
Velocity Reviews > Newsgroups > Computing > Computer Security > Surfing at Work


Surfing at Work

Juergen Nieveler wrote:

> Strangely, everybody here seems to have gone into a flamewar over
> private Internet use...

Strangely people here seem to think that using the company network is
somehow also private - not.
nemo outis
In article
<(E-Mail Removed)>, Leythos
<(E-Mail Removed)> wrote:
>In article <m8Ecd.128851$a41.123601@pd7tw2no>, nemo Removed)
>(nemo outis) says...
>> In a nutshell, you're wrong - it isn't easy for the sysadmins. If
>> it were, the problems would have disappeared years ago. And they
>> haven't!

>Nope, I'm right. The problem is not that it's hard to detect, since it's
>not, it's that there are more and more people in positions they should
>not be in. Many people that are in positions of Network Administrators
>are just people that lucked into the position since they were willing to
>take less money than the qualified administrator. I see it all over the
>country, companies, fortune 100, that have a bunch of unqualified people
>maintaining their networks. Don't get me wrong, they have fully
>qualified people, but they are doing something else while the chap
>monitoring the firewall presents an image of knowing something.

Are you only getting around now to reading my previous posts in
which I said most sysadmins were ill-trained, overworked, and
underfunded, and that this made network compromise child's play
in most cases?

You dismissed the phenomenon when I spoke of it just a few short
posts ago - are you conceding its near-universality now?

>If you had ever looked at the real-time traffic monitors, logs, phone
>records, and understood what you were looking at, you would know that
>it's easy to detect/spot the things you claim to use.

Yes, I've looked at them, and, yes, I understood what I was
looking at. Not on all of the systems I penetrated, of course
(they weren't quite that lax), but often enough. And, of
course, I looked at the output of the tools from my own
simulations of the networks I penetrated. I would never try to
compromise a system I didn't understand ten times better than the
sysadmins running it.

Of course, in principle, for every exploit there is a counter
[remember my cowboy aphorism?]. And you can foolishly say -
after the fact - that if you had been there you would have
implemented exactly that counter. But that is patent bullshit -
while you can cover any particular exploit (once you've been told
about it!) you cannot know about nor cover them all. Not without
resources beyond those granted to all but the tightest of
organizations (yeah, I'll grant the NSA would be tough to crack).

Ross Anderson in Security Engineering develops the same theme in
a slightly different context when talking about bugs. Condensing
and simplifying greatly, the exploiter need only find one usable
bug, but the bug-swatters must try to exterminate them all.
Contrary to expectations, the lone exploiter has a huge advantage
even over hundreds of swatters!

Nor do most sysadmins think of the strange interactions and
multiple uses of a specific technology, or interface, or feature,
etc. For instance, here's another simple throwaway.

Now, just as a conjurer's trick no longer amazes once it has been
explained, I'm sure you will bluster, "Yeah, I knew about that."
But the overwhelming likelihood is that while you may have had
some passing acquaintance with specific ingredients of the
recipe, such as ADS, you hadn't thought about how to use it this
particular way, and therefore, all the more so, hadn't ever
thought how to prevent it.

In a nutshell: I have used alternate data streams, inter alia, in
order to bypass disk quotas on shared network drives.

Now, having been told the trick, you could easily check for and
stop it. But, even in situations where sysadmins had some
knowledge of alternate data streams (coming to the party a decade
or more late, I might add!) they had never thought how to use
them in this specific way. Or how to prevent it! I have NEVER
encountered an organization that was aware of this specific trick
(unless and until I told them).

And I could regale you with the many tricks that can be done
using reparse points to break security, but I'm sure there's no
need - a hotshot like you already knows them all, right?

No, a sysadmin's lot is not a happy one, happy one [acks to G&S].

Just as locks only help to keep honest people honest, all a
sysadmin's monitoring does is raise the threshold to keep
triflers out. But there are those who can crack, not just any
lock, but any safe. And similarly, there are those to whom
network security - an oxymoron if there ever was one - is a joke!


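A defender-side check for the alternate-data-stream quota trick mentioned in the post above, added here as an example and not code from the thread: it walks a share, lists every non-default NTFS stream and totals the hidden bytes per file owner so they can be compared with each user's quota charge. It assumes PowerShell 3.0 or later (for Get-Item -Stream) and a hypothetical share path; small Zone.Identifier streams on downloaded files are normal noise, which the size filter suppresses.

```powershell
# Added example (not from the thread): find NTFS alternate data streams under a
# share and total their bytes per file owner. Assumes PowerShell 3.0+ and that
# $SharePath points at an NTFS volume (local path or UNC).
param(
    [string]$SharePath = '\\fileserver\users',   # hypothetical share path
    [int64]$MinBytes   = 1MB                      # report only streams at least this large
)

$streams = Get-ChildItem -LiteralPath $SharePath -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        # -Stream * lists every stream on the file or directory; ':$DATA' is the
        # ordinary file content, so only the extra (alternate) streams are kept.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Owner  = (Get-Acl -LiteralPath $item.FullName).Owner
                }
            }
    }

# Largest hidden streams first (Zone.Identifier markers are tiny and drop out here).
$streams | Where-Object Bytes -ge $MinBytes |
    Sort-Object Bytes -Descending |
    Format-Table Owner, Bytes, Stream, Path -AutoSize

# Bytes parked in alternate streams per owner, for comparison with quota reports.
$streams | Group-Object Owner |
    ForEach-Object {
        [pscustomobject]@{
            Owner    = $_.Name
            Streams  = $_.Count
            ADSBytes = ($_.Group | Measure-Object Bytes -Sum).Sum
        }
    } | Sort-Object ADSBytes -Descending | Format-Table -AutoSize
```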
"Leythos" <(E-Mail Removed)> wrote...
> In article <ckusb5$732$(E-Mail Removed)>, (E-Mail Removed)y says...
>> "Leythos" wrote...
>>> It would be nice if they had to give a reason, but they don't in most
>>> cases. This is what makes it great for workers and employers alike -
>>> people work hard they get to keep their job (most of the time), people
>>> that are slackers get fired (most of the time).

>> I fail to see any benefit to an employee in not being given a reason.
>> Suppose a new manager came in and fired someone because he didn't like
>> the colour of their skin? Without a reason, the employee has no
>> redress for discrimination.

> That's the very reason that some idiot created the laws that let you
> fire people without reason in some states. I personally think that you
> should have to have a reason, backed with documentation, to fire
> someone.

When you said "This is what makes it great..." above, you gave me the
impression that dismissal without reason was a good thing!

>> They don't, but I was commenting on your apparent position of the
>> company owing you nothing. It's a two-way thing. Both sides have their
>> responsibilities towards each other.

> I understand your position, but in the UK you also get 30 days holiday

I think the norm is 20 to 25. Some organizations give more for long
service, or seniority. I'm one of the lucky ones. I've heard it's two
weeks in the US - far too short!

> if I remember what some of my friends said. I, on the other hand, have
> not had 30 days off in the last 10 years. Some of that is my own fault,
> I started an IT company about two years ago after resigning my position
> as a director of another IT company. Even then, I was on the road or
> working 12+ hour days, for 50+ weeks a year.

I wouldn't want the hassle of that sort of job, but it probably pays
well. The question is, when would you have time to spend your earnings?
I enjoy my work (software development), most of the time, but I value
my time off.

> Don't get me wrong, I was also a UAW member, a Teamster, and a Union
> Steward too. I have worked as an hourly most of my life, and see both
> sides. The idea that the company owes me anything more than what's in my
> contract, benefits, and wages, and a safe place to work, is just wishful
> thinking. While it would be nice if they owed me 2 hours per 8 hour day
> to relax, a nice Cuban cigar at lunch,

All I expect is that they treat their employees decently. I'm not much
interested in perks.

> and all the tea I can drink for free,

But we do get that!

> it's not something I'm going to expect out of them. The same goes
> for their resources, just because they have resources doesn't mean I'm
> entitled to use them in any capacity other than as directed.

I'm not in disagreement. In my company we have two separate networks.
One is internal, with highly controlled and very limited access to the
outside world. This is the "business" network. The other is much less
controlled and mainly for Internet usage. We are free to use it more or
less as we want, within reason, and as long as no sensitive company
information is stored on it.

> The last company I worked for, as a Director, provided free Beer and
> drinks after 4:00 PM most days of the week, but I don't expect to see
> that many places. And no, I don't offer that to my team either.

Nice, but I'd rather have the money to spend in a tavern of my choice
than hang around after work.

Juergen Nieveler
Leythos <(E-Mail Removed)> wrote:

>> Strangely, everybody here seems to have gone into a flamewar over
>> private Internet use...

> Strangely people here seem to think that using the company network is
> somehow also private - not.

Depends. If the company ALLOWS you to use Internet privately, then at
least in some countries by default they HAVE to respect your privacy
unless they make you sign a paper saying that they can monitor you.

But since the original poster said that he IS allowed private
Internet use, the flamewar was just a waste of bandwidth... all he
wanted to know was a technical answer.

Juergen Nieveler
File not found, I'll load something *I* think is interesting.
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> But since the original poster said that he IS allowed private
> Internet use, the flamewar was just a waste of bandwidth... all he
> wanted to know was a technical answer.

You see it as a flame-war, I don't think that either myself or the other
chap did.

