Agreed, HR and legal should absolutely be engaged and on-board given the risk level.

On Wed, Apr 19, 2023, 4:43 PM Ted Mittelstaedt <t...@portlandia-it.com> wrote:

>
> For employees it depends if they are exempt or not. Any supervisory
> employee who can fire people is automatically considered exempt and many
> other employee classifications (such as programming) are considered exempt
> as well. (exemption is once more IRS and state taxing authority
> determination that the company has no say over)
>
> If the employee is exempt from overtime then it's illegal for the company
> to require that they work a certain number of hours, or at certain times.
> If the company DOES tell the employee this (that they have to track their
> time) then the employee can hit them for mandatory overtime (if they exceed
> 40 hours)
>
> Exempt/non exempt classifications are more commonly referred to as
> salaried/hourly employees.
>
> Long and short of it is you cannot use an online form to consider "work to
> be valid" for a salaried AKA exempt employee. Salaried employees are paid
> BY THE JOB not by being logged into something for a certain time.
>
> Companies quite often forget that putting someone like a programmer on
> salary is a two way street. The benefit from the company's point of view
> is they don't have to pay overtime for one of those
> work-round-the-clock-push times. But in exchange for that, the employee
> also doesn't have to work 40 hours every week either. A decent salaried
> employee keeps an eye on time since it's an important metric for how much
> work is reasonable to expect a salaried employee to do but it is NOT the
> absolute metric.
>
> Companies who have tried to do it differently - that is, not pay OT and
> make you work late during crunch time - and still make you work 40 hours -
> regularly end up paying very large fines and back salary to people when
> they get sued. It's healthy for that to happen for owners of those
> companies to get slapped silly for trying to exploit workers from time to
> time.
>
> Once more as I keep saying this needs to be handled from an employee
> management standpoint via managers and HR not from the IT department trying
> to play God and the managers being wussies and afraid to talk to employees.
>
> Is it simply that a large number of IT people are on the autism spectrum
> and have social anxiety disorder that they will literally waste weeks of
> company time on elaborate technical solutions that can be handled in 5
> minutes by a manager walking up to an employee and saying "hey dude you
> know that thing you are doing with the VPN, well knock it off"
>
> Or is it that their anxiety disorder and desire to Play God just drives
> them to believe that every other employee in the company is trying to screw
> IT???
>
> Sheesh!!!
>
> Ted
>
> -----Original Message-----
> From: PLUG <plug-boun...@pdxlinux.org> On Behalf Of Daniel Ortiz
> Sent: Wednesday, April 19, 2023 1:39 PM
> To: Portland Linux/Unix Group <plug@pdxlinux.org>
> Subject: Re: [PLUG] 3rd party vpn Defense evasion
>
> Disclaimer: some of the following if not all could be wrong.
>
> Wouldn't it be easier to deal with the credentials side to avoid this
> problem in the first place? To illustrate what I mean, here's a theoretical
> idea that while it might be flawed (like potential security failures),
> could be useful in terms of guidance. When an employee logs in, it sends an
> email to their company Gmail account to complete the login procedure. They
> click the link to a Google form which requires them to be logged in to
> their company Google account for the submitted form to either work or be
> considered valid. Once it's submitted, a program will allow them to finish
> the login process. Also, doing something with a company Google account
> could be helpful since Google records the devices you logged in with, which
> if a company can check that, they can see if there are any suspicious
> devices.
>
> On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil <isaa...@gmail.com> wrote:
>
> > We're chasing this from data science side as well. As far as charting
> > the pattern of activity and flag anomalies.
> > This should trap the subs since he/she won't be checking email,
> > responding to chat messages etc, or hopefully time of activity could
> > give us clues.
> >
> > I do agree, there are many VPN commercial services and they will never
> > advertise servers properties, besides there's lots of other open-VPN
> > options.
> >
> > We shall conquer!
> >
> > On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt <t...@portlandia-it.com>
> > wrote:
> >
> > >
> > > -----Original Message-----
> > > From: PLUG <plug-boun...@pdxlinux.org> On Behalf Of John Jason Jordan
> > > Sent: Tuesday, April 18, 2023 2:00 PM
> > >
> > > >It would be nice if VPN services advertised how effectively they stop
> > > >others from finding out who and where you really are.
> > >
> > > They are never going to do this because they are constantly tweaking
> > > their proprietary protocols to get around firewalls, and they don't
> > > want the firewall vendors knowing when they made a change to get past
> > > firewalls. And given who some of the firewall vendors are, and what
> > > they do to people they don't like, this is very understandable.
> > >
> > > This stuff is getting very advanced nowadays since many firewalls
> > > are doing deep packet inspection, and looking specifically for
> > > patterns in packet traffic that indicate it is VPN traffic
> > > encapsulated in regular http or https traffic. So the proprietary vpn
> > > clients will modify the encrypted traffic to make it look like regular
> > > https traffic.
> > >
> > > Never forget that for you, me, and probably all the readers of this
> > > list, that creating, using, blocking and messing around with VPNs is
> > > really mainly an intellectual exercise, but that there are many people
> > > in the world in places like Russia and China where a secure VPN means
> > > not having people breaking their doors down in the middle of the night
> > > and hauling them off to prison - or worse.
> > >
> > > Ted