At work computers



Power_Of_Rotary
05-04-2013, 04:49 PM
I know most companies block employees from using web browsing for personal use. I was wondering what you guys do to get around it. Do you go out of your way to figure out a bypass or just follow the rules (yeah right, most of you are on Beyond :P)?

I'm just curious, I could care less about using internet for personal use since I have my phone.

FraserB
05-04-2013, 05:09 PM
No one here uses company internet for personal use.

Ever.

dj_rice
05-04-2013, 05:50 PM
I work in Parts at a dealership. A lot of times customers come in over the counter and ask for accessories I've never heard of. I have to, in turn, search on Google for what they are looking for. Sometimes stuff is blocked.

I call IT and complain that in order to properly do my job, I need to have access to whatever I am searching for, and to remove whatever they have to so I can view websites.

And it also helps that Beyond is automotive related so I don't get in trouble when I'm surfing Beyond.

What's funny is the IT department has "job searching" websites blocked. :rofl: :rofl:

They also had Facebook blocked a couple years back but now they allow it, as so many customers are using Facebook/Twitter etc. as a means to buy/find and get parts, so it's allowed access.

ExtraSlow
05-04-2013, 06:04 PM
We have a filter that blocks anything to do with weapons, gambling, adult or "tasteless". It's pretty smart, because while it does block the gun thread, the rest of Beyond is wide open.

revelations
05-04-2013, 06:42 PM
This is a few years out of date but I was able to use the net freely at Enmax if I installed Ultrasurf on a USB and used a portable browser.

Unknown303
05-04-2013, 07:05 PM
Originally posted by FraserB
No one here uses company internet for personal use.

Ever.

Strictly business here. Considering I may or may not be at work currently.. :angel:

rx7boi
05-04-2013, 08:09 PM
You guys don't have the option to continue through?

We have flagged websites and our security team monitors which sites on the blacklist are accessed.

As long as we can provide a justification when we're asked (if ever), we can go wherever we want.

ExtraSlow
05-04-2013, 09:22 PM
On mine, I have to call the IT department and get approval before it's unblocked.

D'z Nutz
05-04-2013, 09:29 PM
I knew when one of the network guys came to my desk and searched for online porn I pretty much had free rein.

eblend
05-05-2013, 12:38 AM
I am the IT department, so can go wherever I want :D

We really don't restrict anyone from going anywhere at work, but it does get logged and we can find out if we needed to

Cos
05-05-2013, 09:28 AM
.

thrasher22
05-05-2013, 08:48 PM
It's never really been a problem for most jobs I've worked at. For Facebook specifically though, if you change http to https you can get around most filters :D

CanmoreOrLess
05-05-2013, 09:20 PM
My last job, I had to call Chicago and talk to the IT department when I needed to access the internet. Even though the company policy clearly stated all internet use was monitored and abusive use would be dealt with harshly (whatever that meant). Did it a few times each week and it took 15 minutes to get an OK from Chi IT. So there goes four hours a month wasted.... 48 hours a year. And everyone pretty much had the same needs. And they bitched about someone stealing toilet paper and lights left on overnight yet an easy 100K a year went to waiting around for the internet.... not to mention whatever they were paying Chicago IT.

The rules were made before everyone had smart phones and iPads.... no one said oil companies were bright, just profitable.

taemo
05-06-2013, 08:41 AM
Originally posted by eblend
I am the IT department, so can go wherever I want :D

We really don't restrict anyone from going anywhere at work, but it does get logged and we can find out if we needed to

Pretty much same here, I'm the one that has to create the quarterly internet report to HR and my boss but we don't really restrict it.
It just gets logged.

JustinMCS
05-06-2013, 08:43 AM
Yes, the internet is very blocked at one of my client's sites. But I have an open TELUS connection here. At my main office, since we are an IT company, nothing is blocked. I haven't tried the obvious, like pr0n, etc. I am sure that is, but I don't care to find out.

hampstor
05-06-2013, 10:02 AM
I wouldn't workaround any system blocks (ie: websense blocks) as it demonstrates malicious intent to bypass systems.

Everyone does some personal browsing (ie: banking/checking the news). It's how much you do it, and if you're doing anything illegal/unacceptable behavior that'll get you in trouble.

muffzz
05-06-2013, 07:18 PM
use proxies

mazdavirgin
05-07-2013, 04:26 PM
Pipe your web traffic through an SSH tunnel. I guarantee you will be able to bypass pretty much anything out there short of someone running packet analysis, in which case you can still get around it with a recompile of SSH... Added bonus: no one has any idea what you are browsing since it is all encrypted.

Alterac
05-07-2013, 04:56 PM
Except when you run systems like we do, and we see an assload of ssh traffic heading out of your box.

toor
05-07-2013, 07:09 PM
IT departments nowadays can easily log your websurfing, emails, IMs, phonecalls, Blackberry use, basically anything you do on the company network or devices. Their efforts really depend on management. Some want everything monitored and get weekly/monthly reports, others just request the data when they're looking for an excuse to discipline/terminate.

Websense blocks SSH tunnels easily, Blue Coat and others probably wouldn't have much trouble with it either. Perhaps they'll allow it, then silently (automatically?) remote into your machine and watch/capture what you're doing... There's SSL proxies that'll strip your HTTPS and VoIP tools that can filter conversations by keywords, stress level, whatever... We've come a long way from Back Orifice...

mazdavirgin
05-07-2013, 09:04 PM
Originally posted by Alterac
Except when you run systems like we do, and we see an assload of ssh traffic heading out of your box.

Recompile SSH and watch your tools fall flat on their faces... If you can't recognize the opening preambles then all it looks like is randomly encrypted SSL packets. Not to mention IT departments are typically staffed by tool using primitive users. Anything that doesn't fit into a neat little box like actually understanding cryptography might as well be voodoo.


Originally posted by toor
Websense blocks SSH tunnels easily, Blue Coat and others probably wouldn't have much trouble with it either. Perhaps they'll allow it, then silently (automatically?) remote into your machine and watch/capture what you're doing... There's SSL proxies that'll strip your HTTPS and VoIP tools that can filter conversations by keywords, stress level, whatever... We've come a long way from Back Orifice...

Fundamentally you don't even understand what your tools are doing or their limitations. I guarantee you can bypass pretty much any tool out there with some minor tweaks into some C OpenSSH code. In addition you can't capture what is going through an SSL encrypted tunnel unless you somehow have tech that doesn't obey the laws of mathematics. :rolleyes:

toor
05-07-2013, 09:33 PM
Fine, tweak the profile of your ssh connections so it ends up in the "wtf?" bucket and your desktop gets remotely captured anyway.

My tech obeys the "laws of mathematics", but I put my CA in your browser and proxy your SSL connections, unbeknownst to you.

Alterac
05-07-2013, 09:56 PM
Originally posted by mazdavirgin


Recompile SSH and watch your tools fall flat on their faces... If you can't recognize the opening preambles then all it looks like is randomly encrypted SSL packets. Not to mention IT departments are typically staffed by tool using primitive users. Anything that doesn't fit into a neat little box like actually understanding cryptography might as well be voodoo.



All pretty simple stuff to stop.

Inline Layer 7 Content filter (including https / ssl inspection), Deep Packet Inspection, and Proper outgoing traffic filtering.

Pretty much stops anything except the super determined person. Although in that case, that specific person would find their manager firing them for spending too much time fucking the dog, and not working.

EDIT - Also you don't need to know what is going on in an SSH tunnel (and I'm not saying I can find that out easily), all you need to know is that it's up and running to justify some disciplinary action.

toor
05-07-2013, 10:19 PM
But dude, he knows C OpenSSH code... We'll nevar fingerprint his protocols brah, he's too hrdkr, hackin teh Gibson brah

Alterac
05-07-2013, 10:38 PM
Originally posted by toor
But dude, he knows C OpenSSH code... We'll nevar fingerprint his protocols brah, he's too hrdkr, hackin teh Gibson brah


They are attacking the central processing unit!

they have uploading a Rabbit, send a flu shot!

Its the Cookie Monster, what do i Do?

Type Cookie you idiot!

sputnik
05-08-2013, 07:00 AM
Originally posted by mazdavirgin
Pipe your web traffic through an SSH tunnel. I guarantee you will be able to bypass pretty much anything out there short of someone running packet analysis, in which case you can still get around it with a recompile of SSH... Added bonus: no one has any idea what you are browsing since it is all encrypted.

You probably mean SSL tunnel. SSH is (or at least should be) rarely allowed through a proxy.

This is probably your only bet. However, many companies are now running HTTPS proxies which require you to have a valid cert at the other end to complete the tunnel.


Originally posted by Alterac
Except when you run systems like we do, and we see an assload of ssh traffic heading out of your box.

That is how we found users before enforcing the HTTPS proxy. We would run a netflow report and look for top SSL sessions.

sputnik
05-08-2013, 07:10 AM
Originally posted by mazdavirgin
Fundamentally you don't even understand what your tools are doing or their limitations. I guarantee you can bypass pretty much any tool out there with some minor tweaks into some C OpenSSH code. In addition you can't capture what is going through an SSL encrypted tunnel unless you somehow have tech that doesn't obey the laws of mathematics. :rolleyes:

I can guarantee that I can block or at least identify any tunneling you try to do through a locked down network/proxy.

To block the vast majority of SSL tunnels all that needs to be done is require a valid cert and re-sign all encrypted connects with an internal cert created from my internal CA. Doing this allows an organization to easily decrypt all outgoing SSL/SSH traffic. If you use a WCCP proxy you can do this all relatively transparently. It also requires all outbound connections to have the local CA installed on the host.

To identify the connections that might get through (should you actually go through the work to get a valid cert) it is really just a matter of looking at the amount of traffic for single sessions to identify the tunnel. Very often the tunnels are kept open and you will see several (if not hundreds) of megabytes being transferred over a single SSL flow.
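
The flow-volume check described in the post above, sketched as an added example that is not part of the original thread: it ranks the largest TLS sessions and flags flows that are both long-lived and high-volume. The record layout, sample rows and thresholds are constructed assumptions, not the output of any particular NetFlow collector.

```python
import csv
import io
from datetime import datetime

# Constructed sample flow export: start, end, src, dst, dst_port, bytes
SAMPLE_FLOWS = """\
2013-05-08T08:01:10,2013-05-08T08:01:14,10.0.4.21,203.0.113.10,443,48211
2013-05-08T08:03:00,2013-05-08T16:45:30,10.0.4.37,198.51.100.7,443,412905331
2013-05-08T09:15:02,2013-05-08T09:15:40,10.0.4.21,203.0.113.10,443,1320044
2013-05-08T09:20:00,2013-05-08T09:52:00,10.0.4.55,192.0.2.80,443,96500210
2013-05-08T10:00:00,2013-05-08T15:10:00,10.0.4.60,192.0.2.99,80,700000000
2013-05-08T11:00:00,2013-05-08T17:30:00,10.0.4.12,198.51.100.44,443,2400000
"""

# Assumed thresholds; tune them against a baseline of the site's normal traffic.
MIN_BYTES = 100 * 1024 * 1024   # "hundreds of megabytes" on a single flow
MIN_SECONDS = 60 * 60           # session held open for an hour or more
TLS_PORTS = {443}

def parse_flows(text):
    """Yield one dict per flow record, with duration computed in seconds."""
    fields = ["start", "end", "src", "dst", "dport", "bytes"]
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        start = datetime.fromisoformat(row["start"])
        end = datetime.fromisoformat(row["end"])
        yield {"src": row["src"], "dst": row["dst"],
               "dport": int(row["dport"]), "bytes": int(row["bytes"]),
               "seconds": (end - start).total_seconds()}

def top_tls_sessions(flows, n=3):
    """The 'top SSL sessions' report: the n largest TLS flows by bytes."""
    tls = [f for f in flows if f["dport"] in TLS_PORTS]
    return sorted(tls, key=lambda f: f["bytes"], reverse=True)[:n]

def suspected_tunnels(flows):
    """TLS flows that are both long-lived and high-volume, largest first."""
    hits = [f for f in flows if f["dport"] in TLS_PORTS
            and f["bytes"] >= MIN_BYTES and f["seconds"] >= MIN_SECONDS]
    return sorted(hits, key=lambda f: f["bytes"], reverse=True)

if __name__ == "__main__":
    for f in suspected_tunnels(list(parse_flows(SAMPLE_FLOWS))):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} "
              f"{f['bytes'] / 2**20:.0f} MiB over {f['seconds'] / 3600:.1f} h")
```

Requiring both conditions keeps a large but short download (the 10.0.4.55 row) and a long-lived but quiet session (the 10.0.4.12 row) out of the flagged set, while both still appear in the top-sessions report for manual review.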

speedog
05-08-2013, 08:02 AM
I just have to question why someone would go the lengths of what mazdavirgin suggests above in trying to defeat certain roadblocks - if you're that intent on doing something that the company that hired you says you shouldn't be doing, then you should very seriously evaluate why you're still there. Certainly the company one works for will seriously evaluate that employee and any noted situations where set company rules/protocols were deliberately ignored or breached by that same employee.

As an employer, I'll just state that if you (as an employee) think it's a funny little game that you'll be able to get away with then I'll let you in on a little secret - we still hold all the trump cards. And as a past union shop steward/local president in a large national corporation, I can also reassure you that unions will only go so far to protect an employee who has broken the law or has gone around/broken set company rules/protocols - the employee again, won't be holding the trump cards and may indeed be facing more serious legal issues than just being terminated if the circumstances warrant such.

ExtraSlow
05-08-2013, 08:46 AM
Yes, I agree with Speedog. The issue isn't IF you can get around the roadblocks, I am sure it's possible. I however like my job and I'm well compensated, so I will not deliberately circumvent any of the systems they have in place.

toor
05-08-2013, 10:26 AM
It really depends on the position but you can basically assume your boss is peering over your shoulder at all times. In some callcenter roles, every 15min block of your day has to be justified so that makes it harder to goof off. Some roles though, trolling dx.com when it's slow is acceptable and occasional facebook/banking/whatever is probably fine. I've seen people fired for:
- excessive Facebook use, girl was on there playing Farmville all day instead of working
- Gmail, we ended up blocking "personal webmail" because of some virus
- guy tethered his phone to the PC (gee look, this machine just suddenly sprouted a third arm! automatic desktop capture triggered...) to get to his Gmail and email client/price lists to competitors
- ssh tunnel guy was using to watch porn
- kinda unrelated, but had one guy watching movies on his phone all day instead of working...

I've personally had to justify my use of:
- YouTube, I'd stream music from there since Soundcloud was blocked
- Facebook, I'd leave it open and the stream updates itself so it looked like I was on there all the time... wink wink... nudge nudge...

With a smartphone in your pocket, I don't really see why you'd do anything on the company-0wn3d machines that might endanger your job. Even if you squeak out the network, they know who you are and have some idea of what you're up to, and if they're really curious they can just log/capture/monitor/keylog what is really happening on THEIR machine so...

speedog
05-08-2013, 10:54 AM
So here's another problem/situation - as an employee you have no doubt been hired to perform a certain set of tasks and as such, when does the use of a personal computing device on company become a contentious issue? Yeah, there are cell phone blockers available (which are illegal here) or passive physical barriers can be created (at a cost) but the fact remains that time spent on personal communication/computing devices while on the clock could be considered just as much of an abuse of company policies as deliberately thwarting physical/software blocks/firewalls.
Now some may argue the whole "I need it for an emergency" but we all know that's a big red herring.

toor
05-08-2013, 12:11 PM
If you're not doing your work, or your boss catches you staring at your own crotch repeatedly. Bring it up in their performance evaluation... confiscate their phones... make them leave their devices at the front desk... fire them. It's good to be the king.

nzwasp
05-08-2013, 12:35 PM
I have worked for a few companies in Calgary in their IT departments, most didn't care if you browsed the web as long as you got your job done. With one exception.

Shaw Communications. If you surf the web there you will be nailed, they don't give a shit if you do your job at the same time or have finished all your work - even if you surf and it's related to your job they still will nail your balls to the wall.