Friday April 15, 2005 | lowem.log : Inflation, Investing and Everything
From time to time, somebody, maybe a friend or a FOAF (friend-of-a-friend), might ask me about accessing some Internet service from behind a firewall. Most likely it'll be a corporate firewall, or perhaps one installed at some educational institution. Most of the time, I will tell them something like, "this is one of the Dark Arts of Networking: it's not easy, it might not work, and it might be frowned upon." Furthermore, there's a good chance they're not uber-geeks and have no idea of the issues involved.

One of the best articles out there on this topic has a rather catchy title (for uber-geeks, that is): "Punching holes into firewalls". Alternatively, the author has titled it "Why firewalls shouldn't be considered a ultimate weapon for network security" and "Secure TCP-into-HTTP tunnelling guide". The basic idea is to create a tunnel through an HTTP proxy in which you can stuff TCP traffic from your machine behind the firewall to some other server out there. Most likely that will be your home PC connected to your broadband cable or ADSL modem, or perhaps, if you're luckier, you have access to a server sitting on a high-bandwidth network that you can use (I did say it is geek territory, didn't I).

The possible issues:

1. HTTP proxy servers weren't meant to transfer generic TCP traffic reliably. HTTP is meant to serve up web pages to you. Every chunk of your stream has to ride inside a request or a response, and the proxy is free to buffer a response or to time out one that stays open too long, so you may encounter latency issues, timeouts, and buffering problems.
2. You need a web server that the HTTP proxy server can reach. That means probably a Tomcat or something similar. You don't want to use the default ports, which might be probed, say, ten thousand times a day by hackers, script kiddies, your ISP, the CIA, FBI, or some other agency. A non-default port only cuts down the noise; it does not replace keeping that server patched and the tunnel itself authenticated.
3. You need special server software sitting on this web server that is able to unwrap incoming TCP traffic, redirect it to the real destination, and send the return traffic back over the HTTP tunnel. It must have its own special, non-standard protocol.
4. You also need client software that speaks the same protocol. Preferably, it uses the basic HTTP GET or POST commands. Some of the tunnelling software packages out there rely on CONNECT, which isn't so good because some firewalls/proxy servers have the CONNECT command disabled, while others enable it only on the default SSL port 443 (which you also should avoid, due to the probe issue mentioned in #2).
5. For the paranoid (like myself), the TCP traffic had better not be sent in cleartext. Some kind of encryption has to be utilised. Preferably strong encryption, with "lots of bits" (128, 256, etc.). What's the point of exerting great effort to set up a covert channel with a complicated protocol that works over HTTP proxies if all it takes is a sniffer or packet dump to uncover everything you're sending? For that, you need the services of something like OpenSSH or Zebedee, but that means yet another layer of complexity. Alternatively, you can use HTTPS and leave it to TLS/SSL to take care of the encryption part. One catch: a forward proxy carries end-to-end HTTPS by way of CONNECT, so this option only works where CONNECT is allowed for the port you pick (if the proxy permits it on 443 alone, the Tomcat SSL connector ends up on 443 after all). Where CONNECT is blocked, the GET/POST tunnel travels in cleartext at the HTTP layer, and the encryption has to come from what you run inside it (SSH or Zebedee again).

For the latest practice in "the dark arts of networking", let's say we use the following:

1. An instance of Jakarta Tomcat with SSL set up using a so-called "self-signed certificate". We don't really care about authentication here, we just want to use AES-128 encryption.
2. A copy of the SOHT (Socket over HTTP Tunneling) client and server. It's a Java open-source project.
3. My patch to SOHT to support HTTPS. SOHT has got a nice protocol, but the patch is necessary to (a) make HTTPS work, (b) ignore certification path errors, and (c) ignore hostname verification mismatch errors.

A caveat on (b) and (c): once the client accepts any certificate, TLS still encrypts but no longer authenticates the server, so anything able to sit in the path (the very proxy you are tunnelling through, for instance) can present its own certificate, terminate TLS, and read the stream. The cleaner way to use a self-signed certificate is to trust that one certificate explicitly (import it into the client's truststore, and issue it for the hostname you actually connect to) rather than to switch the checks off.

Once you have all that, all you need is to set up the port mapping and you're done. Then you can FTP (passively), SCP, SSH, POP, or SMTP all you want. And if you want to surf securely (anonymously, secretly, etc.), try installing the Anomic/YaCy HTTP proxy server. (2005-04-15 23:38:00 SGT)
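As an added illustration of the client/server pair described in issues 3 and 4 above (example code written for this page; it is not SOHT and not the patch discussed), here is a minimal socket-over-HTTP tunnel in Python's standard library: the server unwraps each POST body onto a real TCP connection and returns whatever the far end answered, and the client wraps a stream into those POSTs, with no CONNECT anywhere. The /open, /send, /close paths, the READ_TIMEOUT polling window, the optional (host, port) proxy argument and the local echo service standing in for the real destination are all assumptions of this example.

```python
import socket
import threading
import uuid
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

SESSIONS = {}        # session id -> TCP socket to the real destination (dict get/pop are atomic)
READ_TIMEOUT = 0.2   # per POST: how long the server waits for reply bytes before answering

class TunnelHandler(BaseHTTPRequestHandler):
    """Server end (assumed protocol). POST /open?host=..&port=.. returns a session id;
    POST /send/<id> carries the client's bytes out and the remote's bytes back; POST /close/<id>."""
    protocol_version = "HTTP/1.1"   # one persistent connection through the proxy per client

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        url = urlparse(self.path)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if url.path == "/open":
            q = parse_qs(url.query)
            try:
                sock = socket.create_connection((q["host"][0], int(q["port"][0])), 5)
            except (OSError, KeyError, ValueError) as exc:  # bad or unreachable target
                return self._reply(502, str(exc).encode())
            sock.settimeout(READ_TIMEOUT)
            sid = uuid.uuid4().hex      # unguessable handle for this TCP stream
            SESSIONS[sid] = sock
            return self._reply(200, sid.encode())
        action, _, sid = url.path.lstrip("/").partition("/")
        sock = SESSIONS.pop(sid, None) if action == "close" else SESSIONS.get(sid)
        if sock is None or action not in ("send", "close"):
            return self._reply(404)
        if action == "close":
            sock.close()
            return self._reply(200)
        if body:
            sock.sendall(body)          # unwrap: POST body -> real TCP stream
        chunks = []
        try:
            while chunk := sock.recv(65536):   # drain what the remote has answered so far
                chunks.append(chunk)
        except socket.timeout:          # nothing more within READ_TIMEOUT
            pass
        return self._reply(200, b"".join(chunks))  # wrap: TCP bytes -> HTTP response body

class TunnelClient:
    """Client end: plain HTTP POSTs, optionally via a forward proxy given as an assumed (host, port)."""
    def __init__(self, host, port, proxy=None):
        self.base = f"http://{host}:{port}" if proxy else ""   # absolute URL when a proxy relays us
        self.conn = HTTPConnection(*proxy) if proxy else HTTPConnection(host, port)
        self.sid = None

    def _post(self, path, body=b""):
        self.conn.request("POST", self.base + path, body=body,
                          headers={"Content-Type": "application/octet-stream"})
        resp = self.conn.getresponse()
        data = resp.read()
        if resp.status != 200:
            raise ConnectionError(f"{path}: HTTP {resp.status} {data!r}")
        return data

    def open(self, host, port):
        self.sid = self._post(f"/open?host={host}&port={port}").decode()

    def send(self, data):               # write data out; return what the far end sent back
        return self._post(f"/send/{self.sid}", data)

    def close(self):
        self._post(f"/close/{self.sid}")
        self.conn.close()

def start_echo_server():
    """Constructed stand-in for the real destination: a TCP echo service on a random port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn:
            while data := conn.recv(65536):
                conn.sendall(data)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def start_tunnel_server():
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), TunnelHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1]

def tunnel_roundtrip(payload):
    client = TunnelClient("127.0.0.1", start_tunnel_server())
    client.open("127.0.0.1", start_echo_server())
    reply = client.send(payload)
    client.close()
    return reply
```

Calling tunnel_roundtrip(b"...") returns the same bytes after they have crossed the HTTP hop twice. The READ_TIMEOUT wait inside every /send is exactly where the latency of issue 1 comes from, and a real client has to keep calling send() with an empty body to poll for data the far end pushes unprompted (an SSH banner, a POP greeting). Nothing here is encrypted: this is the cleartext case issue 5 warns about.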
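On point 3 of the setup, here is what the "ignore certification path errors" and "ignore hostname mismatch" switches cost, shown with Python's ssl module rather than Java's JSSE (an added example for this page, not the SOHT patch): the weak client context beside a pinned one that keeps a self-signed certificate usable without giving up server authentication, plus the CONNECT-through-proxy connection that HTTPS needs. The hostnames home.example and proxy.corp are placeholders, and the proxy argument is assumed to be a (host, port) pair.

```python
import ssl
from http.client import HTTPSConnection

def insecure_context():
    """What 'ignore certification path errors' plus 'ignore hostname mismatch' amounts to:
    TLS still encrypts, but the server is never authenticated, so anything on the path
    (the corporate proxy, say) can present its own certificate, terminate TLS and read the tunnel."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # has to be switched off before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def pinned_context(server_cert_pem):
    """The safer way to use a self-signed certificate: trust exactly that one certificate and
    keep hostname checking, so the cert must be issued for the name you connect to.
    No CA is involved, and an impostor certificate still fails the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check by default
    ctx.load_verify_locations(cadata=server_cert_pem)  # PEM text of your own server cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def authenticates_server(ctx):
    """True only if a connection made with ctx would reject an impostor server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def tunnel_https_connection(host, port, ctx, proxy=None):
    """HTTPS to the tunnel server. Through a forward proxy this needs CONNECT:
    the proxy relays raw bytes and the TLS handshake stays end to end."""
    if proxy is None:
        return HTTPSConnection(host, port, context=ctx)
    conn = HTTPSConnection(proxy[0], proxy[1], context=ctx)
    conn.set_tunnel(host, port)        # CONNECT host:port first, then TLS inside it
    return conn
```

Use pinned_context with the PEM of the certificate Tomcat serves; if the name in that certificate does not match the host you dial, reissue the certificate for that name rather than reaching for insecure_context.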
[Java]
Indonesia has placed 79 active volcanoes on close watch following heightened volcanic activity as massive aftershocks continued to hit Sumatra island daily since the Dec 26 earthquake. Some scientists fear the seismic activity has the potential to trigger a major eruption while the government has urged the public to remain calm. Indonesia has the world's largest number of active volcanoes with 129 and is part of the notorious Pacific "Ring of Fire" fault line which stretches from quake-prone Japan, through Southeast Asia and across the Pacific Basin. "There are 79 volcanoes which need to be closely watched and they are being monitored by all observation posts," vulcanologist Wimpy S. Cecep told the New Straits Times. On Tuesday, tens of thousands of people panicked and fled from the slopes of Mount Talang, Solok Regency, West Sumatra when the 2,572-metre volcano spewed hot ash as high as 10 metres to blanket five villages. No casualties were reported. On Wednesday, two volcanoes reported heightened activity in West Java.

Sometimes, you just have to wonder. A deadly tsunami, earthquakes, and now volcanoes? Hopefully reality stays on the good side of the statistics regarding a major eruption; otherwise, for a preview of a "Day After Tomorrow"-like scenario, you can watch BBC's Supervolcano. (2005-04-15 22:36:54 SGT)
[Env]
Taking a break from the oil & gas, doom & gloom (incidentally, oil has dropped just below $50 right now) : Well, this is certainly an improvement over the events first related in "Fast Crash". I am now holding in my hands a letter of employment (aka "offer letter") from an American MNC, for the position of a Java R&D engineer (though that's not the exact title), and I will be starting work at this company in about 2 weeks' time. They are doing projects related to logistics and defence (okay, I probably have to brush up on my American spelling now : *ahem* "defense"), with a cumulative worth in the hundreds of millions of dollars. Career-wise, it will be a move into a real R&D environment. I will no longer be among the lone one or two engineers in a small company trying to do some R&D work. Money-wise, well, it's a permanent position, they not only matched but actually upped my pay, and there are quite a few stock options to boot. This is a second chance in more ways than one. Last year, around this time, I was headhunted (via another agent) and went for an interview at this company. I passed the technical tests, and talked to them for just over 3 hours (!!). On what, you may ask. Well, on things like how the Java JDK was designed, and how it works. We talked on and on about the internals of java.*, so to speak. They were about to offer me a position when top management came over and froze hiring (probably due to it being an election year, I'd suppose). This year, this time, after the retrenchment announcement, another agent re-introduced me to this company. So I went for a second interview. This time, we talked for about an hour and a half. And this time, I got the job. That's about all I have to say on this for now. Back to the regular oil, gas, doom & gloom ... :) (2005-04-15 00:19:20 SGT)
[Musings]