How do I get past internet monitoring at work?
October 12, 2005 6:13 PM
My company has recently started internet monitoring. I believe they have set up some kind of proxy server. Unfortunately, they have blocked sites that I use for productivity. Is there any way of easily getting around the proxy server?
I'm not sure if I'm right, but there must be a setting in Internet Explorer that can route my websites through another server? How do I do this and who do I use? I don't mind paying, but would prefer free.
The owner of my company has become big brother and it's unfortunate because now sites can only be "work related" which can be widely (or narrowly) defined.
I would also like to know how to find out what they are using to do this (for curiosity purposes). Where can I look on my computer to see this? Also, I think they may have set up remote viewing. Is there any way to detect this?
I've had pretty good luck with this free proxy list. I use it to access the narod.ru Russian topographic charts, as they seem to download much faster via a Russian proxy server than via direct connection... go figure.
posted by rolypolyman at 6:21 PM on October 12, 2005
Mmm. Anonymous proxy services are only useful to the extent that your company does not have a firewall blocking them. Furthermore, if you are detected using an anonymous proxy, you will be in trouble. Companies that are anal enough to filter your net access are anal enough to look for evidence that you are bypassing their filters. I wouldn't use an anonymous proxy in a work situation myself.
posted by i_am_joe's_spleen at 6:27 PM on October 12, 2005
Can you get an ssh tunnel out of there? Maybe on port 80? I ssh tunnel from my laptop to my Mac at home, which is running the Squid proxy server. I do it to secure my browsing when using open WiFi networks, but it would presumably work just as well for this kind of situation.
posted by kindall at 6:34 PM on October 12, 2005
It is possible that you will not be able to get around the proxy, no matter what you do to the settings on your computer. It all depends on how they implemented it. If they wanted to lock down the network tightly, they could set up a firewall on the edge of the network (where all the traffic leaves the organization through its external connection) that blocks all traffic except for port 80, and then forwards the remaining port 80 traffic through a squid proxy that restricts which sites you can visit. If you had a network like this then there is essentially nothing you can change on your PC to get around it, because it's going to go through the proxy no matter what.
Your best bet is to make a case to the management that whatever sites are blocked are used to increase your productivity. Also realize that it is their network, not yours, and they have every right to restrict and monitor it however they please. You may not like it, but you do not have the moral or legal right to try to circumvent their wishes.
One possibility when the allowed ports are tightly restricted is to set up an ssh server (on an external machine that you control) on port 80. Then you run an HTTP proxy on that machine, ssh into it, and use ssh port forwarding to make that proxy server appear as a local port, which you instruct your browser to use. This works because it's on port 80 -- the same as normal web traffic. And since it's over ssh, there is absolutely no way for them to tell what the contents and nature of the tunneled traffic is[*]. However, they would be able to tell that it's encrypted ssh traffic which could set off alarm bells. (Think corporate espionage...) This will also fail to work if the network uses a transparent HTTP proxy, or if it uses deep packet inspection as a filtering method, because the ssh handshake will not look like HTTP traffic. If this is the case then your only bet is to use a normal HTTP proxy server on 80, and find one that is not blocked.
[*] But they can still tell what you're surfing through Remote Desktop or VNC or similar.
posted by Rhomboid at 6:38 PM on October 12, 2005
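The observation above, that an ssh handshake on port 80 does not look like HTTP, is the check an inspecting proxy or IDS performs on the first bytes a client sends. The following is an added example, not part of the original thread: the per-port expectations, the CONNECT port policy and the sample payloads are assumptions constructed for illustration.

```python
import re

# Request line of an HTTP/1.x client, including CONNECT as sent to a forward proxy.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|PATCH|CONNECT) \S+ HTTP/1\.[01]\r?\n"
)

# Assumed policy: what the client side of a flow should look like on each port.
# 3128 is Squid's default listening port.
EXPECTED = {80: "http", 443: "tls", 3128: "http"}
CONNECT_PORTS_ALLOWED = {443}  # assumed policy for CONNECT targets


def classify_first_bytes(payload):
    """Name the protocol suggested by the first client-to-server bytes."""
    if payload.startswith(b"SSH-"):
        # SSH identification string (RFC 4253), sent in clear before key exchange
        return "ssh"
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[5] == 0x01):
        # TLS record type 22 (handshake), version 3.x, handshake type 1 (ClientHello)
        return "tls"
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    return "unknown"


def review_flow(dst_port, payload):
    """Compare what was seen with what the port implies; note CONNECT targets."""
    seen = classify_first_bytes(payload)
    expected = EXPECTED.get(dst_port)
    finding = {"port": dst_port, "seen": seen,
               "mismatch": expected is not None and seen != expected,
               "connect_target": None, "connect_port_unusual": False}
    if seen == "http" and payload.startswith(b"CONNECT "):
        target = payload.split(b" ", 2)[1].decode("ascii", "replace")
        port = target.rpartition(":")[2]
        finding["connect_target"] = target
        finding["connect_port_unusual"] = (
            not port.isdigit() or int(port) not in CONNECT_PORTS_ALLOWED)
    return finding


# Constructed first-payload samples (not captured traffic).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_4.2\r\n"),
    (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"),
    (443, b"SSH-2.0-OpenSSH_4.2\r\n"),
    (3128, b"CONNECT home.example:80 HTTP/1.1\r\nHost: home.example:80\r\n\r\n"),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(review_flow(port, payload))
```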
i don't know about the law, but whether you have a moral case for circumventing this depends upon your beliefs more than Rhomboid's, i would have thought.
anyway, something no-one has mentioned is that port 443 (HTTPS) is usually a better choice for sneaking out on - it accepts binary data, has a pretty simple protocol through proxies, is likely to be open and, because of the technical details of SSL/TLS, there's relatively little that can be done to monitor it.
however, from your question you're clearly pretty clueless technically, so i'd suggest not trying to work round this yourself - you can't really assess the risks you're taking. so either persuade them to open things up or look for another job.
posted by andrew cooke at 7:02 PM on October 12, 2005
There is one way to set up your own proxy so that they can't block it at all, but it's somewhat complex. Go to Dan Kaminsky's Doxpara Research. Search for and download the Ozyman DNS executables, configure and run on two machines via the methods described. You now can proxy any port over DNS, which cannot be blocked (unless the firewall shuts down all - and I do mean all - traffic between inside and outside the network) and is virtually impossible to trace.
posted by mystyk at 7:07 PM on October 12, 2005
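Seen from the resolver's side, traffic carried over DNS as in the comment above appears in query logs as many long, unique, encoded-looking names under a single domain. The following is an added example, not part of the original thread, that scores a resolver log for that pattern; the log format, addresses, domain names and thresholds are assumptions, and the sample log is constructed.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

MIN_UNIQUE, MIN_SUB_LEN, MIN_ENTROPY = 10, 30, 3.5  # assumed thresholds; tune per network


def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values()) if s else 0.0


def build_sample_log():
    """Constructed resolver log, one '<client> <qtype> <qname>' entry per line."""
    lines = ["10.0.0.5 A www.example.com", "10.0.0.5 A mail.example.com"] * 15
    lines += [f"10.0.0.6 A img{i}.cdn.example.net" for i in range(12)]
    for i in range(20):  # encoded-looking labels, as data carried in query names would be
        blob = hashlib.sha256(str(i).encode()).digest()[:30]
        label = base64.b32encode(blob).decode().lower()
        lines.append(f"10.0.0.7 TXT {label}.t.tunnel.example")
    return lines


def score_queries(lines):
    """Group by (client, base domain) and summarise the subdomain part of each name."""
    names = defaultdict(set)
    txt = Counter()
    for line in lines:
        client, qtype, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # nothing left of the base domain to carry data
        # Assumption: base domain = last two labels (no public-suffix list here)
        key = (client, ".".join(labels[-2:]))
        names[key].add(".".join(labels[:-2]))
        txt[key] += qtype == "TXT"
    report = {}
    for key, subs in names.items():
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        report[key] = {
            "unique": len(subs),
            "mean_len": round(mean_len, 1),
            "mean_entropy": round(mean_ent, 2),
            "txt_queries": txt[key],
            # Many distinct, long, high-entropy names under one domain from one client
            "suspect": (len(subs) >= MIN_UNIQUE and mean_len >= MIN_SUB_LEN
                        and mean_ent >= MIN_ENTROPY),
        }
    return report


if __name__ == "__main__":
    for key, stats in score_queries(build_sample_log()).items():
        print(key, stats)
```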
You could just set up a free VNC server on port 80 on your home machine, and then connect up to your machine at work. Sure, it's not as fast, but the only real communication with the outside world with which your IT department would be concerned is with your private, home computer over an accepted port.
posted by thanotopsis at 7:14 PM on October 12, 2005
You can set up your home PC as a proxy server with https access and a password, this will keep your employer and others out. However, if they know what you are doing what will they think? It may not be worth it. Most employers probably don't care as long as work is getting done, but if they have gone so far as to start blocking web sites they may not be so forward thinking.
posted by caddis at 7:14 PM on October 12, 2005
My company did this. I made friends with the network engineers in IT and after they were convinced I wasn't going to be misusing the company's bandwidth, they set my privileges such that my internet access was unfiltered by the proxy. It turns out people in IT don't like being told how to do their jobs any more than I do.
posted by Ritchie at 7:17 PM on October 12, 2005
I guess I should clarify what I mean about "moral right". What I actually meant (but didn't state very clearly) was that by doing any of this you put yourself into a much more serious predicament if caught. The more extreme the measures you take to evade the restrictions, the more explaining you'll have to do if the sysadmins find out. If it's a company that has decided to put a draconian filter into place, requiring great amounts of hackery to get around, then getting caught doing so is going to be treated much more harshly than if the company just had a casual proxy server setup.
Anyway, my point really was more along the lines of "you put your job at risk by doing this" rather than "morally it's unethical to do so." Though I would certainly say that the people that do these types of things to access porn at work certainly have a much shakier ground to stand on than those that do it to access a site that increases their work productivity. Sadly I suspect that most people that do this fall into the former category (or at least the "goofing off" category if not porn) rather than the latter.
posted by Rhomboid at 7:29 PM on October 12, 2005
Allow me to put in an unsolicited word for your management...;-)
I've been an MIS manager, and set up centralized Internet access for many companies. And I'll tell you that the decision to incorporate centralized Internet management is rarely taken lightly. There is a constant cost for hardware and services needed to do this, that is always an ongoing disincentive, so that, unless there is some proximate cause of risk or actual loss at least equal to the ongoing costs of doing it, nobody does.
But more and more companies have little choice, since there are constantly more uses for the Internet, and since many of these uses can be detrimental to the company, in major ways. Probably, your company isn't doing this to manage its bandwidth costs, although those are real costs, and you'd be surprised who is downloading what from where on any given Thursday morning.
More likely, someone in your company has, inadvertently or intentionally, done something that exposes your company to some real loss. This could be anything from putting an "objectionable" chunk of wallpaper on the desktop of their work computer (thus opening your company to charges of facilitating sexual harassment by maintaining a hostile work environment), to accessing private Web mail accounts where personal business is done, exposing your company to involvement in a messy divorce action, when it got a subpoena for the contents of the hard drive on the machine where copies of the Web mail application were likely cached. Yeah, stuff like this happens all the time, and both have happened in more than one place I've worked. Cost to one of the companies for one incident was in the mid-6 figures USD.
Maybe somebody in your company leaked a price list, or a customer list, in as innocent a way as uploading the wrong attachment file to his favorite Web mail site, or downloaded some worm that caused your site to look like a spam farm to the rest of the world. Maybe management has had a visit from the short haired guys in value priced business suits, and they have made some friendly but firm initial suggestions.
Maybe management doesn't have much choice in doing this, and can't discuss it. They just have to have effective network control measures in place, and policies that support that, in order to stay in business, and make sure your paycheck doesn't bounce.
So, don't take it personally, if it isn't personal. If you're hitting blocks on sites you legitimately use, tell them so, and work with them to get access. They don't want to make things you do for the benefit of the business harder (meaning more expensive for themselves) unless there is no other choice.
But yeah, the days of unrestricted, self-policed Internet use on company machines, networks and time are rapidly becoming a thing of the past, even in small companies. Too bad, and even those of us that make a living putting this stuff in place aren't happy about it, usually. Because too often, the people we're trying to protect see us as self-righteous net Nazis*, instead of people who are trying to make an increasingly tough world a little safer and more predictable.
*We aren't, and most of us have a good enough sense of humor to Godwin ourselves.
posted by paulsc at 7:37 PM on October 12, 2005
Like cmonkey says, if you really do use the sites for work, then you should get them, or your IP, unblocked, so that you can use them.
Happened to my friend. She works on kids games, and all game sites were blocked by default, but if you work on games ... she got them unblocked.
posted by AmbroseChapel at 7:55 PM on October 12, 2005
Do you have a personal laptop with wireless access? If you do, you might just be able to set it on your desk, plug it in and get on someone's nearby unsecured wireless. It may or may not be ethical, but I occasionally use it as a work-around (unreliable servers at my job, not security issues).
posted by crabintheocean at 8:16 PM on October 12, 2005
But yeah, the days of unrestricted, self-policed Internet use on company machines, networks and time are rapidly becoming a thing of the past, even in small companies.
I certainly hope you are mistaken. I have not found this to be the case at any of my last three employers in the Pacific NW. All those rationalizations paulsc mentions boil down to handwaving "we tried our best" justifications. If you can get through, there is little most admins will do to stop you. They are simply too busy, and the legal defense is still there for everyone.
This almost never hits developers in any case, since we need greater powers over our machines and since we can proxy our way out of most restrictions anyway. For example, I recall that we once used a "ping-tunnel" to get through a hotel pay-proxy-wall at a corporate retreat. You only need one port open to get through most systems. Believe me, most systems are not so well maintained that you can't find one hole from the inside. The "perfect" edge-router described above is more the myth than the reality. The funny thing is that many of us will spend much more time breaking the restrictions than we would have spent using the unrestricted network.
For you, the best option is almost certainly the SSH tunnel others have mentioned. Simple and almost bulletproof.
"Moral"? If you can do it without breaking anything, and if you do the job they pay you for, then it is in no way immoral to read Metafilter, even if your bosses would rather you didn't.
posted by Invoke at 9:03 PM on October 12, 2005
But how do you detect remote viewing?
posted by By The Grace of God at 8:20 AM on October 13, 2005
There is simply no way to browse the internet undetected on someone else's network. If they want to catch you they can. Do not follow any of the above if you think you might get fired. Sorry.
posted by Mr T at 10:52 AM on October 13, 2005
Boingboing has some useful instructions and ideas on this topic here:
Guide to Defeating Censorware
posted by flug at 12:59 PM on March 2, 2006
This thread is closed to new comments.
Otherwise, you can use Tor if you're in control of your workstation, or do a google search for "anonymizing web proxies" that you can (clumsily) browse the internet through.
Why do you think they've set up remote viewing? That's a pretty huge step for a company to take, and if they have you should really think about leaving, as that's a bad sign that their priorities are wrong.
posted by cmonkey at 6:19 PM on October 12, 2005