HTASC - Report to HEP-CCC, David Kelsey, RAL, d.p.kelsey@rl.ac.uk, 6 Nov 1998.
HTASC - Report to HEP-CCC
David Kelsey
RAL
d.p.kelsey@rl.ac.uk
6 Nov 1998
6-Nov-98 D.P.Kelsey, HTASC report 2
HTASC #10 8th/9th October 1998, CERN
Agenda
• Routine business
• Report from HEPNT
• Distributed editing
• Markup languages
• Y2k problem (brief discussion)
• Computer and Network Security

HTASC Members
• July 1998 - invited R-ECFA to review
  – Only one change notified: Germany now T.Haas
  – L.Sandor (Slovakia) has been replaced by P.Chochula
• Finland, Portugal and Sweden - still no nomination
• Several reps have never turned up

HEPNT
• DEC Visual FORTRAN for Windows NT
  – Required for CERNLIB, but very expensive
  – Negotiations under way with Compaq/DEC
• Web work - Plans for future work
• Plans for Open meeting
  – 2/3/4 December, 1998 at CERN
  – Aimed at HEP NT System Managers
• AFS/NT vs. NTFS and CERN’s NT web plans

Distributed Editing
• HTASC has considered this several times
  – Time to come to a conclusion!
• Members were asked to consult institutes and experiments as to current practice
  – extensive use of TeX/Latex in current experiments and Theory
  – Atlas and CMS use FrameMaker
  – H1 and others use Tuovi for version control
  – Some use of MS Word

Distributed Editing (2)
• Most large documents are written by a small number of authors - not really distributed
• Noted the work at CERN (CEDAR) and DESY on document archival/retrieval
• No sign yet of HEP using groupware, workflow, etc.
• Decided to take the following approach:
  – Can HTASC recommend a single application?

Distributed Editing
Requirements
1. Doc format should be specified and open.
2. Implementations available on multiple platforms.
3. The application should be available to all.
4. Multiple language support is desirable.
5. Need version control, locking, archive.
6. Easy interface to WWW, including easy entry of links.
7. Must be WYSIWYG.
8. Spell Checker.
9. Inclusion of pictures etc.
10. Long term stability.

Distributed Editing
Analysis of some products
[Table: Latex, FrameMaker, MS Word and WordPerfect rated against requirements 1 to 10; cell entries not preserved in this transcript]

Distributed Editing
Conclusions
• No product meets all requirements
• WordPerfect seems to come out best, but then why is nobody in HEP using it?
• It is impossible to recommend a HEP-wide solution
• Individual experiments should choose
• HTASC does not see the need for a sub-group

Markup languages
• SGML and HTML - still with us, but...
• New standards (many acronyms!)
  – XML - Extensible Markup Lang. - can invent tags - but no good browsers yet.
  – CSS - Cascading Style Sheets
  – XSL - Advanced styling
  – DTD - Document Type Definition
  – RDF - Resource Description Framework (important for ‘web of trust’)
• New trend: Separate document content from its presentation

Markup languages
Conclusions
• Things changing too quickly to make recommendations
• The WWW will become more important as the front end to databases of ‘information’
• HEP should track the developments

Y2k problem
• Only brief discussion at HTASC #10 - we will revisit next time
• Lab infrastructure is assumed to be under control - if not, already too late!
• What about the experiments?
• Many are taking a “wait and see” approach
• Experiments should be encouraged to define a Y2k policy and take particular care of control systems and embedded processors.

Computer/Network Security
• The CERN CERT team joined us
• Introduction by Alan Flavell (UK)
• General discussion
  – what is already in place?
• Some initial recommendations
• Proposal for an HTASC security sub-group

Security - Introduction
• Internet security problems are increasing
  – see John Gamble’s figures from CHEP98
  – see articles in Scientific American (Oct 98)
  – many hacking tools are now widely available
• Several sites disconnected from the Internet
  – SLAC, JLAB, DESY-Z, Glasgow, Manchester ...
  – Major inconvenience to the users!
• Many system managers spent their summer working on this!

John Gamble - CHEP98
Security Incidents at CERN

John Gamble - CHEP98

Introduction (Alan Flavell)
Outside factors:
• Expanding Internet
• Fewer OSs, wider OS expertise
• “Script kiddies”
Special factors in our situation:
• Batch jobs, .rhosts, .netrc -> easy propagation
• End-user-managed hosts (esp. Linux!)
• Typical academic situation

Introduction (2) (Alan Flavell)
• Some problem areas...
  – r-series commands (rsh etc.) risky,
  – .rhosts and .netrc abuses
  – X Windows security problems
  – plain text passwords vulnerable to sniffers
  – trusted-host compromises
• BUT
  – Users still reasonably want to do their work!
  – And from sometimes strange places
  – And run unattended batch work.

Introduction (3) (Alan Flavell)
• There’s no magic bullet! For example...
• Using ssh instead of rsh can increase security
• Using ssh instead of telnet can increase security
• Using ssh badly can make things worse, and could make diagnosis of hacker incidents impossible!
• CERN (French) legal situation re encryption...

Security - what exists already?
• HEPiX security sub-group (UNIX security)
  – created in 1995
  – chaired by Lionel Cons (CERN)
  – not very active, but interest growing now
• HEPNT discusses NT security
• HTASC contact list
  – not complete and never used(?)
• CERT mailboxes (HEPiX) at some sites
  – cert@institute.domain and cert-ssc@institute.domain

Security - Early recommendations
• The risks are potentially very large!
  – not only damage to control systems, files, data etc.
  – but also damage to our reputation
• Security policy must have the support of senior management
  – Security is balanced against user requirements
  – HEP-CCC may need to impose policy
• Resources need to be made available
  – human and otherwise

Early recommendations (2)
• Every Lab/Univ. should have a security officer and a security policy
  – firewall, passwords, laptops, when to disconnect...
• Users/System Managers - need guidance
• many HEP users have no control over the configuration of their systems
  – HEP should lead by example and aim to influence others
  – We are only as strong as the weakest link!

New HTASC Security sub-group
Draft Mandate
• Advise HTASC/HEPCCC on Computer and Network Security needs
• suggest policies to meet those needs for HEP laboratories and institutes by
  – defining computer/network security guidelines for HEP institutions
  – estimating the resources needed to implement such guidelines
  – suggesting means of communication between the institutions in case of security incidents.

Security - HTASC sub-group (2)
Proposal
• Chairman
  – Tobias Haas, DESY
• Membership (should be small)
  – A. Flavell (Glasgow, UK)
  – J. Gamble (CERN)
  – W. Niepraschk (DESY)
  – plus one or two more?
• Timescale
  – report to HTASC in March, 1999

Future meetings
• 4/5 March, 1999 (CERN)
  – Security - receive report from sub-group
  – Y2k - check that all is OK!
  – Software licensing - e.g. LHC++ for non-LHC
• 10/11 June, 1999 (NIKHEF)
  – Video conferencing
• 7/8 October, 1999 (CERN)

Summary
• HTASC invites HEP-CCC to...
  – Approve creation of a new Security sub-group
  – Provide support and resources for work on security
  – Take note of recommendation re Y2K