I would add: do not use corporate "guest" wifi for your personal devices. Your employer is monitoring what you do on this network and may be man-in-the-middle-ing your SSL connections.
If your corporate instructions for using the "guest" wifi include registering devices and adding trusted certificates, your device usage is being monitored and associated with you personally and your SSL connections are probably getting MITM'd.
The company I work for does this in all countries including all European ones. Even in Germany, Italy, France... Which have strong privacy laws. So I'm pretty sure it's allowed as we're too big to not have this checked by legal.
The fact that it's done doesn't mean it's allowed (and this is very true in Italy, unfortunately).
Monitoring the connection of an employee (which is different from blocking certain domains) is possible under certain conditions, but always at the individual level and when there is a reasonable suspicion that the employee might be misbehaving: https://www.laleggepertutti.it/507663_controllo-navigazione-...
> do not use corporate "guest" wifi for your personal devices. Your employer is monitoring what you do on this network and may be man-in-the-middle-ing your SSL connections.
Unless I'm missing something, this is not possible (unless you install a certificate root supplied by your employer) because any man-in-the-image attempt would be flagged as a failed certificate authentication. Indeed, that's exactly why certificate chains tied to domain names exist.
It's not possible with SSL/TLS. But there are ways to downgrade to http in some cases. All the corporate inspection tools I know don't use this by the way.
Many of these corporate inspection tools seem to leave traffic on nonstandard ports alone by the way, just saying ;)
They can however look at your DNS queries, and even if you use encrypted DNS they can still inspect the certificates of sites you are going to to figure out what the domain is.
In the past it was possible to quickly swap the physical sata hard disk on some laptops to segregate work/personal use, but that's no longer viable with modern laptops.
On the plus side carrying 2 modern laptops weighs the same as one oldshool laptop and they use the same usb-c charger...
> as one oldshool laptop and they use the same usb-c charger
Be careful with this. My MacBook Air will charge off anything, including a 5V battery bank. My Dell won’t charge off anything less than 18V over USB-C.
Got caught in a bind once when I brought my “slow” charger thinking that would be fine for light use on a trip away. It was not.
It likely also depends on the company itself and where they’re at in their lifecycle when it comes to this stuff.
When I set up my original laptop (a MacBook Pro) for my current job I asked them if I should set up a new Apple ID or what.
They said to do whatever I wanted but that people mostly just used their personal ones so they could easily text and make calls and all that from their machines.
I asked someone in the C-Suite a question about our antivirus and he said he didn’t know, he never got around to installing it (years later I got him to finally encrypt his damn drive).
The same guy got us all to install steam on the company laptop to do a random end of day hour of gaming when it was relatively quiet. That would not fly today.
Fast forward a few years and now we’re less startup-like and more corporate and there are very clear official rules about how to set up encryption, what the mandatory corporate antivirus is, certificates, MFA and password rules and expiration policies, and a Meraki router in each office that is actively and seriously monitored (to the point that I gave them a heads up before wiping and resetting 4 laptops in one day and putting them on WiFi to download what I needed to get them up and running again to avoid worrying anyone).
I’ve always had a personal laptop, but I could’ve easily fallen into the trap of using the work laptop for everything back in the early days.
These days we have real HR, real security teams, serious network policies, semi-regular external pen tests, etc. That makes it easier to remember that this is a job and personal stuff doesn’t belong on corporate hardware.
Back in the day, some people would also clone their work setup (VPN, PKIs, ssh keys, etc) on their home computers to avoid having to carry their laptops home every day in case of an incident.
These days that’s a fireable offense (as it should be, there are times when my work laptop holds many millions of dollars in clients’ IP, plus millions of our own IP, and PII that’s subject to GDPR and CCPA regulations).
I found it easier to be lax with my work laptop usage back in the earlier days when things felt less serious and structured.
These days, I filter my jokes and I don’t screw around on the company laptop, and both feel like parts of a natural evolution of the workplace, if that makes sense.
I don't think it's only the company's lifecycle affecting this. I've been working for multinationals my entire career and I've seen a bit of a 'wave'.
When I started my career in the late 90s, personal use was extremely low. This was because there was not much internet yet in the workplace, you actually had to request internet access and if you got it it was very restricted. Most people only had desktops, you were really special if you had a laptop. Work was a 9-5 thing and jobs and IT were very strictly focused on your role. There just wasn't much non-work-related stuff to do except perhaps playing solitaire. Security was pretty good actually but really focused on the on-prem networks. If a hacker did make it on there they could run wild as nothing was encrypted. Nobody had admin rights.
Then in the 2000s-2010 things started loosening up. Everyone had internet access and it was mostly used for non-work. Most people still had desktops but were doing their webmail a lot. Extracurricular activities were less frowned upon. I remember one time walking into the customer care centre (I was admin) and pretty much everyone was playing this flash game online where you had to swing a penguin and throw it a long distance, it was a bit like an early "angry birds". Managers were walking around and didn't really care, as long as the calls were answered when they came in. More and more people started getting laptops as they were getting cheaper. The old CRTs started disappearing for TFTs. If you had a work mobile phone (mostly managers) it was highly restricted like a blackberry or still a dumbphone.
Then came the cloud in the 2010s, blurring the line between 'internet' and 'work' much further. All people started getting laptops as they were no longer more expensive than PCs. The credit crisis in the late 2000s left its mark and there was a strong focus on productivity, no matter where or when. People logged in to O365 from home which was totally open, with username/password and no MFA. People had all kinds of work stuff on their phone, as MDM was still pretty basic. This period was peak security laxness. Security was viewed as an auxiliary cost not providing productivity. Not just in our company, this was the age of "USB stick with state secrets lost in taxi" headlines. Only financial institutions and government really had real security. People were using all kinds of cloud storage for work besides the official one and attempts from security to put a stop to it were hampered because 'people have to be able to work'. People were working at any hour on any device and this also made the burnout (and on the personal side, smartphone addiction) a common thing.
And then of course the reality check came in the shape of WannaCry. Things didn't change overnight but security was suddenly back on the map. The word of security was once again critical in the process, investment in it was no longer seen as unnecessary. MFA was introduced pretty quickly and restrictions to what users can do on the cloud. Limiting to official online storage tools only, we banned dropbox for example. As a result we've been slowly returning to a phase where security is on the map again. At the same time privacy became more important. Both for the company (GDPR was a big driver!) but in the minds of the users in terms of "what work can see".
These days we're not really ruling out personal use or work use on personal devices, but doing it in a much more conscious way. MDM restrictions are more common. Android got Work Profile which is a pretty ideal way of providing work access on a personal device IMO. Strong restrictions from work but no visibility on what the user does on the 'personal side' of the phone. We're starting to implement document encryption with Azure Information Protection, meaning a document can be tracked and protected all the time. This is also the time of SSL inspection proxies, and limitations on wha...
Past places I’ve worked they did a lot of monitoring, it was a for profit place and cared a big deal about metrics. So they would regularly remind us that you have no expectation of privacy (which is true), but I always laughed when people would be shocked to hear management talking about people checking personal email or banking (just before smartphones being prevalent). But now I trust my employer more but they don’t need to see anything I’m doing. So my work laptop is pure work and then I have my Pinebook pro or iPad nearby if I need to do any personal things. Great to compartmentalize.
I shouldn't be, but I am little surprised this is non-obvious to some/needs to be said.
It's one thing to occasionally log into personal email from a work machine, or listen to music from Spotify while working on your personal account, or whatever. I even sometimes keep Discord or other personal messaging apps open while I'm working.
But my company certainly wouldn't want me playing games or browsing anything NSFW on my work machine, and I wouldn't want them knowing what I do in my free time, nor would I want any personal projects I might work on to end up as something they might be able to claim ownership over because I used their device to make them (this is a not-uncommon clause in software engineer contracts).
We all make certain allowances for convenience, but there is and should be a line.
20 comments
[ 2.9 ms ] story [ 37.0 ms ] threadIf your corporate instructions for using the "guest" wifi include registering devices and adding trusted certificates, your device usage is being monitored and associated with you personally and your SSL connections are probably getting MITM'd.
Monitoring the connection of an employee (which is different from blocking certain domains) is possible under certain conditions, but always at the individual level and when there is a reasonable suspicion that the employee might be misbehaving: https://www.laleggepertutti.it/507663_controllo-navigazione-...
You mean your big enough that legal answered "In the unlikely event that an employee knows their rights, we can afford to get sued"?
I second that this is immensely illegal in Germany.
Unless I'm missing something, this is not possible (unless you install a certificate root supplied by your employer) because any man-in-the-image attempt would be flagged as a failed certificate authentication. Indeed, that's exactly why certificate chains tied to domain names exist.
Many of these corporate inspection tools seem to leave traffic on nonstandard ports alone by the way, just saying ;)
They can however look at your DNS queries, and even if you use encrypted DNS they can still inspect the certificates of sites you are going to to figure out what the domain is.
In the past it was possible to quickly swap the physical sata hard disk on some laptops to segregate work/personal use, but that's no longer viable with modern laptops.
On the plus side carrying 2 modern laptops weighs the same as one oldshool laptop and they use the same usb-c charger...
Be careful with this. My MacBook Air will charge off anything, including a 5V battery bank. My Dell won’t charge off anything less than 18V over USB-C.
Got caught in a bind once when I brought my “slow” charger thinking that would be fine for light use on a trip away. It was not.
Of course they’d lose their ability to issue public certificates if it became widely known, but they have it within their power.
When I set up my original laptop (a MacBook Pro) for my current job I asked them if I should set up a new Apple ID or what.
They said to do whatever I wanted but that people mostly just used their personal ones so they could easily text and make calls and all that from their machines.
I asked someone in the C-Suite a question about our antivirus and he said he didn’t know, he never got around to installing it (years later I got him to finally encrypt his damn drive).
The same guy got us all to install steam on the company laptop to do a random end of day hour of gaming when it was relatively quiet. That would not fly today.
Fast forward a few years and now we’re less startup-like and more corporate and there are very clear official rules about how to set up encryption, what the mandatory corporate antivirus is, certificates, MFA and password rules and expiration policies, and a Meraki router in each office that is actively and seriously monitored (to the point that I gave them a heads up before wiping and resetting 4 laptops in one day and putting them on WiFi to download what I needed to get them up and running again to avoid worrying anyone).
I’ve always had a personal laptop, but I could’ve easily fallen into the trap of using the work laptop for everything back in the early days.
These days we have real HR, real security teams, serious network policies, semi-regular external pen tests, etc. That makes it easier to remember that this is a job and personal stuff doesn’t belong on corporate hardware.
Back in the day, some people would also clone their work setup (VPN, PKIs, ssh keys, etc) on their home computers to avoid having to carry their laptops home every day in case of an incident.
These days that’s a fireable offense (as it should be, there are times when my work laptop holds many millions of dollars in clients’ IP, plus millions of our own IP, and PII that’s subject to GDPR and CCPA regulations).
I found it easier to be lax with my work laptop usage back in the earlier days when things felt less serious and structured.
These days, I filter my jokes and I don’t screw around on the company laptop, and both feel like parts of a natural evolution of the workplace, if that makes sense.
When I started my career in the late 90s, personal use was extremely low. This was because there was not much internet yet in the workplace, you actually had to request internet access and if you got it it was very restricted. Most people only had desktops, you were really special if you had a laptop. Work was a 9-5 thing and jobs and IT were very strictly focused on your role. There just wasn't much non-work-related stuff to do except perhaps playing solitaire. Security was pretty good actually but really focused on the on-prem networks. If a hacker did make it on there they could run wild as nothing was encrypted. Nobody had admin rights.
Then in the 2000s-2010 things started loosening up. Everyone had internet access and it was mostly used for non-work. Most people still had desktops but were doing their webmail a lot. Extracurricular activities were less frowned upon. I remember one time walking into the customer care centre (I was admin) and pretty much everyone was playing this flash game online where you had to swing a penguin and throw it a long distance, it was a bit like an early "angry birds". Managers were walking around and didn't really care, as long as the calls were answered when they came in. More and more people started getting laptops as they were getting cheaper. The old CRTs started disappearing for TFTs. If you had a work mobile phone (mostly managers) it was highly restricted like a blackberry or still a dumbphone.
Then came the cloud in the 2010s, blurring the line between 'internet' and 'work' much further. All people started getting laptops as they were no longer more expensive than PCs. The credit crisis in the late 2000s left its mark and there was a strong focus on productivity, no matter where or when. People logged in to O365 from home which was totally open, with username/password and no MFA. People had all kinds of work stuff on their phone, as MDM was still pretty basic. This period was peak security laxness. Security was viewed as an auxiliary cost not providing productivity. Not just in our company, this was the age of "USB stick with state secrets lost in taxi" headlines. Only financial institutions and government really had real security. People were using all kinds of cloud storage for work besides the official one and attempts from security to put a stop to it were hampered because 'people have to be able to work'. People were working at any hour on any device and this also made the burnout (and on the personal side, smartphone addiction) a common thing.
And then of course the reality check came in the shape of WannaCry. Things didn't change overnight but security was suddenly back on the map. The word of security was once again critical in the process, investment in it was no longer seen as unnecessary. MFA was introduced pretty quickly and restrictions to what users can do on the cloud. Limiting to official online storage tools only, we banned dropbox for example. As a result we've been slowly returning to a phase where security is on the map again. At the same time privacy became more important. Both for the company (GDPR was a big driver!) but in the minds of the users in terms of "what work can see".
These days we're not really ruling out personal use or work use on personal devices, but doing it in a much more conscious way. MDM restrictions are more common. Android got Work Profile which is a pretty ideal way of providing work access on a personal device IMO. Strong restrictions from work but no visibility on what the user does on the 'personal side' of the phone. We're starting to implement document encryption with Azure Information Protection, meaning a document can be tracked and protected all the time. This is also the time of SSL inspection proxies, and limitations on wha...
It's one thing to occasionally log into personal email from a work machine, or listen to music from Spotify while working on your personal account, or whatever. I even sometimes keep Discord or other personal messaging apps open while I'm working.
But my company certainly wouldn't want me playing games or browsing anything NSFW on my work machine, and I wouldn't want them knowing what I do in my free time, nor would I want any personal projects I might work on to end up as something they might be able to claim ownership over because I used their device to make them (this is a not-uncommon clause in software engineer contracts).
We all make certain allowances for convenience, but there is and should be a line.