Is there a significant chance of misuse of the BOINC system?

mhsquire83

Joined: 31 Jul 18
Posts: 1
United States
Message 87390 - Posted: 31 Jul 2018, 12:19:28 UTC

Cracking passwords or getting roped into a botnet, for instance.

I was logging into my BOINC account manager and noticed that two of my three hosts were not reporting any credits since they were added to the manager. I think this is probably just a configuration issue. Then I put on my tin foil hat and thought about what the possibilities for an attack on the clients might be.

First one seemed unlikely. The idea that a project was actually a front for some nefarious work. Password cracking, Bitcoin mining or DDoS. I doubt that this would happen centrally because we can generally trust the institutions that are behind BOINC. Also, it wouldn't explain why I am not getting my credit on my two hosts; why wouldn't you get credit for fake work in this instance?

Second one seemed more plausible albeit trickier to pull off. One could hack the client, post it to the website, and insert themselves as a proxy. This would explain why my host reports to the BAM! service but then never gets credit for what it works on. This is because the projects never send actual work to my client, as it's intercepted and fake work is given to my client instead. The work was rejected so the project server never updates my points.

What security measures are in place to prevent this?

When I upgrade a client I have to download it every time for Mac and Windows (the two problem hosts that I have). This means that I have to at least verify the checksum. Except... there is no checksum to verify...

Here is another question: when the client requests work from a server, does it have some way to verify who it's talking to? This could be another issue as the BOINC network could be hacked in some scheme to siphon off work units from compromised servers.

As black helicopters swirled about in my head I thought about who I could trust. Certainly not myself, as I apparently will install anything on a Windows or Mac machine without verifying the SHA256. So, can we implement this, you know, for world peace and stability? It's entirely my fault for not building from original sources after carefully examining each line of code.

Is there some other non-standard security that I am missing because I haven't looked at the client code? The only host that is returning any results is my Linux server and I am pretty sure that was built from original sources and at least is a verified download.
ID: 87390


Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.