I have a question for the sys admins out there. My company monitors ALL traffic in and out of the office. Of course they monitor what URLs people visit. A more interesting thing, they can read strings typed from multiple protocols. i.e. they can read IM conversations.

My question is, can they interpret traffic that is encrypted? Ex: gmail that is secured.

I know the simplest solution is to use remote desktop but is this really secure?

11/5/2008 7:35:38 AM

VPN to your house + remote desktop is what i'd do..doubt they'll be seeing much from that one

11/5/2008 7:58:03 AM

you could stop reading pron emails at works, or stop doing non-work things at work.

Otherwise, vpn home and rdp

11/5/2008 8:02:20 AM

They don't give a damn what you're doing on your work computer. The IT dept has better things to worry about.

11/5/2008 8:47:11 AM

so a VPN is needed along with RDP? I thought RDP was somewhat secure??

11/5/2008 8:49:58 AM

https is fine

11/5/2008 9:09:27 AM

if they've got vnc loaded on all the machines, they can see your screen and what you're doing whenever they want.

that means all options are futile.

11/5/2008 9:27:30 AM

how about you just do work when you are at work and do all the shit that you want to do at work at home

11/5/2008 9:37:22 AM

I'm glad I don't work for a big brotherish company.

11/5/2008 10:12:25 AM

Im glad at my work, all the ppl are smarter then the guys in IT...and they know it, so they dont even try.

[Edited on November 5, 2008 at 11:25 AM. Reason : !]

11/5/2008 11:24:52 AM

That sounds like an HR issue.

11/5/2008 11:32:52 AM

The key is to not tell people you're monitoring them because it's a waste of time and resources and that they have full unbridled internet access.

11/5/2008 11:57:35 AM

or you could be high enough up that you have an outside connection in addition to your inside line...

11/5/2008 12:21:32 PM

technically HTTPS is NOT safe in that scenario. HTTPS is still vulnerable to man in the middle attacks, if the snooper sees the initial certificate/key exchange.

iirc SSHv2 is safe from MiTM attacks, if you want to setup an ssh tunnel.

11/5/2008 12:36:23 PM

mellocj, please2setup my supersecret VPN.

11/5/2008 12:52:17 PM

use AES.

11/5/2008 3:50:37 PM

1. SSH tunnel
2. VNC or RDP
3. Don't use the IT-provided images

Most organizations have a minimal compliance standard you can adhere to in lieu of using the IT-provided images. I'd recommend going that route as minimal compliance guarantees you freedom from the spyware as well as the general crapware preinstall.

11/5/2008 5:26:12 PM

SSHv2 is relatively safe from MITM attacks due to the RSA key protocols it employs, but nothing is 100% safe.

if you use gmail over https, i'd be willing to bet that you're fine - yes, if they tried very hard, they could intercept your traffic, but it's a pretty safe bet your IT group doesn't have the time nor the interest in doing so. they'll be able to see the URI you're visiting, but that's it.

they can see your IM traffic and whatnot because that's all plaintext. anything that's sent in plaintext can easily be sniffed, especially if you've got console access to the switch that's serving the person of interest. port mirroring is pretty awesome.

if you really want to be safe, set up a ssh tunnel between your box at work and your box at home, and tunnel all your web traffic and dns queries through it via socks5.

11/5/2008 8:37:49 PM

and if they are using key loggers none of this will work

11/5/2008 8:39:27 PM

well, yes

but i'd be willing to bet most IT groups wouldn't do that.

11/5/2008 8:41:45 PM

is Vista's RDP by default secure/encrypted without having to go through a SSH tunnel? That's what I do at work; they don't care what we do, but it would be nice to keep my stuff from snooping eyes of possible.

11/5/2008 8:45:44 PM

Vista uses 128-bit RC4 encryption for RDP connections whenever it can.

if the other client doesn't support it, it'll yell at you. versions before v6 were quite vulnerable to MITM attacks if someone tried hard enough.

11/5/2008 8:52:56 PM

i think that the only places that really care enough to watch you are the national labs

11/5/2008 9:02:32 PM

Dont confuse:
IT guy sitting around all day watching everything you do.

With:
Logging websites/company emails/company IM for reading if you give them a reason.

11/6/2008 10:18:18 AM