Grinder
Legendary
Offline
Activity: 1284
Merit: 1001
June 20, 2011, 11:37:08 AM
I'm not going to start a flamewar. Please respect my objective opinion. I will respect your personal belief.
So your cherry picking of data points is objective, but pointing out the obvious fact that you're cherry picking is subjective? Also, I have never said anywhere that Linux is more secure than *BSD.

muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 11:42:14 AM
So your cherry picking of data points is objective, but pointing out the obvious fact that you're cherry picking is subjective?
Also, I have never said anywhere that Linux is more secure than *BSD.
I'm not sure what we are discussing. Quoting a reliability chart is cherry picking? Quoting a vulnerability chart is cherry picking? Maybe my sources were biased? Are you suggesting that there is no significant statistical difference between Linux/FreeBSD reliability/security? My opinion is that this is just free polemic. Maybe I'm wrong.

Grinder
Legendary
Offline
Activity: 1284
Merit: 1001
June 20, 2011, 12:16:29 PM
Maybe my sources were biased?
Except for the sales piece made by a FreeBSD fan they probably weren't, but the way you use them is.

muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 12:42:02 PM
Maybe my sources were biased?
Except for the sales piece made by a FreeBSD fan they probably weren't, but the way you use them is.
Ok. Let's rephrase my previous sentence:
Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.
Given that parameter Psi = [ ( # of serious security flaws - 1 ) / ( # of running systems )^2 ] remapped in [0, 1]
Do you agree that, with a confidence level of 0.99, the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Sukrim
Legendary
Offline
Activity: 2618
Merit: 1007
June 20, 2011, 01:29:25 PM
Given that parameter Psi = [ ( # of serious security flaws - 1 ) / ( # of running systems )^2 ] remapped in [0, 1]
Do you agree that, with a confidence level of 0.99, the correlation between the parameter Psi and Linux is stronger than with FreeBSD?
As "serious" is not defined and subjective and the number of running systems is not known/hard to estimate (Linux gets used in embedded environments too, where it will never show up in "server statistics") I can only say with 0.99 confidence level, that you are far off topic by now.

muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 01:52:42 PM
As "serious" is not defined and subjective
check better
and the number of running systems is not known/hard to estimate (Linux gets used in embedded environments too, where it will never show up in "server statistics")
Also BSD is implemented in EE. Anyhow since we're speaking of webservers, we have good estimators for this quantity.
I can only say with 0.99 confidence level, that you are far off topic by now.
Lol (L)

Rob P.
June 20, 2011, 02:04:16 PM
P.s.: If, as I suspect, that there has been an injection and possibly a root escalation on mt. gox, expect to see this problem happening soon.
To be safe, Mt. gox needs a complete rewrite of their code, plus the use of a stronger infrastructure. But they won't do this, because it would cost them Millions to keep the server offline for 1 month.
Rewrite of their code? They weren't hacked with a SQL Injection. Someone who had access from their laptop had their laptop compromised. They need better security measures, but they aren't from the site standpoint.

--
If you like what I've written here, consider tipping the messenger: 1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG
If you don't like what I've written, send me a Tip and I'll stop talking.

FooDSt4mP
June 20, 2011, 02:05:07 PM
I'm with you muad_dib... All my opinions are totally objective too. Also, in my objective opinion more discovered vulnerabilities != less secure. More eyes find more bugs. I know you're talking freebsd, but look at openbsd. It had a backdoor for years exactly because fewer people audit the code.

As we slide down the banister of life, this is just another splinter in our ass.

kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
June 20, 2011, 02:24:42 PM
freebsd is also less used so there might be more bugs and exploits to discover. I actually like that there have been more holes in linux, because it means that they are fixed.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell

ShadowOfHarbringer
Legendary
Offline
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
June 20, 2011, 02:53:07 PM
freebsd is also less used so there might be more bugs and exploits to discover. I actually like that there have been more holes in linux, because it means that they are fixed.
+1
Everything that I wanted to say was already said here.
muad_dib, you have no idea what you are talking about. There isn't any 100% proof that BSD is either more secure or more reliable than Linux.

muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 02:55:20 PM
Rewrite of their code? They weren't hacked with a SQL Injection. Someone who had access from their laptop had their laptop compromised. They need better security measures, but they aren't from the site standpoint.
That's what they say. Anyhow, also taking this as true, I think it has been evident that bitcoin has greatly outgrown the original expectations, and thus we need a stronger security policy.
One example: Do you think that by compromising any of the laptops of any or all of the admins of the Visa Network, you could access any valuable information?

muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 02:57:00 PM
freebsd is also less used so there might be more bugs and exploits to discover. I actually like that there have been more holes in linux, because it means that they are fixed.
so windows has top-notch security?

JJG
Member
Offline
Activity: 70
Merit: 20
June 20, 2011, 03:25:44 PM
If you own an exchange and would like to be safer, for a small fee (in the 5 figures)...
for a small fee, and the promise of not being persecuted...
The problem with this community is it's full of people trying to make money. And the problem with most 'security experts' is that they think they walk on water. Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?

kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
June 20, 2011, 03:31:04 PM
freebsd is also less used so there might be more bugs and exploits to discover. I actually like that there have been more holes in linux, because it means that they are fixed.
so windows has top-notch security?
LOL No. They are afraid if they open source the code, they will have 100 exploits/day. Windows is not opensource. You can compare linux and *bsd, and you can compare windows and mac, but not linux with windows.
Windows also uses a lot of security through obscurity, which means it sucks. (Sorry all you windows fanbois, it's not to start a flamewar)

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell

Capitan
Member
Offline
Activity: 112
Merit: 10
June 20, 2011, 03:45:26 PM
@muad_dib At first your post seemed wise, but
1) Use the right software. IIS is a big no-no. Also Linux should be frowned upon. Unix is the way to go.
I stopped reading right here. I don't know who you are, but you know nothing about security.
I will not start a flamewar here, I just want to make you a quick question: Here's a list of the most reliable hosting solutions. The first 3 spots, are linux or unix?
That list proves nothing about the security of any OS over any other OS. There is no mention of how big of a factor the OS/platform's security plays into the ranking. From what I read on that page, a lot of other things can play into the ranking, including the level of managed service (e.g., the competence and response time of the sysadmins of those hosting services), the network quality, speed of their servers, etc. So that link proves nothing about Linux being better than windows, or Unix being more secure than Linux.

muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 03:55:01 PM
Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?
Really I'm in for the money? I could make much more by moving the bitcoins in the accounts I spoofed.

muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 04:01:42 PM
LOL No. they are afraid if they open source the code, they will have 100 exploits/day. Windows is not opensource. you can compare linux and *bsd, and you can compare windows and mac. but not linux with windows.
windows also uses a lot of security through obscurity, which means it sucks. (sorry all you windows fanbois, it's not to start a flamewar)
So you can compare open source code and say that more bugs are better, while you can't compare open source and closed source? I'm not sure I follow you.

JJG
Member
Offline
Activity: 70
Merit: 20
June 20, 2011, 04:03:35 PM
Even worse when they're in it for the money (5 figures of it, a 'small fee' for his great services). This guy has every incentive to showboat and attempt to show that he's a security expert, and nothing to lose. muad_dib, would you care to give us some background or show some of your previous work?
Really I'm in for the money? I could make much more by moving the bitcoins in the accounts I spoofed.
Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free? That's very noble of you. Thanks!

muad_dib (OP)
Member
Offline
Activity: 140
Merit: 10
June 20, 2011, 04:06:05 PM
Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?
That's very noble of you. Thanks!
1) Maybe I don't want to help other exchanges for free?
2) Maybe I like the bitcoin project, so maybe I would like to see as little bitcoin fraud as possible?
Tell me. If you were able to steal all the bitcoin from mtgox, what would you do? (I'm not saying I can)

finack
Member
Offline
Activity: 126
Merit: 10
June 20, 2011, 04:06:48 PM
You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"
Don't get me wrong, we're all very impressed you can lift cookies over wifi.