Slashdot Mirror
Exploit Found in Seti@Home
Jamie noted that an Exploit was found in Seti@Home and there is code exploiting the hole actually running about in the wild. Patches are available for those of you not interested in running a public warez server or DoS client ;)
I wonder whether aliens are exploiting this to control us /me screams and runs in fear.
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.08.i 686-pc-linux-gnu.tar
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.08.s parc-sun-solaris2.6.tar
Can't seem to find 'em on wcarchive.cdrom.com, the other mirror site -- anyone got a link?
Carousel is a lie!
Something tells me that this exploit is going to lead to a lot more people getting fired than, say, that OpenSSH one a while back.
But I already run a public warez server!
Must be because of evil bits sent by menacing aliens!
Just a bunch of h4x0rs having fun again? Dang.
the Aliens doing this. Not to worry though. I will use my I-Book to hack into their systems and upload a virus.
Of course, they're secretly using our cycles now. It must stop.
There are illegal aliens in my computer!#!@
Who am I kidding, no-one watches the X-Files anymore/
I'm sure the Aliens will love it when we try to DoS attack them. That's one way to make friends with a new species. "Oh sorry about that, yeah were a smart world, REALLY!!"
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
Thank you!
I could have dug around, but now I don't need to.
It's good to be lazy.
My mom says I'm cool.
If the aliens would be exploiting that, our computers would be full of alien pr0n, which it isn't the case... Right? RIGHT?
I demand the Cone of Silence!
distributed.net in support of Team Slashdot. Let's crack that RC5-72 so that we can move on to RC5-128! Only 657,374 days (~1800 years) left to go!
where are those karma whores when you need them?
- There was a potential buffer overrun in the networking code of the client that is fixed with version 3.08. Note that to exploit this vulnerability, a potential attacker would have to trick the client into contacting a fake server rather than the actual SETI@home server. To our knowledge,
- no SETI@home client has ever been attacked in this manner.
Whereas Jamie claims that- an Exploit [sic.] was found in Seti@Home and
- there is code exploiting the hole actually running about in the wild.
Can anybody help clear this up until the linked site get back online?"If you think education is expensive, try ignorance" - Derek Bok
Seems a lot of people freaked over this, understandable, but aren't they aware that running any software leads to security risks?
/040
- Oh my bad, I guess it's mostly the windows client users that have experienced that before...
(I was also always sure there was a little man inside my computer doing all the work, little did I know that it was a little alien).
Well, let's see here. I'm going to be reading data from an untrusted source. So, I feel it's safe to assume that this data will be no longer than, oh, let's say 100 characters. Yeah, 100. I mean, who would send more than that. That'd be crazy!
That'd be about as crazy as wasting cycles on checking the length of my input. Or, dynamically allocating buffers. Or, using safe, bounded copy/read instructions. What kind of wacko would do that! Hah!
Justin Dubs
Ah. You're going for the Homer/aliens reference, eh?
Look! Their site is down! Someone must have used this exploit to launch a Dos on them! Oh wait... damn you slashdot!
Everybody denies I am a genius--but nobody ever called me one!
at least its doing something useful... rather than just pointlessly scanning some random data with no hope of finding anything.
I'm smarter than the average bear.
over here.
"If you think education is expensive, try ignorance" - Derek Bok
running winxp on the spaceship woo -.-
This sig was cut off by the sla
Confirmed information leaking:
This issue affects all clients.
Confirmed remote exploitable:
setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i386-pc-linux-gnulibc1-static
setiathome-3.03.i686-pc-linux-gnulibc1-static
setiathome-3.03.i386-winnt-cmdline.exe
i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
SETI@home.exe (v3.07 Screensaver)
Confirmed DoS-able using buffer overflow:
The main seti@home server at shserver2.ssl.berkeley.edu
Presumed vulnerable to buffer overflow:
All other clients.
PATCHED VERSION
Are available
BACKGROUND INFORMATION
From "http://setiathome.berkeley.edu/" :
"SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data. "
"The SETI@home program is a special kind of screensaver. Like other screensavers it starts up when you leave your computer unattended, and it shuts down as soon as you return to work. What it does in the interim is unique. While you are getting coffee, or having lunch or sleeping, your computer will be helping the Search for Extraterrestrial Intelligence by analyzing data specially captured by the world's largest radio telescope. "
"The client/screensaver is available for download only from this web page - we do not support SETI@home software obtained elsewhere. This software will upload and download data only from our data server here at Berkeley. The data server doesn't download any executable code to your computer. All in all, the screensaver is much safer than the browser you're running right now!"
There are currently over four million registered users of seti@home. Over half a million of these users are "active"; they have returned at least one result within the last four weeks.
THE VULNERABILITIES
The seti@home clients use the HTTP protocol to download new workunits, user information and to register new users. The implementation leaves two security vulnerabilities:
1) All information is send in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.
2) There is a bufferoverflow in the server responds handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.
3) A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving a too large string of bytes followed by a '\n'.
THE TECHNIQUE
1) Sniffing the information exposed by the seti@home client is trivial and very usefull to a malicious person planning an attack on a network. A passive scan of machines on a network can be made using any packetsniffer to grab the information from the network.
2) All tested clients have similar buffer overflows, which allowed setting eip to an arbitrairy value which can lead to arbitrairy code execution. An attacker would have to reroute the connection the client tries to make to the seti@home webserver to a machine he or she controls. This can be done using various widely available spoofing tools. Seti@home also has the ability to use a HTTP-proxy, an attacker could also use the machine the PROXY runs on as a base for this attack. Routers can also be used as a base for this attack.
3) Exploitation of the bug in the server
Live to be Moderated
Wasn't this SET@home thing programmed in Ada? Ada isn't supposed to allow buffer overruns. What gives?
Are many individuals (on their own machines and not he company hardware) actually running the SETI client? I started it back in 1999 but gave up when I discovered that it took about 24hrs to process one unit on my 366 Toshiba laptop making it rather unlikely that at that rate I would live long enough to find anything. To be honest I had pretty much forgotten about the project altogether.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
wouldn't it make sense to at least allow people to know what they're running?
I'm not saying that open source is the best solution in all circumstances, but when you're asking people to run your code it seems that the least you could do would be to provide them with the source code.
Tarsnap: Online backups for the truly paranoid
or, us vs. us.
now you see IT? now you DOWt.
pay attention, that's cheap enough.
lookout bullow. the daze of the Godless greed/fear/murder based payper liesense hostage ransom stock markup frauds is upon US.
the creator is participating lookout bullow.
check with yOUR creator to discover what yOUR role might be in the rescue of the planet, from those who would hold IT hostage.
gooed 'job' there robbIE, turning off va lairIE's patentdead PostBlock(tm) device. that didn't cause a flareup of trust/cohesion in the 'community' buy the weigh. everIE 'man' for himself dooing the 'hard times'?
Being part of a community involves give and take. /. has done its fair of giving, so far as links to news and a place to comment is concerned. This has also involved more than a fair share of taking.
As a responsible net-citizen, though, the editors need to be far more considerate of other people. This is a clear case of inproper net behavior, something I would expect the newest AOL-newbie, spam producing, weenie to do.
Instead of complaining about how much spam you get everyday, Taco, why don't you do the community something useful and mirror the websites that you link to. We whine and complain about bad patents, spam, copyright abuse, monopolies, and then treat the net community with disrespect by effectively dos'ing random servers? It isn't funny anymore.
How about using your cycles on something that isn't a complete waste of time, like folding@home, or some other project?
Can anyone give any practical advice on how to figure out if your own system has been compromised? No, I don't have any tripwires installed :-(
Find free books.
I got up this morning and SETI was reporting a fatal error i've never seen before - coincidence?
-
How do we know aliens don't communicate by propogating buffer overruns throughout the planet? Has anyone analysed this code, if it is indeed out in the wild?
There's gotta be more to extraterrestial life than mutilating cows and doing donuts in crop fields.
Does anyone know if this exploit effects folding@home clients? I do not know if they use the same engine or if the '@Home' name is the only thing they have in common.
Good thing the 20 computers I'm running it on aren't even mine!
The coolest voice ever.
If we retire "C", then we will be forced to change the entire language. Truly we will be left with the inability to spell "can't", "can", "copy-protection". Our lexicon will forever be altered. besides..b and d would look funny next to each other a.b.d.e. hahaha
There is nothing wrong with languages such as C, you just have to be aware of what you're doing. Good, safe, secure and efficient code is generated by educated programmers who are aware of what they're doing. You can't replace that with any computer generated stuff. Perhaps you'll be able to patch one security hole with something like this, but others will go unnoticed. The only solution is to make sure that coders are aware of what they're doing. IMHO languages that do more for you automatically create a sense of false security in that you assume that you can let the compiler / interpreter worry about what you should be thinking about yourself. It acts as a crutch for good programming habits, and so actually encourages sloppy programming. I think this is the opposite of what is needed for secure code.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
Good, safe, secure and efficient code is generated by educated programmers who are aware of what they're doing.
Ah the typical real men need no bounds check argument. This is, of course, a bogus argument.
In real life, people cannot be expected to be extra careful day in and day out. It's just not humanly possible. The long history of buffer overrun exploits proves this.
We need new moderation categories:
Score +1: Takes gratuitous sideswipe at Microsoft
Score -1: Claims that C/Linux is other than perfect.
It's not I-Book - it's iBook.
Arithmetic according to C: float x = 3.14159; float y = 1/2 * x; Value of y? zero.
:-)
You seem to hate this language quite a bit -- when it is just a language. A tool.
Let me explain to you why y is zero. When performing math operations in pretty much any language, it casts to the operand of the lowest precision. Otherwise, you start dealing with arbitrary, unknown data. 1 and 2 are both integers, so they have no precision greater than what is defined. The computer cannot represent 0.5 as an integer value, so it becomes zero. Zero multiplied by any number is zero. See?
What amuses me about your post is your knocking a tool you don't really understand.
Join Tor today!
What gave you the idea that Seti@home is "waste"? It could bring humanity the greatest revelation there is. And besides, S@H-data is used in variety of scientific projects, not just hunting aliens. And finally: S@H was the forerunner of these kinds of projects. It showed what could be done and how to do it. Without S@H your precious folding@home wouldn't even exist. S@H was the first, it showed others the way.
Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
BTW, your sig makes perfect sense if you understand that, in C, straight numeric constants are assumed to be integers, and hence 1/2 is equal to zero. The obvious fix is to change that to 1.0/2.0. Gotta love it when people complain about non-issues...
Incidentally, Java has similar rules, it's just more verbose when warning about type mismatches and loss of precision.
and just where is Jeff Goldblum when we need him; we could ask him to write up a virus on his Mac and just let it sit there on our hard drives and when the aliens get to that file: BOOM!
...we are from the government - we are here to help...
Where do you download the software for warez servers and DoS clients? I know some people who have old DOS programs that they need to run for their business, and they also need a warez server to search for stock quotes online and tell them "ware" they are.
nevermind, that was stupid....
...we are from the government - we are here to help...
I got spam from seti@home encouraging me to run the client again on March 21st, but nowhere did it mention this security problem even though they knew about it back in December or Janauary.
...
This seems pretty irresponsible to me. Notice they say in the email, you "can" download the software, they should have really said you _should_ download it!
This is an exciting time for SETI@home. On March 18-20 2003 we travel to the Arecibo radio telescope to re-observe the most promising "candidates" produced by our search so far. There is a chance that these new observations will yield the first real evidence of extraterrestrial life. Thanks for being part of this history-making effort! According to our records, you have processed 44 work units, the most recent on October 27, 1999. Your contribution of computer time to SETI@home is greatly appreciated. If you have taken a break from SETI@home, now is a great time to start up again; you can download the latest software
I'm not saying that real men don't need a bounds check. What I'm saying is that a smart programmer will make appropriate use of a bounds check, or design objects / structures that handle this appropriately.
In real life, people cannot be expected to be extra careful day in and day out, this is absolutely true. Because of this, they need reminders, and one very good reminder is when you get lots of errors and warnings during compilation & testing. If you become habituated to a programming environment which warns & gives errors often, you will develop better habits because you are used to seeing these everyday. Programming environments which are more flexible and allow sloppy code to go without warnings means that more code will be allowed to be in use before the problems that exist come to the attention of the coder.
Essentially I'm saying that the sooner it breaks, the sooner it will be fixed. If it can go for weeks without breaking, then it is unlikely to be fixed, and this allows more security vulnerabilities to go on into production code, not less.
I agree that intelligent systems which look for potential buffer overflows and report them to the coder are a good thing, and I fully advocate using such in development & testing, but languages and environments which hide the internals beneath a veneer of smooth operation are not a good substitute for knowing what you're doing.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
Is it safe to assume that the command line version for other platforms will take similar URLs? The presumed OSX version at ftp://alien.ssl.berkeley.edu/pub/setiathome-3.08.p owerpc-apple-darwin1.2.tar, and the presumed WinNT version at http://wcarchive.cdrom.com/pub/setiathome/setiatho me-3.03.i386-winnt-cmdline.exe, both don't work yet. (I got these urls by hand editing the links on the Unix download page to replace 3.03 with 3.08, so I'm assuming that the new versions will be consistent with what was already there.) Maybe these links will work by the time you read this, but as of now (2:30 pm EST) they haven't been updated yet.
DO NOT LEAVE IT IS NOT REAL
As I've commented before, I'm intrigued that we have our planetary computer network hooked up to an open port on a radio-telescope. Hoping for a superior alien race to send us e-mail. What if they also have alien computer viruses?
Gives new meaning to the honeynet concept.
Yep, see that news story? "NASA were proud to announce the finding of 18 more satellites around Jupiter. They said, It is thought that 3 of these, w00t, l33t and h4x0r, may be capable of sustaining life. Soon after the announcement, analysts were sceptical that whilst these planets may contain life, they would not be socialable creature who use a similar form of communication to humans"
This advisory came 4 months late. While I'm glad this person contacted Seti first before releasing the advisory, I cannot believe that it took them two months to fix a bufer overflow! While seti@home isn't a mission critical app, I would think the seti people would want to release a new version very quickly, at the very least so that they know that their personal omputers can't get exploited.
Bah, forgot about a username.
Only dead fish swim with the stream...
They are covering their tracks. How else could you explain this suspicious lack of alien signal evidence after all of these years of searching? This is a coverup of galactic proportions.
I am risking my life by sharing this with you, but someone must speak out before it's too late!
There ARE no such things as aliens. The real coverup is that the government has been manipulating the public to accept that there may be aliens, and is using that to get funding and public support for sinister military projects that, otherwise, would be difficult to run.
Seti@Home is the most recent, and diabolical, of them all. Hundreds of thousands of people have been conned into believing that they're actually searching for "alien communications." The truth is that they're processing massive amounts of data, fed directly to the Arecibo dish by the military as part of a massive attempt at global mind control / thoughtcrime detection.
The signals being processed are actually brainwaves of the billions of people on the planet. Currently, they are researching normal brainwave activity in the global population and experimenting on a select group of individuals using weather satellites to beam mind control signals directly into their skulls. Once phase 1 has been completed, they will being experimenting with lightly controlling the minds of a whole country or continent. Finally, total control of the world population will take place.
The odds of my computer being tricked into contacting a fake SETI@home server, are about as slim as they are of me finding alien life.
Saskboy's blog is good. 9 out of 10 dentists agree.
Then you might write a quick and dirty function that calls sprintf to format a message (snprintf is not portable, so you might not have a simple fix). Then after a while you forget that it was quick and dirty and use it in a client that will only connect to your own server. I think its a very easy mistake to make. It gets more interesting. Say you are reading a 1024 bit number that is supposed to be a product of two 512 bit primes. Your code has a hand-optimized assembler loop that will not violate bounds of a fixed-length array if the number is what it's supposed to be. But if it has small factors, the loop might blow away the memory. On the other hand, checking the bounds would make your performance-critical loop twice slower. Still think it's easy to validate the input?
anyone know if there's a new version of the windows command-line client? all i could find is the ancient setiathome-3.03.i386-winnt-cmdline.exe. i tried exploring a couple of the ftp servers with no luck.
anyone able to locate a newer version or am i stuck running the crappy gui?
THERE IS NO DATA. THERE IS O
If this was a microsoft hole, slashdot would be jumping all over it. "MS sucks! Look at these security holes! Waa! I'm gonna go cry about it now, even though they patch them quickly!"
I know a lot of people hate MS, especially the slashdot/open source community. But at least be fair....why is it so egregious for MS to have a few security holes where any other company would be cut some considerable slack? Like Seti@Home for example. No piece of software is perfect, open or closed.
The client connects to Seti@home's servers and downloads a 'work packet'. This packet is stored locally and when analysis is complete the results are uploaded to Seti@home.
>
I'd rather have a program that defaults to an uncaught exception and program crash to one that is instead vulnerable. One is somewhat more dangerous than the other, though an uncaught ArrayOutOfBounds or whatnot exception isn't perfect and still results in program crashes.
Indeed the sooner it breaks the sooner it will be fixed in normal applications distributed to society at large. And if you know what you're doing and are ever vigilant you can perhaps avoid these sorts of errors. But its becoming increasingly clear that few and fewer know what they're doing behind that veneer, while still choosing C/C++ because its the standard. To fix this, we can either educate these people in the way of the code warrior or they can select another language. There's an entire body of information on the way of the warrior, so perhaps another language is indeed a viable option. Java actually implements an array class that throws your suggestion of an intelligent object/class built into the library.
Microsft has chosen C#, or Managed C(++). Universities have chosen Java. I'd love to see enterprise level support for OCaml personally, but I think that's doubtful. Stateful inspection of possible overflows is a long way from being complete. It seems a lot of research at my university is focused on such stuff.
I Browse at +4 Flamebait
Open Source Sysadmin
People are so used to this design flaw that they can no longer tell that it is there. What would you say if I wrote a language in which the name of rebooting subroutine was say, "print"?
.sig is no different. It looks like standard schoolbook arithmetic, hence the outcome should be a resonable approximation of it.
Well the code in my
Yes, Java has the same flaw as it inherited several C/C++ design flaws. In fact the bug can be traced back to Fortran.
Pascal and the new version of Python, algol, modula and others don't have this flaw as they use div for integer division.
And a very special "fuck you" to Taco for complaining about there being nothing worth posting today.
This is the reason employers have problems when their employees run Seti@Home (and indeed, any unauthorized software) on their machines.
As an IT professional, you talk and talk and talk and talk trying to warn your superiors of the danger of running unnecessary network services -- why you can't just open the firewall wide up to let them use their proprietary stock-tracking application; hell, why you even have a firewall in the first place.
And then Seti@Home, the ultimate nonessential network service, comes along and validates everything you've been saying. But you're running it anyway, because it's "cool". And now your network is compromised.
Should have taken your own advice.
NO CARRIER
You can just FTP to ftp://alien.ssl.berkeley.edu/pub/ and see for yourself what's there.
When I checked, the only 3.08 versions available were the GUI versions for Windows and Mac OS 9 (not OS X), and the two command line versions mentioned above (x86 Linux and Sparc Solaris). The ones I personally care about, the command line versions for WinNT and OS X, were not there yet.
before installing the patch, I had 441 workunits. now it says I have 240. Anyone else experiencing this?
Let me explain to you why y is zero. When performing math operations in pretty much any language, it casts to the operand of the lowest precision. Otherwise, you start dealing with arbitrary, unknown data. 1 and 2 are both integers, so they have no precision greater than what is defined. The computer cannot represent 0.5 as an integer value, so it becomes zero. Zero multiplied by any number is zero. See? :-)
Oh gee, thanks. I _didn't_know_that_.
No siree bob. My comment could have nothing to do with the cognitive dissonance caused by elementary-school ingrained arithmetic rules being gratuitously subverted by C... By the way, the python designers identified this bug and are fixing it in the new version: integer division will be called "div" and "/" will behave like the standard arithmetic "/" (up to finite precision issues).
So... for those people who installed Seti on 100 machines at school/work, are you updating them RIGHT NOW? One guy where I am put Seti on a bunch of cluster machines because, after all, no one else is using them. I certainly hope that he's working unpaid overtime patching his (against the rules) pet project.
-- Is "Sig" copyrighted by www.sig.com?
For thouse looking for an alternative, there is always distributed.net.
I shouldn't think we'd need anything very elaborate for a DoS attack on the aliens. Just link /. to them.
It's the queers. They're in it with the aliens. They're building carefully crafted packets to remote control the SETI client for gay martians. I swear...
This exploit really isn't as bad as people here like to make it out to be. In order to perform this buffer overrun, you would have to trick the S@H client to connect to a different server. Short of actually breaking into the host computer of the client, I believe this would prove extremely difficult (anyone know how to do this?).
And as was mentioned in the advisory, there has been no reported case of this actually being exploited (outside of proof of concept of course, where the discoverer changed the S@H server address in the client itself).
I've contributed lots of cycles to many DC projects. A little while ago the people from UD and SETI were talking about making one screensaver that allows you to pick and choose what projects you want to contribute to.
Some of the proposed features were switching to another project after finishing a WU, auto updates, ad hoc teams, simultaneous DC use with custom priority, etc.
I wonder what ever happened to that idea. It sounded great. It would also give not so famous groups a chance to write their screensaver using the API, script, or however the one-screensaver-to-rule-them-all DC client works.
It would be nice to be able to see a list of projects from students asking for a group to do the math for them. How cool would offering your team's PC power to the local high school doing a simple DC experiment?
In the meantime the big boys rule. That's not bad, but it could be better.
interesting concept, anyone tried this out? http://www.trepia.com/
In addition, I noted how the S@H team seemed to neglect optimizing the client, so I got into other projects. S@H sucks particularly on the K6. My P2-350 runs it over twice as fast as the K6-2 of similar MHz, partly because it can use the 686 optimized version.
I still prefer S@H over things like distributed.net; the latter poses purely mathematical problems, which IMHO should not be bruteforced. The RC5 crack is plain silly, and the OGR is something that might be 'solved' by other means some day. In addition, things like protein folding could use a proper theory, as you can only bruteforce individual cases. But there's no scientific shortcut in SETI, you just have to keep looking.
Escher was the first MC and Giger invented the HR department.
I guess the command line versions are uneffected... They are still at version 3.03 AFAIK.
After 50 years the aliens hadn't inovated at all. The craft that crashed at roswell in '47 was the same ones they used to attack earth with in the late '90s(i dont remember what year the movie came out). We have new fighters every few years, wouldn't the aliens have made some progress over 5 decades?
"Sic Semper Tyrannosaurus Rex."
THE SLANT
The Slant
Huh? This is a crock.
Operands are always (or should be) cast to the HIGHEST precision possible: float * double = double, int * long = long, etc etc.
1/2 is zero because in C, the '/' operator is overloaded to mean floating-point division for floating-point operands, and integer division for integral operands. Many other languages use different names for these operators (eg, in Pascal, its '/' for floating-point divide and 'DIV' for integer divide).
This is arguably a case of misleading overloading, for people not familiar with C. It has nothing to do with typecasts.
As someone else points out, careful programmers catch their mistakes in C. Unfortunately, most programmers aren't careful. So we can either institute an apprenticeship system for programmer wanna-bes, or do the cheap and less political thing, and use better tools for the job. C is just a tool, and it's not always the best. I write in C, and Pascal (well, Delphi/Kylix these days), and COBOL, and Perl, and sometimes even Visual Basic if I need to knock off some proof-of-concept prototype in Windows. I've worked in Java, C++, four or five statistical languages, several variations of assembler and machine language, and dabbled in Ada, Turing, APL, Fortran, and several scripting languages. And when I go to write a new program, my first instinct is not to fire up GCC. Too many people do, though, and that's why we get crap programs that do stupid things like allow buffer overruns.
You've actually sparked a great idea.
A kind of software book exchange club. A client (kind of p2p in nature) that randomly uploads and downloads a new piece of software every couple days. You never know what you're gonna get, and you have no say in what you send the other person. There's no personal interaction at all. You could get an mp3.. or an iso. However, you could limit your downloads to say, Mac, PC, or Linux.
Anyway, I think this would be cool. p2p, but with no say in what you send or receive. Open your "received" folder every morning and look at what you got. Maybe it's an mp3 that absolutely sucks -- or maybe a really cool app you never knew existed. Or maybe just a really funny picture.
Sadly, when I have mod points, I can't find these informative posts. :)
jX [ Make everything as simple as possible, but no simpler. - Einstein ]
If they do this, then all those unpatched clients will stop working, and people running them will have to either (a) figure out how to get a new client or (b) stop running the existing client, both of which fix the exploit problem.
Does the client have facilities for informing the user of things like this? Like, can the screensaver replace the graphic with "please download a new client"? Otherwise if people get "cannot connect to server" over and over they might just get stupid and give up.
Of course, if they do this, SETI@HOME might actually lose half the current number of computers giving them data, if they would actually consider that useful or not.
How is talking about SETI@home offtopic in this story?
Worse is the reality that, in an effort to help the SETI find an extraterrestrial Yeti (or just to rack up points for geeky ego-boost) it is not too uncommon for junior admins to install SETI clients on fat production servers (I'm confident of the 'junior' status of such admins because even if they are otherwise 'senior' admins this busts them back down to junior status).
In fact, I recall being hired in July of 2001 by a small web design/ecommerce company to work on a new project for a pharmaceutical company to lead their development team. Now, anyone who knows me knows I'm not a sys admin, but I know enough to crash really big systems ;). So, having been entrusted with root on the firms production servers I snooped around and, you guessed it, found SETI@home running on them racking up points for one of the members of the firm.
These servers were being used for credit card processing for ecommerce sites and were scheduled to be used for processing prescriptions and HIPAA-sensitive patient data (they weren't at this point; remember, I was hired for that project and found SETI during an initial server assessment--but these admins knew the purpose of these servers).
So, without ceremony or fanfare I killed and deleted SETI along with this admin's user account. Being new I didn't outright fire the moron but I did recommend strongly that this loser be tossed, which he was within a month.
-- @rjamestaylor on Ello
its Monday and still no patches for non gui clients.
"Oh sh*t there goes the the planet"
ERR 411[Max number of witty sigs reached]
I thought we had them to moderate posts like your as redundent or offtopic.
and posts like this one (mine) as trolls.
oh well, to each his own.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Well, if you want a noble goal for your spare cycles...
Give 'em to Google!
Seriously, though - this is a distributed program to find protein folding solutions, that could eventually be used for creating new medicines... Plus, it's run by everyone's favorite search engine!
-T
That's a rather narrow viewpoint. You don't think finding, say, primes, even one at a time, has any value, and we must wait for a mathematical solution for calculating any given one?
Shrug. Closed source: what do you expect?
Actually, much of the delay was due to the fact that all of our non-Solaris clients are ported and tested by volunteers whose available time to put toward such things is limited. (On a properly set up SPARC solaris machine, the bug doesn't result in a vulnerability by the way.)
The primary bug was fixed by me prior to 1/25/03, at which point the code was sent to the porters of the Win32 versions. The Win32 versions continued to show a segfault on overflow. The porters eventually tracked down a more subtle bug. Not every buffer overflow is as simple as "he used gets() rather than fgets()." The buggy was far uglier than it needed to be for the job it was doing. Given the time, I probably would have reimplemented it from scratch. I'm not going to reveal who wrote the flawed code other than to say it wasn't me.
Meanwhile, the main team was in panic mode getting ready for the trip to Arecibo. I was out of town on business for much of that two months. (2.5 weeks in Korea, 1.5 Weeks at Arecibo). Maybe we weren't pushing hard enough on our volunteers, but hell, they are volunteers with real jobs that they get paid for.
As has been said, so far as we know at this point no client has been comprimised by exploiting this hole. In order to break the client, an attacker would need to set up a machine to act as a proxy or pretend to be the server. That's not the easiest thing in the world to do without access to the local network (or a security breach at your ISP). And if an attacker has access to your local network or routers and proxies at your ISP, holes the in SETI@home client are the least of your worries.
At any rate, if you're worried, get the upgrade. Given I haven't upgraded my machines yet, you can see how concerned I am about it.
Support SETI@home
The WinNT command line version is now available.
Still no OS X version.
You can check check to see what's avaiable here: ftp://alien.ssl.berkeley.edu/pub/
Can't do it, simple fact that it's the property of the pubisher not slashdot. If Slashdot went a did make copies of all the pages they were going to refer to they would get sued. Google does is as a cache. It's dicey, but if you refer to the google cache then google takes the hit. Most pages on the web with interesting content have banner ads. If you sent slashdotters to google then the ads don't get seen, the site loses money. Damned if you do, Damned if you don't.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
The Grub project is a distributed method of crawling the internet. You download the client and you help Looksmart( their search engine wisenut is pretty good but not the best ) crawl the web.a a2b3b639ab6f4b92965e132a1418df9
In my opinion it is better to help contribute your spare bandwith and cpu to help make sure more of the internet is crawled and more frequently instead of something more pie in the sky like SETI. Grub has a more down to earth use. Help make sure all of cyberspace can be crawled.
Download the grub client:
http://www.grub.org/html/downloads.php?PHPSESSID=
There is a linux version. Get crawling, forget seti, helping crawl all the internet is more of an attainable goal.
A manager went to the master programmer and showed him the requirements
document for a new application. The manager asked the master: "How long will
it take to design this system if I assign five programmers to it?"
"It will take one year," said the master promptly.
"But we need this system immediately or even sooner! How long will it
take it I assign ten programmers to it?"
The master programmer frowned. "In that case, it will take two years."
"And what if I assign a hundred programmers to it?"
The master programmer shrugged. "Then the design will never be
completed," he said.
-- Geoffrey James, "The Tao of Programming"
- this post brought to you by the Automated Last Post Generator...