Spyware: the parent's friend

[Tale]

http://www.snoopstick.com/

Simply plug the SnoopStick into the computer you want to monitor. Then run the setup program to install the SnoopStick monitoring components on the computer. The whole process takes less than 60 seconds.

The SnoopStick monitoring components are completely hidden, and there are no telltale signs that the computer is being monitored.

[Trippy]

Umm...no, that's not a parent's best friend, that's a computer data thief's best friend.

[Ironwood]

USB Devices :  Invented by the Devil.

[Tale]

Umm...no, that's not a parent's best friend, that's a computer data thief's best friend.

HI THAT IS WHY I POSTED IT

[Ironwood]

I don't think he was talking to you, but the manufacturers.  In fairness, they probably know it as well...

[Der Helm]

You can even log the user off, disable internet access, set time restrictions or even turn the computer off. All using your SnoopStick from any computer.

This can only end in a lawsuit ...

[Ironwood]

Well, it's an American company, so you're probably right.

[HaemishM]

Wow, yeah let's just ditch that whole talking with kids things, just put unsafe spyware on your computer and let the viruses walk right in.

Fuckheads.

EDIT: If shit is far enough gone that I feel the need to install monitoring software on my kid's computer, I might as well just remove the kid's computer.

[Ironwood]

Would you guys stop pretending that it's about the quite blatantly see-through rationalisation ?

This is not going to be bought by concerned parents.  This is for the suspicious and over-controlling MD on the go.

[Furiously]

No - it's for the husband that thinks his wife is chatting it up with her old boyfriend.

[Riggswolfe]

No - it's for the husband that thinks his wife is chatting it up with her old boyfriend.

Or overzealous bosses.

[Paelos]

Or stalkers.

[Ironwood]

No - it's for the husband that thinks his wife is chatting it up with her old boyfriend.

Or overzealous bosses.

You know what an MD is, right ?

[Evangolis]

As an aging hipster, union rules prevent me from having a clue.

[Signe]

Isn't the word "hipster" from like the 40s and 50s?  That would make you in your 60s or 70s and I'm not buying it.  Maybe you meant "hippie".  That would still make you old enough to forget words.

[Nebu]

Hipster was a popular 60's style term for skirts/pants that were low on the hip.  If you were lucky, people wore them with a crazy wide belt with a big buckle. 

Yes, I'm old.

[Evangolis]

"Aging hipster" was a joke used by some guys I knew in college in the 70s.  I've sort of taken it as a long term career goal.  Besides, I still don't know what 'MD' is slang for.  And where is the Snoop Dogg penis joke in this thread?  There's work to be done here, you young whippersnappers!

[Signe]

Nebu called you a tatty old skirt.  Are you going to let him get away with that?

(old man fight!  old man fight!  old man fight!)

[Furiously]

So it's not Medical Doctor?

[Paelos]

So it's not Medical Doctor?

That's what it means to me, but I'm sure Ironwood will tell us it's scottish slang for "nuts" or something. I can never understand what the hell they are saying when I go over there anyway.

[Signe]

Meat dog?

[Calantus]

I don't know what MD is either, but I'm putting money on it meaning redundant. Any takers?

[Stephen Zepp]

Umm...no, that's not a parent's best friend, that's a computer data thief's best friend.

Actually, it's a computer forensic expert's best friend.

Chances are, if your company has any security staff at all, they've already gotten professional versions of this installed on every computer in the company.

[bhodi]

Actually, it's a computer forensic expert's best friend.

Chances are, if your company has any security staff at all, they've already gotten professional versions of this installed on every computer in the company.

Not anywhere that I would work. I also think any (other) security professional would advise against it in all but the most extremely security sensitive of cases.

A policy like that is shooting yourself in the foot. Yes you can legally monitor your employees routine desktop matters, no, you shouldn't. Not only does it open up another hole in your enterprise security (desktops, bar none, are the first things compromised), but if you trust your employees enough to have them routinely manage hundreds, thousands, sometimes millions of company dollars, your public image, your websites, proprietary data, and essentially your company's future, than there is no reason you should stoop to monitoring desktop activity.

To de-facto spy on your employees shows a remarkable level of distrust for almost no gain that doesn't come near to breaking even on any sort of risk/reward or morale/cost scale. It fosters animosity, resentment, and a general reciprocated mistrust that can eat companies from the inside.

It's also ripe for abuse by those who administrate it. There are very sensitive internal items that are better off not being monitored by technical people -- everything from payroll spreadsheets to HR terminations and reviews to CEO conversations are considered sensitive information not to be disseminated or viewed by those not authorized to do so. Also, I shouldn't have to spell out why it might not be a good idea to have screenshots and real-time watcher data of all employees dumped to a database somewhere (or, even worse, on the desktops themselves.)

Chances are, your companies' security staff has already rejected the idea, since it's pitched quite often, generally by overzealous slightly suspicious managers. They have likely come to the same conclusion as I have laid out above and gently and tactfully explained it thus: A blanket policy like this would be bad news. There could be on-demand targeted monitoring, but that is a different scenario.

[Stephen Zepp]

Actually, it's a computer forensic expert's best friend.

Chances are, if your company has any security staff at all, they've already gotten professional versions of this installed on every computer in the company.

Not anywhere that I would work. I also think any (other) security professional would advise against it in all but the most extremely security sensitive of cases.

Was gonna go ALL over this one, but meh, not worth it.

Curious though...when did you get your CISSP again? Cause you seem to have forgotten quite a bit...

Chances are, your companies' security staff has already rejected the idea, since it's pitched quite often, generally by overzealous slightly suspicious managers. They have likely come to the same conclusion as I have laid out above and gently and tactfully explained it thus: A blanket policy like this would be bad news. There could be on-demand targeted monitoring, but that is a different scenario.

Chances are, your company has never had to go to the FBI with terrorism reports, never caught contractors using work laptops with internal net access to store stolen credit card numbers, and hasn't gotten more than 20 or so FBI cases won, including banking scams involving movie star names we all know and hate.

Yes, all the above are true scenarios where having forensic tracking apps made the cases no brainers. And I know the guy personally that is the head of the security team, since he's my brother.

[bhodi]

I will say that work experience and personal leanings do tend to color my opinions in this matter. Mileage may vary, since there are endless varieties of requirements, but I've seen two specific situations where policies like this have been (or tried to be) implemented, with hilarious results (one had operator abuse, one caused company-damaging office politics), so I'm not talking completely out of my ass here. Things can look good on paper, and I know my information security theory, but you can't underestimate the human element.

It sounds like that company may have deeper issues, or a wider work audience that necessitates some stronger security if stuff like that is going on. I don't know what company this is, but it really does sound like an atypical place to work. I know Righ and some others have security experience, and there are loads of technical people on here, but to me you're using an extreme example. Maybe it's my experience that is atypical.

I'm also not arguing it's effectiveness -- it's AWESOME for forensic evidence -- I'm arguing that the benefits don't outweigh the cost of putting something like that in place for a majority of companies. It's too big of a hit to direct cost, upkeep, morale, potential for abuse. There are other methods, procedural and technical, that might minimize the risks and provide sufficient security/risk mitigation without opening yourself up to all those disadvantages. At the end of the day, you do have to put trust in your employees, even if security fundamentals tells you to never trust them. There's a balance there, and desktop monitoring is the nuclear option.

(lots of edits)

[Lantyssa]

It would never fly where I work.  But then I imagine myself and the other IT person would shoot it down before it ever reached the faculty.  I would not want to be the person telling them we're going to implment something like that...

[Stephen Zepp]

It would never fly where I work.  But then I imagine myself and the other IT person would shoot it down before it ever reached the faculty.  I would not want to be the person telling them we're going to implment something like that...

First, you don't tell anyone. Hell, I've known companies where the CEO and President didn't know...just the CSO (Chief Security Officer) and his staff, and -sometimes- the CIO.

The factor you are missing/implying is when management gets involved. You DO NOT EVER let management know that this type of tool is present on their networks, and you absolutely do not allow it used for "monitoring employees".

It's a security measure. And it's used after the fact, and/or with an automated detection system to catch early incidents. I think you guys are confusing what I'm talking about with the stated use of the device originally posted--which is not what I'm saying at all. I was talking about the underlying technology--and it's more prevalent than you'd ever know.

BTW, the comment about CISSP was because of the moral and business ethics oath they take as part of the certification, which covers how they do their jobs.

[Selby]

My company uses things like this.  I know they do.  They are in serious competition with another company for global dominance of their market, so they need to make sure no one is selling company secrets.

Of course, there's always remote desktop software like LANDesk and whatnot that is easy to see.  I just choose not to do any surfing at work besides a handful of sites...

[bhodi]

Well as far as prevalence, the 'underlying technology' is pretty much present on every single network out there. Port spanning comes standard on virtually every (business level) router in existence.

Some of the stuff is "out there" and even pretty common; everyone has a web proxy. A lot of business subscribe to websense, but proxy combing is a bit different than desktop spyware. Generally, companies end up compromising and watch the network borders, not internal communications or 'over the shoulder' action.

[Tebonas]

Actually, it's a computer forensic expert's best friend.

Chances are, if your company has any security staff at all, they've already gotten professional versions of this installed on every computer in the company.

That is illegal without telling the target of your search beforehand over here. And the works council must give their ok. Every data you get without those two things happening can't be used against the employee. And he can sue you if you are stupid enough to tell him you have that data.

Yay for Pinko Communism and the surf time it provides me !

[Tale]

In 1999 my boss called me into his office, furious about an email I had written to him. He was ready to kick my ass.

The email he described was something I had spent an hour writing after work the previous night. I was very upset about something he had done and I had written an angry, insulting email.

Thing is, I never sent it. I had thought the better of it, saved it in my drafts folder and chalked it up as therapy.

When I pointed this out, he turned bright red, ended the conversation, and showed me out of his office.

Never trust a work computer.

[eldaec]

Actually, it's a computer forensic expert's best friend.

Chances are, if your company has any security staff at all, they've already gotten professional versions of this installed on every computer in the company.

That is illegal without telling the target of your search beforehand over here. And the works council must give their ok. Every data you get without those two things happening can't be used against the employee. And he can sue you if you are stupid enough to tell him you have that data.

Yay for Pinko Communism and the surf time it provides me !

Obviously this post needs 'in Germany' inserting somewhere.

In most countries, the logon warning notices everyone uses would be enough to constitute a warning.

Anyway, people overestimate the prevalance of these tools, they might be available to security teams, but use is limited by a shortage of people who can use them properly and the sheer quantity of data they generate.

Plus people in security teams are naturally averse to storing anything which adds to the number of things that then need to be secured.

[Tebonas]

I'm terribly sorry that "over here" wasn't clear enough to show you I talk about the country I live in. I'll try to be more precise in the future . Also, maybe I should include a world map newer than 1945, where Austria isn't still a part of Germany.

That being said, yes the people in security teams are averse to that but in larger companies they are usually not the ones making the decisions one way or the other. In our company for example that is decided by the internal revision with feedback from the law department.

[Signe]

I call Austria "Old Germany." 

No place I've ever worked has spied on me, at least not using any sort of technology.   If anyone tried, I'd make them sorry.