Papers and presentations by Andrew Findlay

Note that earlier papers that are not available online have been excluded from this list. Note also that most of the papers written while at Brunel University are now mirrored on the Skills 1st website due to Brunel's re-organisation of its website in April 2005.

The Home-Directory Mail System - A paper published in the EUUG Newsletter in 1988, describing the system used to place mailboxes in home directories at Brunel. The system was originally designed to work with Sendmail but was later used with PP and Exim. The complete source code is also available.
Command-name pollution (and how to avoid it) - A paper presented at the UKUUG conference in December 1990, describing the use and package commands developed at Brunel for managing large collections of software.
Building Large Filestores - slides presented at the UKUUG summer conference in 1992, describing the problem of filestore growth and how Brunel had installed a multi-level fileserver with optical jukebox to get ahead of the curve. See later paper Multi-Level Storage: a User's Tale to find out why this was a bad idea... (PostScript format. Graphs are inverted)
The World On Your Desktop - a set of WWW `slides' used for the talk The Rodent Librarian or The World On Your Desktop, originally written for the IEE in 1993, but also presented to other audiences.
Campus-wide networked services - a paper presented at the UCNG PC-Integration workshop in June 1993
Managing Software - the slides for a talk given at the Oxford Unix Users Group on 6th April 1994, describing the software package management scheme at Brunel. A complete distribution kit is also available.
Network Performance - an article written for the User Note in November 1994, describing some of the factors that affect the speed of networked applications
Netpassword - changing passwords safely across the net - a paper presented at the 1994 JANET Security Workshop, describing the system used at Brunel for changing passwords in a large networked system
Snooper-proof Passwords - a paper written for the UKUUG 1994 conference, describing problems with current password systems, and suggesting ways to evaluate replacement authentication schemes.
Cable-Runs to Client-Server - a talk given to BME students in March 1995, describing network technology and distributed applications
Multi-Level Storage: a User's Tale - a paper presented at the UKUUG LISA conference in 1994, describing Brunel's experience with the Epoch multi-level filestore, its optical jukebox, and how we finally had to revert to conventional disk storage.
Make Room Make Room! - a paper presented at the UKUUG winter conference at York in December 1995. It describes the ever-growing computing requirements of Brunel University and details some of the methods being developed to bring supply closer to demand. The use of the local cable-TV network to provide an ethernet-like service to staff and student homes is particularly mentioned.
100M Technology for the Brunel Network - a paper describing a way forward from Brunel's overloaded 10M ethernet-based network in early 1996. See also the diagrams of existing and proposed topologies.
Setting Up an X.500 Directory Service - a paper presented at the Europen conference in Nice in 1990, describing experiences with early versions of the Quipu X.500 DSA and the problems of merging data from several different sources into a coherent directory.
Designing an X.500 User Interface: The Early Stages (with Damanjit Mahl) - a paper presented at the UKUUG conference in Cardiff in 1989, describing the design of a directory-searching user interface.
XDir Design Document (with Damanjit Mahl and Stefan Nahajski) This document describes the design of a user agent for the X.500 directory service. The design is intended to be implemented as an application running in a windowing environment such as X, NeWS, OS/2 Presentation Manager or MS Windows.
August 1990
Designing an X.500 User Interface: One Year In (with Damanjit Mahl and Stefan Nahajski) - a paper presented at the UKUUG conference in Cambridge in 1990, describing more advanced user interface designs and showing example screens. [Note: the original PostScript file has pages in reverse order]
Conference Proceedings, EurOpen Autumn Conference 1991, Budapest. (Editor and Conference Chairman) With Biel-Nielson, K., O'Dell, M., Helsingius, J,. Brazier, F., Knuth, E. (eds)
The Multi-Media Telephone: Directory service and session control for multi-media communications - a paper presented at the IEEE SDNE96 conference in Macau. (The link here is to an earlier version of the paper. Copies of the Proceedings are available from the IEEE)
Information Security - Is IT Safe? This is a review of a colloquium run by the IEE on 27th June 1996. The speakers were drawn from Government security services, MoD, the police, and security software houses, so those attending gained a useful insight into the `official' view of information security. Some fairly clear statements were made on the use and export of cryptography.
How to divide 4000 computers by 5 staff and get a working network A PostScript copy of the slides used at a talk given to the IEE Thames Valley Younger Members Section on 12th December 1996.
Response to DTI consultation paper on the Licensing of Trusted Third Parties for the provision of encryption services. May 1997.
Euroview Service Design (with K H Bonacker and D S Mahl) (Euroview deliverable) Dortmund, 1997.
Planning Directory Services (with D S Mahl) - a booklet for European Administrators outlining the benefits of Directory Services and the process of planning for their introduction. (Euroview deliverable) Dortmund, 1998.
Implementing An Organisational Directory Service (With D S Mahl and K Ktenidis). A detailed look at Directory Services, their benefits, the legal and organisational framework that they exist in, and the issues involved in planning and deploying them. (Euroview deliverable) Uxbridge, 1999.
The Brunel Network: How it works The slides from a training course given in July 1998 to Computing Service staff, covering the basic technology of the network and some of the details of how things are set up and managed at Brunel. (PostScript format)
How to divide 4612 computers by 4.2 staff and get a working network An updated version of an earlier talk, given on 2nd December 1998. There are more slides than in the 1996 version. Note that some of the graphs and diagrams will appear upside-down or sideways in a PostScript viewer as they came from several different packages.
A Plan for a Strategy Generating strategy documents in large institutions can be a long process, and the results are often seen as unsatisfactory by many of the people they affect. This paper suggests how a different approach based on an open process could be used to build an Information Services Strategy for Brunel.
Regaining Single Sign-On A central and valuable aspect of Brunel's computing environment is the single username and password that each person uses to access all resources. More usernames and passwords have been creeping in recently, with the rise of remote web-based dataset providers. This paper covers the main issues and suggest directions of work to contain `identity explosion' in the future.
Towards Open-Source Secure Single Sign-On Single Sign-On means different things to different people, but the main theme is making life easier for computer users and more secure at the same time. This set of slides (PostScript format) were presented at the Netproject Open Source conference in May 1999.
A slightly different version of this talk was presented at the Authentication in HE event in November 1999.
A page of related links is also available.
Efficient IT Service Provision - the Brunel University Experience - a talk given at Kingston University Business School in March 2000, describing Brunel's computing environment and the driving forces in its development, and deriving lessons that could be useful elsewhere.
Serving the Masses: 21,000 users and 5 sysadmins - talk given at London Unix Users Group / UK Unix Users Group meeting on 21st September 2000. Discusses ways of servicing large user populations with relatively few staff. Covers service design and Unix/NT integration issues. (PostScript file, one slide per page). The list of useful web pages distributed at the talk is also available (NISGina, SAMBA, Ghost, Rsync, Jumpstart, Atboot, NTP, etc).
Connections: A Network Connection Booking System Connections is a web-based system that manages the booking, payment, connection, and teardown of network connections in student study-bedrooms. It can use secure HTTP to reassure users that their credit-card details are being protected. The system is written entirely in Perl, and it uses PerlDBI to interface with an SQL database. MySQL was used in the original implementation. Connections was first used at Brunel University in 1999, and was described at the UKUUG Winter Conference in Newcastle in February 2001.
Planning for an open-source entrant in the PKI interoperability trials - the result of a feasibility study undertaken in May 2001. Details components that could be used to build an open-source entrant for the trials being conducted by CESG for the Office of the E-Envoy. The focus is on PKI functions to support signed and/or encrypted e-mail. (Also available in PDF)
Security with LDAP It is possible to use LDAP as a Network Information Service as well as for the more traditional white-pages service. This requires support from operating systems and has new security implications. This paper examines how open-source implementations are rising to the challenge. The paper was first presented at the UKUUG Winter Technical Conference, London, February 2002.
I wrote several large chunks of the IDA Open Source Migration Guidelines which is a very useful document for any organisation that is considering a move to open-source software. The target audience is European Administrations, but most of the content is applicable to all organisations.
This is the main product of the MigOSS project, which also produced a spreadsheet to help compare the cost of ownership of proprietary and open-source systems. The report and spreadsheet can both be found on the IDA website.
Open Source on the Desktop - slides used at the first OSS Watch conference at Oxford, 11th December 2003.
LDAP Schema Design It is possible to make one LDAP directory serve many applications in an organisation. This has the advantage of reducing the effort required to maintain the data, but it does mean that the design must be thought out very carefully before implementation starts.
Schema is the term used to describe the shape of the directory and the rules that govern its content. This paper takes the reader through the schema design process from requirements capture to tree layout to entry design. Some traps and pitfalls along the way are discussed, and an example design is sketched out.
This paper was presented at the UKUUG Winter Technical Conference in February 2005.
LDAP Workshop - a half-day tutorial session on LDAP technology and design principles, presented at the UKUUG Spring Technical Conference, Durham, March 2006.
Selected LDAP Attributes This is a document that I give to all my LDAP design clients: it collects together descriptions of most of the commonly-used attributes. For each attribute I give the definition from the standard and a commentary on how it is used in practice.
Writing Access Control Policies for LDAP Most non-trivial LDAP deployments have an access policy. Writing this policy and translating it into the access-control language of the server requires some care. This paper suggests an approach to designing and testing access control rules. It includes worked examples to illustrate some common use-cases.
The paper was presented at the UKUUG Spring Conference in London, 24-26 March 2009.
Response to the Communications Data Consultation On 27th April 2009 the UK Government issued a paper titled Protecting the public in a changing communications environment Cm7586. It proposes to "maintain" the current traffic-analysis capability of law enforcement and other public bodies by requiring UK communications service providers to analyse and record data about all network sessions. The providers would be further required to cross-reference and index this data so that official demands for data can be satisfied very rapidly.
I do not usually take much notice of the doings of politicians and governments, but I have responded to this consultation in some detail as I find the proposals truly terrifying and out of all proportion to the claimed public good.
LDAP for Linux Admins: a Lightning Course, LOADays conference, Antwerp, April 2011.
The challenge was to pack everything into 2 hours: learn the basics of LDAP, build a resilient LDAP infrastructure, load it with user-account data, and configure Linux to use it for logins with NSS and PAM. We provided every participant with two Linux machines in the cloud, and the focus was very much on practical work. As it turned out, we had rather less than two hours in the final programme so most people did not finish everything. I think this could reasonably be run as a half-day remote-teach class.
Best Practices in LDAP Security
LDAP servers are part of the critical infrastructure of most large organisations. They hold personal data subject to legal protection, and often act as the authoritative source of authentication and authorisation for multiple applications.
This paper divides LDAP security into three major requirements: availability, integrity, and confidentiality. Appropriate controls are proposed for each topic, noting the interactions and compromises that are required. Most of the controls are technical, relating to design and administration issues that affect all LDAP server products. The tradeoff between technical and organisational controls is discussed, with reference to common human factors issues.
The paper was presented at the LDAPCon2011 conference in Heidelberg.
Letter to Dominic Grieve about Communications Data Monitoring
Three years on, under a new government, and I find myself writing to my MP about communications data again. There are no official proposals yet, but the sort of intrusive monitoring that ministers are talking about is so dangerous that I really want to get the idea squashed before it reaches the Queen's Speech.
Letter to Dominic Grieve MP about Communications Data Monitoring, January 2014
Again! My letter in 2012 worried about the bad things that could happen if the "Snooper's Charter" bill were allowed to pass. Last year's revelations by Edward Snowden make it clear that most of the snooping set out in that bill was already in progress. In the US, the NSA is rightly getting a lot of flak for its industrial-scale snooping but our own "security services" are just as guilty. Politicians seem prepared to accept this once they are themselves part of the Government, and all we can do is write to them.
LDAPCon 2015 I was the conference chairman and general organiser for the 2015 edition of the international LDAP and ID Management conference.
Monitoring Mum made its first appearance as a lightning talk at the flossUK Spring 2016 conference.
Monitoring Mum Update delivered at the flossUK Spring 2017 conference. Monitoring Mum has a GitHub repository by this stage, and is looking more like a development project than a one-off datalogger installation.
Watch the video
Monitoring Mum: Telecaring with the IoT, open source and open hardware - evening lecture for the Thames Valley Specialised Section of the IET on 27th April 2017.
Slides with speaker notes
Monitoring Mum technology list
More Monitoring Mum resources
Open-Source LDAP Training Material Andrew is publishing some of his training courses under a Creative Commons licence and inviting people to use and improve them. This was presented as a lightning talk at LDAPCon 2019 in Sofia.
Password Policy Considered Harmful Another lightning talk at LDAPCon 2019 in Sofia. This examines some of the negative effects of using password policies, recommends the NCSC 'Updating Your Approach' guidance, and suggests a new direction for dealing with password failures in large distributed systems.