[ISN] Under the Watchful Eye

From: InfoSec News (isn@private)
Date: Wed May 31 2006 - 00:14:36 PDT


By Andrew Nguyen  
Senior Staff Writer  
May 31, 2006  

Reading your e-mail is usually a private experience between you and
the spammer that sent you that ad for the natural Viagra alternative.  
However, for UCSD students, that experience can be shared with the
university administration, too: Even if you delete your e-mail, UCSD
administrators can gain access to the ucsd.edu e-mail address provided
to each student so long as they are authorized to do so by certain
vice chancellors.

With a sophisticated system of backups that allow the retrieval of
e-mail even after it's been deleted, Academic Computing Services, the
campus department that manages the e-mail system, and UCSD
administrators could theoretically go through e-mails looking for
instances of students breaking the law or university policy. What
keeps them from doing so is the University of California's electronic
communications policy, which focuses on "privacy, confidentiality and
security in electronic communications." The policy spells out the
circumstances under which a user's e-mail account can be viewed
without his or her consent.

At UCSD, the policy requires authorization from Vice Chancellor of
Student Affairs Joseph W. Watson or Senior Vice Chancellor of Academic
Affairs Marsha A. Chandler in order for an e-mail account to be
inspected without the user's consent. The user must be notified of any
such inspection.

According to the Annual Reports on Nonconsensual Access to E-mail,
between 2000 and 2004, UCSD requested authorization 12 times to access
a user's e-mail without consent, and 11 of these requests were
approved. In those cases, administrators sought to find out whether
the user was breaking a law based on prior evidence, or there were
"time-dependent, critical operational circumstances," were the reasons
cited in the reports.

Since users often delete e-mails to avoid running out of space in
their mailbox, ACS developed a system that enables the retrieval of
mistakenly deleted e-mail. ACS takes "snapshots" of the deleted
e-mails at various times throughout the day - no less than twice per
day - and can use those "snapshots" to restore e-mails that someone
may need.

Using a system of multiple hard drives for a seven-terabyte array that
is then backed up to tapes, the data go quite a while back. Students
or staff members can contact ACS to restore e-mails and, according to
ACS Director Tony Wood, they're even used for disputes between faculty
and students over grades.

Since UCSD started providing e-mail service in the early 1980s, the
number of e-mails that stream through the servers has increased to
about 1 million a day. Out of all the messages that come into UCSD's
e-mail servers, anywhere from 30 to 50 percent are spam, depending on
the user's habits. Five percent of all e-mails contain viruses.  
Because of this, ACS has servers dedicated to keeping viruses and spam
out of users' mailboxes.

The UCSD Internet link isn't an ordinary connection: It's a massive
optical pipeline that connects all the campuses of the University of
California, as well as Stanford, the University of Southern
California, Caltech and other universities. The connection is
purchased through the Corporation for Education Network Initiatives in
California - of which UCSD is a central backbone - for $160,000 a
year, according to Wood, which pays for membership fees and Internet2

UCSD also purchases access to the Internet through CENIC measured by
bandwidth use, at a cost of an additional $10,000 per month on

The Internet connection isn't solely paid for by students; the state
helps to pay for Internet connections used for more instructional
purposes, while students pay for the wireless network, the wired
connections in the residential areas and the computer labs.

Once that connection gets to UCSD, according to Wood, it's divided up
between 45,000 wired IP addresses, which connect about the same number
of computers, and 15,000 monthly wireless users. All of these
computers share a connection that has a bandwidth of about 50 megabits
per second - in other words, way faster then your connection at home.

With all that bandwidth, users can usually go about their business
with no problems. It's only when someone is using a large amount of
bandwidth that ACS is alerted.

Unusually large uses of bandwidth are almost always caused by hackers
attempting to send out spam or viruses, or by the use of peer-to-peer
file-sharing software to upload and download large numbers of files.  
In the former case, ACS will just shut down the connection and repair
the computer. The latter case, however, is more complicated. If a user
is using so much bandwidth that it interferes with nearby users'
connection, ACS will implement a rate limiter that slows down how much
the individual can use at one time.

Usage, not content, is monitored and even then only in UCSD
residential areas. When it comes to ACS involvement, it's not what
you're downloading, it's how much you're downloading.

If ACS receives evidence that a user is committing or has committed a
violation of its acceptable use policy, including copyright
infringement and violation of federal, state or campus regulation,
then it must take action. Usually after a warning for the first
violation, ACS stops the connection for a period of time and refers
the student to his or her relevant college judicial board.

With e-mail approved as an official form of university communication
and near-universal access to the Internet around campus, the UC system
has had to create a policy that views e-mail and Internet usage as an
important component of daily life - just so long as users behave.

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Wed May 31 2006 - 00:27:58 PDT