Ask Slashdot: Using Company Laptop For Personal Use

An anonymous reader writes "I'm starting a new job soon, and I will be issued a work laptop. For obvious reasons I cannot name any names, but I can state that I do expect my employer to have tracking software on the laptop, and I expect to not be the administrator on the device. That being said, I am not the kind of person who can just 'not browse the internet.' If I ever have to travel with this laptop, I may want to read an ebook or watch a movie or maybe even play a game. I can make an image of the drive, then wipe the machine, and restore it back to its former state if I ever have to return it. I can use portable apps off a usb key and browse in private mode. The machine will be encrypted, but I can also make myself my own little encrypted folder or partition perhaps. Are there any other precautions I could or should take?"

No

[Anrego]

I can make an image of the drive, then wipe the machine, and restore it back to its former state if I ever have to return it.

Is your new job worth it? Not saying you'll automatically lose your job over that, but I can't imagine it'll go over well. Especially as you'd be using your (non-work prepared) laptop for doing work and might inadvertantly put them at risk (the kind of risk they hope to eliminate by issuing you the laptop in the first place).

The simple solution is get yourself a USB / livecd type distro. Don't touch the hard drive.. and if it's encrypted, you shouldn't be putting your company at risk (assuming you don't use the same key for anything else). Personally I'd ask your IT guys if they are ok with this before doing it. Sometimes they can actually be reasonable about this kind of stuff.

The real solution here is to leave your work laptop alone completely and get your own laptop for personal use.

Re:No

[jhoegl]

Agreed. As an IT Director, I can tell you I would be pissed someone took company inventory and did this.
Security is based off of locking down that laptop so you dont do something stupid like install a "free game" with a trojan in it.
Not that I dont trust employees to know better, but I dont trust ALL employees to know better. A breach only takes one infected system.

Re:No

[Collapsing+Empire]

Once you lose physical control of a machine, you really can't say much about the security of it. You don't know where that laptop has been or who else might have tampered with it while it has been traveling the globe. The best you can really do is the standard antivirus scans. But that doesn't stop a 0-day or a custom written trojan.

You really ought to be treating all portable devices as potentially hostile devices and securing (and monitoring) your networks accordingly.

IMO if the user is competent enough to install Linux or their own custom Windows image on there, I don't think you are any worse off than it was previously. Seeing how out of date some IT departments are with patching and service packs, the machine may end up being more secure.

Re:No

[maxwell+demon]

Another solution is to simply ask the employer, if some personal use of the laptop is OK, and if so, to what extent. Maybe you'll get the answer that your intended usage is fine, and then you'll not have to worry at all about how to hide it.

Indeed, if I were the employer, if someone asked I'd probably be fine with it, but if someone were playing tricks to hide and I'd find out, I'd seriously consider firing him.

Re:No

[Bill_the_Engineer]

I'd hope that the people I issue laptops to are responsible and trustworthy. Personally I don't care if they use the laptop for personal web browsing or e-book, as long as they do it on their own personal time. Most appropriate use agreements say the same thing. I do draw the line at installing programs on the laptop.

However I always strongly suggest people to have their own laptops/computers for personal use. Information stored in the form of cookies, browser history, etc. can be embarrassing or worse. There was a local county worker who was dismissed for inappropriate material being found on his work laptop while it was being serviced by the IT contractor. No one thinks about the laptop failing and having your personal data locked up for the IT repair guy to find. I find it amusing that they warn of key logging (which isn't as wide spread) but aren't as cautious about being caught in a compromising position.

Another (and more appropriate reason for the people I work with) reason being that the company I work for (and most others) consider the use of company equipment for personal financial gain as an offense worthy of dismissal and any goods produced on company equipment as their property. Lawyers are more expensive than a laptop - a.k.a an ounce of prevention is better than a pound of cure.

You really ought to be treating all portable devices as potentially hostile devices and securing (and monitoring) your networks accordingly.

Placing company laptops in a DMZ doesn't always make for a productive work environment nor is your monitoring idea that effective. A compromised laptop can still "behave" in a company private LAN and once connected to a public hotspot send its payload to whomever. There is a reason we like locking down company equipment. Locking down company equipment also has a "cover your ass" attribute that network monitoring alone can't offer. Also depending on the industry there are regulations that may dictate such measures to be taken.

IMO if the user is competent enough to install Linux or their own custom Windows image on there, I don't think you are any worse off than it was previously. Seeing how out of date some IT departments are with patching and service packs, the machine may end up being more secure.

The employee should stick to his/her paid job assignment and let IT do the job for which they are paid. I have company equipment that have two or more operating systems on them, but they were all approved by IT first and my job directly depends on it. I believe altering the contents of a company laptop in such a drastic manner without the consent of IT may be a severe violation of the use agreement.

Re:No

[Deorus]

As a software engineer, whenever I have to work with IT people like you, I happily leave the company's laptop unused and locked in a drawer beneath my desk and use my MacBook Pro instead. All the information needed to access corporate services is in my possession anyway, so you're none the wiser. If you block Internet access at work, I will happily tether to my iPhone or bring my iPad.

To put it simple: in this day and age you can't afford to think you have that kind of control. If there's sensitive information, the only way to be on the safe side is to ensure that it never leaves the company, which is something that you can still do.

Re:No

[Rary]

This is exactly right. It's amazing how many people immediately look for ways to go behind the employer's back. Why not start by just asking them? If the employer is expecting you to travel for extended periods of time, then there is an obvious need for getting a reasonable amount of personal use out of the laptop, as traveling with two laptops (one for work, one for pleasure) is just silly. Your employer is human, and likely a reasonable one at that (and if not, you should be looking to replace her or him). So, just explain your needs and come to an agreement.

Re:No

[Tom]

All the information needed to access corporate services is in my possession anyway, so you're none the wiser. If you block Internet access at work, I will happily tether to my iPhone or bring my iPad.

Let me get this straight: You would connect to the corporate network using a private, unapproved machine? And you would then connect that machine directly to the Internet?

In several environments in which I've worked, as the IT Security/Compliance Officer I would recommend you for immediate termination.

Just because you think that you are entitled to your own rules doesn't make it so. If you don't like my rules, you are welcome to come into my office and discuss them with me. You better have good reasons, because I do.
You are not free to just break the rules and open up the corporate network to the world at large, bypassing all the security layers that are there for a reason.

Don't go there...

[icebike]

Just get a Tablet/Netbook of your choice and use that for web surfing, personal email, video and music streaming, etc.

Its a far more honest way of going about it, and by shopping around you will find a tablet that fits your needs, and can be slipped into the same carrying case the laptop uses. You may only need a wifi model, but tablets with data plans are not that expensive. You can add encryption to the tablet, if you want.

This gives you the freedom to do as you wish, and you can still move things back and forth between the tablet and the laptop as needed via any number of means when you have a legitimate reason to do so.

If you expect there to be tracking software on the machine out of the gate, then trying to go down the deception road is just a Bad Idea. Key loggers will log what ever you do, and removing them is not likely to go unnoticed. Key loggers things, if properly installed, can even read work you do in a USB thumb-drive based Linux distribution. And depending on how savvy your company's IT department is you may find any attempt to use the laptop in way other than what was intended will trigger alarms. Wiping the drive and restoring it to some back level state amounts to an admission you were doing something you weren't supposed to do. And you may not be given the opportunity to do so, when IT walks in (or accesses it remotely) to do a routine upgrade, and finds all sorts of ebooks and games, etc.

Nope, my advice is to celebrate your first pay check with a gift to yourself of that Tablet or Netbook you've always wanted. This way, you and your employer stay on each other's good side.

Re:Don't go there...

[icebike]

If they give you a company car to take home, chances are they allow grocery shopping.

But if you have to jump on Slashdot and ask about GPS jammers and how to disconnect your built in Nav in a company car so that the company can't know that you routinely stop by the strip club on the way from/to customer meetings, you already have stepped over the line.

Read the policy

[Jethro]

Read your company's employee handbook and policies. it's very likely that they allow "limited personal use". Just don't do anything stupid like watching porn or pirating stuff on the thing.

If you have any doubts about running any specific software on it, talk to your boss or call HR. They should know what the company's policies are.

I have a work-issued laptop. I'm allowed to browse the internet on it so long as it's a reasonable amount, and the corporate image came with media players, including a DVD player, so I'm fairly sure I can watch movies/listen to music on it when I travel.

But I never do. I take my own personal laptop with me. It's just a lot more comfortable that way.

Are you serious?

[Pollux]

If you're seriously thinking that you need to go through that much trouble to hide your "bad work habits," the problem really is you. You appear to be aware of your less-than-exceptional work habits. Reading between the lines, it almost appears as though you lost another previous job because of your self-distractions during work.

Rather than try and hide your browsing history, why not try working for a change? They are paying you to work, after all. And on periods of downtime, bring your own laptop.

Re:Wow

[Alan+Shutko]

Nope. But that's life.

In my case, I worked to get rid of the company-issued laptop in favor of citrixing into my desktop at work. That means I have to carry less, and since I'm not constantly on the road, works well for me.

Yep, don't do that...unless you're allowed to.

[SecurityGuy]

I agree with everyone else. Trying to subvert your company's security policy, especially as a new employee, is an excellent way not to be an employee for very long. Just ask them if you're allowed to use the laptop for personal use. If they say no, then don't do it. If they say it depends, tell them what you have in mind. My employer wouldn't care if I was reading ebooks on it. Reasonable personal use also wouldn't be an issue. Messing around on FB on my own time? No problem. Browsing porn? Yeah, that's not going to be ok. Watching movies? Depends. DVD? Fine. Netflix (or anything else you have legit rights to)? Fine. Downloading them illegally to watch? Not a chance.

Basically, don't be an idiot.

Don't do it. Carry your own laptop.

[ChrisKnight]

If I may, I'd like to address a couple of assumptions in your post:

"I can make an image of the drive, then wipe the machine, and restore it back to its former state if I ever have to return it."
You can't guarantee this. I am on the security team at my company. When a person is being let go they called into a meeting and someone collects their laptop or desktop while they are in the meeting. In only one case have we allowed someone to access their system after it was collected, and that was under supervised conditions. We pull the laptop hard drive, label it, and shelve it. If that were your drive, we could have your personal information sitting on a shelf for years, waiting for someone to access it. While this didn't happen to me, a friend of mine was asked to peruse the hard drive of a terminated employee, and what she found led to criminal charges being filed against the ex employee. Not saying you would do anything illegal, but never put yourself in a situation where someone else has unlimited and unrestricted access to your personal data.

Also, this could be a violation of company policy and could be grounds for disciplinary action.

"I can use portable apps off a usb key and browse in private mode."
Yes, you can, but that doesn't mean you can bypass any monitoring or filtering software installed on the machine.

"Are there any other precautions I could or should take?"
It's just not worth the hassle, and potential employment repercussions, to modify your company owned system. I have two laptops that go with me everywhere. One is my work laptop, the other is my personal laptop. I keep both realms deliberately separated. Buy yourself a Macbook Air, or other maybe just a tablet since you mostly indicate you are browsing. Keep your work and personal life separate.

Re:No, there's no need

[Anrego]

I would take any of that as a sign that your employer is serious about controlling their equiptment and trying to subvert their control is a sure way to find your stuff in a box at reception when you get back from your trip.

In other words, a sign to buy your own laptop ;p

My solution

[AliasMarlowe]

I bring a Knoppix live CD, a ruggedized 500GB USB drive (Adata SH93, which is powered from a single USB port), and headphones. In total, this adds less than half a kilo to the mass I have to carry, and almost nothing to the bulk. The laptop hard disk is untouched, as it's not even mounted when Knoppix boots. I'm only using the laptop for personal purposes in hotels to either (i) surf the web, (ii) access non-work email accounts, or (iii) watch movies. I generally copy a selection of movies from the home media server to the USB drive before traveling - hotels often charge outrageous amounts for their limited selection of premium channels, and the company won't cover such charges. If I download anything, it also goes to the USB drive.

Re:No, there's no need

[centuren]

I can make an image of the drive, then wipe the machine, and restore it back to its former state if I ever have to return it.

Is your new job worth it? Not saying you'll automatically lose your job over that, but I can't imagine it'll go over well. Especially as you'd be using your (non-work prepared) laptop for doing work and might inadvertantly put them at risk (the kind of risk they hope to eliminate by issuing you the laptop in the first place).

The simple solution is get yourself a USB / livecd type distro. Don't touch the hard drive.. and if it's encrypted, you shouldn't be putting your company at risk (assuming you don't use the same key for anything else). Personally I'd ask your IT guys if they are ok with this before doing it. Sometimes they can actually be reasonable about this kind of stuff.

The real solution here is to leave your work laptop alone completely and get your own laptop for personal use.

The parent correctly points out that you can use a live distro and avoid having to touch the company's hard drive.

Maybe, maybe not. There may be key-loggers installed which still grab your keystrokes.
Further, you can set up machines to prevent booting from anything other than the hard drive, then lock the bios.

Just to be clear, OP is saying he is "not the type of person who can't look at pornography" right? In this work-related scenario, if that's the case, get your own laptop, tablet, or smart phone.

If that's not the case and he is worried any personal use will get you in trouble, that's probably something he should clarify. I know plenty of unreasonable work places are around, but it is unreasonable to expect no personal use from a company laptop in constant possession of an employee (especially outside of work hours).

If neither is the primary case and you are expecting the laptop to be so locked out that you can't run anything but an office suite and the company-modded IE-engine software, then, as was pointed out, run a separate OS off a thumb drive. If the hardware is completely locked-down, back to the tablet/smartphone concept. Look up the policy, talk to the IT guys, but, essentially, DON'T do something that can mess up IT's carefully locked down security, and DON'T do things that are illegal or NSFW.

If the issue isn't "I want to look at pornography on my work laptop", why would the company care if he reads an ebook or watches a movie, if it's done responsibly (and somewhat out in the open, so all that's monitored is a lot of "unknown activity")? It kind of sounds like it's a porn thing, though. Maybe it's the inferred metaphorical air quotes.

Re:Simplest is goodest.

[John+Bresnahan]

This is one of the reasons the iPad is so popular. It makes a good personal web-surfing device when traveling on business with the company laptop.

Re:No, there's no need

[buzter]

Keyloggers can be installed in the BIOS, though this is rare, it can be done.

Actually, it is not that rare. A company called Absolute is a pretty big player in the firmware level asset security control and recovery business. Every major vendor has models that embed their agent into the firmware of select machines. These agents persist through imaging/formatting. They allow tracking of IP address, geolocation on models with GPS, keylogging, remote bios lockdown, remote wiping, and more. You can see a list of models on their website at: http://www.absolute.com/partners/bios-compatibility

In short, I agree with the above posters. Play it safe and talk to your IT department. Ask them if you should buy your own laptop for non-work use or use a live cd.