[ISN] 'Distributed' Web Projects Raise Security Issues

From: InfoSec News (isnat_private)
Date: Mon Feb 25 2002 - 00:41:32 PST


    http://www.newsbytes.com/news/02/174660.html
    
    By Ariana Eunjung Cha, Washington Post
    WASHINGTON, D.C., U.S.A.,
    21 Feb 2002, 6:57 AM CST
     
    The projects' creators describe them as akin to digital ant colonies. 
    
    They are networks composed of millions of computers working together
    across the Internet to solve some of the world's most intractable
    problems: analyzing possible cures for cancer or AIDS, scouting the
    universe for signs of life, or even cracking a code for prize money.
     
    The machines are ordinary PCs. Volunteers need only download a free
    screensaver to participate. The software program harnesses any
    leftover processing power, without interrupting a volunteer's normal
    activities, and diverts it to tackle some large computing problem. In
    this way, average citizens are helping scientists help the world.
    
    The projects have already managed to aid researchers in analyzing
    global climate changes and to find new prime numbers. They've also
    screened a series of compounds with the potential to render anthrax
    toxins harmless; that project, sponsored by Oxford University, United
    Devices, Microsoft and Intel, among others, was completed in just 24
    days.
    
    But just as these "distributed computing" projects are beginning to
    yield results, new concerns about security have put many efforts in
    jeopardy.
    
    Since Sept. 11, companies large and small have begun stripping the
    software from machines out of fear they create an open channel to the
    Internet that could be exploited by terrorist hackers. Richard
    Chambers, the former inspector general at the Tennessee Valley
    Authority, America's largest public power company, and other
    government officials have declared the projects a risk to computer
    security and banned them from their systems. And in an unusual case
    that has riled up the high-tech community, a technician at the DeKalb
    Technical Institute, a public, two-year college in Clarkston, Ga., was
    charged by authorities with computer theft and trespass after
    installing such a program on several school machines.
    
    Tim Mullen, chief software architect for software firm AnchorIS.Com
    and a columnist for the SecurityFocus.com site, is among those who
    tell clients to remove those programs from their machines.
    
    "Unless you have people onboard who are going to do a code-level
    review for security on what's going in that screensaver, it's not
    worth the risk," he said.
    
    The companies that make such software -- firms such as Fairfax-based
    Parabon Computation Inc. and United Devices Inc. in Austin -- insist
    their products are safe. Indeed, in a testament to at least one of
    these systems, a well-known hacker-group-turned-security-consultancy
    @Stake l0pht has loaned out 86 PCs to work on a math puzzle called the
    Optimal Golomb ruler. A Golomb ruler is a special ruler where all
    marks have unique distances from each other with no duplications.  
    These rulers can help determine positions of antennas in an array for a
    radio telescope, among other applications.
    
    Many of the researchers who have constructed the screensavers as
    largely academic projects brush aside possible risks as unimportant
    given the value they potentially bring to society.
    
    That includes the directors of SETI@Home, which analyzes data from a
    radiotelescope for signs of alien life and, with 3.5 million users, is
    probably the largest distributed computing project.
    
    In June of last year, when hackers gained access to its volunteer
    database and escaped with information about 50,000 users, the
    administrators said they would not rewrite the software to add more
    security because it is a nonprofit project without the time or
    resources to do so.
    
    David Anderson, the director of SETI@Home, said the screensaver itself
    has been bug-free for 2 1/2 years -- hackers had gained access to the
    project's central servers. Still, he supports decisions by some
    administrators to remove the screensaver from their workers' machines
    for security reasons. For instance, "any computer that's connected
    with a nuclear power plant shouldn't be running any extra things," he
    said.
    
    The number of active users of the program has dropped off by a few
    tens of thousands since September. But Anderson attributes the decline
    mostly to congestion on the University of California at Berkeley
    network that his project runs on. As students trade a growing number
    of digital music and other electronic files, the resulting traffic is
    preventing SETI@Home from being able to communicate effectively with
    its network of computers because some messages are not getting
    through.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


