U n i v e r s i t y o f O r e g o n C O M P U T I N G N E W S TWENTIETH ANNIVERSARY ISSUE! Winter 2005
Senior Systems Manager Bob Jones begins the process of assembling the new Darkwing cluster. The new Linux systems that comprise the cluster will speed email, web, and other network services. Story on page 4. IN THIS ISSUE… Web People Accessibility Web Tip: Use ‘Skip Navigation’ Link ...... 3 Deb Carver Named Interim AVP for Information Services ...3 New UO Design Guidelines in the Works ...... 14 Who’s Who at the Computing Center ...... 12 Teaching Tools Large Systems Blackboard Adds More Features ...... 15 The New Darkwing: a Briefing ...... 4 Security Email Spotlight on Browser Security ...... 20 More User Control Over Stripped, Defanged Email ...... 2 Update to Firefox 1.0 without Delay ...... 20 Reconfigure Your Email Settings ...... 10 Security Alerts ...... 18 “Black” Web Email Being Phased Out for Gladstone, Free Microsoft Windows Beta Anti-Spyware ...... 19 Darkwing ...... 10 Think Spyware is Harmless? Think Again ...... 23 Microcomputing Interesting Sites Large Format Scanner on the Way ...... 2 Cybercrime in the News ...... 13 The Problem with Free Demo Firewalls ...... 11 Spam Wars ...... 17 Try Using Selection Modifier Keys ...... 14 Sites Worth Seeing ...... 23 Networking Statistics UO Network’s Transit Bandwidth Boosted ...... 9 What’s New in SAS v. 9? ...... 21 Campus Network Users Now Have More Control Over Stripped and Defanged Email Bob Jones Senior Systems Manager March 1, stripped messages will no longer be delivered Administrative Services/Computing Facilities unless users explicitly request it.
For some time now, UO systems administrators have Defanged messages will continue to be delivered been warding off computer viruses by automatically unless users specify otherwise. Note, however, that “defanging” or “stripping” incoming email traffi c using many defanged messages are legitimate and contain a program called Procmail Email Sanitizer, or “PES.” nonmalicious attachments such as .ZIP fi les, and we would urge users not to choose to have them discarded PES typically either strips the message of suspicious unless they are positive that’s what they really want to email attachments, replacing it with a text attachment do. containing a warning, or renames the attachment to render it harmless (defanging). You may specify the desired behavior for stripped and/or defanged messages by going to Currently, we are delivering all stripped and defanged messages to their intended recipients, but as of https://password.uoregon.edu/husks/ Large-format Scanner On the Way COMPUTING CENTER The new scanner is the latest addition to the Architecture and Allied Arts Output Room, TWENTIETH ANNIVERSARY ISSUE which caters to large-format printing needs on campus COMPUTING NEWS VOL. 20 #1 Chris Jones Director of AAA Computing Services Computing News is pub lished quar terly [email protected] by the User Services and Network Applications staff of the Computing The University of Oregon’s Educational Technology Committee, Network Center. Services, Telecom, and Facilities Services have partnered to purchase a © University of Oregon 2005 large-format scanner for university use. The scanner will be available to Contact: Joyce Winslow the university community sometime in February 2005. [email protected] The new scanner, an Action Imaging Colortrac 4280, can scan documents up Photography: Dave Ragsdale to 42 inches wide and half an inch thick. It will be housed at the School of [email protected] Architecture and Allied Arts (A&AA) Output Room (280 Lawrence), where Joe St Sauver, Ph.D. staff will be available to provide expert assistance to customers scanning Director, User Services large documents. The Output Room is also equipped with large-format and Network Applications color and black and white printers capable of producing signs, posters, [email protected] banners, and blueprints. Website: http://cc.uoregon.edu/cnews/ To cover staffi ng and maintenance costs, customers will be charged a nominal fee to use the scanner. To learn more about the specifi cations of the new scanner, visit the Got Extras? manufacturer’s website at http://www.action-imaging.com/colortrac.htm If your campus de part ment re ceives sur plus copies If you have questions about the large-format scanner or if you would like to of Com put ing News, you use it once it arrives on campus, please contact Karl Owens, A&AA Output may return them to the Room Manager ([email protected]). The Output Room is open Monday UO Com put ing Cen ter for through Thursday from 9 A.M. to 10 P.M., on Fridays from 9 A.M. to 5 P.M., re dis tri bu tion. and on Saturdays from noon to 6 P.M.
2 computing news winter 2005 Deb Carver Named Interim Associate VP for Information Services
Ron Renchler Director, Library Communications UO Libraries [email protected]
Deborah A. Carver, Philip H. Knight University Librarian, has been appointed interim associate vice president for information services at the UO, following Joanne Hugi’s retirement.
The AVP for Information Services is the university’s chief administrator for computing, networking, and telecommunication issues. Carver will serve in the position while a national search for a new AVP is conducted.
Carver has chaired or cochaired the university’s Educational Technology Committee for three years. She also serves as the university’s representa- Deborah Carver, University Librarian and Interim Associate VP for tive for the Northwest Academic Information Services. Computing Council (NWACC). Database Licensing Committee. A 1973 magna cum laude graduate in Carver, who was named the Oregon She represented the state as an political science from the University Library Association’s 1999 Librarian elected member of the American of Massachusetts, Amherst, Carver of the Year, has been a member of Library Association Council from earned a master’s degree in library the UO faculty since 1990. She was 1998 to 2001. She was president of science from the University of North appointed by the Oregon Senate the Oregon Library Association in Carolina, Chapel Hill, in 1976 and a to serve on the Interim Legislative 1995-96 and served on its legislative master’s degree in public administra- Committee on Libraries and was committee and chaired its Vision tion from the University of Virginia, a member of Oregon’s Statewide 2010 Task Force. Charlottesville, in 1984. Accessibility Web Tip: Use the ‘Skip Navigation’ Link A simple anchor link can make your web pages far friendlier to people using screen readers. This link, called “skip navigation,” jumps over navigation links and takes the reader directly to the main content of the page. This saves screen-reader users from having to listen to repetitive navigation links as they tab through each page of your site.
Depending upon your design preference, skip navigation links may be either visible or invisible. You’ll fi nd a detailed explanation of various approaches to using the skip link technique, with examples, at http://jimthatcher.com/skipnav.htm
For more general information on how to design universally accessible web sites, see “Web Accessibility for People with Disabilities” at http://darkwing.uoregon.edu/~atl/web_acs.htm If you have questions about designing your website to meet accessibility guidelines, please contact James Bailey, the UO’s technology access adviser ([email protected], 541-346-1076).
computing news winter 2005 3 The New Darkwing: A Briefi ng
Systems staff take the (Simplified) fi rst steps in a major Classic Darkwing reconfi guration of our Everything ran on one box: A tangled, interconnected . . . vital campus server system: where we’re headed and why… WWW RADIUS (Including University home (Authentication for wireless, page, user web pages, virtual dial-in,VPN, Blackboard, etc.) Joe St Sauver, Ph.D. hosting) Shell Access Director, User Services and (”% prompt”) Network Applications [email protected] All Darkwing Email Susan Hilton (Including POP, IMAP, Streaming Audio Director, Administrative Services outgoing mail, receipt of (KWAX, etc.) and Computing Facilities incoming mail, mailing lists) [email protected]
Password.uoregon.edu This article is meant to serve A1000 as a briefi ng for members of the NFS (Password changing) campus community who may be Server interested in learning more about the Computing Center’s work in upgrading Darkwing. Let’s begin by Acad-CL talking about “classic Darkwing.” Front Compute Cluster end Classic Darkwing (Compute intensive jobs) server Compute nodes Darkwing is a server that’s familiar to many UO faculty and staff, although Fig. 1. The way we were… This chart shows the way Darkwing was if you’re like many users, you may confi gured before the upgrade began. know it only as an email server. In reality, while Darkwing does deliver • Darkwing delivers streaming • Darkwing also handles network email for over 15,000 faculty, staff audio, via Real and Darwin backups of user fi les and graduate student accounts, it Streaming Server, for KWAX does quite a bit more, too: (For a diagram of classic Darkwing and other high profi le campus functions, see Figure 1 above.) • Darkwing accounts serve as content providers the basis for faculty, staff, and • Darkwing serves over 1300 That’s a lot for a single six-year- graduate student authentication majordomo-based email mailing old server to do. Not surprisingly, for a variety of campus lists most noticeably beginning in resources, including such • Darkwing offers shell access for 2004, Darkwing began to deliver services as wireless access, users who want to use pine, run unsatisfactory performance—in other dialin access, virtual private statistical packages, compile words, “it got slow.” network (VPN) access, and and run their own programs, the Blackboard teaching and or otherwise work at the UNIX Monolithic Architecture learning system percent-sign (%) shell prompt Moreover, having all those services • Darkwing hosts several • Darkwing provides the boot on a single monolithic system also hundred virtual web servers, environment and font server meant that if Darkwing did have including key web servers needed for X terminals such as problems, or if it were simply taken such as www.uoregon.edu, the those deployed in the basement down for scheduled maintenance, university’s primary website, corridors of McKenzie Hall and the down time would affect many and many others (for a list of elsewhere on campus different activities, including mission all the virtual hosts served from critical production services such as • Darkwing acts as a print server Darkwing, see faculty email or institutional web for multiple campus print http://virtual-www.uoregon.edu/ ) page delivery. queues 4 computing news winter 2005 Running a single monolithic system load you may confront. For example, substantial amount for any also has implications for system Google (at least as of March 2003) licensed product(s), if we needed replacement: if you were to replace used over 15,000 commodity-class to purchase and deploy those a large monolithic system with PCs [2] to meet the world’s aggregate licensed products on each node an even larger monolithic system, search engine requirements. • recognizing that if we needed to you’d be investing in comparatively add capacity, we would have to uncommon hardware with a premium While we’re nowhere near the size of shuffl e users around price tag. Google, it’s easy to see the writing on • accepting the fact that it will be the wall: single monolithic servers hard to evenly share load among For example, Sun’s top-of-the-line don’t scale well. nodes. fl agship E25K server starts at just [1] over a million dollars (list price) If We Don’t Buy a Single Model #2. Alternatively, we could and it isn’t very hard to confi gure Big Box, How Should We divide the load by splitting things an E25K in a way that would make up according to service. Doing that it cost in excess of three million Split Up The Load Onto sort of model means that: dollars, not including any signifi cant disk storage. Even a more modest Multiple Smaller Boxes? • we can tailor nodes to the needs midrange Sun Fire E6900 with just We thought about two approaches we of particular services 16 processors and 64GB of RAM has could use to divide our load across • we can point traffi c for a given a list price of nearly $800,000 (again multiple smaller servers: service at a particular node via not including material disk space). In Model #1. We could divide things DNS tight budgetary times, or at any time, up by user. Taking that approach • we can limit the extent of that’s a lot of money. would involve: licensed products we buy • having each node running all • we can add capacity trans- A fi nal factor leading us away from services monolithic systems is that we know parently by adding additional from the commercial sector that it • having some way to hash or back-end nodes behind a load is easy to get to the point where no “divvy up” users onto multiple balancer. matter how much money you have, nodes in a user-transparent way you can’t buy a single system that’s • being willing to accept the fact Model # 2 is the model the UO has big enough to handle the aggregate that we might need to pay a decided to pursue.
Sample Service Node, New Model Each major service (or group of services) runs on its own set of redundant, load banced hosts
IMAP or WWW or . . .
(Live) Server 1 Load IMAP Balancer 1 Server 2 Private UONet Network NAS t Server 3 Switch
tbea . (Network
Hear . . Attached Load Server N Storage) Balancer 2
(Standby)
computing news winter 2005 5 The New Darkwing, continued… Server Building Blocks; across the servers (e.g., it requires the and you also need to increase disk use of load balancers). I/O throughput (the ability to shovel Load Balancing data over the wire from a server such An inherent part of the new model is Besides fixing the load problem as Darkwing to a network file server the use of commodity dual processor and giving us critical operational connected over the network). AMD Opteron-based 1U rackmount resilience and a clean path for future systems. Those dual processor growth, the new model also eliminates It would do no good to increase the Opteron boxes are the same sort of our reliance on expensive proprietary amount of disk space users would systems we’ve been using for a while hardware and proprietary operating have if there wasn’t increased capac- for the current Academic Compute systems, while also allowing us to ity to read and write data to that disk Intensive Cluster (e.g., the “acad-cl” avoid the growing cost of maintaining space, and network capacity to move nodes, see http://acad-cl0.uoregon.edu/ ), aging hardware and setting the stage that data to/from the file server. where they’ve proven themselves by for enabling new services such as larger disk quotas. Our recent survey of Darkwing delivering tremendous performance [3] at a very reasonable price.[5] We’re users , also identified the fact that users also looking at adding a less powerful Speaking of Disk Quotas, would like to be able to more easily (and less expensive) building block Storage Is Central restore accidentally damaged or unin- host to our architecture for situations tentionally deleted files from backups, Even though Darkwing load mani- where a dual Opteron, or even a single and the fact that users would also like fested itself as general slowness, Opteron, would simply be overkill to be able to get at their Darkwing files that slowness was really a function and unnecessary. via a Microsoft Windows file system of limitations in the system’s I/O (e.g., “CIFS” or “Samba”) rather than Two, three, or more building block (input/output) to disk storage as much just via Darkwing’s traditional UNIX- servers, whether Opteron-based or as anything. oriented NFS. something less powerful, would then When you think about disk storage, sit behind a pair of load balancers Still another factor was the desire to be you probably think about working (which are themselves simply build- well positioned to move to NFSv4 as within a comparatively limited disk ing block servers, this time config- soon as possible to minimize potential quota, such as 100MB on classic [4] ured to run the LVS load balancing NFS-related security issues. Darkwing. software). Building Upon What Emerging trends, such as large desk- Load balancers look at incoming top drives (200-250 gigabyte desktop We’ve Already Been Doing connections along with backend hard drives are routinely available Over the last few years, the server load, and then route incoming now), and things such as Google’s Computing Center has been actively connections to a suitable server, either Gmail service (offering users 1000MB experimenting with a variety of new working round-robin style or by moni- worth of free disk storage for email), technologies—technologies which toring the load on each backend server meant that our traditional 100MB have ended up shaping much of and then sending connections to the email quotas on Darkwing were what we’ll be doing in upgrading currently most lightly loaded host. really pretty antiquated. Meeting Darkwing. user expectations requires that we Use of multiple load-balanced hosts offer disk quotas that are basically We’ve already described the Opteron- in this fashion gives the university an order of magnitude higher than based building blocks we’ll be using; operational resilience by allowing current levels. they are one example of a technology one building block system to be taken that’s proven itself and moved from out of service for maintenance or Simply buying more disk wouldn’t the lab into production. upgrades without users even noticing be sufficient, however. At the same the change; the down side of this ap- time you add disk space, you also Similarly, at least for now, Darkwing’s proach is that it increases server count need to increase the ability to do disk disk storage is running on commodity [6] (redundant servers are required) and I/O operations (read operations, write serial ATA disk network attached it requires a way to share the load operations, seek operations, etc.), storage (NAS), storage which looks
Building block servers: a DVD drive (left) and two hard drives. Any number of these server units may be mounted on racks and deployed as needed, providing a more flexible model for network service. 6 computing news winter 2005 Evolving Darkwing as of Mid-January 2005 Interim Network Attached Storage (NAS) Filer 1
Compute nodes Front end server Interim NAS Filer 2
Acad-CL Compute Cluster (Compute intensive jobs) Spare NAS Interim Filer Private Network Computing Center UONet Darkwing
Production NAS Filer Load balancer Private Network evolving 2nd Campus Location to... POP & IMAP Server 1 Standby load balancer
POP & IMAP Server 2
Live Backup Production NAS Password Box 1 Filer Internally load balanced
Password Box 2
Mail Server 1 Additional Hosts / Pending Nodes · Mail Server 2 · Incoming Mail (MX) Server (two load balanced hosts) · Web (www.uoregon.edu, virtual hosts, personal web pages) (two load balanced hosts) · Majordomo Mailing Lists (two load balanced hosts) Green Web Email · Streaming Audio/Video (two load balanced hosts) · Shell server (two load balanced hosts) · CIFS/Samba (two load balanced hosts) · Backup server · Syslog server · Monitoring server [Additional Hosts] Note: Multiple services may be delivered from the same physical pair of load balanced hosts, depending on system requirements and other factors much like the sort of disk storage attached storage (NAS) filers.[9] against darkwing.uoregon.edu, they proven in the storage of terabytes access POP as pop.uoregon.edu (or of data for the ANTC Route Views The interim filers we’re currently IMAP as imap.uoregon.edu). project.[7] using do not offer the scalability and feature set we ultimately want, At the same time we asked users to A third example of moving proven but its deployment is giving us the make that change, we also asked them technologies from one project to an- breathing room we need to complete to change their outgoing email server other can be seen in the use of RedHat name from darkwing.uoregon.edu to [8] procurement of the mirrored produc- Linux-based load balancers in front tion filer that will be the core of the smtp.uoregon.edu of multiple systems, as pioneered new Darkwing architecture. As we At this time, the migration to the on campus by the Administrative write this, the migration of Darkwing new pop.uoregon.edu, imap.uoregon. Services group and the Systems user files to the interim filer has been edu and smtp.uoregon.edu servers has Group in conjunction with deploying completed. Internet Native Banner. also taken place. The next stage of the upgrade in- We’ve also moved IMHO (the “green” Transition Architecture volved migration of POP and IMAP web email client) off of classic (email reading) services from classic The Darkwing upgrade process has Darkwing and onto its own server. Darkwing to a new load-balanced already begun, albeit on more of an Because users currently access that cluster of Opterons. expedited basis than we might have service by clicking on “Web Email” liked. Moving user POP and IMAP activity from the UO home page, or by visiting The first stage of that upgrade was to the new cluster requires contacting http://email.uoregon.edu/ directly, the migration of user files from Darkwing POP and IMAP users, asking we’ve been able to accomplish the Darkwing’s old, slow, and bottle- them to change their email programs migration of that service in a way necked disks to new interim network so that instead of POPing or IMAPing that’s transparent to users (except computing news winter 2005 7 The New Darkwing, continued… for the fact that green web email is web email client that will support a faculty, staff, and graduate students noticeably faster). spell checker and address book, two so that the university can control features noticeably absent from the access to resources such as the For an overview of Darkwing’s current current green web email). wireless network, dialin modems, stage of development, see the Evolving the virtual private network (VPN), Darkwing diagram at the top of the password.uoregon.edu and the Blackboard teaching and previous page. We’ve also recognized that our web- learning system. Gladstone serves a based password changing system, similar authentication function for The Production http://password.uoregon.edu/ needed undergraduates. (Mirrored) Filers an upgrade. When users supply their Darkwing Concurrently with the steps described For those who may not be familiar username and password to access the above, we’re also working on procur- with password.uoregon.edu, that host UO’s wireless network, or modems, or ing a pair of production network provides the web-based interface Blackboard, we have some confidence attached storage (NAS) filers that will for making password changes on that two things are true: form the core of the new Darkwing. Darkwing, Gladstone, and Oregon, 1. They are who they claim to be Because of the size of those filers while also allowing users to do things and are somehow affiliated with (8TB, or 8000GB initially, scalable such as: the UO, and secondarily to just under 100TB or a tenth of a • check their disk usage via the web petabyte), and because the contents 2. They are probably UO faculty, ( http://password.uoregon.edu/quota/ ) of those filers will be key to university UO staff, or a UO graduate student operations, the contents of the filers • set or disable mail forwarding (although based simply on their will be “mirrored,” or constantly ( http://password.uoregon.edu/forward/ ) ability to login to Darkwing, we synchronized, with one server located • set their spam filtering preferences don’t know which of these they in the Computing Center and a second ( http://password.uoregon.edu/ may be, and there’s a chance that server located elsewhere on campus, allowspam/ ) they might be an undergraduate, connected over a private network con- • set their viral husk disposition e.g., someone using a Darkwing sisting of multiple channel-bonded preferences student account specially created gigabit ethernet links supporting ( http://password.uoregon.edu/husks/ ) for a class) [10] jumbo frames. Because most users rarely if ever Note that the second assertion is That mirroring, along with traditional access their Darkwing accounts via pretty weak. For example, if we had off-site tape backups, will ensure that ssh, password.uoregon.edu provides some service that could be provided even if the primary filer were to be an easy web-based interface for only to staff members but not to destroyed by a catastrophic fire or accomplishing tasks that would faculty or graduate students, based other accident, the backup filer would otherwise require ssh and arcane on current Darkwing credentials it still be available to provide access to UNIX commands to accomplish. would be impossible for us to restrict that service to staff only. your files. The upgrade to password.uoregon.edu Once deployed, the production has been completed at this point, Thinking about that, you start to filer will also offer users easier user- and that system now consists of a understand the fact that authentication controlled restoration of damaged redundant load-balanced pair of is only one leg of what’s often called a or accidentally deleted files, and systems that has far greater capacity three legged “AAA” stool. The three eventually the ability to access files than its predecessor. legs of that stool are: via CIFS/Samba. Once the production Moving to a pair of systems for • Authentication (“I know who filer’s in place, disk quotas should password.uoregon.edu means that you are,” often accomplished increase from 100MB to 250MB, and down time for that host should now be by using a username and secret then, depending on utilization and a thing of the past, and we now have password), other factors, upwards from there. surge capacity to handle situations • Authorization (“I know what you are/what you should be Deployment of the production filers when many passwords need to be changed in a short time interval. able to do in that role,” e.g., will also be the key event that will I’m a faculty member, or an allow us to finally decommission LDAP Authentication undergraduate student), and oregon.uoregon.edu, our legacy • ccess control (“I have the OpenVMS system, and with it, Still another change that’s underway A [11] ability to control what you can “black” web email (“green” web is LDAP-based authentication. access based on what you’re email will remain available, and we’re Remember that one of the things authorized to do/see,”—for also looking at a third generation that Darkwing currently does is to serve as an authentication system for example, hypothetically one 8 computing news winter 2005 might allow visitors to campus and another tree of fi les from that Notes: to access some databases but not same user’s Gladstone account. others, or one might limit access [1] Sun Fire E25K Server to shared departmental printers Our current thinking is that: http://www.sun.com/servers/highend/ to members of that department) sunfi re_e25k/index.xml • users who have only a Darkwing When the LDAP authentication proj- account will see no difference; [2] Web Search for a Planet: The ect has been completed, Darkwing in a converged environment, Google Cluster Architecture users will login just as they currently their default directory will be http://www.computer.org/micro/ do, but behind the scenes the authen- their normal Darkwing default mi2003/m2022.pdf tication process will be handled by the directory new LDAP server instead of directly [3] Darkwing Faculty/Staff Survey by Darkwing. • users who have only a Gladstone account will see no difference; Results: How You Voted http://cc.uoregon.edu