RE: SETI@Home - Safe or Exploitable?

[Tim Donahue <TDonahue () haynesconstruction com>]

Last time I checked, SETI@home only downloads the raw data files, so the
exploit would probalby have to come from the program. I don't remember off
the top of my head, but I think that there is an automatic update function
that could be exploited in the same manner that Windows Update could
theoretically be exploited. (sending a trojaned, etc program through it)

Tim Donahue

> -----Original Message-----
> From: Trevor Cushen [mailto:Trevor.Cushen () sysnet ie] 
> Sent: Thursday, October 24, 2002 5:22 AM
> To: counterpol () shaw ca
> Cc: security-basics () securityfocus com
> Subject: RE: SETI@Home - Safe or Exploitable?
>
>
> I know that products like Ettercap can spoof DNS to trick a 
> workstation into going to one site when it wanted to go to 
> another.  If someone was to set this up knowing that your 
> workstation will want to go to Seti and then they direct them 
> to another site.  Could they trick your computer into 
> downloading files.  I think Seti might do MD5 checks on the 
> files but worth checking.  After that how would they get the 
> falsly downloaded files to run if they were executable???.  
> Purely a theory but I wonder????
>
> Trevor Cushen
> Sysnet Ltd
>
> www.sysnet.ie
> Tel: +353 1 2983000
> Fax: +353 1 2960499
>
>
>
> -----Original Message-----
> From: counterpol () shaw ca [mailto:counterpol () shaw ca] 
> Sent: 22 October 2002 19:55
> To: security-basics () securityfocus com
> Subject: Re: SETI@Home - Safe or Exploitable?
>
>
> In-Reply-To: 
> <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAt/2qR/Xdb06rl3
> cHeaFPJsKA
> AAAQAAAA8MAsuxLIM0Wec26NJ8lGagEAAAAA () gwstephens com>
>
>
>
> > Never gave this too strong a consideration until I read a 
> TechRepublic
>
> > article pondering the safety of running distributed 
> computing programs
>
> > on corporate computers.  While I discourage our employees from
>
> > installing personal software on company computers and I monitor our
>
> > workstations for unapproved installations, I do not want to be
>
> > completely dictatorial and allow some seemingly innocuous software to
> > be
>
> > installed once I satisfy my own security/licensing/stability issues.
>
> > Seti@Home is one such program.  While it is understandable that there
>
> > could be some concern caused by the use of this program because it
>
> > remotely sends and retrieves data for processing, I have 
> never heard of
>
> > SETI being exploited.  Any thoughts, opinions, or facts the community
>
> > would like to share would be appreciated.
>
>
>
> I don't run SETI@home but recall a couple of years ago that 
> there was once 
>
> reports of a vulnerability and exploit using SETI based on user 
>
> information in SETI files stored on the user's PC, I believe. See
http://www.arstechnica.com/archive/2001/0501-1.html. Another reference, 

http://seti.sentry.net/archive/public/1999/6-99/0195.html, asks a similar 

question but you will note no one answered it in the seti mail list.



Regards

counterpol



****************************************************************************
**********

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie

****************************************************************************
**********