Joe shares his story of how he lost his job at PNNL, that involved his blog and firewall logs.  This is one reason I blog pseudo anonymously. Among the other things I do in my real life work, I run the company firewall.  If anyone wants to know how to stick it to your corporate boneheads, there are many ways to get around them, and in ways where they can’t possibly tell exactly what you’re doing. Feel free to discuss in the comments.
9 thoughts on “Blogging Risks”
Comments are closed.
I, uh…. well, since I blog under my own name I don’t think it prudent to tell how I do it, but being the Webmaster, I know all the loopholes to get through things.
My employer can look through logs all day, I don’t surf private stuff on company time – and the logs will prove it ;)
That’s about it. I keep my real name as far from the ‘net as I can. A WWII reenactment group I belong to wanted yahoo profiles w/ actual names on it for the group list. I’m not on it because of that.
The best method is to run a proxy server at home listening on 127.0.0.1:8080, then ssh to home using port 8080 on the local machine forwarded to 8080 on the home machine. The SSH tunnel encrypts everything, so your admin will notice a lot of SSH traffic, but won’t know what that traffic is. Chances are, your admin might not pay close attention to it. If your company blocks port 22, you can run ssh on any port.
I did something almost exactly like this at PNNL. This was to prevent the web browsing about sensitive projects from the lab to show up on the web logs of the websites.
They way they had net set up at the lab the individual computer names would show up when you did a DNS lookup on the IP address in the web log. From the computer name you could, with someone on the “inside” could look up the computer owner. Huge security hole… See http://www.pnnl.info/Report.htm for more details of how I tracked my investigators click, by click, through nearly two dozen websites.
Ultimately someone noticed the traffic they couldn’t track and I was called into my boss’s office. I explained what I was doing and why and told him if he wanted I would stop. He didn’t have a clue as to what I was doing. I got a call from security and explained the security hole and he didn’t understand either. I offered to stop if he wanted. He wouldn’t give me an answer. I continued the practice.
About a month after I was fired they changed the corporate policy. It is now against policy to use a proxy for your browsing. This insures people can check their web logs and know exactly who at the lab is browsing their website. They are guaranteeing the security hold stays open.
Idiots.
I was modifying a PHP web proxy for my own personal use. My plan wasn’t for “foolproof” security, it was just to get past content firewalls. So, I modified it to encode all pages with Rot13, then have client-side JavaScript “de-rot13” it. Unfortunately, I have so far only gotten this to work in Opera (the JavaScript seems to cause problems in other browsers).
(This was made assuming that https and other methods were blocked and unavailable.)
The big problem is they can tell that you’re doing “something”. They just can’t say exactly what. I guess this raises flags in a high security environment.
That is truly stupid to have any outside revelation of your internal network structure, especially in a high security environment! I’d say that’s really shocking, but you wouldn’t believe how many IT people have no clue about security matters like that. I guess what’s shocking is that a national lab wouldn’t understand that it needs to hire top notch security experts.
The problem of outside people being able to compile browsing habits of internal users is a fundamental one, unfortunately. We have the same problem in Pharma, where Google searches can reveal, to anyone who cared to watch, exactly what programs we were working on internally. One technique we use in pharma is to set up bots to go out and make random searches on subjects we’re not actively working on at all, just to confuse anyone who might be listening. Someone who’s listening would have to conclude that we’re working on… well… everything!
I can see why in a high security environment, you’d have to be particularly careful about the use of outside proxy servers; someone could be trying to hide what they are doing because they are passing classified material to the Chinese or something, but your classified networks shouldn’t even be able to talk to the outside, and should be a separate network.
Most corporate networks don’t really have a fundamental need to be high security, in terms of not trusting employees on the inside. No one from the outside should ever be trusted! I have no restrictions on my internal corporate network in terms of browsing, and I don’t really care to add any. If we’re having problems with employees browsing habits, I think that’s an HR problem, and not an IT problem. The only reason that most corporations see it as an IT problem is because management cultures tend to be control freakish, and IT management culture is mostly about not getting blamed for anything. My client base are mostly researchers, so fortunately, I’ve been able to give them a pretty free hand in terms of their internet activities, which they really need to be able to do their jobs effectively.
owww, my head, make it stop!!
Interesting!
Any good books on the subject?
Best regards,
I’m sure there are. I learned it mostly through industry experience, and just knowing what kind of things are useful to know if you’re trying to crack into a system, or get information.