Monday, July 14, 2014

Kernel updates 07/18

All OCF servers will be restarted Friday night (07/18) in order to apply security updates. We will also be increasing the memory and CPU allocated to tsunami (the login server) during this time.

Tuesday, June 17, 2014

POP/IMAP, webmail phased out

As part of our phasing out of email service for individual OCF members, we have migrated to forward-only email service. This means that no new mail can be stored, so POP/IMAP email access is no longer very useful.

On June 21st, roughly a week from today, we will turn off POP/IMAP email access permanently for individual accounts. Webmail will also be unavailable after this date. We are leaving this window as we understand some users may wish to archive their emails by downloading them via POP/IMAP.

After this date, your mailbox will be moved into your home directory where you can access it at any time (we will never delete any mail). Your mailbox is in standard mbox format, which can be opened by almost any email client, or even a simple text editor.

If you have any trouble downloading your mail or accessing your OCF account, don't hesitate to reach out to us!

Friday, June 06, 2014

Kernel updates 06/07

All OCF servers will be restarted Saturday night (06/07) to apply security updates.

Wednesday, June 04, 2014

Subnet move

We'll be moving from our trusty old subnet, 169.229.172.64/26, to a brand new subnet 4x the size: 169.229.10.0/24. All hosts should be fully migrated by Tuesday, June 10th.

There may be small periods of downtime for all servers during Monday evening/Tuesday morning, but we don't anticipate extended downtime. All services should be otherwise unaffected.

If you access OCF servers via SSH, you may notice a warning that the IP address for ssh.ocf.berkeley.edu has changed. The host key will not change, so you can continue to verify against our SSH fingerprints (available via HTTPS on our wiki). The new IP address for the public login server (tsunami) will be 169.229.10.25.

Update 2014/06/06: All OCF servers are now assigned both their old and new IP addresses. Old IPs have been removed from DNS, and servers will soon be assigned only their new IP. This may break existing connections (such as SSH).

Sunday, June 01, 2014

Email discontinuation update: forward-only on June 14th

Back in November of last year, the OCF Board of Directors announced that email service was being discontinued, with the first phase being transitioning into forward-only email service.

The start date for the first phase, October 20th, has long passed, although we never actually enforced the change. We're now ready to move into forward-only mode, and will enter this phase on Saturday, June 14th.

After this date, email will be forwarded to your registered email address. For most members, this is the email you provided when you created your account, but for old accounts, or for accounts with complicated .forward or .procmailrc files, this entry may be blank or incorrect.

You are strongly advised to run update-email over SSH in order to verify that you have registered an email with LDAP. If you don't have an SSH client handy, the easiest way to access SSH is by visiting ssh.ocf.berkeley.edu in your web browser.

Email will only be forwarded to your email in LDAP. .forward and .procmailrc files will no longer be processed. If no email has been set after June 14th, incoming email will bounce.

If you need assistance updating your email or accessing your OCF account, please get in touch so we can help you sort it out.

Happy summer!

Edit for clarification: Email addresses set in LDAP via update-email will only be used for forwarding after June 14th. There's unfortunately no good way to run the old system (.forward/.procmailrc files) alongside the new system, so setting an email will have no effect until the switch. Sorry for the confusion!

Sunday, April 27, 2014

Scheduled restart Tuesday for kernel updates

All OCF servers will be restarted late Tuesday night (04/29) to apply kernel security updates.

Thursday, April 10, 2014

CVE-2014-0160 ("Heartbleed") openssl vulnerability update

On Monday, an extremely serious bug in openssl was announced. The bug affected all recent versions of openssl, including the version in use on all OCF servers.

Every OCF server was patched against the bug within an hour of Debian releasing a fix. However, because the bug was present in openssl for multiple years, there is no guarantee that private keys or other sensitive information (like user passwords) were not leaked.

As a precaution, we have revoked all SSL certificates in use by OCF (~9 of them), discarded old private keys, and installed new certs and keys in their place.

Some estimates suggest that over 66% of all HTTPS websites were vulnerable to this bug, and it is known that many high-profile sites were. We encourage you to update your OCF password, as well as your passwords on every website you use.

Daily printing limit raised

The weekday printing limit has been raised from 10 pages/day to 15 pages/day for the remainder of the semester.