Director’s Blog
2007 October

October 11, 2007

CalAgenda DST issue returns

Filed under: random — Tom Holub @ 10:43 am

Mary Wielski wrote an article this spring on Daylight Saving Time issues within CalAgenda.  The issue mentioned in that article is coming back this month; because of the change to the dates of Daylight Saving Time, any repeating meetings which were created before December 29, 2006 are off by one hour in CalAgenda, for meetings scheduled between October 28 and November 4.

There is no way to automatically fix this issue, because the CalAgenda server doesn’t know what time period you originally intended to schedule the meeting for.  So, make sure to check any standing meetings that have been in place since 2006 to see that the times are correct for this time frame.  You may also want to look forward to 2008 and 2009 and check the same March and October time frames for accuracy.

October 10, 2007

L&S computer configurations on The Scholar’s Workstation site

Filed under: administrative, announcement — Tom Holub @ 4:40 pm

For several years now, I’ve coordinated a bulk purchase of computers for L&S units. The idea of the bulk purchase is to save us the time we spend configuring identical or nearly-identical computers one at a time, and the extra 10-20% more we spend for those computers than we would if we bought them all together. Purchasing in bulk just makes sense.

However, coordinating the bulk purchases has been challenging. The vendors give me pretty tight timelines, so there’s not much opportunity to publicize the deal before the deadline for the discount expires. I always get requests from managers the day after the deal expires. And the rest of the year, managers have to decide whether to buy a computer when they need one, or wait for the bulk purchase to save a little money.

So this year, I’m trying something new. In collaboration with The Scholar’s Workstation, I’ve managed to get a web page for L&S computer recommendations placed on the TSW web site. This page will include Dell desktops, and Apple desktops and notebooks, with discounted pricing and our configuration recommendations. I plan to add Windows laptop configurations as well. We will keep the page current, so you’ll be able to get our recommendation and pricing any time during the year, not just during a two-week period in September.

I think this will work a lot better for L&S than the bulk purchase program did; the challenge will be keeping up with the changes in products and technology.

October 8, 2007

Web application security

Filed under: tech — Tom Holub @ 2:42 pm

A departmental web manager recently asked me what she could do about the security of the web-based databases she had recently inherited. There are generally two classes of web attacks I see on campus: exploitation of known problems in open-source web-based systems (such as Mambo, phpwebsite, phpBB), and specific attacks on insecure aspects of a home-grown application.

The former are far more prevalent. A typical attack vector is to search Google for sites which are running known-insecure versions of a package, break into those sites, run malicious code (often leaving “zombies” in place to participate in spamming), and try to leave back doors to get back into the machine. Usually these attacks are not directed at the department in question; the hackers are just looking for a machine to use for their own purposes.

The latter are less prevalent, but can be more problematic, as they are more likely to represent an attack directed at the department or the application in question. However, I’ve also seen some examples of hackers attacking a departmental application simply because it was easy to find holes in.

In either case, you want to follow good coding and administration practices to reduce your risk. Never have world-writable directories within the web hierarchy. Any time you get input from the user, test that input for validity, ideally with a positive rather than a negative test (that is, test “does the input contain only A-Z and 0-9?” rather than “does the input not contain |’”/\, etc.?”). If you install someone else’s software (open-source or not), put yourself on the mailing list for security updates, and install those as soon as they are available. If you customize someone else’s software, realize that upgrading it will be challenging in direct proportion to the extent that you’ve customized it.
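As an added illustration of the positive-test advice above (example code, not from the original post; the function names are assumptions), here is a PHP allowlist check beside the denylist check it replaces, run over a few constructed inputs that show where the denylist falls short:

```php
<?php
// Added example, not from the original post: a positive ("allowlist") input
// check beside the negative ("denylist") check the post argues against.
// Function names and sample values are constructed for this illustration.

// Positive test: accept only what we expect (here, a short alphanumeric record id).
function is_valid_record_id($input) {
    // The D modifier makes $ match only at the very end, so a trailing
    // newline cannot slip through the way it would with a plain /^...$/.
    return is_string($input) && preg_match('/^[A-Za-z0-9]{1,32}$/D', $input) === 1;
}

// Negative test: reject the characters we happen to know are dangerous.
function looks_safe_denylist($input) {
    return is_string($input) && strpbrk($input, "|'\"/\\") === false;
}

// Constructed sample inputs, one per case worth seeing.
$samples = array(
    'abc123',                // legitimate id: both checks accept
    "abc' OR 1=1 --",        // quote character: both checks reject
    "abc\r\nSet-Cookie: x",  // CRLF, no denylisted char: denylist accepts, allowlist rejects
    '%27%20OR%201%3D1',      // URL-encoded quote: denylist never sees a quote, allowlist rejects
    "abc123\n",              // trailing newline: denylist accepts, allowlist rejects
);

foreach ($samples as $s) {
    printf("%-30s allowlist=%s denylist=%s\n",
        json_encode($s),
        is_valid_record_id($s) ? 'accept' : 'reject',
        looks_safe_denylist($s) ? 'accept' : 'reject');
}
```

A value that passes the allowlist still has to be escaped or bound as a parameter when it reaches the database; validation narrows the input, it does not replace proper quoting.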

Breaking into computers is no longer the province of 14-year-olds with too much time on their hands; it’s now a huge business with ties to organized crime. Access to compromised machines and applications is sold on the black market. Attacks continue to become more sophisticated, and our practices need to change to keep our machines and data safe.

I should remind you that PHP 4 has reached the end of its support life; we currently have a PHP 5 server up and running if you want to test your code before we go live with the new version around the end of calendar 2007. Mail sysadmin@LS if you are interested in getting a test directory in the PHP 5 installation.

Posts and comments on this blog are the opinions of their authors, and do not necessarily represent the opinions of LSCR, the College of Letters & Science, or the University.