Essentially what is happening here is that MIT’s IT department is performing the extremely evil and nefarious act of running Snort on a SPAN port and gathering NetFlow data. (If you didn’t detect the sarcasm in that statement, please insert it now.)
Before I go any further, I realize that the main point here is that there was no “policy” regarding this practice, though the tone of the article seems to be trying to imply some ulterior motive on the part of the MIT IS&T department.
First let me address NetFlow. NetFlow is nothing more than a method of recording how much data is going through an interface and between which endpoints. Each flow record holds the source and destination addresses and ports, the protocol, packet and byte counts, and start/end timestamps. That is the whole record: there is no payload field, so NetFlow cannot read your mail or see what was on the web page you loaded. It answers questions like “which host pushed 40 GB out of the dorm subnet last night,” not “what did that host say.” I’d say more but that’s about all NetFlow does! The picture is an example of a NetFlow capture.
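To make concrete what a flow record does and does not contain, here is an added example (not part of the original post) that builds a NetFlow v5 export packet with two constructed flows, decodes it with the documented v5 field layout, and totals bytes per source host. The addresses, byte counts and timestamps are made up; the only thing that is real is the wire format.

```python
"""Decode a NetFlow v5 export packet and show what each flow record holds.

Added example, not from the original post. The packet is constructed in-line
with two fake flows so the script runs offline without an exporter or collector.
"""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format, network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")            # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes per flow

RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output",
    "dPkts", "dOctets", "first", "last", "srcport", "dstport",
    "pad1", "tcp_flags", "prot", "tos", "src_as", "dst_as",
    "src_mask", "dst_mask", "pad2",
)


def ip2int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def build_record(src, dst, sport, dport, proto, pkts, octets, first, last, flags=0):
    """Pack one v5 flow record. Note there is no payload field to fill in."""
    return V5_RECORD.pack(ip2int(src), ip2int(dst), 0, 1, 2, pkts, octets,
                          first, last, sport, dport, 0, flags, proto, 0,
                          0, 0, 24, 24, 0)


def build_packet(records, uptime_ms=123456, unix_secs=1222992000):
    """Prepend a v5 header (version, count, uptime, export time, seq, engine, sampling)."""
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, 0, 0, 0, 0)
    return header + b"".join(records)


def parse_packet(data):
    """Return (header dict, list of record dicts); raise ValueError on malformed input."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError("length %d != %d for %d records" % (len(data), expected, count))
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "flow_sequence": seq, "sampling_interval": sampling}
    records = []
    for i in range(count):
        vals = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, vals))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = int2ip(rec[k])
        records.append(rec)
    return header, records


def bytes_per_host(records):
    """Total octets sent per source address: the kind of question NetFlow answers."""
    totals = defaultdict(int)
    for r in records:
        totals[r["srcaddr"]] += r["dOctets"]
    return dict(totals)


# Constructed sample: an HTTP fetch and a DNS lookup from a fake dorm machine.
SAMPLE_PACKET = build_packet([
    build_record("10.0.0.5", "198.51.100.20", 51234, 80, 6, 12, 9876, 100000, 100450, flags=0x1b),
    build_record("10.0.0.5", "10.0.0.53", 40001, 53, 17, 1, 73, 100010, 100010),
])

if __name__ == "__main__":
    hdr, recs = parse_packet(SAMPLE_PACKET)
    print("header:", hdr)
    for r in recs:
        print("%s:%d -> %s:%d proto=%d pkts=%d bytes=%d" % (
            r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"],
            r["prot"], r["dPkts"], r["dOctets"]))
    print("bytes per source:", bytes_per_host(recs))
```

The length check matters on a real collector: a truncated or padded UDP datagram should be rejected rather than decoded into garbage records that end up in your billing or incident data.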
Snort, on the other hand, does grab the packets off the network for analysis. The easiest way to set this up is with a SPAN port, or in my world a monitor port (ProCurve dork). A SPAN port makes the switch mirror a copy of the traffic passing through the selected ports or VLANs onto the port designated as the span port. This is the easiest way to set up an IDS because it lets you deploy it on a network without making the IDS box a router or proxy. It inspects a copy of the traffic off to the side and leaves the rest of the network alone; if the sensor falls over, nobody’s packets stop flowing.
Snort does look at a copy of the data going over the network, but it holds each packet only long enough to check it against its rules. What it keeps is the alert: the signature ID, a timestamp, the protocol, and the source and destination addresses and ports, plus the triggering packet if packet logging is turned on. Everything that did not match is gone. It’s called an intrusion detection system because that’s what it does. It does not monitor people in the sense the article implies.
I love this quote:
“Undergraduate Association President Noah S. Jessop ’09 said he was surprised that IS&T was collecting this information without notice. “It is not the kind of thing I would expect from MIT, and it is definitely not the kind of thing that I would expect to hear long after the fact.””
Mr. Jessop probably didn’t hear about it until long after the fact because this level of monitoring is common security practice in most organizations on Earth with an IT department. Honestly, I’d be very surprised to find out that this is all a school the size of MIT is doing to watch for hackers and compromised systems on its network.
Before I get a bunch of hate mail for this, I should say that I do agree that policies are important and that MIT should have a policy that dictates how long the Snort logs are kept and who is allowed to look at them. Policies protect organizations and departments from internal disputes (they are supposed to, anyway), and they provide a set of guidelines to follow, which helps streamline processes.
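This added example (not from the original post or from the Snort project) ties the two previous points together: it parses Snort “fast” alert lines, which is all an alert-only sensor keeps, and then applies the kind of retention window a log policy would specify. The three alert lines are constructed with fake addresses and local signature IDs. Snort’s default fast format carries no year in the timestamp, so the parser takes the year as an argument; that is an assumption of this script, not a Snort feature.

```python
"""Parse Snort 'fast' alert lines and apply a retention window to them.

Added example, not from the original post or the Snort project. The alert lines
are constructed (fake addresses, local signature IDs). The fast format omits the
year, so the caller supplies it.
"""
import re
from datetime import datetime, timedelta

# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src:port -> dst:port
# Classification is optional, and ICMP alerts carry no ports.
FAST_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_fast(text, year):
    """Return a list of alert dicts; blank lines are skipped, anything else unparsable raises."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_RE.match(line)
        if not m:
            raise ValueError("unparsable alert line: %r" % line)
        g = m.groupdict()
        when = datetime.strptime("%d/%s/%s %s" % (year, g["mon"], g["day"], g["time"]),
                                 "%Y/%m/%d %H:%M:%S.%f")
        alerts.append({
            "time": when,
            "sid": int(g["sid"]), "rev": int(g["rev"]), "msg": g["msg"],
            "classification": g["cls"], "priority": int(g["pri"]),
            "proto": g["proto"],
            "src": g["src"], "sport": int(g["sport"]) if g["sport"] else None,
            "dst": g["dst"], "dport": int(g["dport"]) if g["dport"] else None,
        })
    return alerts


def within_retention(alerts, now, keep_days):
    """Keep only alerts younger than the policy window; the rest are what you delete."""
    cutoff = now - timedelta(days=keep_days)
    return [a for a in alerts if a["time"] >= cutoff]


def count_by_sid(alerts):
    """Alert volume per signature, the usual first question when tuning a sensor."""
    counts = {}
    for a in alerts:
        counts[a["sid"]] = counts.get(a["sid"], 0) + 1
    return counts


# Constructed sample log: three alerts from a fictitious sensor (addresses are documentation ranges).
SAMPLE_LOG = """\
09/01-02:15:40.100000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:41022 -> 10.0.0.5:22
09/28-14:02:11.123456  [**] [1:1000002:1] LOCAL outbound IRC botnet C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:51234 -> 198.51.100.9:6667
09/29-09:30:00.000000  [**] [1:1000003:2] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.1
"""

if __name__ == "__main__":
    alerts = parse_fast(SAMPLE_LOG, year=2008)
    for a in alerts:
        print(a["time"], a["sid"], a["msg"], a["src"], "->", a["dst"])
    kept = within_retention(alerts, now=datetime(2008, 9, 30), keep_days=7)
    print("kept under a 7-day policy:", [a["sid"] for a in kept])
```

Notice what the parser has to work with: signature, time, protocol and a 5-tuple. That is the full record an alert-only deployment retains, and it is the record a retention policy would govern. If your deployment also logs triggering packets (unified2 or a tcpdump log), those files need the same pruning, and they are the ones that can contain payload.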
“Professor Harold Abelson, who teaches 6.805 “Ethics and the Law on the Electronic Frontier,” found it troubling that these logs were being collected without public knowledge. “It’s a violation of fair information practices to be keeping logs that people don’t know about … If they’re collecting logs, they have to inform people that it’s there. If they’re collecting logs, there has to be a policy on how those logs are used or not used.””
Professor Abelson needs to realize that if you connect a computer to a network, you should assume that connection logs are being kept. Most off-the-shelf home routers keep minimal connection logs. Connection logs are kept for many reasons, the most basic of which is simple troubleshooting. Companies and universities are under no obligation to inform users about such practices, especially about something that is a common security practice.
“About the logs, Jessop said “It’s egregious to implement measures on the network that could be used to circumvent user privacy without both policies and procedures in place and some means for the users to understand what the implications to them might be,” Jessop said.
“If you told me this was Comcast, I wouldn’t have been quite as surprised,” he said.”
My point is, in short: if you connect to a network that you do not control, always assume some level of logging or monitoring is being done, as a matter of common sense. If you are really concerned about people spying (which you should be on public networks), encrypt your data! A NetFlow collector or an IDS on a span port sees the same encrypted bytes everyone else does. I do agree with Jessop that people should understand the implications of running their computers on public networks. Here I’ll even provide a couple of links to help.
How to set up an SSH proxy
Ok, my rant is done. It just bugs me that people always think their IT department is out to spy on them or do something evil. Believe me, we are here to help protect the computer systems in our employers’ organizations; doing so is in our best interest and keeps us employed. 🙂