Vulnerability Development mailing list archives
Re: distributed.net and seti@home
From: sarnold () WILLAMETTE EDU (Seth R Arnold)
Date: Sat, 29 Jan 2000 02:14:58 -0800
Robert, (and list :) -- with distributed.net and seti@home, I am not so concerned with open ports -- the client goes to the trouble of downloading input data all on its own, so an open port would be superfluous. (sp?) I am thinking more along the lines of a buffer overflow, or "u17r4-s3cr3t-31337-b@ckd00r", or something like that. My personal guess is both distributed.net and seti@home are secure enough for most everyone's purposes. But, that is a guess, and I haven't seen anyone try to see if there is a way to get either of them to execute code through malformed (or perfectly-formed :) data downloads. It would make me feel a lot better if someone out there (whitehat :) would take the trouble to try to find holes to be exploited -- because I know of a LOT of machines that could be compromised in extremely vulnerable positions -- all with the blessings of system administrators trying to be politically active or just hoping to find aliens. :) Wouldn't it be annoying to wake up one day to find your whole organization has been 0wned as a result of running rc5 from distributed.net? I am not saying it would be easy, or even practical, but it might be worth checking into. :) Thanks On Sat, Jan 29, 2000 at 01:21:09AM -0500, Robert Wojciechowski Jr. wrote:
----- Original Message ----- From: Seth R Arnold [SMTP:sarnold () WILLAMETTE EDU] Reply To: Seth R Arnold [SMTP:sarnold () WILLAMETTE EDU] Sent: Friday, January 28, 2000, 21:41:04 To: VULN-DEV () SECURITYFOCUS COM Subject: distributed.net and seti@home Hello. I have seen many reports of insecurities of ICQ, and while this is A Good Thing, a program that would likely be in use on more computers is distributed.net's rc5 (or other) programs, or seti@home's client. They are often installed by default on server farms, lab machines, as well as countless home machines. Has anyone taken a close look at these programs? I sure haven't. It might be a good thing to check on... :) ----- End Of Original Message -----Seth, I think that programs such as the distributed.net and seti@home clients don't have open ports, they just contact the servers when they need more blocks to process, and send blocks to the servers when complete. I haven't checked myself if there are open ports (someone can find this out easily by viewing what ports are open on their computer in listen mode), but I doubt there are. Anyone care to check? Robert S. Wojciechowski Jr. robertw () wojo com
-- Seth Arnold | http://www.willamette.edu/~sarnold/ Hate spam? See http://maps.vix.com/rbl/ for help Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
Current thread:
- distributed.net and seti@home Seth R Arnold (Jan 28)
- Re: distributed.net and seti@home Justin Lintz (Jan 28)
- Re: distributed.net and seti@home CyberPsychotic (Jan 30)
- <Possible follow-ups>
- Re: distributed.net and seti@home Robert Wojciechowski Jr. (Jan 28)
- Re: distributed.net and seti@home Seth R Arnold (Jan 29)
- Re: distributed.net and seti@home Robert Wojciechowski Jr. (Jan 29)
- Re: distributed.net and seti@home Blue Boar (Jan 30)
- Re: distributed.net and seti@home Shashi Dookhee (Jan 30)
- Re: distributed.net and seti@home Matthew Pemble (Jan 30)
- Re: distributed.net and seti@home hypnos (Jan 30)
- Oracle liberal world (Jan 30)
- Re: distributed.net and seti@home Bryce Walter (Jan 30)