About Mt. Gox flaw from a security expert

[cunicula]

I agree that you largely understand what you are talking about (as far as statistics) and that your English could be the primary cause of residual confusion. However, you are still making
overly confident statements, without taking a 'wikipedia moment' to verifiy them.

Anyhow I would like to point you that a statistic IS NOT a random variable.

http://en.wikipedia.org/wiki/Statistic

[1715036419]

1715036419

[1715036419]

1715036419

[1715036419]

1715036419

[muad_dib]

LOL *rolls on floor laughing*. That's a good one! You do realise that we're talking about kernels here, right? Compilers don't know about page tables, or context switching, or power management, or interrupts (on most platforms), or any of a number of important architecture-specific things that kernels need to manage. The code to handle this is in the architecture-dependant arch/ directories of the Linux kernel. (I believe the BSDs handle the seperation between architecture-independant and architecture-specific code differently. Never used them though.)

I'm not saying the code is the same. I'm saying that the toolchain handle this.

Android is not Linux. Developing Android drivers and porting it to a new hardware platform is not that similar to developing Linux drivers and porting that to a new platform. Android's based on the Linux kernel, but it has enough fundamental changes to the driver APIs that they're not really compatible.

I'm not sure I see your point.

[jgraham]

I agree that you largely understand what you are talking about (as far as statistics)

Uh really?  So you really think that calculation is meaningful?   How about you tell me why you think that.

Sorry if I'm making a broad assumption here but I'm getting the idea that you two are just trading wikipedia references.

[muad_dib]

I agree that you largely understand what you are talking about (as far as statistics)

I'm grateful that I'm not the only one who tries to step down this flamewar


 

and that your English could be the primary cause of residual confusion.
However, you are still making
overly confident statements,

You probably are true, still I see some of the posters of this thread as haters.

When I say:

Also Linux should frowned upon

I'm not saying that linux is not secure. But just as I refuse to think that IIS+windows is as safe as LAMP, I refuse to accept that BSD is as safe as linux.

Moreover if the subject is defended by people who thinks that SElinux is a flexible linux distro, or who states to be able to read 10 millions of code as if it was water.

without taking a 'wikipedia moment' to verifiy them. Anyhow I would like to point you that a statistic IS NOT a random variable.

http://en.wikipedia.org/wiki/Statistic
[/quote]

I love wikipedia, but I have to say that is not the most reliable source when you're dealing with science.

The fact that wikipedia says:

A statistic is an observable random variable

moreover writing observable in italic, should suggest you that the author is trying to explain a very complex concept with a very short description.

Behind this there's one of the biggest problem of modern mathematics, behind the name of theory of measure.

I do personally refuse to accept the Kolmogorovian axioms or the existence of real numbers, and this force me to use a much stricter formulation of statistical theory. But even without these two problems, defining a statistic as a random variable is a stretch.

Maybe if you have this book (it's the bible of statistic, it can be easily found in any scientific library) I could point you to some deeper analysis.

[Vladimir]

Come on people, argument what is more secure Linux or BSD is so irrelevant when the sysadmin has hands growing out of his backside. And frankly, in the real world the later is usually the case.

[jgraham]

I'm grateful that I'm not the only one who tries to step down this flamewar

There actually isn't a flamewar going on.   The alternation between your off-the-chart arrogance combined with your refusal to elucidate (and your pretty compulsive need to denigrate folks).  You have painted yourself as the provocateur while taking on the role of the victim.  Perhaps you only see a fight because you are looking for one eh?
 

You probably are true, still I see some of the posters of this thread as haters.

Actually that's a good illustration there.  The last thing I read you labeled as an "insult" was how I had said you "betrayed your skillset".  Sound like that could easily be you looking for an opportunity to take offense.

I'm not saying that linux is not secure. But just as I refuse to think that IIS+windows is as safe as LAMP, I refuse to accept that BSD is as safe as linux.

Good choice of words.  "Refuse to accept" this illustrates well how what we are observing with you is a non-rational process.

Moreover if the subject is defended by people who thinks that SElinux is a flexible linux distro,

Hmmm...again you are kind of making things up.  There's nowhere where anyone said or implied that.

Maybe if you have this book (it's the bible of statistic, it can be easily found in any scientific library) I could point you to some deeper analysis.

That's an old horse isn't it?  The old "Well you just have to read this book" dodge.  LOL.

[Webengers]

As an expert you should be aware that security and reliability is not the same thing. Also, if you look at the full table, the bottom two providers with a lot higher outage than everybody else run FreeBSD. If you calculate an average, FreeBSD will be much worse than the other solutions. Basically you can pretty much get any result you want from this list.

Reliability in strongly connected to Security. If you need to patch, reboot, or manage an intrusion then your reliability goes down. It also means that there is less security maintenance (even though freebsd update process is more obscure).

The table show us that if you want to be the most reliable, you need to choose unix.


Or you can count privilege escalation: 61 bugs in the last 7 years for linux, 3 for freebsd.

Or you can count vulnerabilities, even thought being freebsd smaller, this is a biased comparison.

Or you can do very rough estimation:

Google "Hacked by"+ linux: 2.3 millions results

Google "Hacked by"+ Freebsd: 230.000 results (one fold less!!!)


Anyhow let's put this way: My opinion is that FreeBSD is the most secure,  reliable and scalable OS. You think that Linux is more secure than FreeBSD.

I totally agree with you on this metric. Obviously, it follows with what I, a bona-fide security expert grade III red belt level with tactical upgrades and laser vision (tm), have always said: The most reliable, least vulnerable way to serve webpages is through a modified vintage 1995 Nintendo Virtual Boy.

Google agrees with me, as "Hacked by"+"virtual boy" has a mere 61,300 results.

Prove me wrong. I dare you, because I just bought a pair of x-pert system II zookas and a nintendo power glove. It's hooked to my keytar, with a wii wammy bar and a silicon 3d aggregator nanostruts mashup through UG ajax immersion portals.

Obviously, this is all coded in COBOL. It's the safest language.

Haha, Agreed. I'm not a Linux fanboy, but as soon as he started touting the security benefits of FreeBSD over the security Benefits of Linux he loses all credibility. The services that are normally exploited are generally run by multiple Unix clones. Securing a system takes an experienced *nix sysadmin and someone who understands networking and routing thoroughly, that's it.

[jgraham]

Haha, Agreed. I'm not a Linux fanboy, but as soon as he started touting the security benefits of FreeBSD over the security Benefits of Linux he loses all credibility. The services that are normally exploited are generally run by multiple Unix clones. Securing a system takes an experienced *nix sysadmin and someone who understands networking and routing thoroughly, that's it.

...or the places where FreeBSD had to take stuff from Linux to secure itself.

As I've been saying from the beginning anyone who asserts there is some clear winner in "security".  Will probably fail in one of two things:


i) Defining "security' generally.

Muad_Dip while he did provide a definition.   It's rather incomplete he said that "It's a matter of counting flaws and uptime".  Especially when you consider he is talking about reported flaws (the vast majority of which have been fixed).  Not taking into account standard modeling practices.   Or providing a reference as to if uptime (or how much) is the result of security events.   In fact as you can see from the way he tends to use data that he assumes that not only is ALL uptime security related but with almost zero variance.

ii) Defending the point that system X is actually better by these criteria.

Similarly Muad_Dip gave us very little.  A database of flaws that are largely fixed.   No rationale as to why that means anything and some top 40 hosting services reliability index with no rational reason why things like DNS latency should be considered part of the equation.  A constant reference to the "top three' but a casual ignoring of the  bottom two FreeBSD machines which were an order of magnitude worse than any other system at all.  Oh and some silly evaluation from ten years ago with rather subjective and unweighted evaluations....using "smiley" and "frowny" faces as the markers of better or worse systems.   Really.   He even called this "objective" data.

[akcom]

You people get so caught up arguing over every unimportant little nuance you've forgotten the point: mtgox is completely unsecure.  Do you really believe someone had 500,000 BTC in their account? Yeah right.  mtgox's account was hacked.  They're making tons of money but make no investment to fix their piss poor security.

As for this linux *bsd debate, I see a lot of people talking out their rear.  Reading wikipedia does not make you a security expert.  Running gentoo does not make you a linux expert.  And neither of these things qualify you to speak on the topic of network security.  *bsd is the first choice when security is the major concern, period.  Google bsd security if you don't believe me.

[cunicula]

defining a statistic as a random variable is a stretch.

Maybe if you have this book (it's the bible of statistic, it can be easily found in any scientific library) I could point you to some deeper analysis.

Don't have that text on my computer, but surely you would accept a quote from the same author's "Introduction to Mathematical Statistics."

Definition 1. A function of one or more random variables that does not depend upon any unknown parameter is called a statistic. ...
It is quite clear that a statistic is a random variable. In fact, some probabilsts avoid the use of the word "statistic" altogether, and they refer to a measurable function of random variables as a random variable."
Ch 4. p122-123

I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

[jgraham]

You people get so caught up arguing over every unimportant little nuance you've forgotten the point: mtgox is completely unsecure.  Do you really believe someone had 500,000 BTC in their account? Yeah right.  mtgox's account was hacked.  They're making tons of money but make no investment to fix their piss poor security.

Soooooo if it was hacked why did most of the transactions come from one account?  If they had kept them all separate and made separate withdraws it would have increased their take and slowed their discovery.   Instead they took a whole extra step to consolidate all their accounts.

As for this linux *bsd debate, I see a lot of people talking out their rear.

Me too.

Reading wikipedia does not make you a security expert.  Running gentoo does not make you a linux expert.  And neither of these things qualify you to speak on the topic of network security.  *bsd is the first choice when security is the major concern, period. 

Similarly saying "first chioce" doesn't make it so.  Saying "period" doesn't really make your case any stronger.   In fact asserting things when allegedly the evidence is easily found but somehow you just couldn't bring yourself to link to it....Kind of weakens your case doesn't it?

FreeBSD is a fine operating system, so is OpenBSD.  At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.   Feature parity is reached and some of Theo D's decisions over the last five years have been...idiosyncratic. 

[jgraham]

I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

Lots of book quoting there.   Any chance you'll get around to answering my question?

[cunicula]

[/quote]

Lots of book quoting there.   Any chance you'll get around to answering my question?
[/quote]

Sorry, the topic of my posts was the OP's use of statistical terms and how misuse of terminology might make him appear to readers.

I don't know anything about OS security and I don't have an opinion about the OP's OS security argument. Need to know a lot about the data generating process to assess whether a raw correlation is meaningful. OP's data (if they exist) might not be from a random sample. Even if they are, operating system use is a choice variable (not randomly assigned). Security metric used by OP may or may not be a good metric.

Not responding anymore to this thread, so please bait someone else.

[jgraham]

Sorry, the topic of my posts was the OP's use of statistical terms and how misuse of terminology might make him appear to readers.

My question was also about his use of terminology.  I asked you how you found any of the statistical information muab_dib posted actually meaningful.  Most of the time he seemed to just be splattering statistical terms without any consideration as to what outcome he was trying to determine.  He used terms like hypothesis testing, confidence levels but was clearly missing knowledge like he didn't seem to understand that you can't just arbitrarily choose a CL post-hoc and make your result more "meaningful".  So it didn't really seem  he knew how to apply them  or what their limitations are.

There's a salient difference between someone who actually *does* statistics and someone who simply *performs* them.   The former understands how the operations they are performing actually work.  So they reflexively know the limitations, what kind of data you need, what kind of tests get what kind of result.  If you talk to this kind of person the first words out of their mouth are about framing the problem and the next are about framing the data.  I found it interesting that instead of criticizing his almost entire lack of explanation of how the statistical operations he alluded to actually gave *any* kind of meaningful result.  You wanted to talk about the definition of the term "statistic" - over and over again. 

Need to know a lot about the data generating process to assess whether a raw correlation is meaningful. OP's data (if they exist) might not be from a random sample. Even if they are, operating system use is a choice variable (not randomly assigned). Security metric used by OP may or may not be a good metric\

Actually I didn't necessarily ask if it was a good metric.  I just asked what made you think what he said was meaningful.   You would, or should know that to a point you can analyze the approach someone is taking.  This would drive you to want to know about their data.  You had no questions about that at all.  All you were on about were things that you could validate if you say...read a web page about statistics.

Not responding anymore to this thread, so please bait someone else.

Guess you had to get out of this jam somehow.

[muad_dib]

Don't have that text on my computer, but surely you would accept a quote from the same author's "Introduction to Mathematical Statistics."

Definition 1. A function of one or more random variables that does not depend upon any unknown parameter is called a statistic. ...
It is quite clear that a statistic is a random variable. In fact, some probabilsts avoid the use of the word "statistic" altogether, and they refer to a measurable function of random variables as a random variable."
Ch 4. p122-123

This is a simplification. The author correctly say that SOME probabilist  does this. Even if most mathematician accept Real number this doesn't mean they exist.

I couldn't find the book you refer to in the torrent, so let's take again wikipedia:

http://en.wikipedia.org/wiki/Random_variable#Functions_of_random_variables

If we have a random variable  on  and a Borel measurable function , then  will also be a random variable on , since the composition of measurable functions is also measurable.

What if my statistic is a composition of measurable and non-measurable functions?

It can be non measurable for many reason:

1) The statistic domain is non-measurable

2) The statistic itself is non-measurable

3) The statistic works on infinite vector spaces

The situation is much more complex then how you want to picture it.

I think you are selling yourself short. Why talk out of your ass like nobody's business? You know some stuff, but not anywhere near as much as you claim. Are you surprised that this ignites a flame war? Take a humbler approach to introducing yourself and turn down the bullshit dial, people may be more welcoming.

I don't have a good answer for this. Again I see people making wrong affirmations and insulting others, still I'm the one to calm down?

Just like you're doing now: you don't know my background, still you accuse me of being over my head. If I were in the university I would take out my papers and my citations, and I would ask you to do the same. On the internet is different, so please refrain to speak about people's ability, if you are not sure.

[iBTC]

At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.

But -in your opinion- it's still a good security-wise, right?
If not, do you care to explain more?

[kokjo]

@maud_dib:
i am now going to cut it out for you:

if you look at wikipedia: http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Servers
you can see that the usage of BSD i between 2.4% and 5.35%.
and linux is between 16.9% and 74.29%

we can therefor conclude that linux is more used then freebsd.
and we can assume that linux is getting more attention from hackers and security experts.
because of that we and assume that linux will be exploited more.
and if there are more security holes found in linux, they will also be fixed.

in freebsd which does not get as much attention as linux, we can assume that people are not finding the hacks/exploits.
and the holes will not get fixed!

if you cant follow my very simple argument, please feel free to ask.

@to all others:
HE IS A TROLL!

[jgraham]

Even if most mathematician accept Real number this doesn't mean they exist.

There are plenty of deep thoughts about the "reality" of the reals.  Even some fun ones like Borel's all-knowing number but your argument is essentially is claiming that cunicula is making an ad populum fallacy.   All that aside, what few mathematicians would deny is the necessity of the reals.  Which is, incidentally all that's required to talk about - you know - your approach and metrics with regard to security.  

What if my statistic is a composition of measurable and non-measurable functions?

Why not give us a concrete example from a field of our choice of this kind of statistic?

I don't have a good answer for this. Again I see people making wrong affirmations

How do you know they're wrong?  Perhaps you're drawing wrong conclusions based on your poor language skills?  Like you did with the exchanges about SELinux.  Hmm...a concrete example of you being wrong but...no examples of these other people making "wrong affirmations".  Strange!

and insulting others,

Where "insult" can mean just about anything I guess.  Given again that to you "betraying your skillset" can be an insult.  Rather than simply an example of you not understanding the term.  Also considering that you have laid out as many or more (real) insults - in some case to people who had not insulted you.  (Oh and you continue to send them to me privately - very classy!)  
Do you really think you've got any moral high ground left here?

Here's a real gem:

Please respect my objective opinion. I will respect your personal belief.

....and somehow you think you thought this would go over well.

still I'm the one to calm down?

Are you admitting you're not calm here?  Anyway, I'd say that you need to simply be open to explaining yourself.  You know like you haven't been doing this entire time.  Your arguments should stand on your own.  Not turn into some nonsense expression of your arrogance.  That somehow everyone must bow to your opinion - with little or no explanation.   Yeah, real humble.

Just like you're doing now: you don't know my background, still you accuse me of being over my head.

...and by the same token.  You don't know his so how do you know he is wrong?

If I were in the university I would take out my papers and my citations, and I would ask you to do the same.

Who cares.  As someone who works in academia there are plenty of profs who talk through their asses.  Especially if, for example they are talking outside of their field. i.e. While engineers, medical researchers, and even some lowly security personnel are bright people and use statistics daily - sometimes even correctly ;-).   They are still 'out-of-field' when talking *about* statistics.  In the same way that people who drive a car to work every day doesn't make them a mechanic.

On the internet is different, so please refrain to speak about people's ability, if you are not sure.

Shall I quote all the places you've done this about other people in this thread without having objective evidence?  Hmmm?  All the insults you laid out to people like kokjo?

At one time OpenBSD would have been the top of the heap for security but as I've said times have changed.

But -in your opinion- it's still a good security-wise, right?
If not, do you care to explain more?

Sorry if this is a broader answer than you were wanting but...
I don't have an opinion on the security of say OpenBSD in a broad sense because I don't have a useful general definition of "security".  

What I do see is that OpenBSD has similar *mechanisms* to secure itself when compared against say Linux. There is also a group of people concerned with the security of the OS and there exists a body of knowledge on securing the system.  These are all positive things.   There may be various advantages and disadvantages to individual elements but it's not always easy to judge this kind of thing.

For example: lets focus on one talking point I've mentioned a number of times (or perhaps 'harped on' ;-) ).  ASLR - PaX (which is available through a series of patches to the Linux kernel or pre-patched sources from the Gentoo hardened branch or from pre-compiled kernels) does the most complete job of address randomization. Better than execshield (which is what RH and other Linux's use OOTB), and W^X (in OpenBSD).  For example the bit size for stack randomization in PaX is double that of W^X.  There are also fewer guarantees as to what will or won't be protected using W^X.  Especially with regard to the Kernel - as of the last release I looked at.  A problem with the kernel stack will not be prevented by W^X.

That said PaX needs to be enabled whereas  W^X is available out of the box (so is execshield btw).  This is a double-edged sword.  In one case W^X protects everything in userspace because it's patched not the Kernel calls but malloc.  The downside is that this breaks compatibility.  So W^X becomes a kind of all-or-nothing game.  If you had a piece of code for which there was no source and was incompatible with W^X then your whole system would have to not use W^X.  In a lot of cases this doesn't matter because OpenBSD doesn't allow things that Linux does like binary-only drivers.  However often enough you as the security professional don't get to make that choice.  For example I can set and enforce (sometimes ;-) ) standards but I rarely can dictate their implementation details to them vis-a-vis "Never use binary drivers".  

Non-trivial isn't it?...and that's comparing just. one. mechanism.  While I think ASLR is a great idea because it is one of the few *proactive* mechanisms that have come out in the last ten years.  I'd be an idiot if I were to treat it as the only thing that matters.

So as I've said before comparison of operating system "security" is subtle and nuanced and anyone who suggests it's cut-and-dried is probably telling you out of some combination of ignorance and/or deceit.  OpenBSD is good (Especially if you're writing code, I love having a rich crypto API guaranteed to be on any install), FreeBSD is good (but lacks some mechanisms that other OS's or even BSD's have), Linux is good (When patched with PaX and some kind of RBAC).  All of them can be secured by someone with the right knowledge.  Whether they can be secured to the needs of a particular project obviously depends on a myriad of other factors.

Hope that helps.

[kokjo]

now i got proof he is a stupid troll
HE IS NO SECURITY EXPERT!
proof:
he dont even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he a difficulties fuguring out what a serial port is lulz

[jgraham]

So given all the "BSD is hands down superior to Linux in terms of security" trash talk that's been going on around here.  See statements like this:

"*bsd is the first choice when security is the major concern, period. "
"I refuse to accept that BSD is as safe as linux."
"Use the right software. IIS is a big no-no Smiley Also Linux should frowned upon."
"My opinion is that FreeBSD is the most secure"
"it's well known that BSD is more stable, secure"

Imply to me (correctly or incorrectly) that Linux *can't* be secured as well as a BSD box.   Remember the context in all these posts was about Mt. Gox or enterprise systems in general.  So the idea that we are talking about some out-of-the-box hobbyist install seems unreasonable.  Clearly Mt. Gox hardened their system before deployment.   Likewise anyone deploying a system which contains sensitive information but is going to be on the internet to do the same.

So to hold such an opinion rationally.  Suggests that such folk must Know some way to circumvent a secured Linux box.

...and given what a kind-hearted gent I am I'd like to give them a chance to show me how.  So I'd like to discuss a B&E contest.  With some kind of prize say 20-30 BTC?  Off the top of my head the system should be a typical edge device (HTTP and/or email).

If you're interested post here with comments, questions or concerns (or perhaps I'll start a new thread).

Psst...BSD affectionados? That slapping sound? It's a gauntlet crossing your face. ;-)*

*Yes I know some of the excuses will be that it's not enough money or too much time...I'll just say "whatever" to those now.  Just to save time.