Alther
Former World Community Grid Tech
Re: IBM -> let /. help you

Whoa! Let's see if I can bring this thread back into reality here for a moment.

First, there seems to be a misunderstanding about the difference between the agent and the application (Rosetta). They are two completely separate programs. The Agent is proprietary and owned by United Devices. Rosetta is also proprietary and owned by the University of Washington (though the source is free under some circumstances). We (IBM) didn't write or own either program.

The Agent is not, nor will it ever likely be, released as open source. It's how UD makes their money. We don't even see the source. That's just the way it is.

As for Rosetta, we've modified it in order to get it to run properly on the grid ("gridified" it).

Yes, I would agree that open source has the potential to be more secure since you can't hide anything from anyone. But if you're really paranoid and have the skills, you can disassemble anything you want and check for security flaws as well. How do you think all those viruses and worms keep propagating via Windows?

On the flip side, open source provides an easy way for malicious people to add back doors and other nasties. Remember, it's only noticed if 1) someone actually looks at the code and 2) understands exactly what the code is doing (and what it's supposed to do). It's easy to hide devious code in plain sight as the chances of the above two requirements happening are fairly low unless you're the primary maintainer of the code and really know it. If you looked at Rosetta, would you be able to tell the difference between complex protein manipulation code and a subtly hidden back door? You might be able to notice it...maybe not. Would you be able to identify these things in 500,000 lines of code?

It's not that an agent or an application can't be done in open source, it's just there are some serious issues that would have to be dealt with.

  • Ensure that someone can't run their own, customized agent. If this happens we need to reject all requests from the client. We need to be able to trust the client.
  • Ensure that someone can't run their own, customized application.
  • Ensure that the data stream can't be tampered with or if it is, be able to detect the tampering.


All of these are dealt with primarily through encryption and digital signatures.

Really, it all comes down to trust. What does IBM gain by injecting trojan horses or allowing surreptitious programs access to run? If we were caught, it would destroy World Community Grid and IBM's reputation. We have a vested interest in making sure it's safe and secure.

People run Apache because they believe it is secure. They believe this, not because they've read the code, but because millions of websites use it and haven't had (many) issues. If I wrote and released a completely new web server with better features than Apache, would you run it? Even if it was open source how would you trust it? Are you going to read every line of source code? Of course not. You're likely going to base your decision on reviews and what other people's experiences are. Same with World Community Grid. How can hundreds of thousands of people be wrong? :)

As for a Linux client, we do plan to have it rolled out sometime in 2005. We will also likely have a beta phase before rolling it out for the public. Mac will also likely happen at or around the same time.
----------------------------------------
Rick Alther
Former World Community Grid Developer
[Jan 9, 2005 6:12:30 PM]
Former Member
Re: IBM -> let /. help you

Alther;
You bring up some valid concerns for both WCG and IBM. However, each of your concerns is faced by others every day. Open source is not the enemy or the problem, IP rights are, if I read the concerns properly. There are ways to control the baselines - the Linux kernel shows that it is possible.
Is it possible for some unscrupulous person to feed back bad stuff - yes - but isn't that why the same segment is sent to different clients to validate results? Is it possible to send an expected response code with the installation so that on first contact the code is sent back from the client to indicate a valid install - could be done for each subsequent contact from the client.
What is done now if incorrect results are returned routinely from a client? Are there any statistics kept to indicate how often a client miscompares with another alternate run of the same data? If not, why not? If security and correct processing are the main concern it would seem there should be some manner to check, cross-check and track where it is originating from and stop the source at its origins.
My point is - if this data is THIS CRITICAL and it is expected to be used AS IS with no additional checks on the part of the USER of the refined data then these are very valid concerns and should be treated as such. Else, I'm not so certain that everyone who is participating would not be liable for the results as a class/group, most especially if the results were later proven false and caused harm. If you tell me now that these are still concerns but I should have no worry in this area - pardon me as I pull the plug on my own continued participation and request that you purge all the results I've returned to date from your server(s). I have little faith in the U.S. tort system for common sense, nor shall I willingly take that chance.
Otherwise, if these are not valid concerns and IP rights are not concerns, it becomes a convenient rebuttal as to why everything needs to be closed.
[Jan 10, 2005 5:21:54 AM]
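
The cross-check asked about in the post above (the same work unit sent to several clients, with statistics on how often each client miscompares), sketched as an added example. It is not World Community Grid or United Devices code; the function names, quorum size, thresholds and sample results are all assumptions constructed here.

```python
import hashlib
from collections import Counter, defaultdict

QUORUM = 2  # assumed: matching results needed before a work unit is accepted


def digest(result_bytes):
    """Compare results by hash; assumes honest clients return identical bytes."""
    return hashlib.sha256(result_bytes).hexdigest()


def validate(returns, quorum=QUORUM):
    """returns: list of (work_unit, client_id, result_bytes).

    Returns (accepted, stats): accepted maps work_unit -> winning digest,
    stats maps client -> [agreements, miscompares]. Units without a quorum
    stay pending and count against nobody.
    """
    by_unit = defaultdict(list)
    for unit, client, result in returns:
        by_unit[unit].append((client, digest(result)))

    accepted, stats = {}, defaultdict(lambda: [0, 0])
    for unit, votes in by_unit.items():
        per_client = dict(votes)  # one vote per client: no self-made quorum
        tally = Counter(per_client.values())
        winner, count = tally.most_common(1)[0]
        if count < quorum or list(tally.values()).count(count) > 1:
            continue  # no quorum, or a tie: reissue the unit rather than guess
        accepted[unit] = winner
        for client, d in per_client.items():
            stats[client][0 if d == winner else 1] += 1
    return accepted, dict(stats)


def suspects(stats, max_rate=0.25, min_units=2):
    """Clients whose miscompare rate exceeds max_rate over >= min_units."""
    return sorted(c for c, (ok, bad) in stats.items()
                  if ok + bad >= min_units and bad / (ok + bad) > max_rate)


# Constructed sample data: client "c3" returns altered results for two units.
SAMPLE = [
    ("wu1", "c1", b"energy=-12.5"), ("wu1", "c2", b"energy=-12.5"),
    ("wu1", "c3", b"energy=-99.0"), ("wu2", "c1", b"energy=-7.1"),
    ("wu2", "c3", b"energy=0.0"), ("wu2", "c2", b"energy=-7.1"),
    ("wu3", "c1", b"energy=-3.3"), ("wu3", "c2", b"energy=-3.4"),
]

if __name__ == "__main__":
    accepted, stats = validate(SAMPLE)
    print(sorted(accepted), stats, suspects(stats))
```

A unit where the two returns disagree (wu3 here) is left pending instead of being blamed on either client, so a miscompare only counts once a quorum exists to compare against.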
Alther
Former World Community Grid Tech
Re: IBM -> let /. help you

I think you misinterpreted my post (or I wasn't clear). I wasn't arguing for or against open source. I was simply explaining our current situation and the potential issues faced with open source. It's not that an open source solution can't be done. Of course it can. It's just not as simple as people make it out to be.

We don't own the code for either the Agent or the application so it's a moot point to ask us to open it. It's not ours to open. This will likely be the case for most applications since we just take existing applications from organizations and gridify them for deployment.

As for detecting bad or malicious clients and results, we already have checks and countermeasures for these situations. Of course the data would be useless to the application owner (ISB in this case) if they couldn't trust the data.
----------------------------------------
Rick Alther
Former World Community Grid Developer
[Jan 10, 2005 8:12:14 PM]