scolson's comments

Step 1: Do everything until you can't.

Step 2: Pick the one thing you do the worst. Hire one person (probably a part-time contractor) to do that.

Step 3: Do everything else until you can't.

Step 4: Goto "Step 2"


If you hire someone to do stuff you are bad at, you often end up being unable to tell if they do it well.


That's ridiculous. People hire accountants, lawyers, and doctors all the time.


I see op's logic. How would you know when or if they did a poor job? Would it be after your audit, your guilty verdict, or the malpractice claim?


Just look at marketing and sales. It's basically a lottery...


For any task you should be able to find information to teach yourself at least basic monitoring. If you can't get good at doing it, you can at least be reasonably good to judge if it's working.


Maybe can be changed to "Use your network to find..."

Hopefully referrals are a bit better than lottery


Accountants, lawyers, and doctors all have associations who set professional standards they must abide by. They often also owe you a higher duty of care than someone in i.e. marketing or sales.

I still see where op is going, but accountants, lawyers, and doctors aren't the greatest counterexamples to use here.


Sure they are. There's plenty of variation in quality among people in those respective fields, just like every professional field.


... Said the COBOL developers.

To some degree, you may be correct, that there will be companies that refuse to upgrade for many years. By and large, I think most people will start to switch:

* Small orgs will begin to see costs of maintaining legacy code skyrocket as it becomes harder and harder to get 2.7 interpreter support for newer kernels. Those that aren't already transitioning now will eventually bite the bullet.

* Medium orgs will probably be the laggards. They have enough funds to pay someone else to make compatible interpreters for them. Your observation about manager authorization very likely applies here so many probably won't bother to upgrade without an internal skunkworks-style initiative.

* Large orgs will upgrade. Their infosec departments will freak out that an old, "potentially insecure" language is being used, regardless of third party vendor support. I see this a fair bit now in the PHP space; where RHEL supports and backports patches for old, insecure versions of PHP, but the infosec people still can't stand it. These days, infosec is getting more and more pull in every huge organization, so it wouldn't surprise me at all to see them start to treat 2.7—or the old, un-updated packages that are locking someone to 2.7—as a possible attack vector and force a change.

All that said, you are right about jobs. If someone knows 2.7 inside and out, they will start to see higher and higher paying contract gigs over the next 15-20 years. Just like the COBOL programmers saw.


...and then there's Mega Large orgs, like Google, who are used to maintaining their own software.

I am super curious what Google will do. The thing to watch is whether Chrome/Chromium (and therefore Node.js) can ever be built without using Python 2.7.


Mega large orgs have already moved, in some cases. They have the advantage of being able to throw significant resources into infrastructure to make switching easy.


I'm thinking about Google, Mozilla, Dropbox, etc. They still use a lot of Python 2.


Google created Golang and then created a tool to convert Python2 -> Go.

https://github.com/google/grumpy


That grumpy project seems to have stalled in the last 6 months.

I feel like Google hasn't made much progress converting away from Python 2.

Python 2.7 is still required to build Chrome, for example, and I don't think there are any plans to change that. https://bugs.chromium.org/p/chromium/issues/detail?id=61357

And, I believe they use 2.7 whenever they use TensorFlow.


Indeed, on the other hand facebook has (mostly/significantly) moved to py3, Google is chugging in that direction at a feverish pace, etc.


Your employer owns the data, not you. The owner of something doesn't need special permission to look at it. It could be a company provided computer, email, or filing cabinet; they all belong to your work and they do not need to ask anyone to get in and look at the contents.

Even something that has a reasonable expectation of only containing personal belongings (eg. a locker) may or may not be protected from employer search as each state in the US has slightly different rules.

For work related tools, the rules are almost entirely stacked towards having no right to privacy whether a company policy exists or not.


How can a personal conversation be "data"? You mean they can potentially sell my personal conversation with a friend as if it's company-owned data?


> you mean they can potentially sell my personal conversation with a friend as if it's company-owned data

Don't do it on company slack then?

Whether or not this news is a surprise to you, you must already be separating concerns. At most competently run places emails/chat logs etc are logged.


Assuming you and your friend both work at the same company using the same Slack Workspace and someone would be willing to pay for the data? Yes, it is a possible scenario. I have no idea why a company would offer to sell its employee chat logs but I am sure there's a more clever individual out there who can think of reasons.


It really isn't genius at all. At least in my state, either party can object to the small claims status by simply sending a letter. Then it moves over to normal court with normal lawyers. Already you are out the small claims filing fee (yes, you have to pay the court to even bring a small claims case).

Once in normal court, you would need to hire a lawyer, and they would just find some local representation. At this point, you would probably withdraw the case because it isn't worth that investment.

But suppose you kept going. Their local counsel is going to proxy their attempts to change venue to where they are located. Unless you had a really compelling argument, they would probably win the change of venue. Now you need to find another lawyer somewhere else, and it is probably an expensive locale like New York or LA where they have a firm on retainer. Still want to push the case? Me neither.

By all means, try the small claims route. But don't think for one second that it is a slam dunk.


That is an incredibly pro-corporate anti-individual jurisdiction. Where is this?


I didn't think my state was that unique, so I did a bit of searching and found some interesting gotchas in a few different states:

Alabama: Must file in municipality where the other party (defendant) resides

Alaska: Easy to move to regular court

Arizona: Easy to move to regular court

Delaware: Cannot be used for punitive damages (basically this)

Indiana: Easy to move to regular court (If I am reading it right)

Michigan: Easy to move to regular court

New York: Must file in municipality where the other party (defendant) resides

Oregon: Basically must file in municipality where the other party (defendant) resides. Easy to move to regular court


"...is run by the field agent directly from an USB stick; it requires administrator privileges..."

So?

This just in - people with physical and administrative access to a machine can install monitoring software - news at 11. Be sure to tell every MSP or Enterprise IT group to tune in.


Just because a threat vector is well known and not cutting edge does not make the SPECIFIC information of its existence, implementation, and capability completely worthless


Just very very close to worthless. Other than CIA and security cams, I'm straining to figure out what is worthful about this story. Can you help us out?


Confirmation that this is something real and not a theoretical risk. Similarly to Snowden, it wasn't newsworthy because it was possible and probably done, it was newsworthy because it existed and was currently done. (obviously the scope of this news is much more reduced)

If you are a US citizen, that tells you how your tax money is being spent. If you are a foreigner, you may have a bit more ammunition to get the funding for whatever security project you are working on.

Even on HN very few front page items are really worthy of anything more than procrastination material and it succeeded perfectly well at that: both you and I had better things to do than comment on this article.

That's a very blasé attitude btw, reminds me of the first time I saw a wild tortoise, my family just commented: "yeah I see them all the time on TV, what's the interest?"


Here's an article about hacking security cameras from 2012. It was the first hit on my google search.

https://www.wired.com/2012/05/cctv-hack/

This was public then and you can expect the black hats knew this years before. So again, what is new about this other than CIA? Yes, the CIA does these things; they wear black hats and that's also something we've known for quite some time.

Perhaps a more enlightening article would have been a wiki dump of manufacturers and distributors of these 'security' cameras not giving a shit about this problem.

But hey, Snowden.


From my comment, the SPECIFIC details of the tool's concepts of operation, implementation, and capability.

The field guide provides great detail on operations and limitations of a specific existing tool (sample GUI screen shots, potential detection threats from personal security products and full crash dumps, detection of cam software process restarts, abilities to stall NIC cards, abilities to BSOD, ability to corrupt existing files, limitations based on cam emulation, limitations of previously saved cam files, the tool's PE names (32bit wscupd.exe, 64bit running outside of system32 wermgr.exe. GUI.exe present in the same folder as above PEs), example of the log.txt file written to the attacking USB, information on differences between winXP requirements vs other systems (scanner.sys driver needs)).


Could the warrantless search of laptops etc. at borders, and the demand for all passwords have something to do with such access?


First, that is CBP scooping up data at the border, not the CIA. If the CIA were targeting you, you would not know.

Second, CBP asks for your password. This is not the same as an administrator password, and certainly in the case of some business travelers, they may not know the admin creds.


Not the commenter, but guessing AFS = Andrew File System.

This has been used for decades by a lot of the universities who were original internet consumers (MIT, Univ of Michigan, Carnegie Mellon, etc). In fact, it is still used by a lot of these universities and research institutions for data sharing and distributed computing, afaik.


Our department is still using it, but it is crumbling. E.g. the macOS clients are outdated. Even when there were still updates, they would come months after a new OS X release.

(It must be a lot of work for the AFS maintainers to keep everything up to date.)


It is timing out for me already, so here is the google cache text-only version: http://webcache.googleusercontent.com/search?q=cache:PL_BKoM...


How long until I get screwed on my old lifetime custom zone?


If you have domains.google as your registrar, they include google's dns, which has been very nice, it does support dynamic usage as well.


Obviously, they should consult a lawyer, but I want to clarify this point, because the parent comment can be very misleading.

If you have a specific employment contract, all bets are off and only your lawyer and the courts can really determine what is/is not a permissible dismissal.

Assuming no contract, "cause" needs vary by state, so you can't just trust the parent message. In At-Will states, most of the time, you can be fired for any reason (except protected reasons) at any time including "asking too many questions", "asking the wrong questions", "not asking enough questions", or "he/she looked at me funny and I was in a bad mood." All are perfectly valid reasons for an on-the-spot dismissal in an At-Will state.

Now where it gets trickier is filing for unemployment. This can be harder to navigate than simple At-Will rules. In my state, all of the following will be docked against the employer for unemployment compensation:

* Just felt like firing someone

* Asks too many/not enough questions

* Constant quality issues

* Couldn't actually code and in a developer role

In all of the above, it is expected that the employer either should have figured it out before hiring, or should train/retrain to address the situation.

If an employer fires you for a policy violation, then unemployment will not be charged back to the employer (and likely the employee is not "unemployment eligible"). Usually this involves a longer paper trail with multiple meetings and "official" written notice of a policy violation in your company file before being terminated. Generally, this is a CYA thing for the employer so you cannot claim "you didn't know."

Protip: If there is a bs policy that everyone violates, you can still be fired for-cause for violating it. Chances are if this happens, someone really doesn't like you and they want a good reason to get you out.

But in all cases in an At-Will state, you are still out of a job.

(PS: You notice I do not name my state. Since this is an already tricky situation, assume my state is fictitious, and the rules and experiences are equally made up. Ask your lawyer or the equivalent of your state's (un)employment department/commission/branch for how things apply in your state.)


I think you are confusing termination in an at will state with "termination-with-cause" which means that you cannot collect unemployment, and cannot be rehired by the same firm. (Or maybe I'm wrong.)

When someone asks if you've been fired by a previous company usually they are asking about the second. They will call the previous company and ask if you are eligible for rehire.


No, not confusing it. Your original message was WRT paper trail, which is not required in all cases.

To your message here, fired means something very specific. Though fired can be for cause or no cause. And the reason of cause matters for unemployment.

Laid off means something else.

So really, there are four categories from an unemployment standpoint:

1. Fired - policy violation

2. Fired - "incompetent" (note: in the eyes of the employer)

3. Fired - no cause

4. Laid off

Both 1 and 2 are bad for new job prospects. 3 is hit and miss from a job prospect perspective, but still generally negative. 4 has no impact.

For unemployment in my state, 2, 3, and 4 will all let you collect (and bills back to the company who terminated the working relationship) where #1 makes you unemployment ineligible.

Circling back to your original message about paper trail, #1 is the only one that companies essentially always keep (or should keep) the paper trail for in my state, because it is the only one that is needed to defend the company in an unemployment hearing if it ever gets there. For the other categories, there may or may not be a paper trail, and it certainly isn't required.


Do most companies when contacted by future prospective employers disclose which of these 4 was the reason for termination?


Depends on who is asking, what they ask, and for what reason. Though it is generally avoided.

If it is a simple reference check (never minding why a terminating company would be listed as a ref...) then as little information as possible would be given; possibly as small as "so and so no longer works here and that is the limit of what we can disclose with them" in order to avoid a bad reference lawsuit.

If it is an employment verification firm, depending on how rigorous the verification, it may come up by direct questioning and this should be expected by all parties.

Some companies do have strict policies about not disclosing some/all details. I am aware of a few firms that, whether good or bad, have policies against providing any reference, similarly, to avoid any potential lawsuit.

Now, when it comes to unemployment, if an ex-employee files a claim, the gloves will very likely come off. If the company can avoid a claim being made against their account, that is the difference of a lot of money on a recurring basis. So in this sense, reason very much matters.


And if you have a specific employment contract (and you're in an at-will state), take a close look at it since it likely includes an arbitration clause.

So going to a lawyer & the courts might make you feel like you're going to get a resolution, but likely you aren't going to get very far.


As others have said, the general stack is good for small businesses, and they will likely just run it on a mac mini.

The one component that any sized org can really benefit from is the caching server, which stores app store and OS updates on the local network so your 10 or 1000 machines aren't all saturating your internet connection. Even here, running it on a Mac Mini isn't that big of a deal as it is neither mission critical nor underpowered for this one task. And given the size, a mini almost fits anywhere.

