Hi Andy, Thanks for these. ssh access to remote servers is not controversial, but if you want ssh access to your machines in college, how do you ensure that your machines are fully patched and not providing a way into college for hackers? Or rather how do you persuade ICT that this is the case? In my group we have a team of three people who manage things like this (along with much much more) and these people are sufficiently respected and reliable for ICT to trust them. Best, david On 22/11/2022 23:45, andy thomas wrote:

A plan by the Firedrake software development group in Maths to use four rackmounted Mac Minis in a build farm to help develop a Mac version of this software has been completely scuppered to date by ICT's insistence that all Macs - even those used as servers only accessible via ssh on isolated networks not connected to any College network - must be remote-managed by ICT via Apple DEP. With hindsight Maths should have bought these Macs from, say, PC World in Kens High St, not through an "authorised Apple dealer".

Regarding services - and speaking for both the Maths dept and the Condensed Matter Theory group in Physics (CMTH) - almost all these research users use Linux or Mac desktop/laptop systems for whom the most important services are ssh (including services that rely on ssh such as scp & sftp) and https-based network connectivity. Most Linux/Mac applications use (or can easily be configured to use) ssh & https transports and ssh itself can also be used to create VPNs, using its tunneling & port forwarding features. Access via ssh to external services, institutions, etc is vital for these users as is the ability to use ssh for remote access into Maths & CMTH systems.

Maths research IT is server-based & independent of central ICT services although for backwards compatability, login services on a few systems do access a subset of the College user account authentication maps via the central LDAP servers and central ICNFS home directory storage is used by some users with low storage space requirements. On the other hand, the workstation-based CMTH cluster is entirely independent of ICT with its own LDAP and user storage servers.

With departmental facilities like these, many research users have no real need to use central services other than the network and DNS look-up servers, and there should be no need for research systems to be policed in the way ICT envisage. The College has a perimeter firewall and ICT are at liberty to run penetration/security tests on any systems they are unhappy about.

Andy

On Tue, 22 Nov 2022, David Colling wrote:

...

Hi All,

I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.

As some of you know ICT are increasingly confining what people can do on college machines,  even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).

In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:

service: Office365 (including sharepoint, email, OneDrive teams etc) Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access the the email.

[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]

Service: ICIS (Payslips, expenses claims etc) Access: Secure web access should be enough.

Service: Starfish Access: Secure web access is sufficient.

What other services are needed and how?

Other comments:

- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.

So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.

Best, david

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-computing

Hi Paul, Potentially ... everything is being discussed. I would hope not but ... Best, david On 23/11/2022 10:28, French, Paul (PHOT) M W wrote:

David,

Many of us currently use Outlook/OneDrive apps on iOS and Android to get email, notes, etc. Will this be impacted? It always struck me as interesting that I can access most of my files from my phone via OneDrive.

Best wishes,

Paul

(If I email you out of normal working hours, I would not expect any response before your next working day)

-----Original Message----- From: David Colling <d.colling@imperial.ac.uk> Sent: 23 November 2022 09:56 To: Thomas, Andy D <andy.thomas@imperial.ac.uk> Cc: Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; Pearse, Will <will.pearse@imperial.ac.uk>; David Colling <david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

Hi Andy,

Thanks for these. ssh access to remote servers is not controversial, but if you want ssh access to your machines in college, how do you ensure that your machines are fully patched and not providing a way into college for hackers? Or rather how do you persuade ICT that this is the case?

In my group we have a team of three people who manage things like this (along with much much more) and these people are sufficiently respected and reliable for ICT to trust them.

Best, david

On 22/11/2022 23:45, andy thomas wrote:

...

A plan by the Firedrake software development group in Maths to use four rackmounted Mac Minis in a build farm to help develop a Mac version of this software has been completely scuppered to date by ICT's insistence that all Macs - even those used as servers only accessible via ssh on isolated networks not connected to any College network - must be remote-managed by ICT via Apple DEP. With hindsight Maths should have bought these Macs from, say, PC World in Kens High St, not through an "authorised Apple dealer".

Regarding services - and speaking for both the Maths dept and the Condensed Matter Theory group in Physics (CMTH) - almost all these research users use Linux or Mac desktop/laptop systems for whom the most important services are ssh (including services that rely on ssh such as scp & sftp) and https-based network connectivity. Most Linux/Mac applications use (or can easily be configured to use) ssh & https transports and ssh itself can also be used to create VPNs, using its tunneling & port forwarding features. Access via ssh to external services, institutions, etc is vital for these users as is the ability to use ssh for remote access into Maths & CMTH systems.

Maths research IT is server-based & independent of central ICT services although for backwards compatability, login services on a few systems do access a subset of the College user account authentication maps via the central LDAP servers and central ICNFS home directory storage is used by some users with low storage space requirements. On the other hand, the workstation-based CMTH cluster is entirely independent of ICT with its own LDAP and user storage servers.

With departmental facilities like these, many research users have no real need to use central services other than the network and DNS look-up servers, and there should be no need for research systems to be policed in the way ICT envisage. The College has a perimeter firewall and ICT are at liberty to run penetration/security tests on any systems they are unhappy about.

Andy

On Tue, 22 Nov 2022, David Colling wrote:

...

Hi All,

I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.

As some of you know ICT are increasingly confining what people can do on college machines,  even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).

In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:

service: Office365 (including sharepoint, email, OneDrive teams etc) Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access the the email.

[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]

Service: ICIS (Payslips, expenses claims etc) Access: Secure web access should be enough.

Service: Starfish Access: Secure web access is sufficient.

What other services are needed and how?

Other comments:

- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.

So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.

Best, david

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-comput ing

Hi Andy, ( & David) The College's Unified Access is another angle perhaps to consider for Imperial College users. I'm not qualified to comment how robust that is, but that opens up the entire Imperial College network from outside of the College, providing access to mapped network drives, shared windows directories and SSH access to all of our servers. We still maintain a couple of externally visible Linux SSH servers comparable to your "bastion" hosts (running fail2ban, etc.) to allow collaborators external to the College to access some of our systems / data albeit with restricted privileges. I'm trying to understand the scope / reach of ICT's aim here. I'd imagine for it to be effective, as any changes will only be as good as the weakest link, it'll be all encompassing - i.e. anything connected to the Imperial College network is to be scrutinised. I recall many years ago a printer being "hacked" and was printing reams of rubbish until it was fixed.. Rich -----Original Message----- From: Thomas, Andy D <andy.thomas@imperial.ac.uk> Sent: 23 November 2022 11:02 To: Colling, David J <d.colling@imperial.ac.uk> Cc: Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; Pearse, Will <will.pearse@imperial.ac.uk>; David Colling <david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop In CMTH access to all internal systems in the CMTH cluster from other parts of the College network, for example others parts of Physics, Maths, etc, and from outside the College is only possible via 3 "bastion" hosts which act as firewalls with in-bound ssh being the only service exposed to the network. They also run fail2ban to discourage repeated break-in attempts and these systems are kept up to date with security patches. In Maths, the situation is rather different - while nearly all systems are not directly accessible from outside College, they are accessible from other depts in College since their users often use Maths facilities. For access from outside, Maths has 3 ssh gateways similar to CMTH & running fail2ban and they accept external connections on the non-standard port 10022. Also users being what they are - especially UGs and MSc students who tend to hate the CLI and demand GUI coding interfaces such as Jupyter Notebook, R Studio server, VScode, Spyder 5, PySpark, etc, - we have a few dedicated compute servers that support direct ssh connections from outside College and users working remotely can then use ssh port forwarding and/or tunnelling to run GUI programming environments from home, halls of residence, etc over ssh without having to rely on the College VPN services which don't work for many Mac users (eg, MSc students based in China often find port 1194 used by OpenVPN is blocked by "state actors"). For an example of the documentation available for MSc students in the Stats section on hoe to do this, see https://sysnews.ma.ic.ac.uk/stats/MSc_compute_servers.html#GUI_setup So in reality, ssh is the Swiss army knife for a lot of research users ;) Andy On Wed, 23 Nov 2022, David Colling wrote:

Hi Andy,

Thanks for these. ssh access to remote servers is not controversial, but if you want ssh access to your machines in college, how do you ensure that your machines are fully patched and not providing a way into college for hackers? Or rather how do you persuade ICT that this is the case?

In my group we have a team of three people who manage things like this (along with much much more) and these people are sufficiently respected and reliable for ICT to trust them.

Best, david

On 22/11/2022 23:45, andy thomas wrote:

...

A plan by the Firedrake software development group in Maths to use four rackmounted Mac Minis in a build farm to help develop a Mac version of this software has been completely scuppered to date by ICT's insistence that all Macs - even those used as servers only accessible via ssh on isolated networks not connected to any College network - must be remote-managed by ICT via Apple DEP. With hindsight Maths should have bought these Macs from, say, PC World in Kens High St, not through an "authorised Apple dealer".

Regarding services - and speaking for both the Maths dept and the Condensed Matter Theory group in Physics (CMTH) - almost all these research users use Linux or Mac desktop/laptop systems for whom the most important services are ssh (including services that rely on ssh such as scp & sftp) and https-based network connectivity. Most Linux/Mac applications use (or can easily be configured to use) ssh & https transports and ssh itself can also be used to create VPNs, using its tunneling & port forwarding features. Access via ssh to external services, institutions, etc is vital for these users as is the ability to use ssh for remote access into Maths & CMTH systems.

Maths research IT is server-based & independent of central ICT services although for backwards compatability, login services on a few systems do access a subset of the College user account authentication maps via the central LDAP servers and central ICNFS home directory storage is used by some users with low storage space requirements. On the other hand, the workstation-based CMTH cluster is entirely independent of ICT with its own LDAP and user storage servers.

With departmental facilities like these, many research users have no real need to use central services other than the network and DNS look-up servers, and there should be no need for research systems to be policed in the way ICT envisage. The College has a perimeter firewall and ICT are at liberty to run penetration/security tests on any systems they are unhappy about.

Andy

On Tue, 22 Nov 2022, David Colling wrote:

...

Hi All,

I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.

As some of you know ICT are increasingly confining what people can do on college machines,  even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).

In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:

service: Office365 (including sharepoint, email, OneDrive teams etc) Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access the the email.

[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]

Service: ICIS (Payslips, expenses claims etc) Access: Secure web access should be enough.

Service: Starfish Access: Secure web access is sufficient.

What other services are needed and how?

Other comments:

- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.

So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.

Best, david

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-compu ting

Hi Will, To some extent I agree with you, but I can quite imagine that there are plenty of college systems that I have never heard of that I don't need access to. I have no idea what systems HR use (and don't want to know) but I do know that I have never needed access to them. So if we can set up a list of what we do need and show that we are no danger to any central systems then I don't see how they can complain. Best, david On 23/11/2022 14:25, Will Pearse wrote:

Hello everyone,

I think we should compile a list of what people /shouldn't/ be able to do on research computers rather than what they /should/. I think such a list would be much shorter, and doing the opposite will massively hinder research. I think this is similar to what others have proposed below.

Pragmatically, if ICT remove user control over the machines the users will jailbreak them to do their research. That would presumably be the worst case scenario from the perspective of security, and so I think it's in everyone's interests to give people control of their own computers.

Cheers,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) <http://pearselab.com/> (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion On 23/11/2022 11:20, Bantges, Richard J wrote:

...

Hi Andy, ( & David)

The College's Unified Access is another angle perhaps to consider for Imperial College users. I'm not qualified to comment how robust that is, but that opens up the entire Imperial College network from outside of the College, providing access to mapped network drives, shared windows directories and SSH access to all of our servers. We still maintain a couple of externally visible Linux SSH servers comparable to your "bastion" hosts (running fail2ban, etc.) to allow collaborators external to the College to access some of our systems / data albeit with restricted privileges.

I'm trying to understand the scope / reach of ICT's aim here. I'd imagine for it to be effective, as any changes will only be as good as the weakest link, it'll be all encompassing - i.e. anything connected to the Imperial College network is to be scrutinised. I recall many years ago a printer being "hacked" and was printing reams of rubbish until it was fixed..

Rich

-----Original Message----- From: Thomas, Andy D<andy.thomas@imperial.ac.uk> Sent: 23 November 2022 11:02 To: Colling, David J<d.colling@imperial.ac.uk> Cc: Bresme, Fernando<f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W<paul.french@imperial.ac.uk>; Keaveny, Eric E<e.keaveny@imperial.ac.uk>; Sternberg, Michael J E<m.sternberg@imperial.ac.uk>; Staffell, Iain L<i.staffell@imperial.ac.uk>; Pengelly, Ellen<e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester<e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J<r.bantges@imperial.ac.uk>; Michalickova, Katerina<k.michalickova@imperial.ac.uk>; physics-departmental-computing<physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T<c.bryce@imperial.ac.uk>; Bearpark, Michael J<m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde<c.cucinotta@imperial.ac.uk>; Pearse, Will<will.pearse@imperial.ac.uk>; David Colling<david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

In CMTH access to all internal systems in the CMTH cluster from other parts of the College network, for example others parts of Physics, Maths, etc, and from outside the College is only possible via 3 "bastion" hosts which act as firewalls with in-bound ssh being the only service exposed to the network. They also run fail2ban to discourage repeated break-in attempts and these systems are kept up to date with security patches.

In Maths, the situation is rather different - while nearly all systems are not directly accessible from outside College, they are accessible from other depts in College since their users often use Maths facilities. For access from outside, Maths has 3 ssh gateways similar to CMTH & running fail2ban and they accept external connections on the non-standard port 10022. Also users being what they are - especially UGs and MSc students who tend to hate the CLI and demand GUI coding interfaces such as Jupyter Notebook, R Studio server, VScode, Spyder 5, PySpark, etc, - we have a few dedicated compute servers that support direct ssh connections from outside College and users working remotely can then use ssh port forwarding and/or tunnelling to run GUI programming environments from home, halls of residence, etc over ssh without having to rely on the College VPN services which don't work for many Mac users (eg, MSc students based in China often find port 1194 used by OpenVPN is blocked by "state actors"). For an example of the documentation available for MSc students in the Stats section on hoe to do this, seehttps://sysnews.ma.ic.ac.uk/stats/MSc_compute_servers.html#GUI_setup

So in reality, ssh is the Swiss army knife for a lot of research users ;)

Andy

On Wed, 23 Nov 2022, David Colling wrote:

...

Hi Andy,

Thanks for these. ssh access to remote servers is not controversial, but if you want ssh access to your machines in college, how do you ensure that your machines are fully patched and not providing a way into college for hackers? Or rather how do you persuade ICT that this is the case?

In my group we have a team of three people who manage things like this (along with much much more) and these people are sufficiently respected and reliable for ICT to trust them.

Best, david

On 22/11/2022 23:45, andy thomas wrote:

...

A plan by the Firedrake software development group in Maths to use four rackmounted Mac Minis in a build farm to help develop a Mac version of this software has been completely scuppered to date by ICT's insistence that all Macs - even those used as servers only accessible via ssh on isolated networks not connected to any College network - must be remote-managed by ICT via Apple DEP. With hindsight Maths should have bought these Macs from, say, PC World in Kens High St, not through an "authorised Apple dealer".

Regarding services - and speaking for both the Maths dept and the Condensed Matter Theory group in Physics (CMTH) - almost all these research users use Linux or Mac desktop/laptop systems for whom the most important services are ssh (including services that rely on ssh such as scp & sftp) and https-based network connectivity. Most Linux/Mac applications use (or can easily be configured to use) ssh & https transports and ssh itself can also be used to create VPNs, using its tunneling & port forwarding features. Access via ssh to external services, institutions, etc is vital for these users as is the ability to use ssh for remote access into Maths & CMTH systems.

Maths research IT is server-based & independent of central ICT services although for backwards compatability, login services on a few systems do access a subset of the College user account authentication maps via the central LDAP servers and central ICNFS home directory storage is used by some users with low storage space requirements. On the other hand, the workstation-based CMTH cluster is entirely independent of ICT with its own LDAP and user storage servers.

With departmental facilities like these, many research users have no real need to use central services other than the network and DNS look-up servers, and there should be no need for research systems to be policed in the way ICT envisage. The College has a perimeter firewall and ICT are at liberty to run penetration/security tests on any systems they are unhappy about.

Andy

On Tue, 22 Nov 2022, David Colling wrote:

...

Hi All,

I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.

As some of you know ICT are increasingly confining what people can do on college machines,  even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).

In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:

service: Office365 (including sharepoint, email, OneDrive teams etc) Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access the the email.

[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]

Service: ICIS (Payslips, expenses claims etc) Access: Secure web access should be enough.

Service: Starfish Access: Secure web access is sufficient.

What other services are needed and how?

Other comments:

- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.

So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.

Best, david

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-compu ting

David – if time permits, I wonder if it would be more efficient to have a short Teams meeting in the next few days, prior to your meeting on the 30th, to make sure we have the correct focus. I’m not sure “Services” = “Software packages” but clearly this is how it is being interpreted – and if this is what is required, then wow what a task to collate all the information. Rich From: Will Pearse <will.pearse@imperial.ac.uk> Sent: 23 November 2022 17:06 To: Colling, David J <d.colling@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Thomas, Andy D <andy.thomas@imperial.ac.uk> Cc: Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; David Colling <david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop Hello everyone, I do hear what you're saying, and perhaps I am missing something here, but if I were to list every program that a member of my lab uses as part of their research the list would be long and ever-growing. Off the top of my head, today someone in my lab will have used: * GRASS * QGIS * ArcGIS * Libre Office * Word equivalent * Excel equivalent * Powerpoint equivalent * Office 365 * ...as above * R * Python * Ruby * Julia * RAxML * BEAST * MrBayes * WoK cloud API * Google Maps API * Twitter API (...for how much longer I don't know :p) * AREAData automated build and distribution API we manage * Tyrell (in-house automation and COVID data API) * Raven bioacoustics data * Pendant Loggers software ...I could keep going, I'm sure you see the point I'm trying to make. Some of these have exposed APIs and ports, some of them are 'just' programs that we need to be able to install. You might think the list would be smaller for people in DoLS who are less computational than my lab, but actually the problem would be worse because they use lots of bespoke software for weird bits of kit (DNA sequencers, microclimate loggers, bioacoustic sensors, ...). Fundamentally, I worry the tail may be wagging the dog here. If I were to put this provocatively, and I think unfairly but hopefully by reducing to the absurd I can make my point clearer, why should we have to demonstrate that our research is no danger to systems that are set up to support our research? Thanks, Will --- Measuring phylogenetic structure? Try install.packages('pez') Will Pearse (pearselab.com)<http://pearselab.com/> (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion On 23/11/2022 16:14, David Colling wrote: Hi Will, To some extent I agree with you, but I can quite imagine that there are plenty of college systems that I have never heard of that I don't need access to. I have no idea what systems HR use (and don't want to know) but I do know that I have never needed access to them. So if we can set up a list of what we do need and show that we are no danger to any central systems then I don't see how they can complain. Best, david On 23/11/2022 14:25, Will Pearse wrote: Hello everyone, I think we should compile a list of what people /shouldn't/ be able to do on research computers rather than what they /should/. I think such a list would be much shorter, and doing the opposite will massively hinder research. I think this is similar to what others have proposed below. Pragmatically, if ICT remove user control over the machines the users will jailbreak them to do their research. That would presumably be the worst case scenario from the perspective of security, and so I think it's in everyone's interests to give people control of their own computers. Cheers, Will --- Measuring phylogenetic structure? Try install.packages('pez') Will Pearse (pearselab.com) <http://pearselab.com/><http://pearselab.com/> (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion On 23/11/2022 11:20, Bantges, Richard J wrote: Hi Andy, ( & David) The College's Unified Access is another angle perhaps to consider for Imperial College users. I'm not qualified to comment how robust that is, but that opens up the entire Imperial College network from outside of the College, providing access to mapped network drives, shared windows directories and SSH access to all of our servers. We still maintain a couple of externally visible Linux SSH servers comparable to your "bastion" hosts (running fail2ban, etc.) to allow collaborators external to the College to access some of our systems / data albeit with restricted privileges. I'm trying to understand the scope / reach of ICT's aim here. I'd imagine for it to be effective, as any changes will only be as good as the weakest link, it'll be all encompassing - i.e. anything connected to the Imperial College network is to be scrutinised. I recall many years ago a printer being "hacked" and was printing reams of rubbish until it was fixed.. Rich -----Original Message----- From: Thomas, Andy D<andy.thomas@imperial.ac.uk><mailto:andy.thomas@imperial.ac.uk> Sent: 23 November 2022 11:02 To: Colling, David J<d.colling@imperial.ac.uk><mailto:d.colling@imperial.ac.uk> Cc: Bresme, Fernando<f.bresme@imperial.ac.uk><mailto:f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W<paul.french@imperial.ac.uk><mailto:paul.french@imperial.ac.uk>; Keaveny, Eric E<e.keaveny@imperial.ac.uk><mailto:e.keaveny@imperial.ac.uk>; Sternberg, Michael J E<m.sternberg@imperial.ac.uk><mailto:m.sternberg@imperial.ac.uk>; Staffell, Iain L<i.staffell@imperial.ac.uk><mailto:i.staffell@imperial.ac.uk>; Pengelly, Ellen<e.pengelly@imperial.ac.uk><mailto:e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester<e.buchaca-domingo@imperial.ac.uk><mailto:e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J<r.bantges@imperial.ac.uk><mailto:r.bantges@imperial.ac.uk>; Michalickova, Katerina<k.michalickova@imperial.ac.uk><mailto:k.michalickova@imperial.ac.uk>; physics-departmental-computing<physics-departmental-computing@imperial.ac.uk><mailto:physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T<c.bryce@imperial.ac.uk><mailto:c.bryce@imperial.ac.uk>; Bearpark, Michael J<m.bearpark@imperial.ac.uk><mailto:m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde<c.cucinotta@imperial.ac.uk><mailto:c.cucinotta@imperial.ac.uk>; Pearse, Will<will.pearse@imperial.ac.uk><mailto:will.pearse@imperial.ac.uk>; David Colling<david.colling@gmail.com><mailto:david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop In CMTH access to all internal systems in the CMTH cluster from other parts of the College network, for example others parts of Physics, Maths, etc, and from outside the College is only possible via 3 "bastion" hosts which act as firewalls with in-bound ssh being the only service exposed to the network. They also run fail2ban to discourage repeated break-in attempts and these systems are kept up to date with security patches. In Maths, the situation is rather different - while nearly all systems are not directly accessible from outside College, they are accessible from other depts in College since their users often use Maths facilities. For access from outside, Maths has 3 ssh gateways similar to CMTH & running fail2ban and they accept external connections on the non-standard port 10022. Also users being what they are - especially UGs and MSc students who tend to hate the CLI and demand GUI coding interfaces such as Jupyter Notebook, R Studio server, VScode, Spyder 5, PySpark, etc, - we have a few dedicated compute servers that support direct ssh connections from outside College and users working remotely can then use ssh port forwarding and/or tunnelling to run GUI programming environments from home, halls of residence, etc over ssh without having to rely on the College VPN services which don't work for many Mac users (eg, MSc students based in China often find port 1194 used by OpenVPN is blocked by "state actors"). For an example of the documentation available for MSc students in the Stats section on hoe to do this, seehttps://sysnews.ma.ic.ac.uk/stats/MSc_compute_servers.html#GUI_setup So in reality, ssh is the Swiss army knife for a lot of research users ;) Andy On Wed, 23 Nov 2022, David Colling wrote: Hi Andy, Thanks for these. ssh access to remote servers is not controversial, but if you want ssh access to your machines in college, how do you ensure that your machines are fully patched and not providing a way into college for hackers? Or rather how do you persuade ICT that this is the case? In my group we have a team of three people who manage things like this (along with much much more) and these people are sufficiently respected and reliable for ICT to trust them. Best, david On 22/11/2022 23:45, andy thomas wrote: A plan by the Firedrake software development group in Maths to use four rackmounted Mac Minis in a build farm to help develop a Mac version of this software has been completely scuppered to date by ICT's insistence that all Macs - even those used as servers only accessible via ssh on isolated networks not connected to any College network - must be remote-managed by ICT via Apple DEP. With hindsight Maths should have bought these Macs from, say, PC World in Kens High St, not through an "authorised Apple dealer". Regarding services - and speaking for both the Maths dept and the Condensed Matter Theory group in Physics (CMTH) - almost all these research users use Linux or Mac desktop/laptop systems for whom the most important services are ssh (including services that rely on ssh such as scp & sftp) and https-based network connectivity. Most Linux/Mac applications use (or can easily be configured to use) ssh & https transports and ssh itself can also be used to create VPNs, using its tunneling & port forwarding features. Access via ssh to external services, institutions, etc is vital for these users as is the ability to use ssh for remote access into Maths & CMTH systems. Maths research IT is server-based & independent of central ICT services although for backwards compatability, login services on a few systems do access a subset of the College user account authentication maps via the central LDAP servers and central ICNFS home directory storage is used by some users with low storage space requirements. On the other hand, the workstation-based CMTH cluster is entirely independent of ICT with its own LDAP and user storage servers. With departmental facilities like these, many research users have no real need to use central services other than the network and DNS look-up servers, and there should be no need for research systems to be policed in the way ICT envisage. The College has a perimeter firewall and ICT are at liberty to run penetration/security tests on any systems they are unhappy about. Andy On Tue, 22 Nov 2022, David Colling wrote: Hi All, I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments. As some of you know ICT are increasingly confining what people can do on college machines, even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s). In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are: service: Office365 (including sharepoint, email, OneDrive teams etc) Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access the the email. [I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one] Service: ICIS (Payslips, expenses claims etc) Access: Secure web access should be enough. Service: Starfish Access: Secure web access is sufficient. What other services are needed and how? Other comments: - I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal. So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this. Best, david _______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk<mailto:Physics-Departmental-Computing@imperial.ac.uk> https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-compu ting

J believe that it is ... On 23/11/2022 18:14, andy thomas wrote:

Is the Nov 30th meeting actually going ahead? There's a UCU/Unite/Unison joint strike planned for IC that day.

Andy

On Wed, 23 Nov 2022, Bantges, Richard J wrote:

...

David – if time permits, I wonder if it would be more efficient to have a short Teams meeting in the next few days, prior to your meeting on the 30th, to make sure we have the correct focus. I’m not sure “Services” = “Software packages” but clearly this is how it is being interpreted – and if this is what is required, then wow what a task to collate all the information.

Rich

From: Will Pearse <will.pearse@imperial.ac.uk> Sent: 23 November 2022 17:06 To: Colling, David J <d.colling@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Thomas, Andy D <andy.thomas@imperial.ac.uk> Cc: Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; David Colling <david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

Hello everyone,

I do hear what you're saying, and perhaps I am missing something here, but if I were to list every program that a member of my lab uses as part of their research the list would be long and ever-growing. Off the top of my head, today someone in my lab will have used:

 *  GRASS  *  QGIS  *  ArcGIS  *  Libre Office      +  Word equivalent      +  Excel equivalent      +  Powerpoint equivalent  *  Office 365      +  ...as above  *  R  *  Python  *  Ruby  *  Julia  *  RAxML  *  BEAST  *  MrBayes  *  WoK cloud API  *  Google Maps API  *  Twitter API (...for how much longer I don't know :p)  *  AREAData automated build and distribution API we manage  *  Tyrell (in-house automation and COVID data API)  *  Raven bioacoustics data  *  Pendant Loggers software

...I could keep going, I'm sure you see the point I'm trying to make. Some of these have exposed APIs and ports, some of them are 'just' programs that we need to be able to install. You might think the list would be smaller for people in DoLS who are less computational than my lab, but actually the problem would be worse because they use lots of bespoke software for weird bits of kit (DNA sequencers, microclimate loggers, bioacoustic sensors, ...).

Fundamentally, I worry the tail may be wagging the dog here. If I were to put this provocatively, and I think unfairly but hopefully by reducing to the absurd I can make my point clearer, why should we have to demonstrate that our research is no danger to systems that are set up to support our research?

Thanks,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion

On 23/11/2022 16:14, David Colling wrote:

      Hi Will,

      To some extent I agree with you, but I can quite imagine that       there are plenty of college systems that I have never heard of       that I don't need access to. I have no idea what systems HR use       (and don't want to know) but I do know that I have never needed       access to them. So if we can set up a list of what we do need       and show that we are no danger to any central systems then I       don't see how they can complain.

      Best,       david

      On 23/11/2022 14:25, Will Pearse wrote:

            Hello everyone,

            I think we should compile a list of what people             /shouldn't/ be able to do on research computers             rather than what they /should/. I think such a list             would be much shorter, and doing the opposite will             massively hinder research. I think this is similar             to what others have proposed below.

            Pragmatically, if ICT remove user control over the             machines the users will jailbreak them to do their             research. That would presumably be the worst case             scenario from the perspective of security, and so I             think it's in everyone's interests to give people             control of their own computers.

            Cheers,

            Will

            ---

            Measuring phylogenetic structure? Try             install.packages('pez')

            Will Pearse (pearselab.com) <http://pearselab.com/>             (he/him)             Senior Lecturer, Imperial College London             Department of Life Sciences LGBTQ+ champion             On 23/11/2022 11:20, Bantges, Richard J wrote:

                  Hi Andy, ( & David)

                  The College's Unified Access is another                   angle perhaps to consider for Imperial                   College users. I'm not qualified to                   comment how robust that is, but that                   opens up the entire Imperial College                   network from outside of the College,                   providing access to mapped network                   drives, shared windows directories and                   SSH access to all of our servers. We                   still maintain a couple of externally                   visible Linux SSH servers comparable to                   your "bastion" hosts (running fail2ban,                   etc.) to allow collaborators external to                   the College to access some of our                   systems / data albeit with restricted                   privileges.

                  I'm trying to understand the scope /                   reach of ICT's aim here. I'd imagine for                   it to be effective, as any changes will                   only be as good as the weakest link,                   it'll be all encompassing - i.e.                   anything connected to the Imperial                   College network is to be scrutinised. I                   recall many years ago a printer being                   "hacked" and was printing reams of                   rubbish until it was fixed..

                  Rich

                  -----Original Message-----                   From: Thomas, Andy                   D<andy.thomas@imperial.ac.uk>  Sent: 23                   November 2022 11:02                   To: Colling, David                   J<d.colling@imperial.ac.uk>                   Cc: Bresme,                   Fernando<f.bresme@imperial.ac.uk>;                   French, Paul (PHOT) M                   W<paul.french@imperial.ac.uk>; Keaveny,                   Eric E<e.keaveny@imperial.ac.uk>;                   Sternberg, Michael J                   E<m.sternberg@imperial.ac.uk>; Staffell,                   Iain L<i.staffell@imperial.ac.uk>;                   Pengelly,                   Ellen<e.pengelly@imperial.ac.uk>;                   Buchaca-Domingo,                   Ester<e.buchaca-domingo@imperial.ac.uk>;                   Bantges, Richard                   J<r.bantges@imperial.ac.uk>;                   Michalickova,

Katerina<k.michalickova@imperial.ac.uk>;physics-departmental-computing<physics-departmental-computing@imperial.ac.u                   k>; Bryce, Craig                   T<c.bryce@imperial.ac.uk>; Bearpark,                   Michael J<m.bearpark@imperial.ac.uk>;                   Cucinotta,                   Clotilde<c.cucinotta@imperial.ac.uk>;                   Pearse,                   Will<will.pearse@imperial.ac.uk>; David                   Colling<david.colling@gmail.com>                   Subject: Re:                   [Physics-Departmental-Computing]                   Services needed on a research computing                   desktop and laptop

                  In CMTH access to all internal systems                   in the CMTH cluster from other parts of                   the College network, for example others                   parts of Physics, Maths, etc, and from                   outside the College is only possible via                   3 "bastion" hosts which act as firewalls                   with in-bound ssh being the only service                   exposed to the network. They also run                   fail2ban to discourage repeated break-in                   attempts and these systems are kept up                   to date with security patches.

                  In Maths, the situation is rather                   different - while nearly all systems are                   not directly accessible from outside                   College, they are accessible from other                   depts in College since their users often                   use Maths facilities. For access from                   outside, Maths has 3 ssh gateways                   similar to CMTH & running fail2ban and                   they accept external connections on the                   non-standard port 10022. Also users                   being what they are - especially UGs and                   MSc students who tend to hate the CLI                   and demand GUI coding interfaces such as                   Jupyter Notebook, R Studio server,                   VScode, Spyder 5, PySpark, etc, - we                   have a few dedicated compute servers                   that support direct ssh connections from                   outside College and users working                   remotely can then use ssh port                   forwarding and/or tunnelling to run GUI                   programming environments from home,                   halls of residence, etc over ssh without                   having to rely on the College VPN                   services which don't work for many Mac                   users (eg, MSc students based in China                   often find port 1194 used by OpenVPN is                   blocked by "state actors"). For an                   example of the documentation available                   for MSc students in the Stats section on                   hoe to do this,

seehttps://sysnews.ma.ic.ac.uk/stats/MSc_compute_servers.html#GUI_setup

                  So in reality, ssh is the Swiss army                   knife for a lot of research users ;)

                  Andy

                  On Wed, 23 Nov 2022, David Colling                   wrote:

                        Hi Andy,

                        Thanks for these. ssh access                         to remote servers is not                         controversial,                         but if you want ssh access                         to your machines in college,                         how do you                         ensure that your machines                         are fully patched and not                         providing a way into college                         for hackers?                         Or rather how do you                         persuade ICT that this is                         the case?

                        In my group we have a team                         of three people who manage                         things like this                         (along with much much more)                         and these people are                         sufficiently                         respected and reliable for                         ICT to trust them.

                        Best,                         david

                        On 22/11/2022 23:45, andy                         thomas wrote:

                              A plan by the                               Firedrake                               software                               development                               group in Maths                               to use                               four rackmounted                               Mac Minis in a                               build farm to                               help develop a                               Mac                               version of this                               software has                               been completely                               scuppered to                               date by                               ICT's insistence                               that all Macs -                               even those used                               as servers only                               accessible via                               ssh on isolated                               networks not                               connected to any                               College                               network - must                               be                               remote-managed                               by ICT via Apple                               DEP. With                               hindsight                               Maths should                               have bought                               these Macs from,                               say, PC World in                               Kens High St,                               not through an                               "authorised                               Apple dealer".

                              Regarding                               services - and                               speaking for                               both the Maths                               dept and the                               Condensed Matter                               Theory group in                               Physics (CMTH) -                               almost all these                               research users                               use Linux or Mac                               desktop/laptop                               systems for whom                               the                               most important                               services are ssh                               (including                               services that                               rely on ssh                               such as scp &                               sftp) and                               https-based                               network                               connectivity.                               Most                               Linux/Mac                               applications use                               (or can easily                               be configured to                               use) ssh &                               https transports                               and ssh itself                               can also be used                               to create VPNs,                               using its                               tunneling & port                               forwarding                               features.                               Access via ssh                               to external                               services,                               institutions,                               etc is vital for                               these users as                               is the ability                               to use ssh for                               remote access                               into Maths                               & CMTH systems.

                              Maths research                               IT is                               server-based &                               independent of                               central ICT                               services                               although for                               backwards                               compatability,                               login services                               on a                               few systems do                               access a subset                               of the College                               user account                               authentication                               maps via the                               central LDAP                               servers and                               central ICNFS                               home directory                               storage is used                               by some users                               with low storage                               space                               requirements. On                               the other hand,                               the                               workstation-based                               CMTH cluster                               is entirely                               independent of                               ICT with its own                               LDAP and user                               storage servers.

                              With                               departmental                               facilities like                               these, many                               research users                               have no                               real need to use                               central services                               other than the                               network and DNS                               look-up servers,                               and there should                               be no need for                               research systems                               to                               be policed in                               the way ICT                               envisage. The                               College has a                               perimeter                               firewall and ICT                               are at liberty                               to run                               penetration/security                               tests on                               any systems they                               are unhappy                               about.

                              Andy

                              On Tue, 22 Nov                               2022, David                               Colling wrote:

                                    Hi                                     All,

                                    I am                                     sending                                     this                                     to                                     the                                     Physics                                     Departmental                                     Computing                                     Committee                                     and                                     to                                     the                                     departmental                                     members                                     of                                     the                                     FRCC                                     so                                     that                                     they                                     can                                     gather                                     information                                     from                                     their                                     departments.

                                    As                                     some                                     of                                     you                                     know                                     ICT                                     are                                     increasingly                                     confining                                     what                                     people                                     can                                     do                                     on                                     college                                     machines,                                     even                                     those                                     bought                                     on                                     research                                     grants                                     and                                     used                                     by                                     individual                                     researchers.                                     This                                     has                                     been                                     most                                     noticed                                     by                                     the                                     change                                     in                                     the                                     management                                     of                                     Macs.                                     In                                     my                                     years                                     involved                                     in                                     departmental                                     computing,                                     no                                     issue                                     has                                     annoyed                                     more                                     people.                                     Behind                                     this                                     is                                     the                                     increased                                     number                                     of                                     attacks                                     on                                     university                                     computing                                     system                                     which                                     is                                     visible                                     both                                     at                                     Imperial                                     and                                     elsewhere.                                     Some                                     universities                                     have                                     been                                     badly                                     hit                                     and                                     have                                     ended                                     up                                     paying                                     £Ms                                     to                                     ransomware                                     attackers.                                     Apparently                                     this                                     is                                     one                                     of                                     the                                     things                                     that                                     keeps                                     our                                     President                                     awake                                     at                                     night.                                     This                                     is                                     clearly                                     a                                     threat                                     that                                     we                                     have                                     to                                     take                                     seriously,                                     but                                     it                                     is                                     also                                     not                                     clear                                     how                                     much                                     damage                                     could                                     be                                     done                                     to                                     college                                     systems                                     by a                                     laptop                                     or                                     desktop                                     used                                     by a                                     single                                     (or                                     team                                     of)                                     researcher(s).

                                    In                                     discussions                                     with                                     ICT                                     the                                     most                                     sensible                                     approach                                     seems                                     to                                     be                                     that                                     we                                     define                                     a                                     class                                     of                                     machine                                     that                                     is a                                     research                                     desktop                                     or                                     laptop                                     that                                     ICT                                     don't                                     manage                                     but                                     which                                     also                                     has                                     limited                                     access                                     to                                     college                                     central                                     systems.                                     Most                                     of                                     us                                     have                                     no                                     reason                                     to                                     access                                     payroll                                     (say)                                     and                                     in                                     fact                                     would                                     view                                     it                                     as a                                     security                                     breach                                     if                                     we                                     could.                                     We                                     have                                     a                                     meeting                                     on                                     the                                     30th                                     November                                     where                                     we                                     will                                     discuss                                     this                                     proposed                                     set                                     up.                                     What                                     I                                     need                                     going                                     into                                     is                                     the                                     list                                     of                                     services                                     that                                     researchers                                     would                                     need                                     access                                     to                                     from                                     these                                     research                                     machines,                                     how                                     that                                     access                                     would                                     them                                     +                                     any                                     other                                     thoughts/comments.                                     For                                     example                                     the                                     sort                                     of                                     thing                                     that                                     occurred                                     to                                     me                                     are:

                                    service:                                     Office365                                     (including                                     sharepoint,                                     email,                                     OneDrive                                     teams                                     etc)                                     Access:                                     Is                                     access                                     through                                     the                                     secure                                     web                                     portal                                     enough                                     for                                     most                                     of                                     these                                     plus                                     a                                     mail                                     client                                     providing                                     secure                                     access                                     the                                     the                                     email.

                                    [I                                     use                                     Office365                                     much                                     less                                     than                                     almost                                     anybody                                     to                                     whom                                     this                                     email                                     is                                     going                                     so                                     am                                     the                                     least                                     qualified                                     to                                     answer                                     this                                     one]

                                    Service:                                     ICIS                                     (Payslips,                                     expenses                                     claims                                     etc)                                     Access:                                     Secure                                     web                                     access                                     should                                     be                                     enough.

                                    Service:                                     Starfish                                     Access:                                     Secure                                     web                                     access                                     is                                     sufficient.

                                    What                                     other                                     services                                     are                                     needed                                     and                                     how?

                                    Other                                     comments:

                                    - I                                     don't                                     think                                     that                                     it                                     is                                     unreasonable                                     to                                     have                                     a                                     requirement                                     that                                     the                                     disks                                     of                                     all                                     research                                     laptops                                     are                                     encrypted                                     in                                     case                                     they                                     are                                     lost                                     when                                     travelling.                                     The                                     performance                                     hit                                     is                                     minimal                                     and                                     if                                     that                                     is                                     important                                     then                                     running                                     on a                                     laptop                                     might                                     not                                     be                                     ideal.

                                    So                                     please                                     do                                     send                                     me                                     your                                     thoughts                                     (on                                     services                                     mainly)                                     and                                     comments.                                     For                                     once                                     I                                     would                                     not                                     be                                     against                                     you                                     sending                                     to                                     everybody                                     as I                                     would                                     welcome                                     debate                                     on                                     this.

                                    Best,                                     david

_______________________________________________                                     Physics-Departmental-Computing                                     mailing                                     list

Physics-Departmental-Computing@imperial.ac.uk

https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-compu                                     ting

Indeed ... On 29/11/2022 08:21, Jaffe, Andrew H wrote:

Dear all,

One more service occurs to me (as I am in at 8am to prepare for a 9am and need hardcopies): printing. Right now, some of our printers are part of the “ICT print service” and some are stand-alone IP printers.

Andrew

...

On 27 Nov 2022, at 17:32, David Colling <d.colling@imperial.ac.uk> wrote:

J believe that it is ...

On 23/11/2022 18:14, andy thomas wrote:

...

Is the Nov 30th meeting actually going ahead? There's a UCU/Unite/Unison joint strike planned for IC that day. Andy On Wed, 23 Nov 2022, Bantges, Richard J wrote:

...

David – if time permits, I wonder if it would be more efficient to have a short Teams meeting in the next few days, prior to your meeting on the 30th, to make sure we have the correct focus. I’m not sure “Services” = “Software packages” but clearly this is how it is being interpreted – and if this is what is required, then wow what a task to collate all the information.

Rich

From: Will Pearse <will.pearse@imperial.ac.uk> Sent: 23 November 2022 17:06 To: Colling, David J <d.colling@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Thomas, Andy D <andy.thomas@imperial.ac.uk> Cc: Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; David Colling <david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

Hello everyone,

I do hear what you're saying, and perhaps I am missing something here, but if I were to list every program that a member of my lab uses as part of their research the list would be long and ever-growing. Off the top of my head, today someone in my lab will have used:

* GRASS * QGIS * ArcGIS * Libre Office + Word equivalent + Excel equivalent + Powerpoint equivalent * Office 365 + ...as above * R * Python * Ruby * Julia * RAxML * BEAST * MrBayes * WoK cloud API * Google Maps API * Twitter API (...for how much longer I don't know :p) * AREAData automated build and distribution API we manage * Tyrell (in-house automation and COVID data API) * Raven bioacoustics data * Pendant Loggers software

...I could keep going, I'm sure you see the point I'm trying to make. Some of these have exposed APIs and ports, some of them are 'just' programs that we need to be able to install. You might think the list would be smaller for people in DoLS who are less computational than my lab, but actually the problem would be worse because they use lots of bespoke software for weird bits of kit (DNA sequencers, microclimate loggers, bioacoustic sensors, ...).

Fundamentally, I worry the tail may be wagging the dog here. If I were to put this provocatively, and I think unfairly but hopefully by reducing to the absurd I can make my point clearer, why should we have to demonstrate that our research is no danger to systems that are set up to support our research?

Thanks,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion

On 23/11/2022 16:14, David Colling wrote:

Hi Will,

To some extent I agree with you, but I can quite imagine that there are plenty of college systems that I have never heard of that I don't need access to. I have no idea what systems HR use (and don't want to know) but I do know that I have never needed access to them. So if we can set up a list of what we do need and show that we are no danger to any central systems then I don't see how they can complain.

Best, david

On 23/11/2022 14:25, Will Pearse wrote:

Hello everyone,

I think we should compile a list of what people /shouldn't/ be able to do on research computers rather than what they /should/. I think such a list would be much shorter, and doing the opposite will massively hinder research. I think this is similar to what others have proposed below.

Pragmatically, if ICT remove user control over the machines the users will jailbreak them to do their research. That would presumably be the worst case scenario from the perspective of security, and so I think it's in everyone's interests to give people control of their own computers.

Cheers,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) <http://pearselab.com/> (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion On 23/11/2022 11:20, Bantges, Richard J wrote:

Hi Andy, ( & David)

The College's Unified Access is another angle perhaps to consider for Imperial College users. I'm not qualified to comment how robust that is, but that opens up the entire Imperial College network from outside of the College, providing access to mapped network drives, shared windows directories and SSH access to all of our servers. We still maintain a couple of externally visible Linux SSH servers comparable to your "bastion" hosts (running fail2ban, etc.) to allow collaborators external to the College to access some of our systems / data albeit with restricted privileges.

I'm trying to understand the scope / reach of ICT's aim here. I'd imagine for it to be effective, as any changes will only be as good as the weakest link, it'll be all encompassing - i.e. anything connected to the Imperial College network is to be scrutinised. I recall many years ago a printer being "hacked" and was printing reams of rubbish until it was fixed..

Rich

-----Original Message----- From: Thomas, Andy D<andy.thomas@imperial.ac.uk> Sent: 23 November 2022 11:02 To: Colling, David J<d.colling@imperial.ac.uk> Cc: Bresme, Fernando<f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W<paul.french@imperial.ac.uk>; Keaveny, Eric E<e.keaveny@imperial.ac.uk>; Sternberg, Michael J E<m.sternberg@imperial.ac.uk>; Staffell, Iain L<i.staffell@imperial.ac.uk>; Pengelly, Ellen<e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester<e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J<r.bantges@imperial.ac.uk>; Michalickova, Katerina<k.michalickova@imperial.ac.uk>;physics-departmental-computing<physics-departmental-computing@imperial.ac.u k>; Bryce, Craig T<c.bryce@imperial.ac.uk>; Bearpark, Michael J<m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde<c.cucinotta@imperial.ac.uk>; Pearse, Will<will.pearse@imperial.ac.uk>; David Colling<david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

In CMTH access to all internal systems in the CMTH cluster from other parts of the College network, for example others parts of Physics, Maths, etc, and from outside the College is only possible via 3 "bastion" hosts which act as firewalls with in-bound ssh being the only service exposed to the network. They also run fail2ban to discourage repeated break-in attempts and these systems are kept up to date with security patches.

In Maths, the situation is rather different - while nearly all systems are not directly accessible from outside College, they are accessible from other depts in College since their users often use Maths facilities. For access from outside, Maths has 3 ssh gateways similar to CMTH & running fail2ban and they accept external connections on the non-standard port 10022. Also users being what they are - especially UGs and MSc students who tend to hate the CLI and demand GUI coding interfaces such as Jupyter Notebook, R Studio server, VScode, Spyder 5, PySpark, etc, - we have a few dedicated compute servers that support direct ssh connections from outside College and users working remotely can then use ssh port forwarding and/or tunnelling to run GUI programming environments from home, halls of residence, etc over ssh without having to rely on the College VPN services which don't work for many Mac users (eg, MSc students based in China often find port 1194 used by OpenVPN is blocked by "state actors"). For an example of the documentation available for MSc students in the Stats section on hoe to do this, seehttps://sysnews.ma.ic.ac.uk/stats/MSc_compute_servers.html#GUI_setup

So in reality, ssh is the Swiss army knife for a lot of research users ;)

Andy

On Wed, 23 Nov 2022, David Colling wrote:

Hi Andy,

Thanks for these. ssh access to remote servers is not controversial, but if you want ssh access to your machines in college, how do you ensure that your machines are fully patched and not providing a way into college for hackers? Or rather how do you persuade ICT that this is the case?

In my group we have a team of three people who manage things like this (along with much much more) and these people are sufficiently respected and reliable for ICT to trust them.

Best, david

On 22/11/2022 23:45, andy thomas wrote:

A plan by the Firedrake software development group in Maths to use four rackmounted Mac Minis in a build farm to help develop a Mac version of this software has been completely scuppered to date by ICT's insistence that all Macs - even those used as servers only accessible via ssh on isolated networks not connected to any College network - must be remote-managed by ICT via Apple DEP. With hindsight Maths should have bought these Macs from, say, PC World in Kens High St, not through an "authorised Apple dealer".

Regarding services - and speaking for both the Maths dept and the Condensed Matter Theory group in Physics (CMTH) - almost all these research users use Linux or Mac desktop/laptop systems for whom the most important services are ssh (including services that rely on ssh such as scp & sftp) and https-based network connectivity. Most Linux/Mac applications use (or can easily be configured to use) ssh & https transports and ssh itself can also be used to create VPNs, using its tunneling & port forwarding features. Access via ssh to external services, institutions, etc is vital for these users as is the ability to use ssh for remote access into Maths & CMTH systems.

Maths research IT is server-based & independent of central ICT services although for backwards compatability, login services on a few systems do access a subset of the College user account authentication maps via the central LDAP servers and central ICNFS home directory storage is used by some users with low storage space requirements. On the other hand, the workstation-based CMTH cluster is entirely independent of ICT with its own LDAP and user storage servers.

With departmental facilities like these, many research users have no real need to use central services other than the network and DNS look-up servers, and there should be no need for research systems to be policed in the way ICT envisage. The College has a perimeter firewall and ICT are at liberty to run penetration/security tests on any systems they are unhappy about.

Andy

On Tue, 22 Nov 2022, David Colling wrote:

Hi All,

I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.

As some of you know ICT are increasingly confining what people can do on college machines, even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).

In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:

service: Office365 (including sharepoint, email, OneDrive teams etc) Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access the the email.

[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]

Service: ICIS (Payslips, expenses claims etc) Access: Secure web access should be enough.

Service: Starfish Access: Secure web access is sufficient.

What other services are needed and how?

Other comments:

- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.

So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.

Best, david

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-compu ting

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-computing

Hi Leigh et al, I am generally happy with the managed print service — perhaps because there is a managed printer right outside my office door. We also have a few standalone printers which are still useful, and I think it would generally be useful for the group and members to be able to purchase such printers without the ID infrastructure. Andrew

On 29 Nov 2022, at 08:47, Davenport, Leigh B M <l.davenport@imperial.ac.uk> wrote:

Good morning all

May I just ask a couple of clarifying questions regarding printing.

Are you happy with the managed print service and everything that it includes, or does this cause issues?

You mention stand alone IP printers, is this common practice and does this also cause issues.

Many thanks in advance

Kind regards

Leigh

-----Original Message----- From: physics-departmental-computing-bounces@imperial.ac.uk <physics-departmental-computing-bounces@imperial.ac.uk> On Behalf Of David Colling Sent: Tuesday, November 29, 2022 8:37 AM To: Jaffe, Andrew H <a.jaffe@imperial.ac.uk> Cc: Staffell, Iain L <i.staffell@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; Pearse, Will <will.pearse@imperial.ac.uk>; David Colling <david.colling@gmail.com>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

Indeed ...

On 29/11/2022 08:21, Jaffe, Andrew H wrote:

...

Dear all,

One more service occurs to me (as I am in at 8am to prepare for a 9am and need hardcopies): printing. Right now, some of our printers are part of the “ICT print service” and some are stand-alone IP printers.

Andrew

...

On 27 Nov 2022, at 17:32, David Colling <d.colling@imperial.ac.uk> wrote:

J believe that it is ...

On 23/11/2022 18:14, andy thomas wrote:

...

Is the Nov 30th meeting actually going ahead? There's a UCU/Unite/Unison joint strike planned for IC that day. Andy On Wed, 23 Nov 2022, Bantges, Richard J wrote:

...

David – if time permits, I wonder if it would be more efficient to have a short Teams meeting in the next few days, prior to your meeting on the 30th, to make sure we have the correct focus. I’m not sure “Services” = “Software packages” but clearly this is how it is being interpreted – and if this is what is required, then wow what a task to collate all the information.

Rich

From: Will Pearse <will.pearse@imperial.ac.uk> Sent: 23 November 2022 17:06 To: Colling, David J <d.colling@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Thomas, Andy D <andy.thomas@imperial.ac.uk> Cc: Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; David Colling <david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

Hello everyone,

I do hear what you're saying, and perhaps I am missing something here, but if I were to list every program that a member of my lab uses as part of their research the list would be long and ever-growing. Off the top of my head, today someone in my lab will have used:

* GRASS * QGIS * ArcGIS * Libre Office + Word equivalent + Excel equivalent + Powerpoint equivalent * Office 365 + ...as above * R * Python * Ruby * Julia * RAxML * BEAST * MrBayes * WoK cloud API * Google Maps API * Twitter API (...for how much longer I don't know :p) * AREAData automated build and distribution API we manage * Tyrell (in-house automation and COVID data API) * Raven bioacoustics data * Pendant Loggers software

...I could keep going, I'm sure you see the point I'm trying to make. Some of these have exposed APIs and ports, some of them are 'just' programs that we need to be able to install. You might think the list would be smaller for people in DoLS who are less computational than my lab, but actually the problem would be worse because they use lots of bespoke software for weird bits of kit (DNA sequencers, microclimate loggers, bioacoustic sensors, ...).

Fundamentally, I worry the tail may be wagging the dog here. If I were to put this provocatively, and I think unfairly but hopefully by reducing to the absurd I can make my point clearer, why should we have to demonstrate that our research is no danger to systems that are set up to support our research?

Thanks,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion

On 23/11/2022 16:14, David Colling wrote:

Hi Will,

To some extent I agree with you, but I can quite imagine that there are plenty of college systems that I have never heard of that I don't need access to. I have no idea what systems HR use (and don't want to know) but I do know that I have never needed access to them. So if we can set up a list of what we do need and show that we are no danger to any central systems then I don't see how they can complain.

Best, david

On 23/11/2022 14:25, Will Pearse wrote:

Hello everyone,

I think we should compile a list of what people /shouldn't/ be able to do on research computers rather than what they /should/. I think such a list would be much shorter, and doing the opposite will massively hinder research. I think this is similar to what others have proposed below.

Pragmatically, if ICT remove user control over the machines the users will jailbreak them to do their research. That would presumably be the worst case scenario from the perspective of security, and so I think it's in everyone's interests to give people control of their own computers.

Cheers,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) <http://pearselab.com/> (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion On 23/11/2022 11:20, Bantges, Richard J wrote:

Hi Andy, ( & David)

The College's Unified Access is another angle perhaps to consider for Imperial College users. I'm not qualified to comment how robust that is, but that opens up the entire Imperial College network from outside of the College, providing access to mapped network drives, shared windows directories and SSH access to all of our servers. We still maintain a couple of externally visible Linux SSH servers comparable to your "bastion" hosts (running fail2ban, etc.) to allow collaborators external to the College to access some of our systems / data albeit with restricted privileges.

I'm trying to understand the scope / reach of ICT's aim here. I'd imagine for it to be effective, as any changes will only be as good as the weakest link, it'll be all encompassing - i.e. anything connected to the Imperial College network is to be scrutinised. I recall many years ago a printer being "hacked" and was printing reams of rubbish until it was fixed..

Rich

-----Original Message----- From: Thomas, Andy D<andy.thomas@imperial.ac.uk> Sent: 23 November 2022 11:02 To: Colling, David J<d.colling@imperial.ac.uk> Cc: Bresme, Fernando<f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W<paul.french@imperial.ac.uk>; Keaveny, Eric E<e.keaveny@imperial.ac.uk>; Sternberg, Michael J E<m.sternberg@imperial.ac.uk>; Staffell, Iain L<i.staffell@imperial.ac.uk>; Pengelly, Ellen<e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester<e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J<r.bantges@imperial.ac.uk>; Michalickova, Katerina<k.michalickova@imperial.ac.uk>;physics-departmental-computing<physics-departmental-computing@imperial.ac.u k>; Bryce, Craig T<c.bryce@imperial.ac.uk>; Bearpark, Michael J<m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde<c.cucinotta@imperial.ac.uk>; Pearse, Will<will.pearse@imperial.ac.uk>; David Colling<david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

In CMTH access to all internal systems in the CMTH cluster from other parts of the College network, for example others parts of Physics, Maths, etc, and from outside the College is only possible via 3 "bastion" hosts which act as firewalls with in-bound ssh being the only service exposed to the network. They also run fail2ban to discourage repeated break-in attempts and these systems are kept up to date with security patches.

In Maths, the situation is rather different - while nearly all systems are not directly accessible from outside College, they are accessible from other depts in College since their users often use Maths facilities. For access from outside, Maths has 3 ssh gateways similar to CMTH & running fail2ban and they accept external connections on the non-standard port 10022. Also users being what they are - especially UGs and MSc students who tend to hate the CLI and demand GUI coding interfaces such as Jupyter Notebook, R Studio server, VScode, Spyder 5, PySpark, etc, - we have a few dedicated compute servers that support direct ssh connections from outside College and users working remotely can then use ssh port forwarding and/or tunnelling to run GUI programming environments from home, halls of residence, etc over ssh without having to rely on the College VPN services which don't work for many Mac users (eg, MSc students based in China often find port 1194 used by OpenVPN is blocked by "state actors"). For an example of the documentation available for MSc students in the Stats section on hoe to do this,

seehttps://sysnews.ma.ic.ac.uk/stats/MSc_compute_servers.html#GUI_s etup

So in reality, ssh is the Swiss army knife for a lot of research users ;)

Andy

On Wed, 23 Nov 2022, David Colling wrote:

Hi Andy,

Thanks for these. ssh access to remote servers is not controversial, but if you want ssh access to your machines in college, how do you ensure that your machines are fully patched and not providing a way into college for hackers? Or rather how do you persuade ICT that this is the case?

In my group we have a team of three people who manage things like this (along with much much more) and these people are sufficiently respected and reliable for ICT to trust them.

Best, david

On 22/11/2022 23:45, andy thomas wrote:

A plan by the Firedrake software development group in Maths to use four rackmounted Mac Minis in a build farm to help develop a Mac version of this software has been completely scuppered to date by ICT's insistence that all Macs - even those used as servers only accessible via ssh on isolated networks not connected to any College network - must be remote-managed by ICT via Apple DEP. With hindsight Maths should have bought these Macs from, say, PC World in Kens High St, not through an "authorised Apple dealer".

Regarding services - and speaking for both the Maths dept and the Condensed Matter Theory group in Physics (CMTH) - almost all these research users use Linux or Mac desktop/laptop systems for whom the most important services are ssh (including services that rely on ssh such as scp & sftp) and https-based network connectivity. Most Linux/Mac applications use (or can easily be configured to use) ssh & https transports and ssh itself can also be used to create VPNs, using its tunneling & port forwarding features. Access via ssh to external services, institutions, etc is vital for these users as is the ability to use ssh for remote access into Maths & CMTH systems.

Maths research IT is server-based & independent of central ICT services although for backwards compatability, login services on a few systems do access a subset of the College user account authentication maps via the central LDAP servers and central ICNFS home directory storage is used by some users with low storage space requirements. On the other hand, the workstation-based CMTH cluster is entirely independent of ICT with its own LDAP and user storage servers.

With departmental facilities like these, many research users have no real need to use central services other than the network and DNS look-up servers, and there should be no need for research systems to be policed in the way ICT envisage. The College has a perimeter firewall and ICT are at liberty to run penetration/security tests on any systems they are unhappy about.

Andy

On Tue, 22 Nov 2022, David Colling wrote:

Hi All,

I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.

As some of you know ICT are increasingly confining what people can do on college machines, even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).

In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:

service: Office365 (including sharepoint, email, OneDrive teams etc) Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access the the email.

[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]

Service: ICIS (Payslips, expenses claims etc) Access: Secure web access should be enough.

Service: Starfish Access: Secure web access is sufficient.

What other services are needed and how?

Other comments:

- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.

So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.

Best, david

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-compu ting

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-comput ing

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-computing

Dear Leigh, FYI: SPAT also have a couple of standalone IP printers. These were purchased a few years ago at a time when it was deemed to be more cost effective to buy and maintain our own printers when compared with the cost/page of printing with the ICT print managed kit. Also, some academics preferred to have a printer in their office for convenience and security (sensitive documents). Also the security aspect is less of a justification when the secure swipe-to-print systems were introduced. I may be wrong on the following, but I believe the Department covers the cost of printers within individual research groups in Physics now. So the cost is much less visible, and it is my understanding that SPAT Physics at least will be retiring non-ICT managed printers within the next year or so, and certainly not replacing these if they fail. The only complaint I've received concerning the printers are the cleaning schedules are too infrequent, resulting in dirty toner-smudged print outs far too often. Otherwise all seems to be working well as far as I'm aware in SPAT in terms of accessibility and features. Best wishes, Rich -----Original Message----- From: physics-departmental-computing-bounces@imperial.ac.uk <physics-departmental-computing-bounces@imperial.ac.uk> On Behalf Of Davenport, Leigh B M Sent: 29 November 2022 08:48 To: Colling, David J <d.colling@imperial.ac.uk>; Jaffe, Andrew H <a.jaffe@imperial.ac.uk> Cc: Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pearse, Will <will.pearse@imperial.ac.uk>; David Colling <david.colling@gmail.com>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop Good morning all May I just ask a couple of clarifying questions regarding printing. Are you happy with the managed print service and everything that it includes, or does this cause issues? You mention stand alone IP printers, is this common practice and does this also cause issues. Many thanks in advance Kind regards Leigh -----Original Message----- From: physics-departmental-computing-bounces@imperial.ac.uk <physics-departmental-computing-bounces@imperial.ac.uk> On Behalf Of David Colling Sent: Tuesday, November 29, 2022 8:37 AM To: Jaffe, Andrew H <a.jaffe@imperial.ac.uk> Cc: Staffell, Iain L <i.staffell@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; Pearse, Will <will.pearse@imperial.ac.uk>; David Colling <david.colling@gmail.com>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop Indeed ... On 29/11/2022 08:21, Jaffe, Andrew H wrote:

Dear all,

One more service occurs to me (as I am in at 8am to prepare for a 9am and need hardcopies): printing. Right now, some of our printers are part of the “ICT print service” and some are stand-alone IP printers.

Andrew

...

On 27 Nov 2022, at 17:32, David Colling <d.colling@imperial.ac.uk> wrote:

J believe that it is ...

On 23/11/2022 18:14, andy thomas wrote:

...

Is the Nov 30th meeting actually going ahead? There's a UCU/Unite/Unison joint strike planned for IC that day. Andy On Wed, 23 Nov 2022, Bantges, Richard J wrote:

...

David – if time permits, I wonder if it would be more efficient to have a short Teams meeting in the next few days, prior to your meeting on the 30th, to make sure we have the correct focus. I’m not sure “Services” = “Software packages” but clearly this is how it is being interpreted – and if this is what is required, then wow what a task to collate all the information.

Rich

From: Will Pearse <will.pearse@imperial.ac.uk> Sent: 23 November 2022 17:06 To: Colling, David J <d.colling@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Thomas, Andy D <andy.thomas@imperial.ac.uk> Cc: Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; David Colling <david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

Hello everyone,

I do hear what you're saying, and perhaps I am missing something here, but if I were to list every program that a member of my lab uses as part of their research the list would be long and ever-growing. Off the top of my head, today someone in my lab will have used:

* GRASS * QGIS * ArcGIS * Libre Office + Word equivalent + Excel equivalent + Powerpoint equivalent * Office 365 + ...as above * R * Python * Ruby * Julia * RAxML * BEAST * MrBayes * WoK cloud API * Google Maps API * Twitter API (...for how much longer I don't know :p) * AREAData automated build and distribution API we manage * Tyrell (in-house automation and COVID data API) * Raven bioacoustics data * Pendant Loggers software

...I could keep going, I'm sure you see the point I'm trying to make. Some of these have exposed APIs and ports, some of them are 'just' programs that we need to be able to install. You might think the list would be smaller for people in DoLS who are less computational than my lab, but actually the problem would be worse because they use lots of bespoke software for weird bits of kit (DNA sequencers, microclimate loggers, bioacoustic sensors, ...).

Fundamentally, I worry the tail may be wagging the dog here. If I were to put this provocatively, and I think unfairly but hopefully by reducing to the absurd I can make my point clearer, why should we have to demonstrate that our research is no danger to systems that are set up to support our research?

Thanks,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion

On 23/11/2022 16:14, David Colling wrote:

Hi Will,

To some extent I agree with you, but I can quite imagine that there are plenty of college systems that I have never heard of that I don't need access to. I have no idea what systems HR use (and don't want to know) but I do know that I have never needed access to them. So if we can set up a list of what we do need and show that we are no danger to any central systems then I don't see how they can complain.

Best, david

On 23/11/2022 14:25, Will Pearse wrote:

Hello everyone,

I think we should compile a list of what people /shouldn't/ be able to do on research computers rather than what they /should/. I think such a list would be much shorter, and doing the opposite will massively hinder research. I think this is similar to what others have proposed below.

Pragmatically, if ICT remove user control over the machines the users will jailbreak them to do their research. That would presumably be the worst case scenario from the perspective of security, and so I think it's in everyone's interests to give people control of their own computers.

Cheers,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) <http://pearselab.com/> (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion On 23/11/2022 11:20, Bantges, Richard J wrote:

Hi Andy, ( & David)

The College's Unified Access is another angle perhaps to consider for Imperial College users. I'm not qualified to comment how robust that is, but that opens up the entire Imperial College network from outside of the College, providing access to mapped network drives, shared windows directories and SSH access to all of our servers. We still maintain a couple of externally visible Linux SSH servers comparable to your "bastion" hosts (running fail2ban, etc.) to allow collaborators external to the College to access some of our systems / data albeit with restricted privileges.

I'm trying to understand the scope / reach of ICT's aim here. I'd imagine for it to be effective, as any changes will only be as good as the weakest link, it'll be all encompassing - i.e. anything connected to the Imperial College network is to be scrutinised. I recall many years ago a printer being "hacked" and was printing reams of rubbish until it was fixed..

Rich

-----Original Message----- From: Thomas, Andy D<andy.thomas@imperial.ac.uk> Sent: 23 November 2022 11:02 To: Colling, David J<d.colling@imperial.ac.uk> Cc: Bresme, Fernando<f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W<paul.french@imperial.ac.uk>; Keaveny, Eric E<e.keaveny@imperial.ac.uk>; Sternberg, Michael J E<m.sternberg@imperial.ac.uk>; Staffell, Iain L<i.staffell@imperial.ac.uk>; Pengelly, Ellen<e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester<e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J<r.bantges@imperial.ac.uk>; Michalickova, Katerina<k.michalickova@imperial.ac.uk>;physics-departmental-computing<physics-departmental-computing@imperial.ac.u k>; Bryce, Craig T<c.bryce@imperial.ac.uk>; Bearpark, Michael J<m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde<c.cucinotta@imperial.ac.uk>; Pearse, Will<will.pearse@imperial.ac.uk>; David Colling<david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

In CMTH access to all internal systems in the CMTH cluster from other parts of the College network, for example others parts of Physics, Maths, etc, and from outside the College is only possible via 3 "bastion" hosts which act as firewalls with in-bound ssh being the only service exposed to the network. They also run fail2ban to discourage repeated break-in attempts and these systems are kept up to date with security patches.

In Maths, the situation is rather different - while nearly all systems are not directly accessible from outside College, they are accessible from other depts in College since their users often use Maths facilities. For access from outside, Maths has 3 ssh gateways similar to CMTH & running fail2ban and they accept external connections on the non-standard port 10022. Also users being what they are - especially UGs and MSc students who tend to hate the CLI and demand GUI coding interfaces such as Jupyter Notebook, R Studio server, VScode, Spyder 5, PySpark, etc, - we have a few dedicated compute servers that support direct ssh connections from outside College and users working remotely can then use ssh port forwarding and/or tunnelling to run GUI programming environments from home, halls of residence, etc over ssh without having to rely on the College VPN services which don't work for many Mac users (eg, MSc students based in China often find port 1194 used by OpenVPN is blocked by "state actors"). For an example of the documentation available for MSc students in the Stats section on hoe to do this,

seehttps://sysnews.ma.ic.ac.uk/stats/MSc_compute_servers.html#GUI_s etup

So in reality, ssh is the Swiss army knife for a lot of research users ;)

Andy

On Wed, 23 Nov 2022, David Colling wrote:

Hi Andy,

Thanks for these. ssh access to remote servers is not controversial, but if you want ssh access to your machines in college, how do you ensure that your machines are fully patched and not providing a way into college for hackers? Or rather how do you persuade ICT that this is the case?

In my group we have a team of three people who manage things like this (along with much much more) and these people are sufficiently respected and reliable for ICT to trust them.

Best, david

On 22/11/2022 23:45, andy thomas wrote:

A plan by the Firedrake software development group in Maths to use four rackmounted Mac Minis in a build farm to help develop a Mac version of this software has been completely scuppered to date by ICT's insistence that all Macs - even those used as servers only accessible via ssh on isolated networks not connected to any College network - must be remote-managed by ICT via Apple DEP. With hindsight Maths should have bought these Macs from, say, PC World in Kens High St, not through an "authorised Apple dealer".

Regarding services - and speaking for both the Maths dept and the Condensed Matter Theory group in Physics (CMTH) - almost all these research users use Linux or Mac desktop/laptop systems for whom the most important services are ssh (including services that rely on ssh such as scp & sftp) and https-based network connectivity. Most Linux/Mac applications use (or can easily be configured to use) ssh & https transports and ssh itself can also be used to create VPNs, using its tunneling & port forwarding features. Access via ssh to external services, institutions, etc is vital for these users as is the ability to use ssh for remote access into Maths & CMTH systems.

Maths research IT is server-based & independent of central ICT services although for backwards compatability, login services on a few systems do access a subset of the College user account authentication maps via the central LDAP servers and central ICNFS home directory storage is used by some users with low storage space requirements. On the other hand, the workstation-based CMTH cluster is entirely independent of ICT with its own LDAP and user storage servers.

With departmental facilities like these, many research users have no real need to use central services other than the network and DNS look-up servers, and there should be no need for research systems to be policed in the way ICT envisage. The College has a perimeter firewall and ICT are at liberty to run penetration/security tests on any systems they are unhappy about.

Andy

On Tue, 22 Nov 2022, David Colling wrote:

Hi All,

I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.

As some of you know ICT are increasingly confining what people can do on college machines, even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).

In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:

service: Office365 (including sharepoint, email, OneDrive teams etc) Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access the the email.

[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]

Service: ICIS (Payslips, expenses claims etc) Access: Secure web access should be enough.

Service: Starfish Access: Secure web access is sufficient.

What other services are needed and how?

Other comments:

- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.

So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.

Best, david

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-compu ting

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-comput ing

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-computing _______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-computing

I would prefer Friday lunchtime, though could do Monday. Incidentally we had our MSc examiners’ meeting with our external from Manchester today. They too have had the ‘ict-controlling-your-computer’ argument and came down on the side of a two-tier system, one class of machines that ICT would exercise complete control over and then ‘lab’ machines that they would let you do with what you wished. Even then they did still take your new mac off you on arrival and laser-etched a Manchester Uni logo on the back of it. Actually, it looked quite good. [cid:image001.png@01D8FF8E.58EBB1B0] If we could restrict ICT’s fingerprints to just that on my next apple laptop I would be perfectly happy. Mark From: physics-departmental-computing-bounces@imperial.ac.uk <physics-departmental-computing-bounces@imperial.ac.uk> on behalf of David Colling <d.colling@imperial.ac.uk> Date: Wednesday, 23 November 2022 at 22:38 To: Bantges, Richard J <r.bantges@imperial.ac.uk>, Pearse, Will <will.pearse@imperial.ac.uk>, Thomas, Andy D <andy.thomas@imperial.ac.uk> Cc: Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>, Sternberg, Michael J E <m.sternberg@imperial.ac.uk>, Bearpark, Michael J <m.bearpark@imperial.ac.uk>, Bryce, Craig T <c.bryce@imperial.ac.uk>, Staffell, Iain L <i.staffell@imperial.ac.uk>, David Colling <david.colling@gmail.com>, Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>, Michalickova, Katerina <k.michalickova@imperial.ac.uk>, Keaveny, Eric E <e.keaveny@imperial.ac.uk>, physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>, French, Paul (PHOT) M W <paul.french@imperial.ac.uk>, Bresme, Fernando <f.bresme@imperial.ac.uk> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop Hi Rich, I think that this is a good idea. How many people are free midday on Friday? I could set up a doodle poll but time is short so I think it best to suggest a date and lunchtimes are generally the least congested. If this doesn't work then Monday lunchtime? Replies please... Best, daivd On 23/11/2022 17:59, Bantges, Richard J wrote:

David – if time permits, I wonder if it would be more efficient to have a short Teams meeting in the next few days, prior to your meeting on the 30^th , to make sure we have the correct focus. I’m not sure “Services” = “Software packages” but clearly this is how it is being interpreted – and if this is what is required, then wow what a task to collate all the information.

Rich

*From:*Will Pearse <will.pearse@imperial.ac.uk> *Sent:* 23 November 2022 17:06 *To:* Colling, David J <d.colling@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Thomas, Andy D <andy.thomas@imperial.ac.uk> *Cc:* Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; David Colling <david.colling@gmail.com> *Subject:* Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

Hello everyone,

I do hear what you're saying, and perhaps I am missing something here, but if I were to list every program that a member of my lab uses as part of their research the list would be long and ever-growing. Off the top of my head, today someone in my lab will have used:

* GRASS * QGIS * ArcGIS * Libre Office o Word equivalent o Excel equivalent o Powerpoint equivalent * Office 365 o ...as above * R * Python * Ruby * Julia * RAxML * BEAST * MrBayes * WoK cloud API * Google Maps API * Twitter API (...for how much longer I don't know :p) * AREAData automated build and distribution API we manage * Tyrell (in-house automation and COVID data API) * Raven bioacoustics data * Pendant Loggers software

...I could keep going, I'm sure you see the point I'm trying to make. Some of these have exposed APIs and ports, some of them are 'just' programs that we need to be able to install. You might think the list would be smaller for people in DoLS who are less computational than my lab, but actually the problem would be worse because they use lots of bespoke software for weird bits of kit (DNA sequencers, microclimate loggers, bioacoustic sensors, ...).

Fundamentally, I worry the tail may be wagging the dog here. If I were to put this provocatively, and I think unfairly but hopefully by reducing to the absurd I can make my point clearer, why should we have to demonstrate that our research is no danger to systems that are set up to support our research?

Thanks,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) <http://pearselab.com/> (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion

On 23/11/2022 16:14, David Colling wrote:

Hi Will,

To some extent I agree with you, but I can quite imagine that there are plenty of college systems that I have never heard of that I don't need access to. I have no idea what systems HR use (and don't want to know) but I do know that I have never needed access to them. So if we can set up a list of what we do need and show that we are no danger to any central systems then I don't see how they can complain.

Best, david

On 23/11/2022 14:25, Will Pearse wrote:

Hello everyone,

I think we should compile a list of what people /shouldn't/ be able to do on research computers rather than what they /should/. I think such a list would be much shorter, and doing the opposite will massively hinder research. I think this is similar to what others have proposed below.

Pragmatically, if ICT remove user control over the machines the users will jailbreak them to do their research. That would presumably be the worst case scenario from the perspective of security, and so I think it's in everyone's interests to give people control of their own computers.

Cheers,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) <http://pearselab.com/> <http://pearselab.com/> (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion On 23/11/2022 11:20, Bantges, Richard J wrote:

Hi Andy, ( & David)

The College's Unified Access is another angle perhaps to consider for Imperial College users. I'm not qualified to comment how robust that is, but that opens up the entire Imperial College network from outside of the College, providing access to mapped network drives, shared windows directories and SSH access to all of our servers. We still maintain a couple of externally visible Linux SSH servers comparable to your "bastion" hosts (running fail2ban, etc.) to allow collaborators external to the College to access some of our systems / data albeit with restricted privileges.

I'm trying to understand the scope / reach of ICT's aim here. I'd imagine for it to be effective, as any changes will only be as good as the weakest link, it'll be all encompassing - i.e. anything connected to the Imperial College network is to be scrutinised. I recall many years ago a printer being "hacked" and was printing reams of rubbish until it was fixed..

Rich

-----Original Message----- From: Thomas, Andy D<andy.thomas@imperial.ac.uk> <mailto:andy.thomas@imperial.ac.uk> Sent: 23 November 2022 11:02 To: Colling, David J<d.colling@imperial.ac.uk> <mailto:d.colling@imperial.ac.uk> Cc: Bresme, Fernando<f.bresme@imperial.ac.uk> <mailto:f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W<paul.french@imperial.ac.uk> <mailto:paul.french@imperial.ac.uk>; Keaveny, Eric E<e.keaveny@imperial.ac.uk> <mailto:e.keaveny@imperial.ac.uk>; Sternberg, Michael J E<m.sternberg@imperial.ac.uk> <mailto:m.sternberg@imperial.ac.uk>; Staffell, Iain L<i.staffell@imperial.ac.uk> <mailto:i.staffell@imperial.ac.uk>; Pengelly, Ellen<e.pengelly@imperial.ac.uk> <mailto:e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester<e.buchaca-domingo@imperial.ac.uk> <mailto:e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J<r.bantges@imperial.ac.uk> <mailto:r.bantges@imperial.ac.uk>; Michalickova, Katerina<k.michalickova@imperial.ac.uk> <mailto:k.michalickova@imperial.ac.uk>; physics-departmental-computing<physics-departmental-computing@imperial.ac.uk> <mailto:physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T<c.bryce@imperial.ac.uk> <mailto:c.bryce@imperial.ac.uk>; Bearpark, Michael J<m.bearpark@imperial.ac.uk> <mailto:m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde<c.cucinotta@imperial.ac.uk> <mailto:c.cucinotta@imperial.ac.uk>; Pearse, Will<will.pearse@imperial.ac.uk> <mailto:will.pearse@imperial.ac.uk>; David Colling<david.colling@gmail.com> <mailto:david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

In CMTH access to all internal systems in the CMTH cluster from other parts of the College network, for example others parts of Physics, Maths, etc, and from outside the College is only possible via 3 "bastion" hosts which act as firewalls with in-bound ssh being the only service exposed to the network. They also run fail2ban to discourage repeated break-in attempts and these systems are kept up to date with security patches.

In Maths, the situation is rather different - while nearly all systems are not directly accessible from outside College, they are accessible from other depts in College since their users often use Maths facilities. For access from outside, Maths has 3 ssh gateways similar to CMTH & running fail2ban and they accept external connections on the non-standard port 10022. Also users being what they are - especially UGs and MSc students who tend to hate the CLI and demand GUI coding interfaces such as Jupyter Notebook, R Studio server, VScode, Spyder 5, PySpark, etc, - we have a few dedicated compute servers that support direct ssh connections from outside College and users working remotely can then use ssh port forwarding and/or tunnelling to run GUI programming environments from home, halls of residence, etc over ssh without having to rely on the College VPN services which don't work for many Mac users (eg, MSc students based in China often find port 1194 used by OpenVPN is blocked by "state actors"). For an example of the documentation available for MSc students in the Stats section on hoe to do this, seehttps://sysnews.ma.ic.ac.uk/stats/MSc_compute_servers.html#GUI_setup

So in reality, ssh is the Swiss army knife for a lot of research users ;)

Andy

On Wed, 23 Nov 2022, David Colling wrote:

Hi Andy,

Thanks for these. ssh access to remote servers is not controversial, but if you want ssh access to your machines in college, how do you ensure that your machines are fully patched and not providing a way into college for hackers? Or rather how do you persuade ICT that this is the case?

In my group we have a team of three people who manage things like this (along with much much more) and these people are sufficiently respected and reliable for ICT to trust them.

Best, david

On 22/11/2022 23:45, andy thomas wrote:

A plan by the Firedrake software development group in Maths to use four rackmounted Mac Minis in a build farm to help develop a Mac version of this software has been completely scuppered to date by ICT's insistence that all Macs - even those used as servers only accessible via ssh on isolated networks not connected to any College network - must be remote-managed by ICT via Apple DEP. With hindsight Maths should have bought these Macs from, say, PC World in Kens High St, not through an "authorised Apple dealer".

Regarding services - and speaking for both the Maths dept and the Condensed Matter Theory group in Physics (CMTH) - almost all these research users use Linux or Mac desktop/laptop systems for whom the most important services are ssh (including services that rely on ssh such as scp & sftp) and https-based network connectivity. Most Linux/Mac applications use (or can easily be configured to use) ssh & https transports and ssh itself can also be used to create VPNs, using its tunneling & port forwarding features. Access via ssh to external services, institutions, etc is vital for these users as is the ability to use ssh for remote access into Maths & CMTH systems.

Maths research IT is server-based & independent of central ICT services although for backwards compatability, login services on a few systems do access a subset of the College user account authentication maps via the central LDAP servers and central ICNFS home directory storage is used by some users with low storage space requirements. On the other hand, the workstation-based CMTH cluster is entirely independent of ICT with its own LDAP and user storage servers.

With departmental facilities like these, many research users have no real need to use central services other than the network and DNS look-up servers, and there should be no need for research systems to be policed in the way ICT envisage. The College has a perimeter firewall and ICT are at liberty to run penetration/security tests on any systems they are unhappy about.

Andy

On Tue, 22 Nov 2022, David Colling wrote:

Hi All,

I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.

As some of you know ICT are increasingly confining what people can do on college machines, even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).

In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:

service: Office365 (including sharepoint, email, OneDrive teams etc) Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access the the email.

[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]

Service: ICIS (Payslips, expenses claims etc) Access: Secure web access should be enough.

Service: Starfish Access: Secure web access is sufficient.

What other services are needed and how?

Other comments:

- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.

So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.

Best, david

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk <mailto:Physics-Departmental-Computing@imperial.ac.uk> https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-compu <https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-compu> ting

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-computing

Hi All, It has been pointed out by several people that tomorrow is a strike day. WHile I wont be on strike I would not want to put people into a difficult situation and so lets meet on Monday between 12:00 and 13:00. My apologies for those for whom this is impossible. I will send around teams coords tomorrow. Best, david On 23/11/2022 17:59, Bantges, Richard J wrote:

David – if time permits, I wonder if it would be more efficient to have a short Teams meeting in the next few days, prior to your meeting on the 30^th , to make sure we have the correct focus. I’m not sure “Services” = “Software packages” but clearly this is how it is being interpreted – and if this is what is required, then wow what a task to collate all the information.

Rich

*From:*Will Pearse <will.pearse@imperial.ac.uk> *Sent:* 23 November 2022 17:06 *To:* Colling, David J <d.colling@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Thomas, Andy D <andy.thomas@imperial.ac.uk> *Cc:* Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; David Colling <david.colling@gmail.com> *Subject:* Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

Hello everyone,

I do hear what you're saying, and perhaps I am missing something here, but if I were to list every program that a member of my lab uses as part of their research the list would be long and ever-growing. Off the top of my head, today someone in my lab will have used:

* GRASS * QGIS * ArcGIS * Libre Office o Word equivalent o Excel equivalent o Powerpoint equivalent * Office 365 o ...as above * R * Python * Ruby * Julia * RAxML * BEAST * MrBayes * WoK cloud API * Google Maps API * Twitter API (...for how much longer I don't know :p) * AREAData automated build and distribution API we manage * Tyrell (in-house automation and COVID data API) * Raven bioacoustics data * Pendant Loggers software

...I could keep going, I'm sure you see the point I'm trying to make. Some of these have exposed APIs and ports, some of them are 'just' programs that we need to be able to install. You might think the list would be smaller for people in DoLS who are less computational than my lab, but actually the problem would be worse because they use lots of bespoke software for weird bits of kit (DNA sequencers, microclimate loggers, bioacoustic sensors, ...).

Fundamentally, I worry the tail may be wagging the dog here. If I were to put this provocatively, and I think unfairly but hopefully by reducing to the absurd I can make my point clearer, why should we have to demonstrate that our research is no danger to systems that are set up to support our research?

Thanks,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) <http://pearselab.com/> (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion

On 23/11/2022 16:14, David Colling wrote:

Hi Will,

To some extent I agree with you, but I can quite imagine that there are plenty of college systems that I have never heard of that I don't need access to. I have no idea what systems HR use (and don't want to know) but I do know that I have never needed access to them. So if we can set up a list of what we do need and show that we are no danger to any central systems then I don't see how they can complain.

Best, david

On 23/11/2022 14:25, Will Pearse wrote:

Hello everyone,

I think we should compile a list of what people /shouldn't/ be able to do on research computers rather than what they /should/. I think such a list would be much shorter, and doing the opposite will massively hinder research. I think this is similar to what others have proposed below.

Pragmatically, if ICT remove user control over the machines the users will jailbreak them to do their research. That would presumably be the worst case scenario from the perspective of security, and so I think it's in everyone's interests to give people control of their own computers.

Cheers,

Will

---

Measuring phylogenetic structure? Try install.packages('pez')

Will Pearse (pearselab.com) <http://pearselab.com/> <http://pearselab.com/> (he/him) Senior Lecturer, Imperial College London Department of Life Sciences LGBTQ+ champion On 23/11/2022 11:20, Bantges, Richard J wrote:

Hi Andy, ( & David)

The College's Unified Access is another angle perhaps to consider for Imperial College users. I'm not qualified to comment how robust that is, but that opens up the entire Imperial College network from outside of the College, providing access to mapped network drives, shared windows directories and SSH access to all of our servers. We still maintain a couple of externally visible Linux SSH servers comparable to your "bastion" hosts (running fail2ban, etc.) to allow collaborators external to the College to access some of our systems / data albeit with restricted privileges.

I'm trying to understand the scope / reach of ICT's aim here. I'd imagine for it to be effective, as any changes will only be as good as the weakest link, it'll be all encompassing - i.e. anything connected to the Imperial College network is to be scrutinised. I recall many years ago a printer being "hacked" and was printing reams of rubbish until it was fixed..

Rich

-----Original Message----- From: Thomas, Andy D<andy.thomas@imperial.ac.uk> <mailto:andy.thomas@imperial.ac.uk>  Sent: 23 November 2022 11:02 To: Colling, David J<d.colling@imperial.ac.uk> <mailto:d.colling@imperial.ac.uk> Cc: Bresme, Fernando<f.bresme@imperial.ac.uk> <mailto:f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W<paul.french@imperial.ac.uk> <mailto:paul.french@imperial.ac.uk>; Keaveny, Eric E<e.keaveny@imperial.ac.uk> <mailto:e.keaveny@imperial.ac.uk>; Sternberg, Michael J E<m.sternberg@imperial.ac.uk> <mailto:m.sternberg@imperial.ac.uk>; Staffell, Iain L<i.staffell@imperial.ac.uk> <mailto:i.staffell@imperial.ac.uk>; Pengelly, Ellen<e.pengelly@imperial.ac.uk> <mailto:e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester<e.buchaca-domingo@imperial.ac.uk> <mailto:e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J<r.bantges@imperial.ac.uk> <mailto:r.bantges@imperial.ac.uk>; Michalickova, Katerina<k.michalickova@imperial.ac.uk> <mailto:k.michalickova@imperial.ac.uk>; physics-departmental-computing<physics-departmental-computing@imperial.ac.uk> <mailto:physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T<c.bryce@imperial.ac.uk> <mailto:c.bryce@imperial.ac.uk>; Bearpark, Michael J<m.bearpark@imperial.ac.uk> <mailto:m.bearpark@imperial.ac.uk>; Cucinotta, Clotilde<c.cucinotta@imperial.ac.uk> <mailto:c.cucinotta@imperial.ac.uk>; Pearse, Will<will.pearse@imperial.ac.uk> <mailto:will.pearse@imperial.ac.uk>; David Colling<david.colling@gmail.com> <mailto:david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop

In CMTH access to all internal systems in the CMTH cluster from other parts of the College network, for example others parts of Physics, Maths, etc, and from outside the College is only possible via 3 "bastion" hosts which act as firewalls with in-bound ssh being the only service exposed to the network. They also run fail2ban to discourage repeated break-in attempts and these systems are kept up to date with security patches.

In Maths, the situation is rather different - while nearly all systems are not directly accessible from outside College, they are accessible from other depts in College since their users often use Maths facilities. For access from outside, Maths has 3 ssh gateways similar to CMTH & running fail2ban and they accept external connections on the non-standard port 10022. Also users being what they are - especially UGs and MSc students who tend to hate the CLI and demand GUI coding interfaces such as Jupyter Notebook, R Studio server, VScode, Spyder 5, PySpark, etc, - we have a few dedicated compute servers that support direct ssh connections from outside College and users working remotely can then use ssh port forwarding and/or tunnelling to run GUI programming environments from home, halls of residence, etc over ssh without having to rely on the College VPN services which don't work for many Mac users (eg, MSc students based in China often find port 1194 used by OpenVPN is blocked by "state actors"). For an example of the documentation available for MSc students in the Stats section on hoe to do this, seehttps://sysnews.ma.ic.ac.uk/stats/MSc_compute_servers.html#GUI_setup

So in reality, ssh is the Swiss army knife for a lot of research users ;)

Andy

On Wed, 23 Nov 2022, David Colling wrote:

Hi Andy,

Thanks for these. ssh access to remote servers is not controversial, but if you want ssh access to your machines in college, how do you ensure that your machines are fully patched and not providing a way into college for hackers? Or rather how do you persuade ICT that this is the case?

In my group we have a team of three people who manage things like this (along with much much more) and these people are sufficiently respected and reliable for ICT to trust them.

Best, david

On 22/11/2022 23:45, andy thomas wrote:

A plan by the Firedrake software development group in Maths to use four rackmounted Mac Minis in a build farm to help develop a Mac version of this software has been completely scuppered to date by ICT's insistence that all Macs - even those used as servers only accessible via ssh on isolated networks not connected to any College network - must be remote-managed by ICT via Apple DEP. With hindsight Maths should have bought these Macs from, say, PC World in Kens High St, not through an "authorised Apple dealer".

Regarding services - and speaking for both the Maths dept and the Condensed Matter Theory group in Physics (CMTH) - almost all these research users use Linux or Mac desktop/laptop systems for whom the most important services are ssh (including services that rely on ssh such as scp & sftp) and https-based network connectivity. Most Linux/Mac applications use (or can easily be configured to use) ssh & https transports and ssh itself can also be used to create VPNs, using its tunneling & port forwarding features. Access via ssh to external services, institutions, etc is vital for these users as is the ability to use ssh for remote access into Maths & CMTH systems.

Maths research IT is server-based & independent of central ICT services although for backwards compatability, login services on a few systems do access a subset of the College user account authentication maps via the central LDAP servers and central ICNFS home directory storage is used by some users with low storage space requirements. On the other hand, the workstation-based CMTH cluster is entirely independent of ICT with its own LDAP and user storage servers.

With departmental facilities like these, many research users have no real need to use central services other than the network and DNS look-up servers, and there should be no need for research systems to be policed in the way ICT envisage. The College has a perimeter firewall and ICT are at liberty to run penetration/security tests on any systems they are unhappy about.

Andy

On Tue, 22 Nov 2022, David Colling wrote:

Hi All,

I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.

As some of you know ICT are increasingly confining what people can do on college machines,  even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).

In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:

service: Office365 (including sharepoint, email, OneDrive teams etc) Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access the the email.

[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]

Service: ICIS (Payslips, expenses claims etc) Access: Secure web access should be enough.

Service: Starfish Access: Secure web access is sufficient.

What other services are needed and how?

Other comments:

- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.

So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.

Best, david

_______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk <mailto:Physics-Departmental-Computing@imperial.ac.uk> https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-compu <https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-compu> ting

Dear all Plasma also rely on ssh, scp to access HPC (both college’s and external) For OneDrive / Office 365: web access is OK, but it is much better to use the dedicated apps so files are stored locally and remotely, and you have full app functionality For ICIS there is a distinction between the “self-service” part (individual payslips, my training, my expenses) and parts like purchasing. I agree with the previous comment that the distinction between a “research machine” and a “teaching machine” is spurious. We carry one laptop around that MUST be able to do both. Best wishes Stuart ______________________________ Prof Stuart Mangles (he/him) Professor of Laser-Plasma Physics Imperial College London I’m sending this email now because it suits my schedule. I don’t expect you to read or respond to it until it suits yours. ________________________________ From: physics-departmental-computing-bounces@imperial.ac.uk <physics-departmental-computing-bounces@imperial.ac.uk> on behalf of Bantges, Richard J <r.bantges@imperial.ac.uk> Sent: Wednesday, November 23, 2022 9:23:49 AM To: Colling, David J <d.colling@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk> Cc: Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>; Pearse, Will <will.pearse@imperial.ac.uk>; David Colling <david.colling@gmail.com> Subject: Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop Hi David, (CC: everyone else) Having just read Andy Thomas' reply, I think SPAT's research requirements are fairly similar, particularly concerning SSH, SCP, SFTP access to our Linux servers within the College and external to institutions globally. I will compose a separate reply once I've consulted with SPAT members, in particular those heavily involved with Space and Earth Observation missions in SPAT. An immediate question I had from reading your email was whether ICT has indicated if it is to define new distinct classes of systems, e.g. Research, Teaching, Student, Admin, etc.. that all (desktop/laptop) systems will have to fall into. I think the latter two already exist, but I anticipate those heavily involved in teaching (/supervision) will want to understand whether a Research class system can be combined with teaching (e.g. multiple "roles"), or whether these are being siloed? SPAT's Linux servers are already being actively scanned for vulnerabilities by ICT's Nessus scanning software (which is still in a development phase), although I've been pushing for a standard research Linux server build for at least a decade, and the closest I got was a dedicated "bantges" PXE menu option allowing me to install OEL 7 in an emergency. Your email implies that individual Group's servers are being treated separately from research desktops and laptops, but please say if this is my misunderstanding. Rich -----Original Message----- From: David Colling <d.colling@imperial.ac.uk> Sent: 22 November 2022 20:17 To: Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk> Cc: David Colling <david.colling@gmail.com>; Pearse, Will <will.pearse@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk> Subject: Services needed on a research computing desktop and laptop Hi All, I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments. As some of you know ICT are increasingly confining what people can do on college machines, even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s). In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are: service: Office365 (including sharepoint, email, OneDrive teams etc) Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access the the email. [I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one] Service: ICIS (Payslips, expenses claims etc) Access: Secure web access should be enough. Service: Starfish Access: Secure web access is sufficient. What other services are needed and how? Other comments: - I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal. So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this. Best, david _______________________________________________ Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-computing

Hi All, For those of you who can make it we will have a meeting to discuss managed devices tomorrow at 12:00. I have another meeting at 13 but that should give us plenty of time. For thos of you actually in college and want to meet in person, I have booked Blackett 532. For those wishing to join on teams the coords are: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Name: Managed Devices Start: Mon Nov 28 2022 12:00:00 GMT+0000 (Greenwich Mean Time) End: Mon Nov 28 2022 13:00:00 GMT+0000 (Greenwich Mean Time) Id: ff530f5e-239f-4f72-814e-bc10308feea9 URL: https://teams.microsoft.com/l/meetup-join/19%3ameeting_Y2RiNzI0ODQtZDJlZS00Y... xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx If you cannot make it tomorrow and want to send in a contribution by email in advance then please do so although I do suspect thatn almost everything has already been said. Best, david