NAS Appliances in the School of Informatics

Over the last couple of years, we have noticed that more and more of you are buying NAS appliances: boxes containing a number of commodity disks which can be attached to the network and serve that disk space to other machines on the network. This was a cause of concern to the computing staff because these appliances can raise issues of security and reliability. In an effort to see whether these boxes were meeting a need which might be equally well met by a commodity computing provision, I talked to those of you who had purchased this kind of kit in the last couple of years (and a big thanks to all those who took the time to respond to my request for information).

As expected, the biggest attraction of these devices was that they (with one or two caveats) offered substantially cheaper storage than anything offered by the School or the central University. Also attractive was the fact that people had more control over their storage, allowing them to reconfigure it as necessary, and that units could be bought with more disk slots than were required at first, allowing for low-cost expansion as needs dictated. These are features which would be difficult for the School to match at the moment, and so it does seem that the purchase of this kind of equipment may be justified in some cases.

As mentioned above, however, there are some real security and reliability concerns over these devices. To help people decide whether a NAS appliance may be a good fit for their needs, we have created a page detailing some points to consider when contemplating purchasing one of these devices. We would encourage anyone thinking about using a NAS box to read this page and, if they require further advice, contact the computing staff in the usual way.

Posted in Uncategorized | Leave a comment

User Account Creation and Expiration

Informatics is one of the few schools that maintain their own separately authenticated local user accounts (DICE) rather than using EASE/AD centrally managed accounts. Our accounts are automatically created and expired based on data we receive from the centre. However, this is a much more complex process than it might at first seem.

We need to pull data from a number of central sources to determine whether a local Informatics account should be generated for a user:

  • EUCLID (Edinburgh University Complete Lifecycle Integrated Development) is used to provide data on which students are on our programmes, or on other Schools’ programmes but taking some of our courses, and we use this to create the set of “current” students that need an account. When the programme registration ends for whatever reason (hopefully the result of an award), or the course ends (effective at the end of a session), or the status indicates withdrawal, the local account will enter expiry. There are plenty of issues we see with this data, such as changes of programme/status, or a dependence on when the centre updates key data, which can all cause a lag in local account creation. We also use data from EUCLID to be informed of our “upcoming” students (principally PG students) so that the local account can be created in advance of the actual programme start date.
  • OracleHR/IDM (Identity Management System) is used to provide data on which staff are associated with our School and are entitled to a local account. There are many subtle issues with this particular data set (primarily due to the fact that OracleHR at least was never intended to be a feed of live data), which mean we often see a lag in account creation for staff, which we would prefer not to have. We also see issues with new staff who have transferred from elsewhere in the University. Staff who are not “contractually” associated with our School but nevertheless, for whatever reason, need a local account are also problematic.
  • VRS (Visitor Registration System) is used to provide data on visitors who need a local account (not all do). There are issues with this data set due to upstream bugs that have not been fixed and also with handling aspects of the UUN reconciliation process.

As a meta issue, we also have to track many accounts that traverse from one data set to another (and change associated UUN as they do). For example, a student on one of our programmes may, after finishing, become employed as a member of staff and then leave but be kept on as a visitor. Different account types often overlap as well, either temporarily while traversing or for a longer period of time (for example, a member of staff who is also registered to do a PhD).

So while we deal automatically with the creation and expiration of many local accounts every day, with the vast majority of the few thousand or so we have causing us no trouble, we still often have to deal with anomalies in specific edge cases. Unfortunately, individual anomalies can cause a delay in account creation or can result in erroneous account expiration. Each instance must be manually investigated and progressed.

If you do have an issue with your own account, or an account you have requested for someone else, please contact frontline support, who will be able to investigate.


KeePassX password manager

If you sometimes struggle to remember passwords, a password manager can help. It’s a utility which can store your usernames and passwords in a strongly encrypted personal file, and which can generate random passwords for you.

DICE has keepassx2. It can save passwords to a local file, which it encrypts securely. If you need to access your passwords on another system, copy the file to that machine and download a copy of KeePassX to open it with. It’s available for Mac, Linux and Windows.

To get started, read How to: Use KeePassX, one of the Surveillance Self Defense series published by the Electronic Frontier Foundation.

Users of the older keepassx command will find that their older-format password file can be imported into keepassx2.

If you’re a Windows user you might prefer the similar .NET based project KeePass, which KeePassX was based on – although in fact nowadays both projects are available for a variety of platforms. Current versions of KeePass and KeePassX use the same file format, so you should be able to open your password file with either or both of them.

If you’d also like to use your KeePassX or KeePass file on a phone, take a look at the list of unofficial ports of KeePass on the KeePass download page.


Beware of Domain-squatters

Please take care when you type internet domain names, whether into an address box or at the command line!

Domain-squatters are people who register internet domain names which are very similar to other “real” names.  They do this in the hope of attracting mis-directed traffic, generally either for advertising purposes or so that they can steal credentials for later use.  For example, c.uk is registered to “a non-UK Corporation”, and if you mis-type www.inf.ed.ac.uk as www.inf.eda.c.uk you will be taken to a completely different site altogether.  Roughly half of the possible single-letter .uk domains are registered, as are many two-letter permutations and truncations.

Within Informatics we attempt to block these, by having our own nameservers redirect to the bit-bucket. Many large corporations also register common typos of their own names: for example gooogle.com will redirect to google.com.

Elsewhere though, it’s down to care and vigilance. Don’t just click through unexpected responses. Take a second look to see what’s really going on. And if in doubt, ask.

You can find some guidance on data security on our computing.help pages.
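The kind of second look described above can also be automated. The following is an added example, not part of the original post or of the School's nameserver configuration: it compares a typed hostname against a constructed list of intended names and flags a misplaced dot (the www.inf.eda.c.uk case) or a single-character slip (the gooogle.com case). The function names and the `KNOWN` list are assumptions made for illustration.

```python
def normalise(host):
    """Lower-case and drop surrounding space and any trailing root dot."""
    return host.strip().rstrip(".").lower()


def within_one_edit(a, b):
    """True if a and b differ by at most one inserted, deleted, substituted
    or adjacently transposed character."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0  # index of the first differing character
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        if a[i + 1:] == b[i + 1:]:          # one substitution
            return True
        return (i + 1 < len(a) and a[i] == b[i + 1] and a[i + 1] == b[i]
                and a[i + 2:] == b[i + 2:])  # one transposition
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return longer[i + 1:] == shorter[i:]     # one extra character


def check_hostname(typed, known_hosts):
    """Classify a typed name against the names the user meant to reach."""
    host = normalise(typed)
    known = [normalise(k) for k in known_hosts]
    if host in known:
        return ("exact", host)
    for k in known:
        # Same characters, dots in different places: www.inf.eda.c.uk
        if host.replace(".", "") == k.replace(".", ""):
            return ("dot-shift", k)
    for k in known:
        if within_one_edit(host, k):
            return ("near-miss", k)
    return ("unknown", None)


# Constructed list of intended names, taken from the examples in the post.
KNOWN = ["www.inf.ed.ac.uk", "google.com"]

if __name__ == "__main__":
    for name in ["www.inf.ed.ac.uk", "www.inf.eda.c.uk", "gooogle.com"]:
        print(name, "->", check_hostname(name, KNOWN))
```

A "dot-shift" or "near-miss" result means the typed name is not one of the intended hosts but closely resembles one, which is the case worth stopping on before entering credentials.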


Changes to local mail service

There have been a couple of changes to the local mail services recently. Informatics users should not have noticed any of them, but they are noted here for the record.

mail.inf.ed.ac.uk now only relays from Informatics machines

Due to a misconfiguration, mail.inf.ed.ac.uk had been allowing any machine within the University’s network to relay mail through it. This came to light when a compromised machine elsewhere in the University was sending spam out via us. This has now been tightened up, and only machines on the Informatics network can freely relay mail via mail.inf.ed.ac.uk.

smtp.inf.ed.ac.uk is now running fail2ban

The smtp.inf.ed.ac.uk service has been upgraded to SL7, and at the same time is now running fail2ban. This means that repeated, successive authorisation failures from an IP address will result in that IP address being denied access for a period of time. This is to stop the bad guys from trying to brute force your password. This is similar to the steps taken on the external ssh access machines.

Neil
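To illustrate the behaviour described in this post, here is a simplified model of the ban logic replayed over a few log lines. It is an added example, not fail2ban's own code and not the configuration of smtp.inf.ed.ac.uk: the thresholds are assumptions named after fail2ban's `maxretry`, `findtime` and `bantime` settings, and the log format and addresses are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, named after fail2ban's maxretry/findtime/bantime.
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(minutes=10)

# Constructed log lines (not a real MTA format); documentation-range IPs.
SAMPLE_LOG = """\
2017-01-20T09:00:00 auth-failure 203.0.113.7
2017-01-20T09:00:05 auth-failure 203.0.113.7
2017-01-20T09:00:09 auth-failure 198.51.100.20
2017-01-20T09:00:10 auth-failure 203.0.113.7
2017-01-20T09:03:00 auth-failure 203.0.113.7
2017-01-20T09:04:00 auth-ok 198.51.100.20
2017-01-20T09:30:00 auth-ok 203.0.113.7
2017-01-20T09:45:00 auth-failure 198.51.100.20
"""


def replay(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return (timestamp, ip, outcome) for every line of the log."""
    failures = defaultdict(deque)   # ip -> recent failure times
    banned_until = {}               # ip -> time the ban ends
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event, ip = line.split()
        now = datetime.fromisoformat(stamp)
        if ip in banned_until and now < banned_until[ip]:
            decisions.append((stamp, ip, "rejected"))  # still banned
            continue
        banned_until.pop(ip, None)  # any earlier ban has expired
        if event == "auth-failure":
            window = failures[ip]
            window.append(now)
            while now - window[0] > findtime:  # forget old failures
                window.popleft()
            if len(window) >= maxretry:
                banned_until[ip] = now + bantime
                window.clear()
                decisions.append((stamp, ip, "banned"))
                continue
        decisions.append((stamp, ip, "allowed"))
    return decisions


if __name__ == "__main__":
    for decision in replay(SAMPLE_LOG):
        print(*decision)
```

In the sample, the address with three failures inside the window is banned and its next attempt is rejected, while the address with isolated failures spread over a longer period is never blocked.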


NX service upgrade

On Thursday 26th January we plan to upgrade the NX remote desktop service.

All that will happen is that at about 09:00 we will change the DNS aliases (nx.inf and staff.nx.inf) to point to the new machines. This change can take some time to propagate, so we will not immediately remove access to the old servers; they will be left running as normal until 12:00 Friday 3rd February. This should allow sufficient time for users logged in to finish their existing sessions and move to the new server.

The general access service (nx.inf.ed.ac.uk) will move from piccadilly to hammersmith; the new IP address will be 129.215.202.146.

The staff service (staff.nx.inf.ed.ac.uk) will move from northern to jubilee; the new IP address will be 129.215.33.6.

The SSH key fingerprints will change, which will cause the NX client to request verification. See the NX help pages for the new key fingerprints and further information regarding the NX service.

If you encounter any problems accessing the NX service, please contact us via the Support Form.


macOS Sierra

The university information security office recommends keeping system software up to date as the first basic requirement to protect yourself online.

Users of self-managed machines, particularly laptops and tablets that are used outside the School, need to be particularly vigilant. Computing support rarely recommend installing the initial release of new software straight away, e.g. 10.12.0, as there are inevitably problems to be resolved. In the case of Mac OS X we now recommend that users upgrade to macOS Sierra, if possible, for reasons of security. The current release is now 10.12.3.

Some older machine models are no longer supported, so please do check the requirements online. If you believe that your hardware or application software is not compatible with Sierra and that you need to stick with an older version, then please check that the security fixes for your operating system are up to date.

Recent updates to Sierra, as well as Yosemite and El Capitan, provide important security fixes for browser vulnerabilities, noted in this security advisory.

We have put some initial information about Sierra on the computing help website at macos-releases.

Please remember there is a local mailing list, mac-users@inf.ed.ac.uk, which is a very low traffic list for self-support amongst Informatics Apple users. To subscribe, visit http://lists.inf.ed.ac.uk/mailman/listinfo/mac-users.

 


blog.inf upgrade to SL7

We are planning to upgrade the WordPress server providing blog.inf from SL6 to SL7, and to this end a clone of blog.inf running on SL7 has been set up. If you wish to test that your blog and any associated plugins behave as you expect under SL7, then take a look at the SL7 test server, wobleg.inf.ed.ac.uk, and let us know if you find anything amiss.

WordPress itself will also be upgraded to version 4.6.1 (from 4.5.2), which addresses some security issues and fixes 15 bugs. For more information, see the release notes.

Note that this site is a clone of the live site, and a one-time copy was taken on 23/01/2017. Note also that the site is not accessible outside of the Informatics firewall, and any changes you make to the test site will be temporary, as the test site will be deleted after the live service upgrade.

Please try to do any testing within the next week, as – all other things being equal – the upgrade will take place at some point after 1st February (date to be announced).

Note that it is also intended to upgrade other managed WordPress servers within Informatics to SL7, and a similar process may apply.


Disruption to Informatics services based in Appleton Tower

Following on from the recent reminder of disruption to Informatics and central University systems on Tuesday 10th January, here is a bit more detail.

A fault was recently identified in the Appleton Tower “essential services” electrical supply, which amongst other things powers the basement server room that houses many Informatics and central University systems. Unfortunately, a complete shut-down of this supply is required in order to repair the fault.

This work has been scheduled for the evening of 10th January.

The following websites will be unavailable (from 5pm) for the duration of the scheduled work:

  • Informatics Web CMS service, wcms.inf.ed.ac.uk
  • LFCS website, wcms.lfcs.inf.ed.ac.uk
  • ANC website, www.anc.ed.ac.uk
  • CISA website, www.cisa.inf.ed.ac.uk
  • HCRC website, www.hcrc.ed.ac.uk
  • ILCC website, www.ilcc.inf.ed.ac.uk
  • Peter Buneman 2013 Workshop, pbf2013.inf.ed.ac.uk
  • CLASSiC Project website, www.classic-project.org
  • EMIME project website, www.emime.org
  • Articulatory data corpus, www.mngu0.org
  • Ultrax Speech project, www.ultrax-speech.org

The CDT cluster is also affected, and will be powered down from 4.30pm on the 10th. Some additional maintenance will also be carried out, and it is unlikely that the whole cluster will be back up before 11am the following morning (although individual James nodes may be available before then).

Note that some home directories will also be unavailable from 5pm for the duration, mostly those of students and visitors. To check your home directory (on a DICE machine), use the “homedir” command and look for one of the affected hosts in the output. The second field contains a host/partition pair, and if the host (the bit before “/”) is one of keto, ladon, naga, or cetus, then you will be affected. For example, an affected directory would show as:

% homedir
fred (Fred Smith) : naga/vicepa : /afs/inf.ed.ac.uk/user/f/fred : free 1320.2G (used 39%)
%

If you are affected, but would prefer not to be, contact Computing Support (who may be able to move your home directory to an unaffected server). Note that this is aimed primarily at new staff or visitors who may still have a home directory on an affected server; it is unlikely that UG student requests will be acceded to.

Note that the student.compute server will also be unavailable from 4.30pm on the 10th.

Other servers and services affected:

  • Login server (ssh.inf)
  • Student login server (student.ssh.inf)
  • Remote access server (nx.inf)
  • Projects database (projects.inf)
  • ANC server (trout.inf)

Note that connectivity to Forrest Hill & Wilkie may be lost, as might wireless and ‘phones.

Note also that it is assumed (unless otherwise stated) that all services will be unavailable from 4:30pm on the 10th, and returned to normal service at or before the end of the scheduled “At Risk” time of 12:00pm (noon) on the 11th.

Details of the work scheduled by IS can be found at http://reports.is.ed.ac.uk/alerts/index.cfm?fuseaction=view_alert&alert_id=6406


capturED replacement

The lecture capture system (capturED) that has been in place throughout the University for a number of years is now no longer supported by IS. As a result of the efforts of AHSS (in particular, the Business School), CSE has found an alternative (Panopto) which has been piloted and is now installed in the majority of lecture theatres.

A number of lectures have now been recorded successfully using Panopto. Although it does have its limitations (e.g. in the majority of lecture theatres, it is only possible to capture screen and audio), the feedback so far suggests that it has proved reliable and simple to use. There is now a page on computing.help which links to clear instructions created by PPLS on how to use Panopto.

computing.help.inf.ed.ac.uk/panopto

The pages do, however, refer to contacting PPLS support. If you do have any questions or need support, please contact Informatics support in the usual way rather than PPLS.

You may also have seen a recent news article about the University targeting an improved student digital experience by investing in a state-of-the-art lecture recording system covering 400 rooms. The process has only just started and there is an opportunity to take part in the User Consultation process. If you would like to contribute to this process, you can take a look at:

https://www.wiki.ed.ac.uk/display/LRec/Lecture+Recording+User+Consultation

and add any comments/suggestions that you may have.
