- 1 Can I be sure IBM really runs World Community Grid?
- 2 Can I be sure the software is what it says it is?
- 3 Can I be sure the software has no known vulnerabilities?
- 4 How is the grid kept safe from hackers?
- 5 Is there anything I can do to further reduce BOINC's attack surface?
New members often have security concerns about World Community Grid. Letting any organisation use your computing resources isn't a decision to take lightly. Here are answers to the most common questions:
Can I be sure IBM really runs World Community Grid?
World Community Grid isn't merely funded by IBM - it is managed and run by IBM staff. IBM often promotes World Community Grid on ibm.com. Here is the latest press release from IBM concerning World Community Grid: http://www.ibm.com/ibm/ibmgives/news/african_climate_home.shtml
Also, have a look at this video where Stanley S. Litow (President, IBM International Foundation and Vice President, IBM Corporate Community Relations), and Ligia Elizondo (Deputy Director, Bureau for Resources & Strategic Partnerships, United Nations Development Programme) talk about World Community Grid.
Can I be sure the software is what it says it is?
All the World Community Grid software is digitally signed. The BOINC software is signed by the University of California.
Can I be sure the software has no known vulnerabilities?
IBM does regular security audits of the software. This includes the agent software that you download, and the project software written by the scientists. The BOINC software is open source, so security bugs are usually found very quickly. Make sure you use the version of BOINC recommended by World Community Grid. Other versions have not undergone the rigorous testing process by World Community Grid.
How is the grid kept safe from hackers?
The World Community Grid servers are located in a secure IBM data center. Their physical security is as good as it gets. All the communication between World Community Grid and your computer uses SSL. This is the same level of encryption used by websites for online shopping and banking.
The last part is up to you. You need to keep your own computer secure and up to date, running the latest firewall and antivirus software.
Is there anything I can do to further reduce BOINC's attack surface?
Yes! Run BOINC with minimal permissions, as a service/daemon. In addition, you can set these advanced options in cc_config.xml:
This option prevents users from attaching BOINC to additional BOINC projects. Make sure you attach to World Community Grid before setting this option!
To determine if a physical network connection exists, the client occasionally contacts a highly-available web site (google.com). If this flag is set, this behaviour is suppressed. This flag also suppresses a periodic fetch of a project list from boinc.berkeley.edu. Note: BOINC 6.2.28 contacts ibm.com instead of google.com.
This option prevents sending your private IP address and domain name to servers. Note: even if you don't set this option, your information is not visible to anyone except World Community Grid.
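
The three descriptions above match options in the `<options>` section of BOINC's cc_config.xml; as an added example (not part of the original page), this Python check reports which of them a given file enables. The option names come from BOINC's client configuration documentation rather than from this page, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Option names as documented for the <options> section of the BOINC client's
# cc_config.xml (not taken from this page), mapped to what each one limits.
HARDENING_FLAGS = {
    "disallow_attach": "blocks attaching the client to additional projects",
    "dont_contact_ref_site": "suppresses the connectivity probe and project-list fetch",
    "suppress_net_info": "stops sending the host's IP address and domain name",
}

# Constructed sample: one flag on, one explicitly off, one absent.
SAMPLE_CONFIG = """\
<cc_config>
  <options>
    <disallow_attach>1</disallow_attach>
    <dont_contact_ref_site>0</dont_contact_ref_site>
  </options>
</cc_config>
"""


def audit_cc_config(xml_text):
    """Return {flag: bool} for each hardening flag in a cc_config.xml string."""
    root = ET.fromstring(xml_text)
    if root.tag != "cc_config":
        raise ValueError("root element is %r, expected 'cc_config'" % root.tag)
    options = root.find("options")
    result = {}
    for flag in HARDENING_FLAGS:
        node = options.find(flag) if options is not None else None
        # Only the explicit <flag>1</flag> form counts as enabled in this check.
        result[flag] = node is not None and (node.text or "").strip() == "1"
    return result


def missing_flags(xml_text):
    """Return the sorted names of hardening flags that are off or absent."""
    return sorted(f for f, on in audit_cc_config(xml_text).items() if not on)


if __name__ == "__main__":
    for flag, on in audit_cc_config(SAMPLE_CONFIG).items():
        print("%-22s %-4s %s" % (flag, "on" if on else "OFF", HARDENING_FLAGS[flag]))
```

To audit a real installation, pass the contents of the cc_config.xml in the BOINC data directory to `missing_flags`; restart the client or have it re-read its config files after changing the file.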