Re: centrally monitored "keylogger"

From: Atom 'Smasher' (atom_at_suspicious.org)
Date: 10/15/04

    Date: Thu, 14 Oct 2004 19:29:16 -0400 (EDT)
    To: security-basics@securityfocus.com


    On Wed, 13 Oct 2004, xyberpix wrote:

    > Can't offer any advice on this one, but one thing that I would be really
    > interested in knowing is how you got away with doing this, as surely
    > this is an invasion of privacy? We want to do the same at our co, but
    > haven't figured a way around it yet.
    ===============

    getting away with it is simple: the computers and network are owned by the
    company and the company can do what they want with those assets.

    the real questions are moral, ethical, liability and logistical issues.

    moral/ethical:
              who is or isn't monitored?
              quis custodiet ipsos custodes? (who shall watch the watchers?)
                      this is an old question.
              what information or activity are you looking for? what is done
                      when you find it?

    liability:
              if an employee (on their break) logs into a bank or paypal,
                      what recourse do they have if their account is
                      compromised? how much trouble can their attorney
                      cause for you? (whether or not the employee violated
                      company policy is really irrelevant here)
              what if an employee is being sexually harassed or stalked
                      by someone who's reading their email (or compromised
                      their password) on company time?

    logistical:
              for every employee you have doing work, it would arguably take
              0.2-1 employees to spy on them. this could effectively cut
              productivity in half! are you looking for keywords? even then,
              how accurate do you think it could be? what if an employee's
              password triggers a filter intended for something else? you are
              looking at collecting MASSIVE amounts of data... it can't be
              reviewed as quickly as it's collected.

    if you have a reason to suspect that an employee is up to no-good, then by
    all means use every resource that you have to fire or prosecute them...
    but to have a policy like this over an entire workforce would only be
    demoralizing and counterproductive.

    really, if an employee is violating company policy by checking their web
    mail between calls, but all of their other metrics are outstanding, do you
    ~really~ want to give them a hard time? the other side of this coin is the
    employee who has crappy metrics and just drools on the keyboard or touches
    themselves between calls... this is an employee you want to retain and
    promote?

    one analogy here is the difference between a beat cop who knows all the
    store owners and locals by name and can ~sense~ when something is wrong
    versus the riot cops who go in and bash heads. instead of taking a
    riot-cop attitude towards your employees, the resources that would be
    wasted on this type of spying could be better used to "reach out" and "get
    to know" the employees... if you have good people doing that (ideally it
    should be good management, but inept management will compound these
    problems) then you'll know immediately who is or isn't doing what they
    should be doing.

    there are plenty of ways to monitor employee metrics without demoralizing
    the workforce. making a guess here, this is a workforce with high
    turnover...? don't make it worse by giving people one more reason to
    dislike working there.

               ...atom

       _________________________________________
       PGP key - http://atom.smasher.org/pgp.txt
       762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
       -------------------------------------------------

              "It really depends upon how our nation
               conducts itself in foreign policy. If
               we're an arrogant nation, they'll
               resent us. If we're a humble nation,
               but strong, they'll welcome us."
                      -- George "dubya" Bush
                      Bush-Gore debate, 11 Oct 2000
