As an administrator, I have massive objections to this sorta thing. That aside...

If you're being routed through a proxy, it's very possible that someone is looking through the proxy logs. Even if they don't look at every site you visit, they at least see a list of who uses the web most and who uses it least.

If I was running a proxy, and all of a sudden one of the workstations web activity stopped, I'd check it out. Then that person would be fired, no questions asked.

only fired? why don't we kill him?
he has dangerous notions and we are not able to stop him...


---
operation: mindcrime

It's one thing to make a mistake, but a company doesn't need someone who wants to put that much effort into breaking the rules.

Hmm how nice of you! A little harsh though don't you think? I would ask them about it and get their side of the story. Shame to lose someone without at least giving them a chance to explain.

Of course in most large companies (in the UK at least) you would not be able to fire them no questions asked. Also an administrator would not have authorisation to fire them without getting HR and the person's manager involved. Though perhaps it is different where you work.

[ Reply to This | # ]

I would think that before anyone could get terminated from their place of employment by bypassing a proxy, they would first have needed to sign a computer policy agreement specifically stating that it is against company to do so.

In the case of the user who posted this hint, it sounds to me like he used to have access to these services before, and then something changed on the IT end. It would be kind of irresponsible for a company to suddenly halt access to the internet or some services without at least an email explaining that the change is happening. The user could simply argue that he/she wasn't aware that Gmail or whatever was off limits now, since he/she was able to get to it before. IANAL, but I think that argument may hold some weight in a unlawful termination suit.

Whatever keeps your babysitting job around and instead of in India, eh?

A company can pretty much fire you for anything they wish execept the specific discriminations that are outlawed. You don't have to sign anything before they can fire you for abuse of network resources.

Depending on the nature of the company there maybe very good reasons for the lock down. Do you really want the local bank teller using iChat to send your bank account info to an accomplice on the outside? Do you really want a broker using non-recorded IM to communicate insider information to screw over your 401(k) investments?

I don't think this hint is inappropriate, there are legitimate uses for it too, but as an administrator charged with enforcing company policy anyone found circumventing policy will be reported. Firing isn't up to me, but it'd be a likely scenario. User beware of what you do at work....

Oh boy.. As someone who actually makes money for the company, I am valued far more than an IT person. My manager will not be amused when you ask him to fire me for checking my gmail account. I think you would have a rather unpleasent conversation with your own boss later. Best just stick to keeping things running smoothly.

Well at least you get to use macs at work. Would be more useful to me translated to windows.

As far as contraveyning IT policy - well, all you have to do is sit in front of a computer at most places. I'm not "allowed" to use Firefox here, although I can use the insecure IE? With IT policies like that why pay attention?

Like this (example would tunnel an IRC onnection):

ssh -N -p 22 -c 3des myuserid@mybox.net -L 6667/irc.irchost.com/6667

What am I missing here?

The very first paragraph in the post mentions that all of ports (in or out) are blocked, except for http and https routed through a proxy. I would assume that this means that the ssh port (22) is also blocked and ssh tunneling can't be used unless first tunneled through port 80 or 443 (and through their mandatory proxy).

SSH can run on any port. 80, 443, whatever. 22 isn't a law.

There are several SSH-implementations that supports http-proxies. I usually use Mindterm from Mindbright (they have changed their name but I can't recall it). It even runs as an applet in a browser. Since it does not support dynamic ssh tunnels you have to add a proxy server on the other end of the ssh tunnel but that is easy.

---
http://www.google.com/search?as_q=%22Authored+by%3A+david-bo%22&num=10&hl=en&ie=ISO-8859-1&btnG=

You're missing that the overzealous firewall blocks all outgoing except 80 and 443 so you can't get to 22 on your home machine.

Also creating the ssh tunnel requires authenticating at the ssh server. If you're just using that server as a middleman to sites like pop.gmail.com, why bother?

...so that I can actually -=get=- to pop.gmail.com.

ssh -D 1080 user@foo.bar

works with the sw p2p?

Stephanos - take this as a sign. I see this all the time. Your management team is inept. Your CEO might be a stupid ahole too. They don't understand so they fear. They fear so they impede.

This is going to start to pervade all aspects of the business if it hasn't already. Get your resume up on Monster and find a decent job. Your life is just going to get progressively more miserable if you don't.

You clearly have a clever mind and know how to solve technical problems, so there are lots of people out there hoping someone like you will just drop a resume on their desk. Learn to identify the non-technical problems too. Good luck.

Security admins restrict outbound protocols like AIM for a reason. It's insecure. Worms are now being transmitted via AIM. So are the latest versions of Phishing attacks. Yes you can get around just about any restriction. It might be more constructive to open a dialog about the restrictions. MacOS X gives organizations the opportunity to bring Instant Messaging in house. You can run an IM server on Server, use Jabber and encrypt everything. IM can be used constructively as a collaboration tool. Discussions of constructive uses seems better than adolescent rants against "clueless" management.

This was the question our IT people asked me when I requested port 22 to be opened to my workstation. Frankly, I lost all respect for them at that point. They added a filter because some salesperson made it sound like the world would end if they didn't. Of course, they standardized on Dells, so they might have been right.

Don't see why I should have to suffer. I get more work done by bringing in my own laptop and using free software than I do on my Dell and a pretty liberal budget.

I am not advocating irresponsible behavior, but if the support folks don't know how to support you, roll your own.

Bill, thanks for the praise, but it's not really that simple. My management and admins are not idiots. They know I'm doing this, and they don't mind. In fact they told us beforehand when the policy was instated that if we found a hole, we could use it. So I just did.

I'm a software engineer. I'm the only one in my company that uses a Mac. I had to beg and plead before they got me one (yup, they paid for a brand spanking new top-of-the-line PowerBook plus a gig of RAM, and I get to take it home, as well as buy it off them at a very reasonable price if I ever leave. So yeah, I'm appreciated :-)), and I had to promise that if I ran into any serious incompatibilities it was my job, not theirs, to fix them - so far, I haven't, though I do cheat by using Terminal Services to connect to a couple of Win2K server machines once in a while for some odd IE testing. I do J2EE/Oracle development in Eclipse, so I saw no need for me to suffer Windows.

The point is, not everyone here is a software engineer or has these kinds of skills. People ran old versions of MSN Messenger or ICQ that are wide open to bugs. They ran P2P software. They ran all kinds of dodgy stuff on Windows systems. The firewall and proxy is there to protect these guys. If I can get around it it's no big deal, because they know I'm the least likely person to get a worm or a virus. If I made enough of a fuss they might even open up the ports for me anyway.

Security is a relative thing, anyway. You could have all the latest patches, AV data files etc. and still be hit by the first wave of a new worm. I know how to deal with this stuff, before and after infection.

Of course, I work at a small company, and in a larger organization I can see the need for strict enforcement of rules. But the firewall and proxy are there for a simple reason, to protect our layperson Windows users from the onslaught of malware and I don't really do anything to undermine this, so everyone's happy. The only annoyance is I have to select an item from the script menu in the mornings when I come in and hook up my PowerBook, and once more again before I leave in the evenings. I can live with that, and I don't think the policy is stupid.

I think most right-thinking IT admins and managers would agree with this, and even with this hint as posted, you'd have to be at least an intermediate computer user to get it to work, and a Mac user, so it's extremely unlikely you'll catch any malware because of it. If someone got into trouble anyway, then yes, I think they're working with some short-sighted people. That's their decision to make.

With the speed data travels over the Internet today, any company serious about maintaining its private data as private is filtering Internet traffic. A good number of major companies are even having people, not computers, read every single e-mail sent outside the company before allowing it.

Imagine someone gains access to a database with employee information. They may be able to extract and distill information such as social security numbers, direct deposit account info, and salaries into a 10 MB file. Way too much to print out and take home, but easily within reason for sending via e-mail. Even if it's broken into 10 smaller files. Without any outbound traffic filtering or other controls, this is transmitted within seconds to the outside where it can be used for whatever purposes.

There's data much more critical to companies than personnel records. Drug formulas, market research, whatever. Anyone who allows unrestricted employee access to/from the public Internet is just asking for their data to become public.

I don't think so. Why waste money on more or less useless security? If you are even the least talented you can easily work around obstacles like that, e.g.,:

1. Use a ssh client that supports whatever proxy the company is using and sftp the files to a computer outside
2. USB memory stick, zip, cd-r whatever
3. Steganography. Send yourself 'innocent' looking photos with data encoded into them.

You can't protect yourslef from all these methods, you can only be a good employer to whom the employees feel loyalty, responsibility etc.

---
http://www.google.com/search?as_q=%22Authored+by%3A+david-bo%22&num=10&hl=en&ie=ISO-8859-1&btnG=

I'd like to try this hint, but I'm having difficulty getting proxytunnel to compile. I'm a Unix beginner, so please be gentle! I've downloaded & uncompressed ProxyTunnel 1.2.2, and tried:
[code]sudo make -f makefile.darwin
sudo make install[/code]
After the first step I get one line tha looks like an error to me:
[code]proxytunnel.c:217: warning: passing arg 3 of 'accept' from incompatible pointer type[/code]

And then I get the following at the second step:
[code]install: root: Invalid argument
make: *** [install] Error 67[/code]

Any suggestions gratefully received.
Thanks in advance.

I'm also a rank beginner, and had the same problem :(

But i managed to figure out that the 'Makefile' file holds the answer to our problem.

If you open the 'Makefile' file with a text editor (even TextEdit), and change the bottom section:

install:
		mkdir -p $(INSTALLPATH)
		install -g root -m755 -o root $(PROGNAME) $(INSTALLPATH)/$(PROGNAME)
		install -g root -m644 -o root debian/$(PROGNAME).1 $(MANPATH)/$(PROGNAME).1

install:
		mkdir -p $(INSTALLPATH)
		mkdir -p $(MANPATH)
		install $(PROGNAME) $(INSTALLPATH)/$(PROGNAME)
		install debian/$(PROGNAME).1 $(MANPATH)/$(PROGNAME).1

It seems that the original makefile install code was trying to create the installed files with group & mode info set to root, which was generating the error! So i just removed those switches and the problem went away, YAY!
I also added a line to create a man folder for the man info in usr/local/, which my OS installation didn't seem to have! If you already have this folder, you can just delete the line.

Hope this helps! And enjoy responsibly ;)

Later!

[ Reply to This | # ]

Thanks - that worked :) Mind you, I still can't get a man page...
Cheers,
tt

For those of you who are a bit put off by compliling programs or installing them into /use/local/bin, you can get a Tiger package of prtunnel, a program that does the same basic thing, thanks to DarwinPorts.

Cheers,

b&

P.S. Of course, this means that, if you’ve got DarwinPorts installed, a simple “sudo port install prtunnel” will do the trick, as well. b&

Oh that is smart...,

but how in hell's name can i work with darwinports if running the 'port'-command fails everytime because it won't work with the proxy.

You can set your environmentvariables (RSYNC_PROXY, .curlrc) what you want, darwinports uses rsync and a specific SSL port which is blocked; so NO SHOW.

Any ideas how to run 'port' in an alienated windowscontroled mac-fearing ICT-landscape?

---
-----------
The Nimitz

It does not work for me cause the Proxy I have to use does not permit me to connect to ports other than 443 (HTTPS). So I have no clue on how to bypass. Solution would be to keep a SSH server at host which listen on 443 and forward connection to remote hosts..

Hi there

I am behing a network firewall and proxy server. my proxy needs authetification. I can access the internet through safari because it uses my proxy settings as set in the network settings in system preferences.

I can't however use my mail program to access my pop3 email account because I assume this port is blocked by the system administrator. No way I can ask him to allow the port to be accessible.

I need help on how to tunnel through the firewall and proxy server to access my mail. I can do it on my windows computer using http-tunnel (www.http-tunnel.com), but the program does not support max os x. Please provide me with in depth details on how to do this. my pop3 server is bow.intnet.mu. so please include that server if you are going to give me any ssh command lines. I am fairly new to mac, and am not fully compatible with the UNIX commands! Thanks!!

Proxytunnel 1.6.0 changed (and simplified) the command line syntax a bit. The basics of the hint still apply. I'm sorry this hint is arcane by the standards of the layperson, but since it's all about circumventing access restrictions I feel that can be a plus; if you don't know enough about networking to use it, you probably shouldn't try. I don't even use proxytunnel any more because I switched from iChat to Adium (which can do this trick internally, and moreover takes proxy settings from system preferences which I switch using the Location menu) and I can live without my gmail (which is not my primary email anyway) during the day.

Hi all,
I´m trying to use this hint to log in MSN.
Therefore, I've tried executing the following command:

proxytunnel -a 522 -p (Proxy Server address) :(Proxy Server Port) -d messenger.hotmail.com:1863

However, when I try to log in MSN application (after setting Internet Explore Proxy settings to "Proxy Server = localhost", and "Proxy Port=522"), then Proxytunel gives me the following error:

Proxy Error ( The specified Secure Sockets Layer (SSL) port is not allowed. ISA
Server is not configured to allow SSL requests from this port. Most Web browsers
use port 443 for SSL requests. )
0 to 65536


Please, May someone help me with this issue?

thanks in advance

I'm from Myanmar (Burma). There is only one ISP in our country. They block a lot of good websites. Can I know the best way to bypass their restrictions?

For some reasons ; i'm not able to install proxy tunnel on my mac ; since just placing the folder in the usr/local/bin folder won't work . Need help pls from anyone who can help