back to article Attention sysadmins! Here’s how to dodge bullets in a post-Ashley Madison world

If the Ashley Madison saga has taught us one thing – well, many things, but one main thing – it was never, ever, ever use a work email account for personal pursuits online. Once trawled, data from the leaked site revealed that thousands of those with Ashley Madison accounts – presumably men, given the site’s overwhelming …

  1. Chris Miller

    This means things like paying your credit card bill or doing some other non-work related item should be avoided. People can and do use company IT to access their email.

    You should also be aware that using SHTTP won't protect you from the systems administrators, who will (if they're competent) have installed a trusted certificate on your (company) system so that everything can be decrypted (and then, hopefully, encrypted again) at the firewall. How else can they be sure you're not posting customer data to a competitor?

    1. Destroy All Monsters Silver badge

      They must be REALLY competent to do MITM attacks on HTTPS. Unless they have subverted the browser. I think there are laws against that. In Europe, this would be "workplace surveillance" and is a no-no 110%.

      1. Chris Miller

        Every single 'data leak prevention' device works this way. Unless you prefer to believe in magic bunnies.

        If you don't have control over your list of trusted root certificates (and if you're using a machine belonging to someone else, this is almost certainly the case) anyone can insert their won and then forge a certificate for Google.com (or any other site at all) and you'll be none the wiser (unless you look carefully at the full trust chain). No 'cleverness' required.

        1. Chris Miller

          Erratum

          For 'won' read 'own', throughout.

      2. Tom 38 Silver badge

        They must be REALLY competent to do MITM attacks on HTTPS. [...] In Europe, this would be "workplace surveillance" and is a no-no 110%.

        You don't have to be that competent to install an extra root certificate via AD. As to legality, it would be a no-no except...

        when you joined the company you more than likely signed a contract that effectively stated that the company reserves the right to monitor any and all usage of their infrastructure

        which means, if the target agrees to your monitoring of their activities before you monitor them, its not illegal.

        Don't forget point 5. Anything you do on a company supplied computer or network is fair game.

        1. Adam 52 Silver badge

          " the target agrees to your monitoring of their activities before you monitor them, its not illegal"

          Nope. Still illegal. Still criminal. Even if you've told someone the little green padlock gives them a "reasonable expectation of privacy". There have been plenty of court cases confirming that you can't just monitor everything, you need a good reason to monitor a specific individual.

          1. Wzrd1

            "There have been plenty of court cases confirming that you can't just monitor everything, you need a good reason to monitor a specific individual."

            We monitor *everyone* and we're international.

            We *check* when there is a suspicion of something awry, such as malware, a chap from the UK logging in from China, etc.

            I've even retrieved e-mails via pcap, as they were avoiding our mail server. Turned out it was malware trying to spam.

            We've also retrieved e-mails from our e-mail processing software, deleting spam and malware spear phishing employees.

      3. BlartVersenwaldIII

        > They must be REALLY competent to do MITM attacks on HTTPS

        Nope, it's a doddle and has been pretty much standard on all commercial proxying kit for years. It's needed for a) scanning for data leakage and b) checking SSL-enrypted streams for malware payloads (otherwise your hugely expensive scanning proxy would be useless if malware vendors deigned to use HTTPS, which they do).

        * All company desktops talk to t'internet via a proxy

        * Proxy has an SSL cert on its internal interfaces signed by MYCOMPANY CA

        * All company desktops have the MYCOMPANY CA cert chain installed

        * Therefore every connection from a client machine to the proxy can be SSL encrypted, but the admins have the private key for the MYCOMPANY CA certificate and can thus decrypt the traffic

        * NIC on the external side of the proxy connects to https://somesiteorother.com and passes along your re-encrypted HTTP stream

        Compliance laws mean that the company will always tell you that confidential (private) stuff isn't necessarily private and they routinely snoop on it and that if you don't agree with this then to use a different internet connection. Common courtesy at least in the places I've worked (and this should also be detailed in the company correspondence) is that common personal-private domains, such as internet banking, don't have their SSL intercepted.

      4. SImon Hobson Silver badge

        > They must be REALLY competent to do MITM attacks on HTTPS

        No, they just need to be competent enough to locally generate a server key and associated certificate for "*" (that's "everything"). Install the certificate on the clients, and they'll trust your proxy box for absolutely everything without any warnings whatsoever. The only user visible difference is that they won't get the "green bar" or whatever their browser normally gives for EV certificated sites.

        Given that this is work equipment being talked about, installing the client "root" certificate is trivial as well.

        It is neither hard nor time consuming to do. Doing so will also mean that anyone bringing in "non company" equipment and connecting to your network will gets loads of certificate errors (namely, every ssl enabled site will throw an error) which ought to frighten most people off.

        1. Anonymous Coward
          Anonymous Coward

          but you have to prevent the use of Chrome

          Since Google, sorry: Alphabet, preloads their CA list, it will flag your internal CA, unless you purchase a sub-CA certificate from a public CA.

          1. Crazy Operations Guy Silver badge

            Re: but you have to prevent the use of Chrome

            Any place that does MitM packet inspection would block any encrypted packets going out the internet that couldn't be read. People using Chrome would be completely screwed and might complain, but then IT would just list Chrome as unsupported software and just go about their day. Security will always trump the preferences of the users.

            Plus, the enterprise version of Chrome allows installing whatever root CA you want, so companies could still do all the packet scanning they want while only inconveniencing people that installed their own copy.

            1. Wzrd1

              Re: but you have to prevent the use of Chrome

              " Security will always trump the preferences of the users."

              Yep, this BOFH turned information security chap has uninstalled undesired software via its product SQUID. Pushed the instruction out via SCCM, called it a day after reviewing remote logs to confirm removal.

    2. Vic

      You should also be aware that using SHTTP won't protect you from the systems administrators, who will (if they're competent) have installed a trusted certificate on your (company) system

      My personal webmail server has a duff certificate for exactly this reason - if I don't get a certificate warning, I know someone is eavesdroppping. If I do get a warning, I can compare the cert thumbprint to the one I carry in my wallet...

      Vic.

    3. LucreLout Silver badge

      @Chris Miller

      Firstly, hello to my sysadmins. I'm not doing anything neferious with the works gear, so feel free to check. However...

      Chris - I have a question if you or others have time to answer it please?

      You should also be aware that using SHTTP won't protect you from the systems administrators, who will (if they're competent) have installed a trusted certificate on your (company) system so that everything can be decrypted

      How would that present itself to a user in the browser? I'm thinking it would show itself in the certification path? Or does it not appear at all?

      If we take Amazon as an example, I see a verisign root cert, followed by a verisign class 3 cert, followed by amazon.co.uk I don't see my company certs anywhere.

      1. Chris Miller

        Hi LucreLout

        There'd be nothing obvious in the browser (HTTPS still green, no big red bar) because the certificate authority issuing the 'fake' Google (say) certificate will have been inserted into the list of trusted CAs on your system (assuming no BYOD or other stuff going on). If you actively check the certification path (which 99.99% of users won't, of course) it will show the actual CA, which will normally say something like "Megacorp" (if that's who you work for) or "Cisco" (if that's the device doing the spoofing).

        If, as you say, you check the certification path and it all looks valid, including a Verisign (or other major CA) at the top of the tree, it sounds to me like there's no spoofing going on. It's possible that the root CA is fake, but has been carefully made to resemble a valid one, but I can't see any reason (other than pure devilment) why anyone would bother!

        As others have said, in most cases if you can't or don't want to accept the CA, you won't get any HTTPS access beyond the firewall (that's certainly how I'd recommend my clients to configure things).

        The point of all this is not so the BOFH can read all your billets-doux to your mistress (most of them are a bit too busy for that), but (mainly) so encrypted malware can't sneak past the virus checker, and (secondarily) to make it more difficult for sensitive information (maybe simply personal data) to be sent outside the corporate boundary.

        But you have to remember that any large organisation (say more than 1,000 people) is highly like to contain at least one {insert illegal activity of choice here}, and you can't risk the local plods breaking down the server room door, because "we've reason to suspect ..." Back in the dim and distant, when I was gainfully employed, rather than a consultant, we found one of our staff was posting on bulletin boards how they wanted to "kill kafirs". I'm 90% confident that he was just acting big, but we felt we had no choice but to dob him in, anyway. The police raided his house, but didn't find anything - he lost his job, though.

        1. LucreLout Silver badge
          Pint

          @Chris

          Thanks for taking the time to reply.

          If, as you say, you check the certification path and it all looks valid, including a Verisign (or other major CA) at the top of the tree, it sounds to me like there's no spoofing going on. It's possible that the root CA is fake, but has been carefully made to resemble a valid one, but I can't see any reason (other than pure devilment) why anyone would bother!

          Yeah, I checked it, and it looks ok. They quite probably have carefully assembled a fake cert, as much as an intellectual challenge as for any need to convince me they haven't. It's a very big company with a huge Ops presence. It's what I'd do in their shoes.

          The point of all this is not so the BOFH can read all your billets-doux to your mistress

          With working full time, a lengthy commute, a wife & small kids to keep happy, and a million other things going on, I've not got the time, the energy, or the inclination for one of those. I blame middle age.

          but (mainly) so encrypted malware can't sneak past the virus checker, and (secondarily) to make it more difficult for sensitive information (maybe simply personal data) to be sent outside the corporate boundary.

          The first one I'll give them, the second one is the stated intention, but there's a mile wide hole in the remote connectivity process that means I could circumvent much of their checking. There's a second not so wide hole in the setup that I've used only for wholly legitimate purposes (sending training notes home after courses, for further study).

          I've no problem with any of it. The company own the kit and they own the data, the code, and all my other output. Plus, I've always viewed moving employers as an opportunity to ditch my older code and rebuild it with the knowledge I acquired first time out. I just have an interest in how things work, so thanks again for your input.

  2. Hud Dunlap
    Facepalm

    Why do people use work email for personal use?

    I could understand it in the old days. Now I just use my phone.

    1. Anonymous Coward
      Meh

      Re: Why do people use work email for personal use?

      Not everyone has a smart phone.

      Many are banned in various places.

      Don't have data allowance's

      Personal / Work lines blurred.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why do people use work email for personal use?

      I would guess a work email helps ensure that the spouse doesn't see unwanted mail accidentally...

    3. Jason 24

      Re: Why do people use work email for personal use?

      We recently went to migrate a customers domains and emails onto our server to run hosted exchange for them.

      Just as we were about to press the big red button someone noticed that ex wives and all sorts were still using their old work email address for their personal email and had their entire lives tied into that domain, and so moving them all was just a big no. The cost and security risk to us in allowing people who did not have a commercial contract with us access to the servers just didn't add up.

      So the company set up a new domain minus an "S" and have switched their main email addresses to this. Lord knows what headache that is causing them.

      1. Anonymous C0ward

        Re: Why do people use work email for personal use?

        What should have happened is you go right ahead with the migration, tell anyone it causes personal problems for to come and see you on a case-by-case basis, and hand them an official written warning.

    4. Wzrd1

      Re: Why do people use work email for personal use?

      I never use my work e-mail for personal use. Too big of a risk. I do check my personal e-mail, but that is tested on a read-only VM.

      If that gets compromised, it's only compromised with private e-mails between myself and my family until COB.

  3. Smooth Newt Silver badge

    BYOD...

    ...is also a really bad idea if you want to firewall people's work lives from their personal ones.

    1. Crazy Operations Guy Silver badge

      Re: BYOD...

      Indeed. One of my favorite clients put a ban on BYOD. You can plug your devices into the guest wireless all you want, but that network is a completely separate network from the corporate network and is connected to the internet using a business account from the local ISP.

      As for the corporate network, all internet access requires a whitelist exception for both endpoints. Any exception also requires that whoever owns the remote system sign a contract that requires a 3rd party annual security audit.

      For remote access, it must be done on a company-issues laptop that has had secure-boot turned on (Which only has a key for the company-customized / compiled Linux kernel). All the smartphones are set-up to proxy all voice and data traffic through a company-run proxy / PBX. That way if anyone wants to have access to their personal stuff and work stuff, they carry two devices. Beside, devices are so small and light nowadays that there really isn't an excuse for not carrying a second one.

      --goddamn do I love defense contractors...

      1. Wzrd1

        Re: BYOD...

        "--goddamn do I love defense contractors..."

        I remember when the US DoD banned all USB mass storage, as it cost them multiple billions of dollars cleaning up a bit of cyber spying malware kit.

        Where I worked, no mobile devices were permitted, we had a locker outside to store them in.

        You won't imagine the delight when I had AD shutter all USB mass storage on the base!

        1. Crazy Operations Guy Silver badge

          Re: BYOD...

          Mobile devices were allowed for the simple reason that if we allowed the users to play on their own kit, they were far less inclined to try and get around the protection we put in place.

  4. Anonymous Coward
    Anonymous Coward

    The email dilemma

    If you ban webmail, then users are going to be tempted to use their work mail for all their non-work related crap. But it you allow webmail, then it effectively bypasses all the security you have in place. almost all the mail-borne malware contacts we see are through webmail.

    We're fairly relaxed about what we allow users to access, we trust users to exercise good judgement. We like them to restrict their non-work internet use to outside working hours, and of course we block things like porn and other high-risk sites. And ads. This approach makes people a bit happier..

    ..but of course there are always some who utterly, utterly take the piss. I've seen things you people wouldn't believe.

    1. ciaran

      Re: The email dilemma

      In France if you ban webmail then the work mail becomes "private", you're not allowed to monitor it.

      Webmail is good, it helps enforce the separation between work and play.

      Also, for email addresses, doesn't everyone use Trashmail?

      1. Anonymous Coward
        Anonymous Coward

        Re: The email dilemma

        Also, for email addresses, doesn't everyone use Trashmail?

        Nope. Spamgourmet here :)

      2. LDS Silver badge

        Re: The email dilemma

        No, unluckily webmails are pure evil, from a company point of view. They are an open door to let each and every company data go outside, and let each and every treat come inside, with no control (unless you proxy and check everything there too).

        One solution, yet expensive and not very comfortable, is a kiosk separated from the company LAN. But really, if you're so bound to your private email, and you don't own a smartphone today, there's really something wrong.

    2. TonyJ Silver badge

      Re: The email dilemma

      This is one of the [many] reasons I've always liked the AppSense product range.

      By using a trusted ownership model, it stops things being executed unless said file is owned by a named trusted owner. So even if a user is in a position to download something, they cannot by default run it.

      This allows users the use of their personal webmail/email accounts and as long as the rule about non-admin account use is followed adds a pretty bullet-proof layer of security that pretty much works straight out of the box.

      What's more, it's not just for Citrix/RDS and hasn't been for some time.

    3. Wzrd1

      Re: The email dilemma

      I had to have a sysadmin fired. He kept checking his gmail on servers on a US DoD network.

      He was repeatedly warned as well!

  5. Anonymous Coward
    Anonymous Coward

    Can I suggest that people don't put password reset tools in play?

    I'm not being funny but if you think I'm going to give my mother's maiden name/pet name/first school etc... to my work login then you are mistaken.

    To be honest every place and I mean every place I've worked (some very big multinationals) it is a simple phone call with zero checks to reset a password, I would look at that massive security hole if I were you as it would be easy to obtain an I.T. phone number and username. Give it a try today and see if your own company is that easily fooled. You employ first line support monkeys you get peanuts.

    1. Anonymous Coward
      Anonymous Coward

      "Give it a try today and see if your own company is that easily fooled." -- AC

      Giving it a try make well be illegal in some jurisdictions; pretty sure it is in the UK. So whilst giving it a try is a good idea, following the correct procedure before you do is an even better one.

      1. Anonymous Coward
        Anonymous Coward

        Of course but if it's the company you work for and your own username you are just checking if any controls are actually in place. I wouldn't condone attempting this with random ltd.

        My point is that while it's all well and good having all these measures in place such as strong/changing passwords we all know the weakest link is 1st line support and password changes. I'm pretty sure that every 1st line support will reset your password to Password01(Sometimes with a !) which in itself is a security problem.

      2. Anonymous Coward
        Anonymous Coward

        Only if you impersonate someone else - you could always ask to reset your own password.....

        I recently had to do this via a shared service centre for a corporate account - no security questions

        Me: 'I can't log in and after 3 tries I'm locked out, and I need to get this done this evening'

        Me: 'My user id is xxxx'

        Them: 'OK - we have reset your password to yyyy'

        Me: 'Thanks'

        They might have used caller id on my phone, but that's hardly ultra secure. Still, if they hasn't actioned my request that would have had it's own costs and risks - so maybe they weren't too cavalier.

        1. Anonymous Coward
          Anonymous Coward

          I think the solution would be simple checks on information that should already be stored,

          What is your full job title?

          What is your location?

          When did you join the company?

          Do you drive a car? what is the reg no?

          Although these aren't foolproof they would go someway to stopping it.

          1. D@v3

            password re-set security

            don't know about other places, but here, we generally recognise the voice of the person asking for a re-set.

            If we can't audibly confirm who it is, we take other methods to authenticate

            1. Anonymous Coward
              Anonymous Coward

              Re: password re-set security

              don't know about other places, but here, we generally recognise the voice of the person asking for a re-set

              We employ 3000 people, Good luck (although to be fair, it is usually the same muppets)

              1. Wzrd1

                Re: password re-set security

                "don't know about other places, but here, we generally recognise the voice of the person asking for a re-set"

                We have around 100000 users. No way in hell to remember all of those.

            2. Anonymous Coward
              Anonymous Coward

              Re: password re-set security

              don't know about other places, but here, we generally recognise the voice of the person asking for a re-set.

              If we can't audibly confirm who it is, we take other methods to authenticate

              Do you have, like, ten users?

              1. D@v3

                Re: password re-set security

                few more than that, but like Lost all Faith said, it's almost always the same, err, people

          2. Anonymous Coward
            Anonymous Coward

            What is your full job title?

            God knows, something in no way related to my actual job

            What is your location?

            At home, why?

            When did you join the company?

            Far to long ago to give you any sort of accurate date

            Do you drive a car? what is the reg no?

            Yes and it's not on any system you have access to.

          3. harmjschoonhoven

            Do you drive a car?

            What is the chassis number?

            FTFY

    2. Vic

      every place I've worked (some very big multinationals) it is a simple phone call with zero checks to reset a password,

      I worked for a place a while back who did a password reset[1] for my with some (albeit minimal) identity checks.

      At the end of the conversation was the most phenominal line ever - "We will send you your new password by email"...

      Vic.

      [1] I'd been contracting there, then left for a while. When I came back, my account had been locked for inactivity.

  6. Destroy All Monsters Silver badge
    Windows

    This means things like paying your credit card bill or doing some other non-work related item should be avoided. People can and do use company IT to access their email.

    Yes they do. Because when you get out of work, shops are closed, state employees have left about 6 hours earlier and with luck you can get a sammich at the petrol station...

    1. Anonymous Coward
      Anonymous Coward

      Indeed, the reality is that people spend a third of their lives at work (a lot of which is time wasted as most people brain isn't great at focusing for that long without R&R) Then chuck in an hour either end of the day to get to work.

      So cryptolocker got in via the users personal email - why didn't the local AV pick it up? Why was the users machine left on over the weekend? Why was the user able to run unsigned executables? etc...

      It's coming up with the right balance of personal freedom to disengage their brains for sanity reasons and protecting people from themselves. Now a lot may be achievable with a mobile, but then a lot of buildings kill almost all signal.

      Anyway it's a touchy area that can seriously damage moral if done wrong, and company moral collapsing can be just as bad the odd breach.

      1. dotdavid
        Headmaster

        "Anyway it's a touchy area that can seriously damage moral if done wrong, and company moral collapsing can be just as bad the odd breach."

        Company moral collapsing, in my experience, can lead to excessive monitoring and a subsequent collapse of morale :-P

      2. Mark 85 Silver badge

        Why was the users machine left on over the weekend?

        Many places insist on this as remote "start" doesn't work. Weekends are when the updates are run and, at least where I work, we have less problems on Monday morning if the computer has been left on rather than shutdown on Friday.

        1. Anonymous Coward
          Anonymous Coward

          That's why I have two machines both with rdp and the bios set to wol and restart after power cut...

          If you work from home as I do you soon learn these tricks, one machine can restart the other on a crash.

          Another attention for sysadmins is please don't leave the admin password in a txt file after installing, also when you set your permissions up on active directory lock down the installations folder. Lazy lazy sysadmins....

          1. Mark 85 Silver badge

            I'm not the guy(s) who set this up. They had "issues" with wol and unattended rdp. The wol was hardware/firmware issue that can't be resolved and the rdp is paranoia. Given the way things have been lately, I don't blame them on paranoia.

            1. Anonymous Coward
              Anonymous Coward

              Besides, if you're afraid something bad will happen to a machine left on over the weekend, don't even turn it on during work hours.

              1. LDS Silver badge

                No, during working hours if something bad happens, people usually notice something. 48+ hours of fully unattended machines are more dangerous.

                There are also other types of damages and risks - in at least two occasion where I was working there was water "floods" from the ceiling - machines turned off risk far less than those left on.... there could be also elecrical issues if not all devices are under UPS. Or AC may stop working while left on PCs churn out heat. To keep devices running 24x7, you need the proper environment, otherwise it's just an hazard, under many point of views.

                1. Anonymous Coward
                  Anonymous Coward

                  It's pretty silly to leave a desktop on 24x7 without good reason as it will chew up power. Which is bad for the companies power bill and the environment. Power is a big cost and there are simple things that can be done to bring it down. What's the point in a company having motion detecting lights if everyone is leaving their computers on?

                  1. LucreLout Silver badge

                    @AC

                    It's pretty silly to leave a desktop on 24x7 without good reason as it will chew up power

                    My works PC runs 24x7x365. I never know when or if I'll need to dial in to rectify something or assist someone with something they really ought to know how to do. Security aren't allowed to turn on our PCs for us if we call them out of hours, so there's not a lot of other choices.

                    Sure, there's lots of alternatives that we could be doing but they all cost time & money, and are "strategic decisions" above my pay grade.

  7. Anonymous Coward
    Anonymous Coward

    Paying a CC bill (mine has a min payment DD set up so I don't need to worry on a specific date) and checking mail is something that you can and should do on your own kit during lunch/after work, it simply isn't time sensitive. People know I have a dedicated "mobile" address for really urgent stuff - but its still better to text me - the mobile address is the only one in my phone, anything else can wait till I am home.

    I have never understood why people tie so much of their lives to a company email account, the company could go belly up tomorrow you could be made redundant/ fired.... employment is not guaranteed to remain forever. Then you have to "unknit" your life from the company address - and this could be at short notice.... especially if your personal use is responsible for a major incident happening in the firms IT.

    My Partner works for a UK govt Department, No personal email is transacted by him through them, in fact he doesn't even use the onsite internet access that is allowed during a work break, much better to use your own access on your own equipment and avoid all contact with the onsite protocols and rules governing personal use - aka - "If I don't use it - I cant run afoul of it". Whatever hits his inbox comes from the "business" of the Department so he cannot be held liable for this traffic - much of which comes from other offices - its a core part of his job.

    Seriously, if you wanna play - bring your own marbles.

    1. James O'Shea

      In times past I would do things like check personal email, banking, etc., using MY personal laptop (not company issue) and a connection which went via a USB stick from MY personal cell phone account which wasn't with a cellco that the company did business with. I made very sure that the laptop only touched company networks when I actually wanted it to and when I was actually doing company business. I have replaced the USB stick with an iPad and a tethering arrangement, again one which _I_ pay for, not the company. The company does not need to see my personal business.

      There was one idiot who tried to suggest that the company had an interest in anything I did on company time; my reply was that did these things while on break, and was therefore NOT on company time. My machine. My connection. Not on the company net. Bite me. M'man's main objection appeared to be that I was 'bypassing' the blocks set on accessing certain sites (no, not pron sites, though those were blocked too, and not Arsebook or similar sites, also blocked; m'man had a problem with 'hacker sites', including el Reg. Be proud, El Reg, you're known as a dangerous hacking site, at least amongst the dimmer bulbs out there. Just don't be too proud, CNET's on the 'hacking site' list too.) I pointed out that I wasn't bypassing a damn thing, I was using my own connection, the company's net was unpolluted by contact with the nefarious hack sites that are El Reg and CNET. (Not that I spend much time at CNET...)

  8. chivo243 Silver badge
    Meh

    I know people that...

    ...tie so much of their lives to a company email account"

    1) Do not understand IT one iota.

    2.) Lazy.

    3.) Say\think "Nothing I do is cause for alarm."

    4.) "Everyone already has this address in their contacts."

    5.) "It's all too confusing."

    I could go into all the excuses I've encountered in my time, but I won't bore you with them, you've already heard them.

  9. Anonymous Coward
    Anonymous Coward

    Cryptolocker

    ... that was a weekly occurrence when I worked at the NHS.

    Am I not supposed to open the attachment from Bank of America?

  10. Bill M

    How about looking at The Register on work kit ?

    1. Tom 38 Silver badge

      Depends. If your boss is like mine, and views reading the register as part of keeping technically up to date (even these comment board malarky), then you're fine.

      If your boss views it as a waste of time, I'd do it at home (or get a different boss).

  11. Anonymous Coward
    Anonymous Coward

    I know of someone who had his car registered at the dvla to his office desk, and also applied for a large personal loan giving that as his residential address. That for me takes some severe beating in the "not operating any seperation at all between work and personal life" stakes...

    What was funny, was a few years later he was suddenly sacked for inappropriate behaviour to some female member of staff. Must have been fun sorting the aftermath of that one out.

    Work pc for professional clienty stuff only here, personal for other with own connection and the only thing joining the two is the kvm. I get more spearphising and malware on the clients equipment as it goes.

  12. Nate Amsden

    I'm sure I'm an edge case

    1) I've hosted my own email for the past 19 years, currently on a 1U server in a co-location facility(for the past 4 years or so). Running Postfix + Cyrus IMAP on Debian.

    2) I have at least a half dozen domain names where my email addresses are scattered about.

    3) I have roughly 340 email addresses (of which about 120 are currently disabled since they haven't been used in some time, simply a comment character in the postfix virtual file). All 340 accounts are accessed using a single login(none of them have their own authentication credentials). I have about 75 different inboxes, again all accessible with one login. Inboxes continue to receive email whether or not I am "subscribed"(IMAP) to them. Some inboxes go months or longer without being checked(like my inbox for el reg). I used to have a 1:1 mapping inbox:address. Last year or the year before I started cutting down on the inboxes and just directing more addresses at fewer inboxes, just to reduce the labor involved, seems to work pretty well.

    4) I retired the email address associated with my email login ID (due to 10+ years of spam build up), so even if someone wanted to try you can't determine what even my username might be for email from my email addresses(didn't do it for security reasons just coincidence).

    5) I don't do the thing where people say my_email+someuniquestring@mydomain. My email addresses are all <some unique string usually tied to the organization I am dealing with>@(one of my domains).

    6) Have never worked at a company that did invasive internet monitoring, first job was the closest they watched http urls(well technically my friend who was in IT watched them the software was on his desktop, the most frequent abuser was one of the VPs trying to find european porn sites to get around the filter this was 15+ years ago). Obviously every company I have worked for I knew the IT staff well, even though I have not been in internal IT in 13 years(and never will be again).

    7) have never had a CxO come ask for a root password to anything, sometimes they have as a joke but they know they should not have that information and so do not pursue it beyond the joke phase.

    8) With one exception, all of my jobs I was responsible for installing the operating system on my own computer. That one exception I was not, but I had full admin rights(job ended more than a decade ago), and it ran Windows XP I think, I replaced the shell and other things to make it more linux-like, worked really well for me.

    9) My linux systems run firefox as a different user using sudo(transparently I just click the icon and it launches under a different user id). A little more secure, though it does take co-ordination some times managing downloads(e.g. I usually can't edit a document I download from firefox without changing permissions on it or copying it to another location).

  13. Anonymous Coward
    Anonymous Coward

    Has someone taken an emontion pill ?

    Come on folks - this is 2015....not 1995.....

    There was a car-hire firm in a fly-on-the-wall documentary about 5 to 10 years ago here in Blighty....they gave verbal warnings for sending a single non-work related email and fired for a second..

    Do we really want people to segregate their lives that much ?

    On a personal level, each company I have worked for (note, not in!) really doesnt care that much about what I do on the internet - as long as its nothing NSFW or dodgy....(e.g. I currently work in financial services and we aren't allowed to trade using the company network).

    Do I care if my own company is snooping on what Im doing - simple answer - NO....Ive nothing I need to hide - do I pay my creditcard....yes....but hey - as its not my bank account, they are welcome to pay off my debt anytime they like!

    Seriously though - there needs to be a bit of give and take - act like that abhorrent car rental company and folks will be unhappy and just leave....

    And working in the big banks, etc where due to reporting requirements, personal phones are banned in some areas and webmail is not allowed - then why not sign up for concert tickets, etc to your work email - just be careful what you click on...

    The problem comes with the less techy savvy lusers....and yes, I get it that some folks shouldnt be trusted with a Nokia 6210 let alone an internet connected PC....but in general, if things in the internal network are secured properly, that shouldnt matter...

    Should you use your work email for sex....errr no....and I dont care who you are, you should be immediately fired....

    Should you use your work email for cinema tickets, tesco.com login, hotels.com, etc - sure, why not .....just make sure you use a different password

    Also, the number of companies where my loginid is the same as my email address is shocking - there should be no correlation to me as a user.....and my email address noticeable....

    1. jonathanb Silver badge

      Re: Has someone taken an emontion pill ?

      I pay my credit card using the online banking app on my phone. Apart from anything else, it is much quicker than doing it on the website.

  14. LDS Silver badge

    One thing I forbid, unless there are good reason for that...

    ... is to keep people PC on outside working hours. Exactly because I want to make the window where a successful attack can go unnoticed for too long smaller. Moreover is often just wasted power, and most desktop/laptop hardware is not designed for 24x7 operations.

    Sorry if people have to reopen a few application and files... hibernate would work anyway.

    1. Anonymous Coward
      Anonymous Coward

      Re: One thing I forbid, unless there are good reason for that...

      .....this is okay when you provide the requisite infrastructure......

      For example - do you have a jump box available on your VPN so your users can wake their PCs up if they are working from home - or a windows roaming profile so that all their applications are available on a system they can RDP to ?

      The main reason I leave my windows PC on all the time at work is if I need to do something from home - which happens more than Id like....

      Being a windows BoFH is not a great plan for productivity.....and user friendliness in an organization and its precisely these dumb ideas of over-protective sillynesses that cause people to find even more stupid ways around things.....

      There needs to be a little sence and sensibilities - weighing up both security and productivity - its not about the 30secs someone wastes sleeping their PC, its about how folks use their systems...and how silly little rules harm the company.

  15. raving angry loony

    Dodge the bullet?

    The real way to dodge the bullet is to carefully document all the suggestions and requests for a budget to improve security (because it costs time and money to both obtain the right equipment AND configure things correctly, and keep them correctly configured in the face of multiple threats), and all the refusals by know-it-all managers who once read a marketing tract by Microsoft and believe THAT rather than the people they're actually paying to know the issues. Cries of "you're so pessimistic" and "you should be more of a team player" (which means: don't keep contradicting the utter dead-goat-fellating stupidity of management, although I admit calling the CTO an incompetent idiot in a meeting was probably politically incorrect, even if it was subsequently shown to be completely true, along with "criminal") will be thrown about rather than actually providing a budget or, heaven's help us, management support for any kind of security improvements such as, heaven forfend, passwords that aren't embedded in scripts written by the owner's second-cousin's hairdresser's nephew.

    Even then, you won't dodge the bullet. When the shit well and truly hits the fan because some manager or their favourite ignores the carefully crafted policies or demands (or worse, creates) a back door into the system, the sysadmins will yet again invariably be blamed for the mistakes made by management. It's as sure as the sun rising in the morning. Always have a backup plan for your employment, especially if you're stuck in that kind of environment for any length of time.

  16. UncleZoot

    It doesn't matter. Major corporations are ripe with people that even after getting a briefing on Spearphishing still has the same people violating policy.

    When the secretaries of most departments have user and passwords for their bosses because the boss is too lazy to read his own e-mail, nothing is going to change.

    My old system required mandatory PW changes every 30 days. I had access to more than 10 systems that didn't allow for using the same password or reuse of a password. You can't write them down, and can't by policy drop them on a thumb drive.

    The SOD's at phishme can't take a joke when you zip up their attack and then use another account to send it back. Pretty simple to just look at the headers and squash the attack.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020