Well, after long and hard thought on this (approximately 30 seconds), I have the following suggestion:

Each team account (could apply to accounts with just one machine as well) should have 2 passwords. A master password that could be used on the web pages to manage exponents on all team machines, and also a per-machine password (could be automatically generated when a new machine gets an exponent).

There's really no reason I can think of why a password would be required to have a machine join a team, is there? I mean, someone could sign their machine up to some team and reserve a bunch of exponents with no intention of working on them, but hey, someone could do that anyway right now by just setting up their own team...

So a team account "master password" could unreserve exponents on any machine, and then the "machine password" could be used to work with exponents for only that one machine.

Well, at any rate, that would keep individual team members from wreaking havoc by this shared password scheme currently in place, while still allowing a team leader to unreserve exponents or do other things from the web page.

Just a thought, and again, this is just my 30-second attempt to come up with an idea. I'm sure it can and will be improved upon.

Aaron (aka "I'm-not-a-hacker-I'm-a-math-geek")

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:mersenne-invalid-[EMAIL PROTECTED]] On Behalf Of George Woltman
> Sent: Tuesday, February 12, 2002 12:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Mersenne: Missing assignement
>
> Hi all,
>
> At 08:10 PM 2/12/2002 +0100, Ignacio Larrosa Cañestro wrote:
> >In my personal account report of yesterday could be read:
> >
> >Assignment overdue check-in is set at 60.0 days (0.0 days to expire)
> >But now this exponent is missing. How is it possible??
>
> OK, the cat is out of the bag.....
>
> In late January, one of the more productive teams was hacked.
> Prime95/Primenet has some security holes. One of these holes
> is that a team must make its password public for new members to join.
>
> Someone exploited this hole. This loser thought it would be "cute" to
> unreserve all the team's exponents (a few hundred) via the manual web
> pages. Brad & Scott patched the manual forms and embarked on
> implementing a more permanent solution. A week ago, they struck again
> using prime95 itself to again unreserve some of the team's exponents.
>
> Unfortunately, rather than hurting the team, the hacker ended up hurting
> ordinary users. The server reassigned all the unreserved exponents.
> Since the team's computers had a head start on these exponents they are
> likely to finish them first. When they report a result, your assignment
> will "disappear" from the active assignments list. GIMPS, of course, can
> use your result for double-checking.
>
> Brad/Scott have now changed server so that none of this team's exponents
> can be unreserved. They are still working on making this feature
> available to all teams to prevent this in the future.
>
> Brad & Scott are better able to comment on this, but I think that this is
> the first hacker attack on the reservation system. There have been many
> denial of service attacks and attempts at defacing the web pages (don't
> people have better things to do with their time?)
>
> Are there other security holes? Yes. For obvious reasons I don't know if
> we should discuss these in a mailing list. Beefing up security costs time
> and money. These are limited resources in an all-volunteer, not-for-profit,
> zero-revenue project. We'll try to do the best we can given our
> limitations.
>
> Always remember....
>
> GIMPS is just for fun,
> George
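
The two-password scheme suggested in the reply above, as an added example that is not part of the thread and is not Prime95/PrimeNet code. The `Team` class, its method names and the machine ids are hypothetical; it assumes a missing `machine_id` means the caller is presenting the master password.

```python
import hashlib
import hmac
import secrets

def _hash(secret, salt=None):
    # Salted PBKDF2 so a leaked credential table does not reveal the passwords.
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _check(secret, stored):
    salt, digest = stored
    return hmac.compare_digest(_hash(secret, salt)[1], digest)

class Team:
    """Hypothetical model of the proposal; not PrimeNet's data model."""

    def __init__(self, master_password):
        self._master = _hash(master_password)
        self._machines = {}   # machine id -> (salt, digest) of its password
        self.reserved = {}    # exponent -> machine id holding it

    def join(self, machine_id):
        # No password is needed to join; the machine gets a generated one.
        if machine_id in self._machines:
            raise ValueError("machine already registered")
        password = secrets.token_urlsafe(24)
        self._machines[machine_id] = _hash(password)
        return password       # handed to that machine only

    def _is_machine(self, machine_id, password):
        stored = self._machines.get(machine_id)
        return stored is not None and _check(password, stored)

    def reserve(self, machine_id, password, exponent):
        if exponent in self.reserved or not self._is_machine(machine_id, password):
            return False
        self.reserved[exponent] = machine_id
        return True

    def unreserve(self, exponent, password, machine_id=None):
        # Master password: any exponent. Machine password: only its own.
        owner = self.reserved.get(exponent)
        if machine_id is None:
            allowed = _check(password, self._master)
        else:
            allowed = owner == machine_id and self._is_machine(machine_id, password)
        # Remove the reservation only when authorized and it actually exists.
        return allowed and self.reserved.pop(exponent, None) is not None
```

Because the only shared secret is gone, a member who joins the team learns nothing that lets them unreserve another machine's exponents.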