[Micronet] SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

[Micronet] SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

jon kuroda-2
http://www.sfchronicle.com/bayarea/matier-ross/article/Cal-professors-fear-UC-bosses-will-snoop-on-them-6794646.php

This blogpost I found seems to cover some more details:
http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

jon kuroda-2
For who can't cross the SFChron Paywall, I am told that this FB post
by the people who run utotherescue.blogspot.com is of reasonable ...
fidelity to the SFChron article

https://www.facebook.com/groups/RemakingtheUniversity/permalink/442058249320877/

On Sat, Jan 30, 2016 at 02:34:34PM -0800, jon kuroda wrote:
> http://www.sfchronicle.com/bayarea/matier-ross/article/Cal-professors-fear-UC-bosses-will-snoop-on-them-6794646.php
>
> This blogpost I found seems to cover some more details:
> http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

Christopher Brooks
http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html 
was updated on 1/31 at 6pm with the contents of the letter sent by UCOP.

See also a few random opinions at
https://news.ycombinator.com/item?id=11006915

_Christopher



On 1/30/16 3:11 PM, jon kuroda wrote:

> For who can't cross the SFChron Paywall, I am told that this FB post
> by the people who run utotherescue.blogspot.com is of reasonable ...
> fidelity to the SFChron article
>
> https://www.facebook.com/groups/RemakingtheUniversity/permalink/442058249320877/
>
> On Sat, Jan 30, 2016 at 02:34:34PM -0800, jon kuroda wrote:
>> http://www.sfchronicle.com/bayarea/matier-ross/article/Cal-professors-fear-UC-bosses-will-snoop-on-them-6794646.php
>>
>> This blogpost I found seems to cover some more details:
>> http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html
>  
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
>
> ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.

--
Christopher Brooks, PMP                       University of California
Academic Program Manager & Software Engineer  US Mail: 337 Cory Hall
CHESS/iCyPhy/Ptolemy/TerraSwarm               Berkeley, CA 94720-1774
[hidden email], 707.332.0670           (Office: 545Q Cory)


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
Reply | Threaded
Open this post in threaded view
|

[Micronet] UCOP/UCB-Faculty communcations Re: SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

jon kuroda-2
In reply to this post by jon kuroda-2
For those who would like to read the UCOP/UCB-Faculty communications with
minimal 3rd-party filtering, Campus-affiliates can access that with their
CalNet credentials at CalMessages:

  * https://calmessages.berkeley.edu/archives/message/41220
  * https://calmessages.berkeley.edu/archives/message/41281

--Jon

On Sat, Jan 30, 2016 at 02:34:34PM -0800, jon kuroda wrote:

> http://www.sfchronicle.com/bayarea/matier-ross/article/Cal-professors-fear-UC-bosses-will-snoop-on-them-6794646.php
>
> This blogpost I found seems to cover some more details:
> http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html
>
>  
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
>
> ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
Reply | Threaded
Open this post in threaded view
|

[Micronet] NY Times article re: SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

jon kuroda-2
In reply to this post by jon kuroda-2
http://www.nytimes.com/2016/02/02/technology/at-ucla-a-new-digital-privacy-protest.html

(Yes, the URL says 'UCLA", but it is about Berkeley.  Go Bears!)

At Berkeley, a New Digital Privacy Protest

--Jon

On Sat, Jan 30, 2016 at 02:34:34PM -0800, jon kuroda wrote:

> http://www.sfchronicle.com/bayarea/matier-ross/article/Cal-professors-fear-UC-bosses-will-snoop-on-them-6794646.php
>
> This blogpost I found seems to cover some more details:
> http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html
>
>  
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
>
> ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] NY Times article re: SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

Christopher Brooks
Peter Eckersley from the EFF gave a talk today on campus, see
https://events.berkeley.edu/index.php/calendar/sn/eecs.html?event_ID=97050

He suggested running the Https Everywhere plugin
(https://www.eff.org/https-everywhere) in Firefox, Chrome and Opera.

He also suggested Tor.

Personally, I'm hesitant to promote Tor, but it also seems that in light
of the recent UCOP activity, more people will want to know more about
Tor.  It would be helpful if there was some guidance that we could
provide people about why they do or don't want to run Tor. For example,
the knowledge base at https://kb.berkeley.edu/search.php?q=Tor has nothing.

Another alternative is for groups and departments to break away from the
campus backbone.  This also has risks.  Guidance here would be helpful
as well.

I've been converting various websites that I mange to be full time https
and I reinstalled Https Everywhere

My guess is that this incident will blow over, the hardware will
continue to stay installed and running.

In other news, until it was corrected, the examiner.com article had the
July break in being at UC Berkeley, not UCLA.

_Christopher



On 2/1/16 6:57 PM, jon kuroda wrote:

> http://www.nytimes.com/2016/02/02/technology/at-ucla-a-new-digital-privacy-protest.html
>
> (Yes, the URL says 'UCLA", but it is about Berkeley.  Go Bears!)
>
> At Berkeley, a New Digital Privacy Protest
>
> --Jon
>
> On Sat, Jan 30, 2016 at 02:34:34PM -0800, jon kuroda wrote:
>> http://www.sfchronicle.com/bayarea/matier-ross/article/Cal-professors-fear-UC-bosses-will-snoop-on-them-6794646.php
>>
>> This blogpost I found seems to cover some more details:
>> http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html
>>
>>  
>> -------------------------------------------------------------------------
>> The following was automatically added to this message by the list server:
>>
>> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>>
>> http://micronet.berkeley.edu
>>
>> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
>>
>> ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
>  
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
>
> ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.

--
Christopher Brooks, PMP                       University of California
Academic Program Manager & Software Engineer  US Mail: 337 Cory Hall
CHESS/iCyPhy/Ptolemy/TerraSwarm               Berkeley, CA 94720-1774
[hidden email], 707.332.0670           (Office: 545Q Cory)


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] NY Times article re: SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

jon kuroda-2
In reply to this post by jon kuroda-2
http://security.ucop.edu/ was very recently updated - Mon 1 Feb 2016

I think that the site itself also went live very recently.

--Jon

On Mon, Feb 01, 2016 at 06:57:35PM -0800, jon kuroda wrote:

> http://www.nytimes.com/2016/02/02/technology/at-ucla-a-new-digital-privacy-protest.html
>
> (Yes, the URL says 'UCLA", but it is about Berkeley.  Go Bears!)
>
> At Berkeley, a New Digital Privacy Protest
>
> --Jon
>
> On Sat, Jan 30, 2016 at 02:34:34PM -0800, jon kuroda wrote:
> > http://www.sfchronicle.com/bayarea/matier-ross/article/Cal-professors-fear-UC-bosses-will-snoop-on-them-6794646.php
> >
> > This blogpost I found seems to cover some more details:
> > http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html
> >
> >  
> > -------------------------------------------------------------------------
> > The following was automatically added to this message by the list server:
> >
> > To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
> >
> > http://micronet.berkeley.edu
> >
> > Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
> >
> > ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
>
>  
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
>
> ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] NY Times article re: SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

shane knapp
In reply to this post by Christopher Brooks
> He suggested running the Https Everywhere plugin
> (https://www.eff.org/https-everywhere) in Firefox, Chrome and Opera.
>
i would also strongly suggest everyone run this.  :)

> My guess is that this incident will blow over, the hardware will
> continue to stay installed and running.
>
i agree, and this makes me sad.

btw, new article up @ ars technica:

http://arstechnica.com/tech-policy/2016/02/profs-protest-invasive-cybersecurity-measures-at-university-of-california-campuses/

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] NY Times article re: SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

Christopher Brooks
Thanks for the ars link. 

The article states: " a separate committee of system-wide faculty has now given its blessing. "

The link goes to a letter is at https://www.documentcloud.org/documents/2703922-Cyber-Risk-Statement-Final-3-Feb-2016.html

I disagree that the committee gave its blessing.  That make it sound like they were super happy about this and thought it was a great idea.  I think that the letter says that doing this is possibly reasonable to do this monitoring, but the manner in which it occurred was suboptimal.

My concern here is who has access to the contents of the tcp packets and what sort of retention policy they have?  For example, could UC be party to a lawsuit about discovery in a civil matter such as a divorce case?   I'm also concerned about the heavy-handed manner in which the deployment occurred.

There are various statutes and regulations that protect communication. One concerns the monitoring of conversations in California.  If I send an audio conversation of TCP/IP, is it protected from monitoring?  Thank the heavens I'm not a lawyer, but I would not want to be retaining that data or looking at it without a warrant.  My understanding is that the metadata (who-called-who, when) is not protected, but the conversation is.

Would anyone like to comment on p. 10 of https://www.documentcloud.org/documents/2703887-Ucop-Monitoring.html, where it states that the Fidelis SSL Inspector is decrypting SSL traffic? 

See also:
https://image.slidesharecdn.com/201201pt2secdatacenter-120122182219-phpapp02/95/2012-data-center-security-14-728.jpg?cb=1327257466

Is this possible in such a small box?  Maybe they mean that they are messing with http proxies and SSL?  For example, if we all used a machine as an http proxy, then that machine might have good access.

Currently, I'm getting my website SSL certs from UCB.  My understanding is that there is no backdoor so that UCOP could decrypt traffic to and from my SSL websites.  Does anyone see a problem with this?

Should we be using Let's Encrypt instead?  I hope not, I like my certs from Berkeley.

Note that applications like Thunderbird send email that goes through a campus Sentrion box (http://www.sendmail.com/sm/sentrion_appliances/) Check the headers of micronet messages and you will see:

Delivered-To: [hidden email]
Received: by 10.76.172.230 with SMTP id bf6csp185024oac;
        Fri, 5 Feb 2016 11:22:44 -0800 (PST)
X-Received: by 10.129.71.5 with SMTP id u5mr8783719ywa.91.1454700164425;
        Fri, 05 Feb 2016 11:22:44 -0800 (PST)
Return-Path: [hidden email]
Received: from ees-sentrion-sdsc-04.sdsc.berkeley.edu (ees-sentrion-sdsc-04.sdsc.berkeley.edu. [2607:f140:a000:a::e])
        by mx.google.com with ESMTPS id h184si6074675ywf.386.2016.02.05.11.22.44
        for [hidden email]
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 05 Feb 2016 11:22:44 -0800 (PST)
Received-SPF: pass (google.com: domain of [hidden email] designates 209.85.215.41 as permitted sender) client-ip=209.85.215.41;
Presumably getting the clear text of these email messages would be easily done at the Sentrion box.  I've never understood why we are maintaining a box locally.  I thought everything was up in the cloud?

(BTW - The speaker yesterday popped up the Snowden post-it slide that showed the problem with Google's the unencrypted internal traffic.  See https://upload.wikimedia.org/wikipedia/commons/f/f2/NSA_Muscular_Google_Cloud.jpg.  Maybe that applies?)

_Christopher

On 2/5/16 11:22 AM, shane knapp wrote:
He suggested running the Https Everywhere plugin
(https://www.eff.org/https-everywhere) in Firefox, Chrome and Opera.

i would also strongly suggest everyone run this.  :)

My guess is that this incident will blow over, the hardware will
continue to stay installed and running.

i agree, and this makes me sad.

btw, new article up @ ars technica:

http://arstechnica.com/tech-policy/2016/02/profs-protest-invasive-cybersecurity-measures-at-university-of-california-campuses/

-- 
Christopher Brooks, PMP                       University of California
Academic Program Manager & Software Engineer  US Mail: 337 Cory Hall
CHESS/iCyPhy/Ptolemy/TerraSwarm               Berkeley, CA 94720-1774
[hidden email], 707.332.0670           (Office: 545Q Cory)

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
gts
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] NY Times article re: SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

gts
Christopher,

I am not sure how Fidelis can decrypt SSL, perhaps a man-in-the-middle(MIM)? The slide says "its an SSL proxy. Just need to install endpoint-trusted CA certificate on the SSL Inspector.".

So apparently Fidelis accepts your client SSL request but connects to your destination itself, including verifying the destination certificate and establishing a session key. Then, Fidelis makes a new certificate using its CA certificate authority and responds to your client SSL request with its own certificate and establishes a session key with you. During the rest of the session, it captures the plain text going both ways.

If true, this suggests that the Fidelity device is using the UCB Certificate Authority which would be trusted by all UCB hosts. So connect to an non-UCB SSL site and use your browser to see what certificate authority the connection is using.

Back in the 90's I wrote a report that discussed this problem and suggested that clients should disable all keys for certificate authorities that are not in use to avoid a rogue authority allowing this kind of MIM.

If true, this introduces a new security problem. When connecting to especially sensitive sites, such as banking etc., I verify the Certificate chain before entering my password (I know which CA each site uses). If I were to always see the Fidelis certificate, I could not detect MIM attacks further out on the Internet. Also you would be relying on Fidelis to do a proper verification of the destination certificate.

Additionally, is error detection preserved while Fidelis decrypts and re-encrypts each packet? A side effect of SSL is excellent end-to-end error and tamper protection.

greg
"On a network paranoia is just good thinking." Lowell Detloff

At 12:11 PM 2/5/2016, Christopher Brooks wrote:
Would anyone like to comment on p. 10 of https://www.documentcloud.org/documents/2703887-Ucop-Monitoring.html, where it states that the Fidelis SSL Inspector is decrypting SSL traffic? 
Is this possible in such a small box?  Maybe they mean that they are messing with http proxies and SSL?
Currently, I'm getting my website SSL certs from UCB.  My understanding is that there is no backdoor so that UCOP could decrypt traffic to and from my SSL websites. Does anyone see a problem with this?
Should we be using Let's Encrypt instead?  I hope not, I like my certs from Berkeley.
Christopher Brooks,
PMP                      
University of California
Academic Program Manager & Software Engineer  US Mail: 337 Cory
Hall
CHESS/iCyPhy/Ptolemy/TerraSwarm              
Berkeley, CA 94720-1774
[hidden email],
707.332.0670          
(Office: 545Q Cory)

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.