Slashdot Mirror


Instant Message, Instant Transcript

shams42 writes: "Although the internet has been far from private for some time now, it seems that public awareness and concern over this issue is mounting. This article at CNN discusses the issue of companies monitoring instant messages for cyberslacking or leaking company secrets. There is also the possibility of them being included as evidence in court cases."

18 of 330 comments

  1. Re:Jabber + SSL by cuteduo · · Score: 4, Informative

    If the companies are monitoring for so called cyberslacking it
    may not matter much if you are using SSL/SSH with your instant
    messaging. There is software for monitoring the users' desktops
    and keystrokes which is one of many tools that employers can use,
    not only packet/traffic monitoring on company networks. Just to
    add another formula to things, monitoring can be completely separate
    from the computer, they (employers) can also use well placed CCTV
    systems.

  2. Re:Why not use on-the-fly encryption? by Anonymous Coward · · Score: 1, Informative

    Licq includes the option to secure messages with SSL, and there was (is?) a pgp plugin for icq as well.

  3. Re:Why not use on-the-fly encryption? by arcanis · · Score: 2, Informative

    Fire.app for MacOSX can encrypt messages with GPG both ways transparently with arbitrarily sized keys.

    It also does on the fly language translation using a babelfish-quality replacement engine, so you can chat with people whose language you don't speak. It's very cool.

  4. Easy to monitor by dcocos · · Score: 2, Informative

    Since the IM clients, as well as most other things you do at the office, are so easy to monitor, I've always made it a personal policy not to discuss anything over IM that I'd be embarrassed to have to explain to a judge in court some day. And in case they were monitoring it I'd always add a "Hi Sysadmin, I know you are reading this" every once in a while to my messages just to let them know I knew they were there ;)

  5. simple solution by ross.w · · Score: 4, Informative

    Use SSH link to your PC at home to run text based IM client and/or web browser from your home address.

    I've not heard of an employer that monitors Port 22, and even if they did, it's encrypted so they can't pick up what you said.

    Best program for this is PuTTY (assuming you use NT at work)

    The whole thing assumes you are using *n?x at home and can run an SSH daemon on it.

    Of course best of all is to not shout from the rooftops what should be said in private.

    --
    If my call is important, why am I talking to a recording?
    1. Re:simple solution by q-soe · · Score: 3, Informative

      Yes we block it
      Yes we block IM
      Yes we block AIM
      Yes you get fired if you break the rules

      When you start work with us you sign an agreement which clearly states what is and isn't allowed - the shock comes about for most people when we enforce that agreement - and we do.

      The employer pays you to work, there are NO work reasons (cut the crap about tech support IRC and suchlike - I've heard it and seen what these guys talk about - there's no tech support going on at all - it's chatting) for IM clients that I can see other than wasting time.

      --
      I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
  6. Re:Why? by malevolence · · Score: 2, Informative

    Actually, it's pretty useful for getting answers to quick questions from colleagues. Instead of traipsing(sp?) down the hall or emailing the person, just IM them. Everyone at the office uses it and it has helped my productivity. I no longer get snagged into whatever is going on outside my office.

  7. Jabber + SSL is almost worthless. by Anonymous Coward · · Score: 2, Informative

    Jabber over SSL would solve this problem.
    You'd think it would.
    But you would be wrong.


    The problem is that none of the Jabber clients implement the SSL protocol fully, and are vulnerable to 'man in the middle' attacks. They do not take the most basic precautions that you would find in any web browser (except Lynx, Lynx has this problem too).

    I explained the vulnerability in a presentation at JabberCon 2001, and the client developers have still not taken the basic step of including some mechanism for validating the server certificate, much less added support for client certificates.

    Jabber is interesting, and perhaps an improvement over other IM protocols, but the security is only halfway there.

  8. Re:Why? by ez76 · · Score: 3, Informative

    Where I work, Yahoo! Messenger is the preferred means of exchanging short work-related messages.

    Unlike the phone or in-cube appearances, the recipient may respond when it is convenient for them (no interruption necessary if you have your message windows set to auto-minimize), but unlike e-mail, it's more interactive and conversational.

    It's also incredibly convenient to be able to cut and paste example code, command-lines, URLs, etc. to co-workers on the fly.

  9. I consider the instant transcript a "feature" by phoneboy · · Score: 4, Informative

    First of all, the only reason I use IM these days is for work-related purposes with co-workers on an internal Jabber server. Okay, we do our share of chatting that's not exactly work-related, but who doesn't have f2f conversations with people at work about things that have nothing to do with work?

    In any case, why I consider the instant transcript a "feature" is because my co-workers and I do tech support. We talk to each other frequently about customer issues. These transcripts often contain useful troubleshooting information. It seems awfully silly to type something more than once, so once a conversation is done, it's copied straight from Jabber into a case note. We usually do not make those kinds of notes viewable to customers, but they are good for internal documentation.

    For those of you who have issues with your employer "snooping" on what you're doing, I would not expect any sort of privacy with respect to your computer usage at work. However, your employer needs to tell you your computer usage is subject to monitoring. Employers who fail to notify employees of monitoring are subject to serious trouble if they decide to take advantage of any information they find out as a result.

    -- PhoneBoy

    --
    The views expressed herein are not necessarily those of anyone, including the poster.
  10. Logging is mandatory by Glorat · · Score: 3, Informative

    I've worked at a certain big investment bank over the summer. Internet access there was completely firewalled away except for a port 80 HTTP proxy server. Now, one could tunnel IM programs through this successfully but even then, the company has a zero-tolerance policy that bans any use of IM programs.

    There is a very good reason for this. Apart from the usual virus problems, it is often *mandatory* by law for investment banks to log all communications between employees and clients, just like the article says. It is well known that all telephone calls are recorded for this reason. All proxy requests are naturally recorded and scanned for port and external mail use (also against company policy). Allowing IM would equally thus be in violation of company policy and legal requirements. Unless of course... if a system was introduced where all messages could be reliably logged and traced.

    If you still aren't convinced about these policy issues, consider this. In an IB, if your phones are tapped, all web access is logged and you know it, then perhaps consider that logging IM isn't such a big extra step.

  11. My company and the last place I worked by Anonymous Coward · · Score: 2, Informative

    The last place I worked was a dying publicly owned company on the Canadian Stock Exchange. As one of 3 IT guys in this software company of 100 high-high-maintenance clients, I spent a lot of time monitoring my fellow employees for news of the company's impending doom.

    I discovered that the 'promised-management-positions' crowd was keeping close tabs on their fellow employees as well. Monitoring exactly how long each of us worked, took breaks for, (and of course) never mentioning the major overtime we put in.

    It's funny, because between them monitoring us and talking all day with numerous online boyfriends - the management hardly did any work. We on the other hand managed to keep 100 clients happy, fix the "Interactive Unix" network so that it didn't die each and every day, *and* format all of their MSN chat logs for easy reading off a floppy disk when the inevitable day came that we would quit.

    And man, those chat logs were good!

    Once we left, we started our own Software Company and are almost ready to release software exactly for companies like that. Network Security & Productivity monitoring software. I wish we had a package like this when we were there, but don't get me wrong - NGREP worked pretty well too.

    NGREP src 192.168.10.3 or dst 192.168.10.3 -ql "MSN-IM-Format" >log.log

  12. Re: Tunneling by pbryan · · Score: 3, Informative

    I currently SSH tunnel for IRC, but for IM related software, I can't seem to SSH tunnel and get the relevant ports forwarded.

    Assuming you have a recent version of OpenSSH, follow these instructions:

    1. Run ssh -D 1080 hostname. This causes ssh to provide a SOCKS v4 proxy service when connecting to localhost on port 1080.

    2. Set your IM client to use your SOCKS v4 proxy server and point it to localhost on port 1080. Most IM clients support the SOCKS proxy protocol.

    3. Chat.

    --

    My car gets 40 rods to the hogshead, and that's the way I likes it!

  13. Re:Why? by ezs · · Score: 2, Informative

    Main reasons I use Trillian with my team

    - instant 'are you online' status
    - ideal for quick questions and answers
    - removes load from email systems (bandwidth, storage, backup)
    - it is instant. Ideal when taking part in a global con call and you want to check something offline
    - IM cuts down on the number of intl (or even national!) calls you need to make

    The main enhancements I can see corporates needing for this to become as mainstream as email are security, supportability, scalability, the ability to lockdown who can connect (ie internal only, external approved list etc) and centralised logging. It's certainly lessened the load on my email inbox and made me more productive. I work with a large team across the globe. I regularly use IM to answer real quick questions from colleagues in the Americas, Europe, South Africa and Asia.
    --
    Evil ZEN Scientist
  14. Re:Why? by LinuxHam · · Score: 3, Informative

    I'm glad that IM hasn't caught on at my employer. I would find it incredibly annoying to be distracted by IM popups every few minutes

    Depending on your level of responsibility, it really doesn't work out to "every few minutes". I, too, use Sametime at work and it, like MSN and Jabber (I never tried any others) allows you to set your online status. So each employee has their contact list up with a little status indicator right next to the name. Green means available, Red means Away (which can be set to not auto-return), and there's a little "international NO symbol" which means "Do Not Disturb".

    I most recently used it to "feed lines" to my project manager while he was presenting to some big wigs in a meeting. He doesn't have time to know all the minutiae, so he would tread water on questions while I fed him better details. Luckily, I looked ahead into a presentation and saw some numbers were way off. I was able to warn him before he got to the page.

    Being a mobile employee means I have to go to many different customer sites (or work at home) all the time. For coworkers with whom I'd occasionally have conversations of a personal nature, I always "take it outside", and off Sametime onto MSN or AIM. The chances of ALL of the customer sites recording IM sessions will always be less than the 100% guarantee that my IM's will be recorded if I use the company Sametime server.

    --
    Intelligent Life on Earth
  15. Traffic analysis by driehuis · · Score: 5, Informative

    Even when you encrypt your traffic, it will not protect you from traffic analysis.

    I happen to be the dude in between management and the users on my site. I refuse to eavesdrop on my users. Not all of my users realize it, but we've got a pretty liberal policy (don't break the law, don't be offensive to others, don't use excessive bandwidth during business hours; that basically sums it up).

    Some of my users know me for cracking down on porn or MP3 downloads, and think I'm reading their every keystroke. Because if I wasn't, then how would I know that they were doing stuff that they weren't supposed to do?

    The reality is, when I get complaints about Internet performance, I run some quick scripts on the logs to find out who is hogging the system. If, after eliminating the obvious business use connections, I'm left with a top ten and number two is downloading a gazillion of .xls spreadsheets from a server in Poland and all the URL's have /..%20%20/ in the path, I give that user a call.

    Usually, the user will accept the lecture that his contractual obligation to stick to the corporate guidelines is not optional. I sometimes learn through the grapevine that such a user thinks I'm a fascist. So be it. If other people can't work because of egregious abuse, I have to intervene.

    Do I even look at the stuff they're downloading? Not if I can avoid it. The only times I look at what they're downloading is when they start yanking my chain, giving me the go around that there is no law against downloading Warez or porn. Maybe there isn't, I've got no clue. I do know what's in their contracts though.

    Most of these issues are dealt with amicably. People sometimes don't realize how big their impact on the corporate network is, and even if they do I usually let them get away with it if the abuse stops. They're usually pretty happy when I tell them I've got no clue what they were downloading, but could find out when forced to.

    Over the last year, IM became a bit of an issue because of the way their stupid tools communicated (if only they used persistent connections they'd fly right under the radar). At some stage, 30% of our proxies' capacity was used to serve a few dozen IM sessions and it really started to hurt web performance.

    It's always funny when they let it escalate to management level, and I can at that stage let them rant about the invasion of their presumed privacy, and then drop the bombshell that I didn't even look at what they were downloading, and that it was trivial traffic analysis that gave them away, and that the reason they were in that meeting was because they incriminated themselves.

    --

    Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
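
Added example, not part of the comment above or of the original thread: a metadata-only proxy log summary of the kind that comment describes, ranking users by bytes and flagging user/host pairs that produce a large share of small requests (the polling pattern the comment attributes to IM clients). The log format, user names, hosts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def build_sample_log():
    """Constructed sample. Fields: epoch user method url status bytes."""
    lines = [
        "1000 alice GET http://intranet.example/wiki/Home 200 18000",
        "1030 alice GET http://intranet.example/wiki/Build 200 22000",
    ]
    # bob's client polls through the proxy every 5 seconds with tiny responses
    lines += [f"{1000 + 5 * i} bob GET http://im-gw.example/poll?seq={i} 200 300"
              for i in range(40)]
    # carol makes few requests but moves a lot of data
    lines += [f"{1010 + 60 * i} carol GET http://files.example/f{i}.bin 200 50000000"
              for i in range(3)]
    lines.append("truncated entry")  # malformed line, must not crash the summary
    return lines


def summarize(lines):
    """Aggregate request count and bytes per (user, host); only the host of the URL is kept."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    skipped = 0
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            skipped += 1
            continue
        _ts, user, _method, url, _status, size = parts
        entry = stats[(user, urlsplit(url).hostname or "?")]
        entry["requests"] += 1
        entry["bytes"] += int(size)
    return dict(stats), skipped


def top_by_bytes(stats, n=10):
    """Users ranked by total bytes transferred (the 'who is hogging the system' list)."""
    per_user = defaultdict(int)
    for (user, _host), entry in stats.items():
        per_user[user] += entry["bytes"]
    return sorted(per_user.items(), key=lambda kv: kv[1], reverse=True)[:n]


def chatty_pairs(stats, min_share=0.3, max_avg_bytes=2000):
    """User/host pairs that account for a large share of all requests with small responses."""
    total = sum(entry["requests"] for entry in stats.values())
    flagged = []
    for (user, host), entry in stats.items():
        share = entry["requests"] / total
        if share >= min_share and entry["bytes"] / entry["requests"] <= max_avg_bytes:
            flagged.append((user, host, entry["requests"], round(share, 2)))
    return sorted(flagged, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    stats, skipped = summarize(build_sample_log())
    print("skipped:", skipped)
    print("top by bytes:", top_by_bytes(stats, 3))
    print("chatty:", chatty_pairs(stats))
```

Ranking by bytes alone puts the polling client last, which is why the request-share view is kept separate from the bandwidth view.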

  16. Block 22? Use 443 by wowbagger · · Score: 3, Informative

    If you have a server you control, and wish to be able to get an SSH session through a firewall that blocks the "standard" SSH port, place your SSH server on port 443 (https) - both are SSL, and most firewalls will happily let you establish the connection.

    That said - It's not spelled Foxtrot Uniform November, it's Whiskey Oscar Romeo Kilo - if you want to download porn or waste lots of time IM'ing, then do it at home. A quick scan of /., Freshmeat et al. while waiting for a recompile is one thing, burning huge amounts of bandwidth downloading crap is another.

  17. another article on IM privacy by feed_me_cereal · · Score: 3, Informative

    For those interested, Salon had a similar article a few days ago.

    --
    "Question with boldness even the existence of a god." - Thomas Jefferson