Ask HN: My client want an agent on my laptop. Is this the new normal?

408 points by illud_tempus ↗ HN
I work from home in the EU as a freelancer for a US startup.

A few days ago, an email came out of the blue, demanding that I install an "agent" from a company named "Drata"* on my laptop. The motivation is that my client badly want a SOC 2 certification.

I have worked as a developer for more than 30 years. Tiny shops. Startups. Major league. I have never even heard about someone putting agents on developers laptops.

I'm pretty pissed off. So are the teams I work with.

Is this the new normal now?

Just for the record: I don't have credentials to production systems, and I don't work with production data. I just figure out how to transform dreams into code, I write parts of that code, and then I fix it as needed.

* Drata (https://drata.com/about) is on a "Mission to Help Build Trust Across the Internet". Their business model (in my case) seems to be to take money from companies to spy on their employees/contractors, and then they sell the employees/contractors private information to "targeted advertising". When I confronted them about this, they replied: "Feel free to reach out to your Drata administrator internally with concerns. Do note, that when your company contracted with Drata, any edits or redlines they provided will prevail for all employees of your company." - basically to just bend over and smile.

505 comments

[ 2.7 ms ] story [ 305 ms ] thread
I would decline. There are other jobs out there.

Another alternative might be to install it into a VM or old but freshly-paved computer.

So far my strategy is to just ignore it and pray that the problem goes away by itself. If I have to deal with it eventually - quitting is the most appealing option.

However, the reason I asked here is to get a feeling about how common this thing is. Is this normal? Am I the rat in the lab, or am I just late to the party?

I don't know first hand, but I would suspect it's more common in financial services and/or with government contractors.
I do not know Drata, but an endpoint agent on a company machine is not that odd. Generally, they come from the big EDR companies, such as Carbon Black, CrowdStrike, etc. They would mostly run in the background and scan for malware, push out Group Policy changes, and yes, provide a backdoor to run scripts on your machine. Drata sounds a bit more like spyware though. Technically, EDR agents can do session captures (recording the screen, showing what was run on the computer over history, processes, network traffic). Generally, though its only utilized for incident response and not tracking a contractors time, making sure they are working, etc. Although I must admit, theoretically there is nothing preventing that, although its at a more technical level then most management would know how to decipher. I second the recommendations above. Only agree to install it on a company machine, same for any agent or company AV, etc. If they wont provide it then its a no go on any personal hardware of yours.
This is spreading but still we must try to stop it. We will fail as we have failed so many times in the past but still we must try.

Say, we fought against DRM and while the music industry have completely abandoned it, that victory turns out to be useless because the video streaming industry have embraced it total and there's not even resistance against it this time.

I am so, so tired of fighting against these. I translated Doctorow's anti DRM speech in 2004 into my native tongue as one of my last acts as a Hungarian journalist. We have been fighting for so long. And the DRM war is lost.

Nonetheless , we need to stand. We, who have the privilege to be able to say "meh, I quit" because we know the next job is just days away. We need to for the sake of all those who do not have such a privilege.

> We will fail as we have failed so many times in the past but still we must try.

This is a thing the unions would have exterminated in the past. Problem is, most developers are not in a union.

There is still the choice to "just say no".

Am a contractor and have to use their VPN. It has provision for "end point scanning" on logon but they don't use it, yet.

Recently they provided a Macbook pro, in which I installed Little Snitch and taped the camera, so I don't worry any more.

> So far my strategy is to just ignore it and pray that the problem goes away by itself. If I have to deal with it eventually - quitting is the most appealing option.

It won't go away by itself because if they're asking it means you are in their corporate directory and showing up as noncompliant in the Drata dashboard.

It's extremely normal on company hardware used for business purposes. The conflict here is trying to run multiple clients on the same personal hardware. Never do that.

If they're willing to give you a company-owned laptop, take that. Then it is their machine to configure however they like. If not, tell them you'll lease a laptop dedicated to them only and pass on the monthly cost (with some profit margin) as part of your monthly invoice.

You have two options: (1) quit or (2) "renegotiate the relationship", as the saying goes.

Specifically, it's perfectly reasonable for you to say "OK -- if you're willing to provide me with a dedicated laptop". They can say no of course, but so can you. Or you can request a rate increase (which they would probably say no to, if they won't provide you with a laptop).

Either way, those are you choices. Yes it sucks to a degree, but that's what work does generally and which is why it pays money. All we can do is moderate the suckiness-to-money ratio as best we can.

My client is quite reasonable, and is willing to compensate a new laptop.

It took me less then a few minutes after I read the mail to come up with algorithms to implement this thing without compromising my security or privacy. VM. Using an old laptop and remove the wi-fi card. Get a new PC or laptop. Wire whatever I choose on a vlan that goes directly to a VPN server in another country.

However, I still don't like the idea of running an agent on my/a machine. It's a road I feel strongly against going down. But then, I came from a different time, when people still trusted each other and acted in good faith.

Just get the laptop, use it for work only. This is the best way forward.

They are looking for their interests (minimize security breaches) and that's a perfectly understandable position and solution to the problem. In this day and age the risk from a breach is much larger than in the past.

Since they are willing to provide the necessary equipment for that then there is no issue from your end.

Since when a backdoor is useful to minimize security breaches?
When you don’t trust the person on whose machine you want to install the backdoor.
> They are looking for their interests (minimize security breaches)

No. This comes from the sales people. They want to provide a "SOC 2 Audited" certificate to their potential customers. They don't give a rats ass about actual security.

The upper management does care about security. But I don't think this particular requirement offer much of that.

I googled "SOC 2 Audited" - and I've got: """ A SOC 2 audit is a company-wide certification that evaluates an organization's standards regarding its core data security infrastructure, information handling practices, consumer privacy, and confidentiality. For this purpose, an SOC 2 auditor needs to evaluate various aspects of a company's systems and processes """ So it is about security. I guess your point is that it is just a security theatre and not related to the real thing - but that is a different discussion. It would be a discussion about https://slatestarcodex.com/2014/07/30/meditations-on-moloch/ and https://www.amazon.com/Moral-Mazes-World-Corporate-Managers/... and etc
It's trivial for software inside to VM to detect that. So, I'd expect any competent agent software to report that back to base.

Whether or not the people monitoring the agent's output will care, is a different question. ;)

> It's trivial for software inside to VM to detect that

QEMU can get you very far in masking the presence of a VM. If it can work around Nvidia's cash grab of not allowing consumer cards to be used in VMs, it should be able to deal with whatever bullshit spyware.

If you run `dmidecode` inside a Linux VM running (on QEMU), do the returned strings not show extremely obvious VM-only things?

When doing so on VMware or KVM, things are extremely obvious. I haven't tried just plain QEMU though. :)

With QEMU you can configure that and make it say whatever you want ( which is how you can lie to an Nvidia card).
But then you have to install an authenticator app on your phone for 2FA and they won't run on a SIM-less burner.
RFC 6238? It can be implemented on any hardware.
> ...My client is quite reasonable, and is willing to compensate a new laptop.

I wonder, if "in the spirit and for the strength of mutual trust" would they be willing to provide you with the reports on the agent-collected data about you. Basically, the copy of how you are being shown in those dashboards.

It's fairly reasonable, as you're not an employee by definition, yet such policy or a requirement to operate on client-controlled work means is an employee's realm, not an independent contractor's one.

Here's IRS independent contractor test:

https://www.irs.gov/businesses/small-businesses-self-employe...

Don't forget option C: Talk with all the other teams and present a united front, whatever you decide to do.
Only if you trust those teams to not stab you in the back.
Honestly, I wouldn't trust anyone. Reasonable trust in your employer starts and stops at your paycheck.
No, "quitting" is rarely the right option - you do not need to proactively respond to the situation they created! If you're willing to no longer work there over this (as you should be), then that is a pretty strong BATNA. You soft refuse and give them alternative options that are acceptable to you (perhaps supplying their own equipment to run the spyware, a higher rate so you can procure your own dedicated equipment, etc), etc. Let them be the ones to terminate the relationship.

The same goes for other bullshit sprung on you out of the blue - noncompetes, piss testing, etc. There's a decent chance that if you just passively stonewall, they will eventually give up.

Let them be the ones to terminate the relationship.

Disagree - in general you never want to be expressly terminated. Layoffs are a different matter, of course. But an explicit "for cause" termination is always a red flag to any future employer.

There's a decent chance that if you just passively stonewall, they will eventually give up.

You really can't stonewall these things and I wouldn't suggest to anyone that they try. If they foist unacceptable conditions on you as a condition for continued employment, then whatever it is -- moving to Dallas, a shitty NDA, taking a piss test -- you need to be an adult and say some version of "Thanks, but no thanks" and move on.

Or stick it out and be prepared to be miserable and feel like a suck-up if you want. But either way, those are the choice, unfortunately.

(comment deleted)
I should have said "let them end the relationship", not "terminate". There is a generally a long road from failing to install some spyware on your own device, or failing to give them some piss to play with, to "you are being fired for cause". If you're given a hard ultimatum (do this by next Friday or else), or if it looks like the process is definitely heading in that direction, then you can bail.

Every situation is a negotiation. I'm not advocating outright aggressive rejection, but rather passive stonewalling or responding with a counteroffer. Ultimately it depends on your position and what value you're providing. If management loves you (or needs you), that will go a long way in a sane place. You're a known quality employee getting the job done, and someone from HR or IT is coming along and rocking the boat. Obviously if you're already on shaky ground, then you've got a lot less leeway to play around.

>Is this the new normal now?

In my last four engagements, every single laptop provided by the employer had something. Usually Tanium or Carbon Black. Network interfaces being disabled entirely if you're not connected to their VPN. One client requiring the use of a Meraki hardware VPN appliance.

This was an investment bank, a university, a software company and a health insurance company.

Just ask them to send you a company issued computer. Use that one to do the work for that one client.
This is the standard operating procedure. No employer or client should expect you to install software on your personal machine. They should provide you with a machine if they want to keep an eye on you.
Soc compliance is not ensured by spying on employees activities. That excuse alone is a complete bullshit. If this were happening to me, I'd tell them exactly that and refuse to work under surveillance. This is completely unacceptable even if it is getting somewhat common.
> Soc compliance is not ensured by spying on employees activities

That part is clearly Security Theater. Having worked with real security for decades (consulting, training, building server monitoring and alerting tools, building commercial firewalls) I get quite provoked by fake security. For example, this "agent" checks for disk encryption. It does not check for password strength, or even if there is a password (you can use full disk encryption under Linux without any password). It also require anti-virus, which under Linux is more likely to do harm than any good.

What I don't understand is why they choose to do this to their engineering team. I don't know much about SOC 2, but from what I have read, the "concern" is mainly production related. Most of the engineers, including most of the really senior ones, never access production systems.

Had a quick look at drata.com. Looks like vendorware. Some manager got hoodwinked into buying the product to justify their existence. Now they have to force everybody to use it to justify the exorbitant price.
> hoodwinked

Or they just saw an opportunity :)

Nice day out (aka Jolly) at the golf club :-)
Or they got a fat kickback
You have a third option: Install a VM for working with your client and let their agent run in that.
I second this. Create a VM for work or a VM per client. It makes it much easier to say “I don’t have any of your intellectual property” at the end of your contract when you can delete the whole VM.
That's what I do today. One VM per customer, on a pretty decent workstation.

My host file system is encrypted. If I install the agent, it will complain about the VM's file system not being encrypted. If I double encrypt, compilation times will go up quite a bit. Besides, running the agent in a VM will just be theater. If the host machine is compromised, no security in the VM will mean anything. I could just as well run the agent on dedicated VM with antivirus and disk encryption and just forget about it. Theater is theater. The audience would be the same, and they would see the same Play. However, it would not be ethical. It wold also lower my local security, as it's not impossible for malware to escape from a VM to the host machine. (I have worked for a VM vendor. I know a thing or two about VM's).

I have reasonable good security on my devices. Complying faithfully with this requirement would lower my security. If I silo it in it's own LAN, on it's own hardware, it would lower my job satisfaction and my performance.

> If I double encrypt, compilation times will go up quite a bit.

And that's the (poor) choice the company gets to make. Document/communicate that they're getting less work per money and let them deal with it.

I don't want to punish them for being stupid. I want them to not be stupid :)

I like the challenges I work on. I work with very smart people. The managers I know well are mostly good people.

But the company is growing fast, and there are new managers running loose every week, marking their territory and making signature changes. That's a bit exhausting.

Ideally, someone would hit the breaks, and come up with a solution where the company get whatever certifucations they need, without pushing me into "I'm hurt, so I'll hurt them back by being less productive" mode. I enjoy being productive.

Add an unecrypted disk on which you can store VMs that require VM-level encryption.
(comment deleted)
There are no easy technical solutions to social/political issues. They'll simply make the software detect that it's running in a VM and ban that use. Then you'll work a few hours cheating the software, make your VM look extra realistic. Then the software will get upgraded and your contract gets a clause where you'll pay a fine if they catch you using a VM.

Then managers will get the idea they might get complete control over an employee's life, scan their network, track what websites they visit, keep tabs on their social media. If they don't have social media where they should be posting how amazing their company is, they're fired.

Many of these things are already happening. We have to fight it, unless you want to spend 90% of your time finding technical solutions to avoid it.

Why would anyone ban VMs? What difference does it make?
I don’t think this is the new normal, though I would caveat my answer based on the structure of the business relationship and ownership of the device. I would most likely not agree to this arrangement for myself or any of my employees except on a client-provided device. I may be open to installing a limited management profile that I’m able to inspect, but my preference would lean hard toward writing requirements into the contract and providing evidence to the client that we had met the identified requirements.

It’s an interesting question, and one that we’ve evaluated with respect to our own customers, who lean on freelancers and other small vendors. Getting back to my original statement about the nature of the business relationship, we’re asking questions about what level of technical sophistication a freelancer has and whether they’ve established enough of their own policies and procedures to meet regulatory requirements independently.

Often times, that’s just not practical. Even then, my preference is for the client to provide a managed device to the freelancer or to offer them self-managed options with documentation requirements to prove compliance. Forcing a contractor to install an agent like you’re describing onto their own device feels like a privacy intrusion, and may also represent a risk to the contractor’s other customers.

Ask them to provide a temp laptop for you.
+1. If it’s their laptop and you’re only using it for their work, no problem.

If they’re expecting you to provide the hardware, then politely decline.

It's not normal. Ask them if they and Drata are willing to be on the hook for all your potential bank breach in the future, as they are key-logging your online banking access. Ask them if they can put up a surety bond or insurance for any of your financial loss due to breach of privacy.
I believe reducing loss of privacy to only financial costs is the wrong approach. How will you quantify this cost when, for example, Drata runs some fancy ML algorithm on the gathered data, and starts offering employers a "unionization risk" score for new hires that they have intel on? What do you do when being without an evaluation by some spy company like Drata, since you're so privacy conscious, itself becomes a black mark for employers?

Rights should not be thought of in terms of their financial cost.

> Rights should not be thought of in terms of their financial cost.

Agree!

The Drata agent is a lightweight osquery agent that is read only that reads things like - screen saver timeout, auto-updates turned on, is AV software installed, etc. We collect that data to show the device is compliant with the companies policies and the compliance frameworks they have agreed to. The company this person contracts with requires the agent be installed to monitor compliance for all devices, employee and contractor. Most companies these days require devices meet xyz requirements around patching, av/edr, etc. if they hold company data.

It never "key logs" anything or collects any of that type of information.

Our agent has been third party security validated and we are happy to share the report with any prospect/customer as well as the configuration.

Source: Work for Drata as the CISO

Does your software run as a Windows service? Is it installed as the System user or Local Admin user? Does it auto update over network? It’s just one update away from adding key logging.

Put money on your claim. Put up a surety bond or insurance for users’ data breach. All the security audits won’t beat putting your own financial stake on the table.

How does the agent know what user it is monitoring?

What other kinds of personal information does it process or collect, locally or in it's server endpoint?

An external IP address is personal information. A UUID identifying a block device is personal information. A hostname is personal information. Anything in "/usr/home" is personal information.

Somewhat tangentially: I note that most managers seem to equate hours at the keyboard with productivity. I have heard of some employees being monitored via the notebook's video camera.

Is it so difficult to define deliverables and pay for completed and tested work? The business value of any given function point is the same whether it took 100 hours to develop or 10 hours. Of course, more productive programmers would benefit under such an arrangement.

Oh wait ... the problem is that requirements specifications are never clear nor complete enough and there aren't any tests to confirm correctness of the implementation.

> Is it so difficult to define deliverables and pay for completed and tested work

It is? It's a problem as old as the hills — how do you measure the amount of work done? I can churn out several new features in very short time, but then spend two days chasing a bug which results in a single-line fix. From the management POV this looks like I've been very productive for a few hours and then spent two days doing fuck all.

Ideally you'd have a competent team lead that can evaluate whether people are bored out or overloaded with tasks and if their output quality matches expectations.

JIRA, Trello or other tools are (usually) not used for the team's benefit, but as "actionable items" or whatever for clueless upper management.

The manager then can look at data and think, "Hm, these bugs are costly. What we can use to reduce number of bugs to reduce costs?"

Bugs are a waste. Number of bugs can be reduced with better practices: peer review, various tests; better software: linter, automatic verifier, compile time checkers (-Wall + -Werror, rust), code generators, libraries; or additional business process: quality assurance.

To improve something, your manager need to measure it first. You can propose everyday reporting of spent time instead of spying tool, e.g. "2h working on #1234, 6h fixing bug #23456", which is much more valuable to your manager than raw data.

In my previous company, we reduced the number of bugs and time to fix by an order of magnitude, because we were able to see the effect of changes in tooling and development process.

> The business value of any given function point is the same whether it took 100 hours to develop or 10 hours.

That's the point of paying proportionate to hours and not value of your output. There's some delta! You can try the value of deliverables model but you'll have to be quite irreplaceable.

Talk to your union. This is nonsense. We are SOC2 compliant at my employer without any surveillance tools. There are plenty of other controls that are perfectly reasonable though.
The agent isn’t mandatory for SOC2, there is an option to just upload screenshots of settings periodically. I had the same situation and I opted to upload the screenshots.
What control is that for? I've worked at multiple SOC2 shops and not encountered any such requirement.
Sounds like you'll be purchasing a new laptop for that client and bill them for the price of the laptop, and several additional hours on maintaining said laptop.
I'd also throw in whatever equipment is needed to VLAN all of that away from everything else in your home. Even a second internet connection and router seems reasonable.
OP could just use virtual machines.

I use my own equipment for my work and it's all on a VM. Everything work related is done on the VM. If I leave all I have to do is delete the VM.

I'm surprised I had to scroll this far into the comments to find this obvious answer. Each of my customers has a dedicated VM and I compartmentalize all sensitive data into each environment. In this manner, I can run each customer's goofy VPN client, endpoint scanning, device policy compliance etc without any of it touching my primary system. If there is some security exposure in one of the VMs, it won't impact my primary system or adjacent systems (short of a VM escape exploit).
Do you have Drata (the software mentioned by OP) installed in any of your VMs? Does it complain that it's installed in a VM?

I've read that Valorant refuses to work on VMs and requires full hardware access for its anti-cheat software. I can imagine "corporate security" agent software doing the same.

OMG, a comment with a clue!
(comment deleted)
I haven't been in this case yet as most companies I've contracted for were/are small companies <25 employees where everyone brings their own laptop (or at least the contractors do).

There was one company which required devices to be up to date on the latest security updates from the OS and every wednesday an employee was chasing everyone to get confirmation that our systems were updated.

If a client would require an agent to be installed I would ask for a company laptop to do the work on.

The concept of "working from home" forced by the pandemic is harming the "remote working" community by extensive invigilation and moving harmful office behaviors to private space.

I talked to an Intel HR person (informal chat, I never applied there nor planned to) 2-3 months ago and after I stated that after a decade of remote work, I see pandemic-driven introduction of harmful concepts like spying on previously trustworthy contractors by control-freaking managers that have no idea how to prove themselves in new reality, I was given a look which would usually be reserved for a psychotic person believing that they're being watched 24/7. Quite an unique experience, contrasting with how HR folks are trained to do sect-like "love bombing".

You want me to work for you and deliver results? My pleasure - that's what I do.

You want me to hang a company logo in my place and sit in front of camera multiple times a day, log every minute of my time and creep on me in other ways? I never worked in "Office Space"-like environment and I'm not planning to. Go fuck yourself, I'm out.

This reminds me of how adblocking software worked great when only a handful of nerds used it. Then when adblocking became more mainstream, sites bothered to develop workarounds to make ads show up anyway. Adblockers now try to develop workarounds to the workarounds, but it's a constant battle.

Was it great when I was the only one with adblocking software? Yeah, for me. But it was worse for society as a whole, most of whose members had no adblocking whatsoever.

And now we have the majority-share browser vendor Google moving to cripple ad blockers with ManifestV3.

So I guess we're winning?

We as in tech nerds, or we as in whole society?
We just need some proper laws to remove the possibility of interfering with adblocking software
(comment deleted)
Very common at least in my experience. Almost all previous and my current job run a whole suite of stuff on all endpoints and feed everything from things your corporate laptop resolves, all the process invocations, all network flows being established back for analysis. These are all Fortune 100 businesses and things may be different in smaller shops?

I don’t conduct personal business of any sort on a corporate device. Just not having direct access to production won’t exclude you from security protocols, else how can you guarantee nobody slipped adjustments into software you have checked out,a ‘git push’ originating from your endpoint, which then gets deployed?

I do some contracting work, and would almost for sure refuse such a demand, even if I end up losing the contract. That doesn’t sound reasonable to have a mandatory surveillance software to install, unless they want to provide their own laptop (or you buy one just for them and send them the bill).

Really weird stuff, I hope that won’t become a trend.

(comment deleted)
They provide a laptop not on your personal machine because you other client data, right
This. If "work [...] as a freelancer" means that you are not their employee, and they need the legal fiction that you normally have other 'clients' who you freelance for... If they do not provide the laptop, do they mind if your other clients also have agents & such on your machine?

If they are honest about this, then providing you with a nice laptop would be far cheaper than dealing with multiple-agent issues. Let alone getting into "how do we need to do this, to comply with laws & regulations?" conversations with lawyers. If they are not honest...

They have an exclusive clause, so at the moment I work only for them (and on a few open source projects).

Legally I work for a company in the EU which I own.

They are willing to pay for a decent laptop. That is not the issue. The issue is that I feel quite upset about this requirement. My motivation to discuss it here is to get an idea if I am out of touch with current reality (like some old guys some times are) - or if this is a form of cancer it's worth fighting against.

Are you able to, as Your Company LLC, (self) certify yourself as a SOC2 complaint entity? Maintain your own records and be able to provide them for audits from the parent company?

I agree with much of what has been said, security theatre etc etc; but at the highest level, should companies take IT security seriously, absolutely. Is the implementation correct? Probably / certainly not. The real cancer is the total disregard for security and data privacy that has metastasized to the point where a leak containing everything from a company doesnt even register as an incident anymore.

If your contract was with the CIA and they had requirements, you would probably be on board with them. We have all been around the block and seen the state of some peoples computers; even technically gifted people with malware and spyware riddled computers, with the CashFollowerDataScrape Browser Toolbar installed and Password123 securing everything. Do these tools stop this sort of stuff, not really.

Work / Personal device seperation is always the answer, the red flags are the companies that demand compliance, but refuse to provide equipment. If the contract wants you to do something you are free to accept or decline. If the contract wants code written using their style guide it would be a similar cosideration, even if it meant spaces instead of tabs. if the contract wants you to code only using your index fingers only, are comfortable with it taking 10x longer and will pay 10x your normal hourly rate, you are free to accept or decline.

> Are you able to, as Your Company LLC, (self) certify yourself as a SOC2 complaint entity? Maintain your own records and be able to provide them for audits from the parent company?

I recognize that you are just making a creative suggestion here, but that is impossible. SOC2 certification is incredibly complex and hard to manage (not to mention, costing tens of thousands of dollars a year). It is difficult to the point of impossibility for one person to achieve.

Not only is is practically impossible, it is also literally impossible for a one-man show to achieve SOC2, because there are control objectives that require separation of duties and verification of one person's work by another. I think the absolute smallest a company could be and achieve a SOC2 would be three people.

(comment deleted)
Drat.

One of our clients at $Day_Job is a laboratory - subject to arbitrary (from their viewpoint) rules for certifications, etc. If the certifying agency says "round this value to 3 decimal places" - it doesn't much matter if $Client hates that idea, or if it is (science-wise) wrong. One can argue with them...if done wisely, that occasionally works.

I'd be tempted to look into the SOC 2 stuff. Especially real-world accounts of how the AICPA interprets and applies the rules. There can be wide gulfs between what the written rules (plus "reasonable professional" logic) say, and the standards which the auditors (with their own mindsets and habits) actually apply.

Hmm...does the US startup you're working for have someone really familiar with SOC 2 certification working for them? Or just some energetic manager-type, who's zealously trying to apply his own interpretation of the written rules?

Best wishes.

> have someone really familiar with SOC 2 certification working for them?

Not that I'm aware of.

I don't know the details. My interpretation is that some manager hired some company to help them with this certification that the sales people says that they need.

Install it on a spare laptop.
I recently did something similar.

The ironic thing is that I work for a privacy-focused startup where such a practice is in total opposition to personal values held dearly by most people who work there. They claimed (and I assume that it's the truth) that this requirement was forced on them by the insurance industry. Apparently insurers are at the moment super-focused on cybersecurity threats and it's simply impossible for them to obtain general commercial insurance without having this in place. Going without the insurance means greatly diminished valuations and prospects for an exit.

So I installed the agent on a webserver that I have that has absolutely no data other than the static files that it serves to the web and that consequently are by definition public. So far they haven't noticed that it's not my actual work machine, and I expect that, with this being a mere box-ticking-exercise that they don't really care about and are on some level even opposed to, they have zero intention of taking it beyond "don't ask don't tell".

The thing I'm slightly worried about is that the agent logs logins and failed login-attempts. The problem is that employers who under normal circumstances never look at that data might suddenly get the idea of looking into it when employment disputes come up. So I'm a bit worried about creating an audit trail that basically says I never log in to my machine.

Maybe I need a cron job which, with a small amount of random variance, logs into the machine in the mornings and out again in the evening, but that would be crossing a line, legally speaking. With the current state of affairs I can plausibly plead negligence (I meant to install it on my personal device and just didn't notice that I was actually connected to the server when I hit "install"), but with an elaborate setup involving cron jobs and such, I'm clearly establishing that I'm acting in bad faith.

I can easily engineer myself out of this crap. But that feels like a much worse solution than just dropping out.

I have two qualities that makes customers willing to pay a premium. I am very good at what I do. I am honest. I don't want to compromise my integrity.

Charge them a premium for it too.
(comment deleted)
Anything corporate software is a no go on my personal devices. I like to draw a clear line between work and personal life. The only exception I made is having google authenticator on my cellphone, I feel like I would have been unreasonable to ask a company provided phone for this application only...

kvm switch are great to be able to re-use your input/output devices without mixing up personal and corporate stuff... this is what I use... A physical button to separate the 2 environments.

If you are a freelancer then your contract should allow you to do work for others. In which case, your response to this client has to be "Sorry, but my business laptop potentially has data from other clients on it. I can't let you install this monitoring agent without violating my contractual confidentially agreement with those other clients. I always maintain client confidentiality and will do the same for you. If you want to ship me a dedicated laptop for your engagement, I would be happy to install whatever you want on it."
> If you want to ship me a dedicated laptop for your engagement, I would be happy to install whatever you want on it

And they will install a trojan which would eavesdrop your talks, scan your home network and analyze its traffic.

Network segmentation with vlan is what I would do.
Yep, exactly. I used to put client devices on a segregated network and tunnel their traffic out to pfSense running on a cheap cloud box somewhere. Worked well.

(I should say that intentional monitoring of my private comms was never a concern for me when I freelanced, but I was somewhat worried about infections in my clients' devices moving laterally to my home network.)

Who the fuck has time to do that?
As someone who isn't well versed in networking could you describe your setup in overview? Like, what software/hardware, etc.? Thank you
Mini-rant: people on hacker news frequently undervalue their knowledge and don't consider the things they know to be of much worth. A classic example of this is the "I can't see why dropbox is a thing, simply build a cloud file sync service - easy" post. This poster is running their own semi-professional router (pfsense) on whitebox hardware. I would not want to do that unless I already knew what I was doing or wanted to spend some time learning.

The type of network segmentation being discussed is not rocket science, but it's not trivial either. VLAN segmentation can have tricky edge cases that cause things to break in a non-obvious way, nothing that can't be worked around but for someone who "isn't well versed in networking" would probably be more than you're up for. Also keep in mind that you can't do this with most consumer networking gear becasue it's too complicated to setup and support without some experience and knowledge.

I'd not recommend VLAN segmentation unless you want to become someone who is more versed, which I don't oppose, but it's not a switch you can flip in 5 seconds and never think about it again.

I very much agree with this. I don't think that this is the solution for most home users/consultants working from home.

The more obvious solution would be to get a separate WiFi router and internet connection strictly for work purposes.

At that point you could also consider it a 100% home office expense and it may be tax deductible (talk to your accountant).

Can one use two internet connections from a single phone line?
Sure. I didn't actually use a VLAN: I had a spare TP-Link router lying around, so I installed OpenWRT[1] on that and gave it a static IP on the home network side, then plugged it into my broadband provider's box. On the cloud side, I basically followed a guide, maybe [2] but I don't remember exactly. Once I had pfSense installed, I first set it up as an OpenVPN server.

I then went back and configured the OpenWRT box to create a WiFi hotspot and serve DHCP on a different subnet to that used by the home network. I configured an OpenVPN client tunnel from the router to pfSense, then set up a NAT ("masquerade") from the segregated network into the tunnel. I think I actually left a couple of ports open on the OpenWRT from the segregated network, but properly I should have firewalled them off so that the router was only accessible from the home network, since I doubt OpenWRT has been seriously pen tested by anyone. I'd probably also use Wireguard if I did it again.

The above config worked, but the CPU on the TP-Link was too underpowered to get more than a few Mbit/sec throughput. Since I didn't particularly care about having a VPN (I was going to throw this traffic on the internet anyway), I messed around and managed to change the tunnel type to L2TP. L2TP pretty much just takes the packet you give it and adds a UDP header for routing, so that approach gave me full bandwidth. I think I had to mess around a bit more getting MTUs set correctly to account for the L2TP header, and maybe had some trouble with auto-restarting the tunnel on failure.

One of the (flagged) responses to my original comment was "Who the fuck has the time to do that?" I actually think that is a fair comment. This all took a day or two to set up and debug, it isn't something that the casual user is going to do and, to be honest, I probably wouldn't have done it either except that I wanted to play with pfSense.

I'd do it again, though -- it was fun.

[1] https://openwrt.org/

[2] https://silasthomas.medium.com/how-to-import-a-pfsense-firew...

Thank you! Though I agree with the sibling comments that it's probably not something to dabble in unless you're pretty confortable with this... May I ask, is this somewhat in your area of expertise, what kind of development do you do (supposing you're a developer?). Sorry if too inquisitive, just curious :).
I think you should dabble in it! This stuff isn't magic, it's just a bit esoteric in places. That makes it a great (and valuable) skill to learn.

I do cyber/data stuff, often on the network-y end.

This is what I do for a variety of different things:

  - $CORP devices are on a VLAN + Wifi that has access to the internet, but no other internal networks
  - Internal network for file servers/printers and the like
  - Personal device network, think laptops/phones/tablets that are mine, can reach internal network
  - IoT network - Think sensors/robot vacuums/"smart devices"
  - Guest network, for well visitors to my home
  - AirPlay network, has all my Apple devices on it to allow for music to be airplay'ed to TV's/HomePods, can be reached from internal/personal/guest network
Now I also understand that I am outlier, I am running a fully segmented, firewall, traffic inspected/logged home network with small business or even large business network gear, with FreeBSD as the router/firewall with a managed switch/WAP platform from TP-Link.

This is not something the average home user or consultant is going to setup/configure/manage and I don't expect it either.

The worry that the $CORP device will be abused to "validate the security of the network its connected to" is very much a possibility. Most corporations have no desire to do so, and endpoint protection is their primary goal, and they don't need to scan your home network to do so, it is all local to the device. It's about protecting the integrity of the device, not the rest of the network around it.

Capture traffic and sue the f outta everything they do that‘s not covered by a contract.

Someone has to start stopping this madness and protect less informed people. We are all steering into a dark future. And i lose hope when i see all these smart programmers complaining but not stepping up.

> Capture traffic and sue the f outta everything they do that‘s not covered by a contract.

Whatever the app they would ask you to install would do probably is going to be allowed by its EULA (and I bet the EULA is also going to prohibit you from analyzing the app and whatever it does/communicates) and chances are you don't read it. And even if you do you most probably agree because you know all EULAs are brutal and there never is a button to object its specific part and continue.

What we need is legislation to recognize all the data and metadata about your PC, all its software, your home networks&devices and their usage a kind of personal data and apply the same rules GDPR applies to tracking cookies - giving you the right to continue without agreeing to be spied on.

EULA has nothing to do with this. Question is whether software installed by company you’re working for spies on you in ways you haven’t agreed to. If so, sue them, not the co that wrote the spyware.
EULA is between the user and the vendor of the software, it isn't a agreement between the user and the users employer. Capturing traffic like that runs afoul of hacking laws.
The employer can just give you an executable and say you must install it. The executable would show you an EULA and require you to accept it.
EULAs are irrelevant if they go against the law. You don’t renounce all your rights because some law intern wrote in the EULA that you sold yourself into chattel slavery. And for those things you can give up (such as some of your data) you have to give explicit consent, clicking “I agree” under a 500 page unreadable legal document is not enough.
You keep your work laptop in your home network? Tut tut.
I work frim home ... pandemic and all that. What else am I supposed to do?
VLAN is the obvious and most cost-effective mitigation
Not really. VLAN provides segmentation, but it does not provide any mechanisms to limit access to other vlans in your network - which are most likely routed by your router. You will need to add some L3 filtering (acls/iptables/whatever) to isolate segments.
That's only true if use of VLAN tags is controlled by hosts; if you use a smart switch to assign VLANs to ports it's pretty much as-if you have multiple, physically separated networks.
Segmenting your broadcast domains doesn't help much if traffic is routed freely between them.
All nice, but now you need managed switches and stuff plus some amount of unbillable time to configure it all and fix it when it breaks. Might be worth it if your bill rate accommodates it though.
Sounds like a great approach. Any recommendations for such a switch for WFH?
You'd still need the router to tag/untag those VLAN's and allow traffic to flow. So if the router does VLAN tagging but just routes between the different network segments you haven't fixed anything.

You'd also need a firewall, and to configure it correctly.

If I couldn't trust my company on my home network, why would I work for them?
My employers laptop is in a separate VLAN. What makes you sure that no-one else than the employer has access to it. This laptop has Windows 10 installed for example. And a shit-ton of McAfee crap. I would trust my employer but not the many companies who have a foothold on the machine as well because my employer is too cheap to install decent stuff on it.
> If I couldn't trust my company on my home network, why would I work for them?

Your employer isn't your friend.

It might be an awesome company to work for perhaps, but it's still a company (unless you work for like a 2 person startup). A company subject to audits and regulations and all kinds of other pressures (some of them actually valid, though many are theater) to monitor and control data and flows on their hardware.

You don't want those monitors etc on your personal data and network which has nothing to do with work.

So, keep them separate is the best possible advice.

Yes my company monitors the network at work and on my work computer, as they must do so.

But they are not allowed to scan my home network and other devices, and they have no reason to break the law. I trust them to not do that more than half of the devices running on my home network.

Many of these technologies have been built in the assumption of a world where they run in the company LAN.

No reason to trust, better to isolate.

If this is really the kind of things this company would do… why are you working for them?
Because people need money to pay bills. And it's a sad fact that companies who do shady shit tend to have more money. Simply because they outcompete companies who don't, all else being equal.

Tugging against this evolutionary pressure is really hard, not only for individuals but also on the society level.

"Just quit LOL!" is a commendable act of grassroots activism, but not everyone is able (or willing) to afford such luxury.

> If this is really the kind of things this company would do…

Because, until last week they didn't.

Now I have to figure out if I'm just an unreasonable, stubborn old guy, or if this requirement is out of band.

Tell them to provide you with a Virtual Desktop or a dedicated Laptop..never install Spyware on your own machine.
It is out of band. Refuse or this becomes normal.
I like others idea of getting them to spring for a dedicated computer. You just have to make it palatable to their accounting department. Maybe lease a laptop and expense the payments or something. If you have an accountant, I'd consider asking them for suggestions on "good ways" on how to make your client pay for your laptop.

In my case, I just outright said "hey, you guys I really want you to be my client but I'm gonna need a new laptop". So we bought a new laptop as part of the contract.

Presumably the client will terminate your contract with them if you don't comply. So you don't actually have to install the agent until the day that they terminate the contract which is also the day that you no longer have to install the agent.
That's why you tape off cameras and stick a needle in condenser mics on any new laptop.
Don't they use MEMS microphones nowadays? (https://en.wikipedia.org/wiki/Microelectromechanical_systems) Either way, solid advice!
sticking a needle in a MEMS microphone is just as effective, you just have to [find the damn thing, and] push the needle all the way through!

If brute force isn't working, you're just not using enough of it yet.

Learn a thing every day I guess. Nonetheless, is inconsequential to task at hand if you apply the "Rosemary Kennedy" method to the laptobotomy: activate the mic, jam that needle in the hole and wiggle it around until the girl can no longer sing, no activity is detected on the vu-meters and nothing is played back in the recording.

You have audio-video input sensors on all sort of programable devices nowadays, even some TVs can be turned into two way communication devices. That's a nice 1984ish vibe to ruin your late night matrimonial TV browsing.

> And they will install a trojan

They WILL

> which would eavesdrop your talks

That absolutely WILL - use the microphone and listen to everything being said (why not the camera too and watch everthing?)

> scan your home network and analyze its traffic.

That absolutely WILL - do all this stuff

I mean if this is definately going to happen, then the company can go ahead and cut an 8 figure cheque straight away. Which company and where do I sign up?

> why not the camera too and watch everthing

Because who doesn't have a lid/sticker over their webcam yet?

I have also kill-switched the built-in mic in the BIOS set-up but I'm not sure how secure this is. I would prefer there to be no built-in microphones in any hardware (except phones) at all. Sadly every modern laptop is equipped with a mic.

Most mics have mediocre sensitivity. Stick a blob of blu-tack or similar cohesive putty on it, take it off when you want to use the mic. Test by making recordings -- some machines have two or three mics.
That's one plus point for desktops and nettops with no-frills motherboards. No mic, no speakers, no bluetooth, no wifi.
That's a stretch.

Most companies don't want to spy on their employees' free time. They want to 1- make sure they are compliant with the law and their confidential stuff is secure and 2 - make sure that you are actually working for them when you say you are.

Installing something to listen to non-work related stuff serves neither of these goals, and would open them up to lawsuits and PR nightmares.

The people who decide the spyware must be installed are likely so far removed from the actual spyware and the people who admin it as to have no knowledge or understanding of the distinction.
Where are these IT depts that have all this unlimited time and resources to spy on their employees?

Sure you might get a bad actor voyeur, but as a matter of policy, companies just don't care what you're doing at home as long as their security interests are protected.

Go to your router's settings and create a separate wifi for just these work situations. Connect client hardware to that wifi only. This keeps them out of your LAN. If your router can't do this, get a better router.
Don't put a work laptop on your internal home network!

I have a separate network for work machines at home, which goes straight to Internet and can't route in or out of my actual home network which is behind its own firewall.

> If you want to ship me a dedicated laptop for your engagement, I would be happy to install whatever you want on it.

I wouldn't offer this. You're still going to need to login to Github/email/wherever with your personal password, manage private keys, and stuff like that. Just say no.

Login in GitHub/whatever on your other laptop. Then send via e-mail bits of code you need from one to the other. When asked why is taking longer vs. other clients point this as the culprit. And also charge this client more.
I’d like to say no, but I’m not sure it’s an unreasonable request.

I’ve recently been contracting and the only private account I used was GitHub, and that was a conscious decision to maintain a single public developer identity.

Otherwise, I expected them to provide all hardware and software required to perform my role.

And likewise, for security purposes, that’s exactly what they wanted as well.

Tho I would note, they wanted to perform a background check prior to starting. And while i didn’t have a problem with the employer having those details (for the period of the contract) they performed this function through a 3rd party, who has stated they won’t delete my data (I will be following up post-contract). I was not happy for a 3rd party to have this data.

I would also not login to or install any apps, or certificates on my phone. Again, if that’s required, send me a phone.

The company I was working for had SOC2 / ISO2700 / what ever and I think this is exactly why they wanted all this. But it suited me to seperate things as well.

Why not make a Virtual Desktop for your Developers instead of ~forcing them to install crap-ware.
Thats a solution thats used to be common for well run large shops(well sometimes using things like remotely accessed hardware prior to modern virtualization) but as this creates work and expenditure for the client many smaller outfit's kind of want it both ways and expect the contractor to fund hardware/software completely identical to what their IT is deploying for employee's.
If you can pay 7500$/y for spyware you can surely pay for a VDI-Product.
The problem is rarely the monetary costs alone it's more about the need for handling an one-off situation that require special policies, and becomes an special item on the budget.

For large companies supplying VDI to consultants tend to be an standardized package that gets billed back to whatever project is hiring the consultants but for mid-sized organisation VDI is a big scary word that's going to require special handling.

Most desktop support teams are completely dependent on standardization to the point where they tend to turn into complete control freaks, that panic at the thought of anything that is not "by the book", so they often just apply the book without additional budgets to external consultants.

I am not interested in politics or humans when the problem is a technical one, i understand you but that's my stand ;)
I have worked in such an environment. It was likely running on an overprovisioned server, that had to be accessed via an Internet Explorer ActiveX plugin. I'd rather be using a green-phosphor VT100 at that stage.
> Internet Explorer ActiveX plugin

Virtualized desktops have been solved. All the major players offer them. FFS, you can run Xbox One games in the cloud and play in your browser now.

That sound's like it is a looong time ago, todays VD's are extremely responsive just have a look at Shadow for example.
~6 years ago. I'd be surprised if such things weren't still deployed in places.
why not spin up a VM dedicated to that client and confine all crapware to that VM?
One of the legal guidelines for whether or not someone is a contractor (vs an employee) is whether they provide their own tools.

It’s not a hard rule. It’s just one of a number of tests. But contractors are generally expected to provide their own tools.

You could reasonably invoice an upfront tooling cost ("isolated development workstation to meet customer IT policy requirements. Apple Macbook Foo, $BIGNUM")

If you want to be really cheeky, could get some value-added margin on it too, and as a bonus, AIUI it would be yours to keep after the engagement, rather than having to return hardware they've assigned to you.

Might be tough to get past finance though, unless they really want that certification :)

We've got a few machines we've inherited this way. For one client they needed confirmation that we had a sanitized infrastructure for our pentest and that we captured and logged all traffic to and fro. We billed them for the equipment and network link etc. Upon completion of the project we provided a certified copy of data destruction in accordance with their policies / guidelines and were left with a bunch of stuff. Scored two GPU cracking rigs, couple laptops, and some Cisco gear. I didn't complain. Granted now those rigs are a bit dated, but at the time 1080's were hard to get during the last mining rush so they definitely weren't cheap.
But in that case I’d agree with the OP. I’m not installing what ever you want on my hardware.

I probably was more of a “temporary employee” than a contractor. But what’s the difference at that point? I was paid more than the value of entitlements as cash. It suited both parties, and was mutually agreed.

In hindsight, having them provide the hardware, and then handing it back at the end of the engagement would be my preference. It reduced any risks for them and me.

Tho I can easily imagine on/off or short infrequent contracting scenarios that this would not work for.

> I probably was more of a “temporary employee” than a contractor. But what’s the difference at that point?

If you’re a temporary employee, the employer is responsible for payroll taxes, and has additional obligations to you (depending on the state). You’re obligations— both to your employer and to the IRS—are different as well.

I’m addition to unlawfully skirting regulations, misclassifying an employee as a contractor is essentially stealing from the employee by reducing the company’s tax burden and increasing the employee’s.

Just compartmentalize your passwords and private keys. That said, private keys are generated on the dedicated hardware and always stay there - that's all you need to manage them.
+ 2fa + sensible rotation of keys and passwords (especially if you use say github for personal / work / multiple clients) - they can have the password at that point and it is of limited use.
I store all my keys in a yubikey (including ssh keys). The client can’t have the keys if I don’t have the keys.
I would strongly advise to not use personal accounts for customer.

Yeah like sending invoices arranging contracts I use my main mail account. For doing customer things I rather setup new email account or get one from the customer.

If they are sending a dedicated laptop, I'd recommend using dedicated accounts for that client. I don't use personal accounts on my work system even as a full-time employee.
It's a widespread practice that companies provide laptops to contractors to compartmentalize the way they interact with the company's IT. But I'm really quite opposed to it.

At one point I had 3 sets of machines: Two different 14" laptops from two different clients and my own machines. At some point you simply run out of space on your desk and end up constantly either working on screens that are too small (14" really isn't enough to be productive), or plugging laptops in to and out of screens as you're context-switching. Carrying three laptops with you when you're travelling if you anticipate having to work for both clients during that timeframe is also not exactly my definition of great fun. And you end up duplicating a lot of effort around managing that IT, like tweaking settings the way you like them etc.

The argument "we own this laptop, so we can do with it whatever we want, including spying on you" is just not valid. They're either doing things that I'm okay with, in which case I'm okay doing it on my own hardware. Or they're doing things I'm opposed to, in which case I'm opposed to it no matter who owns the hardware.

Also: In many European countries, authorities are clamping down hard on practices whereby companies pass people off as contractors who really are employees. They usually work off of lists of criteria of what makes an employee, and if you fit too many of those criteria while, on paper, passing yourself off as a contractor, then you and your client can be in for a world of pain. One of the criteria that makes you look more like a contractor and less like an employee to the government is providing your own facilities like the computer you work with.

And, last but not least, it's just not a good way of dealing with the planet's resources.

I have a dedicated laptop for a client that is in a room of my basement. I remote into it from my personal machine whenever I do work for them. Works very well!
I still have two lying around. One of them was a 15” dell brick.

I had informed the client that I will be disposing of them when I’m back if they don’t handle it and that any and all third party liability well fall on the direct supervisor if he can’t organize the transfer.

Needlessly to say even me connecting them directly to the courier was not enough.

My guess is that the OP depends on the money otherwise he wouldn’t be asking for help. So either but a cheap laptop and then control it with barrier[1] from your main driver and don’t ask(because whatever you ask they will probably say no). Or let them ship theirs to you, but I’m willing to bet that it be worse than whatever second machine you get.

In the meantime I would suggest you look for a new client because judging from experience there is a lot more pain to come. I didn’t do it in time and ended up paying dearly for my lack of initiative on that front.

[1] https://github.com/debauchee/barrier

I think there are absolutely a list of things that I don't want the company doing on my hardware, but I'm okay with on their hardware.

Off the top of my head, remote wipes/resets make sense. Frankly, I prefer the company has that option, just in case I lose my work laptop. Encryption should cover it, but I'll take the backup.

Compliance agents also have a legitimate reason to exist, but I don't want them on my personal PC. Some places maintain lists of allowed software (I think in part so they can track/inventory them for compliance stuff). I respect that they have the right to restrict what I install on my work laptop, but I reserve the right to install whatever I please on my own computer.

It would also not be insane for a company to do automated backups of company laptops to company servers. You want a way for Joe in marketing to get his data back when his cat pees on his laptop. I do not want all my personal documents on company servers.

This is really the thing people miss. It's a company laptop first and foremost and the right to privacy goes away.

The amount of compromising content we've seen and or found on investigations is mind blowing. No one needs that on a work computer. Keep your private life private from your employer.

The OP was about a contractor though. The way I think about somebody who is truly a contractor is that they are their own IT department, and their capabilities in the IT space should be at least on par with whatever the client's IT department enforces for in-house employees.

The above two comments however seem to be arguing from the viewpoint "this is just an individual person and any individual person surely needs babysitting by a big mighty corporate IT department because otherwise they can be expected to do stupid things like losing storage media with important data and not having backups, never doing updates, having their computers full of spyware, intermingling private stuff and work stuff from different clients in such a way that there's data leakage, etc. etc."

If you want to truly treat a contractor as a contractor, you should think about it as your IT needing to interface with their IT in such a way that it makes sense for both parties. And "here, use this laptop" is just frequently a bad solution from the point of view of the contractor's IT.

I also heavily object to the notion that any expectation of privacy goes away on a company laptop.

You can disagree with the expectation of privacy but it’s been held up in court multiple times that personal actions ok a corporate resource are not protected.

Ideologies and realties are different. If you care about personal data, don’t put it on the company. The company however has a huge liability with your personal data. I’ve mentioned else where I have dealt with issues of personal data becoming an issue for the company via blackmail, or in a couple cases, the company was legally required to report child pornography. So yeah, if you don’t want the company to know, don’t put it on their equipment. If you buy dedicated equipment for work, use it for work and work only. If you want to use your machine for Everything, that’s fine, but understand the risks and the lack of an expectation to privacy.

We're agreed that separation of work and private spheres is good practice.

But I'm not sure what country and what legal concept it is that you are referring to when you say "it's been held up in court multiple times that..." I'm based in Germany and have recently undergone GDPR-related training with a lawyer specializing in privacy law. In the training, the lawyer explained court cases that involved regrettable intermingling of work and private data in a company's IT. The result was that the law then started looking at that company's IT as being more akin to a telecommunication provider, with similar legal provisions coming into effect regarding telecommunication privacy.

Also: Anyone who lets their mind jump straight from "privacy" to "porn" is missing a big part of the picture of what privacy is all about. The way I think about it, it's a basic psychological need. Your psyche can be in a "public mode" where it assumes that any and all information flows emanating from you are out there for everyone to see and do with as they please. The result is that you have to put up huge amounts of self control which is psychologically exhausting. Therefore, the psyche seeks private spaces, where you don't need to control yourself as much because you know that nobody is watching.

The fight for privacy in the digital sphere is about ensuring that, just because our psyches are nowadays constantly linked to digital devices, this doesn't result in our psyches having to operate in "public mode" all the time.

It's about establishing clear delineations of who gets to receive what information flows relating to you and how they can potentially use that information against you.

For example: A company does time tracking through Excel sheets, but they also have IT security logs that keep track of people logging into and out of work machines. One day the company decides to run a project: They put the two data sources side by side and identify employees likely to be cheating on their time sheets. They fire the employees. ...this sets in motion a psychological effect in the remaining employees: They realize that they have a very poor understanding of what information the company's IT is collecting, and they don'T know how that information might one day be used against them. So all they can do is assume the worst. That means putting their psyches in "public mode" all the time, assuming the machine knows and sees everything, and the employer will use that information against employees at whatever time and in whatever manner suits them. The psychological damage done by this is precisely what we need to avoid!

And the GDPR will usually actually prohibit such things: The company's register of data processing activities will tie the security logs to the purpose of providing IT security. And it will tie the Excel timesheets to the purpose of time tracking. If you start using the security logs for time tracking purposes, you are using the data cross-purpose and are in violation of the GDPR and risk a hefty fine. This is a model usecase of what the GDPR is actually good for, and it clearly relates to protecting individuals' reasonable expectations of privacy in relation to their company's IT.

If you can afford to spend a bit of money on the problem, it's possible to use something like PiKVM or KVM-over-IP to just leave a stack of client laptops or mini-PCs out of the way somewhere and connect to them remotely in a reliable way, so you can reset the machine if the remote desktop software fails.
"either working on screens that are too small (14" really isn't enough to be productive)"

I work primarily from a 13" xps. Given the high-res display + that I can switch desktops easily via i3, it's really a non issue for what I do.

You can also use a dock. For my work laptop, I use the Caldigit TS3+ thunderbolt and it's great.

How comfortable would you be if you learned that your cloud provider allowed a contractor in a random overseas country to connect to your production servers from a laptop on which he also read his personal email?

Would you like them to have some controls in place to prevent that?

Would you like that to be enforced consistently and audited?

Would you like them to provide you with a certification that their procedures to ensure that doesn’t happen meet some minimal standard?

Congratulations, you have invented ‘demanding SOC2 compliance from vendors’.

And the upshot of it is that some contractors have to put up with jumping through some hoops.

Between a) using my own machine, b) using a company machine and c) firing the client, option B is pretty sensible. Option C is for when the client won't compromise at all.

You can always make separate github accounts, SSH keys, and so on, specifically for the job.

I don't use my private accounts for anything related to this client.
if only you could make a new set of those...

a lot of developers have separate everything

this can be bad when encountering the recruiters and hiring managers that still look at github activity as clout, but these days you still have to pass the technical interview no matter how much clout you have so I wouldn't worry about it

> personal

Uh, hell no. You should have business accounts.

Personal and business never mix.

No sane person would use their personal logins or private keys for customer work. Create ones for that project! Yes, it is a pain but having a bunch of expensive lawyers breathing down your neck is an even bigger one!

You want to separate your customer's work from your personal or other clients' data, even if they don't install any spyware on your computer. How are you supposed to ensure that you don't accidentally breach any NDAs (that you, no doubt, had to sign) if you are commingling the stuff?

I think this is the correct advice, but keep in mind that procuring the laptop might be a difficult thing for them to do bureaucratically. On the other hand, you renting a laptop and charging them for it, would be pretty simple, presumably your contract covers expenses and all you'd need is an OK from the manager.

I worked for a big company that had various spyware thingies installed on all the company laptops, but they let you use your personal mobile devices for work (including iPad which was pretty nice) -- and wanted you to install their preferred spyware on it. I didn't do that but I expected they would eventually tell me to do it or stop using my personal iPad.

It seems like now that it's technically feasible, big corporate IT managers want their spyware of choice running everywhere. Someday you will have an arm full of Apple Watches, one for each client. You should embrace this future and price it in.

Arguably, the new laptop being difficult to procure is a feature, not a bug. It serves as a deterrent to installing that agent, if it's easier to just make an exception.
Or they reimburse the consultant when they procure their own dedicated laptop for the client's work.
And hey, when the gig is over you got a new laptop that just needs to be formatted and it's all yours!
At my agency we have a client that always ships us locked down laptops (healthcare space so understandable). Thing is this client, while very good at getting the laptops out to you, is horrible at actually getting them back and pretty much lets you keep them....I have 4 Macbook Pro's sitting on a shelf behind me, all from this client.
Are they all still locked to an MDM profile, if so while they're yours, at any point you could lose access to them and that sucks. There's a ton of laptops that have been up on Ebay that ended up having mdm. We bought a few on accident for our non-profit. Fortunately we were able to find the original owners and they were gracious to remove them. We were also lucky they hadn't been disabled. Thing is most people don't realize that when you restore / setup that laptop it will pull that profile regardless of how you wipe or clear it.

TLDR; Make sure MDM profiles are gone and the laptops are cleared before doing anything personal :D

woo... linux and windows don't have that, at least not windows yet. you never know.... they might make uefi behind a subscription making mdm thing over to windows/linux side
Used to work in Healthcare, we'd use Computrace which operated at the motherboard firmware level. It can remotely brick a device and also automatically manage installing additional payloads in Windows once an internet connection was formed.
Doesn't this put you in a position of potential liability, if, say, someone breaks into your home/agency, steals those 4 laptops, and leaks personal healthcare data off them?
Plus the 25% management fee on top of the price :-)
It also creates friction for the client, making it less likely that you get paid.
Wouldn't the source of the friction be them asking to install spyware on your personal machine?
There are multiple points of friction in this scenario. Their asking you to install spyware is friction for you, your asking them to buy a laptop is friction for them.
Charge them for laptop rental. As another poster said. If you have other clients you are betraying their trust by installing the spyware.
(comment deleted)
> procuring the laptop might be a difficult thing for them to do bureaucratically

Not if they are at the point where they need SOC2 cert, and where they install agents on their employees computers (and want to extend that to their suppliers).

My company is going through our SOC2 audit. We do not have such software and everyone is remote. I call BS as to the justification. This smells like a desire for corporate monitoring.
Definitely.

My point is that if/when you get to need a SOC2 certification, you put the resources towards this, and you definitely have the financial/org means to procure hardware to suppliers if required.

A lot of it comes down to the agency thats doing your audit. Its supposed to be a fair process, but just like PCI compliance, there's a huge amount of variability. Most auditing houses are going to be pushing 'solutions' to problems they find so they can milk the company out of more money. Its all snake oil.
SOC2 isn’t prescriptive. SOC2 is just a certification that you are following your own internal policies.

If the company made the mistake of creating a policy that they use this software as one of their controls, then the auditor will ding them if they don’t use it.

It’s an absurd system.

Reminds me when I was doing PCI compliance.

A PCI question asks if all outbound traffic is explicitly authorized. I took that to mean getting a list of all the IPs for the APIs of services we hit, and even constructed that entire list except for one, the payment processor itself.

The payment processor did not have any stable IPs, and could not give me a list. Their official solution was to have our policy be that we explicitly allow _all_ outbound traffic.

If such an option is allowed by PCI, what is even the point of making it a requirement?

The point, with a TON of these certifications/auditing/whatever, is usually "Are you aware of risk X/Y/Z and are you either mitigating it or accepting it?" In this case, you are now aware that all outbound traffic is allowed, and you are accepting that risk as a risk of doing business with that payment processor.
As Vendan said, the point is to get explicit acknowledgement that you're aware of something and have either mitigated it or accepted it. Which sounds kind of dumb, like ISO9000 certification, where the joke is "it doesn't matter how bad our processes are as long as we write them down!"

I made that joke to a VP once, and he brightened up and said "Yes! Exactly! Because until you're actually following explicit processes, you don't even know what you're doing wrong, in order to fix it!"

So I'm a lot less cynical about auditing certifications like this now.

> If such an option is allowed by PCI, what is even the point of making it a requirement?

The point of all those certifications (I took companies through the processes required for PCI, SOC2, and ISO27001 ) is security theater, a path in the back for the execs, the ability to have "I'm not to blame, I have this cert" in case of some shit happening, and the ability for sales to throw TLAs to prospects to show how Seriously(tm) the company takes security. Oh, and to check boxes to be able to transact with some large corporations.

There are plenty of stories of highly certified companies that were deeply penetrated and exposed, and all their security theater did not help.

It's an extremely low bar for cluefulness. There is space between the bar and the ground, but most serious going concerns clear it easily unless they screw up the compliance process and make things hard for themselves.

The problem isn't these low bars, but rather the market for services to "help" people clear them, and the widespread perception that the bars are higher than they actually are.

Yes and no. SOC2 doesn't say you need to install an agent, and may not be explicitly prescriptive about whether computers that have access to production data or systems need encrypted drives, screenlocks, etc. But a non-hack SOC2 auditor is going to expect you to have some reasonable policy and controls in that area. So yeah, the main thrust of SOC2 is "are you following your own internal policies", but the auditors are also expected to hold you to some minimal standards on your policies (or ask you to provide a good explanation why they shouldn't apply in your case). You definitely would't want to tie yourself to a particular agent in your policy, but the auditors will want to see some kind of policy and then require evidence for that, either from something like an agent or screenshots/etc.
More importantly: once you start using agents as a control, your auditor is very much going to expect you to be consistent about it; that's essentially the core thing SOC2 measures, is consistent enforcement of a documented policy. The whole point is not making random exceptions.
The same thing happened in the early days of ISO 9000
ISO9000: We make a piece of shit product, but it's a very well documented piece of shit product.
My company didn't need endpoint monitoring for SOC2, but does need it for ISO27001
You're mostly wrong here. First: many, many companies install agents as one of their SOC2-stated controls. More importantly: depending on where they are in their SOC2 process --- ie, if they've already had their Type 1 --- they may essentially be required to keep instrumenting machines: once you state a control, it's a mess to get rid of it. You can't just decide to make a random exception for a noisy contractor.
As others have said this area of SOC2 is often about "are you actually following the policies you've set" rather than "you have to do things this way" – most of our staff have company owned devices with MDM and an agent which mainly tracks installed applications versions, that Disk Encryption is turned on, and the OS patch level.

But there are a couple of our contractors that rejected this for exactly this reason (they had other clients). For one of them, we just bought him a laptop that he does all our work on (it cost less than 1 day of his time, so it was a no brainer), and the other, we realized we didn't have to as long as he did periodic (documented) reporting of screenshots of his OS version being up to date, Disk Encryption enabled, and screen saver settings are appropriate. And they legally attest that they make a best faith effort to delete any sensitive data off their laptops (if they ever download it).

We've talked to a couple of auditors and that seems to be sufficient and pragmatic as it accomplishes the same goal.

This.

Every company I’ve ever worked at, and that includes very large ones, will have legal, HR, and finance tell you at some point that “you must do X”. Sometimes X is no big deal and you do it. Sometimes it’s hard, and you ask the business to fund it or remove the requirement. Sometimes it’s nonsensical in your context and at that point the job becomes understanding why X is a requirement and how you can satisfy that requirement in some more pragmatic way.

At the end of the day, these functions are there to support the business.

I had an employer that, once or twice a year would send out mandatory agreements we were "required" to sign-- under threat of dismissal. (I don't think this was legal at all).

One day they sent out a particularly onerous "agreement" that said that we agreed not to use a phone while driving a car and doing so would be cause for termination etc.

I went down to HR and asked them if they were really trying to regulate what I was doing in my personal vehicle with my personal phone and they replied "No, its only meant for when you're in a company vehicle or using a company phone."

But the agreement itself clearly stated any phone any car.

The workaround I came up with was this-- a friend of mine and I swapped forms, and signed each others names. HR had their illegal, unenforceable agreement, and life moved on.

I got my "revenge" 6 months or so later. HR was frantically calling me for some reason-- I was stuck on the freeway as is our custom in Orange County. I ignored them for something like two hours, and explained that "I was stuck in traffic and as they were no doubt aware, we are prohibited by company policy from using our phones while operating a vehicle."

The HR gal was visibly pissed off, but to be fair, I could have been fired for answering that phone call.

You're in the US --- California, to boot. I'm not sure what you accomplished by making the agreement "unenforceable", as your employer does not need to secure your agreement to terminate you for virtually any reason. Discovering that you text and drive in your spare time, off hours, is something they'll likely have no trouble firing you for, unless you have an employee contract that somehow gives you tenure except for for-cause hiring (almost nobody has one of those).
Perhaps I didn't explain myself well.

I am not a lawyer, obviously, but what I meant was, threatening someone to sign a legal document can't be legal, even if its your employer.

Sure it can? All sorts of jobs are contingent on signing contracts (NDAs, acceptable use policies, background check authorizations). Why would you think it wouldn't be legal? The "threat" is simply to stop employing you, which your employed (in the US) has an almost absolute right to do anyways.
Where's the line then? What could they "force" me to sign and what couldn't they, in your opinion?
> I think this is the correct advice, but keep in mind that procuring the laptop might be a difficult thing for them to do bureaucratically

That's not OP's problem.

It is if OP loses work because of it.
Also as a freelancer you may end up with a farm of a dozen single purpose laptops....
All rented out? Seems like an easy win on the PaaS market (and make enough profit on them).

Just remember to put some customized adhesives telling what laptop is rented to what customer.

Sure but I think most corporate spyware prevents things like mining software, cause get real thats all it will be rented for.
> You should embrace this future and price it in.

Should we though? what you and the parent outline is a most sensible way of accommodating it while minimising invasion of privacy, however I question the underlying reasoning, and therefore whether or not we should encourage it. What perceived gains are to be had beyond merely box checking for accreditations? and in those cases why is it part of those accreditations, what is the intended effect? I can think of a few but they are all flawed or attempting to enforce something impossible:

1. Preventing leaking code/IP (But if you can't trust them they could just as easily take a picture of the screen, capture the HDMI, copy the drive, even log their own keyboard... there are always side channels unless you physically control the environment).

2. Preventing them from doing something malicious... But if they are writing code for you and they are untrustworthy, isn't it already game over?

3. Bean counting, monitoring time spent at keyboard etc - which we all know is not an accurate metric of productivity for cognitive work.

4. Similarly to #1 and #2, unintentional breach or security issues, i.e you trust the person but not their device or their ability to secure their own device - In which case spyware seems wholly inadequate to cope with this situation, if you are serious about this, you should be controlling the hardware and OS (which lots of orgs with highly sensitive info do).

In all these cases spyware is futile. Am I missing something?

Enforcing/auditing sane security settings on the device.

Very much required for compliance, zero trust, protection of IP, and foundational to a reasonable security plan.

I think I added #4 after your comment. Which is essentially my response. It seems like a very weak measure, at the cost of privacy considering it's the worker's personal device... If our solution is to require separate devices anyway, then spyware seems like a waste of time, they should be providing secured hardware/OS.

On second thought, this _is_ the answer... they are making a compromise on security, it's an economic decision. Maybe it makes sense from a business perspective: check some boxes, get a bit of security (not much) for almost nothing - but as you can probably tell, I think it's both pretentious and disrespectful.

Yes, it's definitely a economic decision. They're going to run this type of software on their own fleet and want it on everything connecting to the network. If you're willing to run it on your own device that saves them the hardware cost.

That said, a lot of users _want_ to use their own devices (maybe they have better equipment, maybe it's less locked down, maybe they don't want duplicates). It's not sane for the business to allow a device that is more likely to be compromised and/or have poor security hygiene on the network.

I'm a fan of privacy but... At least on my team, we're definitely not spying on you, we're making sure you have a password, encryption, antivirus, and updates installed before you can connect to resources. It's shocking how many people don't have authentication enabled and run as root, if they have a choice, on their home system. That said - we could flip switches and do a lot more spying if it was mandated :/

Why don’t you write an opensource “agent” then, with no remote code execution capability? I doubt people would mind running some opensource bash script that hardens their devices.

Anything but this, and it’s clear you’re just evil.

The ship has totally sailed on whether it's a best practice to instrument machines employees use to conduct work, in the name of compliance and security. That's an utterly standard control, and unless you have a remarkably potent new argument against doing so, arguing that companies shouldn't do this sort of thing is kind of uninteresting. If anything, the prevailing sentiment (for better or worse, mostly worse) is that companies should be doing more of this, not less.
> Someday you will have an arm full of Apple Watches, one for each client.

Noooo. Armfuls of watches are just for hilarious movies and such. It's not supposed to have a corporate elementttt. The cyberpunk vibes are too much with this.

Can you run all that in a cloud vm, and RDP into it for work?
This is the better option. I used to have a separate laptop just for one client and it was a pain in the ass. What happens when it gets damaged? They could charge you for the repair. Not worth the hassle of keeping track of it, lugging it around everywhere, keeping it charged & updated. Definitely a pain in the ass. Just do a cloud VM that the client owns with VPN access to the client's network. These are common now with Amazon Workspaces.
Seconded. We use Amazon Workspaces with access to our VPC for an offshore contracting firm we are working with.
> If you want to ship me a dedicated laptop for your engagement, I would be happy to install whatever you want on it."

That's what Statnett in Norway did when I did some work for them a year ago (Lenovo X1 Carbon). The difference being that installing anything on it was pretty much impossible. All traffic went through the Statnett VPN. It's the most security conscious company I have had any experience of.

But I was also able to use my own laptop by installing the Citrix client and that was much better. I had never used Citrix before and was pleasantly surprised at how fast it was.

I would just charge them for a new laptop that is used exclusively for that project.
> If you are a freelancer then your contract should allow you to do work for others

Not only that, in some EU countries it's even illegal for a freelancer to work for 1x customer.

> Not only that, in some EU countries it's even illegal for a freelancer to work for 1x customer.

How does that work? Is it more "exclusively for one customer" similar to the how the IRS rules work?

Simply - if you are working only for a single customer within a certain time period/receiving the majority of your income from a single source, you are considered to be an undeclared employee and not really a freelancer (= business) - and that exposes both you and the company to big fines. It is not the only criteria for this but a pretty large one.

Both France and Germany have such laws but other countries do too.

The point is that many companies would otherwise stiffle workers by forcing them into becoming freelancers because then they don't have to provide legally prescribed healthcare benefits, paid vacation, contributions to pension, etc. that employees get.

And at the same time those workers don't have really the position to meaningfully negotiate their contracts to e.g. include extra pay for that missing vacation or healthcare/pension insurance. I.e. we are not talking about IT consultants but delivery drivers, cleaners, etc. - low paying jobs.

I.e. Uber's business model - and that's exactly why it was banned/had big problems in many EU countries (in addition to completely flouting the existing taxi service regulations).

In France in practice you can work 2-3 years for the same client without too much problem from what I could see. They just make sure to change the mission once in a while, so that the contract does look like it's lasting too long.
Well, that it is poorly enforced doesn't make it any less illegal. If you get an audit from the social security or tax office there, good luck.
Uk has this law too. If you freelance to just one company you’ll be classed as an employee of that company instead of self employed.

The reason is companies were abusing self employment laws by only recruiting freelancers even for full time roles so they didn’t have to provide sick pay/parental leave/holidays/pensions/etc.

Keeping their software segregated is sound advice, but as they are your client there are a couple of other ways I'd offer to handle it:

1) Keep all software related to work for their company segregated inside a VM. Then you can install whatever they require without interfering with your main system or potentially exposing data for other clients.

2) If they want a separate physical system, tell them you would be happy to provide it for a fee: an upfront fee for the cost of the system and an ongoing fee for maintenance of it. Be sure to mark everything up as you don't work for free.

Since you're not an employee, you really shouldn't be asking them to provide hardware as (in the U.S., at least) this could create tax problems.

We provide hardware to contractors all the time. They don't own the hardware so the loaner does not trigger a taxable event for them. When the contract is over, they return the hardware. The hard part about this in the current day and age is getting the units through customs.
In the U.S. the issue isn't a taxable event, as in a gift. The issue is 'independent' contractors working on equipment supplied by their 'client'. This is one of several tests the IRS can use to reclassify them as an employee for tax purposes.

This tends to be more of an issue for solo contractors rather than contract houses as the IRS tends to look the other way on most of the larger contracting outfits.

This sounds good on the surface but then you are still giving in to unnecessary surveillance during your workday.

I would want a big compensation increase to deal with this. Like on the order of 2x my rate.

^^^ - This!

You don't 'require' anything on equipment you don't provide. full stop. period.

For independent technical consulting for over a decade, I had only a small number of high-value clients, so I ended up dedicating a ThinkPad to each client.

I also had email account specific to each client, so that I could have a mail program on that ThinkPad access only the respective account.

There are many reasons to do one laptop per client (especially if you're WFH, not traveling), including not exposing personal and other-client stuff to whatever weird stuff is in the build environment of one client.

Another reason, though this never came up for me, is that there can be legal orders to permit inspection of the computer, online accounts, etc., including by computer forensics. If that happened for one client, that could be in conflict with your obligations to another client (as well as in conflict with your SO's private vacation photos, if they were on the same device). Being able to reassure that everything for a client was compartmentalized to certain devices and accounts might come in handy.

At one point, I even had color-coded labelmaker tape to help keep track of what was compartmentalized to what. And photos of the devices with the physical labeling on them, in case I ever needed to convey that I took it seriously.

(Related: One time, I had a hard drive fail such that (despite encryption) I couldn't do an approved wipe of it before disposal or warranty return. That client's compliance policies required that I physically destroy the drive platters, and ship the remnants to them via Registered Mail. It was a slightly fun/cool exercise, especially since the platters shattered nicely. And the neighborhood of $100 lost was well-invested in professionalism goodwill with a client who paid a few orders of magnitude of that amount over time.)

(In some ways, I'm now happy to no longer be running a consulting business, mainly because a predictable, consistent amount of money just appears in my bank account every couple weeks. :)

This is almost exactly what I said when I was asked to install end-to-end protection software into my laptop as a freelancer. I stood my ground and they understood. They initially said they would send me another laptop to work from, but eventually relented on the requirements altogether and just limited my access to customer data.