Security Breach

There are moments that every CIO and IT administrator dreads.  One of them, possibly highest on the list of dreaded moments, is when a system administrator comes to you and says “one of our servers has been compromised”.    When that happens, you must immediately start thinking about technological, legal and social issues all at once.  If possible, you also have to try to keep track of what you are learning as the situation unfolds. And these situations always unfold — you never have all the information right at the outset.

At CIS, we had one of those dreaded moments on the afternoon of January 5th.  That’s when we discovered that unauthorized attempts to log in to several of our servers had been successful earlier in the day (at 2:15am).  It was the vigilance of an IT administrator at the Claremont Consortium that first drew our attention to a problem: he had noticed a number of unsuccessful login attempts, all coming from one machine on our network.

The Sakai server was one of the servers that had been compromised.  You will remember that HMC is the “lead college” for Sakai; we provide the Sakai service to all the other Claremont Colleges.  And people keep a lot of data on Sakai, so this was potentially a very serious security breach.  If data had been accessed, we would have had to notify everyone in Claremont and possibly much further afield. Reluctantly, we made the decision to take Sakai offline for a full investigation.  A team of six people from HMC and CUC spent most of January 6th working on this issue, and on creating a new Sakai server for use in case it was needed.  We determined that the intrusion had been minimal (a six-second login, probably automated and designed to establish the fact that the account had been compromised). By the evening of January 6th we were able to bring Sakai back online.
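The signal that surfaced this incident, a run of failed logins from one source followed by a short successful one, is straightforward to look for in authentication logs. The following is an added example, not code from the original newsletter or from CIS: it parses sshd-style syslog lines, counts failed password attempts per source address in a sliding window, and records when a source that was guessing then logs in successfully. The log lines are constructed for the example (the host name, users and 192.0.2.x / 198.51.100.x addresses are placeholders), and the three-failures-in-five-minutes threshold is an assumption to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth-log lines in the format sshd writes via syslog. The
# host name, users and 192.0.2.x / 198.51.100.x addresses are placeholders
# (RFC 5737 documentation ranges), not anything from the original newsletter.
SAMPLE_LOG = """\
Jan  5 02:13:40 web1 sshd[4021]: Failed password for root from 192.0.2.17 port 51022 ssh2
Jan  5 02:13:52 web1 sshd[4023]: Failed password for invalid user admin from 192.0.2.17 port 51030 ssh2
Jan  5 02:14:05 web1 sshd[4025]: Failed password for sakai from 192.0.2.17 port 51041 ssh2
Jan  5 02:14:20 web1 sshd[4027]: Failed password for sakai from 192.0.2.17 port 51055 ssh2
Jan  5 02:14:48 web1 sshd[4029]: Failed password for sakai from 192.0.2.17 port 51060 ssh2
Jan  5 02:15:02 web1 sshd[4031]: Accepted password for sakai from 192.0.2.17 port 51071 ssh2
Jan  5 02:15:08 web1 sshd[4031]: pam_unix(sshd:session): session closed for user sakai
Jan  5 08:30:11 web1 sshd[5102]: Failed password for alice from 198.51.100.9 port 40012 ssh2
Jan  5 08:30:30 web1 sshd[5104]: Accepted password for alice from 198.51.100.9 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")


def parse_auth_log(text, year=2010):
    """Turn matching lines into (timestamp, result, user, source) tuples.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # session open/close lines and other noise
        stamp = "%d %s" % (year, " ".join(m.group("ts").split()))
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    return events


def flag_password_guessing(events, threshold=3, window_seconds=300):
    """Flag sources with >= threshold failed logins inside a sliding window and
    record it if that same source then logs in successfully (the 'guessed it'
    case, which is the one that needs incident handling rather than a firewall
    rule). Threshold and window are assumptions; tune them for your site."""
    recent = defaultdict(list)  # src -> timestamps of failures still in window
    flagged = {}
    for ts, result, user, src in sorted(events):
        fails = [t for t in recent[src] if (ts - t).total_seconds() <= window_seconds]
        if result == "Failed":
            fails.append(ts)
        recent[src] = fails
        if len(fails) >= threshold:
            entry = flagged.setdefault(src, {"failures": 0, "success_user": None})
            entry["failures"] = max(entry["failures"], len(fails))
            if result == "Accepted":
                entry["success_user"] = user
    return flagged


if __name__ == "__main__":
    for src, info in flag_password_guessing(parse_auth_log(SAMPLE_LOG)).items():
        verdict = ("LOGGED IN as %s" % info["success_user"]) if info["success_user"] else "still failing"
        print("%s: %d failures in window, %s" % (src, info["failures"], verdict))
```

Run against the sample, only 192.0.2.17 is flagged: five failures in the window and then an accepted login as sakai, which is exactly the sequence that should page someone at 2:15am. The single failed attempt from 198.51.100.9 followed by a success is an ordinary typo and stays quiet.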

The machine (a desktop) that was attempting to reach other systems had itself been compromised, but the starting point of this attack was a departmental web server, which had been compromised some time in December. The departmental web server had been subject to a “SQL injection attack”: the attacker feeds a web application input containing quote characters and SQL fragments, the application pastes that input unchecked into the queries it sends to its database, and so the attacker’s text runs as part of the query, which can end up giving the attacker control of the machine. Once the hackers had gained control of the web server, they waited and captured some usernames and passwords that allowed them to move on to another machine.
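To make the SQL injection mechanism concrete, here is an added example in Python with SQLite; it is not the departmental server’s code, and the table, accounts and passwords are constructed for the demonstration. The first function builds its query by string formatting, so a crafted username ends the quoted literal and turns the rest of the WHERE clause into a comment, and the check passes without the password. The second binds the values as parameters, so the same input is just a username that does not exist.

```python
import sqlite3

# Constructed demo accounts. Plaintext passwords are used only to keep the
# example short; a real application stores salted password hashes.
DEMO_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", DEMO_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Injectable: the user-supplied strings are pasted into the SQL text, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same check with parameter binding: the SQL text is fixed and the driver
    passes the values separately, so input can only ever be compared as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# A classic injection payload: closes the username literal and comments out the
# password check ("--" starts a comment in SQLite, as in most SQL dialects).
PAYLOAD = "alice' --"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "not the password"))  # alice
    print("hardened:  ", login_hardened(db, PAYLOAD, "not the password"))    # None
```

The vulnerable function ends up executing `SELECT username FROM users WHERE username = 'alice' --' AND password = 'not the password'`, which SQLite reads as a query for alice with the password test commented away. Parameter binding is the fix the page’s “lock down production servers” item implies for web applications; input filtering alone is not, because the SQL text is still being assembled from strings.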

I am glad to say that we got the attack under control very quickly and that no data was exposed. We learned many lessons in the process.

Changes we’ve since made include:

  • reviewed all production servers for signs of compromise
  • locked down production servers
  • changed all system administrator passwords
  • introduced better password management policies for our system administrators
  • solicited information from security firms for vulnerability scanning

We will be performing vulnerability scanning on servers managed by CIS and are interested in working with departments to provide the service to them too.

We were fortunate this time.

Please keep in mind that your own security practices contribute to the overall security of the network to which all of our systems are connected.  Make sure your system is kept up to date with security patches, that you are running anti-virus software, and that you are running only the services you need to run (e.g. don’t run a web server if you don’t need to).  You’ll find a (Flash-based) tutorial on digital self-defense from the Rochester Institute of Technology at  If you have any questions or concerns, please make sure to contact the CIS Help Desk at or (909) 607-7777.

LabSTOR update

Harvey Mudd College is a member of a consortium called LabSTOR.  In fact, we helped set it up, along with Allegheny, Middlebury and Occidental.  LabSTOR uses Apache software called VCL (Virtual Computing Lab) that was originally created at North Carolina State University.  It is designed to allow remote access to computing environments that include applications usually found only in campus computing labs, hence the “virtual computing lab” moniker. It also allows for high performance computing (HPC) on the same infrastructure as is used for the virtual labs.  The advantages of doing this through a consortium include reduced costs and, potentially, more bargaining power when it comes to negotiating license agreements. It also allows one to rethink how physical space is used.


In early January, Longsight, the company that we have contracted with through NITLE, brought the system up and began arranging training for the people on each campus who will be creating “images” (virtual environments that contain an operating system and applications) that can be run through LabSTOR.  It was very exciting and gratifying to see this happen, since it seems so long ago that I had the first conversations with Rick Holmgren (CIO, Allegheny).  Throughout the Spring Semester LabSTOR will be in pilot mode.  At the end of the semester each institution will be deciding whether to proceed to full production in the Fall.

We plan to test ODE Architect in this environment.  If you have ideas about other applications we might put in LabSTOR (e.g. something you have to go to a lab to use, either a lab managed by CIS or one managed by a department), then please let us know.  We will work with the vendor to ensure that we comply with licensing terms and then try the application out in the virtual lab.

For more information see:

LabSTOR blog at

Earlier news item:



ODE Architect:

Notes on experiments in Cloud Computing

If you read the technical media, you know that “cloud computing” is a phrase that is much in vogue these days.  There’s lots of debate as to precisely what “cloud computing” means, and there are lots of sub-categories to get a handle on too:

  • Software as a service
  • Platform as a service
  • Infrastructure as a service

 At CIS and indeed across the College, we’ve been keeping an eye on these developments and experimenting with cloud computing for some time.  Here are some examples.

Formstack (formerly FormSpring).

The old way:  whenever someone needed to create a form on the HMC site, they contacted our “webmaster” and then went back and forth discussing how a form should look, while the webmaster made changes to a set of Perl CGI scripts.  The new way: end users log on to Formstack and create their own forms using a drag-and-drop interface in the browser.  Features like encryption of data and email notifications are easy to turn on.

This experiment has so far been a hit with users, especially administrative staff. We’ve used it for alumni surveys, HR forms and lots of others.  Users really like the fact that they can design the forms themselves and that turnaround time is a matter of minutes, not days.   We are not entirely satisfied with the rudimentary data analysis tools that Formstack provides, even though they are improving all the time.  So we are looking at other online survey creation tools as well.


Google Apps

Some 47% of our students currently use Gmail as their primary email provider, per our Fall 2009 survey.  In the engineering department, many faculty, staff and students use Gmail and Google Calendar as their primary email and calendar systems.  There’s clearly interest in this form of cloud computing.   Google Apps for Education is a different offering that we are currently experimenting with. It differs from the public version in several key ways, notably the absence of advertising and a contractual agreement recognizing FERPA obligations.


Jumpboxes are pre-built virtual machines that contain one or more dedicated applications.  They provide a web-based interface for managing the virtual machine.  The idea is to provide a ready-to-run virtual server.  We’ve been experimenting with Jumpboxes in partnership with a hosting company out of Chicago. is one site that needed an instance of WordPress.  It took two or three emails and about 15 minutes of work to get them up and running.


Bluelock is one of a group of companies that are offering on-demand access to virtual machines, based on VMware’s technology.  Via a web browser, one builds a “virtual data center” with virtual servers (Windows and Linux).  You can manage the virtual servers from anywhere (as long as you can get to a web browser) and you can power them on and off as needed.  The pricing model is based on usage.   In general, cloud computing offerings are priced in a “pay as you go” fashion.  One thing we have to do is analyze how much it is costing us to provide similar services in house so that we can get a good understanding of whether services like Bluelock’s are a viable supplement to our own efforts.


This is a fun one.  Presentations online in a format that is very different from good old stolid PowerPoint. Elizabeth Hodas has done several of her conference and in-house presentations using this tool, and enjoys it greatly.  It takes an approach that is very different from PowerPoint, using the idea of a large canvas on which you create presentations and zoom in and out to work your way through the presentation.  It’s worth a few minutes of your time to take a look at  Or chat with Elizabeth about her experiences.

I’ve mentioned virtual machines several times. In another article, we’ll delve more into that topic.

So what cloud computing experiments have you been doing lately?  Let us know what you’ve been learning.   We’re especially interested when you find something that you think would be of interest to many HMC users.

Portal Progress

After a successful pre-registration for Fall courses, we have continued to make progress on improving the features available through the Student/Faculty portlets.

This summer, for the first time, students are able to add and drop classes through the Portal add-drop feature. Of course, students need to discuss changes with their advisors, but they don’t need to make a special trip to the Registrar’s office to deal with paperwork.

Department Chairs now have the ability to view the grades for all the courses in their departments.  If you are a Department Chair, you should see an option to “Change Semester/Instructor” on the Faculty Course Control page.  If you don’t, please let us know.

The next big project for the Portal is a version upgrade and new versions of both the Student and Faculty CRMs.   We are working now to incorporate the Claremont Colleges’ local changes into the standard versions of the CRMs in our test environment.  Testing and implementation will happen this summer.