Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: What's Your Take On HTTPS Snooping?

timothy posted more than 2 years ago | from the note-from-the-principal's-office dept.

Businesses 782

First time accepted submitter jez9999 writes "I recently worked for a relatively large company that imposed so-called transparent HTTPS proxying on their network. In practice, what this means is that they allow you to use HTTPS through their network, but it must be proxied through their server and their server must be trusted as a root CA. They were using the Cisco IronPort device to do this. The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped on (nor will any other browser that uses IE's cert store, like Chrome). Is this a reasonable policy? Is it worth leaving a job over? Should it even be legal? It seems to me rather mad to go to huge effort to create a secure channel of communication for important data like online banking, transactions, and passwords, and then to just effectively hand over the keys to your employer. Or am I overreacting?"

Sorry! There are no comments related to the filter you selected.

They don't enforce snooping on everything (5, Interesting)

borv (2021802) | more than 2 years ago | (#40346857)

Chances are they will whitelist any sites that may contain personally identifiable information such as banking sites etc. Most places do not want to get into privacy issues like this. Anything else is fair game. Personal e-mail might be a different story, but then again, in some verticals like finanicials, you should not be accessing personal e-mail anyway, per policy of most financial houses. Personal e-mail and the like are avenues for information to easily leave the firm.

Re:They don't enforce snooping on everything (5, Insightful)

lindi (634828) | more than 2 years ago | (#40346895)

It's a good idea to not access personal bank account from company computers anyway.

Re:They don't enforce snooping on everything (4, Interesting)

MichaelSmith (789609) | more than 2 years ago | (#40346901)

My workplace is pretty open about proxying all https connections and I get the horrors whenever I see a co-worker doing their banking from their desk.

Re:They don't enforce snooping on everything (4, Interesting)

WaywardGeek (1480513) | more than 2 years ago | (#40347025)

My understanding is that very large companies are doing this to save money rather than to snoop on your https sessions. Companies are saving money by locally caching large data sets from electrically far away branches of the same company. When you https into a a company site in another country, you get that nice all secure indicator, even though your company has a caching server in the middle.

That said, large companies have Big Brother watching you all the time. My aunt had to get a guy fired for watching porn at work, because that was part of her job. If you're trying to be sneaky, do it competently, or don't do it at all.

Re:They don't enforce snooping on everything (1, Informative)

Anonymous Coward | more than 2 years ago | (#40347169)

You are correct about the whitelisting of banking, healthcare and other sites that require SSL but should not be snooped on. Most vendors ssl inspection products contain pre-configured rules that stop SSL inspection being applied to sites that should not be snooped on such as banking sites.

However for DLP to work correctly, you must have SSL inspection setup or you cant intercept data being snuck off via P2P messaging (MSN, Skype etc..) or via Gmail and alike.

at the end of the day, if you have nothing to hide because you are doing your job, whats the big deal?

Forward shields down to 0% captain! (-1)

Anonymous Coward | more than 2 years ago | (#40346863)

SPOCK: Open the Air Lock.
KIRK: Permission to come aboard, Captain?
SPOCK: Welcome, Admiral. I think you know my trainee crew. Certainly they have come to know you.
KIRK: Yes, we've been through death and life together.
KIRK: Mister Scott, you old space dog. You're well? What's the story with HTTPS Snooping by the company that employs me and owns my ass?
SCOTTY: She can't take much more of this!

Don't do personal shit at work (2, Insightful)

Anonymous Coward | more than 2 years ago | (#40346865)

Simple as that.

Re:Don't do personal shit at work (2, Insightful)

Sorthum (123064) | more than 2 years ago | (#40347091)

This was more sensible a decade ago; nowadays with so much of our lives online (banking, shopping, correspondance) it's no longer "reasonable" to not do anything "personal" on the internet while you're at work.

Re:Don't do personal shit at work (0)

Anonymous Coward | more than 2 years ago | (#40347179)

Why exactly not?
You are at work, aren't you. if you think the breaks you have totally aren't enough, then you should complain about that, not about you not being able to do personal stuff at work.

Re:Don't do personal shit at work (5, Insightful)

Austerity Empowers (669817) | more than 2 years ago | (#40347201)

60+ hour work weeks.

Re:Don't do personal shit at work (2, Insightful)

circletimessquare (444983) | more than 2 years ago | (#40347199)

why are you banking, shopping, or correspondence at work?

personally, i've done all those things, and i was sneaky and quick about it

never did i expect i had a right to do it

i get paid to work, what do you get paid to do?

it is COMPLETELY reasonable to not do anything personal on the internet while you're at work

seriously, the sense of entitlement is a little annoying

Re:Don't do personal shit at work (0)

Anonymous Coward | more than 2 years ago | (#40347131)

just do it over your phone's data card and use your phone as a local wifi hotspot. its that simple.

Expensive (1)

tepples (727027) | more than 2 years ago | (#40347157)

use your phone as a local wifi hotspot

This would require me to subscribe to a plan with tethering, which is still luxury-priced in the United States market.

Re:Expensive (3, Informative)

mpoulton (689851) | more than 2 years ago | (#40347171)

use your phone as a local wifi hotspot

This would require me to subscribe to a plan with tethering, which is still luxury-priced in the United States market.

No, it just requires that you root your android device.

Perspectives (5, Informative)

gellenburg (61212) | more than 2 years ago | (#40346869)

Considering that I actually do this (Internet filtering) for a living for a medium-sized company let me tell you why we do it.

Data leakage.

We're concerned about an employee either accidentally or maliciously transferring customer data or other sensitive data to an unauthorized party.

We're also acutely aware of the liabilities and sensitivities imposed by us breaking the SSL channel, inspecting the payload, and then re-encrypting it on our employees behalf, which is why we go out of the way NOT to break the chain for sites that are healthcare or financial related.

But your Gmail is fair game.

Re:Perspectives (5, Insightful)

guruevi (827432) | more than 2 years ago | (#40346909)

Data leakage can be done a myriad of other ways. And by the time you actually have analyzed the data (if anyone even looks at the reports after 2 weeks) the damage has already been done.

Re:Perspectives (1, Interesting)

gellenburg (61212) | more than 2 years ago | (#40346931)

Agreed. But the OP's Ask Slashdot isn't about Data Leakage, it's about SSL proxying.

Now, if you WANT to have a discussion about Data Leakage, well then grab a cup of coffee and pull up a chair.

I do this shit for a living.

Re:Perspectives (1)

mjensen (118105) | more than 2 years ago | (#40347137)

Okay, I'll bite on this one. Thank you for posting, Gellenburg.

I've had to go through hoops to get information to a customer and had to run around/through the IT department blocking my email. We had a time crunch, and it wasn't that sensitive of information, but policies were preventing me from sending, and we couldn't wait for IT to change rights to permit me to send this data. Sending ZIP files, for instance, was unpacked and scanned and blocked if the contents were funny. I used an unexpected archive format (my own).

I can easily see where you could detect the file names or database footprint of, say, a payroll database file. How good would your system be at finding the same data exported to spreadsheet format first?

Without compromising your system, what have you detected, and what couldn't you detect?

Thanks

Re:Perspectives (1)

ganjadude (952775) | more than 2 years ago | (#40347161)

do you whitelist based on IP or on DNS? if not IP couldnt someone edit their host file, go to www.mybank.com, which is white listed and have it route to www.myemail.com ?

Re:Perspectives (1)

brusk (135896) | more than 2 years ago | (#40347045)

Sure, the damage is done, but at least you know who did it. For a firm dealing with medical, financial, or other sensitive data, that's kind of important.

Re:Perspectives (1)

gellenburg (61212) | more than 2 years ago | (#40347063)

Actually it's important for any publicly traded companies.

It's not just HIPAA, but also Sarbanes-Oxley, GLBA, the SEC, and a myriad of other pesky CFRs.

Re:Perspectives (1)

Anonymous Coward | more than 2 years ago | (#40347189)

Not every public company deploys these solutions though, so clearly it's not a requirement of SOX. It may be helpful in some aspect of SOX compliance, but it's not a requirement.

Re:Perspectives (1)

kcurrie (4116) | more than 2 years ago | (#40347083)

..and just because it's already done NOW, doesn't mean that it's useless to know! Knowing that employeeX is stealing company data allows you to potentially look further into what else the employee is compromising and put a stop to it.

Re:Perspectives (0)

Anonymous Coward | more than 2 years ago | (#40347135)

Most Data Loss Prevention (DLP) solutions I use use real time blocking. For example if you attempt to upload proprietary information as a gmail attachment and it triggers a DLP rule it blocks the upload. It's pretty much set it and forget it once you have your rules properly configured.

Re:Perspectives (2)

ThatsMyNick (2004126) | more than 2 years ago | (#40346929)

Do you also block SSH traffic and other data that looks like it has already been encrypted through some software (a java applet, if users are not allowed to install their own software). Just curious.

Re:Perspectives (1)

gellenburg (61212) | more than 2 years ago | (#40346973)

SSH can't be proxied like SSL traffic. The reason SSL traffic works is precisely because of the existence of a wildcard certificate issued from a Trusted Root CA. (I also manage our PKI too).

But SSH — as a matter of good practice — should be heavily restricted. In other words, good security policy dictates you don't let anyone on your network blithely open up an outgoing SSH connection to any host on the Internet.

Re:Perspectives (2)

DarkOx (621550) | more than 2 years ago | (#40347075)

Not sure how you are doing but we do the SSL negation with the remote peer first than use the information from their certificate to generate and sign a CSR on the fly from our CA. No need for wild cards.

Re:Perspectives (1)

Jose (15075) | more than 2 years ago | (#40347165)

SSH can't be proxied like SSL traffic

yep, it can. there are a few commercial fw's that do it...check out page 191 of McAfee's (.pdf) userguide
here [mcafee.com]

if you don't wanna read the .pdf...check here [mcafee.com]

"Put the network firewall in charge of security again with integrated comprehensive network gateway protection technology, including:

        Encrypted traffic inspection (SSH/SSL)
"

Re:Perspectives (2)

MichaelSmith (789609) | more than 2 years ago | (#40347023)

ssh doesn't work to external locations from my workplace but curiously, there is no restriction on DNS traffic ;)

Re:Perspectives (2)

DarkOx (621550) | more than 2 years ago | (#40347041)

We decrypt SSH as well. Our equipment will actually go up to several tunnels deep. Yes you do get hostkey warnings.

Re:Perspectives (1)

gellenburg (61212) | more than 2 years ago | (#40347087)

I just checked. Turns out ours can do it too but I don't remember ever seeing it on a roadmap of something to turn on.

Not sure what benefit it would provide us anyway tbh.

Re:Perspectives (0)

Anonymous Coward | more than 2 years ago | (#40347143)

Just be glad you don't have to read my traffic. I have a knack for assembling weird custom protocols that look like line noise.

Oh, and getting a host key warning will probably result in me piping one of my custom protocol through a ssh link and letting you chew on it.

Incidentally, don't try it with my commercial software. It just might detect the server key is wrong and flat-out reject it with tamper detection, and _no way to override it_ because your key doesn't check out.

Re:Perspectives (1)

MichaelSmith (789609) | more than 2 years ago | (#40346945)

Well okay but what happens when a worker googles for information on a task they have to do abd while the actual information they want is generic in nature ("how to compile an android program") for example, they cast the query in such a way that it includes internal information, possibly because they don't even know that the information is internal? For example where I work we are encoraged to google for answers to our clear case problems, rather than bothering the internal consultant. But when you do that there is a risk that you will paste in all of a command or something and leak information.

Re:Perspectives (2)

gellenburg (61212) | more than 2 years ago | (#40347003)

For my Company, we're looking for patterns indicative of SSNs, credit card numbers, and certain keywords such as "confidential", "proprietary", or other keywords that refer to sensitive internal projects or other sensitive company information.

And Googling for information isn't "data leakage", because your activity is bringing information INTO the company (from the results of your Google search) so we don't care a lot about that.

Re:Perspectives (1)

Reschekle (2661565) | more than 2 years ago | (#40347031)

That's not entirely accurate (re: Google). Your search query has to go to Google's servers, where it might be logged and seen by someone at Google.

I tend to think it would be difficult to leak too much to Google that way (the search box only takes so many characters of input) but if you're paranoid enough it is a valid leak vector to worry about.

Re:Perspectives (1)

ganjadude (952775) | more than 2 years ago | (#40347181)

you could in theory, log into google (i assume you do allow google to be logged into?) put in strings of information that is confidential, but makes no sense out of context, at home look at search history and re assemble.

Re:Perspectives (1)

GryMor (88799) | more than 2 years ago | (#40347057)

You can still leak confidential data through the queries that are made.

Re:Perspectives (0)

MrMista_B (891430) | more than 2 years ago | (#40346961)

So why are you, personally, not in jail right now for illegal wiretapping?

Not trolling, I'm honestly curious how you're getting away with this without some sort of FBI investigation into the practice, and massive fines/imprisonments.

Re:Perspectives (3, Insightful)

Reschekle (2661565) | more than 2 years ago | (#40347007)

There is NO expectation of privacy on a private network.

Re:Perspectives (1)

lsllll (830002) | more than 2 years ago | (#40347175)

There is NO expectation of privacy on a public network.

There. Fixed that for you.

Re:Perspectives (1)

gellenburg (61212) | more than 2 years ago | (#40347019)

LOL. Because it's not wiretapping when you're sniffing the communication going on your own private network.

Re:Perspectives (2)

Savantissimo (893682) | more than 2 years ago | (#40347037)

The owner of the equipment says it's OK, the user is an employee with no right to privacy on the employers' machine.

Re:Perspectives (1)

ganjadude (952775) | more than 2 years ago | (#40347191)

more than likely it is in the sign on agreement that your communications on company wires (or wireless) may be monitored

Re:Perspectives (1)

Bill, Shooter of Bul (629286) | more than 2 years ago | (#40346981)

Which is why I route all of my companies secrets through my bank.

Re:Perspectives (0)

Anonymous Coward | more than 2 years ago | (#40347011)

Your boss probably don't pay you to use internet banking or personal things at work.

Re:Perspectives (0)

Anonymous Coward | more than 2 years ago | (#40347061)

We're concerned about an employee either accidentally or maliciously transferring customer data or other sensitive data to an unauthorized party

If it's malicious, what you say will in no way stop it from happening. It won't even make it significantly more difficult.

The best way to have your employees not do malicious things is to create an environment where they don't want to.

Re:Perspectives (1)

Reschekle (2661565) | more than 2 years ago | (#40347129)

A former employer of mine (publicly traded) used to proxy all IM conversations. The technology they used wasn't quite as clever and robust though. Basically, they would just create their own A records in the company's DNS server for the various IM servers (Yahoo, AIM, MSN, etc.) that point to an internal appliance. The internal appliance would proxy the connection and sniff all the conversations.

They made it quite obvious because every time you logged in, you would get an automatic IM from " IM Administrator" informing you that the logging was taking place.

It was very easy to bypass though - either set the correct IP addresses in the hosts file of your PC or plug the IP addresses into your IM client. This was necessary sometimes because those of us with Linux workstations would not be allowed to use IM because our Linux workstations didn't have Active Directory computer accounts (used for tying AD users to IM conversations).

They didn't do any webmail logging though.

Not sure what policy mandated this. We were not in a sensitive industry like finance, healthcare, or defense. Just a medium-sized software company. May have just been IT's interpretation of SOX compliance requirements.

Zoals de waard is, vertrouwt hij zijn gasten (5, Informative)

El_Muerte_TDS (592157) | more than 2 years ago | (#40346875)

In Dutch we have a saying roughly translated to: He who distrust others, is probably untrustworthy.

Re:Zoals de waard is, vertrouwt hij zijn gasten (3, Insightful)

brusk (135896) | more than 2 years ago | (#40346991)

In security, you have to start with the assumption that everyone is untrustworthy until proven otherwise.

Re:Zoals de waard is, vertrouwt hij zijn gasten (2)

El_Muerte_TDS (592157) | more than 2 years ago | (#40347059)

You work for the TSA I assume?

Re:Zoals de waard is, vertrouwt hij zijn gasten (0)

Anonymous Coward | more than 2 years ago | (#40347015)

A little useless here, since that works equally well from both the employee and employers point of view.

Employer might well be reading your personal email, and employee might well be moving shit that doesn't belong to them.

Re:Zoals de waard is, vertrouwt hij zijn gasten (1)

bky1701 (979071) | more than 2 years ago | (#40347073)

Then please post your passwords to all your accounts in reply to this message. Otherwise, I don't trust you.

Re:Zoals de waard is, vertrouwt hij zijn gasten (1)

El_Muerte_TDS (592157) | more than 2 years ago | (#40347163)

That's exactly the point I'm trying to make. Apparently you have zero trust on me and demand my credentials to check on me, because without checking you cannot trust me. I'm not asking you to trust me. I'm just saying you shouldn't distrust me to start with. Trust is earned, just like distrust.
I made a little error in the translation, although it doesn't make much of a difference, it's more like "The host who distrusts his guest, is probably untrustworthy". But it doesn't make much of a difference.
If you start of with distrusting your employees, then what reason would your employees have to trust you. Legally your employers are required to keep company shit secret, because, that's what you put into their contracts, right?

Re:Zoals de waard is, vertrouwt hij zijn gasten (1)

Anonymous Coward | more than 2 years ago | (#40347101)

Star Trek the next Generation has an episode named roughy translated from the Latin phrase "Quis custodiet ipsos custodes?"

Re:Zoals de waard is, vertrouwt hij zijn gasten (1)

davidoff404 (764733) | more than 2 years ago | (#40347185)

Follow that line of reasoning and you may very well wake up one day to the sight of Germans stealing your bicycles.

Seriously (0)

Anonymous Coward | more than 2 years ago | (#40346877)

Are you stupid or a really bad troll ?

Simple (1)

wiredlogic (135348) | more than 2 years ago | (#40346879)

Their network, their rules. You have no right to expect privacy for work or non-work related activities on their systems.

Re:Simple (1)

Richard_at_work (517087) | more than 2 years ago | (#40346969)

This is absolutely no different at all to recording all phone calls into and out of the building - many companies do that, and its never been seen as an issue in the light that the submitter is trying to make this out to be.

I wouldn't be surprised if your employer also had the right to open all mail, parcels and packages you have delivered to your place of work as well. Or send, for that matter.

Re:Simple (0)

Anonymous Coward | more than 2 years ago | (#40347145)

You can not waive some rights under the law.

Opening mail addressed to someone else is a federal crime.

Therefore, opening mail addressed to an employee is not legal.

Re:Simple (0)

Anonymous Coward | more than 2 years ago | (#40347009)

Agreed 4g tethering in the parking lot at a lunch break if need be.

They expect you to be "part of the team" (3)

betterunixthanunix (980855) | more than 2 years ago | (#40347195)

So when you work for a big company, they talk a big game about being part of the team and so forth -- then turn around and treat you like a prisoner. Sure, they are within their rights, but I find it interesting that people like you are willing to defend them.

Personal at Work? (0)

Anonymous Coward | more than 2 years ago | (#40346881)

Don't do your personal through your work network might be a good place to start.

Remember, it's their network (0)

Anonymous Coward | more than 2 years ago | (#40346889)

If you don't want them to see what you're doing, don't do it on their box.

Don't do personal stuff requiring privacy at work (2)

isopropanol (1936936) | more than 2 years ago | (#40346899)

Do it at home, on your own equipment like the rest of us.

Re:Don't do personal stuff requiring privacy at wo (1)

Threni (635302) | more than 2 years ago | (#40347039)

Or use a VPN.

Re:Don't do personal stuff requiring privacy at wo (0)

Anonymous Coward | more than 2 years ago | (#40347047)

Or just do personal stuff on your smartphone/tablet using 3g.

Re:Don't do personal stuff requiring privacy at wo (1)

fongaboo (813253) | more than 2 years ago | (#40347089)

Or remote into a home machine

No worst than key loggers (4, Insightful)

zill (1690130) | more than 2 years ago | (#40346925)

The fact that you're using IE and isn't allowed to change the certificate store tells me that you don't have admin privileges. If that's case, then your company can already log your every key stroke, so I don't see how HTTPS packet inspection is any more intrusive.

I just avoid doing banking or sensitive transactions on computers that isn't administered by myself or someone that I trust.

It's their network... (1)

Kili (265889) | more than 2 years ago | (#40346927)

They own the network.
They have told you there is no privacy on it so you have no resonable expectation for such privacy.
It's their network, provided so you may perform their job function, not do personal stuff on the company dime.
Get over if or find an employer willing to let you do personal stuff on their dime and network.
Did I mention it's their network and they are entitled to monitor what you do with their property?

Re:It's their network... (1)

betterunixthanunix (980855) | more than 2 years ago | (#40347203)

Well, next time you come to my house for a "friendly" visit, expect the same treatment if you use my network...

nice advertisement (0)

Anonymous Coward | more than 2 years ago | (#40346935)

would have been helpful to include integration and pricing info as well, but i was able to locate that without too much trouble. thanks!

Not nice but not illegal (0)

Anonymous Coward | more than 2 years ago | (#40346941)

Their computers, their network, their rules.

I assume that they have disclosed the fact that your SSL traffic is being intercepted and stored so that you do not hand over your personal data (including financial and medical) to your employer without your knowledge.

With that said, what is motivating this company to be so paranoid? How much data are they storing and how are they analyzing it? Are there any obvious flaws (i.e. alternative port number)? What about ssh traffic?

Don't work there (2, Insightful)

guruevi (827432) | more than 2 years ago | (#40346943)

If they don't trust you, you shouldn't trust them. If they're trying to snoop on you for whatever reason, they think you're a criminal. Would you work for the RIAA? Would you work for a boss who every time you come in he says "you're a criminal" and then proceeds to look over your shoulder all day? No and you shouldn't accept such behavior from employers.

Leave your job, no. Do your job, yes. (2, Insightful)

MacTO (1161105) | more than 2 years ago | (#40346947)

There are various reasons why you should not be using your employers computers for personal use. One is that you are using company resources for non-business purposes. And that is something that you don't do unless you have your boss' blessing.

illegal (3, Interesting)

chrb (1083577) | more than 2 years ago | (#40346949)

I think that this may well be illegal, because even if you consent, the server at the other side of the connection hasn't consented. That means that at least one party to the communication is having their encrypted data intercepted and decrypted by a third party without their knowledge or consent. Wiretap laws apply to both communicating parties. Not aware of any case law, someone needs to actually Sue cisco bluecoat or one of the other ssl intercepting proxy makers to establish legality.

Re: illegal (1)

brusk (135896) | more than 2 years ago | (#40347029)

Actually I doubt you'd have a case against Cisco or even the company; it would be the employee who knowingly initiated a connection that could be snooped on who would be at fault, if anyone.

Re: illegal (1)

chemicaldave (1776600) | more than 2 years ago | (#40347095)

I doubt that, legally, a server is a legal entity, or counts as a "communicating party".

Re: illegal (1)

TheGinger (2575099) | more than 2 years ago | (#40347155)

I would agree with this, from the administrator of the https server's perspective, this is a man in the middle attack

Bring your own network to work (3, Informative)

Anonymous Coward | more than 2 years ago | (#40346953)

Just do your banking over your phone's carrier network. Your employer can't go there (can they?)

Controll of egress (3, Informative)

DarkOx (621550) | more than 2 years ago | (#40346955)

You can't be secure unless you control your egress. If you just let https streams go anywhere with no visibility into their content you might as well just set the firewall to allow all out bound connections. If there is ANY concern about information as an asset, you must intercept and decrypt https.

Your company more than likely has a policy that any use of their equipment is supposed to be for job related purposes, I don't think regular employees should have any expectation you are not watching everything they do on the PC provided by the company.

Usually the certificates are pushed through group policy, anyone else who shows up with their own device or other companies property will get a certificate warning, if they look at the certificate its going to show it was signed by your company. They can make an informed decision about what they want to do knowing they are being watched. So I don't see a problem there.

One thing that gets over looked with SSL intercept is YOU become responsible for the forward authentication and encryption between your proxy since the client now has no opportunity to verify the certificate itself. So you HAD BETTER BE DOING revocation checks and making sure the proxy has a sane list of trusted roots, and serve clients some kinda error page if you can't trust the certificate.

Don't quit you job. Deal with the fact that with all the spy ware and things like flame going on this is what business must do to protect themselves. Do you banking/medical correspondence/etc at home.

u r an fag (-1)

Anonymous Coward | more than 2 years ago | (#40346959)

snupe deez ho

"Their network, their rules..." (0)

Anonymous Coward | more than 2 years ago | (#40346963)

I agree with this sentiment 100%, but I also feel strongly that it's the employer's duty to tell their employees that it is company policy to do this. It may be within their legal rights to do this without informing their employees (IANAL), but I would not want to work for an employer who does that. doesn't jibe with my personal ethics.

You have no right to privacy at work (0, Redundant)

vinn (4370) | more than 2 years ago | (#40346975)

You have zero expectation of privacy at work. Do you think it's fair to sit on Facebook all day while at work or even pay your bills?

Mostly I hear questions like this at work from people who are just getting their first job and who seem to think they have this sense of entitlement with regards to everything. Face it, the job market sucks right now and for anyone just entering it, you're at the mercy of employers who have the luxury right now of many more qualified applicants than open positions. If you're using their computer and their network, you play by their rules. You are a wage slave just like all the other people in your building.

With regards to whether you should quit your job, only you can answer that. I can tell you there are plenty of good places to work that don't do anything like that, but only you can answer whether or not it's worth working at one of them.

Re:You have no right to privacy at work (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40347147)

You have zero expectation of privacy at work.

Since about 8 million people have said this now, I think the counterpoint needs to be stated.

You are correct, it IS their network and their rules, but that doesn't mean that it's a good idea for them to be a dick about it. I've worked for several large (over 100,000 employee) companies, and several medium sized (1000-5000) companies, and in every case, it was made clear that we were explicitly permitted to use work computers for minor or occasional personal use such as banking or email, but were expected not to abuse the privilege.

IT and programming type jobs are creative in nature. Sometimes it helps to walk away from a difficult problem for a few minutes to let your mind clear. It was always expected that you get your job done, but trying to enforce that every single moment you're sitting there you must also be working is just crazy. That's not how people are. It's much better to build an environment of mutual respect. That was understood in every job I've held.

Now, if you sit around for hours a day surfing the web, yeah, that's a problem and needs to be dealt with by your management. But if you log into some account to check your 401K for 5 minutes once a day? Getting all up in your face about that is going to be counterproductive; it'll make employees unhappy, and in being unhappy, they will be less productive and more inclined to get up in the company's face.

So you're technically right, but in any sense of wisely running a company, you're not. But of course, many companies are not run wisely...

Re:You have no right to privacy at work (1)

Nutria (679911) | more than 2 years ago | (#40347187)

sense of entitlement with regards to everything ... using their computer and their network, you play by their rules.

Now you know what social conservatives think about drug testing welfare recipients: if you want my money, you must follow my rules.

Whose equiptment is it? (1)

TedTschopp (244839) | more than 2 years ago | (#40346985)

Are you using their equipment, their network, their bandwidth, their physical space?

Even if the computer is yours, its still their network, bandwidth, and physical space. This means they are bending over backwards to even let you go to personal websites like your bank.

For all the people okay with it (1)

Anonymous Coward | more than 2 years ago | (#40346989)

Are you also okay with the company listening to every phone call you make? How about reading every piece of mail you send? Or perhaps eavesdropping on your conversations? What if they come up with a way to read brainwaves? That acceptable, too?

Re:For all the people okay with it (1, Insightful)

ledow (319597) | more than 2 years ago | (#40347173)

Phone call I make? "This call may be recorded for training purposes".

Mail I send? Hell, yes, they should know what they are paying to post.

E-Mail I send? "The views in this email... blah blah blah... this email may be recorded".

Eavesdropping and brainwaves - There you have the already-imposed limit of it going "too far" anyway, and arguments into absurdity don't make your point - they just make you look stupid. "What next, they gonna come to my home and tell me I haven't been to work today and stop my salaray going into my bank account??!?!?!?"

But while you're an agent of the company, everything you do on company time, using company facilities, that communicates outside the company? It's ALREADY being monitored. Don't like it? Don't use company resources on company time to do your online banking (Why the hell would you do that anyway, and what would you have done 20 years ago when you COULDN'T do that?). Using personal internet connections on company time may still be a breach too, because you're supposed to be fucking working.

Nobody CARES about your phone call to your wife, or how much you have in your bank. I assure you, the IT department don't give a shit and wouldn't let anyone else just eavesdrop on private things anyway. But while you're being paid to work, bloody work, and you do so as a representative of the company. That means they can know exactly WHAT you're doing while you're supposed to be working (i.e. Did you call that customer a tosser? Are you defaming them on Facebook? Have you just obtained insider info from your pal at your rival?.

And in your lunch hour? They have no more requirement to supply you with a connection to Facebook or anything else than they have to give you a pool table in the staff room. The fact that it will get sniffed is neither here nor there - they just monitor everything and it's a workplace so you're supposed to be working.

You're at work. Get over it. If it worries you, use your own device and connection. /me longs for the day when WORK meant WORK, and I'm not even an employer. I can't tell you how much slacking off I see on smartphones, Facebook, etc. Fine, if nothing NEEDS to be done at that moment but then I see those same people whinging about deadlines and pressure.

Re:For all the people okay with it (1)

Anonymous Coward | more than 2 years ago | (#40347205)

Even if you're at work, there can still be an expectation of privacy in certain situations. Just because a workplace can use a camera in the lobby doesn't mean they can do the same thing in the bathroom. Being a private company doesn't trump everything. Also, I don't see how eavesdropping on conversations is so difficult to believe. Many cameras can handle sound as well.

Security of Other Computers (1)

bky1701 (979071) | more than 2 years ago | (#40346993)

When using a computer not owned by you (you might go so far as not used solely by you), you have to assume everything you do on it is being monitored, either by design (snooping/logging) or accidentally (because someone using it ended up getting a keylogger). This should be standard security procedure: if it is not your computer, you have no idea where what you type into it is going.

Yep and they should snoop (1)

Anonymous Coward | more than 2 years ago | (#40346995)

So here's the unpopular answer. It's their network. As an employee you have no inherent right to having unfiltered Interent access as an employee. If you don't like it, use your smartphone, bring a personal laptop and an 3G card, etc. Lots of alternatives if you don't want to be snooped. Unfortunately they all cost you money or inconvenience you in some way but hey it would cost the company money as well to provide what is in theory extra bandwidth for you to do your personal stuff.

Here's the real kicker. The company is the one that is at risk by not monitoring. You surf child porn, it gets traced back to them. You download illegal software, it gets traced back to them. You steal company secrets and they have to explain to shareholders how they provided the means for data to be stolen but didn't bother to put any monitoring in place to prevent it from happening.

What you seem to want is the equivalent to a door in the back of the building with no locks and no video surveillance.

It is thier network. (1)

zoeller (1322797) | more than 2 years ago | (#40347017)

Why would anyone be entitled to privacy using someone else's equipment or Internet connection. On the other hand Ironport allows you to exclude banking as a category for the proxy service which in my option should not be proxied to reduce a companies liability in t he event of a security breech.

Re:It is thier network. (0)

Anonymous Coward | more than 2 years ago | (#40347033)

You're using your ISPs equipment right now why should you be allowed privacy?

Re:It is thier network. (1)

Cute Fuzzy Bunny (2234232) | more than 2 years ago | (#40347115)

Because you're paying them to use their data lines, and agreeing with their snooping in the process...unless the OP's work is charging him a monthly ISP fee with a TOS, then I don't think thats a very deep comparison.

If you would be missed (1)

Anonymous Coward | more than 2 years ago | (#40347035)

If you would be missed, I would say threaten to quit (and be prepared to actually do so). I wouldn't put up with it as a matter of principle. I would begin by making it known that it isn't acceptable, and that if they don't trust me then they don't need me.

Companies do this without changing IE's CA list (0)

Anonymous Coward | more than 2 years ago | (#40347071)

Lots of companies have been issues certificates that allow them to issue other certificates and have been signed by a CA that is the existing root trust lists of most browsers. For example, my employer got a CA certificate from identrust.com which allows them to issues certs and it already singed by a cert that is in the CA trust list in the browser. So even it a guest brings in their own notebook computer and browses to their own corporate website, in theory the company they were visiting could look at all the traffic and they would not be aware that happened. Same thing can happen when using HTTPS from someone else's WIFI network. As Eric Rescorla, one of the TLS Working Group Co-Chairs has been saying - certificates are too easy for the bad guys to get and too hard for the good guys to get.

SSH tunnel (0)

Anonymous Coward | more than 2 years ago | (#40347093)

that's one of the reasons why I connect home and tunnel everything unrelated to work through my SSH connection - skype, google talk, M$ messenger, private emails that read in thunderbird, and just about every web page I visit that's not on the intranet.

Pattern-based proxy selection works great thanks to FoxyProxy, and I have the "External IP" addon display my external IP address in the status bar in Firefox. I always verify it's my home IP address when slacking off ;-)

Your employer owns their own systems, dont they? (1)

Cute Fuzzy Bunny (2234232) | more than 2 years ago | (#40347105)

When you're at work, doing work, I imagine you're not supposed to be using the company network for your own personal day to day stuff. Get a netbook or a tablet or a phone with 3g and do your own work on your own hardware on your own network that you paid for.

Then let your employer snoop on and look at whatever data is running around their network. They're entitled to, to make sure you aren't doing anything illegal, passing on company secrets or information, etc.

I ran a big piece of the IT shop for one of the largest companies in the world. We looked at everything, all the time, everywhere. And that was a while ago...

Do they have a clear internet usage policy? (0)

Anonymous Coward | more than 2 years ago | (#40347151)

I seem to recall a few years ago a number of headlines here in the UK about employers snooping on their employee's computer use at work and after a bit of political shouting, new rules (or at least guidlines) were introduced which boil down to "You can restrict the use of company computers however you like, but you must have a clear and readily available set of rules and if you are going to monitor computer activity then you have to make this clear as well." and I have to say that this seems to me to be fair and pragmatic.
I work somewhere where security is very important and as a result we have quite limited web access from our desks. HTTPS often doesn't work at all and when it does the proxy trick mentioned is used. This is not actually spelled out in any of the rules, but OTOH, every time you log in a big box comes up which basically says "All activity on this computer may be monitored" which I guess covers it.
The bottom line, as others have mentioned, is that you should never enter anything personal, particularly not passwords, into a computer you don't completely trust and this usually means having root acces to ensure that it is secure.

Wrecks non-browser user agents (1)

artbristol (904315) | more than 2 years ago | (#40347167)

My company does this. It's assumed by our IT department that 'fixing' Internet Explorer (plus some lame wiki instructions for Firefox users to install the bogus CA cert) is enough. Now try using Subversion, or cURL, or Yum, or Java+Maven. None of it works without trial and error configuration.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?