Duke ITAC - June 23, 2005 Minutes

DUKE ITAC - June 23, 2005 Minutes


June 23, 2005

Members present : Ed Anapol, Pakis Bessias, John Board, Shailesh Chandrasekharan, Paul Conway, Dick Danner represented by Wayne Miller, Brian Eder, Nevin Fouts represented by Stephen Galla, Tracy Futhey, Michael Gettes, Billy Herndon, David Jamieson-Drake represented by Bob Newlin, Deborah Jakubs, Kyle Johnson represented by Time Bounds, George Oberlander, Mike Pickett, Rafael Rodriquez, Dalene Stangl, Molly Tamarkin, Robert Wolpert, Steve Woody

Guests: Ed Gomes, Perkins Library; Chris Cramer, OIT; Stephen Sopp, OIT; Ginny Cake, OIT

Start time : 4:05 p.m.


I. Review of Minutes and Announcements:

  • Calendar committee

    Michael Gettes says the calendar committee met on Tuesday after the trial and it appears that there is consensus around making a recommendation. The discussion and recommendation will be focused on technical and functional concerns.

    We are hoping that that recommendation will be communicated to Tracy in the next week.

    John Board asks, what is the optimistic time schedule for getting something going?

    Mike Pickett says 18 months.

    Tracy says there is no rush to have everyone on campus with access to, or pushed into, a program.

  • Active directory licenses

    Michael Gettes says on this from there is good news. We have obtained active directory licenses, also known as Windows server licenses, for the university. This includes the health system and students. We are now able to offer basic things like file and print services from a Microsoft-only environment to anybody at Duke.

  • Billy Herndon says Cheryl Crupi, our senior manager for the Office of Web Services (OWS) has resigned effective July 8. Over the past couple years Cheryl was instrumental in creating OWS as a start up group. I've asked Kevin Witte to take on full management responsibilities in the interim. Announcements went out the customers today.

II. Site Licenses: How are they chosen and how do we decide to retire them? - Stephen Sopp, Ed Gomes, Mike Pickett

Mike Pickett says one of the things we've tried to do with site licenses is not only to figure out things that appear on desktops at the university, but also things that might need to show up in labs or software that works across various departments. Back in the 90's, it was relatively easy. There are more and more requests, and pieces we haven't honed, liked how to know when to stop having a site license. About a year and a half ago we created an academic site license process that uses Lynne O'Brien's CIT advisory committee.

Ed Gomes says one of the things we discussed at the end of the last year was changing how the committee operated. One thing was changing the name, because we don't do a lot of site licensing, so we're going to change the name to software licensing. We changed the way we were operating as committee: we used to meet monthly and now meet quarterly, and conduct business via email during the off months. New requests are submitted through the software license page, and the committee then reviews it. We are supposed to get a response back in two weeks. We deal quarterly with things that have taken months to resolve. Our next scheduled meeting is July 20. We're fairly well-represented across the campus from several departments and the health system. When we have questions where we have together additional information, we try to use the mailing lists to get feedback.

As far as the work related to when to retire a license, that did come up in the last quarterly meeting. We're trying to get some kind of a gauge as to how many have been downloaded recently, how many were purchased in the last year or so, and then decide if we need it any more.

Stephen Sopp says as we do have some volume licenses, those are easier to do.

Robert Wolpert asks, how big is this committee?

Ed Gomes says there are about 12 members at the moment?

Robert asks, how are faculty involved in this process?

Ed says they are not very involved, except that when they make a request we ask them to check with their support people to make sure it will be appropriate for what they want to do.

Robert Wolpert says I don't know the best way, but I'd like to see them getting involved.

Rafael Rodriguez asks does everything go through the site license in this respect? One thing we found out recently was that the support we have for McAfee is only so far, it's not available after hours. Depending on what you're using applications for, you have to take in other things than the price and number requested.

Ed says we don't evaluate all enterprise level licenses, though the committee was heavily involved in the discussions about McAfee.

Robert says it may be that the group is doing pretty well, and faculty don't see the need to get involved.

John Board says something we've tried to get our hands around in the past is that a lot of our licenses are sold through the computer store as well, but if you know the “secret handshake” you can get a cheaper copy.

Ed says there is information on the site license website about what is available at the computer store and academic licensed software. In some cases we refer requests to the computer store.

John says in some cases he is worried about the inverse, people coming off the street and buying something that is more expensive than what they could get on the site license website or under the counter at the computer store.

Tracy Futhey asks, suppose we have different license for different constituencies, is that a good thing or is that an issue we should look at? Is that a feature of the system, or is there a way to understand if this is good or bad and something we should do something about.

Ed says this is something we talked about because there is some overlap in the functionality of the programs that we are offering. This committee could probably make a discussion, but we don't want to, just send it out to the discussion groups.

Robert Wolpert says this is an example of a position where would want some faculty input.

Ed says there would be occasions where we'd buy a software package with some overlap with a package we already had because it was so inexpensive to get it.

Molly Tamarkin says it also can be confusing for those licenses that are volume, so people will think we have them and we don't. When I hear people talk about Mac@Duke and Linux@Duke, I think that those organizations could be a good venue to tie in to a supported software list.

Robert says there is also open source stuff that is supported and used across campus that people should be made aware of.

URL for site license website: http://www.oit.duke.edu/site/

III. Update on Password Security - Chris Cramer

There are a variety of things we've been looking at for quite some time regarding strengthening passwords at Duke, particularly NetID passwords. Last time we met, we announced going ahead with password cracking, though we can't do it as often as we would like because there is a lot of manual intervention required. We're looking at making it more regular, so will happen on a three-month schedule. Password cracking has happened twice, but that is not as regular as we would like.

We have done a handful of things to get strong passwords from the beginning. People now get a pre-expired password so they have to change right away. Also, password change has some ability to not let users choose a weak password. There are issues with that, because that only takes place at the Online@Duke site. We are investigating the possibility of doing strong password checks in the Kerberos distribution centers themselves.

John Board asks why is this hard?

Chris says there's a password cracking library we've hooked into Online@Duke and onto the password on Linux programs. But there are many places you can change your password, so we can't affect that. What we'd really like to do is enforce it at the KDC's themselves. One result of migration of the computer abs from Solaris to Linux is it will be much easier to do password checking on machines there.

We're also ready to go live with last, greatest, unencrypted program, FTP. If you want to log into Duke, will be required to use SFTP. There are instructions on Help Desk site for how to do that generally and within Dreamweaver. We're looking at August 1 st for the date for this.

Robert Wolpert asks what do you do when you find a weak password?

Chris says we inform them several times, and eventually expire the password, though not the account, which requires someone to change their password. If they do it through Online@Duke, they create a strong password.

Ed Gomes says you talked about the pre-expired passwords. Is that for staff as well?

Chris says yes, that is for new staff as well.

Robert Wolpert asks if departments that use Kerberos authentication check for weak passwords through similar ways?

Chris says it varies by code – the code we have won't be useful for the Biology department, for example.

IV. SSNs in Department-Level Systems - Chris Cramer

Chris Cramer says we've made excellent progress over last year in making sure we get away from using SSNs in big systems. There are still a couple things out there nagging. Also, there is still question of the departmental levels. How to we get them to stop asking for SSNs?

Tracy Futhey asks are you saying we are almost to the point of declaring success in central systems, but not near success with smaller feeds because they got SSNs a long time ago, or take them in on their own?

Robert Wolpert says one thing we could do to make it easier for them to convert would be to offer to do a free service to convert SSNs to Duke IDs.

Chris says we've done that with some of our conversions, but we could publicize our willingness to work with folks in this way.

Ed Gomes says we've had some problem with faculty members who have had their Duke ID cards for many years, and that card number includes their SSN plus a few digits on one side or the other.

Chris says there was a push early this year to get rid of those, and they tracked down people with SSN cards, called them into the Card Office and reissued their cards for free.

Ed Gomes says we're still getting feeds that include that information.

John Board says this is exactly where there is a leak in a system. We need a cadre of people to watch out for numbers that look like SSNs.

Ed Gomes says what we have run into is faculty saying it is too inconvenient to go and get a new card.

Tracy Futhey says despite the success we've made already, are there more specific things we should try to do to protect ourselves?

Chris says there are some things. I suspect many of these SSNs come out of the business managers. We need to work with them to find out where they are coming from and eliminate them.

Mike Pickett says the business managers across campus are divided into four groups and they meet regularly.

John Board asks can we get Chris on their agendas?

Mike says absolutely.

V. Update: Recent Security Issues at DUHS - Rafael Rodriquez

Rafael Rodriguez says the security breach was as at the medical center at the school of medicine. The web application was coded in handling SQL codes and allowed an exploitation of the SQL server. They picked this up from a department than no longer exists and broke into the SQL databases through those servers. They took information from a series of databases: in some it was passwords that were stored and encrypted, in others it was partial SSNs.

Some of the takeaways: common sense is an oxymoron. We were already changing to internal users to use web auth. With some of the external users have we information on. We have this information because they're registering for conferences, some through the alumni office. The passwords were frankly unneeded: I don't understand why if someone is registering for a conference they need a password. Also, there is absolutely no need for SSNs or partial SSNs. So, we're looking for any system where partial SSNs are kept. And I'm challenging, why are we using passwords? What is the purpose of that?

George Oberlander suggests that maybe they have passwords because if there are optional elements, they may want to make it available to change those at a later date.

George says as an institution we have a huge vulnerability, we make contracts without specifying any level of security. Recently one of my department's business managers brought in two large plasma displays for public use. The login was http-based and not encrypted. I caught it and said we wouldn't install it and contacted their tech people, and they said “It's not a problem because its against the law.” One way to prevent this is to require that all contracts with some degree of exposure is require that certain things be checked.

afael says his biggest concern is in the health system. Medical devices are a huge problem, because a lot of things have been set up by vendors with zero password, and they say they can't to anything because of FDA regulation. This is a very serious problem.

VI. Telcom Building Planning - Michael Gettes

Michael Gettes says we have this problem that we are out of space, power, and cooling for computer equipment. Since OIT moved to ATC in January, we are now in a position to look at the Telcom Building and ask, is it appropriate? It is a three-story structure with a 1970's style central office. Structurally, can it handle computing equipment? What has to change, how much is it going to cost to renovate this structure, and how long will it last? We are now collecting information to see what we've got; we're looking at the health system to see if we can use space there as a backup; and we're also looking at schools and departments to find out what their needs are.

At this point the building is three floors, the top floor is the central office we can't disturb, though a portion of that floor could be allocated to a school in departmental computing, depending on what people's needs are. The first floor is potentially an OIT space, the basement for DHTS, or some combo therein. Its kind of open ended, but right now we're concentrating on if the building is suitable. The current intent is there will be no offices in there except on a temporary basis to perform whatever necessary work. We have approval to move ahead, architects are working to develop a proposal, and -this is extremely ambitious – we're aiming for the mid-august time frame so we can pass them up to Dr. Trask, Tracy , and whoever else. We're moving as quickly as we can because we're all desperate.

John Baord says as a fraction of the CSEM cluster now, what kind of department/school level computing relief will it be able to house?

ichael says the current renovation is about 1000 sq feet, doubling the space we've got, which would take us to about 600-800 nodes.

VII. NLR Status & NLR/I2 Organizational Level Discussions - Tracy Futhey

Tracy Futhey says for a while now we've had Phase 1 of the NLR complete, that is, the optical networking equipment from southern California to Washington, across to Denver, Chicago, Raleigh, Atlanta and Jacksonville. The first actual wave out of this location took place a few weeks ago. We're in process of enhancing that with new stuff from Cisco. Beyond that, at Layer 2 we have service that includes all of that footprint right now. Raleigh 's switch has just come live in the last week, so we can now dedicate 1 GB Ethernet channels wherever we need, within reason, from that location. This Phase 2 piece of the footprint is coming up over the next couple of months. If you have or know of research that requires high-end networking capabilities, please make those known, because we'd love to have a connection from the Raleigh hub that is Duke. Also, if you are working on collaborations with UNC or NC State, we can also enable those.

There have been questions since we started NLR, why are you doing this separate from Internet2? Doesn't it do the same thing? The answer was yes it was, but it no it wasn't, because as Internet 2 provides networking for everyday higher ed, it couldn't provide the infrastructure that research might require. We're driven by expectation that over time we might need to migrate to optical networks that will allow us to do production work and research. That's the technical reason we pushed ahead with NLR. For past several months we have been in discussions with Internet2 about the possibility of merging functions and saving us money rather than creating two things that serve the same function.

VIII. Internet2 and CSG - Mike Pickett, Michael Gettes

Michael Gettes says from Internet2 in the middleware space there is a lot going on with In Common, the higher ed federation in the U.S. It started up 2 or 3 months ago, and it now consists of 20 institutions. Their website is www.incommonfederation.org. Also, there has been lots of work and discussion with U.S. government on federal e-authentication and how it is aligning with Shibboleth and In Common. It looks like Shibboleth is becoming more generally recognized as the thing that's working. Just after Internet2 was the first meeting for Eduroam. Eduroam started last September or October. It is coming out of the European community and now is made of 21 countries. This means that through the use of radius generally used by network folks to authenticate networks to themselves, they are now using it for something it was not intended to do: to find other networks and establish hierarchies, tunnel back to the home institution, and give access to a visiting site.

Problems: it's hierarchical – this tends not to work well with institutions in the U.S. Also, the visiting site doesn't have any say in the matter. We also want to put in mechanisms that deal with privacy issues. I'm involved in this working group, and another person really involved is Kevin Miller, who is doing much of the work on architecture and the gory technical details that will allow this to work in the next generation mode. Yes, we do have interest in using this at Duke so researchers visiting Duke can use their home credentials to authenticate at Duke. There is hope that we will be able to demonstrate this at the next Internet2 meeting at the fall in Philadelphia .

Mike Pickett says the long workshop on next-gen media services was largely spent talking about information commons. With video conferences and the connection project, they have learned so far the ergonomics are really important. Life-size images and plasma screens are important to make people comfortable; audio quality more important than video quality. An OSU study about preferred-learning said all people prefer a type of study, and if you tailor a type of study to that, they see improving and dropout rates dropping. Whether Web information looks pretty has little effect on learning. Princeton is using a lot of video-on-demand, they believe that close studies of multimedia materials is important, and they are using Moveable Type to incorporate blogs into blackboard. Yale is using a lot of Cflix, and using Cdigix someone can get a license for a piece of media for a semester. Harvard does video taping of lots of lectures, and showed for classes without an attendance requirement that recorded lectures, attendance went down. Also, students often don't watch the whole lecture, go to see a particular part of it. There was another Croquet demo. Digital convergence dealt with small devices. The Class and hand project at Wake Forrest makes a lot of things available for faculty on windows-based handheld devices.

Michael Gettes says in terms of Chandler , questions now being asked, how relevant is this still? There is interest in a recalibration discussion this summer to make sure development is in line with CSG institutions. There are many things Chandler is doing right, but there are some spaces where it might be overtaken by events.

IX. Other Business


End time : 5:30 p.m.