From predragp at andrew.cmu.edu  Mon Feb  1 10:19:54 2021
From: predragp at andrew.cmu.edu (Predrag Punosevac)
Date: Mon, 1 Feb 2021 10:19:54 -0500
Subject: Main file server temp down
In-Reply-To: <CAEFFt-GTtHhPoAWCFO3uWvaisNwX8i7=jfMxDcEVuw_1tYnxBw@mail.gmail.com>
References: <CAEFFt-Eog8XuKWpM91ykrtEnPTiQkE3YV++KHorhrY6i0k2fRw@mail.gmail.com>
 <CABwU0nmNYD7E0BQvotrzGgbG5Q6-NpsjZ8by_H04Ko1zoy190A@mail.gmail.com>
 <CAEFFt-GTtHhPoAWCFO3uWvaisNwX8i7=jfMxDcEVuw_1tYnxBw@mail.gmail.com>
Message-ID: <CAEFFt-EHyrdH80n9SfyZ32QmzFeX3Q7tkjXa0wtZ5kC7aii80g@mail.gmail.com>

HI Ifi,

The issue came from the fact that your home directory was unavailable due
to the File server being down. I have managed to bring the file server up
using IPMI and KVM console and you can proceed as usual. If you want to
hear more details please keep reading this email.

Namely, one of two ZFS pools seems to be a bit damaged and holding the
boot. I have managed to use IPMI and KVM console to boot in the single-user
mode into the server and export ZFS data pools so that they don't hold the
boot process. Once I was convinced the server works as expected I imported
back ZFS pool tank which holds your home directory and home directories of
other people who have a higher than normal disk quota. In total 15 users.
Than I tried to import the ZFS pool storage which holds home directories of
the majority of users including my own. The import didn't complete and I
suspect that the file system is trying to self-heal (not possible on any
other file system except ZFS). Even half functional system was sufficiently
working for me to be able to use my regular user account and my home
directory. There is nothing wrong with HDDs and I hope that the system will
be able to repair itself. However, if you are unlucky and your home
directory is on the damaged part of the ZFS pool I suspect that login might
not work for you. Your only option, in that case, is to be patient and hope
that things will be back to normal by tomorrow morning.

Cheers,
Predrag




On Sun, Jan 31, 2021 at 7:59 PM Ifigeneia Apostolopoulou <
iapostol at andrew.cmu.edu> wrote:

> Hi Predrag,
>
> I can now login but I'm getting the following. is it an issue related to
> my account (or just have to be a little bit more patient :))? thanks!
>  Could not chdir to home directory /zfsauton3/home/iapostol: Input/output
> error
>
>
> On Sun, Jan 31, 2021 at 6:08 PM Predrag Punosevac <predragp at andrew.cmu.edu>
> wrote:
>
>> Dear Autonians,
>>
>> The main file server Gaia is temporary down. I applied security patches
>> and updates across all the FreeBSD file servers and jail hosts (6 in total)
>> and rebooted them. Unfortunately, GAIA was running ZFS scrubbing and didn't
>> come back. In my experience, once the scrubbing finishes (hopefully in an
>> hour or two) it should automatically come back online. I apologize for any
>> inconvenience but servers need some regular maintenance to be able to run.
>>
>> On an unrelated note, I had to reboot GPU2 which was crashed by runaway
>> scripts. As you probably know Python is not designed for scientific
>> computing and has a global interpreter lock (GIL) which makes multithreaded
>> programming almost impossible. Our users just like all other people who are
>> using Python for scientific computing keep spawning process in order to
>> fake multithreading as a result we have regular server reboots/crashes.
>>
>> Cheers,
>> Predrag
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210201/668de6d2/attachment.html>

From predragp at andrew.cmu.edu  Tue Feb  2 21:37:26 2021
From: predragp at andrew.cmu.edu (Predrag Punosevac)
Date: Tue, 2 Feb 2021 21:37:26 -0500
Subject: Main file server temp down
In-Reply-To: <CAEFFt-GTtHhPoAWCFO3uWvaisNwX8i7=jfMxDcEVuw_1tYnxBw@mail.gmail.com>
References: <CAEFFt-Eog8XuKWpM91ykrtEnPTiQkE3YV++KHorhrY6i0k2fRw@mail.gmail.com>
 <CABwU0nmNYD7E0BQvotrzGgbG5Q6-NpsjZ8by_H04Ko1zoy190A@mail.gmail.com>
 <CAEFFt-GTtHhPoAWCFO3uWvaisNwX8i7=jfMxDcEVuw_1tYnxBw@mail.gmail.com>
Message-ID: <CAEFFt-GkkED1Vd_0BAHhLJOh=17Bb00jxLQTnmNyNzzSNfUWfQ@mail.gmail.com>

Dear Autonians,

I am happy to report that the second ZFS pool (storage) on our main file
server has healed 100%. I don't know how you feel about it but I am going
to buy a beer to Matt Ahrens when I see him next time at one of the BSD or
OpenZFS conferences for saving my rear end :-)

Cheers,
Predrag

On Sun, Jan 31, 2021 at 9:03 PM Predrag Punosevac <predragp at andrew.cmu.edu>
wrote:

> HI Ifi,
>
> The issue came from the fact that your home directory was unavailable due
> to the File server being down. I have managed to bring the file server up
> using IPMI and KVM console and you can proceed as usual. If you want to
> hear more details please keep reading this email.
>
> Namely, one of two ZFS pools seems to be a bit damaged and holding the
> boot. I have managed to use IPMI and KVM console to boot in the single-user
> mode into the server and export ZFS data pools so that they don't hold the
> boot process. Once I was convinced the server works as expected I imported
> back ZFS pool tank which holds your home directory and home directories of
> other people who have a higher than normal disk quota. In total 15 users.
> Than I tried to import the ZFS pool storage which holds home directories of
> the majority of users including my own. The import didn't complete and I
> suspect that the file system is trying to self-heal (not possible on any
> other file system except ZFS). Even half functional system was sufficiently
> working for me to be able to use my regular user account and my home
> directory. There is nothing wrong with HDDs and I hope that the system will
> be able to repair itself. However, if you are unlucky and your home
> directory is on the damaged part of the ZFS pool I suspect that login might
> not work for you. Your only option, in that case, is to be patient and hope
> that things will be back to normal by tomorrow morning.
>
> Cheers,
> Predrag
>
>
>
>
> On Sun, Jan 31, 2021 at 7:59 PM Ifigeneia Apostolopoulou <
> iapostol at andrew.cmu.edu> wrote:
>
>> Hi Predrag,
>>
>> I can now login but I'm getting the following. is it an issue related to
>> my account (or just have to be a little bit more patient :))? thanks!
>>  Could not chdir to home directory /zfsauton3/home/iapostol:
>> Input/output error
>>
>>
>> On Sun, Jan 31, 2021 at 6:08 PM Predrag Punosevac <
>> predragp at andrew.cmu.edu> wrote:
>>
>>> Dear Autonians,
>>>
>>> The main file server Gaia is temporary down. I applied security patches
>>> and updates across all the FreeBSD file servers and jail hosts (6 in total)
>>> and rebooted them. Unfortunately, GAIA was running ZFS scrubbing and didn't
>>> come back. In my experience, once the scrubbing finishes (hopefully in an
>>> hour or two) it should automatically come back online. I apologize for any
>>> inconvenience but servers need some regular maintenance to be able to run.
>>>
>>> On an unrelated note, I had to reboot GPU2 which was crashed by runaway
>>> scripts. As you probably know Python is not designed for scientific
>>> computing and has a global interpreter lock (GIL) which makes multithreaded
>>> programming almost impossible. Our users just like all other people who are
>>> using Python for scientific computing keep spawning process in order to
>>> fake multithreading as a result we have regular server reboots/crashes.
>>>
>>> Cheers,
>>> Predrag
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210202/c9390001/attachment.html>

From ngisolfi at cs.cmu.edu  Wed Feb  3 08:43:48 2021
From: ngisolfi at cs.cmu.edu (Nick Gisolfi)
Date: Wed, 3 Feb 2021 08:43:48 -0500
Subject: Fwd: Reminder: Join us to Celebrate School of Computer Science
 Professorships, February 4
References: <554767c81d6c439eab82e14a416eafbb@andrew.cmu.edu>
Message-ID: <7E1FBB43-3167-4DE7-BD74-428437A2C812@cs.cmu.edu>

Dear Autonians,

Please join me in congratulating Artur as he receives the Alumni Research Professorship!

Today is the last day to rsvp (see link in forwarded message) for the virtual event celebrating Artur!

Let?s tune in to support our fearless leader and celebrate with him!

Congratulations, Artur!

- Nick

> Begin forwarded message:
> 
> From: CMU Events <CMUevents at andrew.cmu.edu>
> Subject: Reminder: Join us to Celebrate School of Computer Science Professorships, February 4
> Date: January 29, 2021 at 9:15:29 AM EST
> To: CMU Events <CMUevents at andrew.cmu.edu>
> 
> 
> 
> Martial Hebert, Dean, School of Computer Science, and Professor of Robotics, invites you to a celebration honoring
> 
> Artur Dubrawski as he receives the
> Alumni Research Professorship of Computer Science
> 
> and
> 
> Carleton Kingsford as he receives the
> Herbert A. Simon Professorship of Computer Science
>  
> Thursday, February 4
> 5:30-6:30 p.m. ET
> Virtual Program
>  
> Register Now <http://click.connect.cmu.edu/?qs=54407bd15f8f0c22a08e4a9f49de0f5a872699fbd42505c13445e5ef97327e8724eae15c72c3b01e5ac195f7a395eff802a15e6c32c22a95>
> All participants must register for this event. A Zoom login link will be provided in a confirmation email.
> 
> Register by Wednesday, February 3 <http://click.connect.cmu.edu/?qs=54407bd15f8f0c2264b3b2c576614258268ef0b103cbb6496c593dd558dc0feaada53363547c9fb2875e029199830c1a3328952306f7c21d>
> 
> Questions? Contact CMUevents at andrew.cmu.edu. <mailto:cmuevents at andrew.cmu.edu?subject=SCS%20Professorship%2C%202-4-21>
>  
>  <http://click.connect.cmu.edu/?qs=54407bd15f8f0c22970a0b88a3b3db2e873485f00d93da5c3c805aa3b1ffb786f24d5e69b633e42f35746384a7d898d4eb429889cf823e9f>
>  
>  
> This email was sent by: 
> Carnegie Mellon University
> 5000 Forbes Ave, Pittsburgh, PA, 15213 US 
> 
> 
>  
> _______________________________________________
> ri-people mailing list
> ri-people at lists.andrew.cmu.edu <mailto:ri-people at lists.andrew.cmu.edu>
> https://lists.andrew.cmu.edu/mailman/listinfo/ri-people <https://lists.andrew.cmu.edu/mailman/listinfo/ri-people>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210203/63c09983/attachment-0001.html>

From cgmorale at andrew.cmu.edu  Thu Feb  4 09:35:51 2021
From: cgmorale at andrew.cmu.edu (Cecilia Morales Garza)
Date: Thu, 4 Feb 2021 09:35:51 -0500
Subject: Zoom work sessions and lunch
Message-ID: <CAPZSV91Bq=1xLrRQN3BNL4auxJCsQRy6C-S=Zb97Nxv8Xx6j3w@mail.gmail.com>

Hi everyone,

A lot of you seemed to be interested in the zoom work sessions, so we will
be trying them out today. Here is the zoom link for the work sessions:
https://cmu.zoom.us/j/98316255303?pwd=cjJWWXRnalJCaXlESmUvcjl0SWlFQT09
<https://www.google.com/url?q=https://cmu.zoom.us/j/98316255303?pwd%3DcjJWWXRnalJCaXlESmUvcjl0SWlFQT09&sa=D&source=calendar&ust=1612881163418000&usg=AOvVaw1HFJ9g0W3FUnusK4jsqYKl>.
Then we will be going to the zoom lunch in this link:
https://cmu.zoom.us/j/96391712304?pwd=WGhzSy9kWnNpc3haZjd5bmVXV291QT09 ,
feel free to join whenever. I will have a timer up and will be working for
50 minutes at a time and then taking a 10 minute break for a couple of
hours. Probably until 5:30pm. We will try to use the same link in future
sessions but for now, I don't have screen sharing capabilities for the
timer :)

Best,
Ceci
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210204/43327cbf/attachment.html>

From awertz at cmu.edu  Thu Feb  4 10:04:43 2021
From: awertz at cmu.edu (Anthony Wertz)
Date: Thu, 4 Feb 2021 10:04:43 -0500
Subject: Zoom work sessions and lunch
In-Reply-To: <CAPZSV91Bq=1xLrRQN3BNL4auxJCsQRy6C-S=Zb97Nxv8Xx6j3w@mail.gmail.com>
References: <CAPZSV91Bq=1xLrRQN3BNL4auxJCsQRy6C-S=Zb97Nxv8Xx6j3w@mail.gmail.com>
Message-ID: <3DA365D8-97E0-45F4-B3C0-E1A7A20ABFD8@cmu.edu>

If you?re wondering what to do with your 10 minutes, you can try the 7-minute workout. :-)

https://www.nytimes.com/2021/01/04/well/move/for-an-exercise-snack-try-the-new-standing-7-minute-workout.html


- Anthony

> El feb. 4, 2021, a las 09:35, Cecilia Morales Garza <cgmorale at andrew.cmu.edu> escribi?:
> 
> Hi everyone,
> 
> A lot of you seemed to be interested in the zoom work sessions, so we will be trying them out today. Here is the zoom link for the work sessions: https://cmu.zoom.us/j/98316255303?pwd=cjJWWXRnalJCaXlESmUvcjl0SWlFQT09 <https://www.google.com/url?q=https://cmu.zoom.us/j/98316255303?pwd%3DcjJWWXRnalJCaXlESmUvcjl0SWlFQT09&sa=D&source=calendar&ust=1612881163418000&usg=AOvVaw1HFJ9g0W3FUnusK4jsqYKl>. Then we will be going to the zoom lunch in this link: https://cmu.zoom.us/j/96391712304?pwd=WGhzSy9kWnNpc3haZjd5bmVXV291QT09 <https://cmu.zoom.us/j/96391712304?pwd=WGhzSy9kWnNpc3haZjd5bmVXV291QT09> , feel free to join whenever. I will have a timer up and will be working for 50 minutes at a time and then taking a 10 minute break for a couple of hours. Probably until 5:30pm. We will try to use the same link in future sessions but for now, I don't have screen sharing capabilities for the timer :)
> 
> Best,
> Ceci

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210204/14cef4b8/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210204/14cef4b8/attachment.sig>

From ngisolfi at cs.cmu.edu  Thu Feb  4 10:25:47 2021
From: ngisolfi at cs.cmu.edu (Nick Gisolfi)
Date: Thu, 4 Feb 2021 10:25:47 -0500
Subject: Zoom work sessions and lunch
In-Reply-To: <3DA365D8-97E0-45F4-B3C0-E1A7A20ABFD8@cmu.edu>
References: <CAPZSV91Bq=1xLrRQN3BNL4auxJCsQRy6C-S=Zb97Nxv8Xx6j3w@mail.gmail.com>
 <3DA365D8-97E0-45F4-B3C0-E1A7A20ABFD8@cmu.edu>
Message-ID: <1F52DFEE-845C-42C9-A7A2-410A3F394AA8@cs.cmu.edu>

It?s also the perfect amount of time to brew fresh coffee!  Although, don?t do this at the top of *every* hour :-)

These work sessions are a great idea, Ceci.  Thank you for organizing!

- Nick

> On Feb 4, 2021, at 10:04 AM, Anthony Wertz <awertz at cmu.edu> wrote:
> 
> If you?re wondering what to do with your 10 minutes, you can try the 7-minute workout. :-)
> 
> https://www.nytimes.com/2021/01/04/well/move/for-an-exercise-snack-try-the-new-standing-7-minute-workout.html <https://www.nytimes.com/2021/01/04/well/move/for-an-exercise-snack-try-the-new-standing-7-minute-workout.html>
> 
> 
> - Anthony
> 
>> El feb. 4, 2021, a las 09:35, Cecilia Morales Garza <cgmorale at andrew.cmu.edu> escribi?:
>> 
>> Hi everyone, 
>> 
>> A lot of you seemed to be interested in the zoom work sessions, so we will be trying them out today. Here is the zoom link for the work sessions: https://cmu.zoom.us/j/98316255303?pwd=cjJWWXRnalJCaXlESmUvcjl0SWlFQT09 <https://www.google.com/url?q=https://cmu.zoom.us/j/98316255303?pwd%3DcjJWWXRnalJCaXlESmUvcjl0SWlFQT09&sa=D&source=calendar&ust=1612881163418000&usg=AOvVaw1HFJ9g0W3FUnusK4jsqYKl>. Then we will be going to the zoom lunch in this link: https://cmu.zoom.us/j/96391712304?pwd=WGhzSy9kWnNpc3haZjd5bmVXV291QT09 <https://cmu.zoom.us/j/96391712304?pwd=WGhzSy9kWnNpc3haZjd5bmVXV291QT09> , feel free to join whenever. I will have a timer up and will be working for 50 minutes at a time and then taking a 10 minute break for a couple of hours. Probably until 5:30pm. We will try to use the same link in future sessions but for now, I don't have screen sharing capabilities for the timer :) 
>> 
>> Best,
>> Ceci 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210204/4a8e08cf/attachment-0001.html>

From chiragn at cs.cmu.edu  Tue Feb  9 19:18:29 2021
From: chiragn at cs.cmu.edu (Chirag Nagpal)
Date: Wed, 10 Feb 2021 05:48:29 +0530
Subject: New Chest X-Ray Dataset Acquired
Message-ID: <CAKH1gVpxXL3E1TL_GeKuUs2uU4fnrpiyyTYHfnv0BMCBny4gdg@mail.gmail.com>

Hi All

We have just acquired a new NIH NCI Chest X-Ray dataset (PLCO)
https://cdas.cancer.gov/plco/ of screening chest X-rays of patients
suspected to have lung cancer.

This is a more esoteric dataset than what most groups use for Chest X-ray
analysis.

This includes follow up screening result X-rays at subsequent stages as
well as severity, mortality information. It also includes doctor's
impressions, and EHR information.

The total population of patients included in this dataset is 25,000 with
over 80,000 X-ray images from multiple stages of screening.

Please let me know if you think this would be of use to your research. I
and Andy are listed as authorized users and can help you set it up for your
research.



-- 

*Chirag Nagpal* PhD Student, Auton Lab
School of Computer Science
Carnegie Mellon University
cs.cmu.edu/~chiragn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210210/c66ab4b1/attachment.html>

From ngisolfi at cs.cmu.edu  Thu Feb 11 09:29:51 2021
From: ngisolfi at cs.cmu.edu (Nick Gisolfi)
Date: Thu, 11 Feb 2021 09:29:51 -0500
Subject: [Lunch] Today @noon over zoom
Message-ID: <C1E4D3CE-2463-4B0E-87B3-24B8C1918E37@cs.cmu.edu>

https://cmu.zoom.us/j/96391712304?pwd=WGhzSy9kWnNpc3haZjd5bmVXV291QT09 <https://cmu.zoom.us/j/96391712304?pwd=WGhzSy9kWnNpc3haZjd5bmVXV291QT09>

We hope to see you there!

- Nick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210211/d643eab3/attachment.html>

From awd at cs.cmu.edu  Tue Feb 16 08:59:09 2021
From: awd at cs.cmu.edu (Artur Dubrawski)
Date: Tue, 16 Feb 2021 08:59:09 -0500
Subject: CMU Auton Lab spinoff Marinus Analytics named the finalist of the AI
 XPRIZE competition!
Message-ID: <CAJvAoyv8PZ8FO7Ep2+5pJeCOaNfC7ea7meUA6hv64m2AwjDvhQ@mail.gmail.com>

Dear Autonians,

This is a spectacular success of the former Autonians Emily Kennedy and
Cara Jones, and their team at Marinus. It is also a remarkable recognition
of the Traffic Jam technology we have originally developed here at CMU.
Congratulations to everyone involved!

See here for the company press release with details:
https://www.marinusanalytics.com/articles/2021/2/16/marinus-analytics-to-represent-united-states-in-5m-ibm-watson-ai-xprize-grand-prize

We have been waiting for this announcement for about a year, as it was
delayed by covid.
All's well that ends well!

Cheers,
Artur
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210216/f4487f18/attachment.html>

From bspice at cs.cmu.edu  Tue Feb 16 09:13:03 2021
From: bspice at cs.cmu.edu (Byron G Spice)
Date: Tue, 16 Feb 2021 14:13:03 +0000
Subject: CMU Auton Lab spinoff Marinus Analytics named the finalist of the
 AI XPRIZE competition!
In-Reply-To: <CAJvAoyv8PZ8FO7Ep2+5pJeCOaNfC7ea7meUA6hv64m2AwjDvhQ@mail.gmail.com>
References: <CAJvAoyv8PZ8FO7Ep2+5pJeCOaNfC7ea7meUA6hv64m2AwjDvhQ@mail.gmail.com>
Message-ID: <b38dae8408954bfa87b9bec038454f95@cs.cmu.edu>

https://twitter.com/SCSatCMU/status/1361679908036993035

Byron Spice
412-268-9068

From: Artur Dubrawski <awd at cs.cmu.edu>
Sent: Tuesday, February 16, 2021 8:59 AM
To: users at autonlab.org
Cc: Jim Garrett <garrett at cmu.edu>; Byron G Spice <bspice at cs.cmu.edu>; Andrew W. Moore <awm at google.com>; Farnam Jahanian <farnam at andrew.cmu.edu>; Srinivasa G Narasimhan <srinivas at andrew.cmu.edu>; Martial Hebert <hebert+ at cs.cmu.edu>; Michael McQuade <mmcquade at andrew.cmu.edu>; Reed McManigle <reedm at andrew.cmu.edu>
Subject: CMU Auton Lab spinoff Marinus Analytics named the finalist of the AI XPRIZE competition!

Dear Autonians,

This is a spectacular success of the former Autonians Emily Kennedy and Cara Jones, and their team at Marinus. It is also a remarkable recognition of the Traffic Jam technology we have originally developed here at CMU. Congratulations to everyone involved!

See here for the company press release with details:
https://www.marinusanalytics.com/articles/2021/2/16/marinus-analytics-to-represent-united-states-in-5m-ibm-watson-ai-xprize-grand-prize

We have been waiting for this announcement for about a year, as it was delayed by covid.
All's well that ends well!

Cheers,
Artur
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210216/a4254b75/attachment.html>

From awd at cs.cmu.edu  Tue Feb 16 10:23:52 2021
From: awd at cs.cmu.edu (Artur Dubrawski)
Date: Tue, 16 Feb 2021 10:23:52 -0500
Subject: Fwd: Aleksander Madry on Why Do ML Models Fail?
In-Reply-To: <aae4610086c8b3a8646b00cbe.b5ed94badf.20210216145925.55d1d77794.428f294e@mail64.atl261.mcdlv.net>
References: <aae4610086c8b3a8646b00cbe.b5ed94badf.20210216145925.55d1d77794.428f294e@mail64.atl261.mcdlv.net>
Message-ID: <CAJvAoyv1ULbV9BhvRa1RuJhjhEN8dw5fhRFVa6zCzMN-u8c64Q@mail.gmail.com>

This will be of interest to those of us whose work touches reliability and
trustworthiness of ML.

Artur

---------- Forwarded message ---------
From: C3.ai Digital Transformation Institute <info at c3dti.ai>
Date: Tue, Feb 16, 2021 at 10:16 AM
Subject: Aleksander Madry on Why Do ML Models Fail?
To: <awd at cs.cmu.edu>


Aleksander Madry on Why Do ML Models Fail?
[image: C3DTI Colloquium on Digital Transformation Science]
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=0cf721f153&e=b5ed94badf>

The Colloquium on Digital Transformation is a series of weekly online talks
on how artificial intelligence, machine learning, and big data can lead to
scientific breakthroughs with large-scale societal benefit. The spring 2021
series focuses largely on COVID-19 mitigation research.


*See details of upcoming talks here
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=bc0e6d7ac4&e=b5ed94badf>
and
note we have the same Zoom Webinar registration
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=3e6c706cbc&e=b5ed94badf>
link
for all forthcoming talks*
 *Why Do ML Models Fail?*

*February 18, 1 pm PT/4 pm ET*

*Aleksander Madry*

*Professor of Computer Science Massachusetts Institute of Technology*

<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=228810bb87&e=b5ed94badf>

Our current machine learning (ML) models achieve impressive performance on
many benchmark tasks. Yet, these models remain remarkably brittle,
susceptible to manipulation and, more broadly, often behave in ways that
are unpredictable to users. Why is this the case? In this talk, we identify
human-ML misalignment as a chief cause of this behavior. We then take an
end-to-end look at the current ML training paradigm and pinpoint some of
the roots of this misalignment. We discuss how current pipelines for
dataset creation, model training, and system evaluation give rise to
unintuitive behavior and widespread vulnerability. Finally, we conclude by
outlining possible approaches towards alleviating these deficiencies.

Aleksander Madry
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=182acacc3a&e=b5ed94badf>
is a Professor of Computer Science at MIT and leads the MIT Center for
Deployable Machine Learning. His research interests span algorithms,
continuous optimization, science of deep learning, and understanding
machine learning from a robustness and deployability perspectives.
Aleksander's work has been recognized with a number of awards, including an
NSF CAREER Award, an Alfred P. Sloan Research Fellowship, an ACM Doctoral
Dissertation Award Honorable Mention, and Presburger Award. He received his
PhD from MIT in 2011 and, prior to joining the MIT faculty, he spent time
at Microsoft Research New England and on the faculty of EPFL.
For those who missed last week's C3.ai DTI Colloquium, you can catch it on
our YouTube channel Colloquium Playlist
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=3aee0a74e5&e=b5ed94badf>,
where videos of all weekly talks are available.
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=9880bf9944&e=b5ed94badf>
C3.ai DTI Colloquium: February 11, 2021


*Scoring Drugs: Small Molecule Drug Discovery for COVID-19 using
Physics-Inspired Machine Learning*

Teresa Head-Gordon
Chancellor?s Professor, Department of Chemistry, Chemical
and Biomolecular Engineering, and Bioengineering
University of California, Berkeley

The rapid spread of SARS-CoV-2 has spurred the scientific world into action
for therapeutics to help minimize fatalities from COVID-19. Molecular
modeling is combating the current global pandemic through the traditional
process of drug discovery, but the slow turnaround time for identifying
leads for antiviral drugs, analyzing structural effects of genetic
variation in the evolving virus, and targeting relevant virus-host protein
interactions is still a great limitation during an acute crisis. The first
component of drug discovery - the structure of potential drugs and the
target proteins - has driven functional insight into biology ever since
Watson, Crick, Franklin, and Wilkins solved the structure of DNA. What
could we do with structural models of host and virus proteins and small
molecule therapeutics? We can further enrich structure with dynamics for
discovery of new surface sites exposed by fluctuations to bind drugs and
peptide therapeutics not revealed by a static structural model. These
?cryptic? binding sites offer new leads in drug discovery but will only
yield fruit if they can be assessed rapidly for binding affinity for new
small molecule drugs. We offer physics-inspired data-driven models to: 1)
extend the chemical space of new drugs beyond those available; 2) create
reliable scoring functions to evaluate drug binding affinities to cryptic
binding sites of COVID-19 targets; 3) accelerate computation of binding
affinities by training machine learning models; and 4) closing the loop of
design and evaluation to bias the distribution of new drug candidates
towards desired metrics enabled by the C3 AI Suite.
*About the C3.ai Digital Transformation Institute*

Established in March 2020 by C3 AI, Microsoft, and leading universities,
the C3.ai Digital Transformation Institute is a research consortium
dedicated to accelerating the socioeconomic benefits of artificial
intelligence. The Institute engages the world?s leading scientists to
conduct research and train practitioners in the new Science of Digital
Transformation, which operates at the intersection of artificial
intelligence, machine learning, cloud computing, internet of things, big
data analytics, organizational behavior, public policy, and ethics. The
nine C3.ai Digital Transformation Institute consortium member universities
and laboratories are: University of Illinois at Urbana-Champaign;
University of California, Berkeley; Carnegie Mellon University; Lawrence
Berkeley National Laboratory; Massachusetts Institute of Technology;
National Center for Supercomputing Applications at University of Illinois
at Urbana-Champaign; Princeton University; Stanford
University; and University of Chicago. Learn more at C3DTI.ai
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=6c87501aef&e=b5ed94badf>
.
[image: Twitter]
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=139cb3c2de&e=b5ed94badf>
[image: LinkedIn]
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=a2f874999b&e=b5ed94badf>
[image: Facebook]
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=df5e82568e&e=b5ed94badf>
[image: YouTube]
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=c8230f1630&e=b5ed94badf>
[image: Website]
<https://c3dti.us8.list-manage.com/track/click?u=aae4610086c8b3a8646b00cbe&id=b47714cc8b&e=b5ed94badf>
[image: Email] <info at c3dti.ai>

*C3.ai Digital Transformation Institute @ Berkeley*
University of California, Berkeley
750 Sutardja Dai Hall, MC 1764
Berkeley, California 94720-1764

*C3.ai Digital Transformation Institute @ Illinois*
University of Illinois at Urbana-Champaign
1205 W. Clark Street, MC-257, Room 1008
Urbana, Illinois 61801
*Copyright ? 2021 C3.ai Digital Transformation Institute, All rights
reserved.*
You are receiving this email because you opted in via our website.

Want to change how you receive these emails?
You can update your preferences
<https://c3dti.us8.list-manage.com/profile?u=aae4610086c8b3a8646b00cbe&id=2aac18199b&e=b5ed94badf&c=55d1d77794>
or
unsubscribe from this list
<https://c3dti.us8.list-manage.com/unsubscribe?u=aae4610086c8b3a8646b00cbe&id=2aac18199b&e=b5ed94badf&c=55d1d77794>
.

[image: Email Marketing Powered by Mailchimp]
<http://www.mailchimp.com/email-referral/?utm_source=freemium_newsletter&utm_medium=email&utm_campaign=referral_marketing&aid=aae4610086c8b3a8646b00cbe&afl=1>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210216/93c71050/attachment-0001.html>

From ngisolfi at cs.cmu.edu  Thu Feb 18 11:28:35 2021
From: ngisolfi at cs.cmu.edu (Nick Gisolfi)
Date: Thu, 18 Feb 2021 11:28:35 -0500
Subject: [Lunch] **New Link** Today @noon over Zoom
Message-ID: <CC5F4658-7900-44D4-A5A6-AC6378468371@cs.cmu.edu>

**New Link**
https://cmu.zoom.us/j/95972096730?pwd=ZG1Vb0JnSEJ4Y0FPYUk0NGkrdHFHQT09 <https://cmu.zoom.us/j/95972096730?pwd=ZG1Vb0JnSEJ4Y0FPYUk0NGkrdHFHQT09>

We hope to see you there!

- Nick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210218/f00889d2/attachment.html>

From awd at cs.cmu.edu  Thu Feb 18 17:53:44 2021
From: awd at cs.cmu.edu (Artur Dubrawski)
Date: Thu, 18 Feb 2021 17:53:44 -0500
Subject: jobs at Marinus Analytics + internship opportunities elsewhere
Message-ID: <CAJvAoytNZQeNF8swUqVZqbeY-RoAVOS3j6+cf6N7NS7u0p+nHw@mail.gmail.com>

Our spinoff Marinus is growing and hiring, so if you happen to know
relevant people who may be interested please forward them this link:

https://www.marinusanalytics.com/careers

Also, a former Autonian who is apparently involved in a new startup is
looking for interns (see below).

Cheers
Artur

---------- Forwarded message ---------
From: paul hsiung <paulhsiung at gmail.com>
Date: Thu, Feb 18, 2021 at 3:49 PM
Subject: ML interns
To: Artur Dubrawski <awd at cs.cmu.edu>


Hi Artur,

How are you?  Hope you are safe during COVID.

I am looking for ML interns for the startup I am working at.  Do you
have any good leads?  It will be great to have a background in
behavior analysis in video conferencing.

Thanks,

Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210218/2474f751/attachment.html>

From awd at cs.cmu.edu  Sun Feb 21 18:46:20 2021
From: awd at cs.cmu.edu (Artur Dubrawski)
Date: Sun, 21 Feb 2021 18:46:20 -0500
Subject: A very useful outreach activity by our own Ceci Morales
Message-ID: <CAJvAoyut3woWTDCogLv_EPTf=qr-3LZEHSQtm+C7=ju9ud6gJw@mail.gmail.com>

Ceci will be talking to Spanish speaking audiences of all ages about
robotics in medicine.

This is the kind of a really great example of outreach activity we all
should consider as a way to give back to society and to inspire next
generations of AI researchers.

Check this out:
https://www.fundapromat.org/evento/la-robotica-en-la-medicina/

Way to go Ceci!

Cheers,
Artur
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210221/89833ada/attachment.html>

From choset at andrew.cmu.edu  Sun Feb 21 18:48:55 2021
From: choset at andrew.cmu.edu (Howie Choset)
Date: Sun, 21 Feb 2021 18:48:55 -0500
Subject: A very useful outreach activity by our own Ceci Morales
In-Reply-To: <CAJvAoyut3woWTDCogLv_EPTf=qr-3LZEHSQtm+C7=ju9ud6gJw@mail.gmail.com>
References: <CAJvAoyut3woWTDCogLv_EPTf=qr-3LZEHSQtm+C7=ju9ud6gJw@mail.gmail.com>
Message-ID: <A1AA22B2-3267-4884-AEF9-3A53BF21C533@andrew.cmu.edu>

Cool.  Good for her. I can try also speaking to one of these audiences in Spanish but would need a Ceci to help. I did that once before to Spaniards and it was fun. I did need help 

Howie 

Howie Choset
http://choset.com
412-268-2495


> On Feb 21, 2021, at 6:46 PM, Artur Dubrawski <awd at cs.cmu.edu> wrote:
> 
> ?
> Ceci will be talking to Spanish speaking audiences of all ages about robotics in medicine.
> 
> This is the kind of a really great example of outreach activity we all should consider as a way to give back to society and to inspire next generations of AI researchers.
> 
> Check this out:
> https://www.fundapromat.org/evento/la-robotica-en-la-medicina/
> 
> Way to go Ceci!
> 
> Cheers,
> Artur
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210221/434d1d61/attachment.html>

From cgmorale at andrew.cmu.edu  Sun Feb 21 21:52:46 2021
From: cgmorale at andrew.cmu.edu (Cecilia Morales Garza)
Date: Sun, 21 Feb 2021 21:52:46 -0500
Subject: A very useful outreach activity by our own Ceci Morales
In-Reply-To: <A1AA22B2-3267-4884-AEF9-3A53BF21C533@andrew.cmu.edu>
References: <CAJvAoyut3woWTDCogLv_EPTf=qr-3LZEHSQtm+C7=ju9ud6gJw@mail.gmail.com>
 <A1AA22B2-3267-4884-AEF9-3A53BF21C533@andrew.cmu.edu>
Message-ID: <CAPZSV92w+vzyeqMdtowBu7aCu17EVpHJfnwb_8-XJmSLUFOrbw@mail.gmail.com>

Thank you for the support Professor Dubrawski. And I would be happy to
translate for you any time Professor Choset. Although that organization has
also started doing some talks in English for Latin American countries. :)
If anyone is interested, I would be happy to connect you with them.

Ceci

On Sun, Feb 21, 2021 at 6:50 PM Howie Choset <choset at andrew.cmu.edu> wrote:

> Cool.  Good for her. I can try also speaking to one of these audiences in
> Spanish but would need a Ceci to help. I did that once before to Spaniards
> and it was fun. I did need help
>
> Howie
>
> Howie Choset
> http://choset.com
> 412-268-2495
>
>
> On Feb 21, 2021, at 6:46 PM, Artur Dubrawski <awd at cs.cmu.edu> wrote:
>
> ?
> Ceci will be talking to Spanish speaking audiences of all ages about
> robotics in medicine.
>
> This is the kind of a really great example of outreach activity we all
> should consider as a way to give back to society and to inspire next
> generations of AI researchers.
>
> Check this out:
> https://www.fundapromat.org/evento/la-robotica-en-la-medicina/
>
> Way to go Ceci!
>
> Cheers,
> Artur
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210221/7b0c6078/attachment.html>

From choset at andrew.cmu.edu  Sun Feb 21 23:03:27 2021
From: choset at andrew.cmu.edu (Howie Choset)
Date: Sun, 21 Feb 2021 23:03:27 -0500
Subject: A very useful outreach activity by our own Ceci Morales
In-Reply-To: <CAPZSV92w+vzyeqMdtowBu7aCu17EVpHJfnwb_8-XJmSLUFOrbw@mail.gmail.com>
References: <CAPZSV92w+vzyeqMdtowBu7aCu17EVpHJfnwb_8-XJmSLUFOrbw@mail.gmail.com>
Message-ID: <EAE76D45-B821-44BB-8BE3-5A7DFF59381F@andrew.cmu.edu>

I think it is great what you are doing  

I would like to try to give such a talk in Spanish and have someone help me when I cannot get a word or two out. I had someone do that when I spoke to the Spaniards a few years ago. 

Howe 

Howie Choset
http://choset.com
412-268-2495


> On Feb 21, 2021, at 9:53 PM, Cecilia Morales Garza <cgmorale at andrew.cmu.edu> wrote:
> 
> ?
> Thank you for the support Professor Dubrawski. And I would be happy to translate for you any time Professor Choset. Although that organization has also started doing some talks in English for Latin American countries. :)  If anyone is interested, I would be happy to connect you with them. 
> 
> Ceci  
> 
>> On Sun, Feb 21, 2021 at 6:50 PM Howie Choset <choset at andrew.cmu.edu> wrote:
>> Cool.  Good for her. I can try also speaking to one of these audiences in Spanish but would need a Ceci to help. I did that once before to Spaniards and it was fun. I did need help 
>> 
>> Howie 
>> 
>> Howie Choset
>> http://choset.com
>> 412-268-2495
>> 
>> 
>>>> On Feb 21, 2021, at 6:46 PM, Artur Dubrawski <awd at cs.cmu.edu> wrote:
>>>> 
>>> ?
>>> Ceci will be talking to Spanish speaking audiences of all ages about robotics in medicine.
>>> 
>>> This is the kind of a really great example of outreach activity we all should consider as a way to give back to society and to inspire next generations of AI researchers.
>>> 
>>> Check this out:
>>> https://www.fundapromat.org/evento/la-robotica-en-la-medicina/
>>> 
>>> Way to go Ceci!
>>> 
>>> Cheers,
>>> Artur
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210221/60f4bb63/attachment-0001.html>

From predragp at andrew.cmu.edu  Wed Feb 24 19:01:28 2021
From: predragp at andrew.cmu.edu (Predrag Punosevac)
Date: Wed, 24 Feb 2021 19:01:28 -0500
Subject: Two-factor authentication please read
Message-ID: <CAEFFt-Fx45wKaZ4dZUKa-KP6hYODjGDfGsry_ZXT76K51V-Srw@mail.gmail.com>

Dear Autonians,

The times of password login or even passwordless with ssh keys are going
the way of the dinosaurs. The Auton Lab cluster is one of the very few
services at Carnegie Mellon University which can be accessed with a simple
password. Shortly this is no longer going to be true. I have just turned on
2FA on

lop2.autonlab.org

and I will do it shortly on two other shell gateways. ssh access to the
Auton Lab desktops is restricted only to their rightful owners so 2FA can
wait a bit on personal desktops.

At this point, I will need to ask everyone with a valid AndrewID or even
with an alumni account to log into lop2.autonlab.org and make sure 2FA
works for you. If you can read your Andrew emails via a browser you should
not have any problems accessing the Auton Cluster with the same mobile
device. If I don't hear back from you in the next 7 days I will assume that
you are dandy and turn on 2FA on all our shell gateways.

If your username is for some reason different than Andrew's ID we have to
fix that (I am looking at you interns who became CMU grad students). There
are in total 18 external accounts presumably without corresponding Andrew
ID and I have the green light from sponsoring faculty to close most of
those accounts. This is your last chance to access the system and get your
belongings before I store them for safekeeping.

There is a caveat to 2FA. I am fully aware that 2FA will break X2Go GUI
access. I have little incentive to troubleshoot it as you can use reverse
SSH proxy per our documentation

https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control

for GUI or Gogs access.

At this point, we have no intention to turn on 2FA inside the Lab or to
require 2FA authentication for Version Control Server. Those things are
located inside the outer perimeter firewall and have satisfactory security
protection.

Most Kind Regards,
Predrag Punosevac
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210224/c9e8e0ce/attachment.html>

From jim at xuth.net  Wed Feb 24 22:32:32 2021
From: jim at xuth.net (Jim Leonard)
Date: Thu, 25 Feb 2021 03:32:32 +0000
Subject: Two-factor authentication please read
In-Reply-To: <CAEFFt-Fx45wKaZ4dZUKa-KP6hYODjGDfGsry_ZXT76K51V-Srw@mail.gmail.com>
References: <CAEFFt-Fx45wKaZ4dZUKa-KP6hYODjGDfGsry_ZXT76K51V-Srw@mail.gmail.com>
Message-ID: <20210225033232.GK2841@xuth.net>

Can there be some means of making it so that subsequent logins for some duration from the same IP don't require more duo acknowlegements?  This will make using git.int.autonlab.org or similar more difficult from anything other than our work desktops because most of us just use netcat scripts that handle the multiple hops in our .ssh files.  Unless you have some suggested better means of doing this.  Alternately providing a means that anyone in the lab can use to get any of our machines onto the VPN so we can access the machines directly without doing the multiple hops.

On Wed, Feb 24, 2021 at 07:01:28PM -0500, Predrag Punosevac wrote:
> Dear Autonians,
> 
> The times of password login or even passwordless with ssh keys are going
> the way of the dinosaurs. The Auton Lab cluster is one of the very few
> services at Carnegie Mellon University which can be accessed with a simple
> password. Shortly this is no longer going to be true. I have just turned on
> 2FA on
> 
> lop2.autonlab.org
> 
> and I will do it shortly on two other shell gateways. ssh access to the
> Auton Lab desktops is restricted only to their rightful owners so 2FA can
> wait a bit on personal desktops.
> 
> At this point, I will need to ask everyone with a valid AndrewID or even
> with an alumni account to log into lop2.autonlab.org and make sure 2FA
> works for you. If you can read your Andrew emails via a browser you should
> not have any problems accessing the Auton Cluster with the same mobile
> device. If I don't hear back from you in the next 7 days I will assume that
> you are dandy and turn on 2FA on all our shell gateways.
> 
> If your username is for some reason different than Andrew's ID we have to
> fix that (I am looking at you interns who became CMU grad students). There
> are in total 18 external accounts presumably without corresponding Andrew
> ID and I have the green light from sponsoring faculty to close most of
> those accounts. This is your last chance to access the system and get your
> belongings before I store them for safekeeping.
> 
> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go GUI
> access. I have little incentive to troubleshoot it as you can use reverse
> SSH proxy per our documentation
> 
> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
> 
> for GUI or Gogs access.
> 
> At this point, we have no intention to turn on 2FA inside the Lab or to
> require 2FA authentication for Version Control Server. Those things are
> located inside the outer perimeter firewall and have satisfactory security
> protection.
> 
> Most Kind Regards,
> Predrag Punosevac

From predragp at andrew.cmu.edu  Wed Feb 24 22:50:57 2021
From: predragp at andrew.cmu.edu (Predrag Punosevac)
Date: Wed, 24 Feb 2021 22:50:57 -0500
Subject: Two-factor authentication please read
In-Reply-To: <20210225033232.GK2841@xuth.net>
References: <CAEFFt-Fx45wKaZ4dZUKa-KP6hYODjGDfGsry_ZXT76K51V-Srw@mail.gmail.com>
 <20210225033232.GK2841@xuth.net>
Message-ID: <CAEFFt-H3YQBj4_brNY04Qoak22ForV51J1_jOkYF4cGU9K_50w@mail.gmail.com>

Hi Jim,

I hope you are doing well. You are not the first one to ask. I am
forwarding my original response to a similar question to the mailing list.

"I don't think so but this is still in such an early stage that I am just
speculating. I am fully aware that some corner cases will have to be
encountered and resolved eventually. CMU VPN has nothing to do with us. We
have our own perimeter firewall and consider the rest of the CMU network
hostile. ssh is a poor man VPN and we did evaluate a bunch of VPN
technologies besides ssh. TL:TW. They all appear to be significantly more
involving than what we use now. "

And just to add to the above answer. We could even spend thousands of
dollars for Cisco AnyConnect proprietary appliance as NREC did and you will
still have to use your phone for 2FA challenge.  I do when I log into the
NREC. There is no way around it. Our main adversaries are bitcoin mining
guys. They could care less about anything we do. They want our expensive
computing nodes for cryptocurrency mining. Microsoft guys came up with our
paper and they are advocating 3FA. You need to respond to the
challenging question (last 4 digits of your cell phone) before they send
you a security token if you want to login into hotmail.

Cheers,
Predrag


On Wed, Feb 24, 2021 at 10:32 PM Jim Leonard <jim at xuth.net> wrote:

> Can there be some means of making it so that subsequent logins for some
> duration from the same IP don't require more duo acknowlegements?  This
> will make using git.int.autonlab.org or similar more difficult from
> anything other than our work desktops because most of us just use netcat
> scripts that handle the multiple hops in our .ssh files.  Unless you have
> some suggested better means of doing this.  Alternately providing a means
> that anyone in the lab can use to get any of our machines onto the VPN so
> we can access the machines directly without doing the multiple hops.
>
> On Wed, Feb 24, 2021 at 07:01:28PM -0500, Predrag Punosevac wrote:
> > Dear Autonians,
> >
> > The times of password login or even passwordless with ssh keys are going
> > the way of the dinosaurs. The Auton Lab cluster is one of the very few
> > services at Carnegie Mellon University which can be accessed with a
> simple
> > password. Shortly this is no longer going to be true. I have just turned
> on
> > 2FA on
> >
> > lop2.autonlab.org
> >
> > and I will do it shortly on two other shell gateways. ssh access to the
> > Auton Lab desktops is restricted only to their rightful owners so 2FA can
> > wait a bit on personal desktops.
> >
> > At this point, I will need to ask everyone with a valid AndrewID or even
> > with an alumni account to log into lop2.autonlab.org and make sure 2FA
> > works for you. If you can read your Andrew emails via a browser you
> should
> > not have any problems accessing the Auton Cluster with the same mobile
> > device. If I don't hear back from you in the next 7 days I will assume
> that
> > you are dandy and turn on 2FA on all our shell gateways.
> >
> > If your username is for some reason different than Andrew's ID we have to
> > fix that (I am looking at you interns who became CMU grad students).
> There
> > are in total 18 external accounts presumably without corresponding Andrew
> > ID and I have the green light from sponsoring faculty to close most of
> > those accounts. This is your last chance to access the system and get
> your
> > belongings before I store them for safekeeping.
> >
> > There is a caveat to 2FA. I am fully aware that 2FA will break X2Go GUI
> > access. I have little incentive to troubleshoot it as you can use reverse
> > SSH proxy per our documentation
> >
> > https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
> >
> > for GUI or Gogs access.
> >
> > At this point, we have no intention to turn on 2FA inside the Lab or to
> > require 2FA authentication for Version Control Server. Those things are
> > located inside the outer perimeter firewall and have satisfactory
> security
> > protection.
> >
> > Most Kind Regards,
> > Predrag Punosevac
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210224/2b474ecb/attachment-0001.html>

From predragp at andrew.cmu.edu  Thu Feb 25 09:29:58 2021
From: predragp at andrew.cmu.edu (Predrag Punosevac)
Date: Thu, 25 Feb 2021 09:29:58 -0500
Subject: Two-factor authentication please read
In-Reply-To: <29ED82E4-DD3E-4BB9-9973-A920374D829F@andrew.cmu.edu>
References: <CAEFFt-Fx45wKaZ4dZUKa-KP6hYODjGDfGsry_ZXT76K51V-Srw@mail.gmail.com>
 <29ED82E4-DD3E-4BB9-9973-A920374D829F@andrew.cmu.edu>
Message-ID: <CAEFFt-HhzXQ+F0aDmgOK7JDjqW+3_kvgKMGraanU_oTEWkp7Eg@mail.gmail.com>

No accounts will be closed just to accommodate 2FA. If your user name is
not the same as Andrew ID that will have to be fixed. I am still figuring
out what is the most effective way to do this.

P^2

On Thu, Feb 25, 2021, 3:33 AM Vincent Jeanselme <vjeansel at andrew.cmu.edu>
wrote:

> Good morning,
>
> I have the message: ?We?re sorry, access is not allowed because you are
> not enrolled. Please contact your organisation?s IT help desk for
> assistance? when I ssh lop2
>
> My CMU id is *vjeansel*, I am in the group of people being intern before
> staff (so it seems that my AutonLab id mismatches). Please, don?t close my
> account if this is possible, I still have a few projects with the lab
>
> Best,
> Vincent
>
> On Feb 25, 2021, at 00:02, Predrag Punosevac <predragp at andrew.cmu.edu>
> wrote:
>
> ?
> Dear Autonians,
>
> The times of password login or even passwordless with ssh keys are going
> the way of the dinosaurs. The Auton Lab cluster is one of the very few
> services at Carnegie Mellon University which can be accessed with a simple
> password. Shortly this is no longer going to be true. I have just turned on
> 2FA on
>
> lop2.autonlab.org
>
> and I will do it shortly on two other shell gateways. ssh access to the
> Auton Lab desktops is restricted only to their rightful owners so 2FA can
> wait a bit on personal desktops.
>
> At this point, I will need to ask everyone with a valid AndrewID or even
> with an alumni account to log into lop2.autonlab.org and make sure 2FA
> works for you. If you can read your Andrew emails via a browser you should
> not have any problems accessing the Auton Cluster with the same mobile
> device. If I don't hear back from you in the next 7 days I will assume that
> you are dandy and turn on 2FA on all our shell gateways.
>
> If your username is for some reason different than Andrew's ID we have to
> fix that (I am looking at you interns who became CMU grad students). There
> are in total 18 external accounts presumably without corresponding Andrew
> ID and I have the green light from sponsoring faculty to close most of
> those accounts. This is your last chance to access the system and get your
> belongings before I store them for safekeeping.
>
> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go GUI
> access. I have little incentive to troubleshoot it as you can use reverse
> SSH proxy per our documentation
>
> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
>
> for GUI or Gogs access.
>
> At this point, we have no intention to turn on 2FA inside the Lab or to
> require 2FA authentication for Version Control Server. Those things are
> located inside the outer perimeter firewall and have satisfactory security
> protection.
>
> Most Kind Regards,
> Predrag Punosevac
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210225/6253ee24/attachment.html>

From predragp at andrew.cmu.edu  Thu Feb 25 10:13:16 2021
From: predragp at andrew.cmu.edu (Predrag Punosevac)
Date: Thu, 25 Feb 2021 10:13:16 -0500
Subject: Two-factor authentication please read
In-Reply-To: <60375782-FC3B-4F13-9612-37DA80476705@cmu.edu>
References: <CAEFFt-Fx45wKaZ4dZUKa-KP6hYODjGDfGsry_ZXT76K51V-Srw@mail.gmail.com>
 <60375782-FC3B-4F13-9612-37DA80476705@cmu.edu>
Message-ID: <CAEFFt-F61rrTaPrOBGDTGh232WcgiLrQ2OJAg7PkhutGiNRorQ@mail.gmail.com>

No. I don't control the Duo server. I am almost 95% sure that no to Jim and
some other guys is due to the same reason. We use the same Duo server as
CMU and their identity office is setting defaults. I have received 2 dozen
emails and it appears that I have more things to do than originally
anticipated. It will take me a few weeks to clear the issues.

P^2

On Thu, Feb 25, 2021, 10:06 AM Anthony Wertz <awertz at cmu.edu> wrote:

> Worked for me. I wonder, since there?s only one option (duo push) can that
> be selected automatically? I know I?m being lazy asking you to save us two
> keystrokes, but?. I?m lazy. :-)
>
>
> - Anthony
>
> El feb. 24, 2021, a las 19:01, Predrag Punosevac <predragp at andrew.cmu.edu>
> escribi?:
>
> Dear Autonians,
>
> The times of password login or even passwordless with ssh keys are going
> the way of the dinosaurs. The Auton Lab cluster is one of the very few
> services at Carnegie Mellon University which can be accessed with a simple
> password. Shortly this is no longer going to be true. I have just turned on
> 2FA on
>
> lop2.autonlab.org
>
> and I will do it shortly on two other shell gateways. ssh access to the
> Auton Lab desktops is restricted only to their rightful owners so 2FA can
> wait a bit on personal desktops.
>
> At this point, I will need to ask everyone with a valid AndrewID or even
> with an alumni account to log into lop2.autonlab.org and make sure 2FA
> works for you. If you can read your Andrew emails via a browser you should
> not have any problems accessing the Auton Cluster with the same mobile
> device. If I don't hear back from you in the next 7 days I will assume that
> you are dandy and turn on 2FA on all our shell gateways.
>
> If your username is for some reason different than Andrew's ID we have to
> fix that (I am looking at you interns who became CMU grad students). There
> are in total 18 external accounts presumably without corresponding Andrew
> ID and I have the green light from sponsoring faculty to close most of
> those accounts. This is your last chance to access the system and get your
> belongings before I store them for safekeeping.
>
> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go GUI
> access. I have little incentive to troubleshoot it as you can use reverse
> SSH proxy per our documentation
>
> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
>
> for GUI or Gogs access.
>
> At this point, we have no intention to turn on 2FA inside the Lab or to
> require 2FA authentication for Version Control Server. Those things are
> located inside the outer perimeter firewall and have satisfactory security
> protection.
>
> Most Kind Regards,
> Predrag Punosevac
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210225/a5317ae0/attachment.html>

From bparia at cs.cmu.edu  Thu Feb 25 11:14:46 2021
From: bparia at cs.cmu.edu (Biswajit Paria)
Date: Thu, 25 Feb 2021 11:14:46 -0500
Subject: Two-factor authentication please read
In-Reply-To: <CAEFFt-F61rrTaPrOBGDTGh232WcgiLrQ2OJAg7PkhutGiNRorQ@mail.gmail.com>
References: <CAEFFt-Fx45wKaZ4dZUKa-KP6hYODjGDfGsry_ZXT76K51V-Srw@mail.gmail.com>
 <60375782-FC3B-4F13-9612-37DA80476705@cmu.edu>
 <CAEFFt-F61rrTaPrOBGDTGh232WcgiLrQ2OJAg7PkhutGiNRorQ@mail.gmail.com>
Message-ID: <CAGPLMfrbt+LqyCZ2eUiBF7D3s_cPz8-QE6_zdVcgzZU+61OMDg@mail.gmail.com>

Thank you Predrag, for trying to accommodate all our requests, while
keeping the security of our servers in mind.
I just wanted to +1 on Jim's comment. My workflow is in a similar situation
(requires a lot of ssh-ing), and it would be extremely convenient to
remember our devices for some duration.
Hoping that we converge to a solution that is a little more convenient.

Best,
Biswajit

On Thu, Feb 25, 2021 at 10:15 AM Predrag Punosevac <predragp at andrew.cmu.edu>
wrote:

> No. I don't control the Duo server. I am almost 95% sure that no to Jim
> and some other guys is due to the same reason. We use the same Duo server
> as CMU and their identity office is setting defaults. I have received 2
> dozen emails and it appears that I have more things to do than originally
> anticipated. It will take me a few weeks to clear the issues.
>
> P^2
>
> On Thu, Feb 25, 2021, 10:06 AM Anthony Wertz <awertz at cmu.edu> wrote:
>
>> Worked for me. I wonder, since there?s only one option (duo push) can
>> that be selected automatically? I know I?m being lazy asking you to save us
>> two keystrokes, but?. I?m lazy. :-)
>>
>>
>> - Anthony
>>
>> El feb. 24, 2021, a las 19:01, Predrag Punosevac <predragp at andrew.cmu.edu>
>> escribi?:
>>
>> Dear Autonians,
>>
>> The times of password login or even passwordless with ssh keys are going
>> the way of the dinosaurs. The Auton Lab cluster is one of the very few
>> services at Carnegie Mellon University which can be accessed with a simple
>> password. Shortly this is no longer going to be true. I have just turned on
>> 2FA on
>>
>> lop2.autonlab.org
>>
>> and I will do it shortly on two other shell gateways. ssh access to the
>> Auton Lab desktops is restricted only to their rightful owners so 2FA can
>> wait a bit on personal desktops.
>>
>> At this point, I will need to ask everyone with a valid AndrewID or even
>> with an alumni account to log into lop2.autonlab.org and make sure 2FA
>> works for you. If you can read your Andrew emails via a browser you should
>> not have any problems accessing the Auton Cluster with the same mobile
>> device. If I don't hear back from you in the next 7 days I will assume that
>> you are dandy and turn on 2FA on all our shell gateways.
>>
>> If your username is for some reason different than Andrew's ID we have to
>> fix that (I am looking at you interns who became CMU grad students). There
>> are in total 18 external accounts presumably without corresponding Andrew
>> ID and I have the green light from sponsoring faculty to close most of
>> those accounts. This is your last chance to access the system and get your
>> belongings before I store them for safekeeping.
>>
>> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go GUI
>> access. I have little incentive to troubleshoot it as you can use reverse
>> SSH proxy per our documentation
>>
>> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
>>
>> for GUI or Gogs access.
>>
>> At this point, we have no intention to turn on 2FA inside the Lab or to
>> require 2FA authentication for Version Control Server. Those things are
>> located inside the outer perimeter firewall and have satisfactory security
>> protection.
>>
>> Most Kind Regards,
>> Predrag Punosevac
>>
>>
>>
>>
>>

-- 
Biswajit Paria
PhD student
Machine Learning Department
Carnegie Mellon University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210225/ede3704f/attachment-0001.html>

From ngisolfi at cs.cmu.edu  Thu Feb 25 11:48:38 2021
From: ngisolfi at cs.cmu.edu (Nick Gisolfi)
Date: Thu, 25 Feb 2021 11:48:38 -0500
Subject: [Lunch] Today @noon over Zoom
Message-ID: <74BBDF26-8AE5-4C24-8D8F-D6C5CE72FEAA@cs.cmu.edu>

https://cmu.zoom.us/j/95972096730?pwd=ZG1Vb0JnSEJ4Y0FPYUk0NGkrdHFHQT09 <https://cmu.zoom.us/j/95972096730?pwd=ZG1Vb0JnSEJ4Y0FPYUk0NGkrdHFHQT09>

We hope to see you there!

- Nick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210225/ed0f94ce/attachment.html>

From jim at xuth.net  Thu Feb 25 12:01:41 2021
From: jim at xuth.net (Jim Leonard)
Date: Thu, 25 Feb 2021 17:01:41 +0000
Subject: Two-factor authentication please read
In-Reply-To: <CAGPLMfrbt+LqyCZ2eUiBF7D3s_cPz8-QE6_zdVcgzZU+61OMDg@mail.gmail.com>
References: <CAEFFt-Fx45wKaZ4dZUKa-KP6hYODjGDfGsry_ZXT76K51V-Srw@mail.gmail.com>
 <60375782-FC3B-4F13-9612-37DA80476705@cmu.edu>
 <CAEFFt-F61rrTaPrOBGDTGh232WcgiLrQ2OJAg7PkhutGiNRorQ@mail.gmail.com>
 <CAGPLMfrbt+LqyCZ2eUiBF7D3s_cPz8-QE6_zdVcgzZU+61OMDg@mail.gmail.com>
Message-ID: <20210225170141.GP2841@xuth.net>

We already have an Auton Lab VPN deployed that has worked fairly reliably for at least as long as I've been in the lab.  Why are we not building on this instead?  Were this built upon and provided to everyone in the lab rather than just having Predrag install credentials on the work desktops, all of the issues/concerns discussed would be moot (there would be other issues but I don't think that they would be show stoppers).

On Thu, Feb 25, 2021 at 11:14:46AM -0500, Biswajit Paria wrote:
> Thank you Predrag, for trying to accommodate all our requests, while
> keeping the security of our servers in mind.
> I just wanted to +1 on Jim's comment. My workflow is in a similar situation
> (requires a lot of ssh-ing), and it would be extremely convenient to
> remember our devices for some duration.
> Hoping that we converge to a solution that is a little more convenient.
> 
> Best,
> Biswajit
> 
> On Thu, Feb 25, 2021 at 10:15 AM Predrag Punosevac <predragp at andrew.cmu.edu>
> wrote:
> 
> > No. I don't control the Duo server. I am almost 95% sure that no to Jim
> > and some other guys is due to the same reason. We use the same Duo server
> > as CMU and their identity office is setting defaults. I have received 2
> > dozen emails and it appears that I have more things to do than originally
> > anticipated. It will take me a few weeks to clear the issues.
> >
> > P^2
> >
> > On Thu, Feb 25, 2021, 10:06 AM Anthony Wertz <awertz at cmu.edu> wrote:
> >
> >> Worked for me. I wonder, since there?s only one option (duo push) can
> >> that be selected automatically? I know I?m being lazy asking you to save us
> >> two keystrokes, but?. I?m lazy. :-)
> >>
> >>
> >> - Anthony
> >>
> >> El feb. 24, 2021, a las 19:01, Predrag Punosevac <predragp at andrew.cmu.edu>
> >> escribi?:
> >>
> >> Dear Autonians,
> >>
> >> The times of password login or even passwordless with ssh keys are going
> >> the way of the dinosaurs. The Auton Lab cluster is one of the very few
> >> services at Carnegie Mellon University which can be accessed with a simple
> >> password. Shortly this is no longer going to be true. I have just turned on
> >> 2FA on
> >>
> >> lop2.autonlab.org
> >>
> >> and I will do it shortly on two other shell gateways. ssh access to the
> >> Auton Lab desktops is restricted only to their rightful owners so 2FA can
> >> wait a bit on personal desktops.
> >>
> >> At this point, I will need to ask everyone with a valid AndrewID or even
> >> with an alumni account to log into lop2.autonlab.org and make sure 2FA
> >> works for you. If you can read your Andrew emails via a browser you should
> >> not have any problems accessing the Auton Cluster with the same mobile
> >> device. If I don't hear back from you in the next 7 days I will assume that
> >> you are dandy and turn on 2FA on all our shell gateways.
> >>
> >> If your username is for some reason different than Andrew's ID we have to
> >> fix that (I am looking at you interns who became CMU grad students). There
> >> are in total 18 external accounts presumably without corresponding Andrew
> >> ID and I have the green light from sponsoring faculty to close most of
> >> those accounts. This is your last chance to access the system and get your
> >> belongings before I store them for safekeeping.
> >>
> >> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go GUI
> >> access. I have little incentive to troubleshoot it as you can use reverse
> >> SSH proxy per our documentation
> >>
> >> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
> >>
> >> for GUI or Gogs access.
> >>
> >> At this point, we have no intention to turn on 2FA inside the Lab or to
> >> require 2FA authentication for Version Control Server. Those things are
> >> located inside the outer perimeter firewall and have satisfactory security
> >> protection.
> >>
> >> Most Kind Regards,
> >> Predrag Punosevac
> >>
> >>
> >>
> >>
> >>
> 
> -- 
> Biswajit Paria
> PhD student
> Machine Learning Department
> Carnegie Mellon University

From predragp at andrew.cmu.edu  Thu Feb 25 12:45:45 2021
From: predragp at andrew.cmu.edu (Predrag Punosevac)
Date: Thu, 25 Feb 2021 12:45:45 -0500
Subject: Two-factor authentication please read
In-Reply-To: <20210225170141.GP2841@xuth.net>
References: <CAEFFt-Fx45wKaZ4dZUKa-KP6hYODjGDfGsry_ZXT76K51V-Srw@mail.gmail.com>
 <60375782-FC3B-4F13-9612-37DA80476705@cmu.edu>
 <CAEFFt-F61rrTaPrOBGDTGh232WcgiLrQ2OJAg7PkhutGiNRorQ@mail.gmail.com>
 <CAGPLMfrbt+LqyCZ2eUiBF7D3s_cPz8-QE6_zdVcgzZU+61OMDg@mail.gmail.com>
 <20210225170141.GP2841@xuth.net>
Message-ID: <CAEFFt-FjgPC05yPCD5L7P5Ktzf+7Fi90ktS1AjJo0z21X-N7Tg@mail.gmail.com>

Hi Jim,

Majority of the lab infrastructure users are cloud based and don't have the
lab issued desktops. Safely distributing and more importantly maintaining
(keeping them safe) OpenVPN cryptographic credentials on the client side
would be even more challenging. I have no problem getting OpenVPN
cryptographic credentials to people who want to use it. However, I will not
support clients nor troubleshoot your home networks.
FYI we have used 2FA for several years now
for specific purpose and it worked as desired. You have an Auton Lab
desktop so I don't see how is this change affecting you in adversarial way.

Cheers,
Predrag


On Thu, Feb 25, 2021, 12:05 PM Jim Leonard <jim at xuth.net> wrote:

> We already have an Auton Lab VPN deployed that has worked fairly reliably
> for at least as long as I've been in the lab.  Why are we not building on
> this instead?  Were this built upon and provided to everyone in the lab
> rather than just having Predrag install credentials on the work desktops,
> all of the issues/concerns discussed would be moot (there would be other
> issues but I don't think that they would be show stoppers).
>
> On Thu, Feb 25, 2021 at 11:14:46AM -0500, Biswajit Paria wrote:
> > Thank you Predrag, for trying to accommodate all our requests, while
> > keeping the security of our servers in mind.
> > I just wanted to +1 on Jim's comment. My workflow is in a similar
> situation
> > (requires a lot of ssh-ing), and it would be extremely convenient to
> > remember our devices for some duration.
> > Hoping that we converge to a solution that is a little more convenient.
> >
> > Best,
> > Biswajit
> >
> > On Thu, Feb 25, 2021 at 10:15 AM Predrag Punosevac <
> predragp at andrew.cmu.edu>
> > wrote:
> >
> > > No. I don't control the Duo server. I am almost 95% sure that no to Jim
> > > and some other guys is due to the same reason. We use the same Duo
> server
> > > as CMU and their identity office is setting defaults. I have received 2
> > > dozen emails and it appears that I have more things to do than
> originally
> > > anticipated. It will take me a few weeks to clear the issues.
> > >
> > > P^2
> > >
> > > On Thu, Feb 25, 2021, 10:06 AM Anthony Wertz <awertz at cmu.edu> wrote:
> > >
> > >> Worked for me. I wonder, since there?s only one option (duo push) can
> > >> that be selected automatically? I know I?m being lazy asking you to
> save us
> > >> two keystrokes, but?. I?m lazy. :-)
> > >>
> > >>
> > >> - Anthony
> > >>
> > >> El feb. 24, 2021, a las 19:01, Predrag Punosevac <
> predragp at andrew.cmu.edu>
> > >> escribi?:
> > >>
> > >> Dear Autonians,
> > >>
> > >> The times of password login or even passwordless with ssh keys are
> going
> > >> the way of the dinosaurs. The Auton Lab cluster is one of the very few
> > >> services at Carnegie Mellon University which can be accessed with a
> simple
> > >> password. Shortly this is no longer going to be true. I have just
> turned on
> > >> 2FA on
> > >>
> > >> lop2.autonlab.org
> > >>
> > >> and I will do it shortly on two other shell gateways. ssh access to
> the
> > >> Auton Lab desktops is restricted only to their rightful owners so 2FA
> can
> > >> wait a bit on personal desktops.
> > >>
> > >> At this point, I will need to ask everyone with a valid AndrewID or
> even
> > >> with an alumni account to log into lop2.autonlab.org and make sure
> 2FA
> > >> works for you. If you can read your Andrew emails via a browser you
> should
> > >> not have any problems accessing the Auton Cluster with the same mobile
> > >> device. If I don't hear back from you in the next 7 days I will
> assume that
> > >> you are dandy and turn on 2FA on all our shell gateways.
> > >>
> > >> If your username is for some reason different than Andrew's ID we
> have to
> > >> fix that (I am looking at you interns who became CMU grad students).
> There
> > >> are in total 18 external accounts presumably without corresponding
> Andrew
> > >> ID and I have the green light from sponsoring faculty to close most of
> > >> those accounts. This is your last chance to access the system and get
> your
> > >> belongings before I store them for safekeeping.
> > >>
> > >> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go
> GUI
> > >> access. I have little incentive to troubleshoot it as you can use
> reverse
> > >> SSH proxy per our documentation
> > >>
> > >>
> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
> > >>
> > >> for GUI or Gogs access.
> > >>
> > >> At this point, we have no intention to turn on 2FA inside the Lab or
> to
> > >> require 2FA authentication for Version Control Server. Those things
> are
> > >> located inside the outer perimeter firewall and have satisfactory
> security
> > >> protection.
> > >>
> > >> Most Kind Regards,
> > >> Predrag Punosevac
> > >>
> > >>
> > >>
> > >>
> > >>
> >
> > --
> > Biswajit Paria
> > PhD student
> > Machine Learning Department
> > Carnegie Mellon University
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210225/ca299bcd/attachment.html>

From gwelter at andrew.cmu.edu  Thu Feb 25 14:52:06 2021
From: gwelter at andrew.cmu.edu (Gus Welter)
Date: Thu, 25 Feb 2021 14:52:06 -0500
Subject: Two-factor authentication please read
In-Reply-To: <CAEFFt-FjgPC05yPCD5L7P5Ktzf+7Fi90ktS1AjJo0z21X-N7Tg@mail.gmail.com>
References: <CAEFFt-Fx45wKaZ4dZUKa-KP6hYODjGDfGsry_ZXT76K51V-Srw@mail.gmail.com>
 <60375782-FC3B-4F13-9612-37DA80476705@cmu.edu>
 <CAEFFt-F61rrTaPrOBGDTGh232WcgiLrQ2OJAg7PkhutGiNRorQ@mail.gmail.com>
 <CAGPLMfrbt+LqyCZ2eUiBF7D3s_cPz8-QE6_zdVcgzZU+61OMDg@mail.gmail.com>
 <20210225170141.GP2841@xuth.net>
 <CAEFFt-FjgPC05yPCD5L7P5Ktzf+7Fi90ktS1AjJo0z21X-N7Tg@mail.gmail.com>
Message-ID: <CAACjBDWQfDNYUk9JrkZyccSQrpG3aMySBOX95-tk4gQT0HucBA@mail.gmail.com>

Some observations/ideas...

I have this in my ~/.ssh/config file:

Host lop1 lop2 bash
    Hostname %h.autonlab.org
    User gwelter
    LocalForward 8080 git:80
Host lov1 lov2 lov3 lov4 lov5 lov6 lov7 lov8 lov9 gpu1 gpu2 gpu3 gpu4 gpu5
gpu6 gpu8 gpu9 gpu10 gpu11 gpu12 gpu13 gpu14 gpu15 gpu16 gpu17 gpu18 gpu19
gpu20 gpu21 gpu22 gpu23 gaia ari athena foxconn low1 git
    Hostname %h.int.autonlab.org
    User gwelter
    ProxyCommand ssh lop2 exec nc %h %p
    LocalForward 8888 localhost:8888
    LocalForward 8889 localhost:8889

If I do "ssh lov3" (which per config above hops automatically in via lop2),
the duo push happens automatically the menu prompt. Duo push also happens
automatically with scp command fyi.

Furthermore, if you add this to your ~/.ssh/config:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    ControlPersist 180

Once you establish a first ssh tunnel to a machine, subsequent ssh
"connections" will hop over the already-established tunnel and thus you
won't be prompted for duo authentication.

E.g.:
ssh lov3
[duo push]
ssh lov3 # in a separate terminal
[no duo push]

Best,
Gus


On Thu, Feb 25, 2021 at 12:47 PM Predrag Punosevac <predragp at andrew.cmu.edu>
wrote:

> Hi Jim,
>
> Majority of the lab infrastructure users are cloud based and don't have
> the lab issued desktops. Safely distributing and more importantly
> maintaining (keeping them safe) OpenVPN cryptographic credentials on the
> client side would be even more challenging. I have no problem getting
> OpenVPN cryptographic credentials to people who want to use it. However, I
> will not support clients nor troubleshoot your home networks.
> FYI we have used 2FA for several years now
> for specific purpose and it worked as desired. You have an Auton Lab
> desktop so I don't see how is this change affecting you in adversarial way.
>
> Cheers,
> Predrag
>
>
> On Thu, Feb 25, 2021, 12:05 PM Jim Leonard <jim at xuth.net> wrote:
>
>> We already have an Auton Lab VPN deployed that has worked fairly reliably
>> for at least as long as I've been in the lab.  Why are we not building on
>> this instead?  Were this built upon and provided to everyone in the lab
>> rather than just having Predrag install credentials on the work desktops,
>> all of the issues/concerns discussed would be moot (there would be other
>> issues but I don't think that they would be show stoppers).
>>
>> On Thu, Feb 25, 2021 at 11:14:46AM -0500, Biswajit Paria wrote:
>> > Thank you Predrag, for trying to accommodate all our requests, while
>> > keeping the security of our servers in mind.
>> > I just wanted to +1 on Jim's comment. My workflow is in a similar
>> situation
>> > (requires a lot of ssh-ing), and it would be extremely convenient to
>> > remember our devices for some duration.
>> > Hoping that we converge to a solution that is a little more convenient.
>> >
>> > Best,
>> > Biswajit
>> >
>> > On Thu, Feb 25, 2021 at 10:15 AM Predrag Punosevac <
>> predragp at andrew.cmu.edu>
>> > wrote:
>> >
>> > > No. I don't control the Duo server. I am almost 95% sure that no to
>> Jim
>> > > and some other guys is due to the same reason. We use the same Duo
>> server
>> > > as CMU and their identity office is setting defaults. I have received
>> 2
>> > > dozen emails and it appears that I have more things to do than
>> originally
>> > > anticipated. It will take me a few weeks to clear the issues.
>> > >
>> > > P^2
>> > >
>> > > On Thu, Feb 25, 2021, 10:06 AM Anthony Wertz <awertz at cmu.edu> wrote:
>> > >
>> > >> Worked for me. I wonder, since there?s only one option (duo push) can
>> > >> that be selected automatically? I know I?m being lazy asking you to
>> save us
>> > >> two keystrokes, but?. I?m lazy. :-)
>> > >>
>> > >>
>> > >> - Anthony
>> > >>
>> > >> El feb. 24, 2021, a las 19:01, Predrag Punosevac <
>> predragp at andrew.cmu.edu>
>> > >> escribi?:
>> > >>
>> > >> Dear Autonians,
>> > >>
>> > >> The times of password login or even passwordless with ssh keys are
>> going
>> > >> the way of the dinosaurs. The Auton Lab cluster is one of the very
>> few
>> > >> services at Carnegie Mellon University which can be accessed with a
>> simple
>> > >> password. Shortly this is no longer going to be true. I have just
>> turned on
>> > >> 2FA on
>> > >>
>> > >> lop2.autonlab.org
>> > >>
>> > >> and I will do it shortly on two other shell gateways. ssh access to
>> the
>> > >> Auton Lab desktops is restricted only to their rightful owners so
>> 2FA can
>> > >> wait a bit on personal desktops.
>> > >>
>> > >> At this point, I will need to ask everyone with a valid AndrewID or
>> even
>> > >> with an alumni account to log into lop2.autonlab.org and make sure
>> 2FA
>> > >> works for you. If you can read your Andrew emails via a browser you
>> should
>> > >> not have any problems accessing the Auton Cluster with the same
>> mobile
>> > >> device. If I don't hear back from you in the next 7 days I will
>> assume that
>> > >> you are dandy and turn on 2FA on all our shell gateways.
>> > >>
>> > >> If your username is for some reason different than Andrew's ID we
>> have to
>> > >> fix that (I am looking at you interns who became CMU grad students).
>> There
>> > >> are in total 18 external accounts presumably without corresponding
>> Andrew
>> > >> ID and I have the green light from sponsoring faculty to close most
>> of
>> > >> those accounts. This is your last chance to access the system and
>> get your
>> > >> belongings before I store them for safekeeping.
>> > >>
>> > >> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go
>> GUI
>> > >> access. I have little incentive to troubleshoot it as you can use
>> reverse
>> > >> SSH proxy per our documentation
>> > >>
>> > >>
>> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
>> > >>
>> > >> for GUI or Gogs access.
>> > >>
>> > >> At this point, we have no intention to turn on 2FA inside the Lab or
>> to
>> > >> require 2FA authentication for Version Control Server. Those things
>> are
>> > >> located inside the outer perimeter firewall and have satisfactory
>> security
>> > >> protection.
>> > >>
>> > >> Most Kind Regards,
>> > >> Predrag Punosevac
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> >
>> > --
>> > Biswajit Paria
>> > PhD student
>> > Machine Learning Department
>> > Carnegie Mellon University
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210225/8391e82d/attachment-0001.html>

From predragp at andrew.cmu.edu  Thu Feb 25 15:07:38 2021
From: predragp at andrew.cmu.edu (Predrag Punosevac)
Date: Thu, 25 Feb 2021 15:07:38 -0500
Subject: Two-factor authentication please read
In-Reply-To: <CAACjBDWQfDNYUk9JrkZyccSQrpG3aMySBOX95-tk4gQT0HucBA@mail.gmail.com>
References: <CAEFFt-Fx45wKaZ4dZUKa-KP6hYODjGDfGsry_ZXT76K51V-Srw@mail.gmail.com>
 <60375782-FC3B-4F13-9612-37DA80476705@cmu.edu>
 <CAEFFt-F61rrTaPrOBGDTGh232WcgiLrQ2OJAg7PkhutGiNRorQ@mail.gmail.com>
 <CAGPLMfrbt+LqyCZ2eUiBF7D3s_cPz8-QE6_zdVcgzZU+61OMDg@mail.gmail.com>
 <20210225170141.GP2841@xuth.net>
 <CAEFFt-FjgPC05yPCD5L7P5Ktzf+7Fi90ktS1AjJo0z21X-N7Tg@mail.gmail.com>
 <CAACjBDWQfDNYUk9JrkZyccSQrpG3aMySBOX95-tk4gQT0HucBA@mail.gmail.com>
Message-ID: <CAEFFt-EwoaXCdwABdhc5j+w=QgxH0Yv9VLwRHC+sPLXxMMvLeQ@mail.gmail.com>

Gus thanks a bunch!

These are the kind of ideas I really appreciate. Updating documentation is
on my to-do list and this will be the very first thing to be added.  I wish
we still live in a ladies/gentlemen world but we don't. I really don't
enjoy turning knobs and making people do extra steps to do their daily
business.

Cheers,
Predrag

On Thu, Feb 25, 2021 at 2:53 PM Gus Welter <gwelter at andrew.cmu.edu> wrote:

> Some observations/ideas...
>
> I have this in my ~/.ssh/config file:
>
> Host lop1 lop2 bash
>     Hostname %h.autonlab.org
>     User gwelter
>     LocalForward 8080 git:80
> Host lov1 lov2 lov3 lov4 lov5 lov6 lov7 lov8 lov9 gpu1 gpu2 gpu3 gpu4 gpu5
> gpu6 gpu8 gpu9 gpu10 gpu11 gpu12 gpu13 gpu14 gpu15 gpu16 gpu17 gpu18 gpu19
> gpu20 gpu21 gpu22 gpu23 gaia ari athena foxconn low1 git
>     Hostname %h.int.autonlab.org
>     User gwelter
>     ProxyCommand ssh lop2 exec nc %h %p
>     LocalForward 8888 localhost:8888
>     LocalForward 8889 localhost:8889
>
> If I do "ssh lov3" (which per config above hops automatically in via
> lop2), the duo push happens automatically the menu prompt. Duo push also
> happens automatically with scp command fyi.
>
> Furthermore, if you add this to your ~/.ssh/config:
>
> Host *
>     ControlMaster auto
>     ControlPath ~/.ssh/master-%r@%h:%p
>     ControlPersist 180
>
> Once you establish a first ssh tunnel to a machine, subsequent ssh
> "connections" will hop over the already-established tunnel and thus you
> won't be prompted for duo authentication.
>
> E.g.:
> ssh lov3
> [duo push]
> ssh lov3 # in a separate terminal
> [no duo push]
>
> Best,
> Gus
>
>
> On Thu, Feb 25, 2021 at 12:47 PM Predrag Punosevac <
> predragp at andrew.cmu.edu> wrote:
>
>> Hi Jim,
>>
>> Majority of the lab infrastructure users are cloud based and don't have
>> the lab issued desktops. Safely distributing and more importantly
>> maintaining (keeping them safe) OpenVPN cryptographic credentials on the
>> client side would be even more challenging. I have no problem getting
>> OpenVPN cryptographic credentials to people who want to use it. However, I
>> will not support clients nor troubleshoot your home networks.
>> FYI we have used 2FA for several years now
>> for specific purpose and it worked as desired. You have an Auton Lab
>> desktop so I don't see how is this change affecting you in adversarial way.
>>
>> Cheers,
>> Predrag
>>
>>
>> On Thu, Feb 25, 2021, 12:05 PM Jim Leonard <jim at xuth.net> wrote:
>>
>>> We already have an Auton Lab VPN deployed that has worked fairly
>>> reliably for at least as long as I've been in the lab.  Why are we not
>>> building on this instead?  Were this built upon and provided to everyone in
>>> the lab rather than just having Predrag install credentials on the work
>>> desktops, all of the issues/concerns discussed would be moot (there would
>>> be other issues but I don't think that they would be show stoppers).
>>>
>>> On Thu, Feb 25, 2021 at 11:14:46AM -0500, Biswajit Paria wrote:
>>> > Thank you Predrag, for trying to accommodate all our requests, while
>>> > keeping the security of our servers in mind.
>>> > I just wanted to +1 on Jim's comment. My workflow is in a similar
>>> situation
>>> > (requires a lot of ssh-ing), and it would be extremely convenient to
>>> > remember our devices for some duration.
>>> > Hoping that we converge to a solution that is a little more convenient.
>>> >
>>> > Best,
>>> > Biswajit
>>> >
>>> > On Thu, Feb 25, 2021 at 10:15 AM Predrag Punosevac <
>>> predragp at andrew.cmu.edu>
>>> > wrote:
>>> >
>>> > > No. I don't control the Duo server. I am almost 95% sure that no to
>>> Jim
>>> > > and some other guys is due to the same reason. We use the same Duo
>>> server
>>> > > as CMU and their identity office is setting defaults. I have
>>> received 2
>>> > > dozen emails and it appears that I have more things to do than
>>> originally
>>> > > anticipated. It will take me a few weeks to clear the issues.
>>> > >
>>> > > P^2
>>> > >
>>> > > On Thu, Feb 25, 2021, 10:06 AM Anthony Wertz <awertz at cmu.edu> wrote:
>>> > >
>>> > >> Worked for me. I wonder, since there?s only one option (duo push)
>>> can
>>> > >> that be selected automatically? I know I?m being lazy asking you to
>>> save us
>>> > >> two keystrokes, but?. I?m lazy. :-)
>>> > >>
>>> > >>
>>> > >> - Anthony
>>> > >>
>>> > >> El feb. 24, 2021, a las 19:01, Predrag Punosevac <
>>> predragp at andrew.cmu.edu>
>>> > >> escribi?:
>>> > >>
>>> > >> Dear Autonians,
>>> > >>
>>> > >> The times of password login or even passwordless with ssh keys are
>>> going
>>> > >> the way of the dinosaurs. The Auton Lab cluster is one of the very
>>> few
>>> > >> services at Carnegie Mellon University which can be accessed with a
>>> simple
>>> > >> password. Shortly this is no longer going to be true. I have just
>>> turned on
>>> > >> 2FA on
>>> > >>
>>> > >> lop2.autonlab.org
>>> > >>
>>> > >> and I will do it shortly on two other shell gateways. ssh access to
>>> the
>>> > >> Auton Lab desktops is restricted only to their rightful owners so
>>> 2FA can
>>> > >> wait a bit on personal desktops.
>>> > >>
>>> > >> At this point, I will need to ask everyone with a valid AndrewID or
>>> even
>>> > >> with an alumni account to log into lop2.autonlab.org and make sure
>>> 2FA
>>> > >> works for you. If you can read your Andrew emails via a browser you
>>> should
>>> > >> not have any problems accessing the Auton Cluster with the same
>>> mobile
>>> > >> device. If I don't hear back from you in the next 7 days I will
>>> assume that
>>> > >> you are dandy and turn on 2FA on all our shell gateways.
>>> > >>
>>> > >> If your username is for some reason different than Andrew's ID we
>>> have to
>>> > >> fix that (I am looking at you interns who became CMU grad
>>> students). There
>>> > >> are in total 18 external accounts presumably without corresponding
>>> Andrew
>>> > >> ID and I have the green light from sponsoring faculty to close most
>>> of
>>> > >> those accounts. This is your last chance to access the system and
>>> get your
>>> > >> belongings before I store them for safekeeping.
>>> > >>
>>> > >> There is a caveat to 2FA. I am fully aware that 2FA will break X2Go
>>> GUI
>>> > >> access. I have little incentive to troubleshoot it as you can use
>>> reverse
>>> > >> SSH proxy per our documentation
>>> > >>
>>> > >>
>>> https://www.autonlab.org/autonlab_wiki/new_arrivals.html#version-control
>>> > >>
>>> > >> for GUI or Gogs access.
>>> > >>
>>> > >> At this point, we have no intention to turn on 2FA inside the Lab
>>> or to
>>> > >> require 2FA authentication for Version Control Server. Those things
>>> are
>>> > >> located inside the outer perimeter firewall and have satisfactory
>>> security
>>> > >> protection.
>>> > >>
>>> > >> Most Kind Regards,
>>> > >> Predrag Punosevac
>>> > >>
>>> > >>
>>> > >>
>>> > >>
>>> > >>
>>> >
>>> > --
>>> > Biswajit Paria
>>> > PhD student
>>> > Machine Learning Department
>>> > Carnegie Mellon University
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.srv.cs.cmu.edu/pipermail/autonlab-users/attachments/20210225/ae731ab0/attachment.html>