On 6 Nov 2001, at 16:09, Gerry Snyder wrote:

> In a recent ethics briefing I was told that running seti@home on work
> PC's was a no-no because there had been three break-ins to computers
> using that program as a back door.
>
> No idea whether that is really the case, and no idea what
> communication scheme seti@home uses. Anyone familiar with this
> perceived problem?

I went & checked this out. There do appear to have been a few incidents involving seti@home. In one of these the server was hacked & details of the participants were "stolen"; at least some of the e-mail addresses were subsequently used by spammers. This is of course a serious incident, but nowhere near as serious as the disclosure of credit card numbers and other personal information which happened last weekend due to a security breach of the Microsoft Passport system.

In at least one other case a number of systems at a site were compromised by installation of the seti@home client - but only because a "Back Orifice" type trojan had somehow become attached to the copy of the client concerned - N.B. _not_ a direct download from the seti@home site. This sort of thing has reportedly also happened several times with the RC5 client.

Note that the risk of "unofficial replacement" of clients downloaded from the net can be virtually eliminated by computing the MD5 checksum of "official" binary images and posting this somewhere _before_ the binary itself is made available. The point is that it is almost impossible to modify a binary image without changing the MD5 checksum - in fact, to the best of my knowledge, this has not been demonstrated, even in a laboratory environment - a very great deal of trial and error would be required to match the 256 bit checksum; unlike some checksum algorithms, MD5 was designed to be reasonably quick to compute once, but impossibly expensive to compute a very large number of times.

Virus checkers are pretty effective at detecting trojans, provided the virus database is kept up to date.

Finally, reasonable configuration of a firewall (even a personal firewall product installed on the workstation itself) will prevent exploitation of a Back Orifice type trojan, even if one does manage to sneak in unnoticed - these work by creating a listener which allows those "in the know" to connect to the system using telnet, ssh or a similar protocol, using a non-standard port number.

I have been unable to trace any instances of security breaches of user systems due to running "official" copies of the seti@home client, or dependent in any way on client/server communications.

Regards
Brian Beesley
_________________________________________________________________________
Unsubscribe & list info -- http://www.ndatech.com/mersenne/signup.htm
Mersenne Prime FAQ      -- http://www.tasam.com/~lrwiman/FAQ-mers
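
The checksum procedure described in the message above, as an added example that is not part of the original post: it checks a downloaded file against a checksum list published in `md5sum`/`sha256sum` output format. The manifest layout, file name and sample bytes are constructed assumptions, and SHA-256 is the default digest here in place of the MD5 named in the post (pass `algorithm="md5"` for that scheme).

```python
import hashlib
import hmac
import os
import tempfile

def parse_manifest(text):
    """Parse 'HEXDIGEST  FILENAME' lines (md5sum/sha256sum output format)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.lstrip(" *")] = digest.lower()
    return entries

def file_digest(path, algorithm):
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, manifest_text, algorithm="sha256"):
    """Return True only if the file's digest equals the published one."""
    published = parse_manifest(manifest_text).get(os.path.basename(path))
    if published is None:
        # No published value means the file cannot be vouched for at all.
        raise KeyError("no published checksum for " + os.path.basename(path))
    return hmac.compare_digest(file_digest(path, algorithm), published)

def demo():
    """Constructed sample: an 'official' client image, then a modified copy."""
    official = b"\x7fELF constructed stand-in for the official client"
    manifest = hashlib.sha256(official).hexdigest() + "  client.bin\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "client.bin")
        with open(path, "wb") as fh:
            fh.write(official)
        genuine = verify_download(path, manifest)
        with open(path, "ab") as fh:  # extra bytes attached to the binary
            fh.write(b"constructed appended bytes")
        tampered = verify_download(path, manifest)
    return genuine, tampered

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the manifest came from, which is why the message has the checksum posted separately from, and before, the binary.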