2. Perspectives

2.1. Grid Computing in Oxford

The average desktop computer is more than powerful enough for the average user. It has more than enough CPU speed, disk capacity and network bandwidth for the general work for which it is employed. Moreover, since it is replaced after 3 to 5 years of service, the average desktop computer is actually increasing in capacity and capability over time. Yet, 90% of the time it sits idle. The hard disk space is generally less than half full. And the network that the computer connects to rarely reaches full utilisation. Given that the investment in both computers and networking hardware within the University is a not insignificant proportion of departmental and college budgets, the question arises: can the potential of all this equipment be realized? Could the under utilised computing resources within the University be better utilised?

Meanwhile, the questions being asked by researchers require greater and greater computing resources. This requirement will only get larger. Fortunately, the field of grid computing offers some approaches to this desire to match up computing resources with those who need them.

One approach has been the development of screensavers or agents which do useful work when the computer is otherwise idle. Examples of such projects include SETI@home and the World Community Grid. Within Oxford University there have been a number of such projects:

  • The Cancer Screensaver project (http://www.chem.ox.ac.uk/curecancer.html) is aiming to screen 3.5 billion molecules for cancer-fighting potential. Over 3 million computers have joined the project with over 410,000 years of CPU time contributed.

  • The climateprediction.net project (http://www.climateprediction.net/) aims to produce forecasts of the climate over the next century. The project does this by running state-of-the-art climate models many thousands of times with slight tweaks to the approximations that the models make. The models are run to simulate the earth's climate decades into the future. To date over 9 million "model years" have been simulated with over 120,000 simulation runs completed.

For this screensaver approach to be used for a research problem, the data and computation needs to be split up into "downloadable chunks". Over and above the effort of migrating code to fit into a screensaver, effort is required to foster a community of people who volunteer time on their computers. This is not a trivial amount of effort, but the benefits in terms of work done can be enormous.

Another approach is the development of grid "middleware", or software that enables the linking of computing resources into a grid. This has been an active of research across the world and within the UK e-Science Core Programme in the last few years. Within Computing Services there are two projects which are deploying grid middleware.

OxGrid is Oxford University's Campus Grid project. OxGrid will provide the infrastructure for researchers to submit work to computing resources within the University. Individual desktop computers will be pooled together to provide a set of resources to which computational jobs can be submitted. Various cluster installations (systems with "nodes" which are connected by faster interconnection hardware for running parallel computing jobs) around the University will also be part of OxGrid. Work on OxGrid began over summer 2005 and will shortly be launched.

Computing Services is also involved in the National Grid Service (NGS) which is a project providing grid infrastructure to UK academia. Over the past year, the Oxford node of the National Grid Service (http://www.ngs.ac.uk/) has been running as a production level service, having provided service to early adopters since April 2004. The 128 CPU high performance cluster at Oxford is one of a set of nodes across the country that have been used by many researchers within Oxford and across the country to run computations from a wide variety of fields including molecular dynamics simulations, heart modelling, bioinformatics. It is planned that the OxGrid interface will provide access to the NGS resources for Oxford users who are also NGS users.

Being part of a grid involves more than just installing grid middleware. Working across different administrative domains (between Oxford departments, colleges and other units, and in the wider national and international context, between universities and other institutions) can introduce additional difficulties, but also benefits.

Realising the power of grid computing is about more than just providing access to computing resources. Researchers should be able to have seamless access to wider resources without being bogged down by the overhead of doing work ?on the grid?. This has been a major focus of the UK e-Science programme. There are also a number of projects within Oxford investigating Virtual Research Environments (http://www.vre.ox.ac.uk/) which aim to provide integrated environments for the entire research process including providing access to grid resources.

Grid computing links together computing resources providing access to computing power that might otherwise be unused. Research problems which in the past might have been too large can now be considered and tackled. Grid deployments in Oxford aim to provide a common interface to the grid resources within the University and beyond.

2.2. The leading edge of advice and guidance

Setting up a national advisory service for UK further and higher education can be a daunting task. Tripling its size (from 1 to 3 staff) due to user demand and at the request of the funder in the course of its first year of operation is definitely a challenge. However, when the subject impacts every institution, and more particularly every institution's central computing service, it is only fitting that the University of Oxford is involved and that OUCS is where this effort is located.

OSS Watch (http://www.oss-watch.ac.uk/) is the national advisory service on open source software. Based within the Research Technologies Service of OUCS, and funded by the Joint Information Systems Committee (JISC), OSS Watch provides unbiased advice and guidance to senior IT decision-makers in universities and colleges across the UK. Virtually every institution has some use of open source software. In many cases it provides the secure, practical and cost-effective solution to infrastructure needs, as with the GNU/Linux cluster on which runs the Herald Webmail service at Oxford. In other cases, it is software developers who need assistance. They may be seeking best practice in open source development methodologies. Or they may be coming to grips with the challenges of intellectual property rights (IPR) and open source licensing and business models within an institutional environment where these are not yet well understood.

Oxford University Computing Services is both the host of and model for OSS Watch. Decisions concerning software deployment are best based on the technical requirements of the case in hand, be these security, interoperability, or robustness issues. The question as to whether the solution is proprietary or open source is secondary. What is needed is the right tool for the job. That's why Oxford settled on Bodington (known locally as WebLearn) as its centrally supported virtual learning environment (VLE). The potential for cost savings from this freely available open source solution is a pleasant bonus. But rational IT decisions need to be taken on the basis of the technical arguments and, of course, as in this case on the pedagogical arguments from potential users of the software.

It is this kind of good practice that OSS Watch promulgates across the UK, often pointing to Oxford as an exemplar. Working with stakeholders to promote appropriate institutional engagement with open source software is both a practical and policy matter. OSS Watch has worked closely with JISC to formulate an open source policy for JISC services and projects. This will impact ICT in universities and colleges across the UK. Equally important though is finding ways to work within existing university policy to enable participation in open source projects by staff and researchers.

2.3. Constant vigilance - security in the electronic age

Social engineering? The latest new degree course on offer at Oxford? No, it's the Machiavellian art of luring someone into committing a security breach such as handing over their password or credit-card details, or opening a virus-infected file. The trick is to make the request sound authoritative or as if it comes from some familiar trusted source, or preferably both. Many Oxford email users had first-hand experience of this in 2004 when they woke up one Saturday morning to find messages purporting to be from their local IT Support:

Subject: Your Account is Suspended For Security Reasons
         
Dear Oucs Member,
We have temporarily suspended your email account.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an
internal error within our processors.
See the attached details to reactivate your Oucs account.
Virtually yours,
The Oucs Support Team

In this instance, the "attached details" contained the MyTob virus which turns off security applications, blocks access to anti-virus websites, and attempts to open a 'back door' onto the computer, allowing a hacker to access the system. Within hours of Mtyob's appearance, OUCS had set up mail blocks and by Monday, the anti-virus companies had produced protective updates. The majority of users were streetwise enough to spot the quirky wording and spelling mistakes, and did not open the message's attachments. However, some did fall for the beguiling message with over 200 machines being infected and needing help with recovery. In July 2005, MyTob variants were still accounting for 7 out of the top 10 reported viruses.

An unfortunate side-effect of the growth in social engineering is that it has become increasingly difficult for OUCS to use email for making genuine service-related announcements such as reminders about password expiry.

More conventional forms of attack on the University network continued unabated throughout the past year. External scans of the Oxford network, looking for vulnerable machines, averaged around 5,500 a month. The smarter scans try to avoid detection by drip-feeding their probes over several days but can still be detected by OUCS's sophisticated network monitoring equipment.

A favourite target continues to be password hacking. In the past year, around 200 password hacking attempts a month were detected on the Oxford network. Each attempt may try up to 10,000 different passwords from a large 'dictionary', highlighting the importance of choosing secure passwords. This has become even more crucial with the advent of single-sign-on (SSO) where a single login and password give access to a number of different services. Webauth, the OUCS SSO service for web-based applications, was this year extended to WebLearn, with Webmail and other systems soon to follow. SSO is a boon for users, but anyone who uncovers an SSO password immediately gains access to a multitude of resources. Hence the increasing need for passwords to be hard-to-guess and changed periodically - something that, unfortunately, is not always popular with users.

A compromised account not only allows a hacker access to confidential information, but is a highly valuable foothold into the system from which to initiate further attacks. The most subtle hacks don't do any immediate damage but stay quietly harvesting information for months on end.

Viruses, too, have continued to evolve in sophistication. In the case of the recent MyTob-AT attack, the virus periodically updated itself to a new version over the network so as to try to avoid detection. During the past year, preparations began for the rolling out of a major new release of Sophos, the University's site-licensed anti-virus product distributed by OUCS. Our negotiations with Sophos resulted in an agreement that all users of the new release would be able to receive automatic updates direct from Sophos, thereby much reducing the delay and effort involved with the current release. Sophos now offers protection against over 100,000 viruses.

It has been shown that a machine running the Windows operating system that lacks up-to-date service packs and patches can be compromised within a few seconds of connecting to the network. To reduce such vulnerabilities, 15,000 copies of the OUCS Windows patch CD were distributed in September 2004, with every new undergraduate receiving a copy in their welcome pack. Persuading users to keep their systems fully updated continues to be a challenge.

The University mail system continues to be a target for both emails containing viruses and for the inexorable rise in junk mail or 'spam'. During the past year, around 70% of all incoming messages were immediately rejected by our mail relay for various reasons, for example a non-existent address or containing a known virus. At peak times of virus activity, over 100,000 infected messages an hour have been intercepted by the mail system.

Of the 30% that were accepted into the system, around 47% were probably spam, as indicated by the spam ratings applied to each message by the SpamAssassin software used by the OUCS mail systems. In other words, for every 'good' mail you get, another one is filtered, and another 5 are rejected outright.

2.4. Healthy Growth for Virtual Learning

It's been a busy year for the University's institutional virtual learning environment, known locally as WebLearn. WebLearn is based on the Bodington software and is being developed by staff situated in the Learning Technologies Group with OUCS. This has been the first full year of large scale development and a large amount of external funding 1 has allowed the team to grow to five members meaning that the development effort has been greater than initially envisaged.

Over the last year we have focused on: integration with local systems and services (such as the student records systems and the Oxford single sign-on service ("Webauth")); updating the look and feel; the introduction of new facilities to improve usability (such as copying and timed-release of resources); the introduction of new tools (such as logbooks, reading-list and 'quick-links'); and general bug-fixing.

The availability of WebLearn has had a positive effect on learning and teaching at Oxford with a number of departments making heavy use of its facilities. For example, a programme which uses online learning to take Oxford University teaching to health professionals has won a University award for innovative use of WebLearn.

The University's OXTalent IT in Teaching and Learning Award 2005 was given to Oxford's Department for Continuing Education's Evidence Based Health Care (EBHC) programme, a part-time postgraduate course. The programme's use of a virtual learning environment means that the students, who are health professionals based all over the world, can study online whenever suits them.

The EBHC programme provides education and training in the principles and practice of Evidence Based Health Care for professionals working in all aspects of health service.

Dr Janet Harris, Academic Director of the EBHC programme, said:
Our programme makes fantastic use of a virtual learning environment, WebLearn. Our course administrators developed this online teaching resource so that our students, who are all studying part-time and spend a maximum of only three weeks per year in Oxford, can access information supporting their studies whenever suits them and wherever they are in the world.

The WebLearn team wishes to encourage more innovative uses of the system. There are a myriad of facilities that can be used to add extra value to most courses and an active user community exists for tutors to swap ideas and tips for effective embedding within teaching or research. If you want to find out more about WebLearn then visit (http://www.weblearn.ox.ac.uk/) or contact weblearn@oucs.ox.ac.uk

2.5. Electronic access management in Oxford (and beyond...)

Access management to library, research and a whole host of other resources within the University began centuries ago. Originally this would have been achieved by the handing out of keys to buildings and rooms or by persuading the scary looking chap in the bowler hat outside the gate to let you in.

Today, such resources - from ordering a book, to reading email or accessing a genetics database - are largely provided electronically, often via a web browser. And the equivalent of the chap in the bowler hat is still necessary. The University now has licences with resource-providers that permit authorized staff and students to gain access to those resources. Each of these users also has personal information or data that may be held on a central database, data only the owner of which should have access to be able to change. Together these establish the two basic concepts involved in access management:

  • who - the personal information that identifies who someone is
  • what - the roles someone has, e.g. a University staff member, which may be a prerequisite for gaining access to certain resources

In many cases, the what can be more important than the who. Indeed, there are some cases where we might need access without needing to answer the what question. The right to read anonymously - even on line - is actively pursued in the USA, and is gaining interest here in the UK. Furthermore, researchers in 'sensitive' disciplines may need a guarantee that they cannot be traced easily in order to protect themselves from over-zealous activists or extremists.

To this end - and also to make other things a lot easier - many researchers in the UK are now working on implementing an access management architecture known as Shibboleth 2. Shibboleth will work with almost any authentication system, from usernames and passwords in Oxford's Webauth 3 to digital certificates 4, as used in the UK e-Science Grid 5. It also provides a means whereby important role information regarding the user may be passed securely to resources on the web so that they can make authorisation decisions.

Members of staff in the Systems Development and Support team have implemented the Webauth 6 system developed at Stanford University in the USA to provide single sign-on (SSO) facilities for web services. This has been available throughout the University since January 2004 and has been highly successful as more and more resources internal to the University become 'Webauth ready' and can be accessed after logging in via the Webauth interface. The University virtual learning environment (VLE), WebLearn, was also updated to allow Webauth logins in April 2005, and the Webmail service will follow suit later this year.

It is likely that, in future, the Webauth system may be used to access external resources via Shibboleth. In fact, developments to this end are about to be undertaken as a partnership between the Systems Development and Support team and the Shibboleth-enabled Portals and Information Environments (SPIE) project. The SPIE project is funded by the Joint Information Systems Committee (JISC) to demonstrate the effectiveness of Shibboleth in providing integration between institutional and national information environments, especially via enhanced portals and portlets. In addition to this ground-breaking research, long term benefits to Oxford researchers should become apparent.

Another Shibboleth research project being undertaken within OUCS - this time within the Learning Technologies Group - is the Guan Xi project, in partnership with the University of Highlands and Islands Millenium Institute. Also JISC-funded, the Guan Xi project is using the Shibboleth architecture to investigate ways in which to assist students and researchers to share resources within the Bodington VLEs based in UHI, Leeds, Manchester and Oxford. This should mean that learning objects and course materials in the VLE within one institution can be accessed by appropriately authorised users from another institution. In effect, a Weblearn user in Oxford, for example, could seamlessly create an account for him/herself in the Bodington VLE in Leeds, where the two institutions are collaborating.

Shibboleth is also being considered as an aid to accessing resources on the UK e-Science Grid. The Evaluating Shibboleth and PKI for Grids (ESP-GRID) project has naturally followed on from the work of the recently completed Digital Certificate Operation in a Complex Environment (DCOCE) project. Both projects arose within the Research Technologies Service, which is also home to the OUCS parts of the Oxford e-Science Centre. The Shibboleth system could mean that many grid users either do not need to use digital certificates or could minimise their exposure to them. The project is also re-appraising the suitability of the Public Key Infrastructure (PKI) technology and personal digital certificates and whether these are really necessary for grid computing.

OUCS is a leading centre in the research into access control methodologies, and their implementation. National initiatives towards improving the experience of researchers with respect to access management and in improving security are supported strongly by the work of OUCS. Oxford's Computing Services has a high national research profile in these areas. Such initiatives should result in a better experience for researchers and in increased security, both from the view of the resource providers and of that of the researchers in organisations such as Oxford.

Up: Contents Previous: 1. Introduction Next: 3. Service reports

Notes
1.
Mainly from the Joint Information Systems Council (JISC)
2.
You can find out more about Shibboleth at http://shibboleth.internet2.edu/
3.
An introduction to Webauth at http://www.oucs.ox.ac.uk/webauth/
4.
See http://www.dcoce.ox.ac.uk/background/index.xml?ID=whatare for a background to digital certificates
5.
For an introduction to e-Science, see http://www.nesc.ac.uk/nesc/define.html and http://www.rcuk.ac.uk/escience/ for the UK e-Science Grid
6.
General background can be found at http://www.stanford.edu/services/webauth/