Advanced search

Message boards : Number crunching : ACEMD3 security issue

Author Message
Padanian
Send message
Joined: 1 May 09
Posts: 7
Credit: 6,670,734
RAC: 36
Level
Ser
Scientific publications
watwatwatwatwatwatwatwatwatwatwat
Message 54048 - Posted: 25 Mar 2020 | 7:04:16 UTC
Last modified: 25 Mar 2020 | 7:05:25 UTC

https://i.imgur.com/bgoHpok.png

Why does ACEMD3 log all of my folders at savepoints and print them clear?
Any reasonable explanation?

Toni
Volunteer moderator
Project administrator
Project developer
Project scientist
Send message
Joined: 9 Dec 08
Posts: 947
Credit: 4,353,973
RAC: 58
Level
Ala
Scientific publications
watwatwatwat
Message 54049 - Posted: 25 Mar 2020 | 9:04:22 UTC - in response to Message 54048.
Last modified: 25 Mar 2020 | 9:07:54 UTC

It's the BOINC wrapper. It's compiled in debug mode so it prints out a bit of the strings (a few chars from the path names, mostly "programdata" or translations) which are still allocated at the wrapper exit. You should be able to hide your PCs and workunits with preferences.

Padanian
Send message
Joined: 1 May 09
Posts: 7
Credit: 6,670,734
RAC: 36
Level
Ser
Scientific publications
watwatwatwatwatwatwatwatwatwatwat
Message 54050 - Posted: 25 Mar 2020 | 9:29:36 UTC - in response to Message 54049.

You should be able to hide your PCs and workunits with preferences.


Can't see anything related to that. Would you point me where to look?

Keith Myers
Send message
Joined: 13 Dec 17
Posts: 508
Credit: 525,681,602
RAC: 1,676,608
Level
Lys
Scientific publications
wat
Message 54063 - Posted: 25 Mar 2020 | 15:59:29 UTC - in response to Message 54050.

You should be able to hide your PCs and workunits with preferences.


Can't see anything related to that. Would you point me where to look?

https://www.gpugrid.net/prefs.php?subset=project

Should GPUGRID show your computers on its web site? yes

Padanian
Send message
Joined: 1 May 09
Posts: 7
Credit: 6,670,734
RAC: 36
Level
Ser
Scientific publications
watwatwatwatwatwatwatwatwatwatwat
Message 54066 - Posted: 25 Mar 2020 | 21:39:09 UTC

Well, it could show my computers, not the damn folder tree.
And jeez why on earth it shall show my folders, out of the boinc tree?

Keith Myers
Send message
Joined: 13 Dec 17
Posts: 508
Credit: 525,681,602
RAC: 1,676,608
Level
Lys
Scientific publications
wat
Message 54071 - Posted: 25 Mar 2020 | 23:13:11 UTC - in response to Message 54066.

Well, it could show my computers, not the damn folder tree.
And jeez why on earth it shall show my folders, out of the boinc tree?

I don't understand what it is you are seeing.
All I see on ANY BOINC project are my Computers page which only shows the Details of the host hardware and the Tasks assigned to it.

It also shows the current host RAC and host Totals. Nothing more. No other information about the host is leaked.

You must have some sort of weird operating system environment.

Keith Myers
Send message
Joined: 13 Dec 17
Posts: 508
Credit: 525,681,602
RAC: 1,676,608
Level
Lys
Scientific publications
wat
Message 54072 - Posted: 25 Mar 2020 | 23:19:03 UTC - in response to Message 54066.

Well, it could show my computers, not the damn folder tree.
And jeez why on earth it shall show my folders, out of the boinc tree?

Put the blame on Windows.

I don't see any of that in Linux.

Stderr output
<core_client_version>7.17.0</core_client_version>
<![CDATA[
<stderr_txt>
13:58:20 (491): wrapper (7.7.26016): starting
13:58:20 (491): wrapper (7.7.26016): starting
13:58:20 (491): wrapper: running acemd3 (--boinc input --device 2)
14:37:08 (491): acemd3 exited; CPU time 2325.436945
14:37:08 (491): called boinc_finish(0)

</stderr_txt>
]]>

rod4x4
Send message
Joined: 4 Aug 14
Posts: 162
Credit: 1,861,782,741
RAC: 1,223,105
Level
His
Scientific publications
watwatwatwatwatwatwat
Message 54074 - Posted: 25 Mar 2020 | 23:28:58 UTC - in response to Message 54066.

Well, it could show my computers, not the damn folder tree.
And jeez why on earth it shall show my folders, out of the boinc tree?


Your partial folder tree that it displays is a standard BOINC installation tree.

It is a partial tree and nothing there uniquely identifies you, nor poses a security risk.

As Keith mentioned, if security is high on your list, you can hide your computers, as you have done.

Padanian
Send message
Joined: 1 May 09
Posts: 7
Credit: 6,670,734
RAC: 36
Level
Ser
Scientific publications
watwatwatwatwatwatwatwatwatwatwat
Message 54080 - Posted: 26 Mar 2020 | 12:23:07 UTC - in response to Message 54071.

Well, it could show my computers, not the damn folder tree.
And jeez why on earth it shall show my folders, out of the boinc tree?

I don't understand what it is you are seeing.


Look at the image I linked in the first message.
It logs folders set in search path.

Profile Retvari Zoltan
Avatar
Send message
Joined: 20 Jan 09
Posts: 2185
Credit: 15,824,047,857
RAC: 697,719
Level
Trp
Scientific publications
watwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwat
Message 54085 - Posted: 26 Mar 2020 | 17:38:13 UTC - in response to Message 54080.

Well, it could show my computers, not the damn folder tree.
And jeez why on earth it shall show my folders, out of the boinc tree?

I don't understand what it is you are seeing.


Look at the image I linked in the first message.
It logs folders set in search path.

You made the ascii text unreadable with that red mark, but the funny thing is that the hex numbers after the unreadable text encode the same information. So now I know that your given host has an environmental setting of TMP=D:\ProgramDa... The only information which is leaked that your host has a D: drive (as every Windows has a hidden system folder called ProgramData, usually in the root of the C: drive).
Being such an ingenious hacker as I am, I still don't know how on Earth could I use it for my nefarious purposes.

Padanian
Send message
Joined: 1 May 09
Posts: 7
Credit: 6,670,734
RAC: 36
Level
Ser
Scientific publications
watwatwatwatwatwatwatwatwatwatwat
Message 54088 - Posted: 26 Mar 2020 | 19:34:28 UTC - in response to Message 54085.

And still no one knows why it does that. Still a security issue IMHO

Profile Retvari Zoltan
Avatar
Send message
Joined: 20 Jan 09
Posts: 2185
Credit: 15,824,047,857
RAC: 697,719
Level
Trp
Scientific publications
watwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwat
Message 54089 - Posted: 26 Mar 2020 | 19:54:48 UTC - in response to Message 54088.
Last modified: 26 Mar 2020 | 19:57:13 UTC

And still no one knows why it does that.
We do.
As it is stated by Toni right after your question: it's not the GPUGrid app, but the BOINC wrapper does it because it was compiled in "debug" mode so it prints out some app and system related strings to help debug the connection between the app and the BOINC wrapper.
The BOINC wrapper is not GPUGrid's "product".

Still a security issue IMHO
I don't agree with you.

Keith Myers
Send message
Joined: 13 Dec 17
Posts: 508
Credit: 525,681,602
RAC: 1,676,608
Level
Lys
Scientific publications
wat
Message 54099 - Posted: 26 Mar 2020 | 23:32:34 UTC - in response to Message 54089.

And still no one knows why it does that.
We do.
As it is stated by Toni right after your question: it's not the GPUGrid app, but the BOINC wrapper does it because it was compiled in "debug" mode so it prints out some app and system related strings to help debug the connection between the app and the BOINC wrapper.
The BOINC wrapper is not GPUGrid's "product".

Still a security issue IMHO
I don't agree with you.

Correct. You have a problem with the BOINC Wrapper app and you should vent your paranoia at the BOINC developers which wrote the application.

Target would be David Anderson.
davea@berkeley.edu and you should post this issue to the BOINC developer website
https://github.com/BOINC/boinc

Profile ServicEnginIC
Avatar
Send message
Joined: 24 Sep 10
Posts: 198
Credit: 1,456,811,663
RAC: 915,511
Level
Met
Scientific publications
watwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwatwat
Message 54107 - Posted: 27 Mar 2020 | 8:54:21 UTC - in response to Message 54088.
Last modified: 27 Mar 2020 | 9:42:49 UTC

Anyway, collaborating with BOINC projects is an altruist and voluntary action.
If somebody feels unsafe or uncomfortable at GPUGrid, there is always the chance to look for alternatives at other (better?) projects.

Padanian
Send message
Joined: 1 May 09
Posts: 7
Credit: 6,670,734
RAC: 36
Level
Ser
Scientific publications
watwatwatwatwatwatwatwatwatwatwat
Message 54148 - Posted: 29 Mar 2020 | 19:23:47 UTC - in response to Message 54099.

it's not the GPUGrid app, but the BOINC wrapper does it because it was compiled in "debug" mode so it prints out some app and system related strings to help debug the connection between the app and the BOINC wrapper.
The BOINC wrapper is not GPUGrid's "product".


It is shown on your website as result log of your application. It is not shown on anyone else's project debug logs.
I'm participating on other projects, and only GPUGRID shows such info.
You're wrong.

popandbob
Send message
Joined: 18 Jul 07
Posts: 67
Credit: 32,333,065
RAC: 217,439
Level
Val
Scientific publications
watwatwatwatwatwatwatwatwatwatwatwatwatwat
Message 54149 - Posted: 29 Mar 2020 | 21:48:00 UTC - in response to Message 54148.

You're wrong.


Just because this project uses a different feature to your other projects does not make him wrong.

So perhaps you'd like to get off your high horse and complain to the correct department?

Ian&Steve C.
Avatar
Send message
Joined: 21 Feb 20
Posts: 68
Credit: 929,734,531
RAC: 6,423,934
Level
Glu
Scientific publications
wat
Message 54167 - Posted: 31 Mar 2020 | 14:52:13 UTC - in response to Message 54148.
Last modified: 31 Mar 2020 | 15:17:28 UTC

it's not the GPUGrid app, but the BOINC wrapper does it because it was compiled in "debug" mode so it prints out some app and system related strings to help debug the connection between the app and the BOINC wrapper.
The BOINC wrapper is not GPUGrid's "product".


It is shown on your website as result log of your application. It is not shown on anyone else's project debug logs.
I'm participating on other projects, and only GPUGRID shows such info.
You're wrong.


as has been said, it's the BOINC wrapper.

your computers are hidden anyway. no one can see what you're talking about outside of your screenshot that you posted yourself, so any perceived security concern is kind of moot anyway.
you need to address your concerns on the BOINC forum: Questions and Problems
____________

Post to thread

Message boards : Number crunching : ACEMD3 security issue