Re: [PLUG] 3rd party vpn Defense evasion
When you firmly disagree you are personally discriminating against anyone on the mild end of the spectrum. I am NOT discriminating by advocating a positive view of mild autism. Discrimination by definition is negative. As the saying goes, intolerance of intolerance is NOT intolerance. Only the shrieking ultra right-wingers who carry the racist and intolerance flags claim that anyone opposing their viewpoint is "intolerant." That is what you are doing. And when you propagate that attitude to other people that being on the mild end of the spectrum is a disorder, and that viewing it as a positive is a personal process and not reality, then you are propagating that discriminatory attitude towards others. Same when you use terms like "shit" to refer to an autism discussion.

What is NOT factual is labeling mild cases as a disorder, any more than labeling same-sex preference as a disorder is factual. While a lot of people who should know better are doing this, including some in the medical community, that ISN'T a fact. It is an opinion. I gave a logical explanation that explains why autism has been on the rise for centuries and facts that support that, which is a damn sight better than the medical community, who have no explanation and sit around scratching their asses and wringing their hands about what to do about it (and suggesting diet changes as fixes and other rubbish).

An evolutionary advantage to the individual CANNOT by definition be a disorder. While it may be very irritating to people for one person to be 6 1/2 feet tall and make millions as a basketball star, his height is NOT a disorder, because it gives him an advantage over the rest of them. It is only jealous people who label mild autism as a disorder. This is how evolution works.

Yes there are 7 foot tall people, but the medical literature shows that that amount of height carries more detriments than advantages, while a mild amount of height gain carries more advantages than detriments; thus evolution favors the 6.5 over the 6 and over the 7. Just because extreme cases of autism are detriments to the individual and can be labeled disorders does not mean that mild cases are disorders, any more than 6.5 is a height disorder just because 7 is. I hate having to waste all this time spelling out logic but it seems I have to, here.

Discussion of how Linux can be moved out of the "experimenters corner" and into the mainstream general public is certainly appropriate for a Linux mailing list. If nobody in the Linux community cared about that we wouldn't have Linux GUI desktops; the command line + terminfo & curses would be perfectly fine as an interface. If you think it belongs on -talk you know how to set followups.

One of the largest obstacles to doing this is failure by the "techies" and "experimenters" to understand how the general public thinks about and views technology. This is CLEARLY a result of so many in the Linux and tech community being on the spectrum and therefore having difficulty understanding WHY the general public cannot immediately see and understand the technical superiority of Linux, and throw Windows into the trash where it belongs. Just as you seem to be having difficulty understanding WHY it's not appropriate for an IT department to be attempting to violate contracts signed between a business and a contractor, because after they were signed the business suddenly decides they don't like their contractor subcontracting by using VPNs and, instead of renegotiating the contract to prohibit subcontracting, attempts to make things difficult by erecting VPN blocks.

And note we only went down this rabbithole because of your extreme reaction to my suggesting that the answer to "how do we block VPN traffic" was to say not to do it in the first place (and why).

Ted

-----Original Message-----
From: PLUG On Behalf Of Ben Koenig
Sent: Sunday, April 23, 2023 5:53 PM
To: Portland Linux/Unix Group
Subject: Re: [PLUG] 3rd party vpn Defense evasion

While I firmly disagree, I don't have any issue with people who want to see autism as a positive thing. How we come to terms with our humanity and the shitstorm that is society is a personal process. But when you project your attitude onto others without thinking you end up discriminating. Even if you don't consider autism to be a disorder, it still comes down to whether or not it's a fact, and you are not in a position to make that claim. It's really not about autism being good or bad, it's about the claim and how others feel about it. And these days convincing someone they have autism when they don't can be extremely dangerous and life threatening so maybe don't casually bring it up.

I don't want to see this shit on PLUG. This is an online text-only format with a specific focus on Linux conversations so if you want to get into the prevalence of autistic nerds in the IT
Re: [PLUG] 3rd party vpn Defense evasion
While I firmly disagree, I don't have any issue with people who want to see autism as a positive thing. How we come to terms with our humanity and the shitstorm that is society is a personal process. But when you project your attitude onto others without thinking you end up discriminating. Even if you don't consider autism to be a disorder, it still comes down to whether or not it's a fact, and you are not in a position to make that claim. It's really not about autism being good or bad, it's about the claim and how others feel about it. And these days convincing someone they have autism when they don't can be extremely dangerous and life threatening so maybe don't casually bring it up.

I don't want to see this shit on PLUG. This is an online text-only format with a specific focus on Linux conversations so if you want to get into the prevalence of autistic nerds in the IT world feel free to take it to PLUG-TALK. I'm the last person to dictate politeness on any online forum but I'm gonna sit my ass down on this hill and say that bringing statements about mental health into a discussion about linux network monitoring is crossing multiple lines. If any PLUG old-timers want to get cranky about my attitude I'll show myself the door. :)

And for the record, thanks for taking a day to write an honest and significantly less toxic response. Most people would have doubled down on their BS rather than explain it.

-Ben

--- Original Message ---
On Sunday, April 23rd, 2023 at 3:23 PM, Ted Mittelstaedt wrote:

> Well as I have been on the autism scale myself since I was born and I have read quite a bit about it in an effort to understand what my differences are, I perhaps have a radically different view of it than you do. It is not a disorder unless someone is severely autistic. It is, in fact, an evolutionary advantage that has become more prevalent in humans for the simple and obvious reason that it gives people who have "mild" cases of it the ability to be highly successful with technology and machinery as well as music and the arts. As humans have become more civilized, people with the genetic group that causes autism have outcompeted people that lack this. Einstein for example is a textbook example. I've worked in high tech since 1994 and the most successful programmers, engineers, IT people - the "techies" of the world - are all on the scale. That is after all what the word nerd was coined to describe. So I am actually rather proud of being on the scale and I DON'T regard having it negatively. I'm sorry you do and I hope you can eventually realize your view of it being a disorder is discriminatory. IMHO the biggest proponents of the idea that mild autism is a disorder are old school educators whose main goal in life is getting kids in school to sit down and shut up. Happily that view is gradually changing but it's clear we still have a lot of work to do.
>
> Get Outlook for Android <https://aka.ms/AAb9ysg>
>
> From: PLUG plug-boun...@pdxlinux.org on behalf of Ben Koenig techkoe...@protonmail.com
> Sent: Saturday, April 22, 2023 5:29:40 PM
> To: Portland Linux/Unix Group plug@pdxlinux.org
> Subject: Re: [PLUG] 3rd party vpn Defense evasion
>
> --- Original Message ---
> On Tuesday, April 18th, 2023 at 8:38 AM, Ishak Micheil isaa...@gmail.com wrote:
>
> > Greetings,
> > I am tasked to identify a solution to detecting users obfuscating their IP, using a variety of VPN services.
> >
> > What we've done
> > - Prevent users from installing software (VPN Clients)
> > - Possibly having a code on endpoints, to collect IP addresses tied to wifi or LAN connection prior to attaching to VPN service,
> >
> > any other ideas?
>
> Some people want to debate this as some sort of political issue, but it's pretty straightforward. This usually is more of a concern at SMBs that don't want to splurge for company managed hardware and ask their employees to BYoD. This then creates anxiety among managers that gets projected down to IT.
>
> If you control the VDI system, then you have the ability to see who is connecting. At most companies the VPN software used to connect to the VDI is ALSO company managed, so you can see that too.
>
> So, you log all accesses to the VPN on the server side and monitor for trends. You may not be able to stop an employee from giving out access credentials, but you can see when the IP address used to connect the VPN changes. From here, you implement Zero-trust policies where only known IP addresses are able to access the network because you know the IP address, but
Re: [PLUG] 3rd party vpn Defense evasion
Well as I have been on the autism scale myself since I was born and I have read quite a bit about it in an effort to understand what my differences are, I perhaps have a radically different view of it than you do. It is not a disorder unless someone is severely autistic. It is, in fact, an evolutionary advantage that has become more prevalent in humans for the simple and obvious reason that it gives people who have "mild" cases of it the ability to be highly successful with technology and machinery as well as music and the arts. As humans have become more civilized, people with the genetic group that causes autism have outcompeted people that lack this. Einstein for example is a textbook example. I've worked in high tech since 1994 and the most successful programmers, engineers, IT people - the "techies" of the world - are all on the scale. That is after all what the word nerd was coined to describe. So I am actually rather proud of being on the scale and I DON'T regard having it negatively. I'm sorry you do and I hope you can eventually realize your view of it being a disorder is discriminatory. IMHO the biggest proponents of the idea that mild autism is a disorder are old school educators whose main goal in life is getting kids in school to sit down and shut up. Happily that view is gradually changing but it's clear we still have a lot of work to do.

Get Outlook for Android <https://aka.ms/AAb9ysg>

From: PLUG on behalf of Ben Koenig
Sent: Saturday, April 22, 2023 5:29:40 PM
To: Portland Linux/Unix Group
Subject: Re: [PLUG] 3rd party vpn Defense evasion

--- Original Message ---
On Tuesday, April 18th, 2023 at 8:38 AM, Ishak Micheil wrote:

> Greetings,
> I am tasked to identify a solution to detecting users obfuscating their IP, using a variety of VPN services.
>
> What we've done
> - Prevent users from installing software (VPN Clients)
> - Possibly having a code on endpoints, to collect IP addresses tied to wifi or LAN connection prior to attaching to VPN service,
>
> any other ideas?

Some people want to debate this as some sort of political issue, but it's pretty straightforward. This usually is more of a concern at SMBs that don't want to splurge for company managed hardware and ask their employees to BYoD. This then creates anxiety among managers that gets projected down to IT.

If you control the VDI system, then you have the ability to see who is connecting. At most companies the VPN software used to connect to the VDI is ALSO company managed, so you can see that too.

So, you log all accesses to the VPN on the server side and monitor for trends. You may not be able to stop an employee from giving out access credentials, but you can see when the IP address used to connect the VPN changes. From here, you implement Zero-trust policies where only known IP addresses are able to access the network because you know the IP address, but may not have logged it effectively until now.

There are additional layers of control you can add but it ultimately comes down to what a given company is willing to provide for their employees/contractors. I've worked with systems that would make the kind of subcontracting you describe very difficult but in those cases you end up with the employer buying a special wifi router for their staff.

A lot of managers will ask for a magical fix without understanding how much effort it takes to lock this down. For us in IT sometimes we just need to map out all the things that would need to be implemented and assign a $$$ value to them. Most companies will decide not to bother at that point. Think of it like an arms race: at what point does your user have to jump through so many hoops that the act of enabling a subcontractor becomes more work than the actual job?

Or, we could be Ted and go off on abusive rants about how IT people are autistic for even considering this type of solution. ;)

-Ben

P.S. Hey Denis, I would have posted this info sooner since it's a pretty interesting question but was discouraged from doing so because Ted was trying to shit on everyone. May the Facts be with me :)
Re: [PLUG] 3rd party vpn Defense evasion
--- Original Message ---
On Tuesday, April 18th, 2023 at 8:38 AM, Ishak Micheil wrote:

> Greetings,
> I am tasked to identify a solution to detecting users obfuscating their IP, using a variety of VPN services.
>
> What we've done
> - Prevent users from installing software (VPN Clients)
> - Possibly having a code on endpoints, to collect IP addresses tied to wifi or LAN connection prior to attaching to VPN service,
>
> any other ideas?

Some people want to debate this as some sort of political issue, but it's pretty straightforward. This usually is more of a concern at SMBs that don't want to splurge for company managed hardware and ask their employees to BYoD. This then creates anxiety among managers that gets projected down to IT.

If you control the VDI system, then you have the ability to see who is connecting. At most companies the VPN software used to connect to the VDI is ALSO company managed, so you can see that too.

So, you log all accesses to the VPN on the server side and monitor for trends. You may not be able to stop an employee from giving out access credentials, but you can see when the IP address used to connect the VPN changes. From here, you implement Zero-trust policies where only known IP addresses are able to access the network because you know the IP address, but may not have logged it effectively until now.

There are additional layers of control you can add but it ultimately comes down to what a given company is willing to provide for their employees/contractors. I've worked with systems that would make the kind of subcontracting you describe very difficult but in those cases you end up with the employer buying a special wifi router for their staff.

A lot of managers will ask for a magical fix without understanding how much effort it takes to lock this down. For us in IT sometimes we just need to map out all the things that would need to be implemented and assign a $$$ value to them. Most companies will decide not to bother at that point. Think of it like an arms race: at what point does your user have to jump through so many hoops that the act of enabling a subcontractor becomes more work than the actual job?

Or, we could be Ted and go off on abusive rants about how IT people are autistic for even considering this type of solution. ;)

-Ben

P.S. Hey Denis, I would have posted this info sooner since it's a pretty interesting question but was discouraged from doing so because Ted was trying to shit on everyone. May the Facts be with me :)
Re: [PLUG] 3rd party vpn Defense evasion
> > > or trying to exploit workers from time to time.
> > >
> > > Once more as I keep saying this needs to be handled from an employee management standpoint via managers and HR not from the IT department trying to play God and the managers being wussies and afraid to talk to employees.
> > >
> > > Is it simply that a large number of IT people are on the autism spectrum and have social anxiety disorder that they will literally waste weeks of company time on elaborate technical solutions that can be handled in 5 minutes by a manager walking up to an employee and saying "hey dude you know that thing you are doing with the VPN, well knock it off"
> > >
> > > Or is it that their anxiety disorder and desire to Play God just drives them to believe that every other employee in the company is trying to screw IT???
> > >
> > > Sheesh!!!
> > >
> > > Ted
> > >
> > > -----Original Message-----
> > > From: PLUG plug-boun...@pdxlinux.org On Behalf Of Daniel Ortiz
> > > Sent: Wednesday, April 19, 2023 1:39 PM
> > > To: Portland Linux/Unix Group plug@pdxlinux.org
> > > Subject: Re: [PLUG] 3rd party vpn Defense evasion
> > >
> > > Disclaimer: some of the following if not all could be wrong.
> > >
> > > Wouldn't it be easier to deal with the credentials side to avoid this problem in the first place? To illustrate what I mean, here's a theoretical idea that while it might be flawed (like potential security failures), could be useful in terms of guidance. When an employee logs in, it sends an email to their company Gmail account to complete the login procedure. They click the link to a Google form which requires them to be logged in to their company Google account for the submitted form to either work or be considered valid. Once it's submitted, a program will allow them to finish the login process.
> > >
> > > Also, doing something with a company Google account could be helpful since Google records the devices you logged in with, which if a company can check that, they can see if there are any suspicious devices.
> > >
> > > On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil isaa...@gmail.com wrote:
> > >
> > > > We're chasing this from the data science side as well. As far as charting the pattern of activity and flagging anomalies. This should trap the subs since he/she won't be checking email, responding to chat messages etc, or hopefully time of activity could give us clues.
> > > >
> > > > I do agree, there are many VPN commercial services and they will never advertise server properties, besides there's lots of other open-VPN options.
> > > >
> > > > We shall conquer!
> > > >
> > > > On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt t...@portlandia-it.com wrote:
> > > >
> > > > > -----Original Message-----
> > > > > From: PLUG plug-boun...@pdxlinux.org On Behalf Of John Jason Jordan
> > > > > Sent: Tuesday, April 18, 2023 2:00 PM
> > > > >
> > > > > > It would be nice if VPN services advertised how effectively they stop others from finding out who and where you really are.
> > > > >
> > > > > They are never going to do this because they are constantly tweaking their proprietary protocols to get around firewalls, and they don't want the firewall vendors knowing when they made a change to get past firewalls. And given who some of the firewall vendors are, and what they do to people they don't like, this is very understandable.
> > > > >
> > > > > This stuff is getting very advanced nowadays since many firewalls are doing deep packet inspection, and looking specifically for patterns in packet traffic that indicate it is VPN traffic encapsulated in regular http or https traffic. So the proprietary vpn clients will modify the encrypted traffic to make it look like regular https traffic.
> > > > >
> > > > > Never forget that for you, me, and probably all the readers of this list, that creating, using, blocking and messing around with VPNs is really mainly an intellectual exercise, but that there are many people in the world in places like Russia and China where a secure VPN means not having people breaking their doors down in the middle of the night and hauling them off to prison - or worse.
> > > > >
> > > > > Ted
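Two practical suggestions are buried in the quoting above: Ben's (log every access to the company-managed VPN/VDI on the server side, watch for the source IP used to connect changing, then allow only known addresses) and Ishak's (chart the pattern of activity and flag anomalies, including time of activity). Ted's point that client-side VPN fingerprinting is an arms race against deep packet inspection is also why the server-side records, which the company controls, are the more reliable place to look. The script below is an added example, not code from the thread or from any product named in it; the log format, the sample lines, the per-user allowlist and the business-hours window are all constructed assumptions. It flags four things: a login from outside the user's known networks, a source address not previously seen for that user, a login while a session from a different address is still open (the shape a shared credential produces), and a login outside working hours.

```python
"""Review VPN concentrator access logs for signs of shared credentials.

Added example (not code from the PLUG thread). The log format is an
assumption: one line per event, "<ISO timestamp> <user> <source_ip> <event>".
The sample log, allowlist and business hours are constructed for the demo;
addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample log (assumed format); not a real concentrator's output.
SAMPLE_LOG = """\
2023-04-17T08:02:11 alice 203.0.113.45 login
2023-04-17T08:10:00 bob 198.51.100.7 login
2023-04-17T17:00:00 bob 198.51.100.7 logout
2023-04-17T17:30:02 alice 203.0.113.45 logout
2023-04-18T08:05:40 alice 203.0.113.45 login
2023-04-18T09:12:03 bob 198.51.100.7 login
2023-04-18T10:14:22 alice 192.0.2.200 login
2023-04-18T23:40:19 bob 198.51.100.90 login
"""

# Known-good source networks per user: the "only known IP addresses"
# policy Ben describes. Constructed for the example.
ALLOWLIST = {
    "alice": [ip_network("203.0.113.0/24")],
    "bob": [ip_network("198.51.100.0/24")],
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local working window


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    action: str


def parse_log(text):
    """Parse the assumed log format into Events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action = line.split()
        ip_address(ip)  # raises ValueError on a malformed address
        events.append(Event(datetime.fromisoformat(ts), user, ip, action))
    return sorted(events, key=lambda e: e.ts)


def review(events, allowlist, hours=BUSINESS_HOURS):
    """Return (user, timestamp, rule, ip) findings for suspicious logins.

    Rules: source outside the user's allowlist; a source IP not seen for
    that user before (after the user's first login); a login while a session
    from a different IP is still open (two people on one credential); a
    login outside business hours.
    """
    findings = []
    seen = defaultdict(set)    # user -> every source IP observed so far
    active = defaultdict(set)  # user -> source IPs with an open session
    for e in events:
        if e.action == "logout":
            active[e.user].discard(e.ip)
            continue
        if e.action != "login":
            continue
        addr = ip_address(e.ip)
        if not any(addr in net for net in allowlist.get(e.user, [])):
            findings.append((e.user, e.ts, "source outside allowlist", e.ip))
        if seen[e.user] and e.ip not in seen[e.user]:
            findings.append((e.user, e.ts, "new source ip", e.ip))
        if active[e.user] - {e.ip}:
            findings.append((e.user, e.ts, "concurrent session from another ip", e.ip))
        if not hours[0] <= e.ts.time() <= hours[1]:
            findings.append((e.user, e.ts, "login outside business hours", e.ip))
        seen[e.user].add(e.ip)
        active[e.user].add(e.ip)
    return findings


if __name__ == "__main__":
    for user, ts, rule, ip in review(parse_log(SAMPLE_LOG), ALLOWLIST):
        print(f"{ts.isoformat()} {user:<6} {ip:<15} {rule}")
```

Run directly, it prints three findings for alice (a second session opened from an address outside her allowlist while her first session is still up) and three for bob (a new address inside his allowed range, concurrent with his existing session, late at night). The allowlist rule is the enforcement half of what Ben describes; the other three are the monitoring half, and in a real deployment they would feed whatever alerting the organization already runs rather than a print loop.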
Re: [PLUG] 3rd party vpn Defense evasion
Don't worry about it Denis. Ben is passionate about what he's doing, and what he sees himself doing in security at any rate is protecting the organization from the evil people out there. Naturally he's going to be frustrated when faced with the reality of company politics and fiscal money-making that sometimes clashes with this directive.

A good manager would recognize that both Ben and the employee or contractor who are outsourcing are right. Yes, outsourcing can leak company vitals. But, it can also shortcut a problem and get a product out ahead of a competitor. It is right and valid to question if it's worth the risk to outsource. I don't know Ben's CEO but if I were that CEO I would drag him and the contractors and employees he's going after into a conference room and tell both of them to convince me which one is right.

Ted

-----Original Message-----
From: PLUG On Behalf Of Denis Heidtmann
Sent: Saturday, April 22, 2023 4:39 PM
To: Portland Linux/Unix Group
Subject: Re: [PLUG] 3rd party vpn Defense evasion

What (positive) contribution do your insults bring to the discussion? Can you find a less hostile way to contribute?

-Denis

On Sat, Apr 22, 2023 at 4:02 PM Ben Koenig wrote:

> Don't be such a dipshit.
>
> Yes, HR and Management are responsible for taking corrective action against employees not doing their job. "Job" in this context being defined by that employee's contract so there's no reason for us to speculate and pass judgement on whether or not IT should bother.
>
> What you seem to be missing in your attempt to over-compensate for your sense of psychological supremacy is that in order to take correct action from a management perspective, IT has to identify the digital paper trail. That's what we do - We can and often should keep track of network connections and report them accordingly. Whether that person gets punished is not for us to say.
>
> And in some cases this has to be handled proactively. This kind of subcontracting can create massive legal problems for some companies so even if the manager goes and tells them to stop, it's too late. Data has been leaked and lawsuits start to fly.
>
> Sadly there are a lot of people in the modern linux community that seem to believe that their understanding of IT trumps everyone else. Small, inexperienced minds that see their own personal use case as superior to all others.
>
> -Ben
>
> --- Original Message ---
> On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt <t...@portlandia-it.com> wrote:
>
> > For employees it depends if they are exempt or not. Any supervisory employee who can fire people is automatically considered exempt and many other employee classifications (such as programming) are considered exempt as well. (Exemption is once more an IRS and state taxing authority determination that the company has no say over.)
> >
> > If the employee is exempt from overtime then it's illegal for the company to require that they work a certain number of hours, or at certain times. If the company DOES tell the employee this (that they have to track their time) then the employee can hit them for mandatory overtime (if they exceed 40 hours).
> >
> > Exempt/non-exempt classifications are more commonly referred to as salaried/hourly employees.
> >
> > Long and short of it is you cannot use an online form to consider "work to be valid" for a salaried AKA exempt employee. Salaried employees are paid BY THE JOB not by being logged into something for a certain time.
> >
> > Companies quite often forget that putting someone like a programmer on salary is a two way street. The benefit from the company's point of view is they don't have to pay overtime for one of those work-round-the-clock-push times. But in exchange for that, the employee also doesn't have to work 40 hours every week either. A decent salaried employee keeps an eye on time since it's an important metric for how much work is reasonable to expect a salaried employee to do but it is NOT the absolute metric.
> >
> > Companies who have tried to do it differently - that is, not pay OT and make you work late during crunch time - and still make you work 40 hours - regularly end up paying very large fines and back salary to people when they get sued. It's healthy for that to happen for owners of those companies to get slapped silly for trying to exploit workers from time to time.
> >
> > Once more as I keep saying this needs to be handled from an employee management standpoint via managers and HR not from the IT department trying to play God and the man
Re: [PLUG] 3rd party vpn Defense evasion
increase security or something like that. IT will ALWAYS lose in any political argument with an exempt employee. Remember that. Unless of course, that exempt employee is not actually working in a position that legally qualifies as exempt. For sure, there are foolish companies out there that think they can exploit workers and con them into working unpaid overtime who do not qualify as exempt from OT. And those companies routinely end up paying serious fines when they get caught.

I don't know why there is such confusion over what being an exempt employee means. Being exempt from OT, ie: being salaried, effectively means that YOU are expected to be out there making money for the company any legal way possible because you are a stakeholder. If you can do this by working 20 hours a week from home and never be in the office, then if the company has a CEO with any brains at all, they will tell every other employee in the company that complains about it to go pound sand. If you can do this by violating every tenet of secure networking that IT holds dear, then if IT complains about it to the CEO IT will be told to pound sand.

Well run companies do NOT kill the geese that lay the golden eggs. Even if those geese are stupid idiots.

And yes I have learned this from my years in IT. I don't say that I like it. But, I like eating more, and food costs money so I too will side with the geese in a company laying the golden eggs even if it means telling my junior IT guys who have gotten puffed up reading the Best Practices security manual to pound sand.

Sorry about that.

Ted

-----Original Message-----
From: PLUG On Behalf Of Ben Koenig
Sent: Saturday, April 22, 2023 4:02 PM
To: Portland Linux/Unix Group
Subject: Re: [PLUG] 3rd party vpn Defense evasion

Don't be such a dipshit.

Yes, HR and Management are responsible for taking corrective action against employees not doing their job. "Job" in this context being defined by that employee's contract so there's no reason for us to speculate and pass judgement on whether or not IT should bother.

What you seem to be missing in your attempt to over-compensate for your sense of psychological supremacy is that in order to take correct action from a management perspective, IT has to identify the digital paper trail. That's what we do - We can and often should keep track of network connections and report them accordingly. Whether that person gets punished is not for us to say.

And in some cases this has to be handled proactively. This kind of subcontracting can create massive legal problems for some companies so even if the manager goes and tells them to stop, it's too late. Data has been leaked and lawsuits start to fly.

Sadly there are a lot of people in the modern linux community that seem to believe that their understanding of IT trumps everyone else. Small, inexperienced minds that see their own personal use case as superior to all others.

-Ben

--- Original Message ---
On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt wrote:

> For employees it depends if they are exempt or not. Any supervisory employee who can fire people is automatically considered exempt and many other employee classifications (such as programming) are considered exempt as well. (Exemption is once more an IRS and state taxing authority determination that the company has no say over.)
>
> If the employee is exempt from overtime then it's illegal for the company to require that they work a certain number of hours, or at certain times. If the company DOES tell the employee this (that they have to track their time) then the employee can hit them for mandatory overtime (if they exceed 40 hours).
>
> Exempt/non-exempt classifications are more commonly referred to as salaried/hourly employees.
>
> Long and short of it is you cannot use an online form to consider "work to be valid" for a salaried AKA exempt employee. Salaried employees are paid BY THE JOB not by being logged into something for a certain time.
>
> Companies quite often forget that putting someone like a programmer on salary is a two way street. The benefit from the company's point of view is they don't have to pay overtime for one of those work-round-the-clock-push times. But in exchange for that, the employee also doesn't have to work 40 hours every week either. A decent salaried employee keeps an eye on time since it's an important metric for how much work is reasonable to expect a salaried employee to do but it is NOT the absolute metric.
>
> Companies who have tried to do it differently - that is, not pay OT and make you work late during crunch time - and still make you work 40 hours - regularly end up paying very large fines and back salary to people when they get sued. It's healthy for that to happen fo
Re: [PLUG] 3rd party vpn Defense evasion
What (positive) contribution do your insults bring to the discussion? Can you find a less hostile way to contribute?

-Denis

On Sat, Apr 22, 2023 at 4:02 PM Ben Koenig wrote:
> Don't be such a dipshit.
>
> Yes, HR and Management are responsible for taking corrective action against employees not doing their job. "Job" in this context being defined by that employee's contract so there's no reason for us to speculate and pass judgement on whether or not IT should bother.
>
> What you seem to be missing in your attempt to over-compensate for your sense of psychological supremacy is that in order to take correct action from a management perspective, IT has to identify the digital paper trail. That's what we do - we can and often should keep track of network connections and report them accordingly. Whether that person gets punished is not for us to say.
>
> And in some cases this has to be handled proactively. This kind of subcontracting can create massive legal problems for some companies so even if the manager goes and tells them to stop, it's too late. Data has been leaked and lawsuits start to fly.
>
> Sadly there are a lot of people in the modern linux community that seem to believe that their understanding of IT trumps everyone else's. Small, inexperienced minds that see their own personal use case as superior to all others.
> -Ben
>
> --- Original Message ---
> On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt < t...@portlandia-it.com> wrote:
>
> > For employees it depends if they are exempt or not. Any supervisory employee who can fire people is automatically considered exempt and many other employee classifications (such as programming) are considered exempt as well. (Exemption is once more an IRS and state taxing authority determination that the company has no say over.)
> >
> > If the employee is exempt from overtime then it's illegal for the company to require that they work a certain number of hours, or at certain times. If the company DOES tell the employee this (that they have to track their time) then the employee can hit them for mandatory overtime (if they exceed 40 hours).
> >
> > Exempt/non-exempt classifications are more commonly referred to as salaried/hourly employees.
> >
> > Long and short of it is you cannot use an online form to consider "work to be valid" for a salaried AKA exempt employee. Salaried employees are paid BY THE JOB not by being logged into something for a certain time.
> >
> > Companies quite often forget that putting someone like a programmer on salary is a two way street. The benefit from the company's point of view is they don't have to pay overtime for one of those work-round-the-clock-push times. But in exchange for that, the employee also doesn't have to work 40 hours every week either. A decent salaried employee keeps an eye on time since it's an important metric for how much work is reasonable to expect a salaried employee to do but it is NOT the absolute metric.
> >
> > Companies who have tried to do it differently - that is, not pay OT and make you work late during crunch time - and still make you work 40 hours - regularly end up paying very large fines and back salary to people when they get sued. It's healthy for that to happen for owners of those companies to get slapped silly for trying to exploit workers from time to time.
> >
> > Once more as I keep saying this needs to be handled from an employee management standpoint via managers and HR not from the IT department trying to play God and the managers being wussies and afraid to talk to employees.
> >
> > Is it simply that a large number of IT people are on the autism spectrum and have social anxiety disorder that they will literally waste weeks of company time on elaborate technical solutions that can be handled in 5 minutes by a manager walking up to an employee and saying "hey dude you know that thing you are doing with the VPN, well knock it off"
> >
> > Or is it that their anxiety disorder and desire to Play God just drives them to believe that every other employee in the company is trying to screw IT???
> >
> > Sheesh!!!
> >
> > Ted
> >
> > -Original Message-
> > From: PLUG plug-boun...@pdxlinux.org On Behalf Of Daniel Ortiz
> > Sent: Wednesday, April 19, 2023 1:39 PM
> > To: Portland Linux/Unix Group plug@pdxlinux.org
> > Subject: Re: [PLUG] 3rd party vpn Defense evasion
> >
> > Disclaimer: some of the following if not all could be wrong.
> >
> > Wouldn't it
Re: [PLUG] 3rd party vpn Defense evasion
Don't be such a dipshit.

Yes, HR and Management are responsible for taking corrective action against employees not doing their job. "Job" in this context being defined by that employee's contract so there's no reason for us to speculate and pass judgement on whether or not IT should bother.

What you seem to be missing in your attempt to over-compensate for your sense of psychological supremacy is that in order to take correct action from a management perspective, IT has to identify the digital paper trail. That's what we do - we can and often should keep track of network connections and report them accordingly. Whether that person gets punished is not for us to say.

And in some cases this has to be handled proactively. This kind of subcontracting can create massive legal problems for some companies so even if the manager goes and tells them to stop, it's too late. Data has been leaked and lawsuits start to fly.

Sadly there are a lot of people in the modern linux community that seem to believe that their understanding of IT trumps everyone else's. Small, inexperienced minds that see their own personal use case as superior to all others.
-Ben

--- Original Message ---
On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt wrote:
> For employees it depends if they are exempt or not. Any supervisory employee who can fire people is automatically considered exempt and many other employee classifications (such as programming) are considered exempt as well. (Exemption is once more an IRS and state taxing authority determination that the company has no say over.)
>
> If the employee is exempt from overtime then it's illegal for the company to require that they work a certain number of hours, or at certain times. If the company DOES tell the employee this (that they have to track their time) then the employee can hit them for mandatory overtime (if they exceed 40 hours).
>
> Exempt/non-exempt classifications are more commonly referred to as salaried/hourly employees.
>
> Long and short of it is you cannot use an online form to consider "work to be valid" for a salaried AKA exempt employee. Salaried employees are paid BY THE JOB not by being logged into something for a certain time.
>
> Companies quite often forget that putting someone like a programmer on salary is a two way street. The benefit from the company's point of view is they don't have to pay overtime for one of those work-round-the-clock-push times. But in exchange for that, the employee also doesn't have to work 40 hours every week either. A decent salaried employee keeps an eye on time since it's an important metric for how much work is reasonable to expect a salaried employee to do but it is NOT the absolute metric.
>
> Companies who have tried to do it differently - that is, not pay OT and make you work late during crunch time - and still make you work 40 hours - regularly end up paying very large fines and back salary to people when they get sued. It's healthy for that to happen for owners of those companies to get slapped silly for trying to exploit workers from time to time.
>
> Once more as I keep saying this needs to be handled from an employee management standpoint via managers and HR not from the IT department trying to play God and the managers being wussies and afraid to talk to employees.
>
> Is it simply that a large number of IT people are on the autism spectrum and have social anxiety disorder that they will literally waste weeks of company time on elaborate technical solutions that can be handled in 5 minutes by a manager walking up to an employee and saying "hey dude you know that thing you are doing with the VPN, well knock it off"
>
> Or is it that their anxiety disorder and desire to Play God just drives them to believe that every other employee in the company is trying to screw IT???
>
> Sheesh!!!
>
> Ted
>
> -Original Message-
> From: PLUG plug-boun...@pdxlinux.org On Behalf Of Daniel Ortiz
> Sent: Wednesday, April 19, 2023 1:39 PM
> To: Portland Linux/Unix Group plug@pdxlinux.org
> Subject: Re: [PLUG] 3rd party vpn Defense evasion
>
> Disclaimer: some of the following if not all could be wrong.
>
> Wouldn't it be easier to deal with the credentials side to avoid this problem in the first place? To illustrate what I mean, here's a theoretical idea that while it might be flawed (like potential security failures), could be useful in terms of guidance. When an employee logs in, it sends an email to their company Gmail account to complete the login procedure. They click the link to a Google form which requires them to be logged in to their company Google
Re: [PLUG] 3rd party vpn Defense evasion
Agreed, HR and legal should absolutely be engaged and on-board given the risk level.

On Wed, Apr 19, 2023, 4:43 PM Ted Mittelstaedt wrote:
> For employees it depends if they are exempt or not. Any supervisory employee who can fire people is automatically considered exempt and many other employee classifications (such as programming) are considered exempt as well. (Exemption is once more an IRS and state taxing authority determination that the company has no say over.)
>
> If the employee is exempt from overtime then it's illegal for the company to require that they work a certain number of hours, or at certain times. If the company DOES tell the employee this (that they have to track their time) then the employee can hit them for mandatory overtime (if they exceed 40 hours).
>
> Exempt/non-exempt classifications are more commonly referred to as salaried/hourly employees.
>
> Long and short of it is you cannot use an online form to consider "work to be valid" for a salaried AKA exempt employee. Salaried employees are paid BY THE JOB not by being logged into something for a certain time.
>
> Companies quite often forget that putting someone like a programmer on salary is a two way street. The benefit from the company's point of view is they don't have to pay overtime for one of those work-round-the-clock-push times. But in exchange for that, the employee also doesn't have to work 40 hours every week either. A decent salaried employee keeps an eye on time since it's an important metric for how much work is reasonable to expect a salaried employee to do but it is NOT the absolute metric.
>
> Companies who have tried to do it differently - that is, not pay OT and make you work late during crunch time - and still make you work 40 hours - regularly end up paying very large fines and back salary to people when they get sued. It's healthy for that to happen for owners of those companies to get slapped silly for trying to exploit workers from time to time.
>
> Once more as I keep saying this needs to be handled from an employee management standpoint via managers and HR not from the IT department trying to play God and the managers being wussies and afraid to talk to employees.
>
> Is it simply that a large number of IT people are on the autism spectrum and have social anxiety disorder that they will literally waste weeks of company time on elaborate technical solutions that can be handled in 5 minutes by a manager walking up to an employee and saying "hey dude you know that thing you are doing with the VPN, well knock it off"
>
> Or is it that their anxiety disorder and desire to Play God just drives them to believe that every other employee in the company is trying to screw IT???
>
> Sheesh!!!
>
> Ted
>
> -Original Message-
> From: PLUG On Behalf Of Daniel Ortiz
> Sent: Wednesday, April 19, 2023 1:39 PM
> To: Portland Linux/Unix Group
> Subject: Re: [PLUG] 3rd party vpn Defense evasion
>
> Disclaimer: some of the following if not all could be wrong.
>
> Wouldn't it be easier to deal with the credentials side to avoid this problem in the first place? To illustrate what I mean, here's a theoretical idea that while it might be flawed (like potential security failures), could be useful in terms of guidance. When an employee logs in, it sends an email to their company Gmail account to complete the login procedure. They click the link to a Google form which requires them to be logged in to their company Google account for the submitted form to either work or be considered valid. Once it's submitted, a program will allow them to finish the login process. Also, doing something with a company Google account could be helpful since Google records the devices you logged in with, which if a company can check that, they can see if there are any suspicious devices.
>
> On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil wrote:
> > We're chasing this from the data science side as well. As far as charting the pattern of activity and flagging anomalies. This should trap the subs since he/she won't be checking email, responding to chat messages etc, or hopefully time of activity could give us clues.
> >
> > I do agree, there are many VPN commercial services and they will never advertise servers' properties, besides there's lots of other open-VPN options.
> >
> > We shall conquer!
> >
> > On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt wrote:
> > >
> > > -Original Message-
> > > From: PLUG On Behalf Of John Jason
Re: [PLUG] 3rd party vpn Defense evasion
For employees it depends if they are exempt or not. Any supervisory employee who can fire people is automatically considered exempt and many other employee classifications (such as programming) are considered exempt as well. (Exemption is once more an IRS and state taxing authority determination that the company has no say over.)

If the employee is exempt from overtime then it's illegal for the company to require that they work a certain number of hours, or at certain times. If the company DOES tell the employee this (that they have to track their time) then the employee can hit them for mandatory overtime (if they exceed 40 hours).

Exempt/non-exempt classifications are more commonly referred to as salaried/hourly employees.

Long and short of it is you cannot use an online form to consider "work to be valid" for a salaried AKA exempt employee. Salaried employees are paid BY THE JOB not by being logged into something for a certain time.

Companies quite often forget that putting someone like a programmer on salary is a two way street. The benefit from the company's point of view is they don't have to pay overtime for one of those work-round-the-clock-push times. But in exchange for that, the employee also doesn't have to work 40 hours every week either. A decent salaried employee keeps an eye on time since it's an important metric for how much work is reasonable to expect a salaried employee to do but it is NOT the absolute metric.

Companies who have tried to do it differently - that is, not pay OT and make you work late during crunch time - and still make you work 40 hours - regularly end up paying very large fines and back salary to people when they get sued. It's healthy for that to happen for owners of those companies to get slapped silly for trying to exploit workers from time to time.

Once more as I keep saying this needs to be handled from an employee management standpoint via managers and HR not from the IT department trying to play God and the managers being wussies and afraid to talk to employees.

Is it simply that a large number of IT people are on the autism spectrum and have social anxiety disorder that they will literally waste weeks of company time on elaborate technical solutions that can be handled in 5 minutes by a manager walking up to an employee and saying "hey dude you know that thing you are doing with the VPN, well knock it off"

Or is it that their anxiety disorder and desire to Play God just drives them to believe that every other employee in the company is trying to screw IT???

Sheesh!!!

Ted

-Original Message-
From: PLUG On Behalf Of Daniel Ortiz
Sent: Wednesday, April 19, 2023 1:39 PM
To: Portland Linux/Unix Group
Subject: Re: [PLUG] 3rd party vpn Defense evasion

Disclaimer: some of the following if not all could be wrong.

Wouldn't it be easier to deal with the credentials side to avoid this problem in the first place? To illustrate what I mean, here's a theoretical idea that while it might be flawed (like potential security failures), could be useful in terms of guidance. When an employee logs in, it sends an email to their company Gmail account to complete the login procedure. They click the link to a Google form which requires them to be logged in to their company Google account for the submitted form to either work or be considered valid. Once it's submitted, a program will allow them to finish the login process. Also, doing something with a company Google account could be helpful since Google records the devices you logged in with, which if a company can check that, they can see if there are any suspicious devices.

On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil wrote:
> We're chasing this from the data science side as well. As far as charting the pattern of activity and flagging anomalies. This should trap the subs since he/she won't be checking email, responding to chat messages etc, or hopefully time of activity could give us clues.
>
> I do agree, there are many VPN commercial services and they will never advertise servers' properties, besides there's lots of other open-VPN options.
>
> We shall conquer!
>
> On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt wrote:
> >
> > -Original Message-
> > From: PLUG On Behalf Of John Jason Jordan
> > Sent: Tuesday, April 18, 2023 2:00 PM
> >
> > >It would be nice if VPN services advertised how effectively they stop others from finding out who and where you really are.
> >
> > They are never going to do this because they are constantly tweaking their proprietary protocols to get around firewalls, and they don't want the firewall vendors knowing when they made a change to get past firewalls. And given who some of the firewall vendors are, and what the
Re: [PLUG] 3rd party vpn Defense evasion
Disclaimer: some of the following if not all could be wrong.

Wouldn't it be easier to deal with the credentials side to avoid this problem in the first place? To illustrate what I mean, here's a theoretical idea that while it might be flawed (like potential security failures), could be useful in terms of guidance. When an employee logs in, it sends an email to their company Gmail account to complete the login procedure. They click the link to a Google form which requires them to be logged in to their company Google account for the submitted form to either work or be considered valid. Once it's submitted, a program will allow them to finish the login process. Also, doing something with a company Google account could be helpful since Google records the devices you logged in with, which if a company can check that, they can see if there are any suspicious devices.

On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil wrote:
> We're chasing this from the data science side as well. As far as charting the pattern of activity and flagging anomalies. This should trap the subs since he/she won't be checking email, responding to chat messages etc, or hopefully time of activity could give us clues.
>
> I do agree, there are many VPN commercial services and they will never advertise servers' properties, besides there's lots of other open-VPN options.
>
> We shall conquer!
>
> On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt wrote:
> >
> > -Original Message-
> > From: PLUG On Behalf Of John Jason Jordan
> > Sent: Tuesday, April 18, 2023 2:00 PM
> >
> > >It would be nice if VPN services advertised how effectively they stop others from finding out who and where you really are.
> >
> > They are never going to do this because they are constantly tweaking their proprietary protocols to get around firewalls, and they don't want the firewall vendors knowing when they made a change to get past firewalls. And given who some of the firewall vendors are, and what they do to people they don't like, this is very understandable.
> >
> > This stuff is getting very advanced nowadays since many firewalls are doing deep packet inspection, and looking specifically for patterns in packet traffic that indicate it is VPN traffic encapsulated in regular http or https traffic. So the proprietary vpn clients will modify the encrypted traffic to make it look like regular https traffic.
> >
> > Never forget that for you, me, and probably all the readers of this list, that creating, using, blocking and messing around with VPNs is really mainly an intellectual exercise, but that there are many people in the world in places like Russia and China where a secure VPN means not having people breaking their doors down in the middle of the night and hauling them off to prison - or worse.
> >
> > Ted
Re: [PLUG] 3rd party vpn Defense evasion
-Original Message-
From: PLUG On Behalf Of Ishak Micheil
Sent: Wednesday, April 19, 2023 7:29 AM
To: Portland Linux/Unix Group
Subject: Re: [PLUG] 3rd party vpn Defense evasion

>We shall conquer!

Ah, no you won't. But go ahead and think that if it makes you sleep easier. And if you get seriously annoying to the subs they will start suing you for breach of contract.

Ted
Re: [PLUG] 3rd party vpn Defense evasion
We're chasing this from the data science side as well. As far as charting the pattern of activity and flagging anomalies. This should trap the subs since he/she won't be checking email, responding to chat messages etc, or hopefully time of activity could give us clues.

I do agree, there are many VPN commercial services and they will never advertise servers' properties, besides there's lots of other open-VPN options.

We shall conquer!

On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt wrote:
>
> -Original Message-
> From: PLUG On Behalf Of John Jason Jordan
> Sent: Tuesday, April 18, 2023 2:00 PM
>
> >It would be nice if VPN services advertised how effectively they stop others from finding out who and where you really are.
>
> They are never going to do this because they are constantly tweaking their proprietary protocols to get around firewalls, and they don't want the firewall vendors knowing when they made a change to get past firewalls. And given who some of the firewall vendors are, and what they do to people they don't like, this is very understandable.
>
> This stuff is getting very advanced nowadays since many firewalls are doing deep packet inspection, and looking specifically for patterns in packet traffic that indicate it is VPN traffic encapsulated in regular http or https traffic. So the proprietary vpn clients will modify the encrypted traffic to make it look like regular https traffic.
>
> Never forget that for you, me, and probably all the readers of this list, that creating, using, blocking and messing around with VPNs is really mainly an intellectual exercise, but that there are many people in the world in places like Russia and China where a secure VPN means not having people breaking their doors down in the middle of the night and hauling them off to prison - or worse.
>
> Ted
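The "chart the pattern of activity and flag anomalies" idea in the post above, combined with the commercial-VPN-exit block lists Ted mentions in his first reply further down the thread, comes down to a few rules run over the remote-access login log. The following is an added example written for this page, not code from any participant: the log format, the account names, the "known VPN exit" ranges (RFC 5737 documentation addresses standing in for a firewall vendor's list) and the business-hours window are all constructed assumptions.

```python
"""Flag remote-access logins that fit the shared-credential-via-VPN pattern.

Added example for the PLUG thread, not any poster's code. Three rules:
  1. source address is inside a known commercial VPN exit range,
  2. login outside business hours,
  3. a second successful login for the same account, within a short
     window, from a different /24 (two people on one credential).
All ranges, names and log lines below are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a vendor-maintained VPN exit list (RFC 5737 space).
KNOWN_VPN_EXITS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.64/26")]
BUSINESS_HOURS = range(7, 20)            # assumption: 07:00-19:59 local is normal
CONCURRENT_WINDOW = timedelta(minutes=60)  # assumption: two networks within an hour is suspicious

# Constructed sample log: timestamp then key=value pairs, one login event per line.
LOG = """\
2023-04-18T09:02:11 user=jjordan src=192.0.2.44 event=login result=ok
2023-04-18T09:40:05 user=jjordan src=203.0.113.17 event=login result=ok
2023-04-18T02:15:40 user=jjordan src=198.51.100.90 event=login result=ok
2023-04-18T10:01:00 user=asmith src=10.20.30.40 event=login result=ok
2023-04-18T10:03:22 user=asmith src=10.20.30.40 event=login result=fail
"""


def parse_line(line):
    """One log line -> dict with parsed timestamp and ip_address object."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def netblock(addr):
    """Coarse 'same network' key: /24 for IPv4, /64 for IPv6."""
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def analyze(log_text, window=CONCURRENT_WINDOW):
    """Return findings (sorted by time) for successful logins that trip a rule."""
    logins = [r for r in (parse_line(l) for l in log_text.splitlines() if l.strip())
              if r.get("event") == "login" and r.get("result") == "ok"]
    by_user = defaultdict(list)
    for r in logins:
        by_user[r["user"]].append(r)

    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        prev = None
        for r in recs:
            reasons = []
            if any(r["src"] in net for net in KNOWN_VPN_EXITS):
                reasons.append("known_vpn_exit")
            if r["ts"].hour not in BUSINESS_HOURS:
                reasons.append("off_hours")
            # Compare with this account's previous successful login only:
            # a new network inside the window means two sessions, two places.
            if prev and r["ts"] - prev["ts"] <= window and netblock(r["src"]) != netblock(prev["src"]):
                reasons.append("concurrent_session_from_other_network")
            if reasons:
                findings.append({"ts": r["ts"], "user": user, "src": r["src"],
                                 "reasons": reasons, "previous_src": prev["src"] if prev else None})
            prev = r
    findings.sort(key=lambda f: f["ts"])
    return findings


if __name__ == "__main__":
    for f in analyze(LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['user']:<10} {f['src']!s:<16} {', '.join(f['reasons'])}")
```

On the constructed log this reports two of jjordan's three logins: the 02:15 login from a listed exit range (off hours as well), and the 09:40 login from another listed range that arrives 38 minutes after a login from a different /24. The rules are deliberately per-account and stateless across days; the next step Ishak describes, correlating with mail and chat activity, needs those sources joined on the same account and time window, which this example does not attempt.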
Re: [PLUG] 3rd party vpn Defense evasion
I'm pretty sure I saw J Jason Jordan on the TV the other day railing that Spider Man is public enemy number 1. :)

On Wed, Apr 19, 2023 at 1:50 AM Michael Rasmussen wrote:
> On 2023-04-18 12:01, Ishak Micheil wrote:
> > John is a contractor, hires someone else to do the work. VDI setup, he shares his creds with the subcontractor who possibly is actually in a different country. Using VPN services prior to logging in to mask their locations.
>
> Ahh, you've discovered the root of your problem: J Jason Jordan is a terrorist as he wrote in his post earlier in this thread.
>
> --
> Michael Rasmussen
> Be Appropriate && Follow Your Curiosity
Re: [PLUG] 3rd party vpn Defense evasion
On 2023-04-18 12:01, Ishak Micheil wrote:
> John is a contractor, hires someone else to do the work. VDI setup, he shares his creds with the subcontractor who possibly is actually in a different country. Using VPN services prior to logging in to mask their locations.

Ahh, you've discovered the root of your problem: J Jason Jordan is a terrorist as he wrote in his post earlier in this thread.

--
Michael Rasmussen
Be Appropriate && Follow Your Curiosity
Re: [PLUG] 3rd party vpn Defense evasion
-Original Message-
From: PLUG On Behalf Of John Jason Jordan
Sent: Tuesday, April 18, 2023 2:00 PM

>It would be nice if VPN services advertised how effectively they stop others from finding out who and where you really are.

They are never going to do this because they are constantly tweaking their proprietary protocols to get around firewalls, and they don't want the firewall vendors knowing when they made a change to get past firewalls. And given who some of the firewall vendors are, and what they do to people they don't like, this is very understandable.

This stuff is getting very advanced nowadays since many firewalls are doing deep packet inspection, and looking specifically for patterns in packet traffic that indicate it is VPN traffic encapsulated in regular http or https traffic. So the proprietary vpn clients will modify the encrypted traffic to make it look like regular https traffic.

Never forget that for you, me, and probably all the readers of this list, that creating, using, blocking and messing around with VPNs is really mainly an intellectual exercise, but that there are many people in the world in places like Russia and China where a secure VPN means not having people breaking their doors down in the middle of the night and hauling them off to prison - or worse.

Ted
Re: [PLUG] 3rd party vpn Defense evasion
I have to say reading this I had to get a floor jack to put my jaw back into my face it dropped so far.

This contractor has apparently discerned that you do NOT want him running a personal VPN on your network. But, he doesn't give a crap about what you want, he's doing it anyway. And on top of that he's doing it in a way to hide it.

Did it not occur to you that if he doesn't give a shit about your rules against running a personal VPN that there is going to be other stuff you care about that he's not going to give a shit about either?

Here's a thought. When you issue contracts to contractors just explicitly prohibit subcontracting. Then if John subcontracts anyway, then sue his ass out of business.

As I said earlier, technical blocks are NOT the way to handle this problem.

Ted

-Original Message-
From: PLUG On Behalf Of Ishak Micheil
Sent: Tuesday, April 18, 2023 12:02 PM
To: Portland Linux/Unix Group
Subject: Re: [PLUG] 3rd party vpn Defense evasion

The use case I'm working on is to prevent employees or contractors from subcontracting work. John is a contractor, hires someone else to do the work. VDI setup, he shares his creds with the subcontractor who possibly is actually in a different country. Using VPN services prior to logging in to mask their locations.

On Tue, Apr 18, 2023, 11:07 AM Russell Senior wrote:
> Can you elaborate, in general terms, on what the goal is?
>
> --
> Russell Senior
> russ...@personaltelco.net
>
> On Tue, Apr 18, 2023 at 8:38 AM Ishak Micheil wrote:
> > Greetings,
> > I am tasked to identify a solution to detecting users obfuscating their IP, using a variety of VPN services.
> >
> > What we've done
> > - Prevent users from installing software (VPN Clients)
> >
> > - Possibly having code on endpoints, to collect IP addresses tied to wifi or LAN connection prior to attaching to VPN service,
> >
> > any other ideas?
Re: [PLUG] 3rd party vpn Defense evasion
On Tue, 18 Apr 2023 17:38:23 + Ted Mittelstaedt dijo:

>It's not going to be possible to block all VPNs.

I've been using a VPN for several years now, currently Mullvad (Stockholm-based). I'm curious about the efficacy of various VPN services. I selected Mullvad (and PIA previously) based on how badly they cut my gigabit access speed. In that respect most give you about 10% of what our ISP provides, if you're lucky. But that was the only way I had to shop for a VPN. I have no idea how good they are at all the many other issues you brought up.

I do know that web sites think I am in the city where I am connected to one of the servers, Houston at the moment. I know that because, e.g., I tried to access safeway.com while connected to Mullvad in Stockholm, which rudely told me that I was not in the US, so I was denied access because I was clearly a terrorist or other evildoer.

It would be nice if VPN services advertised how effectively they stop others from finding out who and where you really are.
Re: [PLUG] 3rd party vpn Defense evasion
The use case I'm working on is to prevent employees or contractors from subcontracting work. John is a contractor, hires someone else to do the work. VDI setup, he shares his creds with the subcontractor who possibly is actually in a different country. Using VPN services prior to logging in to mask their locations.

On Tue, Apr 18, 2023, 11:07 AM Russell Senior wrote:
> Can you elaborate, in general terms, on what the goal is?
>
> --
> Russell Senior
> russ...@personaltelco.net
>
> On Tue, Apr 18, 2023 at 8:38 AM Ishak Micheil wrote:
> > Greetings,
> > I am tasked to identify a solution to detecting users obfuscating their IP, using a variety of VPN services.
> >
> > What we've done
> > - Prevent users from installing software (VPN Clients)
> >
> > - Possibly having code on endpoints, to collect IP addresses tied to wifi or LAN connection prior to attaching to VPN service,
> >
> > any other ideas?
Re: [PLUG] 3rd party vpn Defense evasion
Can you elaborate, in general terms, on what the goal is?

--
Russell Senior
russ...@personaltelco.net

On Tue, Apr 18, 2023 at 8:38 AM Ishak Micheil wrote:
> Greetings,
> I am tasked to identify a solution to detecting users obfuscating their IP, using a variety of VPN services.
>
> What we've done
> - Prevent users from installing software (VPN Clients)
>
> - Possibly having code on endpoints, to collect IP addresses tied to wifi or LAN connection prior to attaching to VPN service,
>
> any other ideas?
Re: [PLUG] 3rd party vpn Defense evasion
It's not going to be possible to block all VPNs. If the users are smart and they have their own Internet connection at home then they can set up a SOCKS vpn proxy server on a PC on their home network then use dynamic dns with their home PC. If you discover the traffic they can just reboot their home cable modem or whatever and get a fresh IP or change the listening port.

You really can only block the commercial or popular VPN servers out there to prevent the users who don't understand networking and are the point-and-click types from accessing the commercial services. And most organizations that do this have found it a lot easier to just pay a commercial firewall provider like Palo Alto to maintain the block lists for them. You can start here:

https://unit42.paloaltonetworks.com/person-vpn-network-visibility/

Keep in mind that many of the commercial firewall providers play both sides against each other. For example, Fortinet sells both firewalls designed to block VPNs, and on the same firewall that you can configure to block VPNs from your internal network that are going out to VPN providers, you can set that same firewall device up to provide "crypto vpns" to your users that are designed to evade other people's firewalls (if your users are remoting in from someone else's network). The irony is rather amusing.

The only way I've ever seen true blocking work is when a company has a policy that prohibits most employees with the exception of permitted ones from accessing the Internet completely. That is, no web browsing, no zoom, no nothing. And, that is VERY appropriate for certain classes of employees. A checker in a grocery store has no need to be able to surf the web from their cash register that is running on a PC, for example. So you list all the IPs of those registers in your firewall for complete outbound blocks.

But, if you do that all your good employees who are NOT abusing your internet service are going to quit on you and the bad apples who are using it for gaming, watching porn, and so on, on company time will just bring their cell phones into the office and use cell carriers for Internet connection on personal cell phones and waste their time that way.

You cannot cover up CEO timidity on managing their people with technology. You will just piss off the good eggs who will say "I don't need this shit" and quit on you, leaving the bad eggs who nobody else will hire and you are unwilling to fire because you are scared of them. And if you block the bad eggs from wasting time on the Internet they will find plenty of other ways to waste time.

Putting IT as the opponent to users never works. Users just quit going to IT with their problems and find other solutions (like personal VPNs) which most of the time cause more problems.

It may seem counterintuitive but the most productive companies out there unblock everything, have everyone sign AUPs that prohibit obvious crap like online gaming, porn, online gambling, personal shopping (except during lunch hour) and in general treat employees like adults and trust them and make it clear that there is safe harbor for any employee who reports another employee violating that trust. (for any reason) The only exceptions to this are certain kinds of transactions (such as cash handling) and the fact is the good eggs WANT IT monitoring that sort of thing just to protect themselves from being accused of theft, etc.

One of the biggest problems in HR today is HR departments being forced by the executive board to cover up malfeasance by managers, directors, and members of the C suite. Stories of "secretary banging the boss and was reported to HR and they fired the person reporting it" are legion and are the quickest way to ruining your corporate culture and losing your talent. A CEO absolutely needs to shut this sort of behavior down in their corporate culture.

One of the largest markets for firewall companies that make VPN blockers are schools, particularly high schools. That's because you have an organization that by default pits the students against the administration. The last thing any company owner should want is to seek to duplicate that kind of environment in their company.

Ted

-Original Message-
From: PLUG On Behalf Of Ishak Micheil
Sent: Tuesday, April 18, 2023 8:38 AM
To: Portland Linux/Unix Group
Subject: [PLUG] 3rd party vpn Defense evasion

Greetings,
I am tasked to identify a solution to detecting users obfuscating their IP, using a variety of VPN services.

What we've done
- Prevent users from installing software (VPN Clients)

- Possibly having code on endpoints, to collect IP addresses tied to wifi or LAN connection prior to attaching to VPN service,

any other ideas?
[PLUG] 3rd party vpn Defense evasion
Greetings,
I am tasked to identify a solution to detecting users obfuscating their IP, using a variety of VPN services.

What we've done
- Prevent users from installing software (VPN Clients)

- Possibly having code on endpoints, to collect IP addresses tied to wifi or LAN connection prior to attaching to VPN service,

any other ideas?
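The second item in the original post, code on the endpoint that records the addresses on the wifi or LAN interface before any VPN is attached, is straightforward to sketch as a snapshot comparison. The following is an added example written for this page, not code from the original poster or anyone else in the thread. It assumes a Linux endpoint agent that captures `ip -j addr show` and `ip -j route show` (iproute2 JSON output) at login and again later; the two snapshots embedded below are constructed to mimic that output and are not captured from a real host.

```python
"""Endpoint-side check: keep the pre-VPN network state and flag when a tunnel
interface appears or the default route is taken over.

Added example for the PLUG thread, not any poster's code. It assumes the
iproute2 JSON output shape (`ip -j addr show`, `ip -j route show`); the
BASELINE and CURRENT snapshots below are constructed, not real captures."""
import json
import subprocess

# Interface name prefixes that almost always belong to tunnel devices
# (assumption: extend for the clients actually seen in your estate).
TUNNEL_PREFIXES = ("tun", "tap", "wg", "utun", "ppp", "ipsec", "tailscale")
# The two /1 routes that VPN clients install to override the default route
# without deleting it (OpenVPN's "redirect-gateway def1" behaviour).
SPLIT_DEFAULT = ("0.0.0.0/1", "128.0.0.0/1")


def tunnel_interfaces(addr_json):
    """Interfaces that look like tunnels: tunnel-style name, or link_type
    'none', which iproute2 reports for tun and wireguard devices."""
    return sorted(
        dev["ifname"] for dev in addr_json
        if dev["ifname"] != "lo"
        and (dev["ifname"].startswith(TUNNEL_PREFIXES) or dev.get("link_type") == "none")
    )


def physical_addrs(addr_json):
    """Interface -> addresses for everything that is neither loopback nor a
    tunnel: the 'IP tied to wifi or LAN' the endpoint should report."""
    tunnels = set(tunnel_interfaces(addr_json))
    return {
        dev["ifname"]: [a["local"] for a in dev.get("addr_info", [])]
        for dev in addr_json
        if dev["ifname"] != "lo" and dev["ifname"] not in tunnels
    }


def default_route_devs(route_json):
    """Devices carrying the default route or the split-default pair."""
    return {r["dev"] for r in route_json if r.get("dst") in ("default",) + SPLIT_DEFAULT}


def assess(baseline, current):
    """Compare a pre-VPN snapshot with a later one; return what changed."""
    new_tunnels = sorted(set(tunnel_interfaces(current["addr"]))
                         - set(tunnel_interfaces(baseline["addr"])))
    return {
        "baseline_addrs": physical_addrs(baseline["addr"]),
        "new_tunnels": new_tunnels,
        "default_route_moved": default_route_devs(current["route"]) != default_route_devs(baseline["route"]),
        "split_default_route": any(r.get("dst") in SPLIT_DEFAULT for r in current["route"]),
    }


def live_snapshot():
    """Capture the real tables on a Linux host with iproute2 JSON support."""
    def run(*args):
        return json.loads(subprocess.check_output(["ip", "-j", *args], text=True))
    return {"addr": run("addr", "show"), "route": run("route", "show")}


# Constructed snapshots in iproute2 JSON shape: a laptop on 192.168.1.0/24 ...
BASELINE = {
    "addr": [
        {"ifindex": 1, "ifname": "lo", "link_type": "loopback",
         "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
        {"ifindex": 2, "ifname": "eth0", "link_type": "ether",
         "addr_info": [{"family": "inet", "local": "192.168.1.23", "prefixlen": 24}]},
    ],
    "route": [
        {"dst": "default", "gateway": "192.168.1.1", "dev": "eth0", "protocol": "dhcp"},
        {"dst": "192.168.1.0/24", "dev": "eth0", "protocol": "kernel", "scope": "link"},
    ],
}
# ... that later brings up tun0 and gets the /1 pair plus a host route to the VPN server.
CURRENT = {
    "addr": BASELINE["addr"] + [
        {"ifindex": 5, "ifname": "tun0", "link_type": "none",
         "addr_info": [{"family": "inet", "local": "10.8.0.6", "prefixlen": 24}]},
    ],
    "route": BASELINE["route"] + [
        {"dst": "0.0.0.0/1", "gateway": "10.8.0.1", "dev": "tun0"},
        {"dst": "128.0.0.0/1", "gateway": "10.8.0.1", "dev": "tun0"},
        {"dst": "203.0.113.5", "gateway": "192.168.1.1", "dev": "eth0"},  # constructed VPN server address
    ],
}

if __name__ == "__main__":
    print(json.dumps(assess(BASELINE, CURRENT), indent=2))
```

Running it against the constructed snapshots reports the baseline LAN address on eth0, tun0 as a new tunnel, and both the changed set of default-route devices and the presence of the 0.0.0.0/1 + 128.0.0.0/1 pair. As Ted notes elsewhere in the thread, a user who proxies through a box at home rather than installing a VPN client creates no tunnel interface at all, so this check covers the point-and-click VPN-client case, not every way of hiding a source address; `live_snapshot()` is what the agent would call in place of the constants on a real Linux host.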