bull3964 posted: How in the world can you handle stuff like data exfiltration?

You need to use fully automated systems, like Purview, that block the user doing the act rather than doing queries on the XDR activity feed. Once the breach is confirmed, you have full authority to check the full gamut of activity logs.
# ? Dec 29, 2023 23:46

That makes sense. When I was working at a place that had access to medical client databases including customer SSNs, I was pushing hard for some kind of access control with logging so that if someone went in and scraped the SSN/DOB/name/address fields we could see who had recently accessed those customers. As of the time I left, the database credentials were still in plaintext on a SharePoint page accessible to the entire company.
# ? Dec 30, 2023 00:29

22 Eargesplitten posted: That makes sense, when I was working at a place that had access to medical client databases including customer SSNs I was pushing hard for some kind of access control with logging so that if someone went in and scraped the SSN/DOB/name/address fields we could see who had recently accessed those customers. As of the time I left, the database credentials were still in plaintext on a Sharepoint page accessible to the entire company.

Show of hands if you've seen the following exchange in Teams/Slack/Whatever: "Does anyone have the prod admin creds? I need to get in and change [thing that should be part of change control]" "admin/admin1" "Thx"
# ? Dec 30, 2023 01:47

SlowBloke posted: You need to use fully automated systems, like purview, that block the user doing the act rather than doing queries on the xdr activity feed. Once the breach is confirmed, you have full authority to check the full gamut of activity logs.

But in order to do that, you have to MITM the security. That's the bit I'm having trouble with here. There can't be privacy by definition. Automation in the analysis of data and the ability to access data that's not anonymous if the need arises means that the same level of privacy intrusion is happening; the only thing that may be different is the bar needed to access the raw data. The data is collected regardless.

If you can inspect an SSL-encrypted HTTP POST to prevent someone from leaking restricted information, that also means you intercepted the personal credentials for someone's Google Drive or OneDrive account. It also means you are intercepting those things on people who aren't doing anything wrong, because you have to in order to check for bad actors. Even if you discard that information promptly and no human eyes see it, the security is still compromised. I don't see a ton of difference between someone looking at a log stream that has my Gmail credentials in it vs some algorithm. Neither one is preserving privacy.

The line seems fuzzy. If they can't report on who's accessing Facebook on company assets, are they also forbidden from monitoring what applications are installed on a computer? If someone is fired and locked out of their computer, is it forbidden for anyone to access the drive without wiping for fear that someone may have personal photos or documents on it? Not trying to start an argument mind you, I'm just curious about this because it seems like there's a different definition of privacy.

I'm as anti-employee monitoring as they get, but I'm having trouble with the concept that monitoring activity on an asset that you don't own is a violation of privacy as long as it's not doing something like recording audio or flipping the webcam on (since that's gathering information outside of the controlled asset).
# ? Dec 30, 2023 01:48

bull3964 posted: How in the world can you handle stuff like data exfiltration?
# ? Dec 30, 2023 02:10

Every. EVERY connection to the Internet coming out of our workstations is MITM'd through Zscaler. That's one of the reasons why you would never catch me doing anything personal on a work device. The cert issuer in the browser is Zscaler and nothing is private.
# ? Dec 30, 2023 03:28

bull3964 posted: ...

Europe literally has laws that say employers can't do certain things even though they own the machines. It's that simple. The software being able to access anyone's data is irrelevant until access actually occurs. The courts and follow-up legislation deal with the particulars of special cases like software making automated disciplinary or pay raise decisions based on info the law deems private.

Blue Footed Booby fucked around with this message at 07:09 on Dec 30, 2023

# ? Dec 30, 2023 07:01

How could a system developed to track if people are at their computer or not that is running continuously not be an invasion of privacy? A non-program analog would literally be someone standing there just looking at you. And your right to privacy isn’t something that just disappears at work.
# ? Dec 30, 2023 09:15

zokie posted: How could a system developed to track if people are at their computer or not that is running continuously not be an invasion of privacy? A non-program analog would literally be someone standing there just looking at you.

That's the thing though. In our hellscape US there are jobs where someone literally just does that.
# ? Dec 30, 2023 09:22

bull3964 posted: But in order to do that, you have to MITM the security.

Issue is not being able to do user data activity logging and data introspection, issue is physical people knowing the user activity and seeing the data feed. If your security systems are automated black boxes and IT staff cannot see what users do, it's perfectly fine. The moment IT staff gets to see the users' data feed without a data breach procedure being active, welcome to hell.

Our sequence, which has been validated by a team of a dozen GDPR and privacy lawyers, is as follows:

1. The user does something bad to the point of triggering Purview.
2. Purview notifies the DPO, who will assess the gravity and, if it's not a fluke, blows into the horn of Gondor, activating the crisis team, a select group of staff with a mandate to deal with GDPR-adjacent issues.
3. Once the team is fully gathered, all data pertinent to the event (and nothing else!) gets analyzed, documenting the fact that the team is touching the user data logs.
4. If the issue is bad enough to warrant the cops, a data breach sequence is initiated and all the logs get archived in a bundle to be provided to the police. Otherwise, HR will set up training for the user, including remediating the improper data transfer.

Touching the user data logs when not under a GDPR breach sequence is not just termination-grade stuff, it's also civil lawsuit time.

For funsies our net team also suggested doing HTTPS introspection, and when we explained to them how badly the assfucking would have been if they saw even an instant of user data that showed religious or political info about a specific individual, they backed down immediately.

SlowBloke fucked around with this message at 10:14 on Dec 30, 2023

# ? Dec 30, 2023 09:53

SlowBloke posted: Issue is not being able to do user data activity logging and data introspection, issue is physical people knowing the user activity and seeing the data feed. If your security systems are automated black boxes and it staff cannot see what users do, it's perfectly fine. The moment it staff gets to see the users data feed without a data breach procedure being active, welcome to hell.

This is the key thing; often with GDPR it's not about the collection of the data, it's about the processing and use of it. There was a (sadly anonymous) Dutch company that got fined for misusing biometric authentication data. Collecting it was absolutely fine as required for incident response and other legitimate purposes, but they were trying to use it for employee time-tracking and attendance purposes. This was a big no-no and got them a 750k fine. I believe also that TikTok got dinged for trying to use biometric data to work out the users' ages or something, but I might be misremembering that.
# ? Dec 30, 2023 10:36

I have access to the OT firewalls at work, and the One Big Rule regarding that access is that I am not allowed to actively "follow" a user's activity in any way unless there's an active breach. I don't have access to the IT-side firewalls but the process there is even stricter.
# ? Dec 30, 2023 10:54

zokie posted: A non-program analog would literally be someone standing there just looking at you.

How does this differ from an office situation where this can actually happen? If a manager can look up from their desk and see what everyone is actually doing whenever they want, they can easily see if someone is messing around on Facebook or spending all their time on their phone.
# ? Dec 30, 2023 16:11

SlowBloke posted: Issue is not being able to do user data activity logging and data introspection, issue is physical people knowing the user activity and seeing the data feed. If your security systems are automated black boxes and it staff cannot see what users do, it's perfectly fine. The moment it staff gets to see the users data feed without a data breach procedure being active, welcome to hell.

I work for a company that does literally this and this is accurate. The data is gathered in compliance with storage requirements (tokenized, with location-specific requirements) and access is tightly controlled and audited.
# ? Dec 30, 2023 17:46

bull3964 posted: How does this differ from an office situation where this can actually happen? If a manager can look up from their desk and see what everyone is actually doing whenever they want, they can easily see if someone is messing around on Facebook or spending all their time on their phone.

Because it's someone's home, because someone taking a glance or walking around is different from continuous surveillance and monitoring. Because it's looking at a group of people (a public, if you will) versus looking at them each as isolated individuals. Because you can see the manager doing the looking when they are doing it, instead of knowing that you are monitored every single millisecond of every second of every minute of every hour of every day. Because a person doing it normally leaves no record, but a program probably does.

Like if you go inside a conference room or whatever, and sit down with your monitor facing a wall opposite the door. Then the manager enters and walks around the table to stand behind you just to look at your screen, is that not creepy? Not an invasion of privacy??

zokie fucked around with this message at 19:10 on Dec 30, 2023

# ? Dec 30, 2023 19:07

zokie posted: Because it's someone's home, because someone taking a glance or walking around is different from continuous surveillance and monitoring. Because it's looking at group of people (a public if you will) versus looking at them each as isolated individuals. Because you can see the manager doing the looking when they are doing it, instead of knowing that you are monitored every single millisecond of every second of every minute of every hour of every day. Because a person doing it normally leaves no record, but a program probably does.

I don't disagree with you, but I want to point out that there is a huge cultural gap here. In the US, managers expect to be able to do this. Think about your typical US cubicle farm. Managers' desks face towards the door / cube opening so their computer is facing the wall and nobody can see what is on their screen. Workers' desks face the cubicle wall so a manager can see what the worker is doing without the worker seeing the manager behind them. This is intentional and it has been pervasive since basically forever, so the cultural norm is that workers do not get any privacy ever. Some companies make their remote workers work with a webcam on the entire time so a person can sit there and watch them do their jobs. That's an extreme case, but it's the kind of work culture we're dealing with here.
# ? Dec 30, 2023 19:47

Slavery never ended in the US. It just changed forms.
# ? Dec 30, 2023 19:57

If one of my people forgot to clock in or out on a given day (my people are machine operators and mechanics), I use the door fingerprint readers to verify what time they got on site and clock them in on their behalf.
# ? Dec 30, 2023 20:11

zokie posted:
Overbearing definitely. Creepy, depends on a host of other factors. But invasion of privacy? No, I don't see it. If it's a work laptop you are doing work on it and your manager is well within their rights to see that work. Again, I don't view it as healthy behavior in a work environment and I wouldn't like it, but I can't see how it's an invasion of privacy. If my privacy is invaded, that means that someone may glean something personal and private about me without my consent. That can't be done by looking at my work laptop screen. If you ducked into a conference room to take a personal phone call and someone went out of their way to listen in then absolutely yes, it's an invasion of privacy. I know I'm being somewhat obtuse on this since people do use work machines for personal use more than they should. I'm also not advocating any sort of extreme monitoring on what people are doing since people should be evaluated on the work that they do. I just find the idea curious that a human somehow seeing information like this, when people are putting it in places that they absolutely should not be putting it, is a burden for the business to solve for and indeed can incur penalties for stumbling across it. This is even more so when that information is absolutely collected and stored anyways and it's only the processing/uses that's under restriction. Presumably a person leaving a company can request that any information like that about them must be purged, but how does that factor into regulatory retention requirements? How does something like this work for phishing tests/awareness? It seems like sending simulated phish out and monitoring the engagement, assigning out additional training for those who fail, would fall under similar restrictions for privacy. I don't expect these questions to be answered here and further the derail and I'm sure the specifics about regulations deal with stuff in a more nuanced way. 
I consider myself to be a pretty privacy forward person (I specifically asked to be removed from a government project since I didn't want to go through the public trust security process) and think the US's regulations need a serious overhaul in that regard. I think companies should tell you what data they have on you, what they do with it, and have the ability to be forgotten. I'm just having trouble with the idea that you should have an expectation of privacy on equipment that you do not own, do not control, and are told specifically not to use for personal means.
# ? Dec 30, 2023 20:28

bull3964 posted: Overbearing definitely. Creepy, depends on a host of other factors. But invasion of privacy? No, I don't see it. If it's a work laptop you are doing work on it and your manager is well within their rights to see that work. Again, I don't view it as healthy behavior in a work environment and I wouldn't like it, but I can't see how it's an invasion of privacy. If my privacy is invaded, that means that someone may glean something personal and private about me without my consent. That can't be done by looking at my work laptop screen.

The invasion of privacy argument is somewhat weak since the capitalist wage labour relationship already constitutes an invasion of sorts. I think why this stings so much is that it's adding insult to injury; not only are you being paid less than your labour is worth in a job that doesn't care about you, being graded on the quality of your work isn't enough, someone feels the need to constantly monitor you to ensure they're getting the last dregs of productivity out of you. Which to be honest doesn't even work long term. I would say the purpose of this isn't even about productivity when you get down to it, it's about power. It's the same thing as the return to office push; the evidence is all over the place as to whether workers are more productive at home or in the office, but what management gets in the office is the feeling of reassurance that people are there and working, i.e. they feel more secure in their power in that scenario.
# ? Dec 30, 2023 20:50

I mean, I'm not in any disagreement about the reasons why companies want to do this sort of stuff and how unproductive it actually is to implement it. To me it's just a symptom of a toxic work environment and of one that doesn't value or trust its employees, but not an actual debasement of their privacy rights.
# ? Dec 30, 2023 21:09

nielsm posted: In a good world, that kind of tool would be used to detect broken workflows and start improvement projects.
# ? Dec 30, 2023 21:20

Arsenic Lupin posted: Sitting and thinking is part of the workflow.

The implication I was attempting to make is that if it's used to detect keeping a session from locking because that will interrupt or deprioritize some running process, then that's a target to fix. If it's used to detect someone being interrupted while following regular change procedures, because they might get the session locked while verifying the next step to perform and/or registering the result of a step and/or performing a step on a different system, that's a broken process that needs fixing. If your boss taps you on the shoulder because your workstation has locked because you're analyzing something on a whiteboard or just thinking through something, that's your boss who's broken and needs replacement.
# ? Dec 30, 2023 21:52

Wow, you really are broken over there. You all seem to agree that it’s stupid, creepy, unproductive, and that the only purpose of this kind of monitoring is to demean and dehumanize workers. BUT it’s well within the rights of a company or individual manager to do this, so really can tell…
# ? Dec 30, 2023 23:55

bull3964 posted: I mean, I'm not in any disagreement about the reasons why companies want to do this sort of stuff and how unproductive it actually is to implement it. To me it's just a symptom of an toxic work environment and of one that doesn't value or trust its employees, but not an actual debasement of their privacy rights.
# ? Dec 31, 2023 00:28

It sounds like what bull is saying is that it doesn't seem like it's a privacy violation by US law, which I think is probably right although I assume none of us are lawyers. Also anyone who refuses to comply can be fired for completely unrelated yet unspecified reasons thanks to at-will employment, yay. That said, if I found out that a company was doing that, I'd be looking for a new job. Closest I've had is someone telling me "Hey Teams says you're offline" thanks to Teams being buggy and requiring me to bounce it sometimes. I'm fine with that because I want people who need to reach me to know they can.
# ? Dec 31, 2023 01:28

Man, do not get me started on Teams, especially New Teams. poo poo will say I'm green in the task bar, so available, but if I don't click it after it launches, it actually shows me as offline! If I disappear and stop posting, either I forgot this website exists (again) or I killed someone on that product team at Microsoft.
# ? Dec 31, 2023 02:57

Our big rollout of Teams to replace Skype (the regular one, not Skype for Business) has been delayed, again. Sysadmin mentioned it was because our DNS was hosed, so we had to use the .onmicrosoft.com virtual email addresses and can't use our own yet. I'm still waiting for any further instructions at all, beyond the initial "hey we're gonna turn it on Dec 27th, please be in office" email, which was quite quickly followed by "since nobody is in office after xmas, here's a new date".
# ? Dec 31, 2023 08:45

Sywert of Thieves posted: Sysadmin mentioned it was because our dns was hosed so we had to use the .onmicrosoft.com virtual email addresses and can't use our own yet.

this is hilarious to me
# ? Jan 1, 2024 00:07

22 Eargesplitten posted: It sounds like what bull is saying is that it doesn't seem like it's a privacy violation by US law, which I think is probably right although I assume none of us are lawyers. Also anyone who refuses to comply can be fired for completely unrelated yet unspecified reasons thanks to at-will employment, yay.
# ? Jan 1, 2024 00:26

I've been running VirtualBox VMs on my old Win10 desktop, which has an Intel 6700K and 32 GB of memory. The VMs have been slow and stuttery, which I just attributed to old hardware. It even got to the point where I started browsing eBay for newer hardware because the VM lag was grating on me. Turns out to be user error. Hyper-V apparently will still try to gently caress things up even if you disable it through the GUI. I found this post which talks about how to properly disable Hyper-V. Since doing that my VMs have been buttery smooth, with even fewer assigned resources, and I should get more life out of this old desktop. If you use VirtualBox on a Windows 10 host, and you notice odd performance, you might want to check it out.
# ? Jan 1, 2024 20:37

Arsenic Lupin posted: Sitting and thinking is part of the workflow.

The number of times I've finally found a solution to X major problem while wandering around my kitchen staring blankly at the coffee filters or taking a poo poo is absurdly high. I figured out the fix for my Meraki/Cisco ISE and older Avaya phone issues while chucking my dog's squeaky platypus around for him to chase.
# ? Jan 2, 2024 00:14

The fix for anything Avaya is to launch it into a bin. I solve lots of problems in the shower; it just seems to be a great place to think.
# ? Jan 2, 2024 01:16

Thanks Ants posted: The fix for anything Avaya is to launch it into a bin.

Putting all your Avaya gear in the shower is also a great way to fix it!
# ? Jan 2, 2024 01:26

Started off my first day back from PTO with a half dozen messages from people that held on to their issues the entire time I was gone. One of them is specifically annoying me because they want to deploy to production this week and have just been sitting on the issue for the last 2 weeks.
# ? Jan 2, 2024 17:10

1. To access company resources you need to be on the company VPN.
2. To connect to the company VPN you need to confirm 2FA prompts via the authenticator on your company phone.
3. Unlocking the company phone, opening the authenticator, and confirming the prompt all require fingerprint verification each time you do them.
4. The VPN drops if you so much as wave your arms in a particular direction, so enjoy doing this 10 times a day.

# ? Jan 2, 2024 17:45

Sounds like a network issue tbh, unless your VPN is woefully underprovisioned. Or you may just have a poo poo VPN. I can stay connected to our Cisco ASA for a full workday and have all the same login requirements.
# ? Jan 2, 2024 17:59

We're using Tailscale, migrated from Pritunl, and neither one had any of the issues you're describing. Your VPN implementation is poo poo.
# ? Jan 2, 2024 18:07

our forticlient finally supports sso so instead of the whole authentication song and dance, i press a button and it connects me

i mean it's still poo poo performance-wise, but at least it doesn't take as much time to connect anymore
# ? Jan 2, 2024 18:23

Polio Vax Scene posted: To access company resources you need to be on the company VPN

Items 1-3 are fine if a bit outdated, but the last thing is definitely an issue.
# ? Jan 2, 2024 18:34