87 Comments
- inactive, on 10/12/2007, -1/+15
unfortunately i will have to agree with unpopular opinion, that it is the company's business.
We won't even go into bandwidth.
But besides for good morals, there is a reason the NSFW tag was invented.
Most admins don't care if you shop at amazon.. if working on a confidential project, you may expect your forum posts and emails to be monitored. But most of the time people won't bother, as long as they don't suspect something.
As an admin i have caught more than i would like to admit, doing much more on their computers than shopping. I have also helped a friend catch an employee that was planning on stealing the business idea, steal some customers and open shop as the competition. Which is fine and dandy, but you can't use my computers to build a business to compete against me. You can't steal my customer lists or any of my hard work i did to build the business. Or my friends either. :)
But even with the problems i have had in the past, i don't have the time or will to watch people i have no suspicion of doing anything wrong.
- Portwineboy, on 10/12/2007, -1/+14
@dontsayfanboy
Your employer does have the right to monitor where you surf, your phone calls, your emails and anything else you do that utilizes company property. You have NO right to privacy in the workplace. I can install keyloggers on computers if I want...as long as mgmt approves. I couldn't, say, put one on the CEOs machine if that wasn't some sort of approved policy, or I was a policy maker, but all in all, your comments are pretty far from the mark. Millions of people work for companies that, under your definition, invade their privacy.
If they want to put video cams in the bathroom, they can do that too. How do you think Gap et al. get away with cams in the dressing rooms?
- monergism, on 10/12/2007, -5/+16
This is why I like to install key loggers onto my 'power users'' computers. Encrypted or not, you still type in English.
- monergism, on 10/12/2007, -2/+12
Well fanboy, currently I work in many locations. My clients, the people who pay people like you to work and do your job, ask me to secure their systems and protect their interest.
***** or not, I'm only doing my job which is probably what your employer would request of you.
- Ludwig, on 10/12/2007, -5/+15
Anything. The fact that I check out Digg, a message board or two and perhaps make a purchase at Amazon or RealDoll is really not anybody's business.
- danmac, on 10/12/2007, -3/+12
uhh... did you even read the article? He explicitly showed how to set up a dynamic proxy using the -D flag. I've used this to tunnel all kinds of traffic including bittorrent. For non socks-enabled applications he then shows you how to use tsocks to intercept the application's network requests.
buyakasha
- t3hj03, on 10/12/2007, -2/+10
My friends and I use SSH tunneling all the time at school to get past site filters and whatnot. It's a bit tricky and requires some know-how but it's worth it if you don't like the idea of the admin seeing everything you do.
- monergism, on 10/12/2007, -3/+11
How did you come to your conclusion?
How you spend your employer's money is their business.
- monergism, on 10/12/2007, -6/+13
As a network admin, yes, this stuff is possible but there are reasons why firewalls exist. To those who barely understand the "why" behind them, they circumvent the security that is in place to protect them (and the company).
I understand myspace and AIM and radio broadcasts are important to people but at times, as with some of my clients, Internet traffic must be monitored or restricted. If you'd really like to surf or chat, they make these fancy cell phones that permit such activities.
You may not agree or like the policies in place but these services and policies belong to the owner of the equipment. Creating a means to circumvent, and thereby steal services that you are not paying for is ethically and morally wrong.
Having done investigations which led to the terminations of employees I can only suggest the following. Understand your corporate policy. Circumventing it will raise flags and cost you your job.
- monergism, on 10/12/2007, -3/+10
Bury me if you'd like. It is I who gets to keep my job and watch you pack up your desk.
- Ashex, on 10/12/2007, -1/+7
That's called traffic shaping, and you'll need to encrypt your torrent traffic to get around that. Check out these two links:
http://torrentfreak.com/how-to-encrypt-bittorrent-traffic/
http://en.wikipedia.org/wiki/Traffic_shaping
- gclef, on 10/12/2007, -1/+6
@spengy
You can tunnel more than one port, even without -D. I use multiple -L options on a tunnel all the time. I use the tunnels to check multiple email accounts from work & send outbound mail from my home accounts, so I'm tunneling stuff to two different hosts to 993 and a third to 25...from one ssh session.
- spengy, on 10/12/2007, -6/+11
Also see: OpenVPN http://openvpn.net/
An SSH tunnel can only forward one port at a time, and only work with TCP connections. If you need other protocols or more than one port, you might consider using OpenVPN. (Works great at colleges and universities)
- drm237, on 10/12/2007, -1/+5
Or, you could just set up an SSL VPN and make your entire life a lot easier. Check out http://sourceforge.net/projects/sslexplorer/
- DouglasScott, on 10/12/2007, -0/+4
Indeed.
I will take your comment with due consideration. I'm sure my students also thank you and have a fruit basket headed your way.
- rancemo, on 10/12/2007, -1/+5
You can specify which port to connect to. I've got my home router forwarding port 443 to my Mac. Then I can connect from work with ssh to port 443
- TehFRAG, on 10/12/2007, -0/+3
i run mine on port 443 for just that reason, even the tightest firewalls leave port 443 open.
- Cytranic, on 10/12/2007, -7/+10
A network admin's worst nightmare.....
- konspence, on 10/12/2007, -0/+3
And port 443? Ha, have fun with that.
- spengy, on 10/12/2007, -3/+6
@danmac
I agree that SSH forwarding is extremely useful, but it does have some limitations.
Sometimes you want to be able to connect a tunnel, and redirect all traffic through it. With OpenVPN, you can do this. TCP, UDP, anything.
I'll admit that I overlooked using -D to use multiple ports though.
- bigkm, on 10/12/2007, -1/+4
my ~/.ssh/config
------------------------------
Host hometunnel
User bigkm
Port 443
IdentityFile ~/.ssh/id_mini
HostName my.home.com
DynamicForward 1456
-----------------------------------------
and set the socks proxy to localhost:1456 in network prefs
now all i do is type "ssh hometunnel" and my connection is up.
it's a lot nicer than that line they show you in tfa.
- myrm, on 10/12/2007, -0/+3
Most network administrators don't know that, let alone most people. I've yet to meet more than a handful that actually understand the basic differences between TCP and UDP.
"TCP packets inside TCP packets, how can that work? Wouldn't you need two network cards for that?" - and yes, sadly, that is a direct quote.
- myrm, on 10/12/2007, -0/+2
Don't digg this down, it works. It works in Windows and it's easy. It also works on most network administrated machines without Administrative privileges since PuTTY comes as an exe and doesn't need to be installed. As long as you can SSH out, you can proxy with PuTTY.
In PuTTY's connection options, under Category click Connection, then SSH, then Tunnels. Make the source port 8080 (or whatever you like that's not being locally used, it doesn't really matter), click the Dynamic and Auto options under destination and click the Add button.
In your application (almost all support proxies, if not the settings in Control Panel, Internet Options usually apply) go to the proxy settings and add a socks proxy using localhost as the address and 8080 (or whatever port you configured above) as the port.
That's it, all done. Firewalls and ACLs be damned, you're on the Internet.
For bonus points, run ssh on a non standard port (like 80) and your network admin has very little chance of stopping you. Sure there are ways, but SSH is encrypted and 99.9% of the time he or she will have absolutely no clue this even works.
Be warned though, this will upset your network administrator. They, like anyone, don't like to be made to look foolish. 10 seconds to get around that nice multi-thousand dollar/euro/pound firewall pretty much does just that. So if you do, do it quietly.
- Darth_tater, on 10/12/2007, -0/+2
at my school they have thin clients and you can not save anything to disk unless it is in a certain folder which gets deleted every time you log on/off.
other than some sort of active x (they don't allow firefox...only IE is allowed) i can't use ssh
- Jimmyo89, on 10/12/2007, -1/+3
You can change the port in which ssh uses. I changed it to port 443 as that is the SSL port and most companies / schools will leave that port open so that you can authenticate with secure sites etc. Been using port 443 to bypass the school filter as it is a bit trigger happy and blocks heaps of forums and other sites.
- zigamorph, on 10/12/2007, -0/+2
I have been using this combination for a couple years now. I use WRT54G and SSH PuTTY client to tunnel through and get a remote desktop connection. This is a very useful technology.
Do you need IPSec turned on in order to get OpenVPN working?
- diggduggjoe, on 10/12/2007, -0/+2
The PCs belong to the employer, period. Internet radio should be avoided for it is a bandwidth hog. I feel that, even if you abuse a system with this technique, do not be an ass about it.
Businesses need to understand that the Internet is also an enhancer. Your employees will work easier knowing that their family is safe. Personal Internet like personal calls are only negative to the extreme. Your employees may get a great idea from the synergy of the Internet and you may profit well. However, having your employees thumb screwed will only lead to high turnover, or worse yet zombie mode. They show up, but never give a *****.
I have seen companies go ape ***** over a solitaire player which completely, accurately succeeded in their job. The company worried that some unknown productivity was lost. It could be said that the breaks to play solitaire may have rested the mind to allow higher productivity in the end. The slave drivers never seem to see that. We are humans, not machines!
- WorldGroove, on 10/12/2007, -0/+2
@DontSayFanboy....
At AT&T, Chevron and Cisco.... they even have the right to search your car if it's in their parking lot.... WITHOUT any warrant or cause.
- terminalpariah, on 10/12/2007, -1/+3
It's a good idea to run SSH on a non-standard port anyway. Makes it much less likely that someone will find it and start trying to brute-force your root account.*
*P.S. disable SSH root access for Pete's sake!
- diggduggjoe, on 10/12/2007, -0/+2
I use SSH all the time, it is my preferred method. I like that it opens what I need when I need it. VPNs are awesome, but they open the entire network at one time. By using unique port numbers, scponly at times and other tools SSH is extremely useful. I would like to have the sshd.conf allow for more granularity, but hopefully that will come in time. I would like to be able to clearly state that a user can only port forward to a particular port and IP.
As for key loggers, good luck. My own personal USB keyboard and a CD bootable OS will break that solution in a second. Unless, your office actually seals the cases. I have not seen that yet in the corporate places I have worked. They are reloading PCs for spyware and redistribution so often they wouldn't bother. I can cover my ass when I bypass the BIOS password, just insert an old dead CR2032 afterward.
- spengy, on 10/12/2007, -1/+3
You can use other ports. If you're using ssh on *nix, you can change which port sshd listens on by editing its conf file, often found at /etc/ssh/sshd_config
IIRC, you can even specify more than one port. I've often used 80 or 53.
- DontSayFanboy, on 10/12/2007, -7/+9
@mongerism
I doubt that your installing keystroke loggers on your 'power users' computer is very legal. Especially if you haven't informed them of this.
True, the company is paying the employee to work during certain hours, but individuals have an expectation of privacy. This is why you don't see video cameras in the bathrooms. If I ever found out my employer had bugged my computer or phone without my knowledge I would find another place to work and pursue legal recourse.
As long as the employee is fulfilling their job requirements, they should be allowed to spend their downtime as they see fit. Any employer that doesn't respect that is not somewhere a reasonable person would want to work.
- dmbuzz, on 10/12/2007, -0/+1
jdawg what ***** are you talking about?
- xandroz, on 10/11/2007, -0/+1
instead of using SSH use IPSEC
http://www.jaec.info/Firewall/VPN%20Firewall/firewall-vpn-introduction-1.php
- pabut, on 10/12/2007, -0/+1
If you're really slick you can tunnel a PPP connection over SSH. You don't even need port forwarding. http://www.faqs.org/docs/Linux-mini/ppp-ssh.html
I've used the technique, works for the most part. Haven't tried to push massive amounts of data so your mileage may vary.
- diggduggjoe, on 10/12/2007, -0/+1
First of all, I am self-employed and will not be dismissed any time soon. However, I work with users all the time and I found education is far more powerful than the delusion I will lock down the systems perfectly. Usually, as the security goes up the support calls do too. Many apps begin to break, etc. The best lock downs take a lot of time and sometimes need to be rolled back. So, in effect, wasted effort. I believe the best security software is found between a user's ears. Training is vital.
As for the AUPs, they are a tool that needs to be explained. Most users I have dealt with do not want to damage the PC or the network. Power tripping admins are a danger when they quit, they often have undocumented, over done security settings. The simpler the network the better it will work, given a trusted, educated workforce.
Come on, would it not be better to install gaim for a user, so they have IM without the productivity draining ads. Crappy passwords are a greater threat than some user accessing digg for a couple of minutes.
- ax0n, on 10/12/2007, -0/+1
1) A good filter blocks all outbound ip (TCP/UDP/ICMP) and relies only on a really restrictive HTTP proxy.
2) Don't bypass the filter. It's a virus/malware vector capable of causing many man-hours of lost time.
Netadmins couldn't give a rat's ass if your productivity is down. We just have better things to do than chase down stupid computer problems caused by crap you or your filter-bypassing co-workers introduced to the network.
- takeda, on 10/12/2007, -0/+1
"Do you need IPSec turned on in order to get OpenVPN working?"
Nope OpenVPN uses its own protocol to send data, you don't need to turn anything, just make sure that chosen ports aren't filtered by firewall...
I especially like the tap interface in OpenVPN (it emulates the ethernet network) with this you can play some LAN but non-internet games with friends (e.g. Worms World Party is one such game :)
- Bigbro69, on 10/12/2007, -0/+1
Or they can use a service that filters out packets that aren't HTTP. That's what my school does.
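What a protocol-aware filter of the kind mentioned in the comments above keys on, shown as an added example that is not part of any comment in this thread: the first bytes a client sends on a port-443 flow are either a cleartext SSH identification string (RFC 4253) or a TLS ClientHello record header, and the two are easy to tell apart. The addresses, payloads and function names are constructed for the illustration.

```python
import re
import struct

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion[ SP comments] CR LF"
SSH_IDENT = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x7e]+)")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")


def classify_first_bytes(payload: bytes) -> str:
    """Label a flow from the first bytes the client sent."""
    if SSH_IDENT.match(payload):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: type(1) version(2) length(2); 0x16 = handshake,
    # and the first handshake message from a client is ClientHello (0x01).
    if len(payload) >= 6:
        rec_type, major, minor, length = struct.unpack("!BBBH", payload[:5])
        if (rec_type == 0x16 and major == 0x03 and minor <= 0x04
                and 0 < length <= 16384 and payload[5] == 0x01):
            return "tls"
    return "unknown"


def unexpected_on_443(flows):
    """Return (src, label) for port-443 flows that do not open with TLS."""
    hits = []
    for src, dport, payload in flows:
        if dport == 443:
            label = classify_first_bytes(payload)
            if label != "tls":
                hits.append((src, label))
    return hits


# Constructed sample flows: (client address, destination port, first payload).
SAMPLE_FLOWS = [
    ("10.0.0.21", 443, bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32),
    ("10.0.0.37", 443, b"SSH-2.0-OpenSSH_4.7\r\n"),
    ("10.0.0.37", 22, b"SSH-2.0-OpenSSH_4.7\r\n"),
    ("10.0.0.44", 443, b"\x00\x01\x02\x03\x04\x05\x06\x07"),
]

if __name__ == "__main__":
    for src, label in unexpected_on_443(SAMPLE_FLOWS):
        print(f"{src}: port 443 flow opens with {label}, not TLS")
```

The check reads only the unencrypted opening bytes of a flow, so it needs a capture point or proxy that sees the start of each connection.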
- bobmagoo, on 10/12/2007, -0/+1
i would ask your admin, he/she will let you know what to do,
i wouldn't advise opening up random ports to try to get in from the outside, if i was an admin at a place where that happened i would go crazy. it's best if the guy who configures the security for the network knows everything that's open to the outside world
- lolage, on 10/12/2007, -0/+1
Alas, if only my old school had less competent administrators so we could run just any old executable file found on 'the interwebs'. Honestly, sometimes there's just nothing you can do.
- dmbuzz, on 10/12/2007, -0/+1
I have Qwest DSL and I don't see any metering on my torrents.
- p4r0l3, on 10/12/2007, -1/+2
the portable version of putty for windows can be used at school to connect to an ssh server you're running at home, then proxy through that
- converter, on 10/12/2007, -0/+0
For those who are unaware, recent releases of OpenSSH are capable of VPN tunneling. Read the "SSH-BASED VIRTUAL PRIVATE NETWORKS" section of a recent ssh man page.
- Spates, on 07/09/2008, -0/+0
If you are looking for a fresh high speed web-proxy to access blocked sites at work and school or you just want to surf the web anonymously you should try http://www.browsejunk.com this web-proxy is brand new and great for streaming videos!!!
- wolfgang123usa, on 10/12/2007, -0/+0
try this
you have to install a proxy tunnel yourself at your home computer. Here the HowTo http://sharkssl.com/44100/viewforum.php?f=4&sid=b71f75cbde257e319c1b7a5b6a64834d , all the HowTo are made for the free version of BarracudaDrive , called homeserver. When you buy the professional version the proxy is already built in. The free and the professional version you find at http://barracudaserver.com/products/BarracudaDrive/HttpsTunnel.html
enjoy, Wolfgang
- knightnet, on 10/12/2007, -0/+0
Yes, you also have to lock out any unknown machines on the network AND lock down all of the known machines.
- knightnet, on 10/12/2007, -0/+0
You cannot normally push a VPN connection through a secured proxy so when working on most customer sites, it wouldn't work - quite rightly as it represents a serious security hazard since it could easily bridge the local and remote networks.
One of the points of an SSH tunnel is that you can use port 443 and the proxy cannot see any difference in traffic from a normal HTTPS connection.
- SneakyGroup, on 10/12/2007, -0/+0
More can be found in this group: http://groups.google.com/group/sneakygroup