Minutes of Smathers
Middle Manager's Meeting
December 2, 2004
Present: Joe Aufmuth, Denise Bennett, Rich Bennett, Gary Cornwell, Robena Cornwell, Michelle Crump, Trudi DiTrolio, Lori Driscoll, Iona Malanchuk, Cathy Mook, Pat Reakes, Betsy Simpson, Colleen Seale, Jan Swanbeck
Information Security Administrator
- Martha Hruska has been appointed the ISA for the Libraries. Her task will be to enforce the UF computing security policies. Bill will be the one to implement those policies.
IE Security Flaw
- Another fatal IE flaw. This one will get into your computer and take over anything, bypassing the entire security system.
- Using IE for any purpose is very risky. The current trend is that the invader does not destroy your machine, but turns it into part of an army of bots that does all the dirty work.
- We recently had a report that one of our public machines had been compromised (before we even opened in the morning) and was dispensing the Stargate TV series.
- This kind of thing can happen. Organized crime is now getting into doing it.
- We should caution folks about doing non-UF things online. Shopping networks, even banking firms, are often compromised sites. You are playing with fire when using IE.
- For the moment, ignore the MS update notices you receive. We should be switching to the new way of pushing these patches this week. Hold off; your machine should be OK for a day or two. If you have any questions, let us know.
Java Virtual Machine Problem
- Java Virtual Machine - used by Firefox. So far, they've released one security patch.
- Cute downloads are a security risk. We are not enacting a policy to prohibit their use, but it is very risky to customize University computers.
- IE is still on public machines. What to do? The public machine situation is more difficult: we can't remove IE from the machines. It can be hidden, but we can't totally remove it.
- Some sites can only be viewed in IE, rendering it a necessary evil. All we can do is keep the machines as patched as possible. The security on the public machines works better with IE.
- There is no perfect answer to this dilemma. Circa completely reboots each machine after each user. This is not a popular option within the Libraries. Our machines are aimed more toward functionality.
- We had an incident where a database had hundreds of articles downloaded straight from the site. The vendor locked out the IP that was downloading. They threatened to lock out the entire subnet. The academic department responsible for the downloading still wants to do it. People don't get it: use vs. abuse.
- Frankly, even if we transferred everything to Linux tomorrow, it would not fix the problem. IE is not good. Staff, in all possible cases, should be using Firefox.
- The latest fix to push patches will also put a gizmo on the machine that will detect if a patch is needed and patch it.
- MS has a habit of releasing patches prematurely, and then the patches cause breaks. Many times the MS update site is jammed and downloading takes forever. We'll get it once, test it and put it on our server. The mechanism to detect the need for patches has to be downloaded.
- We dropped the Shavlik patch-pushing software.
- The Java Virtual Machine patch will go out in the next few days. It is not as dire as the MS security flaw.
UF/Microsoft Software Contract
- The Microsoft contract is in play for their software. UF is set to get copies of XP. No extra charges. We are also eligible for updates to Office packages.
- Another feature: home Office use for faculty and staff. Need to figure out how it will mechanically be delivered.
- There is also the patching issue. If machines are not up-to-date on SP2, the average time for a machine to be infected is four minutes. If we are allowing this software to be installed on home machines, we have to make sure the machines are reasonably secure.
- We will try to come up with CDs that have the patches. Be sure to inform folks that after the upgrade, their operating system may not work as well; lots of things can happen when upgrading an operating system. They may not want to upgrade just because it's free. It could make for a lot of work.
Last updated December 6, 2004
by Debra Fetzer