Well, since I am IT, I am not about go to snitch on myself.
deleted by creator
Kind of yeah, the rest of the working world uses Windows for good reasons.
deleted by creator
Legacy software with incredible backwards compatibility, exponetially more software options, user familiarity, pretty much everything that active directory provides from user management to group policies, the list goes on.
Im a linux guy, but the thought of rolling out even the most user friendly linux distro gives me nightmares.
deleted by creator
Aren’t they? Changing a legacy app can take years to do the needed research, approval, procurement, and implementation. “Because my IT guy doesn’t like Windows” is a terrible reason to undergo that process.
The same with retraining users on a whole new OS. You’ll spend hours over the course of months answering “where did my C:\ drive go?”. That’s a lot of time you’ll never get back.
Active Directory provides a lot of tools that are familiar to senior techs and easy enough for junior techs to figure out. I might prefer how Salt Stack works but I don’t have time to train dozens of fellow techs.
Linux is cool for a number of reasons, but it isn’t a magic easy button and a wise admin doesn’t swap out fundamental parts of his tech stack without careful consideration.
I’m in a company that uses Microsoft stuff, but I use a lot of fedora and Linux mint in VMs. The latter is based off Ubuntu at least!
It’s actually kind of nice to be able to save the state of my VM since forced restarts are so infrequent.
deleted by creator
I’m in the process of convincing my management to switch to Linux. The most important thing to them is having a way to remotely delete the pc in case it’s stolen. Does someone know of a solution in Linux for that?
I’m on Ubuntu at work! The only employee on Linux at a tech company of >150 people! (Where are my Linux nerds?)
I’m using it, as well as my boss!
What about private browsing or running a Firefox portable exe?
I mean it’s not blocked, but if you’re connected to their network, they can still see your traffic if they wanted to.
Yes of course. But OP is asking about Browsing history, which is basically the only think private browsing can do
Private browsing is a fig leaf at best.
Portable Firefox is hit or miss, depending upon the work environment. It’ll definitely show up in file system monitoring, might show up in the logs of the border proxy as an unexpected user agent. The initial download will definitely show up. Removable media might or might not, depending on how group policy is set up.
No, no, no. Private browsing isn’t private like that. Your ISP and network adminstrator (in this case your employer) can still see every website you access. This is usually explained on the “New private tab” on browsers.
“Tor browser bundle” is the version of Firefox that doesn’t reveal browsing data to the local network.
The use of Tor does show up on the network. The protocol is known and understood, and has been in the detection sets of pretty much every layer 7 filtering product for the last ten or eleven years. What, exactly, is being accessed is largely concealed (but traffic patterns give away a reasonably broad picture of what’s happening).
deleted by creator
They can see what IPs you connect to, doesn’t matter what browser you use or if the connection is made from a browser at all
You can use Tor and your IT won’t be able to see what you’re browsing. They will be able to see that you’re using Tor, and might get grumpy about that, though.
Anything on a work computer, or on a work network, you have to assume is recorded by the office
We record network traffic, not data from your browser. We can see every URL any device on the network hits, regardless if the traffic comes from a browser or even a phone app.
How about DoH? Firefox supports it, and not every IT admin has blocked the ability to use it. (mozilla.cfg)
That only provides a secure connection to the DNS server. The DNS server can still log your activity.
When on a private network, all DNS traffic can be forced to use a inhouse DNS server that records everything.
How is this with mobile devices from your employer. I have a company iPhone and understand that there is a certain “space” on the phone which is controlled by the company, mostly all the Microsoft 365 apps (so, for example it is not possible to copy/paste stuff between MS and non-MS apps).
However, for the rest I would assume that all the other traffic does not go through company servers (probably no traffic at all, as I usually have a local IP), and that they can’t see what I am doing in my other apps. Otherwise they could spy on all my transactions I do in my banking apps for example. But AFAIK iOS apps are pretty much sandboxed anyway.
This might be different on my company PC / Laptop, though.
The security on your device doesn’t matter at all.
For ANY device to reach ANYTHING on the Internet it has to send a lookup request to a DNS server to get the IP of the server.
A privately controlled network can easily force all of those requests through their own private DNS server which captures all activity.
I am actually running AdGuard Pro with a custom DNS on that device.
That device would not be able to reach th custom DNS in the scenario I mentioned. If it cannot fall back to the network’s DNS it would simply fail to reach any websites.
That’s what I meant to say, that your scenario is unlikely in my case.
Most companies deploy management software on their mobile devices. They have the ability to monitor activity and do things like remote wipe the device if you’re fired. On iPhone go to settings->general->vpn and device management to see if anything’s there.
Thanks for pointing me to this setting. There are two profiles, one is my personal VPN, which I use for device-wide ad-blocking (AdGuard Pro), another one is the MDM management profile. The latter one consists of a list of managed Microsoft apps (e.g. Outlook, OneDrive, Teams, etc.) and various (device) certificates. I guess nothing to be concerned about.
If your company also pays for your phone’s data bill, we can see a general overview of what sites you visit.
That could be possible, I don’t know. I am not visiting any adult or otherwise inappropriate sites on that phone, but I do a lot of Reddit, Lemmy, Mastodon stuff in my free time. But it was this way for the past 10 years and I never had any problems. Sometimes I think about buying i private phone, but it seems kinda stupid to have two of these devices.
That could be possible, I don’t know. I am not visiting any adult or otherwise inappropriate sites on that phone, but I do a lot of Reddit, Lemmy, Mastodon stuff in my free time. But it was this way for the past 10 years and I never had any problems. Sometimes I think about buying i private phone, but it seems kinda stupid to have two of these devices.
In addition, some companies install software on each employee’s machine that enhances what they can monitor on that machine. It may not be labeled “corporate spyware” but something like “endpoint security”, yet it may have the capacity to track pretty much everything you do.
Products such as Cisco Umbrella cover both. There’s a DNS appliance inside the network, as well as a client software that installs on devices that forces them to use Umbrella’s public DNS server when being used on another network.
This means we can track everything on the company owner device, even when you are at Starbucks or at home.
Never expect privacy on any device and/or network you don’t have ownership and control over.
Never do anything on work machines/networks you don’t want to have to explain to hr/legal.
Absolutely. Everyone could use that reminder
Sr. Systems Admin here. IT does not give 2 shits about what you browse UNLESS something is reported or something trips our Alerts (has to be something major like Child Porn).
We don’t sit there and actively monitor and watch what you are browsing. We investigate when something is reported by a worker or an Alert/Filter gets tripped
HR also doesn’t know unless we tell them.
Depends on the company size and the people above IT. Sometimes the boss is a chode and demands everyone be supervised like children constantly.
That’s still inline with what they said.
Second. I once had a staff member come to me all embarrassed because someone sent a dick pick via some dating app while they was on our corporate wifi. I was like, “I promise we don’t care”.
I mean, its HTTPS right?
Https is no match for work monitoring: pre-installed software, certs.
Pre installed certs would be a huge vulnerability
Uh no? Most organizations use preinstaed certs. They are usually baked into the Windows image for deployment… They are what allow a corporate device to connect to WiFi networks without a password.
I’m not sure what you’re saying? Those certs log to somewhere and in my experience HR is nowhere near technically literate enough to monitor and track that stuff.
Usually a manager asks a sysadmin to watch someone’s stuff, then the sysadmin and manager tell HR what they find.
We had a contractor spending 90% of his day on reddit who got fired. Hr wouldn’t have been able to pull this info since they don’t have access to the system that tracks it
All of the “privacy experts” in this sub wouldn’t know a certificate if it bit them in the ass. Most don’t even know of VPNs outside of the “privacy” services hawked by YouTubers.
Certificates can be used to authenticate machines to wired or wireless. This is true. They are much easier to maintain at scale than pre-shared key, especially when you run an internal CA and can issue or revoke them easily/automatically, and when you run a domain and can push out additional trusted root CAs to endpoints.
And if you have either an internal CA or a domain (ideally both), it’s very simple to have your firewall or web filter perform man-in-the-middle “attacks”. Most everything nowadays can handle TLS1.2 and many are starting to support TLS1.3. They essentially break open the traffic for inspection and re-sign it with a certificate that your system trusts so there is no error to the user. Some sites and apps have a hard time with this because of HSTS and pinning, but that’s a bit of a tangent.
I say “attacks” in quotes because they own the hardware and they own the time of the person using it.
Anyways, don’t do anything on a work computer you wouldn’t want your boss to know about. We usually aren’t actively watching the traffic, but some things are hard to ignore, and sometimes the CEO just wants to know who else has a diaper fetish for “official reasons”.
RADIUS doesn’t depend on preinstalled certs. But I wouldn’t use Windows anwyay.
That only applies to work devices. If you’re using your personal device, they would be able to see traffic to/from a dating website but not the actual content.
Yeah, but the it’s a good rule anyway, for some of the same reasons as the “Don’t put it in an email if you wouldn’t want it read aloud in a deposition” rule.
deleted by creator
Probably for audit/investigation reasons.
IT generally doesn’t care (doesn’t want to care) but you still shouldn’t do personal stuff on work machines/profiles.
Also do some really weird things that are innocuous so the HR lady looks at you weird from now on.
Examples please?
deleted by creator
Reload every five seconds the global doomsday countdown clock.
You sick €%#¥! /s
Everybody has a cell phone nowadays. There’s no excuse not to use your cell phone for private stuff. In fact don’t use the company Wi-Fi. You must use the company Wi-Fi then you must use a VPN
But no excuse anymore not to use your phone, you don’t need to use the word computer to browse, send emails, flirt, whatever
Everybody has a cell phone
All of my colleagues have work provided phones and laptops. They do all their personal shit on these devices (they don’t have their own)
They think i’m a huge weirdo for having my own personal devices… “Why waste money? Work gives us computer/phone… Lol, you carry two phones like a drug dealer?”
Just tell them “I don’t want to spend company’s resources for my own private life.”
The only way is to give them back that guilt and fear they are feeling.
WTF? What country? Even at jobs where I was given a phone no one felt like ditching their personal devices.
I suspect its a millenial thing…
A few of us old guys keep personal devices… Our young colleages just expect the company to provide devices for them and never have to buy their own
Or we can’t afford our own 😕.
personal
Decent used laptops are quite affordable. I recently scored one on Ebay for under $100. It runs Linux and everything is snappy.
Hustlah 4 lyfe
Then they have nobody to blame but themselves when drama happens.
IT: “You’ve been fired. Please return your laptop…”
“But how do i retrieve all my personal files?”
IT: [Shrug emoji]
Like IT gives you any time to get anything off a corporate-owned device.
When I got laid off, IT sent a bullet to my laptop immediately kicking me off and completely locking me out of it.
I was supposed to have another 4 days to transition my work. I contacted IT and was told once the bullet goes out, that’s it. Any and all access to everything has been terminated. Might as well just go home and enjoy the extra 4 days because no one’s going to undo a bullet going off early unless it comes from the C-suite. So I did.
@EmbeddedEntropy @9488fcea02a9 Okay. Note fur future me: BACKUP🙃
it’s one thing if they pay for them but if they are actually company devices that’s fucking weird
Nope. It’s not a pay and reimburse situation
Pure company owned devices
I would love to see the look on your friends faces if they ever got caught doing something they shouldn’t have on company property.
Don’t most work Wifi networks prevent VPN use?
No.
then spin up your own wireguard instance and connect to it?
Use Tailscale. Much easier to configure and manage than raw WireGuard.
raw wireguard is hard to setup? since when?
I’ve done both. I wrote my own scripts to generate the WG config files to handle variations in configure I needed to make for my different networks (masking, IPv6, cross multiple WG networks).
After converting to Tailscale, WG is just an extra level of hassle I can now easily avoid.
If only it was that easy…
Tried that. And openvpn tun+tap configs, Various ports incl 443, even shadowsocks. None of it gets through.
Mine does. They also keep an eye on it because I had gotten through it and that only worked a few days before it was blocked too. Didn’t want to press my luck after that.
This has not been my experience
Not sure why you’re down voted. Yes some definitely do. You could get around it by hosting your own VPN on 443 or something but some do lock it down.
Their network, their rules. Makes sense.
deleted by creator
And if you don’t have a VPN set up, use Tor on your phone:
https://play.google.com/store/apps/details?id=org.torproject.torbrowser
That’s fair, bur if your not using a VPN just don’t connect to wifi at all. Too easy to make a mistake
Guardian Repo on FDroid… preinstalled
The Tor website provides .apk files for Android, and there is an F-Droid release too. https://www.torproject.org/download/#android
You must use the company Wi-Fi then you must use a VPN
The company VPN or the client VPN, sadly
I mean if your personal device is attached to a work network use a always on personal VPN.
If you can’t for whatever reason then don’t connect to the wifi!
your work sees all your browser history
Possibly, if they’ve bothered to configure their machines that way. And only on the browsers they’ve configured that way and only on their machines.
Also, please don’t assume that your work operates the same way as everyone else’s work.
We have that capability but dont really have the time or need for it. having said that, it only takes one rouge employee to mess it up for everyone else.
it only takes one rouge employee
What about a pink employee?
They were tickled?
Sir, that is not an employee. That is a pig.
I’m not on the IT team but have elevated permissions. I can dial into any of my subordinates computers “invisibility” I might add, and watch their screen. I can copy data remotely. It’ll take me a few minutes to grab an image of their computer “for backup” reasons, restore it on another computer, and then safely view their history.
By invisibility, I still leave log traces on their computer.
I’m not going to, because wtf. But I totally do have that power.
What are you talking about? They definitely dont see what I browse in a whonix Qube…
Wow, didn’t know that is possible. Is it same behavior with other browsers?
Same can be said for any browser, any app, any connection while on the employers network IF they wished to monitor it. Even if you were able to delete all local browsing history and used private browsing, your employer would still be able to know every site you visit if they wished.
If you’ve authenticated with your credentials on the device, IT is able to see IPs visited and DNS queries and has access to all sorts of network tools to track, shape and otherwise manage your activity.
It’s best to assume that nothing you do on your employers network, even when logging into their corporate VPN from a personal device, is private.
I’m always shocked by privacy conscious people who do not have complete segregation of work and personal equipment and devices.
They can monitor anything they want.
They could even force you to connect to a mainframe instead of your own computer in order to work, and only allow you to click on 3 allowed buttons if they wanted to.
It is their hardware, they can do what they want.
Quick question, private mode can be locked too, right?
I mean yes it can be locked. It can all be controlled by the group policy.
But either way, they can monitor all network traffic going through their network.
mean yes it can be locked. It can all be controlled by the group policy.
Okay, ty. That what is what I wanted to know.
Yes
Okay
Sorry, I see in another comment you were looking for a more technical explanation. I feel like I didn’t contribute to that at all.
Private mode is absolutely not private at work even if it’s enabled. They see everything you access with their network and know exactly where the traffic is coming from and going to.
I know, I was just curious. I was Interested in the technical detail.
For US government employees USAJobs is probably one of the most accessed websites.
Also in Google searches, if you click the vertical … next to the URL on results, click the down arrow in the pop-up, and click Cached you can likely access a version of the website your white/blacklist service doesn’t block. If there are SFW sites you need access to. Generally all scripts are disabled, though.
Of course they can, they literally own the machine. You don’t own it, so don’t treat it like it’s your own private job hunting platform or porn viewer.
Yea, this regular “surprise” that work computers are… IDK… owned by work and are configured as the owner requires… is so strange to me.
deleted by creator
Unless you work in recruitment or porn…
Or maybe you’re a porn recruiter, that’s a double whammy.
Yes I imagine it might be!
I work in cybersec - I’m not going to speak for all businesses or individuals but I will give you my perspective.
Sometimes we need to see browser history to help with timeline correlation, it’s mainly to see “how did this file get here, was it downloaded etc.
Sometimes the investigators need to check out the things they need to check out, BUT
BUT
It needs to be done precisely and sparingly where needed only. This means instead of going through the entire history file, or doing unrelated correlation work (spying on you without cause) you are going to only grab specific timeframes from things you suspect explicitly to prevent any overreach. It’s a tricky balance to hold but also why it’s so important for people in tech to be privacy advocates as well.
There’s a difference between searching for answers to a problem that arose and looking for/predicting problems (thought crime detected!)
Same for our company, and all companies whose security folks I’ve had a chat with. We don’t give a fuck what you do on your computer. Almost all security folks are into privacy themselves, additionally to simply not having the time to look at people’s browser history or traffic or whatever.
Yes, we have the option to collect data. No, we don’t look at it unless there is a very good reason to do so. And we protect that data, HR or whoever can’t just have it if they feel like taking a look. There is a process to protect the data, because that means protecting the company.
Your security team is not the enemy.
I agree with you completely
Another Cybersec worker here, and I’ll broadly agree with all this. That said, I’d also point out that, depending on your site setup, the browser history may be nothing more than another place to correlate information we have from elsewhere.
Several sites I have been at have used Data Loss Prevention (DLP) software which automagically records (and possibly blocks) data moving into and out of the environment. This can be very detailed, to the point of knowing when someone copy/pastes data to a web form. I’ve also been at sites which sniff web traffic at the firewall and record full pcaps and extract metadata for quick analysis. So yes, for those not aware, deleting browser history or using “in private” browsing or other steps to avoid us seeing your porn browsing, may not be as effective as you think.
All that said, I’ve never been on a Cybersec team which has had enough time to really care about porn browsing, so long as you are not putting the network at risk. And, so long as HR/Management doesn’t tell us to care. We have better things to spend our time on.
Lastly, if you don’t want us seeing it, don’t so it on a work computer. Look, we have lots of ways to see what you are doing. Just, do that stuff at home, on your own hardware. And leave the work computer for work. Writing up misuse reports is something I really hate doing.
I also work in cybersecurity. Second everything this person said.
This thread is a good reminder, because at many organizations HR / management can and will look at your browser history (and computer activity in general) as a method of monitoring performance and staying in control.
But at my organization, we have never once looked at anyone’s browser history (and I know that HR hasn’t because they would have to go through us). We certainly could if we were asked to and we would if there was an incident (what we would care about is sensitive / confidential information getting leaked or suspicious activity on the network using a specific person’s credentials, suggesting those credentials may be compromised). But in almost 2 years (we’re a startup in the aerospace electronic sector) we have never once had cause to do that and we have a philosophy that happy relaxed employees who feel trusted by their employer are the kinds of employees that we want, so we wouldn’t intrude that way without cause ever.
I third(?) this. Security and IT teams are too busy to be monitoring your everyday habits. Sure, they can see your history if they wanted to, but they won’t unless there is an appropriate justification to do so, and it’s usually triggered by an incident or HR. There also stricit rules with doing so because employees still have the right to their own privacy. It’s not like HR can just go over to the security guy and ask them to pull someone’s browsing history.
My work has a 100% mandatory vpn and mitm proxy for ssl scanning. I just use parsec to view my laptop from my desktop and browse what I want on my actual personal computer
Luckily my work hasn’t disabled the remote desktop application protocol. So I do the same, but without parsec.
Can’t install parsec on the work computer, and the web app displays a black screen.
Don’t forget the agents they install that take screenshots every 10 seconds!
Nothing to screenshot if all of my personal stuff is on a completely different pc
That doesn’t mean someone isn’t going to pull those up to reprimand you, or monitor your work.
There’s privacy from personal things, then there’s overbearing micro management who will literally track “Mouse hovering” and “Keyboard Idle Time” or how long you take to write an email.
Amingst the other creative ways they can try to keep you at a level “non promotable” status or whatever leverage to control you.
I’ve never had to suffer from it, I do my job, but as a systems admin/engineer for over 15 years, I’ve definitely worked at places that implemented it at our expense, or we had to set it up for our clients using it against their own staff.
Yep. Good point.
My work has a 100% mandatory vpn and mitm proxy for ssl scanning
These are worse than useless. They are anti safety. If this box or its private keys get compromised ALL tls traffic of all employees is immediately plaintext.
Any company that buys one of these appliances from mcafee or whatever is asking for it (losing most/all their secrets)
Oh I 1000% agree. But you try to convince my opsec colleagues
That sort of thing is required for a lot of enterprise certifications. When you do work for government, healthcare, banking, etc. stupid “security” is mandatory for checking off compliance requirements. Not that any of it has to be in any way effective…
when breaking the internet and end-to-end encryption are part of any kind of “enterprise certification” that certification is worthless (or worse) and probably some kind of chinese or russian (or the CIA or whoever, certainly not your friend) psyop. Only a mindless idiot would implement it.
Unlimited mobile data with tethering and no blocking of piracy websites ftw
That’s a nice dream. Not a reality in many places.
No mobile data access, or bad mobile plans?
Canadian mobile plans, in my case.
Oh no, my employer might find out I’m looking for other jobs after being overloaded for a year and a half and constantly having my concerns/feedback/process improvement initiatives brushed aside.
I have been hinting to my manager for 6-9 months that he needs to move part of my workload elsewhere so that I can focus and actually achieve something. To think, all it took was for me to tell him straight that I was unhappy and unfulfilled to the point that I was considering resigning. Suddenly he’s all apologies and let’s make changes because you’re kind of vital and we don’t want to lose you.
And I was fired for it. Depends on the market demand I suppose, some industries there is no denying your worth, in others you’re disposable.
I love the fact that firing me what the person you’re answering mentioned is illegal here.
Peace of mind.
Yeah pretty outrageous, I soon found out employment rights in Ontario Canada are practically useless. I had no idea, I thought I had some basic protections, it’s almost nothing.
Shot, i regularly browse jobs websites even though Im not looking to change jobs again soon. Just to keep them guessing.
