Comments on: How to hide your tracks at work

We all know that you play when you should be working. But at least we're here to help you hide what you shouldn't be doing.

[JDubbFromGraySt]

Now we know your not really working Don!

America, F**K Yeah

[john55440]

Don't forget about Internet Explorer 8's inPrivate Browsing mode.

"While you are surfing using InPrivate Browsing, Internet Explorer stores some information?such as cookies and temporary Internet files?so that the webpages you visit will work correctly. However, at the end of your InPrivate Browsing session, this information is discarded."

Webpage History and numerous other things are also not stored.

[ccwsoftware]

Those sorts of tools or methods, including 'track eraser' or cleanup programs are fine for keeping ungood files off the local workstation. (In fact, some IT types probably like us to run some of them, just for light cleanup; I think CCleaner would be a good example -- they should love that unless it is allowed to clobber required stuff.) As others have indicated here, however, those thigns don't do a single thing about all of your connections and activities being logged elsewhere. You can't change that from your workstation unless you somehow provide a completely separate, non-corporate, personally provided 'net connection.

With that said, you would be fooling yourself to rely on ANY cleanup, masking, or 'track masking' tools or activities that run locally.

[xprojectd24]

You forgot about the Ghostfox plugin for firefox. It does basically the same thing as the outlook trick except it works in almost any program. the best part is that moving your mouse to the edge of the screen makes it disappear.

[aj37viggen]

Just keep in mind that if your employers have installed a keystroke logger and/or monitor web traffic flowing through their proxy servers -- which they are legally entitled to do -- then most of these tricks won't help and in fact may provide evidence that you're a deliberate shirker rather than merely an occasional goofer-offer.

In practice, though, this kind of evidence-gathering is probably used mostly as an excuse to dump employees that the boss has already decided to get rid of anyway -- for being too old, or not kissing up enough (aka "poor attitude"), or because there's someone else he wants to hire for your position, or whatever. So if you concentrate on your apple-polishing and kissing-up skills, you probably can play whatever games you want at work without worrying about any of these tips.

The irony is that the boss you're trying to dodge, when he's not prowling around trying to catch unauthorized employee behavior, is probably cruising eBay for bargains on golf clubs or checking out additions to his home-theater setup. But no, it won't do you any good to point that out at your disciplinary review...

[Posted from home, obviously!]

[Random_Walk]

LOL! Okay, time to give everyone a clue...

First off, those of us in IT have neither the time nor the resources to waste on constantly eyeballing a user's every keystroke. Doing so also tends to make everyone hate the IT department, which we really don't want. At the same time, we do have to make sure that we do what we can to prevent folks from doing anything obviously stupid (like, oh, surfing pr0n and the like).

So, here's what usually happens. First, everyone goes through a proxy. The proxy requires a logon (and usually integrates with the user's network logon, so it's all nice and transparent to the user, but we still know who goes where). The proxy also blocks the more obvious sites. Then, we plow through the proxy logs for keywords and for sites that tends to stand out (you know, like "addictinggames", or "myspace"). We look for files that get passed through. If anything suspicious stands out, we'll investigate it. Otherwise, we don't give a damn.

We figure that --barring illegal or pornographic behavior-- it's up to the department heads to deal with infractions as they see fit, and not ours. We only provide the tools to help 'em do it.

[Michichael]

Yup. We're relaxed about the rules at our site - don't mind people browsing etc on their breaks, checking e-mails, the occassional flash game, but we've had people abuse it and we keep full egress/ingress logs. Anyone caught using these techniques is reprimanded and/or terminated. :)

[pu2006]

I would not recommend that anyone who is not fully aware of the scope of their IT group's capabilities to monitor their utilization attempt any of these techniques.

Installation of unapproved hardware and software is strictly prohibited in my workplace. A combination of group policy restrictions, software inventory and full-system monitoring is used on all PCs, so it is literally impossible to successfully perform any of the actions that are suggested in this article without it being logged or, in the case of an attempt to connect a usb device or install software, trigger an automated alert to IT and the employee's manager. For example, if a user even attempts to plug their iPod in to their PC to simply charge it, their manager and IT is notified. All keystrokes are logged, all screens are captured for 90 days, and special monitoring modules separate all popular email systems (traditional and web-based), IM and social site activity into easily organized logs. If you post a status update to facebook or tweet, it is logged and optionally copied to their manager or IT.

The point: don't use company equipment to do personal stuff. Instead, buy an iPhone, G1 or a Blackberry and do it at your own expense.

[Random_Walk]

Must be nice to have the FTE and money to put a microscope on your users' every move. Seriously... how much SAN space do you waste just to screen-cap every user's screen and log every keystroke?

Let me clue you into the real world... outside of obvious IP issues (which are easy to restrict w/o Big Brother), we assume that our users are adults. We only monitor what they do with the Internet.

Instead of wasting terabytes of disk space and mountains of FTE time, we use a cheaper and easier solution. It involves using short cubicles that allow your co-workers to instantly see everything that you see on your screen. HR has their room and area, A/R and A/P has theirs, Sales has theirs, PR and Marketing has theirs, etc. We control who can go into which areas, but within those areas the world is wide open to everyone in it. The CEO is the only human being in the joint who gets a private closed-off room to himself. Executives have their individual offices, but those have huge windows where anyone passing by can see in.

Hell, even in IT, three of my colleagues can see my screen, and I can see theirs.

Most folks would resent such a setup, but I actually love it - it allows me to chat with them directly, and I can share my screen visually w/ them when pointing something out. It also gives us a tight-knit sense of teamwork.

...wanna surf games or pr0n under those conditions? Go ahead - I dare you.

[bourgtai]

And so three more Adobe AIR applications end up being for Twitter. Awesome.

[JohnSP]

This all mostly bogus and anyone fooled by this doesn't understand IT. Most IT companies are logging emails and URLs browsed at the firewall and server level. They can view your visits, data passed to URLs, and emails if they want , these things may work at a small shop but not big shops that are logging this way and also blocking specific sites like many do (plus it looks even worse if you are trying to get around stuff or hide stuff). The bottom line is as stated, most don't care if you browse the web or but stuff ok as long as it isn't abused over and over again throughout the day. No one can be productive by never gettin away from the work for small breaks, employees are better if they take small breaks to rest their mind and get away for a bit, and most of the good companies know that.

[fgsdfgdsfgdsfg]

gee wiz.. you would think the IT staff at most major companies are bone heads. first of all, who lets their users be adfministrators of their own machines? not any major company i have worked in IT for. so right off the bat none of the users can install software.
next all web browsing is done through a proxy server. The network firewall is configured to only allow web traffic from the proxy. So even with IE8's inPrivate Browsing or all the other little tricks here, you;re not getting internet access unless you go through the proxy, which logs EVERYTHING from EVERY USER! even if you use an annonymous proxy on the internet, you;re still accessing it through the corporate proxy so we still capture everything. not to mention our proxy/web security appliance blocks all those sites anyway.

maybe these tips may work in a small office. But if you work at a Bank, TelCo, or other major business i wouldn;t try it. you may find out the hard way that all that is offered here is a lot of bad advise.

[mchcaribbeancats]

In addition to the previous comments I would also like to add that besides your wishful assumption that your employer is not quite as 'slick as you', is the obvious fact that here in this country in case you have not been payinnot been paying attention people are loosing their jobs.
There are a lot of people who would appreciate having employment and happy to WORK,
It nauseates me that you have the mentality that it is accptable to disregard your JOB.
It is called WORK for a reason. There are many people that would appreciate the opportunity to pprovide your employer with what he is paying for.
I don't appreciate your referrence to WE ALL play that crap either so speak for your unethical slacker self,

[Wink Junior]

Yes, I think we should take things one step further and demand employees show up at least 30 minutes before their "start time" so they can be chained to their desks (by the ankle, since they need to type) and if they do not seem to be WORKING as Mr. Mchcaribbeancats suggests, that we break out the Cat-O-Nine-Tails and whip them for not being HAPPY TO WORK, since not putting 120% of your 10+ hour/workday is obviously DISREGARD for your JOB and should be punishable by torture. In fact, it made me think of a great idea: instead of terminating poorly performing employees, we should TERMINATE them, as in KILL THEM DEAD since they are not providing what our All-Knowing, All-Seeing and of course, Best-Meaning employers are PAYING FOR.

But what do I do when I walk in on my boss' boss who was, as someone joked, actually browsing Ebay for golf clubs. Oh, that's right, the Big Boss Knows-All and What's-Best and so I should have flogged myself out of nausea for questioning my employer. Sir, as soon as I send this I will go don a Hair Shirt for the rest of my work day.

BTW, I assume you're reading this and writing YOUR REPLY on your own computer on your own time, right?

[pentest]

IT departments allow employees to install software?

No wonder corporate networks are often as easy to penetrate as your average morons private networks at home.

[RighteousSoutherner]

Do you really consider this ethical or responsible journalism telling workers how to cheat their employer's out of money?

[glaven123]

No kidding! As a buisness owner and admin for a medium sized LAN (35 users, 3 servers), we tightly regulate what users can and cannot do. Using group policy, we disallow users to install software, hardware and clean their own cookies and related web caches. This is an advantage to a Windows LAN that is often overlooked or poorly deployed. I'm sure that this could be acomplished on any similarly cofigured LDAP LAN. Time is money. Resources are money. Work is work. That's the way it is. We have a kiosk in the break room for people to check their web mail durring breaks, but that's about it. Even that machine is clamped down.

[Random_Walk]

Eh? The bits and bobs in the article are window-dressing. Those of us in IT know where you go - that information is as close as the nearest proxy log.

Heh.

[Sam Papelbon]

face it, america is a culture of cheaters. even cnn has ran articles giving tips on how to get out of speeding tickets. land of the free and home of the irresponsible.

[Orion Blastar]

It won't help if they monitor Internet usage. All I did at work was visit knowledge bases, software update sites, MSDN, Crystal Reports, and other job related web sites. Nothing that wasn't job related and I got dinged for Internet usage. For just doing my job. I asked for books to be bought, but my boss said to read MSDN and other web sites to help debug my programs. I got in trouble for just doing my job.

[glaven123]

dosen't sound like that was your job!

[Wink Junior]

Orion, FWIW, while I was lucky enough not to get into trouble, I wasted about four hours of "company time" (paid) trying to get a screw-up by these weirdo IT fascists who locked me out of doing similar work to what you were doing - research required and desperately needed (ASAP) for the report I'm writing. Now I'm working from home because the same IT weirdos can't fix their prison-like lock-down.

And to Mr. Glaven123 - uh, are you an engineer? All those sites are not just job-related, they're *necessary* for certain jobs, and *only* available on the Internet.

Why do I think almost all these replies are from retired grumpy old men who think anyone younger than themselves has never worked hard or lived through tough times, or IT ego-maniacs who think because they can try to find something in a log file somewhere, they're doing their job - rather than setting up my new PC in less than two weeks?

I really can't believe how pathetic and uneducated most of these replies are. Including my own.

[Goblecoque]

I stand back in awe at the enormous corporate stupidity displayed here.

Where I work, we don't spy on our employees. We pay them for the actual work they get done, not the time they spend doing it.

We tell them what they need to get done and when it needs to be done. They tell us what they need to achieve that, and we provide it. Then they get it done.

If they get the job done we don't care what they do at the office, or how much time they spend there.

Treating our employees like that has kept us in profit every single year since 1997.

[fgsdfgdsfgdsfg]

Some here think IT has nothing better to do than spy. Nothing could be further than the truth. As a IT manager for a business with 130 users, what I don't have time to be doing is removing spyware, viruses and other malware because users visited unsafe sites, installed those "free flash games", got a bug over a public IM network and so on.
When computers are locked down so users don?t blow them up I can spend my time on major projects; such as exchange server migrations or SQL farm deployments. This is opposed to time spent uninstalling the weather bug from an end user's computer. Such cases only reduce my effectiveness, productivity and don?t give my company a good return on their IT dollars.
Companies that don?t lock down there computers and allow unrestricted access to their users spend much more money on IT than those that do. That is an indisputable fact.
Not to mention that study after study shows that 40% of all internet traffic at the typical workplace isn?t work related. Not only is that money out the window in lost productivity as employees waste company time for which they are paid, it?s money wasted on bandwidth to support all that unnecessary internet traffic.

Picture this case. You have a worker who is browsing the web for some porn and he gets a virus. Your network is now considered compromised in the eyes of the law. Let?s say your line of work involves you taking personal information. You now are obligated under Federal law to notify each and every customer that their personal information may have been compromised. Do you think your customers are going to appreciate that? Do you think they will do business with you again in the future? Assume the data actually was compromised? Do you know your company is legally and financially liable for that?

Managing users IT experience isn?t just about policing the users. It?s about protecting the company and insuring they stay in business and get the best bang for their investment in IT dollars.

[Goblecoque]

"Companies that don?t lock down there computers and allow unrestricted access to their users spend much more money on IT than those that do. That is an indisputable fact." Interesting. Please provide a reference.

My point was of course that even if 40% of traffic is not work-related, I really don care as long as things get done.

I repeat: I DON'T PAY PEOPLE FOR TIME; I PAY FOR RESULTS!

[magicmaster]

Pretty good manifesto.

Then get down to reality.

First, not every employee is aware of IT security. They downloaded and installed softwares that are outright malicious in nature, but they have no sense of it whatsoever. Some softwares of poor programming interfered or crashed other legitimate programs. The worst case has to do with damage to the OS core that forced a reinstallation.

Second, corporates have responsibilities looking after the network. They can't simply shirk by saying "it's a matter of employee's own acts and has nothing to do with us" if getting sued because employees committed something illegal using their networks. You think juries will buy it?

[Goblecoque]

Magicmaster:

I fail to see how your comment is at all relevant to my point.

Perhaps it is because I wasn't clear enough, so I'll try again:

I pay people not for time, but for results. If I get the results I pay for, I don't care if it takes the individual 30 seconds or four hours and they spend the rest of the day on Facebook.

Naturally, If I need to lock down part of our IT structure due to the fact that we have a lot of malware problems, I'll do that. What I won't do is play Kim Jong Il and lock down access just because people spend 40% of their day on Youtube.

And of course, If you don't want to have people working for you that can't handle IT security, train them. Or dont hire them. But don't blame them for your own poor management skills.

[Matthew Hardy]

Sure. This is great for the economy.
I wonder when responsibility will be back in vogue.

[Wink Junior]

Dude, I work my a$$ off and provide extremely focused, highly technical skills that I've spent countless years learning (and paying out that same a$$ for.) Overall, I've spent what I figure is 15 years of my net income on my education and certifications. How is that not responsible?

The answer is above: pay for the RESULTS, not the TIME. Yes, I agree that IT should lock things down to keep the dimwits from downloading trojans, malware, etc. so they can focus on what they need to do: maintain and upgrade servers, etc. But note that IT professional didn't bother mentioning proxies or looking in logs, etc.

Yesterday I made $2000 gross while the IT people tried to fix locking me out of Internet access required to do my job. Who's irresponsible Mr. Hardy? Generalizations are easy; reality is a whole different thang (sic).

[tipoo_]

Great tips! These should help with my slacking skills.


Tipoo's Productivity down 32%. GREAT!

[Angmarr]

Y would you pay for these??? just clear your privacy data ... and dont run the browser maximized

[monkeyfun14]

Exactly what you should be doing when everyone is fighting for their jobs. Playing flash games when work is supposed to be done right?

[caldwdo]

Something to look forward to when I land my best next opportunity.....just kidding my future boss.

Well, if your computer network is behind a ISA proxy server you can use Ultrasurf, it's a small application you don't have to install and can work with IE and Firefox.

[nunyabidness69]

Buy a USB 3G modem and browse off the corporate network. Plug the USB in from behind so that it isn't very obvious.

[monkeyfun14]

Alot of companies lock down drivers from being installed.

[andronin]

Or lock down the use of USB ports, we do just for this reason