
posted by cmn32480 on Sunday February 07 2016, @01:04AM   Printer-friendly
from the it's-their-computer-network dept.

The Register reports on an uproar following the discovery of an Internet traffic spying device on campus at the University of California Berkeley:

Academics at the University of California Berkeley have protested after it emerged that management had put a secret data slurping device into the campus that was mapping and storing all network traffic. "The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus and has enough local storage to save over 30 days of all this data," Ethan Ligon, a member of the Senate-Administration Joint Committee on Campus Information Technology, wrote in an e-mail to fellow faculty members, the SF Chronicle reports.

Benjamin Hermalin, chairman of the UC Berkeley Academic Senate, also expressed serious concerns about the monitoring, and about the storage of the data off-campus. As a third party company is running the device, rather than the university's IT staff, there were also privacy issues to consider.

The device was installed after UCLA Health was hacked in June. Who ordered the installation of the device? None other than the former Governor of Arizona and United States Secretary of Homeland Security Janet Napolitano, who is now the President of the University of California.

A statement from the chair of the University Committee on Academic Computing and Communications has this to say about the monitoring:

We have been informed that the monitoring of communications looked only for "malware signatures" and Internet traffic patterns. As neither message content nor browsing activity were monitored, we believe this level of monitoring can be appropriate.

We have been informed that monitoring of transmissions occurs only at campus edge, and does not capture internal campus traffic. Monitoring of traffic patterns for a pre-defined purpose can be appropriate given that results are maintained for a limited time and limited use.

  • (Score: 3, Interesting) by NotSanguine on Sunday February 07 2016, @03:03AM

    TFA and the various links in TFA don't detail what "monitoring" tools were in use.

    Most large organizations use some form of IDS/IPS [wikipedia.org] in conjunction with SIEM [wikipedia.org] systems to identify potential attacks, threats and compromises.

    IDS/IPS systems used in conjunction with SIEM systems could certainly fit the description given in TFS:

    "The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus and has enough local storage to save over 30 days of all this data,"

    While it's not clear (given that the above sentence is all of the detail provided) what exactly it is that is in use, given that it was installed in response to network intrusions elsewhere in the UC system, IPS/IDS and SIEM systems seem to be a likely candidate.

    IDS/IPS monitoring, log aggregation and correlation are an important part of securing and managing large networks. If that's what they're doing, this is just paranoia (although, given the current environment, a little paranoia is a good thing, IMHO).

    If, however, UC is actually snarfing up all the network packets and storing them for later perusal, that's a big problem.

    That said, most .EDU IT organizations are woefully understaffed and underfunded already. How many man-hours would be required to actually review all network connections (presumably including https connections -- via transparent proxies with forced install of UC signed certificates on network devices)? As such, that sounds rather unlikely.

    In the absence of any real information, I'm going to assume that this is pretty standard IDS/IPS with log aggregation/correlation, rather than some massive plot to spy on UC students, faculty, staff and visitors. I could be wrong. I don't think I am.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 4, Insightful) by Whoever on Sunday February 07 2016, @04:54AM


    In the absence of any real information, I'm going to assume that this is pretty standard IDS/IPS with log aggregation/correlation, rather than some massive plot to spy on UC students, faculty, staff and visitors. I could be wrong. I don't think I am.

    Why the secrecy about the device? If its purpose is purely intrusion detection and nothing else, then there is little reason to keep its existence secret.

    The problem here is the secrecy. No one really knows what this device does. No one knows how secure it is -- its primary function may be as an IDS, but perhaps it also has other functions.

    • (Score: 2) by NotSanguine on Sunday February 07 2016, @05:59AM

      The problem here is the secrecy. No one really knows what this device does. No one knows how secure it is -- its primary function may be as an IDS, but perhaps it also has other functions.

      No. You don't know what it does. It may well have lots of functions. But that doesn't mean it was installed for nefarious purposes. What's more nothing in TFS (or TFA for that matter) provides a lick of evidence that anything nefarious is going on.

      I know, I know. Capturing network data bad! What you likely don't realize is just how much data we're talking about. If UCB was actually capturing all the network traffic traversing its internet-facing links, even with lots of automation, it would require dozens, if not hundreds of people to parse and analyze it. And to what purpose? From a technical and resource utilization perspective, it just doesn't make sense.

      Just for fun, go ahead and capture all the network traffic coming in and out of your *home* network for just 24 hours. Disk space is cheap these days, so you may well have enough to hold all the captured packets. Then go and see how long it takes to analyze the traffic. And that's just for you and anyone else in your household. UCB has 40,000 students. That doesn't include faculty, staff, visitors and others who may use the campus network.

      I've found that most people don't understand how networks are secured and managed -- in many cases, even the folks tasked with securing and managing networks. Which is likely why folks are up in arms -- because they have no idea what's going on and someone wanted to raise their profile by making something sound scary.

      A wide variety of completely normal equipment has the capability to be (and often has an actual, valid requirement which has nothing to do with spying on anyone) for "capturing and analyzing all network traffic to and from the Berkeley campus."

      Routers, firewalls, IDS/IPS devices and application proxies come immediately to mind.

      TFS and TFA are so sorely lacking in detail, they're essentially semantically null.

      For all we know, the IT group did one or more of the following:
      started sending firewall logs to a syslog server;
      enabled Netflow on edge routers;
      added IDS/IPS functionality with or without SIEM integration;
      installed traffic mirroring devices and started shipping every single packet to UCB's secret Ukiah data center [wikipedia.org].

      Given what little information was actually provided in TFS and TFA, I applied Ockham's Razor and theorized that it was likely the third option (and hopefully all of the first three) -- and almost certainly wasn't the fourth.

      What's more, given that in the letter [universityofcalifornia.edu] sent to the UC Academic Senate, the chair of the UC Committee on Academic Computing and Communications said:

      The committee met with Tom Andriola, UC’s Chief Information Officer, David Rusting, UC’s Chief Information Security Officer, and Roslyn Martorano, UC’s Systemwide Privacy Manager. They described in some detail the UCLA incident and the actions taken in its aftermath, and they responded to the committee’s questions. They have published a web site (security.ucop.edu) with cyber-security information. They have also indicated their availability to describe and demonstrate to interested faculty the security measures at issue.
      [Emphasis Added]

      in addition to the portion quoted in TFS.

      The website referred to in the letter includes all manner of policy and other information, including this gem [berkeley.edu].

      The letter also mentions that it handled communications about this project poorly:

      Openness and transparency of process are hallmarks of shared governance and should be the default practice in adopting any new security measures. We find that the observance of due process in the adoption of security measures is critical.

      The faculty should have been informed and consulted at the earliest stages of the process and should be involved in future decision making. Going forward we strongly encourage greater engagement with the faculty via the Academic Senate.

      You may see evil spies lurking under every classroom desk. I see what is probably reasonable InfoSec policy implementation which was poorly communicated to relevant stakeholders.
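Added example, not from the comment above or from anything UC deployed: the distinction the thread turns on, NetFlow-style "traffic pattern" monitoring versus full packet capture, worked in Python. It parses constructed Ethernet/IPv4 frames into 5-tuple flow records that keep packet and byte counts but never the payload, and compares how many bytes each approach retains; the addresses, ports, MACs and the 48-byte flow-record size are assumptions.

```python
import struct
from collections import defaultdict
ETH_IPV4 = 0x0800
MACS = bytes.fromhex("02000000aa02") + bytes.fromhex("02000000aa01")  # constructed dst+src MACs
FLOW_RECORD_BYTES = 48  # assumed fixed size of one exported flow record

def build_frame(src, dst, sport, dport, proto, payload):
    """Minimal Ethernet/IPv4/{TCP,UDP} frame; constructed sample data, checksums left zero."""
    if proto == 6:  # TCP: 20-byte header, data offset 5, ACK flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 65535, 0, 0)
    else:           # UDP: 8-byte header carrying its own length
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0x4000,
                     64, proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return MACS + struct.pack("!H", ETH_IPV4) + ip + l4 + payload

def flow_key(frame):
    """Return the (src, dst, sport, dport, proto) 5-tuple, or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    sport = dport = 0
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (src, dst, sport, dport, proto)

def aggregate(frames):
    """NetFlow-style aggregation: per-flow packet and byte counts only; payload is never stored."""
    flows = defaultdict(lambda: [0, 0])
    for frame in frames:
        key = flow_key(frame)
        if key is not None:
            flows[key][0] += 1
            flows[key][1] += len(frame)  # length is the only thing taken from the payload
    return {k: tuple(v) for k, v in flows.items()}

def storage_compare(frames):
    """Bytes a full-packet capture retains vs. bytes flow records retain for the same traffic."""
    return sum(len(f) for f in frames), FLOW_RECORD_BYTES * len(aggregate(frames))

# Constructed traffic: two packets of one TLS-port flow plus one DNS query (RFC 5737 addresses).
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "203.0.113.10", 51234, 443, 6, b"\x16\x03\x01" + b"A" * 97),
    build_frame("10.0.0.5", "203.0.113.10", 51234, 443, 6, b"B" * 60),
    build_frame("10.0.0.5", "198.51.100.1", 40000, 53, 17, b"C" * 30),
]
```

Running `aggregate(SAMPLE_FRAMES)` yields two records with no payload, while `storage_compare` shows the full capture keeping every byte; scale the second number by a campus edge link for 30 days and the "enough local storage" claim in the story is what a flow collector needs, not what a full capture needs.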

      • (Score: 2) by HiThere on Sunday February 07 2016, @07:56PM


        Threat analysis: You look at what the potential threat can do, not what it claims it's going to do, or what you hope it will do.

        So this is a secretly installed device with unknown capabilities, but which is claimed to be capable of monitoring (whatever it means by that) all of your electronic communications and storing the results for analysis.

        That's a fairly reasonably high threat level. About as high as any virus would have... perhaps higher than all viruses put together.

        It *MIGHT* be justifiable if you are expecting intrusion from a source with lots of expertise and funding, say something sponsored by a major corporation of a fairly large and modern country. But in such a case I would expect it to be inadequate.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 4, Insightful) by Soybean on Sunday February 07 2016, @05:13AM


    most .EDU IT organizations are woefully understaffed and underfunded already. How many man-hours would be required to actually review all network connections

    You are presuming that university staff are the ones doing the reviews. Want to bet that somewhere in the 65 billion dollar DHS budget, the 53 billion dollar NSA budget, or one of the other less well known agencies' budgets there is at least one program to review data collected from university network traffic for 'anti-terrorism' purposes?

    Like Whoever said, the muzzling of the IT staff forbidding them from even talking about this stuff makes it look like way more than just some typical network troubleshooting tool.

    • (Score: 2) by NotSanguine on Sunday February 07 2016, @06:03AM

      You are presuming that university staff are the ones doing the reviews. Want to bet that somewhere in the 65 billion dollar DHS budget, the 53 billion dollar NSA budget, or one of the other less well known agencies' budgets there is at least one program to review data collected from university network traffic for 'anti-terrorism' purposes?

      As far as UCB is concerned, I'll take that bet.

      Like Whoever said, the muzzling of the IT staff forbidding them from even talking about this stuff makes it look like way more than just some typical network troubleshooting tool.

      Read the letter referenced in TFS. No one is being "muzzled." Any lack of transparency is either poor communication or an unwillingness to disclose every piece of InfoSec infrastructure to every cracker on the planet.

      As I said before, I could be wrong. But I'm probably not.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 2) by NotSanguine on Sunday February 07 2016, @06:05AM

        My apologies. I screwed up the link to the letter in TFS in my reply.

        Here it is again [universityofcalifornia.edu]. I wouldn't want you to have to scroll all the way back up to the top to find it.

        --
        No, no, you're not thinking; you're just being logical. --Niels Bohr
        • (Score: 1, Informative) by Anonymous Coward on Sunday February 07 2016, @03:37PM


          Well, I've read that letter twice and I don't see anything that addresses the claims that IT staff were forbidden from discussing the system. The closest is their accusation that, "the degree to which these actions were kept secret, constituted a serious failure of shared governance."

          What I do see is a lot of weasel wording about what's not monitored that leaves giant loopholes for meta-data collection. Also that the people writing the letter have no way to independently verify any of the claims.

          • (Score: 1, Flamebait) by NotSanguine on Sunday February 07 2016, @03:54PM

            Also that the people writing the letter have no way to independently verify any of the claims.

            I guess reading comprehension isn't your strong suit. From the letter [universityofcalifornia.edu]:

            The committee met with Tom Andriola, UC’s Chief Information Officer, David Rusting, UC’s Chief Information Security Officer, and Roslyn Martorano, UC’s Systemwide Privacy Manager. They described in some detail the UCLA incident and the actions taken in its aftermath, and they responded to the committee’s questions. They have published a web site (security.ucop.edu) with cyber-security information. They have also indicated their availability to describe and demonstrate to interested faculty the security measures at issue.
            [Emphasis Added]

            Let's go through that sentence, okay. They (meaning the IT organization) have also indicated their availability (that is, get in touch with those self-same IT folks and we'll get together) to describe (explain what we're doing and why) and demonstrate (show you what it is we're doing) to interested faculty (those that want to know) the security measures (well, we're not going to post it on the Internet and let every cracker or SN Anonymous Coward see what our security infrastructure looks like. That would be pretty dumb, wouldn't it?) at issue.

            Do you get it now, or should we go through it again with smaller words?

            --
            No, no, you're not thinking; you're just being logical. --Niels Bohr
            • (Score: 0) by Anonymous Coward on Monday February 08 2016, @10:14PM


              "Achieving a greater degree of certainty would require an independent audit, which we are not prepared to undertake and which would still be subject to question."

              M'kay?

              • (Score: 2) by NotSanguine on Monday February 08 2016, @11:50PM

                No. Not "m'kay."

                If you're so sure there's a problem, why don't you file suit [ca.gov].

                Here are some tips on finding the right lawyer [ca.gov].

                You could run your own audit. Here's some info [berkeley.edu] to get you started.

                Or hire someone [cybersecurityventures.com] to do the audit for you.

                What? Not willing to spend your own time and money to get to the bottom of this evil conspiracy designed to steal your liberty and privacy? I guess it isn't really that important to you. Perhaps you just want to complain anonymously about 'all teh evil' on the intertubes.

                You go, girlfriend!

                --
                No, no, you're not thinking; you're just being logical. --Niels Bohr