Re: [Micronet] NY Times article re: SF Chronicle reports on UCOP-ordered monitoring of Campus traffic
http://security.ucop.edu/ was very recently updated - Mon 1 Feb 2016

I think that the site itself also went live very recently.

--Jon

On Mon, Feb 01, 2016 at 06:57:35PM -0800, jon kuroda wrote:
> http://www.nytimes.com/2016/02/02/technology/at-ucla-a-new-digital-privacy-protest.html
>
> (Yes, the URL says "UCLA", but it is about Berkeley. Go Bears!)
>
> At Berkeley, a New Digital Privacy Protest
>
> --Jon
>
> On Sat, Jan 30, 2016 at 02:34:34PM -0800, jon kuroda wrote:
> > http://www.sfchronicle.com/bayarea/matier-ross/article/Cal-professors-fear-UC-bosses-will-snoop-on-them-6794646.php
> >
> > This blogpost I found seems to cover some more details:
> > http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html

-
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet. This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the micronet-annou...@lists.berkeley.edu list.
[Micronet] docker-machine vs. UCB AWS Direct Connect
Dear Cloudy Micronetters,

I've hit a nasty catch-22 using docker-machine to set up an AWS EC2 that has a private UCB Direct Connect address. It goes something like this:

The EC2 requires a route to the public internet so you'll be able to do apt-get (and other from-the-Internet downloads) to build out Docker containers.

Meanwhile, AWS EC2 network interfaces on a UCB RFC1918 Direct Connect VPC are given routing tables that (appropriately) only reference campus network ranges, and do not support routing out to the public Internet through campus.

So, how to let your UCB RFC1918-addressed EC2 find the Internet? The most handy way is to also give it a public IP address, which comes with "igw" (Internet gateway) routing.(*) BAM! The EC2 has a pathway to the Internet.

Now, when your EC2 comes up, docker-machine tries to log in to the EC2 to do its magic. It says, "Hey, EC2 API! What's the IP address of my shiny new EC2 instance?" When it does that, it learns the EC2's *public* IP address, and it then tries to ssh into the EC2 through that public IP address so that it can continue setup of the shiny new EC2 instance.

Now, if you're doing all of this from campus, then your local desktop (from which you're running docker-machine) awaits a response from the EC2 *from* the EC2's public interface. But guess what? Your local campus desktop is on campus...and the EC2's routing tables tell it to answer your desktop's ssh conversation via its UCB RFC1918-addressed 10.x.x.x Direct Connect interface.

So...your desktop's docker-machine ssh gets a response from some strange, other IP, and it never completes the conversation.

*Another way of saying it: docker-machine knocks on the front door of the EC2, but the EC2 answers at the back door...leaving docker-machine hangin' out in the cold on the front porch.*

By the way: if I do *not* let the EC2 have a public IP address -- it only has a back door, so to speak -- then docker-machine can ssh just fine! Bummer is that when the setup continues, there is no pathway to the Internet to do apt-get and all the other juicy setup stuff.

...and, in a freaky twist, I can run docker-machine from off campus to fire up such an EC2 with a UCB RFC1918-addressed 10.x.x.x Direct Connect, and it all comes up great, since the campus RFC1918 Direct Connect interface is never involved in the setup conversations. Go figure. Unfortunately, there's no way to readily manage this EC2 from campus after it's up...the ssh key generated by the docker-machine setup process is only good for the public interface, so you have the same front door / back door problem.

Any nice workarounds for this...?

Thanks!

-Greg

(*) A less-handy way would be to fire up an AWS NAT service instance for your EC2's subnet...and that may actually be the realistic solution...but!
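The front-door/back-door behaviour in the post above comes down to two things: which address the client dialed, and which route the VPC picks for the reply packets. The Python model below is an added example, not code from the original post, from docker-machine or from AWS. It applies the longest-prefix-match rule a VPC route table uses to a constructed route table and instance, and walks through the cases Greg lists plus the two configurations that come out clean. The VPC CIDR, the campus address blocks, every IP address and the route targets are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    target: str  # "local" (inside the VPC), "vgw" (Direct Connect), "igw", or "nat"


@dataclass
class Instance:
    private_ip: IPv4
    public_ip: Optional[IPv4] = None  # set when the ENI was given a public address


def lookup(routes: List[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match, the rule a VPC route table applies to each packet."""
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def reply_source(inst: Instance, routes: List[Route], client_ip: IPv4) -> Optional[IPv4]:
    """Source address the client sees on the instance's reply (SYN-ACK) packets.

    Only the Internet gateway rewrites the private address to the public one.
    Packets leaving over the Direct Connect VGW, or staying inside the VPC,
    keep their 10.x source. A NAT gateway carries no inbound connections, so
    a client behind that route never gets a reply at all.
    """
    route = lookup(routes, client_ip)
    if route is None:
        return None
    if route.target == "igw":
        return inst.public_ip  # None if the instance has no public address
    if route.target in ("vgw", "local"):
        return inst.private_ip
    return None


def docker_machine_dial_target(inst: Instance, use_private_address: bool = False) -> IPv4:
    """Address docker-machine will ssh to: the public one when the instance has
    one, unless it is told to prefer the private address."""
    if inst.public_ip is not None and not use_private_address:
        return inst.public_ip
    return inst.private_ip


def ssh_completes(inst: Instance, routes: List[Route], client_ip: IPv4, dialed_ip: IPv4) -> bool:
    """A TCP handshake only completes if the SYN-ACK comes back from the address
    the client dialed; a reply from any other address is simply dropped."""
    return reply_source(inst, routes, client_ip) == dialed_ip


def has_internet_egress(inst: Instance, routes: List[Route]) -> bool:
    """Can the instance reach apt mirrors? It needs a default route to an IGW
    (plus a public address to be translated to) or to a NAT gateway/instance."""
    route = lookup(routes, ipaddress.IPv4Address("192.0.2.1"))  # any non-campus destination
    if route is None:
        return False
    if route.target == "igw":
        return inst.public_ip is not None
    return route.target == "nat"


# Constructed scenario (an assumption modelling the thread, not a real VPC dump).
VPC_LOCAL = ipaddress.ip_network("10.20.0.0/16")        # assumed VPC CIDR
CAMPUS_PUBLIC = ipaddress.ip_network("128.32.0.0/16")   # assumed campus public block

DIRECT_CONNECT_WITH_IGW = [
    Route(VPC_LOCAL, "local"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "vgw"),   # campus RFC1918 space over Direct Connect
    Route(CAMPUS_PUBLIC, "vgw"),                        # campus public space over Direct Connect
    Route(ipaddress.ip_network("0.0.0.0/0"), "igw"),    # the "igw routing" a public IP brings
]
# The footnote's alternative: a private subnet whose default route is a NAT gateway.
DIRECT_CONNECT_WITH_NAT = DIRECT_CONNECT_WITH_IGW[:3] + [Route(ipaddress.ip_network("0.0.0.0/0"), "nat")]

CAMPUS_DESKTOP = ipaddress.IPv4Address("128.32.40.7")     # constructed on-campus client
OFF_CAMPUS_LAPTOP = ipaddress.IPv4Address("198.51.100.9")  # constructed off-campus client

WITH_PUBLIC_IP = Instance(ipaddress.IPv4Address("10.20.1.10"), ipaddress.IPv4Address("203.0.113.5"))
PRIVATE_ONLY = Instance(ipaddress.IPv4Address("10.20.1.10"))


def scenario(inst: Instance, routes: List[Route], client_ip: IPv4,
             use_private_address: bool = False) -> Tuple[bool, bool]:
    """Return (ssh handshake completes, instance has Internet egress) for one run."""
    dialed = docker_machine_dial_target(inst, use_private_address)
    return ssh_completes(inst, routes, client_ip, dialed), has_internet_egress(inst, routes)


if __name__ == "__main__":
    print("1 campus desktop, public IP:          ", scenario(WITH_PUBLIC_IP, DIRECT_CONNECT_WITH_IGW, CAMPUS_DESKTOP))
    print("2 campus desktop, private only:       ", scenario(PRIVATE_ONLY, DIRECT_CONNECT_WITH_IGW, CAMPUS_DESKTOP))
    print("3 off campus, public IP:              ", scenario(WITH_PUBLIC_IP, DIRECT_CONNECT_WITH_IGW, OFF_CAMPUS_LAPTOP))
    print("4 campus, public IP, dial private IP: ", scenario(WITH_PUBLIC_IP, DIRECT_CONNECT_WITH_IGW, CAMPUS_DESKTOP, True))
    print("5 campus, private only + NAT gateway: ", scenario(PRIVATE_ONLY, DIRECT_CONNECT_WITH_NAT, CAMPUS_DESKTOP))
```

Scenarios 1 to 3 reproduce the three outcomes in the post: the campus client dialing the public address sees a SYN-ACK from the 10.x address and hangs, the private-only instance is reachable but has no egress, and the off-campus run works because the reply route is the IGW in both directions. Scenario 4 is the same instance with docker-machine told to dial the private address; the amazonec2 driver has a --amazonec2-use-private-address option for that (confirm the exact flag with `docker-machine create -d amazonec2 --help` for your version). Scenario 5 is the footnote's NAT approach. In either case, verify against the route table the subnet actually uses (`aws ec2 describe-route-tables`) rather than the constructed one here.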
Re: [Micronet] docker-machine vs. UCB AWS Direct Connect
Can you build your container images on a campus network, and then push the container images to a campus docker registry and just pull the image from your docker registry to run in the EC2 hosted docker host?

Steve Chan
syc...@berkeley.edu
Manager - Enterprise Integration Services, IST-API
SIS Project Integration/Interfaces Team
2111 Bancroft Way office 502A
Berkeley, CA 94720-4990

On Thu, Feb 4, 2016 at 3:55 PM, Greg MERRITT wrote:
> Dear Cloudy Micronetters,
>
> I've hit a nasty catch-22 using docker-machine to set up an AWS EC2 that has a private UCB Direct Connect address. It goes something like this:
>
> The EC2 requires a route to the public internet so you'll be able to do apt-get (and other from-the-Internet downloads) to build out Docker containers.
>
> Meanwhile, AWS EC2 network interfaces on a UCB RFC1918 Direct Connect VPC are given routing tables that (appropriately) only reference campus network ranges, and do not support routing out to the public Internet through campus.
>
> So, how to let your UCB RFC1918-addressed EC2 find the Internet? The most handy way is to also give it a public IP address, which comes with "igw" (Internet gateway) routing.(*) BAM! The EC2 has a pathway to the Internet.
>
> Now, when your EC2 comes up, docker-machine tries to log in to the EC2 to do its magic. It says, "Hey, EC2 API! What's the IP address of my shiny new EC2 instance?" When it does that, it learns the EC2's *public* IP address, and it then tries to ssh into the EC2 through that public IP address so that it can continue setup of the shiny new EC2 instance.
>
> Now, if you're doing all of this from campus, then your local desktop (from which you're running docker-machine) awaits a response from the EC2 *from* the EC2's public interface. But guess what? Your local campus desktop is on campus...and the EC2's routing tables tell it to answer your desktop's ssh conversation via its UCB RFC1918-addressed 10.x.x.x Direct Connect interface.
>
> So...your desktop's docker-machine ssh gets a response from some strange, other IP, and it never completes the conversation.
>
> *Another way of saying it: docker-machine knocks on the front door of the EC2, but the EC2 answers at the back door...leaving docker-machine hangin' out in the cold on the front porch.*
>
> By the way: if I do *not* let the EC2 have a public IP address -- it only has a back door, so to speak -- then docker-machine can ssh just fine! Bummer is that when the setup continues, there is no pathway to the Internet to do apt-get and all the other juicy setup stuff.
>
> ...and, in a freaky twist, I can run docker-machine from off campus to fire up such an EC2 with a UCB RFC1918-addressed 10.x.x.x Direct Connect, and it all comes up great, since the campus RFC1918 Direct Connect interface is never involved in the setup conversations. Go figure. Unfortunately, there's no way to readily manage this EC2 from campus after it's up...the ssh key generated by the docker-machine setup process is only good for the public interface, so you have the same front door / back door problem.
>
> Any nice workarounds for this...?
>
> Thanks!
>
> -Greg
>
> (*) A less-handy way would be to fire up an AWS NAT service instance for your EC2's subnet...and that may actually be the realistic solution...but!
Re: [Micronet] NY Times article re: SF Chronicle reports on UCOP-ordered monitoring of Campus traffic
Peter Eckersley from the EFF gave a talk today on campus, see https://events.berkeley.edu/index.php/calendar/sn/eecs.html?event_ID=97050

He suggested running the Https Everywhere plugin (https://www.eff.org/https-everywhere) in Firefox, Chrome and Opera. He also suggested Tor.

Personally, I'm hesitant to promote Tor, but it also seems that in light of the recent UCOP activity, more people will want to know more about Tor. It would be helpful if there was some guidance that we could provide people about why they do or don't want to run Tor. For example, the knowledge base at https://kb.berkeley.edu/search.php?q=Tor has nothing.

Another alternative is for groups and departments to break away from the campus backbone. This also has risks. Guidance here would be helpful as well.

I've been converting various websites that I manage to be full time https, and I reinstalled Https Everywhere.

My guess is that this incident will blow over, and the hardware will continue to stay installed and running.

In other news, until it was corrected, the examiner.com article had the July break-in being at UC Berkeley, not UCLA.

_Christopher

On 2/1/16 6:57 PM, jon kuroda wrote:
> http://www.nytimes.com/2016/02/02/technology/at-ucla-a-new-digital-privacy-protest.html
>
> (Yes, the URL says "UCLA", but it is about Berkeley. Go Bears!)
>
> At Berkeley, a New Digital Privacy Protest
>
> --Jon
>
> On Sat, Jan 30, 2016 at 02:34:34PM -0800, jon kuroda wrote:
>> http://www.sfchronicle.com/bayarea/matier-ross/article/Cal-professors-fear-UC-bosses-will-snoop-on-them-6794646.php
>>
>> This blogpost I found seems to cover some more details:
>> http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html

--
Christopher Brooks, PMP
Academic Program Manager & Software Engineer
CHESS/iCyPhy/Ptolemy/TerraSwarm
University of California
US Mail: 337 Cory Hall, Berkeley, CA 94720-1774
c...@eecs.berkeley.edu, 707.332.0670 (Office: 545Q Cory)
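Christopher mentions converting the sites he manages to full-time https. The check a practitioner wants at that point is whether a site actually behaves that way: a permanent redirect from http to https, and a Strict-Transport-Security header with a sensible max-age on the https side, since HTTPS Everywhere on the client only helps when the server side is consistent. The Python below is an added example and not code from the thread, from the EFF or from any campus tool. It audits constructed responses instead of fetching anything, the hostnames are made up, and the one-year max-age floor is an assumed policy value, not a requirement stated on the page.

```python
from typing import Dict, List, Optional, Tuple

# A minimal stand-in for an HTTP response: (status code, headers).
Response = Tuple[int, Dict[str, str]]

MIN_MAX_AGE = 31536000  # one year in seconds; an assumed policy floor, adjust to taste


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value per RFC 6797.

    Directives are ';'-separated, names are case-insensitive, and max-age is
    mandatory; a header without a numeric max-age is treated as malformed.
    Returns a dict with the integer max-age and the other directives, or None.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def audit_site(http_resp: Response, https_resp: Response) -> List[str]:
    """Return the list of findings for one host; an empty list means full-time https."""
    findings = []

    # Plain-http side: it should only ever hand the browser off to https.
    status, headers = http_resp
    h = _lower(headers)
    location = h.get("location", "")
    if status not in (301, 308):
        findings.append(f"http: expected a permanent redirect (301/308), got {status}")
    elif not location.lower().startswith("https://"):
        findings.append(f"http: redirect target is not https ({location!r})")
    if "strict-transport-security" in h:
        findings.append("http: HSTS header sent over plain http is ignored by browsers (RFC 6797)")

    # https side: serve content and pin the browser to https with HSTS.
    status, headers = https_resp
    h = _lower(headers)
    if status != 200:
        findings.append(f"https: unexpected status {status}")
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if hsts is None:
        findings.append("https: missing or malformed Strict-Transport-Security header")
    else:
        if hsts["max-age"] < MIN_MAX_AGE:
            findings.append(f"https: HSTS max-age {hsts['max-age']} is below the policy floor {MIN_MAX_AGE}")
        if "includesubdomains" not in hsts:
            findings.append("https: HSTS lacks includeSubDomains")
    return findings


# Constructed sample responses (made up for the example, not captured from any real host).
SAMPLE: Dict[str, Tuple[Response, Response]] = {
    "good.example": (
        (301, {"Location": "https://good.example/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ),
    "half.example": (
        (302, {"Location": "https://half.example/",                      # temporary redirect
               "Strict-Transport-Security": "max-age=31536000"}),       # HSTS on the wrong side
        (200, {"Strict-Transport-Security": "max-age=300"}),            # short, no subdomains
    ),
    "plain.example": (
        (200, {}),   # still serves content over http
        (200, {}),   # no HSTS at all
    ),
}


def audit_all(samples: Dict[str, Tuple[Response, Response]] = SAMPLE) -> Dict[str, List[str]]:
    return {host: audit_site(http, https) for host, (http, https) in samples.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

To run this against real hosts, replace the constructed SAMPLE entries with the status and headers from a request to http://host/ and https://host/ (for example via urllib or curl -sI), and keep the http request from following redirects so the first hop is what gets audited.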
Re: [Micronet] Forwarding mechanism for a defunct mail server
I sent a message privately to Beth, but thought this might be something that others with retiring servers might want to consider.

We can take on the hostname as a subdomain in bConnected. This will allow the users to create aliases to their Berkeley accounts. Any mail going to that alias will go into their Berkeley account. We have also been migrating mail from the servers into the Berkeley accounts.

If you want to consider this, please see the KB article: https://kb.berkeley.edu/page.php?id=23301

Thanks
Bernie

On Thu, Feb 4, 2016 at 8:37 AM, Beth Muramoto wrote:
> We had a mail server that also contained data on it that we finally retired. It was a Linux/Unix machine and the sys admin for it retired.
>
> For the most part we were able to get people to stop using it as a mail server years ago to use @berkeley.edu, but no sooner than when we disconnected this server from the network than there was one faculty member who wants to put in place a forwarding mechanism as some of his papers etc. had references to it (don't get me started on why he didn't change over to @berkeley.edu) and he can't notify or change every reference to it.
>
> There is no one here who knows Linux/Unix and the computer is out of date and sets off alerts with security@berkeley. I don't want to keep it alive for this one purpose, however, I don't know how I can forward an email addressed to an @soe.berkeley.edu to an @berkeley.edu or even have a "vacation" message of sorts in place to say the other address is no longer valid without putting that server back on the network.
>
> Does anyone know of a way or knows if there is a campus "service" that will "masquerade" as the @soe.berkeley.edu server and perform this forwarding?
>
> Thanks for any suggestions.
>
> Beth
>
> --
> ***
> Beth Muramoto
> Computer Resource Specialist
> Graduate School of Education
> University of California, Berkeley
> 1650 Tolman Hall
> Berkeley, CA 94720
> Email: mailto:bmura...@berkeley.edu
> Phone: (510) 643-0203
> Fax: (510) 643-6239
> ***
[Micronet] Forwarding mechanism for a defunct mail server
We had a mail server that also contained data on it that we finally retired. It was a Linux/Unix machine and the sys admin for it retired.

For the most part we were able to get people to stop using it as a mail server years ago to use @berkeley.edu, but no sooner than when we disconnected this server from the network than there was one faculty member who wants to put in place a forwarding mechanism as some of his papers etc. had references to it (don't get me started on why he didn't change over to @berkeley.edu) and he can't notify or change every reference to it.

There is no one here who knows Linux/Unix and the computer is out of date and sets off alerts with security@berkeley. I don't want to keep it alive for this one purpose, however, I don't know how I can forward an email addressed to an @soe.berkeley.edu to an @berkeley.edu or even have a "vacation" message of sorts in place to say the other address is no longer valid without putting that server back on the network.

Does anyone know of a way or knows if there is a campus "service" that will "masquerade" as the @soe.berkeley.edu server and perform this forwarding?

Thanks for any suggestions.

Beth

--
***
Beth Muramoto
Computer Resource Specialist
Graduate School of Education
University of California, Berkeley
1650 Tolman Hall
Berkeley, CA 94720
Email: mailto:bmura...@berkeley.edu
Phone: (510) 643-0203
Fax: (510) 643-6239

“Finish each day and be done with it. You have done what you could. Some blunders and absurdities have crept in – forget them as soon as you can. Tomorrow is a new day. You shall begin it serenely and with too high a spirit to be encumbered with your old nonsense.”
-Emerson

This is the essence of forgiveness. You can't change what happened but you can make sure it doesn't have the power to prevent you from being happy tomorrow.
-Paul Boese

“Kind words do not cost much yet they accomplish much.”
-Blaise Pascal
***