The Classical Hour

We have just added another program to the lineup on our station that is attracting quite a few listeners, the Classical Hour. A couple times a we air an hour-long program of classical music which is apparently quite popular with people working in offices. I have a listener in Sheffield, England, to that show, who uses a heavily encrypted tunnel to listen to that show, so she can enjoy, say, a Mozart symphony, and the boss won't know what she is up to. The boss will know that it is either a 64k or 256K (classical music demands a much higher bitrate than other audio broadcasts) encrypted outbound connection, but there is no POSSIBLE way they can find out that she was listening to Tchaikovsky's 6th Symphony in B minor "Pathetique", on her work computer, when she was on the other day, during an airing of the show. Even if they used Snort, or some other packet sniffer, they would have gotten nothing, as the data packets would have been encrypted.

Reply to
Chilly8

LOL, another company facilitating the breaking of company rules that doesn't understand that encryption means nothing when they can easily see the tunnel created between your location and their location - it's easy to spot a connection that's maintained, then track it to the worker's computer, then fire that worker.

The employer doesn't have to know WHAT she's listening to, only that she's got a connection to a non-approved site, where they can track the IP to the company that leases the IP, which means it's really easy to see that she's not working. Oh, and classical music doesn't require any different bit level, all music suffers from lower quality at lower bit rates.

Are you the same moron that tried to offer the Olympics to people and then told them they could not be detected?

Reply to
Leythos

here goes the figureskater again...

Reply to
mak

Chilly8 wrote: [snip blatant plug]

I'm going to have to take issue with you there.

  1. It is possible for the communications to be intercepted. You may find that the organisation is using a proxy server, the data may be encrypted from the streaming server to the proxy server, unencrypted, then re-encrypted to the user, giving the user the impression they are 'undetectable'. The encryption certificate issued to the user could just as easily come from the proxy server as from the streaming server. It is called a man-in-the-middle attack.

As Leythos said, the employer can see an obvious link from the listener's workstation to the streaming server. If I detected a hugely suspicious, encrypted link sucking up a chunk of my bandwidth, I'd be investigating it now!

Bogwitch.

Reply to
Bogwitch

It isn't necessarily an "attack" if the employer is doing it on purpose. I have firewalls that do this on a regular basis in order to detect illegal transmissions of sensitive material. Beware the idiot who tells you that the "boss" can't see what you're doing... ;-)

Reply to
Default User

We do a LOT more than just figure skating. I even have my own talk show now on the station, which does a little bit of everything. During one of my 2 hour talk shows the other day, I had one guy gabbing with me for 45 minutes on my talk show, instead of working. Because I use Skype, I give listeners the option of calling me, or, me calling them. In most cases, it's cheaper for me to call them, via Skype, than for them to call via traditional phone services. I call him on his cell phone, and we gabbed quite a bit about the issues. The Skype "history" shows that I had a minute call to him. Because I called him, instead of him calling me, there will be no record of the call on the company's phone bill. And since Skype "obfuscates" the caller-ID data, there is no way that his company will NEVER know that someone from a radio talk show of any kind called him up. Skype sends a bunch of "nonsense" digits to any caller-ID box. It will either show a bunch of nonsense digits, or say something like "Caller Unknown". He was gabbing with me, and debating a lot of current issues in the news, instead of working, for about 45 minutes. Because I called him, instead of him calling me, there is no POSSIBLE way for his employer to know that he was gabbing with me on my talk show for about 45 minutes, instead of working. All he had to do was sign on to the chat room associated with my show, and then leave me his number, then I called him, and put him on the air. He would have stayed on the line a lot longer, but he had to go to a meeting, and had to cut the call short. Since the call was inbound, there would be no record of the call.

Reply to
chilly8

And you seem to think that businesses don't track inbound phone calls - almost every business I know of or have contact with does, in and out, by station/phone number and date/time and duration.

Oh, and let's not forget the productivity issue, and the fact that any properly designed firewall solution would block his connection to your service.

Reply to
Leythos

They may track inbound calls, but since calls made via Skype either show a bunch of nonsense digits in caller-id records, or indicate the caller is unknown, they cannot know where the call was placed from.

I have checked the domain for my services in Websense, Bess, Sentian, SmartFilter, and SurfControl, and I am not on any of their blacklists, so my show could still be heard in most workplaces. The way I have it is that I created a subdomain under my domain, and pointed to an address and port on my server (I OWN that Internet radio station), that acts as a "relay". This allows listeners to get past any filtering of Live 365, since it's my server you actually connect to, and it fetches the Live 365 feed, and then relays it to the listener. The only problem anyone would have would be if the station "sold out" and became available to VIP listeners only. The filters would prevent someone from logging on to their VIP account. But as long as the station is available to free listeners, it can be heard in most workplaces, since my domain/web site are not on any of the aforementioned products' filtering lists.

Reply to
chilly8

Wrong on both ideas - the call, even without caller ID is still recorded as connected, still shows that it was to the person's desk, and a 45 minute call stands out.

Next, any properly set up firewall would not allow connection to your site, as most of blocking setup to limit users to ONLY business partners and some other sites - and if the site is not identified then there is no access.

Keep trying, you won't win in a properly designed network and you will be getting people fired.

Reply to
Leythos

There have been some times where people will use their mobile phones, from work, to call into my talk show. Since it's their mobile phone provider that handles the traffic, there is no record on the company phone network. I know this because Skype, to many places around the world, charges more to call a mobile, than to call a landline.

Websense, SurfControl, etc, etc, are used in nearly the entire Fortune 500. At any company using Bess, Websense, Bess, Sentian, SmartFilter, SurfControl, or WebWasher, my show can still be heard, if one goes through the "relay" I have set up on my server, which is currently not in any of the filtering lists on those products. And they are used by the majority of Fortune 500 companies, so people at most Fortune 500 companies could still tune in to my station.

Reply to
chilly8

You seem to have missed that "one can not get to a relay" on a properly designed firewall solution.

Reply to
Leythos

Leythos wrote:

If the URL is not in the filtering lists of any of those filtering products I mentioned, they can still get through. A number of companies, especially the Fortune 500, use those products, because of the convenience. Just set it, and forget it, and Websense, WebWasher, SurfControl, etc, etc, do all the work. All that needs to be done is make sure the filters are updated. In any company that uses Bess, Sentian, SmartFilter, WebWasher, SurfControl, or WebSense, my web site and the relay for my radio station will still be accessible, because it is not on the filtering lists of those products. Unless and until it shows up in the filtering lists of those products (and I do check it quite often), most people working for Fortune 500 companies will still be able to access my radio station from work.

When I am not doing live programming, I have an automated program of 80s and 90s music playing, and I do get quite a few hits then. I have seen someone from their workplace in Austin, Texas connect to my station from their workplace all day. Because they are using my server, it cannot be known. What happens is that when you click onto the audio link, either Windows Media, or some other MP3-compatible player, will open, and then connect to my server, which will then connect to the Live 365 feed for my station, and relay the stream back to them. This defeats any screen shot software that would otherwise show them connected to Live 365. All one has to do once the connection starts is just minimise the Window, and software that takes a screen shot of the current screen will not see anything. Once Windows Media, Winamp, or a similar program starts, you can minimise the Window.

Also, if one bill, known as the PERFORM act, passes, all Webcasters, including me, that transmit streams that can be heard in the USA, will have to use a DRM-laden stream that would be encrypted. With the DRM-laden streams, that means that admins will not be able to intercept the communications, through any program, such as Snort, and if they do try it, they will be committing a felony under the DMCA. Only the users running Real or Windows Media will be able to decrypt and data streams. So called "man in the middle attacks" will effectively become a felony.

Reply to
chilly8

What you seem to be missing is that companies don't just implement "web sense" or any of the others and not also check or restrict access to the web, so, your site would not, in any way, be reachable from a properly configured firewall solution.

As an example, in more than 70 of our customers' sites, everything from 5 person shops to small medical centers with hundreds of nodes, not one of them would be able to reach your service or any proxy or any relay, because we've properly secured the network.

Did you know that you can set up those filters so that if it's not identified as good that people can't reach them?

Your complete lack of understanding of security has not changed.

Did you know every firewall appliance can easily identify what you are saying they won't see?

Reply to
Leythos

Chilly,

Are YOU responsible for the security of your servers?

Bogwitch.

Reply to
Bogwitch

Since I own and run my radio station, I am responsible for the security of all related servers, as well. But here is the rub, I put the "relay" for my Live 365 feed on a port other than the 80, 1755, or 8000 (The most commonly used ports for streaming MP3), so that also puts it under the radar of many admins, since it's not using a commonly used port. Snort, or similar programs, would only be sniffing those ports. I know of a few other online radio stations that use such tricks too, for their Live 365 feeds. There is one "gangsta rap" station, that has such a link from its website to Live 365. This guy, running a station out of his home in the projects of Compton, California, has a relay set up through his DSL feed, that lets anyone come through his server, to his Live 365 feed. This way, someone can get his station, and the boss won't know about it. He has had a lot of people down in the LA area access his station. Because of the large black and hispanic population in the LA area, such stations are popular. A lot of people in Los Angeles area workplaces, are tuning into his Hip Hop/Rap station, by bouncing through his computer in Compton, and admins are totally unaware of what is going on. All they know is that someone is connecting to an AT&T DSL connection in Compton, but where they go beyond that, the admins cannot find out. He bypasses all the major blacklists, by doing this.

Reply to
chilly8

Responsible, yes. Do you /administer/ the security?

But here is the rub, I put

I only allow a very small subset of ports outbound from my organisation's Internet access network, your services would almost certainly be blocked.

Do you administer the security? Can you remind me of the name of your organisation please? If you feel like it, you could give me the IP range you've been assigned, too.

Bogwitch.

Reply to
Bogwitch

And traffic on any non-standard port would be automatically blocked by default on a properly set up firewall.

Now, your non-standard port would stand out like a shining beacon in the moonless night - as a matter of fact, traffic on non-standard ports is the easiest to spot.

Also, as to your claim about doing a proxy/relay through a residential computer network, that's another bright beacon - as there is almost no reason for anyone in a business to be connecting to a residential network from their office, not to mention that the firewall would still block it/you.

Reply to
Leythos

And the only reason it works for them is because their admin is an idiot that doesn't know anything about network security.

As they form a constant connection to a RESIDENTIAL IP in order to use the relay, it's an easy-to-spot connection, that could be spotted in minutes, even on a busy network.

Oh, and since Residential Networks (and many others) have no reason to be permitted as a connection point, it would never be able to be connected to on a properly configured network.

Reply to
Leythos
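The detection Leythos and Bogwitch describe in the posts above (a sustained outbound connection, on a non-standard port or to a destination outside the approved list, visible even when the payload is encrypted), as an added example that is not part of the original thread. The flow records, allowlist, port set and threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed policy values (assumptions, not from the thread).
ALLOWED_PORTS = {53, 80, 443}                              # permitted egress ports
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # e.g. business partners
MIN_SECONDS = 600                                          # "sustained" threshold

# Constructed flow records: (src, dst, dst_port, seconds, total_bytes).
# Only metadata is used; payload encryption does not hide any of it.
FLOWS = [
    ("10.0.4.17", "203.0.113.45", 8443, 1800, 14_400_000),
    ("10.0.4.17", "203.0.113.45", 8443, 1500, 12_000_000),
    ("10.0.4.22", "198.51.100.10", 443, 4000, 2_000_000),
    ("10.0.4.30", "192.0.2.80", 443, 20, 150_000),
    ("10.0.4.31", "192.0.2.99", 443, 2700, 86_400_000),
]

def allowlisted(dst):
    """True if the destination falls inside an approved network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_NETS)

def find_sustained_flows(flows):
    """Aggregate per (src, dst, port) and flag long-lived policy violations."""
    totals = defaultdict(lambda: [0, 0])        # key -> [seconds, bytes]
    for src, dst, port, secs, nbytes in flows:
        totals[(src, dst, port)][0] += secs
        totals[(src, dst, port)][1] += nbytes
    findings = []
    for (src, dst, port), (secs, nbytes) in sorted(totals.items()):
        reasons = []
        if port not in ALLOWED_PORTS:
            reasons.append("non-standard port")
        if not allowlisted(dst):
            reasons.append("destination not allowlisted")
        if not reasons or secs < MIN_SECONDS:
            continue                            # approved, or too brief to matter
        kbps = round(nbytes * 8 / secs / 1000)  # average rate hints at a stream
        findings.append({"src": src, "dst": dst, "port": port,
                         "seconds": secs, "kbps": kbps, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_sustained_flows(FLOWS):
        print(f)
```

The two flagged workstations average 64 and 256 kbit/s, the stream rates mentioned in the first post, and the second one is on port 443 with nothing but the destination and duration giving it away.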

This guy has obviously never heard of CyBlock. The one thing that makes CyBlock effective is that you can select a category known as "other", which automatically blocks anything not classified one way or the other in any of the other categories. He would not get past CyBlock, if it were configured properly. Categorization of content is one thing that hardware firewalls have not learned yet, except for a few models made by Cisco that can load and run a version of Bess that has been ported to them. Cisco makes the only hardware appliances in the world that are capable of filtering by category, and that is only if you purchase the versions of Bess, and other Secure Computing products, made for Cisco firewalls.

Reply to
Charles Newman

Hey idiot, ever heard of Cisco? They make the only firewall appliances in the world that support filtering by category.

Reply to
Charles Newman
