About Mt. Gox flaw from a security expert

[minerX]

now i got proof he is a stupid troll
HE IS NO SECURITY EXPERT!
proof:
he dont even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he a difficulties fuguring out what a serial port is lulz

Dude I said this like 100 page ago.  Even reviewing his bitcoin.org forum posts outside this thread it's very clear he has no idea what he is talking about.  He might have some buddy who is telling him random snippets of information to make him seem credible, but otherwise he is completely full of shit.

Troll.

[jgraham]

now i got proof he is a stupid troll
HE IS NO SECURITY EXPERT!
proof:
he dont even know the "man" command.
http://forums.speedguide.net/showthread.php?246598-SSH-tunnel-over-SQUID <- ...
http://www.nntpnews.info/threads/10211241-MySQLdb-SSH-Tunnel <- RTFM
http://www.embeddedrelated.com/usenet/embedded/show/125019-1.php <- here he a difficulties fuguring out what a serial port is lulz

Dude I said this like 100 page ago.  Even reviewing his bitcoin.org forum posts outside this thread it's very clear he has no idea what he is talking about.  He might have some buddy who is telling him random snippets of information to make him seem credible, but otherwise he is completely full of shit.

Troll.

Also...quoting from wikipedia and a textbook he downloaded.  I wonder if the other guy talking stats with him (equally vapidly) was his friend.

[Jack of Diamonds]

Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment

[minerX]

Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment

Strangely enough it started as him quoting a security expert.  It has now regressed into HIM being the security expert. 

But I seriously don't think he will delete his posts.  He is the type that thinks he is right no matter what, even if the whole forum world is against him.

[jgraham]

Why are you calling yourself a security expert?

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

This thread is some hilarious stuff. In a nutshell, he just keeps googling things he has no idea about.
Someone should save it in case he starts deleting his posts in embarrassment

Strangely enough it started as him quoting a security expert.  It has now regressed into HIM being the security expert. 

But I seriously don't think he will delete his posts.  He is the type that thinks he is right no matter what, even if the whole forum world is against him.

Really did he edit his posts or was that from another thread.

Besides he's kind of out-of-date.  Last year was the year every third person I met was a security consultant...this year they're all "Cloud Services" consultants. :-)

[Horkabork]

I just found out that, according to these standards, I am now apparently a security expert! Oh man I'm totally going to put this on my resume. I even know the "ls" command in linux. One time, I actually understood and laughed at an XKCD comic that said "sudo go make me a sandwich". That's like top level security expert qualifications right there.

[iBTC]

Hope that helps.

It did help, thanks

[BBanzai]

Disclaimer: I am not a programmer.  But I know how to find out about industry standards:  "the marketing director of Compaq's OpenVMS Systems Group states that there are over 400,000 systems running OpenVMS, supporting over 10 million users. Sample VMS customer sites include: numerous stock exchanges, Bank Austria, Government Securities Clearing Corporation (GSCC), International Securities Exchange, Hydro Quebec, and Northern Light. Intel's fabrication plants rely on the use of VMS in the fabrication of their Pentium 4 and Merced class chips"  
  I have, however, attempted beating up a VAX.  I won, barely, but this was 20 years ago.  They have been improving it since then.

I never had the chance to play with Itanium.


Anyhow I'm not sure that there's a real need for Itanium. It's so overpriced that many times it is out of the market.

Take this as an example: Do you really think that a closed source OS, deployed just on 400.000 machines, is going to be safer or more reliable that an open source OS on x86, at same level of cost?

I am slow to respond, but I'm beating the same drum.  What equipment are your enemies using?  Which O.S.? Can you fight them as efficiently with your Linux Ninja stars and spears and your virtual drums?.  Not recognizing that you, yourself, personally, are at war is the damndest downside to considering oneself an expert.  I'm not saying that you cannot win, just drawing attention to what I see as a basic problem.

[muad_dib]

But I seriously don't think he will delete his posts.  He is the type that thinks he is right no matter what, even if the whole forum world is against him.

Well if the objectors say that they can read 10 millions lines of code, well, is a good thing not to change your opinion on their statements.

Changing opinion following what most people think, means you are a sheep.

[muad_dib]

I just found out that, according to these standards, I am now apparently a security expert! Oh man I'm totally going to put this on my resume. I even know the "ls" command in linux. One time, I actually understood and laughed at an XKCD comic that said "sudo go make me a sandwich". That's like top level security expert qualifications right there.

No first you need to buy a paper and call yourself an engineer.


So much hate in these posts.... I bet most of the people here are unemployed and unemployable....

[Jack of Diamonds]

So much hate in these posts.... I bet most of the people here are unemployed and unemployable....

What is your work experience in the security field?
What academical qualifications do you have besides googling concepts?

Who can vouch for your skills or known projects in any white or blackhat forum?
Do you know anything at all about programming a secure site or platform?

If you can't answer any of these questions then you're just another video game playing kid
in his mom's basement who was overwhelmed by 2 books on programming & tries to be something he's not.

It might work on your senile parents but you are in the real world now.

[muad_dib]

Do you have some work experience or public credentials besides a neckbeard and an old laptop?

Some people in this thread thinks that SElinux is a flexible linux distribution.

If this is the standard for this thread, then I'm a top notch hacker.

[muad_dib]

What is your work experience in the security field?

I work with vending machines and payments solutions (POS, ATMs, ....)

What academical qualifications do you have besides googling concepts?

I have a master in applied mathematics. My area of strength are numerical statistic, cryptography and game theory.

Who can vouch for your skills or known projects in any white or blackhat forum?

I thought that we were having a discussion, thus arguments and sources are what matters.

In fact, if you recall my statistical indicator PSI, it is taken from the PCI DSS literature.

I quoted it because some people said they were confident with PCI DSS, still they didnt recognized this, thus showing how fake they are.

Do you know anything at all about programming a secure site or platform?

I'm not a web developer, I frown upon PHP and some other web technologies.

I know Matlab, Java, PETSC, Python, C (in order of confidence) but I'm not a CS.

I'm the guy who build a statistical model, so that you can study the behavior of your complex system (a market, a cryptography algorithm, a network, ...).

[marcus_of_augustus]

What is your work experience in the security field?

I work with vending machines and payments solutions (POS, ATMs, ....)

What academical qualifications do you have besides googling concepts?

I have a master in applied mathematics. My area of strength are numerical statistic, cryptography and game theory.

Who can vouch for your skills or known projects in any white or blackhat forum?

I thought that we were having a discussion, thus arguments and sources are what matters.

In fact, if you recall my statistical indicator PSI, it is taken from the PCI DSS literature.

I quoted it because some people said they were confident with PCI DSS, still they didnt recognized this, thus showing how fake they are.

Do you know anything at all about programming a secure site or platform?

I'm not a web developer, I frown upon PHP and some other web technologies.

I know Matlab, Java, PETSC, Python, C (in order of confidence) but I'm not a CS.

I'm the guy who build a statistical model, so that you can study the behavior of your complex system (a market, a cryptography algorithm, a network, ...).

So have you built bitcoind on BSD yet ... be interested to know your thoughts on the statistical probability of it getting hacked ...

send through the makefile when you have done it so we know you are not just bullshitting everyone.

[muad_dib]

So have you built bitcoind on BSD yet ... be interested to know your thoughts on the statistical probability of it getting hacked ...

send through the makefile when you have done it so we know you are not just bullshitting everyone.

1) People need to read more carefully my posts and hate less

2) I never said you need BSD for bitcoind. You need BSD to expose your services.

3) I never said I have any software ready yet.

4) I am here just to point two facts:

a) Recently someone entered MtGox, and MtGox thinks he is not responsabile for password leakage

b) MtGox use very weak measures to prevent password leakage

[marcus_of_augustus]

So have you built bitcoind on BSD yet ... be interested to know your thoughts on the statistical probability of it getting hacked ...

send through the makefile when you have done it so we know you are not just bullshitting everyone.

1) People need to read more carefully my posts and hate less

2) I never said you need BSD for bitcoind. You need BSD to expose your services.

3) I never said I have any software ready yet.

4) I am here just to point two facts:

a) Recently someone entered MtGox, and MtGox thinks he is not responsabile for password leakage

b) MtGox use very weak measures to prevent password leakage

I'm not trying to hate but you're making it pretty easy .... before claiming expertise maybe you should try building bitcoind on a system, any system will do, run some tests, get some data .....
i mean really how are we meant to take your expert opinion on anything bitcoin related if you don't know jack about bitcoind??

that would be just wrong. Roll your sleeves up, do a little learning and doing and then come and spout off as much as you please ...

[Vladimir]

2) I never said you need BSD for bitcoind. You need BSD to expose your services.

I do run all my bitcoind's on FreeBSD, works great!

3) I never said I have any software ready yet.

it's in /usr/ports/*/bitcoin , easy...


And again... it is not the choice of OS which makes a system secure, it is how sysadmin's hands are attached...

[muad_dib]

I'm not trying to hate but you're making it pretty easy ....

I think it mostly depends on the barrier language and the fact that some people started hating a lot, building a hating spree.

before claiming expertise maybe you should try building bitcoind on a system, any system will do, run some tests, get some data .....

Expertise in what? I never stated expertise in Bitcoin.

I have anyhow a strong expertise with credit cards and ATMs. I think I might know a few things about secure financial transaction.

i mean really how are we meant to take your expert opinion on anything bitcoin related if you don't know jack about bitcoind??

By discussing about facts and sources. I'm more than happy to discuss and even being criticized.

Anyhow I invite you to read again the first two pages of this discussion, and tell me if you see even one constructive critic.

that would be just wrong. Roll your sleeves up, do a little learning and doing and then come and spout off as much as you please otherwise you're just whacking off in public, not pretty.

Let's analyze a  few facts:

1) Most of the people here want Bitcoin to have a broader adoption.

2) If Bitcoin scams starts to spread out, then both its adoption by people and businesses will slow down

3) Recently a huge sum of money, whose amount can be only speculated about, but which is very consistent, has been stolen by Mt. Gox

4) Mt. Gox and other exchanges share a VERY WEAK authorization model

5) Most people use the same weak password multiple times


I think that by considering all these facts, it is clear we should push the Bitcoin community, both as exchanges or final users, to much stricter security measures.

The only way to do this is to spread awareness, and put public pressure on exchanges.

[muad_dib]

And again... it is not the choice of OS which makes a system secure, it is how sysadmin's hands are attached...

Are you telling me that an IIS+Windows machine can be made as safe as a FreeBSD+Apache one?

I'm sorry but I disagree with you.

[Vladimir]

And again... it is not the choice of OS which makes a system secure, it is how sysadmin's hands are attached...

Are you telling me that an IIS+Windows machine can be made as safe as a FreeBSD+Apache one?

I'm sorry but I disagree with you.

Well... I personally do not know any sysadmins with "correctly attached hands" who run windows servers, but surely there are some out there... I guess that windows+apache can be made as safe as whatever+apache. (let's get IIS out of the picture for simplicity).  This probably would involve a server version of windows and some severe balls cutting. Not that I am an expert on this to be sure.

I do not mind if you disagree. Maybe a few decades from now you'll be less categorical and more tolerant.