MIT Tracking Campus Net Connections Since 1999

An anonymous reader writes "MIT has been monitoring student internet connections for the past decade without telling them. There is no official policy and no student input." The Tech article says, though, that the record keeping is fairly limited in its scope (connection information is collected, but not the data transferred) and duration (three days, for on-campus connections).

ntop?

[VVelox]

I am curious as to what exactly was setup. It honestly sounds like they setup ntop, which is something I have some what mixed feelings about, but can be amazingly useful for tracking network health and etc.

Re:

[nicolas.kassis]

Sounds more like snort. Which frankly, is a good thing for a University to run, maybe they could ignore non-academic/business stuff like dorms.

What school doesn't?

[Anonymous Coward]

At our university, the lawyers would have a fit if we weren't.

Routine monitoring nothing to worry about

[fluffy99]

I'd be very surprised to find a college or ISP that didn't monitor their network in this fashion. Looks like maybe they are keeping DHCP, transparent proxy, and network statistics. Plus they are doing intrusion detection and looking for malicious activity. The good news is that they are not keeping these records long term, but only for a reasonable amount of time. If they are having a problem or suspicious activity then they probably keep it longer. Face it, your internet activities are NOT anonymous no matter how much you'd like it pretend that it is.

I can see the argument that you could in theory back out the web surfing history of a particular mac address.

These are things any self-respecting network should be doing. The issue here is students not realizing that some monitoring and logging is done. I'm willing to bet that consent to monitoring is referenced in an agreement that the students signed, but that the details of the monitoring are not spelled out.

At my work, users sign agreements on acceptable use and consent to monitoring. I only dig into the logs if there is a problem, the IDS flagged something, or an accusation is made. Sometimes the logs prove innocence, btw.

so its ok i put a camera in your car?

[Anonymous Coward]

i just wanted to monitor where you are going and what you are doing. dont worry i delete it after three days. i promise .... ive been doin it for ten years, didnt think you would mind, thats why i didnt ask you. im sorry if you feel 'invadded', clearly its some emotional problem on your part, hysteria or perhaps paranoia. id suggest some anti psychotics.

Re:so its ok i put a camera in your car?

[sunami]

The University provides Network access to the students. You do not provide him access to his car. Pick a better metaphor.

Re:

[jgtg32a]

and they haven't been given access to the car(computer), they have are monitoring the roads (network) that they provide.

Re:

[im_thatoneguy]

We're going to put a camera in your dorm room and floor bathroom to watch everything you do. But don't worry we'll delete it after 3 days.

*I don't actually have a problem with this logging. But you asked for a better metaphor. :D

Re:

[Hurricane78]

Try it on me. Just try it.

You'll be blind before you can say "OMGJESUSTURNOFFTHATTHINGHELPWHATISHEDOING???"

Re:

[Planesdragon]

i just wanted to monitor where you are going and what you are doing. dont worry i delete it after three days

The car that you're renting me? And that you have the responsibility for maintaining?

Sure. Go ahead. Sounds reasonable to me.

Re:

[Gunstick]

not a camera but those cars actually may already contain GPS home tracking devices. So when you steal instead of rent the car or when you go missing (tourist getting lost in the desert) the car can be tracked down.

Re:

[noidentity]

His car is private property. Now if you have a little hover camera that follows his car everywhere, that's just fine, since he shouldn't expect anything he does in public to not be logged and cross-referenced extensively. If he doesn't want that, he should avoid doing things in public.

Re:

[thePowerOfGrayskull]

This is what happens when someone makes a stupid car analogy on slashdot. Instead of trying ignoring it or steering the subject back to what's actually being discussed... people /extend/ the damned things, making them /worse/! Little hover cameras? Gah!

Re:

[noidentity]

Eh? It wasn't an analogy. I really meant having a hover camera follow his car around (and I'm quite sure there will be such a thing in a few decades, given the direction things are going).

Re:so its ok i put a camera in your car?

[BorgCopyeditor]

Instead of trying ignoring it or steering the subject back to what's actually being discussed

Ach! I know, I know, they put the pedal to the metal and just keep rolling and won't put the brakes on and finally literally drive the thread into the ground!

Re:

[jabithew]

+1 Ironic use of the word 'literally' in an extended metaphor.

Re:

[thePowerOfGrayskull]

Dude, you're still doing it. Stop.

Re:

[Shikaku]

IGNORE ME!

Re:

[Deanalator]

If you were borrowing my car, you had better believe that I would put a camera in it.

This situation is similar to when someone at my university realised that the unix team has access to unencrypted emails stored on the school email server, which caused a huge uproar in the student media. It's not like they were indexing the data and selling queries to data miners.

Anyone who thinks it's a good idea for admins to completely disable logging really does not understand how all this computer stuff works.

Re:

[thePowerOfGrayskull]

What? Stop with the stupid card analogies. They don't apply here. Let's come up with a better analogy.

It's like... a service provider. Who provides a service. And that service provider monitors the health and usage of their service. And if you don't use their service, it doesn't affect you; while if you do use it, it does.

There. Was that so hard?

Re:

[thePowerOfGrayskull]

Of course it's the same fucking thing you nit, that's the point.

Re:

[moosesocks]

The data collected would be more analogous to MIT tracking who parks on campus.

3 articles down, California takes DNA on arrest

[notionalTenacity]

I mean, really, while it's wrong that they store the data without telling the users, and while users should have better expectations of privacy, you have to look at this in context. They are only storing the data for 3 days, and it's only the connection details rather than the content. And the context that this is in, on Slashdot, is that a few articles down the FBI and the state of california are going to take and warehouse DNA from people that have not been convicted of a crime. I'm not saying this is

Re:

[rtb61]

What is much more interesting about this article, is not so much what MIT are doing with regard to typical network function monitoring, rather than data recording and individually targeted analysis, it is the way people are reacting. There has been a major shift in the general public view of digital privacy and the wild wild west days of invading the privacy of people, psychologically analysing them and personally targeting them with adds to manipulate their choices, is no longer considered acceptable.

So

Re:

[thePowerOfGrayskull]

hile it's wrong that they store the data without telling the users, and while users should have better expectations of privacy, you have to look at this in context

No, back up. Why is it wrong? THey own the network. They are responsible for the health and maintenance of that network; and further they are responsible for the things people /do/ on that network to some extent.

I agree with looking at this in context/with perspective, but I don't see how what they're doing is in any way wrong.

Re:

[Toonol]

But any student with an ounce of common sense OR technical knowledge would have assumed they were. I'm surprised their data retention is as limited as it is. Not every single action needs to be spelled out in a contract with the student. The simple fact that the campus OWNS the networks gives them automatically all sorts of rights.

Re:

[ottothecow]

Yeah, I am not surprised. My school definitely keeps connection logs for more than 3 days (I know that they use them to confirm any DMCA accusations before asking the student nicely to stop..so its good that they don't trust the RIAA blindly). I don't think they keep anything more than connection data...no content (though I can't imagine trying to log all of the content that flows in and out of a major research university's lines).

Instead of the stupid car analogies, I would look at your wireless bill.

Re:

[ottothecow]

Oops, forgot to add:

I think the issue here is that there is no clear policy. I don't know what my school has for a policy but I bet it is written out somewhere that "The university will maintain access logs consisting of XX, YY, and ZZ persisting for ##days". I am sure my wireless company has the same thing. MIT is just doing what is reasonable but since they do not have a formal policy, people are worried that they might change their minds and take it further.

Re:

[Jurily]

I'd be very surprised to find a college or ISP that didn't monitor their network in this fashion.

That's like wondering what sysadmin doesn't want the latest porn of their users.

Re:

[Presto Vivace]

I guess the length of time they keep the records is the most important thing. When I saw the headline I too thought that it wasn't just MIT. The market isn't ready for it yet, but privacy is the next big killer app for the Internet. Whoever solves the privacy problem is going to be very rich.

Re:

[fluffy99]

Except we have governments actively trying to thwart the notion of privacy with calls like "think of the children" and the "war on terror". We've had data retention laws, illict wiretapping, internet traffic monitoring, etc. Do you honestly think that if someone comes up with a magic solution that the govt won't label it a security threat and somehow ban its use? Or automatically assume it's use involves illegal activities? We already see that with bittorrent.

Re:

[Presto Vivace]

The gov't developed the Internet, but I don't think they would have done it if they had understood what its impact would be. It is just possible that the significance of the privacy solution won't be recognized until it is too late. I still think there is a bundle of money to be made in privacy.

Re:Routine monitoring nothing to worry about

[QuantumRiff]

I used to work at a small college.. We'd have bandwidth problems, I'd check the logs (ntop is very handy for this) and then look up the IP/MAC. Trace it to the nearest access point, walk into the cafeteria, see two students with laptops out. One of them, sitting far back in the corner so nobody could see their screen..

It would scare the shit out of them when I'd walk up to them and just stay "please stop, or I will have to disable your access until you talk to the director of IT about our acceptable use policy" They could never quite figure out how I knew it was them..

Re:

[account_deleted]

Comment removed based on user account deletion

The problems of not having a policy...

[KibibyteBrain]

Part of the problem with this sort of thing is, with no policy, where do reasonable expectations of privacy for using someone's pipe they've offered you access to begin and end? In general, with no privacy policy, there is no expectation of privacy, unfortunately.

No surprise

[mjdrzewi]

This doesn't surprise me at all, I don't exactly like it but under stand it. The positive side of this is they are being reasonable on how long they keep the logs. Though if they collect this information the student should made aware of, not just buried in the contract they signed.

whenever we have a story about data retention

[circletimessquare]

or the feds snooping, i am really frankly surprised

you actually want to depend upon the federal government for your security?

you want to depend upon some school, some cable company, some phone company not to snoop on you?

whenever i'm encountered by this strange slashdot groupthink, i really have only one thing to offer: if you put it on a wire, if its outside your control, then the security or privacy of whatever you are doing is nothing you should count on

the outrage seems artifical, contrived, illogical, exasperating

if you want security, if you want privacy DON'T PUT IT ON A WIRE OUTSIDE YOUR CONTROL

beginning and ending of discussion

as if you actually want ot TRUST some other entity to do your security work for you?

hey, how about this: YOU are responsible for your security

you, and you alone

is my pov really that strange?

it seems odd anyone should consider it any other way

Re:

[Man On Pink Corner]

hey, how about this: YOU are responsible for your security
you, and you alone

Except where private ownership of firearms is concerned, though, right?

At least that's the impression I've gotten from your last 5 years' worth of posts on K5.

private ownership of Cars

[Mr Abstracto]

is something that impinges on my freedom. in the form of assholes driving around implements of death on my streets.

a car is a valid and necessary

[circletimessquare]

implement of civil life

a gun isn't

Re:

[Anonymous Coward]

Driving is a privilege, remember? The state revokes licenses for all sorts of reasons, and expects people to continue living civilly. And while vehicle ownership is a new phenomenon, there has never been a civilization that wasn't maintained by armed men.

yeah, armed men. an army. the police

[circletimessquare]

why does that translate in your mind into every asshole on the street?

Re:private ownership of firearms

[phantomfive]

In other words you are afraid of people with guns. I once got punched in the face, standing at a bus stop. It was terrifying. And yet I don't go around asking that all fists be taken off the streets.

The world we live in is a dangerous place. I could have just as easily been stabbed, or pushed in front of a train. The sooner you learn to deal with the inherent dangerousness of life, the happier you will be.

Re:

[phantomfive]

lol yes, plutonium, Jefferson would have approved. Basically what it boils down to is society wants guns, at least enough members of society want them, and the rest are willing to tolerate it, so we have them. And if enough of society wanted plutonium, we would have that too. And I would be unhappy, but I would deal with it.

You really only have two choices: either deal with it, or change people's minds so they are against it, just as they are against plutonium. Whining and complaining that it is your

Re:

[Anonymous Coward]

More to the point, if I were in a position to obtain a stash of plutonium, I don't think I'd be very concerned with whatever plutonium-control laws the rest of society might see fit to pass.

I would be no more interested in plutonium-control laws, than criminals are interested in gun-control laws.

now imagine how easy it would be to get

[circletimessquare]

if it were legal

which is my whole fucking point

who's the retard?

gee i dunno

[circletimessquare]

if you have to meet someone shady behind an alley to get [x] versus walking into your average walmart to get [x], it might be that one world has more of [x] than the other

i leave it up to your boundless imagination and massive intellect to imagine which world that might be

its about urban versus rural

[circletimessquare]

the only reason the usa lags in this common sense of outlawing guns is that it is still more rural than other modern societies, that have outlawed guns, that are more densely populated

that will change, already the usa is majority urban, where guns make no sense

thus, its inevitable

with the passage of time, a more and more urban usa will simply reach the critical mass where guns will be outlawed

enjoy your gun. your time is numbered

and if you think it is unfair rural folk should suffer for urban folk, guess wh

Re:

[phantomfive]

Sure, that's the price of living in society: you don't always get what you want. But for now, most of America still supports the right to bear arms.

Re:

[Bobby Mahoney]

Please, enough with your right to live, and your childish fear of guns. Cars kill more people than guns adjusted any way you like. One percent of one percent of deaths are gun related. How is this a credible threat to your "right to live"? The only answer is "It is not", contrary to what movies, television, and govt.'dependency-mongers' would have you believe.

And fascists don't come out of the 'right-wing-small-government-yokel-in-the-woods' fray. It requires a Socialist leader (Hitler, Mussolini) to creat

Re:

[bendodge]

First, I'd like to thank the GP for pointing out your hypocrisy. Second, I'd like to point out that "assault weapon" is either redundant or nonexistent. Stop using that made-up scare term.

"Yokels" like me who live in the western USA and "cling to guns and religion" are a very, very poor target for anyone hoping to "rise to power". Farmers are independent people. No Marxists, Muslims or any other -its or -isms come here make speeches. They'd be wasting their time. There's a reason people like Lenin stump in

Re:

[circletimessquare]

"As for your statement that guns do not protect democracy (I think you meant a republic), I think you ought to take a look at our very own Revolutionary War. Do you think the Continental Army would ever have been able to defeat a world-class army if nearly every able-bodied male didn't have a gun and know how to use it? You say I'm confusing the arena of a civil setting with outright war. In order to protect freedom, one must be able to stage an outright war (see American Revolution again)."

really?

this is a

Re:

[bendodge]

I have not watched, Red Dawn, Star Wars or Dirty Harry. Please make a more relevant argument.

Re:

[Grym]

The more guns there are in a society the more intentional homicides, be it Somalia, USA, or Switzerland (three of the countries with the highest rates of gun violence and homicide anywhere in the world).

So, what's your solution then? A gun prohibition [wfu.edu]? I suspect that will work about as well as Alcohol Prohibition or the "War on Drugs", which is to say not at all.

The current arrangement in no way perfect. But there's no way to prove that a divisive campaign to rid the public of its arms wouldn't be wors

if the majority vote to outlaw guns

[circletimessquare]

how could you define it as anything other than simple democracy at work? the only reason the usa lags in this common sense of outlawing guns is that it is still more rural than other modern societies, that have outlawed guns, that are more densely populated. that will change, already the usa is majority urban, where guns make no sense. thus, its inevitable. with the passage of time, a more and more urban usa will simply reach the critical mass where guns will be outlawed. enjoy your gun. your time is number

Re:

[bendodge]

Other societies never had guns in the first place. They didn't outlaw them democratically. They've been banned from them ever since monarchies.

Re:

[Toonol]

Wow, that was an over-the-top reaction. Far more pissy than anything the GP said, and yet you probably blame them.

Re:

[mrsteveman1]

i

like

my

enter

key

I think we need to start tracking...

[Anonymous Coward]

...when you are going to finsh that fucking movie.

Can you blame them?

[RulerOf]

whenever i'm encountered by this strange slashdot groupthink

I wouldn't say it's all that strange, but we find snooping practices to be extremely abhorrent because they almost directly imply an assumption of guilt. Furthermore, ISP logs have frequently been used as a tool for the MAFIAA Lawyers to nail people up on the wall for enough "protection money" to satisfy their business model.

Lastly, years' duration of log-keeping rarely actually benefits the ISP or company in question. It is kinda funny that you posted this in a thread about 3 days worth of logging.

Sounds like an old idea but...

[LandruBek]

I think this might be plagiarized. Consider:

Whensoever some Broadsheet publisheth some scandalous Story about the practise of "Paper Retention" and "File Mining," or the King's Men are observed in the act of prying into the Affairs of others, I must confess to Incredulousness. Can it be that you expect the Crown to honor his subjects' Security? I make bold to offer this Advice: if ye put some matter to Paper, then quite simply ye should expect it sometime to be read by Others, and not only by Yourself.

yeah, exactly

[circletimessquare]

as if hamilton or madison didn't know what they were inviting?

as if hamilton or madison expected protection from the crown?

you say that my attitude is akin to the attitude of kind george the third goons. no, rather my attitude is to say that king george has goons that don't respect you, and never will, and you should know that. when you criticize me for this, you're simply shooting the messenger

do you think the answer is to hold the goons to some sort of expectation of behavior?

the american revolution would

A rebuttal, with my compliments:

[LandruBek]

Ok, I was being a little mean there -- I concede no one really thinks what I was ascribing to you. I was just exaggerating a little to make a point. But you must concede that no one actually thinks what you are now ascribing to me!

First, I'm making no claims about Madison or Hamilton. My little historical fantasy was an absurd anachronism: as best I gather, Hamilton and Madison had nothing to do with helping incite revolution, and I only mentioned them as political philosophers who were vocal about indi

Re:

[noidentity]

if you want security, if you want privacy DON'T PUT IT ON A WIRE OUTSIDE YOUR CONTROL

Hmmm, what about tubes outside my control?

Re:

[turing_m]

What is strange is that this is the first post I've read of yours that makes sense. Usually you would poke fun at your post as a "conspiracy theory".

The only way I can make sense of it is as follows:
1. GFC hits.
2. Several rich neocons living in New York are particularly hard hit, and have to cut costs.
3. Folks in 2. stop funding you for proselytizing the party line, both on slashdot and (as they would figure from your posting history) in your movie.
4. This post was a warning to them. ...
5. You go back to fl

Re:

[circletimessquare]

no

the solution is to stop caring about what you send out there. and if you care about it, don't send it out there

most of it is useless anyways, and lost in a sea of other random crap from other people

it is a symptom of people imagining little tidbits of their lives to be far more important than it is. its selective, false, self-congratulatory outrage

ZOMG!

[Anonymous Coward]

IT Professionals, working for major Universities, monitor network traffic?

No. Fucking. Way.

And this is a bad thing because?

[/dev/trash]

Help me out with this?

Misleading Headline

[Decado]

Seriously, they keep the records for 3 days for most traffic and 30 days for anomolous traffic which might indicate a threat to the network. Most networks I have seen keep data for far longer just because nobody ever bothers to clean out the logs.

The fact that they have a policy for cleaning the logs puts them streets ahead of the most network admins and yet they are being portrayed as the bad guys here.

Storm in a teacup if I have ever seen one.

Re:

[Matey-O]

And it's surprisingly easy to do. Monitor the ingress/egress traffic, throw away everything but the first 130-odd bits of the TCP Header and you get surprisingly good compression on the data.

Several years ago, I took a SANS class on Snort. Evidently Sandia Labs captured every packet on the wire and kept the transaction info, indefinitely. It was roughly a DVD-R a week.

On th other end of the spectrum, I syslog all of the connection info from our firewalls. I rotate the logs daily, and compress them when they

Re:

[Karrots]

No sniffing needed.

1. Configure the core routers to send netflow data to a central server.
2. Use a netflow collector to record the netflow data.
3. Use tools such as NTop, nfsen, and others to monitor traffic.

No sniffing ingress/egress ports needed unless you want deep packet inspection.

Re:

[ZerdZerd]

The fact that they have a policy for cleaning the logs

TFA:

without an official policy governing how it may use or store the data.

though there is no official policy.

does not appear to have any policy covering the retention and use of connection or security logs

Re:

[Decado]

They keep 3 days of logs and a 30 day log of malicious activity. That the article describes their policy while claiming they don't have one pretty much proves the "storm in a teacup" point.

The policy they are using is both practical and reasonable from a privacy standpoint. It may not be an "official" policy but it is a policy and it is a good one. It is just a case of arguing over definitions.

Like anyone read past the title

[Anonymous Coward]

The Tech article says, though, that the reco[...]

Look, timothy, little tip that'll make your job easier: Effectively zero Slashdotters read past the reminder that somebody can see them sometime, somewhere. They were all too busy alternating between sputtering gibberish, screaming in panic, and folding new layers on their tinfoil hats at that point.

Next time, you can save yourself a lot of writing trouble by just linking to The Tech with the text "people bigger than you fnord can see you fnord fnord fnord", and the effect will be the same.

Good for them

[mc1138]

As a network admin I can't tell you how useful it is to have at least a little data about where something might have come from in the event of a problem arising. Three days worth of data is hardly something to get in a twit about, and honestly the specifics of the data probably isn't even looked at that much.

IHTFP

[psergiu]

I Hope They Favoritize P2p

Interesting How The Feds Pursue

Re:

[maxume]

Enjoying some alcohol tonight?

Re:

[psergiu]

> Enjoying some alcohol tonight?

Intelligence Happens To Fail People

http://en.wikipedia.org/wiki/MIT_hack#IHTFP [wikipedia.org]

Breaking News: MIT Runs a Network for Students!

[carlzum]

This is Quentin Smith reporting live from the Massachusetts Institute of Technology. News agencies are reporting that MIT has been keeping records of network activity. It's a practice called "logging" by hackers, crackers, and other computer deviants. Using nefarious software techniques, "loggers" can identify and disrupt innocent users' botnets.

Individuals with limited knowledge of computers like MIT students are particularly susceptible to these types of attacks. To combat these "loggers," experts suggest disabling firewalls and updating account information if you receive an email from your bank.

Three days...

[Chris Snook]

...is just enough time to figure out:

a) where the bomb threat came from.
b) which building the suicidal student needs to get talked down from.
c) who impersonated the professor to cancel an assignment.
d) how a lab router ended up sniffing for passwords.

All of these things happened while I was in campus IT, but I never heard about an RIAA/MPAA complaint about something that happened less than two weeks prior, so this really doesn't look like undue outside influence to invade student privacy. It's just responsible network management.

!story

[Lehk228]

how the fuck is this news? this is extremely basic monitoring for simple diagnostics and troubleshooting.

They own the network...

[EmagGeek]

... don't they? They can do whatever the hell they want with their network, including monitoring, shaping, filtering, or whatever. If students are that worried about privacy, they can get their own private connections.

Re:

[Repossessed]

Um, no, they can't. They kindof have to use that one. Especially if they live in the dorms.

How comfortable are you with your ISP and landlord tracking you?

'Monitoring'

[ccubed]

Really, unless the people paid by the university who aren't students monitor the network, nothing happens. My school has our residential network monitored by students. Yes, you heard me right, Students. This is why a major file sharing client was allowed to run on someone's computer for several years. Why? Because why is the student going to say anything and get them riled up? They already deal with enough.

Re:

[nicolas.kassis]

I would venture to guess that they do have logs and snort running somewhere like all other universities of this size.

Re:

[BitZtream]

Perhaps its that many slashdotters appreciate others with intelligence that know what they are doing?

I realize this is beyond your comprehension, which is why I'm enlightening you.

Just because you don't understand it or the logic in it doesn't mean its a fairy tale.

I presume you're all bitchy because you think logging is bad. I feel I should warn you that every website, every mail server, every thing you do on the Internet is logged along the way unless they specifically go out of their way to disable logg

Re:

[CompMD]

Way to fail at reading comprehension. I said nothing about logging. In fact, I have probably done more work in involving it (in law enforcement and several aerospace companies) than you can imagine. You have no need to question my technical ability. No, I was pointing out that because this had to do with MIT it made the front page. Anytime anyone at MIT so much as farts it makes the front page of Slashdot; its downright silly. But thanks for writing a huge comment about an assumption that you made, it