Home workers use clever tricks to resist productivity monitoring technology

Originally published at: Home workers use clever tricks to resist productivity monitoring technology | Boing Boing

10 Likes

IAAL and I bet half of my best ideas come when I’m walking down the hall, or getting a snack, or staring off into space. The work of putting down keystrokes is by far the trailing indicator of my value.

23 Likes

There are down sides to being a remote contractor (paying both sides of the payroll taxes, mostly) but the up side is that if anyone ever suggested something along these lines, I would just laugh and laugh and laugh.

13 Likes

Imagine a manufacturing manager that reported the machines were all turned on, but had no idea whether anything came off the assembly line all day. They’d get fired on the spot. But when HR managers try to do more or less the same with presence monitoring tools, they somehow get away with it. An actual functioning brain is not, it seems, a requirement in departments tasked with managing the most complex asset a company has, its employees.

13 Likes

This is all stuff we heard in reports from the USSR. Taxi drivers needed to travel a certain number of miles. Raise the back of the cab and let the motor run with the transmission engaged. Shoe makers need to make a certain number of left shoes. Why bother making any right shoes? The US has been sovietized. Remind me, who won the Cold War exactly?

7 Likes

Kids these days have it easy!

It took me a whole day of messing with AutoHotKey scripts, some freeware VNC, and ImageMagick to build a system to text me when my boss IMed me on my workstation (which you could only detect by screenshot) so I could play video games in the den on the alternate Friday I got to work from home.

Sorry not sorry Casey!

7 Likes

Or the old school oscillating fan attached to the mouse

5 Likes

I’ve found that displaying this image on an old Android phone, locking the screen on, and putting an optical mouse on it creates a free(ish) mouse jiggler.
Spoiler set to reduce flashing.

WARNING! FLASHING IMAGE BEHIND SPOILER TAGS BELOW.

image

10 Likes

Homer had it figured out. (Almost)

The Simpsons Computer GIF

15 Likes

I think if you’re actually using something like this then it’s probably time to look for another job.

7 Likes

Fun fact: the MouseJiggler was originally invented by WiebeTech to allow cops to move a desktop computer without disconnecting it or powering it off. They have a contraption called HotPlug that allows unplugging from the wall socket and transferring to a UPS so it can be impounded and used for forensics.

6 Likes

I wish. The soviets were killed off in the 1920s, the Marxist-Leninists were their own counter-revolution. If the US was genuinely sovietised it would resemble something like anarcho-syndicalism or council communism.

Capitalism won, and now we are realising that we need some form of socialism (not Marxism-Leninism!) to avoid exploitation.

9 Likes

and once again it seems like TikTok is playing a role in cultural change

How is it TikTok that drives the change here? I can learn about all of these thingamajigs in other places. In fact I just have.

1 Like

So have millennials. We also usually don’t use TikTok and are pushing forty. Maybe update your lexicon of condescension.

4 Likes

That is legitimately awful to look at, definitely a good call to blur it out.

3 Likes

I heard an old story of a shop where the supervisor would look down a line of desks to make sure every draftsman’s pencil was moving. One guy taught himself to keep his pencil moving while taking a nap.

6 Likes

I suspect that a nontrivial percentage of ‘productivity monitoring’ software deployments are done by the technically incompetent (or demanded by the technically incompetent and then executed with grudging disinterest by IT who aren’t going to refuse a direct order but would vastly rather be making things work than applying the snake oil one of the suits bought or getting roped in to soothing someone’s anxiety about ‘metrics’), and some of the software is probably also minimum-viable garbage put together by abject hacks; but I’d be very, very cautious about using software circumvention measures against someone who has an agent on the relevant computer and is openly engaged in adversarial monitoring.

In the sort of environment that would do that it’s not unlikely that merely running unauthorized software, much less doing it with intent to pollute the precious metrics, would be excuse enough to get rid of you; and, unless you are doing it at a level on par with decent quality malware authors, it will be pretty trivial to observe that your credentials are being used to run a fairly well known class of automation utilities that the people who write white-collar spyware probably also know about.

If it’s just about giving some inveterate shoulder-surfer a ‘dashboard’ to fret at since he doesn’t have human targets within walking distance anymore you might well get away with it; but against anyone who actually cares the only sensible assumption is that activity monitoring will include process monitoring with at least matching against a library of well-known signatures, potentially also heuristic detection of unknown utilities based on checking up on who is unexpectedly using the SendInput API an awful lot and similar.

Even with a hardware solution; one would want to be a bit careful. I’d assume that most of the cheap mouse-jiggler dongles out there have deeply generic hardware IDs, if only because it takes more effort to be distinctive than not; but I’d be a lot more comfortable after I’d verified that the vendor isn’t using their own distinctive VID and has instead used exactly what some plausibly cheap and common actual mouse reports; because enumerating endpoint hardware is also really easy, if you care.

3 Likes

I see a dancing chicken.

2 Likes

I wish I knew about that HotPlug device back when I had to reluctantly power off a Novell server when my company moved to new digs. It had over 2 years of uptime on it, and I didn’t want to interrupt it.

4 Likes

I don’t doubt that a lot of the ‘productivity’ monitoring is, indeed, of low sophistication; there’s not really a lot of reason to try harder if you are basically selling a solution to the anxiety of lower-middle management terrified of the fact that, when it comes right down to it, they don’t actually know very much about how to monitor or encourage productivity; and historically compensated for that by doing lots of hovering and assuming that their social instincts were carrying them through.

What makes me nervous is mostly the abundance of data gathered for other purposes, where caring more is necessary, that could be folded into employee monitoring if somebody asked.

By way of example, the EDR system we use at work logs (among a great many other things) process creation events. All of them. Machine, timestamp, name and location of the executable, MD5 and SHA256, the command line that kicked the process off, account under which the process was created; plus all the same information for the parent process (and, for that parent process, the same information on its parent, all the way back to wininit).

This is invaluable for security purposes, because you never know when it is going to be your unlucky day and the process will end up being other-than-benign; and you need to (ideally automatically, really frantically if not) lock it down, order all other systems to block it on sight, scrub all copies from the mailserver (if it originated with an attachment) or blacklist a bunch of hostnames (if it was web delivered); potentially start isolating computers from the network and generally freaking out. Obviously, though, logging every process creation because you don’t know when the next one will be some ransomware or a hit of mimikatz leaves you with a great deal of totally innocent, but readily analyzable, data about what people are doing day-to-day. (Similar thing for the similarly pervasive logging of network connectivity events. We absolutely cannot afford to miss a webshell or a RAT of some kind; someone getting hit by a malicious domain, a script unexpectedly downloading a base64 blob, etc. but that does leave a large pile of “edge.exe accessed domain cnn.com” type stuff).

Thankfully (and I’m honestly really grateful, the prospect of being asked to do surveillance is second only to the “I Do Not want to discover someone’s child pornography habit” on my list of things I’d prefer to make it to the end of my career without having to deal with); where I work nobody demands we do anything unseemly with that. We use the data specifically for incident response and troubleshooting (and, in absence of any data scientists on the team, we really, really, don’t have the time, much less the interest, to go browsing; by way of example the process creation log for a machine I only created 4 days ago is ~80mb) and ignore the bycatch; but it would be terrifyingly easy for someone to read about ‘employee productivity metrics’ in some glossy trade rag and come to us to inquire “Can I get sign-in and sign-out times for all employees on all workstations? Can you give me X’s internet activity? Is anyone using unapproved software to appear active?” and the answer would be “with the right queries, yes, yes we could”.

There is no goddamn way I’d want to touch that with someone else’s ten foot pole; to the degree that there’s anything like a code of ethics around IT security it’s that you are bound to use your (frankly kind of creepy) level of visibility purely for knowledge and defense; but there’s no architectural barrier to going to the dark side.

And that’s with a pure, purpose-built, EDR tool. It doesn’t have a keylogger, or a ‘take screenshot every x minutes’ or ‘active webcam remotely’ feature, because it’s a security tool rather than designed to be spyware. It’s just that there are a lot of powerful inferential attacks you can construct around security-related data.

If our reliability and performance logging were fully up to scratch, something that is still a work in progress, there’d be even more inferentially dangerous data; since we’d potentially be seeing process resource utilization; which processes are hanging, what aspects of the system are keeping users waiting (and, by implication, what users are doing).

That’s what scares me. The sleazy “take a keylogger, add something that takes periodic screenshots, ship that shit” software reveals an ugly aspect of both human nature and contemporary labor market dynamics; but it might as well be banging rocks together compared to what is possible, often with tools that are already in place for nobler purposes.

(edit: Authentication logs are another really scary dual-use. Fantastic for security purposes: log access attempts along with their characteristics (timestamp, IP, user agent, exact resource requested, etc.) and you can get anomalies to jump out dramatically enough to detect compromises automatically and shut them down before harm is done if, say, someone suddenly tries to log in from an internet cafe in Lagos. Of course, to detect anomalies one must characterize normality; which kind of means that you build a fairly detailed picture of where, when, and how employees interact with your systems, inside and outside of work hours, onsite and offsite. Am I eternally grateful for the fact that a number of intrusion attempts that would otherwise have succeeded (even with MFA, the user fell for the prompt request despite not initiating the login) were shut down by activity heuristics before they could turn into disasters? Hell yes. Do I not even want to think about what an adversarial analysis of those logs could be used to learn? Hell Yes.)

4 Likes
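
The process-creation records described in the post above, with each process's parent chain walked back to wininit as an incident responder would, shown as an added example that is not part of the thread and not any EDR product's code. The `ProcEvent` type, its field names and the sample events are constructed for illustration (hashes omitted), and resolving a reused PID by creation time alone is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:          # hypothetical record; field names are assumptions
    machine: str
    ts: int               # creation time, epoch seconds
    pid: int
    ppid: int
    image: str
    cmdline: str
    account: str

def build_index(events):
    """Group events by (machine, pid), oldest first; PIDs are reused over time."""
    index = {}
    for ev in sorted(events, key=lambda e: e.ts):
        index.setdefault((ev.machine, ev.pid), []).append(ev)
    return index

def find_parent(index, child):
    """Most recent process that held child.ppid at or before the child's creation."""
    owners = [e for e in index.get((child.machine, child.ppid), [])
              if e.ts <= child.ts and e is not child]
    return owners[-1] if owners else None

def ancestry(index, event, max_depth=32):
    """Chain [event, parent, grandparent, ...]; stops where the log has no parent."""
    chain = [event]
    while len(chain) < max_depth:
        parent = find_parent(index, chain[-1])
        if parent is None or parent in chain:   # gap in the log, or a loop
            break
        chain.append(parent)
    return chain

def names(chain):
    """Executable file names for a chain, leaf first."""
    return [e.image.rsplit("\\", 1)[-1] for e in chain]

# Constructed sample events for one machine (not real telemetry).
S = r"C:\Windows\System32"
EVENTS = [
    ProcEvent("WS-01", 10, 600, 480, S + r"\wininit.exe", "wininit.exe", "SYSTEM"),
    ProcEvent("WS-01", 12, 720, 600, S + r"\services.exe", "services.exe", "SYSTEM"),
    ProcEvent("WS-01", 20, 1300, 720, S + r"\svchost.exe", "svchost.exe -k netsvcs", "SYSTEM"),
    ProcEvent("WS-01", 100, 4120, 1300, S + r"\notepad.exe", "notepad.exe", "alice"),
    ProcEvent("WS-01", 500, 4120, 1300, S + r"\cmd.exe", "cmd.exe /c run.bat", "alice"),  # PID 4120 reused
    ProcEvent("WS-01", 510, 5200, 4120, S + r"\powershell.exe", "powershell.exe -File x.ps1", "alice"),
]
INDEX = build_index(EVENTS)

if __name__ == "__main__":
    print(" <- ".join(names(ancestry(INDEX, EVENTS[-1]))))
```
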