Staff sacked after security sees 'suspect surfer' script of shame

As your Vultures are off fighting over the remains of the Christmas dinner, we've lined up a feast of a different nature: a bonus instalment of Who, Me? This week, we hear from reader José, who wrote in to tell us how a prank led to some of his former colleagues getting their marching orders. It was back in the late '90s, and …


      1. davenewman

        Re: He made one mistake

        You can forbid companies monitoring employees if you are in a country with strict privacy laws, like Germany.

        1. rg287

          Re: He made one mistake

          Even in Germany companies can monitor employees. Most notably in highly regulated industries like banking and healthcare but plenty of other industries too. Public confidence in the security and integrity of the banking sector trumps the right of bank employees to browse pron on their work machines.

          The rules for what data can be collected; how it's stored; who can access and process it are rather stricter than in other nations but it can be done. No country outright prohibits the monitoring of employee use of company assets.

      2. Anonymous Coward

        Re: The mistake was to use them for blackmailing instead of simply blocking the domains

        You can monitor company resources. You just can't easily match their use with people, especially when it comes to sensitive data - the mistake he made was to match the data with people's identities.

        If you do, without the required permissions, you can end up in big trouble. Remember also that most European privacy laws, and now GDPR, regard sexual preferences as highly sensitive data, and their collection and use is highly restricted. It can put the whole company in trouble.

        Years ago I was involved in the creation of monitoring software to prevent the leak of highly sensitive documents. It had network probes that collected traffic and appliances that rebuilt it to identify documents going where they shouldn't. We had to protect the collected information to a great extent. Any possible personal identifier, including IP addresses, was strongly protected. When a possible data leak was identified, three people were needed to enter their credentials to decrypt the data (from security, upper management, and legal), and a union representative was present. All actions were logged for auditing, and a separate auditor could check which data were accessed (but not the actual data), and why. Workers were notified the system was active. Only banking and healthcare domains were exempt.

        We did get porn too, of course - all workers were notified that using company resources for such activities was forbidden and could put someone in trouble. Accessing illegal content would have triggered a notification to law enforcement, and the company would have given all required evidence under a warrant.
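
The controls described in the comment above (masked identifiers, three key holders, a witness, and an audit trail that records access but not data) can be sketched as follows. This is an added example, not the commenter's product: keyed HMAC pseudonyms and XOR key splitting are assumed stand-ins for whatever that system used, and every name, address and log line in it is hypothetical or constructed.

```python
import hashlib
import hmac
import ipaddress
import json
import secrets

# The three key holders named in the comment above.
ROLES = ("security", "management", "legal")


def split_key(key: bytes) -> dict:
    """XOR-split the key into one share per role; fewer than all three reveal nothing."""
    s1 = secrets.token_bytes(len(key))
    s2 = secrets.token_bytes(len(key))
    s3 = bytes(k ^ a ^ b for k, a, b in zip(key, s1, s2))
    return dict(zip(ROLES, (s1, s2, s3)))


def combine(shares: dict) -> bytes:
    """Rebuild the key; refuse unless every role has supplied its share."""
    missing = [role for role in ROLES if role not in shares]
    if missing:
        raise PermissionError(f"missing key holder(s): {', '.join(missing)}")
    return bytes(a ^ b ^ c for a, b, c in zip(*(shares[r] for r in ROLES)))


def pseudonym(key: bytes, ip: str) -> str:
    """Keyed pseudonym for an address. An unkeyed hash would not do: the
    internal address space is small enough to enumerate."""
    packed = ipaddress.ip_address(ip).packed
    return "u-" + hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]


def pseudonymise_line(key: bytes, line: str) -> str:
    """Replace the leading client-IP field of a proxy log line."""
    ip, rest = line.split(" ", 1)
    return f"{pseudonym(key, ip)} {rest}"


class AuditLog:
    """Hash-chained record of who unmasked which pseudonym and why.
    It never stores the recovered address, so an auditor sees access, not data."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, token: str, reason: str, witness: str) -> None:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = {"pseudonym": token, "reason": reason, "holders": list(ROLES),
                "witness": witness, "prev": prev}
        self.entries.append({**body, "digest": self._digest(body)})

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if entry["prev"] != prev or self._digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def reidentify(token, shares, reason, witness, network, audit):
    """Map a pseudonym back to an address inside `network`."""
    key = combine(shares)  # raises unless all three roles are present
    if not reason or not witness:
        raise PermissionError("a stated reason and a witness are required")
    audit.append(token, reason, witness)  # record the access before disclosing
    for host in ipaddress.ip_network(network).hosts():
        if hmac.compare_digest(pseudonym(key, str(host)), token):
            return str(host)
    return None


# Constructed sample data (documentation address range, made-up URL).
SAMPLE_LINE = "192.0.2.7 GET http://files.example.test/board-minutes.pdf 200"

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    shares, audit = split_key(key), AuditLog()
    masked = pseudonymise_line(key, SAMPLE_LINE)
    print(masked)
    print(reidentify(masked.split()[0], shares, "suspected leak", "union rep",
                     "192.0.2.0/28", audit), audit.verify())
```
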

      3. jake Silver badge

        Re: The mistake was to use them for blackmailing instead of simply blocking the domains

        "using the expensive Haas CNC to machine something pornographic/offensive."

        I know folks who would consider such a CNC pornography all by itself. Shit, people drool over my aging Bridgeport ...

        1. StargateSg7

          Re: The mistake was to use them for blackmailing instead of simply blocking the domains

          I did notice at one of the "companies I once had an affiliation with decades ago", that a LOT of extra 30x15x30 cm clear acrylic blocks were being ordered for the 5-axis CNC systems along with LOTS of the super-fine polishing grit for the enclosed surface finisher machines which are like polishing-oriented sandblasters which can make plastic or glass PERFECTLY smooth!

          I had heard on the grapevine that one of the junior-to-me "egghead" CAD/CAM specialists was rumoured to have made a financial killing off of the many young and old ladies and certain men in said company after it was found that production runs of certain objects of coital enhancement were made in-between the overnight client CNC runs.

          In those days you had to use MULTIPLE FLOPPY DISKS (yes! real 1.2 megabyte floppy disks!) to upload a 3D model (pretty high resolution too!) to the internal memory of a CNC machine which then drives the acrylic-specific carving bits on the CNC machine. Someone then had to unload the finished blocks, use a bandsaw to cut off the base of the carving and glue the finished product to another plastic base for fine polishing in the sandblaster-like polishing enclosure.

          Since the machinery couldn't be turned off for whatever mechanical reason since the factory was a 24/7/365 operation, in-between the client CNC machining runs, staff tended to run off their own projects in-between the custom client object CNC runs. They were supposed to use the normally recycled material cut-offs but staff were allowed to do their own projects so as to "increase" their CAD/CAM/CNC experience for the company benefit.

          Evidently, some staff took this project freedom to new lengths by making custom 3D-modelled body-extremis objects which I was told came directly from a 3D scan (which was EXPENSIVE to do in those days!) of a rather well-known and very much objectified-by-the-ladies staff member who was said to resemble Adonis.

          The CAD/CAM/CNC expert was able to make enough money over a few years that he bought a NEW Land Rover Defender! He left the company after almost a decade to open his own CAD/CAM/CNC shop and senior staff were never the wiser (or they chose to turn a deliberate blind eye to the shenanigans!) I had already left by then on other contracts but I did hear through further anecdotes that the said egghead was well regarded for his CAD/CAM/CNC modelling/carving expertise! I always did wonder if the ORIGINAL 3D model was ever properly compensated (i.e. financially or otherwise!) for the 3D reproduction of his well-known "wares"!

          .

      4. Anonymous Coward

        Re: The mistake was to use them for blackmailing instead of simply blocking the domains

        Reading the access logs is no different from walking over to see what your employee is working on.

        Logically and rationally, yes. But the way that the law has been written in some jurisdictions affords employees a right to privacy that then (I presume unintentionally) cloaks activities that they could be sacked for.

        Nothing new here - most laws are very poorly drafted, leading to geometric increases in the volume and complexity of statute law, declining levels of understanding of the law, and plenty of unintended consequences. Couple that with cloth eared and slow to react governments, and the unintended consequences snowball - like in the case of tax tourism by large corporations.

    1. Anonymous Coward

      Re: of course, unless they are executives high enough who just leave 'to follow new opportunities'

      Many years ago I came across a case where the person breaching the rules was a senior partner and actually one of those who'd voted in the rules. When confronted with the evidence of his surfing he just said "It's my F****ing Company and I'll F****ing well look at anything I..." you get the picture. In the end a private Internet line was run into his office with a separate PC not connected to the company network so he could perv away in peace.

      1. Danny 14

        Re: of course, unless they are executives high enough who just leave 'to follow new opportunities'

        so in German schools it is forbidden to monitor web access? Wow, that would make life so much easier for IT.

        1. A.P. Veening Silver badge

          Re: of course, unless they are executives high enough who just leave 'to follow new opportunities'

          "so in German schools it is forbidden to monitor web access?"

          It can be and is monitored and inappropriate sites are blocked, it just isn't allowed to trace it back to the individual visiting the site (some legal exceptions possible in case of threat to life, limb or health).

      2. Simon Reed

        Re: of course, unless they are executives high enough who just leave 'to follow new opportunities'

        A similar thing happened at a local authority I worked at some years ago. The councillors voted that they should get access to council systems from home courtesy of the council. So they got PCs and access to the council systems via the council networks. When they did web surfing on these council-provided desktops, it went through the council web cache so it was all logged just like the staff internet access.

        When it was pointed out by someone in IT they were spending huge amounts of time surfing for porn, the councillors decided their internet access should be private and not monitored by the staff. So they had their free internet access changed to stand-alone laptops and free broadband at home. Meaning their porn browsing was still paid for by the council but now unmonitored.

        Democracy, eh?

    2. Anonymous Coward

      Re: Of course you can blacklist the domains..

      Yep. Facebook, Twitter, Amazon etc are all blacklisted here.

      Back to work you lazy b******s. The holidays are over. /s /s /s

      1. Alan Brown Silver badge

        Re: Of course you can blacklist the domains..

        "Yep. Facebook, Twitter, Amazon etc are all blacklisted here."

        One of the things I rather quickly discovered in the early 1990s when attempting to block URLs and domains via a squid proxy is the plethora of domain names that pop up as alternates.

        I think we gave up trying to stop students accessing penthouse.com when we got up to 1500 domain names which went to the same website - it's about then that the realisation that technical solutions to sociological problems either don't work or end up being walnut-crushing 40 tonne steam hammers that block far more than intended.

        1. Danny 14

          Re: Of course you can blacklist the domains..

          not sure on the downvotes, as a previous head of IT in a school we had a major job of tracking and tracing web activity for anti bullying, PREVENT strategy, grooming logs and all sorts of safeguarding incidents. This was mandated by the LEA and council - not something we made up or decided to do ourselves. Not only did we log websites but PC activity too, the logs were collected by other agencies as part of investigations too (police, children's services etc). This was a very large school with some shady sorts so there was usually a major incident annually.

  1. Anonymous Coward

    I actually did the reverse once..

    Once upon a time I worked for a then rather well known provider, and we were the provider for a very large bit of infrastructure which shall remain nameless.

    During the build, a requirement was mooted that we ought to log all network traffic. This would have demanded large amounts of storage which was not really planned or budgeted for, so the search was on for an argument that would get that demand off the table (also because it would add a lot of hassle to a project that was already on tight timescales as it was). I decided to run some test logs, just to see what we could be facing, and what I got back from one of the participating parties was, er, worthy of further investigation because it was dodgy as heck.

    Now I'm not one to cry wolf without some further (careful) investigating, and so it emerged there was a legitimate reason for the traffic - that specific party was busy with research (at least, that's what I was told, but the speed & duration of the visits corroborated the stated automated nature of the effort).

    The upshot was that I had some dumps of these logs with me for the next project meeting, and before we started I had a quiet word with the big cheese of the project who notably blanched when noting some of the URLs on the printout. We quietly agreed that logging traffic would best not fall under our responsibility, but would, instead, remain the purview of each participating party "to protect confidentiality", and so it was suggested and agreed in the meeting that followed.

    Sometimes it's just a matter of finding the right data :).

    1. Anonymous Coward

      Re: I actually did the reverse once..

      > would have demanded large amounts of storage which was not really planned or budgeted for, so the search was on for an argument that would get that demand off the table

      Err, how about "if you pay for the storage, we'll do the logging"?

      That's how I shoot down stupid requests here, like "how about we spin up 6 new Oracle instances on that Pentium III with a 10gb drive?". I'd probably get pushback that my storage requirements are bullshit, but that's something I can prove.

      If it's really necessary, the storage funds will get approved, but usually it's not necessary at all.

      1. Brad Ackerman
        Holmes

        Re: I actually did the reverse once..

        If it's really necessary, the storage funds will get approved, but usually it's not necessary at all.

        The closer you get to the end of the fiscal year, the more important spending money becomes.

    2. amanfromMars 1 Silver badge

      Re: I actually did the reverse once..

      - that specific party was busy with research (at least, that's what I was told, but the speed & duration of the visits corroborated the stated automated nature of the effort). ... AC

      That is surely Man and Machines thinking as Each Other along Similar Familiar Lines ..... with Firm Favourite Frolicks to Enjoy and Entertain/Submit and Surrender to Absolutely ..... for the Power and Energy when the 2 be as 1 and Nothing is in Hiding or Forbidden for Leading Pleasant Reactions with NEUKlearer HyperRadioProACTive IT Systems of Remote Virtual Operation Available for AI Beta Test Drivering of New Future Programs.

      Is LOVE, a Live Operational Virtual Environment for the Future in Greater IntelAIgent Games Play with Newly Mined and Minted Memory Expanding upon Novel Future Source Supply.

      And Made Freely Available for Heavenly Use in Devilish Misuse and Diabolical Abuse.

      You will have to use your most excellent thoughts to fully appreciate the Tormented and Tempestuous Blisses for InterNetional Rescue Servering Services there.

      El Reg,

      You might like to think to be concerned or excited because the AIMachine is Running ITself In with Information for and from Wells Deep within Collapsed Star Systems/Distressed SCADA Operations ...... and IT Goes Deep See Phishing for Future Harvest Suppliers of Prime Providing Product.

      The Money Shot Question is .... Who and/or What Provides the Future with Extra Terrestrial Tales to Follow and Realise? Man or AIMachine? Global Operating Devices or Humanised Beings?

      Be that for Earthly Experience or Alien Existence?

      1. amanfromMars 1 Silver badge

        Re: the Present Almighty Powerful Current Energy Situation which Fools Dismiss with Abandon

        The Money Shot Question is .... Who and/or What Provides the Future with Extra Terrestrial Tales to Follow and Realise? Man or AIMachine? Global Operating Devices or Humanised Beings?

        Be that for Earthly Experience or Alien Existence?

        And can they all be as one and the same and lead with a completely different and overwhelmingly virulent perspective in the true, easily virtualised and private pirating nature of things ‽

        The posit here of course is, of course they can, and therefore are already deeply embedded and seamlessly working stealthily with and within future technologies which your doubts and dismal dismissals are clearly providing damning evidence of a catastrophic general lack of specific knowledge and greater intelligent awareness in what are novel quantum fields of universal communication with Mighty Stupid Dumb Operating Systems and Remote SCADA Command in Virtually Practical Control Centres.

        Such easily provides and protects All Creativity with Any Prime Disruptive and/or Destructive Source with both Intangible and Invisible Forces against which there are never effective available defences.

      2. Cliff Thorburn

        Re: I actually did the reverse once..

        I often wonder if the world has reached the brink of insanity amFM, and over the Xmas period wholly considered whether there was any actual future at all, or whether an abrupt end may be the almighty way forward.

        Event + reaction = outcome, the events being those both created and presented by others.

        The Running Man was never created with no one to run.

        1. amanfromMars 1 Silver badge

          What do you Want? A Future Soft Armageddon or Hard Apocalypse Now? It's make up your mind time

          I often wonder if the world has reached the brink of insanity amFM, and over the Xmas period wholly considered whether there was any actual future at all, or whether an abrupt end may be the almighty way forward. ... Cliff Thorburn

          How about fighting fire with fire, CT, and dousing insanity with a tailored madness and mayhem to render an almighty way forward in CHAOS with Clouds Hosting Advanced Operating Systems.

          amanfromMars [1812271713] .... beta testing hot spot springs on https://www.zerohedge.com/news/2018-12-27/something-wrong-deutsche-bank-spots-odd-market-divergence

          Perhaps AIDisturbance Spot Markets Pimping and Pumping Advanced IntelAIgent Systems are the Opportunity to Seize and Sequester ...... A Question for Mullers and Mullahs Alike re Future Years in Play .... if Crashing and Crushing Capital Base Markets in The Older Way of Doing Great Things with Sublime Orders to Nth Degrees?

          Certainly not doing anything new or very little different in the future is going to change nothing in the present so that the past and its cronies can reap the whirlwind and milk the cash cow ..... but that only remains the status quo position whenever in absolute practical command and remote virtual control of hearts and minds capturing narratives .... and that is certainly made no easy great task nowadays with so much greater intelligence available to look into and out the tales which mass mainstream multi-media moguls sell as news, both fake or otherwise, to server to arrogant puppet state investors and ignorant muppet hordes alike.

          It is not as if it is too difficult to do easily with all of this new fangled and entangled virtual technology at our fingertips.

  2. defiler

    Mid 1990s at a solicitor

    They had Netware 3, so it was an IPX network. Then there was an IPX->IP gateway, which (of course) logged website access. One of the senior partners was flagged in the logs on gay porn sites (interesting because he was married with kids), during office hours, and frequenting the subscription areas (which were paid with his company card).

    We passed it up the chain as an external IT provider. The Managing Partner mentioned porn browsing (at the time she didn't know it was gay subscription whatever blah blah), and half the room went very pink and quiet, apparently.

    Yeah - we use WebTitan these days - MITM for HTTPS. The cert is deployed by GPO. Fun, fun, fun...

    Merry Christmas!

    1. Danny 14

      Re: Mid 1990s at a solicitor

      Diladele here with MITM. Again set as a subCA. Our VLAN guest network has the same filter levels; as part of the documentation, staff have to install the subCA root cert or they don't get HTTPS (so most of the internet really). We DPI block VPNs too. Sure there will be some way around but we are an educational establishment so we need to be strict.

  3. a_yank_lurker

    Trying to avoid the Wrath of Swambo?

    So surfing porn either will get you fired or divorced; both can have nasty financial consequences. Logs and browser histories are available to anyone who knows where to look or stumbles upon them. So unless you can guarantee absolutely your tracks are clear you might be heading at the door literally.

    1. Jeffrey Nonken

      Re: Trying to avoid the Wrath of Swambo?

      Depends on the spouse. I used to share my porn with my wife.

      1. Nick Kew

        Re: Trying to avoid the Wrath of Swambo?

        Now that you mention it, I recollect something akin to the reverse.

        Was introduced to the Kama Sutra at age 19. Girlfriend shared it with me, not vice versa.

    2. I3N
      Coat

      Re: Trying to avoid the Wrath of Swambo?

      I'll add a third ...

      The Executive Director would meet with some of us as a group or participate in presentation training ...

      Remember he told a story of getting a call from a wife about her husband who hadn't come home from work ...

      Husband was found in front of computer with his pants down ... what was on the screen wasn't shared ...

  4. chivo243 Silver badge
    Devil

    Educated Users!

    Our users think we see everything they do. Now I wonder how they got that idea?

    Simon, do you want to say a few words?

  5. Terry 6 Silver badge

    In education

    Blocks tend to be very strict. Not surprising. But on one occasion I was forbidden access to a site containing Roman mosaics. I assume there were some naughty bits of ceramic tile in there.

    My favourite, I was trying to find a suitable cartoon for a training session. I was forbidden some sites because the content "included humour"..

    1. A.P. Veening Silver badge

      Re: In education

      Let me guess, the blocked comic site was Dilbert. The reason that one truly is forbidden, is because it lets us know the real truth about managers (who have their sense of humour surgically removed when they sign the contract to become manager).

      1. Fatman
        Happy

        Re: In education

        <quote>The reason that one truly is forbidden, is because it lets us know the real truth about managers (who have their sense of humour surgically removed when they sign the contract to become manager).</quote>

        The contractual lobotomy, the prime reason why I turned down a promotion to manglement.

        Anyway, it is more """fun""" to take cheap shots at them, rather than having ones taken at you.

      2. Chris King

        Re: In education

        Back when Dilbert was published in the Today newspaper in wobbly EddieShahVision, we used to have a "Dilbert Rota" for pinning the latest strip on the notice board if that day's strip was relevant.

        The other guys on the rota were a fair bit taller than me, so I had to take a running jump at the board to pin it at a suitable height.

  6. dnicholas

    I've never worked anywhere that could afford to sack 40+ staffers in one go, must have been a big bank

    1. jake Silver badge

      Odd.

      I've rarely seen a company that wouldn't get along just fine with 40 to 60% of middle management shown the door.

      1. Alvar

        Re: Odd.

        I've rarely seen a company that wouldn't get along just fine with *the right* 40 to 60% of middle management shown the door.

        FTFY

        Unfortunately it's not usually the right ones that leave :(

        1. Killfalcon Silver badge

          Re: Odd.

          It's like that famous quote about advertising. "I know 50% of my advertising money is wasted, the trouble is I don't know which half".

          Except with middle management, the ones you most want rid of are basically only doing one thing: whatever convinces their superiors that they're the Good Ones. The ones who fail the metrics, who lack 'visibility'... those are either utterly useless (which does happen!) or too busy doing important stuff to make sure they look like they're doing important stuff.

        2. Alan Brown Silver badge

          Re: Odd.

          "Unfortunately it's not usually the right ones that leave"

          Exactly this. Companies offer voluntary redundancy and the smart/valuable/close to retirement staff are first to sign up because they know they can go somewhere else (or be hired back for double the money in some cases)

          One company I worked for attempted to stop this happening and was informed in no uncertain terms that voluntary redundancies meant just that (can't refuse any until you hit your numbers and can't "encourage" certain individuals to go)

  7. Anonymous Coward

    I've taught people about searching for *.jpg and reminded them that work emails should never be used for personal ones no matter how frisky you're feeling. This was back in the day mind you and to be fair I've never come across anything dodgy.

    1. Anonymous Coward

      What a boring comment.

  8. Anonymous Coward

    Here at [RedactedCo], it's in the agreement every employee signs before they get their network access enabled that Internet and email access are for work use; we do have some locked-down 'kiosk' machines set up in the break areas for employees to access the internet from (ostensibly to access external sites for benefit-related things such as retirement funds, healthcare, etc.), and for the large part, our employees are actually pretty good about not looking at adult sites.

    As the admin of both the internet filter and the email system, I generally don't go on random searches, because a) I'm paid to do other things; and b) there's various rules around it, not to even mention the ethics of looking up someone's browsing history for no good reason.

    Most people here are also aware that we use a filtering appliance to both keep people from looking at sites that are malicious, and are productivity sinks. (social media namely, but we do block youtube for some groups of employees.)

    Anon to protect my paycheck.

    1. dnicholas

      My firewall does the naughty list for me. Never seen anything sack worthy, I do randomly drop that all internet usage is monitored to certain folk, for their own good

    2. Christoph

      "productivity sinks. (social media namely, but we do block youtube for some groups of employees.)"

      I trust you also block TVTropes?

  9. Anonymous Coward

    Porn in emails

    My first job after uni, my mates had my work email address and I often found myself on mass mailings of porn. One friend was sacked from his work and the mass mailings soon stopped.

    Nowadays I no longer give my work email to friends, luckily I no longer receive any porn by email to any of my personal accounts.

    It’s amazing how many places permit ssh to anywhere.

    Properly locked down comms, with no default routes to the net & passing all user offsite traffic through a proxy is the way to go but more and more places are turning to the cloud and needing quad 0 out :(

  10. earl grey
    Joke

    staff sacked

    I tried to keep the staff away from my sack...just sayin'

  11. Anonymous Coward

    Perhaps they should apply the same rules on PCs on the Parliamentary Estate

    and sack any offenders they find, rather than Blackmailing them to prop-up the continuing reign of Theresa Maygabe.

    1. Spanners Silver badge
      Big Brother

      Re: Perhaps they should apply the same rules on PCs on the Parliamentary Estate

      Is there such a thing as porn in Latin or Ancient Greek?

      I've certainly seen some dodgy mosaics and pottery!

      1. Anonymous Coward

        Re: Perhaps they should apply the same rules on PCs on the Parliamentary Estate

        Is there such a thing as porn in Latin or Ancient Greek?

        There is certainly an ancient greek word for it.

      2. A.P. Veening Silver badge

        Re: Perhaps they should apply the same rules on PCs on the Parliamentary Estate

        "Is there such a thing as porn in Latin or Ancient Greek?"

        If you can think of it, the ancient Greeks had a word for it.

        1. defiler

          Re: Perhaps they should apply the same rules on PCs on the Parliamentary Estate

          If you can think of it, the ancient Greeks had a word for it.

          Rule 34, isn't it?

          1. Adrian 4

            Re: Perhaps they should apply the same rules on PCs on the Parliamentary Estate

            Rule XXXIV, isn't it?

            ftfy

    2. Doctor Syntax Silver badge

      Re: Perhaps they should apply the same rules on PCs on the Parliamentary Estate

      Which rules would those be? Rules that allow MPs' communications to be monitored? Good idea - until you want to write to your MP about something confidential. What was that? You don't think you should be monitored when you communicate with your MP?
