Ask Slashdot: What's Your Take On HTTPS Snooping?
First time accepted submitter jez9999 writes "I recently worked for a relatively large company that imposed so-called transparent HTTPS proxying on their network. In practice, what this means is that they allow you to use HTTPS through their network, but it must be proxied through their server and their server must be trusted as a root CA. They were using the Cisco IronPort device to do this. The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped on (nor will any other browser that uses IE's cert store, like Chrome). Is this a reasonable policy? Is it worth leaving a job over? Should it even be legal? It seems to me rather mad to go to huge effort to create a secure channel of communication for important data like online banking, transactions, and passwords, and then to just effectively hand over the keys to your employer. Or am I overreacting?"
Chances are they will whitelist any sites that may contain personally identifiable information such as banking sites etc. Most places do not want to get into privacy issues like this. Anything else is fair game. Personal e-mail might be a different story, but then again, in some verticals like financials, you should not be accessing personal e-mail anyway, per policy of most financial houses. Personal e-mail and the like are avenues for information to easily leave the firm.
Simple as that.
Considering that I actually do this (Internet filtering) for a living for a medium-sized company let me tell you why we do it.
Data leakage.
We're concerned about an employee either accidentally or maliciously transferring customer data or other sensitive data to an unauthorized party.
We're also acutely aware of the liabilities and sensitivities imposed by us breaking the SSL channel, inspecting the payload, and then re-encrypting it on our employees behalf, which is why we go out of the way NOT to break the chain for sites that are healthcare or financial related.
But your Gmail is fair game.
In Dutch we have a saying roughly translated to: He who distrusts others is probably untrustworthy.
Their network, their rules. You have no right to expect privacy for work or non-work related activities on their systems.
Do it at home, on your own equipment like the rest of us.
The fact that you're using IE and aren't allowed to change the certificate store tells me that you don't have admin privileges. If that's the case, then your company can already log your every keystroke, so I don't see how HTTPS packet inspection is any more intrusive.
I just avoid doing banking or sensitive transactions on computers that aren't administered by myself or someone that I trust.
They own the network.
They have told you there is no privacy on it, so you have no reasonable expectation of such privacy.
It's their network, provided so you may perform their job function, not do personal stuff on the company dime.
Get over it or find an employer willing to let you do personal stuff on their dime and network.
Did I mention it's their network and they are entitled to monitor what you do with their property?
If they don't trust you, you shouldn't trust them. If they're trying to snoop on you for whatever reason, they think you're a criminal. Would you work for the RIAA? Would you work for a boss who every time you come in he says "you're a criminal" and then proceeds to look over your shoulder all day? No and you shouldn't accept such behavior from employers.
There are various reasons why you should not be using your employers computers for personal use. One is that you are using company resources for non-business purposes. And that is something that you don't do unless you have your boss' blessing.
I think that this may well be illegal, because even if you consent, the server at the other side of the connection hasn't consented. That means that at least one party to the communication is having their encrypted data intercepted and decrypted by a third party without their knowledge or consent. Wiretap laws apply to both communicating parties. Not aware of any case law; someone needs to actually sue Cisco, Blue Coat or one of the other SSL-intercepting proxy makers to establish legality.
Just do your banking over your phone's carrier network. Your employer can't go there (can they?)
You can't be secure unless you control your egress. If you just let https streams go anywhere with no visibility into their content you might as well just set the firewall to allow all out bound connections. If there is ANY concern about information as an asset, you must intercept and decrypt https.
Your company more than likely has a policy that any use of their equipment is supposed to be for job related purposes, I don't think regular employees should have any expectation you are not watching everything they do on the PC provided by the company.
Usually the certificates are pushed through group policy; anyone else who shows up with their own device or another company's property will get a certificate warning, and if they look at the certificate it's going to show it was signed by your company. They can make an informed decision about what they want to do knowing they are being watched. So I don't see a problem there.
One thing that gets overlooked with SSL intercept is YOU become responsible for the forward authentication and encryption between your proxy and the site, since the client now has no opportunity to verify the certificate itself. So you HAD BETTER BE DOING revocation checks and making sure the proxy has a sane list of trusted roots, and serve clients some kinda error page if you can't trust the certificate.
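The post above notes that a client behind the proxy sees a certificate signed by the company rather than by the site's real CA. The following is an added example, not code from the thread or from any proxy vendor, showing how a client-side script can classify the certificate Python's ssl module returns as intercepted or not, by matching the issuer against the organisation's own CA name and comparing a fingerprint recorded out of band. The issuer name "Example Corp", the sample certificate dictionaries and the DER bytes are constructed for the example.

```python
"""Client-side detection of TLS interception from the peer certificate.

Added example (not from the thread). Assumptions: CORPORATE_ISSUER_MARKERS
names the organisation's own CA (here a hypothetical "Example Corp"), and
the pinned fingerprint was recorded from an uncontrolled network earlier.
"""
import hashlib
import socket
import ssl

# Hypothetical: substrings that identify the company's interception CA.
CORPORATE_ISSUER_MARKERS = ("Example Corp",)


def rdn_value(name, key):
    """Read one attribute (e.g. 'organizationName') from the nested
    tuple-of-tuples that ssl.SSLSocket.getpeercert() uses for names."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def fingerprint_of(der_bytes):
    """SHA-256 fingerprint of the DER certificate, as a lowercase hex string."""
    return hashlib.sha256(der_bytes).hexdigest()


def classify_peer(peercert, der_bytes, pinned_sha256=None):
    """Decide whether the presented certificate looks proxy-minted.

    peercert      -- dict in the shape getpeercert() returns
    der_bytes     -- DER encoding, as from getpeercert(binary_form=True)
    pinned_sha256 -- hex fingerprint recorded out of band, or None
    """
    issuer = peercert.get("issuer", ())
    issuer_org = rdn_value(issuer, "organizationName") or ""
    issuer_cn = rdn_value(issuer, "commonName") or ""
    subject_cn = rdn_value(peercert.get("subject", ()), "commonName")
    fp = fingerprint_of(der_bytes)

    # A re-signed leaf carries the company's CA as issuer instead of a public CA.
    corporate_issuer = any(
        m.lower() in issuer_org.lower() or m.lower() in issuer_cn.lower()
        for m in CORPORATE_ISSUER_MARKERS
    )
    # Pin comparison catches interception even when the issuer name is unfamiliar.
    pin_mismatch = pinned_sha256 is not None and fp != pinned_sha256.lower()

    return {
        "subject": subject_cn,
        "issuer": issuer_org or issuer_cn,
        "fingerprint": fp,
        "corporate_issuer": corporate_issuer,
        "pin_mismatch": pin_mismatch,
        "intercepted": corporate_issuer or pin_mismatch,
    }


def check_host(host, port=443, pinned_sha256=None):
    """Live check (needs network). create_default_context() trusts the OS store,
    so a root pushed by group policy validates silently; classification is
    what reveals the substitution."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_peer(tls.getpeercert(),
                                 tls.getpeercert(binary_form=True),
                                 pinned_sha256)


# Constructed samples in getpeercert() shape: one signed by a public CA,
# one re-signed by the hypothetical corporate proxy CA.
SAMPLE_PUBLIC = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Public CA Ltd"),),
               (("commonName", "Public CA Ltd TLS Issuer"),)),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Web Proxy CA"),)),
}
SAMPLE_DER = b"constructed DER bytes for www.example.com"

if __name__ == "__main__":
    pin = fingerprint_of(SAMPLE_DER)
    print(classify_peer(SAMPLE_PUBLIC, SAMPLE_DER, pin))
    print(classify_peer(SAMPLE_INTERCEPTED, SAMPLE_DER, "00" * 32))
```

Running check_host() on a machine without the corporate root installed raises a certificate error instead, which is the warning the post says outside devices see.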
Don't quit your job. Deal with the fact that with all the spyware and things like Flame going on, this is what businesses must do to protect themselves. Do your banking/medical correspondence/etc. at home.
Are you using their equipment, their network, their bandwidth, their physical space?
Even if the computer is yours, it's still their network, bandwidth, and physical space. This means they are bending over backwards to even let you go to personal websites like your bank.
Are you also okay with the company listening to every phone call you make? How about reading every piece of mail you send? Or perhaps eavesdropping on your conversations? What if they come up with a way to read brainwaves? That acceptable, too?
When using a computer not owned by you (you might go so far as not used solely by you), you have to assume everything you do on it is being monitored, either by design (snooping/logging) or accidentally (because someone using it ended up getting a keylogger). This should be standard security procedure: if it is not your computer, you have no idea where what you type into it is going.
So here's the unpopular answer. It's their network. As an employee you have no inherent right to unfiltered Internet access. If you don't like it, use your smartphone, bring a personal laptop and a 3G card, etc. Lots of alternatives if you don't want to be snooped. Unfortunately they all cost you money or inconvenience you in some way, but hey, it would cost the company money as well to provide what is in theory extra bandwidth for you to do your personal stuff.
Here's the real kicker. The company is the one that is at risk by not monitoring. You surf child porn, it gets traced back to them. You download illegal software, it gets traced back to them. You steal company secrets and they have to explain to shareholders how they provided the means for data to be stolen but didn't bother to put any monitoring in place to prevent it from happening.
What you seem to want is the equivalent to a door in the back of the building with no locks and no video surveillance.
Why would anyone be entitled to privacy using someone else's equipment or Internet connection? On the other hand, IronPort allows you to exclude banking as a category for the proxy service, which in my opinion should not be proxied, to reduce a company's liability in the event of a security breach.
If you would be missed, I would say threaten to quit (and be prepared to actually do so). I wouldn't put up with it as a matter of principle. I would begin by making it known that it isn't acceptable, and that if they don't trust me then they don't need me.
Or use a VPN.
Or remote into a home machine
When you're at work, doing work, I imagine you're not supposed to be using the company network for your own personal day to day stuff. Get a netbook or a tablet or a phone with 3g and do your own work on your own hardware on your own network that you paid for.
Then let your employer snoop on and look at whatever data is running around their network. They're entitled to, to make sure you aren't doing anything illegal, passing on company secrets or information, etc.
I ran a big piece of the IT shop for one of the largest companies in the world. We looked at everything, all the time, everywhere. And that was a while ago...
You have zero expectation of privacy at work.
Since about 8 million people have said this now, I think the counterpoint needs to be stated.
You are correct, it IS their network and their rules, but that doesn't mean that it's a good idea for them to be a dick about it. I've worked for several large (over 100,000 employee) companies, and several medium sized (1000-5000) companies, and in every case, it was made clear that we were explicitly permitted to use work computers for minor or occasional personal use such as banking or email, but were expected not to abuse the privilege.
IT and programming type jobs are creative in nature. Sometimes it helps to walk away from a difficult problem for a few minutes to let your mind clear. It was always expected that you get your job done, but trying to enforce that every single moment you're sitting there you must also be working is just crazy. That's not how people are. It's much better to build an environment of mutual respect. That was understood in every job I've held.
Now, if you sit around for hours a day surfing the web, yeah, that's a problem and needs to be dealt with by your management. But if you log into some account to check your 401K for 5 minutes once a day? Getting all up in your face about that is going to be counterproductive; it'll make employees unhappy, and in being unhappy, they will be less productive and more inclined to get up in the company's face.
So you're technically right, but in any sense of wisely running a company, you're not. But of course, many companies are not run wisely...
use your phone as a local wifi hotspot
This would require me to subscribe to a plan with tethering, which is still luxury-priced in the United States market.
My company does this. It's assumed by our IT department that 'fixing' Internet Explorer (plus some lame wiki instructions for Firefox users to install the bogus CA cert) is enough. Now try using Subversion, or cURL, or Yum, or Java+Maven. None of it works without trial and error configuration.
sense of entitlement with regards to everything ... using their computer and their network, you play by their rules.
Now you know what social conservatives think about drug testing welfare recipients: if you want my money, you must follow my rules.
So when you work for a big company, they talk a big game about being part of the team and so forth -- then turn around and treat you like a prisoner. Sure, they are within their rights, but I find it interesting that people like you are willing to defend them.
Pedantic much? Let me rephrase: Even if you consent, the operator of the server at the other side of the connection hasn't consented.
Get a netbook or a tablet or a phone with 3g
For one thing, given the price of mobile broadband in the United States market, that's like taking a 50 cent per hour pay cut. For another, it won't help someone who comes into work to do large downloads because he can't get cable or DSL at home and is trying to work around a single digit GB/mo cap on satellite. 3G has the same single digit GB per month cap.
You don't need to decrypt HTTPS sessions to find out if someone is using the internet for non work purposes.
Also I most definitely do have an expectation of privacy for any HTTPS session. If a company doesn't expressly state this in a big warning page, or at the front of their IT policy in bold then they could be open to liability. No reasonable person expects someone to do a MITM attack on you as normal business practice which could allow some pimpled intern in IT to see your banking passwords.
This practice is wrong and the numpties advocating the practice are idiots who don't actually understand the problem space. I have worked in the IT security space for over 15 years doing risk assessments, designing gateways and demonstrating remote compromises. The two threats that these controls are meant to treat are information egress and inbound malware. Unfortunately it is woefully ineffective for both. Essentially an evil administrator can harvest the financial credentials of internal staff, and any corporation sponsoring this practice is liable. I'm not saying that this threat is not real; however, there are fundamentally better mechanisms for treating this problem. In one organisation which was sensitive to remote compromise we used browsers hosted in a DMZ and used X Window to provide the browser on a user's desktop. The two threats mentioned above are gone and we didn't need to compromise the privacy of end users. By the way, I have been involved in demonstrating remote compromises of organisations which implement gateway SSL termination, and in reality it's an ineffective control.
You have zero expectation of privacy at work.
Tell that to the women who complain about the cameras I put in the change rooms.
Who, in this day and age, has had a boss who would care about this? Hell, at some jobs, the boss will just let you cut out early for a doctor's or dentist's appointment without taking PTO. That's the ultimate personal business at work.
use your phone as a local wifi hotspot
Rooting a Wi-Fi-only Android device won't help.
A phone is not a Wi-Fi-only device, by definition.
For that matter, root isn't necessary. I'm using a stock unrooted Galaxy Nexus on T-Mo, and tether to my heart's content.
For one thing, given the price of mobile broadband in the United States market, that's like taking a 50 cent per hour pay cut.
I pay $30/month for my unlimited-but-throttled-down-at-5Gb. That's more than I pay for my home connection.
For another, it won't help someone who comes into work to do large downloads because he can't get cable or DSL at home and is trying to work around a single digit GB/mo cap on satellite. 3G has the same single digit GB per month cap.
It's not supposed to help doing that, since that's a clear example of abusing company resources for personal gains. People have been fired over doing that kind of thing, and I can't feel sorry for them.
OK, sounds fun. So you've cracked the https to get the content. This raises a much more difficult question: short of having all emails screened by the employee's supervisor, how do you tell which data is sensitive, and being sent to an unauthorized party?
I've worked in classified environments. I've done research on detecting data leakage using anomaly detection, and my impression of the field is that it's seriously hard, and that you'll be hard-pressed to identify unauthorized content. At best, you might identify unusual employee behavior, which could be used to tip an internal team for an information audit.
Since that's so hard, the best thing to do is to segregate sensitive information in some way - air-gapped networks is one way. Another way is to use protected networks (logically isolated?), which allows you at least the a priori assumption that any documents leaving contain sensitive information, which allows you to improve your needle/hay ratio. Otherwise, you're looking at rather a difficult problem. Also, there's no notion that employees should be doing their banking on such systems, so it sort of puts a wet blanket on the moral discussion of this story.
So, I'm interested: outside of heavily isolated networks (that employees aren't using for banking), once you've gotten down to the content, what the hell do you do *then*?
You have zero expectation of privacy at work.
The fact that people like you keep having to repeat this shows it isn't true. People do have an expectation of privacy at work, whether or not you think they should. I'm sure even you expect some level of privacy. Or do you just assume that your employer is filming you while you use the toilet?
With all due respect, data leakage is a piss-poor excuse to spy on people without their knowledge. These devices and policies work not just to snoop on SSL traffic, but to hide that fact from people browsing SSL-protected sites. I'm sorry, but that's pretty damn scummy and something that is on the level of criminal behavior.
Personally, I think that transparent SSL interception should be illegal. The transparent aspect of it means that you're not just interested in data leakage, but in surreptitiously snooping on people who realistically expect that their activities aren't being monitored. It's the technological equivalent of installing hidden cameras in the employee restrooms. (Which, incidentally, is illegal.)
Go ahead and monitor. Block if you have to. But be up front about what is going on.
I ran into this with a customer of one of my clients recently. The insurance company was using a setup from Websense to snoop on all HTTPS traffic. As best as I could tell, they were snooping ALL traffic (banking, healthcare included), not just "safe" sites.
Surely this breaks privacy laws in numerous instances. HIPAA? Banking laws? Shoot, there's a federal law that could make snooping in on your Netflix traffic (video rentals) illegal. Ironically, if SOPA/PIPA had passed, HTTPS snooping would have been legal.
As for the moral aspect of this, and all the people that say "you shouldn't do personal stuff at work," a few points to keep in mind. 1) Only the IT staff at this company knew what was going on. No one outside the IT department could find any reference or notification. 2) This was REQUIRED on all home PCs that utilized their VPN network (kinda shoots down doing your home stuff at home). 3) From what I was told by their IT staff (remember I was a 3rd party, trying to get our network connections to work), the IT staff regularly "audited" HTTPS traffic. That means someone in-house was regularly looking at bank account information and health care information of their fellow employees, and they weren't making this known to the general population within the company.
I tried to get some main stream press attention on this topic a while back. No one would bite.
Quit if you want, but the computers and the network are theirs. Would you rather they simply forbade all personal use?
You want privacy, do it on your own time, on your own dime.
Really? You think they are decrypting your traffic and stockpiling data on users? You can have a hundred trusted signing authorities; it doesn't mean they can decrypt your data. Read about public key encryption: it's point-to-point. They would need the other endpoint's private key (combined with your public key) to decrypt. Even IF the other end used the same CA, their key is...um...private. Chill brother/sister!
Fuck that. If I can't check forums / listen to Pandora / whatever else I feel like doing that isn't giving away company data in my free time / as I'm working, the company is a piece of shit and I would quit on the spot. That is no different than them trying to tell me what I can / can't eat on my lunch break ( or at home ), not gonna happen.
I hate to break it to you, but employers are under tremendous pressure to limit liability for sexual harassment and hostile work environment lawsuits. Worse, other torts can still open you up to liability, as a slick lawyer can argue that the fact the employer didn't monitor all IP traffic must mean they are negligent! Hmm, your honor, what are they hiding?
It sucks, but ass covering makes HR and the legal departments happy. If you do not like this then start your own company or work for a small business. Besides, as others have pointed out, it is the price to pay in order to get a paycheck. Your employer wants you to work; even if studies show a 10 minute break 3x a day helps productivity, they really do not care and want a machine.
Just suck it up or browse on your phone. Everyone but the tiniest shops all do this.
There's quite a big difference between "covers most of the exits" and "completely worthless".
First off, physical security is entirely beyond the scope of the OP's problem. If you want to secure your digital assets, you are going to require both an electronic and a physical policy because data can take either shape when leaving the building. The limitations of one side really have no bearing on the other side, and if one side is your job and the other is not, don't look at how the other team is doing to determine how much effort you put into your end of the task. The goalie doesn't just not bother if his strikers aren't doing well that day. You do your job, and let them do theirs.
Second, giving up on any security just because there's a weakness somewhere isn't the answer. Considering extreme scenarios and then throwing up your hands and saying "see, we're not prepared for that, let's just give up!" is entirely the wrong attitude. You're not likely to stop a CIA mole among your staff regardless of what you do, and that's not a sensible justification for completely giving up on security.
DLP is like antivirus. Only a PHB will expect 100% protection, there's going to be that 0.001% lurking around no matter how crazy you get. So you just have to decide how many 9's you need, and strike the right balance between usability and security.
And to the numerous people above complaining about accessing financial and medical records at work... what makes you think your employer is required to provide you with private access via their network while you are at work? Do this at home, duh. Same for the phone: if you're at work and pick up the company phone to talk with your doctor about your STD, do you really expect privacy on that phone call? The Internet connection there is the same way. About the only privacy you're entitled to at work is in the bathroom. It's really embarrassing that anyone makes assumptions here. Those employers are simply doing some CYA by notifying the employees of the policy (probably got your signature too) and by forcing you to use their root CA for HTTPS at work, so you have zero grounds to tell a judge later that you had any expectation of privacy.
Is it reasonable on their part? No.
Would I quit my job over it? No. Unless I was already in the process of gaining employment elsewhere this is a pretty weak reason to quit a job.
Would I do online banking (or other such things that require an HTTPS connection) at work? No.
Legality? Well it is their network. They can do what they want on it. You don't have to do your banking across their network.
I work in a secure environment so this type of tech is nothing new. I actually manage a system which does the "SSL INSPECTION" which is exactly as described in the initial post. However, we don't actually search for anything in the packets; it's really so that we can log what goes in and out in the event of a breakout. We are actively trying to stop WikiLeaks-style mass document escapes. We are primarily interested in people sending files/data/posts rather than what they are browsing. All the files that are posted get archived against the user's name. All encrypted files are blocked. It is a good thing in our environment. If you want privacy on the net, go home and browse or use your mobile phone on its cell network.
It's their network, they can make any rule they want.
Not necessarily. Doing this sort of thing can run afoul of laws in many jurisdictions, as employees often have some expectation of privacy. What they could do just fine is just block HTTPS to non-whitelisted sites from their network; that would be far simpler to implement, and wouldn't run the risk of hitting privacy laws (or employment protection laws, or any number of things that might be communicated privately).
Ultimately though, the approach in TFA smacks of a company that doesn't understand that they need to trust their users somewhat. Instead of recognizing that they need an approach that persuades their employees to keep the company's secrets, they seek to use technological means to do black-hat snooping. Trying to use a technical solution to deal with a fundamentally non-technical problem (management's failure to persuade employees to behave responsibly) is always a disaster. As it is, treating people this way encourages them to seek ways around it, and there are many creative things they could do that you've not thought of. For example, they could print the sensitive information, wrap it in plastic, and shove it up their asses; if your solution to that scenario is to immediately institute a full proctological examination of everyone leaving the company's site, you're doing it wrong. Or working in entirely the wrong industry.
Do you think it's fair to sit on Facebook all day while at work or even pay your bills?
You're talking about reasonable use policy violations. There are better ways of dealing with this than snooping - for starters, just go tell them to stop because their work is suffering. However, for use still considered reasonable and recognized as personal by everyone involved, like say sending an email to your physician, do you think it's fair to snoop?
While obviously employers have the right to set use policies, it's also in their interest to allow some personal use, because taking time off to go talk to your physician, or your kid's principal, or report an auto accident, or whatnot is even more detrimental to work when you're not even in the office for several hours to begin with. Many permit this for obvious reasons. But once permitted and allowed, can they listen in to what they recognize as personal use? That's not as obvious. And of course if you try to prevent personal emergency time off for people you will soon find yourself with retention problems as the most qualified staff begin to trickle out the door.
I certainly care. I had to discipline employees before because the owners did not like them going on YouTube even if business was slow. Just following orders, and if there is shit to do then you need to work. I am not paying you to goof off. A dentist appointment or something is different. Life happens, but people goof off too much in the office as well.
I'm really enjoying watching the justification of using company resources without limitations because they're cheaper than paying for it yourself.
No wonder so many people get fired. Entitlement and no ability to recognize what is and isn't theirs.
Where do you draw the line? Would you pull a hose or electrical wire from the building to your house because it'd be a lot more expensive to have the electric or water company come out and turn on the service?
>I pay $30/month for my unlimited-but-throttled-down-at-5Gb.
And the provider of this is?
Some interesting questions to ask your company's C-level executives: Does your company mind if every other company does the same and sniffs your own customers' passwords and whatever other info they can glean from SSH connections to your systems? Are they comfortable with the risks associated with this? Are they concerned that customers would no longer be able to trust secure connections to your website? Are they willing to disclose their covert SSH-sniffing policies in an SEC filing or NY Times story? :-)
You don't own the system you are on, the company does. Their property, their rules. You should not be doing personal business at work. I hate to tell you, but they pay you to do your job not personal business.
ISPs own carrier equipment too, just like your employer does. Should they be entitled to snoop your home banking session?
You get paid, do you not?
Use your personal phone or tether it to a personal notebook.
It's not your network. You have neither a right to nor an expectation of privacy.
Here's an idea: stop using your work computer for personal business. No seriously, stop; use your own computer for such things. Problem solved.
T-Mobile, "Walmart plan". The prepaid card to activate that can be purchased off Amazon.
I'm glad a few people have some common sense. It is just insane hearing all this whining about not being able to use the company's resources without being monitored. Seriously, it drives me crazy. You aren't paying for the bandwidth. The increased bandwidth usage and reduced speed isn't costing you money. You aren't losing money when you get pwned by visiting some shady site, again costing the company money in incident response, and possible exfiltration. It is just ludicrous to think you have any entitlement to use any company resources for personal use. Most companies allow this, but it should never be expected. The resources are purchased for conducting business, not serving your personal needs.
BTW, don't plan on using the Opera Mini browser for the iPhone if this bothers you. All YOUR traffic is proxied through Opera's proxy servers; SSL connections are terminated there, leaving all your data open to Opera. Now this is something that is worth an uproar.
This is what's called a false dichotomy (or non-sequitur, if you want to get fancy).
Indeed, and it is this disgraceful attitude many employers bring to the table that forces the creation of regulations to make them act in a more reasonable and acceptable fashion.
If the answer is basic dignity or financial ruin, then the real problem lies in the question.
Produce some copyrightable material (or commission some, if your company is the sort that claims everything you make)
Host it on HTTPS.
Access it from work.
... now they've circumvented your over-the-wire copy protection scheme.
I always find the "sense of entitlement" posts on these threads interesting, because they are both spot on and misplaced at the same time.
If you work an hourly wage job you are being paid for the time you work. You don't get paid for time you're not working. It's entirely reasonable for your employer to say "no personal calls" or "no gmail" while they are paying you to work.
If you work a salaried job, the theory is that the employer is paying you to do a job. "Ship version 1.0 to the customer by next Thursday." If you get that done in 20 hours, great. If you get it done in 60 hours, great. If going to meet with the customer gets the job done, do it. If working in your office gets the job done, do it. One of the tests of whether a job is salaried or not is whether the employee has a significant amount of self direction. For a properly salaried employee, if paying your cable bill online means you can sit at your desk and bang out the customer task, or you can knock off early to go to the office and pay it and miss the deadline, and it's reasonable for your employer to provide that resource, then it is OK. Salaried executives get to call home from the corporate jet and move around their personal life so they can meet with a client, and no one dings them for the long distance phone call to their wife.
The problem, in the US, is that many people are misclassified. Most programmers are salaried, but should probably be hourly. If you're told where to be, when to be there, what to do, and how to do it, you're not a salaried professional, you're an hourly professional. Companies prefer to pay salaries because they don't have to pay overtime. If your job takes 50 hours this week, there's no hit to the budget for the extra 10.
This also means we don't have enough information to answer the OP's question. Is the OP an hourly, entry level person at a call center paid hourly? If so, his employer is telling him exactly how to do his job, and any personal stuff is off limits 100% of the time. If the OP is a Vice President who is given tasks and deadlines and told to take care of them in the best way possible in their professional opinion, and in their professional opinion paying a bill online, reading some personal e-mail, or keeping up with tech trends by reading slashdot helps get the task done faster/cheaper/better they are generally given that latitude.
In my organisation (in Australia) we are allowed to use the Internet for "reasonable personal use" so long as we don't get carried away and still get our work done. The reason they allow us this is twofold:
(1) Your personal life doesn't just stop the moment you sit down at work. You might need to check up on some details about an account, pay a bill, find out an address, whatever. You can do these at home, but then this leads to the next reason:
(2) People are going to use the Internet for personal use ANYWAY. Might as well accept this and employ some reasonable access requirements and processes rather than throw the hammer down and block it all, which will only end up with people finding more creative ways to bypass your locks.
Seriously, it doesn't have to be black and white. No wonder you guys have such a reputation as having such bad work conditions over there.
Most people on Slashdot are fucking idiots.
You're right, you'd have no case against the people providing the equipment, but you would probably have one against those operating it (likely in their personal capacity too given that it's criminal law). In the UK this would definitely be illegal under the Regulation of Investigatory Powers Act, which whilst it grants broad exceptions for regulatory, diagnostic and business reasons does not allow you to monitor all traffic indiscriminately (and definitely not if you have reason to believe it is personal). In the US it would probably depend on each state and how their law was written (aka whether it was just conversations protected or electronic communications in general). Unfortunately if you did get IP traffic from a two party state you might be committing an offence in that state, even if you aren't committing one in your own. Technically if you angered the wrong company in the UK at least, a prosecutor could extradite you under the UK-US extradition treaty with just a probable cause standard of evidence needed.
First off, physical security is entirely beyond the scope of the OP's problem. If you want to secure your digital assets, you are going to require both an electronic and a physical policy because data can take either shape when leaving the building. The limitations of one side really have no bearing on the other side, and if one side is your job and the other is not, don't look at how the other team is doing to determine how much effort you put into your end of the task. The goalie doesn't just not bother if his strikers aren't doing well that day. You do your job, and let them do theirs.
Bad analogy. You can win with a good goalie and poor strikers or a poor goalie and good strikers, they add up. With security you're as good as the weakest link. To use a house analogy, if you're guarding the door and they're guarding the window are you really going for that blast-proof two inch steel door with three-factor authentication when the window is single layer glass with a simple hatch and no alarm?
Live today, because you never know what tomorrow brings
I'm starting to want to do this at work, and need to look into whether I can do it with Squid.
Why? Drive-by downloads, fake antivirus scams, and other malware delivered via the web. I already transparently proxy HTTP, blocking all executable downloads. I suspect it makes a big difference. If nothing else, the proxy was down for a week at one point and *two* machines got infected by malware during that week. Coincidence? Possibly, but I'm not betting on it, especially since examination showed that both were drive-by attacks the proxy would've prevented.
The user base is pretty computer illiterate ("why yes, please do clean that nasty virus off my system. You need admin rights to do so? Of course, no problem.") and somewhat resistant to education/training, so technical protection measures are needed.
I'm concerned that drive-by attacks, fake antivirus scams, etc. will soon use HTTPS in an attempt to bypass filtering proxies and transparent proxying - if they don't already. I can knock these out fairly effectively if I can examine data being downloaded for things like PE headers, but I can't do that with HTTPS. I can still do URL-based filtering for "file extensions", which works surprisingly well and only requires the very occasional site to be whitelisted for using "blah.dll?query-string" or "myapp.exe?dosomething" URLs. Nothing forces the attacker to put a Windows file extension in the URL, though, and I can't discover the MIME type or the type of data being downloaded without inspecting the stream.
The challenge is to do this without any risk of compromising netbanking data, etc. If our proxy gets cracked... ow.
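As an added example (not the poster's code), here is one way to implement the two checks described in the comment above in Python: URL-based extension filtering that ignores the query string, so "blah.dll?query-string" is still caught, and PE-header sniffing of the first bytes of a download for the case where the URL gives nothing away. The blocked extension list and the sample bytes are constructed for illustration.

```python
import struct
from urllib.parse import urlparse

# Extensions the URL-based filter blocks. Constructed for this example;
# not the poster's actual configuration.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".com", ".cpl"}


def url_extension(url: str) -> str:
    """Extension of the URL's path component, lower-cased, ignoring query
    string and fragment: 'blah.dll?query-string' still yields '.dll'."""
    last_segment = urlparse(url).path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return ""
    return "." + last_segment.rsplit(".", 1)[-1].lower()


def blocked_by_url(url: str) -> bool:
    """True if the URL-only filter would stop this download."""
    return url_extension(url) in BLOCKED_EXTENSIONS


def looks_like_pe(data: bytes) -> bool:
    """True if the leading bytes of a body carry a PE (Windows executable)
    header: 'MZ' at offset 0, the 32-bit e_lfanew pointer at offset 0x3C,
    and the 'PE' signature (followed by two NUL bytes) at the offset it
    points to.  Needs at least 0x40 bytes to decide."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        # The PE signature lies beyond what is buffered so far; report
        # "not decidable yet" rather than "clean".
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def verdict(url: str, body_prefix: bytes) -> str:
    """Combine both checks: 'block:url' when the extension is on the list,
    'block:pe' when the body is an executable no matter what the URL says,
    otherwise 'allow'."""
    if blocked_by_url(url):
        return "block:url"
    if looks_like_pe(body_prefix):
        return "block:pe"
    return "allow"


# Constructed sample: a minimal DOS stub with e_lfanew = 0x40 followed by the
# PE signature.  Not a real executable, just enough header for the check.
SAMPLE_PE = (
    b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
)
SAMPLE_HTML = b"<!doctype html><html><body>hello</body></html>"

if __name__ == "__main__":
    for u, body in [
        ("http://example.test/blah.dll?query-string", b""),
        ("http://example.test/myapp.exe?dosomething", b""),
        # no Windows extension in the URL, but the body is a PE file
        ("http://example.test/download?id=42", SAMPLE_PE),
        ("http://example.test/index", SAMPLE_HTML),
    ]:
        print(verdict(u, body), u)
```

The body check only sees what has been buffered; a proxy that releases bytes to the client before the header is complete cannot rely on it.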
We do something similar where I work. While it's theoretically possible to abuse this and snoop on personal https traffic, it's not worth the time. You are not interesting, your facebook posts are not worth an admin's time. Your personal banking information is not worth the effort to extract. Every potentially useful bit of private information that could harm you being protected by https was already given freely to the company anyway - SSN, Bank account for direct deposit, address, contact info, mother's maiden name, etc. You should be *vastly* more worried about the DBA's than the network admins. And again, you're not important enough for them to mess with it either.
Now, you should still use https at home because maybe some bigger criminal enterprises could make use of unprotected CC numbers or something (assuming they haven't already pwned your box) - but as far as your employer is concerned, there is nothing to fear from an https transparent proxy.
I totally agree because I'm embroiled in the middle of the same situation. There are still some old skool people in my workplace who haven't progressed technologically over time (and still mourn for the Windows 98 days. Yeech.) ... these are the people that cannot accept the fact that the computer on their desk is NOT theirs, that the company owns all of the data that they create. They think that nobody in the company should have access to their PC. And they don't see the harm in loading up their own software. C'mon, get real.
virgin mobile; it's pretty ghetto in terms of speed and service, but fwiw they turn a blind eye to tethering (you'll probably have to root or even flash one of their phones to do it; but they have at least one choice with an unlocked bootloader), and the price is nice.
I have to completely disagree that they would run afoul, as if you are using the company's equipment you do NOT have a right of privacy while using that equipment. One can argue about something like a personal phone, but any good company bans the use of those on premises anyway.
Also, we don't know the OP's industry, and it may be standard practice to monitor like this, or even be required.
Intentional circumvention of security measures where i work is *instant* firing, no questions asked and no recourse. You are shown the door, via armed security forces.
---- Booth was a patriot ----
First keep your work and your personal shit separate.
Second, since they insist on having the ability to https, in reality they probably aren't the kind of people you want to be working for in the first place. So I would recommend leaving, because it reflects the nature of their character, as opposed to that being a specific behavior.
There may be specific instances where this may be acceptable; so this is only a general rule to go by.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
I don't see the problem; if you are at work, accessing the internet on a business-owned computer and/or connected to a business network, shouldn't you be working on the BUSINESS'S work, and not your own shopping or banking?
No, transparency simply means not needing the browser to be configured to use the proxy server.
SSL certs are completely orthogonal, though since a transparent proxy is a textbook example of a "man in the middle" you need to do something like you described to avoid cert errors on every connection (and of course make life much easier for a malicious man in the middle further down the line).
jez9999 -- you're just going to have to get used to this. If this was a company-owned device, then probably IT and InfoSec staff had root access to it so you were already "owned" before you opened your web browser ;)
And if it was your own device, then I would add that it was the company's network. Companies have a moral and legal responsibility to ensure that their networks and data are secure. I don't want my bank, hospital, or government unintentionally or intentionally leaking my confidential information over HTTPS.
I work at a large website and we had a few customers suddenly call to complain that they were seeing other people's accounts when logged in to our site. Turns out their company was doing https proxying (bluecoat) and they had messed up the cache settings, and the customers were seeing accounts of other people at the same company. Meanwhile they were threatening to sue us over our 'security issues.' Nice.
Corporate network... it doesn't belong to you. They can do whatever they want. Corporations do have to follow some laws... but you are using their network... people need to remember that. Even so.. even if you had your "own" network to go through, realize that the Internet as a whole is a trusted network. It really doesn't support true privacy.... though there are many ways to try to protect your traffic.
Too bad these corporatocrats don't get that it's bilateral. They have no right to dictate to employees what they may do outside of work, or to commandeer their off-duty intellectual activity as their own. Until this is fixed, I have zero sympathy for your 'entitlement' problems.
Would you leave work to go to your bank during your work day? Stop bringing your personal life to your employer's place of business. What the hell is wrong with you? Do you accept personal courier packages at work too? Would you be upset if the building's security guard -- or mail desk -- checked what was inside if you did?
Just because it takes you fewer than 5 minutes, and you can do it "on a break" doesn't make it something that you should be doing at someone else's premises. Do you have dinner at a friend's house, and between courses just casually pay your bills from their computer? Do you format their hard drive afterwards just to make sure they weren't logging anything?
Just because your employer allows you to do some personal errands using his premises doesn't mean that he isn't controlling his own network however the hell he wants to. It doesn't matter why. It's his network, not yours.
You want your privacy, get your own private network. The word private is right in the name.
So sorry that other people's stuff isn't your private stuff. Buy your own.
People do have an expectation of privacy at work, whether or not you think they should.
Wikipedia:
There are two types of expectations of privacy:
* A subjective expectation of privacy is an opinion of a person that a certain location or situation is private. These obviously vary greatly from person to person.
* An objective, legitimate or reasonable expectation of privacy is an expectation of privacy generally recognized by society.
You're in their building, using their equipment and resources.
People who expect privacy at work are generally wrong and the law generally will not support them.
Why are you banking, shopping, or corresponding at work?
Because the employer doesn't want the alternative, which is for me to take the afternoon off, drive home, and do my banking or other things that can be done only during business hours. Whether it is on my time (using my vacation hours) or theirs is not the point, the point is that they lose productivity and don't meet the schedule.
That is why one of the perks (yes, entitlements) of a white-collar job has always been occasional personal calls (20th century) and occasional personal internet use (21st century).
I get paid to work; what do you get paid to do?
I am a salaried engineer. I get paid to get the job done, as long as it takes. And that door swings both ways. Sometimes I work overtime, sometimes undertime.
I have never worked for a company which didn't clearly state in the employee handbook that company-owned technology assets are for work purposes only, may be monitored at any time with no notice, for any reason, or for no reason. It only makes sense for them to put that in there because it allows them to do whatever they want without worrying about you, and that's the way all contracts are written by default (to favor the party writing it). If you don't agree with this, then you should tell them and see if they will change the policy (most will not, you are not that important to them).
There are many excellent reasons for companies to proxy https traffic. Just off the top of my head...
It can help troubleshooting network / application issues
It helps them monitor what you're doing online and make sure you're not sending private data places it shouldn't go (gmail, and many social networks use https, so they want to watch these sites)
It can help in terms of caching https content
It's that simple. If you have to ask the question about whether it's worth leaving a job that is providing you money to have food, housing, and healthcare over concerns about having your employer see your personal business you're doing over the company Internet connection on company time, you probably have your priorities screwed up and you're going to be a problem for your employer later. Save yourself and your company time and quit now. Make sure you ask all your prospective new employers in interviews if they do HTTP snooping so you can do personal web surfing over the company Internet connection in privacy and let us know how that works out.
So if they are basically capable of MITM on any HTTPS connection, what if you use a secure site to do health-care related stuff (HIPAA?). What about sexual harassment reporting? Since they can see your banking password and others, what kind of liability have they exposed themselves to?
I wouldn't work at a place that did this, but then again, if I were in IT at a company like this, I wouldn't want to assume the risks of watching all secure traffic.
It's a terrible idea for a company to do this. A company can block access to sites via HTTPS on their own network if they wish. Breaking the encryption and snooping, though, creates liability for the company. There is an expectation of privacy associated with an encrypted connection. If an employee's legitimate online banking activity (for example, making sure their pay was deposited) results in a security breach, the employer would be liable. The employer may be guilty of a HIPAA violation. If they snoop on an employee's communication with their union or a Government agency, they may violate other laws.
There's been discussion on the Mozilla security list over whether Firefox should raise alarms if it detects a wildcard cert. The consensus seems to be "yes, it should". Mozilla policy is moving towards kicking CAs out of the root list if they issue wildcard certs, and adding technical measures to prevent them from working.
But that doesn't mean that it's a good idea for them to be a dick about it.
But it is their right to do so, and OP is acting immature by getting this attitude that his rights have been violated, when he is essentially a guest on the employer's network.
Are you saying that is a bad thing?
People who expect privacy at work are generally wrong and the law generally will not support them.
Generally wrong? Not always wrong? So what you're saying is that there is some level of privacy "generally recognized by society". Such as not filming people when they're on the toilet, even though you're "in their building, using their equipment and resources", namely the toilet.
The process of getting society to generally recognize an expectation in a specific circumstance is a classic debate over social norms. It's the same sort of process that happens when society decides what sorts of clothing (or lack thereof) are allowed in public. Few people are absolutists in either direction; most want some restrictions, but not too much. Likewise, there are and should be some circumstances where your employer is not allowed to intrude on your privacy.
Good point.
But, in any case, why are you working on your personal bank account at work?
What to do: When you go to work, work. Do it well for 8 hours. Then go home. Watch TV, the news, do your banking (if you're one of those people that needs to compulsively check their balance online). Facebook, email, skype your friends.
What not to do: Spend 10-12 hours at the office, and 4 of those are just goofing off. Watch Youtube, read the news and ESPN. Facebook, email, skype your friends. Do your personal banking at work.
I'm not a lawyer, but I play one on the Internet. Blog
Wait, your banking is online, but it has to be done during business hours? Are they using mechanical turks on the other end?
For security reasons, never use SSL. As an educated user can easily guess from the sheer number of warnings that will pop up when SSL is activated, it is a major security hazard. Until now I have always been able to click them away before they could do any harm, but it's just a matter of time until one gets through the firewall.
Oh, the beautiful gloss of greality!
How can you expect to have control of your computing, if your company uses proprietary operating systems and doesn't let you control it? SSL/TLS snooping is the least of your problems; if they own the computer and they're in control, they can spy on you anyway.
As a rule I avoid computers I don't own whenever possible. I only use such computers for trivial tasks, or perhaps work if I can't use my own. If I don't own the computer or if it has proprietary software on it, I immediately assume I'm being spied on.
One is that you are using company resources for non-business purposes.
By the same token, I shouldn't be expected to use non-company resources (ADSL line for remote standby support, personal smartphone reading company mail) for business purposes.
Or we can come to a compromise, and all be adults.
Something that was completely impossible to detect and deal with back in the day when management didn't have computers, and we didn't have the internet at work.
Not.
Stefan Axelsson
Should it even be legal?
In many nations, my own included (Sweden), it is not. (This specific case has not been tested, but the general rule has. They can't open your outgoing mail, so why open your outgoing encrypted tunnels?)
You have a reasonable expectation of privacy even when you are at work, and even though you're using company equipment.
By law. And it's funny; it doesn't lead to all the problems that you seem to be plagued by "over there". If you treat someone like an adult, chances are they'll act like one. If you insist on treating them as children, however, that's what you'll get.
Let's say an employee, using a corporate desktop, logs into their health provider's website and via SSL gets confidential health records about themselves.
Your company is now eavesdropping on this sensitive information provided by the health provider (who does not fall under "your company policies" and has no idea your company is illegally impersonating the employee login).
E.g. it's not a "my equipment, my rules" situation. You cannot impersonate folks on 3rd party networks. Within your realm do whatever you want, but you cannot log into a bank account pretending to be the employee (which is what you're doing when you're faking certificates).
In other words, disallow SSL access if you're that concerned about security, but don't go around snooping on folks' private communications.
The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped
This is the problem. As others have said, it is their prerogative to restrict the use of their network - but if they're going to snoop, or break security, they should make it clear (including to non-techies) that, for example, internet banking will not be secure on their network.
What's more, some people's jobs do involve working on third-party sites. IT shouldn't be able to snoop on people's work-related passwords any more than they should be able to tell you what your current work login password is.
It's their computers. There are some security vulnerabilities though: (1) Don't install the certs on your own hardware. Then the company could snoop on you anywhere, and you are vulnerable if they get compromised. Accept every connection manually, or install the certs temporarily. (2) Check what happens if you use the company computer to navigate to a site with a self-signed certificate, and an expired certificate. I found a site with some example pages of self-signed and expired certificates: https://onlinessl.netlock.hu/test-center/self-signed-ssl-certificate.html# -- https://onlinessl.netlock.hu/en/test-center/invalid-ssl-certificate.html . If the sites linked to from there show up without warning, you get encryption, but not authentication. Then, realise that most of the security benefit of SSL is lost.
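The check suggested in the comment above (does the company computer still warn on a self-signed or expired certificate?) is really a test of whether the proxy validates the upstream certificate before re-signing it for the client; if it does not, the client gets encryption without authentication. As an added example, not the commenter's code, here is that validation in Python over the dict shape that ssl.SSLSocket.getpeercert() returns; the certificates, hostnames and the fixed "now" are constructed for illustration.

```python
import ssl
import time


def _name_to_dict(name):
    """Flatten the getpeercert() name (tuple of RDN tuples) into attr -> value."""
    return {attr: value for rdn in name for attr, value in rdn}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single leading '*' that stands for
    exactly one DNS label ('*.example.test' matches 'www.example.test' but
    neither 'example.test' nor 'a.b.example.test').  Case-insensitive."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.test"
        head, sep, rest = hostname.partition(".")
        return sep == "." and head != "" and "." + rest == suffix
    return False


def upstream_cert_problems(cert: dict, hostname: str, now=None) -> list:
    """Reasons an intercepting proxy must NOT re-sign this upstream certificate
    as if it were valid.  `cert` has the shape returned by getpeercert();
    an empty list means the checks passed.  Chain-of-trust validation is
    left to the TLS library and is not repeated here."""
    now = time.time() if now is None else now
    problems = []
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    if subject == issuer:
        problems.append("self-signed: issuer equals subject")
    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError):
        problems.append("validity period missing or unparseable")
    else:
        if now < not_before:
            problems.append("not yet valid")
        if now > not_after:
            problems.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names and "commonName" in subject:   # legacy CN fallback only
        names = [subject["commonName"]]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append(f"hostname {hostname!r} not in certificate names {names}")
    return problems


# Constructed sample certificates (example.test is a reserved test domain).
GOOD_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Root"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}
_SELF = ((("commonName", "test.example.test"),),)
SELF_SIGNED_EXPIRED = {
    "subject": _SELF,
    "issuer": _SELF,
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
    "subjectAltName": (("DNS", "test.example.test"),),
}
# Fixed evaluation time so the example behaves the same whenever it is run.
NOW_2024 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")

if __name__ == "__main__":
    for label, cert, host in [
        ("good", GOOD_CERT, "www.example.test"),
        ("wildcard", GOOD_CERT, "a.api.example.test"),
        ("self-signed+expired", SELF_SIGNED_EXPIRED, "test.example.test"),
        ("wrong host", GOOD_CERT, "other.example.test"),
    ]:
        print(label, upstream_cert_problems(cert, host, NOW_2024) or "ok")
```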
I did not think there was any expectation of privacy when using corporate email and by default, web services. Would that not make the https process a moot point?
Said employee violated terms of use in the first place, so they are out of luck as it's their fault (and should be fired anyway).
*no* personal use means none..
The resources are purchased for conducting business
Retaining valuable employees is part of conducting business.
Assess: Does this harass you that much? yes or no.
If yes: Does this job pay you a good sum of money and allow you to have financial freedom, pay your bills comfortably, pay your car, mortgage, etc.? yes or no.
If yes: Suck it up. Jobs are supposed to give you money in exchange for you doing something they need, not for fulfilling your desires.
If no: If you have the guts and skill to find a better job, just leave. Chances are that you might find something better or at least the same, without the policies that bother you.
ME?
The policies harass me but I get paid very well, don't wanna leave this job (good money = freedom to do what I REALLY want on weekends and hobby projects, and support my family). I just have a VPS on a cheap provider out there with SSH running on port 443 :-) snoop SSH encrypted traffic all you want. I get safe internet browsing on my breaks (also can access blocked sites here like GMAIL or YOUTUBE).
The good thing is that they're lazy to really analyze the logs (well, squid generates huge logs anyway) and puncturing a hole for SSH just makes ONE entry to your server IP (connect XXXXX:443) in the squid log (instead of one for each object, when you're just http browsing), so I guess I'm leaning on that and getting lucky as well!
If they ask me someday what server it is, I'll just explain to them what that means and also remind them that *when I was hired, I didn't sign or wasn't given to read ANY documents about internet usage policies at the company*. Be aware that if you have a clause like that in your contract you might as well get fired for that, even if it's legitimate use.
My 2 cents. Don't work against the system (it's impossible, you have bills to pay and if you keep your pipe dream of ever getting a perfect job you'll end up frustrated and jobless :D). Work around it!
A friend of mine once said: a job can have two of these characteristics: I LIKE DOING IT, WELL PAID, LEGAL.... don't try to find the magical three!
A phone is not a Wi-Fi-only device, by definition.
I now realize that my point missed you: My Android device is not my phone. To run Android on a phone, I would have to buy a new phone.
REALLY.... you're paid to be there to work, not conduct personal business! Perhaps if you were relieved of your employment you could dedicate yourself full time to your own endeavours from a connection that you procure with your own money that you can fully trust!!
Try hard to really imagine that it was YOUR money that paid for the office, lights, computers, Internet, and your salary, not to mention things like workman's comp insurance should you decide to do something stupid and hurt yourself while working etc... would you want people conducting personal business on YOUR dime?
Are you a prisoner, stuck there 24 hours a day? If so, then you may have a valid point; if not, wait until you get home!
Quit whining and devote that energy to being productive and perhaps if you have a positive work ethic good things will come your way!
One thing that I don't think has been mentioned here is: treat others how you would want to be treated. If you treat your employees like h*ll - don't be surprised if it comes back and bites you in the butt. I've worked for at least a few egregious employers - one was so wound up about his employees showing up on time (no, not thirty seconds late, literally) he had some satellite-synchronized clock installed about the door. Guess what, he paid for it: when 5:00.00pm rolled around there was a cloud of dust in the parking lot (the front wheels of everyone's car were rolling, and the back ones spinning), and darned any work left on the bench, or its importance. If you come across as a jerk to your employees - they WILL NOT look after you. Employees in their daily travels see all kinds of things, things we really have no real responsibility to (perusing logs, angry customers that we aren't dealing with, mistakes made by the last guy who was here, etc.) - I cannot stress this enough: be good to your employees - don't be accusatory by default and take some third grade teacher tone with them on the phone. I saw at the beginning of this people were stating things like: 'back in the day, you couldn't do your banking online, so just because technology has changed the fact that you can bank online now, doesn't mean you should "steal" from your employer by paying a bill' - B.S. I SAY - the employee / employer relationship has changed too - you've conveniently overlooked that.... we don't work on time cards anymore putting in our '40' - it was unheard of 30 years ago to stay and work because a client's PDC was down and knowing you were not going to get paid for it.
I've had occasions where I had to do banking from work during business hours, because the other people I was dealing with -- mortgage companies in several cases (and I was relocating for the job, so it was even work-related) and a credit card fraud detection department on another occasion -- were only available during business hours.
However, I'm paranoid and the company I work for certainly has the technical capability to snoop on machines they control, even if they likely wouldn't do it, so I used my personal laptop over their "guest" internet connection.
Not to mention that certain Youtubes can create an environment ripe for lawsuits.
>free time / as I'm working
That's a big dichotomy you've set up there. Free time (lunch break) is a lot different from "as you're working".
Also, listening to music is quite different from checking forums. There isn't one thing you could be doing to improve your work process as opposed to reading random forum posts?
Finally, if everyone is listening to Internet music continuously, that's a lot of bandwidth usage, just so people won't have to use an old-fashioned device called a "radio" (or even an MP3 player).
Very good point. I wouldn't ask an employee to use personal equipment to access to company network.
Leaving aside questions of equity (who pays for it), there's also the matter of security.
Out-of-office support should happen on company-provided smartphones with company data plans.
I agree that dev jobs are creative.
The best thing to do when I've needed to think is to take a walk and get some real air (not from the HVAC), preferably where there are trees. Dev companies like M$ like leafy campuses--take advantage of that. Take a small whiteboard with you.
I would submit you will think much more clearly than if you spent 10, or even 30 minutes melting your brain on Facebook or break.com.
Google has "think rooms" with the same purpose.
Why are you doing your banking at work?
It's Internet banking--you can do it at any time, including at home on your own computer, with a strong password stored in a password vault.
If it only takes 5 minutes, do it at home.
If it takes an hour (you're researching stocks, then executing buy orders), you're wasting the company's time, and, by extension, bringing down your peers.
>If the answer is basic dignity or financial ruin,
I think white-collar workers have it far too easy.
Here's a shoutout to blue-collar workers who get to work 5 min before 8AM, get back to the work stations when lunch ends, and do an honest day's worth of work. They're not checking their Facebook every 5 min or expecting their employer to provide a computer to facilitate that.
The (spoiled) white collar worker will talk about "human dignity" when asked to do work for their money. Businesses bought and supplied computers for workers because they believed it would increase productivity. It is not a human right.
Later, when the Internet became prevalent, computers were networked and inter-networked, on the chance that people might need to contact suppliers/vendors. Web access was provided on the off chance you might need to research something.
To talk about human dignity is to say that workers without computers aren't humans!
Just to recap: Your employer provides you with an air-conditioned office. Your own desk, phone and computer. Ergonomic chair. Fast Internet access. And you resent that they install some sanity checks to make sure you're using the provided resources in order to achieve business goals?
In Europe, you can agree to waive that, which is likely going to be in most major corporations' contracts when you take the job.
Change is certain; progress is not obligatory.
Here's what a lot of people seem to be missing:
The concept of a company. Company: it's a grouping of people, people who come together for the purpose of making money.
Think of an athletic team: it's a grouping of people whose purpose is to win games. In order to do that, you practice. What would you think of a teammate who starts checking his Facebook in the middle of practice? Do it on your own time, you're here to work.
Car analogy: You're in the pit. You've got a car coming in. At that time, a co-worker decides to email his doctor about his bad knee. And another decides that's just the time to pay his telephone bill. Work, already!
I'm not a lawyer, but I play one on the Internet. Blog
Their health insurance is provided by the company in the first place.
Normally, your employer knows every ailment you have because they're sent reports from the health consortium.
I'm not a lawyer, but I play one on the Internet. Blog
Note: I am not the ground parent
Uhm, isn't it obvious? Some workplaces may have a policy where everyone is meant to have a super level of privacy, in which case the people making that assumption wouldn't be wrong, no?
Change is certain; progress is not obligatory.
My rate is 38USD an hour.
Change is certain; progress is not obligatory.
Good point, I see what you're saying.
I would say: if your (vendor) company is providing a service, then the customer would properly be the buying company, not its employees.
On the other hand, there's no reason for employees to be accessing personal services (like Dropbox) from work.
I'm not a lawyer, but I play one on the Internet. Blog
No, I've got your point. But your case is hardly common, and you can buy an Android phone if you really want to have your own connectivity while at work (I think one can be had for less than $150 these days).
... and I think HTTPS snooping is just fine!
Your friendly fork-tongued pal down under,
Satan
p.s. heh, sure hope I remember to anonymize this comment, so no one knows the real truth -- Al Pacino was only *playing* the Devil!
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
A better question is should you be doing something at work that you wouldn't want your boss to see in the first place.
What, are you arguing that one shouldn't use the toilet at work?
Learn to love Alaska
It's apparently not obvious to the people who tell us "You have zero expectation of privacy at work" and variants of "their property, their rules". It's obvious to you and me that neither of these things are true in the real world.
What matters are the social norms surrounding privacy; if most people expect privacy, then employers will have to abide by that, policy be damned. To go back to my well-used example, an employer wouldn't be able to get away with putting "we will film you using the toilet" in their policy.
.....I'll bet they've got key loggers on your system as well -- SOP at places which do that kind of snooping, guy!
If a corporation cannot look into encrypted data streams going in and out of their corporate network, they cannot properly discover malware intrusions (such as spearphishing and data exfiltration). So this is not optional - it is a necessity if a corporation values the data inside their corporate network.
Social norm is to ignore it.
I've had enough conversations with people regarding privacy to realize that people don't even think about it, so the idea they were expecting it is ludicrous. It's the same old story, they never thought about privacy before, they see something that makes them think about it, get outraged, only seeing it from their small point of view. A logical discussion ensues, and generally the outcome is that people need to be informed about this, of which often they were in their job contract or they continue down the line of logic that would make you a social hermit if you followed it.
I don't know... If you put it in your work contract, I'm not sure what the legal ramifications are, how are you so certain?
Change is certain; progress is not obligatory.
I'd be willing to bet that my employer has had even more serious "APT" problems. As in "hit the mainstream newspapers" serious. And they're not that draconian.
I've had enough conversations with people regarding privacy to realize that people don't even think about it, so the idea they were expecting it is ludicrous.
Social norms are often so ingrained in your behavior that you don't think about them. Acceptable behavior in bathrooms is highly regimented, but it's rarely overtly codified. If you're a man at a urinal, no one has to tell you that you're not supposed to stare at the junk of the man next to you. You just don't do it. You probably don't even classify that as part of "privacy", even though it surely is.
So people have all sorts of expectations that they're not consciously aware of until those expectations are violated. People expect that their company isn't going too far with the privacy policy, so few people bother to check -- and fewer still make a point to ask about it before accepting a job offer. It's only when they come to find out later that the privacy policy is clearly outside of the normal range that people are upset.
I don't know... If you put it in your work contract, I'm not sure what the legal ramifications are, how are you so certain?
I think it's probably illegal, but that's not even the point. All it takes is for one whistleblower to go to their local TV station and then that company becomes a global pariah as a peeping tom -- even if it's technically legal. After that, the company is going to face intense pressure to change their ways. Politicians will face pressure to make it explicitly illegal. This is all part of the process of establishing social norms that I talked about.
I thought it is currently considered best practice to move ssh to some other port on any Internet connection.
OP, you are almost guaranteed to be violating the company's internet use policy, so quit your bitching and stop using your company's internet for personal use on company time.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
your case is hardly common
Do I understand you correctly that dumbphone use is now considered "hardly common"?
you can buy an Android phone if you really want to have your own connectivity while at work (I think one can be had for less than $150 these days)
Plus how much more per month of service? Switching from my current phone to an Android phone on my current carrier (Virgin Mobile) would cost $30 more per month.
Do I understand you correctly that dumbphone use is now considered "hardly common"?
I believe so. I haven't seen a dumbphone in ages now, and IIRC smartphones overtook dumbphones in the US by market share a year ago or so (sorry, can't find the link to that study, but it was on /.).
Plus how much more per month of service?
$30 on T-Mobile.
Funny, I have these things called "breaks" which are definitely not my company time. Perfect time to login to internet banking and transfer some money to a colleague after he brought in some lovely goods from his wife's home business.
(a real life scenario, just one of many that I could think of involving using a financial institution's website during my work BREAKS.)
Fine.
To claim that privacy while using the restroom is the same as privacy while using the computers and network of that company is a logical fallacy.
Using the bathroom is a necessary biological function that most of the world [and I'm betting 100% of the people who work in offices] considers private. In fact, there are numerous laws that protect that privacy with very clear rules spelled out.
Using the network of the company that you work for is an optional perk of being employed by that company. The company may be bound by laws requiring them to monitor communication, SOX is a good example of this. Not using the company network is as simple as using a cell phone, laptop, iPad or one of the dozens of other devices that let you surf, call or play while not using their network and resources. Now, there are rules regarding listening in on phone conversations and web sessions, and they should have been clearly spelled out when you started using the network.
Finally, all businesses have restrooms available in some form, only a small percentage let you make calls or have internet access. It is inane to claim that privately using the phone or web through your employer is a right.
> ... while the proxy can effectively decrypt your https traffic, no one else can
You only know your session is encrypted between your browser and the proxy.
You cannot check who is at the other side of the proxy (unless perhaps you're the proxy admin).
You don't know whether your session is encrypted between the proxy and the other side. You don't know what grade of encryption is used between the proxy and the website, or whether that traffic is encrypted at all. For all that you know, your company's network admin is a nice honest guy, would never dream of snooping on anyone's traffic, but hasn't noticed that the proxy has been failing all SSL negotiation for the past 14 months and is reverting to no encryption. And even if it doesn't, I've seen commercial websites that provided identity through SSL, but did not encrypt the session. My browser warned me that the traffic is not encrypted. I could check the certificate, see that the other side is who he claims he is, see that the session is https but not encrypted, and decide not to use my CC on that site. But I would not be able to do so if it were through a proxy.
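The post above makes the point that a client behind an intercepting proxy only ever sees the certificate the proxy mints, never the real site's. What the client can still verify is who issued the certificate it was handed and whether that certificate's fingerprint matches a pin recorded earlier from a network it trusts. The following is an added example written for this discussion, not code from the original thread or from any proxy vendor; the corporate CA name, the host and the sample certificate data are constructed placeholders.

```python
"""Client-side check for TLS interception.

Two signals are checked on the certificate actually presented to this client:
  1. the issuer Common Name, compared against the corporate root that an
     interception appliance installs into the OS trust store;
  2. the SHA-256 fingerprint of the DER certificate, compared against a pin
     recorded out-of-band (e.g. from a home connection).
If the pin was taken on an untrusted network the second check is meaningless,
so record it somewhere you are confident no proxy sits in the path.
"""
import hashlib
import socket
import ssl

# Hypothetical name of the corporate interception root; substitute your own.
CORPORATE_CA_CN = "Example Corp Proxy Root CA"


def issuer_cn(peercert: dict) -> str:
    """Extract the issuer Common Name from the dict ssl.SSLSocket.getpeercert() returns."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def fingerprint_sha256(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate; this is the value you pin."""
    return hashlib.sha256(der_cert).hexdigest()


def assess(peercert: dict, der_cert: bytes, expected_pin: str) -> dict:
    """Report whether the presented leaf was issued by the corporate CA and whether the pin holds."""
    cn = issuer_cn(peercert)
    return {
        "issuer_cn": cn,
        "intercepted_by_corporate_ca": cn == CORPORATE_CA_CN,
        "pin_matches": fingerprint_sha256(der_cert) == expected_pin.lower(),
    }


def check_live(host: str, expected_pin: str, port: int = 443) -> dict:
    """Connect to host and assess the certificate this client is actually shown.

    Because the corporate root is in the OS store, the default context validates
    the proxy-minted certificate without complaint; only the issuer/pin checks
    reveal that the chain does not end at a public CA.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess(tls.getpeercert(), tls.getpeercert(binary_form=True), expected_pin)


# Constructed sample in the shape getpeercert() produces for a proxy-minted certificate.
SAMPLE_INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", CORPORATE_CA_CN),),
    ),
}
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"      # constructed
SAMPLE_PIN = fingerprint_sha256(b"certificate recorded from home")  # constructed

if __name__ == "__main__":
    print(assess(SAMPLE_INTERCEPTED_CERT, SAMPLE_DER, SAMPLE_PIN))
```

On the constructed sample the report shows the corporate issuer and a pin mismatch; on a real connection, `check_live("www.example-bank.test", SAMPLE_PIN)` would give the same two verdicts for whatever certificate reaches the client. Pins go stale when a site rotates its certificate, so treat a mismatch as a prompt to re-verify from a trusted network rather than as proof of interception on its own.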
I disagree with this kind of monitoring. Sure, the company has (or might have) the right to do it in many jurisdictions. It's their network, et cetera, but it most certainly isn't right, especially if they aren't making those whose communications are monitored aware that even https traffic is subject to monitoring -- most people would not assume that. People typically think if the lock icon is in their browser that they are using a secure connection, though in this case, they are not.

Furthermore, monitoring https is risky for the company. If someone does exploit the vulnerabilities posed by https monitoring, the firm could be held responsible. We have no real reason to implicitly trust IT or anyone other than the bank to refrain from eavesdropping on our data. History shows us many examples of IT staff breaking laws to steal information and money -- that's not an attack on IT people (I'm in IT myself), it's just that some people do bad things and one shouldn't trust everyone (especially when they don't trust employees. Trust is mutual). The easiest way to do that is by keeping personal traffic personal. Furthermore, we've all seen articles posted here on Slashdot and elsewhere, revealing that many (most, by some accounts) businesses have been breached or are breached regularly. So criminals can potentially break into the company network and steal data through this proxy.

As for the question over whether or not this issue is one to leave a job over, my quick answer is no. The people who made this decision probably don't have ill intent. They might actually believe they are doing the best thing they can do and this might otherwise be a decent place to work. I would definitely bring up the risks to management in hopes that they will change their posture. If you are considering leaving, consider all the positives and negatives of doing so and put this matter in there (sounds like you'd put it in the negative column). Then do what's best for you and, of course, only resign after signing an employment agreement with a new employer. It sounds like you've already left this place, however, so I hope you're on to something you like better! Hope that provides some good points of consideration. Best, Mike
It is stupid to block wholesale. Surely one can request specific videos from the security administrators, and a manager could approve the whole thing....
Sorry folks, security brings lots of bureaucracy if one wants to be able to do useful things.
IANAL but write like a drunk one.
You don't hand away all your privacy to your employer just for using their computers, you simply abide by their policies, but that does not mean they have free rein to do whatever they want with your data.
The superseding principle is not to do private stuff in the office, not because you are losing all your privacy, which most likely you aren't, but because you agreed to not doing personal stuff with the company equipment.
IANAL but write like a drunk one.
If you are fool enough to use your employer's computer for banking, healthcare, credit, etc., and especially if you don't think this stuff is routinely intercepted and looked at by employers, prospective employers, etc., notwithstanding HIPAA, FCRA, you should be fired for sheer ignorance or stupidity, but the real reason you will get fired is more likely going to violate federal or state law with relative impunity because an employer can always make up a permissible reason, especially if you get caught doing personal business on the company system. "Anything you say, on or off line, can or will be used against you, if not in a court of law, then at work and in other relationships and transactions." I used to practice with an insurance-defense law firm, and have also represented plaintiffs whose depositions were taken by other insurance-defense firms. Trust me on this, your or your wife or teenage daughter's OB/GYN records or abortion, or having taken antidepressants, are known and likely to be used against you in deposition if not in court. We used to get not only the plaintiffs' but their lawyers' financial data including specifically due dates of major loans. My wife's and my records were quoted in court, complete with details about my best man at our wedding, when I was appointed to represent some children whose father accused their mother of abuse. I was fired from one job at the behest of the health insurer, and called in while a dorm counselor in college, because of a typo that indicated I had a heart attack, which nobody living could correct, and I had never met the woman listed on one hospital's credit and medical records as my wife, nor our alleged child. Having our health insurance through our employers is one of the single worst arrangements ever invented, because it is impossible to segregate such information, especially but not only with self-insured employers where even the weak anti-discrimination provisions don't apply. John McCain got this right.