Knowledge Sharing

This space contributes to the sharing culture of the Internet.

 

UNU Rector's Vision

UNU Rector Konrad Osterwalder outlines his vision for the future of the United Nations University as a fully fledged graduate school. Following a recent General Assembly resolution co-sponsored by 112 countries, UNU plans to begin awarding Masters and PhD degrees at its current institutes and in partnership with local institutions within five years. The move will allow the organization to better fulfil its mandate as an interdisciplinary training provider and capacity builder in developing countries.

 

Japan's Grape-DR is the World's Most Energy Efficient Supercomputer

July 8, 2010 - Grape-DR, developed by the University of Tokyo and the National Astronomical Observatory of Japan, was ranked first in the Little Green500 list. Grape-DR has a computing performance of 24.67 TFLOPS and a performance per unit of power consumption of 815.43 MFLOPS/W, compared to the 773 MFLOPS/W of the second-ranked IBM supercomputer system located in Germany. The supercomputer system combines 64 pairs of Intel's Core i7-920 microprocessors and a board with 4 Grape-DR accelerator chips, which enhances the total computing performance by about 5 times.

Read the full article

 

Cloud Computing 1.0 meets science

June 18, 2010 - Early performance results of using the U.S. Department of Energy's Magellan cloud computing testbed for scientific computations suggest that commercially available clouds are not fast enough for science. "For the more traditional MPI (message passing interface) applications there were significant slowdowns, over a factor of 10," says National Energy Research Scientific Computing's Kathy Yelick.

Read the full article

 

Effects of long-term use of multitouch devices on health

June 8, 2010 - When the keyboard was designed as a computer input device, little was known or thought about the potential long-term health hazards associated with typing. Some studies have shown that repetitive high-volume data entry requiring intensive keyboard activity can lead to damage to the tendons that run from the hands to the forearms. With multitouch interaction becoming the default input method for nascent computing devices (e.g., the iPad), scientists at Arizona State University are gearing up to investigate the potential musculoskeletal stresses that prolonged use of multitouch systems can place on our bodies. The results of this study can provide substantive feedback for refining the design of multitouch systems.

Read the full article.

 

China's Dawning Nebulae is World's Second Fastest Supercomputer

May 31, 2010 - The Dawning Nebulae, based at the newly built National Supercomputing Center in Shenzhen, China, with a sustained computing speed of 1.27 PFlop/s against the 1.75 PFlop/s world record achieved by the Cray Jaguar supercomputer, claimed second place in the latest semiannual ranking of the world's 500 fastest computers. Nebulae is based on chips from Intel and Nvidia. China is expected to challenge US dominance in supercomputing with its next system, which will be built using Chinese-designed components.

Read the full article

 

ICANN CEO resists the call for UN control of Internet addresses

May 25, 2010 - There is no end in sight to the ongoing debate about whether the United Nations would be in a better position to coordinate the Internet's naming system than ICANN, which until recently reported solely to the U.S. government.

Countries such as Iran and Brazil have repeatedly advocated for a global body like the United Nations to run the Internet. However, ICANN CEO Rod Beckstrom warns that "Multilateral state control could make ICANN less nimble and therefore less likely to quickly develop technologies such as Arabic-language domain names that feed rapidly expanding Internet demand."

Read the full article

 

Using compute power from Amazon.com for cancer treatment 

May 12, 2010 - Radiation therapy that targets tumors requires complex calculations to map the precise area to be treated with as little damage as possible to the surrounding healthy tissue. These calculations can take hundreds of hours of processing on sophisticated computers, which are often unaffordable for clinics to buy and maintain.

Clouds provide a powerful compute infrastructure at a modest cost and are a catalyst for innovation. Researchers at the University of New Mexico turned to cloud computing when they learned that clinics could buy computer time at $0.10 an hour from Amazon.com. They broke the problem into pieces that could run on 200 nodes. This approach, if successful, can lead to more effective and lower-cost radiation treatments with fewer side effects for patients.

Read the full article

 

Is Amazon EC2 Really What You Need?

I like the concept of Amazon EC2, which allows you to rent computing power by the hour. Their entry-level spec is called 'small' and costs $0.12 per hour for a Windows server based instance at their cheapest data center in Virginia, USA. It provides you with the following:

    * 1.7 GB memory
    * 1 EC2 Compute Unit (1 virtual core with 1 EC2 Compute Unit)
    * 160 GB instance storage

Ok, everyone knows what 1.7GB of memory is, and 160GB of disk space.  But what is an EC2 Compute Unit?

They describe that as "equivalent CPU capacity of a 1.0-1.2 GHz 2007 Opteron or 2007 Xeon processor", which unfortunately does not help much.

I set out to find out exactly how much power that is, by using PassMark's PerformanceTest 7.0.  By running that on a few machines I had access to, and Amazon's small EC2 I could get an idea how much processing power you can get for $0.12 per hour (about $87 per month).  Here are the results:

Core i7 920 @ 2.667 GHz - PassMark score 5,706
Intel Dual-Core E5200 @ 2.50 GHz - PassMark score 1,574
Intel Pentium Dual E2180 @ 2.00 GHz - PassMark score 1,270
Intel Atom D510 @ 1.66 GHz - PassMark score 663
Amazon Small @ 1 EC2 Compute Unit - PassMark score 343

These scores are based on PassMark's CPU test only, and were not designed to test all aspects of the computer.  With so much variation between disks, network and video performance I was really only interested in the raw CPU power.

The results were disappointing to say the least.  You can purchase an entire computer based on Intel's Atom processor for $300 - $400 on the market right now (no monitor or keyboard).  That much financial outlay will get you a machine with nearly twice the CPU power of Amazon's small EC2.

It would take you nearly 17 of these Amazon small EC2 computers to provide you with the same level of CPU power of a single i7 920 processor.  So, if you want the i7 computing power on Amazon's cloud it would cost you $1,468.80 per month.  With numbers like that you really need to do your homework, if you require something that is CPU intensive for long periods vs. burst usage for only a few hours you may be better off buying than renting.

 


Nintendo Wii remote in the classroom

May 5, 2010 - If learning is to be fun, turning Nintendo's Wii remote into a teaching tool in a computer engineering course is certainly one step in this direction. Students at Iowa State University are writing software that enables the Wii remote to send the data its sensors collect about the spinning pedals of a bicycle to a computer instead of a game console, and turn that into useful information about cadence and the rider's movement and efficiency.

Read the full article

 

Mind-reading Devices by 2020?

April 22, 2010 - The Japanese government, in partnership with the private sector and universities, aims to develop mind-reading consumer electronics and robots within 10 years. Electronic devices and robots would have a brain-machine interface to detect and analyze brain waves and brain blood flow patterns in order to respond to, or make suggestions about, users' wishes. For example, a person wearing a sensor-mounted headset would be able to control a TV or send text messages "telepathically".

Read the full article

 

Stealing what Google knows about you

April 21, 2010 - In an era when giving away some of our privacy means more online convenience, we are increasingly enticed not to think about the possibility that our privacy could be at risk. Personalized services on the Internet, such as Google's auto-suggest feature, rely on personal information that they capture about the user. The concern is that if this information is not properly protected, it could be hijacked for malicious purposes.

In a test of Google's privacy protections, a group of researchers were able to reconstruct users' Web search histories by intercepting cookies from Google's Web History service. This was possible because certain elements of the search queries used by this service were sent in clear text over the Internet. The report mentioned that Google responded responsibly to this vulnerability by always encrypting the communications related to the Web History service. However, the researchers noted that search suggestions available on mobile phones remain vulnerable.

You can monitor a maintained list of vulnerable services here.

Read the full article

 

Unlimited High Performance Cloud Storage?

A new product has hit the market, with unlimited storage in the cloud combined with local network caching to maximize performance and reliability. Impressive technology, but will it take off?

Read full post about this new storage concept.

 

Combining pen and touch interactions in a new user interface design

April 12, 2010 - Touch interfaces, through gestures such as holding, tapping, dragging and crossing, allow users to manipulate objects onscreen, for example zooming in and out of an image. However, many actions that we perform on computer objects, like images, require a certain level of precision which is not possible with touch interactions. A research project called Manual Deskterity goes beyond touch alone by enabling simultaneous pen and touch input. A short video demonstrates how touch and pen interactions can complement each other: for example, one hand holds an image onscreen while the other uses a pen to annotate the image or perform other actions, such as a precision cut.

When is it coming to mobile devices?

Read the full article

 

Replicating ColdFusion Configuration Within A Cluster

If you have multiple ColdFusion servers in a cluster, keeping the configuration in sync can be quite a bit of work, especially after a server meltdown.

Read Full Post...

 


New technique allows inherently serial programs to run faster

April 5, 2010 - Despite continuing advances in processor architecture and technology, highly serial programs like word processors and Web browsers struggle to benefit from the parallel processing power of the multi-core processors common in today's computers. These applications consist of many steps that must be run one after another, making them difficult to run on more than one core at a time. Although the execution logic is rather sequential, the memory operations and management associated with many of the program steps are repetitive and parallelizable. Researchers have found that by offloading dynamic memory management to a separate thread, common computer programs can run up to 20% faster. The new technique also opens avenues to incorporate new security measures into memory management without any impact on the program's performance.

Read the full article

 

PeopleSoft Enterprise Documentation - On Kindle!

If you are an Amazon Kindle user and an Oracle PeopleSoft user, you may be interested to know that Oracle has released a number of documents specifically formatted for your Kindle. Always nice to see things being released in new formats, thanks Oracle.

 

Secure one-click access - no user ID and password required

April 5, 2010 - Imagine being able to securely authenticate to an online site without having to type your user ID and password. All you need to do is open the login page on any computer and scan a 2D image code with your smartphone, which is running special software. This is exactly the new approach a group of computer scientists from Tubingen University are proposing. Such a solution not only saves users the trouble of memorizing and entering login credentials when accessing a password-protected site, it also addresses the common threat posed by keyloggers and trojans that steal user passwords for malicious purposes.

Read the full article

 

New world record in energy-efficient sorting algorithm

March 26, 2010 - Using low-power processors and fast SSDs (solid state disks), scientists achieved an impressive energy efficiency record of 0.2 kWh to sort 1 TB of data, which is 3 to 4 times more energy efficient than the previous record set by the team from Stanford University. Sorting was chosen because it is a core step in data processing and analysis.

The result highlights the importance of the design of fast algorithms in an increasingly energy hungry world. The use of low processing power but energy efficient hardware can be compensated by fast algorithms. 

Read the full article

 


HTML 5 - a challenge to Flash

March 23, 2010 - An estimated 98% of the computers connected to the Internet have the Adobe Flash Plugin installed. Experts point to HTML 5, a nascent open Web standard, still in the draft process as a strong challenger to the ubiquitous status of Flash.  Browsers with full support for HTML 5 bring advanced rich media and interactive capabilities to end users without the burden of downloading and installing any plug-ins. 

Less dependency on browser plugins makes the Web a more robust and flexible development platform for delivering a quality video streaming experience and highly interactive applications. HTML 5 will permit developers to use JavaScript and CSS to achieve a more seamless integration of rich media elements (e.g., a video player) into their website designs.

There is little doubt that HTML 5 will be widely supported, but it remains to be seen how it will be implemented in the different browsers and how they fare in terms of performance with respect to each other and to Flash.

Read the full article

 

VoIP delays may mean information leak

February 25, 2010 - The benefits of VoIP are numerous. To name a few: calls are cheaper, as it uses the Internet as the backbone rather than PSTN lines for which you pay by the minute; the user experience is richer and more sophisticated, with visual voicemail, calling by clicking a link on a website or from an integrated application, and location-independent lifetime phone numbers.

A less well-known application area is steganography. Researchers at Warsaw University of Technology in Poland have demonstrated that it is possible to manipulate voice streams to embed secret information in certain packets. In fact, one technique known as LACK (Lost Audio Packet Steganography) can be used to hide information in deliberately delayed packets, which a normal receiver will discard but a LACK-aware receiver can detect and recover the secret information from. Their study shows that the intentional packet delays are not easy to distinguish from routine packet delays and drops.

Read the full article.

 

Unmasking the anonymous user

February 23, 2010 -  A new form of attack is threatening to make it harder for users to hide their identity when browsing the Web. A group of researchers from Vienna University of Technology have developed the “de-anonymization” attack to discover the identity of the user behind the browser by stealing the browser history and probing for previous visits to social networking sites.  If you are a member of a social network (e.g., Facebook), your identity can be revealed when you visit a malicious site that contains the de-anonymization code.  

Traces of the victim's fingerprint are often encoded in the URL itself. For example, Facebook application URLs contain the user ID and group ID:

   http://www.facebook.com/ajax/profile/picture/upload.php?id=[userID]
   http://www.facebook.com/group.php?gid=[groupID]&v=info&ref=nf

A successful attack would need to have access to the history containing visited links to a social networking site, which supports member directory and group directory searches.

The researchers carried out a proof-of-concept attack against Xing, a German social network with a membership of over 8 million users, achieving a success rate of 42%. 

There is currently no fix for the attack.  All the mainstream browsers are vulnerable but you can reduce the risk by turning off browser history or using a private browsing mode.

Read the full article

 

Working Under Heavy Loads

If you have ever developed a web based application that has to operate under heavy loads (several hundred simultaneous users or more) you know it is not the same as building an application for only a handful of users.

Under load you run into all types of interesting problems, such as memory space corruption, record locking in databases and general performance issues of a single machine.  Load balancing (software or hardware) can allow you to spread your application over a number of CPUs which can help with the heavy lifting.

What if you could squeeze as much as 50% more out of your existing CPUs? That would be a great benefit to your application and reduce the number of servers you need. Or keep the same number of servers and let your users reap the benefits.

According to a recent blog posting by Facebook, they have released an open source PHP code transformer.  You develop your applications in PHP as normal and prior to deployment you can transform the code with HipHop for PHP into compiled C++.  The Facebook team has been using the technology for a while, and have seen CPU reductions by as much as 50%.  If you are a PHP developer looking to improve your application performance this is something you will want to investigate.

 

Protecting yourself from a $120,000 phone bill

In January 2009 a company in Australia suffered a massive phone bill of about $120,000 when their VOIP telephone server was compromised.  Unfortunately this sort of thing happens more than you might think.  How are these phone systems being hacked?

It is actually quite easy if the administrators for the office phone system do not take the necessary precautions.  A LOT of people use the same password for their phones as the extension number.  So if they have extension number 104 they use the same password - not very smart. Setting a more complex password would probably have prevented the attack.

Will a firewall protect you from the bad guys?

Probably not... Most VOIP phone systems have either SIP or IAX2 ports open so they can communicate with Internet-based phone service providers. Attackers looking to use your phone server to make phone calls roam the Internet looking for victims, and those who use a password that matches their extension are the easiest targets.

The open source community makes adjustments

An update to FreePBX, which is used to power many Asterisk-based phone systems (including Trixbox & PBX in a Flash), has added two new security features to help phone administrators increase security on their extension numbers.

The first enhancement is a new module that requires that all extension passwords contain at least two numbers and two letters. This seemingly simple change in itself will significantly reduce the chances of a hacker guessing your extension password.

The second, more powerful change is the ability to add a network IP address or address range for every extension (as of version 2.5.1.1). Even if someone attempts to hack your system by guessing your password, if they are not doing it from the IP range you specify they will not be able to make any calls.

The combination of these two new features really will make the life of hackers a lot harder to make phone calls on your dime, and they will quickly move on to the next phone server they find unprotected.

 

An Asterisk Failover Solution?


We have been looking at ways to implement Asterisk based phone systems with some level of redundancy.  We already have one Asterisk phone system that uses a cluster for load balancing and redundancy... but the system as implemented is a bit expensive as it was developed by some Asterisk consultants.

We are looking to put Asterisk in some smaller offices, and don't need real-time load balancing. Since support for these new systems will be remote, having a machine standing by is a nice idea, especially if it can be done at minimum cost.

Today I found FLIP1405, which is a fairly simple script that allows a pair of Asterisk servers to run in an active/passive configuration. The important configuration files are copied between the servers at a regular interval, and when one server stops working the second server will automatically take over.

So if the primary server gets shut down, or loses a hard disk, the second server should come up quickly and take over.

 

Machine over Mind?

February 2010 - IBM pioneer Arthur Samuels built the world's first chess-playing machine that could learn from experience in the 1950s. Forty years later, IBM's Deep Blue became the first machine to defeat chess champion Garry Kasparov in a full match. A high-performance computer capable of evaluating 200 million positions per second gave Deep Blue the advantage on the chess board. The upcoming IBM supercomputer codenamed Watson, which aims to rival human contestants on the American quiz show Jeopardy, will make this restricted form of artificial intelligence pale in comparison.

Unlike the mathematically well-defined chess game, the Jeopardy-playing machine has to make use of the massive parallelism power to deal with real-world ambiguity and complexity in natural language questions, over vast domains of knowledge.  In the contest, if a player buzzes in and gets a wrong answer, he or she is penalized. Therefore, the competition demands high speed in processing natural language questions and computing the confidence and accuracy relationships in answers constructed from the knowledge bank.  

Will computers one day pass the Turing test?

Read more

 

Security with CFQUERYPARAM & MS SQL Server

Here at United Nations University, we operate mostly in English.  We do however get involved with some Japanese and other official UN languages from time to time.

When developing database driven applications to support foreign languages some care must be taken to ensure the characters can be both inserted and retrieved successfully from the database.

If you attempt to insert high ASCII characters or Unicode into a database, it will default to the character set defined at the database level. If you have a database defined using a Latin collation and you insert Japanese characters, the encoding is lost and you will end up with gibberish.

One technique in MS SQL is to insert the string text with a capital N at the beginning of the string, like this:

insert into mytable
(id, text)
values
(4,N'例')

The capital N before the string tells MS SQL to apply no collation and forces the server not to treat the value as any particular language. This solution works nicely: you can input characters from any collation you wish and life is good.

Enter SCRIPT INJECTION attacks

Anyone who monitors their website logs has undoubtedly seen SCRIPT INJECTION attempts on their server. It is basically a way for hackers to attack a website and try to gain control of the server itself or change the website content.

ColdFusion has a nice tag called CFQUERYPARAM which you can use to protect yourself from injection attacks by wrapping strings to be inserted into a database with this tag. Just one problem: it does not work if you are using the N trick to store the data in a language-neutral format.

Not using CFQUERYPARAM would mean you must either leave your application vulnerable to attack, or come up with your own cleaning function to sanitize data before inserting it into the database and be sure you are protected from attack. Leaving yourself open is not fun, and developing your own cleaning function is not fun either.

An easy way around this problem lies in the advanced ODBC configuration of the ColdFusion data source (confirmed to work in versions 8 & 9). By selecting the string format option, ColdFusion is enabled for high ASCII characters and Unicode.

That's it!  You do not need to specify the N character anymore, and it just works.  This allows you to use the CFQUERYPARAM without problems.  Your data will be inserted into the database safely, and you are protected against script injection at the same time.

One more tip!  Don't forget in order to store any characters outside of the defined collation you need to define the data type of the field as ntext, nvarchar etc.
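To make the difference concrete, here is the vulnerable concatenated insert next to the CFQUERYPARAM version, as an added example that is not from the original post. It assumes a hypothetical data source named myDSN with the string format option above already enabled, and a form posting id and text fields.

```cfml
<!--- Added example (not from the original post). Assumes a data source "myDSN"
      with the string format option enabled, and a form that posts id and text. --->

<!--- Run once: the column must be a Unicode type (nvarchar/ntext); otherwise any
      character outside the database collation is lost on insert regardless of N. --->
<cfquery datasource="myDSN">
    create table mytable (id int primary key, text nvarchar(4000) not null)
</cfquery>

<!--- VULNERABLE: form values are pasted straight into the SQL text. The unquoted
      #form.id# accepts whatever SQL the client sends after the number. ColdFusion
      doubles single quotes inside #form.text# within cfquery, but that is a thin
      defence and the reason this post recommends cfqueryparam instead. --->
<cfquery datasource="myDSN">
    insert into mytable (id, text)
    values (#form.id#, N'#form.text#')
</cfquery>

<!--- HARDENED: cfqueryparam sends each value as a bound parameter, separate from the
      SQL text, so user input can never change the statement. cf_sql_integer also
      rejects non-numeric ids before the query runs. No N prefix is needed because the
      string format option makes ColdFusion send the string as Unicode, and maxlength
      stops oversized input before it reaches the database. --->
<cfquery datasource="myDSN">
    insert into mytable (id, text)
    values (
        <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#form.text#" cfsqltype="cf_sql_varchar" maxlength="4000">
    )
</cfquery>

<!--- The same rule applies when reading back, for example in a WHERE clause. --->
<cfquery datasource="myDSN" name="rows">
    select id, text from mytable
    where id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfoutput query="rows">#id#: #text#<br /></cfoutput>
```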

 

Can Computer Vision Make Programming Easier?

January 2010 - Graphical user interfaces (GUIs) have made our interactions with a computer easier and much more intuitive than text-only interfaces. Imagine you could write a program to automate GUI interactions by taking screenshots of what is on the screen (e.g., icons and browser windows), without having to know anything about the code behind the GUIs. What new applications come to your mind?

A group of researchers at MIT have developed a visual programming framework called Sikuli that uses computer vision algorithms to search for specified GUI screenshot patterns on your computer and provides an API to control GUI behavior programmatically. You can find a list of demo applications here.


I would love to have a program to fill out a bunch of forms for me and automate testing of GUIs we build at Campus Computing Centre.

 

Adding intelligence to your email server

January 2010 - Email has become the most popular vehicle for online communications and data exchange. The explosion of email usage has led not only to increased traffic, but also to ever larger email attachments. To guard against abuse and lessen the burden on email servers, ICT departments have set limits on the size of messages. This has created a market for tools that allow the distribution of files which would be too large for email to handle, most commonly by uploading them to a Web server via a Web form or an email client plug-in.

If you are using Sendmail as the MTA for your mail server, there is a very easy way to automatically replace an email attachment with a URL whenever the size of the attachment exceeds a predefined threshold. UNU Campus Computing has had experience using a C/Perl-based filtering tool called MiMEDefang to do this and to remove viruses from emails. MiMEDefang works with the Sendmail Milter API.

 

Education 2.0 - As good as or better than traditional learning?

Can a software program totally replace a teacher or a classroom?   

December 2009 - While we are not quite there yet, with continued R&D funding fueling the journey toward a more efficient and effective learning model, the prospect certainly looks good. Researchers from Carnegie Mellon University, under the auspices of the Open Learning Initiative, developed open learning software that works as a virtual tutor rather than as a medium for delivering the teacher's instruction. Findings over a trial period of two semesters suggest that students in a traditional classroom setting without the online learning application performed no better than their counterparts who used the computer program to learn by themselves.

This encouraging result has raised the possibility of a hybrid model whereby the baseline information is taught using the virtual tutor and the faculty can spend their time going deeper into the subject. Read more here.

 

Someone may be eavesdropping on your private cellphone calls

December 2009 - A German security expert published online a guide for cracking the encryption algorithm that protects the privacy of over 8 billion GSM standard cellphone conversations. While the rationale for the disclosure is allegedly purely academic, it is raising questions about the legality of releasing the decryption know-how into the public domain, and about the possibility of organized crime taking advantage of the proven security weakness and further evolving the public code book to steal sensitive data in business transactions.

The 21-year-old encryption code under threat, known as A5/1, is a 64-bit encryption algorithm. Experts agree that the wireless industry should see the crack as a shot across the bow and should do more to protect the privacy of mobile calls, such as increasing the key size to 128 bits. Read more here.

 

Silver bullet to stop web site attacks?

An indeterminate number of web sites are in the crosshairs of hackers' attack machinery every day. Hackers use an array of evolving techniques and tactics to obtain access to your network. One of the most common forms of cyber attack is the denial-of-service (DoS) attack, which uses a large number of machines from multiple locations to swamp a site with more traffic than the victim server can handle. There is an interesting article about DoS here.

In general, cryptographic tools can't be used to thwart DoS attacks, as they only make the server resource depletion problem worse, and that depletion is the very essence of what DoS attacks exploit. On the bright side, scientists from the University of Bristol, at ASIACRYPT 2009 (Japan), discuss a defense framework based on cryptography which promises to make web site attacks computationally impossible. The central idea is to shift the load onto the adversary's machine when the server's resources drop below a certain level, by demanding that the client construct puzzles and return both the puzzles and their solutions to the server before the server starts responding to the client's request.
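A simplified hash-based client puzzle in cfscript, added here as an example that is not from the article or the Bristol authors' construction: the server issues a challenge whose difficulty rises as its free capacity drops, the client returns the challenge with a counter that makes SHA-256 start with the required zeros, and the server verifies with one hash. The load thresholds and the in-page store of issued puzzles are assumptions.

```cfml
<cfscript>
// Added example (not from the article or the Bristol paper): a simplified
// hash-based client puzzle. The server remembers the puzzles it issued in a
// struct (on a real site this would live in the application scope); the client
// returns the challenge with its solution, and verification costs one hash.
issued = structNew();

// Server: difficulty is the number of leading zero hex digits required. It rises as
// free capacity falls. The thresholds are an assumed policy, not values from the paper.
function issuePuzzle(freeCapacityPercent) {
    var p = structNew();
    if (freeCapacityPercent gt 50) p.difficulty = 0;       // idle: no puzzle
    else if (freeCapacityPercent gt 20) p.difficulty = 3;  // 16^3 tries on average
    else p.difficulty = 5;                                 // 16^5 tries on average
    p.challenge = hash(createUUID() & getTickCount(), "SHA-256");  // fresh per request
    p.issuedAt = getTickCount();
    issued[p.challenge] = p;
    return p;
}

// Client: brute-force a counter until SHA-256(challenge:counter) starts with the
// required zeros. This is the expensive step, and it runs on the client's CPU.
// compare() is used instead of eq: eq treats "0E12" as the number 0 and would
// accept it as equal to "000".
function solvePuzzle(puzzle) {
    var target = "";
    var counter = 0;
    if (puzzle.difficulty eq 0) return 0;
    target = repeatString("0", puzzle.difficulty);
    while (compare(left(hash(puzzle.challenge & ":" & counter, "SHA-256"), puzzle.difficulty), target) neq 0) {
        counter = counter + 1;
    }
    return counter;
}

// Server: reject unknown, expired or reused challenges, then check with a single hash.
function verifySolution(challenge, counter, maxAgeMs) {
    var p = 0;
    var target = "";
    if (not structKeyExists(issued, challenge)) return false;
    p = issued[challenge];
    structDelete(issued, challenge);   // one solution per challenge, no replay
    if (getTickCount() - p.issuedAt gt maxAgeMs) return false;
    if (p.difficulty eq 0) return true;
    target = repeatString("0", p.difficulty);
    return compare(left(hash(challenge & ":" & counter, "SHA-256"), p.difficulty), target) eq 0;
}

puzzle = issuePuzzle(30);      // server has only 30% free capacity: difficulty 3
answer = solvePuzzle(puzzle);  // client pays with its own CPU time
writeOutput("difficulty=" & puzzle.difficulty & " accepted=" & verifySolution(puzzle.challenge, answer, 30000));
</cfscript>
```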

 

Full article:  http://www.bris.ac.uk/news/2009/6746.html

 

Protect yourself against malicious sites on the Internet

Do you know that you can query Stopbadware (http://www.stopbadware.org/home/reportsearch) to find out if a site poses any danger to your computer?

There are abundant security resources here: http://badwarebusters.org/main/resources, including a free scan service to determine if an executable can pass a number of popular malware scanners.

 

Can ICT departments keep their jobs?

Within the UNU we are seeing an ever increasing number of users consuming Web 2.0 services outside our enterprise, many of them for free or very little cost.

I recently came across this article at computerweekly that has quite a few points that hit home.

And if IT fails to grasp the opportunities of Web 2.0, many businesses will simply subvert or sideline the function, he warns.

The marketing department of one large pharmaceutical company asked IT for a fancy Web 2.0 collaboration environment and was told it was on the roadmap, but would not be in place for another 23 months. So the marketing people, who needed the tool the following week, used an open web platform instead. Soon, they were sharing confidential drug discovery pipeline information between Asia, Europe and the US on hundreds of these collaborative platforms. And IT had no idea this was going on.

In the 'old days' users within an organization did not have much choice: use the platform and software provided by the organization. It would have been difficult for users within an organization to set up a collaboration system across multiple offices without the support of the ICT department.

Now, when the ICT department can't deliver the requested service, users only need a web browser to get their needs met outside the organization, quickly and cheaply.

Yes, the ICT departments of many organizations are having a harder time satisfying their users. When large organizations are developing software in the cloud, or as a service, and offering it for free or at little cost, how can an organization's internal systems compete?

When your users start taking their work outside the office, many issues come up: the security of organizational data, data loss, providers going broke (is another tech bubble coming?), and so on.  The issues are many, but do the benefits outweigh the potential costs?

If you are in the ICT field, check out the full article at computerweekly.  It will surely get your mind moving.  Interesting times ahead, for both users and ICT departments.

 

UNU & OpenID, has the time come?

Several years ago I read about something called OpenID; it seemed like something interesting, but after doing some investigation it seemed like no one was using it.  At the time there was not much drive to do anything with it, since deployment was so sparse.

Fast forward a few years, and it seems like we have actually fallen behind, as millions of people now have OpenID accounts: some of the Internet's largest players such as Google, Six Apart, Yahoo, WordPress, Facebook, VeriSign and AOL, along with thousands of smaller organizations, have all started using OpenID.

The Campus Computing Centre has been working towards a vision of a UNU Global Office, under which all staff have a single username & password to access internal services.  Having a single password helps simplify things for users, and hopefully prevents a yellow sticky note from hanging off their monitor (those in ICT departments know what I am talking about!).

All this account/password synchronization is taking place within the organization; at the same time, however, our users are consuming outside services as well.  When users go outside the UNU walls to consume web services, it defeats our objective of offering them a single username/password.

We are still in the testing stage, but we are investigating UNU operating its own OpenID server, where all UNU staff would automatically have an OpenID account backed by their UNU credentials.  When accessing an external service that supports OpenID authentication, our users would be able to authenticate with their OpenID and would not have to remember another username/password combination.

While we have not tested it yet, we suspect that we can go so far as to have single sign-on directly from the user's desktop, so the sign-in process would be seamless for them.  So not only would they not have to remember a new username, they would not even have to sign in to use externally hosted services; simply supplying their OpenID would be enough.

The concepts are very interesting with OpenID and we look forward to exploring all of them.

 

Connecting a managed switch to an unmanaged switch

Question:  Both Host A and Host B are in the same IP subnet.  Host A is in VLAN X and Host B is in a tagged or untagged VLAN.  Host A and Host B in the following network cannot reach each other:
Host A -- L3 Cisco access switch (3550) -- unknown L2 access switch -- Host B

Solution:  Conventional wisdom has it that you should put the port in trunk mode if the switch is to be connected to another switch.  A trunk port can carry the traffic of multiple VLANs to the neighbouring interface.  However, traffic over the switch-to-switch link may not transit the L2 switch, as an unmanaged L2 switch may ignore or get confused by the VLAN information attached to the frames (802.1Q or ISL encapsulation). More importantly, Host B may even end up in a different VLAN of its own. To avoid unpredictable results when connecting to an unmanaged switch, it is always best to force the L3 switch port into static access mode, or simply restore the L3 switch port to dynamic desirable (the 3550's default mode) or auto.

 

Rogue DHCP servers on your network

If your network is properly secured, there is less chance of an unauthorized DHCP server turning up on your own turf.  Arguably, when it comes to security, no risk is too small to be ignored.  Even in the best possible scenario, the DHCP service on a Linux host can be inadvertently put into operation.

Prevention and detection are close cousins: to prevent rogue DHCP servers, we have to be able to detect them.  One easy way is to use a Swiss-army-knife scanning tool like Nmap.   We know that the DHCP server (dhcps) listens on UDP port 67.  Thus, we can run the following command across your network address space to track down DHCP servers: nmap -sU -p67.
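As an added example (not from the original post), a small Python helper that reads the grepable output of that scan (nmap -sU -p67 -oG -) and reports hosts on UDP/67 that are not on an allow-list of the organization's own DHCP servers. The sample scan output, host names and allow-list below are constructed; the caveat it handles is that a UDP scan reports open|filtered when no reply was seen, so such hosts are flagged for follow-up rather than confirmed as rogue.

```python
import re
from ipaddress import ip_address

# Constructed sample of `nmap -sU -p67 -oG -` output; not real scan data.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 5.21 scan initiated as: nmap -sU -p67 -oG - 10.0.0.0/28
Host: 10.0.0.1 (gw.example.test)\tPorts: 67/open/udp//dhcps///\tIgnored State: closed (0)
Host: 10.0.0.5 ()\tPorts: 67/closed/udp//dhcps///
Host: 10.0.0.9 (dev-box.example.test)\tPorts: 67/open|filtered/udp//dhcps///
Host: 10.0.0.12 ()\tPorts: 67/open/udp//dhcps///
# Nmap done
"""

# Constructed allow-list: the DHCP servers the organization actually runs.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}

# Grepable format: "Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+([^\t]*)")

def parse_udp67(grepable):
    """Return {ip: state} for every host line that lists UDP port 67."""
    results = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _name, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[0] == "67" and fields[2] == "udp":
                results[ip] = fields[1]
    return results

def find_rogue_dhcp(grepable, authorized):
    """Split unlisted hosts into confirmed (open) and suspect (open|filtered)."""
    confirmed, suspect = [], []
    for ip, state in parse_udp67(grepable).items():
        if ip in authorized:
            continue
        if state == "open":
            confirmed.append(ip)
        elif state == "open|filtered":
            suspect.append(ip)
    return sorted(confirmed, key=ip_address), sorted(suspect, key=ip_address)
```

Hosts in the suspect list did not answer the probe at all, so a follow-up (for example Nmap's dhcp-discover script, or checking the switch port) is needed before treating them as rogue servers.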

In an enterprise network environment, there are more advanced features at our disposal.  For example, you can turn on DHCP snooping on switches and VLANs, which relies on the concept of trusted and untrusted ports.  In situations where certain key packets are maliciously discarded, the ARP inspection feature should prove useful.