Skip to content

Top Best Ask Show New Jobs

Ask HN: My company installed chef on all of our machines, should I be worried?

7 pointsahmgeek7y ago9 comments

It happened by our OPS team, they installed chef via usb sticks and custom bash script. They are saying it's for automating the config for our VPN and the like. I am still concerned about this, although they cleared it up it's not for surveillance. They stated in a later message that they can install surveillance software for sure, but should I be worried about the whole gig or just take it easy?

9 comments

9 comments · 6 top-level

joezydeco7y ago· 2 in thread

chef is nothing. My company is completely locked down with Forcepoint and Crowdstrike. Every PC has it installed or it doesn't get to stay plugged in.

Unless you own the company, you're not really going to change policy. Get a personal VPN in place (hint: they're watching your DNS queries too), tether to your LTE phone, or just stick to company business on their machines.

clubm87y ago

Interesting... I'm not a networking expert, but I thought if you use a VPN, DNS is routed through the ISP of the VPN's DNS resolver?

Is there a way for me to check this assumption?

joezydeco7y ago

Yeah, that's what happens. I wrote that sentence badly. A lot of times I used to just fire up Linux on Virtualbox and thought that would circumvent any web filter on the Windows host, but the DNS still ran through the same place.

akulbe7y ago· 1 in thread

Chef is for configuration management, not for surveillance.

Like they said... they can install surveillance stuff on your machine, but that was likely just as possible prior to introducing Chef into the picture.

It's likely that they just want to get (more?) efficient in how they do their operations work.

Since the company owns the equipment, there's not even an implied right to privacy. They own it, ALL of it. Assume everything is monitored, and behave accordingly.

I do Chef development. We've been asked to include monitoring software for some groups in my client's company. Just assume that's always the case, when you're using someone else's equipment.

ahmgeekOP7y ago

I agree with all of it.

dvtrn7y ago

IMO if your company wanted surveillance on the equipment they provide you, they'd already do it and (probably) wouldn't tell you. When it comes to work computers, I've found the best course of action is to assume everything you're doing is already being logged anyway.

Remember: It's their hardware, not yours.

idunno2467y ago

If a company does not install surveillance-type software on hardware they own, they are taking risk. Any company over a certain size will do it, or with some regulations. Even signing a contract with a big customer if youre b2b, that company will give a security questionaire and might ask about policy and expect it.

If your company provides a laptop, assume they can intercept all ssl traffic(hsts makes this a little tougher though), and read all your work email, and see everything you do. They probably don't, but could so better safe than sorry.

If I was concerned, it would be that they are doing it themselves with chef and not using an off-the-shelf solution. Seems like a poor use of resources not to buy it.

hluska7y ago

Two things:

First, if I planned to install surveillance software on my company's machines, Chef is pretty far down the list of ways I'd install it. They technically could install surveillance software with it, but it's certainly not the typical vector.

Second, it's safer to assume that everything you do on a corporate machine/network is being watched.

phendrenad27y ago

It's kinda common for companies to spy on company machines, so it wouldn't surprise me if that's the case.

j / k navigate · click thread line to collapse