Defending yourself against Nazi IT departments

on 18.04.2007 00:40:08 by wini

Here is the deal:

You have decided to surprise your wife by purchasing sexy lingerie from
your favorite site. The problem is that you are at work and your Nazi IT
department has blocked your favorite site.

The recipe
(Defending yourself against Nazi IT departments)

1. Install BarracudaDrive on your home computer.

2. Make BarracudaDrive visible on the Internet by following the
installation tutorial.

3. Enable the tunnel server for your user ID.

4. Go to work.

5. Surf to your home computer using your default work browser.

6. Navigate to the BarracudaDrive "settings page" and login.

7. Start the HTTPS tunnel client by clicking the tunnel button on the
"settings page".

8. Start our preconfigured proxy version of the Firefox portable browser
(*).

9. Enter the URL to your favorite lingerie site.

10. Enjoy. Total satisfaction guaranteed.

Re: Defending yourself against Nazi IT departments

on 18.04.2007 01:26:54 by Sebastian Gottschalk

wini wrote:


> You have decided to surprise your wife by purchasing sexy lingerie from
> your favorite site. The problem is that you are at work and your Nazi IT
> department has blocked your favorite site.


Yeah, they're nazis because they're implementing policies to make you
actually work instead of having personal fun...

> 5. Surf to your home computer using your default work browser.


5a. The proxy will log this step.

> 7. Start the HTTPS tunnel client by clicking the tunnel button on the
> "settings page".


7a. Certificate mismatch. Once you accept, the proxy will log this step.

> 9. Enter the URL to your favorite lingerie site.


9a. URL or website hits keyword filter, access denied and attempt logged.

> 10. Enjoy. Total satisfaction guaranteed.

Real 10: Get a complaint from your IT department, on repeat you'll get
expelled from the IT. If your job depends on it, you'll get fired.
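
Sebastian's points 5a and 9a describe what a filtering proxy records when a user tunnels out to a home machine. The following is an added example, written for this thread and not posted by anyone in it, showing how a defender might sweep such proxy records for long-lived CONNECT tunnels to non-approved hosts and correlate them with filter denials. The log format, hostnames, IP addresses and the 10-minute threshold are all constructed assumptions.

```python
"""Flag long-lived HTTPS (CONNECT) tunnels in proxy logs.

Constructed, Squid-like log line format (space separated):
  <unix_ts> <elapsed_ms> <client_ip> <action> <bytes> <method> <url>
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: one workstation (10.1.2.3) keeps two long CONNECT
# tunnels open to a dynamic-DNS style home host and later trips the
# keyword filter; another workstation (10.1.2.9) shows ordinary traffic.
SAMPLE_LOG = """\
1176850800 120 10.1.2.3 TCP_MISS 5120 GET http://intranet.example.corp/news
1176850860 1800000 10.1.2.3 TCP_TUNNEL 9500000 CONNECT home-pc.dyndns.example:443
1176852700 1700000 10.1.2.3 TCP_TUNNEL 7200000 CONNECT home-pc.dyndns.example:443
1176854500 200 10.1.2.3 TCP_DENIED 0 GET http://lingerie.example/catalog
1176850900 3000 10.1.2.9 TCP_TUNNEL 20000 CONNECT mail.example.com:443
1176851000 90 10.1.2.9 TCP_MISS 1200 GET http://intranet.example.corp/
"""

# Assumed allowlist of destinations for which CONNECT is expected.
ALLOWED_CONNECT_HOSTS = {"mail.example.com", "intranet.example.corp"}
# Assumption: a CONNECT session held open for 10 minutes or more is unusual
# for ordinary browsing and worth a look.
LONG_TUNNEL_MS = 10 * 60 * 1000


def parse_line(line):
    """Split one log line into a record; CONNECT targets are host:port."""
    ts, elapsed, client, action, size, method, url = line.split()
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return {"ts": int(ts), "elapsed_ms": int(elapsed), "client": client,
            "action": action, "bytes": int(size), "method": method,
            "host": host}


def analyse(log_text, allowed=ALLOWED_CONNECT_HOSTS, long_ms=LONG_TUNNEL_MS):
    """Return findings for (client, host) pairs whose CONNECT sessions to a
    non-allowlisted host add up to at least long_ms, plus the number of
    filter denials logged for that client."""
    tunnels = defaultdict(lambda: {"sessions": 0, "elapsed_ms": 0, "bytes": 0})
    denied = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["action"].startswith("TCP_DENIED"):
            denied[rec["client"]] += 1
        if rec["method"] == "CONNECT" and rec["host"] not in allowed:
            t = tunnels[(rec["client"], rec["host"])]
            t["sessions"] += 1
            t["elapsed_ms"] += rec["elapsed_ms"]
            t["bytes"] += rec["bytes"]
    findings = []
    for (client, host), t in sorted(tunnels.items()):
        if t["elapsed_ms"] >= long_ms:
            findings.append({"client": client, "host": host, **t,
                             "denied": denied.get(client, 0)})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```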

Re: Defending yourself against Nazi IT departments

on 18.04.2007 11:51:53 by Bogwitch

wini wrote:
> Here is the deal:
>
> You have decided to surprise your wife by purchasing sexy lingerie from
> your favorite site. The problem is that you are at work and your Nazi IT
> department has blocked your favorite site.
>
> The recipe
> (Defending yourself against Nazi IT departments)
>
> 1. Install BarracudaDrive on your home computer.
>
> 2. Make BarracudaDrive visible on the Internet by following the
> installation tutorial.
>
> 3. Enable the tunnel server for your user ID.
>
> 4. Go to work.

That's a lot of work. Why not order it from home? Much simpler and you
don't run the risk of dismissal for misuse of Information Systems.

Or was that spam? I think it was.

Bogwitch.

--
Posted via a free Usenet account from http://www.teranews.com

Re: Defending yourself against Nazi IT departments

on 18.04.2007 12:25:54 by BernieM

"wini" wrote in message
news:c1cVh.15652$JZ3.7675@newssvr13.news.prodigy.net...
> Here is the deal:
>
> You have decided to surprise your wife by purchasing sexy lingerie from
> your favorite site. The problem is that you are at work and your Nazi IT
> department has blocked your favorite site.
>
> The recipe
> (Defending yourself against Nazi IT departments)
>
> 1. Install BarracudaDrive on your home computer.
>
> 2. Make BarracudaDrive visible on the Internet by following the
> installation tutorial.
>
> 3. Enable the tunnel server for your user ID.
>
> 4. Go to work.
>
> 5. Surf to your home computer using your default work browser.
>
> 6. Navigate to the BarracudaDrive "settings page" and login.
>
> 7. Start the HTTPS tunnel client by clicking the tunnel button on the
> "settings page".
>
> 8. Start our preconfigured proxy version of the Firefox portable browser
> (*).
>
> 9. Enter the URL to your favorite lingerie site.
>
> 10. Enjoy. Total satisfaction guaranteed.
>
>

Yes that will work and not one of your IT Nazis will be any the wiser.
Idiot.

What's that saying I've been saying lately? Oh that's right ... "you don't
know what you don't know, and what you think you know (maybe) just ain't so"

Re: Defending yourself against Nazi IT departments

on 18.04.2007 15:38:32 by roberson

In article ,
wini wrote:
>You have decided to surprise your wife by purchasing sexy lingerie from
>your favorite site. The problem is that you are at work and your Nazi IT
>department has blocked your favorite site.

>1. Install [software name] on your home computer.

>4. Go to work.

The precondition you imposed is that you are *already* at work.
If you are *already* at work in a place with a "Nazi IT department",
then you are not going to be able to install remotely onto your
computer at home (at least not without it being detected).

Your recipe only works if you preplan your surfing escapade, in
which case you might as well just order from home.

Re: Defending yourself against Nazi IT departments

on 18.04.2007 20:54:13 by wini

>
> The precondition you imposed is that you are *already* at work.
> If you are *already* at work in a place with a "Nazi IT department",
> then you are not going to be able to install remotely onto your
> computer at home (at least not without it being detected).

Not sure I understand your problem. It works for me.

I have worked as a consultant for many years and I always had problems
reading my own emails from behind large companies' firewalls. This solves
the problem, though it requires that Java is installed on the computer I
am using. I know others have experimented with putting Java on a
USB-stick, but this has so far not been necessary for me.

Re: Defending yourself against Nazi IT departments

on 18.04.2007 21:13:14 by Bogwitch

wini wrote:
>
>>
>> The precondition you imposed is that you are *already* at work.
>> If you are *already* at work in a place with a "Nazi IT department",
>> then you are not going to be able to install remotely onto your
>> computer at home (at least not without it being detected).
>
> Not sure I understand your problem. It works for me.
>
> I have worked as a consultant for many years and I always had problems
> reading my own emails from behind large companies' firewalls. This solves
> the problem, though it requires that Java is installed on the computer I
> am using. I know others have experimented with putting Java on a
> USB-stick, but this has so far not been necessary for me.

Interesting. Do the companies you contract to not ask you to adhere to
any security operating procedures? If not, more fool them, please name
them so that I may approach them as they are in dire need of some good
security consultancy. If they do, why do you think it is acceptable to
breach them? It's not a dig as such, I'm interested in attitudes that
breach computer security. I know it happens, I often understand why. In
this case, you feel the resources offered by your client are
insufficient and the procedures for obtaining exceptions are inefficient
I guess.

Bogwitch.

Re: Defending yourself against Nazi IT departments

on 18.04.2007 21:36:51 by BernieM

"wini" wrote in message
news:pPtVh.533$H_.234@newssvr21.news.prodigy.net...
>
>>
>> The precondition you imposed is that you are *already* at work.
>> If you are *already* at work in a place with a "Nazi IT department",
>> then you are not going to be able to install remotely onto your
>> computer at home (at least not without it being detected).
>
> Not sure I understand your problem. It works for me.
>
> I have worked as a consultant for many years and I always had problems
> reading my own emails from behind large companies' firewalls. This solves
> the problem, though it requires that Java is installed on the computer I
> am using. I know others have experimented with putting Java on a
> USB-stick, but this has so far not been necessary for me.

Buy your own notebook and get a mobile broadband account.

Re: Defending yourself against Nazi IT departments

on 18.04.2007 22:05:07 by unknown

Post removed (X-No-Archive: yes)

Re: Defending yourself against Nazi IT departments

on 19.04.2007 02:44:56 by wini

>
> Buy your own notebook and get a mobile broadband account.
>

That is a possible solution, but why the heck should I do that when this
solution is so much cheaper.

Regarding the responses to my post I realize that there are a number of
Nazi IT specialists on this group. I guess certain types of people have a
strong urge to control other people. I have to say I feel liberated now
when you no longer can control me :-)

Re: Defending yourself against Nazi IT departments

on 19.04.2007 02:56:31 by wini

>
> Interesting. Do the companies you contract to not ask you to adhere to
> any security operating procedures? If not, more fool them, please name
> them so that I may approach them as they are in dire need of some good
> security consultancy.

Sorry, can't do that obviously.

If they do, why do you think it is acceptable to
> breach them? It's not a dig as such, I'm interested in attitudes that
> breach computer security.

I see this as my right as an individual not to be limited by morons like
you. I do no harm, I simply want to access my own services.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 02:59:50 by roberson

In article ,
wini wrote:

>> The precondition you imposed is that you are *already* at work.
>> If you are *already* at work in a place with a "Nazi IT department",
>> then you are not going to be able to install remotely onto your
>> computer at home (at least not without it being detected).

>Not sure I understand your problem. It works for me.

Bad logic works for you??

Your recipe only works if you have *already* installed something
on your home machine, but the whole premise of your posting
was that you are starting from work -before- you've installed
anything on your home machine.

It is as if you had written,

"You are at work, and you want to use a hammer -now- (immediately,
before going home), but your workplace Health and Safety Committee
won't authorize recreational use of a hammer. Here's what you do:
you go home and you tie a long long fishing line to your hammer at
home, and then you go to work and you reel in the line at work until
your hammer reaches you."

Well, duh, if you need to use that hammer *now*, then you can't
go home and prepare the fishing line and go back to work. If you -did-
have time to go home, then you could just use the hammer at home and
you wouldn't need to go through the rigmarole. So your solution
doesn't solve the situation that it claimed to solve: that you have
no hammer and made no advance preparations and you need the hammer -now-.

The recipe you posted is a recipe for *premeditated* violation of
policies, not the claimed recipe for relief of acute and unexpected
need to violate policies.


I would suggest that you consider getting yourself a Palm Trio and use
that to surf the net wirelessly. You can get wireless telnet programs
with terminal emulators if you need to be able to access your machines
at home. Or since it's supposedly your wife's favorite lingerie site,
prepare yourself by taking down their phone number, and then calling
in your order.


At my workplace, if you deliberately violated our IT policies, your
company would be told that you were no longer welcome on our
premises, and your company would be reminded that we hired the
company rather than the person, so your company would be responsible
for providing an acceptable replacement worker. If you happen to be
the only employee of your company, tough luck: you'd still be
responsible for meeting the contract goals even if you have to take
a loss to do so by hiring someone else to do the work. Oh, and
non-completion of a contract nets a non-compliance note in the
unified purchasing system of our very large organization...

Re: Defending yourself against Nazi IT departments

on 19.04.2007 03:17:39 by wini

>
> At my workplace, if you deliberately violated our IT policies, your
> company would be told that you were no longer welcome on our
> premises, and your company would be reminded that we hired the

I guess I would not work for you.

I understand the importance of firewalls, but they are being misused by
many Nazi IT departments. I simply decided to circumvent this limitation
and it works. The same concept probably works for millions of other
users that do not tolerate Nazi IT departments. Why should I suffer and
pay extra for expensive equipment, which I do not really need.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 03:18:05 by roberson

In article ,
wini wrote:

>If they do, why do you think it is acceptable to
>> breach them? It's not a dig as such, I'm interested in attitudes that
>> breach computer security.

>I see this as my right as an individual not to be limited by morons like
>you. I do no harm, I simply want to access my own services.

Get back to us after your own company has had a visit from
one of the TLA's, informing you that one of your ex-employees was
a spy who stole your technology for the benefit of a country with
a history of violence, repression, and war upon other countries.

And no, I am not speaking hypothetically. There have been enough
attempts at the organization I work for that the security teams
receive specific training about dealing with detected spying.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 05:16:06 by roberson

In article ,
wini wrote:
>I understand the importance of firewalls, but they are being misused by
>many Nazi IT departments. I simply decided to circumvent this limitation
>and it works. The same concept probably works for millions of other
>users that do not tolerate Nazi IT departments. Why should I suffer and
>pay extra for expensive equipment, which I do not really need.

Your posting IP address is in the USA, but it sounds to me as if
you are not overly familiar with the terms of the US Computer Fraud
and Abuse Act (1986). That's US Criminal Code Title 18, section
1030 and thereabouts.

One might as well ask why you should have to suffer and pay
extra for an expensive car, when you have a method of hot-wiring
other people's cars to "borrow" them when they aren't using them.


The fact that you work on contracts for companies suggests to me
that you are probably not entirely familiar with the laws and
regulations that their IT departments must operate under. Are you,
for example, familiar with what is required for Sarbanes-Oxley
compliance? Were you aware that the legislative branch of the
country I live in gave a government department the authority to
make IT regulations, and that government department thence adopted
as regulations certain clauses that were strongly
recommended by the national domestic security agency, with the effect
of those regulations being that in organizations subject to the
regulations, it is -required- (if they have a firewall at all)
to block outgoing accesses except to locations the organizations
can prove are necessary for their operations? Are you aware that
for certain private information that we deal with, that the
-minimum- fine upon an auditing agency detecting a *potential*
for a leak, is $25000 per day?

So are we operating a "Nazi IT department" and restricting access
just because we get off on controlling people -- or are we just
doing the best we can to comply with multiple jurisdictions'
laws and regulations?

Re: Defending yourself against Nazi IT departments

on 19.04.2007 07:10:14 by Sebastian Gottschalk

wini wrote:

>> Buy your own notebook and get a mobile broadband account.
>>
>
> That is a possible solution, but why the heck should I do that when this
> solution is so much cheaper.
>
> Regarding the responses to my post I realize that there are a number of
> Nazi IT specialists on this group. I guess certain types of people have a
> strong urge to control other people.


Ehm... it's their job, damn it!

> I have to say I feel liberated now when you no longer can control me :-)

You'd wish...

Re: Defending yourself against Nazi IT departments

on 19.04.2007 07:11:32 by Sebastian Gottschalk

wini wrote:


> I understand the importance of firewalls, but they are being misused by
> many Nazi IT departments. I simply decided to circumvent this limitation
> and it works.


Since this circumvention is forbidden by your usage contract, you'll just
need to get busted twice and then you'll be fired.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 07:14:36 by Sebastian Gottschalk

Walter Roberson wrote:


> So are we operating a "Nazi IT department"


That sounds like the S in BDSM.

> and restricting access just because we get off on controlling people


That pretty much sounds like the D in BDSM.

> -- or are we just doing the best we can to comply with multiple
> jurisdictions' laws and regulations?


That's the B in BDSM.

And I guess running Windows on the machines makes the M.

*SCNR*

Re: Defending yourself against Nazi IT departments

on 19.04.2007 13:24:16 by BernieM

"wini" wrote in message
news:G3zVh.256$im2.170@newssvr22.news.prodigy.net...
>
>>
>> Interesting. Do the companies you contract to not ask you to adhere to
>> any security operating procedures? If not, more fool them, please name
>> them so that I may approach them as they are in dire need of some good
>> security consultancy.
>
> Sorry, can't do that obviously.
>
> If they do, why do you think it is acceptable to
>> breach them? It's not a dig as such, I'm interested in attitudes that
>> breach computer security.
>
> I see this as my right as an individual not to be limited by morons like
> you. I do no harm, I simply want to access my own services.

Access your own services using resources that don't belong to you. Please
explain how you justify that.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 15:05:03 by Bogwitch

wini wrote:
>
>>
>> Interesting. Do the companies you contract to not ask you to adhere to
>> any security operating procedures? If not, more fool them, please name
>> them so that I may approach them as they are in dire need of some good
>> security consultancy.
>
> Sorry, can't do that obviously.
>
> If they do, why do you think it is acceptable to
>> breach them? It's not a dig as such, I'm interested in attitudes that
>> breach computer security.
>
> I see this as my right as an individual not to be limited by morons like
> you. I do no harm, I simply want to access my own services.

OK, no need to get personal. You have no reason to call me a moron, nor
to assume I am a moron.

All I can say is thank Christ you're a yank and very unlikely to work in
my environment. If you were to, and try that crap on any of my networks,
you would be sacked, sued and prosecuted. And you WOULD be detected.

I never suggested you did any harm - at least not as far as you are
concerned. Unfortunately, you are subverting the organisation's security,
especially if you are installing Java when there is no business
requirement to do so.

As a contractor, you are paid to do a job of work, not to buy knickers
for your partner hence the harm is obvious.

As an aside, wasn't your original post just a thinly disguised piece of
spam? I refer to the line "8. Start our preconfigured proxy version of
the Firefox portable browser (*)."

Bottom line: You ARE doing harm. You are breaching your employer's
security and by installing unauthorised software you are reducing the
overall security of your employer's systems.

BUT, it would appear that you are SO arrogant that you will not accept
this and in your world, you are completely justified.

However, you have, in a round about sort of way, answered my question.
Why do you think it is acceptable to breach your employer's security
policy? Because you are arrogant and you do not understand the security
requirements of your employer. I just hope you are not contracted for
security work.

Bogwitch.

--
Posted via a free Usenet account from http://www.teranews.com

Re: Defending yourself against Nazi IT departments

on 19.04.2007 15:46:13 by Ansgar -59cobalt- Wiechers

wini wrote:
>> Buy your own notebook and get a mobile broadband account.
>
> That is a possible solution, but why the heck should I do that when
> this solution is so much cheaper.

Because someone else pays for the resources that you use unauthorizedly?

This may come as a shock to you, but you do not have a natural right to
use resources that belong to someone else. Especially not if that
someone has taken steps to prevent you from using said resources.

> Regarding the responses to my post I realize that there are a number
> of Nazi IT specialists on this group. I guess certain types of people
> have a strong urge to control other people.

By "control other people" you apparently mean "prevent other people from
abusing the company's resources".

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Defending yourself against Nazi IT departments

on 19.04.2007 17:29:35 by wini

Wow I sure managed to get a flame war.

I have something for you to think about.

I used another solution before using the tunnel. I used to go to a
friend of mine working for another company and use his computer as they
did not have any firewall limitations. This took me about 45 minutes in
traveling, which I charged the company for. I charge $140h, you can do
the math. What I am trying to say is that you should focus on security,
not limit users since they will always find ways around your pathetic
obstacle course. You can throw your flames at me, but that will not
change the facts.

Bye

Re: Defending yourself against Nazi IT departments

on 19.04.2007 17:36:59 by wini

FYI: http://peacefire.org/

Re: Defending yourself against Nazi IT departments

on 19.04.2007 18:55:59 by Bogwitch

wini wrote:
>
> FYI: http://peacefire.org/

Oh, come on. Freedom of Speech != Buying lingerie.

Bogwitch.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 18:59:22 by Bogwitch

wini wrote:
> Wow I sure managed to get a flame war.
>
> I have something for you to think about.
>
> I used another solution before using the tunnel. I used to go to a
> friend of mine working for another company and use his computer as they
> did not have any firewall limitations. This took me about 45 minutes in
> traveling, which I charged the company for. I charge $140h, you can do
> the math. What I am trying to say is that you should focus on security,
> not limit users since they will always find ways around your pathetic
> obstacle course. You can throw your flames at me, but that will not
> change the facts.
>
> Bye

So, you were buying frilly undies as part of your contracted work?
Interesting job!

I'm glad you're getting paid $140ph. It means that when they do sue you,
they will be well compensated.

You're walking a tightrope and one day you'll fall off. Would you do the
same thing if you had a DoD contract?

Bogwitch.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 19:40:29 by jason

wini wrote:
> Wow I sure managed to get a flame war.
>
> I have something for you to think about.
>
> I used another solution before using the tunnel. I used to go to a
> friend of mine working for another company and use his computer as they
> did not have any firewall limitations. This took me about 45 minutes in
> traveling, which I charged the company for. I charge $140h, you can do
> the math. What I am trying to say is that you should focus on security,
> not limit users since they will always find ways around your pathetic
> obstacle course. You can throw your flames at me, but that will not
> change the facts.
>
> Bye


Ahh so you're also guilty of fraud as well.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 19:43:08 by wini

>>
>> FYI: http://peacefire.org/
>
> Oh, come on. Freedom of Speech != Buying lingerie.

I thought it would be obvious that the *lingerie* should not be taken
literally.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 19:53:33 by Bogwitch

wini wrote:
>
>>>
>>> FYI: http://peacefire.org/
>>
>> Oh, come on. Freedom of Speech != Buying lingerie.
>
> I thought it would be obvious that the *lingerie* should not be taken
> literally.

I just wanted to establish motives. Your examples and stated uses
demonstrate a self serving need, not altruistic nor client benefitting.

You have, no doubt, reminded everyone else in here of an important
lesson. Staff, including contractors, may not always take 'No' for an answer!

Bogwitch.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 21:59:02 by Default User

On Thu, 19 Apr 2007 15:29:35 GMT, wini wrote:

>You can throw your flames at me, but that will not
>change the facts.

Fact: You are an admitted criminal.

Fact: You wouldn't stand a chance on my network.

Fact: I would probably allow you to connect to your computer but I would
also decode your SSL traffic and prevent any sensitive information from
being transmitted, all the while I would be recording your actions so that
you could be properly prosecuted.

Fact: Anyone taking your advice in this matter is an idiot.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 22:43:13 by wini

> Fact: You are an admitted criminal.

opinions opinions

>
> Fact: You wouldn't stand a chance on my network.

sure

>
> Fact: I would probably allow you to connect to your computer but I would
> also decode your SSL traffic and prevent any sensitive information from

Do you work as a comedian?
Decode my SSL data: sure :-)
Go somewhere else and spread your FUD.
Your FUD might work in kindergartens.

> Fact: Anyone taking your advice in this matter is an idiot.

Getting a bit personal are we?
Sounds like Hitler when he was no longer in control.

Re: Defending yourself against Nazi IT departments

on 19.04.2007 23:18:22 by Notan

wini wrote:
>
>
>> Fact: You are an admitted criminal.
>
> opinions opinions
>
>>
>> Fact: You wouldn't stand a chance on my network.
>
> sure
>
>>
>> Fact: I would probably allow you to connect to your computer but I would
>> also decode your SSL traffic and prevent any sensitive information from
>
> Do you work as a comedian?
> Decode my SSL data: sure :-)
> Go somewhere else and spread your FUD.
> Your FUD might work in kindergartens.
>
>> Fact: Anyone taking your advice in this matter is an idiot.
>
> Getting a bit personal are we?
> Sounds like Hitler when he was no longer in control.

After all the feedback you've received, do you really think that you're
right and *EVERYONE* else is wrong?

http://en.wikipedia.org/wiki/Delusion

--
Notan

Re: Defending yourself against Nazi IT departments

on 19.04.2007 23:28:49 by Sebastian Gottschalk

wini wrote:


>> Fact: I would probably allow you to connect to your computer but I would
>> also decode your SSL traffic and prevent any sensitive information from
>
> Do you work as a comedian?
> Decode my SSL data: sure :-)
> Go somewhere else and spread your FUD.
> Your FUD might work in kindergartens.


This is no FUD, this is trivial. Just do a MITM attack at the server.
You have no choice: Accept the changed certificate and the server can read
everything, or reject it and your connection won't work.

>> Fact: Anyone taking your advice in this matter is an idiot.
>
> Getting a bit personal are we?

Huh? Why? No one claimed that you're an idiot, just that your advice is idiotic.

Re: Defending yourself against Nazi IT departments

on 20.04.2007 10:29:47 by BernieM

"Sebastian G" wrote in message
news:58q599F2iefmpU1@mid.dfncis.de...
> wini wrote:
>
>
>>> Fact: I would probably allow you to connect to your computer but I would
>>> also decode your SSL traffic and prevent any sensitive information from
>>
>> Do you work as a comedian?
>> Decode my SSL data: sure :-)
>> Go somewhere else and spread your FUD.
>> Your FUD might work in kindergartens.
>
>
> This is no FUD, this is trivial. Just do a MITM attack at the server.
> You have no choice: Accept the changed certificate and the server can read
> everything, or reject it and your connection won't work.
>

Exactly.

Re: Defending yourself against Nazi IT departments

on 20.04.2007 10:42:18 by DevilsPGD

In message <462879f6$0$83730$c30e37c6@pit-reader.telstra.net> "BernieM"
wrote:

>
>"Sebastian G" wrote in message
>news:58q599F2iefmpU1@mid.dfncis.de...
>> wini wrote:
>>
>>
>>>> Fact: I would probably allow you to connect to your computer but I would
>>>> also decode your SSL traffic and prevent any sensitive information from
>>>
>>> Do you work as a comedian?
>>> Decode my SSL data: sure :-)
>>> Go somewhere else and spread your FUD.
>>> Your FUD might work in kindergartens.
>>
>>
>> This is no FUD, this is trivial. Just do a MITM attack at the server.
>> You have no choice: Accept the changed certificate and the server can read
>> everything, or reject it and your connection won't work.
>>
>
>Exactly.
>

More importantly, if the IT department cares, they'll install their own
signed certificate on your PC, and when you attempt to establish an
encrypted connection, they'll simply decrypt, log, and reencrypt.

Since your machine is configured to trust the certificate used during
the reencryption phase, you won't even know it's happening unless you
inspect the certificate (and much of that could be spoofed anyway, if an
IT department was really worried about getting caught)

--
I'd give my right arm to be ambidextrous.

Re: Defending yourself against Nazi IT departments

on 20.04.2007 13:04:23 by Anders Arnholm

Notan writes:
> After all the feedback you've received, do you really think that you're
> right and *EVERYONE* else is wrong?

Well, IMHO any admin putting in web filters is definitely wrong; they
don't protect anything and make life much harder. Usually this comes from
the idea that policies are bone hard and have to be technically
enforced. An assumption that actually doesn't work.

But many IT departments have forgotten why they exist, what the goal
is; the bigger the organisation, the bigger the risk for this. One of my
main customers has these kinds of filters; I often get to use my
proxy at home using an ssh tunnel to read relevant internet information.
Our tools for security testing of the product are often blocked as
hacking tools, for one thing. (Yes, of course the use of ssh and
port forwarding to an external proxy is an approved way of working.)

--
http://anders.arnholm.nu/ Keep on Balping

Re: Defending yourself against Nazi IT departments

on 20.04.2007 13:47:52 by BernieM

"Anders Arnholm" wrote in message
news:slrnf2h7hn.q97.Anders+news@tika.arnholm.se...
> Notan writes:
>> After all the feedback you've received, do you really think that you're
>> right and *EVERYONE* else is wrong?
>
> Well, IMHO any admin putting in web filters is definitely wrong; they
> don't protect anything and make life much harder. Usually this comes from
> the idea that policies are bone hard and have to be technically
> enforced. An assumption that actually doesn't work.

One reason web filtering is at the workplace is to protect others from seeing /
reading things that someone else has on their screen which they might find
offensive. People should not be subjected to offensive things in their
workplace. You look at what you want in the privacy of your own home.

Re: Defending yourself against Nazi IT departments

on 20.04.2007 14:06:51 by Sebastian Gottschalk

DevilsPGD wrote:


> More importantly, if the IT department cares, they'll install their own
> signed certificate on your PC, and when you attempt to establish an
> encrypted connection, they'll simply decrypt, log, and reencrypt.
>
> Since your machine is configured to trust the certificate used during
> the reencryption phase, you won't even know it's happening unless you
> inspect the certificate (and much of that could be spoofed anyway, if an
> IT department was really worried about getting caught)


He claimed to use his own web browser or a Java applet within one.

But well, if the IT department cares, he won't be able to run those in the
first place.

Re: Defending yourself against Nazi IT departments

am 20.04.2007 15:41:39 von BT

wini wrote:
>
> FYI: http://peacefire.org/

Most people who visit this forum have been in industry
for long enough to know what's right and wrong. The
companies we all work for are NOT democracies. If we
don't like the policies of the company we work for,
we are free to take our talents elsewhere.

Most companies I know do allow limited personal browsing..
that includes checking Google mail or scanning thro' news
articles. Forget about Nazi IT, what you are trying to do
will not be allowed even if Gandhi were your IT admin.

- Biswajit
Bangalore/INDIA

Re: Defending yourself against Nazi IT departments

am 20.04.2007 22:06:27 von DevilsPGD

In message <58romrF2i0irdU1@mid.dfncis.de> Sebastian G wrote:

>DevilsPGD wrote:
>
>> More importantly, if the IT department cares, they'll install their own
>> signed certificate on your PC, and when you attempt to establish an
>> encrypted connection, they'll simply decrypt, log, and reencrypt.
>>
>> Since your machine is configured to trust the certificate used during
>> the reencryption phase, you won't even know it's happening unless you
>> inspect the certificate (and much of that could be spoofed anyway, if an
>> IT department was really worried about getting caught)
>
>He claimed to use his own web browser or a Java applet within one.
>
>But well, if the IT department cares, he won't be able to run those in the
>first place.

Even so, if the app uses the system SSL certificates (Java does, as do
many alternative browsers), the same may apply.

--
I'd give my right arm to be ambidextrous.

Re: Defending yourself against Nazi IT departments

am 20.04.2007 23:17:06 von Sebastian Gottschalk

DevilsPGD wrote:


>> He claimed to use his own web browser or a Java applet within one.
>>
>> But well, if the IT department cares, he won't be able to run those in the
>> first place.
>
> Even so, if the app uses the system SSL certificates (Java does, as do
> many alternative browsers), the same may apply.


Even fully untrusted Java applets have permission to preselect a user-chosen
certificate on an SSLSocketConnection object.

So, this is a plausible scenario:
The IT department allows an installed web browser (not of his own choice) as
well as the installed Java VM. They also didn't implement appropriate
configuration of the Java VM to disallow all but whitelisted applets, but
they may have limited it to never trust any applet.

He uses these to load his applet, either from removable media or downloaded
from the Internet. It may be untrusted, but it's still allowed to first
select its own certificate loaded from its resources and then create an
SSLSocketConnection with this certificate.

This would allow him to detect the MITM attack.

But still he won't have any choice. Either it won't work or he will be sniffed.
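
The interception DevilsPGD describes (a locally trusted CA re-signing the server certificate) and the detection Sebastian describes (an applet comparing against a certificate it carries itself) come down to one check: does the presented leaf certificate match a pinned fingerprint, independently of what the OS trust store says? The following is an added example, not code from the thread, from BarracudaDrive or from any product mentioned here; it shows that check with Python's standard ssl module. The DER byte strings, the pin set and the `classify_session` labels are constructed for the example.

```python
# Added example (not code from the thread): a TLS client that pins the
# expected server certificate, so that a chain the OS trust store accepts
# is necessary but no longer sufficient.
import hashlib
import socket
import ssl
from typing import Iterable


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lower-case hex
    (what `openssl x509 -noout -fingerprint -sha256` prints, minus colons)."""
    return hashlib.sha256(der_cert).hexdigest()


def normalise_pin(pin: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' forms and return the bare hex digest."""
    return pin.replace(":", "").strip().lower()


def pin_matches(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True when the presented leaf certificate is one of the pinned ones."""
    return fingerprint_sha256(der_cert) in {normalise_pin(p) for p in pins}


def classify_session(der_cert: bytes, pins: Iterable[str],
                     trusted_by_store: bool) -> str:
    """Label a completed handshake (labels are this example's own).

    'ok'          the store trusts the chain and the leaf is pinned
    'intercepted' the store trusts the chain but the leaf is not pinned;
                  this is the re-signing proxy case from the thread: its CA
                  sits in the local trust store, so only the pin notices
    'untrusted'   the store rejected the chain (ordinary TLS failure)
    """
    if not trusted_by_store:
        return "untrusted"
    return "ok" if pin_matches(der_cert, pins) else "intercepted"


class PinMismatch(ssl.SSLError):
    """Peer presented a certificate the OS trusts but that is not pinned."""


def connect_pinned(host: str, port: int, pins: Iterable[str],
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and fail closed unless the leaf matches a pin.

    create_default_context() still performs chain and hostname validation;
    the pin check runs on top of it, after the handshake.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        seen = fingerprint_sha256(der) if der else "<none>"
        tls.close()
        raise PinMismatch(f"certificate for {host}:{port} is not pinned "
                          f"(sha256={seen})")
    return tls


# Constructed sample input: these bytes stand in for two DER certificates
# and are not real certificates.  The "proxy" one models a certificate
# re-signed by an interception CA: the OS would trust it, the pin does not.
GENUINE_LEAF_DER = b"constructed-der-genuine-server-cert"
PROXY_LEAF_DER = b"constructed-der-resigned-by-proxy-ca"
PINS = {fingerprint_sha256(GENUINE_LEAF_DER)}


if __name__ == "__main__":
    print("genuine:", classify_session(GENUINE_LEAF_DER, PINS, True))
    print("proxy:  ", classify_session(PROXY_LEAF_DER, PINS, True))
```

The design point is the one the thread makes: the interception proxy is invisible to ordinary validation precisely because its CA was installed into the trust store, so detection has to compare against something the client carries itself. It is also why the thread's conclusion holds from the IT side: a pin only helps if the client that performs the check is allowed to run, and pins have to be updated whenever the genuine certificate is rotated.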

Re: Defending yourself against Nazi IT departments

am 21.04.2007 17:47:56 von Dana

"Sebastian G" wrote in message
news:58romrF2i0irdU1@mid.dfncis.de...
> DevilsPGD wrote:
>
>
>> More importantly, if the IT department cares, they'll install their own
>> signed certificate on your PC, and when you attempt to establish an
>> encrypted connection, they'll simply decrypt, log, and reencrypt.
>>
>> Since your machine is configured to trust the certificate used during
>> the reencryption phase, you won't even know it's happening unless you
>> inspect the certificate (and much of that could be spoofed anyway, if an
>> IT department was really worried about getting caught)
>
>
> He claimed to use his own web browser or a Java applet within one.
>
> But well, if the IT department cares, he won't be able to run those in
> the first place.

Depending on the IT department, that may well be true, but in some places
that kind of security does not exist, and networks are pretty much wide
open.

Re: Defending yourself against Nazi IT departments

am 21.04.2007 17:50:50 von Dana

"Anders Arnholm" wrote in message
news:slrnf2h7hn.q97.Anders+news@tika.arnholm.se...
> Notan writes:
>> After all the feedback you've received, do you really think that you're
>> right and *EVERYONE* else is wrong?
>
> Well IMHO any admin putting in web filters is definitely wrong; they don't
> protect anything and make life much harder.

That depends on a lot of factors and is not such a black and white issue.


> Usually this comes from
> the idea that policies are bone hard and have to be technically
> enforced. An assumption that actually doesn't work.
>
> But many IT departments have forgotten why they exist,


I can agree here.
I have seen your IT Nazis.

> what the goal
> ever was; the bigger the organisation, the bigger the risk of this. One of my
> main customers has these kinds of filters; I often get to use my
> proxy at home using an ssh tunnel to read relevant internet information.
> Our tools for security testing of the product are often blocked as
> hacking tools, for one thing. (Yes, of course, the use of ssh and
> port forwarding to an external proxy is an approved way of working.)
>
> --
> http://anders.arnholm.nu/ Keep on Balping

Re: Defending yourself against Nazi IT departments

am 22.04.2007 14:17:02 von wayne

"Dana" wrote in message
news:21ffa$462a31e4$944e306e$315@STARBAND.NET...
>
> "Sebastian G" wrote in message
> news:58romrF2i0irdU1@mid.dfncis.de...
>> DevilsPGD wrote:
>>
>>
>>> More importantly, if the IT department cares, they'll install their own
>>> signed certificate on your PC, and when you attempt to establish an
>>> encrypted connection, they'll simply decrypt, log, and reencrypt.
>>>
>>> Since your machine is configured to trust the certificate used during
>>> the reencryption phase, you won't even know it's happening unless you
>>> inspect the certificate (and much of that could be spoofed anyway, if an
>>> IT department was really worried about getting caught)
>>
>>
>> He claimed to use his own web browser or a Java applet within one.
>>
>> But well, if the IT department cares, he won't be able to run those in
>> the first place.
>
> Depending on the IT department, that may well be true, but in some places
> that kind of security does not exist, and networks are pretty much wide
> open.
>

Unfortunately, these last two statements say it all.
...if the IT department cares...that kind of security does not exist...
Most IT departments don't have the time/budget/manpower to care about
something like this. If you do have this much free time, I envy you.

Re: Defending yourself against Nazi IT departments

am 22.04.2007 14:39:10 von Bogwitch

Wayne wrote:
> "Dana" wrote in message
> news:21ffa$462a31e4$944e306e$315@STARBAND.NET...
>> "Sebastian G" wrote in message
>> news:58romrF2i0irdU1@mid.dfncis.de...
>>> DevilsPGD wrote:
>>>
>>>
>>>> More importantly, if the IT department cares, they'll install their own
>>>> signed certificate on your PC, and when you attempt to establish an
>>>> encrypted connection, they'll simply decrypt, log, and reencrypt.
>>>>
>>>> Since your machine is configured to trust the certificate used during
>>>> the reencryption phase, you won't even know it's happening unless you
>>>> inspect the certificate (and much of that could be spoofed anyway, if an
>>>> IT department was really worried about getting caught)
>>>
>>> He claimed to use his own web browser or a Java applet within one.
>>>
>>> But well, if the IT department cares, he won't be able to run those in
>>> the first place.
>> Depending on the IT department, that may well be true, but in some places
>> that kind of security does not exist, and networks are pretty much wide
>> open.
>>
>
> Unfortunately, these last two statements say it all.
> ...if the IT department cares...that kind of security does not exist...
> Most IT departments don't have the time/budget/manpower to care about
> something like this. If you do have this much free time, I envy you.

Some observations.

1. IT security is *NOT* an IT function. It is a security function.
2. Organisations that do not invest time/budget/manpower in 'something
like this' invariably invest time/budget/manpower in the subsequent
clearup, not to mention the potential losses that could be suffered due
to a lack of security/ lack of enforcement.
3. IT departments should be monitored as closely, if not more so than
regular users. The OP demonstrated this VERY clearly.

Bogwitch.

Re: Defending yourself against Nazi IT departments

am 22.04.2007 17:24:19 von Dana

"Bogwitch" wrote in message
news:OHIWh.2140$V7.345@newsfe7-gui.ntli.net...
> Wayne wrote:
>> "Dana" wrote in message
>> news:21ffa$462a31e4$944e306e$315@STARBAND.NET...
>>> "Sebastian G" wrote in message
>>> news:58romrF2i0irdU1@mid.dfncis.de...
>>>> DevilsPGD wrote:
>>>>
>>>>
>>>>> More importantly, if the IT department cares, they'll install their
>>>>> own
>>>>> signed certificate on your PC, and when you attempt to establish an
>>>>> encrypted connection, they'll simply decrypt, log, and reencrypt.
>>>>>
>>>>> Since your machine is configured to trust the certificate used during
>>>>> the reencryption phase, you won't even know it's happening unless you
>>>>> inspect the certificate (and much of that could be spoofed anyway, if
>>>>> an
>>>>> IT department was really worried about getting caught)
>>>>
>>>> He claimed to use his own web browser or a Java applet within one.
>>>>
>>>> But well, if the IT department cares, he won't be able to run those in
>>>> the first place.
>>> Depending on the IT department, that may well be true, but in some
>>> places that kind of security does not exist, and networks are pretty
>>> much wide open.
>>>
>>
>> Unfortunately, these last two statements say it all.
>> ...if the IT department cares...that kind of security does not exist...
>> Most IT departments don't have the time/budget/manpower to care about
>> something like this. If you do have this much free time, I envy you.
>
> Some observations.
>
> 1. IT security is *NOT* an IT function. It is a security function.

In most organizations it is IT that handles the security function.

> 3. IT departments should be monitored as closely, if not more so than
> regular users. The OP demonstrated this VERY clearly.
>
Agree
> Bogwitch.

Re: Defending yourself against Nazi IT departments

am 22.04.2007 17:58:30 von Bogwitch

Dana wrote:
> "Bogwitch" wrote in message
> news:OHIWh.2140$V7.345@newsfe7-gui.ntli.net...
>> Wayne wrote:
>>> "Dana" wrote in message
>>> news:21ffa$462a31e4$944e306e$315@STARBAND.NET...
>>>> "Sebastian G" wrote in message
>>>> news:58romrF2i0irdU1@mid.dfncis.de...
>>>>> DevilsPGD wrote:
>>>>>
>>>>>
>>>>>> More importantly, if the IT department cares, they'll install their
>>>>>> own
>>>>>> signed certificate on your PC, and when you attempt to establish an
>>>>>> encrypted connection, they'll simply decrypt, log, and reencrypt.
>>>>>>
>>>>>> Since your machine is configured to trust the certificate used during
>>>>>> the reencryption phase, you won't even know it's happening unless you
>>>>>> inspect the certificate (and much of that could be spoofed anyway, if
>>>>>> an
>>>>>> IT department was really worried about getting caught)
>>>>> He claimed to use his own web browser or a Java applet within one.
>>>>>
>>>>> But well, if the IT department cares, he won't be able to run those in
>>>>> the first place.
>>>> Depending on the IT department, that may well be true, but in some
>>>> places that kind of security does not exist, and networks are pretty
>>>> much wide open.
>>>>
>>> Unfortunately, these last two statements say it all.
>>> ...if the IT department cares...that kind of security does not exist...
>>> Most IT departments don't have the time/budget/manpower to care about
>>> something like this. If you do have this much free time, I envy you.
>> Some observations.
>>
>> 1. IT security is *NOT* an IT function. It is a security function.
>
> In most organizations it is IT that handles the security function.

True. It doesn't make it right.

Bogwitch.

Re: Defending yourself against Nazi IT departments

am 22.04.2007 18:20:48 von Dana

"Bogwitch" wrote in message
news:GCLWh.5741$nh7.548@newsfe7-win.ntli.net...
> Dana wrote:
>> "Bogwitch" wrote in message
>> news:OHIWh.2140$V7.345@newsfe7-gui.ntli.net...
>>> Wayne wrote:
>>>> "Dana" wrote in message
>>>> news:21ffa$462a31e4$944e306e$315@STARBAND.NET...
>>>>> "Sebastian G" wrote in message
>>>>> news:58romrF2i0irdU1@mid.dfncis.de...
>>>>>> DevilsPGD wrote:
>>>>>>
>>>>>>
>>>>>>> More importantly, if the IT department cares, they'll install their
>>>>>>> own
>>>>>>> signed certificate on your PC, and when you attempt to establish an
>>>>>>> encrypted connection, they'll simply decrypt, log, and reencrypt.
>>>>>>>
>>>>>>> Since your machine is configured to trust the certificate used
>>>>>>> during
>>>>>>> the reencryption phase, you won't even know it's happening unless
>>>>>>> you
>>>>>>> inspect the certificate (and much of that could be spoofed anyway,
>>>>>>> if an
>>>>>>> IT department was really worried about getting caught)
>>>>>> He claimed to use his own web browser or a Java applet within one.
>>>>>>
>>>>>> But well, if the IT department cares, he won't be able to run those
>>>>>> in the first place.
>>>>> Depending on the IT department, that may well be true, but in some
>>>>> places that kind of security does not exist, and networks are pretty
>>>>> much wide open.
>>>>>
>>>> Unfortunately, these last two statements say it all.
>>>> ...if the IT department cares...that kind of security does not
>>>> exist...
>>>> Most IT departments don't have the time/budget/manpower to care about
>>>> something like this. If you do have this much free time, I envy you.
>>> Some observations.
>>>
>>> 1. IT security is *NOT* an IT function. It is a security function.
>>
>> In most organizations it is IT that handles the security function.
>
> True. It doesn't make it right.

I would say it does, as it is a centralized point of control.

>
> Bogwitch.

Re: Defending yourself against Nazi IT departments

am 22.04.2007 20:56:39 von Bogwitch

Dana wrote:
> "Bogwitch" wrote in message
> news:GCLWh.5741$nh7.548@newsfe7-win.ntli.net...
>> Dana wrote:
>>> "Bogwitch" wrote in message
>>> news:OHIWh.2140$V7.345@newsfe7-gui.ntli.net...
>>>> Wayne wrote:
>>>>> "Dana" wrote in message
>>>>> news:21ffa$462a31e4$944e306e$315@STARBAND.NET...
>>>>>> "Sebastian G" wrote in message
>>>>>> news:58romrF2i0irdU1@mid.dfncis.de...
>>>>>>> DevilsPGD wrote:
>>>>>>>
>>>>>>>
>>>>>>>> More importantly, if the IT department cares, they'll install their
>>>>>>>> own
>>>>>>>> signed certificate on your PC, and when you attempt to establish an
>>>>>>>> encrypted connection, they'll simply decrypt, log, and reencrypt.
>>>>>>>>
>>>>>>>> Since your machine is configured to trust the certificate used
>>>>>>>> during
>>>>>>>> the reencryption phase, you won't even know it's happening unless
>>>>>>>> you
>>>>>>>> inspect the certificate (and much of that could be spoofed anyway,
>>>>>>>> if an
>>>>>>>> IT department was really worried about getting caught)
>>>>>>> He claimed to use his own web browser or a Java applet within one.
>>>>>>>
>>>>>>> But well, if the IT department cares, he won't be able to run those
>>>>>>> in the first place.
>>>>>> Depending on the IT department, that may well be true, but in some
>>>>>> places that kind of security does not exist, and networks are pretty
>>>>>> much wide open.
>>>>>>
>>>>> Unfortunately, these last two statements say it all.
>>>>> ...if the IT department cares...that kind of security does not
>>>>> exist...
>>>>> Most IT departments don't have the time/budget/manpower to care about
>>>>> something like this. If you do have this much free time, I envy you.
>>>> Some observations.
>>>>
>>>> 1. IT security is *NOT* an IT function. It is a security function.
>>> In most organizations it is IT that handles the security function.
>> True. It doesn't make it right.
>
> I would say it does, as it is a centralized point of control.

The problem with an IT department running the organisation's security is
that it could be compromised more easily.
Also, an IT department will tend, IMO, to concentrate on technical
countermeasures rather than physical or procedural measures.
Additionally, the security department should not be reporting directly
to the head of IT, as decisions based on expediency may override
decisions concerning CI&A.

It is a tricky one; an IT department may have technical skills in excess
of a security team, but that is down to the HR department to ensure
relevant personnel are selected.

The separation of duties principle comes into play here.

Bogwitch.

Re: Defending yourself against Nazi IT departments

am 22.04.2007 21:42:08 von ibuprofin

On Sun, 22 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
article , Bogwitch wrote:

>Wayne wrote:

>> "Dana" wrote

>>> "Sebastian G" wrote

>>>> He claimed to use his own web browser or a Java applet within one.
>>>>
>>>> But well, if the IT department cares, he won't be able to run those
>>>> in the first place.

Below - "care" doesn't enter into the argument.

>>> Depending on the IT department, that may well be true, but in some
>>> places that kind of security does not exist, and networks are pretty
>>> much wide open.

When I saw the original post in this thread, I thought it was a sock
puppet of the skating/internet radio troll. Same useless technique,
same advice. The only thing missing was the line that I/T or the bosses
would "never _GUESS_ what is going on".

>> Unfortunately, these last two statements say it all.
>> ...if the IT department cares...that kind of security does not exist...
>> Most IT departments don't have the time/budget/manpower to care about
>> something like this. If you do have this much free time, I envy you.

It's not so much the IT departments as the company itself. No IT (or
similar level/function) manager should be setting policy without written
"direction" (read that as "policy") from on high. That direction should
include staffing and budgets, and the basic policy should be reviewed by
the legal staff of the company (who may have to defend it in court).

>Some observations.
>
>1. IT security is *NOT* an IT function. It is a security function.

It's also not a single object - like a firewall or proxy server, but is
a whole bunch of other things like company policies that the employees
are strongly aware of - like "Thou shall not use the network for personal
reasons." and "Thou shall not install unapproved hardware and/or software
on company computers." among other things. Another item is warning the
employees/users that the network is, OR MAY BE monitored at any (or all)
time, and that violation of company policies will have consequences.

>2. Organisations that do not invest time/budget/manpower in 'something
>like this' invariably invest time/budget/manpower in the subsequent
>clearup, not to mention the potential losses that could be suffered due
>to a lack of security/ lack of enforcement.

Boy, ain't THAT the truth.

>3. IT departments should be monitored as closely, if not more so than
>regular users. The OP demonstrated this VERY clearly.

I don't disagree, but I didn't get the opinion that the O/P was IT.
For certain, the O/P was quite clueless about this newsgroup, and
failed to even try using a search engine to see what past postings in
the group referred to.

Old guy

Re: Defending yourself against Nazi IT departments

am 22.04.2007 22:58:38 von Dana

"Bogwitch" wrote in message
news:HdOWh.5812$nh7.2610@newsfe7-win.ntli.net...
> Dana wrote:
>> "Bogwitch" wrote in message
>> news:GCLWh.5741$nh7.548@newsfe7-win.ntli.net...
>>> Dana wrote:
>>>> "Bogwitch" wrote in message
>>>> news:OHIWh.2140$V7.345@newsfe7-gui.ntli.net...
>>>>> Wayne wrote:
>>>>>> "Dana" wrote in message
>>>>>> news:21ffa$462a31e4$944e306e$315@STARBAND.NET...
>>>>>>> "Sebastian G" wrote in message
>>>>>>> news:58romrF2i0irdU1@mid.dfncis.de...
>>>>>>>> DevilsPGD wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> More importantly, if the IT department cares, they'll install
>>>>>>>>> their own
>>>>>>>>> signed certificate on your PC, and when you attempt to establish
>>>>>>>>> an
>>>>>>>>> encrypted connection, they'll simply decrypt, log, and reencrypt.
>>>>>>>>>
>>>>>>>>> Since your machine is configured to trust the certificate used
>>>>>>>>> during
>>>>>>>>> the reencryption phase, you won't even know it's happening unless
>>>>>>>>> you
>>>>>>>>> inspect the certificate (and much of that could be spoofed anyway,
>>>>>>>>> if an
>>>>>>>>> IT department was really worried about getting caught)
>>>>>>>> He claimed to use his own web browser or a Java applet within one.
>>>>>>>>
>>>>>>>> But well, if the IT department cares, he won't be able to run those
>>>>>>>> in the first place.
>>>>>>> Depending on the IT department, that may well be true, but in some
>>>>>>> places that kind of security does not exist, and networks are pretty
>>>>>>> much wide open.
>>>>>>>
>>>>>> Unfortunately, these last two statements say it all.
>>>>>> ...if the IT department cares...that kind of security does not
>>>>>> exist...
>>>>>> Most IT departments don't have the time/budget/manpower to care about
>>>>>> something like this. If you do have this much free time, I envy you.
>>>>> Some observations.
>>>>>
>>>>> 1. IT security is *NOT* an IT function. It is a security function.
>>>> In most organizations it is IT that handles the security function.
>>> True. It doesn't make it right.
>>
>> I would say it does, as it is a centralized point of control.
>
> The problem with an IT department running the organisation's security is
> that it could be compromised more easily.
> Also, an IT department will tend, IMO, to concentrate on technical
> countermeasures rather than physical or procedural measures. Additionally,
> the security department should not be reporting directly to the head of IT,
> as decisions based on expediency may override decisions concerning CI&A.
>
> It is a tricky one; an IT department may have technical skills in excess
> of a security team, but that is down to the HR department to ensure
> relevant personnel are selected.
>
> The separation of duties principle comes into play here.

True, the separation is needed. What is more important is staffing your IT
department with people who are more than just plain Windows techs.
Most Windows techs/admins know very little about
networking/security/telecommunications in general.
>
> Bogwitch.

Re: Defending yourself against Nazi IT departments

am 22.04.2007 23:10:41 von Bogwitch

Moe Trin wrote:
> On Sun, 22 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
> article , Bogwitch wrote:
>
>> Wayne wrote:
>
>>> "Dana" wrote
>
>>>> "Sebastian G" wrote
>
>>>>> He claimed to use his own web browser or a Java applet within one.
>>>>>
>>>>> But well, if the IT department cares, he won't be able to run those
>>>>> in the first place.
>
> Below - "care" doesn't enter into the argument.
>
>>>> Depending on the IT department, that may well be true, but in some
>>>> places that kind of security does not exist, and networks are pretty
>>>> much wide open.
>
> When I saw the original post in this thread, I thought it was a sock
> puppet of the skating/internet radio troll. Same useless technique,
> same advice. The only thing missing was the line that I/T or the bosses
> would "never _GUESS_ what is going on".

I didn't make the link myself but I do see what you mean.

>>> Unfortunately, these last two statements say it all.
>>> ...if the IT department cares...that kind of security does not exist...
>>> Most IT departments don't have the time/budget/manpower to care about
>>> something like this. If you do have this much free time, I envy you.
>
> It's not so much the IT departments as the company itself. No IT (or
> similar level/function) manager should be setting policy without written
> "direction" (read that as "policy") from on high. That direction should
> include staffing and budgets, and the basic policy should be reviewed by
> the legal staff of the company (who may have to defend it in court).

No argument there. Top level support is essential.

>> Some observations.
>>
>> 1. IT security is *NOT* an IT function. It is a security function.
>
> It's also not a single object - like a firewall or proxy server, but is
> a whole bunch of other things like company policies that the employees
> are strongly aware of - like "Thou shall not use the network for personal
> reasons." and "Thou shall not install unapproved hardware and/or software
> on company computers." among other things. Another item is warning the
> employees/users that the network is, OR MAY BE monitored at any (or all)
> time, and that violation of company policies will have consequences.

Training, too.

>> 2. Organisations that do not invest time/budget/manpower in 'something
>> like this' invariably invest time/budget/manpower in the subsequent
>> clearup, not to mention the potential losses that could be suffered due
>> to a lack of security/ lack of enforcement.
>
> Boy, ain't THAT the truth.

Difficult to quantify though! Do you know of any work that attempts to
explain the cost/ benefit of pre-emptive security?

>> 3. IT departments should be monitored as closely, if not more so than
>> regular users. The OP demonstrated this VERY clearly.
>
> I don't disagree, but I didn't get the opinion that the O/P was IT.
> For certain, the O/P was quite clueless about this newsgroup, and
> failed to even try using a search engine to see what past postings in
> the group referred to.

Fair point. My assumption was based on the fact that most of the
contractors *I* know, work in IT but that's probably more to do with the
environment *I* work in. There was also the assumption that the OP had
admin rights in order to install the client software or Java, assuming
it was necessary to have admin rights!

Bogwitch.

Re: Defending yourself against Nazi IT departments

am 22.04.2007 23:37:36 von Bogwitch

Dana wrote:
> "Bogwitch" wrote in message
> news:HdOWh.5812$nh7.2610@newsfe7-win.ntli.net...
>> Dana wrote:
>>> "Bogwitch" wrote in message
>>> news:GCLWh.5741$nh7.548@newsfe7-win.ntli.net...
>>>> Dana wrote:
>>>>> "Bogwitch" wrote in message
>>>>> news:OHIWh.2140$V7.345@newsfe7-gui.ntli.net...
>>>>>> Wayne wrote:
>>>>>>> "Dana" wrote in message
>>>>>>> news:21ffa$462a31e4$944e306e$315@STARBAND.NET...
>>>>>>>> "Sebastian G" wrote in message
>>>>>>>> news:58romrF2i0irdU1@mid.dfncis.de...
>>>>>>>>> DevilsPGD wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> More importantly, if the IT department cares, they'll install
>>>>>>>>>> their own
>>>>>>>>>> signed certificate on your PC, and when you attempt to establish
>>>>>>>>>> an
>>>>>>>>>> encrypted connection, they'll simply decrypt, log, and reencrypt.
>>>>>>>>>>
>>>>>>>>>> Since your machine is configured to trust the certificate used
>>>>>>>>>> during
>>>>>>>>>> the reencryption phase, you won't even know it's happening unless
>>>>>>>>>> you
>>>>>>>>>> inspect the certificate (and much of that could be spoofed anyway,
>>>>>>>>>> if an
>>>>>>>>>> IT department was really worried about getting caught)
>>>>>>>>> He claimed to use his own web browser or a Java applet within one.
>>>>>>>>>
>>>>>>>>> But well, if the IT department cares, he won't be able to run those
>>>>>>>>> in the first place.
>>>>>>>> Depending on the IT department, that may well be true, but in some
>>>>>>>> places that kind of security does not exist, and networks are pretty
>>>>>>>> much wide open.
>>>>>>>>
>>>>>>> Unfortunately, these last two statements say it all.
>>>>>>> ...if the IT department cares...that kind of security does not
>>>>>>> exist...
>>>>>>> Most IT departments don't have the time/budget/manpower to care about
>>>>>>> something like this. If you do have this much free time, I envy you.
>>>>>> Some observations.
>>>>>>
>>>>>> 1. IT security is *NOT* an IT function. It is a security function.
>>>>> In most organizations it is IT that handles the security function.
>>>> True. It doesn't make it right.
>>> I would say it does, as it is a centralized point of control.
>> The problem with an IT department running the organisation's security is
>> that it could be compromised more easily.
>> Also, an IT department will tend, IMO, to concentrate on technical
>> countermeasures rather than physical or procedural measures. Additionally,
>> the security department should not be reporting directly to the head of IT,
>> as decisions based on expediency may override decisions concerning CI&A.
>>
>> It is a tricky one; an IT department may have technical skills in excess
>> of a security team, but that is down to the HR department to ensure
>> relevant personnel are selected.
>>
>> The separation of duties principle comes into play here.
>
> True, the separation is needed. What is more important is staffing your IT
> department with people who are more than just plain Windows techs.
> Most Windows techs/admins know very little about
> networking/security/telecommunications in general.

I have to disagree with you there. Yes, it would be useful to have
experienced, knowledgeable IT staff but more importantly, they should be
trustworthy.

The IT department should know what to look for with regards to a
security incident, as should all employees but I believe that a separate
security department should have overall responsibility for enforcing
security policy and performing audits, etc. and should be suitably
experienced.

Bogwitch.

Re: Defending yourself against Nazi IT departments

am 22.04.2007 23:49:38 von The Horny Goat

On Sun, 22 Apr 2007 15:58:30 GMT, Bogwitch wrote:

>>> 1. IT security is *NOT* an IT function. It is a security function.
>>
>> In most organizations it is IT that handles the security function.
>
>True. It doesn't make it right.

Huh?

In most organizations 'security' doesn't mean the IT department, it
means the folks who look after opening and closing the building at
night. The folks who look after keys and passcards etc. The last $100
million company I worked at had a system of passcards that gave you
access only to certain floors and only during certain times of day.
This had the negative feature that with the restrooms in the common
area one often had to take the elevator down to the ground floor
before returning to your floor when working late. The alternative was
to put a small block in the door to hold it open which obviously was
frowned on by the security department.

Since then I haven't worked in any office with more than two floors so
am not really up on the current technology but none of the folks
referred to above worked in the IT department.

Re: Defending yourself against Nazi IT departments

am 23.04.2007 01:02:45 von Ansgar -59cobalt- Wiechers

Bogwitch wrote:
> Dana wrote:
>> "Bogwitch" wrote:
>>> It is a tricky one, an IT department may have technical skills in
>>> excess of a security team but that is down to the HR department to
>>> ensure relevant personnel are selected.
>>>
>>> The separation of duties principle comes into play here.
>>
>> True, the separation is needed. What is more important is staffing
>> your IT department with people who are more than just plain Windows
>> techs. Most Windows techs/admins know very little about
>> networking/security/telecommunications in general.
>
> I have to disagree with you there. Yes, it would be useful to have
> experienced, knowledgeable IT staff but more importantly, they should
> be trustworthy.

Wrong. They MUST be both knowledgeable AND trustworthy. If they're
knowledgeable but not trustworthy your security may be breached on the
social level. If they're trustworthy but not knowledgeable your security
may be breached on the technical level. Either way you lose.

And could you guys *please* learn to trim your quoting?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Defending yourself against Nazi IT departments

am 23.04.2007 05:06:46 von ibuprofin

On Sun, 22 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
article , Bogwitch wrote:

>Moe Trin wrote:

>>> 1. IT security is *NOT* an IT function. It is a security function.
>>
>> It's also not a single object - like a firewall or proxy server, but is
>> a whole bunch of other things like company policies that the employees
>> are strongly aware of - like "Thou shall not use the network for personal
>> reasons." and "Thou shall not install unapproved hardware and/or software
>> on company computers." among other things. Another item is warning the
>> employees/users that the network is, OR MAY BE monitored at any (or all)
>> time, and that violation of company policies will have consequences.
>
>Training, too.

True - we don't do as much training as we might, but the general class
of users we have can make rational decisions about violating the well
known policies and the possible consequences. But for the O/P trying to
order frilly knickers, we have systems in the employee break areas
that are completely isolated from the company network. They have
enough software on them to allow our users to do such things, and
they have a "guest" account for this purpose. When the user logs out,
part of the .logout script clears the cache files and /home/guest/
directory. The systems are running a Linux distribution, "guest" is
just an ordinary user whose shell is rbash. Remember the 'cd' command
to change directories? This shell doesn't have one, and doesn't
accept a directory separator character in any command.

>Difficult to quantify though! Do you know of any work that attempts to
>explain the cost/ benefit of pre-emptive security?

Ask your legal staff. I suspect they know of the benefits.

>> I don't disagree, but I didn't get the opinion that the O/P was IT.
>> For certain, the O/P was quite clueless about this newsgroup, and
>> failed to even try using a search engine to see what past postings
>> in the group referred to.
>
>Fair point. My assumption was based on the fact that most of the
>contractors *I* know, work in IT but that's probably more to do with the
>environment *I* work in. There was also the assumption that the OP had
>admin rights in order to install the client software or Java, assuming
>it was necessary to have admin rights!

We're an R&D facility, so most of our contractors are in the support
areas - building maintenance, the cafeteria, stores, and the like.
At other divisions, there are contractors in the admin areas, and to
some extent in the general technical fields. One exception is that
we have contractor techs doing general computer maintenance, and
software installs.

How many companies are stupid enough to be running windoze in the
out-of-box configuration, with the users whining all the time that they
need to be admin in order to do anything useful? How many of them
are using Internet Explorer for their Internet activities (and just
about everything else) because that's the only piece of software they
"learned" - which in itself is probably an overstatement.

We're a *nix shop, and the user accounts don't have the capability to
alter the system. That makes it harder to set up, but then you don't
have to worry about the user trashing the system - the only thing they
can trash is their own account, and peer pressure makes sure they don't
do that very often. About 4 or 5 percent of our people have a
mechanism to do _some_ admin stuff:

[compton ~]$ whatis su sudo
su (1) - run a shell with substitute user and group IDs
sudo (8) - execute a command as another user
[compton ~]$

'su' is normally used to become another user (typically the admin
user 'root') while sudo can be configured to allow a specific user
to do a specific command - and in the paranoid companies, these
activities are logged - to a printer.

Old guy
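As an added example (not Moe Trin's script and not code from the thread), here is the logout cleanup he describes written out in Python rather than as a csh .logout, so the points a cleanup must get right are visible: every entry in the guest home goes except an assumed login skeleton, dot-prefixed cache directories are included (they are exactly what an `rm -rf ~/*` misses), and symlinks are unlinked rather than followed, so a link planted in the home cannot drag something outside it into the wipe. `/home/guest/` is the path from the post; the skeleton file names and cache locations are assumptions.

```python
"""Logout cleanup for a shared, anonymous "guest" login (added example).

Modelled on the .logout behaviour described in the post above: when the
guest logs out, the browser cache and everything else left in the home
directory is removed so nothing persists to the next user.  Skeleton file
names and cache directories below are assumptions, not from the thread.
"""
import os
import shutil
import tempfile

GUEST_HOME = "/home/guest"                      # path given in the post
KEEP = {".bash_profile", ".bashrc", ".logout"}  # assumed login skeleton
CACHE_DIRS = [".cache", ".mozilla"]             # assumed browser cache locations


def clean_guest_home(home=GUEST_HOME):
    """Remove every entry in `home` except the skeleton files.

    Returns the sorted list of entry names that were removed.  Symlinks
    are unlinked, never followed, so a guest cannot point a link at a
    directory outside the home and have its contents wiped.  Hidden
    entries are included: caches are dot-prefixed by convention.
    """
    removed = []
    for name in sorted(os.listdir(home)):
        if name in KEEP:
            continue
        path = os.path.join(home, name)
        if os.path.islink(path) or not os.path.isdir(path):
            os.unlink(path)          # files and symlinks (even to dirs)
        else:
            shutil.rmtree(path)      # real directories, recursively
        removed.append(name)
    return removed


def demo():
    """Build a throwaway guest home, dirty it the way a browsing session
    would, run the cleanup, and return (removed, remaining, outside_intact).

    Everything here is constructed in temporary directories; nothing under
    the real /home/guest is touched.
    """
    home = tempfile.mkdtemp(prefix="guest-")
    outside = tempfile.mkdtemp(prefix="outside-")
    try:
        for name in KEEP:
            open(os.path.join(home, name), "w").close()
        for d in CACHE_DIRS:
            os.makedirs(os.path.join(home, d, "profile"))
            open(os.path.join(home, d, "profile", "cache.db"), "w").close()
        open(os.path.join(home, "order.pdf"), "w").close()
        # A symlink pointing out of the home: must be unlinked, not followed.
        os.symlink(outside, os.path.join(home, "escape"))
        removed = clean_guest_home(home)
        remaining = sorted(os.listdir(home))
        outside_intact = os.path.isdir(outside)
    finally:
        shutil.rmtree(home, ignore_errors=True)
        shutil.rmtree(outside, ignore_errors=True)
    return removed, remaining, outside_intact


if __name__ == "__main__":
    removed, remaining, intact = demo()
    print("removed:  ", removed)
    print("remaining:", remaining)
    print("target of planted symlink untouched:", intact)
```

Run as a script it exercises the cleanup on a temporary directory; wired into the real logout it would be called with the default `GUEST_HOME`. The `demo()` return values are what the cleanup guarantees: caches and downloads gone, the skeleton left, the symlink target untouched.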

Re: Defending yourself against Nazi IT departments

am 23.04.2007 09:08:01 von Bogwitch

Ansgar -59cobalt- Wiechers wrote:
> Bogwitch wrote:

>>> networking/security/telecommunications in general
>> I have to disagree with you there. Yes, it would be useful to have
>> experienced, knowledgeable IT staff but more importantly, they should
>> be trustworthy.
>
> Wrong. They MUST be both knowledgeable AND trustworthy. If they're
> knowledgeable but not trustworthy your security may be breached on the
> social level. If they're trustworthy but not knowledgeable your security
> may be breached on the technical level. Either way you lose.

Fair point. I thought it was a given that the staff would have
sufficient knowledge to perform their assigned tasks, else they should
not have been given the job.

> And could you guys *please* learn to trim your quoting?

Apologies, I had just come from a group where trimming is frowned upon!

Bogwitch.

--
Posted via a free Usenet account from http://www.teranews.com

Re: Defending yourself against Nazi IT departments

am 23.04.2007 09:13:25 von Bogwitch

Moe Trin wrote:
> On Sun, 22 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
> article , Bogwitch wrote:
>
>> Moe Trin wrote:
>
> True - we don't do as much training as we might, but the general class
> of users we have can make rational decisions about violating the well
> known policies and the possible consequences. But for the O/P trying to
> order frilly knickers, we have systems in the employee break areas
> that are completely isolated from the company network. They have
> enough software on them to allow our users to do such things, and
> they have a "guest" account for this purpose. When the user logs out,
> part of the .logout script clears the cache files and /home/guest/
> directory. The systems are running a Linux distribution, "guest" is
> just an ordinary user whose shell is rbash. Remember the 'cd' command
> to change directories? This shell doesn't have one, and doesn't
> accept a directory separator character in any command.

Agreed, we have a separate Internet access LAN for just such things. We
have controls in place to prevent corporate material from accidentally
being introduced to that LAN.
I am surprised that you allow anonymous logons to your Internet
workstations. How do you maintain accountability?

>> Difficult to quantify though! Do you know of any work that attempts to
>> explain the cost/ benefit of pre-emptive security?
>
> Ask your legal staff. I suspect they know of the benefits.

:) Our legal staff wouldn't know the first thing about cost/ benefit
concerning Information Security. It's an unusual environment.

Bogwitch.

--
Posted via a free Usenet account from http://www.teranews.com

Re: Defending yourself against Nazi IT departments

am 23.04.2007 13:00:29 von Anders Arnholm

BernieM skriver:

> One reason web filtering is at the workplace is to protect others from seeing /
> reading things that someone else has on their screen they might find
> offensive. People should not be subjected to offensive things in their
> workplace. You look at what you want in the privacy of your own home.

But the filters have never worked like that, they just make life
harder imho. The only thing it can help against is the ones getting
spyware installed that makes them unwillingly surf to somewhere they
don't like. But on the other hand if someone can get that into your
computers you have real problems and just getting a porn hijack is what
I call luck as the attack then probably didn't steal any important
information.

/ Balp
--
http://anders.arnholm.nu/ Keep on Balping

Re: Defending yourself against Nazi IT departments

am 23.04.2007 14:31:41 von BernieM

"Anders Arnholm" wrote in message
news:slrnf2p4ed.q97.Anders+news@tika.arnholm.se...
> BernieM skriver:
>
>> One reason web filtering is at the workplace is to protect others from
>> seeing /
>> reading things that someone else has on their screen they might find
>> offensive. People should not be subjected to offensive things in their
>> workplace. You look at what you want in the privacy of your own home.
>
> But the filters have never worked like that, they just make life
> harder imho. The only thing it can help against is the ones getting
> spyware installed that makes them unwillingly surf to somewhere they
> don't like. But on the other hand if someone can get that into your
> computers you have real problems and just getting a porn hijack is what
> I call luck as the attack then probably didn't steal any important
> information.
>
> / Balp
> --
> http://anders.arnholm.nu/ Keep on Balping

Yes content filtering does make it harder ... to surf non-work related web
sites from work. I'm part of an IT team in an insurance company with around
1,100 employees. Our IT security team split the workload associated with
releasing quarantined emails and web site classification etc. amongst two
people. Staff soon learn what is acceptable and what isn't and understand
why restrictions are necessary. Very few think they have some God-given
right to sit at their desk and surf the web while someone else does
their job.

Re: Defending yourself against Nazi IT departments

am 23.04.2007 15:39:02 von Anders Arnholm

BernieM skriver:
>
> "Anders Arnholm" wrote in message
>news:slrnf2p4ed.q97.Anders+news@tika.arnholm.se...

> people. Staff soon learn what is acceptable and what isn't and understand
> why restrictions are necessary. Very few think they have some God-given
> right to sit at their desk and surf the web while someone else does
> their job.

Sure the rules are necessary, there is very little need to do all
kinds of surfing while at work. The question is if the automatic
filtering adds in benefit and lowers the productivity more than it's
worth. Working with test environments for network equipment, I definitely
run into the content filters daily when trying to get into doing my
work. Hacking tools being the first that fail and some places that
host many sites including user related content in second place.
To find the very few that tried to porn surf too much during work hours
there are much better ways to do it. I'm not questioning the policy,
just the stupid ways to technically implement it. A content filter is a
technical solution to a human problem, these solutions always fail, a
social solution is needed. Not a technical one.

/ Balp
--
http://anders.arnholm.nu/ Keep on Balping

Re: Defending yourself against Nazi IT departments

am 23.04.2007 21:58:22 von ibuprofin

On Mon, 23 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
article <462c5054$0$16390$88260bb3@free.teranews.com>, Bogwitch wrote:

>Moe Trin wrote:

>> But for the O/P trying to order frilly knickers, we have systems
>> in the employee break areas that are completely isolated from the
>> company network. They have enough software on them to allow our
>> users to do such things, and they have a "guest" account for this
>> purpose. When the user logs out, part of the .logout script clears
>> the cache files and /home/guest/ directory. The systems are
>> running a Linux distribution, "guest" is just an ordinary user
>> whose shell is rbash. Remember the 'cd' command to change
>> directories? This shell doesn't have one, and doesn't accept a
>> directory separator character in any command.
>
>Agreed, we have a separate Internet access LAN for just such things. We
>have controls in place to prevent corporate material from accidentally
>being introduced to that LAN.

Layers. These boxes don't have removable media, so you can't move
software or data around. The 'rbash' shell not allowing a directory
character in a command or file name further blocks the possibility.
The company firewall blocks access to this address range. Actually,
the reason the O/P's idea won't work here is that we block access to
ALL local ISPs, from Comcast, SBC, Road Runner, etc., on down to the
"Mom and Pops" with a /24 and a T1.

>I am surprised that you allow anonymous logons to your Internet
>workstations. How do you maintain accountability?

"We" don't. The computers are owned by the employee association
rather than the company, and share a separate broadband connection
to a local ISP. The company provides power and physical space, but
that's it. Abuse is controlled by the fact that the systems have
limited capability, and by peer pressure.

>> Ask your legal staff. I suspect they know of the benefits.
>
>:) Our legal staff wouldn't know the first thing about cost/ benefit
>concerning Information Security. It's an unusual environment.

We had an industrial espionage incident back in the 1980s. There was
considerable screaming and gnashing of teeth. We're the company's R&D
division, and our income depends on corporate profits, not so much as
on sales. Information Security has a direct (as well as indirect)
effect on those company profits.

Old guy

Re: Defending yourself against Nazi IT departments

am 27.04.2007 13:05:41 von Bogwitch

Moe Trin wrote:

> Layers. These boxes don't have removable media, so you can't move
> software or data around. The 'rbash' shell not allowing a directory
> character in a command or file name further blocks the possibility.
> The company firewall blocks access to this address range. Actually,
> the reason the O/P's idea won't work here is that we block access to
> ALL local ISPs, from Comcast, SBC, Road Runner, etc., on down to the
> "Mom and Pops" with a /24 and a T1.

Interesting. Is that a publicly available list? It's not something
*I've* come across before....

>> I am surprised that you allow anonymous logons to your Internet
>> workstations. How do you maintain accountability?
>
> "We" don't. The computers are owned by the employee association
> rather than the company, and share a separate broadband connection
> to a local ISP. The company provides power and physical space, but
> that's it. Abuse is controlled by the fact that the systems have
> limited capability, and by peer pressure.

"Transferring the risk" :)

Bogwitch.

--
Posted via a free Usenet account from http://www.teranews.com

Re: Defending yourself against Nazi IT departments

am 27.04.2007 21:58:10 von ibuprofin

On Fri, 27 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
article <4631ccbc$0$16407$88260bb3@free.teranews.com>, Bogwitch wrote:

>Moe Trin wrote:

>> Actually, the reason the O/P's idea won't work here is that we block
>> access to ALL local ISPs, from Comcast, SBC, Road Runner, etc., on
>> down to the "Mom and Pops" with a /24 and a T1.
>
>Interesting. Is that a publicly available list? It's not something
>*I've* come across before....

We're using a privately compiled list, based on knowing the "local"
providers and the IP ranges they're using. Originally, it started as
firewall logs (who were our users connecting to), modified by whois
lookups. As for identifying the ranges for the larger providers like
Comcast, SBC, Road Runner, etc., I've seen lots of reports of DNSBL
blocklists available.

>> "We" don't. The computers are owned by the employee association
>> rather than the company, and share a separate broadband connection
>> to a local ISP. The company provides power and physical space, but
>> that's it. Abuse is controlled by the fact that the systems have
>> limited capability, and by peer pressure.
>
>"Transferring the risk" :)

A much more effective control. The systems are positioned so that
shoulder surfing is difficult, but you really wouldn't want to visit
your favorite pr0n site, as someone would likely detect this - I
haven't seen too many banks using _that_ for a splash screen.

Old guy
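The list-building Moe Trin describes in the two posts above (start from firewall logs of where users actually connect, map the destinations to provider ranges with whois, then have the company firewall reject those ranges), as an added Python example that is not code from the thread or from any poster. The log lines, provider names and address ranges are constructed for the example (RFC 5737 documentation prefixes stand in for real ISP allocations, and a fixed dictionary stands in for the whois lookups); the iptables-style `SRC=`/`DST=` log fields and the `LOG`/`REJECT` rule syntax are real, but whether they match a given firewall is an assumption.

```python
"""Egress blocklist of "local ISP" ranges built from firewall logs (added example).

Pipeline, following the approach described in the thread:
  1. pull outbound destination addresses out of firewall log lines,
  2. map each destination to the provider range containing it
     (the stand-in below for per-address whois lookups),
  3. emit a LOG + REJECT rule per matched range, busiest range first,
     and report destinations that still need a whois lookup.
All addresses, ranges and log lines are CONSTRUCTED (RFC 5737 prefixes).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of outbound log lines in iptables LOG-target style.
SAMPLE_LOG = """\
Apr 23 09:01:12 fw kernel: OUT=eth0 SRC=10.1.2.3 DST=203.0.113.45 PROTO=TCP DPT=443
Apr 23 09:01:15 fw kernel: OUT=eth0 SRC=10.1.2.9 DST=198.51.100.7 PROTO=TCP DPT=80
Apr 23 09:02:01 fw kernel: OUT=eth0 SRC=10.1.2.3 DST=203.0.113.200 PROTO=TCP DPT=8080
Apr 23 09:02:40 fw kernel: OUT=eth0 SRC=10.1.2.11 DST=192.0.2.10 PROTO=TCP DPT=443
Apr 23 09:03:05 fw kernel: OUT=eth0 SRC=10.1.2.3 DST=203.0.113.45 PROTO=TCP DPT=443
"""

# Constructed stand-in for the "privately compiled list" of local providers,
# i.e. what whois lookups of the destinations would have produced.
PROVIDER_RANGES = {
    "Example Cable (constructed)": ipaddress.ip_network("203.0.113.0/24"),
    "Mom-and-Pop DSL (constructed)": ipaddress.ip_network("198.51.100.0/24"),
}

DST_RE = re.compile(r"\bDST=(\d{1,3}(?:\.\d{1,3}){3})\b")


def destinations(log_text):
    """Count outbound destination addresses seen in the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DST_RE.search(line)
        if m:
            counts[ipaddress.ip_address(m.group(1))] += 1
    return counts


def classify(dest_counts, provider_ranges):
    """Map each destination to the first provider range that contains it.

    Returns (matched, unmatched): matched counts hits per network,
    unmatched lists addresses no known range covers (whois candidates).
    """
    matched = Counter()
    unmatched = []
    for addr, hits in dest_counts.items():
        for net in provider_ranges.values():
            if addr in net:
                matched[net] += hits
                break
        else:
            unmatched.append(addr)
    return matched, sorted(unmatched)


def render_rules(matched, chain="OUTPUT"):
    """One LOG rule and one REJECT rule per matched range, busiest first.

    Logging before rejecting keeps the attempt in the firewall log, which
    is the audit trail the thread keeps coming back to.
    """
    rules = []
    for net, hits in sorted(matched.items(), key=lambda kv: (-kv[1], str(kv[0]))):
        rules.append(f"iptables -A {chain} -d {net} -j LOG --log-prefix 'EGRESS-ISP: '  # {hits} hits")
        rules.append(f"iptables -A {chain} -d {net} -j REJECT")
    return rules


def build_blocklist(log_text=SAMPLE_LOG, provider_ranges=PROVIDER_RANGES):
    """Run the whole pipeline; returns (rule_lines, unmatched_addresses)."""
    matched, unmatched = classify(destinations(log_text), provider_ranges)
    return render_rules(matched), unmatched


if __name__ == "__main__":
    rules, unmatched = build_blocklist()
    print("\n".join(rules))
    print("# still to look up with whois:", ", ".join(map(str, unmatched)))
```

The unmatched list is the feedback loop in the post: each address the existing list does not cover gets a whois lookup, its allocation is added to the provider table, and the next run of the script folds it into the rules.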