OK, another of many computer related questions. I’m afraid the answer to this might be far too in depth for this MB, but I’m going to ask it and hope for the best. Hope some of you insanely intelligent computer veterans can help me out. If you guys don’t feel that you can do the answer justice here please direct me to a website where I can try and teach myself. Here goes.
First let me lay out my predicament. Between my home and work computers I get a lot of overlap in my online surfing. My company is a start-up and they are very permissive of what I use my internet connection for. Because of a bitch commute I stay late in the office and use the equipment for personal things. This is with the bosses explicit consent, and porn isn’t a problem. So before you get the impression I’m a total lech, I’m going to get on with the technical stuff.
I run Win98SE at home and WinNT at work. The home system runs with a software firewall and cable modem, while the office set up runs on a 100baseT network plugged into a Windows proxy server and a T1. The tools I’m concerned about are AIM, mIRC, ICQ and, secondarily, media files.
All of my friends send me the typical e-mails with porn or other crude attachments and I occasionally do a little baiting or chatting on AIM and ICQ, and of course waste some time in mIRC (although less than I’d like). So knowing how everything in the world is logged, I began to wonder what information is exactly stored and started wondering if I should cover my shiny white ass a bit in case policy changes or the boss gets pissy at me. Secondarily I just wonder what embarrassing, if not incriminating, items a bored net admin could read of mine.
So, in the office setting what volume of information can the typical net admin gather when I use AIM and IRC? Short of using a keystroke monitor can they read my chat logs even if I tell AIM and mIRC not to save them? Does it record the IP of the other person, and what types of stuff are saved on either the proxy/network logs or on my local computer’s hard drive (for both home and office)?
What about with a .mpeg I d/l or get sent to me? If I delete it and empty my trash bin can it still be resurrected (by someone other than the FBI)? If I don’t delete it can someone track where that file came from, based on local information? What about in the proxy?
How realistic to think any of these communications could be parsed out of the tons of internet activity in the office?
Does a proxy server track what is transferred across it? Or just where it’s from and going?
Basically do I need to worry about someone getting into the proxy servers and reading all my personal conversations? What about someone getting onto my computer and digging up the chat logs (presuming I don’t save them) and reading them? (No, no cybersex…it’s still an office)
Another nugget that this got me wondering about is a few months back I had my hard drive replaced. The old one was sent into the manufacturer for recycling or disposal or whatever. Now I imagine they wouldn’t have much trouble getting the files on the drive itself since I didn’t reformat it, but how much of my internet and general computer activity could they deduce beyond the content of the media and documents?
Sorry for the long non-specific question, I don’t know much about log files and registries and whatever else Windows saves to disk without telling me.
Now since I am not up on proxy servers I can’t tell you a whole lot. However, even though I am not a genius when it comes to computers, I don’t think you should have too many problems with regards to AIM, mIRC and ICQ. As long as you aren’t keeping logs I don’t think that your employer should be able to access your communications. Most are server based outside your company.
Also, if you are accessing personal email (presumably via a web based email server) then you shouldn’t have too much to worry about. I can access my personal/business email from my email client at the office (although I use the web based system instead and recommend anyone else to do so.)
If you download a file and delete it then empty the trash can you should be in the clear. This is provided they aren’t tracking your system like the above software site I mentioned.
A proxy server could be set up to log IPs, top level domains, of what is sent across it. Websites aren’t terribly difficult to track. Basically, like techchick68 pointed out, given the right software they can probably track whether or not you’re typing with one hand, and how many times per day. (Yeah, yeah, it’s an office, but don’t you ever get lonely there late at night?)
As far as AIM, ICQ, mIRC traffic, without local logs you saved yourself on your hard drive, it’s going to be a real pain in the ass for them to get chat contents. They would have to set up a sniffer to monitor and record packets to and from the ports used for these applications. This is highly unlikely. The emails, make sure they are all web based, and none of them is sent to your corporate account. Corporate email can get backed up to long term storage, and at this point the incriminating evidence could be there for months or years. Don’t give out your work address to friends and tell them to stop using it.
I wouldn’t worry too much about what you’re doing/have done. But keep your finger in the wind.
They could pretty much read what you send and what you receive as you’re in the act. If they were so inclined.
A keystroke monitor on your local machine wouldn’t be necessary, as there is no doubt a packet monitor on the server, which is one of the ways they could read what you send/receive in question #1.
Can they save this to a log? Certainly…but most don’t because of the sheer bulk of the files. I don’t want to make you paranoid or anything, but it is also possible that your local machine could specifically be flagged for logging.
If they’re logging at the server level, the short answers are “yes” and “everything”. Otherwise, the info is probably just stored locally.
Understand, though, that extra and altered IPs can appear in the log, depending on the firewall/proxy in use. Also, there’ll be a lot of trash in the log because of encryption, compression, and out-of-order packets.
Heh–easily, just by using the DOS “undelete” command.
There are two methods for zotting a file beyond all hope of resurrection:
Simply Defrag. This is NOT 100% reliable.
Get a program such as Scorch, which overwrites and inverts any file you specify.
A single overwrite will suffice for the casual snoop. For FBI/CIA snoops, you’ll need to use multiple overwrites including an inversion process to foil these guys…
No…generally speaking, the mail with the attached file (or at least the header from the mail) would be required in order to find out who sent it to you.
Back to the paranoia thing, if they’re specifically logging you, then they could easily map your access.
Otherwise, it would be a bitch.
Normally, just the addresses. Sometimes, file names are also included…so if they see “ButtNakedBimbo.Gif”, it might catch some IT dude’s eye–better to rename it to “Flowchart.Gif” or something.
Better yet, ZIP it so that IT won’t know that it’s a GIF. Don’t forget to fix the ZIP log.
I wouldn’t worry, but I would realize that it’s a distinct possibility. It’s done frequently by bored IT personnel for kicks. Give 'em a copy of Quake to keep occupied (trust me, it works!)
Probably not…though again, if they’re logging at the server level, it’s possible, though there will be quite a bit of trash to wade through.
Bad move.
While they really couldn’t tell who you were chatting with or all of the sites you visited, they CAN read your swap file–which could possibly be complete with some URLs, passwords, credit card info, buddy lists, you name it.
Using a deleter like Scorch to periodically delete your swap files is a very good idea (shut down to DOS, THEN Scorch it (overwrite AND invert,) then power down.)
No one here has yet mentioned the use of PGP, especially a real cool utility by Network Associates called PGPDisk. PGPdisk is a “virtual disk” program that allows you to create PGP-encrypted drives that can be mounted at-will as any drive letter you desire.
Since my laptop has extremely sensitive work materials on it, including the entire development environment and source code for a $110,000 piece of software, I put the whole development environment in a PGPDisk, and mount every time I reboot. That way, it is pretty much impossible for anyone searching my PC to find any trace of the source code, should my laptop be lost or stolen.
Some of you know I write erotica - well, all of that is stored on another PGPDisk that I can mount at leisure as well. I also put my Outlook mail folders on the PGP drive as well.
PGPDisk takes surprisingly little overhead under NT (It works for NT/95/98). The difference between doing a complete rebuild of my calcs (2300 files, about 1.3 million lines of code, written by little ol’ me) on a PGP versus a non-PGP disk is about 42 minutes, versus 30 minutes. So a small slowdown in exchange for safety. It is also very crash-stable - I have only had 1 PGPDisk go “bad” after quite honestly several hundred crashes of NT that required a powerdown. In fact, I’ve had to install NT 6 more times than PGPDisk.
Another very cool thing - you can make your virtual disk a compressed NTFS drive on a FAT drive, thus saving tons of space and getting a small cluster size. Very neat. (Doesn’t work under 95/98 tho)
Thanks for all the help so far, and keep it coming, I’m actually learning something here.
Anthricite, not to sound too dense, but what do you mean when you say “mount” (all sexual innuendos are unintended)?
On the porn thing. Thanks for the advice on how to safely store those files. The input is helpful, but you can rest assured that their presence on my machine isn’t a major problem since half of the stuff is sent to me by the CEO. Same goes for the website traffic and where I’ve been. I know they can log what sites I visit and shit, but that fact isn’t really a concern. I guess my higher concern is my personal and private conversations and the routes that some of the files and chats come from. I’m not doing anything illicit (I’m a good boy) so the FBI proof overwrites and inversions aren’t really worth my time, but thanks for the 411.
Basically I have a little paranoia that some bored net admin (it’s a reasonably small office so I don’t think I’d have to be flagged specifically to make it realistic they could figure out who’s saying what) could find out what I say and who I say it to. I guess I’m just new to this whole not being a freewheeling college student or home user who doesn’t need to answer to, or trust, anyone else.
Thanks for the advice on e-mails, my e-mail traffic is fairly tame and I don’t generally use the company address for much, but if I did want to I’d definitely use hotmail.
SoulFrost, about the AIM/IRC stuff, you said they could read what is said back and forth while I’m in the act, but what about after? Secondly does AIM encrypt this stuff at all? I’m not sure where I’d have to look to figure this out, so I’d at least make them break the encryption and sniff out the traffic if need be. Your answer differs from the others, what are you considering that they aren’t?
I’m sure I’ll think of more stuff. Thanks for the help so far, please keep any new tidbits coming.
If I recall, it is possible to intercept AIM messaging. I know I’ve seen encryption for it popping up. I think I read it on slashdot.
Your best defense is the CEO being on your side. Easy to tell which way the wind is blowing.
Outside of that, you have to realise you can be super paranoid, and have a computer that takes 50 minutes to boot simply because of all the security restrictions. Kind of like how easy it is to read all sorts of personal stuff off of someone’s Browser. You can secure your browser to the point that using the web is actually impossible.
Don’t worry Omniscient, if you’re afraid some 'Net admin’s gonna stumble upon your stuff, you can bet on your grandmother’s tomb (if she’s passed away) that he’s doing the exact same thing, so you actually catch him at his own game, if he tried to ridicule you…
To “mount” a virtual disk means to have the software open the file as a virtual drive, thus when I mount my development drive in the morning, I click on the file (a 500 MB file), enter the 30-or-so-digit PGP password, and then I suddenly have a “Z” drive available, that for all purposes appears to be a 100% normal drive that I can copy, install applications, run programs, or whatever on. As soon as I “un-mount” the drive by re-booting, hitting the “panic key”, or right-clicking and selecting “unmount”, it’s as if the drive never existed.
It still sounds like at least for your e-mail PGP mail might work for you. The problem is the people on both ends need to be running the software.
Yup, another satisfied user of PGP here. I do not understand how people will leave vital information unencrypted on a computer disk. If your laptop is stolen, with it goes all your important information. My neighbors were burglarized and their computer stolen. Yes, all their bank and credit card information is in the hands of the burglars now.
For safety I do two things: Encrypt all information I would not want others to see and backup the entire hard disk once in a while. I just plug in a second hard disk and copy the entire partition.
It is amazing how people donate their old computers and neglect to wipe out their important information. There was also the case of a guy who sent his computer in for repair and the repair people found some illegal porn and turned him in.
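The overwrite-before-delete advice earlier in the thread and the point about wiping a disk before it leaves your hands come down to the same operation. Here is an added example (not code from any poster or from Scorch) that overwrites a file with random data for a chosen number of passes, flushes it to disk, and only then unlinks it. The file names and contents are constructed for the demonstration. One caveat a practitioner would want: this only helps where the filesystem rewrites the same disk blocks in place, as FAT on a spinning disk does; journaling or copy-on-write filesystems and SSD wear-levelling can leave the old blocks intact, in which case whole-disk encryption (the PGPDisk approach above) is the reliable answer.

```python
import os
import tempfile


def overwrite_in_place(path, passes=1, chunk_size=64 * 1024):
    """Overwrite every byte of the file at `path` with random data, `passes`
    times, flushing and fsync-ing after each pass so the data really reaches
    the disk. Returns the total number of bytes written.

    Caveat: only meaningful where the filesystem rewrites the same blocks
    (e.g. FAT on a spinning disk). Journaling/copy-on-write filesystems and
    SSD wear-levelling may keep the old blocks, so treat this as best effort.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                block = os.urandom(min(chunk_size, remaining))
                fh.write(block)
                written += len(block)
                remaining -= len(block)
            fh.flush()
            os.fsync(fh.fileno())
    return written


def shred(path, passes=1):
    """Overwrite first, unlink second. Deleting (or emptying the trash) alone
    only frees the directory entry; the content stays on disk until reused."""
    written = overwrite_in_place(path, passes)
    os.remove(path)
    return written


def demo(original=b"draft of a private message, " * 100):
    """Constructed walk-through: create a temp file with known content, run
    one overwrite pass and peek at the result, then shred with two more
    passes. Returns what happened so it can be checked programmatically."""
    fd, path = tempfile.mkstemp(prefix="shred-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)
    overwrite_in_place(path)          # first pass, file still exists
    with open(path, "rb") as fh:
        after_first_pass = fh.read()
    written = shred(path, passes=2)   # two more passes, then unlink
    return {
        "same_size": len(after_first_pass) == len(original),
        "content_replaced": after_first_pass != original,
        "gone": not os.path.exists(path),
        "bytes_written_by_shred": written,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The demonstration peeks at the file between passes only to show that the original bytes are gone before the name is removed; in real use you would call `shred()` directly.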
Nothing really…just my own personal experience. There are so many different possible configurations of server/proxy/firewall/software that it’s impossible to say exactly how yours will behave.
All I can really give is a “this is what I’ve run into most often” answer.
Unless they’re logging the traffic, they would not be able to know what you said afterward.
AOL in general uses a token system. I’m not sure if this applies to AIM or not. If so, then the logs would be seriously garbled.
For instance, this is a log section of me logging onto AOL–this section is ONLY the log-on…no chat, mail, IM, nothing.
Assuming that the board doesn’t screw the formatting, you may be able to tell what some of this does, but it’s puzzling at the very least.
This, however, is what two minutes in an AOL chat room looks like:
Example 2:
*** Starting circular dump ***
Circ: IN - AA (pktlen = 83, TX = 123, RX = 80, CRC = e6a3)
41 41 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | AA???
Circ: IN - AA (pktlen = 75, TX = 23, RX = 81, CRC = c257)
41 41 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | AA????
Circ: IN - AA (pktlen = 29, TX = 24, RX = 81, CRC = 1e09)
41 41 07 6D 6F 6E 73 6F 6F 6E 73 20 61 6E 64 20 | AA.monsoons and
66 69 72 65 73 74 6F 72 6D 73 ?? ?? ?? ? ?? ?? | firestorms
Circ: IN - CA (pktlen = 21, TX = 25, RX = 81, CRC = fb85)
43 41 13 44 6F 64 ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ | CA.ZZZZZZZZZZZZ
33 31 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | 31?
Circ: IN - AA (pktlen = 45, TX = 26, RX = 81, CRC = 9735)
41 41 1A 49 20 64 6F 6E 74 20 65 76 65 6E 20 6B | AA.I dont even k
6E 6F 77 20 77 68 61 74 20 61 20 6D 6F 6E 73 6F | now what a monso
6F 6E 20 69 73 20 20 4C 4F 4C ?? ?? ?? ?? ?? | on is LOL
Circ: IN - AA (pktlen = 33, TX = 27, RX = 81, CRC = 620f)
41 41 14 70 65 6E 6E 79 20 69 74 20 77 61 73 6E | AA. it wasn
74 20 65 76 65 6E 20 39 30 20 68 65 72 65 ?? ?? | t even 90 here??
Circ: IN - CA (pktlen = 15, TX = 28, RX = 81, CRC = d6a1)
43 41 16 42 6F 6F 64 6C 65 73 38 36 ?? ?? ?? ?? |
Circ: IN - CB (pktlen = 6, TX = 29, RX = 81, CRC = 1338)
43 42 13 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | CB.
Circ: IN - AA (pktlen = 46, TX = 30, RX = 81, CRC = deff)
41 41 15 54 68 65 72 65 27 73 20 73 6F 6D 65 74 | AA.There's somet
68 69 6E 67 20 61 62 6F 75 74 20 43 41 20 74 68 | hing about CA th
61 74 20 69 73 20 53 61 6E 65 3F ?? ?? ?? | at is Sane
Circ: OUT - Type: ACK, pktlen = 3, TX = 81, RX = 30, CRC = 598e
Circ: IN - AA (pktlen = 29, TX = 31, RX = 81, CRC = 5803)
41 41 14 62 75 74 20 69 74 20 77 61 73 20 72 65 | AA.but it was re
61 6C 6C 79 20 68 75 6D 69 64 ?? ?? ?? ?? ?? ?? | ally humid??????
Circ: OUT - Aa (SID = 1581, pktlen = 96, TX = 82, RX = 31, CRC = 68d9)
41 61 06 2D 00 01 00 01 07 04 00 00 01 50 01 0A | Aa.-...
04 00 00 01 02 03 01 42 54 65 6E 6E 69 73 20 62 |
61 6C 6C 20 73 69 7A 65 64 20 68 65 72 65 20 6C | all sized here l
61 73 74 20 74 69 6D 65 2E 2E 2E 6E 65 76 65 72 | ast time...never
20 73 65 65 6E 20 68 61 69 6C 20 74 68 61 74 20 | seen hail that
62 69 67 20 62 65 66 6F 72 65 00 02 00 ?? ?? ?? | big before..
uni_start_stream
man_set_response_id <336>
man_set_context_relative <258>
de_data 54x 65x 6Ex 6Ex 69x 73x 20x 62x ...
uni_end_stream
Circ: IN - AA (pktlen = 72, TX = 33, RX = 82, CRC = 89f2)
41 41 05 54 65 6E 6E 69 73 20 62 61 6C 6C 20 73 | AA.Tennis ball s
69 7A 65 64 20 68 65 72 65 20 6C 61 73 74 20 74 | ized here last t
69 6D 65 2E 2E 2E 6E 65 76 65 72 20 73 65 65 6E | ime...never seen
20 68 61 69 6C 20 74 68 61 74 20 62 69 67 20 62 | hail that big b
65 66 6F 72 65 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | efore?
Circ: IN - AA (pktlen = 27, TX = 34, RX = 82, CRC = d52c)
41 41 18 6C 6F 6C 20 69 74 73 20 61 62 6F 75 74 | AA.lol its about
20 36 37 20 68 65 72 65 ?? ?? ?? ?? ?? ?? ?? ?? | 67 here
Circ: IN - CB (pktlen = 6, TX = 35, RX = 82, CRC = 93e5)
43 42 16 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? |
Circ: IN - AA (pktlen = 41, TX = 36, RX = 82, CRC = 3d32)
41 41 14 74 68 65 20 73 6B 79 20 74 75 72 6E 65 | AA.the sky turne
64 20 6C 69 6B 65 20 64 61 72 6B 20 64 61 72 6B | d like dark dark
20 62 6C 61 63 6B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | black?
Circ: IN - AA (pktlen = 55, TX = 37, RX = 82, CRC = 980f)
41 41 07 4F 68 20 79 6F 75 20 72 65 6D 65 6D 62 | AA.Oh you rememb
65 72 2E 2E 77 68 65 6E 20 74 68 65 20 68 6F 75 | er..when the hou
73 65 73 20 77 61 73 68 20 6F 75 74 20 74 6F 20 | ses wash out to
73 65 61 3F ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | sea
Circ: IN - AA (pktlen = 73, TX = 38, RX = 82, CRC = 5f52)
41 41 19 57 69 63 6B 69 64 2C 20 79 61 27 6C 6C | AA.Wi, ya'll
20 63 6F 75 6C 64 6E 27 74 20 74 61 6B 65 20 6F | couldn't take o
75 72 20 72 61 69 6E 73 2E 2E 2E 61 6C 6C 20 79 | ur rains...all y
65 72 20 68 69 6C 6C 73 20 77 6F 75 6C 64 20 62 | er hills would b
65 20 67 6F 6E 65 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | e gone??
Circ: IN - AA (pktlen = 23, TX = 39, RX = 82, CRC = e2b6)
41 41 12 3C 2D 20 6E 65 61 72 20 54 61 6D 70 61 | AA.<- near Tampa
2C 20 46 4C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | , FL??
Circ: OUT - Type: ACK, pktlen = 3, TX = 82, RX = 39, CRC = bbde
Circ: IN - CB (pktlen = 6, TX = 40, RX = 82, CRC = 5297)
43 42 0B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | CB.
Circ: IN - AA (pktlen = 40, TX = 41, RX = 82, CRC = 03fc)
41 41 14 61 6E 64 20 68 65 6E 20 69 74 20 67 6F | AA.and hen it go
74 20 61 20 77 65 69 72 64 20 67 72 65 65 6E 20 | t a weird green
63 6F 6C 6F 72 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | color
Both of these examples have the atoms resolved, for ease of reading. The actual raw data wouldn’t be, but anyone with knowledge of hex-based numbering systems can easily resolve them. There is also software available that will do it.
For example, “74 20 61 20 77 65 69 72 64 20 67 72 65 65 6E 20” = "t a weird green ". The server would only get the numbers, but from that, the words could easily be made out.
I’m not 100% sure, but I imagine that AIM more closely resembles Example 2.
The point of all this is that IF they are logging, then they’ll be able to get something like the above, so they can get SOME information about what you were doing.
And if nothing else, you can see how much “trash” the logs would have.
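To make concrete what "resolving the atoms" means, here is an added example (not SoulFrost's code, nor any AOL tool) that parses a dump in the format quoted above and reconstructs the chat text from the hex column alone, which is all a sniffer on the wire would have. The sample dump is constructed from two of the "IN - AA" packets and one "OUT" ACK shown above; the "??" columns stand for bytes the original capture did not show and are simply skipped. Only the visible structure is assumed: each "Circ:" line starts a packet, the first two payload bytes echo the header's type tag, and the right-hand column is just the printable rendering of the left.

```python
import re

# Constructed sample in the format of the circular dump quoted in the thread;
# the byte lines are copied from two of the "IN - AA" packets shown above.
SAMPLE_DUMP = """\
Circ: IN - AA (pktlen = 41, TX = 36, RX = 82, CRC = 3d32)
41 41 14 74 68 65 20 73 6B 79 20 74 75 72 6E 65 | AA.the sky turne
64 20 6C 69 6B 65 20 64 61 72 6B 20 64 61 72 6B | d like dark dark
20 62 6C 61 63 6B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | black?
Circ: OUT - Type: ACK, pktlen = 3, TX = 82, RX = 39, CRC = bbde
Circ: IN - AA (pktlen = 40, TX = 41, RX = 82, CRC = 03fc)
41 41 14 61 6E 64 20 68 65 6E 20 69 74 20 67 6F | AA.and hen it go
74 20 61 20 77 65 69 72 64 20 67 72 65 65 6E 20 | t a weird green
63 6F 6C 6F 72 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | color
"""

# "Circ: IN - AA (...", "Circ: OUT - Type: ACK, ..." -> direction and type tag
HEADER_RE = re.compile(r"^Circ: (IN|OUT) - (?:Type: )?([A-Za-z]+)")
BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


def hex_line_to_text(hex_line):
    """Decode one space-separated hex string to text, e.g. the line quoted
    in the post: '74 20 61 ...' -> 't a weird green '."""
    return bytes.fromhex(hex_line).decode("ascii")


def printable(data):
    """Render bytes the way the dump's right-hand column does:
    printable ASCII as-is, anything else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def parse_dump(text):
    """Group the dump into packets. Each 'Circ:' header starts a packet; the
    hex column (everything before '|') of the following lines is appended to
    that packet's payload. Placeholders such as '??' are not bytes and are
    skipped, so unknown bytes are simply absent from the payload."""
    packets = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"direction": header.group(1),
                       "type": header.group(2),
                       "data": bytearray()}
            packets.append(current)
            continue
        if current is None:
            continue
        hex_column = line.split("|", 1)[0]
        for token in hex_column.split():
            if BYTE_RE.match(token):
                current["data"].append(int(token, 16))
    return packets


def chat_lines(text):
    """Reconstructed text of every inbound packet that carried data. The
    first two bytes echo the header's type tag ('AA'), the third is a
    non-printable byte the dump shows as '.', and the rest is the chat text."""
    return [printable(p["data"]) for p in parse_dump(text)
            if p["direction"] == "IN" and p["data"]]


if __name__ == "__main__":
    for line in chat_lines(SAMPLE_DUMP):
        print(line)
```

Run as a script it prints the two chat lines back to back; the point for the thread is that nothing here is decryption, only a table lookup from byte value to character, so "hex in the log" gives no confidentiality at all.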
Soulfrost, thanks a lot. I think I see your point there, and it seems reassuring, to me anyways, that it’s not just plain old text. It’s not exactly secure if it’s just a hex conversion of the ASCII text, but probably more time consuming and inane than any self respecting human would bother to decode.
A question, is that plain text to the right of all those blocks of numbers something you decoded as an example, or does it just garble chunks of the logs at a time? It seems odd that there’d be a bunch of hex digits interspersed with uncoded text. Maybe I’m missing a bigger concept here.
Actually after more closely reading your post, it seems you resolved some of the hex into text for an example. So the logs just contain a pile of hex digits.
I’ve never used plain AOL so is an AOL chatroom a Java applet? If so I’m kinda skeptical that it would resemble an AIM chat, but that’s just my uneducated instinct.
Thanks again for your help, and I’m a sponge here so anything else you feel up to explaining feel free. Come to the ChiDope and I’ll buy you a beer or 5.
You can clearly make out that I was talking to XXXXXX, and he said “the AIMs usually got suspended in 5 hours”. Also, the HTML for the font and color stuff is included.
Here, you can easily see that I’m doing a really bad Alice Cooper impersonation.
There’s no encryption to speak of, so if you were being logged at either the server or at your machine, it wouldn’t be hard for them to see exactly what you said, what you were told, and who you were talking with.
If you’re interested in capturing the packets for yourself, or if you just want more information, a good site is at: http://grc.com/oo/packetsniff.htm
(non-commercial, I think, but has links to commercial sites.)