilers don't know about page tables, or context switching, or power management, or interrupts (on most platforms), or any of a number of important architecture-specific things that kernels need to manage. The code to handle this is in the architecture-dependent arch/ directories of the Linux kernel. (I believe the BSDs handle the separation between architecture-independent and architecture-specific code differently. Never used them though.)


I'm not saying the code is the same. I'm saying that the toolchain handles this.


Quote
Android is not Linux. Developing Android drivers and porting it to a new hardware platform is not that similar to developing Linux drivers and porting that to a new platform. Android's based on the Linux kernel, but it has enough fundamental changes to the driver APIs that they're not really compatible.

I'm not sure I see your point.

jgraham (Full Member), June 21, 2011, 07:07:27 PM, #183

Quote
I agree that you largely understand what you are talking about (as far as statistics)


Uh really?  So you really think that calculation is meaningful?   How about you tell me why you think that.

Sorry if I'm making a broad assumption here but I'm getting the idea that you two are just trading wikipedia references.

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
muad_dib (Member), June 21, 2011, 07:17:33 PM, #184

Quote
I agree that you largely understand what you are talking about (as far as statistics)

I'm grateful that I'm not the only one who tries to step down this flamewar


 

Quote
and that your English could be the primary cause of residual confusion.
However, you are still making
overly confident statements,

You are probably right, still I see some of the posters of this thread as haters.

When I say:

Quote
Also Linux should be frowned upon

I'm not saying that linux is not secure. But just as I refuse to think that IIS+windows is as safe as LAMP, I refuse to accept that BSD is as safe as linux.

Moreover if the subject is defended by people who think that SElinux is a flexible linux distro, or who state that they are able to read 10 million lines of code as if it was water.

Quote
without taking a 'wikipedia moment' to verify them. Anyhow I would like to point out to you that a statistic IS NOT a random variable.
http://en.wikipedia.org/wiki/Statistic

I love wikipedia, but I have to say that it is not the most reliable source when you're dealing with science.

The fact that wikipedia says:

A statistic is an observable random variable

moreover writing observable in italics, should suggest to you that the author is trying to explain a very complex concept with a very short description.

Behind this there's one of the biggest problems of modern mathematics, which goes under the name of measure theory.

I do personally refuse to accept the Kolmogorovian axioms or the existence of real numbers, and this forces me to use a much stricter formulation of statistical theory. But even without these two problems, defining a statistic as a random variable is a stretch.

Maybe if you have this book (it's the bible of statistics, it can be easily found in any scientific library) I could point you to some deeper analysis.

Vladimir (Hero Member), June 21, 2011, 07:25:07 PM, #185

Come on people, arguing about what is more secure, Linux or BSD, is so irrelevant when the sysadmin has hands growing out of his backside. And frankly, in the real world the latter is usually the case.

jgraham (Full Member), June 21, 2011, 07:28:50 PM, #186

Quote
I'm grateful that I'm not the only one who tries to step down this flamewar
There actually isn't a flamewar going on. What there is, is the alternation between your off-the-chart arrogance and your refusal to elucidate (and your pretty compulsive need to denigrate folks). You have painted yourself as the provocateur while taking on the role of the victim. Perhaps you only see a fight because you are looking for one, eh?
 
Quote
You are probably right, still I see some of the posters of this thread as haters.
Actually that's a good illustration there. The last thing I read you labeled as an "insult" was how I had said you "betrayed your skillset". Sounds like that could easily be you looking for an opportunity to take offense.
Quote
I'm not saying that linux is not secure. But just as I refuse to think that IIS+windows is as safe as LAMP, I refuse to accept that BSD is as safe as linux.

Good choice of words.  "Refuse to accept" this illustrates well how what we are observing with you is a non-rational process.

Quote
Moreover if the subject is defended by people who thinks that SElinux is a flexible linux distro,

Hmmm...again you are kind of making things up.  There's nowhere where anyone said or implied that.

Quote
Maybe if you have this book (it's the bible of statistic, it can be easily found in any scientific library) I could point you to some deeper analysis.

That's an old horse isn't it?  The old "Well you just have to read this book" dodge.  LOL.

Webengers (Jr. Member), June 21, 2011, 08:29:43 PM, #187


Quote
As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Quote
Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though the FreeBSD update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose Unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 million results

Google "Hacked by"+ Freebsd: 230,000 results (one fold less!!!)


Anyhow let's put this way: My opinion is that FreeBSD is the most secure,  reliable and scalable OS. You think that Linux is more secure than FreeBSD.


Quote
I totally agree with you on this metric. Obviously, it follows with what I, a bona-fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy.

Google agrees with me, as "Hacked by"+"virtual boy" has a mere 61,300 results.

Prove me wrong. I dare you, because I just bought a pair of x-pert system II zookas and a nintendo power glove. It's hooked to my keytar, with a wii wammy bar and a silicon 3d aggregator nanostruts mashup through UG ajax immersion portals.

Obviously, this is all coded in COBOL. It's the safest language.

Haha, agreed. I'm not a Linux fanboy, but as soon as he started touting the security benefits of FreeBSD over the security benefits of Linux he loses all credibility. The services that are normally exploited are generally run by multiple Unix clones. Securing a system takes an experienced *nix sysadmin and someone who understands networking and routing thoroughly, that's it.
jgraham (Full Member), June 21, 2011, 08:56:57 PM, #188

Quote
Haha, agreed. I'm not a Linux fanboy, but as soon as he started touting the security benefits of FreeBSD over the security benefits of Linux he loses all credibility. The services that are normally exploited are generally run by multiple Unix clones. Securing a system takes an experienced *nix sysadmin and someone who understands networking and routing thoroughly, that's it.

...or the places where FreeBSD had to take stuff from Linux to secure itself.

As I've been saying from the beginning, anyone who asserts there is some clear winner in "security" will probably fail in one of two things:


i) Defining "security" generally.

muad_dib, while he did provide a definition, gave a rather incomplete one: he said that "It's a matter of counting flaws and uptime". Especially when you consider he is talking about reported flaws (the vast majority of which have been fixed), not taking into account standard modeling practices, or providing a reference as to whether uptime (or how much of it) is the result of security events. In fact, as you can see from the way he tends to use data, he assumes that not only is ALL uptime security related but with almost zero variance.

ii) Defending the point that system X is actually better by these criteria.

Similarly muad_dib gave us very little. A database of flaws that are largely fixed. No rationale as to why that means anything, and some top 40 hosting services reliability index with no rational reason why things like DNS latency should be considered part of the equation. A constant reference to the "top three" but a casual ignoring of the bottom two FreeBSD machines which were an order of magnitude worse than any other system at all. Oh and some silly evaluation from ten years ago with rather subjective and unweighted evaluations....using "smiley" and "frowny" faces as the markers of better or worse systems. Really. He even called this "objective" data.

akcom (Newbie), June 21, 2011, 10:47:32 PM, #189

You people get so caught up arguing over every unimportant little nuance you've forgotten the point: mtgox is completely insecure. Do you really believe someone had 500,000 BTC in their account? Yeah right. mtgox's account was hacked. They're making tons of money but make no investment to fix their piss poor security.

As for this linux *bsd debate, I see a lot of people talking out their rear.  Reading wikipedia does not make you a security expert.  Running gentoo does not make you a linux expert.  And neither of these things qualify you to speak on the topic of network security.  *bsd is the first choice when security is the major concern, period.  Google bsd security if you don't believe me.
cunicula (Hero Member), June 22, 2011, 01:13:34 AM, #190

Quote
defining a statistic as a random variable is a stretch.

Maybe if you have this book (it's the bible of statistic, it can be easily found in any scientific library) I could point you to some deeper analysis.

Don't have that text on my computer, but surely you would accept a quote from the same author's "Introduction to Mathematical Statistics."

Definition 1. A function of one or more random variables that does not depend upon any unknown parameter is called a statistic. ...
It is quite clear that a statistic is a random variable. In fact, some probabilists avoid the use of the word "statistic" altogether, and they refer to a measurable function of random variables as a random variable."
Ch 4. p122-123

I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

jgraham (Full Member), June 22, 2011, 01:15:19 AM, #191

Quote
You people get so caught up arguing over every unimportant little nuance you've forgotten the point: mtgox is completely insecure. Do you really believe someone had 500,000 BTC in their account? Yeah right. mtgox's account was hacked. They're making tons of money but make no investment to fix their piss poor security.
Soooooo if it was hacked why did most of the transactions come from one account? If they had kept them all separate and made separate withdrawals it would have increased their take and slowed their discovery. Instead they took a whole extra step to consolidate all their accounts.

Quote
As for this linux *bsd debate, I see a lot of people talking out their rear.

Me too.

Quote
Reading wikipedia does not make you a security expert.  Running gentoo does not make you a linux expert.  And neither of these things qualify you to speak on the topic of network security.  *bsd is the first choice when security is the major concern, period. 
Similarly saying "first choice" doesn't make it so. Saying "period" doesn't really make your case any stronger. In fact asserting things when allegedly the evidence is easily found but somehow you just couldn't bring yourself to link to it....kind of weakens your case doesn't it?

FreeBSD is a fine operating system, so is OpenBSD.  At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.   Feature parity is reached and some of Theo D's decisions over the last five years have been...idiosyncratic. 

jgraham (Full Member), June 22, 2011, 01:19:50 AM, #192

Quote
I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

Lots of book quoting there.   Any chance you'll get around to answering my question?

cunicula (Hero Member), June 22, 2011, 01:40:30 AM, #193

Quote
Lots of book quoting there. Any chance you'll get around to answering my question?

Sorry, the topic of my posts was the OP's use of statistical terms and how misuse of terminology might make him appear to readers.

I don't know anything about OS security and I don't have an opinion about the OP's OS security argument. Need to know a lot about the data generating process to assess whether a raw correlation is meaningful. OP's data (if they exist) might not be from a random sample. Even if they are, operating system use is a choice variable (not randomly assigned). Security metric used by OP may or may not be a good metric.

Not responding anymore to this thread, so please bait someone else.
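cunicula's point above (and Vladimir's earlier one in #185 about the sysadmin) is that a raw "breach rate per OS" comparison says nothing when the OS is chosen by the same admin whose competence drives the breach rate. The simulation below is an added example, not code from either poster: it builds a toy population in which the OS has no effect on breaches at all by construction, yet the raw comparison shows a large gap because competent admins in the model happen to prefer one OS (the direction is an arbitrary assumption; swap it and the lesson is unchanged). Stratifying by admin skill, or assigning the OS at random as an experiment would, makes the gap disappear. All parameters are assumptions for illustration, not measured values.

```python
import random
from collections import defaultdict

# Toy model parameters (assumptions for illustration, not measurements).
# Breach probability depends on the admin's skill only; the OS has no effect.
P_SKILLED = 0.5               # share of deployments run by a competent admin
P_FREEBSD_IF_SKILLED = 0.8    # competent admins in this model tend to pick FreeBSD
P_FREEBSD_IF_UNSKILLED = 0.2  # (arbitrary direction; the confounding is the point)
P_BREACH_IF_SKILLED = 0.05
P_BREACH_IF_UNSKILLED = 0.30


def simulate_deployments(n, seed=2011, randomize_os=False):
    """Return (os_name, skilled, breached) tuples for n simulated servers.

    With randomize_os=True the OS is assigned by coin flip, as in an experiment;
    otherwise the admin chooses it, so OS choice is correlated with skill.
    """
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        skilled = rng.random() < P_SKILLED
        if randomize_os:
            p_freebsd = 0.5
        else:
            p_freebsd = P_FREEBSD_IF_SKILLED if skilled else P_FREEBSD_IF_UNSKILLED
        os_name = "freebsd" if rng.random() < p_freebsd else "linux"
        p_breach = P_BREACH_IF_SKILLED if skilled else P_BREACH_IF_UNSKILLED
        rows.append((os_name, skilled, rng.random() < p_breach))
    return rows


def breach_rate_by(rows, key):
    """Breach rate per group; key(row) picks the grouping (OS alone, or OS and skill)."""
    breached = defaultdict(int)
    total = defaultdict(int)
    for row in rows:
        k = key(row)
        breached[k] += row[2]   # bool counts as 0/1
        total[k] += 1
    return {k: breached[k] / total[k] for k in total}


def by_os(row):
    return row[0]


def by_os_and_skill(row):
    return (row[0], row[1])


if __name__ == "__main__":
    rows = simulate_deployments(40_000)
    # Raw comparison: looks like a big OS effect (about 0.25 vs 0.10 in expectation).
    print("raw, OS chosen by admin:  ", breach_rate_by(rows, by_os))
    # Same data stratified by skill: the OS gap vanishes within each stratum.
    print("stratified by admin skill:", breach_rate_by(rows, by_os_and_skill))
    # Randomised assignment: the raw comparison is now honest, and shows no gap.
    rnd = simulate_deployments(40_000, randomize_os=True)
    print("OS randomly assigned:     ", breach_rate_by(rnd, by_os))
```

The expected raw rates work out analytically to 0.25 for linux and 0.10 for freebsd, a 2.5x "effect" produced entirely by who chose which OS; within each skill stratum both rates equal the stratum's breach probability. Real vulnerability counts, uptime tables or "Hacked by" search hits are open to exactly this kind of confounding, which is why the data generating process has to be understood before any of them is read as evidence about the OS.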

jgraham (Full Member), June 22, 2011, 02:14:01 AM, #194

Quote
Sorry, the topic of my posts was the OP's use of statistical terms and how misuse of terminology might make him appear to readers.
My question was also about his use of terminology. I asked you how you found any of the statistical information muad_dib posted actually meaningful. Most of the time he seemed to just be splattering statistical terms without any consideration as to what outcome he was trying to determine. He used terms like hypothesis testing and confidence levels but was clearly missing knowledge: he didn't seem to understand that you can't just arbitrarily choose a CL post-hoc and make your result more "meaningful". So it didn't really seem he knew how to apply them or what their limitations are.

There's a salient difference between someone who actually *does* statistics and someone who simply *performs* them. The former understands how the operations they are performing actually work, so they reflexively know the limitations, what kind of data you need, what kind of tests get what kind of result. If you talk to this kind of person the first words out of their mouth are about framing the problem and the next are about framing the data. I found it interesting that instead of criticizing his almost entire lack of explanation of how the statistical operations he alluded to actually gave *any* kind of meaningful result, you wanted to talk about the definition of the term "statistic" - over and over again.

Quote
Need to know a lot about the data generating process to assess whether a raw correlation is meaningful. OP's data (if they exist) might not be from a random sample. Even if they are, operating system use is a choice variable (not randomly assigned). Security metric used by OP may or may not be a good metric.

Actually I didn't necessarily ask if it was a good metric.  I just asked what made you think what he said was meaningful.   You would, or should know that to a point you can analyze the approach someone is taking.  This would drive you to want to know about their data.  You had no questions about that at all.  All you were on about were things that you could validate if you say...read a web page about statistics.
Quote
Not responding anymore to this thread, so please bait someone else.
Guess you had to get out of this jam somehow.

muad_dib (Member), June 22, 2011, 06:18:06 AM, #195



Quote
Don't have that text on my computer, but surely you would accept a quote from the same author's "Introduction to Mathematical Statistics."

Definition 1. A function of one or more random variables that does not depend upon any unknown parameter is called a statistic. ...
It is quite clear that a statistic is a random variable. In fact, some probabilists avoid the use of the word "statistic" altogether, and they refer to a measurable function of random variables as a random variable."
Ch 4. p122-123


This is a simplification. The author correctly says that SOME probabilists do this. Even if most mathematicians accept real numbers this doesn't mean they exist.

I couldn't find the book you refer to in the torrent, so let's take again wikipedia:

http://en.wikipedia.org/wiki/Random_variable#Functions_of_random_variables

Quote
If we have a random variable  on  and a Borel measurable function , then  will also be a random variable on , since the composition of measurable functions is also measurable.

What if my statistic is a composition of measurable and non-measurable functions?

It can be non-measurable for many reasons:

1) The statistic domain is non-measurable

2) The statistic itself is non-measurable

3) The statistic works on infinite vector spaces

The situation is much more complex than how you want to picture it.

Quote
I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

I don't have a good answer for this. Again I see people making wrong affirmations and insulting others, still I'm the one to calm down?

Just like you're doing now: you don't know my background, still you accuse me of being in over my head. If I were in the university I would take out my papers and my citations, and I would ask you to do the same. On the internet it is different, so please refrain from speaking about people's ability, if you are not sure.
iBTC (Jr. Member), June 22, 2011, 11:30:43 AM, #196

Quote
At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.
But -in your opinion- it's still good security-wise, right?
If not, do you care to explain more?

I won't mind if you sent me some BTC.
1UeuQxKG3dYgmT6FsbXrFJgdfFmwkczgM
kokjo (Legendary), June 22, 2011, 12:05:36 PM, #197

@muad_dib:
I am now going to cut it out for you:

if you look at wikipedia: http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Servers
you can see that the usage of BSD is between 2.4% and 5.35%.
and Linux is between 16.9% and 74.29%

we can therefore conclude that Linux is more used than FreeBSD.
and we can assume that Linux is getting more attention from hackers and security experts.
because of that we can assume that Linux will be exploited more.
and if there are more security holes found in Linux, they will also be fixed.

in FreeBSD, which does not get as much attention as Linux, we can assume that people are not finding the hacks/exploits.
and the holes will not get fixed!

if you can't follow my very simple argument, please feel free to ask.

@to all others:
HE IS A TROLL!

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
jgraham (Full Member), June 22, 2011, 03:03:03 PM, #198

Quote from: trollboy
Even if most mathematicians accept real numbers this doesn't mean they exist.
There are plenty of deep thoughts about the "reality" of the reals. Even some fun ones like Borel's all-knowing number, but your argument is essentially claiming that cunicula is making an ad populum fallacy. All that aside, what few mathematicians would deny is the necessity of the reals. Which is, incidentally, all that's required to talk about - you know - your approach and metrics with regard to security.

Quote from: trollboy
What if my statistic is a composition of measurable and non-measurable functions?
Why not give us a concrete example from a field of our choice of this kind of statistic?

Quote from: trollboy
I don't have a good answer for this. Again I see people making wrong affirmations

How do you know they're wrong?  Perhaps you're drawing wrong conclusions based on your poor language skills?  Like you did with the exchanges about SELinux.  Hmm...a concrete example of you being wrong but...no examples of these other people making "wrong affirmations".  Strange!

Quote from: trollboy
and insulting others,
Where "insult" can mean just about anything I guess.  Given again that to you "betraying your skillset" can be an insult.  Rather than simply an example of you not understanding the term.  Also considering that you have laid out as many or more (real) insults - in some case to people who had not insulted you.  (Oh and you continue to send them to me privately - very classy!)  
Do you really think you've got any moral high ground left here?

Here's a real gem:

Quote from: trollboy
Please respect my objective opinion. I will respect your personal belief.

....and somehow you think you thought this would go over well.

Quote from: trollboy
still I'm the one to calm down?

Are you admitting you're not calm here? Anyway, I'd say that you need to simply be open to explaining yourself. You know, like you haven't been doing this entire time. Your arguments should stand on their own. Not turn into some nonsense expression of your arrogance. That somehow everyone must bow to your opinion - with little or no explanation. Yeah, real humble.

Quote from: trollboy
Just like you're doing now: you don't know my background, still you accuse me of being over my head.
...and by the same token.  You don't know his so how do you know he is wrong?

Quote from: trollboy
If I were in the university I would take out my papers and my citations, and I would ask you to do the same.

Who cares. As someone who works in academia I can tell you there are plenty of profs who talk through their asses. Especially if, for example, they are talking outside of their field. i.e. While engineers, medical researchers, and even some lowly security personnel are bright people and use statistics daily - sometimes even correctly ;-) - they are still 'out-of-field' when talking *about* statistics. In the same way that driving a car to work every day doesn't make someone a mechanic.

Quote from: trollboy
On the internet is different, so please refrain to speak about people's ability, if you are not sure.
Shall I quote all the places you've done this about other people in this thread without having objective evidence?  Hmmm?  All the insults you laid out to people like kokjo?

Quote
At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.
But -in your opinion- it's still a good security-wise, right?
If not, do you care to explain more?

Sorry if this is a broader answer than you were wanting but...
I don't have an opinion on the security of say OpenBSD in a broad sense because I don't have a useful general definition of "security".  

What I do see is that OpenBSD has similar *mechanisms* to secure itself when compared against say Linux. There is also a group of people concerned with the security of the OS and there exists a body of knowledge on securing the system.  These are all positive things.   There may be various advantages and disadvantages to individual elements but it's not always easy to judge this kind of thing.

For example: let's focus on one talking point I've mentioned a number of times (or perhaps 'harped on' ;-) ). ASLR - PaX (which is available through a series of patches to the Linux kernel or pre-patched sources from the Gentoo hardened branch or from pre-compiled kernels) does the most complete job of address randomization. Better than execshield (which is what RH and other Linuxes use OOTB), and W^X (in OpenBSD). For example the bit size for stack randomization in PaX is double that of W^X. There are also fewer guarantees as to what will or won't be protected using W^X. Especially with regard to the kernel - as of the last release I looked at. A problem with the kernel stack will not be prevented by W^X.

That said PaX needs to be enabled whereas W^X is available out of the box (so is execshield btw). This is a double-edged sword. In one case W^X protects everything in userspace because what's patched is not the kernel calls but malloc. The downside is that this breaks compatibility. So W^X becomes a kind of all-or-nothing game. If you had a piece of code for which there was no source and which was incompatible with W^X then your whole system would have to not use W^X. In a lot of cases this doesn't matter because OpenBSD doesn't allow things that Linux does like binary-only drivers. However often enough you as the security professional don't get to make that choice. For example I can set and enforce (sometimes ;-) ) standards but I rarely can dictate implementation details vis-a-vis "Never use binary drivers".

Non-trivial isn't it?...and that's comparing just. one. mechanism. While I think ASLR is a great idea because it is one of the few *proactive* mechanisms that have come out in the last ten years, I'd be an idiot if I were to treat it as the only thing that matters.

So as I've said before comparison of operating system "security" is subtle and nuanced and anyone who suggests it's cut-and-dried is probably telling you out of some combination of ignorance and/or deceit. OpenBSD is good (especially if you're writing code, I love having a rich crypto API guaranteed to be on any install), FreeBSD is good (but lacks some mechanisms that other OSes or even BSDs have), Linux is good (when patched with PaX and some kind of RBAC). All of them can be secured by someone with the right knowledge. Whether they can be secured to the needs of a particular project obviously depends on a myriad of other factors.

Hope that helps.

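jgraham's post compares how many address bits PaX, execshield and W^X actually randomise, and how a W^X policy refuses writable-and-executable memory. Rather than take any of those numbers on faith, a practitioner can measure them on the box in front of them. The script below is an added example, not code from the post or from the PaX, execshield or OpenBSD projects: it launches fresh interpreters, reads each one's /proc/self/maps (so the live measurement assumes Linux), and counts which bits of the executable, heap, libc and stack base addresses changed between launches. It also asks the kernel for an anonymous read-write-execute page, which stock Linux grants and a PaX MPROTECT or kernel-enforced W^X policy refuses. The two maps excerpts embedded in the script are constructed for the example and the test, not captures from a real host.

```python
import mmap
import os
import re
import subprocess
import sys

# One line of /proc/self/maps: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Pick the start address of the regions ASLR is supposed to move around."""
    regions = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start = int(m.group(1), 16)
        path = m.group(4).strip()
        if "exe" not in regions and path.startswith("/"):
            regions["exe"] = start           # lowest file-backed mapping: the main executable
        if path == "[heap]":
            regions.setdefault("heap", start)
        elif path == "[stack]":
            regions.setdefault("stack", start)
        elif re.match(r"libc[.-]", os.path.basename(path)):   # libc.so.6 or libc-2.xx.so
            regions.setdefault("libc", start)
    return regions


def varying_bits(addresses):
    """Count the address bits that differed across the samples.

    This is a lower bound on the randomisation entropy: a bit that never flipped
    in n samples may still be randomised, but a bit that did flip certainly is.
    The low 12 bits never vary because mappings are page aligned.
    """
    mask = 0
    for a in addresses[1:]:
        mask |= a ^ addresses[0]
    return bin(mask).count("1")


def summarize(parsed_samples):
    """Map each region name to the number of bits seen to vary across samples."""
    result = {}
    for name in ("exe", "heap", "libc", "stack"):
        addrs = [p[name] for p in parsed_samples if name in p]
        if len(addrs) >= 2:
            result[name] = varying_bits(addrs)
    return result


def sample_maps(n):
    """Launch n fresh interpreters and collect their /proc/self/maps (Linux only)."""
    cmd = [sys.executable, "-c",
           "import sys; sys.stdout.write(open('/proc/self/maps').read())"]
    return [subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
            for _ in range(n)]


def rwx_mapping_allowed():
    """Ask the kernel for an anonymous page that is writable and executable at once.

    True: permitted (stock Linux). False: refused, as under PaX MPROTECT or a
    kernel-enforced W^X policy. None: this platform's mmap has no prot flags.
    """
    if not hasattr(mmap, "PROT_EXEC"):
        return None
    try:
        m = mmap.mmap(-1, mmap.PAGESIZE,
                      prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    except OSError:
        return False
    m.close()
    return True


# Constructed excerpts of two maps captures (not from a real host), used as
# input when /proc is unavailable and by the test. libc and stack are deliberately
# identical in both so that an unrandomised region shows up as 0 varying bits.
SAMPLE_A = """\
55d0c0a00000-55d0c0a01000 r--p 00000000 08:01 1234   /usr/bin/python3.11
55d0c1f00000-55d0c1f21000 rw-p 00000000 00:00 0      [heap]
7f3a9c000000-7f3a9c022000 r--p 00000000 08:01 5678   /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2e1c0000-7ffd2e1e1000 rw-p 00000000 00:00 0      [stack]
"""
SAMPLE_B = """\
5601a2c00000-5601a2c01000 r--p 00000000 08:01 1234   /usr/bin/python3.11
5601a3e00000-5601a3e21000 rw-p 00000000 00:00 0      [heap]
7f3a9c000000-7f3a9c022000 r--p 00000000 08:01 5678   /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2e1c0000-7ffd2e1e1000 rw-p 00000000 00:00 0      [stack]
"""

if __name__ == "__main__":
    texts = sample_maps(32) if os.path.exists("/proc/self/maps") else [SAMPLE_A, SAMPLE_B]
    for region, bits in sorted(summarize([parse_maps(t) for t in texts]).items()):
        print(f"{region:6s} {bits:2d} address bits varied")
    print("RWX anonymous mapping allowed:", rwx_mapping_allowed())
```

Run it on a stock distribution kernel and on one with PaX (or with kernel.randomize_va_space changed) and the per-region bit counts are what the post's "double the bit size" claim cashes out to; an exe count of 0 means the interpreter is not a PIE, and a heap count of 0 means brk randomisation is off. The counts converge upward as the sample size grows, so compare runs of equal length, and note that "RWX allowed" coming back True is the normal, unhardened Linux answer.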
kokjo (Legendary), June 22, 2011, 07:38:08 PM, #199

now I've got proof he is a stupid troll
HE IS NO SECURITY EXPERT!
proof:
he doesn't even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he has difficulties figuring out what a serial port is, lulz

jgraham (Full Member), June 22, 2011, 11:25:42 PM, #200

So given all the "BSD is hands down superior to Linux in terms of security" trash talk that's been going on around here.  See statements like this:

"*bsd is the first choice when security is the major concern, period. "
"I refuse to accept that BSD is as safe as linux."
"Use the right software. IIS is a big no-no. Also Linux should be frowned upon."
"My opinion is that FreeBSD is the most secure"
"it's well known that BSD is more stable, secure"

imply to me (correctly or incorrectly) that Linux *can't* be secured as well as a BSD box. Remember the context in all these posts was about Mt. Gox or enterprise systems in general. So the idea that we are talking about some out-of-the-box hobbyist install seems unreasonable. Clearly Mt. Gox hardened their system before deployment. Likewise I'd expect anyone deploying a system which contains sensitive information but is going to be on the internet to do the same.

So to hold such an opinion rationally suggests that such folk must know some way to circumvent a secured Linux box.

...and given what a kind-hearted gent I am I'd like to give them a chance to show me how.  So I'd like to discuss a B&E contest.  With some kind of prize say 20-30 BTC?  Off the top of my head the system should be a typical edge device (HTTP and/or email).

If you're interested post here with comments, questions or concerns (or perhaps I'll start a new thread).

Psst...BSD aficionados? That slapping sound? It's a gauntlet crossing your face. ;-)*

*Yes I know some of the excuses will be that it's not enough money or too much time...I'll just say "whatever" to those now.  Just to save time.
