I think the important point to take home is that while there are ways to get around these transparent proxies that they cannot ultimately defeat, it is surely going to be logged and likely set off an alarm bell somewhere that you're tunneling garbage or seemingly-random data. Ultimately, the result of a proxied SSL session should be lots of recognizable text, maybe some graphics, and possibly email attachments. If what they see is something else, then it's clear someone is trying to rig the system.
You're on company property using their resources, they're free to kick you out once they see you're trying to hide information from them.
Of course, if the point is to STOP all leaks, then obviously they cannot do that as your method would allow you to leak information before you can be stopped. But you will be flagged.
A former employer of mine (publicly traded) used to proxy all IM conversations. The technology they used wasn't quite as clever and robust though. Basically, they would just create their own A records in the company's DNS server for the various IM servers (Yahoo, AIM, MSN, etc.) that point to an internal appliance. The internal appliance would proxy the connection and sniff all the conversations.
They made it quite obvious because every time you logged in, you would get an automatic IM from "IM Administrator" informing you that the logging was taking place.
It was very easy to bypass though - either set the correct IP addresses in the hosts file of your PC or plug the IP addresses into your IM client. This was necessary sometimes because those of us with Linux workstations would not be allowed to use IM because our Linux workstations didn't have Active Directory computer accounts (used for tying AD users to IM conversations).
They didn't do any webmail logging though.
Not sure what policy mandated this. We were not in a sensitive industry like finance, healthcare, or defense. Just a medium-sized software company. May have just been IT's interpretation of SOX compliance requirements.
That's not entirely accurate (re: Google). Your search query has to go to Google's servers, where it might be logged and seen by someone at Google.
I tend to think it would be difficult to leak too much to Google that way (the search box only takes so many characters of input) but if you're paranoid enough it is a valid leak vector to worry about.
Not really. The spooks want to attack the platform the enemy is using and will have high value in compromising.
Linux and Mac computers don't manage the SCADA system in Iran's enrichment plants, nor do their military commanders, bureaucrats, etc. use Linux or Mac computers on a day to day basis.
Both Linux and Mac OS have had their share of embarrassing exploits.
To write proper documentation, I need to have access to the systems that you propose I should be shut off from. I don't have memory of the exact syntax of commands, etc.
Further, if you don't trust employees with system access why do you trust them to be in the office to not do something untoward?
I don't dispute or disagree that word would get around or even think it's a bad thing, but the employee may have grounds for a lawsuit if he finds out that there is some behind the scenes talking going on.
How can you be forced to wipe your personal laptop? What if you refused? Unless the company is offering me a decent severance, they're not getting that level of cooperation out of me when I'm being shown the door.
There is NO expectation of privacy on a private network.
And this is supposed to accomplish what? Pull a keyboard off an absent coworker's workstation.