Re: [PLUG] 3rd party vpn Defense evasion

2023-04-24 Thread Ted Mittelstaedt

When you firmly disagree you are personally discriminating against anyone on 
the mild end of the spectrum.  I am NOT discriminating by advocating a positive 
view of mild autism.  Discrimination by definition is negative.  As the saying 
goes, intolerance of Intolerance is NOT intolerance.  Only the shrieking ultra 
right-wingers who carry the racist and intolerance flags claim that anyone 
opposing their viewpoint is "intolerant".  That is what you are doing.

And when you propagate that attitude to other people that being on the mild end 
of the spectrum is a disorder, and that viewing it as a positive is a personal 
process and not reality, then you are propagating that discriminatory attitude 
towards others.  Same when you use terms like "shit" to refer to an autism 
discussion.

What is NOT factual is labeling mild cases as a disorder any more than labeling 
same sex preference as a disorder is factual.  While a lot of people who should 
know better are doing this, including some in the medical community, that ISN'T 
a fact.  It is an opinion.

I gave a logical explanation that explains why autism has been on the rise for 
centuries and facts that support that, which is a damn sight better than the 
medical community who has no explanation and sit around scratching their asses 
and wringing their hands about what to do about it. (and suggesting diet 
changes as fixes and other rubbish)  An evolutionary advantage to the 
individual CANNOT by definition be a disorder.   While it may be very 
irritating to people for 1 person to be 6 1/2 feet tall and make millions as a 
basketball star, his height is NOT a disorder, because it gives him an 
advantage over the rest of them.  It is only jealous people who label mild 
autism as a disorder.

This is how evolution works.  Yes there are 7 foot tall people but the medical 
literature shows that that amount of height carries more detriments than 
advantages, while a mild amount of height gain carries more advantages than 
detriments, thus evolution favors the 6.5 over the 6 and over the 7.  Just 
because extreme cases of autism are detriments to the individual and can be 
labeled disorders does not mean that mild cases are disorders, any more than 6.5 
is a height disorder just because 7 is.  I hate having to waste all this time 
spelling out logic but it seems I have to, here.

Discussion of how Linux can be moved out of the "experimenters corner" and into 
mainstream general public is certainly appropriate for a Linux mailing list.  
If nobody in the Linux community cared about that we wouldn't have Linux GUI 
desktops; the command line+terminfo & curses would be perfectly fine as an 
interface.   If you think it belongs on -talk you know how to set followups.  
One of the largest obstacles to doing this is failure by the "techies" and 
"experimenters" to understand how the general public thinks about and views 
technology.  This is CLEARLY a result of so many in the Linux and tech 
community being on the spectrum and therefore having difficulty understanding 
WHY the general public cannot immediately see and understand the technical 
superiority of Linux, and throw Windows into the trash where it belongs.  Just 
as you seem to be having difficulty understanding WHY it's not appropriate for 
an IT department to be attempting to violate contracts signed between a 
business and a contractor, because after they were signed the business suddenly 
decides they don't like their contractor subcontracting by using VPNs and 
instead of renegotiating the contract to prohibit subcontracting, attempts to 
make things difficult by erecting VPN blocks.

And note we only went down this rabbit hole because of your extreme reaction to 
my suggesting that the answer to how do we block VPN traffic was to say not to 
do it in the first place (and why).

Ted

-Original Message-
From: PLUG  On Behalf Of Ben Koenig
Sent: Sunday, April 23, 2023 5:53 PM
To: Portland Linux/Unix Group 
Subject: Re: [PLUG] 3rd party vpn Defense evasion

While I firmly disagree, I don't have any issue with people who want to see 
autism as a positive thing. How we come to terms with our humanity and the 
shitstorm that is society is a personal process.

But when you project your attitude onto others without thinking you end up 
discriminating. Even if you don't consider autism to be a disorder, it still 
comes down to whether or not it's a fact, and you are not in position to make 
that claim. It's really not about autism being good or bad, it's about the 
claim and how others feel about it. And these days convincing someone they have 
autism when they don't can be extremely dangerous and life threatening so maybe 
don't casually bring it up.

I don't want to see this shit on PLUG. This is an online text-only format with 
a specific focus on Linux conversations so if you want to get into the 
prevalence of autistic nerds in the IT 

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-23 Thread Ben Koenig
While I firmly disagree, I don't have any issue with people who want to see 
autism as a positive thing. How we come to terms with our humanity and the 
shitstorm that is society is a personal process.

But when you project your attitude onto others without thinking you end up 
discriminating. Even if you don't consider autism to be a disorder, it still 
comes down to whether or not it's a fact, and you are not in position to make 
that claim. It's really not about autism being good or bad, it's about the 
claim and how others feel about it. And these days convincing someone they have 
autism when they don't can be extremely dangerous and life threatening so maybe 
don't casually bring it up.

I don't want to see this shit on PLUG. This is an online text-only format with 
a specific focus on Linux conversations so if you want to get into the 
prevalence of autistic nerds in the IT world feel free to take it to PLUG-TALK. 
I'm the last person to dictate politeness on any online forum but I'm gonna sit 
my ass down on this hill and say that bringing statements about mental health 
into a discussion about linux network monitoring is crossing multiple lines. If 
any PLUG old-timers want to get cranky about my attitude I'll show myself the 
door. :)

And for the record, thanks for taking a day to write an honest and 
significantly less toxic response. Most people would have doubled down on their 
BS rather than explain it.
-Ben


--- Original Message ---
On Sunday, April 23rd, 2023 at 3:23 PM, Ted Mittelstaedt 
 wrote:


> Well as I have been on the autism scale myself since I was born and I have 
> read quite a bit about it in an effort to understand what my differences are, 
> I perhaps have a radically different view of it than you do. It is not a 
> disorder unless someone is severely autistic. It is, in fact, an evolutionary 
> advantage that has become more prevalent in humans for the simple and obvious 
> reason that it gives people who have "mild" cases of it the ability to be 
> highly successful with technology and machinery as well as music and the 
> arts. As humans have become more civilized, people with the genetic group 
> that causes autism have out competed people that lack this. Einstein for 
> example is a textbook example. I've worked in high tech since 1994 and the 
> most successful programmers, engineers, IT people - the "techies" of the 
> world - are all on the scale. That is after all what the word nerd was coined 
> to describe. So I am actually rather proud of being on the scale and I DON'T 
> regard having it negatively. I'm sorry you do and I hope you can eventually 
> realize your view of it being a disorder is discriminatory. IMHO the biggest 
> proponents of the idea that mild autism is a disorder are old school 
> educators whose main goal in life is getting kids in school to sit down and 
> shut up. Happily that view is gradually changing but it's clear we still have 
> a lot of work to do.
> 
> 
> From: PLUG plug-boun...@pdxlinux.org on behalf of Ben Koenig 
> techkoe...@protonmail.com
> 
> Sent: Saturday, April 22, 2023 5:29:40 PM
> To: Portland Linux/Unix Group plug@pdxlinux.org
> 
> Subject: Re: [PLUG] 3rd party vpn Defense evasion
> 
> --- Original Message ---
> On Tuesday, April 18th, 2023 at 8:38 AM, Ishak Micheil isaa...@gmail.com 
> wrote:
> 
> 
> 
> > Greetings,
> > I am tasked to identify a solution to detecting users obfuscating their ip,
> > using variety of VPN services.
> > 
> > What we've done
> > - Prevent users from installing software (VPN Clients)
> > 
> > - Possibly having a code on endpoints, to collect ip addresses tied to wifi
> > or LAN connection prior to attaching to VPN service,
> > 
> > any other ideas?
> 
> 
> 
> Some people want to debate this as some sort of political issue, but it's 
> pretty straight forward. This usually is more of a concern at SMBs that don't 
> want to splurge for company managed hardware and ask their employees to BYoD. 
> This then creates anxiety among managers that gets projected down to IT.
> 
> If you control the VDI system, then you have the ability to see who is 
> connecting. At most companies the VPN software used to connect to the VDI is 
> ALSO company managed, so you can see that too.
> 
> So, you log all accesses to the VPN on the server side and monitor for 
> trends. You may not be able to stop an employee from giving out access 
> credentials, but you can see when the IP address used to connect the VPN 
> changes. From here, you implement Zero-trust policies where only known IP 
> addresses are able to access the network because you know the IP address, but 
> 

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-23 Thread Ted Mittelstaedt
Well as I have been on the autism scale myself since I was born and I have read 
quite a bit about it in an effort to understand what my differences are, I 
perhaps have a radically different view of it than you do.  It is not a 
disorder unless someone is severely autistic. It is, in fact, an evolutionary 
advantage that has become more prevalent in humans for the simple and obvious 
reason that it gives people who have "mild" cases of it the ability to be 
highly successful with technology and machinery as well as music and the arts.  
As humans have become more civilized, people with the genetic group that causes 
autism have out competed people that lack this. Einstein for example is a 
textbook example.  I've worked in high tech since 1994 and the most successful 
programmers, engineers, IT people - the "techies" of the world - are all on 
the scale.  That is after all what the word nerd was coined to describe.  So I 
am actually rather proud of being on the scale and I DON'T regard having it 
negatively. I'm sorry you do and I hope you can eventually realize your view of 
it being a disorder is discriminatory. IMHO the biggest proponents of the idea 
that mild autism is a disorder are old school educators whose main goal in life 
is getting kids in school to sit down and shut up.  Happily that view is 
gradually changing but it's clear we still have a lot of work to do.

From: PLUG  on behalf of Ben Koenig 

Sent: Saturday, April 22, 2023 5:29:40 PM
To: Portland Linux/Unix Group 
Subject: Re: [PLUG] 3rd party vpn Defense evasion

--- Original Message ---
On Tuesday, April 18th, 2023 at 8:38 AM, Ishak Micheil  
wrote:


> Greetings,
> I am tasked to identify a solution to detecting users obfuscating their ip,
> using variety of VPN services.
>
> What we've done
> - Prevent users from installing software (VPN Clients)
>
> - Possibly having a code on endpoints, to collect ip addresses tied to wifi
> or LAN connection prior to attaching to VPN service,
>
> any other ideas?


Some people want to debate this as some sort of political issue, but it's 
pretty straight forward. This usually is more of a concern at SMBs that don't 
want to splurge for company managed hardware and ask their employees to BYoD. 
This then creates anxiety among managers that gets projected down to IT.

If you control the VDI system, then you have the ability to see who is 
connecting. At most companies the VPN software used to connect to the VDI is 
ALSO company managed, so you can see that too.

So, you log all accesses to the VPN on the server side and monitor for trends. 
You may not be able to stop an employee from giving out access credentials, but 
you can see when the IP address used to connect the VPN changes. From here, you 
implement Zero-trust policies where only known IP addresses are able to access 
the network because you know the IP address, but may not have logged it 
effectively until now.

There are additional layers of control you can add but it ultimately comes down 
to what a given company is willing to provide for their employees/contractors. 
I've worked with systems that would make the kind of subcontracting you 
describe very difficult but in those cases you end up with the employer buying 
a special wifi router for their staff. A lot of managers will ask for a magical 
fix without understanding how much effort it takes to lock this down. For us in 
IT sometimes we just need to map out all the things that would need to be 
implemented and assign a $$$ value to them. Most companies will decide not to 
bother at that point.


Think of it like an arms race, at what point does your user have to jump 
through so many hoops that the act of enabling a subcontractor becomes more 
work than the actual job? Or, we could be Ted and go off on abusive rants about 
how IT people are autistic for even considering this type of solution. ;)
-Ben


P.S.  Hey Denis, I would have posted this info sooner since it's a pretty 
interesting question but was discouraged from doing so because Ted was trying 
to shit on everyone. May the Facts be with me :)


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Ben Koenig
--- Original Message ---
On Tuesday, April 18th, 2023 at 8:38 AM, Ishak Micheil  
wrote:


> Greetings,
> I am tasked to identify a solution to detecting users obfuscating their ip,
> using variety of VPN services.
> 
> What we've done
> - Prevent users from installing software (VPN Clients)
> 
> - Possibly having a code on endpoints, to collect ip addresses tied to wifi
> or LAN connection prior to attaching to VPN service,
> 
> any other ideas?


Some people want to debate this as some sort of political issue, but it's 
pretty straight forward. This usually is more of a concern at SMBs that don't 
want to splurge for company managed hardware and ask their employees to BYoD. 
This then creates anxiety among managers that gets projected down to IT. 

If you control the VDI system, then you have the ability to see who is 
connecting. At most companies the VPN software used to connect to the VDI is 
ALSO company managed, so you can see that too.

So, you log all accesses to the VPN on the server side and monitor for trends. 
You may not be able to stop an employee from giving out access credentials, but 
you can see when the IP address used to connect the VPN changes. From here, you 
implement Zero-trust policies where only known IP addresses are able to access 
the network because you know the IP address, but may not have logged it 
effectively until now.

There are additional layers of control you can add but it ultimately comes down 
to what a given company is willing to provide for their employees/contractors. 
I've worked with systems that would make the kind of subcontracting you 
describe very difficult but in those cases you end up with the employer buying 
a special wifi router for their staff. A lot of managers will ask for a magical 
fix without understanding how much effort it takes to lock this down. For us in 
IT sometimes we just need to map out all the things that would need to be 
implemented and assign a $$$ value to them. Most companies will decide not to 
bother at that point.


Think of it like an arms race, at what point does your user have to jump 
through so many hoops that the act of enabling a subcontractor becomes more 
work than the actual job? Or, we could be Ted and go off on abusive rants about 
how IT people are autistic for even considering this type of solution. ;)
-Ben


P.S.  Hey Denis, I would have posted this info sooner since it's a pretty 
interesting question but was discouraged from doing so because Ted was trying 
to shit on everyone. May the Facts be with me :)
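
The server-side logging and IP-change monitoring described in the message above, as an added example that is not part of the original post: it builds a per-user baseline of VPN source addresses and flags logins that deviate from it. The log format, sample lines, user names, cutoff date and function names are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real VPN server's output):
#   <ISO timestamp> vpn-auth user=<name> src=<ip> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample data using documentation-only address ranges.
SAMPLE_LOG = """\
2023-04-10T08:01:12 vpn-auth user=alice src=203.0.113.10 result=ok
2023-04-10T08:05:40 vpn-auth user=bob src=198.51.100.7 result=ok
2023-04-11T08:02:03 vpn-auth user=alice src=203.0.113.10 result=ok
2023-04-11T09:15:00 vpn-auth user=bob src=198.51.100.7 result=ok
2023-04-12T07:58:30 vpn-auth user=alice src=203.0.113.10 result=ok
2023-04-12T08:10:00 vpn-auth user=bob src=192.0.2.44 result=fail
2023-04-17T08:00:00 vpn-auth user=alice src=203.0.113.10 result=ok
2023-04-17T08:20:00 vpn-auth user=bob src=198.51.100.7 result=ok
2023-04-17T08:45:00 vpn-auth user=bob src=192.0.2.44 result=ok
2023-04-17T13:00:00 vpn-auth user=bob src=192.0.2.44 result=ok
2023-04-17T13:30:00 vpn-auth user=carol src=203.0.113.99 result=ok
garbled line that does not parse
"""

# Logins before CUTOFF form the baseline; logins after it are checked.
CUTOFF = datetime(2023, 4, 15)


def parse_log(text):
    """Return parsed events sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
            src = str(ipaddress.ip_address(m["src"]))  # rejects bad addresses
        except ValueError:
            continue
        events.append({"ts": ts, "user": m["user"], "src": src,
                       "ok": m["result"] == "ok"})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Map each user to the source IPs of successful logins before cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            baseline[e["user"]].add(e["src"])
    return dict(baseline)


def detect_changes(events, baseline, cutoff, window=timedelta(hours=1)):
    """Flag successful logins at or after cutoff that deviate from the baseline.

    Finding kinds:
      new_ip        user has a baseline, but this address is not in it
      no_baseline   user never logged in successfully before cutoff
      rapid_switch  same account, different address, within `window`
    """
    findings, reported, last = [], set(), {}
    for e in events:
        if not e["ok"] or e["ts"] < cutoff:
            continue
        user, src, stamp = e["user"], e["src"], e["ts"].isoformat()
        known = baseline.get(user)
        if known is None:
            kind = "no_baseline"
        elif src not in known:
            kind = "new_ip"
        else:
            kind = None
        # Report each (user, address) pair once to keep the output readable.
        if kind and (user, src) not in reported:
            reported.add((user, src))
            findings.append((kind, user, src, stamp))
        prev = last.get(user)
        if prev and prev[1] != src and e["ts"] - prev[0] <= window:
            findings.append(("rapid_switch", user, src, stamp))
        last[user] = (e["ts"], src)
    return findings


def is_allowed(user, src, baseline):
    """Allowlist decision: only addresses already known for this user pass."""
    return src in baseline.get(user, set())


def run_sample():
    """Run the whole pipeline over the constructed sample log."""
    events = parse_log(SAMPLE_LOG)
    return detect_changes(events, build_baseline(events, CUTOFF), CUTOFF)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

Residential and mobile addresses change on their own, so a `new_ip` finding is a lead for review rather than proof that credentials were shared.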


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Ben Koenig
or trying to exploit workers from time to
> > > time.
> > > 
> > > Once more as I keep saying this needs to be handled from an employee
> > > management standpoint via managers and HR not from the IT department 
> > > trying
> > > to play God and the managers being wussies and afraid to talk to 
> > > employees.
> > > 
> > > Is it simply that a large number of IT people are on the autism spectrum
> > > and have social anxiety disorder that they will literally waste weeks of
> > > company time on elaborate technical solutions that can be handled in 5
> > > minutes by a manager walking up to an employee and saying "hey dude you
> > > know that thing you are doing with the VPN, well knock it off"
> > > 
> > > Or is it that their anxiety disorder and desire to Play God just drives
> > > them to believe that every other employee in the company is trying to 
> > > screw
> > > IT???
> > > 
> > > Sheesh!!!
> > > 
> > > Ted
> > > 
> > > -Original Message-
> > > From: PLUG plug-boun...@pdxlinux.org On Behalf Of Daniel Ortiz
> > > 
> > > Sent: Wednesday, April 19, 2023 1:39 PM
> > > To: Portland Linux/Unix Group plug@pdxlinux.org
> > > 
> > > Subject: Re: [PLUG] 3rd party vpn Defense evasion
> > > 
> > > Disclaimer: some of the following if not all could be wrong.
> > > 
> > > Wouldn't it be easier to deal with the credentials side to avoid this
> > > problem in the first place? To illustrate what I mean, here's a 
> > > theoretical
> > > idea that while it might be flawed (like potential security failures),
> > > could be useful in terms of guidance. When an employee logs in, it sends 
> > > an
> > > email to their company Gmail account to complete the login procedure. They
> > > click the link to a Google form which requires them to be logged in to
> > > their company Google account for the submitted form to either work or be
> > > considered valid. Once, it's submitted, a program will allow them to 
> > > finish
> > > the login process. Also, doing something with a company Google account
> > > could be helpful since Google records the devices you logged in with, 
> > > which
> > > if a company can check that, they can see if there are any suspicious
> > > devices.
> > > 
> > > On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil isaa...@gmail.com wrote:
> > > 
> > > > We're chasing this from data science side as well. As far as charting
> > > > the pattern of activity and flag anomalies.
> > > > This should trap the subs since he/she won't be checking email,
> > > > responding to chat messages etc, or hopefully time of activity could
> > > > give us clues.
> > > > 
> > > > I do agree, there are many VPN commercial services and they will never
> > > > advertise servers properties, besides there's lots of other open-VPN
> > > > options.
> > > > 
> > > > We shall conquer!
> > > > 
> > > > On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt
> > > > t...@portlandia-it.com
> > > > wrote:
> > > > 
> > > > > -Original Message-
> > > > > From: PLUG plug-boun...@pdxlinux.org On Behalf Of John Jason
> > > > > Jordan
> > > > > Sent: Tuesday, April 18, 2023 2:00 PM
> > > > > 
> > > > > > It would be nice if VPN services advertised how effectively they
> > > > > > stop
> > > > > > others from finding out who and where you really are.
> > > > > 
> > > > > They are never going to do this because they are constantly tweaking
> > > > > their
> > > > > proprietary protocols to get around firewalls, and they don't want
> > > > > the firewall vendors knowing when they made a change to get past
> > > > > firewalls.
> > > > > And given who some of the firewall vendors are, and what they do to
> > > > > people
> > > > > they don't like, this is very understandable.
> > > > > 
> > > > > This stuff is getting very advanced nowadays since many firewalls
> > > > > are doing deep packet inspection, and looking specifically for
> > > > > patterns in packet traffic that indicate it is VPN traffic
> > > > > encapsulated in regular
> > > > > http
> > > > > or https traffic. So the proprietary vpn clients will modify the
> > > > > encrypted
> > > > > traffic to make it look like regular https traffic.
> > > > > 
> > > > > Never forget that for you, me, and probably all the readers of this
> > > > > list, that creating, using, blocking and messing around with VPNs is
> > > > > really
> > > > > mainly
> > > > > an intellectual exercise, but that there are many people in the
> > > > > world in places like Russia and China where a secure VPN means not
> > > > > having people breaking their doors down in the middle of the night
> > > > > and hauling them off to prison - or worse.
> > > > > 
> > > > > Ted


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Ted Mittelstaedt
Don’t worry about it Denis.  Ben is passionate about what he's doing and what 
he sees himself doing in security at any rate is protecting the organization 
from the evil people out there.  Naturally he's going to be frustrated when 
faced with the reality of company politics and fiscal money-making that 
sometimes clashes with this directive.

A good manager would recognize that both Ben and the employee or contractor who 
are outsourcing are right.

Yes, outsourcing can leak company vitals.  But, it can also shortcut a problem 
and get a product out ahead of a competitor.  It is right and valid to question 
if it's worth the risk to outsource.  I don't know Ben's CEO but if I were that 
CEO I would drag him and the contractors and employees he's going after into a 
conference room and tell both of them to convince me which one is right.

Ted

-Original Message-
From: PLUG  On Behalf Of Denis Heidtmann
Sent: Saturday, April 22, 2023 4:39 PM
To: Portland Linux/Unix Group 
Subject: Re: [PLUG] 3rd party vpn Defense evasion

What (positive) contribution do your insults bring to the discussion? Can you 
find a less hostile way to contribute?

-Denis

On Sat, Apr 22, 2023 at 4:02 PM Ben Koenig 
wrote:

> Don't be such a dipshit.
>
> Yes, HR and Management are responsible for taking corrective action 
> against employees not doing their job. "Job" in this context being 
> defined by that employee's contract so there's no reason for us to 
> speculate and pass judgement on whether or not IT should bother.
>
> What you seem to be missing in your attempt to over-compensate for 
> your sense of psychological supremacy is that in order to take correct 
> action from a management perspective, IT has to identify the digital paper 
> trail.
> That's what we do - We can and often should keep track of network 
> connections and report them accordingly. Whether that person gets 
> punished is not for us to say.
>
> And in some cases this has to be handled proactively. This kind of 
> subcontracting can create massive legal problems for some companies so 
> even if the manager goes and tells them to stop, it's too late. Data 
> has been leaked and lawsuits start to fly.
>
> Sadly there are a lot of people in the modern linux community that 
> seem to believe that their understanding of IT trumps everyone else. 
> Small, inexperienced minds that see their own personal use case as 
> superior to all others.
> -Ben
>
>
> --- Original Message ---
> On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt < 
> t...@portlandia-it.com> wrote:
>
>
> > For employees it depends if they are exempt or not. Any supervisory
> employee who can fire people is automatically considered exempt and 
> many other employee classifications (such as programming) are 
> considered exempt as well. (exemption is once more IRS and state 
> taxing authority determination that the company has no say over)
> >
> > If the employee is exempt from overtime then it's illegal for the
> company to require that they work a certain number of hours, or at 
> certain times. If the company DOES tell the employee this (that they 
> have to track their time) then the employee can hit them for mandatory 
> overtime (if they exceed 40 hours)
> >
> > Exempt/non exempt classifications are more commonly referred to as
> salaried/hourly employees.
> >
> > Long and short of it is you cannot use an online form to consider 
> > "work
> to be valid" for a salaried AKA exempt employee. Salaried employees 
> are paid BY THE JOB not by being logged into something for a certain time.
> >
> > Companies quite often forget that putting someone like a programmer 
> > on
> salary is a two way street. The benefit from the company's point of 
> view is they don't have to pay overtime for one of those 
> work-round-the-clock-push times. But in exchange for that, the 
> employee also doesn't have to work 40 hours every week either. A 
> decent salaried employee keeps an eye on time since it's an important 
> metric for how much work is reasonable to expect a salaried employee to do 
> but it is NOT the absolute metric.
> >
> > Companies who have tried to do it differently - that is, not pay OT 
> > and
> make you work late during crunch time - and still make you work 40 
> hours - regularly end up paying very large fines and back salary to 
> people when they get sued. It's healthy for that to happen for owners 
> of those companies to get slapped silly for trying to exploit workers 
> from time to time.
> >
> > Once more as I keep saying this needs to be handled from an employee
> management standpoint via managers and HR not from the IT department 
> trying to play God and the man

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Ted Mittelstaedt
increase security or something like that.  IT 
will ALWAYS lose in any political argument with an exempt employee.  Remember 
that.

Unless of course, that exempt employee is not actually working in a position 
that legally qualifies as exempt.  For sure, there are foolish companies out 
there that think they can exploit workers and con them into working unpaid 
overtime who do not qualify as exempt from OT.  And those companies routinely 
end up paying serious fines when they get caught.

I don't know why there is such confusion over what being an exempt employee 
means.  Being exempt from OT, ie: being salaried, effectively means that YOU 
are expected to be out there making money for the company any legal way 
possible because you are a stakeholder.  If you can do this by working 20 hours 
a week from home and never be in the office, then if the company has a CEO with 
any brains at all, they will tell every other employee in the company that 
complains about it to go pound sand.  If you can do this by violating every 
tenet of secure networking that IT holds dear, then if IT complains about it to 
the CEO IT will be told to pound sand.  Well run companies do NOT kill the 
geese that lay the golden eggs.  Even if those geese are stupid idiots.

And yes I have learned this from my years in IT.  I don't say that I like it.  
But, I like eating more, and food costs money so I too will side with the geese 
in a company laying the golden eggs even if it means telling my junior IT guys 
who have gotten puffed up reading the Best Practices security manual to pound 
sand.

Sorry about that.

Ted

-Original Message-
From: PLUG  On Behalf Of Ben Koenig
Sent: Saturday, April 22, 2023 4:02 PM
To: Portland Linux/Unix Group 
Subject: Re: [PLUG] 3rd party vpn Defense evasion

Don't be such a dipshit.

Yes, HR and Management are responsible for taking corrective action against 
employees not doing their job. "Job" in this context being defined by that 
employee's contract so there's no reason for us to speculate and pass judgement 
on whether or not IT should bother.

What you seem to be missing in your attempt to over-compensate for your sense 
of psychological supremacy is that in order to take correct action from a 
management perspective, IT has to identify the digital paper trail. That's what 
we do - We can and often should keep track of network connections and report 
them accordingly. Whether that person gets punished is not for us to say. 

And in some cases this has to be handled proactively. This kind of 
subcontracting can create massive legal problems for some companies so even if 
the manager goes and tells them to stop, it's too late. Data has been leaked and 
lawsuits start to fly. 

Sadly there are a lot of people in the modern linux community that seem to 
believe that their understanding of IT trumps everyone else. Small, 
inexperienced minds that see their own personal use case as superior to all 
others. 
-Ben


--- Original Message ---
On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt 
 wrote:


> For employees it depends if they are exempt or not. Any supervisory 
> employee who can fire people is automatically considered exempt and 
> many other employee classifications (such as programming) are 
> considered exempt as well. (exemption is once more IRS and state 
> taxing authority determination that the company has no say over)
> 
> If the employee is exempt from overtime then it's illegal for the 
> company to require that they work a certain number of hours, or at 
> certain times. If the company DOES tell the employee this (that they 
> have to track their time) then the employee can hit them for mandatory 
> overtime (if they exceed 40 hours)
> 
> Exempt/non exempt classifications are more commonly referred to as 
> salaried/hourly employees.
> 
> Long and short of it is you cannot use an online form to consider "work to be 
> valid" for a salaried AKA exempt employee. Salaried employees are paid BY THE 
> JOB not by being logged into something for a certain time.
> 
> Companies quite often forget that putting someone like a programmer on salary 
> is a two way street. The benefit from the company's point of view is they 
> don't have to pay overtime for one of those work-round-the-clock-push times. 
> But in exchange for that, the employee also doesn't have to work 40 hours 
> every week either. A decent salaried employee keeps an eye on time since it's 
> an important metric for how much work is reasonable to expect a salaried 
> employee to do but it is NOT the absolute metric.
> 
> Companies who have tried to do it differently - that is, not pay OT and make 
> you work late during crunch time - and still make you work 40 hours - 
> regularly end up paying very large fines and back salary to people when they 
> get sued. It's healthy for that to happen fo

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Denis Heidtmann
What (positive) contribution do your insults bring to the discussion? Can
you find a less hostile way to contribute?

-Denis

On Sat, Apr 22, 2023 at 4:02 PM Ben Koenig 
wrote:

> Don't be such a dipshit.
>
> Yes, HR and Management are responsible for taking corrective action
> against employees not doing their job. "Job" in this context being defined
> by that employee's contract so there's no reason for us to speculate and
> pass judgement on whether or not IT should bother.
>
> What you seem to be missing in your attempt to over-compensate for your
> sense of psychological supremacy is that in order to take correct action
> from a management perspective, IT has to identify the digital paper trail.
> That's what we do - We can and often should keep track of network
> connections and report them accordingly. Whether that person gets punished
> is not for us to say.
>
> And in some cases this has to be handled proactively. This kind of
> subcontracting can create massive legal problems for some companies so even
> if the manager goes and tells them to stop, it's too late. Data has been
> leaked and lawsuits start to fly.
>
> Sadly there are a lot of people in the modern linux community that seem to
> believe that their understanding of IT trumps everyone else. Small,
> inexperienced minds that see their own personal use case as superior to all
> others.
> -Ben
>
>
> --- Original Message ---
> On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt <
> t...@portlandia-it.com> wrote:
>
>
> > For employees it depends if they are exempt or not. Any supervisory
> > employee who can fire people is automatically considered exempt and many
> > other employee classifications (such as programming) are considered exempt
> > as well. (exemption is once more IRS and state taxing authority
> > determination that the company has no say over)
> >
> > If the employee is exempt from overtime then it's illegal for the
> > company to require that they work a certain number of hours, or at certain
> > times. If the company DOES tell the employee this (that they have to track
> > their time) then the employee can hit them for mandatory overtime (if they
> > exceed 40 hours)
> >
> > Exempt/non exempt classifications are more commonly referred to as
> > salaried/hourly employees.
> >
> > Long and short of it is you cannot use an online form to consider "work
> > to be valid" for a salaried AKA exempt employee. Salaried employees are
> > paid BY THE JOB not by being logged into something for a certain time.
> >
> > Companies quite often forget that putting someone like a programmer on
> > salary is a two way street. The benefit from the company's point of view is
> > they don't have to pay overtime for one of those work-round-the-clock-push
> > times. But in exchange for that, the employee also doesn't have to work 40
> > hours every week either. A decent salaried employee keeps an eye on time
> > since it's an important metric for how much work is reasonable to expect a
> > salaried employee to do but it is NOT the absolute metric.
> >
> > Companies who have tried to do it differently - that is, not pay OT and
> > make you work late during crunch time - and still make you work 40 hours -
> > regularly end up paying very large fines and back salary to people when
> > they get sued. It's healthy for that to happen for owners of those
> > companies to get slapped silly for trying to exploit workers from time to
> > time.
> >
> > Once more as I keep saying this needs to be handled from an employee
> > management standpoint via managers and HR not from the IT department trying
> > to play God and the managers being wussies and afraid to talk to employees.
> >
> > Is it simply that a large number of IT people are on the autism spectrum
> > and have social anxiety disorder that they will literally waste weeks of
> > company time on elaborate technical solutions that can be handled in 5
> > minutes by a manager walking up to an employee and saying "hey dude you
> > know that thing you are doing with the VPN, well knock it off"
> >
> > Or is it that their anxiety disorder and desire to Play God just drives
> > them to believe that every other employee in the company is trying to screw
> > IT???
> >
> > Sheesh!!!
> >
> > Ted
> >
> > -Original Message-
> > From: PLUG plug-boun...@pdxlinux.org On Behalf Of Daniel Ortiz
> >
> > Sent: Wednesday, April 19, 2023 1:39 PM
> > To: Portland Linux/Unix Group plug@pdxlinux.org
> >
> > Subject: Re: [PLUG] 3rd party vpn Defense evasion
> >
> > Disclaimer: some of the following if not all could be wrong.
> >
> > Wouldn't it 

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Ben Koenig
Don't be such a dipshit.

Yes, HR and Management are responsible for taking corrective action against 
employees not doing their job. "Job" in this context being defined by that 
employee's contract so there's no reason for us to speculate and pass judgement 
on whether or not IT should bother.

What you seem to be missing in your attempt to over-compensate for your sense 
of psychological supremacy is that in order to take correct action from a 
management perspective, IT has to identify the digital paper trail. That's what 
we do - We can and often should keep track of network connections and report 
them accordingly. Whether that person gets punished is not for us to say. 

And in some cases this has to be handled proactively. This kind of 
subcontracting can create massive legal problems for some companies so even if 
the manager goes and tells them to stop, it's too late. Data has been leaked and 
lawsuits start to fly. 

Sadly there are a lot of people in the modern linux community that seem to 
believe that their understanding of IT trumps everyone else. Small, 
inexperienced minds that see their own personal use case as superior to all 
others. 
-Ben


--- Original Message ---
On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt 
 wrote:


> For employees it depends if they are exempt or not. Any supervisory employee 
> who can fire people is automatically considered exempt and many other 
> employee classifications (such as programming) are considered exempt as well. 
> (exemption is once more IRS and state taxing authority determination that the 
> company has no say over)
> 
> If the employee is exempt from overtime then it's illegal for the company to 
> require that they work a certain number of hours, or at certain times. If the 
> company DOES tell the employee this (that they have to track their time) then 
> the employee can hit them for mandatory overtime (if they exceed 40 hours)
> 
> Exempt/non exempt classifications are more commonly referred to as 
> salaried/hourly employees.
> 
> Long and short of it is you cannot use an online form to consider "work to be 
> valid" for a salaried AKA exempt employee. Salaried employees are paid BY THE 
> JOB not by being logged into something for a certain time.
> 
> Companies quite often forget that putting someone like a programmer on salary 
> is a two way street. The benefit from the company's point of view is they 
> don't have to pay overtime for one of those work-round-the-clock-push times. 
> But in exchange for that, the employee also doesn't have to work 40 hours 
> every week either. A decent salaried employee keeps an eye on time since it's 
> an important metric for how much work is reasonable to expect a salaried 
> employee to do but it is NOT the absolute metric.
> 
> Companies who have tried to do it differently - that is, not pay OT and make 
> you work late during crunch time - and still make you work 40 hours - 
> regularly end up paying very large fines and back salary to people when they 
> get sued. It's healthy for that to happen for owners of those companies to 
> get slapped silly for trying to exploit workers from time to time.
> 
> Once more as I keep saying this needs to be handled from an employee 
> management standpoint via managers and HR not from the IT department trying 
> to play God and the managers being wussies and afraid to talk to employees.
> 
> Is it simply that a large number of IT people are on the autism spectrum and 
> have social anxiety disorder that they will literally waste weeks of company 
> time on elaborate technical solutions that can be handled in 5 minutes by a 
> manager walking up to an employee and saying "hey dude you know that thing 
> you are doing with the VPN, well knock it off"
> 
> Or is it that their anxiety disorder and desire to Play God just drives them 
> to believe that every other employee in the company is trying to screw IT???
> 
> Sheesh!!!
> 
> Ted
> 
> -Original Message-
> From: PLUG plug-boun...@pdxlinux.org On Behalf Of Daniel Ortiz
> 
> Sent: Wednesday, April 19, 2023 1:39 PM
> To: Portland Linux/Unix Group plug@pdxlinux.org
> 
> Subject: Re: [PLUG] 3rd party vpn Defense evasion
> 
> Disclaimer: some of the following if not all could be wrong.
> 
> Wouldn't it be easier to deal with the credentials side to avoid this problem 
> in the first place? To illustrate what I mean, here's a theoretical idea that 
> while it might be flawed (like potential security failures), could be useful 
> in terms of guidance. When an employee logs in, it sends an email to their 
> company Gmail account to complete the login procedure. They click the link to 
> a Google form which requires them to be logged in to their company Google 
>

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-20 Thread Ishak Micheil
Agreed,  HR and legal should absolutely be engaged and on-board given the
risk level.


On Wed, Apr 19, 2023, 4:43 PM Ted Mittelstaedt 
wrote:

>
> For employees it depends if they are exempt or not.  Any supervisory
> employee who can fire people is automatically considered exempt and many
> other employee classifications (such as programming) are considered exempt
> as well.  (exemption is once more IRS and state taxing authority
> determination that the company has no say over)
>
> If the employee is exempt from overtime then it's illegal for the company
> to require that they work a certain number of hours, or at certain times.
> If the company DOES tell the employee this (that they have to track their
> time) then the employee can hit them for mandatory overtime (if they exceed
> 40 hours)
>
> Exempt/non exempt classifications are more commonly referred to as
> salaried/hourly employees.
>
> Long and short of it is you cannot use an online form to consider "work to
> be valid" for a salaried AKA exempt employee.  Salaried employees are paid
> BY THE JOB not by being logged into something for a certain time.
>
> Companies quite often forget that putting someone like a programmer on
> salary is a two way street.  The benefit from the company's point of view
> is they don't have to pay overtime for one of those
> work-round-the-clock-push times.  But in exchange for that, the employee
> also doesn't have to work 40 hours every week either.  A decent salaried
> employee keeps an eye on time since it's an important metric for how much
> work is reasonable to expect a salaried employee to do but it is NOT the
> absolute metric.
>
> Companies who have tried to do it differently - that is, not pay OT and
> make you work late during crunch time - and still make you work 40 hours -
> regularly end up paying very large fines and back salary to people when
> they get sued.  It's healthy for that to happen for owners of those
> companies to get slapped silly for trying to exploit workers from time to
> time.
>
> Once more as I keep saying this needs to be handled from an employee
> management standpoint via managers and HR not from the IT department trying
> to play God and the managers being wussies and afraid to talk to employees.
>
> Is it simply that a large number of IT people are on the autism spectrum
> and have social anxiety disorder that they will literally waste weeks of
> company time on elaborate technical solutions that can be handled in 5
> minutes by a manager walking up to an employee and saying "hey dude you
> know that thing you are doing with the VPN, well knock it off"
>
> Or is it that their anxiety disorder and desire to Play God just drives
> them to believe that every other employee in the company is trying to screw
> IT???
>
> Sheesh!!!
>
> Ted
>
> -Original Message-
> From: PLUG  On Behalf Of Daniel Ortiz
> Sent: Wednesday, April 19, 2023 1:39 PM
> To: Portland Linux/Unix Group 
> Subject: Re: [PLUG] 3rd party vpn Defense evasion
>
> Disclaimer: some of the following if not all could be wrong.
>
> Wouldn't it be easier to deal with the credentials side to avoid this
> problem in the first place? To illustrate what I mean, here's a theoretical
> idea that while it might be flawed (like potential security failures),
> could be useful in terms of guidance. When an employee logs in, it sends an
> email to their company Gmail account to complete the login procedure. They
> click the link to a Google form which requires them to be logged in to
> their company Google account for the submitted form to either work or be
> considered valid. Once it's submitted, a program will allow them to finish
> the login process. Also, doing something with a company Google account
> could be helpful since Google records the devices you logged in with, which
> if a company can check that, they can see if there are any suspicious
> devices.
>
> On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil  wrote:
>
> > We're chasing this from data science side as well. As far as charting
> > the pattern of activity and flag anomalies.
> > This should trap the subs since he/she won't be checking email,
> > responding to chat messages etc, or hopefully time of activity could
> > give us clues.
> >
> > I do agree, there are many VPN commercial services and they will never
> > advertise servers properties, besides there's lots of other open-VPN
> > options.
> >
> > We shall conquer!
> >
> > On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt
> > 
> > wrote:
> >
> > >
> > >
> > > -Original Message-
> > > From: PLUG  On Behalf Of John Jason
> >

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-19 Thread Ted Mittelstaedt

For employees it depends if they are exempt or not.  Any supervisory employee 
who can fire people is automatically considered exempt and many other employee 
classifications (such as programming) are considered exempt as well.  
(exemption is once more IRS and state taxing authority determination that the 
company has no say over)

If the employee is exempt from overtime then it's illegal for the company to 
require that they work a certain number of hours, or at certain times.  If the 
company DOES tell the employee this (that they have to track their time) then 
the employee can hit them for mandatory overtime (if they exceed 40 hours)

Exempt/non exempt classifications are more commonly referred to as 
salaried/hourly employees.

Long and short of it is you cannot use an online form to consider "work to be 
valid" for a salaried AKA exempt employee.  Salaried employees are paid BY THE 
JOB not by being logged into something for a certain time.

Companies quite often forget that putting someone like a programmer on salary 
is a two way street.  The benefit from the company's point of view is they 
don't have to pay overtime for one of those work-round-the-clock-push times.  
But in exchange for that, the employee also doesn't have to work 40 hours every 
week either.  A decent salaried employee keeps an eye on time since it's an 
important metric for how much work is reasonable to expect a salaried employee 
to do but it is NOT the absolute metric.

Companies who have tried to do it differently - that is, not pay OT and make 
you work late during crunch time - and still make you work 40 hours - regularly 
end up paying very large fines and back salary to people when they get sued.  
It's healthy for that to happen for owners of those companies to get slapped 
silly for trying to exploit workers from time to time.

Once more as I keep saying this needs to be handled from an employee management 
standpoint via managers and HR not from the IT department trying to play God 
and the managers being wussies and afraid to talk to employees.

Is it simply that a large number of IT people are on the autism spectrum and 
have social anxiety disorder that they will literally waste weeks of company 
time on elaborate technical solutions that can be handled in 5 minutes by a 
manager walking up to an employee and saying "hey dude you know that thing you 
are doing with the VPN, well knock it off"

Or is it that their anxiety disorder and desire to Play God just drives them to 
believe that every other employee in the company is trying to screw IT???

Sheesh!!!

Ted

-Original Message-
From: PLUG  On Behalf Of Daniel Ortiz
Sent: Wednesday, April 19, 2023 1:39 PM
To: Portland Linux/Unix Group 
Subject: Re: [PLUG] 3rd party vpn Defense evasion

Disclaimer: some of the following if not all could be wrong.

Wouldn't it be easier to deal with the credentials side to avoid this problem 
in the first place? To illustrate what I mean, here's a theoretical idea that 
while it might be flawed (like potential security failures), could be useful in 
terms of guidance. When an employee logs in, it sends an email to their company 
Gmail account to complete the login procedure. They click the link to a Google 
form which requires them to be logged in to their company Google account for 
the submitted form to either work or be considered valid. Once it's submitted, 
a program will allow them to finish the login process. Also, doing something 
with a company Google account could be helpful since Google records the devices 
you logged in with, which if a company can check that, they can see if there are 
any suspicious devices.

On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil  wrote:

> We're chasing this from data science side as well. As far as charting 
> the pattern of activity and flag anomalies.
> This should trap the subs since he/she won't be checking email, 
> responding to chat messages etc, or hopefully time of activity could give us 
> clues.
>
> I do agree, there are many VPN commercial services and they will never 
> advertise servers properties, besides there's lots of other open-VPN 
> options.
>
> We shall conquer!
>
> On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt 
> 
> wrote:
>
> >
> >
> > -Original Message-
> > From: PLUG  On Behalf Of John Jason 
> > Jordan
> > Sent: Tuesday, April 18, 2023 2:00 PM
> >
> > >It would be nice if VPN services advertised how effectively they stop
> > >others from finding out who and where you really are.
> >
> > They are never going to do this because they are constantly tweaking their
> > proprietary protocols to get around firewalls, and they don't want the
> > firewall vendors knowing when they made a change to get past firewalls.
> > And given who some of the firewall vendors are, and what the

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-19 Thread Daniel Ortiz
Disclaimer: some of the following if not all could be wrong.

Wouldn't it be easier to deal with the credentials side to avoid this
problem in the first place? To illustrate what I mean, here's a theoretical
idea that while it might be flawed (like potential security failures),
could be useful in terms of guidance. When an employee logs in, it sends an
email to their company Gmail account to complete the login procedure. They
click the link to a Google form which requires them to be logged in to
their company Google account for the submitted form to either work or be
considered valid. Once it's submitted, a program will allow them to finish
the login process. Also, doing something with a company Google account
could be helpful since Google records the devices you logged in with, which
if a company can check that, they can see if there are any suspicious
devices.

On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil  wrote:

> We're chasing this from data science side as well. As far as charting the
> pattern of activity and flag anomalies.
> This should trap the subs since he/she won't be checking email, responding
> to chat messages etc, or hopefully time of activity could give us clues.
>
> I do agree, there are many VPN commercial services and they will never
> advertise servers properties, besides there's lots of other open-VPN
> options.
>
> We shall conquer!
>
> On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt 
> wrote:
>
> >
> >
> > -Original Message-
> > From: PLUG  On Behalf Of John Jason Jordan
> > Sent: Tuesday, April 18, 2023 2:00 PM
> >
> > >It would be nice if VPN services advertised how effectively they stop
> > >others from finding out who and where you really are.
> >
> > They are never going to do this because they are constantly tweaking their
> > proprietary protocols to get around firewalls, and they don't want the
> > firewall vendors knowing when they made a change to get past firewalls.
> > And given who some of the firewall vendors are, and what they do to people
> > they don't like, this is very understandable.
> >
> > This stuff is getting very advanced nowadays since many firewalls are
> > doing deep packet inspection, and looking specifically for patterns in
> > packet traffic that indicate it is VPN traffic encapsulated in regular http
> > or https traffic.  So the proprietary vpn clients will modify the encrypted
> > traffic to make it look like regular https traffic.
> >
> > Never forget that for you, me, and probably all the readers of this list,
> > that creating, using, blocking and messing around with VPNs is really mainly
> > an intellectual exercise, but that there are many people in the world in
> > places like Russia and China where a secure VPN means not having people
> > breaking their doors down in the middle of the night and hauling them off
> > to prison - or worse.
> >
> > Ted
> >
> >
>


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-19 Thread Ted Mittelstaedt


-Original Message-
From: PLUG  On Behalf Of Ishak Micheil
Sent: Wednesday, April 19, 2023 7:29 AM
To: Portland Linux/Unix Group 
Subject: Re: [PLUG] 3rd party vpn Defense evasion


>We shall conquer!

Ah, no you won't.  But go ahead and think that if it makes you sleep easier.  
And if you get seriously annoying to the subs they will start suing you for 
breach of contract.

Ted



Re: [PLUG] 3rd party vpn Defense evasion

2023-04-19 Thread Ishak Micheil
We're chasing this from data science side as well. As far as charting the
pattern of activity and flag anomalies.
This should trap the subs since he/she won't be checking email, responding
to chat messages etc, or hopefully time of activity could give us clues.

I do agree, there are many VPN commercial services and they will never
advertise servers properties, besides there's lots of other open-VPN
options.

We shall conquer!

On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt 
wrote:

>
>
> -Original Message-
> From: PLUG  On Behalf Of John Jason Jordan
> Sent: Tuesday, April 18, 2023 2:00 PM
>
> >It would be nice if VPN services advertised how effectively they stop
> >others from finding out who and where you really are.
>
> They are never going to do this because they are constantly tweaking their
> proprietary protocols to get around firewalls, and they don't want the
> firewall vendors knowing when they made a change to get past firewalls.
> And given who some of the firewall vendors are, and what they do to people
> they don't like, this is very understandable.
>
> This stuff is getting very advanced nowadays since many firewalls are
> doing deep packet inspection, and looking specifically for patterns in
> packet traffic that indicate it is VPN traffic encapsulated in regular http
> or https traffic.  So the proprietary vpn clients will modify the encrypted
> traffic to make it look like regular https traffic.
>
> Never forget that for you, me, and probably all the readers of this list,
> that creating, using, blocking and messing around with VPNs is really mainly
> an intellectual exercise, but that there are many people in the world in
> places like Russia and China where a secure VPN means not having people
> breaking their doors down in the middle of the night and hauling them off
> to prison - or worse.
>
> Ted
>
>
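
An added example (not part of the thread and not code from any poster) of the time-of-activity check described in the message above: it builds a per-account baseline of session start hours and flags later sessions that fall far outside it, using a circular mean so schedules that straddle midnight are handled. The account names, timestamps and thresholds are constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample sessions (account, session start in UTC); not real log data.
SESSIONS = [
    # jdoe: steady baseline around 16:00 UTC, then two sessions near 04:30-05:00
    ("jdoe", ts("2023-04-03 16:05")), ("jdoe", ts("2023-04-04 15:50")),
    ("jdoe", ts("2023-04-05 16:20")), ("jdoe", ts("2023-04-06 16:00")),
    ("jdoe", ts("2023-04-07 15:45")), ("jdoe", ts("2023-04-10 16:10")),
    ("jdoe", ts("2023-04-11 04:30")), ("jdoe", ts("2023-04-12 05:00")),
    # asmith: baseline straddles midnight UTC; later sessions stay in pattern
    ("asmith", ts("2023-04-03 23:30")), ("asmith", ts("2023-04-04 00:15")),
    ("asmith", ts("2023-04-05 23:45")), ("asmith", ts("2023-04-06 00:30")),
    ("asmith", ts("2023-04-07 23:50")), ("asmith", ts("2023-04-10 00:40")),
    ("asmith", ts("2023-04-11 23:20")),
    # newhire: too little history to judge
    ("newhire", ts("2023-04-06 17:00")), ("newhire", ts("2023-04-07 17:10")),
    ("newhire", ts("2023-04-10 03:00")),
]
BASELINE_END = ts("2023-04-08 00:00")


def hour_of_day(stamp):
    """Fractional hour of day (0 <= h < 24) of a timestamp."""
    return stamp.hour + stamp.minute / 60.0


def circular_mean_hour(hours):
    """Return (mean hour, concentration 0..1) on the 24-hour circle.

    A plain arithmetic mean puts 23:30 and 00:30 at noon; averaging the
    unit vectors instead puts them at midnight.
    """
    angles = [2 * math.pi * h / 24 for h in hours]
    s = sum(math.sin(a) for a in angles) / len(angles)
    c = sum(math.cos(a) for a in angles) / len(angles)
    mean = (math.atan2(s, c) % (2 * math.pi)) * 24 / (2 * math.pi)
    return mean, math.hypot(s, c)


def circular_distance(a, b):
    """Shortest distance in hours between two times of day."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def flag_shifted_sessions(sessions, baseline_end, threshold_hours=4.0,
                          min_baseline=5, min_concentration=0.8):
    """Flag sessions after baseline_end whose start hour deviates from the
    account's own baseline by more than threshold_hours."""
    baseline, recent = defaultdict(list), defaultdict(list)
    for account, stamp in sessions:
        (baseline if stamp < baseline_end else recent)[account].append(stamp)

    flagged = []
    for account, stamps in sorted(recent.items()):
        hours = [hour_of_day(s) for s in baseline.get(account, [])]
        if len(hours) < min_baseline:
            continue  # not enough history for a baseline
        mean, concentration = circular_mean_hour(hours)
        if concentration < min_concentration:
            continue  # schedule too irregular for time-of-day to mean anything
        for stamp in sorted(stamps):
            deviation = circular_distance(hour_of_day(stamp), mean)
            if deviation > threshold_hours:
                flagged.append((account, stamp.isoformat(), round(deviation, 1)))
    return flagged


if __name__ == "__main__":
    for row in flag_shifted_sessions(SESSIONS, BASELINE_END):
        print(row)
```

A flagged session is only a lead to correlate with the other signals mentioned in the thread (email and chat responsiveness), since travel or an unusual shift produces the same pattern.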


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-19 Thread Johnathan Mantey
I'm pretty sure I saw J Jason Jordan on the TV the other day railing that
Spider Man is public enemy number 1.
:)

On Wed, Apr 19, 2023 at 1:50 AM Michael Rasmussen 
wrote:

> On 2023-04-18 12:01, Ishak Micheil wrote:
> > John is a contractor,  hires someone else to do the work. Vdi setup,  he
> > shares his creds with the subcontractor who possibly actually in a
> > different country.  Using  VPN services prior to logging in to mask their
> > locations .
>
> Ahh, you've discovered the root of your problem: J Jason Jordan is a
> terrorist as he wrote in his post earlier in this thread.
>
>
> --
> Michael Rasmussen
> Be Appropriate && Follow Your Curiosity
>


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-19 Thread Michael Rasmussen

On 2023-04-18 12:01, Ishak Micheil wrote:
> John is a contractor,  hires someone else to do the work. Vdi setup,  he
> shares his creds with the subcontractor who possibly actually in a
> different country.  Using  VPN services prior to logging in to mask their
> locations .


Ahh, you've discovered the root of your problem: J Jason Jordan is a 
terrorist as he wrote in his post earlier in this thread.



--
   Michael Rasmussen
Be Appropriate && Follow Your Curiosity


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-18 Thread Ted Mittelstaedt



-Original Message-
From: PLUG  On Behalf Of John Jason Jordan
Sent: Tuesday, April 18, 2023 2:00 PM

>It would be nice if VPN services advertised how effectively they stop others 
>from finding out who and where you really are.

They are never going to do this because they are constantly tweaking their 
proprietary protocols to get around firewalls, and they don't want the firewall 
vendors knowing when they made a change to get past firewalls.  And given who 
some of the firewall vendors are, and what they do to people they don't like, 
this is very understandable.

This stuff is getting very advanced nowadays since many firewalls are doing 
deep packet inspection, and looking specifically for patterns in packet traffic 
that indicate it is VPN traffic encapsulated in regular http or https traffic.  
So the proprietary vpn clients will modify the encrypted traffic to make it 
look like regular https traffic.

Never forget that for you, me, and probably all the readers of this list, that 
creating, using, blocking and messing around with VPNs is really mainly an 
intellectual exercise, but that there are many people in the world in places 
like Russia and China where a secure VPN means not having people breaking their 
doors down in the middle of the night and hauling them off to prison - or worse.

Ted



Re: [PLUG] 3rd party vpn Defense evasion

2023-04-18 Thread Ted Mittelstaedt

I have to say reading this I had to get a floor jack to put my jaw back into my 
face it dropped so far.

This contractor has apparently discerned that you do NOT want him running a 
personal VPN on your network.  But, he doesn't give a crap about what you want, 
he's doing it anyway.  And on top of that he's doing it in a way to hide it.

Did it not occur to you that if he doesn't give a shit about your rules against 
running a personal VPN that there is going to be other stuff you care about 
that he's not going to give a shit about either?

Here's a thought.  When you issue contracts to contractors just explicitly 
prohibit subcontracting.  Then if John subcontracts anyway, then sue his ass 
out of business.

As I said earlier, technical blocks are NOT the way to handle this problem.

Ted

-Original Message-
From: PLUG  On Behalf Of Ishak Micheil
Sent: Tuesday, April 18, 2023 12:02 PM
To: Portland Linux/Unix Group 
Subject: Re: [PLUG] 3rd party vpn Defense evasion

The use cases I'm working on is to Prevent employees or contractors from 
subcontracting work.

John is a contractor,  hires someone else to do the work. Vdi setup,  he shares 
his creds with the subcontractor who possibly actually in a different country.  
Using  VPN services prior to logging in to mask their locations .




On Tue, Apr 18, 2023, 11:07 AM Russell Senior 
wrote:

> Can you elaborate, in general terms, on what the goal is?
>
> --
> Russell Senior
> russ...@personaltelco.net
>
> On Tue, Apr 18, 2023 at 8:38 AM Ishak Micheil  wrote:
>
> > Greetings,
> > I am tasked to identify a solution to detecting users obfuscating their ip,
> > using a variety of VPN services.
> >
> > What we've done
> > - Prevent users from installing software (VPN Clients)
> >
> > - Possibly having a code on endpoints, to collect ip addresses tied to wifi
> > or LAN connection prior to attaching to VPN service,
> >
> > any other ideas?
> >
>


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-18 Thread John Jason Jordan
On Tue, 18 Apr 2023 17:38:23 +
Ted Mittelstaedt  said:

>It's not going to be possible to block all VPNs.

I've been using a VPN for several years now, currently Mullvad
(Stockholm based). I'm curious about the efficacy of various VPN
services. I selected Mullvad (and PIA previously) based on how badly
they cut my gigabit access speed. In that respect most give you about
10% of what our ISP provides, if you're lucky. But that was the only
way I had to shop for a VPN. I have no idea how good they are at all
the many other issues you brought up. 

I do know that web sites think I am in the city where I am connected to
one of the servers, Houston at the moment. I know that because, e.g., I
tried to access safeway.com while connected to Mullvad in Stockholm,
which rudely told me that I was not in the US, so I was denied
access because I was clearly a terrorist or other evildoer.

It would be nice if VPN services advertised how effectively they stop
others from finding out who and where you really are.


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-18 Thread Ishak Micheil
The use cases I'm working on is to Prevent employees or contractors from
subcontracting work.

John is a contractor,  hires someone else to do the work. Vdi setup,  he
shares his creds with the subcontractor who possibly actually in a
different country.  Using  VPN services prior to logging in to mask their
locations .




On Tue, Apr 18, 2023, 11:07 AM Russell Senior 
wrote:

> Can you elaborate, in general terms, on what the goal is?
>
> --
> Russell Senior
> russ...@personaltelco.net
>
> On Tue, Apr 18, 2023 at 8:38 AM Ishak Micheil  wrote:
>
> > Greetings,
> > I am tasked to identify a solution to detecting users obfuscating their ip,
> > using a variety of VPN services.
> >
> > What we've done
> > - Prevent users from installing software (VPN Clients)
> >
> > - Possibly having a code on endpoints, to collect ip addresses tied to wifi
> > or LAN connection prior to attaching to VPN service,
> >
> > any other ideas?
> >
>


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-18 Thread Russell Senior
Can you elaborate, in general terms, on what the goal is?

-- 
Russell Senior
russ...@personaltelco.net

On Tue, Apr 18, 2023 at 8:38 AM Ishak Micheil  wrote:

> Greetings,
> I am tasked to identify a solution to detecting users obfuscating their ip,
> using a variety of VPN services.
>
> What we've done
> - Prevent users from installing software (VPN Clients)
>
> - Possibly having a code on endpoints, to collect ip addresses tied to wifi
> or LAN connection prior to attaching to VPN service,
>
> any other ideas?
>


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-18 Thread Ted Mittelstaedt

It's not going to be possible to block all VPNs.  If the users are smart and 
they have their own Internet connection at home then they can set up a SOCKS vpn 
proxy server on a PC on their home network then use dynamic dns with their home 
PC.  If you discover the traffic they can just reboot their home cable modem or 
whatever and get a fresh IP or change the listening port.

You really can only block the commercial or popular VPN servers out there to 
prevent the users who don't understand networking and are the point-and-click 
types from accessing the commercial services.  And most organizations that do 
this have found it a lot easier to just pay a commercial firewall provider like 
Palo Alto to maintain the block lists for them.

You can start here:

https://unit42.paloaltonetworks.com/person-vpn-network-visibility/

Keep in mind that many of the commercial firewall providers play both sides 
against each other.  For example, Fortinet sells both firewalls designed to 
block VPNs, and on the same firewall that you can configure to block VPNs from 
your internal network that are going out to VPN providers, you can set that 
same firewall device up to provide "crypto vpns" to your users that are 
designed to evade other people's firewalls (if your users are remoting in from 
someone else's network).  The irony is rather amusing.

The only way I've ever seen true blocking work is when a company has a policy 
that prohibits most employees with the exception of permitted ones from 
accessing the Internet completely.  That is, no web browsing, no zoom, no 
nothing.  And, that is VERY appropriate for certain classes of employees.  A 
checker in a grocery store has no need to be able to surf the web from their 
cash register that is running on a PC, for example.  So you list all the IPs of 
those registers in your firewall for complete outbound blocks.

But, if you do that all your good employees who are NOT abusing your internet 
service are going to quit on you and the bad apples who are using it for 
gaming, watching porn, and so on on company time will just bring their cell 
phones into the office and use cell carriers for Internet connection on 
personal cell phones and waste their time that way.

You cannot cover up CEO timidity on managing their people with technology.  You 
will just piss off the good eggs who will say "I don't need this shit" and quit 
on you, leaving the bad eggs who nobody else will hire and you are unwilling to 
fire because you are scared of them.  And if you block the bad eggs from 
wasting time on the Internet they will find plenty of other ways to waste time.

Putting IT as the opponent to users never works.  Users just quit going to IT 
with their problems and find other solutions (like personal VPNs) which most of 
the time cause more problems.  It may seem counterintuitive but the most 
productive companies out there unblock everything, have everyone sign AUPs that 
prohibit obvious crap like online gaming, porn, online gambling, personal 
shopping (except during lunch hour) and in general treat employees like adults 
and trust them and make it clear that there is safe harbor for any employee who 
reports another employee violating that trust.  (for any reason)  The only 
exceptions to this are certain kinds of transactions (such as cash handling) 
and the fact is the good eggs WANT IT monitoring that sort of thing just to 
protect themselves from being accused of theft, etc.

One of the biggest problems in HR today is HR departments being forced by the 
executive board to cover up malfeasance by managers, directors, and members of 
the C suite.  Stories of "secretary banging the boss and was reported to HR and 
they fired the person reporting it" are legion and are the quickest way to 
ruining your corporate culture and losing your talent.  A CEO absolutely needs 
to shut this sort of behavior down in their corporate culture.

One of the largest markets for firewall companies that make VPN blockers are 
schools, particularly high schools.  That's because you have an organization 
that by default pits the students against the administration.  The last thing 
any company owner should want is to seek to duplicate that kind of environment 
in their company.

Ted

-Original Message-
From: PLUG  On Behalf Of Ishak Micheil
Sent: Tuesday, April 18, 2023 8:38 AM
To: Portland Linux/Unix Group 
Subject: [PLUG] 3rd party vpn Defense evasion

Greetings,
I am tasked to identify a solution to detecting users obfuscating their ip, 
using variety of VPN services.

What we've done
- Prevent users from installing software (VPN Clients)

- Possibly having a code on endpoints, to collect ip addresses tied to wifi or 
LAN connection prior to attaching to VPN service,

any other ideas?
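
The block-list matching and per-host outbound deny described in the reply above, sketched as an added example that is not part of the original thread. All addresses, the list contents and the log format are constructed (documentation and private ranges); the last flow shows why list matching only covers destinations someone has already catalogued.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation ranges stand in for a vendor-maintained list.
VPN_BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.64/26")]
# Hosts with no business need for Internet access (e.g. cash registers).
NO_INTERNET_HOSTS = {ipaddress.ip_address(a) for a in ("10.0.5.11", "10.0.5.12")}

# Constructed outbound flow log, one flow per line: "src dst dport"
FLOW_LOG = """\
10.0.1.20 198.51.100.7 1194
10.0.1.20 192.0.2.10 443
10.0.5.11 192.0.2.10 443
10.0.1.31 203.0.113.70 443
10.0.1.31 203.0.113.10 443
10.0.1.44 192.0.2.55 8443
"""

def parse_flows(text):
    """Yield (src, dst, dport) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            src, dst, dport = line.split()
            yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def verdict(src, dst):
    """Per-host outbound deny is checked first, then the destination list."""
    if src in NO_INTERNET_HOSTS:
        return "deny-no-internet-host"
    if any(dst in net for net in VPN_BLOCKLIST):
        return "deny-vpn-blocklist"
    return "allow"  # unlisted destinations pass, whatever they actually are

def report(text):
    """Group every denied flow by source address for follow-up."""
    hits = defaultdict(list)
    for src, dst, dport in parse_flows(text):
        v = verdict(src, dst)
        if v != "allow":
            hits[str(src)].append((str(dst), dport, v))
    return dict(hits)

if __name__ == "__main__":
    for src, rows in report(FLOW_LOG).items():
        print(src, rows)
```
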


[PLUG] 3rd party vpn Defense evasion

2023-04-18 Thread Ishak Micheil
Greetings,
I am tasked to identify a solution to detecting users obfuscating their ip,
using variety of VPN services.

What we've done
- Prevent users from installing software (VPN Clients)

- Possibly having a code on endpoints, to collect ip addresses tied to wifi
or LAN connection prior to attaching to VPN service,

any other ideas?