Surfing at Work

Discussion in 'Computer Security' started by HB2, Sep 28, 2004.

  1. HB2

    HB2 Guest

    Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    have Windows 2000. Is it safe to assume that my e-mails are kept private
    from my employer since they are sent using SSL? Does Windows 2000 Server
    have monitoring tools built in or would our employer have to purchase such
    monitoring tools separately?

    Also, it's my understanding that using a keyboard log program is illegal.
    Is this correct?

    Thanks
    HB2, Sep 28, 2004
    #1

  2. HB2

    Mr. Babco Guest

    "HB2" <> wrote in message
    news:Lll6d.275208$Fg5.251822@attbi_s53...
    > Sometimes I write e-mails using a web based format (yahoo). When the
    > e-mail is of a personal issue I use megaproxy because it is SSL. Our PCs
    > at work have Windows 2000. Is it safe to assume that my e-mails are kept
    > private from my employer since they are sent using SSL? Does Windows 2000
    > Server have monitoring tools built in or would our employer have to
    > purchase such monitoring tools separately?
    >
    > Also, it's my understanding that using a keyboard log program is illegal.
    > Is this correct?
    >


    Let me start with your last question. I'm not 100% sure of the legalities of
    using a keystroke logger but it is definitely an unethical practice. Your
    best bet is to assume that your computer and its data transmissions are being
    watched. Using a web mail like yahoo etc. is certainly within bounds of
    most employers and the preferred method by many admins./company execs. Of
    course there is always a darker side of things, such as very curious admins
    that have no business in your personal email - but are still looking at it.
    SSL will prevent much of this sort of thing and is always a sure bet.
    Generally employers will need to buy third party software in order to get a
    clear view of your internet activities, but there is always open source
    software that can be used for this as well. Windows 2000 doesn't have
    anything that will track your activities - not known publicly at least!
    Mr. Babco, Sep 28, 2004
    #2

  3. HB2

    Leythos Guest

    In article <Lll6d.275208$Fg5.251822@attbi_s53>,
    says...
    > Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    > is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    > have Windows 2000. Is it safe to assume that my e-mails are kept private
    > from my employer since they are sent using SSL? Does Windows 2000 Server
    > have monitoring tools built in or would our employer have to purchase such
    > monitoring tools separately?
    >
    > Also, it's my understanding that using a keyboard log program is illegal.
    > Is this correct?


    The simple answer is that your employer owns everything that crosses
    its network and has a right to inspect anything on the network. Your
    employer also has the right to fire you for theft of company resources
    and turning in false time reports.

    Actually, in addition to the above, it's very easy to SEE you connected
    to the proxy service through the firewall. Since there is little reason
    for you to have an outbound SSL connection your abuse of company policy
    will stand out like a red beacon in the night.

    All versions of Server have monitoring tools, but it's a lot easier to
    monitor the firewall to catch abuses like yours.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 29, 2004
    #3
  4. HB2

    Leythos Guest

    In article <Lll6d.275208$Fg5.251822@attbi_s53>,
    says...
    > Also, it's my understanding that using a keyboard log program is illegal.
    > Is this correct?


    Almost forgot to address this - it's their computers, their network,
    their company, they can do anything they want with it and don't have to
    tell you squat (at least in the US).


    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 29, 2004
    #4
  5. HB2

    andy smart Guest

    HB2 wrote:
    | Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    | is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    | have Windows 2000. Is it safe to assume that my e-mails are kept private
    | from my employer since they are sent using SSL? Does Windows 2000 Server
    | have monitoring tools built in or would our employer have to purchase such
    | monitoring tools separately?
    |
    | Also, it's my understanding that using a keyboard log program is illegal.
    | Is this correct?
    |
    | Thanks
    |
    |
    Actually, there is a good reason for them to be even more suspicious if
    they find you doing it - how do they know you're not using it to send
    confidential company data off site? Rather than try to be underhand
    about it, why not just ask them what their policy is?


    andy smart, Sep 29, 2004
    #5
  6. HB2

    Mike Guest

    HB2 wrote:

    > Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    > is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    > have Windows 2000. Is it safe to assume that my e-mails are kept private
    > from my employer since they are sent using SSL? Does Windows 2000 Server
    > have monitoring tools built in or would our employer have to purchase such
    > monitoring tools separately?
    >
    > Also, it's my understanding that using a keyboard log program is illegal.
    > Is this correct?
    >
    > Thanks
    >
    >

    If you are doing something that you feel your employer would rather you
    didn't then you shouldn't be doing it. Do you walk into friends' houses
    and take over their TV and video recorders for your own purposes? Of
    course you don't, so why take liberties with your employer's time, money
    and equipment?

    If you are writing emails that you would not like your employer to read,
    don't do it at work, dummy!

    There are monitoring tools that can record an entire data stream however
    fragmented, reassemble it and play it back. You wouldn't know whether
    your employer had these tools until it was too late (probably at the
    point you are sacked).


    --

    ------------------------------------

    Real email to mike. The header email is a spam trap and you will be
    blacklisted, submitted to anti-spam sites and probably burn in hell.
    Mike, Sep 29, 2004
    #6
  7. HB2

    Moe Trin Guest

    In article <Lll6d.275208$Fg5.251822@attbi_s53>, HB2 wrote:
    >Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    >is of a personal issue I use megaproxy because it is SSL.


    http://groups.google.com

    and search for the "Surfing at Work". You'll find this covered very
    well - and even find postings from wankers who have been fired for
    this, whining that the employer had no right to do that to them.

    >Is it safe to assume that my e-mails are kept private
    >from my employer since they are sent using SSL?


    Do you honestly think that because your SSL session (trivial to detect)
    can't be decoded, the employer is going to ignore it? You are either
    extremely stupid (and should be fired as unsuitable for the job) or are
    on drugs. If they are prescription drugs, contact your doctor immediately.

    >Does Windows 2000 Server have monitoring tools built in or would our
    >employer have to purchase such monitoring tools separately?


    You're joking, right? And you haven't seen ANY posting in this group
    about stuff that runs on the firewall.

    >Also, it's my understanding that using a keyboard log program is illegal.


    Don't ask for "legal" opinions on Usenet - they're worth less than what
    you paid for them. Consult your own lawyer. And this has also been
    covered many times on Usenet.

    >Is this correct?


    You're posting from an IP address allocated to Illinois. IF you can prove
    to a judge that you were never warned that your use of the computer may
    be monitored, you might get a finding in a "Wrongful dismissal" case. Do
    let us know.

    Old guy
    Moe Trin, Sep 29, 2004
    #7
  8. HB2

    Jim Watt Guest

    On Tue, 28 Sep 2004 22:12:59 GMT, "HB2" <> wrote:

    >Also, it's my understanding that using a keyboard log program is illegal.
    >Is this correct?


    Whose laws are we talking about?

    Who owns the computer?

    Who is paying you to surf the net?

    Does your company have a policy? Some might
    terminate you for doing these things.


    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 29, 2004
    #8
  9. HB2

    David Q F Guest

    "HB2" <> wrote in message
    news:Lll6d.275208$Fg5.251822@attbi_s53...
    > Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    > is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    > have Windows 2000. Is it safe to assume that my e-mails are kept private
    > from my employer since they are sent using SSL? Does Windows 2000 Server
    > have monitoring tools built in or would our employer have to purchase such
    > monitoring tools separately?
    >
    > Also, it's my understanding that using a keyboard log program is illegal.
    > Is this correct?
    >
    > Thanks
    >
    >


    My $.02 worth. I am in Australia. Our corporate security policy disallows:
    - Web based email. Reason: The mail and its attachments do not pass through
    our firewall (as email) or antivirus.
    - Unauthorised encryption of email including smime and pgp. Reason: Again
    the difficulty is with checking content for fraud, theft or malware.
    - Unauthorised inspection of email by IT admins. Reason: It's a people
    problem and only HR can authorise inspection.

    It does allow reasonable personal use of email - this discourages (but
    doesn't cut out) abuse.

    One other thought I've had is that the use of Bayesian Inference for Spam
    filtering could be extended for other purposes like automated checking for
    commercial espionage, fraud and other abuses without human inspection. Once
    alerted an admin/HR person could manually check.

    Last thought, "Do you have an Internet connection at home?"

    David Fosdike
    dfosdike at nospam(leave this out and change 'dots' and 'at') dot elders dot
    com dot au
    David Q F, Sep 30, 2004
    #9
  10. HB2

    Mark Landin Guest

    On Tue, 28 Sep 2004 23:56:12 GMT, Leythos <> wrote:

    >In article <Lll6d.275208$Fg5.251822@attbi_s53>,
    >says...
    >> Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    >> is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    >> have Windows 2000. Is it safe to assume that my e-mails are kept private
    >> from my employer since they are sent using SSL? Does Windows 2000 Server
    >> have monitoring tools built in or would our employer have to purchase such
    >> monitoring tools separately?
    >>
    >> Also, it's my understanding that using a keyboard log program is illegal.
    >> Is this correct?

    >
    >The simple answer is that your employer owns everything that crosses
    >its network and has a right to inspect anything on the network. Your
    >employer also has the right to fire you for theft of company resources
    >and turning in false time reports.


    You make some false assumptions. First, privacy laws and employee
    rights vary by country. The EU, for instance, is much more protective
    of employee privacy than the US, even when the employee is using
    company resources on company time.

    Second, I for instance do not fill out a time report as I am a
    salaried employee. The OP may not do a time report either.

    As far as theft of company resources, what is "stolen"? It may be more
    accurate to say "unauthorized use" of company resources, which is
    certainly a different concept than theft. While unauthorized use can
    be grounds for discipline or termination based on violation of company
    property, it is not a criminal act like thievery.
    Mark Landin, Sep 30, 2004
    #10
  11. HB2

    Mark Landin Guest

    On Thu, 30 Sep 2004 10:38:03 +0930, "David Q F"
    <!o!s!p!a!m.AU> wrote:

    >"HB2" <> wrote in message
    >news:Lll6d.275208$Fg5.251822@attbi_s53...
    >> Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    >> is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    >> have Windows 2000. Is it safe to assume that my e-mails are kept private
    >> from my employer since they are sent using SSL? Does Windows 2000 Server
    >> have monitoring tools built in or would our employer have to purchase such
    >> monitoring tools separately?
    >>
    >> Also, it's my understanding that using a keyboard log program is illegal.
    >> Is this correct?
    >>
    >> Thanks
    >>
    >>

    >
    >My $.02 worth. I am in Australia. Our corporate security policy disallows:
    >- Web based email. Reason: The mail and its attachments do not pass through
    >our firewall (as email) or antivirus.


    You don't have desktop anti-virus protection?

    >- Unauthorised encryption of email including smime and pgp. Reason: Again
    >the difficulty is with checking content for fraud, theft or malware.


    Very valid.

    >- Unauthorised inspection of email by IT admins. Reason: It's a people
    >problem and only HR can authorise inspection.


    Also very valid. IT should not abuse their authorized access.

    >It does allow reasonable personal use of email - this discourages (but
    >doesn't cut out) abuse.


    Similar to the phone on your desk.

    >One other thought I've had is that the use of Bayesian Inference for Spam
    >filtering could be extended for other purposes like automated checking for
    >commercial espionage, fraud and other abuses without human inspection.


    The problem is that a legitimate business email and an illicit one have
    basically the same content. What makes one legit and one illicit is
    mainly the recipient, not what it says. That would be hard to
    automate, I would think.

    Likely the best one could do is say "the following emails sent this
    week referenced the Secret Omega Project" and some person would have
    to vet that whole list, checking senders and recipients against a
    known-good-list, for possible improper activity. That would be pretty
    labor-intensive.
    Mark Landin, Sep 30, 2004
    #11
  12. HB2

    Leythos Guest

    In article <>,
    says...
    > On Tue, 28 Sep 2004 23:56:12 GMT, Leythos <> wrote:
    >
    > >In article <Lll6d.275208$Fg5.251822@attbi_s53>,
    > >says...
    > >> Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    > >> is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    > >> have Windows 2000. Is it safe to assume that my e-mails are kept private
    > >> from my employer since they are sent using SSL? Does Windows 2000 Server
    > >> have monitoring tools built in or would our employer have to purchase such
    > >> monitoring tools separately?
    > >>
    > >> Also, it's my understanding that using a keyboard log program is illegal.
    > >> Is this correct?

    > >
    > >The simple answer is that your employer owns everything that crosses
    > >its network and has a right to inspect anything on the network. Your
    > >employer also has the right to fire you for theft of company resources
    > >and turning in false time reports.

    >
    > You make some false assumptions. First, privacy laws and employee
    > rights vary by country. The EU, for instance, is much more protective
    > of employee privacy than the US, even when the employee is using
    > company resources on company time.
    >
    > Second, I for instance do not fill out a time report as I am a
    > salaried employee. The OP may not do a time report either.
    >
    > As far as theft of company resources, what is "stolen"? It may be more
    > accurate to say "unauthorized use" of company resources, which is
    > certainly a different concept than theft. While unauthorized use can
    > be grounds for discipline or termination based on violation of company
    > property, it is not a criminal act like thievery.


    The op was posting from a ComCast account, so he's in the US, so it does
    apply - nothing false about the assumption there.

    The time sheet may not be filled out, but you are expected to put in a
    certain amount of hours and you are paid for them - screwing off during
    business hours, unless you make up the time, is theft.

    As for company resources, they pay for the service, to maintain a
    certain level of performance. When you utilize the network for non-
    company reasons you decrease the performance that is available for
    company benefit. Since the company PAYS for the connection you are
    utilizing for your own personal reasons, against company policy, you are
    stealing company resources - much like taking paper, pens, etc..

    You may not like it, but sooner or later it's going to end up in court.
    Just like an idiot that violates company policy, takes down the network
    due to a virus they brought into the company while using GoToMyPC or a
    personal email web client. If it can be traced back to the individual it
    will get into court.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 30, 2004
    #12
  13. HB2

    HB2 Guest

    First of all who said anything about abuses? Second of all, have you ever
    made a personal phone call from work?



    "Leythos" <> wrote in message
    news:...
    > In article <Lll6d.275208$Fg5.251822@attbi_s53>,
    > says...
    >> Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    >> is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    >> have Windows 2000. Is it safe to assume that my e-mails are kept private
    >> from my employer since they are sent using SSL? Does Windows 2000 Server
    >> have monitoring tools built in or would our employer have to purchase such
    >> monitoring tools separately?
    >>
    >> Also, it's my understanding that using a keyboard log program is illegal.
    >> Is this correct?

    >
    > The simple answer is that your employer owns everything that crosses
    > its network and has a right to inspect anything on the network. Your
    > employer also has the right to fire you for theft of company resources
    > and turning in false time reports.
    >
    > Actually, in addition to the above, it's very easy to SEE you connected
    > to the proxy service through the firewall. Since there is little reason
    > for you to have an outbound SSL connection your abuse of company policy
    > will stand out like a red beacon in the night.
    >
    > All versions of Server have monitoring tools, but it's a lot easier to
    > monitor the firewall to catch abuses like yours.
    >
    > --
    > --
    >
    > (Remove 999 to reply to me)
    HB2, Sep 30, 2004
    #13
  14. HB2

    HB2 Guest

    I know the policy of internet use in my company and I do not violate it. My
    questions here are related to privacy.

    "andy smart" <> wrote in message
    news:cjegrt$8rf$...
    > HB2 wrote:
    > | Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    > | is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    > | have Windows 2000. Is it safe to assume that my e-mails are kept private
    > | from my employer since they are sent using SSL? Does Windows 2000 Server
    > | have monitoring tools built in or would our employer have to purchase such
    > | monitoring tools separately?
    > |
    > | Also, it's my understanding that using a keyboard log program is illegal.
    > | Is this correct?
    > |
    > | Thanks
    > |
    > |
    > Actually, there is a good reason for them to be even more suspicious if
    > they find you doing it - how do they know you're not using it to send
    > confidential company data off site? Rather than try to be underhand
    > about it, why not just ask them what their policy is?
    >
    >
    HB2, Sep 30, 2004
    #14
  15. HB2

    Leythos Guest

    In article <cF%6d.84074$wV.71029@attbi_s54>,
    says...
    > First of all who said anything about abuses? Second of all, have you ever
    > made a personal phone call from work?


    Yes, I have - after asking for permission. I'm of the impression that
    anything at the office belongs to the company, that they provided, and I
    "may" use it to do my work, but I have to ask permission if I want to do
    something personal at work.

    Use of the phone, even for local calls, when not permitted, can be
    theft, some phone systems utilize metered rates or other plans that
    charge for all outbound traffic.

    If it's not your personal material, service, etc... and you don't have
    express permission to take or use it, it could be considered theft.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 30, 2004
    #15
  16. HB2

    Leythos Guest

    In article <5H%6d.84093$wV.57423@attbi_s54>,
    says...
    > I know the policy of internet use in my company and I do not violate it. My
    > questions here are related to privacy.


    To answer your question, now that all the other stuff is out of the way:

    1) Any traffic, even encrypted, belongs to the owner of the network.

    2) It's easy to see where an SSL tunnel is connected - in fact, they
    stand out like a red beacon on a dark night. There are few reasons for
    employees to have external SSL connections from their desktop.

    3) Use of a proxy, even without the SSL connection (or with it) is going
    to be detected if the IT department is worth their salt.

    4) Sustained or repeated traffic patterns are easy to catch.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 30, 2004
    #16
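The firewall-log review described in this thread (outbound SSL sessions from a desktop to one external host, sustained or repeated), as an added example that is not part of any post. The log layout, addresses, allowlist and thresholds are constructed assumptions, not the format of any product named here.

```python
"""Added example: flag sustained or repeated outbound SSL sessions in a firewall log.

The log layout, addresses, allowlist and thresholds are constructed for this
illustration; they are not the format of any product named in the thread.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed layout: <time> <action> TCP <src>:<sport> -> <dst>:<dport> bytes=<n> dur=<seconds>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+) dur=(?P<dur>\d+)$"
)

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed office LAN
APPROVED_SSL = {"198.51.100.20"}                   # assumed business site, e.g. the company bank

# Constructed sample log (documentation address ranges), including one truncated line.
SAMPLE_LOG = """\
2004-09-28T08:55:03 ALLOW TCP 10.0.4.22:3101 -> 198.51.100.20:443 bytes=18220 dur=95
2004-09-28T09:01:12 ALLOW TCP 10.0.4.17:3312 -> 203.0.113.50:443 bytes=48213 dur=310
2004-09-28T09:14:40 ALLOW TCP 10.0.4.31:2210 -> 192.0.2.80:80 bytes=9120 dur=12
2004-09-28T10:20:05 ALLOW TCP 10.0.4.17:3340 -> 203.0.113.50:443 bytes=151002 dur=900
2004-09-28T10:42:51 ALLOW TCP 10.0.4.31:2255 -> 192.0.2.80:443 bytes=4100 dur=40
2004-09-28T11:03:27 DENY TCP 10.0.4.31:2290 -> 203.0.113.50:443 bytes=0 dur=0
2004-09-28T11:30:00 ALLOW TCP 10.0.4.22:3150 -> 198.51.100.20:443 bytes=20110 dur=120
2004-09-28T13:05:44 ALLOW TCP 10.0.4.17:3401 -> 203.0.113.50:443 bytes=230771 dur=1200
2004-09-28T13:40:19 ALLOW TCP 10.0.4.40:1988 -> 203.0.113.50:443 bytes=502330 dur=2400
2004-09-28T14:02:
2004-09-28T15:12:30 ALLOW TCP 10.0.4.17:3466 -> 203.0.113.50:443 bytes=61009 dur=450
2004-09-28T16:01:09 ALLOW TCP 10.0.4.22:3190 -> 198.51.100.20:443 bytes=17654 dur=88
"""


@dataclass
class Flow:
    sessions: int = 0
    total_bytes: int = 0
    total_seconds: int = 0
    hours: set = field(default_factory=set)  # distinct clock hours with activity


def summarise(log_text):
    """Group allowed outbound port-443 sessions by (workstation, destination)."""
    flows = defaultdict(Flow)
    skipped = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        try:
            if m is None:
                raise ValueError("unparseable line")
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            skipped += 1          # truncated or corrupt entries are counted, not trusted
            continue
        if m["action"] != "ALLOW" or m["dport"] != "443":
            continue
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue              # only desktop -> Internet traffic is of interest
        if m["dst"] in APPROVED_SSL:
            continue              # sanctioned business use of SSL
        flow = flows[(m["src"], m["dst"])]
        flow.sessions += 1
        flow.total_bytes += int(m["bytes"])
        flow.total_seconds += int(m["dur"])
        flow.hours.add(m["ts"][:13])
    return flows, skipped


def flag(flows, min_sessions=3, min_seconds=1800):
    """Return flows that are repeated (many sessions) or sustained (long total time)."""
    findings = []
    for (src, dst), flow in flows.items():
        reasons = []
        if flow.sessions >= min_sessions:
            reasons.append("repeated")
        if flow.total_seconds >= min_seconds:
            reasons.append("sustained")
        if reasons:
            findings.append({
                "src": src, "dst": dst, "sessions": flow.sessions,
                "total_bytes": flow.total_bytes, "total_seconds": flow.total_seconds,
                "active_hours": len(flow.hours), "reasons": reasons,
            })
    return sorted(findings, key=lambda f: (-f["total_seconds"], f["src"]))


if __name__ == "__main__":
    flows, skipped = summarise(SAMPLE_LOG)
    for finding in flag(flows):
        print(finding)
    print("unparseable lines:", skipped)
```

The payload stays encrypted throughout; the report is built only from connection metadata, and the allowlist is what separates sanctioned SSL use from the rest.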
  17. HB2

    KG6VQE Guest

    To reiterate what was said....As a Sys Admin, I (the company) own all
    material on company equipment, and any data coming across the line is
    considered "Company Data". If someone is using encryption, or SSL to
    encrypt data, it is my job to question "why". We have a lax security
    program, usually based upon the management's discretion. When we suspect
    someone, I am usually tasked to get all pertinent data. We seize (copy) all
    data on the server, copy or clone the data on the workstation, redirect and
    read email, and monitor the activity on the line.
    The net sniffing programs available will allow us to see raw data going
    across the line, but usually we can, by monitoring SYSLOG info at the Proxy
    server (and/or firewall), and then do a reverse IP lookup for what sites are
    being used by the employee.
    Privacy is a fleeting premise. At work, there is no privacy. People at
    first are shocked when they find out we can read email and personal files,
    then they learn there is little they can do about it.
    As for whether we can see raw, encrypted SSL traffic, probably not....but we
    would question what you are using on ports 445. That is a beacon that says
    this person is doing something they "PROBABLY" should not be doing, on
    company time.
    We had one case where the employee copied personal files from home on to
    a company laptop, after their personal laptop broke....in there, there were
    NUDE pictures of the employee, and another of a friend of the employee.
    When the laptop was turned in, she requested files that belonged to her then
    DEAD brother, be sent to her...The company, not wanting to hurt the
    employee's feelings, asked me to copy the files from the laptop, pertaining
    to the employee and the brother. That was when the files were discovered.
    The employee, believing they were safe because they did not divulge the
    password, was wrong.
    There was no privacy at that time....We turned the case over to an attorney,
    who told us to give her only files pertaining to her brother, and erase the
    hard drive...which we did.

    Moral of story, there is NO Privacy working for a private company. So think
    bank records, SSN's, private messages, photos...up to the discretion of the
    Technical department. Bottom line...BEWARE!!!


    ----------------------------------------------------
    This mailbox protected from junk email by MailFrontier Desktop
    from MailFrontier, Inc. http://info.mailfrontier.com

    "HB2" <> wrote in message
    news:Lll6d.275208$Fg5.251822@attbi_s53...
    > Sometimes I write e-mails using a web based format (yahoo). When the
    > e-mail is of a personal issue I use megaproxy because it is SSL. Our PCs
    > at work have Windows 2000. Is it safe to assume that my e-mails are kept
    > private from my employer since they are sent using SSL? Does Windows 2000
    > Server have monitoring tools built in or would our employer have to
    > purchase such monitoring tools separately?
    >
    > Also, it's my understanding that using a keyboard log program is illegal.
    > Is this correct?
    >
    > Thanks
    >
    KG6VQE, Oct 1, 2004
    #17
  18. HB2

    Leythos Guest

    In article <4h17d.22596$>, "KG6VQE"
    <info<nospam>@thecomputerdood.com> says...
    > To reiterate what was said....As a Sys Admin, I (the company) own all
    > material on company equipment, and any data coming across the line is
    > considered "Company Data". If someone is using encryption, or SSL to
    > encrypt data, it is my job to question "why". We have a lax security
    > program, usually based upon the management's discretion. When we suspect
    > someone, I am usually tasked to get all pertinent data. We seize (copy) all
    > data on the server, copy or clone the data on the workstation, redirect and
    > read email, and monitor the activity on the line.

    [snip]

    This is such a great example of what is expected of the network security
    people. I can't tell you how many times we've been called in to a
    company to determine "if" something is happening, and then find that a
    lot is happening.

    We had one case where we installed a firewall and call logging software,
    an employee was seen using his cell phone and a pay phone frequently
    after that. Combining his actions and his network logs we were able to
    determine that something was amiss with this person - we seized his
    computer and managed to recover a massive amount of deleted file/folders
    that contained project bids for a competitor of the company he was
    working for - he had been working for the competitor during company
    hours and using the company resources to bid on projects for the other
    company (he signed the documents with his real name)....

    Then there was a firewall monitoring that indicated someone (we knew
    who) was arriving early to visit porn sites - we mentioned that ALL
    network activity (including sites visited and what workstation) were
    logged and reviewed on a random basis - the new acceptable use policy
    specifically forbids use of the network for non-company reasons. The
    user never visited a porn site again, but he was just one of a dozen
    doing it. People were actually fired over that.

    What most workers don't seem to understand is that the network is
    company property, and they pay for it, and the company is responsible
    for anything the employees do on the network - including abusive things
    they consider personal. Not to mention the waste of network bandwidth
    when running streaming audio, playing Quake, etc....

    If users looked at the network as a tool, or as a copier, and their
    using it for their own personal needs, they would understand that what
    they are doing is stealing company resources.

    If they have never run their own company, never managed a group of
    people, or if they have no proper business (or personal) ethics, then
    this may not bother them, but it should.

    I'm always amazed at how people think the network isn't monitored - in
    today's times, when we can put video cameras inside a pack of candy,
    people should just assume that everything they do is monitored. You
    never know who is monitoring things in your home (spouse, kids, etc..)

    --
    --

    (Remove 999 to reply to me)
    Leythos, Oct 1, 2004
    #18
  19. HB2

    David Q F Guest

    Mark,

    Thanks for your comments,

    "Mark Landin" <> wrote in message
    news:...
    > On Thu, 30 Sep 2004 10:38:03 +0930, "David Q F"
    > <!o!s!p!a!m.AU> wrote:
    >
    > >"HB2" <> wrote in message
    > >news:Lll6d.275208$Fg5.251822@attbi_s53...
    > >> Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    > >> is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    > >> have Windows 2000. Is it safe to assume that my e-mails are kept private
    > >> from my employer since they are sent using SSL? Does Windows 2000 Server
    > >> have monitoring tools built in or would our employer have to purchase such
    > >> monitoring tools separately?
    > >>
    > >> Also, it's my understanding that using a keyboard log program is illegal.
    > >> Is this correct?
    > >>
    > >> Thanks
    > >>
    > >>
    > >
    > >My $.02 worth. I am in Australia. Our corporate security policy disallows:
    > >- Web based email. Reason: The mail and its attachments do not pass through
    > >our firewall (as email) or antivirus.

    >
    > You don't have desktop anti-virus protection?


    Yes we do.
    The main problem here is organisations that have a large number of desktop
    clients. A new virus entering from the Internet via email has a window of
    opportunity until its signature is deployed to every one of them - this can
    take days, even weeks. Disallowing web-based email for SMTP blocking every
    executable, or anything known to carry an executable including .zips and
    'whitelist' what you want to get through also helps - users soon fall into
    line.

    >
    > >- Unauthorised encryption of email including smime and pgp. Reason: Again
    > >the difficulty is with checking content for fraud, theft or malware.
    >
    > Very valid.
    >
    > >- Unauthorised inspection of email by IT admins. Reason: It's a people
    > >problem and only HR can authorise inspection.
    >
    > Also very valid. IT should not abuse their authorized access.
    >
    > >It does allow reasonable personal use of email - this discourages (but
    > >doesn't cut out) abuse.
    >
    > Similar to the phone on your desk.
    >
    > >One other thought I've had is that the use of Bayesian Inference for Spam
    > >filtering could be extended for other purposes like automated checking for
    > >commercial espionage, fraud and other abuses without human inspection.
    >
    > The problem is that a legitimate business email and an illicit one have
    > basically the same content. What makes one legit and one illicit is
    > mainly the recipient, not what it says. That would be hard to
    > automate, I would think.
    >
    > Likely the best one could do is say "the following emails sent this
    > week referenced the Secret Omega Project" and some person would have
    > to vet that whole list, checking senders and recipients against a
    > known-good-list, for possible improper activity. That would be pretty
    > labor-intensive.
    >
    >


    I think you underestimate the power of Bayesian inference. Time will tell -
    at present I don't have time to test it.

    David
    David Q F, Oct 2, 2004
    #19
  20. HB2

    Wimbo Guest

    HB2 wrote:
    > Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    > is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    > have Windows 2000. Is it safe to assume that my e-mails are kept private
    > from my employer since they are sent using SSL? Does Windows 2000 Server
    > have monitoring tools built in or would our employer have to purchase such
    > monitoring tools separately?
    >
    > Also, it's my understanding that using a keyboard log program is illegal.
    > Is this correct?
    >
    > Thanks
    >
    >

    The use of SSL isn't always as secure as you might think. There are
    numerous appliances and software packages available which do an SSL
    man-in-the-middle attack. Examples are WebProxy from @tStake and SSL 1Box
    from FinJan.

    [QUOTE FROM FINJAN WEBSITE]
    FinJan SSL 1Box™
    This solution enables threat analysis of encrypted SSL/HTTPS traffic and
    enforces SSL certification.
    SSL 1Box™ decrypts SSL/HTTPS traffic and reveals the original data,
    allowing Internet 1Box™ or another security proxy to perform security
    analysis and defend against hidden attacks. Furthermore, the device
    maintains role based policies to allow/block access of SSL traffic carrying
    an invalid certificate. SSL 1Box™ maintains confidentiality and preserves
    user privacy
    [/END_QUOTE]

    The only way to find out if your company has such a device is to examine
    the SSL certificate and find out who issued it.

    In companies where SSL traffic is used a lot for (actual) work (for
    banking, extranets access etc.) these devices are more and more common.
    Viruses, malware etc. received by webmail or downloaded via https websites
    are discovered and acted upon accordingly with these appliances / software
    packages.

    Wimbo
    Wimbo, Oct 6, 2004
    #20
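The certificate check Wimbo describes (look at who issued the certificate you are shown), as an added example that is not part of the original post. It compares the issuer and SHA-256 fingerprint seen on the current network with values noted for the same site on a trusted network; the host, CA names and certificate bytes are constructed.

```python
"""Added example: tell whether an HTTPS certificate was re-signed on this network.

Works on the dict returned by ssl.SSLSocket.getpeercert(). The host, CA names
and certificate bytes below are constructed; none of them come from the thread.
"""
import hashlib
import hmac
import socket
import ssl


def issuer_fields(cert):
    """Flatten getpeercert()['issuer'] (a tuple of RDN tuples) into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def fetch_cert(host, port=443, timeout=5):
    """Return (decoded certificate, DER bytes) as presented on the current network.

    Verification uses the machine's trust store, so a certificate re-signed by
    a CA that the employer installed there validates without any warning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def assess(cert, der, expected_issuer_org, pinned_sha256=None):
    """Compare what this network presents with what was recorded elsewhere.

    expected_issuer_org and pinned_sha256 are values noted for the same site
    from a network the user trusts (for example, at home).
    """
    issuer = issuer_fields(cert)
    org = issuer.get("organizationName", "")
    fingerprint = hashlib.sha256(der).hexdigest()
    issuer_ok = org.casefold() == expected_issuer_org.casefold()
    if pinned_sha256 is None:
        pin_ok = None
    else:
        wanted = pinned_sha256.replace(":", "").lower()
        pin_ok = hmac.compare_digest(fingerprint, wanted)
    if not issuer_ok:
        verdict = "re-signed"             # a different CA vouches for the site here
    elif pin_ok is False:
        verdict = "reissued-same-issuer"  # same CA, new certificate: usually a renewal
    else:
        verdict = "unchanged"
    return {
        "issuer_org": org,
        "issuer_cn": issuer.get("commonName", ""),
        "sha256": fingerprint,
        "issuer_matches": issuer_ok,
        "fingerprint_matches": pin_ok,
        "verdict": verdict,
    }


# Constructed samples in getpeercert() layout; the DER values are stand-in bytes.
DIRECT_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
}
DIRECT_DER = b"constructed stand-in for the DER bytes seen at home"
INSPECTED_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Web Inspection CA"),)),
}
INSPECTED_DER = b"constructed stand-in for the DER bytes seen at work"
HOME_PIN = hashlib.sha256(DIRECT_DER).hexdigest()

if __name__ == "__main__":
    print(assess(DIRECT_CERT, DIRECT_DER, "Example Public CA", HOME_PIN)["verdict"])
    print(assess(INSPECTED_CERT, INSPECTED_DER, "Example Public CA", HOME_PIN)["verdict"])
```

For a live check, pass the two values returned by `fetch_cert(host)` to `assess()` together with the issuer and fingerprint recorded from the trusted network.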