Note the original post was regarding CONTRACTORS not EMPLOYEES. Big difference there.
If a company contracts with a contractor then what is in the contract trumps everything. And, contracts are legally interpreted AGAINST the drafter. So if for example the company wrote the contractor's contract, and did NOT specify that the contractor may not subcontract - then if they then attempt to block the contractor from subcontracting after the contract was signed, they are in abeyance of the contract and can be sued for breach of contract by the contractor. And the company would lose because the lack of a prohibition for subcontracting would be interpreted AGAINST the company.

As for BLOCKING vpn connections from a contractor that is a fuzzy legal area also. If the contract does NOT specify that the contractor may NOT use the company Internet connection then the contractor could reasonably argue in a court that being allowed to use the company Internet connection for 6 months before IT decided to crack down was an unwritten expectation in the contract, and that now since IT did crack down they have to go spend money on a hotspot or whatever so now the company owes them even more money. And yes if it went to court it WOULD be ruled against the company.

As I said if the company does not want contractors subcontracting or using personal VPNs then they need to renegotiate the contract with the contractor. That is the proper way to handle this. Not sic IT on people like a trained dog to make things difficult for them.

I've never known a REAL contractor to not be open to a contract renegotiation because always a contract renegotiation ends up increasing their profits. Because, by then they are familiar with workflow and the company culture and can and will insert new terms.

For example years ago I was working for a software company in 1000 Broadway that used contractors. They had a contractor who as part of his contract required company paid parking. The company wanted him so they agreed and the contract was signed. However the contractor was very surprised when the paid parking turned out to be a parking lot 6 blocks away up a hill. That arrangement lasted until contract renewal time in which case the contractor renegotiated his contract and changed it from "parking" to "parking inside of the building". After the contract was signed he got his parking spot in the 1000 Broadway garage. Which was a much bigger deal than you might think because the City of Portland at that time was heavily restricting parking spots for businesses because they were trying to force employees on to TriMet. There were in fact full time senior programmers who were mad because they were parking in the lot up the hill!

As for employees a company can set whatever silly rule they want including like I said that the employee has to wear a pink hat to work. However, it gets very fuzzy when the employee is an exempt employee because under the law exempt employees are required to have significant discretionary decision input to the company to remain exempt. An exempt employee can for example, given the pink hat rule, make a decision that they didn't need to wear a pink hat and not wear it. It is entirely situational. That is what being exempt means, legally at any rate. That input could reasonably be whether or not the employee can decide to subcontract.

A ton of this is determined by job title. For example a company promotes a programmer to title of Director of Development for a product and declares them an exempt employee and tells them they will need to put in a lot of unpaid hours now since they are on salary. That director makes a decision that outsourcing to Russia is needed for a particular product. IF that director can show that this decision was in the best fiscal interests of the company and did not increase risk to the company then IT cannot override that. Because, if they did then that director's title would be meaningless, and he could simply complain to the CEO that IT was interfering with his job - and if the CEO supported the director, then the director could simply say "fine", quit, then complain to the state department of labor for unpaid overtime based on the fact that as director he was not given significant power in the company to make decisions, that effectively he was being exploited with a meaningless paper title and was NOT exempt. And the Dept of Labor would definitely side with the employee.

Normally you don't see this sort of thing on executive decisions because to be honest I have never once in my career ever seen a CEO side with IT against a company director. Even if it is completely obvious that what the director is doing is technologically stupid and fiscally stupid and puts security of the company at risk. AND, even if IT was given a directive by that very same CEO to crack down on private VPNs or increase security or something like that. IT will ALWAYS lose in any political argument with an exempt employee. Remember that.

Unless of course, that exempt employee is not actually working in a position that legally qualifies as exempt. For sure, there are foolish companies out there that think they can exploit workers and con them into working unpaid overtime who do not qualify as exempt from OT. And those companies routinely end up paying serious fines when they get caught.

I don't know why there is such confusion over what being an exempt employee means. Being exempt from OT, ie: being salaried, effectively means that YOU are expected to be out there making money for the company any legal way possible because you are a stakeholder. If you can do this by working 20 hours a week from home and never be in the office, then if the company has a CEO with any brains at all, they will tell every other employee in the company that complains about it to go pound sand.
If you can do this by violating every tenet of secure networking that IT holds dear, then if IT complains about it to the CEO, IT will be told to pound sand. Well run companies do NOT kill the geese that lay the golden eggs. Even if those geese are stupid idiots. And yes I have learned this from my years in IT. I don't say that I like it. But, I like eating more, and food costs money so I too will side with the geese in a company laying the golden eggs even if it means telling my junior IT guys who have gotten puffed up reading the Best Practices security manual to pound sand. Sorry about that.

Ted

-----Original Message-----
From: PLUG <[email protected]> On Behalf Of Ben Koenig
Sent: Saturday, April 22, 2023 4:02 PM
To: Portland Linux/Unix Group <[email protected]>
Subject: Re: [PLUG] 3rd party vpn Defense evasion

Don't be such a dipshit. Yes, HR and Management are responsible for taking corrective action against employees not doing their job. "Job" in this context being defined by that employee's contract so there's no reason for us to speculate and pass judgement on whether or not IT should bother.

What you seem to be missing in your attempt to over-compensate for your sense of psychological supremacy is that in order to take correct action from a management perspective, IT has to identify the digital paper trail. That's what we do - We can and often should keep track of network connections and report them accordingly. Whether that person gets punished is not for us to say.

And in some cases this has to be handled proactively. This kind of subcontracting can create massive legal problems for some companies so even if the manager goes and tells them to stop, it's too late. Data has been leaked and lawsuits start to fly.

Sadly there are a lot of people in the modern Linux community that seem to believe that their understanding of IT trumps everyone else. Small, inexperienced minds that see their own personal use case as superior to all others.

-Ben

------- Original Message -------
On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt <[email protected]> wrote:

> For employees it depends if they are exempt or not. Any supervisory employee who can fire people is automatically considered exempt and many other employee classifications (such as programming) are considered exempt as well. (exemption is once more IRS and state taxing authority determination that the company has no say over)
>
> If the employee is exempt from overtime then it's illegal for the company to require that they work a certain number of hours, or at certain times. If the company DOES tell the employee this (that they have to track their time) then the employee can hit them for mandatory overtime (if they exceed 40 hours)
>
> Exempt/non exempt classifications are more commonly referred to as salaried/hourly employees.
>
> Long and short of it is you cannot use an online form to consider "work to be valid" for a salaried AKA exempt employee. Salaried employees are paid BY THE JOB not by being logged into something for a certain time.
>
> Companies quite often forget that putting someone like a programmer on salary is a two way street. The benefit from the company's point of view is they don't have to pay overtime for one of those work-round-the-clock-push times. But in exchange for that, the employee also doesn't have to work 40 hours every week either. A decent salaried employee keeps an eye on time since it's an important metric for how much work is reasonable to expect a salaried employee to do but it is NOT the absolute metric.
>
> Companies who have tried to do it differently - that is, not pay OT and make you work late during crunch time - and still make you work 40 hours - regularly end up paying very large fines and back salary to people when they get sued. It's healthy for that to happen for owners of those companies to get slapped silly for trying to exploit workers from time to time.
>
> Once more as I keep saying this needs to be handled from an employee management standpoint via managers and HR not from the IT department trying to play God and the managers being wussies and afraid to talk to employees.
>
> Is it simply that a large number of IT people are on the autism spectrum and have social anxiety disorder that they will literally waste weeks of company time on elaborate technical solutions that can be handled in 5 minutes by a manager walking up to an employee and saying "hey dude you know that thing you are doing with the VPN, well knock it off"
>
> Or is it that their anxiety disorder and desire to play God just drives them to believe that every other employee in the company is trying to screw IT???
>
> Sheesh!!!
>
> Ted
>
> -----Original Message-----
> From: PLUG [email protected] On Behalf Of Daniel Ortiz
> Sent: Wednesday, April 19, 2023 1:39 PM
> To: Portland Linux/Unix Group [email protected]
> Subject: Re: [PLUG] 3rd party vpn Defense evasion
>
> Disclaimer: some of the following if not all could be wrong.
>
> Wouldn't it be easier to deal with the credentials side to avoid this problem in the first place? To illustrate what I mean, here's a theoretical idea that while it might be flawed (like potential security failures), could be useful in terms of guidance. When an employee logs in, it sends an email to their company Gmail account to complete the login procedure. They click the link to a Google form which requires them to be logged in to their company Google account for the submitted form to either work or be considered valid. Once it's submitted, a program will allow them to finish the login process. Also, doing something with a company Google account could be helpful since Google records the devices you logged in with, which if a company can check that, they can see if there are any suspicious devices.
>
> On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil [email protected] wrote:
>
> > We're chasing this from data science side as well. As far as charting the pattern of activity and flag anomalies. This should trap the subs since he/she won't be checking email, responding to chat messages etc, or hopefully time of activity could give us clues.
> >
> > I do agree, there are many VPN commercial services and they will never advertise servers properties, besides there's lots of other open-VPN options.
> >
> > We shall conquer!
> >
> > On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt [email protected] wrote:
> >
> > > -----Original Message-----
> > > From: PLUG [email protected] On Behalf Of John Jason Jordan
> > > Sent: Tuesday, April 18, 2023 2:00 PM
> > >
> > > > It would be nice if VPN services advertised how effectively they stop others from finding out who and where you really are.
> > >
> > > They are never going to do this because they are constantly tweaking their proprietary protocols to get around firewalls, and they don't want the firewall vendors knowing when they made a change to get past firewalls. And given who some of the firewall vendors are, and what they do to people they don't like, this is very understandable.
> > >
> > > This stuff is getting very advanced nowadays since many firewalls are doing deep packet inspection, and looking specifically for patterns in packet traffic that indicate it is VPN traffic encapsulated in regular http or https traffic. So the proprietary vpn clients will modify the encrypted traffic to make it look like regular https traffic.
> > >
> > > Never forget that for you, me, and probably all the readers of this list, that creating, using, blocking and messing around with VPNs is really mainly an intellectual exercise, but that there are many people in the world in places like Russia and China where a secure VPN means not having people breaking their doors down in the middle of the night and hauling them off to prison - or worse.
> > >
> > > Ted
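The "chart the pattern of activity and flag anomalies" idea Ishak Micheil raises in the quoted thread (a subcontractor borrowing someone's VPN account is unlikely to read that person's email or answer their chat, and may be active at odd hours) can be prototyped as a small heuristic over activity logs. The code below is an added example written for this page; it is not code from any poster or from PLUG. It assumes a constructed log format of `timestamp,user,event`, an assumed business-hours window of 07:00 through 19:59, and an assumed set of event names; all of those are assumptions, and the sample log is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample activity log for this example (not real data).
# One event per line: "<ISO-8601 local timestamp>,<user>,<event>".
SAMPLE_LOG = """\
2023-04-17T08:55:00,alice,vpn_connect
2023-04-17T09:10:00,alice,email_read
2023-04-17T09:30:00,alice,chat_reply
2023-04-17T11:00:00,alice,commit
2023-04-17T17:05:00,alice,vpn_disconnect
2023-04-18T09:00:00,alice,vpn_connect
2023-04-18T09:20:00,alice,chat_reply
2023-04-18T13:00:00,alice,commit
2023-04-18T17:00:00,alice,vpn_disconnect
2023-04-18T22:30:00,alice,vpn_connect
2023-04-18T23:10:00,alice,commit
2023-04-19T03:40:00,alice,commit
2023-04-19T04:00:00,alice,vpn_disconnect
"""

# Event classes and the business-hours window are assumptions for this
# example; a real deployment would derive them from each team's history.
INTERACTION_EVENTS = {"email_read", "chat_reply"}
WORK_EVENTS = {"commit", "ticket_update"}
BUSINESS_HOURS = range(7, 20)  # 07:00 through 19:59


@dataclass
class Session:
    """One VPN session for one user, with the events that fell inside it."""
    user: str
    start: datetime
    end: Optional[datetime] = None
    events: list = field(default_factory=list)  # (timestamp, event_name)


def parse_log(text: str):
    """Parse the CSV-style log into (timestamp, user, event) tuples, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, event = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, event))
    rows.sort(key=lambda r: r[0])
    return rows


def build_sessions(rows):
    """Group events into VPN sessions delimited by vpn_connect/vpn_disconnect."""
    open_sessions = {}
    sessions = []
    for ts, user, event in rows:
        if event == "vpn_connect":
            open_sessions[user] = Session(user, ts)
            sessions.append(open_sessions[user])
        elif event == "vpn_disconnect":
            session = open_sessions.pop(user, None)
            if session is not None:
                session.end = ts
        elif user in open_sessions:
            open_sessions[user].events.append((ts, event))
    return sessions


def assess(session: Session):
    """Return the heuristic findings that apply to one session."""
    findings = []
    interactions = sum(1 for _, e in session.events if e in INTERACTION_EVENTS)
    work = sum(1 for _, e in session.events if e in WORK_EVENTS)
    # Output produced while the account never touched email or chat.
    if work and not interactions:
        findings.append("work_without_interaction")
    # Any part of the session falling outside the assumed business hours.
    hours = {ts.hour for ts, _ in session.events} | {session.start.hour}
    if session.end is not None:
        hours.add(session.end.hour)
    if any(h not in BUSINESS_HOURS for h in hours):
        findings.append("off_hours_activity")
    return findings


def flag_sessions(text: str):
    """Run the heuristics over a log and return only the sessions worth a human look."""
    flagged = []
    for session in build_sessions(parse_log(text)):
        findings = assess(session)
        if findings:
            flagged.append({"user": session.user,
                            "start": session.start.isoformat(),
                            "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in flag_sessions(SAMPLE_LOG):
        print(hit)
```

Both checks produce leads, not proof: a genuinely exempt developer who works late and ignores chat trips the same heuristics, which is why the output belongs with a manager or HR for follow-up rather than feeding an automated block, the point the thread keeps returning to.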
