[RC5] newbie question
mgarriss at earthlink.net
Sat Aug 23 10:30:37 EDT 2003
Bruce Wilson wrote:
>Regarding the security issues, bovine has an in-depth discussion of
>why security is so complicated for distributed projects at
Thanks for the link. Interesting reading to say the least.
>In short, there is a key difference between the SSH model and the
>distributed computing model.
>With SSH, you and another trusted party are trying to communicate
>without others intercepting, injecting, interrupting or impersonating
>one of the parties. Both parties have a motive to keep the connection
>as clean as possible. If either party chooses to then forward the
>data to another person, that capability is already there. Modifying
>the source code to introduce weaknesses or add forged packets would
>not benefit either party.
I was trying to say (rather poorly) that an open source project can keep
more secure in the long run than a closed source project. I think this
is mostly a result of the fact that when a security hole is found, a
much larger number of people can work on it. Also holes are found more
quickly. Although it seems anti-intuitive at times, this model has made
SSH a very good/secure project. I did not mean to imply that the actual
security models of Dnet (and indeed, as you point out, distributed
computing in general) and SSH match.
>In the distributed computing realm, we are faced with the reality of
>untrusted participants (they're out there) who would want to send back
>forged work. If we release the source code to the
>networking/transport-crypto portions of our client, these people could
>generate packets with a false "found it" flag on RC5 projects as a
>denial of service, or just pump up their stats by sending back packets
>as finished without doing the work. Adding a public/private key to
>the client confers no extra protection, as every participant would
>still need the public key, so forged clients could use the same key.
>As I mentioned, bovine discusses this fully in the link above.
Now I see the unique problems that distributed computing presents.
These problems however are not what I'm worried about (although I would
like to see the 'false' reporters go away for sure). Any code that
actively runs on the client machine and is open to receiving data from a
server (making the client a type of server in a way) is vulnerable to
attack. The number of people using these systems is small (relative
to, say, Outlook users) and what they are doing is considered 'cool'
among the hacker community so they/we are safe but one day someone in
the distributed community is going to upset one of those basement trolls
and the game will be on. Those trolls are VERY crafty.
>I can't speak for the other projects, but we are very open to
>supporting additional platforms (as evidenced by our already broad
>platform support). All we need is someone who has access to such a
>system so we can compile, test and optimize the client appropriately.
>Bruce Wilson <bwilson at distributed.net>
>PGP KeyID: 5430B995, http://www.toomuchblue.com/
>"I want to move to Theory. Everything works in Theory."
> --John Cash, id Software
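Added example, not part of the original message and not distributed.net code: a sketch of the point quoted above that a key shipped in every client cannot tell honest results from forged ones. The report format, function names and key are hypothetical, and an HMAC key stands in for whatever key material the client would carry.

```python
import hashlib
import hmac
import json

# Constructed key: stands in for whatever key material ships inside every client.
CLIENT_EMBEDDED_KEY = b"constructed-demo-key-shipped-in-every-client"

def seal(report: dict, key: bytes) -> dict:
    """Client side: serialize a work report and tag it with the given key."""
    body = json.dumps(report, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}

def server_accepts(packet: dict, key: bytes) -> bool:
    """Server side: a valid tag proves possession of the key, nothing more."""
    expected = hmac.new(key, packet["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, packet["tag"])

def honest_client(block_id: int) -> dict:
    # Hypothetical report format; a real client would search the block first.
    return seal({"block": block_id, "done": True, "found": False},
                CLIENT_EMBEDDED_KEY)

def modified_client(block_id: int) -> dict:
    # Same embedded key, no work performed, false "found it" flag set.
    return seal({"block": block_id, "done": True, "found": True},
                CLIENT_EMBEDDED_KEY)

def outsider_without_key(block_id: int) -> dict:
    # Someone who never held the client key is the only party the tag stops.
    return seal({"block": block_id, "done": True, "found": True},
                b"constructed-wrong-key")

def demo() -> dict:
    """Return the server's verdict for each kind of sender."""
    return {
        "honest": server_accepts(honest_client(7), CLIENT_EMBEDDED_KEY),
        "modified": server_accepts(modified_client(7), CLIENT_EMBEDDED_KEY),
        "outsider": server_accepts(outsider_without_key(7), CLIENT_EMBEDDED_KEY),
    }

if __name__ == "__main__":
    print(demo())
```

The server's check passes for both the honest and the modified client, so the tag authenticates the key holder rather than the work.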