Cyber Monday
am 23.11.2007 10:44:34 von chilly8
X-No-Archive: Yes
Cyber Monday is coming, and given the traffic through my proxy to
shopping sites, over the past few days, coming from corporate
network addresses, I expect to see a heavy volume of traffic
coming through my proxy on Monday, when people go online
from work to do their Christmas shopping through the various
online retailers.
On Tuesday, I had a peak load of 368 at 9:03 AM US Eastern time,
nearly all coming from corporate network addresses, and going
to every kind of shopping site imaginable. I expect the load
to possibly break my proxy software, forcing me to reboot
my server a couple of times.
For proxy site operators, like me, Cyber Monday is a busy
time for us, as we have to monitor the load, and re-boot
our machines, if the software should break under the load.
With a lot of employers blocking shopping sites, public
proxies, like mine, become INVALUABLE to the various
online retailers, as workers can bypass the filtering system,
using our proxies, and access the various shopping sites
and get their online Christmas shopping done. I am sure
a lot of the various online retailers LOVE what we do,
because we actually help increase their sales. Because of
us, they get more visits, and, in turn, more money.
Re: Cyber Monday
am 23.11.2007 18:50:55 von rpaque
Chilly8 wrote:
> For proxy site operators, like me, Cyber Monday is a busy
> time for us, as we have to monitor the load, and re-boot
> our machines, if the software should break under the load.
> With a lot of employers blocking shopping sites, public
> proxies, like mine, become INVALUABLE to the various
> online retailers, as workers can bypass the filtering system,
> using our proxies, and access the various shopping sites
> and get their online Christmas shopping done. I am sure
> a lot of the various online retailers LOVE what we do,
> because we actually help increase their sales. Because of
> us, they get more visits, and, in turn, more money.
>
>
I wonder how many people each year get fired for shopping while at work?
Re: Cyber Monday
am 23.11.2007 23:19:58 von jason
* Ryan P. :
>
> I wonder how many people each year get fired for shopping while at work?
Depends on the company, I suspect, but shopping not that many, I bet.
Listening to the radio, watching tv, warez, looking at porn I suspect a
lot more.
Jason
Re: Cyber Monday
am 24.11.2007 03:11:43 von slackerama
Ryan P. wrote:
> Chilly8 wrote:
>
>> For proxy site operators, like me, Cyber Monday is a busy
>> time for us, as we have to monitor the load, and re-boot
>> our machines, if the software should break under the load.
>> With a lot of employers blocking shopping sites, public
>> proxies, like mine, become INVALUABLE to the various
>> online retailers, as workers can bypass the filtering system,
>> using our proxies, and access the various shopping sites
>> and get their online Christmas shopping done. I am sure
>> a lot of the various online retailers LOVE what we do,
>> because we actually help increase their sales. Because of
>> us, they get more visits, and, in turn, more money.
>>
>>
>
>
> I wonder how many people each year get fired for shopping while at work?
That's precisely the reason I do all my surfing through an ssh tunnel
to my home server running a squid proxy, bypassing the corporate
monitoring completely.
Re: Cyber Monday
am 24.11.2007 06:31:55 von unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
am 24.11.2007 11:08:37 von rpaque
slackerama wrote:
>
> That's precisely the reason I do all my surfing through an ssh tunnel to
> my home server running a squid proxy, bypassing the corporate monitoring
> completely.
My company has monitoring software on each work station which includes
keyloggers and periodic screen captures. They will see that at some
point you went to kohls.com or target.com and searched for bath robes. :)
But, I'm sure your average small company doesn't dig down that far...
probably not large companies either, unless you're REALLY slacking at
work!
Re: Cyber Monday
am 24.11.2007 16:43:20 von unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
am 24.11.2007 17:04:13 von rpaque
Chilly8 wrote:
> X-No-Archive: Yes
>
> "Jason" wrote in message
> news:6nI1j.7884$mk6.655@fe089.usenetserver.com...
>> * Ryan P. :
>>> I wonder how many people each year get fired for shopping while at
>>> work?
>> Depends on the company I suspect but shopping not that many I bet.
>> Listening to the radio, watching tv, warez, looking at porn I suspect a
>> lot more.
>>
>
> As for the guy that mentions keyloggers in his workplace, there
> are programs out there that can hunt down and neutralise keyloggers.
>
>
Which ones actually work? A relative of mine recently purchased a
used computer off Craigslist, but won't let me wipe the HD and reinstall
the OS for safety. I've run Ad-Aware and Spybot and made sure the
router is secure... is there another program out there I can scan with?
I see lots of pretty banners on the internet, but don't trust most of
them!
Re: Cyber Monday
am 27.11.2007 02:54:39 von slackerama
>
> My company has monitoring software on each work station which includes
> keyloggers and periodic screen captures. They will see that at some
> point you went to kohls.com or target.com and searched for bath robes. :)
>
> But, I'm sure your average small company doesn't dig down that far...
> probably not large companies either, unless you're REALLY slacking at
> work!
LOL, well you'll soon realize that monitoring software or not,
companies have neither the time nor the resources to devote to watching
employee surfing habits. They put up a proxy to block inappropriate
sites (easily bypassed if you know what you're doing) and leave it at
that...
Re: Cyber Monday
am 27.11.2007 03:19:46 von chilly8
X-No-Archive: Yes
"slackerama" wrote in message
news:474B7B24.8000905@slacker.com...
>
> LOL, well you'll soon realize that monitoring software or not,
> companies have neither the time or the resources to devote to watching
> employee surfing habits. They put up a proxy to block inappropriate
> sites (easily bypassed if you know what you're doing) and leave it at
> that...
That is why people like me run public anonymity proxies, so that
people can bypass the company filtering proxy. And it is just a
matter of changing a few proxy settings to get the proxy to
work.
And I did see a lot of hits today on my proxy as people logged
in to shopping services, from work, through my proxy, so that
they could do their online shopping and the boss will NEVER
know what they were up to. The boss would know that someone
went to my proxy, but where they went beyond that, there is no
POSSIBLE way they could find out.
Re: Cyber Monday
am 27.11.2007 03:34:36 von Leythos
In article , chilly8@hotmail.com says...
> >
> > LOL, well you'll soon realize that monitoring software or not,
> > companies have neither the time or the resources to devote to watching
> > employee surfing habits. They put up a proxy to block inappropriate
> > sites (easily bypassed if you know what you're doing) and leave it at
> > that...
>
> That is why people like me run public anonymity proxies, so that
> people can bypass the company filtering proxy. And it is just a
> matter of changing a few proxy settings to get the proxy to
> work.
And yet it doesn't work like you claim - we have blocked 100% of
unapproved sites from our clients network using a simple concept - no
internet access to ANY site unless it is white-listed.
Your proxy servers are useless in this manner and any firewall permits
this.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Re: Cyber Monday
am 27.11.2007 03:50:34 von Sebastian Gottschalk
Chilly8 wrote:
> That is why people like me run public anonymity proxies, so that
> people can bypass the company filtering proxy. And it is just a
> matter of changing a few proxy settings to get the proxy to
> work.
Please look up the keyword "transparent proxy" in your tech manual. Please
read and understand.
Oh, and by the way, maybe you should look up a typical company's IT usage
agreement. Something about "not circumventing technical installations" and
"you'll get fired for it"...
> And I did see a lot of hits today on my proxy as people logged
> in to shopping services, from work, through my proxy, so that
> they could do their online shopping and the boss will NEVER
> know what they were up to. The boss would know that someone
> went to my proxy, but where they went beyond that, there is no
> POSSIBLE way they could find out.
And now, after you looked up "transparent proxy", you should also look up
"man-in-the-middle" and "root certificate installation".
Re: Cyber Monday
am 27.11.2007 04:27:28 von unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
am 27.11.2007 04:35:18 von unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
am 27.11.2007 05:13:57 von unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
am 27.11.2007 06:02:01 von rpaque
Chilly8 wrote:
> X-No-Archive: Yes
>
> Some people have wondered why they cannot see any posts from
> Leythos. I have found out that SuperNews blocks his posts for
> some reason. I have to use an anonymous posting service,
> news.aioe.org, to read his posts. Conversely, news.aioe.org
> blocks posts from RyanP, but I can read those on SuperNews.
That's odd. I post through my normal Roadrunner usenet server.
Re: Cyber Monday
am 27.11.2007 12:48:28 von Leythos
In article , chilly8@hotmail.com says...
> My proxy is an entry node onto the Tor network, so it's pretty well
> anonymous. The boss would know that a person connected to my
> proxy, but would know where a worker went beyond that. Being
> that it's a Tor entry proxy, it provides a good level of anonymity.
And it would stick out like a sore thumb in the monitoring and logs....
Re: Cyber Monday
am 27.11.2007 12:49:58 von Leythos
In article , chilly8@hotmail.com says...
> X-No-Archive: Yes
>
> "Leythos" wrote in message
> news:MPG.21b54c4bef68c763989859@Adfree.usenet.com...
> > In article , chilly8@hotmail.com says...
> >> >
> >> > LOL, well you'll soon realize that monitoring software or not,
> >> > companies have neither the time or the resources to devote to watching
> >> > employee surfing habits. They put up a proxy to block inappropriate
> >> > sites (easily bypassed if you know what you're doing) and leave it at
> >> > that...
> >>
> >> That is why people like me run public anonymity proxies, so that
> >> people can bypass the company filtering proxy. And it is just a
> >> matter of changing a few proxy settings to get the proxy to
> >> work.
> >
> > And yet it doesn't work like you claim - we have blocked 100% of
> > unapproved sites from our clients network using a simple concept - no
> > internet access to ANY site unless it is white-listed.
>
> Only ONE product made can do that, and it is very expensive.
> CyBlock will do this, for $799 per year per 10 users, so that
> would add up in a hurry. Solutions for white-listing are far
> more expensive than what some companies would want to pay.
No, every firewall on the market can do that, at least every quality
firewall on the market, and there is no subscription for it - it's part
of the native firewall function.
White listing in firewalls, as well as black listing, are a basic
function.
Re: Cyber Monday
am 27.11.2007 12:57:32 von Flash Gordon
Chilly8 wrote, On 27/11/07 04:13:
> X-No-Archive: Yes
>
> "Leythos" wrote in message
> news:MPG.21b54c4bef68c763989859@Adfree.usenet.com...
>> In article , chilly8@hotmail.com says...
>>>> LOL, well you'll soon realize that monitoring software or not,
>>>> companies have neither the time or the resources to devote to watching
>>>> employee surfing habits. They put up a proxy to block inappropriate
>>>> sites (easily bypassed if you know what you're doing) and leave it at
>>>> that...
>>> That is why people like me run public anonymity proxies, so that
>>> people can bypass the company filtering proxy. And it is just a
>>> matter of changing a few proxy settings to get the proxy to
>>> work.
>> And yet it doesn't work like you claim - we have blocked 100% of
>> unapproved sites from our clients network using a simple concept - no
>> internet access to ANY site unless it is white-listed.
>
> Only ONE product made can do that, and it is very expensive.
> CyBlock will do this, for $799 per year per 10 users, so that
> would add up in a hurry. Solutions for white-listing are far
> more expensive than what some companies would want to pay.
The approx 100UKP router I have can block proxies and any web site not
white listed (it does not allow many white-list entries). I'm sure that
the slightly more expensive firewalls companies tend to use can do an
even better job of it.
--
Flash Gordon
Re: Cyber Monday
am 27.11.2007 14:04:20 von Leythos
In article , spam@flash-gordon.me.uk says...
> Chilly8 wrote, On 27/11/07 04:13:
> > X-No-Archive: Yes
> >
> > "Leythos" wrote in message
> > news:MPG.21b54c4bef68c763989859@Adfree.usenet.com...
> >> In article , chilly8@hotmail.com says...
> >>>> LOL, well you'll soon realize that monitoring software or not,
> >>>> companies have neither the time or the resources to devote to watching
> >>>> employee surfing habits. They put up a proxy to block inappropriate
> >>>> sites (easily bypassed if you know what you're doing) and leave it at
> >>>> that...
> >>> That is why people like me run public anonymity proxies, so that
> >>> people can bypass the company filtering proxy. And it is just a
> >>> matter of changing a few proxy settings to get the proxy to
> >>> work.
> >> And yet it doesn't work like you claim - we have blocked 100% of
> >> unapproved sites from our clients network using a simple concept - no
> >> internet access to ANY site unless it is white-listed.
> >
> > Only ONE product made can do that, and it is very expensive.
> > CyBlock will do this, for $799 per year per 10 users, so that
> > would add up in a hurry. Solutions for white-listing are far
> > more expensive than what some companies would want to pay.
>
> The approx 100UKP router I have can block proxies and any web site not
> white listed (it does not allow many white-list entries). I'm sure that
> the slightly more expensive firewalls companies tend to use can do an
> even better job of it.
Yep, I can do it in a $1500 firewall, since we're talking about
businesses, and we already do it - simple, effective, easy.
The thing that people need to start understanding is that Web Access is
not a "Right" anywhere in the world, you don't need to give employees
access to the internet unless it is a business related function.
Re: Cyber Monday
am 27.11.2007 14:53:13 von unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
am 27.11.2007 17:33:27 von jason
* Chilly8 :
> However, it would not be known where someone went beyond
> my Tor entry proxy, or even my phpProxy (if I ever get the problem
> with it fixed). I had an incredible peak load on my Tor proxy, during
> Cyber Monday, as I thought I would, and the total number of hits
> to my proxy nobody would ever believe. But I can say that I had hits
> from THOUSANDS of corporate network addresses during
> Cyber Monday, as online shoppers logged on from work, through
> my proxy, to do their online holiday shopping. I am sure I more
> than did my part to contribute to the holiday economy yesterday,
> given the total number of hits to my proxy through the day, allowing
> people to bypass the company firewall and do their online holiday
> shopping.
Doesn't matter that we couldn't see where the connection went after
hitting your proxy, all we need to see is the connection to the proxy.
Assuming of course we were lazy enough to allow the connection in the
first place.
Jason
Re: Cyber Monday
am 27.11.2007 23:21:54 von Leythos
In article , chilly8@hotmail.com says...
> "Leythos" wrote in message
> news:MPG.21b5ce1386e57f4e98985a@Adfree.usenet.com...
> > In article , chilly8@hotmail.com says...
> >> My proxy is an entry node onto the Tor network, so it's pretty well
> >> anonymous. The boss would know that a person connected to my
> >> proxy, but would know where a worker went beyond that. Being
> >> that it's a Tor entry proxy, it provides a good level of anonymity.
> >
> > And it would stick out like a sore thumb in the monitoring and logs....
>
>
> However, it would not be known where someone went beyond
> my
It doesn't matter if they know what is being connected to, only that it
is not BUSINESS APPROVED - and that's as simple as it gets.
Re: Cyber Monday
am 28.11.2007 02:02:46 von slackerama
Sebastian G. wrote:
>
> Please lookup the keyword "transparent proxy" in your tech manual.
> Please read and understand.
Transparent proxies are useful against the general corporate
population, but get someone knowledgeable with ssh and transparent
proxies become a joke...aka 'useless'
Re: Cyber Monday
am 28.11.2007 04:13:59 von unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
am 28.11.2007 04:27:00 von unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
am 28.11.2007 05:50:47 von Leythos
In article , chilly8@hotmail.com says...
> I run an "elite" proxy, effectively
> making corporate transparent proxies USELESS in finding out
> where their final destination was.
>
> I set up the proxy that so people could circumvent the company
> firewall to listen to Live 365.
And the simple truth is that if they can't connect, because of a simple
firewall rule, that you won't be providing anything to them.
As said before, you don't understand SIMPLE FIREWALL methods or
concepts, you just don't understand anything about networking.
All quality firewall appliances allow for restrictions simple enough to
prevent your service from being reached while still allowing approved
company/business websites to be accessed without ANY chance of the users
reaching a proxy.
Re: Cyber Monday
am 28.11.2007 09:40:13 von unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
am 28.11.2007 12:41:11 von Brian Cryer
"Chilly8" wrote in message
news:fi8d0l$igr$1@aioe.org...
> "slackerama" wrote in message
> news:13kf237g00ucea2@corp.supernews.com...
>> That's precisely the reason I do all my surfing through an ssh tunnel to
>> my home server running a squid proxy, bypassing the corporate monitoring
>> completely.
>
>
> You are most correct there. With any proxy, including your own,
> they cannot determine where you went. They would know you
> were going to a proxy, but would NOT know where you went
> BEYOND that proxy.
Which in turn is why many companies block access to proxies.
--
Brian Cryer
www.cryer.co.uk/brian
Re: Cyber Monday
am 28.11.2007 12:48:04 von Leythos
In article , chilly8@hotmail.com says...
> Well, 14,000 users using my proxy, on Monday, to access shopping sites from
> work, can't be wrong. It proves the old saying "where there is a will,
> there is a way".
No, it proves that many companies don't believe in blocking first and
only business necessary sites/access second.
The default rule in firewalling is Block everything, then permit only
what is needed. Many of the newer admin types and many smaller business
owners will go with the Allow everything and block only what they
believe is a threat - just the opposite of how it should be.
So, what you're seeing is the users behind weak security solutions - you
are NOT seeing users from behind properly secured networks.
Again, you clearly show that you don't understand networking, firewalls,
security, how things actually work.
Re: Cyber Monday
am 29.11.2007 03:43:41 von unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
am 29.11.2007 03:52:02 von slackerama
> Which in turn is why many companies block access to proxies.
Which is why ssh is your best friend...show me a company that can
effectively block outbound ssh without disrupting normal outbound
business traffic and I have a bridge to sell you...
Re: Cyber Monday
am 29.11.2007 04:01:48 von Leythos
In article , chilly8@hotmail.com says...
> However, proxies are sprouting up like weeds so fast that the
> filtering companies cannot keep up with them half the time.
> Proxies come and go at such a huge rate, that they cannot keep
> up with them. And my proxy is one of thousands of them being
> operated as public proxies.
And a properly configured firewall solution does not need a "Filtering
Company" to identify them in order to prevent access to them.
As a matter of fact, all quality firewall appliances can block all
outbound access by default and then permit the admins to create rules
that allow access to "approved" sites only. Since the approved sites are
not proxy sites, there is no way for the user to abuse the company
resources and access yours or anyone else's services.
Re: Cyber Monday
am 29.11.2007 04:02:29 von Leythos
In article <474E2952.7060408@slacker.com>, slackerama@slacker.com says...
> > Which in turn is why many companies block access to proxies.
>
> Which is why ssh is your best friend...show me a company that can
> effectively block outbound ssh without disrupting normal outbound
> business traffic and I have a bridge to sell you...
If the outbound only permits access to approved sites then it doesn't
matter what you try.
Re: Cyber Monday
am 29.11.2007 10:41:27 von Brian Cryer
"Leythos" wrote in message
news:MPG.21b7f5a98518a04d989875@adfree.Usenet.com...
> In article , chilly8@hotmail.com says...
>> However, proxies are sprouting up like weeds so fast that the
>> filtering companies cannot keep up with them half the time.
>> Proxies come and go at such a huge rate, that they cannot keep
>> up with them. And my proxy is one of thousands of them being
>> operated as public proxies.
>
> And a properly configured firewall solution does not need a "Filtering
> Company" to identify them in order to prevent access to them.
>
> As a matter of fact, all quality firewall appliances can block all
> outbound access by default and then permit the admins to create rules
> that allow access to "approved" sites only. Since the approved sites are
> not proxy sites, there is no way for the user to abuse the company
> resources and access yours or anyone else's services.
Is that practical? I don't want to have to draw up a list of approved sites
for my company, the list would be almost never ending because many of our
staff use the internet for research which means they could legitimately end
up going almost anywhere.
Re: Cyber Monday
am 29.11.2007 10:48:52 von Brian Cryer
"slackerama" wrote in message
news:474E2952.7060408@slacker.com...
>
>> Which in turn is why many companies block access to proxies.
>
> Which is why ssh is your best friend...show me a company that can
> effectively block outbound ssh without disrupting normal outbound business
> traffic and I have a bridge to sell you...
Isn't it simply a case of blocking all traffic to a specific destination?
SSL is still layered over TCP. What the traffic is doesn't matter. Of course
(as Leythos will point out) that requires a decent firewall, or maybe not
given that my cheapo router at home lets me block specific destinations
(although probably not many).
Of course obtaining an up to date list of proxies, that would be a good
trick. My daughters at school know of more proxies than I do, maybe I should
ask them.
Re: Cyber Monday
am 29.11.2007 13:03:27 von unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
am 29.11.2007 13:14:02 von Brian Cryer
"Chilly8" wrote in message
news:fim9qg$dl4$1@aioe.org...
> X-No-Archive: Yes
>
> "Brian Cryer" wrote in message
> news:IvCdnRHQjribFtPanZ2dnUVZ8tGqnZ2d@pipex.net...
>> "slackerama" wrote in message
>> news:474E2952.7060408@slacker.com...
>>>
>>>> Which in turn is why many companies block access to proxies.
>>>
>>> Which is why ssh is your best friend...show me a company that can
>>> effectively block outbound ssh without disrupting normal outbound
>>> business traffic and I have a bridge to sell you...
>>
>> Isn't it simply a case of blocking all traffic to a specific destination?
>> SSL is still layered over TCP. What the traffic is doesn't matter. Of
>> course (as Leythos will point out) that requires a decent firewall, or
>> maybe not given that my cheapo router at home lets me block specific
>> destinations (although probably not many).
>>
>> Of course obtaining an up to date list of proxies, that would be a good
>> trick. My daughters at school know of more proxies than I do, maybe I
>> should ask them.
>> --
>
> Proxies come and go so fast, your lists would be out of date in no time.
> The various filtering vendors cannot keep up with it. Your daughter
> might be able to give you a list, but it will be out of date in no time.
Quite true. No argument there.
Re: Cyber Monday
am 29.11.2007 13:25:15 von Leythos
In article , brian.cryer@127.0.0.1.ntlworld.com says...
> "Leythos" wrote in message
> news:MPG.21b7f5a98518a04d989875@adfree.Usenet.com...
> > In article , chilly8@hotmail.com says...
> >> However, proxies are sprouting up like weeds so fast that the
> >> filtering companies cannot keep up with them half the time.
> >> Proxies come and go at such a huge rate, that they cannot keep
> >> up with them. And my proxy is one of thousands of them being
> >> operated as public proxies.
> >
> > And a properly configured firewall solution does not need a "Filtering
> > Company" to identify them in order to prevent access to them.
> >
> > As a matter of fact, all quality firewall appliances can block all
> > outbound access by default and then permit the admins to create rules
> > that allow access to "approved" sites only. Since the approved sites are
> > not proxy sites, there is no way for the user to abuse the company
> > resources and access yours or anyone else's services.
>
> Is that practical? I don't want to have to draw up a list of approved sites
> for my company, the list would be almost never ending because many of our
> staff use the internet for research which means they could legitimately end
> up going almost anywhere.
Yea, and it's what should be done. If you have a select group that does
research, using the web, you could (and should) create a different HTTP
rule for them, allowing them access to ALL of the web, but restrict them
using content/other filters to block most of the crap. The generic users
and others would fall under the block all except business rule.
We do this with managers in most companies, permit them to authenticate
with the firewall, or have their PCs in a reserved area (IP), and have
different rules for managers.
Either way, spotting an abuser is simple.
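The default-deny egress policy Leythos describes (block everything, whitelist business sites, a separate full-web-but-content-filtered HTTP rule for research users and managers) and Jason's point that seeing the connection to the proxy is all the admin needs, written out as an added example; this is not any poster's code, and it also takes in the "allow outbound SSH only from whitelisted hosts" rule from later in the thread. Every host name, user, address and log line is constructed.

```python
"""Default-deny egress policy with per-group exceptions, checked against
constructed firewall log lines.  Added example, not code from any poster."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# All names and addresses below are constructed for the example.
BUSINESS_SITES = {"intranet.example.com", "crm.example.com", "mail.example.com"}
RESEARCH_USERS = {"alice", "bob"}                       # authenticate to the firewall
MANAGER_NET = ip_network("10.0.5.0/24")                 # reserved range with its own HTTP rule
BLOCKED_CATEGORIES = {"anonymizer", "adult", "warez"}   # content filter for full-web users
SSH_ALLOWED_HOSTS = {ip_address("10.0.9.10")}           # only these may open outbound SSH


@dataclass
class Connection:
    src: str
    user: Optional[str]          # None when the client did not authenticate
    dst_host: str
    dst_port: int
    category: str = "uncategorized"


@dataclass
class Verdict:
    action: str                  # "ALLOW" or "DENY"
    rule: str                    # which rule decided
    alert: bool = False          # DENY events are what the admin reviews


def evaluate(c: Connection) -> Verdict:
    """Walk the rules top to bottom; anything not explicitly permitted is denied."""
    src = ip_address(c.src)
    # Outbound SSH: permitted only from whitelisted hosts, whatever the destination.
    if c.dst_port == 22:
        if src in SSH_ALLOWED_HOSTS:
            return Verdict("ALLOW", "ssh-whitelisted-host")
        return Verdict("DENY", "ssh-default-deny", alert=True)
    # Only HTTP/HTTPS counts as web access; every other port is denied by default.
    if c.dst_port not in (80, 443):
        return Verdict("DENY", "default-deny", alert=True)
    # Managers (reserved IPs) and authenticated research users get the whole web,
    # minus the categories the content filter blocks.
    if src in MANAGER_NET or c.user in RESEARCH_USERS:
        if c.category in BLOCKED_CATEGORIES:
            return Verdict("DENY", "content-filter", alert=True)
        return Verdict("ALLOW", "full-web-filtered")
    # Everyone else: business-approved sites only.  No list of proxies is needed,
    # because an unknown proxy is simply not on the whitelist.
    if c.dst_host in BUSINESS_SITES:
        return Verdict("ALLOW", "business-whitelist")
    return Verdict("DENY", "default-deny", alert=True)


def parse_line(line: str) -> Connection:
    """Parse one constructed log line: '<ts> src=.. user=.. dst=host:port cat=..'."""
    _ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    host, port = kv["dst"].rsplit(":", 1)
    user = None if kv.get("user", "-") == "-" else kv["user"]
    return Connection(kv["src"], user, host, int(port), kv.get("cat", "uncategorized"))


def review(lines: List[str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Group denied attempts by source host.  The admin sees the attempt to reach
    a proxy; where the user would have gone beyond it is irrelevant."""
    offenders: Dict[str, List[Tuple[str, int, str]]] = {}
    for line in lines:
        conn = parse_line(line)
        verdict = evaluate(conn)
        if verdict.alert:
            offenders.setdefault(conn.src, []).append(
                (conn.dst_host, conn.dst_port, verdict.rule))
    return offenders


# Constructed log lines: one generic user repeatedly trying a proxy and an SSH
# tunnel, a manager shopping, a research user hitting a categorised anonymizer.
SAMPLE_LOG = [
    "2007-11-26T09:01:12 src=10.0.7.21 user=- dst=intranet.example.com:443 cat=business",
    "2007-11-26T09:02:05 src=10.0.7.21 user=- dst=proxy.example.net:443 cat=uncategorized",
    "2007-11-26T09:02:40 src=10.0.7.21 user=- dst=proxy.example.net:80 cat=uncategorized",
    "2007-11-26T09:03:10 src=10.0.7.21 user=- dst=home.example.org:22 cat=uncategorized",
    "2007-11-26T09:04:00 src=10.0.5.4 user=- dst=shop.example.com:443 cat=shopping",
    "2007-11-26T09:05:30 src=10.0.7.30 user=alice dst=journal.example.edu:443 cat=research",
    "2007-11-26T09:06:00 src=10.0.7.30 user=alice dst=proxy.example.net:443 cat=anonymizer",
    "2007-11-26T09:07:00 src=10.0.9.10 user=- dst=git.example.org:22 cat=uncategorized",
]

if __name__ == "__main__":
    for src, attempts in review(SAMPLE_LOG).items():
        print(f"{src}: {len(attempts)} denied attempt(s)")
        for host, port, rule in attempts:
            print(f"    {host}:{port}  [{rule}]")
```

The manager's shopping connection is allowed under the full-web rule and never appears in the review, while the generic user's three attempts do, without the firewall ever having heard of that proxy.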
Re: Cyber Monday
am 29.11.2007 13:27:06 von Leythos
In article , chilly8@hotmail.com says...
> X-No-Archive: Yes
>
> "Brian Cryer" wrote in message
> news:IvCdnRHQjribFtPanZ2dnUVZ8tGqnZ2d@pipex.net...
> > "slackerama" wrote in message
> > news:474E2952.7060408@slacker.com...
> >>
> >>> Which in turn is why many companies block access to proxies.
> >>
> >> Which is why ssh is your best friend...show me a company that can
> >> effectively block outbound ssh without disrupting normal outbound
> >> business traffic and i have a bridge to sell you...
> >
> > Isn't it simply a case of blocking all traffic to a specific destination?
> > SSL is still layered over TCP. What the traffic is doesn't matter. Of
> > course (as Leythos will point out) that requires a decent firewall, or
> > maybe not given that my cheapo router at home lets me block specific
> > destinations (although probably not many).
> >
> > Of course obtaining an up to date list of proxies, that would be a good
> > trick. My daughters at school know of more proxies than I do, maybe I
> > should ask them.
> > --
>
> Proxies come and go so fast, your lists would be out of date in no time.
> The various filtering vendors cannot keep up with it. Your daughter
> might be able to give you a list, but it will be out of date in no time.
And that's why you have to adopt the idea that no one has a "Right" to
internet access for anything other than Business functions. They don't
have a right to personal use of the company network at all.
Block all access, approve only business legit sites, doesn't matter how
many new/old proxy are out there since they can't get to them at all.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Re: Cyber Monday
on 29.11.2007 13:58:49 by Ansgar -59cobalt- Wiechers
slackerama wrote:
>> Which in turn is why many companies block access to proxies.
>
> Which is why ssh is your best friend...show me a company that can
> effectively block outbound ssh without disrupting normal outbound
> business traffic and i have a bridge to sell you...
Easy:
- Allow outbound SSH only from whitelisted hosts,
- Allow outbound https only to whitelisted sites.
- Use a transparent proxy for all outbound http.
- Block all other outbound connections.
Besides, despite the encryption it is quite possible to distinguish
between SSH and https connections.
Try getting a clue before posting next time.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Cyber Monday
on 29.11.2007 21:18:07 by unknown
Post removed (X-No-Archive: yes)
Re: Cyber Monday
on 29.11.2007 22:24:41 by Leythos
In article , chilly8@hotmail.com says...
> X-No-Archive: Yes
>
> "Leythos" wrote in message
> news:MPG.21b879b547e9691f989877@adfree.Usenet.com...
> > In article , brian.cryer@
> > 127.0.0.1.ntlworld.com says...
> >> "Leythos" wrote in message
> >> news:MPG.21b7f5a98518a04d989875@adfree.Usenet.com...
> >> > In article , chilly8@hotmail.com says...
> >> >> However, proxies, are sprouting up like weeds so fast that the
> >> >> filtering companies cannot keep up with them half the time.
> >> >> Proxies come and go at such a huge rate, that they cannot keep
> >> >> with them. And my proxy is one of thousands of them being
> >> >> operated as public proxies.
> >> >
> >> > And a properly configured firewall solution does not need a "Filtering
> >> > Company" to identify them in order to prevent access to them.
> >> >
> >> > As a matter of fact, all quality firewall appliances can block all
> >> > outbound access by default and then permit the admins to create rules
> >> > that allow access to "approved" sites only. Since the approved sites are
> >> > not proxy sites, there is no way for the user to abuse the company
> >> > resources and access yours or anyone else's services.
> >>
> >> Is that practical? I don't want to have to draw up a list of approved sites
> >> for my company, the list would be almost never ending because many of our
> >> staff use the internet for research which means they could legitimately end
> >> up going almost anywhere.
> >
> > Yea, and it's what should be done. If you have a select group that does
> > research, using the web, you could (and should) create a different HTTP
>
> What you are talking about requires one filtering tool, CyBlock, with
> the most expensive annual licensing, $799 annually for just 10 users.
> CyBlock can handle specific groups and their filtering requirements,
> and can do whitelisting, and there is one European filter maker,
> though I cannot recall the name right now, that can whitelist, but
> unless you use these pricey filtering products, whitelisting is just
> not practical.
Again, you are WRONG:
1) Block all access except approved sites - ANY Firewall appliance can
do this as shipped - any real firewall has this function already, no
fee, no additional cost, no subscription.
2) Blocking based on Categories of Sites, yes, this has a subscription,
provides hourly/daily updates, still only allows access to approved
sites in the list or can be set to only block what is in the list. Cost
is under $200 per year in most cases, for the ENTIRE FIREWALL, not a
per-user cost.
3) Multiple, simple groups, for HTTP access:
3a - Default rule - block all except business approved sites.
3b - MANAGERS_Rule - allows access to search, etc... still most sites
blocked
3c - SoftwareUpdate_Rule - allow unlimited access by servers to specific
IP ranges for Windows Updates/AV updates (not for workstations).
4 rules for HTTPS:
4a - Default rule - block all except to business approved sites.
4b - Managers/Admins - Allow all HTTPS access.
And the list goes on....
cheap, easy, works well, completely blocks your crap from all users
except IT Admins in network.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Re: Cyber Monday
on 29.11.2007 22:43:46 by jason
* Chilly8 :
> What you are talking about requires one filtering tool, CyBlock, with
> the most expensive annual licensing, $799 annually for just 10 users.
> CyBlock can handle specific groups and their filtering requirements,
> and can do whitelisting, and there is one European filter maker,
> though I cannot recall the name right now, that can whitelist, but
> unless you use these pricey filtering products, whitelisting is just
> not practical.
>
>
Wrong as usual but then we've come to expect that from you.
Jason
Re: Cyber Monday
on 30.11.2007 02:19:34 by slackerama
> Easy:
>
> - Allow outbound SSH only from whitelisted hosts,
Good luck... do you have deep packet inspection where you are able to
filter by protocol? I doubt it. block port 22 I'll use 443 or whatever
else is available
> - Allow outbound https only to whitelisted sites.
Wouldn't want to manage that...you'd have people screaming at you all
day long to add sites and it's not practical from a business point of view
> - Use a transparent proxy for all outbound http.
Again, easily bypassed (haven't worked for a company yet that I
couldn't get around)
> - Block all other outbound connections.
No complaint there
> Besides, despite the encryption it is quite possible to distinguish
> between SSH and https connections.
True
> Try getting a clue before posting next time.
>
from one security expert to another.... touché
> cu
> 59cobalt
Re: Cyber Monday
on 30.11.2007 02:28:15 by slackerama
Ansgar -59cobalt- Wiechers wrote:
> slackerama wrote:
>>> Which in turn is why many companies block access to proxies.
>> Which is why ssh is your best friend...show me a company that can
>> effectively block outbound ssh without disrupting normal outbound
>> business traffic and i have a bridge to sell you...
>
> Easy:
>
> - Allow outbound SSH only from whitelisted hosts,
> - Allow outbound https only to whitelisted sites.
> - Use a transparent proxy for all outbound http.
> - Block all other outbound connections.
>
> Besides, despite the encryption it is quite possible to distinguish
> between SSH and https connections.
>
> Try getting a clue before posting next time.
>
from one security expert to another... touché
> cu
> 59cobalt
Do I really need to post a rebuttal to this??
Re: Cyber Monday
on 30.11.2007 03:30:17 by Leythos
In article <474F6526.8040509@slacker.com>, slackerama@slacker.com
says...
> Good luck... do you have deep packet inspection where you are able to
> filter by protocol? I doubt it. block port 22 I'll use 443 or whatever
> else is available
Won't work on a properly secured network.
You can't use 443 to connect to sites that are not approved at the
firewall.
While white-listing is VERY practical - As soon as businesses adopt the
ideals that users don't need internet service to work, and most don't,
then it becomes very simple and it doesn't take much time at all.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Re: Cyber Monday
on 30.11.2007 15:19:38 by chilly8
X-No-Archive: Yes
"Leythos" wrote in message
news:MPG.21b71f7dd2924928989868@adfree.Usenet.com...
> In article , chilly8@hotmail.com says...
>> Well, 14,000 users using my proxy, on Monday, to access shopping sites from
>> work, can't be wrong. It proves the old saying "where there is a will,
>> there is a way".
>
> No, it proves that many companies don't believe in blocking first and
> only business necessary sites/access second.
>
> The default rule in firewalling is Block everything, then permit only
> what is needed. Many of the newer admin types and many smaller business
> owners will go with the Allow everything and block only what they
> believe is a threat - just the opposite of how it should be.
At one figure skating event we are broadcasting, when the Compulsory
Dance fell during the working hours in Europe, on Thursday, there
were a large number of connections coming from corporate IPs
in Europe. Ice Dance is far more popular in Europe, than in the
Americas (which is why European nations usually win all the
medals), so I do see a lot of connections to my station from
Europe whenever ice dancing is on. And with yet another
possible judging scandal developing among Russian judges, it
is keeping more people glued to ice dancing broadcasts. I do
expect that in the Grand Prix Final, this will drive up traffic
to coverage of the event, when the ice dancing is going on,
as people will want to see what happens between Belbin/Agosto
and Dominina/Shabalin. In fact, the ice dance on Friday,
14th December will fall during the working hours in America,
so I expect to see a lot of hits from corporate IPs in the U.S.
starting at around 12:30 PM Eastern Standard Time that
day. The talk in the various figure skating boards about
another possible Russian judging scandal, in the ice dancing
event, is already driving up traffic to sites where skating coverage
is available. The fact that one very controversial Russian judge
will be on the dance judging panel, in Torino, is going to drive
the traffic up, considerably, to coverage of that part of the Grand
Prix Final.
Re: Cyber Monday
on 30.11.2007 19:27:49 by Ansgar -59cobalt- Wiechers
slackerama wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> slackerama wrote:
>>>> Which in turn is why many companies block access to proxies.
>>> Which is why ssh is your best friend...show me a company that can
>>> effectively block outbound ssh without disrupting normal outbound
>>> business traffic and i have a bridge to sell you...
>>
>> Easy:
>>
>> - Allow outbound SSH only from whitelisted hosts,
>> - Allow outbound https only to whitelisted sites.
>> - Use a transparent proxy for all outbound http.
>> - Block all other outbound connections.
>>
>> Besides, despite the encryption it is quite possible to distinguish
>> between SSH and https connections.
>>
>> Try getting a clue before posting next time.
>>
> from one security expert to another... touche
>> cu
>> 59cobalt
>
> Do I really need to post a rebuttal to this??
To address the points you tried to make in the post you apparently
cancelled (MID <474F6526.8040509@slacker.com>):
>> - Allow outbound SSH only from whitelisted hosts,
>
> Good luck... do you have deep packet inspection where you are able to
> filter by protocol? I doubt it.
We don't have an application level filter in place, because our
employees are allowed to use the internet for their own purposes (as
long as they don't overdo it). However, if I had the need to filter at
application level I'd probably use something like l7-filter:
http://l7-filter.sf.net/
> block port 22 I'll use 443 or whatever else is available
There isn't anything else available to you.
- 22/tcp is allowed only from whitelisted hosts on the LAN
- 80/tcp and 443/tcp are redirected transparently to the proxy, which
allows https connections only to whitelisted domains
- 53/udp and 53/tcp are allowed only from the company's DNS servers
- 25/tcp is allowed only from the company's mail server
- everything else is blocked
>> - Allow outbound https only to whitelisted sites.
>
> Wouldn't want to manage that...you'd have people screaming at you all
> day long to add sites and it's not practical from a business point of
> view
Users don't need to access that many sites using SSL for their work, and
the sites they need to access don't change that frequently, so contrary
to your belief it is quite manageable.
>> - Use a transparent proxy for all outbound http.
>
> Again, easily bypassed (haven't worked for a company yet that I
> couldn't get around)
Get around a transparent proxy? Do you even understand how a transparent
proxy works? The router indiscriminately redirects all traffic on the
given ports to the proxy (and you're not allowed to establish outbound
connections on other ports), so pray tell how you think you can get
around that.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
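The following is an added example, not code posted by anyone in this thread. It models the two egress designs argued for above as one policy: Leythos's "block all, approve only business sites, separate rule for managers" and Ansgar's port-by-port list (22/tcp only from whitelisted hosts, 80/443 redirected to a transparent proxy that allows https only to whitelisted domains, 53 and 25 only from the resolvers and mail server, everything else blocked). It also shows why "I'll just use 443" does not help and why SSH and https can be told apart despite encryption: an SSH peer opens with a cleartext "SSH-2.0-..." identification string, a TLS client with a ClientHello handshake record. All addresses, host names, group membership and the sample connections are constructed for the example.

```python
"""Model of the default-deny egress policy discussed in this thread.

Added illustration, not code from any poster. Encodes Leythos's group rules
and Ansgar's per-port whitelist, plus the SSH-vs-TLS first-bytes check.
All addresses, names and sample connections below are constructed.
"""
from dataclasses import dataclass

# Constructed policy tables (in practice these come from the firewall config).
SSH_HOSTS = {"10.0.5.10"}                       # may open 22/tcp outbound
DNS_SERVERS = {"10.0.1.53"}                     # only source allowed to port 53
MAIL_SERVERS = {"10.0.1.25"}                    # only source allowed to 25/tcp
MANAGER_HOSTS = {"10.0.9.5"}                    # "Managers" rule: any https site
APPROVED_HTTPS = {"erp.example.com", "bank.example.net"}  # default https whitelist


@dataclass(frozen=True)
class Conn:
    src: str                  # source IP inside the LAN
    proto: str                # "tcp" or "udp"
    dport: int                # destination port
    dst: str                  # destination host name or IP
    first_bytes: bytes = b""  # what the client sent first (seen by the proxy)


def classify_stream(first_bytes: bytes) -> str:
    """Tell SSH from TLS by the cleartext start of the stream.

    SSH peers begin with an identification string "SSH-<ver>-...", while a
    TLS client begins with a handshake record: content type 0x16, version
    0x03 0x0X, two length bytes, then handshake type 0x01 (ClientHello).
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"


def proxy_decision(conn: Conn) -> str:
    """Decision of the transparent proxy for a redirected 80/443 connection."""
    if conn.dport == 80:
        return "allow"      # plain http is proxied (and content-filtered there)
    if conn.src not in MANAGER_HOSTS and conn.dst not in APPROVED_HTTPS:
        return "deny:https-not-whitelisted"
    if classify_stream(conn.first_bytes) != "tls":
        return "deny:not-tls-on-443"   # e.g. an SSH client pointed at port 443
    return "allow"


def firewall_decision(conn: Conn) -> str:
    """Edge firewall: whitelist by source/port, redirect web ports, deny the rest."""
    if conn.proto == "tcp" and conn.dport == 22:
        return "allow" if conn.src in SSH_HOSTS else "deny:ssh-host-not-whitelisted"
    if conn.proto == "tcp" and conn.dport in (80, 443):
        return proxy_decision(conn)     # redirected to the proxy, never a direct path out
    if conn.dport == 53:
        return "allow" if conn.src in DNS_SERVERS else "deny:dns-only-from-resolvers"
    if conn.proto == "tcp" and conn.dport == 25:
        return "allow" if conn.src in MAIL_SERVERS else "deny:smtp-only-from-mailserver"
    return "deny:default"


# Constructed first bytes: an SSH banner and a TLS 1.2 ClientHello record start.
SSH_BANNER = b"SSH-2.0-OpenSSH_4.7\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"

SAMPLES = {
    "workstation ssh out":        Conn("10.0.7.20", "tcp", 22, "203.0.113.7", SSH_BANNER),
    "workstation ssh via 443":    Conn("10.0.7.20", "tcp", 443, "203.0.113.7", SSH_BANNER),
    "manager ssh via 443":        Conn("10.0.9.5", "tcp", 443, "203.0.113.7", SSH_BANNER),
    "workstation approved https": Conn("10.0.7.20", "tcp", 443, "erp.example.com", TLS_HELLO),
    "workstation external dns":   Conn("10.0.7.20", "udp", 53, "198.51.100.53"),
    "workstation odd port":       Conn("10.0.7.20", "tcp", 8080, "203.0.113.7"),
    "jump host ssh out":          Conn("10.0.5.10", "tcp", 22, "203.0.113.7", SSH_BANNER),
}


def evaluate_samples() -> dict:
    """Run every constructed connection through the policy and collect verdicts."""
    return {name: firewall_decision(c) for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:28s} -> {verdict}")
```

The order of checks in `proxy_decision` mirrors the thread: an ordinary workstation is stopped by the https whitelist before the proxy ever looks at the payload, and even a host allowed to reach any https site (the managers rule) is stopped when the stream on 443 is not TLS. The first-bytes check is a simplification of what an application-level filter such as the l7-filter project mentioned above does with pattern matching.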