Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Ben Koenig
--- Original Message ---
On Tuesday, April 18th, 2023 at 8:38 AM, Ishak Micheil wrote:


> Greetings,
> I am tasked to identify a solution for detecting users obfuscating their IP
> using a variety of VPN services.
> 
> What we've done
> - Prevent users from installing software (VPN Clients)
> 
> - Possibly having a code on endpoints, to collect ip addresses tied to wifi
> or LAN connection prior to attaching to VPN service,
> 
> any other ideas?


Some people want to debate this as some sort of political issue, but it's 
pretty straightforward. This usually is more of a concern at SMBs that don't 
want to splurge for company managed hardware and ask their employees to BYoD. 
This then creates anxiety among managers that gets projected down to IT. 

If you control the VDI system, then you have the ability to see who is 
connecting. At most companies the VPN software used to connect to the VDI is 
ALSO company managed, so you can see that too.

So, you log all accesses to the VPN on the server side and monitor for trends. 
You may not be able to stop an employee from giving out access credentials, but 
you can see when the IP address used to connect the VPN changes. From here, you 
implement Zero-trust policies where only known IP addresses are able to access 
the network because you know the IP address, but may not have logged it 
effectively until now.

There are additional layers of control you can add but it ultimately comes down 
to what a given company is willing to provide for their employees/contractors. 
I've worked with systems that would make the kind of subcontracting you 
describe very difficult but in those cases you end up with the employer buying 
a special wifi router for their staff. A lot of managers will ask for a magical 
fix without understanding how much effort it takes to lock this down. For us in 
IT sometimes we just need to map out all the things that would need to be 
implemented and assign a $$$ value to them. Most companies will decide not to 
bother at that point.


Think of it like an arms race, at what point does your user have to jump 
through so many hoops that the act of enabling a subcontractor becomes more 
work than the actual job? Or, we could be Ted and go off on abusive rants about 
how IT people are autistic for even considering this type of solution. ;)
-Ben


P.S.  Hey Denis, I would have posted this info sooner since it's a pretty 
interesting question but was discouraged from doing so because Ted was trying 
to shit on everyone. May the Facts be with me :)
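The server-side logging and known-IP policy Ben describes above, worked through as an added example (not code from the thread or from any VPN product): it parses a constructed, hypothetical "vpn auth" log format, flags successful logins whose source address is new for that user or outside an allowlisted network, and applies a known-addresses-only decision to a new connection. The log format, user names, addresses and networks are all made up for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical "vpn auth" log format (not any
# real VPN server's syntax): timestamp, result, user, source IP.
SAMPLE_LOG = """\
2023-04-18T08:01:12Z vpn auth ok user=alice src=203.0.113.10
2023-04-18T08:05:44Z vpn auth ok user=bob src=198.51.100.7
2023-04-19T08:02:03Z vpn auth ok user=alice src=203.0.113.10
2023-04-19T21:30:55Z vpn auth ok user=alice src=192.0.2.77
2023-04-20T08:00:19Z vpn auth fail user=bob src=198.51.100.7
2023-04-20T09:14:02Z vpn auth ok user=bob src=198.51.100.200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])  # raises on malformed addresses
    return ev


def audit(log_text, allowlist=()):
    """Walk the log in order and flag successful logins whose source address is
    new for that user, or lies outside the allowlisted networks (if any given).

    Returns (alerts, baseline): alerts is a list of dicts in log order; baseline
    maps each user to the source IPs they successfully connected from, which is
    the "known IP addresses" list a stricter policy can be built on after review.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    seen = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "ok":
            continue  # failed attempts never established a session; skip them
        user, src = ev["user"], ev["src"]
        reasons = []
        if seen[user] and src not in seen[user]:
            reasons.append("new_ip")  # differs from every prior login by this user
        if nets and not any(src in n for n in nets):
            reasons.append("outside_allowlist")
        if reasons:
            alerts.append({
                "ts": ev["ts"], "user": user, "src": str(src), "reasons": reasons,
                "previous": [str(a) for a in sorted(seen[user])],
            })
        seen[user].add(src)
    baseline = {u: [str(a) for a in sorted(ips)] for u, ips in seen.items()}
    return alerts, baseline


def decide(src, known_ips, allowlist=()):
    """Known-addresses-only policy: allow a connection only if its source is one
    of the user's reviewed known IPs or inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    if addr in {ipaddress.ip_address(k) for k in known_ips}:
        return "allow"
    if any(addr in ipaddress.ip_network(n) for n in allowlist):
        return "allow"
    return "deny"


if __name__ == "__main__":
    found, known = audit(SAMPLE_LOG, ["203.0.113.0/24", "198.51.100.0/24"])
    for a in found:
        print(f"{a['ts']} {a['user']} from {a['src']}: "
              f"{', '.join(a['reasons'])} (previous: {a['previous']})")
    print("baseline:", known)
```

Run on the sample, the audit reports alice's evening login from 192.0.2.77 (new for her and outside both office networks) and bob's move to 198.51.100.200 (new for him, but still inside an allowlisted network), which is the kind of per-user change the thread suggests watching for.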


Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Ben Koenig
I'm not the one accusing IT people of having social disorders. 

There's clearly a double standard here and a few of you are getting ready to 
team up and attack the little guy.

Accusing people of being autistic in order to win the argument is wrong. Ted 
has been very aggressive in this discussion and made statements that are 
clearly derogatory in nature.

As for my contribution, I pointed out that Ted's assertion that IT should 
not be involved here was wrong, and provided facts to clarify that. Maybe he 
(and you) can learn something from that?

Regardless of all that, you've made it clear that you just want to attack me. I 
don't appreciate the autism accusation and frankly, Ted owes everyone an 
apology for being an abusive asshole.
-Ben


--- Original Message ---
On Saturday, April 22nd, 2023 at 4:38 PM, Denis Heidtmann wrote:


> What (positive) contribution do your insults bring to the discussion? Can
> you find a less hostile way to contribute?
> 
> -Denis
> 
> On Sat, Apr 22, 2023 at 4:02 PM Ben Koenig techkoe...@protonmail.com wrote:
> 
> > Don't be such a dipshit.
> > 
> > Yes, HR and Management are responsible for taking corrective action
> > against employees not doing their job. "Job" in this context being defined
> > by that employee's contract so there's no reason for us to speculate and
> > pass judgement on whether or not IT should bother.
> > 
> > What you seem to be missing in your attempt to over-compensate for your
> > sense of psychological supremacy is that in order to take correct action
> > from a management perspective, IT has to identify the digital paper trail.
> > That's what we do - We can and often should keep track of network
> > connections and report them accordingly. Whether that person gets punished
> > is not for us to say.
> > 
> > And in some cases this has to be handled proactively. This kind of
> > subcontracting can create massive legal problems for some companies so even
> > if the manager goes and tells them to stop, it's too late. Data has been
> > leaked and lawsuits start to fly.
> > 
> > Sadly there are a lot of people in the modern linux community that seem to
> > believe that their understanding of IT trumps everyone else. Small,
> > inexperienced minds that see their own personal use case as superior to all
> > others.
> > 
> > -Ben
> > 
> > --- Original Message ---
> > On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt <t...@portlandia-it.com> wrote:
> > 
> > > For employees it depends if they are exempt or not. Any supervisory
> > > employee who can fire people is automatically considered exempt and many
> > > other employee classifications (such as programming) are considered exempt
> > > as well. (exemption is once more IRS and state taxing authority
> > > determination that the company has no say over)
> > > 
> > > If the employee is exempt from overtime then it's illegal for the
> > > company to require that they work a certain number of hours, or at certain
> > > times. If the company DOES tell the employee this (that they have to track
> > > their time) then the employee can hit them for mandatory overtime (if they
> > > exceed 40 hours)
> > > 
> > > Exempt/non exempt classifications are more commonly referred to as
> > > salaried/hourly employees.
> > > 
> > > Long and short of it is you cannot use an online form to consider "work
> > > to be valid" for a salaried AKA exempt employee. Salaried employees are
> > > paid BY THE JOB not by being logged into something for a certain time.
> > > 
> > > Companies quite often forget that putting someone like a programmer on
> > > salary is a two way street. The benefit from the company's point of view is
> > > they don't have to pay overtime for one of those work-round-the-clock-push
> > > times. But in exchange for that, the employee also doesn't have to work 40
> > > hours every week either. A decent salaried employee keeps an eye on time
> > > since it's an important metric for how much work is reasonable to expect a
> > > salaried employee to do but it is NOT the absolute metric.
> > > 
> > > Companies who have tried to do it differently - that is, not pay OT and
> > > make you work late during crunch time - and still make you work 40 hours -
> > > regularly end up paying very large fines and back salary to people when
> > > they get sued. It's healthy for that to happen for owners of those
> > > companies to get slapped silly for trying to exploit workers from time to
> > > time.
> > > 
> > > Once more as I keep saying this needs to be handled from an employee
> > > management standpoint via managers and HR not from the IT department trying
> > > to play God and the managers being wussies and afraid to talk to employees.
> > > 
> > > Is it simply that a large number of IT people are on the autism spectrum
> > > and have social anxiety disorder that they will literally waste weeks of
> > > company time on elaborate technical solutions 

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Ted Mittelstaedt
Don’t worry about it Denis.  Ben is passionate about what he's doing and what 
he sees himself doing in security at any rate is protecting the organization 
from the evil people out there.  Naturally he's going to be frustrated when 
faced with the reality of company politics and fiscal money-making that 
sometimes clashes with this directive.

A good manager would recognize that both Ben and the employee or contractor who 
are outsourcing are right.

Yes, outsourcing can leak company vitals.  But, it can also shortcut a problem 
and get a product out ahead of a competitor.  It is right and valid to question 
if it's worth the risk to outsource.  I don't know Ben's CEO but if I were that 
CEO I would drag him and the contractors and employees he's going after into a 
conference room and tell both of them to convince me which one is right.

Ted

-Original Message-
From: PLUG  On Behalf Of Denis Heidtmann
Sent: Saturday, April 22, 2023 4:39 PM
To: Portland Linux/Unix Group 
Subject: Re: [PLUG] 3rd party vpn Defense evasion

What (positive) contribution do your insults bring to the discussion? Can you 
find a less hostile way to contribute?

-Denis

On Sat, Apr 22, 2023 at 4:02 PM Ben Koenig wrote:

> Don't be such a dipshit.
>
> Yes, HR and Management are responsible for taking corrective action 
> against employees not doing their job. "Job" in this context being 
> defined by that employee's contract so there's no reason for us to 
> speculate and pass judgement on whether or not IT should bother.
>
> What you seem to be missing in your attempt to over-compensate for 
> your sense of psychological supremacy is that in order to take correct 
> action from a management perspective, IT has to identify the digital paper 
> trail.
> That's what we do - We can and often should keep track of network 
> connections and report them accordingly. Whether that person gets 
> punished is not for us to say.
>
> And in some cases this has to be handled proactively. This kind of 
> subcontracting can create massive legal problems for some companies so 
> even if the manager goes and tells them to stop, it's too late. Data 
> has been leaked and lawsuits start to fly.
>
> Sadly there are a lot of people in the modern linux community that 
> seem to believe that their understanding of IT trumps everyone else. 
> Small, inexperienced minds that see their own personal use case as 
> superior to all others.
> -Ben
>
>
> --- Original Message ---
> On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt <t...@portlandia-it.com> wrote:
>
>
> > For employees it depends if they are exempt or not. Any supervisory
> employee who can fire people is automatically considered exempt and 
> many other employee classifications (such as programming) are 
> considered exempt as well. (exemption is once more IRS and state 
> taxing authority determination that the company has no say over)
> >
> > If the employee is exempt from overtime then it's illegal for the
> company to require that they work a certain number of hours, or at 
> certain times. If the company DOES tell the employee this (that they 
> have to track their time) then the employee can hit them for mandatory 
> overtime (if they exceed 40 hours)
> >
> > Exempt/non exempt classifications are more commonly referred to as
> salaried/hourly employees.
> >
> > Long and short of it is you cannot use an online form to consider "work
> to be valid" for a salaried AKA exempt employee. Salaried employees 
> are paid BY THE JOB not by being logged into something for a certain time.
> >
> > Companies quite often forget that putting someone like a programmer on
> salary is a two way street. The benefit from the company's point of 
> view is they don't have to pay overtime for one of those 
> work-round-the-clock-push times. But in exchange for that, the 
> employee also doesn't have to work 40 hours every week either. A 
> decent salaried employee keeps an eye on time since it's an important 
> metric for how much work is reasonable to expect a salaried employee to do 
> but it is NOT the absolute metric.
> >
> > Companies who have tried to do it differently - that is, not pay OT and
> make you work late during crunch time - and still make you work 40 
> hours - regularly end up paying very large fines and back salary to 
> people when they get sued. It's healthy for that to happen for owners 
> of those companies to get slapped silly for trying to exploit workers 
> from time to time.
> >
> > Once more as I keep saying this needs to be handled from an employee
> management standpoint via managers and HR not from the IT department 
> trying to play God and the managers being wussies and afraid to talk to 
> employees.
> >
> > Is it simply that a large number of IT people are on the autism spectrum
> and have social anxiety disorder that they will literally waste weeks 
> of company time on elaborate technical solutions that can be handled 
> in 5 

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Ted Mittelstaedt
Note the original post was regarding CONTRACTORS not EMPLOYEES.  Big difference 
there.

If a company contracts with a contractor then what is in the contract trumps 
everything.  And, contracts are legally interpreted AGAINST the drafter.  So if 
for example the company wrote the contractor's contract, and did NOT specify 
that the contractor may not subcontract - then if they then attempt to block 
the contractor from subcontracting after the contract was signed, they are in 
abeyance of the contract and can be sued for breach of contract by the 
contractor.  And the company would lose because the lack of a prohibition for 
subcontracting would be interpreted AGAINST the company.

As for BLOCKING vpn connections from a contractor that is a fuzzy legal area 
also.  If the contract does NOT specify that the contractor may NOT use the 
company Internet connection then the contractor could reasonably argue in a 
court that being allowed to use the company Internet connection for 6 months 
before IT decided to crack down was an unwritten expectation in the contract, 
and that now since IT did crack down they have to go spend money on a hotspot 
or whatever so now the company owes them even more money.  And yes if it went 
to court it WOULD be ruled against the company.

As I said if the company does not want contractors subcontracting or using 
personal VPNs then they need to renegotiate the contract with the contractor.  
That is the proper way to handle this.  Not sic IT on people like a trained dog 
to make things difficult for them.

I've never known a REAL contractor to not be open to a contract renegotiation 
because always a contract renegotiation ends up increasing their profits.  
Because, by then they are familiar with workflow and the company culture and 
can and will insert new terms.  For example years ago I was working for a 
software company in 1000 Broadway that used contractors.  They had a contractor 
who as part of his contract required company paid parking.  The company wanted 
him so they agreed and the contract was signed.  However the contractor was 
very surprised when the paid parking turned out to be a parking lot 6 blocks 
away up a hill.  That arrangement lasted until contract renewal time in which 
case the contractor renegotiated his contract and changed it from "parking" to 
"parking inside of the building". After the contract was signed he got his 
parking spot in the 1000 Broadway garage.   Which was a much bigger deal than 
you might think because the City of Portland at that time was heavily 
restricting parking spots for businesses because they were trying to force 
employees onto TriMet. There were in fact full time senior programmers who 
were mad because they were parking in the lot up the hill!

As for employees a company can set whatever silly rule they want including like 
I said that the employee has to wear a pink hat to work.  However, it gets very 
fuzzy when the employee is an exempt employee because under the law exempt 
employees are required to have significant discretionary decision input to the 
company to remain exempt.  An exempt employee can for example given the pink 
hat rule, make a decision that they didn't need to wear a pink hat and not wear 
it.  It is entirely situational.  That is what being exempt means, legally at 
any rate.

That input could reasonably be whether or not the employee can decide to 
subcontract.  A ton of this is determined by job title.

For example a company promotes a programmer to title of Director of Development 
for a product and declares them an exempt employee and tells them they will 
need to put in a lot of unpaid hours now since they are on salary.  That 
director makes a decision that outsourcing to Russia is needed for a particular 
product.   IF that director can show that this decision was in the best fiscal 
interests of the company and did not increase risk to the company then IT 
cannot override that. Because, if they did then that director's title would be 
meaningless, and he could simply complain to the CEO that IT was interfering 
with his job - and if the CEO supported the director, then the director could 
simply say "fine", quit then complain to state department of labor for unpaid 
overtime based on the fact that as director he was not given significant power 
in the company to make decisions, that effectively he was being exploited with 
a meaningless paper title and was NOT exempt.  And the Dept of Labor would 
definitely side with the employee.

Normally you don't see this sort of thing on executive decisions because to be 
honest I have never once in my career ever seen a CEO side with IT against a 
company director.  Even if it is completely obvious that what the director is 
doing is technologically stupid and fiscally stupid and puts security of the 
company at risk.  AND, even if IT was given a directive by that very same CEO 
to crack down on private VPNS or increase security or something 

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Denis Heidtmann
What (positive) contribution do your insults bring to the discussion? Can
you find a less hostile way to contribute?

-Denis

On Sat, Apr 22, 2023 at 4:02 PM Ben Koenig wrote:

> Don't be such a dipshit.
>
> Yes, HR and Management are responsible for taking corrective action
> against employees not doing their job. "Job" in this context being defined
> by that employee's contract so there's no reason for us to speculate and
> pass judgement on whether or not IT should bother.
>
> What you seem to be missing in your attempt to over-compensate for your
> sense of psychological supremacy is that in order to take correct action
> from a management perspective, IT has to identify the digital paper trail.
> That's what we do - We can and often should keep track of network
> connections and report them accordingly. Whether that person gets punished
> is not for us to say.
>
> And in some cases this has to be handled proactively. This kind of
> subcontracting can create massive legal problems for some companies so even
> if the manager goes and tells them to stop, it's too late. Data has been
> leaked and lawsuits start to fly.
>
> Sadly there are a lot of people in the modern linux community that seem to
> believe that their understanding of IT trumps everyone else. Small,
> inexperienced minds that see their own personal use case as superior to all
> others.
> -Ben
>
>
> --- Original Message ---
> On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt <t...@portlandia-it.com> wrote:
>
>
> > For employees it depends if they are exempt or not. Any supervisory
> employee who can fire people is automatically considered exempt and many
> other employee classifications (such as programming) are considered exempt
> as well. (exemption is once more IRS and state taxing authority
> determination that the company has no say over)
> >
> > If the employee is exempt from overtime then it's illegal for the
> company to require that they work a certain number of hours, or at certain
> times. If the company DOES tell the employee this (that they have to track
> their time) then the employee can hit them for mandatory overtime (if they
> exceed 40 hours)
> >
> > Exempt/non exempt classifications are more commonly referred to as
> salaried/hourly employees.
> >
> > Long and short of it is you cannot use an online form to consider "work
> to be valid" for a salaried AKA exempt employee. Salaried employees are
> paid BY THE JOB not by being logged into something for a certain time.
> >
> > Companies quite often forget that putting someone like a programmer on
> salary is a two way street. The benefit from the company's point of view is
> they don't have to pay overtime for one of those work-round-the-clock-push
> times. But in exchange for that, the employee also doesn't have to work 40
> hours every week either. A decent salaried employee keeps an eye on time
> since it's an important metric for how much work is reasonable to expect a
> salaried employee to do but it is NOT the absolute metric.
> >
> > Companies who have tried to do it differently - that is, not pay OT and
> make you work late during crunch time - and still make you work 40 hours -
> regularly end up paying very large fines and back salary to people when
> they get sued. It's healthy for that to happen for owners of those
> companies to get slapped silly for trying to exploit workers from time to
> time.
> >
> > Once more as I keep saying this needs to be handled from an employee
> management standpoint via managers and HR not from the IT department trying
> to play God and the managers being wussies and afraid to talk to employees.
> >
> > Is it simply that a large number of IT people are on the autism spectrum
> and have social anxiety disorder that they will literally waste weeks of
> company time on elaborate technical solutions that can be handled in 5
> minutes by a manager walking up to an employee and saying "hey dude you
> know that thing you are doing with the VPN, well knock it off"
> >
> > Or is it that their anxiety disorder and desire to Play God just drives
> them to believe that every other employee in the company is trying to screw
> IT???
> >
> > Sheesh!!!
> >
> > Ted
> >
> > -Original Message-
> > From: PLUG plug-boun...@pdxlinux.org On Behalf Of Daniel Ortiz
> >
> > Sent: Wednesday, April 19, 2023 1:39 PM
> > To: Portland Linux/Unix Group plug@pdxlinux.org
> >
> > Subject: Re: [PLUG] 3rd party vpn Defense evasion
> >
> > Disclaimer: some of the following if not all could be wrong.
> >
> > Wouldn't it be easier to deal with the credentials side to avoid this
> problem in the first place? To illustrate what I mean, here's a theoretical
> idea that while it might be flawed (like potential security failures),
> could be useful in terms of guidance. When an employee logs in, it sends an
> email to their company Gmail account complete the login in procedure. They
> click the link to a Google form which requires them to be 

Re: [PLUG] 3rd party vpn Defense evasion

2023-04-22 Thread Ben Koenig
Don't be such a dipshit.

Yes, HR and Management are responsible for taking corrective action against 
employees not doing their job. "Job" in this context being defined by that 
employee's contract so there's no reason for us to speculate and pass judgement 
on whether or not IT should bother.

What you seem to be missing in your attempt to over-compensate for your sense 
of psychological supremacy is that in order to take correct action from a 
management perspective, IT has to identify the digital paper trail. That's what 
we do - We can and often should keep track of network connections and report 
them accordingly. Whether that person gets punished is not for us to say. 

And in some cases this has to be handled proactively. This kind of 
subcontracting can create massive legal problems for some companies so even if 
the manager goes and tells them to stop, it's too late. Data has been leaked and 
lawsuits start to fly. 

Sadly there are a lot of people in the modern linux community that seem to 
believe that their understanding of IT trumps everyone else. Small, 
inexperienced minds that see their own personal use case as superior to all 
others. 
-Ben


--- Original Message ---
On Wednesday, April 19th, 2023 at 4:43 PM, Ted Mittelstaedt wrote:


> For employees it depends if they are exempt or not. Any supervisory employee 
> who can fire people is automatically considered exempt and many other 
> employee classifications (such as programming) are considered exempt as well. 
> (exemption is once more IRS and state taxing authority determination that the 
> company has no say over)
> 
> If the employee is exempt from overtime then it's illegal for the company to 
> require that they work a certain number of hours, or at certain times. If the 
> company DOES tell the employee this (that they have to track their time) then 
> the employee can hit them for mandatory overtime (if they exceed 40 hours)
> 
> Exempt/non exempt classifications are more commonly referred to as 
> salaried/hourly employees.
> 
> Long and short of it is you cannot use an online form to consider "work to be 
> valid" for a salaried AKA exempt employee. Salaried employees are paid BY THE 
> JOB not by being logged into something for a certain time.
> 
> Companies quite often forget that putting someone like a programmer on salary 
> is a two way street. The benefit from the company's point of view is they 
> don't have to pay overtime for one of those work-round-the-clock-push times. 
> But in exchange for that, the employee also doesn't have to work 40 hours 
> every week either. A decent salaried employee keeps an eye on time since it's 
> an important metric for how much work is reasonable to expect a salaried 
> employee to do but it is NOT the absolute metric.
> 
> Companies who have tried to do it differently - that is, not pay OT and make 
> you work late during crunch time - and still make you work 40 hours - 
> regularly end up paying very large fines and back salary to people when they 
> get sued. It's healthy for that to happen for owners of those companies to 
> get slapped silly for trying to exploit workers from time to time.
> 
> Once more as I keep saying this needs to be handled from an employee 
> management standpoint via managers and HR not from the IT department trying 
> to play God and the managers being wussies and afraid to talk to employees.
> 
> Is it simply that a large number of IT people are on the autism spectrum and 
> have social anxiety disorder that they will literally waste weeks of company 
> time on elaborate technical solutions that can be handled in 5 minutes by a 
> manager walking up to an employee and saying "hey dude you know that thing 
> you are doing with the VPN, well knock it off"
> 
> Or is it that their anxiety disorder and desire to Play God just drives them 
> to believe that every other employee in the company is trying to screw IT???
> 
> Sheesh!!!
> 
> Ted
> 
> -Original Message-
> From: PLUG plug-boun...@pdxlinux.org On Behalf Of Daniel Ortiz
> 
> Sent: Wednesday, April 19, 2023 1:39 PM
> To: Portland Linux/Unix Group plug@pdxlinux.org
> 
> Subject: Re: [PLUG] 3rd party vpn Defense evasion
> 
> Disclaimer: some of the following if not all could be wrong.
> 
> Wouldn't it be easier to deal with the credentials side to avoid this problem 
> in the first place? To illustrate what I mean, here's a theoretical idea that 
> while it might be flawed (like potential security failures), could be useful 
> in terms of guidance. When an employee logs in, it sends an email to their 
> company Gmail account complete the login in procedure. They click the link to 
> a Google form which requires them to be logged in to their company Google 
> account for the submitted form to either work or be considered valid. Once, 
> it's submitted, a program will allow them to finish the login process. Also, 
> doing something with a company Google account could be helpful since