Fair question, but I use a lot of things that are varying degrees of helpful for my work:
* personal ChatGPT and copilot subscriptions, since company doesn’t pay for these
* Trello account for keeping track of my todo list (following up with people, running deploys)
* Obsidian for keeping notes, as a personal knowledge-base (things like technologies and reminders)
* Apple account for music, copy/paste, sharing photos from my travel with coworkers, synching docs related to my work visa and taxes
* Personal slack login for communicating with my partner in our private server
* personal GitHub account credentials for synching my private dotfiles repo with my neovim config. basically can’t work without my dotfiles, but I could theoretically email these to myself or something, to prevent this one.
And sure, I could be stubborn and not use any of this, but I’d be way less productive and kinda miserable.
I don't remember if Jetbrains needs a password to get to personal licenses, but they definitely do to use their bug database. I suspect they're not the only one.
Letting other people blow off steam can be an act of self-preservation. Insisting that people only ever do 100% work things at work or on work hardware slightly raises your low-but-never-zero chances of being murdered by coworkers. Or less ironically, hilariously intense bridge-burning activities.
Also most of this conversation is happening during work hours so I think we can infer that grandparent is being a little hypocritical.
We are probably all little people here, and nothing like this would ever happen, but say you were high profile enough like that Google self-driving guy that Uber poached, and there was a lawsuit - anything you did on that computer would be up for grabs. All your personal projects, documentation, DMs.. it would be super messy. I’m pretty sure companies like having this kind of situation because it gives them legal ammo in the rare case where there is an action.
Let me ask you one follow up question: if you and the company had a disagreement of sorts and they examined your activity, would you believe they find nothing that they’d deem privileged?
> personal Trello account for keeping track of my todo list.
> personal Obsidian for keeping meeting notes, and recording conversations as a personal knowledge-base
I'm not a lawyer, but I'm pretty sure these could subject a lot of your other personal data to potential subpoena should your employer get sued by a sufficiently determined attacker.
> Obsidian is free for personal and non-profit use. However, if you use Obsidian for work-related activities that generate revenue in a company with two or more people, you must purchase a commercial license for each user. Non-profit organizations are exempt from this requirement.
> Q3. Can I buy a license for myself, or do I have to ask my company to buy it for me?
> Yes, you can buy a license for yourself; just put your name in the company > field. You can use such a license to work for any company.
You use so many personal accounts for work that it's unfathomable for me. If some hacker manages to hack into your account and find so much valuable information about your work, your work is going to be mightily pissed about it. Imagine you are working on an upcoming product launch and the attacker used your personal account to leak the launch. Or imagine they just decided to leak your company's internal source code. Or imagine they simply use the technical information in your personal attacks to steal user data (even Cloudflare says they worry about this: "Our aim was to prevent the attacker from using the technical information about the operations of our network as a way to get back in").
You are making your work take on an extraordinary risk in hiring you.
It’s a fair concern, but there really isn’t so much there. If they compromise my trello account then they know I have some meetings coming up with people, and that I’m starting on ticket 927109 and planning to deploy ticket 901223 on Tuesday. Just referencing items in our ticket management system with very sparse details.
My notes are text files on the computer, so we’d have problems regardless if they got that. But maybe I should’ve left it out of the list above in that case… nothing else seems very damning.
But you do raise a valid concern, and it’s worth reevaluating!
Convenience, I suppose… and that doesn’t solve all of the issues (eg Copilot)
I’m fine with it because I know there’s no management software on this laptop, but yeah it’s a totally different story if I had to use a newer one with SSO and management software
Part of the comp. package is presumably paying for you to endure some level of inconvenience at the company's request. Such as isolating work and personal things on separate systems.
At least that's how it works in the vast majority of companies.
I’ve been in the same situation. With two laptops you lose the ability to, say, send email directly to your task system.
It’s really easy to say ‘don’t use your personal stuff at work’, but when work is some locked-down behemoth whose view of productivity software is ‘just use Office’, and you’re really trying to be better at your job, using your own tools can be the only solution.
And in my situation, yeah, they didn’t want you bringing things in. I worked in a secure area.
Because I was working with friends, on a project that was interesting, mentally valuable, and in the national interest.
Just because the org that hires you is a shambles doesn’t mean you give up and quit. Thank fuck we don’t all think like that.
And, again, reputation. I have a stellar reputation because I stick it out, and I care. I’ve worked with people who quit because ‘it’s shit here’. Nobody will ever work with them again.
That is what you said… tools don’t matter enough to make you quit the job, and considering the language used in the previous comment, it seems far enough from your top priority that it likely never will. Hence a minor quibble in relative terms as it has almost no impact on your final decision to stay or leave.
Hurts who? If you’ve worked around it then it doesn’t hurt you, at least not too badly. It still hurts the company as a whole. But is that your problem?
You might feel a sense of social obligation or solidarity with the company. I usually do. But if I was placed in a dehumanizing situation like that – forced to work inefficiently due to overly rigid policies that assume everyone’s needs are the same – well, whether I worked around it or not, my empathy for the company would be at a nadir whenever I thought about it.
Why carry a second laptop when you can log in wherever you need to on your work laptop? It's easier for me to store all my passwords in a password manager and log in to the websites I need from my work laptop.
This all makes perfect sense - but just seems like your employer is too large to be effective, they're not offering you the right tools/you're not demanding them, and you're in an abusive relationship with them - probably because they pay you well enough.
The parent's view does seem a bit extreme, but there is always some overlap. Whatever HR system you have is going to be in a weird area of personal/employee overlap, as it'll need to have a password that your personal life has access to. (As tax documents, pay stubs, benefits stuff, etc. all impact the "personal" side of one's life. E.g., I need to store — in my personal archives — the years W-2.)
Also, people just do things for convenience. (Although I tend to pipe these passwords over an SSH connection, so that they're not resident on the work laptop. Though there is a good argument to be had about me permitting my work laptop SSH access to my personal laptop. From a technical standpoint, my employer could hack/compromise my personal laptop. From a legal and trust standpoint, I presume they won't.)
>From a technical standpoint, my employer could hack/compromise my personal laptop. From a legal and trust standpoint, I presume they won't.)
You trust all personnel with access to your employers network?
What's more surprising is that they trust you to setup adhoc ssh connections to arbitrary endpoints; unless you're the person in charge of network security?
Would anyone notice if you, or an intruder, dumped terabytes of data over that connection?
I don't work in IT but this just doesn't feel right to me.
I've used a corp laptop to SCP data onto a non-corp device. Technically both devices were corporately owned, but nobody logging the packets would have known that.
Honestly it sounds like you’re sheltered due to working in a certain sort of organisation and have had no exposure to the myriad ways in which organisations tend to be run. You’re acting like this is a big surprise, but it’s not.
It's not extreme at all, it's the bare minimum that professionals do.
Absolutely none of my personal stuff ever touches a corporate machine. Ever. I wouldn't even log in to the W2 downloading app as an employee from the work machine.
Granting work ssh keys access to your personal machine is crazy; if your work machine gets compromised, they steal your entire personal system's home directory too. Why would you unnecessarily expand the blast radius of a compromise like this?
What's the realistic threat model here? Someone hacks your company and during their exploitation window they're going to focus on... keylogging/MITMing random devs (likely far more paranoid/observant than the average computer user) so that they can get access to their personal machines via some artisan crafted attack to maybe make a fraudulent transfer from one person's bank account? In what world is that a low-hanging fruit to go after?
Devs in small companies often have a ton of access to systems and almost certainly aren’t heavily scrutinized about random novel binaries (being devs), so those are some of the first machines you’d target in an org.
You wouldn’t keylog “random devs”, you’d keylog all of the ones doing ops.
Would someone making a serious, targeted attack on the company focus on ops staff, and maybe go to the trouble of keylogging them? Sure. But those are precisely the attackers who wouldn't get distracted (and risk detection) going after those staff's personal machines.
I love these sorts of comments. Could you please just be more direct and call GP “not a professional” for not working in the way that you do? It’s so unnecessarily passive-aggressive.
