Boinc distro computing, how is this secure?

[unit321]

According to seti@home (setiathome.berkeley.edu) they are switching to the boinc client/platform. Boinc is a distributed app, which allows you to participate in several projects at once, although i cant connect. One of the reasons seti is switching is it says it is more secure... i dont understand this. Some code is open source, allowing for viruses to spread, bogus versions will be distributed, and its new. Its definetley going to havesecurity failures just like the classic client. The problem is, since ALL the boinc servers run the same BOINC software, if one exploit is discovered the (soon to be) massive web of them are all vulnerable. SETI@home just got DOSed according to zone-h. Now usually DOSing is because people are pissed, or theres a lawsuit or something, the motive seems to be lacking here. Did the aliens do it?
Alien1: Hey man, there gonna find us...
Alien2: Well, maybe we should dos them..
Alien1: What?
Alien1: ouch!
Maybe SCO and microsoft were for good reasons. Also, the BOINC client had more options than the seti client, enabling MORE ways to attack the server.
I would like some opinions on this/these matters. (also, what projects are running, i only know of scripps and seti (for boinc))

[CXGJarrod]

Its definetley going to havesecurity failures just like the classic client.

I do some DC projects. (Mainly D20L and Seti Classic) I think that it will be a good thing to be able to run more than one project using one program. Seti @ Home has been reasonably secure in the past (with only one or two real security problems). The main thing is that all the programs are programmed to do is process a small amount of data with your processor and then return it. I dont see a huge potential to do that much harm. It might not be for your corporate network, but it should be fine at home.

SETI@home just got DOSed according to zone-h.

Anyone can DOS the seti website with a couple thousand zombie computers, so I dont see how this makes the client insecure.

Edit:

One of the reasons seti is switching is it says it is more secure...

Yes, it is supposively more private and secure. They can also have you process a lot more data with the new client.

[unit321]

Im not saying this is a bad thing persay. It might not be for your corporate network, but it should be fine at home. Im not talking about the security of the application, im talking about the security of the BOINC servers. The same code is used on all of them, one worm could bring them all down, one bug, etc. etc. etc. I dont think the DOS vuln makes it insecure, im just wondering why they picked seti and not microsoft, or other sites, because they usually have a purpose. Yes, it is supposively more private and secure. They can also have you process a lot more data with the new client. , thats like saying linux is more secure, its very suggesttive, most viruses attack microsoft because most ppl use windows, if everybody used linux, it would be hell. Linux is open source like boinc and since you can mod the kernel, system hijacking would be a HUGE problem. The fact that its open source enables everybody and their mother to find holes. Im not saying linux is insecure, but it would be if we all ran it. In this way, boinc secuity may end up bieng a huge problem, however, i think boinc is a great idea, i wish dnet, fightaids, grid etc. would switch to it, DNET is hogging my processor,grrrr.... thanks for the response. Any other opinions?

[CXGJarrod]

Originally posted here by unit321
thats like saying linux is more secure, its very suggesttive, most viruses attack microsoft because most ppl use windows, if everybody used linux, it would be hell. Linux is open source like boinc and since you can mod the kernel, system hijacking would be a HUGE problem. The fact that its open source enables everybody and their mother to find holes. Im not saying linux is insecure, but it would be if we all ran it. In this way, boinc secuity may end up bieng a huge problem, however, i think boinc is a great idea, i wish dnet, fightaids, grid etc. would switch to it, DNET is hogging my processor,grrrr.... thanks for the response. Any other opinions?

I never said it was secure, (and I would not know unless I looked at the code myself) however Berkeley has had a decent record of staying online. As far as motives for the person DOS'ing the site. It could be as easy as some lamer who got an account banned trying to retaliate.

[Und3ertak3r]

I think Berkley has more problems with BOINC than just plain ol security..
If their servers can keep running for more than a couple of hours per week best I have seen, since the System went live, is 6 hours in one day.
And based on their history I would be worried about malware getting into the main serevrs.. The system had a drive problem and their most recent backup was about a month old.. If basics like bakups are not taken care of then what about more important things..

As for the user or the Client Application.. When I had 20 machines running the beta versions, i ran scans against some of the boxes.. No external holes were discovered.. then I turned the FIREWALL off and the only holes in the Windows machines were those that were not PATCHED, Which dosen't suprise me as the BOINC Client isn't listening on any ports, and only opens a port when it needs to report back or d/l new WU's .

The point is.. Boinc is as secure as the Admins at Berkley. And for the client application.. if it isn't listening, the box is as secure as how the user has made it.. I can see ppl using BOINC Client as a avenue of attack on the user machine and the BOINC Server, but they would be using Social engineering, phishing etc ..ie user vullnerabilities to carry this out..

BOINC is a nice idea, the software seems good.. the Administraters are IDIOTS..

[Tiger Shark]

the Administraters are IDIOTS..

Undies: is this the first time you came across this phenomenon in any aspect of computing?

I don't participate in SETI but I would suggest that the admins focus is more on the results than the potential detrimental effects on the client they are "using"...... Which is a large part of the reason I don't participate..... I can't really trust it....