Posted: 3/10/2008 4:03:09 PM EDT
| How would someone go about using the internet at work without being detected? I saw a thread somewhere on here about using a flash drive with some different programs installed on it. But I am not really sure if that works for what I want. |
|
We have had people try that here at work, but here's the thing: #1: There is always something logged on the computer. It might not be much, but there will be a general indication of what happened. #2: Any good company will have a filter at the network firewall that will log, block, & report on where people are going on the internet. Also, even if you boot the workstation from a Linux CD or Flash Drive, it will log what IP address the traffic came from. The admins can still track you down, but they will be pissed that you made them work.  Here is an example of some logging from our Websense server this weekend. The names have been changed to protect the   Damn third shift guys. 
|
No. Nothing on the internet is anonymous. No matter what some people tell you. |
I haven't done it yet, but it's on my list of things to do members.shaw.ca/nicholas.fong/vnc/ |
it's for that reason that a lot of companies disallow SSH outbound. Any admin worth his/her salt would have a firewall drop that connection immediately. They probably have an exception to their own MAC address, however. |
there's always ninjaproxy.com, but admins will block a lot of free proxies, too. I do. Work is for work, and anything else is taking money from your employer's pocket. Good thing I don't have any such silly policies at my business. 
|
| Thats why I put in the admin bit. Any admin worth his salt will know what you are doing in most cases even though you try to be shady. Sometimes they don't say anything if they don't mind you and you don't abuse it. I stick to your rules myself. Plus once I get working I prefer not taking breaks as it breaks me out of my groove. |
i see some of my users trying the SSH tunnel to linux box at home running a SOCKS proxy + FF portable for browsing (i give them points for effort), but they forget that all DNS resolution is occouring locally... DOH!, even if they figure that out, we have desktop authority running on all machines joined to the domain that includes a VNC application that allows us to see what they have on their desktops at all times, completely independent of all HTTP traffic. basically, if you are on a machine in my domain, or using my network/internet connection, you are my bitch. i don't actively block content, but i monitor everything and regularly check the logs. harmless browsing is allowed if you are getting your work done, but otherwise i will give you just enough rope to hang yourself  if it were me trying to browse unallowed content at work, i would just pay for internet access through a cell company and use a personal laptop. the best option is, by far, to do your work at work and then browse your donkey + midget pr0n at home |
lawls. DNS logging is quality. That'll smoke people every time. They may be able to open an SSH tunnel to their house, but unless I give them permission, they're still using my DNS. I log from my router back to a dump file on a server. Sooner or later I'll buy a Security Context License for my Cisco ASA that will do all the work for me, but the office I'm in only has about six people in it. |
I believe current version of FF has remote DNS set to true |
Who said anything about spankin' it? And for all the "work is for work" people... What if you have a job that entails you sitting and waiting for the phone to ring. Not like you can do anything unless people call... |
The basic idea behind any kind of networking is to NEVER trust your connection to a network other than your own. You do not know what kind of tools they have, what content they can see, what kind of spoofing is deployed, etc... What this means is that I would avoid going to your online bank account, your CC account, library account, email account, ANY account....AR15 account even. Because there are hostile networks and you cant trust anyone. Can you guarantee that at your work, your system admin didnt spoof the network to obtain user names and passwords from users who access login sites? see how simple it really is: ARP poisoning SSH tunneling is the most secure and what I would recommend for any kind of potentially hostile network (which would be any network other than your own) Actually, VPN is probably more secure than SSH, because you become part of your home network (if that is what you are VPNing into) remotely. |
|
In the past when I've worked at fascist organizations I've used an SSH tunnel to my home machine. Using the tunnel I can run Remote Desktop and remotely control a machine there, so all the actual midget pr0n surfing is happening over my home connection. I have also used an SSH tunnel to access a SOCKS5 proxy, but as others have said make sure you understand the DNS implications or you're 0wn3d. These days with firewall admins getting smarter you may need to use something like HTTPTunnel. Ultimately, though, if your company is willing to expend enough time and energy they can detect and block all of these countermeasures. If that happens (and for some reason you still want to work there) get a broadband card and a small laptop and fuck'em. |