From pedro@tastytronic.net Thu Aug 23 17:13:09 2007
Date: Thu, 23 Aug 2007 17:13:08 -0700
From: "Peter A. H. Peterson"
Subject: notice of network monitoring

Hi Everyone (and I mean EVERYONE),

Please take a minute to read this email, because it affects your privacy as a user of flynn (tastytronic.net, etc.). If you accept what I have discussed here, please reply to this email and let me know. If you do not accept it, please contact me ASAP.

snort network information used in a public project
--------------------------------------------------

I'm working on a project that involves using the 'snort' Network Intrusion Detection System and I will be using that system to monitor flynn (the tastytronic.net server) for a few hours here and there, not exceeding ~100 hours (4 days). I want to formally let you know that I am doing this and will be using some of the pieces of data that snort recovers for this project.

The issue at stake here is that I will be showing the data from this project to other people, and this may include tiny bits of your data. This is a valid privacy concern, which is why I will be painstakingly sanitizing the data. To do that, I will change all personally identifiable network information and usernames, and I will inspect other questionable sources (like mail system errors) to make sure that there is no personal or personally identifiable information present in the data.

What's Snort? What's a Network Intrusion Detection System?
----------------------------------------------------------

snort is a tool that examines the stream of data that flows through a network device. Those pieces of data are called packets, and a large file can be like a mosaic made of thousands of individual packets. Most packets are fairly meaningless on their own; snort looks at the packets the way your anti-virus software scans files, and flags suspicious activity (like network attacks) and alerts the administrator (me).

snort totally ignores 99.99% of all traffic because it doesn't appear suspicious. This means that of everything that you do on my server, only the tiniest bits will be seen by me prior to my sanitizing them. Even when snort *does* find a packet it thinks is interesting and saves it, it is usually a boring request for a website, or something strange happening to the mail server, or attacks from the Internet. Usually this doesn't contain anything produced by flynn users (it's usually from Internet-based attackers), but occasionally it contains a snippet of an email message, bbs post, web request, or the like, and on some occasion even more rare than that, it's something you've actually typed in, or a personal email sent to you.

Most of the time that snort saves a packet, it's *absolutely impossible* to know anything other than that the request was sent or received by my server -- there's nothing personally identifiable (e.g., I can't tell if the 3rd sentence of a spam message about magic pills was sent to you or to me just from looking at it). And in the cases where there is anything personally identifiable, I will be making sure that the data is changed.

Regardless, all network information identifying this server will be changed so there is no way to trace the data back to this server. If I even think that a snippet of email (or any other data) is remotely personal, I will be deleting it or changing it out with some innocuous text (probably Shakespeare). This means that if anyone is going to see any personal data, it will be me, just before I delete it.

If you are still uncomfortable about this at all, please contact me and we can discuss it. If you are vehemently opposed to my using sanitized data for this project, please let me know ASAP.

Why this server?
----------------

I need a body of snort alert data and this server is on the Internet, faces many attacks daily, and has active users who do things -- in short, it's a decent small test system for this kind of thing, and because it is my private server, you are not my customers, and it is not a system funded in any way by the government, it makes a good source of data that is relatively unencumbered by bureaucratic regulations.

As I said earlier, please contact me if you have any questions or concerns about this. In any event, this monitoring will be over at the latest by September 24th but in all likelihood sometime next week.

Please respond to this email notifying me that you have received it and whether I have your permission.

Thanks,

Peter
pedro@tastytronic.net