About Mt. Gox flaw from a security expert

[kokjo]

BSD is designed. Linux is grown.

This is such a beautiful sentence.


When developing some serial drivers for a vending machines running linux, me and my team went crazy handling all the hacks, specifications and modules the kernel had. It is just a bloated monster, on a driver I found a comment:

"We don't know why it is this way, but please dont touch it"


The server controlling the vending machines instead run on FreeBSD and its much tidier and organized kernel space has been a pleasure to work with.

comments like that is because of some old hacks on very old buggy hardware, these types of comments is also in the FreeBSD sourcecode.
some people would also find it easier to run windows xp on your vending machine.
i have read most of the core code in Linux and Freebsd. and i found that linux's source is simpler.
while freeBSD kind of difficult to understand sometimes.
it just my opinion.

[1714922726]

1714922726

[muad_dib]

i have read most of the core code in Linux and Freebsd.

Did you  really read MILLIONS of line of code?

Linux kernel codebase is roughly 10 millions lines of code just for the kernel (excluding the comments and the toolchain to compile it. The full system with also GUI and  other stuff is roughly 2.4 billions lines).

Imagine you read 50% of it, at one second per line (whoa, you're a living compiler), it makes 158 years.


The eldest living compiler!

Now I understand you go around calling other people trolls. You have all the rights.


This little calculation avoided me to explain that if you really read at least some of the BSD and Linux codebase you would know how much tidier BSD kernelspace is.

[jgraham]

FreeBSD has less bugs than Linux (one fold less).
FreeBSD bugs went up because there has been a MAJOR review of code, both from volunteers and paid developers. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
The production machines with the best uptime are FreeBSD based.
Still you think that Linux is safer than FreeBSD?

Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

[iCEBREAKER]

i have read most of the core code in Linux and Freebsd.

Did you  really read MILLIONS of line of code?

Linux kernel codebase is roughly 10 millions lines of code just for the kernel (excluding the comments and the toolchain to compile it. The full system with also GUI and  other stuff is roughly 2.4 billions lines).

Imagine you read 50% of it, at one second per line (whoa, you're a living compiler), it makes 158 years.


The eldest living compiler!

Now I understand you go around calling other people trolls. You have all the rights.


This little calculation avoided me to explain that if you really read at least some of the BSD and Linux codebase you would know how much tidier BSD kernelspace is.

Of course he didn't actually read "most of the core code in Linux and Freebsd."  That's absurd.

We are dealing with a poser (the worst kind of Linux fanboi is the wanna-be); notice how he splits hairs about Open vs Free BSD, yet never mentions which flavor of Linux he's jocking.

Someone who finds "freeBSD kind of difficult to understand" is probably not a *nix expert of any kind!

[kokjo]

i have read most of the core code in Linux and Freebsd.

Did you  really read MILLIONS of line of code?

Linux kernel codebase is roughly 10 millions lines of code just for the kernel (excluding the comments and the toolchain to compile it. The full system with also GUI and  other stuff is roughly 2.4 billions lines).

Imagine you read 50% of it, at one second per line (whoa, you're a living compiler), it makes 158 years.


The eldest living compiler!

Now I understand you go around calling other people trolls. You have all the rights.


This little calculation avoided me to explain that if you really read at least some of the BSD and Linux codebase you would know how much tidier BSD kernelspace is.

yes thats many lines. but not in the core code, that excludes all the drivers(90%), and all the archs(5-8%)(except x86 and arm). it not that many, i only have read 2-5% of the whole linux code, and only the parts that concerns me.
some of the toolchain i have also read, gcc and binutils, not all of it but some.
the FreeBSD source only did confuse me.

[kokjo]

i have read most of the core code in Linux and Freebsd.

Did you  really read MILLIONS of line of code?

Linux kernel codebase is roughly 10 millions lines of code just for the kernel (excluding the comments and the toolchain to compile it. The full system with also GUI and  other stuff is roughly 2.4 billions lines).

Imagine you read 50% of it, at one second per line (whoa, you're a living compiler), it makes 158 years.


The eldest living compiler!

Now I understand you go around calling other people trolls. You have all the rights.


This little calculation avoided me to explain that if you really read at least some of the BSD and Linux codebase you would know how much tidier BSD kernelspace is.

Of course he didn't actually read "most of the core code in Linux and Freebsd."  That's absurd.

We are dealing with a poser (the worst kind of Linux fanboi is the wanna-be); notice how he splits hairs about Open vs Free BSD, yet never mentions which flavor of Linux he's jocking.

Someone who finds "freeBSD kind of difficult to understand" is probably not a *nix expert of any kind!

LOL. you dont know what you are talking about.
for your information i can say that im right now on a gentoo, my home server runs ubuntu. i also have another computer which runs CentOS 5.
freebsd userland is much easier to understand then the kerneland.

[jgraham]

LOL. you dont know what you are talking about.
for your information i can say that im right now on a gentoo, my home server runs ubuntu. i also have another computer which runs CentOS 5.
freebsd userland is much easier to understand then the kerneland.

I'm a Gentoo convert (from OpenBSD actually) are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)

[timsmith]

Did you  really read MILLIONS of line of code?  ... Imagine you read 50% of it, at one second per line (whoa, you're a living compiler), it makes 158 years.

You know, it is possible to be absolutely right and yet still come across as a bit of a dick... 

[kokjo]

LOL. you dont know what you are talking about.
for your information i can say that im right now on a gentoo, my home server runs ubuntu. i also have another computer which runs CentOS 5.
freebsd userland is much easier to understand then the kerneland.

I'm a Gentoo convert (from OpenBSD actually) are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)

no not using the hardened one, i did not find it necessary on a laptop, if it was a server i would have chosen a hardened profile.

[iCEBREAKER]

Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).

The vending machine story is a great parable of why sometimes you really, really want an OS designed by electronic engineers to be secure and robust, instead of a hobbyist's toy that is beloved by hipster dot-com wannabe types and businesses that love getting a cheap version knockoff version of genuine, authentic Unix.

Let's bring the discussion back to MtGox.

If I was setting up an online exchange, I would use Red Hat Linux for the public-facing front-ends.

I would use Red Hat Linux for the database servers, both master and slaves. 

But for the critical stuff, such as the bitcoind instance, email, and SSL, etc. there is no choice except for the decision between FreeBSD and OpenBSD.  I'd go with OpenBSD for the firewall, and FreeBSD for bitcoind.  NetBSD for email.  My users would get nothing less than the most secure set-up available outside NSA.



The fanbois really should realize there is life beyond LAMP.

[iCEBREAKER]

Did you  really read MILLIONS of line of code?  ... Imagine you read 50% of it, at one second per line (whoa, you're a living compiler), it makes 158 years.

You know, it is possible to be absolutely right and yet still come across as a bit of a dick...  

You mean like someone who implies that (surprise!) some unspecified flavor of Linux is more secure than BSD, claims to have read the source code for both, then admits he actually hasn't, all while sporting a Tux avatar?

By all means, let's indulge them and clap and sing their fanboi praises while they piss on us and say it's rain.

[jgraham]

LOL. you dont know what you are talking about.
for your information i can say that im right now on a gentoo, my home server runs ubuntu. i also have another computer which runs CentOS 5.
freebsd userland is much easier to understand then the kerneland.

I'm a Gentoo convert (from OpenBSD actually) are you using the Hardened profile?

Anywhoo, as usual the only thing I'm impressed with here is the lack of math our mouse friend has. ;-)

no not using the hardened one, i did not find it necessary on a laptop, if it was a server i would have chosen a hardened profile.

Ah didn't see that bit.  I'd also recommend the GrSecurity patches (I know that SeLinux is part and parcel of Gentoo these days but I think that in general the learning capabilities of GrSec outweigh the flexibility of SeLinux in real-world deployments).  I left OpenBSD when Theo D. seemed to becoming more unhinged than usual.  I haven't used FreeBSD since 1997 and while I'm sure it's a fine OS - some of the papers I've read show kernel i/o calls with impressively low latency.   That said there is little reason to believe that a well-deployed Linux box is any worse off than a well-deployed FreeBSD box.   Especially in such a poorly defined term like "security".  Were I you,  I'd just leave the mouse alone.  Most of the arguments I've read from him are specious.  The only impressive thing he's done is change the argument scope on you.  PM me if you have questions about Linux security.

[timsmith]

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).

Actually, in my experience in the CS community I'd say that it has gone more and more Windows centric. There are good points (Windows Server is obviously a lot better than XP these days) and not so good points (et al etc etc ) to that, but it seems to be the trend regardless sadly. I'm seeing more and more "critical infrastructure" running on Windows as time goes on, even more so as people rush to outsource services (no matter how critical) to "the cloud" and similar hypervised systems. I suspect that this says more about corporate sponsorship than actual technical benefits.

If I was setting up an online exchange, I would use Red Hat Linux for the public-facing front-ends.

I would use Red Hat Linux for the database servers, both master and slaves. 

But for the critical stuff, such as the bitcoind instance, email, and SSL, etc. there is no choice except for the decision between FreeBSD and OpenBSD.  I'd go with OpenBSD for the firewall, and FreeBSD for bitcoind.  NetBSD for email.  My users would get nothing less than the most secure set-up available outside NSA.

I wouldn't. I wouldn't do any of that. Far from it, the first and only thing I'd do is outsource all the technical requirements to a third-party company. Probably one such as the one you own/work for. Then I'd put in place a whole load of over the top SLAs so that when (not "if") the brown stuff hits the fan, I can pass all the blame on to you.

The biggest danger in the world of the internet is not whether one uses Windows or Linux or OS X or FreeBSD. The biggest danger are one-man armies who think that they can knock things like this together all by themselves. No matter how clever you are, or how much experience or qualifications you have, you still need to eat, sleep and visit the toilet.

The reason that we get so many up-start disasters like this is precisely because they are set up by people who think that they are going to do one better than the last person. And there is always someone waiting to come along who will think of something you didn't think of. You can have the best operating system in the world, but if Doris the cleaner unplugs the box to put the vacuum cleaner on, it all goes down. Taking responsibility for other people's money is a dangerous game wrought with risk, and I wouldn't touch it to begin with.

[jgraham]

Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

I contend that if you are making an argument then it's up to you to support it.   Clearly, he doesn't need to convince you.  That's well and good but it still leaves the point as conjecture.

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).

I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".  Speaking as a member of the aforementioned "CS community" (a la Dijkstra :-) )

[timsmith]

I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".

Aah too true, ethereal propaganda at its finest.

They work well on management types as well:
"All your competitors use X because it's known to be more secure"
"You need to use Y because it is proven to be more efficient"
"Recent research has shown that Z has the best uptime"

For less technically savvy managers, consider replacing "secure" with "virus-proof", "efficient" with "virus-resistant" and "uptime" with "virus protection"

[jgraham]

I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".

Aah too true, ethereal propaganda at its finest.

They work well on management types as well:
"All your competitors use X because it's known to be more secure"
"You need to use Y because it is proven to be more efficient"
"Recent research has shown that Z has the best uptime"

For less technically savvy managers, consider replacing "secure" with "virus-proof", "efficient" with "virus-resistant" and "uptime" with "virus protection"

Ok, Tim don't take this the wrong way but I love you.

I'm well familiar with that situation.  Some of the research these "whitepapers" quote ranges from funny to insulting.   I remember once someone gave me some vendor rag that said "Model XXX rackmounted server is 15% more power efficient than the average for it's class".  I wish I could have been the math teacher for the writer of that article...so I could fail him.

It gets worse.  I used to get a bunch of security trades (because as soon as that word gets attached to your title people want to start selling you stuff).  I read a comparison of Email filter appliances and it ranked them on about four pieces of criteria....except how they filtered email.

I canceled all my subscriptions.

[muad_dib]

May I ask, to the poster of this topic, if any of you ever deployed a PCI DSS compliant infrastructure?

[iCEBREAKER]

Your original point seemed to be that FreeBSD is more secure than Linux.  I'd say you haven't made your point.

He doesn't really need to.  

I contend that if you are making an argument then it's up to you to support it.   Clearly, he doesn't need to convince you.  That's well and good but it still leaves the point as conjecture.

In the CS community, it's well known that BSD is more stable, secure, and the best OS for critical infrastructure, while Linux is more friendly, flexible, and better for hobbyists or businesses that can save money (by hiring cheaper Linux fanboi rather than expensive real computer scientists).

I always find it interesting that people want to refer to the outcome of applying a complex and nuanced term like "security" to some product as being "well known".  Speaking as a member of the aforementioned "CS community" (a la Dijkstra :-) )

Referring to a commonly known fact, such as the security of BSD vs Linux, is not an argument.

Even if there happens to be a gainsaying fanboi present to dispute the widely recognized consensus reality.

I always find it interesting that people want to refer to the principal concepts of a conversation as "complex" and "nuanced" as a way appear more deeply thoughtful than the other participants.

BSD is not merely a security "product" it's the platform that the internet, and later the web, was built on and still runs on, to a large extent.

Please re-read my use of the phrase "well-known" in its proper context of me speaking about the real CS community.  And by "real" I mean EECS engineers and computer scientists, not cloud-happy corporate consultants and l33t Geek Squad linux fanboi.

[muad_dib]

yes thats many lines. but not in the core code, that excludes all the drivers(90%),

drivers dont account for that much. They are roughly 55%

http://cityblogger.com/archives/2008/06/16/linux-kernel-stats

and all the archs(5-8%)(except x86 and arm).

I'm sure you know that source code doesn't depends on archs, as archs are handled by compilers.

But I'm sure you know that.

the FreeBSD source only did confuse me.

I think your confusion might not arise from BSD.

[muad_dib]

some people would also find it easier to run windows xp on your vending machine.

Good luck running xp on arm. Without a GUI.

Or trying to get PCI DSS compliance for XP.