Secure Tunnelling software from a usb drive?

So in effect you want a way to do ssh and socks5 tunnelling from a machine that is locked down and won't allow ytou to run the windows installer.

If you can't run install on the machine THERE IS A REASON FOR IT and I for one ain't gonna help you circumvent it.

I understand your point - if a machine has installation restricted, it's for a reason... but i'm not trying to install anything by force - if that were the case I'd just be looking for cracks to attain administrator privilege.

Instead, I'm looking for a program that, as you say, facilitates SSL and SOCKS v5 tunneling (including port hiding) that runs without registry read/writes and so needs no installations. Very different kettle of fish.

Why? Well as you may know, Primedius offer a USB program that runs a version of linux with firefox etc... installed, so that people on the move can utilise public boxes without being monitored, for whatever reason (the desire for privacy isn't always a bad thing). I was just looking for the equivalent that doesnt require you to boot off a removable drive, and which also doesnt tie you to primedius.

I hope I've cleared that up - any ideas would be great. Thanks.

Um, no, thats exactly what I thought you meant.

The desire to circumvent authorized monitoring IS always a bad thing. If someone wants to use anonymous proxies they should do it from their own machine. This sort of thing should not happen without permission from the owner of the machine. Period.

I don't think such an animal exists. Closest I have seen would be the later versions of HipCrimes news agent, which would run without install and supported socks5 (as well as TLS), but only does NNTP. And it's been mostly purged from the net - you can't get a copy of it easily nowadays.

Perhaps. But what constitutes "authorized"? Email snooping? And a desire to circumvent UNauthorized monitoring IS always a good thing.

Everything not expressly allowed is presumed forbidden? Perhaps in Germany but not in America. If an owner doesn't want others to use anonymous proxies, can't they just route them to 127.0.0.1?

Why? What legitimate owner's interest is being protected? What requires machine-level monitoring rather than firewall/gateway monitoring?

On one level, a cybercafe owner or employer has certain rights. But the user also has certain privacy rights [inalienable in the EU] that the machine owner simply may not be able to provide. Maybe then the machine should not be used. But maybe a smart owner would allow non-damaging use?

-- Robert in Houston

Yes, of course. But this guy explicitly stated he wants something he can run on public machines (I assume library or cybercafe, maybe school?) computers without having to do an install. Either the machine is locked and odesn't allow installs, or he simply does not want to leave evidence that he was running the program on the PC - either of which would seem to indicate he is doing something he should not be doing.

BTW, email snooping is not neccessarily a bad thing. And of course on an employers machine one has no right to expect that it won't be snooped. And in fact for public companies, Sarbanes-Oxley REQUIRES them to keep an unaltered arcvhive of every email you send or recieve at your job.

With private property, I'd say yes. Even in the USA. If I loan someone my car to drive to the store, and they drive accross country instead, you can sure as hell bet they will be arrested for car theft. Even if I didn't specifically tell them not to drive cross country in it.

But it seems that in this case, software installation it WAS expressly forbidden - he wants something that will run without an install. Why? Either installs are disabled, meaning the owner does not want software other than what is on the machine run, or this guy wants to hide the fact he ran the software on the box, which implies he knows the owner doesn't want him doing it.

The legitimate owner interest being protected is the simple right to decide what their machine is used for!

ssh: yes socks5: no

Go to google for "putty ssh", and find a nice litte ssh/telnet client. No problem running it from any maschine

No problem - no install. Only the fingeprint of the targeting server is saver on the local machine.

Ah, but the usual reason for locking machines is to reduce maintenance on fragile MS-Windows systems. And to facilitate recovery by data-free reimaging.

To answer part of the OP's question, s/he could put Simon Tatham's `putty.exe` on a USB stick. I really cannot see what harm running it (a terminal emulator) would cause.

I do not believe this is true in the EU, where email privacy is supposed to be guaranteed.

IANAL SOx requires no such thing. It requires that any public-trading relevant emails be retained for specified periods. Some lazy companies implement it by archiving everything. Dangerous for later discovery. My divisiion has been told that we are not material for SOx purposes, but need to retain anything that might be ourselves. Some companies may also run afoul of EU privacy law if they retain/archive emails of EU residents that are not from US employees.

Not in the USA. Theft is the taking without authorization. Keep overlong or unauthorized use are very different offenses, if they exist at all. Some states have recently had to add laws to cover car renters who kept the cars past due.

-- Robert

(snip)

Most unix software can be installed by a user in the users own directory without root access. Most windows software, even if it doesn't do anything that needs privilege, needs Administrator access to install. There is no reason it needs to be that way as far as security goes, but that is the way it is.

-- glen

Most American criminal law is *state* law, not federal. What constitutes theft is generally determined from a state-by-state statutory definition.

For example, the common-law definition of theft is the unlawful taking of personal property *with the intent to permanently deprive* its rightful owner. However, in California, there is no such "specific intent" requirement, and one can be guilty of theft if they "feloniously steal, take, carry, lead, or drive away the personal property of another .... ." Cal. Penal Code § 484 (West 2005).

(I am not a lawyer; I *am* a law student in my last year of study.)

California, being a land of cars and car rentals, enacted such a law in

1959 (more than 45 years ago), and it has not been amended since! "Whenever any person who has leased or rented a vehicle wilfully and intentionally fails to return the vehicle to its owner within five days after the lease or rental agreement has expired, that person shall be presumed to have embezzled the vehicle." Cal. Veh. Code § 10855 (West 2005).

The presumption affects the burden of evidence. That is, if you keep your rental car more than five days after you were supposed to return it, the law presumes that you have embezzled (stolen) it, and the burden shifts to you to show that you had a legally valid reason to keep possession beyond the rental contract terms.

The law may be different in that state, or the offense might have involved a federal statute, having crossed state lines with the car.

-- Rich Seifert Networks and Communications Consulting 21885 Bear Creek Way (408) 395-5700 Los Gatos, CA 95033 (408) 228-0803 FAX

Send replies to: usenet at richseifert dot com

Interesting. However I do know someone who was arrested for car theft once when doing exactly what I described - borrowing it to go to the store and deciding to drive to virginia instead.

No harm. But that does not seem to be what the original poster was looking for. he/she seemed to want something more along the lines of what sockschain does, but without the need to do an install. The OP specifically said they were looking for something that other applications will plug into. I took that to mean something "sockscap" like.

Well, actually the usual reason is to keep users from writing into the system area. This effectively prevents software installation because software developers insist on writing to the system areas even when they have no legitimate need to do so. If you are installing an application on a default-configured XP or Server 2K3 system from a nonprivileged account, and it won't install, think very hard about whether you want to let that developer make changes to the system files before you log in as administrator to install.

Unix systems are locked down in the same manner for the same reason, however Unix has had that security model from the start and so the developers have learned the hard way that there are things that their user applications will not be allowed to do, and so application installation is not a problem.

I'm curious as to the specific legislation--I haven't been able to find anything that says that employers in the EU cannot monitor their employees mail--I have found some references to specific legislation in specific member countries but nothing that would apply to the EU as a whole.

I'm not disputing you, I would just like to read the legislation.

Well, humph! I'm not entirely sure what this `sockschain` does but why would it need an install if the system can read removable media and run executables from there. A "locked-down" system might easily be configured this way. Or not, at the administrators discretion.

Without a "no outside executables" clause in the TOS, I'd assume a system configured to execute from removable media also allowed such execution. And a no-exec TOS clause is unenforceable: What about Javascript that many sites use? I'm pretty sure a `putty.exe` limited clone could be written in JS and dropped on some website. Maybe even `sockschain`

There really is nothing special about "Installs" beyond loading executables and mapping libs & other files. With CoW VM systems, the media cannot be removed until the process is done.

Of course proxying opens up a whole can of worms. I would hope no MS-WindowsNT+ system would allow non-Administrator processes to listen on priviliged ports (

Not true. these days the default on windows XP machines in a domain is to have users have no write access to the c:\\windows dir, as well as the machine hive of the registry.

Unfortunately most lower end and niche market software vendors can't seem to understand this concept. They act amazed when their install crash on a default setup.

You *nix folks seem to forget a little thing we have in the windoze world called the registry. Oftentimes installs set up default values in the registry that thge program needs to have in place to run. Also DLL registration can be important. Need that for many programs to run. That's also usually handled by the install.

Or, you can of course disbale the windows installer via group polocy, or restrict executables (in effect create a list of files the user can execute - all else is verboten and will gernerate an error dialog)

Sure. And similar things have been done. That is EXACTLY why hipcrime wrote newsagent in Java.

That's also why I have seen java filtered at the firewall in many places, and no JRE installed on the desktops.

Depends on the OS. Most have some sort of an "execute" flag for file priveleges. WIth some (windoze, fer instance) there is a bit more needed than just the ability to read the executable and any libraries in some cases.

For the outgoing connection. Also plain old port 80 is quite common for http tunneling in addition to the more commmon port 8080 and 3172.

However, it'll use whatever port the proxy is set up on - could be ANY port. Depends on what the bonehead who set up the open proxy in the first place did.

Yes, that is a good reason to lock-down. It reduces maintenance.

Yes, and I do not understand why. I consider it the mark of good commercial MS-Windows software that it be fully installable by a user account unless system control is needed. When I have the misfortune of setting up an MS-WinXP box, I always set up multiple users without Administrator priviliges.

A good point. I presume it is usually because the install wants to write to \\WINDOWS\\ somewhere, not necessarily trash files. Yet the MS-DOS/Windows install model has always been under /opt/progname and not the Unix scattering of files to /usr/bin, /usr/lib, and ~/.progname There is no reason to write to C:\\WINDOWS.

Well, for full installs, usually you need to do `make install` as root. But Unix software makes do not assume that you can or want to be root. MS Windows still has the philosophy of the user being "Administrator" when this is provably dangerous.

Among other Google hits, see:

-- Robert

Sure it is.

Ah, but that only applies when machines are setup as multi-user. Most consumer machines are set up with one user "Owner" who also has Administrator access. As usual, MS has chosen technically inferior but economically superior [for them] defaults. They reduce tech support calls from "can't do this" at a cost in "my system has a virus" which they don't handle.

Yes. But the increase in unwriteable c:\\windows might cause them to fix their bugfests.

-- Robert

In article , T. Sean Weintz wrote: :You *nix folks seem to forget a little thing we have in the windoze :world called the registry.

Oh, we don't forget it, you can be sure ;-)

:Oftentimes installs set up default values in :the registry that thge program needs to have in place to run.

Hmmm, what's this .ini file doing in my folder?

:Also DLL :registration can be important. Need that for many programs to run.

The 'D' in 'DLL' standa for 'Dynamic'. Without knowing the details of Windows, it seems to me rather likely that the search path to find DLL's is one of the things under the control of the program.

Or at least in Unix, "dynamic" linking implies dynamic paths. If the pathes aren't dynamic, then one speaks of "shared" libraries rather than of "dynamic" libraries.

I've found numerous similar--they all discuss the transfer of data from personnel files, not the monitoring of email. That one mentions it in passing but doesn't say anything about what is or is not allowed.