Help make me like a computer ninja.

Discussion in 'Mac OS X 10.3 (Panther) Discussion' started by Kingsnapped, Mar 10, 2004.

  1. Kingsnapped macrumors 6502a

    Kingsnapped

    Joined:
    Oct 16, 2003
    Location:
    Los Angeles, CA
    #1
    Is there some software or technique to make me hidden from a network? I've been having some troubles with my school district, and rather than raise a stink (which I am fully prepared to do) I would like to just keep using the network. You can read the details of my banishment on my blog (see sig). I have an excellent defense lined up, and I am prepared to take legal action if they try to suspend me, but I don't think all that would be worth it for the four months I have left tied to this system.

    If anyone knows of a way to hide from the network (aside from renaming my computer,) I would be appreciative.

    Please remember that this thread is about finding a way to keep my PowerBook hidden from the higher up so I can continue to function, not a discussion on the ethics of it. Questions about the situation are welcome… flames are not. Thank you.
     
  2. Kingsnapped thread starter macrumors 6502a

    Kingsnapped

    Joined:
    Oct 16, 2003
    Location:
    Los Angeles, CA
    #3
    Thanks. Brevity is always nice.
    I suppose I'm going to have to be like a computer guerilla.
     
  3. SilentPanda Moderator emeritus

    SilentPanda

    Joined:
    Oct 8, 2002
    Location:
    The Bamboo Forest
    #5
    You could just... not use their network like they don't want you to. I don't really know why you should have rights to their network unless you're paying them for access to it (which I guess you could arguably say is part of your parents' local taxes)...
     
  4. Kingsnapped thread starter macrumors 6502a

    Kingsnapped

    Joined:
    Oct 16, 2003
    Location:
    Los Angeles, CA
    #6
    Maybe my blog doesn't explain it well enough. I work for the district, and a lot of that work is graphics design. That's very hard to do when I have to burn templates and single images to a disc to upload to the school's website. I also moderate my school's newspaper site, and the computers in the newsroom aren't able to do this. Their reasoning for taking me off the network is that they would lose government funding if there are unfiltered computers on their network. I looked up the law, and I am in the clear. Now their reasoning is that I signed an agreement saying I wouldn't plug in. I looked back at the agreement, and it turns out there is nothing that says anything about personal equipment. Their arguments for keeping me off the network aren't justified at all. This also interferes with my online Algebra 2 class, which requires the use of my computer (unless they want me to pirate software to their system :rolleyes: )
    It's not as simple as not using my Powerbook on the network, I have to in order to do my jobs, and finish my class to get into college. If they don't want to provide me with an alternative, and try to discipline me for plugging in, I am prepared to take legal action. I am just looking for a way to avoid this unpleasantness.
     
  5. Kingsnapped thread starter macrumors 6502a

    Kingsnapped

    Joined:
    Oct 16, 2003
    Location:
    Los Angeles, CA
    #7
    Although I don't pay the property taxes, I paid all my school fees, which include technology use. That is a part of my argument. The people in the school district are still public servants.
     
  6. Grimace macrumors 68040

    Grimace

    Joined:
    Feb 17, 2003
    Location:
    with Hamburglar.
    #8
    If this is public education - you don't have rights to every school resource unless the school says you do. I'm confused still as to why you were banned...
     
  7. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #9
    If you already know all this stuff, then bear with me. For anyone that doesn't know, this may be useful reading.

    You will always have both an IP address and a MAC address that will be tied to your machine while you are on your district's network. Otherwise, nothing could be routed to you. But, you can prevent any information other than your IP and MAC address from being gleaned from your machine by configuring MacOS X's built-in ipfw facilities, and setting a couple of variables with sysctl.

    First off, it is possible to change your MAC address of the built in ethernet interface from the command line with the ifconfig command. Some tools, however, use the MAC address to identify your machine, so you may want to write down your original MAC address so you can change it back if you run into any problems. To change the MAC address, type the following in the terminal:

    sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff

    Where aa:bb:cc:dd:ee:ff is the MAC address you want to use in hex format. Bear in mind that when you do change your MAC address you will likely have to renew your DHCP lease.

    Secondly, you can set up ipfw to close all common ports. Portscans can be used to glean all kinds of information from your machine, including what Operating System it's running. While you can configure ipfw wholly through the Terminal, I would recommend downloading Brickhouse for sheer ease of use. Brickhouse will, by default, set up ipfw to block all incoming traffic on the most common ports. To prevent people from being able to ping your machine, you can use the 'Advanced' button in Brickhouse to disallow incoming ICMP traffic.

    Once the firewall configuration is in place, you can enable logging to the system.log file with the following command in a Terminal:

    sudo sysctl -w net.inet.ip.fw.verbose=1

    Logging can be capped at a certain limit. To unlimit logging, use this:

    sudo sysctl -w net.inet.ip.fw.verbose_limit=0

    Thirdly, I would enable the TCP blackhole feature. Blackholing instructs the packet filter to drop all incoming traffic whose destination port has no listening socket. Basically, if you don't have a service running that is listening on a port, all traffic to that port is completely ignored regardless of your ipfw configuration. To enable the TCP Blackhole, use the following command in the Terminal:

    sudo sysctl -w net.inet.tcp.blackhole=1

    Fourthly, I would use SSH for as much communication over the network as possible. SSH isn't just limited to remote shells, secure ftp, and secure copying. You can use SSH to tunnel other services over an encrypted channel. To set up an SSH tunnel, use the following command in a Terminal:

    ssh -N -C -c 3des (ssh server) -L (local port)/(remote host)/(remote port)

    This command is a little complicated to use and understand. So, let's break it down. My local library has their own closed wireless network that is open to anyone who walks into the building with an 802.11 enabled laptop. Being a closed network, you can only access machines that are on the library local network, and the central university Solaris servers (strauss). I really want to access a website (slashdot.org) that is outside of the university's network, but because of the closed nature of the library's network, I can't. That is, without a tunnel. So, in my case I might use a command like:

    ssh -N -C -c 3des esheep@strauss -L 8099/slashdot.org/80

    Breaking this down:

    • esheep@strauss: strauss is the server that I can ssh into, and that also has access to the outside world. I'm going to use strauss as a sort of stepping-stone to get out of the closed library network and into the web.
    • 8099/slashdot.org/80: 8099 is the local port number. I'll explain that later. slashdot.org is the remote server that I really want to access, and the port on slashdot.org that I want to access is port 80 (HTTP).

    The local port number I mentioned is the port I'm going to access on my own machine to get to strauss.org. So, once the tunnel is established, I can open up Safari and type the address: "http://localhost:8099" in the address bar and when I hit enter: BAM! I'm taken to slashdot.org. If you are thinking that the ipfw configuration you set up earlier might block this because you are accessing an open port on your machine, you should know that ipfw allows all traffic through 'localhost', also called the loopback device. So, even if you have port 8099 firewalled on your network connection, you can still access it through the loopback.

    Feel free to use whatever local port number you want when setting up your tunnels, but you should use ports higher than 1024.
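
The post above turns on ipfw logging to system.log; the following is an added example, not part of ElectricSheep's post, showing how the machine's owner could read that log to see which hosts are probing it. The log line layout, the sample lines (constructed) and the `scan_threshold` value are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, in the layout ipfw is assumed to write to system.log.
SAMPLE_LOG = """\
Mar 10 09:14:01 powerbook kernel: ipfw: 2040 Deny TCP 10.1.4.23:40112 10.1.4.77:21 in via en0
Mar 10 09:14:01 powerbook kernel: ipfw: 2040 Deny TCP 10.1.4.23:40113 10.1.4.77:22 in via en0
Mar 10 09:14:02 powerbook kernel: ipfw: 2040 Deny TCP 10.1.4.23:40114 10.1.4.77:23 in via en0
Mar 10 09:14:02 powerbook kernel: ipfw: 2040 Deny TCP 10.1.4.23:40115 10.1.4.77:80 in via en0
Mar 10 09:14:03 powerbook kernel: ipfw: 2040 Deny TCP 10.1.4.23:40116 10.1.4.77:445 in via en0
Mar 10 09:20:10 powerbook kernel: ipfw: 2040 Deny TCP 10.1.4.50:51000 10.1.4.77:548 in via en0
Mar 10 09:20:13 powerbook kernel: ipfw: 2040 Deny TCP 10.1.4.50:51000 10.1.4.77:548 in via en0
Mar 10 09:20:19 powerbook kernel: ipfw: 2040 Deny TCP 10.1.4.50:51000 10.1.4.77:548 in via en0
Mar 10 09:21:00 powerbook kernel: ipfw: 2010 Accept UDP 10.1.4.1:67 10.1.4.77:68 in via en0
Mar 10 09:22:00 powerbook kernel: ipfw: 2060 Deny ICMP:8.0 10.1.4.23 10.1.4.77 in via en0
Mar 10 09:23:00 powerbook sshd[412]: unrelated line that must be skipped
"""

# Matches TCP/UDP entries only; ICMP entries carry no ports and are skipped.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) in via (?P<iface>\w+)"
)

def parse_denied(log_text):
    """Yield (source IP, protocol, destination port) for each denied inbound packet."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("action") == "Deny":
            yield m.group("src"), m.group("proto"), int(m.group("dport"))

def summarize(log_text, scan_threshold=4):
    """Per source: denied packet count, distinct ports tried, and a port-scan flag.

    scan_threshold is a hypothetical cut-off: a source that is denied on this
    many different ports looks like a scan rather than one retried connection.
    """
    ports = defaultdict(set)
    packets = defaultdict(int)
    for src, proto, dport in parse_denied(log_text):
        ports[src].add((proto, dport))
        packets[src] += 1
    return {
        src: {
            "packets": packets[src],
            "distinct_ports": len(ports[src]),
            "likely_scan": len(ports[src]) >= scan_threshold,
        }
        for src in packets
    }

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(src, info)
```

With `net.inet.ip.fw.verbose_limit` left at a non-zero cap, later packets for a rule stop being logged, so the counts here are a lower bound.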
     
  8. Kingsnapped thread starter macrumors 6502a

    Kingsnapped

    Joined:
    Oct 16, 2003
    Location:
    Los Angeles, CA
    #10
    Wow, I'm going to take a minute to wrap my mind around that. Thanks a lot.
     
  9. cb911 macrumors 601

    cb911

    Joined:
    Mar 12, 2002
    Location:
    BrisVegas, Australia
    #11
    ElectricSheep... that's awesome!! :D i was sure there would be some way to get around it. i'm going to keep that for future reference as well... ;)
     
  10. tiktokfx macrumors regular

    Joined:
    Aug 7, 2003
    Location:
    DC Metropolitan Area
    #12
    That really won't help any.

    The problem is still that they do not want invalid users on the school network.

    When there's only one unauthorized person using the network, that makes it extremely easy to figure out, whether or not one changes MAC address/IP address/SSH tunneling.
     
  11. Mantat macrumors 6502a

    Joined:
    Sep 19, 2003
    Location:
    Montréal (Canada)
    #13
    Not if he uses the MAC address of another computer on the network which is not connected at the same time. Right?

    Btw, this was GREAT information! Thanks!
     
  12. Kingsnapped thread starter macrumors 6502a

    Kingsnapped

    Joined:
    Oct 16, 2003
    Location:
    Los Angeles, CA
    #14
    I switch from ethernet to airport through the day, that shouldn't affect me, right? Anyways, I can think of the perfect computers to borrow the address from. Anybody know how to find that data in 9.2?
     
  13. abhishekit macrumors 65816

    abhishekit

    Joined:
    Nov 6, 2003
    Location:
    akron , ohio
    #15
    Electric sheep
    Awesome dude...just some days ago I was wondering how to change my mac address..thanks
    :)
     
  14. DNH macrumors member

    Joined:
    Oct 15, 2003
    Location:
    Halifax, NS, Canada
    #16
    I think that you'll likely have to assign two mac addresses: one for the hardwired port and one for airport. IIRC, they both have their own MAC address. Good luck!
     
  15. Blackheart macrumors 6502a

    Blackheart

    Joined:
    Mar 13, 2004
    Location:
    Seattle
    #17
    Wow, Electric Sheep, are you a network admin? Or just hella knowledgeable about this area?
     
  16. Plissken macrumors newbie

    Joined:
    May 23, 2003
    Location:
    Tennessee
    #18
    I can understand your frustration with being told you can't access your school network with a personal machine, but as a person who works for a school system supporting over 80 buildings and 45,000+ users, networks NEED policies. You say you're not a hacker, which I would believe, but the threat is still there technically. Also, your machine is not managed or subject to the same scrutiny as school computers, thus dangerous. Unfortunately you can't be so selfish. School systems have some of the largest computer networks to maintain out there and you have to have blanket policies. I recommend you not try to spoof your MAC address or any other method of sneaking onto the network. I'd know how to find you if I were your system's Network Admin and in this post 9-11 world there are scary things you could be accused of doing. Follow the rules even though they may suck because there is too much at stake, trust me.
     
  17. Kingsnapped thread starter macrumors 6502a

    Kingsnapped

    Joined:
    Oct 16, 2003
    Location:
    Los Angeles, CA
    #19
    Our network isn't that large, all the numbers are about a tenth the size of what you say, and each building has its own servers/admin. I have offered to go through all the same proxies and install altris for the next few months, but still met rejection. It's not about making a blanketed law because of sheer numbers. No other student in the district has been told not to bring in personal equipment. Beyond that, there are actually no rules pertaining to this. The Network Use form I signed only said I couldn't remove computers from the network, it said nothing about adding them. The district is doing this for all the wrong reasons, and giving me false justification for their actions. Until I get a legit reason for my banishment, I shall continue to raise a stink over this.
     
