azekeil: (vague)
[personal profile] azekeil
It seems they've finally caught up with [livejournal.com profile] ev1ldonut at work - LJ had been switched off for him from work.

However, I've just put in place a workaround for him. It's not brilliant, but it's pretty good. After trying a few search terms I found this. It's a Perl-based web proxy. You put it on your server and browse to the page on your server. You then enter the URL of the page you actually want to visit and the program on the server fetches it for you and forwards it to you. This is identical to the sort of service www.anonymizer.com and other similar sites give you, only it's free, on a non-public URL (so won't already be in their filters) and very configurable.

This circumvents the filters put in place because neither the IP address nor the name of the server you're visiting are the same. I increased the default security by uncommenting the code to do some basic encoding on the URLs displayed and the cookies cached. I tried a blowfish encryption but the Crypt::Blowfish perl module seems to be neutered.

For added security if [livejournal.com profile] ev1ldonut's IT staff go to the URL he uses I put a .htaccess file in place so anyone going there must enter a username and password. This will also preserve my bandwidth by preventing joe public using my web proxy.

Additionally, I tried to get it working in mod_perl which I managed, but I couldn't get the .htaccess file to work as well, plus I had to disable the non-parsed headers which made it less compatible so I've given up for the time being.

I discovered as well Ghostzilla, which is a branch of an old version of Mozilla modified to be a very surreptitious browser. It will appear in the largest frame of whichever window has focus when you move your mouse to the screen edges: left-right-left. It disappears when you move your mouse a small distance away from the frame. The final bonus is that it will run from a CD which gets around the uncustomisable problem with the browser that's on [livejournal.com profile] ev1ldonut's work PC. Ghostzilla's been discontinued by the author on moral grounds and the browser is hard to get hold of [Update: It just seems to be a flaky download from their site]. Unfortunately I couldn't get hold of the version specifically designed for running from CD but the version I did have seems to run fine off a CD :)

Finally I put PuTTY on the CD so if he needs to tunnel through to another machine to give him access he can.

The last touch (which I haven't done yet) will be to make the web proxy available on SSL only so they can't even snoop the traffic from the websites he visits.

Although it will be slower than a standard connection (not by much if a friend of mine hosts it) I do quite like it for a couple of reasons: it doesn't actually rely on any special web settings, and because it's pretty impervious to attack without a great deal of effort.

It can also be rehosted if they end up blocking the range of IPs my server comes from, which I doubt as he's not exactly big fry. As an IT admin I know there are much better things I'd rather be spending my time on, and certainly for me I'd only be implementing web filtering if I was asked to by management, and would be pleased someone'd found a workaround ;)

Date: 2004-09-17 04:24 pm (UTC)
From: [identity profile] hawkida.livejournal.com
Cool. I always used to use Putty to go to my shell account and view via Lynx but it's really not the same. These days the employer is a lot more lax about this kind of thing. We have to sign an agreement but it basically amounts to "I won't surf porn or do anything similarly stupid in work".

Date: 2004-09-17 04:34 pm (UTC)
From: [identity profile] azekeil.livejournal.com
Yeah that's the easy version. Ghostzilla is cool in that not only does it appear to be part of the work program you're running but you can have it blank out all images until you mouse over them and render everything in greyscale so gaudy pages don't get attention drawn to them.

Date: 2004-09-18 12:21 am (UTC)
From: [identity profile] hawkida.livejournal.com
I used Opera for LJ at work and I've set it to use a local stylesheet by default. It does similar - images are replaced by [image + alt tag] and it's small black text on a grey background. No nasty non-worksafe icons or whatever can catch me out that way.

Date: 2004-09-19 01:09 pm (UTC)
diffrentcolours: (Default)
From: [personal profile] diffrentcolours
The easier option is to run squid, Apache or tinyproxy on the far end, and tunnel HTTP traffic over SSH. Same effect, but you can use a real browser with it ;)

Date: 2004-09-17 04:34 pm (UTC)
gerald_duck: (lemonjelly)
From: [personal profile] gerald_duck
One needs to be careful with all these shenanigans, of course, because they're already onto him. This applies especially if the I.T. department where he works is competent.

I'm a competent I.T. department. If I gave a shit about people using LJ in the office, the next stage would be a formal warning not to use LJ, followed by sneaking a KeyGhost into his work PC, and/or installing a covert surveillance camera, followed by gathering sufficient evidence to get him sacked.

Personally, I prefer to keep such measures in reserve for catching people doing really naughty things. It sounds like his employer may be somewhat more anally-retentive. )-8

Date: 2004-09-17 04:41 pm (UTC)
From: [identity profile] azekeil.livejournal.com
Yes, circumventing security is always going to be dodgy. But I think apathy will favour him in all this.

And of course it is dodgy for a company to monitor its employees in the manner you suggest, unless his work contract stipulates otherwise and it is legal to do so.

I like your phrasing: I'm a competent I.T. department ;)

Date: 2004-09-17 05:26 pm (UTC)
gerald_duck: (devil duck)
From: [personal profile] gerald_duck
You'd be amazed what you can get away with, provided you put it in your data protection register entry, and find a way to justify its proportionality if later challenged…

Date: 2004-09-18 01:09 am (UTC)
From: [identity profile] ev1ldonut.livejournal.com
I'd have a field day with such actions...

I'm one of those rare scary things... An employee who really knows employment law, all my rights, and all things considered to be fair and legal practice. The guy I lived with for two years, and one of my oldest friends works for the largest legal firm in Bristol, and is a specialist Employment solicitor. Useful to know ;)

I know my contract, and I know the law. :)

Date: 2004-09-18 01:12 am (UTC)
From: [identity profile] ev1ldonut.livejournal.com
because they're already onto him
No, I think it's simply a case of they probably noticed a high volume of traffic (there are well over 2500 people in the building, the chance of me alone bringing attention to LJ is very slim) to the site, went and had a look, decided they didn't like it, so blocked it.

Trust me, it is not a competent IT dept... it's all outsourced to HP. ;)

*grin*

Date: 2004-09-20 12:02 am (UTC)
From: [identity profile] daemongirl.livejournal.com
huggles!!!!!
*more grins*
this all makes up for me being awake until four am !

Re: *grin*

Date: 2004-09-20 01:05 am (UTC)
From: [identity profile] azekeil.livejournal.com
Oh good :)

(I hope I wasn't to do with you being awake until four am..?)

Date: 2004-09-20 01:18 am (UTC)
From: [identity profile] stuartl.livejournal.com
Do you want a more well connected place for hosting it?

Date: 2004-09-20 02:11 am (UTC)
From: [identity profile] azekeil.livejournal.com
Yes please. Do you think you could stretch to SSL as well? I could put the CGI in my ~/public_html/cgi-bin directory on sneaky as it should require no additional modules (unless I try to do better encryption on the URLs and cookies again).

Date: 2004-09-20 02:22 am (UTC)
From: [identity profile] stuartl.livejournal.com
SSL is slightly more of a challenge as Sneaky currently runs a SOCKS proxy on port 443 to allow certain people to bypass similar security. I'm not sure if anyone is still running it.

If you were to write to that same CD a tool such as HTTP bouncer, [livejournal.com profile] ev1ldonut would be able to create a fake HTTPS connection to sneaky through the normal corporate web proxy and then use the SOCKS proxy on sneaky for Trillian, web browsing etc :)

That's the way that certain people break out of certain other companies... ;)

Date: 2004-09-20 11:42 am (UTC)
From: [identity profile] azekeil.livejournal.com
Yes, but this is simpler and doesn't require the person to install/run stuff on their machine.. :)

I'll have a look into it anyway when I get a chance.

In the meantime, can I simply put it where I suggested? Can you check script execution and AllowOverride are enabled for users in the cgi-bin and subdirectories?

Date: 2004-09-20 11:54 pm (UTC)
From: [identity profile] stuartl.livejournal.com
Feel free to install and try it. cgi-bin is enabled for home directory accounts so it should Just Work™

Date: 2004-09-20 06:39 am (UTC)
From: [identity profile] olithered.livejournal.com
Nice. I might be able to help with hostage if you're still in need.

Doesn't .htaccess leave passwords to be sent in clear? Maybe that's not too much of a worry...

Date: 2004-09-20 11:43 am (UTC)
From: [identity profile] azekeil.livejournal.com
I think they are, but I think if the connection is SSL then that gets set up first before the user/pass request is sent.

I think I should be OK for hosting, but thanks anyway :)
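
The cleartext question raised in the last two comments, as an added example that is not part of the original thread: HTTP Basic credentials are only base64-encoded, so a server-side audit can list the users whose passwords crossed a non-TLS connection. The function names, host and sample requests are constructed for illustration.

```python
import base64

def parse_basic(value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def authorization_header(raw_request):
    """Pull the Authorization header value out of a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return value
    return None

def find_exposed_users(requests):
    """Users whose Basic credentials arrived over anything other than HTTPS."""
    exposed = []
    for scheme, raw in requests:
        value = authorization_header(raw)
        creds = parse_basic(value) if value else None
        if creds and scheme != "https":
            exposed.append(creds[0])  # report the user, never the password
    return exposed

def _request(auth=None):
    lines = ["GET /private/ HTTP/1.1", "Host: example.test"]
    if auth:
        lines.append("Authorization: " + auth)
    return "\r\n".join(lines) + "\r\n\r\n"

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample requests: (scheme the server accepted them on, raw request)
SAMPLE_REQUESTS = [
    ("http", _request("Basic " + _b64("alice:s3cret"))),    # exposed
    ("https", _request("Basic " + _b64("bob:hunter2"))),    # protected by TLS
    ("http", _request()),                                   # no credentials
    ("http", _request("Basic !!!notbase64")),               # malformed token
]

if __name__ == "__main__":
    print(find_exposed_users(SAMPLE_REQUESTS))
```
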
