Carnegie Mellon University Website Home Page
 
Skip navigation and jump directly to page content
Accounts
Network, Phone & TV
Software
Email & Calendar
Secure Your Computer
Clusters & Printing
Web Services
Classroom & Event Support
Education & Outreach
Student Advisory Committee
Meetings & Minutes
Jan 24, 2008
Oct 25, 2007
Sep 20, 2007
Feb 15, 2007
Jan 18, 2007
Nov 30, 2006
Sep 21, 2006
Apr 27, 2006
Mar 30, 2006
Feb 23, 2006
Jan 26, 2006
Dec 1, 2005
Support & Repair
Information Security Office (ISO)

Meeting Minutes

March 30, 2006

Attendees: Related Links:


Students:

Anand Boscha, CIT
Mercy Chang, Tepper
Trevor Clark, Student Senate
Tamara Friedlander, MCS
Allison Gallant, HSS
Maryam Haque, HSS
Richard Kung, CIT
Ryan Menefee, HSS
David Murray, SCS/CFA
George Schaeffer, MCS
Nathan Stock, MCS
Claire Tomesch, MCS
Matthew Wright, SCS

Guests:
None

Computing Services:
Justin Angelo, User Outreach
Connie Deighan Eaton, Clusters
Sachal Lakhavani, User Outreach
Ted Pham, Information Security Office
Mark Tyrrell, Systems Development Mgr
Laura Valentine, User Outreach
Pomona Valero, Clusters Mgr
Karen Van Dusen, User Outreach Mgr

SAC Business - Laura Valentine

  • This meeting is being recorded. We use this to make notes, and we throw it away afterwards.
  • We have upcoming open slots in the SAC. If you are graduating, expect email from me asking you to nominate someone to fill your slot! We will have spots in CFA, MCS, CIT, SCS, and HSS.
  • Computing Services mailing list - subscribe at the Computing Services home page.
    • Matthew: will things there be just copies of what's on official.computing-news?
      • We'll have to check & let you know. (Confirmed: at present, that is the plan. Readership of official.computing-news is low and so people don't find out about things they need to know.)
  • April SAC meeting! What kind of food would you like?
    • Sushi, subs... ?

Spam Opt-in - Mark Tyrrell

[Presentation]

  • Goals:
    • Tell you how we do spam processing
    • Find out how you experience spam today - we are interested in anecdotal spam info from you guys!
    • How we are changing what we do
  • How we handle mail and spam.
    • The set of servers we use to process mail is over 50. They deliver, process, send, receive mail.
    • Incoming messages go to different pools based on domain, and we figure out if you are someone we can deliver mail to, and if you are, we send it off.
    • If it comes to Andrew, we do spam processing on it, assign a score, and then the mail server handles it and you can read it.
  • We get about 1-2 million messages/day, and about 70% of it is spam.
  • Right now we handle spam with score, tag, and deliver: servers look for spam characteristics and assign a score, then insert a header in the mail, and deliver it to your mailbox.
  • If you have spam filtering turned on, messages go to your inbox.spam if they score above 50%. False positives?
    • David - 3 times in the past year and a half, so it's rare.
    • International mail gets it a lot.
    • David - I had one professor where all his mail was being tagged as spam, but he resolved it
    • Karen - we had an interesting issue with ECE where one of their servers was on a blacklist
  • Mark - what happens with international mail a lot is that one or two hosts in a HUGE IP block will be compromised spam hosts, and then the whole ISP, sometimes the entire country, will end up blacklisted because of it. We only have a certain amount of spam points come from blacklists, but that doesn't always help.
    • If you are getting a lot of false positives, send them to advisor. It helps us tune our spam filter. I'm glad to see that almost half of you have that turned on!
  • How much spam are you getting in your main inbox?
    • Anand - for me, about 1 a day
    • Allison - it used to be really good, but the other day I got 10.
    • Trevor - about 25 - it's in waves, all the same. And Student Senate mail comes to me and that has a lot of spam.
    • Nathan: One thing I've seen is messages filled with gibberish - what are those?
      • There may be an embedded URL; they may be relying on auto-opening (which some mail programs do); or the message might just be malformed
    • Maryam: I've started seeing spam with the first/last name of people I know - how do they do that?
      • Usually that means that you or someone you know had a spyware infection, and an address book or list of names got sent off to someone. Spyware writers sell those lists to spammers.
  • Do you delete your spam?
    • Most people delete it
    • David - Can't you auto-expire spam, rather than relying on people to delete their own?
      • Mark: we are investigating right now
    • Richard - I forget - that's why I don't
  • Spam opt-in - we are planning, for new accounts, to just drop spam, not deliver it to you at all, unless you ask us to. For current accounts, we are not changing behavior, but you will be able to opt-out of spam on the portal. Do you care?
    • David - you may want to communicate specifically to international students about the spam dropping.
    • Anand - can you let people set their own spam thresholds?
      • Mark - we thought about that, but the data doesn't support it. It turns out that with spam scores, instead of getting a bell curve, you get an inverted bell - lots of things with very low scores, and then lots with very high scores. So having people set their own thresholds would introduce complexity without any real benefit. We also didn't want to change behavior too drastically.
  • David -in the context of spam prevention? - what about education/communication about posting your address on web sites? A lot of people do that and don't realize that spammers can get that.
    • Karen - we can look into communications on that matter.
    • Nathan - sometimes that is out of your control - I know my info is on a website, but I didn't put it there.
      • David - That's true; some departments in CFA post the addresses of all their freshmen on their website. I was a transfer student, and I didn't get posted, and it took me a lot longer to start getting spam.
      • Trevor - could someone tell Architecture specifically to stop posting student addresses?
      • (Music, too....)

Computer & Data Privacy - Ted Pham

[Presentation]
Note: the presentation is very information-dense. Meeting minutes are less complete in many details. Ted was presenting for John Lerchey, who was unable to attend.

  • Areas of Concern
  • System logs - different systems have different settings.
    • Where it says "everyone" has access, that's not really true. If you log into a public unix server and run the "last" command, you can see who has logged into that machine. What systems administrators and ISO have access to is different.
  • Authentication logs - any time you use your Andrew id/password to log into kerberos authenticated service; Active Directory logins; dialup and VPN logins.
    • Generally, only systems administrators have access
  • Network Traffic logs - the first 128 bytes of packets that cross subnets.
    • Generally if it goes within the same building, it's not logged, but if it goes between buildings or out over Internet 1, we do.
    • DHCP logs, to see when computers connected to our network - for example, wireless machines don't always get the same IP address. So if someone does something bad on wireless, we can go back through the DHCP logs and see which machine that was at the time.
    • Primarily we do this to track bandwidth and problems such as viruses.
    • Matthew - How long are the stored packets kept?
      • Ted - I'm not sure. 3 months or 6 months.
    • Network group, ISO, and Help Center have access, at different levels.
  • Shared file space - AFS
    • You can change permissions on your directories, and create groups of people who have access
    • A problem for us is people not changing things properly for organization changes, or people accidentally giving too much access.
    • Some sites - like MIT student group - that will mount all of AFS on a web server, and then anything accessible on AFS is world-readable and crawlable by Google!
  • Shared file space - My Files - mounted drive on Cluster machines
  • Email/Bboards - there are occasions where to solve problems, we do have to look at mail in your mailbox. Not to read it, but to make sure it's there and OK.
    • For example, last week we had a problem with corrupted attachments, and we had to look around and see what was up.
    • You can restrict access to individual mailboxes, and some bboards are restricted access as well.
  • Protected information - Student Information System, LDAP.
    • LDAP "Person record" - tells us who you are, and what rights you have.
    • SIS - access is different for different groups - Administrative Computing, HUB & Enrollment; faculty or staff who need to enter grades, etc; Help Center fulltime staff have limited access to troubleshoot problems.
    • LDAP - you have some control over this data, and what level of access people have.
  • Who can access the data?
    • Internal authorities - such as Student Affairs,University Counsel, campus police - can access the data without a subpoena
    • External authorities need a subpoena.
    • In most cases, unless we are under a gag order, we will tell you that your data is being looked at, whether for law enforcement purposes or because we had to touch your account for some reason.
    • Matthew - ISO has access to a lot of our information. Under what circumstances will ISO look at that information?
      • Ted - If your account's compromised, and we're searching for evidence of that. We will notify you unless we are under a gag order.
      • Karen - User Outreach & Analysis also has access to much of this information, which we work with in aggregate only. So we don't look at you as a person with this set of attributes, but we need to know that there are 500 people with those attributes. Mostly we use this for demographic analysis.
    • Matthew - the OldFiles directory seems to have the same permissions as the original files. So if you change the permissions, would old copies still be accessible with the old permissions until the backup happens?
      • Ted - Yes, I think that's correct. I'll have to check, because OldFiles is special.
    • Maryam - How can I check my bandwidth?
      • bandwidth.net.cmu.edu. There's a link from the bandwidth policy documents.
      • Karen - it's been brought up before that there are some majors that are very heavily hit by the bandwidth policies, and I don't know where things stand with that.
        • Ted - ISO is charged with enforcing the current policies, and Network Services is in charge of what the policies are.
          • Karen - right, they came and talked about that with the SAC before.
        • Ted - part of the issue is that there are two types of wireless on campus - 54 megabit in some areas, and 11 in others, and so people are affected differently because of that.

UC Printer - Connie Deighan Eaton

  • The UC printer is the least used printer that isn't the CFA Color Printer. What would make that printer get more use? What prevents you from using it?
    • People want it on the first floor
    • David - you have to walk down the stairs, it's just inconvenient
    • Mercy - people don't know they can print to it. They just print to the cluster they're in.
    • Richard - I use it because I never have to wait there
    • Tamara - I would use it more if there was a computer right there to print from, because if I'm in the UC and I need to print something, I have to go to the cluster anyway.
    • David - I know a lot of people use their laptops in the black chairs [Kirr Commons], and if you had a sign saying where they could print to, I think it would get used more
  • If we did better PR, and made people more aware of it, do you think that would help?
    • Allison - I think it would still be underused, because just walking around I'm going to go closer to a cluster printer than I am to the UC printer.
    • David - West Wing is getting 18%. That's close to the UC, so probably a lot of those people are close to the UC, and you could divert a lot of that printing if the printer were better located.
      • Connie - and we should focus our PR efforts there, probably.
      • Pomona - we are working to pilot a printer in Donner
        • Richard - that would help, because if you live on the east side of campus, the closest printer is West Wing
          • Connie - how many of you have lived in Donner? Which printer did you use? [Two people; both used WW printer]
      • Maryam - put a sign in WW to send to the UC printer. Paper runs out late at night.
  • Connie - So where would a good location be?
    • Mercy - The pilot printer on the first floor of the UC was good. [Lots of agreement]
    • George - the first floor of Doherty would be good [Lots of agreement]
    • Morewood
    • Maryam - what about along the bottom of the MM apartments, where the storefronts are?

Your Turn

  • Trevor - We had problems with attachments in webmail. Anything over 15mb, and you might only get, say, half a picture. This is a big problem for students in Architecture, because we have to send files to each other a lot.
    • Karen - I don’t know if we can do anything about it. We know that we need to make it better. We will be thinking about it over summer
  • David - Thunderbird issues - people with different versions can't quite follow the security instructions - need version numbers to be clearer in the documentation.
    • Ted - Please let us know about Thunderbird security issues.
  • David - there was a wireless problem in the library, and it got fixed in less than a day! That was great.
  • ? - had a problem with printing - I swiped my card, and there was a huge list, and I didn't know what was going on.
    • Connie - there was a hiccup with printing system, where it was showing everyone as guest. We fixed it pretty quickly.
  • Claire - I was having a problem printing and viewing PDFs. Thanks for help with that.
    • Laura - Mike Kelleher was very helpful in solving that one.