Reading Livejournal from Work

[randysmith]

So I recently discovered that my company reserves the right to monitor electronic communications (because they blocked some sites that were both against the company code of conduct and were being accessed). This puts me in a dilemma. I don't particularly care for my own sake if they know what I read from work--I'm happy to take whatever negative consequences come from that. But sometimes I read things that are private to other people, and I don't know what level of care to take there. My email I access through https from a computer I own and control, so I think that's basically safe. But my friends list is viewed over an open HTTP connection.

I'll note that my best guess is that this isn't a problem. I can't imagine my company using any information personal to me or my friends; I both think basically well of them (for a large company) and I don't see the motivation. Why should they go to the trouble of making trouble for someone they don't know when it won't gain them anything? But I'm not sure I should be making that decision for other people.

So I turn to my friends list. How do you deal with the issue of your employer monitoring web accesses? Do you avoid reading your friends list from work? Do you do some funky nerd thing to keep them from being able to see it? Or do you do something else? This inquiring mind wants to know :-}.

(Obviously, if this bothers you on a personal level, let me know, and I'll stop reading your journal from work. Note that this'll mean I'm more likely to miss stuff in your journal, and certainly won't respond as quickly to it).

Comments

[lyonesse.livejournal.com]

hi, i saw this on friendsfriends, and as a developer of a bunch of sniffer software i feel i must comment :)

the safest way to do this is to ssh out to a host you own, and run your lj client there. then the traffic is encrypted on the wire, and even its origin at livejournal is obscured. if you want a graphical interface you can use x tunnelling over ssh.

happy privacy :)

[randysmith]

Thanks for the suggestion! I did think of that, and I may do it, but it's a hassle (requires me to open an ssh port on my home server which I've so far been too paranoid to do), and my best guess is that's it's not necessary. But it's an option I'll definitely keep in mind.

[dajt.livejournal.com]

If you set your ssh server to only accept keyed authentication, keep your private key on a usb-fob, and give the key a good passphrase, well, it'll be much easier for the black hats to use a nine-millimeter attack on you. There are automated ssh-attack programs in the hands of the kiddies, but afaik, they can only attack servers that both left password authentication enabled and have weak paswords. I see them try to attack my machines from time to time, but I think they're about as pathetic as the folks who keep trying to access .dll files on my OpenBSD-based web server.

I don't worry much about my company's IT department monitoring my web traffic. There just aren't enough of them, and I'm probably one of the most boring employees. Xuxa tells some amusing stories about some of the folks she's had to deal with in her sysadmining career. I figure I'm safe as long as I'm way way less interesting than them.

[randysmith]

On the hassle side, I still have to type the passphrase and keep the keyfob with me all the time, and given that my best guess is that it isn't necessary, I'm resistant to that. I wasn't so much asking about "how can I make this process secure?" as "how paranoid are other people about this issue?".

Still, being a nerd, I can't help but probe at your suggestion :-}. A private key on a USB fob always struck me as being not very good security. If you're worried about the computer you're plugging into being compromised, you need to consider the ssh binary you're using on that computer as compromised. And if you're not, why not just put the private key on the computer? What you really want is a USB appliance that accepts an arbitrary string and your passphrase and encrypts that string with your private key. That, plus end to end exchange of tokens, has some real security to it.

[frobzwiththingz.livejournal.com]

So, you appear to be one of those few folk who are OK with having a box connected to the internet, yet are too paranoid to have *any* services accessible to the outside running on it, even just an SSH port.

I won't try to talk you out of this position, but will instead say that you might want to google for "port-knocking", read up a bit, and see if you'd be
willing to accept that. [And if you wouldn't accept some sort of scheme based on that, i'd ask how long you spent on your line-by-line code audit of whatever DNS package your server is using.]

[randysmith]

Chuckle. Neat concept.

It's not so much that I think it's "not safe" to have an SSH port connected, as that I'm very aware of my lack of knowledge in this area. As best I can tell, an SSH port (with all the obvious precautions) open on the net would be absolutely fine. But at the moment as it turns out, I don't think I need it (as mentioned above, the focus of this post was on how paranoid other people felt the need to be, not on technical solutions), and I've found myself reluctant to take that last step.

[ruthling.livejournal.com]

Eh, in for a penny, in for a pound, I say! If someone wanted to make trouble for me, it's out there already, and if they want to make trouble for you through me, I'd say huh!

[randysmith]

Yeah, that's pretty much what I figure. Thanks.

[catya.livejournal.com]

you could use an ssh tunnel - my theory was that if someone went back to look at the urls i had looked at, they wouldn't see my friends locked posts anyway (i've worked at places that explicitly tracked urls, but not anything past that that i know of)

[randysmith]

Yeah, they'd actually need to packet sniff and store the contents of the HTTP stream (or my cookies) for this to be an issue, and worrying about that is a level of paranoia that seems extreme to me. But while I can be semi-clear as to how paranoid I want to be for myself, it's hard for me to judge how paranoid I should be for others.

[coraline]

i know that they monitor our net access at work, though they thankfully don't block anything -- they treat us like adults. i assume that my traffic gets lost in the noise, and i also assume that anything i post, even locked, could get read by the general public anytime, so while there are things there i'd rather not tell the world, i won't fall over and die if the world knows, either.

[randysmith]

Yep, that's about where I am too. Cool; thanks.

[kuruzansuz.livejournal.com]

when I used the internet at work ... when I was in that kind of environment ... I would clear history and cache and all that when I was done. This way, if anyone went to the computer after me, they wouldn't have a record of where I'd been. However, if they track another way, they may still know. Also ... if they go to live journal ... if they are not logged in under your account, they will not see your friend's locked posts. Right?

[randysmith]

They have to go a lot further than I can really imagine monitoring going (well, ok, if I worked for the NSA I'd *assume* that monitoring actually went that far, but not elsewhere), especially since no-one but me *can* use the computer I use--I own it, and take it with me at the end of the day. So they'd actually have to monitor my packets as I read live journal, or store my cookies from that same packet stream and go back to LJ (so they could get logged in as me). I think this is way beyond anything that has any likelyhood of happening, but as I mentioned to Cat above, I'm a lot more uncomfortable making that decision for others than I am for me :-J.

[kuruzansuz.livejournal.com]

I understand that. I have no idea what my journal is going to become so I don't have qualms if you read it from work or not.

[wolfkitn.livejournal.com]

i'm relatively new with my org, and i've been cautiously and occasionally reading LJ from work. my basic take has been, there are *7000* employees, here. i'm not exactly reading anything dangerous. if they really, really want to monitor people...

on the other hand, i like my job, and i have no idea how many of those 7000 employees are actually computer or internet users; so perhaps i both have more to lose and stand out more than i'd like. so i try to keep it infrequent, low-key, and i don't open up "NWS" links...

[(Anonymous)]

I use an ssh tunnel to a machine that someone I trust owns and controls, which seems to me to be appropriately cautious without being overly paranoid :)

My take?

[morriganmoon.livejournal.com]

If the content you are reading is posted on a web-based service, it's technically public information, and people shouldn't fear others reading it...

AND-- well, the IT people would only look for things that would endanger the company some how... so livejournal probably wouldn't be their main concern... :-p

I mean, I do it. I POST while at work... :-p but, until it's Technical Journal season, I'm left with little else to do... :-p