[freehunter]

That's true. You probably can get out. Until the security team catches you, which they really, really can do. Trust me, I do it for a living. And then you're in trouble for violating the terms of your employment, and then HR gets involved, and then you are fired.

Like I said, if you're going to work in security, you're going to have to consider a lot more than can it be done. Corporate security is more closely tied to HR and the business than it is IT. You can't break the rules just because it's technically possible. It would be your job to find the people who are doing exactly that and report them to HR.

[lucb1e]

> Until the security team catches you, which they really, really can do. Trust me, I do it for a living.

True, I don't doubt they can if they wanted to, simply look for connections to known Tor nodes (of which there is a list). So long as I don't bother using a bridge node of course.

As for being fired, I don't think it's that strict. The company policy is aimed at blocking people from posting the company's slides on Slideshare, using icons from icon sites without a license (some icon site is also blocked) or pasting sensitive data on Pastebin by accident. As long as I don't do these things, I am not violating corporate policy, while I do need some of these sites to do my work.

If they make shitty policies that apply to the people who don't know what they are doing as well as to the people who do know what they are doing (or even need some of those sites), they can expect people to work around it. Rules are to be followed within reason. And if people are that strict, I don't want to stay in that company. Even as a student I'm asked to do work enough times that I don't doubt I could switch jobs in a matter of weeks.

[freehunter]

>Even as a student I'm asked to do work enough times that I don't doubt I could switch jobs in a matter of weeks.

That's true, no one should ever be unemployed if they have infosec on their resume.

Do everything you can to learn how to bypass anything. Hack as much as you get your hands on. Break everything. Code all the things. It's really good for you and good for your career.

But I've had enough interns come work with me and then the company gets a letter from HBO because the intern thought no one was watching him torrent off our 2Gbps pipe. I've had college hires who spent the day browsing porn in incognito mode thinking the company couldn't see it. I've seen people using VPNs to mask the fact that they're getting paid to watch Netflix. And every single one of them wonder how in the hell we knew what they were doing.

Companies spend literally millions of dollars in security products to know exactly how their employees are misuing company property and company time. If you think there isn't a security tool that shows people using Tor, I think you're wrong.

I'm not telling you to stop. I'm not your manager. I just like helping people in infosec keep from making rookie mistakes. I've seen it way too often.

[lucb1e]

> If you think there isn't a security tool that shows people using Tor, I think you're wrong.

Targetting Tor specifically, yes I'm quite sure it's trivial to find a way to detect its usage. Even with bridge nodes on :443, traffic analysis probably reveals it, and especially on company-owned laptops you could scan for certain software.

So I'm not claiming that it's impossible, I just think it's not as easy as you say it is if they're not specifically looking for it (as long as there is no abuse, there is no immediate incentive to look for it).

As for interns downloading illegal or personal data over a company's connection, yeah, that is clearly abuse. We agree on that. I even know of people here that download random stuff over 4g (built into our laptops) abroad. In fact the 4g disables any blocks the company put in place because it's outside their firewall so many use it for that. If they want to fire anyone, they should start there.

[cmdrfred]

Ssh proxy to my private server. Squid proxy behind Tor. You might know I'm doing something, but what exactly I'm doing. No way. (Taking reasonable precautions to prevent DNS leakage, etc)

[freehunter]

At that point though, it doesn't matter. If company policy says you can't use anonymizing proxies or can't SSH out or can't mask your traffic in any way, you're hosed right there. And most enterprises would have an employee handbook that says that. Immediately you're in breech of guidelines and misusing company resources.

So many people in this thread are trying to argue ways to hide your traffic. All I'm saying is, no matter how clever you get to hide what you're doing, you're in breech of your terms of employment from the very first step. No matter how clever you get, I've seen people fired based on my report that they were using SSH to get to their private server. Doesn't matter if they were checking their email or if they were hiring a hitman on Silk Road.

Enterprises don't care what you're doing, they care what you're not doing, and what you're not doing is the job they paid you to do under the terms you agreed to do it.