Robert G. Brown wrote:
> Also to be remembered is that in most situations where one user exploits
> another's account or takes another's data INSIDE an organization, the
> best security tool is known as a "sucker rod".  Or a hammer.  Applied,
> none too gently, to a user's fingers or the side of their head.
>
> Or (if you are in one of these silly environments that frowns on actually
> causing physical pain to users:-) you can use the "throwing them off of
> the system, permanently, so hard that they bounce" which can have highly
> deleterious effects on their ability to e.g. finish a dissertation.  Or
> in a corporate environment, one can "fire them and prosecute".

I definitely agree with that. Technical solutions must be adopted in case of technical problems, but technical solutions can't solve non-technical issues.

Users sharing an account is not a technical issue, that's a social behavior, which has to be addressed via legal/political/educational measures.

> Security costs cycles, and cycles are precious.

It's also that security, from the academic users' standpoint, is a useless burden, which sits in their way most of the time, and prevents them from doing their work. At least that's often their perception. That's why education is so crucial, and helping them understand that the damn sysadmin who puts security checks everywhere is actually working on their side, to keep them safe, to improve their compute tools' uptime, and to prevent the results of their computations from getting published before they even have a chance to retrieve their files. And usually, they care about that last one.

> security in an environment where your office is down the hall from the
> user's office, where the department chair and policy are on your side,
> where you have clear ways to identify and punish misbehaving
> individuals.

Well, yes. But it may also happen that even though the department chair is on your side, punishing certain misbehaving individuals is not that easy...

> Once somebody sitting in some internet cafe in Germany

Eh! What about Germany? :)

> A good systems manager is just a tiny notch this side of being a raving
> paranoid.  Perhaps a "muttering" paranoid.  They only rave if they catch
> you being bad, often carrying a sucker rod...:-)

That's an issue too. The vigilance windows may be as wide as human resources allow, but there will still be periods of time where nobody watches and where malicious users could do their bad things without being noticed. That's where technical measures can help, by limiting the damage a user can do, by restricting the scope of their actions (without preventing them from working either, remember that the main purpose of an HPC system is to produce computation results), and by notifying the sysadmin in case something fishy happens.

Anyway, in the case we're talking about, technical solutions would definitely help contain the fire, but to prevent it being lit, there has to be some political will from the user side.

Cheers,
--
Kilian
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org