[tptacek]

There are IT shops with large dev teams that don't put proxies between their users and the Internet, but in every one of them that I'm aware of, developer laptops are subject to intrusive continuous monitoring. And, even at firms where there are no proxies, VPNs are problematic.

The reason is that large firms are legally obligated to make sure that insiders aren't exfiltrating protected or confidential information.

[patio11]

The reason is that large firms are legally obligated to make sure that insiders aren't exfiltrating protected or confidential information.

If it makes people feel better about this, the same countermeasures also help with the case "Adversary pops any laptop in the company via e.g. phishing or malware and then pivots to All The Things." i.e. you don't need to posit non-trust of employees to want to implement continuous monitoring of work equipment.

[mcny]

> If it makes people feel better about this, the same countermeasures also help with the case "Adversary pops any laptop in the company via e.g. phishing or malware and then pivots to All The Things." i.e. you don't need to posit non-trust of employees to want to implement continuous monitoring of work equipment.

Even assuming we don't care about worker privacy and all the stuff, I think we can still do better.

I have no insider information about this (not a Google employee and definitely not associated with the project) but I read some good things about BeyondCorp

https://news.ycombinator.com/item?id=14596613

Regardless of the threat model, "security" has be practical. The main thing business should care about is productivity. I've done subversion checkouts that slow down to a crawl because the malware detection hogs down the disk IO. I've seen "anti-theft" agent go haywire sending a heartbeat too often and making network access unusable.

I haven't had to deal with being denied access to stack overflow and frankly I would take the first offer and quit if I ever had to.

That being said, I think I am OK with random crap running on company owned machines as long as it is reasonable and does not hurt performance. Oh and there should be no expectation that I will take them home with me.

This reminds me of another funny story. One place I worked at, we were not allowed to leave our computers at our desk at the end of the day. We either had to put it in a locked cabinet or take it home with us. Nobody believes me when I tell this story but it is true.

[jeena]

That would only make sense if tethering via your phone, USB-sticks, cameras, and every other way of doing copies weren't allowed on those premisses either. But this is (almost) never the case.

[fulafel]

In some jurisdictions the monitoring is forbidden due to privacy or labour protection laws.