Show HN: Bananalert (52.4.212.135)
Bananas live 5 days?
Step 1: Select Your Avocado's Color!
☐ Avocado Green ☐ Avocado Green ☐ Avocado Green
☐ Avocado Green ☐ Avocado Green ☐ Avocado Green
would cause some user experience issues. Since that day I've put my apples and pears in the refrigerator, and haven't had to suffer as many overripe pears and apples.
/* Engage HN filter */
How do you plan to monetize this? This is clearly ripe for disrupting the fruits/supermarket economy. Like an Uber but for fruits.
I think you should email, tweet, instagram, like, share, deck and meet Paul Graham in order to get into Y Combinator. This will be bigger than AirBnB.
Ryan from Product Hunt will be contacting you shortly!
/* Filter off */
From Absolut Drinks in the source. And it's collecting phone numbers? ...
Not sure this is the purest of intentions. Not sure it's not though.
[Edit - Looks legit and unaffiliated :) ]
So that's why I use https://torproject.org/download the whole day and never have any trouble with blocked sites (e.g. Pastebin; Slideshare) or blocked ports (e.g. :8080 was used today by some random site in XHR).
Edit: You mean Analytics ... so here's yet another site where $SomeBigCorp tracks what I do :/
There are two general ways to treat Internet traffic, whitelisting and blacklisting. Many companies will simply use blacklists. These are easy to bypass as you are well aware. I have seen more than one environment that was whitelist based, no machine can access any other machine that isn't required for it to do its job. Anyone needing to override a block enters a username, password, and reason, if they have the authority to do so, which leaves an audit trail.
Security and convenience are often a trade-off, you do a risk assessment to determine if it's worth the risk to you and your company. For many people and companies, it's not, so they blacklist.
The whole point of the Tor network is that anyone can access the Internet through it uncensored, regardless of countries' or corporate firewalls.
Like I said, if you're going to work in security, you're going to have to consider a lot more than can it be done. Corporate security is more closely tied to HR and the business than it is IT. You can't break the rules just because it's technically possible. It would be your job to find the people who are doing exactly that and report them to HR.
True, I don't doubt they can if they wanted to, simply look for connections to known Tor nodes (of which there is a list). So long as I don't bother using a bridge node of course.
As for being fired, I don't think it's that strict. The company policy is aimed at blocking people from posting the company's slides on Slideshare, using icons from icon sites without a license (some icon site is also blocked) or pasting sensitive data on Pastebin by accident. As long as I don't do these things, I am not violating corporate policy, while I do need some of these sites to do my work.
If they make shitty policies that apply to the people who don't know what they are doing as well as to the people who do know what they are doing (or even need some of those sites), they can expect people to work around it. Rules are to be followed within reason. And if people are that strict, I don't want to stay in that company. Even as a student I'm asked to do work enough times that I don't doubt I could switch jobs in a matter of weeks.
That's true, no one should ever be unemployed if they have infosec on their resume.
Do everything you can to learn how to bypass anything. Hack as much as you get your hands on. Break everything. Code all the things. It's really good for you and good for your career.
But I've had enough interns come work with me and then the company gets a letter from HBO because the intern thought no one was watching him torrent off our 2Gbps pipe. I've had college hires who spent the day browsing porn in incognito mode thinking the company couldn't see it. I've seen people using VPNs to mask the fact that they're getting paid to watch Netflix. And every single one of them wonders how in the hell we knew what they were doing.
Companies spend literally millions of dollars in security products to know exactly how their employees are misusing company property and company time. If you think there isn't a security tool that shows people using Tor, I think you're wrong.
I'm not telling you to stop. I'm not your manager. I just like helping people in infosec keep from making rookie mistakes. I've seen it way too often.
Targeting Tor specifically, yes I'm quite sure it's trivial to find a way to detect its usage. Even with bridge nodes on :443, traffic analysis probably reveals it, and especially on company-owned laptops you could scan for certain software.
So I'm not claiming that it's impossible, I just think it's not as easy as you say it is if they're not specifically looking for it (as long as there is no abuse, there is no immediate incentive to look for it).
As for interns downloading illegal or personal data over a company's connection, yeah, that is clearly abuse. We agree on that. I even know of people here that download random stuff over 4g (built into our laptops) abroad. In fact the 4g disables any blocks the company put in place because it's outside their firewall so many use it for that. If they want to fire anyone, they should start there.
So many people in this thread are trying to argue ways to hide your traffic. All I'm saying is, no matter how clever you get to hide what you're doing, you're in breach of your terms of employment from the very first step. No matter how clever you get, I've seen people fired based on my report that they were using SSH to get to their private server. Doesn't matter if they were checking their email or if they were hiring a hitman on Silk Road.
Enterprises don't care what you're doing, they care what you're not doing, and what you're not doing is the job they paid you to do under the terms you agreed to do it.