

I never got the BYOD thing.

My employer should provide the required tools, if not, then the work is done within the constraints of what is available.

The problem with employer-provided tools is that they sometimes barely meet the minimum requirements. Sure it gets the job done, but it’s no fun.

I’d rather buy and manage my own device, which is then powerful enough for my needs.

If your employer doesn't provide the tools you need it's time to talk to them about how much time you lose due to crappy hardware and how many hours of your salary would pay for a better machine.

From experience it's usually that the employee thinks they need the most powerful 15" MacBook Pro when their job entails something like writing blog posts or running code in AWS.

And from experience, those squeaky wheels get the grease and the engineers flog along with what they have because they are too busy to put the necessary amount of complaining in.

Can confirm. The ergonomic setups of some non-tech staff I've worked with have definitely outpaced mine.

But some of the differences lie in understanding how to work around constraints.

I've been putting off requesting some specific administered software removal from my own machine for months because I keep getting caught up in much more pressing work. In most cases I'm able to just work around it. In other cases, it just eats up time. But I can see the path through to a solution more clearly than any corporate wrangling.

Different budgets, different departments, different people.

In smaller or more nimble companies you or rather your line manager can influence hardware budget as an offset of your salary v productivity. Also in some larger organisations where departments/teams are more autonomous and have more slack your manager may be able to influence that.

But in many large organisations, those who decide what standardised underpowered hardware you shall have may never have even met your line manager and they cannot influence that policy.

I once worked with a client that handed out completely hamstrung laptops with barely any memory and slow disks to all contractors. Project builds would take 30 minutes or more, and I'd watch paint dry by reading Slashdot (a long time ago), jousting on chairs in the corridor etc... Plus more time lost as you don't realise instantly when the build has finished and the time to reload all the context back into your own brain's memory...

The difference in cost between a top spec machine and the one they handed out was less than the invoice cost of the lost productivity in a day or two. I was there for two years... Granted after a while I did get better and better machines but never good.

Though I no longer really work for clients that do that, and my last few contracts have been BYOD which is fine by me. As long as they provide a quality external monitor and the sit-stand desk then I'll bring my own MacBook.

Which is nice in theory, but irrelevant to the employer when they can just tell you to 'work smarter' or face a PIP. Expenditure: $0. Of course the long-term cost is higher, but that's not a line-item expense.

Honestly, I've been there; coding on a single 15" screen. Eventually most employees brought in a second monitor from home.

It's a good signal: these people are cheap and are going to nickel and dime you. Time to move on.

People who are willing to bring their own device are helped by a few people who refuse to and just work less efficiently as a result. This puts a limit on how much surplus the employer can squeeze out of the more efficient employees as the less efficient ones set a lower floor for productivity.

Then it is time to change employer.

That’s a stupid hill to die on. Pick your employer based on important things like comp, work life balance, advancement opportunities, etc. If you have to fork over $300 to buy your own work phone then so be it, buy one and move on with your life.

Yep, move on with my life to another employer.

If the other employer pays more or works you less you should move anyway, BYOD or not. If the other employer e.g. pays less then you’re an idiot to take a 5 figure paycut or work 10 extra hours a week just to avoid buying a $300 phone. BYOD policies are irrelevant in the grand scheme of career planning.

In the grand scheme of things, one should not weigh only BYOD policies, but they are certainly a red herring, a sign of employers that don't give a damn.

That’s not what a red herring is, but you are correct that it is a red herring.

Wouldn't the ideal be that the employee gets to pick his own tools in coordination with the employer? And the "minimum requirements" is often so short-sighted; compared to what an employee costs, spending 500 or 1000 Dollar/Euro more on a proper device should be net positive given increased productivity (both from device being more productive and employee being more happy).

You're doing it on their time, not yours. If they don't want you to be productive, you don't have to be.

I very much agree. I'd still look for a different job sooner or later. My time is much too valuable to spend it on underpowered computers.

It's kind of weird that the employer wants the employee to bring their device, but doesn't want to trust the employee's device anyway.

Sometimes it is not about trust. It is about regulations within the industry one works/contracts in.

But if this is the case I believe strongly that the employer must provide the necessary tooling.

Which regulation requires spyware on endpoints, and where in the text does it say that?

In Germany for example most companies in the automotive space require all contractors to conform to the [TISAX](https://enx.com/tisax/tisax-en.html) regulations.

These state that there needs to be proof of several data security aspects on all devices of all people working in a facility for one of these companies/clients as a contractor:

- Antivirus software up to date
- Firewall active
- Hard disk encrypted
- Ability to remotely lock device
- Ability to remotely wipe device

To ensure that this is in place at all times on all devices one needs a programmatic solution - Endpoint Management. And as this needs to be root (for remote wipe) - this could be seen as spyware (as I like to call it internally).

So yeah - there are a lot of companies/industries enforcing this. As someone above said - banking is another industry, insurance, medical and other high profile stuff with sensitive data might come to mind.

The text does not say this - but this I added just from experience. And I actually hope that someday companies like mine could go the Apple way and ensure Endpoint Management on a per user account basis. That way I could still take home my company laptop and use it privately with a different user.

What kind of anti-virus is required on a Mac? (Not debating, just curious.) I work for a FAANG on fairly sensitive projects and I’ve never heard of anyone in my org having anti-virus. FileVault, remote wipe, etc., but not anti-virus. Are there credible anti-virus systems for Mac and Linux?

Don't ask me. It is in the enrollment standard.

I strongly believe all this software only enlarges the potential attack surface.

Not sure if this "zoo" of software is more of a security theater and a legal protection to be able to tell everybody "we did all we could possibly do" in case of an attack/hack/what not.

But even if I strongly suspect my device was more secure before, I know that lots of less tech-savvy people will have at least some standard (encrypted SSD, and such) enforced. So I am not yet decided if in the end the net benefit is positive.

Symantec or McAfee come to mind, regardless of what we might think about them.

It's all about fulfilling IT and law checklists.

iOS allows remote wipe functionality in the standard mail client. Hopefully this doesn't enable any spying... Personally, I'm happy for my employer to have this functionality (trusting them not to abuse it)... My personal data is backed to the cloud anyways, so if I lose my phone I want it to be wiped.

Lots of them. It's under reasonable and appropriate security measures.

You say spyware; I say software that guarantees there is a password, that there is a reasonable lock-out time, that encryption is enabled, etc. Leaking data because you let your most gullible employee install whatever he or she liked on their laptop and phone (e.g. Facebook's spyware certs so they can read all your traffic) is going to get you in trouble in a hurry.

For example, CCPA. Which applies to a lot of us in 6 months.

> duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information


> You say spyware; I say software that guarantees there is a password, that there is a reasonable lock-out time, that encryption is enabled, etc.

I am undecided if in the end the additional software is a net positive. I am totally on your side that some basic security measures need to be enforced. And I know that this might be possible in terms of culture and processes like onboarding with a small number of employees.

And I know that in a global corp this isn't feasible.

Nonetheless, I am not sure that just throwing software at a basic problem of awareness really helps in the end. Esp. if the to-be-enforced standards like ISO 27001 are in some cases weakening the security.

I am forced to use shorter passwords now. And I need to rotate them after a specific amount of time. I automatically have software installed (because next to security stuff we get some additional software) that does not exactly have a reputation of being secure.

So while there is light there is also quite some shadow.

If in the end this proves to be net positive, we will have to wait and see.

And yes: I call it spyware. It has its own SSL certs, could potentially open my connections, monitors all and every connection my device makes, can (without me knowing) download any file on my device. And also can plant any file on my device without my knowledge.

As root it can add any additional functionality without my knowledge. And it does, as far as I have been told, scan any network I connect to for unmanaged devices and transmits (to quote) "a rich set of information for the located assets, including the hostname, MAC and IP addresses, device manufacturer, operating systems, open ports, applications, and historical information such as the first and last time the asset was seen on the network."

And it is not only being marketed as being compliant to GDPR, but actively helping and supporting companies to become compliant with this exact feature.

fwiw, I've done SOC-x stuff, and I talked our auditors out of requiring routine password changes. That said, we seriously invested in 2FA, with high-pri stuff protected via yubicos.

I also talked them out of requiring virus detection on our Macs, but this took a lot of work to avoid trusting (most) laptops.

I can see this approach as something quite interesting. Suspect it would not work in our current environment. But we will have to see.

But also thanks a lot for the idea to do this and try that. Not sure if it works with being ISO 27001 certified - but at least one can try.

Anything in financial services and probably health requires you to secure company data.

A regulation is a specific text, not a general idea about the importance of security or the sensitivity of an industry.

This is common anywhere you work with ITAR-controlled data.

My employer offered to buy me a laptop. It was a perfectly good laptop in most respects, but I turned it down because I didn’t like the keyboard.
