Exploit Found in Seti@Home
Jamie noted that an Exploit was found in Seti@Home and there is code exploiting the hole actually running about in the wild. Patches are available for those of you not interested in running a public warez server or DoS client ;)
Why is there always an assumption that exploits=firings? If it was intentionally added, yes, but if it's an honest mistake why do heads have to roll?
Coders make mistakes. That's why they put a backspace key on keyboards.
I believe he was refering to people who run SETI without their employer's permission getting fired for doing so, as it now may be more of a problem.
Well, let's see here. I'm going to be reading data from an untrusted source. So, I feel it's safe to assume that this data will be no longer than, oh, let's say 100 characters. Yeah, 100. I mean, who would send more than that. That'd be crazy!
That'd be about as crazy as wasting cycles on checking the length of my input. Or, dynamically allocating buffers. Or, using safe, bounded copy/read instructions. What kind of wacko would do that! Hah!
Justin Dubs
Yes, that's a good answer, except that it completely ignores the facts that
1. People have turned in fake results
2. People have deliberately tried to screw up their database and server
3. There are apparently security holes in the client which would have been noticed much sooner if the code was open.
Tarsnap: Online backups for the truly paranoid
BTW, your sig makes perfect sense if you understand that, in C, straight numeric constants are assumed to be integers, and hence 1/2 is equal to zero. The obvious fix is to change that to 1.0/2.0. Gotta love it when people complain about non-issues...
Incidentally, Java has similar rules, it's just more verbose when warning about type mismatches and loss of precision.
This is the reason employers have problems when their employees run Seti@Home (and indeed, any unauthorized software) on their machines.
As an IT professional, you talk and talk and talk and talk trying to warn your superiors of the danger of running unnecessary network services -- why you can't just open the firewall wide up to let them use their proprietary stock-tracking application; hell, why you even have a firewall in the first place.
And then Seti@Home, the ultimate nonessential network service, comes along and validates everything you've been saying. But you're running it anyway, because it's "cool". And now your network is compromised.
Should have taken your own advice.
NO CARRIER
So... for those people who installed Seti on 100 machines at school/work, are you updating them RIGHT NOW? One guy where I am put Seti on a bunch of cluster machines because, after all, no one else is using them. I certainly hope that he's working unpaid overtime patching his (against the rules) pet project.
-- Is "Sig" copyrighted by www.sig.com?