Bitcoin Forum
Author Topic: About Mt. Gox flaw from a security expert  (Read 34096 times)
muad_dib (OP)
June 20, 2011, 04:11:43 PM
 #41

You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

I totally respect your opinion.


Quote
Don't get me wrong, we're all very impressed you can lift cookies over wifi.

What I'm impressed about, is that such a simple flaw isn't prevented by a system that moves millions of dollars. That's such a noobish mistake. Moreover that they blame users for a flaw of their system.


Even worse, while I'm sure Mt. gox can pay handsomely an admin to prevent too much of this abuse, other exchanges without the same liquidity copied mt. gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Don't you all see the negative implications of this?


Am I the only concerned?
kokjo
June 20, 2011, 04:17:22 PM
 #42


LOL
No. they are afraid if they open source the code, they will have 100 exploits/day.
Windows is not opensource.
you can compare linux and *bsd, and you can compare windows and mac. but not linux with windows.

windows also uses a lot of security through obscurity, which means it sucks.
(sorry all you windows fanbois, it's not to start a flamewar)


so you can compare open source code and say that more bugs are better, while you can't compare open source and closed source?

I'm not sure I follow you.
yes:

more fixed bugs are better than more unfound bugs.

and you can't trust closed source code: microsoft could have put a backdoor in windows, so that NSA could gain easy access to any windows system. (I like conspiracy theories  Smiley )


"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
tehcodez
June 20, 2011, 04:21:21 PM
 #43

You don't sound like an expert to me. How about "About Mt. Gox flaw from a guy who's picked up some stuff about security browsing the net"

I totally respect your opinion.


Quote
Don't get me wrong, we're all very impressed you can lift cookies over wifi.

What I'm impressed about, is that such a simple flaw isn't prevented by a system that moves millions of dollars. That's such a noobish mistake. Moreover that they blame users for a flaw of their system.


Even worse, while I'm sure Mt. gox can pay handsomely an admin to prevent too much of this abuse, other exchanges without the same liquidity copied mt. gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Don't you all see the negative implications of this?


Am I the only concerned?

We all the only concerned.

Take that faux-expertise to someone who needs half-empty glass a.
nelisky
June 20, 2011, 04:23:27 PM
 #44


Am I the only concerned?

Not at all, look at all the threads!

You are, however, from my own subjective analysis, the only one saying that a five digit small fee should be paid to you for saying you have spoofed mtgox accounts by eavesdropping wifi connections and not taking monetary advantage of it. So as far as I can see that's:
- you sniffed open or badly closed wifi connections, which is eavesdropping and forbidden in most places
- you used that information to explore issues in a bitcoin exchange, which is illegal any way you cut it
- you provide no proof of doing any of the above, but you certainly use good bragging buzzwords
- you failed to provide information to the site owner to prevent the current situation (heck, you might be the one behind all this, for all you said you were capable of doing)
- now you require hard money for your expert services, which amount to saying that something is hackable after it has been hacked

Kudos to you for making all this with a straight face... or did you? :p
muad_dib (OP)
June 20, 2011, 04:23:37 PM
 #45



We all the only concerned.

Take that faux-expertise to someone who needs half-empty glass a.

You are not forced to post in my thread Smiley
JJG
June 20, 2011, 04:24:53 PM
 #46



Bravo! Now that you're not in it for the money, I assume you'll be helping Bit_Happy patch whatever security vulnerability you found that exposed his apache config for free?

That's very noble of you. Thanks!

1) Maybe I don't want to help other exchange for free?

2) Maybe I like the bitcoin project, so maybe I would like to see as little bitcoin frauds as possible?


Tell me. If you were able to steal all the bitcoin from mtgox, what would you do? (I'm not saying I can)

1) So then you are in it for the money?


What does your question have to do with anything? If I found a serious security vulnerability, I would forward the information on to the appropriate parties so they can fix the holes ASAP. And I wouldn't even demand a small fee (5 figures) because maybe I like the bitcoin project, so maybe I would like to see as little bitcoin frauds as possible.  Wink
finack
June 20, 2011, 04:27:46 PM
Last edit: June 20, 2011, 05:59:00 PM by finack
 #47

What I'm impressed about, is that such a simple flaw isn't prevented by a system that moves millions of dollars. That's such a noobish mistake. Moreover that they blame users for a flaw of their system.

Even worse, while I'm sure Mt. gox can pay handsomely an admin to prevent too much of this abuse, other exchanges without the same liquidity copied mt. gox, flaws included.

Someone evil-minded might use this to make the bitcoin market crash. Don't you all see the negative implications of this?

Am I the only concerned?

You're right that session cookies over http is a noobish mistake for a financial site. I'm guessing that you didn't watch the only one TV show last night that had both people from tradehill and Adam and Mark from Mt. Gox on. I'm not trying to be mean here, but it's clear to me that they're all at least somewhat if not way out of their depth. Tradehill came across somewhat better than Mt. Gox, but they all felt very unprepared and taken by surprise by the situation. Reacting, not acting etc.

Bottom line is that just a few months ago these exchanges were nothing more than hobby systems at best. They started getting real transaction flows quickly but competency generally lags behind such moves. Consider that tradehill apparently has 3 people working full time, which as far as I can tell makes them the best staffed in the business. That's smaller than even one of many small security teams at any traditional equity or fx broker, and that's not even considering the mountains of people exchanges throw at the problem.

Bottom line is that I'd expect these issues to continue for some time. Simply hiring one security minded admin won't make a ton of difference unless you happen to find someone very abnormally good at their job.

As an aside, when I look at tradehill it's entirely https - is that just because I have a force https and auto HSTS extension? They certainly seem to support all traffic over TLS at least, even if they don't force it themselves. I thought I recalled Mt. Gox doing the same but I can't check with the site down. In the big picture only having TLS be optional probably isn't the biggest deal, at least as compared with CSRF issues and live database access on poorly secured PC's.
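
The weaknesses discussed in the post above (session cookies usable over plain http, TLS supported but not forced, no HSTS) can be checked from a site's own response headers. This is an added example, not part of the thread or of any exchange's code; the function names, the `SESSID` cookie and all header values are constructed for illustration.

```python
# Added example: audit one HTTP response for optional-TLS session weaknesses.
# Cookie names and header values below are constructed sample data.

def parse_set_cookie(value):
    """Return (cookie_name, {lower-cased attribute: value}) for one Set-Cookie."""
    first, *rest = value.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


def audit_response(scheme, status, headers):
    """Return sorted (code, detail) findings; headers is a list of (name, value)."""
    findings = []
    max_age, location = None, ""
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if scheme == "http":
                # The cookie has already crossed the network in clear text.
                findings.append(("COOKIE_SET_OVER_HTTP", cookie))
            if "secure" not in attrs:
                # Without Secure the browser also sends it on later http requests.
                findings.append(("COOKIE_NO_SECURE", cookie))
            if "httponly" not in attrs:
                findings.append(("COOKIE_NO_HTTPONLY", cookie))
        elif lname == "strict-transport-security":
            max_age = hsts_max_age(value)
        elif lname == "location":
            location = value.strip()
    if scheme == "https":
        # max-age=0 tells the browser to drop the policy, so it counts as absent.
        if not max_age:
            findings.append(("NO_HSTS", "no usable HSTS policy on https response"))
    else:
        # Browsers ignore HSTS received over http (RFC 6797), so the only
        # acceptable http response is a redirect to the https site.
        redirected = status in (301, 302, 307, 308) and \
            location.lower().startswith("https://")
        if not redirected:
            findings.append(("HTTP_NOT_REDIRECTED", "content served over http"))
    return sorted(findings)


# Constructed responses: TLS optional vs. TLS forced with hardened cookie.
SAMPLE_OPTIONAL_TLS = ("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSID=constructed123; path=/")])
SAMPLE_HARDENED = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "SESSID=constructed123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, sample in (("optional TLS", SAMPLE_OPTIONAL_TLS),
                          ("hardened", SAMPLE_HARDENED)):
        print(label, audit_response(*sample))
```

A browser extension that forces https, as mentioned in the post, hides the first case from the person testing; the check has to be run against the plain http response itself.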
muad_dib (OP)
June 20, 2011, 04:31:29 PM
 #48


Not at all, look at all the threads!

You are, however, from my own subjective analysis, the only one saying that a five digit small fee should be paid to you for saying you have spoofed mtgox accounts by eavesdropping wifi connections and not taking monetary advantage of it. So as far as I can see that's:

A five digit is a very small fee for someone making 100.000$+ a day.

Quote
- you sniffed open or badly closed wifi connections, which is eavesdropping and forbidden in most places

- you used that information to explore issues in a bitcoin exchange, which is illegal any way you cut it


Still this won't stop thieves from using this technique. One question: when you go out, do you close your door, or do you leave it open because "entering in other people houses is a crime?"



Quote
- you provide no proof of doing any of the above, but you certainly use good bragging buzzwords

Which proof do you need? The wifi spoofing attack is such a simple one that it needs no proof... you can set one up in less than 60 minutes!

Quote
- you failed to provide information to the site owner to prevent the current situation (heck, you might be the one behind all this, for all you said you were capable of doing)

why the hell should I help competition for free?!?!??! I post a public warning so that THEY can take the steps needed. It's not my task to debug their code, sorry.

Quote
- now you require hard money for your expert services, which amount to saying that something is hackable after it has been hacked

I can provide new ways to hack it Smiley
cunicula
June 20, 2011, 04:34:14 PM
 #49

Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.
muad_dib (OP)
June 20, 2011, 04:41:46 PM
 #50



1) So then you are in it for the money?


Let's rephrase my previous sentence: As a human being, I'm programmed to try to make some profit, so that my offspring will have a better chance in the real world.


Anyhow, given the chance to sell the bitcoin community for the personal gain, I would say no.


Quote
What does your question have to do with anything?

I was trying to prove to you that stealing a large bitcoin sum is the best way to make the price crash, thus making the theft stupid.

Quote
If I found a serious security vulnerability, I would forward the information on to the appropriate parties so they can fix the holes ASAP.

I think that, given how understaffed exchanges are, maybe the email would have been read by the same person who is responsible for the development/management, thus it would have been overlooked.

I think also that by posting it here not only I'm advising users, but I'm also putting pressure behind ALL the exchanges to fix this ASAP.

Quote
And I wouldn't even demand a small fee (5 figures) because maybe I like the bitcoin project, so maybe I would like to see as little bitcoin frauds as possible.  Wink

Do you think that I ever thought for a single instant, that I would have been paid?

Do you think that if that was my real intention, I would have posted my request in public?
muad_dib (OP)
June 20, 2011, 04:42:56 PM
 #51



You're right that session cookies over http is a noobish mistake for a financial site. I'm guessing that you didn't watch the only one TV show last night that had both people from tradehill and Adam and Mark from Mt. Gox on. I'm not trying to be mean here, but it's clear to me that they're all at least somewhat if not way out of their depth. Tradehill came across somewhat better than Mt. Gox, but they all felt very unprepared and taken by surprise by the situation. Reacting, not acting etc.

Bottom line is that just a few months ago these exchanges were nothing more than hobby systems at best. They started getting real transaction flows quickly but competency generally lags behind such moves. Consider that tradehill apparently has 3 people working full time, which as far as I can tell makes them the best staffed in the business. That's smaller than even one of many small security teams at any traditional equity or fx broker, and that's not even considering the mountains of people exchanges throw at the problem.

Bottom line is that I'd expect these issues to continue for some time. Simply hiring one security minded admin won't make a ton of difference unless you happen to find someone very abnormally good at their job.

As an aside, when I look at tradehill it's entirely https - is that just because I have a force https and auto HSTS extension? They certainly seem to support all traffic over TLS at least, even if they don't force it themselves. I thought I recalled Mt. Gox doing the same but I can't check without the site down. In the big picture only having TLS be optional probably isn't the biggest deal, at least as compared with CSRF issues and live database access on poorly secured PC's.

Finally someone discussing about this SERIOUS issue rather than trying to start a flamewar.
Sukrim
June 20, 2011, 04:43:30 PM
 #52

A five digit is a very small fee for someone making 100.000$+ a day.
You just wasted more than a "five digit sum" by the time you spent posting and reading in this thread then, congratulations! Roll Eyes

You have 3 options:
[ ] Disclose fully (in public)
[ ] Disclose privately (only to the site in danger)
[ ] Keep your mouth shut and do nothing/exploit the issue yourself

You chose option 4:
[X] Spread FUD

Reasons for this can be that you either don't have anything substantial, you tried to get more money from a site than the owner wanted to pay and now you want to put up pressure while still being able to get some money or you're just a troll with neither a security hole in the back hand nor the means to find one.

As you seem to easily divert the topic to things that are NOT relevant at all and won't lead much further to getting money from a site owner, I vote for "Troll".

kthxbye

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
nelisky
June 20, 2011, 04:46:35 PM
 #53


A five digit is a very small fee for someone making 100.000$+ a day.


drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?

Still this won't stop thieves from using this technique. One question: when you go out, do you close your door, or do you leave it open because "entering in other people houses is a crime?"

The latter. I do lock my house, but not my car. And the reason I lock my house is that my miner machine is inside, and you can't really trust a community like Bitcoin that has people reasoning like you... someone might take my computer and then post on the forum saying "for a small 5 digit fee I'll teach you about the best locks for your door".

Quote
Which proof do you need? The wifi spoofing attack is such a simple one that it needs no proof... you can set one up in less than 60 minutes!

I need no proof at all. I believe you, I have no reason not to. Of course any random guy making over 300 million dollars yearly will sniff and spoof, and not steal to then arm wrestle a small fee... I wonder what kind of "security" you are expert on, though...

Quote
why the hell should I help competition for free?!?!??! I post a public warning so that THEY can take the steps needed. It's not my task to debug their code, sorry.

Oh... so you run an exchange, one that is totally secure. Now I'm getting really puzzled... which one was it again? Tell the good developers that potentially lost a bunch of bitcoins, something that could have been prevented if you would just help competition for free. I promise no one will try to hurt you, and I'm sure no one will be capable of anyway :p

Quote
I can provide new ways to hack it Smiley

Yep, no doubt. And once someone hacks it you'll provide information about how you already knew and could have prevented it, if only you would get paid the (relative) peanuts you require, but you only require them as a matter of principle, you REALLY don't need them.

Enough trolling, have fun with your buzzword magic. You might be a security expert (and failed to present any proof of it, but you aren't in the PR business anyway, so who cares) but I'm still not sure you are a human being.
muad_dib (OP)
June 20, 2011, 04:47:24 PM
 #54


You just wasted more than a "five digit sum" by the time you spent posting and reading in this thread then, congratulations! Roll Eyes

You have 3 options:
[ ] Disclose fully (in public)
[ ] Disclose privately (only to the site in danger)
[ ] Keep your mouth shut and do nothing/exploit the issue yourself

You chose option 4:
[X] Spread FUD

Reasons for this can be that you either don't have anything substantial, you tried to get more money from a site than the owner wanted to pay and now you want to put up pressure while still being able to get some money or you're just a troll with neither a security hole in the back hand nor the means to find one.

As you seem to easily divert the topic to things that are NOT relevant at all and won't lead much further to getting money from a site owner, I vote for "Troll".

kthxbye

I already posted the reasons why I said this in public. Please read my posts more carefully.


Anyhow, just for you, not for the other readers, I wrote a simple script to spoof Mt. Gox passwords. Here.
muad_dib (OP)
June 20, 2011, 04:50:15 PM
 #55



drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?


the one making 100.000$+ is mt. gox, not me. I'm not this big by ANY means.


 I read too much hate in your posts, this is not the only example where you read what you wanted to read in my posts.
muad_dib (OP)
June 20, 2011, 04:55:12 PM
 #56



more fixed bugs are better than more unfound bugs.



Let's try to sum up:

FreeBSD has less bugs than Linux (one fold less).

FreeBSD bugs went up because there has been a MAJOR review of code, both from volunteers and paid developers. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

The production machines with the best uptime are FreeBSD based.


Still you think that Linux is safer than FreeBSD?
kokjo
June 20, 2011, 04:55:30 PM
 #57

Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.
please explain...

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
muad_dib (OP)
June 20, 2011, 04:56:02 PM
 #58

I read so much hate in these forums. People please, chill out.
nelisky
June 20, 2011, 04:56:54 PM
 #59



drooolll... seriously? good for you, maybe you can then waive the 5 digit small fee and make this a better place for all of us, you included?


the one making 100.000$+ is mt. gox, not me. I'm not this big by ANY means.


 I read too much hate in your posts, this is not the only example where you read what you wanted to read in my posts.

re: 100k, aha, good. So that explains why asking 5 digit fees is small, because they (we all that use it) can pay? Ok, now you sound more like a real security expert, or a lawyer, or a politician...

re: hate. Come again? the example (not the only one, I understand) that I read what I wanted to read in your posts is that you read too much hate in my posts? huh?

But enough hatred, I know I have an attitude problem as all that had to deal directly with me can attest to. Too much good, positive attitude and a complete lack of capability of making simple ironic remarks Smiley I'm a long time professional at what I do, and that is not trolling nor is it security. You are obviously better than me on both accounts so if you can refrain from replying to my post here, I promise I'll behave and not make hatred filled remarks on any other altruistic comment coming from you on this thread.
muad_dib (OP)
June 20, 2011, 04:59:17 PM
 #60

Quote
Ok. Let's rephrase my previous sentence:

Given that a Serious security flaw is a flaw that permits privilege escalation, or leakage of database.

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Okay, now you're really making yourself look stupid. Please no one pay this guy anything.
please explain...

Were you asking me?

http://en.wikipedia.org/wiki/Statistical_hypothesis_testing

http://en.wikipedia.org/wiki/Statistic

http://en.wikipedia.org/wiki/Confidence_level

http://en.wikipedia.org/wiki/Statistically_significant