muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 06:44:50 AM  Last edit: June 20, 2011, 08:37:58 AM by muad_dib
Dear Bitcoiners, I'm sorry to hear that some people have had their accounts stolen, but I was expecting it. The problem with Mt. Gox is that it grew too fast, without the proper investment in customer safety. The site was not designed with security in mind, and that is evident even from the API. Basic cornerstones like input validation or safe data exchange are omitted, as if it were a blog and not a sensitive web application. Luckily Mt. Gox makes enough money to pay admins to control the money flow. The bigger problem, anyhow, is that other exchanges have blatantly copied the design of Mt. Gox, along with its flaws, and with a smaller budget. Thus I expect more security breaches. And this is a big problem for the credibility of bitcoins. Thus I invite exchange owners to:
1) Use the right software. IIS is a big no-no. Also, Linux should be frowned upon. Unix is the way to go.
2) Update the software. You can't leave a known root escalation bug for 6 days!!!!
3) Have your code reviewed by a third party.
4) PHP security isn't too difficult, http://phpsec.org/projects/guide/ , still you missed most of the BASIC guidelines.
5) For God's sake, you're moving hundreds of thousands of dollars. Use a fucking dedicated server for the database, accessible only by a local IP. If you wonder why I know this, then you should fire your admin.
If you own an exchange and would like to be safer, for a small fee (in the 5 figures) PM me, and I will tell you if your site is flawed, and if it is, I can show you how I can have root access on the webserver at least.
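The post's points about input validation, safe data exchange and a database reachable only on a private address, shown side by side as an added example. This is not code from Mt. Gox or from the poster: it runs against an in-memory SQLite database through PDO so it works offline, the orders table and its rows are constructed for the demo, and the 10.0.0.5 address and credentials in the closing comment are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not code from Mt. Gox or from the poster. Runs against an
// in-memory SQLite database through PDO so it works offline; the "orders"
// table, its rows and the user names are constructed for the demo.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, currency TEXT, amount REAL)');
    $ins = $db->prepare('INSERT INTO orders (owner, currency, amount) VALUES (?, ?, ?)');
    foreach ([['alice', 'USD', 120.5], ['bob', 'EUR', 80.0], ['carol', 'USD', 3.25]] as $row) {
        $ins->execute($row);   // constructed sample rows
    }
    return $db;
}

// The pattern the post complains about: request values dropped straight into
// the SQL text, so a quote character in the input changes the query itself.
function orders_vulnerable(PDO $db, string $owner, string $currency): array
{
    $sql = "SELECT id, owner, amount FROM orders WHERE owner = '$owner' AND currency = '$currency'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate each value against what it is allowed to be, then
// bind it as a parameter so the driver never treats it as SQL.
function orders_safe(PDO $db, string $owner, string $currency): array
{
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $owner)) {
        throw new InvalidArgumentException('owner must be 1-32 chars of [a-z0-9_]');
    }
    if (!preg_match('/\A[A-Z]{3}\z/', $currency)) {
        throw new InvalidArgumentException('currency must be a 3-letter code');
    }
    $stmt = $db->prepare(
        'SELECT id, owner, amount FROM orders WHERE owner = :owner AND currency = :cur'
    );
    $stmt->execute([':owner' => $owner, ':cur' => $currency]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = open_demo_db();

// Attacker supplies this as the "currency" request parameter. Inside the
// vulnerable query it becomes  ... AND currency = '' OR '1'='1'  which is true
// for every row, so every customer's orders come back instead of alice's.
$payload = "' OR '1'='1";

$leaked = orders_vulnerable($db, 'alice', $payload);
printf("vulnerable query returned %d rows (alice owns only 1)\n", count($leaked));

try {
    orders_safe($db, 'alice', $payload);
} catch (InvalidArgumentException $e) {
    echo "safe query rejected the input: {$e->getMessage()}\n";
}
printf("safe query for alice/USD returned %d row(s)\n", count(orders_safe($db, 'alice', 'USD')));

// Point 5 of the post: in production the database runs on its own host, bound
// to a private address that only the web servers reach over the internal
// network. Hypothetical values: set bind-address = 10.0.0.5 in the MySQL
// server's my.cnf and firewall port 3306 from everything but the web hosts.
//
// $db = new PDO('mysql:host=10.0.0.5;dbname=exchange;charset=utf8mb4',
//               'app', getenv('DB_PASSWORD'),
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//                PDO::ATTR_EMULATE_PREPARES => false]);  // real server-side prepares
```

The validation step is not a substitute for the parameter binding: the allow-list regexes stop obviously hostile input before it reaches the database, while the bound parameters make sure that even a value which passes validation can never be parsed as SQL.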
Bit_Happy
Legendary
Offline
Activity: 2114
Merit: 1040
A Great Time to Start Something!
June 20, 2011, 06:47:17 AM
Yes, security is important. FYI: Their site was not even hacked.
"It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked."
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 06:48:16 AM
P.S.: If, as I suspect, there has been an injection and possibly a root escalation on Mt. Gox, expect to see this problem happening soon.
To be safe, Mt. Gox needs a complete rewrite of their code, plus the use of a stronger infrastructure. But they won't do this, because it would cost them millions to keep the server offline for 1 month.
muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 06:49:21 AM
for a small fee, and the promise of not being persecuted, I can send your apache config file.
Oldminer
Legendary
Offline
Activity: 1022
Merit: 1001
June 20, 2011, 06:50:43 AM
"It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised."
What - the auditor lost his laptop you mean?
Bit_Happy
Legendary
Offline
Activity: 2114
Merit: 1040
A Great Time to Start Something!
June 20, 2011, 06:51:26 AM
"for a small fee, and the promise of not being persecuted, I can send your apache config file."
No thanks, I can find it myself.
muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 06:53:43 AM
"No thanks, I can find it myself."
(K) Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against top-level security like intelligence agencies or the PRC army.
pancakes
Newbie
Offline
Activity: 29
Merit: 0
June 20, 2011, 07:26:03 AM
"If you own an exchange and would like to be safer, for a small fee (in the 5 figures)..."
"for a small fee, and the promise of not being persecuted..."
The problem with this community is it's full of people trying to make money.
done
Newbie
Offline
Activity: 56
Merit: 0
June 20, 2011, 07:51:20 AM
"No thanks, I can find it myself. (K) Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against top-level security like intelligence agencies or the PRC army."
Listen to this man. He has hit this right on the nose. It should also tip you off to the perceived potential value of bitcoins.
muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 08:15:40 AM
"The problem with this community is it's full of people trying to make money."
Trust me: if I were in the bitcoin business for the money, I would have stolen the bitcoins from the Mt. Gox accounts I violated. With the current design of most of the Bitcoin exchanges, passwords can be spoofed any time you connect via a wireless network. Bitcoin exchanges need to take further steps to secure their customers, and must not copy other people's designs, as it could propagate flaws in the market.
ShadowOfHarbringer
Legendary
Offline
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
June 20, 2011, 09:09:44 AM
@muad_dib At first your post seemed wise, but
"1) Use the right software. IIS is a big no-no. Also, Linux should be frowned upon. Unix is the way to go."
I stopped reading right here. I don't know who you are, but you know nothing about security.
Bit_Happy
Legendary
Offline
Activity: 2114
Merit: 1040
A Great Time to Start Something!
June 20, 2011, 09:17:16 AM
"(K) Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against top-level security like intelligence agencies or the PRC army."
I am the most eminent member of the bitcoin community? Ummm... I will humbly step down from my position now. My first reply to you was: "Yes, security is important." & then I quoted and linked to a message on the MtGox site. I am not the owner of the exchange, but welcome to the forum muad_dib.
muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 09:21:04 AM
"@muad_dib At first your post seemed wise, but 1) Use the right software. IIS is a big no-no. Also, Linux should be frowned upon. Unix is the way to go. I stopped reading right here. I don't know who you are, but you know nothing about security."
I will not start a flamewar here, I just want to ask you a quick question: Here's a list of the most reliable hosting solutions. The first 3 spots, are they Linux or Unix?
muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 09:22:58 AM
"Ummm... I will humbly step down from my position now. My first reply to you was: Yes, security is important. & then I quoted and linked to a message on the MtGox site. I am not the owner of the exchange, but welcome to the forum muad_dib."
Sorry, I thought you were the owner of the exchange.
Grinder
Legendary
Offline
Activity: 1284
Merit: 1001
June 20, 2011, 09:41:37 AM
"Here's a list of the most reliable hosting solutions. The first 3 spots, are they Linux or Unix?"
As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers, with a lot higher outage than everybody else, run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.
muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 10:00:17 AM
"As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers, with a lot higher outage than everybody else, run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list."
Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion, then your reliability goes down. It also means that there is less security maintenance (even though the FreeBSD update process is more obscure). The table shows us that if you want to be the most reliable, you need to choose Unix.
Or you can count privilege escalations: 61 bugs in the last 7 years for Linux, 3 for FreeBSD.
Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.
Or you can do a very rough estimation:
Google "Hacked by" + linux: 2.3 million results
Google "Hacked by" + FreeBSD: 230,000 results (one fold less!!!)
Anyhow, let's put it this way: my opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.
Horkabork
June 20, 2011, 11:03:02 AM
"As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers, with a lot higher outage than everybody else, run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list."
"Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion, then your reliability goes down. It also means that there is less security maintenance (even though the FreeBSD update process is more obscure). The table shows us that if you want to be the most reliable, you need to choose Unix. Or you can count privilege escalations: 61 bugs in the last 7 years for Linux, 3 for FreeBSD. Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison. Or you can do a very rough estimation: Google "Hacked by" + linux: 2.3 million results. Google "Hacked by" + FreeBSD: 230,000 results (one fold less!!!) Anyhow, let's put it this way: my opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD."
I totally agree with you on this metric. Obviously, it follows with what I, a bona-fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy. Google agrees with me, as "Hacked by" + "virtual boy" has a mere 61,300 results. Prove me wrong. I dare you, because I just bought a pair of x-pert system II zookas and a nintendo power glove. It's hooked to my keytar, with a wii wammy bar and a silicon 3d aggregator nanostruts mashup through UG ajax immersion portals. Obviously, this is all coded in COBOL. It's the safest language.
muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 11:06:18 AM
"even though, FreeBSD being smaller, this is a biased comparison."
"I totally agree with you on this metric. Obviously, it follows with what I, a bona-fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy." [more flamewar]
Maybe you should read my posts more carefully.