Here is the deal:

You have decided to surprise your wife by purchasing sexy lingerie from
your favorite site. The problem is that you are at work and your Nazi IT
department has blocked your favorite site.

The recipe
(Defending yourself against Nazi IT departments)

1. Install BarracudaDrive on your home computer.

2. Make BarracudaDrive visible on the Internet by following the
installation tutorial.

3. Enable the tunnel server for your user ID.

4. Go to work.

5. Surf to your home computer using your default work browser.

6. Navigate to the BarracudaDrive "settings page" and login.

7. Start the HTTPS tunnel client by clicking the tunnel button on the
"settings page".

8. Start our preconfigured proxy version of the Firefox portable browser
(*).

9. Enter the URL to your favorite lingerie site.

10. Enjoy. Total satisfaction guaranteed.

wini wrote:


> You have decided to surprise your wife by purchasing sexy lingerie from
> your favorite site. The problem is that you are at work and your Nazi IT
> department has blocked your favorite site.


Yeah, they're nazis because they're implementing policies to make you
actually work instead of having personal fun...

> 5. Surf to your home computer using your default work browser.


5a. The proxy will log this step.

> 7. Start the HTTPS tunnel client by clicking the tunnel button on the
> "settings page".


7a. Certificate mismatch. Once you accept, the proxy will log this step.

> 9. Enter the URL to your favorite lingerie site.


9a. URL or website hits keyword filter, access denied and attempt logged.

> 10. Enjoy. Total satisfaction guaranteed.

Real 10: Get a complaint from your IT department, on repeat you'll get
expelled from the IT. If your jobs depends on it, you'll get fired.

wini wrote:
> Here is the deal:
>
> You have decided to surprise your wife by purchasing sexy lingerie from
> your favorite site. The problem is that you are at work and your Nazi IT
> department has blocked your favorite site.
>
> The recipe
> (Defending yourself against Nazi IT departments)
>
> 1. Install BarracudaDrive on your home computer.
>
> 2. Make BarracudaDrive visible on the Internet by following the
> installation tutorial.
>
> 3. Enable the tunnel server for your user ID.
>
> 4. Go to work.

That's a lot of work. Why not order it from home? Much simpler and you
don't run the risk of dismissal for misuse of Information Systems.

Or was that spam? I think it was.

Bogwitch.

--
Posted via a free Usenet account from http://www.teranews.com

"wini" <winigroups [at] gmail.com> wrote in message
news:c1cVh.15652$JZ3.7675 [at] newssvr13.news.prodigy.net...
> Here is the deal:
>
> You have decided to surprise your wife by purchasing sexy lingerie from
> your favorite site. The problem is that you are at work and your Nazi IT
> department has blocked your favorite site.
>
> The recipe
> (Defending yourself against Nazi IT departments)
>
> 1. Install BarracudaDrive on your home computer.
>
> 2. Make BarracudaDrive visible on the Internet by following the
> installation tutorial.
>
> 3. Enable the tunnel server for your user ID.
>
> 4. Go to work.
>
> 5. Surf to your home computer using your default work browser.
>
> 6. Navigate to the BarracudaDrive "settings page" and login.
>
> 7. Start the HTTPS tunnel client by clicking the tunnel button on the
> "settings page".
>
> 8. Start our preconfigured proxy version of the Firefox portable browser
> (*).
>
> 9. Enter the URL to your favorite lingerie site.
>
> 10. Enjoy. Total satisfaction guaranteed.
>
>

Yes that will work and not one of your IT Nazi's will be any the wiser.
Idiot.

What's that saying I've been saying lately? Oh that's right ... "you don't
know what you don't know, and what you think you know (maybe) just ain't so"

In article <c1cVh.15652$JZ3.7675 [at] newssvr13.news.prodigy.net>,
wini <winigroups [at] gmail.com> wrote:
>You have decided to surprise your wife by purchasing sexy lingerie from
>your favorite site. The problem is that you are at work and your Nazi IT
>department has blocked your favorite site.

>1. Install [software name] on your home computer.

>4. Go to work.

The precondition you imposed is that you are *already* at work.
If you are *already* at work in a place with a "Nazi IT department",
then you are not going to be able to install remotely onto your
computer at home (at least not without it being detected).

You recipe only works if you preplan your surfing escapade, in
which case you might as well just order from home.

>
> The precondition you imposed is that you are *already* at work.
> If you are *already* at work in a place with a "Nazi IT department",
> then you are not going to be able to install remotely onto your
> computer at home (at least not without it being detected).

Not sure I understand your problem. It works for me.

I have worked as a consultant for many years and I always had problems
reading my own emails from behind large company’s firewalls. This solves
the problem, though it requires that Java is installed on the computer I
am using. I know others have experimented with putting Java on a
USB-stick, but this has so far not been necessary for me.

wini wrote:
>
>>
>> The precondition you imposed is that you are *already* at work.
>> If you are *already* at work in a place with a "Nazi IT department",
>> then you are not going to be able to install remotely onto your
>> computer at home (at least not without it being detected).
>
> Not sure I understand your problem. It works for me.
>
> I have worked as a consultant for many years and I always had problems
> reading my own emails from behind large company’s firewalls. This solves
> the problem, though it requires that Java is installed on the computer I
> am using. I know others have experimented with putting Java on a
> USB-stick, but this has so far not been necessary for me.

Interesting. Do the companies you contract to not ask you to adhere to
any security operating procedures? If not, more fool them, please name
them so that I may approach them as they are in dire need of some good
security consultancy. If they do, why do you think it is acceptable to
breech them? It's not a dig as such, I'm interested in attitudes that
breech computer security. I know it happens, I often understand why. In
this case, you feel the resources offered by your client are
insufficient and the procedures for obtaining exceptions are inefficient
I guess.

Bogwitch.

"wini" <winigroups [at] gmail.com> wrote in message
news:pPtVh.533$H_.234 [at] newssvr21.news.prodigy.net...
>
>>
>> The precondition you imposed is that you are *already* at work.
>> If you are *already* at work in a place with a "Nazi IT department",
>> then you are not going to be able to install remotely onto your
>> computer at home (at least not without it being detected).
>
> Not sure I understand your problem. It works for me.
>
> I have worked as a consultant for many years and I always had problems
> reading my own emails from behind large company’s firewalls. This solves
> the problem, though it requires that Java is installed on the computer I
> am using. I know others have experimented with putting Java on a
> USB-stick, but this has so far not been necessary for me.

By your own notebook and get a mobile broadband account.

Post removed (X-No-Archive: yes)

>
> By your own notebook and get a mobile broadband account.
>

That is a possible solution, but why the heck should I do that when this
solution is so much cheaper.

Regarding the responses to my post I realize that there are a number of
Nazi IT specialists on this group. I guess certain type of people have a
strong urge to control other people. I have to say I feel liberated now
when you no longer can control me :-)

>
> Interesting. Do the companies you contract to not ask you to adhere to
> any security operating procedures? If not, more fool them, please name
> them so that I may approach them as they are in dire need of some good
> security consultancy.

Sorry, can't do that obviously.

If they do, why do you think it is acceptable to
> breech them? It's not a dig as such, I'm interested in attitudes that
> breech computer security.

I see this as my right as an individual not to be limited by morons like
you. I do no harm, I simply want to access my own services.

In article <pPtVh.533$H_.234 [at] newssvr21.news.prodigy.net>,
wini <winigroups [at] gmail.com> wrote:

>> The precondition you imposed is that you are *already* at work.
>> If you are *already* at work in a place with a "Nazi IT department",
>> then you are not going to be able to install remotely onto your
>> computer at home (at least not without it being detected).

>Not sure I understand your problem. It works for me.

Bad logic works for you??

Your recipe only works if you have *already* installed something
on your home machine, but the whole premise of your posting
was that you are starting from work -before- you've installed
anything on your home machine.

It is as if you had written,

"You are at work, and you want to use a hammer -now- (immediately,
before going home), but your workplace Health and Safety Committee
won't authorize recreational use of a hammer. Here's what you do:
you go home and you tie a long long fishing line to your hammer at
home, and then you go to work and you reel in the line at work until
your hammer reaches you."

Well, duh, if you need to use that hammer *now*, then you can't
go home and prepare the fishing line and go back to work. If you -did-
have time to go home, then you could just use the hammer at home and
you wouldn't need to go through the rigamorole. So your solution
doesn't solve the situation that it claimed to solve: that you have
no hammer and made no advance preparations and you need the hammer -now-.

The recipe you posted is a recipe for *premediated* violation of
policies, not the claimed recipe for relief of acute and unexpected
need to violate policies.


I would suggest that you consider getting yourself a Palm Trio and use
that to surf the net wirelessly. You can get wireless telnet programs
with terminal emulators if you need to be able to access your machines
at home. Or since it's supposely your wife's favorite lingerie site,
prepare yourself by taking down their phone number, and then calling
in your order.


At my workplace, if you deliberately violated our IT policies, your
company would be told that you were no longer welcome on our
premises, and your company would be reminded that we hired the
company rather than the person, so your company would be responsible
for providing an acceptable replacement worker. If you happen to be
the only employee of your company, tough luck: you'd still be
responsible for meeting the contract goals even if you have to take
a loss to do so by hiring someone else to do the work. Oh, and
non-completion of a contract nets a non-compliance note in the
unified purchasing system of our very large organization...

>
> At my workplace, if you deliberately violated our IT policies, your
> company would be told that you were no longer welcome on our
> premises, and your company would be reminded that we hired the

I guess I would not work for you.

I understand the importance of firewalls, but they are being misused by
many Nazi IT departments. I simply decided to circumvent this limitation
and it works. The same concept probably works for millions of other
users that do not tolerate Nazi IT departments. Why should I suffer and
pay extra for expensive equipment, which I do not really need.

In article <G3zVh.256$im2.170 [at] newssvr22.news.prodigy.net>,
wini <winigroups [at] gmail.com> wrote:

>If they do, why do you think it is acceptable to
>> breech them? It's not a dig as such, I'm interested in attitudes that
>> breech computer security.

>I see this as my right as an individual not to be limited by morons like
>you. I do no harm, I simply want to access my own services.

Get back to us after your own company has had a visit from
one of the TLA's, informing you that one of your ex-employees was
a spy who stole your technology for the benefit of a country with
a history of violence, repression, and war upon other countries.

And no, I am not speaking hypothetically. There have been enough
attempts at the organization I work for that the security teams
receive specific training about dealing with detected spying.

In article <unzVh.262$im2.22 [at] newssvr22.news.prodigy.net>,
wini <winigroups [at] gmail.com> wrote:
>I understand the importance of firewalls, but they are being misused by
>many Nazi IT departments. I simply decided to circumvent this limitation
>and it works. The same concept probably works for millions of other
>users that do not tolerate Nazi IT departments. Why should I suffer and
>pay extra for expensive equipment, which I do not really need.

Your posting IP address is in the USA, but it sounds to me as if
you are not overly familiar with the terms of the US Computer Fraud
and Abuse Act (1986). That's US Criminal Code Title 18, section
1030 and thereabouts.

One might as well ask why you should have to suffer and pay
extra for an expensive car, when you have a method of hot-wiring
other people's cars to "borrow" them when they aren't using them.


The fact that you work on contracts for companies suggests to me
that you are probably not entirely familiar with the laws and
regulations that their IT departments must operate under. Are you,
for example, familiar with what is required for Sarbanes-Oxley
compliance? Were you aware that the legislative branch of the
country I live in gave a government department the authority to
make IT regulations, and that government department thence adopted
as regulations certain clauses that were strongly
recommended by the national domestic security agency, with the effect
of those regulations being that in organizations subject to the
regulations, it is -required- (if they have a firewall at all)
to block outgoing accesses except to locations the organizations
can prove are necessary for their operations? Are you aware that
for certain private information that we deal with, that the
-minimum- fine upon an auditing agency detecting a *potential*
for a leak, is $25000 per day?

So are we operating a "Nazi IT department" and restricting access
just because we get off on controlling people -- or are we just
doing the best we can to comply with multiple jurisdictions'
laws and regulations?

wini wrote:

>> By your own notebook and get a mobile broadband account.
>>
>
> That is a possible solution, but why the heck should I do that when this
> solution is so much cheaper.
>
> Regarding the responses to my post I realize that there are a number of
> Nazi IT specialists on this group. I guess certain type of people have a
> strong urge to control other people.


Ehm... it's their job, damn it!

> I have to say I feel liberated now when you no longer can control me :-)

You'd wish...

wini wrote:


> I understand the importance of firewalls, but they are being misused by
> many Nazi IT departments. I simply decided to circumvent this limitation
> and it works.


Since this circumvention is forbidden by your usage contract, you'll jsut
need to get busted twice and then you'll be fired.

Walter Roberson wrote:


> So are we operating a "Nazi IT department"


That sounds like the S in BDSM.

> and restricting access just because we get off on controlling people


That pretty much sounds like the D in BDSM.

> -- or are we just doing the best we can to comply with multiple
> jurisdictions' laws and regulations?


That's the B in BDSM.

And I guess running Windows on the machines makes the M.

*SCNR*

"wini" <winigroups [at] gmail.com> wrote in message
news:G3zVh.256$im2.170 [at] newssvr22.news.prodigy.net...
>
>>
>> Interesting. Do the companies you contract to not ask you to adhere to
>> any security operating procedures? If not, more fool them, please name
>> them so that I may approach them as they are in dire need of some good
>> security consultancy.
>
> Sorry, can't do that obviously.
>
> If they do, why do you think it is acceptable to
>> breech them? It's not a dig as such, I'm interested in attitudes that
>> breech computer security.
>
> I see this as my right as an individual not to be limited by morons like
> you. I do no harm, I simply want to access my own services.

Access your own services using resources that don't belong to you. Please
explain how you justify that.

wini wrote:
>
>>
>> Interesting. Do the companies you contract to not ask you to adhere to
>> any security operating procedures? If not, more fool them, please name
>> them so that I may approach them as they are in dire need of some good
>> security consultancy.
>
> Sorry, can't do that obviously.
>
> If they do, why do you think it is acceptable to
>> breech them? It's not a dig as such, I'm interested in attitudes that
>> breech computer security.
>
> I see this as my right as an individual not to be limited by morons like
> you. I do no harm, I simply want to access my own services.

OK, no need to get personal. You have no reason to call me a moron, nor
to assume I am a moron.

All I can say is thank Christ you're a yank and very unlikely to work in
my environment. If you were to, and try that crap on any of my networks,
you would be sacked, sued and prosecuted. And you WOULD be detected.

I never suggested you did any harm - at least not as far as you are
concerned. Unfortunately, you are subverting the organisations security,
especially if you are installing Java when there is no business
requirement to do so.

As a contractor, you are paid to do a job of work, not to buy knickers
for your partner hence the harm is obvious.

As an aside, wasn't your original post just a thinly disguised piece of
spam? I refer to the line "8. Start our preconfigured proxy version of
the Firefox portable browser (*)."

Bottom line: You ARE doing harm. You are breeching your employers
security and by installing unauthorised software you are reducing the
overall security of your employers systems.

BUT, it would appear that you are SO arrogant that you will not accept
this and in your world, you are completely justified.

However, you have, in a round about sort of way, answered my question.
Why do you think it is acceptable to breech your employers security
policy? Because you are arrogant and you do not understand the security
requirements of your employer. I just hope you are not contracted for
security work.

Bogwitch.

--
Posted via a free Usenet account from http://www.teranews.com

wini <winigroups [at] gmail.com> wrote:
>> By your own notebook and get a mobile broadband account.
>
> That is a possible solution, but why the heck should I do that when
> this solution is so much cheaper.

Because someone else pays for the resources that you use unauthorizedly?

This may come as a shock to you, but you do not have a natural right to
use resources that belong to someone else. Especially not if that some-
one has taken steps to prevent you from using said resources.

> Regarding the responses to my post I realize that there are a number
> of Nazi IT specialists on this group. I guess certain type of people
> have a strong urge to control other people.

By "control other people" you apparently mean "prevent other people from
abusing company's resources".

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Wow I sure managed to get a flame war.

I have something for you to think about.

I used another solution before using the tunnel. I used to go to a
friend of mine working for another company and use his computer as they
did not have any firewall limitations. This took me about 45 minutes in
traveling, which I charged the company for. I charge $140h, you can do
the math. What I am trying to say is that you should focus on security,
not limit users since they will always find ways around your pathetic
obstacle course. You can throw your flames at me, but that will not
change the facts.

Bye

FYI: http://peacefire.org/

wini wrote:
>
> FYI: http://peacefire.org/

Oh, come on. Freedom of Speech != Buying lingerie.

Bogwitch.

wini wrote:
> Wow I sure managed to get a flame war.
>
> I have something for you to think about.
>
> I used another solution before using the tunnel. I used to go to a
> friend of mine working for another company and use his computer as they
> did not have any firewall limitations. This took me about 45 minutes in
> traveling, which I charged the company for. I charge $140h, you can do
> the math. What I am trying to say is that you should focus on security,
> not limit users since they will always find ways around your pathetic
> obstacle course. You can throw your flames at me, but that will not
> change the facts.
>
> Bye

So, you were buying frilly undies as part of your contracted work?
Interesting job!

I'm glad you're getting paid $140ph. It means that when they do sue you,
they will be well compensated.

You're walking a tightrope and one day you'll fall off. Would you do the
same thing if you had a DoD contract?

Bogwitch.

wini wrote:
> Wow I sure managed to get a flame war.
>
> I have something for you to think about.
>
> I used another solution before using the tunnel. I used to go to a
> friend of mine working for another company and use his computer as they
> did not have any firewall limitations. This took me about 45 minutes in
> traveling, which I charged the company for. I charge $140h, you can do
> the math. What I am trying to say is that you should focus on security,
> not limit users since they will always find ways around your pathetic
> obstacle course. You can throw your flames at me, but that will not
> change the facts.
>
> Bye


Ahh so you're also guily of fraud as well.

>>
>> FYI: http://peacefire.org/
>
> Oh, come on. Freedom of Speech != Buying lingerie.

I thought it would be obvious that the *lingerie* should not be taken
literally.

wini wrote:
>
>>>
>>> FYI: http://peacefire.org/
>>
>> Oh, come on. Freedom of Speech != Buying lingerie.
>
> I thought it would be obvious that the *lingerie* should not be taken
> literally.

I just wanted to establish motives. Your examples and stated uses
demontrate a self serving need, not altruistic nor client benefitting.

You have, no doubt, reminded everyone else in here of an important
lesson. Staff, including contrators may not always take 'No' for an answer!

Bogwitch.

On Thu, 19 Apr 2007 15:29:35 GMT, wini <winigroups [at] gmail.com> wrote:

>You can throw your flames at me, but that will not
>change the facts.

Fact: You are an admitted criminal.

Fact: You wouldn't stand a chance on my network.

Fact: I would probably allow you to connect to your computer but I would
also decode your SSL traffic and prevent any sensitive information from
being transmitted, all the while I would be recording your actions so that
you could be properly prosecuted.

Fact: Anyone taking your advice in this matter is an idiot.

> Fact: You are an admitted criminal.

opinions opinions

>
> Fact: You wouldn't stand a chance on my network.

sure

>
> Fact: I would probably allow you to connect to your computer but I would
> also decode your SSL traffic and prevent any sensitive information from

Do you work as a comedian?
Decode my SSL data: sure :-)
Go somewhere else and spread your FUD.
Your FUD might work in kindergartens.

> Fact: Anyone taking your advice in this matter is an idiot.

Getting a bit personal are we?
Sounds like Hitler when he was no longer in control.

wini wrote:
>
>
>> Fact: You are an admitted criminal.
>
> opinions opinions
>
>>
>> Fact: You wouldn't stand a chance on my network.
>
> sure
>
>>
>> Fact: I would probably allow you to connect to your computer but I would
>> also decode your SSL traffic and prevent any sensitive information from
>
> Do you work as a comedian?
> Decode my SSL data: sure :-)
> Go somewhere else and spread your FUD.
> Your FUD might work in kindergartens.
>
>> Fact: Anyone taking your advice in this matter is an idiot.
>
> Getting a bit personal are we?
> Sounds like Hitler when he was no longer in control.

After all the feedback you've received, do you really that that you're
right and *EVERYONE* else is wrong?

http://en.wikipedia.org/wiki/Delusion

--
Notan

wini wrote:


>> Fact: I would probably allow you to connect to your computer but I would
>> also decode your SSL traffic and prevent any sensitive information from
>
> Do you work as a comedian?
> Decode my SSL data: sure :-)
> Go somewhere else and spread your FUD.
> Your FUD might work in kindergartens.


This is no FUD, this is trivial. Just do a MITM attack at the server.
You have no choice: Accept the changed certificate and the server can read
everything, or reject it and your connection won't work.

>> Fact: Anyone taking your advice in this matter is an idiot.
>
> Getting a bit personal are we?

Huh? Why? No one claimed that you're an idiot, just that your advice is idiotic.

"Sebastian G" <seppi [at] seppig.de> wrote in message
news:58q599F2iefmpU1 [at] mid.dfncis.de...
> wini wrote:
>
>
>>> Fact: I would probably allow you to connect to your computer but I would
>>> also decode your SSL traffic and prevent any sensitive information from
>>
>> Do you work as a comedian?
>> Decode my SSL data: sure :-)
>> Go somewhere else and spread your FUD.
>> Your FUD might work in kindergartens.
>
>
> This is no FUD, this is trivial. Just do a MITM attack at the server.
> You have no choice: Accept the changed certificate and the server can read
> everything, or reject it and your connection won't work.
>

Exactly.

In message <462879f6$0$83730$c30e37c6 [at] pit-reader.telstra.net> "BernieM"
<berniem [at] bigpond.net.au> wrote:

>
>"Sebastian G" <seppi [at] seppig.de> wrote in message
>news:58q599F2iefmpU1 [at] mid.dfncis.de...
>> wini wrote:
>>
>>
>>>> Fact: I would probably allow you to connect to your computer but I would
>>>> also decode your SSL traffic and prevent any sensitive information from
>>>
>>> Do you work as a comedian?
>>> Decode my SSL data: sure :-)
>>> Go somewhere else and spread your FUD.
>>> Your FUD might work in kindergartens.
>>
>>
>> This is no FUD, this is trivial. Just do a MITM attack at the server.
>> You have no choice: Accept the changed certificate and the server can read
>> everything, or reject it and your connection won't work.
>>
>
>Exactly.
>

More importantly, if the IT department cares, they'll install their own
signed certificate on your PC, and when you attempt to establish an
encrypted connection, they'll simply decrypt, log, and reencrypt.

Since your machine is configured to trust the certificate used during
the reencryption phase, you won't even know it's happening unless you
inspect the certificate (and much of that could be spoofed anyway, if an
IT department was really worried about getting caught)

--
I'd give my right arm to be ambidextrous.

Notan <notan [at] ddressthatcanbespammed> skriver:
> After all the feedback you've received, do you really that that you're
> right and *EVERYONE* else is wrong?

Well Imho any admin puting in webfiletsr are definity wrong, don'ät
protect anythuing and makes life much harder. Usally this comes form
the idea that poilices are bone hard and have to be technically
enforced. An assumtion that actually don't work.

But may IT depetment have forgotten why they exists, whet the goal
eher it, the bigger organisation the bigger risk for this. One of my
main customers have these kinds of filters, i often get to use my
proxy at home usin a ssh-tunnel to read relevent internet information.
Out tools for security testring of the product often is blocked as
hacking tools for one thing. (Yes ofcource the use us ssh and
portforwaring to an external proxy is approved way of woring.)

--
http://anders.arnholm.nu/ Keep on Balping

"Anders Arnholm" <Anders+news [at] Arnholm.nu> wrote in message
news:slrnf2h7hn.q97.Anders+news [at] tika.arnholm.se...
> Notan <notan [at] ddressthatcanbespammed> skriver:
>> After all the feedback you've received, do you really that that you're
>> right and *EVERYONE* else is wrong?
>
> Well Imho any admin puting in webfiletsr are definity wrong, don'ät
> protect anythuing and makes life much harder. Usally this comes form
> the idea that poilices are bone hard and have to be technically
> enforced. An assumtion that actually don't work.

One reason web filtering is at the workplace is protect others from seeing /
reading things that someone else has on their screen they might find
offensive. People should not be subjected to offensive things in their
workplace. You look at what you want in the privacy of your own home.

DevilsPGD wrote:


> More importantly, if the IT department cares, they'll install their own
> signed certificate on your PC, and when you attempt to establish an
> encrypted connection, they'll simply decrypt, log, and reencrypt.
>
> Since your machine is configured to trust the certificate used during
> the reencryption phase, you won't even know it's happening unless you
> inspect the certificate (and much of that could be spoofed anyway, if an
> IT department was really worried about getting caught)


He claimed to use his own webbrowser or a Java applet within one.

But well, if the IT department cares, he won't be able to run those in first
place.

wini wrote:
>
> FYI: http://peacefire.org/

Most people who visit this forum have been in industry
for long enough to know what's right and wrong. The
companies we all work for are NOT democracies. If we
don't like the policies of the company we work for,
we are free to take our talents else where.

Most companies I know do allow limited personal browsing..
that includes checking google mail or scanning thro' news
articles. Forget about Nazi IT, what you are trying to do
will not be allowed even if Gandhi were your IT admin.

- Biswajit
Bangalore/INDIA

In message <58romrF2i0irdU1 [at] mid.dfncis.de> Sebastian G <seppi [at] seppig.de>
wrote:

>DevilsPGD wrote:
>
>> More importantly, if the IT department cares, they'll install their own
>> signed certificate on your PC, and when you attempt to establish an
>> encrypted connection, they'll simply decrypt, log, and reencrypt.
>>
>> Since your machine is configured to trust the certificate used during
>> the reencryption phase, you won't even know it's happening unless you
>> inspect the certificate (and much of that could be spoofed anyway, if an
>> IT department was really worried about getting caught)
>
>He claimed to use his own webbrowser or a Java applet within one.
>
>But well, if the IT department cares, he won't be able to run those in first
>place.

Even so, if the app uses the system SSL certificates (Java does, as do
many alternative browsers), the same may apply.

--
I'd give my right arm to be ambidextrous.

DevilsPGD wrote:


>> He claimed to use his own webbrowser or a Java applet within one.
>>
>> But well, if the IT department cares, he won't be able to run those in first
>> place.
>
> Even so, if the app uses the system SSL certificates (Java does, as do
> many alternative browsers), the same may apply.


Even fully untrusted Java Applets have permission to preselect a user-chosen
certificate on a SSLSocketConnection object.

So, this is a plausible scenario:
The IT department allows an installed webbrowser (not of his own choice) as
well as the installed Java VM. They also didn't implement appropriate
configuration of the Java VM to disallow all but whitelisted applets, but
they may have limited it to never trust any applet.

He uses these to load his applet, either from removable media or downloaded
from the Internet. It may be untrusted, but it's still allowed to first
select its own certificate loaded from its resource and then create a
SSLSocketConnection with this certificate.

This would allow him to detect the MITM attack.

But still he won't have any choice. Either it won't work or he will be sniffed.