Security question

Posted: Sun Apr 12, 2020 8:55 pm
by Smashprod
I'm a newbie who just installed the client on my MacBook. How should I configure the software for the best security? I use this laptop for all of my personal information.

Re: Security question

Posted: Sun Apr 12, 2020 9:20 pm
by JimboPalmer
This is what I think I understand.

The software constructs work directories/folders; it would be inadvisable to store any of your personal data in that folder. You may need to omit that folder from your antivirus scanning.

The software has two IP Addresses for Assignment Servers hard coded into it, so it would be very hard for a man in the middle attack to succeed. The assignment servers give the client a work server, also via a hard coded IP Address. So your software cannot easily be deflected to talk to a fake Folding@Home by bad DNS entries. (Any evil intent would have to be in house)

The Client only uses Port 80 and Port 8080, just like a browser, so it has no abilities that IE, Firefox, Safari, or Chrome lack.

Files downloaded have a checksum that has to match, I assume uploads do as well, but I do not see that checksum as I don't run a server.

So if you wish, you can configure your Firewall to restrict fahclient to ports 80 and 8080. In most OSs you can restrict the Folding application to only have read/write permissions in the work folders, and I think that is done by default. Some folks have an overwhelming desire to change the default directories, but I advise against it. viewtopic.php?f=106&t=34226

Re: Security question

Posted: Sun Apr 12, 2020 9:26 pm
by HaloJones
There has never, to my knowledge, been any security issue with FAH in its near 20 year history. I understand your concern, but there are far more dangerous things out there on the web than this application.

Re: Security question

Posted: Sun Apr 12, 2020 10:02 pm
by SeanPearce44
The FAHClient.exe listens on port 36330 and the FAHControl.EXE User Interface (from the Taskbar icon) connects to that port to display the stats...
By default the Client will ONLY allow those connections on the local host internal to any particular machine (127.0.0.1).

You CAN alter this set-up to allow connections from e.g. the remainder of your internal network - OR specific IPs (MUST keep 127.0.0.1 in the list)... Say, if you set up FAH on other computers.

Therefore - if you never open up that port to be forwarded in from the internet (unless you want / need to) there is no danger of anybody / anything connecting TO the FAH installation.

In the above scenario, one can set a password as well which needs supplying to be able to connect.

Additionally, you may apply for a password for your Username - and set that up in your client(s) such that nobody else would be able to use your username - you also get bonus points after 10 WUs for doing so :D
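An added check for the set-up described above (this is example code, not part of the post or the Folding@Home project): it parses `netstat -an` output in macOS/BSD format and reports any address other than loopback on which the command port 36330 is listening, and it validates that an allow list of client IPs still contains 127.0.0.1. The sample netstat text is constructed, and the allow-list format (plain IPs or CIDR ranges) is an assumption.

```python
"""Verify that the FAHClient command port (36330) is only reachable locally."""
import ipaddress
import re
import subprocess

FAH_PORT = 36330
LOOPBACK = ipaddress.ip_address("127.0.0.1")

# Constructed sample of `netstat -an` output in macOS/BSD format (not a real
# capture). Address and port are joined with a dot, e.g. 127.0.0.1.36330,
# and "*" means the socket is bound on all interfaces.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.36330        *.*                    LISTEN
tcp6       0      0  ::1.36330              *.*                    LISTEN
tcp4       0      0  192.168.1.20.36330     *.*                    LISTEN
tcp4       0      0  192.168.1.20.54321     13.58.22.5.8080        ESTABLISHED
"""

# proto, recv-q, send-q, local address, local port, foreign address, LISTEN
LISTEN_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+\S+\s+LISTEN", re.M)


def exposed_listeners(netstat_output, port=FAH_PORT):
    """Return non-loopback local addresses on which `port` is in LISTEN state."""
    exposed = []
    for addr, p in LISTEN_RE.findall(netstat_output):
        if int(p) != port:
            continue
        if addr == "*" or not ipaddress.ip_address(addr).is_loopback:
            exposed.append(addr)
    return exposed


def valid_allow_list(allow):
    """The post notes 127.0.0.1 MUST stay in the list; reject lists that drop it.

    Entries may be single IPs or CIDR ranges (assumed format)."""
    return any(LOOPBACK in ipaddress.ip_network(a, strict=False) for a in allow)


def check_live_system(port=FAH_PORT):
    """Run netstat on this Mac and report where the command port is exposed."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return exposed_listeners(out, port)


if __name__ == "__main__":
    print("exposed on sample:", exposed_listeners(SAMPLE_NETSTAT))
```

An empty result from `check_live_system()` means the port is bound to loopback only, which is the default the post describes.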

Re: Security question

Posted: Sun Apr 12, 2020 10:55 pm
by PantherX
SeanPearce44 wrote:...Additionally, you may apply for a password for your Username - and set that up in your client(s) such that nobody else would be able to use your username...
Just a minor correction: at F@H, usernames are not unique. Thus, there can be multiple Donors with the same username. However, the passkey is unique as it's a combination of username and email address, which allows you to find your points as opposed to yours and others'. Here's the link if you would like to read more about passkeys: https://foldingathome.org/support/faq/points/passkey/

Re: Security question

Posted: Mon Apr 13, 2020 4:42 am
by iceman1992
JimboPalmer wrote:The software has two IP Addresses for Assignment Servers hard coded into it, so it would be very hard for a man in the middle attack to succeed. The assignment servers give the client a work server, also via a hard coded IP Address. So your software cannot easily be deflected to talk to a fake Folding@Home by bad DNS entries. (Any evil intent would have to be in house)
Unless of course the installer was tampered with (e.g. from downloading via an unofficial source).
Would it be possible to add PGP signatures for the files so we can verify authenticity?

Re: Security question

Posted: Mon Apr 13, 2020 10:19 am
by JimboPalmer
iceman1992 wrote:Unless of course the installer was tampered with (e.g. from downloading via an unofficial source).
Would it be possible to add PGP signatures for the files so we can verify authenticity?
It COULD happen, perhaps after the current programmer retires, one of the about 6 people they will need to replace him will be interested in PGP.
Meanwhile, I would stick to getting the installer directly from F@H.

Re: Security question

Posted: Mon Apr 13, 2020 10:20 am
by HaloJones
iceman1992 wrote:Unless of course the installer was tampered with (e.g. from downloading via an unofficial source).
Would it be possible to add PGP signatures for the files so we can verify authenticity?
Or you could just download it from the official source.

If people choose to download Windows from somewhere other than Microsoft they would be foolish. Same here. It's not for FAH to fix people who choose to do stupid things.

Re: Security question

Posted: Mon Apr 13, 2020 10:30 am
by iceman1992
HaloJones wrote:If people choose to download Windows from somewhere other than Microsoft they would be foolish. Same here. It's not for FAH to fix people who choose to do stupid things.
We have seen instances where official websites of some software were compromised and the installers were replaced with malicious ones.
I'm no security expert but it seems from those events, people who downloaded and checked PGP signatures could avoid installing them, so it's not necessarily only for unofficial download sources.

Re: Security question

Posted: Mon Apr 13, 2020 10:40 am
by HaloJones
People who download software and know to check PGP signatures aren't the people who would download software from unofficial sources.

Look, I get the concerns, but if massive software companies can't ensure their software doesn't end up on download sites with deliberately corrupted code, how do you expect a science project with one developer to do it?

The issue isn't an absence of PGP signatures. The underlying problem is people who download software from unofficial locations. That's not FAH's problem.

Re: Security question

Posted: Mon Apr 13, 2020 10:52 am
by Neil-B
... and they can also debate whether PGP Signatures are the best solution https://crypto.stackexchange.com/questi ... comparison (old post I know but makes the point)

Possibly the most telling part of the linked discussion is the tone of the responses: "To be honest, regardless of which one you choose, it will likely be the strongest component of your security architecture."

Yes, FAH software should be moved up to current standards as/when possible (the discussion re Web Server Certificates springs to mind with this), but security is about defence in depth and all parts of a system play a part - signed software packages landing on a system without AV are as much at risk from what else may also be on the system, or from an "insider risk" within the developer/systems administrators team - AND I AM NOT SUGGESTING THAT THIS EXISTS BEFORE ANYONE SHOOTS ME :)

A sensible balance of security and usability is important (but usually argued over what is the best balance) and it is up to the FAH team to deliver what/as they can when they deem it appropriate.

The only truly secure way to protect your systems (and even then only with current technology) is to have them ground up into sub-micron particles and then "shot into the centre of the sun"/"diluted in the oceans of the world", but regrettably that isn't particularly user friendly :shock:

Re: Security question

Posted: Mon Apr 13, 2020 11:22 am
by ipkh
If an official website gets compromised, so does the PGP signature.
Windows and Mac won't install unsigned software, but it's not unheard of for signing keys to be stolen.

Re: Security question

Posted: Mon Apr 13, 2020 11:59 am
by iceman1992
ipkh wrote:If an official website gets compromised, so does the PGP signature.
Windows and Mac won't install unsigned software, but it's not unheard of for signing keys to be stolen.
But that does add an extra step for attackers. Supply chain attacks are getting more common.
Security is about minimizing risks after all, not completely eliminating them.
I don't know how much effort adding PGP signatures will take, but it might be worth considering adding to future updates - lower priority than other tasks of course.

Re: Security question

Posted: Mon Apr 13, 2020 7:43 pm
by PantherX
iceman1992 wrote:...Supply chain attacks are getting more common...
That's correct, so let's investigate the supply chain for F@H (simplified view):
GROMACS (open source) -> F@H Team (researchers plus developer) -> FahCore_a7 (closed source)
OpenMM (open source) + OpenCL (open source) -> F@H Team (researchers plus developer) -> FahCore_22 (closed source)
F@H Team (researchers plus developer) -> FAHClient (closed source)
F@H Team (researchers plus developer) -> FAHControl (open source)
F@H Team (researchers plus developer) -> FAHViewer (open source)

I am omitting the dependencies from the above as I am not fully aware of them, but they are open source AFAIK. Thus, looking at the above, if a supply chain attack were to occur, it would not just impact F@H; it would impact a significant portion of the GROMACS/OpenMM/OpenCL userbase. Plus, F@H doesn't jump to the newest release of those standards, only when there's a significant improvement to the science and it's worth developing it to use the new features, etc. The closed source stuff is managed by trusted people, and do note that V7 was completely written from the ground up and doesn't use any existing code from the previous versions.