The macosxhints Forums


MemeSlider 09-23-2005 09:47 PM

What's the best way to hide on a network?
 
So... the IT Dept at my company has been coming down on employees who have been keeping any non-work mp3 files on their work-owned computers. I don't have a problem complying with this policy and I have deleted all music files on my work machine.

However, I do have a personal laptop that I bring in to work every day and it sits on my desk, connected to the company network. The IT Dept says that they can do scans of the network and can see files on the network, including mp3s.

They are saying not to connect personal laptops to the network if there are music files on that machine. Well, this is impractical for my job as a film/video producer and I am choosing to disobey this rule, even at the peril of my job.

I have discovered "Stealth Mode" in the Sharing section of System Preferences. Will this truly make me invisible on the network and not show any files or folders?

What options do I have with hiding either the whole laptop or even just the iTunes folder the music is contained in? Would turning on File Vault keep prying eyes away from any items in that folder?

Thanks for your advice,

Dan

trevor 09-24-2005 06:08 AM

Your IT department is speaking of Windows users. Since you are posting to this forum, I assume you use a Mac, which along with anything not-Windows (Unix, Linux, AS/400, etc.) is in a whole higher class of security.

As long as you don't have "Windows Sharing" switched on in System Preferences > Sharing > Services tab, your IT department can't scan for "files on the network" in the standard way. If your IT department is slightly smarter than usual, you might want to turn off Personal File Sharing as well. (Actually, it is always wise to turn off everything you don't use in System Preferences > Sharing > Services, since every open Service decreases your computer's security a little bit more.)

Do that, and the IT department has no way to scan your personally-owned computer for files. At all. They can scan with all their might, but all they will get is red in the face.

Trevor

acme.mail.order 09-24-2005 07:42 AM

They will, however, be able to see your laptop on the network. Any requests for info get ignored in Stealth mode (as opposed to refused, which sends an immediate response) but you can't exist without an IP address. Unless they are complete morons (not entirely unknown in the Windows support world) then IT will know something is there, and is keeping quiet about it.

Just buy a Nano and keep it in your shirt pocket :D

Craig R. Arko 09-24-2005 09:28 AM

Of course, deliberately ignoring company policies is a good way to get yourself fired, so the Plan B of getting a non-networked MP3 player sounds like a smart one.

squigles@mac.com 09-24-2005 12:54 PM

I'm surprised your company even allows you to plug a laptop into their network in the first place :eek:

CAlvarez 09-24-2005 03:15 PM

Have a plan for when they come over and ask to see what's on the laptop you've got plugged into the network. Can you simply say "no?" Do you encrypt/hide the folders containing the forbidden content?

But as others have said, a properly secured/firewalled notebook can't be "scanned" from the network. Obviously, if you run iTunes, don't turn on sharing...

voldenuit 09-24-2005 03:23 PM

I think the really interesting question is what do you need to do with your personal machine wired to the corporate network. Once you come up with the answers, then there is some substance to assess the risk of being discovered by the net.police.

Are non-work mp3s the only policy enforced?

MemeSlider 09-24-2005 03:50 PM

Craig is right, obviously... but with it being my own machine and the lame, confusing way they institute policy at my company, I am sure I can get away with a wrist slap first.

In the meantime, I can remain productive. It is too bad I have to fight with the company to remain productive, but that's a different rant.

Let me clarify, this is not about having the mp3's to listen to at work. I have an iPod. I keep my mp3's on my laptop on my machine for my own convenience outside of work. I don't have a lot of time to sit and listen to music at work, as I am on the phone a lot. I use my laptop at work to multitask, transfer files between machines to work at home, etc.

Would turning File Vault on also hide whatever files are behind the vault door, from network snoops?

Thanks for the advice guys!

acme.mail.order 09-24-2005 09:41 PM

Does the policy specifically say "mp3" files? You could always convert them to AAC and just be stubbornly pedantic about it :rolleyes:

trevor 09-24-2005 11:11 PM

Quote:

Originally Posted by MemeSlider
Would turning File Vault on also hide whatever files are behind the vault door, from network snoops?

No, it will make absolutely no difference. As I said above, if you're not sharing your files, they can't see what you've got anyway. Your computer is already safe from prying eyes on the network looking at what files you have, just because it is a Mac.

Filevault would only make a difference if someone physically takes your computer and does something extreme like removing the hard drive in order to put it into another computer and see what is on there. Removing the hard drive and installing it into a computer that they have rights to means that they don't have to log in to one of your users. But if you have Filevault on, they still will not be able to access your files, since your entire home directory will be encrypted.

But that's not what you are asking about--you want to know about what can be seen on the network. If you're not sharing anything, then the answer to that is still NOTHING, whether you have Filevault turned on or not.

Trevor

voldenuit 09-25-2005 08:43 AM

If both boxes are Macs, you could use IP-over-Firewire to run a private network that would not be routed to the corporate ethernet and therefore not be visible.

Using sharepoints to limit access to the files you don't bother about being scanned would be another way.

If you create a VPN or use any other strong authentication for your filesharing, there is no way for the IT-department to snoop on you even on the monitoring port of smart switches.

Considering working for less scared people/with less lawyers would probably be yet another relaxing option ;) .

CAlvarez 09-25-2005 12:05 PM

The best advice right there. Life's too short to deal with a company like this.

MemeSlider 09-25-2005 12:09 PM

Voldenuit - You are so right when you say:

"Considering working for less scared people/with less lawyers would probably be yet another relaxing option."

And a few of us are working on that, so hopefully soon.

As for the file type... What's funny is that through communications with the IT dept. it seems like they are calling any and all audio files "mp3s".

As I said, I work in film/video production and our department has a large stock music and f/x library in WAV format. My workflow demands that I pick music from this library and store it locally while creating content with it.

We spent two days fighting IT on this! They were saying we could not store these files locally... that the only place we could store media like this is in designated folders on the SAN.

Finally, we were able to successfully explain our need for these files to be kept on the machine, but jeez!

Their point was that they did not have the ability to differentiate between our stock music and "illegal" music files, therefore they must be stored on the SAN.

Their M.O. is to scan the network for mp3 files, locate the offender and neutralize them. ;)

I think that if they can't see any music files on my laptop, they are not going to bother with me.

CAlvarez 09-25-2005 12:12 PM

What may piss them off is finding a machine they can't access. Sounds like your IT dept is run by people more interested in their power than servicing their customers, and those types get particularly upset when they are foiled.

MemeSlider 09-25-2005 12:23 PM

CAlvarez - You nailed it.

They have never outright admitted that they can see what is on the Macs in the office. We don't think they can, but I know they are working on it. I want to be prepared if that day comes.

Right now they have complete control over every PC in the company. Nothing can be installed on them without permission, they have remote repair abilities, etc. They want the same for the company owned macs.

trevor 09-25-2005 12:26 PM

You guys have so much more faith in the intelligence of the IT department than I do. Although of course it is true that they will be able to know that an IP exists for MemeSlider's personally-owned computer, what they most likely do to "scan the network" will be to look at all open SMB/CIFS shares and scan them. There's no obvious way when scanning SMB shares to connect them to IP addresses (not that it's difficult, just that it isn't RIGHT THERE in front of them when they're scanning), so there's at least two extra steps required to see that there's an IP without an SMB share. Those are two steps that the typical IT monkey is unlikely to take.

Apologies to all the fine intelligent and unusually good looking IT folks reading this posting. Of course, you are an exception to the rule.

Trevor

cwtnospam 09-25-2005 01:00 PM

Quote:

Originally Posted by MemeSlider
We spent two days fighting IT on this! They were saying we could not store these files locally... that the only place we could store media like this is in designated folders on the SAN.
....
Right now they have complete control over every PC in the company. Nothing can be installed on them without permission, they have remote repair abilities, etc. They want the same for the company owned macs.

Sounds like an IT department that costs more than it's worth. It's their job to help, not interfere with company business. Is there some way to go over their heads?
In the meantime, keep your firewall on. ;)

CAlvarez 09-25-2005 01:47 PM

Trevor, there is automated software to do all that. I know, because I've installed/used it. In all those cases it was to scan for porn and other things that truly have a negative business impact. I've found everything from hardcore porn to trade secrets in cleartext files where they shouldn't be. Well, I should say, the software found it.

I pointed out what I did because when we found a machine that had been locked down by the user, the software would flag that clearly. Then we'd just go physically check the machine. One user freaked, refusing us access. Turns out she had more than 50% of the drive full of porn, and was subsequently fired.

So, I'm speaking from "the other side." It's important for us in IT security to know what is on the network. However, it should all have a clear business case behind it, and the goal always has to be to service the customers (which is the company and its employees) without allowing them to harm the other customers with viruses, trojans, or offensive material.

And I simply would never allow your unverified laptop onto any network I admin. Your IT department should be far more worried about viruses/trojans coming into the network on unprotected laptops. Even a new Mac on the network gets a security review; you never know if someone has opened doors using P2P crap.
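
An added example, not part of any post in this thread: the reconciliation that trevor and CAlvarez describe, joining address leases against a share scan so that a host with an IP but no shares is listed, and separating a refused probe from an ignored one as acme.mail.order explains. The function names, finding labels, addresses, MACs and share names are constructed for illustration.

```python
import socket

def probe(ip, port=445, timeout=1.0):
    """Classify one TCP connect attempt: open, refused, silent or unreachable."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"         # a service answered
    except ConnectionRefusedError:
        return "refused"          # immediate reset: host is up, port closed
    except (socket.timeout, TimeoutError):
        return "silent"           # no reply: request ignored (stealth mode)
    except OSError:
        return "unreachable"      # routing or ICMP error

def reconcile(leases, shares, probes):
    """Join leases {ip: mac} with share scan {ip: [names]} and probes {ip: outcome}."""
    findings = {}
    for ip in sorted(leases):
        outcome = probes.get(ip)
        if shares.get(ip):
            findings[ip] = "sharing"
        elif outcome == "refused":
            findings[ip] = "present, no shares (port closed)"
        elif outcome == "silent":
            findings[ip] = "present, not answering (check in person)"
        else:
            findings[ip] = "present, unclassified"
    # A share seen from an address with no lease is also worth a look.
    for ip in sorted(set(shares) - set(leases)):
        findings[ip] = "sharing, no lease on record"
    return findings

# Constructed sample data: documentation addresses, made-up MACs and shares.
LEASES = {"192.0.2.10": "00:00:5e:00:53:01",
          "192.0.2.11": "00:00:5e:00:53:02",
          "192.0.2.12": "00:00:5e:00:53:03"}
SHARES = {"192.0.2.10": ["Public", "Music"], "192.0.2.99": ["Scratch"]}
PROBES = {"192.0.2.10": "open", "192.0.2.11": "refused", "192.0.2.12": "silent"}

if __name__ == "__main__":
    for ip, finding in reconcile(LEASES, SHARES, PROBES).items():
        print(ip, finding)
```

The lease table is what makes the silent host visible: it never answers the probe, but it still had to obtain an address.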

voldenuit 09-25-2005 02:44 PM

It sounds a lot like your problem is not about IT at all but only about power and diplomacy.
In such contexts, there are rules, reading "The Prince" (Machiavelli) and "Art of War" (Sun Tzu) are the vital minimum here.

I wouldn't even talk to IT directly on this subject once they voiced their unhelpful attitude, instead brief my boss and have him fight it out with the head of IT.

That keeps you the option to get help from IT if you need it, because you're not at war with them and your boss is in the business of fighting this kind of fights all day long anyway, so he's probably a far better killer than you are.

ThreeDee 09-26-2005 08:02 PM

Just wondering, would an encrypted disk image do anything?

snoware 09-26-2005 08:29 PM

If you follow the advice, given by others above, and still have a problem to solve I recommend the following.

1. Re-inform your company of your need to take projects home (I assume the reason for the laptop)

2. Also inform them that their anti-audio file policy disqualifies your personally owned laptop from being used as the vehicle to take your projects home.

3. That if your productivity is to be maintained at the present level, they need to supply you with whatever sized firewire hard drive your projects require.

Then store all your work-related files on the firewire hard drive and take it back and forth to work instead of your personal laptop.

If the solution to the problem costs the employer money, you may see them back off.

My two cents.

styrafome 09-27-2005 02:10 AM

Quote:

Originally Posted by ThreeDee
Just wondering, would an encrypted disk image do anything?

It would work as long as it isn't opened. The password only keeps it from being mounted. The way I understand it, if the disk image is opened, then it mounts as just another disk with its files completely visible to the rest of the computer.

chutem 09-27-2005 10:51 AM

How about making the folder with the files invisible? There is a neat little program that will do this for you. It is called hide folders and is free. It's from altomac www.altomac.com.

jjoonathan 09-27-2005 07:13 PM

Encrypt it before hiding it. Hiding it does 100% of nothing, unless the person is a COMPLETE moron. And even if they are, they could still stumble on it. So, steps to securing your computer:

1) Just turn off all the sharing stuff. Turn on the firewall if you are paranoid. Turn on stealth mode if you are absolutely paranoid. Now there is no way they can get on your laptop via the network, at all.

2) Use a password protected screen saver (if you are using it) with an activation corner for quick lockdowns. Disable automatic login. And if you are paranoid, use file vault. Now, there is no way they are going to get at your comp unless you unlock it for them.

And, umm, that's it. The mac is more or less secure by default, so huge changes aren't needed. Actually, assuming default settings, no changes are needed at all.

And diplomacy is always the better route, use those steps ONLY if you have to.


All times are GMT -5.