Re: [Micronet] NY Times article re: SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

2016-02-04 Thread jon kuroda
http://security.ucop.edu/ was very recently updated - Mon 1 Feb 2016

I think that the site itself also went live very recently.

--Jon

On Mon, Feb 01, 2016 at 06:57:35PM -0800, jon kuroda wrote:
> http://www.nytimes.com/2016/02/02/technology/at-ucla-a-new-digital-privacy-protest.html
> 
> (Yes, the URL says 'UCLA', but it is about Berkeley.  Go Bears!)
> 
> At Berkeley, a New Digital Privacy Protest
> 
> --Jon
> 
> On Sat, Jan 30, 2016 at 02:34:34PM -0800, jon kuroda wrote:
> > http://www.sfchronicle.com/bayarea/matier-ross/article/Cal-professors-fear-UC-bosses-will-snoop-on-them-6794646.php
> > 
> > This blogpost I found seems to cover some more details:
> > http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html
> > 
> >  
> > -
> > The following was automatically added to this message by the list server:
> > 
> > To learn more about Micronet, including how to subscribe to or unsubscribe 
> > from its mailing list and how to find out about upcoming meetings, please 
> > visit the Micronet Web site:
> > 
> > http://micronet.berkeley.edu
> > 
> > Messages you send to this mailing list are public and world-viewable, and 
> > the list's archives can be browsed and searched on the Internet.  This 
> > means these messages can be viewed by (among others) your bosses, 
> > prospective employers, and people who have known you in the past.
> > 
> > ANNOUNCEMENTS: To send announcements to the Micronet list, please use the 
> > micronet-annou...@lists.berkeley.edu list.


[Micronet] docker-machine vs. UCB AWS Direct Connect

2016-02-04 Thread Greg MERRITT
Dear Cloudy Micronetters,

I've hit a nasty catch-22 using docker-machine to set up an AWS EC2 that
has a private UCB Direct Connect address. It goes something like this:

The EC2 requires a route to the public internet so you'll be able to do
apt-get (and other from-the-Internet downloads) to build out Docker
containers.

Meanwhile, AWS EC2 network interfaces on a UCB RFC1918 Direct Connect VPC
are given routing tables that (appropriately) only reference campus network
ranges, and do not support routing out to the public Internet through
campus.

So, how to let your UCB RFC1918-addressed EC2 find the Internet? The most
handy way is to also give it a public IP address, which comes with "igw"
(Internet gateway) routing.(*) BAM! The EC2 has a pathway to the Internet.

Now, when your EC2 comes up, docker-machine tries to log in to the EC2
to do its magic. It says, "Hey, EC2 API! What's the IP address of my shiny
new EC2 instance?" When it does that, it learns the EC2's *public* IP
address, and it then tries to ssh into the EC2 through that public IP
address so that it can continue setup of the shiny new EC2 instance.

Now, if you're doing all of this from campus, then your local desktop (from
which you're running docker-machine) awaits a response from the EC2 *from* the
EC2's public interface. But guess what? Your local campus desktop is on
campus...and the EC2's routing tables tell it to answer your desktop's ssh
conversation via its UCB RFC1918-addressed 10.x.x.x Direct Connect
interface.

So...your desktop's docker-machine ssh gets a response from some strange,
other IP, and it never completes the conversation.

*Another way of saying it: docker-machine knocks on the front door of the
EC2, but the EC2 answers at the back door...leaving docker-machine hangin'
out in the cold on the front porch.*

By the way: if I do *not* let the EC2 have a public IP address -- it only
has a back door, so to speak -- then docker-machine
can ssh just fine! Bummer is that when the setup continues, there is no
pathway to the Internet to do apt-get and all the other juicy setup stuff.

...and, in a freaky twist, I can run docker-machine from off campus to fire
up such an EC2 with a UCB RFC1918-addressed 10.x.x.x Direct Connect, and it
all comes up great, since the campus RFC1918 Direct Connect interface is
never involved in the setup conversations. Go figure. Unfortunately,
there's no way to readily manage this EC2 from campus after it's up...the
ssh key generated by the docker-machine setup process is only good for the
public interface, so you have the same front door / back door problem.

Any nice workarounds for this...?

Thanks!

-Greg

(*) A less-handy way would be to fire up an AWS NAT service instance for
your EC2's subnet...and that may actually be the realistic
solution...but!
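The front door / back door mismatch described in the message above, as an added example that is not part of the original post and not docker-machine or AWS code: a small Python model of the VPC route-table decisions involved. Every address and prefix in it is constructed from documentation ranges (192.0.2.0/24 stands in for a campus range the Direct Connect VPC routes over the virtual private gateway), and it assumes, as the post describes, that the instance has a public IP exactly when its subnet has an igw default route. The last two scenarios go beyond the cases in the post: they show the two ways out, keeping the public IP but having docker-machine connect to the private address, and the NAT variant from the footnote.

```python
"""Model of why the docker-machine SSH handshake stalls on a Direct Connect VPC.

Added example, not docker-machine or AWS code. All addresses and prefixes are
constructed; the route tables mirror the post's description of the VPC.
"""
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation ranges), not real campus or AWS values.
INSTANCE_PRIVATE = ip_address("10.50.1.20")   # ENI address in the Direct Connect VPC
INSTANCE_PUBLIC = ip_address("203.0.113.20")  # public IP, 1:1 NAT performed by the igw
CAMPUS_DESKTOP = ip_address("192.0.2.44")     # docker-machine run from campus
HOME_DESKTOP = ip_address("198.51.100.9")     # docker-machine run from off campus
APT_MIRROR = ip_address("198.51.100.80")      # any host on the public Internet

# Subnet route tables, modelled on the post. Assumption: the instance has a
# public IP exactly when the table carries an igw default route.
DX_ONLY = [                                   # no public IP: "back door only"
    (ip_network("10.50.0.0/16"), "local"),    # the VPC itself
    (ip_network("10.0.0.0/8"), "vgw"),        # campus RFC1918 space over Direct Connect
    (ip_network("192.0.2.0/24"), "vgw"),      # placeholder campus range over Direct Connect
]
DX_PLUS_IGW = DX_ONLY + [(ip_network("0.0.0.0/0"), "igw")]  # public IP attached
DX_PLUS_NAT = DX_ONLY + [(ip_network("0.0.0.0/0"), "nat")]  # footnote (*) variant


def lookup(routes, dst):
    """Longest-prefix match, which is how a VPC route table picks a target."""
    hits = [(net, target) for net, target in routes if dst in net]
    return max(hits, key=lambda hit: hit[0].prefixlen)[1] if hits else None


def inbound_gateway(routes, client, connect_to):
    """Gateway that delivers the client's SYN, or None if it cannot arrive."""
    if connect_to == INSTANCE_PUBLIC:
        # The public IP only exists, and is only DNATed, when there is an igw route.
        return "igw" if any(target == "igw" for _, target in routes) else None
    if connect_to == INSTANCE_PRIVATE:
        # An RFC1918 address is reachable only from networks the VPC routes over DX.
        return "vgw" if lookup(routes, client) == "vgw" else None
    return None


def reply_source(routes, client):
    """Address the client sees as the source of the SYN-ACK: the igw rewrites the
    ENI's private address to the public IP, the Direct Connect path does not."""
    return INSTANCE_PUBLIC if lookup(routes, client) == "igw" else INSTANCE_PRIVATE


def ssh_handshake_ok(routes, client, connect_to):
    """docker-machine's SSH client completes the TCP handshake only if the SYN
    arrives and the SYN-ACK comes back from the address it connected to; a
    SYN-ACK from any other address matches no socket and is dropped."""
    if inbound_gateway(routes, client, connect_to) is None:
        return False
    return reply_source(routes, client) == connect_to


def internet_reachable(routes):
    """Can the instance itself reach apt mirrors on the public Internet?"""
    return lookup(routes, APT_MIRROR) in ("igw", "nat")


def exposed_to_internet(routes):
    """Can arbitrary Internet hosts open connections to the instance (subject to
    the security group)? Only with a public IP behind an igw route."""
    return any(target == "igw" for _, target in routes)


def scenarios():
    """Cases from the post plus the two ways out, as (ssh ok, apt ok, exposed)."""
    def run(routes, client, connect_to):
        return (ssh_handshake_ok(routes, client, connect_to),
                internet_reachable(routes), exposed_to_internet(routes))
    return {
        # 1. Public IP, docker-machine on campus uses the public address: SYN in via
        #    igw, SYN-ACK out via vgw from 10.50.1.20, so the handshake never completes.
        "campus->public, igw": run(DX_PLUS_IGW, CAMPUS_DESKTOP, INSTANCE_PUBLIC),
        # 2. No public IP: ssh over Direct Connect works, but apt-get has no route.
        "campus->private, no igw": run(DX_ONLY, CAMPUS_DESKTOP, INSTANCE_PRIVATE),
        # 3. The "freaky twist": from off campus both directions use the igw.
        "home->public, igw": run(DX_PLUS_IGW, HOME_DESKTOP, INSTANCE_PUBLIC),
        # 4. Keep the public IP for outbound, have docker-machine use the private address.
        "campus->private, igw": run(DX_PLUS_IGW, CAMPUS_DESKTOP, INSTANCE_PRIVATE),
        # 5. Footnote (*): no public IP, outbound through NAT, nothing reachable from the world.
        "campus->private, nat": run(DX_PLUS_NAT, CAMPUS_DESKTOP, INSTANCE_PRIVATE),
    }


if __name__ == "__main__":
    for name, (ssh, apt, exposed) in scenarios().items():
        print(f"{name:26} ssh={ssh!s:5} apt={apt!s:5} exposed={exposed}")
```

Running it prints one line per scenario. Scenario 4 is the cheap way out: docker-machine's amazonec2 driver can be told to talk to the instance's private address (the `--amazonec2-use-private-address` flag in recent releases; confirm with `docker-machine create -d amazonec2 --help` on the version in use), so both directions of the SSH session ride Direct Connect while the igw route still serves apt-get. The last column is the caveat: scenario 4 leaves a public IP on the host, with SSH and the Docker daemon port reachable from anywhere the security group allows (check what the driver's auto-created group opens), whereas the NAT variant in scenario 5 keeps the host reachable only over Direct Connect.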
 


Re: [Micronet] docker-machine vs. UCB AWS Direct Connect

2016-02-04 Thread Steve Chan
   Can you build your container images on a campus network, and then push
the container images to a campus docker registry and just pull the image
from your docker registry to run in the EC2 hosted docker host?

Steve Chan
syc...@berkeley.edu
Manager - Enterprise Integration Services, IST-API
SIS Project Integration/Interfaces Team
2111 Bancroft Way office 502A
Berkeley, CA 94720-4990

On Thu, Feb 4, 2016 at 3:55 PM, Greg MERRITT  wrote:

> Dear Cloudy Micronetters,
>
> I've hit a nasty catch-22 using docker-machine to set up an AWS EC2 that
> has a private UCB Direct Connect address. It goes something like this:
>
> The EC2 requires a route to the public internet so you'll be able to do
> apt-get (and other from-the-Internet downloads) to build out Docker
> containers.
>
> Meanwhile, AWS EC2 network interfaces on a UCB RFC1918 Direct Connect VPC
> are given routing tables that (appropriately) only reference campus network
> ranges, and do not support routing out to the public Internet through
> campus.
>
> So, how to let your UCB RFC1918-addressed EC2 find the Internet? The most
> handy way is to also give it a public IP address, which comes with "igw"
> (Internet gateway) routing.(*) BAM! The EC2 has a pathway to the Internet.
>
> Now, when your EC2 comes up, docker-machine tries to do log in to the EC2
> to do its magic. It says, "Hey, EC2 API! What's the IP address of my shiny
> new EC2 instance?" When it does that, it learns the EC2's *public* IP
> address, and it then tries to ssh into the EC2 through that public IP
> address so that it can continue setup of the shiny new EC2 instance.
>
> Now, if you're doing all of this from campus, then your local desktop
> (from which you're running docker-machine) awaits a response from the EC2
> *from* the EC2's public interface. But guess what? Your local campus
> desktop is on campus...and the EC2's routing tables tell it to answer your
> desktop's ssh conversation via its UCB RFC1918-addressed 10.x.x.x Direct
> Connect interface.
>
> So...your desktop's docker-machine ssh gets a response from some strange,
> other IP, and it never completes the conversation.
>
> *Another way of saying it: docker-machine knocks on the front door of the
> EC2, but the EC2 answers at the back door...leaving docker-machine hangin'
> out in the cold on the front porch.*
>
> By the way: if I do *not* let the EC2 have a public IP address -- it only
> has a back door, so to speak -- then  docker-machine
> can ssh just fine! Bummer is that when the setup continues, there is no
> pathway to the Internet to do apt-get and all the other juicy setup stuff.
>
> ...and, in a freaky twist, I can run docker-machine from off campus to
> fire up such an EC2 with a UCB RFC1918-addressed 10.x.x.x Direct Connect,
> and it all comes up great, since the campus RFC1918 Direct Connect
> interface is never involved in the setup conversations. Go figure.
> Unfortunately, there's no way to readily mange this EC2 from campus after
> it's up...the ssh key generated by the docker-machine setup process is
> only good for the public interface, so you have the same front door / back
> door problem.
>
> Any nice workarounds for this...?
>
> Thanks!
>
> -Greg
>
> (*) A less-handy way would be to fire up an AWS NAT service instance for
> your EC2's subnet...and that may actually be the realistic
> solution...but!
>
>
>
> -
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe
> from its mailing list and how to find out about upcoming meetings, please
> visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and
> the list's archives can be browsed and searched on the Internet.  This
> means these messages can be viewed by (among others) your bosses,
> prospective employers, and people who have known you in the past.
>
> ANNOUNCEMENTS: To send announcements to the Micronet list, please use the
> micronet-annou...@lists.berkeley.edu list.
>
>
 
-
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from 
its mailing list and how to find out about upcoming meetings, please visit the 
Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the 
list's archives can be browsed and searched on the Internet.  This means these 
messages can be viewed by (among others) your bosses, prospective employers, 
and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the 
micronet-annou...@lists.berkeley.edu list.


Re: [Micronet] NY Times article re: SF Chronicle reports on UCOP-ordered monitoring of Campus traffic

2016-02-04 Thread Christopher Brooks
Peter Eckersley from the EFF gave a talk today on campus, see 
https://events.berkeley.edu/index.php/calendar/sn/eecs.html?event_ID=97050

He suggested running the HTTPS Everywhere plugin 
(https://www.eff.org/https-everywhere) in Firefox, Chrome and Opera.

He also suggested Tor.

Personally, I'm hesitant to promote Tor, but it also seems that in light 
of the recent UCOP activity, more people will want to know more about 
Tor.  It would be helpful if there was some guidance that we could 
provide people about why they do or don't want to run Tor. For example, 
the knowledge base at https://kb.berkeley.edu/search.php?q=Tor has nothing.

Another alternative is for groups and departments to break away from the 
campus backbone.  This also has risks.  Guidance here would be helpful 
as well.

I've been converting various websites that I manage to be full time https 
and I reinstalled HTTPS Everywhere.

My guess is that this incident will blow over, the hardware will 
continue to stay installed and running.

In other news, until it was corrected, the examiner.com article had the 
July break in being at UC Berkeley, not UCLA.

_Christopher



On 2/1/16 6:57 PM, jon kuroda wrote:

-- 
Christopher Brooks, PMP   University of California
Academic Program Manager & Software Engineer  US Mail: 337 Cory Hall
CHESS/iCyPhy/Ptolemy/TerraSwarm   Berkeley, CA 94720-1774
c...@eecs.berkeley.edu, 707.332.0670   (Office: 545Q Cory)


 


Re: [Micronet] Forwarding mechanism for a defunct mail server

2016-02-04 Thread Bernie ROSSI
I sent a message privately to Beth, but thought this might be something
that others with retiring servers might want to consider.

We can take on the hostname as a subdomain in bConnected.  This will allow
the users to create aliases to their Berkeley accounts.  Any mail going to
that alias will go into their Berkeley account.

We have also been migrating mail from the servers into the Berkeley
accounts.

If you want to consider this, please see the KB article:

https://kb.berkeley.edu/page.php?id=23301

Thanks

Bernie



On Thu, Feb 4, 2016 at 8:37 AM, Beth Muramoto  wrote:

> We had a mail server that also contained data on it that we finally
> retired. It was a Linux/Unix machine and the sys admin for it retired.
>
> For the most part we were able to get people to stop using it as a mail
> server years ago to use @berkeley.edu, but no sooner than when we
> disconnected this server from the network than there was one faculty member
> who wants to put in place a forwarding mechanism as some of his papers etc.
> had references to it (don't get me started on why he didn't change over to @
> berkeley.edu) and he can't notify or change every reference to it.
>
> There is no one here who knows Linux/Unix and the computer is out of date
> and sets off alerts with security@berkeley. I don't want to keep it alive
> for this one purpose, however, I don't know how I can forward an email
> addressed to an @soe.berkeley.edu to an @berkeley.edu or even have a
> "vacation" message of sorts in place to say the other address is no longer
> valid without putting that server back on the network.
>
> Does anyone know of a way or knows if there is a campus "service" that
> will "masquerade" as the @soe.berkeley.edu server and perform this
> forwarding?
>
> Thanks for any suggestions.
>
> Beth
>
> --
> ***
> Beth Muramoto
> Computer Resource Specialist
> Graduate School of Education
> University of California, Berkeley
> 1650 Tolman Hall
> Berkeley, CA 94720
> Email:  mailto:bmura...@berkeley.edu
> Phone:  (510) 643-0203
> Fax:  (510) 643-6239
>
> “Finish each day and be done with it. You have done what you could. Some
> blunders and absurdities have crept in – forget them as soon as you can.
> Tomorrow is a new day. You shall begin it serenely and with too high a
> spirit to be encumbered with your old nonsense.”
> -Emerson
>
> This is the essence of forgiveness. You can't change what happened but you
> can make sure it doesn't have the power to prevent you from being happy
> tomorrow.
>
>  -Paul Boese
>
> “Kind words do not cost much yet they accomplish much.”
>
> -Blaise Pascal
>
>
> ***
>
>
>
> -
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe
> from its mailing list and how to find out about upcoming meetings, please
> visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and
> the list's archives can be browsed and searched on the Internet.  This
> means these messages can be viewed by (among others) your bosses,
> prospective employers, and people who have known you in the past.
>
> ANNOUNCEMENTS: To send announcements to the Micronet list, please use the
> micronet-annou...@lists.berkeley.edu list.
>
>
 
-
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from 
its mailing list and how to find out about upcoming meetings, please visit the 
Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the 
list's archives can be browsed and searched on the Internet.  This means these 
messages can be viewed by (among others) your bosses, prospective employers, 
and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the 
micronet-annou...@lists.berkeley.edu list.


[Micronet] Forwarding mechanism for a defunct mail server

2016-02-04 Thread Beth Muramoto
We had a mail server that also contained data on it that we finally
retired. It was a Linux/Unix machine and the sys admin for it retired.

For the most part we were able to get people to stop using it as a mail
server years ago to use @berkeley.edu, but no sooner than when we
disconnected this server from the network than there was one faculty member
who wants to put in place a forwarding mechanism as some of his papers etc.
had references to it (don't get me started on why he didn't change over to
@berkeley.edu) and he can't notify or change every reference to it.

There is no one here who knows Linux/Unix and the computer is out of date
and sets off alerts with security@berkeley. I don't want to keep it alive
for this one purpose, however, I don't know how I can forward an email
addressed to an @soe.berkeley.edu to an @berkeley.edu or even have a
"vacation" message of sorts in place to say the other address is no longer
valid without putting that server back on the network.

Does anyone know of a way or knows if there is a campus "service" that will
"masquerade" as the @soe.berkeley.edu server and perform this forwarding?

Thanks for any suggestions.

Beth

-- 
***
Beth Muramoto
Computer Resource Specialist
Graduate School of Education
University of California, Berkeley
1650 Tolman Hall
Berkeley, CA 94720
Email:  mailto:bmura...@berkeley.edu
Phone:  (510) 643-0203
Fax:  (510) 643-6239

“Finish each day and be done with it. You have done what you could. Some
blunders and absurdities have crept in – forget them as soon as you can.
Tomorrow is a new day. You shall begin it serenely and with too high a
spirit to be encumbered with your old nonsense.”
-Emerson

This is the essence of forgiveness. You can't change what happened but you
can make sure it doesn't have the power to prevent you from being happy
tomorrow.

 -Paul Boese

“Kind words do not cost much yet they accomplish much.”

-Blaise Pascal


***
 