About Mt. Gox flaw from a security expert

[marcus_of_augustus]

1) Most of the people here want Bitcoin to have a broader adoption.

2) If Bitcoin scams starts to spread out, then both its adoption by people and businesses will slow down

3) Recently a huge sum of money, whose amount can be only speculated about, but which is very consistent, has been stolen by Mt. Gox

4) Mt. Gox and other exchanges share a VERY WEAK authorization model

5) Most people use the same weak password multiple times

1) not necessarily, bitcoin could do just fine as a niche currency for people who actually know how their computers work ... (handing matches to children can be dangerous)

2) monetary scams are all over the globe, crime is rampant on Wall St., is it affecting "dollar adoption"?

3) 3 months ago 400k btc wasn't worth squat and nobody would have cared ... in bigger scheme it is still peanuts .... GS got clean away with more than $100 bill and all they got was some schmuck dancing in front of the senators for few hours

4) MtGov is not equal to bitcoin, they are a curious sideshow

5) Most people are idiots and probably are not qualified to handle bitcoin technology at this stage in their evolution .... it is like when TCP-IP was released ... do you think it would have been a good thing if every tom dick and harry was trying to hook-up their own routing ....??

All in all it makes for some great laughs but you maybe taking it a little too seriously ... people quickly become irrational when money is involved ... you won't taking your bitcoins with you when you pass on ...

[jgraham]

I work with vending machines and payments solutions (POS, ATMs, ....)

Meaning you refill them?  
Seriously that doesn't necessitate knowing about secure coding or securing machines.

I have a master in applied mathematics. My area of strength are numerical statistic, cryptography and game theory.

Doubtful.  At least not from a real university.  

I mean look at this:

Given that parameter Psi  = [ ( # of serious security flaws - 1 ) / ( #  of running systems )^2 ] remapped in [0, 1]

Assuming there is some complete definition somewhere for "serious".   This gives us the number of flaws per system squared.  
While there is zero explanation as to what he's attempting do here.  This looks, on the surface anyway like something from manufacturing QA where you would have various kind of potential equipment failures.   Which you could determine a rough upper bound from by say running a thousand widgets through their paces.   Then it might make sense to distribute these flaws across the number of machines in the field to get some kind of statistic about the probability that an individual machine would fail.  

However I think it's obvious to most of us that software flaws don't work that way.  Given a particular purpose (web server) and an operating system of a particular vintage with no other security devices present.  All systems would possess any unpatched bugs.   This of course begs the question that maud_dib was counting bugs that were, for the vast majority patched instead of unpatched bugs.   It's also far more difficult to find the upper bound for the number of security flaws.  You can't just run a bunch of Linux boxes in a room and see which ones get hacked.

So, on the surface anyway this looks like someone who has lifted a formula out of some book (IIRC he even specified one on quality control or something) and has wrongly applied it to software development.   Like I said before math isn't magic: the integral of "Batman" isn't "Bruce Wayne"

On to exhibit B:

Do you agree that, with a confidence level of 0.99,  the correlation between the parameter Psi and Linux is stronger than with FreeBSD?

Again zero information as to what he is trying to do here but given that he's only specifying what the confidence level is without telling us how that affects the confidence interval.  It's questionable that he really knows what he's doing.

Just to give you an idea as to how these statistics might be used. Here's an example: Suppose I had a sample of 100 Linux machines from a population of 10000 and also suppose I had a similarly qualifed sample of 100 FreeBSD machines from a population of 1000. Now also suppose I know that 50% of the Linux machines had a compromise in the last year but only 45% of the BSD machines were compromised.  It would be useful to know if this difference is significant:

Assuming our populations are normally distributed we can determine that the confidence interval for both figures is around +/- 12% (there are lots of calculators on the net that will do this for you).  So that means that the "real" ratio of Linux compromises is from 38%-62% and the FreeBSD compromises is around 33%-57%.  This is what some might call "More differentiation within the groups than between the groups" which is a sign that the difference is not significant.

Then he starts talking about correlation which again if we're talking about categoricals (values that are assigned to a particular category like 1 = Linux, 2 = BSD)  and you had some outcome like system uptime the usual way to approach that is with an ANOVA.  

In fact, if you recall my statistical indicator PSI, it is taken from the PCI DSS literature.

If it is it would be nice for him to cite which version, which document and which page...just sayin'

I quoted it because some people said they were confident with PCI DSS, still they didnt recognized this, thus showing how fake they are.

No, this is a complete lie.   The mention of his PSI formula, as anyone can see comes well before his mention of PCI-DSS.

Again, he isn't clear who he's talking about but when he mentioned that PCI compliance is very expensive.  I countered that Tier 4 compliance is actually not very difficult or expensive.  These classifications have to do with the number of transactions processed.   So a vending machine is probably not going to process six million visa transactions annually.  This doesn't mean I have intimate understanding of PCI-DSS literature but it did show that he didn't understand the compliance requirements.

So were I to guess....this guy is probably an engineer.  Makes sense since he really seems to get ticked off at the use of that word and it's the kind of guy who you would hire for this kind of job - writing code for vending machines.

Now of course I could be wrong but rather than spelling out his use of math here.  He constantly shifts between various dodges.

"People are making assumptions" - You know a good way to stop that?  Clarify yourself.
"People are insulting me" - As I've mentioned earlier he has pretty much lost the moral high ground there.
"Some people in this thread thinks that SElinux is a flexible linux distribution." - This is very likely untrue - I well understood that like GrSecurity, SELinux is a series of patches - I assume that the person I was talking with knew that too.

[iBTC]

muad_dib is either too smart or too 

[muad_dib]

Which unix version and from which vendor?

If you want to stay x86 I would go BSD.

Which flavor? Many of them. You need several layer of security in your infrastructure, so there's space for the coexistence of FreeBSD and OpenBSD, and also linux,

A first layer of security made by a firewall and IDPS, maybe based on NetBSD or a commercial UNIX version, a second layer in the form of a DMZ with the webservers on FreeBSD or OpenBSD, and a local database, accessible just by local IP, which might also linux based.

 What is your proof that a Linux installation can't be made secure and that any unix installation can?

- Past track record

- Recently BSD underwent a very deep third party review. That's a big plus for security.

- BSD has proactive security, Linux security is reactive

- BSD is designed from the ground for security, Linux instead has a more chaotic architecture

[Capitan]

Hey guys -- just checking in. Has the undisputed winner of this thread been declared yet?

[jgraham]

I wonder if anyone ever gets tired of hearing blowhards like maud_dib who provide zero evidence for their ridiculous assumptions.

Past track record

Past track record of not being securable as a BSD box?  Where is that?  Oh right.  Nowhere.
If not that then past track record of what exactly?  Candy bar sales?  I guess you'd know about that.

Recently BSD underwent a very deep third party review. That's a big plus for security.

A one time security audit is a a good thing but I'm taking away your math degree (if you have one) since it doesn't say anything about relative merit.

BSD has proactive security, Linux security is reactive

Untrue.  FreeBSD doesn't even have one of the most common proactive security features ASLR.  This means that there are whole classes of exploit that FreeBSD needs to patch for but Linux does not.   Linux has GrSecurity and PaX as well as SELinux.

BSD is designed from the ground for security, Linux instead has a more chaotic architecture

OpenBSD *says* that they do this but they don't really provide much detail on what this means or how it actually protects anything.  For example OpenBSD used to say "X years without a remote root exploit in the base install" which is nice but:

a) Doesn't say anything about all the installs out there.  How many people run an OpenBSD box with no other services installed at all.  Probably not many.
b) Doesn't say anything about OpenBSD code.  For all we know it's just they activate less in the default install.  Which is probably a good thing for hobbyists but doesn't really say anything about enterprise usage.

The real proof of his statements would be him taking me up on my challenge.   There was even ~$500 in it for him if he happens to be right.

[marcus_of_augustus]

Hey guys -- just checking in. Has the undisputed winner of this thread been declared yet?

No, i think someone walked off with the dick measuring ruler and now its just a bunch of guys standing around with their dicks hanging out ....

[finack]

You're pretty much all idiots for arguing about linux vs. bsd vs. dick size for twelve pages. Anyone who actually knew what they were talking about would have given up long ago - when you actually know what's up you don't need to prove it to everyone.

[muad_dib]

You're pretty much all idiots for arguing about linux vs. bsd vs. dick size for twelve pages. Anyone who actually knew what they were talking about would have given up long ago - when you actually know what's up you don't need to prove it to everyone.

I totally agree with you. Infact I started ignoring the flamers a few posts ago.

Now I answer just to the legitimate questions.

[jgraham]

You're pretty much all idiots for arguing about linux vs. bsd vs. dick size for twelve pages. Anyone who actually knew what they were talking about would have given up long ago - when you actually know what's up you don't need to prove it to everyone.

I totally agree with you. Infact I started ignoring the flamers a few posts ago.

Now I answer just to the legitimate questions.

uhhh...did you forget that they're talking about you?

[jgraham]

What happened to talking about facts?  That's just conjecture.

You discuss like you're an expert about selinux, still you missed that it isn't just for linux.

Just pointing out one more factual error from the silly maud_dib.   Actually yes, it is just for Linux.   Parts of it, as I noted much earlier have been ported to things like TrustedBSD (which is why my response was 'it depends' but you can't just apply the kernel patches (possibly you could try to compile the userspace libraries under the Linux compatibility layer ... but I doubt that would work without the kernel layer to support it.

Kind of illustrates where he gets most of his information from.  eh?

As evidence (that thing that maud_db rarely provides) I offer you the following from the NSA's archives of the mailing list: http://www.nsa.gov/research/selinux/list-archive/0108/thread_body15.shtml

> 2. I read in the FAQ that selinux can be installed on an existing
> linux install. Can it be installed on a Freebsd system with linux
> compatibility? Is anyone working on a port for freebsd or openbsd?

no. its massive kernel changes, things that emulation ont matter at all about. for freebsd look into the trustedbsd project,


But thanks for the heads-up maud-dib....the Wiki is now corrected.

[dr.bitcoin]

guys, you may have more servers, but my fiber is longer! 
WTF are we trying to accomplish with this thread? go buy a security book, take a couple classes, and spend a few months/years in the wild.
the rest is, sorry, just conversations 

[jgraham]

guys, you may have more servers, but my fiber is longer! 
WTF are we trying to accomplish with this thread? go buy a security book, take a couple classes, and spend a few months/years in the wild.
the rest is, sorry, just conversations 

I can only speak for myself here.  If you're getting at the idea that the question of "what is more secure Linux or some form of BSD" is probably difficult or impossible to answer and it's stupid to try.   I agree.   

However here's what I see here.  A few people (mostly maud_dib) seem to be saying "Linux can not possibly in any reasonable circumstance be as secure as FreeBSD" (although maud_dib hedged his bet a bit after he googled about OpenBSD and now just says BSD).  That statement I think is a little different and can be falsified.  I think that would be clear if the people involved just showed some backbone and tried to support their arguments.   

I also think it's worthwhile, for the sake of the community to stand up to people who bully people with terminology prejudices and pseudo-expertise.

On the subject of security books....do you have a favorite?  On the subject of actually exploiting security holes.  I'd recommend picking up the Shellcoder's Handbook: http://www.amazon.ca/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=sr_1_1?ie=UTF8&qid=1308916045&sr=8-1

It's a great intro to the subject.

[finack]

A few people (mostly maud_dib) seem to be saying "Linux can not possibly in any reasonable circumstance be as secure as FreeBSD" (although maud_dib hedged his bet a bit after he googled about OpenBSD and now just says BSD).

[jgraham]

A few people (mostly maud_dib) seem to be saying "Linux can not possibly in any reasonable circumstance be as secure as FreeBSD" (although maud_dib hedged his bet a bit after he googled about OpenBSD and now just says BSD).

See that never happens to me because the next thing she says is:

"Come to bed or I'll stab you in the eye!"

...and I like my eyes.

[BBanzai]

Let the Little Mouse in the moon rest, he started this, none of us have to continue it.  Kid needs his sleep, whether he knows it or not.  I don't look at security from either an engineer's or a mathematician's point of view, although at times I have been both in my own little ways.  Locks aren't designed to be unbreakable, just nuisances, something other than low-hanging fruit.  Security systems get hacked for two main reasons.  They are commonly used, or they are known to be used specifically by stupid rich people.  Macs have their very own fake antivirus attack going on right now, and its a pretty big deal.  It isn't buffer overflows and unsalted brute-forceable encryption passwords that is the day to day problem for most users. 
Its not knowing that the internet is at war with them.  Not seeing that that you don't have to run faster than the bear, you just have to run faster than your neighbor.  Basic tactics.  Which brings me back to my question about obscure operating systems.  All specific knowledge of kernel coding and security models and statistics (heaven forfend) aside...what operating systems do the actual commercial exchanges use?  Again, basic tactics. Don't bring a gun into an argument about a knife fight seems to be what I hear from the Linuxists. A gunslinger can secure any operating system, which was the Little Mouse's argument about SELinux, as far as I can tell.  He did not prove that he was a gunslinger, but it is a valid point.  So, again, what are the professionals using and why?  And how?

[muad_dib]

So, again, what are the professionals using and why?  And how?

Mt. Gox Uses FreeBSD.

[BBanzai]

At this point, that is not exactly a strong draw...although I will say again that the BSD's in general have always had a notably better reputation for security.  At a certain point, out of the box features become meaningless when you become a likely target.  Recognizing that change in your own world is where MTGox dropped the ball.  I can relate.  I tend to trust people and always think that smarter people are kinder as a result of their intelligence.  It has taken me most of my life to realize that there is zero correlation between the two.

[muad_dib]

At this point, that is not exactly a strong draw...although I will say again that the BSD's in general have always had a notably better reputation for security.  At a certain point, out of the box features become meaningless when you become a likely target.

Well the fact that BSD is compatible with other license is also a plus. Running a RaidZ is a plus for security. It has alos better link aggregation protocols (something which lags a little behind in linux).

Maybe you should go to them and tell that it's not true, linux is as safe as BSD, maybe even better. I'm sure they will be more than happy to follow your, jgraham and the other linux kid advices.

[BBanzai]

Compatible with other license (sic)?  You don't need a license.  You need a bigger fence.  Or an electrified one.  Or an automated laser guided grenade launching robotic monster attack dog.  Oh, hell, Boston Dynamics has that, why don't you?  The real tactics of the military and the government are not primarily designed by theoreticians.  They are designed by story-tellers and engineers.  Why do old churches have gargoyles on their parapets?  The people like you did the math for the archways, the people that like scaring the credulous did the gargoyles, the people like me said "Imma need a slot to shoot through."