Staff sacked after security sees 'suspect surfer' script of shame

As your Vultures are off fighting over the remains of the Christmas dinner, we've lined up a feast of a different nature: a bonus instalment of Who, Me? This week, we hear from reader José, who wrote in to tell us how a prank led to some of his former colleagues getting their marching orders. It was back in the late '90s, and …


          1. Wexford

            Re: And that's why...

            Pfft, my IPv8 MITM laughs at your IPv7!

      1. Gordan

        Re: And that's why...

        You are overthinking it.

        ssh -D 1080 user@your.server

        Set Firefox to use localhost:1080 as socks5 proxy with remote DNS lookups.

        No need to mess about with DNS or anything of the sort. You just have to find a port that isn't filtered by the firewall and run sshd on that port on your.server.

        1. Trixr

          Re: And that's why...

          Good luck finding anything that *isn't* filtered on a real enterprise network. Even outbound 80/443 is filtered unless it comes via the proxy.

    1. steviebuk Silver badge

      Re: And that's why...

      It was the late 90s. And that, in these times, won't stop seeing what you're viewing if you're going via a proxy. And any private VPN at work wouldn't be allowed.

      1. Symon Silver badge
        Pint

        Re: And that's why...

        "any private VPN at work wouldn't be allowed"

        I'm pretty sure the commentards here would know how to tunnel their OpenVPN link through port 443. Maybe using stunnel. How is anyone gonna detect, let alone stop, that without banning almost all internet access to https websites?

        p.s. Try searching for ways around the Chinese Great Firewall. Plenty of hints and tips there! Merry Xmas!

        1. Anonymous Coward

          Re: And that's why...

          The firewalls MITM and inspect all HTTPS packets. VPN over HTTPS and (obviously) non-HTTPS traffic is dropped. And logged. Not 100% proof since nothing is.

          SSLVPN from China is hit and miss; connections may work for a while and then stop. I think that's down to different ISPs but I haven't bothered to troubleshoot, not my problem. ;-)

          1. J. R. Hartley

            Re: And that's why...

            "not my problem. ;-)"

            That's the spirit.

        2. Paul Stimpson

          Re: And that's why...

          I'm pretty sure either the Palo Alto or Bluecoat firewalls we have at work check SSL sessions for validity and detect VPN traffic masquerading as SSL. The Infoblox DNS servers detect and report VPN DNS tunneling.

          1. The Oncoming Scorn Silver badge
            Childcatcher

            Re: And that's why...

            I have my personal laptop on my desk with my very generous data plan acting as a hotspot, for anything dodgy or time killing.

            This week's post-Christmas lull was spent firing up the VPN & streaming Outnumbered (See Icon) from iPlayer, while I did my normal work.

            1. P. Lee Silver badge

              Re: And that's why...

              Exactly.

              Everyone sees the problem with running on someone else's systems.

              And yet... cloud! It seems like some people never learn.

              Early '90s, we barely had firewalls. Most LANs were IPX and just the SMTP gateway had IP. Pick an IP address from the class C assigned, fire up Chameleon and off you go!

          2. TheMeerkat Bronze badge

            Re: And that's why...

            The actual reason is simple. It tries to decrypt SSL and fails closed :)

        3. Brad Ackerman

          Re: And that's why...

          Proxies can also be set to only permit categorized pages, in addition to blacklisting pr0n or whatever.

        4. Alan Brown Silver badge

          Re: And that's why...

          "p.s. Try searching for ways around the Chinese Great Firewall."

          As I've had to explain to cow-orkers: The issue isn't "working around" the great firewall. It's what happens when you get caught doing so.

          In the case of China, there are a lot of rules and they will use them to throw the book at someone who's annoyed them. (Which is why we warn staff it's a criminal offence in China to bypass the firewall and not to do so when there.)

          In the case of "your employer" it's backdooring security and a trip to the door escorted by a couple of guys from security - they'll send your stuff later - maybe - when they've finished going through it to see what damage you may have done.

        5. gnarlymarley

          Re: And that's why...

          "I'm pretty sure the commentards here would know how to tunnel their OpenVPN link through port 443. Maybe using stunnel. How is anyone gonna detect, let alone stop, that without banning almost all internet access to https websites?"

          My work has both 80 and 443 blocked. To get to those, you must use the proxy. Of course, port 22 is open, but when you have Windows logging set up for the browser to pass all the websites back (using a Microsoft domain policy) to the mail logging server, why would you even chance something like this? If you manage to get past the proxy, then the browsers will report you anyway.

          1. Anonymous Coward

            Re: And that's why...

            Firefox portable app.

            1. Trixr

              Re: And that's why...

              And when you're using application whitelisting, and Firefox (Portable) is not on the whitelist, good luck.

  1. Banksy

    Access Denied

    I'm surprised they could access those sites in the first place.

    1. ElReg!comments!Pierre

      Re: Access Denied

      'Twas the '90s. Besides, even now with the block-everything-till-someone-fills-the-paperwork approach, the blocked URL will still show up in the logs, even though you won't access the page ("The website you are trying to access contains freeware, shareware or open source software and has been blocked. If your work require material from this page, please fill the form at [link] to have the page* unblocked. Be informed that your manager will be asked to approve your request."; better not need to review that patch on GitHub anytime soon then)

      *yes, 'page', not 'website'

      1. Gordan

        Re: Access Denied

        It works for some people - namely those that like all the work prevention devices that enable them to spend an hour on some work, half a day on admin to actually work around the security measures, and the rest to slack off.

        Of course it will drive everyone who actually enjoys being productive nuts in days and they'll probably choose to leave guilt free on 1 day's notice before their probation period is up.

    2. Alan J. Wylie

      Re: Access Denied

      My experience in the late '90s was that you had to be very careful about blocking on keywords in domains. https://www.essex.ac.uk/ anyone? (Yes - a genuine example that I came across).

      1. Unicornpiss Silver badge
        Happy

        Re: Access Denied

        "My experience in the late '90s was that you had to be very careful about blocking on keywords in domains. https://www.essex.ac.uk/ anyone? (Yes - a genuine example that I came across)."

        Well, you'd never be able to apply for a job at Research in Motion (www.rimjobs.com)

        1. Symon Silver badge
          Coat

          Re: Access Denied

          Especially a big job in Scunthorpe.

          1. TRT Silver badge

            Re: Access Denied

            I'm surprised URLs containing the keyword BBC don't get banned more often.

            1. Sequin

              Re: Access Denied

              I subscribe to a weekly email quiz, and the creator numbers them in Roman numerals. Whenever he sends out a mail with the number 30 in it (e.g. 130, 330 etc) he has to change to Arabic numerals as so many email filters will reject mails with XXX in the subject line.

              1. Sandtitz Silver badge

                Roman numerals @Sequin

                To quote Asimov about Roman numerals:

                "But why? Where's the need? To be sure, you will find Roman numerals on cornerstones and gravestones, on clockfaces and on some public buildings and documents, but it isn't used for any need at all. It is used for show, for status, for antique flavor, for a craving for some kind of phony classicism.

                I dare say there are some sentimental fellows who feel that knowledge of the Roman numerals is a kind of gateway to history and culture; that scrapping them would be like knocking over what is left of the Parthenon, but I have no patience with such mawkishness. We might as well suggest that everyone who learns to drive a car be required to spend some time at the wheel of a Model-T Ford so he could get the flavor of early cardom."

                1. Brewster's Angle Grinder Silver badge

                  Re: Roman numerals @Sequin

                  Roman numerals are like caps lock for numbers; they're a meta channel for conveying contextual information and a variation that adds to the rich texture of English.

                  after all we could do away with capital letters and punctuation because you dont use them in speech although perhaps theres a need to indicate a pause or the rising intonation of a question but why not go for the minimum and while were at it switch to phonetic spelling and get rid of any words whose meaning is so similar as to be all but identical to another

          2. Doctor Syntax Silver badge

            Re: Access Denied

            It looks as if we're getting back to the bad old days when residents of Scunthorpe and Penistone had trouble signing up to stuff: https://linux.slashdot.org/story/18/12/20/1753257/debians-anti-harassment-team-is-removing-a-package-over-its-name In fact residents of Titchfield might have the same problem.

          3. ricardian

            Re: Access Denied

            Or Penistone

      2. Boork!
        Unhappy

        Re: Access Denied

        There was a list of websites whose names took on unfortunate connotations when concatenated into a URL. Among them were Pen Island Stationers and Mole Station Creche.

        1. Jeffrey Nonken

          Re: Access Denied

          The pen is mightier than the sword; therapist will concur.

        2. Goldmember

          Re: Access Denied

          "There was a list of websites whose names took on unfortunate connotations when concatenated into a URL. Among them were Pen Island Stationers and Mole Station Creche."

          And Experts Exchange. When they started appearing in "unfortunately named websites" lists, they added a redirect to a domain with a hyphen.

          1. IceC0ld Silver badge

            Re: Access Denied

            "There was a list of websites whose names took on unfortunate connotations when concatenated into a URL. Among them were Pen Island Stationers and Mole Station Creche."

            And Experts Exchange. When they started appearing in "unfortunately named websites" lists, they added a redirect to a domain with a hyphen.

            ===

            wasn't there an issue when SuBo had her latest CD release ?

            all invited to see at www.susanalbumparty...................................

            1. Doctor Syntax Silver badge

              Re: Access Denied

              "wasn't there an issue when SuBo had her latest CD release ?

              all invited to see at www.susanalbumparty"

              Obligatory Dilbert: https://dilbert.com/strip/2000-08-19

          2. Nick Kew

            Re: Access Denied

            @Goldmember - I'd veto them on grounds of the prolific spam they inflicted.

        3. katrinab Silver badge

          Re: Access Denied

          And an Italian battery supplier called Powergen Italia.

          1. Brad Ackerman

            Re: Access Denied

            That one's bogus, but presumably too funny to fact-check.

        4. cantankerous swineherd Silver badge

          Re: Access Denied

          powergen Italia was my favourite.

      3. Chris King

        Re: Access Denied

        It wasn't just URLs that were affected. An over-enthusiastic regex test in SpamAssassin (FUZZY_XPILL ?) would trigger if people used "Oxon" instead of "Oxfordshire" in a snail-mail address in their signature - stick the postcode straight after it (OX whatever), and you got flagged as pink-and-porky for peddling pills.

        That made dealing with JANET and Travelodge... Interesting... for a while.

      4. Davegoody

        Re: Access Denied

        sCUNThorpe.gov.uk was another one

      5. Anonymous Coward

        Re: Access Denied

        Company I worked for blocked "virginatlantic.com" as a "sex site" for a time.

        As for accessing "dodgy websites" ... in the early days of the web NCSA (who produced Mosaic, which was the first significant browser) maintained a "new web sites this month" page (it later changed to this week and then they gave up tracking new sites!) and one of the early listings was from the CS dept of a Dutch University (?Delft) which proudly advertised that its website contained the largest collection of online porn in Europe!

        1. jake Silver badge

          Re: Access Denied

          "which proudly advertised that its website contained the largest collection of online porn in Europe!"

          They claimed "in the world!" until I pointed out an unnamed, dotted quad accessible anonymous FTP site located in Berkeley IP space that was basically a USENET binaries archive.

      6. swm Silver badge

        Re: Access Denied

        How about xxx.lanl.gov?

  2. handle bars

    Merrill Lynch Investment Funds was often mis-typed into search boxes - but I remember the crack down on work internet use and the "sniffers" compliance for HR put on email & web site use just happened to coincide with a need early 2000s for a head count reduction & looked a cheap way to bin people

  3. Alan J. Wylie

    Many years ago, we had an ISDN connection at the office, and a bank of modems. HTTP connections were forced to go through a Squid proxy. I had a similar little script which grepped the log for "interesting" keywords, but not much interest was shown in this from above.

    However, one day all our sales people and managers were gathered together at a hotel for a big meeting. One of my colleagues in network admin was due to address them, and took the opportunity to remind them that, as in the T's and C's they had acknowledged, our network was monitored for inappropriate (and expensive: on-demand ISDN had a per-call cost) usage. There were no sackings as a result, just a few red faces as he stood at the lectern and read out a few of the less unsafe-for-work domains that had been visited the previous night.
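The keyword grep over a Squid log that Alan J. Wylie describes above, and the essex.ac.uk false positive he raised earlier in the thread, can be shown together. The following is an added example, not code from the thread or from any of its posters: it parses constructed lines in Squid's native access.log layout, flags requests whose hostname contains a keyword, and contrasts plain substring matching (which fires on www.essex.ac.uk) with matching on whole DNS labels. It also keeps TCP_DENIED entries, since, as noted further up, a blocked URL still appears in the log, and carries an allowlist for hosts such as xxx.lanl.gov that match a keyword but are legitimate. The keyword list, client addresses, .example hostnames and the allowlist contents are all assumptions made up for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed client action/status size method URL ident hierarchy/peer type
# The 10.0.0.0/8 clients, 192.0.2.0/24 peers and .example hosts are made up;
# www.essex.ac.uk and xxx.lanl.gov are the real hostnames mentioned in the thread.
SAMPLE_LOG = """\
1546300800.101    312 10.0.0.12 TCP_MISS/200 8812 GET http://www.essex.ac.uk/ - DIRECT/192.0.2.10 text/html
1546300802.004    880 10.0.0.40 TCP_MISS/200 55120 GET http://sex.example/video/1 - DIRECT/192.0.2.11 video/mp4
1546300803.900    120 10.0.0.40 TCP_DENIED/403 0 GET http://casino.example/spin - NONE/- text/html
1546300804.550    200 10.0.0.12 TCP_MISS/200 4001 GET http://xxx.lanl.gov/abs/hep-th/9901001 - DIRECT/192.0.2.12 text/html
"""

# Assumed keyword list for the demonstration.
KEYWORDS = ("sex", "casino", "xxx")
# Hosts known to be legitimate despite a matching label (xxx.lanl.gov served arXiv preprints).
ALLOWLIST = frozenset({"xxx.lanl.gov"})

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_squid_line(line):
    """Return the fields of one native-format access.log line, or None if it does not parse."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    rec["status"] = int(rec["status"])
    return rec


def naive_match(host, keywords=KEYWORDS):
    """Substring matching, the 1990s approach: 'sex' fires on www.essex.ac.uk."""
    return {k for k in keywords if k in host.lower()}


def label_match(host, keywords=KEYWORDS):
    """Match whole DNS labels only: 'essex' does not contain the label 'sex', 'sex.example' does."""
    labels = host.lower().split(".")
    return {k for k in keywords if k in labels}


def keyword_report(log_text, keywords=KEYWORDS, matcher=label_match, allowlist=ALLOWLIST):
    """Group flagged requests by client address.

    Denied requests (TCP_DENIED) are kept on purpose: the attempt is logged
    even though the proxy never delivered the page.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["host"] in allowlist:
            continue
        found = matcher(rec["host"], keywords)
        if found:
            hits[rec["client"]].append((rec["host"], sorted(found), rec["action"]))
    return dict(hits)


if __name__ == "__main__":
    for name, matcher in (("substring", naive_match), ("label", label_match)):
        print(f"--- {name} matching ---")
        for client, entries in keyword_report(SAMPLE_LOG, matcher=matcher).items():
            for host, words, action in entries:
                print(f"{client:10} {action:11} {host:22} {','.join(words)}")
```

With substring matching, client 10.0.0.12 is reported for www.essex.ac.uk; with label matching it is not, while 10.0.0.40 is reported under both for sex.example and for the denied casino.example request. A filter or report of this kind still needs a review step before anyone acts on it: label matching removes the Scunthorpe class of false positive, but only an allowlist and a human reading the lines catch the xxx.lanl.gov class.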

  4. Anonymous Coward

    I had the opposite

    My setup included a script to remove certain NSFW URLs from the firewall logs before they were processed to produce usage reports.

    1. Mark 85 Silver badge

      Re: I had the opposite

      Be very careful with that one as it can come back to bite you. Certain manglement types might thank you for it, if high ups get wind and are of a certain mindset, it could cost you.

    2. Gordan

      Re: I had the opposite

      Most considerate of you. Some serious karma hoarding going on there. ;-)

      1. jake Silver badge

        Re: I had the opposite

        Out o'curiosity, why would one hoard karma? To do so would be bad karma, no? And, almost by definition, the result would be pretty much exponential, Shirley. Sort of like a ball of shit rolling down a hill of shit, becoming a larger ball of shit of ever increasing size.

  5. Anonymous Coward

    The mistake was to use them for blackmailing instead of simply blocking the domains

    Here employees remote monitoring is explicitly forbidden, thereby that behaviour would be illegal from the beginning. If you find accesses to illegal material and sites that could put the whole company in trouble, you have to follow the proper procedures to identify the culprits and sack them (of course, unless they are executives high enough who just leave 'to follow new opportunities'...)

    Of course you can blacklist the domains, instead of blackmailing people, no matter how disgusting they could be.

    1. Gene Cash Silver badge

      Re: The mistake was to use them for blackmailing instead of simply blocking the domains

      > Here employees remote monitoring is explicitly forbidden

      I don't see how you can forbid monitoring of company resources. Using the company's bandwidth to surf porn is not very different from using the expensive Haas CNC to machine something pornographic/offensive. Reading the access logs is no different from walking over to see what your employee is working on.


Biting the hand that feeds IT © 1998–2020