• toastal@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    7 months ago

    Why do IT teams think being able to snoop any users screen is a good thing? Leave folks alone. Get authorized key consent to SSH into their box iff necessary.

    This is why I only work with BYOD operations…

    • MystikIncarnate@lemmy.ca
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      There’s a lot of trust required in IT. You must be a trustworthy person. Being fired for a trust related reason is basically a death sentence for an IT career. That being said, none of the tools I typically work with will provide previews of a user’s screen, or such previews will be low enough resolution that reading what is on screen is basically impossible.

      When we connect to a system and get a full resolution image of what’s going on, pretty much always there’s some on screen indication of us being connected.

      IMO, this is how it should be.

      The only time I’ve actively tried to “spy” on a user’s activity, has been when requested to do so by a manager/owner, usually when pursuing an allegation of inappropriate use of a work computer. Even then it’s been very rare, and I can only recall one such instance of it happening at all.

      As an IT person, I will say, I could care less what you do with the equipment. I’m busy enough, I don’t need to fill my day with watching you do your job. Yes, we have tools which can allow us to eavesdrop on everything you do, I don’t touch them unless I absolutely must, usually only if I’ve been ordered to.

      Another poster pointed out that work resources do not belong to you and legally, they’re right. The system, including all data and work contained therein is legally the property of your employer. This includes your email and any correspondence, and anything else that work provides as a function of your employment. If you create an excel work sheet that does some data processing for you, or reformats information in a better way, during work hours, that sheet isn’t yours. The ownership of the sheet is your employer. Though you did the work in creating it, your employer owns it because they paid you for the time/effort to do so.

      Personally, I do whatever I can to avoid interacting with users unique files. I recently refused to work on someone’s personal iPhone because it contained personal data. Though their work email was probably present on the device, I didn’t want to touch it. I did however, provide instructions for them to do what they were asking themselves.

      When interacting with work-owned systems, I’ll modify the registry, and run command line commands without the users knowledge, in an effort to reduce the disruption to their workflow, while solving an issue. Generally this is when I have a request from that user, or the company, to get something done, such as install a piece of software. You’ll be working away and poof, new software appears.

      Anyone in IT unnecessarily snooping in on your files, can be fired with cause, ruining their career, if they’re caught.

      We have access to everything, and I mean everything, in an organization. Your email, files, databases, software… Partly for troubleshooting, and partly for performing backups. If we don’t directly have access, typically we have permission to grant access, so we can grant ourselves permission to access whatever we need to. This means that IT is one of the highest trust areas of the business. We can read the CEO’s emails, send mail as anyone, access everyone’s files, and delete all data on everything in such a way that it is impossible to recover. We need the access to do our jobs and violating the trust we have with that access, is unforgivable and a career-ending event.

      I will say that I have not met any IT professionals who will snoop, spy, eavesdrop, or otherwise examine what you do or what data you have or interact with, without a good reason. If it happens, it’s likely that someone else, such as a manager, has requested that we do. We are merely the middleman in that scenario. Bluntly, we’re too busy than to just do it for kicks.

      If any IT professional has violated trust, I would report it to management. It is grossly inappropriate to access a user’s system without just cause.

      As for notifications, that varies depending on the request. I typically only inform people when I need to remotely control their desktop (interrupting their work) and I’m generally very receptive to being asked to wait before connecting so any sensitive information can be dealt with and closed before the session is established. I have no issue with that. I don’t need, nor want to know any more than I do. I’m never looking for illicit or illegal things unless they are creating a problem (excessive bandwidth use, excessive disk use, etc). For the most part, I try to stay in my lane. I’m here to help, not spy on you to get you fired.

      • toastal@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        Thanks for confirming some of my suspicions about how it all actually operates & the reasons for doing so.

        I really just don’t like this in principle as it is way too easy to accidentally do private stuff out of convenience on a machine which is why I do like I said with BYOD & will be present for all attempts to troubleshoot a device. I don’t really see a conceptual different in my digital desktop vs. my physical one & I wouldn’t let an employer install a camera at my desk just as much or would I think it is cool for a business to have cameras in the bathroom just because they own the rental agreement. It feels like there should be some form of privacy even in these digital scenarios that never happens & it leaves a sour taste in my mouth. Is there a solution to allowing users privacy in their system or is it only considered fully private property?

        • MystikIncarnate@lemmy.ca
          link
          fedilink
          English
          arrow-up
          1
          ·
          7 months ago

          Legally, it’s fully owned by the company.

          My current workplace uses mostly cloud desktops. Basically, even if you’re using a personal system, you install a remote desktop client software (it provides access to another system, it does not allow access to your system), which is used to connect to a server farm of virtual desktop servers. So the work desktop you use kind of overlays itself on your system. Your system is still there, humming away in the background, with it’s only task being to shuffle your input up to the cloud, and bring down the images of your cloud desktop and display them.

          There’s some other features, but that’s the core of it. We use a third party “remote monitoring and management” (RMM) tool to administrate company owned systems. You are perfectly capable of using the remote desktop client on a system that’s not company owned. I like this model, since you can minimize or close the remote desktop at any time, and since we (the IT team) have full access to the remote desktop server farm, we can connect to your remote desktop session and see what you see, but only what’s within the remote window. We can’t escape it to see your computer. So if you have a problem with your work stuff, we have access to that. If you have a problem with your personal computer, we need to use a one-time-use (or ad-hoc) remote connection software like LogMeIn or something similar (specifically the LMI rescue type feature set). Once we disconnect from your personal system after doing whatever troubleshooting you asked for, we lose access to that system.

          The programs change, but they do the same thing in concept. There are a number of company owned laptops and desktops we have our RMM tools on which allow us to dive into a system whenever we want.

          I run a homelab, personally, and when my workplace does not give me the necessary stuff to be productive from home, what I do is build a small virtual system on my home lab, which I remote into when I work (from my desktop), so I can maintain a work/personal division. It’s similar to the cloud system I’m doing at my current job, but the “remote” desktop is a VM on a server in my basement. Other times I’ve been given a laptop, and I’ll set it up in a corner and turn on its built in remote desktop service (to allow remote desktop connections into it), then use the same protocols to connect to my work laptop.

          When I’m done work, I just shut down the remote desktop connection and poof, back to my stuff on my PC.

          With my current job I went another way, I got a KVM switch, which allows me to switch between two physical computers at the push of a button. (KVM is keyboard/video/mouse) When I’m done work now, I push a button and my screens (I have several) and KB/mouse all switch back to my personal desktop. Same idea but different.

          I couldn’t imagine using my personal computer to do work stuff directly. That’s just not kosher in my mind. I have work’s RMM and tools all installed on the system I use for work, and my personal system is entirely free of such things.

          I also want to include a short story. Recently a client started a ticket about our company logo being on their personal computer. I grabbed that ticket up and immediately identified the system, and removed it from our system. I followed up with the user to verify that by removing it from our system, the icon disappeared (indicating our monitor agent was fully uninstalled), they confirmed, and I closed the ticket. I kept thinking it’s grossly inappropriate for our software to be on their personal system, and I wanted to get it fixed ASAP. Not everyone is the same, I’ve known users that want or e remote management tools on their personal systems. I don’t understand it, but I can’t tell them that it can’t be there either (the customer is always right, applies in this context).

          As I hope I’ve demonstrated, neither myself, nor anyone I work with, nor anyone I’ve worked with in the past, would ever take such an opportunity to snoop or spy on them, but I’d rather not have that liability hanging over my company. All it takes is for one person to have the software on there and accuse us of stealing their private data (say, leud pictures) and publically posting that information on the internet, and I’m sure the policy would change. Of course, we wouldn’t do that, but all it would take is the accusation.

          It’s a bad day for us when we see something we shouldn’t, especially if upon seeing it, we’re morally obligated to contact the authorities (in the case of illegal content such as child porn). If course, if something like that is observed by a tech, we must do something about it, but we don’t want to have to get involved in that sort of thing, so we’re pretty careful about it. To put it simply, we’re not looking for anything, and we don’t want to snoop through your stuff, because if we do and we find something we shouldn’t, there’s going to be hell to pay. Not only in the fact that now we need to report it to the police, but also that we need to be able to justify why we were able to see it in the first place. If we can’t justify why we were looking at the content, that’s probably grounds for termination and getting blacklisted from IT, even if it had a positive result (like a pedo being sent to jail).

          Bluntly, it’s not worth the risk, paperwork, or inevitable trouble that we’ll face if we do.

          Keeping a good separation between personal and work minimizes the risk of IT seeing something that shouldn’t, even if it’s not illegal/illicit. Even your personal financial information. I don’t want to know. I had a call recently with a user who couldn’t log into their bank, and through testing, I was on the lookout for errors while they logged in. As soon as login was successful and their accounts were up, I minimized my remote control so I didn’t see more than I absolutely had to, of their bank info. I got them into the accounts. I don’t care what the accounts are, or what is in them. It seems minor, but that is that users personal information which I do not need to know. I solved their login problem with the site, so I’m done.

          I probably have a hundred of other examples, even some where my co-workers had to contact authorities, I’m pretty sure… Every decent IT tech knows that this is a risk and we do what we can to avoid getting caught up in it. We don’t want to have to answer those questions.

          If you ever have IT connect to your computer and your background goes black, there’s a reason. At first it was bandwidth related, and we’ll still say that as the reason, but a large reason why we still do it, even into an age of high speed internet, is because a lot of people put pictures of their family, friends, sometimes even inappropriate content, as their desktop wallpaper. It’s hard to miss when it’s your wallpaper. So if it’s blacked out when we connect, that’s one less possible problem we have to deal with.

          I’ll stop, but if you have questions for a random internet IT guy, please feel free to ask.

          Take care.

          • toastal@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            7 months ago

            That I could prefer: using a remote VM for the work & being able to opt out of a company provisioned device if possibre. It’s much easier to not pollute a VM & you will want to disable it as soon as you are done anyhow to free up local resources/connections.