Right from the FAQ:
I heard the Server can Remote-Execute Code on my Client? WTF?
Yes, the server can do that, and the server uses that only for client consistency checks and dealing with client inconsistencies. Despite security experts turning blue in the face, this is actually a security feature: namely security of the server and validity of the data sent to the server. In order to ensure this data consistency in this specific use case, the server has to have the power to execute Turing-complete checks on clients to trust them. As proof of validity, the client submits itself to the server. Let us rephrase it in simple terms: If you want to board a plane, for the plane's - and thus also your - security, you have to undergo certain scanning procedures and accept some restriction of your freedom, or you will not board that plane. Same story.
So your IP got blocked because you violated the rules.
I do understand that the author needed to implement a way to make sure the data sent to the server is always valid. If not, the whole project fails...
You shouldn't be running this as root and you're still allowed to block all outgoing connections (except the server connection) in order to improve security on your side and prevent the author from abusing your client...
Having said this, I still think you're right about the fact that an MITM attack is possible. The client indeed does not seem to verify the SSL cert.
I assume this is something he can add in a next release?
I'm more concerned about the binaries that are actually doing the work, which seem to be closed source. When I find the time I'll load them up in a disassembler in order to roughly find out what the hell they are up to...
Also, the fact that we can't use GPU acceleration from the beginning is kind of strange. We're not allowed to use GPU acceleration unless we pay 0.1 BTC (= $819!!!) or get our first 3000 GKeys done with a CPU, which takes a long time...
While this project stinks at many places I still believe it's not a fake one...
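One way to apply the mitigation the post suggests (run the client under an unprivileged account and allow its outbound traffic only to the server), as an added example that is not code from the post or from the project; the account name, server address, port and resolver are placeholders to fill in:

```shell
#!/bin/sh
# Added example: render an nftables ruleset that lets one unprivileged
# account reach only the project's server. A client that the server can push
# code to then cannot call out anywhere else, and blocked attempts are logged.
# USER, SERVER_IP, SERVER_PORT and RESOLVER are placeholders, not project values.

# render_egress_rules USER SERVER_IP SERVER_PORT [RESOLVER]
# Prints a ruleset: new connections from USER may go only to
# SERVER_IP:SERVER_PORT (plus UDP/53 to RESOLVER when given);
# every other packet from that user is logged and dropped.
render_egress_rules() {
    user="$1"; server="$2"; port="$3"; resolver="${4:-}"
    printf 'table inet client_egress {\n'
    printf '  chain output {\n'
    printf '    type filter hook output priority 0; policy accept;\n'
    # Flows the user already has open stay open; the allow-list below
    # decides which new ones may start.
    printf '    meta skuid %s ct state established,related accept\n' "$user"
    printf '    meta skuid %s ip daddr %s tcp dport %s ct state new accept\n' \
        "$user" "$server" "$port"
    if [ -n "$resolver" ]; then
        printf '    meta skuid %s ip daddr %s udp dport 53 accept\n' \
            "$user" "$resolver"
    fi
    # Anything else from this account: log with a searchable prefix, then drop.
    printf '    meta skuid %s log prefix "client-egress-blocked: " drop\n' "$user"
    printf '  }\n'
    printf '}\n'
}

# Number of accept rules in the rendered set; confirms the policy stays a
# strict allow-list (2 without a resolver, 3 with one).
count_allow_rules() {
    render_egress_rules "$@" | grep -c 'accept$'
}

# Usage (placeholders): render_egress_rules worker 203.0.113.10 443 | nft -f -
```

Load the output with `nft -f -` as root and run the client as the named account; blocked attempts then show up in the kernel log under the `client-egress-blocked:` prefix.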