IT Services and ResNet
There seems to be a great deal of moaning and whinges about IT services recently, both on here and in general around campus, especially with regard to ResNet.
I have just come from the ResNet focus group meeting, to which all students who wish to express problems with ResNet are invited. This week there were two of us students there, and four people from ITS. If you really have something to say, come to the meetings.
For example, they've made some changes to the traffic shaping systems recently, and need some feedback about how the network was performing last weekend. Fortunately for me, I was away from the curse of technology on the weekend and so couldn't help. The other student reported that it wasn't any worse than before the changes and so we've all assumed that it's at least bearable at the moment. If you don't agree or you'd actually like to talk to ITS about their level of service rather than sitting around whingeing or throwing abuse at them, then come and actually do something useful about it.
Before anyone moans about the 'incident' on the weekend, I'd like to point out that I believe they did the right thing – initially at least. They very quickly dealt with a situation where everyone's accounts were at risk. You may moan about having to change your passwords but how would you like to have all of your work deleted by someone who's broken into your account? Also, it should be pointed out that the usual method of dealing with an incident of that sort, in the short term, is to take the entire system offline; how would you have liked that?
I can't pretend that I don't think they made any mistakes though, particularly with regard to the handling of communication of the login grace period. I think they now realise that communication of the 2 login grace period to people using the web-based single sign-on system or the accursed Groupwise webmail system would have saved them the few thousand helpdesk calls and massive queues outside the computing centre on Monday. The two of us that did turn up to the ResNet meeting have suggested some ways we think they can improve this and deal with it in a much better way if it ever happens again, but this is just our opinion; how are they supposed to ever improve anything if all they get is abuse and whingeing from people that don't even have anything constructive to say??
With regard to Novell Groupwise, everyone is fully aware of its complete inability to cope with the university's email and ITS are working to migrate everyone over to the new system. Please abuse Groupwise itself as much as you like, hopefully anything written on here about it will eventually come up in search engine queries for 'Groupwise', as it is one of the most useless and unstable systems I've ever had the displeasure to use.
7 comments by 3 or more people
Mathew Mannion
I was just about to make a post about this but you beat me to it – ITS did exactly the correct thing once they were aware of a security breach (whether that should have happened, I have no idea, NDS is voodoo to me) – the problem was the gross lack of communication, which I attribute to the ill feeling between students and ITS as a whole.
And so forth.
25 Jan 2006, 14:56
I can't comment on ResNet, as I don't live on campus, but I must say I really don't think that ITS' disgraceful handling of the weekend's events is defensible. Their response may have been reasonably appropriate initially, but the result – locking hundreds? thousands? of people out of the system without any real warning or detailed explanation – was not. Honestly, I'd have preferred 90–120 minutes of shutdown time to the unspecified amount of inconvenience we were faced with instead. Had it not occurred to someone on Monday to give everyone extra grace logins, I think it's fairly safe to say there would still be phone queues now.
Here's some constructive criticism: why is there no automated password-recovery system built into ITS services (forums/blogs/insite/etc)? If there were, and it was independent from all Warwick services (ie. it didn't rely on sending you an email, potentially to the compromised GroupWise accounts), that would have been problem solved.
Some more: the system is woefully disconnected. I now use, I think, five separate passwords for Warwick services, for reasons entirely out of my control! ITS, DCS (Computer Science), BOSS Online Submission, Webmail, and the Warwick HTTP Proxy are all completely independent of each other. I can't even figure out if it's possible to change my password for the proxy, it's still set as the original password I chose when enrolling – almost 3 years ago! I'm not saying that this disconnection is necessarily a bad thing, but it strikes me as less of an example of "good design" and more "left hand doesn't know what the right hand is doing."
And finally: and this is the big one. WHY WERE PASSWORDS STORED IN A PLAIN TEXT FORMAT IN THE FIRST PLACE? This one I consider unforgivable. Surely passwords should always, always be stored in such a manner that retrieving the username/password association file (be it plaintext, database, what have you) should be of absolutely no use to anyone. Even a simple encryption function would accomplish this, and there are plenty of other methods available.
Oh yes, and finally, GroupWise is indeed shockingly shoddy (though bizarrely it really wasn't this bad up to half way through my second year, or so it seemed to me). Good job it's on the way out.
25 Jan 2006, 14:56
Mathew Mannion
That rumour is almost certainly tosh.
The reason that the Single Sign On system (forums, blogs, sitebuilder) didn't carry a warning or have a single password change system is because it's actually separate to the insite passwords.
25 Jan 2006, 15:00
Chris May
There's no automated password recovery system built into web-sign-on (blogs/forums/insite/etc) because they just delegate to NDS (Novell Directory Services) to do the authentication, and NDS (at least, as implemented here) doesn't have such a feature. I can't comment on whether NDS could have this feature, as I'm not involved in it.
As it happens, we're mulling over whether to build an alternate password infrastructure into websignon to cope with this kind of eventuality, but we don't have any firm plans as yet.
Passwords aren't stored in plaintext in NDS, or websignon (Those are the only two authentication DBs here that I know anything about); as far as I know they aren't stored in plain-text anywhere. If they were, it would be every bit as indefensible as you describe. I'm not sure if it's appropriate for me to describe how they were acquired, but I feel like I ought to at least correct your assertion.
25 Jan 2006, 15:10
I hadn't heard about this plain-text storage of passwords, I shall endeavour to find out if it is true or not.
Mathew: The single sign on system is not separate from in-site, which is why it now carries a notice, as it should have done immediately after the incident, that you should login through insite first. The lack of communication between ITS and students is something that definitely needs to be worked on, in both directions.
Alex: Systems like that are separate for a good reason, I believe. If you choose to set all your passwords differently that is up to you and you'd probably find that your left hand wouldn't know what the right were doing if you had a hundred different hands! ITS simply don't have the resources to cope with integrating the whole of DCS and such like into their own systems (and I can't imagine DCS would like the idea either). Personally I have a feeling ITS aren't given the resources for what they already do, but that's a whole different rant.
Also, I have no intention of trying to defend their handling of the account locking, I did clearly say that in the original post.
25 Jan 2006, 15:24
Mathew Mannion
I can assure you that the SSO system is separate from insite, and simply uses NDS to do the authentication, which is the same as what insite does, but they are not the same system. If they were, then insite would use SSO. The reason that a message was put on the SSO sign-in page was out of good grace, in that it was obvious that the lookups were using up people's grace logins.
Of course, I defer any actual knowledge to Chris.
25 Jan 2006, 15:49
I stand corrected. I didn't write exactly what I meant though. I didn't mean it in the technical sense as I don't have any knowledge of how the system works.
What I meant to say was that it's the same system from the point of view of a Warwick student, i.e. you use the same username and password, changing your password on insite changes it on the SSO and logging in to SSO used up the grace logins.
It would certainly help if the same system was used to log into all the web based services (insite, gwmail and smail as well). At least that way they could put any important information just on that page and everyone (almost) would have to see it.
25 Jan 2006, 16:07