A clear breakdown of everything your employer can (or can't) see on your computer

Originally published at: https://boingboing.net/2019/12/16/a-clear-breakdown-of-everythin.html

…

Don’t torrent download Amazon shows while using the Amazon guest wi-fi at the Amazon fulfillment center when you are subcontracted by Amazon, I learned.

I never use my computer at work for anything other than work. I have a phone for anything else.

I felt vindicated by this when I started getting an error on shut down. Something like vidlogger can’t shut down, do you want to continue. This happened on and off for a few weeks, so I finally searched for what it was. It’s was some sort of key logger/screen logger thing.

I called my IT, and said I found it, and asked if it was theres. They were really squirrelly about it, and I finally got them to tell me it was there’s and not to worry about it.

I work for a government agency, and tell all new hires that are given to me to train about this.

You fool! That’s what your sister’s ex-boyfriend’s new girlfriend’s brother’s girlfriend’s password is for!

This is one aspect of why I like being a freelance artist, no matter how broke.

There’s pictures of nekkid people and all kinds of other things all up in my work files…

Relevant. A classic…

I’m required to have a laptop issued by my employer. It’s even a pretty decent ThinkPad as work laptops go as it would have to run some fairly demanding software. If I used it, which I don’t since I’m not required to. I just have to keep track of it until they want it back.

This article conspicuously lacks mention of video and audio capture on work-issued laptops, which is standard for many work from home gigs at large corporations.

Running vid/key loggers locally on PCs is a bit overkill.
Thanks to logs on servers and edge of network kit like layer 7 firewalls, we can see what servers you log into/connect to, what applications you’re using, we can SSL decrypt and analyse the content inside.

Locally, we can run things like crowdstrike and nexthink which can report on dodgy applications, the network, file, and registry objects it touches as well as general system telemetry.

Feed all of this into a logging system like ELK or Sumo Logic and we can generate dashboards to notice whenever something is out of the ordinary and examine further.

You can just go ahead and say that pretty much everything is up for the taking. It’s okay. I think it’s best we just get it out there.

To be fair, at least at where I work, we don’t do it to get a feed on what you’re doing and nor am I reporting that to their line manager. Rather, we’re doing it to detect malicious activity on systems, be it malware/ransomware, or even an APT that is attempting to traverse the network in search of the crown jewels or further compromise.

As the network and security guy, I don’t care if you’re sitting there watching youtube for 5 hours per day as that is an issue for your manager, though I might drop you a message if you’re chewing through too much bandwidth and impacting on other services.
I’ll also drop you a message if I detect any streaming of pirated content and tell you to knock it off or else it will get escalated.

I also use it to keep tabs on whether I can infer misconfigurations and correct them before they become a bigger problem. Current fav is how MS Teams can get stuck in a loop and generate tens of GBs of traffic per day per system if an update fails to install.

What does “APT” mean in this context? “Advanced Persistent Threat”? (Thanks, Wikipedia.)

Any work-provided hardware should be used with the understanding that your employer may keep a record of anything you do with that device. Act accordingly.

If your employer asks to install software on your personal device, refuse until you have had the opportunity to provide a separate device to be used only for work. Your job should compensate you for the acquisition of this device.

Turn off your work devices when you are not at work. Many of these devices have GPS tracking. Your employer doesn’t need to know where you go when you’re not at work.

It might seem a little extreme, but when I left my last employer, I used factory reset to wipe my iDevices before turning them in, just to make sure.

TL;DR: Don’t want your boss to know? Don’t do it on their computer. Don’t do it on their network, either.

These days, a small Faraday cage might not be a bad idea.

I realize not everyone is in a position to say no, but letting employers install anything on one’s personal devices should be a nice tall glass of nope. Many workplaces have them, but personal lockers accessible only to the current individuals using them should be a legal requirement for any workplace that prohibits personal devices in specified areas.

Really.
.
.

There is a lot of pressure on IT depts for allowing BYOD, which means we need to find a way to secure company data on non-company devices.

The thing we have been looking into is running encrypted containers on phones to allow you to access company email and documents by having them be saved into a container we can remotely wipe.

I think our stance is gonna be “you can use your own device as long as we can make sure company data isn’t being compromised, otherwise here’s a company device”. Again, it isn’t a case of snooping on you, but one of making sure any data you have or access to corporate networks is secure.

What always makes me nervous(thankfully it hasn’t happened, yet, to me; I’m sure some white-collar-Taylorist hellholes have been doing it enthusiastically for years) is the possibility that other departments, with a more…direct…interest in ‘employee metrics’ might get ideas about the exciting applications of data gathered for security purposes and come knocking.

As you say, pretty much any computer security aside from “patches, antivirus, prayer” involves an amount of traffic and process inspection that, like it or not, is deeply revealing; but in the ideal case you want the relationship with IT to be analogous to that of the relationship with a doctor or lawyer:

Your doctor wants to know if you’ve been doing any interesting drugs or engaging in unsafe sexual practices because it’s quite relevant to your health, not because he gets paid per head by the DEA and the Moral Majority. You tell your lawyer what you did, under attorney-client privilege; so that he can properly represent you. IT needs to watch your computer’s activity carefully because the internet is a terrifyingly hostile place full of smart adversaries with essentially unlimited time and patience.

I know in my own practice of IT security, and user interaction, I always try to be quite open about what I can, architecturally, see(and also the important caveat that I’m only interested in pattern analysis and anomalies and I’d get smacked down hard for creeping over someone without very good cause; and we do formally write up the sorts of investigations that involve pulling a bunch of someone’s stuff specifically because the ability to do that is a powerful capability for compromising ordinary permissions structures); and always try to emphasize that our interaction is founded on the mutual desire for their stuff to work and get out of their way and them to not get hacked, not a desire to watch them or enforce arbitrary power-tripping policies, so that they will be as forthcoming as possible about the ‘I think I may have clicked on something…’ incidents; and they can get an understanding(if they care, don’t like to bore people) of why policies exist as they do.

However, I have no particular confidence that, if another department came to IT with a demand for “Who has been screwing around on YouTube?” we’d have the institutional clout to do anything about it(unless Legal objected under a given jurisdiction’s laws concerning privacy, not too likely in the US, more likely for EU operations); and that would put us in a very unpleasant place.

I have no desire to abuse the power, or even to exercise it outside the context of intrusion detection and reliability analysis; but I can’t pretend that the powers exercised for those purposes don’t generate a pile of data that would be fairly trivial to chew into some rightsizing metrics if someone would prefer a bit of spreadsheet jockeying and data visualization to actual management; and IT doesn’t exist in a vacuum, or typically occupy the top spot in terms of any internal struggles over procedure, so I also can’t pretend that my intentions would be the final word on what gets done with the data.

Oh, there are plenty of both IT and other depts that use what IT can see and do as a form of authoritarianism over their employees, sadly.

It’s interesting how much IT is evolving, for our team we are really quite embedded in with all the other departments. We look at their workflows, identify pain points and areas where productivity gains can be made and if there is an IT-based solution to it, we’ll go ahead and run that project.
We also act as consultants for the games our studio produces, helping them with things from figuring out network code problems to the infrastructure of game servers in the cloud.

We are also intrinsically involved with things like facilities changes, be it structured cabling, security systems, AC monitoring, design of new office space, etc.

The days of IT being break/fix and server monkeys are long over and and our tendrils are everywhere within a company, improving systems and upping productivity wherever we go. I’d say, if they ever tried to outsource the IT dept where I work the whole place would grind to a halt.

So where all do you find yourself on Chrome having (light and movement, if not sensor.next) sensor access (W3C sensor API remix) permitted by default?