On 12 Feb 2002, at 13:21, Aaron Blosser wrote:

> After long and hard thought on this (approximately 30 seconds), I have
> the following suggestion:
> 
> Each team account (could apply to accounts with just one machine as
> well) should have 2 passwords.
> 
> A master password that could be used on the web pages to manage
> exponents on all team machines, and also a per-machine password (could
> be automatically generated when a new machine gets an exponent).

That sort of works - but it's messy, and makes it hard for an 
individual team member to unreserve an exponent for some 
legitimate reason.

A better solution is to have every PrimeNet client identified in three 
ways: system id, user name & team name. Team name blank 
means the user is not a participant in any team. The password is 
associated with the user name, not the team. Now the user can do 
what the hell (s)he likes with his/her own assignments, but cannot 
bugger up assignments belonging to other team members.

A side effect of implementing this is that team members can desert 
(maybe joining a different team) even in the middle of an 
assignment, so team total CPU time could not be computed by 
simply adding the CPU time contributed by current members. 
Instead it would be necessary to keep separate running totals for 
each named team, adding the contribution from each completed 
assignment to whichever team the user is currently attached to 
(instead of, or as well as, to the individual user?) as and when 
results are submitted.

> > In late January, one of the more productive teams was hacked.
> > Prime95/Primenet has some security holes.  One of these holes
> > is that a team must make its password public for new members to join.
> > 
> > Someone exploited this hole.  This loser thought it would be "cute" to
> > unreserve all the team's exponents (a few hundred) via the manual web
> > pages.  Brad & Scott patched the manual forms and embarked on
> > implementing a more permanent solution.  A week ago, they struck again
> > using prime95 itself to again unreserve some of the team's exponents.
> > 
> > Unfortunately, rather than hurting the team, the hacker ended up hurting
> > ordinary users.  The server reassigned all the unreserved exponents.
> > Since the team's computers had a head start on these exponents they are
> > likely to finish them first.  When they report a result, your assignment
> > will "disappear" from the active assignments list.  GIMPS, of course, can
> > use your result for double-checking.

So there's no loss at all, for LL assignments.
> > 
> > Brad/Scott have now changed the server so that none of this team's exponents
> > can be unreserved.  They are still working on making this feature available
> > to all teams to prevent this in the future.

As I pointed out above, there may be legitimate reasons for an 
individual team member to unreserve their own assignments.
> > 
> > Brad & Scott are better able to comment on this, but I think that this is
> > the first hacker attack on the reservation system.  There have been many
> > denial of service attacks and attempts at defacing the web pages (don't
> > people have better things to do with their time?)

I think _every_ web site sees attempts to do such things. Some 
morons apparently consider operational, undefaced web sites in 
the same way as graffiti artists see a blank wall. Expect also to 
see sustained probing to find any of the large number of known 
vulnerabilities in software and/or insecure misconfigurations 
common to various web servers.

Regards
Brian Beesley
_________________________________________________________________________
Unsubscribe & list info -- http://www.ndatech.com/mersenne/signup.htm
Mersenne Prime FAQ      -- http://www.tasam.com/~lrwiman/FAQ-mers
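The per-user scheme Brian sketches above (password tied to the user name rather than the team, teammates unable to touch each other's assignments, team CPU credited at submission time to whichever team the user is in then), modelled as an added toy example. It is not PrimeNet's code; the class name, method names and the SHA-256 password check are assumptions made for illustration.

```python
# Added example, not PrimeNet's code: a toy model of the per-user scheme proposed
# above. The class name and the SHA-256 password check are assumptions.
import hashlib
import hmac

def _h(password):
    return hashlib.sha256(password.encode()).digest()  # toy hash, not a real KDF

class PrimeNetModel:
    def __init__(self):
        self.users = {}          # user name -> {"pw": hash, "team": name or ""}
        self.assignments = {}    # exponent -> (system id, owning user name)
        self.team_cpu = {}       # running CPU total per named team

    def add_user(self, name, password, team=""):
        # the password belongs to the user name, never to the team; blank team = none
        self.users[name] = {"pw": _h(password), "team": team}

    def _auth(self, user, password):
        u = self.users.get(user)
        return u is not None and hmac.compare_digest(u["pw"], _h(password))

    def reserve(self, exponent, system_id, user):
        self.assignments[exponent] = (system_id, user)

    def change_team(self, user, password, team):   # allowed even mid-assignment
        if not self._auth(user, password):
            return False
        self.users[user]["team"] = team
        return True

    def _owns(self, exponent, user):
        a = self.assignments.get(exponent)
        return a is not None and a[1] == user

    def unreserve(self, exponent, user, password):
        if not (self._auth(user, password) and self._owns(exponent, user)):
            return False   # teammates and outsiders are refused
        del self.assignments[exponent]
        return True

    def submit_result(self, exponent, user, password, cpu_hours):
        if not (self._auth(user, password) and self._owns(exponent, user)):
            return False
        del self.assignments[exponent]
        team = self.users[user]["team"]   # credit the team the user is in now
        if team:
            self.team_cpu[team] = self.team_cpu.get(team, 0) + cpu_hours
        return True
```

Because the team name is only a label on the user record, a member changing teams carries no credential with them, and a leaked team name gives no power over anyone's reservations.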