Cyber Eye: No good deed goes unpunished
Spare PC computing cycles worldwide are being harnessed to study 3.5 billion molecular compounds in hopes of finding one that can block the fatal anthrax toxin. A worthy cause, but is it secure? Maybe not.
Intel Corp., Microsoft Corp. and the National Foundation for Cancer Research are giving financial support to the Oxford University distributed-computing program, which is modeled on similar efforts by SETI@home and others. It requires only Internet access and the download of a screensaver developed by United Devices Inc. of Austin, Texas.
The anthrax effort resembles another Oxford program that harnesses 1.3 million idle PCs to fight leukemia. SETI@home, sponsored by the University of California at Berkeley, uses distributed computing to search for evidence of extraterrestrial intelligence.
'I think [distributed computing] has huge potential,' said Chris Wysopal, director of research at the Internet security consulting company @stake Inc. of Cambridge, Mass. It harnesses unused capacity in a good cause to provide supercomputer power at nearly no cost.
But 'there's always risk when you're running something that listens on the network,' Wysopal said. 'You're trusting someone you don't know to access your machine and issue commands.'
Last year the inspector general of the Tennessee Valley Authority reprimanded TVA employees for participating in SETI@home. But if you can't trust the folks at Oxford and U.C. Berkeley, whom can you trust?
The first question agency managers should ask when deciding whether to allow such use of their computers is, 'What kind of authentication is there?' You might trust Oxford, Wysopal said, but are you sure it's Oxford issuing commands to your computers?
Next ask, 'What kind of security does the other side have?' he said. Once your computers are connected with theirs, you are subject to all their vulnerabilities. The best authentication in the world can't stop an intruder who breaks in through the other network.
Finally, 'Make sure their software is implemented correctly,' Wysopal said. Like bad security, bad code and faulty implementation will make your computers vulnerable.
Even if there are safeguards in place, it's a good idea to require a so-called sandbox that segregates the distributed processing from your other applications. A sandbox approach slows performance and might well delay a cure for anthrax, but that's the price you pay for secure computing.
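What Wysopal's first question, "are you sure it's Oxford issuing commands to your computers?", looks like in practice is a client that refuses any work unit not signed by the project's pinned public key. The following is an added illustration, not code from the United Devices screensaver or from Oxford, whose actual protocol the article does not describe. The WorkUnit format, the field names and the ID-based replay check are assumptions made for the example; the demo keys are generated on the spot and are not the project's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// WorkUnit is a hypothetical job message a project server hands to a volunteer PC.
type WorkUnit struct {
	ID      uint64 `json:"id"`
	Project string `json:"project"`
	Task    string `json:"task"`
}

// SignedWorkUnit carries the unit plus the project's Ed25519 signature over its canonical bytes.
type SignedWorkUnit struct {
	Unit WorkUnit
	Sig  []byte
}

// canonical produces the exact bytes both sides sign and verify. json.Marshal of a
// struct emits fields in declaration order, so server and client agree on them.
func canonical(u WorkUnit) ([]byte, error) {
	return json.Marshal(u)
}

// SignWorkUnit is the server side: only the holder of the project's private key can do this.
func SignWorkUnit(priv ed25519.PrivateKey, u WorkUnit) (SignedWorkUnit, error) {
	msg, err := canonical(u)
	if err != nil {
		return SignedWorkUnit{}, err
	}
	return SignedWorkUnit{Unit: u, Sig: ed25519.Sign(priv, msg)}, nil
}

// Client is the volunteer side. It pins the project's public key (shipped with the
// software, not fetched from the network) and remembers the highest unit ID it has
// accepted, so a captured genuine unit cannot simply be replayed.
type Client struct {
	ProjectKey ed25519.PublicKey
	lastID     uint64
}

var (
	ErrBadSignature = errors.New("work unit not signed by the pinned project key")
	ErrReplay       = errors.New("work unit ID not newer than the last accepted one")
)

// Accept verifies the signature before anything in the unit is acted on.
// It returns nil only for a fresh unit signed by the pinned key.
func (c *Client) Accept(s SignedWorkUnit) error {
	msg, err := canonical(s.Unit)
	if err != nil {
		return err
	}
	if !ed25519.Verify(c.ProjectKey, msg, s.Sig) {
		return ErrBadSignature
	}
	if s.Unit.ID <= c.lastID {
		return ErrReplay
	}
	c.lastID = s.Unit.ID
	return nil
}

func main() {
	// Constructed demo keys; a real client ships with the project's public key baked in.
	projPub, projPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	c := &Client{ProjectKey: projPub}

	good, _ := SignWorkUnit(projPriv, WorkUnit{ID: 1, Project: "anthrax", Task: "dock compound 7"})
	fmt.Println("genuine:", c.Accept(good))

	// Someone else claiming to be the project: without the pinned key the client could not tell.
	forged, _ := SignWorkUnit(attackerPriv, WorkUnit{ID: 2, Project: "anthrax", Task: "attacker-chosen task"})
	fmt.Println("forged:", c.Accept(forged))

	// Genuine unit altered in transit: the signature no longer matches the payload.
	tampered := good
	tampered.Unit.Task = "dock compound 8"
	fmt.Println("tampered:", c.Accept(tampered))

	// Genuine unit captured and sent again.
	fmt.Println("replayed:", c.Accept(good))
}
```

Note what this does and does not buy you. Verification tells the client that the unit was signed by whoever holds the project's private key, which answers the authentication question. It says nothing about Wysopal's second and third questions: if the project's own network is compromised and the signing key with it, or if the client code that runs the task is buggy, signed work units are still dangerous, which is why the sandbox still matters.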