Page 1 of 1

Folding@Home security practices

PostPosted: Fri Apr 17, 2020 5:59 pm
by stuartsoft
I'm interested in setting up a Folding@Home team for my coworkers, but need to do my due diligence of evaluating Folding@Home's security measures before recommending it to them. I've looked through the about pages from the Folding@Home website on the topic of security, and while I was able to answer some questions, other topics were not covered. If you are willing to answer these questions, I'd greatly appreciate your time and answers!

What is the process for adding projects to Folding@Home? Is there an academic peer review process before new Work Units are made available?

What protections are in place to prevent malware from running within Folding@Home Work Units? If I'm giving up my computing power, it would be nice to have peace of mind that it's actually simulating protein folding and not doing something malicious.

Are Work Units encrypted on disk, or is the connection encrypted? From what I've read on the website, Folding@Home has a 2048 bit digital signature that is verified for incoming data and outgoing results. It also makes some mention of Public Key Infrastructure (PKI), but nothing specific.

Re: Folding@Home security practices

PostPosted: Fri Apr 17, 2020 8:41 pm
by HaloJones
All work is created by members of the team of scientists. No outside party is involved with that process. So you either trust the scientists on the project or you don't.

The scientists aren't interested in putting malware on your computers, they're interested in finding cures for diseases.

Connections move work units over either port 80 or 8080. they are then worked on and then returned over the same ports. There is no need to encrypt the data. It contains nothing of any interest to anyone except the scientists.

Look, I get the concerns. But this is a science project that has been running for many years and is attached to serious science institutes publishing their results for others to then exploit to make (hopefully) cures.

This isn't credit card numbers, or personal identifying information. Or passwords. Or anything else. Run it, don't run it. It's not a security risk. Promise.

Re: Folding@Home security practices

PostPosted: Fri Apr 17, 2020 8:47 pm
by JimboPalmer
stuartsoft wrote: Are Work Units encrypted on disk, or is the connection encrypted? From what I've read on the website, Folding@Home has a 2048 bit digital signature that is verified for incoming data and outgoing results. It also makes some mention of Public Key Infrastructure (PKI), but nothing specific.

Making it easier to spoof F@H check sums is not a security goal. No specifics will be supplied, I bet.

Re: Folding@Home security practices

PostPosted: Fri Apr 17, 2020 11:25 pm
by stuartsoft
Thanks HaloJones. Is there a list of Universities/Institutions that these scientists belong to? Obviously Stanford and Washington University School of Medicine.

Re: Folding@Home security practices

PostPosted: Fri Apr 17, 2020 11:28 pm
by PantherX
Welcome to the F@H Forum stuartsoft,

To create a new Project, there's analysis done by the researchers, then internal testing, then Beta testing, then pre-release testing then full release. You can always pause folding and look at the files inside the work directory, they contain simulation data.

Folding is done by FahCore_22 (on GPUs) or FahCore_a7 (on CPUs). They are built using GROMACS (for CPU) and OpenMM using OpenCL (for GPUs). All three are open source and widely used in the molecular simulation field.

WUs don't have to be encrypted but there's a verification done once the WU is downloaded to the client and then once it is uploaded to the servers. If the verification fails, the WU is dumped.

Here's the F@H Consortium page: https://foldingathome.org/about/the-fol ... onsortium/

Re: Folding@Home security practices

PostPosted: Sat Apr 18, 2020 4:12 pm
by stuartsoft
Thank you PantherX!

Re: Folding@Home security practices

PostPosted: Mon Apr 20, 2020 9:56 pm
by bruce
In the interest of scientific validity, several techniques are use to weed out potential falsified or erroneous results. While the WU is running, "sanity checks" are run periodically to catch things like unstable overclocking before the WU gets too far along. Additional validation steps are performed once the results are uploaded before the data are accepted. Rejections are not frequent but they do happen. Even though points are virtually worthless, there's a great appeal to earning more, including various forms of cheating.