[TriLUG] blocking outbound port 22

tj via TriLUG trilug at trilug.org
Fri Oct 9 09:59:19 EDT 2015


Speaking of the patent system:
the system has already been broken for a long time :D

My coworker scores many patents that are easy to get via company funding.
Make any nonsense patent and you will get it through :D
I cannot discuss those patents, but the patents are easy as pie and some
are nonsense in reality (in innovation).

Interested?
Sorry for my side talk.

On Fri, Oct 9, 2015 at 9:00 AM, Tim Jowers via TriLUG <trilug at trilug.org>
wrote:

> Funny. When I was at Wells the programmers had two computers. One they
> routed through their phones to look stuff up. Wells was locked down pretty
> tightly. When I was at Bank of America the systems were locked down but
> select people were allowed to transfer files out. For instance, the iOS
> programmers both had unlocked USB and also a public share where they could
> transfer files with the vendor. So, the rules which exist were enforced on
> some staff but overlooked and ignored for the outsourced staff (who
> actually sat onsite :-). The irony is once off the bank's network the
> laptop could still connect to a network and perform unscanned http/https.
> The bigger irony is Android and Windows mobile development opens a hole to
> write to devices. The security team was more of a bureaucracy than
> engineers. Personally, I never messed with it, but it seems someone could just
> encrypt a document and do an https upload and that would be untrackable.
> Amazingly, they could even print it out and walk out of the door. Oh my!
>
> Good point about the patents. Hadn't realized that. I've worked with
> several patent hobbyists. One hoodwinking manager I had at BofA couldn't
> program his way out of a hello world but claimed many patents. Probably
> each was worthless or he patented something someone else had done.
>
> Cheers,
> Tim
>
> On Fri, Oct 9, 2015 at 12:20 AM, Keith Woodie via TriLUG <
> trilug at trilug.org>
> wrote:
>
> > I have worked in places that allow SSH out and places that only allow web
> > proxy traffic outbound. In the grand scheme of it all it is probably best
> > from a security perspective to block it. All of us know how easy it is to
> > bypass arbitrary rules with non-default ports and SSH. In the age of
> > security breaches I can honestly say that if I were the security admin I
> > would block it too and only allow web proxy traffic.
> >
> >
> >
> >
> > On Thu, Oct 8, 2015 at 3:45 PM bak via TriLUG <trilug at trilug.org> wrote:
> >
> > > Yes indeed. Certainly it’s an issue where I find it easy to see both
> > > sides.
> > >
> > > —bak
> > >
> > > > On Oct 8, 2015, at 15:39, William Sutton <william at trilug.org> wrote:
> > > >
> > > > Some places take data seepage very seriously. Where I work, they've
> > > > pushed out (via Windows GPO) software that automatically encrypts any
> > > > USB keys that get plugged into a workstation. Which kills transferring
> > > > firmware from your PC to an appliance, but also keeps you from handing
> > > > off sensitive information to someone less than trustworthy.
> > > >
> > > > William Sutton
> > > >
> > > > On Thu, 8 Oct 2015, bak via TriLUG wrote:
> > > >
> > > > >> Long ago in a far away land when I was but a nerdling, I was let go
> > > > >> from a (rather terrible temporary) job for doing this.
> > > > >>
> > > > >> These days I would have just used the data connection I carry around
> > > > >> in my pocket all the time.
> > > >>
> > > >> —bak
> > > >>
> > > > >>> On Oct 8, 2015, at 10:44, Matt Flyer via TriLUG <trilug at trilug.org> wrote:
> > > > >>> This sounds like a perfect place to test the application Corkscrew:
> > > > >>>
> > > > >>> http://www.techrepublic.com/blog/linux-and-open-source/using-corkscrew-to-tunnel-ssh-over-http/
> > > > >>> "If you are in an environment that disallows the use of SSH and forces
> > > > >>> the use of an HTTP proxy, it is possible to use that HTTP proxy as a
> > > > >>> transport for SSH."
> > > > >>> I worked at a place that was absurdly totalitarian with regards to their
> > > > >>> web proxy. As a design engineer I would frequently research technical
> > > > >>> information and they would even block categorically university sites,
> > > > >>> where you can get a lot of technical papers, as "educational sites
> > > > >>> prohibited".
> > > > >>> Using SSH to tunnel out of there was the quick and obvious answer.
> > > > >>> Blocking port 22 simply makes the case for moving SSH to a non standard
> > > > >>> port, the old security through obscurity line.
> > > > >>>> port ssh, can be easily used for tunneling
> > > >>>> I think, web proxy is in the blacklist for security reason.
> > > > >>>> On Wed, Oct 7, 2015 at 5:22 PM, Ken Mink via TriLUG <trilug at trilug.org> wrote:
> > > > >>>>>> On Oct 7, 2015, at 16:52, Wes Garrison via TriLUG <trilug at trilug.org> wrote:
> > > > >>>>>> I ran into a situation today I've never seen before.
> > > > >>>>>> I was working at an engineering firm and their IT guy had all outbound
> > > > >>>>>> traffic on port 22 blocked.
> > > > >>>>>> Is there any sane reason to do this?
> > > > >>>>>> I can't think of any reason to block SSH, but maybe I'm missing
> > > > >>>>>> something.
> > > > >>>>>> -Wes
> > > > >>>>> Sure, internal security policies. One place I worked had ALL outbound
> > > > >>>>> traffic blocked. The only way out was web proxy, which also had quite
> > > > >>>>> the blacklist.
> > > > >>>>> Ken
> > > >>> --
> > > >>> This message was sent to: bak at picklefactory.org <
> > bak at picklefactory.org
> > > >
> > > >>> To unsubscribe, send a blank message to trilug-leave at trilug.org
> from
> > > that address.
> > > >>> TriLUG mailing list :
> http://www.trilug.org/mailman/listinfo/trilug
> > > >>> Unsubscribe or edit options on the web      :
> > > http://www.trilug.org/mailman/options/trilug/bak%40picklefactory.org
> > > >>> Welcome to TriLUG: http://trilug.org/welcome
> > > >>
> > > >> --
> > > >> This message was sent to: William <william at trilug.org>
> > > >> To unsubscribe, send a blank message to trilug-leave at trilug.org
> from
> > > that address.
> > > >> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > > >> Unsubscribe or edit options on the web       :
> > > http://www.trilug.org/mailman/options/trilug/william%40trilug.org
> > > >> Welcome to TriLUG: http://trilug.org/welcome
> > >
> > > --
> > > This message was sent to: Keith Woodie <kwoodie at gmail.com>
> > > To unsubscribe, send a blank message to trilug-leave at trilug.org from
> > that
> > > address.
> > > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > > Unsubscribe or edit options on the web  :
> > > http://www.trilug.org/mailman/options/trilug/kwoodie%40gmail.com
> > > Welcome to TriLUG: http://trilug.org/welcome
> > --
> > This message was sent to: timjowers <timjowers at gmail.com>
> > To unsubscribe, send a blank message to trilug-leave at trilug.org from
> that
> > address.
> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > Unsubscribe or edit options on the web  :
> > http://www.trilug.org/mailman/options/trilug/timjowers%40gmail.com
> > Welcome to TriLUG: http://trilug.org/welcome
> >
> --
> This message was sent to: fendy <bimasakti at gmail.com>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that
> address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web  :
> http://www.trilug.org/mailman/options/trilug/bimasakti%40gmail.com
> Welcome to TriLUG: http://trilug.org/welcome
>

