Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Nyxalinth]

DF is awesome, but man if your job is that dull, you might consider another line of work (carefully, of course).  Don't get yourself fired over this: the economy blows.

Economy isn't as bad as people make it out to be.
I've had no problem finding and keeping a job even in this economy.
Even took a couple months off from my job to go work the summer in Alaska for shits and gigs.

Okay. shit like this has a way of coming back to haunt people, but it's your life and your job.  Good luck to you.

[Vox]

Deleted for misquote.

[Dorfus]

Does Linux DF, in terminal mode, use the CP437 character set through Unicode? If so, SSH could be an option, if it is approved by your employer.

Yes. That said, you're likely to get into much more trouble for outbound ssh than for smuggling a usb stick in. 22 out is almost definitely blocked so I suggested tunneling over https or something to a legit-looking website.

It's still a lot of trouble to go to just to play df at work. I play sometimes on my phone over ssh and it's pretty usable.

The split & email & recombine approach is a decent idea. Problem for OP is that they probably monitor his computer's execution so running the game would immediately flag it as unsigned. Best bet is to find some way to run it on an external comp.

Protip - no one cares at all what runs on mail servers. If it's multicore, you'll never hit the cpu alert and no one will ever know or care. I'm pretty sure you need WD-40 just to ssh into a mail server in any well-established company.

[wierd]

One possibility is to run the game inside a VM that is whitelisted. Kind of a POS to run DF inside a VMware linux image, just to keep it whitelisted, but it is one way around the OS tattling on your running unsigned code.

I am surprised about your statement about mailservers though. I would be apoplectic if any mail server I admined suddenly had spikes of CPU activity or worse, network activity that is outbound. To me that means somebody is making it their little minion for churning out herbal viagra spam, and would result in my intervention quite quickly.

One I wouldn't notice, would be an RDP access DMZ end node inside a virtual machine. You EXPECT activity on one of those, and spikes in activity are normal. Playing DF inside one over an intranet RDP session would be ballsy, but less likely to get caught than trying to run an HTTP tunneling proxy past the web-access firewall.

[Dorfus]

Agreed on the RDP/DMZ - not so sure the performance would be great but at least you could run therapist and the like. Mind you, DMZng a VM in the first place would be tough unless you get direct control of the router (in which case you might as well just port forward).

I still think HTTPS tunneling is safest if it all starts off like a normal https request, though the performance may be abominable. Self signed servers might trigger some things too so it might not be best.

Maybe it's just the companies I've worked for but no one cared about (internal) mailservers. We typically had fairly powerful servers with awesome internal latency and something like DF simply wouldn't register on our normal monitoring. The main issue would be gaining access to one in the first place, but I think our monitoring was probably cruder than Vox's company's. We just used to track network/cpu/ram/disk utilisation and throughput, pretty much ignoring the relevant ports and processes outside of our normal firewall/init config - we assumed they were all mail related. The only reason I suggested it is because we once ran a CS server overnight on our nearest mail server and no one batted an eyelid. We tested the idea on a clone first, of course, with the backup story of 'stress testing' but it all went off without a hitch.

VMs look like a good plan though, in terms of local execution. If OP can set up a VM without setting off alarms then all he needs to do is get DF into the building, which is perfectly possible via something like segments uuencoded into emails.

[Vox]

I'm pretty sure a movie needs to be made about this.

[wierd]

I was approaching the DMZ RDP host virtual server this way:

His company is *UBER* paranoid, but still has to service personel that are outside the country, and need access to files that are restricted, and can't be stored on hardware that leaves the country. (Say, DoD security blueprint files, for consultants dealing with chinese material dealers. They need access to the blueprint data to make sure the material they are brokering the purchase of is going to suit their needs, but they DO NOT want the chinese to steal the blueprints while he is in the shower. As such, they issue the executive a netbook running a liveCD based OS, and have him access an RDP host that is in a special DMZ, to get access to his files, and only as needed. They might even require use of an OTP generating key dongle. Hell, *I* have such a toy, and I need it to access BOEING's internal website! Requiring a 2 front pass to get in from outside the DMZ is just plain prudent in this case.)

The (ab)user learns what the LOCAL IP address is, and RDPs to that virtual host from his workstation. He loads DF on that virtual host, and plays it over RDP, in text mode.

Because that virtual host is servicing foriegn executives, cpu and network activty are expected, and not flagged. If he uses a whitelisted VM inside the virtual host, (and suffers the performance penalty), he won't trigger ay unsigned code flags either. The most he might trigger is an unapproved user account access attempt, and then only if the VM is configured right by the DA. Many enterprise assets are NOT configured right, so he could very well RDP into that system through the local intranet, without suspision.

It's just REALLY REALLY ballsy.

Some of the benefits of doing this: screencapturing spyware would experience similar problems to what normal capture software, like fraps, experiences: capturing an uninformative black rectangle where the RDP session window is! Not garanteed, but the possibility is certainly real.

Further, keypresses wouldn't be very informative, and further obscured if you are *also* doing your job at the same time. Bonus points if you have legitimate reasons to use RDP sessions. (Like I do. I need it to access our MRP infrastructure, which is hosted on a terminal services virtual host. Many MRP systems are accessible this way, because they also function as the timeclock, and for clocking job cards.)

[Dorfus]

You could say ballsy again and you'd still be pretty far off the mark. It would work though, as far as I know. Nothing I've seen would pick up such an edge case - tbh I hadn't even thought of that as a vector but social engineering + exactly that scenario = comped internals.

The most security-conscious organisations I've worked for have been banks and the like, so not top tier. If OP is looking at these sorts of methods then, honsetly, he's far better off just not playing DF at work. That said, it's a fun thing to think about - using such a technique for just DF is almost a shame. You could do a lot if you could get the IP and login details, and if it's for the sort of scenario you described (external contractors) then you could do a real lot. Hah. Aw I wish I'd stayed in the paranoid areas of computing.

[Blue_Dwarf]

It just occured to me that we might be helping someone break the law 

[thatkid]

I'm guessing you're a playtester of some kind.
Given what I know of the field, you're going to lose your job for shitty reasons eventually, but it's best not hasten it for something as silly as DF. Just soldier on, my friend, soldier on.

[wierd]

I made my network admin class instructors crazy, asking horrible questions like this.

You don't wanna know all the possible routes of intrusion I discovered when I took my novell netware class so many years ago... (gawd.. so long ago...)  I found methods of employing the very security countermeasures used to secure a server, against the admin staff, and permanently PWN a server, without leaving any tracks or signs of compromise. Gawd it was beautiful. The instructor didn't think so though. LOL. I asked her how I, as a system admin, could discover and correct infiltrations like I just demoed, and she just turned purple and demanded I undo it. LOL.

Others were edge cases where the server itself could be tricked into creating security objects under its own system-level credentials, and several others. (I was very bored in the network lab time, and embarked on self-educational activities.)

Oh... Netware 5 had sooooooooooooo many holes. LOL.


*I don't consider the method I just outlined to be within the capability or competency range of a person NOT trained in the installation, configuration, and administration of network infrastructures or security.  The major less on here, is that simply because something is being done on the "safe" side of the router, it does NOT automatically make it safe! ALWAYS configure *ALL* network assets correctly! *ALWAYS!*

[Vox]

I'm guessing you're a playtester of some kind.
Given what I know of the field, you're going to lose your job for shitty reasons eventually, but it's best not hasten it for something as silly as DF. Just soldier on, my friend, soldier on.

Swing and a miss.

[wierd]

My guess is that he is a cryptographic expert, or works for a company that does crypto, and uses a farm of very inexpensive and highly uniform systems (xboxes) as compute nodes for a distributed computing environment, used in hard crypto research, possibly with defense connections.

The sensitive nature of the setup used means no pictures. The sensitive nature of the data means no removable storage. The gravity of a security breach necessitates draconian enforcement policies that are otherwise too costly to be rational in private enterprise.

I doubt NSA or RSA, but could be a satellite of those. Proximity to Alaksa (taking seasonal work as salmon fisherman) suggest naval intelligence.

[CRM114]

My guess is that he is a cryptographic expert, or works for a company that does crypto, and uses a farm of very inexpensive and highly uniform systems (xboxes) as compute nodes for a distributed computing environment, used in hard crypto research, possibly with defense connections.

The sensitive nature of the setup used means no pictures. The sensitive nature of the data means no removable storage. The gravity of a security breach necessitates draconian enforcement policies that are otherwise too costly to be rational in private enterprise.

I doubt NSA or RSA, but could be a satellite of those. Proximity to Alaksa (taking seasonal work as salmon fisherman) suggest naval intelligence.

Does anyone actually use xboxes for this sort of work? Using PS3s which don't have the otheros patched out or off-the-shelf hardware would be infinitely easier and at worst computationally equivalent. A pure GPU farm would be superior for massively parallel computation (obviously increasing cost & complexity, but reducing power consumption).

More to the point, though - if the OP is a cryptographic expert why hasn't he already figured out how to accomplish his goal?

[wierd]

He could just be part of the support staff; people who keep records of uptime, and other drudgeries.

Running a successful operation requires more than just crypto nerds and IT staff. Also requires maintenence workers, janitors, security screeners, managers, and all that lot as well.

(Something often overlooked by inintentionally self-agrandizing comp-sci types. The eggheads develop the prototypes, but the middle men and working poor bring it to market.)