[Beowulf] Security issues

Kilian CAVALOTTI kilian.cavalotti.work at gmail.com
Tue Oct 28 01:52:18 PDT 2008


Robert G. Brown wrote:
> Also to be remembered is that in most situations where one user exploits
> another's account or takes another's data INSIDE an organization, the
> best security tool is known as a "sucker rod".  Or a hammer.  Applied,
> none too gently, to a user's fingers or the side of their head.
> 
> Or (if you are in one of these silly environments that frown on actually
> causing physical pain to users:-) you can use the "throwing them off of
> the system, permanently, so hard that they bounce" which can have highly
> deleterious effects on their ability to e.g. finish a dissertation.  Or
> in a corporate environment, one can "fire them and prosecute".

I definitely agree with that. Technical solutions must be adopted in 
case of technical problems, but technical solutions can't solve 
non-technical issues.

Users sharing an account is not a technical issue, that's a social 
behavior, which has to be addressed via legal/political/educational 
measures.

> Security costs cycles, and cycles are precious.

It's also that security, from the academic users' standpoint, is a 
useless burden, which sits in their way most of the time, and prevents 
them from doing their work. At least that's often their perception. 
That's why education is so crucial, and helping them understand that the 
damn sysadmin who puts security checks everywhere is actually working on 
their side, to keep them safe, to improve their compute tools' uptime, 
and to prevent the results of their computations from getting published 
before they even have a chance to retrieve their files. And usually, 
they care about that last one.

> security in an environment where your office is down the hall from the
> user's office, where the department chair and policy are on your side,
> where you have clear ways to identify and punish misbehaving
> individuals.

Well, yes. But it may also happen that even though the department chair 
is on your side, punishing certain misbehaving individuals is not that 
easy...

> Once somebody sitting in some internet cafe in Germany 

Eh! What about Germany? :)

> A good systems manager is just a tiny notch this side of being a raving
> paranoid.  Perhaps a "muttering" paranoid.  They only rave if they catch
> you being bad, often carrying a sucker rod...:-)

That's an issue too. The vigilance windows may be as wide as human 
resources allow, there will still be periods of time where nobody 
watches and where malicious users could do their bad things without 
being noticed. That's where technical measures can help, by limiting the 
damage a user can do, by restricting the scope of their actions 
(without preventing them from working either, remember that the main 
purpose of an HPC system is to produce computation results), and by 
notifying the sysadmin in case something fishy happens.

Anyway, in the case we're talking about, technical solutions would 
definitely help contain the fire, but to prevent it being lit, there 
has to be some political will from the user side.

Cheers,
-- 
Kilian


