Ask HN: My company installed chef on all of our machines, should I be worried?
It happened by our OPS team, they installed chef via usb sticks and custom bash script. They are saying it's for automating the config for our VPN and the like.
I am still concerned about this, although they cleared it up it's not for surveillance. They stated in a later message that they can install surveillance software for sure, but should I be worried about the whole gig or just take it easy?
9 comments
[ 3.6 ms ] story [ 29.0 ms ] threadRemember: It's their hardware, not yours.
Unless you own the company, you're not really going to change policy. Get a personal VPN in place (hint: they're watching your DNS queries too), tether to your LTE phone, or just stick to company business on their machines.
Is there a way for me to check this assumption?
First, if I planned to install surveillance software on my company's machines, Chef is pretty far down the list of ways I'd install it. They technically could install surveillance software with it, but it's certainly not the typical vector.
Second, it's safer to assume that everything you do on a corporate machine/network is being watched.
If your company provides a laptop, assume they can intercept all ssl traffic(hsts makes this a little tougher though), and read all your work email, and see everything you do. They probably don't, but could so better safe than sorry.
If I was concerned, it would be that they are doing it themselves with chef and not using an off-the-shelf solution. Seems like a poor use of resources not to buy it.
Like they said... they can install surveillance stuff on your machine, but that was likely just as possible prior to introducing Chef into the picture.
It's likely that they just want to get (more?) efficient in how they do their operations work.
Since the company owns the equipment, there's not even an implied right to privacy. They own it, ALL of it. Assume everything is monitored, and behave accordingly.
I do Chef development. We've been asked to include monitoring software for some groups in my client's company. Just assume that's always the case, when you're using someone else's equipment.