College Encryption policy – what we are doing to implement.

Most of you should now be aware that the College recently introduced a policy requiring the encryption of mobile devices and desktops, particularly where these are likely to be used for handling sensitive data.

Sensitive data can include :-

  • email from students to personal tutors or from staff to their line managers about their health
  • PDR documents
  • student assessment
  • NDA, contracts, procurement bids/quotes
  • exam scripts

Briefly – you are required to secure all devices (e.g. mobile phone, laptop) however owned, if you use these for work, or have work access credentials stored on them.

As the first stage of implementing this policy, the computing staff are :-

  • providing guidance at
  • arranging a clinic, with Information Services, in March
  • enabling encryption, before handover, of new
    • Apple and Android tablets
    • Apple Macs
  • enabling encryption of admin staff Windows PCs
  • working towards encryption for DICE desktops

If you self manage a university owned desktop or laptop, it is your responsibility to ensure that you adhere to the College policy.

Posted in Uncategorized | Leave a comment

IPv6 update


Since my previous post announcing the start of the IPv6 investigation project, good progress has been made:

  • IPv6 support has been tested on the variety of network switches that we run.  As expected, it’s generally good on our newer models, but unreliable or non-existent on our older models.  Our ongoing rolling replacement of older switches should address this over time.
  • Where supported, appropriate IPv6 configurations have been applied to the switches at all our sites.
  • IPv6 routing has been tested locally on our core switch/routers and our Linux edge routers, and functions as expected.  The next step will be to liaise with IS to enable global routing, so that we can test worldwide IPv6 connectivity.
  • Our edge firewall-rule generators are now IPv6 aware.

Once we have global connectivity working in our test setup, we will start to roll out IPv6 to our managed DICE machines. This will be done gradually, to minimise the effect on our existing IPv4 deployment. As soon as our servers start to advertise IPv6 addresses, the rest of the world will expect them to Just Work, and indeed may start to prefer them over IPv4 addresses.

IPv6 for self-managed machines is, unfortunately, still some way off.  It’s dependent on the replacement of our remaining old Forum switches (likely to be F/Y 2016-17), a follow-on project to add IPv6 support to our DHCP infrastructure, and the extension of our network auditing tools to handle IPv6.


Informatics and the CSE Data Security Plan

As you were reading Johanna’s email last month on the encryption of personal computing devices, you may have noticed that this advice is but one part of a College of Science and Engineering action plan on data security (this plan was included in Johanna’s message). There are several actions which Schools are required to perform as part of this plan. Johanna’s email, and the accompanying documentation to be found on is intended as the response to one of these actions, pointing out to School members the importance of the security of data and devices.

Another substantial requirement the plan places on Schools is to ‘produce initial registers of datasets, websites, servers and services, their primary locations and ownership, highlighting the most sensitive or vulnerable for special attention’. To tackle this requirement, the College Computing Professionals Advisory Group (CCPAG) set up a sub-group, of which I am a member, to establish how best to create and populate this register and then establish the sensitivity of the data it contains. After much debate, this group has now come to the conclusion that there are two types of objects this register needs to track, datasets and services.

Datasets are the actual collections of related data, examples of which might be files on disks, text written on a piece of paper or entries in a database. Services are the ways in which this data is accessed, for instance a filesystem, a locked filing cabinet or a database front end. Datasets have characteristics relating to the type of data they contain, and services have characteristics relating to how access to the data is controlled. For example, a dataset might contain anonymised details of the eye colour of 10 people (this would not be considered to be terribly sensitive data) or it might contain the medical records of 10000 identifiable people (this would be very sensitive). Equally, a dataset might be accessed via an unauthenticated web form available world wide or it might only be accessible on a single machine, not attached to a network, kept in a locked room, and accessed via a hardware security device such as a fingerprint scanner. Obviously, if the medical records were accessible via the unauthenticated web site, this would be highlighted in the register as being very high risk and flagged for attention. If on the other hand, the eye colour database was accessible via the website, this might not be regarded as a cause for alarm since although the website is an insecure access method, the dataset itself does not contain terribly sensitive data. To look at the opposite example, if the medical records dataset was only accessible via the machine in the locked room, although the dataset itself is highly sensitive, the overall risk might still be assessed as being acceptable since access to the dataset was so tightly controlled.

Since datasets and services may have a many to many relationship (datasets may be accessed in more than one way and services may make use of more than one dataset), overall risk can only be assessed for a particular dataset/service combination. When datasets and services are added to the register, they are matched against a set of criteria establishing just how sensitive the data is (for datasets) and how secure access is (for services). These factors are then combined to assess the overall risk factor for each dataset/service combination. Examples of the criteria being used to establish whether a dataset contains medium or high risk data can be found in this document. Service characteristics include

• whether the service or data is hosted on a fully supported server or file store
• what the filestore is (eg. datastore, dropbox, AFS, an un‐supported device, etc …)
• what authentication to the service is used
• whether role‐based access controls to parts of the service are in place and managed appropriately
• what the total (approximate) number of users of the service is
• what the number of administrators with access to all data within the service is
• the ease with which bulk export access is enabled by the service
• whether there are any users external to the university, and what limits on access they have
• likely end‐user patterns of usage, especially in respect of exports
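
The dataset/service pairing described above can be modelled as a small register that scores each combination. This is an added example, not the sub-group's own tool: the numeric scales, the way the factors are multiplied, the band thresholds and all names are assumptions, and the entries are constructed from the illustrations in the text.

```python
from dataclasses import dataclass

# Scales, weights and band thresholds are assumptions made for this example;
# the page says the factors are combined but not how.
SENSITIVITY = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Dataset:
    name: str
    sensitivity: str          # key into SENSITIVITY

@dataclass(frozen=True)
class Service:
    name: str
    authenticated: bool       # is any authentication required?
    network_reachable: bool   # can it be reached over a network at all?
    bulk_export: bool         # does the service make bulk export easy?

def exposure(svc):
    """1 (tightly controlled) to 4 (wide open), from three of the listed characteristics."""
    return 1 + (not svc.authenticated) + svc.network_reachable + svc.bulk_export

def band(score):
    return "high" if score >= 9 else "medium" if score >= 5 else "low"

def assess(links):
    """Score every dataset/service pair in the register, riskiest first."""
    rows = []
    for ds, svc in links:
        score = SENSITIVITY[ds.sensitivity] * exposure(svc)
        rows.append((ds.name, svc.name, score, band(score)))
    return sorted(rows, key=lambda r: -r[2])

# Constructed register entries based on the illustrations in the text.
eye_colour = Dataset("eye colour of 10 anonymised people", "low")
medical = Dataset("medical records of 10000 identifiable people", "high")
web_form = Service("unauthenticated web form", False, True, False)
locked_room = Service("offline machine in locked room", True, False, False)

# Many to many: one dataset reached two ways, one service exposing two datasets.
REGISTER = [(eye_colour, web_form), (medical, web_form), (medical, locked_room)]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print("%-45s via %-32s score=%2d  %s" % row)
```

With these assumed weights, the same dataset lands in different bands depending on the service in front of it, which is why the register scores pairs rather than datasets alone.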

As well as identifying the difference between a dataset and a service, the sub-group also identified two different classes of datasets and services. Datasets and services managed, maintained and curated by members of the administration and computing staff are class A. Computing and administration staff have been working together to identify class A datasets and services held by the School and this process is well advanced.

Datasets and services managed, maintained and curated by academic and research staff are defined as class B. Many more examples of these datasets and services exist so gathering and evaluating this data will be a considerable task, one which we hope to begin in Informatics soon after the start of the new year. Further information about how this is to be done will be circulated closer to the time. In the meantime, it would be very helpful if each and every one of you could start thinking about what data you own and which services you are responsible for now so that you have the information to hand when the time comes.


SL7 desktop reboots

If you have a DICE SL7 desktop you will be prompted to reboot over the next few days. This is required to make an important configuration change which can only be safely applied at boot time. We understand that reboots can be very inconvenient so you can be assured that we will only ever schedule reboots which we consider to be essential.

Student lab machines are not affected. For office machines the delay will be 5 days. Although the reboots are delayed, it would be greatly appreciated if people could manually reboot their machines at their earliest convenience; the delayed reboot would then be cancelled.

If you have any queries they should be submitted via the Support Form.


SL6 DICE: sleep suspended

Some staff and postgrads who haven’t yet had their DICE desktop upgraded to SL7 have been having trouble logging in at the start of the day, after waking their machine from sleep.

We’ve been gathering evidence on this problem, but so far the cause is not fully understood. We do know that on affected machines the network is not properly operational for a few minutes after waking. Without a functioning network, the DICE login process does not work.

To minimise inconvenience we’ve stopped SL6 DICE computers from automatically falling asleep. We’ll enable sleep again once we’ve understood and fixed the problem – if there are many SL6 DICE desktops left by then!

SL7 DICE desktops continue to sleep as normal.


alpine on DICE

I’ve posted some information about the future of alpine on DICE on my blog. But don’t worry, it’s good news.

Posted in News | Comments Off on alpine on DICE

Microsoft Office 2016 for Mac

Office 2016 for Mac is available to Informatics staff for new installation or upgrade from version 2011 on University owned equipment. The software is provided on a USB memory stick to facilitate easy installation and is available to borrow from the Computing Support area on level 2 (2.07).

New features in Office 2016


  • The Design tab provides quick access to design elements to improve the look of documents.
  • The new Insights pane, powered by Bing, shows relevant contextual information from the web within the reading and authoring experience.
  • Threaded comments enable you to have useful conversations right next to relevant text.


  • Recommended charts. Choose the best chart that Excel recommends for your data.
  • PivotTable Slicers. Help to discover patterns in large volumes of data.
  • Use the Analysis Toolpak add-on to perform complex statistical or engineering analyses.


  • Threaded comments enable you to have useful conversations right next to relevant text.
  • Theme Variants – Change the style of your presentation using different color schemes for a theme.


  • Easy navigation between the five main Outlook elements: Mail, Calendar, People, Tasks, and Notes.
  • Push Mail support ensures that the inbox is always up to date.
  • Propose New Time. When you receive a meeting request for a time that is not preferable, you can propose a new meeting time. The meeting organizer can easily accept or decline your proposal.
  • Side by Side Calendar. See multiple calendars in parallel.
  • Weather Forecast in Calendar. Will it be sunny or rainy? No need to look up your local weather forecast because Outlook shows the weather info right in the Calendar view.

subversion upgrade on SL6

As announced by mailing list:

The default version of the subversion (svn) revision control software will
change on DICE SL6 desktop and compute servers. This brings the version
into line with our new SL7 desktops and will allow working copies to be
shared between all DICE machines again.

The change will take place early in the morning of Thursday, 5th November.
You can check the current version as you’d expect:

  [hostname]you$ svn --version                                                                                                 
  svn, version 1.7...                                                                                                            

This change will have one particularly noticeable effect: *any* attempt to
work with an existing subversion working copy (i.e. “checkout”) with a
subversion 1.7 client will fail with the following message:

  [hostname]you$ svn up ./myrepo                                                                                              
  svn: E155036: Please see the 'svn upgrade' command                                                                              
  svn: E155036: Working copy [...] too old (format 10, created by Subversion 1.6)                                                 

You might already have seen this message on SL7 desktops; if you have
already upgraded then the sole effect of the DICE update will be to
restore access from SL6 desktops. Note that unlike historical releases of
subversion this will *not* affect your repository in any way.

If you wish to continue working with other, older clients you
will need to check out two working copies in different locations.

We do not intend to upgrade any of our running subversion servers to 1.7
until they are moved to DICE SL7 (for which there’s no immediate
timetable). If you run your own subversion server on SL6 you may wish to
let us know in advance; we can hold back subversion on your machine if
it’s critical.
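
One way to list which checkouts the change affects, as an added example that is not part of the original announcement. It assumes (this is not stated above) that clients from 1.4 to 1.6 record the working-copy format as the first line of `.svn/entries` and that a 1.7 client leaves the placeholder value 12 there after `svn upgrade`; the function names are hypothetical.

```python
import os

# Assumption (not stated on the page): clients from 1.4 to 1.6 record the
# working-copy format as the first line of .svn/entries, and 1.7 leaves the
# placeholder value 12 there once the copy has been upgraded.
UPGRADED_FORMAT = 12

def wc_format(svn_dir):
    """Return the format number recorded in a .svn directory, or None."""
    try:
        with open(os.path.join(svn_dir, "entries"), errors="replace") as fh:
            first = fh.readline().strip()
    except OSError:
        return None
    return int(first) if first.isdigit() else None

def find_working_copies(root):
    """Yield (path, format) for the top of each working copy below root."""
    for dirpath, dirnames, _files in os.walk(root):
        if ".svn" in dirnames:
            yield dirpath, wc_format(os.path.join(dirpath, ".svn"))
            dirnames[:] = []  # 1.6 keeps a .svn in every subdirectory; report only the top

def needs_upgrade(root):
    """Sorted paths of working copies a 1.7 client would reject with E155036."""
    return sorted(path for path, fmt in find_working_copies(root)
                  if fmt is not None and fmt < UPGRADED_FORMAT)

if __name__ == "__main__":
    import sys
    for path in needs_upgrade(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path)
```

The script only reads metadata, so it can be run before deciding which copies to upgrade and which to keep for older clients.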


OpenVPN configuration file updates

Of interest to users of the Informatics OpenVPN service:

Please note that – as announced via email to the sys-announce list – an updated set of configuration files for our OpenVPN service was put in place in late July 2015.

The old configurations will be turned off on Monday 2nd November, 2015 – so, if you haven’t already updated to the new set, please do so now.

Download links and instructions for the new files can be found at:

We also recommend that you install the latest versions of the OpenVPN client software you’re using (e.g. openvpn for Linux and Windows; tunnelblick for Macs), in order to pick up any recent security fixes.

Please contact Support in the usual way if you have any questions or comments.

Posted in Service Update | Leave a comment

Another web server (with a bit more security)

The web-page hosting services homepages.inf and groups.inf have been complemented by a new service, sweb.inf, which allows users to publish AFS-based web pages that have a greater degree of protection than the mechanism currently employed on existing services.

The new server, sweb.inf, uses AFS space that is accessible from anywhere (as normal) and is editable by the user (also as normal), but when accessed via the web using Apache it is constrained to a separate, user-specific ID, of the form “sweb.<user>” (not the generic <apache> ID as is normal on our other web servers). The resulting filespace should benefit from the resilience and availability of AFS, and be better-protected from any server-side issues (such as another user’s mis-configured script).

The URL of this more-secure web server is, and user pages sit below the user ID at that site, so that the “test.html” page of user “fred” would be “”.

The corresponding filespace is within the AFS file-structure, and accessible in the “web” sub-directory below the user directory in /afs/ (thus the path corresponding to the example URL above would be /afs/

For related files that are not intended to be web-visible (README and other house-keeping files, intermediate or temporary files used by scripts and suchlike) there is a data directory (for example, /afs/, which is a sibling of the web directory. These “data” files are only accessible via the filesystem, not via the web.

Files within the /afs/ structure need specific permissions if the mechanism is to work correctly. This allows web access as the restricted user-specific ID (such as “sweb.fred”, for example), but full access via the filesystem as user “fred”.

More information can be found on the relevant web page,

To make use of this service, a request should be made via the Support Form.
