10-14-2011, 02:40 PM
Tim

Remote access

On Fri, 2011-10-14 at 13:16 +0100, Marko Vojinovic wrote:
> If you just restrict people by rules, it *is* legitimate for them to
> break the rules.

Bullshit! You should look up what the word actually means. It's
synonymous with:
according to the rules and requirements,
authorised...

The opposite of: breaking the rules, legality...

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
10-14-2011, 03:25 PM
Rick Sewill

Remote access

On Friday, October 14, 2011 06:05:29 AM Marko Vojinovic wrote:
> On Friday 14 October 2011 05:13:53 KC8LDO wrote:
> > Is there a way to use ssh to get through a firewall for remote access to
> > a system? The situation I'm looking at is a Fedora system sitting behind
> > a company firewall, which I have no control over, that I wish to gain
> > access to by logging into it over the Internet from a remote computer.
> > In other words the connection is initiated from outside of the
> > firewalled company network.
> >
> > What I'm thinking is using ssh to forward a port, 3389, to another
> > computer on my own private network (also behind a firewall and NAT
> > router) at home acting as a middle man. Then from another computer, let's
> > say at a hotel, logging in to the same computer on my private home
> > network and have it pass traffic bidirectionally between the two end
> > point computers.
> >
> > Is this something that can be done using ssh and if so how? I would also
> > like to have the remote Fedora system connection to the middle man
> > computer remain even if the remote computer is not connected.
>
> You want to look into OpenVPN. It does take some time to read the docs and
> set it up, but it's worth it.
>
> http://openvpn.net/index.php/open-source.html
>
> Essentially, it adds a virtual ethernet device (called tap) to each
> machine, and connects these into a virtual LAN. From that point on you can
> do whatever you want, as if the machines were next to each other in the
> same room, connected to an ethernet switch.
>
> It may happen that the default openvpn port is blocked by the company
> firewall. In that case just reconfigure your machines to use openvpn on
> some port that is not blocked. Other than that, openvpn will work for you
> all over the globe, and it is completely under your control.
>
> Best, :-)
> Marko

Please talk with your manager and your sysadmin.

A good sysadmin will look at the firewall logs, will see something strange,
will report it up to the chain of command, to his boss.

If the sysadmin doesn't, he should lose his job.

If you do something, behind the company's back, the company can't trust you.
If a company can't trust you, they have to design you out of the company.
They have to get rid of you.

I've worked remotely for a number of companies.

In each case, the company, and the sysadmin, wanted me to vpn in.
They helped me. They arranged which VPN I was to use and what I could access.
They also ensured their security wasn't compromised.

If you bypassed security at a company where I worked, you would be discovered.
You would be fired.


10-14-2011, 03:28 PM
Ed Greshko

Remote access

On 10/14/2011 10:40 PM, Tim wrote:
> On Fri, 2011-10-14 at 13:16 +0100, Marko Vojinovic wrote:
>> If you just restrict people by rules, it *is* legitimate for them to
>> break the rules.
> Bullshit! You should look up what the word actually means. It's
> synonymous with:
> according to the rules and requirements,
> authorised...
>
> The opposite of: breaking the rules, legality...
>

All I know is this.... If I were Marko's employer and I read his views
on circumventing or flouting the rules of a company I'd start to worry.

--
Even if you do learn to speak correct English, whom are you going to
speak it to? -- Clarence Darrow
10-14-2011, 03:35 PM
Rick Sewill

Remote access

On Friday, October 14, 2011 10:25:59 AM Rick Sewill wrote:
> On Friday, October 14, 2011 06:05:29 AM Marko Vojinovic wrote:
> > On Friday 14 October 2011 05:13:53 KC8LDO wrote:
> > > Is there a way to use ssh to get through a firewall for remote access
> > > to a system? The situation I'm looking at is a Fedora system sitting
> > > behind a company firewall, which I have no control over, that I wish
> > > to gain access to by logging into it over the Internet from a remote
> > > computer. In other words the connection is initiated from outside of
> > > the firewalled company network.
> > >
> > > What I'm thinking is using ssh to forward a port, 3389, to another
> > > computer on my own private network (also behind a firewall and NAT
> > > router) at home acting as a middle man. Then from another computer,
> > > let's say at a hotel, logging in to the same computer on my private
> > > home network and have it pass traffic bidirectionally between the two
> > > end point computers.
> > >
> > > Is this something that can be done using ssh and if so how? I would
> > > also like to have the remote Fedora system connection to the middle
> > > man computer remain even if the remote computer is not connected.
> >
> > You want to look into OpenVPN. It does take some time to read the docs
> > and set it up, but it's worth it.
> >
> > http://openvpn.net/index.php/open-source.html
> >
> > Essentially, it adds a virtual ethernet device (called tap) to each
> > machine, and connects these into a virtual LAN. From that point on you
> > can do whatever you want, as if the machines were next to each other in
> > the same room, connected to an ethernet switch.
> >
> > It may happen that the default openvpn port is blocked by the company
> > firewall. In that case just reconfigure your machines to use openvpn on
> > some port that is not blocked. Other than that, openvpn will work for you
> > all over the globe, and it is completely under your control.
> >
> > Best, :-)
> > Marko
>
> Please talk with your manager and your sysadmin.
>
> A good sysadmin will look at the firewall logs, will see something strange,
> will report it up to the chain of command, to his boss.
>
> If the sysadmin doesn't, he should lose his job.
>
> If you do something, behind the company's back, the company can't trust
> you. If a company can't trust you, they have to design you out of the
> company. They have to get rid of you.
>
> I've worked remotely for a number of companies.
>
> In each case, the company, and the sysadmin, wanted me to vpn in.
> They helped me. They arranged which VPN I was to use and what I could
> access. They also ensured their security wasn't compromised.
>
> If you bypassed security at a company where I worked, you would be
> discovered. You would be fired.

I should add, in each case, the company provided me with the laptop to use.
The company ensured the laptop had the firewall and virus software they wanted.
The sysadmin managed the laptop; either remotely or I brought the laptop in.
I was to use that laptop for work, and nothing else.
I was not to use any other PC for accessing work, only that laptop.

10-14-2011, 06:03 PM
Dave Mitchell

Remote access

On Sat, Oct 15, 2011 at 01:03:49AM +1030, Tim wrote:
> Quite how you come to that conclusion, I don't know. If you're refused
> permission, then that's the *opposite* from being legitimate to try to
> do so. Not only did you originally discover that it was blocked, you're
> being outright told that it's not allowed.
>
> In some places, flouting such rules is grounds for dismissal, perhaps on
> the first and only instance you get caught.

Indeed, in some places, it's grounds for criminal conviction:

http://en.wikipedia.org/wiki/Randal_Schwartz#Intel_case

(although the Wiki doesn't mention it, one of his felonies was making a
private back door into his place of work).



--
No matter how many dust sheets you use, you will get paint on the carpet.
10-14-2011, 06:21 PM
Joe Zeff

Remote access

On 10/14/2011 08:28 AM, Ed Greshko wrote:
> All I know is this.... If I were Marko's employer and I read his views
> on circumventing or flouting the rules of a company I'd start to worry.

I'd be looking for his replacement.
10-14-2011, 06:50 PM
Bill Perry

Remote Access

Some time ago I was the on call admin for a critical system at a certain
large company. I wanted to fix problems from home. I checked with three
different guys in the computer security department before implementing
anything. I wouldn't want to do something that would get me fired or
charged with a crime.

The computer security guys were somewhat arrogant, they basically said
if you can figure out a way around our firewalls, go ahead, but we won't
create a hole for you.

A couple of days later I had the remote access going and I showed them
how it worked. They were amazed, but just shrugged and said "cool!, Can
I have a copy of that script?"

Again - check around, don't do something that would get you in trouble.
In this economic climate don't take a chance and lose your job!

These days, I'm working for a small company and I make the policies, so
I'm ok.

notes:
office computer setup
  create script on your office computer to check home website for special
  file (trigger file)
    if not exists
      sleep 5 minutes
    if exists
      ssh to home computer. ssh command uses options to open a reverse
      tunnel on a special port

home computer setup
  copy the public key from the office computer to .ssh/authorized_keys

activate
  from home
    create special file
    start trying to access the special port. You can open multiple windows
    on that port. One window may have to run a "keep alive" program.

BP
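
What the pattern in these notes looks like from the firewall side, as an added example that is not part of Bill Perry's post: a timer-regular web poll to one outside address followed by a long-lived outbound SSH session. The log format, addresses and thresholds are constructed, and it assumes the trigger file and the SSH endpoint share one address.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records (not from the thread), one per line:
# epoch_seconds src dst dport duration_seconds
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.7 80 1
1300 10.0.0.5 203.0.113.7 80 1
1601 10.0.0.5 203.0.113.7 80 1
1900 10.0.0.5 203.0.113.7 80 1
2200 10.0.0.5 203.0.113.7 22 14400
1010 10.0.0.9 198.51.100.4 80 2
1100 10.0.0.9 198.51.100.4 80 3
2900 10.0.0.9 198.51.100.4 80 1
1500 10.0.0.12 192.0.2.20 22 45
"""

def parse(log):
    """Yield (ts, src, dst, dport, duration) tuples from the constructed format."""
    for line in log.splitlines():
        ts, src, dst, dport, dur = line.split()
        yield int(ts), src, dst, int(dport), int(dur)

def find_polled_tunnels(log, min_polls=4, max_jitter=0.1, min_tunnel_secs=3600):
    """Flag hosts that poll one outside address on a timer, then hold SSH open to it."""
    polls = defaultdict(list)  # (src, dst) -> timestamps of short web requests
    ssh = defaultdict(list)    # (src, dst) -> (start, duration) of SSH sessions
    for ts, src, dst, dport, dur in parse(log):
        if dport in (80, 443) and dur < 10:
            polls[(src, dst)].append(ts)
        elif dport == 22:
            ssh[(src, dst)].append((ts, dur))
    findings = []
    for pair, times in polls.items():
        times.sort()
        if len(times) < min_polls:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if pstdev(gaps) > max_jitter * period:
            continue  # irregular timing looks like a person, not a sleep loop
        for start, dur in ssh[pair]:
            # Long-lived SSH that starts after the last poll to the same address
            if start >= times[-1] and dur >= min_tunnel_secs:
                findings.append((pair[0], pair[1], round(period), dur))
    return findings

if __name__ == "__main__":
    for src, dst, period, dur in find_polled_tunnels(SAMPLE_LOG):
        print(f"{src} polled {dst} every ~{period}s, then held SSH open {dur}s")
```
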


10-14-2011, 07:36 PM
Joe Zeff

Remote Access

On 10/14/2011 11:50 AM, Bill Perry wrote:
> The computer security guys were somewhat arrogant, they basically said
> if you can figure out a way around our firewalls, go ahead, but we won't
> create a hole for you.
>
> A couple of days later I had the remote access going and I showed them
> how it worked. They were amazed, but just shrugged and said "cool!, Can
> I have a copy of that script?"

That doesn't come across as arrogant to me. It sounds more like, "We
aren't allowed to help you, but we're not going to try to stop you either."

And, I just figured out the correct response to anybody who thinks it's
legitimate to do something like this "because I think I need it" even
after being told that it's against company policy:

"What *was* your username?"
<clickedy-click!>
10-14-2011, 09:04 PM
Marko Vojinovic

Remote access

On Friday 14 October 2011 16:28:17 Ed Greshko wrote:
> All I know is this.... If I were Marko's employer and I read his views
> on circumventing or flouting the rules of a company I'd start to worry.

Oh, I understand you completely! :-)

The opinion that I have comes from the experience of being on both sides of
the "fence" --- at times, I was the client needing some access, and other
times I was the admin being asked to provide such sort of things.

The point is that when someone asks me to change firewall rules to allow him
some type of access, I take it very seriously into consideration. If there are
no security threats, I would typically grant access. If there are security
issues, I would invest some effort into helping the client to achieve his goal
in a different manner, and/or help him understand why his wish is a Bad Idea
from a security standpoint, and I would not stop until I was sure he
understood. If I don't do that, I run the risk that he is going to provide
himself access behind my back, and that would be even worse.

OTOH, whenever I was in a position of a client asking for something, I
expected nothing less from my admin. If I ask for, say, a firewall rule to
grant me some access to something, admin's reply "it's against the rules" is
not enough. I go on to ask which rule, why, how, for what purpose, etc., and
if the admin has good answers, I get persuaded to give up on my request for
access.

But quite often, the admin doesn't have a valid response to "which rules",
"why are those rules in place" and "what could happen if someone disobeys that
rule". If I am not persuaded that the rule actually makes sense, I go on to
challenge it in one way or another. Quite often I found out that such rules
are a consequence of someone's incompetence or a relic from the past, and
that they are completely useless and artificial (a typical case is when the
company bureaucracy doesn't keep up with technological development).

In such cases, as well as when the admin insults my intelligence with an
answer of type "it's too complicated for you to understand why...", I come to
the conclusion that the rule can be ignored.

Once I even got caught ignoring one of the rules, and when audited by my boss,
I presented arguments for my defense that eventually led to removing the
offending rule from the "terms of service" and company policy (it was about
allowing access for p2p communication, torrent in particular). I wasn't even
punished in any way. The rule was just plain stupid and unnecessary.

The point is that I am not some hippie, ignorant of security or other policies
that are enforced on the users, I just don't want to blindly "uphold the
rules" without any sanity. :-)

Best, :-)
Marko

P.S. <quote>Rules are made to be broken...</quote> ;-)



10-14-2011, 10:05 PM
Marko Vojinovic

Remote access

On Friday 14 October 2011 14:02:25 Ian Malone wrote:
> On 14 October 2011 13:16, Marko Vojinovic <vvmarko@gmail.com> wrote:
> > If you just restrict people by rules, it *is* legitimate for them to
> > break the rules. If instead you teach people why they should uphold the
> > rules, it *is* *not* legitimate for them to break those rules.
> > Legitimacy comes from understanding, legality comes from obedience.
>
> Not sure what definition of "legitimate" you are using here.

Yes, it appears to be a problem for some people in this thread.

Let me phrase it like this --- when some rules in some legal system cease to
make actual sense, it is legitimate to challenge them.

Think political revolutions, the fact that they are often completely illegal
by the laws of the countries where they happen, but can be quite legitimate,
if they change the governing system for a better one.

Think factory workers' strikes, the fact that they were illegal up to some
point in the past, but were quite legitimate due to poor working conditions of
the workers.

Think software patents, the fact that they are legal in US, and the legitimacy
of the social/political/etc. movement against the laws which allow them.

From my POV, a legitimate behavior is the behavior that *makes* *sense* in a
reasonable way, while it can be against all the rules and laws currently in
force, in a given context.

So, if someone fails to explain to me why I am not allowed ssh access to my
work computer (and I *will* listen and understand reasonable explanations),
then ignoring the rule makes sense, and is therefore legitimate.

This is the way I understand the word "legitimate", and the point I wanted to
get across.

Best, :-)
Marko

P.S. All wikipedia articles about legitimacy talk about some specific topics
(birth without marriage, political authorities, etc.), and unfortunately I
didn't find any article or definition that is generic enough... Also, I didn't
bother to search beyond wikipedia. My explanation above should be clear
enough. ;-)


