[K12OSN] old proxy by-pass prob

k12osn at collinsoft.com k12osn at collinsoft.com
Mon Jun 7 01:40:16 UTC 2004

On Sun, 6 Jun 2004, Bert Rolston wrote:
> Aw shucks, just keep an eye out for one site that seems to be getting
> extra attention.
> There are flaws in the circumventor  strategy. 
> 1) It relies on someone in the censored environment with sufficient
> ability to install the software on their personal machine outside of the
> censored environment. The censored environment may be a home, school, or
> country.
> 2) The circumventor machine has to be uncensored, or the censoring
> software has to be disabled.

With the proliferation of cable/DSL connections, this is getting easier 
and easier, and most parents are pretty ingorant when it comes to their 
> 3) The circumventor machine has to be on a permanent connection, so the
> address won't change. This will show up in your proxy logs, once it
> does, BLOCK IT!

Even with dial-up you can use a service such as http://www.no-ip.com/ or 
http://www.dyndns.org/. But wait, you can block those sites, but they 
could bring up the command line and ping the no-ip.com name and get their 
ip address. If command line is disabled, go to one of the various sites 
that give you net tools such as ping or traceroute, such as 
http://www.geektools.com/ and you can still find out the ip address.

> If you have squidguard / dansguardian running on the firewall/proxy will
> the circumventor machine be able to bypass that filtering? 
> The peacefire site only mentions machines with locally installed
> filtering software like Net Nanny.

Since circumventor traffic is encrypted with SSL, Dans Guardian wouldn't 
be able to see the data to filter it. SquidGuard could if you check your 
logs and start blocking access to IPs. In a small enough location you 
could conceivably block most of the dial-up and broadband ip addresses.

You could run something like this:
at home with SSL and be able to surf anywhere. In fact, I haven't figured 
out how to force them to make sure every site they're visiting goes 
through our filter. The best that I've figured out is to make sure you can 
use you logs to tell you exactly who was using what computer when and what 
websites they visited.

Anyway, you can't rely on technology for this one, unless you go to 
whitelists and block everything else.. :-)

Ryan Collins
Technology Coordinator - Kenton City Schools

More information about the K12OSN mailing list