Web-Based E-mail Isn't Safe From Corporate Eyes
Ant points to this CNET story, a snippet from which reads thus: "[S]ecurity experts say many employees would be surprised to know that Web-based email services also offer little privacy. Messages sent via a Yahoo or Hotmail account, or through instant messaging products, such as ICQ or America Online's Instant Messenger (AIM), are just as accessible to nosy employers." I know some people whom this ought to make nervous ;)
I'm reasonably sure of my system security there, since I installed the system myself. It's kind of a pity I have to view my employer as my enemy, but the corporate world's pretty much proved they are anyway.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
There is a plugin called PGP For ICQ that will allow you to encrypt ICQ messages, and I think that PGP 7.0 has this built in. The linked plug-in has source code also (as of now, source for 0.5 only; the current release is 0.9).
Correct me if I'm wrong...
--
From: Aaron "PooF" Matthews
Buy an account from anonymizer.com, and sign up for the "Secure Tunneling" option -- $10 per month. On your local machine, you use SSH configured to port-forward ports 25 (SMTP) and 110 (POP3) to mail.anonymizer.com. You configure your local POP3/SMTP clients to connect to localhost, and the connections are securely forwarded through the Anonymizer. This can be done with Netscape, for example.
This assumes that you have some way of setting up SSH locally, and that there's no keystroke monitoring going on. In both cases, you're probably better off if you have a Linux box.
GP
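As an added example (my code, not the poster's): the local port-forward the comment above describes, with the ssh invocation spelled out and a check that a POP3 server really is answering on the local port before a mail client is pointed at it. The hosts and user (tunnel.example.net, mail.example.net, alice) are assumptions, as are the local ports 1110/2525, chosen because binding 110/25 on the local machine would need root.

```python
"""Added example, not from the original post: local SSH port-forwarding for
POP3 (110) and SMTP (25) through a tunnel host, plus a sanity check.

Assumptions (mine, not the poster's): you have an SSH account
TUNNEL_USER@TUNNEL_HOST whose host key is already in ~/.ssh/known_hosts, and
the mail server behind it is MAIL_HOST.
"""
import socket
import subprocess
import time
from typing import List

TUNNEL_HOST = "tunnel.example.net"   # hypothetical tunnel endpoint
TUNNEL_USER = "alice"                # hypothetical account on it
MAIL_HOST = "mail.example.net"       # hypothetical POP3/SMTP server behind it


def ssh_forward_argv(local_pop3: int = 1110, local_smtp: int = 2525,
                     user: str = TUNNEL_USER, tunnel: str = TUNNEL_HOST,
                     mail: str = MAIL_HOST) -> List[str]:
    """argv for: ssh -N -L 127.0.0.1:1110:mail:110 -L 127.0.0.1:2525:mail:25 user@tunnel

    -N                       : no remote shell, only the forwards.
    StrictHostKeyChecking=yes: refuse an unknown or changed host key instead
                               of silently tunnelling through whoever answers.
    ExitOnForwardFailure=yes : die if a local port is already taken, so the
                               mail client cannot fall through to something else.
    Binding to 127.0.0.1 keeps other machines on the LAN off the forward."""
    return [
        "ssh", "-N",
        "-o", "StrictHostKeyChecking=yes",
        "-o", "ExitOnForwardFailure=yes",
        "-L", f"127.0.0.1:{local_pop3}:{mail}:110",
        "-L", f"127.0.0.1:{local_smtp}:{mail}:25",
        f"{user}@{tunnel}",
    ]


def pop3_banner_ok(banner: bytes) -> bool:
    """A POP3 server (RFC 1939) greets with '+OK ...'; anything else means the
    local port is not carrying POP3 (forward down, wrong port, another
    service squatting on it)."""
    return banner.startswith(b"+OK")


def read_banner(port: int, host: str = "127.0.0.1", attempts: int = 10) -> bytes:
    """Poll the local end of the forward until ssh has it listening, then read
    the greeting the far-end server sends on connect."""
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=5.0) as s:
                return s.recv(512)
        except OSError:
            time.sleep(0.5)
    return b""


if __name__ == "__main__":
    # Start the tunnel, then point the POP3 client at 127.0.0.1:1110
    # (and SMTP at 127.0.0.1:2525) only if the banner check passes.
    proc = subprocess.Popen(ssh_forward_argv())
    try:
        ok = pop3_banner_ok(read_banner(1110))
        print("POP3 forward is up" if ok else "no POP3 server on local port")
    finally:
        proc.terminate()
```

Two things the check does not cover: SSH only protects the hop from your machine to the tunnel host, so what the tunnel host does with the POP3/SMTP traffic on the far side is its business, not yours; and, as the poster says, a keystroke logger on the workstation reads the password before ssh ever sees it.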
That's why, when I send my love letters to the CEO's wife, I wait until my boss goes to lunch and use his computer. And sign it with his name.
--
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
I work as a consultant for the government and it pisses me off to see so many employees goofing off at work. If people did what they are supposed to do, then the government wouldn't need to hire consultants. It doesn't bother me that people read personal email, but people will spend all their time online and NOT get their work done. It just really pisses me off.
int func(int a);
func((b += 3, b));
Using services like http://www.pop3now.com will let you access POP3 email through the web while protecting you from your employer's prying eyes.
There are also other SSL wrapper services out there that will get you out of untrusted workstations. However, keep an eye out for programs that record keystrokes and/or record screen activity.
This would only apply if employees were concerned with employers snooping internal communication. Unless these employees each have a personal line to the Internet, the shared pipe out provides a pretty good perch to sniff from.
Switched networks aside, it's not the executives that are setting up monitoring. It's the net admin. If they can't set up a sniffer they shouldn't be in charge of this stuff. They also don't need anything too specific. Even the most rudimentary sniffer will be enough to get whatever an employer wants.
Along the lines of the point-to-point solutions such as SSL'ed web-based e-mail, Hushmail and the like, you're really just upping the ante for the system administrator. The article (if anyone actually ever reads the articles Slashdot references) makes a good point of keystroke grabbers, etc. It's always possible for an adept admin to trojan your box for "official business." If it ain't your box, you lose. Very few ifs, ands, or buts about it. Hell, a really persistent admin can grab PGP keys out of memory and escrow :) them for you.
Bruce Schneier's new book has great stuff on these extremes and how they aren't as extreme anymore. He puts it best throughout his book with the futility of trying to protect data using a system you don't control. He mostly looks at it from the angle of the user being the attacker, but obviously the concepts apply in the reverse. This time the chump sitting at the keyboard is us.
If it ain't yours, don't trust it.
Stephen, I'll assume by your post that you are in a university environment. Well, I'll tell you that the corporate world is very different.
For starters, many, many companies still use hubs for their networking. If you are plugged into a hub then you can hear anything on your subnet. I have personally worked with small to medium sized companies, with tens to thousands of users, who still link end stations to the LAN with hubs. In these cases snooping by the boss is actually less of a threat than your neighbor running an SMB sniffer and cracking your clever M$ password of "password".
Second, with the proliferation of intrusion detection systems it is becoming less and less possible for your traffic to not be examined. Large organizations use IDS not only on their Internet connections, but on their internal networks as well. This is because a majority of security violations occur on the inside of a network. By definition, an IDS system must hear everything that happens on a segment it is to protect.
Third, bosses may not be technically capable of setting up a sniffer, but they are very aware that the opportunity exists. They will order the use of sniffing technology if they believe that they must use it to accomplish something. In practice, they will only do this if there is a significant reason to do so because of legal liability.
Fourth, something like 60% of US companies actively monitor their employees' use of Internet resources. They may not look at each payload, but if you are spending 50% of your day going to Hotmail with your browser, chances are that they already know about it.
Remember that in the US the current opinion is that if you are using a company's computer then the company owns the data input into or produced from that computer. If you are doing something that might be a no-no, you'd better not do it.
I read most of my non work-related e-mails and download big files (don't want to hog the company's bandwidth) on various UNIX boxes with ssh1.
:)
How secure is ssh1? Can people still sniff this besides reading off my monitor? Once in a while, I have personal stuff (nothing illegal) that I don't want people to read.
TIA for replies.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Any management that thinks auditing is an effective way of encouraging good work ethics is insane and grossly inept and should be fired immediately. Any manager that sees low productivity or low morale and thinks the solution is to start snooping on employee activities should give up and become a basket weaver. I am not kidding.
The only true measure of an employee's worthiness is output and nothing but. This is a very important concept as we move to more telecommuting/contract type employment anyway (and boy will the lines get blurry when employers are monitoring employees in their own home). The vast majority of us in this business get paid by salary, not by punching a card in a clock, and while there are some general expectations regarding hours, generally the salary structure is based upon performance, not time. For our salary we are expected to contribute a certain amount of worth to the company versus the salary that we are receiving. If an employee doesn't contribute that worth then firstly examine the management structure and corporate supports to determine if they are the problem, and if not FIRE THEM. That is the only way to manage effectively in the information age. If you've got some company outcast sitting in a room packet scanning whether someone is using Hotmail then you've got your priorities totally messed up: there are a million ways of wasting away time, and if you think you're creating a super efficient workplace by totalitarian network policies then you are completely ignorant of the real world.
If you have a worker that you think might be dicking away a lot of time, simply set goals and performance requirements, and you should have a system in place that measures metrics (not keystrokes, as that is worthless, but some other metric). Reward exceptional performance and punish under-performance. The time an employee needs to accomplish those goals is irrelevant. Obviously if someone is sending offensive mail from a company email address that is poor judgement and should be punished; however, if someone is sending emails to friends on Hotmail you really shouldn't give a shit if you have the performance metrics and good measurement systems. If you think you will improve the worthiness of your company by instituting superficial monitoring systems then you will soon be out of a job as your company will be out of business.
BTW: For the corporate outcasts that feel the supreme justice of being the ones "in charge" of monitoring employees: Firstly, these systems are never unbiased -> it is usually targeted at whichever persons these losers feel a dislike towards recently. Secondly, there is no justification based upon what I was saying above (except for a few positions which are more time based, i.e. answering phones). Pathetic claims about "company resources" and the like are ridiculous. Do you abscond from drinking lest you use the sacred company water pissing? Do you partake of company provided refreshments? Do you happily request a 14" monitor over a 19" because really netmon runs just as good at 800x600? If not then shut up: the "wear and tear" on a computer system for someone to visit Hotmail is rather minimal and of minimal cost.
Too many companies these days are installing clients that allow them to see your screen. Typing an e-mail? They can read it while typing. Talking on ICQ? They can get the conversation, too.
The PGP/SSL arguments don't hold water. If they see you doing something personal, either by sniffing or peeking into your computer, they can monitor whatever they darn well please. And read whatever they want to. And watch what you're doing.
It is impossible for you to hide your personal web usage from the IS department. There are no solutions when they can take over your monitor from another box and packet sniff.
Me: Man, I always wonder if I ever get any work done in this office. Then I look around and I wonder if ANYONE gets any work done. Me: Dude you need to come down to the office, we're printing out PORN on the laser jet printers, then shredding the paper and putting acid on it! Me: My boss reminds me that left nuts do grow out of proportion. Me: Work reminds me that life is nothing but a big orgy, often on keyboards. This would explain why my keyboard is hairier than Roseanne's legs. I hope this reminds the majority of you unemployed, disillusioned stiffs like myself why we constantly get fired. God bless the internet, and all its pornographic glory.
prosebeforehos.com
If you take the stance that people should be using business resources for personal email, which is a stance that I disagree with strongly, an SSL connection to your webmail provider is the easy answer.
HTTPS through a proxy simply uses the CONNECT method to get a direct connection to the SSL server at the other end. It requires an end-to-end byte stream.
The proxy can sniff the traffic, but they then need to decode the SSL...
HushMail.com uses strong encryption end to end. It's the strongest web-based email that I know of...
I like to build things and wire stuff together.
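As an added example (my code, not the poster's, and no network is used): the CONNECT exchange described above, reduced to what an HTTP proxy actually gets to see when a browser opens an HTTPS session to a web-mail host through it. The proxy replies and the leading bytes of the TLS handshake below are constructed inline; the host name mail.example.net is an assumption.

```python
"""Added example, not from the original post: HTTPS through an HTTP proxy.

The browser sends CONNECT host:port; on a 2xx reply the proxy turns into a
dumb byte pipe and the next thing on the wire is the TLS ClientHello.  So a
sniffing proxy can log *where* you went and *that* TLS started, but the
HTTP inside (mailbox, message bodies) is not in the clear for it.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed samples (not captured traffic).
PROXY_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
PROXY_DENY = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
# TLS record header (type 0x16 = handshake, version 3.1, length 0x2a)
# followed by handshake type 0x01 = ClientHello and its 3-byte length.
CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x01"

_REQ = re.compile(rb"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n")
_RESP = re.compile(rb"^HTTP/1\.[01] (\d{3})[^\r\n]*\r\n")


def connect_request(host: str, port: int = 443) -> bytes:
    """The only application-layer data the proxy receives from the client:
    a CONNECT line naming host:port, headers, blank line."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_request(req: bytes) -> Optional[Tuple[str, int]]:
    """What the proxy (and whoever reads its logs) learns: the destination."""
    m = _REQ.match(req)
    return (m.group(1).decode("ascii"), int(m.group(2))) if m else None


def tunnel_established(resp: bytes) -> Tuple[bool, int]:
    """Any 2xx reply means the proxy has gone transparent; 403/407/5xx mean
    the admin's proxy policy refused the tunnel (the usual way CONNECT gets
    blocked for ports other than 443)."""
    m = _RESP.match(resp)
    if not m:
        return False, 0
    code = int(m.group(1))
    return 200 <= code < 300, code


def looks_like_tls_client_hello(data: bytes) -> bool:
    """First bytes after a 2xx should be a TLS handshake record carrying a
    ClientHello; if they are readable HTTP instead, nothing is encrypted."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[5] == 0x01)


def proxy_log_entry(req: bytes, resp: bytes, first_bytes: bytes) -> Dict[str, object]:
    """Everything a sniffer sitting at the proxy can record for one session."""
    ok, code = tunnel_established(resp)
    tls = ok and looks_like_tls_client_hello(first_bytes)
    return {
        "destination": parse_connect_request(req),
        "status": code,
        "tunnel": ok,
        "tls_started": tls,
        # plaintext HTTP is visible only if the tunnel carries non-TLS bytes
        "http_visible": ok and not tls,
    }


if __name__ == "__main__":
    req = connect_request("mail.example.net")   # hypothetical web-mail host
    print(proxy_log_entry(req, PROXY_OK, CLIENT_HELLO_PREFIX))
    print(proxy_log_entry(req, PROXY_DENY, b""))
```

The "then they need to decode the SSL" part holds only as long as the workstation trusts no certificate authority the employer controls: with an employer-installed root CA, an intercepting proxy can terminate TLS itself, present its own certificate for the web-mail host, and the browser shows no warning. That is the same "if it ain't your box, you lose" point made earlier in the thread.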
But that's not the point at all.
It's not some rogue boss who has a sniffer that people dislike... it's when the company itself officially tracks things. That means the IT dept. is involved, and that means they CAN do it.
LAN admins can snoop? Isn't that missing the point? It's the IT department's job to manage all aspects of information technology, including the LAN. If the company has a mandate to analyze that traffic, then it is the IT department who would do it.
When you work from home, for example. As a sysadmin and programmer, it happens plenty. My solution for some time now has been to collect email from various (not publicly available) addresses into an account which I ssh to (as do other users on the box) and read mail at my leisure. I don't engage in any activities nefarious enough to be more paranoid than that anymore (no gun running, drug manufacture, or espionage, for example). I occasionally chat with people from competing companies or fix up someone's resume, and once in a while I might flame someone.
Basically, I wouldn't work for an employer who was so paranoid that this arrangement made me nervous, and I would encourage others to consider whether they should. I'm a fairly decent systems programmer and administrator, but I don't believe that my leverage with my employers is excessive. On the other hand, I also don't try to rip off my employers or do a substandard job, which sometimes seems like apostasy in modern-day working America, so YMMV.
Remember that what's inside of you doesn't matter because nobody can see it.
then they probably deserve what they get.
If it goes over a company network, there is always the chance that the company can intercept it. Live with it.
Do I let it worry me? Well, if the company wants to listen in to my IM conversation between my wife and myself, they are welcome to hear all about who's turn it is to pick up the kids, or who has to stay late. If they want to tap my email, they can read all they want about my opinions about some book, show, or event in some mailing list or other. I am very careful to not post anything that would be considered undesirable from work, and fairly careful to limit "ok" emails.
You want to send inflammatory material? Do it from home.