by awakened 4425 days ago
Many on HN may not realize, but there are miniature NSA groups in most every organization in the USA. Universities, non-profits, small corporations, local governments, etc. If they have an IT Security group, then they are likely spying on IP connections.

They use Bro, Snort, Suricata, Argus and other tools to record metadata about every IP connection that comes into or leaves their networks. Some of them terminate SSL connections and forge certificates. A few of them even drop encrypted protocols that they are not able to decrypt and inspect.

They use taps and/or SPAN ports to do the spying.

Most of them try to keep this activity quiet. This mentality is pervasive and it is everywhere (especially in USA based organizations). Everyone should be aware.

No one is safe from this spying, even senior management and tenured faculty connections are being inspected and recorded for later use if needed. They just don't know it.


I think this comment is quite misleading. Your average IT Security Group within an organization is not a 'miniature NSA group'. The difference is where Data is collected and monitored.

Your average IT Security Group is focused on their own Internal network. This includes all Internal and External Traffic/Communication going to/from the Internal Network. The reality is, most Security Threats come from an internal source [1]. So yes, your average IT Security Group is interested in monitoring, analyzing, and sometimes dropping internal Traffic. This allows the Organization to track and respond to Data Breaches and Security Incidents. The overall insinuation of this comment seems to be that this is Evil and a Violation of your Privacy (Spying!). But if you've ever worked with (or used Services provided by) any Organization that has a handle on Security, you've likely signed a User Agreement Form (or similar), which clearly states what is going on. So nothing is hidden, and when you think about it, this is a logical reaction to the realities of Security in today's Digital Age. If you can't trust people, then it makes sense to implement checks and balances. Instead of thinking about it from the perspective of a User, think about it from the perspective of a Service Provider, and it makes a lot more sense. If you think this is Unjust, then the solution is simple. Provide your own services and control your own Destiny.

A 'miniature NSA group' is (presumably) focused on External Networks and External Data Sources. And I say presumably because it is not really clear what you mean by 'miniature NSA group', but the insinuation is clear. So this is very different from your average IT Security Group, and it is not correct to insinuate that they are one and the same.

[1] http://www.itproportal.com/2013/10/15/security-experts-no-su...

This post lacks citations, stories where this has been outed, and just seems like bullshit in general.

Well, I have some evidence in support of what he says (at least, that universities log connections). My university, of some 48,000 students (in 2010), logs 100% of all connections. I know, because I have seen the data. It's provided to researchers with the IPs replaced by some other persistent identifier (which they hopefully generated randomly). You can see IP addresses/domain names, and I think they might have also had URL data for http connections (although I'm not sure on that one).

They also emailed and temporarily disconnected all students who were running servers vulnerable to Heartbleed, so presumably they do some form of more intensive inspection and logging as well.

Because most universities have pretty wide-open networks with high bandwidth, they do monitor for illegal, commercial, or malware activity on their networks. They don't want to get blacklisted as spammers among other things. They are also highly concerned about possible exposure of sensitive student personal and research data and some have started auto-encrypting emails that appear to contain such.

Why do they keep old logs if they're just monitoring for illegal/commercial/malware stuff?

And if they were very concerned with exposure of sensitive data, they wouldn't be logging it.

They keep the logs so they can use them in after-the-fact investigations, and for research.

> and for research.

That's not the same thing as "monitoring for illegal/commercial/malware activity".

What he is saying is not bullshit, it's fairly accurate, but just way overblown with the "spying" drama. It should be common sense to keep your personal life at home and use work provided resources for work related stuff...

It's true. I develop such software commercially. Sure we have some govt. users, but the majority is the enterprise.

Full packet capture for how much disk space you want to allocate to it (many like 48 hours) then longer term storage of flow records, DNS and http metadata, etc.

The majority of the use cases are watching the internal uses of the network as well - not generally being used to detect intruders.
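Two comments above touch on the same pipeline: per-connection metadata (flow records, DNS and HTTP service labels) retained after full packet capture ages out, and a copy of that data handed to researchers with the users' IPs replaced by a persistent identifier. The following is an added example, not code from any commenter or product: it parses a few constructed Zeek/Bro conn.log-style lines, replaces internal client addresses with keyed HMAC pseudonyms (persistent under one key, not reversible without it, unlike a plain hash of the IP, which anyone can recompute over the whole address space), leaves destination addresses visible as the commenter described, and summarises connections per pseudonymised client. The field layout, the sample lines, the secret key and the internal ranges are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample, loosely in Zeek/Bro conn.log style (tab-separated).
# Columns (an assumed subset): ts, uid, orig_h, orig_p, resp_h, resp_p, proto, service
SAMPLE_CONN_LOG = """\
1398000000.101\tCx1\t10.20.30.40\t51234\t93.184.216.34\t443\ttcp\tssl
1398000000.205\tCx2\t10.20.30.40\t51235\t93.184.216.34\t80\ttcp\thttp
1398000001.310\tCx3\t10.20.31.7\t40001\t8.8.8.8\t53\tudp\tdns
1398000002.400\tCx4\t10.20.30.40\t51236\t8.8.8.8\t53\tudp\tdns
"""

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service"]

# Assumed address space of the monitored site (the "internal" side of the tap).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def parse_conn_log(text):
    """Turn tab-separated flow records into dicts; '#' lines are header/comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        records.append(rec)
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def pseudonymize_ip(ip, key, length=12):
    """Keyed, persistent pseudonym for an address.

    The same IP always maps to the same token under the same key, so a
    researcher can still follow one client across records, but without the
    key the token cannot be mapped back to the address. `length` hex digits
    (48 bits here) are kept; collisions are negligible for one site's hosts.
    """
    addr = ipaddress.ip_address(ip)  # also validates the input
    tag = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return "ip_" + tag[:length]


def pseudonymize_records(records, key, internal_only=True):
    """Return copies of the records with client/server IPs replaced by pseudonyms.

    With internal_only=True only addresses inside INTERNAL_NETS are replaced,
    mirroring a release where the remote endpoints stay visible.
    """
    out = []
    for rec in records:
        r = dict(rec)
        for field in ("orig_h", "resp_h"):
            if not internal_only or is_internal(r[field]):
                r[field] = pseudonymize_ip(r[field], key)
        out.append(r)
    return out


def connections_per_client(records):
    """Count flows per originating host (pseudonymised or not, whatever is in orig_h)."""
    return Counter(r["orig_h"] for r in records)


if __name__ == "__main__":
    key = b"constructed-example-key-rotate-me"  # assumed secret; would live in a KMS/HSM
    flows = pseudonymize_records(parse_conn_log(SAMPLE_CONN_LOG), key)
    for f in flows:
        print(f["ts"], f["orig_h"], "->", f["resp_h"], f["resp_p"], f["service"])
    print(connections_per_client(flows))
```

The key is the whole point of the design: rotating it breaks linkage between old and new releases, and losing it makes the released data unlinkable to users even for the people who hold the raw logs.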

I did it back when I worked for a major private university (enrollment 25k+). It was simple: add a tap to the fiber coming into our network (we had redundant fiber connections to our particular little niche of a network, and conveniently, there were taps on the market that would aggregate the traffic from both fiber connections), pipe it to a monitoring server and run the logging + monitoring tool of your choice.

My boss barely understood what I was doing, his superiors certainly didn't know anything about it. We were not part of what would be considered the university IT department either -- we were just some random organization within the university. Who knows how many different people on hops above us were doing the same thing. And I was capturing the full traffic (not metadata) of people who would normally take even extra offense at this sort of thing going on. Not because the traffic contained SSNs or credit card details or something like that, but because the traffic was sensitive in a more private, personal way (I can't go into the particular details any more).

Unfortunately, this brief story doesn't have a juicy ending. I didn't do anything nefarious with the data. I didn't use it to spy on anyone. I simply used it to watch out for attacks against services on our network -- I thought I was doing something positive for the users of our services. But reading the parent post made me pause for a moment and consider that all these things I'm reading about and taking issue with in the news today (the NSA, eavesdropping, etc.), I did something similar, albeit on a much, much smaller scale, myself, many years ago when I was younger and more naive.

I was doing this sort of thing back in the 90's with a product called AbirNet SessionWall. Managers in the gov't department I worked for wanted to know how much time their employees were spending on the internet and what they were doing.

This is anecdotal of course, but I can't imagine what we were doing back then was unique or isolated. It's trivial.