Ask HN: My client want an agent on my laptop. Is this the new normal?
A few days ago, an email came out of the blue, demanding that I install an "agent" from a company named "Drata"* on my laptop. The motivation is that my client badly want a SOC 2 certification.
I have worked as a developer for more than 30 years. Tiny shops. Startups. Major league. I have never even heard about someone putting agents on developers laptops.
I'm pretty pissed off. So are the teams I work with.
Is this the new normal now?
Just for the record: I don't have credentials to production systems, and I don't work with production data. I just figure out how to transform dreams into code, I write parts of that code, and then I fix it as needed.
* Drata (https://drata.com/about) is on a "Mission to Help Build Trust Across the Internet". Their business model (in my case) seems to be to take money from companies to spy on their employees/contractors, and then they sell the employees/contractors private information to "targeted advertising". When I confronted them about this, they replied: "Feel free to reach out to your Drata administrator internally with concerns. Do note, that when your company contracted with Drata, any edits or redlines they provided will prevail for all employees of your company." - basically to just bend over and smile.
505 comments
[ 2.7 ms ] story [ 305 ms ] threadAnother alternative might be to install it into a VM or old but freshly-paved computer.
However, the reason I asked here is to get a feeling about how common this thing is. Is this normal? Am I the rat in the lab, or am I just late to the party?
Say, we fought against DRM and while the music industry have completely abandoned it, that victory turns out to be useless because the video streaming industry have embraced it total and there's not even resistance against it this time.
I am so, so tired of fighting against these. I translated Doctorow's anti DRM speech in 2004 into my native tongue as one of my last acts as a Hungarian journalist. We have been fighting for so long. And the DRM war is lost.
Nonetheless , we need to stand. We, who have the privilege to be able to say "meh, I quit" because we know the next job is just days away. We need to for the sake of all those who do not have such a privilege.
This is a thing the unions would have exterminated in the past. Problem is, most developers are not in a union.
There is still the choice to "just say no".
Recently they provided a Macbook pro, in which I installed Little Snitch and taped the camera, so I don't worry any more.
It won't go away by itself because if they're asking it means you are in their corporate directory and showing up as noncompliant in the Drata dashboard.
It's extremely normal on company hardware used for business purposes. The conflict here is trying to run multiple clients on the same personal hardware. Never do that.
If they're willing to give you a company-owned laptop, take that. Then it is their machine to configure however they like. If not, tell them you'll lease a laptop dedicated to them only and pass on the monthly cost (with some profit margin) as part of your monthly invoice.
Specifically, it's perfectly reasonable for you to say "OK -- if you're willing to provide me with a dedicated laptop". They can say no of course, but so can you. Or you can request a rate increase (which they would probably say no to, if they won't provide you with a laptop).
Either way, those are you choices. Yes it sucks to a degree, but that's what work does generally and which is why it pays money. All we can do is moderate the suckiness-to-money ratio as best we can.
It took me less then a few minutes after I read the mail to come up with algorithms to implement this thing without compromising my security or privacy. VM. Using an old laptop and remove the wi-fi card. Get a new PC or laptop. Wire whatever I choose on a vlan that goes directly to a VPN server in another country.
However, I still don't like the idea of running an agent on my/a machine. It's a road I feel strongly against going down. But then, I came from a different time, when people still trusted each other and acted in good faith.
They are looking for their interests (minimize security breaches) and that's a perfectly understandable position and solution to the problem. In this day and age the risk from a breach is much larger than in the past.
Since they are willing to provide the necessary equipment for that then there is no issue from your end.
No. This comes from the sales people. They want to provide a "SOC 2 Audited" certificate to their potential customers. They don't give a rats ass about actual security.
The upper management does care about security. But I don't think this particular requirement offer much of that.
Whether or not the people monitoring the agent's output will care, is a different question. ;)
QEMU can get you very far in masking the presence of a VM. If it can work around Nvidia's cash grab of not allowing consumer cards to be used in VMs, it should be able to deal with whatever bullshit spyware.
When doing so on VMware or KVM, things are extremely obvious. I haven't tried just plain QEMU though. :)
I wonder, if "in the spirit and for the strength of mutual trust" would they be willing to provide you with the reports on the agent-collected data about you. Basically, the copy of how you are being shown in those dashboards.
It's fairly reasonable, as you're not an employee by definition, yet such policy or a requirement to operate on client-controlled work means is an employee's realm, not an independent contractor's one.
Here's IRS independent contractor test:
https://www.irs.gov/businesses/small-businesses-self-employe...
The same goes for other bullshit sprung on you out of the blue - noncompetes, piss testing, etc. There's a decent chance that if you just passively stonewall, they will eventually give up.
Disagree - in general you never want to be expressly terminated. Layoffs are a different matter, of course. But an explicit "for cause" termination is always a red flag to any future employer.
There's a decent chance that if you just passively stonewall, they will eventually give up.
You really can't stonewall these things and I wouldn't suggest to anyone that they try. If they foist unacceptable conditions on you as a condition for continued employment, then whatever it is -- moving to Dallas, a shitty NDA, taking a piss test -- you need to be an adult and say some version of "Thanks, but no thanks" and move on.
Or stick it out and be prepared to be miserable and feel like a suck-up if you want. But either way, those are the choice, unfortunately.
Every situation is a negotiation. I'm not advocating outright aggressive rejection, but rather passive stonewalling or responding with a counteroffer. Ultimately it depends on your position and what value you're providing. If management loves you (or needs you), that will go a long way in a sane place. You're a known quality employee getting the job done, and someone from HR or IT is coming along and rocking the boat. Obviously if you're already on shaky ground, then you've got a lot less leeway to play around.
In my last four engagements, every single laptop provided by the employer had something. Usually Tanium or Carbon Black. Network interfaces being disabled entirely if you're not connected to their VPN. One client requiring the use of a Meraki hardware VPN appliance.
This was an investment bank, a university, a software company and a health insurance company.
That part is clearly Security Theater. Having worked with real security for decades (consulting, training, building server monitoring and alerting tools, building commercial firewalls) I get quite provoked by fake security. For example, this "agent" checks for disk encryption. It does not check for password strength, or even if there is a password (you can use full disk encryption under Linux without any password). It also require anti-virus, which under Linux is more likely to do harm than any good.
What I don't understand is why they choose to do this to their engineering team. I don't know much about SOC 2, but from what I have read, the "concern" is mainly production related. Most of the engineers, including most of the really senior ones, never access production systems.
Or they just saw an opportunity :)
My host file system is encrypted. If I install the agent, it will complain about the VM's file system not being encrypted. If I double encrypt, compilation times will go up quite a bit. Besides, running the agent in a VM will just be theater. If the host machine is compromised, no security in the VM will mean anything. I could just as well run the agent on dedicated VM with antivirus and disk encryption and just forget about it. Theater is theater. The audience would be the same, and they would see the same Play. However, it would not be ethical. It wold also lower my local security, as it's not impossible for malware to escape from a VM to the host machine. (I have worked for a VM vendor. I know a thing or two about VM's).
I have reasonable good security on my devices. Complying faithfully with this requirement would lower my security. If I silo it in it's own LAN, on it's own hardware, it would lower my job satisfaction and my performance.
And that's the (poor) choice the company gets to make. Document/communicate that they're getting less work per money and let them deal with it.
I like the challenges I work on. I work with very smart people. The managers I know well are mostly good people.
But the company is growing fast, and there are new managers running loose every week, marking their territory and making signature changes. That's a bit exhausting.
Ideally, someone would hit the breaks, and come up with a solution where the company get whatever certifucations they need, without pushing me into "I'm hurt, so I'll hurt them back by being less productive" mode. I enjoy being productive.
Then managers will get the idea they might get complete control over an employee's life, scan their network, track what websites they visit, keep tabs on their social media. If they don't have social media where they should be posting how amazing their company is, they're fired.
Many of these things are already happening. We have to fight it, unless you want to spend 90% of your time finding technical solutions to avoid it.
It’s an interesting question, and one that we’ve evaluated with respect to our own customers, who lean on freelancers and other small vendors. Getting back to my original statement about the nature of the business relationship, we’re asking questions about what level of technical sophistication a freelancer has and whether they’ve established enough of their own policies and procedures to meet regulatory requirements independently.
Often times, that’s just not practical. Even then, my preference is for the client to provide a managed device to the freelancer or to offer them self-managed options with documentation requirements to prove compliance. Forcing a contractor to install an agent like you’re describing onto their own device feels like a privacy intrusion, and may also represent a risk to the contractor’s other customers.
If they’re expecting you to provide the hardware, then politely decline.
Rights should not be thought of in terms of their financial cost.
Agree!
It never "key logs" anything or collects any of that type of information.
Our agent has been third party security validated and we are happy to share the report with any prospect/customer as well as the configuration.
Source: Work for Drata as the CISO
Put money on your claim. Put up a surety bond or insurance for users’ data breach. All the security audits won’t beat putting your own financial stake on the table.
What other kinds of personal information does it process or collect, locally or in it's server endpoint?
An external IP address is personal information. A UUID identifying a block device is personal information. A hostname is personal information. Anything in "/usr/home" is personal information.
Is it so difficult to define deliverables and pay for completed and tested work? The business value of any given function point is the same whether it took 100 hours to develop or 10 hours. Of course, more productive programmers would benefit under such an arrangement.
Oh wait ... the problem is that requirements specifications are never clear nor complete enough and there aren't any tests to confirm correctness of the implementation.
It is? It's a problem as old as the hills — how do you measure the amount of work done? I can churn out several new features in very short time, but then spend two days chasing a bug which results in a single-line fix. From the management POV this looks like I've been very productive for a few hours and then spent two days doing fuck all.
JIRA, Trello or other tools are (usually) not used for the team's benefit, but as "actionable items" or whatever for clueless upper management.
Bugs are a waste. Number of bugs can be reduced with better practices: peer review, various tests; better software: linter, automatic verifier, compile time checkers (-Wall + -Werror, rust), code generators, libraries; or additional business process: quality assurance.
To improve something, your manager need to measure it first. You can propose everyday reporting of spent time instead of spying tool, e.g. "2h working on #1234, 6h fixing bug #23456", which is much more valuable to your manager than raw data.
In my previous company, we reduced the number of bugs and time to fix by an order of magnitude, because we were able to see the effect of changes in tooling and development process.
That's the point of paying proportionate to hours and not value of your output. There's some delta! You can try the value of deliverables model but you'll have to be quite irreplaceable.
I use my own equipment for my work and it's all on a VM. Everything work related is done on the VM. If I leave all I have to do is delete the VM.
I've read that Valorant refuses to work on VMs and requires full hardware access for its anti-cheat software. I can imagine "corporate security" agent software doing the same.
There was one company which required devices to be up to date on the latest security updates from the OS and every wednesday an employee was chasing everyone to get confirmation that our systems were updated.
If a client would require an agent to be installed I would ask for a company laptop to do the work on.
I talked to an Intel HR person (informal chat, I never applied there nor planned to) 2-3 months ago and after I stated that after a decade of remote work, I see pandemic-driven introduction of harmful concepts like spying on previously trustworthy contractors by control-freaking managers that have no idea how to prove themselves in new reality, I was given a look which would usually be reserved for a psychotic person believing that they're being watched 24/7. Quite an unique experience, contrasting with how HR folks are trained to do sect-like "love bombing".
You want me to work for you and deliver results? My pleasure - that's what I do.
You want me to hang a company logo in my place and sit in front of camera multiple times a day, log every minute of my time and creep on me in other ways? I never worked in "Office Space"-like environment and I'm not planning to. Go fuck yourself, I'm out.
Was it great when I was the only one with adblocking software? Yeah, for me. But it was worse for society as a whole, most of whose members had no adblocking whatsoever.
So I guess we're winning?
So poetic.
I don’t conduct personal business of any sort on a corporate device. Just not having direct access to production won’t exclude you from security protocols, else how can you guarantee nobody slipped adjustments into software you have checked out,a ‘git push’ originating from your endpoint, which then gets deployed?
Really weird stuff, I hope that won’t become a trend.
If they are honest about this, then providing you with a nice laptop would be far cheaper than dealing with multiple-agent issues. Let alone getting into "how do we need to do this, to comply with laws & regulations?" conversations with lawyers. If they are not honest...
Legally I work for a company in the EU which I own.
They are willing to pay for a decent laptop. That is not the issue. The issue is that I feel quite upset about this requirement. My motivation to discuss it here is to get an idea if I am out of touch with current reality (like some old guys some times are) - or if this is a form of cancer it's worth fighting against.
I agree with much of what has been said, security theatre etc etc; but at the highest level, should companies take IT security seriously, absolutely. Is the implementation correct? Probably / certainly not. The real cancer is the total disregard for security and data privacy that has metastasized to the point where a leak containing everything from a company doesnt even register as an incident anymore.
If your contract was with the CIA and they had requirements, you would probably be on board with them. We have all been around the block and seen the state of some peoples computers; even technically gifted people with malware and spyware riddled computers, with the CashFollowerDataScrape Browser Toolbar installed and Password123 securing everything. Do these tools stop this sort of stuff, not really.
Work / Personal device seperation is always the answer, the red flags are the companies that demand compliance, but refuse to provide equipment. If the contract wants you to do something you are free to accept or decline. If the contract wants code written using their style guide it would be a similar cosideration, even if it meant spaces instead of tabs. if the contract wants you to code only using your index fingers only, are comfortable with it taking 10x longer and will pay 10x your normal hourly rate, you are free to accept or decline.
I recognize that you are just making a creative suggestion here, but that is impossible. SOC2 certification is incredibly complex and hard to manage (not to mention, costing tens of thousands of dollars a year). It is difficult to the point of impossibility for one person to achieve.
Not only is is practically impossible, it is also literally impossible for a one-man show to achieve SOC2, because there are control objectives that require separation of duties and verification of one person's work by another. I think the absolute smallest a company could be and achieve a SOC2 would be three people.
One of our clients at $Day_Job is a laboratory - subject to arbitrary (from their viewpoint) rules for certifications, etc. If the certifying agency says "round this value to 3 decimal places" - it doesn't much matter if $Client hates that idea, or if it is (science-wise) wrong. One can argue with them...if done wisely, that occasionally works.
I'd be tempted to look into the SOC 2 stuff. Especially real-world accounts of how the AICPA interprets and applies the rules. There can be wide gulfs between what the written rules (plus "reasonable professional" logic) say, and the standards which the auditors (with their own mindsets and habits) actually apply.
Hmm...does the US startup you're working for have someone really familiar with SOC 2 certification working for them? Or just some energetic manager-type, who's zealously trying to apply his own interpretation of the written rules?
Best wishes.
Not that I'm aware of.
I don't know the details. My interpretation is that some manager hired some company to help them with this certification that the sales people says that they need.
The ironic thing is that I work for a privacy-focused startup where such a practice is in total opposition to personal values held dearly by most people who work there. They claimed (and I assume that it's the truth) that this requirement was forced on them by the insurance industry. Apparently insurers are at the moment super-focused on cybersecurity threats and it's simply impossible for them to obtain general commercial insurance without having this in place. Going without the insurance means greatly diminished valuations and prospects for an exit.
So I installed the agent on a webserver that I have that has absolutely no data other than the static files that it serves to the web and that consequently are by definition public. So far they haven't noticed that it's not my actual work machine, and I expect that, with this being a mere box-ticking-exercise that they don't really care about and are on some level even opposed to, they have zero intention of taking it beyond "don't ask don't tell".
The thing I'm slightly worried about is that the agent logs logins and failed login-attempts. The problem is that employers who under normal circumstances never look at that data might suddenly get the idea of looking into it when employment disputes come up. So I'm a bit worried about creating an audit trail that basically says I never log in to my machine.
Maybe I need a cron job which, with a small amount of random variance, logs into the machine in the mornings and out again in the evening, but that would be crossing a line, legally speaking. With the current state of affairs I can plausibly plead negligence (I meant to install it on my personal device and just didn't notice that I was actually connected to the server when I hit "install"), but with an elaborate setup involving cron jobs and such, I'm clearly establishing that I'm acting in bad faith.
I have two qualities that makes customers willing to pay a premium. I am very good at what I do. I am honest. I don't want to compromise my integrity.
kvm switch are great to be able to re-use your input/output devices without mixing up personal and corporate stuff... this is what I use... A physical button to separate the 2 environments.
And they will install a trojan which would eavesdrop your talks, scan your home network and analyze its traffic.
(I should say that intentional monitoring of my private comms was never a concern for me when I freelanced, but I was somewhat worried about infections in my clients' devices moving laterally to my home network.)
The type of network segmentation being discussed is not rocket science, but it's not trivial either. VLAN segmentation can have tricky edge cases that cause things to break in a non-obvious way, nothing that can't be worked around but for someone who "isn't well versed in networking" would probably be more than you're up for. Also keep in mind that you can't do this with most consumer networking gear becasue it's too complicated to setup and support without some experience and knowledge.
I'd not recommend VLAN segmentation unless you want to become someone who is more versed, which I don't oppose, but it's not a switch you can flip in 5 seconds and never think about it again.
The more obvious solution would be to get a separate WiFi router and internet connection strictly for work purposes.
At that point you could also consider it a 100% home office expense and it may be tax deductible (talk to your accountant).
I then went back and configured the OpenWRT box to create a WiFi hotspot and serve DHCP on a different subnet to that used by the home network. I configured an OpenVPN client tunnel from the router to pfSense, then set up a NAT ("masquerade") from the segregated network into the tunnel. I think I actually left a couple of ports open on the OpenWRT from the segregated network, but properly I should have firewalled them off so that the router was only accessible from the home network, since I doubt OpenWRT has been seriously pen tested by anyone. I'd probably also use Wireguard if I did it again.
The above config worked, but the CPU on the TP-Link was too underpowered to get more than a few Mbit/sec throughput. Since I didn't particularly care about having a VPN (I was going to throw this traffic on the internet anyway), I messed around and managed to change the tunnel type to L2TP. L2TP pretty much just takes the packet you give it and adds a UDP header for routing, so that approach gave me full bandwidth. I think I had to mess around a bit more getting MTUs set correctly to account for the L2TP header, and maybe had some trouble with auto-restarting the tunnel on failure.
One of the (flagged) responses to my original comment was "Who the fuck has the time to do that?" I actually think that is a fair comment. This all took a day or two to set up and debug, it isn't something that the casual user is going to do and, to be honest, I probably wouldn't have done it either except that I wanted to play with pfSense.
I'd do it again, though -- it was fun.
[1] https://openwrt.org/
[2] https://silasthomas.medium.com/how-to-import-a-pfsense-firew...
I do cyber/data stuff, often on the network-y end.
This is not something the average home user or consultant is going to setup/configure/manage and I don't expect it either.
The worry that the $CORP device will be abused to "validate the security of the network its connected to" is very much a possibility. Most corporations have no desire to do so, and endpoint protection is their primary goal, and they don't need to scan your home network to do so, it is all local to the device. It's about protecting the integrity of the device, not the rest of the network around it.
Someone has to start stopping this madness and protect less informed people. We are all steering into a dark future. And i lose hope when i see all these smart programmers complaining but not stepping up.
Whatever the app they would ask you to install would do probably is going to be allowed by its EULA (and I bet the EULA is also going to prohibit you from analyzing the app and whatever it does/communicates) and chances are you don't read it. And even if you do you most probably agree because you know all EULAs are brutal and there never is a button to object its specific part and continue.
What we need is legislation to recognize all the data and metadata about your PC, all its software, your home networks&devices and their usage a kind of personal data and apply the same rules GDPR applies to tracking cookies - giving you the right to continue without agreeing to be spied on.
You'd also need a firewall, and to configure it correctly.
Your employer isn't your friend.
It might be an awesome company to work for perhaps, but it's still a company (unless you work for like a 2 person startup). A company subject to audits and regulations and all kinds of other pressures (some of them actually valid, though many are theater) to monitor and control data and flows on their hardware.
You don't want those monitors etc on your personal data and network which has nothing to do with work.
So, keep them separate is the best possible advice.
But they are not allowed to scan my home network and other devices, and they have no reason to break the law. I trust them to not do that more than half of the devices running on my home network.
No reason to trust, better to isolate.
Tugging against this evolutionary pressure is really hard, not only for individuals but also on the society level.
"Just quit LOL!" is a commendable act of grassroots activism, but not everyone is able (or willing) to afford such luxury.
Because, until last week they didn't.
Now I have to figure out if I'm just an unreasonable, stubborn old guy, or if this requirement is out of band.
In my case, I just outright said "hey, you guys I really want you to be my client but I'm gonna need a new laptop". So we bought a new laptop as part of the contract.
If brute force isn't working, you're just not using enough of it yet.
You have audio-video input sensors on all sort of programable devices nowadays, even some TVs can be turned into two way communication devices. That's a nice 1984ish vibe to ruin your late night matrimonial TV browsing.
They WILL
> which would eavesdrop your talks
That absolutely WILL - use the microphone and listen to everything being said (why not the camera too and watch everthing?)
> scan your home network and analyze its traffic.
That absolutely WILL - do all this stuff
I mean if this is definately going to happen, then the company can go ahead and cut an 8 figure cheque straight away. Which company and where do I sign up?
Because who doesn't have a lid/sticker over their webcam yet?
I have also kill-switched the built-in mic in the BIOS set-up but I'm not sure how secure this is. I would prefer there to be no built-in microphones in any hardware (except phones) at all. Sadly every modern laptop is equipped with a mic.
Most companies don't want to spy on their employees' free time. They want to 1- make sure they are compliant with the law and their confidential stuff is secure and 2 - make sure that you are actually working for them when you say you are.
Installing something to listen to non-work related stuff serves neither of these goals, and would open them up to lawsuits and PR nightmares.
Sure you might get a bad actor voyeur, but as a matter of policy, companies just don't care what you're doing at home as long as their security interests are protected.
I have a separate network for work machines at home, which goes straight to Internet and can't route in or out of my actual home network which is behind its own firewall.
I wouldn't offer this. You're still going to need to login to Github/email/wherever with your personal password, manage private keys, and stuff like that. Just say no.
I’ve recently been contracting and the only private account I used was GitHub, and that was a conscious decision to maintain a single public developer identity.
Otherwise, I expected them to provide all hardware and software required to perform my role.
And likewise, for security purposes, that’s exactly what they wanted as well.
Tho I would note, they wanted to perform a background check prior to starting. And while i didn’t have a problem with the employer having those details (for the period of the contract) they performed this function through a 3rd party, who has stated they won’t delete my data (I will be following up post-contract). I was not happy for a 3rd party to have this data.
I would also not login to or install any apps, or certificates on my phone. Again, if that’s required, send me a phone.
The company I was working for had SOC2 / ISO2700 / what ever and I think this is exactly why they wanted all this. But it suited me to seperate things as well.
For large companies supplying VDI to consultants tend to be an standardized package that gets billed back to whatever project is hiring the consultants but for mid-sized organisation VDI is a big scary word that's going to require special handling.
Most desktop support teams are completely dependent on standardization to the point where they tend to turn into complete control freaks, that panic at the thought of anything that is not "by the book", so they often just apply the book without additional budgets to external consultants.
Virtualized desktops have been solved. All the major players offer them. FFS, you can run Xbox One games in the cloud and play in your browser now.
It’s not a hard rule. It’s just one of a number of tests. But contractors are generally expected to provide their own tools.
If you want to be really cheeky, could get some value-added margin on it too, and as a bonus, AIUI it would be yours to keep after the engagement, rather than having to return hardware they've assigned to you.
Might be tough to get past finance though, unless they really want that certification :)
I probably was more of a “temporary employee” than a contractor. But what’s the difference at that point? I was paid more than the value of entitlements as cash. It suited both parties, and was mutually agreed.
In hindsight, having them provide the hardware, and then handing it back at the end of the engagement would be my preference. It reduced any risks for them and me.
Tho I can easily imagine on/off or short infrequent contracting scenarios that this would not work for.
If you’re a temporary employee, the employer is responsible for payroll taxes, and has additional obligations to you (depending on the state). You’re obligations— both to your employer and to the IRS—are different as well.
I’m addition to unlawfully skirting regulations, misclassifying an employee as a contractor is essentially stealing from the employee by reducing the company’s tax burden and increasing the employee’s.
Yeah like sending invoices arranging contracts I use my main mail account. For doing customer things I rather setup new email account or get one from the customer.
At one point I had 3 sets of machines: Two different 14" laptops from two different clients and my own machines. At some point you simply run out of space on your desk and end up constantly either working on screens that are too small (14" really isn't enough to be productive), or plugging laptops in to and out of screens as you're context-switching. Carrying three laptops with you when you're travelling if you anticipate having to work for both clients during that timeframe is also not exactly my definition of great fun. And you end up duplicating a lot of effort around managing that IT, like tweaking settings the way you like them etc.
The argument "we own this laptop, so we can do with it whatever we want, including spying on you" is just not valid. They're either doing things that I'm okay with, in which case I'm okay doing it on my own hardware. Or they're doing things I'm opposed to, in which case I'm opposed to it no matter who owns the hardware.
Also: In many European countries, authorities are clamping down hard on practices whereby companies pass people off as contractors who really are employees. They usually work off of lists of criteria of what makes an employee, and if you fit too many of those criteria while, on paper, passing yourself off as a contractor, then you and your client can be in for a world of pain. One of the criteria that makes you look more like a contractor and less like an employee to the government is providing your own facilities like the computer you work with.
And, last but not least, it's just not a good way of dealing with the planet's resources.
I had informed the client that I will be disposing of them when I’m back if they don’t handle it and that any and all third party liability well fall on the direct supervisor if he can’t organize the transfer.
Needlessly to say even me connecting them directly to the courier was not enough.
My guess is that the OP depends on the money otherwise he wouldn’t be asking for help. So either but a cheap laptop and then control it with barrier[1] from your main driver and don’t ask(because whatever you ask they will probably say no). Or let them ship theirs to you, but I’m willing to bet that it be worse than whatever second machine you get.
In the meantime I would suggest you look for a new client because judging from experience there is a lot more pain to come. I didn’t do it in time and ended up paying dearly for my lack of initiative on that front.
[1] https://github.com/debauchee/barrier
Off the top of my head, remote wipes/resets make sense. Frankly, I prefer the company has that option, just in case I lose my work laptop. Encryption should cover it, but I'll take the backup.
Compliance agents also have a legitimate reason to exist, but I don't want them on my personal PC. Some places maintain lists of allowed software (I think in part so they can track/inventory them for compliance stuff). I respect that they have the right to restrict what I install on my work laptop, but I reserve the right to install whatever I please on my own computer.
It would also not be insane for a company to do automated backups of company laptops to company servers. You want a way for Joe in marketing to get his data back when his cat pees on his laptop. I do not want all my personal documents on company servers.
The amount of compromising content we've seen and or found on investigations is mind blowing. No one needs that on a work computer. Keep your private life private from your employer.
The above two comments however seem to be arguing from the viewpoint "this is just an individual person and any individual person surely needs babysitting by a big mighty corporate IT department because otherwise they can be expected to do stupid things like losing storage media with important data and not having backups, never doing updates, having their computers full of spyware, intermingling private stuff and work stuff from different clients in such a way that there's data leakage, etc. etc."
If you want to truly treat a contractor as a contractor, you should think about it as your IT needing to interface with their IT in such a way that it makes sense for both parties. And "here, use this laptop" is just frequently a bad solution from the point of view of the contractor's IT.
I also heavily object to the notion that any expectation of privacy goes away on a company laptop.
Ideologies and realties are different. If you care about personal data, don’t put it on the company. The company however has a huge liability with your personal data. I’ve mentioned else where I have dealt with issues of personal data becoming an issue for the company via blackmail, or in a couple cases, the company was legally required to report child pornography. So yeah, if you don’t want the company to know, don’t put it on their equipment. If you buy dedicated equipment for work, use it for work and work only. If you want to use your machine for Everything, that’s fine, but understand the risks and the lack of an expectation to privacy.
But I'm not sure what country and what legal concept it is that you are referring to when you say "it's been held up in court multiple times that..." I'm based in Germany and have recently undergone GDPR-related training with a lawyer specializing in privacy law. In the training, the lawyer explained court cases that involved regrettable intermingling of work and private data in a company's IT. The result was that the law then started looking at that company's IT as being more akin to a telecommunication provider, with similar legal provisions coming into effect regarding telecommunication privacy.
Also: Anyone who lets their mind jump straight from "privacy" to "porn" is missing a big part of the picture of what privacy is all about. The way I think about it, it's a basic psychological need. Your psyche can be in a "public mode" where it assumes that any and all information flows emanating from you are out there for everyone to see and do with as they please. The result is that you have to put up huge amounts of self control which is psychologically exhausting. Therefore, the psyche seeks private spaces, where you don't need to control yourself as much because you know that nobody is watching.
The fight for privacy in the digital sphere is about ensuring that, just because our psyches are nowadays constantly linked to digital devices, this doesn't result in our psyches having to operate in "public mode" all the time.
It's about establishing clear delineations of who gets to receive what information flows relating to you and how they can potentially use that information against you.
For example: A company does time tracking through Excel sheets, but they also have IT security logs that keep track of people logging into and out of work machines. One day the company decides to run a project: They put the two data sources side by side and identify employees likely to be cheating on their time sheets. They fire the employees. ...this sets in motion a psychological effect in the remaining employees: They realize that they have a very poor understanding of what information the company's IT is collecting, and they don'T know how that information might one day be used against them. So all they can do is assume the worst. That means putting their psyches in "public mode" all the time, assuming the machine knows and sees everything, and the employer will use that information against employees at whatever time and in whatever manner suits them. The psychological damage done by this is precisely what we need to avoid!
And the GDPR will usually actually prohibit such things: The company's register of data processing activities will tie the security logs to the purpose of providing IT security. And it will tie the Excel timesheets to the purpose of time tracking. If you start using the security logs for time tracking purposes, you are using the data cross-purpose and are in violation of the GDPR and risk a hefty fine. This is a model usecase of what the GDPR is actually good for, and it clearly relates to protecting individuals' reasonable expectations of privacy in relation to their company's IT.
I work primarily from a 13" xps. Given the high-res display + that I can switch desktops easily via i3, it's really a non issue for what I do.
You can also use a dock. For my work laptop, I use the Caldigit TS3+ thunderbolt and it's great.
Would you like them to have some controls in place to prevent that?
Would you like that to be enforced consistently and audited?
Would you like them to provide you with a certification that their procedures to ensure that doesn’t happen meet some minimal standard?
Congratulations, you have invented ‘demanding SOC2 compliance from vendors’.
And the upshot of it is that some contractors have to put up with jumping through some hoops.
You can always make separate github accounts, SSH keys, and so on, specifically for the job.
a lot of developers have separate everything
this can be bad when encountering the recruiters and hiring managers that still look at github activity as clout, but these days you still have to pass the technical interview no matter how much clout you have so I wouldn't worry about it
Uh, hell no. You should have business accounts.
Personal and business never mix.
You want to separate your customer's work from your personal or other clients' data, even if they don't install any spyware on your computer. How are you supposed to ensure that you don't accidentally breach any NDAs (that you, no doubt, had to sign) if you are commingling the stuff?
I worked for a big company that had various spyware thingies installed on all the company laptops, but they let you use your personal mobile devices for work (including iPad which was pretty nice) -- and wanted you to install their preferred spyware on it. I didn't do that but I expected they would eventually tell me to do it or stop using my personal iPad.
It seems like now that it's technically feasible, big corporate IT managers want their spyware of choice running everywhere. Someday you will have an arm full of Apple Watches, one for each client. You should embrace this future and price it in.
TLDR; Make sure MDM profiles are gone and the laptops are cleared before doing anything personal :D
Not if they are at the point where they need SOC2 cert, and where they install agents on their employees computers (and want to extend that to their suppliers).
My point is that if/when you get to need a SOC2 certification, you put the resources towards this, and you definitely have the financial/org means to procure hardware to suppliers if required.
If the company made the mistake of creating a policy that they use this software as one of their controls, then the auditor will ding them if they don’t use it.
It’s an absurd system.
A PCI question asks if all outbound traffic is explicitly authorized. I took that to mean getting a list of all the IPs for the APIs of services we hit, and even constructed that entire list except for one, the payment processor itself.
The payment processor did not have any stable IPs, and could not give me a list. Their official solution was to have our policy be that we explicitly allow _all_ outbound traffic.
If such an option is allowed by PCI, what is even the point of making it a requirement?
I made that joke to a VP once, and he brightened up and said "Yes! Exactly! Because until you're actually following explicit processes, you don't even know what you're doing wrong, in order to fix it!"
So I'm a lot less cynical about auditing certifications like this now.
The point of all those certifications (I took companies through the processes required for PCI, SOC2, and ISO27001 ) is security theater, a path in the back for the execs, the ability to have "I'm not to blame, I have this cert" in case of some shit happening, and the ability for sales to throw TLAs to prospects to show how Seriously(tm) the company takes security. Oh, and to check boxes to be able to transact with some large corporations.
There are plenty of stories of highly certified companies that were deeply penetrated and exposed, and all their security theater did not help.
The problem isn't these low bars, but rather the market for services to "help" people clear them, and the widespread perception that the bars are higher than they actually are.
But there are a couple of our contractors that rejected this for exactly this reason (they had other clients). For one of them, we just bought him a laptop that he does all our work on (it cost less than 1 day of his time, so it was a no brainer), and the other, we realized we didn't have to as long as he did periodic (documented) reporting of screenshots of his OS version being up to date, Disk Encryption enabled, and screen saver settings are appropriate. And they legally attest that they make a best faith effort to delete any sensitive data off their laptops (if they ever download it).
We've talked to a couple of auditors and that seems to be sufficient and pragmatic as it accomplishes the same goal.
Every company I’ve ever worked at, and that includes very large ones, will have legal, HR, and finance tell you at some point that “you must do X”. Sometimes X is no big deal and you do it. Sometimes it’s hard, and you ask the business to fund it or remove the requirement. Sometimes it’s nonsensical in your context and at that point the job becomes understanding why X is a requirement and how you can satisfy that requirement in some more pragmatic way.
At the end of the day, these functions are there to support the business.
One day they sent out a particularly onerous "agreement" that said that we agreed not to use a phone while driving a car and doing so would be cause for termination etc.
I went down to HR and asked them if they were really trying to regulate what I was doing in my personal vehicle with my personal phone and they replied "No, its only meant for when you're in a company vehicle or using a company phone."
But the agreement itself clearly stated any phone any car.
The workaround I came up with was this-- a friend of mine and I swapped forms, and signed each others names. HR had their illegal, unenforceable agreement, and life moved on.
I got my "revenge" 6 months or so later. HR was frantically calling me for some reason-- I was stuck on the freeway as is our custom in Orange County. I ignored them for something like two hours, and explained that "I was stuck in traffic and as they were no doubt aware, we are prohibited by company policy from using our phones while operating a vehicle."
The HR gal was visibly pissed off, but to be fair, I could have been fired for answering that phone call.
I am not a lawyer, obviously, but what I meant was, threatening someone to sign a legal document can't be legal, even if its your employer.
That's not OP's problem.
Just remember to put some customized adhesives telling what laptop is rented to what customer.
Should we though? what you and the parent outline is a most sensible way of accommodating it while minimising invasion of privacy, however I question the underlying reasoning, and therefore whether or not we should encourage it. What perceived gains are to be had beyond merely box checking for accreditations? and in those cases why is it part of those accreditations, what is the intended effect? I can think of a few but they are all flawed or attempting to enforce something impossible:
1. Preventing leaking code/IP (But if you can't trust them they could just as easily take a picture of the screen, capture the HDMI, copy the drive, even log their own keyboard... there are always side channels unless you physically control the environment).
2. Preventing them from doing something malicious... But if they are writing code for you and they are untrustworthy, isn't it already game over?
3. Bean counting, monitoring time spent at keyboard etc - which we all know is not an accurate metric of productivity for cognitive work.
4. Similarly to #1 and #2, unintentional breach or security issues, i.e you trust the person but not their device or their ability to secure their own device - In which case spyware seems wholly inadequate to cope with this situation, if you are serious about this, you should be controlling the hardware and OS (which lots of orgs with highly sensitive info do).
In all these cases spyware is futile. Am I missing something?
Very much required for compliance, zero trust, protection of IP, and foundational to a reasonable security plan.
On second thought, this _is_ the answer... they are making a compromise on security, it's an economic decision. Maybe it makes sense from a business perspective: check some boxes, get a bit of security (not much) for almost nothing - but as you can probably tell, I think it's both pretentious and disrespectful.
That said, a lot of users _want_ to use their own devices (maybe they have better equipment, maybe it's less locked down, maybe they don't want duplicates). It's not sane for the business to allow a device that is more likely to be compromised and/or have poor security hygiene on the network.
I'm a fan of privacy but... At least on my team, we're definitely not spying on you, we're making sure you have a password, encryption, antivirus, and updates installed before you can connect to resources. It's shocking how many people don't have authentication enabled and run as root, if they have a choice, on their home system. That said - we could flip switches and do a lot more spying if it was mandated :/
Anything but this, and it’s clear you’re just evil.
Noooo. Armfuls of watches are just for hilarious movies and such. It's not supposed to have a corporate elementttt. The cyberpunk vibes are too much with this.
That's what Statnett in Norway did when I did some work for them a year ago (Lenovo X1 Carbon). The difference being that installing anything on it was pretty much impossible. All traffic went through the Statnett VPN. It's the most security conscious company I have had any experience of.
But I was also able to use my own laptop by installing the Citrix client and that was much better. I had never used Citrix before and was pleasantly surprised at how fast it was.
Not only that, in some EU countries it's even illegal for a freelancer to work for 1x customer.
How does that work? Is it more "exclusively for one customer" similar to the how the IRS rules work?
Both France and Germany have such laws but other countries do too.
The point is that many companies would otherwise stiffle workers by forcing them into becoming freelancers because then they don't have to provide legally prescribed healthcare benefits, paid vacation, contributions to pension, etc. that employees get.
And at the same time those workers don't have really the position to meaningfully negotiate their contracts to e.g. include extra pay for that missing vacation or healthcare/pension insurance. I.e. we are not talking about IT consultants but delivery drivers, cleaners, etc. - low paying jobs.
I.e. Uber's business model - and that's exactly why it was banned/had big problems in many EU countries (in addition to completely flouting the existing taxi service regulations).
The reason is companies were abusing self employment laws by only recruiting freelancers even for full time roles so they didn’t have to provide sick pay/parental leave/holidays/pensions/etc.
1) Keep all software related to work for their company segregated inside a VM. Then you can install whatever they require without interfering with your main system or potentially exposing data for other clients.
2) If they want a separate physical system, tell them you would be happy to provide it for a fee: an upfront fee for the cost of the system and an ongoing fee for maintenance of it. Be sure to mark everything up as you don't work for free.
Since you're not an employee, you really shouldn't be asking them to provide hardware as (in the U.S., at least) this could create tax problems.
This tends to be more of an issue for solo contractors rather than contract houses as the IRS tends to look the other way on most of the larger contracting outfits.
I would want a big compensation increase to deal with this. Like on the order of 2x my rate.
You don't 'require' anything on equipment you don't provide. full stop. period.
I also had email account specific to each client, so that I could have a mail program on that ThinkPad access only the respective account.
There are many reasons to do one laptop per client (especially if you're WFH, not traveling), including not exposing personal and other-client stuff to whatever weird stuff is in the build environment of one client.
Another reason, though this never came up for me, is that there can be legal orders to permit inspection of the computer, online accounts, etc., including by computer forensics. If that happened for one client, that could be in conflict with your obligations to another client (as well as in conflict with your SO's private vacation photos, if they were on the same device). Being able to reassure that everything for a client was compartmentalized to certain devices and accounts might come in handy.
At one point, I even had color-coded labelmaker tape to help keep track of what was compartmentalized to what. And photos of the devices with the physical labeling on them, in case I ever needed to convey that I took it seriously.
(Related: One time, I had a hard drive fail such that (despite encryption) I couldn't do an approved wipe of it before disposal or warranty return. That client's compliance policies required that I physically destroy the drive platters, and ship the remnants to them via Registered Mail. It was a slightly fun/cool exercise, especially since the platters shattered nicely. And the neighborhood of $100 lost was well-invested in professionalism goodwill with a client who paid a few orders of magnitude of that amount over time.)
(In some ways, I'm now happy to no longer be running a consulting business, mainly because a predictable, consistent amount of money just appears in my bank account every couple weeks. :)