'Distributed' Projects Raise Security Issues

Discussion in 'other security issues & news' started by spy1, Mar 3, 2002.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC

    The projects' creators describe them as akin to digital ant colonies.

    They are networks composed of millions of computers working together across the Internet to solve some of the world's most intractable problems: analyzing possible cures for cancer or AIDS, scouting the universe for signs of life, or even cracking a code for prize money.

    The machines are ordinary PCs. Volunteers need only download a free screensaver to participate. The software program harnesses any leftover processing power, without interrupting a volunteer's normal activities, and diverts it to tackle some large computing problem. In this way, average citizens are helping scientists help the world.

    The projects have already managed to aid researchers in analyzing global climate changes and to find new prime numbers. They've also screened a series of compounds with the potential to render anthrax toxins harmless; that project, sponsored by Oxford University, United Devices, Microsoft and Intel, among others, was completed in just 24 days.

    But just as these "distributed computing" projects are beginning to yield results, new concerns about security have put many efforts in jeopardy.

    Since Sept. 11, companies large and small have begun stripping the software from machines out of fear they create an open channel to the Internet that could be exploited by terrorist hackers. Richard Chambers, the former inspector general at the Tennessee Valley Authority, America's largest public power company, and other government officials have declared the projects a risk to computer security and banned them from their systems. And in an unusual case that has riled up the high-tech community, a technician at the DeKalb Technical Institute, a public, two-year college in Clarkston, Ga., was charged by authorities with computer theft and trespass after installing such a program on several school machines.

    Tim Mullen, chief software architect for software firm AnchorIS.Com and a columnist for the SecurityFocus.com site, is among those who tell clients to remove those programs from their machines.

    "Unless you have people onboard who are going to do a code-level review for security on what's going in that screensaver, it's not worth the risk," he said.

    The companies that make such software — firms such as Fairfax-based Parabon Computation Inc. and United Devices Inc. in Austin — insist their products are safe. Indeed, in a testament to at least one of these systems, a well-known hacker-group-turned-security-consultancy @Stake l0pht has loaned out 86 PCs to work on a math puzzle called the Optimal Golomb ruler. A Golomb ruler is a special ruler where all marks have unique distances from each other with no duplications. These rulers can help determine positions of antenna in an array for a radio telescope, among other applications.

    Many of the researchers who have constructed the screensavers as largely academic projects brush aside possible risks as unimportant given the value they potentially bring to society.

    That includes the directors of SETI@Home, which analyzes data from a radiotelescope for signs of alien life and, with 3.5 million users, is probably the largest distributed computing project.

    In June of last year, when hackers gained access to its volunteer database and escaped with information about 50,000 users, the administrators said they would not rewrite the software to add more security because it is a nonprofit project without the time or resources to do so.

    David Anderson, the director of SETI@Home, said the screensaver itself has been bug-free for 2 1/2 years — hackers had gained access to the project's central servers. Still, he supports decisions by some administrators to remove the screensaver from their workers' machines for security reasons. For instance, "any computer that's connected with a nuclear power plant shouldn't be running any extra things," he said.

    The number of active users of the program has dropped off by a few tens of thousands since September. But Anderson attributes the decline mostly to congestion on the University of California at Berkeley network that his project runs on. As students trade a growing number of digital music and other electronic files, the resulting traffic is preventing SETI@Home from being able to communicate effectively with its network of computers because some messages are not getting through.
  2. javacool

    javacool BrightFort Moderator

    Feb 10, 2002
    I guess that ANY application that opens a port to the internet at ANY time can be exploited SOMEHOW (no matter HOW secure it is claimed to be) - but on non-mission-critical computers, I do believe the benefits from this sort of distributed computing (in areas like discovering a cure for cancer, etc.) can far outweigh the *potential* risks.

    Again, realistically, you would NOT want to run something like this on a computer controlling a nuclear power plant...but then again, why ANY application that could access the internet in ANY insecure way would be running on a computer controlling a nuclear power plant is beyond me...
  3. FanJ

    FanJ Guest

    Yep, such a computer should not be connected to the internet IMHO.

    UNICRON Technical Expert

    Feb 14, 2002
    Nanaimo BC Canada
    ditto on the powerplant pc.

    but people who think it is unsafe to run genome@home but then surf the net and receive email are "nanners"