Don’t worry about it Denis. Ben is passionate about what he's doing and what he sees himself doing in security at any rate is protecting the organization from the evil people out there. Naturally he's going to be frustrated when faced with the reality of company politics and fiscal money-making that sometimes clashes with this directive.
A good manager would recognize that both Ben and the employee or contractor who are outsourcing are right. Yes, outsourcing can leak company vitals. But, it can also shortcut a problem and get a product out ahead of a competitor. It is right and valid to question if it's worth the risk to outsource. I don't know Ben's CEO but if I were that CEO I would drag him and the contractors and employees he's going after into a conference room and tell both of them to convince me which one is right. Ted -----Original Message----- From: PLUG <[email protected]> On Behalf Of Denis Heidtmann Sent: Saturday, April 22, 2023 4:39 PM To: Portland Linux/Unix Group <[email protected]> Subject: Re: [PLUG] 3rd party vpn Defense evasion What (positive) contribution do your insults bring to the discussion? Can you find a less hostile way to contribute? -Denis On Sat, Apr 22, 2023 at 4:02 PM Ben Koenig <[email protected]> wrote: > Don't be such a dipshit. > > Yes, HR and Management are responsible for taking corrective action > against employees not doing their job. "Job" in this context being > defined by that employees contract so there's no reason for us to > speculate and pass judgement on whether or not IT should bother. > > What you seem to be missing in your attempt to over-compensate for > your sense of psychological supremacy is that in order to take correct > action from a management perspective, IT has to identify the digital paper > trail. > That's what we do - We can and often should keep track of network > connections and report them accordingly. Whether that person gets > punished is not for us to say. > > And in some cases this has to be handled proactively. This kind of > subcontracting can create massive legal problems for some companies so > even if the manager goes and tells them to stop, its too late. Data > has been leaked and lawsuits start to fly. > > Sadly there are a lot of people in the modern linux community that > seem to believe that their understanding of IT trumps everyone else. > Small, inexperienced minds that see their own personal use case as > superior to all others. > -Ben > > > ------- Original Message ------- > On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt < > [email protected]> wrote: > > > > For employees it depends if they are exempt or not. Any supervisory > employee who can fire people is automatically considered exempt and > many other employee classifications (such as programming) are > considered exempt as well. (exemption is once more IRS and state > taxing authority determination that the company has no say over) > > > > If the employee is exempt from overtime then it's illegal for the > company to require that they work a certain number of hours, or at > certain times. If the company DOES tell the employee this (that they > have to track their time) then the employee can hit them for mandatory > overtime (if they exceed 40 hours) > > > > Exempt/non exempt classifications are more commonly referred to as > salaried/hourly employees. > > > > Long and short of it is you cannot use an online form to consider > > "work > to be valid" for a salaried AKA exempt employee. Salaried employees > are paid BY THE JOB not by being logged into something for a certain time. > > > > Companies quite often forget that putting someone like a programmer > > on > salary is a two way street. The benefit from the company's point of > view is they don't have to pay overtime for one of those > work-round-the-clock-push times. But in exchange for that, the > employee also doesn't have to work 40 hours every week either. A > decent salaried employee keeps an eye on time since it's an important > metric for how much work is reasonable to expect a salaried employee to do > but it is NOT the absolute metric. > > > > Companies who have tried to do it differently - that is, not pay OT > > and > make you work late during crunch time - and still make you work 40 > hours - regularly end up paying very large fines and back salary to > people when they get sued. It's healthy for that to happen for owners > of those companies to get slapped silly for trying to exploit workers > from time to time. > > > > Once more as I keep saying this needs to be handled from an employee > management standpoint via managers and HR not from the IT department > trying to play God and the managers being wussies and afraid to talk to > employees. > > > > Is it simply that a large number of IT people are on the autism > > spectrum > and have social anxiety disorder that they will literally waste weeks > of company time on elaborate technical solutions that can be handled > in 5 minutes by a manager walking up to an employee and saying "hey > dude you know that thing you are doing with the VPN, well knock it off" > > > > Or is it that their anxiety disorder and desire to Play God just > > drives > them to believe that every other employee in the company is trying to > screw IT??? > > > > Sheesh!!! > > > > Ted > > > > -----Original Message----- > > From: PLUG [email protected] On Behalf Of Daniel Ortiz > > > > Sent: Wednesday, April 19, 2023 1:39 PM > > To: Portland Linux/Unix Group [email protected] > > > > Subject: Re: [PLUG] 3rd party vpn Defense evasion > > > > Disclaimer: some of the following if not all could be wrong. > > > > Wouldn't it be easier to deal with the credentials side to avoid > > this > problem in the first place? To illustrate what I mean, here's a > theoretical idea that while it might be flawed (like potential > security failures), could be useful in terms of guidance. When an > employee logs in, it sends an email to their company Gmail account > complete the login in procedure. They click the link to a Google form > which requires them to be logged in to their company Google account > for the submitted form to either work or be considered valid. Once, > it's submitted, a program will allow them to finish the login process. > Also, doing something with a company Google account could be helpful > since Google records the devices you logged in with, which if a > company can check that, they can see if there is any suspicious devices. > > > > On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil [email protected] wrote: > > > > > We're chasing this from data science side as well. As far as > > > charting the pattern of activity and flag anomalies. > > > This should trap the subs since he/she won't be checking email, > > > responding to chat messages etc, or hopefully time of activity > > > could > give us clues. > > > > > > I do agree, there are many VPN commercial services and they will > > > never advertise servers properties, besides there's lots of other > > > open-VPN options. > > > > > > We shall conquer! > > > > > > On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt > > > [email protected] > > > wrote: > > > > > > > -----Original Message----- > > > > From: PLUG [email protected] On Behalf Of John Jason > > > > Jordan > > > > Sent: Tuesday, April 18, 2023 2:00 PM > > > > > > > > > It would be nice if VPN services advertised how effectively > > > > > they stop others from finding out who and where you really > > > > > are. > > > > > > > > They are never going to do this because they are constantly > > > > tweaking their proprietary protocols to get around firewalls, > > > > and they don't want the firewall vendors knowing when they made > > > > a change to get past > firewalls. > > > > And given who some of the firewall vendors are, and what they do > > > > to people they don't like, this is very understandable. > > > > > > > > This stuff is getting very advanced nowadays since many > > > > firewalls are doing deep packet inspection, and looking > > > > specifically for patterns in packet traffic that indicate it is > > > > VPN traffic encapsulated in regular http or https traffic. So > > > > the proprietary vpn clients will modify the encrypted traffic to > > > > make it look like regular https traffic. > > > > > > > > Never forget that for you, me, and probably all the readers of > > > > this list, that creating using blocking and messing around with > > > > VPNs is really mainly an intellectual exercise, but that there > > > > are many people in the world in places like Russia and China > > > > where a secure VPN means not having people breaking their doors > > > > down in the middle of the night and hauling them off to prison - > > > > or worse. > > > > > > > > Ted >
