Personal Preferences not setting.

Message boards : Number crunching : Personal Preferences not setting.

Profile KR Jones

Joined: 28 Oct 05
Posts: 15
Credit: 24,038
RAC: 0
Message 7482 - Posted: 24 Dec 2005, 6:03:58 UTC

I have it established in my personal preferences NOT to display the PCs running this BOINC project, yet in my personal profile, there they are.

What is the issue with that?

Please correct it so the proper server or setting is operating so when I run updates it corrects for this, else I will have to pull it off of my systems for security reasons.

Profile Tern
Joined: 25 Oct 05
Posts: 575
Credit: 4,581,013
RAC: 3,410
Message 7483 - Posted: 24 Dec 2005, 6:07:30 UTC
Last modified: 24 Dec 2005, 6:08:55 UTC

Rosetta@home member since 28 Oct 2005
Country United States
Total credit 2,609.19
Recent average credit 65.72
Team US Navy
Computers hidden
Message board posts 3
Profile View

The project doesn't hide them from you... only everybody else. Also, please click on my name and view my computers. The information that is public, even when you _don't_ hide them, is hardly a security risk, and is very helpful when debugging.


Profile River~~
Joined: 15 Dec 05
Posts: 761
Credit: 285,578
RAC: 0
Message 7525 - Posted: 24 Dec 2005, 15:02:03 UTC - in response to Message 7483.  
Last modified: 24 Dec 2005, 15:19:37 UTC

[oops. double post again - sorry]

Profile River~~
Joined: 15 Dec 05
Posts: 761
Credit: 285,578
RAC: 0
Message 7527 - Posted: 24 Dec 2005, 15:18:31 UTC - in response to Message 7525.  

...The project doesn't hide them from you... only everybody else...


If after looking at Bill's boxes you still have any doubt about this, you can also log out and go back and look at your own machines as a 'visitor'.

This is confusing to newcomers. I suggested some time ago that when computers are hidden the relevant fields are marked "hidden to others" on the user's webpage just to make this clear. I still think that would help, but can see that the good folks at BOINC have more pressing priorities.

I always wonder when I see a post like yours, how many others have left for that same reason, but without asking about it so without knowing that the system is more secure than it seems. Security matters to some users and it is no surprise that it matters to someone who's made a career in the navy.

So thanks for asking and not just walking out.


It is also a concern to me that the client exports the hostname & IP address at all, even if the website does not release it.

If you connect through a masquerading firewall the whole point is that nobody outside the firewall should be able to see your internal IP address. The fact that the webserver can reflect it back (rather than the masq'd address) means that at the very least the admins of the Rosetta webserver now know a machine address on your LAN. In my opinion this setting, or another new prefs setting, should optionally inhibit the client from exporting IP & hostname info at all. Where that option was in force boxes would be identified by their Rosetta host number alone.

Is this info transferred over https, or just over http? If the latter, then the admins of any box the IP packets pass through can sniff out this info as well. Not ideal if you want to keep details of the LAN away from the bad guys (whoever your own bad guys might be...)

River~~

Profile KR Jones
Joined: 28 Oct 05
Posts: 15
Credit: 24,038
RAC: 0
Message 7644 - Posted: 26 Dec 2005, 6:21:09 UTC - in response to Message 7483.  

[quote]Rosetta@home member since 28 Oct 2005
Country United States
Total credit 2,609.19
Recent average credit 65.72
Team US Navy
Computers hidden
Message board posts 3
Profile View

The risk is minimal and would require someone to fake or insert my number into traffic related to the particular BOINC or known lojical port while traffic is going back and forth, it's a long shot but I think it's possible so that is why I prefer to hide the numbers of my systems. Anyway, short story is that the numbers ARE hidden and I apologize for any ruckus I may have caused.

Profile KR Jones
Joined: 28 Oct 05
Posts: 15
Credit: 24,038
RAC: 0
Message 7645 - Posted: 26 Dec 2005, 6:22:50 UTC - in response to Message 7644.  

[quote][quote]Rosetta@home member since 28 Oct 2005
Country United States
Total credit 2,609.19
Recent average credit 65.72
Team US Navy
Computers hidden
Message board posts 3
Profile View

"known lojical port while traffic is going back and forth, "

OOPS - logical (it's almost 0130 EST)

Profile Paul D. Buck
Joined: 17 Sep 05
Posts: 815
Credit: 1,812,737
RAC: 0
Message 7647 - Posted: 26 Dec 2005, 7:44:17 UTC - in response to Message 7644.  

The risk is minimal and would require someone to fake or insert my number into traffic related to the particular BOINC or known lojical port while traffic is going back and forth, it's a long shot but I think it's possible so that is why I prefer to hide the numbers of my systems. Anyway, short story is that the numbers ARE hidden and I apologize for any ruckus I may have caused.

Not a ruckus. But, when you ask for help it is harder to give it with the systems hidden. Of course, you can unhide them when needed and then hide them again.

The risk is considered so small that the networking folks that do this for a living are not concerned and have never raised this as a possible security hole. Again, not a problem if you are concerned. :)

Feel free to look at mine ... :)

Profile Tern
Joined: 25 Oct 05
Posts: 575
Credit: 4,581,013
RAC: 3,410
Message 7671 - Posted: 26 Dec 2005, 19:17:04 UTC - in response to Message 7644.  

The risk is minimal and would require someone to fake or insert my number into traffic related to the particular BOINC or known logical port while traffic is going back and forth, it's a long shot but I think it's possible so that is why I prefer to hide the numbers of my systems.


Are you referring to the IP address? Or what "numbers of my systems"? If you have not looked at my computers to see what is visible to others, please do so. I think you are concerned about information being revealed that is _not_ visible to anyone but you, hidden or not.


Profile KR Jones
Joined: 28 Oct 05
Posts: 15
Credit: 24,038
RAC: 0
Message 7730 - Posted: 27 Dec 2005, 14:05:45 UTC - in response to Message 7671.  

The risk is minimal and would require someone to fake or insert my number into traffic related to the particular BOINC or known logical port while traffic is going back and forth, it's a long shot but I think it's possible so that is why I prefer to hide the numbers of my systems.


Are you referring to the IP address? Or what "numbers of my systems"? If you have not looked at my computers to see what is visible to others, please do so. I think you are concerned about information being revealed that is _not_ visible to anyone but you, hidden or not.



The numbers I refer to are the system numbers assigned by the BOINC program to ID each computer/host. If a packet can be "spoofed" the old-fashioned way, then I consider it possible that someone who can read the data in a disassembled datagram from a captured packet could insert a program sequence into a reassembled datagram. Reinsert it to a properly built packet with the proper Host ID number and the BOINC program could be susceptible to run the instruction.

Like I said slim but there you go. If the host ID is incorrect then the BOINC program will most likely ignore the datagram once it gets to the session/presentation layer.


Profile Tern
Joined: 25 Oct 05
Posts: 575
Credit: 4,581,013
RAC: 3,410
Message 7734 - Posted: 27 Dec 2005, 17:59:34 UTC - in response to Message 7730.  
Last modified: 27 Dec 2005, 17:59:53 UTC

The numbers I refer to are the system numbers assigned by the BOINC program to ID each computer/host.


Okay, I follow what you mean - I just don't buy it as a threat. To get a packet to your computer, someone would have to "hijack" the project's server so that when your host requested something, it would respond with this malware. In that instance, they would _have_ your host ID, as it's in the packet you sent.

BOINC just doesn't "listen" for packets with your host ID, it only receives them as a result of a request. To even send a packet "unrequested", someone would have to have _both_ your host ID _and_ your IP address, and even then I don't see how anything could happen, because nothing on your end would respond.

I'm not a networking or security expert, so I won't swear that you're wrong in your concerns... but there are many networking AND security experts on the various boards, and I've never heard anyone express any issues (other than if a server got taken over) about BOINC.

Regardless, showing or hiding your computers is your decision; the _negative_ to having them hidden is that it severely limits the information we can get to in order to help solve any problems you may have. As long as you're willing to do the research yourself when asked, that's fine.



(Don't panic - look at the source... :-) Just couldn't resist.)


Profile Paul D. Buck
Joined: 17 Sep 05
Posts: 815
Credit: 1,812,737
RAC: 0
Message 7736 - Posted: 27 Dec 2005, 18:04:40 UTC

I just wish you had picked one that honestly knew which browser I was using. I DON'T use IE as it thinks.

Profile Tern
Joined: 25 Oct 05
Posts: 575
Credit: 4,581,013
RAC: 3,410
Message 7738 - Posted: 27 Dec 2005, 18:11:35 UTC - in response to Message 7736.  
Last modified: 27 Dec 2005, 18:21:15 UTC

I just wish you had picked one that honestly knew which browser I was using. I DON'T use IE as it thinks.


Ah, but then with that info, _I_ can tell you what you're using... it's one of two. Safari with debug menu activated and "spoof as IE" set, or Firefox with "IE compatibility" turned on. :-)

That site just echoes whatever information your browser sends it or has stored locally; if your browser lies, it can't tell. :-)


Scribe
Joined: 2 Nov 05
Posts: 284
Credit: 157,359
RAC: 0
Message 7739 - Posted: 27 Dec 2005, 18:31:29 UTC - in response to Message 7736.  

.......I DON'T use IE as it thinks.


Should that be 'stinks'? ;-))

Profile Paul D. Buck
Joined: 17 Sep 05
Posts: 815
Credit: 1,812,737
RAC: 0
Message 7742 - Posted: 27 Dec 2005, 19:14:09 UTC

Well, I also think it stinks ... which is one reason I don't use it if possible.

And Bill, it is neither, Opera ...

Opera is the only one that does not seem to "hang" when editing the BOINC message boards. I don't know what was done to the software a few months ago, but, for some time now, Safari and Firefox both will post an edit and then "hang" for up to 5 minutes before they will reload a page from the site. It is not constant, but reasonably consistent, and annoying.

Scribe
Joined: 2 Nov 05
Posts: 284
Credit: 157,359
RAC: 0
Message 7746 - Posted: 27 Dec 2005, 20:35:23 UTC

I never have a 'hanging' problem on here with IE6.....:shrug

Profile River~~
Joined: 15 Dec 05
Posts: 761
Credit: 285,578
RAC: 0
Message 7760 - Posted: 27 Dec 2005, 22:20:29 UTC - in response to Message 7734.  

The numbers I refer to are the system numbers assigned by the BOINC program to ID each computer/host.


Okay, I follow what you mean - I just don't buy it as a threat. To get a packet to your computer, someone would have to "hijack" the project's server so that when your host requested something, it would respond with this malware.

The hijack is easy enough for anyone en route between the two boxes - it listens in to existing traffic, then in a later connection exploits what it has learnt by replacing some of the packets in the datastream.

Alternatively I hijack the connection by spoofing the DNS for bakerlab, so that anyone using the spoofed DNS comes to me instead, and I then forward all the packets to bakerlab, reading them as they go through. There are many strategies that can be used in these mitm (man-in-the-middle) attacks.

Where Bill is right is that if someone did that then they would already have access to the id number of your computer as it is sent in the outbound packet. To avoid that, every connection would have to be https or equivalent.

I still think the security risk (small tho it is) lies in releasing the internal IP addresses to anyone who does mount that man-in-the-middle attack. This info would not be used to attack boinc but to gain info to attack the firewall. It would potentially be found by sniffing all outgoing packets for text that looks like an IP address - the same way you'd find a credit card number during a Mitm attack.

River~~
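
The concern raised in this post and in Message 7527, that a client request can carry LAN addresses and host names past a masquerading firewall, can be checked from the defender's side. The following is an added example, not part of the original posts and not BOINC code: it audits a saved copy of your own outbound request for internal addresses and local host names. The sample request and its element names are constructed for illustration.

```python
import ipaddress
import re

# Ranges that should stay behind a masquerading (NAT) firewall: RFC 1918 plus link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Four dot-separated groups of 1-3 digits, not part of a longer dotted number.
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample, not a captured request; the element names are assumptions.
SAMPLE_REQUEST = """<scheduler_request>
  <hostid>123456</hostid>
  <core_client_version>5.2.13</core_client_version>
  <host_info>
    <domain_name>ops-desk-7</domain_name>
    <ip_addr>192.168.14.23</ip_addr>
  </host_info>
  <note>gateway 198.51.100.20, bogus 999.1.1.1, peer 10.0.0.5 and 192.168.14.23 again</note>
</scheduler_request>"""


def token_re(value):
    """Compile a pattern that matches value only as a whole token, ignoring case."""
    return re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])", re.IGNORECASE)


def find_internal_ips(payload):
    """Return internal IPv4 addresses found in payload, in order, without duplicates."""
    found = []
    for match in IPV4_RE.finditer(payload):
        try:
            addr = ipaddress.ip_address(match.group(0))
        except ValueError:  # looks like an address but is not one, e.g. 999.1.1.1
            continue
        if any(addr in net for net in INTERNAL_NETS) and str(addr) not in found:
            found.append(str(addr))
    return found


def audit(payload, local_names=()):
    """List (kind, value) disclosures: internal IPs, then any local host names present."""
    findings = [("internal_ip", ip) for ip in find_internal_ips(payload)]
    for name in local_names:
        if token_re(name).search(payload):
            findings.append(("hostname", name))
    return findings


def redact(payload, local_names=()):
    """Return a copy of payload with every finding replaced by a fixed marker."""
    for kind, value in audit(payload, local_names):
        payload = token_re(value).sub("[redacted-" + kind + "]", payload)
    return payload


if __name__ == "__main__":
    for kind, value in audit(SAMPLE_REQUEST, ["ops-desk-7"]):
        print(kind, value)
```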


Nothing But Idle Time
Joined: 28 Sep 05
Posts: 209
Credit: 139,545
RAC: 0
Message 7767 - Posted: 27 Dec 2005, 23:40:09 UTC - in response to Message 7760.  

The hijack is easy enough for anyone en route between the two boxes - it listens in to existing traffic, then in a later connection exploits what it has learnt by replacing some of the packets in the datastream.

Alternatively I hijack the connection by spoofing the DNS for bakerlab, so that anyone using the spoofed DNS comes to me instead, and I then forward all the packets to bakerlab, reading them as they go through. There are many strategies that can be used in these mitm (man-in-the-middle) attacks.

Where Bill is right is that if someone did that then they would already have access to the id number of your computer as it is sent in the outbound packet. To avoid that, every connection would have to be https or equivalent.

I still think the security risk (small tho it is) lies in releasing the internal IP addresses to anyone who does mount that man-in-the-middle attack. This info would not be used to attack boinc but to gain info to attack the firewall. It would potentially be found by sniffing all outgoing packets for text that looks like an IP address - the same way you'd find a credit card number during a Mitm attack.

River~~


You appear to know things you should not. What do you do in your spare time? Do you have a secret hobby perhaps?

Profile KR Jones
Joined: 28 Oct 05
Posts: 15
Credit: 24,038
RAC: 0
Message 7771 - Posted: 28 Dec 2005, 0:53:00 UTC - in response to Message 7734.  

The numbers I refer to are the system numbers assigned by the BOINC program to ID each computer/host.


Okay, I follow what you mean - I just don't buy it as a threat. To get a packet to your computer, someone would have to "hijack" the project's server so that when your host requested something, it would respond with this malware. In that instance, they would _have_ your host ID, as it's in the packet you sent.

BOINC just doesn't "listen" for packets with your host ID, it only receives them as a result of a request. To even send a packet "unrequested", someone would have to have _both_ your host ID _and_ your IP address, and even then I don't see how anything could happen, because nothing on your end would respond.

I'm not a networking or security expert, so I won't swear that you're wrong in your concerns... but there are many networking AND security experts on the various boards, and I've never heard anyone express any issues (other than if a server got taken over) about BOINC.

Regardless, showing or hiding your computers is your decision; the _negative_ to having them hidden is that it severely limits the information we can get to in order to help solve any problems you may have. As long as you're willing to do the research yourself when asked, that's fine.



(Don't panic - look at the source... :-) Just couldn't resist.)



Thanks for the look over, Zaphod. As was pointed out yes it's thin, but not impossible. BTW the IP address is that of the Gateway and not the Host, but that's what a good Admin does anyway.
God Bless.

Profile KR Jones
Joined: 28 Oct 05
Posts: 15
Credit: 24,038
RAC: 0
Message 7772 - Posted: 28 Dec 2005, 0:58:57 UTC - in response to Message 7767.  

The hijack is easy enough for anyone en route between the two boxes - it listens in to existing traffic, then in a later connection exploits what it has learnt by replacing some of the packets in the datastream.

Alternatively I hijack the connection by spoofing the DNS for bakerlab, so that anyone using the spoofed DNS comes to me instead, and I then forward all the packets to bakerlab, reading them as they go through. There are many strategies that can be used in these mitm (man-in-the-middle) attacks.

Where Bill is right is that if someone did that then they would already have access to the id number of your computer as it is sent in the outbound packet. To avoid that, every connection would have to be https or equivalent.

I still think the security risk (small tho it is) lies in releasing the internal IP addresses to anyone who does mount that man-in-the-middle attack. This info would not be used to attack boinc but to gain info to attack the firewall. It would potentially be found by sniffing all outgoing packets for text that looks like an IP address - the same way you'd find a credit card number during a Mitm attack.

River~~


You appear to know things you should not. What do you do in your spare time? Do you have a secret hobby perhaps?




In River's defense, in order to be a good Jedi "white hat", you sometimes have to go "grey" to know the ways of the Sith "black hat". LOL.

Profile River~~
Joined: 15 Dec 05
Posts: 761
Credit: 285,578
RAC: 0
Message 7807 - Posted: 28 Dec 2005, 11:38:09 UTC - in response to Message 7772.  


You appear to know things you should not. What do you do in your spare time? Do you have a secret hobby perhaps?


One of the things that has taken up most of my holiday is fighting off a denial of service attack on our local network - it comes from somewhere internal and haven't figured out yet if it is an honest mistake, a deliberate attack by an insider, or a take over of an insider's box by an outside attacker. Could easily be any of the three.

We have a network of ~100 computers in 80 different flats in six blocks of social housing in city centre, Manchester England, all on a LAN and with two different ADSL connections to get out. It is all done on a volunteer basis, some of the hubs are in flats where the power meter cuts off till the people buy more credit, etc etc.

And then there are the "co-operative" members who don't pay, get cut off, and try to figure out ways to keep their connections without paying. IP spoofing, MAC spoofing, and even running a long piece of cat5 into the wrong side of a router...

And the endless struggle to give people some peer to peer (because that is what *everyone* wants or they don't think it counts as an internet connection) but to apply traffic control to keep the bandwidth usable for everyone else.

But in the long distant past, in the days when Arpanet ended at Eik in Norway and before Internet Protocol was invented, I could get from Manchester England to most of the US universities - and before the days of routers you had to talk to each mainframe on the way and set up the next connection, and persuade the satlink at Eik to let you across the pond into Arpanet...

So let's just say it is a case of poacher turned gamekeeper ;-)


In River's defense, in order to be a good Jedi "white hat", you sometimes have to go "grey" to know the ways of the Sith "black hat". LOL.


or to have come back from the dark side ;-)
©2024 University of Washington
https://www.bakerlab.org