[rc5] V3 Questions and Concerns

Chris Arguin Chris.Arguin at unh.edu
Fri Oct 24 13:29:54 EDT 1997


One of the nicer features that will apparently be in V3 is the ability to
pick and choose your project. Supposedly, this is all doable using the
same client. That implies that the client downloads the code necessary for
that project at startup. If not, then the rest of this message is wrong,
and I would like to know how this is handled.

That being the case, we are then downloading and executing programs in an
unsupervised fashion. Now, I know that there is relatively little risk.
Someone would either have to subvert one of the proxies (of which there
are only a few, well-known ones), or interrupt the program-transfer
mid-stream to send their own, potentially malicious program. Even so, as
long as the client doesn't require root access (and it shouldn't), most
OSes will be relatively protected.

But it would be horrible for distributed.net to go down because one idiot
scared everyone away. Maybe the developers have already realized and
covered this issue. But I did want to bring it up just in case. Besides,
not all users realize how unlikely this is, and all it would take is
somebody posting a message about it to make some users worry (like this
message, for instance :( ).

To solve this issue, we get into all sorts of the traditional problems
involved with secure communications. Probably the simplest thing is to
sign the program with a PGP key, that the client then can verify
before running said program.

I don't really know for sure how to best handle this, and maybe it's even
less of a problem than I think it is, but we should prepare for the
future, in which distributed.net is much larger, and not all the users are
so nice :)

--
Chris Arguin                 | "...All we had were Zeros and Ones -- And 
Chris.Arguin at unh.edu         |  sometimes we didn't even have Ones."
                             +--------------+	- Dilbert, by Scott Adams
http://leonardo.sr.unh.edu/arguin/home.html |


----
To unsubscribe, send email to majordomo at llamas.net with 'unsubscribe rc5' in the body.



More information about the rc5 mailing list