Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Privacy

Web-Based E-mail Isn't Safe From Corporate Eyes 212

Posted by timothy from the just-so-you're-clear-on-that dept.
Ant points to this CNET story, a snippet from which reads thus: "[S]ecurity experts say many employees would be surprised to know that Web-based email services also offer little privacy. Messages sent via a Yahoo or Hotmail account, or through instant messaging products, such as ICQ or America Online's Instant Messenger (AIM), are just as accessible to nosy employers." I know some people who this ought to make nervous;)
This discussion has been archived. No new comments can be posted.

Web-Based E-mail Isn't Safe From Corporate Eyes More

Web-Based E-mail Isn't Safe From Corporate Eyes

Comments Filter:
  • My coworkers often make fun on me because I use pine for my personal mail (have to use Netscape for work e-mail because of attachments) and lynx to surf the web. I ssh into a Linux server and use pine, nothing to it. Plus, no one can look over my shoulder and see a web browser. Look, a xterm, it must be work.

    BTW, I know that I should use something better like mutt. I've been using pine for over 6 years and I am just to lazy to relearn.

    --weenie NT4 user: bite me!

  • So do I.. If I'm sat in my cube when I do anything net-related my employer is welcome to watch it - If they can show me a single instance when I mised a deadline or otherwise didnt get the work done because of it then I'll deserve anything they throw at me but I have no worries there because there are no such incidents. All the same, there isnt any reason I have to make it easy for them, the only way they can read any email I send from my home accounts is either to do screen/keystroke capture (which I'd know about pretty quick as I regularly sniff my own network traffic as part of my job) or pull a fullscale man-in-the-middle attack on my ssh connection to my home LAN at the corporate firewall. If they are that paranoid and want to waste that much time and resources on the project then they are welcome to. If my boss wants to sink that much budget into completely non-productive tasks then he's on a bigtime losing streak and I'll soon have his job myself. Alternatively if he is getting pressure from upstairs to account for my net traffic all he has to do is ask and I'll hand him a logfile. With nothing to hide theres no loss in telling them what you're doing, its just polite for them to ask for the info rather than simply grab it.
    # human firmware exploit
    # Word will insert into your optic buffer
    # without bounds checking

  • Of COURSE it's not safe...it's unencrypted and easily readable by a snoopy admin.

    I do all my private email and IRC via SSH when at work. I also do use ICQ because many friends are on it, and I do realize that it is unsafe, so I watch what I say if it's something I don't want anyone else to hear.

    Wouldn't it be great if all those silly little chat clients were encrypted? How long is it going to take for someone to develop one and have it catch on enough to where all your friends are using it? That'd be nice. (the second part is the hardest part for sure)

    In the mean time, I'll stick with SSH and my shell account. Of course, I'm lucky enough to work at a place where the port is open through the firewall...the last place I was at had the great firewall of china. Only way to telnet was through a gateway. If it wasn't HTTP it didn't leave the place...

    --Mike
    harlock@raindrop.com
    www.raindrop.com [raindrop.com]

  • Any management that thinks auditing is an effective way of encouraging good work ethics...

    I think your post misses a key point. Most companies do not implement auditing to encourage good work ethics. It is done primarily for accountability. As someone already said in this discussion, the computers of a company do not belong to the user, but the company. For the same reason, the company is responsible for their use. If a computer is being used for non-business, illegal, or malicious purposes, they have to be able to hold the appropriate person accountable. I am an engineering consultant and have been in many environments that audit certain computer use. I can tell you that rarely, if ever, do most companies actively track audit records (except maybe for statistics generation like: most visited site(s) this month). It is usually done ex post facto (after the fact). In other words, it is done to see who performed some certain action after it has already been performed. Most audit records would go untouched if there were not a reason to review them. Auditing is something that is and should be used by responsible admins.

    BTW- Auditing can also be effectively used to troubleshoot certain problems as well as foresee future ones.

  • Actually, I am a consultant for a corporation who, on a totally switched network, monitors almost every e-mail coming in or out by hand. It would be trivial, if the web usage logs showed a large amount of web-based e-mail, to capture the sessions for later perusal. The usage of SSL like on http://www.Hushmail.com would be the only way to get around it. At that point, I am almost positive the management would block hushmail at the firewall. Point being: if your company wants to know what your'e doing bad enough, it doesn't matter whether or not web-based e-mail is in plaintext. They own your workstation, and can block what they can't watch.
  • Any decent distro *cough*Debian*cough* sets up sulogin to spawn from single user bootup, not just bash. So you're prompted for the root password or it starts up normally.

    Just started using Debian last week after too much RedHat... Thanks for the info, might save my Axx some time! :)

    --8<--

  • You know, your post sounds just like a (former) member of my company's management, who would try to meszerize people with his endless repeating of buzzwords, hand gestures, and ending every sentence with "Right?"
  • Hell, if it's not your employer, it's the FBI with Carnivore. Unencrypted traffic is like writing it on a postcard. If you don't care if everyone reads it then there is no problem.. but you should have no expectations of privacy.. period.
  • Use an anonymizing service [anonymizer.com]. Of course they could block that too. But if the Akamai censorware workaround [slashdot.org] still works (and it seems to) then you're set. They'll have a lot of trouble justifying blocking Akamai.

  • Which is why I always ssh home... (Score:3)

    by Greyfox ( 87712 ) on Sunday October 08, 2000 @04:28PM (#721903) Homepage Journal
    When I want to send those job applications out on work hours.

    I'm reasonably sure of my system security there, since I installed the system myself. It's kind of a pity I have to view my employer as my enemy, but the corporate world's pretty much proved they are anyway.



  • Repetition sells.

  • heck on my network i'd setup a sniffer on the line going out, all traffic funnels to 1 or 2 places, even if i was sniffing both with 2 laptops catching all the data would be easy.

    -actual mileage may vary
  • nuff said.
  • Hey, we English majors are not all dumb. In fact, some of us are even BSD users, you unsophisticated prick!

    Technical know-how has no relationship to how intelligent a person is, I'd expect an English major to know that.

    Second Law of Blissful Ignorance

  • The problem is when a company already has people that their job is to keep out an eye on employees. If they are told to watch for stuff coming out of e-mail then the boss, who doesn't know how to, could tell them to also watch for freemail services. Most (all?) employees need to go through a company server to get on the net, and because the freemail services only encrypt log-ins (exceptions apply) they smart network admin guy can the set-up filters to record mail being sent to/from hotmail, yahoo etc.

    The lesson however is encrypt the connection from the start all the way to the log-off. If Yahoo or Hotmail does this, there will be a jump in the number of other freemail services who offer the always encrypt option.

    --
    From: Aaron "PooF" Matthews

  • Note that keystroke logging will let them read mail that I'm writing, but they'll need something a bit more powerful to figure out what I'm reading. Keystrokes logging will let them see that I typed:

    [my password]
    pine[enter]
    I
    [enter]
    ...

    Not very informative if you're tring to see whether the bad guys are sending me secred messages. OTOH, they can read my password unless I'm truly paranoid and bounce back and forth between the place where I'm typing it in an another text box where I type gibberish.

    Fortunately, I don't work somewhere paranoid enough to do that kind of thing. Heck they let me install SSH on their machines without complaint, which no organization that was really paranoid about security would do, and they let me plug my laptop into the company network- so I can actually be reasonably confident that on at least one computer they aren't doing keystrokes monitoring. Part of the reason that I like my current job and haven't gone somewhere that would pay a lot more is because I like that kind of attitude; I'd advise anyone who's really worried about this stuff to consider that before they jump straight for the job with the best pay.

  • I expect you to do that, when I collect welfare checks under three different names. I also run a black market viagra ring out of Tijuana and sell live goat porn on the internet.

  • Yep. (Score:1)

    by buffy ( 8100 )
    If it's on the corporate network (LAN/WAN/whatever) it's owned by the company. Expect no right to privacy whatsoever. There have been plenty of court cases which have upheld the right of corporate ownership in such cases. Minimally, a compay may be required to provide a statement of said ownership to it's employees, but that may not be necessary in many cases.

    If you don't want the company to see it...don't do it on their network. Done. 'nough said.
  • Depends on how good they think I am, and what kind of job security I've built into the solutions I've implemented. ;)
  • I'm running Debian 2.2 (Potato) on my server with IMP [horde.org] as the webmail program. It's very cool.

    You'll need to install MySQL, Apache-SSL (if you want to be secure and encrypted :) and horde as well, but the dependencies will take care of that. (I just LOVE apt! :)

    If you choose to install it, my recommendation from personal experience is to install MySQL first (by itself), set the MySQL root password, then install imp/horde/apache-ssl.

    Requires a bit of tweaking of the Apache files, but hey if I can figure it out, anyone can. :)

    Cheers....

  • ...probably comes from the fact that all the web-based services use phrases like "for your protection" and "to ensure your privary" and they only go on to remind you to log out. How silly.

    However, let's not forget the Slashdot story [slashdot.org] that Yahoo! will soon begin offering encrypted mail. That's a certain exception, and should prove employer's snooping efforts fruitless. Right?

  • If you can monitor what web page URLs employees visit from the office, it is trivial to monitor the HTML content of those pages as well. Other protocols likewise can be easily decoded. I do not see what the big deal is here. Employers likely could pick up your password from many of these web-mail systems with ease at their Internet gateway.

    Even if a page is https:// encrypted, I can think of a proxy game good enough that most "secure pages" could likely be made readable by your employer as well.

    On the other hand, at my university of all places, the administration has set up keyboard, screen, and local disk drive file monitoring in many of the computer labs. I do not know if the monitor network traffic (yet). Talking about taking "usage implies consent to monitoring" to an extreme. But I have yet to see anyone be discouraged from using the systems, or stop from installing personal programs on them, despite the risk of losing their network account.

  • A while back I had to deal with a similiar problem of everything but port 80 being blocked. They did have a proxy server where I could connect to port 80. Doing some very evil things I managed to hack ing up a copy of SSH on a server and the client to do something like this..

    Connect to port 80 of the SSH server:
    Send GET / HTTP/1.0

    The hacked up SSH server ends up sending..

    HTTP/1.0 Okay
    SSH-1.5-1.2.25

    And then the SSH transaction proceeded as normal...I dunno if this would work with all proxy software, but if its just a simple port blocker, you might not even need to do this, just talk on port 80...

    If anybody wants the patches for my hacked up ssh server let me know...

  • Re:encryption (Score:3)

    by PooF ( 85689 ) on Sunday October 08, 2000 @03:17PM (#721917)

    There is a plugin called PGP For ICQ [samopal.com] that will allow you to encrypt ICQ messages, and I think that PGP 7.0 has this built in. The linked plug-in has source code also (as of now source for 0.5 only, the current release is 0.9)

    Correct me if I'm wrong...

    --
    From: Aaron "PooF" Matthews

  • So...is this article trying to say that I should not leak super secret confidential trade secrets over AIM when I am on a company phoneline?

    *sarcasm* I never woulda thought...*/sarcasm*


  • I really don't see the importance of this. We've already seen, repeatedly, that web-based mail isn't even secure from 12-year-old script kiddies. There's nothing less secure than web-based mail - most of them use cleartext passwords, cleartext everything. Their backends are weakly protected and the frontends are buggy and unreliable. If you expect any kind of security - be it from sniffing or from backend intrusion - from web-based mail, you're a complete fucking idiot and should have your computers taken away.

    You want security, use GPG-encrypted mail through SSL tunnels on both the SMTP and IMAP sides on a mail server you own on bandwidth you pay for. And make damn sure your machines are physically and electronically protected, are running Unix, are behind a firewall, and are well-maintained. If you need more security than that, I'd suggest something involving code names, lasers, high-frequency burst transmissions, and guys wearing trench coats milling around in a fog-bound park.

  • ...after all, you do work for the government; seeing government bandwidth being chewed up by frivolous cavorting by government employees is a disgrace and a public relations disaster waiting to happen. However, most of this happens at big businesses where the cubicle makes a great hiding spot for the employee to go check out their e-mail or chat with that guy in the next building.

    I'm glad to see this display of morality by a government employee; however, I wish that I'd seen the same from someone higher up in the government ladder (Slick Willy).

  • Some employers *severely* discourage this under the aegis of "we don't want to be liable if your nice toy gets lifted".
  • The whole mailbox, or just the inbox? I noticed that they encourage you to move your messages out of the inbox as soon as possible.

    In any case messages to/from non-Hushmail users leave/arrive in non-encrypted form. That's still too much openness for really sensitive messages.. If you really want to protect your messages, you should send and receive with public key encryption.

    I have to admit that I've used web mail to avoid sending email through an employer's server. This wasn't actually my choice -- I was working for a job shop that asked me to communicate with them this way. But, as this news item points out, I wasn't really gaining any privacy. If the portal company had conspired with my emplyoyers...

    As with any security measure, securing your email is a question of making it too much trouble for people to crack with perimeter. If you think you're getting absolute security, you're fooling yourself -- and that's more dangerous than no security at all.

    __________

  • For several years I was part team that ran corporate web proxies for 30,000 employee firm. There was at the the time not a policy against using web based email. But in one incident I can remeber we did review proxy logs in attempt to determine the source anonymous email that was directed at employee. We did so by searching the log for logins to web based email system that happen to have userid in url. It was an effort to determine if email was actually from another employee. We never had cause to sniff the entire http activity of single user. But we could have with little effort, and would have if directed by HR.
  • Why would the boss need to know how to do the sniffing? He can just order admin to collect the traffic.
  • Agreed. There's nothing that says overkill like using LICQ to send strongly-encrypted packets to the person in the next cubicle. I love that sort of thin.

    Hmmm I wonder if the managers two or three levels up realize the guys at the bottom can sniff just as easily as the IT department :)

  • I read up on the TOC protocol a while ago (before it went 'closed'), and read the GAIM code a bit too... It seemed that it wouldn't really be hard at all to put SSL in to encrypt the messages - one could set it up so that before sending, the body part of the message could be encrypted (and maybe be html-encoded), keep the headers intact, and then have the other side decrypt...

    (gazes off into the distance, as Garth would) It just seems too easy...

    Seriously, though: If this could be in high demand, e-mail me and I'll consider using my 5th period (Directed study... Only no one else can figure out what I'm doing :) ) to work on it

    -Brian
  • I'm guessing you're talking about VNC (virtual network computing). That's some pretty scary stuff - it is really insecure.

    We were using it for a while at work, so we could restart server processes without getting up off out arses and walking over to the server. (Incidentally, I guess that tells you we aren't using UNIX) Anyway, I was working one day, and noticed that the mouse was moving around on ther server, and the only person who should have been on VNC was me. Freaked me right out... Upshot of it is, we don't use it anymore

  • Not to use the office internet connection for personal use. Except on breaks.

  • Use the anonymizer! (Score:3)

    by zgreppuppy ( 241494 ) on Sunday October 08, 2000 @07:44PM (#721929)
    Buy an account from anonymizer.com, and sign up for the "Secure Tunneling" option -- $10 per month. On your local machine, you use SSH configured to port-forward ports 25 (SMTP) and 110 (POP3) to mail.anonymizer.com. You configure your local POP3/SMTP clients to connect to localhost, and the connections are securely forwarded through the Anonymizer. This can be done with Netscape, for example.

    This assumes that you have some way of setting up SSH locally, and that there's no keystroke monitoring going on. In both cases, you're probably better off if you have a linux box.

    GP

  • The CEO's wife (Score:4)

    by xant ( 99438 ) on Sunday October 08, 2000 @02:58PM (#721930) Homepage
    That's why, when I send my love letters messages to the CEO's wife, I wait until my boss goes to lunch and use his computer. And sign it with his name.
    --
  • I recieved a message this summer from an individual that worked for a State government agency. It had a faked from address, but the header information showed the IP it came from. I contacted the agency and forwarded the message and info. I was contacted by phone and ended up tracking the individual done w/them. They found out who it was, but they apparently never did anything more than warn him. Now. This is a state government agency... They obviously didn't intercept the message, and really didn't care that he broke several of their rules concerning proper conduct on the Internet from their machines.. Do other companies really give a flying rats ass? With plugins to ICQ that support SSL and ssh for telnet, I would see no reason why anyone wouldn't be protected (even if they were to give a shit what you said or did).

    Just my worthless .02
    - Bill
  • It's a great IBM app very similar to PC Anywhere that allows you simulate a host desktop through any java enabled browser.

    When I get to work I simply open up a browser window and connect to my computer at home, then I can ICQ to my heart's desire while downloading songs from Napster and working on my web pages from home. How easy is it for my employers to see the data I transmit if it is going through a java applet?

    Anyone else doing this?
  • People have been telling me to post the URL so here it is:

    www.licq.org [licq.org]

    Silly me, I should have thought to post it. It really is an excellent peice of software.

  • You are incorrect if you are using their network to read you email where ever it may be you are using company resources and are bound by what ever they company wants to do with its network.

    If you don't like the rules don't play the game.
  • Except, even keystroke logging can't read an email sent to you... although they could have screen capture software, but come on, you know they don't. The last five jobs I've been at, the management wouldn't have known how to install a keystroke logger if you had whapped them on the ass with a genius stick.

  • Re:Not really . . .. (Score:1)

    by Anonymous Coward

    If you're really paranoid you can get around keystroke monitoring by going to a frequently updated website such as Slashdot and using copy and paste to put letters and words into you're [sic] message.

    Umm...no. You are dumb.

    1. That is stunningly impractical. If you have information that really needs to be hidden, you probably aren't someone who has the time to sit around looking for the exact phrase, word, or even letters you need to copy and paste into your important document.
    2. Keystroke loggers aren't the only such technique. Commonly available software such as BackOrifice and NetBus (and their more corporately accepted cousins) are completely capable of taking a screenshot, recording copy/paste commands (and buffer contents), etc. Just taking a screenshot at the right moment would be enough to completely defeat this technique.
  • with the switch from shared to switched band Local Area Networks snooping is almost impossible anymore. On Cisco equipment, monitoring all traffic types is only possible if you have enable priveleges. Bosses usually dont and if they do they wouldnt know how to set up the nescessary listening apps (tcp, udp). Not to blow my cover but LAN admins usually can snoop quite well because of their access rights and know-how. Weve fired two people from telecomm at my University for just such intrusions.
  • awhile ago there was an article about ip over DNS. that might be the trick
  • Is there any plug-in for any of the message services that offers encryption?

  • Serves them right (Score:4)

    by lkaos ( 187507 ) <anthony@NOspaM.codemonkey.ws> on Sunday October 08, 2000 @03:01PM (#721940) Homepage Journal
    I work in as a consultant for the government and it pisses me off to see so many employees goofing off at work. If people did what they are supposed to do, then the government wouldn't need to hire consultants. It doesn't bother me that people read personal email but people will spend all their time online and NOT get their work done. It just really pisses me off.
  • The keystroke monitors can capture what you type, even before it is encrypted!

    Then encrypt it BEFORE you type it in. Print up a page of barcodes representing the standard printable keys on a keyboard, and use your :CueCat scanner to type. Let them try and decipher THAT plain text :)

    A very evil NipokNek

  • I've worked in places where they didn't mind,
    many of which explicitly said so. I don't
    understand why you think it's problematic if
    they don't think it is, especially if they
    explicitly say so. Many places one might work
    have the idea that being nice to their
    employees is good business. I imagine you think
    this is a strange concept?
  • The sysadmin could easily deny access to SMTP servers, thereby preventing you to send e-mail. They could then claim that they're not inconvencing you; after all, you can still use your POP3/IMAP server to read e-mail.
  • A well designed proxy setup eliminates the need to snoop the network. Just have the proxy record what gets sent (which, in case you're wondering, is fairly trivial). The real bear with this sort of thing is finding the specific thing you want amongst all the crap.

    But I'm sure it's not a problem that a bored Perl programmer couldn't help out with ;)
    --
  • If you were on my network I wouldn't even need to use a keystroke recorder. To use the web you have to go through the a proxy, all other traffic is blocked. And your browser is setup to send plain text to the proxy, and the proxy then uses SSL between it and the site you are going to. Therefore even SSL traffic is easily recorded, and you are less the wiser.

    If you don't know the rules, don't play the game.
  • First off, how many people know what a packet sniffer is? It isn't obvious unless you live in a fantasy world full of geeks. Non-techs should not only be better informed but also don't need apthetic people like you saying, "too bad."

    Imagine if my conservative company has a list of words they like to keep track of going over their network, like pot, work sucks, aids, etc. I IM or email a buddy about getting high, think that I could have a terrible illness, or what parts of my job suck and now the admins go and tell the execs that I'm suddenly high risk. They could easily come up with some bullshit reason to fire me, like "not being a team player."

    What they won't do is read my email off to me and say "Okay looks like you've smoked pot before and don't like 3 people in your department, it says it right here to the people you emailed over the last six weeks."

    In other words they won't admit to violating my privacy (which last I checked they dont have a right to if its on a remote server) but will easily use that information against me.

  • SSL protection for AIM and email (Score:3)

    by alee ( 64786 ) on Sunday October 08, 2000 @04:54PM (#721967)
    Although the SSL certificate is expired, using https://toc.oscar.aol.com [aol.com] will allow you to access AOL Instant Messenger with an SSL encryption wrapper. Requires Java.

    Using services like http://www.pop3now.com [pop3now.com] will let you access POP3 email through the web while protecting you from your employer's prying eyes.

    There are also other SSL wrapper services out that will get you out of untrusted workstations. However, keep an eye out for programs that record keystrokes and/or record screen activity.

  • So? (Score:2)

    by fm6 ( 162816 )
    It hardly matters. According to this ZDNet article [zdnet.com], you can't even assume that what you're reading in your web email is what was sent!

    Seriously, though, anybody who knows how packets flow across the internet knows that ordinary email, non-secure web forms, etc., are the electronic equivalent of post cards. Expecting anything approaching privacy from them is just plain silly. If you don't want your boss, the Yahoo webmaster, or the NSA to know about your tastes in software porn (I'd find it embarrassing, but it wouldn't be the end of the world) do some elementry public key encryption. That's enough for most purposes -- ordinary encryption is all too easy to crack, but most of us don't have secrets that are worth the trouble.

    If you're sending something really sensitive (ho hum, another hippie wants to overthrow the government), make a serious study of encryption issues.

    If you're sending something really really important (it will cost somebody money if the fact gets out), use a fax machine.

    If you're sending something really really really important (your competition actually cares about what you're up to!), call FedEx.

    __________

  • bah. (Score:2)

    by kirwin ( 71594 )
    I am a SysAdmin, and I really don't care for the CEO, I just browse company traffic for the sheer fun of it....er....I never, ever sniff packets. yeah.

  • Re:Not really . . .. (Score:3)

    by spellicer ( 146331 ) on Sunday October 08, 2000 @03:29PM (#721973) Homepage
    with the switch from shared to switched band Local Area Networks snooping is almost impossible anymore.

    This would only apply if employees were concerned with employers snooping internal communication. Unless these employees each have a personal line to the Internet, the shared pipe out provides a pretty good perch to sniff from.

    On Cisco equipment, monitoring all traffic types is only possible if you have enable priveleges. Bosses usually dont and if they do they wouldnt know how to set up the nescessary listening apps (tcp, udp).

    Switched networks aside, it's not the executives that are setting up monitoring. It's the net admin. If they can't set up a sniffer they shouldn't be in charge of this stuff. They also don't need anything too specific. Even the most rudimentary sniffer will be enough to get whatever an employer wants.

    Along the lines of the point to point solutions such as SSL'ed web based e-mail, hushmail and the like, you're really just upping the ante for the system administrator. The article (if anyone actually ever reads the articles slashdot references) make a good point of keystroke grabbers, etc. It's always possible for an adept admin to trojan your box for "official business." If it ain't your box, you lose. Very few ifs, ands, or buts about it. Hell, a really persistent admin can grab PGP keys out of memory and escrow :) them for you.

    Bruce Schneier's new book has great stuff on these extremes and how they aren't as extreme anymore. He puts it best throughout his book with the futility of trying to protect data using as system you don't control. He mostly looks at it from the angle of the user being the attacker, but obviously the concepts apply in the reverse. This time the chump sitting at the keyboard is us.

    If it ain't yours, don't trust it.

    Stephen
  • I'll say it again. Anything sent over a non-encrypted IP connection is about as private as a postcard. OK, so Hushmail prevents your boss from copying your email. He can still spy on your web browsing habits, figure out your Slashdot pseudonym, and find out a lot of other stuff you ought to be worried about.

    Anyway, if your boss is totally indifferent to your privacy, he's going to forbid you to use hushmail isn't he?

    If you're really concerned about workplace privacy, you should discuss it openly with your employers and get them to set an explicit privacy policy. Imposing half-assed encryption solutions on your own gives you nothing but a false sense of security (pun intended).

    __________

  • Due to the SSH tunneling features, many corporations block outbound SSH from the desktop, due to the obvious security risks.

    SSL is a much better solution, no employer is going to block outbound HTTPS connections without good cause.

  • There is no true defense against company snoops. Even if you used a super-duper encrypted email package, the company can still install a keystroke monitor on their computer. The safest course is to forget using the company machine and get your own email-capable device like one of the new 'pagers' or an email-equipped cell phone. And don't have the company pay for it. Then if they want to read your emails they'll have to subpoena them.
  • I would wager most companies that institute any sort of e-mail monitoring policy only go that deep into message contents when an employee is under active investigation. Even the most paranoid of companies typically log only the presence of messages, or individual HTTP requests made, never actual content.
  • There are very few proxies which proxy https- as in http in, https out, since most client browsers can do SSL for themselves, and most that don't grumble immediately when seeing a https:// so they don't even bother asking the proxy.

    So usually if clients visit a HTTPS site, it's encrypted all the way. Maybe your network is really set up differently, but have you really checked? Run a sniffer and see. I have for mine, and it's satisfactorily encrypted.

    Basically the clients contact the proxy, and then issue a CONNECT dest.ip.address.blah. The proxy makes the connection, then you have a channel between the client and the destination server. You don't even get the URIs in the proxy logs.

    However, over here, users must still log in to the proxy server to have internet access. So if they really misbehave it's not too difficult to track them.

    Tracking severe abuse is quite simple and doesn't require any spying of payloads or even urls.

    When the Boss asks "Why is the Internet connection so slow?" or worse "Why are the emails slow" then the people who have been downloading movies and mp3s better watch out.

    Link.
  • lilo: linux single

    # passwd



    --8<--
  • I have seen some clueless posts on Slashdot but this takes the cake. My response to this article is a resounding "Duh". The entire article can be summarized by this quote
    1. The information is essentially being sent back and forth via text as long a wire. Anyone along that wire, inside or outside of your company, has the ability to intercept, read and change the text," said David Kennedy, director of research services for ICSA.net in Reston, Va. "Is it technically possible? Yes, and it's fairly easy to do."
    For Slashdot to sensationalize what is basic knowledge to anyone with a smidgeon of technical know-how (my girlfriend's an English major and she knows this) and make it seem like there is some sinister plot underway by AOL, Yahoo, MSN, etc to cooperate with employers to steal employee rights is irresponsible.

    Second Law of Blissful Ignorance

  • I should note that the scheme I can thought of to proxy https:// pages so an employer can read them in real-time does give the fact that it is there away in most cases. This is because all https:// traffic would be routed through a server (say spyonssl.mycomp.123) that would then establish its own secure connection to yourbank.456 or whatever. URLs and referrers would be rewritten to keep everything working. This would be required without your employer becoming their own certificate certifying authority, because most web browsers will complain bitterly if the certificate does not match the site. Most users would likely spot this, unless the secure page was quickly switched away from.

    Of course, no one is stopping them from installing their own certifying certificate on your PC, generating fake SSL certificates in near real-time on a fast computer, and playing a "man-in the middle" attack that few people would know how to spot. But now, we are *really* getting paranoid... and so are many employers nowadays. It is likely that at least a few companies out there have systems that try to decode your secure web pages out there, even if it means taking a year or two with a Cray...

    One should realize that most web-email services do use secure https:// for the login, but send your mail as insecure http:// . So they likely can't get your password too easily, but they can get everything else. As we speak, companies are likely working on the former, considering it a "trivial issue" that needs to be overcome. Given that most people only use one password for everything, I would not be surprised if many employers can guess your web mail password anyway.

  • Re:Not really . . .. (Score:5)

    by darf ( 182630 ) on Sunday October 08, 2000 @03:35PM (#721996)
    I'll assume by your post that you are in a university environment. Well I'll tell you that the corporate world is very different.

    For starters, many, many companies still use hubs for their networking. If you are plugged into a hub then you can hear anything on your subnet. I have personally worked with small to medium sized companies, with tens to thousands of users, who still link end stations to the LAN with hubs. In these cases snooping by the boss is actually less of a threat than your neighbor running an SMB sniffer and cracking your clever M$ password of "password".

    Second, with the proliferation of intrusion detection system it is becoming less and less possible for your traffic to not be examined. Large organization use IDS not only on their Internet connections, but on their internal networks as well. This is because a majority of security viloations occur on the inside of a network. By definition, an IDS system must hear everything that happens on a segment it is to protect.

    Third, bosses may not be technically capable of setting up a sniffer, but they are very aware that the opportunity exists. They will order the use of sniffing technology if they believe that they must use it to accomplish something. In practice, they will only do this if there is a significant reason to do so because of legal liability.

    Fourth, something like 60% of US companies actively monitor their employee's use of Internet resources. They may not look at each payload, but if you are spending 50% of your day going to Hotmail with your browser, chances are that they already know about it.

    Remember that in the US the current opinion is that if you are using a company's computer then the company owns the data input into or produced from that computer. If you are doing something that might be a no-no, you'd better not do it.
  • C'mon people, RSA is now in the public domain, you have no right to complain about not using it.

  • Is ssh1 more secured? (Score:3)

    by antdude ( 79039 ) on Sunday October 08, 2000 @04:03PM (#722006) Homepage Journal
    I read most of my non work-related e-mails and download big files (don't want to hog the company's bandwidth) on various UNIX boxes with ssh1.

    How secured is ssh1? Can people still sniff this beside reading off my monitor? Once in a while, I have personal stuff (nothing illegal) that I don't want people to read.

    TIA for replies. :)

  • Any management that thinks auditing is an effective way of encouraging good work ethics is insane and grossly inept and should be fireed immediately. Any manager that sees low productivity or low morale and thinks the solution is to start snooping on employee activities should give up and become a basket weaver. I am not kidding.

    While this is all true, there are many situations in smaller companies where this doesn't work.

    My workplace is a case in point.

    We used to be a division of Litton [litton.com], but were sold off because we weren't part of the "core business".

    The guy who bought the company, our old GM under Litton, is paranoid.

    The boss knows enough about computers to have mirrored his Windows 95 installation up through every machine he's had since his 486DX-33, but still doesn't know why it's dangerous (or why he can't make a partition bigger than 512 megs).

    The boss is paranoid enough that while he wants me to administer the mail server, he also doesn't want me to have access to the mail. Same with the fileserver.

    The boss wants to be able to watch *everything* going across the LAN at all times and is willing to sit in front of the server in my office to do it.

    That's the mentality you might have to deal with. If you can't, get another job. Things were great while we were a Litton company - the philosophy in our division allowed everything but XXX sites and *excessive* non-profitable useage - but since our old GM became our owner, the paranoia has increased and things have gone downhill. I'm looking, as are most of the rest of our staff.

  • The Electronic Communications Privacy Act of 1986 gives protections against interception and wiretaping. My employer can look at my mail that's saved and transmitted between her servers but cannot attempt to intercept my mail going to Hotmail or a remote ISP. This would be like Ameritech saying "we own these wires, we're going to record all your conversations."
  • Imagine you're the boss. You've got a few min to spare, why not watch an AIM conversation go by?

    Lots of people get off on snooping in other people's business. This is why 'reality' TV shows are such a hit.

    Now imagine you're the boss or the network guy, and there's an employee you don't like using AIM and you've got a few min to spare. You don't think there's a real chance that people might casualy skim through your stuff? And if the boss(or network guy) is out to get you fired then there's a serious chance people are going to look through your stuff.

  • The ineptitude of management (Score:5)

    by Ergo2000 ( 203269 ) on Sunday October 08, 2000 @05:38PM (#722020) Homepage
    An open letter to managers the world over

    Any management that thinks auditing is an effective way of encouraging good work ethics is insane and grossly inept and should be fireed immediately. Any manager that sees low productivity or low morale and thinks the solution is to start snooping on employee activities should give up and become a basket weaver. I am not kidding.

    The only true measure of an employees worthiness is output and nothing but. This is a very important concept as we move to more telecommuting/contract type employment anyways (and boy will the lines get blurry when employers are monitoring employees in their own home). The vast majority of us in this business get paid by salary, not by punching a card in a clock, and while there are some general expectations regarding hours, generally the salary structure is based upon perforance not time. For our salary we are expected to contribute a certain amount of worth to the company versus the salary that we are receiving. If an employee doesn't contribute that worth then firstly examine the management structure and corporate supports to determine if they are the problem, and if not FIRE THEM. That is the only way to manage effectively in the information age. If you've got some company outcast sitting in a room packet scanning whether someone is using hotmail then you've got your priorities totally messed up : There are a million ways of wasting away time and if you think you're creating a super efficient workplace by totalitarianistic network policies then you are completely ignorant of the real world.

    If you have a worker that you think might be dicking away a lot of time simply set goals and performance requirements and you should have a system in place that measures metrics (not keystrokes as that is worthless, but some other metric). Reward exceptional performance and punish under performance. The time an employee needs to accomplish that goals is irrelevant. Obviously if someone is sending offensive mail from a company email address that is poor judgement and should be punished, however if someone is sending emails to friends on Hotmail you really shouldn't give a shit if you have the performance metrics and good measurement systems. If you think you will improve the worthiness of your company by instituting superficial monitoring systems then you are will soon be out of a job as your company will be out of business.

    BTW : For the corporate outcasts that feel the supreme justice of being the one's "in charge" of monitoring employees : Firstly these systems are never unbiased -> It is usually targetted at whichever persons these losers feel a dislike towards recently. Secondly there is no justification based upon what I was saying above (except for a few positions which are more time based : i.e. answering phones). Pathetic claims about "company resources" and the like are ridiculous. Do you abscond from drinking lest you use the sacred company water pissing? Do you partake of company provided refreshments? Do you happily request a 14" monitor over a 19" because really netmon runs just as good at 800x600? If not then shut up : The "wear and tear" on a computer system for someone to visit hotmail is rather minimal and of minimal costs.

  • Encryption doesn't matter (Score:3)

    by Texodore ( 56174 ) on Sunday October 08, 2000 @03:44PM (#722022)

    Too many companies these days are installing clients that allow them to see your screen. Typing an e-mail? They can read it while typing. Talking on ICQ? They can get the conversation, too.

    The PGP/SSL argument's don't hold water. If they see you doing something personal, either by sniffing or peeking into your computer, they can monitor whatever they darn well please. And read whatever they want to. And watch what you're doing.

    It is impossible for you to hide what your personal web usage from the IS department. There are no solutions when they can take over your monitor from another box and packet sniff.

  • Hushmail strikes me as pretty useless. You can only send encrypted mail to other Hushmail users. If you're sending email anywhere else, you're using ordinary email -- and your messages are just as open to spying by the hosting web staff as with Yahoo or Hotmail.

    Of course, Hushmail doesn't encrypt its client-server connection. That does protect you from your boss -- but do you really want to work for somebody who spies on his employees?

    Hushmail does offer digital signatures -- but all that proves is that your email headers aren't forged. It doesn't prove that the owner of the hushmail account is who he says he is.

    __________

  • Not to use the office internet connection for personal use. Except on breaks.

    Not even breaks are safe.

    To keep the stuff I really want to keep private private. I use my palm pilot, modem and TGPostman over a VPN link to home to get and send my email. Sure thay can tap the phone, but all they will get is encrypted garbage.

  • The INternet at-large is a public network, for all intents and purposes. So treat it as such.

    Treat any traffic generated as a public radio broadcast. You have no control over who sees it.

  • The usage of SSL like on http://www.Hushmail.com would be the only way to get around it

    Not really. Sure, it'll keep things private from a sniffer, but as the article pointed out:

    Keystroke monitoring is an even more extreme surveillance tool that enables employers to read every key employees push--from the URLs of Web sites to email and instant messages, including deletions or changes they make in the process.

    Some programs, including the Silent Watch software that tracks employee computer use, retail for as little as $39.99. As many as 35 percent of all corporations already have these systems installed, according to Internet surveillance company Websense.

    The keystroke monitors can capture what you type, even before it is encrypted!

    Instead of engaging in a contest of cat-and-mouse with my employer, I look at it that I am there to provide a service for which I am paid. If I cannot realistically justify an on-line activity while I am at work, then I just wait until I get home. Keeps it simple.

    For example, I had a close relative who recently had major surgery and made a few e-mails (and phone calls) to keep in touch as to how the surgery went, when the visiting hours were, etc. I can't imagine my employer having trouble with that. I wouldn't work for a company that was so lacking in compassion.

  • woops (Score:3)

    by TheBongo ( 233809 ) on Sunday October 08, 2000 @03:02PM (#722034) Homepage
    Me: Man, I always wonder if I ever get any work done in this office. Then I look around and I wonder if ANYONE gets any work done. Me: Dude you need to come down to the office, we're printing out PORN on the laser jet printers, then shredding the paper and putting acid on it! Me: My boss reminds me that left nuts do grow out of porportion. Me: Work reminds me that life is nothing but a big orgy, often on keyboards. This would explain why my keyboard is hairier then Rosseane's legs. I hope this reminds the majority of you unemployed, disillusioned stiffs like myself why we constantly get fired. God bless the internet, and all it's pornographic glory.
  • In reality, since we run a SOCKS proxy server at work, and already monitor URLs, capturing AIM conversations can't be very difficult, plus we've in the past been able to take snapshots of sites users are visiting through some creative sniffer work. So this really isn't a big surprise. When you think about it though, people are right, your work PC, internet connection, and your office are there for work. You don't hold tupperware meetings in your office, why should you chat online during office hours. Although, there are occasions where using applications such as IM in the workplace are appropriate. When I use to work for an ISP (Thank god I dont' any more) we used IM to communicate with other techs while we were on the phone. Very useful instead of having to say "Maam' can I put you on hold" go ask a question then come back.

  • SSL (Score:3)

    by Jeffrey Baker ( 6191 ) on Sunday October 08, 2000 @03:02PM (#722041)
    If you take the stance that people should be using business resources for personal email, which is a stance that I disagree with strongly, an SSL connection to your webmail provider is the easy answer.
  • wrong. see one of my previous posts [slashdot.org]

    //rdj

  • Re:SSL won't cut it either... (Score:3)

    by Wookie Athos ( 75570 ) on Sunday October 08, 2000 @05:51PM (#722049)
    HTTPS through a proxy simply uses the CONNECT method to get a direct connection to the SSL server at the other end. It requires an end-to-end byte stream.

    The proxy can sniff the traffic, but they then need to decode the SSL...

  • Use hushmail (Score:5)

    by bradams ( 241228 ) <slashdot1&mynetpad,com> on Sunday October 08, 2000 @03:04PM (#722050) Homepage
    HushMail.com [hushmail.com] uses strong encryption end to end. It's the strongest web based email that i know of...
  • How easy is it for my employers to see the data I transmit if it is going through a java applet?

    Well, that depends - it's still an IP stream, and the packets are still going through your employer's network so they can sniff the packets. Whether or not they can understand those packets depends on whether the applet does encryption at all.
    --

  • Re:Not really . . .. (Score:3)

    by mindstrm ( 20013 ) on Sunday October 08, 2000 @03:48PM (#722055)
    ? But that's not the point at all.

    It's not some rogue boss who has a sniffer that people dislike... it's when the company itself officially tracks things. THat means the IT dept. is involved, and that means they CAN do it.

    LAN admins can snoop? Isnt' that missing the point? It's the IT departments job to manage all aspects of information technology, including hte lan. If the company has a mandate to analyze that traffic, then it is the IT department who would do it.

  • And what happens when the line gets fuzzy? (Score:3)

    by jabbo ( 860 ) <jabbo AT yahoo DOT com> on Sunday October 08, 2000 @03:50PM (#722057)
    When you work from home, for example. As a sysadmin and programmer, it happens plenty. My solution for some time now has been to collect email from various (not publicly available) addresses into an account which I ssh to (as do other users on the box) and read mail at my leisure. I don't engage in any activities nefarious to be more paranoid than that anymore (no gun running, drug manufacture, or espionage, for example). I occasionally chat with people from competing companies or fix up someone's resume, and once in a while I might flame someone.

    Basically, I wouldn't work for an employer who was so paranoid that this arrangement made me nervous, and I would encourage others to consider whether they should. I'm a fairly decent systems programmer and administrator, but I don't believe that my leverage with my employers is excessive. On the other hand, I also don't try to rip off my employers or do a substandard job, which sometimes seems like apostasy in modern-day working America, so YMMV.
  • A company I consulted at had a proxy specifically set up to capture Hotmail, Yahoo and other webmail sites and archive the messages off so the bosses could read through them. At least they let us know this (we were the "good" consultants as opposed to those "bad" contractors that were always hunting for new jobs or mailing of company secrets or whatever.)

    Don't know the product name, but that was 2 years ago.
  • So just encrypt the stream between the monitor and the eyeballs.
    ---
  • How do you get around that? My guess would be to do some kind of key exchange beforehand so you're sure you're talking to the computer you think you're talking to, and then use https or stunnel or something on a different port.

    --

  • And to further extend your remarks, it's a felony, with a maximum 10-year penalty, for *EACH* email they intercept.

    A previous employer of mine thought this wasn't true; their lawyers, the top-rated law firm in that state, set them straight.

    -
  • Why doesn't hotmail or yahoo (or the other big browser email folks) use HTTPS. Doesn't that effectively scramble the browser based emails from prying employers?

    I've wondered about this before and can see this being an attractive marketing tool for the privacy consious.
  • Cool news blurb, but I hope that no one that reads /. was really all that surprised by this.
  • well, had you read the article, you would have noted that using yahoo mail to conduct personal email should be encouraged to limit liability if that person is sending sexist/racist, or bad taste emails. This 'waste of time browsing or chatting' is probably a well needed break. Where i work it is actually encouraged to do this b/c it allows us to get back to work more quickly if we are having a mind block or are doing something tedious. Would you rather someone browse the web for 10minutes or stare blankly at the screen for 20? You incorrectly assume that people only surf for porn. I searched the web b/c i wanted to set something up on my network at home. I proably would not have been able to do it with out spending just a little time at work researching it. It payed off when i overheard they needed pretty much the same thing done there. I was able to implement it much faster b/c i already had the expenience from at home. I worked for an company that was heavily into montoring and control; the turnover rate is around 50%. Thats not the only reason, but its just one more of many. Buinesses like your need to wake up and realize that people are not machines, and cannot concentrate hours on end at ONE task. Minds wear down. You may not notice it in your job, since i'm sure each task you have usually does not last more then a few hours, and even then must be broken up so you can deal with other things. But thats not how it is with most jobs. Just as the article states, people also have a life, they have personal buinsess to attend to. How are they to get anything down if most of the day they are locked up, especially if the buinsess is discussing something with another buinsess, only open M-F, 8-5. Its difficult, to say the least. My company respects the needs of its employees, and gives them a pretty large leaway in what is acceptable to take care/do of at work. In return, each employee pours their heart and soul into the company, and genuenly wants the company to succeed .
  • And there was me thinking that slavery had been made illegal..

    If an employer thinks that I am just a machine, capable of nothing but churning out code, and that I enjoy nothing more than staring at pages and pages of PERL for the 50 - 60 hours a week I'm in the office then thats fine. I can get other jobs. I'm in my last week at my current job, my primary reason for leaving is a restrictive web surfing policy. People who vote with their feet and leave jobs because of this are rare, but I'm one of the few.
  • If you're in an office environment, the computer on your desk belongs to the company. Not you, the company. It is not "your" computer. Therefore the company can regulate what you do with it, and they can monitor what you do with it. You are not entitled to privacy.

    Moreover, it is not your God-given right to customize the computer. Yet when some twit installs the latest Leonardo DiCaprio screen saver and it breaks all of the applications installed on the machine, said twit still feels entitled to yell at the poor tech from the IT department who is dispatched to fix the problem, and removes it.

    You want to do personal stuff? You want to customize? You want to use the computer for any reason other than to do your job? Then go home and use your own computer. I can see this getting modded down by someone who wants to use their computer to goof off at work, but think about it. If your employer is ok with you casually surfing the web during slow times at work, that's fine, but in the end it's their computer and they make the rules.
    --
  • I don't think any employer would really have a problem with using their equipment and resources from time to time. The problem arises from employee abuse. Spending 5 hours a day reading and posting to /. when you're behind schedule on shipping a new product is one example of abusing your company's resources. Finish the job and if you have time during your lunch period or a break then browse the web if your company's policies permit it. If not, then browse from home. It's no different than it was 15 years ago really.. it's just a new communications tool. 15 years ago the abusers spent their day chatting on the phone.. now they're just chatting on ICQ.
  • You are right, of course. I'm a tech for a WV computer company, and we waste a number of hours that could be billable to customers doing in-house crap for the sales people (who don't know anything about computers), or worse, the boss's wife, who is dumb as a log, but is the president... This is why we are going to install ZENworks on every machine except the tech computers.
    However, as another poster said, the best and ONLY criteria for measuring performance is by productivity. If I'm producing a satisfactory level of results, then it shouldn't matter how I get there. If I'm not, then I suppose stuff like `net usage would be a legitimate beef.

  • If this surprises anyone... (Score:5)

    by meckardt ( 113120 ) on Sunday October 08, 2000 @03:06PM (#722099) Homepage

    then they probably deserve what they get.

    If it goes over a company network, there is always the chance that the company can intercept it. Live with it.

    Do I let it worry me? Well, if the company wants to listen in to my IM conversation between my wife and myself, they are welcome to hear all about who's turn it is to pick up the kids, or who has to stay late. If they want to tap my email, they can read all they want about my opinions about some book, show, or event in some mailing list or other. I am very careful to not post anything that would be considered undesirable from work, and fairly careful to limit "ok" emails.

    You want to send inflammatory material? Do it from home.

  • Due to the SSH tunneling features, many corporations block outbound SSH from the desktop, due to the obvious security risks.

    So they block ports 22 and 23. So what? Just pick another one that they haven't blocked. Like RealAudio...

    /usr/local/sbin/sshd -p 554
    /usr/local/sbin/sshd -p 7070

  • Licq is a really great program. It has more features than any other ICQ client, the most interesting of which is encryption. As far as I know, it is the only ICQ client that encrypts instant messages sent to other users of the same client. And it has frontends written in both QT and GTK+ so it is great for anyone.

    If you are paraniod about people snooping in on your instant messaging, use Licq and get your friends to do it to!

Slashdot Top Deals

If all else fails, lower your standards.

Close