Bitcoin Forum
November 15, 2024, 07:33:08 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 14 »  All
  Print  
Author Topic: About Mt. Gox flaw from a security expert  (Read 34162 times)
muad_dib (OP)
Member
**
Offline Offline

Activity: 140
Merit: 10


View Profile
June 20, 2011, 06:44:50 AM
Last edit: June 20, 2011, 08:37:58 AM by muad_dib
 #1

Dear Bitcoiners,

I'm sorry to hear that some people have had their account stolen, but I was expecting it.

The problem of Mt. Gox is that it grown too fast, without the correct investment in customer safety. The design of the site is not thought for security, and it is evident even from the API. Basic cornerstones like input validation, or safe data exchange are omitted, as if that was a blog and not a sensitive web application. Luckily Mt. Gox makes enough money to pay admins to control the money-flow.


The bigger problem anyhow, is that other exchanges have blatantly copied the design of mt. Gox, along with its flaws, and with a smaller budget. Thus I expect more security breaches. And this is a big problem for the credibility of bitcoins. Thus I invite exchange owners to:


1) Use the right software. IIS is a big no-no Smiley Also Linux should frowned upon. Unix is the way to go.

2) Update the software. You cant leave a known root escalation bug for 6 days!!!!

3) Have your code reviewed by a third party.

4) PHP security isnt too difficult, http://phpsec.org/projects/guide/ , still you missed most of the BASIC guidelines.

5) For god sake, you're moving hundred of thousand of dollars. Use a fucking dedicated server for the database. Accessible only by a local IP. If you wonder why I know this, then you should fire your admin.

If you own an exchange and would like to be safer, for a small fee (in the 5 figures) PM me, and I will tell you if your site is flawed, and if it is I can show you how I can have root access on the webserver at least.
Bit_Happy
Legendary
*
Offline Offline

Activity: 2114
Merit: 1040


A Great Time to Start Something!


View Profile
June 20, 2011, 06:47:17 AM
 #2

Yes, security is important.
FYI: Their site was not even hacked.

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

muad_dib (OP)
Member
**
Offline Offline

Activity: 140
Merit: 10


View Profile
June 20, 2011, 06:48:16 AM
 #3

P.s.: If, as I suspect, that there has been an injection and possibly a root escalation on mt. gox, expect to see this problem happening soon.

To be safe, Mt. gox need a complete rewrite of their code, plus the use of a stronger infrastructure. But they wont do this, because it would cost them Millions to keep the server offline for 1 month.
muad_dib (OP)
Member
**
Offline Offline

Activity: 140
Merit: 10


View Profile
June 20, 2011, 06:49:21 AM
 #4

Yes, security is important.
FYI: Their site was not even hacked.

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

for a small fee, and the promise of not being persecuted, I can send your apache config file.
Oldminer
Legendary
*
Offline Offline

Activity: 1022
Merit: 1001



View Profile
June 20, 2011, 06:50:43 AM
 #5


It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised.

What - the auditor lost his laptop you mean?  Grin

If you like my post please feel free to give me some positive rep https://bitcointalk.org/index.php?action=trust;u=18639
Tip me BTC: 1FBmoYijXVizfYk25CpiN8Eds9J6YiRDaX
Bit_Happy
Legendary
*
Offline Offline

Activity: 2114
Merit: 1040


A Great Time to Start Something!


View Profile
June 20, 2011, 06:51:26 AM
 #6

Yes, security is important.
FYI: Their site was not even hacked.

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

for a small fee, and the promise of not being persecuted, I can send your apache config file.

No thanks, I can find it myself.   Cheesy

muad_dib (OP)
Member
**
Offline Offline

Activity: 140
Merit: 10


View Profile
June 20, 2011, 06:53:43 AM
 #7



No thanks, I can find it myself.   Cheesy

(K)

Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against the top level security like the intelligence or the PRC army.
pancakes
Newbie
*
Offline Offline

Activity: 29
Merit: 0



View Profile
June 20, 2011, 07:26:03 AM
 #8

If you own an exchange and would like to be safer, for a small fee (in the 5 figures)...

for a small fee, and the promise of not being persecuted...

The problem with this community is it's full of people trying to make money.
done
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
June 20, 2011, 07:51:20 AM
 #9



No thanks, I can find it myself.   Cheesy

(K)

Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against the top level security like the intelligence or the PRC army.


Listen to this man. He has hit this right on the nose. It should also tip you on to the perceived potential value of bitcoins.
muad_dib (OP)
Member
**
Offline Offline

Activity: 140
Merit: 10


View Profile
June 20, 2011, 08:15:40 AM
 #10



The problem with this community is it's full of people trying to make money.


trust me: if I were in the bitcoin business for the money, I would have stolen the bitcoin from the mtgox accounts I violated.


With the actual design of most of the Bitcoin exchanges password can be spoofed anytime you connect via a wireless network.


Bitcoin exchanges needs to take further steps to secure their customers, and need not to copy other people design, as it could propagate flaws in the market.
ShadowOfHarbringer
Legendary
*
Offline Offline

Activity: 1470
Merit: 1006


Bringing Legendary Har® to you since 1952


View Profile
June 20, 2011, 09:09:44 AM
 #11

@muad_dib

At first your post seemed wise, but

1) Use the right software. IIS is a big no-no Smiley Also Linux should frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.

Bit_Happy
Legendary
*
Offline Offline

Activity: 2114
Merit: 1040


A Great Time to Start Something!


View Profile
June 20, 2011, 09:17:16 AM
 #12

(K)

Please just be safe, remember you are the most eminent member of the bitcoin community. Remember you are not playing against simple hackers, you are playing against the top level security like the intelligence or the PRC army.

I am the most eminent member of the bitcoin community?
Ummm... I will humbly step down from my position now.   Cheesy

My first reply to you was:
Yes, security is important. & then I quoted and linked to a message on the MtGox site. I am not the owner of the exchange, but welcome to the forum muad_dib.

muad_dib (OP)
Member
**
Offline Offline

Activity: 140
Merit: 10


View Profile
June 20, 2011, 09:21:04 AM
 #13

@muad_dib

At first you post seemed wise, but

1) Use the right software. IIS is a big no-no Smiley Also Linux should frowned upon. Unix is the way to go.

I stopped reading right here.

I don't know who you are, but you know nothing about security.

I will not start a flamewar here, I just want to make you a quick question:

Here's a list of the most reliable hosting solutions.


The first 3 spots, are linux or unix?
muad_dib (OP)
Member
**
Offline Offline

Activity: 140
Merit: 10


View Profile
June 20, 2011, 09:22:58 AM
 #14


Ummm... I will humbly step down from my position now.   Cheesy

My first reply to you was:
Yes, security is important. & then I quoted and linked to a message on the MtGox site. I am not the owner of the exchange, but welcome to the forum muad_dib.

Sorry I thought you were the owner of the exchange Smiley

Grinder
Legendary
*
Offline Offline

Activity: 1284
Merit: 1001


View Profile
June 20, 2011, 09:41:37 AM
 #15

Here's a list of the most reliable hosting solutions.

The first 3 spots, are linux or unix?
As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.
muad_dib (OP)
Member
**
Offline Offline

Activity: 140
Merit: 10


View Profile
June 20, 2011, 10:00:17 AM
 #16


As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability in strongly connected to Security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though freebsd update process is more obscure).

The table show us that if you want to be the most reliable, you need to choose unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even thought being freebsd smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 millions results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)


Anyhow let's put this way: My opinion is that FreeBSD is the most secure,  reliable and scalable OS. You think that Linux is more secure than FreeBSD.
Grinder
Legendary
*
Offline Offline

Activity: 1284
Merit: 1001


View Profile
June 20, 2011, 10:34:53 AM
 #17

The table show us that if you want to be the most reliable, you need to choose unix.
http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.
muad_dib (OP)
Member
**
Offline Offline

Activity: 140
Merit: 10


View Profile
June 20, 2011, 10:37:34 AM
 #18


http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Especially when you're picking data as selectively as you do.

I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.

http://people.freebsd.org/~murray/bsd_flier.html

http://www.cvedetails.com/vendor/6/Freebsd.html

http://www.cvedetails.com/vendor/33/Linux.html

Not only freebsd has less vulnerabilities, but they are also less serious (check exploit or data execution)
Horkabork
Full Member
***
Offline Offline

Activity: 140
Merit: 100



View Profile
June 20, 2011, 11:03:02 AM
 #19


As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability in strongly connected to Security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though freebsd update process is more obscure).

The table show us that if you want to be the most reliable, you need to choose unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even thought being freebsd smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 millions results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)


Anyhow let's put this way: My opinion is that FreeBSD is the most secure,  reliable and scalable OS. You think that Linux is more secure than FreeBSD.


I totally agree with you on this metric. Obviously, it follows with what I, a bona-fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy.

Google agrees with me, as "Hacked by"+"virtual boy" has a mere 61,300 results.

Prove me wrong. I dare you, because I just bought a pair of x-pert system II zookas and a nintendo power glove. It's hooked to my keytar, with a wii wammy bar and a silicon 3d aggregator nanostruts mashup through UG ajax immersion portals.

Obviously, this is all coded in COBOL. It's the safest language.

Me: 15gbWvpLPfbLJZBsL2u5gkBdL3BUXDbTuF
A goat: http://i52.tinypic.com/34pj4v6.jpg
muad_dib (OP)
Member
**
Offline Offline

Activity: 140
Merit: 10


View Profile
June 20, 2011, 11:06:18 AM
 #20



 even though being freebsd smaller, this is a biased comparison.



I totally agree with you on this metric. Obviously, it follows with what I, a bona-fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy.


[more flamewar]


Maybe you should read more carefully my posts.
Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 14 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!