Web-Based E-mail Isn't Safe From Corporate Eyes
Ant points to this CNET story, a snippet from which reads thus: "[S]ecurity experts say many employees would be surprised to know that Web-based email services also offer little privacy. Messages sent via a Yahoo or Hotmail account, or through instant messaging products, such as ICQ or America Online's Instant Messenger (AIM), are just as accessible to nosy employers." I know some people whom this ought to make nervous ;)
My coworkers often make fun of me because I use pine for my personal mail (I have to use Netscape for work e-mail because of attachments) and lynx to surf the web. I ssh into a Linux server and use pine, nothing to it. Plus, no one can look over my shoulder and see a web browser. Look, an xterm, it must be work.
BTW, I know that I should use something better like mutt. I've been using pine for over 6 years and I am just too lazy to relearn.
--weenie NT4 user: bite me!
"Computers are nothing but a perfect illusion of order" -- Iggy Pop
So do I. If I'm sat in my cube when I do anything net-related, my employer is welcome to watch it. If they can show me a single instance when I missed a deadline or otherwise didn't get the work done because of it, then I'll deserve anything they throw at me, but I have no worries there because there are no such incidents. All the same, there isn't any reason I have to make it easy for them: the only way they can read any email I send from my home accounts is either to do screen/keystroke capture (which I'd know about pretty quick, as I regularly sniff my own network traffic as part of my job) or to pull a full-scale man-in-the-middle attack on my ssh connection to my home LAN at the corporate firewall. If they are that paranoid and want to waste that much time and resources on the project, then they are welcome to. If my boss wants to sink that much budget into completely non-productive tasks, then he's on a big-time losing streak and I'll soon have his job myself. Alternatively, if he is getting pressure from upstairs to account for my net traffic, all he has to do is ask and I'll hand him a logfile. With nothing to hide there's no loss in telling them what you're doing; it's just polite for them to ask for the info rather than simply grab it.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
I had a
I'm reasonably sure of my system security there, since I installed the system myself. It's kind of a pity I have to view my employer as my enemy, but the corporate world's pretty much proved they are anyway.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Hey, we English majors are not all dumb. In fact, some of us are even BSD users, you unsophisticated prick!
Technical know-how has no relationship to how intelligent a person is, I'd expect an English major to know that.
Second Law of Blissful Ignorance
There is a plugin called PGP For ICQ that will allow you to encrypt ICQ messages, and I think that PGP 7.0 has this built in. The linked plug-in has source code also (as of now, source for 0.5 only; the current release is 0.9).
Correct me if I'm wrong...
--
From: Aaron "PooF" Matthews
In any case, messages to/from non-Hushmail users leave/arrive in non-encrypted form. That's still too much openness for really sensitive messages. If you really want to protect your messages, you should send and receive with public key encryption.
I have to admit that I've used web mail to avoid sending email through an employer's server. This wasn't actually my choice -- I was working for a job shop that asked me to communicate with them this way. But, as this news item points out, I wasn't really gaining any privacy. If the portal company had conspired with my employers...
As with any security measure, securing your email is a question of making it too much trouble for people to crack the perimeter. If you think you're getting absolute security, you're fooling yourself -- and that's more dangerous than no security at all.
__________
For several years I was part of a team that ran corporate web proxies for a 30,000-employee firm. There was at the time no policy against using web-based email. But in one incident I can remember, we did review proxy logs in an attempt to determine the source of an anonymous email that was directed at an employee. We did so by searching the log for logins to a web-based email system that happened to have the userid in the URL. It was an effort to determine if the email was actually from another employee. We never had cause to sniff the entire HTTP activity of a single user. But we could have with little effort, and would have if directed by HR.
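The log search described in the post above, written out as an added example (not the poster's code): given proxy access-log lines, find requests to a webmail host whose query string carries a user id, and map each id to the client addresses that used it. The log format is Squid's native access.log layout, the sample lines are constructed, and the webmail hostname and the list of query parameter names (user, userid, login, login_id, username) are assumptions an admin would tune for their own site.

```python
"""Search a proxy log for webmail logins that carry the user id in the URL."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Squid native access.log format:
# <epoch> <elapsed> <client> <code/status> <bytes> <method> <url> <ident> <hierarchy> <type>
SAMPLE_LOG = """\
988000001.123    412 10.1.2.3 TCP_MISS/200 5120 GET http://mail.example-webmail.test/login?user=jdoe&pass=hidden - DIRECT/203.0.113.7 text/html
988000002.456    233 10.1.2.3 TCP_MISS/200 2048 GET http://mail.example-webmail.test/inbox?user=jdoe - DIRECT/203.0.113.7 text/html
988000003.789    101 10.1.2.9 TCP_MISS/200 1024 GET http://www.example.test/ - DIRECT/203.0.113.8 text/html
988000004.000    398 10.1.2.9 TCP_MISS/200 4096 GET http://mail.example-webmail.test/login?login_id=asmith - DIRECT/203.0.113.7 text/html
988000005.000    521 10.1.2.4 TCP_TUNNEL/200 9000 CONNECT mail.example-webmail.test:443 - DIRECT/203.0.113.7 -
"""

# Assumptions: which hosts count as webmail, and which query keys carry the login name.
WEBMAIL_HOSTS = {"mail.example-webmail.test"}
USER_PARAMS = ("user", "userid", "login", "login_id", "username")

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return the fields we need from one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def webmail_user(url):
    """Return the user id carried in a webmail URL's query string, or None."""
    parts = urlsplit(url)
    if parts.hostname not in WEBMAIL_HOSTS:
        return None
    qs = parse_qs(parts.query)
    for key in USER_PARAMS:
        if key in qs:
            return qs[key][0]
    return None


def webmail_logins(log_text):
    """Map each webmail user id seen in the log to the set of client addresses that used it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] == "CONNECT":
            # A CONNECT record holds only host:port; the HTTPS URL is never visible to the proxy.
            continue
        uid = webmail_user(rec["url"])
        if uid:
            seen[uid].add(rec["client"])
    return dict(seen)


def clients_for(log_text, userid):
    """Sorted list of client addresses that logged in to webmail as `userid`."""
    return sorted(webmail_logins(log_text).get(userid, ()))


if __name__ == "__main__":
    for uid, clients in sorted(webmail_logins(SAMPLE_LOG).items()):
        print(uid, sorted(clients))
```

The CONNECT line is skipped on purpose: once the webmail site moves its login to https://, the same search finds nothing, because the proxy only ever logged the tunnel endpoint.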
Buy an account from anonymizer.com, and sign up for the "Secure Tunneling" option -- $10 per month. On your local machine, you use SSH configured to port-forward ports 25 (SMTP) and 110 (POP3) to mail.anonymizer.com. You configure your local POP3/SMTP clients to connect to localhost, and the connections are securely forwarded through the Anonymizer. This can be done with Netscape, for example.
This assumes that you have some way of setting up SSH locally, and that there's no keystroke monitoring going on. In both cases, you're probably better off if you have a linux box.
GP
That's why, when I send my love letters to the CEO's wife, I wait until my boss goes to lunch and use his computer. And sign it with his name.
--
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Except, even keystroke logging can't read an email sent to you... although they could have screen capture software, but come on, you know they don't. The last five jobs I've been at, the management wouldn't have known how to install a keystroke logger if you had whapped them on the ass with a genius stick.
Free music from Jack Merlot.
With the switch from shared to switched Local Area Networks, snooping is almost impossible anymore. On Cisco equipment, monitoring all traffic types is only possible if you have enable privileges. Bosses usually don't, and if they do they wouldn't know how to set up the necessary listening apps (tcp, udp). Not to blow my cover, but LAN admins usually can snoop quite well because of their access rights and know-how. We've fired two people from telecomm at my University for just such intrusions.
I work as a consultant for the government and it pisses me off to see so many employees goofing off at work. If people did what they are supposed to do, then the government wouldn't need to hire consultants. It doesn't bother me that people read personal email, but people will spend all their time online and NOT get their work done. It just really pisses me off.
int func(int a);
func((b += 3, b));
I've worked in places where they didn't mind, many of which explicitly said so. I don't understand why you think it's problematic if they don't think it is, especially if they explicitly say so. Many places one might work have the idea that being nice to their employees is good business. I imagine you think this is a strange concept?
For every problem, there is at least one solution that is simple, neat, and wrong.
A well designed proxy setup eliminates the need to snoop the network. Just have the proxy record what gets sent (which, in case you're wondering, is fairly trivial). The real bear with this sort of thing is finding the specific thing you want amongst all the crap.
;)
But I'm sure it's not a problem that a bored Perl programmer couldn't help out with
--
Behold the Power of Cheese!
If you were on my network I wouldn't even need to use a keystroke recorder. To use the web you have to go through a proxy; all other traffic is blocked. And your browser is set up to send plain text to the proxy, and the proxy then uses SSL between it and the site you are going to. Therefore even SSL traffic is easily recorded, and you are none the wiser.
If you don't know the rules, don't play the game.
First off, how many people know what a packet sniffer is? It isn't obvious unless you live in a fantasy world full of geeks. Non-techs should not only be better informed but also don't need apathetic people like you saying, "too bad."
Imagine if my conservative company has a list of words they like to keep track of going over their network, like pot, work sucks, aids, etc. I IM or email a buddy about getting high, think that I could have a terrible illness, or what parts of my job suck and now the admins go and tell the execs that I'm suddenly high risk. They could easily come up with some bullshit reason to fire me, like "not being a team player."
What they won't do is read my email off to me and say "Okay looks like you've smoked pot before and don't like 3 people in your department, it says it right here to the people you emailed over the last six weeks."
In other words, they won't admit to violating my privacy (which, last I checked, they don't have a right to if it's on a remote server) but will easily use that information against me.
Using services like http://www.pop3now.com will let you access POP3 email through the web while protecting you from your employer's prying eyes.
There are also other SSL wrapper services out there that will get you out of untrusted workstations. However, keep an eye out for programs that record keystrokes and/or record screen activity.
Seriously, though, anybody who knows how packets flow across the internet knows that ordinary email, non-secure web forms, etc., are the electronic equivalent of post cards. Expecting anything approaching privacy from them is just plain silly. If you don't want your boss, the Yahoo webmaster, or the NSA to know about your tastes in software porn (I'd find it embarrassing, but it wouldn't be the end of the world), do some elementary public key encryption. That's enough for most purposes -- ordinary encryption is all too easy to crack, but most of us don't have secrets that are worth the trouble.
If you're sending something really sensitive (ho hum, another hippie wants to overthrow the government), make a serious study of encryption issues.
If you're sending something really really important (it will cost somebody money if the fact gets out), use a fax machine.
If you're sending something really really really important (your competition actually cares about what you're up to!), call FedEx.
__________
I am a SysAdmin, and I really don't care for the CEO, I just browse company traffic for the sheer fun of it....er....I never, ever sniff packets. yeah.
Anyway, if your boss is totally indifferent to your privacy, he's going to forbid you to use hushmail isn't he?
If you're really concerned about workplace privacy, you should discuss it openly with your employers and get them to set an explicit privacy policy. Imposing half-assed encryption solutions on your own gives you nothing but a false sense of security (pun intended).
__________
SSL is a much better solution, no employer is going to block outbound HTTPS connections without good cause.
I do not deploy Linux. Ever.
There is no true defense against company snoops. Even if you used a super-duper encrypted email package, the company can still install a keystroke monitor on their computer. The safest course is to forget using the company machine and get your own email-capable device like one of the new 'pagers' or an email-equipped cell phone. And don't have the company pay for it. Then if they want to read your emails they'll have to subpoena them.
"If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine
I would wager most companies that institute any sort of e-mail monitoring policy only go that deep into message contents when an employee is under active investigation. Even the most paranoid of companies typically log only the presence of messages, or individual HTTP requests made, never actual content.
There are very few proxies which proxy https (as in http in, https out), since most client browsers can do SSL for themselves, and most that don't grumble immediately when seeing an https:// URL, so they don't even bother asking the proxy.
So usually if clients visit an HTTPS site, it's encrypted all the way. Maybe your network is really set up differently, but have you really checked? Run a sniffer and see. I have for mine, and it's satisfactorily encrypted.
Basically the clients contact the proxy, and then issue a CONNECT dest.ip.address.blah. The proxy makes the connection, and then you have a channel between the client and the destination server. You don't even get the URIs in the proxy logs.
However, over here, users must still log in to the proxy server to have internet access. So if they really misbehave it's not too difficult to track them.
Tracking severe abuse is quite simple and doesn't require any spying of payloads or even urls.
When the Boss asks "Why is the Internet connection so slow?" or worse "Why are the emails slow" then the people who have been downloading movies and mp3s better watch out.
"The information is essentially being sent back and forth via text along a wire. Anyone along that wire, inside or outside of your company, has the ability to intercept, read and change the text," said David Kennedy, director of research services for ICSA.net in Reston, Va. "Is it technically possible? Yes, and it's fairly easy to do."
For Slashdot to sensationalize what is basic knowledge to anyone with a smidgeon of technical know-how (my girlfriend's an English major and she knows this) and make it seem like there is some sinister plot underway by AOL, Yahoo, MSN, etc. to cooperate with employers to steal employee rights is irresponsible.
Second Law of Blissful Ignorance
I should note that the scheme I thought of to proxy https:// pages so an employer can read them in real time does give away the fact that it is there in most cases. This is because all https:// traffic would be routed through a server (say spyonssl.mycomp.123) that would then establish its own secure connection to yourbank.456 or whatever. URLs and referrers would be rewritten to keep everything working. This would be required unless your employer became their own certifying authority, because most web browsers will complain bitterly if the certificate does not match the site. Most users would likely spot this, unless the secure page was quickly switched away from.
Of course, no one is stopping them from installing their own certifying certificate on your PC, generating fake SSL certificates in near real time on a fast computer, and playing a "man-in-the-middle" attack that few people would know how to spot. But now, we are *really* getting paranoid... and so are many employers nowadays. It is likely that at least a few companies out there have systems that try to decode your secure web pages, even if it means taking a year or two with a Cray...
One should realize that most web-email services do use secure https:// for the login, but send your mail as insecure http:// . So they likely can't get your password too easily, but they can get everything else. As we speak, companies are likely working on the former, considering it a "trivial issue" that needs to be overcome. Given that most people only use one password for everything, I would not be surprised if many employers can guess your web mail password anyway.
C'mon people, RSA is now in the public domain, you have no right to complain about not using it.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
I read most of my non work-related e-mails and download big files (don't want to hog the company's bandwidth) on various UNIX boxes with ssh1.
:)
How secure is ssh1? Can people still sniff this besides reading off my monitor? Once in a while, I have personal stuff (nothing illegal) that I don't want people to read.
TIA for replies.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Any management that thinks auditing is an effective way of encouraging good work ethics is insane and grossly inept and should be fired immediately. Any manager that sees low productivity or low morale and thinks the solution is to start snooping on employee activities should give up and become a basket weaver. I am not kidding.
While this is all true, there are many situations in smaller companies where this doesn't work.
My workplace is a case in point.
We used to be a division of Litton, but were sold off because we weren't part of the "core business".
The guy who bought the company, our old GM under Litton, is paranoid.
The boss knows enough about computers to have mirrored his Windows 95 installation up through every machine he's had since his 486DX-33, but still doesn't know why it's dangerous (or why he can't make a partition bigger than 512 megs).
The boss is paranoid enough that while he wants me to administer the mail server, he also doesn't want me to have access to the mail. Same with the fileserver.
The boss wants to be able to watch *everything* going across the LAN at all times and is willing to sit in front of the server in my office to do it.
That's the mentality you might have to deal with. If you can't, get another job. Things were great while we were a Litton company - the philosophy in our division allowed everything but XXX sites and *excessive* non-profitable useage - but since our old GM became our owner, the paranoia has increased and things have gone downhill. I'm looking, as are most of the rest of our staff.
Fire and Meat. Yummy.
The Electronic Communications Privacy Act of 1986 gives protections against interception and wiretapping. My employer can look at my mail that's saved and transmitted between her servers but cannot attempt to intercept my mail going to Hotmail or a remote ISP. This would be like Ameritech saying "we own these wires, we're going to record all your conversations."
Imagine you're the boss. You've got a few min to spare, why not watch an AIM conversation go by?
Lots of people get off on snooping in other people's business. This is why 'reality' TV shows are such a hit.
Now imagine you're the boss or the network guy, and there's an employee you don't like using AIM, and you've got a few min to spare. You don't think there's a real chance that people might casually skim through your stuff? And if the boss (or network guy) is out to get you fired, then there's a serious chance people are going to look through your stuff.
Any management that thinks auditing is an effective way of encouraging good work ethics is insane and grossly inept and should be fired immediately. Any manager that sees low productivity or low morale and thinks the solution is to start snooping on employee activities should give up and become a basket weaver. I am not kidding.
The only true measure of an employee's worthiness is output and nothing but. This is a very important concept as we move to more telecommuting/contract-type employment anyway (and boy will the lines get blurry when employers are monitoring employees in their own homes). The vast majority of us in this business get paid by salary, not by punching a card in a clock, and while there are some general expectations regarding hours, generally the salary structure is based upon performance, not time. For our salary we are expected to contribute a certain amount of worth to the company versus the salary that we are receiving. If an employee doesn't contribute that worth, then firstly examine the management structure and corporate supports to determine if they are the problem, and if not, FIRE THEM. That is the only way to manage effectively in the information age. If you've got some company outcast sitting in a room packet scanning whether someone is using Hotmail, then you've got your priorities totally messed up: there are a million ways of wasting away time, and if you think you're creating a super-efficient workplace by totalitarian network policies, then you are completely ignorant of the real world.
If you have a worker that you think might be dicking away a lot of time, simply set goals and performance requirements, and you should have a system in place that measures metrics (not keystrokes, as that is worthless, but some other metric). Reward exceptional performance and punish underperformance. The time an employee needs to accomplish those goals is irrelevant. Obviously if someone is sending offensive mail from a company email address that is poor judgement and should be punished; however, if someone is sending emails to friends on Hotmail you really shouldn't give a shit if you have the performance metrics and good measurement systems. If you think you will improve the worthiness of your company by instituting superficial monitoring systems, then you will soon be out of a job as your company will be out of business.
BTW: For the corporate outcasts that feel the supreme justice of being the ones "in charge" of monitoring employees: Firstly, these systems are never unbiased -> they are usually targeted at whichever persons these losers have felt a dislike towards recently. Secondly, there is no justification based upon what I was saying above (except for a few positions which are more time-based, i.e. answering phones). Pathetic claims about "company resources" and the like are ridiculous. Do you abstain from drinking lest you use the sacred company water pissing? Do you partake of company-provided refreshments? Do you happily request a 14" monitor over a 19" because really netmon runs just as well at 800x600? If not, then shut up: the "wear and tear" on a computer system for someone to visit Hotmail is rather minimal and of minimal cost.
Too many companies these days are installing clients that allow them to see your screen. Typing an e-mail? They can read it while you're typing. Talking on ICQ? They can get the conversation, too.
The PGP/SSL arguments don't hold water. If they see you doing something personal, either by sniffing or peeking into your computer, they can monitor whatever they darn well please. And read whatever they want to. And watch what you're doing.
It is impossible for you to hide your personal web usage from the IS department. There are no solutions when they can take over your monitor from another box and packet sniff.
Of course, Hushmail doesn't encrypt its client-server connection. That does protect you from your boss -- but do you really want to work for somebody who spies on his employees?
Hushmail does offer digital signatures -- but all that proves is that your email headers aren't forged. It doesn't prove that the owner of the hushmail account is who he says he is.
__________
Not even breaks are safe.
To keep the stuff I really want to keep private, private, I use my Palm Pilot, modem and TGPostman over a VPN link to home to get and send my email. Sure they can tap the phone, but all they will get is encrypted garbage.
The Internet at large is a public network, for all intents and purposes. So treat it as such.
Treat any traffic generated as a public radio broadcast. You have no control over who sees it.
Me: Man, I always wonder if I ever get any work done in this office. Then I look around and I wonder if ANYONE gets any work done. Me: Dude, you need to come down to the office, we're printing out PORN on the laser jet printers, then shredding the paper and putting acid on it! Me: My boss reminds me that left nuts do grow out of proportion. Me: Work reminds me that life is nothing but a big orgy, often on keyboards. This would explain why my keyboard is hairier than Roseanne's legs. I hope this reminds the majority of you unemployed, disillusioned stiffs like myself why we constantly get fired. God bless the internet, and all its pornographic glory.
prosebeforehos.com
In reality, since we run a SOCKS proxy server at work, and already monitor URLs, capturing AIM conversations can't be very difficult; plus we've in the past been able to take snapshots of sites users are visiting through some creative sniffer work. So this really isn't a big surprise. When you think about it, though, people are right: your work PC, internet connection, and your office are there for work. You don't hold Tupperware meetings in your office, so why should you chat online during office hours? Although, there are occasions where using applications such as IM in the workplace is appropriate. When I used to work for an ISP (thank god I don't any more) we used IM to communicate with other techs while we were on the phone. Very useful instead of having to say "Ma'am, can I put you on hold," go ask a question, then come back.
I'm an AIX Systems administrator, and yes I do cry myself to sleep at night....
If you take the stance that people should be using business resources for personal email, which is a stance that I disagree with strongly, an SSL connection to your webmail provider is the easy answer.
wrong. see one of my previous posts
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
HTTPS through a proxy simply uses the CONNECT method to get a direct connection to the SSL server at the other end. It requires an end-to-end byte stream.
The proxy can sniff the traffic, but they then need to decode the SSL...
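The two posts above (the one that walks through CONNECT dest.ip.address.blah and this one) make the same point: for an https:// site the proxy sees the CONNECT request line, answers 200, and from then on relays bytes it cannot decode. The exchange below is an added example, not code from either poster: it models a forwarding proxy's view of one plain-HTTP request and one CONNECT tunnel, and reports what ends up in the proxy's log in each case. All messages are constructed (the hostname is a placeholder, and the "TLS" payload is a fake ClientHello header followed by filler), and `looks_like_tls` is the check you would apply to the first bytes captured by the sniffer the earlier post suggests running.

```python
"""What a forwarding proxy can log for plain HTTP versus an HTTPS CONNECT tunnel."""
import re

# Constructed client messages, in the order a browser would send them to the proxy.
PLAIN_HTTP = [
    b"GET http://mail.example-webmail.test/inbox?user=jdoe HTTP/1.1\r\n"
    b"Host: mail.example-webmail.test\r\n\r\n",
]
HTTPS_TUNNEL = [
    b"CONNECT mail.example-webmail.test:443 HTTP/1.1\r\n"
    b"Host: mail.example-webmail.test:443\r\n\r\n",
    # Sent only after the proxy's 200 reply: a fake TLS ClientHello record header + filler.
    b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32,
    # Fake encrypted application-data record (content type 0x17).
    b"\x17\x03\x03\x00\x40" + b"\xaa" * 64,
]

ABSOLUTE_URL_RE = re.compile(r"^[a-z]+://([^/]+)(/.*)?$")


def looks_like_tls(first_bytes):
    """True if a captured stream starts with a TLS record header (type 0x16/0x17, version 3.x)."""
    return len(first_bytes) >= 3 and first_bytes[0] in (0x16, 0x17) and first_bytes[1] == 0x03


def proxy_view(client_messages):
    """Simulate the proxy side of one exchange.

    Returns (replies_sent_to_client, log_record). A plain request line carries the
    absolute URL, so the proxy can log and inspect it; a CONNECT carries only
    host:port, after which the proxy counts relayed bytes without decoding them.
    """
    head = client_messages[0].split(b"\r\n\r\n", 1)[0]
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ", 2)

    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        payload = client_messages[1:]
        log = {
            "method": "CONNECT",
            "host": host,
            "port": int(port),
            "url": None,                                  # never visible to the proxy
            "bytes": sum(len(m) for m in payload),
            "tls": bool(payload) and looks_like_tls(payload[0]),
        }
        return [b"HTTP/1.1 200 Connection established\r\n\r\n"], log

    m = ABSOLUTE_URL_RE.match(target)
    log = {
        "method": method,
        "host": m.group(1) if m else None,
        "port": 80,
        "url": target,                                    # full URL, query string included
        "bytes": 0,
        "tls": False,
    }
    # A real proxy would now fetch `target` from the origin; the reply is stubbed here.
    return [b"HTTP/1.1 200 OK\r\n\r\n"], log


def plaintext_visible(client_messages):
    """True when the proxy can read the request URL, False when it only relays ciphertext."""
    return proxy_view(client_messages)[1]["url"] is not None


if __name__ == "__main__":
    for name, msgs in (("plain http", PLAIN_HTTP), ("https via CONNECT", HTTPS_TUNNEL)):
        replies, log = proxy_view(msgs)
        print(name, replies[0].split(b"\r\n")[0].decode(), log)
```

The `tls` flag is the practical check: if the bytes following the 200 reply start with a TLS record header, the proxy is a tunnel and the earlier log search finds nothing there; if they are readable HTTP, something (an intercepting proxy, or a browser misconfigured to speak plain HTTP to a TLS-terminating relay) has broken end-to-end encryption.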
HushMail.com uses strong encryption end to end. It's the strongest web-based email that I know of...
I like to build things and wire stuff together.
How easy is it for my employers to see the data I transmit if it is going through a java applet?
Well, that depends - it's still an IP stream, and the packets are still going through your employer's network so they can sniff the packets. Whether or not they can understand those packets depends on whether the applet does encryption at all.
--
When you work from home, for example. As a sysadmin and programmer, it happens plenty. My solution for some time now has been to collect email from various (not publicly available) addresses into an account which I ssh to (as do other users on the box) and read mail at my leisure. I don't engage in any activities nefarious enough to be more paranoid than that anymore (no gun running, drug manufacture, or espionage, for example). I occasionally chat with people from competing companies or fix up someone's resume, and once in a while I might flame someone.
Basically, I wouldn't work for an employer who was so paranoid that this arrangement made me nervous, and I would encourage others to consider whether they should. I'm a fairly decent systems programmer and administrator, but I don't believe that my leverage with my employers is excessive. On the other hand, I also don't try to rip off my employers or do a substandard job, which sometimes seems like apostasy in modern-day working America, so YMMV.
Remember that what's inside of you doesn't matter because nobody can see it.
--
The shareholder is always right.
Why doesn't hotmail or yahoo (or the other big browser email folks) use HTTPS. Doesn't that effectively scramble the browser based emails from prying employers?
I've wondered about this before and can see this being an attractive marketing tool for the privacy consious.
--- -- - -
Give me LIBERTY, or give me a check.
Cool news blurb, but I hope that no one that reads /. was really all that surprised by this.
-This sig intentionally left blank
Well, had you read the article, you would have noted that using Yahoo mail to conduct personal email should be encouraged to limit liability if that person is sending sexist/racist or bad-taste emails. This 'waste of time browsing or chatting' is probably a well-needed break. Where I work it is actually encouraged to do this because it allows us to get back to work more quickly if we are having a mind block or are doing something tedious. Would you rather someone browse the web for 10 minutes or stare blankly at the screen for 20? You incorrectly assume that people only surf for porn. I searched the web because I wanted to set something up on my network at home. I probably would not have been able to do it without spending just a little time at work researching it. It paid off when I overheard they needed pretty much the same thing done there. I was able to implement it much faster because I already had the experience from home. I worked for a company that was heavily into monitoring and control; the turnover rate is around 50%. That's not the only reason, but it's just one more of many. Businesses like yours need to wake up and realize that people are not machines, and cannot concentrate hours on end at ONE task. Minds wear down. You may not notice it in your job, since I'm sure each task you have usually does not last more than a few hours, and even then must be broken up so you can deal with other things. But that's not how it is with most jobs. Just as the article states, people also have a life; they have personal business to attend to. How are they to get anything done if most of the day they are locked up, especially if the business is discussing something with another business, only open M-F, 8-5? It's difficult, to say the least. My company respects the needs of its employees, and gives them pretty large leeway in what is acceptable to take care of/do at work.
In return, each employee pours their heart and soul into the company, and genuinely wants the company to succeed.
And there was me thinking that slavery had been made illegal..
If an employer thinks that I am just a machine, capable of nothing but churning out code, and that I enjoy nothing more than staring at pages and pages of PERL for the 50 - 60 hours a week I'm in the office then thats fine. I can get other jobs. I'm in my last week at my current job, my primary reason for leaving is a restrictive web surfing policy. People who vote with their feet and leave jobs because of this are rare, but I'm one of the few.
http://twitter.com/onion2k
If you're in an office environment, the computer on your desk belongs to the company. Not you, the company. It is not "your" computer. Therefore the company can regulate what you do with it, and they can monitor what you do with it. You are not entitled to privacy.
Moreover, it is not your God-given right to customize the computer. Yet when some twit installs the latest Leonardo DiCaprio screen saver and it breaks all of the applications installed on the machine, said twit still feels entitled to yell at the poor tech from the IT department who is dispatched to fix the problem, and removes it.
You want to do personal stuff? You want to customize? You want to use the computer for any reason other than to do your job? Then go home and use your own computer. I can see this getting modded down by someone who wants to use their computer to goof off at work, but think about it. If your employer is ok with you casually surfing the web during slow times at work, that's fine, but in the end it's their computer and they make the rules.
--
Tired of FB/Google censorship? Visit UNCENSORED!
then they probably deserve what they get.
If it goes over a company network, there is always the chance that the company can intercept it. Live with it.
Do I let it worry me? Well, if the company wants to listen in to my IM conversation between my wife and myself, they are welcome to hear all about whose turn it is to pick up the kids, or who has to stay late. If they want to tap my email, they can read all they want about my opinions about some book, show, or event in some mailing list or other. I am very careful to not post anything that would be considered undesirable from work, and fairly careful to limit "ok" emails.
You want to send inflammatory material? Do it from home.
So they block ports 22 and 23. So what? Just pick another one that they haven't blocked. Like RealAudio...
/usr/local/sbin/sshd -p 7070
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Licq is a really great program. It has more features than any other ICQ client, the most interesting of which is encryption. As far as I know, it is the only ICQ client that encrypts instant messages sent to other users of the same client. And it has frontends written in both Qt and GTK+ so it is great for anyone.
If you are paranoid about people snooping in on your instant messaging, use Licq and get your friends to do it too!
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.