Slashdot Mirror


SETI@Home A Security Threat, Says TVA

evenprime writes: "Richard Chambers, the Inspector General of the Tennessee Valley Authority, has declared that employee use of SETI@Home on TVA computers compromises computer security. I'm wondering why using SETI@Home on PCs with access to the internet would be a problem. As cheap as PCs are, you'd think that TVA would have separate internet/email PCs on every desktop, and so no form of malware could affect their machines used for power generation and/or management."

213 comments

  1. Job satisfaction is same as stealing from company by Anonymous Coward · · Score: 1
    "Job satisfaction is the same as stealing from the company". - From a Dilbert cartoon.

    Programming jobs at your company better have some aspect of fun to them or you will go bankrupt. No human is capable of being creative on demand for 8 hours per day. Creativity happens in bursts. And some game playing or net surfing when you're in a mind-block can get the creative juices flowing again.

    They might row faster if you *stop* cracking the whip so often.

  2. Re:Two PCs on every desk? by Anonymous Coward · · Score: 1
    Two PCs on every desk?
    Great, two Bill Gates.
  3. Re:*sigh* by Anonymous Coward · · Score: 1
    > YOU won't fire me if I don't let you download WebShots, but when you download a screensaver that was uploaded to a silently cracked web site by evil hackers and which transferred the contents of C:\My Documents\ to (insert cracker URL here), resulting in massive litigation against the firm for violation of attorney-client privilege, THEN I'm going to get fired.

    Nice to know for the next time one of us gets a threatening letter over some software on our site. It should be very easy to put a couple of ActiveX'es on our website which make positively sure attorney-client privilege is thoroughly violated if ever an access or download happens from a *.*-law.com address. Hopefully, this will teach lawyers' IT departments to discourage lawyers from litigating against hackers: it's bad for security!

  4. No its not by Anonymous Coward · · Score: 1

    The security threat is the operating system you're running Seti on. Especially if it begins with a W.

  5. Re:Company computers are for work. by Anonymous Coward · · Score: 1

    But when the sysadmin kicks your teeth in for garbaging up a stable system it costs the company in insurance premiums. So there.

  6. Re:*giggle* Nope, you're wrong by mark · · Score: 1
    I'm not entirely certain why you think that having your air-separated email-specific PC 0wn3d doesn't present a massive security risk..? Or maybe there should be a third PC, for email that's not work related?

  7. typo by Trepidity · · Score: 1

    I assume you meant "set up us."

    1. Re:typo by ErikTheRed · · Score: 1

      What you say? Please excuse my misuse of bad grammar.

      --

      Help save the critically endangered Blue Iguana
  8. yeah, heartless bastard astrophysicists... by bobalu · · Score: 1

    .. how DARE they not open their source to you! They're plotting even now to take over the universe! They even ADMIT it! No, world domination is NOT enuf!

    Here's a clue as to what it does: it crunches data. Gotta degree in astrophysics? I'm sure you could figure it out.

    Geez, give it a break man.

    --
    The revolution will NOT be televised.
  9. Re:It's the economy, stupid... by Kevin · · Score: 1

    exactly...earnings are important. besides the cost of the pc itself, there is a kvm switch (or a separate monitor); plus you have to make sure you have enough network drops for each additional computer...and then supporting all these extra "for fun" computers.

    run seti at home if you like. f* aliens.

    --
    -- Viva FreeBSD --
  10. Re:Stealing as well by Faceprint · · Score: 1

    Did you ever think of turning them OFF? No security risk, and saves plenty of power! ;-)

  11. interesting situation by Faceprint · · Score: 1

    I've got an interesting situation. I work on my personal machine at my job. I don't work from home, I just took my machine to work with me. My machine, both monitors, speakers, the whole set. I leave my machine on 24/7 (mind you, I tend to be working on it about 16/6 of that).

    Am I stealing from the company? Technically, I guess I am. Am I a security risk? Probably. I'm not as anal as I should be about my system. Hell, I'm such a power user that I get the pleasure of being outside the firewall, and I get to run my OS of choice instead of w2kpro.

    If you were my employer, how would you feel? Happy, that I saved you the cost of another PC? Or mad that I don't fit nicely into the cookie cutter for employees?

  12. Re:Perhaps.... by castanaveras · · Score: 1

    Actually the aliens use PPC - that was a Mac laptop the virus was getting uploaded from.

    Though thinking back I vaguely recall the screenshot looking like java.

  13. Re:Risk? Uh... yeah?? by matty · · Score: 2

    Except that you can't stop breathing (without dying :). TVA employees can avoid installing SETI without ill effects. As a matter of fact, it will (minimally) increase the TVA's bottom line due to lower electricity usage.

    It's a completely controllable risk (by not installing SETI), and well within their rights since they own the computers.

    I don't know what you do for a living, but I'm a Network Admin and for myself and all the people I know who do PC support, one of the most annoying things is users thinking they can install whatever they want on their computers.

    Not trolling, not flaming, just my 2 cents.......

  14. Re:WOW by pudge · · Score: 2

    So as long as there is a legitimate business interest in being provably, significantly, insecure, that's better than no business interest in something that has not been proven to be insecure at all? Um, OK.

  15. WOW by pudge · · Score: 3

    If this dweeb wants to investigate and remove the use of programs that pose potential security risks, how about starting with Explorer and Outlook. What a complete waste of time and money.

  16. Re:Open Source has the same problem by larien · · Score: 2
    the importance of downloading your code from a "mainstream" high-use site
    Hence the common use of FTP sites. That way, you can get the code from "Joe Stranger's Fly-by-night FTP Site" and be fairly certain that your code matches the versions available from the main FTP sites.

    The main thing is that most people are fairly near (in net terms) a major FTP site (eg, I tend to use sunsite.doc.ic.ac.uk), so there's really very little need to go outside those channels.
    --

  17. Re:Open Source has the same problem by larien · · Score: 2
    *sigh* I'm not thinking straight; I meant to say "the common use of MD5 Sums".

    Blame it on the fact I've just had win2k inflicted on me....
    --
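
Larien's MD5-sum point, worked as an added example that is not code from this thread or from SETI@home: a Python script that checks files pulled from a mirror against the checksum list the main site publishes, in md5sum/sha256sum line format. The file names, contents and sums are constructed for the demo; MD5 and SHA-1 matches are reported separately because those hashes are no longer collision-resistant.

```python
"""Verify files fetched from a mirror against the checksum list the main site
publishes. Added example, not from the page; the checksum list, file names and
file contents below are constructed for the demo."""
import hashlib
import os
import re
import tempfile

# Hex digest length -> algorithm, covering md5sum, sha1sum and sha256sum output.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
# Collision resistance of these is broken: a match still proves the mirror copy
# is byte-identical to what the main site listed, but it cannot prove the listed
# file was not one half of a crafted collision.
WEAK_ALGOS = {"md5", "sha1"}

# "<hexdigest>  <name>" or "<hexdigest> *<name>" (binary-mode marker).
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


def parse_checksum_file(text):
    """Return {name: (algorithm, hex digest)} for a sum-file; rejects names
    that would escape the download directory and lines it cannot read."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable checksum line: {raw!r}")
        digest, name = match.group(1).lower(), match.group(2).strip()
        if os.path.basename(name) != name or name in (".", ".."):
            raise ValueError(f"refusing path-like file name: {name!r}")
        algo = DIGEST_ALGOS.get(len(digest))
        if algo is None:
            raise ValueError(f"unknown digest length {len(digest)} for {name!r}")
        expected[name] = (algo, digest)
    return expected


def file_digest(path, algo, chunk_size=1 << 16):
    """Stream a file through hashlib so large archives are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(directory, checksum_text):
    """Check every entry of the sum-file against `directory`.

    Returns {name: status} with status one of
      "ok"            digest matches under a strong hash
      "ok-weak-hash"  digest matches, but only an MD5/SHA-1 was published
      "mismatch"      the mirror copy differs from what the main site listed
      "missing"       the listed file was not downloaded
    """
    results = {}
    for name, (algo, digest) in parse_checksum_file(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif file_digest(path, algo) != digest:
            results[name] = "mismatch"
        elif algo in WEAK_ALGOS:
            results[name] = "ok-weak-hash"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed mirror directory: one intact file, one altered file, one
    file listed but not downloaded, one intact file covered only by MD5."""
    genuine = b"#!/bin/sh\necho hello from the genuine tarball\n"
    altered = genuine + b"echo something the main site never shipped\n"
    with tempfile.TemporaryDirectory() as mirror:
        for name, content in (("tool-1.0.tar.gz", genuine),
                              ("tool-1.0-install.sh", altered),
                              ("README", genuine)):
            with open(os.path.join(mirror, name), "wb") as f:
                f.write(content)
        # What the main site publishes as its SHA256SUMS / MD5SUMS (constructed).
        checksum_text = "\n".join([
            f"{hashlib.sha256(genuine).hexdigest()}  tool-1.0.tar.gz",
            f"{hashlib.sha256(genuine).hexdigest()}  tool-1.0-install.sh",
            f"{hashlib.sha256(genuine).hexdigest()}  tool-1.0.txt",
            f"{hashlib.md5(genuine).hexdigest()}  README",
        ])
        return verify_directory(mirror, checksum_text)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:14} {name}")
```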

  18. Umm try this page... by Archfeld · · Score: 1

    It is actually the title of the book, published in 1965, and yes several times but like the above guy mentions I transposed the final scene of the movie with that of the book, and yes even though I remember it being short it is in fact a novel....

    http://www.umich.edu/~engb415/literature/cyberzach/Dick/elecsheep.html

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  19. what's the problem with this by Archfeld · · Score: 5

    Even SETI states, make sure your employer is OK with this before installing any software.

    Seems very straight forward to me, security breach or not.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  20. TVA anal retentive ? alien attacks ? by freaker_TuC · · Score: 1

    "press article: Aliens hack user pc's on planet Earth.

    Seti@home provided data to the terminal of a user PC running on the background as a screensaver.

    the radiosignals decoded to binary sent by Seti to the userpc's were in fact all code that formed one evil alien-trojan even more powerful than the known trojans netbus etc..."

    -or-

    "Press article: Spooks were able to put a program inside a lot of administrative pc's of different companies (including but not limited to TVA, PWA, USER PC's, OSDN and MICROSOFT).

    This way people were thinking they were running a screensaver to find alien babes, but in real life they were exploiting your PC by sending all your precious private data to the spooks at the "so called seti" while showing up as a screensaver with random numbers".

    Guess they really have distributed computing to their power then :) aliens will be using our pc's as their puppets or spooks are using our computing resources :))

    the irony of it all ...

    If it's alien, it could modify your processor so it bakes out alien lifeform in microbacterialminiscoulous forms and they are going to eat-you-alive! ...

    ... that's the security risk! there it is ...

    .. the horror

    (i'm just being in a boring mood at a boring time looking to a matrix screensaver after 15 minutes of no-typing) ...


    Freaker / TuC

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  21. Re:sure by BrookHarty · · Score: 2

    Good point, they should charge for the spare cpu cycles. Government should be looking for every way to save/make money.

  22. WTF is up with these Dipshit Senior Management? by BrookHarty · · Score: 2
    Anthony Smith, a senior manager of TVA's computer system, said the inspector general's office first detected the SETI programs on TVA computers, and managers made sure all were deleted.

    The use of the SETI program on 17 TVA computers presented "some kind of risk," Smith said.
    snip..
    But SETI uses a high level of protective encryption, he found, so there was "a relatively low risk" to TVA.
    Still, he said, the incident prompted managers to conduct a massive computer security awareness campaign.

    Very freaking trivial matter. They just found out about SETI@HOME over a year on some production boxes? If security was their main concern, why didn't they use network security management software? There seems to be a lot of personal Crusades by management on very trivial matters. With companies understaffed and overworked, some Senior Management opens his mouth and makes lame ass policy that has no bearing on the subject.

    Security means more than banning some software to look like you're on the ball. (You're not). How about getting off your fat ass, and fix your damn firewalls with decent ACLs, patch your damn DNS servers, and proxy your Internet connections.

    --
    the osi is missing a layer - layer 8 = politics

    1. Re:WTF is up with these Dipshit Senior Management? by penguinboy · · Score: 1

      Very freaking trivial matter. They just found out about SETI@HOME over a year on some production boxes? If security was their main concern, why didn't they use network security management software?

      Being incompetent in the past means someone is forbidden to start doing the right thing?

    2. Re:WTF is up with these Dipshit Senior Management? by rtaylor · · Score: 1

      If you allow web access, seti will run. Even through proxied web connections.... You would have to block the seti servers specifically and any anonymizer services.

      --
      Rod Taylor
    3. Re:WTF is up with these Dipshit Senior Management? by jotaeleemeese · · Score: 1

      You are an incompetent admin.

      You forgot the floppy drives and CD readers.

      ;-) (half jokingly dead serious).

      --
      IANAL but write like a drunk one.
  23. Re:I can see it now by pointwood · · Score: 1

    I would recommend supporting the Folding@Home or Genome@Home project.

    More info can be found here.


    Greetings Pointwood
  24. Re:No, clueless users... by NMerriam · · Score: 2

    The statements imply a significant amount of risk based on running Seti@Home.

    No, it doesn't. It implies that the amount of risk is too great compared to the possible benefit.

    Even though the risk is trivial, and possibly close to zero, the "benefit" to the TVA for running the software is most certainly zero, seeing as how the only purpose the software serves is to suck up system resources.


    ---------------------------------------------

    --
    Recursive: Adj. See Recursive.
  25. sure by NMerriam · · Score: 3

    As cheap as PCs are, you'd think that TVA would have separate internet/email PCs on every desktop

    Sure, why not? It's only our tax dollars...

    ---------------------------------------------

    --
    Recursive: Adj. See Recursive.
  26. Re:No, clueless users... by HiThere · · Score: 2

    Now, speaking as the owner of a company, I can understand what they're doing, and the policy statement behind the "why". But they _damn_ well better go sanitize the rest of the TVA for unauthorized software (that cutesy screen saver someone bought, or the bootleg copy of Photoshop your graphic artist is using to maintain your marcomm because you're too stingy to buy a license), or they're going to look like a really hypocritical mob. Just my two cents.


    Umnh.. To whom are they going to look hypocritical? To me, perhaps, but I doubt that they care much about my opinion. To their workers, perhaps, but I doubt that many of them would contradict management by saying so. (That's dangerous to your job.)

    But how will they look to the public? "We are taking proactive steps to secure our system!" Think of this as a message directed at both the employees and the public, with slightly different messages. To the employees it says "We control "your" computer. It's ours." To the public it says, "We are protecting our computer resources." It may be mainly PR rather than actual, but that may be what they are after.

    What's bad about it is that they singled out a particular program that is relatively innocuous, and charged it with villainy. And, practically speaking, there's no reasonable defense. There are a lot of other packages that could more reasonably have been chosen, but that's not what they did.

    If I worked there I would be quite upset with them. They may have damaged morale severely. The words arbitrary, and capricious, and arrogant come to mind. This despite that the intention may have been quite reasonable (it's hard to tell). If the statement had been, "Don't run any software we haven't approved. It's dangerous. We know you have been doing this, because we have detected SETI@Home." Then I would have few problems with it. But that doesn't seem to be what's been reported. (Then again, how trustworthy is the report? [Well, it sounds trustworthy, for what that's worth. I don't care enough to dig further.])


    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  27. Re:KGB agents by HiThere · · Score: 2

    To an extent, this is the result of living in a large country. Nearly everyone we meet is a "local". So someone from outside is much more foreign here than in, e.g., Holland.

    OTOH, I wonder how Canadians feel about folk from outside? But then they've a smaller local population, and ...

    Maybe all cases are special cases?

    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  28. Stealing as well by Alfred · · Score: 3

    Not only were they breaching security, they were stealing from their employer. Idle CPU time is not free, when SETI is running the CPU can't shutdown into low power mode...

    1. Re:Stealing as well by rde · · Score: 1

      This is just a case of a clueless, dictatorial management. Unfortunately, the comment here that is legit so far is that they *are* the employers machines, and if they want to be clueless and dictatorial about how they're used, they have that right. But they don't have any justification.
      Yes and no. While there are myriads of clueful setiathome users (your humble servant included), the fact remains that these managers - possibly Men in Black - dictated that it shouldn't be used. Speaking as a sysadmin, there's nothing worse than some asshole installing Outl^H^H^H^H something despite dire warnings. The management may have been wrong about the reasons for their decision, but once that decision was made the workers had no right - legal or moral - to run the software.
      Of course, the users might have been more clueful than the sysadmins, but in my experience this never happens.

    2. Re:Stealing as well by vanyel · · Score: 2

      Oh nonsense. Someone "steals" more from the company by spacing out for a few minutes a day. And it's clear the whole lot of them were clueless if they're talking about "letting outsiders in" --- the data seti downloads isn't executable. The only real risk is if they downloaded a hacked binary in the first place. This is just a case of a clueless, dictatorial management. Unfortunately, the comment here that is legit so far is that they *are* the employers' machines, and if they want to be clueless and dictatorial about how they're used, they have that right. But they don't have any justification.

    3. Re:Stealing as well by lomion · · Score: 2

      Well you can control a lot of that stuff fairly well. With unauthorized software you've just taken some of those controls out of the picture. Ad and flash can be stopped in a number of ways, proxy, client side security controls, etc etc...

      --
      this space for rent
    4. Re:Stealing as well by lomion · · Score: 3

      Not only that, but any network is only as secure as its weakest link. Often times a network is broken into not from that hardened server but from a workstation or unsecured box on the lan.

      It is a security risk when you have unauthorized software installed, especially one that accesses the internet in some way. What happens if a trojaned version of Seti@home were installed and some ppl used that to get into the internal LAN?

      --
      this space for rent
    5. Re:Stealing as well by lomion · · Score: 3

      That is why you control what can and cannot be installed and only let authorized copies be used. If it's unauthorized software then this could happen easily. Installing Eudora from a cd is a lot safer in this case or using a created disk image for the entire pc with Eudora installed as well.

      --
      this space for rent
    6. Re:Stealing as well by gad_zuki! · · Score: 3

      I don't believe any MS OS gives HLT instructions to cool or "power down" the processor. I'm draining 70+ watts regardless if SETI is on or off. Unix is a whole other story.

      If anything, the constant disk accesses will keep the HDs from shutting down and might affect auto stand-by or hibernation setups. I don't know of any business that knocks anything but laptops into a real hibernation state. As long as that space heater, err Monitor is shutting down after 10 or 15 mins of idle you're sitting pretty. The rest is pretty trivial.

      You're stretching the definition of stealing more than I can tolerate. What has been taken exactly and where is it stored? What's the *real* loss? It's one thing to go against policy, it's another to defend policy with accusations of criminal intent. "He knew he was stealing from the company, sir!" Might as well start charging employees who fire up the browser for bandwidth costs if you're serious about "stealing."

    7. Re:Stealing as well by scotch · · Score: 1
      Not only that, but any network is only secure as its weakest link.

      Not only that, but profit is the difference between revenue and expenses.

      --
      XML causes global warming.
    8. Re:Stealing as well by n3rd · · Score: 1

      Idle CPU time is not free

      Yes it is. CPUs run at 100% usage all of the time, even if a process or processes aren't using all of the CPU. Check out the System Idle Process in the Windows NT task manager.

      when SETI is running the CPU can't shutdown into low power mode..

      This is only true for Pentium 4 CPUs, which I doubt many government agencies are currently using.

      Again, either a CPU is on and using X power and 100% of its capacity, or it's not.

    9. Re:Stealing as well by RFC959 · · Score: 1

      I would love to know how you do that, since I've always heard that SMP is incompatible with power management. Are you sure this has anything to do with ACPI, and isn't just the HLT instruction?

    10. Re:Stealing as well by Chester+K · · Score: 1

      I don't believe any MS OS gives HLT instructions to cool or "power down" the processor.

      Yes they do, at least Win2k. Install SoftICE and hit the break keystroke at any random time to jump into the debugger. More often than not, you'll find it's sitting on a HLT instruction.

      --

      NO CARRIER
    11. Re:Stealing as well by TVmisGuided · · Score: 1

      when SETI is running the CPU can't shutdown into low power mode...

      Yep...very important to a power utility. And an important message to their customers too..."don't run this software, because it'll keep your home computer from dropping to standby mode, thereby raising your electric bill...no, wait, PLEASE run this software!"

      Okay, I'll shut up now...I really shouldn't respond to such as this without eating first.

      --
      All the world's an analog stage, and digital circuits play only bit parts.
    12. Re:Stealing as well by shepd · · Score: 1

      What would happen if a trojaned version of Webshots, Eudora, Spinner, or Minesweeper were installed?

      The same thing. Maybe they should just ask Maxtor to provide a write protect jumper on the Hard Drives, or just get rid of internet access entirely.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    13. Re:Stealing as well by darkith · · Score: 4
      False. The System Idle process isn't actually a real thread, it performs no cycles and the CPU is allowed to perform a HLT instruction.

      Many CPUs have power saving capability, it's a matter of correct configuration in the bios and OS. For example, my dual Celerons (not the FCPPGA Celeron 2s, but the original PPGA) do a very nice power saving operation under Win2K with ACPI enabled in the bios. Temperatures go down significantly...nice for hot days. I stopped running RC5 for just this reason.

    14. Re:Stealing as well by DarkEdgeX · · Score: 1
      Yes it is. CPUs run at 100% usage all of the time, even if a process or processes aren't using all of the CPU. Check out the System Idle Process in the Windows NT task manager.

      This isn't entirely true, at least not for laptops. I don't know what kind of systems these people were using (desktops or laptops, or a mix) but newer Pentium III based laptops DO in fact have a low-power consumption mode that switches the processor to a lower clock speed to save energy. Desktop Pentium III's don't have this feature AFAIK though, so you're right there. FYI: Intel refers to this clock-speed changing energy saving crap as "SpeedStep" technology.

      Plus, at least in the case of Windows 2000, and systems set up to support it, SETI@Home may not allow the system to enter a hibernation state or 'sleep' after X hours of idle use. (Not sure about this, in any event I think you can set up certain apps or processes to be ignored for this task.)

      --
      All I know about Bush is I had a good job when Clinton was president.
    15. Re:Stealing as well by Weh · · Score: 1

      I'm no expert on this but I do numerical analysis type stuff at the office. It involves serious number crunching. I've got a temperature sensor on the CPU, it appears to get hotter when it has to do lots of calculations. Wouldn't that indicate that the power consumption goes up with CPU load ?

    16. Re:Stealing as well by tmark · · Score: 1

      Since you yourself admit the possibility of a security risk, the employers aren't being clueless or dictatorial, and they are not without justification. And as others point out, there are other reasons why they should not allow the software to run. Installation of unsanctioned software increases all sorts of costs: administrators have to tend to machines with non-standard configurations, hard-drives may be used a bit more, network bandwidth is being consumed by transmission, employees spend time installing, playing with and otherwise dicking with the program.

    17. Re:Stealing as well by markmoss · · Score: 2

      I have had far too much trouble with computers that didn't come out of stand-by mode. It's like the mfgs put in "power saving" to get a green star, but didn't feel any obligation to make it work right. At the worst, there was a box we bought as a small server in '95 where even putting the monitor in standby would take the mainframe off-line!

      Maybe it's improved on the newer models, but disabling power control in CMOS setup is already a reflexive action for me. I do let my 21" spaceheater, I mean monitor, go into standby, but unless the mainframe is running on batteries, I don't want it to go down until I shutdown the OS.

    18. Re:Stealing as well by TheAwfulTruth · · Score: 1

      Windows most certainly DOES idle the cpu when there are no interrupts pending, check your CPU temp with windows idle and seti NOT running. Then check it 10 minutes after seti is running. On my machine (intel) there is a 30% increase in CPU temp when running the RC5 client! That is certainly an indication of increased current usage. I finally gave it up when I realised it was costing me about $10 a month to do someone else's work :( Windows also has a comprehensive power saving system when it is set up. I now hibernate my home and work machines every night (Both desktops, works exactly the same as laptops). Unfortunately people that like to run SETI and other distributed apps are less likely to even allow their machines to go into energy saving mode and are less likely to power them off at night because they won't get their block counts. This also applies to some screen savers. We've had some people with screen savers here that are constantly going out on the web and downloading images and crap all night. Keeping the machine alive constantly. Now imagine an entire office building like that. The cost of excess power because of machines reconfigured by the employees could easily run into $1000's a year. "Stealing" may be too strong of a word, but don't underestimate the amount of "Waste" that SETI has caused...

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
    19. Re:Stealing as well by TheAwfulTruth · · Score: 1

      "Hibernation" on Windows does turn the power completely off on desktop as well as laptop computers.

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
    20. Re:Stealing as well by NutscrapeSucks · · Score: 1

      WinNT/2K does HLT the CPU. Win9x/ME doesn't (maybe because the CPU is unpredictably in 16-bit modes?)

      On the other hand, APM/ACPI is more likely to work on any given machine under Win9x. NT 4 can't even power-save the monitor, which is something a DOS TSR could do.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    21. Re:Stealing as well by AmbiguousTwo · · Score: 1

      I have run both SETI and the Think program for cancer research on my laptop (not at the same time) and both of these programs almost immediately cause the cooling fan to turn on. When I stop the program, the fan goes off within 2 seconds. That heat does not come for free, so more power must be being used.

  29. the TVA nuclear connection by TeknoDragon · · Score: 2

    Oak Ridge is partially related to TVA, they do some very sensitive stuff there (like building THE bomb). I remember when I went in to one of their centers they gave you a work over with the metal detectors and everything.

  30. scary? by TeknoDragon · · Score: 2

    what about windows NT guarding the security of our most powerful weapons? ;->

    not that I'm an expert on ORNL, but I met with a sysadmin in Oak Ridge briefly years ago when they decided to switch from Solaris to NT.

  31. oh for crying out loud.. by redd · · Score: 1

    ok, so they broke the company rules, but..

    1) If the company has rules like that, then they're invoking procedure as being worth more than the intelligence of their employees. This can be filed under the "anal" category. (quit guys)

    2) Man, if this guy thinks something as simple as seti can possibly create a security risk where outlook wouldn't, then I can only wonder how he expects to be able to reproduce.

  32. Re:*sigh* by dillon_rinker · · Score: 3

    (1) You are absolutely right and don't need me to explain why.

    Also,

    (2) You are completely wrong and I'm about to tell you why. My job is to GUARANTEE to a group of $250/hr attorneys that their computers will work when they want to use them. I am paid good money to see to it that they don't break. One of the limitations of my job is that I don't have the time to make you happy. Sorry, I really am, because I understand completely, but I cannot risk anything, and I don't have the time to analyze everything. You don't have to agree that I'm right, but at least try to understand. See, the thing of it is that it's not my job to guarantee that YOU can do whatever you want with your computer, but that the bosses can do whatever THEY want with their computers. YOU won't fire me if I don't let you download WebShots, but when you download a screensaver that was uploaded to a silently cracked web site by evil hackers and which transferred the contents of C:\My Documents\ to (insert cracker URL here), resulting in massive litigation against the firm for violation of attorney-client privilege, THEN I'm going to get fired.

    You do the math.

  33. Re:Security by Neoplasm · · Score: 1

    Also notice that it was from a little local paper, not the New York Times or the Washington Post. Even timothy's comments on the header were as clueless as a local reporter, "you'd think that TVA would have separate internet/email PCs on every desktop, and so no form of malware could affect their machines used for power generation and/or management". Where did that conclusion come from? Nobody in the article mentioned control computers anywhere. These were the desktop PCs of office workers. I work at a wastewater treatment plant where the office network isn't even connected to the control network at all. The people in Purchasing don't need to be changing pump flow setpoints.

    --
    Do this don't do that Can't you redesign.
  34. Uhmm by NitsujTPU · · Score: 1

    Part of this is that many companies allow ONLY authorized software to be installed. The company computers are for work, not for play. If one guy is downloading seti next door, the guy next to him might not think that it's a problem to download something from a less qualified site. There are a lot of viruses and such out on the net, and when you have a couple thousand people, someone is bound to get something nasty on your network if you let them run wild. The reason why companies are so worried about giving everyone a full internet condom is because most people's experience of browsing the net seems to be equivalent to sleeping around with prostitutes, they might get lucky, they might get... uhh, something else. I can remember a problem at work with people downloading a program that downloaded a whole STACK of backgrounds every day according to a timer. The program wasn't terribly efficient, and the bottom dropped out of the network twice a day when people's computers started downloading desktops. Unauthorized modems are one of the leading causes of breakins in corporate networks. It's all related. I'm sure that there isn't a rule that says "don't download SETI" rather, there's a rule that says that what runs on your computer is the business of the IT department, and it SHOULD be that way.

  35. Re:Clueless seniors by Black+Parrot · · Score: 5

    > God, this would just be hilarious if it wasn't so pathetic.

    Actually, it's real simple. SETI@home is closed source. Neither the employee running it nor TVA management has the faintest idea what it really does. Therefore the TVA can reasonably be paranoid about it.

    Of course, the same logic applies equally to any other CSS software that they may be running. I think the world at large is slowly maturing to an understanding of the CSS risk, though management types will see it in "toys" like SETI@home before they see it in their precious COTS applications.

    --
    Sheesh, evil *and* a jerk. -- Jade
  36. Re:Open Source has the same problem by Black+Parrot · · Score: 5

    > The same goes for open source software.

    [In addition to what MWright already said...]

    That is correct. And in fact I habitually download pre-compiled binaries to run on my Linux system.

    But remember that there is an almost zero-sum tradeoff between convenience and security. For my Linux system at home, getting 0wned would have a small cost, so I only expend a small effort preventing it. If I operated the TVA, a business, a space shuttle, or a government or military computer system, then I would invest a lot more trouble in security.

    If the quoted guy doesn't want the TVA 0wned, then he needs to invest an appropriate amount of effort in making sure he doesn't let any trojan horses in the gate. If that means having his staff read code, it's a real simple calculation of the cost of reading the code vs the cost of getting 0wned. And I would estimate that the cost associated with having the TVA get 0wned is pretty darn high.

    Even for my ultra-low-security home system, I don't download a precompiled binary from just anywhere. Every time I do it I make a very conscious decision of "how much do I trust this site?" vs "how much trouble would it be to go another route, such as compiling it myself?" vs "what are the consequences of getting 0wned?". Even for my ultra-low-security site, I just get the source if the only binary kit I can find is made by Joe Stranger.

    As for reading the code, no, I don't audit the code for everything I run on the system. However, I'm pretty much a middle-of-the-crowd OSS user (not at all a guru), and in spite of that I do read quite a bit of code over a year's time, because I like to submit fixes and enhancements for the OSS that I use. And I know that there are thousands, probably tens of thousands, of people just like me doing the same thing. Trojans will be found, and the news will spread like wildfire on the internet. The very threat of that will inhibit trojaneers to some extent, because of the risk of getting caught, and the consequences (permanent anathema, no one ever using your software or your download site again, etc).

    [Insert note here re the importance of downloading your code from a "mainstream" high-use site, to make sure your code is actually the same code that those thousands of other eyes are looking at. If you download code from Joe Stranger's Fly-by-Night FTP Site, then you may be getting a trojan that your friends aren't looking at, because you didn't get the same code.]

    Using OSS doesn't guarantee security, but it seems to me that it is a creditable threat-reduction strategy. I think in the future you will start seeing critical installations like the TVA switch over to OSS as a matter of policy (or if they do stick with COTS software, they will arrange a source agreement with the vendor, and run copies that they compiled themselves to ensure that what they saw is what they really got). We have already seen several non-US governments making noises in that direction, and I think it will become a near-universal reality as the world gets used to the idea of OSS as a quality solution, and becomes aware of the security implications of "trust" vs "knowledge". You just have to look at the number of spyware vendors that got caught in the last 18 months to realize that corporate/governmental paranoia about this kind of thing is not only justified, but perhaps even a moral imperative.

    As a side note, the strategy mentioned above about getting the source to CSS directly from the vendor and compiling it is probably less safe than using OSS, because the CSS vendor will never distribute its software as widely as OSS is distributed, so there will never be as many eyes looking at it. I would agree that catching a trojan due to a many-eyes approach is probabilistic, but more eyes slant the odds in your favor.

    Also, a dishonest vendor could give you code with an obfuscated trojan, and give trojan-free code to all its other customers that it didn't feel any need to spy on, with the result that the only eyes actually looking at the trojanized code would be the people on your own staff that you assign to it. Bad odds there, unless you spend a lot of money paying a big staff to read code.

    As the world becomes more aware of the risks of spyware and trojanized software, and more aware of the viability of OSS for many uses, institutions that absolutely must have security will start adopting OSS, even without reference to the other benefits of sharing source code. This will probably happen sooner rather than later.

    The day we see a shareholder suit against a company that lost its ass due to spyware or trojanware will also be the day we start seeing a mass migration of lower-security sites, too.

    In our contract-minded society I'm sure lots of suits will try vendor indemnification rather than OSS, but when you start thinking about the dollar cost you would have to assign to having the TVA 0wned by a hostile party (terrorist, extortionist, prankster with no sense of consequences, etc.), then you'll realize that vendor indemnification would be completely meaningless. Which is why I say that society needs to run its computers on "knowledge" rather than "trust". Hopefully the world's suits and lawmakers will figure this out without having to have an incident to elucidate it for them first.

    Just my opinion, as always.

    --
    Sheesh, evil *and* a jerk. -- Jade
  37. So? by mindstrm · · Score: 2

    Life isn't fair. Of *course* he doesn't lock the CEO out of his computer. I never made MY manager or anyone higher up my immediate food chain do this either. I instead paid personal attention to make sure they were secure.
    But you can't do that to everyone, and you have to keep things secure.

    It's my job to audit new software to be run on the network, and if it accesses the network in some way, and you don't need it, it's not going to be approved, plain and simple.

  38. I'm not a little hitler by mindstrm · · Score: 2

    And I don't tend to have rules this strict, but they are an ideal to keep in mind.
    Ideally, nobody would ever install anything. Realistically, that is often difficult to enforce.
    The point is, if you are in a situation where that IS the rule, and people DO follow it, why break it?

    As for distraction... distraction is a need? That MUST happen on the computer? No, I don't think so.

  39. Well... are you in admin? by mindstrm · · Score: 2

    Just curious. Because it sounds like you don't know what you are talking about.

    Lazy IT people? Not.

    The plumber analogy is not correct; a plumber is like an outsourced IT guy: you bring him in when something is wrong, perhaps listen to his advice, pay him, and send him on his way.
    I, on the other hand, am told that ensuring the security and integrity of the company network is my responsibility. And contrary to what you believe, it's not because I don't want to fix it that I don't want people to break it; it's because the Company wants those people working, and when they break their computer, the time spent fixing it is time they aren't working.
    As for security.. who said anything about not using the network? This is about running an untrusted and UNNEEDED app. I'm sorry, they don't need to run seti@home by any stretch of the imagination. It's not helping them get any work done any easier, and it's not entertaining.
    Also, doing a bunch of extra work to support running something that has nothing to do with company business is a waste of the company's resources, because we IT types are busy, and actually have stuff to do. At least, I do.

    And contrary to what you think, I *DO* have the responsibility to stop workers from using the computers in unapproved ways, *WHENEVER* I wish, just as the CFO has the responsibility to stop finance payments when he sees something amiss. Installing seti@home is NOT doing your job. And they aren't telling me how to type my memos because they aren't my boss.

  40. *sigh* by mindstrm · · Score: 5

    What they are saying, as I've said in past jobs...
    1) Your computer is not your computer, it is the company's computer.
    2) Your computer is to assist you in doing your job.
    3) Security is important
    4) So you don't run anything we don't approve of.

    The security audit of a new app can be fairly simple.
    Question #1: Do employees need to run this? NO. Jump to DENY

    Anything running that accesses the network, unattended, is a *potential* security threat. Running the most secure of secure ftp servers is still a threat if *you don't need one in the first place*.

    1. Re:*sigh* by frozen_crow · · Score: 1

      Seti connects over port 80 (HTTP), and you can configure it to use a proxy. So if you allow your employees any web access, you also allow access to seti. They could probably add a rule to the proxy to block it, but if they did that every time they wanted to block something, they'd basically be implementing censorware, which we know to not work.

    2. Re:*sigh* by SpeelingChekka · · Score: 1

      Many companies I know (specifically big companies) block access to any "unauthorized" web sites, you have to get permission to access specific websites, and explain why you need to for your work. I don't work at one of those places though.

  41. Re:Hacking the TVA by nnet · · Score: 1

    The external web server is NOT part of the internal network, said network includes over 11,000 desktops.

  42. Re:No, clueless users... by Rinikusu · · Score: 1

    /*My objection is to banning S@H, and _not_ sanitizing the rest of the organization for other unauthorized software. Is a little consistency too much to ask?*/

    Considering it's really none of your business, yes.

    --
    If you were me, you'd be good lookin'. - six string samurai
  43. Re:No, clueless users... by Rinikusu · · Score: 1



    The NSA's computers are also paid for by the taxpayer, do you presume to tell the NSA what they can and can't install on their systems?

    Get bent or get a clue or get both.

    --
    If you were me, you'd be good lookin'. - six string samurai
  44. Re:No, clueless users... by Rinikusu · · Score: 1

    Following your line of logic, go ahead and call up the NSA and give them your input.

    And, btw, TVA is considered a government agency, but, like the Post Office, makes its own money. Your tax dollars are not hard at work there. Your grandparents', probably.

    --
    If you were me, you'd be good lookin'. - six string samurai
  45. Re:No, clueless users... by Rinikusu · · Score: 2

    http://www.tva.gov/abouttva/keyfacts.htm#howfunded

    read and be enlightened.

    BTW, my father is retired TVA, so I get my information first hand.

    --
    If you were me, you'd be good lookin'. - six string samurai
  46. I found this para amusing... by LocalH · · Score: 2
    • Don Hickman, a senior manager in the TVA inspector general's office, said the staff knew the SETI program could allow hackers into a computer system and pointed to a news story showing at least one successful infiltration of SETI's Web site. (emphasis mine)
    So an incident on the webserver means that the SETI@home (spell it right, ppl) is insecure? I read that and laughed my ASS off.
    _______
    Scott Jones
    Newscast Director / ABC19 WKPT
    --
    FC Closer
    1. Re:I found this para amusing... by SuiteSisterMary · · Score: 2

      If you can get onto the website, you can put up a binary. Oh, and change the MD5 checksum that's listed on the webpage. :-)

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:I found this para amusing... by TheHawke · · Score: 1

      This problem extended from hackers posting multiple inquiries for user info into SETI@'s database to extract email addresses. There is no major threat here to TVA's security whatsoever...
      I WISH that people would READ before they open up their mouths... TVA's suit simply didn't, or does not, understand how SETI operates..
      I WISH that people would READ before they open up their mouths... TVA's suit simply didnt, or does not understand how SETI operates..

      http://setiathome.berkeley.edu/tech_news.html

      --
      First rule of holes; When in one, stop digging.
  47. Re:Company computers are for work. by nexthec · · Score: 1

    Hey. I think they should hire you with all that money they are saving on these "unwasted cycles".

    the point is......they aren't getting anything from running distributed apps.

  48. Re:I can see it now by Sierra+Charlie · · Score: 1

    Well, this is a day late, so no one will read it, but... :)

    Your reply doesn't respond to any points in particular. All it says is "We have a lot of software that already could be insecure, and I (as university network admin) have no control anyways. So, screw it and run SETI."

    As I said in my post, and you seemed to ignore, you can have security risks from any software...it's a tradeoff of risk versus functionality.

    From a corporate standpoint, the most sane viewpoint once you realize that is "We get no functionality from letting users run SETI on the machines and network that we paid for...we're not going to assume the risk". Just because you don't have that option in your position, doesn't mean that it's not the correct posture for the TVA.

  49. Re:I can see it now by Sierra+Charlie · · Score: 3
    It all comes down to employers simply not understanding what the application is for and using it as a scape goat for any problem that comes. It happens at my university.

    It may seem odd to those who have never had to administrate a network, but the TVA happens to be absolutely correct.

    It's not SETI software in particular that is a problem; it's having your users downloading random, useless software from the internet and running it on company (and likely privileged) machines.

    Every time that program starts running, it can do whatever it wants. It could be detecting aliens in the vicinity of Betelgeuse or it could be streaming your password file to the SETI server so that it can pass it around for decryption. You can't tell; you didn't compile it...you don't even have the source. Even if you did, the admins don't have time to check the code just so you can have a pretty E.T. phonin' screensaver.

    "But we trust SETI", you say. Why? You can't speak personally for the competence and/or ethics of the SETI programmers. If you could, you still wouldn't be able to tell if the binary had been modified after it left their hands. The program is also executing around arbitrary data downloaded from the internet...could it be made to misbehave with bad data from a man-in-the-middle? I dunno.

    Maybe all of that seems unlikely, but this is the same policy that guards against the Marketing department's "Dog of the day" screensavers and Trojan Horse emails. As recently evidenced, it's true that you can have backdoors in production software, but at least there's a business return in exchange for the risk.

    It's too easy to scoff at this as "employers not understanding" when you don't understand big picture.
  50. I can see it now by macdaddy · · Score: 2
    "Notepad compromised our security." It all comes down to employers simply not understanding what the application is for and using it as a scape goat for any problem that comes. It happens at my university. Every time something goes wrong the network is blamed. I can't check my email. The network must be down. I can't stream my local radio station. The network is "full". I can't play my Flash games. The network in my building sucks. We're out of coffee. The network needs to be replaced; we need a router in every building. Literally. I hear that shit all day long, not just from users but from co-workers within our IT department! ARGH! The agony.....

    --

    1. Re:I can see it now by macdaddy · · Score: 3
      It may seem odd to those who have never had to administrate a network...

      Odd you mention that because that's exactly what I do. I'm the Network & Systems Manager at one of the 6 Regents universities here in the State of Kansas, which will remain nameless. I also recommend distributed.net and SETI to the users of this university and have a lab cracking on the RC5 challenge. Source? What do we care about source? Better put, are we allowed to care about the security problems found in the source of the software our users download? No. We're a university. We don't have that luxury. If we as a 4-year university could say what you can and can't install for security reasons, the first things to go would be Outlook, IE, Irix, and Windows. Do we trust MSN Messenger? AIM? ICQ? What about all the various IRC clients? MUDs? Local sploits should always be a concern? Can we say what our users can and can't install? Not a chance in hell. As a net & sysadmin you have to remember one thing. Never trust your own network. Period.

      Given my placement in the arena you think I'm not in, I can very easily and with great authority comment on "employers not understanding" small parts of the big picture.

      --

    2. Re:I can see it now by macdaddy · · Score: 3
      Thanks. I try to write the most productive responses I can. I think that in the larger campuses (even most smaller ones) you can segment users and user types by the building they come from. For example, I know that the only non-dormite user in my dorms is the Residents Hall Director. The front desk is dormites as are all the other users. The basement labs in the dorms are again dormites. The Res Hall Dir wouldn't lose much of anything from being treated like a dormy. Give dorm drops private IPs for security reasons. This greatly inhibits the amount of damage a single student can do with a warez server. It also keeps a passive DDoS client at bay because the master can't contact the slave if it has a non-routed address. It won't do much for active DDoS clients that actively report in and listen for commands from the master, such as one using IRC to communicate. Now mind you, I would have been really upset if this had been done to me when I was in the dorms. After some reflection though I quickly realized how easy of a target my systems were at that time and how much I could have compromised security. A private IP (routed across the campus but nowhere else) could have prevented anything but a local sploit. This private IP business is part of that "trust level" thing you were talking about. Time and time again a few dorm residents prove that they can't be trusted. It's not all of them but you can't treat just one or two of them. You have to treat them as a whole for whatever reason (usually political). Private IPs will still easily meet the education goals of our charter while increasing MTBF and MTBH's (or MTBCS). Private IPs for printers is also a very very good thing. Printer manufacturers are very bad about embedding an *nix OS to control their printers while not actively taking a role in securing them in the present or future.

      A DMZ is also a must. The larger the network the more grand it becomes. DMZ != demilitarized either. If anything it's just as secure as your local server farm, if not more secure. You just allow services from the outside to that subnet that you don't want to allow elsewhere. Once you separate your public services (DNS, SMTP relay, www) from your local services (LDAP, RADIUS, HEC machines, etc..) you can then isolate the local services and beef up security even more internally. I wouldn't say to separate the desktop and server networks although that's really what you are doing in a way. In my ideal network, each building is 3 subnets, 1 public and 2 private. The public is general use for all faculty/staff. One of the private is for our networking hardware (non-packet rewriting things like switches, wireless access points, and repeaters). The other private is broken down more for printers, labs, special machines that only need local access, etc.. Each building is an entity. Each entity is multiple subnets. Each entity is also an interface on a core router (or trunked interfaces if need be). The server farm is also an entity independent of the building it resides in. The same goes for the administrative workstations. That's an entity as well. Each entity becomes a subnet or more and an interface on the/a core router(s). Firewalling from that point on is a breeze because of the ease with which nodes on a subnet can now be identified. The entire subnet is DMZ. This subnet is dorms. This subnet is administrative workstations/personal servers. This subnet is all server farm. Breaking it down from there and applying rules just got a lot easier. :-) Now you can identify users and types of users by subnets and actual physical interfaces (even VLANs if you want to get even more fine grained). The physical distinction makes it a breeze to place the dorms behind a Packeteer or the like.

      I also contract admin at my old ISP. At that place I get very anal about my host-based security. In fact all of my machines at all my places of employment and home utilize host-based packet filtering on top of heavily TCP wrapped services. Everything is up-to-date and everything is configured with security in each daemon's config file. The TCP wrappers are basically a backup for my ipchains filtering. Redundancy never hurt anyone. Beyond my server farms sits a Linux Router/Firewall. That box provides even more protection. Box A is our web server and does nothing but HTTP, FTP, and SSH, so that's all you can connect to. Box B provides no external services so you can't see squat on it. Host C is a RADIUS machine. Only local subnets have access to it and more specifically only terminal servers. Being very anal about security can be a good and bad thing. Some people are so anal that they won't allow you to SSH in to your desktop machine from home. That's unreasonably anal. I'm anal enough to prohibit RPC, Netbios, direct SMTP (as in a server running on a desktop machine), and DNS from home to a work machine. That's much more reasonable. The anal retentive firewalling has gotten me one very good thing. I've never been hacked. Not yet anyhow. It will happen; that's guaranteed. It just hasn't happened yet. I like to think that some of my measures have helped. If they haven't, it's sure been fun learning how to do what I do. Cheers

      PS==> Switching switching switching....

      --

    3. Re:I can see it now by crucini · · Score: 2

      That was a pretty cool response. I was halfway in agreement with the control freaks here - I can certainly understand the fear of having trojaned boxes behind the firewall. But Universities continue to show that openness is possible.
      My question in these situations is always, "Why do all the machines have to be at the same trust level?" Or to put it differently, maybe it's time to rely more on host-based security and less on firewalls. Given a big enough site, there must always be hostiles behind the firewall. So why not put the desktops on their own network behind a different firewall from servers? Let them infect each other. Of course, even if you completely distrust the desktop machines (best way IMO) it would still be upsetting to have SS7 on them capturing every password.
      Maybe NSA's trusted linux will solve this stuff.

    4. Re:I can see it now by Enigma2175 · · Score: 1
      The program is also executing around arbitrary data downloaded from the internet...

      No, it is not executing arbitrary data, it is analyzing the data. The only thing that is executed is the program itself. It then performs a series of mathematical calculations on the data. The data is never executed, it would be very difficult if not impossible to compromise a SETI client with a simple man-in-the-middle attack.


      --

      Enigma

  51. Re:University != company Re:I can see it now by macdaddy · · Score: 2
    Each environment has its needs

    Couldn't be said better. I contract admin for an ISP as well and different needs apply there. I can filter more in some respects and less in others. Since it is a very rural ISP I can filter more. Since it's an ISP, I really can only filter less than here at the university. Different places have different needs. I'm writing a modular ipchains-based firewall system. The default settings are extremely anal. All privileged ports are blocked by default. You have to explicitly open the ones you want to allow access to. It's like an ALL: ALL TCP wrapper statement in your hosts.deny. Then you explicitly open what services you want to be accessed and from where. Banks and large corporations all have their needs as well. No one department in a large corporation will have the same needs as another corporation. No matter what way it boils down to, each department should be its own little entity and have its own set of ACLs, possibly even a dedicated firewall (see the other comments I posted in this thread about that).

    99 times out of 100 management is much more ignorant than the users they are supposed to be thinking of. Sometimes it's technical incompetence. Other times they try to make it political when it doesn't have to be. Still other times they want to slap a pretty PR face on something and delay or bump up schedules on it to fit their PR whims. Poor management causes that. Management that doesn't listen to their own employees causes that. Management that is only looking for self advancement causes that. This isn't to say that all management is bad. I've been fortunate enough to have a couple good managers in my time. Usually my super is quite good as well. I can only think of one place where the top of the stack was a knowledgeable, technically competent person. What would be ideal is if management could be grown from within. Take a senior sysadmin/netadmin that everyone likes to work with and give them management training. Then give them a shot at the top. Other times the department is already so screwed up that the ultimate top of the heap of the entire business or university would have to be on crack to hire from within. I've seen that as well.

    --

  52. Security risk-- for WHO? by marcsiry · · Score: 3

    THEY just don't want you to know what sort of traffic is REALLY moving between the TVA and the Greys.

    TVA=MIB?!?!

    --
    Marc Siry || interactive media professional, motorcycle enthusiast ||
  53. Re:What you don't know... by Medieval · · Score: 2

    At one point, foreign government spies checked out the number of pizzas being ordered by the White House to determine if there was something up at the White House. It is now policy that employees of the White House are not allowed to order food from anywhere but the White House kitchen.

  54. Re:Security by M-G · · Score: 3

    Yep....it makes me wonder just how concerned they are about security if people have been running SETI for over a year before they discovered it. Why didn't they find the application sooner? Why didn't they see the processes running sooner? Why didn't they notice the freakin' traffic to and from berkeley.edu?

    The security risk here isn't SETI, but rather TVA's seeming inability to notice violations of their security policies. Maybe I can pick up a Y2K surplus generator on the cheap, since now that we know how much attention they pay to their network, it's going to be a big cracking target...
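Added example, not from this thread and not SETI@home's own code: frozen_crow's point above (the client talks plain HTTP through whatever proxy you hand it) and M-G's question (why nobody noticed the traffic to berkeley.edu for a year) are two sides of the same check. Port 80 tells you nothing, but if the desktops leave through a proxy, the proxy's access log names every destination host, and a host match is all the detection you need. The Go program below scans constructed Squid-style log lines for requests to SETI@home hosts and tallies them per client; the host suffixes, every log line and the client addresses are assumptions invented for the example, and the peer IPs are documentation addresses.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strconv"
	"strings"
)

// Host suffixes treated as SETI@home traffic. Assumed for this example; a real
// deployment would take the list from its own proxy history, not from memory.
var watchedSuffixes = []string{"setiathome.berkeley.edu", "setiathome.ssl.berkeley.edu"}

// Constructed sample lines in Squid's native access.log layout:
// time elapsed client code/status bytes method URL user hierarchy/peer type
const sampleLog = `1027612345.123    210 10.1.2.3 TCP_MISS/200 1234 GET http://setiathome.ssl.berkeley.edu/cgi-bin/client.cgi - DIRECT/192.0.2.10 application/octet-stream
1027612400.456     95 10.1.2.3 TCP_MISS/200 342 POST http://setiathome.ssl.berkeley.edu/cgi-bin/client.cgi - DIRECT/192.0.2.10 text/plain
1027612410.789    120 10.1.2.9 TCP_HIT/200 5120 GET http://www.tva.gov/abouttva/keyfacts.htm - NONE/- text/html
1027612420.000    300 10.1.7.22 TCP_MISS/200 8000 CONNECT setiathome.berkeley.edu:443 - DIRECT/192.0.2.10 -
1027612430.111     80 10.1.2.9 TCP_MISS/200 2000 GET http://slashdot.org/ - DIRECT/192.0.2.20 text/html
this line is garbage and must not crash the scanner`

type clientStats struct {
	Hits  int
	Bytes int
}

// requestHost pulls the destination host out of a proxy request. Plain HTTP
// carries the full URL; HTTPS through the proxy shows up as CONNECT host:port,
// so the host is the only thing visible there.
func requestHost(method, target string) string {
	if method == "CONNECT" {
		return strings.ToLower(strings.SplitN(target, ":", 2)[0])
	}
	u, err := url.Parse(target)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

func watched(host string) bool {
	for _, s := range watchedSuffixes {
		if host == s || strings.HasSuffix(host, "."+s) {
			return true
		}
	}
	return false
}

// scanLog tallies, per client address, the requests that went to a watched
// host. Malformed lines are skipped rather than trusted.
func scanLog(log string) map[string]clientStats {
	stats := map[string]clientStats{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) < 7 {
			continue
		}
		size, err := strconv.Atoi(f[4])
		if err != nil {
			continue
		}
		host := requestHost(f[5], f[6])
		if host == "" || !watched(host) {
			continue
		}
		s := stats[f[2]]
		s.Hits++
		s.Bytes += size
		stats[f[2]] = s
	}
	return stats
}

// offenders lists clients with at least minHits watched requests, busiest first.
func offenders(stats map[string]clientStats, minHits int) []string {
	var out []string
	for c, s := range stats {
		if s.Hits >= minHits {
			out = append(out, c)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if stats[out[i]].Hits != stats[out[j]].Hits {
			return stats[out[i]].Hits > stats[out[j]].Hits
		}
		return out[i] < out[j]
	})
	return out
}

func main() {
	stats := scanLog(sampleLog)
	for _, c := range offenders(stats, 1) {
		fmt.Printf("%-10s %d requests, %d bytes to SETI@home hosts\n", c, stats[c].Hits, stats[c].Bytes)
	}
}
```

The same host match is what you would hang a proxy deny rule on if the policy is to block rather than just report; the CONNECT case is why a URL-path filter alone misses clients that go over HTTPS.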

  55. From someone (sort-of) in the know... by AllenAtUT · · Score: 1

    Just so you know, I'm an intern working with some UNIX sysadmins at TVA this summer... Okay, folks, I understand the whole issue with SETI not being a huge security risk, but everyone who mentioned that it's a business decision is right. It's a clear violation of stated policy (see Communications practices 7 and 8). Overall, they're pretty good about personal use of the net. Basically, the standard is the same as a personal phone call, i.e. as long as it doesn't interfere with work. Yeah, desktops are pretty much locked down, EXCEPT for the screen savers... they figure people will know enough not to violate policy. Of course, even some IT managers don't listen, but that's another story. So, before everyone goes nuts over this, keep in mind that we're talking about the IG of the Agency, not necessarily an admin who knows the "right" words to use when talking to other computer folks. They mean well :). Of course, that's just my opinion.
    Allen Cain

    --
    Allen Cain
  56. Re:Perhaps.... by Dwonis · · Score: 1
    LOL. So I'm not the only one who noticed that... :)

    "Gee, these aliens' computers are not only x86-compatible, but they run an OS that is vulnerable to viruses..."
    ------

  57. Re:What you don't know... by Tackhead · · Score: 5
    > > Richard Chambers, TVA's inspector general, said: "If you're allowing others to tap into your computer, you have got some additional risk there."
    >
    > This sounds suspiciously like a comment from someone who has no idea what SETI@Home does, and is condemning a random program that happened to access the Internet.

    1) You're right. There's probably a much greater security threat from spyware that comes with things like RealPlayer, and/or users installing stuff like AudioGalaxy or Comet Cursor, etc. on their machines.

    2) He's also right. Maybe for the TVA, this is a little paranoid, but a keyword search on "covert channels" provides some insight.

    Suppose you were a KGB agent assigned to find out when the TVA was most worried about blackouts. You'd be very interested in knowing when large numbers of TVA employees were working overtime at the head office.

    Rather than hax0r the head office's computers (exposing yourself to risk), or have an agent staking out the head office (exposing the agent to risk), you'd just eyeball SETI@Home's publicly-accessible stats.

    You could then deduce that something was FUBAR in Tennessee when "Team TVA", which was churning out one unit every 70 minutes from 5:00pm to 9:00am, dropped their stats precipitously - say, damn near nothing getting done until 11:00 pm, one unit every 120 minutes from 11:00 pm to 1:00am, and only going to the "regular" 70 minutes per unit from 1:00 am to 9:00am.

    In fact, in the simplified case I've specified above, you could not only make an educated guess as to how many employees were working overtime, and for how long, you could even make an educated guess as to what hardware platform was being used by The Guy Who Stayed Until 1:00 In The Morning.

    Like I said, for the TVA, this is probably paranoia. But for other agencies, information leaked by covert channels can be deadly serious.

    (In business too -- at a small enough company, suppose you saw similar data patterns and you knew what CPU power the CFO's PC had. If the CFO's up all night, every night, on the last week of the quarter, maybe he's desperately trying to make up the numbers. Such information could be worth millions of dollars, and it wouldn't even be insider trading, because you're only making an educated guess based on the working hours of the CFO.)

    I hate to side with an ignorant bureaucrat, but in this case, he's right. (Even if, in all likelihood, he hasn't the faintest clue as to why he's right ;-)
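Added example, not from the thread: the covert channel Tackhead describes above, carried through in Go with constructed numbers. It assumes a team of six PCs that each finish one work unit every 70 minutes while idle, a baseline night in which all six run the screensaver from 17:00 to 08:00, and a second night in which nobody's machine goes idle before 23:00 and three are still in use until 01:00. The code flags the hours where the team's public output drops below a fraction of the baseline median and estimates how many machines were kept busy; the team size, the per-machine rate and both nights are assumptions made up for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Assumed team: six PCs that each finish one work unit every 70 minutes when
// idle. Both figures are invented for the example.
const perMachineRate = 60.0 / 70.0 // units per hour per idle PC
const idleMachines = 6

// bin is one hourly slot of the team's publicly visible statistics.
type bin struct {
	Hour  string
	Units float64
}

// hourLabels covers the out-of-office window from 17:00 to 08:00.
var hourLabels = []string{
	"17:00", "18:00", "19:00", "20:00", "21:00", "22:00", "23:00",
	"00:00", "01:00", "02:00", "03:00", "04:00", "05:00", "06:00", "07:00", "08:00",
}

// flat is a night in which the team's output is the same every hour.
func flat(unitsPerHour float64) []bin {
	out := make([]bin, len(hourLabels))
	for i, h := range hourLabels {
		out[i] = bin{Hour: h, Units: unitsPerHour}
	}
	return out
}

// overtimeNight is the constructed second night: every PC still in use until
// 23:00, three still in use until 01:00, then the usual idle output.
func overtimeNight() []bin {
	obs := flat(idleMachines * perMachineRate)
	for i := range obs {
		switch obs[i].Hour {
		case "17:00", "18:00", "19:00", "20:00", "21:00", "22:00":
			obs[i].Units = 0
		case "23:00", "00:00":
			obs[i].Units = 3 * perMachineRate
		}
	}
	return obs
}

func median(xs []float64) float64 {
	s := append([]float64(nil), xs...)
	sort.Float64s(s)
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// quietHours returns the hours in which observed output fell below fraction
// times the baseline median, i.e. the hours an outside observer would read
// as "people still at their desks". Hours whose labels do not line up between
// the two series are skipped rather than compared blindly.
func quietHours(baseline, observed []bin, fraction float64) []string {
	units := make([]float64, 0, len(baseline))
	for _, b := range baseline {
		units = append(units, b.Units)
	}
	floor := fraction * median(units)
	var out []string
	for i, o := range observed {
		if i < len(baseline) && o.Hour == baseline[i].Hour && o.Units < floor {
			out = append(out, o.Hour)
		}
	}
	return out
}

// busyMachines estimates how many PCs were kept off the screensaver in an
// hour, from the shortfall against the baseline and the assumed per-PC rate.
func busyMachines(baselineUnits, observedUnits float64) int {
	if observedUnits >= baselineUnits {
		return 0
	}
	return int(math.Round((baselineUnits - observedUnits) / perMachineRate))
}

func main() {
	base := flat(idleMachines * perMachineRate)
	obs := overtimeNight()
	quiet := quietHours(base, obs, 0.7)
	for i := range obs {
		for _, h := range quiet {
			if obs[i].Hour == h {
				fmt.Printf("%s: about %d PCs still in use\n", h, busyMachines(base[i].Units, obs[i].Units))
			}
		}
	}
}
```

The point of the estimate is that nothing here needed access to the TVA network: the per-machine rate is learnable from any one machine's public history, and the team total is published by the project. The only defence against this kind of leak is not to publish the stats, which for a volunteer computing project means not running it.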

  58. Re:Let's be realistic here... by pipeb0mb · · Score: 1
    You essentially matched all of my points with validation...yet you say I have no idea what I am talking about.

    You're exactly right, no application can be 'hack proof'.

    Again, I agree...all OSes are 'hackable', but Windows is a little less so than most. (Mainly due to the fact that it's what the script kiddies use.)

    NO ONE uses signatures or the means to validate them except for the big boys, which is too bad, as it would alleviate many of the 'viruses' and 'trojans' we see on the 6 o'clock news.
    Calm down; take a pill...I think we're on the same side.

  59. how? by taniwha · · Score: 1

    there are 3 power grids in the continental US - basically West, East and Texas (go figure) - TVA can't sell power to CA short of supplying an Energizer factory

    1. Re:how? by taniwha · · Score: 1

      there have been a lot of newspaper articles about the distribution grids here in CA recently - this was one of the facts that has been quoted widely - (along with the fact that often we have blackouts while there's still energy to spare - the local grid is not good at moving it north-south within CA)

    2. Re:how? by SirGeek · · Score: 1
      Actually there are more than that.

      There is ISO New England (http://www.iso-ne.com/) that does New England.
      New York ISO (http://www.nyiso.com) for New England
      PJM Interconnection (http://www.pjm.com/) who handles Penn/New Jersey/Maryland
      Mid West ISO (http://www.midwestiso.org/) which does most of the Mid West.

      And others (You can find them at http://www.iso-ne.com/industry_links/..

      These are just SOME of the players. The Grids are ALL connected (through one another). ISO New England regularly sells/buys from New York and Ontario. NY sells/purchases from PJM, etc.

  60. Oh, the irony! by dougmc · · Score: 4
    When you click on the original news story, a pop-up appears with a `Task Bar Update' that downloads an application that puts `live temperature and storm warnings next to your PC clock along with live news updates'.

    It also says these are `100% safe and completely free.' This program is just as dangerous as Seti@HOME could be.

    TVA is right -- Seti@HOME is a risk. It's probably a small risk, but for all we know, the client could have code in it that allows Seti@HOME to take control of your box at will, for example.

    It also will cause your computer to use more power, and to run slower (ok, just a tiny bit slower, but still.) All this, and it offers the company *nothing* (after all, it's not TVA's job to help SETI.)

    And the boxes belong to TVA. Therefore, they're completely in their rights to ban Seti@HOME, and they're doing the right thing.

    1. Re:Oh, the irony! by jesser · · Score: 2

      > It's probably a small risk, but for all we know, the client could have code in it that allows Seti@HOME to take control of your box at will, for example.

      A more likely problem is a potential buffer overflow in the code the client uses to communicate with the central SETI@HOME server. Then if someone were to spoof or break into the server, they would instantly be able to gain access to all computers running the SETI@HOME software. I don't know if such a hole is present in the SETI@HOME software, but remember when AOL intentionally exploited a similar hole in AIM?

      --
      The shareholder is always right.
  61. SETI@Home and denial of service by alispguru · · Score: 3

    There might be a legitimate reason for keeping SETI@Home (or any random application) off of a major organization's computers. Go look at this issue of Risks digest. The problem described here is not a security issue, but a feature of the SETI software that can cause a few copies of it to wedge a net connection if it can't reliably get to its server.

    --

    To a Lisp hacker, XML is S-expressions in drag.
  62. It can be considered a conflict of interest. by Ryokurin · · Score: 1

    The reason why TVA is making a big issue of this is because of the fact that if the wrong person found out about it they could possibly catch hell for it.

    Think about it. Although they are trying to make themselves self-sufficient, and a private company, they still depend on a little bit of government funding to exist. All they need is a conservative to use the existence of software that uses the machine in ways unintended from their original use of purchase as a reason to hang their asses.

    Also it should be noted that they don't allow the installation of software other than their own anyway, just as most corporations and government agencies don't, because one, it could make it unstable, and two, it increases the chances of hacks, and three, it could be a potential conflict of interest.

    Who can say that one instance of Seti couldn't be installed with sub7 attached, or for that matter, what about that inspirational screensaver with something else more heinous?

  63. Re:Right: unaudited apps + waste of (nuclear) powe by Ryokurin · · Score: 1

    Yes, they are anal on power consumption, as they are the power company for a good majority of the South.

  64. Re:California by Ryokurin · · Score: 1

    Heh, you better be somewhat worried about them. TVA is almost your only hope of not having more rolling blackouts this summer. They are one of the few utility companies that's going to have power to sell to California.

    Not to mention the South helped research the atomic bomb, a good majority of NASA is in the South, and also missiles such as the Patriot were designed and manufactured there as well.

    Hicks indeed.

  65. What about ICQ? by MobyDisk · · Score: 1

    I wonder how many people in their corporate network run ICQ, MSN messenger, AOL instant messenger, Internet Explorer, or any number of other insecure apps.

    If this is really an issue, then they should block the ports and/or the site.

  66. Re:California by kampo · · Score: 1

    Perhaps they're just worried that when we do find the aliens they'll give us the technology for that unlimited non-polluting and free power source...

  67. Re:No, clueless users... by Kidbro · · Score: 1

    A common misconception is that SETI@Home and other distributed clients for data processing are "free". It's quite simple really, a computer that does nothing consumes less power than one that's working at 100%. Plain and simple.

    --

  68. Why not use distributed computing for more? by Crimplene+Prakman · · Score: 5


    I am absolutely amazed that employers do not use the power of their idle PCs THEMSELVES!

    There are so many applications out there already - SETI@home being one, others include a few at distributed.net, FightAids@Home.org, and there are others cropping up, supporting cancer research, some commercial projects, code-cracking. Many many popular (in a geeky or tear-jerky way) projects that interest us enough to donate our unused cycles.

    Now, a company such as TVA - that would rather its employees do NOT use their cycles for such tasks - would do well to provide some other diversion to occupy the screens of its employees. Hey, they could even license the software from SETI, Entropia, or some other vendor of distributed computing solutions, tart it up to look nice with their logo, and plug in some of their own research models. I'm sure their scientists have some energy calculations that could benefit from massively parallel computing.

    And what of the rest of the world's processors? In a large customer service department in any medium-large sized company - even one with no real scientific research needs - there will be many PCs available for many hours. It would be a simple matter for such a company to rent out its spare cycles, again using the same software, with suitable logos. Except this time it would be managed internally, with no risk of external network corruption. The information server could be housed safely with the rest of the company's servers, making a quiet buck in the background, with everyone happy.

    Ah, but that would be too sensible, wouldn't it?

    /prak
    --
    We may be human, but we're still animals.

    1. Re:Why not use distributed computing for more? by chrysrobyn · · Score: 1

      > by Crimplene Prakman (rot13 this to mail: cenx@zvaqyrff.pbz) on 18:24 Monday 18 June 2001 EST
      > I am absolutely amazed that employers do not use the power of their idle PCs THEMSELVES!

      Please suspend part of your amazement. Some of us use idle cycles for lots of productive work. I couldn't get my job done without those spare cycles. To my knowledge, our tool only works on Unices, but they're the only ones with the throughput for what I need.

    2. Re:Why not use distributed computing for more? by Colz+Grigor · · Score: 1
      > I'm not an accountant...

      Well that's obvious. =) Maybe I can help out a bit with some understanding and answer your question. (FYI, I'm not an accountant, either, but I took many classes in accounting and taxation during my Bachelor's/MBA programs.)

      First, there's some confusion in some of your terminology. When I think of the word "deductible", I think of it in the donation/income tax sense; it represents an outflow of cash (expense) that can be deducted directly from a company's net income (NI) in order to determine net income before taxes (NIBT).

      Depreciation is not a deduction in this sense. Depreciation is the amount of value that has been used on an asset that has a defined life span. In other words, if a company purchases new computer equipment that they expect will last four years, rather than expense the entire value of the equipment purchase in a single accounting period, they only expense the portion of the value of the equipment that has been used during the accounting period. For example: You earn $10,000, and you buy a server for $4,000. You honestly expect to be able to use the server for about 4 years before it will no longer be able to serve your needs adequately. Rather than reporting $10,000 less $4,000 ($6,000) as your total income, you choose to report $10,000 less $1,000 (1/4 of the $4,000 value) ($9,000) as your total income, leaving $3,000 to be depreciated in the following three years.

      The amount paid for electricity, on the other hand, is typically not a deduction nor can it be depreciated because it is instantaneous and has no lifespan. It's an expense, much like the $4,000 (or $1,000, if you depreciate) expense for the computer. It's an outflow of cash.

      So the question remains: Could an employer deduct as a charitable donation the percent computer usage donated to such causes?

      No. The employer did not have an outflow of cash for these CPU cycles and therefore it cannot be deducted. Even if the charitable CPU cycles caused a loss of overall productivity, the loss is an opportunity cost, not an actual cost, and cannot be considered in financial reporting. The company would only consider opportunity cost in the decision-making process on whether it made sense to devote resources toward the charitable CPU usage. In order to do this, the CPU cycles would have a value of whatever else you were planning to do with the cycles. Since we're saying the CPU would otherwise be idle, the opportunity cost is $0.

      Confused? So was I for the first three years. I've tried to be clear, here, but if you (or any other reader) are interested and I just didn't make sense, please send me e-mail and we can continue the discussion.

      ::Colz Grigor

      --

    3. Re:Why not use distributed computing for more? by Colz+Grigor · · Score: 1
      I did use the Preview button, but I managed to let this slip by:

      Depreciation is the amount of value that has been used on an asset that has a defined life span.

      Incorrect. Depreciation is the opposite. It is the remaining value of the asset, excluding the amount of the asset that has been used in the present and previous accounting periods.

      Sorry about that.

      ::Colz Grigor the misspoken.

      --

    4. Re:Why not use distributed computing for more? by ortholattice · · Score: 2

      Oops. Before someone calls me on this - if they haven't already - of course the electricity is already deductible and can't be deducted twice. So the issue is whether the donated computer usage, vs. depreciation, would be allowable and economically advantageous. I'm not an accountant or lawyer :)

    5. Re:Why not use distributed computing for more? by ortholattice · · Score: 3
      > I am absolutely amazed that employers do not use the power of their idle PCs THEMSELVES!

      Could an employer deduct as a charitable donation the percent computer usage donated to such causes? That would make it a LOT more attractive. Of course, eventually the computer is deducted anyway as it depreciates, but this might effectively accelerate the deduction. Plus some of the electricity used might be deductible.

    6. Re:Why not use distributed computing for more? by kr4jb · · Score: 1

      When I worked for [large un-named Canadian Telecom giant], our management was convinced that unix workstations automatically shared their processor loads. So each manager had a nice workstation running nothing but a screen saver.

      --
      // Alan Porter
    7. Re:Why not use distributed computing for more? by tmark · · Score: 1
      > Incorrect. Depreciation is the opposite. It is the remaining value of the asset, excluding the amount of the asset that has been used in the present and previous accounting periods.

      Huh ? I am not an expert in accounting, but have had some financial accounting in the CFA program, and depreciation shows up on the income statement, so it couldn't be "the remaining value of the asset" (else it would be on the balance sheet). To use your terminology, depreciation is "the amount of value that has been used on an asset" in a given reporting period. The amount of value that has been used (total) on an asset is the accumulated depreciation.

    8. Re:Why not use distributed computing for more? by KagakuNinja · · Score: 1

      You know, it is OK to turn those PCs off at night. They are going to be thrown out in 5 years (or less), who cares about the alleged damage caused by turning them off occasionally...

  69. Hacking the TVA by phunhippy · · Score: 1

    So let me get this straight... TVA is paranoid about being hacked....

    SETI@Home is a violation of Security protocol...

    www.tva.gov is running Apache on an HPUX machine.. pretty secure...

    Workers of the TVA are running windows... doesn't this violate the security protocol?

    :)

  70. Re:Company computers are for work. by Greyfox · · Score: 2

    That's why they call it "work"! If it was supposed to be fun, they'd call it "Happy fun time!"

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  71. Re:Open Source has the same problem by MWright · · Score: 1

    It's true that any one person will probably not look at the code for a program, but, chances are there will be someone else who will look at the code instead. Of course, one shouldn't trust that someone else will for very important things; however, you can be far more certain that an open-source program is free of backdoors than a closed-source program. Furthermore, knowing that the code will be seen by anyone else who wants to look is enough motivation for most people to not include backdoors at all.


    -----

    --
    "But really, I think life is just a game of Mao Nomic." -Purplebob
  72. Right: unaudited apps + waste of (nuclear) power by peterw · · Score: 3
    To all the folks claiming SETI@home is safe: how many of you have thoroughly audited its source code? The rest of you can drop that claim. Adding any software to a system represents a security risk. Give TVA some credit for showing their employees some respect and not locking down the workstations so that management is a headache. Obviously TVA has a policy against installing unapproved software, and these folks broke that rule. They're at work, so they should follow the rules. [Sidenote: if TVA trusts JVMs, then seti@home might be OK as a Web applet.]

    Power consumption: TVA is very sensitive to this issue, though it seems some posters do not know this (what a shock!). TVA has many, many employees, and the power they use is not free (has anyone been following the California power crisis press coverage?). Every extra watt that TVA burns because some dufus won't let his screen go to DPMS suspend/off mode is potentially just more nuclear waste to be dealt with.

  73. Re:No, clueless users... by Col.+Panic · · Score: 1

    True that the benefit to TVA is nil, but the software is exploiting resources which otherwise go unused, so it's a Good Thing IMNSHO.

  74. Re:Clueless seniors by Trinity-Infinity · · Score: 2

    > SETI@home is closed source. Neither the employee running it nor TVA management has the faintest idea what it really does. Therefore the TVA can reasonably be paranoid about it.

    Amen! It's those reasons that I use when I try to persuade others not to use Windows... I get the impression MS is trying to do something sneaky when most any windows app I use tries to install the latest version of IE automagically... :-/

  75. ANY downloaded software is a security threat by El · · Score: 1

    If you haven't diligently reviewed the source and then compiled it yourself, _any_ software could contain trojans... even say, software coming out of a certain monolithic company in Redmond. In the Open Source community we rely on many eyes examining the code to detect malicious insertions, but even this isn't foolproof. In general, it's a good idea to assume that any code that hasn't been running for several months _may_ contain back doors. The assumption is that if the software is running on enough machines, within a few months to a year _somebody_ should have detected the problem, although there are no guarantees. In this case, running a new update of the SETI code DOES represent a security risk.

    --

    "Freedom means freedom for everybody" -- Dick Cheney

  76. Re:Job satisfaction is same as stealing from compa by F452 · · Score: 1

    I think it was "having a personal life" is like stealing from the company. Either way, funny stuff.

  77. Re:Perhaps.... by OmegaDan · · Score: 2
    I think we all learned from ID4 that to hack into an alien's system all we need to do is press "send virus" or some key to that effect ...

    Presumably this will work equally well for the aliens hacking our systems.

  78. Well, when you think about it... by 11thangel · · Score: 2

    SETI @home is pretty much just trying to find patterns in random data. Which is pretty much what you do with TCP sequence prediction. Of course it's a security risk, its the worlds biggest connection hijacker!

    --

    I am !amused.
  79. Re:please... by Ser\/o · · Score: 1

    I gotta agree on this one. Folks with that sort of an attitude are the reason I don't wanna go to work some days. These types, I've seen create problems just to see how fast I can fix 'em (yeah, I'm a lowly desktop guy, so bite me).

    There is a big difference between making someone else's job easier, and showing a small amount of thought and having things configured/arranged logically. I don't ask folks to go around the world to make things simple, but if some asshole thinks I'm gonna spend a whole day trying to sort through crapware bullshit, then image it is.

    --
    -Just because you're not paranoid doesn't mean they're not out to get you.
  80. Re:please... by perky · · Score: 1
    But giving someone a computer implies a little personal freedom

    how? I agree with you that this might be seen as a little OTT, but at the end of the day a computer at the office is a work tool and nothing more. Giving someone a pile of envelopes and a pad of A4 doesn't grant them any "personal freedom" as you put it. The rules were written down and they were broken - end of story.

    --
    "The new wave is not value-added; it's garbage-subtracted" - Esther Dyson, Dec 1994
  81. /. comments are correct by SimCash · · Score: 1
    Hey, all you posters out there - (at least the ones that were moderated up) - my faith is renewed. Seems almost all of you recognize the fundamental dichotomy between treating your own (home) systems as free goods to be shared versus the systems you are tied to at the job.

    However, this poster complained that another faceless bureaucrat might be clueless but right. Hey, one of the clue'd in crowd's biggest shortcomings is the inability to articulate technical issues so the bureaucrats can get it right. In this case, the 'crats must have a good IT in their corner, feeding them the right answers with a soothing but not condescending tone.

    Remember, "We have met the enemy he is us!"

  82. Re:I know the real reason... by kirby697 · · Score: 2

    I've had friends like that... built separate boxes out of spare parts JUST to have something to run dedicated SETI on. pretty ridiculous.

  83. Re:*giggle* Nope, you're wrong by Rand+Race · · Score: 1
    I seriously doubt that the critical systems are anywhere near these machines physically or network wise. These machines are office computers and engineering workstations not the power controllers. TVA employs over 13,300 people, the vast majority of which do not work in its 44 power facilities but rather at the huge administrative centers in Knoxville, Nashville, Chattanooga, and Muscle Shoals.

    They are worried about internal documents being compromised not that some SETI hacker will dump core in a non-computing sense.

    --
    Insanity is the last line of defence for the master diplomat. But you have to lay the groundwork early.
  84. I can see their point. by uncledrax · · Score: 2

    "Downloading the program from the University of California at Berkeley, called SETIhome (Search for Extraterrestrial Intelligence), was both a violation of written TVA policy and computer security, and future violations could result in dismissal, managers told the guilty employees. "

    This makes it improper for the employees to do this.

    " Richard Chambers, TVA's inspector general, said: "If you're allowing others to tap into your computer, you have got some additional risk there." "

    This is a fact. It's true. Oh yes, It's true.

    However:
    It is correct that SETI@Home poses pretty much no real risk, but since it was a violation of existing policy, and if they are that anal about security (a good thing really).

    For those that work in large office environments, you know how much junk users stick on 'their' computers (most of which is unstable 'neat-ware').
    And that is part of the issue. Many users do feel that they practically 'own' the computer, when in fact it is the company's, and they can govern how it is to be used.

    --
    ----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be
    1. Re:I can see their point. by Alatar · · Score: 1

      Ah, but the SETI client does not "tap into your computer"...it makes an outgoing connection, and downloads data.

  85. Re:No, clueless users... by bsdnazz · · Score: 2
    Here's a recent case posted on the RISKS Forum by a chap called Steve of a small company DOSing themselves. It was put down to the use of SETI@home clients on company PCs...

    There is an interesting little article on Sun's best practices site, titled, "Network Wedged by Little Green Men"

    http://dcb.sun.com/practices/devtales/network_wedged.jsp

    It covers how a small firm's network kept on slowing down to a halt. The problem was tracked down to Seti@home screen savers repeatedly trying to connect to the Seti servers, which were inaccessible due to attempted cable theft (as noted in past RISKS).

    The local firm's Internet access used NAT address translation, and each screen saver made multiple attempts to connect. Each connection attempt used a NAT assignment, an assignment which took a while to be cleaned up. Before long the company had exhausted their pool of 128 NAT addresses, even though only six people were present.

    Only through router interrogation was the problem identified.

    The article closes by saying the problem was "solved" by increasing the number of available NAT addresses, although of course that didn't fix the problem, merely caused it to 'go away'. A real solution would be to have the screen-saver software implement incremental backoff and other mechanisms designed to gracefully handle a complete loss of remote server access.

    One would hope that the authors of the next generation of distributed computation applications take heed of the lessons of the current batch.
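The self-inflicted denial of service described in this post and in comment 61 above, as an added example that is not part of either comment or of the Sun article: a discrete-time model in which every connection attempt by a screensaver burns one NAT mapping until the router ages it out. The pool size (128) and the number of people present (six) follow the article; the mapping lifetime, the naive 5-second retry interval and the backoff parameters are assumptions chosen for illustration.

```python
"""
Added example (not from the original post or the Sun article): a discrete-time
model of NAT pool exhaustion caused by clients retrying an unreachable server.
Pool size and client count follow the article; the mapping lifetime and the
retry timers are assumptions chosen for illustration.
"""
NAT_POOL_SIZE = 128     # from the article: the firm's pool of NAT addresses
CLIENTS = 6             # from the article: six people present
MAPPING_TTL = 120       # assumed: seconds a failed attempt keeps its NAT slot alive


def fixed_retry(attempt):
    """Naive client: retry every 5 seconds, forever (assumed interval)."""
    return 5


def exponential_backoff(attempt, base=5, cap=300):
    """Hardened client: double the wait after each failure, capped at `cap` seconds."""
    return min(base * 2 ** (attempt - 1), cap)


def simulate(clients, retry_schedule, duration, pool=NAT_POOL_SIZE, ttl=MAPPING_TTL):
    """Run `clients` screensavers against an unreachable server for `duration`
    seconds. Every connection attempt consumes one NAT mapping for `ttl` seconds.
    Returns (peak number of live mappings, whether the pool was exhausted)."""
    expiries = []                      # expiry time of each live mapping
    next_attempt = [0] * clients       # when each client will next try to connect
    attempts = [0] * clients           # per-client count of failed attempts so far
    peak = 0
    for now in range(duration):
        expiries = [e for e in expiries if e > now]   # router ages out stale entries
        for c in range(clients):
            if next_attempt[c] <= now:
                expiries.append(now + ttl)            # the attempt burns a NAT slot
                attempts[c] += 1
                next_attempt[c] = now + retry_schedule(attempts[c])
        peak = max(peak, len(expiries))
    return peak, peak > pool


if __name__ == "__main__":
    for name, schedule in (("fixed 5 s retry", fixed_retry),
                           ("exponential backoff", exponential_backoff)):
        peak, exhausted = simulate(CLIENTS, schedule, duration=600)
        print(f"{name}: peak {peak} mappings, pool of {NAT_POOL_SIZE} exhausted: {exhausted}")
```

Under these assumptions six naive clients hold 24 mappings each within two minutes (144 in total, more than the pool), while the same six clients with exponential backoff never hold more than 30; enlarging the pool, as the article's fix did, only moves the threshold, whereas backoff removes the growth. A real client would also add random jitter to the wait so that clients do not retry in lockstep; it is left out here to keep the run deterministic.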

  86. Re:Security in Tennessee ?? by sPaKr · · Score: 1

    Built the BOMB? So Einstein and Oppenheimer were hillbillies? Man, you really have been drinking too much SHINE

  87. Didn't anyone look at the installation routine? by kk5wa · · Score: 1

    The SETI@Home client allows you to NOT have it contact the mothership unless you give it permission. The TVA users that allowed it to communicate unattended....well they should have been aware of the risks, especially on the corporate dime.

    I am behind a firewall on the corporate/guvment-shill LAN, and if SETI@Home were banging away trying to contact the mothership, my firewall guys wouldn't contact me...they'd just lock me out until I called them. Just like they do for those poor saps who installed GoZilla, CometCursor, and all that other crap.

    --
    sine puella vita suget
  88. Irony by mrfiddlehead · · Score: 1
    Ironically, 98% of computers within the TVA were found to be running Microsoft Windows '9x, NT or 2000, all of which have been found to be susceptible to security threats from without. No comment yet from TVA Inspector General, Richard "bigmeanie" Chambers.

    News at 11 ...

    --
    :wq
  89. Open Source has the same problem by Mold · · Score: 1

    The same goes for open source software. I mean really, how often do you download a program and then read through the thousands of lines of code that make it. Oh sure, I can go in and change something that bothers me, which is nice, but if there isn't anything bothering me about it, and nothing I want to add, then why would I look at the code? And even when I do, I generally jump straight to where I need to go.

    If there is hole, and it was intentional, then it's probably in some obscure section of the code I'm not going to look at.

    Most companies don't have the time to search for this sort of problem, and in the case where the software wasn't supposed to be on the computers anyways, they aren't going to waste time and money to find these problems.

    1. Re:Open Source has the same problem by Tech187 · · Score: 1

      I make a point of only running software that I've downloaded from binary Warez Usenet newsgroups.

  90. Re:Security by coolgeek · · Score: 3
    What they're really saying is that "a computer being connected to the internet is a security threat."

    I believe calling SETI a risk is going a bit far, and I also don't believe that is their point. The point is about the user's behavior. Installing unauthorized software on their computer systems _is_ a risk.

    --

    cat /dev/null >sig
  91. Actually ... by Aceticon · · Score: 1
    ... the first value that came to my mind was 1 million.

    I guess my 500Hz brain cannot cope with the concept of 1GHz processors ...

  92. Redundant but ... by Aceticon · · Score: 2
    1 billion "wasted" CPU cycles
    • Cost (while in energy saving mode): $0
    • Benefit for TVA: $0

    1 billion CPU cycles used in SETI@Home

    • Cost: a couple of dollars
    • Benefit for TVA: $0
    1. Re:Redundant but ... by Bob9000 · · Score: 1

      > 1 billion CPU cycles used in SETI@Home
      > Cost: a couple of dollars


      1 billion cycles tend to happen in less than a second these days. If your CPU cost a couple of dollars to run a second...man...

      --
      Those whose signatures threaten negative moderation will be modded down.
  93. Re:Security @home by buss_error · · Score: 1
    That's pretty much what we do. The biggest problem is "experts" that load network killing software and wonder why the switch port doesn't work, and none of the unused ports work, then unplug someone that DOES still work to kill the segment again.

    We need better control over the MDFs and IDFs, and we aren't likely to get it.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  94. Security @home by buss_error · · Score: 2
    I think the @home says it all. It's for home.

    Many people get the idea that "their" pc is theirs, and thus are allowed to do anything they wish. MP3's? No problem. Lotto results in e-mail, SURE! p0rno? Why the heck not? Need to make sure you don't waste all that download time? Go ahead and copy 10 gig of MP3's to the server. Not enough space on VOL1? Heck, map over to SYS and drop it there. Server crash? Not your problem! The lazy nazi sysadmins will take care of it! Hey, those ass holes don't do anything but tell us not to do stuff. (OK, I am bitter.)

    At my employment, we have 9,000+ desktops with another 4,000 or so on the way. With this many PCs to deal with and 14 full time techs, we have to have some ground rules. Part of those rules are what software is supported and allowed, what is allowed, and what we will delete if we see it.

    For example, we had one site (we have a total of 78 sites) where 80+% of the desktops had virii from Marker to Back Orifice to Hybris to you-name-it. One PC had 11 different virii.

    Now, we have anti-virus software on the servers, on our smtp, and on the desktop. So how did this happen? It all started with public free web based e-mail, a version of anti-virus that had a problem with auto-updates, and herd stupidity. (When it did find a virus, people thought that it just HAD to be wrong. So they turned off the anti-virus.)

    We had to spend a great deal of time and effort, not to mention overtime rates, to deal with this problem.

    Now, tell me again why you simply must be able to load what ever the hell it is you want to load from what ever depths of slime you get it?

    Now, please, use your brain now and again. You can be the best power user since the Woz. The problem is that the next guy/gal in line may be my grandmother, and I'm here to tell you that she can't deal with swapped mouse buttons, persistent tails, and a Degas/Seurat looking desktop. So leave it alone, ok? And no, I am NOT going to deal with unmanaged user accounts on a desktop, so don't even bring it up.

    Bottom line: When you have a lot of people and a few techs, you must give up some flexibility to be able to manage that many resources. It's a case of too many eggs, not enough basket, and some joker setting fire to your foot. It can be done, but only if they don't stick an exploding cigar in your face at the same time they throw rotten fruit at you.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    1. Re:Security @home by acceleriter · · Score: 3

      Just leave the "power users" to fend for themselves. The policy I adhere to is that if you don't screw up your working environment, don't ask me to fix your machine, and don't piss off your coworkers, you can do whatever you darn well please with your office PC. If I have to mess with it, however, things change immediately for the worse. This tends to separate the real "power users" from the wannabes.

      --

      CEE5210S The signal SIGHUP was received.

    2. Re:Security @home by jotaeleemeese · · Score: 1

      Such a policy is irresponsible and wasteful.

      You must be sure nobody, not even wannabe power users, can disrupt other people's work.

      In some environments you can get away with it, in others you are opening the door to real nightmares.

      --
      IANAL but write like a drunk one.
    3. Re:Security @home by NutscrapeSucks · · Score: 1

      Agreed - the worst threat to internal networks is the users who imagine themselves to be 'power users' and therefore outside or above IT jurisdiction. These are the guys who download the "shareware of the day", get e-mail updates about dubious Windows-optimization tips (just delete this reg key and computer go fast!), load up their machine with game demos and weird multimedia crap, send out viruses (real or "good times"), run out of disk because they installed an unused Linux partition, read "PC Magazine" religiously, and so on.

      Generally, if someone can't figure out the difference between a "home" computer and a "work" computer they aren't power users, they're wannabes, and that's dangerous.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
  95. Re:What you don't know... by PeterP · · Score: 2

    and/or users installing stuff like AudioGalaxy or Comet Cursor, etc. on their machines.

    I have made it a crusade to get rid of comet cursor on every machine I come across. It is perhaps the most evil app I have run in to.

    I spent three hours once trying to get a Windows machine to show up on a network. We went so far as to delete and reinstall all of the networking protocols on the machine. And then, we deleted Comet Cursor. Bingo.

    What is the obsession with flashy cursors? I used to think that sysadmins that blocked users from installing any programs were draconian, but Comet Cursor has made me re-evaluate my views.

  96. Two PCs on every desk? by Clyde · · Score: 1

    "As cheap as PCs are, you'd think that TVA would have separate internet/email PCs on every desktop..." Wow, that's what I call a silly statement. Do they need an extra PC on every desk for internet access (so no sensitive data from the other PC is exposed)??? Or do they need an extra PC on every desk to run dedicated SETI processing?

  97. Company toilets are for use at breaks only by shepd · · Score: 2

    And so is the company water fountain.

    And company furniture is for work only. Not for you to rest your drinks, food, and children's pictures on.

    And the company floor is not for you to stand your own furniture on, just in case you were thinking of avoiding company rules.

    Better learn how to both use the toilet and drink at the same time. And learn how to time both those urges to happen for exactly 15 minutes minus walking distance once every four hours.

    "Employee #3782372, your typing rate has been below company standards for the past 240 seconds. You have been sent an automated pink slip as a result. Your pink slip will be recalled upon your resumption of a 40 wpm typing rate, and warning sent in its place. Note employee #3782372, you already have 2 of the 3 warnings necessary before being fired. Please clean your desk out tonight."

    I have a quote from a cartoon that's appropriate here (picture a steward readying the whip for a sweatshop worker): "Nike - Do it. Or ELSE!"

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  98. California by PolyDwarf · · Score: 1

    They just looked at what happened in California, and figured that it could happen to them.

  99. Some one set us up the screensaver! by ErikTheRed · · Score: 1

    All your power plants are belong to us!

    --

    Help save the critically endangered Blue Iguana
  100. Loaded article by magarity · · Score: 1

    Those /.ers who are not from that part of the country may not realize it, but the language in that news article was completely loaded to make the people running SETI@Home look like dangerous weirdos rather than people who just didn't read the employee handbook closely. That's the scariest part of that article; the insight into local culture and thinking. I bet that if it were one of the distributed cancer research programs, it wouldn't have made the news (although that would have been also shut down per TVA policy). As it is, searching for signs of alien life is tabloid fodder there.

    1. Re:Loaded article by Tech187 · · Score: 1

      SETI users are Mostly Harmless ** users, actually.

      (** Copyright, the estate of Douglas Adams)

  101. Re:Security by b0r1s · · Score: 2

    There's a lot of over reacting going on here...

    First, look at the headline ... that pretty much says it all. Reading the article, I realized that the TVA was not complaining about security, as much as unauthorized use. They mentioned security only briefly, saying it was a potential, and cited an example. Slashdot readers like to embellish stories to make it more likely that they'll get to the front page. It's human nature. People need to look past the headline, and read the story. Yes, someone complained. No, it's not newsworthy, but the headline was sufficiently flamboyant that it made it to the front page anyway, since the editors probably never read the entire article...

    --
    Mooniacs for iOS and Android
  102. Re:Company computers are for work. by tritiumsys · · Score: 1

    While you are completely right, is Seti@Home enjoyment, or a useful utility that would make use of something that isn't being used? Companies should be allowed to dictate whatever they want regarding their computer systems, however, Seti@Home should not be branded along the likes of Hoop it up or pr0n.

    -Rick

  103. Stupid Users? by Firethorn · · Score: 1

    I'd hardly call the average user running SETI stupid.

    That said, I have to agree that if they want to run SETI, do it at home. My work says very explicitly: No unapproved software. Period. Even Microsoft's been compromised at times. The more stuff you keep off your computer, the easier it is to keep it secure.

    I also wouldn't call a web server hack unrelated. I just checked, and the executable appears to be on the web server. If I can compromise the web server, I could replace that executable with whatever I want. Like a backdoor program that reports who it's compromised to somewhere. Depending on how quiet I was about it, it could be days before somebody noticed.

    Translation of 'Some kind of risk': There could be a problem with it, but we don't want to spend the resources to precisely determine what the actual risk factor is. If we do it for the SETI client, we'll have to do it for all the little programs people download and mail to each other.


    Firethorn

    --
    I don't read AC A human right
    1. Re:Stupid Users? by TGK · · Score: 2

      I think the key here is the policy. /. is getting upset, not because the TVA is saying "no unapproved software" but because they are saying "no SETI@Home." Unapproved software doesn't seem to enter into it. And therein lies the problem. The saying goes that a chain is only as secure as its weakest link. If you ban SETI@Home because it's "some kind of risk" but don't bother to check and get rid of every other unapproved piece of software you're running, the whole thing is for naught. Furthermore, not only have you failed to protect your system, you've also managed to annoy and irritate your users (and from what I can tell a number of /.ers) for what is ultimately no realizable gain.

      In short, what's the point in being a stickler for security on one front if you let it slide everywhere else?

      This has been another useless post from....

      --
      Killfile(TGK)
      No trees were killed in the creation of this post. However, many electrons were inconvenienced.
  104. Re:Clueless seniors by Totally_Lost · · Score: 1

    It's totally clueless from a security standpoint to allow any user behind a firewall to net install binaries. Sure, the real target site might be offering hidden trojans (after getting hacked). Sure, mirror sites get hacked, and can offer trojans. But consider that key DNS servers can also get hacked, redirecting ftp downloads to hackers' clone sites with everything a trojan.

    Network installs behind a firewall should be termination grounds, no exceptions. Any other policy, ESPECIALLY for US infrastructure, is just plain stupid.

  105. I know the real reason... by oingoboingo · · Score: 2
    Richard Chambers, the Inspector General of the Tennessee Valley Authority, has declared that employee use of SETI@Home on TVA computers compromises computer security

    This guy has just gone out and blown a phat wad of $$$ on one of those new dual AMD 760MP motherboards and a pair of 1.2GHz Athlon 4 chips. There's no way he's going to let any of his employees crunch more SETI@Home work units than him...and what better way to ensure that than by banning the client in the office?

  106. KGB agents by PyRoNeRd · · Score: 1

    Well I have a hard time seeing how a KGB agent would do that since the KGB was disbanded in 1991. Maybe you are thinking of the FSB, the Russian secret service.

    But really you Americans should stop being so paranoid about those "evil foreigners" doing dastardly things to your nation.

    After all Timothy McVeigh was an all-American boy and he was the worst terrorist in US History.

    And you Americans spy far more on other nations than other nations spy on America. Think Echelon!

    The last time I was in the USA I made the mistake of trying to pay with a traveller's check in a store and using my Dutch passport as identification. I was immediately surrounded by a couple of security agents because they probably reckoned I was one of those "foreign terrorists" they saw items about on CNN.

    And at immigration I had to fill in some form stating that I wasn't a communist, terrorist, child pornographer, AIDS bearer or whatever.

    Try making foreign people feel welcome in your nation for a change instead of laying xenophobia upon them!!

  107. It's a conspiracy by WildBeast · · Score: 1

    They don't want us to find out that aliens exist.

  108. Re:Security by sulli · · Score: 1

    Could be if the SETI@Home guys turned out to be blackhat terrorists who, discovering it's TVA, DDoS them and take out power to the South ... hey, you know, you can never be too careful when you're in the security business!

    --

    sulli
    RTFJ.
  109. Right Decision / Wrong Logic by dkemist · · Score: 1

    There are enough different aspects of this to make a few points. First, regardless of any "security" implications, any employer providing PCs (and the power to run them during those off cycles) has full rights to dictate what can and can't be run on them. For example, I've seen some employers try to force people to use all the powersave screensaver options to make sure that there's no electric consumption when the PC is not in use.

    Beyond that part, there's the security debate. From the quotes in the article, it would seem that the people here are quite clueless. A web-site compromise of email addresses somehow leads to "some kind of risk" associated with the client?? That doesn't quite make sense. However, another good point that was raised in another post was the fact that the SETI client is closed source. It's doubtful, but what if the evil minds at Berkeley really put a 3l33t r00tkit backdoor in the latest client? There'd really be little most people could do to detect it and stop it.

    Of course, that's probably being paranoid, but the bottom line is, I'd still hate to walk into a reasonably secure government facility and see the SETI screensaver going. This is probably one of those cases where people end up at the right decision, just using the wrong logic.

  110. Re:No, clueless users... by cprael · · Score: 1
    After all, what corporate benefit would there be to running the Seti@home program on a few computers? (sure, if they ran it company wide, they could get some miles out of it, but not on an individual user basis)

    To the Sysadmin, it's "unknown" software... could be benign, could be hazardous. They shouldn't have to be put in the position to have to make that distinction. They have better things to do (well... usually...) q:] Y'know, in an ideal world, I would agree with you. But you and I both know that this isn't an ideal situation. Re-reading the article, it looks like the systems where they found S@H are reasonably close to being critical systems - all of the areas they mentioned look like they would have to keep the desktops locked down pretty tight.

    But I will repeat my objection to making this a global (org-wide, at least), single-point ban. They are only banning S@H, even though there are probably quite a few screensavers/games/etc. that they're running on non-critical desktops that pose at least as many security risks. I got a pretty good look at how "tight" Federal agencies are with their computer systems after my wife spent a decade in the INS. Simply put, their machines are just as porous, just as prone to getting odd little bits of software put on them, as those at any company. My objection is to banning S@H, and _not_ sanitizing the rest of the organization for other unauthorized software. Is a little consistency too much to ask?

  111. Re:No, clueless users... by cprael · · Score: 1
    Considering it's really none of your business, yes.

    It's a Federal Agency. It's paid for by my taxes.

    Damn right it's my business. It's my country, it's my government, and I'll damn well stick my nose in. If the rest of the country thinks it's acceptable to tell CA what our power rates should be and how badly we should be screwed, then I'm perfectly willing to step up and tell the TVA that they should be consistent in how they enforce their system policies.

  112. Re:No, clueless users... by cprael · · Score: 1
    I don't think it's my business, your business, or anybody but the people paying for and providing the power to determine what the price should be for said power.

    Let the market decide. Get government out of the loop entirely.

    For some reason I am guessing that isn't your position on the issue.

    Actually, it is exactly my position on that particular issue. However, as long as I'm writing a check each month to PG&E, and PG&E is using that money to write a check each month (or less) to the generator, then it's my business, isn't it? I'm one of "the people paying for...the power" at that point, right?

    You're right about the market issue, too. That's why we just dropped $50-odd K at my office in generation capability (solar, plus battery backup). If the remarketing companies make a commodity product outlandishly expensive compared to generation costs, then I'm perfectly willing to get into the game and smack 'em where it hurts.

    You see, the "let the market rule" argument works both ways. You can also use the market to whup on people, as well as be whupped on. If their profits decline by 80-90% this year because of current behavior drawing more generation capacity into the market, then I won't cry a single tear. And if I can make scandalous amounts of money selling/building/installing that generation capacity in the first place, darn, what a bummer.

  113. Re:No, clueless users... by cprael · · Score: 1
    The NSA's computers are also paid for by the taxpayer, do you presume to tell the NSA what they can and can't install on their systems?

    As a taxpayer, it's my right to insist that they follow rational, consistent, and cost-effective IT policies, to the extent of my ability within the law, for exactly the same reason - it's my money they're spending. I can't _make_ them do anything. I can't tell them to _do_ anything. OTOH, it is my right to suggest certain possibilities, and to insist that whatever policy they wind up deciding on is rational and consistent.

  114. Re:No, clueless users... by cprael · · Score: 1
    Following your line of logic, go ahead and call up the NSA and give them your input.

    No, that's what congresscritters are for. Used to have a pretty good one, too, that they'd listen to.

    And, btw, TVA is considered a government agency, but, like the Post Office, makes it own money. Your taxdollars are not hard at work there. Your grandparent's, probably.

    Actually, mine are too - TVA isn't self-supporting. The only component of the TVA that _is_ self-funded is the electricity generation program - everything else they do is paid for more-or-less with Federal money.

  115. Re:No, clueless users... by cprael · · Score: 1
    This is only a very recent development, you should understand. FY2000 was the _first_ year that they went dry.

    http://w3.access.gpo.gov/usbudget/fy2000/pdf/budget.pdf

    "In 2000, TVA plans to pay for most of these programs in a new way, using proceeds from the agency's $6.8 billion power program, user fees and sources other than appropriations. The budget proposes appropriations of $7 million for TVA to manage the Land Between The Lakes National Recreation Area."

    http://www.tva.gov/finance/reports/pdf/fy2000ar.pdf

    Page 19

    Prior to 2000 TVA received Federal appropriations for essential stewardship activities related to its management of the Tennessee River system and TVA properties (nonpower programs). Congress did not provide any appropriations to TVA to fund such activities in 2000. Consequently, TVA paid for essential stewardship activities primarily with power revenues, with the remainder funded through user fees and nonpower fund balances unused in prior years.

    So, were you saying something about my tax dollars not being hard at work?

  116. Re:No, clueless users... by cprael · · Score: 3
    >> best they can come up with is, "some kind of risk"?

    And that isn't a good answer? Do you expect them to analyze the Seti@home software to determine exactly what risks are involved? Do you expect them to do the same for every piece of crapware that is out there that the user "might" install on their system?

    No, it isn't a good answer. The statements imply a significant amount of risk based on running Seti@Home. Technically, they're correct. Risk is a non-zero number in this case. HOWEVER, that doesn't mean that it also isn't a trivial number, something in the range of 10^-4 or more. Given the current data set (0 security breaches in 2 million users), it's more in the 10^-6 or -7 range _at worst_. So we're talking something over 4 orders of magnitude difference from what they've decided to imply.

    Now, speaking as the owner of a company, I can understand what they're doing, and the policy statement behind the "why". But they _damn_ well better go sanitize the rest of the TVA for unauthorized software (that cutesy screen saver someone bought, or the bootleg copy of Photoshop your graphic artist is using to maintain your marcomm because you're too stingy to buy a license), or they're going to look like a really hypocritical mob. Just my two cents.

  117. Clueless seniors by Alatar · · Score: 1
    Richard Chambers, TVA's inspector general, said: "If you're allowing others to tap into your computer, you have got some additional risk there."

    Anthony Smith, a senior manager of TVA's computer system [said] use of the SETI program on 17 TVA computers presented "some kind of risk".

    God, this would just be hilarious if it wasn't so pathetic. Sure, use of the pointless SETI program was against policy, and should have never been done in the first place...it's an example of stupid users installing software on their workstations that accomplishes nothing and increases complexity when troubleshooting is needed. But, when asked to clarify exactly what problem existed, the best they can come up with is, "some kind of risk"? God, what crap. And these guys are senior, and supposedly know what they're doing...this is the kind of knee-jerk response you expect when you put a freshly-minted MCSE in charge of a firewall. "We can't do that [desperately needed service], it's some kind of security risk." They go on to cite a breakin to the SETI web server (completely disconnected with the client, but try explaining that to these clueless morons). I hope I never, ever have to work in a shop like this.

    1. Re:Clueless seniors by SpeelingChekka · · Score: 1

      Neither the employee running it nor TVA management has the faintest idea what it really does. Therefore the TVA can reasonably be paranoid about it.

      While this is true, this isn't what happened here. If you read the article, you get the extremely distinct impression that the TVA management is paranoid here because they are clueless, not because they have any sort of realistic perception of where the risk really lies. Look at the following paragraph:

      Don Hickman, a senior manager in the TVA inspector general's office, said the staff knew the SETI program could allow hackers into a computer system and pointed to a news story showing at least one successful infiltration of SETI's Web site
      And the following one:
      Richard Chambers, TVA's inspector general, said: "If you're allowing others to tap into your computer"

      Mr Hickman very clearly seems to think that hackers can infiltrate a system running the seti client, simply because of an exploit whereby the hackers sniffed some traffic and figured out how to extract some email addresses from the data (it was not an infiltration of the web site - which would have been less serious anyway). This demonstrates an extremely vague and obfuscated understanding of networks, I'm not sure this guy even understands the difference between client and server, and between "web" and "internet".

      And "tap into your computer"? Sounds like this guy's understanding of hacking is limited to having read a couple of mainstream CNN media articles on hacking. These people seem to somehow think that the seti@home server connects to the clients and not the other way round.

      I agree that running any "blackbox" software on PCs is an unknown security risk. But the same can be said of any such software, including Microsoft Windows, which is already known to connect to the Internet and send information (as seti does). Yet nobody seems worried about running Windows. Chances are much better that hackers would use known Windows exploits to attack the TVA's computers than going through seti@home. I know GetRight connects to the Internet automatically and sends information without letting the user know, for example, and many people install GetRight without even being aware of this. Plenty of other commonly used software such as RealPlayer also apparently is guilty of this.

      Seti@home is a client. It doesn't run any listen ports whatsoever. You can't "get into a system" by going through seti. The only possible risk is potential malice from the authors of the client. But then why aren't these guys worried about all the other client software they use? I mean, precisely the same arguments apply to email clients and http clients.

      I think the world at large is slowly maturing to an understanding of the CSS risk, though management types will see it in "toys" like SETI@home before they see it in their precious COTS applications.

      I don't think this article is indicative of any trend toward a "maturing" understanding of the issues. My impression is quite the opposite, this seems to be a trend toward draconian, knee-jerk paranoia in policies stemming from fear which stems from a lack of understanding of the technology.

      You are correct that there is some reason to be paranoid about seti@home (which, as you say, extends to all COTS software). But I think in this case this is not the reasoning used by the managers at all. If these guys were paranoid about security for the right reasons, then why the hell wouldn't they already be running a firewall? While I'm not very experienced with firewalls, I'm pretty sure any reasonable default firewall config will block seti@home ports. These guys don't even have a firewall and they blindly trust all their "precious COTS" software. Doesn't sound to me like "maturing understanding" at all.

  118. Risk? Uh... yeah?? by jrockway · · Score: 1

    The use of the SETI program on 17 TVA computers presented "some kind of risk," Smith said.

    Breathing presents "some kind of risk," Jon said.
    No more breathing, folks. You're a fire hazard.
    --Jon

    --
    My other car is first.
  119. Re:Risk? Uh... yeah?? by jrockway · · Score: 1

      It was kind of a joke. It's funny (okay, maybe not). Laugh. ANYWAY, though... breathing does HEAT the air, which means running the energy-sucking air conditioning more :)

    --
    My other car is first.
  120. Re:Company computers are for work. by jrockway · · Score: 2

    But when SETI kicks in, you're not using the machine. It actually saves the company money by not wasting CPU cycles. So there.

    --
    My other car is first.
  121. Re:Company computers are for work. by jesseraf · · Score: 1

    it costs them power though.
    in all reality, it's not your decision to make.

  122. Re:Company computers are for work. by FreeMath · · Score: 2

    How dare you think about enjoying work. Thou shalt be miserable. Get back to your slave labour.

    --
    This sig intentionally left blank.
  123. Make a sacrifice for science by Eisenfaust · · Score: 1

    I believe that wasting CPU cycles that could otherwise be used to advance different fields of science is ridiculous. The SETI at home client is run by people at thousands of companies and institutions around the world, none of which (that I can find) have reported any legitimate security problems regarding the client. Quite frankly I find the argument that "you aren't supposed to run what your company doesn't want you to" completely ridiculous. If I know a program you wish to run is safe (or pretty friggin certain at least) and doesn't affect your work productivity, why should you let the advancement of science fall to the wayside! With all these morons opening their binary executable files they get from complete strangers in MS Outlook, do you think the main security risk to a system is through SETI??? To the argument of all the people whining about SETI at home not being open source I have only one thing to say. SETI is already having enough problems with people cracking the client to send back fake results so they can moronically increase their score. Just imagine how many results would taint this scientific research project if they allowed people to download the source code so every script kiddy could have his/her way with it. Believe it or not there ARE legitimate reasons for keeping things closed source in some instances. If the SETI team engineers a method of verifying all results without wasting too much CPU power (not bloody likely) they probably would release the source.

    --
    Grrrrr... don't bother me, I'm thinking.
  124. What's their OS? by arfy · · Score: 1

    Betcha they've lost more time to VB scripting, Outlook viruses, IE security holes, GPFs or BSODs than the silly SETI screensaver.

    Heck, they've probably lost more time trying to comply with silly directives from Richard Chambers than they ever will from the SETI screensaver.

  125. Re:Perhaps.... by grammar+fascist · · Score: 2

    ...hack into our computers.

    I suppose they'd do that with Macs.

    --
    I got my Linux laptop at System76.
  126. What you don't know... by corky6921 · · Score: 1

    Richard Chambers, TVA's inspector general, said: "If you're allowing others to tap into your computer, you have got some additional risk there."

    This sounds suspiciously like a comment from someone who has no idea what SETI@Home does, and is condemning a random program that happened to access the Internet.

    Think of how many people in that office probably check their bank accounts online, or send email through Yahoo! or Hotmail, or download warez or pr0n through the company's computers. Come on, what would hackers really see in a SETI@Home chunk? ("Damn, Joe now has 568 units, and I only have 565...")

    1. Re:What you don't know... by baumanj · · Score: 1

      This sounds suspiciously like a comment from someone who has no idea what SETI@Home does, and is condemning a random program that happened to access the Internet.

      Ah, but Mr. Chambers understands all too well what SETI@Home does, for he himself is of extraterrestrial origin. It is a well known fact (among the informed, that is) that the TVA was subverted by expatriated Venusians as early as 1983. Now that their power base is beginning to expand, they fear that the discovery of their brethren will expose them once and for all. I think it is also common knowledge that the management of the TVA are galactic fugitives, but perhaps I've said too much.

      --
      "The general contract of the method run is that it may take any action whatsoever." -- Java 2 API
  127. Re:No, clueless users... by MadCow42 · · Score: 2
    I guess my real point is that the company shouldn't have to go to the trouble of even investigating if there is a security risk with Seti@home... it's not in their best interests to invest the time. After all, what corporate benefit would there be to running the Seti@home program on a few computers? (sure, if they ran it company wide, they could get some miles out of it, but not on an individual user basis)

    To the Sysadmin, it's "unknown" software... could be benign, could be hazardous. They shouldn't have to be put in the position to have to make that distinction. They have better things to do (well... usually...) q:]

    You and I might know enough about Seti@home specifically to be sure it won't cause a problem... but you probably spent at least 30 minutes reading up about Seti@home before coming to that conclusion. For a sysadmin that gets no benefit from it, that's 30 minutes wasted.

    playing-the-devils-advocate-ly-yours...

    MadCow

    --
    I used to have a sig, but I set it free and it never came back.
  128. No, clueless users... by MadCow42 · · Score: 4
    >> best they can come up with is, "some kind of risk"?

    And that isn't a good answer? Do you expect them to analyze the Seti@home software to determine exactly what risks are involved? Do you expect them to do the same for every piece of crapware that is out there that the user "might" install on their system?

    Sure, Seti@home is mentioned specifically, but it's not a problem that's specific to that code. No Sysadmin could realistically do anything but "forbid" basically all non-company-issued software, especially those that connect to the Internet.

    Now, on the other hand, if a company wanted to support Seti@home specifically, it would be feasible to test it so that they could determine the risks... but that's one out of millions of programs that the user might want to install.

    MadCow.

    --
    I used to have a sig, but I set it free and it never came back.
    1. Re:No, clueless users... by Tech187 · · Score: 1

      I don't think it's my business, your business, or anybody but the people paying for and providing the power to determine what the price should be for said power.

      Let the market decide. Get government out of the loop entirely.

      For some reason I am guessing that isn't your position on the issue.

  129. A bigger threat than SETI by clone22 · · Score: 1

    They probably have MS Office running on every employees' workstation.

    --
    Ask me about my vow of silence!
  130. not a big deal by Mr.+Foogle · · Score: 1

    "I'm wondering why using SETI@Home on PCs with access to the internet would be a problem. As cheap as PCs are, you'd think that TVA would have separate internet/email PCs on every desktop, and so no form of malware could affect their machines used for power generation and/or managment."

    The article *didn't* say the machines used for power management were affected.

    I've never worked for the TVA, but I *have* worked for the guv'mnit - every end-user acknowledges what they can/can't do. TVA owns the computers used, it's their business deciding how they're used. It's trivial, sure, but it's garbage like seti@home that drives IT bats.

    --
    Display some adaptability.
  131. Re:please... by Mr.+Foogle · · Score: 1
    > The IT department and the computers are meant to support the users, not the other way around.

    > If I want to install software on my work machine, and I think it's required in the slightest, I won't let anyone from IT tell me otherwise. If I want to make it as complicated as possible to troubleshoot, that's fine, because when I need troubleshooting IT is there and they're getting paid for it. I don't care about making their job easier.

    It's fine with YOU. Attitudes like yours make jobs like mine (sys admin) much harder than they have to be. You can be very sure that your IT staff is very aware of the low regard you hold them in, and they hold YOU in equally low regard.

    Don't be too surprised if the best solution for any given problem is to reformat your drive and zap your data. Bastard.

    --
    Display some adaptability.
  132. Firewall? by ImaLamer · · Score: 1

    Is there any firewall that could help?

    Wouldn't one solution be to not let it access the internet at all? This could be achieved with ZoneAlarm if they are using a Windows computer, and other non-easy solutions if you are on a Linux or BSD system.

    Is there a proxy server? It seems to be a short solution.
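
The "proxy only" setup the post asks about, as an added example that is not part of the thread or of any TVA system: workstations are allowed to reach internal hosts (including the proxy and the resolver), and only the proxy may reach the Internet directly. The subnets, the proxy address, the key=value firewall log format and the log lines themselves are all constructed for the example.

```python
"""Egress policy check for a proxy-only workstation network.

Added example; not from the Slashdot thread or any TVA system.  It assumes a
constructed network: workstations live on 10.1.0.0/16, the only host allowed
to reach the Internet directly is the proxy 10.0.0.5, and 10.0.0.0/8 is the
whole internal address space.  Anything else leaving a workstation for a
non-internal address bypassed the proxy and is flagged.
"""
import re
from ipaddress import ip_address, ip_network

WORKSTATIONS = ip_network("10.1.0.0/16")   # assumed workstation subnet
INTERNAL = ip_network("10.0.0.0/8")         # assumed internal address space
PROXY = ip_address("10.0.0.5")              # assumed outbound proxy
PROXY_PORT = 3128

# Constructed firewall connection records (the key=value format is assumed).
SAMPLE_LOG = """\
2003-02-10T09:01:12 src=10.1.4.21 dst=10.0.0.5 dport=3128 proto=tcp
2003-02-10T09:01:13 src=10.1.4.21 dst=10.0.0.2 dport=53 proto=udp
2003-02-10T09:02:40 src=10.1.4.21 dst=198.51.100.7 dport=80 proto=tcp
2003-02-10T09:02:41 src=10.1.7.9 dst=198.51.100.7 dport=443 proto=tcp
2003-02-10T09:03:00 src=10.1.7.9 dst=10.2.3.4 dport=445 proto=tcp
2003-02-10T09:03:05 src=10.0.0.5 dst=198.51.100.7 dport=80 proto=tcp
2003-02-10T09:03:09 garbage line that does not parse
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Return (src, dst, dport, proto) or None for lines that do not parse."""
    fields = dict(_FIELD.findall(line))
    try:
        return (ip_address(fields["src"]), ip_address(fields["dst"]),
                int(fields["dport"]), fields["proto"])
    except (KeyError, ValueError):
        return None


def is_violation(src, dst, dport):
    """A workstation may talk to internal hosts; only the proxy may go outside."""
    if src not in WORKSTATIONS:
        return False            # servers and the proxy are governed by other rules
    if dst in INTERNAL:
        return False            # internal traffic, including the proxy and DNS
    return True                 # direct Internet connection: the proxy was bypassed


def find_violations(log_text):
    """Return (src, dst, dport) for every connection that bypassed the proxy."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst, dport, _proto = rec
        if is_violation(src, dst, dport):
            hits.append((str(src), str(dst), dport))
    return hits


def iptables_rules():
    """The same policy enforced at the border: allow workstations to the proxy
    and to internal hosts, drop everything else they send outward.  Standard
    iptables options only; the FORWARD-chain layout is assumed."""
    return [
        f"iptables -A FORWARD -s {WORKSTATIONS} -d {PROXY} -p tcp --dport {PROXY_PORT} -j ACCEPT",
        f"iptables -A FORWARD -s {WORKSTATIONS} -d {INTERNAL} -j ACCEPT",
        f"iptables -A FORWARD -s {WORKSTATIONS} -j DROP",
    ]


if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print("bypassed proxy:", hit)
    print("\n".join(iptables_rules()))
```

Run against the constructed log it flags the two workstation connections that went straight to 198.51.100.7; the proxy's own outbound connection and the internal SMB connection pass. The detection and the drop rules express the same policy, which is the point: a client such as a SETI screensaver cannot reach its server unless it goes through a proxy the administrators control and can log.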

  133. please... by hyrdra · · Score: 2

    Was there any *real* cause for concern? No. Was there any chance of someone actually exploiting a SETI client to gain control? Probably not. I really don't think those in industrial espionage automatically would look for a SETI client as a means to gain entry into a system.

    Mostly because there are much more conventional ways, and the SETI client is good only for sending and receiving data.

    Of course, this is management's job. They have to look like they're constantly doing something. If it's attacking harmless, albeit useless, applications, or harping on people for installing screensavers, they have a job to do.

    It's true that the machines do belong to the company, and equally they can do whatever they want with them. But giving someone a computer implies a little personal freedom. I also don't like the fact that many IT departments think they are god today. The IT department and the computers are meant to support the users, not the other way around.

    If I want to install software on my work machine, and I think it's required in the slightest, I won't let anyone from IT tell me otherwise. If I want to make it as complicated as possible to troubleshoot, that's fine, because when I need troubleshooting IT is there and they're getting paid for it. I don't care about making their job easier.

    Even software which isn't really required but is more or less classified along the line of 'fun' still should be allowed, provided it is not very, very dangerous to run. This helps boost spirits and encourages employees to work together. For example, I read in that report those who used the SETI clients were in a competition. I'm sure it was just a fun thing to do in their free time. But now, how has their attitude changed now that they have been investigated for installing software which looks for alien life? It will probably not only affect their performance, but their general feeling for the company as well. And for what? In the long term companies who have a no tolerance, no sense policy like this end up only hurting themselves.

    --


    "I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
    1. Re:please... by jotaeleemeese · · Score: 1

      How do you know there was no real cause for concern?

      Just an example: recently we had a GPLed application that for its particular way of making requests was clogging one of our servers. If it had been Seti@Home we would have been completely lost. Since it was GPLed somebody found the problem, corrected the program and the problem was solved.

      You can never tell what is going to happen with an application for which you don't have the source. Period.

      From where did you get the idea that to have a computer on your desk entitles you to some freedom about how to use it? That is your wishful thinking; most people would also love to make all their long distance calls at the expense of the company from their office phones.

      IT departments are god today with respect to the IT infrastructure of the company that pays your salary. It is their job to make sure the people that are making it possible for you to make a living don't see their profits damaged because employees can't be arsed to comply with some basic common sense rules regarding computers, especially in today's networked environments.

      It is because computers are tools to support users that you should not allow users to break the tool.

      If you can get away with bullying your IT people you work in a company that eventually will be bitten by security issues.

      In most companies I have worked you would have gotten disciplinary actions against you, and if you persisted, you would have been dismissed.

      --
      IANAL but write like a drunk one.
    2. Re:please... by Registered+Coward+v2 · · Score: 2

      That's fine, but don't complain when IT reimages your disk to fix a problem. They're paid to fix problems with their installed programs, and if the best way to do that is to restore a standard configuration. 'Course, if they lose some of your data in the process, then, hey, you're paid to keep backups.

      --
      I'm a consultant - I convert gibberish into cash-flow.
  134. All hail to the Sys admins (not)! by hyrdra · · Score: 2

    I don't hold them in high regard because they aren't doing anything novel. Most think they are all powerful gods because they can install a network card and run cable from the wall. Some of the more experienced run fancy shell scripts, but that's about it. They come in with pompous attitudes and move my stuff around in my office without care, all to get the job done so they can go back downstairs and play Quake.

    Meanwhile, I'm the one producing a product which sells and provides the MONEY for their paycheck. Although I value their importance as a service which can be thought of as analogous to a custodian, I'm not going to walk around with plastic liners on my feet just so they will have less work to do. They're paid to clean up messes if and when they arise. Sorry if you people have to actually DO something.

    And as for a reformat, any IT who reformats my drive with the recent build and code, will be fired. Sorry. They're not important, and can easily be replaced. My boss won't care about their pathetic excuse ("I'm too lazy and don't like him enough to fix it.") -- he'll ask who lost the 6 months of work and write the pink slip.

    However, I never call them because I fix problems myself (unless the problem is network, etc.). I have heard co-workers call them and the stories of how they come in and are extremely abusive, especially to those who aren't technical users. This is ironic because the only difference is they have read "Unix For Dummies" or another associated 'cookbook'.

    So don't worry. The ones who know a little bit more than the Unix command line won't be calling you and I'm sure they run a beast of a system due to 'troubleshooting' -- although if you want to call your method of reimaging troubleshooting at all.

    Remember what you were hired for -- for us. So don't bitch when you have to *actually* be challenged by your job. You still get the same wage whatever the problem is, so the company could care less either way as well.

    --


    "I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
  135. Bustin' Hippies @ Home by ip4noman · · Score: 1
    > Actually, it's real simple. SETI@home is closed source. Neither the employee
    > running it nor TVA management has the faintest idea what it really does.
    I have a friend who's into SETI. I always tell him that he's really cracking PGP for the Feds on the most massively parallel computer ever dreamed of....

  136. Security policy? by winchester · · Score: 1
    The TVA is absolutely right on this one. Running an untrusted program is asking for trouble, and running it without approval is both theft of corporate resources and a violation of corporate guidelines.

    The question remains why the users actually CAN run Seti@Home, since I expect their network to be protected by a good firewall, and the users given no rights to install any software (it's not that hard with Windows 9x, even easier with Windows NT). If I were security officer, I would conduct a serious audit of the security policies, because apparently something is lacking.

  137. Re:Ack by SomeoneYouDontKnow · · Score: 2

    It's the Tennessee Valley Authority, a huge federally-owned power company.

    You can visit its Web site at http://www.tva.gov

    --
    That light you see at the end of the tunnel might be from an oncoming train.
  138. Company computers are for work. by glrotate · · Score: 1

    Not your enjoyment.

    1. Re:Company computers are for work. by shiftless · · Score: 1

      How does this save the company money? It could be argued that this actually COSTS the company money in terms of the power used to power the hard disk as it writes data to disk.

  139. University != company Re:I can see it now by jotaeleemeese · · Score: 1

    You would not last 5 minutes as a SysAdmin in a bank if you applied those same policies (but I guess you know that): they will escort you out of the building and would launch an audit to see if there is the need to press legal charges against you (not a joke).

    Each environment has its needs, and as far as I can see TVA is not in the business of either finding ETs or pleasing their employees with useless toys.

    Nothing stops those same employees from having Seti@HOME (see, *at home*) run on their own PCs during the day and checking the results later.

    We always complain about how dumb management seems to be, then for once they do something sensible and half of /. (mostly college kids I guess) complain about it.

    ?

    --
    IANAL but write like a drunk one.
  147. Hmmm.... more afoot! by Libster · · Score: 1
    Yet another example of Mr. IT Management drone, designation thirty of something or rather, fooling him/her self into believing that they are in fact the Borg Queen, and flexing their damn implants!

    I work for a large corp, and I am all for the concept that process and uniformity are in place for a reason. However, I am also clear that the most effective and powerful management tool is empowering the masses. Not allowing people to choose their own screensaver is most definitely not in keeping with this mindset! If this crew could see a genuinely negative security implication (RTFM guys!) with their employees loading (the very excellent) SETI screen saver then ok.... but my thinking is that the smoking man himself has got to be behind this decision!

    ( He probably took their copper cable too )

    --
    Australianus Geekus
  141. Perhaps.... by JohnnyKnoxville · · Score: 2

    Aliens will be more likely to contact us if we make it easier to hack into our computers. In that case maybe this is all a good thing.

    1. Re:Perhaps.... by I.+M.+Bur · · Score: 1

      No way man, there was like four lines of code in C (or whatever)...

      void main(void); { Load('Virus'); }
      or something like that... :))) Anyway, mark me offtopic...

  142. Why not block the site? by Datameister · · Score: 1

    Why didn't TVA prevent employees from hitting the site to begin with?

  143. Why is that silly? by evenprime · · Score: 1
    TVA supplies power to eight states. Keeping something like that free of malware is important enough to invest in a second network. Having separate networks - one set of PCs connected to a mailserver and to the internet but not to any internal machines, another set that don't have access to the internet, but that you use to manage internal machines - is a totally reasonable precaution. Forget about SETI@Home for a minute. What about all the other stupid net tricks that your typical luser engages in; i.e. all the malware they bring into the network by sending each other email attachments, the unpatched web browsers with cross-site scripting holes that are ripe for abuse because the lusers won't turn off javascript. How much time do you think their admins have to spend cleaning up malware? What if that malware could never get to the important machines, no matter how virulent it is?

    Don't you think that makes sense? The military does. That's why staff are supposed to use separate computers for SIPRnet and NIPRnet

    --
    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  144. *giggle* Nope, you're wrong by evenprime · · Score: 2
    Some anonymous coward said: what this joker is suggesting is that each employee should have a separate PC to be used exclusively for such vital tasks as reading Slashdot and crunching SETI data.

    I'm the "joker" who submitted the article, and I didn't mean that at all. :) I mean that a critical infrastructure like the power grid should *NEVER* have a connection, not even an indirect connection, to the internet. I don't think it is smart to put a computer that can manage the grid on the same network as a PC that will be used to browse the web, or answer email, do SETI@home, look at pr0n, or whatever else lusers do that involves the internet.

    Any of that stuff - even reading business related email - should be happening on a separate network from the computers for the grid. I'm not talking about a subnet that is supposedly isolated from the rest of the network by a switch. (What if I flood your switch with so many MAC advertisements on one port that it fails open and turns into a big, fat hub?) What they need is an honest air gap to separate their grid computers from their computers that can access the internet.

    I was not trying to defend the actions of the employees who were violating TVA's computer policy when I said, "I'm wondering why using SETI@Home on PCs with access to the internet would be a problem. As cheap as PCs are, you'd think that TVA would have separate internet/email PCs on every desktop..." I was saying that a proper setup (e.g. using separate computers with an air gap) is not expensive, and it would have prevented an employee policy violation from becoming a breach of computer security.

    --
    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
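
The post's point that a VLAN behind a switch is not isolation rests on CAM-table flooding: a port made to learn far more MAC addresses than the hosts behind it could present, until the switch degrades to forwarding everything everywhere. The defender's view of the same fact is that the learned-address count per port is what you watch and what port-security limits enforce. The following is an added example, not from the thread or from any TVA equipment; the table layout is modeled on Cisco IOS "show mac address-table" output (an assumption about the environment), and every entry in it is constructed.

```python
"""Spot a switch port that has been flooded with bogus MAC addresses.

Added example; not from the thread or any real TVA network.  The table
format is modeled on Cisco IOS "show mac address-table" output (an
assumption about the environment); the entries themselves are constructed.
A port learning far more addresses than the hosts behind it could ever
present is the visible symptom of CAM-table flooding, and the same count is
what a port-security maximum limits.
"""
import re
from collections import defaultdict

HEADER = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
"""

# Constructed: two normal access ports, one uplink with a few addresses,
# and Fa0/7 showing 40 addresses it has no business learning.
_rows = [
    (10, "0000.0c9f.f001", "Fa0/1"),
    (10, "0000.0c9f.f002", "Fa0/2"),
    (10, "0000.0c9f.f0a1", "Gi0/1"),
    (10, "0000.0c9f.f0a2", "Gi0/1"),
    (10, "0000.0c9f.f0a3", "Gi0/1"),
]
_rows += [(10, f"00de.ad00.{i:04x}", "Fa0/7") for i in range(40)]

SAMPLE_MAC_TABLE = HEADER + "".join(
    f"{vlan:>4}    {mac}    DYNAMIC     {port}\n" for vlan, mac, port in _rows
)

_ENTRY = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$"
)


def parse_mac_table(text):
    """Map each port to the set of MAC addresses learned on it."""
    per_port = defaultdict(set)
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            _vlan, mac, _kind, port = m.groups()
            per_port[port].add(mac)
    return dict(per_port)


def flooded_ports(text, access_limit=8, uplinks=()):
    """Return (port, count) pairs for ports learning more than the limit.

    Uplinks legitimately carry many addresses and are skipped; the limit is
    the number one would configure as the port-security maximum on an
    access port.
    """
    return sorted(
        (port, len(macs))
        for port, macs in parse_mac_table(text).items()
        if port not in uplinks and len(macs) > access_limit
    )


if __name__ == "__main__":
    for port, n in flooded_ports(SAMPLE_MAC_TABLE, uplinks=("Gi0/1",)):
        print(f"{port}: {n} MAC addresses learned, expected at most a handful")
```

On the constructed table only Fa0/7 trips the check. Running this over a periodic dump of the table gives an alert the switch itself may never raise, which is exactly why the post asks for an air gap rather than a VLAN for the grid systems: a check like this tells you the isolation failed, it does not restore it.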
  145. Did anyone else notice this? by jelling · · Score: 1

    "As cheap as PCs are, you'd think that TVA would have separate internet/email PCs on every desktop, and so no form of malware could affect their machines used for power generation and/or management."

    This almost makes me think the poster is trying to troll us into bashing any sort of corporate control over user/their desktops. PCs may be cheap, but not when you multiply the necessary number times two, and especially not when you take into consideration the increase in support time this would require. I get nauseous just thinking of the headaches.

    .jelling

    --
    Opinions were like kittens / I was giving them away
  146. SETI Explained! by K4GPB · · Score: 1
  147. Re:Security Policy by NutscrapeSucks · · Score: 1

    > any and all unofficial screen savers must be extinguished -

    "Install this screen saver" has been one of the most prevalent ways (next to Outlook viruses and 'greeting cards') to trojan Windows systems. Unofficial screensavers should be forbidden.

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.
  148. Rules and rules... by Registered+Coward+v2 · · Score: 3

    While TVA may seem draconian, as a government agency, they're bound by a whole lot of rules and laws, as well as negotiated labor contracts. If they let people install some unapproved programs, they'll have a lot harder time dealing with someone who really screws up. Yes, you can argue that SETI is low risk, but the point is either they enforce their rules or lose the ability to enforce them. It may not be what /.'s want, but then that's the government for you.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  149. suggestions == troll? by idonotexist · · Score: 1

    Instead of bitching, I offer suggestions and ask for other suggestions. As a result, I am labelled a troll. I guess it is back to bitching?

    --
    "There ought to be limits to freedom"
  150. Re:Let's be realistic here... by adalger · · Score: 2
    > 3) trojaned executables can be avoided by verifying PGP signatures

    Unless the trojan was already in when the PGP signature was applied. If one is properly paranoid, one has to consider the case that the original supplier of the software may have had motives other than advertised.

    In simple terms, PGP only verifies that you got what they wanted to give you, not that what they gave you was safe in any sense. It's just like the tamper-proof caps on Tylenol: they don't do a damned thing when someone inside the company slips the mickey in there.

    --
    -- Robert Bunn, gun-toting neo-Nazi anarchist redneck freak
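
The distinction adalger draws, worked through in code as an added example that is not part of the thread: a signature tells you the holder of the signing key produced exactly these bytes, and nothing more. A keyed HMAC stands in for a PGP signature here (an assumption made so the example runs on the standard library alone; the reasoning is identical for real public-key signatures), the release artifacts are constructed byte strings, and the "reviewed builds" allowlist is the hypothetical second gate that a signature check cannot replace.

```python
"""Signature verification proves origin, not safety.

Added example, not from the thread.  A keyed HMAC stands in for a PGP
signature (an assumption so the example needs only the standard library;
the argument is identical for real public-key signatures).  The three
scenarios are the ones the post describes: a clean signed release, a
release altered in transit, and a release trojaned before the vendor signed
it.  Only an independent review of the artifact itself (here: an allowlist
of hashes of builds someone actually examined) can catch the third case.
"""
import hashlib
import hmac

VENDOR_KEY = b"constructed-vendor-signing-key"   # stands in for the vendor's private key

# Constructed stand-ins for release artifacts.
CLEAN_RELEASE = b"setiathome: fetch work unit; crunch; upload result"
TROJANED_AT_SOURCE = CLEAN_RELEASE + b"; also upload C:\\My Documents"  # vendor signs it anyway


def sign(artifact, key=VENDOR_KEY):
    """Vendor-side: produce the detached signature for an artifact."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify(artifact, signature, key=VENDOR_KEY):
    """Recipient-side: did the holder of the vendor key sign exactly these bytes?"""
    return hmac.compare_digest(sign(artifact, key), signature)


def sha256(artifact):
    return hashlib.sha256(artifact).hexdigest()


def approved(artifact, signature, reviewed_hashes, key=VENDOR_KEY):
    """Two independent gates: authentic (signature) AND reviewed (hash allowlist)."""
    return verify(artifact, signature, key) and sha256(artifact) in reviewed_hashes


def scenarios():
    """Run the three cases and report what each gate concludes."""
    clean_sig = sign(CLEAN_RELEASE)
    tampered = CLEAN_RELEASE.replace(b"upload result", b"upload result and passwords")
    insider_sig = sign(TROJANED_AT_SOURCE)   # the vendor, or someone inside, signs the bad build
    reviewed = {sha256(CLEAN_RELEASE)}        # only the clean build was ever inspected

    return {
        "clean_release_verifies": verify(CLEAN_RELEASE, clean_sig),
        "tampered_in_transit_verifies": verify(tampered, clean_sig),
        "trojaned_before_signing_verifies": verify(TROJANED_AT_SOURCE, insider_sig),
        "trojaned_before_signing_approved": approved(TROJANED_AT_SOURCE, insider_sig, reviewed),
        "clean_release_approved": approved(CLEAN_RELEASE, clean_sig, reviewed),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

The tampered-in-transit case is the one signatures were designed for and it fails verification as expected; the build trojaned before signing verifies cleanly, which is the Tylenol-cap point. The allowlist gate is deliberately independent of the vendor: it encodes what someone on the receiving side examined, so a vendor compromise cannot satisfy it.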
  151. Hypocrites by Shortcut+to+CmdrTaco · · Score: 1
    Why is it that the same crowd that proudly proclaims that "I will not run software for which I have no source" thinks that they have a God-given right to run whatever they please on their employer's computers, security and property rights be damned?

    Grow up, kiddies. Don't work for a critical infrastructure provider if you want to run your company-owned PC your own way.

    --Shortcut to CmdrTaco

  152. Security by RaboKrabekian · · Score: 1

    Isn't SETI just as insecure as any internet application? What they're really saying is that "a computer being connected to the internet is a security threat."

    --
    "Moderate drinking can help prevent amputated limbs" -- Abigail Zuger, NYTimes, 12/31/02
    1. Re:Security by RaboKrabekian · · Score: 1

      I agree that installing unauthorized software on a computer is a risk - but why single out SETI@Home? It sounds to me like they're just trying to grab headlines by marking one particular piece of software. When was the last time Slashdot reported that "Company X has decided to limit users' ability to install software on their system." Or even, "Company X realizes unauthorized software can pose a security risk!" So why is this noteworthy other than that the newsmakers decided to mention SETI@Home when describing their inadequacy as sysadmins?

      --
      "Moderate drinking can help prevent amputated limbs" -- Abigail Zuger, NYTimes, 12/31/02
  153. Another BIG security threat by Zangief · · Score: 1

    Stupid humans using computers

    Stupidity should be banned, and censo#######

    (too much dilbert for me, I know)