Ask HN: My company installed Chef on all of our machines, should I be worried?

It was done by our OPS team; they installed Chef via USB sticks and a custom bash script. They are saying it's for automating the config for our VPN and the like. I am still concerned about this, although they cleared up that it's not for surveillance. They stated in a later message that they can install surveillance software for sure, but should I be worried about the whole gig or just take it easy?

7 points | by ahmgeek 1980 days ago

6 comments

  • akulbe 1980 days ago
    Chef is for configuration management, not for surveillance.

    Like they said... they can install surveillance stuff on your machine, but that was likely just as possible prior to introducing Chef into the picture.

    It's likely that they just want to get (more?) efficient in how they do their operations work.

    Since the company owns the equipment, there's not even an implied right to privacy. They own it, ALL of it. Assume everything is monitored, and behave accordingly.

    I do Chef development. We've been asked to include monitoring software for some groups in my client's company. Just assume that's always the case, when you're using someone else's equipment.

    • ahmgeek 1978 days ago
      I agree with all of it.
  • dvtrn 1980 days ago
    IMO if your company wanted surveillance on the equipment they provide you, they'd already do it and (probably) wouldn't tell you. When it comes to work computers, I've found the best course of action is to assume everything you're doing is already being logged anyway.

    Remember: It's their hardware, not yours.

  • idunno246 1980 days ago
    If a company does not install surveillance-type software on hardware they own, they are taking a risk. Any company over a certain size will do it, or with some regulations. Even signing a contract with a big customer if you're B2B, that company will give a security questionnaire and might ask about policy and expect it.

    If your company provides a laptop, assume they can intercept all SSL traffic (HSTS makes this a little tougher though), and read all your work email, and see everything you do. They probably don't, but could, so better safe than sorry.

    If I was concerned, it would be that they are doing it themselves with chef and not using an off-the-shelf solution. Seems like a poor use of resources not to buy it.

  • hluska 1980 days ago
    Two things:

    First, if I planned to install surveillance software on my company's machines, Chef is pretty far down the list of ways I'd install it. They technically could install surveillance software with it, but it's certainly not the typical vector.

    Second, it's safer to assume that everything you do on a corporate machine/network is being watched.

  • joezydeco 1980 days ago
    Chef is nothing. My company is completely locked down with Forcepoint and Crowdstrike. Every PC has it installed or it doesn't get to stay plugged in.

    Unless you own the company, you're not really going to change policy. Get a personal VPN in place (hint: they're watching your DNS queries too), tether to your LTE phone, or just stick to company business on their machines.

    • clubm8 1980 days ago
      Interesting... I'm not a networking expert, but I thought if you use a VPN, DNS is routed through the ISP of the VPN's DNS resolver?

      Is there a way for me to check this assumption?

      • joezydeco 1980 days ago
        Yeah, that's what happens. I wrote that sentence badly. A lot of times I used to just fire up Linux on VirtualBox and thought that would circumvent any web filter on the Windows host, but the DNS still ran through the same place.
  • phendrenad2 1980 days ago
    It's kinda common for companies to spy on company machines, so it wouldn't surprise me if that's the case.