Bitcoin Forum
May 25, 2017, 03:31:35 AM *
News: Latest stable version of Bitcoin Core: 0.14.1  [Torrent]. (New!)
 
   Home   Help Search Donate Login Register  
Pages: 1 2 3 4 5 [All]
  Print  
Author Topic: MtGox source code leaked ...  (Read 16502 times)
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 03, 2014, 05:17:39 PM
 #1

http://www.techworm.net/2014/03/mtgox-source-code-leaked-by-hacker-on.html

As a developer all I can say is ...
I have nothing to say just stunned silence that this was the codebase used to process millions of dollars and BTC everyday.
1495683095
Hero Member
*
Offline Offline

Posts: 1495683095

View Profile Personal Message (Offline)

Ignore
1495683095
Reply with quote  #2

1495683095
Report to moderator
1495683095
Hero Member
*
Offline Offline

Posts: 1495683095

View Profile Personal Message (Offline)

Ignore
1495683095
Reply with quote  #2

1495683095
Report to moderator
1495683095
Hero Member
*
Offline Offline

Posts: 1495683095

View Profile Personal Message (Offline)

Ignore
1495683095
Reply with quote  #2

1495683095
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 03, 2014, 05:19:02 PM
 #2

Oh and it gets worse

Quote
From the IRC chat of Nanashi and other hackers, it seems that the hacker also have access to a 20GB data dump of customer data along with passport scans.
bitjoint
Sr. Member
****
Offline Offline

Activity: 330


Commander of the Hodl Legions


View Profile
March 03, 2014, 05:28:17 PM
 #3

Oh and it gets worse

Quote
From the IRC chat of Nanashi and other hackers, it seems that the hacker also have access to a 20GB data dump of customer data along with passport scans.

Thanks god I never signed up for that crappy site...
oOoOo
Full Member
***
Offline Offline

Activity: 238


View Profile
March 03, 2014, 05:30:23 PM
 #4

It's a pile of garbage.
If I had know this before, I would have NEVER trusted them with a single BTC, yubikey or not!

Mysql? php??? For a multi-million dollar website?!?!?!? WTF!!!

Releasing source code should be mandatory for bitcoin exchanges!
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 1596

Newbie


View Profile
March 03, 2014, 05:36:56 PM
 #5

I have nothing to say just stunned silence that this was the codebase used to process millions of dollars and BTC everyday.

Bitcoin code written by Satoshi is not perfect too but u still use it.
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 1596

Newbie


View Profile
March 03, 2014, 05:39:25 PM
 #6

Mysql? php??? For a multi-million dollar website?!?!?!? WTF!!!

This explains why u r still not a b/millionaire...

PS: http://www.warriorforum.com/programming-talk/497316-what-programming-language-facebook-written.html
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 03, 2014, 05:39:36 PM
 #7

I have nothing to say just stunned silence that this was the codebase used to process millions of dollars and BTC everyday.

Bitcoin code written by Satoshi is not perfect too but u still use it.

Um this goes far beyond "not perfect".  It essentially breaks every rule in software design, resulting in a fragile, unmaintainable mess.
gollum
Sr. Member
****
Offline Offline

Activity: 434


In Hashrate We Trust!


View Profile
March 03, 2014, 05:40:19 PM
 #8

http://www.techworm.net/2014/03/mtgox-source-code-leaked-by-hacker-on.html

As a developer all I can say is ...
I have nothing to say just stunned silence that this was the codebase used to process millions of dollars and BTC everyday.
I hope this is a joke Wink
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 1596

Newbie


View Profile
March 03, 2014, 05:44:01 PM
 #9

Um this goes far beyond "not perfect".  It essentially breaks every rule in software design, resulting in a fragile, unmaintainable mess.

Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.
st4nl3y
Legendary
*
Offline Offline

Activity: 1050


View Profile
March 03, 2014, 05:47:36 PM
 #10

i wouldn't be surprised if the alleged 20GB of data comes up for sale
gollum
Sr. Member
****
Offline Offline

Activity: 434


In Hashrate We Trust!


View Profile
March 03, 2014, 05:48:49 PM
 #11

Um this goes far beyond "not perfect".  It essentially breaks every rule in software design, resulting in a fragile, unmaintainable mess.

Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.
That's why you split up a system in separate parts so you easily can track bugs, or security flaws.
Even if you don't trust other coders.
oOoOo
Full Member
***
Offline Offline

Activity: 238


View Profile
March 03, 2014, 05:52:44 PM
 #12

As a website dealing with millions of user funds, their security should have been on par with that of big banks.

Does Deutsche Bank use php? Does HSBC use fucking MYSQL??? Do any of those banks comment out lines in production code for debugging?!?!?!?HuhHuh

Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.

That's exactly the problem, it shouldn't be written by only one clueless guy!!!
gollum
Sr. Member
****
Offline Offline

Activity: 434


In Hashrate We Trust!


View Profile
March 03, 2014, 05:55:05 PM
 #13

As a website dealing with millions of user funds, their security should have been on par with that of big banks.

Does Deutsche Bank use php? Does HSBC use fucking MYSQL??? Do any of those banks comment out lines in production code for debugging?!?!?!?HuhHuh

Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.

That's exactly the problem, it shouldn't be written by only one clueless guy!!!
Bitcoinica failed for the same reason - bad coding and no security.
oOoOo
Full Member
***
Offline Offline

Activity: 238


View Profile
March 03, 2014, 05:57:36 PM
 #14

More: php uses weak/'implicit' typing which means you never really know what type you are dealing with, unless you explicitly state so in the code. This might be fine for simple web-servers or some forum software, but it makes php inherently useless for high security applications.

^This is amateur grade code at best, and now we see the result...

edit: @gollum: Exactly!!
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 03, 2014, 05:58:20 PM
 #15

Um this goes far beyond "not perfect".  It essentially breaks every rule in software design, resulting in a fragile, unmaintainable mess.

Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.

I do own (well partially) an exchange, and I did initially did code it all myself.  I still used concepts like scope delineation, separation of concerns, encapsulation of internal details, test driven development (unit tests), mocking, inversion of control, etc to be used.  These aren't just academic ideals, they are used every day in millions of software projects.  One programmer or one hundred there are reasons code is broken into logical groupings not one monster horribly do everything superclass.  The later produces fragile, unmaintainable, untestable code with the very obvious and expected end result.

I am not gods gift to software engineering but I have written hobbyist projects which had better design.

I think the articles sums it up
Quote
To sum up function _Route_getStats($path): XML production, JSON production, file writing, business logic, SQL commands, HTTP header fiddling, hard coded paging limits, multiple exit points...
All these things don't belong in the same class.  The http header generator doesn't need to know about the business logic, the SQL connectivity doesn't need to know about the routing.  Good software is hard, the capabilities of the computers, and languages already push the limits of what humans can process effectively.  Software developers use design tools to help the human manage the code/project.  You could write a web application in machine code if you wanted to, ultimately it all ends up there anyways but try spotting a bug in something low level like that.  High level languages were developed to allow a better code view.

Personally I am no fan of php for a variety of reasons but php doesn't mean you have to write code like the leaked gox source.  It is possible to write good (or at least better) php.  The major issue isn't the choice of language but how that language was (mis)used.
CurbsideProphet
Hero Member
*****
Offline Offline

Activity: 672


View Profile
March 03, 2014, 05:59:15 PM
 #16

Oh and it gets worse

Quote
From the IRC chat of Nanashi and other hackers, it seems that the hacker also have access to a 20GB data dump of customer data along with passport scans.

This is much worse.  A whole new slew of lawsuits heading their way.

1ProphetnvP8ju2SxxRvVvyzCtTXDgLPJV
Lauda
Legendary
*
Offline Offline

Activity: 1498


Psychotic Bitch™


View Profile WWW
March 03, 2014, 06:00:32 PM
 #17

Um this goes far beyond "not perfect".  It essentially breaks every rule in software design, resulting in a fragile, unmaintainable mess.

Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.
Stop protecting Gox.

Come-from-Beyond
Legendary
*
Offline Offline

Activity: 1596

Newbie


View Profile
March 03, 2014, 06:05:12 PM
 #18

I do on an exchange, and I did initially did code it all myself.  I still used concepts like separation of concerns to be used.  One programmer or one hundred there are reasons code is broken into logical groupings not one monster horribly do everything super class.  It allows unit testing, bug fixing, and discrete upgrades.

Hm, guys upthread do the same. Perhaps it's me who is wrong. I prefer one monster super class...
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 1596

Newbie


View Profile
March 03, 2014, 06:06:57 PM
 #19

Stop protecting Gox.

I don't protect Gox. Their coding paradigm was heavily used before invention of OOP and I don't see why it can't be used nowadays.
bananas
Sr. Member
****
Offline Offline

Activity: 266


View Profile
March 03, 2014, 06:14:55 PM
 #20

Mark Karpeles   Mobile: 03-4550-1529
            magicaltux@gmail.com 
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 03, 2014, 06:19:17 PM
 #21

I prefer one monster super class...

Well I think we are done. 
Taras
Legendary
*
Offline Offline

Activity: 980



View Profile WWW
March 03, 2014, 06:20:43 PM
 #22

 Oh fuck. Now there is going to be a bunch of mini mtgoxes.

this is a good signature
virtualprofit
Jr. Member
*
Offline Offline

Activity: 42


View Profile
March 03, 2014, 06:22:24 PM
 #23

Are you sur this code was not theft back in 2011 ?
windpath
Legendary
*
Offline Offline

Activity: 1092


View Profile WWW
March 03, 2014, 06:23:16 PM
 #24

Hey folks, new here and happen to also be a LAMP developer (not considering creating an exchange yet Wink...

I just wanted to jump in here and defend LAMP stacks.

Linux/Apache/MySQL/PHP (LAMP) CAN be highly secure depending on how the code is written.

This forum runs on PHP, most major banking site's fronted is PHP...

The problem comes in when people write insecure code, you can just as easily write insecure C+ or Python as insecure PHP...

I guess my point is dont bash the platform, bash the developer Wink

bananas
Sr. Member
****
Offline Offline

Activity: 266


View Profile
March 03, 2014, 06:29:23 PM
 #25

I don't see any problem with the code,  the issues reported in the articles are just modern recommended programming practices. They do not mean the code by itself is wrong or unsafe.

Regarding that, the banking system is much worse, still lots of source using 'go to' labels in COBOL. Hopefully writen in the best programming practices from 1967.
virtualprofit
Jr. Member
*
Offline Offline

Activity: 42


View Profile
March 03, 2014, 06:34:06 PM
 #26

Quote
don't see any problem with the code,  the issues reported in the articles are just modern recommended programming practices. They do not mean the code by itself is wrong or unsafe.

I don't know PHP but for me in this code , you have not check for SQL inject in the SQL requests ?
BitCoinDream
Legendary
*
Offline Offline

Activity: 1204

The revolution will be digital


View Profile
March 03, 2014, 06:38:06 PM
 #27

As a website dealing with millions of user funds, their security should have been on par with that of big banks.

Does Deutsche Bank use php? Does HSBC use fucking MYSQL??? Do any of those banks comment out lines in production code for debugging?!?!?!?HuhHuh

Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.

That's exactly the problem, it shouldn't be written by only one clueless guy!!!

Let me tell u that I have worked with ING code and they use GOTO !!! This code is fine if it were written by Jed.

bananas
Sr. Member
****
Offline Offline

Activity: 266


View Profile
March 03, 2014, 06:43:51 PM
 #28

Quote
don't see any problem with the code,  the issues reported in the articles are just modern recommended programming practices. They do not mean the code by itself is wrong or unsafe.

I don't know PHP but for me in this code , you have not check for SQL inject in the SQL requests ?

By what i see the SQL queries in the source do not use any user provided data, so it does not require an injection check 'cause there is no such risk.

Edit: there is user provided data, but as of now i can't find any that could be used for injection, i.e. $btc would generate an error if it is anything other than an interger number.
MatthewLM
Legendary
*
Offline Offline

Activity: 1092



View Profile WWW
March 03, 2014, 06:46:42 PM
 #29

If they were hacked that means something wasn't working properly (Is this really confirmed?). And obviously they didn't know how to handle bitcoin transactions properly. By no means has there been no problems, even if we ignore poor coding practises.

Bitcoin Extra Wallet | Peercoin Android Wallet
BTC: 1D5A1q5d192j5gYuWiP3CSE5fcaaZxe6E9  PPC: PH7fVn1Xs7nkUFmdwCX2ZRYfLPCSwGxAq9
Maged
Legendary
*
Offline Offline

Activity: 1260


View Profile
March 03, 2014, 06:47:30 PM
 #30

Are you sur this code was not theft back in 2011 ?
That was my thought. Does anyone know what the Eligius-MtGox partnership was formed? I know that it was it 2011, I just don't know the exact day.

It was estimated that MtGox was hacked by no less than 10 separate groups back in 2011 (one of which leaked the user DB, as we all know), so this could absolutely still be fallout from that.

rayfloyd
Full Member
***
Offline Offline

Activity: 140


View Profile
March 03, 2014, 06:52:05 PM
 #31

If they were hacked that means something wasn't working properly (Is this really confirmed?). And obviously they didn't know how to handle bitcoin transactions properly. By no means has there been no problems, even if we ignore poor coding practises.

The reason and the how to of the hack might not be poor [or not] web backend. It could also be bad sys admin and bad system security or even just internal.

acoindr
Legendary
*
Offline Offline

Activity: 1036


View Profile
March 03, 2014, 06:52:50 PM
 #32

Hey folks, new here and happen to also be a LAMP developer (not considering creating an exchange yet Wink...

I just wanted to jump in here and defend LAMP stacks.

Linux/Apache/MySQL/PHP (LAMP) CAN be highly secure depending on how the code is written.

This forum runs on PHP, most major banking site's fronted is PHP...

The problem comes in when people write insecure code, you can just as easily write insecure C+ or Python as insecure PHP...

I guess my point is dont bash the platform, bash the developer Wink

I agree. I'm getting a bit tired of people who language bash. For example, DeathAndTaxes, whom I respect is killing MtGox in this thread, but he hasn't once faulted the language of choice. Often people who bash don't have much achievement of their own which they can point to, which is telling.

Mysql? php??? For a multi-million dollar website?!?!?!? WTF!!!

Umm, Facebook was built on PHP and they just bought a company for $19 billion. Magento, also built on PHP, was bought by eBay for $180 million. Which apps have you done lately that are worth millions of dollars?

A good programmer can usually do well with most any language, although some may be better fits for a given application. It depends more on style and preference, which is why Google, which probably knows a thing or two about software, allows people to write in the language of their choice for their annual Code Jam with $15K prize. They are not so ignorant as to think various programming languages, which are just tools, can't be used effectively.
romerun
Legendary
*
Offline Offline

Activity: 1078


Bitcoin is new, makes sense to hodl.


View Profile
March 03, 2014, 06:58:37 PM
 #33

no wonder why they could not turn LTC switch on, their code is too mess to add another currency
noob2001
Hero Member
*****
Offline Offline

Activity: 602


View Profile WWW
March 03, 2014, 06:59:23 PM
 #34

cool.
i can use this to setup my own exchange
zunath
Newbie
*
Offline Offline

Activity: 14


View Profile
March 03, 2014, 07:04:19 PM
 #35

I think what concerns me more than anything is that they're rounding some of their values.

17vReNbHa6AY7hbwioUNCn56oJ4oaZfoZG
MashRinx
Sr. Member
****
Offline Offline

Activity: 390



View Profile
March 03, 2014, 09:06:50 PM
 #36

I think what concerns me more than anything is that they're rounding some of their values.


lemfuture
Sr. Member
****
Offline Offline

Activity: 434


View Profile
March 03, 2014, 09:11:03 PM
 #37

i thought the ceo is a tensai?

hahaha
kuroman
Hero Member
*****
Offline Offline

Activity: 518


View Profile
March 03, 2014, 09:16:20 PM
 #38

Glad I didn't complet my registration ont heir website, I was about to sent them my passport, and what's not info, and when I saw how complex the process compared back I back peddaled and didn't confirm the uploaded documents I uploaded at the time
QuestionAuthority
Legendary
*
Offline Offline

Activity: 1624


You lead and I'll watch you walk away.


View Profile
March 03, 2014, 09:30:20 PM
 #39

Isn't it convenient that the Gox source code is leaked right after his appeal to the bankruptcy court. That seems to substantiate Karpeles claim that he was hacked and just a poor innocent victim. Very tidy.

cozk
Hero Member
*****
Offline Offline

Activity: 616


View Profile
March 03, 2014, 09:44:11 PM
 #40

Isn't it convenient that the Gox source code is leaked right after his appeal to the bankruptcy court. That seems to substantiate Karpeles claim that he was hacked and just a poor innocent victim. Very tidy.

+1

Hes a rich man now.
Bit_Happy
Legendary
*
Offline Offline

Activity: 1568


A Great Time to Start Something!


View Profile
March 03, 2014, 09:49:30 PM
 #41

Hey folks, new here and happen to also be a LAMP developer (not considering creating an exchange yet Wink...

I just wanted to jump in here and defend LAMP stacks.

Linux/Apache/MySQL/PHP (LAMP) CAN be highly secure depending on how the code is written.

This forum runs on PHP, most major banking site's fronted is PHP...

The problem comes in when people write insecure code, you can just as easily write insecure C+ or Python as insecure PHP...

I guess my point is dont bash the platform, bash the developer Wink


Good point, you win 40 GoxCoins  Cheesy

15DYJpWJe9H1YofsNQbP9JEWWNn7XPZgbS
Bit_Happy
Legendary
*
Offline Offline

Activity: 1568


A Great Time to Start Something!


View Profile
March 03, 2014, 09:51:47 PM
 #42

This does look ugly:

 Some random red flags:

- There's a class with the name of the application. (Issues: Scope, SRP)

- There's a class with 1708 lines of code. (Scope)

- There's a switch-case statement that runs over 150 LOC (readability, maintainability)

- There's a string parsing function in the same class as transaction processing (Separation of concerns)

- There are segments of code commented out (are they not using source control?)

- There's inlined SQL (maintainability, security)

- There's JSON being generated manually & inline (SoC, DRY)
- There's XML being generated manually & inline (SoC, DRY)
- To sum up function _Route_getStats($path): XML production, JSON production, file writing, business logic, SQL commands, HTTP header fiddling, hard coded paging limits, multiple exit points...
The amount of refactoring needed here to bring this code up to acceptable quality is simply staggering.

15DYJpWJe9H1YofsNQbP9JEWWNn7XPZgbS
oOoOo
Full Member
***
Offline Offline

Activity: 238


View Profile
March 03, 2014, 09:59:30 PM
 #43

Umm, Facebook was built on PHP

Yeah, maybe once upon a time back then. But much less so today. And nobody in their right mind would trust friggin nsabook with their wealth...
user311
Newbie
*
Offline Offline

Activity: 18


View Profile
March 03, 2014, 10:02:36 PM
 #44

i wouldn't be surprised if the alleged 20GB of data comes up for sale
I guarantee you it is. There is no doubt the encrypted passwords (if gox even encrypted the database) are being sent through the grinder as we speak. Everyone should change their passwords if they used the same one on Gox!

Glad I didn't complet my registration ont heir website, I was about to sent them my passport, and what's not info, and when I saw how complex the process compared back I back peddaled and didn't confirm the uploaded documents I uploaded at the time
haha. SO... you uploaded your personal information to their servers (Now take time to think about that) but didnt click accept to complete the process. My advice: Get lifelock.
crazy_rabbit
Legendary
*
Offline Offline

Activity: 1162


RUM AND CARROTS: A PIRATE LIFE FOR ME


View Profile
March 03, 2014, 10:17:20 PM
 #45

oh man, please don't let this be legit.....

more or less retired.
meanig
Hero Member
*****
Offline Offline

Activity: 529


View Profile
March 03, 2014, 10:25:49 PM
 #46

Is there anything in the code to suggest that the cold wallet was actually online?
CompNsci
Sr. Member
****
Offline Offline

Activity: 321


View Profile
March 03, 2014, 10:36:47 PM
 #47

My impression was that supposedly they implemented a new trading engine to speed up transactions after the meltdown.

Does the PHP code look like a new sped up trading engine? Or is it more likely the code used prior to that time?

crazy_rabbit
Legendary
*
Offline Offline

Activity: 1162


RUM AND CARROTS: A PIRATE LIFE FOR ME


View Profile
March 03, 2014, 10:37:36 PM
 #48

My impression was that supposedly they implemented a new trading engine to speed up transactions after the meltdown.

Does the PHP code look like a new sped up trading engine? Or is it more likely the code used prior to that time?



I think the trading engine was in the backend. Correct me if I'm wrong, but this looks like the front end to me?

more or less retired.
bananas
Sr. Member
****
Offline Offline

Activity: 266


View Profile
March 03, 2014, 10:41:29 PM
 #49

My impression was that supposedly they implemented a new trading engine to speed up transactions after the meltdown.

Does the PHP code look like a new sped up trading engine? Or is it more likely the code used prior to that time?



I think the trading engine was in the backend. Correct me if I'm wrong, but this looks like the front end to me?

it is the more like the  "back" but not exaclty it, that's a class with their full colection of functions...there is no code with the front(or back) end logic using those functions. But everything is there to do so.
cAPSLOCK
Legendary
*
Online Online

Activity: 1395


Is it true? ®


View Profile
March 03, 2014, 10:45:56 PM
 #50

Um this goes far beyond "not perfect".  It essentially breaks every rule in software design, resulting in a fragile, unmaintainable mess.

Projects written by a single person don't need to be developed as academics say. If u were an owner of an exchange and didn't trust to any other coder u would go the same way.


YipYip
Hero Member
*****
Offline Offline

Activity: 574



View Profile
March 03, 2014, 11:26:04 PM
 #51

I prefer one monster super class...

Well I think we are done. 

Php ....lolz

MySQL...lolz

SpagettiCode...lolz

What does this all of the above bullshit add upto ....loss of 450million ++

All code should be loosely coupled & highly cohesive ... i.e dependency injection, discreete components that have no depenceys on each other.... break down of the layers UI,Business logic, middleware ...repos...etc etc etc

Gox was a darwin experiment that shows a decrepid , disabled piece of shit is destined to die

GOX IS DEAD.... LONG LIVE THE DEATH OF GOX Tongue


OBJECT NOT FOUND
vit1988
Sr. Member
****
Offline Offline

Activity: 315


i ♥ coinichiwa


View Profile WWW
March 04, 2014, 12:00:55 AM
 #52

I've seen so much bad code in my life... even in enterprise systems... this one looks quite average  Grin

But not using curly brackets alone is something a developer should goto hell for.

elebit
Sr. Member
****
Offline Offline

Activity: 415


View Profile
March 04, 2014, 12:04:25 AM
 #53

Does Deutsche Bank use php? Does HSBC use fucking MYSQL???

I can assure you that there are many MySQL instances inside any bank you could point your finger at. Several of them business critical for their respective environments.

It is guaranteed to be a lot of PHP too, just not customer facing. Banks are big things with lots of IT.
Cluster2k
Legendary
*
Offline Offline

Activity: 1525


View Profile
March 04, 2014, 12:24:41 AM
 #54

If people are shocked by the quality of code seen from MtGox, you should stop using your bank, abandon your car and ditch your mobile phone.  There are mountains of legacy spaghetti code out there that are completely written against proper academic rules.  You use the code every day for critical applications.

Do not send bitcoins to me: 16b8s7pBJ9rUmsExNW25qD5VUqVqRPZuXu
100% solar powered bitcoin generation
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 04, 2014, 01:05:46 AM
 #55

If people are shocked by the quality of code seen from MtGox, you should stop using your bank, abandon your car and ditch your mobile phone.  There are mountains of legacy spaghetti code out there that are completely written against proper academic rules.  You use the code every day for critical applications.

MtGox was created in 2010, it was a greenfield project.  Most developers relish the idea of working on a greenfield projects because it doesn't require them to drag forward decades of legacy cludge and instead allows them to do it right (at least initially).  Kinda hard to compare that to a banking system which may have its roots going back forty years and be the net results of multiple acquired and merged systems.  For long runnning enterprise applications, developers are rarely given the option to make a clean break.  MtGox didn't have that problem.  It started with an empty text file and ended up resembling systems which get that way after decades of hacks, workarounds, and patches. 

Sometimes a spade is a spade and you can just call it that.  MtGox's transaction engine was so bad it would choke at 5 tps despite running on server hardware capable of 1000x that (two very high end dedicated servers).  Yes facebook's early roots were in php (it has long since been converted to C++) but facebook would never have scaled to even a million users if its codebase was this bad.  Today we would be saying "facebook who?" instead of it being a household name if the code wasn't scalable.   

There is no excuse or justification for code this bad.  None.  Period.  Anyone offering it just looks silly.
oOoOo
Full Member
***
Offline Offline

Activity: 238


View Profile
March 04, 2014, 01:15:51 AM
 #56

Does Deutsche Bank use php? Does HSBC use fucking MYSQL???

I can assure you that there are many MySQL instances inside any bank you could point your finger at. Several of them business critical for their respective environments.

It is guaranteed to be a lot of PHP too, just not customer facing. Banks are big things with lots of IT.
No wonder they are all collapsing, needing a bail out every 5 minutes...

Let me tell u that I have worked with ING code and they use GOTO !!!
*closes account*
YipYip
Hero Member
*****
Offline Offline

Activity: 574



View Profile
March 04, 2014, 01:54:00 AM
 #57

Does Deutsche Bank use php? Does HSBC use fucking MYSQL???

I can assure you that there are many MySQL instances inside any bank you could point your finger at. Several of them business critical for their respective environments.

It is guaranteed to be a lot of PHP too, just not customer facing. Banks are big things with lots of IT.

Hmmmm.... not really ...not in the golden circle of large blue chip banks

A bank will have a core apps platform maybe 30-100 apps and I gurantee there wont be mysql & php kicking around

OBJECT NOT FOUND
YipYip
Hero Member
*****
Offline Offline

Activity: 574



View Profile
March 04, 2014, 01:56:52 AM
 #58

If people are shocked by the quality of code seen from MtGox, you should stop using your bank, abandon your car and ditch your mobile phone.  There are mountains of legacy spaghetti code out there that are completely written against proper academic rules.  You use the code every day for critical applications.

MtGox was created in 2010, it was a greenfield project.  Most developers relish the idea of working on a greenfield projects because it doesn't require them to drag forward decades of legacy cludge and instead allows them to do it right (at least initially).  Kinda hard to compare that to a banking system which may have its roots going back forty years and be the net results of multiple acquired and merged systems.  For long runnning enterprise applications, developers are rarely given the option to make a clean break.  MtGox didn't have that problem.  It started with an empty text file and ended up resembling systems which get that way after decades of hacks, workarounds, and patches. 

Sometimes a spade is a spade and you can just call it that.  MtGox's transaction engine was so bad it would choke at 5 tps despite running on server hardware capable of 1000x that (two very high end dedicated servers).  Yes facebook's early roots were in php (it has long since been converted to C++) but facebook would never have scaled to even a million users if its codebase was this bad.  Today we would be saying "facebook who?" instead of it being a household name if the code wasn't scalable.   

There is no excuse or justification for code this bad.  None.  Period.  Anyone offering it just looks silly.

+ Agreed

OBJECT NOT FOUND
itsunderstood
Sr. Member
****
Offline Offline

Activity: 364


American1973


View Profile
March 04, 2014, 02:08:13 AM
 #59

Hmmmm.... not really ...not in the golden circle of large blue chip banks

A bank will have a core apps platform maybe 30-100 apps and I gurantee there wont be mysql & php kicking around

And assloads more capital due to fractionalized fiat debtmonies, yes.

No way can an average human compete with the corporate model, especially in finance.

Check out my prescient ATS thread from 2008: "Windows XP: End the Cyberwar, Open the Code Now!" http://www.abovetopsecret.com/forum/thread411978/pg1
thelema93
Full Member
***
Offline Offline

Activity: 126


View Profile
March 04, 2014, 02:49:31 AM
 #60

http://www.techworm.net/2014/03/mtgox-source-code-leaked-by-hacker-on.html

As a developer all I can say is ...
I have nothing to say just stunned silence that this was the codebase used to process millions of dollars and BTC everyday.

I have one word to say:

French
bananas
Sr. Member
****
Offline Offline

Activity: 266


View Profile
March 04, 2014, 02:51:03 AM
 #61

There is nothing wrong with PHP or any other language, they all do absolutely the same thing. Banking systems are mostly ancient writen in obsolete languages, and they do work fine. It is up to the programmer, not the language.
itsunderstood
Sr. Member
****
Offline Offline

Activity: 364


American1973


View Profile
March 04, 2014, 03:10:09 AM
 #62

I am going to take this code and learn from it.  I haven't ever really had much interest in programming because most all software is shit.  So, I guess if one is to learn, may as well start with the SHIT THAT MADE 500 MILLION USD?

PHP all the way + Python, you kiddin me?  This is a no brainer.  

Okay, so, we probably can agree that what is the real problem is: dickhead intentioned persons who break code, i.e. SQL inject, etc.  And Also I bet you would agree with me that these ones will always succeed UNLESS you got VC $$$ with which to test and parse and manage your code.

No way will anything grassroots be done, unless it is one dude typing furiously at his keyboard.  WITNESS the code which made functionality happen.  Haha, it is so cute to me that programmers think they can obfuscate their trade and call for centralized code and wag their finger at Tron-style creativitiy.  Okay, sure, when you look at it, it's dogshit.  But when I look at it, I want to learn it.

Everybody interested in making a better PHP world, go ahead and PM line by line as to where th vuln's are in this code, because, I didn't see anyone of you do an exploit that got his wallets, or did you??

I mean, in some ways, if you build cars so that they can withstand rocket-launchers-type-attacks, you are going to have to build tanks rather than cars.  So, then that again means that Ike was right about science-money taking over the world.  If you do not build better software designers, then there will simply be a whole new generation of them. And eventually they will decide to de-obfuscate all code everywhere.  So anyway, I am learning PHP and Python, because I don't see that programming C++ and making shithot web apps, is really doable in a practical sense.  Just my .02 as a desktop tech who writes .bat files but supports low IQ money-based programmers imported from other countries.  I agree with those who say the world runs on lousy code --it does, and yet, that it won't be fixed is a frightening truth.

Check out my prescient ATS thread from 2008: "Windows XP: End the Cyberwar, Open the Code Now!" http://www.abovetopsecret.com/forum/thread411978/pg1
Zeeks
Member
**
Offline Offline

Activity: 76



View Profile
March 04, 2014, 03:20:44 AM
 #63

Why does the MtGox code send e-mails to Luke-Jr? He has a rather "colorful" past around here, he was tampering with blocks passing through his pool.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 04, 2014, 03:25:18 AM
 #64

Why does the MtGox code send e-mails to Luke-Jr?

IIRC MtGox had a deal where Eligus would include their transactions.
smooth
Legendary
*
Offline Offline

Activity: 1428



View Profile
March 04, 2014, 03:40:18 AM
 #65

There is a lot of wisdom here. Worse is better. Programming is not (always) art.

But I'll say this. it isn't clear that Mark made 500 million with this code. If we go by the leaked (maybe authentic, maybe not) financials, MtGox really didn't make that much money. It may be that the code made 500 million USD (or perhaps some much smaller amount if the coins were stolen earlier and valued at lower prices) for someone else. If Mark stole 500 million USD and got away with it using this code, then I would agree you are on to something. That's hardly proven.

I am going to take this code and learn from it.  I haven't ever really had much interest in programming because most all software is shit.  So, I guess if one is to learn, may as well start with the SHIT THAT MADE 500 MILLION USD?

PHP all the way + Python, you kiddin me?  This is a no brainer.  

Okay, so, we probably can agree that what is the real problem is: dickhead intentioned persons who break code, i.e. SQL inject, etc.  And Also I bet you would agree with me that these ones will always succeed UNLESS you got VC $$$ with which to test and parse and manage your code.

No way will anything grassroots be done, unless it is one dude typing furiously at his keyboard.  WITNESS the code which made functionality happen.  Haha, it is so cute to me that programmers think they can obfuscate their trade and call for centralized code and wag their finger at Tron-style creativitiy.  Okay, sure, when you look at it, it's dogshit.  But when I look at it, I want to learn it.

Everybody interested in making a better PHP world, go ahead and PM line by line as to where th vuln's are in this code, because, I didn't see anyone of you do an exploit that got his wallets, or did you??

I mean, in some ways, if you build cars so that they can withstand rocket-launchers-type-attacks, you are going to have to build tanks rather than cars.  So, then that again means that Ike was right about science-money taking over the world.  If you do not build better software designers, then there will simply be a whole new generation of them. And eventually they will decide to de-obfuscate all code everywhere.  So anyway, I am learning PHP and Python, because I don't see that programming C++ and making shithot web apps, is really doable in a practical sense.  Just my .02 as a desktop tech who writes .bat files but supports low IQ money-based programmers imported from other countries.  I agree with those who say the world runs on lousy code --it does, and yet, that it won't be fixed is a frightening truth.
itsunderstood
Sr. Member
****
Offline Offline

Activity: 364


American1973


View Profile
March 04, 2014, 03:47:00 AM
 #66

There is a lot of wisdom here. Worse is better. Programming is not (always) art.

But I'll say this. it isn't clear that Mark made 500 million with this code. If we go by the leaked (maybe authentic, maybe not) financials, MtGox really didn't make that much money. It may be that the code made 500 million USD (or perhaps some much smaller amount if the coins were stolen earlier and valued at lower prices) for someone else. If Mark stole 500 million USD and got away with it using this code, then I would agree you are on to something. That's hardly proven.

Thanks friend.

And I do not intend to defraud, because, if my exchange goes south, I will turn the damn thing off.

But, since you are all very smart, I would also suggest this:  There is no way to make Android safe.  And there is no way to stop the tablet-tsunami, with crapware standard.  So?

If you got all the programmers in a room, I don't think the public could stand to be in that room.

edit

Also the person who said that A: The Gox customer list, and now B: This code being dupe'd all around Earth, could open severe vectors for crime that smack cryptocoin in the face for years even (tho we know it will always rebound and/or have value).

So, in terms of any cred on the programmer-class of persons on Earth, I am not sure they can agree amongst themselves, as the good/shitty ones are good/bad enough to make a ton of cash either way, and then they bail and retire at 40, good for them!  Awesome.  But you can't build a world on that kind of code, can you?

Check out my prescient ATS thread from 2008: "Windows XP: End the Cyberwar, Open the Code Now!" http://www.abovetopsecret.com/forum/thread411978/pg1
Finnminer
Member
**
Offline Offline

Activity: 74


View Profile
March 04, 2014, 07:52:38 AM
 #67

I've seen so much bad code in my life... even in enterprise systems... this one looks quite average  Grin
I agree. I've worked as a software developer for 15+ years and this really is not that bad compared to some of the code out there. I was honestly expecting worse..

Has someone had the time to study the code more carefully? At first glance it seems to me like they are encrypting all the private keys using the same encryption keys and storing them in a database. So if someone would get access to the database and the master key (likely to be hardcoded in a php file somewhere...) they could steal all the money from all the addresses. I haven't spent much time looking at the code so I might be interpreting it wrong.
bitjoint
Sr. Member
****
Offline Offline

Activity: 330


Commander of the Hodl Legions


View Profile
March 04, 2014, 08:11:04 AM
 #68


Mysql? php??? For a multi-million dollar website?!?!?!? WTF!!!


Not a good point... Bitstamp is using php. The difference is that it seems bitstamp is built with a proper framework, and Gox was built with a crappy/old CMS... that's why I never trusted them.
bananas
Sr. Member
****
Offline Offline

Activity: 266


View Profile
March 04, 2014, 08:20:12 AM
 #69

I wonder why the SQL dump to create the database was not leaked, the actual sources using the class were not leaked either. It is not like "hey, i leaked it so you can just run it or fully analyze", 'cause you can't.

It is like Karpeles himself leaked that for some malicious reason
elebit
Sr. Member
****
Offline Offline

Activity: 415


View Profile
March 04, 2014, 09:08:59 AM
 #70

I agree. I've worked as a software developer for 15+ years and this really is not that bad compared to some of the code out there. I was honestly expecting worse..

It's all those "rockstar programmers" who spend more time reading blogs than working. Only the object oriented design pattern de jour is the way to go, everything else sucks beyond belief, apparently.

Meanwhile, COBOL code sprinkled with GO TOs run their banks and steer their satellites. The only thing that matters is if the code 1) works and 2) is readable (and most hipster frameworks fail on both accounts).

The difference between serious and amateurish outfits like MtGox is testing, testing, testing and testing. Did I mention testing? And a bunch of people who do not consider themselves rockstars or other silly things who work these systems daily.
mami
Jr. Member
*
Offline Offline

Activity: 59


View Profile
March 04, 2014, 12:09:03 PM
 #71

I've seen so much bad code in my life... even in enterprise systems... this one looks quite average  Grin
I agree. I've worked as a software developer for 15+ years and this really is not that bad compared to some of the code out there. I was honestly expecting worse..

The code is not particularly readable, therefore it probably has some subtle bugs. OO PHP is some of the worst looking code out there, but it mostly works... Honestly, what else is anyone suggesting people USE to make this type of site?

Surely NOT Ruby (way more scary than PHP), and probably not C++/CGI (too esoteric and crashworthy), probably not Python/web (still not ready for the bigtime), and don't even mention Java (the world will be a better place when people finally stop using it).
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 04, 2014, 01:14:21 PM
 #72

Surely NOT Ruby (way more scary than PHP), and probably not C++/CGI (too esoteric and crashworthy), probably not Python/web (still not ready for the bigtime), and don't even mention Java (the world will be a better place when people finally stop using it).

Nothing wrong with Java running server side.  The security hell that is java applets needs to die.  I personally don't install java client side not because it is any direct risk but out of fear that some browser exploit will enable java applet access.  If java applets were killed off an no longer supported by modern browsers I would have no issue with java client side either.  Most financial institutions and large enterprises use java server side. 

The issue isn't so much PHP as the way it was used.  As a side note, you can shoot of your own foot with any programming language, PHP just makes it easier than others.  I would use Python over PHP because dynamic typing and implicit (warningless) conversion between types just makes it to easy to create bugs which only occur run time.  Combine that with no test driven development and you got a recipe for hard to identify bugs.

Someone up thread said testing, testing, and testing.  That doesn't mean let me try to manually "test the hell out of this" it means things like unit testing, code coverage, mocking, automated test validation in build process, etc.  That is impossible with the code as written.  The code as written is untestable, unmaintainable, and undocumented.  Everything is a bunch of static methods, magic constants spread throughout, SQL code interspersed with business logic, mixed with formatting.  The few places where a constant should be used they decided to use a literal 100000000 for conversion from satoshi to Bitcoins.  Money values are handled as floats.  Everything is tightly coupled and poorly documented so if Mark ever did bring on additional programmers that would just be a timebomb waiting to go off.  You can get god's gift to programming but if other "lesser" programmers can make fatal mistakes with your code because it is fragile ... it is bad code.
spin
Sr. Member
****
Offline Offline

Activity: 355


View Profile
March 04, 2014, 02:05:38 PM
 #73

Why does the MtGox code send e-mails to Luke-Jr?

IIRC MtGox had a deal where Eligus would include their transactions.

Did that deal end at some point?  If so that may indicate the age of the source?

If you liked this post buy me a beer.  Beers are quite cheap where I live!
194YjsiwmGm3hcbPcJWWyzRAS9CQLX1fJL
PassTheAmmo
Newbie
*
Offline Offline

Activity: 23


View Profile
March 04, 2014, 03:08:28 PM
 #74

I agree. I've worked as a software developer for 15+ years and this really is not that bad compared to some of the code out there. I was honestly expecting worse..

It's all those "rockstar programmers" who spend more time reading blogs than working. Only the object oriented design pattern de jour is the way to go, everything else sucks beyond belief, apparently.

Meanwhile, COBOL code sprinkled with GO TOs run their banks and steer their satellites. The only thing that matters is if the code 1) works and 2) is readable (and most hipster frameworks fail on both accounts).

The difference between serious and amateurish outfits like MtGox is testing, testing, testing and testing. Did I mention testing? And a bunch of people who do not consider themselves rockstars or other silly things who work these systems daily.

The code isnt't testable in its current state which is exactly for the reasons already mentioned. It is not separated into components. That would have a lot of advantages, one og them being testability. The reason that COBOL works in banks is because the code has been running for decades, not because better tools don't exist now.

And OO has been questioned for a long time now with new programming languages even boosting about being non-OO.

You seem to be arguing against your own misconceptions.

I have a hard time believing that someone who's proficient in multiple programming languages would choose PHP for THIS particular job, but it would easily be the right choice if that's the only language he was fluent in.
QuestionAuthority
Legendary
*
Offline Offline

Activity: 1624


You lead and I'll watch you walk away.


View Profile
March 04, 2014, 03:11:13 PM
 #75

Why does the MtGox code send e-mails to Luke-Jr?

IIRC MtGox had a deal where Eligus would include their transactions.

Did that deal end at some point?  If so that may indicate the age of the source?

Collusion between Luke Dashjr and Gox alone should have been enough to keep you away from Gox. When you watch Luke Dashjr at a conference he looks and acts like one of those kids that used to get beat up a lot in school. He's very quiet, stays to himself and a little scary looking. I can see him having 15 decapitated human heads in a freezer in the back of his single wide mobile home with wooden Christian cross hanging in every room and an alter made for his long dead mother on the faux mantle piece.

spin
Sr. Member
****
Offline Offline

Activity: 355


View Profile
March 04, 2014, 03:16:36 PM
 #76

 I remember seeing something irc where gmaxwell said that the code is likely old.  

Rather than get personal about any members it would be good to know if this older code or newer code.

If you liked this post buy me a beer.  Beers are quite cheap where I live!
194YjsiwmGm3hcbPcJWWyzRAS9CQLX1fJL
muyuu
Donator
Legendary
*
Offline Offline

Activity: 952



View Profile
March 04, 2014, 03:27:51 PM
 #77

PHP can be used as a non-OOP language, and in fact it's the way it makes most sense to use it since their OOP is an afterthought and doesn't play well with the rest of the characteristics of the language. "1 big superclass" basically fakes that. You can easily re-factor that anyway.

However this does seem like a 1-man weekend project. I wonder if they at least have some docs to go with it elsewhere.

TBF I'm willing to believe this was the production code.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
elebit
Sr. Member
****
Offline Offline

Activity: 415


View Profile
March 04, 2014, 08:23:04 PM
 #78

The code isnt't testable in its current state which is exactly for the reasons already mentioned. It is not separated into components.

But it is. Just maybe not the components you would like.

I would not choose this exact design, but it is very far from a ball of mud. It is quite clear what is does, there are methods with proper names, and nothing is obscured by dependencies. If I would be handed this as a legacy codebase to work with I wouldn't find it too bad. I've seen much worse.

What I would miss most here is tests (of course one can write tests for this code, both functional tests and unit tests) and documentation. But that's par for the course considering there seems to have been mostly one developer working on this.
melmo
Full Member
***
Offline Offline

Activity: 213


View Profile
March 04, 2014, 08:59:17 PM
 #79

Why does the MtGox code send e-mails to Luke-Jr?

IIRC MtGox had a deal where Eligus would include their transactions.

Did that deal end at some point?  If so that may indicate the age of the source?

Collusion between Luke Dashjr and Gox alone should have been enough to keep you away from Gox. When you watch Luke Dashjr at a conference he looks and acts like one of those kids that used to get beat up a lot in school. He's very quiet, stays to himself and a little scary looking. I can see him having 15 decapitated human heads in a freezer in the back of his single wide mobile home with wooden Christian cross hanging in every room and an alter made for his long dead mother on the faux mantle piece.

Wow, that's harsh Smiley
QuestionAuthority
Legendary
*
Offline Offline

Activity: 1624


You lead and I'll watch you walk away.


View Profile
March 04, 2014, 09:04:57 PM
 #80

Why does the MtGox code send e-mails to Luke-Jr?

IIRC MtGox had a deal where Eligus would include their transactions.

Did that deal end at some point?  If so that may indicate the age of the source?

Collusion between Luke Dashjr and Gox alone should have been enough to keep you away from Gox. When you watch Luke Dashjr at a conference he looks and acts like one of those kids that used to get beat up a lot in school. He's very quiet, stays to himself and a little scary looking. I can see him having 15 decapitated human heads in a freezer in the back of his single wide mobile home with wooden Christian cross hanging in every room and an alter made for his long dead mother on the faux mantle piece.

Wow, that's harsh Smiley

Nah, not really. He's a bastard. Besides being a crippling force on Bitcoins development team, he has used the mining power of so many people without their knowledge to do so many bad things that I find it hard to say anything evil enough to describe him.

Nagle
Legendary
*
Offline Offline

Activity: 1204


View Profile WWW
March 04, 2014, 10:41:40 PM
 #81

Hm. Items of interest:

The code sends emails to "mark@ookoo.org" on some errors.  "ookoo.org" is owned by

Mutum Sigillum LLC
220 E. Delaware Ave., #1085
Newark, DE
US

which is a subsidiary of Mt. Gox.

On page 26, there's a private key embedded in the code as a long hex string. Requests involving that private key are rejected.

Bitcoin transactions are sent to "relay.eilgius.st" and "mtgox.relay.eligius.st". That's a mining pool. But that "eligius.st" address is registered to Mutum Sigillum LLC:

DOMAIN: eligius.st

REGISTRATION-SERVICE-PROVIDER: K.K. Tibanne
URL: http://www.tibanne.com/

created-date:    2011-05-10 00:27:33
updated-date:    2014-03-03 04:59:29
expiration-date: 2014-05-10 21:59:59

registrant-organization: Mutum Sigillum LLC
registrant-name:         David Manager (MUT525418A4EC0C7)
registrant-street:       220 E. Delaware Ave., #1085
registrant-city:         Newark
registrant-state:       
registrant-zip:          19711
registrant-country:      US
registrant-phone:       
registrant-fax:         
registrant-email:        domains@mutumsigillum.com

admin-organization: Luke Dashjr
admin-name:         Luke Dashjr (KKT5313FE423381E)
admin-street:       8512 Templeton Drive
admin-city:         Omaha
admin-state:        NE
admin-zip:          33523
admin-country:      US
admin-phone:       
admin-fax:         
admin-email:        luke+kalyhost@dashjr.org

tech-organization:
tech-name:         Luke Dashjr (KKT5313FE424A57E)
tech-street:       8512 Templeton Drive
tech-city:         Omaha
tech-state:        NE
tech-zip:          33523
tech-country:      US
tech-phone:       
tech-fax:         
tech-email:        luke+kalyhost@dashjr.org

billing-organization:
billing-name:         Luke Dashjr (KKT5313FE425CFF3)
billing-street:       8512 Templeton Drive
billing-city:         Omaha
billing-state:        NE
billing-zip:          33523
billing-country:      US
billing-phone:       
billing-fax:         
billing-email:        luke+kalyhost@dashjr.org

Mt. Gox was known to have close connections to Eligius, but this is closer than previously thought.

Definit
Sr. Member
****
Offline Offline

Activity: 357



View Profile
March 04, 2014, 11:24:23 PM
 #82

interesting
tvbcof
Legendary
*
Offline Offline

Activity: 2142


View Profile
March 04, 2014, 11:38:51 PM
 #83

Oh and it gets worse

Quote
From the IRC chat of Nanashi and other hackers, it seems that the hacker also have access to a 20GB data dump of customer data along with passport scans.

This is much worse.  A whole new slew of lawsuits heading their way.

+1.  Much worse.  I can live without the modest wire they owe me else I would not have requested it.  My ID docs, OTOH, spell a lifetime of hassles.  I have only ever sent high quality identity dox to Mt. Gox.  I they are used by any criminal I'll know exactly where they came from.

I'd estimated that after the 2011 Mt. Gox problems and all the money they should have been raking in, they would have had some professional architects and coders on staff and the data would be a little bit safe (though the support contractors would still have some access to it.)  I'll take some responsibility for mis-estimating here, but only so much.  If my dox are lost/sold, I'm coming for that fat cock sucker.  I've had the patience to HODL BTC for years, and I'll have the patience to see that Karpeles suffers for much longer than that.  And the resources to boot, especially if we see at least one more price run-up.


Definit
Sr. Member
****
Offline Offline

Activity: 357



View Profile
March 05, 2014, 01:45:51 AM
 #84

http://forums.graal.in/forums/showthread.php?7661-Is-Stephane-Portha-involved-with-MtGox

who is Stephane Portha (known scammer) and why is he connected with Mt.Gox Mark Karpeles?

http://nekoroy.com/hiddengox.html


dave111223
Hero Member
*****
Offline Offline

Activity: 812



View Profile
March 05, 2014, 03:36:54 AM
 #85

Where is the rest of the code?

This only seems to contain one PHP class which wraps other classes which are not included here?

http://pastebin.com/W8B3CGiN

mami
Jr. Member
*
Offline Offline

Activity: 59


View Profile
March 06, 2014, 06:15:54 AM
 #86

Surely NOT Ruby (way more scary than PHP), and probably not C++/CGI (too esoteric and crashworthy), probably not Python/web (still not ready for the bigtime), and don't even mention Java (the world will be a better place when people finally stop using it).

Nothing wrong with Java running server side.  The security hell that is java applets needs to die.  I personally don't install java client side not because it is any direct risk but out of fear that some browser exploit will enable java applet access.  If java applets were killed off an no longer supported by modern browsers I would have no issue with java client side either.  Most financial institutions and large enterprises use java server side.  

Well there are problems with Java server side - high memory and CPU use, slow execution, occasional required restarting of backend infrastructure, and code bloat (Karpie's Bitcoin PHP class would take 5000+ lines of Java). Also Java server architecture didn't start off HTTP/REST-based - PHP was specifically designed for it (albeit recklessly).  Finally,  Java bugs always take longer to FIND AND FIX than any other language's -  a major cost.
  
The issue isn't so much PHP as the way it was used.  As a side note, you can shoot of your own foot with any programming language, PHP just makes it easier than others.  I would use Python over PHP because dynamic typing and implicit (warningless) conversion between types just makes it to easy to create bugs which only occur run time.  Combine that with no test driven development and you got a recipe for hard to identify bugs.

very true - php5's execution is SCARILY NON-DETERMINISTIC from time to time...

Someone up thread said testing, testing, and testing.  That doesn't mean let me try to manually "test the hell out of this" it means things like unit testing, code coverage, mocking, automated test validation in build process, etc.  That is impossible with the code as written.  The code as written is untestable, unmaintainable, and undocumented.  Everything is a bunch of static methods, magic constants spread throughout, SQL code interspersed with business logic, mixed with formatting.  The few places where a constant should be used they decided to use a literal 100000000 for conversion from satoshi to Bitcoins.  Money values are handled as floats.  Everything is tightly coupled and poorly documented so if Mark ever did bring on additional programmers that would just be a timebomb waiting to go off.  You can get god's gift to programming but if other "lesser" programmers can make fatal mistakes with your code because it is fragile ... it is bad code.

Hard to argue these points - nonetheless the old industry saying of "it's not a bug unless a customer finds it" holds true... With PHP a lot of poop can be swept under the rug or offloaded to the web server...

I forgot to mention node.js as an option for web infrastructure - I am not a fan of anything google and I hate Javascript...

Karpie might be polishing his coding skills up in a cell in the US soon...
mp420
Hero Member
*****
Offline Offline

Activity: 501


View Profile
March 06, 2014, 06:36:47 AM
 #87

Using PHP for ANYTHING is a recipe for a disaster. (Yes, even using it for the thing it was originally meant for - a simple tool for beginners to make dynamic web content. Ever seen a beginner write PHP code without gaping security holes all around?) Even Perl is much more sane language. Perl at least has consistent block scope.

For web development, I'm strangely drawn toward Node.js at the moment. But anything goes if it does not have to be PHP.
Juneass
Newbie
*
Offline Offline

Activity: 28


View Profile
March 06, 2014, 07:35:06 AM
 #88

I posted about this before.
There are some doubts about its validity.

https://bitcointalk.org/index.php?topic=498341.0
nagnagnag2
Full Member
***
Offline Offline

Activity: 142


View Profile
March 06, 2014, 11:27:22 AM
 #89

this is probably the code which allowed the leak of the 800 000 bitcoins.
itsunderstood
Sr. Member
****
Offline Offline

Activity: 364


American1973


View Profile
March 07, 2014, 07:19:51 AM
 #90

This fits weel here:

Quote
http://mag.newsweek.com/2014/03/14/bitcoin-satoshi-nakamoto.html

[...]

In addition, the code was not always terribly neat, another sign that Nakamoto was not working with a team that would have cleaned up the code and streamlined it.

"Everyone who looked at his code has pretty much concluded it was a single person," says Andresen. "We have rewritten roughly 70 percent of the code since inception. It wasn't written with nice interfaces. It was like one big hairball. It was incredibly tight and well-written at the lower level but where functions came together it could be pretty messy."

So, this is a very educational thread.  Thanks all.

edit

I'll tell you what, this Satoshi guy they found, is exactly like so many programmers I have supported as a tech in the US.  He comes out and says "where's my free lunch?!"  Hahaha, a genius savant Japanese guy who will never admit to bitcoin and who write "hairball" assembly level code that changes the entire world.

Like a sir.

Check out my prescient ATS thread from 2008: "Windows XP: End the Cyberwar, Open the Code Now!" http://www.abovetopsecret.com/forum/thread411978/pg1
gollum
Sr. Member
****
Offline Offline

Activity: 434


In Hashrate We Trust!


View Profile
March 08, 2014, 03:20:02 AM
 #91

The MtGox code is worst practice of coding and security... I bet Mark Karpeles never heard about "design patterns".
https://en.wikipedia.org/wiki/Software_design_pattern

Design Patterns: Elements of Reusable Object-Oriented Software
http://www.amazon.com/Design-Patterns-Elements-Reusable-Object-Oriented/dp/0201633612
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 08, 2014, 03:22:44 AM
 #92

Well to Marks credit there is more than one anti-pattern in the code.   
Pages: 1 2 3 4 5 [All]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!