
UCOP Ordered Spyware Installed on UC Data Networks - firloop
http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html
======
jph
I consulted for UC Berkeley on a project with the UCB IT email team.

I can say firsthand they are excellent people, both technically and also
morally. They are careful about security and protecting people and data. There
is the usual email protection for virus scanning, spam blocking, abuse
alerting, archiving of legal items, and the like.

In my direct experience, the entire chain of command up to and including the
UCB CTO is solid. So I hope Napolitano steps up and explains what's happening
now.

In the meantime if any UC Berkeley people want to learn how to use GPG for
encrypting email, and VPNs for encrypting traffic, I will donate pro bono
hours.

~~~
wfunction
> In the meantime if any UC Berkeley people want to learn how to use GPG for
> encrypting email

Could you explain why this should be necessary when email communication
between the servers and clients is already encrypted via SSL/TLS? Can they
bypass that? (And if so how?)

~~~
zrm
> Could you explain why this should be necessary when email communication
> between the servers and clients is already encrypted via SSL/TLS? Can they
> bypass that? (And if so how?)

RFC2487 Section 5:

       A publicly-referenced SMTP server MUST NOT require use of the
       STARTTLS extension in order to deliver mail locally. This rule
       prevents the STARTTLS extension from damaging the interoperability of
       the Internet's SMTP infrastructure. A publicly-referenced SMTP server
       is an SMTP server which runs on port 25 of an Internet host listed in
       the MX record (or A record if an MX record is not present) for the
       domain name on the right hand side of an Internet mail address.

In other words, internet mail servers are _required_ to allow a trivial
downgrade to plaintext by a MITM attacker.

~~~
btgeekboy
And if you don't follow the RFC, the internet police will come after you!

Yes, I am aware of the RFC2119 meaning of "MUST NOT." In reality, nothing
prevents the servers from disallowing that downgrade, except that they may not
be interoperable with other servers on the internet. If the operator of the
server wishes to make that tradeoff, then requiring STARTTLS is an option.
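
Added example, not part of the thread: a sender-side view of the trade-off discussed in the two comments above. It parses an EHLO reply and shows what an opportunistic policy and a TLS-required policy each do when the STARTTLS keyword is missing; the hostnames, the replies and the `tls_seen_before` flag are constructed for illustration.

```python
"""Sender-side STARTTLS policy check over constructed EHLO replies."""
from dataclasses import dataclass

# Constructed EHLO reply from a receiving server that offers STARTTLS.
EHLO_ORIGINAL = [
    "250-mx.example.edu greets relay.example.org",
    "250-SIZE 52428800",
    "250-8BITMIME",
    "250-STARTTLS",
    "250 PIPELINING",
]

# The same reply as the sender sees it when the STARTTLS line never arrives.
EHLO_STRIPPED = [line for line in EHLO_ORIGINAL if "STARTTLS" not in line]

# Constructed reply from a server that genuinely has no TLS support.
EHLO_NO_TLS = ["250-legacy.example.net greets relay.example.org", "250 8BITMIME"]


def parse_ehlo(lines):
    """Return the set of extension keywords in a multi-line 250 reply."""
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for index, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        last = index == len(lines) - 1
        # Every line but the last uses "250-"; the last uses "250 ".
        if code != "250" or sep != (" " if last else "-"):
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        if index == 0:
            continue  # first line is the greeting, not an extension
        parts = rest.split()
        if parts:
            keywords.add(parts[0].upper())
    return keywords


@dataclass(frozen=True)
class Decision:
    action: str                 # "starttls", "plaintext" or "defer"
    downgrade_suspected: bool   # peer offered TLS before, but not now


def decide(lines, policy, tls_seen_before=False):
    """Choose what the sending server does with this peer.

    policy: "opportunistic" (use TLS if offered, else send in the clear)
            or "require" (never send without TLS).
    tls_seen_before: hypothetical per-peer memory that this host advertised
            STARTTLS on an earlier connection.
    """
    if policy not in ("opportunistic", "require"):
        raise ValueError(f"unknown policy: {policy!r}")
    if "STARTTLS" in parse_ehlo(lines):
        return Decision("starttls", False)
    # No STARTTLS offered. The sender cannot tell a stripped keyword from a
    # server without TLS, except by remembering what the peer offered before.
    if policy == "require":
        return Decision("defer", tls_seen_before)
    return Decision("plaintext", tls_seen_before)


if __name__ == "__main__":
    cases = [
        ("original", EHLO_ORIGINAL, True),
        ("stripped", EHLO_STRIPPED, True),
        ("no TLS at all", EHLO_NO_TLS, False),
    ]
    for name, reply, seen in cases:
        for policy in ("opportunistic", "require"):
            print(f"{name:14} {policy:13} {decide(reply, policy, seen)}")
```

The "require" rows show both halves of the argument: the stripped reply no longer results in plaintext delivery, and the server that never supported TLS no longer receives mail at all.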

~~~
zrm
If you don't follow the RFC then people will email you from gmail saying "I
tried to send you mail from my company's mail server and it didn't work",
other people will submit a github issue to your project saying they couldn't
email you, and when you try to subscribe to one of djb's mailing lists you'll
get a response from your mail server saying it couldn't deliver the message.

That is what actually happened when I tried it.

~~~
spc476
And I subscribed to a mailing list years ago that suddenly went TLS-mandatory
(for incoming email---it doesn't demand TLS when sending email) and now I
can't even unsubscribe from the list.

------
zbjornson
I was similarly _un_surprised to find out that Stanford monitors all emails,
including ones not sent via Stanford servers. I noticed my emails sent via
SMTP to an outside server (edit: while connected to campus network) were
getting softfail header flags because they were being relayed by Stanford. I'm
sure all network traffic is monitored as well -- the network usage policy
explicitly allows them to.

~~~
richardwhiuk
> I noticed my emails sent via SMTP to an outside server were getting
> softfail header flags because they were being relayed by Stanford.

This doesn't make any sense - either you were sending them via Stanford or you
weren't. If you weren't, how can they be relayed via Stanford?

~~~
hackbinary
Because Stanford has a silent proxy picking up SMTP traffic, and running it
through their security system.

[http://serverfault.com/questions/382329/routing-smtp-and-pop...](http://serverfault.com/questions/382329/routing-smtp-and-pop3-past-iptables-through-proxy)
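
Added example, not part of the thread: one way to check a delivered message for the symptom described above, an SPF softfail together with a relay hop the sender never chose. The message, hostnames and addresses are constructed, and the function names are hypothetical.

```python
"""Audit the Received chain and SPF result of a constructed message."""
import re
from email import message_from_string

# Constructed message: the client was configured to submit to
# mx.outside.example, but a campus relay appears in the path.
RAW_MESSAGE = """\
Received: from relay.campus.example (relay.campus.example [192.0.2.25])
\tby mx.outside.example with ESMTP id abc123;
\tMon, 01 Feb 2016 10:00:05 -0800
Received-SPF: softfail (mx.outside.example: domain of transitioning
\talice@outside.example does not designate 192.0.2.25 as permitted sender)
\tclient-ip=192.0.2.25;
Received: from laptop.local (dhcp-17.campus.example [198.51.100.17])
\tby relay.campus.example with ESMTP id def456;
\tMon, 01 Feb 2016 10:00:03 -0800
From: alice@outside.example
To: bob@outside.example
Subject: constructed sample

body
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_hops(msg):
    """Return (from_host, by_host) pairs in transit order, oldest first."""
    hops = []
    # Each server prepends its header, so the newest hop is listed first.
    for value in reversed(msg.get_all("Received") or []):
        match = HOP_RE.search(value)
        if match:
            hops.append((match.group(1).lower(), match.group(2).lower()))
    return hops


def spf_result(msg):
    """Return the first token of Received-SPF (e.g. 'softfail'), or None."""
    value = msg.get("Received-SPF")
    if not value or not value.split():
        return None
    return value.split()[0].lower()


def unexpected_relays(hops, expected_hosts):
    """List hosts that accepted the message but are not in expected_hosts."""
    expected = {host.lower() for host in expected_hosts}
    seen = []
    for _from_host, by_host in hops:
        if by_host not in expected and by_host not in seen:
            seen.append(by_host)
    return seen


def audit(raw, expected_hosts):
    msg = message_from_string(raw)
    hops = received_hops(msg)
    return {
        "hops": hops,
        "spf": spf_result(msg),
        "unexpected": unexpected_relays(hops, expected_hosts),
    }


if __name__ == "__main__":
    report = audit(RAW_MESSAGE, {"mx.outside.example"})
    for from_host, by_host in report["hops"]:
        print(f"{from_host} -> {by_host}")
    print("SPF:", report["spf"])
    print("unexpected relays:", report["unexpected"])
```

Received headers are written by each hop itself, so a proxy that adds none will not show up here; a clean chain is not proof that nothing sat in the path.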

------
stochastician
I left industry to be a postdoc in the AMPLab and it's really depressing to
see this sort of intrusive monitoring coming to the home of BSD and sockets.

One of the benefits of working in academia in CS has been the absence of
top-down corporate IT control -- no MDM on your mobile devices, no third-parties
having root on your devices, the ability to have a static IP, etc.

~~~
swiley
The university I go to requires giving root access to third party closed
source apps to use most of their IT infrastructure. I don't do this of course
so I end up having to use things as a "guest" and occasionally my email
clients can't sync.

~~~
eru
Could you give them root access in a VM?

~~~
swiley
That's a good idea for my laptop.

------
gradys
How surprising is this when Janet Napolitano[1], former Secretary of Homeland
Security, is the president of the UC system?

[1] -
[https://en.wikipedia.org/wiki/Janet_Napolitano](https://en.wikipedia.org/wiki/Janet_Napolitano)

~~~
ajmurmann
I honestly had no idea she was running the UC system now. I'm actually shocked
to see her in that position. That only furthers my disillusion with anything
related to politics.

~~~
huac
Condi Rice was the provost of Stanford and is now on the Dropbox board. Norcal
has a surprising affinity for neocons...

~~~
jlmorton
Janet Napolitano is a liberal Democrat, former governor of Arizona, and the
Secretary of Homeland Security under Barack Obama. How does this make her a
neocon?

~~~
huac
I mean in terms of foreign policy (keep USA an unchallenged number 1
militarily and economically) and willingness to use surveillance as a
mechanism of control. I get your point that socially or whatever she's not a
neocon, but we're not talking about views on abortion, etc. in this thread. Do
you have a better word than neocon?

> Janet Napolitano [was] the Secretary of Homeland Security under Barack
> Obama.

That qualifies her w.r.t. surveillance and exercise of power. Sounds a lot
like her approach to the UC system! Barack Obama, while a Democrat, commands a
fleet of extrajudicial killing machines that have been used to murder American
citizens without trial. It was during Napolitano's time at DHS that drones for
surveillance and control (read: killing) became cemented as governmental
policy.

Elsewhere here commenters mentioned John Yoo and Condi Rice for their roles in
enabling W's torture policy. How is Napolitano's support for drones (and many
other things - [http://www.foxnews.com/opinion/2013/07/17/janet-napolitanos-...](http://www.foxnews.com/opinion/2013/07/17/janet-napolitanos-orwellian-legacy.html)) different?

------
mschuster91
Money quote:

> \- The intrusive device is capable of capturing and analyzing all network
> traffic to and from the Berkeley campus, and has enough local storage to
> save over 30 days of _all_ this data ("full packet capture"). This can be
> presumed to include your email, all the websites you visit, all the data you
> receive from off campus or data you send off campus.

Just how expensive was that system?!

~~~
ethbro
_> Just how expensive was that system?!_

Attorney-client privilege.

------
fencepost
Seems to me that a big part of the concern is that this is imposed by and
reports to the UCOP (University of California Office of the President?) and is
independent of all local IT staff beyond "stick this black box between your
network and the world and don't tell anyone about it." Covert action does not
inspire trust.

------
themartorana
I'm a bit shocked that I need to be surveilled by absolutely everybody. It's
bad enough my government does it, but at least the conversation starts with
the fact that they're spies by profession. Now my college needs to surveil my
online activities?

I'm not the president of a major university, but how is this justified in the
least?

~~~
a3n
UC exists by the good graces of the State of California. In some sense, UC
_is_ the government, same as the DMV.
[https://en.wikipedia.org/wiki/University_of_California#Gover...](https://en.wikipedia.org/wiki/University_of_California#Governance)

~~~
djcapelis
> UC exists by the good graces of the State of California. In some sense, UC
> is the government, same as the DMV

You've actually dramatically understated it, I think. The UC doesn't exist
through the good graces of the state. The UC's good graces are sufficient to
make them exist under the state constitution absent any other part of
government. If the legislature or governor wanted to shut them down, the only
way they could do it is if they could get enough other regents to vote for it.
The UC system has a _great_ deal more power than the DMV. For one, the
legislature is explicitly not allowed to regulate them outside a few ways
involving funding. Also, the UC has its own state level police agency, that is
controlled by UC, not any other part of the state government.

The DMV is involved in some of the things CHP does, but CHP doesn't report to
the DMV.

UCPD reports to UC.

UC governance is pretty fuckin' wild.

------
jlgaddis
Pretty much every .edu with more than a few thousand students is likely
already doing this. If you work at one of them, you should not be surprised to
know that your traffic is being monitored or that the capability is there.

Is the "uproar" because of the capturing itself or because the captures are
being sent to/monitored by an external third-party?

~~~
free2rhyme214
Ditto. I don't find this surprising either.

If you work for someone else, they can do whatever they want with your
communications on their devices.

I don't work at Berkeley but my guess is their system can do more than record
emails which is extremely pervasive.

~~~
privong
> If you work for someone else, they can do whatever they want with your
> communications on their devices.

I agree with regard to companies, but I think it's a bit less clear for a
university in general. Yes, the faculty and staff are clearly employees and so
in that sense it's reasonable to expect their internet usage will be
monitored. But on the flip side, one of the historical aspects of universities
is supposedly intellectual freedom. And in the sense that faculty might feel a
chilling effect on their intellectual freedom if they know or suspect
everything this type of monitoring, monitoring might be less acceptable.

When it comes to students, this argument is perhaps less clear. The students
are not employees. Yes it's true they have all clicked "I Agree" to the
university's network terms of service (but with all TOS's, how many of them
actually read it?). But again, universities are ostensibly havens for
intellectual freedom; what would pervasive monitoring do to that?

So, I think you are technically and legally correct, but I wonder if that
justification is in the long-term best interests of universities as
institutions of learning and exploration.

~~~
free2rhyme214
Napolitano's decision was probably one of those that sounded good in theory
until people found out about it.

If I was a professor I'd want to work somewhere where I feel safe and secure
because it's eerie having someone standing over your shoulders, let alone
24/7.

You mentioned intellectual freedom which is a feeling of security. I find that
feeling misleading in the US with the NSA's new data center in Utah collecting
our information.

Still it would be wise of Napolitano to reverse course but I think it's
unlikely given her background.

------
ch
Hopefully this forces all UCB faculty to begin to use GPG for all email
communication; then that in turn requires all the faculty contacts to use GPG;
finally the GPG virus spreads nationwide due to this one selfish act!

~~~
dd9990
GPG and HTTPS are just band aids over a far more serious problem. They don't
protect meta data. Knowing what sites you connect to and who you email and how
often is more than enough to seriously undermine privacy and chill discourse.
The real solution is a political one, not a technical one.

~~~
Spooky23
That is not at all germane to this issue -- we're talking about a campus mail
system, so all metadata is inherently available to the system.

~~~
eru
They intercept people using SMTP to connect to non-campus email systems, too.

------
anomic_one
Hardware: Fidelis XPS. 40U in the campus data center, unusual power and
cooling requirements, sending a lot of data to Oakland and the vendor.

~~~
toufka
From their product page: [1]

Deep Session Inspection®. Decode and analyze content in real-time, no matter
how deeply embedded it is. The Deep Session Inspection engine sees every
single packet that traverses the network, reassembles those packets into
session buffers in RAM, and recursively decodes and analyzes the protocols,
applications and content objects in those session buffers in real-time - while
the sessions are occurring. This allows XPS to “see deeper” into applications
and, in particular, the content that’s flowing over the network.

Detect and Investigate Retrospectively. Investigate what attackers have done
in the past. By collecting and storing rich content-level metadata from both
the network and the endpoint, XPS provides a lighter, faster and less
expensive way to analyze historical data.

[1] [https://www.fidelissecurity.com/products/fidelis-xps](https://www.fidelissecurity.com/products/fidelis-xps)

~~~
mentat
Time to do some fuzzing experiments...

------
greggarious
Does this include data sent by students in the course of their classes? If so,
couldn't this be a FERPA violation?

~~~
stevenbedrick
I don't know precisely, but if FERPA works the way HIPAA does, there's a
carve-out for arrangements like this provided that the vendor has an agreement
in place (a BAA in HIPAA-speak) and agrees to abide by certain security
standards. Note that, in practice, it goes like this:

VENDOR: We promise that we are doing all of the stuff that the law says we're
supposed to do to protect the covered data that you're sending us. Look, see
the pretty pictures of a fancy data center in our marketing materials?

CUSTOMER: OK, that's good enough for us! ( _checks off box on list_ )

------
codeonfire
In the workplace it's useful to follow counterintelligence strategies. Send
yourself outlandish job offers from spoofed addresses, for example. The
possibilities are endless.

~~~
gnu8
Looks like an opportunity to launch a $10/mo subscription service.

~~~
a3n
If you had linked to an existing service, I would have signed up on impulse.

~~~
jeffbr13
No need! A LinkedIn account with a recruiter-visible email address will result
in these sorts of unsolicited emails with no subscription fees at all.

------
at-fates-hands
This is actually pretty funny.

In the first email, which basically is loaded with innuendo and short on
actual facts it states:

 _UCOP defends their actions by relying on secret legal determinations and
painting lurid pictures of "advanced persistent threat actors" from which we
must be kept safe. They further promise not to invade our privacy
unnecessarily, while the same time implementing systems designed to do exactly
that._

Then in the next email says:

 _A network security breach was discovered at the UCLA Medical Center around
June 2015._

 _UCOP began monitoring of campus in networks around August 2015._

 _ONLY AFTER this monitoring, on August 27, 2015, did UCOP issue a new
cybersecurity policy online under the heading of "Coordinated Monitoring
Threat Response." The policy describes how UCOP would initiate "Coordinated
Monitoring" of campus networks even though it is believed that such monitoring
was already underway prior to the announcement of the new policy._

So first they were drumming up conspiracy theories about "supposed" threats to
the network and in the second email, they outline there _actually was_ a
breach of their network.

I guess the real issue is they have no idea who the vendor is and what exactly
they're doing with their data. The good news is it appears they're only holding
up to 30 days of data, but aren't clear what happens after the 30 days.

I would be more concerned about the lack of transparency with what they intend
to do with the data and who the hell the vendor actually is. Nothing like
having some shadowy government vendor snooping around your network and storing
and analyzing your data without letting you know what they're doing.

------
huac
My school uses Google Apps for email (among other stuff). Does anybody know if
that setup can be/is monitored?

~~~
jvoorhis
Absolutely. Google's Apps for Work line includes the Vault product, which can
be used for compliance, monitoring and e-discovery.

~~~
huac
Looking more into this: if your Google Apps for Work/Education account has
unlimited storage, then your company has definitely purchased Vault as well.
Easily checked in Gmail.

~~~
aselzer
[https://apps.google.com/products/vault/](https://apps.google.com/products/vault/)

Thanks, for me it is: Don't use Google Apps for Education for anything except
for taking advantage of it by uploading your encrypted data to the nice
"unlimited" Google drive space or sending PGP mails.

~~~
sillysaurus3
_Don't use Google Apps for Education for anything except for taking advantage
of it by uploading your encrypted data to the nice "unlimited" Google drive
space_

Is this really abusable in this fashion?

~~~
mehrdada
I have a few terabytes of encrypted backups and disk images (via command line
OpenSSL) on my "unlimited" Google Drive for Education account. I do not
consider this an _abuse_ , but a perfectly valid use case for Google Drive. If
they don't like it, they can feel free to stop using the word "unlimited".
However, I believe they do do some sort of throttling.

------
jonesb6
Absolute power corrupts absolutely. If NSA contractors were brazen enough to
look up the private information of spouses and "ex-lovers" [1] I don't see why
the IT departments of education systems won't evolve to be susceptible to the
same thing.

"Oh hey look, snapchat traffic!"

[1]: [http://www.reuters.com/article/us-usa-surveillance-watchdog-...](http://www.reuters.com/article/us-usa-surveillance-watchdog-idUSBRE98Q14G20130927)

~~~
toufka
Or, you know, have access to one of the world's premier research
institution's data in real-time. The amount of NDA'd traffic alone across UC's
network is enormously valuable. How many private companies made of valuable,
transmittable IP have endpoints within that network?

------
dekhn
I used to work for Berkeley Lab, which is run by UC, on a network research
group in the mid-2000s. Already by that time, Berkeley Lab, and the UCs were
passing their traffic via passive fiber optic tap to a deep packet inspector
developed by my team. It was called Bro
([https://www.bro.org/](https://www.bro.org/)). It didn't have the disk
capacity to save 30 days of traffic (at Berkeley's level of traffic, that's
quite a lot of storage) but it certainly did some pretty deep snooping. It was
used primarily for security (it would log into the router and cut off
connections that appeared to be hackers). I got a call from IT one day asking
what I was torrenting (it was a linux distro).

------
Zigurd
Is there any background to what seems like assertions made in the article?

Who did the installation, and how were they coerced into secrecy?

The article says information is sent directly to the vendor? Who is the
vendor?

The article mentions "attorney-client privilege." Which counsel? Do they work
for the state?

UC CIO Tom Andiola is said to have promised that the monitoring equipment
would be removed and disclosed.

Then other UC senior management retracted that promise. Has anyone followed up
with Tom Andiola? Hasn't he got a system-wide trust problem now? How is he
taking being hung out to dry this way?

And, on top of all that, how does a UC president hire a contractor in secret?
How is that legal? And how do you think it happened? Was Janet Napolitano
really that concerned "for the children," or was this a sweetheart deal with
the seeds sown back at DHS?

------
dpweb
Can someone better explain the privacy outrage?

\- These are University resources?

\- Any corporation you work for would be monitoring their email systems and
letting users know that. Why are these Univ. resources owned by the people?

\- There's many legitimate reasons for monitoring. Security, legal defense,
etc..

I'll admit trying to sneak this through over objections was probably not
handled in the best way from a PR perspective.

And if you're privacy minded you should already know - most privacy debates
that make the news - are moot.

If you have something truly secret - you must encrypt - so no man in the
middle can read. If you think you have privacy sending _any_ unencrypted email
over any public network you're dreaming.

Assume that anyone with the key - has your data. Ask the guys that lost
millions with Mt. Gox.

~~~
intopieces
Is privacy a luxury we only afford to the technologically savvy? Previously we
considered privacy a right of all people to be free of unreasonable searches.
Your attitude displayed here says otherwise: if you can't encrypt everything
from start to end, you don't deserve privacy. If you are not up to date with
the absolute latest way of sending data without it being monitored, you don't
deserve privacy.

In the past, those with these abilities fought hard to protect those who
didn't. When did that change?

~~~
dpweb
Everyone deserves privacy and it must be defended, and if I have my computer
data at home, the government should not be able to search it without a
warrant.

But when I send that data over public networks unencrypted, I willingly give
up that privacy.

Pretending like the transmitted data was safe in the first place, before they
set up these servers - is a lie, and only plays into the hands of those who
would snoop on you.

~~~
intopieces
> But when I send that data over public networks unencrypted, I willingly give
> up that privacy.

You may willingly give up privacy, but many users do so unwittingly. Their
ignorance does not make the current state of affairs just.

> Pretending like the transmitted data was safe in the first place, before they
> set up these servers - is a lie, and only plays into the hands of those who
> would snoop on you

Ignorance of privacy concerns on public networks is not the same as pretending
the transmitted data was safe in the first place.

The article and controversy are attempting to call attention to the mechanisms
in place that are a threat to privacy of all users. Your response was "well
anyone who doesn't want their data exposed should know better." This is a
disturbing attitude.

~~~
pdkl95
> Ignorance of privacy concerns on public networks is not the same as
> pretending the transmitted data was safe in the first place.

The general public is at least somewhat aware of these problems. People
pushing a surveillance agenda (esp. marketing) often extrapolate this
awareness, suggesting that people are surrendering privacy willingly either
because they don't care or as part of a "trade" for services.

In reality[1], people often feel _powerless_. Without the necessary technical
knowledge to create alternatives, the aggressively pushed surveillance option
seems like the only choice.

> "well anyone who doesn't want their data exposed should know better."

That's classic victim blaming.

I think the common "this isn't surprising" response has some victim blaming in
it, too, when it becomes a thought-terminating cliche. Jacob Appelbaum is
probably right[2] in his interpretation: that saying something isn't
surprising is a coping mechanism that probably means "I can't do anything
about it". Unfortunately, sometimes it's used to shut down discussion.

[1] [https://www.asc.upenn.edu/news-events/publications/tradeoff-...](https://www.asc.upenn.edu/news-events/publications/tradeoff-fallacy-how-marketers-are-misrepresenting-american-consumers-and)

[2]
[https://www.youtube.com/watch?v=n9Xw3z-8oP4#t=594](https://www.youtube.com/watch?v=n9Xw3z-8oP4#t=594)

------
ck2
Would anyone know in the USA if there was a "30 day full packet capture"
system on every ISP ?

[https://en.wikipedia.org/wiki/National_security_letter](https://en.wikipedia.org/wiki/National_security_letter)

No judicial review. At all.

~~~
andyzweb
pro tip: there already is a full packet capture system on every ISP

------
mintplant
The article is a little unclear - is this going on at other UC campuses
besides Berkeley?

~~~
mintplant
Answering my own question: yes.

> On Dec. 7, 2015, several UC Berkeley faculty heard that UCOP had hired an
> outside vendor to operate network monitoring equipment at _all campuses_
> beginning as early as August 2015.

------
jcrawfordor
So, I don't want to defend UC entirely, because they appear to have seriously
mishandled this in several ways. But I would like to share some information
about this aspect of security.

Full packet captures of network traffic are extremely, extremely valuable in
post-compromise incident investigation and in incident detection, as they
allow for vastly more complex analysis of traffic (done post-hoc with more
complicated logic) than is practical on the wire. There's absolutely no need
to invoke the NSA here: multiple private vendors offer these systems. It
sounds like UC went with Fidelis, another major provider is RSA NetWitness
(now part of EMC). These systems are fairly common on corporate networks, the
main thing that limits their installation is cost: just the storage becomes
rather costly at large scales.

Invoking attorney-client privilege on matters related to security is pretty
common in the private world. The reason for this is that any security
investigations and reports are subject to legal discovery and may be used to
establish liability in the event that someone sues you for a matter related to
a cybersecurity incident. The primary way to protect this information is to
place the cybersecurity function under legal counsel so that all security work
is work-product of an attorney and so under privilege. This is a recommended
best practice in the security compliance community. Public institutions do
this less frequently for the reason that it is often prevented or superseded
by the relevant public record/accountability law, or unnecessary due to some
type of immunity for example, but this may not be the case in California.

All in all, nothing here strikes me as particularly unusual practice for a
large organization. What I do see is that UC has made several massive mistakes
in implementation:

1\. It must be completely clear to users that they have no expectation of
privacy when using organizational networks. Unfortunately, many users do not
realize this, and many organizations do not sufficiently communicate it. All
users of organizational networks should sign an agreement to ensure that they
are aware that they have no expectation of privacy. This is already legally
true in as far as I know all cases, but there is an ethical obligation, I
think, to ensure further than that.

2\. Universities present a particularly tricky situation because there is a
captive audience of users who rely on the university network for their
personal usage. Ideally this should be 100% segregated from the institutional
network, I believe, but I have work experience in a small university's IT and
I can tell you how difficult this is to manage - and I can imagine that the
problems at the scale of even a single UC campus are so much greater. They can
and definitely should work harder to balance network management against the
privacy of their captive users.

3\. It appears that there are inadequate controls in place (or at least
disclosed) to protect this data. I am very uncomfortable with the involvement
of a third-party without thorough documentation of their controls in place and
their liability in the event of misuse. There must also be further internal
controls - both technical and administrative - to guard against misuses.
Simply asserting that the data is only used for security is not sufficient,
set actual controls to ensure this and establish how violations will be
handled.

4\. Creating fragmentation within the IT org is very common in universities
but still a terrible idea. All levels of IT and security operations should be
100% on board with security mechanisms used, which appears to not be the case
here.

A couple of auxiliary thoughts:

\- If they are intercepting SSL (which may be a good idea for a corporate
network, there are several factors to weigh against each other) this will of
course be limited to computers that they manage.

\- Tivoli BigFix, as mentioned elsewhere, is a common and rather good endpoint
security solution. A similar competitor is Cisco NAC. These aren't scary NSA
codewords, they're commercial products that many corporations use to ensure
that all computers on a protected network meet a minimum security
configuration. Whether or not they are appropriate in the ways that some
universities use them is a very touchy issue, I don't think that they are, but
that means that potentially much more costly (and inconvenient) controls will
need to be in place.

\- Universities need to carefully manage the fact that they are often not
perceived as corporate orgs in terms of their network practices, although they
usually behave like them. There are certainly complications at universities.
Open communication of policies and procedures will help to alleviate this, as
well as good network management (once again, complete isolation of residential
and administrative networks should be the goal).

~~~
anomic_one
Good comments. But note that UC doesn't have a document that says one _can't_
expect privacy--it has one that says that (except in special cases, and in
these the user is supposed to have recourse) one _can_ expect privacy.

See
[http://policy.ucop.edu/doc/7000470/ElectronicCommunications](http://policy.ucop.edu/doc/7000470/ElectronicCommunications)

The monitoring may be routine and innocent. But it shouldn't be secret, and it
shouldn't be in stark violation of the University's own (stated) policies.

~~~
jcrawfordor
I wasn't familiar with that document, but I read IV-C-2-b as authorizing this
activity:

"University employees who operate and support electronic communications
resources regularly monitor transmissions for the purpose of ensuring
reliability and security of University electronic communications resources and
services (see Section V.B, Security Practices), and in that process might
observe certain transactional information or the contents of electronic
communications."

This is followed by standard restrictions (only for valid purposes, controls
to protect information, etc). They provide a stronger assurance of privacy
than I would expect, but still leave plenty of latitude for this activity.

Edit: copied and pasted from a PDF. never again.....

Further edit: V-B is really interesting and requires user permission "it is
necessary to examine suspect electronic communications records beyond routine
practices." This is kind of a strange rule, but particularly since they're
using a third-party vendor, all of this would easily fall under routine.

It's important to note that this policy primarily discusses "disclosure,"
which I can't see this being considered. It does go to a third party, but one
contracted for internal purposes.

~~~
toufka
Doesn't this: "they are not permitted to seek out transactional information or
contents when not germane to system operations and support, or to disclose or
otherwise use what they have observed." [4C2b]

Conflict a bit with the product's advertised description: "The Deep Session
Inspection engine sees every single packet that traverses the network,
reassembles those packets into session buffers in RAM, and recursively decodes
and analyzes the protocols, applications and content objects in those session
buffers in real-time - while the sessions are occurring. This allows XPS to
“see deeper” into applications and, in particular, the content that’s flowing
over the network." [1]

Boiled down: "University employees are not permitted to seek out... content
when not germane to system operations and support", juxtaposed against, "XPS
reassembles those packets... and content objects... to "see deeper" into
applications and, in particular, the content that's flowing over the network."

Or do we go all bureaucratic-NSA-legalese and say that, " _all_ content is
[could be] germane to some kind of ethereal 'persistent threat'". And that
"'automated packet inspection' based on human-generated rulesets is different
from a human 'seeking out' content." If so, then there shouldn't even be a
privacy carve-out, as there's nothing from which to carve. And the first
sentence in the policy is entirely meaningless.

[1]
[https://www.fidelissecurity.com/sites/default/files/ds_fidel...](https://www.fidelissecurity.com/sites/default/files/ds_fidelis_xps_1509.pdf)

~~~
jcrawfordor
I would argue that reviewing traffic is _obviously_ germane to security
monitoring, which is by definition monitoring traffic for security incidents.

Edit: Content included. Content is where the bad things go, of course, and a
lot of the features that come out of full packet data are the ability to do
things like auto-detonation of executable files for malware detection.
Extremely content-based detection heuristics.

~~~
toufka
But would you argue that reviewing _content_ is germane to security
monitoring? Content and traffic are very different things.

And is that really the (required) 'least invasive' mechanism to achieve a
properly functioning network?

------
whitehat2k9
Well, that's what happens when you put the former head of Homeland Security in
charge of a university.

------
chinathrow
As if that could shine more light into why the network breach occurred...

------
gregniemeyer
We are hosting a forum at UC Berkeley on this issue tomorrow Tuesday from 3-5
PM at 630 Sutardja Dai Hall. We are most concerned about DNS logs.

------
ausjke
The IT department at universities or corporations can archive all the emails
"legally" in their system (not personal emails though, but emails related to
job). I guess this monitoring is something live instead of a
cold-storage-alike archiving? While I hate this practice, they do have the
right of doing that, correct?

------
zifnab06
Any ideas what all they're logging? Netflow wouldn't surprise me, but that is
just traffic metadata.

------
toufka
Have the actual letters between the JCIT and the UCOP been released to the
public?

------
jtth
Wait so port mirroring is now a reason for outcry?

------
xndjcjdjf
Just because something isn't surprising doesn't mean it's right.

------
tilt_error
By definition; any democratic society has the government it deserves.

If not, the society is not a democracy or the citizens are idiots.

The etymology of "idiot": from "idiota" (Late Latin) an "uneducated or
ignorant person", and from "idiotes" (Greek) a "layman, person lacking
professional skill".

Now, vote wisely.

------
geggam
Why is anyone familiar with email surprised that other people can read it ?
Remember when people called email internet postcards ?

