Kerberos Spying on Work PC?
May 29, 2007 9:02 PM   Subscribe

I was reviewing the Application Logs on my XP machine at work and noticed an error message which concerned Kerberos and mentioned the computer name of a manager in the HR department for my company. The log said something about an incorrect password. Does this indicate that my online activities are being monitored?

I don't do anything glaringly inappropriate, however I do my share of browsing news, blogs, etc. The logged time of the error was just a couple of minutes after I booted up my computer last week. Any ideas on what could be going on? Are there any other tell-tale signs I can look for? I've checked the task manager processes list and haven't noticed anything out of the ordinary.
I've altered my behavior to reflect the possibility that I'm being monitored but I'm just concerned about how invasive this monitoring might be - keystroke loggers, etc. Is this a routine audit or should I be more concerned? I've read a number of posts on workplace privacy but haven't seen information on Kerberos being used for online monitoring.

Thanks for any info on what might be going on!
posted by anonymous to Work & Money (10 answers total)
 
First, Kerberos isn't used for monitoring or auditing - it's used for authentication.

Second, it seems likely to me that if any monitoring is taking place, the probability of it causing the errors you mention is low. Tracking your online habits could take place at a proxy server or other piece of hardware that wouldn't require access to your computer.

I wouldn't worry.
posted by sanko at 9:36 PM on May 29, 2007


Kerberos is an 'authentication protocol,' something to log in with. The bit about the incorrect password suggests that it's not working.

I'm not familiar with workplace computer monitoring. I do seem to recall that, legally, they're supposed to give you notice if they monitor your actions. (A blanket "We may monitor your computer usage" in your contract would do.) With no such policy, it's shaky legal ground. IANAL, of course.

It might not be too crazy any idea for you to contact the named manager, and ask him if he knows anything about it, playing the situation as if you think it's a security threat, but don't ask if he's snooping on you.
posted by fogster at 9:43 PM on May 29, 2007


Kerberos has to do with the Active Directory authentication mechanism.

Unfortunately that's about as far as I go with it :)
posted by puddpunk at 9:48 PM on May 29, 2007


If you are being monitored, there is no reason you'd see anything unusual on your computer. Monitoring network activity would be done by a box in the networking closet. It is unlikely they would put monitoring software on your box since it's a hassle, you might see evidence of it, and you could probably circumvent it.

I know this doesn't put you at ease but it's the truth.

And yeah, Kerberos isn't used for snooping on folks. Is it possible someone was trying to reach one of the network shares on your box?
posted by chairface at 9:52 PM on May 29, 2007


There's a big difference between corporate-policy-sanctioned big-brother monitoring -- the type that would be done via methods that don't leave a trail, as mentioned above -- and a nosy boss without official permission to access your box, but who tries to surf your shares and such anyway. That's the sort of thing that will trigger a Kerberos error.

However, other things will do this as well: your boss accessing your share by accident while trying to access another share they're allowed to access, or needing a document from you and, thinking you're not around, trying to see if you make certain docs available publicly via share for just such an occasion.

So your best bet, then, is to assume the company is officially monitoring you in ways that you can't detect, AND your boss is a snooping type -- and act accordingly vis a vis what you do with and store on your computer.
posted by davejay at 11:11 PM on May 29, 2007


My best guess is that manager in HR is poking around the network, trying to see if there are open shares on PCs. Depending on how your IT is set up, usually HR doesn't get the ability to snoop around like that, which makes me think it's just someone's curiousity.

If your concerned about extra programs running on your PC download a program called HiJackThis which will give you a list of startup programs, BHO's, and services that are against the norm.

You can also check to see which groups or users have administrative permissions on your PC, just to make sure (its under computer management, same area you were viewing your logs). As mentioned Kerb is an encrypted authentication method for remotely accessing a PC
posted by samsara at 12:18 AM on May 30, 2007


As likely as anything, the guy clicked on the wrong icon. I wouldn't worry about it.
posted by dhartung at 1:10 AM on May 30, 2007


Alternatively, that HR person's PC may be infected with something and the virus could be trying (without his or her knowledge) to find network shares so it can replicate.
posted by JaredSeth at 3:55 AM on May 30, 2007


There are three common methods for tracking usage:

1. A locally running 'snoop' program.
2. A network device logging usage.
3. Network sniffing.

None of which will bring up any kerberos errors.
posted by damn dirty ape at 7:08 AM on May 30, 2007


I'm with JaredSeth on this one. I've worked with a fair share of HR folk, and I don't think any of them would have known how to snoop for random shares, let alone have the time or inclination to do it.

I'd bring it to IT's attention, it smells of virus.
posted by mkultra at 8:22 AM on May 30, 2007


« Older How to have a Happy Happy Fun Family Vacation   |   Fe3O4 + Al = Fire Newer »
This thread is closed to new comments.