Microsoft Lync Server Gathers Employee Data Just Like NSA
coondoggie writes "Microsoft's Lync communications platform gathers enough readily analyzable data to let corporations spy on their employees like the NSA can on U.S. citizens, and it's based on the same type of information — call details. At Microsoft's Lync 2014 conference, software developer Event Zero detailed just how easy it would be, for instance, to figure out who is dating whom within the company and pinpoint people looking for another job."
Seriously? You deserve to be fired.
I have to use Lync at work, and I'd just assumed it'd be cc'ing keywords etc to HR and management.
I'm shocked and amazed. A company running their own messaging server on their own network can see how it's being used?!
Next you'll tell me that my company's email administrator can see email I send at work, through the server they administer.
I work in the same building with a huge Tommy Hilfiger presence and always see people talking on their cellphones in a corner about what they do at their job.
Cisco and lots of other phone software vendors do this
My wife fired someone because they had the call details to prove she didn't call customers like she was told to.
Yeah, and for the morons using company resources to look for a different job: don't. Use your personal cellphone, or something otherwise not funded by the company.
So, as corporate policy becomes more like that of high school, and high school policy becomes more like prison, we're all kept in adolescent, fear-driven hell just a little more, already well past the sell-by date. Meanwhile, lawyers and software vendors write laws and software to profit from this stunting of society. More at 11.
If you're instant messaging someone on the company's IM platform on the company's time why the fuck would you have any expectation of any sort of privacy?
I know my company can see everything I can do when I'm logged on to their computer. This is part of the agreement I signed with them. It's also the reason why I don't do stupid shit on my company's network like look for another job or send out resumes from my company email address.
Oh wait, the outrage is because it's Microsoft. Got it.
Sounds like Event Zero was looking for some free press...
Every phone system I've ever worked with (Cisco, Definity, Avaya, OCS/Lync) can do this...
And a log is being kept about it? Who'dathunkit? *Groan* This isn't news.
For those who seek perfection there can be no rest on this side of the grave.
He loved using the phone records as management metrics to be used against us all. No personal phone calls allowed. PERIOD.
He just assumed everyone was plotting against him, stealing from him and looking for a new job.
He was right about one aspect: Everybody was desperately looking for a new job but asking for time off or calling in sick was met with suspicion that they were going out on a job interview. He made it very difficult to look for a new job.
He never liked us conferring with fellow employees since he had to control everything. All information flowed down from him. Any information we had was supposed to flow up to him, but he didn't need us since he knew everything and any information we would tell him would be pointless.
Most of my fellow employees would just stop showing up or never come back from vacation. It was hell.
They're needed until the customer has paid their bill, and then should be deleted, just like library records of who borrowed what book are deleted when it's returned. Anyone keeping them longer is looking to make themselves a target for break-ins, subversion or court orders.
Telcos are often mandated to keep them, in the kind of "future crime" scenario that belongs in a movie like Minority Report (:-))
davecb@spamcop.net
This sort of thing is OK in a workplace in the United States, mostly because everyone expects the lack of privacy when using an employer's equipment.
Other places in the world offer more privacy in the workplace. Such capabilities could cause some real problems in those environments.
They're getting lonely with so few people commenting.
Nice way to run a tabloid, /. "editors".
This is why I prefer to do my job searches on a disliked co-workers computer.
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
... because that's the way to retain good employees, spy on them.
Given that this is dealing with company computers on a company network, it is their right to know how it is being used. I would hope that there is a strong privacy policy in place regarding any personal information that they uncover that is not a violation of company policies, but that is a hope and not an expectation.
Overall though, I would suggest that it is best to avoid doing anything at work that would stir up office politics.
As I recall, you write your name on a card that doesn't get thrown away until it's full. When the book is returned, the card is put back in it for anyone to see. You can go to the library, grab the book off the shelf, copy down the names and dates on the card and return the card to the book, likely without anyone realizing you're doing it for small numbers of books.
Deleting the info when the book is returned even today sounds unlikely unless they are inspecting every page in the book on return; otherwise, when the next guy checks it out and finds missing pages or that someone's kid thought it was a coloring book, they wouldn't know who to charge for the damage.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
It's the taxpayers' property, and the 4th and 5th amendments don't have an age limit.
Either get a warrant, or it's an illegal search. Case closed.
(I'm only replying because you are obviously the same person loudly and obnoxiously defending the corporate status quo above)
We had an email go out saying that people were using Bittorrent from home over the VPN and to please stop since it's illegal and taking up bandwidth.
I love Jesus, except for his foreign policy.
Apart from shareholders (you know who they are: they have hundreds of millions or billions of dollars in the bank), is Microsoft good for anyone? I see people like Forbes fawning over them for years, but unless you are a shareholder, the only thing you share with them is an overpowering greed. They destroy competition in the marketplace not through high quality products or better value but by manipulation, monopolistic tactics, lies, coercion, threats, cheating and stealing. There are people who also see this as good (just like the overwhelming greed). None of their products are good for the software or technology industries: indeed, most technology companies avoid using their products because their products cannot be integrated into anything else without destroying the bottom line of any other company. They are bad for their employees because they aren't interested in innovation: innovation costs money; if they can keep the same level of profits with stagnation, that's much cheaper. They aren't good for customers: the same old products year after year, with enough window dressing to make what is new incompatible with what was old, so customers keep paying for the same software they had 15 years ago (indeed, id Software developers found 16-bit APIs in their graphics stack... software that had been originally written in 1992). They aren't good for the local government: they refuse to pay fair taxes; they 'export profits' to other countries with lower tax rates, robbing local schools of income for things like electricity and (ironically) computers, and now we find they spy on employees. We had a good idea that they allowed NSA back doors years ago, confirmed on a massive scale by Snowden that they spy on customers. Is Microsoft a candidate for a company that deserves to have its business license revoked worldwide? It would seem so.
Wow, you mean a corporation has access to the numbers dialed by the people within the corporation!? Quick, call Ripley's Believe it or Not - I think I found something for the "believe it" pile!
> We had an email go out saying that people were using Bittorrent from home over the VPN and to please stop since it's illegal and taking up bandwidth.
You guys need better network admins. Proper firewalling and proxying should block traffic like that.
Also, I shudder to think of the potential mess caused by allowing personal laptops to VPN in the first place.
I work for an IT company that is one of the largest users of Microsoft Lync outside of Microsoft.
I never, EVER, use my employer email, my employer lync chat, voice, video, and screensharing service, my employer supplied cellphone, and my employer supplied desktop and laptop computers for personal use. Ever. I have my own personal laptop, email and chat accounts, and personal cellphone for personal use.
The libraries I used no longer use cards. Checkout info is done on a computer system. When this first started, there was a question over law enforcement requests to turn over such info. After 9/11 (IIRC), the position of the Federal Govt., homeland security, etc., was that no warrant was required. A lot of libraries, a field with a long history of supporting individual liberties and privacy regarding the right to read (censorship issues), and the right to keep it private (no, not every library or librarian), put in place new policies: delete such info shortly after it is no longer needed. Then they have no info, or only info on the current items checked out, to turn over.
That is what my local library does. Even so, sometimes I think I should check out lots of books at random to create noise in any list of books I've checked out.
It will get better. Take the "Business Microscope" (curiously removed from the developers website), which will give the boss a log of more than just communications. Bob Greene covered it earlier this month: http://www.cnn.com/2014/02/02/opinion/greene-corporate-surveillance/
It sounds like you have something to hide. I'm just the opposite of you. I don't have a personal home phone, cell phone, laptop, etc because my employer provides all of that stuff to me and they don't care if I use it for personal stuff as long as it doesn't interfere with business use. I don't see any sense in paying for something I already have access to for free.
Email is free, so I do have a personal e-mail address, but I use my work e-mail for tons of personal correspondence just because it's a lot more convenient and I don't really care if my employer reads the day to day e-mail conversations I have with my friends and family.
"Lync does this no differently than any other enterprise communications system," says Barry Castle. They are not lying. There have been better solutions for a long time. All of them integrate directory services (AD/LDAP) with information from everything: audio recording of phone conversations, video recording of desktop usage, real time network traffic information.
Having to work for a living is the root of all evil.
Companies in the financial sector - stock brokers, mortgage dealers, financial advisors and the like - are REQUIRED to archive and monitor their employees' work-related electronic communications, and must be able to demonstrate to regulators that they are actively doing so, or they face stiff penalties. The regulations are deliberately vague, but a general rule of thumb is that if an employee says something they're not supposed to say and the company's own compliance team failed to catch it, then they weren't doing enough monitoring and they can be fined.
Posting anonymously because I work for a company that specializes in communications archiving for the financial industry. And yes, we archive Lync IMs (and AIM and Facebook and Twitter and Salesforce Chatter and Instant Bloomberg and whatever else the kids are using these days, because if we can't archive it they're not allowed to use it).
Once you claim "it's only metadata," then you open the floodgates for all abuse.
http://en.m.wikipedia.org/wiki/Poisoning_the_well
A fallacy and a reverse assertion does not a refutation make.
Full call details can be logged from an Asterisk server. It's pretty much a standard feature for any PABX. Complete non-story.
This is different than any other chat/VOIP/Conferencing system in what way?
Ever thought that such a lax policy could come from their boss? At the place where I work there are literally no restrictions and I am not at liberty to introduce any because my boss won't allow it. Anything that would in any way impair employees in doing whatever they damn well please is off limits to restrict.
Imagine the fun I'm having as an administrator in a company where everyone has administrator rights.
My mom says your troll is about 20 years out of date. (She's a retired public library director.)
There is no Planet B.
> It sounds like you have something to hide.
Let me be the first to say, "Fuck you. (And you're an idiot.)"
Sometimes you do want all traffic on a work computer being sent through the VPN. There are a number of security reasons why it would be important to know that, for example, a user is connected to bittorrent simultaneously with being connected to corporate resources. There's also a good reason for it to be against company policy.
BZZZT, wrong. Schools do not need a warrant to search their own property (it is owned by the school, even if the money came from taxpayers), and the Supreme Court has ruled that during the school day, several of the Bill of Rights protections do NOT apply to school children.
Not sure where you got your law degree, but maybe you should take a refresher course.
He is not wrong to call GP out on his ignorance. Just about everything in that post was completely wrong. If someone continues to post stuff that is factually wrong and trivially provable, there's very little point spending the time to prove it in every post; telling them to "shut up and sit down" is not a fallacy.
I would have expected better from the /. crowd.
Especially to understand the difference between a theoretical ability to look at individual data and systematic large-scale data analysis.
You know, one is someone giving you the looks on the street - and the other is 24/7 stalking. As a society, we pretty much agree that one is fine and the other isn't.
Assorted stuff I do sometimes: Lemuria.org
Or is that, tin roof, rusty? Nothing a b-52 strike couldn't solve, though nothing for the madness that lurks within.
Lync stores the info in two databases, LCSCDR and QoEMetrics. The first one has info on all sessions, the other one has quality data. It's not like it's some super-secret database; MS has full specs on TechNet, for example http://technet.microsoft.com/e... shows exactly what's stored in the SessionDetails table.
Yes, such info *could* be used to do data-mining. Same info could be used to optimize least cost routing, gathering statistics on network performance, planning upgrades, and whatever you like. I've personally crafted a few reports from those DBs on how much folks are calling PSTN from Lync on various customer sites, so they can decide what is the priority in upgrading E1/T1 to VoIP-based PSTN connection.
It's not a conspiracy. Server admins can look at what kind of stuff you are doing on such servers.
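The legitimate uses named in the post above (PSTN usage reports per site, deciding whether to upgrade a trunk) and the retention point made earlier in the thread (delete records once they are no longer needed) can be shown on constructed CDR-like records. This is an added example and not Lync's own schema or code: the field names, sample values and the keyed-hash pseudonymization are assumptions made for the snippet, not columns of the real SessionDetails table.

```python
"""Aggregate constructed call detail records for trunk capacity planning,
then apply a retention window and pseudonymize user identities.

Added example. Field names and sample data are constructed for this
snippet; they are NOT the LCSCDR/SessionDetails schema.
"""
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs: one dict per completed session (times in UTC).
SAMPLE_CDRS = [
    {"start": "2014-02-03T09:00:00", "duration_s": 600, "site": "nyc",
     "caller": "alice@corp.example", "callee": "+15550100001", "pstn": True},
    {"start": "2014-02-03T09:05:00", "duration_s": 900, "site": "nyc",
     "caller": "bob@corp.example", "callee": "+15550100002", "pstn": True},
    {"start": "2014-02-03T09:08:00", "duration_s": 300, "site": "nyc",
     "caller": "carol@corp.example", "callee": "+15550100003", "pstn": True},
    {"start": "2014-02-03T09:20:00", "duration_s": 1200, "site": "nyc",
     "caller": "alice@corp.example", "callee": "bob@corp.example", "pstn": False},
    {"start": "2014-02-03T10:00:00", "duration_s": 1800, "site": "lon",
     "caller": "dave@corp.example", "callee": "+442079460001", "pstn": True},
    {"start": "2013-11-01T08:00:00", "duration_s": 60, "site": "lon",
     "caller": "erin@corp.example", "callee": "+442079460002", "pstn": True},
]


def _start(rec):
    return datetime.fromisoformat(rec["start"])


def pstn_minutes_by_site(cdrs):
    """Total PSTN minutes per site: the input to an E1/T1-vs-SIP-trunk costing."""
    totals = defaultdict(float)
    for rec in cdrs:
        if rec["pstn"]:
            totals[rec["site"]] += rec["duration_s"] / 60.0
    return dict(totals)


def peak_concurrent_pstn(cdrs, site):
    """Peak number of simultaneous PSTN calls at a site (trunk channels needed).

    Sweep over call start (+1) and end (-1) events in time order; on equal
    timestamps an end is processed before a start so back-to-back calls on
    the same channel are not double counted.
    """
    events = []
    for rec in cdrs:
        if rec["pstn"] and rec["site"] == site:
            begin = _start(rec)
            events.append((begin, 1))
            events.append((begin + timedelta(seconds=rec["duration_s"]), -1))
    events.sort(key=lambda e: (e[0], e[1]))
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def retain(cdrs, now_iso, retention_days, secret):
    """Drop records older than the retention window and replace caller/callee
    with keyed hashes, so per-site statistics survive but who-called-whom does
    not. `secret` is a constructed per-deployment key (an assumption here)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    kept = []
    for rec in cdrs:
        if _start(rec) < cutoff:
            continue  # past retention: do not keep
        out = dict(rec)
        for field in ("caller", "callee"):
            out[field] = hmac.new(secret, rec[field].encode(), "sha256").hexdigest()[:16]
        kept.append(out)
    return kept


if __name__ == "__main__":
    print("PSTN minutes by site:", pstn_minutes_by_site(SAMPLE_CDRS))
    for site in ("nyc", "lon"):
        print(site, "peak concurrent PSTN calls:", peak_concurrent_pstn(SAMPLE_CDRS, site))
    pruned = retain(SAMPLE_CDRS, "2014-02-10T00:00:00", 90, b"constructed-key")
    print(len(pruned), "records kept after 90-day retention; sample:", pruned[0])
```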
> This is why I prefer to do my job searches on a disliked co-workers computer.
What a coincidence, I'm doing my job search on your computer right now.
> Imagine the fun I'm having as an administrator in a company where everyone has administrator rights.
That's not necessarily unmanageable, I've worked in a really large multinational where all employees had local admin rights, but IT still had full control and very few issues through the right tools, setup and policies -- including Network Access Control.
It's not your machine, or your network, or your electricity. It's not your time, either. Their job, their rules: get over it.
Unfortunately, as long as employers are employing human beings rather than machines, the only people who think your position is tenable are HR, and Legal will do as much as they can to support it. Everyone else knows that occasionally you need to make a personal phone call during the working day, and everyone else thinks that listening in is creepy (not to mention illegal in many jurisdictions, at least if done as a blanket policy without reasonable grounds). Why should Internet access be held to a different standard?
Of course it's unreasonable for people to abuse work resources to spend all day looking for a new position. I don't see anyone disputing that employees are provided with those resources so they can do their jobs rather than for personal use. I don't see anyone disputing that work time is meant for work either, though of course things aren't so black and white when you get into breaks or what constitutes work time for salaried employees who don't get paid for fixed hours.
But things like deliberately and covertly MITMing secure connections to an employee's bank account, which maybe they're accessing because there's a legitimate question about whether their salary or expenses have arrived yet, is not acceptable. And no, some weasel words at the bottom of page 74 of your employee handbook saying generically that Internet communications may be monitored are not reasonable disclosure that this kind of practice is happening, IMHO. Either make it very clear that work resources may not be used for any personal matters -- and accept any negative consequences in terms of employee morale and/or retention and/or getting taken to a tribunal or sued -- or stop pretending that sysadmins playing Big Brother at work suddenly became acceptable because the word Internet was involved. It isn't, and in many places the law even says that.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
What's a nudist with a vow of poverty doing here?
> Also, I shudder to think of the potential mess caused by allowing personal laptops to VPN in the first place.
Depends. With proper endpoint assessment tools, you can obtain some reasonable security. BYOD is kind of a rising trend, so a generally accepted method seems to be "Sure, you can connect your own laptop or tablet or whatever to the network, but you'll use Anyconnect and the HostScan has to report conformance". This mostly stems from the fact that in all the meetings folks are starting to use their fancy iPads instead of bulky laptops...and are expecting same services being available.
I've seen some customers actually think of this as a benefit: savings in the IT budget. If workers are willing to maintain their own devices on their own time and all IT has to do is a compliance check, all the better for the company.
With all the setups of this type I have heard of there is no opt out. Accept the certs, let the MITM box have all your traffic in the clear or no SSL traffic for you. It's a man in the middle attack "for your own good" because it speeds up all the traffic, but whoever has access to that box gets to see what you've sent - usernames, passwords, the entire lot. So instead of having a possibility of security leaks at two ends you've got a third player that knows everything as well, and that's a lot of extra trust that IMHO should never have to happen.
Even if it's 100% company data the junior sysadmin and external consultant should not have a handy and easy way to get the bank login and password that the CFO uses for company bank transactions.
There are even obligations on companies to keep records of communications of their employees. Helps to prevent corruption a little bit, or at least makes it clearer when examining it.
Well, so much for Microsoft's Scroogled campaign... case of the pot and the kettle.
> Sometimes you do want all traffic on a work computer being sent through the VPN.
I could make the argument it's more secure in some cases to have a split tunnel rather than a default route. Why? If you need internet traffic while on the VPN with a default route, I have to somehow let that go out and then come back in through the corporate firewall/VPN server to route back to your VPN client. I'd just as soon let you access it directly with a split tunnel and have additional security software on your system to figure out if you are doing anything naughty.
... but I learned early on as a parent that jumping on everything I find my kids doing just teaches them to hide things better.
The whole OMFG the NSA!!1! spin on this article is absurd. If you use a computer while connected to a company network you can be sure the activity is being logged. Email, texts, browsing URLs, all of it is logged no matter what the platform. Can the logs be analyzed? Of course.
If you're job hunting or dipping your pen in the company ink, so to speak, do it with your own mobile phone without any corporate stuff on it. If you're dumb enough to be banging the boss's wife and calling her using his telephone, you deserve to get caught.
There could be a lot of valid reasons for that, particularly if any of the work you do involves clearances.
I love it when slashdotters complain about how boneheaded policies are without having the faintest clue of the reasons behind them.
Since you neglected to quote any portion of the post you responded to, let me quote for you a key sentence in the post you are making fun of:
> That's all employees, not just those who have monitored access to government secrets.
The emphasis on "all" was in the OP. Are you being deliberately obtuse, Warden Norton?
The library community has been sensitive to this for a long while, and the library software vendors (e.g., GEAC and friends) are careful to keep data for as short a period as possible, meeting the requirements of the most privacy-protective countries they sell into. As few countries either have or enforce library anti-privacy laws, the software is therefore saleable everywhere.
Almost ironically, privacy-protective code can be a business advantage.
> Next you'll tell me that my company's email administrator can see email I send at work, through the server they administer.
And the root problem here is that (thanks, FCC) email is *still* not considered a communication the way POTS or US mail is. If some company said "hey, you dropped your US mail envelopes in an Out box that we own, so we can open all your mail," they'd go to jail. Same goes for voice comms. But e-mail somehow magically belongs to the owners of the server? That's crap and the law should be changed. In the meantime, I'll just point out that the ethics (Hey, United Technologies Ethics Officer, I'm talking to YOU) of email spying is beneath despicable.
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
Microsoft Exchange stores data for all emails for the company.
What a stupid article. Of course any internal communication tool can be monitored by the company - as it should be.
Exactly. Cisco's UC has the same capabilities. I'm sure all other UC by other vendors have the same features.
Nothing to see here.
"A plan fiendishly clever in its intricacies"- Homer Simpson
> And the root problem here is that (thanks, FCC) email is *still* not considered a communication the way POTS or USmail is. ...
> they'd go to jail. Same goes for voice comms. But e-mail somehow magically belongs to the owners
When you use the company's telephone network, the same information is logged. Since virtually all systems do so, there's a standard data format they use, called CDR (call detail record). This has been the case for at least 40 years. You need logs to debug problems in the system, for capacity planning, etc. Does the company need to place an order now to have more lines to the outside world installed two months from now? The admin queries the logs to find out. Why is the company suddenly spending so much money on international calls? Again, they query the logs. If you send packages or letters using the company's FedEx account they have records of that too. They need to know how their money is being spent.
Not new news, this product has been around for over a decade. Before it was renamed Lync it was called Office Communication Server 2007, and before that it was Live Communication Server 2003/2005.
Also there is no need for the employer to analyze the data or "to figure out who is dating whom within the company and pinpoint people looking for another job". They can just enable the Archive feature of the product and use SQL SRS to crank out chat logs, where you probably spelled it out for them plainly. All versions for a decade have had this feature.
MS Technet blog about Archive reports:
http://blogs.technet.com/b/dodeitte/archive/2013/06/02/sample-lync-server-archiving-report-available.aspx
Conversation search results:
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-74-93/0027.2013_5F00_11_5F00_26_5F00_01_2D00_02.png
Conversation details:
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-74-93/2541.2013_5F00_11_5F00_26_5F00_01_2D00_03.png
The Supreme Court also ruled that Dred Scott wasn't a person.
If "several" of the Bill of Rights protections do not apply to school children, who gets to decide which is which? Can they be held without trial? Questioned without a lawyer? Denied a jury trial? Convicted on secret evidence?
Forced to pray to whatever god the school deems appropriate?
Oh shit, it looks like your argument just turned around and took a nice thick bite out of your smart ass. Next time a little less mouth might serve you well.
It will get more interesting: http://yro-beta.slashdot.org/story/14/02/03/162216/virtual-boss-keeps-workers-on-a-short-leash
Water's wet. The sky is blue. And companies monitor company communications.
My employer explicitly says they keep your Lync messages. Do other employers pretend they don't?
I mean they give you an email and they keep the record. Tied to that email is your Lync. They keep that data too.
Democracy Now! - your daily, uncensored, corporate-free
Are you aware that you can get in very deep legal shit when someone takes your policy as merely a guideline to break and then does something that turns your monitoring into criminal wiretapping?
Laws trump petty little acceptable use policies.
In case you want to continue with pretended stupidity here's a very clear analogy. A keep off the grass sign in a public park is not a licence to plant landmines to enforce it.
Guys, gathering data on activity made with corporate property is not spying, no matter the logic or mindset you're using. Sorry, it's just not. It's spying when you're paying for the service and they're going through its records. Not sure how this is news. Also, c'mon, really? How is any of this new? It's an extension of monitoring telephony call detail records or email usage.
All the commercial operators are in bed with NSA and sometimes use the same techniques even before they hand your data to NSA on a silver plate so that "government algorithms" can do the same.
"Data Protection" is for Useful Idiots.
..otherwise you would simply do that.
signed
Another naive Slave
Who the hell would use the company network to look for a job?
I respect companies' right to control their hardware and their network. However, a true IT professional knows how to safeguard a network without compromising the privacy of employees. If there is a law enforcement need or a matter of theft that a company needs to deal with, then okay. However, blaming data mining on technology is a cop-out.