Dispatches From The Geeks

Hi, everyone. Hope you’re staying healthy.

In this new wonderful world of working from wherever we happened to be holed up, there’s a lot more teleconferencing going on. People are using the official Argonne apps, and some people are using others. Please bear in mind the following when choosing what you’re going to do and talk about during a teleconference. This is very important if you’re doing anything with Controlled Unclassified Information (CUI) (formerly known as Sensitive Information, including Official Use Only (OUO)).

1. The only officially sanctioned options for use at Argonne for teleconferencing are Microsoft Teams and Bluejeans. CELS also maintains a Slack instance.
2. Slack is not authorized for CUI.
3. Platforms not listed above (including Zoom, Google, WebEx) are not sanctioned.

If you’re discussing anything that might be CUI, follow the guidelines below – this is a combination of information from cyber and my notes.

For any platform, the attendance should be VERIFIED. On a system like MS Teams, everyone is authenticated so names of all participants will show, unless it’s a call with dial-in numbers or external collaborators invited. Bluejeans can accept callers and guests so they would also need to be verified before CUI/OUO discussions can happen.

Teams (as long as it’s not a call with external collaborators) is configured for any CUI discussions by default (by the end of the month everyone at ANL will be MFA into the application). The only other thing people should be aware of in teams is file sharing. You could file share to a person who is on a personally owned system that does not meet LMS PROC 22 guidelines (which say MFA and encryption is required to protect CUI). So if a person shares a file that is CUI, they should verify the person receiving it has a system that can process it.

Box Plus is the officially sanctioned way to share and work with CUI. My recommendation is to keep CUI off any of the conferencing platforms and use Box.

Bluejeans is ONLY good for OUO and below data sensitivity. It still uses username/password and encryption is OFF by default, however can be turned on by the meeting moderator for an OUO discussion (BIS and Cyber are currently seeing if we can have this ON by default, but this change has not happened yet, they are still testing).

Zoom is not authorized at the lab and NO OUO or CUI discussions or files should be shared on that platform. Nor any other remote conference platform that has not been vetted by cyber. (This includes Slack.) If CUI discussions NEED to be made, we should be using Argonne’s vetted platforms. That is the whole point of having a vetted platform. Zoom’s been in the news a lot lately due to its security and privacy issues. It’s a fancy and alluring platform, but it’s not the panacea that some people thought it was.

I’m aware there are other DOE sources using Zoom, including DOE itself. Zoom’s federal tier is still OK however there is no way to detect that the person actually bought that tier of service without a cyber review. DOE owns the Federal tier of Zoom, so if it’s a DOE call THEY have the correct version. But otherwise, you must assume any other company is using the “free vulnerable tier”.

We are investigating an unplanned network outage to computers in the building 240 data center. See https://twitter.com/celssys for updates.

First of all, I owe you an apology. I was under this mistaken impression this would be communicated out via other channels, but I was mistaken. So now I’m announcing something that’s already happened, and I’m sorry about that.

Effective today, rules were put in place on our Office365 services to prevent forwarding mail to non-Argonne addresses. This is primarily a part of enforcing the previously announced DOE-mandated multifactor authentication for e-mail. An extra benefit to the lab is that is allows proper enforcement of eDiscovery and legal hold policies.

As with MFA, this isn’t something we in CELS have any control over, nor can we override it. But it’s a good security and data stance for the lab and its employees. All of this is geared around data security and helping us avoid inadvertently getting ourselves into trouble by exposing data we shouldn’t.

If this new change breaks something you’re doing, let me know and we’ll see if we can find a way to accomplish what you need within the boundaries of what we’re allowed to do.

Thanks.

Thanks to all who attended in person and virtually. Extra big thanks to Rob Denney from Cyber for fielding the questions I didn’t know the answer to.

The slide deck and a recording can be found at https://anl.box.com/v/StaceTalksANL (ANL login required) in the 2020 folder.

I edited out some of the dead spots in the audio and added captions for the questions I forgot to repeat. Got it down to a tight 57 minutes.

If you’ve got questions or concerns, ask me or my team (help@cels.anl.gov) and we’ll get you answers to the best of our ability. Over the next couple of days, we’ll have our docs at https://virtualhelpdesk.cels.anl.gov updated with:

* Instructions on the various unofficial and unsupported methods to use MFA (Google Auth, other TOTP methods) * Instructions on how to configure davmail
* Instructions on how to connect to nomachine.cels.anl.gov from offsite. * Form for requesting conversion of a free Slack instance to paid.

It was fun, hope you got the info you needed. Thanks!

Maintenance of our GitLab services has been completed. Please let us know if you encounter any issues by emailing help@cels.anl.gov

– CELS Systems

Beginning work to update our GitLab services at https://gitlab.cels.anl.gov and https://xgitlab.cels.anl.gov

Services will be disrupted during this maintenance window.

Service is expected to be restored by 18:00 CT and may be available sooner than that.

We will send a followup email upon completion of the work.

– CELS Systems

This has been rescheduled to next Wednesday, March 4, 1PM in Building 240, room 1416 (the big room). Thanks!

Calendar invite attached.

—

Hey, everybody! Let’s get together and talk about TLAs!*

The first TLA is MFA. That stands for Multi Factor Authentication, and that rhymes with nervous anticipation, and that ends my attempt to invoke lyrics from a movie few of you have seen because it’s an old movie even for me and now I’m depressed.

But, anyway, you’ve no doubt heard of the shift to Multi Factor Authentication at the lab (and, indeed, across DOE) for email. In fact, a good portion of you have already switched. (Hi, ALCF!) I meant to hold one of these before the big shift for everyone, and I somehow missed ALCF was on an earlier timeslot (Feb 18) than the rest of CELS, who are switching at the end of March.

So, I’d like to take the opportunity to get together, go over what’s changing, what isn’t, what will work, what won’t, and how you can get help in any of the above situations. The plan is to give a brief chat about how the process works, what we know will break, give BIS/Cyber an opportunity to answer any questions, and throw myself on the mercy of the Live Demo gods and try to show off how to configure some common clients.

But, since I’ve got your attention and will have a bunch of you in the room together, why not also take the opportunity to plug the new General Computing Environment (GCE). That’s the second TLA*. It’s kind of a BFD** in CSG.***

Rather than plaster the announcement in this mail, because this is long enough already, here’s a link: https://mcssys.wordpress.com/2020/02/17/the-cels-general-compute-environment-gce-is-live/

We’ll take the rest of the time we’ve got available to go over a brief overview of the GCE as it stands, answer questions you may have.

Hope to see you there!

*Three Letter Acronym

** Big Freakin’ Deal

*** CELS Systems Group (okay, I’m reaching)

—

Craig

A maintenance window of our GitLab services has been planned for 2020-02-27 at 17:00 CT in order to update the software.

GitLab services provided by gitlab.cels.anl.gov and xgitlab.cels.anl.gov will be unavailable during maintenance.

Service is expected to be restored by 18:00 CT, and may be available sooner than that.

If this window poses undue inconvenience please let us know, we can reschedule if needed.

– CELS Systems

With the low on-site attendance due to weather, I’m going to reschedule this to a better day. Will send an announcement when it’s booked. Sorry for the inconvenience.

Hey, everybody! Let’s get together and talk about TLAs!*

The first TLA is MFA. That stands for Multi Factor Authentication, and that rhymes with nervous anticipation, and that ends my attempt to invoke lyrics from a movie few of you have seen because it’s an old movie even for me and now I’m depressed.

But, anyway, you’ve no doubt heard of the shift to Multi Factor Authentication at the lab (and, indeed, across DOE) for email. In fact, a good portion of you have already switched. (Hi, ALCF!) I meant to hold one of these before the big shift for everyone, and I somehow missed ALCF was on an earlier timeslot (Feb 18) than the rest of CELS, who are switching at the end of March.

So, I’d like to take the opportunity to get together, go over what’s changing, what isn’t, what will work, what won’t, and how you can get help in any of the above situations. The plan is to give a brief chat about how the process works, what we know will break, give BIS/Cyber an opportunity to answer any questions, and throw myself on the mercy of the Live Demo gods and try to show off how to configure some common clients.

But, since I’ve got your attention and will have a bunch of you in the room together, why not also take the opportunity to plug the new General Computing Environment (GCE). That’s the second TLA*. It’s kind of a BFD** in CSG.***

Rather than plaster the announcement in this mail, because this is long enough already, here’s a link: https://mcssys.wordpress.com/2020/02/17/the-cels-general-compute-environment-gce-is-live/

We’ll take the rest of the time we’ve got available to go over a brief overview of the GCE as it stands, answer questions you may have.

Hope to see you there!

*Three Letter Acronym
** Big Freakin’ Deal
*** CELS Systems Group (okay, I’m reaching)

Add to my calendar