How to secure your notes and home network when using a company laptop? (nickjanetakis.com)
39 points by nickjj on Dec 6, 2022 | 21 comments



I have two ISPs, one dedicated for work. Dedicated switches, wiring, etc. Never use Wi-Fi or Bluetooth; try to disable them until the OS turns them back on.

If someone is looking at all your private devices, etc. at work, it's someone like me lol. The ARP table on your PC collects the MACs of everything in that LAN. Now, I don't care about that, but seeing my own devices log that and my IP and every USB drive, and knowing how many people, devices and companies have/process that information, is what led me to those precautions. It's also standard practice to look at all the SSIDs you've connected to, or sometimes USB PID/VID inserted before file writes, when doing forensic investigations (usually happens when you're suspected of being naughty or simply because of a special/sensitive role you hold).

When it comes to personal devices, USBs are the ones I have to track down a lot, mostly because of worms and all. But I have run into people that mount SMB shares or whatever to a device in their personal LAN that has all sorts of malware-infested pirated shit (I just get them to stop connecting it).

Also, urmmm... how can I put it? There are some really terrible people out there including people that may or may not work at your company's IT/sec/mgmt.

YMMV -- I know what I've seen :(


Why not route a single ISP connection into two separate NATed subnets to save cost? Are you worried about your work correlating with ISP data through some data broker service, or is there a different risk that I'm missing?


The public IP would be shared and administering that took too much time; tried that first. Even tried VPNing. This was the best/cleanest/simplest solution.


Might be way cheaper to spring for an extra IP address from your ISP.


Nah, it's not that expensive, plus the redundancy has paid for itself. I could switch to the home ISP, but with a double tunnel (work VPN = slooow but usable).


I use the guest Wi-Fi strategy with the company computer isolated from the rest of my network, thinking mostly about my own privacy.

I can't do much in terms of personal usage of my company-issued laptop (MacBook M1 Max Pro), so I never use it for anything personal. Even for stuff like +1-ing a comment on a public GitHub repository for a random open-source project that we might use and that I discover while working, I prefer to just reopen the link on my personal computer and do it there. I've no personal accounts for anything whatsoever configured on my machine.

I don't think this should be the default for everyone, though. These limitations depend on the industry you're in and your actual security risks/exposure.


I recommend this for everyone. I think it should be the default.

Now not everyone will be capable of doing all of this but I still think it's a good idea for everyone.

What everyone can do and should do by default, because you never know and better safe than sorry: you definitely shouldn't mix personal and private on the work laptop. Nothing private is done on the work laptop. If you're at the office, use your mobile device instead. If you're at home, your own laptop/computer isn't far away; use that. It's really not so hard to type in some URL or do a quick Google search to "earmark" something interesting you found during work on your personal device. And yes, I'd go as far as "just a Spotify account".

Network-wise I agree, "guest" Wi-Fi should be the minimum. Even regular router firmware AFAIK should all have that nowadays, so definitely put the work laptop in that one. Much of the HN crowd should go further and have something like Tomato, where you can define lots of virtual wireless LANs, and if you're the "wired" guy, put the work laptop onto its own VLAN on a dedicated port and never plug it in anywhere else. There is so much corporate spyware out there that you never know if you can really trust your company or its employees not to snoop around your network. It's so easy to set up that it should be a no-brainer even if you fully trust both your company and all its IT employees and their boss and boss' boss etc. And they don't even have to actively snoop now; just regular operating system auto-discovery stuff that ends up in logs can be enough for 'later'.

I go further w/ the Wi-Fi and actually have an automated access restriction set up that disables any network traffic from some time in the evening to my usual start time in the morning, so the work laptop won't even be able to communicate w/ the internet, let alone corporate headquarters, during that time. It doubles as my "oh, it's that late already? I should really stop working and make dinner" reminder when network requests suddenly start failing ;) but it's easy enough to re-enable temporarily if there's an exceptional situation going on.


> There is so much corporate spyware out there that you never know if you can really trust your company or its employees not to snoop around your network. It's so easy to set up that it should be a no-brainer even if you fully trust both your company and all its IT employees and their boss and boss' boss etc. And they don't even have to actively snoop now; just regular operating system auto-discovery stuff that ends up in logs can be enough for 'later'.

True, the EDR product (one of the big names) has a feature where it explores the network environment around each laptop using nmap-style techniques.

This feature is also actively being used, so I've decided to do the same at home and set my work computer on a locked-down VLAN.


I loved the timing restriction. Too bad I can end up working unusual hours sometimes, or I'd consider doing the same.


How often is "sometimes"? How regular is "sometimes"?

I ask because Tomato, for example, makes this relatively flexible, so if you work certain hours but different ones per day, that's easily done with just regular configuration through the UI. I have it set up to completely block the work Wi-Fi on weekends, for example.

If it's something like an on-call week, I would still set it up and only temporarily disable the entire rule if a page comes in that needs attention. If during pager week you basically need constant access, consider whether this is a place you really want to work. If no efforts are being made by everyone to reduce the amount of pages, I would strongly suggest you don't want to work there.


I run a virtual machine on the work laptop that has a WireGuard VPN connection out.

The note-taking tool used is Joplin, which syncs encrypted notes to the cloud (here a free Dropbox account).

There are many ways to skin a cat, and this way is not bulletproof, as I'm still typing on the keyboard and keystrokes of course can be monitored. Also screenshots.

The only foolproof solution is to use a separate computer altogether. Know your threat model and adjust accordingly. This is what I have done.


How to secure your computation on a compromised device??? Is this a joke?


Company laptop?

Easy, set up a guest Wi-Fi at home.


This made me think... if my partner and mother-in-law are on the same guest Wi-Fi, are the computers all doing recon on each other? Is that a problem if you work for competitors in some way?


Often the guest network has client separation, where the router doesn't allow any device on the guest network to see any other device. So possibly not, but it depends on your router setup.


What information can be pulled from a home network just by being connected?

Why should I care (not addressed by the article or any comments so far)?


The article and video address this:

> On Windows and macOS you can run command line tools like arp -a to get a list of some devices on your network and then you can run an nslookup on those device IP addresses to get the names of the devices on your home network.

Basically it can get a list of device names on your network, including VMs.
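The enumeration the quoted comment describes, as an added example that is not from the article or the thread: it parses `arp -a` output in both the macOS and Windows formats, drops broadcast and multicast rows, and resolves the remaining addresses to names (what `nslookup` would return), so you can check on your own network which hostnames a work laptop would see. All addresses, MACs and names in it are constructed.

```python
"""Added example: parse `arp -a` (macOS and Windows formats) and name each host."""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple
# IPv4 address followed by a MAC in "aa:bb:.." (macOS) or "AA-BB-.." (Windows) form.
_ENTRY = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?(?P<mac>(?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2})")

def parse_arp(output: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs for real hosts, skipping broadcast and multicast rows."""
    hosts = []
    for line in output.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        # Normalise "1:0:5e:0:0:fb" / "01-00-5E-00-00-FB" to "01:00:5e:00:00:fb".
        mac = ":".join(f"{int(o, 16):02x}" for o in re.split(r"[:-]", m.group("mac")))
        if ip.is_multicast or mac == "ff:ff:ff:ff:ff:ff":
            continue  # a multicast group or the subnet broadcast, not a device
        hosts.append((str(ip), mac))
    return hosts

def reverse_dns(ip: str) -> Optional[str]:
    """What `nslookup <ip>` would answer; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def name_hosts(output: str, resolve: Callable[[str], Optional[str]] = reverse_dns
               ) -> List[Tuple[str, str, str]]:
    """Attach a hostname (or '<unresolved>') to every parsed ARP entry."""
    return [(ip, mac, resolve(ip) or "<unresolved>") for ip, mac in parse_arp(output)]

# Constructed sample output: addresses, MACs and names below are made up for the demo.
SAMPLE_MACOS = """\
? (192.168.1.1) at a4:2b:8c:11:22:33 on en0 ifscope [ethernet]
? (192.168.1.37) at 3c:22:fb:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
"""
SAMPLE_WINDOWS = """\
  192.168.1.1           a4-2b-8c-11-22-33     dynamic
  192.168.1.37          3c-22-fb-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""
# Stand-in for the PTR records a home router's DNS would hand back (constructed).
FAKE_PTR: Dict[str, str] = {"192.168.1.1": "router.lan", "192.168.1.37": "kids-tablet.lan"}
```

Feeding the real output of `arp -a` to `name_hosts` with the default resolver shows the live view from whatever machine runs it; any hostname that comes back is one the work laptop's agent could log.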


So they can see I have a phone and a computer?


> So they can see I have a phone and a computer?

Yes, and whatever other devices you have on your network. If you have a family that could include information about your kids (even potentially medical information). If you're working on a personal project and decide to make a VM on your own personal computer and temporarily name the VM's hostname "fuckyoudns" while troubleshooting something, your company could see that and potentially build an internal profile on you that could lead to you being fired.

Of course no company would admit to firing you because of that but it plants a seed on their end and if it came down to (2) employees of equal skill and one of them doesn't have aggressively named personal VMs, you're put at a disadvantage for something you did on your own time on a Sunday afternoon while learning more about networking.

You could also flip this and ask if you worked at a physical office and your work machine never left the office, should your employer keep tabs on your local network at home for a typical software development position? Would it be expected for them to demand they install a black box with video, audio and external network capabilities on your home network saying if you don't install this, work access will be suspended and ultimately you'll be fired?


Some 'next-gen' security agents may assess what's running on the network they're connected to.


And I thought this would be about keeping your work laptop safe. :-)

