Kuro5hin.org: technology and culture, from the trenches
Tunneling Out of Proxy Prison

By Milo Minderbender in Internet
Wed May 19, 2004 at 11:18:58 PM EST
Tags: Technology

Since I started my new job a few months ago, I've been trapped in proxy prison, unable to ssh to my home machine or any internet servers. My main goal was to use downtime at my day job to do web development work for a small company that I set up a few years ago (more on the morality of this later). I've finally broken free of the proxy prison, and here's how I did it. It wasn't easy...


Rules of the Game
  1. The damn Microsoft HTTP proxy server uses the proprietary NTLM (NT LAN Manager) authentication protocol, which only MS products know how to speak. This is slowly changing, with Mozilla and a few other applications now able to use the protocol.
  2. For some idiotic reason you can only leave the NTLM proxy server on the other side if you are destined for port 80 or 443. I'm not sure how Windows Media Player gets around this... I sure haven't been able to avoid it.
Solution

Luckily a similarly imprisoned Python geek has written an app called aps098 that converts normal HTTP proxy traffic into NTLM-authenticated proxy traffic. Although I could have written my own NTLM authentication, the end result would have been equivalent to this program, so why bother?

I was also able to find a program called desproxy that converts normal socket traffic into HTTP proxy traffic. I saw how to do this myself, but I decided to just use the prebuilt app. So now I can get ssh sockets out the other end of the NTLM proxy. But then what? I was still only able to leave the NTLM proxy if my destination port was 80 or 443, and I had to find a way to reach the ssh port (22) on the destination server. To do that, I needed a helping hand on the other side of the NTLM proxy server.

Well, I managed to whip up a tiny web application to run on my home computer that allows me to spawn a java threaded proxy server (something I wrote a few months earlier for something else) routing from whatever local port to whatever destination server and port. So if I put in local port 443, and destination of my server, port 22, it will listen on 443 and forward whatever sockets it gets on to my server at the ssh port. This web app has to run at port 80, of course, and I can use a regular web browser to see it. After it's all set up, I just type "ssh localhost" on my machine at work, and [tada!], I get the server's login prompt!
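As an added example (not the author's Java program, desproxy or aps098, none of which appears on the page), here is the same two-piece plumbing in Python: a threaded TCP port forwarder like the one described above, plus the CONNECT request a desproxy-style tool sends so that a raw TCP stream can cross an HTTP proxy. All function names are my own, and the demo uses a constructed local echo server in place of sshd; the CONNECT reply parser is where the proxy's port restriction (Rule of the Game #2) shows up as a 403 and its NTLM challenge as a 407.

```python
import socket
import threading
from contextlib import suppress

def relay(src, dst):
    # Copy bytes one way until src reaches EOF, then pass that EOF on to dst.
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        with suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def parse_connect_reply(buf):
    # Split a proxy's CONNECT reply into (status code, bytes after the blank line);
    # those trailing bytes already belong to the tunnel and must be forwarded, not dropped.
    head, extra = buf.split(b"\r\n\r\n", 1)
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % head[:60])
    return int(parts[1]), extra

def open_via_connect(proxy, dest):
    # The desproxy step: ask an HTTP proxy to carry a raw TCP stream to dest. Raises
    # ConnectionError when the proxy refuses (403 for a port it will not tunnel, 407
    # when it wants proxy authentication such as NTLM first).
    host, port = dest
    s = socket.create_connection(proxy)
    try:
        s.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before answering CONNECT")
            buf += chunk
        code, extra = parse_connect_reply(buf)
        if code != 200:
            raise ConnectionError(f"proxy refused CONNECT to {host}:{port} (HTTP {code})")
        return s, extra
    except Exception:
        s.close()
        raise

def _serve(handler, listen_port=0):
    # Listen on 127.0.0.1:listen_port (0 picks a free port), run handler(conn) on a
    # thread per accepted connection, and return (bound port, stop function).
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", listen_port))
    lsock.listen(5)
    def loop():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return  # stop() shut the listening socket down
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    def stop():
        with suppress(OSError):
            lsock.shutdown(socket.SHUT_RDWR)  # wakes a blocked accept() on Linux
        lsock.close()
    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1], stop

def start_forwarder(dest, listen_port=0, proxy=None):
    # The author's "java threaded proxy server": each connection accepted on listen_port is
    # joined to a fresh connection to dest; with proxy set, via that proxy's CONNECT instead.
    def handle(client):
        try:
            up, extra = (socket.create_connection(dest), b"") if proxy is None \
                else open_via_connect(proxy, dest)
        except OSError:
            client.close()
            return
        if extra:
            client.sendall(extra)
        t = threading.Thread(target=relay, args=(client, up), daemon=True)
        t.start()
        relay(up, client)
        t.join()
        client.close()
        up.close()
    return _serve(handle, listen_port)

def demo(message=b"SSH-2.0-constructed-banner\r\n"):
    # Round-trip one message through forwarder -> echo server (constructed stand-in for sshd).
    echo_port, stop_echo = _serve(lambda conn: (relay(conn, conn), conn.close()))
    fwd_port, stop_fwd = start_forwarder(("127.0.0.1", echo_port))
    try:
        with socket.create_connection(("127.0.0.1", fwd_port)) as c:
            c.sendall(message)
            c.shutdown(socket.SHUT_WR)
            got = b""
            while chunk := c.recv(4096):
                got += chunk
        return got
    finally:
        stop_fwd()
        stop_echo()
```

Run `demo()` to see the banner come back through the forwarder; `start_forwarder(("host", 22), 443)` would need root for the low port, which is also curien's point further down the thread.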

Diagram

diagram (any admin wanna insert this image?)

Conclusion

What a bloody nightmare. Even with 4 middlemen between me and my server, the connection speed is still bordering on usable. I was able to do a full checkout of the code from CVS with no problem. Unfortunately, actually doing work would require too many changes of where the java proxy is sending me: I would need to ssh to my home computer to scp the files there, then restart the server, then switch to my app server's port to view the application, all while not being able to watch the log files (via an ssh session). It's not really gonna work. For some small self-contained problems, it could work fairly well.

On Morality and Risk

My boss and the rest of my team have specifically told me to work as slowly as possible and to always appear as if I am working. Our team has nothing to do at the moment and we actually fight over who gets to work on the bug reports as they are raised. As usual, one or two levels up the ladder, they haven't got a clue. Ahh, the corporate life: do nothing all day, get paid a lot. Own your own business: work your ass off all day and all night for pennies an hour. I'd honestly take the latter over the ladder any day.

There's absolutely no risk of getting caught. The tech services team have been around a few times to (attempt to) install upgrades and whatnot. Their incompetence was appalling! I try not to think of what they are getting paid.

Since I originally set this up, another layer of job protection has been added. The aps098 application has been moved to another unused machine, using the username of an ex-employee, so that other team members can run their instant messaging apps through the NTLM proxy. The traffic is now neither coming from my IP nor using my user name.

Freedom!!!


Tunneling Out of Proxy Prison | 157 comments (140 topical, 17 editorial, 0 hidden)
Helping hand on other side (none / 1) (#4)
by gazbo on Wed May 19, 2004 at 09:05:32 AM EST

Why whip up your own app?  Why not either tell SSH to just listen on port 80, or use ssh's built in port forwarding to map port 80 to port 22?

-----
Topless, revealing, nude pics and vids of Zora Suleman! Upskirt and down blouse! Cleavage!
Hardcore ZORA SULEMAN pics!

Because... (none / 0) (#5)
by Milo Minderbender on Wed May 19, 2004 at 09:13:48 AM EST

  1. I want multiple destination machines. Yes, I could have sshd listening on port 80 or 443 (I had my router doing this for me for a while), but that only got me into my home machine, and not to other servers, like where my CVS repository is, for example.
  2. Also to allow access to other ports. My web app I was trying to develop was running on port 7001 on my home machine. With my custom proxy setup, I was able to map homemachine:443 to homemachine:7001 to access my dev app.
For flexibility, basically.

I may be missing a key feature of ssh, though. But I didn't think ssh tunneling could go to another server, I thought it was just for accessing ports on the server running sshd.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
No, any server (none / 2) (#10)
by curien on Wed May 19, 2004 at 09:32:59 AM EST

ssh can forward to any server you wish. I used this at work one time to test a custom application. We needed to test it through the firewall, so I tunneled from my work computer through my home system, which then forwarded the connection to the server at work.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]
How does this work? (none / 0) (#13)
by Milo Minderbender on Wed May 19, 2004 at 09:47:14 AM EST

I found this HOWTO to refresh my memory. The way I understand it is like this:
  1. workmachine> ssh homemachine -p 80.
  2. homemachine> ssh -L 443:destserver:22
  3. Open a new shell on workmachine
  4. workmachine> ssh homemachine -p 443
  5. Resulting in successful ssh to destserver
Is that right? All the other pre-NTLM-proxy hoops still need to be jumped through, but you're right. That's nicer than running my own, possibly more inefficient than ssh, web app.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
Close (none / 0) (#15)
by curien on Wed May 19, 2004 at 09:51:30 AM EST

Line 4 should be a ssh to localhost.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]
No (none / 0) (#17)
by Milo Minderbender on Wed May 19, 2004 at 09:58:43 AM EST

The ssh tunneling has to be running on homemachine, not on workmachine (localhost on line 4).

Maybe you're thinking of the real scenario and not my simplified scenario. In reality, I would need to "ssh localhost" in order to go through desproxy and aps098 to get through the NTLM proxy and out into the Big Bad Internet. My example in my previous post was ignoring the NTLM proxy part of the problem and focussing only on the ssh tunneling part.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
Perhaps we're talking about different things? (none / 0) (#22)
by curien on Wed May 19, 2004 at 10:15:44 AM EST

Here's what I'm describing

              ssh connection[1]
Work machine<---------------------->Home machine
      ^      +--------------------+     |
      +------  tunneled thru ssh[1]     |
  ssh conn[2]                           |  
                                        |ssh[2]
                                        |
                    Internet server<----+

First you establish connection 1 to your home system. Connection 2 opens a socket to localhost, which tunnels through connection 1 to your home machine, which then opens a socket with the Internet server and passes data back and forth between the Internet server and the tunneled connection.

For example, I just did this (I've got port 22 open, so my home server just uses that):
work$ ssh -L 2222:www.freeshell.org:22 curien@mydomain
[login]
work$ ssh -p 2222 user@localhost

This second ssh connection actually connects to www.freeshell.org, first by tunneling through the first connection to my home machine, then by going over the Internet to the destination server.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]

Sorry, read it wrong (none / 0) (#16)
by curien on Wed May 19, 2004 at 09:55:32 AM EST

  1. work$ ssh -L HIGHPORT:destserver:22 home -p 80
  2. work$ ssh -p HIGHPORT localhost
HIGHPORT should be some random high port, eg 12345 (but must be the same in both lines). For tunnels to different servers, use a different port for HIGHPORT.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]
Right... (none / 0) (#18)
by Milo Minderbender on Wed May 19, 2004 at 09:59:50 AM EST

Except in my case I only have 80 and 443, so HIGHPORT=443.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
No, not 443 (none / 0) (#23)
by curien on Wed May 19, 2004 at 10:20:33 AM EST

It should be a random high port... the only two machines that see that number are localhost and your destination machine. If you try to use 443, most systems will deny access, as only root is allowed to use ports <1024.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]
But! (none / 0) (#25)
by Milo Minderbender on Wed May 19, 2004 at 10:24:28 AM EST

I can't get out the other end of the NTLM proxy destined for anything other than 80 or 443! (Rules of the Game #2)

Another way to put it is that I can only hit homemachine on 80 and 443. With that given, how do you suggest I use ssh tunneling?

--------------------
This comment is for the good of the syndicate.
[ Parent ]
Right (none / 0) (#26)
by curien on Wed May 19, 2004 at 10:28:58 AM EST

Which is why you tunnel through the other ssh connection (which is on 80 or 443).

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]
Show me (none / 0) (#28)
by Milo Minderbender on Wed May 19, 2004 at 10:36:14 AM EST

So my scenario in my other comment is wrong. Can you explain what commands should be run on what server? You can ignore the NTLM stuff as long as you only hit homemachine on 80 or 443.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
Nothing extra on the server (none / 0) (#33)
by curien on Wed May 19, 2004 at 10:53:45 AM EST

That's the beauty of it... once you're able to establish an ssh connection, you don't have to do anything on any machine other than localhost. See http://www.kuro5hin.org/comments/2004/5/19/65512/0633/32#32

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]
Try a simpler example (none / 3) (#32)
by curien on Wed May 19, 2004 at 10:45:39 AM EST

I'll assume you can connect to your ssh server on port 80.

work$ ssh -p 80 -L 54321:www.google.com:80 user@home

That establishes the first ssh connection. work should now be listening for connections on port 54321 (you should be able to confirm this with netstat). If you make a connection to localhost on port 54321, home will open a socket to www.google.com:80. All data transmitted over the socket from work to localhost:54321 will be sent over the SSH tunnel and then sent through the socket from home to google:80, and vice versa. So, you can then do

work$ telnet localhost 54321
GET / HTTP/1.0\n\n

And you should get the Google index page. Or, you can open a browser (remember to turn off proxy!) and go to http://localhost:54321, and you should see the Google search page.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]

Very nice!! (none / 0) (#34)
by Milo Minderbender on Wed May 19, 2004 at 10:55:39 AM EST

Thank you. That's exactly the kind of pointer I was hoping to get out of this article! That could actually allow for multiple simultaneous connections to different servers and ports.

Thanks again!

--------------------
This comment is for the good of the syndicate.
[ Parent ]
Glad I could help (none / 0) (#35)
by curien on Wed May 19, 2004 at 11:03:29 AM EST

It's really just a poor-man's VPN, but if you only need a handful of services, it works great. (Plus, the only "VPN client" you need is PuTTY. ;)

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]
Speaking of VPN.. (none / 0) (#119)
by geekmug on Fri May 21, 2004 at 04:47:26 PM EST

I think it is notable that setting up a simple OpenVPN daemon and then bridging the vtun with the "real world" on the home computer would give you a gateway that you could route all your traffic through and let all your buddies prance through to their AIM and you could multi-whatever to your heart's content without having to go through an ssh shenanigan every time you wanted to hit a new host.

-- Why reinvent the square wheel?
[ Parent ]
+1, for the sheer awesomeness of your diagram. (2.62 / 8) (#6)
by alby on Wed May 19, 2004 at 09:22:49 AM EST

I would have put [nt] up there, but I ran out of space, I could only fit [nt and that looked silly.

--
Alby

Use n/t (nt) (2.83 / 6) (#9)
by Ta bu shi da yu on Wed May 19, 2004 at 09:30:39 AM EST



---
AdTI - "the think tank that didn't".
[ Parent ]
or /nt [nt] (2.60 / 5) (#52)
by reklaw on Wed May 19, 2004 at 02:13:47 PM EST


-
[ Parent ]
or NT [nt] (2.50 / 4) (#58)
by mberteig on Wed May 19, 2004 at 04:54:26 PM EST




Agile Advice - How and Why to Work Agile
[ Parent ]
I like consistency in my comments [nt] (none / 2) (#83)
by alby on Thu May 20, 2004 at 06:00:59 AM EST


--
Alby
[ Parent ]

Slight variation (3.00 / 4) (#7)
by curien on Wed May 19, 2004 at 09:25:40 AM EST

I've done very similar things using httptunnel. Luckily, the firewall at my workplace doesn't block port 22, so I don't have to worry about it.

--
All God's critters got a place in the choir
Some sing low, some sing higher
Nice. (none / 0) (#8)
by Milo Minderbender on Wed May 19, 2004 at 09:29:20 AM EST

Looks like that's exactly what aps098 was doing for me, wrapping normal socket traffic in HTTP requests.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
Oops... (none / 1) (#19)
by Milo Minderbender on Wed May 19, 2004 at 10:12:29 AM EST

I mean that's what desproxy does for me. aps098 does the NTLM magic.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
Oh you proud rebel (1.13 / 15) (#24)
by Hide The Hamster on Wed May 19, 2004 at 10:23:09 AM EST

I've finally broken free of the proxy prison

Awesome. You are such a hero. What a cool dude. I wish I could run a side business and get paid by my current employer to do it too! You should talk to your boss...this could be some action he/she would want to get in on. Managerial types are good at selling things.


Free spirits are a liability.

August 8, 2004: "it certainly is" and I had engaged in a homosexual tryst.

It doesn't work, though (none / 1) (#27)
by Milo Minderbender on Wed May 19, 2004 at 10:33:02 AM EST

In the conclusion, I mentioned that only one destination server/port is not enough to do proper web development. You've gotta be able to hit the server while tailing log files and talking to the CVS server as well. This article is more about the adventure of the attempt than the rewards reaped.

I still work 8 hours/day + 2 hours of commute (1 each way) and still put in 5 hours at night to keep the side business afloat. No hobbies, no books, no TV. It ain't easy, but I'm gonna struggle to get out from under corporate employment as best I can. My boss is probably happier driving his BMW to the golf course after work.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
So noble. (1.12 / 8) (#31)
by Hide The Hamster on Wed May 19, 2004 at 10:44:53 AM EST

It ain't easy, but I'm gonna struggle to get out from under corporate employment as best I can.

*flutter* *flutter* *flutter* *flutter*


Free spirits are a liability.

August 8, 2004: "it certainly is" and I had engaged in a homosexual tryst.

[ Parent ]
if you don't want to work there... (none / 3) (#41)
by Run4YourLives on Wed May 19, 2004 at 12:46:53 PM EST

Then Quit.

Don't justify breaking a policy THAT YOU AGREED TO to make yourself feel good.

It's slightly Japanese, but without all of that fanatical devotion to the workplace. - CheeseburgerBrown
[ Parent ]

It's all black and white for you, isn't it? (2.60 / 5) (#42)
by Milo Minderbender on Wed May 19, 2004 at 12:54:39 PM EST

Interesting IT jobs just don't grow on trees, you know. If I quit, I'd be unemployed (that means no pay, btw) for a few months before finding another job with a longer commute, possibly less pay, and using older technology. This job is fairly interesting when we have work to do.

As I mentioned, I'm under specific orders from my boss to look busy, because he doesn't want to have to explain to his bosses that they are idiots and have hired me for no reason.

Plus, I'm not doing this to make myself feel good, unless you count alleviating boredom. Also, although it would make sense for them to have a policy against what I'm doing, I'm not directly competing against them, and I'm following my boss's orders to look busy. What am I doing wrong again?

--------------------
This comment is for the good of the syndicate.
[ Parent ]
you're clueless. (2.25 / 4) (#46)
by Run4YourLives on Wed May 19, 2004 at 01:16:21 PM EST

Interesting IT jobs just don't grow on trees, you know.

No shit Sherlock. But here's the problem: you accepted this job, not me.

As I mentioned, I'm under specific orders from my boss to look busy, because he doesn't want to have to explain to his bosses that they are idiots and have hired me for no reason.

So, by not doing your job, you're allowing your boss to avoid doing his job, which in turn keeps management clueless... which means that when the company's hurting in a few months, they'll lay off the whole fricken department.

You can't blame your negligence on someone else's incompetence. Believe me, I've worked with a lot of fools. I've also worked with a lot of people that have never been told anything by the people they hire to keep them informed.

You've got your own side business. If it grew to a point where you needed an accountant, wouldn't you be glad if he told you that department "A" wasn't productive? Or, would you prefer that he keep his mouth shut, and then say one day "oops", we're bankrupt!

Also, although it would make sense for them to have a policy against what I'm doing

What am I doing wrong again?

They do have a policy... it's called a proxy server.

I wonder about your morals. If your boss left a few hundred dollars on a desk, is it ok to take it just because there's no sign telling you not to?

You recognized that for whatever reason, the company has limited your internet access. You willfully "hacked" the system and gained access you're not supposed to have, to do things that are counter to your company's interests. (You not working on a company related project is counter to their interests... they're paying you!) If you can't see that your position is tenuous then perhaps it is you, and not upper management that is clueless.

It's slightly Japanese, but without all of that fanatical devotion to the workplace. - CheeseburgerBrown
[ Parent ]

Corporate Politics (2.20 / 5) (#53)
by Milo Minderbender on Wed May 19, 2004 at 02:15:16 PM EST

"You can't blame your negligence on someone else's incompetence. Believe me, I've worked with a lot of fools. I've also worked with a lot of people that have never been told anything by the people they hire to keep them informed."
I, and everyone else on my team, have specifically told our boss that there is a problem with workload. That's my responsibility, and I've done it. It would not however, fare well for my job if I were to circumvent my boss and tell his boss that we are all idle. In fairy-tale-moral-land where you live, that would result in him being fired, and me being promoted, but in real life, it would make my life at work very difficult, if not get me fired. As long as I can bear the boredom, I'm not gonna blow any whistles.
"I wonder about your morals. If your boss left a few hundred dollars on a desk, is it ok to take it just because there's no sign telling you not to?"
If he gave me a few hundred dollars, I'd take it. More likely, he would give me the equivalent of a few hundred dollars and tell me to take the afternoon off on full pay. I'd damn well take that too! I guess that makes me clueless and immoral...

--------------------
This comment is for the good of the syndicate.
[ Parent ]
heh (3.00 / 5) (#51)
by reklaw on Wed May 19, 2004 at 02:12:55 PM EST

As I mentioned, I'm under specific orders from my boss to look busy, because he doesn't want to have to explain to his bosses that they are idiots and have hired me for no reason.

And this, ladies and gentlemen, is why corporations are broken.
-
[ Parent ]

And the government! (none / 2) (#55)
by Milo Minderbender on Wed May 19, 2004 at 02:19:08 PM EST

Don't forget the government! Oh wait...corporations and the government are the same thing...nevermind...

Actually, on a slightly less cynical note, I have worked for the government before. I have never before nor since seen a more slack work ethic. Government jobs tend to be for life, and the employees know it!

--------------------
This comment is for the good of the syndicate.
[ Parent ]
Against policy? (none / 1) (#48)
by curien on Wed May 19, 2004 at 01:44:57 PM EST

Assuming he doesn't use this to visit nefarious sites, what's necessarily against policy?

Where I work, it isn't how you do something with your computer that they care about but what you do with it.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]

Simpler solution? (none / 1) (#92)
by curunir on Thu May 20, 2004 at 01:39:26 PM EST

I don't work on projects from work (I look busy at work for a very good reason), but I still keep my entire personal development environment on one of those USB keychain flash memory things (a Lexar JumpDrive.) That way, I can work on it when I'm at a friend's house or on vacation or internet cafes or wherever I feel like it. I can't speculate on the type of work that you're doing, but even with my IDE and app server, I still only use about 75% of the 256MB available. You can find larger ones if you need that much storage space.

Just make sure to sync all your work on a nightly basis.

[ Parent ]
Web Application Server (none / 0) (#99)
by Milo Minderbender on Fri May 21, 2004 at 02:09:08 AM EST

I'm working with servlets and JSP's and things that need to be deployed to a web application server to be run and tested. Although I have been unable to get my app server, Resin, to run on my windows box at work, I just du'ed my code repository, libraries, and application server directories and they seem to total about 100MB, so your idea might actually be fairly feasible!

Thanks for the insight.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
um dude... (3.00 / 4) (#36)
by Run4YourLives on Wed May 19, 2004 at 12:20:49 PM EST

My main goal was to use downtime at my day job to do web development work for a small company that I set up a few years ago

Without getting into it, unless you want to be fired, I'd recommend against this. If you have so much down time why not negotiate a contract? Then you could go home and work on your own stuff without willfully breaking your company's computer use policy. (which can also get you fired)

It's slightly Japanese, but without all of that fanatical devotion to the workplace. - CheeseburgerBrown

btw... (2.50 / 4) (#37)
by Run4YourLives on Wed May 19, 2004 at 12:22:11 PM EST

There's absolutely no risk of getting caught. The tech services team have been around a few times to (attempt to) install upgrades and whatnot. Their incompetence was appalling!

Everyone who gets caught says this.

It's slightly Japanese, but without all of that fanatical devotion to the workplace. - CheeseburgerBrown
[ Parent ]

And? (2.83 / 6) (#56)
by Milo Minderbender on Wed May 19, 2004 at 02:23:51 PM EST

So does everyone that doesn't! Your point?

--------------------
This comment is for the good of the syndicate.
[ Parent ]
The situation (none / 3) (#40)
by Milo Minderbender on Wed May 19, 2004 at 12:45:27 PM EST

As I implied, they just hired me. The problem is that upper management is misunderstanding where the bottleneck is in the software development process and is throwing more manpower at the wrong place. Everyone on my team is surfing the web 50% of the time. I, on the other hand, at least have an IDE open 100% of the time and look busy. I don't see why I should have to cut my money by half for the same work. It's not my fault that they hired me when they don't need me.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
lol... (none / 1) (#43)
by Run4YourLives on Wed May 19, 2004 at 12:56:41 PM EST

Is this your first job or something?

Listen, if management is so awful, then write them a letter saying that from what you've seen, your department is overstaffed.

I don't see why I should have to cut my money by half for the same work. It's not my fault that they hired me when they don't need me.

What same work? You're not doing anything! The ethical thing to do is to negotiate a new arrangement so that you can work on your side business. You will get caught, maybe not soon, maybe not this job. If you continue to break rules that you initially accept you will eventually find yourself on the street. It is very difficult to find work after being fired. Personally I would never hire someone that willfully broke an internal security system, regardless of their intentions.

 

It's slightly Japanese, but without all of that fanatical devotion to the workplace. - CheeseburgerBrown
[ Parent ]

You're not listening (3.00 / 4) (#50)
by Milo Minderbender on Wed May 19, 2004 at 02:04:11 PM EST

I am working half of the time.

I didn't "willfully break" anything.

You're accusing me of being naive, but you're the one with the "right and wrong" ethics of a teenager. The vast majority of people, in the IT industry, at least, do very little at their jobs. I would love to do more at my job. They just won't give me the work to do! Not only that, but the research and new technologies I use on my own, I can test and knowledgeably bring to the table at the next staff meeting. That's helping the company.

At my last two jobs, I did everything you're telling me to do, I told the upper management, in a polite way, everything that was wrong down at the lower levels. You know what they did? They ignored me and thought of me as a troublemaker. I got tired of fighting so that upper management could get more money. If that makes me immoral, then so be it.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
In my last eighteen jobs I did the same (nt) (none / 0) (#66)
by vqp on Wed May 19, 2004 at 07:08:41 PM EST



happiness = d(Reality - Expectations) / dt

[ Parent ]
i'm probably missing something but... (none / 2) (#77)
by m a r c on Wed May 19, 2004 at 11:45:57 PM EST

why can't you just do the development on your work PC? That way no-one will know unless they actually look onto your PC, and from what you were telling me "but the research and new technologies I use on my own, I can test and knowledgeably bring to the table at the next staff meeting. That's helping the company." implies that if they DID find out you could make a pretty good cover that you are actually doing something useful.

Then if you want to make it commercial or something just burn your work onto CD and then delete from your PC. How could someone know that you weren't just making a backup of legit work?
I got a dog and named him "Stay". Now, I go "Come here, Stay!". After a while, the dog went insane and wouldn't move at all.
[ Parent ]

Who's the one wasting time? (none / 1) (#44)
by duffbeer703 on Wed May 19, 2004 at 01:08:29 PM EST

You are.

Your employer owns anything that you do during work hours, unless you have an agreement to the contrary.

If your little project is of any value and your boss finds out, you'll be fired AND sued.

Surf the web and read academic papers and stuff.

[ Parent ]

IAWTP, and how! (none / 2) (#47)
by ksandstr on Wed May 19, 2004 at 01:32:53 PM EST

Also, do some basic research on whatever you find interesting. Write noddy little programs in whatever obscure or up-coming language or development paradigm you find advances whatever your professional ambitions are. There is lots of interesting stuff to read on the web when you're a programmer and not just any "i've learned language X, and it shall be enough!" type hack.

Webcomics are also a good way to spend time. You might want to invest some of your employer's hours into installing a workspace manager (if running a variant of windows) or tweaking your window manager so that you can switch away from the "messing around" browser window into the IDE workspace with a handy little boss key combo :-)

I know I do. (although one of my noddy little programs grew into a far too clever raytracing experiment...)

--
Gegen kommunismus und bolschewismus und terrorismus, jawohl!

[ Parent ]

Am I missing something? (none / 2) (#38)
by Surial on Wed May 19, 2004 at 12:27:40 PM EST

Just tunnel VNC or XP Remote Connection through your aforementioned setup. Or, do better, and get your own server somewhere on your own IP, and let it forward 443 straight to VNC or XP Remote Connection to improve your speed. You can't run a Remote Connection to localhost or 127.0.0.1, but it DOES work to 127.0.0.2, which still loops back to local on XP.

Or, if you don't need graphics much, you can just set up a linux machine someplace and SSH to it, then use screen to emulate having a bunch of screens you can easily switch between. You can even view your log files on the bottom part, and edit your code in the top. Check out the 'screen' manpage if you're not familiar with this.

--
"is a signature" is a signature.

I guess so... (none / 1) (#39)
by Milo Minderbender on Wed May 19, 2004 at 12:38:54 PM EST

The latter is exactly what I'm doing...now that I've found a way through the proxy server.

I guess the part you missed was the feat of squeezing through the restrictive proxy server. Look at the Rules of the Game section again.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
Yes, exactly... (none / 0) (#65)
by Surial on Wed May 19, 2004 at 07:06:28 PM EST

If you can manage to tunnel SSH through, you should be able to tunnel VNC or Remote Connection through. Once you're actually on another machine, you won't have any problems with lots of connections and such. That's the part I don't get. Why don't you just develop on ANOTHER machine instead of the machine at work. Safer, too.
--
"is a signature" is a signature.

[ Parent ]
-1 Diary [nt] (1.00 / 10) (#45)
by nooper on Wed May 19, 2004 at 01:12:37 PM EST



Thanks for your criticism (none / 3) (#49)
by Milo Minderbender on Wed May 19, 2004 at 01:48:45 PM EST

I'm amazed that I got 44 real comments before the "-1 Diary" that all articles using the first person get.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
...next in series (1.42 / 7) (#57)
by nooper on Wed May 19, 2004 at 03:34:46 PM EST

"How I discovered the FONT could be changed in Microsoft Word!"

[ Parent ]
eyes glaze over (1.60 / 5) (#59)
by eudas on Wed May 19, 2004 at 05:09:36 PM EST

well, at least it's more interesting than an article on, say, Economics.

eudas
"We're placing this wood in your ass for the good of the world" -- mrgoat
[ Parent ]

trouser tent rises (1.41 / 12) (#69)
by Hide The Hamster on Wed May 19, 2004 at 09:20:38 PM EST

you're turning me on, eudas. I want your butthole.


Free spirits are a liability.

August 8, 2004: "it certainly is" and I had engaged in a homosexual tryst.

[ Parent ]
roooolllllll (none / 1) (#103)
by noogie on Fri May 21, 2004 at 05:48:37 AM EST




*** ANONYMIZED BY THE EVIL KUROFIVEHIN MILITARY JUNTA ***
[ Parent ]
Not a proxy-jail, but... (none / 2) (#54)
by b1t r0t on Wed May 19, 2004 at 02:16:09 PM EST

Once I worked for a place that blocked outbound SSH sessions. So I simply ran SSH on a non-standard (and unlikely to be blocked) port at home.

-- Indymedia: the fanfiction.net of journalism.
This just means that your network admins... (none / 1) (#130)
by skyknight on Sun May 23, 2004 at 11:42:05 AM EST

were complete fucking morons. The correct way to run a firewall is to set the default policy to drop, and to only accept packets that are explicitly authorized. If they set the default policy to accept, and only dropped packets that explicitly matched rules, they were useless IT trash.

It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
[ Parent ]
Just be careful (2.71 / 7) (#61)
by Blarney on Wed May 19, 2004 at 06:24:28 PM EST

Don't go down like Randal Schwartz.

There is precedent here - even if they are contradictory and ill-enforced, even if your own direct supervisor is willing to look the other way, corporate computer usage policies are backed with far more than the deterrent of termination of employment. They are backed up with the full power of criminal law.

Can you afford to spend $50,000 for a lawyer, $100,000 in fines and inflated 'restitution' payments, and deal with a felony on your record that will prevent you from working at anything in your field ever again? If so, go ahead and keep playing around.

Listen to this man (none / 0) (#97)
by Incommunicado on Fri May 21, 2004 at 12:02:49 AM EST

He's telling you teh TRUTH!



[ Parent ]
This is great stuff, but not quite there. (none / 2) (#68)
by it certainly is on Wed May 19, 2004 at 08:57:15 PM EST

A friend of mine is in a University apartment, and has two choices for internet access:
  1. The University's privately administered ethernet network. No access to the outside Internet, except through the University-wide HTTP proxy. Proxy CONNECT is not supported. Well-formatted HTTP and HTTPS traffic. The official solution to the lack of any connectivity except websites is to "leave your accommodation and go to a computing lab".
  2. Dial-up through a privately administered phone network that costs 3 times as much as normal phone calls.
I told him to find a computing science student, as they will certainly know of a SOCKS proxy or routing hole in the network, but he hasn't found one yet. The deliberate lack of CONNECT support is what infuriates me the most. Almost all non-web programs that "work with an HTTP proxy" do so via the CONNECT method. Even desproxy is of no use. I need to craft something like the desproxy socks server, but using httptunnel. httptunnel is wonderful in that all it does is set up one single connection to one single destination, and has no support for anything extra. So now I need to write 90% of desproxy into httptunnel, to make it usable. The funniest part is that httptunnel is years old, and yet nobody has done this already, but it has been done to finesse in the fatally flawed desproxy. Why is this?

kur0shin.org -- it certainly is

Godwin's law [...] is impossible to violate except with an infinitely long thread that doesn't mention nazis.

Are you sure (none / 0) (#79)
by esrever on Thu May 20, 2004 at 12:29:53 AM EST

That there's no CONNECT, and not simply a restriction on what ports one can CONNECT to?

Audit NTFS permissions on Windows
[ Parent ]
The reason I ask (none / 0) (#80)
by esrever on Thu May 20, 2004 at 12:52:31 AM EST

is that if it will allow CONNECTs to port 80, you can simply set up a cheap server somewhere on the internet (you can get a low end instance from linode.com for $19.95US/month), running its own instance of Squid, etc, and use sconnect and ssh to CONNECT to an ssh listener on port 80 of your host, and forward whatever ports you want from your localhost out to the world.  Or even just forward 3128 from your localhost to the Squid instance, and magically all your apps that 'support HTTP' can be pointed at 3128 on your localhost and will start working...

Audit NTFS permissions on Windows
[ Parent ]
Nope, no CONNECT at all. (none / 0) (#87)
by it certainly is on Thu May 20, 2004 at 08:16:12 AM EST

But there has got to be some route out. Heck, every other computer on campus can do it.

kur0shin.org -- it certainly is

Godwin's law [...] is impossible to violate except with an infinitely long thread that doesn't mention nazis.
[ Parent ]

cheap? (none / 1) (#123)
by anmo on Sat May 22, 2004 at 02:56:16 AM EST

19.95/month? Sounds like a sum a college student can't afford...

[ Parent ]
*shrugs* (none / 0) (#128)
by esrever on Sat May 22, 2004 at 09:07:31 PM EST

I guess perspectives are different, I'm a working dude, but that's cheap even for me living in NZ and losing on the exchange rate :-)

Audit NTFS permissions on Windows
[ Parent ]
That's probably the case (none / 0) (#86)
by curien on Thu May 20, 2004 at 07:58:04 AM EST

Doesn't HTTPS require CONNECT? In that case, it probably at least allows it on port 443.

Even if it is the case, you can use httptunnel to get around that limitation.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]

universities (none / 0) (#132)
by roju on Sun May 23, 2004 at 11:52:20 AM EST

At my university, the on campus housing has (almost) full access to the campus intranet, as well as the internet. In order to cope with the massive amounts of bandwidth this was costing them, the administration implemented caps on external traffic from the residences. Effectively, you got X megs a week, and once you used more than that, you were shunted onto a 'low-bandwidth' pipe, which got you about 1k/s max. What all the computer students did was set up proxies or bouncers or whatever on the CS servers. Since internal traffic wasn't capped, they then got themselves unlimited weekly traffic, at a cost of slightly higher latency. All-in-all, a clever scheme. Unfortunately for me, by the time I arrived, admin had caught on and put the meter at the edge of each subnet. The moral of the story is that there's surely a CS student at your friend's school that has come up with a workaround.

[ Parent ]
-1 not original enough (2.66 / 6) (#70)
by esrever on Wed May 19, 2004 at 09:42:18 PM EST

It could have been great, but it just wasn't.  Proxy and firewall piercing is a great topic, but this article just doesn't do it justice.  How about this hypothetical example:
I have a host on the internet (like, say a dialup) which updates a dyndns entry every time it goes online or reconnects, so I can always get to it by its FQDN, no matter what the IP.  It is firewalled, but has the sshd listening on port 443 for inbound connections from work.  I have a host inside the company that uses aps to setup a proxy and I use sconnect to tunnel an ssh connection to the dialup host on port 443.  This effectively looks like an SSL session with a webserver as far as the web, proxy, and firewall logs will be concerned.  Now, I'm not limited to just one ssh tunnel, so I can setup one to forward my local port 3128 to the dialup's 3128 and run Squid there.  I can also --and this is a kicker-- run a reverse ssh tunnel that connects port 22 on the dialup to port 22 on my machine at work, with a simple script running to reconnect this tunnel if it ever drops.  Now, when I go home, dial up, and ssh to port 22 on my local machine, magically I am at work behind the corporate firewall with full access to everything from the anonymity of an encrypted tunnel.

This is a much bigger topic than this article :-(

Audit NTFS permissions on Windows

errata: (none / 1) (#71)
by esrever on Wed May 19, 2004 at 09:43:50 PM EST

it would connect some predefined high port on the dialup to port 22 on the local machine, so that when at home you would ssh to the predefined high port and end up at work.

Audit NTFS permissions on Windows
[ Parent ]
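The question esrever raises above (is there no CONNECT at all, or only a restriction on which ports you may CONNECT to?) and the sshd-on-443 setup in the hypothetical both turn on what the proxy answers to `CONNECT host:port`. The following is an added example for this thread, not code from the article or from aps098, desproxy or sconnect: it sends the CONNECT request with optional Basic proxy authentication, reads back the proxy's status code, and probes a list of ports so you can tell "403 on port 22, 200 on 443" from a blanket refusal. The proxy address, the credentials `user`/`pw` and the host `home.example` are placeholders, and `start_fake_proxy` is a constructed stand-in for the corporate proxy (Basic auth required, CONNECT only to 80 and 443, echoes tunnel bytes) so that the code runs offline.

```python
"""HTTP CONNECT probe: which ports will a proxy tunnel to?
Added example for this thread; not code from the article, aps098, desproxy or
sconnect. Proxy address, credentials and hostnames are placeholders, and the
fake proxy at the bottom is a constructed test double."""
import base64
import socket
import threading


def connect_via_proxy(proxy, target, auth=None, timeout=10):
    """Send CONNECT host:port for target=(host, port) via proxy=(host, port).
    Returns (sock, status, leftover); sock is None unless status is 200."""
    host, port = target
    sock = socket.create_connection(proxy, timeout=timeout)
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
    if auth:  # Basic shown here; an NTLM proxy needs a challenge/response exchange
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req += f"Proxy-Authorization: Basic {token}\r\n"
    sock.sendall((req + "\r\n").encode())
    buf = b""
    while b"\r\n\r\n" not in buf:  # status line and headers end at a blank line
        chunk = sock.recv(4096)
        if not chunk or len(buf) > 65536:
            sock.close()
            return None, 0, b""
        buf += chunk
    head, leftover = buf.split(b"\r\n\r\n", 1)  # leftover: early data from far end
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    if status != 200:
        sock.close()
        return None, status, b""
    return sock, status, leftover


def probe_ports(proxy, host, ports, auth=None):
    """Map each port to the proxy's answer to CONNECT host:port, e.g.
    {22: 403, 80: 200, 443: 200}: CONNECT works, but only to web ports."""
    result = {}
    for port in ports:
        sock, status, _ = connect_via_proxy(proxy, (host, port), auth)
        if sock:
            sock.close()
        result[port] = status
    return result


def tunnel_roundtrip(proxy, target, payload, auth=None):
    """Push payload through a tunnel and collect len(payload) bytes of reply."""
    sock, status, reply = connect_via_proxy(proxy, target, auth)
    if sock is None:
        return status, b""
    sock.sendall(payload)
    while len(reply) < len(payload):
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    sock.close()
    return status, reply


def start_fake_proxy(allowed_ports, creds=None):
    """Constructed test double: grants CONNECT only to allowed_ports (after
    optional Basic auth), then echoes tunnel bytes back in place of a real
    upstream server. Returns the (host, port) it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    want = creds and "Basic " + base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()

    def handle(conn):
        with conn:
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
            head, rest = buf.split(b"\r\n\r\n", 1)
            lines = head.decode("latin-1").split("\r\n")
            port = int(lines[0].split(" ")[1].rsplit(":", 1)[1])
            auth = next((l.split(":", 1)[1].strip() for l in lines[1:]
                         if l.lower().startswith("proxy-authorization:")), None)
            if want and auth != want:
                conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                             b"Proxy-Authenticate: Basic realm=\"corp\"\r\n\r\n")
            elif port not in allowed_ports:
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            else:
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n" + rest)
                for data in iter(lambda: conn.recv(4096), b""):
                    conn.sendall(data)

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()
```

Against a real proxy you would call `probe_ports(("proxy.corp.example", 8080), "home.example", [22, 80, 443], ("user", "pw"))` and read the status per port. If 443 comes back 200, OpenSSH can do the CONNECT step itself: `ssh -o 'ProxyCommand nc -X connect -x proxy.corp.example:8080 %h %p' -p 443 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 3128:localhost:3128 -R 2222:localhost:22 user@home.example` (OpenBSD netcat syntax; corkscrew does the same job with Basic auth). That gives the local Squid forward and the reverse tunnel from esrever's hypothetical, on a high port at the far end as the errata says; `-R` binds to the remote host's loopback unless `GatewayPorts` is enabled there, so only someone already on that host can use the way back in. Neither nc nor corkscrew speaks NTLM, which is why the article puts aps098 in front of the proxy, and `ServerAliveInterval` is what lets a reconnect loop notice a tunnel the proxy has silently dropped.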
Yeah, or (2.75 / 4) (#75)
by curien on Wed May 19, 2004 at 11:35:34 PM EST

I can also --and this is a kicker-- run a reverse ssh tunnel that connects port 22 on the dialup to port 22 on my machine at work, with a simple script running to reconnect this tunnel if it ever drops.  Now, when I go home, dial up, and ssh to port 22 on my local machine, magically I am at work behind the corporate firewall with full access to everything from the anonymity of an encrypted tunnel.

Except that they'll know
a) If they're worth a damn, they'll know that it was your workstation that originated any sort of questionable traffic. (There is questionable traffic, right? If not, why are we even talking about this? Legitimate use should have just gone through the VPN server!)
b) There was an unusually long connection from your workstation to a system on a dial-up ISP.
c) Someone used your credentials to make the connection (the proxy does authenticate, right?).
d) With this information, they can subpoena your ISP, finding that the IP of the remote host was in fact your system.

Buh-bye anonymity. Frankly, this is only slightly more obfuscated than a simple ssh connection on port 22.


--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]

*blinks* (3.00 / 9) (#78)
by esrever on Wed May 19, 2004 at 11:59:29 PM EST

You've utterly missed the point, and I will thus assume that you aren't a sysadmin who has to care about these sorts of things on a day to day basis.

Corporations have firewalls with outbound rules for a reason.  It is to protect and enforce data confidentiality and to manage who has access to what, when.

Let's try this again with a new hypothetical situation:

I buy a Sharp Zaurus, socially engineer myself anywhere inside the premises of LargeCorp, and plant my Zaurus on its cradle with a network connection and power.  It's innocuous; if I get it in a meeting room, maybe it will get unnoticed for a week or two - if I get it on an unused desk, potentially even longer.  I then leave the building.  Now, in the background, that little sucker is going to be running Monkey-in-the-middle attacks on SMB traffic, sniffing the wire and trying to brute force the keys it gets, anything and everything it can do to get itself an account - any account - that it can use.  Once it has its credentials (I say when, not if), it nmaps its way around the network looking for machines that listen on port 80, then attempts to start a proxy connection with them and authenticate with the server to get out to the real world.  Once it's found a valid proxy, it initiates an ssh session out via the proxy on port 443 (Which looks just like a normal, everyday SSL web connection) to some random host in China somewhere that I've previously rooted, and sets up a reverse listener to connect port 4444 on that host to port 22 on the Zaurus.  It then also emails me from China advising that its mission is complete.

So, I bounce myself off a few anonymous proxies and land on the rooted Chinese server, ssh or telnet to the localhost port 4444 (doesn't matter really, because everything is still encrypted as far as LargeCorp's proxies are concerned), land on the Zaurus inside LargeCorp, collect all the account details that it has been collecting for me, along with the network maps it's generated while it's been sitting there, and I am now fully armed and ready for a massive penetration and security violation, which LargeCorp doesn't even realise until long, long after - if ever.  When someone finds the Zaurus, they send an email around LargeCorp 'Anyone lost their Zaurus?' don't get a response, so they take it home themselves, reinstall, put their calendar on it, and no-one is the wiser.

Got it?

Audit NTFS permissions on Windows
[ Parent ]

Yeah (none / 3) (#84)
by curien on Thu May 20, 2004 at 06:42:03 AM EST

It was the introduction of the unauthorized computer by an unauthorized user that I wasn't considering. I was assuming you were still talking about cool things to do at your own workplace.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]
Roger that :-) [nt] (none / 1) (#85)
by esrever on Thu May 20, 2004 at 07:43:23 AM EST



Audit NTFS permissions on Windows
[ Parent ]
I'm only familiar with the SL5500 (none / 1) (#88)
by tzanger on Thu May 20, 2004 at 10:42:36 AM EST

But you need to install the respective software on a Win32 machine to get the Zaurus on the corporate LAN... unless you plug in a CF ethernet adapter but that makes it look all the more suspicious.  :-)

[ Parent ]
Another way out of prison: through the front door. (2.50 / 6) (#72)
by waxmop on Wed May 19, 2004 at 09:45:59 PM EST

Three steps:
  1. Find the project that your boss cares the most about. Find out what his job is riding on. Then fuck it up spectacularly, but in a non-obvious and non-traceable manner. It needs to fail in a way that nobody else can figure out what's going on. Let everybody get frustrated and panicked. Allow deadlines to be missed. Involve her somehow in marketing material. The idea is to establish a climate of confusion and fear.
  2. Now here's the finesse part: in the mind of your technophobic and very unhappy boss, link the mysterious new bug with the overly strict firewall policy. Remember, you're not using logic to persuade, just fear. Fear trumps reason any day. If you did step one right, and really got a good panic going, he'll dash off an email to tech support demanding they add a policy for you to make your fix immediately. We've all seen people try nonsensical and counterintuitive crap while debugging, especially when desperate. This is your chance to harness that fear!
  3. Once you get your ssh access outward, the project mysteriously works again, and so your boss won't care to hear that it doesn't make sense that you need ssh access outward. Encourage the skeptics to test out other solutions and then try to keep a straight face when they lose their shit trying to figure it out.
How to connect the firewall to the mysterious problem you created? I don't know since I don't know anything about your job or your boss, but there's plenty of ways that you can do it. It could be as simple as thinking out loud, "Hey, I don't remember this problem happening until right after that email we got about the firewall." Of course since you control the bug, you control when it appeared.

Or you could suggest the problem is a virus and you need to download a virus scanner for your network and it needs ssh access to stay up to date. Email pages and pages of text underneath a one sentence summary that says "this explains why the virus scanner needs ssh" and nobody will read the summary, because they're all panicked about the project.

Finally, as an added bonus, you come out looking like a hero.
--
The threat of losing all of your shiny possessions is what keeps us slaves to the machine. --

Social engineering v network engineering (2.75 / 4) (#76)
by curien on Wed May 19, 2004 at 11:37:25 PM EST

Both have their pluses and minuses. Some people find one more enjoyable than the other.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]
Good idea, but... (none / 3) (#82)
by Milo Minderbender on Thu May 20, 2004 at 05:51:15 AM EST

...it probably won't work with my particular situation. Our web site is hosted on servers run by another company (corporate partner) in another country. They already don't allow us access to ssh into the servers or even look at the log files. This is a huge corporation!

However, hypothetically going with your ethically questionable proposal...

Say I did cleverly manufacture a hard-to-find bug that somehow made it past the rigorous in-house testing department (date activated, I'd guess) that resulted in a few hundred thousand dollars of lost e-commerce sales... Any magical bug fixes would have to be done in-house (within the firewall), tested by the testers on an in-house dev server, and then deployed to the live servers. I can't think of any, even fear-based, reasoning to request proxy dilation.

We've had several oh-my-god-the-site-is-down crises before, and the hosting partner never budged on their server access restrictions, resulting in a significant loss of money.

In a medium-sized company, your solution might be feasible, but my boss is waaay low on the food chain to be demanding proxy policy changes.

--------------------
This comment is for the good of the syndicate.
[ Parent ]
two kinds of employees (2.80 / 5) (#81)
by NFW on Thu May 20, 2004 at 02:32:15 AM EST

Not to insinuate that the author of the above was bragging, it just reminded me of an observation that I thought was profound:
  1. Some people brag about how much they got done at work.
  2. Some people brag about how much they didn't do at work.  
The above was related to me by a guy who worked for a software startup (type 1 all the way) who then went to work for an aircraft manufacturer where everyone was unionized (type 2 all the way).  He had trouble fitting in. :-)


--
Got birds?


Hmmm... (none / 0) (#145)
by aluminumaloi on Tue May 25, 2004 at 08:08:34 PM EST

I'm not sure that I fit in either of those, since I don't really brag about anything I do at work.

That being said, most days I don't do much at work. I'm not bragging. I'm actually very upset about it. I would much prefer a job where I am actually using my skills, and where I am actually challenged every day. Or at least every week. Or month. But in 4-ish years working in the software development biz, I have yet to encounter that situation. Granted, the companies I have worked for have not been ones really known for innovative, interesting software design. In fact, most of what I do now is maintain crappy barely working code. This is why I don't do much at work. Give me a challenge, though, something interesting and preferably something I haven't done a hundred times, and I suddenly become very productive.

Not really sure what my point is. Just rambling.

[ Parent ]

How I found a way to breathe inside a similar prison (none / 1) (#89)
by Anonymous Brave on Thu May 20, 2004 at 11:05:11 AM EST

First I found I didn't have any instant messaging available. This was very easily worked around by using the web interface to ICQ at http://go.icq.com/

The next challenge was how to access my e-mail. After changing ISP a few times, I started using the free v3.com e-mail forwarding service. So I just created a Hotmail account, configured my v3.com service to start forwarding messages I receive to this new Hotmail account and finally simply configured Outlook to fetch mail from this account via HTTP. I also configured my PDA to sync with this mail.

The firewall also disabled me from equipping Mozilla with Java, at least via the install program from Sun. But I was able to succeed by using the XPI available at http://java.mozdev.org/java_xpis instead.

Then I discovered the mentioned aps098 application and this allowed me to use native MSN Messenger, Yahoo! Messenger and ICQ Lite. It also allowed me to use AvantGo on my PDA. Wget also started working.

Hopefully I'll also have the ftp upload functionality available when Mozilla 1.7 is released. In the meanwhile I can use Yahoo! Briefcase to store files.

FTP Upload (none / 0) (#105)
by Anonymous Brave on Fri May 21, 2004 at 06:29:20 AM EST

This actually is going to be implemented in Mozilla 1.8, not Mozilla 1.7 as I thought it would be.

[ Parent ]
It's pretty neat. (none / 0) (#121)
by Zerotime on Fri May 21, 2004 at 11:55:36 PM EST

Although obviously not nearly as useful as an actual dedicated FTP client.

---
"I live by the river
With my mother, in a house
She washes, I cook
And we never go out."

[ Parent ]
Do you know one? (none / 0) (#129)
by Anonymous Brave on Sun May 23, 2004 at 11:08:55 AM EST

Do you know if such FTP client exists? I'm aware of some that work through a SOCKS proxy, but not through an HTTP proxy. In fact the tests I've made with the alpha release of Mozilla 1.8 aren't very exciting so far...

[ Parent ]
Jeez, just use rinetd (none / 3) (#90)
by svanegmond on Thu May 20, 2004 at 12:48:52 PM EST

I note from your diagram that port 443 is sitting open on the firewall.

Well, port 443 can't be proxied, that was the whole point of https.  So just set sshd to listen on 443 (or use rinetd to forward 443 to 80).

Far less jangly nonsense, and your latency won't completely suck ass.

-- Steve van Egmond http://svan.ca/

Of course, HTTPS can't be proxied ... (none / 1) (#93)
by ConsoleCowboy on Thu May 20, 2004 at 02:02:44 PM EST

Well, port 443 can't be proxied, that was the whole point of https.

Think about it next time you do Internet banking from work.


:wq
[ Parent ]
You'd get a warning (none / 1) (#94)
by curien on Thu May 20, 2004 at 02:25:45 PM EST

Your browser would issue a warning that the certificate of the site doesn't match the domain name in the URI. Alternatively, your workplace could be really sneaky and use their CA to issue a cert that claims to be for the requested domain. You can easily check this by examining the cert your browser received... if it's from Verisign or some other T3P, you should be OK. If, OTOH, it's signed by your enterprise CA or a subordinate thereof, you should start worrying.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]
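To act on curien's advice about checking who signed the certificate, here is an added example (not from the thread or from any product) that inspects a certificate in the dict form `ssl.SSLSocket.getpeercert()` returns and reports the signs of an intercepting proxy: an issuer that is one of your enterprise CAs, a self-signed leaf, or names that do not cover the host you asked for. `PUBLIC_CA_CERT`, `INTERCEPTED_CERT`, the CA names and `example-bank.test` are constructed placeholders; `fetch_peer_cert` is the live version and needs network access.

```python
"""Spotting an intercepting HTTPS proxy from the certificate it presents.
Added example for this thread, not code from the article or any product.
The sample certificates are constructed dicts in the shape returned by
ssl.SSLSocket.getpeercert(); the CA names and hostnames are placeholders."""
import socket
import ssl

# Constructed samples (not real certificates), in getpeercert() shape.
PUBLIC_CA_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G3"),)),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "example-bank.test")),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "LargeCorp"),),
               (("commonName", "LargeCorp Proxy CA"),)),
    "subjectAltName": (("DNS", "www.example-bank.test"),),
}


def dn_to_dict(rdns):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def cert_names(cert):
    """DNS names the certificate claims: SANs plus the subject CN."""
    names = {v for t, v in cert.get("subjectAltName", ()) if t == "DNS"}
    cn = dn_to_dict(cert.get("subject", ())).get("commonName")
    return names | ({cn} if cn else set())


def name_matches(hostname, pattern):
    """Exact match, or a single leftmost wildcard label covering one label."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if host == pat:
        return True
    if pat.startswith("*."):
        hl, pl = host.split("."), pat.split(".")
        return len(hl) == len(pl) and hl[1:] == pl[1:]
    return False


def interception_indicators(cert, hostname, private_ca_cns):
    """Return the reasons this cert looks like an intercepting proxy's, if any."""
    findings = []
    issuer = dn_to_dict(cert.get("issuer", ()))
    subject = dn_to_dict(cert.get("subject", ()))
    if issuer.get("commonName") in private_ca_cns:
        findings.append(f"issued by enterprise CA '{issuer['commonName']}', not a public CA")
    if subject and issuer == subject:
        findings.append("self-signed leaf certificate")
    if not any(name_matches(hostname, n) for n in cert_names(cert)):
        findings.append(f"names {sorted(cert_names(cert))} do not cover {hostname}")
    return findings


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Live check (not run by the tests): what the TLS peer presents for hostname.
    Verification stays on against the OS trust store: if the interceptor's CA has
    been pushed into that store the handshake succeeds and the issuer gives it
    away; if it has not, the SSLCertVerificationError is itself the warning the
    browser would show."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

The list of private CA names is the part you have to supply yourself: on a corporate Windows build it is whatever sits in the machine's Trusted Root store beyond the public roots, which is exactly the store an intercepting proxy's CA gets pushed into.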
no shit (none / 1) (#95)
by WetherMan on Thu May 20, 2004 at 02:58:15 PM EST

I cannot believe this was actually voted up.
---
fluorescent lights make me look like old hot dogs
[ Parent ]
That's what I'm doing, sort of (none / 0) (#101)
by Milo Minderbender on Fri May 21, 2004 at 04:03:22 AM EST

You must have missed something.

Until curien's earlier comment, I didn't know that ssh tunneling to my home computer could send me to machines other than my home computer. That's what I was using the java proxy for. But the majority of the effort is still in getting ssh traffic through the proxy at all. Hence aps098 and desproxy. I know that putty will allow HTTP proxy connections, but it doesn't get through NTLM proxies, so I would still need aps098. I just have desproxy so that I can use cygwin's ssh client.

How would rinetd help?

--------------------
This comment is for the good of the syndicate.
[ Parent ]
s/r/x/ ? (none / 0) (#141)
by PigleT on Mon May 24, 2004 at 04:55:41 AM EST

I think whoever suggested rinetd might've meant xinetd.

You can establish a local listener e.g. on firewall:443 that then connects to any other host:port out there, localhost or not. This sounds just the same as the java proxy thing mentioned - I was wondering why, if code-reuse was the order of the day, was this not used instead?
~Tim -- We stood in the moonlight and the river flowed
[ Parent ]

Could be (none / 0) (#143)
by Milo Minderbender on Mon May 24, 2004 at 07:47:19 AM EST

"I was wondering why, if code-reuse was the order of the day, was this not used instead?"
Because I didn't know enough about ssh tunneling and I already had the proxy thing written. As it is, I now have my broadband router forwarding public port 443 to my computer at 22. That's accomplishing the same thing, right?

--------------------
This comment is for the good of the syndicate.
[ Parent ]
Only sort-of true (none / 0) (#108)
by curien on Fri May 21, 2004 at 08:25:26 AM EST

True, SSL connections can't be proxied, but they can be required to go through the proxy using CONNECT (which still requires proxy authentication, mind you). So no, port 443 isn't open at his firewall.

--
All God's critters got a place in the choir
Some sing low, some sing higher
[ Parent ]
+1 (none / 3) (#91)
by smileyy on Thu May 20, 2004 at 01:32:43 PM EST

Please post a story whining about how you got fired.  I wish I were your manager/cio/whatever so I could fire you myself.
--
...alone in suicide, which is deeper than death...
And this is a good thing because ... ? (2.75 / 4) (#96)
by cdguru on Thu May 20, 2004 at 10:18:57 PM EST

There are a couple of issues that I think you might be missing with this.

I've read through a bunch of postings saying how this is not a good thing to be doing because you aren't doing your job. I've read the answers to this. The point glossed over or missed by most of the postings is that unless your LARGE_ORG is unlike anything I've seen lately, you signed over rights to whatever you do during work hours. This can cause enormous problems for someone doing "web development" on a consulting basis. You don't own the rights to your work, and therefore, you can't assign the copyright to whomever you are doing stuff for. That you may be doing it as a "work for hire" probably doesn't mean much. This effectively means that whomever is paying you ends up not owning the rights to what they pay you for. Now, if everyone is as clueless as you seem to think, this is unlikely to come back to bite you. Unfortunately, where the real trouble starts is if your outside work ends up being the subject of an acquisition ... something you might never even hear about. This sort of working arrangement can screw up someone else's multi-million dollar acquisition. Should this come to pass, you will have a whole new attitude towards lawyers, judges and the like.

The second point I think is worth making is there is one really good reason why a company would have such a restrictive proxy/firewall policy - paranoia. Probably extreme. How does this affect what you are doing? Well, you have succeeded in opening a gaping hole in what they consider to be a secure environment. You now can easily transport data from within this supposedly secure environment to the outside world. Or bring "unapproved" data, programs, etc. in. I stress that this security does not have to be real, just something that is "secure" in the eyes of the IT staff and upper management.

Employees can and have been prosecuted for this sort of thing, even when nothing has "really happened".

From a risk evaluation perspective, I would say the first case is a low probability but the risks are almost unlimited. The second case is far more likely, as any discovery by the "clueless IT staff" could trigger an investigation and getting the lawyers involved. The risks are fairly low, because even in the event of an investigation it is likely the company would just fire you and not want the story getting around. This could make getting the next job pretty tough, but it is unlikely to go much further.

My conclusion on this is that if you feel you have to do outside work "on company time" do not violate company security procedures while doing so. This does limit you to not doing "online" stuff during office hours, but it virtually eliminates any risk. I suspect it would be incredibly hard to pin down exactly when you did something and therefore makes the whole "ownership" issue far murkier. Then, as long as your boss doesn't care it is almost a non-issue.

Just as a note aside, if I was your boss, your boss's peer or a co-worker, I would go out of my way to make sure you got fired. You are operating far enough out of bounds that you cannot trust anyone.

Listen to this man (none / 1) (#98)
by Incommunicado on Fri May 21, 2004 at 12:14:30 AM EST

He's telling you teh TRUTH!



[ Parent ]
Innocent until proven guilty (none / 2) (#100)
by Milo Minderbender on Fri May 21, 2004 at 03:53:02 AM EST

Thank you for bringing this up. I noticed it in the other threads too, but I forgot to address it. You have given me the chance here.

In the country of my residence, the legal system places the burden of proof upon the accuser. Let's run a hypothetical situation. Let's say that LargeCorp catches word of my activity and confiscates my computer for examination. What will they find?

They'll find a CVS source code repository with code resembling a web application. Do they own the code yet?

I'll say that a friend asked me to look at a problem he was having and he asked me to check out his CVS repository and look into it for him. I waited until lunch time to build his project and look at something for him. Do they own the code yet?

How about an open source project that I downloaded to see how they accomplished a task that we need our LargeCorp app to perform? Do they own that code?

I think they'd have a hard time proving that I did work on company time. Having foreign source code on your machine is not only not against company policy, but it's to the company's advantage for you to be (preferably legally) checking out others' source code. The chances of them changing my Windows password, logging in as me, going through my browser bookmarks one-by-one, finding K5, clicking "Your Stories", and reading this anonymous Internet confession are pretty much nil. These guys have to follow instructions on paper when they come around to create a new shortcut on your desktop.
"You now can easily transport data from within this supposedly secure environment to the outside world. Or bring "unapproved" data, programs, etc. in."
They have HTTP open on the proxy. There's nothing stopping anyone from zipping up the entire LargeCorp code repository and transferring it into the Big Bad Internet. Think of sending email attachments on Hotmail if you don't understand HTTP (although I imagine that you do from your "security does not have to be real" comment). Files can be sent in and out freely. I haven't really opened up such a gaping hole. All I've done is make the existing hole a little bit more secure by allowing ssh traffic through it.
"You are operating far enough out of bounds that you cannot trust anyone."
I understand that. I told a coworker that I managed to ssh to my home machine, and he said, "What's ssh?" That's the extent that I have and will speak of this to coworkers.

Did I address all your points?

--------------------
This comment is for the good of the syndicate.
[ Parent ]
Err not really (none / 0) (#102)
by melia on Fri May 21, 2004 at 05:41:11 AM EST

I am your manager. You are fired

But seriously, they wouldn't really have to prove much, they'd sack you first, and your option would be a tribunal. Cue a whole load of grief for everybody, and ultimately, you'll be fucked. Notwithstanding that you'd have to perjure yourself with these lies. It's dangerously arrogant to assume you'll get away with it. (especially since your justification for this assumption is that everyone else is a dumbass)

I waited until lunch time to build his project and look at something for him. Do they own the code yet?

Unfortunately, since you're using company equipment it's not quite as clear cut as you seem to think. Of course, let's not forget that if needed, a court would have the power to search your home PC.

I imagine that you do from your "security does not have to be real" comment). Files can be sent in and out freely. I haven't really opened up such a gaping hole.

Nope, it really is you who's not understanding. The parent post was taking your comments about them being idiots at face value, his point being that their perception of your actions will be (quite rightly it would seem) that you're a crook.
Disclaimer: All of the above is probably wrong

Re: Err not really (none / 0) (#104)
by Milo Minderbender on Fri May 21, 2004 at 06:17:54 AM EST

"I am your manager. You are fired"
Hey boss! The project is going nicely! Can you believe all these silly k5'ers actually thought I did this? Man...
"But seriously, they wouldn't really have to prove much, they'd sack you first, and your option would be a tribunal. Cue a whole load of grief for everybody, and ultimately, you'll be fucked."
I suspect that "a whole load of grief" will probably cost LargeCorp a lot more money than they have "lost" by me doing something other than surfing the web with my mandated downtime. They'd probably be satisfied with just sacking me. Were I a permanent employee with something other than a loose-IT-contractor contract, they might want to make sure they had enough evidence before sacking me in case I wanted to take them to court for slander (or whatever they would be guilty of for sacking an innocent employee on such accusations).
"Of course, lets not forget that if needed, a court would have the power to search your home PC."
So I helped my friend from home too. What does that prove?
"The parent post was taking your comments about them being idiots at face value, his point being that their perception of your actions will be (quite rightly it would seem) that you're a crook."
Okay, I suppose that might be the perception.

--------------------
This comment is for the good of the syndicate.
Heh (none / 0) (#106)
by melia on Fri May 21, 2004 at 06:34:30 AM EST

I suspect that "a whole load of grief" will probably cost LargeCorp a lot more money than they have "lost" by me doing something other than surfing the web with my mandated downtime.

Hmm, you've misunderstood a little. If it went to a tribunal, that would be because you complained about being sacked - i.e. LargeCorp wouldn't have a choice in the matter.

That's not to say LargeCorp wouldn't take you to court - if the work you are doing on the side (using their equipment) was valuable enough to warrant the cost of ensuring their ownership of copyright.

They'd probably be satisfied with just sacking me.

So you wouldn't take them to a tribunal to peddle your fraudulent excuses? Now I'm really confused - you're saying that you're quite happy to be sacked and have your employment record smeared, without trying to worm your way out of it via unfair dismissal?

they might want to make sure they had enough evidence before sacking me in case I wanted to take them to court for slander (or whatever they would be guilty of for sacking an innocent employee on such accusations).

Unfair dismissal - except of course, they would be guilty of no such thing. Perhaps, maybe, understandable that you think your employers are idiots, but to think that a tribunal or court would not have dealt with your type before is just plain stupid.

So I helped my friend from home too. What does that prove?

Heh, we're not talking about lying to your mum here you know. You're prepared to lie in court? That's not to say I think you'd get away with these silly excuses.

Point being - if you get caught you'll get sacked, or you can take them to an employment tribunal during which you will almost certainly be found out. Either way, you lose a job, your reputation, and, if it's worth anything, possibly a great deal of the "work on the side" you've been doing.

Anyway, I'm not a lawyer or anything, but it seems to me you've got a whole lot to lose. I wouldn't if I were you.


Disclaimer: All of the above is probably wrong

My reputation (none / 3) (#107)
by Milo Minderbender on Fri May 21, 2004 at 06:53:40 AM EST

I was misunderstanding a bit. I thought the tribunal was initiated by LargeCorp. No, if I got fired, I would not object. I only have a month or two left on my contract as it is.

One thing I'm not understanding is how getting sacked would ruin my reputation. I wouldn't put it on my CV, nor would I admit it to a future potential employer. I've had so many different employers in the past and never been fired that I have a plethora of legitimate "why employment terminated" excuses. I've never had a potential employer contact a previous employer without my permission to do so, nor do they mind the excuse, "Well, my direct manager at LargeCorp no longer works there." They are always just as willing to talk to my penultimate employer.

--------------------
This comment is for the good of the syndicate.
That only works for criminal cases (none / 1) (#144)
by johnmeacham on Tue May 25, 2004 at 05:58:55 PM EST

In civil matters, such as a dispute between an employee and employer, you start out even. There is no 'innocent until proven guilty' concept in civil cases, because which direction would it go? In an argument between two people, neither should be given the advantage of presumed innocence; it is ONLY applicable to government criminal cases.

A simple majority is all that is needed to win a civil case (usually).


bump (none / 3) (#109)
by yeux on Fri May 21, 2004 at 10:37:30 AM EST

this is a good story

Thanks (none / 2) (#111)
by Milo Minderbender on Fri May 21, 2004 at 10:52:49 AM EST

Why do you think so?

--------------------
This comment is for the good of the syndicate.
bump (none / 2) (#112)
by yeux on Fri May 21, 2004 at 10:53:23 AM EST

i like this comment, bumping it to the front page

real morality (none / 3) (#110)
by yeux on Fri May 21, 2004 at 10:52:17 AM EST

frankly, what you're doing isn't moral.

the people paying for their internet connection aren't doing it so you can browse kuro*hin and other pornographi(es). they're doing it so they can make money. by using it for your own unethical purposes, you're stealing bandwidth. not only are you slowing the connection for legitimate work, but you're making it seem as though more people are using it for actual work than actually are. this is a plain and simple theft of the current bandwidth, and may even cause more bandwidth(s) (if any) to be purchased to support all the 'work' going on.

plain and simple theft.



Yes (3.00 / 4) (#114)
by Milo Minderbender on Fri May 21, 2004 at 11:02:57 AM EST

Just like changing the channel when the commercials come on is stealing. And going 43mph in a 40mph zone is illegal. Everybody does it, and it's wrong. Shame on us.

Back to reality...

Personal internet use at work is a necessary evil. The cost of policing usage or over-restricting usage is much greater than the cost of extra bandwidth and lost man hours.

I dare say that k5 would die immediately if it were only accessed from home (non-work) environments.

--------------------
This comment is for the good of the syndicate.
What about morale? (none / 1) (#126)
by drakosha on Sat May 22, 2004 at 02:02:10 PM EST

One letter, and such a difference in meaning!
Morale. You know, the stuff that keeps employees from using non-work time to find better, less restricting jobs.

Yes, internet connections decrease productivity. Yes, blocking internet connections or firing people for browsing during work time is one solution. So is locking them in a 2m^2 box with a computer running nothing but dev tools. Welcome to the good old North American tradition of treating the symptom.

One psychologically valid way to increase your productivity on creative (or simply mentally intensive) tasks is to switch tasks for a while. If you can't do that, a ten-minute distraction (like K5) is almost as good. Think K5 browsing is running an IT company somewhere out of business? Only if the people there spend every minute of their waking hours avoiding work. And sorry, that's so rare as to be statistically insignificant.
(caveat: If browsing is a serious problem, most times it's hardly the cause)
----------------------------
"Technologists often forget the general user. Technology is only as good as the user experience. That is something that technology groups very often forget."

--Linus Torvalds, keynote address, LinuxExpo 2000.

"slowing connection for legitimate work" (none / 0) (#125)
by Milo Minderbender on Sat May 22, 2004 at 10:00:29 AM EST

Funny how the Dilbert on the day of your comment was about doing legitimate work.

--------------------
This comment is for the good of the syndicate.
ssh bandwidth (none / 0) (#127)
by Rich0 on Sat May 22, 2004 at 03:16:46 PM EST

Uh - he's talking about running ssh for the most part.  That uses virtually no bandwidth.

He also mentioned media player, but he mentioned that this works without the fancy proxy bypass.

In any case, we're not talking about a lot of bandwidth here.  For an employee paid a decent wage you might be talking a few percent of salary at most...


To bypass outbound firewall rules: (none / 2) (#113)
by UncannyVortex on Fri May 21, 2004 at 10:56:12 AM EST

I run a password-protected SOCKS 5 proxy on my machine at home, listening on port 443.

At work, I configure apps to SOCKS my home machine's IP address at port 443.  For those without built-in SOCKS support, I use SocksCap.

All this works quite well for nearly all applications, but is not encrypted of course.  (I'm on Windows by the way).  I've had trouble finding quality SSH utilities for Windows.  Any suggestions would be appreciated.

-- uncanny

Cygwin and Putty (none / 1) (#115)
by Milo Minderbender on Fri May 21, 2004 at 11:06:28 AM EST

Cygwin is good, but maybe not if you know absolutely nothing about unix. I'm pretty sure it comes with a version of sshd (the ssh server) that will run as a Windows service. Then, if you prefer a slightly more graphical ssh client, there's PuTTY.

--------------------
This comment is for the good of the syndicate.
Thanks... (none / 0) (#118)
by UncannyVortex on Fri May 21, 2004 at 04:44:35 PM EST

I've used cygwin in the past, and know how to use Lunix and derivatives fairly well, though I've never set up ssh.  I also have putty and use it as my preferred telnet client on Windows.

However, at this point I would only be using ssh for tunnelling Windows applications' traffic (web browser, IRC, IM, file-sharing, etc.) through an encrypted proxy.  I have no need for a command-line shell in my situation.

I have actually considered setting up an sshd under cygwin at home, perhaps listening on 443 (since that's one of my only available outgoing ports at the office)... Encryption would probably be a good idea when circumventing company policies.

The SOCKS proxy is just so easy to set up, so it has won out so far.


sshd / cygwin (none / 1) (#122)
by anmo on Sat May 22, 2004 at 02:44:12 AM EST

Cygwin's sshd works fine on XP. I use it to connect to a Subversion server (also on WinXP) via ssh+svn and have had no problems.

Socks through SSH (3.00 / 4) (#116)
by sherbang on Fri May 21, 2004 at 12:25:27 PM EST

I've seen plenty of mentions of SSH's -L option, which is great, but ssh can also act as a full-fledged socks server.

Use -D port
then point your socks-capable app at that port for the socks server. ssh will automagically tunnel the traffic to the ssh server, and from there contact whatever machine the client is requesting.

Also, you can run -L multiple times for one ssh session. I do "ssh -D 1080 -L 8081:localhost:8080 -L 1143:mailserver:143 -L 2225:mailserver:25 me@home" on my laptop whenever I'm on an untrusted network, then I point my email at localhost:1143 for imap and localhost:2225 for smtp, and point my web browser at localhost:8081 (running squid on my home computer, but only on 127.0.0.1) for http/ftp/https, and can use socks (localhost:1080) for anything else, or just open up another ssh.

Of course I run linux both on my home computer and my laptop, dunno if you'd run into any issues with this on a windows machine. It should work fine with the cygwin ssh anyway.

You can also do some fun stuff with ppp over ssh if you really want to go nuts.

Oh, and ditch that java program on your home computer and just run a copy of ssh on port 443.
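The two setups described in this thread, a password-protected SOCKS5 daemon listening on 443 at home (UncannyVortex, above) and `ssh -D` turning the ssh client into a local SOCKS server (sherbang), speak the same protocol to the application. What follows is an added example, not code from this thread, from SocksCap or from OpenSSH: a minimal SOCKS5 server that insists on username/password authentication (RFC 1928 method 0x02, RFC 1929 sub-negotiation), the matching client-side handshake, and a loopback run against an echo service. The credentials, the echo service and the use of ephemeral loopback ports are all constructed for the example.

```python
import socket
import struct
import threading
from contextlib import suppress

USERS = {"alice": "s3cret"}      # constructed for the example; a real daemon reads its own config


def recv_exact(sock, n):
    """SOCKS fields are fixed-length and one recv() may return only part of one."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS exchange")
        buf += chunk
    return bytes(buf)


def _relay(src, dst):
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)     # pass EOF along in this direction only


def handle_client(client, users):
    """Server: method negotiation (RFC 1928), user/pass (RFC 1929), CONNECT, relay."""
    reply = lambda rep: client.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + bytes(6))
    try:
        ver, nmethods = recv_exact(client, 2)
        if ver != 5 or 0x02 not in recv_exact(client, nmethods):
            return client.sendall(b"\x05\xff")      # no acceptable method: no anonymous use
        client.sendall(b"\x05\x02")                 # server chooses username/password
        auth_ver, ulen = recv_exact(client, 2)
        user = recv_exact(client, ulen).decode()
        password = recv_exact(client, recv_exact(client, 1)[0]).decode()
        if auth_ver != 1 or users.get(user) != password:
            return client.sendall(b"\x01\x01")      # status != 0: client must close
        client.sendall(b"\x01\x00")
        _, cmd, _, atyp = recv_exact(client, 4)
        if cmd != 1 or atyp != 3:                   # CONNECT to a domain name only (no BIND/UDP, no raw IP)
            return reply(0x07 if cmd != 1 else 0x08)
        host = recv_exact(client, recv_exact(client, 1)[0]).decode()
        port = struct.unpack("!H", recv_exact(client, 2))[0]
        try:
            upstream = socket.create_connection((host, port), timeout=5)
        except OSError:
            return reply(0x05)                      # connection refused
        reply(0x00)                                 # BND.ADDR/PORT zeroed; fine for CONNECT
        back = threading.Thread(target=_relay, args=(upstream, client), daemon=True)
        back.start()
        _relay(client, upstream)
        back.join()
        upstream.close()
    finally:
        client.close()


def socks5_connect(proxy, user, password, dst_host, dst_port):
    """Client: what SocksCap or a SOCKS-aware app does before its first real byte."""
    s = socket.create_connection(proxy, timeout=5)
    s.sendall(b"\x05\x01\x02")                      # VER=5, one method offered: user/pass
    if recv_exact(s, 2) != b"\x05\x02":
        raise ConnectionError("proxy will not do username/password auth")
    u, p = user.encode(), password.encode()
    s.sendall(b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p)   # crosses the wire in clear
    if recv_exact(s, 2) != b"\x01\x00":
        raise PermissionError("proxy rejected credentials")
    h = dst_host.encode()                           # ATYP=3: the proxy resolves the name
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(h)]) + h + struct.pack("!H", dst_port))
    _, rep, _, atyp = recv_exact(s, 4)
    recv_exact(s, {1: 4, 4: 16}.get(atyp) or recv_exact(s, 1)[0])   # skip BND.ADDR
    recv_exact(s, 2)                                                 # skip BND.PORT
    if rep != 0:
        raise ConnectionError(f"CONNECT failed, REP={rep:#04x}")
    return s


def start_server(handler, host="127.0.0.1"):
    srv = socket.socket()
    srv.bind((host, 0))                             # ephemeral loopback port
    srv.listen()
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def echo(conn):                      # constructed stand-in for the real destination service
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data)


def demo(password="s3cret"):
    """Bytes echoed back through the proxy, or None when the proxy rejects the login."""
    echo_port = start_server(echo)
    proxy_port = start_server(lambda c: handle_client(c, USERS))
    try:
        s = socks5_connect(("127.0.0.1", proxy_port), "alice", password, "127.0.0.1", echo_port)
    except PermissionError:
        return None
    with s:
        s.sendall(b"hello via SOCKS5")
        return recv_exact(s, 16)
```

`demo()` returns the echoed bytes and `demo("wrong")` returns None. The handshake also shows why the bare-daemon-on-443 variant is the weaker of the two: RFC 1929 carries the username and password in clear, and everything after the CONNECT reply is in clear too, so anyone on the path (the corporate proxy included) can read both. With `ssh -D` the same SOCKS exchange happens only between the application and the ssh client on localhost, and the wire carries nothing but the ssh session.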


Great tip, thanks! (none / 0) (#117)
by Milo Minderbender on Fri May 21, 2004 at 12:35:41 PM EST

"Oh, and ditch that java program on your home computer and just run a copy of ssh on port 443."
Yeah, I've already done that thanks to an earlier post on this article. I just didn't know better at the time I was using the java proxy.

Thanks for your additional ssh insight. That might come in very handy. There's nothing like learning more about security to make you more paranoid! :-)

--------------------
This comment is for the good of the syndicate.
Be careful (none / 3) (#120)
by niku on Fri May 21, 2004 at 07:57:40 PM EST

After the dark times, I was forced to take a number of different interim jobs. One of which was in a call center doing data entry. The first three days were supposed to be doing a "course" on the software that the company used, each section followed by a test. Needless to say, I finished the "three days" worth of work within the first couple of hours at work. I asked the supervisor what I should do in the interim. He said, "whatever you want, play some games or browse around on the internet, or something", since they wouldn't have any work for me to do for the next two days.

I had a home server which I used, and I figured I'd ssh over there and play with my website, or read email or whatever. I downloaded cygwin so I could ssh in and have access to a bash prompt (having used mostly unix since I was 11, windows still feels kinda creepy). I made sure to tell my manager I was downloading some software so I could check my email and the like.

The next day when I showed up for work I was fired.

While it was probably a violation of company rules, and sure, it was a misunderstanding (their IT department claimed I was downloading "hacker tools"), it didn't make a lick of difference. What's the point? Get permission in writing. My manager knew what I was doing; it was fine by him. No one else did, and I didn't have anything to cover my ass when I got in trouble. Get something to cover yours.
--
Nicholas Bernstein, Technologist, artist, etc.
http://nicholasbernstein.com

Nice anecdote, and... (none / 0) (#124)
by Milo Minderbender on Sat May 22, 2004 at 06:08:36 AM EST

...in your case, your boss probably would have given you permission in writing. But in my case, I don't think my boss is that stupid. It's the nature of the corruption. If I had proof that he knew that there was no work to be done and didn't tell his superior, it would be his ass on the line. An essential skill in middle management is passing the buck, learning to let blame bounce off you and onto someone else. He would definitely deny giving such an order.

--------------------
This comment is for the good of the syndicate.
Parasite. (none / 1) (#131)
by skyknight on Sun May 23, 2004 at 11:43:12 AM EST

It's people like you, taking money out of the economy and generating no wealth, who are the destroyers of economies. Maybe you should tell the shareholders of the company what is up.

It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
Corporate wastage generates jobs (none / 2) (#133)
by Milo Minderbender on Sun May 23, 2004 at 01:07:57 PM EST

The percentage of the annual wastage based on stupid management from this corporation that makes up my salary is incredibly insignificant. If anything, by remaining employed there, I'm helping the economy by taking money from a super-rich corporation and distributing it to other sectors of the economy, albeit to super-rich mortgage lenders, supermarket chains, and clothing chains.

Also, it would definitely be illegal for me to tell the stockholders what idiotic management the company has. Not to mention, the company is hugely profitable despite such stupid wastage. That's largely the reason that it goes so unnoticed.

--------------------
This comment is for the good of the syndicate.
Breaking windows also generates jobs. /nt (none / 3) (#134)
by skyknight on Sun May 23, 2004 at 01:17:36 PM EST



It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
Exactly (none / 1) (#136)
by Milo Minderbender on Sun May 23, 2004 at 04:38:01 PM EST

If Joe Homeowner keeps breaking his windows, should I, the window repair guy whose job is being generated (or maintained) by Mr. Homeowner's wasteful behavior, refuse to replace the window and accept payment just because stupid ol' Joe is being wasteful and using the economy's resources that could be used for more constructive endeavours? I could take the moral highground and explain to my hungry children why there's no food on the table, or I could be disgusted by the wastefulness and take the damn money.

I do, however, take your point that, at least resource-wise, the corporation's behavior is damaging the economy.

--------------------
This comment is for the good of the syndicate.
More specifically... (none / 1) (#138)
by skyknight on Sun May 23, 2004 at 05:44:24 PM EST

this is what I was referencing.

It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
Heh... (none / 1) (#140)
by Milo Minderbender on Mon May 24, 2004 at 02:49:46 AM EST

And here I was thinking that you had made a surprisingly intelligent metaphor that accurately shot down my "good for the economy" argument.

I still stand by my "willing to be the employed glazier" argument, though.

At least I resisted making the obvious jab at Microsoft...

--------------------
This comment is for the good of the syndicate.
It is a surprisingly intelligent metaphor... (none / 2) (#142)
by skyknight on Mon May 24, 2004 at 05:40:20 AM EST

but I am merely demonstrating that I have a good memory, not that I am creative.

It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
How stupid. (none / 1) (#135)
by Tezcatlipoca on Sun May 23, 2004 at 04:35:57 PM EST

Why do you need to do your "web development work" using the internet?

Do it locally, either in your machine or in a laptop, that way you are not compromising the security of your working place.

It is perfectly legitimate to do something else if there is no work (as others have said, that still could mean that your work belongs to your employer; check your contract). What is not legitimate is to undermine the security measures that your admins have put in place. If anything, you should help them close these loopholes.

Might is right
Freedom? Which freedom?

I am doing it locally...kind of. (none / 1) (#137)
by Milo Minderbender on Sun May 23, 2004 at 04:52:43 PM EST

I am editing all files locally. It's just that my machine at work doesn't have enough memory to handle another web application server, so I'm using one running on my home machine. This requires deploying compiled classes and JSP files to my home machine to test them. And the other reason I need the internet is for CVS access (using ssh). Is that reasonable enough?

As for helping them close these loopholes... I don't know that this particular loophole can be closed. Unless there's a way for the proxy to verify that the traffic really is HTTP traffic to a web server and not socket traffic wrapped in HTTP packets, it's not really closable.

--------------------
This comment is for the good of the syndicate.
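On whether a proxy can tell real HTTPS from socket traffic wrapped in CONNECT: it can look at the first bytes the client sends once the tunnel is up. A TLS ClientHello, an ssh identification string and a SOCKS5 greeting all start differently, and none of the three makes any attempt to look like the others. The following is an added example, not code from this thread or from any proxy product; the proxy log format, its field names (including a `first=` field holding the tunnel's first client bytes, which real proxies do not record by default) and every log entry are constructed.

```python
import re

# Constructed proxy log: one line per CONNECT, with the first bytes the client sent
# after the tunnel opened (hex). The format is invented for this example.
SAMPLE_LOG = """\
2004-05-21T10:12:03 user=jdoe CONNECT www.example.com:443 dur=4s bytes=18320 first=1603010100e4010000e00303
2004-05-21T10:15:41 user=jdoe CONNECT home.example.net:443 dur=7215s bytes=9120 first=5353482d322e302d4f70656e5353485f
2004-05-21T11:02:17 user=asmith CONNECT 198.51.100.7:443 dur=1800s bytes=2400000 first=050102
2004-05-21T11:40:09 user=asmith CONNECT cdn.example.org:443 dur=2s bytes=5000 first=474554202f20485454502f312e310d0a
2004-05-21T12:00:00 user=bwong CONNECT mail.example.com:443 dur=9000s bytes=40000 first=16030100d8010000d40303
"""

LINE = re.compile(r"user=(?P<user>\S+) CONNECT (?P<host>[^:\s]+):(?P<port>\d+) "
                  r"dur=(?P<dur>\d+)s bytes=(?P<bytes>\d+) first=(?P<first>[0-9a-f]*)")


def classify_payload(first):
    """Label the first bytes a client sends once CONNECT has succeeded."""
    if len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03 and first[2] <= 0x04:
        return "tls"      # TLS record header: ContentType handshake, version 3.x: a ClientHello
    if first.startswith(b"SSH-"):
        return "ssh"      # RFC 4253 identification string; ssh never disguises itself
    if len(first) >= 3 and first[0] == 0x05 and 1 <= first[1] <= 4:
        return "socks5"   # SOCKS5 greeting (VER, NMETHODS, METHODS): a bare SOCKS daemon on 443
    if re.match(rb"(GET|POST|HEAD|PUT|OPTIONS|CONNECT) \S+ HTTP/1\.[01]", first):
        return "http"     # cleartext HTTP in a tunnel that should carry TLS
    return "unknown"


def audit_log(text, long_session=3600, low_rate=50):
    """Flag CONNECT sessions by payload type and, failing that, by shape (duration vs. bytes)."""
    findings = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        port, dur, nbytes = int(m["port"]), int(m["dur"]), int(m["bytes"])
        label = classify_payload(bytes.fromhex(m["first"]))
        reason = None
        if port == 443 and label != "tls":
            reason = f"{label} payload on a port that should carry TLS"
        elif dur >= long_session and nbytes / max(dur, 1) < low_rate:
            reason = "hours-long, low-volume session: interactive use, not browsing"
        if reason:
            findings.append({"user": m["user"], "dst": f"{m['host']}:{port}",
                             "label": label, "reason": reason})
    return findings
```

Run `audit_log(SAMPLE_LOG)`: the first record is ordinary HTTPS and is left alone; the ssh banner, the SOCKS5 greeting and the cleartext GET on 443 are each flagged by payload; the last is flagged only by shape (hours long, a few bytes per second). That shape check is the one that still works once someone wraps ssh in real TLS with something like stunnel, and it is also the one that will catch legitimate long-lived TLS sessions, so treat it as a lead for a person to look at rather than a block rule.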
Not much of a compromise (none / 2) (#139)
by Highlander on Mon May 24, 2004 at 02:22:34 AM EST

He isn't really compromising the security of the workplace, since he isn't providing any inbound ports or services. Since he has to configure the outbound connection by http, it can't in practice be used by a trojan for calling home.

What may be dangerous is the code he checks out from cvs, but currently someone would have to specifically target him to be so devious. Using any utility downloaded from a company on the internet is a greater risk.

Like using WinZip.

And compare how insecure http is...
Leaving ANY ports open is a security risk =)
The road to paranoia.

Moderation in moderation is a good thing.

There is a serious security risk (none / 0) (#154)
by pieroxy on Mon Sep 13, 2004 at 07:40:39 AM EST

When you say that "He isn't really compromising the security of the workplace", you fail to account for all the security issues in ALL the software he is using. He also mentioned opening all IMs for his colleagues. That is a heck of a serious risk IMO.

Objection: (none / 1) (#146)
by JChen on Wed May 26, 2004 at 10:01:39 AM EST

Poster was the recipient of human sacrifices by barbaric tribe.

Let us do as we say.
Kinda like that (none / 0) (#147)
by {ice}blueplazma on Mon May 31, 2004 at 11:18:33 AM EST

My school does something similar to this, except they allow outbound connections however you like. The problem is, of course, that the only incoming connections allowed have to be established within the school. I figured this out pretty quickly in the first week of school because I can SSH out and connect to my home machines. Flash forward two years, when I finally have a laptop and the favor of the IT department. I know the network topology is basically a big home network with an HTTP proxy thrown in for kicks. This proxy is the issue, since it has massive content filtering on it, to the point where I can't access message boards within the building. Everything else is unrestricted; only port 80 is proxied. My solution? Seeing as I needed access to other things at my house as well as unrestricted internet access, I set up a VPN on my home network. Now I just use my laptop to set up an L2TP over IPsec connection from the school to my house, and since only port 80 is restricted it's fine, because L2TP doesn't go near port 80. After that it was a simple matter of sending all traffic over the VPN and getting easy access. Of course, the major difference between this and the story is that (a) I never signed a contract to be nice (really, I didn't; they didn't have one this year), (b) I'm not being paid, and (c) it's not really against school rules because I do have a legitimate reason for it.

"Denise, I've been begging you for the kind of love that Donny and Smitty have, but you won't let me do it, not even once!"
--Jimmy Fallon
No need to switch around so much (none / 0) (#148)
by fortytwo on Tue Jun 01, 2004 at 12:20:43 PM EST

Use a SOCKS proxy instead of your java app - if your apps support SOCKS proxying, you won't need to change the port so much.

Excellent Work from a Fellow Syndicate Member! (none / 0) (#149)
by Milo Minderbinder on Tue Jul 13, 2004 at 05:54:29 PM EST

Excellent work, Milo. The Syndicate is truly proud to have you as a member, even if you misspelled your own last name.
--
M & M ENTERPRISES, FINE FRUITS AND PRODUCE.
Bite me, copycat! [n/t] (none / 0) (#151)
by Milo Minderbender on Thu Jul 22, 2004 at 10:03:11 AM EST



--------------------
This comment is for the good of the syndicate.
why limit to 443? (none / 0) (#150)
by mudder on Wed Jul 14, 2004 at 12:57:30 PM EST

Don't forget all the other ports you can run services from, e.g. DNS (53). On the most restrictive FW rules (disable all outbound except those specifically allowed, read: business case) the FW admin has invariably added ANY ANY 53 ALLOW so they won't have to mess around with configuring recursive/!recursive DNS lookups. Additionally, if you find ports open on the firewall at your, uhm, network, test UDP and TCP as well. This will normally double your available ports.
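On the point that a port open for TCP says nothing about UDP (and vice versa), here is an added example, not from this thread, that probes a port both ways. TCP is settled by the handshake alone. UDP has no handshake, so a bare send tells you nothing; the probe sends a real DNS query (RFC 1035 wire format, the only thing a port-53 rule is written for) and counts only a reply with the same transaction ID and the QR bit set as success. The local TCP listener and the fake resolver that answers every query with 192.0.2.1 (TEST-NET-1) are constructed stand-ins for whatever sits outside the firewall; the "example.com" query name is a placeholder.

```python
import socket
import struct
import threading

_KEEP = []   # listening sockets kept referenced so they stay open for the demo


def build_dns_query(name, txid=0x1234):
    """RFC 1035 A query: 12-byte header, QNAME as length-prefixed labels, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)         # RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def probe_tcp(host, port, timeout=2.0):
    """A completed TCP handshake is proof enough that the rule allows the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_udp_dns(host, port, name="example.com", timeout=2.0):
    """UDP has no handshake: send a real DNS query and require a matching answer."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, port))
            data, _ = s.recvfrom(512)
        except OSError:          # timeout (silently dropped) or ICMP unreachable (closed)
            return False
        # same transaction ID and QR=1: an answer, not a stray packet
        return len(data) >= 12 and data[:2] == query[:2] and bool(data[2] & 0x80)


def probe_port(host, port):
    return {"tcp": probe_tcp(host, port), "udp": probe_udp_dns(host, port)}


def start_tcp_listener(host="127.0.0.1"):
    s = socket.socket()
    s.bind((host, 0))
    s.listen()
    _KEEP.append(s)
    return s.getsockname()[1]


def start_fake_dns(host="127.0.0.1"):
    """Constructed resolver: answers any query with one A record for 192.0.2.1."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    _KEEP.append(s)

    def serve():
        while True:
            q, peer = s.recvfrom(512)
            # copy the ID, set QR/RD/RA, echo the question, add one answer via a name pointer
            resp = q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + q[12:]
            resp += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.1")
            s.sendto(resp, peer)

    threading.Thread(target=serve, daemon=True).start()
    return s.getsockname()[1]


def demo():
    """Same port number, different protocol: the two probes are expected to disagree."""
    return {
        "udp_only": probe_port("127.0.0.1", start_fake_dns()),
        "tcp_only": probe_port("127.0.0.1", start_tcp_listener()),
    }
```

`demo()` returns `{"udp_only": {"tcp": False, "udp": True}, "tcp_only": {"tcp": True, "udp": False}}`, which is the whole point: a firewall rule for 53/tcp and one for 53/udp are separate rules, and a probe has to test each on its own terms. Against a real resolver, point `probe_port` at it instead of the loopback stand-ins.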


I dunno (none / 0) (#152)
by Milo Minderbender on Thu Jul 22, 2004 at 10:23:38 AM EST

It doesn't make any sense, but it's just the way it is. If I were the network admin, I wouldn't make it so insanely restrictive...but I'm not.

--------------------
This comment is for the good of the syndicate.
SSL port forwarding! (none / 0) (#153)
by someoneunamed on Thu Aug 26, 2004 at 02:47:26 AM EST

I use gtOrenoPC and aps089 for SSL port forwarding. This allows me to do just about whatever I want, securely connecting through only one port at work. Multiple ports can be forwarded. This is currently free and available here. Happy circumventing!

Funny stuff (none / 1) (#155)
by Occulis on Wed Oct 27, 2004 at 03:23:57 PM EST

Hilarious. If your job forces you to have downtime, you're either going to read a book, study from a book, or use your net for your own good. Might as well be productive from it. Kudos to you!

hehe (none / 0) (#156)
by evro on Sat Oct 30, 2004 at 01:32:58 AM EST

Heheheheheh. Occulis.
---
"Asking me who to follow -- don't ask me, I don't know!"
Tunneling through freedom (none / 0) (#157)
by pekar on Tue Aug 02, 2005 at 11:15:03 AM EST

If you need to tunnel ports, try this: http://your-freedom.net (it works for me!)
abstraction: "I need to know the time not how to build a watch"
Tunneling Out of Proxy Prison | 157 comments (140 topical, 17 editorial, 0 hidden)