___________________________________________________________________
Using Brave's "Private Window with Tor" could get you fired
Author : UnquietTinkerer
Score : 60 points
Date : 2021-12-31 16:35 UTC (6 hours ago)
Link : old.reddit.com
| renewiltord wrote:
| Well, it appears to be over zealous management. One might as well
| say "eating at your desk can get you fired". The problem isn't
| the eating. It's the management.
| mindslight wrote:
| One of the few comments in this thread that isn't rooted in
| Stockholm syndrome. Sure, it's prudent to do one's personal
| computing on personal devices - get a GPD pocket or something
| like it for use at work, and only use their uplink via a
| wireguard link to something else you control (and/or get a cell
| modem). But management that fires people for _using a protocol_
| , and furthermore for using it _incidentally_? It makes me want
| to publish everything I do as onion only.
| rdudek wrote:
| I've been working in the IT industry way too long. Any devices
| provided by my employer will only have whatever the employer has
| preloaded in terms of software. I will not browse any private or
| personal things on that device. I'm under constant assumption
| that device is keylogged/monitored. Even when working from home,
| I have it connect to its own private network on its own VLAN.
|
| If I do go into the office, I'll just use my cell-phone for
| personal browsing.
| bryguy32403 wrote:
| I have that same mindset, but at the last two companies I've
| been at, I was a bit disturbed that the software policy was
| basically, "If you need it, just go to the website and download
| it. Don't download a virus, good luck!"
| jpollock wrote:
| There are industries where compliance requires all work-related
| communications be logged and monitored.
|
| This logging is typically done through proxy servers on the
| network, and avoiding them is a _bad_thing_. They will also track
| web traffic through a proxy and MITM any https traffic by forcing
| the use of specific keys. They're trying to look for insider
| trading. Avoiding the proxy is the problem.
|
| Staff using their own apps for regulated communications just cost
| JPMorgan USD$200m.
|
| https://www.cnbc.com/2021/12/17/jpmorgan-agrees-to-125-milli...
| jmnicolas wrote:
| What do they do about personal devices?
| jpollock wrote:
| I'm not in the industry, but I am aware of this from various
| news articles. Quick googling...
|
| Typically, devices are banned from restricted areas (trading
| floors). Where BYOD is "allowed", apply a corporate profile
| which prevents the installation of problematic apps. What
| these people do outside of office hours can get them in
| trouble too.
|
| NYSE Rule 36 seems to cover this:
|
| https://nyseguide.srorules.com/rules/document?treeNodeId=csh.
| ..
|
| (d) Floor brokers must maintain records of the use of
| telephones and all other approved alternative communication
| devices, including logs of calls placed, for a period of not
| less than three years, the first two years in an accessible
| place. The Exchange reserves the right to periodically
| inspect such records pursuant to Rule 8210.
|
| UK rules seem to ban BYOD?
|
| https://www.lawyer-monthly.com/2018/03/fca-says-employees-
| ca...
| oyashirochama wrote:
| Imagine not having a key logger and mouse tracer on your
| computer at work. Our machines also lock your account, computer
| and ID if you plug mass storage devices.
| loudtieblahblah wrote:
| This is why I'm never not working from home again
|
| Having a work machine and a personal machine side by side is
| invaluable to me..
| ivraatiems wrote:
| It's absolutely reasonable to have security requirements. It's
| not reasonable to fire someone for a single, accidental
| violation. I hope the people in the above story realize that
| they've made a mistake.
| floatingatoll wrote:
| It is if you have a zero-tolerance policy and they break it.
|
| Their IT department will certainly ban Brave to prevent
| future uses of Tor, now that they're aware!
|
| But there are many industries where a zero tolerance policy
| for Tor session origination from a desktop is absolutely
| legitimately appropriate, as it could otherwise be (even just
| one-time) exploited for massive potential harm to wealth and
| people.
|
| There's a popular view with some freedom folks that we
| shouldn't have the right to search people who are visiting
| family in jail, and while they're right from a purely
| theoretical "my rights" standpoint, from a pragmatic stance
| it is generally understood that it's fair to _try_ not to let
| weapons be given from visitors to criminals, even if
| abrogation of rights occurs -- and if you forget and bring a
| knife someday, you may get banned from the jail, even though
| it's just a mistake, because of how serious the safety and
| lives are at stake.
| ivraatiems wrote:
| Who would be comfortable working under such a policy? You'd
| never know what accidental action on your computer could
| lead to you being fired. Using a computer to do work is not
| like getting dressed and carrying a knife with you. You
| knew you put the knife there, you chose it. If you weren't
| thinking about the rules, that's on you.
|
| A regime where any accidental fat-finger or triggering of
| an unknown keyboard shortcut results in dismissal will
| quickly produce an environment where nobody is able to work
| or do anything useful - as seems to be happening here.
| floatingatoll wrote:
| It doesn't sound like a fun workplace, but nor should
| every workplace be fun. I'd really appreciate it if
| bankers and health insurance companies had to keep
| audited records and were disallowed encrypted /
| disposable backchannels, like Tor.
|
| I assume that IT didn't install Brave, the user did. No
| IT department at this strict of a company would approve a
| browser that actively inserts its own advertising into
| websites, much less has a Tor option builtin. So, then,
| why on earth would the user risk their employment by
| installing unapproved software without IT signoff?
|
| If IT approved Brave and pre-installed it, then they
| would have grounds to contest the firing. That they're
| let go suggests otherwise. One could likely predict the
| demographic of the let-go employee just by filtering for
| "would know and care about Brave" and "would not seek IT
| permission first".
| ivraatiems wrote:
| Typically, workplaces this strict don't allow users to
| install software on their machines themselves at all.
|
| This whole story still just sounds to me like a huge
| overreaction. I think we can invent a hypothetical
| situation where the company's behavior makes sense, or
| the employee's motives are impure, but I think it's much
| more likely that they just got scared and were rash and
| hurt an employee.
| yokoprime wrote:
| I can fully understand why a company doesn't want Tor traffic
| coming from inside the firewall. But this case, if the short
| description is accurate, should have been cleared up with a
| conversation with the employee possibly resulting in temporarily
| banning Brave until they can actually deploy it in a
| configuration that works with company policy.
|
| Again, IF the description is accurate, the employee was using a
| browser allowed by IT and did not have any ill intentions.
| jp42 wrote:
| It's not been allowed to be installed in my company for a long time.
| kgwxd wrote:
| I once triggered my domain account and PC intranet connection to
| be disabled because I started a Linux ISO download via
| BitTorrent. I didn't get in any trouble. Assuming this is even
| real, it's obviously just an example of bad management or there's
| more to the firing than what's being said.
| Symbiote wrote:
| I was "caught" torrenting Knoppix on a university computer. I
| had left it running in the background, and not realised it
| wouldn't exit when I logged off.
|
| After I'd shown what it was, the sysadmins suggested leaving it
| seeding to see if we could get the university domain name to
| the top of the "top seeders" list.
| charcircuit wrote:
| What's next? Using https could get you fired because they can't
| MITM you?
| zo1 wrote:
| Most of them use group-policies and other software to install
| root-certs onto company devices. HTTPS won't help you with MITM
| in that case.
| Scoundreller wrote:
| It was good while it lasted tho.
|
| Fun times getting blocked by the public/corporate firewall
| for something, hovering the mouse in the right place and
| pressing "s" and going, ahhh, "fixed it!"
| PopeUrbanX wrote:
| Don't browsers these days loudly warn you if something like
| that is happening?
| watermelon0 wrote:
| Most browsers (with the exception of Firefox which has its
| own store) trust root certificates installed on the OS (at
| least for Windows/Linux/macOS.)
|
| With mobile devices (iOS/Android), web browsers also trust
| custom root certificates, but apps have the ability to
| reject them.
| minerva23 wrote:
| I noped out of the corporate CA that came pre-installed for the
| purpose of MitMing my machine. Getting rid of the corporate
| malware increases my productivity anyway (via faster
| computing).
| donatj wrote:
| My company blocks so much inane crap it's ridiculous. Any site
| not explicitly reviewed by the firewall company? Blocked. Want to
| Google restaurants for lunch? Half the restaurants websites are
| blocked under the firewall rule against "alcohol and bars". So
| much more.
|
| Trying to talk to IT about it is painful. I had to go through
| three levels of support over a week just to get a single site
| unblocked.
|
| Before Work-from-Home started, Brave's Tor support was a godsend
| just for getting actual work done.
|
| Before my department got bought out, our old company had pretty
| draconian blocking as well, but if you explicitly plugged into
| the ethernet ports in the developer area they were wide open.
|
| And no, we're not in any sort of industry where it really
| matters. Privately held educational software company.
| benttoothpaste wrote:
| I used to work for a financial company that used such extensive
| blocking. One day I had to download a particular version of
| boost libraries (the C++ ones). Of course all official sites to
| download from were blocked. So I searched for the specific file
| name (a tar.gz archive). And eventually I found something that
| was not blocked: a misconfigured server somewhere in Russia.
| Misconfigured because it served entire contents of its hard
| disk - and Google indexed it all. And there it was - my coveted
| boost archive which I promptly downloaded.
| gruez wrote:
| That seems super risky. How did you know the file was
| authentic? What if the archive contains backdoored code?
| donatj wrote:
| Seems like an odd proposition for an attack vector. Maybe,
| just maybe if I make this look like a misconfigured server,
| maybe, just maybe, someone will grab the boost files from
| the server and compile them? I can't imagine.
| b3morales wrote:
| The open server does not have to be a deliberate attack
| setup. It could be compromised itself, or someone could
| have downloaded a bad artifact to it unknowingly. It
| could be someone's malware research storage (admittedly
| this is pretty unlikely). It's the simple fact that the
| provenance is unknown.
| vkk8 wrote:
| I've heard of people doing similar things before. Maybe
| people working in high security environments downloading
| libraries from random websites is common enough that some
| attackers are actually targeting those people by
| backdooring common Python packages, C++ libraries, etc.
| and trying to get their server to bypass enterprise
| blocking somehow.
| benttoothpaste wrote:
| Yeah it was risky. It is quite common for excessive
| security practices to actually decrease security and that
| particular example was not nearly the most egregious one in
| that company.
| MattPalmer1086 wrote:
| I don't really get why you did it though. You risked your
| job, and potentially regulatory issues for the company
| just to get a build done? I'd have just submitted a
| request to unblock the official download site. Then it's
| security's problem.
| 908B64B197 wrote:
| > Trying to talk to IT about it is painful. I had to go through
| three levels of support over a week just to get a single site
| unblocked.
|
| Don't talk to IT using their support channel. Escalate to your
| boss (and his boss potentially) about what you are trying to
| do, what's blocking you and how it's stalling the (revenue
| generating) project you are working on.
| wolverine876 wrote:
| From another perspective (perhaps not popular here): How does
| allowing access to restaurant websites help the bottom line?
| What is the risk? One malware outbreak can be enormously
| damaging.
|
| How much time should IT employees spend unblocking restaurant
| websites instead of, for example, developing new applications
| that increase productivity? Arguably, an IT employee who is
| spending time unblocking restaurant websites might be viewed as
| negative ROI for their salary.
|
| And users have phones, so there is an easy workaround.
| torstenvl wrote:
| Yes. Exactly. Which is why they shouldn't be blocked, forcing
| people to spend time and energy unblocking them.
| kortex wrote:
| It's not blocking restaurants per se. It's doing some
| heuristic based match and seeing entries on the site with
| words like "wine" "whiskey" "cocktail" and determines the
| website is "alcohol and tobacco" and bans or limits it.
|
| Ran into this at $lastco, as a chemist. Used to look up
| alcohol water azeotrope charts and half would be on homebrew
| sites and got blocked.
|
| I just used my phone to email the charts to myself.
| donatj wrote:
| Not restaurant specifically, but I suspect the loss of
| innovation from the general chilling effect is pretty high.
| When I have trouble researching something, that's money lost
| for them in time I am wasting, and potentially worse from the
| side effects.
|
| Every time an engineer doesn't look into something at all,
| because they know odds are good they're not going to be able
| to, that's potentially millions lost.
| whatshisface wrote:
| > _How does allowing access to restaurant websites help the
| bottom line?_
|
| Humans need to eat to survive, and one consequence of
| survival is that tickets are closed.
| vkk8 wrote:
| Indeed. Somehow people managed to eat lunch before the
| internet.
| jmnicolas wrote:
| Meanwhile at work I can't convince the "firewall guy" to block
| YouTube to save bandwidth for actual work ... Even porn
| websites aren't blocked!
| derekp7 wrote:
| Do they allow your cell phone to be out when you are working?
| I'd just plug my cell phone in a USB port ("I'm charging my
| phone" if anyone asks), and use IP over USB to talk to the
| phone, and run non-business internet through the phone's data
| connection. One step further if the PC is locked down to prevent
| this, plug the keyboard/mouse/monitor into a Raspberry Pi, with
| a soft KVM plugged into one of the Pi's USB ports so your
| primary connection is to a device you control. Then use the KVM
| software to view your PC in full screen mode. Of course, this
| won't work if you are in an open office and your Pi's
| environment looks suspiciously different from your normal
| Windows desktop (but that can be fixed with theming).
|
| Of course if I worked at a place that was constantly looking
| for an excuse to fire you, I wouldn't work there for long
| (because I'd either find a more relaxing job, or get fired).
| oyashirochama wrote:
| At my job plugging in a USB device gets you paperwork and
| loss of computer use for at least 3-6 months. Fun fact my job
| also can't fire you, but it can make you wish you could.
| latchkey wrote:
| Sounds like they did the employee a favor. Who would want to work
| in those conditions?
| Lordarminius wrote:
| I skimmed through the reddit thread but couldn't find an answer.
| Why do companies not want you using Tor ?
| JohnTHaller wrote:
| Tor enables content that work can't monitor or block. And it's
| associated with child porn, dark web drug networks, sex
| trafficking, and similar. In reality, it's a small part of Tor.
| In the media, that's all it's used for.
| judge2020 wrote:
| The biggest use statistically is bot and malicious traffic.
|
| > Based on data across the CloudFlare network, 94% of
| requests that we see across the Tor network are per se
| malicious.
|
| https://blog.cloudflare.com/the-trouble-with-
| tor/#:~:text=Ba....
| btdmaster wrote:
| This needs to be compared to clearnet for it to paint an
| accurate picture, which has reached 64% recently[1]. Though
| this figure comes from summing "good bots" with "bad bots",
| Cloudflare seems to have done the same ("automated
| requests", "content scraping").
|
| [1] https://www.digit.fyi/two-thirds-of-internet-traffic-
| is-now-...
| 8organicbits wrote:
| In my brush with a similar issue, the intrusion detection
| system flagged Tor traffic as potential malicious traffic. The
| IDS can't tell if this is malware calling back to a command and
| control node via Tor.
|
| We allow developers to install their own software, so there
| isn't a good way to enforce browser policies. We ended up
| letting the developers know that connections to Tor generate
| alerts, and that these tie up security resources. That was
| enough that we haven't seen the issue again.
|
| In our case the developer was using Brave and had opened the
| private window with Tor. That gave us a plausible explanation
| that didn't include malware, so we closed the ticket.
|
| I'd say that there are very few legitimate reasons a Tor
| connection would come from a corporate network. So we'd like to
| keep the alert on, but any false positives tie up resources.
| Developers sometimes accidentally install malware, so we need
| to be vigilant about detecting and remediating that.
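The triage described in the comment above (an IDS alert on Tor traffic that may be either a Brave private window or malware calling home) as an added example; this is not code from any commenter or from any IDS product. It assumes a simplified, constructed outbound-firewall log format that carries the originating process name, and the relay addresses and hostnames in it are placeholders, not real Tor relays: a real deployment would refresh the relay set from the Tor consensus or bulk exit list. The point it demonstrates is that the relay match alone cannot separate the two cases, but the originating process can, which is exactly the "plausible explanation" the commenter used to close the ticket.

```python
"""Triage outbound connections to Tor relays: browser use vs. possible C2.

Added example (not from the thread). The log format, hosts, process names
and relay addresses are all constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed placeholder relay addresses (documentation ranges). A real
# deployment would load this set from the Tor consensus / bulk exit list.
KNOWN_TOR_RELAYS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Tor's default OR / directory ports: a weak secondary signal only, since
# relays commonly listen on 443 and other services may use these ports.
TOR_DEFAULT_PORTS = {9001, 9030}

# Processes for which a Tor connection has a benign, user-driven explanation
# (the case in the thread: Brave's "Private Window with Tor").
BROWSER_TOR_PROCESSES = {"brave.exe"}

# Constructed log format: timestamp, endpoint hostname, originating process,
# destination ip:port and firewall action.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2021-12-31T16:40:01Z host=dev-laptop-17 proc=brave.exe dst=203.0.113.10:443 action=allow
2021-12-31T16:40:03Z host=dev-laptop-17 proc=brave.exe dst=203.0.113.11:9001 action=allow
2021-12-31T16:41:10Z host=build-svr-02 proc=svchost.exe dst=198.51.100.7:9001 action=allow
2021-12-31T16:42:00Z host=dev-laptop-04 proc=chrome.exe dst=192.0.2.50:443 action=allow
2021-12-31T16:43:00Z host=dev-laptop-04 proc=curl.exe dst=192.0.2.77:9030 action=deny
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    return entry


def tor_indicator(entry):
    """Name the Tor indicator an entry matches: strong (relay list), weak
    (default port) or None."""
    if entry["dst"] in KNOWN_TOR_RELAYS:
        return "known_tor_relay"
    if entry["port"] in TOR_DEFAULT_PORTS:
        return "tor_default_port"
    return None


def triage(log_text):
    """Group Tor-indicator hits per host and assign a severity.

    low:    every hit came from a browser with a built-in Tor mode (ask the
            user, likely a private window)
    high:   a non-browser process reached a known relay (possible C2)
    medium: only the port heuristic fired; corroborate before escalating
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = tor_indicator(entry)
        if reason:
            per_host[entry["host"]].append({
                "reason": reason, "proc": entry["proc"], "dst": entry["dst"],
                "port": entry["port"], "action": entry["action"],
            })

    report = {}
    for host, findings in per_host.items():
        procs = {f["proc"] for f in findings}
        strong = any(f["reason"] == "known_tor_relay" for f in findings)
        if procs <= BROWSER_TOR_PROCESSES:
            severity, note = "low", "browser Tor window; confirm with the user"
        elif strong:
            severity, note = "high", "non-browser process to known relay; check for malware C2"
        else:
            severity, note = "medium", "port heuristic only; corroborate first"
        report[host] = {"severity": severity, "note": note, "findings": findings}
    return report


if __name__ == "__main__":
    for host, result in triage(SAMPLE_LOG).items():
        procs = sorted({f["proc"] for f in result["findings"]})
        print(f"{host}: {result['severity']} ({', '.join(procs)}) - {result['note']}")
```

The process name is the discriminator here, which means the log source must carry it (an endpoint agent or host firewall rather than a perimeter device); a perimeter-only log would leave every hit at "medium" or "high" and force the manual conversation the commenter describes.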
| RF_Savage wrote:
| Malware and other attackers use Tor for C&C.
|
| So blocking Tor hinders attackers using it.
| chasil wrote:
| I've never used Onionshare, but it would allow untraceable file
| transfers bidirectionally through any (permitting) corporate
| firewall, and keybridging/mitm cert rewrites could not see into
| the session.
|
| https://onionshare.org/
| brendoelfrendo wrote:
| Every company I've worked for has had DLP, firewalls, and
| content filtering in place, and circumventing those is a
| violation of acceptable use policies, and thus grounds for
| termination... so it seems pretty cut and dry to me.
| Veen wrote:
| The initial post mentions FUD and top-level management, so it's
| possible management associate Tor with dark net drug dealing,
| CP, and assassinations and so on. Non-tech people aren't likely to
| have heard of Tor in any other context.
| nitrogen wrote:
| Speculation: it looks a lot like a data exfiltration attempt,
| or like malware trying to reach its control network.
|
| Just don't do things unrelated to work using work resources.
| smoldesu wrote:
| This is definitely the case. Most of these people are worried
| about you ferreting away company secrets over a connection
| they cannot monitor.
| JohnTHaller wrote:
| In the interim, have the IT folks setup a group policy to disable
| Brave's Tor feature so no one else accidentally gets caught in
| this: https://support.brave.com/hc/en-
| us/articles/360039248271-Gro...
___________________________________________________________________
(page generated 2021-12-31 23:02 UTC)