I think I added #4 after your comment, which is essentially my response. It seems like a very weak measure, at the cost of privacy considering it's the worker's personal device... If our solution is to require separate devices anyway, then spyware seems like a waste of time; they should be providing secured hardware/OS.
On second thought, this _is_ the answer... they are making a compromise on security, it's an economic decision. Maybe it makes sense from a business perspective: check some boxes, get a bit of security (not much) for almost nothing - but as you can probably tell, I think it's both pretentious and disrespectful.
The ship has totally sailed on whether it's a best practice to instrument machines employees use to conduct work, in the name of compliance and security. That's an utterly standard control, and unless you have a remarkably potent new argument against doing so, arguing that companies shouldn't do this sort of thing is kind of uninteresting. If anything, the prevailing sentiment (for better or worse, mostly worse) is that companies should be doing more of this, not less.
Yes, it's definitely an economic decision. They're going to run this type of software on their own fleet and want it on everything connecting to the network. If you're willing to run it on your own device, that saves them the hardware cost.
That said, a lot of users _want_ to use their own devices (maybe they have better equipment, maybe it's less locked down, maybe they don't want duplicates). It's not sane for the business to allow a device that is more likely to be compromised and/or have poor security hygiene on the network.
I'm a fan of privacy but... At least on my team, we're definitely not spying on you, we're making sure you have a password, encryption, antivirus, and updates installed before you can connect to resources. It's shocking how many people don't have authentication enabled and run as root, if they have a choice, on their home system. That said - we could flip switches and do a lot more spying if it was mandated :/
Why don’t you write an open-source “agent” then, with no remote code execution capability? I doubt people would mind running some open-source bash script that hardens their devices.
Anything but this, and it’s clear you’re just evil.
I don't see this as drastically different than the extreme push to force migrate everyone to SaaS on most software. Most business plans appear to be migrating to rent seeking.
Some of my local restaurants are doing this - effectively becoming concierge grocers who will break down bulk quantities for their customers. Call an order in and pick it up in ~24 hours. They have and can get almost anything the grocery stores are out of including TP (in jumbo commercial rolls), flour, eggs, meats, etc.
This actually isn't all that strange a failure mode. We have several large ZFS arrays in service and replace 1-2 failed disks every month. About 90% of the time the first warning you get is exactly this - a message in the syslog from the CAM controller saying it failed a read. Neither ZFS nor SMART often notices these until they get pretty bad/frequent. By the time they're bad enough for other software to notice, your pool is performing pretty poorly.
We deal with this by watching for these errors, printing them to a log specifically for Icinga to watch for and alert on, and preemptively replacing the disks. It would be nice if the other software (ZFS, SMART) would notice these in time to not become severe.
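A detection sketch for the pattern described above, added here as an example and not code from the original comment: it walks syslog-style lines, counts READ commands that CAM reported as failed per disk, and emits one line per disk over a threshold for a monitor such as Icinga to alert on. The log format is assumed from FreeBSD CAM kernel messages and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the style of FreeBSD CAM kernel messages (an assumption
# about the format; check it against your own syslog). da5 fails three reads,
# da2 fails one read and one write.
SAMPLE_SYSLOG = """\
Mar  3 02:11:07 nas kernel: (da5:mps0:0:7:0): READ(10). CDB: 28 00 1a 2b 3c 4d 00 01 00 00
Mar  3 02:11:07 nas kernel: (da5:mps0:0:7:0): CAM status: SCSI Status Error
Mar  3 02:11:07 nas kernel: (da5:mps0:0:7:0): SCSI sense: MEDIUM ERROR asc:11,0 (Unrecovered read error)
Mar  3 03:40:19 nas kernel: (da5:mps0:0:7:0): READ(16). CDB: 88 00 00 00 00 00 2f 1a 00 00 00 00 00 80 00 00
Mar  3 03:40:19 nas kernel: (da5:mps0:0:7:0): CAM status: SCSI Status Error
Mar  3 05:02:44 nas kernel: (da2:mps0:0:3:0): WRITE(10). CDB: 2a 00 00 12 34 56 00 00 08 00
Mar  3 05:02:44 nas kernel: (da2:mps0:0:3:0): CAM status: SCSI Status Error
Mar  3 05:02:50 nas kernel: (da2:mps0:0:3:0): READ(10). CDB: 28 00 00 12 34 56 00 00 08 00
Mar  3 05:02:50 nas kernel: (da2:mps0:0:3:0): CAM status: SCSI Status Error
Mar  3 05:03:01 nas kernel: (da5:mps0:0:7:0): READ(10). CDB: 28 00 1a 2b 3c 4e 00 01 00 00
Mar  3 05:03:01 nas kernel: (da5:mps0:0:7:0): CAM status: SCSI Status Error
"""

# Pull (device, message) out of "(da5:mps0:0:7:0): READ(10). CDB: ..."
CAM_LINE = re.compile(r"\((?P<dev>[a-z]+\d+):[^)]*\):\s*(?P<msg>.+)$")

def count_failed_reads(lines):
    """Per device, count READ commands that were followed by a 'CAM status:' error.

    CAM logs the failing command first and the status line after it, so remember
    the last command seen per device and count the status line only if that
    command was a READ; write failures and sense/retry lines are ignored.
    """
    last_cmd, failed = {}, Counter()
    for line in lines:
        m = CAM_LINE.search(line)
        if not m:
            continue
        dev, msg = m.group("dev"), m.group("msg")
        if msg.startswith(("READ(", "WRITE(")):
            last_cmd[dev] = msg.split("(")[0]
        elif msg.startswith("CAM status:") and last_cmd.pop(dev, None) == "READ":
            failed[dev] += 1  # one error per failed read command
    return dict(failed)

def alert_lines(failed, threshold):
    """Lines for a dedicated log that the monitor tails; one per disk over threshold."""
    return [f"CAM_READ_FAIL dev={dev} count={n} threshold={threshold}"
            for dev, n in sorted(failed.items()) if n >= threshold]

if __name__ == "__main__":
    for out in alert_lines(count_failed_reads(SAMPLE_SYSLOG.splitlines()), 2):
        print(out)
```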
I've run into the MAC problem, but found it easy enough to deal with via my standard home Chef configs. I can't echo the stability issues, though; my two have been ticking away happily for a couple years.
Not to support his fairly trashy post in particular, but I believe his comment has utility.
As an infrastructure person this post was concerning; this company is collecting a lot of data and has a lot of access, which I wouldn't trust. I also would not be thrilled if I was a paying customer having these details shared (even without attribution, as in the article), further reducing trust. I appreciate these kinds of real-world detail posts, but it's not appropriate if it's not your infrastructure.
Sure. First and foremost, do you have permission from the customers you're researching and reporting on here? If you do, great, ignore me. If not, you'd be breaching (my) trust if I was one of them. The data is not yours, and it may be possible to infer who these datapoints belong to if so desired. If one could do that, they may be able to gain competitive advantage or otherwise exploit knowledge of infrastructure (social engineering, for example).
There is a big difference, IMO, in someone like Backblaze releasing statistics. They own all of the hardware and they choose to release the data themselves. You (on the surface) appear to be harvesting data from your customers, digging through it, and presenting it. You also point out very specific cases, rather than aggregate pseudonymous data.
You are collecting sensitive data from your customers' environments. This doesn't inspire confidence that you treat it as such.
Do you think companies will/should make explicit the cause of higher/differential pricing? On the one hand, it could anger consumers. On the other hand, it would provide transparency so that consumers would understand where the price increase came from.
I was thinking a solid new business plan is to register gdpr.me (or whatever) and offer a service. $40, fill out a form, and I will send a GDPR request to every company in the world on your behalf. The data coming back is then offered back to you with the ability to create further requests (deletion for example) selectively or in full.
(1) the service is not explicitly allowed for because data subjects (and not data processors acting on their behalf) would be the ones to file such requests.
(2) you would be filing a lot of requests to companies that have no data in the first place and which you could reasonably have known about had you queried the data subject.
I see such a service as acting in bad faith and would file a complaint against you and your service if such a frivolous request were to land in my inbox. Better hold on to the $40, you might need to spend it on a lawyer.
But kudos for trying to see the GDPR as an opportunity, now try to do so in a more constructive way. And - funny - you would be mailing yourself since you would be sure to hold PII on the party making the request in order to be able to authenticate the request as being a genuine one, which in turn would make you required to be in compliance.
I would argue there are several sections in the GDPR that appear to allow for a 3rd party to request data on behalf of the data subject. For example:
A20(2): In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
A12(3): ... Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
Even in the case it didn't work out to directly query, as another has suggested, just making it easy to fill out as many forms as possible in an automated fashion has value. Use their email to send from.
Also, how does the data subject or gdpr.me know that your company hasn't hoovered up some PII of the data subject?
I've read it several times and unless more clarity comes down on questions like this I'm quite afraid of abuse. I've read 8% of UK citizens intend to (ab)use GDPR for spiteful reasons.
EDIT:
Ok - I believe this absolutely supports my point, straight from the horse's mouth... This is from WP29-2017-4-data-portability-guidance:
"Data subjects should be enabled to make use of a personal data store, personal information management system (PIMS) or other kinds of trusted third-parties, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required."
This is immediately after saying businesses should create APIs to allow data portability and GDPR requests.
I don't buy that that allows you to send random requests to parties that you have no way of knowing the requester has a relationship with. That is an unreasonable burden to place on the recipient of such a request. Essentially you will be sending them on a wild goose chase which is against the intent of the law, which is to give people control over their data, not for people to harass random companies, even more so to do this in an automated way.
You can of course go and approach this from a legalistic point of view, but that's usually not how things work in the EU; if you are going to split legal hairs to see how you might be able to get away with something, then you will be in for a surprise.
But don't take my word for it, feel free to build and launch the service and we'll see if it flies. For $40 I'll pass :)
You could maybe provide your users with a pre-filled request form for various companies they indicate they're a customer of, and have them send them directly.
IIRC there are services along those lines for various 'contact your $REPRESENTATIVE' political and activism lines. I vaguely recall something about how the US has specific laws allowing certain requests to be ignored (or maybe even criminalising the sending of) generated or form-letters, due apparently to this sort of abuse.
Can't remember what the exact context was that I saw it, but it might have been FOI or something data-related.
> I vaguely recall something about how the US has specific laws allowing certain requests to be ignored (or maybe even criminalising the sending of) generated or form-letters, due apparently to this sort of abuse.
Exactly, and it is abuse. There are so-called 'mass letter writers' here in NL that keep on sending FOI requests and other letters to local government, effectively DDoSing the services, and they too can be - and have been - slapped down.
Also, my understanding is Germany allows for whistle-blowers to take a cut of fines. Language in the GDPR calls for over-estimating damages for loss of PII when compensating individuals as well.
Generally, I appreciate the GDPR. That said, it's a huge burden trying to go through many dozens of workflows, technical or otherwise, where (typically minimal) PII is recorded, catalog them, limit (and purge) intake of data to bare minimums, create documentation supporting said workflows to be able to provide to the SAs, create a plan for being able to search ALL those workflows/databases/spreadsheets/apps that have PII to supply that data upon request, and then be able to delete all cases of such data upon request.
Turns out that's actually a mountain of work. It will probably force us to significantly improve workflows and combine data repositories moving forward but it's a large burden up front. Likely many hundreds, if not thousands, of hours for our fairly small enterprise.
I read that enforcement report. I think it was fully warranted that the 1,000 pound fine was levied against that company. (1) They did not immediately report the fact that they disclosed those customers' private information, and (2) they did not have appropriate technical measures in place to avoid such problems; specifically, they were tasking their CS reps to cut-and-paste information between screens that could display the information of two unrelated customers, a super stupid and error-prone setup.
The fine, 1,000 pounds, is proportionate given the size of the entity it is levied against, the resources at their disposal and the turnover of the company. If the company had been much smaller one would hope for leniency, but the fine would have either not been levied at all or it would have been 1,000 pounds; no middle ground there.
I got a pair of Odroids based on price/performance to act as NTP servers and have since removed them from service.
They both had the same MAC address on the NIC, which was not impressive, and more importantly had about a 0.5% (consistent) outbound Ethernet error rate. Not ideal for a service utilizing UDP.
I also got an Odroid XU4 as a replacement for a SheevaPlug I was using as a home server. I was hoping to use the HDMI out into my TV and use it for browsing and streaming media. Unfortunately none of the distros produced by Hardkernel fully work. There is always something broken in each distro. It's a complete pain. I don't know why they can't just produce a distro that has all of the hardware working at install time.
My Odroid X2 and another X3 don't have a proper MAC, it's stored in /etc/smsc95xx_mac_addr.
Now that I look, there are some receive errors reported by ifconfig on the X2, but I've never investigated them. The X3 is on a different network, and reports zero errors. (I don't know how much data either has transmitted; the counter will have wrapped as it is only 32-bit.)
But, I wouldn't recommend them to anyone not thoroughly familiar with Linux. Compared to the Raspberry Pi, there's not much documentation, and the kernel is pretty old.
Very much required for compliance, zero trust, protection of IP, and foundational to a reasonable security plan.