Team autofounding on new projects is a bug, not a feature

Message boards : Web interfaces : Team autofounding on new projects is a bug, not a feature
Message board moderation

To post messages, you must log in.

AuthorMessage
Profile Saenger
Avatar

Send message
Joined: 9 Nov 05
Posts: 123
Germany
Message 12512 - Posted: 15 Sep 2007, 13:13:22 UTC

The new TeamImport "feature" is a bug, as it creates accounts for founders in new projects, without any access for those founders to their accounts, the team info is unchangable for at least 2 month, if any of the new participants hits the founder transfer button, otherwise even longer, 2 month from the time a change is warranted.

There is no possibility to get the email address of the founder to the new project without a major break of data protection. So the "founder" in the teams, that are autocreated in new projects are not able to do anything, they can't even use the management functions themself.

This feature has to abolished, as it's not possible to implement without even minor data protection.

BOINCtrac ticket
Thread in NQueens
Thread in BOINCstats

Gruesse vom Saenger

For questions about Boinc look in the BOINC-Wiki
ID: 12512 · Report as offensive
[BOINCstats] Willy

Send message
Joined: 28 Jun 06
Posts: 12
Netherlands
Message 12513 - Posted: 15 Sep 2007, 13:58:44 UTC
Last modified: 15 Sep 2007, 13:59:16 UTC

I do not think this is a useless feature.

But I do think that along with creating the founder account, the email address of the founders account should be copied along with a random password generated passwd_hash.

This password with a link to the projects account home page can be send to the email address.

Also possible is copying passwd_hash as well, which makes it possible for the founder to log in with the password he entered on the teams page. That way a new project doesn't have to reveal itself prematurely to all team founders.


BOINCstats | BAM!
ID: 12513 · Report as offensive
Profile Saenger
Avatar

Send message
Joined: 9 Nov 05
Posts: 123
Germany
Message 12514 - Posted: 15 Sep 2007, 14:43:45 UTC - in response to Message 12513.  
Last modified: 15 Sep 2007, 14:44:45 UTC

I do not think this is a useless feature.

But I do think that along with creating the founder account, the email address of the founders account should be copied along with a random password generated passwd_hash.

This password with a link to the projects account home page can be send to the email address.

Also possible is copying passwd_hash as well, which makes it possible for the founder to log in with the password he entered on the teams page. That way a new project doesn't have to reveal itself prematurely to all team founders.

The problem is not revealing the project to the founders but revealing the confidential data of the founders (email address) to random project founders, i.e. possible spammers.

The email address of the founders must never be shared with some random project admins, that's a major break of security.

And as this is impossible, the founder has no chance to contact his new account, not even to delete it.
Gruesse vom Saenger

For questions about Boinc look in the BOINC-Wiki
ID: 12514 · Report as offensive
Profile Saenger
Avatar

Send message
Joined: 9 Nov 05
Posts: 123
Germany
Message 12516 - Posted: 15 Sep 2007, 18:18:22 UTC
Last modified: 15 Sep 2007, 18:18:45 UTC

I just learned, that the email addresses of the founders are accessible for everyone, in a nearly unprotected xml.
Imho this list has to be deleted asap. This is a serious breach of confidentiality. Who had the stupid idea to publicise a list of valid email addresses? I can't imagine how this can even be contemplated, let alone be implemented, it's so far off any serious behaviour.
Gruesse vom Saenger

For questions about Boinc look in the BOINC-Wiki
ID: 12516 · Report as offensive
Profile KSMarksPsych
Avatar

Send message
Joined: 30 Oct 05
Posts: 1239
United States
Message 12517 - Posted: 15 Sep 2007, 18:40:57 UTC - in response to Message 12516.  
Last modified: 15 Sep 2007, 18:41:16 UTC

I just learned, that the email addresses of the founders are accessible for everyone, in a nearly unprotected xml.
Imho this list has to be deleted asap. This is a serious breach of confidentiality. Who had the stupid idea to publicise a list of valid email addresses? I can't imagine how this can even be contemplated, let alone be implemented, it's so far off any serious behaviour.



http://boinc.berkeley.edu/teams/

That's the page in question.

It says on the page

Notes:

* The email address and team name you use on this site should never be changed (if you change them, you'll need to manually change them on every BOINC project in order for updates to work). Pick an email address that won't go away any time soon.
* The email address you use will be publicly visible in the download file. It's in a munged form, so spammers won't see it, but nonetheless you might want to not use your primary email address.
* In case of disputes over team names, whoever created the team first (on some BOINC project) has rights to it. Contact David Anderson to resolve such disputes.



It is an opt in, not an automatic thing. So if you're a team founder, you're not going to automatically find yourself on that list. If you're not comfortable with that, then don't opt in.


This is my personal opinion... I'd never use anything but a "throw away address" for BOINC. In fact, I have a bunch of throw away addresses that I use for various sites on the internet. My primary email is available only to family and friends.
Kathryn :o)
ID: 12517 · Report as offensive
Profile Saenger
Avatar

Send message
Joined: 9 Nov 05
Posts: 123
Germany
Message 12523 - Posted: 16 Sep 2007, 9:31:16 UTC

I just created an account for this new bug..eeehhh...feature, and could have created any team that's not already in there (and only 40 are in there currently). I tried BOINC@Heidelberg, because I know some of them and they have some ATAs, I probably would have succeeded if I had saved it, of course I didn't do it, I won't do such things, but as anyone can found any team here, where is the better security for the teams and their names?
Gruesse vom Saenger

For questions about Boinc look in the BOINC-Wiki
ID: 12523 · Report as offensive
ThEfT

Send message
Joined: 26 Apr 06
Posts: 2
Germany
Message 12524 - Posted: 16 Sep 2007, 9:43:27 UTC

There's definitely a problem with the "first load" and I'm sure David will have to fight a lot of disputes with that.
ID: 12524 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 12537 - Posted: 17 Sep 2007, 2:31:31 UTC - in response to Message 12517.  

* The email address you use will be publicly visible in the download file. It's in a munged form, so spammers won't see it, but nonetheless you might want to not use your primary email address.


It is an opt in, not an automatic thing. So if you're a team founder, you're not going to automatically find yourself on that list. If you're not comfortable with that, then don't opt in.


But the initial list was made from already-existing teams, I guess from SETI database. None of those teams' founders read the "rules" saying the email addresses would be there, yet they are there. They didn't opt-in.

In any case, this is yet another made-in-a-rush-without-thinking BOINC feature. (Simple view is another; every single user I have "recruited" into BOINC said it looked ugly and confusing)
ID: 12537 · Report as offensive
Profile KSMarksPsych
Avatar

Send message
Joined: 30 Oct 05
Posts: 1239
United States
Message 12541 - Posted: 17 Sep 2007, 3:23:35 UTC - in response to Message 12537.  

But the initial list was made from already-existing teams, I guess from SETI database. None of those teams' founders read the "rules" saying the email addresses would be there, yet they are there. They didn't opt-in.


AFAIK, TFFE isn't on the list. I need to get in touch with Keith about it though.

Regardless, there are like 40 teams on the list (or so I've heard). There are a whole lot more than 40 teams at Seti. I highly doubt the list was taken from Seti.
Kathryn :o)
ID: 12541 · Report as offensive
[BOINCstats] Willy

Send message
Joined: 28 Jun 06
Posts: 12
Netherlands
Message 12544 - Posted: 17 Sep 2007, 5:10:39 UTC

Speaking for myself I really want this feature to succeed. There are a number of projects where I'm not the founder of my team and it remains to be seen if I ever get foundership of these teams.

As with this feature, anyone can create a team with the name of one of the big teams in new projects, and later change it to team NeverHeardOfBeforeAndGoneAreYourCredits.

So, when choosing out of two bad options, I choose this new feature.

BTW: I did put BOINCstats on the list myself.


BOINCstats | BAM!
ID: 12544 · Report as offensive
Profile KSMarksPsych
Avatar

Send message
Joined: 30 Oct 05
Posts: 1239
United States
Message 12547 - Posted: 17 Sep 2007, 5:36:49 UTC - in response to Message 12544.  

BTW: I did put BOINCstats on the list myself.


Thanks for that information.

Kathryn :o)
ID: 12547 · Report as offensive
zombie67
Avatar

Send message
Joined: 14 Feb 06
Posts: 136
United States
Message 12555 - Posted: 17 Sep 2007, 9:40:25 UTC

My team (in the top 30) "founder" was pulled from SETI@home, as far as I can tell. He has only "SETI Classic" credits. I can't find him anywhere in BOINCstats. Now this person will be made the founder for all new projects? And now we have to go through the 2 month waiting period for every new project?
Reno, NV
Team: SETI.USA
ID: 12555 · Report as offensive
zombie67
Avatar

Send message
Joined: 14 Feb 06
Posts: 136
United States
Message 12556 - Posted: 17 Sep 2007, 9:46:13 UTC - in response to Message 12544.  

Speaking for myself I really want this feature to succeed. There are a number of projects where I'm not the founder of my team and it remains to be seen if I ever get foundership of these teams.

That's not a tech problem, right? It sounds like a political problem. If the founder is gone, just use the initiate transfer protocol. Or am I missing something?
Reno, NV
Team: SETI.USA
ID: 12556 · Report as offensive
[BOINCstats] Willy

Send message
Joined: 28 Jun 06
Posts: 12
Netherlands
Message 12564 - Posted: 17 Sep 2007, 17:21:48 UTC - in response to Message 12556.  
Last modified: 17 Sep 2007, 17:23:50 UTC

Speaking for myself I really want this feature to succeed. There are a number of projects where I'm not the founder of my team and it remains to be seen if I ever get foundership of these teams.

That's not a tech problem, right? It sounds like a political problem. If the founder is gone, just use the initiate transfer protocol. Or am I missing something?


The problem is that somebody who got an account before me at those projects created the team, and didn't transfer the founder to me. When this feature works, I (the "true" founder) will be the founder of "my" team in all projects, the way it should be.

Now how cool would it be for a almost non-existent team to claim "SETI.Germany" or "SETI.USA" in a new project. Just wait for the members to join, get a shitload of credit, then change to name to the almost non-existent team name.

That's what this feature should prevent.

Almost forgot: if you don't want to, don't use this feature, then what is the harm that others do?


BOINCstats | BAM!
ID: 12564 · Report as offensive
zombie67
Avatar

Send message
Joined: 14 Feb 06
Posts: 136
United States
Message 12726 - Posted: 24 Sep 2007, 21:53:35 UTC

So we went ahead with this feature anyway, I see.

http://boinc.berkeley.edu/all_news.php#228
Reno, NV
Team: SETI.USA
ID: 12726 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 12727 - Posted: 24 Sep 2007, 22:27:55 UTC - in response to Message 12726.  

So we went ahead with this feature anyway, I see.

http://boinc.berkeley.edu/all_news.php#228

It was added to the team page on projects too: team_manage.php changeset 13644.

I gotta make sure the change doesn't reach imp@home when I upgrade... (although I'm not running team_import anyway).
ID: 12727 · Report as offensive
zombie67
Avatar

Send message
Joined: 14 Feb 06
Posts: 136
United States
Message 12728 - Posted: 24 Sep 2007, 22:51:20 UTC
Last modified: 24 Sep 2007, 23:10:42 UTC

Help me understand. Lets say that for team X, person A is the founder at project 1, and person B is the founder at project 2. Then person C goes to http://boinc.berkeley.edu/teams/, and creates team X, with himself as the founder. Will person C then be automatically made the founder at projects 1 and 2?

Edit: Follow-up questions: A new project (3) is created. It is an invitation-only project, allowing only some people to join. Person C is not allowed to join. How is C supposed to manage the team at project 3? What is to prevent some other person at project 3, from initiating transfer, waiting 2 months, and taking over the team?
Reno, NV
Team: SETI.USA
ID: 12728 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 12729 - Posted: 24 Sep 2007, 22:57:51 UTC - in response to Message 12728.  

Help me understand. Lets say that for team X, person A is the founder at project 1, and person B is the founder at project 2. Then person C goes to http://boinc.berkeley.edu/teams/, and creates team X, with himself as the founder. Will person C then be automatically made the founder at projects 1 and 2?

I have no idea (and I wonder if the devs do)
ID: 12729 · Report as offensive
[BOINCstats] Willy

Send message
Joined: 28 Jun 06
Posts: 12
Netherlands
Message 12740 - Posted: 25 Sep 2007, 20:40:39 UTC - in response to Message 12728.  

Help me understand. Lets say that for team X, person A is the founder at project 1, and person B is the founder at project 2. Then person C goes to http://boinc.berkeley.edu/teams/, and creates team X, with himself as the founder. Will person C then be automatically made the founder at projects 1 and 2?

No, this only work with (new) projects where the admin manually runs a script that imports the teams.

Edit: Follow-up questions: A new project (3) is created. It is an invitation-only project, allowing only some people to join. Person C is not allowed to join. How is C supposed to manage the team at project 3? What is to prevent some other person at project 3, from initiating transfer, waiting 2 months, and taking over the team?

This I don't know.





BOINCstats | BAM!
ID: 12740 · Report as offensive

Message boards : Web interfaces : Team autofounding on new projects is a bug, not a feature

Copyright © 2021 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.