Duke ITAC - April 11, 2013 Minutes
ITAC Meeting Minutes
April 11, 2013, 4:00-5:30
Allen Board Room
- Symantec - Anti-Virus (Richard Biever)
- Dr. Trask
- Multi-Factor Authentication (Richard Biever)
- Co-Lab (Michael Faber, Evan Levine)
Chairman Ashutosh Kotwal announced that the next ITAC meeting will be the last of the semester so it will be a shorter meeting with a reception afterwards.
Dr. Trask will join us today at 4:15, so Richard will present until he arrives and resume afterwards.
An evaluation by groups around campus of the current anti-virus vendor, McAfee, led to a decision to look at other vendors. After reviewing providers in this space, we narrowed the field to two vendors for final consideration, Symantec and Sophos, and selected Symantec based on technical feedback received from the committee. For campus this means that over the next eight to twelve months we will work on removing McAfee from the environment. We have perpetual McAfee licenses, so existing installations can continue to receive updates during the transition. In the next three months there will be communications around implementation and the establishment of a pilot. There will also be an anti-virus client available to staff and students for home use. We look to roll this out in the May/June timeframe.
Richard then went on to update the committee on activity in the world of hacking. It has been an active year. The biggest story of the year came in January/February, when the security firm Mandiant exposed a hacking collective based in Shanghai and backed by the Chinese People's Liberation Army.
Two other issues have come up in the last couple of weeks. The first involved Spamhaus, an organization that maintains blacklists of spam sources. A group that had been blacklisted by Spamhaus launched a denial-of-service attack that took them down. The other involves security changes at MIT. Aaron Swartz was indicted in the past couple of years for downloading library journal articles, and in the process MIT came under heavy criticism and attack. Someone was able, through social engineering, to gain limited control of MIT's domain; servers were hacked and websites were defaced. MIT's leadership wrote a memo about moving from an open network structure to a more restricted network environment.
We've had a few issues of our own, including exposure of printers, primarily those reachable from the public internet. We've had some content management sites defaced, mainly WordPress installations. A professor was targeted by a spear phishing campaign; spear phishing uses a more personal and carefully crafted message than general phishing. We've also had some issues with open DNS resolvers, which can be abused as reflectors in amplification denial-of-service attacks.
Email is still running at about 17% legitimate messages. The rest, roughly 83%, consisting of spam, phishing and virus-laden messages, is thrown away before it ever reaches users. Richard ran a "phish or not phish" exercise, showing legitimate and illegitimate examples of emails that have been seen in the system. We are working to set guidelines for messages sent out by our own systems, since legitimate mail that looks like phishing trains users badly. The security office and support staff get lots of calls about suspicious emails. We are looking into using log analysis to detect whether accounts have been compromised.
A question was raised about how we are keeping up with inbound malicious traffic. Capacity was increased by about 50% in the past month, and we have a process in place to add new edge Sophos devices quickly. We look at metrics every month and evaluate how we are doing. "When we move to Office 365, will we still be doing the spam and phish filtering?" Yes, for incoming and outgoing email; only intra-cloud mail (sender and recipient both within O365) will be handled by Microsoft.
Ashutosh introduced Dr. Trask and started by asking about the China campus. He was particularly interested in discussions about how the technical information flow in and out of the China campus would be handled. Dr. Trask answered that there have been a lot of discussions and a lot of assurances, but until we turn it on we won’t know for sure. We have heard all the right things so far.
Ashutosh also asked about MOOCs. Faculty have reported enjoying the process, and the numbers are extremely impressive. Where is the growth? Are we actively recruiting faculty involvement? Dr. Trask replied that it's a good experiment. We aren't about to become an online university. It could change the landscape, but it's not a way to address severe financial issues. Ashutosh asked about the handling of intellectual property. Dr. Trask stated that we've taken the view that the IP belongs to the faculty. It's not an issue if lots of people look at it; it's only an issue if lots of people are paying for it. We do now have the first cases of reputable schools offering online degrees.
Tracy Futhey asked about the areas in the technology space that we need to be paying attention to in the next few years. Dr. Trask said that we're in pretty good shape on the administrative side and should be able to work with what we have in place. We need to do some work in the academic space. We aren't in any immediate danger, but we still have to make some tough choices about where we spend. Robert Wolpert asked what things we are not going to be able to get. Dr. Trask said that possible challenges would be bandwidth and raw computing, but not as daunting as they used to be since computing has gotten so much cheaper. John Board asked where at Duke there is potential to do big data analysis, and whether we have the infrastructure to do it. Tallman answered that there's lots of data, but that he's not sure what these projects would be. Ashutosh asked if there are unique opportunities at Duke. John answered that most of what Duke has done has been in algorithms, not in actual mining. Robert pointed out that most sciences are involved in big data possibilities. John stated that it hasn't been clear what, if anything, to do for infrastructure, since there are cost-effective commercial resources like Amazon.
Ashutosh asked about the financial front. Last year you said that we were doing OK; is this still the case? Dr. Trask said that we're still in roughly the same spot. The problem hasn't gone away. We did a really good job of protecting all the units. We're finding the right balance of getting units to control their own budgets and not ask for assistance from the Allen Building. We're still running moderate deficits and using reserves. The real operating deficit is probably $10-20M in a $4.5B enterprise, so it's not a big problem. Another thing is that the stock market is about to hit 15,000, but we're not really in the market right now; most of our money is elsewhere. The high-water mark was $6.1 billion before the crash, and Dr. Trask believes that we'll be back to that point by the end of the year. A question was posed: if we had strategic funds to plan with right now, where would we want them to go? Dr. Trask wasn't sure. We haven't really asked, since we don't have the funds. Recent discussion has been around new buildings, but construction levels have dropped, and capital budget projects aren't really in the active pipeline. We've said that the Campaign will become the source of those kinds of discretionary funds.
A few questions were asked about the financial situation of particular departments or schools. Every school is different, but some are more vulnerable or have issues that are more structural. There are also special issues that relate to our two largest schools, A&S and Medicine, which together make up 69% of the university. We'll get there; we aren't that far off. We're trying to find collective ways to cut expenses and increase revenues. We're doing better. We're back at equilibrium, but we don't have lots of free capital to invest in big things.
Multi-factor authentication adds a second requirement to the authentication process beyond the password, hopefully without impacting users too much. We looked into how we could add the additional authentication token while allowing users a variety of ways to supply it. We also looked at ways for IT to enforce it for specific populations as well as ways for the general population to opt in.
Duo Security gives us the ability to offer multiple forms of second factor. We also have the ability to issue backup codes for unexpected emergencies.
The project plan is to do a series of communications and demonstrations. The pilot is set to run through the middle of the summer, and we will start a second pilot based on feedback from the first. We will develop service desk tools and policies for use, and integrate with the VPN, PeopleSoft and SAP. We will roll out to IT administrators and "power users" by the end of summer or early fall; these are users with higher than typical access, where security matters most. We will also make it available for optional use by faculty and staff.
Shilen Patel then did a demonstration. There’s a three step process for registration.
Step 1 is to set up challenge/response information. Step 2 is to register your phone with Duo and, if you are using a smartphone, activate the app on the phone. Step 3 is to configure a website to use multi-factor authentication; for instance, the admin for a website might be required to use a second factor when accessing it as an admin.
Shilen also demonstrated ways to use a second factor when the internet or a phone isn't available, by using backup passcodes. If internet access is an issue, backup passcodes can be obtained by phone; if phone access is an issue, they can be obtained via the internet.
Another option is a hardware token that generates a code to use for access. There is also the YubiKey, a USB device that acts as a keyboard and types a one-time code into the login form. This requires no driver and works on any computer.
Richard pointed out that this could also be made available for SSH. The use cases would be IT administrators and researchers working with protected data. Richard said that we are looking for people to participate in the pilot; we want to know where it works and where the pain points are. Richard said to email firstname.lastname@example.org to request to be in the pilot.
We're also looking at VPN integration.
John Board pointed out that Duo exists in "the cloud" and asked what happens if it fails. Richard said that we can set it to fail in open mode, which might not be the best plan. There are also options to run it on premises. We're not sure right now which way we'll go.
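The fail-open question above is the one an administrator actually has to answer in configuration, and it applies directly to the SSH use case Richard mentioned. The following is an added example, not Duke's or Duo's own code: it shows the two settings side by side in Duo's PAM module configuration file and a small audit function that reports which way a given config will fail. The `ikey`, `skey` and `host` values are placeholders, both sample configs are constructed for this example, and the audit only looks at the `failmode` key.

```shell
#!/bin/sh
# Added example (not Duke's or Duo's code). Duo's PAM module (pam_duo) reads
# /etc/duo/pam_duo.conf. The keys that matter for the "what if the cloud
# service is unreachable" question are:
#   failmode = safe    -> let the login proceed on password/key alone when Duo
#                         cannot be reached (fail open; pam_duo's default)
#   failmode = secure  -> deny the login when Duo cannot be reached (fail closed)
#   groups   = ...     -> only require the second factor for these Unix groups

# Constructed sample: a pilot-style config that fails open.
FAIL_OPEN_CONF='[duo]
ikey = DIXXXXXXXXXXXXXXXXXX
skey = deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
host = api-xxxxxxxx.duosecurity.com
failmode = safe
pushinfo = yes
'

# Constructed sample: the hardened equivalent for admin/jump hosts, where a
# Duo outage should block logins rather than silently drop to one factor.
FAIL_CLOSED_CONF='[duo]
ikey = DIXXXXXXXXXXXXXXXXXX
skey = deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
host = api-xxxxxxxx.duosecurity.com
failmode = secure
groups = wheel
pushinfo = yes
'

# duo_failmode: read a pam_duo.conf on stdin and print the effective failmode.
# A missing key is reported as "safe", because that is pam_duo's default, so
# an unconfigured file is correctly flagged as fail-open.
duo_failmode() {
    mode=$(sed -n 's/^[[:space:]]*failmode[[:space:]]*=[[:space:]]*\([a-zA-Z]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${mode:-safe}"
}

# duo_audit: print a verdict for a config file path; return 1 if it fails open.
duo_audit() {
    mode=$(duo_failmode < "$1")
    if [ "$mode" = "secure" ]; then
        printf '%s: failmode=secure (fails closed when Duo is unreachable)\n' "$1"
        return 0
    fi
    printf '%s: failmode=%s (FAILS OPEN when Duo is unreachable)\n' "$1" "$mode"
    return 1
}

# Stand-alone run: write both constructed samples to a temp dir and audit them.
tmpdir=$(mktemp -d)
printf '%s' "$FAIL_OPEN_CONF" > "$tmpdir/pilot.conf"
printf '%s' "$FAIL_CLOSED_CONF" > "$tmpdir/admin.conf"
duo_audit "$tmpdir/pilot.conf" || :
duo_audit "$tmpdir/admin.conf" || :
rm -rf "$tmpdir"
```

To put pam_duo in front of SSH, the module is added to the sshd PAM stack (`auth required pam_duo.so` in `/etc/pam.d/sshd`) with `UsePAM yes` and `ChallengeResponseAuthentication yes` in `sshd_config`. Leaving `failmode` at its default means an outage of the cloud service quietly reduces every SSH login on that host to a single factor, which is exactly the trade-off John Board was asking about; `failmode = secure` turns the outage into a visible denial instead.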
Michael and Evan presented an update on Co-Lab. The previous presentation was given a couple of months ago, before the launch of a new challenge; that challenge has now wrapped up and went very well. The Git repository has been useful for students, faculty and staff who need a code repository. The virtual machine requisition process has been going well; we will check at the end of the semester to see how users are doing. Studio nights on Tuesdays have been happening to build an involved community, with consistent attendance of about 15. There are about 80 people on the mailing list and 120 on the Facebook page. We are building partnerships by meeting with Judd Staples at I&E and with faculty working in this space, and getting a better understanding of where we belong and don't belong. We're also working with American Underground, which has a lot of potential as a collaborative space. We're getting on the radar of other initiatives at Duke, like Howie Rhee at Fuqua. A suggestion was made to talk to Linda Franzoni at Pratt.
Part of what we want to do is involve and connect people who have ideas with the people who can do projects. Most of the people there aren’t necessarily engineers. We’re continuing to develop a database of mentors, students, young alums and local entrepreneurs.
We've had two major events. The first was co-sponsoring the HackBlue hackathon on April 6-7. This was entirely student run. There were 65 participants on Saturday and 14 finished projects on Sunday. The event was also sponsored by Google, Palantir and GitHub, who provided swag and engineers; it served as a recruiting effort for those companies as well.
The winning team was "iDrum". They did camera-based drumstick recognition combined with audio processing to make a game interface, essentially a drum version of "Guitar Hero". They made great progress in 24 hours of development.
The second place team was "Hover", a full computer-to-iPad interface.
The Co-Lab challenge started 8 weeks ago. Ten projects did four minute presentations on Tuesday night. Tracy and Charley were judges along with Adam Cue and Ajay Patel.
DevilPrint took the top prize of the night. They wrote an iOS application that solves ePrint printing from iOS devices. This was the perfect kind of project, in that it solves a problem that OIT was not solving.
HackDuke won honorable mention. HackDuke scrapes data from a number of places at Duke, such as ACES, the events calendar and the directory, and its author wrote an API that lets you send an HTTP request and get a response. It's an impressive meta-project that could generate other apps. Michael showed two apps that had been built easily on top of it. The first is "around me", which populates nearby events on a map. The second was "course tree", which generated a nice data visualization of the course catalog data.
These examples are important. The number one lesson is that if we don't build it, they will. This is great for things like DevilPrint, and ultimately it's what we need, but we want a little more control over something like the HackDuke project, so that it is more complete and sustainable. An important point is that users need access to data. It's the hardest thing to provide, because the data is typically locked up somewhere. A student attending the meeting explained that he wanted to get all the logistical information for facilities and scheduled events and combine it into an app. We can build great apps fast, but we need access to the information. Ultimately HackDuke has the information we want, but it is not obtaining it the way we would want.
We have a couple of things coming up this semester. The biggest is the Duke Mobile Challenge; we hope to get students thinking about the DukeMobile app. There are lots of things coming up for next year. We are working on challenges based on ideas and around video and sustainability. We also want to learn how to integrate faculty more into the process. We haven't been able to do this yet and are looking for ideas and ways to get faculty involved. Evan noted that student time is limited; it would be great if we could overlap with course work. For example, the proposed video challenge is based around a course assignment for an "Innovation and Media" class in the fall.