Using Brave's “Private Window with Tor” could get you fired
(old.reddit.com)
There are industries where compliance requires all work-related communications be logged and monitored.
This logging is typically done through proxy servers on the network, and avoiding them is a *bad* thing. They will also track web traffic through a proxy and MITM any https traffic by forcing the use of specific keys. They're trying to look for insider trading. Avoiding the proxy is the problem.
Staff using their own apps for regulated communications just cost JPMorgan USD$200m.
https://www.cnbc.com/2021/12/17/jpmorgan-agrees-to-125-milli...
It's absolutely reasonable to have security requirements. It's not reasonable to fire someone for a single, accidental violation. I hope the people in the above story realize that they've made a mistake.
It is if you have a zero-tolerance policy and they break it.
Their IT department will certainly ban Brave to prevent future uses of Tor, now that they’re aware!
But there are many industries where a zero tolerance policy for Tor session origination from a desktop is absolutely legitimately appropriate, as it could otherwise be (even just one-time) exploited for massive potential harm to wealth and people.
There’s a popular view with some freedom folks that we shouldn’t have the right to search people who are visiting family in jail, and while they’re right from a purely theoretical “my rights” standpoint, from a pragmatic stance it is generally understood that it’s fair to try not to let weapons be given from visitors to criminals, even if abrogation of rights occurs — and if you forget and bring a knife someday, you may get banned from the jail, even though it’s just a mistake, because of how serious the safety and lives are at stake.
Who would be comfortable working under such a policy? You'd never know what accidental action on your computer could lead to you being fired. Using a computer to do work is not like getting dressed and carrying a knife with you. You knew you put the knife there, you chose it. If you weren't thinking about the rules, that's on you.
A regime where any accidental fat-finger or triggering of an unknown keyboard shortcut results in dismissal will quickly produce an environment where nobody is able to work or do anything useful - as seems to be happening here.
It doesn’t sound like a fun workplace, but nor should every workplace be fun. I’d really appreciate it if bankers and health insurance companies had to keep audited records and were disallowed encrypted / disposable backchannels, like Tor.
I assume that IT didn’t install Brave, the user did. No IT department at this strict of a company would approve a browser that actively inserts its own advertising into websites, much less has a Tor option builtin. So, then, why on earth would the user risk their employment by installing unapproved software without IT signoff?
If IT approved Brave and pre-installed it, then they would have grounds to contest the firing. That they’re let go suggests otherwise. One could likely predict the demographic of the let-go employee just by filtering for “would know and care about Brave” and “would not seek IT permission first”.
Typically, workplaces this strict don't allow users to install software on their machines themselves at all.
This whole story still just sounds to me like a huge overreaction. I think we can invent a hypothetical situation where the company's behavior makes sense, or the employee's motives are impure, but I think it's much more likely that they just got scared and were rash and hurt an employee.
You can remove admin rights but portable software will still run just fine. It's actually really hard to stop unapproved software from running on Windows. You'll basically have to cut off all the methods of ingress like USB sticks and internet.
I thought in American prisons visitors mostly talk through glass? But maybe that's just something used in movies. Never been to an actual prison even here lol.
I'm not an expert, but my understanding is: Often, but not all the time. Depends on how high-security the prison is, and what the purpose of the visit is. Meeting with an attorney, for example, you're likely in private and there may or may not be glass.
The addition of plexiglass (for instance) was considered an unwelcome one recently in some prisons: https://thecrimereport.org/2021/07/20/captives-behind-plexig...
Imagine not having a key logger and mouse tracer on your computer at work. Our machines also lock your account, computer and ID if you plug mass storage devices.
What good will a mouse tracer do without context of what's on screen? Never heard this being put in place for workplace surveillance. Complete screen recording yes but just mouse (or even keyboard which does make some sense) no
This is why I'm never not working from home again
Having a work machine and a personal machine side by side is invaluable to me.
What do they do about personal devices?
I'm not in the industry, but I am aware of this from various news articles. Quick googling...
Typically, devices are banned from restricted areas (trading floors). Where BYOD is "allowed", apply a corporate profile which prevents the installation of problematic apps. What these people do outside of office hours can get them in trouble too.
NYSE Rule 36 seems to cover this:
https://nyseguide.srorules.com/rules/document?treeNodeId=csh...
(d) Floor brokers must maintain records of the use of telephones and all other approved alternative communication devices, including logs of calls placed, for a period of not less than three years, the first two years in an accessible place. The Exchange reserves the right to periodically inspect such records pursuant to Rule 8210.
UK rules seem to ban BYOD?
https://www.lawyer-monthly.com/2018/03/fca-says-employees-ca...
Jeez even at home? Glad I don't work in that industry. I hate anything economic or financial anyway :P
In the interim, have the IT folks set up a group policy to disable Brave's Tor feature so no one else accidentally gets caught in this: https://support.brave.com/hc/en-us/articles/360039248271-Gro...
But would you if it isn't even an allowed application in the first place?
My company blocks so much inane crap it’s ridiculous. Any site not explicitly reviewed by the firewall company? Blocked. Want to Google restaurants for lunch? Half the restaurants' websites are blocked under the firewall rule against “alcohol and bars”. So much more.
Trying to talk to IT about it is painful. I had to go through three levels of support over a week just to get a single site unblocked.
Before Work-from-Home started, Brave’s Tor support was a godsend just for getting actual work done.
Before my department got bought out, our old company had pretty draconian blocking as well, but if you explicitly plugged into the ethernet ports in the developer area they were wide open.
And no, we’re not in any sort of industry where it really matters. Privately held educational software company.
I used to work for a financial company that used such extensive blocking. One day I had to download a particular version of boost libraries (the C++ ones). Of course all official sites to download from were blocked. So I searched for the specific file name (a tar.gz archive). And eventually I found something that was not blocked: a misconfigured server somewhere in Russia. Misconfigured because it served entire contents of its hard disk - and Google indexed it all. And there it was - my coveted boost archive which I promptly downloaded.
That seems super risky. How did you know the file was authentic? What if the archive contains backdoored code?
Yeah it was risky. It is quite common for excessive security practices to actually decrease security and that particular example was not nearly the most egregious one in that company.
I don't really get why you did it though. You risked your job, and potentially regulatory issues for the company just to get a build done? I'd have just submitted a request to unblock the official download site. Then it's security's problem.
I've also come across this at a major international company. Came there to install an update. Too big to email so I had a clean USB stick. No way to use it in their workstations though, so the IT guy offered to just walk to the DC and plug it directly into the server.
Pretty sure that was not the intention of that policy. The problem is that they didn't seem to have considered this use case at all. More security theater than anything.
Seems like an odd proposition for an attack vector. Maybe, just maybe if I make this look like a misconfigured server, maybe, just maybe, someone will grab the boost files from the server and compile them? I can’t imagine.
The open server does not have to be a deliberate attack setup. It could be compromised itself, or someone could have downloaded a bad artifact to it unknowingly. It could be someone's malware research storage (admittedly this is pretty unlikely). It's the simple fact that the provenance is unknown.
I've heard of people doing similar things before. Maybe people working in high security environments downloading libraries from random websites is common enough that some attackers are actually targeting those people by backdooring common Python packages, C++ libraries, etc. and trying to get their server to bypass enterprise blocking somehow.
From another perspective (perhaps not popular here): How does allowing access to restaurant websites help the bottom line? What is the risk? One malware outbreak can be enormously damaging.
How much time should IT employees spend unblocking restaurant websites instead of, for example, developing new applications that increase productivity? Arguably, an IT employee who is spending time unblocking restaurant websites might be viewed as negative ROI for their salary.
And users have phones, so there is an easy workaround.
Not restaurant specifically, but I suspect the loss of innovation from the general chilling effect is pretty high. When I have trouble researching something, that’s money lost for them in time I am wasting, and potentially worse from the side effects.
Every time an engineer doesn’t look into something at all, because they know odds are good they’re not going to be able to, that’s potentially millions lost.
Yeah imagine a developer not being able to use stackoverflow or one of the many similar sites that just happen to have the bug that they're struggling with. Could cost hours of extra work.
It's not blocking restaurants per se. It's doing some heuristic based match and seeing entries on the site with words like "wine" "whiskey" "cocktail" and determines the website is "alcohol and tobacco" and bans or limits it.
Ran into this at $lastco, as a chemist. Used to look up alcohol water azeotrope charts and half would be on homebrew sites and got blocked.
I just used my phone to email the charts to myself.
>How does allowing access to restaurant websites help the bottom line?
Humans need to eat to survive, and one consequence of survival is that tickets are closed.
> From another perspective (perhaps not popular here): How does allowing access to restaurant websites help the bottom line? What is the risk? One malware outbreak can be enormously damaging.
Just visiting a website shouldn't be a major risk. Any code injection exploits can be mitigated in the proxy (those MITM proxies are not just for logging!). And proper patching.
Really if you run browsers so old that they can be exploited in this way you have a bigger problem than banning unknown websites solves.
Yes. Exactly. Which is why they shouldn't be blocked, forcing people to spend time and energy unblocking them.
Indeed. Somehow people managed to eat lunch before the internet.
> Trying to talk to IT about it is painful. I had to go through three levels of support over a week just to get a single site unblocked.
Don't talk to IT using their support channel. Escalate to your boss (and his boss potentially) about what you are trying to do, what's blocking you and how it's stalling the (revenue generating) project you are working on.
I work in IT security and this overzealous blocking is also a problem. Many sites with great security info are blocked because of the "hacking" category. Um yeah that's work-related for me so...
I'm surprised they didn't just block tor though. I'm sure we do though I've never tried :) Our proxy MITMs everything.
Do they allow your cell phone to be out when you are working? I'd just plug my cell phone in a USB port ("I'm charging my phone" if anyone asks), and use IP over USB to talk to the phone, and run non-business internet through the phone's data connection. One step further if the PC is locked down to prevent this, plug the keyboard/mouse/monitor into a Raspberry Pi, with a soft KVM plugged into one of the Pi's USB ports so your primary connection is to a device you control. Then use the KVM software to view your PC in full screen mode. Of course, this won't work if you are in an open office and your Pi's environment looks suspiciously different from your normal Windows desktop (but that can be fixed with theming).
Of course if I worked at a place that was constantly looking for an excuse to fire you, I wouldn't work there for long (because I'd either find a more relaxing job, or get fired).
At my job plugging in a USB device gets you paperwork and loss of computer use for at least 3-6 months. Fun fact my job also can't fire you, but it can make you wish you could.
Meanwhile at work I can't convince the "firewall guy" to block YouTube to save bandwidth for actual work ... Even porn websites aren't blocked!
I once triggered my domain account and PC intranet connection to be disabled because I started a Linux ISO download via BitTorrent. I didn't get in any trouble. Assuming this is even real, it's obviously just an example of bad management or there's more to the firing than what's being said.
I was "caught" torrenting Knoppix on a university computer. I had left it running in the background, and not realised it wouldn't exit when I logged off.
After I'd shown what it was, the sysadmins suggested leaving it seeding to see if we could get the university domain name to the top of the "top seeders" list.
When I started my CS degree they specifically made a point to say "Do not use bittorrent. Even for legitimate uses like Linux ISOs, you will get in trouble with the IT dept"
I can fully understand why a company doesn't want Tor traffic coming from inside the firewall. But this case, if the short description is accurate, should have been cleared up with a conversation with the employee possibly resulting in temporarily banning Brave until they can actually deploy it in a configuration that works with company policy.
Again, IF the description is accurate, the employee was using a browser allowed by IT and did not have any ill intentions.
According to what I read, the manager attempted to go to bat for the employee, and basically did everything they could short of flat out refusing to fire the person. After this incident, the manager and most of the remaining devs on the team are now looking for new jobs. I can't say as I blame any of them.
I've been working in the IT industry way too long. Any devices provided by my employer will only have whatever the employer has preloaded in terms of software. I will not browse any private or personal things on that device. I'm under constant assumption that device is keylogged/monitored. Even when working from home, I have it connect to its own private network on its own VLAN.
If I do go into the office, I'll just use my cell-phone for personal browsing.
I have that same mindset, but at the last two companies I've been at, I was a bit disturbed that the software policy was basically, "If you need it, just go to the website and download it. Don't download a virus, good luck!"
Exactly. It's the employer's property, and aren't there such things as devices you own?
Why blur the lines on something like that? This reads more like an overreaction to a lapse of judgment more than anything else.
I skimmed through the reddit thread but couldn't find an answer. Why do companies not want you using Tor ?
In my brush with a similar issue, the intrusion detection system flagged Tor traffic as potential malicious traffic. The IDS can't tell if this is malware calling back to a command and control node via Tor.
We allow developers to install their own software, so there isn't a good way to enforce browser policies. We ended up letting the developers know that connections to Tor generate alerts, and that these tie up security resources. That was enough that we haven't seen the issue again.
In our case the developer was using Brave and had opened the private window with Tor. That gave us a plausible explanation that didn't include malware, so we closed the ticket.
I'd say that there are very few legitimate reasons a Tor connection would come from a corporate network. So we'd like to keep the alert on, but any false positives tie up resources. Developers sometimes accidentally install malware, so we need to be vigilant about detecting and remediating that.
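As an added example (not from the thread, nor from any IDS or browser named in it), here is the kind of triage logic the comment above describes: scan outbound connection records, flag destinations that appear in a Tor relay table, rank a hit on a known relay's OR port above a bare port match, and group the hits per user so one Brave Tor window produces one ticket rather than one alert per circuit. The log format, field names, relay addresses and scoring thresholds are all assumptions for illustration; a real deployment would load the relay table from the Tor consensus or exit-list feeds and refresh it regularly.

```python
"""Flag outbound connections to Tor relays in proxy/firewall logs.

Added example, not code from the thread. Relay table, log format and
sample lines are constructed placeholders (RFC 5737 test addresses).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder relay table: IP -> advertised OR port.
# Real deployments populate this from the Tor consensus and refresh hourly.
TOR_RELAYS = {
    "198.51.100.7": 9001,
    "203.0.113.42": 443,
    "192.0.2.200": 9001,
}
# Ports Tor relays commonly listen on; a port-only hit is weak evidence.
TOR_OR_PORTS = {9001, 9030}

# RFC 1918 ranges: traffic to these cannot be a direct Tor relay connection.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log line shape: "<ts> user=<u> src=<ip> dst=<ip>:<port> proto=<p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>[0-9.]+):(?P<port>\d+) proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    dst: str
    port: int
    confidence: str  # "high", "medium" or "low"
    reason: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def classify(line: str) -> Optional[Alert]:
    """Return an Alert for a Tor-looking connection, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparsable; count these separately in production
    dst, port = m["dst"], int(m["port"])
    if is_internal(dst):
        return None
    relay_port = TOR_RELAYS.get(dst)
    if relay_port == port:
        conf, why = "high", "known Tor relay on its advertised OR port"
    elif relay_port is not None:
        conf, why = "medium", "known Tor relay, unexpected port"
    elif port in TOR_OR_PORTS:
        conf, why = "low", "Tor-style port to an unlisted host"
    else:
        return None
    return Alert(m["ts"], m["user"], m["src"], dst, port, conf, why)


def scan(log_text: str) -> list:
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]


def by_user(alerts: list) -> dict:
    """Group alerts by (user, source host) so triage opens one ticket per pair."""
    groups: dict = {}
    for a in alerts:
        groups.setdefault((a.user, a.src), []).append(a)
    return groups


# Constructed sample log: one user opening a Tor window (three circuits),
# ordinary HTTPS, an internal service on 9001, and a port-only hit.
SAMPLE_LOG = """\
2021-12-18T10:02:11Z user=jdoe src=10.1.2.3 dst=198.51.100.7:9001 proto=tcp
2021-12-18T10:02:12Z user=jdoe src=10.1.2.3 dst=203.0.113.42:443 proto=tcp
2021-12-18T10:02:15Z user=jdoe src=10.1.2.3 dst=192.0.2.200:9001 proto=tcp
2021-12-18T10:03:01Z user=asmith src=10.1.2.9 dst=198.51.100.99:443 proto=tcp
2021-12-18T10:03:05Z user=asmith src=10.1.2.9 dst=10.0.0.5:9001 proto=tcp
2021-12-18T10:04:20Z user=bwong src=10.1.2.20 dst=203.0.113.9:9030 proto=tcp
garbage line the collector could not format
"""

if __name__ == "__main__":
    for (user, src), hits in by_user(scan(SAMPLE_LOG)).items():
        best = max(hits, key=lambda a: ("low", "medium", "high").index(a.confidence))
        print(f"{user}@{src}: {len(hits)} hit(s), highest={best.confidence}: {best.reason}")
```

The grouping step is what keeps the alert on without burning analyst time: a single "jdoe opened a Tor window" ticket listing three relay connections is cheap to close once the Brave explanation is known, whereas three separate high-confidence alerts are not.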
Speculation: it looks a lot like a data exfiltration attempt, or like malware trying to reach its control network.
Just don't do things unrelated to work using work resources.
This is definitely the case. Most of these people are worried about you ferreting away company secrets over a connection they cannot monitor.
Tor enables content that work can't monitor or block. And it's associated with child porn, dark web drug networks, sex trafficking, and similar. In reality, it's a small part of Tor. In the media, that's all it's used for.
The biggest use statistically is bot and malicious traffic.
> Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious.
https://blog.cloudflare.com/the-trouble-with-tor/#:~:text=Ba....
This needs to be compared to clearnet for it to paint an accurate picture, which has reached 64% recently[1]. Though this figure comes from summing "good bots" with "bad bots", Cloudflare seems to have done the same ("automated requests", "content scraping").
[1] https://www.digit.fyi/two-thirds-of-internet-traffic-is-now-...
The initial post mentions FUD and top-level management, so it's possible management associate Tor with dark net drug dealing, CP, and assassinations and so on. Non-tech people aren't likely to have heard of Tor in any other context.
I've never used Onionshare, but it would allow untraceable file transfers bidirectionally through any (permitting) corporate firewall, and keybridging/mitm cert rewrites could not see into the session.
Malware and other attackers use Tor for C&C.
So blocking Tor hinders attackers using it.
Every company I've worked for has had DLP, firewalls, and content filtering in place, and circumventing those is a violation of acceptable use policies, and thus grounds for termination... so it seems pretty cut and dry to me.
Sounds like they did the employee a favor. Who would want to work in those conditions?
Well, it appears to be over zealous management. One might as well say “eating at your desk can get you fired”. The problem isn’t the eating. It’s the management.
One of the few comments in this thread that isn't rooted in Stockholm syndrome. Sure, it's prudent to do one's personal computing on personal devices - get a personal laptop or a GPD pocket or something like it for use at work, and only use their uplink via a wireguard link to something else you control (and/or get a cell modem). But management that fires people for using a protocol, and furthermore for using it incidentally? It makes me want to publish everything I do as onion only.
Yeah, the level of idiocy here is almost as high as in the "reporter may be prosecuted for using 'view source'" article.
What's next? Using https could get you fired because they can't MITM you?
Most of them use group-policies and other software to install root-certs onto company devices. HTTPS won't help you with MITM in that case.
It was good while it lasted tho.
Fun times getting blocked by the public/corporate firewall for something, hovering the mouse in the right place and pressing “s” and going, ahhh, “fixed it!”
Don't browsers these days loudly warn you if something like that is happening?
Most browsers (with the exception of Firefox which has its own store) trust root certificates installed on the OS (at least for Windows/Linux/macOS.)
With mobile devices (iOS/Android), web browsers also trust custom root certificates, but apps have the ability to reject them.
Firefox on Windows can also be configured to use the system store. Most corporate admins would do this because it makes for only having to manage them in one place. On Mac it can't though, and on Linux there isn't really a definitive system one (unless you consider OpenSSL's).
No not if the cert is preloaded into the system store or browser.
However mobile platforms are more finicky now. For example in Android 7 and above you can no longer add certs to the system store in most management modes. Only to the user store. And apps can choose whether to obey the user store or not. So many apps then refuse to work.
There's a few management modes that do allow it but they require a full wipe to start the enrollment process which starts from the setup wizard.
I noped out of the corporate CA that came pre-installed for the purpose of MitM-ing my machine. Getting rid of the corporate malware increases my productivity anyway (via faster computing).
It's not been allowed to be installed in my company for a long time.