Don't use work laptops for personal stuff

Originally published at: Don't use work laptops for personal stuff | Boing Boing

19 Likes

While this advice is obvious the number of IT types who do stupid things on work computers is astounding. Especially the ones who visit really off limits stuff, like child porn. Personally have seen two walked into the arms of LEO.

24 Likes

Indeed. If you’re using your work’s internet, just assume they see all your traffic.

If you are using a work computer, then assume they can silently log in and view your screen, and even turn on cameras and mics without your knowledge. It is trivially easy to set up and own that machine completely.

And yes, I’ve encountered people in IT thinking that since they’re the cops they won’t be held accountable.

22 Likes

Work laptops are rarely allowed to run Linux. Many of us research nerds can use nothing but Linux. Soooo… the answer was to leave the work laptop as an ad-hoc ssh upload link to deal with the “it’s gotta be an excel™ spreadsheet corporate VPN’ed to upload the hours!” to. So when they suddenly laid us all off (shifting R&D to India) instantly demanding our laptops, a few of us handed them nearly empty pristine (crap) laptops to their confusion. A Pyrrhic victory of sorts. -sigh-

29 Likes

22 Likes

I saw my IT guy watching movies from work. After that I had no problems doing personal work, which was mostly downloading Linux updates because I was on dial-up at home.

8 Likes

A way around this is to use their hardware, but your own software. Install a system and your data on a thumb drive. When you want to do your own stuff, boot from that (with no monitors or trackers), and never store anything on the regular disk. When you’re done with your own goodies, reboot from the installed disk, restoring everything

4 Likes

They can still see your traffic just fine when you do that on the corporate network.

Also, that’s typically against the permitted use policy. It’s something I used to ask about as well, cuz that’s how I used to do remote personal computing when I was too skint to buy a whole $500 laptop.

18 Likes

Yep. Work phone is just used as an email machine too. Did not take the option of a few bucks from them to use mine.

Besides the company oversight- too many subpoenas and right to know requests.

18 Likes

Yeah, it goes without saying (so I didn’t) that anything you do on the corporate network will be visible. The unwritten part was that this activity would happen elsewhere, where corporate eyes wouldn’t see your Skyrim session at all. Or all the other violations of policy

5 Likes

Actually, if you’re downloading child porn, feel free to keep doing that on your work laptop. Hell, you should also feel free to use 1234 as your password, and even to post about what you’re doing on your blog. The dumber you are, the less ammunition you give to people who try to use you as an excuse to make it okay to spy on the rest of us (everywhere, not just at work).

6 Likes

I definitely am not claiming that any given IT department is necessarily on this ball; but it has long been considered best practice to lock down the boot order to the exclusion of any device that the user can readily tamper with (floppies and CDs back when that was a thing, mostly USB now); with some outfits making an exception for PXE because it’s just so convenient for management purposes and a lot fewer people know how to spoof everything needed to get their PXE payload executed than know how to use a liveCD.

Pre full-disk encryption it was particularly important because anyone who could boot another OS could trivially strip-mine or modify the production OS. These days it’s somewhat less critical since you can usually only trash the encrypted blob of primary OS; but still recommended.

I’d be even less sure that anyone is watching this; but, while it is usually fiddly and vendor-specific, there are frequently methods to query firmware settings and event logs from the OS that IT has instrumented all up; so don’t bet against a transient change in boot medium being invisible anymore.
(edit: I am nothing even resembling a master of the 2540 pages of UEFI 2.6 specification; but I checked efivars on a T460s that was handy and entries like “LastBootOrder” and “LastBootCurrent” and “SMBIOSELOG” are all a bunch of cryptic garbage; but sound like they might be informative to a subject matter expert.)

(other edit: completely forgot about AMT. If configured to do so it can grab data right out of Intel GPU framebuffers and emulate peripherals in order to provide a wholly OS-independent mostly-VNC session. Anyone using that for purposes other than support or remote provisioning is creepy and has too much time on their hands; but I’d bet that some bunch of terrible people are working on “ManageMetrix Agentless Enterprise Solution” that uses some “Cloud-Scale AI Machine Vision something something” in order to micromanage those pesky ‘knowledge workers’ by feeding their screen feeds into a black box and generating authoritative-looking reports and promising a “single pane of glass”. It’ll be dreadful.)

6 Likes
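As an added example that is not part of the original post: a sketch of how an OS-side agent can read firmware boot state on Linux, decoding the standard UEFI `BootCurrent`, `BootOrder` and `Boot####` variables from efivarfs and flagging a session that did not start from the first entry in the boot order. The vendor-specific variables named in the post are not decoded; the function names and the sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

# GUID of the UEFI global variable namespace (BootCurrent, BootOrder, Boot####).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def u16_list(raw: bytes) -> list[int]:
    """Drop the 4-byte efivarfs attribute prefix, decode little-endian uint16s."""
    data = raw[4:]
    return list(struct.unpack(f"<{len(data) // 2}H", data[: len(data) // 2 * 2]))

def description(raw: bytes) -> str:
    """EFI_LOAD_OPTION after the prefix: uint32 attributes, uint16 path
    length, then a NUL-terminated UTF-16LE description."""
    text = raw[4 + 6:]
    end = next((i for i in range(0, len(text) - 1, 2)
                if text[i:i + 2] == b"\0\0"), len(text))
    return text[:end].decode("utf-16-le", errors="replace")

def audit_boot(variables: dict[str, bytes]) -> dict:
    """variables maps names like 'BootCurrent' to raw efivarfs file contents."""
    current = u16_list(variables["BootCurrent"])[0]
    order = u16_list(variables["BootOrder"])
    entry = variables.get(f"Boot{current:04X}")
    return {
        "current": f"Boot{current:04X}",
        "description": description(entry) if entry else None,
        "first_in_order": f"Boot{order[0]:04X}" if order else None,
        # A mismatch means a boot menu, BootNext or fallback picked this entry.
        "deviates": not order or current != order[0],
    }

def read_efivarfs(root: str = "/sys/firmware/efi/efivars") -> dict[str, bytes]:
    """Collect the global Boot* variables from a live Linux system."""
    suffix = "-" + EFI_GLOBAL
    return {p.name[: -len(suffix)]: p.read_bytes()
            for p in Path(root).glob("Boot*" + suffix)}

# Constructed sample: Boot0000 is first in BootOrder, but Boot0017 was booted.
ATTRS = struct.pack("<I", 7)  # efivarfs attribute word (constructed value)
def _option(desc: str) -> bytes:
    return ATTRS + struct.pack("<IH", 1, 0) + desc.encode("utf-16-le") + b"\0\0"

SAMPLE = {
    "BootCurrent": ATTRS + struct.pack("<H", 0x17),
    "BootOrder": ATTRS + struct.pack("<3H", 0x00, 0x17, 0x01),
    "Boot0000": _option("Windows Boot Manager"),
    "Boot0017": _option("USB HDD"),
}
```

`audit_boot(read_efivarfs())` runs the same check on a live system. `BootCurrent` describes only the running session, so this catches a deviation while it is in progress, whereas a persistent edit to `BootOrder` stays visible after the reboot.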

That part.

I never use my own personal equipment for work.

17 Likes

I use my personal computer to WFH, but I’m in a rather unique situation. Instead of the usual VPN, I run a VMware Horizon in Chrome browser setup. It gets me into the network within the browser, but on a very secure, locked down VM. Then I launch a regular VM from there to do my work. Everything is contained in the web browser, it’s delightful and simple, and best of all they’re only monitoring that traffic, they’re not monitoring my system. I could switch over to the work laptop, but meh… I prefer this method. I don’t have to switch around my 34" monitor cable or buy a KVM switch.

But yes, don’t do dumb shit on your work systems, and for heaven’s sake do not directly connect your personal system to work. I’ve been in IT almost 30 years, we’ll see what you’re doing. I guarantee it.

8 Likes

While I do a lot of work from home on my personal laptop (typing documents, spreadsheets, running equation editors, Mathematica, etc…) just because it’s more convenient not to have to juggle two machines while I do other things (like goof off here :slightly_smiling_face:), I send anything to my work-provided machine if I have to submit it through the applications IT installed on it. These days colleges should really offer a brief elective in scrubbing meta-data.

14 Likes

I won’t even use my own mobile device for 2 step verification; they want me to do that, then they better get me a company cell phone.

21 Likes

Sage precaution.

14 Likes

The IT Guy always knows what you are up to.

21 Likes

What I want to know is who monitors this data. Of course it varies from place to place but I can’t think of a way to do this without giving bosses way more access to personal information than they should be comfortable having.

So is there some HR department randomly monitoring keystrokes and screen cams? That is even creepier.

Of course the most likely use is simply to capture evidence of someone’s three felonies a day when that someone is going to be fired anyway.

4 Likes

seems so.

5 Likes