Surfing at Work

Discussion in 'Computer Security' started by HB2, Sep 28, 2004.

  1. HB2

    Bill Unruh Guest

    ]HB2 wrote:
    ]> Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    ]> is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    ]> have Windows 2000. Is it safe to assume that my e-mails are kept private
    ]> from my employer since they are sent using SSL? Does Windows 2000 Server

    No.

    ]> have monitoring tools built in or would our employer have to purchase such
    ]> monitoring tools separately?
    Both.

    ]>
    ]> Also, its my understanding that using a keyboard log program is illegal.
    ]> Is this correct?

    No, it is not AFAIK illegal. Employers can more or less do what they want
    with their own computers. There may be some expectation of privacy, but it
    is pretty weak WRT computers I believe.
     
    Bill Unruh, Oct 6, 2004
    #21

  2. It's a very legal thing to do. I have some clients doing it and it works
    like a charm.
     
    Lawrence A Rodis, Oct 7, 2004
    #22

  3. HB2

    nemo outis Guest


    Ignore the nascent Nazis who thrill to tell you you will be fired
    for sending email from work, etc. Shit, never mind your internet
    habits, in the fascist US you can be fired for ANY reason or NO
    reason - most contracts of employment are "at will." Most of
    the rest of the world is more civilized.

    But, in any case, don't let officious low-level functionaries
    (e.g., sysadmins) with megalomaniacal dreams of power turn you
    into one of the sheeple.

    You are not a medieval serf. You are selling your services for
    money. There is a reciprocal benefit. Your company should value
    your services and it would cost them a lot of money to replace
    you. You should not rip the company off by excessive use of
    company facilities for personal matters, but the company should,
    in turn, not try to run the company like a Dickensian sweatshop.

    If they have so little regard for you as to disregard your
    privacy then you are better off without them. They don't need to
    continuously shine a flashlight up your ass to make sure you are
    working - they can manage by results. (A dusty old book I once
    read said: By their fruits ye shall know them.)

    Yes, you will get rants here and elsewhere about how you owe
    every second of your existence to the company and that if you so
    much as go to the can they have the right to check if there is a
    turd in the bowl in case you were just malingering. You decide
    if you're willing to live like that - I'm not.

    But before the inevitable flames begin from the net-nazis who
    revel in the vicarious thrill of telling you that you will not
    just be fired but burned at the stake in the company parking lot,
    let's discuss mechanics.

    Encrypted communications over the company net is one way but while
    they cannot check content they can know you are doing it. So let
    me explain two alternatives:

    1. Get an (ordinary analog) modem and surf out on the fax
    line. There are prudential issues about being unobtrusive, not
    hogging the line, etc. but any reasonable person will quickly
    figure these out for himself.

    2. Get a digital modem (not an ordinary analog one - you'll
    fry it!) and surf out through the company PBX system. Yeah,
    they're a bit pricey - life's a bitch! But it is very, very rare
    for companies to monitor this.

    For both 1 and 2 you'll need a dial-up ISP.

    There are more sophisticated methods of actually using the
    company internet but I will not describe them here.

    Regards,
     
    nemo outis, Oct 16, 2004
    #23
  4. HB2

    Leythos Guest

    This is true, in most states you can be fired without reason. In the
    other states, you can be fired for ANY reason.
    You have no privacy when using the company services or anything else
    that belongs to the company - except the bathroom stall, if there is a
    door on it. You should not expect any privacy except in the bathroom.
    It's people that steal company services and materials that have caused
    this level of monitoring in the workplace.
    You only OWE the company the time they pay you for, but they don't owe
    you any relaxation time while you are at work (unless your contract
    provides for it). You also can't use company resources for personal use
    without their express permission, when it's against company policy. You
    really need to understand that there is nothing that the company OWES
    YOU, you get paid for working, that's the entire contract.
    Yea, good idea, tie up the FAX line while playing around at work, see what
    happens when someone is missing a fax that was just sent, or when they
    try to send a fax but the line is busy because the person connected in
    between the fax and the outlet instead of to the daisychain port from
    the fax.

    See what happens when they see the 100' tel-co cable running from the
    fax machine to your location.
    Since most PBX systems monitor lines and generate USE reports, you're
    going to have to explain the time sooner or later.
    And every one of them will get you caught red-handed and the reaction
    from the company MAY include firing you.
     
    Leythos, Oct 16, 2004
    #24
  5. HB2

    Jim Watt Guest

    <bullshit snipped>

    A) Buy your own computer, pay for an internet
    connection and use the Internet at home in your own time

    B) Rob a bank, it's more profitable than stealing at work.

    Option a) is legal but does not result in an extended stay
    in all-in residential accommodation
     
    Jim Watt, Oct 16, 2004
    #25
  6. HB2

    Ant Guest

     
    Ant, Oct 16, 2004
    #26
  7. HB2

    Leythos Guest

     
    Leythos, Oct 16, 2004
    #27
  8. HB2

    nemo outis Guest


    So tell me, Jim, where do you buy those nifty brown shirts of
    yours? - you know, the ones with the epaulets and insignias and
    all.

    Regards

    PS As I predicted, the vicarious enforcers of pettiness have
    already come out of the woodwork.
     
    nemo outis, Oct 17, 2004
    #28
  9. HB2

    nemo outis Guest

    [QUOTE FROM FINJAN WEBSITE]
    FinJan SSL 1Box™
    This solution enables threat analysis of encrypted SSL/HTTPS traffic and
    enforces SSL certification.
    SSL 1Box™ decrypts SSL/HTTPS traffic and reveals the original data,
    allowing Internet 1Box™ or another security proxy to perform security
    analysis and defend against hidden attacks. Furthermore, the device
    maintains role based policies to allow/block access of SSL traffic carrying
    an invalid certificate. SSL 1Box™ maintains confidentiality and preserves
    user privacy
    [/END_QUOTE]

    The only way to find out if your company has such a device is to examine
    the SSL certificate and find out who issued it.

    Only the terminally stupid do not examine certificates and
    independently verify them for the encrypted proxies they use.
    Moreover, sensible folks do not keep them in their certificate
    store at work (which might be tampered with) but use them only on
    a "per session" basis (although even that is rather sloppy
    practice - I prefer to boot from a Knoppix MiB CD).

    Regards,
     
    nemo outis, Oct 17, 2004
    #29
  10. HB2

    Leythos Guest

    [snip]
    He is where we differ, as a consultant for many corporations, I see them
    tightening their security methods in order to prevent loss and wasted
    time by slacker employees.

    In one case, in just under 1 day's time, after reviewing the logs and
    watching a suspected node, we were able to find a person working for a
    company that was also working for the competitor of that company - while
    in the office on company time!

    I know all the methods of getting out around a typical corporate network
    that's been "locked down", it's my job to know how, and how to subvert
    all the other means to get a connection, don't think that companies that
    get burned once will not find an easy means to look for it in the
    future. Some companies are getting wise, they are looking BEFORE it hits
    them in the pocketbook.

    People can do their work without "playing" around on the computer, in
    fact, most people would be much more productive without internet access
    while at work.

    I understand that people can get away with a lot while at work, but
    let's not kid anyone, if they get caught they may get fired or worse.

    Your ethics may not be on par with the rest of the honest people, but
    don't show people how to get into trouble with their employers.
     
    Leythos, Oct 17, 2004
    #30
  11. HB2

    nemo outis Guest


    I have had similar conversations before - many times. You feel
    threatened. I understand. So let me reassure you right from the
    outset: you are the exception, no one could ever do anything
    undetected on any network you run. Feel better?

    As I said, I have had similar conversations many times before.
    And I have repeatedly had to reassure threatened sysadmins, each
    bristling with offended professional pride, that he was the
    exception.

    Yes, some companies - a very few - are serious about security and
    give it the resources it needs. Most don't. Security is a cost
    centre, not a profit centre, a "hygiene item" to which much lip
    service is paid but which winds up sucking hind tit for money and
    attention.

    You say you caught someone? Well, good for you! And what about
    the ones you didn't catch? But, of course, they don't exist -
    they can't exist!

    To beat the system is trivially easy in most cases - although
    that's no excuse for sloppiness. No, discipline, discipline
    above all. And with it a good measure of research and patience.
    Patience, that rarest of virtues in North America.

    A few years ago I had to crack a tough one: the security system
    of one of the largest [redacted] companies. Not that it was that
    hard - after the fact - but they were serious and I couldn't
    afford any mistakes. So full-blown analysis, careful study of
    all hardware and software manuals, monitoring and response
    modelling, the works. Simulated a subset of their network with
    Vmware GSX on my home machines, running *the same* system and
    monitoring software (Isn't it funny how easy it is to find out
    what monitoring and security software is being run? They're
    always so eager to brag about their impenetrable methods! Same
    weakness as me, I guess :) Took nearly two months until I was
    ready.

    No, quality assurance and testing are not methods solely used by
    the white hats.

    And, in the end, it was simple - once I'd done my homework.
    (Their Achilles heel? They were so security conscious that some
    users had to violate security policy - in small ways - just to
    get their work done. That opened holes. I piggy-backed on those
    holes. In short, they were too careful! Security had become the
    enemy of productivity - and productivity won.)

    There are many many methods that can be used. Even simple ones
    like installing a proxy on a coworker's machine and tunnelling
    through it from a third company machine to see if he draws heat
    work well. My trusty keyghost gets their passwords well in
    advance, of course.

    And psychological jiu-jitsu as well, such as installing a
    keyghost on my own machine. Plausible deniability! Omigod, I've
    been victimized!

    And those are just junk methods I'm willing to throw away in
    public here to give you the flavour.

    You are a sysadmin. You think of it as "your" network.
    Sysadmins tend to have the outlook and disposition of small-town
    policemen - it goes with the line of work. Despite some
    familiarity with networks, etc. few think like a hacker. Most
    sysadmins are the white hat equivalent of script kiddies - they
    only know how to use the tools formulaically.

    So, yes, you are jealous of your network. Why should you have to
    share it with "them," the great unwashed who are so clueless and
    so much trouble? They don't really need your lovely network.

    He sent an email to his wife on company time? Well, lash him to
    a grating, Mr. Christian, and fetch the cat-o'-nine-tails!


    My ethics are to give good value for money, which is why I have
    been in high demand these forty years, including much repeat
    business from clients. But I don't let the pettifoggery of minor
    functionaries and their obsession with silly and trivial rules
    get in my way while I'm about it.

    Regards,

    PS When sysadmins brag about catching miscreants who dared
    to take liberties with their systems, I am reminded of the
    equally proud boasts of law enforcement officials whenever they
    seize some laundered money.

    But then I remember that, even by their own statistics, law
    enforcement catches only one-third of one percent of the amount
    of money that is laundered!
     
    nemo outis, Oct 17, 2004
    #31
  12. HB2

    Leythos Guest

    [snip]
    I don't feel anything about it at all. In fact, I only feel sorry for
    people like you.
    There is nothing offended, not pride, not honor, etc... A good network
    security admin will expect that people want to violate policy, do
    personal things, etc... It's up to the company as to how they want to
    handle it - the security admin is there to let the company know what is
    going on with their network, enforce policy based on network use, and to
    make adjustments so that people can do their "work".
    All forms of maintenance are a cost center, but some of the cost
    centers, when run by a good manager, can show ROI if they understand the
    company cost/profit model. A good IT department, while mostly running in
    the RED, may be able to cover its costs by increasing productivity,
    decreasing down-time, decreasing losses, etc...
    There are always people that don't get caught, most of the ones that
    don't get caught are not the ones we care about. People that tunnel out,
    visit residential subnets, foreign networks, etc... (for those that
    don't already block those sorts of places) are the ones that we look
    for. It's fairly easy to see/catch people connected to services outside
    the company, it shows up in the real-time monitoring software attached
    to the firewalls.

    Catching people is only a benefit of the real work - keeping the network
    performing as designed, limiting loss of productivity, limiting loss of
    information, limiting compromising of systems.
    I see how you think now - too careful? They were slackers, creating an
    easy way around an issue. Security only becomes a problem when the
    security admin doesn't understand the network and methods fully. You can
    easily give people all the access they "need to work" without
    compromising security, but most people don't really NEED all the access
    they want in order to efficiently work.
    And only a noob admin would fall for that, or one that doesn't really
    care about security.
    No, I'm a contractor that designs corporate networks, including their
    security methods. I perform report support as needed and on a time
    basis. I travel all over the country as needed, but can monitor
    everything remotely if needed.
    Those admins, as you describe, are part of the problem. Had they been
    hackers in their early years, had they been ethical, had they taken a
    love for the science, had they actually learned about security (other
    than from a teacher or book), they would be great admins. In today's
    world, people get promoted to CIO without even knowing about IPSec or
    about the systems at the OS level, they are just managers of people that
    mostly have skills. This is where the problem lies, in people in jobs
    that don't really understand the systems and infrastructure.
    Wrong idea, or at least the wrong person, I believe that I'm here to
    serve the people that need the network, that the network is there to
    make their jobs easier, that the job benefits from a smoothly running
    network, that security ensures that the network is of benefit to the
    company....

    I'm also of the school that thinks that the network BELONGS to the
    COMPANY, not the users. As long as the network BENEFITS the COMPANY
    goals and mission, then it's running as it should. There is no benefit
    in allowing personal, non-company, use of the network - it only
    decreases productivity of the network, of the users, and risks
    compromise by the abusers.
    People that don't "abuse" the system are not a problem, and most policy
    documents are clear on that. A few emails per day will not bring down
    the net-police on anyone. What the IT department has a hard time with is
    when an employee starts running a football-pool on company email, when a
    person signs up for daily weather info, when a person signs up for a
    porn site, when a person subscribes to the local news alerts.... All of
    that is personal and takes valuable company resources that are better
    used for COMPANY purposes. Imagine all the spam companies get because of
    the lamers that visit sites and use their company email address, all of
    the subscription services that they use with their company email
    address.... And it goes on and on and on and on.....
    I've been doing this for a long time too, since the late 70's, and
    getting paid for it. Sure, the job and methods have changed a lot since
    back then, but it's just getting worse and people are starting to feel
    that they are OWED something by the company, other than their paycheck
    and benefits.

    If you had a valid company related reason to use resources then I could
    see letting you have the access you need, provided there was some form
    of security, but to just let you surf the net, get personal email,
    listen to streaming audio from a radio station, watch videos from your
    system at home, etc... None of that makes good business sense, it
    doesn't HELP the company in any manner.

    [snip]
    That's because they are hindered by laws that prohibit them from
    monitoring what they need, hindered by search laws, etc... Companies are
    not hindered by anything when it comes to monitoring their own networks
    and systems.

    A good admin will have a set of tools that he can use to monitor for
    specific activities that do not require him to physically be present
    during the monitoring. They will also have scripts that can process the
    firewall logs to red-flag things like you describe...

    It may be fun/a game to you, but what you espouse as being "OK" is not
    benefiting the company and in fact, by your own descriptions, is
    decreasing the performance of the network and productivity of workers.
    Sounds real ethical to me (NOT).
     
    Leythos, Oct 17, 2004
    #32
  13. HB2

    nemo outis Guest

    <>, Leythos
    ...snip...

    I know you are convinced you are the exception - that a sysadmin
    as good as you could never be beaten. That's why I addressed it
    even before you brought it up: your position is by no means
    unusual. To the contrary, it is the one expressed by every
    sysadmin I have ever spoken to. Sorta reminds me of the way that
    99% of men are convinced they're better than average lovers and
    drivers :)

    You argue against yourself. While giving me the pitch you use to
    cadge dollars from management ("Systems aren't reeeeeeally just a
    cost - they contribute "indirectly" to a healthy bottom line.")
    you admit a few short paragraphs later to the inadequacies of
    many sysadmins. You also acknowledge, grudgingly, that the
    problems are getting worse, not better. Exactly the point I made
    about the "existence proof" of the weakness of most systems: the
    enormous number of security failures year after year in companies
    from big to small. Maybe you are as great as you claim, but,
    passing over exceptions such as you, there sure must be a pile of
    sysadmins somewhere doing a piss-poor job!

    As for your "it's the company's property" mantra, I am not
    surprised. Such "property before all else" is a uniquely USian
    phenomenon with a long (and checkered) history. Hell, the US
    Supreme Court ruled in Dred Scott that even people (black
    people!) were property and it took a civil war and a
    constitutional amendment to back USians off that particular
    interpretation of "property before all else." That an only
    slightly milder form of it should still be asserted today towards
    workers is hardly surprising.

    You speak of those who waste their time playing on the net all
    day, and how it is you who, with unerring skill and
    determination, unmasks them to management. Hah! I spoke in my
    previous post about sysadmins having the mentality of cops. And,
    true to form, you reveal yourself as an Inspector Javert tracking
    Jean Valjean to the ends of the earth for his stolen loaf of
    bread - or, in this case, illicit email!

    Let me tell you this. If I ran a company and you found out
    someone had been wasting time for weeks on end on the network, I
    would be mad as hell and would fire someone. No, not the guy
    wasting time, but his manager. If a manager doesn't know whether
    his people are productive without spying on them then he's the
    one who has to go!

    Sensible companies do not treat their workers as serfs, or worse,
    as prisoners to be spied on. Good management knows that creating
    a hostile "my way or the highway" environment and a suspicious
    and adversarial outlook towards workers is a recipe for disaster.
    No, such pettiness is the domain of minor functionaries like
    sysadmins who have the "rules must be obeyed" mentality of geeky
    hall monitors in grade school.

    But I won't persuade you, so I needn't continue. I have made my
    case to those who are open to it.

    In closing, although you are convinced that no one could ever
    defeat you, let me leave you with a little bit of cowboy wisdom
    from up here in Alberta that you might wish to ponder (It has
    helped keep me from getting too cocky):

    There ain't a horse that can't be rode - there ain't a cowboy
    that can't be throwed.

    Regards,
     
    nemo outis, Oct 17, 2004
    #33
  14. HB2

    Leythos Guest

    I think you are clearly mistaken, I never claimed to be perfect or not
    beaten, I only claimed that your complete abuse of the rules is a
    serious character flaw, that all of the things you mention in getting
    around the security methods can easily be detected, and that you're full
    of hot air.
     
    Leythos, Oct 17, 2004
    #34
  15. HB2

    nemo outis Guest


    Well, isn't it lucky then that a person as full of hot air as I
    has had over thirty years of unbroken success in penetrating and
    compromising systems?

    If that's just luck then I'll comfort myself with Napoleon's
    remark that he'd rather have lucky generals than good ones.

    Regards,

    PS I love the outraged self-righteous sense of morality you
    project - Inspector Javert couldn't hold a candle to you.

    Violating company rules? What moral turpitude! Raping little
    girls pales in comparison to such a heinous act!
     
    nemo outis, Oct 17, 2004
    #35
  16. HB2

    Leythos Guest

    I never said you couldn't do it, I said that it's easy to detect and
    that the people you advocate doing this to may not be as lucky as you
    are in not getting reprimanded.

    It's the ethics you espouse that I disagree with.

    Breaking through corporate networks from the inside to the outside is
    child's play for those that know a little, or those that have enough
    time.
     
    Leythos, Oct 17, 2004
    #36
  17. HB2

    nemo outis Guest

    Everything is easy and obvious - after the fact. What could be
    more trivially simple than E=m.c^2? That, for instance, was the
    point of my digital modem through the PBX story. (And, no,
    despite your protestations, few companies pay much attention to
    usage for local numbers. Not that that would be an issue for
    someone not spending hours a day at it.)

    Life is a risky business - no one gets out alive. But risks and
    consequences can be managed. A careful, thorough person can surf
    out undetected from virtually all companies - only the amount of
    work to accomplish it varies. (I say "virtually" out of
    graciousness - my experience is "all.")
    There are more things in heaven and earth, Horatio, than are
    dreamt of in your philosophy.

    I have tried to give you a few glimmerings that what you
    apparently regard as bedrock values are not universal and are not
    unquestionable or unquestioned. That goes, for instance, for
    your sacrosanct "property rights." And it goes, a fortiori, for
    your "corporate rules must be obeyed" outlook.

    If our forbears had unquestioningly accepted such dicta children
    would still be working 12-hour days and any attempt by workers to
    organize would still be a criminal "combination in restraint of
    trade."

    Working conditions that are unconscionable (as spying on
    employees certainly is, in my view) - whether enshrined in law or
    not - are legitimately opposed by fair means or foul.

    Which is where I entered this discussion. You have taken a very
    circuitous route only to wind up conceding the obvious.

    Regards,
     
    nemo outis, Oct 17, 2004
    #37
  18. Strangely, everybody here seems to have gone into a flamewar over
    private Internet use...

    To answer your actual question: If you use a SSL connection to an
    external server AND religiously check that the SSL certificate
    displayed in your browser actually is the right one (some proxies can
    do Man-in-the-middle for SSL connections), yes, you are protected from
    prying eyes in your company network, unless they installed something on
    your machine to monitor you. The owner of the SSL proxy might still
    monitor you, though - best to simply switch to a webmail service that
    offers SSL all by itself.

    As for the legality of installing monitoring software on your PC - that
    depends on your work contract and where you live. AFAIK in the US it's
    pretty much legal... I know that it ISN'T legal in .de if you HAVE been
    given permission to use the Internet privately from your workplace,
    though, unless you've signed something that allows the company to
    monitor your traffic. And even then, keyloggers etc. would be illegal -
    but that's just for .de, YMMV in other countries.


    Juergen Nieveler
     
    Juergen Nieveler, Oct 17, 2004
    #38
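    An added example (not code from the thread) of the check Juergen describes: compare the certificate the TLS socket actually receives against a fingerprint and issuer recorded from an uninterfered connection, so an interception proxy that mints its own certificate for the same hostname stands out even though the subject looks right. The host name, issuer names and the DER byte strings are constructed placeholders, not real certificates.

```python
"""Detect a TLS-intercepting proxy by comparing the received certificate
against a pinned fingerprint and expected issuer.  All names and the
DER byte strings below are constructed placeholders."""
import hashlib
import socket
import ssl


def flatten_name(rdn_sequence):
    """Convert the nested tuples ssl.getpeercert() uses for 'subject' and
    'issuer' into a flat dict, e.g. {'commonName': 'mail.example.test'}."""
    flat = {}
    for rdn in rdn_sequence:
        for attr_type, value in rdn:
            flat[attr_type] = value
    return flat


def fingerprint(der_bytes):
    """SHA-256 of the DER encoding: the value browsers display as the
    certificate fingerprint and the value you record ("pin") beforehand."""
    return hashlib.sha256(der_bytes).hexdigest()


def assess_certificate(cert, der_bytes, host, pinned_fingerprint, expected_issuer_cn):
    """Return (ok, reasons); ok only when subject, issuer and fingerprint
    all match what was recorded from a trusted network."""
    reasons = []
    subject_cn = flatten_name(cert.get("subject", ())).get("commonName")
    if subject_cn != host:
        reasons.append(f"subject CN {subject_cn!r} is not {host!r}")
    issuer_cn = flatten_name(cert.get("issuer", ())).get("commonName")
    if issuer_cn != expected_issuer_cn:
        # An interception device signs with its own CA, so the issuer gives
        # it away even when the subject was copied from the real server.
        reasons.append(f"issuer CN {issuer_cn!r} is not {expected_issuer_cn!r}")
    observed = fingerprint(der_bytes)
    if observed != pinned_fingerprint:
        reasons.append(f"fingerprint {observed[:16]}... differs from pin")
    return (not reasons, reasons)


def fetch_peer_cert(host, port=443, timeout=10):
    """Open a TLS session and return (parsed_cert, der_bytes) as seen on the wire.
    The default context trusts whatever CAs sit in the local store; if the
    proxy's CA was added there the handshake succeeds anyway, which is why the
    pin comparison in assess_certificate() is the real check."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# --- constructed sample data standing in for real certificates ------------
HOST = "mail.example.test"
GENUINE_DER = b"constructed: DER of the webmail server's real certificate"
PIN = fingerprint(GENUINE_DER)  # recorded once, from a trusted network
GENUINE_CERT = {
    "subject": ((("commonName", HOST),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
# What an SSL-inspecting proxy hands out: same subject, its own issuer.
PROXY_DER = b"constructed: DER minted by the interception device per session"
PROXY_CERT = {
    "subject": ((("commonName", HOST),),),
    "issuer": ((("commonName", "CORP-SSL-PROXY-CA"),),),
}


def check_samples():
    """Assess both constructed cases; returns (genuine_ok, proxy_ok, proxy_reasons)."""
    expected_issuer = "Example Public CA R1"
    genuine_ok, _ = assess_certificate(GENUINE_CERT, GENUINE_DER, HOST, PIN, expected_issuer)
    proxy_ok, proxy_reasons = assess_certificate(PROXY_CERT, PROXY_DER, HOST, PIN, expected_issuer)
    return genuine_ok, proxy_ok, proxy_reasons
```

    Against a live host, `fetch_peer_cert()` supplies the two arguments `assess_certificate()` needs; record the pin from a network you trust before relying on it at work.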
  19. Why do I have the feeling that you'd get laughed out of court if you
    tried to give THAT as a reason for private Internet use? ;-)

    Juergen Nieveler
     
    Juergen Nieveler, Oct 17, 2004
    #39
  20. Desktop AV should always be the last line of defense - but
    unfortunately proxy server AV doesn't catch viruses in SSL-sessions :-(
    Only if one can get authorisation for mail encryption. A company that
    doesn't allow mail encryption should get busted for violation of
    Sarbanes-Oxley - they're doing NOTHING to prevent industrial
    espionage, which damages the company...
    Indeed. In Germany, there's a legal requirement to have a company
    privacy officer, who MUST NOT belong to the IT department.
    Many companies monitor private phone use and have you pay a reasonable
    fee for it - I wish there was a way to do the same for Internet use :)


    Juergen Nieveler
     
    Juergen Nieveler, Oct 17, 2004
    #40
