if you don’t have your personal browsing using a private profile of a secondary browser which you know you can delete, you are doing it wrong.
Yeah, I can still see that activity. You’re still doing it wrong.
Personal device not on corporate network or you’re doing it wrong.
Sure but people see that you are on the phone while the IT people don’t really care what you do and by bosses aren’t checking those logs so idc. it’s about being discreet on some layers.
If I were at home I wouldn’t need to do anything to hide it since I would use my pc but since I’m in the office I have to get creative.
Also, 5hisbpost was 7 days old :)
As an IT administrator, if your org has GPOs controlling if you can delete your browsing history or not, there is no chance you will be able to install a second browser without admin credentials.
I can confirm there are places where that is possible.
Also as long as they do not whitelist executables, you could use a portable version of a browser.
And you would still get caught on the company device trusting company CAs, thus enabling them to decrypt all your traffic.
Use a personal device on a personal network for personal stuff.
I was talking about the history on device, of course I agree: never expect privacy on a device controlled by someone else.
That might not be enough. I could monitor that on all the devices I manage, if I need to. There are tools to dump browsing info as it’s being committed, or it’s easy to pipe all the traffic from your machine through a VPN to a firewall I manage with a trusted cert injection into your device and inspect the traffic in transit. If you don’t want your employer to see what your up to, don’t use their infrastructure.
Well, yeah, if I worked at home I would use my personal computer for personal things and the workstation for work, it would be pristine. But alas, in the office there’s so much time I can spend pretending that I’m working because I finished my tasks before I implode.
Some risks are necessary :)
It’s not really about IT not knowing, but about being discreet enough that your boss doesn’t see your personal accounts logged in or even worse, to have two chrome profiles, both with obscure names, press the wrong one and to share the screen of saved tabs with Facebook, Instagram, pornhub… Yeah I’ve seen those bookmarks.
It’s… Wtf… If you’re going to be that deranged, at the very least be discreet… Sigh.
Some risks are necessary :)
No, it’s zero-trust all the way down!
not really about IT not knowing
All true, and I’m sure your IT doesn’t care as long as you’re not taking stupid risks
If you’re going to be that deranged, at the very least be discreet
…
I’ve seen things you people wouldn’t believe… a folder full of photos of a sales rep’s feet taken under the table at a meeting… a bookmarked playlist of adult baby porn labelled “Potential Suppliers”… I watched a modded BitTorrent client try to fake VLAN tags for unrestricted Internet access. All those moments will be lost in time, like that expensive label printer from my locked desk drawer… time to get another coffee…
Never do anything on work machines/networks you don’t want to have to explain to hr/legal.
Sr. Systems Admin here. IT does not give 2 shits about what you browse UNLESS something is reported or something trips our Alerts (has to be something major like Child Porn).
We don’t sit there and actively monitor and watch what you are browsing. We investigate when something is reported by a worker or an Alert/Filter gets tripped
HR also doesn’t know unless we tell them.
deleted by creator
Probably for audit/investigation reasons.
IT generally doesn’t care (doesn’t want to care) but you still shouldn’t do personal stuff on work machines/profiles.
Depends on the company size and the people above IT. Sometimes the boss is a chode and demands everyone be supervised like children constantly.
That’s still inline with what they said.
Some companies try to be incredibly controlling
Yeah, but the it’s a good rule anyway, for some of the same reasons as the “Don’t put it in an email if you wouldn’t want it read aloud in a deposition” rule.
Second. I once had a staff member come to me all embarrassed because someone sent a dick pick via some dating app while they was on our corporate wifi. I was like, “I promise we don’t care”.
I mean, its HTTPS right?
Https is no match for work monitoring: pre-installed software, certs.
Pre installed certs would be a huge vulnerability
Uh no? Most organizations use preinstaed certs. They are usually baked into the Windows image for deployment… They are what allow a corporate device to connect to WiFi networks without a password.
RADIUS doesn’t depend on preinstalled certs. But I wouldn’t use Windows anwyay.
All of the “privacy experts” in this sub wouldn’t know a certificate if it bit them in the ass. Most don’t even know of VPNs outside of the “privacy” services hawked by YouTubers.
Certificates can be used to authenticate machines to wired or wireless. This is true. They are much easier to maintain at scale than pre-shared key, especially when you run an internal CA and can issue or revoke them easily/automatically, and when you run a domain and can push out additional trusted root CAs to endpoints.
And if you have either an internal CA or a domain (ideally both), it’s very simple to have your firewall or web filter perform man-in-the-middle “attacks”. Most everything nowadays can handle TLS1.2 and many are starting to support TLS1.3. They essentially break open the traffic for inspection and re-sign it with a certificate that your system trusts so there is no error to the user. Some sites and apps have a hard time with this because of HSTS and pinning, but that’s a bit of a tangent.
I say “attacks” in quotes because they own the hardware and they own the time of the person using it.
Anyways, don’t do anything on a work computer you wouldn’t want your boss to know about. We usually aren’t actively watching the traffic, but some things are hard to ignore, and sometimes the CEO just wants to know who else has a diaper fetish for “official reasons”.
I’m not sure what you’re saying? Those certs log to somewhere and in my experience HR is nowhere near technically literate enough to monitor and track that stuff.
Usually a manager asks a sysadmin to watch someone’s stuff, then the sysadmin and manager tell HR what they find.
We had a contractor spending 90% of his day on reddit who got fired. Hr wouldn’t have been able to pull this info since they don’t have access to the system that tracks it
That only applies to work devices. If you’re using your personal device, they would be able to see traffic to/from a dating website but not the actual content.
Absolutely. Everyone could use that reminder
Also do some really weird things that are innocuous so the HR lady looks at you weird from now on.
Examples please?
deleted by creator
You sick €%#¥! /s
Reload every five seconds the global doomsday countdown clock.
I’m an infrastructure analyst and at my workplace I implement such rules for specific reasons: 1) we need to be able to have evidence should an employee act maliciously with a company device. We do also monitor all queries but it’s passive. We can drill into your browsing history in great detail but won’t unless we have to (speaking personally here as I follow the code). 2) people will do dumb shit. And will lie to get support. Now, having been on the other end of a support ticket, I get it. Unless you lie a little, you may not get support promptly. Therefore, it’s part of my job to check what’s the lie and what’s the actual issue, which includes being able to see the download history. I would not be surprised if malware is accidentally downloaded and then it autonomously removes itself from the download history as It has happened before. Strictly speaking, this is done for both your safety as well as that of the company. And generally speaking, you should NEVER use your work laptop/phone/iPad for personal use because of all of the above.
I use my personal laptop at work, no issues. Employer can’t see what I’m doing which is the way it should be.
If they don’t trust me, don’t hire me then.
I would never work anywhere where people like you can watch what I’m doing. Luckily I’m in IT so I choose where I work.
I despise companies who don’t give employees privacy. The reasons you gave means nothing. You can always argue for anything to protect the company. Who protects the employees?
Safest for the company would be if you have employees in small cells being watched by guards around the clock. That would be really good for the company.
I hear you, and fully get where you’re coming from. I work in the finance industry and we have auditors to answer to as well as a ridiculous number of compliance regulations we have to abide by. Not every business is the same. I’m personally on the no-trust policy when you have more than 50 users to manage but it also depend on company policy. No one is saying you can’t use your personal device at work. We don’t monitor the guest Wi-Fi in any way specifically because that would be an invasion of privacy. I was referring specifically to using a work device, managed by the business, for personal use. The employee is protected by being briefed during first day induction of he does and don’t with regards to the equipment that is provided to them to do their job. Their personal privacy is not infringed upon as there is a clear agreement about what is expected from them. By the way, I’m in the uk (not sure if relevant).
No. The way it should be is using a work-issue laptop at work, but provisioned by you.
If you’ve connected your personal laptop to your work wifi, they 100% can see all your browsing history (specifically whats passed through their network).
Hell, I only run a simple homelab and I can see the exact traffic/browsing history of every device on my home network. I’m only tracking via dns traffic, but your https traffic can even be intercepted and decrypted pretty easily. So don’t even trust that.
This doesn’t require installing anything on your device to fully monitor you.
Yes but all we see is a MAC address and the device ip. Also we have dns-over-https and No other identifier is parsed through. So we can see and block someone browsing porn on the guest Wi-Fi, but we’d never know who it was.
Your ethics goes out the window when being told to do something by your employer.
Maybe you try to look out for the user, but it’s completely wrong that employees should have to trust you to do that.
“Company being protected from misuse” is a blanket term for survellience, same as “fighting terrorism”.
I still stand by my opinion. Companies need to trust employees and not run survellience programs against them. It’s just wrong.
Sure but I work from home. Don’t use their wifi except when I’m in the office. I could connect to a VPN and they would also see a connection to a VPN, but I don’t care enough to do that.
But when I’m at home, working on my computer, they don’t see anything.
deleted by creator
Your time during work hours belongs to the company. If you spend it on private stuff, you’re breaking your contract.
Eh, not really, at least in the US. You are paid to do your job. The company doesn’t own you during work hours. You can refuse to do work that was not in your job description, or ask for additional compensation. The company may fire you for this, but you would have a very compelling wrongful termination lawsuit.
you don’t know shit about my work fuck you!
deleted by creator
Most just monitor your browsing through the Antivirus.
Since they don’t want you visiting porn or malware websites on the corporate network, for good reasons.
Well, since I am IT, I am not about go to snitch on myself.
deleted by creator
I’m in a company that uses Microsoft stuff, but I use a lot of fedora and Linux mint in VMs. The latter is based off Ubuntu at least!
It’s actually kind of nice to be able to save the state of my VM since forced restarts are so infrequent.
deleted by creator
I’m in the process of convincing my management to switch to Linux. The most important thing to them is having a way to remotely delete the pc in case it’s stolen. Does someone know of a solution in Linux for that?
I’m using it, as well as my boss!
Kind of yeah, the rest of the working world uses Windows for good reasons.
deleted by creator
Legacy software with incredible backwards compatibility, exponetially more software options, user familiarity, pretty much everything that active directory provides from user management to group policies, the list goes on.
Im a linux guy, but the thought of rolling out even the most user friendly linux distro gives me nightmares.
deleted by creator
Aren’t they? Changing a legacy app can take years to do the needed research, approval, procurement, and implementation. “Because my IT guy doesn’t like Windows” is a terrible reason to undergo that process.
The same with retraining users on a whole new OS. You’ll spend hours over the course of months answering “where did my C:\ drive go?”. That’s a lot of time you’ll never get back.
Active Directory provides a lot of tools that are familiar to senior techs and easy enough for junior techs to figure out. I might prefer how Salt Stack works but I don’t have time to train dozens of fellow techs.
Linux is cool for a number of reasons, but it isn’t a magic easy button and a wise admin doesn’t swap out fundamental parts of his tech stack without careful consideration.
I’m on Ubuntu at work! The only employee on Linux at a tech company of >150 people! (Where are my Linux nerds?)
Forget chrome management. Any IT shop worth their salt is protecting their egress with a proxy, explicitly or transparently set.
Don’t browse the net on your employer’s network or devices. Use your phone. Get on 4G/5G.
Oh no, my employer might find out I’m looking for other jobs after being overloaded for a year and a half and constantly having my concerns/feedback/process improvement initiatives brushed aside.
I have been hinting to my manager for 6-9 months that he needs to move part of my workload elsewhere so that I can focus and actually achieve something. To think, all it took was for me to tell him straight that I was unhappy and unfulfilled to the point that I was considering resigning. Suddenly he’s all apologies and let’s make changes because you’re kind of vital and we don’t want to lose you.
And I was fired for it. Depends on the market demand I suppose, some industries there is no denying your worth, in others you’re disposable.
I love the fact that firing me what the person you’re answering mentioned is illegal here.
Peace of mind.
Yeah pretty outrageous, I soon found out employment rights in Ontario Canada are practically useless. I had no idea, I thought I had some basic protections, it’s almost nothing.
Shot, i regularly browse jobs websites even though Im not looking to change jobs again soon. Just to keep them guessing.
My work has a 100% mandatory vpn and mitm proxy for ssl scanning. I just use parsec to view my laptop from my desktop and browse what I want on my actual personal computer
Don’t forget the agents they install that take screenshots every 10 seconds!
My work has a 100% mandatory vpn and mitm proxy for ssl scanning
These are worse than useless. They are anti safety. If this box or its private keys get compromised ALL tls traffic of all employees is immediately plaintext.
Any company that buys one of these appliances from mcafee or whatever is asking for it (losing most/all their secrets)
That sort of thing is required for a lot of enterprise certifications. When you do work for government, healthcare, banking, etc. stupid “security” is mandatory for checking off compliance requirements. Not that any of it has to be in any way effective…
when breaking the internet and end-to-end encryption are part of any kind of “enterprise certification” that certification is worthless (or worse) and probably some kind of chinese or russian (or the CIA or whoever, certainly not your friend) psyop. Only a mindless idiot would implement it.
Oh I 1000% agree. But you try to convince my opsec colleagues
Luckily my work hasn’t disabled the remote desktop application protocol. So I do the same, but without parsec.
Can’t install parsec on the work computer, and the web app displays a black screen.
If allowed, doesn’t DoH/DoT mitigate this issue?
Not necessarily, as the browser is still logging the history.
Well that’s what private mode is for, to dump the local data after closing the browser session
I know I’m here a week later, but a large number of system administrators disable browser proxy systems, dns over https, and incognito. It’s a neverending war.
Pretty much, but (noob question) how can they block DoH, wouldn’t they have to block HTTPS completely as well?
They control the browser settings itself. It’s either a work managed device or profile.
Ah ok that makes sense
Not if your employer has installed a root CA on your machine, enabling them to man-in-the-middle all your TLS connections.
Oh that’s a thing? That’s kinda frightening
So only watch mainstream porn on work computers, got it.
I’ve always assumed work will be looking at the browser history. Anyone who assumes they won’t is an idiot.
Softcore is expressly permitted in the IT policy.
Those IT guys need to get off as well you know.
Wow, didn’t know that is possible. Is it same behavior with other browsers?
They can monitor anything they want.
They could even force you to connect to a mainframe instead of your own computer in order to work, and only allow you to click on 3 allowed buttons if they wanted to.
It is their hardware, they can do what they want.
Same can be said for any browser, any app, any connection while on the employers network IF they wished to monitor it. Even if you were able to delete all local browsing history and used private browsing, your employer would still be able to know every site you visit if they wished.
If you’ve authenticated with your credentials on the device, IT is able to see IPs visited and DNS queries and has access to all sorts of network tools to track, shape and otherwise manage your activity.
It’s best to assume that nothing you do on your employers network, even when logging into their corporate VPN from a personal device, is private.
I’m always shocked by privacy conscious people who do not have complete segregation of work and personal equipment and devices.
What about private browsing or running a Firefox portable exe?
No, no, no. Private browsing isn’t private like that. Your ISP and network adminstrator (in this case your employer) can still see every website you access. This is usually explained on the “New private tab” on browsers.
Anything on a work computer, or on a work network, you have to assume is recorded by the office
They can see what IPs you connect to, doesn’t matter what browser you use or if the connection is made from a browser at all
We record network traffic, not data from your browser. We can see every URL any device on the network hits, regardless if the traffic comes from a browser or even a phone app.
In addition, some companies install software on each employee’s machine that enhances what they can monitor on that machine. It may not be labeled “corporate spyware” but something like “endpoint security”, yet it may have the capacity to track pretty much everything you do.
Products such as Cisco Umbrella cover both. There’s a DNS appliance inside the network, as well as a client software that installs on devices that forces them to use Umbrella’s public DNS server when being used on another network.
This means we can track everything on the company owner device, even when you are at Starbucks or at home.
Never expect privacy on any device and/or network you don’t have ownership and control over.
How about DoH? Firefox supports it, and not every IT admin has blocked the ability to use it. (mozilla.cfg)
That only provides a secure connection to the DNS server. The DNS server can still log your activity.
When on a private network, all DNS traffic can be forced to use a inhouse DNS server that records everything.
How is this with mobile devices from your employer. I have a company iPhone and understand that there is a certain “space” on the phone which is controlled by the company, mostly all the Microsoft 365 apps (so, for example it is not possible to copy/paste stuff between MS and non-MS apps).
However, for the rest I would assume that all the other traffic does not go through company servers (probably no traffic at all, as I usually have a local IP), and that they can’t see what I am doing in my other apps. Otherwise they could spy on all my transactions I do in my banking apps for example. But AFAIK iOS apps are pretty much sandboxed anyway.
This might be different on my company PC / Laptop, though.
If your company also pays for your phone’s data bill, we can see a general overview of what sites you visit.
That could be possible, I don’t know. I am not visiting any adult or otherwise inappropriate sites on that phone, but I do a lot of Reddit, Lemmy, Mastodon stuff in my free time. But it was this way for the past 10 years and I never had any problems. Sometimes I think about buying i private phone, but it seems kinda stupid to have two of these devices.
That could be possible, I don’t know. I am not visiting any adult or otherwise inappropriate sites on that phone, but I do a lot of Reddit, Lemmy, Mastodon stuff in my free time. But it was this way for the past 10 years and I never had any problems. Sometimes I think about buying i private phone, but it seems kinda stupid to have two of these devices.
Most companies deploy management software on their mobile devices. They have the ability to monitor activity and do things like remote wipe the device if you’re fired. On iPhone go to settings->general->vpn and device management to see if anything’s there.
Thanks for pointing me to this setting. There are two profiles, one is my personal VPN, which I use for device-wide ad-blocking (AdGuard Pro), another one is the MDM management profile. The latter one consists of a list of managed Microsoft apps (e.g. Outlook, OneDrive, Teams, etc.) and various (device) certificates. I guess nothing to be concerned about.
The security on your device doesn’t matter at all.
For ANY device to reach ANYTHING on the Internet it has to send a lookup request to a DNS server to get the IP of the server.
A privately controlled network can easily force all of those requests through their own private DNS server which captures all activity.
I am actually running AdGuard Pro with a custom DNS on that device.
That device would not be able to reach th custom DNS in the scenario I mentioned. If it cannot fall back to the network’s DNS it would simply fail to reach any websites.
That’s what I meant to say, that your scenario is unlikely in my case.
You can use Tor and your IT won’t be able to see what you’re browsing. They will be able to see that you’re using Tor, and might get grumpy about that, though.
“Tor browser bundle” is the version of Firefox that doesn’t reveal browsing data to the local network.
The use of Tor does show up on the network. The protocol is known and understood, and has been in the detection sets of pretty much every layer 7 filtering product for the last ten or eleven years. What, exactly, is being accessed is largely concealed (but traffic patterns give away a reasonably broad picture of what’s happening).
deleted by creator
I mean it’s not blocked, but if you’re connected to their network, they can still see your traffic if they wanted to.
Yes of course. But OP is asking about Browsing history, which is basically the only think private browsing can do
Private browsing is a fig leaf at best.
Portable Firefox is hit or miss, depending upon the work environment. It’ll definitely show up in file system monitoring, might show up in the logs of the border proxy as an unexpected user agent. The initial download will definitely show up. Removable media might or might not, depending on how group policy is set up.
Everybody has a cell phone nowadays. There’s no excuse not to use your cell phone for private stuff. In fact don’t use the company Wi-Fi. You must use the company Wi-Fi then you must use a VPN
But no excuse anymore not to use your phone, you don’t need to use the word computer to browse, send emails, flirt, whatever
Don’t most work Wifi networks prevent VPN use?
No.
This has not been my experience
Mine does. They also keep an eye on it because I had gotten through it and that only worked a few days before it was blocked too. Didn’t want to press my luck after that.
where the hell do you work dude
Not sure why you’re down voted. Yes some definitely do. You could get around it by hosting your own VPN on 443 or something but some do lock it down.
Their network, their rules. Makes sense.
then spin up your own wireguard instance and connect to it?
Use Tailscale. Much easier to configure and manage than raw WireGuard.
raw wireguard is hard to setup? since when?
I’ve done both. I wrote my own scripts to generate the WG config files to handle variations in configure I needed to make for my different networks (masking, IPv6, cross multiple WG networks).
After converting to Tailscale, WG is just an extra level of hassle I can now easily avoid.
If only it was that easy…
Tried that. And openvpn tun+tap configs, Various ports incl 443, even shadowsocks. None of it gets through.
You must use the company Wi-Fi then you must use a VPN
The company VPN or the client VPN, sadly
I mean if your personal device is attached to a work network use a always on personal VPN.
If you can’t for whatever reason then don’t connect to the wifi!
And if you don’t have a VPN set up, use Tor on your phone:
https://play.google.com/store/apps/details?id=org.torproject.torbrowser
The Tor website provides .apk files for Android, and there is an F-Droid release too. https://www.torproject.org/download/#android
That’s fair, bur if your not using a VPN just don’t connect to wifi at all. Too easy to make a mistake
Guardian Repo on FDroid… preinstalled
Everybody has a cell phone
All of my colleagues have work provided phones and laptops. They do all their personal shit on these devices (they don’t have their own)
They think i’m a huge weirdo for having my own personal devices… “Why waste money? Work gives us computer/phone… Lol, you carry two phones like a drug dealer?”
Just tell them “I don’t want to spend company’s resources for my own private life.”
The only way is to give them back that guilt and fear they are feeling.
WTF? What country? Even at jobs where I was given a phone no one felt like ditching their personal devices.
I suspect its a millenial thing…
A few of us old guys keep personal devices… Our young colleages just expect the company to provide devices for them and never have to buy their own
Or we can’t afford our own 😕.
personal
Decent used laptops are quite affordable. I recently scored one on Ebay for under $100. It runs Linux and everything is snappy.
it’s one thing if they pay for them but if they are actually company devices that’s fucking weird
Nope. It’s not a pay and reimburse situation
Pure company owned devices
I mean if all of them have them and use them, then i would definitely see you as a weirdo.
If a company would have fired someone for what the searched on a company computer, everyone would know by now.
Are there even these cases?
I would love to see the look on your friends faces if they ever got caught doing something they shouldn’t have on company property.
Hustlah 4 lyfe
Then they have nobody to blame but themselves when drama happens.
IT: “You’ve been fired. Please return your laptop…”
“But how do i retrieve all my personal files?”
IT: [Shrug emoji]
Like IT gives you any time to get anything off a corporate-owned device.
When I got laid off, IT sent a bullet to my laptop immediately kicking me off and completely locking me out of it.
I was supposed to have another 4 days to transition my work. I contacted IT and was told once the bullet goes out, that’s it. Any and all access to everything has been terminated. Might as well just go home and enjoy the extra 4 days because no one’s going to undo a bullet going off early unless it comes from the C-suite. So I did.
@EmbeddedEntropy @9488fcea02a9 Okay. Note fur future me: BACKUP🙃
