- Surfing at Work
- Posted by HB2 on September 28th, 2004
Sometimes I write e-mails using a web based format (yahoo). When the e-mail
is of a personal issue I use megaproxy because it is SSL. Our PCs at work
have Windows 2000. Is it safe to assume that my e-mails are kept private
from my employer since they are sent using SSL? Does Windows 2000 Server
have monitoring tools built in or would our employer have to purchase such
monitoring tools separately?
Also, it's my understanding that using a keyboard log program is illegal.
Is this correct?
Thanks
- Posted by Mr. Babco on September 28th, 2004
"HB2" <bgreer24@comcast.net> wrote in message
news:Lll6d.275208$Fg5.251822@attbi_s53...
Let me start with your last question. I'm not 100% sure of the legalities of
using a keystroke logger but it is definitely an unethical practice. Your
best bet is to assume that your computer and its data transmissions are being
watched. Using a web mail like yahoo etc. is certainly within the bounds of
most employers and the preferred method by many admins./company execs. Of
course there is always a darker side of things, such as very curious admins
that have no business in your personal email - but are still looking at it.
SSL will prevent much of this sort of thing and is always a sure bet.
Generally employers will need to buy third party software in order to get a
clear view of your internet activities, but there is always open source
software that can be used for this as well. Windows 2000 doesn't have
anything that will track your activities - not known publicly at least!
- Posted by andy smart on September 29th, 2004
HB2 wrote:
| Sometimes I write e-mails using a web based format (yahoo). When the e-mail
| is of a personal issue I use megaproxy because it is SSL. Our PCs at work
| have Windows 2000. Is it safe to assume that my e-mails are kept private
| from my employer since they are sent using SSL? Does Windows 2000 Server
| have monitoring tools built in or would our employer have to purchase such
| monitoring tools separately?
|
| Also, it's my understanding that using a keyboard log program is illegal.
| Is this correct?
|
| Thanks
Actually, there is a good reason for them to be even more suspicious if
they find you doing it - how do they know you're not using it to send
confidential company data off site? Rather than try to be underhand
about it, why not just ask them what their policy is?
- Posted by Mike on September 29th, 2004
HB2 wrote:
didn't then you shouldn't be doing it. Do you walk into friends' houses
and take over their TV and video recorders for your own purposes? Of
course you don't, so why take liberties with your employer's time, money
and equipment?
If you are writing emails that you would not like your employer to read,
don't do it at work, dummy!
There are monitoring tools that can record an entire data stream, however
fragmented, reassemble it and play it back. You wouldn't know whether
your employer had these tools until it was too late (probably at the
point you are sacked).
--
------------------------------------
Real email to mike. The header email is a spam trap and you will be
blacklisted, submitted to anti-spam sites and probably burn in hell.
- Posted by Moe Trin on September 29th, 2004
In article <Lll6d.275208$Fg5.251822@attbi_s53>, HB2 wrote:
http://groups.google.com
and search for "Surfing at Work". You'll find this covered very
well - and even find postings from wankers who have been fired for
this, whining that the employer had no right to do that to them.
Do you honestly think that because your SSL session (trivial to detect)
can't be decoded, the employer is going to ignore it? You are either
extremely stupid (and should be fired as unsuitable for the job) or are
on drugs. If they are prescription drugs, contact your doctor immediately.
You're joking, right? And you haven't seen ANY posting in this group
about stuff that runs on the firewall.
Don't ask for "legal" opinions on Usenet - they're worth less than what
you paid for them. Consult your own lawyer. And this has also been
covered many times on Usenet.
You're posting from an IP address allocated to Illinois. IF you can prove
to a judge that you were never warned that your use of the computer may
be monitored, you might get a finding in a "Wrongful dismissal" case. Do
let us know.
Old guy
- Posted by David Q F on September 30th, 2004
"HB2" <bgreer24@comcast.net> wrote in message
news:Lll6d.275208$Fg5.251822@attbi_s53...
My $.02 worth. I am in Australia. Our corporate security policy disallows:
- Web based email. Reason: The mail and its attachments do not pass through
our firewall (as email) or antivirus.
- Unauthorised encryption of email including smime and pgp. Reason: Again
the difficulty is with checking content for fraud, theft or malware.
- Unauthorised inspection of email by IT admins. Reason: It's a people
problem and only HR can authorise inspection.
It does allow reasonable personal use of email - this discourages (but
doesn't cut out) abuse.
One other thought I've had is that the use of Bayesian inference for spam
filtering could be extended for other purposes like automated checking for
commercial espionage, fraud and other abuses without human inspection. Once
alerted, an admin/HR person could manually check.
Last thought, "Do you have an Internet connection at home?"
David Fosdike
dfosdike at nospam(leave this out and change 'dots' and 'at') dot elders dot
com dot au
- Posted by Mark Landin on September 30th, 2004
On Tue, 28 Sep 2004 23:56:12 GMT, Leythos <void@nowhere.org> wrote:
You make some false assumptions. First, privacy laws and employee
rights vary by country. The EU, for instance, is much more protective
of employee privacy than the US, even when the employee is using
company resources on company time.
Second, I for instance do not fill out a time report as I am a
salaried employee. The OP may not do a time report either.
As far as theft of company resources, what is "stolen"? It may be more
accurate to say "unauthorized use" of company resources, which is
certainly a different concept than theft. While unauthorized use can
be grounds for discipline or termination based on violation of company
property, it is not a criminal act like thievery.
- Posted by Mark Landin on September 30th, 2004
On Thu, 30 Sep 2004 10:38:03 +0930, "David Q F"
<dfosdike@elders.com.n!o!s!p!a!m.AU> wrote:
You don't have desktop anti-virus protection?
Very valid.
Also very valid. IT should not abuse their authorized access.
Similar to the phone on your desk.
The problem is that a legitimate business email and an illicit one have
basically the same content. What makes one legit and one illicit is
mainly the recipient, not what it says. That would be hard to
automate, I would think.
Likely the best one could do is say "the following emails sent this
week referenced the Secret Omega Project" and some person would have
to vet that whole list, checking senders and recipients against a
known-good list, for possible improper activity. That would be pretty
labor-intensive.
- Posted by HB2 on September 30th, 2004
First of all, who said anything about abuses? Second of all, have you ever
made a personal phone call from work?
"Leythos" <void@nowhere.org> wrote in message
news:MPG.1bc3c633d30a560e989766@news-server.columbus.rr.com...
- Posted by HB2 on September 30th, 2004
I know the policy of Internet use in my company and I do not violate it. My
questions here are related to privacy.
"andy smart" <anonymus@discussions.microsoft.com> wrote in message
news:cjegrt$8rf$1@newsfeed.th.ifl.net...
- Posted by KG6VQE on October 1st, 2004
To reiterate what was said....As a Sys Admin, I (the company) own all
material on company equipment, and any data coming across the line is
considered "Company Data". If someone is using encryption, or SSL to
encrypt data, it is my job to question "why". We have a lax security
program, usually based upon management's discretion. When we suspect
someone, I am usually tasked to get all pertinent data. We seize (copy) all
data on the server, copy or clone the data on the workstation, redirect and
read email, and monitor the activity on the line.
The net sniffing programs available will allow us to see raw data going
across the line, but usually we can get by with monitoring SYSLOG info at the
proxy server (and/or firewall), and then do a reverse IP lookup for what sites
are being used by the employee.
Privacy is a fleeting premise. At work, there is no privacy. People at
first are shocked when they find out we can read email and personal files,
then they learn there is little they can do about it.
As for whether we can see raw, encrypted SSL traffic, probably not....but we
would question what you are using on ports 445. That is a beacon that says
this person is doing something they "PROBABLY" should not be doing, on
company time.
We had one case where the employee copied personal files from home on to
a company laptop, after their personal laptop broke....in there, there were
NUDE pictures of the employee, and another of a friend of the employee.
When the laptop was turned in, she requested files that belonged to her
then-dead brother be sent to her...The company, not wanting to hurt the
employee's feelings, asked me to copy the files from the laptop pertaining
to the employee and the brother. That was when the files were discovered.
The employee, believing they were safe because they did not divulge the
password, were wrong.
There was no privacy at that time....We turned the case over to an attorney,
who told us to give her only files pertaining to her brother, and erase the
hard drive...which we did.
Moral of story, there is NO privacy working for a private company. So think
bank records, SSNs, private messages, photos...up to the discretion of the
Technical department. Bottom line...BEWARE!!!
"HB2" <bgreer24@comcast.net> wrote in message
news:Lll6d.275208$Fg5.251822@attbi_s53...
- Posted by David Q F on October 2nd, 2004
Mark,
Thanks for your comments,
"Mark Landin" <mark.landin@tdwilliamson.com> wrote in message
news:l5bol0h4a1hsmqn1h7g9mooorq0c4deddq@4ax.com...
Yes we do.
The main problem here is organisations that have a large number of desktop
clients. A new virus entering from the Internet via email has a window of
opportunity until its signature is deployed to every one of them - this can
take days, even weeks. Disallowing web-based email, and for SMTP blocking every
executable, or anything known to carry an executable including .zips, and
'whitelisting' what you want to get through also helps - users soon fall into
line.
I think you underestimate the power of Bayesian inference. Time will tell -
at present I don't have time to test it.
David
- Posted by Wimbo on October 6th, 2004
HB2 wrote:
numerous appliances and software packages available which do an SSL
man-in-the-middle attack. Examples are WebProxy from @stake and SSL 1Box
from FinJan.
[QUOTE FROM FINJAN WEBSITE]
FinJan SSL 1Box™
This solution enables threat analysis of encrypted SSL/HTTPS traffic and
enforces SSL certification.
SSL 1Box™ decrypts SSL/HTTPS traffic and reveals the original data,
allowing Internet 1Box™ or another security proxy to perform security
analysis and defend against hidden attacks. Furthermore, the device
maintains role based policies to allow/block access of SSL traffic carrying
an invalid certificate. SSL 1Box™ maintains confidentiality and preserves
user privacy
[/END_QUOTE]
The only way to find out if your company has such a device is to examine
the SSL certificate and find out who issued it.
In companies where SSL traffic is used a lot for (actual) work (for
banking, extranets access etc.) these devices are more and more common.
Viruses, malware etc. received by webmail or downloaded via https websites
are discovered and acted upon accordingly with these appliances / software
packages.
Wimbo
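The issuer check Wimbo describes, as an added example that is not part of the original post: a small Python script that reads the leaf certificate's issuer in the shape `ssl.getpeercert()` returns and compares it with an allow-list recorded from a network you trust. The host name, the allow-list entries and the two sample certificate dicts are constructed for illustration; `fetch_peer_cert` is included for live use and needs network access.

```python
import socket
import ssl

# Constructed allow-list: the issuer organisation seen for each webmail host
# from a trusted network (home, mobile). Hypothetical values, not real CAs.
EXPECTED_ISSUERS = {
    "mail.example.com": {"Example Public CA Inc"},
}


def rdn_to_dict(rdn_sequence):
    """Flatten the nested tuples ssl.getpeercert() uses for 'issuer'/'subject'
    into a plain {attribute: value} dict."""
    out = {}
    for rdn in rdn_sequence:
        for key, value in rdn:
            out[key] = value
    return out


def issuer_org(cert):
    """Return the issuer's organizationName, falling back to commonName."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    return issuer.get("organizationName") or issuer.get("commonName") or "<no issuer>"


def check_issuer(host, cert, expected=EXPECTED_ISSUERS):
    """Return (ok, issuer_name). ok is False when the certificate presented for
    host was signed by an organisation not on the allow-list, which is what an
    SSL-inspecting proxy that re-signs traffic with its own CA looks like."""
    org = issuer_org(cert)
    allowed = expected.get(host)
    if allowed is None:
        return (False, org)  # no baseline recorded for this host
    return (org in allowed, org)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect with the platform trust store and return the leaf certificate dict.
    A verification failure is returned as an error dict rather than raised: an
    inspection CA that is NOT in the trust store shows up exactly that way."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    # Constructed certificate dicts in getpeercert() shape (not real certificates).
    genuine = {"issuer": ((("countryName", "US"),),
                          (("organizationName", "Example Public CA Inc"),),
                          (("commonName", "Example Public CA G2"),))}
    intercepted = {"issuer": ((("organizationName", "ACME Corp Web Filter"),),
                              (("commonName", "acme-proxy-ca"),))}
    for label, cert in (("genuine", genuine), ("intercepted", intercepted)):
        ok, org = check_issuer("mail.example.com", cert)
        print(f"{label}: issuer={org!r} matches baseline: {ok}")
```

If the proxy's CA has been pushed into the workstation's certificate store, verification succeeds and only the issuer comparison reveals the interception, which is why the baseline has to come from a machine the employer does not manage.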
- Posted by Bill Unruh on October 6th, 2004
]HB2 wrote:
]> Sometimes I write e-mails using a web based format (yahoo). When the e-mail
]> is of a personal issue I use megaproxy because it is SSL. Our PCs at work
]> have Windows 2000. Is it safe to assume that my e-mails are kept private
]> from my employer since they are sent using SSL? Does Windows 2000 Server
No.
]> have monitoring tools built in or would our employer have to purchase such
]> monitoring tools separately?
both.
]>
]> Also, it's my understanding that using a keyboard log program is illegal.
]> Is this correct?
No, it is not AFAIK illegal. Employers can more or less do what they want
with their own computers. There may be some expectation of privacy, but it
is pretty weak WRT computers I believe.
- Posted by Lawrence A Rodis on October 7th, 2004
"Bill Unruh" <unruh@string.physics.ubc.ca> wrote in message
news:ck17o1$l2e$1@nntp.itservices.ubc.ca...
like a charm.
- Posted by nemo outis on October 16th, 2004
In article <Lll6d.275208$Fg5.251822@attbi_s53>, "HB2"
<bgreer24@comcast.net> wrote:
Ignore the nascent Nazis who thrill to tell you you will be fired
for sending email from work, etc. Shit, never mind your internet
habits, in the fascist US you can be fired for ANY reason or NO
reason - most contracts of employment are "at will." Most of
the rest of the world is more civilized.
But, in any case, don't let officious low-level functionaries
(e.g., sysadmins) with megalomaniacal dreams of power turn you
into one of the sheeple.
You are not a medieval serf. You are selling your services for
money. There is a reciprocal benefit. Your company should value
your services and it would cost them a lot of money to replace
you. You should not rip the company off by excessive use of
company facilities for personal matters, but the company should,
in turn, not try to run the company like a Dickensian sweatshop.
If they have so little regard for you as to disregard your
privacy then you are better off without them. They don't need to
continuously shine a flashlight up your ass to make sure you are
working - they can manage by results. (A dusty old book I once
read said: By their fruits ye shall know them.)
Yes, you will get rants here and elsewhere about how you owe
every second of your existence to the company and that if you so
much as go to the can they have the right to check if there is a
turd in the bowl in case you were just malingering. You decide
if you're willing to live like that - I'm not.
But before the inevitable flames begin from the net-nazis who
revel in the vicarious thrill of telling you that you will not
just be fired but burned at the stake in the company parking lot,
let's discuss mechanics.
Encrypted communications over the company net is one way but while
they cannot check content they can know you are doing it. So let
me explain two alternatives:
1. Get an (ordinary analog) modem and surf out on the fax
line. There are prudential issues about being unobtrusive, not
hogging the line, etc. but any reasonable person will quickly
figure these out for himself.
2. Get a digital modem (not an ordinary analog one - you'll
fry it!) and surf out through the company PBX system. Yeah,
they're a bit pricey - life's a bitch! But it is very, very rare
for companies to monitor this.
For both 1 and 2 you'll need a dial-up ISP.
There are more sophisticated methods of actually using the
company internet but I will not describe them here.
Regards,
- Posted by Ant on October 16th, 2004
"Leythos" wrote...
I'm glad I don't work in the US then. In the UK you could have them
for unfair dismissal if they couldn't come up with a valid reason.
[snip]
This is not true for the UK. You are entitled to regular comfort
breaks if your work involves staring at a computer screen for most of
the day, irrespective of any contract.
[snip]
Again this is not true in the UK. Various health and safety
regulations, and other laws, come into play. The company owes you a
comfortable, safe, and hassle-free working environment.
- Posted by nemo outis on October 17th, 2004
In article <hb63n01hkhr0qv59c48ma9ig64tu665327@4ax.com>, Jim Watt <jimwatt@aol.no_way> wrote:
So tell me, Jim, where do you buy those nifty brown shirts of
yours? - you know, the ones with the epaulets and insignias and
all.
Regards
PS As I predicted, the vicarious enforcers of pettiness have
already come out of the woodwork.
- Posted by nemo outis on October 17th, 2004
In article <ztS8d.24$dN5.8@text.usenetserver.com>, Wimbo <wimbo_online@_REMOVETHIS_hotmail.com> wrote:
...snip...
Only the terminally stupid do not examine certificates and
independently verify them for the encrypted proxies they use.
Moreover, sensible folks do not keep them in their certificate
store at work (which might be tampered with) but use them only on
a "per session" basis (although even that is rather sloppy
practice - I prefer to boot from a Knoppix MiB CD).
Regards,
- Posted by nemo outis on October 17th, 2004
In article
<MPG.1bdb591789b69521989873@news-server.columbus.rr.com>, Leythos
<void@nowhere.org> wrote:
...snip...
No, it has very little to do with folks stealing company services
and materials. For comparison, most companies shrug off
stationery shrinkage. A manager who made a fuss about any other
than a flagrant case would not just be regarded as a martinet but
laughed at as a bloody fool.
No, where it is not based on paranoia, suspicion, and a
pathological desire for micro-control (still uncommon but
unfortunately becoming more prevalent as the US slides ever
further to the right) corporate-net-nazism has far more to do
with company liability for harassment and so forth. Companies
have supinely acceded to the 20-year PC trend of vicarious
liability for everything their employees do. It's just part of a
larger trend of "blaming everyone else for everything that
happens in one's life" that has led to the US being one of
the most lawyer-infested litigious societies on earth.
As for the rest of the world, it is more civilized. Not just as
a matter of customary usage but by legal right, employees have a
right to privacy except where there is a compelling need to the
contrary. And notice must be given of any monitoring.
The thought that you give up all human dignity, including all
right to privacy, when you are at work is mostly a US aberration.
The rest of us are not in bondage or serfdom: we sell our labour,
not our souls. The level of surveillance many USians are subject
to on the job is greater than that in some prisons! That USians
put up with such shit is amazing.
You owe them a fair day's work for a fair day's pay. No amount
of lawyerly verbiage turns a man into a robot - unless he lets
it, of course, which is what you urge.
But here's my suggestion: Since you owe the company your full
unremitting energies while at work, they should have the right to
video-tape you fucking the wife Sunday night, lest your
overenthusiastic exertions leave you not ready to put forth your
best efforts Monday morning. After all, you OWE it to the
company.
...snip...
I love it when the dander of a sysadmin is raised and he goes
into his "spy versus spy" story of how you will certainly be
caught and flaying alive will be the minimum penalty.
No, that isn't how it works. I've been doing this for decades
(as an engineering consultant to dozens and dozens of firms from
large to small) without ever being caught. In all but a few
cases, security budgets are thin and shrinking, and the sysadmins
are ignorant, grossly overworked, and don't have time to scratch,
let alone detect and suppress folks who use a modicum of skill
and judgment in bypassing the rules.
Don't believe me? Well I've got an "existence proof" for you:
the gigantic number of corporate security failures that continue
to happen year after year.
Regards,
PS While it varies from company to company, for instance,
the PBX system is often not even part of the remit of the
computer sysadmins - it's often in some other department, such as
office services or the like. A modest effort in research and
preparation will quickly reveal such security holes and lapses in
a particular organization.