
posted by cmn32480 on Sunday February 07 2016, @01:04AM
from the it's-their-computer-network dept.

The Register reports on an uproar following the discovery of an Internet traffic spying device on campus at the University of California Berkeley:

Academics at the University of California Berkeley have protested after it emerged that management had put a secret data slurping device into the campus that was mapping and storing all network traffic. "The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus and has enough local storage to save over 30 days of all this data," Ethan Ligon, a member of the Senate-Administration Joint Committee on Campus Information Technology, wrote in an e-mail to fellow faculty members, the SF Chronicle reports.

Benjamin Hermalin, chairman of the UC Berkeley Academic Senate, also expressed serious concerns about the monitoring, and about the storage of the data off-campus. As a third party company is running the device, rather than the university's IT staff, there were also privacy issues to consider.

The device was installed after UCLA Health was hacked in June. Who ordered the installation of the device? None other than former Governor of Arizona and United States Secretary of Homeland Security Janet Napolitano, who is now the President of the University of California.

A statement from the chair of the University Committee on Academic Computing and Communications has this to say about the monitoring:

We have been informed that the monitoring of communications looked only for "malware signatures" and Internet traffic patterns. As neither message content nor browsing activity were monitored, we believe this level of monitoring can be appropriate.

We have been informed that monitoring of transmissions occurs only at campus edge, and does not capture internal campus traffic. Monitoring of traffic patterns for a pre-defined purpose can be appropriate given that results are maintained for a limited time and limited use.


Original Submission

  • (Score: 4, Informative) by Anonymous Coward on Sunday February 07 2016, @01:16AM

    by Anonymous Coward on Sunday February 07 2016, @01:16AM (#300001)

    Only a few days ago, Berkeley students filed a lawsuit against Google for mining their email: http://www.theregister.co.uk/2016/02/03/college_students_sue_google/ [theregister.co.uk]

  • (Score: 5, Insightful) by Gravis on Sunday February 07 2016, @01:39AM

    by Gravis (4596) on Sunday February 07 2016, @01:39AM (#300004)

    We have been informed that the monitoring of communications looked only for "malware signatures" and Internet traffic patterns. As neither message content nor browsing activity were monitored

    according to who? the DHS? the NSA? other government branches that lie to the public regularly?

    • (Score: 2) by davester666 on Sunday February 07 2016, @08:50AM

      by davester666 (155) on Sunday February 07 2016, @08:50AM (#300119)

      The NSA was only involved in making sure the hardware safely made it to the campus.

    • (Score: 0) by Anonymous Coward on Sunday February 07 2016, @04:48PM

      by Anonymous Coward on Sunday February 07 2016, @04:48PM (#300240)
      Have to love that this is about protecting the network from an attack when almost all attacks come from within the network. Something like this obviously (to an insider) should've been cleared with the Academic Senate, this pretty much ends trust in Napolitano.
       
      Right now the faculty are trying to figure out what's going on (https://www.insidehighered.com/news/2016/02/01/u-california-faculty-members-object-new-email-monitoring [insidehighered.com]). Based on the intellectual IT firepower in the targeted group this could get interesting. This will not play well in the international higher ed market.
  • (Score: 1) by Arik on Sunday February 07 2016, @02:19AM

    by Arik (4543) on Sunday February 07 2016, @02:19AM (#300008) Journal
    Janet Napolitano is no relation whatsoever to Johnette Napolitano, nor to Andrew Napolitano, neither of whom are in any way liable for her actions.

    Thank you.
    --
    If laughter is the best medicine, who are the best doctors?
  • (Score: 0) by Anonymous Coward on Sunday February 07 2016, @02:40AM

    by Anonymous Coward on Sunday February 07 2016, @02:40AM (#300010)

    Would they be as outraged if the uni IT department enabled the traffic logging (ahem - spying)?

    Also how much internal traffic does not cross the 'edge' at some point?

    Dichotomy of the modern age - information must be free, unless it is mine!

    • (Score: 2) by linkdude64 on Sunday February 07 2016, @09:07AM

      by linkdude64 (5482) on Sunday February 07 2016, @09:07AM (#300123)

      "the uni IT department"

      I imagine that before you are given authorization to access any campus network you have to sign a EULA that states your traffic can be monitored or logged.

      Who signed the EULA for this agency's device?

  • (Score: 3, Interesting) by NotSanguine on Sunday February 07 2016, @03:03AM

    TFA and the various links in TFA don't detail what "monitoring" tools were in use.

    Most large organizations use some form of IDS/IPS [wikipedia.org] in conjunction with SIEM [wikipedia.org] systems to identify potential attacks, threats and compromises.

    IDS/IPS systems used in conjunction with SIEM systems could certainly fit the description given in TFS:

    "The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus and has enough local storage to save over 30 days of all this data,"

    While it's not clear (given that the above sentence is all of the detail provided) what exactly it is that is in use, given that it was installed in response to network intrusions elsewhere in the UC system, IPS/IDS and SIEM systems seem to be a likely candidate.

    IDS/IPS monitoring, log aggregation and correlation are an important part of securing and managing large networks. If that's what they're doing, this is just paranoia (although, given the current environment, a little paranoia is a good thing, IMHO).

    If, however, UC is actually snarfing up all the network packets and storing them for later perusal, that's a big problem.

    That said, most .EDU IT organizations are woefully understaffed and underfunded already. How many man-hours would be required to actually review all network connections (presumably including https connections -- via transparent proxies with forced install of UC signed certificates on network devices)? As such, that sounds rather unlikely.

    In the absence of any real information, I'm going to assume that this is pretty standard IDS/IPS with log aggregation/correlation, rather than some massive plot to spy on UC students, faculty, staff and visitors. I could be wrong. I don't think I am.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 4, Insightful) by Whoever on Sunday February 07 2016, @04:54AM

      by Whoever (4524) on Sunday February 07 2016, @04:54AM (#300056) Journal

      In the absence of any real information, I'm going to assume that this is pretty standard IDS/IPS with log aggregation/correlation, rather than some massive plot to spy on UC students, faculty, staff and visitors. I could be wrong. I don't think I am.

      Why the secrecy about the device? If its purpose is purely intrusion detection and nothing else, then there is little reason to keep its existence secret.

      The problem here is the secrecy. No one really knows what this device does. No one knows how secure it is -- its primary function may be as an IDS, but perhaps it also has other functions.

      • (Score: 2) by NotSanguine on Sunday February 07 2016, @05:59AM

        The problem here is the secrecy. No one really knows what this device does. No one knows how secure it is -- its primary function may be as an IDS, but perhaps it also has other functions.

        No. You don't know what it does. It may well have lots of functions. But that doesn't mean it was installed for nefarious purposes. What's more nothing in TFS (or TFA for that matter) provides a lick of evidence that anything nefarious is going on.

        I know, I know. Capturing network data bad!. What you likely don't realize is just how much data we're talking about. If UCB was actually capturing all the network traffic traversing its internet-facing links, even with lots of automation, it would require dozens, if not hundreds of people to parse and analyze it. And to what purpose? From a technical and resource utilization perspective, it just doesn't make sense.

        Just for fun, go ahead and capture all the network traffic coming in and out of your *home* network for just 24 hours. Disk space is cheap these days, so you may well have enough to hold all the captured packets. Then go and see how long it takes to analyze the traffic. And that's just for you and anyone else in your household. UCB has 40,000 students. That doesn't include faculty, staff, visitors and others who may use the campus network.

        I've found that most people don't understand how networks are secured and managed -- in many cases, even the folks tasked with securing and managing networks. Which is likely why folks are up in arms -- because they have no idea what's going on and someone wanted to raise their profile by making something sound scary.

        A wide variety of completely normal equipment has the capability to be (and often has an actual, valid requirement which has nothing to do with spying on anyone) for "capturing and analyzing all network traffic to and from the Berkeley campus."

        Routers, firewalls, IDS/IPS devices and application proxies come immediately to mind.

        TFS and TFA are so sorely lacking in detail, they're essentially semantically null.

        For all we know, the IT group did one or more of the following:
        started sending firewall logs to a syslog server;
        enabled Netflow on edge routers;
        added IDS/IPS functionality with or without SIEM integration;
        installed traffic mirroring devices and started shipping every single packet to UCB's secret Ukiah data center [wikipedia.org].

        Given what little information was actually provided in TFS and TFA, I applied Ockham's Razor and theorized that it was likely the third option (and hopefully all of the first three) -- and almost certainly wasn't the fourth.

        What's more, given that in the letter [universityofcalifornia.edu] sent to the UC Academic Senate, the chair of the UC Committee on Academic Computing and Communications said:

        The committee met with Tom Andriola, UC’s Chief Information Officer, David Rusting, UC’s Chief Information Security Officer, and Roslyn Martorano, UC’s Systemwide Privacy Manager. They described in some detail the UCLA incident and the actions taken in its aftermath, and they responded to the committee’s questions. They have published a web site (security.ucop.edu) with cyber-security information. They have also indicated their availability to describe and demonstrate to interested faculty the security measures at issue.
        [Emphasis Added]

        in addition to the portion quoted in TFS.

        The website referred to in the letter includes all manner of policy and other information, including this gem [berkeley.edu].

        The letter also mentions that it handled communications about this project poorly:

        Openness and transparency of process are hallmarks of shared governance and should be the default practice in adopting any new security measures. We find that the observance of due process in the adoption of security measures is critical.

        The faculty should have been informed and consulted at the earliest stages of the process and should be involved in future decision making. Going forward we strongly encourage greater engagement with the faculty via the Academic Senate.

        You may see evil spies lurking under every classroom desk. I see what is probably reasonable InfoSec policy implementation which was poorly communicated to relevant stakeholders.

        • (Score: 2) by HiThere on Sunday February 07 2016, @07:56PM

          by HiThere (866) Subscriber Badge on Sunday February 07 2016, @07:56PM (#300290) Journal

          Threat analysis: You look at what the potential threat can do, not what it claims it's going to do, or what you hope it will do.

          So this is a secretly installed device with unknown capabilities, but which is claimed to be capable of monitoring (whatever it means by that) all of your electronic communications and storing the results for analysis.

          That's a fairly reasonably high threat level. About as high as any virus would have....perhaps higher than all viruses put together.

          It *MIGHT* be justifiable if you are expecting intrusion from a source with lots of expertise and funding, say something sponsored by a major corporation of a fairly large and modern country. But in such a case I would expect it to be inadequate.

          --
          Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 4, Insightful) by Soybean on Sunday February 07 2016, @05:13AM

      by Soybean (5020) on Sunday February 07 2016, @05:13AM (#300067)

      most .EDU IT organizations are woefully understaffed and underfunded already. How many man-hours would be required to actually review all network connections

      You are presuming that university staff are the ones doing the reviews. Want to bet that somewhere in the 65 billion dollar DHS budget, the 53 billion dollar NSA budget, or one of the other less well known agencies' budgets there is at least one program to review data collected from university network traffic for 'anti-terrorism' purposes?

      Like Whoever said, the muzzling of the IT staff forbidding them from even talking about this stuff makes it look like way more than just some typical network troubleshooting tool.

      • (Score: 2) by NotSanguine on Sunday February 07 2016, @06:03AM

        You are presuming that university staff are the ones doing the reviews. Want to bet that somewhere in the 65 billion dollar DHS budget, the 53 billion dollar NSA budget, or one of the other less well known agencies' budgets there is at least one program to review data collected from university network traffic for 'anti-terrorism' purposes?

        As far as UCB is concerned, I'll take that bet.

        Like Whoever said, the muzzling of the IT staff forbidding them from even talking about this stuff makes it look like way more than just some typical network troubleshooting tool.

        Read the letter referenced in TFS. No one is being "muzzled." Any lack of transparency is either poor communication or an unwillingness to disclose every piece of InfoSec infrastructure to every cracker on the planet.

        As I said before, I could be wrong. But I'm probably not.

        --
        No, no, you're not thinking; you're just being logical. --Niels Bohr
        • (Score: 2) by NotSanguine on Sunday February 07 2016, @06:05AM

          My apologies. I screwed up the link to the letter in TFS in my reply.

          Here it is again [universityofcalifornia.edu]. I wouldn't want you to have to scroll all the way back up to the top to find it.

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr
          • (Score: 1, Informative) by Anonymous Coward on Sunday February 07 2016, @03:37PM

            by Anonymous Coward on Sunday February 07 2016, @03:37PM (#300207)

            Well, I've read that letter twice and I don't see anything that addresses the claims that IT staff were forbidden from discussing the system. The closest is their accusation that, "the degree to which these actions were kept secret, constituted a serious failure of shared governance."

            What I do see is a lot of weasel wording about what's not monitored that leaves giant loopholes for meta-data collection. Also that the people writing the letter have no way to independently verify any of the claims.

            • (Score: 1, Flamebait) by NotSanguine on Sunday February 07 2016, @03:54PM

              Also that the people writing the letter have no way to independently verify any of the claims.

              I guess reading comprehension isn't your strong suit. From the letter [universityofcalifornia.edu]:

              The committee met with Tom Andriola, UC’s Chief Information Officer, David Rusting, UC’s Chief Information Security Officer, and Roslyn Martorano, UC’s Systemwide Privacy Manager. They described in some detail the UCLA incident and the actions taken in its aftermath, and they responded to the committee’s questions. They have published a web site (security.ucop.edu) with cyber-security information. They have also indicated their availability to describe and demonstrate to interested faculty the security measures at issue.
              [Emphasis Added]

              Let's go through that sentence, okay. They (meaning the IT organization) have also indicated their availability (that is, get in touch with those self-same IT folks and we'll get together) to describe (explain what we're doing and why) and demonstrate (show you what it is we're doing) to interested faculty (those that want to know) the security measures (well, we're not going to post it on the Internet and let every cracker or SN Anonymous Coward see what our security infrastructure looks like. That would be pretty dumb, wouldn't it?) at issue.

              Do you get it now, or should we go through it again with smaller words?

              --
              No, no, you're not thinking; you're just being logical. --Niels Bohr
              • (Score: 0) by Anonymous Coward on Monday February 08 2016, @10:14PM

                by Anonymous Coward on Monday February 08 2016, @10:14PM (#300962)

                "Achieving a greater degree of certainty would require an independent audit, which we are not prepared to undertake and which would still be subject to question."

                M'kay?

                • (Score: 2) by NotSanguine on Monday February 08 2016, @11:50PM

                  No. Not "m'kay."

                  If you're so sure there's a problem, why don't you file suit [ca.gov].

                  Here are some tips on finding the right lawyer [ca.gov].

                  You could run your own audit. Here's some info [berkeley.edu] to get you started.

                  Or hire someone [cybersecurityventures.com] to do the audit for you.

                  What? Not willing to spend your own time and money to get to the bottom of this evil conspiracy designed to steal your liberty and privacy? I guess it isn't really that important to you. Perhaps you just want to complain anonymously about 'all teh evil' on the intertubes.

                  You go, girlfriend!

                  --
                  No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 2) by jelizondo on Sunday February 07 2016, @04:37AM

    by jelizondo (653) Subscriber Badge on Sunday February 07 2016, @04:37AM (#300048) Journal

    Sometime ago, I was in charge of a corporate network and most people, including top-level executives and shareholders did not realize I could read their emails and any other data that went thru the network; the only thing stopping me was my lack of desire to look at someone else's data.

    Except one time, which by accident, as I was doing some upgrade or another, a connection to the Internet at six in the morning caught my attention... like no one is supposed to be at the offices at this time, where is this connection from? Well, one of our top-level guys had a connection to the network from home and what the hell is this guy doing at this ungodly hour?.... Watching porn!

    I found it so funny that this guy, probably before breakfast and a shower, was using his connection to watch porn that I could not resist later that day to drop some comment like, "Nice site you found, I didn't know about it" or some shit like it. The guy went pale then red, turned about and left without a word... he was a devout Christian (or so he seemed) and we never spoke about it again.

    Just for fun I traced his Internet connection for some weeks but he never used the company's connection for porn again...

    So what is stopping these guys from looking at emails, Internet connections and any other data? How are those rules (assuming they exist) being reviewed and enforced? Who is supervising? Who is watching the supervisor?

    God, there are so many things wrong with such a setup that I can't list them all!

    • (Score: -1, Troll) by Anonymous Coward on Sunday February 07 2016, @04:51AM

      by Anonymous Coward on Sunday February 07 2016, @04:51AM (#300053)

      Except one time, which by accident, as I was doing some upgrade or another, a connection to the Internet at six in the morning caught my attention... like no one is supposed to be at the offices at this time, where is this connection from? Well, one of our top-level guys had a connection to the network from home and what the hell is this guy doing at this ungodly hour?.... Watching porn!

      I found it so funny that this guy, probably before breakfast and a shower, was using his connection to watch porn that I could not resist later that day to drop some comment like, "Nice site you found, I didn't know about it" or some shit like it. The guy went pale then red, turned about and left without a word... he was a devout Christian (or so he seemed) and we never spoke about it again.

      Just for fun I traced his Internet connection for some weeks but he never used the company's connection for porn again...

      Please send me your resume so that I know never to hire your completely unprofessional ass.

      So what is stopping these guys from looking at emails, Internet connections and any other data? How are those rules (assuming they exist) being reviewed and enforced? Who is supervising? Who is watching the supervisor?

      God, there are so many things wrong with such a setup that I can't list them all!

      Which only goes to show that not only are you unethical, you're ignorant and likely incompetent as well. Thanks for letting us all know.

      • (Score: 1, Informative) by Anonymous Coward on Sunday February 07 2016, @10:32AM

        by Anonymous Coward on Sunday February 07 2016, @10:32AM (#300140)

        Too bad this got modded as "Troll." This snip from the parent, for example...

        the only thing stopping me was my lack of desire to look at someone else's data.

        ...is a red flag, and I wouldn't hire you either.

        The "only thing" stopping you should be your code of ethics and sense of responsibility as a System Administrator.

        See here, if you need a refresher:

        https://www.usenix.org/lisa/system-administrators-code-ethics [usenix.org]

        • (Score: 0) by Anonymous Coward on Sunday February 07 2016, @02:10PM

          by Anonymous Coward on Sunday February 07 2016, @02:10PM (#300183)

          Thanks for the link to the code of ethics. For over twenty years I have held myself and my employees to nearly identical standards but I didn't know someone had documented them so nicely. I'm going to hang a copy in each of our IT offices, server closets, and in the break areas near the various labor law posters. The people who trust us deserve to know that we take this stuff seriously...

  • (Score: 0) by Anonymous Coward on Sunday February 07 2016, @07:27AM

    by Anonymous Coward on Sunday February 07 2016, @07:27AM (#300102)

    We have been informed that the monitoring of communications looked only for "malware signatures" and Internet traffic patterns.

    Informed? So there's no checking that this claim is actually true?

    I've also been informed that some Nigerian prince wants to give me lots of money if I help him with some money transaction. Since I got the information, it must be true, right?

    Oh, and what exactly are "Internet traffic patterns" anyway? If person X regularly visits web site Y, that's also a pattern clearly visible in the Internet traffic. The same is true for regular email contacts.

    "Oh, this guy is exchanging lots of email with a certain company, maybe they have a project running, well, I can guess what it might be, especially given that he frequently visits a specific documentation site for that subject. We should hurry up our own research on this topic in order to be first!"
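An added example, not code from the article, the UC letter or any commenter, that serves two points raised in the thread: NotSanguine's list of ordinary edge measures (syslog, NetFlow, IDS/IPS) and the question above about what "Internet traffic patterns" reveal. It models a NetFlow-style edge log with constructed records, hypothetical addresses and a hypothetical indicator list, and shows three things in one pass: an indicator match that needs no payload at all, the per-host destination pattern that metadata alone exposes, and a retention purge that bounds how far back such patterns can be reconstructed. The 30-day window follows the figure quoted in the story; everything else is an assumption.

```python
"""Edge flow-record triage (added example; all hosts, indicators and names are
hypothetical, the sample log is constructed, and nothing here is UC's system).
Given NetFlow-style records from a campus edge, it keeps only edge-crossing
flows, purges records past the retention window, matches destinations against
an indicator list, and reports the repeat-destination pattern metadata reveals.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

CAMPUS = [ip_network("10.0.0.0/8")]          # hypothetical campus address space
# Hypothetical indicator list: the simplest "malware signature" that works on
# metadata alone, a (destination IP, port) pair known to be bad.
INDICATORS = {("203.0.113.7", 443), ("198.51.100.9", 6667)}
RETENTION = timedelta(days=30)               # the 30 days quoted in the story

# Constructed flow records: (timestamp, src, dst, dport, bytes)
SAMPLE_FLOWS = [
    ("2016-01-05T09:00:00", "10.1.2.3", "192.0.2.10", 443, 12000),
    ("2016-01-06T09:05:00", "10.1.2.3", "192.0.2.10", 443, 15000),
    ("2016-02-01T10:00:00", "10.1.2.3", "192.0.2.10", 443, 9000),
    ("2016-02-03T23:10:00", "10.4.4.4", "203.0.113.7", 443, 800),
    ("2016-02-03T23:11:00", "10.4.4.4", "10.9.9.9", 22, 300),   # internal only
    ("2016-02-04T08:30:00", "10.1.2.3", "192.0.2.10", 443, 10000),
    ("2016-02-05T08:00:00", "10.1.2.3", "192.0.2.10", 443, 11000),
    ("2016-02-06T12:00:00", "10.5.5.5", "198.51.100.9", 6667, 150),
]


def parse(rec):
    ts, src, dst, dport, nbytes = rec
    return {"ts": datetime.fromisoformat(ts), "src": ip_address(src),
            "dst": ip_address(dst), "dport": dport, "bytes": nbytes}


def is_campus(addr):
    return any(addr in net for net in CAMPUS)


def edge_only(flows):
    """Keep flows that cross the campus edge: exactly one endpoint is internal."""
    return [f for f in flows if is_campus(f["src"]) != is_campus(f["dst"])]


def purge(flows, now):
    """Enforce the retention window: drop anything older than RETENTION."""
    return [f for f in flows if now - f["ts"] <= RETENTION]


def match_indicators(flows):
    """Signature-style check on metadata: (dst, port) against the indicator list."""
    return [f for f in flows if (str(f["dst"]), f["dport"]) in INDICATORS]


def destination_pattern(flows, min_days=3):
    """What metadata alone reveals: internal hosts that reach the same
    destination on at least min_days distinct days ('X regularly visits Y')."""
    days = defaultdict(set)
    for f in flows:
        days[(str(f["src"]), str(f["dst"]))].add(f["ts"].date())
    return {k: len(v) for k, v in days.items() if len(v) >= min_days}


def triage(records, now):
    flows = purge(edge_only(parse(r) for r in records), now)
    return {
        "kept": len(flows),
        "alerts": [(str(f["src"]), str(f["dst"]), f["dport"])
                   for f in match_indicators(flows)],
        "patterns": destination_pattern(flows),
    }


def run_sample():
    """Triage the constructed log as of a fixed 'now' so results are reproducible."""
    return triage(SAMPLE_FLOWS, datetime(2016, 2, 7))


if __name__ == "__main__":
    print(run_sample())
```

The purge runs before the pattern step on purpose: with the two January records dropped, the 10.1.2.3 to 192.0.2.10 relationship is still visible from three February days, which is the point the commenter makes, and the retention window is what caps how long that relationship stays reconstructable. The two alerts come from destination and port alone, so a sensor that stores only this much can still do the "malware signature" job the statement describes.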

  • (Score: 0) by Anonymous Coward on Sunday February 07 2016, @04:33PM

    by Anonymous Coward on Sunday February 07 2016, @04:33PM (#300234)

    i wonder how they catch all those hackers if all they do is relay and no touching.
    the world would probably run amok with hackers if internet data traffic weren't copied and logged "somewhere".

    since we're still talking (and not crashing-on-connect, exempt some "not a door version X os") the question that
    should be asked, rather, isn't it enough that the uni's isp is logging, the isp of the isp is logging,
    the DHS is logging and prolly the nasa-minus-one-"a" is logging, the uni wants to log too so as to be able to double check their logging results with the others?

    maybe somebody can make an extra buck and provide scientific references as to why
    an off-site backup of the logging data would be a good idea and that ofc this off-site ... site
    needs to be logged also and ... uhm ... errr... maybe requires a backup too. preferably .. uhm ...err off-site.

    50% of internet traffic is logging?
    ^_^