[Beowulf] Security issues
kilian.cavalotti.work at gmail.com
Tue Oct 28 01:52:18 PDT 2008
Robert G. Brown wrote:
> Also to be remembered is that in most situations where one user exploits
> another's account or takes another's data INSIDE an organization, the
> best security tool is known as a "sucker rod". Or a hammer. Applied,
> none too gently, to a user's fingers or the side of their head.
> Or (if you are in one of this silly environments that frowns on actually
> causing physical pain to users:-) you can use the "throwing them off of
> the system, permanently, so hard that they bounce" which can have highly
> deleterious effects on their ability to e.g. finish a dissertation. Or
> in a corporate environment, one can "fire them and prosecute".
I definitely agree with that. Technical solutions must be adopted in
case of technical problems, but technical solutions can't solve
Users sharing an account is not a technical issue, that's a social
behavior, which has to be addressed via legal/political/educational
> Security costs cycles, and cycles are precious.
It's also that security, from the academic users' standpoint, is a
useless burden, which sits in their way most of times, and prevent them
to do their work. At least that's often their perception. That's why
education is so crucial, and helping them understand that the damn
sysadmin who puts security checks everywhere is actually working on
their side, to keep them safe, to improve their compute tools' uptime,
and to prevent that the results of their computations get published
before they even have a chance to retrieve their files. And usually,
they care about that last one.
> security in an environment where your office is down the hall from the
> user's office, where the department chair and policy are on your side,
> where you have clear ways to identify and punish misbehaving
Well, yes. But it may also happen that even though the department chair
is on your side, punishing certain misbehaving individuals is not that
> Once somebody sitting in some internet cafe in Germany
Eh! What about Germany? :)
> A good systems manager is just a tiny notch this side of being a raving
> paranoid. Perhaps a "muttering" paranoid. They only rave if they catch
> you being bad, often carrying a sucker rod...:-)
That's an issue too. The vigilance windows may be as wide as human
resources allow, there will still be periods of time where nobody
watches and were malicious users could do their bad things without being
noticed. That's where technical measures can help, by limiting the
damages a user can do, by restricting the scope of their actions
(without preventing them to work either, remember that the main purpose
of an HPC system is to produce computations results), and by notifying
the sysadmin in case something fishy happens.
Anyway, in the case we're talking about, technical solutions would
definitely help containing the fire, but to prevent it being lit, there
has to be some political will from the user side.
More information about the Beowulf