Slashdot Mirror


Web-Based E-mail Isn't Safe From Corporate Eyes

Ant points to this CNET story, a snippet from which reads thus: "[S]ecurity experts say many employees would be surprised to know that Web-based email services also offer little privacy. Messages sent via a Yahoo or Hotmail account, or through instant messaging products, such as ICQ or America Online's Instant Messenger (AIM), are just as accessible to nosy employers." I know some people whom this ought to make nervous ;)

212 comments

  1. Pine rules! by NYC · · Score: 2

    My coworkers often make fun of me because I use pine for my personal mail (I have to use Netscape for work e-mail because of attachments) and lynx to surf the web. I ssh into a Linux server and use pine, nothing to it. Plus, no one can look over my shoulder and see a web browser. Look, an xterm, it must be work.

    BTW, I know that I should use something better like mutt. I've been using pine for over 6 years and I am just too lazy to relearn.

    --
    --weenie NT4 user: bite me!
    "Computers are nothing but a perfect illusion of order" -- Iggy Pop
    1. Re:Pine rules! by mindstrm · · Score: 1

      Pine rules!
      Mutt is kind of gross.

  2. Re:Which is why I always ssh home... by davebooth · · Score: 2

    So do I. If I'm sat in my cube when I do anything net-related my employer is welcome to watch it. If they can show me a single instance when I missed a deadline or otherwise didn't get the work done because of it then I'll deserve anything they throw at me, but I have no worries there because there are no such incidents.

    All the same, there isn't any reason I have to make it easy for them. The only way they can read any email I send from my home accounts is either to do screen/keystroke capture (which I'd know about pretty quick, as I regularly sniff my own network traffic as part of my job) or pull a full-scale man-in-the-middle attack on my ssh connection to my home LAN at the corporate firewall. If they are that paranoid and want to waste that much time and resources on the project then they are welcome to. If my boss wants to sink that much budget into completely non-productive tasks then he's on a big-time losing streak and I'll soon have his job myself. Alternatively, if he is getting pressure from upstairs to account for my net traffic all he has to do is ask and I'll hand him a logfile. With nothing to hide there's no loss in telling them what you're doing; it's just polite for them to ask for the info rather than simply grab it.
    # human firmware exploit
    # Word will insert into your optic buffer
    # without bounds checking

    --
    I had a .sig once. It got boring.
  3. If it isn't encrypted, it isn't safe! by PhantomHarlock · · Score: 1
    Of COURSE it's not safe...it's unencrypted and easily readable by a snoopy admin.

    I do all my private email and IRC via SSH when at work. I also use ICQ because many friends are on it, and I do realize that it is unsafe, so I watch what I say if it's something I don't want anyone else to hear.

    Wouldn't it be great if all those silly little chat clients were encrypted? How long is it going to take for someone to develop one and have it catch on enough to where all your friends are using it? That'd be nice. (the second part is the hardest part for sure)

    In the meantime, I'll stick with SSH and my shell account. Of course, I'm lucky enough to work at a place where the port is open through the firewall... the last place I was at had the Great Firewall of China. The only way to telnet was through a gateway. If it wasn't HTTP it didn't leave the place...

    --Mike
    harlock@raindrop.com
    www.raindrop.com

  4. Re:The ineptitude of management by cronack · · Score: 1

    Any management that thinks auditing is an effective way of encouraging good work ethics...

    I think your post misses a key point. Most companies do not implement auditing to encourage good work ethics. It is done primarily for accountability. As someone already said in this discussion, the computers of a company do not belong to the user, but the company. For the same reason, the company is responsible for their use. If a computer is being used for non-business, illegal, or malicious purposes, they have to be able to hold the appropriate person accountable. I am an engineering consultant and have been in many environments that audit certain computer use. I can tell you that rarely, if ever, do most companies actively track audit records (except maybe for statistics generation like: most visited site(s) this month). It is usually done ex post facto (after the fact). In other words, it is done to see who performed some certain action after it has already been performed. Most audit records would go untouched if there were not a reason to review them. Auditing is something that is and should be used by responsible admins.

    BTW- Auditing can also be effectively used to troubleshoot certain problems as well as foresee future ones.

    --

    this is a left handed sig
  5. Re:Not really . . .. by hoegg · · Score: 1

    Actually, I am a consultant for a corporation that, on a totally switched network, monitors almost every e-mail coming in or out by hand. It would be trivial, if the web usage logs showed a large amount of web-based e-mail, to capture the sessions for later perusal. The usage of SSL like on http://www.Hushmail.com would be the only way to get around it. At that point, I am almost positive the management would block hushmail at the firewall. Point being: if your company wants to know what you're doing bad enough, it doesn't matter whether or not web-based e-mail is in plaintext. They own your workstation, and can block what they can't watch.

  6. Re:Not really . . .. by rongen · · Score: 1
    Any decent distro *cough*Debian*cough* sets up sulogin to spawn from single user bootup, not just bash. So you're prompted for the root password or it starts up normally.

    Just started using Debian last week after too much RedHat... Thanks for the info, might save my Axx some time! :)

    --
    --8<--
  7. Re:Money by techsupersite.com · · Score: 1

    You know, your post sounds just like a (former) member of my company's management, who would try to mesmerize people with his endless repeating of buzzwords, hand gestures, and ending every sentence with "Right?"

    --

    In 2000 America, is a non-lawyer truly free?
  8. Re:Simple Rule of thumb by drsoran · · Score: 1

    Hell, if it's not your employer, it's the FBI with Carnivore. Unencrypted traffic is like writing it on a postcard. If you don't care if everyone reads it then there is no problem.. but you should have no expectations of privacy.. period.

  9. Re:Not really . . .. by RedWizzard · · Score: 1

    Use an anonymizing service. Of course they could block that too. But if the Akamai censorware workaround still works (and it seems to) then you're set. They'll have a lot of trouble justifying blocking Akamai.

  10. Which is why I always ssh home... by Greyfox · · Score: 3
    When I want to send those job applications out on work hours.

    I'm reasonably sure of my system security there, since I installed the system myself. It's kind of a pity I have to view my employer as my enemy, but the corporate world's pretty much proved they are anyway.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  11. Re:Mezmerize by TechniColorPenis · · Score: 1

    Repetition sells.

    --
    everything --> everything
  12. Re:Not really . . .. by meatspray · · Score: 1

    Heck, on my network I'd set up a sniffer on the line going out; all traffic funnels to 1 or 2 places. Even if I was sniffing both with 2 laptops, catching all the data would be easy.

    -actual mileage may vary

  13. oooooooooooooh! by maxume · · Score: 1

    nuff said.

    --
    Nerd rage is the funniest rage.
  14. Re:What is this doing on Slashdot? by Carnage4Life · · Score: 2

    Hey, we English majors are not all dumb. In fact, some of us are even BSD users, you unsophisticated prick!

    Technical know-how has no relationship to how intelligent a person is, I'd expect an English major to know that.

    Second Law of Blissful Ignorance

  15. Re:Not really . . .. by PooF · · Score: 1

    The problem is when a company already has people whose job is to keep an eye on employees. If they are told to watch for stuff coming out of e-mail then the boss, who doesn't know how to, could tell them to also watch for freemail services. Most (all?) employees need to go through a company server to get on the net, and because the freemail services only encrypt log-ins (exceptions apply) the smart network admin guy can then set up filters to record mail being sent to/from hotmail, yahoo etc.

    The lesson however is encrypt the connection from the start all the way to the log-off. If Yahoo or Hotmail does this, there will be a jump in the number of other freemail services who offer the always encrypt option.

    --
    From: Aaron "PooF" Matthews

  16. Re:Don't count on it! by rgmoore · · Score: 1

    Note that keystroke logging will let them read mail that I'm writing, but they'll need something a bit more powerful to figure out what I'm reading. Keystroke logging will let them see that I typed:

    [my password]
    pine[enter]
    I
    [enter]
    ...

    Not very informative if you're trying to see whether the bad guys are sending me secret messages. OTOH, they can read my password unless I'm truly paranoid and bounce back and forth between the place where I'm typing it in and another text box where I type gibberish.

    Fortunately, I don't work somewhere paranoid enough to do that kind of thing. Heck, they let me install SSH on their machines without complaint, which no organization that was really paranoid about security would do, and they let me plug my laptop into the company network, so I can actually be reasonably confident that on at least one computer they aren't doing keystroke monitoring. Part of the reason that I like my current job and haven't gone somewhere that would pay a lot more is because I like that kind of attitude; I'd advise anyone who's really worried about this stuff to consider that before they jump straight for the job with the best pay.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  17. Oh no... by Greyfox · · Score: 1

    I expect you to do that, when I collect welfare checks under three different names. I also run a black market viagra ring out of Tijuana and sell live goat porn on the internet.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  18. Yep. by buffy · · Score: 1

    If it's on the corporate network (LAN/WAN/whatever) it's owned by the company. Expect no right to privacy whatsoever. There have been plenty of court cases which have upheld the right of corporate ownership in such cases. Minimally, a company may be required to provide a statement of said ownership to its employees, but that may not be necessary in many cases.

    If you don't want the company to see it...don't do it on their network. Done. 'nough said.

  19. Re:If this surprises anyone... by grammar+fascist · · Score: 1

    Depends on how good they think I am, and what kind of job security I've built into the solutions I've implemented. ;)

    --
    I got my Linux laptop at System76.
  20. Re:Any good SSL/web based packages ??? YES! by matty · · Score: 1
    I'm running Debian 2.2 (Potato) on my server with IMP as the webmail program. It's very cool.

    You'll need to install MySQL, Apache-SSL (if you want to be secure and encrypted :) and horde as well, but the dependencies will take care of that. (I just LOVE apt! :)

    If you choose to install it, my recommendation from personal experience is to install MySQL first (by itself), set the MySQL root password, then install imp/horde/apache-ssl.

    Requires a bit of tweaking of the Apache files, but hey if I can figure it out, anyone can. :)

    Cheers....

  21. The cause of confusion... by Aphelion · · Score: 1
    ...probably comes from the fact that all the web-based services use phrases like "for your protection" and "to ensure your privacy" and they only go on to remind you to log out. How silly.

    However, let's not forget the Slashdot story that Yahoo! will soon begin offering encrypted mail. That's a certain exception, and should prove employers' snooping efforts fruitless. Right?

  22. This is nothing new by Cerlyn · · Score: 1

    If you can monitor what web page URLs employees visit from the office, it is trivial to monitor the HTML content of those pages as well. Other protocols likewise can be easily decoded. I do not see what the big deal is here. Employers likely could pick up your password from many of these web-mail systems with ease at their Internet gateway.

    Even if a page is https:// encrypted, I can think of a proxy game good enough that most "secure pages" could likely be made readable by your employer as well.

    On the other hand, at my university of all places, the administration has set up keyboard, screen, and local disk drive file monitoring in many of the computer labs. I do not know if they monitor network traffic (yet). Talk about taking "usage implies consent to monitoring" to an extreme. But I have yet to see anyone be discouraged from using the systems, or stopped from installing personal programs on them, despite the risk of losing their network account.

    1. Re:This is nothing new by Vulture_ · · Score: 1

      Wrong. https is done via the HTTP 'CONNECT' method, something like this:

      CONNECT host.dom.ain:443 HTTP/1.1
      Host: host.dom.ain:443

      The encryption work is still done by the machine you're sitting in front of, and you're passing encrypted data through that proxy. Otherwise, it would kind of defeat the purpose of SSL...

      --

      The only way the typical /.er can pick up a chick is with a forklift. -- AC
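
The CONNECT exchange Vulture_ describes, carried end to end on loopback as an added example (this is not code from the thread): a tiny proxy that accepts `CONNECT host:port`, opens the target, answers `200 Connection established` and from then on relays bytes it cannot interpret; an echo server standing in for the TLS origin; and a client that sends the request, waits for the 200, and only then talks through the tunnel. The proxy's log shows what such a gateway can record about a session without breaking into it: the target host and port and the byte counts in each direction. Hosts, ports and the payload are constructed for the example. The caveat behind Cerlyn's "proxy game" still holds: the tunnel hides content only as long as the browser does not trust a certificate the proxy can mint, which an employer-managed workstation can be configured to do.

```python
"""HTTP CONNECT tunnel in miniature: proxy, stand-in origin and client, all on loopback."""
import socket
import threading

def parse_connect(request):
    """Parse the head of 'CONNECT host:port HTTP/1.x'; return (host, port) or None."""
    head = request.partition(b"\r\n\r\n")[0]
    parts = head.split(b"\r\n")[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not port.isdigit():
        return None
    return host.decode("ascii"), int(port)

def _recv_head(sock):
    """Read up to the blank line that ends an HTTP head; return (head, bytes after it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest

def _pump(src, dst, counts, key):
    """Copy bytes one way until EOF. The proxy learns their length and nothing else."""
    for data in iter(lambda: src.recv(4096), b""):
        counts[key] += len(data)
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)   # pass the EOF along to the other side
    except OSError:
        pass

def connect_proxy(listener, log):
    """Serve one CONNECT: open the target, answer 200, then relay opaque bytes both ways."""
    conn, _ = listener.accept()
    head, rest = _recv_head(conn)
    target = parse_connect(head)
    if target is None:
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        conn.close()
        return
    upstream = socket.create_connection(target)
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    counts = {"up": len(rest), "down": 0}
    upstream.sendall(rest)                      # anything the client sent early
    pumps = [threading.Thread(target=_pump, args=(conn, upstream, counts, "up")),
             threading.Thread(target=_pump, args=(upstream, conn, counts, "down"))]
    for t in pumps: t.start()
    for t in pumps: t.join()
    conn.close(); upstream.close()
    log.append({"target": target, **counts})    # all the gateway can record

def echo_origin(listener):
    """Stand-in for the remote TLS server: echoes whatever the tunnel delivers."""
    conn, _ = listener.accept()
    with conn:
        for data in iter(lambda: conn.recv(4096), b""):
            conn.sendall(data)

def client_via_proxy(proxy_addr, target, payload):
    """Request a tunnel, wait for the 200, then send payload and collect the reply."""
    s = socket.create_connection(proxy_addr)
    authority = f"{target[0]}:{target[1]}"
    s.sendall(f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode())
    head, got = _recv_head(s)
    if b" 200 " not in head.split(b"\r\n")[0]:
        s.close()
        raise RuntimeError(head)
    s.sendall(payload)
    s.shutdown(socket.SHUT_WR)                  # our EOF is what ends the echo
    with s.makefile("rb") as f:
        got += f.read()
    s.close()
    return got

def _listen():
    s = socket.socket()
    s.bind(("127.0.0.1", 0)); s.listen(1)
    return s

def run_demo(payload):
    """Wire origin, proxy and client together; return (echoed bytes, proxy log)."""
    origin_l, proxy_l, log = _listen(), _listen(), []
    workers = [threading.Thread(target=echo_origin, args=(origin_l,)),
               threading.Thread(target=connect_proxy, args=(proxy_l, log))]
    for t in workers: t.start()
    echoed = client_via_proxy(proxy_l.getsockname(), origin_l.getsockname(), payload)
    for t in workers: t.join()
    origin_l.close(); proxy_l.close()
    return echoed, log
```

`run_demo(b"...")` returns the bytes that came back through the tunnel together with the one log entry the proxy could write; note that the entry names the target and the sizes but nothing about the payload, which is the whole point of letting the endpoints do the encryption.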

  23. Re:Many corporations block outbound SSH by AndroSyn · · Score: 1

    A while back I had to deal with a similar problem of everything but port 80 being blocked. They did have a proxy server where I could connect to port 80. Doing some very evil things I managed to hack up a copy of SSH on a server and the client to do something like this..

    Connect to port 80 of the SSH server:
    Send GET / HTTP/1.0

    The hacked up SSH server ends up sending..

    HTTP/1.0 Okay
    SSH-1.5-1.2.25

    And then the SSH transaction proceeded as normal... I dunno if this would work with all proxy software, but if it's just a simple port blocker, you might not even need to do this, just talk on port 80...

    If anybody wants the patches for my hacked up ssh server let me know...
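
AndroSyn's trick, together with the check a network admin would want for it, as an added example (the poster's patches are not on the page and this is not them): `wrapped_greeting()` reproduces the reply described in the post, a status line followed by the SSH version string, kept exactly as the post gives it even though "HTTP/1.0 Okay" is not a valid status line. `classify_server_bytes()` looks at the first bytes a server sent back and labels them as ordinary web traffic, a bare SSH banner, or an SSH banner hiding behind an HTTP status line, and `flag_flows()` runs that over a few constructed flows and reports SSH showing up on any port other than 22. Addresses and the other banners are made up for the example.

```python
"""Spot SSH banners on web ports, including ones wrapped in a fake HTTP reply (added example)."""
import re

SSH_BANNER = b"SSH-1.5-1.2.25"   # the version string shown in the post

def wrapped_greeting(banner=SSH_BANNER):
    """What the patched server answers to 'GET / HTTP/1.0', as the post describes it."""
    return b"HTTP/1.0 Okay\r\n" + banner + b"\n"

_SSH_LINE = re.compile(rb"^SSH-\d+\.\d+-\S+")   # SSH-protoversion-softwareversion
_HTTP_STATUS = re.compile(rb"^HTTP/\d\.\d\b")    # deliberately loose: accepts the post's line

def classify_server_bytes(data, max_lines=8):
    """Label the first bytes a server sent: 'http', 'ssh-direct', 'ssh-in-http' or 'unknown'."""
    lines = [l.rstrip(b"\r") for l in data.split(b"\n")[:max_lines]]
    if _SSH_LINE.match(lines[0]):
        return "ssh-direct"
    looks_http = bool(_HTTP_STATUS.match(lines[0]))
    if any(_SSH_LINE.match(l) for l in lines[1:]):
        # a banner a few lines down: hidden behind an HTTP status line, or just late
        return "ssh-in-http" if looks_http else "ssh-direct"
    return "http" if looks_http else "unknown"

def flag_flows(flows, allowed_ssh_ports=(22,)):
    """flows: (client, server, port, first bytes from server). Returns SSH on non-SSH ports."""
    hits = []
    for client, server, port, data in flows:
        verdict = classify_server_bytes(data)
        if verdict.startswith("ssh") and port not in allowed_ssh_ports:
            hits.append((client, server, port, verdict))
    return hits

# Constructed flows (not captured traffic): a real web page, the wrapped-SSH trick on 80,
# bare SSH on 443, bare SSH on 22 (allowed), and binary noise that matches nothing.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 80, b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"),
    ("10.0.0.7", "203.0.113.20", 80, wrapped_greeting()),
    ("10.0.0.7", "203.0.113.21", 443, b"SSH-1.99-example\r\n"),
    ("10.0.0.8", "203.0.113.22", 22, b"SSH-1.99-example\r\n"),
    ("10.0.0.9", "203.0.113.23", 80, b"\x00\xff\x13\x37garbage"),
]
```

Run `flag_flows(SAMPLE_FLOWS)` and the two port-7 sessions come back flagged while the real page and the SSH on 22 do not; the same classifier dropped into a proxy or IDS that can see the first server bytes is what turns "just talk on port 80" from invisible into a one-line alert.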

  24. Re:encryption by PooF · · Score: 3

    There is a plugin called PGP For ICQ that will allow you to encrypt ICQ messages, and I think that PGP 7.0 has this built in. The linked plug-in has source code also (as of now source for 0.5 only, the current release is 0.9)

    Correct me if I'm wrong...

    --
    From: Aaron "PooF" Matthews

  25. herm... by fjordboy · · Score: 1

    So...is this article trying to say that I should not leak super secret confidential trade secrets over AIM when I am on a company phoneline?

    *sarcasm* I never woulda thought...*/sarcasm*

  26. Big deal by The+Man · · Score: 1
    I really don't see the importance of this. We've already seen, repeatedly, that web-based mail isn't even secure from 12-year-old script kiddies. There's nothing less secure than web-based mail - most of them use cleartext passwords, cleartext everything. Their backends are weakly protected and the frontends are buggy and unreliable. If you expect any kind of security - be it from sniffing or from backend intrusion - from web-based mail, you're a complete fucking idiot and should have your computers taken away.

    You want security, use GPG-encrypted mail through SSL tunnels on both the SMTP and IMAP sides on a mail server you own on bandwidth you pay for. And make damn sure your machines are physically and electronically protected, are running Unix, are behind a firewall, and are well-maintained. If you need more security than that, I'd suggest something involving code names, lasers, high-frequency burst transmissions, and guys wearing trench coats milling around in a fog-bound park.

  27. Re: maybe at YOUR workplace... by AFCArchvile · · Score: 1
    ...after all, you do work for the government; seeing government bandwidth being chewed up by frivolous cavorting by government employees is a disgrace and a public relations disaster waiting to happen. However, most of this happens at big businesses where the cubicle makes a great hiding spot for the employee to go check out their e-mail or chat with that guy in the next building.

    I'm glad to see this display of morality by a government employee; however, I wish that I'd seen the same from someone higher up in the government ladder (Slick Willy).

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
  28. Re:Not really . . .. by Ommadawn · · Score: 1

    Some employers *severely* discourage this under the aegis of "we don't want to be liable if your nice toy gets lifted".

    --
    Restrictions are prohibited. Be well, get better.
  29. Re:Use hushmail by fm6 · · Score: 2
    The whole mailbox, or just the inbox? I noticed that they encourage you to move your messages out of the inbox as soon as possible.

    In any case messages to/from non-Hushmail users leave/arrive in non-encrypted form. That's still too much openness for really sensitive messages. If you really want to protect your messages, you should send and receive with public key encryption.

    I have to admit that I've used web mail to avoid sending email through an employer's server. This wasn't actually my choice -- I was working for a job shop that asked me to communicate with them this way. But, as this news item points out, I wasn't really gaining any privacy. If the portal company had conspired with my employers...

    As with any security measure, securing your email is a question of making it too much trouble for people to crack the perimeter. If you think you're getting absolute security, you're fooling yourself -- and that's more dangerous than no security at all.

    __________

  30. My experience running the corp proxy by dustintodd · · Score: 2

    For several years I was part of a team that ran corporate web proxies for a 30,000-employee firm. At the time there was no policy against using web-based email. But in one incident I can remember, we did review proxy logs in an attempt to determine the source of an anonymous email that was directed at an employee. We did so by searching the log for logins to a web-based email system that happened to have the userid in the URL. It was an effort to determine if the email was actually from another employee. We never had cause to sniff the entire HTTP activity of a single user. But we could have with little effort, and would have if directed by HR.
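
The proxy-log search dustintodd describes, and the filtering on freemail hosts PooF mentions earlier in the thread (post 15), as an added example that belongs to neither post: it parses a few constructed Squid-style access.log lines, keeps the requests to the web-mail domains named in the thread, records whether each went in the clear (`GET http://...`, every byte visible to the proxy) or through a CONNECT tunnel (only the host and port visible), and pulls a user id out of the query string where one is in the URL. The log lines, the domain list and the query-string key names (`login`, `user`, `username`) are assumptions made for the example; real services used their own parameter names.

```python
"""Audit proxy logs for web-mail use: who, which service, plaintext or TLS, visible user ids."""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

WEBMAIL_DOMAINS = ("yahoo.com", "hotmail.com", "hushmail.com")   # services named in the thread
USERID_KEYS = ("login", "user", "username")   # hypothetical query keys a login might carry

# Constructed Squid native-format lines (not real traffic). Fields:
# time elapsed client action/status size method url ident hierarchy/peer type
SAMPLE_LOG = """\
974385600.101   120 10.1.2.3 TCP_MISS/200 4520 GET http://mail.yahoo.com/ym/login?login=alice&.rand=77 - DIRECT/203.0.113.1 text/html
974385602.440    80 10.1.2.9 TCP_MISS/200 9120 GET http://www.cnet.com/news/ - DIRECT/203.0.113.2 text/html
974385610.002  3100 10.1.2.3 TCP_MISS/200 15100 CONNECT www.hushmail.com:443 - DIRECT/203.0.113.3 -
974385615.330   210 10.1.2.9 TCP_MISS/200 3320 GET http://www.hotmail.com/cgi-bin/hmhome?login=bob - DIRECT/203.0.113.4 text/html
garbage line to skip
974385620.500    95 10.1.2.3 TCP_MISS/200 2210 GET http://mail.yahoo.com/ym/ShowFolder?box=Inbox - DIRECT/203.0.113.1 text/html
"""

def _webmail_domain(host):
    """Map a host name to the web-mail service it belongs to, or None."""
    host = host.lower()
    for d in WEBMAIL_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

def parse_line(line):
    """Return (client, method, url) for a Squid native line, or None if it does not parse."""
    f = line.split()
    if len(f) < 7:
        return None
    return f[2], f[5], f[6]

def audit(log_text):
    """One record per web-mail request, with what the proxy could see of it."""
    records = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        client, method, url = parsed
        if method == "CONNECT":                       # tunnel: host:port only, content opaque
            host, tls, userid = url.rsplit(":", 1)[0], True, None
        else:                                         # plain HTTP: full URL, query string included
            parts = urlsplit(url)
            host, tls = parts.hostname or "", parts.scheme == "https"
            qs = parse_qs(parts.query)
            userid = next((qs[k][0] for k in USERID_KEYS if k in qs), None)
        service = _webmail_domain(host)
        if service:
            records.append({"client": client, "service": service, "tls": tls, "userid": userid})
    return records

def summarize(records):
    """Per client: how many web-mail requests were readable vs tunnelled, and which ids showed up."""
    out = defaultdict(lambda: {"plaintext": 0, "tls": 0, "userids": set()})
    for r in records:
        out[r["client"]]["tls" if r["tls"] else "plaintext"] += 1
        if r["userid"]:
            out[r["client"]]["userids"].add(r["userid"])
    return dict(out)
```

`summarize(audit(SAMPLE_LOG))` is the whole "who was logged in to what" answer dustintodd's team pulled by hand; the Hushmail session shows up as a CONNECT with no user id, which is exactly the difference PooF is pointing at.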

  31. Re:Not really . . .. by dustintodd · · Score: 1

    Why would the boss need to know how to do the sniffing? He can just order an admin to collect the traffic.

  32. Re:Use Licq! by LowneWulf · · Score: 1
    Agreed. There's nothing that says overkill like using LICQ to send strongly-encrypted packets to the person in the next cubicle. I love that sort of thing.

    Hmmm I wonder if the managers two or three levels up realize the guys at the bottom can sniff just as easily as the IT department :)

  33. AIM-ssl anyone? by Zog · · Score: 1

    I read up on the TOC protocol a while ago (before it went 'closed'), and read the GAIM code a bit too... It seemed that it wouldn't really be hard at all to put SSL in to encrypt the messages - one could set it up so that before sending, the body part of the message could be encrypted (and maybe be html-encoded), keep the headers intact, and then have the other side decrypt...

    (gazes off into the distance, as Garth would) It just seems too easy...

    Seriously, though: If this could be in high demand, e-mail me and I'll consider using my 5th period (Directed study... Only no one else can figure out what I'm doing :) ) to work on it

    -Brian

  34. Re:Encryption doesn't matter by scruffyMark · · Score: 1
    I'm guessing you're talking about VNC (virtual network computing). That's some pretty scary stuff - it is really insecure.

    We were using it for a while at work, so we could restart server processes without getting up off our arses and walking over to the server. (Incidentally, I guess that tells you we aren't using UNIX.) Anyway, I was working one day, and noticed that the mouse was moving around on the server, and the only person who should have been on VNC was me. Freaked me right out... Upshot of it is, we don't use it anymore.

    --

    What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht

  35. Another good reason... by Dest · · Score: 1

    Not to use the office internet connection for personal use. Except on breaks.

    1. Re:Another good reason... by fjordboy · · Score: 1

      I was simply curious about what the moderators were smoking when they listed the FIRST POST as redundant......crack must be really strong or something...or else the moderators should look at the little number to the right of the time/date and notice that this post was the first..and cannot be redundant...geez...


    2. Re:Another good reason... by StarKruzr · · Score: 1

      How is this redundant?! It's even RELEVANT for God's sake!

      Taco, please pay attention.

      --

      +++ATH0
    3. Re:Another good reason... by stressky · · Score: 1

      Well... If you're stupid enough to browse pr0n on your company intra/internet connection AND stupid enough to get caught, then bravo to you! You give us a reason to laugh and ensure that people who don't deserve to have jobs don't get (or keep) them. Having said that, I must confess to being a chronic web-browser myself... both at work and at home... HOWEVER I do not browse "inappropriate content" at work. I keep my browsing at work to items relating to the work I do.

      --
      ...this is getting out of hand
    4. Re:Another good reason... by Bryan+Andersen · · Score: 2
      Not to use the office internet connection for personal use. Except on breaks.

      Not even breaks are safe.

      To keep the stuff I really want to keep private private, I use my Palm Pilot, modem and TGPostman over a VPN link to home to get and send my email. Sure they can tap the phone, but all they will get is encrypted garbage.

    5. Re:Another good reason... by Anonymous Coward · · Score: 1
      Why was this moderated as funny?? You're at work and presumably getting paid for your services. The resources you use are the property of your employer. If you use them to chat or browse the web or even email anybody for personal matters you have to expect that it will be monitored for appropriate use. Your company could be held responsible for the actions you take while using their equipment and resources... there's no reason why you shouldn't be held accountable to company policies. If you want to chat and browse porn, DO IT AT HOME!

      Speaking as someone who is tasked with being the network nazi and monitoring communications, I'm glad to see people busted for misuse. I'm glad to see that the system works and that their employment gets terminated, especially when they spend most of their time doing nothing but browsing or trying to chat. I have absolutely no sympathy for people who are so disrespectful of their company policies that they openly defy them. Do you really think no one is watching you?

      Again, speaking for myself, we keep detailed logs of all traffic and archive them indefinitely. It's not out of some perverse pleasure though, it's required.

      So, back to the topic at hand.. again, I stress.. do this shit at home! Save us security weasels the trouble of correlating all those logs of your porn browsing and ICQ sessions... I have better things to do.

    6. Re:Another good reason... by atlasheavy · · Score: 1

      Even then, it can still be a really big mistake to send email from work. Of course, if you're emailing illegal/proprietary company information to someone while you're at work maybe you deserve to get caught...

      --

      iRooster, the Mac OS X a
    7. Re:Another good reason... by plague3106 · · Score: 2

      Well, had you read the article, you would have noted that using Yahoo mail to conduct personal email should be encouraged to limit liability if that person is sending sexist/racist or bad-taste emails. This 'waste of time browsing or chatting' is probably a well-needed break. Where I work it is actually encouraged to do this because it allows us to get back to work more quickly if we are having a mind block or are doing something tedious. Would you rather someone browse the web for 10 minutes or stare blankly at the screen for 20? You incorrectly assume that people only surf for porn. I searched the web because I wanted to set something up on my network at home. I probably would not have been able to do it without spending just a little time at work researching it. It paid off when I overheard they needed pretty much the same thing done there. I was able to implement it much faster because I already had the experience from home.

      I worked for a company that was heavily into monitoring and control; the turnover rate is around 50%. That's not the only reason, but it's just one more of many. Businesses like yours need to wake up and realize that people are not machines, and cannot concentrate hours on end at ONE task. Minds wear down. You may not notice it in your job, since I'm sure each task you have usually does not last more than a few hours, and even then must be broken up so you can deal with other things. But that's not how it is with most jobs. Just as the article states, people also have a life; they have personal business to attend to. How are they to get anything done if most of the day they are locked up, especially if the business is discussing something with another business, only open M-F, 8-5? It's difficult, to say the least. My company respects the needs of its employees, and gives them a pretty large leeway in what is acceptable to take care of/do at work. In return, each employee pours their heart and soul into the company, and genuinely wants the company to succeed.

  36. Use the anonymizer! by zgreppuppy · · Score: 3

    Buy an account from anonymizer.com, and sign up for the "Secure Tunneling" option -- $10 per month. On your local machine, you use SSH configured to port-forward ports 25 (SMTP) and 110 (POP3) to mail.anonymizer.com. You configure your local POP3/SMTP clients to connect to localhost, and the connections are securely forwarded through the Anonymizer. This can be done with Netscape, for example.

    This assumes that you have some way of setting up SSH locally, and that there's no keystroke monitoring going on. In both cases, you're probably better off if you have a linux box.

    GP

  37. The CEO's wife by xant · · Score: 4

    That's why, when I send my love letters messages to the CEO's wife, I wait until my boss goes to lunch and use his computer. And sign it with his name.
    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
    1. Re:The CEO's wife by leo.p · · Score: 1

      Damn. That wasnt the kind of blow job I was hoping for.

    2. Re:The CEO's wife by leo.p · · Score: 1

      MEMO to slashdot staff: The submit and preview button are too close together.

  38. I really don't think that they care... by garcia · · Score: 1

    I received a message this summer from an individual that worked for a State government agency. It had a faked from address, but the header information showed the IP it came from. I contacted the agency and forwarded the message and info. I was contacted by phone and ended up tracking the individual down with them. They found out who it was, but they apparently never did anything more than warn him. Now. This is a state government agency... They obviously didn't intercept the message, and really didn't care that he broke several of their rules concerning proper conduct on the Internet from their machines. Do other companies really give a flying rat's ass? With plugins to ICQ that support SSL and ssh for telnet, I would see no reason why anyone wouldn't be protected (even if they were to give a shit what you said or did).

    Just my worthless .02
    - Bill

  39. What about Desktop On Call? by los+furtive · · Score: 1

    It's a great IBM app very similar to PC Anywhere that allows you to simulate a host desktop through any java-enabled browser.

    When I get to work I simply open up a browser window and connect to my computer at home, then I can ICQ to my heart's desire while downloading songs from Napster and working on my web pages from home. How easy is it for my employers to see the data I transmit if it is going through a java applet?

    Anyone else doing this?

    --

    I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.

    1. Re:What about Desktop On Call? by Dr.+Sp0ng · · Score: 2

      How easy is it for my employers to see the data I transmit if it is going through a java applet?

      Well, that depends - it's still an IP stream, and the packets are still going through your employer's network so they can sniff the packets. Whether or not they can understand those packets depends on whether the applet does encryption at all.
      --

  40. The URL by Lord+Ender · · Score: 1
    People have been telling me to post the URL so here it is:

    www.licq.org

    Silly me, I should have thought to post it. It really is an excellent piece of software.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  41. Re:No they dont deserve it by KingBozo · · Score: 1

    You are incorrect. If you are using their network to read your email, wherever it may be, you are using company resources and are bound by whatever the company wants to do with its network.

    If you don't like the rules don't play the game.

  42. Re:Use hushmail by dragonfly_blue · · Score: 2

    Except, even keystroke logging can't read an email sent to you... although they could have screen capture software, but come on, you know they don't. The last five jobs I've been at, the management wouldn't have known how to install a keystroke logger if you had whapped them on the ass with a genius stick.

    --
    Free music from Jack Merlot.
  43. Re:Not really . . .. by Anonymous Coward · · Score: 1

    If you're really paranoid you can get around keystroke monitoring by going to a frequently updated website such as Slashdot and using copy and paste to put letters and words into you're [sic] message.

    Umm...no. You are dumb.

    1. That is stunningly impractical. If you have information that really needs to be hidden, you probably aren't someone who has the time to sit around looking for the exact phrase, word, or even letters you need to copy and paste into your important document.
    2. Keystroke loggers aren't the only such technique. Commonly available software such as BackOrifice and NetBus (and their more corporately accepted cousins) are completely capable of taking a screenshot, recording copy/paste commands (and buffer contents), etc. Just taking a screenshot at the right moment would be enough to completely defeat this technique.
  44. Not really . . .. by jgaynor · · Score: 2

    With the switch from shared to switched band Local Area Networks, snooping is almost impossible anymore. On Cisco equipment, monitoring all traffic types is only possible if you have enable privileges. Bosses usually don't, and if they do they wouldn't know how to set up the necessary listening apps (tcp, udp). Not to blow my cover, but LAN admins usually can snoop quite well because of their access rights and know-how. We've fired two people from telecomm at my University for just such intrusions.

    1. Re:Not really . . .. by Nipok+Nek · · Score: 1
      The keystroke monitors can capture what you type, even before it is encrypted!

      Then encrypt it BEFORE you type it in. Print up a page of barcodes representing the standard printable keys on a keyboard, and use your :CueCat scanner to type. Let them try and decipher THAT plain text :)

      A very evil NipokNek

      --
      Why choose white shoes?
    2. Re:Not really . . .. by Anonymous Coward · · Score: 1

      On Cisco equipment, monitoring all traffic types is only possible if you have enable privileges.
      Ermm.... I hope you are not a network engineer, son.
      1. How about flooding the switch with false MAC addresses to max out the bridging table. All traffic gets sent to all ports.
      2. Spoofing the router's MAC and redirecting traffic once you've logged it....

    3. Re:Not really . . .. by Garpenlov · · Score: 1

      With the switch from shared to switched band Local Area Networks, snooping is almost impossible anymore

      That should read, snooping by "unauthorized people." Do you really want your non-network-admin types sniffing your network?

      On Cisco equipment, monitoring all traffic types is only possible if you have enable privileges.

      As it should be, although just because you're using a switch doesn't mean an unprivileged user can't see all traffic... See
      http://www.monkey.org/~dugsong/dsniff/

      Bosses usually don't, and if they do they wouldn't know how to set up the necessary listening apps (tcp, udp)

      Since when do 'bosses' do it themselves anyway? They just have the people that know how do it...

      Not to blow my cover, but LAN admins usually can snoop quite well because of their access rights and know-how

      Uh.. In my position, snooping is encouraged, as a troubleshooting and management tool, and also for ... snooping.

      We've fired two people from telecomm at my University for just such intrusions

      What, because they were LAN admins and were snooping?

      That's harsh...

      --
      --- Where's my X.400 protocol decoder?
    4. Re:Not really . . .. by spellicer · · Score: 3
      With the switch from shared to switched band Local Area Networks, snooping is almost impossible anymore.

      This would only apply if employees were concerned with employers snooping internal communication. Unless these employees each have a personal line to the Internet, the shared pipe out provides a pretty good perch to sniff from.

      On Cisco equipment, monitoring all traffic types is only possible if you have enable privileges. Bosses usually don't, and if they do they wouldn't know how to set up the necessary listening apps (tcp, udp).

      Switched networks aside, it's not the executives that are setting up monitoring. It's the net admin. If they can't set up a sniffer they shouldn't be in charge of this stuff. They also don't need anything too specific. Even the most rudimentary sniffer will be enough to get whatever an employer wants.

      Along the lines of the point-to-point solutions such as SSL'ed web-based e-mail, Hushmail and the like, you're really just upping the ante for the system administrator. The article (if anyone actually ever reads the articles Slashdot references) makes a good point about keystroke grabbers, etc. It's always possible for an adept admin to trojan your box for "official business." If it ain't your box, you lose. Very few ifs, ands, or buts about it. Hell, a really persistent admin can grab PGP keys out of memory and escrow :) them for you.

      Bruce Schneier's new book has great stuff on these extremes and how they aren't as extreme anymore. He puts it best throughout his book with the futility of trying to protect data using a system you don't control. He mostly looks at it from the angle of the user being the attacker, but obviously the concepts apply in reverse. This time the chump sitting at the keyboard is us.

      If it ain't yours, don't trust it.

      Stephen
    5. Re:Not really . . .. by rongen · · Score: 2

      lilo: linux single

      # passwd

      --8<--

      --

      --8<--
    6. Re:Not really . . .. by darf · · Score: 5

      I'll assume by your post that you are in a university environment. Well I'll tell you that the corporate world is very different.

      For starters, many, many companies still use hubs for their networking. If you are plugged into a hub then you can hear anything on your subnet. I have personally worked with small to medium sized companies, with tens to thousands of users, who still link end stations to the LAN with hubs. In these cases snooping by the boss is actually less of a threat than your neighbor running an SMB sniffer and cracking your clever M$ password of "password".

      Second, with the proliferation of intrusion detection systems it is becoming less and less possible for your traffic to not be examined. Large organizations use IDS not only on their Internet connections, but on their internal networks as well. This is because a majority of security violations occur on the inside of a network. By definition, an IDS system must hear everything that happens on a segment it is to protect.

      Third, bosses may not be technically capable of setting up a sniffer, but they are very aware that the opportunity exists. They will order the use of sniffing technology if they believe that they must use it to accomplish something. In practice, they will only do this if there is a significant reason to do so because of legal liability.

      Fourth, something like 60% of US companies actively monitor their employees' use of Internet resources. They may not look at each payload, but if you are spending 50% of your day going to Hotmail with your browser, chances are that they already know about it.

      Remember that in the US the current opinion is that if you are using a company's computer then the company owns the data input into or produced from that computer. If you are doing something that might be a no-no, you'd better not do it.

    7. Re:Not really . . .. by sedawkgrep · · Score: 1

      Um...switched? For an aggressive attacker, be they admin or otherwise, being on a switch does you almost no good security-wise.

      Why?

      ARP. There are a million-and-one ARP (gratuitous or otherwise) spoofers/relayers out there nowadays. Relaying your packets allows the attacker to not only sniff, but intercept, block, modify, or originate new traffic......and ARP flooding can fill the MAC table and leave many switches in 'open' mode.

      Protection? Static ARP...but that is unmanageable in most environments, and it seems I remember WinXX boxes accepting MACs from the network, subsequently overriding statically defined ones. (ouch!)

      Oh...and if you use DHCP you're still sunk.

      You guys need to get it through your heads that encryption is your only protection...and even that has to be suspect if you don't have autonomous control over the endpoints.

      :-)

      Hopefully PKI and IPv6 will lead us into a happier day. Having encryption (well, ipsec) below the application layer will make me a happy guy.

      sedawkgrep

      --
      Is that a salami in my pants or am I just happy to be me?
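The two switched-LAN tricks raised in this sub-thread (the AC's MAC-table flooding and sedawkgrep's ARP spoofing) both leave a footprint that a LAN admin can watch for. The following is an added example, not code from the original thread or from any tool mentioned in it: it runs two simple detectors over a constructed trace of observed ARP replies. The trace format (timestamp, switch port, sender IP, sender MAC), the port names, the addresses and the thresholds are all assumptions for the demo; in practice the observations would come from a sniffer or from the switch's own ARP and MAC tables.

```python
"""Defender-side detection of ARP cache poisoning (an IP suddenly answering from
a new MAC, especially the gateway) and MAC-table flooding (a burst of distinct
source MACs on one switch port). Everything below is constructed for this example."""
from collections import defaultdict

# Constructed observations: (timestamp_s, switch_port, sender_ip, sender_mac).
SAMPLE_TRACE = [
    (0.0, "Gi0/1", "10.0.0.1", "00:11:22:33:44:01"),   # legitimate gateway
    (0.5, "Gi0/2", "10.0.0.25", "00:11:22:33:44:25"),  # a workstation
    (1.0, "Gi0/2", "10.0.0.25", "00:11:22:33:44:25"),  # normal repeat, no alert
    (1.5, "Gi0/3", "10.0.0.1", "00:11:22:33:44:99"),   # gateway IP claimed elsewhere
    (2.0, "Gi0/3", "10.0.0.25", "00:11:22:33:44:99"),  # same MAC now claims the workstation too
] + [
    # a burst of 60 never-before-seen source MACs on one port within 0.6 s
    (3.0 + i * 0.01, "Gi0/4", f"10.0.9.{i}", f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}")
    for i in range(60)
]

GATEWAY_IP = "10.0.0.1"   # assumed gateway address for the constructed LAN


def detect_arp_conflicts(trace, gateway_ip):
    """Return an alert whenever an IP answers from a MAC other than the one it was
    first seen with. A change on the gateway IP is flagged separately because that
    is the classic man-in-the-middle setup. Legitimate DHCP moves and NIC swaps will
    show up here as well, so treat the output as triage, not proof."""
    seen = {}      # ip -> (mac, port) from the first time we saw that IP
    alerts = []
    for ts, port, ip, mac in sorted(trace):
        prev = seen.get(ip)
        if prev is not None and prev[0] != mac:
            kind = "gateway_impersonation" if ip == gateway_ip else "ip_mac_conflict"
            alerts.append({"ts": ts, "kind": kind, "ip": ip,
                           "old_mac": prev[0], "new_mac": mac, "port": port})
        seen.setdefault(ip, (mac, port))   # keep the first binding as the baseline
    return alerts


def detect_mac_floods(trace, window_s=1.0, threshold=20):
    """Return {port: (ts, distinct_macs)} for the first moment a port shows more
    than `threshold` distinct source MACs inside a sliding window of `window_s`."""
    history = defaultdict(list)   # port -> [(ts, mac), ...] still inside the window
    flooded = {}
    for ts, port, _ip, mac in sorted(trace):
        hist = history[port]
        hist.append((ts, mac))
        while hist and hist[0][0] < ts - window_s:
            hist.pop(0)
        distinct = len({m for _, m in hist})
        if distinct > threshold and port not in flooded:
            flooded[port] = (ts, distinct)
    return flooded


def main():
    for a in detect_arp_conflicts(SAMPLE_TRACE, GATEWAY_IP):
        print(f"[{a['ts']:.1f}s] {a['kind']}: {a['ip']} moved from "
              f"{a['old_mac']} to {a['new_mac']} on {a['port']}")
    for port, (ts, n) in detect_mac_floods(SAMPLE_TRACE).items():
        print(f"[{ts:.2f}s] mac_flood: {n} distinct source MACs on {port}")


if __name__ == "__main__":
    main()
```

On the constructed trace the first detector raises one gateway_impersonation and one ip_mac_conflict alert, both pointing at the same rogue MAC on Gi0/3, and the second detector flags Gi0/4 as soon as the 21st distinct MAC appears inside the one-second window. The static-ARP caveat in the post above still applies: the detectors only tell you something changed, and the per-port MAC limits that managed switches offer are the real mitigation for the flood case.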
    8. Re:Not really . . .. by Nailer · · Score: 1

      Spending 5 hours a day reading and posting to /. when you're behind schedule on shipping a new product is one example

      Okay. I'll stop.

    9. Re:Not really . . .. by martyb · · Score: 2

      The usage of SSL like on http://www.Hushmail.com would be the only way to get around it

      Not really. Sure, it'll keep things private from a sniffer, but as the article pointed out:

      Keystroke monitoring is an even more extreme surveillance tool that enables employers to read every key employees push--from the URLs of Web sites to email and instant messages, including deletions or changes they make in the process.

      Some programs, including the Silent Watch software that tracks employee computer use, retail for as little as $39.99. As many as 35 percent of all corporations already have these systems installed, according to Internet surveillance company Websense.

      The keystroke monitors can capture what you type, even before it is encrypted!

      Instead of engaging in a contest of cat-and-mouse with my employer, I look at it that I am there to provide a service for which I am paid. If I cannot realistically justify an on-line activity while I am at work, then I just wait until I get home. Keeps it simple.

      For example, I had a close relative who recently had major surgery and made a few e-mails (and phone calls) to keep in touch as to how the surgery went, when the visiting hours were, etc. I can't imagine my employer having trouble with that. I wouldn't work for a company that was so lacking in compassion.

    10. Re:Not really . . .. by aed · · Score: 1

      Of course there are ways around that too...
      LILO: linux init=/bin/bash

      Instead of loading /sbin/init it now loads a shell immediately after booting the kernel.
      Now use mount / -n -o remount,rw ; vi /etc/shadow or /etc/passwd and remove the root password.

    11. Re:Not really . . .. by Nothinman · · Score: 1

      Any decent distro *cough*Debian*cough* sets up sulogin to spawn from single user bootup, not just bash. So you're prompted for the root password or it starts up normally.

      Of course there are ways around that too...
      --

    12. Re:Not really . . .. by mindstrm · · Score: 3

      ? But that's not the point at all.

      It's not some rogue boss who has a sniffer that people dislike... it's when the company itself officially tracks things. That means the IT dept. is involved, and that means they CAN do it.

      LAN admins can snoop? Isn't that missing the point? It's the IT department's job to manage all aspects of information technology, including the LAN. If the company has a mandate to analyze that traffic, then it is the IT department who would do it.

    13. Re:Not really . . .. by RedWizzard · · Score: 1

      If you're really paranoid you can get around keystroke monitoring by going to a frequently updated website such as Slashdot and using copy and paste to put letters and words into your message. Then use an SSL based system like Hush or encrypt the email. Should be very hard to intercept.

    14. Re:Not really . . .. by cowscows · · Score: 1

      Sure the bosses don't know how to set up the listening apps, but what happens when they tell the LAN admins to do it for them?

      --

      One time I threw a brick at a duck.

    15. Re:Not really . . .. by drsoran · · Score: 2

      I don't think any employer would really have a problem with using their equipment and resources from time to time. The problem arises from employee abuse. Spending 5 hours a day reading and posting to /. when you're behind schedule on shipping a new product is one example of abusing your company's resources. Finish the job and if you have time during your lunch period or a break then browse the web if your company's policies permit it. If not, then browse from home. It's no different than it was 15 years ago really.. it's just a new communications tool. 15 years ago the abusers spent their day chatting on the phone.. now they're just chatting on ICQ.

    16. Re:Not really . . .. by drsoran · · Score: 1

      And also the number of them that will no longer work. You'd be surprised how many companies block SSL, whether it be out of incompetence by using a product like Microsoft Proxy Server or out of design.

  45. Re:SSL won't cut it either... by bzbb · · Score: 1

    A while ago there was an article about IP over DNS. That might be the trick.

    --
    The coffee god lives!
  46. encryption by KeyShark · · Score: 1

    Is there any plug-in for any of the message services that offers encryption?

    1. Re:encryption by prayes · · Score: 1

      actually, with yahoo! they have partnered with zixmail.com, however, the service is really clunky to use since you are using another external program for encryption/decryption!

      If you want easy to use encryption look into:

      sigaba.com
      hushmail.com

    2. Re:encryption by BradleyUffner · · Score: 1

      The newest version of Licq (unfortunately Linux only) can encrypt ICQ messages to other users of Licq.

    3. Re:encryption by mheckaman · · Score: 1

      It works great on FreeBSD as well, I'm using it at the moment. :P

      -Matt

      --

      Don't take life so seriously; it isn't permanent.

    4. Re:encryption by King+of+the+World · · Score: 1
      intercepted!

      matt: "BSD has a better IP stack"
      BSDood: "Yes it truly is so"
      matt: "So... do you like, stuff?"

    5. Re:encryption by titus-g · · Score: 1
      --

      ~ppppppppö

  47. Serves them right by lkaos · · Score: 4

    I work as a consultant for the government and it pisses me off to see so many employees goofing off at work. If people did what they are supposed to do, then the government wouldn't need to hire consultants. It doesn't bother me that people read personal email, but people will spend all their time online and NOT get their work done. It just really pisses me off.

    --
    int func(int a);
    func((b += 3, b));
    1. Re:Serves them right by David+Ham · · Score: 1
      yah. 'cause then half his damn income goes to taxes to hire others like him 'cause too many damn people are goofing off at work :)

      --
      you must amputate to email me
      i read all replies to my comments

    2. Re:Serves them right by RedWizzard · · Score: 1

      So let's see if I've got this right...
      You're pissed off because government employees are goofing off, which requires the government to hire consultants, which is what you are? You're pissed off because people are making your job necessary. Interesting perspective.

  48. Doesn't it depend on the business? by Improv · · Score: 2

    I've worked in places where they didn't mind, many of which explicitly said so. I don't understand why you think it's problematic if they don't think it is, especially if they explicitly say so. Many places one might work have the idea that being nice to their employees is good business. I imagine you think this is a strange concept?

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
  49. Re:yes, but what if they block the host? by AFCArchvile · · Score: 1

    The sysadmin could easily deny access to SMTP servers, thereby preventing you from sending e-mail. They could then claim that they're not inconveniencing you; after all, you can still use your POP3/IMAP server to read e-mail.

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
  50. Simple Rule of thumb by SubtleNuance · · Score: 1

    This article will come as no surprise to anyone here. Any network that is not wholly controlled by you should be assumed to be monitored, be that with sniffers/loggers, ping sweeps for entity discovery, or email screens. Do not trust any network. Encrypt anything of consequence. At work I may be the master of a couple of class C subnets, but the powers that be who _own_ that IP space (the Class A I live in..) may not hold my personal liberty in as high regard as I do.

    Even if not a part of some master-monitoring program designed to monitor all employees, you can assume some monitoring goes on; I'm guilty of it. Just think about the last time you snooped around using your operator/root/admin accounts/privs on the various boxes you 'own'. You have done it out of your voyeuristic desires - now imagine that it's now being done to you.. hard, isn't it.

    Get Ralph in the Debates!
    Tell your friends/neighbours/relatives to:

  51. Re:Whoa! It is really secure! by AFCArchvile · · Score: 1

    Even the login screen is on SSL, and mine snapped right to 128-bit! Now that's a great e-mail server!

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
  52. Re:Use hushmail by D|sturbed · · Score: 1

    Strong encryption won't do squat when they record your keystrokes straight off your PC.

  53. Let's not forget proxies... by kabir · · Score: 2

    A well designed proxy setup eliminates the need to snoop the network. Just have the proxy record what gets sent (which, in case you're wondering, is fairly trivial). The real bear with this sort of thing is finding the specific thing you want amongst all the crap.

    But I'm sure it's not a problem that a bored Perl programmer couldn't help out with ;)
    --
    Behold the Power of Cheese!
    1. Re:Let's not forget proxies... by MrBogus · · Score: 2

      A company I consulted at had a proxy specifically set up to capture Hotmail, Yahoo and other webmail sites and archive the messages off so the bosses could read through them. At least they let us know this (we were the "good" consultants as opposed to those "bad" contractors that were always hunting for new jobs or mailing off company secrets or whatever.)

      Don't know the product name, but that was 2 years ago.

      --

      When I hear the word 'innovation', I reach for my pistol.
    2. Re:Let's not forget proxies... by Anonymous Coward · · Score: 1

      We call this product 'grep'.
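
The proxy thread (kabir's "just have the proxy record what gets sent", MrBogus's webmail-archiving proxy, and the "grep" reply) and darf's "50% of your day going to Hotmail" remark earlier both come down to the same thing: the proxy log already answers who is talking to which webmail host, how often and for how long, with no packet sniffing at all. The following is an added example, not code from the original thread or from any product named in it. The log format (epoch timestamp, client IP, user, method, URL, status, bytes) loosely follows a Squid-style access log but is invented for the demo, as are every log line, host name and user name in it.

```python
"""What a proxy log gives an administrator without any packet sniffing: which
users talk to which webmail hosts, how many requests, how many distinct active
minutes, and how many bytes. Log format and all lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: epoch_ts client_ip user method url status bytes
SAMPLE_LOG = """\
1003155600.000 10.0.0.25 alice GET http://www.example.com/news 200 8192
1003155601.500 10.0.0.25 alice GET http://mail.example.net/inbox 200 5120
1003155630.000 10.0.0.25 alice POST http://mail.example.net/send 200 300
1003155700.250 10.0.0.25 alice GET http://mail.example.net/inbox?page=2 200 4096
1003155702.000 10.0.0.31 bob CONNECT webmail.example.org:443 200 10240
1003155720.000 10.0.0.31 bob CONNECT webmail.example.org:443 200 2048
1003155800.000 10.0.0.31 bob GET http://intranet.example.com/ 200 1024
garbage line that the parser must skip
"""

# Constructed watchlist of webmail hosts the administrator cares about.
WEBMAIL_HOSTS = {"mail.example.net", "webmail.example.org"}

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    if rec["method"] == "CONNECT":
        # A TLS tunnel: the proxy sees only host:port, never the request or body,
        # unless it terminates TLS itself (the setup KingBozo describes later on).
        rec["host"] = rec["url"].rsplit(":", 1)[0].lower()
    else:
        rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def webmail_activity(log_text, watch_hosts, bucket_s=60):
    """Per user: number of webmail requests, distinct active minutes, and bytes."""
    stats = defaultdict(lambda: {"requests": 0, "minutes": set(), "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in watch_hosts:
            continue
        s = stats[rec["user"]]
        s["requests"] += 1
        s["minutes"].add(int(rec["ts"] // bucket_s))   # one bucket per wall-clock minute
        s["bytes"] += rec["bytes"]
    return {
        user: {"requests": s["requests"], "active_minutes": len(s["minutes"]), "bytes": s["bytes"]}
        for user, s in stats.items()
    }


if __name__ == "__main__":
    for user, s in sorted(webmail_activity(SAMPLE_LOG, WEBMAIL_HOSTS).items()):
        print(f"{user}: {s['requests']} webmail requests over "
              f"{s['active_minutes']} active minute(s), {s['bytes']} bytes")
```

The CONNECT branch is the point worth noticing for the SSL argument running through this thread: an HTTPS webmail session still shows up in the proxy log as a host name, a time and a byte count, so the employer knows you were there and for how long even when the message bodies are hidden from them.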

  54. Assume the worst by Callon · · Score: 1

    I wish I could remember who first said this:

    "Write email with the assumption that your network / mail administrator is reading EVERYTHING, unless you know EXACTLY why they can't."

    The things people assume about computers always amaze me - so I think it behooves us all to assume the worst about what people are doing with computers, especially as it relates to any "interesting" data one chooses to store or transmit on shared devices.

  55. just what we need by davonds · · Score: 1

    Something to add to the general level of paranoia in the work place. Get real, nobody has the time to waste reading all of your email.

    On the other hand, an employer is responsible for the actions of their employees at the work place, and therefore has an obligation to monitor their activities. The real question is: do the benefits of said monitoring outweigh all the resources spent doing the monitoring?

  56. Why would they? by kuroneko · · Score: 1

    At my company, each individual employee has space on the network to save important e-mails and text files they may have received from supervisors/administrators. E-mails that were sent through the company's server that were questionable in nature were forwarded to that person's supervisor, and that supervisor made the decision on what to do.
    We also requested that if a technician had available time (we are an inbound call center) that they could use web-based e-mail programs to compose and check personal e-mail.
    I suppose that it's each company's preference. In my line of work the employees aren't always required to stay glued to their monitors when there's nothing to do. We don't, however, allow them to use messaging services like AIM or ICQ (even Java based) or even allow them to use telnet for any reason (strange, huh?). They're afraid that the techs would use it for (and I quote from our handbook) "Hacking, menacing, or other fraudulent use". Go fig. If my company is that paranoid about messaging, what are other companies so worried about? Not to mention that when the "I love you" virus was rampant, it was an upper admin that opened the attachment, thinking it was from his wife...infecting the entire callcenter (10 network drives for supervisors) and 1,400 employees' individual partitions. Smooth.

    --
    It compiles! Ship it!
  57. hushmail? - I can capture your Hushmail messages by Torqued · · Score: 1

    There are more ways to snoop than just scanning packets and HTTP logs. I used Omniquad's Desktop Surveillance [ODS] software to bust a friend's wife that was cheating on him. Whenever she fired up her mail client, mIRC, or her web browser, ODS would start taking screen captures and would then email them to me. It also has keystroke logging and remote screen monitoring. She was not happy when he slammed a 1-inch thick folder of all the "evidence" on the table.. Of course, ODS is a Windoze product... but most of the offices I have been in have Windoze on most of the desktops.

  58. Re:Use hushmail by KingBozo · · Score: 2

    If you were on my network I wouldn't even need to use a keystroke recorder. To use the web you have to go through a proxy; all other traffic is blocked. And your browser is set up to send plain text to the proxy, and the proxy then uses SSL between it and the site you are going to. Therefore even SSL traffic is easily recorded, and you are none the wiser.

    If you don't know the rules, don't play the game.

  59. Re:Whose computer is it? -- Mine by xpurple · · Score: 1

    I bring my iBook to work, that way I can have it set up the way I want. I have all the programs I enjoy using, and can actually do work more efficiently.

    Do you enjoy using random keyboards? Come home, and can't type worth shit? That's the problem I ran into the first week I was there. Yes, I'm a touch typist. Quite annoying; this solves the problem.

    Aside from that, I control what's installed on it. No keyloggers here. Trust me, I work in a very non-Mac place. Doubtful anyone would have done anything like that.

    But the point of this is yes. If it's the company's computer, it's not yours. Treat it as such. If it's yours, do as you will.

    Though, I do think it's a bit odd that they decided to stick me behind a firewall (only me)...

    --
    http://www.xpurple.com
  60. Re:There is no protection by Asic+Eng · · Score: 1

    Well I think that depends what your work situation is. I have root access on my machine, so I know (more or less) what's going on, on it. However I don't control what's happening to my data on the way to yahoo or some other website. So encryption would help me. I don't spend all that much time on the net (and my boss is ok with it) but I'd still resent being spied on.

  61. Re:Use hushmail by xdeadbeef · · Score: 1

    No, the client/server portion is encrypted.. In fact, your whole mailbox is stored in an encrypted state, and ONLY decrypted in the client. -J

  62. Watchguard Firebox by invisik · · Score: 1

    The Watchguard Firebox has some excellent logging features. One of my clients is actually getting something worked out with HR to allow certain managers to view where and when their employees are using the internet. Should be interesting to watch....!

    --
    http://www.invisik.com
  63. Not worried by tjones · · Score: 1
    I'm not worried about my employer monitoring my packet stream. It's their equipment, they paid for it.

    I am, however, worried about Simon monitoring. I don't know about you, but I wouldn't want that bastard noticing me.

  64. No they dont deserve it by gad_zuki! · · Score: 2

    First off, how many people know what a packet sniffer is? It isn't obvious unless you live in a fantasy world full of geeks. Non-techs should not only be better informed but also don't need apathetic people like you saying, "too bad."

    Imagine if my conservative company has a list of words they like to keep track of going over their network, like pot, work sucks, AIDS, etc. I IM or email a buddy about getting high, think that I could have a terrible illness, or what parts of my job suck, and now the admins go and tell the execs that I'm suddenly high risk. They could easily come up with some bullshit reason to fire me, like "not being a team player."

    What they won't do is read my email off to me and say "Okay, looks like you've smoked pot before and don't like 3 people in your department; it says it right here to the people you emailed over the last six weeks."

    In other words they won't admit to violating my privacy (which last I checked they don't have a right to if it's on a remote server) but will easily use that information against me.

  65. Re:If this surprises anyone... by grammar+fascist · · Score: 1

    And if they find out that I'm sending my resume out, they might try to come up with ways to keep me there, which might be good.

    --
    I got my Linux laptop at System76.
  66. SSL protection for AIM and email by alee · · Score: 3
    Although the SSL certificate is expired, using https://toc.oscar.aol.com will allow you to access AOL Instant Messenger with an SSL encryption wrapper. Requires Java.

    Using services like http://www.pop3now.com will let you access POP3 email through the web while protecting you from your employer's prying eyes.

    There are also other SSL wrapper services out that will get you out of untrusted workstations. However, keep an eye out for programs that record keystrokes and/or record screen activity.

    1. Re:SSL protection for AIM and email by The+Madpostal+Worker · · Score: 1

      All the SSL will protect is the initial transfer of the Java applet to your computer. SSL has no bearing over the connection created by QuickBuddy to the Big Bad Aol(tm) server.

      --

      /*
      *Not a Sermon, Just a Thought
      */
  67. Which is why I connect to home to do it... :) by draziw · · Score: 1

    My home firewall directs pcAnywhere packets to one of my Windows boxes. I have pcAnywhere set to 'symmetric' security. Then I run yahoo from there. Now if I just want private e-mail, I ssh to a box outside of my work's realm, run pine, and I'm set. :) I also have PGP installed - but I can't get all my friends to use it; heck, some I'm just happy they can use e-mail at all.

  68. Preliminary "Duh!" count! by AFCArchvile · · Score: 1

    8 so far, including this one. :-)

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
  69. So? by fm6 · · Score: 2
    It hardly matters. According to this ZDNet article, you can't even assume that what you're reading in your web email is what was sent!

    Seriously, though, anybody who knows how packets flow across the internet knows that ordinary email, non-secure web forms, etc., are the electronic equivalent of post cards. Expecting anything approaching privacy from them is just plain silly. If you don't want your boss, the Yahoo webmaster, or the NSA to know about your tastes in software porn (I'd find it embarrassing, but it wouldn't be the end of the world) do some elementary public key encryption. That's enough for most purposes -- ordinary encryption is all too easy to crack, but most of us don't have secrets that are worth the trouble.

    If you're sending something really sensitive (ho hum, another hippie wants to overthrow the government), make a serious study of encryption issues.

    If you're sending something really really important (it will cost somebody money if the fact gets out), use a fax machine.

    If you're sending something really really really important (your competition actually cares about what you're up to!), call FedEx.

    __________

    1. Re:So? by Ares · · Score: 1

      Yeah, but if FedEx is your competition, you'll probably send it yourself, n'est-ce pas?

  70. bah. by kirwin · · Score: 2

    I am a SysAdmin, and I really don't care for the CEO, I just browse company traffic for the sheer fun of it....er....I never, ever sniff packets. yeah.

  71. Encryption, zealousy, and obscurity... by Natalie's+Hot+Grits · · Score: 1

    We have encrypted webmail at our university using SSL. As far as yahoo and AIM go, screw them. Yahoo is cool, but there are a few people on freshmeat that are working on encrypted instant messaging.

    the people at suidNET have already put together a really nice encrypted irc network. (connect with /server irc.obey.org ) This should keep your admins from packet sniffing your private conversations.

    As far as email goes, Don't use your company's email server if you don't want your boss reading the mail. He has access to it all. Use a secure mail server. I believe hotmail has a ssl checkbox you can use.
    For those of you who think encryption isn't the solution to all evil. You're RIGHT ON! Of course there are problems with everything. Security holes for everything. That's why we moderate DOWN all informative posts having to do with security via obscurity! Because obscurity is lame, and linux r00lz! (?)

    Either way the Linux community, and partially the open source zealots, think that just because someone didn't tell them everything relevant about a program they are using that it is obscure. That's the beauty of open source: if you care about its security/usability/features, you can change it all the fuck you want! If you care and don't bother to find out on your own, then you are a zealous hypocrite and belong to the Slashdot zealot bag that Santa drops off his roof top every year on the 25th.

    --
    Two infinite things: your stupidity and mine. But I'm not sure about the latter. If my sig offends you, I'm sorry.
  72. Re:Who said this was about sensitive info or porn? by fm6 · · Score: 2
    I'll say it again. Anything sent over a non-encrypted IP connection is about as private as a postcard. OK, so Hushmail prevents your boss from copying your email. He can still spy on your web browsing habits, figure out your Slashdot pseudonym, and find out a lot of other stuff you ought to be worried about.

    Anyway, if your boss is totally indifferent to your privacy, he's going to forbid you to use hushmail isn't he?

    If you're really concerned about workplace privacy, you should discuss it openly with your employers and get them to set an explicit privacy policy. Imposing half-assed encryption solutions on your own gives you nothing but a false sense of security (pun intended).

    __________

  73. Re:Monitoring AIM by sushi · · Score: 1

    Novell have released a (free) product called Instant Me that builds on AIM but has secure IM.

    Plus a damn sexy GUI.

    --
    --- cut: Eat well, exercise, die anyway.
  74. Re:Encryption doesn't matter by Jimmy_B · · Score: 1

    Too many companies these days are installing clients that allow them to see your screen.

    This software is generally used by support staff to avoid having to move on-site to diagnose and fix problems. Tools such as these degrade performance on the watched machine quite noticeably, so there is no way it could be done without being noticed, and the network bandwidth usage is too high to monitor more than a few people at once. So, this is not really an issue, yet.
    ------------------
    A picture is worth 500 DWORDS.

  75. Re:Is ssh1 more secured? by tubby · · Score: 1

    Yes is the short answer. If you aren't worried about people reading the screen, then you will be fine.
    ssh2 is better, but ssh1 is secure.

  76. productivity versus telecommuting? by Corporate+Gadfly · · Score: 1
    A previous post mentioned measurement of employee productivity as the best measure of their work ethics. I know this is slightly off topic, but in case of telecommuting (or virtual offices), the employer can only monitor employee access of network resources when the employee is VPN'ed to the corporate network. I certainly don't want my boss making assumptions about what I do at home all day when I am not connected to the corporate network.

    Again, it comes back to being lucky enough to have bosses who know that being at home enables me to work more efficiently. I am not constantly interrupted by hallway conversations. I am able to string together longer spans of undivided attention when at home.

    --
    Corporate Gadfly
    Jonathan Archer: the most beaten up Enterprise captain in Star Trek history
  77. Many corporations block outbound SSH by Nonesuch · · Score: 2
    Because of the SSH tunneling features, many corporations block outbound SSH from the desktop, due to the obvious security risks.

    SSL is a much better solution, no employer is going to block outbound HTTPS connections without good cause.

    1. Re:Many corporations block outbound SSH by fitsy · · Score: 1

      https is blocked here, EVERYTHING is blocked except port 80. It sucks big time.

    2. Re:Many corporations block outbound SSH by Zagadka · · Score: 1

      I would guess he was referring to the fact that some corporations wouldn't like employees opening an encrypted "tunnel" to the outside world, which would allow them to easily send out large quantities of confidential information.

  78. Re:Use hushmail by jovlinger · · Score: 1

    It would be a trivial exercise to add the option to use p/gp/g for outgoing mail. I'm sort of surprised they haven't implemented that already. Incoming PGP mail could also be dealt with in a similar way (though you would have to trust the service enough to send it your private PGP key -- which is more than I would like to do. As soon as I enter the pass phrase, a compromised front end could capture my private key. Not good).

    Hushmail's biggest problem is exactly to ensure that no one can compromise the Java byte codes in transit. This requires signatures and authentication infrastructure that is hard to assume across architectures, no?

  79. There is no protection by Vassily+Overveight · · Score: 2

    There is no true defense against company snoops. Even if you used a super-duper encrypted email package, the company can still install a keystroke monitor on their computer. The safest course is to forget using the company machine and get your own email-capable device like one of the new 'pagers' or an email-equipped cell phone. And don't have the company pay for it. Then if they want to read your emails they'll have to subpoena them.

    --

    "If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine

  80. Don't read this comment by Anonymous Coward · · Score: 1

    There is no excuse, for both sides of the argument.

    (ohh....I'm tired...yeah, thats my excuse if this doesn't make sense :)

    First off.....do your job....it's not hard....hell, it's what they pay you for (you do get paid, right?)

    Second.....after you are doing your job well (you do do it well, correct?) or it's during lunch...there is no reason you shouldn't be allowed to read Slashdot (they do want you to become a smarter employee, right?)

    - Make sure you find out what company policy is though...it's going to be a real pain if you have to tell your girlfriend you got fired because you checked your Hotmail account when you got to work in the morning to read that steamy email she sent you.

    Now that we have cleared the hard part....

    Client side: encryption...it's not complicated (this isn't the stone age folks)

    - Secure Crt for windows (http://www.vandyke.com/) - if you are allowed to install programs on your computer

    - if the connection is fast enough, go get X-win (http://www.starnet.com/) to run things from your remote *nix box on your windows desktop

    - company only allows http via a http proxy? - http://www.http-tunnel.com

    - if that one doesn't work (socks2http)

    - Both of these support "connect" as well as "push"

    (And those http proxies that don't support CONNECT need to be taken down and converted into something useful)

    - program doesn't support socks? SocksCap32 http://www.socks.nec.net/

    - web based mail w/encryption (http://www.hushmail.com)

    From *their* side:

    First off, they should have enough bandwidth....in this day and age no one should have a whole network routing email on a dialup (I ought to know, I might just work for our humble government and we just got rid of the last dialup router :)

    Second...for reasons known to us all, they should be using switches, not hubs....if they are not...does anyone at your business even care about security? (ok, so maybe it's still too expensive or some other lame excuse....the sysadmin better be using ssh or else he better find a job as a telegraph operator)

    Third, I understand that http proxy with SurfWatch (or whatever)...but please....the only people it's stopping are the ones who are either doing their jobs (my favorite was blocking www.egroups.com...which would have been fine except we update each other with a group, so someone always (well, until I got there) had to sign the new person up from home)

    - the people who want to get porn at work.....probably want it bad enough that they are going to find a way around (chaining proxies in netscape?)

    Now that I have given my speech......there is no reason for one to not be able to enforce their own privacy

    BUT....It's a place of business......do your job.....it's why you have access to the computer equipment in the first place......

    (Ok, let's NOT kill me when it comes to replies, this was my first Slashdot post (but I have been a longtime reader).)

  81. Re:Content by Fas+Attarac · · Score: 2

    I would wager most companies that institute any sort of e-mail monitoring policy only go that deep into message contents when an employee is under active investigation. Even the most paranoid of companies typically log only the presence of messages, or individual HTTP requests made, never actual content.

  82. Re:Why women prefer so-called "assholes" by daveman_1 · · Score: 1

    If you were indeed such a dominant alpha male, I would consider it unlikely that you would call yourself "Anonymous Coward". It is obvious to anyone reading this who is in a healthy relationship that you are a loser. I could go on and on about this, but I choose to simply leave it at this. Maybe someday when you stop lying to yourself you'll be able to tell what a happy woman really wants from a man.

    --
    Russian Russian Russian RussianDollSig DollSig DollSig DollSig
  83. Re:Use hushmail by TheLink · · Score: 1

    Your first suggestion won't work - most key loggers log the window name as well. So they know which keystrokes are going to which window.

    And even if they don't log keystrokes the boss is going to be curious if you are going to hushmail 5000 times a day.

    I think for most decent companies people have better things to do than monitor you. BUT if you stick out from the crowd - like download a Gig a day and slow down the boss when he's checking his stocks, all bets are off... ;).

    Cheerio,

    Link.

    --
  84. Not usually. by TheLink · · Score: 2

    There are very few proxies which proxy https- as in http in, https out, since most client browsers can do SSL for themselves, and most that don't grumble immediately when seeing a https:// so they don't even bother asking the proxy.

    So usually if clients visit a HTTPS site, it's encrypted all the way. Maybe your network is really set up differently, but have you really checked? Run a sniffer and see. I have for mine, and it's satisfactorily encrypted.

    Basically the clients contact the proxy, and then issue a CONNECT dest.ip.address.blah. The proxy makes the connection, then you have a channel between the client and the destination server. You don't even get the URIs in the proxy logs.

    However, over here, users must still log in to the proxy server to have internet access. So if they really misbehave it's not too difficult to track them.

    Tracking severe abuse is quite simple and doesn't require any spying of payloads or even urls.

    When the Boss asks "Why is the Internet connection so slow?" or worse "Why are the emails slow" then the people who have been downloading movies and mp3s better watch out.

    Link.

    --
    1. Re:Not usually. by KingBozo · · Score: 1

      Maybe on your network. But here we don't allow 443 from clients to get out to the network. IE can be set to use port 8080 for both HTTP and SSL connections; it is unencrypted to the proxy, and then the proxy makes a secure connection to the server. This works well and easily gets around SSL internally. The user even gets a little lock icon to see that it is secure when outside our network.
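The CONNECT exchange TheLink describes (client asks the proxy for a tunnel to host:port, proxy answers 200 and then relays opaque bytes, logging only the destination) is shown below as an added example; it is not code from any poster. It also shows the check Zagadka's concern calls for: the proxy only honours CONNECT to an allowed port, so an ssh-over-CONNECT attempt to port 22 is refused while 443 goes through. Everything runs in-process over socketpairs; the proxy policy set, the name home.example, the payload and the stand-in origin that echoes in upper case are constructed for the demo.

```python
import socket
import threading

# Added example, not code from any poster: a minimal HTTP CONNECT tunnel with
# both sides of the exchange. The policy set, host name and payload below are
# constructed for the demo.
ALLOWED_TUNNEL_PORTS = {443}   # only let CONNECT reach the TLS port


def parse_connect(request_line: bytes):
    """Parse 'CONNECT host:port HTTP/1.1'; return (host, port) or None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None
    return host.decode("ascii"), int(port)


def read_headers(sock):
    """Read the request/response line and headers up to the blank line."""
    lines, line = [], b""
    while True:
        chunk = sock.recv(1)
        if not chunk:
            return lines
        line += chunk
        if line.endswith(b"\r\n"):
            if line == b"\r\n":
                return lines
            lines.append(line)
            line = b""


def pump(src, dst):
    """Copy bytes one way until EOF. The proxy never looks inside them."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def proxy_handle(client, connect_upstream, log):
    """Serve one CONNECT request. The log gets host:port only, which is all
    the proxy learns; the URIs travel inside the tunnel."""
    lines = read_headers(client)
    target = parse_connect(lines[0]) if lines else None
    if target is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        client.close()
        return False
    host, port = target
    if port not in ALLOWED_TUNNEL_PORTS:          # refuses ssh-over-CONNECT
        log.append(f"DENY CONNECT {host}:{port}")
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        client.close()
        return False
    upstream = connect_upstream(host, port)
    log.append(f"CONNECT {host}:{port}")
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    threads = [threading.Thread(target=pump, args=(client, upstream)),
               threading.Thread(target=pump, args=(upstream, client))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()
    return True


def open_tunnel(proxy_sock, host, port):
    """Client side: request a tunnel; True once the proxy answers 200."""
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    proxy_sock.sendall(req.encode("ascii"))
    lines = read_headers(proxy_sock)
    return bool(lines) and lines[0].split()[1] == b"200"


def demo(port):
    """Client, proxy and origin on socketpairs; returns (ok, proxy_log, reply)."""
    client_end, proxy_client_end = socket.socketpair()
    origin_end, proxy_origin_end = socket.socketpair()
    log = []

    def origin():                        # stands in for the box at home
        data = origin_end.recv(4096)
        if data:
            origin_end.sendall(data.upper())
        origin_end.close()

    t_origin = threading.Thread(target=origin)
    t_proxy = threading.Thread(target=proxy_handle,
                               args=(proxy_client_end, lambda h, p: proxy_origin_end, log))
    t_origin.start()
    t_proxy.start()
    ok = open_tunnel(client_end, "home.example", port)
    reply = b""
    if ok:
        client_end.sendall(b"ssh payload, opaque to the proxy")
        client_end.shutdown(socket.SHUT_WR)
        while chunk := client_end.recv(4096):
            reply += chunk
    client_end.close()
    t_proxy.join()
    proxy_origin_end.close()             # no-op if the proxy already closed it
    t_origin.join()
    return ok, log, reply
```

Call demo(443) to see the tunnel come up and the proxy log record nothing but "CONNECT home.example:443"; demo(22) shows the port policy refusing the same request. A real proxy would also resolve and connect to the upstream host (the lambda here just hands back the socketpair end) and would want a destination allow-list, not only a port check, if exfiltration by tunnel is the worry.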

  85. What is this doing on Slashdot? by Carnage4Life · · Score: 2
    I have seen some clueless posts on Slashdot but this takes the cake. My response to this article is a resounding "Duh". The entire article can be summarized by this quote:

        "The information is essentially being sent back and forth via text along a wire. Anyone along that wire, inside or outside of your company, has the ability to intercept, read and change the text," said David Kennedy, director of research services for ICSA.net in Reston, Va. "Is it technically possible? Yes, and it's fairly easy to do."

    For Slashdot to sensationalize what is basic knowledge to anyone with a smidgen of technical know-how (my girlfriend's an English major and she knows this) and make it seem like there is some sinister plot underway by AOL, Yahoo, MSN, etc. to cooperate with employers to steal employee rights is irresponsible.

    Second Law of Blissful Ignorance
    1. Re:What is this doing on Slashdot? by ragnarok · · Score: 1

      I hate these threads. "This isn't news for nerds! blah blah blah"

      But for once, I really have to agree with you. I read the headline, and I thought "duh". So I read the story, thinking maybe I was missing something. I wasn't.

      Oh well, best not think too deeply on this one, huh?

      (Pop culture obscure movie reference alert!)

      --
      Search first, ask questions later.
  86. Correction on the proxying https:// part by Cerlyn · · Score: 2

    I should note that the scheme I thought of to proxy https:// pages so an employer can read them in real time does give the fact that it is there away in most cases. This is because all https:// traffic would be routed through a server (say spyonssl.mycomp.123) that would then establish its own secure connection to yourbank.456 or whatever. URLs and referrers would be rewritten to keep everything working. This would be required without your employer becoming their own certificate certifying authority, because most web browsers will complain bitterly if the certificate does not match the site. Most users would likely spot this, unless the secure page was quickly switched away from.

    Of course, no one is stopping them from installing their own certifying certificate on your PC, generating fake SSL certificates in near real-time on a fast computer, and playing a "man-in the middle" attack that few people would know how to spot. But now, we are *really* getting paranoid... and so are many employers nowadays. It is likely that at least a few companies out there have systems that try to decode your secure web pages out there, even if it means taking a year or two with a Cray...

    One should realize that most web-email services do use secure https:// for the login, but send your mail as insecure http:// . So they likely can't get your password too easily, but they can get everything else. As we speak, companies are likely working on the former, considering it a "trivial issue" that needs to be overcome. Given that most people only use one password for everything, I would not be surprised if many employers can guess your web mail password anyway.

    1. Re:Correction on the proxying https:// part by quantum+bit · · Score: 1

      D'oh! Should have read down farther... Just posted how to pull off the scheme you mentioned in your second paragraph (involving fake certs generated in real time and signed by a "trusted" CA).

      The hardest part is figuring out the remote host name that was requested, as SSL is negotiated prior to the HTTP session starting, and most browsers will bitch and moan if the common name on the certificate doesn't match what was typed in the URL bar. But even this could be pulled off, either by guessing based on PTR lookups or using a background agent on the client's machine that the proxy could query to see what the browser was trying to access.

      Oh, well, I am licensed by the Department of Redundancy Department ;-)
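The "hardest part" quantum bit names, learning which host the browser asked for before any HTTP has been exchanged, is exactly what the TLS server_name (SNI) extension later solved: the browser now puts the host name, in the clear, in its very first message. The block below is an added example, not code from any poster or from the page's era: it builds a ClientHello carrying SNI and then parses the name back out of the raw record. That parse is what an intercepting proxy with its own CA uses to decide which certificate to forge, and it is also what a defender's sniffer can log to track HTTPS destinations without decrypting anything (TheLink's point that tracking abuse needs no payload inspection). The host name home.example, the all-zero random and the single cipher suite are constructed for the demo.

```python
import struct

# Added example, not code from any poster: build a TLS ClientHello that carries
# the server_name (SNI) extension, then recover the host name from the raw
# record. The host name and the zeroed random are constructed for the demo.
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
SNI_EXT_TYPE = 0x0000
HOST_NAME_TYPE = 0x00


def build_client_hello(server_name, with_sni=True):
    """Return one TLS record (type 22) holding a minimal ClientHello."""
    body = b"\x03\x03"                                  # client_version 1.2
    body += b"\x00" * 32                                # random (constructed)
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
    body += b"\x01\x00"                                 # null compression only
    exts = b""
    if with_sni:
        name = server_name.encode("ascii")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry     # ServerNameList
        exts = struct.pack("!HH", SNI_EXT_TYPE, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 3, 1]) + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, else None.
    Every length is bounds-checked: these bytes come from the network."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    i = 2 + 32                                          # skip version, random
    if len(p) < i + 1:
        return None
    i += 1 + p[i]                                       # session_id
    if len(p) < i + 2:
        return None
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]         # cipher_suites
    if len(p) < i + 1:
        return None
    i += 1 + p[i]                                       # compression_methods
    if len(p) < i + 2:                                  # no extensions block
        return None
    end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    if end > len(p):
        return None
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        data = p[i + 4:i + 4 + elen]
        i += 4 + elen
        if etype != SNI_EXT_TYPE or len(data) < 2:
            continue
        j = 2                                           # past list length
        while j + 3 <= len(data):
            ntype = data[j]
            nlen = struct.unpack("!H", data[j + 1:j + 3])[0]
            j += 3
            if ntype == HOST_NAME_TYPE and j + nlen <= len(data):
                return data[j:j + nlen].decode("ascii", "replace")
            j += nlen
    return None


def classify_record(record):
    """What a sniffer on the wire can log about a TLS connection."""
    name = extract_sni(record)
    return f"tls {name}" if name else "tls <no server_name>"
```

On a real capture, feed extract_sni the first TLS record of each client-to-server flow; a proxy on a box whose CA the client trusts would use the returned name as the CN/SAN of the certificate it mints, which is why installing a corporate root on the desktop removes the warning Cerlyn relies on. Encrypted ClientHello, where deployed, hides the name again, so the absence of SNI is not proof that nothing is there.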

  87. anybody read the CNET article? by CyberHick · · Score: 1

    i took a gander at it and it's about sniffers and keystroke monitors. these are rather extreme and most likely not going to be in general usage, especially the keystroke monitors. the personnel costs of monitoring the logs would be prohibitive. however, if someone were willing to pay me to read through them, then they are a whole lot more stupid than i am.

  88. And this is news exactly how ???? by Cire+LePueh · · Score: 1

    I mean ok, for ZDNet, or CNet or any of those...sure, but /. is News for Nerds. Stuff that matters. That article is neither.
    Let's get back to News for Nerds. Stuff that matters.

  89. Re:You're missing the point. by LordMidnight · · Score: 1

    That is exactly the type of self righteous, analistic attitude that drives real talent away from companies. You Sir, would do your company a great service by leaving. >LM

  90. RSA is free by aozilla · · Score: 2

    C'mon people, RSA is now in the public domain, you have no right to complain about not using it.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  91. Re:If this surprises anyone... by _xeno_ · · Score: 1
    The question is what does the company do with any information they get that way. First of all, I have to wonder what they think about all the spam selling porno sites that many of those online e-mail sites suffer from. Do they assume that you were looking for porn on company time?

    The problem is not just the sending of inflammatory material, it's the receiving. If you pissed off some script k1dd13 and he decides to spam your mailbox with many [pick something inflammatory] messages, is that your problem? If you get an IM from a friend, and the friend starts trying to turn the conversation into something inappropriate, what about that? What if they assume that your friend even saying that indicates they should fire you?

    There's also a much more evil side to that, assuming your company wants to be or can be draconian. Say that you're talking to your wife on IM about how you think one of your kids has the flu or some other disease, and you think you should see a doctor. They pick that up, assume "expensive" and drop your health benefits. More than likely, this wouldn't happen, and it would probably be illegal anyway, but it's still a scary thought.

    My main point is that it's possible for people to take things out of context, especially conversations which rely on a context that those watching wouldn't understand. (For a while, a girl I knew from high school and I were joking about sending commando teams to kill each other. If that were ever taken out of context... (Of course, anyone stupid enough to ignore the emoticons used in those... >:))) It's still a scary thought what they might guess from communications. That's what's potentially scary - the company firing someone who they think might cost them too much due to an illness in the family. There are urban legends about that type of thing happening. That's why people are scared.

    --
    You are in a maze of twisty little relative jumps, all alike.
  92. Encryption doesn't help by Randseed · · Score: 1
    Encryption doesn't help, folks. Nothing stops the attacker from trojaning the software, or even having canned attacks ready to be automatically deployed for software the user brings in.

    Yes, this is a lot of trouble, but it needs to be mentioned. Every time this kind of issue comes up, someone suggests encryption as the end-all-be-all, and suggests that if the user uses it, all is safe. It isn't so.

    1. Re:Encryption doesn't help by Zebbers · · Score: 1

      what the fuck are you talking about? Are you signal-11? Using BUZZwords worse than a two dollar trading .com company to try and pretend you know what the fuck you are talking about.

  93. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  94. Is ssh1 more secured? by antdude · · Score: 3

    I read most of my non work-related e-mails and download big files (don't want to hog the company's bandwidth) on various UNIX boxes with ssh1.

    How secure is ssh1? Can people still sniff this besides reading off my monitor? Once in a while, I have personal stuff (nothing illegal) that I don't want people to read.

    TIA for replies. :)

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  95. Re:The ineptitude of management by BigBlockMopar · · Score: 2

    Any management that thinks auditing is an effective way of encouraging good work ethics is insane and grossly inept and should be fired immediately. Any manager that sees low productivity or low morale and thinks the solution is to start snooping on employee activities should give up and become a basket weaver. I am not kidding.

    While this is all true, there are many situations in smaller companies where this doesn't work.

    My workplace is a case in point.

    We used to be a division of Litton, but were sold off because we weren't part of the "core business".

    The guy who bought the company, our old GM under Litton, is paranoid.

    The boss knows enough about computers to have mirrored his Windows 95 installation up through every machine he's had since his 486DX-33, but still doesn't know why it's dangerous (or why he can't make a partition bigger than 512 megs).

    The boss is paranoid enough that while he wants me to administer the mail server, he also doesn't want me to have access to the mail. Same with the fileserver.

    The boss wants to be able to watch *everything* going across the LAN at all times and is willing to sit in front of the server in my office to do it.

    That's the mentality you might have to deal with. If you can't, get another job. Things were great while we were a Litton company - the philosophy in our division allowed everything but XXX sites and *excessive* non-profitable usage - but since our old GM became our owner, the paranoia has increased and things have gone downhill. I'm looking, as are most of the rest of our staff.

    --
    Fire and Meat. Yummy.
  96. Don't count on it! by Flat5 · · Score: 1

    Depending on the security level employed at your workplace, remember that a simple keystroke monitor doesn't care WHAT you're running. You type, it captures, end of story.

  97. Ever hear of the ECPA? by gad_zuki! · · Score: 2

    The Electronic Communications Privacy Act of 1986 gives protections against interception and wiretapping. My employer can look at my mail that's saved and transmitted between her servers but cannot attempt to intercept my mail going to Hotmail or a remote ISP. This would be like Ameritech saying "we own these wires, we're going to record all your conversations."

    1. Re:Ever hear of the ECPA? by Syberghost · · Score: 2

      And to further extend your remarks, it's a felony, with a maximum 10-year penalty, for *EACH* email they intercept.

      A previous employer of mine thought this wasn't true; their lawyers, the top-rated law firm in that state, set them straight.

      -

  98. Re:75 users, 16 hours a day, Who's gonna do it? by AndyL · · Score: 2

    Imagine you're the boss. You've got a few min to spare, why not watch an AIM conversation go by?

    Lots of people get off on snooping in other people's business. This is why 'reality' TV shows are such a hit.

    Now imagine you're the boss or the network guy, and there's an employee you don't like using AIM and you've got a few min to spare. You don't think there's a real chance that people might casually skim through your stuff? And if the boss (or network guy) is out to get you fired then there's a serious chance people are going to look through your stuff.

  99. Re:Use Licq! by Nailer · · Score: 1

    LICQ has more features than any other ICQ client, the most interesting of which is encryption.


    No, the most interesting thing is right clicking on a Windows user in your contact list, and LICQ suggesting `Back Orifice' as the top action ;-)


    Seriously though, another LICQ feature is UID emulation. This might have an impact on your encryption bonanza when your client broadcasts its end of the transaction to all hosts with the ID of your associate.

  100. Re:Use hushmail by thecap · · Score: 1
    That's why we have signed certificates!

    VeriSign will assure you that the server you are securely connected to is who you think it is.

    While it is possible and common for a http cache/proxy to "grab" all http connections without a normal user noticing, certificates prevent anyone fiddling with a https connection without the browser warning the user.

  101. thought control by NuclearArchaeologist · · Score: 1
    ...fairly careful to limit "ok" emails.

    I'm careful about this too, even at home. It amounts to thought control. This is one of the drawbacks of email in general. It's funny how the filters you build for yourself can change your thoughts. It can be frustrating.

    Some things just can't be written.

    Carnivore must be destroyed.

  102. Tempest by Nailer · · Score: 1

    A tempest system will allow you to read off a CRT through a wall. Have a hunt on google for it.

  103. Use VNC by zeppelin71 · · Score: 1
    http://www.uk.research.att.com/vnc/

    And set up SMTP through your home machine if at all possible. Of course - only allow forwarding through it from your work IP or you'll have all kinds of spammer trouble on your hands. I believe VNC can be run through a secure connection as well, though I don't bother. Surf from work with your home machine as well... The only thing I don't know how to protect against is keystroke recording.

  104. when in doubt encrypt by kleikat · · Score: 1

    Cut the cackle, open an account with HushMail.

  105. The ineptitude of management by Ergo2000 · · Score: 5
    An open letter to managers the world over

    Any management that thinks auditing is an effective way of encouraging good work ethics is insane and grossly inept and should be fired immediately. Any manager that sees low productivity or low morale and thinks the solution is to start snooping on employee activities should give up and become a basket weaver. I am not kidding.

    The only true measure of an employee's worthiness is output and nothing but. This is a very important concept as we move to more telecommuting/contract type employment anyways (and boy will the lines get blurry when employers are monitoring employees in their own homes). The vast majority of us in this business get paid by salary, not by punching a card in a clock, and while there are some general expectations regarding hours, generally the salary structure is based upon performance not time. For our salary we are expected to contribute a certain amount of worth to the company versus the salary that we are receiving. If an employee doesn't contribute that worth then firstly examine the management structure and corporate supports to determine if they are the problem, and if not FIRE THEM. That is the only way to manage effectively in the information age. If you've got some company outcast sitting in a room packet scanning whether someone is using Hotmail then you've got your priorities totally messed up: there are a million ways of wasting away time and if you think you're creating a super efficient workplace by totalitarianistic network policies then you are completely ignorant of the real world.

    If you have a worker that you think might be dicking away a lot of time simply set goals and performance requirements and you should have a system in place that measures metrics (not keystrokes as that is worthless, but some other metric). Reward exceptional performance and punish under performance. The time an employee needs to accomplish those goals is irrelevant. Obviously if someone is sending offensive mail from a company email address that is poor judgement and should be punished, however if someone is sending emails to friends on Hotmail you really shouldn't give a shit if you have the performance metrics and good measurement systems. If you think you will improve the worthiness of your company by instituting superficial monitoring systems then you will soon be out of a job as your company will be out of business.

    BTW : For the corporate outcasts that feel the supreme justice of being the ones "in charge" of monitoring employees : Firstly these systems are never unbiased -> It is usually targeted at whichever persons these losers feel a dislike towards recently. Secondly there is no justification based upon what I was saying above (except for a few positions which are more time based : i.e. answering phones). Pathetic claims about "company resources" and the like are ridiculous. Do you abscond from drinking lest you use the sacred company water pissing? Do you partake of company provided refreshments? Do you happily request a 14" monitor over a 19" because really netmon runs just as well at 800x600? If not then shut up : The "wear and tear" on a computer system for someone to visit Hotmail is rather minimal and of minimal cost.

    1. Re:The ineptitude of management by techsupersite.com · · Score: 1

      I agree with you. I work for one of the largest computer firms in WV, and am a tech with over 7 years experience. I'm consistently the most productive employee in the company, and never balk at working overtime (for which I usually don't get paid).

      Recently my company installed "Surf Watch". Which I mostly ignore. I occasionally browse /. or the Register or some other tech site on my lunch, breaks, or when I'm waiting on the phone getting an RMA or ordering a part (quite frequent). In my line of work, reading /. or the Register, or Tom's Hardware IS in the company's best interest, as I'm keeping up with the latest news and technology. If they want to fire me for this, well, I can get another job within 10 minutes anyway...

      --

      In 2000 America, is a non-lawyer truly free?
  106. Encryption doesn't matter by Texodore · · Score: 3

    Too many companies these days are installing clients that allow them to see your screen. Typing an e-mail? They can read it while typing. Talking on ICQ? They can get the conversation, too.

    The PGP/SSL arguments don't hold water. If they see you doing something personal, either by sniffing or peeking into your computer, they can monitor whatever they darn well please. And read whatever they want to. And watch what you're doing.

    It is impossible for you to hide your personal web usage from the IS department. There are no solutions when they can take over your monitor from another box and packet sniff.

    1. Re:Encryption doesn't matter by Sloppy · · Score: 2

      So just encrypt the stream between the monitor and the eyeballs.
      ---

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  107. Re:Use hushmail by fm6 · · Score: 2
    Hushmail strikes me as pretty useless. You can only send encrypted mail to other Hushmail users. If you're sending email anywhere else, you're using ordinary email -- and your messages are just as open to spying by the hosting web staff as with Yahoo or Hotmail.

    Of course, Hushmail doesn't encrypt its client-server connection. That does protect you from your boss -- but do you really want to work for somebody who spies on his employees?

    Hushmail does offer digital signatures -- but all that proves is that your email headers aren't forged. It doesn't prove that the owner of the hushmail account is who he says he is.

    __________

  108. Re:Companies safe from liability by dorzak · · Score: 1

    Not always. There was a majordomo newsgroup that was for employees of Netscape I believe. It was run by an employee offsite entirely. Despite not being a company resource it was successfully subpoenaed in a lawsuit.

  109. ANother rule. by mindstrm · · Score: 2

    The Internet at large is a public network, for all intents and purposes. So treat it as such.

    Treat any traffic generated as a public radio broadcast. You have no control over who sees it.

  110. Re:Why women prefer so-called "assholes" by Anonymous Coward · · Score: 1

    God, men like me love it when you talk like that. Now fuck me.

    ~~~

  111. Re:Use hushmail by isaac_akira · · Score: 1

    Strong encryption won't do squat when they record your keystrokes straight off your PC.

    Yeah, but how common is that compared to proxy firewalls filtering/logging content that passes through them? Most companies have all their internet traffic going through one box, so it's easy to scan. I think that an encrypted connection will keep the vast majority of people's email secret.

  112. IPsec or PPTP over Ethertap/CrackPipe! by catscan2000 · · Score: 1

    Another solution, and one that I've tried and got working well just to see how it would work, is to establish a single outbound TCP/IP connection via a port such as 80, 25, 110, etc. to your home system's Linux router and then use either IPsec or PPTP across the Ethertap/CrackPipe TCP/IP connection to log into your home network, set the default route to be your home network after ensuring that the route to your home's external IP goes through your local router, and e-mail/IM/chat/whatever to your heart's content, encrypted :)! (Or, if your company doesn't block GRE/IP or the other one (forgot name), you could just use PPTP and/or IPsec directly without having to use a fake-looking TCP/IP connection.)

  113. https tunneling by Avenger · · Score: 1

    Correct me if I am wrong .. and I probably am, but if you are using AIM's connect via https proxy setting ... aren't you secure? Just a curiosity question.

    --
    Of all the things I miss .... I miss my Mind the ...... ummmmmm what is that word.
  114. Not if you.. by import · · Score: 1

    Use ssh to bounce X11 from home over to your office and ICQ/AIM/email from there. *grin*

  115. Re:yes, but what if they block the host? by thopkins · · Score: 1

    In webmail you don't directly talk to SMTP servers. Everything goes through forms on the webmail page.

  116. woops by TheBongo · · Score: 3

    Me: Man, I always wonder if I ever get any work done in this office. Then I look around and I wonder if ANYONE gets any work done. Me: Dude you need to come down to the office, we're printing out PORN on the laser jet printers, then shredding the paper and putting acid on it! Me: My boss reminds me that left nuts do grow out of proportion. Me: Work reminds me that life is nothing but a big orgy, often on keyboards. This would explain why my keyboard is hairier than Roseanne's legs. I hope this reminds the majority of you unemployed, disillusioned stiffs like myself why we constantly get fired. God bless the internet, and all its pornographic glory.

    1. Re:woops by TheBongo · · Score: 1

      I'd be so much funnier if I knew how to use br's. Fuck me, and all my pornographic glory.

  117. Isn't encryption nice? by rgmoore · · Score: 1

    This is why I always do my personal e-mail from work on a remote machine using SSH. Actually, I use SSH because the machine got rooted a couple of years back and now the admins won't let anyone access it by telnet, but it's still nice to know that the same features that keep crackers from sniffing my password also keep my boss from sniffing my e-mail.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

    1. Re:Isn't encryption nice? by JanKotz · · Score: 1

      I use SSH for my personal email as well. For me, the primary upshot was that it was secure, but there was the added benefit of not needing to use the crappy Windows telnet client. Using puTTY is almost as good as having an xterm, anyway.
      --
      "A witty saying proves nothing" - Voltaire
  118. Monitoring AIM by Gurft · · Score: 2

    In reality, since we run a SOCKS proxy server at work, and already monitor URLs, capturing AIM conversations can't be very difficult, plus we've in the past been able to take snapshots of sites users are visiting through some creative sniffer work. So this really isn't a big surprise. When you think about it though, people are right, your work PC, internet connection, and your office are there for work. You don't hold tupperware meetings in your office, why should you chat online during office hours. Although, there are occasions where using applications such as IM in the workplace are appropriate. When I used to work for an ISP (Thank god I don't any more) we used IM to communicate with other techs while we were on the phone. Very useful instead of having to say "Ma'am, can I put you on hold", go ask a question, then come back.

    --
    I'm an AIX Systems administrator, and yes I do cry myself to sleep at night....
  119. HTTPS/SSL by Anonymous Coward · · Score: 1

    It's been long evident to me that Web based email services should use HTTPS/SSL, however since the clueless minions of orthodoxy continue to make use of insecure services, they deserve what they get.

  120. Companies safe from liability by GByrd · · Score: 1
    I think the main point of employees using these services for their email should be encouraged by the companies. Although the company might be able to snoop on what an employee is writing proactively, there is generally no 'passive' means of monitoring the emails of employees using such systems.

    In addition, if a company is sued, any emails sent using these services will not appear in any lawsuits because they were never stored on the company's email servers.

    Unless the company keeps a complete backup of every HTTP message, an employee can write what he/she wishes without fear of getting the company in hot water, unless of course the email itself is what caused the problem, rather than being found in the process of 'discovery' for an unrelated lawsuit.

  121. SSL by Jeffrey+Baker · · Score: 3

    If you take the stance that people should be using business resources for personal email, which is a stance that I disagree with strongly, an SSL connection to your webmail provider is the easy answer.

    1. Re:SSL by styrotech · · Score: 1

      I seem to recall that if you use a proxy server to connect to a SSL website, isn't the connection between you and the proxy still unencrypted? i.e. only the proxy to website connection is encrypted.

      Don't quote me on that though.

  122. Content by voice+of+unreason · · Score: 1

    Does it really matter that much if they can view the contents? I think most companies have better things to do than to read others' mail. They may chew you out over using email during work, but I doubt they'll be all that interested in what you are saying. (Unless the person monitoring the company email gets bored :)

  123. Re:Suggestion by lucius · · Score: 1
  124. Re:Whose computer is it? by radja · · Score: 2

    wrong. see one of my previous posts

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  125. DUH~! by Trollmastah · · Score: 1
    Duh.

    ANY electronic communication coming or going through corporate firewalls (including voice) is fair game. Bottom line is don't ever send anything from work that you don't want big brother to see.

    They get away with it because they "own" the environment you are using to communicate and somewhere in the employee manuals it states something like "Company resources are for company use only and can be monitored or restricted without notice. blah blah blah."

    Don't be dumb, save the communications you could be fired if caught doing for home. Use the corporate networks for corporate stuff.

    --

    .

    Take all good things in moderation, including moderation.

  126. HotMale by clinko · · Score: 1

    Damnit, if they're reading my hotmail e-mail, you think they can tell when I'm checking out hotmale.com? Cause that would be lil' embarrassing.

    What is this world coming to? Can't I read My HotMale without being snooped on at work. Geez!

  127. Re:SSL won't cut it either... by Wookie+Athos · · Score: 3

    HTTPS through a proxy simply uses the CONNECT method to get a direct connection to the SSL server at the other end. It requires an end-to-end byte stream.

    The proxy can sniff the traffic, but they then need to decode the SSL...

  128. Use hushmail by bradams · · Score: 5

    HushMail.com uses strong encryption end to end. It's the strongest web based email that i know of...

    --
    I like to build things and wire stuff together.
    1. Re:Use hushmail by jkujawa · · Score: 1

      This is wrong, this isn't the way SSL works. SSL replaces the standard read() and write() calls with SSL_read() and SSL_write(). The data are encrypted before they leave the browser. Any program that could see the data in between the client and server couldn't accurately be described as a proxy, but rather as a man-in-the-middle attack.

    2. Re:Use hushmail by quantum+bit · · Score: 1

      Not necessarily. The only reason that your web browser doesn't complain when accessing a site with a certificate signed by Verisign is because Verisign's root certificate is installed by default. A man-in-the-middle attack is still possible though. Consider this:

      Your employer has implemented PKI (for intra-company encrypted e-mail, VPN, etc) and has a root certificate for the company already installed in the user's trusted store (this is very common; on my network I even put a little program in the logon script that checks and installs the root certs if they're not already).

      The proxy, upon receiving an HTTPS connection, doesn't know the hostname that the browser wants, but it does know the IP address and can probably make an educated guess by looking up the PTR record, which should be right 90% of the time. It can then generate a new certificate on the fly with its public key and the name of the remote server (and maybe even a bogus company name, etc.), using your organization's private key to sign it.

      It then connects to the remote site and negotiates an HTTPS connection with it as well, but as a client. Bingo, it can then proxy the traffic from the client to the server, decrypting it in the middle and spying on it, then re-encrypting it and sending it on to the remote server. Unless it guessed the remote hostname wrong (in which case the browser would pop up a warning that the name was different), since the remote certificate is signed by a trusted CA, the client would be none the wiser and get the little lock icon and everything. Only a pretty technically-savvy user might think to check the remote certificate and see who it's signed by.

      "Those aren't compiler warnings, they're suggestions."
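    The certificate-issuer check that the post above ends on, together with the point in #127 that a CONNECT proxy only sees an end-to-end byte stream unless it re-signs the connection, is easy to turn into a concrete test. The following is an added example, not code from the thread or from any of the services named in it: it uses Python's standard ssl module and works on the dict that ssl.SSLSocket.getpeercert() returns, so the decision logic runs on constructed data; the CA names, hostnames and certificate contents are all hypothetical placeholders.

```python
"""Checking who signed a webmail site's certificate, to spot a re-signing proxy.

Added example (not from the thread). Works on the dict returned by
ssl.SSLSocket.getpeercert(); every name and certificate below is a
hypothetical placeholder.
"""
import socket
import ssl

# Internal CA names that should never appear as issuer of a public webmail
# certificate. Hypothetical values; fill in from your own trust store.
CORPORATE_CA_NAMES = {"Example Corp Internal Root CA", "Example Corp Proxy CA"}


def rdn_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested ((('k', 'v'),), ...) tuples to {k: v}."""
    result = {}
    for rdn in rdn_sequence:
        for attribute, value in rdn:
            result[attribute] = value
    return result


def matches(host, pattern):
    """Hostname match with a single leading wildcard label (*.example.net)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return host == pattern


def subject_names(peercert):
    """DNS names the certificate is valid for: subject CN plus subjectAltName."""
    names = set()
    common_name = rdn_to_dict(peercert.get("subject", ())).get("commonName")
    if common_name:
        names.add(common_name)
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value)
    return names


def assess(peercert, expected_host, corporate_cas=CORPORATE_CA_NAMES):
    """Classify one certificate; returns (verdict, detail).

    intercepted    issued by an internal CA: something between the browser and
                   the site is re-signing the traffic (decrypt, inspect, re-encrypt).
    name-mismatch  the names in the certificate do not cover the host, which is
                   what the browser warns about, and what a proxy that guessed
                   the hostname wrong from the PTR record produces.
    ok             public issuer and the name matches.
    """
    issuer = rdn_to_dict(peercert.get("issuer", ()))
    issuer_cn = issuer.get("commonName", "")
    issuer_org = issuer.get("organizationName", "")
    if issuer_cn in corporate_cas or issuer_org in corporate_cas:
        return "intercepted", f"leaf signed by internal CA '{issuer_cn or issuer_org}'"
    names = subject_names(peercert)
    if not any(matches(expected_host, name) for name in names):
        return "name-mismatch", f"names {sorted(names)} do not cover {expected_host}"
    return "ok", f"issued by '{issuer_cn}' for {expected_host}"


def fetch_peercert(host, port=443, timeout=5.0):
    """Live check (needs network): verified TLS handshake, return the peer cert dict.

    create_default_context() uses the system trust store on purpose: if a
    corporate root has been pushed there, the handshake succeeds and only the
    issuer check in assess() reveals the interception.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format (hypothetical names throughout).
GENUINE_CERT = {  # what an untouched connection returns
    "subject": ((("commonName", "webmail.example.net"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA Inc"),),
               (("commonName", "Example Public CA"),)),
    "subjectAltName": (("DNS", "webmail.example.net"), ("DNS", "*.example.net")),
}
RESIGNED_CERT = {  # same site, re-signed on the fly by the corporate proxy CA
    "subject": ((("commonName", "webmail.example.net"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Proxy CA"),)),
    "subjectAltName": (("DNS", "webmail.example.net"),),
}
WRONG_GUESS_CERT = {  # proxy with an unlisted CA guessed the name from a PTR record
    "subject": ((("commonName", "lb-17.hosting.example.org"),),),
    "issuer": ((("commonName", "Unlisted Internal CA"),),),
    "subjectAltName": (("DNS", "lb-17.hosting.example.org"),),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("re-signed", RESIGNED_CERT),
                        ("wrong guess", WRONG_GUESS_CERT)):
        verdict, detail = assess(cert, "webmail.example.net")
        print(f"{label:12s} {verdict:14s} {detail}")
```

    On the wire, an honest CONNECT proxy only sees TLS records; a proxy that can read the plaintext has to present its own leaf certificate to the browser, and that certificate's issuer is the evidence. The issuer check comes first so that a re-signing proxy is reported even when it guessed the hostname correctly and the lock icon looks normal; the name check catches the wrong-guess case even for a CA you did not list.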
  129. A question... by techsupersite.com · · Score: 1

    When I get a cable modem (yeah, still using an aging USR V.90 sucky dialup), I plan on setting up my own e-mail service on my Linux box (sendmail). The idea is to use this to handle all my incoming and outgoing e-mail, so that it never resides on a 3rd party server, except of course, the person who sends me a message, or a person who receives my message.

    The question is, is it possible to keep an employer from being able to monitor what is sent and received from a POP server that doesn't exist within the company's network?

    --

    In 2000 America, is a non-lawyer truly free?
  130. Re:That moderation was below the belt. by AFCArchvile · · Score: 1
    I was implying the duration of time that the karma whores and trolls spent on Slashdot. That doesn't mean that I'm a troll.

    That moderator was about as inept as a perl script doing the same job. Or was that a perl script that modded me down?

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
  131. And what happens when the line gets fuzzy? by jabbo · · Score: 3

    When you work from home, for example. As a sysadmin and programmer, it happens plenty. My solution for some time now has been to collect email from various (not publicly available) addresses into an account which I ssh to (as do other users on the box) and read mail at my leisure. I don't engage in any activities nefarious enough to be more paranoid than that anymore (no gun running, drug manufacture, or espionage, for example). I occasionally chat with people from competing companies or fix up someone's resume, and once in a while I might flame someone.

    Basically, I wouldn't work for an employer who was so paranoid that this arrangement made me nervous, and I would encourage others to consider whether they should. I'm a fairly decent systems programmer and administrator, but I don't believe that my leverage with my employers is excessive. On the other hand, I also don't try to rip off my employers or do a substandard job, which sometimes seems like apostasy in modern-day working America, so YMMV.

    --
    Remember that what's inside of you doesn't matter because nobody can see it.
  132. practical? by mashy · · Score: 1

    It seems that a company that has the resources to effectively sniff out and monitor what employees are using on the internet, shouldn't have to be worried about the efficiency of their employees.

    (sorry if this is redundant, I didn't read too thoroughly)

  133. This news is *so* last week. by DoninIN · · Score: 1

    I mean, seriously guys, this is so 8 days ago. If you use your company network to send e-mail, webmail, or whatever, that's not encrypted, then you could get caught, and snooped on, if you feel you can reasonably defend those actions, on the basis that, "well it took less time than a personal phone call, and we're allowed to make a few of those on the clock" etc, then go for it, otherwise take precautions, or send a fax! Don Middendorf

  134. Surveillance not the only worry by c=sixty4 · · Score: 1
    The Swedish national newspaper Aftonbladet published a story (in Swedish) this week about how lousy the security of Hotmail really is.

    To get the password of another hotmail user, all you have to do is to send a forged mail to hotmail staff and claim you have lost your password. The only information you are asked for is your victim's real name and birthday.

    Hilariously, when asked to comment, a Microsoft representative stated that "Your hotmail address should not be distributed to unknown people."

    And, let's not forget the "read anyone's mail" Hotmail incident some time back.

    --
    "The good die first." "Most of us are morally ambiguous, which explains our random dying patterns." --- MST3K
  135. SSL won't cut it either... by sammy+baby · · Score: 1

    ...not necessarily, anyway. If you're on a LAN which blocks all un-proxied ports, you can't open a direct HTTPS connection to your provider. You'd have to go through an HTTPS proxy, which means you're back at square one again.

    1. Re:SSL won't cut it either... by jesser · · Score: 2
      How do you get around that? My guess would be to do some kind of key exchange beforehand so you're sure you're talking to the computer you think you're talking to, and then use https or stunnel or something on a different port.

      --
      The shareholder is always right.
  136. Company Liability by cowscows · · Score: 1
    What I found most interesting about the article was where it talked about some companies encouraging personal accounts to avoid liability when harassment or whatnot occurs over company email accounts. It seems to me that if a company is monitoring and filtering emails and messages to the point where they can tell if it's private or company related, then they can tell if it's harassment or inappropriate, and could possibly be held liable for letting such material through, even if it was a personal issue done on a personal account. Someone could argue that they felt harassed by an email I sent from work, and even though I sent it through a hotmail account, my company shouldn't have let that sort of stuff happen at the office. It's sorta like why a lot of message boards like /. aren't edited by the owners. Once you try and take responsibility for even a small portion of them, you become potentially liable for everything that passes through. If I was running a company, I'd be a little afraid at the responsibility that you may place upon yourself by monitoring your employees communications so closely.

    Of course, encrypting everything would be an excellent start at a solution.

    --

    One time I threw a brick at a duck.

  137. Use HTTPS for Browser Mail? by KarmaBlackballed · · Score: 2

    Why doesn't hotmail or yahoo (or the other big browser email folks) use HTTPS? Doesn't that effectively scramble the browser based emails from prying employers?

    I've wondered about this before and can see this being an attractive marketing tool for the privacy conscious.

    --

    --- -- - -
    Give me LIBERTY, or give me a check.
  138. Noose gets tighter by marcushnk · · Score: 1

    I'm a lvl2 in our I.T. Dept and I'm totally sick of this shit. We block ICQ and Hotmail at the firewall. The only time we look through e-mails is when we get some idiot trying to e-mail a 40 meg avi through our little link. We're developing a world of paranoids, no wonder our stress levels are going through the roof.. Just my .02

    --
    "Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
  139. From the can-you-say-duh dept... by BrK · · Score: 2

    Cool news blurb, but I hope that no one that reads /. was really all that surprised by this.

    --
    -This sig intentionally left blank
  140. Duh? by N8Magic · · Score: 1

    To most people that read the news on this website, this shouldn't come as a big surprise.

    Most larger companies will use a proxy server, and if I am not mistaken, it can keep logs of who pulled what through or from the proxy server. And the content of those pages. That's what a proxy server does!

    Not to mention the companies that use the "security" softwares to keep their employees off of "restricted" (read:prOn) sites.

  141. Duh... This is obvious.... by MegaDeth · · Score: 1

    Of course, any plain text communication can be monitored. I use a web based site for my e-mail. It's convenient, as I'm on the road a lot and happen to change ISPs every so often. Having a permanent e-mail address independent of location or ISP is a necessity! I know the access isn't secure, so I ALWAYS go to https://www.operamail.com, (my free e-mail service) to make sure that everything is encrypted. It's not complete security, but it makes seeing what I'm doing harder. Instead of sniffing traffic, they will need to monitor what is on my screen, or try and break the encryption. Most companies will not go that far, so I'm comfortable with the level of security. If there is a company that would go that far, then they are REALLY determined to see what you're doing. As all of us hackers know, there is no way to stop anyone who is really determined to get into anything.

    --
    -Prof MD
  142. Re:You're missing the point. by spanky555 · · Score: 1

    What a short-sighted PHB you must be...."Nobody has any business..."?

    Well, sir, I'm a consultant, and I get my main office to forward mail to my Hotmail account...it can sometimes be pertinent information, and it's nice to get it in a timely fashion...if it's something that's not important at that time, I can usually figure that out from the header, and read it later....that takes maybe all of a minute to check maybe 2-3 times a day.

    Maybe no one has any business using the office restroom, either, as it uses up those valuable "work resources". Maybe the consulting firm I work for shouldn't call me during working hours as it also uses up the client site's "work resources".

    Geez, I'm glad I never worked with/for anyone that had an attitude as bad as yours must be.
    You must be a shipload of fun at work...

  143. well, duh by Preposterous+Coward · · Score: 1
    If you're using company equipment to type stuff in, and sending it across company wires, of course they could monitor what you are saying. Doesn't mean it's right, but they can.

    The only people likely to be surprised by this "revelation" are the same ones who would be flabbergasted when the boss got upset about the online porn subscription that they charged to their corporate card.

    --

    "Biped! Good cranial development. Evidently considerable human ancestry."
  144. Well, duh, this is nothing new. by AFCArchvile · · Score: 1
    It's called logging. Any comprehensive server logging package has something that lets you keep track of submitted forms and their contents (which is how you use web-based E-mail).

    Perhaps the only safe way to send mail at work is through an e-mail client which is passworded at the program level, and set to an e-mail account outside the company's jurisdiction. The only way to possibly have that logged is if the sysadmin is an absolute snoop who monitors all SSL connections.

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
  145. Re:Whose computer is it? by onion2k · · Score: 2

    And there was me thinking that slavery had been made illegal..

    If an employer thinks that I am just a machine, capable of nothing but churning out code, and that I enjoy nothing more than staring at pages and pages of PERL for the 50 - 60 hours a week I'm in the office then that's fine. I can get other jobs. I'm in my last week at my current job, my primary reason for leaving is a restrictive web surfing policy. People who vote with their feet and leave jobs because of this are rare, but I'm one of the few.

  146. Whose computer is it? by IGnatius+T+Foobar · · Score: 2

    If you're in an office environment, the computer on your desk belongs to the company. Not you, the company. It is not "your" computer. Therefore the company can regulate what you do with it, and they can monitor what you do with it. You are not entitled to privacy.

    Moreover, it is not your God-given right to customize the computer. Yet when some twit installs the latest Leonardo DiCaprio screen saver and it breaks all of the applications installed on the machine, said twit still feels entitled to yell at the poor tech from the IT department who is dispatched to fix the problem, and removes it.

    You want to do personal stuff? You want to customize? You want to use the computer for any reason other than to do your job? Then go home and use your own computer. I can see this getting modded down by someone who wants to use their computer to goof off at work, but think about it. If your employer is ok with you casually surfing the web during slow times at work, that's fine, but in the end it's their computer and they make the rules.
    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:Whose computer is it? by techsupersite.com · · Score: 2

      You are right, of course. I'm a tech for a WV computer company, and we waste a number of hours that could be billable to customers doing in-house crap for the sales people (who don't know anything about computers), or worse, the boss's wife, who is dumb as a log, but is the president... This is why we are going to install ZENworks on every machine except the tech computers.
      However, as another poster said, the best and ONLY criteria for measuring performance is by productivity. If I'm producing a satisfactory level of results, then it shouldn't matter how I get there. If I'm not, then I suppose stuff like 'net usage would be a legitimate beef.

      --

      In 2000 America, is a non-lawyer truly free?
  147. Let's all be little worker robots! by Halster · · Score: 1

    If a boss/sysadmin is going to be prepared to sit down and go through masses of text looking for that one naughty personal email, you have to ask yourself who is wasting the most time?

    Or. If your company has such an epidemic of personal email use that you are forced to take such measures, maybe you should be asking yourselves why your employees care so little about the work they are supposed to be doing!

    If people felt like their job was worth doing, they would be doing it!

    P.S. I am posting from work. Nobody here cares, because they like to see their employees thinking, learning, and contributing to the community!

    --

    "How much truth can advertising buy?" - iNsuRge - AK47
  148. AT&T Worldnet is *SSL only* over the Internet by jonbrewer · · Score: 1

    One of the better services AT&T provides is SSL-only mail connections from outside of their network.

    Their Internet-accessible webmail site, http://netmail.att.net/ is redirected to https.

    They also don't allow normal POP/SMTP from the Internet. (well duh on the SMTP bit, but it's unusual that an ISP doesn't allow normal POP from the Internet)

    Users not dialed into the AT&T network must set up their mail clients to POP using ssl on port 995, and SMTP using ssl to port 465.

    Why Hotmail and Yahoo don't require SSL is beyond me. I guess you get what you pay for. :-)

  149. duh, I thought we all knew this already... by bigsweatyballs · · Score: 1

    To get around this, and other packet sniffer based privacy intrusions (cough* Carnivore cough*), I wrote a peer-to-peer chat application similar to Instant messenger, only with up to 4096 bit public key encryption (GnuPG based). check it out -> SeqChat

    --
    "Your pen is bugged..." "How do you know? " "This is an action thriller" :Helicopter with machine gun
  150. Money by TechniColorPenis · · Score: 1

    My statement about this: Whomsoever operates in a Space of production is subject to the mechanics and distributions that are a consequence of the Modes of production. Nowhere that I know of is human behavior (or any observable object or condition) not limited. Those who decide, design, own, and endorse the Modes of production are incredibly interested in optimizing those Modes. In fact, very often, they are interested in defining the legal and social boundaries such where the Modes of production may be optimized more and more. And, in general, any Mode that you >yerself do not decide, design, own, and endorse is a Mode whose effects and methods might not favor you. Yey, for that all acks of wi'll may bless me and leave me sexually fortunate.

    --
    everything --> everything
  151. Suggestion by SubtleNuance · · Score: 1

    You can use Hushmail for free which will encrypt your web-based-email-usage.

  152. If this surprises anyone... by meckardt · · Score: 5

    then they probably deserve what they get.

    If it goes over a company network, there is always the chance that the company can intercept it. Live with it.

    Do I let it worry me? Well, if the company wants to listen in to my IM conversation between my wife and myself, they are welcome to hear all about whose turn it is to pick up the kids, or who has to stay late. If they want to tap my email, they can read all they want about my opinions about some book, show, or event in some mailing list or other. I am very careful to not post anything that would be considered undesirable from work, and fairly careful to limit "ok" emails.

    You want to send inflammatory material? Do it from home.

  153. hushmail by SMN · · Score: 1
    This is why anyone concerned with privacy shouldn't use hotmail, they should use hushmail.

    According to the website, hushmail is "the world's first, secure end-to-end, free, Web-based email service." I haven't used it myself, but I've seen testimonials from happy users both here on slashdot and on other sites.

    Email is read and sent via a Java applet that ensures it is encrypted before even being sent to a company proxy, so your boss can't intercept the plain text going over the connection, as is the problem with hotmail, icq, et al.

    Besides, doesn't 1024-bit encrypted email make you drool?

    --
    -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
  154. Many corporations block outbound *port 22* by b1t+r0t · · Score: 2
    Due to the SSH tunneling features, many corporations block outbound SSH from the desktop, due to the obvious security risks.

    So they block ports 22 and 23. So what? Just pick another one that they haven't blocked. Like RealAudio...

    /usr/local/sbin/sshd -p 554
    /usr/local/sbin/sshd -p 7070

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
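    From the network side, the trick in the post above (sshd on 554 or 7070) is also why port-number egress rules are a weak control: the SSH identification string defined in RFC 4253 ("SSH-protoversion-softwareversion SP comments CR LF") is sent in the clear before any key exchange, so a proxy or IDS can recognise SSH on any port from the first bytes the server sends. The following is an added example, not code from the thread or from any IDS product; the flow records, addresses and version strings are constructed placeholders.

```python
"""Recognising SSH by its identification string instead of by destination port.

Added example (not from the thread). RFC 4253 section 4.2 defines the line the
server sends first: "SSH-protoversion-softwareversion SP comments CR LF", at
most 255 characters, optionally preceded by other lines that must not start
with "SSH-". Nothing here depends on the port number.
"""
import re

BANNER_RE = re.compile(rb"^SSH-(\d\.\d+)-(\S+)(?: (.*))?$")


def parse_ssh_banner(server_bytes):
    """Return (protoversion, softwareversion, comments) if the server's first
    bytes carry an SSH identification string, otherwise None."""
    for raw in server_bytes.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # pre-banner text is allowed by the RFC; keep scanning
        if len(line) > 255:
            return None  # longer than the RFC permits: not a well-formed banner
        match = BANNER_RE.match(line)
        if match is None:
            return None
        proto, software, comments = match.groups()
        return (proto.decode("ascii", "replace"),
                software.decode("ascii", "replace"),
                (comments or b"").decode("ascii", "replace"))
    return None


def find_ssh_on_odd_ports(flows, allowed_ports=(22,)):
    """Flag flows whose server side speaks SSH on a port not in allowed_ports.

    Each flow is a dict with dst_ip, dst_port and server_bytes (the first
    bytes the server sent). Returns (dst_ip, dst_port, softwareversion) tuples.
    """
    hits = []
    for flow in flows:
        banner = parse_ssh_banner(flow["server_bytes"])
        if banner is not None and flow["dst_port"] not in allowed_ports:
            hits.append((flow["dst_ip"], flow["dst_port"], banner[1]))
    return hits


# Constructed sample flows (hypothetical addresses and version strings).
SAMPLE_FLOWS = [
    # sshd started with "-p 554", sitting where RTSP is expected
    {"dst_ip": "203.0.113.5", "dst_port": 554,
     "server_bytes": b"SSH-2.0-OpenSSH_2.9p2\r\n"},
    # a genuine RTSP server on the same port: no SSH banner
    {"dst_ip": "198.51.100.20", "dst_port": 554,
     "server_bytes": b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n\r\n"},
    # sshd on 7070 with a pre-banner line, which RFC 4253 allows
    {"dst_ip": "203.0.113.5", "dst_port": 7070,
     "server_bytes": b"Authorized use only\r\nSSH-2.0-OpenSSH_2.9p2\r\n"},
    # HTTPS: first server bytes are a TLS record header, not text
    {"dst_ip": "198.51.100.30", "dst_port": 443,
     "server_bytes": b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01"},
    # sanctioned SSH on its normal port: not reported
    {"dst_ip": "192.0.2.10", "dst_port": 22,
     "server_bytes": b"SSH-2.0-OpenSSH_2.9p2\r\n"},
]

if __name__ == "__main__":
    for ip, port, software in find_ssh_on_odd_ports(SAMPLE_FLOWS):
        print(f"SSH ({software}) to {ip}:{port}")
```

    The returned hit list is what an alert or a report to the network team would be built from; allowed_ports lets a sanctioned bastion on 22 pass while anything that answers with an SSH banner elsewhere is surfaced, which is the content-based check that a plain port block lacks.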
  155. Use Licq! by Lord+Ender · · Score: 2

    Licq is a really great program. It has more features than any other ICQ client, the most interesting of which is encryption. As far as I know, it is the only ICQ client that encrypts instant messages sent to other users of the same client. And it has frontends written in both Qt and GTK+ so it is great for anyone.

    If you are paranoid about people snooping in on your instant messaging, use Licq and get your friends to do it too!

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  156. Freedom - Zero-Knowledge by jailbreakist · · Score: 1

    The best solution available is Freedom (www.freedom.net), by Zero-Knowledge systems. It offers 4096 bit encryption and pseudonymous email.

  157. Re: There is a way by AFCArchvile · · Score: 1
    "Bosses usually don't and if they do they wouldn't know how to set up the necessary listening apps (tcp, udp)."

    Ah, but this is why the sysadmin at a company is usually a corporate brown-noser. This way, the CEO can hire him to go muck-raking on the server transfer logs. If there's some connections to a Yahoo server, or AIM packets discovered floating around, then it's time to start spying!

    If anything is found, then the CEO can either cite non-disclosure or work ethic, depending on the situation.

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer