

WOT - Can you tell if your boss monitors company e-mail?


Midnightrider
Posted on Tuesday, December 30, 2008 - 11:38 pm:

My co-workers and I have long suspected that our boss monitors (reads) our emails on the company email account. She's sly and has never specifically acknowledged this - but once she did mention she could tell how often we access our company accounts from home (she actually "expects" that we will check that email periodically on days off, etc, to make sure we don't miss an important message - but that's a whole 'nother conversation).

Consequently we don't use the company account while at work for sensitive correspondence, such as communicating with prospective employers for new jobs.

Some think that if they use other email accounts such as hotmail, yahoo, etc she can't read them. I'm betting she can, though I don't know. Some of us have remote access to secure servers. I can access as https:\gimail.af.mil, but I'm not confident these can't be monitored as well, especially if she uses some sort of keystroke monitor.

Anyway - appreciate any input anyone can provide

d

Ourdee
Posted on Wednesday, December 31, 2008 - 12:00 am:

My guess is she can tell what keys you stroke. Always treat it like she wants to fire you and is looking over your shoulder with a vid. cam. on rec.

'nother conversation). Tell her you get paid a min. 4 hrs. to look at an email from home. If I'm at home, I'm the boss. And my wife said I could say that.

Cityxslicker
Posted on Wednesday, December 31, 2008 - 12:24 am:

If you have an IT department, you can bet that they have the capability to read every damn thing you type, transmit, or receive. Note to safety, if you are using their computers, you have NO expectation of privacy. A company can LEGALLY internally monitor your communications to the level that they deem necessary for their business model and/or paranoia.

And it doesn't matter if it goes through yahoo, hotmail, msn what have you, IT can get at your info from your terminal.
And if you have a company loaned laptop, you should suspect that it is not any safer. You can be fired for an email that says Betty in accounting yadda yadda yadda, and how do you think they saw that email?
And since you work in the Medical field, most of your computer would also fall under HIPAA, they are required by law to do security audits if your business model has ANY patient info on them.
DAMHIK

Froggy
Posted on Wednesday, December 31, 2008 - 12:37 am:

Slicker nailed it. Without knowing your computer or network it would be hard to say, but the technology exists. Key loggers, screen shot programs, and other monitoring and filtering software. Also if you are using Outlook/Exchange, your boss can be set up to have access to your inbox so she can view/send emails as if she was at your computer.

As for expecting you to monitor email from home, that's just lame. My boss even tells me not to do that!

Midnightrider
Posted on Wednesday, December 31, 2008 - 12:38 am:

Thanks Ourdee

Our boss is a person who will, without fail, send you emails about any variety of things while she sits not even 15 feet away from our workcenter.

As far as checking email from home, she tried to come at us with the concept that checking one's work email from home is a "standard" expectation for "professionals" in today's workplace.

By the way, we are nurses who work in an out-of-the-hospital office environment.


I countered with the opinion that it might be true for "professionals" but that I believed that was the sort of expectation that would accompany a salaried position and not an employee paid on an hourly basis. I also volunteered to call several of the nearby hospitals and see how many "expected" their staff nurses to check their work emails at home on their days off. She didn't take me up on that one. I ended it by saying that if there was something so important it couldn't wait until the next day she should simply pick up the phone (and isn't Caller ID a GREAT feature to have?) and call me. That way, I explained, she would be certain that I received the message (this was before she let it slip that she knew who checked their email from home and how often they did it).



That was 6 months ago and we haven't heard anything more about this professional expectation.

Can't figure out why she doesn't like me. Such a puzzle.

Midnightrider
Posted on Wednesday, December 31, 2008 - 12:47 am:

Thanks guys

And I know it's legal and somewhat common practice - I was just looking for some way to confirm it. Might come in handy down the road. Most of us do treat our emails like they are transparent.

Actually a while back I had some issues at my other job (traditional Guardsman in the Air National Guard) that I needed to monitor closely so I brought my personal laptop in to work, hooked up my CAC card (military ID with a computer chip) reader and cell phone/modem connection to access my military base email account. She came out of the office once, noticed all the paraphernalia, and asked me what I was doing. I explained I needed to access secure military websites that required use of my CAC card and since I knew it was against policy to download software to a company computer I was using my personal laptop. Oh, she said, but you are my network? Nope, I said and held up my phone and the cables and said simply "cell phone modem".

Priceless

Danger_dave
Posted on Wednesday, December 31, 2008 - 12:53 am:

Before you press the send button on any email ask yourself if you want the system admin geek to read and CC it too - because he most probably can.

Dummkauf
Posted on Wednesday, December 31, 2008 - 12:55 am:

Your boss can absolutely monitor your email any time they see fit. Even if you don't have an in house IT department someone supports your mail servers and since your boss is the one paying them, they do what they are told. In fact it is common practice in a lot of companies to retain backups of all email communications for at least 3 years.

Key loggers are not needed to monitor company email. If you send email with your work account the message is sent to your work mail server, where a copy is stored for any specified amount of time (and possibly backed up for archives) and then sent on its way to its recipient. This means that they can monitor your email even if you can check and send email from your home PC.

Best practice is to never use your work PC, or email account from any PC, for personal use. It is their system and they can monitor anything going on.

Danger_dave
Posted on Wednesday, December 31, 2008 - 12:55 am:

A good one also knows what web sites you visit and how long you spend there on company time.

's all in the logs.

Cityxslicker
Posted on Wednesday, December 31, 2008 - 12:56 am:

ugh, you do realize that by accessing military sites via cell phone, you lost any security in that connection?...?
I can't believe that they had their protocols set up so that you could even do it. It boggles my mind

Dummkauf
Posted on Wednesday, December 31, 2008 - 01:01 am:

And as far as company misuse of email. Most companies aren't concerned with a few messages here and there. It's when people start adding attachments, pictures & videos, that they start to worry. Someone has to pay for the bandwidth that those messages take up and the disk space used to store them on your mail servers. While this may not seem much to you, in a large company these costs can add up very quickly.

Dummkauf
Posted on Wednesday, December 31, 2008 - 01:02 am:

Cityslixer....depends on the connection.

If they are running end to end encryption, such as a vpn, all traffic traveling over public lines is encrypted and it doesn't matter if you are going across public lines. Assuming you are using strong encryption that is anyway : D

J2blue
Posted on Wednesday, December 31, 2008 - 01:58 am:

Having left the IT world as a systems administrator I can verify the ability to do all that CityX alludes to. However, there is a practical limit to paranoia in the work place. Yes, if you suspect your boss, in a small organization, may be "watching" you then assume all communications, digital or analog, are insecure and act accordingly. But if you are one gopher in a floor full of gophers with some faceless pinhead for a boss you probably don't need to worry too much about being spied upon. As someone who was infrequently called upon to "check" on such things I can tell you it is boring and lame to have to do.

It is possible to encrypt messages inside of messages using your work or some third party email system. Your boss is probably not as sophisticated as she/he may wish you to believe. However, you have to be communicating with someone smart enough to understand how to decrypt your messages on the other end.

In the end you must judge for yourself: how bad does your boss want to catch you doing something wrong, and how much effort do you think they are willing to put in to do it? Security is always a cat and mouse game. Whoever wants to "win" bad enough will win. There are many a mice grateful today that the cat just got bored and walked away.

Midnightrider
Posted on Wednesday, December 31, 2008 - 02:05 am:

cityslicker

a little clarification

most of the sites are not strictly "military" but more military friendly (like TriCare, etc) - not official DoD sites but sites that do allow you to log in with a CAC card vs login/password combo

still, your point is well-taken

thanks for the heads up

Ducbsa
Posted on Wednesday, December 31, 2008 - 06:30 am:

The boredom factor is about the same for security cameras. Apparently no one expects the guard at 3 AM to be watching every screen of a dozen intently and it is mostly for evidence if something does happen.

At one place I worked, one guy spent a lot of time on the internet and was confronted with the log. But, I have a pretty strong suspicion that someone complained and IT wasn't looking for it. At new employers, I have signed off that I wouldn't do personal stuff on their computer. It is winked at, but could be used to can me if they wanted, just like a phony claim in my application.

Babired
Posted on Wednesday, December 31, 2008 - 07:19 am:

I work in a university with over 4,000 staff and I always felt safe with e-mails because there are so many of us to monitor. Should I still feel safe doing personal stuff on my work computer?
I can also check and send e-mail from home. There are 2 big benefits to this, one is after taking a long vacation you can clean up the in-box before you get to your office, and the other is you can e-mail your boss if you need the day off. K

Corporatemonkey
Posted on Wednesday, December 31, 2008 - 07:37 am:

With the commonality of gadgets like Blackberries/iphones/smartphones etc... There is NO reason to access anything personal from a company network.
Now this doesn't work if you are involved with a defense company, as most of them ban anything fun...

As Mudbug mentioned earlier if you fall under HIPAA there are all sorts of hidden requirements.
One that is downright scary is a personal liability risk. If you happen to work for a company that allows remote access from a machine you own (more common than you think), your company is allowed to enter your home to check on YOUR computer. Worse if your system happens to get a virus, you can be held personally liable for any data that is compromised.

If the company provides you a laptop this is usually a moot point, but I am seeing more and more insurance/healthcare companies allow (even encourage) computer staff to access with their own systems, it saves on the cost of laptop.

Corporatemonkey
Posted on Wednesday, December 31, 2008 - 07:40 am:

Should I still feel safe doing personal stuff on my work computer?

Do you care if your coworkers know all about your personal stuff?

I know it sounds paranoid, but everything can come back to bite you in the ass.

Gen Y is getting a crash course on how Facebook/Myspace will ruin their future careers.

Babired
Posted on Wednesday, December 31, 2008 - 07:47 am:

One of the sites blocked at my work is My Space.

Badlionsfan
Posted on Wednesday, December 31, 2008 - 09:01 am:

When they would monitor our sales calls when I worked at summit racing, they could and did pull up your screen on their monitor.

I could always tell when my supervisor was listening in to my calls, I'd get the slightest echo on the phone. To let him know I knew he was there, I'd type stuff like "Mike Sucks", "My supervisor is a retard", etc randomly thru the order entry process. He didn't like that.

Jaimec
Posted on Wednesday, December 31, 2008 - 09:36 am:

If the server and network guys know what they're doing, then management pretty much knows EVERYTHING you do on your company computer.

Including how much time you waste on BadWeb...

Anonymous
Posted on Wednesday, December 31, 2008 - 10:01 am:

This is your boss!
Quit surfing this site!!











































JK it's Spidey ; )

Typeone
Posted on Wednesday, December 31, 2008 - 10:17 am:

on topic, keep in mind it's just as easy to have all your IM discussions logged and sent to an 'admin' where they can browse by your username and view all conversations, neat and tidy in a browser window.

seen it. didn't agree with it, and i was one of the 'bosses'. bumped paranoia in the office 10-fold. not cool in my book but IT was bent on it.

Hootowl
Posted on Wednesday, December 31, 2008 - 10:22 am:

BadWeb shows up in Websense as an automotive site, not a message board. That means I'm not wasting time on a message board right?

The only way an IT department can intercept and decrypt SSL is if they use an SSL gateway and force all SSL connections through it. Companies are becoming increasingly concerned about data leakage. There are products out there that watch everything you type, and even determine whether you can paste text in the particular web site you're at. These systems are hugely complex, and very expensive. Chances are, if you're not working for a Fortune 100, your company isn't employing this technology.

It sounds to me like your boss is a busy body with control issues. I doubt that she has the brains to intercept your SSL connections. And every AV product on the market flags software key loggers as viruses. She could be using a hardware logger, but you'd see that sitting in between your keyboard and computer.

Edit for spelling...spell check thinks "it" is spelled "is". Stupid computer...

(Message edited by hootowl on December 31, 2008)

Hootowl
Posted on Wednesday, December 31, 2008 - 10:25 am:

IM logging requires an IM gateway, like Windows Live Messaging Server. If it's desktop to desktop directly, there is no central logging capability. We can't use IM outside the company for this very reason. Legal doesn't want any unrecorded conversations with customers, and we're too cheap to buy the IM gateway. Blocking the IM traffic is pretty easy, regardless of the port it's on.

Typeone
Posted on Wednesday, December 31, 2008 - 10:38 am:

my skillz only go so deep... all i know is that IT didn't spend a lot of cash, had it up and running in minutes (privately) and you're correct, they didn't block IM traffic completely but chose to snoop instead.

jus sayin' ...

Court
Posted on Wednesday, December 31, 2008 - 10:49 am:

I'm adopting a new personal protocol for the coming year.

I am not an IT guy but have a fair grasp of the legal concepts tempered with a flavor for the economic environment in the next 5 quarters.

I am aware that over 70% of the Fortune 500 companies (Harley-Davidson included) routinely and randomly monitor e-mails, telephone calls and faxes. There are a group that just kinda scan and look in on folks' screens throughout the day. You're being paid by them and they own the equipment, you have ZERO expectation of privacy.

We're seeing but the tip of the iceberg in terms of the American economy. There will be things happen in the coming 18 months that would have been as unbelievable as if you had told someone, say 5 months ago, that the house they paid $500,000 for would be worth $300,000 and their 401(k) would decline by 55%.

I, and this is simply my view, am not placing my job at the least bit of risk.

To that end, I've taken some "work around" measures. But I'm shooting for a ZERO personal e-mails and web browsing on work computers for the next year. I am also cognizant that they can likely track my company IBM T61 laptop and, to that end, will start leaving it at the office UNLESS I am headed to a company meeting.

Nothing wrong here but I, for 2009, am going with the strict construction of the rules protocol. I figure, although the company has never laid anyone off in their history, that when the time comes to take a look around I want them to have nothing but excellent performance to look at when they get to me.

Mr_grumpy
Posted on Wednesday, December 31, 2008 - 11:23 am:

Jeez am I glad I don't work in an office, it's bad enough having satellite tracking in the rig, I can't use half of my favourite restaurants these days because they're not on the computer approved route!

Reepicheep
Posted on Wednesday, December 31, 2008 - 11:45 am:

Hootowl nailed it. Some simple truths that sort of add clarity here:

1) HTTP, Email, FTP and Telnet are terribly insecure. Any punk with an ethernet sniffer and access to the line (and on a cable modem, thousands of houses are "on your line") can trivially monitor your traffic. And probably are right now. Don't say anything on these channels that you would not say loudly in a crowded restaurant.

2) The whole point of HTTPS and VPN connections is that they allow trusted communications through an *untrusted* intermediate network, which is pretty remarkable. So web, cell phone, or carrier pigeon, it can be insanely secure. The way to intercept it (as Hoot said) is to force you to use a proxy, at which point you know you are using a proxy. If you can crack SSL (HTTPS) without a proxy, you should (are?) working for the NSA.

3) Of course HTTPS and VPN only protect the data as it goes through the untrusted middlemen. You are well and truly screwed if either the origination point (your computer) or the destination point (the web server) is compromised.

So as the "middleman" attack became almost impossible, the weakness has moved to the origination and end points. It's more work as you have to crack a box, but ultimately is generally straightforward, as computers can be (a) useful or (b) secure. You choose a spot on that spectrum to operate, and neither is perfect. The fact that Windows is such a security mess (both architecturally and culturally) has made it pretty easy for a determined attacker to monitor your actions.

If you are on a corporate network, where somebody else configures and secures your system, you are pretty much at their mercy.

(for what that's worth).
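
[Added example, not part of any post in this thread.] Hootowl's and Reepicheep's posts both say HTTPS is only intercepted by a gateway or proxy that terminates the connection and re-signs it, which shows up as a different certificate issuer on the client. The Python sketch below compares what one host presents on two networks; the function names, host name and certificate values are constructed for illustration.

```python
import hashlib
import socket
import ssl


def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples of ssl.SSLSocket.getpeercert()."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def observe(host, port=443, timeout=5.0):
    """Return (issuer dict, SHA-256 hex of the leaf certificate) for host.

    Validation uses the system trust store, so a gateway whose CA has been
    installed on the machine validates here just as it does in the browser.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return issuer_fields(cert), hashlib.sha256(der).hexdigest()


def compare(baseline, current):
    """Compare two (issuer, fingerprint) observations of the same host.

    baseline: taken on a network you control; current: taken on the network
    in question, ideally within minutes so a CA switch by the site is unlikely.
    """
    b_issuer, b_fp = baseline
    c_issuer, c_fp = current
    if b_fp == c_fp:
        return "same-certificate"          # identical leaf: not re-signed
    keys = ("organizationName", "commonName")
    if any(b_issuer.get(k) != c_issuer.get(k) for k in keys):
        return "issuer-changed"            # consistent with a re-signing gateway
    return "same-issuer-new-certificate"   # rotation or another CDN node


# Constructed sample data in the shape getpeercert() returns.
HOME_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
}
WORK_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Web Gateway CA"),)),
}


def demo():
    """Run compare() over the constructed observations (fingerprints are fake)."""
    home = (issuer_fields(HOME_CERT), "aa" * 32)
    work = (issuer_fields(WORK_CERT), "bb" * 32)
    rotated = (issuer_fields(HOME_CERT), "cc" * 32)
    return compare(home, home), compare(home, work), compare(home, rotated)


if __name__ == "__main__":
    print(demo())
```

A "same-certificate" result covers only the network path; it says nothing about software running on the computer itself, which is point 3 of the post above.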

Bluzm2
Posted on Wednesday, December 31, 2008 - 11:46 am:

I work for a LARGE Fortune 100 company. I couldn't even tell you how many nodes (PC's) we have globally (tens of 1000's).
My previous position (just changed jobs 3 months ago) was internet security (firewalls, intrusion detection/prevention, all things network (routers, switches, etc.) topology, DNS, DHCP, etc..bla bla bla...).

We have the capability of monitoring AND logging just about everything... BUT... there is the issue of bandwidth. Not network bandwidth but people bandwidth. There just isn't enough hours in a day to real time monitor all traffic or enough skilled folks to do the monitoring.
If a situation comes up where someone needs monitoring, the request usually came from HR or corporate security.
Obviously there had to be some behavior that triggered closer scrutiny. We would have to gather any information that was available or start active logging if requested. Then forward all information to the requestor. Next was to sign an affidavit to confirm chain of custody was properly maintained.
In order to fire someone, you have to cross all the t's and dot the i's otherwise any hack lawyer will get a wrongful dismissal settlement for their new client. You really have to be a screwup to have things go this far.

Our desktop folks also have their tools. Everything from key loggers to browser history.
We even have at our disposal data on every connection at a network level (both in and out) your PC requested.

IM logging can be done WITHOUT a common gateway. IPS/IDS devices are really good at this.
There are also specific appliances available for just this purpose. When I was setting up our IPS system, you wouldn't believe some of the IM conversations we saw. When you have a global company this size you wind up with a few very odd folks with bizarre things in their personal lives...
Trust me, there was a reason for browsing the IM logs and it wasn't for entertainment (but it was fun for a few minutes if you were bored.). Lots of trojans and bot nets use IM of all types for command and control, we looked for obvious machine generated messages or nicknames. You have to scan the message content manually, certain words jump out that catch your eye.

Hoot mentioned SSL and gateways. If the PC has a key logger installed, SSL, IPSEC or any other type of encryption doesn't make any difference. It's like someone looking over your shoulder as you type.

I could go on and on about this stuff but I won't bore you... suffice to say, don't send anything in an IM or email that you would want ANYONE to read or see. They just might.

Brad