Post Computer Pictures Here

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > YOSPOS > Post Computer Pictures Here

Notorious b.s.d.: Jan 25, 2003; by Reene

big scary monsters posted:

at a company in the US, probably, in europe, probably not

apparently it's not uncommon for web filter systems to even intercept https traffic using an internal ca

corporate networks usually man-in-the-middle ssl, yes

but they will whitelist sites to not be MITM'ed. your employer has zero interest in monitoring your interactions with your bank, for example.

# ? Mar 12, 2017 17:01

Adbot: ADBOT LOVES YOU

# ? Jun 9, 2024 22:40

big scary monsters: Sep 2, 2011; -~Ｓｋｕｌｌｗａｖｅ~-

goddamnedtwisto posted:

on a corporate network in most of europe, it's absolutely legal, with varying degrees of spelling out to your employees that you're doing it

surely it'd fall foul of the DPD, especially if you're doing mitm on https. for example: it's my lunch break. i log in to my online banking on the company network and transfer some cash to my daughter. then i go on amazon and order a birthday present sent to her home address. finally i send her a tasteful jacquie lawsons e-card. now the company has processed and stored her personal information, without her knowledge or consent, and would seem to lack a specific and legitimate purpose for holding that information

unless you're doing very hands-off and minimally intrusive filtering/monitoring, i don't see how you could avoid a hundred scenarios like that happening every day. i admit that this is not an area i'm exactly clued up on, i'm just going off half-remembered training stuff, so i'd be interested in hearing it from someone who actually has a clue

# ? Mar 12, 2017 17:01

NoneMoreNegative: Jul 20, 2000; GOTH FASCISTIC
PAIN MASTER

shit wizard dad

muffled reeeeeeee

# ? Mar 12, 2017 17:25

Notorious b.s.d.: Jan 25, 2003; by Reene

big scary monsters posted:

surely it'd fall foul of the DPD, especially if you're doing mitm on https. for example: it's my lunch break. i log in to my online banking on the company network and transfer some cash to my daughter. then i go on amazon and order a birthday present sent to her home address. finally i send her a tasteful jacquie lawsons e-card. now the company has processed and stored her personal information, without her knowledge or consent, and would seem to lack a specific and legitimate purpose for holding that information

the specific and legitimate purpose is monitoring employee activity

you, as an employee, are extensively and repeatedly informed that the company monitors your activity on corporate networks. you and you alone are responsible for violating your daughter's privacy.

(also, the bank's web site would probably be whitelisted, since the company has zero interest in snooping on your banking activity. but that's not important here.)

# ? Mar 12, 2017 17:35

Shaggar: Apr 26, 2006

all traffic on your corporate network should be snooped for security reasons. do not do personal poo poo on company resources.

# ? Mar 12, 2017 17:37

KoRMaK: Jul 31, 2012

ugh sounds like heck

# ? Mar 12, 2017 17:39

Salt Fish: Sep 11, 2003; Cybernetic Crumb

big scary monsters posted:

surely it'd fall foul of the DPD, especially if you're doing mitm on https. for example: it's my lunch break. i log in to my online banking on the company network and transfer some cash to my daughter. then i go on amazon and order a birthday present sent to her home address. finally i send her a tasteful jacquie lawsons e-card. now the company has processed and stored her personal information, without her knowledge or consent, and would seem to lack a specific and legitimate purpose for holding that information

unless you're doing very hands-off and minimally intrusive filtering/monitoring, i don't see how you could avoid a hundred scenarios like that happening every day. i admit that this is not an area i'm exactly clued up on, i'm just going off half-remembered training stuff, so i'd be interested in hearing it from someone who actually has a clue

My dude have you heard of ssh tunneling?

# ? Mar 12, 2017 18:11

Nitr0: Aug 17, 2005; IT'S FREE REAL ESTATE

Salt Fish posted:

My dude have you heard of ssh tunneling?

lol if you think a corp doing ssl mitm attacks isn't going to block or at least notice your goofy ssh tunnel

# ? Mar 12, 2017 18:30

Trabant: Nov 26, 2011; All systems nominal.

https://twitter.com/K2PLANTHIRE/status/838675439971348480

# ? Mar 12, 2017 18:37

Improbable Lobster: Jan 6, 2012; "From each according to his ability" said Ares. It sounded like a quotation.; Buglord

# ? Mar 12, 2017 18:46

Notorious b.s.d.: Jan 25, 2003; by Reene

Salt Fish posted:

My dude have you heard of ssh tunneling?

ssh tunneling through a proxy only works if HTTP CONNECT is available and works correctly. which it never does in a mitm environment.

which is, of course, the point of the mitm.

they don't want you passing arbitrary things through the proxy

# ? Mar 12, 2017 18:48

Silver Alicorn: Mar 30, 2008; 𝓪 𝓻𝓮𝓭 𝓹𝓪𝓷𝓭𝓪 𝓲𝓼 𝓪 𝓬𝓾𝓻𝓲𝓸𝓾𝓼 𝓼𝓸𝓻𝓽 𝓸𝓯 𝓬𝓻𝓮𝓪𝓽𝓾𝓻𝓮

# ? Mar 12, 2017 18:51

Improbable Lobster: Jan 6, 2012; "From each according to his ability" said Ares. It sounded like a quotation.; Buglord

# ? Mar 12, 2017 19:06

KoRMaK: Jul 31, 2012

https://i.imgur.com/ChJwwZc.mp4

# ? Mar 12, 2017 19:08

goddamnedtwisto: Dec 31, 2004; If you ask me about the mole people in the London Underground, I WILL be forced to kill you; Fun Shoe

big scary monsters posted:

surely it'd fall foul of the DPD, especially if you're doing mitm on https. for example: it's my lunch break. i log in to my online banking on the company network and transfer some cash to my daughter. then i go on amazon and order a birthday present sent to her home address. finally i send her a tasteful jacquie lawsons e-card. now the company has processed and stored her personal information, without her knowledge or consent, and would seem to lack a specific and legitimate purpose for holding that information

unless you're doing very hands-off and minimally intrusive filtering/monitoring, i don't see how you could avoid a hundred scenarios like that happening every day. i admit that this is not an area i'm exactly clued up on, i'm just going off half-remembered training stuff, so i'd be interested in hearing it from someone who actually has a clue

okay, answering just for the uk because my knowledge of eu law is much sketchier. a much simpler example is personal email accessed from a corporate ("private" in uk legal terms) network, which is perfectly legit for companies to capture as long as they do not process or transfer it for reasons otherwise forbidden by law. so it's perfectly legit for a company to capture all of your internet traffic, even decrypting it, as it transits their network, for the purposes of protecting their own network or commercial interests. so virus-scanning it or even searching it for evidence that you're stealing for the company is fine, using it to discover that you're pregnant and sack you before you have a chance to declare it (and get statutory protection) isn't.

there's a proportionality test - you can't hold everything indefinitely, and you can't intercept everything just to work out who keeps leaving the toilet seat up, and there's still a requirement to inform your users that you're doing it (and allow them to access all data you hold about them - and also anyone else with a court order or dpa/ripa authority), but the balance is very much towards the company.

even under eu law you're not legally entitled to your own ideas on company time, why would your email be any different?

# ? Mar 12, 2017 19:19

jetz0r: May 10, 2003; Tomorrow, our nation will sit on the throne of the world. This is not a figment of the imagination, but a fact. Tomorrow we will lead the world, Allah willing.