They're totally watching you... right?
November 4, 2008 5:20 PM

I am having a debate with someone about privacy whilst using a work laptop at home, using your own internet connection. Help settle this!

Excuse me if I sound a little dumb about this but my understanding of computer networking is limited to one undergraduate MIS course (which I hated).

The scenario: User is browsing the internet via a work laptop at home, using his own internet connection (no VPN). In this particular situation, web pages that would normally be blocked from work are not blocked. However, google chat in gmail is not functional at work or at home. I'm super paranoid so I think this is indicative of something. But I'm not sure what. He thinks this is irrelevant, and that it is highly unlikely the company will find out what you are doing if you are not connected to their network.

So, am I right? Please give me specific scenarios that would give evidence to the employer being able to monitor or review activities at some point. For the purposes of the debate, let's assume that cookies/cache/internet history are getting cleared, and also that there is no spyware installed locally on the machine.
posted by smalls to Computers & Internet (14 answers total) 2 users marked this as a favorite
 
It depends on what you mean by spyware. Technically, the company can log every single action taken on the computer, and the software wouldn't be picked up by antispyware software because it's legitimate business software.

The operating system can be set up to log all events - application opening, application closing, etc. through built-in audit policies (assuming Windows).

Basically, the computer can have anything on it. If you're using it, it can be set up to know everything that you do.
posted by meowzilla at 5:30 PM on November 4, 2008


If you're using work hardware, assume that anything you do can and will be reported back to the IT staff the next time you connect to your work network.
posted by Jairus at 5:32 PM on November 4, 2008 [1 favorite]


It's possible to block Google Chat via DNS. If your computer is still using your employer's DNS server when it's connecting from home (possible depending on the network configuration), then it might be blocked even when you're not in the office.

You block GMail Chat / GTalk by redirecting DNS lookups of "chatenabled.mail.google.com" to 127.0.0.1.

You can test this, I think, by running "nslookup chatenabled.mail.google.com" from the command line and seeing what it returns? If it doesn't return a valid IP, then you know it's being blocked that way.

That strikes me as the most likely issue, aside from a firewall package or similar (although the Gmail chat feature works over HTTP so it should get caught up by port blocks).
posted by Kadin2048 at 5:35 PM on November 4, 2008


Also, if you want to basically guarantee that whatever you're doing isn't getting phoned home, boot the computer from a Linux LiveCD or similar; this bypasses the employer-installed OS completely and just "borrows" the computer's physical hardware for the duration.

There are still ways to spy on a computer that's booted from a LiveCD, but they're a lot harder than snooping on user actions when you have control of the OS.
posted by Kadin2048 at 5:38 PM on November 4, 2008


Response by poster: Re: Kadin2048's answer. If the computer is using the DNS server to block chat, wouldn't the websites normally blocked at work still be blocked as well? Or is that something else? I originally thought the likely scenario was a firewall based on some googling I did on common ways to disable Google chat, but I was not sure how a firewall and monitoring would work while off the corporate network. Thoughts?
posted by smalls at 5:58 PM on November 4, 2008


Generally, restrictions to access are handled at various layers, depending on how they started, ease of administration, and so on.

Some ports and apps may not work due to active-directory or other enforced policies, which would remain cached if you went home.

Network-based filters will obviously not be there if you are home. Web pages are usually blocked by a proxy server at the office.

Regarding what is okay or not, it's pretty simple:

a) What is the official policy regarding what you are allowed to do with the laptop when out of the office.
b) What is the expected use of the laptop when you are out of the office (Why did they give it to you).

If B conflicts with A - you might have some arguing room, but otherwise, A prevails.
posted by TravellingDen at 6:00 PM on November 4, 2008


Okay, while the respondents above have pointed out valid technical methods by which a work laptop used at home could fairly easily report one's browser history to one's employer... really now. Let's not be paranoid.

Sure, gtalk not working would seem to indicate that they've configured the software to look for the company DNS server, but what is his employer going to do exactly? Fire him for using his work laptop to look at a gaming site on his own time? Really? As long as he isn't surfing pr0n or installing programs, the browser history really shouldn't be all that big of a deal. Unless you're concerned about the morality of anyone else looking at your history, you really don't trust your employer, or you're doing something you'd rather your employer not know about, don't sweat it.
posted by valkyryn at 6:00 PM on November 4, 2008


Best answer: If you run nslookup, what you're looking for is the
server: name_here
address: IPaddress.
If you're running on a local router (one of those $50 from best buy), you'll most likely get
server: unknown with address: 192.168.0.1, which is fine. If you're getting another address:, check out your network settings for a DNS server. However, I don't see a company's DNS servers being external very often, though it's certainly possible.

A lot of corporate AV products (Norton, Sophos, etc), also come with built-in firewalls nowadays which base blocking on both ip address and application name and can easily block apps such as Google Talk, even while off-site.

I originally thought the likely scenario was a firewall based on some googling I did on common ways to disable Google chat, but I was not sure how a firewall and monitoring would work while off the corporate network. Thoughts?

Two different things.

A firewall is like a gateway where all traffic goes through. Depending, they can be configured to log all traffic (ours does). Unless you're connected through a VPN or some tunneling method, you're not going to be going through your corporate firewall off-site. Firewalls,

OTOH, logging can be centric to your computer through any number of methods, which can report to a logging server completely transparent to you when you connect to your company's network again.
posted by jmd82 at 6:08 PM on November 4, 2008
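
Added example, not part of any poster's answer: the two nslookup checks described in this thread (Kadin2048's lookup of chatenabled.mail.google.com and jmd82's reading of the server/address lines) written as a small Python parser. The transcripts are constructed, the label strings are made up here, and only IPv4 output is handled.

```python
import ipaddress
import re

# RFC 1918 and loopback ranges: a resolver here is on the local network
# (e.g. a home router) rather than a server reached across the internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _ipv4s(section):
    """Every valid IPv4 address found in a block of nslookup output."""
    found = []
    for candidate in re.findall(r"(?:\d{1,3}\.){3}\d{1,3}", section):
        try:
            found.append(ipaddress.IPv4Address(candidate))
        except ValueError:
            pass  # digits that are not a real address, e.g. 999.1.1.1
    return found

def parse_nslookup(text):
    """Return (resolver address or None, list of answer addresses)."""
    # The server/address header and the answer are separated by a blank line.
    header, _, body = text.replace("\r\n", "\n").strip().partition("\n\n")
    resolver = _ipv4s(header)
    return (resolver[0] if resolver else None), _ipv4s(body)

def assess(text):
    """Hypothetical labels: which resolver answered, and what it said."""
    resolver, answers = parse_nslookup(text)
    if resolver is None:
        where = "resolver-unknown"
    elif any(resolver in net for net in LOCAL_NETS):
        where = "resolver-local"
    else:
        where = "resolver-external"  # compare with the adapter's DNS settings
    if not answers:
        what = "name-unresolved"
    elif all(a.is_loopback for a in answers):
        what = "name-points-to-loopback"  # the 127.0.0.1 redirect
    else:
        what = "name-resolves"
    return where, what

# Constructed transcripts (not captured from a real machine).
REDIRECTED = ("Server:  UnKnown\nAddress:  192.168.0.1\n\n"
              "Name:    chatenabled.mail.google.com\nAddress:  127.0.0.1\n")
NORMAL = ("Server:  dns.example\nAddress:  203.0.113.53\n\n"
          "Name:    chatenabled.mail.google.com\nAddress:  198.51.100.7\n")
print(assess(REDIRECTED), assess(NORMAL))
```

nslookup sends its query straight to the configured DNS server and does not read the local hosts file, so an entry for the name in the hosts file will not show up in this output.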


On the DNS thing ... basically, Google intentionally provides a method by which network operators can block the chat features of Gmail (probably to keep them from blocking all Google services, or even all Gmail services, when they only want to block chat).

What I think happens is: the GMail web app does a DNS lookup of a special address, "chatenabled.mail.google.com", and if that address doesn't resolve to Google's servers (i.e., if your network admins have their DNS servers configured to resolve it to 127.0.0.1) then it disables chat.

Setting chatenabled.mail.google.com to 127.0.0.1 would disable GMail chat, and possibly GTalk, but wouldn't disable any other Google services, or block any web sites.
posted by Kadin2048 at 6:15 PM on November 4, 2008


It's also possible you have local firewall software installed that's blocking outbound connections to gtalk. A firewall can block connections in both directions, not just inbound.

It's likely that your work 'net connection is forced through a filtering proxy - i.e. webpage access goes through a server that allows some sites and denies others. That obviously doesn't apply when you're using your own ISP at home. Although it's possible your laptop is being controlled and monitored by your IT department remotely using any number of pieces of logging software, it's more likely just a local connectivity problem causing your problem, such as the DNS or firewall.

Have you confirmed the problem isn't your home network, i.e. can another pc on your network access gtalk ok? A linux livecd (such as ubuntu 8.10) would also be a good way to isolate the problem to a software configuration on your work laptop.
posted by ArkhanJG at 10:08 PM on November 4, 2008


Depending on the employer, an "agent" may have been installed on the laptop. This agent can and will record anything from applications opened and sites browsed to every single keystroke made complete with a screenshot taken any time the mouse is clicked.

Some employers state that no programs whatsoever may be run on work computers, whether they be physically on premise or not, unless those programs are installed by the company IT staff, and at one company I am familiar with installing any game, even solitaire, or having a single .mp3 on the computer (legit or not) was grounds for immediate dismissal.

As stated above, you want to assume that every single thing you do on this computer is monitored (if not in real time, by logging which will be inspected when on the company network), and not take any action that will put you in violation of IT policy. Nor should you expect any privacy whatsoever - if you do not want your personal life known to your company IT staff (and possibly your supervisors) you cannot send/write/compose/scan/view that information on a work computer, no matter where that computer is physically located.

In short, you have absolutely -no- privacy while using a work computer, and no expectation of such.
posted by Nixie Pixel at 11:13 PM on November 4, 2008


you have absolutely -no- privacy while using a work computer, and no expectation of such.

second that. print it out in 72pt type and paste it on top of your screen.

you need your own laptop pre monster/pr0n/etc sessions.
posted by krautland at 11:40 PM on November 4, 2008


Depending on the employer, an "agent" may have been installed on the laptop.

Is there any way to find out what agents, audit policies, applications, etc. to track my activity might be running on a work system? I totally accept that I may be being watched, but not knowing just stokes the fires of paranoia...
posted by jluce50 at 6:35 AM on November 5, 2008


Response by poster: Thanks all. He agreed that I was probably right, so I think the debate is settled. And for the record, I know what happens when people use their work laptops for extracurricular activities... my workplace is one of those that locks out all internet use unless it's VPN, monitors (and disciplines for) IM chat, and logs ALL your shit. It's a lovely place to work, as you can imagine. So no need to warn me not to look at teh pornographies on a work computer!
posted by smalls at 1:57 PM on November 5, 2008

