On 1 Sep 2001, at 1:38, Dan Geer wrote:
> "Below, we present an implementation of a parasitic computer
> using the checksum function. In order for this to occur,
> one needs to design a special message that coerces a target server
> into performing the desired computation."
This is the same principle that underlies denial of service attacks -- the irreducible residual vulnerability of a system to denial of service is proportional to the amount of work (or time) that system must do (or consume) before it can conclude its initial authorization decision. Ironically, the more precise and complex that authorization decision process, the greater the amount of work that the active (initiating) side of the connection can call on the passive side to perform. This critically bears on protocol and application security design.
--dan
Since I haven't noticed anyone else point this out (apologies for my redundancy if I just somehow missed it), it's worth mentioning that the original result was more of a "gee whiz, it's interesting we can do this in principle" type of thing than an actual threat of something anybody would ever actually do. Yes, you can trick a remote host into performing calculations for you with a specially prepared message, but it requires a hell of a lot more effort to prepare the message than it would to perform the calculation yourself.

George