an option for google groups users

Discussion in 'UK Motorcycles' started by dog, Sep 13, 2007.

  1. dog

    dog Guest

    a tip for darsy and the like who have had their work internet access
    castrated by dopey sysadmins who think that cutting off outbound port 22
    access will result in fewer windows virus infections.

    exactly this happened to me the other day, but i worked out a solution
    by setting up a private http proxy (squid) on port 80 and using
    corkscrew

    http://www.agroman.net/corkscrew/

    to tunnel ssh over http using this proxy.

    obviously you need to have access to a server that can see the internet
    at large (and which doesn't have anything else running on port 80, or
    whichever other port your sysadmins haven't blocked), but it will support
    anything you can tunnel over ssh, which is most things.
     
    dog, Sep 13, 2007
    #1

  2. dog

    Switters Guest

    Maybe they just have no business need for allowing SSH, NNTP, whatever
    through the firewall. It is theirs after all.
     
    Switters, Sep 13, 2007
    #2

  3. dog

    dog Guest

    i'm giving their stated reason. and frankly, the "business need" is to keep
    me from fucking off and working for someone else, like the reason they buy
    me a chair instead of making me work standing up.
     
    dog, Sep 13, 2007
    #3
  4. dog

    TOG Guest


    Nice, very nice.
     
    TOG, Sep 13, 2007
    #4
  5. dog

    Switters Guest

    Have you tried that line on management yet?

    "I need usenet access so I can slack off, else I'm fucking off."
    "Bye."
     
    Switters, Sep 13, 2007
    #5
  6. dog

    Cab Guest

    Nice. For those that use *nix at work. Mind you, I am setting up a
    virtual server on my work PC at the mo with Redhat. I'll give it a
    crack.


    --
    Cab :^) - I'm dyslex-spic apparently
    GSX 1400 - Speedy Zimmerframe.
    UKRMMA#10 (KOTL), IbW#015, BoB#4, POTM#3, SKA#1
    email addy : ukrm_dot_cab_at_rosbif_dot_org
    The gingeometer: http://www.rosbif.org/ukrm/gingeometer/
     
    Cab, Sep 13, 2007
    #6
  7. dog

    Bod43 Guest

    I am pretty sure that ssh will work on any port. (Maybe that is what
    was just said:). Just set the ssh server to your desire.

    One reason for blocking it (sort of:) is that as mentioned you can
    tunnel anything over it and since it is encrypted no one can see
    what is afoot. Customer database leaves premises quietly.
     
    Bod43, Sep 13, 2007
    #7
  8. dog

    Ofnuts Guest


    Customer database can leave the premises in USB key/disk, MP3 player,
    Mobile phone... and if it's bigger they would notice the traffic.

    I used to work for a company who didn't trust us developers (who were
    nevertheless shareholders) to not export the code, so they gave us PCs
    without CD writers. But they forgot to block USB ports. And totally
    overestimated the size of the source code. Few programmers write more
    than 4k of working source code per day.
     
    Ofnuts, Sep 13, 2007
    #8
  9. dog

    Cab Guest

    Correct, it's just a simple change in your ssh setup. However, if your
    co blocks _all_ ports apart from basics such as http, https, ftp, etc,
    you're still stuffed. As I am.

    I don't think that's the case. I take my laptop home with me every day,
    as do countless others.


    --
    Cab :^) - I'm dyslex-spic apparently
    GSX 1400 - Speedy Zimmerframe.
    UKRMMA#10 (KOTL), IbW#015, BoB#4, POTM#3, SKA#1
    email addy : ukrm_dot_cab_at_rosbif_dot_org
    The gingeometer: http://www.rosbif.org/ukrm/gingeometer/
     
    Cab, Sep 14, 2007
    #9
  10. <Points to Openssh for Windows>

    You can run ssh on just about anything y'know - I even have a version
    for Windows Mobile..

    Phil.
     
    Phil Launchbury, Sep 14, 2007
    #10
  11. dog

    dog Guest

    you can do this, but any automated protocol detection system will see that
    you're not actually doing http over port 80 and report you sharpish.
    customer database can leave premises on a usb key without systems seeing
    what is afoot, and it's orders of magnitude easier for your average numpty
    to achieve.

    with a little more effort, customer database can be encrypted and uploaded
    to a remote http server as form data.
     
    dog, Sep 14, 2007
    #11
  12. dog

    Eddie Guest

    However, you should be able to run your ssh server on port 443, and tell
    your ssh client to use the correct HTTPS protocol. The connection just
    looks like standard HTTPS as far as the proxy is concerned.

    That's what I used to do, anyway.
     
    Eddie, Sep 14, 2007
    #12
  13. dog

    Eddie Guest

    See my reply to dog...
     
    Eddie, Sep 14, 2007
    #13
  14. Depends on whether your network people do the "block everything and only
    open approved ports" routine (and only via proxies - which will of course
    do protocol sniffing[1] and (as you say) kick you out for invalid use)

    Of course for some protocols (https) proxying is a little more tricky
    as it's an encrypted protocol - when I was playing with it a number of
    years back it was strictly a packet-forwarding proxy rather than a full
    application-level proxy.
    Most of these systems are put in in large organisations where the
    people in charge have very little idea how the technology actually
    works - a fact that the firewall vendor salesweasels take full
    advantage of.

    Let's not forget the other possibility - printing out the juicy bits and
    taking it out in chunks..

    Phil.
     
    Phil Launchbury, Sep 14, 2007
    #14
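    Posts #11, #12 and #14 turn on the same point: a proxy or IDS that sniffs the
    application protocol will notice SSH being pushed over port 80 (with or without
    a CONNECT request in front of it, as a corkscrew-style client sends) or over
    443 where a TLS ClientHello is expected. The detector below is an added
    example written for this thread, not code from the thread or from corkscrew
    or squid; the client addresses, hostnames and first-bytes captures are
    constructed, and the CONNECT/response exchange is simplified to the client's
    side of the stream.

```python
import re

# Constructed first bytes of client->server streams as an egress proxy or IDS
# would see them (not real captures). The CONNECT flow mimics what a
# corkscrew-style client sends just before the SSH banner.
SAMPLE_FLOWS = [
    ("10.0.0.5", 80,  b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xf4, 0x01, 0x00, 0x00, 0xf0, 0x03, 0x03])),
    ("10.0.0.7", 80,  b"SSH-2.0-OpenSSH_4.7\r\n"),          # raw ssh on 80
    ("10.0.0.9", 80,  b"CONNECT ssh.example.net:80 HTTP/1.0\r\n\r\nSSH-2.0-OpenSSH_4.7\r\n"),
    ("10.0.0.9", 443, b"SSH-2.0-OpenSSH_4.7\r\n"),          # ssh on 443, not TLS
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
# A CONNECT request line, optional headers, then the blank line ending the request.
CONNECT_RE = re.compile(rb"\ACONNECT \S+ HTTP/1\.[01]\r\n(?:[^\r\n]*\r\n)*\r\n")

def classify(data: bytes) -> str:
    """Return the application protocol the first bytes of a stream look like."""
    m = CONNECT_RE.match(data)
    if m:
        # Inspect what the client pushes through the tunnel after the CONNECT.
        inner = data[m.end():]
        return "tunnelled-" + classify(inner) if inner else "http-connect"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: handshake (0x16), version 3.x, and a ClientHello (0x01)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    return "unknown"

# What each policed port is allowed to carry; CONNECT may only carry TLS.
EXPECTED = {80: {"http", "http-connect", "tunnelled-tls"}, 443: {"tls"}}

def flag_mismatches(flows):
    """Return one alert string per stream whose protocol does not fit its port."""
    alerts = []
    for client, port, data in flows:
        proto = classify(data)
        allowed = EXPECTED.get(port)
        if allowed is not None and proto not in allowed:
            alerts.append(f"{client} -> tcp/{port}: saw {proto}, expected {'/'.join(sorted(allowed))}")
    return alerts

if __name__ == "__main__":
    for line in flag_mismatches(SAMPLE_FLOWS):
        print(line)
```

    Run against the constructed flows it reports the raw SSH on 80, the
    SSH-behind-CONNECT on 80 and the SSH on 443, and stays quiet on the genuine
    HTTP and TLS streams.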
  15. dog

    Switters Guest

    Do you mean there are actually companies that *don't* do that?
     
    Switters, Sep 14, 2007
    #15
  16. dog

    ginge Guest

    Yep.

    I've got pretty much open internet access at work, no issues running
    MSN, NNTP, Pop3, terminal services sessions, or pretty much any app I
    chose.

    We do have a corporate security policy which includes firewall software
    on everybody's local machine though, and a restrictive (but user
    modifiable) standard policy.

    Perhaps the fact I work for a technology company is the reason they
    trust the userbase.
     
    ginge, Sep 14, 2007
    #16
  17. Mine (for one). We do maintain audit trails of activity (web/ftp
    activity) and a log of 'other non-recognised network traffic' but
    otherwise it isn't that restricted.

    What we *do* have is pretty strong virus scanning of all inbound and
    outbound network traffic.

    Phil.
     
    Phil Launchbury, Sep 14, 2007
    #17
  18. *Ding*

    You can do what you like here - but be aware that it's logged.. (well -
    except for my ssh sessions of course - there have to be *some*
    advantages to being the network manager as well as the IT manager..)
    Same here. Our standard anti-virus package includes a proper local
    firewall (and the users can't switch it off).
    Indeed. Although the people that give me the most grief tend to be the
    programmers..

    Phil
     
    Phil Launchbury, Sep 14, 2007
    #18
  19. dog

    Cab Guest

    Ah, I forgot about that. Actually, I used to use 443, until I played
    around with an https server for a while, then I forgot about it.

    --
    Cab :^) - I'm dyslex-spic apparently
    GSX 1400 - Speedy Zimmerframe.
    UKRMMA#10 (KOTL), IbW#015, BoB#4, POTM#3, SKA#1
    email addy : ukrm_dot_cab_at_rosbif_dot_org
    The gingeometer: http://www.rosbif.org/ukrm/gingeometer/
     
    Cab, Sep 14, 2007
    #19
  20. dog

    Cab Guest

    Can you email me the link please? I've searched for decent ssh clients
    on WM, but not found anything really great.

    --
    Cab :^) - I'm dyslex-spic apparently
    GSX 1400 - Speedy Zimmerframe.
    UKRMMA#10 (KOTL), IbW#015, BoB#4, POTM#3, SKA#1
    email addy : ukrm_dot_cab_at_rosbif_dot_org
    The gingeometer: http://www.rosbif.org/ukrm/gingeometer/
     
    Cab, Sep 14, 2007
    #20