No doubt you heard about the popular Internet Virus/Worm called "BugBear.B". If you did not see reports on CNN, ABC News, or on NPR, then perhaps you received a few warnings in your in box. Warnings were prolific, and so was the worm. Beginning on the morning of June 5th, it made its way into the University mail infrastructure. By June 6th, thousands of copies of the worm had been mailed around campus and over 100 computers were known to have been infected. Given that the worm was first sighted "in the wild" on June 4th, how did this little blighter manage to get into our system? There were three major causes. We will examine each cause and present some observations about how we can avoid these problems in the future.
It takes Symantec's product engineers time to design a set of rules which allow the AntiVirus engine to detect and destroy a new worm. Before the advent of mass mailing attacks such as the "ILoveYou" virus, delays of over a week between virus detection and virus definition update were acceptable. These days, a successful worm can infect tens or hundreds of thousands of computers within hours of release. A delay of one day in virus definitions can cause a disaster (as we have seen!).
Conclusion: Unfortunately, Symantec is not significantly slower to provide definition updates than any of the other major anti-virus companies such as McAfee, Sophos, and Trend. We will continue to investigate other filtering and scanning products. This summer we will be evaluating a new mail scanning product based on McAfee's anti-virus engine. However, we are skeptical that switching to a new anti-virus product will produce better results. Also, adoption of new anti-virus software on all campus systems would take years... if the approximately three years it has taken to migrate the campus from McAfee to Norton is any indicator. Fortunately, Symantec usually releases updates in a timely fashion. The recent "Sobig.e" worm was intercepted before more than one or two copies could make their way onto campus.
Unlike many past Internet worms, the BugBear uses a different email subject line, message body, and file attachment name for each infected message it sends. This makes detection of the worm more difficult for both the central mail scanner and for you, the mail recipient. To make matters worse, the file names, message bodies, and subject lines used by BugBear are harvested from the infected host computers of your co-workers and fellow students. This means that the infected message may look exactly like a real message that you may have been expecting.
Conclusion: BugBear defeats the old stand-by virus protection rule-of-thumb: "open no unsolicited email attachments and you will never get infected". The evidence is seen in BugBear's victims. No fewer than four members of CIT staff had computers infected with BugBear. If trained computing professionals still can be suckered by an email attachment, what hope is there for the rest of the population? We have to abandon the idea that we can talk our way out of this problem.
Some businesses and universities configure their mail systems to block all executable email attachments. In this way, almost every email virus is blocked, along with several legitimate email attachments. Had UVM had such a policy in place, proliferation of BugBear could have been halted (or at least severely crippled). These "no-executable" policies were rejected earlier because they were perceived to be overly intrusive and limiting to our users.
Conclusion: It is time for a change. Most organizations that have instituted executable-attachment blocking policies have received relatively few complaints from confused or irate email users, and have experienced far fewer and milder virus infestations. Starting June 6th, CIT started blocking all of the major executable file types in all email attachments entering the central mail gateway. We have high hopes that this will greatly slow the spread of future Internet worms and viruses.
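The following is an added illustration of the kind of gateway check described above; it is not UVM/CIT code and not the product CIT uses. It walks the MIME parts of a message with Python's standard `email` module and flags any attachment whose final file-name extension is on a block list. The block list itself is an assumption (the article says only "major executable file types"), and the sample message is constructed.

```python
"""Gateway-side check for executable email attachments (added example)."""
from email import message_from_string
from email.message import Message
from typing import List

# Assumed policy list: the article does not enumerate the blocked types.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".pif", ".scr", ".vbs"}


def attachment_names(msg: Message) -> List[str]:
    """Return the declared file name of every non-container MIME part that has one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if name:
            names.append(name)
    return names


def blocked_attachments(raw_message: str) -> List[str]:
    """Return attachment names whose last extension is on the block list.

    Only the final extension is consulted, so 'minutes.doc.pif' is treated as
    a .pif file, and the declared Content-Type is deliberately ignored because
    the sender controls it.
    """
    msg = message_from_string(raw_message)
    hits = []
    for name in attachment_names(msg):
        parts = name.lower().rsplit(".", 1)
        if len(parts) == 2 and "." + parts[1] in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


# Constructed sample: one harmless attachment and one executable one.
SAMPLE = """\
From: colleague@example.edu
To: you@example.edu
Subject: Re: minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="minutes.doc"
Content-Disposition: attachment; filename="minutes.doc"

ZG9j
--b1
Content-Type: application/octet-stream; name="minutes.doc.pif"
Content-Disposition: attachment; filename="minutes.doc.pif"

ZXhl
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))  # ['minutes.doc.pif']
```

A gateway would reject or strip the message when `blocked_attachments` returns a non-empty list; the point of checking the file name rather than the declared MIME type is that the name is what the recipient's mail client uses to decide how to open the part.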
-J. Greg
MacKinnon
CIT Client Services
"Internet2® is a not-for-profit consortium, led by over 200 US universities, developing and deploying advanced network applications and technology, accelerating the creation of tomorrow's Internet. With participation by over 60 leading companies, Internet2 recreates the partnership of academia, industry and government that helped foster today's Internet in its infancy." (www.internet2.edu)
UVM has been a member since 1997. An NSF grant funded the initial connection and most of the first 2 years of service (fiscal years 2001 and 2002).
Internet2 (I2) provides high-speed, low congestion connections to our peer institutions and many of the companies with whom UVM regularly works. I2 provides researchers with relatively unfettered connections to their peers in other leading research institutions as well as major corporations that serve the higher education market.
If you are connected to the UVM campus network, you are automatically connected to Internet2. Any network traffic to or from another Internet2 institution, will automatically be routed over UVM's Internet2 connection. The I2 membership includes most leading research universities and corporate partners such as IBM, Microsoft, Intel, Nortel, WebCt, Blackboard, Lucent, Cisco, Sun, and many others.
Currently, UVM has 35 megabits per second (mbps). Patricia Ainsworth and her staff have been working with telecommunications vendors and our partners to increase that to 45 mbps this summer. While this is actually less than the amount UVM has for the commodity Internet, the amount per site is far greater.
The normal minimum dedicated network bandwidth to make effective use of I2 is 10 mbps. While everyone at UVM has a network connection of at least 10 mbps, many of these connections share the bandwidth among other nearby users. While these connections still go to I2, the local network congestion may severely limit access to I2 bandwidth. If you have one of these connections and require high-speed access to the network (including I2), you should seek funding to have your network connections upgraded. While dedicated 100 mbps connections are desirable, dedicated 10 mbps connections may be adequate and are much less expensive. Costs vary substantially by building and room location. Contact Patricia Ainsworth (Director of Telecommunications) or Network Services at 656-8888 for more information.
The Perseus Survey Solutions software that is available for UVM members, will be enhanced with a "MobileSurvey" feature to allow data to be collected on handheld devices like the Palm and Pocket PC upon release of SurveySolutions 6 (July 2003). After installing Perseus software on your workstation and creating the survey data form, you can direct the software to place the form on the handheld device. Once it is placed on the Palm or Pocket PC, you can have multiple people fill out the form. When the handheld is next docked in its cradle and "synced" with the workstation, data is automatically delivered to the Unix MySQL database and merged with any other data gathered by the conventional html form. The data is automatically cleared from the handheld and it is made ready for gathering more information.
The forms displayed on the handheld are formatted dynamically to fit the small device. While both Palm OS and Pocket PC are supported, Pocket PC surveys will allow for much more robust survey design and logic functionality.
Who says you can't take it with you?
Doug Varney
CIT Client Services Consulting Coordinator
Complying with government regulations is an ongoing challenge in complex, decentralized organizations such as UVM. The most efficient approach to this problem, demonstrated by the success of UVM's participation in the EPA's pilot project for managing chemical wastes in laboratories, is developing effective partnerships between central support units, such as the Risk Management Department, and individual departments involved in these issues. Such a partnership depends on effective sharing of information between the departments involved.
With this in mind, CIT and the Risk Management Department have been working to develop CASEY - the Computer Assisted Safety Engine - which focuses on the key compliance step of employee training. Training is required by virtually every health and safety regulation, and has proven to be the most important on-going challenge in implementing programs which meet EPA and OSHA requirements. UVM's program has been reviewed by OSHA on several occasions and been found wanting, resulting in fines to the specific departments reviewed. The purpose of CASEY is to provide a shared information system which allows departments and central units to more effectively assure that employee training requirements are met on a timely basis.
CASEY is implemented as an application on the UVM administrative application server, accessible through the Citrix terminal client. The system is built around several roles (employee, supervisor, trainer, etc.) whose access permissions are established at login, which uses the user's network id (formerly "zoo" id) and password. See the CASEY Web site for more specific information. The data included in the system includes basic information about employees (both full time and temporary) and students such as name, title, department, etc. People in neither of those categories can also be added to the system on an individual basis. This data is used to track the assignment of training requirements to individuals by their departments and the completion of those requirements, either by departmental training or through training conducted by the appropriate central office.
This person-by-person tracking of information is necessary because there is no way to deduce from the information currently managed centrally which regulatory requirements apply to particular individuals. For example, a Lab Tech II in the Pathology Department may require training in laboratory chemical safety and blood borne pathogens, while a Lab Tech II in Natural Resources is not likely to require bloodborne pathogen training, but could require driver safety training if driving to field sites is part of the job. CASEY is designed to provide maximum flexibility in order to handle both of these situations effectively.
CASEY is still in development, and we expect improvements to continue as new needs are discovered. For example, the Student Health Center will be using CASEY to manage the medical requirements for medical, nursing and physical therapy students who need to demonstrate that they have had the medical procedures required for clinical internships off campus. Training data from Risk Management laboratory safety training has already been imported into the system and we expect Radiation Safety training data to be added soon.
CASEY has been through several rounds of user testing and feedback has been generally positive in terms of the usability of the user interface. We expect the final major adjustments to the system to be completed this July, so we encourage people with interest in using the system to contact Ralph Stuart as soon as possible to give it a try and provide feedback about improvements that should be made. We expect the system to be fully operational by the beginning of the fall semester.
Ralph Stuart
Environmental Safety Program Manager
Risk Management Department
WebCT (Web Course Tools) provides an easy way to manage course materials and make them available online. It's a great way to deal with the first week or so of course work ("I missed class last week and was wondering how I can get a copy of the hand outs ..."); it offers a convenient grade book available to students in a fully private but convenient form; it's a handy way to accept and manage assignments and is especially useful for managing several revisions of the same assignment; it can be used to store Powerpoint slides, to publish course announcements, and even to deliver weekly reading quizzes -- that can be graded by the computer. All of these features together with its easy-to-learn interface has made WebCT a popular component of UVM's "top wired college" reputation.
If you would like to explore the possibilities of this new version of WebCT, contact the CTL's Dr. Is In Program (ctldoc@uvm.edu) for an appointment, or just drop by 303 Bailey-Howe Library on Monday - Thursday between 10 AM - 3 PM.
Steve Cavrak
Assistant Director for Academic Computing Services
Information technology (IT) continues to play an increasingly important role in the day-to-day operation of UVM. While there is no question that this technology adds a significant value to the institution, we must manage the cost, complexity and support burden for desktop computing technology. As part of efforts to improve the coherence and reduce the cost of UVM's desktop computer technology, Computing and Information Technology (CIT) recently issued RFP # 16-04-03 to microcomputer manufacturers. Our primary goals are to reduce IT costs, increase consistency, and improve support efficiency. Achieving these goals is expected to have a significant impact on UVM's ability to provide quality desktop services for our students, faculty and staff.
CIT is grateful to Microcomputer Advisory Committee members, Nicole Chittenden (Business), Andrew Hendrickson (Arts & Sciences) and Heidi Thibault (Medicine), for their tireless efforts and careful analysis of the vendor RFP responses. The vendor choice was unanimous.
While we were impressed with the competitive offerings put forth by the responding vendors, we have selected Dell Computer Corporation to meet our primary recommendations for another year because of their:
While we have selected Dell Computer as our primary Windows computer vendor for another year, we will continue to offer and service products from other partners where they meet our customer's special needs.
Note that while there are efficiencies gained by retaining the current primary vendor, the incumbent vendor can and will be replaced when competitors make significantly better offers or when the current vendor consistently fails to meet expectations. This is how Dell took the business from IBM and how IBM took the business from AT&T. While there were clearly competitive offerings from a couple of other vendors (IBM and Gateway), we judged the total Dell package to be in the best interests of UVM.
As part of the closure process for RFP # 16-04-03, we will continue our current relationships with Apple Computer, Dell Computer Corporation, and IBM Corporation. We were favorably impressed with some IBM laptop offerings and will be offering an IBM Thinkpad for fall. However, feedback from key clients and our desire for technological coherence led us to sustain our focus on Dell systems for meeting UVM's needs for Windows systems in the near term. Nonetheless, in view of indications of IBM's improved service levels and competitive price-performance of their laptops, we will actively pursue such a relationship as a competitive alternative to Dell or to meet special needs that cannot be met by Dell.
As UVM IT News readers know, CIT has been evaluating Active State's PureMessage for several months. Beginning June 26, 2003, all inbound UVM email has been "rated" for the probability that it is spam.
Why was PureMessage chosen?
While no spam management system will meet everyone's needs, we believe most UVMers will find this product helpful. PureMessage was chosen because:
Will PureMessage delete all the spam sent to me?
No. PureMessage does not delete or filter anything. It will only tag messages that it rates as greater than 50 (on a scale from 0-100). Each end user can then choose to use this rating to move probable spam to a spam folder where it can be checked later, if desired. For example, the subject: "Debt Relief is ON THE WAY!" might be modified to appear as: "[SPAM?:#####] Debt Relief is ON THE WAY!". Each # symbol represents 10 points, i.e.,
- [SPAM?:#]
- [SPAM?:##]
- [SPAM?:###]
- [SPAM?:####]
- [SPAM?:#####]
Will PureMessage accurately identify every spam message?
Unfortunately, no spam management solution can do that. Like all such systems, PureMessage will occasionally underrate or overrate a message. Nonetheless, most users find that it is helpful in managing unwanted email. Many users report 98% accuracy. Your mileage may vary. Each user can set the threshold at which spam is diverted to a spam folder -- or choose not to divert messages at all (the default). And finally, not everyone agrees on what constitutes spam.
How does PureMessage compute the spam probability?
It uses many factors such as the origin address (known spammers), how many people are receiving identical messages, and the formatting of the message itself. However, spammers are working very hard to subvert spam filters, and some spam will continue to slip through regardless.
What if I have developed a spam filtering system that works for me?
You can continue to use it if you prefer. In such cases, the tagging may help you visually identify probable spam or sort messages by the spam rating. PureMessage tagging is not known to affect existing filtering schemes.
It looks like you want me to use server side filtering (procmail), but I use POP and prefer to use my email client's (Eudora's) built-in filters. Can I do that?
Yes, you can. You can either do all your filtering using Eudora (and other POP clients that support filtering) or filter out the probable spam using the server-side spam filtering (procmail) combined with any other client-side filters you wish. Note that this will require that you use Webmail, an IMAP client (such as Eudora or Outlook Express), or PINE to view your spam folder, and since the server-side filters will always precede the client-side filters, you cannot use the client-side filters to white-list (see below) sites unless you also use client-side filters to handle spam.
I'd like to use the spam rating to filter out spam but I don't want to filter out the spam-like email from a company we do business with. How do I avoid having email from that company moved to my spam folder?
By establishing source specific filters (e.g. "from *webct.com"), you can assure that messages from that source are not affected by a spam filter you may have set up. Note that such filters (called "white list" filters) must precede any spam filter. The Web-based facility will allow you to easily set procmail filters, set your spam tolerance threshold and white-list one or more sites (domains). The Web interface has recently been expanded to allow individuals to:
- View / Edit / Remove Filter Rules (Recipes)
- Add New Filter Rules (Recipes)
- Manage Your SPAM Settings
- Change the Order of Your Filter Rules (Recipes)
- Edit your Procmail RC by Hand (Advanced Users Only)
- View Your Procmail Log File
Notes:
Option 3 allows you to set the spam threshold for email (50-90) or to override (white list) messages from a particular domain so they are not considered for moving to your spam folder. It will leave messages from that domain in your inbox. This may be especially useful for those who want to use server-side filtering and a POP client.
Option 4 allows you to revise the order of your filters. Note that the filter that comes first, takes precedence. For example, if you wish to put all your email from a particular UVM listserv into a particular folder (mailbox), but also have a default mailbox for other uvm.edu email, the UVM listserv filter(s) must come before the general uvm.edu filter.
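To make the ordering rule concrete, here is an added example (not UVM/CIT code, and not procmail itself) that models the delivery logic the notes describe: rules are tried in order, the first match decides the folder, and a white-list rule therefore protects a sender only when it comes before the spam rule. The `[SPAM?:###]` subject tag is converted to points on the literal reading of the text (10 points per `#`), which is an assumption about the product's exact scale; the sender domains, folder names and sample messages are constructed.

```python
"""First-match-wins delivery rules over PureMessage-style spam tags (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Callable, Dict, List, Tuple

TAG = re.compile(r"^\[SPAM\?:(#+)\]")

# A rule is (description, predicate over the parsed headers, destination folder).
Rule = Tuple[str, Callable[[Dict[str, str]], bool], str]


def spam_rating(subject: str) -> int:
    """Points implied by a '[SPAM?:###]' prefix, assuming 10 points per '#'; 0 if untagged."""
    m = TAG.match(subject or "")
    return 10 * len(m.group(1)) if m else 0


def from_domain(domain: str) -> Callable[[Dict[str, str]], bool]:
    """White-list style predicate: the envelope-independent From: address ends in @domain."""
    return lambda h: parseaddr(h["from"])[1].lower().endswith("@" + domain.lower())


def spam_at_least(points: int) -> Callable[[Dict[str, str]], bool]:
    """Spam-diversion predicate: subject tag rating meets the user's threshold."""
    return lambda h: spam_rating(h["subject"]) >= points


def deliver(raw_message: str, rules: List[Rule]) -> str:
    """Return the folder the first matching rule selects, or INBOX when none match."""
    msg = message_from_string(raw_message)
    headers = {"from": msg.get("From", ""), "subject": msg.get("Subject", "")}
    for _description, matches, folder in rules:
        if matches(headers):
            return folder
    return "INBOX"


# Constructed sample messages: a tagged newsletter from a business partner,
# a tagged junk message, and an untagged personal note.
WEBCT = "From: WebCT Support <news@webct.com>\nSubject: [SPAM?:#####] New features this term\n\nbody\n"
JUNK = "From: offers@example.net\nSubject: [SPAM?:#####] Debt Relief is ON THE WAY!\n\nbody\n"
PLAIN = "From: friend@example.org\nSubject: lunch?\n\nbody\n"

WHITELIST: Rule = ("white-list webct.com", from_domain("webct.com"), "INBOX")
SPAM_RULE: Rule = ("divert rating >= 50", spam_at_least(50), "spam")

# Correct order: white-list first, so partner mail is never diverted.
GOOD_ORDER = [WHITELIST, SPAM_RULE]
# Wrong order: the spam rule fires first and the white-list never gets a chance.
BAD_ORDER = [SPAM_RULE, WHITELIST]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, [deliver(m, rules) for m in (WEBCT, JUNK, PLAIN)])
    # good ['INBOX', 'spam', 'INBOX']
    # bad  ['spam', 'spam', 'INBOX']
```

The same first-match principle is why, in the listserv example above, the listserv rule must be placed before the general uvm.edu rule: a rule that matches more broadly will swallow everything a later, narrower rule was meant to catch.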
Send your questions to helpline@uvm.edu. Send comments and suggestions to IT@uvm.edu.
Related Terminology
SPAM Often described as "unsolicited commercial email" (UCE), but in practice some people mean "any mail I don't want to read". For information on the origin of the use of this term, see this article.
Filters, Rules and Recipes User-specified criteria, such as the spam rating or message origin, for separating or handling some messages differently from others.
White-listing Identifying origin addresses that you do not wish to filter into your spam folder. This tends to be useful for some listservs and business partners who send spam-like email. For example, both WebCT.com and educatorsportal.com regularly send out spam-like email. Note that uvm.edu is automatically white-listed.
Server-based filtering Filtering on the uvm.edu email server. This can filter your email as it arrives on your server account. To set up filters, establish a spam diversion threshold, or white-list a site, go to UVM filter management interface.
Client-side filtering Supported by some post office protocol (POP) email clients (e.g. Eudora). Filtering is done as email is downloaded by the client computer. Usually the spam filtering is also done on the client, but it can be done on the server, in which case you will need to use Webmail, an IMAP client, or PINE to access your spam folder on the server, should you wish to.
Quarantine Folder A term sometimes used to describe the folder (mailbox or directory) where probable spam messages are automatically filed for possible later review. This term is more commonly used to describe a place where virus-infected email attachments are stored by virus protection software. The uvm.edu email server virus protection software removes, but does not save, viruses.
UVM Network Services would like to find out more about the interest level for wireless access, where it should be deployed, and what applications users would be most likely to run. Please take a few minutes to take a brief survey. Results will be presented in the next issue of this newsletter, and on the UVM Telecom website after June 27th. Wireless Survey
UVM Network Services is now offering a new pricing model for wireless access. For $17 per month, Network Services will install Cat's PAWS access points to provide 10,000 square feet of coverage. The monthly charge includes the design and installation of the service as well as on-going maintenance and upgrades.
Wireless access points require a data port and a nearby electrical outlet; additional charges may apply if these must be installed. Of course, the speed of the service will never exceed the speed of the "wired" network in your area. Upgrading the wired network where desirable is not included in the monthly rate. Network Services will be happy to do an assessment of your area for Cat'sPAWS wireless access. To place an order for this service, please visit our website at https://giraffe.uvm.edu/telcom-bin/workorder/datareq.pl [netid & password required]
Patricia Ainsworth
Director of Telecommunications
Lynne Meeks
Network Engineer
UVM's Information Technology Standards Committee, an open group of computer users and technical support people, has announced the discontinuation of UVM support for aging software. As students, faculty, and staff members plan to meet their computing needs -- and budgets -- in the year ahead, here are reminders of support changes coming up:
The full standards announcement is online on the Standards Committee's Web pages.
In most cases, departments and individuals will have replaced computers running the phased out software well before the end-of-support dates. Some computers running phased out software are able to run newer software versions; please contact Computing and Information Technology if you need help assessing whether your computer is capable. UVM has negotiated substantial discounts on software. And the Computer Advance Program (CAP) is available to subsidize departmental purchases of new computers.
Dean Williams
As announced two years ago, protocols that do not support encrypted passwords (e.g. telnet and ftp) are being phased out in favor of encrypted versions (ssh and sftp). See the network security software pages for information on suitable applications. Note that the network security pages will prompt you for network id and password.
Because so many people have not yet completed the conversion to the new protocols, the deadline for supporting the old protocols has been extended to January 2004. However, the sooner you make the switch, the more secure your work will be!
By now, we should all be using one of the two acceptable forms of our official UVM email addresses:
Please note:
See http://www.uvm.edu/cit/email/ and, specifically, the email FAQ for further information. Send email questions to newemail@list.uvm.edu or the helpline@uvm.edu.
The Telecommunications Department now has the capability to set up conference calls using our own conference bridge. The customer calls the operator with the following information:
Our conference bridge will support twelve participants. The operator will then assist you in setting up your conference call.
The operator will give you:
The caller dials the number at the designated time. A recording will come on and step you through the process.
The fee for using the conference bridge is:
Note that these are below market rates. For comparison, AT&T charges $15 for set up and 68 cents per person per minute. For a 30 minute conference call with 5 callers, this is a difference of $87 ($30.00 vs $117.00).
If you have any questions regarding conference calls, please contact the University operator.
Please make your reservations at least an hour in advance.
Phyllis
DeMarco
Telecommunications Information Supervisor
And don't speak too soon
For the wheel's still in spin
And there's no tellin' who
That it's namin'.
For the loser now
Will be later to win
For the times they are a-changin'.
Bob Dylan, The Times They Are A-Changin'
When Bob Dylan wrote those words, thirty-nine years ago, he probably was not thinking about changes in how people acquire his artistic output and how it's paid for. Neither the CD nor the Internet had been invented, and it was a very rare and special computer that could play music. Since the development of the Napster music-sharing service, there has been an escalating legal battle over copyright, compensation, and culture. The final outcome is anything but clear, and every month brings new technical and legal developments, with victories seeming to alternate between copyright-holding media empires, the corporations that develop peer-to-peer file sharing programs, and individuals -- including universities and university students.
Slowly, conflicting economic and cultural interests are being sorted out, and sometimes there's a development that seems to be a "win" for everyone. Apple's iTunes Music Store, where Dylan's song can be yours for under a dollar, is one of the most visible and successful examples. For those of us trying to keep track of our media options and responsibilities while the legal and technical wheel's still in spin, here is a quick update.
Of course music is just one of the art forms traded over sharing networks like Kazaa, Morpheus, Limewire, and Grokster. Video files, especially pornography, are among the most sought-after forms of content, more so than music. [Wired News, April 30, 2003] Turning the demand for free smut, or video in general, into revenue-generating enterprises may follow the lead of the new low-cost music services, or we may see new marketing, legal, and technical innovations that are later adopted for music. In the meantime, video trading may be the next area to see escalated litigation and prevention efforts. [Wired News, April 30, 2003]
UVM does not monitor the content of online communication -- Web browsing and publishing, email, file sharing, and chat -- on its networks and servers.
Generally, University policies prohibit only:
In those situations, UVM will take action to protect networks and servers or to meet legal requirements. For example:
Copyright complaints are, unfortunately, too common, and copyright violations are by far the most frequent abuse of University networks and servers. The University will continue to act when alleged copyright infringements are reported in accordance with the DMCA.
In addition to the low-cost music download services such as iTunes and RHAPSODY, free music is out there for legal downloading and listening -- one just has to find it. Google searches turn up numerous options, including the Free MP3 Music Player Downloads site.
-Dean Williams,
June 25, 2003
Over the past few months, CIT and distributed IT staff in UVM have been considering the deployment of a centralized Microsoft Active Directory (AD) system. HOLD UP! I am descending into jargon and abbreviations already! Have you ever noticed how discussions of Information Technology (IT) projects entail a great number of two and three letter abbreviations? Consider the following sentences:
"Throughout the month of May, UVM engaged Microsoft Consulting and C2 in a series of Active Directory (AD) planning sessions. Representatives from COM, BSAD, EM, DAR, and BH attended. Feasibility, ROI and Service Level Agreements (SLAs) were chief items of discussion. Ongoing implementation discussions will continue through the summer and will culminate with a Proof-of-Concept (POC) implementation."
Aack! What does it all mean? I will attempt to translate:
AD is a service which manages accounts, computers, and applications within logical organizations. When it is working well, it allows you to sit down at any computer in an organization and log in using only one sign-on. At UVM, it has the potential to allow you to log into any University computer using your University "NetID" (formerly known as your "Zoo account"), and to gain access to many applications using that initial sign-in.
Many vendors have made similar "directory service" products in the past, and since the year 2000, so has Microsoft. Microsoft AD is now included with every Windows 2000/2003 Server. AD implements several industry-standard mechanisms for updating and accessing its directory data, but has enough deviations from the standards that integration of AD with CIT's existing UNIX infrastructure may be difficult, time consuming, and expensive.
Most organizations need a directory service of some sort to make management of accounts and computer systems possible. UVM's Computing and Information Technology department (CIT) already has several! Unfortunately, these directories present significant challenges in integration with personal computers (PCs). We in CIT have always seen directory-integrated desktop login as desirable. In the past we have developed several mechanisms to make this possible. However, as the Windows operating system (OS) has evolved, it has become increasingly difficult to accomplish this without a directory service designed for Windows computers.
Still, we have struggled along without Microsoft AD for several years now. Although we see integrated PC login as desirable, it would not be sufficient reason to invest in AD were it not for one small fact. Microsoft and many other software vendors have tied their products to Active Directory. The absence of a central AD has limited CIT's choices in central software purchasing, and has created deeper divisions between CIT and departments with larger investments in Microsoft technologies.
Starting about five years ago, many schools and business units within the University identified a need for robust "groupware" services with capabilities beyond UVM's primary email system. The most popular of groupware offerings was and still is Microsoft Exchange. However, you cannot deploy a Microsoft Exchange server without an Active Directory. Because the Medical School (COM), the School of Business Administration (BSAD), and Fletcher Allen (FAHC) all required an Exchange deployment, each of those units now has a separate AD!
The maintenance of separate AD infrastructures inside of UVM is inefficient. Administrators in CIT reasoned that the consolidation of AD infrastructures into one centrally-managed deployment would reduce the administrative overhead in AD management throughout the University, thus saving money. Additional savings could then be realized by consolidating and eliminating redundant services into the new Windows Server/AD infrastructure. More work remains to be done, but it seems clear that a centralized AD will produce a fairly quick Return on Investment (ROI).
Consultants from Microsoft and Competitive Computing (C2), a local IT consulting group, were enlisted to help UVM's Computing and Information Technology department (CIT) and other distributed IT departments throughout the University determine the feasibility of a united AD. During the month of May, representatives from CIT, the School of Business Administration (BSAD), the College of Medicine (COM), EM (Engineering and Mathematics), DAR (Department of Alumni Relations), and BH (Bailey/Howe Library) attended a series of meetings to define goals and draft a design. A proof-of-concept (POC) lab was initiated as part of the process.
Initially, many attendees expressed concerns about the ability of a central AD to meet the technical requirements of their departments. They were worried that security and stability considerations in the AD managers would inhibit their flexibility in providing services to their constituents. As time passed, it became clear that many organizations outside of UVM have struggled with these same questions and have found ways to make a central AD work. By the end of the month, it seemed that all departments involved agreed that a central AD deployment could meet their needs. In our lab environment we were able to demonstrate that the vast majority of technical obstacles could be overcome with minimal effort.
Some questions need to be answered before we can proceed with the deployment:
1. How will the central AD be managed? What level of reliability can be expected?
In giving up control of their own departmental ADs, distributed IT staff will need specific information on who will be running the central AD. These administrative documents will allow distributed IT staff to more easily coordinate service upgrades and configuration changes. Additionally, the need for "Service Level Agreements" (SLAs) has been identified. Departments need to know what level of reliability they can expect from the central AD, and they need assurances that they will receive timely response to requests for help.
2. What will be involved in migrating distributed ADs to the new, centralized service?
A rough outline of the migration process was presented by the consultants, but a proof-of-concept pilot migration has not yet been performed. Until this pilot is completed, we will be unable to generate time tables for final deployment.
3. How will the central AD interact with existing centralized authentication systems?
CIT has a large investment in the Kerberos authentication system and the OpenLDAP directory service. AD will be required to reference these services in order to reduce the burden of managing AD accounts. Although we have been able to make this work for Windows 2000 and XP clients in our test lab, there has been some difficulty with Windows 98 and Macintosh clients. Additionally, some Windows services do not like to reference a non-AD authentication service. These problems may not be show-stoppers, but they delay the implementation process while we develop a plan to cope with them.
4. What will be the scope of services provided with the central AD?
Windows 2000 and 2003 Server platforms ship with a variety of services outside of Active Directory. File and print, web publishing, application deployment, remote workstation deployment, streaming media, and terminal services are available to us. All of these services are provided by CIT on a variety of different platforms at the present time. Given the expense and time that will go into our AD deployment, does it make sense to leverage that investment by consolidating some preexisting services onto Windows Server?
The most likely candidates for consolidation onto Windows are the file and print services currently provided by NetWare. We will need to invest more time in addressing various questions surrounding migration of NetWare resources to Windows.
Remote workstation installation services are also appealing. Currently, CIT and other departments use Symantec's "Ghost" to prepare computers for deployment to students and staff. Windows Server 2003 may allow us to drop the costly licensing of Ghost in favor of Microsoft Remote Installation Services (RIS).
We will need to decide if we wish any of these service migrations to be part of our initial AD deployment as this will affect time tables and expenses.
CIT is continuing to engage distributed IT departments in answering these questions. We hope to have all of the answers and an official proposal by the end of summer 2003. Assuming that all outstanding concerns can be addressed, we expect to recommend the implementation of a centralized Active Directory service during the next academic year.
-J. Greg MacKinnon
CIT Client Services
Last semester IBM Global Consulting spent a week on campus conducting a baseline assessment of information technology at UVM, how it is deployed, organized and supported. They met with over 50 UVM leaders, central and distributed IT support staff, as well as conducting three workshops with student, faculty and staff technology users.
Though the contract called for only eight assessments/recommendations, IBM consultants, Ann Riley and Cliff Kramer, outdid themselves by producing a series of fifty recommendations in twelve categories. While some readers have indicated that the recommendations are not fundamentally different from recommendations we have heard (and suggested) before, they are well organized and carry the impact of a widely respected consulting company. For a look at their recommendations, see the Summary of IBM Recommendations. Note that this report is for UVM internal use and should not be distributed outside of UVM. To view the report, you must enter your network ID and password.
We expect this baseline assessment and recommendations to influence IT planning for years to come...
This article has been postponed until August. In the meantime, here is some related reading.
Most organizations, especially large, complex organizations like the University of Vermont, have moved from monolithic, single-architecture, hard-wired mainframe software systems to network-attached, narrowly focused solutions, which are built using a wide variety of hardware and operating system platforms.
In such organizations you will most likely find a team of frustrated IT workers, trying to figure out how to make all these separate systems "play nice". Customers are not impressed if they register (and pay for) a course enrollment but then find they cannot log on to the computers in the library. Employees are not happy if they have to ask separately for an email account, a calendar account, and access to their monthly budget reports. And they are even less happy if they have to use different passwords to access each!
We will not be going back to the "good old days" of a single platform and a set of locally developed applications that are designed and built to interoperate. The advantages of being able to acquire and deploy the best software solutions for each separate need are too compelling. But it is possible to provide some glue to hold things together and make both the system user and the IT support person's lives easier. Enter Middleware.
The Internet2 consortium has recognized the need for middleware and created several projects to help design and build important middleware components. They describe middleware this way:
Middleware, or "glue", is a layer of software between the network and the applications. This software provides services such as identification, authentication, authorization, directories, and security. In today's Internet, applications usually have to provide these services themselves, which leads to competing and incompatible standards. By promoting standardization and interoperability, middleware will make advanced network applications much easier to use. The Internet2 Middleware Initiative (I2-MI) is working toward the deployment of core middleware services at Internet2 universities.
We have deployed a first and critical component here at the University: an "identity management" system feeding our LDAP directory service. Information about people affiliated with the University is extracted nightly from "authoritative" systems. This information is compared to information already in the directory. New affiliates are recognized and unique NetworkIDs are assigned. Going forward, we expect to need a structure that supports many different kinds of University affiliates, and distributed "authorities" that certify affiliations. Different collections of online services will be available to different kinds of affiliates.
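The nightly reconciliation described above, as an added illustration rather than UVM's actual identity management code: the feed record format, the directory layout, the NetworkID generation rule (first initial plus last name, truncated to eight characters, numeric suffix on collision) and all sample people are assumptions made for the example.

```python
"""Nightly identity reconciliation: authoritative feed vs. directory.

Added illustration, not UVM's identity management system. Record formats,
the NetworkID rule and the sample data are all assumptions.
"""

# Constructed sample: tonight's export from the "authoritative" systems.
# person_id is the stable key those systems use for a person.
AUTHORITATIVE_FEED = [
    {"person_id": "1001", "first": "Ada", "last": "Lovelace", "affiliation": "faculty"},
    {"person_id": "1002", "first": "Alan", "last": "Turing", "affiliation": "student"},
    {"person_id": "1003", "first": "Amy", "last": "Turing", "affiliation": "staff"},
]

# Constructed sample: what the directory already holds, keyed by person_id.
DIRECTORY = {
    "1001": {"netid": "alovelac", "affiliation": "staff"},
}


def make_netid(first, last, taken):
    """Assumed rule: first initial + last name, lower-cased, alphanumerics only,
    at most 8 characters; on collision, append 1, 2, ... keeping the 8-char limit.
    `taken` is updated so two new affiliates in one run cannot collide."""
    base = "".join(ch for ch in (first[:1] + last).lower() if ch.isalnum())[:8]
    candidate = base
    n = 1
    while candidate in taken:
        suffix = str(n)
        candidate = base[:8 - len(suffix)] + suffix
        n += 1
    taken.add(candidate)
    return candidate


def reconcile(feed, directory):
    """Compare the feed with the directory.

    Returns (new, changed): `new` maps person_id -> entry for affiliates not
    yet in the directory (with a freshly assigned NetworkID); `changed` maps
    person_id -> entry whose affiliation differs from the directory copy.
    Matching is on the authoritative person_id, never on the name, so a
    second "A. Turing" gets a distinct identity instead of being merged.
    """
    taken = {entry["netid"] for entry in directory.values()}
    new, changed = {}, {}
    for rec in feed:
        existing = directory.get(rec["person_id"])
        if existing is None:
            netid = make_netid(rec["first"], rec["last"], taken)
            new[rec["person_id"]] = {"netid": netid, "affiliation": rec["affiliation"]}
        elif existing["affiliation"] != rec["affiliation"]:
            changed[rec["person_id"]] = {
                "netid": existing["netid"],
                "affiliation": rec["affiliation"],
            }
    return new, changed


if __name__ == "__main__":
    added, updated = reconcile(AUTHORITATIVE_FEED, DIRECTORY)
    for pid, entry in added.items():
        print("new affiliate", pid, entry)
    for pid, entry in updated.items():
        print("affiliation change", pid, entry)
```

The point worth checking in any real implementation is the collision handling: both Turings reduce to the same base NetworkID, and only because `taken` is updated inside the run does the second one receive `aturing1` rather than a duplicate.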
Having an identity management system and an enterprise directory are the basics. Many other examples of emerging middleware components and protocols are described on the Internet2 Middleware Initiative website.
Here are a few excerpts from papers on their site:
The WebISO Working Group is investigating the realm of "web initial sign-on" (WebISO) packages: systems designed to allow users, with standard web browsers, to authenticate to web-based services across many web servers, using a standard, typically username/password-based central authentication service.
Public Key Infrastructure (PKI) cryptography provides a sophisticated yet fairly straightforward way to achieve a number of important functions, including:
Of the current components of core middleware, the least developed and most amorphous is authorization services. It is definitely a service rather than a server - authorization functionality will be provided coherently through several means of delivery, including authentication, directory servers and certificates. Examples are legion, which is what makes this area so important. Authorization will be the basis of workflow. It will drive permissions for accessing networked resources, allow us to control and delegate electronic responsibilities, and serve as the basis for future administrative applications. It will allow us to convert our complex legal policies into automated systems in an easily scalable fashion. As middleware components become better defined and more available, we expect to be deploying components in support of a more cohesive, easier to use, easier to manage IT infrastructure.
Keith Kennedy
Associate Director, CIT
XML Bits and Pieces, or, XML from a User's Perspective
If you have been puzzling over XML you have probably noticed there
are many pieces involved. In this article we will take a look at some
of those components, define some of the XML jargon, and suggest some
resources for getting started with XML.
XML provides the framework for describing and marking up document
structures, but in actual practice one needs several pieces to make
it go. The first piece is the XML instance or document itself. This
is a plain text file that contains elements and conforms to the XML
rules. Elements are the formal way to refer to what we often call
"content" and "tags," that is, content surrounded by mark-up that
describes the structure, like this: <title>Hamlet</title>.
The XML document can be created with any text editor, with an XML
editor, or even with a word processor, especially if it has certain
XML-aware features built in. You can even create an XML document with
an HTML editor, if, that is, you plan to use the XHTML Document Type
Definition (DTD). Which brings up the next piece of the XML puzzle.
The DTD defines the rules that your specific XML document will
follow. It defines the elements that will be allowed and describes
how they will interrelate. For example, a DTD for a collection of
poems might have rules like "all poems must be divided into stanzas"
and "poems must be preceded by a title."
You can actually create and use XML files without a DTD. As long as
the file adheres to general XML rules (all documents must have a root
element, all element names are case sensitive, etc.), your XML file
will be considered "well-formed" and will work with XML browsers. If,
however, you want to adhere strictly to a predetermined set of rules,
as in the poem example above, or to create an XHTML document, you
will need a DTD.
How does the XML file know you have followed all the rules correctly?
Through the use of the next piece: the parser. A parser reads the XML
file and checks to see if it is well-formed (it follows the general
XML rules) or valid (it follows the general XML rules AND the
specific rules outlined in the DTD). Parsers are available as
stand-alone programs, but they are also usually built into XML
editors (and sometimes into browsers, as is the parser in Internet
Explorer 6).
DTDs are part of the SGML world and, as the name implies, were
designed with documents in mind. But XML, especially in conjunction
with the Web, strives to describe more than just documents. XML can
be used to encode financial information, databases, and many other
collections of information. A key need of many of these types of
collections is the ability to describe not only content but the type
of data being stored. For example, if an XML file is storing
financial information, it will need to know if a given field is a
string of numerals or a currency amount. In response to this need,
and in an attempt to make all XML components actually conform to XML
rules, the latest development is the Schema (plural: Schemas). Think
of a Schema as a DTD with additional features. It can describe data
types and is itself a well-formed XML file.
So we now have an XML instance (file), a parser to check it for
well-formedness, or, if used with a DTD or Schema, to check it for
validity. But we still have nothing to actually display the XML file.
Next piece: XSL.
XSL (Extensible Stylesheet Language) is a language for expressing
style sheets. An XSL style sheet is a file that describes how to
display an XML document of a given type. XSL is actually composed of
three pieces: XSLT, XPATH, and XSL-FO. XPATH is a language for
describing the tree structure that all XML documents take, to aid in
navigating through the document. XSLT (the T is for Transformation)
is a way of applying templates to an XML document to Transform it for
display in a given media: web page, paper, PDF file, cell-phone, etc.
XSL-FO, XSL-Formatting Objects, is a "vocabulary for specifying
formatting semantics," that is, for creating complex stylesheets
primarily designed for print or PDF results. For example, XPATH might
define a portion of the document structure as "any title that appears
at the top of a sub-section of a chapter." XSLT can then be applied
to associate all titles of that type to a particular template. That
template might say "for use in a web browser, surround that title
with H3 tags," or XSL-FO might be applied to say "for print
purposes, make that title appear in 16 point Times Roman."
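The well-formed versus valid distinction from the parser section, the XPath-style selection of titles, and the "surround that title with H3 tags" template just described, worked through in one added example that is not part of the article. It uses Python's standard-library xml.etree.ElementTree, which only checks well-formedness; there is no DTD or XSLT support in the standard library, so the two hypothetical poem rules from the DTD section are stood in for by a small hand-written checker, and the XSLT template by a Python function. The poem documents are constructed for the example.

```python
"""Well-formed vs. valid XML, XPath-style selection, and a template-style
transform to HTML, using only the Python standard library.

Added example, not from the article. ElementTree checks well-formedness
only; validation against the hypothetical poem rules and the XSLT template
are stood in for by plain Python functions.
"""
import html
import xml.etree.ElementTree as ET

# Constructed sample: well-formed AND follows the hypothetical poem rules
# ("all poems must be divided into stanzas", "poems must be preceded by a title").
VALID_DOC = """<?xml version="1.0"?>
<poems>
  <poem>
    <title>Ode to XML</title>
    <stanza>Angle brackets everywhere</stanza>
    <stanza>Closing what was opened</stanza>
  </poem>
</poems>"""

# Constructed sample: well-formed (single root, every tag closed) but it
# breaks both poem rules, so a validating parser with the DTD would reject it.
WELL_FORMED_ONLY = """<poems>
  <poem>A single line with no title and no stanza markup</poem>
</poems>"""

# Constructed sample: NOT well-formed. Element names are case sensitive,
# so <Title> is never closed by </title>.
MALFORMED = """<poems>
  <poem><Title>Ode</title><stanza>Line</stanza></poem>
</poems>"""


def is_well_formed(text):
    """Parse only. Returns (True, None) or (False, parser message)."""
    try:
        ET.fromstring(text)
        return True, None
    except ET.ParseError as exc:
        return False, str(exc)


def validate_poems(text):
    """Return a list of rule violations; an empty list means the document is
    valid under the two hypothetical poem rules (a stand-in for DTD validation).
    A document that is not well-formed fails before any rule is checked."""
    ok, err = is_well_formed(text)
    if not ok:
        return ["not well-formed: " + err]
    root = ET.fromstring(text)
    problems = []
    if root.tag != "poems":
        problems.append("root element must be <poems>")
    for n, poem in enumerate(root.findall("poem"), start=1):
        children = list(poem)
        if not children or children[0].tag != "title":
            problems.append("poem %d: must be preceded by a title" % n)
        if not poem.findall("stanza"):
            problems.append("poem %d: must be divided into stanzas" % n)
    return problems


def poem_titles(text):
    """ElementTree supports a subset of XPath; this selects every title that
    sits directly under a poem, the node set an XSLT template would match."""
    return [t.text for t in ET.fromstring(text).findall(".//poem/title")]


def render_html(text):
    """Stand-in for the article's XSLT template: for the web, surround each
    poem title with H3 tags and put each stanza in a paragraph.
    Text is escaped so markup inside the XML content stays inert in HTML."""
    root = ET.fromstring(text)
    out = []
    for poem in root.findall("poem"):
        for child in poem:
            body = html.escape(child.text or "")
            if child.tag == "title":
                out.append("<h3>%s</h3>" % body)
            elif child.tag == "stanza":
                out.append("<p>%s</p>" % body)
    return "\n".join(out)


if __name__ == "__main__":
    for name, doc in [("VALID_DOC", VALID_DOC),
                      ("WELL_FORMED_ONLY", WELL_FORMED_ONLY),
                      ("MALFORMED", MALFORMED)]:
        print(name, "well-formed:", is_well_formed(doc)[0],
              "violations:", validate_poems(doc))
    print(render_html(VALID_DOC))
```

Running it shows the three outcomes the article distinguishes: the first document passes both checks, the second parses but fails the rules, and the third is rejected by the parser itself with a "mismatched tag" error before any rule is consulted.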
XML, a parser, a DTD or Schema, and the XSL family are all the pieces
you need to begin creating XML documents. The most recent crop of XML
editors try, to a greater or lesser degree, to include all these
pieces. With the XHTML DTDs or using XSLT to transform your XML
document into an HTML document, you can view your XML documents in
any recent web browser.
If you would like to try creating your own XML documents, download
the Oxygen editor at
http://www.oxygenxml.com/index.html
or find other XML software at
http://www.xmlsoftware.com.
(CIT has no supported XML tools at this time--if you try any we would
love your input!). You may also find helpful the notes from a recent
XML class, along with some sample files, at
http://www.uvm.edu/~hag/presentations/xml.
And, of course, the Web has a wealth of XML information. Try
searching on "XML tutorial."
Future articles: XML at OVUM, Favorite DTDs and What They
Are Used for, XPOINTER and XLINK: Web Linking the Way It
Should Be, and XML for Programmers.
Hope Greenberg
Humanities Computing Consultant
Academic Computing
Q: I received this message from one of my friends telling me how to find the jdbgmgr.exe virus on my computer. I found it on my computer and deleted it. Apparently, UVM's sophisticated virus protection systems missed this one. Why?
A: Because it is a hoax, not a virus. Unfortunately, the file you deleted was part of your computer's operating system. Just because someone can tell you how to find a cryptically-named file on your computer (there are many) does not mean it is a virus. These hoaxes are mostly distributed by well-meaning people who believe they are performing a service by notifying their colleagues -- thereby making it difficult to track down the origin of such hoaxes.
Q: <blush> How can I distinguish legitimate virus warnings from hoaxes that try to trick me into damaging my own computer system?
A: Most legitimate virus warnings don't come from friends or strangers, but from official technical news sources (not just quoted authorities) or your IT support staff. If you would like to figure out on your own whether a warning is a hoax, you can check a list of known hoaxes (jdbgmgr.exe is on several), such as the ones at:
Alternatively, you can use Google to find information on viruses, hoaxes and urban legends. Just type in the key words (in this case, jdbgmgr.exe) that you want to check out.
Classrooms at UVM have a variety of equipment and a variety of uses. From showing movies to giving presentations, our faculty are using more and more of the hardware provided by our media resources. As these needs grow, support for these various media needs to be forthcoming. One way to improve the support experience would be to place telephones in every multimedia classroom on the UVM campus.
Here at the School of Business Administration, we find the questions users have with projection equipment to be very common, documentable, step-by-step solvable issues. The problem is that our users are not empowered enough to solve these problems quickly and with ease. By providing a phone line to media services in every classroom we would create an environment for all visiting presenters, faculty and students that will foster the use of all the resources we provide them.
Across the Winooski River, at Saint Michael's College, they have this support structure with telephones in every classroom and support personnel answering calls until 9:00 PM every school night. UVM might not need this level of service, but based on the usage we see in classrooms here in Kalkin Hall, some standard communication method is needed to adequately support the people who use our classrooms to teach. Even more so, placing a phone in each classroom will provide a comfort level for professors who would normally feel apprehensive about using a new piece of equipment.
Through the advancement of IP based telephones and power line networking, this project doesn't have to be prohibitively expensive. For example, the School of Business Administration could bridge one phone line to all 7 classrooms in Kalkin Hall for under $350. This small investment would improve our end-user experiences with classroom media and enhance our institution's learning environment through expanded use of technologies.
Would a call center be required to handle the expected increase in calls? Not necessarily. Considering the BSAD helpline, CIT helpline and Media Services main phone line are currently accessible to the entire campus, maybe through some coordinated effort, we could focus on servicing our students, staff, faculty and visiting presenters together.
The greatest opportunity we have is to service users that would normally get frustrated with using the equipment and thus completely give up on using the equipment. Second to that, these support phones would decrease the very common frustration our presenters, faculty and students experience when they use this hardware. Lastly, this is not an off-the-wall suggestion implying extreme resource dedication, instead a shift in how we currently provide support on campus. Phones in every multimedia classroom would provide a level of assistance that would be greatly appreciated by the entire UVM community.
Thomas Chittenden
Information Systems Assistant
School of Business Administration
Disclaimer: This reflection is based solely on experiences outside of the University of Vermont. It does not seek to observe, comment nor draw comparison about anything pertaining to the University. These remarks are not to be construed as being either for or against outsourcing. Outsourcing is a strategy that can be bungled or made successful. Internal servicing (i.e., not outsourcing) can also be bungled or made successful. Same goes for a hybrid approach involving both internal and external servicing. More simply put, each institution must know what is right for itself. Michael Kessler
Being aware of the recent IT consultation engagements on campus and participating in one of them, has caused reflection on past experiences with IT outsourcing. These experiences, both good and bad, were in the for-profit sector that is sometimes referred to as the 'real' world. However, reality is where you find it and that holds true with outsourcing, especially IT outsourcing.
Some background, first. The organization where I worked had its entire IT environment outsourced: administrative systems, telecommunications, client services, technical support, project management and an ace-in-the-hole special projects function. There were approximately 8-10 vendors ranging from very small, local niche providers to an all-in-one global service provider.
As the person 'in charge' of the collective efficiency and effectiveness of this IT consortium, I felt at times like the proverbial fire hydrant at a dog show. But, much was observed and maybe even some things learned, and learned the hard way. Herewith, then, may be some of the most important things that were learned.
[1] Who's in Charge
For outsourcing to succeed, the 'who's in charge?' question is the first that must be addressed. Vendors will rightly want to be in charge to a certain extent because they are making a commitment that they honestly want to fulfill, and being 'in charge' is, to a certain extent, essential and sometimes a prerequisite. The greater confidence they have in internal management, the less they will feel compelled to be in charge. Therefore, rational vendors will gauge the degree to which they need to be in charge proportionately, greedy vendors will want more than they need, and lazy vendors will skirt 'in charge' responsibility. Vendors will realize a profit in all three scenarios, but the greedy and lazy vendors will likely see their relationships stumble and terminate more quickly because those types of relationships are inherently dangerous to the institutions they serve. Thus, the beginning of a successful outsourcing relationship lies in achieving a symbiotic relationship at this strategic level of management control.
In that regard, I have seen outsourcing at its worst (e.g., technical and political paralysis leading to institutional civil war) and at its best (i.e., factored, budgeted cost containment coupled with the latitude to grow and outperform all peers).
Here is the issue from another, more sobering angle. In every substantial outsourcing relationship the external vendor has an 'account manager' who is responsible for the contract. Account manager performance may be evaluated and rewarded along any or all of the following, in terms of whether they are able to:
[2] It's Not What You Own
This must be internalized by all internal and external parties for the institution to reap the IT benefits anticipated from outsourcing. The yardstick of management stature and success, internal and external alike, must lie more in the ability to coalesce resources than to own them; owning resources must be strategically subordinated to coordinating them. Once this is understood, the assumed loss of control from loss of ownership is dispelled and institutional dialogue will evolve to a higher level, namely on how to strategically succeed without the baggage of who's going to succeed.
Hence, the importance of resolving issue [1] first. Fighting over resources gave us the disastrous civil war. On the other hand, giving each party (internal and external) their clearly defined roles and resources within an 'overarching management process' was a dynamic win-win. More on the 'overarching management process' follows.
[3] To CIO, or Not to CIO
Old paradigm, pre-outsourcing way of thinking. The question should be 'strategic process, or no strategic process'. Given [1] and [2] above, the most critical element necessary to prioritize, procure, and deploy resources is the intangible of strategic management process. 'Chief xyz Officer' is anachronistic in an outsourced IT setting. 'Chief' is a big label with big connotations, namely big resources ($$$). Hence, within the context of outsourcing, it is often erroneously seen as something to envy, something for which to compete and something to 'win'.
If a CIO is pivotal within the current management paradigm, then the CIO must be visualized as the mortar which holds all the bricks together. It cannot be another brick, and least of all the biggest brick on top of the IT wall. It would be the best seat to fight for, but the wall of bricks upon which it rests would shift and crumble without the mortar. Process is the mortar, mortar holds all the bricks, so whoever holds the process holds it all. Better for all the bricks to have a coordinator than a chief. It is best if the real chief(s) laid elsewhere, outside of IT, senior managers representing the customers of IT, or better yet, the customers of the institution.
[4] About the Institution
There appeared to be two scenarios that typified the 'most likely to succeed' institution when it came to outsourcing. The first type was the 'here's a check now take it off my hands so I don't have to deal with it anymore' institution. This is not necessarily a slight to such institutions. As the advertisement on NPR for Teachers Insurance Annuity Funds states, 'TIAA...managing money for people with better things to think about.' However, some organizations of this type have turned to outsourcing out of prolonged frustration to 'clean up their IT mess'; sometimes successfully, sometimes not, but never inexpensively.
The other 'most likely to succeed' candidate, and more scarce institution, is where Senior Management has an IT management process in place that is embedded within their overarching and preeminent budget planning process in a discreet and subservient manner. If there is a role for IT outsourcing, or outsourcing of any kind, it would be identified, quantified and qualified in a strategic sense before any vendor is engaged, even engaged merely for dialogue. This leaves little maneuverability for greedy vendors, no place to hide for lazy vendors, and clearly delineated opportunities for engagement and mutual success with the right vendors.
An institution must have confidence in its management processes and its managers. Without such confidence, outsourcing is like building upon sand in dubious partnerships.
[5] About the Individual
If an institution has engaged an external vendor even for a 'look-see', it is almost a certainty that the institution is looking for a change from the status quo. Change does not require outsourcing, and outsourcing does not guarantee change; certainly no guarantee of change for the better as was hopefully explained above. However, change is a window of opportunity.
Change that is internally motivated, planned and executed can beat its external rival every time. In competing against external vendors we found that, although possessing a broad industry (and sometimes organizational) perspective, external vendors could only see to a certain depth and, hence, effectiveness within an organization. Therefore, change from within the organization, from within those who knew the organization, was the most influential and successful change whatever the goal may be.
For example, senior management sometimes consulted external vendors as a sanity check on the changes proposed from within the organization, not because the internally proposed changes were thought to be lacking, but rather were seen as 'too good to be true' and therefore in error. The internally proposed changes always panned out to be both 'good' and 'true'. Change from within beat change from without every time. Change from without was only useful where there was resistance to change from within.
Having been asked the 'what can happen to me' question hundreds of times by as many people (and having had to ask it of myself), the most honest and appropriate answer then is probably the same now: To make the best of the situation for both the institution and ourselves we should continue to help each other to be as open as possible and engaged in some form or forum of change. This helps us grow and delivers the best to the institution. It is an opportunity for an organization and its people to show what they know and what they can do.
Michael Kessler
Human Resources
Organizational Consulting Services
Send technical questions to helpline@uvm.edu.
Send questions and comments regarding IT policies, plans or priorities to
If you have a question or comment regarding this email newsletter or any article herein, send it to UVM-IT-News@list.uvm.edu. Questions of general interest will be posted to UVM-IT-News.
We will publish answers to questions of general interest on the Web and/or in future issues.
So please let us know if you think we have gotten something wrong, and we will publish corrections as appropriate. And we fully expect to change our minds from time to time as we learn and are influenced by the rapidly evolving world of information technology...
Last modified January 16 2004 04:15 PM