Ryan Dumperth woodie at indy.net
Wed Nov 19 21:32:36 EST 1997

Tim Charron wrote:
>Actually, there is a mechanism in the client that will allow it to
>know when the contest is over.  A change will be written to the ini
>file.  When the client is started, it will see this and immediately
>exit.  No, it doesn't remove & delete itself, but it's better than
>continuing to run blindly.

I hope everyone makes the connection between this feature and the lack of
full source availability. If someone wanted to do serious harm to
distributed.net, knowing what to tell the clients to turn themselves off,
and mucking with DNS would allow someone to act as rc5proxy.distributed.net
and turn off every client that queried it. Even if it only went on for
twelve hours, many thousands of clients could be knocked out.

I certainly don't think this attack is easy, nor is it at all likely. But
distributed.net is getting very large, and people know about us. Our IRC
channel was taken over. Our servers are attacked off and on by people
trying to spam blocks either for their team's benefit, or to disrupt our
progress. If everyone could find out how to kill the clients, someone would
surely try. Decency and common sense are usually at odds with human nature,
as this list so effectively demonstrates.

Such an attack should be impossible with V3 as any such command would be
signed in a cryptographically strong manner, such that the client would
only recognize that or any other command when it was issued by a certified
authority. Spoofing would have no benefit, as the attacker would still be
unable to properly authenticate the command.

I'm not trying to start another source thread; this client feature is
simply a very compelling reason for the current V2 policy. The threat is
certainly more compelling than any offsetting benefit gained by having
blocks from the few people who refuse to run precompiled software on their
machines. While Unix in all its incarnations is more widely known among
d.net participants, and among nettish people in general, the fact remains
that it is *not* the norm. Most people, including the majority of people
running the RC5 client, have no idea what "compiling" even means. V3 source
will be available not so much to satisfy the paranoid among us as to
satisfy those who wish to utilize the protocol for their own purposes, or
to get other public projects going.

Hooray for the return of the stats, etc.
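
The V3 behaviour described in the message above (a client that honours a shutdown command only when it is signed by a trusted authority), sketched as an added example that is not part of the original post and is not distributed.net code. The `Command` format, the contest labels and the choice of Ed25519 are assumptions; the post does not say how V3 signs commands.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Command is a hypothetical control message relayed to clients by a proxy.
type Command struct {
	Contest, Action string
	Sig             []byte // Ed25519 signature made with the authority's private key
}

// signedBytes binds the action to one contest, so an old command cannot be replayed later.
func signedBytes(contest, action string) []byte {
	return []byte(contest + "\x00" + action)
}

// Sign is run only by the authority; proxies and clients never hold priv.
func Sign(priv ed25519.PrivateKey, contest, action string) Command {
	return Command{contest, action, ed25519.Sign(priv, signedBytes(contest, action))}
}

// Client ships with the authority's public key pinned; it trusts no proxy or DNS answer.
type Client struct {
	Authority ed25519.PublicKey
	Contest   string
	Stopped   bool
}

// Handle acts on a command only if the pinned key verifies it for this contest.
func (c *Client) Handle(cmd Command) error {
	if !ed25519.Verify(c.Authority, signedBytes(cmd.Contest, cmd.Action), cmd.Sig) {
		return fmt.Errorf("bad signature: command ignored")
	}
	if cmd.Contest != c.Contest {
		return fmt.Errorf("command is for another contest: ignored")
	}
	c.Stopped = c.Stopped || cmd.Action == "contest-over"
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, rogue, _ := ed25519.GenerateKey(nil)  // constructed: key held by a spoofed proxy
	c := &Client{Authority: pub, Contest: "rc5-64"} // constructed contest label
	fmt.Println(c.Handle(Sign(rogue, "rc5-64", "contest-over")), c.Handle(Sign(priv, "rc5-64", "contest-over")))
}
```

Because the client checks the signature against a key it already carries, answering as the proxy after tampering with DNS gains nothing: only the holder of the private key can produce a command the client will act on.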


