Well... all I can say is I'm glad I use gmail which encrypts all of its traffic.
--Kyle Mathews
kyle.mathews2000.com/blog
http://twitter.com/kylemathews

On Wed, Feb 24, 2010 at 7:24 PM, Joseph Scoville <[email protected]> wrote:

> I first heard about this in January when our department secretaries
> responded to one of these emails with their email address, current password,
> intended future password, and birthdate. (Yeah...)
>
> They then got an email from Taylor Payne (OIT Network Security) saying that
> if "such and such" (he included the actual password they had been sent in
> the reply) was actually their password, they had been scammed and should
> switch it immediately.
>
> I was both surprised and impressed at their rapid response. It saved the
> department potential problems and embarrassment. The victim was also rather
> embarrassed and less likely to fall for this in the future.
>
> -Joseph
> Mechanical Engineering
>
> On Wed, Feb 24, 2010 at 5:20 PM, Robert LeBlanc <[email protected]> wrote:
>
>> On Wed, Feb 24, 2010 at 5:11 PM, Andrew McNabb <[email protected]> wrote:
>>
>>> On Wed, Feb 24, 2010 at 04:29:23PM -0700, Robert LeBlanc wrote:
>>> >
>>> > As I talked with the security guy, he mentioned that when they get a
>>> > phishing message like the one you got, they put a rule to rewrite the
>>> > reply-to address so that it goes to them rather than the phisher. They
>>> > can then inform the sender that they were phished without their
>>> > sensitive information actually reaching the wrong hands.
>>>
>>> What you describe here isn't what they did in this case, but if it were
>>> what they did, it would be evil. I don't want anyone silently changing
>>> emails to or from me. That would just be evil. (BYU didn't silently
>>> change network traffic in this case, but I've had weird creepy problems
>>> with ssh traffic that could probably be explained by meddling from OIT).
>>>
>>> > This is not something that they are constantly watching as they record
>>> > about 4 TB of network traffic a day. Usually if they get an alert they
>>> > just tell us CSRs that there is a problem with the computer and don't
>>> > give us the traffic. I had to specially request it from them in this
>>> > case. The e-mail is different because they want to help educate the
>>> > users.
>>>
>>> When some email message is matched by their filter, David reads it. He
>>> read my personal email message without my permission. I don't care how
>>> much he was trying to help.
>>>
>>> At one point, the CS Department logged all requested URLs over HTTP, but
>>> they were careful to let everyone know what they were doing, and they
>>> didn't store personal stuff like POST data. What BYU Network Security
>>> is doing is completely secret and stores all of my private data. As
>>> great as it would be to have everyone use GPG, it's simply not feasible
>>> to encrypt most email messages.
>>>
>>> > I'm grateful for their efforts to help secure our computing
>>> > environment. Understanding what they are doing, why and how has helped
>>> > ease my mind about it. By the way, they can't look into SSL traffic,
>>> > but they can reconstruct unencrypted traffic to find files and what
>>> > not. It is very useful to see the payload in an attack. This is not
>>> > done on the fly, but has to be specifically requested for a host and a
>>> > period of time.
>>>
>>> I'm grateful that they want to help secure our computing environment,
>>> but I don't think that this is always possible without violating higher
>>> principles. In this particular case, they read my email and confronted
>>> me with its contents. The Bush and Obama administrations may not
>>> believe in warrants, but I think that looking through the contents of
>>> personal messages should require probable cause.
>>>
>> I'm not a lawyer so I don't know all the details. I do think that US law
>> does allow an employer or institution to do what they want with traffic on
>> their network. I remember hearing that this is not true in Germany or was it
>> the other way. In any case, if you want it secure, encrypt it. If you can't
>> encrypt it and you are concerned about privacy, don't do it at your
>> employer's place. I have to say that I think the FBI is requiring all ISPs
>> to record all traffic on their networks, and to increase that to 6 months. I
>> think the only safe option is encryption. Sorry, I can't do anything about
>> you feeling that your rights are being violated.
>>
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer Support
>> Brigham Young University
>>
>> --------------------
>> BYU Unix Users Group
>> http://uug.byu.edu/
>>
>> The opinions expressed in this message are the responsibility of their
>> author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
>> ___________________________________________________________________
>> List Info (unsubscribe here):
>> http://uug.byu.edu/mailman/listinfo/uug-list
