1CERN Computer Newsletter • January–March 2006

CERN COMPUTERNEWSLETTER

Volume 41 Number 1 January–March 2006

CNL – the early years It is 1966. The Soviet Luna 9makes the first controlledspaceship landing on the Moon.John Lennon announces that theBeatles are more popular thanJesus. Mao Tse Tung’s Little

Red Book is published. Englandwins the football World Cup atWembley Stadium. And the first CERN Computer Newsletter

is circulated! To celebrate CNL’s 40th

anniversary, we look back atsome of the highlights andhistorical curiosities of the earlyyears of computing at CERN, asreported in the newsletter.

Why was there a need for CNL? “As computing becomes a moreand more widespread andcomplex activity in thelaboratory, the need willincrease for a means to have awider general circulation ofbackground information aboutdifferent aspects of computingactivities than is possible withthe present system of ComputerNotices.” (February 1966, fromthe introduction to the first

issue by G R Macleod, the leaderof the Data Handling divisionfrom 1964 to 1975.)

Ancestor of the Helpdesk“The Enquiry Office […] has hadto cope with enquiries on bothour installed machines and alsoto adapt themselves to therapidly changing demands dueto the running on outsidecomputers.” (March 1966)

“The principal purpose of theoffice is to help programmers inobtaining useful results from thecomputers. Advice is given onsuch topics as speeding upprograms, better use ofmagnetic tapes as well as on the problems of debugging.Suspected machine faults areanalysed and discussed with theCDC engineers.” (February 1967)

CERN’s first computer expires“The Ferranti Mercury [...] hasnow been dismantled […] Thecomputer was the first to beinstalled at CERN and remainedas the only machine until thearrival of the IBM 709 in 1961.”(July 1966)

CNL celebrates40th birthdayEditorial

CNL celebrates 40th birthday 1Announcements & newsComputing featured in this month’s CERN COURIER 3CERN network database clean-up project begins 3Non-Admin tackles Windows security 3Videoconferencing with HERMES 3Computer Centre opens to the public 3Students invited to apply for openlab 3EU funds EGEE-related projects 4Tim Berners-Lee starts blog for ‘semantic stuff’ 4Desktop computingCERN enforces Web-authoring encryption to ensure security 5LCG newsPROOF will analyse LHC data 6Grid technology helps UNOSAT to tacklehumanitarian challenges 7Canada’s TRIUMF is home to ATLAS Tier-1 centre 7Technical briefsA ‘defence-in-depth’ strategy to protect CERN’scontrol systems 8Conference reportUS HEPiX attracts large audience 10Information cornerUsers must be suspicious when reading e-mails 11IT database staff gain Oracle 10g certification 12Recent changes to IT services 12Calendar 12

Editors Nicole Crémel and Hannelore Hämmerle, CERN IT Department,1211 Geneva 23, Switzerland. E-mail: cnl.editor@cern.ch. Fax: +41 (22) 7668500.Web: cerncourier.com/articles/cnl.

Advisory board Wolfgang von Rüden (head of IT Department), François Grey (ITCommunication team leader), Christine Sutton (CERN Courier editor), Tim Smith(group leader, User and Document Services).

Produced for CERN by Institute of Physics PublishingDirac House, Temple Back, Bristol BS1 6BE, UK. Tel: +44 (0)117 929 7481. E-mail: jo.nicholas@iop.org. Fax: +44 (0)117 920 0733. Web: iop.org.

Published by CERN IT Department

©2006 CERN

The contents of this newsletterdo not necessarily represent theviews of CERN management.

Contents

▲▲

The Ferranti Mercury was CERN’s first “central” computer. It was

installed in building 2 on 30 June 1958. The Mercury’s performance did

not compare to the simplest of today’s pocket calculators. Its clock

speed was a modest 1 MHz and its RAM capacity was 2000 20-bit words.

Editorial

2 CERN Computer Newsletter • January–March 2006

The end of Fortran?“● FORTRAN: FORmulaTRANslating. The most commonlyused program language exists inmany versions e.g. CERN Fortran.● ALGOL: From Algorithm. A moreadvanced language now availableon many computers but rarelyefficient for production work. ● PL1: The new programminglanguage specified by the IBMusers’ organization (SHARE) and IBM to supplant Fortran.”(April 1966)

Un problème de traduction“Le Comité d’Etude des TermesTechniques Français nous priede soumettre à l’appréciation denos lecteurs spécialisés dans lecalcul automatique le choix destermes français proposés enremplacement des termesanglais hardware et software […]

“HARDWARE: équipementmatériel et ensemble desappareils formant unecalculatrice électronique.

“SOFTWARE: en oppositionavec le terme précèdent,désigne tout ce qui vients’ajouter aux calculatricesélectroniques pour permettre,faciliter, assouplir et accélérer letraitement de l’information.

“Cet ensemble comprend,notamment, les relèves d’undouble jeu de mots en anglais.L’acception banale de hardware

est quincaillerie et c’est parplaisanterie que ce mot estappliqué à la partie matérielled’une calculatrice. Le motsoftware fait contraste avechardware (hard = dur; soft =mou) pour désigner ce qui, endehors du matériel, estindispensable au fonctionnementde la calculatrice.

“Traductions proposées: […] 1) hardware = MATERIEL 2) software = PROGRAMMAIREou PERIGRAMME.” (June 1967.Articles were sometimes writtenin French in the early days.)

Online in the swinging sixties“FOCUS is the acronym for aFacility for On-line Computationand Updating Services. It is aproject to give an improvedcomputing service for the on-line users. These users are thegroups who require data linkconnections between their own satellite computer and thelarge central computers.”(September 1967)

CERN computing and democracy“The following pressannouncement was madeconcerning the use of the CDC3800 for the election dataprocessing.

“Meyrin-Genève: unordinateur du CERN, un CDC3800, a effectué le

dépouillement électronique desbulletins de votations desElections fédérales suisses auConseil national et au Conseildes Etats. Cette opération faisaitpartie d’un contrat entrel’Administration cantonalegenevoise et l’OrganisationEuropéenne pour la RechercheNucléaire.” (November 1967)

Not quite the Web“ITIRC, IBM TechnicalInformation Retrieval Center,has developed an evolutionarycomputerized textualinformation system […] fordocument storage, retrieval,current awareness,dissemination, and preparationof special tools such as indexlistings, bulletins, KWOC, etc…This is to service within IBM, itsmultithousand internationalcommunity of line and staffpersonnel.” (April 1968)

GUI, seventies style“Over the last six months therehave been two additions to thetypes of graphics devicesconnected to the centralcomputer installation. TheFOCUS system has had threeTektronix T4002 storage tubedisplays added as terminals, anda Ferranti ARGUS 500 computerwith a refreshed display,keyboard, tracker ball and light

pen has been attached to the6600. For these devices the userwrites his program for the 6600using the graphic softwaresystem GD-3 […] the file can bereturned to FOCUS where the TVcommand allows the user toview the output on the T4002screen. In the latter case theuser may expand a part of thepicture, superpose pictures orcompare frames side by side.”(November 1970)

A computer centre is born“At the Finance Committee on12th February 1970 twoadjudication papers werepresented concerning the newcomputer building […] Theadjudications were for the air-conditioning plant, and thecivil engineering work. Thebuilding will be about 75 m longby 50 m wide, with three floorsabove ground level and abasement, and will be built closeto the new CERN restaurant onthe South side of the sitebetween the ISR and the PS.”(March 1970)

“The nearly completed newcomputer building, building513, which will house the CDC7600 computer system, islocated in the French sitesandwiched between the newrestaurant and the booster.”(January 1972)

The newly built computer centre, building 513, as it looked in June 1972.

The CDC 3800 was used to process

Swiss election data in 1967.

The CDC 6400 with control console

(centre) and tape decks (right).The front page of one of the early issues of CNL, dated 14 March 1966.

Announcements & news

3CERN Computer Newsletter • January–March 2006

Computing featured in this month’s CERN Courier The articles listed below appearin the January/February 2006issue of CERN Courier. Full-textarticles and the rest of theissue’s contents are availableat www.cerncourier.com.

Computing News● ETICS assures quality on the GridEU-funded project will improvethe coherence of Grid software.● Grid researchers get one onlineidentityA new Grid federation will givescientists access to global data.● Python developers swap ideasNews from the 2005 EuroPythonconference in Göteborg, Sweden.● SC|05 showcases high-energycomputingGrid scientists flock to Seattle.● CNL is 40 years oldEarly days of computing at CERN.● Meeting highlights Grid potentialCERN and UNESCO host event.● Middleware has two importantadditionsNMI-R8 eases resource security.● W3C improves features fortransforming and querying XMLW3C issues recommendations.

IT products and calendar

Feature articles● Tackling the challenge of latticeQCDFermilab’s commodity solutionfor lattice QCD goes online.● Towards a read–write WebSecurity efforts by LCG and EGEEunite the Web and the Grid.● Globus Toolkit upgrade aids theGrid communityGT4 offers major improvementsin terms of performance.

The network database is a key element of the CERNnetwork infrastructure. It isessential that its information iskept up to date, for securityreasons and to ensure thesmooth running of the networkinfrastructure. Over the yearssome of the information in thedatabase has become obsolete;the database therefore needs tobe cleaned up, for which we arerequesting your help.

In the coming weeks you mayreceive an e-mail from Netops.database@cern.ch relating tothe clean-up. If you receive sucha message, it will be for one ofthe following reasons:● You are responsible for or are

the main user of a system forwhich a problem has been found. ● You have been the supervisorof a person who has now leftCERN (according to the HumanResources database). ● The problem has been passedup to you because someoneunder your supervision has nottaken the necessary actionwithin four weeks of notification.

Just open the link that will beincluded in the message andfollow the instructions. Thankyou in advance for your help.IT Department, CommunicationSystems and Network Group● The above article was alsopublished in CERN Bulletin

50–51/2005 (December 2005).

CERN network databaseclean-up project begins

Two more of CERN’s experimentalfacilities have been added to thetours offered by the VisitsService. The public can now visitthe COMPASS experiment andthe Computer Centre.

The Computer Centre hasalways been a popular place tobring visitors, and the growingpublic awareness of CERN’s Gridactivities is increasing thedemand. More than 1000 peoplepassed through during CERN’sopen day in October 2004, and itwas one of the most popularoptions on the site.

The first batch of guides hasnow been trained. During thetour, visitors will find out moreabout the development of theGrid and its importance to CERNand the global scientificcommunity. Visitors will also beable to appreciate the amount ofcomputing power required toprocess data from the LargeHadron Collider, by comparingtheir own PCs with the thousandsof new desktop computers.

The Visits Service now offersseven sites. For more details,refer to http://cern.ch/visits.

Computer Centre opens to the public

From 16 January, Windows XPNICE installations (both newcomputers installed and oldcomputers re-installed) will nolonger grant administrativeprivileges by default to the mainuser or to the personresponsible for the computer.

Administrative privilegesenable the user to performadministrative actions, such asinstalling new applications orchanging system settings. Untilnow these privileges have beenenforced each time machinesare rebooted, but this riskscompromising the computerevery time a code from anunknown source (e.g. e-mailattachment) is executed.

To enable users to continue

to install software and changesystem settings on theircomputers, a shortcut calledNiceAdmin in the Start/Programs menu will offer ameans of performing certaintasks that require administrativeprivileges, but only on demand.

Users with valid reasons to bea permanent administrator fortheir machine will still have thisoption. However, users whowish to benefit from thisincreased security proactivelywithout reinstalling theircomputer can already sign up forthe project. More informationand the enrolment procedurecan be found at: http://cern.ch/WinServices/docs/nonadmin.The NICE team

NonAdmin tackles Windows security

The messenger of the godsbrings CERN a new service forhosting multipoint remotemeetings. HERMES is operatedby CERN together with IN2P3,CNRS and INSERM.

HERMES relies on a Codian40-port Multipoint Control Unit/videoconference bridge and issimilar to the ESnet ECS 88service. It enables high-qualityconferences that can bemanaged with great flexibility.

Current IP connectivity will besupplemented in January withISDN (video) and traditional

telephone capabilities. The service includes advanced

features such as Web streamingof conferences (using eitherRealPlayer or Quicktime) andindividual selection of theconference display style. Soon itwill also be possible to bookvideoconferences from theIndico interface.

Information about the servicecan be found at http://cern.ch/it-multimedia/HERMES.htm.(Contact videoconference-support@cern.ch.)Thomas Baron, IT/UDS

Videoconferencing with HERMES

The CERN openlab studentprogramme is open forapplications from bachelor,master and Ph.D. students incomputing and physics.

Successful applicants willspend two months at CERN thissummer working on cutting-edgeGrid-related technology projects.

They will receive training in allaspects of Grids from LCG, EGEEand CERN openlab staff.

Check www.cern.ch/openlabfor details. Candidates shouldsend a CV and letter of supportfrom a supervisor to Francois.Grey@cern.ch. The closing datefor applications is 31 March.

Students invited to apply for openlab

Submitted by Tim Berners-Lee 12 December 2005 at http://dig.csail.mit.edu/breadcrumbs/blog/4:“In 1989 one of the mainobjectives of the WWW was to bea space for sharing information.It seemed evident that it shouldbe a space in which anyone couldbe creative, to which anyonecould contribute. The firstbrowser was actually a browser/editor, which allowed one to editany page, and save it back tothe web if one had access rights.

Strangely enough, the webtook off very much as apublishing medium, in whichpeople edited offline. Bizarely,they were prepared to edit thefunny angle brackets of HTMLsource, and didn’t demand awhat you see is what you get

editor. WWW was soon full oflots of interesting stuff, but not a space for communaldesign, for discource throughcommunal authorship.

Now in 2005, we have blogsand wikis, and the fact that theyare so popular makes me feel Iwasn’t crazy to think people

needed a creative space. In the mean time, I have had theluxury of having a website whichI have write access, and I’veused tools like Amaya and Nvuwhich allow direct editing of webpages. With these, I haven’t feltthe urge to blog with bloggingtools. Effectively my blog hasbeen the Design Issues series oftechnical articles.

That said, it is nice to have amachine to the administrative

work of handling the navigationbars and comment buttons andso on, and it is nice to edit in amode in which you can tolimited damage to the site. So Iam going to try this blog thingusing blog tools. So this is forall the people who have beensaying I ought to have a blog.

Thank you for the comments.”

Submitted 19 December 2005: “Oops! Thanks for all the

wonderful welcoming comments.We’ve had rather a lot, and hadto turn the comments off on thefirst blog. I can’t answer them all,but I would point out one thing.I just played my part. I built onthe work of others – the Internet,invented 20 years before theweb, by Vint Cerf and Bob Kahnand colleagues, for example, andhypertext, a word coined by TedNelson for an idea of links whichwas already implemented inmany non-networked systems. I just put these technologiestogether. And then, it all took off because of this amazingcommunity of enthusiasts, whohave done such incredible thingswith the technology, and are stilladvancing it in so many ways.

By the way, this blog is at DIG,the Decentralised Informationgroup at MIT’s CSAIL. I intend itto be geeky semantic web stuffmostly. For example, it won’t befor W3C questions which shouldbe addressed to working groups.

So thanks for all the support,no need for more general ‘thankyou’ comments! Thank *you* all.”

Announcements & news

4 CERN Computer Newsletter • January–March 2006

EU funds EGEE-related projectsOne of the primary goals of theEnabling Grids for E-sciencE(EGEE) project is to integratethematic and national Gridprojects to support the rapidlyemerging European Gridinfrastructure. EGEE hastherefore always had closerelations with other Gridinitiatives such as DEISA, SEE-GRID and DILIGENT.

The EU has recently fundedmany new projects in areas thatare closely related to the workof EGEE. These projects can besorted into three categories:infrastructure, application andsupport (see figure).

Infrastructure projects work intwo ways: either they providenew sorts of infrastructure (suchas the DEISA supercomputerGrid), or they extend existingGrid infrastructure and networkcapacity to new geographicalregions. This regional model forinfrastructure extension is nowalso being adopted for China,the Mediterranean area, the

Baltic States and Latin America. Application projects use the

Grid infrastructure to servevarious goals but also help tounderstand the requirements of

users and feed these back intothe Grid development. Two newapplication projects, Health-e-Child (computationally intensiveresearch in paediatrics) and

BIOINFOGRID (bioinformatics),will soon come online.

Support projects includeinitiatives that will contribute tothe development of the Grid,enhancing the impact andeffectiveness of infrastructureand application projects. The e-Infrastructures ReflectionGroup (e-IRG) receives supportin the form of the e-IRG SupportProject. ISSeG (led by CERN) willwork in the area of site securityfor Grid computing. BELIEF willhelp European Grid projects todevelop contacts worldwide withindustry, while the ICEAGEproject aims to advanceeducation about the Grid. ETICS(led by CERN), will bringtogether facilities for softwareconfiguration, integration,testing and benchmarking toenable developers to ensure thequality and compatibility of theirproducts. (See also “ETICSassures quality on the Grid”(p13) in the Jan/Feb issue ofCERN Courier.)

support projects

infrastructure projects

applications projects

Active projectsNew projectsSep 2005 proposals

KeyBaltic Grid

DEISA+eDEISA

EUIndiaGridEUChinaGrid

SEE-GRIDEUMedGrid

SEE-GRID 2EELA

BELIEF

ETICS

ICEAGE

ISSeG

eIRGSP

OMII – Europe BIOINFOGRID

Health-e-ChildGRIDCC

DILIGENT

EGEEEGEE-II

Ongoing, new and proposed projects that are funded by the EU.

Tim Berners-Lee starts blog for ‘semantic stuff’

Sir Tim Berners-Lee and his blog (photomontage).

Desktop computing

5CERN Computer Newsletter • January–March 2006

Web authoring is the action ofediting a website’s content,typically using Web-authoringapplications such as MicrosoftFrontPage or MacromediaDreamweaver.

To ensure documentconfidentiality and to protectuser passwords from possibletheft, all Web-authoring actionswill be required to useencryption as of 15 February.

The instructions about usingFrontPage or Dreamweaver havebeen modified accordingly onthe CERN Web Services site athttp://cern.ch/web. All usersare encouraged to apply the newinstructions immediately.

Here are some questions andanswers about this change. Ifyou need more help, pleasecontact the helpdesk orweb.support@cern.ch.

Who does this change concern?All persons who use FrontPageor Dreamweaver to edit awebsite that is hosted centrallyby CERN Web Services.

Why is this change taking place?Authoring a website requiresthat you supply your user nameand password. If the Web-authoring application does notuse a secure, i.e. encrypted,communication channel toconnect to the Web server, thereis a risk that your password may be stolen. By requiring anencrypted communicationchannel, your password isprotected from theft.

How does it affect me?From 15 February it will not bepossible to author a websitewith FrontPage or Dreamweaverwithout using encryption.

Whether or not encryption is used depends on how thewebsite is opened in your Web-authoring application. Thismeans that you may have tochange the way you open yoursite in Dreamweaver orFrontPage if you do not yet use encryption.

This change affects only theuse of FrontPage or Dreamweaver

to edit a website. There is noimpact on the actual website, itsfunctionality or its contents.

How to ensure encryption is used?● FrontPage: start FrontPage, goto the File menu, Open site… andtype the URL https://mysitename.web.cern.ch/mysitename (notethe “s” in “https”), then click“Yes” if a security alert appears(figure 1).● Dreamweaver: change yoursite definition to use the Local/Network connection method,with path \\mysitename.web.cern.ch\mysitename.

For more details, read theonline instructions about usingFrontPage or Dreamweaver toedit a website on http://cern.ch/web/docs/AuthDoc/EditWeb.

Note that both FrontPage andDreamweaver remember howyou last edited your website, sothat you can re-open thewebsite more quickly the nexttime. It is likely that your currentshortcut or site definition is notusing encryption.

As a result, you have to fullyfollow the instructions at leastonce to create new shortcuts or site definitions that useencryption, before you can usethe shortcuts again.

Why do I get a security alert withFrontPage?To encrypt communications with the Web server, FrontPageuses the HTTPS (Secure HTTP)protocol. HTTPS communicationsrequire that the Web serverprovides a digital certificate thatproves its identity. If FrontPagecannot verify the Web server’sidentity, a security alert isdisplayed to the user.

Since HTTPS supports onlyone identity per Web server, theWeb server always identifiesitself with its actual name (e.g. webh01.cern.ch) even if awebsite is opened in FrontPageusing the website’s name (e.g.mysitename.web.cern.ch).FrontPage detects this namemismatch and shows thesecurity alert. You can click“Yes” to proceed.

How do I remove the security alertin FrontPage?For the security alert not toappear, the website must beopened in FrontPage using thename of the actual server that ishosting your website. The servername is visible in your website’sproperties on http://cern.ch/web.

For instance, if the websitemysitename is hosted on serverwebh01, use the URL https://webh01.cern.ch/mysitename(instead of https://mysitename.web.cern.ch/mysitename) inFrontPage. This will match thename on the digital certificatethat proves the server identity,and the alert will not reappear.

Note that the actual servername for your website canchange from time to time. Pleaserefer to your website’s propertiesfor the latest information.

FrontPage seems to freeze when Iopen my website.Sometimes FrontPage mayappear to freeze when you try toopen a website. It is actuallywaiting for you to click on thesecurity alert message box thatis hidden by the main FrontPagewindow (figure 2).

The solution is to use the taskbar to bring the hidden messagebox to the front.

What will happen if I try to connectwithout using encryption?After 15 February, if you do notuse encryption your Web-authoring software will reportthat it cannot find your website.

What should I do if Dreamweavershows the following error message:“The desired action could not becompleted because an unexpectedclient/server communication erroroccurred” (figure 3)? You are probably trying toconnect without encryption.Follow the instructions fromhttp://cern.ch/web/docs/AuthDoc/EditWeb to open yourwebsite using encryption.

What should I do if FrontPage showsthe following message: “The folder‘http://test-frontpage.web.cern.ch/test-frontpage’ isn’t accessible. The folder may be located in anunavailable location, protected witha password, or the filenamecontains a / or \” (figure 4)?See answer to previous question.

I cannot open my site in FrontPagefrom Internet Explorer.The Edit with Microsoft Officebutton in Internet Explorer willnot work anymore, because thisfeature does not use encryption.Alexandre Lossent, IT/IS

CERN enforces Web-authoringencryption to ensure security

Fig. 1 (left): security alert from

FrontPage. Fig. 2 (above): use

the task bar to bring the hidden

message box to the front.

Fig. 3: Dreamweaver message when connecting without encryption.

Fig. 4: FrontPage message when connecting without encryption.

LCG news

6 CERN Computer Newsletter • January–March 2006

The Large Hadron Collider (LHC)experiments will generate hugeamounts of data, and specialmethods will be needed toanalyse them efficiently. Nosingle computer will be able tocrunch the data in a reasonableamount of time.

The only way to cut analysistime to an acceptable level is touse parallelism. Depending onthe amount of data, parallelismcan be employed on multicorelaptops, local clusters or globaldistributed clusters, i.e. the Grid.The challenge will be to providethis parallelism transparently sothat users won’t have to worryabout how to access all of theseresources in parallel.

The ROOT frameworkFrom the mid-1990s, the ROOTsystem was developed to offerthe functionality needed tohandle and analyse largeamounts of data. ROOT, which isan object-oriented framework,offers an extensive set of toolsfor data storage, analysis andpresentation. The data aredefined as objects, and specialstorage methods are used to getdirect access to the separateattributes of the selected objects,without having to touch the bulkof the data. The system wasdesigned to query its databasesin parallel on parallel-processingmachines or on computer clusters.

ROOT is the preferred dataanalysis environment for theLHC experiments, so the ROOTteam has increased its efforts toprovide a system that will giveefficient access to manycomputers in parallel.

PROOF provides transparencyThe Parallel ROOT Facility(PROOF) enables distributed datasets to be analysed interactivelyin a transparent way. It exploitsthe inherent parallelism in datafrom uncorrelated events via amulti-tier architecture thatoptimizes I/O and CPU use inheterogeneous clusters withdistributed storage. Being partof the ROOT framework, PROOFinherits the benefits of aperformant object-orientedstorage system, and statisticaland visualization tools.

PROOF requires the analysisto be run via “selectors” thatcontain user code that is calledby the PROOF worker nodes.PROOF opens the ROOT filesthat are to be analysed and triesto optimize the data-accesspatterns so that workers readdata locally or via the high-performance xrootd file servers.Since many PROOF selectorstypically are I/O bound, theefficiency of the data-accessinfrastructure largely determinesthe efficiency of the system.

Selectors are a universal wayof processing ROOT files and canbe run transparently in a localROOT session or on a PROOFcluster. Selectors can beinterpreted with CINT or compiledon the fly with the ACliCmechanism (ROOT’s transparentC++ compiler interface). The usercode in the selectors can accessexperiment or user sharedlibraries, which can then beuploaded, compiled and installedwith the PROOF packagemanager. This mechanismenables PROOF cluster nodes tohave a different architecture,operating system or compilerfrom the platform on which theuser developed the code.

Suitable for long-running jobsInitially PROOF was developedpurely for interactive analysis,with queries lasting no morethan several tens of minutes andoperating in synchronous mode– i.e. the lifetime of a PROOFsession was determined by thatof the client session. We haverecently extended PROOF tosupport the “interactive batch”mode, in which a user can closethe local client session while thePROOF query continues to runon the remote cluster. The usercan later reconnect to thePROOF cluster to inspectprogress or get the results offinished queries.

The advantage of usingPROOF for long-running jobs(instead of splitting the analysisinto multiple-batch jobs, eachrunning over part of a data set)is that the selector and analysismodel does not changedepending on the length of thequery or the size of the data set.This means that a more dynamicand interactive monitoring of theintermediate results is possible.

PROOF can also be distributedover several sites if data setsspan more than one site. In thiscase, PROOF has to operate

with the Grid file and metadatacatalogues, and authenticationand job-submission systems.

Typically, a user will query the file catalogues for a data set to be analysed. The locationof the files in the data setdetermines where PROOF workernodes have to be started by theGrid job-submissions system.Once the PROOF worker agentsare started, the user’s clientsession will connect to themaster and the queries can beexecuted (see figure). Aprototype of this model, whichcombines AliEn (the ALICE filecatalogue and job-submissionsystem) with PROOF, wasdemonstrated at the 2005Supercomputing conference.

This year the ROOT team willimprove PROOF and help theLHC experiments to integrate itinto their analysis and Gridenvironments.

Further information● ROOT – http://root.cern.ch;● xrootd – http://xrootd.slac.stanford.edu;● CINT – http://root.cern.ch/root/Cint.html;● AliEn – http://alien.cern.ch.Fons Rademakers, PH/SFT, CERN

PROOF workers

PROOF

PROOF workers

PROOF

PROOF submasterserver

PROOF

PROOF masterserver

PROOF workers

user session

proofd start-up

PROOF

guaranteed site access throughPROOF submasters calling outto master (agent technology)

Grid service interfaces

TGrid UI/Queue UI

Grid access control service

Grid/root authentication

Grid file/metadata catalogue

client retrieves listof logical files (LFN + MSN)

slave servers access data viaxrootd from local disk pools

ROOT

Multi-tier PROOF architecture with the client talking to a master, the master talking to the submasters, and

each submaster talking to a group of worker nodes. In a Grid environment the location of the submasters

and workers will be determined by the location of the data files that are to be analysed.

PROOF will analyse LHC data

TRIUMF, Canada’s nationallaboratory for particle andnuclear physics, will host a Tier-1 centre for the ATLASexperiment. By 2008 the centrewill include 1900 kSI2k of CPUpower, 1000 TB of disk storageand 730 TB of tape storage.Funding has been requestedfrom the Canada Foundation forInnovation. A review isscheduled to be held in January2006, and a decision is expectedby February.

Canada’s current involvementin the LCG includes developingand deploying middleware forthe Grid. In particular, TRIUMF,which is located in Vancouver, is

hosting several LCG site/clustersolutions. These include: ● a modest, fully fledged localLCG cluster; ● a gateway that unitesresources at Canadianuniversities and makes themaccessible to LCG as one site,via a computing element thatuses CondorG technology (this isa unique Canadian initiative, seewww.gridX1.ca); ● a development cluster that is dedicated to the servicechallenges on which LCGbaseline services are deployedand tested. The main focus atTRIUMF last year was to set upthe components to participate in

all aspects of LCG ServiceChallenge 3, such as disk-to-diskand disk-to-tape transfersbetween CERN and TRIUMF, anddisk-to-disk transfers betweenTRIUMF and several Canadianuniversities that were acting asTier-2 centres; ● a distinct LCG executor basedon CondorG (and hosted byTRIUMF and Simon FraserUniversity), which has doubledATLAS’s overall capacity forproduction and job submissionon the Grid. This was crucial tocomplete the Monte Carlosamples that were needed forlast year’s ATLAS PhysicsWorkshop, held in Rome.

The networking resources areprovided by CANARIE, and at themoment comprise 2 ×1 Gbit/sdedicated lightpaths that weremade available in spring 2005and used in Service Challenge 3last summer. A 10 Gbit/s line isnow being commissioned andshould be available in the firstquarter of 2006.

In June 2005 a temporary10 Gbit/s lightpath betweenCERN and TRIUMF was availablefor several days. This lightpathwas used for various transfertests. A sustained transfer rateof 2.33 Gbit/s was achieved. R Tafirout, TRIUMF; MCVetterli,Simon Fraser University/TRIUMF

LCG news

7CERN Computer Newsletter • January–March 2006

Patricia Mendez Lorenzo is partof the LCG Experiment andIntegration Support Team atCERN. Normally she supportsALICE, helping LCG sites to installand run the ALICE software. Butlast summer she was assignedan additional task: to help gridifysatellite imagery applications forUNOSAT, a United Nationsinitiative that provides thehumanitarian community withaccess to satellite imagery foruse in crises such asearthquakes and tsunamis.

CERN has hosted the UNOSATteam for the past four years, sothat it can benefit from CERN’ssubstantial IT infrastructure andInternet access. Tapping intoCERN’s Grid know-how wasanother reason, and last year a summer student project,supervised by Mendez Lorenzoand Einar Bjorgo of UNOSAT,provided an ideal opportunity topush forward on this front.

With Sean Moran, a studentfrom Cambridge University, theybegan by transferring some3.5 TB of data on the Asiantsunami to the CASTOR storagemanagement system. They thenset up a software infrastructureto enable the UNOSAT team toaccess the data using standardLCG tools. At the same time,Mendez Lorenzo and Bjorgo

created a virtual organization for UNOSAT, with a view toextending this to other sitesaround the globe that UNOSATcollaborates with. In this way, infuture this sort of data can bestored in a truly distributed way.

With members of the ARDAproject, led by MassimoLamanna, Bjorgo and MendezLorenzo implemented metadataapplications that enable storeddata to be searched according togeographical co-ordinates. They

also interfaced computer-intensive UNOSAT programs toLCG. These programs can heavilycompress satellite images fortransmission over low-bandwidthconnections to relief workers inthe field. Mendez Lorenzo hascontinued to test these Gridapplications and was invited topresent the results at a workshopduring the 1st IEEE InternationalConference on e-Science andGrid Computing in Melbourne,Australia, in December.

“Gridifying an application likethis from zero is gratifying,” saidMendez Lorenzo, “because youget to develop the wholeinfrastructure and seeapplications run in a relativelyshort time.” The UNOSAT teamis equally enthusiastic, and isalready planning the next stageof this development project – toadapt more of the UNOSATsoftware suite to the Grid – withMendez Lorenzo and LCG.François Grey, IT/DI, CERN

CERN’s Patricia Mendez Lorenzo and UNOSAT’s Einar Bjorgo have adapted satellite imagery tools to the Grid.

Canada’s TRIUMF is home to ATLAS Tier-1 centre

Grid technology helps UNOSAT to tackle humanitarian challenges

Ten years ago control systemswere restricted to dedicatedprocesses that had sparseinterconnectivity with othersystems, if at all. The hardwarewas based on proprietarytechnologies, andcommunication protocols werecustom designed or came fromonly one or a few vendors. Assuch, the control systems werecompletely (or mostly)separated from the rest of theworld and only reachable bymeans of a few dial-up modems.

From the point of view ofsecurity these systems weresafe (“security throughobscurity”), since only a fewexperts had knowledge of theprotocols and methods used,and outside connectivity waslow. Major threats were insiders(e.g. disgruntled employees)who might target the controlsystem for personal gain, orusers who badly configured thesystem. However, a recentanalysis reports that today thedominance of internal fraud israpidly being replaced bythreats created externally [1].

During the 1990s, in parallelto control systems, standardsbased on Ethernet and theTCP/IP protocol were introducedinto information technology (IT)networks. Because of theiropenness and ease of use, thesenetworks spread around theworld and became the standardfor office and business networksas well as for use at home.

However, with this openness,and because no software oroperating system is free offlaws, there was a downside inthe form of “war dialling”,“backdoors”, password sniffingand cracking, and the hijackingof user sessions.

These threats, which startedin the mid-1990s, became moresophisticated. As hackersaccumulated knowledge, newviruses and worms automatedthe attacks. Today IT is facedwith Internet Relay Chat (IRC)-based intrusions, denial-of-service attacks, botnets and

zombie machines, which canstrike with a synchronized attack from hundreds ofmachines around the world.

Control systems join IT networksMany control systems are nowundergoing a change towardsmodern IT-based solutions, withcommon IT standards beingapplied to control systems andnetworks. Proprietary fieldbuses are being replaced byEthernet and TCP/IP. Common ITprotocols such as SNMP, SMTP,FTP, Telnet and HTTP are beingused to share data from controlsystems with data warehouses,the upper management levels(“from top floor to shop floor”)and the outside world. More andmore sensors, actuators andother field devices are beingconnected to this network.

Furthermore, commercial off-the-shelf (COTS) IT hardware nowenables virtual private network(VPN) access from remotelocations (e.g. from home) to thecontrols network, and permitswireless communication with it.

On the user interface side,operator consoles andSupervisory Control And DataAcquisition (SCADA) systems arenow based on the MicrosoftWindows platform or are portedto a standard Linux installation.Notebooks and USB sticks havebecome new means to monitorand configure control systems.

Controls are open to attackHowever, the rise of modern ITin control systems and networksalso has drawbacks. The closeinterconnectivity betweencontrols and office networksenables viruses and worms tospread more easily to controlsystems. Remote VPN or wirelessaccess, notebooks and USBsticks offer new possibilities fora virus or worms to enter thecontrols network. Not tomention hackers and terroristswho might be interested intargeting controls computers toshutdown the system.

Since Microsoft’s Windowsoperating system is now the de facto platform for SCADAapplications, the correspondingcontrol PCs inherit the samevulnerabilities that office PCshave. Linux-based controls PCsdo too. Unfortunately controlsPCs cannot be patched andupdated as fast as office PCs,and some might even lackantivirus software because ofinterference with the controlprocesses. Even if these PCs aresecured, zero-day exploits mightenter before the proper patch orvirus signature file is availableor applied.

Users and operators of controlsystems are the next weak link.First they might carry infectednotebooks into the control roomor connect their infected homePC to the controls network via

VPN. Second, in the era of legacycontrol systems passwords wereknown to many people and stillare. These passwords might alsobe weak, in the sense that theyconsist of a few letters only orcan be found in a dictionary. Forconvenience, passwords mighteven be written on a sticker andfixed directly onto a terminal. Inaddition, many applications stilluse the default password or mayhave no password at all. In thepast, traceability was guaranteedowing to the restricted group ofpeople that had access to thecontrol system, but with the newinterconnectivity, passwordsniffing can be done remotelyand automatically.

Last but not least, COTSautomation systems such asprogrammable logic controllers(PLCs), power supplies andother field devices generallyhave no security integrated intotheir designs. Of a range of such devices tested at CERNwith a standard IT securityscanner for vulnerabilities, morethan 30% failed to communicateproperly [2]. Even worse,manufacturers are includingmore and more IT functionality(like e-mailing and Web servers)into these devices, which isreducing security even further.

CNIC presents mitigation strategyMore than 110 different controlsystems are now operational orunder development at CERN.These systems monitor, control,supervise and safeguard CERN’saccelerators, experiments andinfrastructure – from buildings,electricity and heating to accesscontrol, radiation protection andsafety. Many systems usetoday’s standard technologiesmentioned above. Thecorresponding PLCs, VME cratesand PCs that run Linux, LynxOSor Windows operating systemsare connected to CERN’s local-area network (LAN) using theTCP/IP protocol in one way oranother. However, apart fromthe range of IP numbers, noclear distinction has been made

Technical briefs

8 CERN Computer Newsletter • January–March 2006

A ‘defence-in-depth’ strategy toprotect CERN’s control systems

ICALEPCS 2005, where the CNIC working group presented its policy

document on protecting CERN’s control systems from cyber-attacks.

Technical briefs

9CERN Computer Newsletter • January–March 2006

between office and controlsapplications, neither fornetworking nor configuration.

To refine the use of controlsystems at CERN and to offermethods to protect them, theworking group called Computingand Network Infrastructure forControls (CNIC, see http://wg-cnic.web.cern.ch/wg-cnic)has produced a security policydocument [3]. This documentwas presented at theInternational Conference onAccelerator and LargeExperimental Physics ControlSystems (ICALEPCS05) inGeneva, Switzerland, lastOctober. The document followsclosely the best-practicestandards that are usedincreasingly in industry, and, toachieve an acceptable level ofprotection, follows a “defence-in-depth” approach. Here is anoutline of its recommendations:

● Separation of the controlsnetworks (i.e. dedicated networksfor accelerators and experiments)from the office network, andadditional segregation of thecontrols networks.

The CERN LAN now consists oftwo different physical networks:the General Purpose Network(GPN) and the Technical Network(TN). The former is used for alloffice (campus) computing andfor development, while the latteris used to run the controlsystems for all accelerators (ABand AT departments), for safetyprecautions (the safetycommission), and for site-widemonitoring (the TS department).They were fully separated, interms of interconnectivity, on 9 January.

Four additional networks areplanned or have been installedfor the LHC experiments ALICE,ATLAS, CMS and LHCb. Morededicated controls networksmight be envisaged for fixed-target experiments. Inside eachnetwork, further accessrestrictions, such as localfirewalls and network filtering,will enable the protection ofsensitive equipment.

● Channelled paths to accesscontrols networks remotely, andrules for handling notebooks,wireless and VPN connections –to protect these controlsnetworks from outside threats.

Access to each of these

controls networks is restricted.Direct data exchange is inhibitedexcept for a few “trusted”central IT services such as DNS,NTP, AFS, DFS and Oracle DB.However, users are guaranteedaccess through Linux andWindows-based applicationgateways, which require properauthorization. The use ofwireless access, VPN access andnotebooks on a controls networkare generally prohibited.Wireless and VPN accesses arestill possible from the GPNthrough the correspondingapplication gateway.

● Procedures to register devicesbeing connected to a controlsnetwork, to manage controlsystems under the responsibilityof the users, and to intervene inthe case of a security incident.

For each controls network,one or more domain managershave been appointed toimplement and follow up theCNIC security policies and adaptthem where necessary. Themanagers authorize devices thatneed to be connected to acontrols network. For this, eachdevice must be properlyregistered in the networkdatabase that is managed byIT/CS (http://networking.cern.ch). The domain managers alsofollow up security incidents withCERN’s Computer EmergencyResponse Team (CERT).

● Methods to secure controlsPCs and to centrally manage theinstallation, patching andupgrading of their operatingsystems and application softwareunder the responsibility of thecontrol system experts.

The existing installation,patching and upgrading

procedures for Windows andLinux PCs are inappropriate forcontrols PCs, since they leavelittle control to the user in termsof what to install and when toreboot the PC. To mitigate this,the IT/FIO and IT/IS groups havedeveloped new tools namedLinux for Controls (LinuxFC) andNice for Controls (NiceFC).

Each user can create one ormore sets of PCs and take overthe responsibility of these. Foreach set, the user can defineprecisely which centrallymanaged operating system andwhich application softwareshould or might be installed,and for which applicationsinstallation is denied. The userskeep full control of when theseapplications are applied andwhen to reboot the PCs.

Furthermore, no automaticpatching or upgrading will becarried out. Instead, themanager of a targeted systemwill receive e-mail notification toapply the patches as soon aspossible. However, althoughpatching is not automatic,failure to apply a patch within adefined time limit may lead to aPC being disconnected from thenetwork if it poses a risk to theoverall integrity.

● Rules on user accounts andpasswords to enforce traceability.

Users are often the weakestlink in the security chain,especially owing to their choiceof weak passwords. Furthermore,generic accounts (e.g. operatoraccounts) that are used tooperate control systems are notbound to one person, and thecorresponding passwords arefrequently known to manypeople. The CNIC policy requiresusers to employ strong

passwords. It also imposes averification of all genericaccounts and their removalwhere possible. In any case,traceability must be guaranteedin every case, e.g. throughphysical access protection.

● Raise awareness of securityissues in the users community.

Security starts with users, soCNIC has launched an awarenesscampaign to inform all users ofcontrol systems of the possiblerisks and threats. CNIC alsoorganizes weekly usersexchange meetings, whereproblems are discussed andsolutions presented. Finally, theCNIC TWiki (https://uimon.cern.ch/twiki/bin/viewauth/CNIC/WebHome) documents allCNIC-related issues and offers aplatform to discuss problemsfurther. Every user of controlsystems at CERN is encouragedto join one of these activities.

ConclusionWith the adoption of modern ITstandards by control systems,and the subsequent growinginterconnectivity betweencampus networks and controlnetworks, control systems havebecome exposed to the sameweaknesses that threatencomputer security. However,most control systems are notable to defend themselvesagainst such cyber threats.

Therefore, the CNIC workinggroup has produced a securitypolicy document that proposesvarious means of mitigating anattack. In particular, all controlsystems at CERN must beproperly secured by a “defence-in-depth” strategy. Users ofcontrol systems are invited toparticipate in this discussion. Thethreat is real, and so the primaryquestion must be “Do we actbefore or after an incident?”

References[1] E Byers, Who Turned Out theLights? Understanding theChanging Risks to CriticalControl Systems from CyberAttacks to Viruses – New Trendsin Threats and Implications, ISAEXPO 2004.[2] S Lüders, Control SystemsUnder Attack?, ICALEPCS05.[3] U Epting et al., Computingand Network Infrastructure forControls CNIC, ICALEPCS05.Stefan Lüders, IT/CO

A computer simulation of the control centre for CERN’s Large Hadron

Collider. The centre is expected to be operational by 1 February.

The autumn 2005 HEPiX meetingwas held at the Stanford LinearAccelerator Center (SLAC) on10–14 October. Confirming thetrend from last year, the USmeetings now attract as large anaudience as European meetings– more than 80 this time fromsome 27 institutes in Europeand North America.

The meeting, which wasimpeccably organized by ChuckBoeheim and colleagues,comprised a day of sessions oncollaboration tools, followed bythree days of “normal” HEPiXsessions, and finally a half dayof talks on hardware issues.

Collaboration tools dayThe first day was a review ofsome common collaborativetools, highlighting possibletrends in videoconferencing inparticular. The talks includedsome from non-typical HEPiXspeakers who had stopped atSLAC on their way to an ESnetconference in Berkeley.

The afternoon session waslargely drawn from informationgathered by RTAG12, arequirement technicalassessment group of the LHCComputing Grid project. Thesession included a summary of areport by the RTAG12 chairman,who closed his talk withpersonal suggestions on how tomove forward on the report’srecommendations. There wasalso a talk on how to select themost appropriate electronicdocument management systemtool for the International LinearCollider study.

The following collaborative

tools were presented: Wiki (atGSI, Darmstadt, and at FZK,Karlruhe); the Form Factory toolbeing built at DESY; the Indicotool developed at CERN; theSkype peer-to-peer telephonysystem over IP; the Access Gridhigh-performance videoconferences, which are widelyused in the UK; the collaborativetools in NICE at CERN (such asWebDAV access to DFS, andWindows Terminal Services); theVirtual Room VideoconferencingSystem; VACS, the home-writtenmanagement system that isused in France; and the Web-hosting services at CERN.

HEPiX session highlightsThe following are a selection of other highlights from themeeting. Please note that not allsessions are covered, and pointsare in no particular order. Moredetails can be found on the SLACwebsite(www.slac.stanford.edu/conf/hepix05/agenda.html).

● Collaboration was evidentthroughout the week, with manysystem and sysadmin toolsappearing in laboratories acrossthe HEP community; for example,Scientific Linux, Quattor, dCacheand Xrootd. At HEPiX came thefirst indication that CERN’smonitoring tool, Lemon, may bethe latest package to be of moregeneral interest.

● As at the last meeting, mostsites reporting CPU farmincreases are buying Opteronsystems – BNL and CERN beingexceptions. In this area, aninteresting set of benchmarks

performed at GridKA on differentprocessors was reported on thefinal day (see SLAC website).

● At a batch workshop follow-up,Tim Bell presented some changesmade following input at the lastHEPiX meeting. Francesco Prelz,the main Enabling Grids for E-sciencE (EGEE) batch systemdeveloper, then presented hisopen questions, which resultedin a productive exchange and aplan to move forward on a topicthat has been unresolved forsome time. It was agreed tofollow this up at the nextmeeting. Francesco said he feltthe session had been valuable,and that HEPiX had provided awelcome forum to make thishappen. The HEPiX board hasagreed to make this happen inCASPUR and perhaps in futuremeetings as needed.

● Regarding Linux, Fermilabproposed that we considermaking HEP code comply withLinux Standards Base. Therewas a discussion aboutdifferences and compatibilitybetween Scientific Linux (SL)and Scientific Linux CERN (SLC).Some concern was expressedthat CERN, unlike other labs,had issued its tailored version ofSL as a formal SLC release. Itapparently confuses some users,at least those outside CERN,who are associated with LHCexperiments. CERN either needsto reconsider this branding or toadvertise better what it is, whywe do it, and the fact that it is,or should be, binary-compatiblewith the SL from Fermilab.

● An interesting set of sessionswas held on disk and storagesystems, including DPM, SRB,Xrootd, dCache and Panasas.

Comments All CERN talks from the InternetServices groups included a livedemo. While this is not alwayspossible (Hege Hansbakkthought of doing one for LicenceMonitoring, but off-site access tothe pages is forbidden), it shouldbe considered where possible.

The organizers made adeliberate effort to scheduleseveral talks that were targetedat the physics that is happeningor is planned to take place atSLAC, rather than at our usualrange of only computingsubjects. These additional talks(given by the director, RichardMount, and by an astrophysicstheorist) were quite interesting,and the last one in particularwas entertaining.

Trip reportFor those who are interested, amore detailed report about theHEPiX meeting is stored inIndico. Also, the SLAC HEPiXReport (summary and slides)that was presented at the jointComputing/After-C5 seminar in October 2005 is available athttp://indico.cern.ch/conferenceDisplay.py?confId=a056269.

Future HEPiX meetingsThe next meeting will be atCASPUR in Rome, Italy, on 3–7April. The autumn meeting willbe held at the Jefferson Lab.Alan Silverman, IT/DI

Conference report

10 CERN Computer Newsletter • January–March 2006

US HEPiX attracts large audience

Participants at the autumn meeting enjoyed talks on collaboration tools, CPU benchmarks, Linux, and disk and storage systems among others.

Information corner

11CERN Computer Newsletter • January–March 2006

Techniques used by spammersevolve continuously and arebecoming very clever. LastDecember CERN was attacked bya malicious e-mail in which theuser was invited to access aURL. By selecting the URL someusers have infected their PCswith a virus. Unfortunately thereis no reliable way to distinguisha fake e-mail from a real one.Below we provide someguidelines to help you recognizewhether an e-mail should beconsidered suspicious.

What should I check?Read the text carefully.● Does it contain account-specific data (such as the real[first] name or physical locationof a network device)?

While most of these data canprobably be gained from somepublicly visible information, it ismuch easier for a legitimate mailsender (with direct access toCERN’s internal databases) toobtain such information. As youcan see in the example, themessage was not precise,referring to “your account”(without any indication to whichmachine and login it wasreferring to at CERN), and “forsecurity reasons” (withoutgiving any further explanation).

● Look for small errors in titlesor names.

In the example, the signatureis given as “Cern SecurityDepartment”, which does notexist (it is the CERN Computer

Security team). These indicators should be

enough to make you suspiciousabout an e-mail already.

Suspicious URLA good way to check if a URL iswhat it claims to be is to type it(do not cut and paste it) intoyour browser. However, mostmail clients have features thatare easier to use.● If you read your mail (HTMLformat) on NICE using Outlook,or on Linux using GNOMEEvolution, pause the cursor overthe highlighted URL. Check if thereal URL that appears in a yellowbox (in Outlook) or in a statusbar at the bottom of the screen(Evolution) looks trustworthy. Inthe example, the URL pointed toa strange address outside CERN. ● If you use pine and hit returnnext to the URL, the real URL willappear at the bottom of the screenalong with a request to confirmthat you really want to go there.

Suspicious attachmentIf the suspicious mail comeswith an attachment, anothergood indicator is whether theright “tool” (file format) is beingused for the message: ● A short notification is besthandled by plain text.● A complex, multipagedocument will probably arrive asa .doc or .pdf attachment. ● Unless you are expecting acollection of binary files thatonly make sense together (soadding them as individual

attachments won’t work), a .zipfile is highly suspicious.

On Windows, it is stronglyrecommended to saveattachments before viewingthem, because a virus scan isautomatically performed whensaving the file. This is true evenfor attachments that come fromsomeone you trust, as theircomputer may be infected.

Fighting this problemThe IT department is investigatingfurther techniques to combat

spamming. There are ways tofight these bogus e-mails butthis means imposing stricterrules, which will eventually leadto less convenience for users;the challenge is to find the rightbalance. Meanwhile we have torely to some degree on usersbeing proactive and suspicious.As was written in the last issueof CNL, in case of doubt usersshould ask the helpdesk beforetaking any action. Nicole Crémel, IT/UDS; Judy Richards, IT/DI

Users must besuspicious whenreading e-mails

An example of a malicious e-mail sent to CERN last December.

From: security@cern.chTo: Nicole CremelSubject: ACCOUNT ALERT

Dear Valued Member,

According to our terms of services, you will have to confirm youre-mail by the following link, or your account will be suspendedwithin 24 hours for security reasons.

http://www.nicole.cremel@cern.ch/confirm.php?account=cern.ch

After following the instructions in the sheet, your account will notbe interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for anyinconvenience.

Sincerely, Cern Security Department

The deadline for submissions to the next issue of CNL is 3 MarchE-mail your contributions to cnl.editor@cern.chIf you would like to be informed by e-mail when a new issue of CNL is available, subscribe to the mailing listcern-cnl-info. You can do this from the CERN CNL website at http://cern.ch/cnl

Changes to services in the ITdepartment are published on theService Status Board (SSB),which is located at http://cern.

ch/it-servicestatus. The mostrecent changes and their datesof posting are shown below. TheSSB also includes power cuts,

scheduled interventions, serviceincidents, and the status of mostservices. A dynamic page withthe status of most services isalso available at http://cern.ch/itservicestatus/dynamic/.

Information corner

12 CERN Computer Newsletter • January–March 2006

Oracle database administratorsrecently attended two trainingcourses on the latest 10gR2release of the software. Thecourses were offered followingco-operation between thegroups HR/PMD (HumanResources PersonnelManagement and Development)and IT/DES (Database andEngineering Services).

The main motivation behindthe courses was to offer expertsin database administration high-quality training that would matchtheir demanding job. Anotherasset was to give participantsthe opportunity to get certifiedin Oracle 10g and thus to receiverecognition for their skills, evenoutside the organization.

The first course was held on2–4 November and was designedfor people who passed the Oracle9i certification last year. Elevenpeople attended: five from IT/DES,four from IT/ADC (Architectureand Data Challenges), and twofrom IT/AIS (AdministrativeInformation Services).

The second course, whichtook place on 7–11 November,was designed for people whodid not have the Oracle 9i

certification. Seventeen peopleattended it: three from IT/DES,four from IT/ADC, three fromIT/AIS, four from IT/FIO (FabricInfrastructure and Operations),two from IT/CS (CommunicationSystems), and one from TS/CSE(Technical Support Department,group “Controls, Safety andEngineering Databases”).

Both courses were held at theOracle Training Office, at theWorld Trade Centre, Geneva.

The attendees thanked theorganizers who made this eventhappen. These Oracle 10gcourses will undoubtedly helpthe newly certified database

administrators to continue toaddress the evolving needs ofthe database users’ communityand to improve the overallquality of the many CERN servicesthat are based on Oracle.

CERN Technical Trainingservices provides a completecurriculum on Oracle, called theOracle Training Curriculum @CERN. You will find informationabout dates and registration onthe CERN Technical Trainingwebsite at http://cern.ch/HR-web/external/training/tech/software/te_softw.asp.Catherine Delamare and MontseCollados, IT/DES

Oracle(IT GlobalSolutions)

Oracle(IT GlobalSolutions

customized)

IT GlobalSolutions

SQL

Oraclefeatures fordevelopers

PL/SQL(Intro, Progr)

PL/SQL(Web, Progr)

Oracledesigner:First class

Oracledeveloper

formsJavaDB XML

Javaprogramming

Jdeveloper Introductionto XML

3 da

ys

3 da

ys

5 da

ys

5 da

ys

5 da

ys

3 da

ys

2 da

ys

? da

ys

? da

ys3

days

3 da

ys

databaseanalysis &

design 2-3

days

introductionto databases ?

days

other

The organization of the Oracle Training Curriculum @ CERN.

Recent changes to IT services

18 November 2005 Oracle Forms 6i migration to Forms 10g (summer 2006) 19 December Restrictions on the CERN VPN service 15 December e-MAPS form is available in EDH 12 December EDH – new options: “Confidential” and “Urgent” in the DAI document 25 November New tutorials for EDH 25 November New profile for user accounts in DEVDB 21 November AIS-NICE login synchronization 21 November Change in EDH Material Request form17 October NICE login is mandatory for all operations via the network Web interface 14 October TCP and UDP port 3372 blocked in firewall

CalendarFebruary 13–16 16th Global Grid Forum(GGF16) Athens, Greece www.ggf.org/GGF16/ggf_events_ggf16.htm

13–17 15th InternationalConference on Computing in HighEnergy and Nuclear Physics(CHEP06)Mumbai, Indiawww.tifr.res.in/chep06

March1–3 EGEE User ForumGeneva, Switzerlandhttp://egee-intranet.web.cern.ch/egee-intranet/User-Forum/index.html

1–3 TridentCom 2006Barcelona, Spainwww.tridentcom.org

April2–6 High Performance ComputingSymposium (HPC 2006)Huntsville, Alabamawww.caip.rutgers.edu/hpc2006

3–7 HEPiX meeting Rome, Italywww.hepix.org

25–29 20th IEEE InternationalParallel and DistributedProcessing SymposiumRhodes Island, Greece www.ipdps.org

June27–30 ISC2006 Dresden, Germanywww.supercomp.dePaper deadline 20 February

August29–1 September Euro-Par 2006Dresden, Germanywww.europar2006.dePaper deadline 31 January

September13–15 HPCC-06Munich, Germanyhttp://hpcc06.lrr.in.tum.dePaper deadline 13 March

October25–27 eChallenges 2006 Barcelona, Spain www.echallenges.orgPaper deadline 28 February

The CNL team wishes you ahappy New Year for 2006!

IT database staff gainOracle 10g certification