HTASC - Report to HEP-CCC. David Kelsey, RAL, d.p.kelsey@rl.ac.uk, 6 Nov 1998.


6-Nov-98 D.P.Kelsey, HTASC report 2

HTASC #10 8th/9th October 1998, CERN

Agenda
• Routine business
• Report from HEPNT
• Distributed editing
• Markup languages
• Y2k problem (brief discussion)
• Computer and Network Security


HTASC Members

• July 1998 - invited R-ECFA to review
  – Only one change notified: Germany now T.Haas
  – L.Sandor (Slovakia) has been replaced by P.Chochula

• Finland, Portugal and Sweden - still no nomination

• Several reps have never turned up


HEPNT

• DEC Visual FORTRAN for Windows NT
  – Required for CERNLIB, but very expensive
  – Negotiations under way with Compaq/DEC

• Web work - Plans for future work

• Plans for Open meeting
  – 2/3/4 December, 1998 at CERN
  – Aimed at HEP NT System Managers

• AFS/NT vs. NTFS and CERN’s NT web plans


Distributed Editing

• HTASC has considered this several times
  – Time to come to a conclusion!

• Members were asked to consult institutes and experiments as to current practice
  – extensive use of TeX/Latex in current experiments and Theory
  – Atlas and CMS use FrameMaker
  – H1 and others use Tuovi for version control
  – Some use of MS Word


Distributed Editing (2)

• Most large documents are written by a small number of authors - not really distributed

• Noted the work at CERN (CEDAR) and DESY on document archival/retrieval

• No sign yet of HEP using groupware, workflow, etc.

• Decided to take the following approach:
  – Can HTASC recommend a single application?


Distributed Editing Requirements

1. Doc format should be specified and open.
2. Implementations available on multiple platforms.
3. The application should be available to all.
4. Multiple language support is desirable.
5. Need version control, locking, archive.
6. Easy interface to WWW, including easy entry of links.
7. Must be WYSIWYG.
8. Spell Checker.
9. Inclusion of pictures etc.
10. Long term stability.


Distributed Editing Analysis of some products

[Table: Latex, FrameMaker, MS Word and WordPerfect assessed against requirements 1-10; the cell entries did not survive extraction.]


Distributed Editing Conclusions

• No product meets all requirements
• WordPerfect seems to come out best, but then why is nobody in HEP using it?
• It is impossible to recommend a HEP-wide solution
• Individual experiments should choose
• HTASC does not see the need for a sub-group


Markup languages

• SGML and HTML - still with us, but...
• New standards (many acronyms!)
  – XML - Extensible Markup Lang. - can invent tags - but no good browsers yet.
  – CSS - Cascading Style Sheets
  – XSL - Advanced styling
  – DTD - Document Type Definition
  – RDF - Resource Description Framework (important for ‘web of trust’)

• New trend: Separate document content from its presentation


Markup languages

Conclusions
• Things changing too quickly to make recommendations
• The WWW will become more important as the front end to databases of ‘information’

• HEP should track the developments


Y2k problem

• Only brief discussion at HTASC #10 - we will revisit next time

• Lab infrastructure is assumed to be under control - if not, already too late!

• What about the experiments?
• Many are taking a “wait and see” approach
• Experiments should be encouraged to define a Y2k policy and take particular care of control systems and embedded processors.


Computer/Network Security

• The CERN CERT team joined us
• Introduction by Alan Flavell (UK)
• General discussion
  – what is already in place?
• Some initial recommendations
• Proposal for an HTASC security sub-group


Security - Introduction

• Internet security problems are increasing
  – see John Gamble’s figures from CHEP98
  – see articles in Scientific American (Oct 98)
  – many hacking tools are now widely available

• Several sites disconnected from the Internet
  – SLAC, JLAB, DESY-Z, Glasgow, Manchester ...
  – Major inconvenience to the users!

• Many system managers spent their summer working on this!


John Gamble - CHEP98: Security Incidents at CERN


John Gamble - CHEP98


Introduction (Alan Flavell)

Outside factors:
• Expanding Internet
• Fewer OSs, wider OS expertise
• “Script kiddies”

Special factors in our situation:
• Batch jobs, .rhosts, .netrc -> easy propagation
• End-user-managed hosts (esp. Linux!)
• Typical academic situation


Introduction (2) (Alan Flavell)

• Some problem areas...
  – r-series commands (rsh etc.) risky
  – .rhosts and .netrc abuses
  – X Windows security problems
  – plain text passwords vulnerable to sniffers
  – trusted-host compromises

• BUT
  – Users still reasonably want to do their work!
  – And from sometimes strange places
  – And run unattended batch work.


Introduction (3) (Alan Flavell)

• There’s no magic bullet! For example...
• Using ssh instead of rsh can increase security
• Using ssh instead of telnet can increase security
• Using ssh badly can make things worse, and could make diagnosis of hacker incidents impossible!
• CERN (French) legal situation re encryption...


Security - what exists already?

• HEPiX security sub-group (UNIX security)
  – created in 1995
  – chaired by Lionel Cons (CERN)
  – not very active, but interest growing now
• HEPNT discusses NT security
• HTASC contact list
  – not complete and never used(?)
• CERT mailboxes (HEPiX) at some sites
  – cert@institute.domain and cert-ssc@institute.domain


Security - Early recommendations

• The risks are potentially very large!
  – not only damage to control systems, files, data etc.
  – but also damage to our reputation

• Security policy must have the support of senior management
  – Security is balanced against user requirements
  – HEP-CCC may need to impose policy

• Resources need to be made available
  – human and otherwise


Early recommendations (2)

• Every Lab/Univ. should have a security officer and a security policy
  – firewall, passwords, laptops, when to disconnect...

• Users/System Managers - need guidance
• many HEP users have no control over the configuration of their systems
  – HEP should lead by example and aim to influence others
  – We are only as strong as the weakest link!


New HTASC Security sub-group

Draft Mandate
• Advise HTASC/HEPCCC on Computer and Network Security needs
• suggest policies to meet those needs for HEP laboratories and institutes by
  – defining computer/network security guidelines for HEP institutions
  – estimating the resources needed to implement such guidelines
  – suggesting means of communication between the institutions in case of security incidents.


Security - HTASC sub-group (2) Proposal

• Chairman
  – Tobias Haas, DESY

• Membership (should be small)
  – A. Flavell (Glasgow, UK)
  – J. Gamble (CERN)
  – W. Niepraschk (DESY)
  – plus one or two more?

• Timescale
  – report to HTASC in March, 1999


Future meetings

• 4/5 March, 1999 (CERN)
  – Security - receive report from sub-group
  – Y2k - check that all is OK!
  – Software licensing - e.g. LHC++ for non-LHC

• 10/11 June, 1999 (NIKHEF)
  – Video conferencing

• 7/8 October, 1999 (CERN)


Summary

• HTASC invites HEP-CCC to...
  – Approve creation of a new Security sub-group
  – Provide support and resources for work on security
  – Take note of recommendation re Y2K