Sr. Systems Admin here. IT does not give 2 shits about what you browse UNLESS something is reported or something trips our Alerts (has to be something major like Child Porn).
We don't sit there and actively monitor and watch what you are browsing. We investigate when something is reported by a worker or an Alert/Filter gets tripped
Second. I once had a staff member come to me all embarrassed because someone sent a dick pick via some dating app while they was on our corporate wifi. I was like, "I promise we don't care".
Uh no? Most organizations use preinstaed certs. They are usually baked into the Windows image for deployment... They are what allow a corporate device to connect to WiFi networks without a password.
All of the “privacy experts” in this sub wouldn’t know a certificate if it bit them in the ass. Most don’t even know of VPNs outside of the “privacy” services hawked by YouTubers.
Certificates can be used to authenticate machines to wired or wireless. This is true. They are much easier to maintain at scale than pre-shared key, especially when you run an internal CA and can issue or revoke them easily/automatically, and when you run a domain and can push out additional trusted root CAs to endpoints.
And if you have either an internal CA or a domain (ideally both), it’s very simple to have your firewall or web filter perform man-in-the-middle “attacks”. Most everything nowadays can handle TLS1.2 and many are starting to support TLS1.3. They essentially break open the traffic for inspection and re-sign it with a certificate that your system trusts so there is no error to the user. Some sites and apps have a hard time with this because of HSTS and pinning, but that’s a bit of a tangent.
I say “attacks” in quotes because they own the hardware and they own the time of the person using it.
Anyways, don’t do anything on a work computer you wouldn’t want your boss to know about. We usually aren’t actively watching the traffic, but some things are hard to ignore, and sometimes the CEO just wants to know who else has a diaper fetish for “official reasons”.
I'm not sure what you're saying? Those certs log to somewhere and in my experience HR is nowhere near technically literate enough to monitor and track that stuff.
Usually a manager asks a sysadmin to watch someone's stuff, then the sysadmin and manager tell HR what they find.
We had a contractor spending 90% of his day on reddit who got fired. Hr wouldn't have been able to pull this info since they don't have access to the system that tracks it
That only applies to work devices. If you're using your personal device, they would be able to see traffic to/from a dating website but not the actual content.
Yeah, but the it's a good rule anyway, for some of the same reasons as the "Don't put it in an email if you wouldn't want it read aloud in a deposition" rule.
Everybody has a cell phone nowadays. There's no excuse not to use your cell phone for private stuff. In fact don't use the company Wi-Fi. You must use the company Wi-Fi then you must use a VPN
But no excuse anymore not to use your phone, you don't need to use the word computer to browse, send emails, flirt, whatever
All of my colleagues have work provided phones and laptops. They do all their personal shit on these devices (they don't have their own)
They think i'm a huge weirdo for having my own personal devices.... "Why waste money? Work gives us computer/phone... Lol, you carry two phones like a drug dealer?"
Like IT gives you any time to get anything off a corporate-owned device.
When I got laid off, IT sent a bullet to my laptop immediately kicking me off and completely locking me out of it.
I was supposed to have another 4 days to transition my work. I contacted IT and was told once the bullet goes out, that’s it. Any and all access to everything has been terminated. Might as well just go home and enjoy the extra 4 days because no one’s going to undo a bullet going off early unless it comes from the C-suite. So I did.
Mine does. They also keep an eye on it because I had gotten through it and that only worked a few days before it was blocked too. Didn't want to press my luck after that.
I’ve done both. I wrote my own scripts to generate the WG config files to handle variations in configure I needed to make for my different networks (masking, IPv6, cross multiple WG networks).
After converting to Tailscale, WG is just an extra level of hassle I can now easily avoid.
I never browse personal stuff on a company device. That's what phones are for. I also don't connect to company Wi-Fi on any personal device, because my company makes me sign in with my company's credentials. This should be common sense.
Of course they can, they literally own the machine. You don't own it, so don't treat it like it's your own private job hunting platform or porn viewer.
Then they must have been able to capture his whole screen. Idk how they'd do that days later, but they had a screenshot of a private conversation in slack. Maybe he had already set off some flags before then and they were watching him or something.
It actually depends on what tier of Slack license the company uses. Private is a black hole for anything short of Enterprise Grid, unless they reset your password and login as you, obviously doable but not at all subtle.
Until you get asked by HR why you're breaking their policies by clearing history and why you're doing it. If it's a work device that's not yours, don't expect privacy. It's their property.
They don't need the computer to see everywhere you've gone. I've never heard of anyone getting in trouble for clearing their history, but lots of people who have had problems visiting questionable sites.
I have a very hard time believing that lol. Doesn't matter what country, it's still the companies property, and the work you're doing in it is still considered their property. It's not a personal device. What a pretentious statement.
Quoting from this article, which references the same supreme court case as the above article:
Mr. Justice Fish, writing for the majority of the Supreme Court, delineated the following instructive principles:
Whether at home or in the workplace, computers are reasonably used for personal purpose and contain information that is meaningful, intimate and touching on the user’s biographical core;
The user may reasonably expect privacy in the information contained on their computer particularly where personal use is permitted or reasonably expected;
While ownership of the computer and workplace policies are relevant considerations, neither is determinative of a person’s reasonable expectation of privacy;
The totality of all the circumstances will need to be considered to determine whether privacy is a reasonable expectation in any particular case;
Workplace policies and practices may diminish an individual’s expectation of privacy in a work computer; however they may not in themselves remove the expectation entirely;
A reasonable, though diminished expectation of privacy, is nonetheless a reasonable expectation of privacy, protected by s. 8 of the Charter and subject only to state intrusion under the authority of a reasonable law.
Accidentally deleted my post lol, but the court case ultimately ruled for the company, and that these laws aren't very strong to begin with.
It is recommended that employers should implement clear policies that define, in unequivocal terms, the employer’s expectations surrounding workplace computer use, including smartphone use, if employers provide such equipment to employees in an employment context. Although Fish J., in R. v. Cole, stated that workplace policies are not determinative of a person’s reasonable expectation of privacy, if properly drafted a workplace policy combined with consistent employer actions in the workplace, may diminish, objectively, the employee’s reasonable expectation of privacy. For example, where both the employer’s workplace policy and the employer’s actions in the workplace are consistent in prohibiting any personal use by employees of employer-issued computers or smartphones and where the employee has acknowledge receipt of employer’s policy that provides that any data sent, stored or received using the employer’s computer or smartphone is the property of the employer and the employer reserves the right to perform random checks or audits of the employee’s computer or smartphone use, the employee may be hard pressed to argue that he or she has a reasonable expectation of privacy.
And the article you linked still suggests it's a bad idea to assume privacy.
While it may be tempting to use an instant chat application for workplace gossip, it is best to follow the golden rule: if you wouldn’t share it with your boss voluntarily, it’s probably best saved for a face-to-face conversation.
This is more so to protect employees who are browsing facebook or something on a personal computer, that the employeer isn't then allowed to snoop on their private social media accounts. For work related stuff, the rule still applies that it's work property.
Unfortunately, words on paper frequently fail to prevent organizations, public of private, from doing things they are technically not allowed to do. See the security state apparatus of any of the nations around the world including the 5, 9 and 14 eyes, or any number of tech companies that claim and market privacy respective policies only for people to uncover later that what they pitch publicly diverges in spirit from what they do or what is in the actual terms of service.
Hopefully if people find their employer going outside the bounds of the contract they can catch it, catalog it and hold them to account. Accountability can often be tricky and costly though.
Any personal matters I may have attended to during work hours were done on a personal device, through a VPN, preferably borrowing some other WiFi signal than one run by any company I work for.
If its even more personal, just drop WiFi I don't control all together. Either use the phones data plan for 10 minutes, or tether it to a computer and do the same.
Hmm, no Onionshare is for anonymity, Wormhole or Syncthing are good for security, anything AES basically. You are simply using random Tor servers to share files withing a company...
We have that capability but dont really have the time or need for it. having said that, it only takes one rouge employee to mess it up for everyone else.
I'm not on the IT team but have elevated permissions. I can dial into any of my subordinates computers "invisibility" I might add, and watch their screen. I can copy data remotely. It'll take me a few minutes to grab an image of their computer "for backup" reasons, restore it on another computer, and then safely view their history.
By invisibility, I still leave log traces on their computer.
I'm not going to, because wtf. But I totally do have that power.
I work in cybersec - I’m not going to speak for all businesses or individuals but I will give you my perspective.
Sometimes we need to see browser history to help with timeline correlation, it’s mainly to see “how did this file get here, was it downloaded etc.
Sometimes the investigators need to check out the things they need to check out, BUT
BUT
It needs to be done precisely and sparingly where needed only. This means instead of going through the entire history file, or doing unrelated correlation work (spying on you without cause) you are going to only grab specific timeframes from things you suspect explicitly to prevent any overreach. It’s a tricky balance to hold but also why it’s so important for people in tech to be privacy advocates as well.
There’s a difference between searching for answers to a problem that arose and looking for/predicting problems (thought crime detected!)
I also work in cybersecurity. Second everything this person said.
This thread is a good reminder, because at many organizations HR / management can and will look at your browser history (and computer activity in general) as a method of monitoring performance and staying in control.
But at my organization, we have never once looked at anyone's browser history (and I know that HR hasn't because they would have to go through us). We certainly could if we were asked to and we would if there was an incident (what we would care about is sensitive / confidential information getting leaked or suspicious activity on the network using a specific person's credentials, suggesting those credentials may be compromised). But in almost 2 years (we're a startup in the aerospace electronics sector) we have never once had cause to do that and we have a philosophy that happy relaxed employees who feel trusted by their employer are the kinds of employees that we want, so we wouldn't intrude that way without cause ever.
I third(?) this. Security and IT teams are too busy to be monitoring your everyday habits. Sure, they can see your history if they wanted to, but they won’t unless there is an appropriate justification to do so, and it’s usually triggered by an incident or HR. There also stricit rules with doing so because employees still have the right to their own privacy. It’s not like HR can just go over to the security guy and ask them to pull someone’s browsing history.
Another Cybersec worker here, and I'll broadly agree with all this. That said, I'd also point out that, depending on your site setup, the browser history may be nothing more than another place to correlate information we have from elsewhere.
Several sites I have been at have used Data Loss Prevention (DLP) software which automagically records (and possibly blocks) data moving into and out of the environment. This can be very detailed, to the point of knowing when someone copy/pastes data to a web form. I've also been at sites which sniff web traffic at the firewall and record full pcaps and extract metadata for quick analysis. So yes, for those not aware, deleting browser history or using "in private" browsing or other steps to avoid us seeing your porn browsing, may not be as effective as you think.
All that said, I've never been on a Cybersec team which has had enough time to really care about porn browsing, so long as you are not putting the network at risk. And, so long as HR/Management doesn't tell us to care. We have better things to spend our time on.
Lastly, if you don't want us seeing it, don't so it on a work computer. Look, we have lots of ways to see what you are doing. Just, do that stuff at home, on your own hardware. And leave the work computer for work. Writing up misuse reports is something I really hate doing.
Oh no, my employer might find out I'm looking for other jobs after being overloaded for a year and a half and constantly having my concerns/feedback/process improvement initiatives brushed aside.
I have been hinting to my manager for 6-9 months that he needs to move part of my workload elsewhere so that I can focus and actually achieve something. To think, all it took was for me to tell him straight that I was unhappy and unfulfilled to the point that I was considering resigning. Suddenly he's all apologies and let's make changes because you're kind of vital and we don't want to lose you.
Yeah pretty outrageous, I soon found out employment rights in Ontario Canada are practically useless. I had no idea, I thought I had some basic protections, it's almost nothing.
I’m an infrastructure analyst and at my workplace I implement such rules for specific reasons: 1) we need to be able to have evidence should an employee act maliciously with a company device. We do also monitor all queries but it’s passive. We can drill into your browsing history in great detail but won’t unless we have to (speaking personally here as I follow the code).
2) people will do dumb shit. And will lie to get support. Now, having been on the other end of a support ticket, I get it. Unless you lie a little, you may not get support promptly. Therefore, it’s part of my job to check what’s the lie and what’s the actual issue, which includes being able to see the download history. I would not be surprised if malware is accidentally downloaded and then it autonomously removes itself from the download history as It has happened before.
Strictly speaking, this is done for both your safety as well as that of the company. And generally speaking, you should NEVER use your work laptop/phone/iPad for personal use because of all of the above.
I use my personal laptop at work, no issues. Employer can't see what I'm doing which is the way it should be.
If they don't trust me, don't hire me then.
I would never work anywhere where people like you can watch what I'm doing. Luckily I'm in IT so I choose where I work.
I despise companies who don't give employees privacy. The reasons you gave means nothing. You can always argue for anything to protect the company. Who protects the employees?
Safest for the company would be if you have employees in small cells being watched by guards around the clock. That would be really good for the company.
If you've connected your personal laptop to your work wifi, they 100% can see all your browsing history (specifically whats passed through their network).
Hell, I only run a simple homelab and I can see the exact traffic/browsing history of every device on my home network. I'm only tracking via dns traffic, but your https traffic can even be intercepted and decrypted pretty easily. So don't even trust that.
This doesn't require installing anything on your device to fully monitor you.
You’re not wrong. It really comes down to how ethical the IT/company is. And we are, purposely so. Also we have dns-over-https and No other identifier is parsed through. So we can see and block someone browsing porn on the guest Wi-Fi, but we’d never know who it was.
Look, I’m not saying things are perfect, but there are people like me who look out for both the user and the company. The goal is ensure that users privacy is respected and that the company is protected agains misuse, malicious intent or just plain bad-luck. This is the “code” I was referring to. As IT people we have to behave ethically for business we operate in. It’s not perfect but nobody is trying to be. This is all best effort from all parties.
Sure but I work from home. Don't use their wifi except when I'm in the office. I could connect to a VPN and they would also see a connection to a VPN, but I don't care enough to do that.
But when I'm at home, working on my computer, they don't see anything.
I hear you, and fully get where you’re coming from.
I work in the finance industry and we have auditors to answer to as well as a ridiculous number of compliance regulations we have to abide by. Not every business is the same. I’m personally on the no-trust policy when you have more than 50 users to manage but it also depend on company policy.
No one is saying you can’t use your personal device at work. We don’t monitor the guest Wi-Fi in any way specifically because that would be an invasion of privacy.
I was referring specifically to using a work device, managed by the business, for personal use.
The employee is protected by being briefed during first day induction of he does and don’t with regards to the equipment that is provided to them to do their job.
Their personal privacy is not infringed upon as there is a clear agreement about what is expected from them. By the way, I’m in the uk (not sure if relevant).
Eh, not really, at least in the US. You are paid to do your job. The company doesn't own you during work hours. You can refuse to do work that was not in your job description, or ask for additional compensation. The company may fire you for this, but you would have a very compelling wrongful termination lawsuit.
There's a big difference between a giant corporation (that wants you to continue using its products) seeing every site you've visited, and your fucking employer, source of not being homeless and starving to death.
No not really. I mean you could never connect to the internet I guess. But that's the best mitigation there is as long as your using windows. Or run it in a VM?
So you can understand how this works, each device in your computer has a uid or hid, a unique id, or hardware id. This remains consisten as long as you have the hardware. Things that have this are like hard drives pcie cards, etc.
There's also just the fundamental unique ways your PC is built. Of all windows users how many have an Nvidia card? 90% of those 90% how many have the same drive configuration. 5% of those how many are running Intel CPU. Etc etc...
My work has a 100% mandatory vpn and mitm proxy for ssl scanning. I just use parsec to view my laptop from my desktop and browse what I want on my actual personal computer
My work has a 100% mandatory vpn and mitm proxy for ssl scanning
These are worse than useless. They are anti safety. If this box or its private keys get compromised ALL tls traffic of all employees is immediately plaintext.
Any company that buys one of these appliances from mcafee or whatever is asking for it (losing most/all their secrets)
That sort of thing is required for a lot of enterprise certifications. When you do work for government, healthcare, banking, etc. stupid "security" is mandatory for checking off compliance requirements. Not that any of it has to be in any way effective...
when breaking the internet and end-to-end encryption are part of any kind of "enterprise certification" that certification is worthless (or worse) and probably some kind of chinese or russian (or the CIA or whoever, certainly not your friend) psyop. Only a mindless idiot would implement it.
That doesn't mean someone isn't going to pull those up to reprimand you, or monitor your work.
There's privacy from personal things, then there's overbearing micro management who will literally track "Mouse hovering" and "Keyboard Idle Time" or how long you take to write an email.
Amingst the other creative ways they can try to keep you at a level "non promotable" status or whatever leverage to control you.
I've never had to suffer from it, I do my job, but as a systems admin/engineer for over 15 years, I've definitely worked at places that implemented it at our expense, or we had to set it up for our clients using it against their own staff.
This is assuming that the website is encrypted (it starts with https://, not http://), which nowadays luckily most websites are. Otherwise they can see the specific page, it's content and most likely also all information you input on that page.
My work runs MITM with corporate certificates, so they can see everything no matter whether it's encrypted or not. If you don't accept the certificates to let them monitor, you can't browse.
Corporate networks (especially those utilizing MITM) block vpn access altogether.
You can't reach your vpn server, falling back to plain un-tunneled https. Then instead of dns retuning the true ip, it returns a local corporate ip; you connect to that with https and it serves you a cert generated on the fly for that particular domain signed by a root cert your browser already trusts. Your browser sees nothing wrong and transmits via that compromised connection.
You can usually check for this by connecting via mobile data, taking a screenshot of the cert details, then doing the same on work wifi and compare.
If the cert details change on wifi, your traffic is being intercepted, decrypted, read/logged, then re-encrypted and passed to the server you're trying to reach.
Can you link to something with more info on how it works? I know how certs work and CAs but not how some random wifi network can hijack that whole trust system. It sounds like it would defeat the whole purpose of https. Thanks in advance.
Depending on the nature of the work and security protocols it isn't the WTF. When you're working, on your work device, on the work network, there is zero assumption of privacy (and there really shouldn't be). The company wants to maintain it's security and so it is ensuring it is aware of things happening on its network.
It's not necessary for everyone everywhere but it has valid use case that isn't some mega shady weird thing.
if the company had installed something that uses similar technology as a pihole, wouldn't they technically be able to see everything even if you use https?
Mostly no. PiHole works by providing a DNS server.
A DNS server is responsible for turning domain names such as en.wikipedia.org into internet protocol addresses such as 185.15.58.224.
PiHole has a list of known ad serving domains and when asked to resolve one just replies with an invalid address.
Running the DNS server itself would only give them access to the above mentioned data. However, they could respond with wrong addresses to redirect all traffic over a man in the middle proxy.
For an https secured connection this would just result in a certificate error, warning the user to not proceed. Https secured websites have a certificate electronically signed by a trusted outside party, that verifies that they really are the owner of a specific domain.
Another option would be to redirect the user to a man in the middle proxy that pretends to not support https in order to trick the browser and server into opening an unencrypted connection. This works on some websites, but can be noticed by the user (as the browser now displays "Not Secure" and "http://") in the address bar) and is protected again by newer security mechanisms like HSTS that allow websites to tell browsers to always contact them over https in the future.
Basically if the site supports HSTS and you have visited it before this also won't work.
Ah I see. When I run adguard on a mac and enable system wide protection, I think it registers itself as a trusted certificate authority and works similar to the "man-in-the-middle" component that you mentioned. This is just my assumption based on the fact that on https websites, if I click the padlock, the certificate info says "Adguard CA". It also has an explicit option for a deep packet analysis which explicitly states that it can provide better protection by inspecting https traffic so I am guessing that in theory it's possible.
Yes. This works because AdGuard is installed on your Mac and adds itself to the trusted authorities there. Basically computers with adguard installed will trust the certificate while computers without AdGuard installed will not trust it.
Some companies do something similar (like another commenter here mentioned), where they install their own certificate on all work provided devices, allowing them to man-in-the-middle all connections. Personal devices without the company certificate installed will then just show the certificate error.
Every URL visited minimum unless you are going to an encrypted VPN outside their network first, then they will still see the network traffic to that vpn . I Know someone that got caught redditing on work wifi. granted they also had their device name set to use their name in it... so some of that is on them
Legacy software with incredible backwards compatibility, exponetially more software options, user familiarity, pretty much everything that active directory provides from user management to group policies, the list goes on.
Im a linux guy, but the thought of rolling out even the most user friendly linux distro gives me nightmares.
Aren't they? Changing a legacy app can take years to do the needed research, approval, procurement, and implementation. "Because my IT guy doesn't like Windows" is a terrible reason to undergo that process.
The same with retraining users on a whole new OS. You'll spend hours over the course of months answering "where did my C:\ drive go?". That's a lot of time you'll never get back.
Active Directory provides a lot of tools that are familiar to senior techs and easy enough for junior techs to figure out. I might prefer how Salt Stack works but I don't have time to train dozens of fellow techs.
Linux is cool for a number of reasons, but it isn't a magic easy button and a wise admin doesn't swap out fundamental parts of his tech stack without careful consideration.
I'm in the process of convincing my management to switch to Linux. The most important thing to them is having a way to remotely delete the pc in case it's stolen. Does someone know of a solution in Linux for that?
That might not be enough. I could monitor that on all the devices I manage, if I need to. There are tools to dump browsing info as it's being committed, or it's easy to pipe all the traffic from your machine through a VPN to a firewall I manage with a trusted cert injection into your device and inspect the traffic in transit. If you don't want your employer to see what your up to, don't use their infrastructure.
Well, yeah, if I worked at home I would use my personal computer for personal things and the workstation for work, it would be pristine. But alas, in the office there's so much time I can spend pretending that I'm working because I finished my tasks before I implode.
Some risks are necessary :)
It's not really about IT not knowing, but about being discreet enough that your boss doesn't see your personal accounts logged in or even worse, to have two chrome profiles, both with obscure names, press the wrong one and to share the screen of saved tabs with Facebook, Instagram, pornhub.... Yeah I've seen those bookmarks.
It's... Wtf... If you're going to be that deranged, at the very least be discreet... Sigh.
All true, and I'm sure your IT doesn't care as long as you're not taking stupid risks
If you're going to be that deranged, at the very least be discreet
...
I've seen things you people wouldn't believe... a folder full of photos of a sales rep's feet taken under the table at a meeting... a bookmarked playlist of adult baby porn labelled "Potential Suppliers"... I watched a modded BitTorrent client try to fake VLAN tags for unrestricted Internet access. All those moments will be lost in time, like that expensive label printer from my locked desk drawer... time to get another coffee..
As an IT administrator, if your org has GPOs controlling if you can delete your browsing history or not, there is no chance you will be able to install a second browser without admin credentials.
Sure but people see that you are on the phone while the IT people don't really care what you do and by bosses aren't checking those logs so idc. it's about being discreet on some layers.
If I were at home I wouldn't need to do anything to hide it since I would use my pc but since I'm in the office I have to get creative.
Same can be said for any browser, any app, any connection while on the employers network IF they wished to monitor it. Even if you were able to delete all local browsing history and used private browsing, your employer would still be able to know every site you visit if they wished.
If you've authenticated with your credentials on the device, IT is able to see IPs visited and DNS queries and has access to all sorts of network tools to track, shape and otherwise manage your activity.
It's best to assume that nothing you do on your employers network, even when logging into their corporate VPN from a personal device, is private.
I'm always shocked by privacy conscious people who do not have complete segregation of work and personal equipment and devices.
They could even force you to connect to a mainframe instead of your own computer in order to work, and only allow you to click on 3 allowed buttons if they wanted to.
Only tangentially relevant, human beings get along better with their agenda (that is, are more productive) when they're freely allowed to check email and their lemmy feeds, shop on Amazon and whatever other social media stuff they do. In fact, studies have shown an improvement when they drag overly-focused clerks to their mandated coffee breaks (actual coffee optional).
So if you're getting into trouble for chatting with your kids, or answering emails or resupplying your household with dog food, that might be an indicator your work environment is toxic and you might want to keep looking out for better offers.
Also when game dev teams are crunched, their productivity drops below 50%. When they're crunched for more than two weeks, it drops below 10%. So don't crunch your devs.
I won't even connect to a wireless network at work with my phone without VPNing to my home network to browse. People use their work computers to browse for personal reasons? They are all.
No, no, no. Private browsing isn't private like that. Your ISP and network adminstrator (in this case your employer) can still see every website you access. This is usually explained on the "New private tab" on browsers.
We record network traffic, not data from your browser. We can see every URL any device on the network hits, regardless if the traffic comes from a browser or even a phone app.
How is this with mobile devices from your employer. I have a company iPhone and understand that there is a certain “space” on the phone which is controlled by the company, mostly all the Microsoft 365 apps (so, for example it is not possible to copy/paste stuff between MS and non-MS apps).
However, for the rest I would assume that all the other traffic does not go through company servers (probably no traffic at all, as I usually have a local IP), and that they can’t see what I am doing in my other apps. Otherwise they could spy on all my transactions I do in my banking apps for example. But AFAIK iOS apps are pretty much sandboxed anyway.
This might be different on my company PC / Laptop, though.
Most companies deploy management software on their mobile devices. They have the ability to monitor activity and do things like remote wipe the device if you're fired. On iPhone go to settings->general->vpn and device management to see if anything's there.
Thanks for pointing me to this setting. There are two profiles, one is my personal VPN, which I use for device-wide ad-blocking (AdGuard Pro), another one is the MDM management profile. The latter one consists of a list of managed Microsoft apps (e.g. Outlook, OneDrive, Teams, etc.) and various (device) certificates. I guess nothing to be concerned about.
That could be possible, I don’t know. I am not visiting any adult or otherwise inappropriate sites on that phone, but I do a lot of Reddit, Lemmy, Mastodon stuff in my free time. But it was this way for the past 10 years and I never had any problems. Sometimes I think about buying i private phone, but it seems kinda stupid to have two of these devices.
That could be possible, I don’t know. I am not visiting any adult or otherwise inappropriate sites on that phone, but I do a lot of Reddit, Lemmy, Mastodon stuff in my free time. But it was this way for the past 10 years and I never had any problems. Sometimes I think about buying i private phone, but it seems kinda stupid to have two of these devices.
That device would not be able to reach th custom DNS in the scenario I mentioned. If it cannot fall back to the network's DNS it would simply fail to reach any websites.
In addition, some companies install software on each employee's machine that enhances what they can monitor on that machine. It may not be labeled "corporate spyware" but something like "endpoint security", yet it may have the capacity to track pretty much everything you do.
Products such as Cisco Umbrella cover both. There's a DNS appliance inside the network, as well as a client software that installs on devices that forces them to use Umbrella's public DNS server when being used on another network.
This means we can track everything on the company owner device, even when you are at Starbucks or at home.
Never expect privacy on any device and/or network you don't have ownership and control over.
You can use Tor and your IT won't be able to see what you're browsing. They will be able to see that you're using Tor, and might get grumpy about that, though.
Private mode is absolutely not private at work even if it's enabled. They see everything you access with their network and know exactly where the traffic is coming from and going to.
For US government employees USAJobs is probably one of the most accessed websites.
Also in Google searches, if you click the vertical ... next to the URL on results, click the down arrow in the pop-up, and click Cached you can likely access a version of the website your white/blacklist service doesn't block. If there are SFW sites you need access to. Generally all scripts are disabled, though.
I know I'm here a week later, but a large number of system administrators disable browser proxy systems, dns over https, and incognito. It's a neverending war.
Never do anything on work machines/networks you don't want to have to explain to hr/legal.
Sr. Systems Admin here. IT does not give 2 shits about what you browse UNLESS something is reported or something trips our Alerts (has to be something major like Child Porn).
We don't sit there and actively monitor and watch what you are browsing. We investigate when something is reported by a worker or an Alert/Filter gets tripped
HR also doesn't know unless we tell them.
Second. I once had a staff member come to me all embarrassed because someone sent a dick pick via some dating app while they was on our corporate wifi. I was like, "I promise we don't care".
I mean, its HTTPS right?
Https is no match for work monitoring: pre-installed software, certs.
Pre installed certs would be a huge vulnerability
Uh no? Most organizations use preinstaed certs. They are usually baked into the Windows image for deployment... They are what allow a corporate device to connect to WiFi networks without a password.
All of the “privacy experts” in this sub wouldn’t know a certificate if it bit them in the ass. Most don’t even know of VPNs outside of the “privacy” services hawked by YouTubers.
Certificates can be used to authenticate machines to wired or wireless. This is true. They are much easier to maintain at scale than pre-shared key, especially when you run an internal CA and can issue or revoke them easily/automatically, and when you run a domain and can push out additional trusted root CAs to endpoints.
And if you have either an internal CA or a domain (ideally both), it’s very simple to have your firewall or web filter perform man-in-the-middle “attacks”. Most everything nowadays can handle TLS1.2 and many are starting to support TLS1.3. They essentially break open the traffic for inspection and re-sign it with a certificate that your system trusts so there is no error to the user. Some sites and apps have a hard time with this because of HSTS and pinning, but that’s a bit of a tangent.
I say “attacks” in quotes because they own the hardware and they own the time of the person using it.
Anyways, don’t do anything on a work computer you wouldn’t want your boss to know about. We usually aren’t actively watching the traffic, but some things are hard to ignore, and sometimes the CEO just wants to know who else has a diaper fetish for “official reasons”.
RADIUS doesn't depend on preinstalled certs. But I wouldn't use Windows anwyay.
I'm not sure what you're saying? Those certs log to somewhere and in my experience HR is nowhere near technically literate enough to monitor and track that stuff.
Usually a manager asks a sysadmin to watch someone's stuff, then the sysadmin and manager tell HR what they find.
We had a contractor spending 90% of his day on reddit who got fired. Hr wouldn't have been able to pull this info since they don't have access to the system that tracks it
That only applies to work devices. If you're using your personal device, they would be able to see traffic to/from a dating website but not the actual content.
Depends on the company size and the people above IT. Sometimes the boss is a chode and demands everyone be supervised like children constantly.
Probably for audit/investigation reasons.
IT generally doesn't care (doesn't want to care) but you still shouldn't do personal stuff on work machines/profiles.
Yeah, but the it's a good rule anyway, for some of the same reasons as the "Don't put it in an email if you wouldn't want it read aloud in a deposition" rule.
Also do some really weird things that are innocuous so the HR lady looks at you weird from now on.
Examples please?
Reload every five seconds the global doomsday countdown clock.
You sick €%#¥! /s
Absolutely. Everyone could use that reminder
Everybody has a cell phone nowadays. There's no excuse not to use your cell phone for private stuff. In fact don't use the company Wi-Fi. You must use the company Wi-Fi then you must use a VPN
But no excuse anymore not to use your phone, you don't need to use the word computer to browse, send emails, flirt, whatever
All of my colleagues have work provided phones and laptops. They do all their personal shit on these devices (they don't have their own)
They think i'm a huge weirdo for having my own personal devices.... "Why waste money? Work gives us computer/phone... Lol, you carry two phones like a drug dealer?"
Then they have nobody to blame but themselves when drama happens.
IT: "You've been fired. Please return your laptop..."
"But how do i retrieve all my personal files?"
IT: [Shrug emoji]
Like IT gives you any time to get anything off a corporate-owned device.
When I got laid off, IT sent a bullet to my laptop immediately kicking me off and completely locking me out of it.
I was supposed to have another 4 days to transition my work. I contacted IT and was told once the bullet goes out, that’s it. Any and all access to everything has been terminated. Might as well just go home and enjoy the extra 4 days because no one’s going to undo a bullet going off early unless it comes from the C-suite. So I did.
@EmbeddedEntropy @9488fcea02a9 Okay. Note fur future me: BACKUP🙃
Just tell them "I don't want to spend company's resources for my own private life."
The only way is to give them back that guilt and fear they are feeling.
it's one thing if they pay for them but if they are actually company devices that's fucking weird
Nope. It's not a pay and reimburse situation
Pure company owned devices
WTF? What country? Even at jobs where I was given a phone no one felt like ditching their personal devices.
I suspect its a millenial thing....
A few of us old guys keep personal devices.... Our young colleages just expect the company to provide devices for them and never have to buy their own
Or we can’t afford our own 😕.
Decent used laptops are quite affordable. I recently scored one on Ebay for under $100. It runs Linux and everything is snappy.
Hustlah 4 lyfe
I mean if all of them have them and use them, then i would definitely see you as a weirdo.
If a company would have fired someone for what the searched on a company computer, everyone would know by now.
Are there even these cases?
Don't most work Wifi networks prevent VPN use?
This has not been my experience
Mine does. They also keep an eye on it because I had gotten through it and that only worked a few days before it was blocked too. Didn't want to press my luck after that.
No.
where the hell do you work dude
Not sure why you're down voted. Yes some definitely do. You could get around it by hosting your own VPN on 443 or something but some do lock it down.
Their network, their rules. Makes sense.
then spin up your own wireguard instance and connect to it?
If only it was that easy...
Tried that. And openvpn tun+tap configs, Various ports incl 443, even shadowsocks. None of it gets through.
Use Tailscale. Much easier to configure and manage than raw WireGuard.
I’ve done both. I wrote my own scripts to generate the WG config files to handle variations in configure I needed to make for my different networks (masking, IPv6, cross multiple WG networks).
After converting to Tailscale, WG is just an extra level of hassle I can now easily avoid.
And if you don't have a VPN set up, use Tor on your phone:
https://play.google.com/store/apps/details?id=org.torproject.torbrowser
https://apps.apple.com/us/app/onion-browser/id519296448
That's fair, bur if your not using a VPN just don't connect to wifi at all. Too easy to make a mistake
The Tor website provides .apk files for Android, and there is an F-Droid release too. https://www.torproject.org/download/#android
Guardian Repo on FDroid... preinstalled
The company VPN or the client VPN, sadly
I mean if your personal device is attached to a work network use a always on personal VPN.
If you can't for whatever reason then don't connect to the wifi!
They see and scan all traffic, even what doesn't go through the browser.
No one should use work laptops other than for work
Yeah. Nobody competent is checking your browser history on your PC.
Until HR needs to dig up a reason to justify firing you.
But my state is at will employment only, so they don't need a reason.
They still won't be looking at your PC. They'll look at the network logs.
get fucked nerd
Most just monitor your browsing through the Antivirus.
Since they don't want you visiting porn or malware websites on the corporate network, for good reasons.
I never browse personal stuff on a company device. That's what phones are for. I also don't connect to company Wi-Fi on any personal device, because my company makes me sign in with my company's credentials. This should be common sense.
This is why my phone will never join the company wifi.
You could join using a vpn on your phone.
The few I tried back in the day were blocked at my company.
Smart. Everyone reading this thread who cares about privacy and separation of work and personal life should follow your lead.
Of course they can, they literally own the machine. You don't own it, so don't treat it like it's your own private job hunting platform or porn viewer.
Unless you work in recruitment or porn…
Or maybe you're a porn recruiter, that's a double whammy.
Yes I imagine it might be!
Yea, this regular "surprise" that work computers are... IDK... owned by work and are configured as the owner requires... is so strange to me.
Anyone that uses work equipment for personal stuff deserves to be found out
Your work can also read your private Slack messages. You have been warned.
I was the slack admin. We could not see private messages of clients. We could see company wide channels.
They can see it. I know because someone had an HR investigation happening and they showed me screenshots of his Slack conversations.
If it was a screenshot then they didn't get it from slack. They have spyware that takes screenshots.
Obviously if they install malware that records keystrokes or the screen then they can see what you type and what's on your screen.
But slack doesn't let admins export private chats
Then they must have been able to capture his whole screen. Idk how they'd do that days later, but they had a screenshot of a private conversation in slack. Maybe he had already set off some flags before then and they were watching him or something.
It actually depends on what tier of Slack license the company uses. Private is a black hole for anything short of Enterprise Grid, unless they reset your password and login as you, obviously doable but not at all subtle.
Until you get asked by HR why you're breaking their policies by clearing history and why you're doing it. If it's a work device that's not yours, don't expect privacy. It's their property.
They don't need the computer to see everywhere you've gone. I've never heard of anyone getting in trouble for clearing their history, but lots of people who have had problems visiting questionable sites.
You underestimate just how dumb some corporate policies are lol. Even if you are completely right.
When I turn on my pc I get a prompt saying "this computer is managed by your organization, expect no privacy"
That's not how it works in civilized countries that provide worker's rights by law
I have a very hard time believing that lol. Doesn't matter what country, it's still the companies property, and the work you're doing in it is still considered their property. It's not a personal device. What a pretentious statement.
In Canada employees may have a limited expectation of privacy on work computers.
Quoting from this article, which references the same supreme court case as the above article:
Accidentally deleted my post lol, but the court case ultimately ruled for the company, and that these laws aren't very strong to begin with.
And the article you linked still suggests it's a bad idea to assume privacy.
This is more so to protect employees who are browsing facebook or something on a personal computer, that the employeer isn't then allowed to snoop on their private social media accounts. For work related stuff, the rule still applies that it's work property.
Unfortunately, words on paper frequently fail to prevent organizations, public of private, from doing things they are technically not allowed to do. See the security state apparatus of any of the nations around the world including the 5, 9 and 14 eyes, or any number of tech companies that claim and market privacy respective policies only for people to uncover later that what they pitch publicly diverges in spirit from what they do or what is in the actual terms of service.
Hopefully if people find their employer going outside the bounds of the contract they can catch it, catalog it and hold them to account. Accountability can often be tricky and costly though.
This is why unions and NGOs exist.
So... not the United States. France, maybe? Germany?
Sadly this.
Any personal matters I may have attended to during work hours were done on a personal device, through a VPN, preferably borrowing some other WiFi signal than one run by any company I work for.
If its even more personal, just drop WiFi I don't control all together. Either use the phones data plan for 10 minutes, or tether it to a computer and do the same.
This, but it won't matter if you delete history. They know anyway if the want, and can enable logging it if they choose.
I used TOR at work once, to download some RPMs. Corp IT had a fucking meltdown
I can't imagine why
i think they are a package of some distribution.
like .deb for Ubuntu or .exe for windows.
RedHat Package Manager
Actually it’s Raunchy Porn Movies
We’re not cool enough to know
Revolutions per minute. Was a limited time mod for their car.
I worked in security and trained all our staff on how to use Tor. Good data hygiene is important around the office.
Also Onion Share is the best way to securely share large sensitive files between users
Hmm, no Onionshare is for anonymity, Wormhole or Syncthing are good for security, anything AES basically. You are simply using random Tor servers to share files withing a company...
Why would you download RPMs from a browser, to a work PC, and do they use RHEL?
Some of our servers used RHEL, and were airgapped, so I had to use TOR because they blocked the site (rpm.pbone I think)and then sneakernet that shit.
Possibly, if they've bothered to configure their machines that way. And only on the browsers they've configured that way and only on their machines.
Also, please don't assume that your work operates the same way as everyone else's work.
We have that capability but dont really have the time or need for it. having said that, it only takes one rouge employee to mess it up for everyone else.
What about a pink employee?
They were tickled?
I'm not on the IT team but have elevated permissions. I can dial into any of my subordinates computers "invisibility" I might add, and watch their screen. I can copy data remotely. It'll take me a few minutes to grab an image of their computer "for backup" reasons, restore it on another computer, and then safely view their history.
By invisibility, I still leave log traces on their computer.
I'm not going to, because wtf. But I totally do have that power.
I work in cybersec - I’m not going to speak for all businesses or individuals but I will give you my perspective.
Sometimes we need to see browser history to help with timeline correlation, it’s mainly to see “how did this file get here, was it downloaded etc.
Sometimes the investigators need to check out the things they need to check out, BUT
BUT
It needs to be done precisely and sparingly where needed only. This means instead of going through the entire history file, or doing unrelated correlation work (spying on you without cause) you are going to only grab specific timeframes from things you suspect explicitly to prevent any overreach. It’s a tricky balance to hold but also why it’s so important for people in tech to be privacy advocates as well.
There’s a difference between searching for answers to a problem that arose and looking for/predicting problems (thought crime detected!)
I also work in cybersecurity. Second everything this person said.
This thread is a good reminder, because at many organizations HR / management can and will look at your browser history (and computer activity in general) as a method of monitoring performance and staying in control.
But at my organization, we have never once looked at anyone's browser history (and I know that HR hasn't because they would have to go through us). We certainly could if we were asked to and we would if there was an incident (what we would care about is sensitive / confidential information getting leaked or suspicious activity on the network using a specific person's credentials, suggesting those credentials may be compromised). But in almost 2 years (we're a startup in the aerospace electronics sector) we have never once had cause to do that and we have a philosophy that happy relaxed employees who feel trusted by their employer are the kinds of employees that we want, so we wouldn't intrude that way without cause ever.
I third(?) this. Security and IT teams are too busy to be monitoring your everyday habits. Sure, they can see your history if they wanted to, but they won’t unless there is an appropriate justification to do so, and it’s usually triggered by an incident or HR. There also stricit rules with doing so because employees still have the right to their own privacy. It’s not like HR can just go over to the security guy and ask them to pull someone’s browsing history.
Another Cybersec worker here, and I'll broadly agree with all this. That said, I'd also point out that, depending on your site setup, the browser history may be nothing more than another place to correlate information we have from elsewhere.
Several sites I have been at have used Data Loss Prevention (DLP) software which automagically records (and possibly blocks) data moving into and out of the environment. This can be very detailed, to the point of knowing when someone copy/pastes data to a web form. I've also been at sites which sniff web traffic at the firewall and record full pcaps and extract metadata for quick analysis. So yes, for those not aware, deleting browser history or using "in private" browsing or other steps to avoid us seeing your porn browsing, may not be as effective as you think.
All that said, I've never been on a Cybersec team which has had enough time to really care about porn browsing, so long as you are not putting the network at risk. And, so long as HR/Management doesn't tell us to care. We have better things to spend our time on.
Lastly, if you don't want us seeing it, don't so it on a work computer. Look, we have lots of ways to see what you are doing. Just, do that stuff at home, on your own hardware. And leave the work computer for work. Writing up misuse reports is something I really hate doing.
I agree with you completely
Oh no, my employer might find out I'm looking for other jobs after being overloaded for a year and a half and constantly having my concerns/feedback/process improvement initiatives brushed aside.
I have been hinting to my manager for 6-9 months that he needs to move part of my workload elsewhere so that I can focus and actually achieve something. To think, all it took was for me to tell him straight that I was unhappy and unfulfilled to the point that I was considering resigning. Suddenly he's all apologies and let's make changes because you're kind of vital and we don't want to lose you.
And I was fired for it. Depends on the market demand I suppose, some industries there is no denying your worth, in others you're disposable.
I love the fact that firing me what the person you're answering mentioned is illegal here.
Peace of mind.
Yeah pretty outrageous, I soon found out employment rights in Ontario Canada are practically useless. I had no idea, I thought I had some basic protections, it's almost nothing.
Shot, i regularly browse jobs websites even though Im not looking to change jobs again soon. Just to keep them guessing.
Forget chrome management. Any IT shop worth their salt is protecting their egress with a proxy, explicitly or transparently set.
Don't browse the net on your employer's network or devices. Use your phone. Get on 4G/5G.
I’m an infrastructure analyst and at my workplace I implement such rules for specific reasons: 1) we need to be able to have evidence should an employee act maliciously with a company device. We do also monitor all queries but it’s passive. We can drill into your browsing history in great detail but won’t unless we have to (speaking personally here as I follow the code). 2) people will do dumb shit. And will lie to get support. Now, having been on the other end of a support ticket, I get it. Unless you lie a little, you may not get support promptly. Therefore, it’s part of my job to check what’s the lie and what’s the actual issue, which includes being able to see the download history. I would not be surprised if malware is accidentally downloaded and then it autonomously removes itself from the download history as It has happened before. Strictly speaking, this is done for both your safety as well as that of the company. And generally speaking, you should NEVER use your work laptop/phone/iPad for personal use because of all of the above.
I use my personal laptop at work, no issues. Employer can't see what I'm doing which is the way it should be.
If they don't trust me, don't hire me then.
I would never work anywhere where people like you can watch what I'm doing. Luckily I'm in IT so I choose where I work.
I despise companies who don't give employees privacy. The reasons you gave means nothing. You can always argue for anything to protect the company. Who protects the employees?
Safest for the company would be if you have employees in small cells being watched by guards around the clock. That would be really good for the company.
If you've connected your personal laptop to your work wifi, they 100% can see all your browsing history (specifically whats passed through their network).
Hell, I only run a simple homelab and I can see the exact traffic/browsing history of every device on my home network. I'm only tracking via dns traffic, but your https traffic can even be intercepted and decrypted pretty easily. So don't even trust that.
This doesn't require installing anything on your device to fully monitor you.
You’re not wrong. It really comes down to how ethical the IT/company is. And we are, purposely so. Also we have dns-over-https and No other identifier is parsed through. So we can see and block someone browsing porn on the guest Wi-Fi, but we’d never know who it was. Look, I’m not saying things are perfect, but there are people like me who look out for both the user and the company. The goal is ensure that users privacy is respected and that the company is protected agains misuse, malicious intent or just plain bad-luck. This is the “code” I was referring to. As IT people we have to behave ethically for business we operate in. It’s not perfect but nobody is trying to be. This is all best effort from all parties.
Your ethics goes out the window when being told to do something by your employer.
Maybe you try to look out for the user, but it's completely wrong that employees should have to trust you to do that.
"Company being protected from misuse" is a blanket term for survellience, same as "fighting terrorism".
I still stand by my opinion. Companies need to trust employees and not run survellience programs against them. It's just wrong.
Sure but I work from home. Don't use their wifi except when I'm in the office. I could connect to a VPN and they would also see a connection to a VPN, but I don't care enough to do that.
But when I'm at home, working on my computer, they don't see anything.
I hear you, and fully get where you’re coming from. I work in the finance industry and we have auditors to answer to as well as a ridiculous number of compliance regulations we have to abide by. Not every business is the same. I’m personally on the no-trust policy when you have more than 50 users to manage but it also depend on company policy. No one is saying you can’t use your personal device at work. We don’t monitor the guest Wi-Fi in any way specifically because that would be an invasion of privacy. I was referring specifically to using a work device, managed by the business, for personal use. The employee is protected by being briefed during first day induction of he does and don’t with regards to the equipment that is provided to them to do their job. Their personal privacy is not infringed upon as there is a clear agreement about what is expected from them. By the way, I’m in the uk (not sure if relevant).
No. The way it should be is using a work-issue laptop at work, but provisioned by you.
Your time during work hours belongs to the company. If you spend it on private stuff, you're breaking your contract.
Eh, not really, at least in the US. You are paid to do your job. The company doesn't own you during work hours. You can refuse to do work that was not in your job description, or ask for additional compensation. The company may fire you for this, but you would have a very compelling wrongful termination lawsuit.
So only watch mainstream porn on work computers, got it.
I've always assumed work will be looking at the browser history. Anyone who assumes they won't is an idiot.
Softcore is expressly permitted in the IT policy.
Those IT guys need to get off as well you know.
I mean, MS can literally track you between Windows installs, as long as you're on the same hardware. No surprises here.
There's a big difference between a giant corporation (that wants you to continue using its products) seeing every site you've visited, and your fucking employer, source of not being homeless and starving to death.
The only way those large corporations can use that ability, is when your employer pays for it.
Otherwise it wouldn't happen.
Since if it did happen, they would get sued by every company that uses their software.
How? Is there a way to mitigate this?
No not really. I mean you could never connect to the internet I guess. But that's the best mitigation there is as long as your using windows. Or run it in a VM?
So you can understand how this works, each device in your computer has a uid or hid, a unique id, or hardware id. This remains consisten as long as you have the hardware. Things that have this are like hard drives pcie cards, etc.
There's also just the fundamental unique ways your PC is built. Of all windows users how many have an Nvidia card? 90% of those 90% how many have the same drive configuration. 5% of those how many are running Intel CPU. Etc etc...
You are sadly very unique.
Yep, I guessed this was the way. Thanks for clarifying :)
Install a Linux distro.
I use Gentoo on my main computer. I was just curious.
No thanks
Theclouds it is your friend trust me bro
My work has a 100% mandatory vpn and mitm proxy for ssl scanning. I just use parsec to view my laptop from my desktop and browse what I want on my actual personal computer
These are worse than useless. They are anti safety. If this box or its private keys get compromised ALL tls traffic of all employees is immediately plaintext.
Any company that buys one of these appliances from mcafee or whatever is asking for it (losing most/all their secrets)
That sort of thing is required for a lot of enterprise certifications. When you do work for government, healthcare, banking, etc. stupid "security" is mandatory for checking off compliance requirements. Not that any of it has to be in any way effective...
when breaking the internet and end-to-end encryption are part of any kind of "enterprise certification" that certification is worthless (or worse) and probably some kind of chinese or russian (or the CIA or whoever, certainly not your friend) psyop. Only a mindless idiot would implement it.
Oh I 1000% agree. But you try to convince my opsec colleagues
Don't forget the agents they install that take screenshots every 10 seconds!
Nothing to screenshot if all of my personal stuff is on a completely different pc
That doesn't mean someone isn't going to pull those up to reprimand you, or monitor your work.
There's privacy from personal things, then there's overbearing micro management who will literally track "Mouse hovering" and "Keyboard Idle Time" or how long you take to write an email.
Amingst the other creative ways they can try to keep you at a level "non promotable" status or whatever leverage to control you.
I've never had to suffer from it, I do my job, but as a systems admin/engineer for over 15 years, I've definitely worked at places that implemented it at our expense, or we had to set it up for our clients using it against their own staff.
Yep. Good point.
Anyone know exactly what they could see if you're on a personal device but work-wifi?
Usually the websites and apps you use, but not what specific page you visit and it's content.
If you for example visit https://en.wikipedia.org/wiki/Labor_unions_in_the_United_States they could see that you visited https://en.wikipedia.org/ but nothing more.
This is assuming that the website is encrypted (it starts with https://, not http://), which nowadays luckily most websites are. Otherwise they can see the specific page, it's content and most likely also all information you input on that page.
My work runs MITM with corporate certificates, so they can see everything no matter whether it's encrypted or not. If you don't accept the certificates to let them monitor, you can't browse.
Therefore, I just don't use it.
Is that for the VPN, or actually all wifi connections? Not sure how it would be possible for wifi
Corporate networks (especially those utilizing MITM) block vpn access altogether.
You can't reach your vpn server, falling back to plain un-tunneled https. Then instead of dns retuning the true ip, it returns a local corporate ip; you connect to that with https and it serves you a cert generated on the fly for that particular domain signed by a root cert your browser already trusts. Your browser sees nothing wrong and transmits via that compromised connection.
You can usually check for this by connecting via mobile data, taking a screenshot of the cert details, then doing the same on work wifi and compare.
If the cert details change on wifi, your traffic is being intercepted, decrypted, read/logged, then re-encrypted and passed to the server you're trying to reach.
I was talking about work VPN, the thing I connect to every morning to access work's internal services.
I don't see how a 3rd party device connecting to wifi can have https MITM. Otherwise many wifi out there would do it and steal your info.
Can you link to something with more info on how it works? I know how certs work and CAs but not how some random wifi network can hijack that whole trust system. It sounds like it would defeat the whole purpose of https. Thanks in advance.
WTF?
Depending on the nature of the work and security protocols it isn't the WTF. When you're working, on your work device, on the work network, there is zero assumption of privacy (and there really shouldn't be). The company wants to maintain it's security and so it is ensuring it is aware of things happening on its network.
It's not necessary for everyone everywhere but it has valid use case that isn't some mega shady weird thing.
I see, thanks
if the company had installed something that uses similar technology as a pihole, wouldn't they technically be able to see everything even if you use https?
Mostly no. PiHole works by providing a DNS server.
A DNS server is responsible for turning domain names such as en.wikipedia.org into internet protocol addresses such as 185.15.58.224.
PiHole has a list of known ad serving domains and when asked to resolve one just replies with an invalid address.
Running the DNS server itself would only give them access to the above mentioned data. However, they could respond with wrong addresses to redirect all traffic over a man in the middle proxy.
For an https secured connection this would just result in a certificate error, warning the user to not proceed. Https secured websites have a certificate electronically signed by a trusted outside party, that verifies that they really are the owner of a specific domain.
Another option would be to redirect the user to a man in the middle proxy that pretends to not support https in order to trick the browser and server into opening an unencrypted connection. This works on some websites, but can be noticed by the user (as the browser now displays "Not Secure" and "http://") in the address bar) and is protected again by newer security mechanisms like HSTS that allow websites to tell browsers to always contact them over https in the future.
Basically if the site supports HSTS and you have visited it before this also won't work.
Ah I see. When I run adguard on a mac and enable system wide protection, I think it registers itself as a trusted certificate authority and works similar to the "man-in-the-middle" component that you mentioned. This is just my assumption based on the fact that on https websites, if I click the padlock, the certificate info says "Adguard CA". It also has an explicit option for a deep packet analysis which explicitly states that it can provide better protection by inspecting https traffic so I am guessing that in theory it's possible.
Yes. This works because AdGuard is installed on your Mac and adds itself to the trusted authorities there. Basically computers with adguard installed will trust the certificate while computers without AdGuard installed will not trust it.
Some companies do something similar (like another commenter here mentioned), where they install their own certificate on all work provided devices, allowing them to man-in-the-middle all connections. Personal devices without the company certificate installed will then just show the certificate error.
Understood. Makes sense.
Every URL visited minimum unless you are going to an encrypted VPN outside their network first, then they will still see the network traffic to that vpn . I Know someone that got caught redditing on work wifi. granted they also had their device name set to use their name in it... so some of that is on them
I'm on Ubuntu at work! The only employee on Linux at a tech company of >150 people! (Where are my Linux nerds?)
Kind of yeah, the rest of the working world uses Windows for good reasons.
Legacy software with incredible backwards compatibility, exponetially more software options, user familiarity, pretty much everything that active directory provides from user management to group policies, the list goes on.
Im a linux guy, but the thought of rolling out even the most user friendly linux distro gives me nightmares.
Aren't they? Changing a legacy app can take years to do the needed research, approval, procurement, and implementation. "Because my IT guy doesn't like Windows" is a terrible reason to undergo that process.
The same with retraining users on a whole new OS. You'll spend hours over the course of months answering "where did my C:\ drive go?". That's a lot of time you'll never get back.
Active Directory provides a lot of tools that are familiar to senior techs and easy enough for junior techs to figure out. I might prefer how Salt Stack works but I don't have time to train dozens of fellow techs.
Linux is cool for a number of reasons, but it isn't a magic easy button and a wise admin doesn't swap out fundamental parts of his tech stack without careful consideration.
I’m in a company that uses Microsoft stuff, but I use a lot of fedora and Linux mint in VMs. The latter is based off Ubuntu at least!
It’s actually kind of nice to be able to save the state of my VM since forced restarts are so infrequent.
I'm using it, as well as my boss!
I'm in the process of convincing my management to switch to Linux. The most important thing to them is having a way to remotely delete the pc in case it's stolen. Does someone know of a solution in Linux for that?
if you don't have your personal browsing using a private profile of a secondary browser which you know you can delete, you are doing it wrong.
That might not be enough. I could monitor that on all the devices I manage, if I need to. There are tools to dump browsing info as it's being committed, or it's easy to pipe all the traffic from your machine through a VPN to a firewall I manage with a trusted cert injection into your device and inspect the traffic in transit. If you don't want your employer to see what your up to, don't use their infrastructure.
Well, yeah, if I worked at home I would use my personal computer for personal things and the workstation for work, it would be pristine. But alas, in the office there's so much time I can spend pretending that I'm working because I finished my tasks before I implode.
Some risks are necessary :)
It's not really about IT not knowing, but about being discreet enough that your boss doesn't see your personal accounts logged in or even worse, to have two chrome profiles, both with obscure names, press the wrong one and to share the screen of saved tabs with Facebook, Instagram, pornhub.... Yeah I've seen those bookmarks.
It's... Wtf... If you're going to be that deranged, at the very least be discreet... Sigh.
No, it's zero-trust all the way down!
All true, and I'm sure your IT doesn't care as long as you're not taking stupid risks
...
I've seen things you people wouldn't believe... a folder full of photos of a sales rep's feet taken under the table at a meeting... a bookmarked playlist of adult baby porn labelled "Potential Suppliers"... I watched a modded BitTorrent client try to fake VLAN tags for unrestricted Internet access. All those moments will be lost in time, like that expensive label printer from my locked desk drawer... time to get another coffee..
As an IT administrator, if your org has GPOs controlling if you can delete your browsing history or not, there is no chance you will be able to install a second browser without admin credentials.
I can confirm there are places where that is possible.
Also as long as they do not whitelist executables, you could use a portable version of a browser.
And you would still get caught on the company device trusting company CAs, thus enabling them to decrypt all your traffic.
Use a personal device on a personal network for personal stuff.
I was talking about the history on device, of course I agree: never expect privacy on a device controlled by someone else.
Yeah, I can still see that activity. You're still doing it wrong.
Personal device not on corporate network or you're doing it wrong.
Sure but people see that you are on the phone while the IT people don't really care what you do and by bosses aren't checking those logs so idc. it's about being discreet on some layers.
If I were at home I wouldn't need to do anything to hide it since I would use my pc but since I'm in the office I have to get creative.
Also, 5hisbpost was 7 days old :)
Not my work.
What are you talking about? They definitely dont see what I browse in a whonix Qube..
Joke's on you, I'm the network admin in the office.
Trust an IT guy, we all do linux shit for fun. But at the office it's called "work". You are qualified.
Arch on work is called centOS or debian. Just a hint for your new job.
Wow, didn't know that is possible. Is it same behavior with other browsers?
Same can be said for any browser, any app, any connection while on the employers network IF they wished to monitor it. Even if you were able to delete all local browsing history and used private browsing, your employer would still be able to know every site you visit if they wished.
If you've authenticated with your credentials on the device, IT is able to see IPs visited and DNS queries and has access to all sorts of network tools to track, shape and otherwise manage your activity.
It's best to assume that nothing you do on your employers network, even when logging into their corporate VPN from a personal device, is private.
I'm always shocked by privacy conscious people who do not have complete segregation of work and personal equipment and devices.
They can monitor anything they want.
They could even force you to connect to a mainframe instead of your own computer in order to work, and only allow you to click on 3 allowed buttons if they wanted to.
It is their hardware, they can do what they want.
Well, since I am IT, I am not about go to snitch on myself.
Only tangentially relevant, human beings get along better with their agenda (that is, are more productive) when they're freely allowed to check email and their lemmy feeds, shop on Amazon and whatever other social media stuff they do. In fact, studies have shown an improvement when they drag overly-focused clerks to their mandated coffee breaks (actual coffee optional).
So if you're getting into trouble for chatting with your kids, or answering emails or resupplying your household with dog food, that might be an indicator your work environment is toxic and you might want to keep looking out for better offers.
Also when game dev teams are crunched, their productivity drops below 50%. When they're crunched for more than two weeks, it drops below 10%. So don't crunch your devs.
I won't even connect to a wireless network at work with my phone without VPNing to my home network to browse. People use their work computers to browse for personal reasons? They are all.
What about private browsing or running a Firefox portable exe?
No, no, no. Private browsing isn't private like that. Your ISP and network adminstrator (in this case your employer) can still see every website you access. This is usually explained on the "New private tab" on browsers.
We record network traffic, not data from your browser. We can see every URL any device on the network hits, regardless if the traffic comes from a browser or even a phone app.
How is this with mobile devices from your employer. I have a company iPhone and understand that there is a certain “space” on the phone which is controlled by the company, mostly all the Microsoft 365 apps (so, for example it is not possible to copy/paste stuff between MS and non-MS apps).
However, for the rest I would assume that all the other traffic does not go through company servers (probably no traffic at all, as I usually have a local IP), and that they can’t see what I am doing in my other apps. Otherwise they could spy on all my transactions I do in my banking apps for example. But AFAIK iOS apps are pretty much sandboxed anyway.
This might be different on my company PC / Laptop, though.
Most companies deploy management software on their mobile devices. They have the ability to monitor activity and do things like remote wipe the device if you're fired. On iPhone go to settings->general->vpn and device management to see if anything's there.
Thanks for pointing me to this setting. There are two profiles, one is my personal VPN, which I use for device-wide ad-blocking (AdGuard Pro), another one is the MDM management profile. The latter one consists of a list of managed Microsoft apps (e.g. Outlook, OneDrive, Teams, etc.) and various (device) certificates. I guess nothing to be concerned about.
If your company also pays for your phone's data bill, we can see a general overview of what sites you visit.
That could be possible, I don’t know. I am not visiting any adult or otherwise inappropriate sites on that phone, but I do a lot of Reddit, Lemmy, Mastodon stuff in my free time. But it was this way for the past 10 years and I never had any problems. Sometimes I think about buying i private phone, but it seems kinda stupid to have two of these devices.
That could be possible, I don’t know. I am not visiting any adult or otherwise inappropriate sites on that phone, but I do a lot of Reddit, Lemmy, Mastodon stuff in my free time. But it was this way for the past 10 years and I never had any problems. Sometimes I think about buying i private phone, but it seems kinda stupid to have two of these devices.
The security on your device doesn't matter at all.
For ANY device to reach ANYTHING on the Internet it has to send a lookup request to a DNS server to get the IP of the server.
A privately controlled network can easily force all of those requests through their own private DNS server which captures all activity.
I am actually running AdGuard Pro with a custom DNS on that device.
That device would not be able to reach th custom DNS in the scenario I mentioned. If it cannot fall back to the network's DNS it would simply fail to reach any websites.
That’s what I meant to say, that your scenario is unlikely in my case.
In addition, some companies install software on each employee's machine that enhances what they can monitor on that machine. It may not be labeled "corporate spyware" but something like "endpoint security", yet it may have the capacity to track pretty much everything you do.
Products such as Cisco Umbrella cover both. There's a DNS appliance inside the network, as well as a client software that installs on devices that forces them to use Umbrella's public DNS server when being used on another network.
This means we can track everything on the company owner device, even when you are at Starbucks or at home.
Never expect privacy on any device and/or network you don't have ownership and control over.
How about DoH? Firefox supports it, and not every IT admin has blocked the ability to use it. (mozilla.cfg)
That only provides a secure connection to the DNS server. The DNS server can still log your activity.
When on a private network, all DNS traffic can be forced to use a inhouse DNS server that records everything.
They can see what IPs you connect to, doesn't matter what browser you use or if the connection is made from a browser at all
Anything on a work computer, or on a work network, you have to assume is recorded by the office
You can use Tor and your IT won't be able to see what you're browsing. They will be able to see that you're using Tor, and might get grumpy about that, though.
"Tor browser bundle" is the version of Firefox that doesn't reveal browsing data to the local network.
I mean it's not blocked, but if you're connected to their network, they can still see your traffic if they wanted to.
Unlimited mobile data with tethering and no blocking of piracy websites ftw
That's a nice dream. Not a reality in many places.
Private mode is absolutely not private at work even if it's enabled. They see everything you access with their network and know exactly where the traffic is coming from and going to.
I mean yes it can be locked. It can all be controlled by the group policy.
But either way, they can monitor all network traffic going through their network.
For US government employees USAJobs is probably one of the most accessed websites.
Also in Google searches, if you click the vertical ... next to the URL on results, click the down arrow in the pop-up, and click Cached you can likely access a version of the website your white/blacklist service doesn't block. If there are SFW sites you need access to. Generally all scripts are disabled, though.
If allowed, doesn't DoH/DoT mitigate this issue?
Not if your employer has installed a root CA on your machine, enabling them to man-in-the-middle all your TLS connections.
Oh that's a thing? That's kinda frightening
Not necessarily, as the browser is still logging the history.
Well that's what private mode is for, to dump the local data after closing the browser session
I know I'm here a week later, but a large number of system administrators disable browser proxy systems, dns over https, and incognito. It's a neverending war.
Pretty much, but (noob question) how can they block DoH, wouldn't they have to block HTTPS completely as well?
They control the browser settings itself. It's either a work managed device or profile.
Ah ok that makes sense
you don't know shit about my work fuck you!