Does your computer BOINC?

Super cool!

Interesting but I wonder if you might be introducing some security concerns as what you are doing in effect is joining a bot net or so I would think.

Therefore you are kind of hoping that the project people know what they are doing so bad guys can not used this net for their own reasons.

A very fast google search indicate that my question concerning the security of computers running such programs seem to have some foundation.

Here is just one of many articles on this subject.
---------------------------------------------------------------------------------

http://boinc.berkeley.edu/trac/wiki/SecurityIssues

Security issues in volunteer computing
Many types of attacks are possible in volunteer computing.

Result falsification. Attackers return incorrect results.
Credit falsification. Attackers return results claiming more CPU time than was actually used.
Malicious executable distribution. Attackers break into a BOINC server and, by modifying the database and files, attempt to distribute their own executable (e.g. a virus program) disguised as a BOINC application.
Overrun of data server. Attackers repeatedly send large files to BOINC data servers, filling up their disks and rendering them unusable.
Theft of participant account information by server attack. Attackers break into a BOINC server and steal email addresses and other account information.
Theft of participant account information by network attack. Attackers exploit the BOINC network protocols to steal account information.
Theft of project files. Attackers steal input and/or output files.
Intentional abuse of participant hosts by projects. A project intentionally releases an application that abuses participant hosts, e.g. by stealing sensitive information stored in files.
Accidental abuse of participant hosts by projects. A project releases an application that unintentionally abuses participant hosts, e.g. deleting files or causing crashes.
BOINC provides mechanisms to reduce the likelihood of some of these attacks.

Result and credit falsification
These can be reduced using replication or other result validation methods.

Malicious executable distribution
BOINC uses code signing to prevent this. Even if attackers break into a project's BOINC server, they will not be able to cause clients to accept a false code file.

Denial of server attacks on data servers
BOINC provides an optional mechanism, upload certificates, to prevent data server attacks. Each output file has an associated maximum size. Each project has an upload authentication key pair. The public key is stored on the project's data servers. Result file descriptions are sent to clients with a digital signature, which is forwarded to the data server when the file is uploaded. The data server verifies the file description, and ensures that the amount of data uploaded does not exceed the maximum size.

Theft of participant account information by server attack
Each project must address theft of private account information (e.g. email addresses) using conventional security practices. All server machines should be protected by a firewall, and should have all unused network services disabled. Access to these machines should be done only with encrypted protocols like SSH. The machines should be subjected to regular security audits.

Projects should be undertaken only by organizations that have sufficient expertise and resources to secure their servers. A successful attack could discredit all BOINC-based projects, and volunteer computing in general.

Theft of participant account information by network attack
Attackers sniffing network traffic could get a user's account key, and use them to get the user's email address, or change the user's preferences. BOINC does nothing to prevent this.

Theft of project files
The input and output files used by BOINC applications are not encrypted. Applications can do this themselves, but it has little effect since data resides in cleartext in memory, where it is easy to access with a debugger.

Intentional abuse of participant hosts by projects
BOINC uses account-based sandboxing: applications run under a specially-created account (Mac/Linux version 5.4+, Windows version 6+). If file and directory permissions are set appropriately, applications will have no access to files outside of the BOINC directory.

Accidental abuse of participant hosts by projects
BOINC prevents some problems: for example, it detects when applications use too much disk space, memory, or CPU time, and aborts them. Projects can minimize the likelihood of causing problems by pre-released application testing. Projects should test their applications thoroughly on all platforms and with all input data scenarios before promoting them to production status.

Tags security
--------------------------------------------------------------------------------

It's been a couple of months since I ran BOINC. I always had it start up when I turned on my computer. About a couple of months ago, my computer started to freeze up immediately after turning on.

Only after a friend turned BOINC off from starting at initial boot-up did the crashing stop. Could be a coincidence. He did turn off several other programs that automatically start up when the laptop boots-up on being turned on. He checked for spyware, malware, etc.... He didn't find any or didn't tell me if he had. When I got my computer back, I turned on the BOINC program to see if it ran without crashing and perhaps it was just making the computer crash when it started on initial boot-up. It did crash my computer.

I have yet to use it again. I finally uninstalled the program and am wondering if I should redownload it again and hope a new and updated copy might be the fix. I miss my SETI@home program, et al. Should I take the risk?

It was making my computer freeze a lot, and be very slow.

Now I only let it run when I don't want to turn the computer off, but don't plan to use it for a while.

SETI puts E.T. on hold
SETI has temporarily halted one of its chief alien-hunting tools, the Allen Telescope Array, citing lack of funding.
http://www.csmonitor.com/Science/2011/0427/SETI-puts-E.T.-on-hold

This program is no more of a security concern than any other program you install on you computer. And the software is open which means that if anyone did anything really bad, it would be public news pretty quick.

this from a douchebag who includes spam in his sig line

Now if only I can get it to work on my computer once again without it crashing said computer.

I miss having SETI@home.

http://www.csmonitor.com/Science/2011/0812/Jodie-Foster-helps-in-search-for-alien-civilizations

I hope whoever calls us is cuddly like 'ET'.

Otherwise, remember.....

It's a Cookbook!!!

I've done a bit of work for Climateprediction and Cosmology. Never did anything for SETI though.

But when I switched to Windows 8, I jumped to 64-bit. And now I'm focusing only on projects that make good use of 64-bit CPUs.

I'm doing:

a) "Optimal Golumb Ruler" and "Elliptical Curve Factorization" through Yoyo@home.

b) Sieving for the Riesal subproject at PrimeGrid. (I'm not too into finding primes for the sake of finding primes, but finding primes for that particular subproject will help prove a mathematical theory.) Their Serpinsky subprojects also work toward proving theories, but they are all done sieving, so there is no more work optimized for 64-bit CPUs.

c) And ABC@home (that one is doing work towards understanding a BIG mathematical theory).



At the moment I'm running BOINC as a service install for the greater security, and that precludes letting BOINC use my graphics card, but if you have a reasonably modern graphics card, and if you don't use a service install, you should try seeing what BOINC will do with your graphics card.

The results will be absolutely stunning. Especially if it is a project that once did CPU work, and you know how long the workunits take on a CPU doing SSE3 calculations.

Moore's Law being what it is, modern graphics cards are more powerful than anything built by Cray Research before Silicone Graphics bought them out. And having your BOINC tasks processed by the equivalent of a Cray supercomputer is pretty amazing.

Your jaw will drop when you see your graphics card knocking off 10-hour workunits in less than a minute, over and over, every minute another 10 hours of work done.

In general it is pretty easy to figure out which projects are reputable. For instance, if you are helping major observatories comb through data to find neutron stars, or doing work for the Large Hadron Collider in Europe, you can probably count on it being legit work. Same also if the math department at a large university wants to help advance the field of mathematics.

World Community Grid is run by IBM, and they have their security experts vet every one of their subprojects.

Also, if you install BOINC to run as a service, it runs under an unprivileged account, so if your program goes haywire, whether through malice or by accident, the damage will be limited.

However installing BOINC to run as a service will not allow it to use your graphics card (which is a shame if your graphics card has the power of a 15 year old supercomputer).

I'm running mine as a service, even though I have such a graphics card. But oh well, security comes first.

Yes, and he also stole the entire post from BillRM.

Hello Friends,

It's easy to participate in a BOINC project: download and install BOINC. You will be asked to select a project and enter your email address and a password. That's it!
When you run BOINC on your PC, it does the following:
1. Your PC gets a set of tasks from the project's scheduling server. The tasks depend on your PC: for example, the server won't give it tasks that requires more RAM than you have. Projects can support several applications, and the server may send you tasks from any of them.
2. Your PC downloads executable and input files from the project's data server. If the project releases new versions of its applications, the executable files are downloaded automatically to your PC.
3. Your PC runs the application programs, producing output files.
4. Your PC uploads the output files to the data server.
5. Later (up to several days later, depending on your preferences) your PC reports the completed tasks to the scheduling server, and gets new tasks.

Best Regards,
Duncan Jones

By the way, if anyone thinks I'm at all exaggerating with the Cray comparisons:

Cray XMP:
0.82 gigaflops (real world)
0.94 gigaflops (theoretical)
http://www.top500.org/system/172500

Cray 2:
2.17 gigaflops (real world)
3.90 gigaflops (theoretical)
http://www.top500.org/system/167107

Cray C90:
13.70 gigaflops (real world)
15.24 gigaflops (theoretical)
http://www.top500.org/system/172830

Cray T3D:
100.50 gigaflops (real world)
153.60 gigaflops (theoretical)
http://www.top500.org/system/170942

The T3D was their first system that linked together hundreds of DEC Alpha CPUs.


And now some graphics cards:

ATI Radeon HD 3870
Released: Nov 19, 2007
99.2 gigaflops (double precision)

ATI Radeon HD 4870
Released: Jun 25, 2008
240 gigaflops (double precision)

ATI Radeon HD 5870
Released: Sep 23, 2009
544 gigaflops (double precision)

http://en.wikipedia.org/wiki/Comparison_of_AMD_graphics_processing_units