
UC Berkeley profs lambast new “black box” network monitoring hardware - pavornyoh
http://arstechnica.com/tech-policy/2016/02/profs-protest-invasive-cybersecurity-measures-at-university-of-california-campuses/
======
toufka
An interesting statement from the UC President, former head of the Department
of Homeland Security: [1]

> "While we have absolutely no interest in the content of any individual's
> emails or browsing history, we must accept that active network monitoring is
> a critical element of a sound cyber-security infrastructure and the
> interconnections of the University and all of its locations requires that
> such monitoring be coordinated centrally."

Do you guys agree?

[1] [https://www.documentcloud.org/documents/2702981-Chancellors-...](https://www.documentcloud.org/documents/2702981-Chancellors-Cybersecurity-Measures-020116.html)

~~~
Eridrus
The security industry has largely given up on prevention as a means of
stopping breaches, the current trend is very much based on fast detection &
response.

Neither the NSA's nor these systems have the capacity to store full-take data,
hell even just netflow data can be a challenge to store for any extended
period of time.

The only thing that can really be done is streaming monitoring.

To the people wondering why decryption is necessary: HTTPS is ubiquitous and
ip/port info is not actually enough to figure out where the communications are
going, SNI helps quite a bit, but it may not be enough e.g. if a bad guy
decided to use Twitter or AppEngine/Spot or an S3 bucket for C&C.

In a corporate environment your options are usually either network or host
agent based, and frankly the network approach is significantly less intrusive,
but also less effective.
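
Eridrus's point is that the appliance can learn the destination hostname of an HTTPS connection from the ClientHello's SNI extension without decrypting anything. The parser below is an added example written for this page (not the page's or Fidelis's code): it walks a single TLS record carrying a ClientHello and returns the host_name from the server_name extension (RFC 6066). The ClientHello bytes are constructed by a helper for the demonstration rather than captured from a real client; `buildClientHello`, `extractSNI` and the `cursor` type are names chosen here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// cursor is a bounds-checked reader over a byte slice; the first out-of-range
// read sticks in err, so callers can check once instead of after every field.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err != nil {
		return nil
	}
	if n < 0 || len(c.b) < n {
		c.err = errors.New("truncated ClientHello")
		return nil
	}
	out := c.b[:n]
	c.b = c.b[n:]
	return out
}

func (c *cursor) u8() int {
	if x := c.take(1); x != nil {
		return int(x[0])
	}
	return 0
}

func (c *cursor) u16() int {
	if x := c.take(2); x != nil {
		return int(binary.BigEndian.Uint16(x))
	}
	return 0
}

// extractSNI parses one TLS record that carries a ClientHello and returns the
// host_name from its server_name extension. No key material is needed: the
// ClientHello is sent in the clear before any encryption is negotiated.
func extractSNI(rec []byte) (string, error) {
	if len(rec) < 5 || rec[0] != 0x16 { // content_type: handshake
		return "", errors.New("not a TLS handshake record")
	}
	c := &cursor{b: rec[5:]} // skip record header: type(1) version(2) length(2)
	if c.u8() != 0x01 {       // handshake_type: client_hello
		return "", errors.New("not a ClientHello")
	}
	c.take(3)                          // handshake body length
	c.take(2 + 32)                     // client_version + random
	c.take(c.u8())                     // session_id
	c.take(c.u16())                    // cipher_suites
	c.take(c.u8())                     // compression_methods
	ext := &cursor{b: c.take(c.u16())} // extensions block
	if c.err != nil {
		return "", c.err
	}
	for len(ext.b) >= 4 && ext.err == nil {
		typ := ext.u16()
		data := &cursor{b: ext.take(ext.u16())}
		if ext.err != nil {
			return "", ext.err
		}
		if typ != 0x0000 { // skip everything except server_name
			continue
		}
		names := &cursor{b: data.take(data.u16())} // ServerNameList
		for len(names.b) >= 3 && names.err == nil {
			nameType := names.u8()
			name := names.take(names.u16())
			if nameType == 0 && names.err == nil { // NameType host_name
				return string(name), nil
			}
		}
		return "", errors.New("server_name extension without host_name")
	}
	return "", errors.New("no server_name extension")
}

// buildClientHello constructs a minimal ClientHello record for host. It is
// test input made for this example, not a packet captured from a real client.
func buildClientHello(host string, withSNI bool) []byte {
	body := []byte{0x03, 0x03}                  // client_version: TLS 1.2
	body = append(body, make([]byte, 32)...)    // random (zeros are fine for parsing)
	body = append(body, 0x00)                   // session_id length 0
	body = append(body, 0x00, 0x02, 0xc0, 0x2f) // one cipher suite
	body = append(body, 0x01, 0x00)             // compression_methods: null
	// An unrelated extension first (supported_groups: x25519) so the parser
	// has to skip past something before it reaches server_name.
	ext := []byte{0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x1d}
	if withSNI {
		name := []byte(host)
		entry := append([]byte{0x00, byte(len(name) >> 8), byte(len(name))}, name...)
		list := append([]byte{byte(len(entry) >> 8), byte(len(entry))}, entry...)
		ext = append(ext, 0x00, 0x00, byte(len(list)>>8), byte(len(list)))
		ext = append(ext, list...)
	}
	body = append(body, byte(len(ext)>>8), byte(len(ext)))
	body = append(body, ext...)
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}

func main() {
	for _, withSNI := range []bool{true, false} {
		host, err := extractSNI(buildClientHello("www.berkeley.edu", withSNI))
		fmt.Printf("withSNI=%v host=%q err=%v\n", withSNI, host, err)
	}
}
```

This recovers only the name the client asked for. When a command-and-control channel sits behind a shared service such as an S3 bucket, App Engine or Twitter, the SNI names the shared service rather than the operator, which is exactly the gap Eridrus describes as the reason inspectors go on to decrypt.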

~~~
pfooti
According to an earlier article [0] about this, there's enough storage to keep
30 days of network traffic. That's not nothing. It's also something that
apparently the regular UC IT folks have no control over whatsoever.

0: [http://utotherescue.blogspot.com/2016/01/ucop-ordered-spywar...](http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html)
1: [https://news.ycombinator.com/item?id=11006915](https://news.ycombinator.com/item?id=11006915)

~~~
reolt
That's strange. My company uses the same Fidelis XPS appliances Berkeley is
using, and they're entirely installed, administered, managed, configured, and
monitored by our internal IT security staff. Only our staff has access to
alerts it fires and the snippets of traffic it captures (for example, if it
detects potential malware C&C beaconing, it'll show the bytes it flagged as
matching the signature, and some ~200 bytes before and after it). We're also
able to view, change, or add all the rules it uses. The source code is closed,
so that part is a blackbox, but it seems like a huge stretch to call the
entire appliance a blackbox considering we're 100% responsible for
integrating, managing, and utilizing it.

I imagine Fidelis probably also offers a professional services option that
allows them to manage setup and maybe even remote monitoring. If this is true,
there's absolutely no reason why Berkeley can't hire competent infosec folks
to handle it all internally, especially considering they have a lot of smart
students in the field.

~~~
pfooti
My understanding of the situation (which I'm not involved with since I'm no
longer Berkeley faculty, but I follow because I was in the past) is that the
office of the president (UC-wide, not just UCB) ordered the systems installed
and specifically out of the control (and over the objections) of UCB IT
services.

~~~
reolt
I see. That certainly makes it more interesting. In that case, all of the
criticism should be directed at him, and not at Fidelis or their appliances.

~~~
ethbro
*Her

[http://www.ucop.edu/president/index.html](http://www.ucop.edu/president/index.html)

------
rixed
I can't believe checking for malware signature, which can be done much more
easily from the browser (and is already done, indirectly and efficiently by
chrome for instance), justifies MITMing everyone at great expense.

In any case, signature check is not going to be useful in any scenario of
targeted attack that I can imagine.

I can easily believe, though, that some BOFH is more than happy to retrieve
the amount of logs he had in the good old days of plain http.

~~~
meowface
This is how _all_ network security appliances work.

All IDS or IPS appliances do this. Running something open source like Snort or
Suricata? It's "MitMing" you, too. (More accurately "Man-on-the-Side'ing" for
most installations, since they're typically IDS and not IPS, but I'm just
using the same alarmist term you did to make my point.)

All "smart firewalls" (sometimes dubbed "nextgen firewalls" by marketing
departments) do this. If your network uses firewalls from Palo Alto, that
firewall is doing nearly the exact same things as this Fidelis appliance.
Either most of the same features, or all of the same if you pay a little
extra.

All proxies do this, except only for 80/443.

All host IDS agents do this as well.

>(and is already done, indirectly and efficiently by chrome for instance)

Chrome isn't going to detect your machine beaconing out via malware that's
already installed. Chrome just has lists of bad URLs and URL paths. Chrome's
security features certainly provide another useful layer of protection, but is
not nearly sufficient as a malware or intrusion detection system by itself.

This article is FUD, in my opinion, for singling out just this specific
appliance as if it's somehow more invasive than all the other gear on a
typical large network. If you want to make an article about how packet
inspection is bad in general, go ahead, but I think that war has been lost. If
you're using someone else's network and computers, I don't think you should
have a problem with a device checking the packets your computer sends and
receives to see if they match specific regex or byte patterns.

It's true that a proprietary appliance is going to be a bit more blackbox with
exactly how it processes traffic, compared to an open source solution, but
often the signature lists themselves are accessible and configurable by the
customer. Sometimes the actual signature content is visible as well.

Systems like these are absolutely necessary to help prevent breaches, as long
as there are competent internal employees who can make full use of them.
Perhaps an open source system will be a little bit better privacy-wise, on the
off chance the proprietary solution you're using is secretly doing something
malicious or sending sensitive traffic elsewhere on the Internet, though if it
were, the scandal would likely greatly harm or ruin the company.

~~~
superuser2
For bureaucrats in their cubicles, yes, this is normal corporate network
management. You have no expectation of privacy at work; if you want that, go
home.

As a student, though, the university is also your home ISP. And the public
WiFi at the coffee shops, libraries, etc. In this context, reading your users'
email is _way_ less okay.

Don't think of UCB IT as the BigCo IT department, but as Comcast.

~~~
meowface
True. I'd be less comfortable about this just as a university student trying
to use the Internet. I think it's fine for employees of UCB, though.

------
simonebrunozzi
I don't know if it's of any interest, but the title is unclear to me (Italian,
self-proclaimed almost perfect English, working for US companies for 8 years,
in the US since 4, previously in Singapore for 2.5 years).

I didn't know what "profs lambast" meant, until I googled it:

Lambast = criticize someone harshly

profs = it means UC Berkeley "profs", or professors.

(I erroneously thought that "UC Berkeley" was subject, "profs" verb, and
lambast an adjective).

Strange that despite all these years, sometimes you stumble on some unknown
English terms that you have to look up.

~~~
themartorana
Man, I'm 37, have lived in the US for 37 years plus 9 months if you believe
life starts at conception, and have a better command of the English language
than many if not most, and I constantly have to look things up! I don't know
if it means I'm actually not in any better command of the language than most
5th graders, or the things I read are written at a high level, or I just read
enough to stumble upon new words, idioms, and phrases constantly, but
whichever it is, I feel you :)

Of course when English has over 1,000,000 recognized words, who _can_ be
expected to know all of them?

------
toufka
How does the "Fidelis SSL Inspector" work from page 10 of Professor Ligon's
slides? [1]

The man-in-the-middle server 'identifies and decrypts all SSL/TLS encrypted
traffic'? So long as an 'endpoint-trusted CA certificate' has been installed?

Does this really break SSL on all traffic that is diverted to the device, or
does one of the endpoints need to have some 'registration' on it to permit
this?

[1] [https://www.documentcloud.org/documents/2703887-Ucop-Monitor...](https://www.documentcloud.org/documents/2703887-Ucop-Monitoring.html)

~~~
azdle
In this case "endpoint-trusted" means that it's a CA that is trusted by the
client on the local network. What happens is that the box intercepts all
traffic and establishes its own TLS session with the remote server while
establishing a different session under its own CA with the client. Then any
traffic sent by the client is decrypted, analyzed, and re-encrypted under the
real server's session. (And the reverse for traffic coming back.)

~~~
toufka
Is there any way to know what CA is being used by the man-in-the-middler, and
then revoke its trust on local machines?

~~~
azdle
Sure, your browser would tell you who the CA is. In this case it'd tell you
that it's a Fidelis cert. And if you have the permissions on your system you
could revoke the cert, but I'd be shocked if this system let encrypted
traffic that it couldn't inspect pass. Your connection would probably just
time out or get some random error about your connection being refused.

~~~
sjtgraham
It wouldn't be a Fidelis cert, it would be a cert signed by whatever CA is
installed on the SSL terminator. What would happen if you locally revoked
trust of the CA in question is you would get warnings that the connection is
unsafe as you would with any other TLS error, e.g. hostname mismatch,
untrusted cert, etc. Depending on the client behaviour you may be able to
continue with the connection.

------
tomohawk
Seems like overkill for a government entity to scan all packets entering or
leaving the network as a whole. Definitely not minimally intrusive.

It seems likely that the computers with information they really need to
protect are already on separate subnets/vlans, so why not protect just those
instead of sweeping up everything?

------
nwmcsween
Well a very simple way to poke a hole in this would be to download the image
(wherever it may be?) they use and see if any licenses are being violated, as
it seems to be based on Linux (as of 2012,
[https://www.niap-ccevs.org/st/st_vid10449-st.pdf](https://www.niap-ccevs.org/st/st_vid10449-st.pdf),
find "linux").

------
thetruthseeker1
The title of the article wasn't very worrying to me, so I read the whole
article, and I was trying to figure out what in this article is actually a
cause for concern. I actually didn't find any "significant" cause for concern.

I have worked in the area of computer networking for many years. My guess is,
one of the things the black box product is doing is typically looking for TCP
or IP traffic patterns (packet flow patterns) that indicate, say,
command-and-control type malware, or other malware, that don't have much
resemblance to the packet flow signature of user browsing activity.

Also, this black box won't be able to decode HTTPS anyway. So it may not be a
privacy concern for most people?
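
thetruthseeker1's guess above is that the box looks for flow patterns that do not resemble browsing, such as command-and-control beaconing. The detector below is an added example written for this page (not the appliance's own logic, whose internals are closed) of one such check on netflow-style records: it groups flows by source and destination, measures how regular the inter-arrival times are, and flags pairs with many connections at a near-constant period. The flow records are constructed here for the demonstration; `Flow`, `Beacon`, `detectBeacons` and the thresholds are this example's own choices.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Flow is a netflow-style record: one connection from Src to Dst that started
// at time T (seconds since the epoch). Payload is not needed for this check.
type Flow struct {
	T        float64
	Src, Dst string
}

// Beacon is a flagged (src, dst) pair with its connection count, mean period,
// and the coefficient of variation (stddev/mean) of its inter-arrival times.
type Beacon struct {
	Src, Dst string
	N        int
	Period   float64
	CV       float64
}

// meanStd returns the mean and population standard deviation of xs.
func meanStd(xs []float64) (float64, float64) {
	var sum float64
	for _, x := range xs {
		sum += x
	}
	mean := sum / float64(len(xs))
	var sq float64
	for _, x := range xs {
		sq += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(sq / float64(len(xs)))
}

// detectBeacons groups flows by (src, dst), sorts each group by time, and flags
// groups with at least minFlows connections whose inter-arrival times are
// regular (CV at or below maxCV). Browsing produces bursts and long idle gaps,
// so its CV is high; malware checking in on a timer produces a near-constant
// interval, so its CV is close to zero even with some jitter.
func detectBeacons(flows []Flow, minFlows int, maxCV float64) []Beacon {
	groups := map[[2]string][]float64{}
	for _, f := range flows {
		k := [2]string{f.Src, f.Dst}
		groups[k] = append(groups[k], f.T)
	}
	var out []Beacon
	for k, ts := range groups {
		if len(ts) < minFlows {
			continue
		}
		sort.Float64s(ts)
		intervals := make([]float64, 0, len(ts)-1)
		for i := 1; i < len(ts); i++ {
			intervals = append(intervals, ts[i]-ts[i-1])
		}
		mean, sd := meanStd(intervals)
		if mean <= 0 {
			continue
		}
		if cv := sd / mean; cv <= maxCV {
			out = append(out, Beacon{k[0], k[1], len(ts), mean, cv})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Dst < out[j].Dst })
	return out
}

// sampleFlows is constructed input for this example: one host beaconing to
// 203.0.113.7 (a TEST-NET-3 address) every 60 s with a second of jitter, the
// same host browsing 198.51.100.20 at irregular intervals, and one stray flow.
func sampleFlows() []Flow {
	var flows []Flow
	t := 1454284800.0 // 2016-02-01 00:00:00 UTC
	for i := 0; i < 10; i++ {
		flows = append(flows, Flow{t, "10.0.0.5", "203.0.113.7"})
		t += 60 + float64(i%3) - 1 // next check-in in 59, 60 or 61 seconds
	}
	t = 1454284800.0
	for _, gap := range []float64{2, 45, 3, 300, 8, 120, 1, 900, 4} {
		t += gap
		flows = append(flows, Flow{t, "10.0.0.5", "198.51.100.20"})
	}
	flows = append(flows, Flow{1454284900, "10.0.0.9", "192.0.2.1"})
	return flows
}

func main() {
	for _, b := range detectBeacons(sampleFlows(), 8, 0.2) {
		fmt.Printf("%s -> %s: %d flows, period %.1fs, cv %.3f\n",
			b.Src, b.Dst, b.N, b.Period, b.CV)
	}
}
```

This works on flow metadata alone, which is the part of the comment that holds up: periodicity is visible whether or not the payload is encrypted. A real implementation would also have to tolerate the sleep jitter and long-tail intervals that deliberately evasive implants add, and would want to whitelist legitimate periodic traffic such as software update checks.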

~~~
nindalf
My understanding is that it can decode all HTTPS traffic because it acts as a
Man-in-the-Middle. Traffic from the client to the Fidelis device is encrypted
with a Fidelis certificate. It's decrypted at the device, encrypted again with
the actual certificate and sent to the destination. If it couldn't do this, I
think it would be impossible to distinguish benign traffic from malicious
traffic.

------
PhasmaFelis
"Bad actors" is when you want to say "bad guys" but also sound formal and
respectable, yes?

~~~
exolymph
you're not wrong :D

------
Create
Transparent monitoring for your protection

In keeping with this spirit, here is a reminder of how we monitor (your) CERN
activities. We monitor all network traffic coming into and going out of CERN.

Our new analysis infrastructure will be able to cope with the automatic live
analysis of about one terabyte of data every day. All this data is stored for
one year.

~~~
Symbiote
You quoted from
[http://cds.cern.ch/journal/CERNBulletin/2016/05/News%20Artic...](http://cds.cern.ch/journal/CERNBulletin/2016/05/News%20Articles/2126902)

This does seem more reasonable — probing devices on their network for running
services, counting unusual numbers of connections, etc. Are they MITMing SSL
traffic?

As far as I know, CERN isn't a "home ISP" to anyone, unlike many universities.

~~~
Create
[https://en.wikipedia.org/wiki/Tempora](https://en.wikipedia.org/wiki/Tempora)

------
brohoolio
Sounds really expensive. I wonder if they have MFA and other measures in place
already.

