Thanks for the ars link.
The article states: "a separate committee of system-wide faculty has now
<https://www.documentcloud.org/documents/2703922-Cyber-Risk-Statement-Final-3-Feb-2016.html>
given its blessing."
The link goes to a letter at
https://www.documentcloud.org/documents/2703922-Cyber-Risk-Statement-Final-3-Feb-2016.html
I disagree that the committee gave its blessing. That makes it sound
like they were super happy about this and thought it was a great idea.
I think that the letter says that it is possibly reasonable to do
this monitoring, but the manner in which it occurred was suboptimal.
My concern here is who has access to the contents of the tcp packets and
what sort of retention policy they have? For example, could UC be party
to a lawsuit about discovery in a civil matter such as a divorce case?
I'm also concerned about the heavy-handed manner in which the deployment
occurred.
There are various statutes and regulations that protect communication.
One concerns the monitoring of conversations in California. If I send
an audio conversation over TCP/IP, is it protected from monitoring? Thank
the heavens I'm not a lawyer, but I would not want to be retaining that
data or looking at it without a warrant. My understanding is that the
metadata (who-called-who, when) is not protected, but the conversation is.
Would anyone like to comment on p. 10 of
https://www.documentcloud.org/documents/2703887-Ucop-Monitoring.html,
where it states that the Fidelis SSL Inspector is decrypting SSL traffic?
See also:
https://image.slidesharecdn.com/201201pt2secdatacenter-120122182219-phpapp02/95/2012-data-center-security-14-728.jpg?cb=1327257466
Is this possible in such a small box? Maybe they mean that they are
messing with http proxies and SSL? For example, if we all used a
machine as an http proxy, then that machine might have good access.
Currently, I'm getting my website SSL certs from UCB. My understanding
is that there is no backdoor so that UCOP could decrypt traffic to and
from my SSL websites. Does anyone see a problem with this?
Should we be using Let's Encrypt instead? I hope not, I like my certs
from Berkeley.
Note that applications like Thunderbird send email that goes through a
campus Sentrion box (http://www.sendmail.com/sm/sentrion_appliances/).
Check the headers of micronet messages and you will see:
Delivered-To: cxh+e...@g.berkeley.edu
Received: by 10.76.172.230 with SMTP id bf6csp185024oac;
Fri, 5 Feb 2016 11:22:44 -0800 (PST)
X-Received: by 10.129.71.5 with SMTP id u5mr8783719ywa.91.1454700164425;
Fri, 05 Feb 2016 11:22:44 -0800 (PST)
Return-Path: <skn...@berkeley.edu>
Received: from ees-sentrion-sdsc-04.sdsc.berkeley.edu
(ees-sentrion-sdsc-04.sdsc.berkeley.edu. [2607:f140:a000:a::e])
by mx.google.com with ESMTPS id
h184si6074675ywf.386.2016.02.05.11.22.44
for <cxh+e...@g.berkeley.edu>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Fri, 05 Feb 2016 11:22:44 -0800 (PST)
Received-SPF: pass (google.com: domain of skn...@berkeley.edu designates
209.85.215.41 as permitted sender) client-ip=209.85.215.41;
Presumably getting the clear text of these email messages would be
easily done at the Sentrion box. I've never understood why we are
maintaining a box locally. I thought everything was up in the cloud?
(BTW - The speaker yesterday popped up the Snowden post-it slide that
showed the problem with Google's unencrypted internal traffic. See
https://upload.wikimedia.org/wikipedia/commons/f/f2/NSA_Muscular_Google_Cloud.jpg.
Maybe that applies?)
_Christopher
On 2/5/16 11:22 AM, shane knapp wrote:
He suggested running the Https Everywhere plugin
(https://www.eff.org/https-everywhere) in Firefox, Chrome and Opera.
i would also strongly suggest everyone run this. :)
My guess is that this incident will blow over, the hardware will
continue to stay installed and running.
i agree, and this makes me sad.
btw, new article up @ ars technica:
http://arstechnica.com/tech-policy/2016/02/profs-protest-invasive-cybersecurity-measures-at-university-of-california-campuses/
--
Christopher Brooks, PMP University of California
Academic Program Manager & Software Engineer US Mail: 337 Cory Hall
CHESS/iCyPhy/Ptolemy/TerraSwarm Berkeley, CA 94720-1774
c...@eecs.berkeley.edu, 707.332.0670 (Office: 545Q Cory)
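Added example, not part of the original message: a Python sketch that walks the Received chain of a message like the one quoted above and reports, per hop, whether the receiving server recorded TLS. SMTP TLS protects each hop separately, so every host that accepted the message handled it in the clear even when both adjacent hops were encrypted. The sample headers, hostnames and function names are constructed for illustration.

```python
import email
import re

# Constructed sample modelled on the header layout quoted in the message;
# hostnames, addresses and ids are placeholders, not real systems.
SAMPLE = """\
Delivered-To: user@mail.example.edu
Received: by 10.0.0.1 with SMTP id abc123;
        Fri, 5 Feb 2016 11:22:44 -0800 (PST)
Received: from relay-01.example.edu (relay-01.example.edu. [2001:db8::e])
        by mx.example.net with ESMTPS id h184si607
        for <user@mail.example.edu>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 05 Feb 2016 11:22:44 -0800 (PST)
Received: from client.example.edu (client.example.edu [192.0.2.10])
        by relay-01.example.edu with ESMTP id xyz789;
        Fri, 05 Feb 2016 11:22:43 -0800 (PST)
Subject: test

body
"""

HOP_RE = re.compile(r"(?:from\s+(?P<src>\S+)\s.*?)?\bby\s+(?P<by>\S+)\s+with\s+(?P<proto>\w+)")
TLS_RE = re.compile(r"version=(?P<version>\S+)\s+cipher=(?P<cipher>\S+)")
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}  # RFC 3848 keywords for SMTP over TLS

def received_hops(raw):
    """Return the hops oldest-first (Received headers are prepended)."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.match(text)
        if not m:
            continue
        tls = TLS_RE.search(text)
        hops.append({"from": m["src"], "by": m["by"], "proto": m["proto"].upper(),
                     "tls": tls["version"] if tls else None,
                     "cipher": tls["cipher"] if tls else None})
    return hops

def hops_without_tls(hops):
    """Hops whose header records no TLS; a server may also simply omit the note."""
    return [h for h in hops if h["tls"] is None and h["proto"] not in TLS_PROTOCOLS]

def hosts_handling_message(hops):
    """Every receiving host terminates transport encryption and sees the message."""
    return [h["by"] for h in hops]

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop["from"], "->", hop["by"], hop["proto"], hop["tls"] or "no TLS recorded")
```
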
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:
To learn more about Micronet, including how to subscribe to or unsubscribe from
its mailing list and how to find out about upcoming meetings, please visit the
Micronet Web site:
http://micronet.berkeley.edu