Welcome to ECCIE - Sign up today!

Polecat · 01-06-2010, 03:22 PM

My cat can beat up your cat.........

GneissGuy · 01-06-2010, 04:24 PM

Quote:

Originally Posted by Steve67

2. Why Pay? http://www.torproject.org/index.html

Tor has some at least one serious security problem. Anyone can set themselves up to run a tor exit node and watch the traffic that comes out of the tor network through your node. You can then eavesdrop on that traffic, seeing both what the user types in and the response.

Tor does solve the problem of your employer or ISP watching your traffic, but they can still tell you're using tor.

You can't use this trick to watch a particular person, but you can randomly steal userids and passwords, except for secure sites that use encryption through https, like most banking sites.

It would be a good thing if eccie were set up to allow a secure connection via https for several other reasons as well. In particular, no one at your ISP or even impersonating a wireless connection would not be able to see your eccie information.

curiousbill101 · 01-06-2010, 08:45 PM

https seems like it would be nice security enhancement.

npita · 01-07-2010, 10:36 AM

Quote:

Originally Posted by GneissGuy

It would be a good thing if eccie were set up to allow a secure connection via https for several other reasons as well. In particular, no one at your ISP or even impersonating a wireless connection would not be able to see your eccie information.

The only issues with using https might be the additional overhead required for (1) the connection handshake; and (2) encryption/decryption. The first would presumably not be an issue so long as clients used the http-keepalive and the server is set up for it (which presumably is the case).

The second might be an issue if the server load is already high. In any case, using https would require a lot of attention to tuning a number of web server parameters, so it might be a nice ``wish list item,'' but not something that should be looked at until the most important issues have been sorted out and well under control.

A third issue would be that while no one could see the information passed in the requests and served pages, the tcp header is not encrypted, so the IT dept. would still know the to which one is connecting. Lots of proxies are set up to handle http, but not https (I don't know about anonymizers), so there may be no real benefit in practice. A false sense of security is worse than knowing something is insecure and acting accordingly. The bottom line is everyone with something to lose should not do stupid things, like connecting from work.

GneissGuy · 01-07-2010, 12:37 PM

I think the https server code is sufficiently optimized and/or the computers are powerful enough that the overhead is not really that big a deal any more.

I wasn't necessarily talking about having eccie use https in conjunction with an anonymizer/proxy service. I'm thinking that https: gives an extra level of protection against internet providers and things like rogue access points in hotels or free wireless access places like restaurants. There are getting to be more and more people who'll put up their own wireless access point at a wireless hotspot and snoop on the traffic.

Even with an anonymizer service, there are getting to be so many sites that use https that there's quite an incentive to make the service work with https.

I was also not necessarily suggesting that all connections use https. It would be good if you could choose to use https: when you logged in, either by typing https://www.eccie or maybe even as a profile setting.

Risn2TheOccasion · 01-07-2010, 01:33 PM

Thank God for Smart Phones.

textodd11 · 01-07-2010, 04:05 PM

Trust me, I AM "Big Brother" and if you're on my network I can see anything I need to.

Not ONE of the measures mentioned here would have one bit of impact on my ability to trace and log all activity on any given user.

Your only hope is to use a wireless carrier outside the corporate network or better yet, wait till you get somewhere else. If you can't then the only suggestion I have is to become your IT Director's best friend in a hurry.

GneissGuy · 01-07-2010, 04:22 PM

Quote:

Originally Posted by textodd11

Trust me, I AM "Big Brother" and if you're on my network I can see anything I need to.

Not ONE of the measures mentioned here would have one bit of impact on my ability to trace and log all activity on any given user.

Your only hope is to use a wireless carrier outside the corporate network or better yet, wait till you get somewhere else. If you can't then the only suggestion I have is to become your IT Director's best friend in a hurry.

Well, yes, if you have administrator/root access to the user's PC, you can see anything they do.

If you don't control their individual PC, you're not going to be able to read what they send or receive over an https/ssl connection, are you? Yes, you can tell which web page they're going to, but not see their passwords or the data displayed, correct? If they go to something like anonymizer.com, you wouldn't be able to see anything more than the fact that they are going to anonymizer.com, would you?

Anyway, it's big time STOOPID to browse here from work on the company network.

argus256 · 01-07-2010, 04:53 PM

Quote:

Originally Posted by textodd11

Trust me, I AM "Big Brother" and if you're on my network I can see anything I need to.

Not ONE of the measures mentioned here would have one bit of impact on my ability to trace and log all activity on any given user.

Your only hope is to use a wireless carrier outside the corporate network or better yet, wait till you get somewhere else. If you can't then the only suggestion I have is to become your IT Director's best friend in a hurry.

I submit my measure for canidacy of you not seeing what I'm doing, and it's called IPSEC VPN to my home... unless you can break that encryption (which most IT lackies can't) then you ain't seein it... however, if you block that from leaving your network or block the application from being installed that will allow you to setup that encryption, then i'm not getting out of the network with it, obviously.

In addition to that if you're doing screen caps of the machine I'm on, obviously you can see it then...if I'm not using one of your comps then you can't with IPSEC.

okie69696 · 01-07-2010, 05:31 PM

I like all this information here but can you explain more about how to "Setup a "file" server with no monitor/keyboard... use a laptop to connect to the server." ?? That sounds like a perfect fit for me...if I just figure out how to do it. Would this new "server" be at home or my business?

GneissGuy · 01-07-2010, 07:31 PM

Quote:

Originally Posted by argus256

I submit my measure for canidacy of you not seeing what I'm doing, and it's called IPSEC VPN to my home... unless you can break that encryption (which most IT lackies can't) then you ain't seein it... however, if you block that from leaving your network or block the application from being installed that will allow you to setup that encryption, then i'm not getting out of the network with it, obviously.

It's pretty easy to detect that you're using IPSEC. Plenty of companies would take serious disciplinary action for using an unauthorized VPN.

argus256 · 01-07-2010, 11:32 PM

I didn't suggest that it wasn't easy to detect, just hard to break and take a peak

GingerOnTour · 01-08-2010, 07:13 PM

While hideing your IP from IT is great, some of us providers use this as a screening tool when reciving emails and yes your smartphone has an IP address too. I prefer to look up your IP and cell #, then to ask you where you work, 2+ refs, favorite color, and first born (just sayn).

busageek · 01-08-2010, 09:03 PM

Quote:

Originally Posted by okie69696

I like all this information here but can you explain more about how to "Setup a "file" server with no monitor/keyboard... use a laptop to connect to the server." ?? That sounds like a perfect fit for me...if I just figure out how to do it. Would this new "server" be at home or my business?

If all you're trying to do is hide your tracks on your home pc or laptop, there's an easier way to do that. Just run a browser on a usb flash drive. Take a look at portableapps.com. Load Firefox on a usb stick and only use that browser. Just remove the USB stick when you walk away from the pc and all traces of activity go with it.

Another option is to use the incognito feature in the Google Chrome browser.

Cheers,

argus256 · 01-08-2010, 10:10 PM

Quote:

Originally Posted by busageek

If all you're trying to do is hide your tracks on your home pc or laptop, there's an easier way to do that. Just run a browser on a usb flash drive. Take a look at portableapps.com. Load Firefox on a usb stick and only use that browser. Just remove the USB stick when you walk away from the pc and all traces of activity go with it.

Another option is to use the incognito feature in the Google Chrome browser.

Cheers,

That's all fine and dandy unless the network you're on is logging and filtering traffic.