Dear Bitcoiners,
I'm sorry to hear that some people have had their account stolen, but I was expecting it.
The problem of Mt. Gox is that it grown too fast, without the correct investment in customer safety. The design of the site is not thought for security, and it is evident even from the API. Basic cornerstones like input validation, or safe data exchange are omitted, as if that was a blog and not a sensitive web application. Luckily Mt. Gox makes enough money to pay admins to control the money-flow.
The bigger problem anyhow, is that other exchanges have blatantly copied the design of mt. Gox, along with its flaws, and with a smaller budget. Thus I expect more security breaches. And this is a big problem for the credibility of bitcoins. Thus I invite exchange owners to:
1) Use the right software. IIS is a big no-no
Also Linux should frowned upon. Unix is the way to go.
2) Update the software. You cant leave a known root escalation bug for 6 days!!!!
3) Have your code reviewed by a third party.
4) PHP security isnt too difficult, http://phpsec.org/projects/guide/ , still you missed most of the BASIC guidelines.
5) For god sake, you're moving hundred of thousand of dollars. Use a fucking dedicated server for the database. Accessible only by a local IP. If you wonder why I know this, then you should fire your admin.
If you own an exchange and would like to be safer, for a small fee (in the 5 figures) PM me, and I will tell you if your site is flawed, and if it is I can show you how I can have root access on the webserver at least.
I'm sorry to hear that some people have had their account stolen, but I was expecting it.
The problem of Mt. Gox is that it grown too fast, without the correct investment in customer safety. The design of the site is not thought for security, and it is evident even from the API. Basic cornerstones like input validation, or safe data exchange are omitted, as if that was a blog and not a sensitive web application. Luckily Mt. Gox makes enough money to pay admins to control the money-flow.
The bigger problem anyhow, is that other exchanges have blatantly copied the design of mt. Gox, along with its flaws, and with a smaller budget. Thus I expect more security breaches. And this is a big problem for the credibility of bitcoins. Thus I invite exchange owners to:
1) Use the right software. IIS is a big no-no
Also Linux should frowned upon. Unix is the way to go.2) Update the software. You cant leave a known root escalation bug for 6 days!!!!
3) Have your code reviewed by a third party.
4) PHP security isnt too difficult, http://phpsec.org/projects/guide/ , still you missed most of the BASIC guidelines.
5) For god sake, you're moving hundred of thousand of dollars. Use a fucking dedicated server for the database. Accessible only by a local IP. If you wonder why I know this, then you should fire your admin.
If you own an exchange and would like to be safer, for a small fee (in the 5 figures) PM me, and I will tell you if your site is flawed, and if it is I can show you how I can have root access on the webserver at least.
I realized this guy was a dumbass when I read number 1. I am a Redhat Certified Engineer, and I have several close friends and co-workers that are Linux Administrators for DoD, ORNL, and Y-12 (All in Tennessee). Here is a reason why every single freaking one of these institutions rely on LINUX (mostly RHEL) for the utmost security. The OP has obviously no idea what SELinux is or just how actually secure it is. Its a shame there are so many self declared "security experts" involved with Bitcoin. I am no expert, but I do know my ass from a hole in the ground.
I'm inclined to agree .... yet the number of people building bitcoind on a RH system or derivative numbers in the tens, if that ... absolutely no support that I can find for RH bitcoind ... except this howto for CentOS http://www.austinheap.com/assets/coins/531b6341e653b7b57a8f7f5cc3da79d9.pdf ....
C'mon you RH guys get in here and show them how its done, we need you. hware/OS/sware are the three-legs of security ... people have fogotten about 1 and 2 in the rush to make money I fear.