Is SMP Affinity Changer Safe?

[scottv67]

Utility for automatical assigning of affinities for SMP folding cores. It works as a service and assigns affinities every 10 mins if needed. Generally this gives up to 10% PPD, which is like up to 1000 additional points for Intel Quad processors.

1.0.3 version is available here:

http://distributed.org.ua/forum/index.p ... topic=1149

ps: i'll try to google old topic and post it here

Hello,

There is a link on your website with the comment "security noobs" that points to a discussion in the Distributed Computing forum on the AnandTech website. I am one of the "security noobs" in that discussion. I am assuming that you labelled me a "noob" because I would like someone to vouch for the author of this program and/or I'd like the author to post the source code for this program so that it can be reviewed by the community. This program will probably never have any commercial value so why are you reluctant to make the source code available?

If the label "security noob" applies to people who don't blindly download software from the Internet without verifying that the program is not malicious, then I guess I am a "security noob".

Until the source is made available for review, I will not be downloading the affinity changing program from your site. I don't care if the program promises a "FREE 1000 PPD increase!1!!1!!!!1111". You can leave the "security noobs" label on your site if you wish. When hundreds or thousands of Folders find their Windows boxes (running the affinity setting program) sending spam or being used for other nefarious purposes, people will be asking "Why didn't we listen to the security noobs?"

Thank you,
-Scott

[rilian]

if you were not security noob, you'd already have firewall installed and see that Affinity Changer does not connect to internet.

!!!111 k ?

from the other side, this program goes from the top of crunchers from top50 world team (Ukraine). that is not enough for you too?

no off3ns3.

[noorman]

if you were not security noob, you'd already have firewall installed and see that Affinity Changer does not connect to internet.

!!!111 k ?

from the other side, this program goes from the top of crunchers from top50 world team (Ukraine). that is not enough for you too?

no off3ns3.

.


Indeed, my ZoneAlarm Pro would tell me immediately if A-Ch wanted to connect to WAN ...

And since my Antivirus program didn't alert me to malicious content, I 'm glad to use the program, certainly now that I 've seen the beneficial effect on production speed; I see it on the core temps too. They are a few degrees higher since A-Ch has been started


.

[petrusbroder]

Utility for automatical assigning of affinities for SMP folding cores. It works as a service and assigns affinities every 10 mins if needed. Generally this gives up to 10% PPD, which is like up to 1000 additional points for Intel Quad processors.

1.0.3 version is available here:

http://distributed.org.ua/forum/index.p ... topic=1149

ps: i'll try to google old topic and post it here

Hello,

There is a link on your website with the comment "security noobs" that points to a discussion in the Distributed Computing forum on the AnandTech website. I am one of the "security noobs" in that discussion. I am assuming that you labelled me a "noob" because I would like someone to vouch for the author of this program and/or I'd like the author to post the source code for this program so that it can be reviewed by the community. This program will probably never have any commercial value so why are you reluctant to make the source code available?

If the label "security noob" applies to people who don't blindly download software from the Internet without verifying that the program is not malicious, then I guess I am a "security noob".

Until the source is made available for review, I will not be downloading the affinity changing program from your site. I don't care if the program promises a "FREE 1000 PPD increase!1!!1!!!!1111". You can leave the "security noobs" label on your site if you wish. When hundreds or thousands of Folders find their Windows boxes (running the affinity setting program) sending spam or being used for other nefarious purposes, people will be asking "Why didn't we listen to the security noobs?"

Thank you,
-Scott

if you were not security noob, you'd already have firewall installed and see that Affinity Changer does not connect to internet.

!!!111 k ?

from the other side, this program goes from the top of crunchers from top50 world team (Ukraine). that is not enough for you too?

no off3ns3.

if you were not security noob, you'd already have firewall installed and see that Affinity Changer does not connect to internet.

!!!111 k ?

from the other side, this program goes from the top of crunchers from top50 world team (Ukraine). that is not enough for you too?

no off3ns3.

.


Indeed, my ZoneAlarm Pro would tell me immediately if A-Ch wanted to connect to WAN ...

And since my Antivirus program didn't alert me to malicious content, I 'm glad to use the program, certainly now that I 've seen the beneficial effect on production speed; I see it on the core temps too. They are a few degrees higher since A-Ch has been started


.

This is an interesting exchange ...

I am very much convinced that it is not too hard to write a program which bypasses a firewall (even a better one than ZoneAlarm) and which does not trigger an antivirus scanner. Because: if it was so hard, then why would all the security software need updating so often?

I think scottv67 rises a valid concern. It is possible to write a trojan which does harm and to hide it in a popular program, which affects only powerful computers, which in turn are working 24/7.

I agree with scottv67 ... because security is not a matter of having a firewall, antivirus program or anti spam filters or other malware protection. Security is located inside the head of the user, who knows what he is doing and does a risk assessment before down loading a unknown program. Some of us value our integrity, the integrity of our computers and we do not want to contribute to the abuse of the internet. IMHO scottv67 is no way a "security noob".

If it is a legit program and if the creators of that program really want to contribute to the scientific purpose of Folding @Home, then they would be interested in the use of the program by all interested. Then it would be very natural to publish the source code or to open it (e.g. with a open source agreement) for contribution from other knowledgable programmer, who probably would help to make it even better and more efficient.

Just my 2 cents.

[Flathead74]

If it is a legit program and if the creators of that program really want to contribute to the scientific purpose of Folding @Home, then they would be interested in the use of the program by all interested. Then it would be very natural to publish the source code or to open it (e.g. with a open source agreement) for contribution from other knowledgable programmer, who probably would help to make it even better and more efficient.

Just my 2 cents.

Not even Folding @Home is open source, so I don't think that your example reinforces the point that you are trying to make.
Open sourcing someone's work is not necessarily a "natural" thing.

There are plenty of "legit" programs that are not open source.

Also, just my 2 cents.

[noorman]

.


how many people have payed for a license of a M$ O.S. ?

Have you got the source code of that ?

Have you installed it on your systems without question, or have you written to Bill Gates demanding the Source Code before you 're going to pay for a license for one of his products ???


.

[caferace]

Actually, the application IS already open source according to Google Code: http://code.google.com/p/fah-smp-affinity-changer/

Yet the source is not posted. That's a very strange (and totally non-GPL) way of doing things.

-jim

[petrusbroder]

.


how many people have payed for a license of a M$ O.S. ?

Have you got the source code of that ?

Have you installed it on your systems without question, or have you written to Bill Gates demanding the Source Code before you 're going to pay for a license for one of his products ???


.

Question 1: Probably too many - if they had not, then probably MS would not be that large - and what has that to do with this issue?

Question 2: Do you? But: there is an company (OK, quite a few people do not like that company, but so what?) which takes responsibility for the software. If they screw up, it hits where it hurts the most: in the pocket book.

Question 3: No, not without question, not without reading, looking around, checking it out and testing it (since DOS 2.1 and Win 2.0). There are quite a few versions I have not installed because I did not like what they did.

OTOH: If a software which is being sold through retail channels is malicious, the sellers and the publishers of that software are liable for damages.
If software is given away (freeware or open source) the there is some one who takes responsibility, adds his e-mail, a phone number, his site. I can check out the software.
This software is published anonymously, where - AFAIK - nobody has taken responsibility for the software. I have not been able to find a name of the author, no e-mail, nothing. He has -AFAIK- no reputation for good or bad software. He is just a name in a forum. Why? Is the dev not happy with his product? Is the programmer not proud of his accomplishment?

Come on, would you accept some unknown food item, which you have not seen, smelled, tasted before from a person whom you do not even know the name of, whom you do not know which company he/she represents, not knowing if that company or person is trustworthy and who is giving it away for free? Would you fill your car with a fuel which you did not know what it was? Wouldn't you check it out if it did not come from a pump or company you could trust? I would not. My computers are very important for me. They do a lot of work - not only folding. I will not put any kind of software on them without knowing anything about it. Nor should you.

[petrusbroder]

If it is a legit program and if the creators of that program really want to contribute to the scientific purpose of Folding @Home, then they would be interested in the use of the program by all interested. Then it would be very natural to publish the source code or to open it (e.g. with a open source agreement) for contribution from other knowledgable programmer, who probably would help to make it even better and more efficient.

Just my 2 cents.

Not even Folding @Home is open source, so I don't think that your example reinforces the point that you are trying to make.
Open sourcing someone's work is not necessarily a "natural" thing.

There are plenty of "legit" programs that are not open source.

Also, just my 2 cents.

I agree. But: behind Folding@home is a reputable organization, the project is checked regularly (especially by those who fund the research - the paper work the scientists have to do is very demanding!!!) and there are people which take responsibility for the product. If they screw up they loose big: the crunchers disappear, there are no results, they loose funding, they loose their jobs and get a very bad reputation which in turn prevents them from doing research... . Quite an incentive for quality control, wouldn't you say?

I am not saying that all programs should be open source. I am just saying that some one should take responsibility. Please see my previous post.

What happens to the author of this program if it behaves maliciously in lets say 9 days? Nothing! He may not even get thrown out from his team. He may be banned, but can change his IP and his login and can be back again in no time. He gets a bad reputation for some time, but may change his handle and that is all. OTOH: he may be doing something very good. Why does he not claim credit for it then? That makes me suspicious.

[petrusbroder]

Actually, the application IS already open source according to Google Code: http://code.google.com/p/fah-smp-affinity-changer/

Yet the source is not posted. That's a very strange (and totally non-GPL) way of doing things.

-jim

Hi Jim,
Yes, I agree, very strange. And that makes me think.

[caferace]

FWIW, the named dev nick4eva openly aligns themself with a group/website by the name of 0day.kiev.ua in their sig. You can see that on the link provided by the OP in this topic at http://distributed.org.ua/forum/index.p ... topic=1149 Innocent fun? I don't know...

While the vast majority of virus scanning products have no issues with the code, at least one triggered a problem with it, as seen here: http://www.virustotal.com/resultado.htm ... c4e5089709

Prevx1 V2 2007.12.22 Heuristic: Suspicious File With Covert Attributes

Personally, I'm all for anything that will help my many computers crunch better. I'd like to use this, if the author would be more forthcoming. If it's a language issue I have a Ukrainian co-worker who would be happy to translate when speaking/emailing directly to the dev.

-jim

[Flathead74]

Having a virus scanner report a problem with a file is nothing new.
There were several reports in the old FCForum stating that someones virus scanner
reported that the folding @ home files themselves were bad.

I use the Affinity Changer myself, since it was first offered, well over nine days, and I have found no problem with it.
On the systems which I use it, it produces an increase of 9 - 10%.

Nothing is for everybody, and if one is uncomfortable using this program, or any other, then they should not use it.

Simple as that.

It really makes no sense to to hassle and haggle the author or his teammates over it,
or to cast false aspersions over the programs abilities and intents.

The only thing that they are guilty of, as far as I am concerned, is trying to help the fah community.
They could have easily, and selfishly, kept it to themselves.

Personally, I think they did a good thing.

[Flathead74]

FWIW, the named dev nick4eva openly aligns themself with a group/website by the name of 0day.kiev.ua in their sig. You can see that on the link provided by the OP in this topic at http://distributed.org.ua/forum/index.p ... topic=1149 Innocent fun? I don't know...

They have a folding team, just like anandtech, fold4life, and thousands of others.
Why do you keep trying to defame them?

While the vast majority of virus scanning products have no issues with the code, at least one triggered a problem with it, as seen here: http://www.virustotal.com/resultado.htm ... c4e5089709

Prevx1 V2 2007.12.22 Heuristic: Suspicious File With Covert Attributes

Personally, I'm all for anything that will help my many computers crunch better. I'd like to use this, if the author would be more forthcoming. If it's a language issue I have a Ukrainian co-worker who would be happy to translate when speaking/emailing directly to the dev.


-jim

Perhaps a better approach would be for you and your Ukrainian co-worker to write them and ask for clarification?
Have you tried?

Just wondering, no offense intended.

[caferace]

1) I believe this was the forum where I first heard of the product. Hence, the established communication medium. The original site has no way to get in touch with the programs developer.

2) Rilian, the original poster linked directly to a topic on Anandtech where one of my fellow crunchers was curious about the origins of the software and questions regarding it's peer oversight. In turn, the same poster scottv67 was mocked by Rilian here as well as a "n00b" and told to monitor his firewall. Nice.

3) The developer placed v 1.02 on the Google Code website on Oct. 23rd under a GPL v3 license. That license requires that source code is released. A GPL license can provide some assurance that the code have been peer reviewed and is safe for general usage. Yet asking for source code here where the application was announced was met with scorn. Checking the code repository on Google shows the directories are empty.

Distributed Computing in general requires an inherent sense of trust within the community. Installing and running programs on high performance machines connected to remote and often unknown locations as a user with administrator rights takes that to a very high and inherently risky level. It is only correct that as DC participants, we question not only the safety of our resources but the potential problems that may arise if our circle of trust is compromised.

The above are irrefutable facts. I'm not mad or on a witch-hunt, but I would like some answers. A security compromise in the DC community would hurt DC badly, and even a brief explanation from the developer is better than silence.

-jim

[caferace]

Perhaps a better approach would be for you and your Ukrainian co-worker to write them and ask for clarification?
Have you tried?

Not yet. This program came to my attention yesterday, and I have no off-hours contact information for her. Nor any contact info for the developer in the Ukraine.

-jim