Velocity Reviews - Computer Hardware Reviews

Surfing at Work

 
 
Mark Landin
09-30-2004
On Thu, 30 Sep 2004 10:38:03 +0930, "David Q F"
<!o!s!p!a!m.AU> wrote:

>"HB2" <> wrote in message
>news:Lll6d.275208$Fg5.251822@attbi_s53...
>> Sometimes I write e-mails using a web based format (yahoo). When the e-mail
>> is of a personal issue I use megaproxy because it is SSL. Our PCs at work
>> have Windows 2000. Is it safe to assume that my e-mails are kept private
>> from my employer since they are sent using SSL? Does Windows 2000 Server
>> have monitoring tools built in or would our employer have to purchase such
>> monitoring tools separately?
>>
>> Also, it's my understanding that using a keyboard log program is illegal.
>> Is this correct?
>>
>> Thanks
>
>My $.02 worth. I am in Australia. Our corporate security policy disallows:
>- Web based email. Reason: The mail and its attachments do not pass through
>our firewall (as email) or antivirus.


You don't have desktop anti-virus protection?

>- Unauthorised encryption of email including smime and pgp. Reason: Again
>the difficulty is with checking content for fraud, theft or malware.


Very valid.

>- Unauthorised inspection of email by IT admins. Reason: Its a people
>problem and only HR can authorise inspection.


Also very valid. IT should not abuse their authorized access.

>It does allow reasonable personal use of email - this discourages (but
>doesn't cut out) abuse.


Similar to the phone on your desk.

>One other thought I've had is that the use of Baysean Inference for Spam
>filtering could be extended for other purposes like automated checking for
>commercial espionage, fraud and other abuses without human inspection.


The problem is that a legitimate business email and an illicit one have
basically the same content. What makes one legit and one illicit is
mainly the recipient, not what it says. That would be hard to
automate, I would think.

Likely the best one could do is say "the following emails sent this
week referenced the Secret Omega Project" and some person would have
to vet that whole list, checking senders and recipients against a
known-good-list, for possible improper activity. That would be pretty
labor-intensive.
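The vetting step Mark sketches (list the week's mail that references a named project, then check senders and recipients against a known-good list) can be scripted so that a human only has to look at the hits. The following is an added example for this thread, not code from any poster; the project keyword, the allowed domains and the three sample messages are constructed.

```python
"""Flag mail that mentions a sensitive project and reaches a recipient
outside a known-good domain list, so that only those need human review.

Added example; not code from the thread.  The keyword, the domains and
the messages below are constructed sample data."""
import email
import re
from email import policy

# Constructed policy: the project term to watch for and the domains cleared
# to receive mail about it.
SENSITIVE_RE = re.compile(r"\bomega\b", re.IGNORECASE)
KNOWN_GOOD_DOMAINS = {"example.com", "partner.example.net"}

# Constructed sample mailbox: raw RFC 822 messages as a mail gateway would log them.
SAMPLE_MAILBOX = [
    """From: alice@example.com
To: bob@example.com
Subject: Omega status

Bob, the Secret Omega Project review is Thursday.
""",
    """From: carol@example.com
To: dave@partner.example.net
Cc: eve@freemail.example.org
Subject: Weekly numbers

Attached are the Omega cost figures you asked for.
""",
    """From: frank@example.com
To: grace@example.com
Subject: Lunch

Anyone up for lunch Friday?
""",
]


def mentions_sensitive(msg):
    """True if the subject or the plain-text body contains the watched term."""
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    return SENSITIVE_RE.search(text) is not None


def external_recipients(msg):
    """Recipient addresses (To/Cc/Bcc) whose domain is not on the known-good list."""
    out = []
    for field in ("To", "Cc", "Bcc"):
        for hdr in msg.get_all(field, []):
            for addr in hdr.addresses:
                if addr.domain.lower() not in KNOWN_GOOD_DOMAINS:
                    out.append(addr.addr_spec)
    return out


def vet_mailbox(raw_messages):
    """Return (sender, [external recipients]) for each message that mentions
    the term.  An empty recipient list means it mentioned the project but
    stayed inside the known-good domains."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        if mentions_sensitive(msg):
            findings.append((str(msg["From"]), external_recipients(msg)))
    return findings


def needs_human_review(findings):
    """Only the hits that actually left the known-good domains."""
    return [f for f in findings if f[1]]


if __name__ == "__main__":
    for sender, ext in needs_human_review(vet_mailbox(SAMPLE_MAILBOX)):
        print(f"review: {sender} -> {', '.join(ext)}")
```

Run as a script it prints the single message that needs a person to look at it; the internal-only hit is kept in the full finding list so the reviewer can see how much of the week's traffic touched the project at all.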


 
Leythos
09-30-2004
In article <>,
says...
> On Tue, 28 Sep 2004 23:56:12 GMT, Leythos <> wrote:
>
> >In article <Lll6d.275208$Fg5.251822@attbi_s53>,
> >says...
> >> Sometimes I write e-mails using a web based format (yahoo). When the e-mail
> >> is of a personal issue I use megaproxy because it is SSL. Our PCs at work
> >> have Windows 2000. Is it safe to assume that my e-mails are kept private
> >> from my employer since they are sent using SSL? Does Windows 2000 Server
> >> have monitoring tools built in or would our employer have to purchase such
> >> monitoring tools separately?
> >>
> >> Also, it's my understanding that using a keyboard log program is illegal.
> >> Is this correct?
> >
> >The simple answer is that your employer owns everything that crosses
> >its network and has a right to inspect anything on the network. Your
> >employer also has the right to fire you for theft of company resources
> >and turning in false time reports.
>
> You make some false assumptions. First, privacy laws and employee
> rights vary by country. The EU, for instance, is much more protective
> of employee privacy than the US, even when the employee is using
> company resources on company time.
>
> Second, I for instance do not fill out a time report as I am a
> salaried employee. The OP may not do a time report either.
>
> As far as theft of company resources, what is "stolen"? It may be more
> accurate to say "unauthorized use" of company resources, which is
> certainly a different concept than theft. While unauthorized use can
> be grounds for discipline or termination based on violation of company
> property, it is not a criminal act like thievery.


The op was posting from a ComCast account, so he's in the US, so it does
apply - nothing false about the assumption there.

The time sheet may not be filled out, but you are expected to put in a
certain amount of hours and you are paid for them - screwing off during
business hours, unless you make up the time, is theft.

As for company resources, they pay for the service, to maintain a
certain level of performance. When you utilize the network for non-
company reasons you decrease the performance that is available for
company benefit. Since the company PAYS for the connection you are
utilizing for your own personal reasons, against company policy, you are
stealing company resources - much like taking paper, pens, etc..

You may not like it, but sooner or later it's going to end up in court.
Just like an idiot that violates company policy, takes down the network
due to a virus they brought into the company while using GoToMyPC or a
personal email web client. If it can be traced back to the individual it
will get into court.

--
--

(Remove 999 to reply to me)
 
HB2
09-30-2004
First of all who said anything about abuses? Second of all, have you ever
made a personal phone call from work?



"Leythos" <> wrote in message
news:...
> In article <Lll6d.275208$Fg5.251822@attbi_s53>,
> says...
>> Sometimes I write e-mails using a web based format (yahoo). When the
>> e-mail is of a personal issue I use megaproxy because it is SSL. Our PCs at work
>> have Windows 2000. Is it safe to assume that my e-mails are kept private
>> from my employer since they are sent using SSL? Does Windows 2000 Server
>> have monitoring tools built in or would our employer have to purchase
>> such monitoring tools separately?
>>
>> Also, it's my understanding that using a keyboard log program is illegal.
>> Is this correct?
>
> The simple answer is that your employer owns everything that crosses
> its network and has a right to inspect anything on the network. Your
> employer also has the right to fire you for theft of company resources
> and turning in false time reports.
>
> Actually, in addition to the above, it's very easy to SEE you connected
> to the proxy service through the firewall. Since there is little reason
> for you to have an outbound SSL connection your abuse of company policy
> will stand out like a red beacon in the night.
>
> All versions of Server have monitoring tools, but it's a lot easier to
> monitor the firewall to catch abuses like yours.
>
> --
> --
>
> (Remove 999 to reply to me)



 
HB2
09-30-2004
I know the policy of internet use in my company and I do not violate it. My
questions here are related to privacy.

"andy smart" <> wrote in message
news:cjegrt$8rf$...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> HB2 wrote:
> | Sometimes I write e-mails using a web based format (yahoo). When the
> e-mail
> | is of a personal issue I use megaproxy because it is SSL. Our PCs at
> work
> | have Windows 2000. Is it safe to assume that my e-mails are kept
> private
> | from my employer since they are sent using SSL? Does Winodws 2000
> Server
> | have monitoring tools built in or would our employer have to purchase
> such
> | monitoring tools seperately?
> |
> | Also, its my understanding that using a keyboard log program is
> illegal.
> | Is this correct?
> |
> | Thanks
> |
> |
> Actually, there is a good reason for them to be even more suspicious if
> they find you doing it - how do they know you're not using it to send
> confidential company data off site? Rather than try to be underhand
> about it, why not just ask them what their policy is?
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBWsa9qmlxlf41jHgRAk6zAJ4kostj4MZZ+IVklUFyXN AxQnq17gCePkuj
> wRB14n5vlygUShXPr7I6Mlk=
> =1R0Y
> -----END PGP SIGNATURE-----



 
Leythos
09-30-2004
In article <cF%6d.84074$wV.71029@attbi_s54>,
says...
> First of all who said anything about abuses? Second of all, have you ever
> made a personal phone call from work?


Yes, I have - after asking for permission. I'm of the impression that
anything at the office belongs to the company, that they provided, and I
"may" use it to do my work, but I have to ask permission if I want to do
something personal at work.

Use of the phone, even for local calls, when not permitted, can be
theft, some phone systems utilize metered rates or other plans that
charge for all outbound traffic.

If it's not your personal material, service, etc... and you don't have
express permission to take or use it, it could be considered theft.

--
--

(Remove 999 to reply to me)
 
Leythos
09-30-2004
In article <5H%6d.84093$wV.57423@attbi_s54>,
says...
> I know the policy of internet use in my company and I do not violate it. My
> questions here are related to privacy.


To answer your question, now that all the other stuff is out of the way:

1) Any traffic, even encrypted, belongs to the owner of the network.

2) It's easy to see where a SSL tunnel is connected - in fact, they
stand out like a red beacon on a dark night. There are few reasons for
employees to have external SSL connections from their desktop.

3) Use of a proxy, even without the SSL connection (or with it) is going
to be detected if the IT department is worth their salt.

4) Sustained or repeated traffic patterns are easy to catch.

--
--

(Remove 999 to reply to me)
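Points 2 to 4 above translate directly into a check over firewall connection logs: outbound port-443 sessions from a workstation to destinations that are not on the list of known business HTTPS sites, flagged when they are repeated or long-running. This is an added example for this thread, not from any poster or product; the log line format, the addresses, the thresholds and the allowlist are constructed, so the regex needs adjusting to whatever your firewall actually writes.

```python
"""Spot repeated or sustained outbound SSL connections from a desktop to
destinations that have no known business purpose, the pattern Leythos
says stands out in firewall logs.

Added example; not code from the thread.  Log format, addresses,
thresholds and the allowlist are constructed for illustration."""
import re
from collections import defaultdict

# Constructed log format: one connection record per line.
LOG_RE = re.compile(
    r"(?P<ts>\S+ \S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) dur=(?P<dur>\d+)"
)

# Constructed allowlist of HTTPS destinations with a known business purpose
# (for instance the company's bank portal).
KNOWN_BUSINESS_HTTPS = {"198.51.100.20"}

# Constructed thresholds: "repeated" = this many sessions to one destination,
# "sustained" = this many seconds connected in total.
REPEAT_THRESHOLD = 3
SUSTAINED_SECONDS = 1800

# Constructed sample firewall log for one morning.
SAMPLE_LOG = """\
2004-09-30 08:58:01 src=10.1.2.33 dst=198.51.100.20 dport=443 dur=45
2004-09-30 09:02:10 src=10.1.2.33 dst=203.0.113.7 dport=443 dur=900
2004-09-30 09:31:22 src=10.1.2.33 dst=203.0.113.7 dport=443 dur=1200
2004-09-30 10:05:40 src=10.1.2.33 dst=203.0.113.7 dport=443 dur=600
2004-09-30 10:07:13 src=10.1.2.51 dst=203.0.113.99 dport=443 dur=20
2004-09-30 10:08:00 src=10.1.2.51 dst=192.0.2.44 dport=80 dur=5
2004-09-30 10:09:45 src=10.1.2.51 dst=198.51.100.20 dport=443 dur=30
"""


def parse_log(text):
    """Yield one dict per line that matches LOG_RE; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["dur"] = int(rec["dur"])
            yield rec


def summarize_ssl(records):
    """Aggregate port-443 sessions per (src, dst): session count and total seconds."""
    stats = defaultdict(lambda: {"count": 0, "seconds": 0})
    for rec in records:
        if rec["dport"] == 443:
            s = stats[(rec["src"], rec["dst"])]
            s["count"] += 1
            s["seconds"] += rec["dur"]
    return dict(stats)


def find_suspicious_ssl(text):
    """Return [(src, dst, count, seconds, reasons)] for SSL destinations off the
    allowlist that are repeated or sustained.  A single short session to an
    unknown site is deliberately not reported: it is noise, not a pattern."""
    findings = []
    for (src, dst), s in sorted(summarize_ssl(parse_log(text)).items()):
        if dst in KNOWN_BUSINESS_HTTPS:
            continue
        reasons = []
        if s["count"] >= REPEAT_THRESHOLD:
            reasons.append("repeated")
        if s["seconds"] >= SUSTAINED_SECONDS:
            reasons.append("sustained")
        if reasons:
            findings.append((src, dst, s["count"], s["seconds"], reasons))
    return findings


if __name__ == "__main__":
    for src, dst, n, secs, why in find_suspicious_ssl(SAMPLE_LOG):
        print(f"{src} -> {dst}:443  {n} sessions, {secs}s total  ({', '.join(why)})")
```

On the sample log this reports only 10.1.2.33 talking to 203.0.113.7 for 45 minutes over three sessions; the bank portal is skipped because it is on the allowlist, and 10.1.2.51's single 20-second session to an unknown host stays below both thresholds. Reverse-resolving the reported destination is the natural next step before anyone is asked about it.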
 
KG6VQE
10-01-2004
To reiterate what was said....As a Sys Admin, I (the company) own all
material on company equipment, and any data coming across the line is
considered "Company Data". If someone is using encryption, or SSL to
encrypt data, it is my job to question "why". We have a lax security
program, usually based upon the management's discretion. When we suspect
someone, I am usually tasked to get all pertinent data. We seize (copy) all
data on the server, copy or clone the data on the workstation, redirect and
read email, and monitor the activity on the line.
The net sniffing programs available will allow us to see raw data going
across the line, but usually we can, by monitoring SYSLOG info at the Proxy
server (and/or firewall), then do a reverse IP lookup for what sites are
being used by the employee.
Privacy is a fleeting premise. At work, there is no privacy. People at
first are shocked when they find out we can read email and personal files,
then they learn there is little they can do about it.
As for whether we can see raw, encrypted SSL traffic, probably not....but we
would question what you are using on ports 445. That is a beacon that says
this person is doing something they "PROBABLY" should not be doing, on
company time.
We had one case where the employee copied personal files from home on to
a company laptop, after their personal laptop broke....in there, there were
NUDE pictures of the employee, and another of a friend of the employee.
When the laptop was turned in, she requested files that belonged to her then
DEAD brother, be sent to her...The company, not wanting to hurt the
employee's feelings, asked me to copy the files from the laptop, pertaining
to the employee and the brother. That was when the files were discovered.
The employee, believing they were safe because they did not divulge the
password, were wrong.
There was no privacy at that time....We turned the case over to an attorney,
who told us to give her only files pertaining to her brother, and erase the
hard drive...which we did.

Moral of story, there is NO Privacy working for a private company. So think
bank records, SSN's, private messages, photos...up to the discretion of the
Technical department. Bottom line...BEWARE!!!


----------------------------------------------------
This mailbox protected from junk email by MailFrontier Desktop
from MailFrontier, Inc. http://info.mailfrontier.com

"HB2" <> wrote in message
news:Lll6d.275208$Fg5.251822@attbi_s53...
> Sometimes I write e-mails using a web based format (yahoo). When the
> e-mail is of a personal issue I use megaproxy because it is SSL. Our PCs
> at work have Windows 2000. Is it safe to assume that my e-mails are kept
> private from my employer since they are sent using SSL? Does Windows 2000
> Server have monitoring tools built in or would our employer have to
> purchase such monitoring tools separately?
>
> Also, it's my understanding that using a keyboard log program is illegal.
> Is this correct?
>
> Thanks
>



 
Leythos
10-01-2004
In article <4h17d.22596$ >, "KG6VQE"
<info<nospam>@thecomputerdood.com> says...
> To reiterate what was said....As a Sys Admin, I (the company) own all
> material on company equipment, and any data coming across the line is
> considered "Company Data". If someone is using encryption, or SSL to
> encrypt data, it is my job to question "why". We have a lax security
> program, usually based upon the management's discretion. When we suspect
> someone, I am usually tasked to get all pertinent data. We seize (copy) all
> data on the server, copy or clone the data on the workstation, redirect and
> read email, and monitor the activity on the line.

[snip]

This is such a great example of what is expected of the network security
people. I can't tell you how many times we've been called in to a
company to determine "if" something is happening, and then find that a
lot is happening.

We had one case where we installed a firewall and call logging software,
an employee was seen using his cell phone and a pay phone frequently
after that. Combining his actions and his network logs we were able to
determine that something was amiss with this person - we seized his
computer and managed to recover a massive amount of deleted file/folders
that contained project bids for a competitor of the company he was
working for - he had been working for the competitor during company
hours and using the company resources to bid on projects for the other
company (he signed the documents with his real name)....

Then there was a firewall monitoring that indicated someone (we knew
who) was arriving early to visit porn sites - we mentioned that ALL
network activity (including sites visited and what workstation) were
logged and reviewed on a random basis - the new acceptable use policy
specifically forbids use of the network for non-company reasons. The
user never visited a porn site again, but he was just one of a dozen
doing it. People were actually fired over that.

What most workers don't seem to understand is that the network is
company property, and they pay for it, and the company is responsible
for anything the employees do on the network - including abusive things
they consider personal. Not to mention the waste of network bandwidth
when running streaming audio, playing Quake, etc....

If users looked at the network as a tool, or as a copier, and their
using it for their own personal needs, they would understand that what
they are doing is stealing company resources.

If they have never run their own company, never managed a group of
people, or if they have no proper business (or personal) ethics, then
this may not bother them, but it should.

I'm always amazed at how people think the network isn't monitored - in
today's times, when we can put video cameras inside a pack of candy,
people should just assume that everything they do is monitored. You
never know who is monitoring things in your home (spouse, kids, etc..)

--
--

(Remove 999 to reply to me)
 
David Q F
10-02-2004
Mark,

Thanks for your comments,

"Mark Landin" <> wrote in message
news:...
> On Thu, 30 Sep 2004 10:38:03 +0930, "David Q F"
> <!o!s!p!a!m.AU> wrote:
>
> >"HB2" <> wrote in message
> >news:Lll6d.275208$Fg5.251822@attbi_s53...
> >> Sometimes I write e-mails using a web based format (yahoo). When the
> >> e-mail is of a personal issue I use megaproxy because it is SSL. Our PCs at
> >> work have Windows 2000. Is it safe to assume that my e-mails are kept
> >> private from my employer since they are sent using SSL? Does Windows 2000
> >> Server have monitoring tools built in or would our employer have to purchase
> >> such monitoring tools separately?
> >>
> >> Also, it's my understanding that using a keyboard log program is
> >> illegal. Is this correct?
> >>
> >> Thanks
> >
> >My $.02 worth. I am in Australia. Our corporate security policy
> >disallows:
> >- Web based email. Reason: The mail and its attachments do not pass
> >through our firewall (as email) or antivirus.
>
> You don't have desktop anti-virus protection?

Yes we do.
The main problem here is organisations that have a large number of desktop
clients. A new virus entering from the Internet via email has a window of
opportunity until its signature is deployed to every one of them - this can
take days, even weeks. Disallowing web-based email, and for SMTP blocking every
executable or anything known to carry an executable (including .zips) and
'whitelisting' what you want to get through, also helps - users soon fall into
line.

> >- Unauthorised encryption of email including smime and pgp. Reason:
> >Again the difficulty is with checking content for fraud, theft or malware.
>
> Very valid.
>
> >- Unauthorised inspection of email by IT admins. Reason: Its a people
> >problem and only HR can authorise inspection.
>
> Also very valid. IT should not abuse their authorized access.
>
> >It does allow reasonable personal use of email - this discourages (but
> >doesn't cut out) abuse.
>
> Similar to the phone on your desk.
>
> >One other thought I've had is that the use of Bayesian Inference for Spam
> >filtering could be extended for other purposes like automated checking
> >for commercial espionage, fraud and other abuses without human inspection.
>
> The problem is that a legitimate business email and an illicit one have
> basically the same content. What makes one legit and one illicit is
> mainly the recipient, not what it says. That would be hard to
> automate, I would think.
>
> Likely the best one could do is say "the following emails sent this
> week referenced the Secret Omega Project" and some person would have
> to vet that whole list, checking senders and recipients against a
> known-good-list, for possible improper activity. That would be pretty
> labor-intensive.

I think you underestimate the power of Bayesian inference. Time will tell -
at present I don't have time to test it.

David
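David's gateway rules (block every executable, look inside .zip archives that might carry one, and let through only what is on a whitelist) as an added example for this thread, not any poster's code. The extension lists and the sample message with its three attachments are constructed; a real gateway would also inspect content, since a filename extension is trivially renamed.

```python
"""Attachment policy check of the kind David describes: executables are
blocked, zips are opened and checked for executables inside, and anything
not on the allowlist is blocked too.

Added example; not code from the thread.  Extension lists and the sample
message are constructed for illustration."""
import io
import zipfile
from email.message import EmailMessage

# Constructed policy lists.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js"}
ALLOWED_EXTS = {".pdf", ".txt", ".doc", ".xls", ".zip"}  # .zip only if clean inside


def ext_of(name):
    """Lower-cased final extension of a filename, or '' if it has none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def zip_members_blocked(data):
    """Member names inside a zip payload that carry an executable extension.
    Nested zips are reported as blocked as well, since we do not recurse into
    them here; an unreadable archive is reported rather than waved through."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]
    return [n for n in names if ext_of(n) in EXECUTABLE_EXTS or ext_of(n) == ".zip"]


def check_attachment(part):
    """Return (filename, verdict, detail) for one MIME attachment part."""
    name = part.get_filename()
    ext = ext_of(name)
    if ext in EXECUTABLE_EXTS:
        return (name, "block", "executable extension")
    if ext == ".zip":
        bad = zip_members_blocked(part.get_payload(decode=True))
        return (name, "block" if bad else "allow", ", ".join(bad) or "archive contents clean")
    if ext in ALLOWED_EXTS:
        return (name, "allow", "on allowlist")
    return (name, "block", "not on allowlist")


def check_message(msg):
    """Verdicts for every attachment of an EmailMessage, in order."""
    return [check_attachment(p) for p in msg.iter_attachments()]


def build_sample_message():
    """Constructed inbound mail with three attachments: a PDF, a bare .exe and
    a zip hiding an executable next to a harmless text file."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("invoice.pdf.exe", b"MZ...")  # stand-in bytes, not a real binary
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="docs.zip")
    return msg


if __name__ == "__main__":
    for name, verdict, detail in check_message(build_sample_message()):
        print(f"{verdict:5s} {name}: {detail}")
```

The zip branch is the part that earns its keep: the archive itself is on the allowlist, but it is refused because of what it contains, which is exactly the "anything known to carry an executable" case in David's policy.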


 
Wimbo
10-06-2004
HB2 wrote:
> Sometimes I write e-mails using a web based format (yahoo). When the e-mail
> is of a personal issue I use megaproxy because it is SSL. Our PCs at work
> have Windows 2000. Is it safe to assume that my e-mails are kept private
> from my employer since they are sent using SSL? Does Windows 2000 Server
> have monitoring tools built in or would our employer have to purchase such
> monitoring tools separately?
>
> Also, it's my understanding that using a keyboard log program is illegal.
> Is this correct?
>
> Thanks

The use of SSL isn't always as secure as you might think. There are
numerous appliances and software packages available which do an SSL
man-in-the-middle attack. Examples are WebProxy from @stake and SSL 1Box
from FinJan.

[QUOTE FROM FINJAN WEBSITE]
FinJan SSL 1Box™
This solution enables threat analysis of encrypted SSL/HTTPS traffic and
enforces SSL certification.
SSL 1Box™ decrypts SSL/HTTPS traffic and reveals the original data,
allowing Internet 1Box™ or another security proxy to perform security
analysis and defend against hidden attacks. Furthermore, the device
maintains role based policies to allow/block access of SSL traffic carrying
an invalid certificate. SSL 1Box™ maintains confidentiality and preserves
user privacy
[/END_QUOTE]

The only way to find out if your company has such a device is to examine
the SSL certificate and find out who issued it.

In companies where SSL traffic is used a lot for (actual) work (for
banking, extranet access etc.) these devices are more and more common.
Viruses, malware etc. received by webmail or downloaded via https websites
are discovered and acted upon accordingly with these appliances / software
packages.

Wimbo
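Wimbo's test (look at who issued the certificate) can be automated with Python's ssl module, which hands back the peer certificate as nested tuples. This is an added example, not from the thread or from any vendor; the two certificate dictionaries and the expected-issuer list are constructed, and the live fetch_peer_cert helper is my assumption about how you would obtain a real one.

```python
"""Decide whether a TLS certificate was issued by the CA you expect or by
something else, such as an inspecting proxy's internal CA.

Added example; not code from the thread.  The certificate dicts follow the
shape of ssl.SSLSocket.getpeercert() but their contents are constructed."""
import socket
import ssl

# Constructed: the issuing organisation(s) we expect for the sites we care about.
EXPECTED_ISSUER_ORGS = {"Example Public CA Ltd"}


def issuer_fields(cert):
    """Flatten getpeercert()'s issuer tuple-of-tuples into a plain dict."""
    return {k: v for rdn in cert.get("issuer", ()) for (k, v) in rdn}


def looks_intercepted(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """True when the issuing organisation is not one we expect.

    An SSL-inspection box re-signs every site with its own internal CA.  The
    company PCs have that internal root pre-installed, so the browser shows no
    warning; the only visible trace is the changed issuer."""
    org = issuer_fields(cert).get("organizationName", "")
    return org not in expected_orgs


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live helper (assumed usage, needs network): return the certificate a
    TLS connection to host:port actually presents, in getpeercert() form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed: what a direct connection to the site presents...
DIRECT_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA Ltd"),),
        (("commonName", "Example Public CA Ltd Issuing CA 1"),),
    ),
}

# ...and what the same site looks like through an inspecting proxy that re-signs it.
PROXIED_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": (
        (("organizationName", "Example Employer Inc IT"),),
        (("commonName", "Example Employer Inc SSL Inspection CA"),),
    ),
}

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT_CERT), ("via proxy", PROXIED_CERT)):
        print(f"{label:10s} issuer={issuer_fields(cert).get('commonName')!r} "
              f"intercepted={looks_intercepted(cert)}")
```

Comparing against an expected issuer rather than just printing it is the point: the interception certificate validates fine against the company-installed root, so a plain "did the handshake succeed" check tells you nothing.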

 