September 17, 2004

Curious George: Spies everywhere? At a recent meeting, my boss said They are monitoring internet usage. I vaguely know there's stuff out there that can do this, but I avail myself of the vast technological expertise of the Monkeys: Is there a way I can tell if They really are doing this?? Many thanks...
  • Nope. Basically, the company can structure their network so that all incoming and outgoing traffic has to go through a certain machine to get through any machine in the building. This machine can look at the packets going by, but not change them, so it looks the same to everyone.
  • More details: If you have a decent number of people in your building, then you've got too much traffic to effectively look at all of it. You can filter it- say, pick out all the instant message traffic, or list all the servers people are connecting to (and then filter that for xxx words), or list all servers employee #285 is connecting to. Also, in some cases, anyone else on a network can do this. What you'd need is a packet sniffer, which looks at any packets that go by on the network. In some networks, all the machines are connected to each other in a big line. One machine sends out some packets and says they're intended for machine x. All the other machines can pick it up, but they ignore it unless they're machine x. A sniffer would look at what those packets are. This can be used for bad things, but sniffers are useful for ethical purposes like testing networking applications, analyzing and troubleshooting a network that is having problems, and detecting network-based attacks.
  • My IT experience is necessarily limited, but as I understand it, our tech guys monitor an individual's net usage in two ways: First, if you access the internet through a proxy server (which you probably do), IT can render a list of all websites that are visited by your login information - basically, an exhaustive list of every webpage you've accessed, the time you went there, etc. Once they have this and suspect that you are doing, ah, other things on the company dime with the company resources, then what they do is use a software program that allows them to passively view your desktop (ours is called "Remote Agent") coupled with a screenshot program, that takes pictures of what you are doing at regular intervals. They can also install a keystroke monitor, which records every keystroke you make, which I understand is popular but my company does not do. Anyway, once they are passively viewing, they can see everything on your screen and monitor everything you are doing as it happens, or leave the screenshot thing running and review the images later. Our company's policy is, non-work net usage within reason is ok, no gambling, no pr0n. The stated policy is "we are watching all the time," but the reality is that they only begin to monitor someone if (a) someone complains, or (b) there is a significant change in the person's work habits, enough to draw the attention of his or her superiors. Then they start watching. First offense is a warning; second is firing. We have had two firings, one each for gambling and pr0n, since we went net-live.
  • Most places have some form of proxy server, through which all internet traffic goes, both incoming and outgoing. Most proxy servers can generate logs, and there are tons of tools available to extract juicy information from log files. So, if they want to, there's absolutely no reason why your employer can't find out all about your internet usage. One step up from this is another type of proxy that does active usage monitoring. That can be used to block specific sites, and to generate alerts for proscribed sites. And what smallish bear said.
  • At my old company we had WhenWhatWhere installed on all the comps. It's a pretty comprehensive monitoring system that ended up catching one of the employees with child and animal porn on his computer.
  • Wow, leaving aside how disgusting that is for a moment, let's focus on the absolute stupidity of viewing pr0n at work, seriously. An old buddy of mine got busted for that (nothing exotic like f8x's coworker, but pr0n nonetheless), and it still ranks as the most dickbrained thing he's ever done.
  • It is a dumb idea. Obviously, the pragmatic solution is to download the pr0n and save it for detailed viewing *after* work. f8x: I hope they nailed that guy's ass to the wall.
  • tinfoil hat for your computer.
  • If all you want to know is if they are monitoring some traffic, then it is pretty difficult. If you can hack IP, there are ways to have a reasonably good idea of the number of hops your packets take before they leave your network. You can also try using nmap in fingerprinting mode to see if there are any obvious proxies on your path. All of these methods are easily defeated. It is a good idea to assume that yes, they are capable of monitoring everything ("omniscient adversary assumption", aka Dolev-Yao model). If they are only monitoring traffic, then you can easily set up an ssh tunnel to a machine outside the company's network that you own or have access to. Do this with two or three different networks (preferably in different countries), and your traffic is virtually untraceable. (They will still know how much traffic went by. Also, this method is not recommended except in dire situations; e.g., you are collecting evidence to sue your boss.) This of course won't work if they are running keyloggers. However, that is pretty invasive monitoring. I'm not 100% sure, but ISTR there are laws that say that employers can't do that.
  • On re-read: if your boss said they are "monitoring usage", he/she could have meant something entirely innocuous, i.e., that they are seeing if they have adequate (peak or non-peak) bandwidth or enough redundancy to handle any planned growth in the network or whatever. If you don't have reason to be paranoid already, try to find out what sort of monitoring this is.
  • Who the fuck're 'They'? Spies? What colour? Don't make me laugh. Your boss is schizophrenic, more likely.
  • He was slapped on the wrist, given a one year leave of absence. Typical for a higher up. He's now back at that same place, doing God knows what.
  • At work we have SmartFilter. It has a list of no-no sites that it blocks, mostly on sports, sex, 'personal' (most blogs fall in this category), extreme and, oddly enough, 'art'. We're constantly battling with the IT guys for tweaking; for some time, it blocked hotmail and yahoo mailservers, and everybody protested. Still, it's a mess: google's translation services are blocked due to its sexual content (!), a few things like espn aren't, and of course, new sites not yet on the list are OK, no matter what's in it. And, for those sites you need to get to, well, we've found a couple proxy servers that get the job done. Still, I've always considered work connections to be monitored, so the best policy is to avoid doing stupid things. Privacy? Well... even the ideas you have during work hours can be owned by your boss, so...
  • As for 'they' being some governmental agency: as long as you're not using Echel*n code words, you're safe. For now.
  • M-x spook munitions computer terrorism Vickie Weaver counter intelligence Steve Case cypherpunk basement FSF Perl-RSA class struggle EuroFed beanpole Rand Corporation infowar Mole
  • Flagpole: Echelon doesn't work on code words. It works using statistical groupings of characters. We know this because there's a patent.
  • There's a place in NZ from which They supposedly monitor global email and phone communications. We call the location Spy Valley, and there's a good winery out there too.
  • There is no reasonable way to monitor the monitors, unless you are one of the initiated. As a firm rule, NEVER USE YOUR WORK CONNECTED INTERNET FOR PERSONAL USE! There is no way of knowing exactly what they are monitoring or when, or in particular, how it will come back on you. While I used this rule already, and never had a problem abiding by it, it was driven home recently by what happened to an acquaintance in the same industry. She had been approached with a couple rival job offers and while not that interested, was sussing out the details by email, from her home computer, using a company provided internet account. She was a star manager, well respected. Her company was monitoring the email from her home computer. She was summarily fired. She had no reasonable recourse. Use any work connected internet for only the most innocuous of things. Do it only during company approved time periods, such as lunch hour or after hours, and if that approval isn't somewhere in writing as a company policy it's worthless. Use a web mail account that offers SSL secured connections, such as Yahoo or Hushmail. Assume your company or the tech department could be using key stroke loggers to grab your online account passwords, even for SSL connections. And always remember, it is very easy for the company to archive all of these internet records. Just because they've never had a problem with anything you've done on the company internet, doesn't mean someone can't pull those old records up easily and find something outside the rules when they want to give you grief. It's a great way to find an excuse to fire someone or bend them over. I've seen it. This has perhaps rambled on, but I am a firm believer in information privacy and fair dealing.
  • Even if your company isn't interested in shelling out for a program that will monitor your internet usage, they will most likely try to get a worker-bee to do it. A couple of years ago I was a receptionist at a small defense contractor, and I was asked to check up on the internet usage of workers (engineers, office personnel), from a list generated by the (2 person) IT department. I was supposed to go to every site and check it out, then determine if it was "work appropriate." I pretended to do so, typing in the addresses so they would show up on "my" list, then moving on. I only ratted people out if it was something like kiddie pr0n, but mostly I felt stupid checking up on others. The only good thing about that part of my job was that *I* could do anything online. (But still, I must say. Suckest. Job. Ever!)
  • buy your network admin or IT guys some weed, beers, a box of donuts, or all of the above if you've been really naughty. seriously. problem solved.
  • In the last real job I had before I ran off to hide in academia, the 'IT guys' were in a different state. I'm pretty sure sending weed across state lines is more illegal than child porn. (OTOH they paid for a 1.2Mb SDSL link to my house and didn't really give a fuck what I did all day as long as I met my deadlines. I miss 1997.)
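
An added example, not part of the thread and not any poster's code: the per-login report that the comments on proxy logs describe, built from constructed log lines. The Squid native access.log layout is an assumption (the thread names no proxy product), as are all hosts, logins and function names. It also shows that for SSL traffic tunnelled with CONNECT the log still records the destination host and time, only not the page or its content.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (an assumption;
# the thread names no proxy product). Fields: time elapsed client result/status
# bytes method URL user hierarchy/peer content-type
SAMPLE_LOG = """\
1095408000.123    250 10.0.0.15 TCP_MISS/200 5120 GET http://news.example.com/sports/scores.html jdoe DIRECT/192.0.2.10 text/html
1095408060.500  12000 10.0.0.15 TCP_MISS/200 40960 CONNECT webmail.example.net:443 jdoe DIRECT/192.0.2.20 -
1095408100.000     90 10.0.0.22 TCP_DENIED/403 1400 GET http://casino.example.org/play asmith NONE/- text/html
this line is malformed
1095408200.750    310 10.0.0.22 TCP_HIT/200 2048 GET http://intranet.example.com/wiki asmith NONE/- text/html
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        when = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
        size = int(parts[4])
    except ValueError:
        return None
    method, url = parts[5], parts[6]
    if method == "CONNECT":
        # Tunnelled SSL: the proxy sees only host:port, never the path or body.
        host, path = url.rsplit(":", 1)[0], None
    else:
        split = urlsplit(url)
        host, path = split.hostname, split.path or "/"
    return {"time": when, "user": parts[7], "client": parts[2],
            "result": parts[3], "bytes": size, "host": host, "path": path}

def usage_by_user(log_text):
    """Group parsed entries by login, skipping lines that fail to parse."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            report[entry["user"]].append(entry)
    return dict(report)

if __name__ == "__main__":
    for user, entries in usage_by_user(SAMPLE_LOG).items():
        for e in entries:
            print(user, e["time"].isoformat(), e["result"], e["host"], e["path"])
```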