I work with vending machines and payment solutions (POS, ATMs, ...)

Meaning you refill them?

Seriously that doesn't necessitate knowing about secure coding or securing machines.

I have a master's in applied mathematics. My areas of strength are numerical statistics, cryptography and game theory.

Doubtful. At least not from a real university.

I mean look at this:

Given that parameter Psi = [ ( # of serious security flaws - 1 ) / ( # of running systems )^2 ] remapped in [0, 1]

Assuming there is some complete definition somewhere for "serious". This gives us the number of flaws per system squared.

While there is zero explanation as to what he's attempting to do here, this looks, on the surface anyway, like something from manufacturing QA where you would have various kinds of potential equipment failures, for which you could determine a rough upper bound by, say, running a thousand widgets through their paces. Then it might make sense to distribute these flaws across the number of machines in the field to get some kind of statistic about the probability that an individual machine would fail.

However, I think it's obvious to most of us that software flaws don't work that way. Given a particular purpose (web server) and an operating system of a particular vintage with no other security devices present, all systems would possess any unpatched bugs. This of course raises the question of whether maud_dib was counting bugs that were, for the vast majority, patched instead of unpatched bugs. It's also far more difficult to find the upper bound for the number of security flaws. You can't just run a bunch of Linux boxes in a room and see which ones get hacked.

So, on the surface anyway, this looks like someone who has lifted a formula out of some book (IIRC he even specified one on quality control or something) and has wrongly applied it to software development. Like I said before, math isn't magic: the integral of "Batman" isn't "Bruce Wayne".

On to exhibit B:

Do you agree that, with a confidence level of 0.99, the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Again, zero information as to what he is trying to do here, but given that he's only specifying what the confidence level is without telling us how that affects the confidence interval, it's questionable that he really knows what he's doing.

Just to give you an idea as to how these statistics might be used, here's an example: Suppose I had a sample of 100 Linux machines from a population of 10000 and also suppose I had a similarly qualified sample of 100 FreeBSD machines from a population of 1000. Now also suppose I know that 50% of the Linux machines had a compromise in the last year but only 45% of the BSD machines were compromised. It would be useful to know if this difference is significant:

Assuming our populations are normally distributed, we can determine that the confidence interval for both figures is around +/- 12% (there are lots of calculators on the net that will do this for you). So that means that the "real" ratio of Linux compromises is from 38%-62% and the FreeBSD compromises is around 33%-57%. This is what some might call "more differentiation within the groups than between the groups", which is a sign that the difference is not significant.

Then he starts talking about correlation, which again, if we're talking about categoricals (values that are assigned to a particular category, like 1 = Linux, 2 = BSD) and you had some outcome like system uptime, the usual way to approach that is with an ANOVA.

In fact, if you recall my statistical indicator PSI, it is taken from the PCI DSS literature.

If it is it would be nice for him to cite which version, which document and which page...just sayin'

I quoted it because some people said they were confident with PCI DSS, still they didn't recognize this, thus showing how fake they are.

No, this is a complete lie. The mention of his PSI formula, as anyone can see, comes well before his mention of PCI-DSS.

Again, he isn't clear who he's talking about, but when he mentioned that PCI compliance is very expensive, I countered that Tier 4 compliance is actually not very difficult or expensive. These classifications have to do with the number of transactions processed. So a vending machine is probably not going to process six million Visa transactions annually. This doesn't mean I have an intimate understanding of the PCI-DSS literature, but it did show that he didn't understand the compliance requirements.

So were I to guess... this guy is probably an engineer. Makes sense, since he really seems to get ticked off at the use of that word, and he's the kind of guy you would hire for this kind of job - writing code for vending machines.

Now of course I could be wrong, but rather than spelling out his use of math here, he constantly shifts between various dodges.

"People are making assumptions" - You know a good way to stop that? Clarify yourself.

"People are insulting me" - As I've mentioned earlier he has pretty much lost the moral high ground there.

"Some people in this thread think that SELinux is a flexible Linux distribution." - This is very likely untrue - I well understood that, like GrSecurity, SELinux is a series of patches - I assume that the person I was talking with knew that too.
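As an added, constructed illustration of the significance check walked through earlier in this post (this is not code from the thread or from either participant), the following computes the 99% intervals for the 50-of-100 Linux and 45-of-100 FreeBSD figures, applying the finite-population correction for the stated population sizes, and adds a pooled two-proportion z-test as an assumed extra step to confirm the "not significant" conclusion:

```python
import math
from statistics import NormalDist

# Constructed figures taken from the example in the post: 50 of 100 sampled Linux hosts
# (population 10000) and 45 of 100 sampled FreeBSD hosts (population 1000) were compromised.
LINUX = {"compromised": 50, "sampled": 100, "population": 10000}
FREEBSD = {"compromised": 45, "sampled": 100, "population": 1000}


def proportion_ci(successes, n, population=None, confidence=0.99):
    """Normal-approximation interval for a proportion (z * sqrt(p(1-p)/n)),
    with the finite-population correction applied when the population is known.
    Returns (low, high, half_width)."""
    p = successes / n
    z = NormalDist().inv_cdf(1 - (1 - confidence) / 2)
    se = math.sqrt(p * (1 - p) / n)
    if population is not None and population > n:
        se *= math.sqrt((population - n) / (population - 1))
    half = z * se
    return max(0.0, p - half), min(1.0, p + half), half


def two_proportion_ztest(s1, n1, s2, n2):
    """Pooled two-sample z-test for equal proportions; returns (z, two-sided p-value).
    Assumption: this test is an added step; the post itself only compares the intervals."""
    pooled = (s1 + s2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (s1 / n1 - s2 / n2) / se
    return z, 2 * (1 - NormalDist().cdf(abs(z)))


def compare_compromise_rates(a=LINUX, b=FREEBSD, confidence=0.99, alpha=0.01):
    """Summarise both intervals and whether the observed gap is significant at alpha."""
    ci_a = proportion_ci(a["compromised"], a["sampled"], a["population"], confidence)
    ci_b = proportion_ci(b["compromised"], b["sampled"], b["population"], confidence)
    z, p_value = two_proportion_ztest(a["compromised"], a["sampled"],
                                      b["compromised"], b["sampled"])
    return {
        "ci_a": ci_a[:2], "ci_b": ci_b[:2],
        "half_widths": (ci_a[2], ci_b[2]),
        "intervals_overlap": ci_a[0] <= ci_b[1] and ci_b[0] <= ci_a[1],
        "z": z, "p_value": p_value,
        "significant": p_value < alpha,
    }


if __name__ == "__main__":
    r = compare_compromise_rates()
    print(f"Linux   99% CI: {r['ci_a'][0]:.1%} - {r['ci_a'][1]:.1%}")
    print(f"FreeBSD 99% CI: {r['ci_b'][0]:.1%} - {r['ci_b'][1]:.1%}")
    print(f"z = {r['z']:.2f}, p = {r['p_value']:.2f}, significant: {r['significant']}")
```

With these inputs both intervals come out roughly +/- 12-13 points wide and overlap heavily, and the z-test gives p of about 0.48, so a 5-point gap on samples of 100 is well within noise.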