[RC5] newbie question

mgarriss mgarriss at earthlink.net
Sat Aug 23 10:30:37 EDT 2003


Bruce Wilson wrote:

>Regarding the security issues, bovine has an in depth discussion of
>why security is so complicated for distributed projects at
>http://www.distributed.net/source/specs/opcodeauth.html.
>
Thanks for the link.  Interesting reading to say the least.

>In short, there is a key difference between the SSH model and the
>distributed computing model.
>
>With SSH, you and another trusted party are trying to communicate
>without others intercepting, injecting, interrupting or impersonating
>one of the parties.  Both parties have a motive to keep the connection
>as clean as possible.  If either party chooses to then forward the
>data to another person, that capability is already there.  Modifying
>the source code to introduce weaknesses or add forged packets would
>not benefit either party.
>

I was trying to say (rather poorly) that an open source project can keep 
more secure in the long run then a closed source project.  I think this 
is mostly a result of the fact that when a security hole is found, a 
much larger number of people can work on it.  Also holes are found more 
quickly.  Although it seems anti-intuitive at times, this model has made 
SHH a very good/secure project.  I did not mean to imply that the actual 
security models of Dnet (and indeed, as you point out, distributed 
computing in general) and SHH match.

>In the distributed computing realm, we are faced with the reality of
>untrusted participants (they're out there) who would want to send back
>forged work.  If we release the source code to the
>networking/transport-crypto portions of our client, these people could
>generate packets with a false "found it" flag on RC5 projects as a
>denial of service, or just pump up their stats by sending back packets
>as finished without doing the work.  Adding a public/private key to
>the client confers no extra protection, as every participant would
>still need the public key, so forged clients could use the same key.
>As I mentioned, bovine discuss this fully in the link above.
>

Now I  see the unique problems that distributed computing presents.  
These problems however are not what I'm worried about (although I would 
like to see the 'false' reporters go away for sure).   Any code that 
actively runs on the client machine and is open to receiving data from a 
server (making the client a type of server in a way) is vulnerable to 
attack.  The number of people using these systems are small (relative 
to, say, Outlook users) and what they are doing is considered 'cool' 
among the hacker community so they/we are safe but one day someone in 
the distributed community is going to upset one of those basement trolls 
and the game will be on.  Those trolls are VERY crafty.

>I can't speak for the other projects, but we are very open to
>supporting additional platforms (as evidenced by our already broad
>platform support).  All we need is someone who has access to such a
>system so we can compile, test and optimize the client appropriately.
>
>
>__
>Bruce Wilson <bwilson at distributed.net>
>PGP KeyID: 5430B995, http://www.toomuchblue.com/ 
>
>"I want to move to Theory. Everything works in Theory."
>    --John Cash, id Software
>
>_______________________________________________
>rc5 mailing list
>rc5 at lists.distributed.net
>http://lists.distributed.net/mailman/listinfo/rc5
>
>  
>




More information about the rc5 mailing list