[HN Gopher] Bossware is a big legal risk
___________________________________________________________________
Bossware is a big legal risk
Author : nickwritesit
Score : 65 points
Date : 2024-05-14 12:21 UTC (1 day ago)
(HTM) web link (www.kolide.com)
(TXT) w3m dump (www.kolide.com)
| triyambakam wrote:
| So how do I know if my work computer features such surveillance?
| bitwize wrote:
| That's the neat thing -- you don't.
| woleium wrote:
| Just assume it does
| davely wrote:
| No kidding!
|
| We have some ridiculous timeout on our work machines that
| triggers the screensaver after 2 minutes of idle time (we
| can't change this).
|
| After it's triggered, you need to enter your password to
| unlock (company mandated, 10 chars minimum, no repeating
| chars, at least 1 upper and 1 lower case char, at least 1
| special symbol, change every 90 days, can't be too similar to
| last 10(!) passwords).
|
| Okay, this is annoying. So, for the longest time, I used an
| open source mouse jiggler app (basically simulated cursor
| movement).
|
| This worked fine until a recent software update. I wondered
| why my screen saver was being triggered again. Oh, the mouse
| jiggler isn't running! Let's open it up.
|
| A big dialog box appears on the screen: "THIS APPLICATION
| VIOLATES COMPANY POLICY AND ITS USAGE HAS BEEN REPORTED."
|
| Oh... cool.
|
| I went on Amazon and ordered some $5 hardware mouse jiggler
| dongle. That worked for about a month or so.
|
| Then suddenly, I started getting CrowdStrike notifications:
| "Functions of a USB device were restricted according to
| company policy."
|
| Fun times!
|
| It's only a matter of time until Zoom starts sending reports
| of whether I had the window in focus or not during meetings
| with management.
| kridsdale1 wrote:
| You can get mechanical mouse mover devices that are not
| connected to the pc at all. It should be fully
| undetectable.
| davely wrote:
| Ah, that's a good point. I've thought about this, but I
| use a trackball due to mild RSI. So, I don't think it can
| help me there.
|
| (This is going to make me embark on a weekend project to
| use an Arduino, some servos and a 3D printed finger to
| move my trackball.)
| eequah9L wrote:
| Plug in a second mouse then?
|
| The trick that I heard is to just place the mouse on a
| clock. The second hand jiggles the mouse every minute.
| Can be stashed away in a drawer or something. Never tried
| this though.
| mattmerr wrote:
| Does watching a video pause the timeout? If so,
| hypothetically one could stream or locally create a video
| with no contents but long duration.
| davely wrote:
| Ah, that's an interesting point. I haven't tried to
| correlate that, but it must be true. For example, the
| screensaver never seems to appear during Zoom calls!
| Izkata wrote:
| That might also be implemented as "don't start the
| screensaver if the camera is in use". Easy to detect in
| either /proc/ or /sys/, I forget which one I was fiddling
| with.
| hunter2_ wrote:
| Nah, I know people who use Zoom for this purpose without
| the camera enabled. It's just Zoom invoking the OS's wake
| lock.
| GauntletWizard wrote:
| You are the user I fear most; clever enough to be
| dangerous and aware of the bullshit.
|
| If you were really smart you would lobby your IT department
| to change the ridiculously short timeout, and protest by
| not working when it locks on you during normal pauses.
| davely wrote:
| Hah. I'd like to think there's nothing to fear from me as
| a user.
|
| Look, I get _why_ some of these policies are in place --
| a bunch of it stems from locking down our systems and
| protecting critical data due to various Sarbanes-Oxley
| requirements. Plus, sometimes smart people do dumb
| things, and it leads to bad things (e.g., see the LinkedIn
| incident [1]).
|
| But man, oh man, is it annoying! Especially if I'm in my
| own home, with no one around, and I otherwise get my work
| done.
|
| [1] https://darknetdiaries.com/transcript/86/
| kyleee wrote:
| I found nosleep.page a while back here, wonder if it would
| work for you?
| hunter2_ wrote:
| If you're on a work VPN, presumably you wouldn't want
| this in the DNS logs. Best to make a local clone! Simply
| "Save" from the browser, assuming the whole trick is
| within a client-side script that doesn't phone home,
| which appears to be the case.
| Etheryte wrote:
| Either root the device or mitm yourself, not much outside of
| that that you can do to ensure nothing fishy is going on.
| 98codes wrote:
| You have to assume that it does.
| ChrisMarshallNY wrote:
| That's a big reason that I purchased my own, personal computer
| many years ago. I was paid well enough that it was quite
| possible.
|
| Back then, they hadn't really gotten going with all the
| monitoring stuff, but I did it from a sense of personal
| integrity.
|
| I was writing open-source stuff, and there was _no way_ that I
| was going to allow my company to try to claim it. I didn't use
| company time, and I didn't use company equipment.
|
| I did not have a "shower clause" in my employment contract, so
| I was free to work on my own stuff, on my own time.
| toss1 wrote:
| As many others said, assume that it does, by default.
|
| Do you have admin rights, including to the firmware? Can you,
| and did you, set up from scratch the device that you received
| from the employer? If not, then it is almost 100% certain that
| there is surveillance. If they let you do _all_ the setup, then
| maybe 50%.
|
| Just isolate any box your employer touches, both physically and
| in the network sense: keep visible and sound space as separate
| as possible, use a separate WiFi network, etc.
| halfcat wrote:
| Generally you won't, but some vendors' documentation lists
| folder paths you can check, like: if this folder exists on your
| computer, it's running Teramind [1]:
|
| C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}
|
| [1] https://kb.teramind.co/en/articles/8791095-how-to-verify-
| if-...
| paxys wrote:
| Assume it does. Don't do any personal work on it. Isolate it
| from your home network.
| CoastalCoder wrote:
| I was surprised (perhaps I shouldn't have been) to encounter
| bossware-like surveillance in an _interview process_.
|
| About 6 months ago I was interviewing with InterSystems, a
| company that does healthcare software. Only when I signed in for
| the online coding interview did I learn that they required I have
| a webcam on myself the whole time.
|
| I don't like using coarse language. But it was the first time I
| struggled to not use the phrase "fuck you" in my email to the
| recruiter.
| Terr_ wrote:
| IMO there's a huge difference between "we do this because we
| had too many fraudulent applicants and this is a compromise
| compared to having you interview in-person" versus "this is
| representative of how the entire employment relationship will
| go."
|
| If the former, their fears are not unfounded: sometimes the
| person who impressed you in the interview is not actually the
| same person who arrives for their first day of work. There are
| also less audacious forms of interview cheating, where an
| off-screen cyber-Cyrano is supplying them with answers and/or
| keyboard input.
|
| That said, I agree that any workplace with a "webcam on at all
| times for monitoring" policy for employees is one I would leave
| ASAP. Not just because it's hostile and offensive, but also
| because it's indicative of the company doing badly while
| management is busy "rearranging deck-chairs on the Titanic."
| paxys wrote:
| So you are okay with giving random companies an hour of
| footage of your face and part of your house just for the
| privilege of going through their automated screening round?
| VBprogrammer wrote:
| Emm, yes? What do you think they are going to do with it?
| They are also considering giving you access to potentially
| a vast amount of their IP and maybe even customer data.
| Teever wrote:
| Whatever they're legally allowed to and I may never know.
|
| That's the problem.
| coldtea wrote:
| > _Emm, yes? What do you think they are going to do with
| it_
|
| I don't care what they're going to do with it. They ain't
| having it.
| ozim wrote:
| I agree.
|
| But there still is a line: if I am doing a take-home
| assignment, I will not install spyware on my personal
| computer.
|
| We can have a Zoom/Teams call with a person where I share my
| screen, with the camera enabled as well if someone wants that,
| during coding or for discussion.
| Terr_ wrote:
| > I will not install spyware on my personal computer.
|
| Agreed, if they want to _lend_ me a computer for the
| exercise, that's another matter. :p
|
| It's been a while since I last interviewed in earnest, but
| my recollection is that those situations (fortunately)
| correspond with companies that I probably wouldn't want to
| work for anyway.
| ryandrake wrote:
| I think the former might strongly imply the latter.
|
| If a company can't think of a single way to ensure the person
| who interviews is actually the person who comes to work the
| first day (hint, there was a time when webcams did not
| exist), then that company is probably also inclined to
| inflict lazy, intrusive surveillance-based schemes on
| employees after they're hired.
| neilv wrote:
| > _"this is representative of how the entire employment
| relationship will go."_
|
| Seems like it's a great signal of how the company thinks, and
| will behave.
|
| Not necessarily that they'll put all employees under video
| surveillance, but if they think this is a good idea, I'd
| guess probably they'll do numerous other things along the
| same line of thinking.
|
| Occam's Razor possibilities:
|
| 1. The company is normally very enlightened and thoughtful
| and fair, and has a very subtle and nuanced rationale for why
| they're coming across as invasive and overbearing in this
| one specific instance, and their reasons in this bad
| first-impressions instance (when they should be thinking about
| first impressions) were simply somehow not explained.
|
| 2. The company is going to behave like a jerk.
| tetromino_ wrote:
| In light of interview fraud, it seems reasonable for the
| interviewer to request that you are live on camera so they can
| see that you are who you say you are and that you are working
| alone.
|
| The part that would have made me walk away would have been if
| the video was being _recorded_ and retained, as opposed to
| merely being watched live.
| skwirl wrote:
| That doesn't sound bossware-like at all. It seems completely
| reasonable to me.
| bee_rider wrote:
| Do these companies support Linux or do these recruiters only go
| after Windows users? There are of course lots of perfectly fine
| technical folks who are Windows-centric, but it still seems
| like a pretty bad filter to apply to their candidate pool.
| silisili wrote:
| Wait just during the interview? That actually sounds completely
| reasonable.
| vundercind wrote:
| It probably also means signing over rights for the recording
| to be used for training AI by some third party, plus god
| knows what else.
| VBprogrammer wrote:
| Oh, Christ. What absolute nonsense.
| coldtea wrote:
| How about a manager wanking off to pretty candidates?
|
| Hardly without lots of precedent...
| root_axis wrote:
| How can you vet a candidate remotely without having them on the
| cam? Especially today with all the LLMs, it's pretty much a
| hiring requirement if you can't bring the candidate in for an
| interview.
| fullspectrumdev wrote:
| Easy, you ask them to talk you through their reasoning.
|
| LLMs are fucking _terrible_ at this for anything nontrivial.
| hnthrow289570 wrote:
| We're probably at the point where it's cost effective to pay
| for traveling-to-interview again, especially for the
| later-round interviews.
|
| That is, unless companies are lying about how much damage bad
| hiring does. I don't suspect they are, but they apparently
| can't also do the math to go back to that option.
| apimade wrote:
| Cybersecurity nerd here; have talked to many platform and
| financial company CISOs, security teams and recruiters over
| the past few years.
|
| Fake interviewees are pretty rampant. We're getting to the
| point where presenting yourself in-person to a government
| representative, agency or a private attestation company will be
| part of the onboarding process. At this point it looks like
| it'll be iris scans.
|
| In the US it's even an issue in-person with H-1Bs, where they
| get interviewed and hired online, then someone else shows up.
|
| Also, the fact that insider threats are almost never budgeted
| for, and so many companies blanket-approve access to systems
| like logging systems, customer support systems, source code,
| etc., means attackers don't even need to get hired into a very
| important role to get the data they want.
| mistrial9 wrote:
| > then someone else shows up
|
| Someone else shows up? What is the denominator?
| klntsky wrote:
| Unfortunately this is a requirement nowadays. Scammers learned
| how to generate realistic CVs and they organize people to pass
| online interviews for them. After getting the job, they do
| nothing, get their salary for the first billing period, and
| leave.
| surfingdino wrote:
| I was asked to be recorded answering three stupid questions
| like "what motivates you?", "why do you want to work here?",
| etc. before attending a multi-stage interview. I never got
| invited to that interview, and I did wonder if I could take
| them to court, because my CV showed me as a good fit for the job
| (literally ticked all the boxes), but they clearly rejected me
| based on the video. (In case you wonder why I thought I was a
| good fit, I can tell you that I built the tech they were
| implementing.)
| hobotime wrote:
| Perhaps during the video they discovered that they didn't
| like you.
| bitwize wrote:
| I've started preemptively stipulating to recruiters that I will
| not accept spyware (including browser extensions and phone
| apps) or autoproctoring as part of the application process, nor
| will I subject myself to interviews with or evaluation by a
| large language model after encountering this nonsense once.
| exabrial wrote:
| The reasons given are pretty much a nothingburger and standard
| compliance items you should be doing anyway!
|
| I am trying to figure out what exactly is the problem people have
| though: you're literally on a company asset, being paid by the
| company, you've signed copyright away, you're aware there is no
| expectation of privacy. Use your cell phone or your home computer
| for home business, work during company hours; it doesn't seem like
| that big of a deal.
|
| === EDIT: Re: comments about webcams: nowhere in my comments
| did I say anything about cameras. Read both the article and my
| comments before attacking straw men.
| BriggyDwiggs42 wrote:
| Because workers aren't slaves or robots, and being on the job
| doesn't make them such. Your mentality is actually staggering to
| me.
| exabrial wrote:
| Can you answer this question directly:
|
| What is it that you don't want seen by a company
| representative, on a company computer, while being paid by
| the company?
| vundercind wrote:
| How would you feel about audio recording in break rooms and
| hallways? How about fart-detectors in the chairs, recording
| all that to some database?
|
| Same idea, and maybe _you_ wouldn't mind but surely you can
| see why many people would.
|
| FWIW enough people _do_ mind that this kind of thing is
| illegal in some countries.
| potta_coffee wrote:
| Ironically, I'm involved with a startup developing fart
| monitors as we speak. I'm certain it's going to be a huge
| market. /s
| 4MOAisgoodenuf wrote:
| Anything in my home, any traffic on my home network, and
| any sounds in my home that aren't me directly talking to a
| coworker about work matters.
| j-bos wrote:
| Anything. I'm paid as a developer; I'm not paid as an actor.
| google_expat wrote:
| Yesterday I was working and my three year old came running
| -- directly out of the shower -- into the room to show me
| her doll's "new hairstyle".
|
| Can you answer this directly: How many people's computers,
| servers, and backups should video of my child be on?
| exabrial wrote:
| Please quote the part of my comment above where I said
| literally anything about a webcam.
| BriggyDwiggs42 wrote:
| My concern is that workers who produce the desired output
| for their company, i.e. perform the labor they are paid to
| perform, will not be able to use excess time to be with
| their family, take care of chores, rest, or otherwise live
| life, and will instead need to pretend to be busy as though
| they're still in an office under the watchful eye of an
| overpaid manager. Monitoring should be reserved exclusively
| for cases where an employee's output is not measurable in
| any other way, and should then be kept to a minimum. If we
| exclude the possibility of webcam or audio monitoring, then
| my primary concern is that a worker will be made to waste
| their time satisfying the arbitrary metric by which
| present-ness on their company computer is measured, and so
| the thing I am worried about being seen is the absence of
| activity.
| fwip wrote:
| Different person here, but: literally anything. I don't
| have "anything to hide," but I don't trust the company's
| judgment (or, more specifically, that of every possible
| "company representative." It only takes one to make
| something a federal fucking issue.)
|
| If I do a google search for "cake toppers for lesbian
| wedding" while my code's compiling, that's morally fine.
| But if a bored "company representative" decides to take
| offense to that, now it's a whole goddamn situation that I
| have to deal with.
|
| Or if I'm on Stack Overflow to copy&paste, and one of the
| "Hot Network Questions" in the sidebar has an "offensive"
| phrase in it, is it going to trip their automated flagging
| criteria?
| singleshot_ wrote:
| I would not accept employment under any terms that allowed
| my employer to look at me without my knowledge, or snoop
| around on my computer without my acquiescence.
| dymk wrote:
| It's not your computer, it's a company laptop.
| nonameiguess wrote:
| How can this be a serious question? Much of my company is
| in an earlier time zone and I frequently log into meetings
| and start work while my wife is still ambling about,
| showering and walking around naked. My naked wife is
| something I don't want my employer seeing. A house is a
| shared space. No one in it except me accepted any sort of
| consent to monitor agreement.
| imzadi wrote:
| Why should employers be allowed to take pictures and videos of
| me without my permission or knowledge? If I work from home, how
| much of my home is now the company's business? Should my
| employer be allowed to see my home office at will? What if my
| home office is a bedroom and I have private things around that I
| don't want them to see? Or a living room and I have family
| moving around in the background? Does my employer actually have
| a right to film my spouse or children?
|
| There are also issues beyond those. What about employers that
| require you to install software on your personal phone so you can
| access MFA or work email? Some of that software requires you to
| sign all rights away from your personal phone and there's a
| risk you may have all your data deleted on your personal phone
| when you leave the company.
| jonathankoren wrote:
| You want to know how the Overton window shifted from workers as
| humans, to workers as property? Look at laws around the
| telephone.
|
| If you have a telephone on your desk, it is illegal for your
| employer to secretly listen in on those calls. However, if you
| send an email, your employer has every right to secretly read
| them.
|
| The only difference is, emails didn't exist in the '30s, but
| telephones did.
| kyleee wrote:
| I always ponder from this perspective as well, think about
| the strength of laws regarding physical mail as well. Most of
| those privacy/tampering laws should have been applied to
| email from the get go.
| Havoc wrote:
| Never seen anything like this IRL despite working at various
| major companies. Hell, the other day I explained to my rather
| senior boss that the yellow Teams icon means away from desk.
|
| Work is me trading my time for money, and I can begrudgingly
| accept some level of monitoring. That's after all what a boss is
| - they supervise, aka monitor.
|
| However, the blurring of boundaries really irks me. This is part
| of the reason why I carry two phones, refuse to use remote
| desktops from personal devices and definitely don't connect
| personal devices to corporate wifi. Similarly, the aggressive,
| invasive student exam monitoring software in use makes me
| thankful I studied in more classic times.
| ryandrake wrote:
| Yep, my policy is to never "cross the streams." Work stays on
| work-provided (and controlled) devices and personal stays on
| personal devices, and _never the twain shall meet_. I work
| remotely, so I even go so far as to ensure all my work-provided
| devices are on their own VLAN which is isolated from the rest
| of my network and only has limited Internet connectivity. I
| don't really understand people who use work devices for
| personal (sometimes VERY personal) tasks, or even worse
| vice-versa: Bring Your Own Device for work tasks.
| Daviey wrote:
| First time I've looked at Kolide in a couple of years, and two
| things jumped out at me:
|
| - They got acquired by 1Password
| - They've pivoted away from a managed osquery product.
|
| A few years ago, I wanted to throw money at Kolide to manage
| compliance in a large enterprise using osquery, but their
| product/sales team was quite underwhelming. Whilst we were
| testing it, they switched to requiring Slack integration as their
| control and management plane and wouldn't support the existing
| workflow... So I had to reluctantly drop them.
| halfcat wrote:
| Having run this kind of thing for customers over the years, my
| takeaway is that every place that wanted this was a completely
| toxic and paranoid work environment.
|
| Except for one. That place seemed to have a reasonable use
| case: they dealt with very sensitive legal cases involving
| children, and they wanted an audit trail to ensure sensitive
| media was handled according to their policy.
| hi-v-rocknroll wrote:
| Yep. The need signals a lack of trust within an org, and
| perhaps a management attitude of infantilism and/or a lack of
| professionalism amongst workers. There is no quick-fix
| technology solution to business culture dysfunction.
| paxys wrote:
| Everyone replying with "what's the big deal?" is showing their
| tech privilege. You may not have to deal with intrusive
| monitoring, but warehouse workers are increasingly being made to
| wear ankle bracelets so every movement of theirs can be monitored
| and stack-ranked. Workers in WFH "gig" jobs are made to install
| always-on keyloggers and other monitoring software on their
| personal computers and phones (which are required for the job).
| Companies take photos/videos of them in their homes every few
| minutes throughout the day. Plenty of jobs require you to hand
| your social media passwords to your employer. There is an entire
| class of companies that specialize in all of this.
|
| Not everyone is able to say "no" to all this and still make rent
| next month. I'm happy the government is finally stepping in.
| JanisErdmanis wrote:
| > Plenty of jobs require you to hand your social media
| passwords to your employer.
|
| Can you elaborate with examples or references?
| paxys wrote:
| Why exactly do you think a half dozen states have passed laws
| specifically banning it?
| https://www.foley.com/insights/publications/2024/03/ny-
| socia...
| vundercind wrote:
| > Not everyone is able to say "no" to all this and still make
| rent next month. I'm happy the government is finally stepping
| in.
|
| More good news is that since workplace surveillance is already
| heavily limited by law in some other highly productive
| developed-economy states, this shit's all probably pointless
| _anyway_. Just one of many cases of execs going full "seeing
| like a state" and wanting everything down to the finest detail
| to be "legible" and able to sort-by on a spreadsheet, even when
| it's actually just noise.
___________________________________________________________________
(page generated 2024-05-15 23:01 UTC)