by Cpoll 2251 days ago
A lot of people are saying "not news worthy," but I think this is a far more useful article than the majority of articles posted here:

- It's applicable to most people on this site

- It's actionable: be conscious of what you use your company-issued computer for

I'm convinced that most people aren't aware that this is a common practice. I've talked to people who think it's not possible or that their company doesn't do it. On the flip side, I've worked with enough IT departments to know that most of them have the capability, even if they're not actively using it.

If your computer has any sort of remote management software on it (typically used for pushing mandatory updates), IT can probably also surreptitiously access your filesystem or observe your screen.

1 comments

What I wonder is the best way to determine whether this is going on and if so what it is doing exactly (or in broad terms).

If it's on a computer built for you by work / owned by work, all bets are off. Even if they're not taking screenshots, they can be logging keystrokes or web traffic or anything.

If it's on a device you own:

- Do not install software from your employer that requires admin permissions (i.e., requires typing your password).

- If you're on recent versions of Windows or macOS, various powerful actions like taking screenshots are restricted by default and should at least trigger a permission prompt. You can go to Settings or System Preferences and see which apps have been given permission. If you can, try to install apps only from the OS's app store (because those apps are sandboxed more tightly than traditional desktop apps) or apps from reputable publishers (e.g., it's fine to install Word or Photoshop or whatever, but don't install MyCompany Productivity Helper For Employees).

- Try to get work to give you a corporate device, or a way to work via a web browser or via remote-desktop to a computer on your desk in the closed office or something (and make sure that way doesn't involve installing custom software...).

- If you have to install custom apps, make a separate non-admin user account and don't type your admin password when you're logged into it. Then your company can watch your company work but not your personal stuff.

- If you're installing on a mobile OS, installing apps is generally fine but be very careful about installing a mobile device management (MDM) profile. When you install one, you'll be prompted about what sort of access you're giving your company; make sure you're comfortable with it.

BTW, the same goes for schools - for instance, if your school wants you to install some sort of app for taking remote exams, the purpose of the app is almost certainly to intentionally take screenshots so they know you're not looking at Wikipedia. See if you can install it in a non-admin account, or if your school is issuing laptops, use that (and don't use that laptop for personal stuff).

(Shameless plug: a friend and I run a personal security newsletter and we talked about this a bit last issue: https://looseleafsecurity.com/episodes/newsletter-2020-04-05... and we also have a guide to checking up on MDM on your phone: https://looseleafsecurity.com/episodes/newsletter-2019-12-07...)

In Germany, this would be highly illegal though. (screenshots, keystrokes)

Thank you very much for the detailed answer.