Secure Services Mtg Notes
July 9th, 2001

Attendees: Mark, Lori, Nathan, Donn, Harold

Summary:

The group went over Rick and Brad's initial task breakdowns for disabling unsecure FTP services. Nathan promised to merge, massage, and circulate via the meeting notes (see below).

Discussion:

- our July 23 mtg will be important, when we set the date/scope of the ftp cutover. the main issues are:
  o have the WebDAV experiments yielded sufficient results that we feel comfortable that a solution for web publishing tools is attainable? or that this audience is small or savvy enough anyway to cope with the change without WebDAV?
  o Secure Fetch behind a NAT issue
  o new version of ssh.com software - will it go into new UWICK, does it require server changes, etc.
  o cutover timing - it's desirable not to coincide with other major autumn changes, if there are any
- more discussion on changes to ftpd to help Secure Fetch make kerberos/GSS connections (?) from behind a NAT. Donn doesn't want to embarrass himself with MIT, so further thought and testing is needed. We could decide that it doesn't make sense to adopt some funky workaround for the UA hosts that won't also be available on other departmental systems. Mark may look into a scp solution for Macintosh. Nathan will check with Josh to see if he does kerberos from behind a NAT router - if so, we might volunteer him for more testing.

General Task Breakdown:

- reuse UA/Admin/MCIS/low-vis divisions
- determine time/date of change
- plan UWICK sw requirements / test prelim uwick release.
- log who is using ftp (what to log? what to report?)
- draft/send email announcement to users:
  o UA
  o Vitcos
  o other?
- coordinate with MCIS
- coordinate with Catalyst team
- update security web page
- modify ftp banner
- set up 'final config' host for testing before cutover
- cutover support plan (24-hour support?)
- set up fallback host for emergency use after cutover?
- pre-warn C&C Directors about potential crisis?

Communication Task Breakdown:

- develop a secure file transfer page for end users
  o explains the policy & why
  o describes and links to the UWICK file transfer tools
  o answers practical questions about implications of the new requirements
    (i.e., file transfer from within many applications will no longer work)
  o describes or links to new services such as WebDAV, if any
- identify audiences - take steps to find out who we need to communicate with and, if possible, track trends in use.
  o can we come up with reasonably meaningful summary statistics for
    . insecure vs secure ftp logins;
    . unique users making insecure ftp logins;
    . web directory vs home directory transfers over a given time period.
  o can we capture UWNetIDs of people making insecure connections?
  o can we draw any inferences from their use patterns that will help us know how best to communicate with them?
- set PR timeline, relative to general secure ftp timeline
  o publish secure file transfer Web page
  o email support list
  o email broadcast message
  o review other Web sources of information on file transfer to make needed updates (/computing, faqs, Catalyst, etc.)
  o present plan at next support meeting
  o news item for OnTech News (Kay is interested)
  o article for Windows on Technology (probably due out in October, Kay wants to do an article on how to protect yourself)
  o focused email message (only to insecure file transfer people).
  o article for University Week
  o faq for help@cac