by crims0n 1620 days ago
Looks interesting, will give it a read as it looks to cover more than the basics.

Years ago I worked in a SOC doing managed services for a major telco provider, and for some reason they thought that we didn't have the need to do any kind of SSH tunneling to manage routers/switches/firewalls. They kept blocking it at various layers, and we kept having to find more and more creative ways to get around it. I think at one point we were hosting our own PAC files local to our machines, building three layers of tunnels (the last of which being a dynamic SOCKS tunnel), and using a portable browser (because we couldn't be trusted with admin!) with FoxyProxy (or similar) to finally reach our destination.


It’s pretty much impossible to validate that you are meeting the terms of your contract re: security policy if you’re doing that. You almost certainly were if you were providing SOC services to a big telco.

I have terminated contracts for cause and in one case got a vendor suspended from a big centralized procurement contract for pulling bullshit like what you described.

Folks do all sorts of naughty things with SSH. Back when we used to work in an office, one guy would tunnel out and proxy all his web connections through an SSH socks proxy so the employer's IT would not monitor his web traffic. Another guy would do reverse tunnels from his work PC to home, so he could connect to work without using the VPN.

The telco was providing the managed services in this case. That is interesting, so it sounds like this was a complete breakdown in the process somewhere. We weren’t doing it for fun or sport, we were doing it because it was the only way to effectively do our job.

I've been there but nowadays my policy is to let my employer/customer get hit with downtime if they don't provide me with ways to effectively do my work.

Absolutely — that’s nuts! I was in the managed services biz for some time, I can’t imagine facing our auditors having allowed third party contractors to do stuff like that.

> You almost certainly were if

Don't you mean they almost certainly weren't? It's hard to understand the rest otherwise.

No, gp is speaking from the point of view of those who set up the security measure.

Once you start poking holes into the security it's hard to assure you only did it for a good cause or with good intentions (whatever that means).

I still don't get it:

The original:

"It’s pretty much impossible to validate that you are meeting the terms of your contract re: security policy if you’re doing that. You almost certainly were if you were providing SOC services to a big telco."

That second sentence seems to be only interpretable as:

You almost certainly were meeting the terms of your contract re: security policy if you were providing SOC services to a big telco.

However it also says it's impossible to validate - so if it is impossible to validate that you were meeting the terms of your contract re: security policy, it must mean you weren't meeting the terms of your contract because such a contract will require validation.

But I guess I should let it go.