Microsoft Lync Server Gathers Employee Data Just Like NSA
coondoggie writes "Microsoft's Lync communications platform gathers enough readily analyzable data to let corporations spy on their employees like the NSA can on U.S. citizens, and it's based on the same type of information — call details. At Microsoft's Lync 2014 conference, software developer Event Zero detailed just how easy it would be, for instance, to figure out who is dating whom within the company and pinpoint people looking for another job."
I have to use Lync at work, and I'd just assumed it'd be cc'ing keywords etc to HR and management.
I'm shocked and amazed. A company running their own messaging server on their own network can see how it's being used?!
Next you'll tell me that my company's email administrator can see email I send at work, through the server they administer.
I work in the same building with a huge Tommy Hilfiger presence and always see people talking on their cellphones in a corner about what they do at their job
Yeah, and for the morons using company resources to look for a different job: don't. Use your personal cellphone, or something otherwise not funded by the company.
If you're instant messaging someone on the company's IM platform on the company's time why the fuck would you have any expectation of any sort of privacy?
I know my company can see everything I can do when I'm logged on to their computer. This is part of the agreement I signed with them. It's also the reason why I don't do stupid shit on my company's network like look for another job or send out resumes from my company email address.
Oh wait, the outrage is because it's Microsoft. Got it.
And a log is being kept about it? Who'dathunkit? *Groan* This isn't news.
This sort of thing is ok in a workplace in the United States, mostly because everyone expects the lack of privacy with using employer's equipment.
Other places in the world offer more privacy in the workplace. Such capabilities could cause some real problems in those environments.
This is why I prefer to do my job searches on a disliked co-workers computer.
... because that's the way to retain good employees, spy on them.
Given that this is dealing with company computers on a company network, it is their right to know how it is being used. I would hope that there is a strong privacy policy in place regarding any personal information that they uncover that is not a violation of company policies, but that is a hope and not an expectation.
Overall though, I would suggest that it is best to avoid doing anything at work that would stir up office politics.
A company that has to spy on its employees deserves a better business model, new leadership and a tax audit.
ALL PBX type software does this.
Anyone who wants to be able to bill internally HAS to keep this metadata to do internal billing.
It's also something that has been collected for the entire 30 years I've dealt with phone systems, and it's not like it was new when I first started in telephony.
You're pretty fucking stupid if this is news to you.
Wow, you mean a corporation has access to the numbers dialed by the people within the corporation!? Quick, call Ripley's Believe it or Not - I think I found something for the "believe it" pile!
Start your own company, and make a point of having absolutely no way to deal with the communications your employees perform on your behalf. Don't worry, you'll never, ever be involved in any sort of lawsuit that would bring out the fact that you don't cover yourself. What could go wrong? You'll be fine.
We had an email go out saying that people were using Bittorrent from home over the VPN and to please stop since it's illegal and taking up bandwidth.
You guys need better network admins. Proper firewalling and proxying should block traffic like that.
Also, I shudder to think of the potential mess caused by allowing personal laptops to VPN in the first place.
It sounds like you have something to hide. I'm just the opposite of you. I don't have a personal home phone, cell phone, laptop, etc because my employer provides all of that stuff to me and they don't care if I use it for personal stuff as long as it doesn't interfere with business use. I don't see any sense in paying for something I already have access to for free.
Email is free, so I do have a personal e-mail address, but I use my work e-mail for tons of personal correspondence just because it's a lot more convenient and I don't really care if my employer reads the day to day e-mail conversations I have with my friends and family.
It may be a fear line, but it is also 100% accurate. Companies are constantly being sued by their employees for NOT being vigilant enough in the workplace, whether it is sexual harassment, bullying, corruption or workplace safety. Employers have a legal responsibility to demonstrate they are taking steps to prevent and monitor those situations, and if they aren't it is a legal bonanza for staff that want to take advantage of it.
Companies in the financial sector - stock brokers, mortgage dealers, financial advisors and the like - are REQUIRED to archive and monitor their employees' work-related electronic communications, and must be able to demonstrate to regulators that they are actively doing so, or they face stiff penalties. The regulations are deliberately vague, but a general rule of thumb is that if an employee says something they're not supposed to say and the company's own compliance team failed to catch it, then they weren't doing enough monitoring and they can be fined.
Posting anonymously because I work for a company that specializes in communications archiving for the financial industry. And yes, we archive Lync IMs (and AIM and Facebook and Twitter and Salesforce Chatter and Instant Bloomberg and whatever else the kids are using these days, because if we can't archive it they're not allowed to use it).
Once you claim "it's only metadata," then you open the floodgates for all abuse.
Imagine, a database. Storing data. That you can run reports on.
Simply amazing what computers can do these days.
Wow, people really believe this sort of shit?
If it bother you that your employees are looking elsewhere for a job, perhaps try harder to retain them? I have standing offers to work for a couple of places, places that make the top paying employers lists. At this point in my career I don't really have to "look" for a new job, I just stop ignoring the offers. Yet I'm staying where I am - and not based on pay.
Want people to stay when they have plenty of choices? Try not pointlessly hassling them over shit like "using company equipment". You'd have to get pretty extreme with that sort of thing before you'd cost more than the cost of hiring someone new and them coming up to speed, even if you were such a dick that you even pay attention.
Sometimes you do want all traffic on a work computer being sent through the VPN. There are a number of security reasons why it would be important to know that, for example, a user is connected to bittorrent simultaneously with being connected to corporate resources. There's also a good reason for it to be against company policy.
Lync stores the info in two databases, LCSCDR and QoEMetrics. The first one has info on all sessions, other one has quality data. It's not like it's some super-secret database, MS has full specs in Technet, for example http://technet.microsoft.com/e... shows what's exactly stored in SessionDetails table.
Yes, such info *could* be used to do data-mining. Same info could be used to optimize least cost routing, gathering statistics on network performance, planning upgrades, and whatever you like. I've personally crafted a few reports from those DBs on how much folks are calling PSTN from Lync on various customer sites, so they can decide what is the priority in upgrading E1/T1 to VoIP-based PSTN connection.
It's not a conspiracy. Server admins can look at what kind of stuff you are doing on such servers.
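The kind of report the comment above describes, as an added example that is not code from the page and does not use the real Lync LcsCDR schema: the table, column names, user names and timestamps below are all constructed stand-ins (assumptions) so that the same call-detail metadata can be seen serving both the capacity-planning use (PSTN minutes per user) and the inference use the article warns about (pairs of internal users who repeatedly talk after hours).

```python
"""Mining call-detail metadata with plain SQL (added example, constructed data).

The `session_details` table here is a hypothetical, simplified stand-in for a
CDR/session table; it is NOT the Microsoft Lync LcsCDR schema.
"""
import sqlite3
from typing import List, Tuple

# Constructed sample rows: (caller, callee, start_time ISO 8601 local, duration_s, media)
# media is one of 'im', 'audio' (internal peer-to-peer) or 'pstn' (outbound trunk call).
SAMPLE_CDR = [
    ("alice", "bob",           "2014-02-03T09:15:00",  300, "audio"),
    ("alice", "bob",           "2014-02-03T22:40:00", 1800, "audio"),
    ("bob",   "alice",         "2014-02-04T23:05:00", 2400, "audio"),
    ("alice", "bob",           "2014-02-05T00:30:00",  900, "im"),
    ("alice", "bob",           "2014-02-06T21:50:00", 2000, "audio"),
    ("carol", "dave",          "2014-02-03T10:00:00",  120, "im"),
    ("carol", "dave",          "2014-02-04T11:20:00",  240, "im"),
    ("dave",  "+15551234567",  "2014-02-03T14:00:00",  600, "pstn"),
    ("dave",  "+15559876543",  "2014-02-04T15:10:00", 1200, "pstn"),
    ("carol", "+15551112222",  "2014-02-05T16:00:00",  300, "pstn"),
    ("erin",  "+15553334444",  "2014-02-05T02:00:00",   60, "pstn"),
]


def load_cdr(rows=SAMPLE_CDR) -> sqlite3.Connection:
    """Load constructed CDR rows into an in-memory SQLite table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE session_details (
               caller TEXT NOT NULL, callee TEXT NOT NULL,
               start_time TEXT NOT NULL, duration_s INTEGER NOT NULL,
               media TEXT NOT NULL)"""
    )
    conn.executemany("INSERT INTO session_details VALUES (?,?,?,?,?)", rows)
    return conn


def pstn_minutes_by_user(conn: sqlite3.Connection) -> List[Tuple[str, float, int]]:
    """Capacity-planning view: outbound PSTN minutes and call count per caller."""
    sql = """SELECT caller, ROUND(SUM(duration_s) / 60.0, 1) AS minutes, COUNT(*) AS calls
             FROM session_details
             WHERE media = 'pstn'
             GROUP BY caller
             ORDER BY minutes DESC, caller"""
    return conn.execute(sql).fetchall()


def after_hours_pairs(conn: sqlite3.Connection, min_sessions: int = 3,
                      start_hour: int = 19, end_hour: int = 6) -> List[Tuple[str, str, int, int]]:
    """Inference view: internal pairs who talk repeatedly outside working hours.

    The pair is normalised with min()/max() so (a, b) and (b, a) are counted together;
    only the hour of each session start is used, i.e. metadata, not content.
    """
    sql = """SELECT min(caller, callee) AS a, max(caller, callee) AS b,
                    COUNT(*) AS sessions, SUM(duration_s) AS seconds
             FROM session_details
             WHERE media != 'pstn'
               AND (CAST(strftime('%H', start_time) AS INTEGER) >= ?
                    OR CAST(strftime('%H', start_time) AS INTEGER) < ?)
             GROUP BY a, b
             HAVING sessions >= ?
             ORDER BY sessions DESC, seconds DESC"""
    return conn.execute(sql, (start_hour, end_hour, min_sessions)).fetchall()


if __name__ == "__main__":
    db = load_cdr()
    print("PSTN minutes per user (trunk planning):")
    for caller, minutes, calls in pstn_minutes_by_user(db):
        print(f"  {caller:<8} {minutes:>6} min over {calls} calls")
    print("Internal pairs with 3+ after-hours sessions (the inference the article warns about):")
    for a, b, n, secs in after_hours_pairs(db):
        print(f"  {a} <-> {b}: {n} sessions, {secs // 60} min")
```

Both functions read the same five columns; nothing about the query for trunk sizing is less "surveillance-capable" than the one for after-hours pairs. The practical control is therefore not the schema but who can read it: keep CDR/QoE-style databases behind a dedicated reporting role, log the queries run against them, and set a retention window, because the inference gets stronger the longer the history kept.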
While true due to all those "SSL accelerator" devices in people's workplaces which employees are supposed to allow to do an MITM attack, it's still an utterly insane situation that renders SSL almost entirely pointless in an increasing number of places.
IMHO letting one of those boxes into a workplace should be a criminal offence since people do not understand that it is tracking details of their personal banking transactions (for an example of an SSL situation), if they happen to do it at work. Years of using MS product GUIs have conditioned people to do a quick click through and accept everything so the default ends up trusting some proxy box as if it is the bank.
It's tempting to think that these new SSL proxy devices are all information collecting devices for various intelligence agencies - however it's more likely to be stupidity for the sake of convenience.
It's not your machine, or your network, or your electricity. It's not your time, either. Their job, their rules: Get over it.
Unfortunately, as long as employers are employing human beings rather than machines, the only people who think your position is tenable are HR, and Legal will do as much as they can to support it. Everyone else knows that occasionally you need to make a personal phone call during the working day, and everyone else thinks that listening in is creepy (not to mention illegal in many jurisdictions, at least if done as a blanket policy without reasonable grounds). Why should Internet access be held to a different standard?
Of course it's unreasonable for people to abuse work resources to spend all day looking for a new position. I don't see anyone disputing that employees are provided with those resources so they can do their jobs rather than for personal use. I don't see anyone disputing that work time is meant for work either, though of course things aren't so black and white when you get into breaks or what constitutes work time for salaried employees who don't get paid for fixed hours.
But things like deliberately and covertly MITMing secure connections to an employee's bank account, which maybe they're accessing because there's a legitimate question about whether their salary or expenses have arrived yet, is not acceptable. And no, some weasel words at the bottom of page 74 of your employee handbook saying generically that Internet communications may be monitored are not reasonable disclosure that this kind of practice is happening, IMHO. Either make it very clear that work resources may not be used for any personal matters -- and accept any negative consequences in terms of employee morale and/or retention and/or getting taken to a tribunal or sued -- or stop pretending that sysadmins playing Big Brother at work suddenly became acceptable because the word Internet was involved. It isn't, and in many places the law even says that.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
My entire point is that these devices remove any advantage of using https. The device takes it, decrypts it, deals with the data as plain text, then encrypts it again to send out. Whoever has control of the device gets to decide what to do with that data. It's a very stupid situation for almost zero extra convenience. If I was the NSA or similar I would love to have a lot of these things out there with only a small number of vendors to lean on about backdoors.
Next you'll tell me that my company's email administrator can see email I send at work, through the server they administer.
And the root problem here is that (thanks, FCC) email is *still* not considered a communication the way POTS or USmail is. If some company said "hey, you dropped your US mail envelopes in an Out box that we own, so we can open all your mail," they'd go to jail. Same goes for voice comms. But e-mail somehow magically belongs to the owners of the server? That's crap and the law should be changed. In the meantime, I'll just point out that the ethics (Hey, United Technologies Ethics Officer, I'm talking to YOU) of email spying is beneath despicable.
Hence the malware epidemic which would have been written off as bad science fiction if it wasn't already happening.
Yes, that is a problem and doing such a thing without informing end users is actually illegal in some countries.
No, it's none of their business. If they run a business where the employees feel trapped into servitude by pre-employment agreements, local talent monopoly, overwhelming bills and bad economy, seniority w/no upward mobility, etc., the company has clearly overstepped the bounds of human decency with no regard for their most important asset. This is WHY we get corporate espionage: if you back someone in a corner without a reasonable choice, they will do whatever they need to in order to survive and prosper. When a business is so large it has to resort to treating its employees like faceless units, it has grown cancerously without dividing into diversified units and begins its own downward spiral in the name of greed of the board and investors. Morons! (like AT&T, Apple, Chrysler, Shell, etc.) The old business models of dinosaur mega companies are showing their age in waste and loss due to sheer size. The day of the dinosaur is over, many smaller businesses will have a surviving advantage in times to come, their survivability will come from a close knit smaller team and will suck the talent from the big boys.
This software in question is a fine example of the suicide happening right now.
This is a new age of business, just like the new age of politics coming after the fall of trust for the current regime.