[jeena]

I would be interested of the reason because we've been fighting this successfully for a number of years with our clients IT departments (while we were smaller). They hired us to make the developement process better and one of the things we always found problematic was that when the software developers didn't have normal internet access (but instead tunneled everything through some bottleneck http proxy) they both lost the good developers because they were fed up with not being able to do their job efficently and thus the quality of their software went down.

A year ago we've been bought by a big company to help them do what we did untill then but on a much bigger scale. The first thing we did was to get rid of the restricted internet. And now we again help our customers (big car manufacturers) to make their processes better. And even for here every developer has free access to the Internet to be able to work efficiently.

But as I said in the beginning, I'm really interested in the reasons for this behaviour of those large companies. My suspission is that it's just easier for the IT department to work against the developers instead of helping them to do their job.

[tptacek]

There are IT shops with large dev teams that don't put proxies between their users and the Internet, but in every one of them that I'm aware of, developer laptops are subject to intrusive continuous monitoring. And, even at firms where there are no proxies, VPNs are problematic.

The reason is that large firms are legally obligated to make sure that insiders aren't exfiltrating protected or confidential information.

[patio11]

The reason is that large firms are legally obligated to make sure that insiders aren't exfiltrating protected or confidential information.

If it makes people feel better about this, the same countermeasures also help with the case "Adversary pops any laptop in the company via e.g. phishing or malware and then pivots to All The Things." i.e. you don't need to posit non-trust of employees to want to implement continuous monitoring of work equipment.

[mcny]

> If it makes people feel better about this, the same countermeasures also help with the case "Adversary pops any laptop in the company via e.g. phishing or malware and then pivots to All The Things." i.e. you don't need to posit non-trust of employees to want to implement continuous monitoring of work equipment.

Even assuming we don't care about worker privacy and all the stuff, I think we can still do better.

I have no insider information about this (not a Google employee and definitely not associated with the project) but I read some good things about BeyondCorp

https://news.ycombinator.com/item?id=14596613

Regardless of the threat model, "security" has be practical. The main thing business should care about is productivity. I've done subversion checkouts that slow down to a crawl because the malware detection hogs down the disk IO. I've seen "anti-theft" agent go haywire sending a heartbeat too often and making network access unusable.

I haven't had to deal with being denied access to stack overflow and frankly I would take the first offer and quit if I ever had to.

That being said, I think I am OK with random crap running on company owned machines as long as it is reasonable and does not hurt performance. Oh and there should be no expectation that I will take them home with me.

This reminds me of another funny story. One place I worked at, we were not allowed to leave our computers at our desk at the end of the day. We either had to put it in a locked cabinet or take it home with us. Nobody believes me when I tell this story but it is true.

[jeena]

That would only make sense if tethering via your phone, USB-sticks, cameras, and every other way of doing copies weren't allowed on those premisses either. But this is (almost) never the case.

[fulafel]

In some jurisdictions the monitoring is forbidden due to privacy or labour protection laws.