Bitcoin Forum
Author Topic: About Mt. Gox flaw from a security expert  (Read 34096 times)
BBanzai
June 21, 2011, 05:18:37 AM
 #121

I actually had to skim after the third page...any of you "experts" running VMS?  If you're going to pose and strut about security and all.
BBanzai
June 21, 2011, 05:27:16 AM
 #122

Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips" 
  I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.
iBTC
June 21, 2011, 05:56:59 AM
 #123

Unfortunately this topic has turned into a dick-measuring contest.
dr.bitcoin
June 21, 2011, 05:57:43 AM
 #124

Wow, this thread was fun to read...
jgraham
June 21, 2011, 06:01:35 AM
 #125

Quote from: BBanzai
Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips"
I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.

I'm not an expert (someone with some particular level of expertise), I'm a professional (someone who does this for a living).  I haven't touched VMS since I was eighteen and was hired to develop for the Ministry of Education's 8530.  I admit I found DCL's parameters and qualifiers rather intuitive and I think I've always had some admiration for Cutler.

My only opinion here is that systems like these are difficult to compare.   For example VMS has a bunch of security certifications, which might be okay when comparing it against other proprietary systems with money behind them, but few Linux distros would bother getting an E3 certification.  Especially since the Common Criteria covers, IIRC, hardware and software.   So it's not enough to certify Linux; if memory serves you would be certifying some collection of server + OS.  Which makes it of more value to those vendors who have control of the hardware and the software.

Otherwise what do we compare on?

Do we count flaws?  Hardly fair even if these counts existed since these systems are not nearly as widely used as Linux.
Features?  Does it do ASLR? Who knows? How much entropy is in their implementation?
See what I mean?

It's not as clear as comparing a Non-Stop system to a Linux system.

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
CubedRoot
June 21, 2011, 06:05:23 AM
 #126

Quote from: iBTC
Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the water's cold, ain't it?
iBTC
June 21, 2011, 06:08:10 AM
 #127

Quote from: CubedRoot
Quote from: iBTC
Unfortunately this topic has turned into a dick-measuring contest.
Yeah, the water's cold, ain't it?
:]
cuddlefish
June 21, 2011, 06:12:47 AM
 #128


Quote
As an expert you should be aware that security and reliability are not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Quote
Reliability is strongly connected to security. If you need to patch, reboot, or manage an intrusion, then your reliability goes down. It also means that there is less security maintenance (even though the FreeBSD update process is more obscure).

The table shows us that if you want to be the most reliable, you need to choose Unix.

Or you can count privilege escalations: 61 bugs in the last 7 years for Linux, 3 for FreeBSD.

Or you can count vulnerabilities, even though, FreeBSD being smaller, this is a biased comparison.

Or you can do a very rough estimation:

Google "Hacked by" + linux: 2.3 million results

Google "Hacked by" + FreeBSD: 230.000 results (one fold less!!!)

Anyhow, let's put it this way: my opinion is that FreeBSD is the most secure, reliable and scalable OS. You think that Linux is more secure than FreeBSD.


The Linux kernel uptime rolls over at 497 days. The system doesn't go down, the uptime is just reset.

Linux, incidentally, has more eyes, so more seen bugs.

I like freebsd, but linux is much better for sysadmins.
BBanzai
June 21, 2011, 06:13:53 AM
 #129

It's been "Open" VMS for quite some time now.  I lost my hardon for programming about the time 386's became de facto...but as far as I can tell, real banks use VMS.  So go hack, kids.  And use a man's knife...I agree that the BSDs are hardened better than walking around scratching Linux, and Solaris is perhaps a better choice, again, because of who uses it.  But if you want a sword and a suit of armor, learn VMS.
BBanzai
June 21, 2011, 06:26:22 AM
 #130

And to the little mouse in the moon.  Arrogance will get you lots of places, but history says that you were blind.
jgraham
June 21, 2011, 06:37:06 AM
 #131

Quote from: BBanzai
It's been "Open" VMS for quite some time now.  I lost my hardon for programming about the time 386's became de facto...but as far as I can tell, real banks use VMS.  So go hack, kids.  And use a man's knife...I agree that the BSDs are hardened better than walking around scratching Linux, and Solaris is perhaps a better choice, again, because of who uses it.  But if you want a sword and a suit of armor, learn VMS.

So are the default admin credentials still system/master on VMS?

Like I say, it's not really that cut-and-dried; there are dozens of reasons to use an operating system that have nothing at all to do with security.  Even if you are a bank.  At the trust company I worked at we used VM/CMS.  Why?  Because we had an S/390 and we had a huge and profitable piece of software written for it.  Was the system secure?  Who knew? Although as time went on the edge systems were converted to AIX.


BBanzai
June 21, 2011, 06:57:33 AM
 #132

Admittedly outside of my experience, but I'm embarrassed by the "experts" in here that are experts at catching low-hanging fruit.  Keep your enemies closer, as they say, what weapons do they wield?
muad_dib (OP)
June 21, 2011, 07:21:01 AM
 #133



Quote
You sound like a douchebag.  Your original post and subsequent posts made me look at your posting history, and yup, you don't know shit.

Maybe you missed all the insults I got.


Quote
edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.




You simply need to read my posts better. If you lack basic reading skills, it is not my fault.


Quote
1.  I am a Redhat Certified Engineer,


And I won a nobel for having the longest dick.

I'm sorry, but buying a certificate is not going to make you a more educated person. In my country we have something called a "College Degree".

Moreover, here we're discussing facts, not people.
muad_dib (OP)
June 21, 2011, 07:22:36 AM
 #134



Quote
Got a makefile for your *BSD bitcoind build you'd like to share?

Would help the community with more/different OS builds out there.


I don't think we need to run bitcoind on BSD. You can or you can't, depends on your choice.


The web frontend needs to run on bsd, FOR SURE.
jgraham
June 21, 2011, 07:39:48 AM
 #135

Quote from: muad_dib
Maybe you missed all the insults I got.

The most recent thing you labeled an "insult" was my statement that you "betrayed your skillset".  Seems like you need reading lessons.
Quote from: misdirecting_dib
edit: I'm going to re-write this bit:
The problems with counting flaws are myriad.  

you simply need to read better my posts. If you lack basic reading skills is not my fault.
And yet you said: "It's a question of counting flaws and measuring uptime."  Perhaps your huge ego has some room to accept the possibility that your problem with communication (and it's pretty clear you have one) is with the writer, not your readers.

Quote from: malapropism_dib
The web frontend needs to run on bsd, FOR SURE
What happened to talking about facts?  That's just conjecture.

muad_dib (OP)
June 21, 2011, 07:41:54 AM
 #136


Quote
i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.


Please, go to the authors of Wayland and stop them while you're still in time!!!

X can be patched! We don't need Wayland!!!!

Quote

ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.


The fact is that the website is not safe TODAY, not tomorrow.

With all the money they have, they can buy a lot of manhours for debugging.

Quote

These two assumptions make me wonder if you've ever really been involved in large-scale development work.

Anyway looks like the mouse has taken his ball and gone home...

This sentence gives me the proof that not only do you lack basic reading skills, but you also lack reasoning skills.
muad_dib (OP)
June 21, 2011, 07:50:47 AM
 #137


Quote
I realized this guy was a dumbass when I read number 1.  I am a Redhat Certified Engineer, and I have several close friends and co-workers that are Linux Administrators for DoD, ORNL, and Y-12 (All in Tennessee).  Here is a reason why every single freaking one of these institutions relies on LINUX (mostly RHEL) for the utmost security. The OP has obviously no idea what SELinux is or just how actually secure it is.  It's a shame there are so many self declared "security experts" involved with Bitcoin.  I am no expert, but I do know my ass from a hole in the ground.

You know? You're funny.

You call yourself an engineer because you bought a piece of paper, still you don't know that SELinux is not only for Linux. But obviously you saw Linux in the name and tried to make a conclusion.


You call yourself an engineer, still you don't know that there are much better ways to secure a webserver, which aren't going to stop some of your services.
muad_dib (OP)
June 21, 2011, 07:52:17 AM
 #138


Quote from: jgraham
What happened to talking about facts?  That's just conjecture.

I got bored of you flamers.


You discuss like you're an expert about SELinux, still you missed that it isn't just for Linux.


You can't know how funny your people are.

The problem is that I can't joke all day long, I've got a job. Unlike some of you :)
jgraham
June 21, 2011, 07:52:26 AM
Last edit: June 21, 2011, 09:46:19 PM by jgraham
 #139

Quote
i) Re-writes are rarely the answer and if you must do them targeted re-writes are better than whole app.  New code tends to mean new bugs.  It's often a case of the devil you know vs. the devil you don't.
Quote
Please, go to the authors of Wayland and stop them while you're still in time!!!
X can be patched! We don't need Wayland!!!!

Well I guess you don't win any reading awards.

Quote
ii) It seems to imply that you couldn't just do a parallel development.  MG definitely has money and they are hiring.  No reason why you couldn't put the current code on maintenance and move your best talent to make the new branch.
Quote
The fact is that the website is not safe TODAY, not tomorrow.
If it will take a month to rewrite the code from scratch and do all end-to-end testing, and it is considered infeasible to take the site down, then the site will be up whether they are re-writing the code or not.  So you might as well write the new code.  Clearly your experience with SDLC is a little thin.


Quote
These two assumptions make me wonder if you've ever really been involved in large-scale development work.

I think this point stands mousey!

BBanzai
June 21, 2011, 07:53:56 AM
 #140

Ahhhh, little mouse, still boxing with shadows when you could be saving the world?  I expected better of an Atreides.