
Ask HN: My company installed chef on all of our machines, should I be worried? - ahmgeek
It happened by our OPS team, they installed chef via usb sticks and custom bash script. They are saying it's for automating the config for our VPN and the like.
I am still concerned about this, although they cleared it up it's not for surveillance. They stated in a later message that they can install surveillance software for sure, but should I be worried about the whole gig or just take it easy?
======
akulbe
Chef is for configuration management, not for surveillance.

Like they said... they _can_ install surveillance stuff on your machine, but
that was likely just as possible prior to introducing Chef into the picture.

It's likely that they just want to get (more?) efficient in how they do their
operations work.

Since the company owns the equipment, there's not even an implied right to
privacy. They own it, ALL of it. Assume _everything_ is monitored, and behave
accordingly.

I do Chef development. We've been asked to include monitoring software for
some groups in my client's company. Just assume that's always the case, when
you're using someone else's equipment.

~~~
ahmgeek
I agree with all of it.

------
dvtrn
IMO if your company wanted surveillance on the equipment they provide you,
they'd already do it and (probably) wouldn't tell you. When it comes to work
computers, I've found the best course of action is to assume everything you're
doing is already being logged _anyway_.

Remember: It's their hardware, not yours.

------
idunno246
If a company does not install surveillance-type software on hardware they own,
they are taking risk. Any company over a certain size will do it, or with some
regulations. Even signing a contract with a big customer if you're B2B, that
company will give a security questionnaire and might ask about policy and
expect it.

If your company provides a laptop, assume they can intercept all SSL
traffic (HSTS makes this a little tougher though), and read all your work
email, and see everything you do. They probably don't, but could, so better
safe than sorry.

If I was concerned, it would be that they are doing it themselves with chef
and not using an off-the-shelf solution. Seems like a poor use of resources
not to buy it.

------
hluska
Two things:

First, if I planned to install surveillance software on my company's machines,
Chef is pretty far down the list of ways I'd install it. They technically
could install surveillance software with it, but it's certainly not the
typical vector.

Second, it's safer to assume that everything you do on a corporate
machine/network is being watched.

------
joezydeco
Chef is nothing. My company is completely locked down with Forcepoint and
Crowdstrike. Every PC has it installed or it doesn't get to stay plugged in.

Unless you own the company, you're not really going to change policy. Get a
personal VPN in place (hint: they're watching your DNS queries too), tether to
your LTE phone, or just stick to company business on their machines.

~~~
clubm8
Interesting... I'm not a networking expert, but I thought if you use a VPN,
DNS is routed through the ISP of the VPN's DNS resolver?

Is there a way for me to check this assumption?

~~~
joezydeco
Yeah, that's what happens. I wrote that sentence badly. A lot of times I used
to just fire up Linux on VirtualBox and thought that would circumvent any web
filter on the Windows host, but the DNS still ran through the same place.

------
phendrenad2
It's kinda common for companies to spy on company machines, so it wouldn't
surprise me if that's the case.

