BOINC Security Issues?

stevem326

Senior member
Apr 5, 2005
I've been thinking about joining one of the BOINC projects using my home PC but all of the IT people where I work say distributed computing projects aren't safe. They say that technically you don't really know what the project is downloading to your computer, what it's actually doing when it's crunching the data, and what is being sent back to the project server once the data crunching is complete.

It seems like thousands of people participate in these very worthy projects and you never hear of any security issues, so are my IT folks just a little paranoid? Technically though, couldn't these projects be used to hack into your system and install keyloggers or spyware (if someone malicious enough was on the BOINC server end)?

I've read a lot about this issue on the web and most of the articles say that technically someone on the other end could hack into your PC but it would be very unlikely. I know the packets sent to your PC are encrypted and there's an encrypted key on your PC from BOINC that has to match the encrypted key in the packet (or something like that) so it all sounds pretty secure.

I do all of my banking and bill paying on line so my big fear is that someone could get all of my passwords and log-in info and have a field day.

Thanks a lot for any feedback, experiences, or advice!

 

Ayah

Platinum Member
Jan 1, 2006
I've never had any problems with DC. True, you cannot control what they download, but that is where the trust comes into play.
 

Insidious

Diamond Member
Oct 25, 2001
If I ran a corporation I wouldn't even consider compromising my proprietary information by opening up my systems to DC.

But I only crunch on my home computers and if someone wants my porn and mp3s that bad they're welcome to it!

;)

edit: don't save your passwords or sensitive information on your HD. (That's what CDs are for.)
 

stevem326

Senior member
Apr 5, 2005
Originally posted by: Insidious
If I ran a corporation I wouldn't even consider compromising my proprietary information by opening up my systems to DC.

But I only crunch on my home computers and if someone wants my porn and mp3s that bad they're welcome to it!

;)

edit: don't save your passwords or sensitive information on your HD. (That's what CDs are for.)

Well, there's really nothing on my hard drive I'd be worried about someone getting. It's all backed up on an external HD and DVDs as well so it can be replaced. My biggest fear would be a keylogger. If someone installs one of those they've got the log-in credentials to my bank, credit union, credit cards, etc...
 

BobDaMenkey

Diamond Member
Jan 27, 2005
There is that potential with ANYTHING that you download on the internet. It's a risk that you have to live with, and a question of whether or not you trust the projects that you subscribe to. I've been running DC for some months now and haven't had any issues with it yet.
 

Insidious

Diamond Member
Oct 25, 2001
Originally posted by: stevem326
Originally posted by: Insidious
If I ran a corporation I wouldn't even consider compromising my proprietary information by opening up my systems to DC.

But I only crunch on my home computers and if someone wants my porn and mp3s that bad they're welcome to it!

;)

edit: don't save your passwords or sensitive information on your HD. (That's what CDs are for.)

Well, there's really nothing on my hard drive I'd be worried about someone getting. It's all backed up on an external HD and DVDs as well so it can be replaced. My biggest fear would be a keylogger. If someone installs one of those they've got the log-in credentials to my bank, credit union, credit cards, etc...


If you've set up a firewall and run AV you have done about all you can do. DC or not.
I think you've got yourself a little spooked here.

-Sid

edit: OOPS quoted the wrong one the first time :eek:
 

Spacehead

Lifer
Jun 2, 2002
Originally posted by: BobDaMenkey
There is that potential with ANYTHING that you download on the internet. It's a risk that you have to live with, and a question of whether or not you trust the projects that you subscribe to.
Agreed.

I've been running DC projects for years & never had a problem. I always looked at it this way... there are a lot of very smart people running DC projects at home & at their workplace. If anything suspicious were going on I assume that someone would notice.

Also, any legit project would take pains to make sure some outsider couldn't compromise their work. It would look very bad for that to happen to a project, & I'm sure people have tried.


You're probably 1000x more at risk checking your email.

 

kmmatney

Diamond Member
Jun 19, 2000
I've been crunching for over 6 years, and have never heard of any issues. I guess it's possible with some sketchy DC project, but the larger ones are certainly safe.
 

BlackMountainCow

Diamond Member
May 28, 2003
I wouldn't know of any case describing a security issue with DC. If you stick to the bigger projects, run by universities, I guess you're as safe as you can be. I think that somebody like the University of Berkeley just can't afford having a trojan DC app. But I'm not saying that the smaller projects are bad per se. Just maybe not as safe. :)
 

Smoke

Distributed Computing Elite Member
Jan 3, 2001
If any one of the world's major distributed computing projects is ever found to have infected even one computer, then millions of computers by definition would also be infected.

That would mark the end of distributed computing for me and probably the vast majority of participants. I believe all of the distributed computing administrators realize this to be a fact.

 

Assimilator1

Elite Member
Nov 4, 1999
stevem326
Your IT guys are being paranoid big time! ;)
As mentioned, no DC project would want any of their volunteers' rigs compromised as that would spell the end of that part of their research.

Also, your up-to-date AV program, antispyware program & firewall should pick up any untoward activity, just as it should were you to browse a dodgy website.
In fact you'd be far more at risk from surfing the net than you would be running any recognised DC project.
I've run DC for 7yrs now with no problems, & TA has run DC for about 9yrs & AFAIK no security problems there.
The only issue I recall was SETI's email database was hacked once & some SETI users got spammed.
 

Rattledagger

Elite Member
Feb 5, 2001
Well, there have been some reports of viruses installing various DC-programs, but this is the "normal" kind, a virus distributed with emails and so on, and a (stupid) user executes the program attached in the email...


But, as far as BOINC goes, BOINC is open-source, meaning the user can download the source himself, look through all the lines of code for anything suspicious, and compile the BOINC-client himself.

This takes part of one half of the problem, the BOINC-client. But, apart from uploading/downloading, and scheduling various wu to crunch, the actual crunching is done by a project-specific application that is normally downloaded.
Meaning, if someone breaks into a project's servers, or a rogue project shows up and tricks users into attaching, they can distribute a keylogger instead of a science-application...

Even for this problem BOINC has a solution: under BOINC you can use the "anonymous platform"-mechanism. If you use this method for a project, the BOINC client will never download the science-application; you yourself must manually install this application, and manually upgrade if needed.
For most projects the science-application is closed-source, so you'll still need to download the application from the project. Still, I have never tested this, but it should likely be possible to test it out on a single computer, and if after some time no problems are detected with the science-application, you can install it as an "anonymous platform"-application on the other computers. This will block any attempts at auto-upgrading the science-application...


At least one project is open-source, SETI@home. Meaning, just like for the BOINC-client, the user can download the source, look through it for any suspicious lines of code, and compile the application themselves. The only thing "missing" is the actual wu, and the result, but a SETI@home-wu is basically a small header that tells what parameters to use, and some random noise. Since the user can check the seti-application before compiling it to see that there isn't any "if gets a string of 80 Z's, format users hd", this shouldn't be a problem.

Even if someone breaks into the seti-servers, the only wrong they can do is, instead of sending normal wu, to start sending 1 GB-wu taking 1 minute to crunch or something, using 1 TB disk-space and 10 GB memory, but, apart from blocking the internet-connection, nothing serious will really be done.

There are also some protections against this. The user can choose to only connect to the internet between hours A and B. Now finally working in v5.7.xx again, the user can choose to limit upload/download-speed to C and D KB. Another new feature with v5.7.xx: if memory-usage > N% of total when the computer is active, or M% if the computer is idle, the wu will be halted, or aborted if memory-usage exceeds installed memory.



Summing-up, since SETI@home is open-source, user can check every single line of code in BOINC-client and SETI-application, and choose to only run their self-compiled versions based on this checked code. The wu-file isn't executable, and is only processed by the SETI-application, and the result-file is created by the SETI-application.

This basically means, chances are whatever OS the user is running is a much bigger security-risk than someone's self-compiled SETI/BOINC; this is especially true if running Windows, since for most OSes the user does not have any access to source-code, but accepts whatever pre-compiled code is supplied...
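
An added example, not part of Rattledagger's post or of BOINC itself: a Python sketch of the workflow described above, where a science application vetted on one machine is installed by hand under the "anonymous platform" mechanism on the others. It reads the client's app_info.xml and checks that every listed file still matches the hash recorded at vetting time; the app name, file name and version number are constructed placeholders, and pinning by SHA-256 is an assumption of this example.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed app_info.xml; app name, file name and version are placeholders.
APP_INFO = """<app_info>
  <app><name>example_app</name></app>
  <file_info><name>example_app_1.00.exe</name><executable/></file_info>
  <app_version>
    <app_name>example_app</app_name><version_num>100</version_num>
    <file_ref><file_name>example_app_1.00.exe</file_name><main_program/></file_ref>
  </app_version>
</app_info>"""

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def listed_files(project_dir):
    root = ET.parse(Path(project_dir) / "app_info.xml").getroot()
    return [(fi.findtext("name") or "").strip() for fi in root.iter("file_info")]

def pin(project_dir):  # run on the machine where the application was vetted
    return {n: sha256_file(Path(project_dir) / n) for n in listed_files(project_dir)}

def verify(project_dir, pinned):
    """Run on every other machine; an empty list means it matches the vetted copy."""
    problems = []
    for name in listed_files(project_dir):
        path = Path(project_dir) / name
        if name not in pinned or Path(name).name != name:
            problems.append(f"{name}: not in the vetted set")
        elif not path.is_file():
            problems.append(f"{name}: missing")
        elif sha256_file(path) != pinned[name]:
            problems.append(f"{name}: differs from the vetted copy")
    return problems

def demo():
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "example_app_1.00.exe"
        (Path(d) / "app_info.xml").write_text(APP_INFO)
        exe.write_bytes(b"constructed stand-in for the science application")
        pinned = pin(d)
        clean = verify(d, pinned)
        exe.write_bytes(b"replaced binary")  # simulate a swapped executable
        return clean, verify(d, pinned)

if __name__ == "__main__":
    print(demo())
```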
 

stevem326

Senior member
Apr 5, 2005
Hey everyone...thanks a lot for all of the informative replies! After reading all of this, I think I'm going to join SETI or Rosetta (or one of the other large and established DC projects).

You guys brought up a very valid point that I didn't even consider and that is the fact that if one of these projects had just one single computer get infected with a bug there's a good chance that many if not all of the other participants would abandon the project and it would close. Consequently, all of the DC projects have a vested interest in making sure their servers are secure.

I've always kept my operating system up to date and I'm also running anti-spyware software, anti-virus software, and a firewall so that's about all I can do.

Anyway, I think you guys are right in that checking your email or just opening up a browser is probably more dangerous than joining a DC project.

Thanks again for all of the advice! I'm off to download the BOINC software now... :cool:
 

Assimilator1

Elite Member
Nov 4, 1999
:cool:

Go with whichever project interests you the most, & if you can't decide do both :D

Kinslayer
Aliens might want to crunch R@H on their quantum PCs or already have the cure ;):p