Join 3,375 readers in helping fund MetaFilter (Hide)


Can I wirelessly connect my iBook to my (rather restrictive) work intranet?
December 13, 2005 8:32 AM   Subscribe

How can I become a rogue employee? I want to set up an unauthorized hotspot in my office, that "circumvents" the IT policy, by wirelessly linking my iBook to the all-PC network.

My tiny office has 9 people crowded around 4 crummy Dell desktops. We've invested in our own personal laptops: 3 Vaios, 2 Thinkpads, and me with an iBook. The trouble is none of us are allowed access to the work intranet. The IT department are adamant that only authorized Dell laptops can be configured to access the network.
When I plug my Airport Express in, it seems to think it's connected to the intranet, but it won't pass any data. Does anyone have any tips or resources to help me "configure" it, to allow us all untrammeled access?
posted by anonymous to Computers & Internet (16 answers total)
 
if you are caught, be sure to use the cyanide capsule hidden in your false tooth. The IT department are ruthless interrogators, and they will toture you until you reveal the identities of the other rouges in your office.

In all seriousness, why risk being fired over draconian IT policies. Go through channels to get this resolved. If it can't be resolved through channels, then explain to your boss and maybe your bosses boss that productivity is suffering.
posted by cosmicbandito at 8:46 AM on December 13, 2005


The security group at my company has Wifi locators. I've witnessed them walking around the floor with a handheld beeping device. They slowly walked down the hall, then down an aisle. Then to a cubicle. It is apparently trivial to detect and triangulate the location of any wireless signal. If you work at a company that's at all serious about security, they'll have one of these.
posted by Plutor at 8:54 AM on December 13, 2005


It's quite possible that there is networking hardware/software beyond your control that is detecting the Airport from its MAC address and refusing to forward its traffic.

If the Airport supports it, you can try changing its MAC address to that of the computer you normally plug in to the ethernet port.
posted by odinsdream at 9:02 AM on December 13, 2005


Don't leave us hanging Plutor, what happens when the security guys get to the cubicle?
posted by cosmicbandito at 9:08 AM on December 13, 2005


The wireless AP were rolling out will not only automatically detect rogue AP but also work with the switches to disable the network port the rogue is plugged into.

I'd second working with your boss to either change the IT dell only policy or to get your AP authorised.
posted by Mitheral at 9:16 AM on December 13, 2005


I applaud your efforts to allow unauthorized persons access to your company's intranet.
posted by Jairus at 9:33 AM on December 13, 2005


The real problem here is that you want access to the company Intranet, and not the Internet. It's a problem because if you wanted to access the Internet, it would be cake- a cellphone with a data plan, for example. You could even share this with your coworkers, using your built-in wifi.

Now, access to the Intranet is different- depending on the authorization scheme, you could really cause yourself some pain. Regardless of what technique you use to access it, you'll eventually reveal yourself to the IT gestapo, who will cause you big problems, right up to getting fired. To access their protected resources would be the same thing as hacking.

One way to do such a thing would be to clone the MAC address of an already authorized machine, and login with whatever client they use (novell, samba, etc). The problem is that your computer will doubtless send out some kind of signature- for example. the UserAgent string your browser sends out to websites. Also, if you cloned the MAC address, and you and the clone computer were on at the same time, that could cause network problems and would make you easy to detect.

While typing this, I thought of another solution- can you get them to allow a PC on an outside network access the Intranet? Like if you had one of these Dell laptops at home, connected to the Intranet, via the Internet, you could use Remote Desktop or VNC or an SSH session to get access back in.

Finally, you have to realize that you have made a decision to purchase unsupported hardware, which, in the eyes of some IT people, particularly ones who are hardasses about security, a decision that warrants alienation from the network. They know your little iBook is a powerful Unix box that they can't control easily, and they aren't interested in supporting anything beyond the (already difficult to secure/control) Microsoft-based network.

Good luck.
posted by fake at 9:35 AM on December 13, 2005


Depending on the size of your company, I can see a few reasons why your IT department has such a seemingly retarded policy- generally, it comes when their auth system uses AD and Kerberos, which requires serious tinkering on the Mac side to work correctly.

That aside, their wireless access points are probably secured by MAC address, or possibly even using the same Windows challenge/response that is preventing the Macs from going in in the first place.

Either way, your odds of getting this to work are slim to none, and not worth the wrath of IT.
posted by mkultra at 9:37 AM on December 13, 2005


I applaud your efforts to allow unauthorized persons access to your company's intranet.

Jairus is providing a nice example of the IT perspective, here.

Not that askme needs any more moralizing/grandstanding.
posted by fake at 9:39 AM on December 13, 2005


We've invested in our own personal laptops: 3 Vaios, 2 Thinkpads, and me with an iBook.

To me, that indicates deeper unresolved issues that go beyond network access and IT policies.
posted by gimonca at 9:45 AM on December 13, 2005


Jairus is providing a nice example of the IT perspective, here.

Not that askme needs any more moralizing/grandstanding.


How is that moralizing or grandstanding? Jairus is right, the reason that no sysadmin in their right mind allows some dipshit to waltz in and place an AP on their desk and connect it to the LAN is because they can't trust said dipshit to properly secure the connection. Hell, no sysadmin in their right mind places an AP on a LAN in the first place.
posted by cmonkey at 10:11 AM on December 13, 2005


cmonkey called it. It's all about security. If you don't secure the AP properly, then any schmoe in the parking lot has access to the corporate LAN. That's a Bad Thing.

And of course AskMe needs more moralizing/grandstanding. In fact, I think a little Righteous Indignation is called for here.
posted by JeffK at 11:03 AM on December 13, 2005


Sorry to be rude, but your convenience is not worth the lack-of-security in your network that you will be creating.
posted by BrandonAbell at 11:26 AM on December 13, 2005


Well, if you really want to get fired, your easiest (and lamest security) bet is to put a wireless card in one of the Dell desktops and run various internet sharing programs on it, and you'll need to put in some proxy/gateway programs to let you get access to the corporate intranet (beats me which ones because we don't know what you're using there).

You can connect your other wireless cards to that one using ad-hoc mode. You won't need a WAP for this.

But, it'll be a joke to detect, so be prepared to be fired.

Slightly more security would be had by adding a second network card to the Dell desktop, and adding a hub to that network card (and setting up the network as above again). But then you'll have spaghetti wiring all over the office. :-D Oh, and there's the firing thing, etc, again.
posted by shepd at 11:35 AM on December 13, 2005


Jairus has it, and from what I remember of working with him, it's an informed opinion.

The fact is that these laptops are not under IT control or authority. They are not configured with the IT security policies in mind, they aren't updated by IT for the latest virus definitions and patches, etc., etc. They cannot allow just any random machine to be hooked into the network. That includes employees' personal machines.

As far as solutions, you're not so badly off, I think. If those personal laptops really are essential to your work, then stop using them. Once productivity declines and the cause is assessed, manglement will have to either allow you access on the network and work something out with IT for security, or they'll provide you with the right kind of laptop to use with the network. Otherwise they'll have to accept that your needs aren't met by the IT infrastructure.

If you're using the laptops out of convenience rather than a real need, you have to face the facts that your workplace doesn't operate by your convenience. That may mean working with the inconvenience, because that's what the job is, or attempting to circumvent it, at which point you should be treated like anyone attempting to circumvent security.

Your intentions may be good, but you may not fully grasp the risk to which you are exposing your network. That's fine, really, because there are people that are paid to understand the risks and draw up guidelines to minimize them. What you need to do is find a way to do your work under these conditions, and perhaps try to work with manglement in order to allow a better integration between your needs at the workplace and the IT policies.
posted by splice at 12:33 PM on December 13, 2005


Not that askme needs any more moralizing/grandstanding.

Yeah, that was totally unnecessary. Jairus, I apologize. I really should have left that last sentence off.
posted by fake at 4:23 PM on December 13, 2005


« Older Im english and live in England...   |  Is there a Jane Goodall of pen... Newer »
This thread is closed to new comments.