Forbidden Websites

litirspam

Where I work the firewall or whatever it is does not allow access to a lot of websites. This is very annoying as I cannot even access my yahoo mail.
Is there any way around this that you know of?
It is purely for email etc that I want to know this.

Verdammt

You can specify a different proxy server, although I would'nt recommend this as if you probably get sacked

Blub2k4

litirspam wrote:

Where I work the firewall or whatever it is does not allow access to a lot of websites. This is very annoying as I cannot even access my yahoo mail.
Is there any way around this that you know of?
It is purely for email etc that I want to know this.

Litirspam, I wouldn't bother, the piece of paper you signed in your induction will say that you agree not to try to circumvent the systems there.
Chances are that if you are found out getting around the systems that they will fire you.

seamus

Yep. IT can see everything. Everything. There is very little you could do to circumvent controls that they wouldn't notice.

tck

seamus wrote:

Yep. IT can see everything. Everything

well not if its encrypted

http://anon.inf.tu-dresden.de/index_en.html may be of assistance

seamus

tck wrote:

well not if its encrypted

http://anon.inf.tu-dresden.de/index_en.html may be of assistance

Even using that tool, they know what you're doing. They see pretty much all of your web traffic going as secure traffic to one or a group of servers and they'll suspect that something is up. The content is usually irrelevant - it's still an attempt to circumvent their controls.

Capt'n Midnight

Considering the number of dodgy files out there no admin would be happy about people by passing all the security systems.

Most windows systems not patched in the last two weeks are vunerable to JPEGs. Some older IE5 and Mozilla versions are susceptible to BMPs.

Any half decent firewall can list source & destination addresses and traffic volume and times. Ain't worth it.

You could ask if such things can be done during lunch / outside hours or perhaps from a spare machine, then again they'd probably tell you to use the local library (which is free BTW).

Blub2k4

Blub2k4 wrote:

Litirspam, I wouldn't bother, the piece of paper you signed in your induction will say that you agree not to try to circumvent the systems there.
Chances are that if you are found out getting around the systems that they will fire you.

The only way you would be sacked for this is if they were trying to get rid of you anyway. Although if you spent much time dossing on the net...
*ahem*
anyways.

If your work proxy supports SSL you are laughing. (Ie if you can connect to secure sites in work). You can basicly tunnel anything through SSL.

MiCr0

is it blocked to all yahoo sites?

Blub2k4

ronoc wrote:

The only way you would be sacked for this is if they were trying to get rid of you anyway.

Not if I was the admin, dont be talking rubbish man the fact is that if he contravenes his terms of employment and somewhere there will be a security policy as they have bothered to implement a firewall policy they will obviously be interested in enforcing it, if he tries to circumvent this he is putting himself in a fireable position. Do you have any proof of what you are saying that goes beyond hearsay and the fact that he has signed pieces of paper to the contrary? If I was admin and saw encrypted traffic going over my firewall where it was not supposed to be I would fire the person, although a stateful inspection will normally stop all that it would still not be acceptable to try and if I saw it on my network you are gone. I'm sure Seamus would say the same.

seamus

Blub2k4 wrote:

If I was admin and saw encrypted traffic going over my firewall where it was not supposed to be I would fire the person, although a stateful inspection will normally stop all that it would still not be acceptable to try and if I saw it on my network you are gone. I'm sure Seamus would say the same.

Our admins would be a little more lenient. They'd just organise a bollocking for said employee with his superiors and make sure he knows that IT see absolutely everything that happens on the network. Security is a biggie here, so he'd be kept under heavy scrutiny for about 6 months after.

Blub2k4

Blub2k4 wrote:

If I was admin and saw encrypted traffic going over my firewall where it was not supposed to be I would fire the person, although a stateful inspection will normally stop all that it would still not be acceptable to try and if I saw it on my network you are gone. I'm sure Seamus would say the same.

Do you know how difficult it is to sack people in this country? A judge in a wrongful dismissal case (who always tend to be sympathetic to the employee) would want more of an explaination than that. You can't just sack people at the tip of a hat.

But apart from that different companies will take a different attitude to bypassing their proxys. Where I work for example I need to bypass it occasionally to do my job. I work in IT but we don't have control of what is blocked.
I supposed on your head be it if you decide to bypass. :rolleyes:

seamus

ronoc wrote:

Do you know how difficult it is to sack people in this country? A judge in a wrongful dismissal case (who always tend to be sympathetic to the employee) would want more of an explaination than that. You can't just sack people at the tip of a hat.

True, but if it's in the contract, it's in the contract. Most contracts will say "Unauthorised or improper use of computer, internet and email facilities will result in disciplinary procedures, such as written warnings, suspension without pay or dismissal", or something to that effect.

Remember that BOI director who was fired for looking at some barely pornographic sites? It's that simple. Essentially it can come under many labels, such as fraudulent use of company property, abuse of company facilities, or even theft.

Many companies will set up site filters to protect their employees, since many wouldn't be savvy enough to realise what is a dodgy site, and to make clear where the line is drawn on borderline sites. Maddox is a good example. Blocked in my place, and while it'snot strictly awful, it's possibly offensive to some.
It also protects the company against any possible hassle, legal or otherwise. If an employee saw another employees screen full of porn and other material, the company could be held partly responsible for providing the access to that content. If the company allowed access to a site providing services illegal in that territory, it could be legally liable.

By attempting to circumvent those controls you are presenting many risks to the company, consciously and deliberately, and anybody will tell you that's a sackable offence.

seamus

seamus wrote:

Remember that BOI director who was fired for looking at some barely pornographic sites? It's that simple. Essentially it can come under many labels, such as fraudulent use of company property, abuse of company facilities, or even theft.

By attempting to circumvent those controls you are presenting many risks to the company, consciously and deliberately, and anybody will tell you that's a sackable offence.

Word is going around was that people were trying to get rid of him anyways and the IT dept were more than happy to help after cutbacks were made

I'm not going to get into the legal side of things cause it ain't my forte. But I agree with what your saying. It can cause trouble. And yes can sack somebody for it (given the right circumstances). But in balance I fundementally disagree with such a hard line that Blub2k4(whoes post bordered on a flame) would take, its bad for business. In practice people who who are able to tunnel out of a firewall are the more technically clued up and the least likely to foul up the network (ignoring all other issues of course)

Blub2k4

ronoc wrote:

Do you know how difficult it is to sack people in this country? A judge in a wrongful dismissal case (who always tend to be sympathetic to the employee) would want more of an explaination than that. You can't just sack people at the tip of a hat.

But apart from that different companies will take a different attitude to bypassing their proxys. Where I work for example I need to bypass it occasionally to do my job. I work in IT but we don't have control of what is blocked.
I supposed on your head be it if you decide to bypass. :rolleyes:

Ai it would be on his head not on yours with your dodgy info. Strangely enough with firewall logs etc it is easy to tell where he was and when, and in his contract it will expressly say that, unlike with other information that a judge will be presented with in the course of his day this is easily documented and proveable and black and white, he shouldn't be doing what he is. If IT have no problem with what he wants to do then he can ask them.
I work in IT security.
If you decide to bypass tell them but conor said it was ok, I'm sure they wont mind.

Blub2k4

ronoc wrote:

But in balance I fundementally disagree with such a hard line that Blub2k4(whoes post bordered on a flame) would take, its bad for business. In practice people who who are able to tunnel out of a firewall are the more technically clued up and the least likely to foul up the network (ignoring all other issues of course)

And also more likely to know where to get the kiddie porn and the warez, would you ever cop on, that argument is just so amateur it doesn't bare thinking about. You want to help some one hack a system go ahead.

seamus

ronoc wrote:

In practice people who who are able to tunnel out of a firewall are the more technically clued up and the least likely to foul up the network (ignoring all other issues of course)

Tunnelling tools are widely available now, and pretty hassle-free, so long as you have a little knowledge. Those with a little knowledge are, in practice, the biggest threat to data and network security, because they think they know more than they do.

Blub2k4

Blub2k4 wrote:

Ai it would be on his head not on yours with your dodgy info.

I did not tell him how to do it or even say that he should. I merely said that he could..

I work in IT security.

Good for you..

If you decide to bypass tell them but conor said it was ok, I'm sure they wont mind.

I never said it was ok. I would advise rereading this thread.

There is much scaremongering going on I am simply pointing out you probably won't get sacked. Not unless he works for you!

Blub2k4

ronoc wrote:

I did not tell him how to do it or even say that he should. I merely said that he could..


Good for you..


I never said it was ok. I would advise rereading this thread.

There is much scaremongering going on I am simply pointing out you probably won't get sacked. Not unless he works for you!

It's not a willy waving competition, but you cant give the man advice that is likely to get him sacked, you dont know his situation, what we do know is
1/ They have a firewall
2/ We can infer from that that they have an IT policy.
3/ He has a contract with acceptable internet usage policy.
4/ He didn't say that they are lenient, he asked how he can bypass a firewall.
5/ People will be fired for this under ANY security policy.

Dont work off an assumption that everyone has a security policy that is enforced as badly as where you work.

andersde10

I wonder if you could use a browser emulator or the likes such as http://www.dejavu.org/ then access the blocked sites through it. i.e. you'd be browsing one blocked site but though another. just an idea!

ecksor

Blub2k4 wrote:

Not if I was the admin,

Admins making hiring/firing decisions in your place of work?

dont be talking rubbish man the fact is that if he contravenes his terms of employment and somewhere there will be a security policy as they have bothered to implement a firewall policy they will obviously be interested in enforcing it,

Perhaps, or perhaps only when it suits them. Catching a bad employee surfing for porn is a very convenient way of getting rid of them. Don't forget, many companies have policies for the purpose of audit or due diligence and may not expend a lot of resouces on enforcing them, depending on the policy of course.

if he tries to circumvent this he is putting himself in a fireable position.

Agreed.

Do you have any proof of what you are saying that goes beyond hearsay and the fact that he has signed pieces of paper to the contrary?

I'm confused by this. Proof that not all companies rigidly enforce such things?

If I was admin and saw encrypted traffic going over my firewall where it was not supposed to be I would fire the person, although a stateful inspection will normally stop all that it would still not be acceptable to try and if I saw it on my network you are gone. I'm sure Seamus would say the same.

How many companies give their sys-admins hiring and firing powers?

5/ People will be fired for this under ANY security policy.

Dont work off an assumption that everyone has a security policy that is enforced as badly as where you work.

If it's not a willy waving contest then stop waving your willy about. 1 to 4 in your list are reasonable. 5 should have 'may' rather than 'will'. It's not necessarily a sign that the company enforces the policy badly, more that it's there to serve the company rather than the company being there to serve the policy. If you catch a guy surfing porn but you know that firing him will put you out of business then it's smart to turn a blind eye as long as he's not offending anyone. If you catch the guy in reception or the guy who does no work surfing for porn then it makes sense to walk him off the premises. There's many shades between those two scenarios.

Blub2k4

ecksor wrote:

Admins making hiring/firing decisions in your place of work?

Not exactly but passing it on to HR, they wont filter this once it has come from IT.

ecksor wrote:

Perhaps, or perhaps only when it suits them. Catching a bad employee surfing for porn is a very convenient way of getting rid of them. Don't forget, many companies have policies for the purpose of audit or due diligence and may not expend a lot of resouces on enforcing them, depending on the policy of course.

Whatever, policy is policy, again dont assume everyone is as lax as you might be, it is written on paper.

ecksor wrote:

Agreed.

Phew, so why assume they wont act on someone actively circumventing a firewall, remember we're not talking about a dodgy email or an accidental click on a porno link here, someone is getting around your systems.

Ecksor wrote:

I'm confused by this. Proof that not all companies rigidly enforce such things?

NO proof that his company doesn't.

Ecksor wrote:

How many companies give their sys-admins hiring and firing powers?

as above.

Ecksor wrote:

If it's not a willy waving contest then stop waving your willy about. 1 to 4 in your list are reasonable. 5 should have 'may' rather than 'will'. It's not necessarily a sign that the company enforces the policy badly, more that it's there to serve the company rather than the company being there to serve the policy. If you catch a guy surfing porn but you know that firing him will put you out of business then it's smart to turn a blind eye as long as he's not offending anyone. If you catch the guy in reception or the guy who does no work surfing for porn then it makes sense to walk him off the premises. There's many shades between those two scenarios.

Whatever. A well written security policy serves the company and the company serves it, it protects the company too you know.
I take it you have a security background ecksor.

madramor

you want to access web mail, a site that is blocked by your sysadmin

most companies only block internet explorer access so you
could simply learn pop3/imap commands and type them into
your command prompt.

or try
http://www.anonymizer.com

ecksor

Hang on hang on. People may get fired for circumventing the network policy and certainly for downloading inappropriate material. I'm not doubting that at all, and certainly not assuming that they won't or suggesting that anyone else assumes that. All I'm disagreeing with is your apparent assumption that a person will get fired for such behaviour.

A well written security policy serves the company and the company serves it, it protects the company too you know.

Absolutely, because it covers their arse. If there is no policy then acting on any inappropriate behaviour becomes very difficult. It doesn't necessarily mean that all inappropriate behaviour will be acted upon. How strictly or laxly this is dealt with is going to vary wildly.

Whatever, policy is policy, again dont assume everyone is as lax as you might be, it is written on paper.

How strict or lax I might be is completely irrelevant, I never even directly hired or fired anyone in my life. I'm don't think I've even been responsible for anyone getting fired although I may be mistaken.

The point is that this stuff varies from company to company, and your experience sounds a lot more rigid than what most Irish companies will practice I reckon. Risk aversion and what measures of control employees will happily work under vary from country to country and the enforcement of security policy also seems to vary depending upon country, type of business and how large the business is. An Irish SME will on average be a lot more lenient then an American pharmaceutical (except where the researchers are concerned of course ) or a large Swiss bank (apparently the swiss accept all sorts of controls on their work environment, just another cultural thing).

Blub2k4

Blub2k4 wrote:

And also more likely to know where to get the kiddie porn and the warez, would you ever cop on..

By your logic because a person are able to bypass a companies firewall that lumps them in the same group as pirates and paedophiles. Thats not right at all infact its plain wrong.
Have you even used these tools or are you just assuming that is their evil purpose?

Would I cop on? If by that you mean not expressing my opinion, no I will not. I'm more than happy to engage in a debate. I am more than happy to listen to what you have to say as long as it isn't in rant form as above.

Blub2k4

ronoc wrote:

By your logic because a person are able to bypass a companies firewall that lumps them in the same group as pirates and paedophiles. Thats not right at all infact its plain wrong.

This is not what I said, you made the first dodgy contention by assuming that the person with the knowledge to bypass the firewall will do less damage, that's an assumptive crock, I extended this logic to assume that they will also be going for material that the company dont want their employees accessing, otherwise there would be no firewall, and he would not have to ask how to bypass it.

ronoc wrote:

Have you even used these tools or are you just assuming that is their evil purpose?

I repeat I work in security, yes I have used these tools, here's some reading for you if you want to get up to speed on policies their creation and usage
http://www.infosyssec.net/infosyssec/secpol1.htm

ronoc wrote:

Would I cop on? If by that you mean not expressing my opinion, no I will not. I'm more than happy to engage in a debate. I am more than happy to listen to what you have to say as long as it isn't in rant form as above.

Cop on and dont be giving bad information on security policies and the sense of trying to bypass them, this should in any company with a correctly enforced security policy, get the man fired.

There are forums where this thread would have been locked immediately as illegal in content cos he was expressing a wish to break the law.

Blub2k4

ecksor wrote:

Hang on hang on. People may get fired for circumventing the network policy and certainly for downloading inappropriate material. I'm not doubting that at all, and certainly not assuming that they won't or suggesting that anyone else assumes that. All I'm disagreeing with is your apparent assumption that a person will get fired for such behaviour.

people SHOULD get fired for circumventing security policy it is after all written into their contract and they signed it, after that you are down to a lot of factors, start with the assumption that they will be then start adding whatever plus points you want to keep them there performance etc, and the argument is actually why they should be kept, they have at this point already proven that they could/should be fired,but they are working uphill from there. Sorry for assuming that companies acutally carry out that which is in their employees contracts, I did forget that we are in Ireland where rules are made to be broken, or something.

Ecksor wrote:

Absolutely, because it covers their arse. If there is no policy then acting on any inappropriate behaviour becomes very difficult. It doesn't necessarily mean that all inappropriate behaviour will be acted upon. How strictly or laxly this is dealt with is going to vary wildly.

In Ireland there may be a large variation this is not the norm.

Ecksor wrote:

How strict or lax I might be is completely irrelevant, I never even directly hired or fired anyone in my life. I'm don't think I've even been responsible for anyone getting fired although I may be mistaken.

not really it is your interpretation of acceptable internet usage, in that way it is relevant.

Ecksor wrote:

The point is that this stuff varies from company to company, and your experience sounds a lot more rigid than what most Irish companies will practice I reckon. Risk aversion and what measures of control employees will happily work under vary from country to country and the enforcement of security policy also seems to vary depending upon country, type of business and how large the business is. An Irish SME will on average be a lot more lenient then an American pharmaceutical (except where the researchers are concerned of course ) or a large Swiss bank (apparently the swiss accept all sorts of controls on their work environment, just another cultural thing).

I work for a very large security vendor and have studied SANS security courses etc, sorry for being exact. So without knowing the guys company etc it is ok to say he wont be fired, the argument like I said becomes well why shouldn't we fire him and not ah sure it's ok, as you seem to think it will be.

Blub2k4

Blub2k4 wrote:

This is not what I said, you made the first dodgy contention by assuming that the person with the knowledge to bypass the firewall will do less damage, that's an assumptive crock, I extended this logic to assume that they will also be going for material that the company dont want their employees accessing, otherwise there would be no firewall, and he would not have to ask how to bypass it.

Ok take a company without a proxy/firewall. The clued up users will be the ones who don't download dodgey exes.

A company with a firewall, assume these same people are the only ones able to bypass the proxy. So will hopegfuly still be intellegent enough not to download crap. (if they are clued in enough to know how to bypass it they should be clever enough not to download crap)

There are harmless reasons for working around the proxy its not all black and white..

Cop on and dont be giving bad information on security policies and the sense of trying to bypass them, this should in any company with a correctly enforced security policy, get the man fired.

Cop yourself on trying to shovel your PoV down my throat. He is still free to make a balanced decision based on this thread. And lets face it he came looking for the info.
How do you know his security policy is the same rigious one you persue. There is no such thing as a one size fits all security policy.

There are forums where this thread would have been locked immediately as illegal in content cos he was expressing a wish to break the law.

Thats if the content were against the law, but guess what, it isn't! Its common knowlege (if you use google). This isn't hacking or gaining illegal access to a network. And even talking about that certainly isn't illegal.

seamus

ronoc wrote:

A company with a firewall, assume these same people are the only ones able to bypass the proxy. So will hopegfuly still be intellegent enough not to download crap. (if they are clued in enough to know how to bypass it they should be clever enough not to download crap)

You can't assume anything. A clued-up user bypassing the proxy is just as likely to be a disgruntled, clued-up user who is accessing content and sites with the intention of compromising security, as a clued-up user who just wants to access his email.

There are harmless reasons for working around the proxy its not all black and white..

Agreed, but a company can't be flexible on its rules. Either it applies to everyone or it doesn't. People's intentions may not be black and white, but company policy has to be, or that policy isn't worth ****e.
As I've said before, you cannot assume anything about any user. A little knowledge can be a dangerous thing.

While they may not do anything serious if he does attempt to bypass the proxy, they will indeed smack him down and warn him against doing it further (if they have a policy in place).

I think the point that Blub is trying to get across is - Unless your IT department is run by illiterate camels, the risk you run by bypassing the proxy may not be worth it just to check your mail.

seamus

seamus wrote:

You can't assume anything. A clued-up user bypassing the proxy is just as likely to be a disgruntled, clued-up user who is accessing content and sites with the intention of compromising security, as a clued-up user who just wants to access his email.

Agreed but if there are disgruntled employees inside the company (who are sufficently motivated) they could damage the network no matter what policies are in place. I wouldn't agree these employees are just as likely to bad as good. Most people want to work and do their job. Being a disgruntled employee to the extent of damaging the network is usually a bad employees last surprise when they leave.

Agreed, but a company can't be flexible on its rules. Either it applies to everyone or it doesn't. People's intentions may not be black and white, but company policy has to be, or that policy isn't worth ****e.
As I've said before, you cannot assume anything about any user. A little knowledge can be a dangerous thing.

True enough. But there has to be some give. The law isn't black and white by any means. Any company that persued their company policy to the letter would find themselves in court more times than not.

Blub2k4

ronoc wrote:

There are harmless reasons for working around the proxy its not all black and white..

And strangely enough there are also policies and procedures for this which IT get involved in. I wont even address the first bit.

ronoc wrote:

Cop yourself on trying to shovel your PoV down my throat. He is still free to make a balanced decision based on this thread. And lets face it he came looking for the info.
How do you know his security policy is the same rigious one you persue. There is no such thing as a one size fits all security policy.

It's not my POV it's pretty standard stuff, I even provided you with a link to read up on it.

ronoc wrote:

Thats if the content were against the law, but guess what, it isn't! Its common knowlege (if you use google). This isn't hacking or gaining illegal access to a network. And even talking about that certainly isn't illegal.

The act of bypassing a security system without the owners consent is in most cases illegal. Has nothing to do with the content, but then you knew that?

Soon thereafter, the United Kingdom promulgated the Computer Misuse Act 1990 into law, which served as the model for many other countries‘ legislative framework including Ireland

Computer Misuse Act 1990 UK wrote:

Extract from Computer Misuse Act 1990 (c. 18)
Computer misuse offences

Unauthorised access to computer material.

1.—(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at—

(a) any particular program or data;

(b) a program or data of any particular kind; or

(c) a program or data held in any particular computer.

Now what were you saying exactly???????

seamus

That act doesn't exactly cover what we're talking about here though (do you have a copy of the Irish one, for relevance?).

To use a tunnelling proxy isn't necessarily covered here. After all, he is accessing a public server, with authorisation (the proxy on the internet), and also using the business proxy (the firewall/gateway to the internet) is authorised access, as it's safe to assume that if a site is not blocked, then you are authorised to use the company's proxy server to access it.

So this not may fall into a legal issue whatsoever, since at no point is the access unauthorised. The company however, is still free to take action, since the attempt is to circumvent security measures, and it would usually be specifically covered in one's AUP.

{Edit: It depends on where the act applies. He wants to access data on a public server. Therefore that access is authorised (by the owner of the server). However the access via the company proxy is not authorised. Who wins out? I'd hazard that the authorisation required is authorisation to access the computer where the data is held, not authorisation to access the route to get to that data (except of course where one is gaining unauthorised access to machines on that route).

Blub2k4

Blub2k4 wrote:

Soon thereafter, the United Kingdom promulgated the Computer Misuse Act 1990 into law, which served as the model for many other countries‘ legislative framework including Ireland

Blub2k4 wrote:

1.—(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

That covers the tunneling proxy. The access in that form would be unauthorised, otherwise he would not need to bypass it.
IT IS ILLEGAL under the law, agreed the call is the companies call but that does not change it's illegality only whether or not it is reported as such.

Blub2k4

seamus wrote:

{Edit: It depends on where the act applies. He wants to access data on a public server. Therefore that access is authorised (by the owner of the server). However the access via the company proxy is not authorised. Who wins out? I'd hazard that the authorisation required is authorisation to access the computer where the data is held, not authorisation to access the route to get to that data (except of course where one is gaining unauthorised access to machines on that route).

The act applies all along the route, suitably fuzzy to catch all.

It's not my POV it's pretty standard stuff, I even provided you with a link to read up on it.

Read again its advice I was giving as were you. I'm not disputing the link you gave me which is pretty boiler plate stuff, I'm disputing the fact you feel the need to drum into me that my point of view is wrong. My advice was you CAN do it, but on your head be it. It is also my point of view that not all sysadmins will hang you for doing so. Now tell me again what does that have to do with the content of security policies?

Now what were you saying exactly???????

Ok say I use a program to bypass a proxy where I work. The data I'm accessing does not belong to the company in question as it is on the internet,freely available , the law you quoted does not apply. Organisational policies prevent access to blocked websites not the law.

Blub2k4

ronoc wrote:

It's not my POV it's pretty standard stuff, I even provided you with a link to read up on it.[\QUOTE]

Read again its advice I was giving as were you. I'm not disputing the link you gave me which is pretty boiler plate stuff, I'm disputing the fact you feel the need to drum into me that my point of view is wrong. My advice was you CAN do it, but on your head be it. It is also my point of view that not all sysadmins will hang you for doing so. Now tell me again what does that have to do with the content of security policies?


Ok say I use a program to bypass a proxy where I work. The data I'm accessing does not belong to the company in question as it is on the internet,freely available , the law you quoted does not apply. Organisational policies prevent access to blocked websites not the law.

Your point of view is your point of view, accepted, that you would give someone information that is likely to get him fired or make him complacent about his companies security policy is wrong even illegal, I am pointing it out.

You interpret what you read as the law whatever you want I understand what it means if you choose not to or cant understand it all I can do is try to clear it up for you, the unauthorised access that is illegal is when you MISUSE the company proxy or your local pc to bypass the proxy, not the remote internet server.

Gilgamesh

My god, what a lot of words here,

from my point of very it is very straight forward.
If a firewall has been implemented and blocks certain Sites, functions, etc. then the company has a reason for this.
even if they do no have a policy you have signed, and you tunnel the Firewall, you are creating a security breach in the system.
If a company cops on to this, and even if you do know what you are doing, they won't be very happy about it.
It's quite simple, the bosses hear of it, they give IT a bollocking, they trace you, to pass on the bollocking, because they don't want the blame.
if it is severe, or IT would be in a bad ood, the ywill trace every single step you have taken to date, send the report to the peaved boss, and hey presto, your are under heavy surveilance, not even allowed to turn on the coffee machine, or you wil lbe out of there.

Chalk

not wanting to interrupt or anything ,
but if it really is just for email and its only yahoo mail being blocked
could you not bring it up with the admin?
ie if they allow hotmail but not yahoo as its a searcg engine couldnt they allow the mail.yahoo.com subdomain?
or even allow something like www.mail2web.com and continue blocking whatever they block but thereby allowing all staff to access there web mail without allowing individual access to the mail sites.

that you would give someone information that is likely to get him fired or make him complacent about his companies security policy is wrong even illegal, I am pointing it out.

The fact i'm giving him information is not wrong. Its not illegal either. I'll agree to disagree over the "tunneling is illegal thing" but most of what said is is to counter your experience of and your attitude to the breaking of the policy. It ain't the same everywhere mate.

Blub2k4

ronoc wrote:

I'll agree to disagree over the "tunneling is illegal thing" but most of what said is is to counter your experience of and your attitude to the breaking of the policy.

Whatever. I tried.

Gilgamesh

It is quite an easy equasion when it comes to company policies, they are there to set guidelines for the employees in the company, so the company can not be damaged by legal issues, such as Porn Sites, Warez etc.
If a Sales Rep in O2 would start selling mobile phones at a reduced price and started cracking the simlock for the customer, he will also be sacked, as this would damage the company.
there are more than enough criminal investigations going on at the moment, about illegal content on company PCs, so that no company can afford to have this happen to them.
A company, especially a smaller one, can not afford to be crushed with legal bills from a major company like Microsoft, just as an example, because some idiot in the company tunneled the Firewall and downloaded MS Office to his machine.
I am not saying that someone in this forum has that intent, but I am saying that you would have to be very ignorant to say that nobody in this world would not abuse this

ecksor

Blub2k4 wrote:

people SHOULD get fired for circumventing security policy it is after all written into their contract and they signed it,

That's a different argument that I can't be bothered getting into. Saying that people will be fired is a different thing to saying that they should be fired.

In Ireland there may be a large variation this is not the norm.

Perhaps not, but I was just talking about Ireland.

not really it is your interpretation of acceptable internet usage, in that way it is relevant.

If I ever work in HR it will become relevant.

I work for a very large security vendor and have studied SANS security courses etc, sorry for being exact. So without knowing the guys company etc it is ok to say he wont be fired, the argument like I said becomes well why shouldn't we fire him and not ah sure it's ok, as you seem to think it will be.

Am I mistyping something? I never said anything of the sort. You were saying "will get fired" and I'm saying that "may get fired" is more accurate. "may get fired" doesn't mean "won't get fired" as you seem to be interpreting it.

Blub2k4

So telling the guy there is a possibility he wont be fired when he is asking for advice from a "security" board is good advice is it?
A simple yes or no answer suffices.

ecksor

Saying that he may or may not get fired is accurate. We don't know what will happen even though you seem to think that you do.

BTW, you forgot to mention that you work in security in that post. Perhaps you should put it in your signature.

Blub2k4

I mentioned that when he mentioned he worked in IT.
Dont worry you are no doubt a 1337 h4Xor uninterested in the views of someone who does this for a living.

ecksor

:rolleyes:

seamus

Blub2k4 wrote:

So telling the guy there is a possibility he wont be fired when he is asking for advice from a "security" board is good advice is it?

I think so. Better to give him all the facts and let him make up his own mind about it rather than tell him something that may not be true.

The irony of your last post makes me laugh....

dogs

Blub2k4 wrote:

Dont worry you are no doubt a 1337 h4Xor uninterested in the views of someone who does this for a living.

GOAAAALLLLLL!!!!

Blub2k4

Blub2k4 wrote:

So telling the guy there is a possibility he wont be fired when he is asking for advice from a "security" board is good advice is it?
A simple yes or no answer suffices.

Thats a "Have you stopped beating your wife?" type question...

Blub2k4

ronoc wrote:

Thats a "Have you stopped beating your wife?" type question...

I dont get what you mean.

In reference to the legality, in case you are interested here is a paper with the position outlined in it with regard to Irish misuse laws: <edit> specifically page 5.

http://colr.ucc.ie/2004viii.pdf

And here is the computer misuse act:

http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

Have a look if you want if you dont then dont, interpret them how you will it's there in black and white.

ecksor

As far as the possibility of recommending an illegal act goes, I'm comfortable with allowing the thread to stay in either case.