
Posted: 04-04-2003 03:08 PM
by Gwen
all appears to be working fine now

Posted: 04-05-2003 07:27 AM
by Doug
Surprisingly enough (to me) I actually missed the downtime quite well. I had no problems yesterday whatsoever... except for one time I couldn't get the team stats page up. Guess I should consider myself lucky, huh? I returned a WU @ 12:20 pm EST.

Onward!!

Posted: 04-05-2003 09:56 AM
by Gwen
IMPORTANT! S@H put this up last night! Doug, will you look at this and see if it affects command line? It looks to me as if it is only for the screensaver version, because it refers to 3.08. I am running i386-winnt-cmdline version 3.03.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
— April 4, 2003 —
There is a software update with a precautionary security fix. To obtain it, go to the download page. http://setiathome.ssl.berkeley.edu/download.html

— April 4, 2003 —
OUTAGE NOTICES. There will be intermittent service drops for one hour starting tomorrow at 0800 UT while maintenance is performed on our Internet link.
On Monday 4/7 there will be a 2 hour data server outage starting at 1700 UT while Sun performs some maintenance.



[This message has been edited by Gwen (edited 05 April 2003).]

Posted: 04-05-2003 05:08 PM
by Gwen
> Originally posted by Gwen:
> IMPORTANT! S@H put this up last night! Doug, will you look at this and see if it affects command line? It looks to me as if it is only for the screensaver version, because it refers to 3.08. I am running i386-winnt-cmdline version 3.03.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> — April 4, 2003 —
> There is a software update with a precautionary security fix. To obtain it, go to the download page. http://setiathome.ssl.berkeley.edu/download.html
>
> — April 4, 2003 —
> OUTAGE NOTICES. There will be intermittent service drops for one hour starting tomorrow at 0800 UT while maintenance is performed on our Internet link.
> On Monday 4/7 there will be a 2 hour data server outage starting at 1700 UT while Sun performs some maintenance.
>
> [This message has been edited by Gwen (edited 05 April 2003).]

It appears this security fix just affects screensaver users...I think lrs, TJ, webrad98 and daboodaddy use screensaver...Mark (Tabwebmaster) or Doug, do they need to DL this fix? Is this something they need to be concerned about?

Posted: 04-05-2003 10:08 PM
by Doug
> Berkeley have released a new version of the client, 3.08 which fixes a
> buffer overflow error that could potentially be a security threat.
>
> "Version 3.08 is a precautionary security release. There was a potential
> buffer overrun in the networking code of the client that is fixed with
> version 3.08. Note that to exploit this vulnerability, a potential attacker
> would have to trick the client into contacting a fake server rather
> than the actual SETI@home server. To our knowledge, no SETI@home client
> has ever been attacked in this manner."

It's a possible security hazard... one I'm sincerely doubting would have any effect on any of us. I wouldn't bother. I'm thinking maybe people who are using office/work computers on their business network would be basically the only ones with any risk factor.

But, it's a personal decision. It won't help or hinder the processing of data. But I doubt it's necessary for most of us.

What are you using Tracker?? With 30+ machines in a business environment, it might be wise for you?

Oh - yes, this only affects the screensaver version.

Posted: 04-06-2003 02:49 AM
by TABwebmaster
Ditto what DougB said...it's not absolutely necessary IMO. It's up to you and yes it only affects the screensaver version which nobody should be using anyway since it's about 10% slower than setiathome-3.03.i386-winnt-cmdline.exe.

Look at the ORR Cheetos room from last week or so to see a full description of how to get SETI Driver and cmdline set up together if you need it.

Mark

Posted: 04-06-2003 01:03 PM
by Gwen
Thanks, Doug and Mark. I'll come back with the link to the ORR thread where Mark walked CK through installing command line version, if any of the screensaver users are interested, or you can e-mail me and I will send you instructions. Honestly, I think Mark's instructions in ORR are much easier to follow than the ones I have saved from waaaay back.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
edited to add:

Okay, here's the ORR link: http://www.fantasticforum.com/ubb/Forum ... 560-3.html Starts on TABwebmaster's 1:27am post on page 3, about 1/4 way down the page.



[This message has been edited by Gwen (edited 06 April 2003).]

Posted: 04-07-2003 10:07 AM
by Tracker3
> Originally posted by DougBupstateNY:
> It's a possible security hazard... one I'm sincerely doubting would have any effect on any of us. I wouldn't bother. I'm thinking maybe people who are using office/work computers on their business network would be basically the only ones with any risk factor.
>
> But, it's a personal decision. It won't help or hinder the processing of data. But I doubt it's necessary for most of us.
>
> What are you using Tracker?? With 30+ machines in a business environment, it might be wise for you?
>
> Oh - yes, this only affects the screensaver version.

I am using my office and home office for this project. Security is always an issue for me. I haven't seen any security bypass attempts other than the random hacker trying to ping my local IP addresses (without any success). I must say that this issue shouldn't concern anyone too much. It would only concern me if someone was to use this on a much larger network in a banking or securities industry. Considering that I work for a real estate company, I have no data that anyone would want.

------------------
<SSSS}|--Tracker-3----->

Posted: 04-08-2003 11:25 AM
by Gwen
This is from http://cnet.com news from 4-7-03. I don't know about this. I have seen no patch up for cmdline yet.
``````````````````````````````````
SETI@home flaw could let invaders in


By Robert Lemos and Patrick Gray
Staff Writer, CNET News.com
April 7, 2003, 11:42 AM PT

The SETI@home project has released a new version of its software in order to close up a security hole that could let invaders into participants' PCs.
The project, which allows desktop and workstation users to contribute processing time to the search for extraterrestrials, issued the new distributed client on Friday. It fixes a buffer overflow vulnerability that could allow an attacker to take control of a computer just by sending specially formatted Web requests.

The flaw is one of three reported to Seti@home by a Dutch security researcher last December. The three vulnerabilities only became public knowledge this weekend.

"This has been tested with various versions of the client," Berend-Jan Wever, a 26-year-old computer-science student from Delft University and the researcher who found the flaw, stated on his Web site. "All versions are presumed to have this flaw in some form."

SETI@home software has been installed on more than 4.4 million registered users' desktops and has between 500,000 and 600,000 active users, according to the SETI@home Web site. The group defines an "active" user as one from which they have received a calculated result in the past month.

The vulnerability affects all versions of the client, including the Windows screensaver, the MacOS screensaver and the Linux and Unix command-line clients. The flaw requires that the attacker either successfully create a fake SETI@home server and route the victim there, or take control of one of the project's own Web servers.

SETI@home stated that those caveats make an attack unlikely. "The vulnerability involves a scenario in which hackers are able to impersonate the SETI@home data server, that is, trick the client into communicating with a fake server," said David Anderson, director of the SETI@home project. "This scenario has never happened, as far as we know."

However, Wever pointed out that software to help an attacker reroute a victim's communications already exists.

"This can be done using various widely available spoofing tools," he noted on his Web site. "An attacker could also use the machine the proxy runs on as a base for this attack."

Wever and SETI@home both recommend that users download the latest software from the project's Web site. In addition, SETI@home software users can download a patch from its Web site. The command-line versions of the software for Windows, Linux and Solaris will be available later on Monday, said SETI@home's Anderson. Information about the security flaw has been sent to open-source projects that have created other versions of the software as well.

The Dutch security researcher pointed out two other flaws in the SETI software. One involves the amount of information sent unencrypted by the client to the server. The information includes a great deal of information about the computer running the client, Wever noted, and should be considered a flaw.

The other flaw, apparently in the SETI@home servers, could let an attacker compromise the main servers, the Dutch researcher said. That would allow all SETI@home clients to be exploited, if the flaw could be exploited. E-mails to Wever were not immediately answered.

SETI@home's Anderson, however, stressed that the server vulnerability had been fixed nearly two months ago using information Wever provided.

The SETI@home project uses distributed computing to analyze radio-telescope data. The client software, in the form of a screen saver, downloads raw data collected by the telescope and scours it for intelligent signals embedded in it.

This type of number crunching is computationally intensive. But with around 4.3 million users, the researchers are able to make the most of the world's idle processing power, logging 48 teraflops, or floating point operations per second.

The SETI Web site explains the logic: "While you are getting coffee, or having lunch or sleeping, your computer will be helping the Search for Extraterrestrial Intelligence by analyzing data specially captured by the world's largest radio telescope."

Web designer Sean Rainey of Melbourne, Australia, has used the SETI client for about two years.

He joked that intelligent extraterrestrials may have used the vulnerability already in order to smudge the project's findings. "It's clear as day," he said. "They're quite happy just being left alone."

ZDNet Australia's Patrick Gray reported from Sydney.


[This message has been edited by Gwen (edited 08 April 2003).]

Posted: 04-08-2003 01:24 PM
by Doug
Gwen - It appears that there is a new cmdln version 3.08. I have it on my site for those who are interested.

http://www.superior.net/~smiley/seti/

I personally don't feel that it's necessary - but if anyone would feel safer, by all means, go ahead and update.

Edit to add:

It would appear, according to rumors currently circulating, that the new version is up to 15% slower than the old version.

Also - Be sure and finish any WU's that you are currently working on, as you will most likely lose all work completed, and the new client will start from 0%.

Just thought you might want to know.

[This message has been edited by DougBupstateNY (edited 08 April 2003).]

Posted: 04-08-2003 03:38 PM
by megman
Command-line is/was 3.03. Hasn't changed.

Just came from seti and the 3.08 screensaver patch is no longer there. Back to 3.07. big goof in the patch???

------------------
~~Can't sleep, the clowns will eat me....~~
Come visit us at
www.megmansgym.ca

Posted: 04-08-2003 03:58 PM
by Gwen
Thanks Doug and megman for the input. I think I will stick with what I have..don't want 15% slower processing time. Will just keep my fingers crossed...are you confident with using it, megman, cause I am on aDSL too, so am always on? I have had numerous attempts from subseven backdoor trojans that were blocked by Norton Internet Security, but just this morning a Senna Spy trojan was blocked...have never heard of that, but at least it was caught...I always stay current with virus definitions and security updates. Guess I'm getting to be a nervous nelly in my old age. I have been reading the S@H message boards and other BBS....no one seems to be too concerned about this. Back to crunchin'.

[This message has been edited by Gwen (edited 08 April 2003).]

Posted: 04-08-2003 07:53 PM
by Doug
> Originally posted by megman:
> Command-line is/was 3.03. Hasn't changed.

Beg to differ - I have setiathome-3.08.i386-winnt-cmdline.exe, and have run it for 1 WU. It is v3.08. It is slower, so I'm going to continue with 3.03.

Posted: 04-08-2003 07:59 PM
by Doug
Welcome aboard to our newest member - Chuck Currey! Glad to have ya! Come on in - relax - join the gang! They'll be along any time now.

Posted: 04-08-2003 08:12 PM
by Gwen
Chuck, welcome! I am so glad to have you with us. Stop by and post a hello.