Proxy Sites Offer Secret Passage to Myspace

JafSquared writes "As sites like MySpace.com gain popularity in young adults, schools all over are finding that taking measures to keep kids blocked out of these websites is becoming increasingly difficult. As this hype continues, proxy servers such as "Box of Prox" are springing up like wildfire. While system admins furiously work to diminish the strain placed on their school's local networks from sites like MySpace, these proxy sites are enabling easy access to restricted areas. However, schools aren't the only places that are feeling the heat. Proxies have also been becoming a bit of a complication in the workplace. To the more advanced user, the proxy server can become a tool for malicious intent as this article, delivering an anecdote with the termination of an employee, so poignantly details."

Proxies?

[Goaway]

Wow, Slashdot sure is on the CUTTING EDGE of TECHNOLOGY NEWS!

Re:Proxies?

[onebuttonmouse]

This isn't flamebait. Proxies have been a problem for years and years, the advent of web two-point-oh does not have any bearing on the problem.

Re:Proxies?

[kbox]

I don't know why hes post has been modded as troll, He has a point.
No wonder digg is getting more hits than slashdot now.

What with last weeks post about installing windows, and now this one "informing" us about proxy sites slashdot seem to be posting very trivial things now, Hardlly the cutting edge tech news site it used to be.

Re:Proxies?

no but schools network ADmins are certianly pretty incapable of doing their job if they are not using a whitelist instead of a blacklist.

Have only a list of acceptable sites. when blocked put a link to submit for approval and teachers in the class or room can click on the link they wanted, view that it is not a backdoor to myspace or someplace inappropriate and then click "allow" which add's it to the whitelist.

simple works great and has near immediate access to sites not on the whitelist.

Too bad most schools cant afford IT staff that has the brains to do this stuff. They have to spend all that cash on the sports programs!

Re:Proxies?

[deblau]

Or, proxies have been the solution for years and years. Depends on which side of the table you sit.

Do we have a war on social networking yet?

[Spazntwich]

I'm just waiting for more fallacious appeals to emotion in the fight against kids talking to one another.

Do politicians even consider how ridiculous their arguments are? Why, ghettos have become a haven for drug dealers, prostitutes, and other nerdowells! Do we ban ghettos? No, I believe parents simply teach their kids about the dangers of going there, and before they're old enough to understand that, the parents simply don't allow them to go there.

It's sad how human ignorance comes back with a vengeance with the emergence of any new technology or tool, without fail.

Re:Do we have a war on social networking yet?

[namityadav]

If school admins try to block sites that kids just HAVE to get to, then the kids will find a way to do so (Hint for Kids: Read about SSH / VPN). And once they know that they've found a way to bypass the school security, their curious minds would want them to check if they can now access porn this way too. The point that I am trying to make here is that the more freedom you try to take away, the more you're encouraging them to break the rules. I, for one, am happy that this will make at least a certain percentage of the kids aware of proxies, private networks etc. It's time that those nerds get to have some 'coolness' factor about them.

Re:Do we have a war on social networking yet?

[timeOday]

before they're old enough to understand that, the parents simply don't allow them to go there.

Which is exactly what they're trying to do. Stories like this inform parents that establishing those boundaries is harder than they thought.

Internet @ School

[toochoos]

I wonder why kids have internet access at school. Do someone really want them to have ADHD since childhood? Aren't they supposed to learn something while they sit in waiting to be online back home?

MySpace.com IS created to get into young adults

As sites like MySpace.com gain popularity in young adults ...

The last time I was in a young adult, I know I certainly gained popularity.

Needs more attentive blocking.

[celardore]

It is possible to filter out these sites with a little more work. For example, my company blocks any url that contains 'proxy'. It also filters most proxy sites that you can find on Google.

Also, if an admin notices they're getting a load of traffic to say http://surfinsecret.com/index.php?q=d3d3Lm15c3BhY2 UuY29t&hl=1111101001 then they could just visit that link, see what it was and block away.

I got around it by installing my own copy of phpproxy on my server and use it infrequently for certain sites. There's a lot of traffic to my domain anyway because I run an application my department uses on there, so it's fairly safe for me.

Next it will be SSH tunneling...

[martinultima]

My school district already hates me, just because I was using a VNC connection over an SSH tunnel to work on some stuff at home (yes, this was for a school project). For whatever reason they thought I was trying to access banned sites... funny thing is, I don't even like MySpace. Or any of those sites.

Re:welcome to 1995?

better news would have been to mention anonet since its vpn based it can transverse 99% of firewalls, not for malicious activity but to stop network admins spying on what you do, with the ability to use with randomly assigned ip addresses its also a great way to connect home to work securly.

Strain on networks?

[b0s0z0ku]

Set up a bandwidth-shaping/QoS-type system that guarantees certain computers (office computers, presentation boxes in classrooms) a certain bandwidth. The other computers can share the scraps from this. In order to prevent hogging of the scraps, also set up a system where the remaining bandwidth is doled out more or less equally to those who need it. With routers running Linux, this should be less difficult than it seems.

Blocking sites is a half-assed solution since students will always find a way to expend bandwidth. (Personally, I think that the 'net doesn't need to be in classrooms anyway. I went to HS from 1993 to 1997 and survived just fine without going online in school.)

-b.

Restrictions are evolutionary pressure

[Gopal.V]

The average kid in school, thinks proxies and mucking around with computer stuff are the realm of nerds, sitting in their parents' basement typing away, creating a pathetic online world to compensate for the real one upstairs.

But the moment, you introduce blockades to access to a "cool" thing like myspace or facebook, these talents become valuable in terms of utilization. More kids learn these, use these and try to out-do the other in terms of l33tness. If there aren't the artificial boundaries drawn by the authorities, these skills would have never been learnt, developed and hopefully put to good use in the future.

Whatever they block these with, they just raise the bar for the kids. Clever, curious and with the power of the rest of the internet behind them ... there's nothing that's totally blocked off. Probably threats to those who break the security and offer real world punishments maybe, but blocking it all is impractical. Of course, then there are those who prefer forbidden fruit to the ones in the fridge, for the momentary thrill of breaking some rules.

I remember breaking the proxy at a college where I was giving a talk. All I did was ssh -D 8080 into my box and bypassed the "security" of the campus network. But I did that by unplugging the monitor cable, running ssh and plugging the monitor back on in under 2 minutes.And lo, meebo.com suddenly worked. The kids thought I was some great genius or something. THat kind of ego-rush to a 17 year old teenager can drive them to do far more than just break firewalls to get kudos from their peers.

These kind of restrictions just favour the kids who learn to use the system, instead of just fighting it on the streets like the average politico.

Recent Joyous Discovery

[Balthisar]

Despite years of fiddling with my own home networks and hearing about ssh tunnelling, I'd never set up an ssh tunnel and never "got" the reasons for it. That's changed recently, and now I'm a convert. I know this is basic crap among most of the /. crowd, but here's how I can anonymously surf at work:

I have Proxomitron at work to get through the firewall. It acts as a local proxy server, and works with our something-Point firewall. It seems like only ports 80 and 23 are open. No port 22 for ssh, and no ports for email.

Using puTTY configured to look at the local proxy server, I establish the appropriate ssh tunnels to my Linux box at home. I don't know why this works, so any explanation would be cool. I'm using port 22 via the Proxomitron local http proxy over the corporate http proxy to my plain vanilla Linux box. Fscking mystery to my how it works, but it does. Setting up puTTY to work directly with the company firewall doesn't work, and I have no idea why. Proxomitron is required.

Of course now with all the right tunnels, I can use FireFox on my Linux box or even Safari on my Mac (if I leave it on) via VNC, and I have instant anonymous surfing. Yeah, I know I'm using a helluvalot of bandwidth, and I generally don't need or do any anonymous surfing anyway.

So, what's my traffic look like to my company IT boys for my interesting setup? I'm assuming that my secure ssh connection doesn't let anyone know what I'm doing over ssh; that's the point. But yet I have this traffic flowing out of Port 80 to Port 22 somehow, and it's either little tiny bursts when I'm working in bash, or it's a bandwidth hog if I'm using SAMBA or VNC over the connection.

-----
The whole initial point of the excercise was to talk to my MythTV box while on the road. All I wanted to do was ssh in to check my RAID status. I also had all kinds of ports open on my router so I could http into MythWeb, and Webmin, and MythStream, and SMB, and the router itself, and ftp, and generally a big mess. Now all I need is my single ssh port, and I'm good for everything without all of those open doors. At work I use puTTY, at the hotel I've got my iMac (remind myself to look for an ssh tunnel control panel so I don't have to keep using the shell).

Even with ssh, I'm subject to brute force attack, right? Wasn't there something like a magic knock I can setup so that I ping a certain sequence of ports in the right order, my ssh port opens up, otherwise being closed? Probably won't work for me, as I have a proprietary hardware router...

Re:Recent Joyous Discovery

It sounds like the firewall admins at your work are taking it pretty easy.....

Checkpoint (and any 'decent' firewall these days) has the ability to do protocol inspection and enforcement of things like HTTP and if the admins at your work either upgrade to an appropriate version of Checkpoint or simply enable the protocol inspectoin (if already running appropriate code) they can easily enable the function to stop you doing what your're doing.
 
...which then means you have to try to tunnel your traffic within a TLS session (over tcp 443). Because the payload is encrypted when passing the border firewalls there's nothing they can do to inspect the traffic besides ensure conformance with TLS/SSL standards (and your tunneled traffic does). It takes a bit more work to setup the local and remote proxies but works a treat once properly configured (and I support the Checkpoint and PIX firewalls at work and previously worked for Cisco in the security team). There's simply no way to stop it as long as HTTPs traffic is permittted by your work proxy and there's very few that would block it these days.
 
...but then your IT team should have fully locked down SOE images to prevent you installing and running your own apps (Cisco CSA works well), have disabled USB, CD and floppy drives to prevent other OSes being booted and be running with locked down switchport security to prevent unauthorised systems from attaching to the network etc etc etc. You know, the whole blended security thing....

...but then who of us works for a company that's willing to kick down dollars for sensible security measures?

Why I plan to homeschool my kids

[MikeRT]

Half of what I learned in high school, actually probably 2/3-3/4 of it, I learned online at school or on my own time. A lot of the stuff that I read was at one point or another restricted, like a lot of libertarian stuff (including the party site) was restricted because it advocated drug use.

That's how the pea-brained morons that make most filtering software think. Yet a friend of mine would pull up porn sites like pink.com (back in the day) and laugh about it.

I have been out of college for 6 months and so am young enough to remember high school life. It was a waste of my time. I plan to homeschool my kids because they shouldn't have to "fight the system" to get anything interesting out of it.

What?!?!?!

[Belial6]

What does the internet have to do with ADHD? Ohhhh... That's right. Anything we don't like kids doing must cause ADHD.

Re:Security

[generic-man]

For Yahoo Messenger and other IM programs, there are JavaScript clients like Meebo that have garnered a good reputation for being trustworthy. (How do you know it's secure? You don't, of course, but you don't do anything secure over IM anyway)

Similarly, it's only a matter of time before the MySpace cottage industry cranks out a few JavaScript programs to read and reply to MySpace messages, post to blogs, and whatever other services MySpace offers.

Filter Complainer

[Deviant+Q]

Just this last year, our school introduced an extremely-restrictive proxy that would often block legitimate research sites (as well as all the fun ones.) In addition to finding a few workarounds (ping to get IP address, use that instead; google translation; etc.), I wrote a happy little program that I distributed throughout the computer lab.

What did this program do? It ran in the background, monitoring Internet Explorer's address bar (couldn't find a nice API for Firefox, but mozilla.org was blocked anyway). When it detected that the proxy had taken over (http://www.lghs.net?blockedsite=mozilla.org&reaso n=ADULT-CONTENT), it sent a nice little email to the IT guy. It was very polite, just saying a sentence or two about how I believe site.com had been added to the filter list in error and I would request its removal. Multiply that by every blocked site ever visited, though... :-D.

(Yes, I know it's probably not moral to use school computers for this. Yes, I know he could have created an email filtering rule to send the messages to the trash. I liked it, and so did the users. *Shrug*.)

Re:Students vs. Public Schools

You had your grading, scheduling, and payroll systems on the same local network as the student lab computers? Sheesh.

I'm not the grandparent but I can respond to this. The way most K-12 systems are setup this is largely unavoidable. All computers are on one network within each school building. I know in the system I worked for most schools had one router and a class C of address space. The Internet access was provided by the state, and all sites ran through central office and through a firewall there. There was no way to provide completely seperate VLANs and routing because the state controlled the core routers and wouldn't do so. Our policy was that bookkeeping and other critical systems were kept off the network unless absolutely necessary.

Personally I wanted to use cheap Linux boxes as NAT routers/firewalls and put the entire office of each school behind one but that never came to be. It also never will, the system eliminated my position so now there is no network admin. Things will start falling part soon because I was the only person there who knew how to run most of the stuff I had implemented. (Which also greatly stabilized the network from how it was when I started. They had no network admin when I started either.)

Having the administrative systems on the same network as the computer lab and worrying about network hacking is sort of like teaching chemistry classes in the school cafeteria and worrying that students will poison the lunch.

Well yeah, but welcome to the reality of K-12 school systems. Often the network admins hands are tied by arbitary crap that's decided upstream. Even the most competent network admin can't do shit when they can't change parts of the network or the system refuses to buy the necessary equipment to implement even the simplest, cheapest solutions.

It's a pity that an insecure setup like that made it necessary to be so paranoid about your students -- whose education, after all, the computer lab exists to serve. I for one think it is cool to teach network programming to sophomores (or freshmen, for that matter). Isn't teaching the whole point?

I can tell you've never worked IT in a K-12 system, and so can anyone else who has. I've done systems and network administration for years and in places other than K-12, and K-12 is an absolute nightmare. The students are your enemies, there's no two ways around it. It's not all of them, some are simply curious, some really want to learn but quite a few simply want to do whatever the hell they want to do, when they want to do it, and don't give a damn about learning anything that they don't need to know to access their game/porn/social networking site. They'll damage software installs if they can, they'll hose profiles, they'll screw up entire labs to the point of near being unusable all so they can play a game. I've encountered every one of those situations, and it's very hard, and very time consuming to get ACLs and permissions exactly right on every single point of attack that they'll use. (Also keep in mind that in my case I had 18 sites to deal with and was the only network admin. A lot of time I simply didn't have time to get all the fine details exactly right because I had fires to put out in other schools.) They also use attacks that you'll never see anywhere else, and frankly it's amazing and scary both. If these kids would bother to direct that intensity at learning they'd probably end up being brilliant, as it is they're generally hardcore slackers who don't care if they get suspended or expelled as long as they can play their game one more time.

I don't think it's necessarily bad to teach network programming to sophomores, but you don't know the realities of K-12 network administration at all or you'd understand why the grandparent said it was a bad idea. It IS a bad idea the way most K-12 networks are forced to be designed, and until that part is fixed (and you'll have to talk to people much higher up the chain than your local system to get that fixed, like your state congresspeople) it will remain a bad idea.