Mersenne: Preventing hacks

2002-02-12 Thread Aaron Blosser

Well,

After long and hard thought on this (approximately 30 seconds), I have
the following suggestion:

Each team account (could apply to accounts with just one machine as
well) should have 2 passwords.

A master password that could be used on the web pages to manage
exponents on all team machines, and also a per-machine password (could
be automatically generated when a new machine gets an exponent).

There's really no reason I can think of why a password would be required
to have a machine join a team, is there?  I mean, someone could sign
their machine up to some team and reserve a bunch of exponents with no
intention of working on them, but hey, someone could do that anyway
right now by just setting up their own team...

So a team account master password could unreserve exponents on any
machine, and then the machine password could be used to work with
exponents for only that one machine.

Well, at any rate, that would keep individual team members from wreaking
havoc by this shared password scheme currently in place, while still
allowing a team leader to unreserve exponents or do other things from
the web page.

Just a thought, and again, this is just my 30-second attempt to come up
with an idea.  I'm sure it can and will be improved upon.

Aaron (aka I'm-not-a-hacker-I'm-a-math-geek)

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:mersenne-invalid-[EMAIL PROTECTED]] On Behalf Of George Woltman
 Sent: Tuesday, February 12, 2002 12:29 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Mersenne: Missing assignement
 
 Hi all,
 
 At 08:10 PM 2/12/2002 +0100, Ignacio Larrosa Cañestro wrote:
 In my personal account report of yesterday one could read:
 
 Assignment overdue check-in is set at 60.0 days (0.0 days to expire)
 But now this exponent is missing. How is it possible??
 
 OK, the cat is out of the bag.
 
 In late January, one of the more productive teams was hacked.
 Prime95/Primenet has some security holes.  One of these holes
 is that a team must make its password public for new members to join.
 
 Someone exploited this hole.  This loser thought it would be cute to
 unreserve all the team's exponents (a few hundred) via the manual web
 pages.  Brad & Scott patched the manual forms and embarked on
 implementing a more permanent solution.  A week ago, they struck again
 using prime95 itself to again unreserve some of the team's exponents.
 
 Unfortunately, rather than hurting the team, the hacker ended up hurting
 ordinary users.  The server reassigned all the unreserved exponents.
 Since the team's computers had a head start on these exponents they are
 likely to finish them first.  When they report a result, your assignment
 will disappear from the active assignments list.  GIMPS, of course, can
 use your result for double-checking.
 
 Brad/Scott have now changed the server so that none of this team's
 exponents can be unreserved.  They are still working on making this
 feature available to all teams to prevent this in the future.
 
 Brad & Scott are better able to comment on this, but I think that this
 is the first hacker attack on the reservation system.  There have been
 many denial of service attacks and attempts at defacing the web pages
 (don't people have better things to do with their time?)
 
 Are there other security holes?  Yes.  For obvious reasons I don't know
 if we should discuss these in a mailing list.  Beefing up security costs
 time and money.  These are limited resources in an all-volunteer,
 not-for-profit, zero-revenue project.  We'll try to do the best we can
 given our limitations.
 
 Always remember
 
 GIMPS is just for fun,
 George

_________________________________________________________________
Unsubscribe & list info -- http://www.ndatech.com/mersenne/signup.htm
Mersenne Prime FAQ      -- http://www.tasam.com/~lrwiman/FAQ-mers



Re: Mersenne: Preventing hacks

2002-02-12 Thread bjb

On 12 Feb 2002, at 13:21, Aaron Blosser wrote:

 After long and hard thought on this (approximately 30 seconds), I have
 the following suggestion:
 
 Each team account (could apply to accounts with just one machine as
 well) should have 2 passwords.
 
 A master password that could be used on the web pages to manage
 exponents on all team machines, and also a per-machine password (could
 be automatically generated when a new machine gets an exponent).

That sort of works - but it's messy, and makes it hard for an 
individual team member to unreserve an exponent for some 
legitimate reason.

A better solution is to have every PrimeNet client identified in three 
ways: system id, user name & team name. Team name blank 
means the user is not a participant in any team. The password is 
associated with the user name, not the team. Now the user can do 
what the hell (s)he likes with his/her own assignments, but cannot 
bugger up assignments belonging to other team members.

A side effect of implementing this is that team members can desert 
(maybe joining a different team) even in the middle of an 
assignment, so team total CPU time could not be computed by 
simply adding the CPU time contributed by current members. 
Instead it would be necessary to keep separate running totals for 
each named team, adding the contribution from each completed 
assignment to whichever team the user is currently attached to 
(instead of, or as well as, to the individual user?) as and when 
results are submitted.

  In late January, one of the more productive teams was hacked.
  Prime95/Primenet has some security holes.  One of these holes
  is that a team must make its password public for new members to join.
  
  Someone exploited this hole.  This loser thought it would be cute to
  unreserve all the team's exponents (a few hundred) via the manual web
  pages.  Brad & Scott patched the manual forms and embarked on
  implementing a more permanent solution.  A week ago, they struck again
  using prime95 itself to again unreserve some of the team's exponents.
  
  Unfortunately, rather than hurting the team, the hacker ended up hurting
  ordinary users.  The server reassigned all the unreserved exponents.
  Since the team's computers had a head start on these exponents they are
  likely to finish them first.  When they report a result, your assignment
  will disappear from the active assignments list.  GIMPS, of course, can
  use your result for double-checking.

So there's no loss at all, for LL assignments.
  
  Brad/Scott have now changed the server so that none of this team's
  exponents can be unreserved.  They are still working on making this
  feature available to all teams to prevent this in the future.

As I pointed out above, there may be legitimate reasons for an 
individual team member to unreserve their own assignments.
  
  Brad & Scott are better able to comment on this, but I think that this
  is the first hacker attack on the reservation system.  There have been
  many denial of service attacks and attempts at defacing the web pages
  (don't people have better things to do with their time?)

I think _every_ web site sees attempts to do such things. Some 
morons apparently consider operational, undefaced web sites in 
the same way as graffiti artists see a blank wall. Expect also to 
see sustained probing to find any of the large number of known 
vulnerabilities in software and/or insecure misconfigurations 
common to various web servers.

Regards
Brian Beesley
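The following is an added example, not PrimeNet or prime95 code and not anything posted in this thread. It is a toy Python reservation server that replays the incident George describes (anyone who has learned the necessarily public team password unreserving the team's exponents) and then applies the two fixes proposed above: Aaron's master password plus auto-generated per-machine password, and Brian's per-user password with owner-only unreserve, including Brian's point that a result must be credited to whichever team the user belongs to at submission time rather than at reservation time. The user, team and machine names, the exponents, the passwords and the salted-PBKDF2 credential storage are all constructed assumptions for illustration; the thread says nothing about how PrimeNet stores credentials.

```python
import hashlib
import secrets
from collections import namedtuple


class Credential:  # salted PBKDF2 verifier; storage scheme is my assumption, not PrimeNet's
    def __init__(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def check(self, password: str) -> bool:
        return secrets.compare_digest(self.digest, self._hash(password))


# `team` is the team on record when the exponent was handed out.
Assignment = namedtuple("Assignment", "exponent team user machine")


class Server:
    """Toy reservation server with one credential table per scheme in the thread."""
    def __init__(self) -> None:
        self.team_pw = {}     # today: one shared team password, public so members can join
        self.master_pw = {}   # Aaron: team leader's master password for the web pages
        self.machine_pw = {}  # Aaron: generated per machine when it first gets work
        self.user_pw = {}     # Brian: password tied to the user name, not the team
        self.user_team = {}   # Brian: user -> current team, "" = not in a team
        self.assignments = {}
        self.team_cpu = {}    # Brian: running CPU total per named team

    def reserve(self, exponent: int, user: str, machine: str) -> str:
        """Hand an exponent to a machine; mint its machine password on first contact."""
        team = self.user_team.get(user, "")
        self.assignments[exponent] = Assignment(exponent, team, user, machine)
        if machine in self.machine_pw:
            return ""
        pw = secrets.token_urlsafe(12)
        self.machine_pw[machine] = Credential(pw)
        return pw  # handed to the client once, as Aaron proposes

    def _unreserve(self, table, owner_field, name, pw, exponent) -> bool:
        """Drop the exponent only if `name` authenticates and is its `owner_field`."""
        a = self.assignments.get(exponent)
        cred = table.get(name)
        if a is None or getattr(a, owner_field) != name or cred is None or not cred.check(pw):
            return False
        del self.assignments[exponent]
        return True

    # Current scheme: anyone holding the public team password can drop any team exponent.
    def unreserve_with_team_pw(self, team, pw, exponent):
        return self._unreserve(self.team_pw, "team", team, pw, exponent)

    # Aaron: master password works team-wide; a machine password only for that machine.
    def unreserve_with_master_pw(self, team, pw, exponent):
        return self._unreserve(self.master_pw, "team", team, pw, exponent)

    def unreserve_with_machine_pw(self, machine, pw, exponent):
        return self._unreserve(self.machine_pw, "machine", machine, pw, exponent)

    # Brian: the password belongs to the user, so only the owner can touch an assignment.
    def unreserve_as_user(self, user, pw, exponent):
        return self._unreserve(self.user_pw, "user", user, pw, exponent)

    def submit_result(self, user, pw, exponent, cpu_days: float) -> str:
        """Credit CPU time to the team the user is attached to *now*, not at reservation."""
        a = self.assignments.get(exponent)
        cred = self.user_pw.get(user)
        if a is None or a.user != user or cred is None or not cred.check(pw):
            raise PermissionError("result rejected")
        team = self.user_team.get(user, "")
        self.team_cpu[team] = self.team_cpu.get(team, 0.0) + cpu_days
        del self.assignments[exponent]
        return team


def demo() -> dict:
    """Replay the incident from the thread, then each proposed fix; return the outcomes."""
    s = Server()
    s.team_pw["Team-A"], s.master_pw["Team-A"] = Credential("public-team-pw"), Credential("leader-only")
    s.user_pw.update(alice=Credential("alice-pw"), bob=Credential("bob-pw"))
    s.user_team.update(alice="Team-A", bob="Team-A")
    e1, e2, e3 = 1_000_003, 1_000_033, 1_000_037  # constructed prime exponents
    alice_box_pw = s.reserve(e1, "alice", "alice-box")
    bob_box_pw = s.reserve(e2, "bob", "bob-box")
    out = {}
    # The incident: an ex-member who knows the public password unreserves the whole team.
    out["old_scheme_outsider"] = [s.unreserve_with_team_pw("Team-A", "public-team-pw", e) for e in (e1, e2)]
    s.reserve(e1, "alice", "alice-box"), s.reserve(e2, "bob", "bob-box")  # server re-issues them
    out["machine_pw_other_box"] = s.unreserve_with_machine_pw("bob-box", bob_box_pw, e1)
    out["user_pw_other_user"] = s.unreserve_as_user("bob", "bob-pw", e1)
    out["machine_pw_own_box"] = s.unreserve_with_machine_pw("alice-box", alice_box_pw, e1)
    out["master_pw_team_wide"] = s.unreserve_with_master_pw("Team-A", "leader-only", e2)
    # Brian's side effect: bob reserves while on Team-A, defects to Team-B, then reports.
    s.reserve(e3, "bob", "bob-box")
    s.user_team["bob"] = "Team-B"
    out["credited_team"] = s.submit_result("bob", "bob-pw", e3, 12.5)
    out["team_cpu"] = dict(s.team_cpu)
    return out
```

Calling `demo()` shows the shared team password removing both exponents, a machine or user credential failing against someone else's assignment but succeeding against its own, the master password working team-wide, and the CPU credit landing on Team-B even though the exponent was reserved under Team-A. The design point common to both proposals is that the credential that can join a team is separated from the credential that can destroy a team member's work; the ownership check on the assignment, not the password check alone, is what closes the hole.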