On Sun, 11 Mar 2001 20:11:33 -0000 "Daran" <[EMAIL PROTECTED]> wrote:
> Hi all. I'm new to the list, but I've been GIMPING for just over two years.
> I'd been thinking about possible security risks myself just before I joined
> the list, so it's a bit of a coincidence that this was the first thread I
> read.
Let me suggest there are two situations to be evaluated for exposure:
1. Attacks using the Prime95 communication protocols -
I believe it is the CLIENT that initiates all GIMPS communications.
In other words, there is __no__ daemon which is listening to random
incoming messages. (Buffer overflow attacks are usually directed
at programs which accept messages from anywhere on the internet.)
To make use of the GIMPS communication protocols, the attacker
might have to WAIT for the user's Prime95 program to initiate
contact, and would then have to SPOOF being the Primenet server.
In my opinion, there are easier pickings on the 'net for attacks.
In my opinion it would be easier to spoof the "Manual Entry"
Primenet server, which uses a browser interface rather than the
"below-the-covers" interface of the Prime95 client. But the risk
of using a browser to access Primenet should be no greater than
the risk of using a browser to access any other site on the 'net.
2. Attacks facilitated by being on-line in the first place -
I cut my teeth at distributed computing with the RC5 project,
which has much shorter reporting intervals. Because I live in
the boonies, I do __not__ have a reliable connection to the 'net.
I found that allowing RC5 (or Prime!) to AUTOMATICALLY connect to
the server would randomly become a horror story (my name for the
spectacle is to call it a "stark-raving-mad dialer" aberration).
So for BOTH projects, my computers have run OFF-LINE, and WITHOUT
any automatic reporting or check-in. When I need new work, I
connect to the internet, then connect to the server, then
communicate, then disconnect. That does not leave much time for
an attacker to start probing my ports, or to send ovesize buffers.
The good part about both RC5 and GIMPS is that work assignments
can be downloaded "ahead of use" (that is, at a time when I have
verified that my connection is good, rather than at a time when
the computer has reached a certain point). I've looked at some
other distributed networks - they only send the next unit after
the previous unit is completed - participants in such a network
might "run out of work to do" if they happen to be off-line.
My opinion: Compared to someone who is off-line most of the time,
someone who chooses to stay connected in order to participate in
a distributed project __will__ be at security risk of being
attacked, MERELY because there exists an IP-address to be probed.
The ONLY help I know of is to interpose the most paranoid firewall
one can find !!!
mikus
_________________________________________________________________________
Unsubscribe & list info -- http://www.scruz.net/~luke/signup.htm
Mersenne Prime FAQ -- http://www.tasam.com/~lrwiman/FAQ-mers
