Exploit Found in Seti@Home 266
Jamie noted that an Exploit was found in Seti@Home and there is code exploiting the hole actually running about in the wild. Patches are available for those of you not interested in running a public warez server or DoS client ;)
Offtopic but out of curiosity (Score:2, Interesting)
Is my box owned? (Score:3, Interesting)
Re:Time to retire C (Score:1, Interesting)
Re:If you're asking people for their cycles... (Score:3, Interesting)
The problem is Seti@home is science, and a primary requirement for science is that results must be repetable. If I were for example to recompile to program for athlon optimisation, it probably wouldn't be too big a deal and might gain me an advantage of of 20 min to an hour for each work-unit, which are averaging about 27 hours on my older machine. Sooner or later somebody is going to take apart the program and start change the math involved which would increase the advantage but absolutly kill reproducability.
I think that this exploit would be pretty hard to exploit because you would have to intercept the IP address of the seti@home server, and redirect to a malicious server to exploit it. It would be easier to just exploit one of the many other easier to exploit security holes out there.
Re: 366 Toshiba synchronicity (Score:3, Interesting)
In addition, I noted how the S@H team seemed to neglect optimizing the client, so I got into other projects. S@H sucks particularly on the K6. My P2-350 runs it over twice as fast as the K6-2 of similar MHz, partly because it can use the 686 optimized version.
I still prefer S@H over things like distributed.net; the latter poses purely mathematical problems, which IMHO should not be bruteforced. The RC5 crack is plain silly, and the OGR is something that might be 'solved' by other means some day. In addition, things like protein folding could use a proper theory, as you can only bruteforce individual cases. But there's no scientific shortcut in SETI, you just have to keep looking.
Re:Time to retire C (Score:1, Interesting)
As someone else points out, careful programmers catch their mistakes in C. Unfortunately, most programmers aren't careful. So we can either institute an apprenticeship system for programmer wanna-bes, or do the cheap and less political thing, and use better tools for the job. C is just a tool, and it's not always the best. I write in C, and Pascal (well, Delphi/Kylix these days), and COBOL, and Perl, and sometimes even Visual Basic if I need to knock off some proof-of-concept prototype in Windows. I've worked in Java, C++, four or five statistical languages, several variations of assembler and machine language, and dabbled in Ada, Turing, APL, Fortran, and several scripting languages. And when I go to write a new program, my first instinct is not to fire up GCC. Too many people do, though, and that's why we get crap programs that do stupid things like allow buffer overruns.