Hey folks,
You're doing a great job, thanks for that!
There is a question about the IT security controls you have implemented for the solution. Do you have any thread regarding this that I could use as a KB for my team? Can you share how you protect the end-user side against theft of their data (PII, credentials, documents, etc.)? How are we protected against loss of control over our computers? These are common questions I have gotten over the last 2 days from my teammates who would like to join the project, but I couldn't find relevant info yet. I hope the Labs have pretty powerful IT security systems implemented and that your network, servers and services are well protected. But how do you maintain assurance?
BR,
George
Security
Moderators: Site Moderators, FAHC Science Team
- Posts: 2522
- Joined: Mon Feb 16, 2009 4:12 am
- Location: Greenwood MS USA
Re: Security
Welcome to Folding@Home!
I am just a user like you, with no association with F@H. I have, however, been a programmer for 40 years and am an author of multi-level client-server applications: PC <<>> interactive server <<>> batch server.
So I am interested in how they handled problems I had.
F@H will only ever use ports 80 and 8080, same as any browser. The client contacts a fixed Assignment Server, and the assignment server hands off the download to a Work Server. (for the last week, beefing up those assignment servers has been a high priority as everyone wants to be assigned work) The work servers are on many University campuses, but the Assignment servers are at Stanford, so the client always contacts the same IP Addresses.
The client is currently only distributed by Stanford. (In the past Sony had Android and PS2 clients; neither is active now.) The client only has read/write access to one directory. (Folks who try custom installs run afoul of this frequently.) There is very exhaustive digital signature checking to be sure what was sent is what was received; it also serves to impede false flag servers.
All the science part of the client is open source, but F@H keeps the communication protocols proprietary. Security by obscurity.
https://foldingathome.org/faqs/miscella ... ty-issues/
Tsar of all the Rushers
I tried to remain childlike, all I achieved was childish.
A friend to those who want no friends
Re: Security
JimboPalmer wrote: The client contacts an Assignment Server, and the assignment server hands off the download to a Work Server.
The connection to the WS uses explicit IP addresses which are a lot harder to hack than DNS names.
Posting FAH's log:
How to provide enough info to get helpful support.
Re: Security
JimboPalmer wrote: The client contacts an Assignment Server, and the assignment server hands off the download to a Work Server.
bruce wrote: The connection to the WS uses explicit IP addresses which are a lot harder to hack than DNS names.
I think there are only 2 Assignment servers and the Client contacts them by IP address, not DNS as well. (I am less sure of this so I did not mention it)
Only using IP addresses makes it harder for false flag servers to mess with DNS to get access. (at the cost of less flexibility for the University's IT departments)
Tsar of all the Rushers
I tried to remain childlike, all I achieved was childish.
A friend to those who want no friends
Re: Security
18.218.241.186
Quoting from a log:
..:..:..: No WUs available for this configuration
14:50:55:WU02:FS00:Connecting to 18.218.241.186:80
14:50:55:WARNING:WU02:FS00:Failed to get assignment from '18.218.241.186:80': No WUs available for this configuration
14:50:55:ERROR:WU02:FS00:Exception: Could not get an assignment
14:53:31:WU02:FS00:Connecting to 65.254.110.245:8080
14:53:32:WARNING:WU02:FS00:Failed to get assignment from '65.254.110.245:8080': No WUs available for this configuration
Posting FAH's log:
How to provide enough info to get helpful support.
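
Added example, not part of any post in this thread and not Folding@home's own code: one way to check a client log against the claims made above (connections only to known server IP literals, only on ports 80 and 8080). The line format and the two server addresses are assumptions taken from the log excerpt in the thread, not an official server list; the function name and the extra sample lines are constructed for the example.

```python
import re
from ipaddress import ip_address

# Ports the thread says the client uses.
ALLOWED_PORTS = {80, 8080}
# Assumption: the two servers seen in the thread's log excerpt, not an official list.
KNOWN_SERVERS = {ip_address("18.218.241.186"), ip_address("65.254.110.245")}

# Assumed line shape, from the excerpt: HH:MM:SS:WUnn:FSnn:Connecting to host:port
CONNECT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}):(?P<wu>WU\d+):(?P<slot>FS\d+):"
    r"Connecting to (?P<host>[^\s:]+):(?P<port>\d+)\s*$"
)

def audit_connections(log_text):
    """Return (time, host, port, reasons) for every unexpected destination."""
    findings = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue  # WARNING/ERROR and other lines are not connection attempts
        host, port = m["host"], int(m["port"])
        reasons = []
        try:
            if ip_address(host) not in KNOWN_SERVERS:
                reasons.append("unknown server")
        except ValueError:
            # A DNS name here would contradict "the client contacts them by IP address".
            reasons.append("hostname instead of IP literal")
        if port not in ALLOWED_PORTS:
            reasons.append("unexpected port")
        if reasons:
            findings.append((m["time"], host, port, reasons))
    return findings

# Constructed sample: the first three lines follow the thread's log,
# the last three are made up to exercise each check.
SAMPLE_LOG = """\
14:50:55:WU02:FS00:Connecting to 18.218.241.186:80
14:50:55:WARNING:WU02:FS00:Failed to get assignment from '18.218.241.186:80': No WUs available for this configuration
14:53:31:WU02:FS00:Connecting to 65.254.110.245:8080
14:55:02:WU02:FS00:Connecting to 192.0.2.10:8080
14:56:40:WU02:FS00:Connecting to assign.example.test:80
14:57:11:WU02:FS00:Connecting to 18.218.241.186:4444
"""

if __name__ == "__main__":
    for t, host, port, reasons in audit_connections(SAMPLE_LOG):
        print(f"{t} {host}:{port} -> {', '.join(reasons)}")
```
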