Attending
Members
- John Bradley, Independent
- Rob Carter, Duke (Chair)
- Matthew Economou, InCommon TAC Representative to CACTI
- Stoney Gan, University of South Florida
- Kevin Hickey, Detroit Mercy
- Barry Johnson, Clemson University
- Marina Krenz, REN-ISAC
- Chris Phillips, CANARIE
- Erik Scott, RENC
Internet2
- Ann West
- Steve Zoppi
- David Walker
Regrets
- Les La Croix
- Nicole Roy
- Mike Grady
Action Items
- Marina Krenz agreed to give a 10-minute community update in the 1/18/2022 meeting.
- Rob will structure a discussion of CACTI's backlog issues for the 1/18/2022 call with the goal of creating a work plan for 2022. Chris will help.
Discussion
Agenda Bash
- Chris suggested a little reflection on the recent log4j events. It was added to the backlog topic below.
- John mentioned that NIST is looking to collaborate with organizations like Internet2 on cybersecurity issues, e.g., for the first responders' network, FirstNet.
Community Updates
- Marina Krenz agreed to give a 10-minute community update in the 1/18/2022 meeting.
Review of CACTI topics backlog
- https://docs.google.com/spreadsheets/d/1pAyB9b9eUUhacmVivJlACMOfJFVtfVCxAc8fHBtULik/edit#gid=198555470
- log4j
- Specially formatted log records can cause log4j to execute remote code, a security issue for any application that includes log4j. It's a supply chain issue, but it caught many people unawares, making it also an incident response issue.
- From Steve in chat: https://imgs.xkcd.com/comics/dependency.png
- People were scrambling. Published fixes were found to need further fixing.
- This happens all the time, also with vendor products. The community needs to think about how to use its communication channels to share information: often just for awareness, but (when appropriate and authoritative) also details of the vulnerability and what to do about it.
- Whose role is this? REN-ISAC? CACTI? Internet2? eduGAIN?
- This is a good topic for CACTI this year.
- Understanding our dependencies is very important. Minimizing them provides more flexibility but increases the difficulty of creating software.
- Steve: This problem is an ocean, and we can’t boil more than a bucket.
- Rob: This can be added to the questions the new work group will be asking the community.
- Kevin Hickey in chat: A zero day such as this only allows for reaction. I guess the question is, what can be planned in advance to assist the reaction?
- Quick review of CACTI Discussion Topic Voting (Responses)
- Rob will structure a discussion of the issues for the 1/18/2022 call with the goal of creating a work plan for 2022. Chris will help.
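To make the "understanding our dependencies" point from the log4j discussion concrete, here is an added example (not from the meeting or from any CACTI or Internet2 project) that walks the text output of Maven's `dependency:tree` and reports every transitive path by which a given artifact, here log4j-core, enters a build, flagging copies older than a minimum version. The sample tree, its coordinates and versions, and the 2.50.0 threshold are constructed placeholders; the real lower bound has to come from the upstream advisory and be rechecked when that advisory is revised.

```python
import re
from typing import List, Tuple

# Matches one artifact line of `mvn dependency:tree` text output, e.g.
#   [INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.10.0:compile
# The tree-drawing prefix is 3 characters per nesting level.
_LINE = re.compile(
    r"^\[INFO\]\s(?P<prefix>[|\s+\\-]*)"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:]+):[^:]+:(?P<version>[^:]+)"
)

# Constructed sample: a web app that pulls log4j-core in twice, transitively,
# at two different versions (all coordinates and versions are made up).
SAMPLE_TREE = (
    "[INFO] edu.example:portal:war:1.0.0\n"
    "[INFO] +- org.example:web-framework:jar:3.1.0:compile\n"
    "[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.10.0:compile\n"
    "[INFO] +- org.example:search-engine:jar:8.0.0:compile\n"
    "[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.99.0:compile\n"
    "[INFO] \\- org.example:metrics:jar:1.2.0:compile\n"
)

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric triple for comparison; missing parts pad with 0, suffixes are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", v)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def dependency_paths(tree_text: str, group: str, artifact: str) -> List[Tuple[str, List[str]]]:
    """Every occurrence of group:artifact as (version, path of coordinates from the root)."""
    stack: List[str] = []  # coordinates of the ancestors at each depth
    hits: List[Tuple[str, List[str]]] = []
    for line in tree_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        del stack[depth:]  # leaving a subtree drops its descendants
        stack.append(f"{m.group('group')}:{m.group('artifact')}:{m.group('version')}")
        if (m.group("group"), m.group("artifact")) == (group, artifact):
            hits.append((m.group("version"), list(stack)))
    return hits

def flag_below(tree_text: str, group: str, artifact: str, min_safe: str) -> List[Tuple[str, List[str]]]:
    """Occurrences older than min_safe (placeholder; use the bound the advisory names)."""
    floor = parse_version(min_safe)
    return [(v, p) for v, p in dependency_paths(tree_text, group, artifact) if parse_version(v) < floor]

if __name__ == "__main__":
    for version, path in flag_below(SAMPLE_TREE, "org.apache.logging.log4j", "log4j-core", "2.50.0"):
        print(version, " -> ".join(path))
```

Run against real `mvn dependency:tree` output, the path column is what tells a team which direct dependency (and therefore which vendor or upstream) they have to chase for a fix.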
Next CACTI Meeting: Tuesday, January 18 2022