zlacker

[parent] [thread] 12 comments
1. cm2187+(OP)[view] [source] 2017-02-28 08:18:07
Yeah. This is a firable offense. The solution to your company MITM your traffic is not to use your work computer for anything personal that matters. It's not like if we had a shortage of devices to connect to the internet.
replies(5): >>ocdtre+93 >>semi-e+38 >>jessau+Yj >>feld+5w >>compug+jI
2. ocdtre+93[view] [source] 2017-02-28 09:02:46
>>cm2187+(OP)
Kinda amazed you got downvoted for pointing out that the parent is essentially advocating for intentionally trying to take down your employer's network because you dislike their IT policy.

This isn't just a fireable offense. Especially given the tendency for computer-related criminal laws to be overly vague, it's entirely possible you could be charged with a crime if you are intentionally trying to DoS your employer's network.

3. semi-e+38[view] [source] 2017-02-28 10:26:05
>>cm2187+(OP)
If you live in a third-world country (or the US) which lacks basic functions of society like employee protection, a sensible minimum wage, universal healthcare, paid parental leave, etc., then yes, I don't recommend doing what my friend did with employing a little "civil disobedience" in such cases.

TBH, for most techies I don't think opposition to MITM boxes comes down to "I don't want them to catch me looking at cat photos" but more along the lines of "this will actually reduce security as much as it improves it, and the companies providing these products are also aiding repressive regimes and human rights violations across the globe". Personally, I would find it unethical for the company I work for to buy these products.

replies(2): >>jamesp+1i >>Anderk+Jn
◧◩
4. jamesp+1i[view] [source] [discussion] 2017-02-28 12:41:37
>>semi-e+38
What countries can you DoS your employers' network in?
5. jessau+Yj[view] [source] 2017-02-28 13:06:34
>>cm2187+(OP)
When I mentioned on a mailing list that we should probably pronounce this like "expect your personal bank info to be pwned" rather than "please don't use work resources for personal purposes", I was reminded that there are lots of perfectly reasonable work-related purposes that are undermined by TLS MitM. Corporate bank accounts, ACH transactions, payroll, vendor accounts, tax portals, employee benefits/401k, etc. All of that stuff should actually be secure.

Incidentally, "Blue Coat ProxySG 6642" was the only middlebox to get an "A" from the study referenced above. Apparently they didn't test for 1.3...

replies(2): >>cm2187+Nn >>daxelr+AP
◧◩
6. Anderk+Jn[view] [source] [discussion] 2017-02-28 13:47:17
>>semi-e+38
> Personally, I would find it unethical for the company I work for to buy these products.

Then leave the company in protest or convince it not to buy them. DDoSing the company's network is somehow not unethical, I guess?

replies(1): >>semi-e+9D
◧◩
7. cm2187+Nn[view] [source] [discussion] 2017-02-28 13:47:30
>>jessau+Yj
Absolutely, but then the right approach is to let the IT dept know that they are running the company into the ground. Often, the IT department or management may be insensitive to that argument (and then you get a Sony Entertainment hack, but then it is well deserved) or they may follow regulations that are beyond their control. But it is a management decision.
8. feld+5w[view] [source] 2017-02-28 15:03:27
>>cm2187+(OP)
My day job includes working on FreeBSD systems and also doing open source FreeBSD work (push upstream, pull down to us). There are sometimes embargoed security notices in my email. There is no chance I will permit my employer to MITM my SSL and risk some clowns in corporate IT from obtaining these mails. (highest security ones are GPG encrypted, but others are not)

I need my personal email to do my work. It needs to stay secure from even my own employer. Period.

◧◩◪
9. semi-e+9D[view] [source] [discussion] 2017-02-28 15:54:00
>>Anderk+Jn
I agree talking to IT is step 1, and I'm assuming that hasn't worked.

Collective action (strikes, "work slowly protests" etc.) as a protest against company policy has a long precedent of a) being protected by law and b) being much more effective than a single employee quitting, while simultaneously reducing the downside for employees (in L_\infty norm).

Edit: the old Keynes quote comes to mind: "if you owe the bank $100 you have a problem, but if you owe the bank $100 million the bank has a problem" -- if 1 of the company's devs commits a "fireable offense", he/she has a problem, but if 100 of them do, the company has a problem.

replies(1): >>raesen+wR
10. compug+jI[view] [source] 2017-02-28 16:31:47
>>cm2187+(OP)
Criminal possibly as well, possibly under the CFAA.

not a lawyer.

◧◩
11. daxelr+AP[view] [source] [discussion] 2017-02-28 17:17:19
>>jessau+Yj
How are any of the things you listed undermined by corporate MitM?

Everything you listed is information that the company already has access to. Why isn't it sufficient for there to be access controls by policy, the same way the company protects other sensitive information from unauthorized acres within the company?

replies(1): >>jessau+i41
◧◩◪◨
12. raesen+wR[view] [source] [discussion] 2017-02-28 17:28:08
>>semi-e+9D
However with collective action, the company is usually aware of their employees actions, here if I'm reading correctly management were not notified that this was happening, so perhaps not quote the same thing.
◧◩◪
13. jessau+i41[view] [source] [discussion] 2017-02-28 18:30:29
>>daxelr+AP
Keep up man! Upthread [0], reference was made to a study that's recently made the rounds detailing the basic insecurity of MitM devices. The problem isn't only that corporate network admins see everything, it's also that after the device downgrades TLS (or worse) attackers can also see what they want...

[0] https://news.ycombinator.com/item?id=13751715

[go to top]