The parent's view does seem a bit extreme, but there is always some overlap. Whatever HR system you have is going to be in a weird area of personal/employee overlap, as it'll need to have a password that your personal life has access to. (As tax documents, pay stubs, benefits stuff, etc. all impact the "personal" side of one's life. E.g., I need to store — in my personal archives — the years W-2.)
Also, people just do things for convenience. (Although I tend to pipe these passwords over an SSH connection, so that they're not resident on the work laptop. Though there is a good argument to be had about me permitting my work laptop SSH access to my personal laptop. From a technical standpoint, my employer could hack/compromise my personal laptop. From a legal and trust standpoint, I presume they won't.)
>From a technical standpoint, my employer could hack/compromise my personal laptop. From a legal and trust standpoint, I presume they won't.)
You trust all personnel with access to your employers network?
What's more surprising is that they trust you to setup adhoc ssh connections to arbitrary endpoints; unless you're the person in charge of network security?
Would anyone notice if you, or an intruder, dumped terabytes of data over that connection?
I don't work in IT but this just doesn't feel right to me.
I've used a corp laptop to SCP data onto a non-corp device. Technically both devices were corporately owned, but nobody logging the packets would have known that.
Honestly it sounds like you’re sheltered due to working in a certain sort of organisation and have had no exposure to the myriad ways in which organisations tend to be run. You’re acting like this is a big surprise, but it’s not.
It's not extreme at all, it's the bare minimum that professionals do.
Absolutely none of my personal stuff ever touches a corporate machine. Ever. I wouldn't even log in to the W2 downloading app as an employee from the work machine.
Granting work ssh keys access to your personal machine is crazy; if your work machine gets compromised, they steal your entire personal system's home directory too. Why would you unnecessarily expand the blast radius of a compromise like this?
What's the realistic threat model here? Someone hacks your company and during their exploitation window they're going to focus on... keylogging/MITMing random devs (likely far more paranoid/observant than the average computer user) so that they can get access to their personal machines via some artisan crafted attack to maybe make a fraudulent transfer from one person's bank account? In what world is that a low-hanging fruit to go after?
Devs in small companies often have a ton of access to systems and almost certainly aren’t heavily scrutinized about random novel binaries (being devs), so those are some of the first machines you’d target in an org.
You wouldn’t keylog “random devs”, you’d keylog all of the ones doing ops.
Would someone making a serious, targeted attack on the company focus on ops staff, and maybe go to the trouble of keylogging them? Sure. But those are precisely the attackers who wouldn't get distracted (and risk detection) going after those staff's personal machines.
I love these sorts of comments. Could you please just be more direct and call GP “not a professional” for not working in the way that you do? It’s so unnecessarily passive-aggressive.
Also, people just do things for convenience. (Although I tend to pipe these passwords over an SSH connection, so that they're not resident on the work laptop. Though there is a good argument to be had about me permitting my work laptop SSH access to my personal laptop. From a technical standpoint, my employer could hack/compromise my personal laptop. From a legal and trust standpoint, I presume they won't.)