climateprediction.net (CPDN) home page
Thread 'Security of the BOINC software and supporting infrastructure'

old_user441277

Joined: 7 Apr 07
Posts: 3
Credit: 58,919
RAC: 0
Message 48026 - Posted: 22 Jan 2014, 18:20:04 UTC

All, if a certain state government was thinking about using spare computing cycles (for 70,000 desktops) to work on a climate model, that state government would need significant assurance regarding the security of the software. What assurances exist, and with whom can I speak about this idea?

Michael K. Hamilton

mo.v
Volunteer moderator
Joined: 29 Sep 04
Posts: 2363
Credit: 14,611,758
RAC: 0
Message 48027 - Posted: 22 Jan 2014, 19:52:59 UTC
Last modified: 22 Jan 2014, 19:53:48 UTC

I don't know whether you are thinking about a real or hypothetical state government, but it doesn't matter because no governments are involved in writing the software.

Several pieces of software are involved. All the projects (climateprediction is a project) run on a software platform called BOINC. Read about it here:

http://boinc.ssl.berkeley.edu/

I expect you've already downloaded it as otherwise I don't think you'd be able to post here. The chief programmer, Dr David Anderson, is at the University of California in Berkeley. He has a full-time and a part-time paid programmer to help.

You can read more about the BOINC software here:

http://boinc.ssl.berkeley.edu/wiki/User_manual

Part of the security of BOINC stems from the fact that there are email lists on which volunteer helpers can post and collaborate with the development process. The openness of this process would in my view make it extremely difficult to subvert.

The climateprediction climate models are based on climate models devised and used by the UK Met Office (called the Unified Model). The climateprediction (CPDN) programmers adapt these models for the specific research being undertaken and configure them for the three platforms: Windows, Linux and Mac. The core research staff are at the University of Oxford, but they collaborate with researchers at a number of universities, notably Southampton in the UK but also others in South Africa, Australia and the USA. The collaborative research is being extended to other countries.

I suggest that in the blue menu on the left of this page you explore the Main page link. On the About page you will find a link to some of the staff involved in CPDN, both programmers and researchers.

If you have more specific concerns please tell us what they are.

Les Bayliss
Volunteer moderator
Joined: 5 Sep 04
Posts: 7629
Credit: 24,240,330
RAC: 0
Message 48028 - Posted: 22 Jan 2014, 20:55:13 UTC - in response to Message 48026.  

To add a bit (but not much):

BOINC itself is open software, and all of the bits, both for the server side, and for the client side, (i.e. the computers which run the models), can be downloaded from the BOINC site, along with instructions for assembling them, and for creating a project.

It can then be examined, and if desired, modified.
This has already been done by WCG (World Community Grid), I think sponsored by IBM. The version that they run is different in several areas, which causes problems for people who are used to "standard" BOINC, who then join WCG.

And the climate models, as Mo has said, were written and developed by, and are owned by, the UK Met Office.

Your unnamed state government would need to get access permission from the Met Office to use them, as do all of the other groups around the world that currently use these modelling programs, including The University of Oxford.
As a foreign state entity, this may involve getting permission from the UK government, because the UK military is one of the main sponsors/users of the Met Office data.

But, then, this state government would probably already have their own climate models which they could use.
The USA for instance have their own programs, as does Australia. (BoM)

There may be a degree of program/data sharing already, but that would most likely be classified.


astroWX
Volunteer moderator
Joined: 5 Aug 04
Posts: 1496
Credit: 95,522,203
RAC: 0
Message 48029 - Posted: 23 Jan 2014, 0:03:31 UTC

Michael,

What sort/level of "assurances" do you seek? Protection for (or from) whom?

To reiterate Mo and Les' advice, said state would be well advised to do a bit of research into historical security of BOINC and CPDN. Finding nothing to cause a national epidemic of hives, the state's lead climate research university program could be funded to develop a project.

The best 'assurance' is the long history of BOINC and the longer history of CPDN.

The state's process would have experts evaluate BOINC's open-source code and work with UK Met Office to satisfy any latent security paranoia which may exist. Two possibilities, either license the software or coordinate with Oxford/CPDN personnel to open a Global or Regional project to accomplish the state's research objective.

Is your question hypothetical? Specific?
"We have met the enemy and he is us." -- Pogo
Greetings from coastal Washington state, the scenic US Pacific Northwest.

old_user441277
Joined: 7 Apr 07
Posts: 3
Credit: 58,919
RAC: 0
Message 48051 - Posted: 26 Jan 2014, 2:27:29 UTC - in response to Message 48029.  

Not hypothetical. I'm working with a pretty innovative CIO for a state government, and he's intrigued by the possibility that unused computing cycles might be put to good use in this way - started as a chat about bitcoin mining.

My question then, is regarding the ability to demonstrate that we would not be bringing an application onto government systems that allows unauthorized access to endpoints - either through the BOINC software or one or more of the grid computing projects. The open-source is a good assurance, as is the long track record, but ultimately we'd want to either see - or help obtain - some kind of security test results.

My role is as a policy adviser on cybersecurity, however my 14 years of postsecondary and 3 degrees are all in earth science. I like what you guys are doing, and yes I've run the model.

More on this later I think. Thank you very much for the thoughtful responses; they were helpful.

- mkh

old_user441277
Joined: 7 Apr 07
Posts: 3
Credit: 58,919
RAC: 0
Message 48052 - Posted: 26 Jan 2014, 2:28:57 UTC - in response to Message 48051.  

PS:
michael . hamilton at ofm . wa . gov

astroWX
Volunteer moderator
Joined: 5 Aug 04
Posts: 1496
Credit: 95,522,203
RAC: 0
Message 48054 - Posted: 26 Jan 2014, 7:11:40 UTC - in response to Message 48052.  

PS:
michael . hamilton at ofm . wa . gov

Michael,

Interesting to learn that we are from the same state. We are covered!

A higher-resolution model, embedded in the Global Climate Model, already exists for the Pacific Northwest; a large number of tasks have been completed for the region...

Perhaps you would be better served by coordinating with Oregon State University. (Phil Mote, unless my old memory fails me.)
"We have met the enemy and he is us." -- Pogo
Greetings from coastal Washington state, the scenic US Pacific Northwest.