Ask Slashdot: Using Company Laptop For Personal Use

An anonymous reader writes "I'm starting a new job soon, and I will be issued a work laptop. For obvious reasons I cannot name any names, but I can state that I do expect my employer to have tracking software on the laptop, and I expect to not be the administrator on the device. That being said, I am not the kind of person who can just 'not browse the internet.' If I ever have to travel with this laptop, I may want to read an ebook or watch a movie or maybe even play a game. I can make an image of the drive, then wipe the machine, and restore it back to its former state if I ever have to return it. I can use portable apps off a usb key and browse in private mode. The machine will be encrypted, but I can also make myself my own little encrypted folder or partition perhaps. Are there any other precautions I could or should take?"

No

[Anrego]

I can make an image of the drive, then wipe the machine, and restore it back to its former state if I ever have to return it.

Is your new job worth it? Not saying you'll automatically lose your job over that, but I can't imagine it'll go over well. Especially as you'd be using your (non-work prepared) laptop for doing work and might inadvertantly put them at risk (the kind of risk they hope to eliminate by issuing you the laptop in the first place).

The simple solution is get yourself a USB / livecd type distro. Don't touch the hard drive.. and if it's encrypted, you shouldn't be putting your company at risk (assuming you don't use the same key for anything else). Personally I'd ask your IT guys if they are ok with this before doing it. Sometimes they can actually be reasonable about this kind of stuff.

The real solution here is to leave your work laptop alone completely and get your own laptop for personal use.

Re:No

[jhoegl]

Agreed. As an IT Director, I can tell you I would be pissed someone took company inventory and did this.
Security is based off of locking down that laptop so you dont do something stupid like install a "free game" with a trojan in it.
Not that I dont trust employees to know better, but I dont trust ALL employees to know better. A breach only takes one infected system.

Re:No

[Collapsing Empire]

Once you lose physical control of a machine, you really can't say much about the security of it. You don't know where that laptop has been or who else might have tampered with it while it has been traveling the globe. The best you can really do is the standard antivirus scans. But that doesn't stop a 0-day or a custom written trojan.

You really ought to be treating all portable devices as potentially hostile devices and securing (and monitoring) your networks accordingly.

IMO if the user is competent enough to install Linux or their own custom Windows image on there, I don't think you are any worse off than it was previously. Seeing how out of date some IT departments are with patching and service packs, the machine may end up being more secure.

Re:No

[Guspaz]

You can lock down a laptop sufficiently so that even though you've lost physical control of the machine, nothing short of replacing the hard disk is going to compromise the system. If your employees are doing that just to circumvent IT policy, maybe THEY should be treated as the hostile one, not the laptop.

Re:No

[HornWumpus]

If someone has gone to the lengths of locking down the laptop they must have concerns. Important IP and known active industrial espionage would be the kind of head space I'm describing.

Given that mode of thinking, I would assume you would check the image of returning employees laptop hard drive for malicious changes installed by professionals.

Even if you trust your employee completely, the laptop has been in the hands of customs and other unknown people while in the world. It can't be assumed safe until re-imaged. Finding any attackers code would be a bonus of the 'standard' harddrive swap by IT on return.

And no it wouldn't be that bad. Employee has only had laptop for a few days. Tech pulls old drive, installs standard image replacement, checks for nonstandard flash, updates crypto, puts back on shelf. Tech installs old drive in USB enclosure, enters crypto key, scans then copies data folders to employees user folder, then runs paranoia process on OS and drive. If nothing found drive re-imaged and put back on shelf.

To the employee it looks like he turned in his machine and his data showed up in his folder 30 minutes later. To the tech it looks like he has a job doing paranoid shit, until one day he finds the next Stuxnet.

I assume, more or less this, is routine at many corporate R&D centers. In that world they do have to treat employees as, at least, potentially hostile.

Re:

[celtic_hackr]

You've never taken any computers into China have you?

Re:No

[Bill_the_Engineer]

I'd hope that the people I issue laptops to are responsible and trustworthy. Personally I don't care if they use the laptop for personal web browsing or e-book, as long as they do it on their own personal time. Most appropriate use agreements say the same thing. I do draw the line at installing programs on the laptop.

However I always strongly suggest people to have their own laptops/computers for personal use. Information stored in the form of cookies, browser history, etc. can be embarrassing or worse. There was a local county worker who was dismissed for inappropriate material being found on his work laptop while it was being serviced by the IT contractor. No one thinks about the laptop failing and having your personal data locked up for the IT repair guy to find. I find it amusing that they warn of key logging (which isn't as wide spread) but aren't as cautious about being caught in a compromising position.

Another (and more appropriate reason for the people I work with) reason being that the company I work for (and most others) consider the use of company equipment for personal financial gain as an offense worthy of dismissal and any goods produced on company equipment as their property. Lawyers are more expensive than a laptop - a.k.a an ounce of prevention is better than a pound of cure.

You really ought to be treating all portable devices as potentially hostile devices and securing (and monitoring) your networks accordingly.

Placing company laptops in a DMZ doesn't always make for a productive work environment nor is your monitoring idea that effective. A compromised laptop can still "behave" in a company private LAN and once connected to a public hotspot send its payload to whomever. There is a reason we like locking down company equipment. Locking down company equipment also has a "cover your ass" attribute that network monitoring alone can't offer. Also depending on the industry there are regulations that may dictate such measures to be taken.

IMO if the user is competent enough to install Linux or their own custom Windows image on there, I don't think you are any worse off than it was previously. Seeing how out of date some IT departments are with patching and service packs, the machine may end up being more secure.

The employee should stick to his/her paid job assignment and let IT do the job for which they are paid. I have company equipment that have two or more operating systems on them, but they were all approved by IT first and my job directly depends on it. I believe altering the contents of a company laptop in such a drastic manner without the consent of IT may be a severe violation of the use agreement.

Re:No

[PNutts]

Holy jebus. You should be embarrased to post that in what used to be technical forum. A laptop in possession of a trustworthy employee governed by policy is not losing physical control. It's not your resource to do what you please and you don't manage it. You also didn't build and tweak it so don't assume the things that work on yours will work at it. The company will have policies on what's appropriate ranging from "no personal use" to "occasional use" to "go forth and surf". The OP didn't mention what the policies and so this entire thread will be a flame war. The rest of what you say is so obvious as to be insulting. Except the last paragraph which is dangerously naive. Any decent IT shop will evaulate the risks before rolling out a patch just because it's Tuesday. It might not be necessary at all.

Just because the OP has no self-control to 'not browse the internet' that doesn't mean his company has to assume the cost and risk of him doing so.

Re:

[Runaway1956]

"A laptop in possession of a trustworthy employee governed by policy is not losing physical control."

You, me, the US Army, and Bradley Manning might kick that around in a discussion. We might come to some interesting conclusions.

Re:

[FormOfActionBanana]

That is retarded. Why?

1. The laptops carry sensitive data. Treating them as hostile is a good start, but it in no way validates leaving the user to install his own malware/crapware, etc.

2. IT departments are pretty good about patching Windows/MS Office etc. It's the little 3rd party applications and homegrown software that is being left in the dust. This was carried on /. a few weeks back.

Re:No

[Tom]

You can lock down a notebook well enough that it requires malicious intent and considerable technical skill to tamper with it.

The fact that there is no 100% security doesn't mean that there isn't 99% security.

IMO if the user is competent enough to install Linux or their own custom Windows image on there, I don't think you are any worse off than it was previously. Seeing how out of date some IT departments are with patching and service packs, the machine may end up being more secure.

Maybe. But that "more" of security could be in the wrong place, while the security that actually matters for the threat scenarios that the risk assessment has defined has been reduced.

Re:No

[Tom]

somebody has physical access to the laptop for a minute or two. A backdoor is loaded on the laptop during the distraction.

I think you need to be a little more detailed at the "and then magic happens" step.

If I can compromise your notebook in two minutes, it was never properly secured. How do you intend to get your backdoor on there? Type it in? Oh, you assume I have an optical drive and USB ports that will accept any arbitrary device someone happens to plug in?

Again, the question goes back to what this employee is really doing.

No, it doesn't. It goes back to what the company is doing. If they are in any business where lives are on the line, or actual damages could occur - I'm not talking about a dent in profits - then what the employee wants to stroke his ego doesn't matter.

Not all mobile users handle sensitive data or are really targets for attacks.

If your notebook goes on a network I'm responsible for, then it is a potential target. Even if it contains no data worth anything, it can bring malware into the system, or a nice piece of malware could download sensitive data unto it once it has connected to the network.

Read up on Stuxnet and how it got across not only firewalls, but airwalls.

Re:No

[the_B0fh]

It really doesn't fucking matter - *IT IS NOT YOUR LAPTOP*

My solution

[AliasMarlowe]

I bring a Knoppix live CD, a ruggedized 500GB USB drive (Adata SH93 [adata.com.tw], which is powered from a single USB port), and headphones. In total, this adds less than half a kilo to the mass I have to carry, and almost nothing to the bulk. The laptop hard disk is untouched, as it's not even mounted when Knoppix boots. I'm only using the laptop for personal purposes in hotels to either (i) surf the web, (ii) access non-work email accounts, or (iii) watch movies. I generally copy a selection of movies from the home media server to the USB drive before traveling - hotels often charge outrageous amounts for their limited selection of premium channels, and the company won't cover such charges. If I download anything, it also goes to the USB drive.

Re:My solution

[hokeyru]

Even better, if the laptop supports it, buy a second hard drive tray and hard drive, and swap between them for business and personal use.

Re:My solution

[AliasMarlowe]

You don't even need a live cd, you can run it all off of the usb hard disk.

Not in my case. USB media are not bootable due to BIOS lockdown.

Re:

[Anonymous Coward]

Interestingly, there are some USB devices which enumerate as an optical drive, but have flash memory -- for purposes like installing some OSes on netbooks -- and they might work for this, depending on how the boot lockdown is implemented, some bioses treat USB-attached CD-ROM differently from USB mass storage for such purposes. Still two things to carry, but less bulk than a CD-ROM, and a little less susceptible to mechanical damage.

Re:My solution

[AliasMarlowe]

Just get your own net book man.

Why? My present solution is better in several ways.

First, the work laptop has a 17" 1920x1200 LCD, and I have full HD videos on the USB disk, while I have yet to see a netbook with a remotely comparable screen. Second, the USB disk and CD add almost nothing to either weight or bulk, while any netbook would occupy more space and mass, especially if it has a decent display. Third, the USB disk and CD are rather cheaper than even a budget netbook, and far cheaper than any netbook with an adequate display (or a tablet, as another pundit opined).

BTW, I already have a personal laptop which also has a 17" 1920x1200 screen (actually slightly nicer than the work laptop's). However, I choose not to carry it around when I travel on business, since it has mass and bulk far greater than the USB drive and CD, and for my purposes would provide no additional functionality. Note that I carry several other work-related items along with the laptop, so airplane carry-on mass and space are not to be wasted.

Re:

[ILongForDarkness]

But your personal laptop does provide additional functionality namely not having to screw around with your works equipment to try to do something with it you shouldn't be in the first place. I can almost guarantee you that your corporate IT policy doesn't allow personal use of their equipment. So keeping your job is a nice additional function IMHO.

Another option ... might be ... talk to your work. Tell them hey I'm traveling and have nothing to entertain myself with when I'm not working. Can I use the lapto

Re:No

[Deorus]

As a software engineer, whenever I have to work with IT people like you, I happily leave the company's laptop unused and locked in a drawer beneath my desk and use my MacBook Pro instead. All the information needed to access corporate services is in my possession anyway, so you're none the wiser. If you block Internet access at work, I will happily tether to my iPhone or bring my iPad.

To put it simple: in this day and age you can't afford to think you have that kind of control. If there's sensitive information, the only way to be on the safe side is to ensure that it never leaves the company, which is something that you can still do.

Re:No

[Tom]

All the information needed to access corporate services is in my possession anyway, so you're none the wiser. If you block Internet access at work, I will happily tether to my iPhone or bring my iPad.

Let me get this straight: You would connect to the corporate network using a private, unapproved machine? And you would then connect that machine directly to the Internet?

In several environments in which I've worked, as the IT Security/Compliance Officer I would recommend you for immediate termination.

Just because you think that you are entitled to your own rules doesn't make it so. If you don't like my rules, you are welcome to come into my office and discuss them with me. You better have good reasons, because I do.
You are not free to just break the rules and open up the corporate network to the world at large, bypassing all the security layers that are there for a reason.

Re:No

[sensationull]

No, arogant users, the job it to work with, not against the company and its interests. Only one of those interests is catering to all the whims of some prissy dev. Security, stability, liability and supportability are some of the other large factors your self centered world view completly misses.

Re:No

[Tom]

That's assuming you'd know. As I said above, you'd be none the wiser.

That's a criminal lawsuit right there, you are aware of that, yes?

As an IT professional you are supposed to work WITH me, not AGAINST me. Until you understand that, deceit is all you deserve.

I will gladly work with you. I told you how to initiate such a cooperative effort. Bypassing the corporate security measures is where you are working against the company.

I am 100% for making security a lot more user-friendly and cooperative than it is today. In fact, I've given the keynote on a security conference on that exact topic two weeks ago.

But that doesn't mean any joker who thinks he's smart can just go and violate all policies, bypass all security measures and put the entire corporate network at risk.

Re:No

[Tom]

You have a black-and-white image of trust and security that we abandoned somewhere in the 80s, I think.

Mobile devices are by nature less trustworthy than devices that remain within the physical perimeter you control, but there is no such thing as 100% or 0% trust in any halfway modern security view.

By all that is entirely besides the point, so let's burn the strawman down quickly and get back to the original point: Mistrusting the mobile devices was, in this example, exactly what the company is doing and is why our friend is putting his employer at risk so he can play FarmVille.

Security often relies on humans, like it or not. You can, theoretically, construct an entrance that guarantees through technological means that no unauthorized person can enter. In the real world, very few people outside certain TLAs would put up with something like that, and very few companies would even entertain the thought after you've told them what it would cost. Almost every real-world physical entry control has a human element.

The IT world is not so different, just less visible and touchable. Real-world security measures are a combination of technological and organisational countermeasures. You may be more familiar with the other term for "organisational measure": Policies.

Re:

[Tom]

You sound like a modern dictator and the whole stuff sounds like modern slavery.

Please don't diminish the horrible reality of slavery by comparing it to policies within a corporation.

While i can see your point from a security stance of view, it's still not a valid argument to think you -and you alone- have absolute control over someone else.

No, but is the concept of "here are the rules, we expect you to follow them" really so hard to grasp? I am strict on enforcing the policies, yes. At the same time, I made it clear that the rules are not set in stone - give me a good reason to change them and I will be on your side.

Also, your arguments will be bull. The information is not safe, whatever locked-up solution you use. People could always just make a photograph of the screen, if not anything else.

Your safety should come from the fact that you _trust_ your employees. And to tell a little secret. Trust must come from both sides, else it won't work.

I'm not trying to protect against the user. That's idiotic, and any company feeling that it needs to do that needs its leadersh

Re:

[Tom]

That is why the Security/Compliance Officer reports to the C-level executives, and isn't some kid stuffed away in the IT department. If your boss has a boss who talks to the IT director, then you aren't a Security Officer, no matter what your business card says.

Look, when I say "for a reason", I don't mean "I made something up". I mean there has been a risk analysis, signed off by top management, resulting in a corporate security plan, signed off by top management.

With that in my pocket, I will tell anyone

Simplest is goodest.

[blackicye]

Buy yourself another laptop.

Re:Simplest is goodest.

[The Good Reverend]

Perhaps you're injecting your own life into your posts here?

I love the internet. I love web surfing. I love communicating with friends and family that aren't close to me. But I also like to read, to go drink beer with friends, and to spend too many hours in my garden. The two are not mutually exclusive.

To say that he has an addiction because he's asking about technology tells much more about you than it does about him.

Re:

[Samantha Wright]

I think that really depends on the length of the trip. If it's a two-week-long adventure, then yes, you're right that my suggestion is unreasonable. Not so much if it's just an over-nighter; this is something that can get you sacked (as some other comments higher up on this story have testified) and really shouldn't be done just on a whim.

Re:

[Samantha Wright]

I do, too, to be quite simply honest. I just don't think it's a good thing that we're so dependent on it!

Re:Simplest is goodest.

[John Bresnahan]

This is one of the reasons the iPad is so popular. It makes a good personal web-surfing device when traveling on business with the company laptop.

Re:

[jowifi]

The solution I came up with was to buy a spare hard drive and caddy for the machine. When I wanted to do my own thing, I swapped out the drives. No risk of contaminating either system with data from the other, and it's a lot easier to carry around than an extra laptop or even a tablet. It also tends to be faster that a cd or usb drive.

Re:No

[CohibaVancouver]

The solution I came up with was to buy a spare hard drive and caddy for the machine. When I wanted to do my own thing, I swapped out the drives.

If a) you're running windows on your second drive and b) the employer has deployed tracking software like Computrace then Computrace will self-heal onto your second drive and the swap will be detected. No worries if you're running Linux on the swapped drive.

Re:No

[maxwell demon]

Another solution is to simply ask the employer, if some personal use of the laptop is OK, and if so, to what extent. Maybe you'll get the answer that your intended usage is fine, and then you'll not have to worry at all about how to hide it.

Indeed, if I were the employer, if someone asked I'd probably be fine with it, but if someone were playing tricks to hide and I'd find out, I'd seriously consider firing him.

Re:No

[Rary]

This is exactly right. It's amazing how many people immediately look for ways to go behind the employer's back. Why not start by just asking them? If the employer is expecting you to travel for extended periods of time, then there is an obvious need for getting a reasonable amount of personal use out of the laptop, as traveling with two laptops (one for work, one for pleasure) is just silly. Your employer is human, and likely a reasonable one at that (and if not, you should be looking to replace her or him). So, just explain your needs and come to an agreement.

Re:

[Wescotte]

Because we are taught it's easier to ask for forgiveness than to ask for permission.

Re:No

[Glonoinha]

Smartest thing I've read all day. It is literally a perfect match to the original question, which is probably the dumbest thing I've read all day (drive image your work laptop, smoke it and install your own warez, and restore the drive image before giving it back to them.)

OP - here's the one piece where your plan fails : the active directory connection establishing your machine as a trusted member of the domain, and your user as the domain with the same name ... disconnects if it hasn't been refreshed in a while. I don't know how long it takes, but it happens. And it is a particularly uncomfortable discussion with corporate IT explaining why, given that your machine looks exactly like it did when they gave it to you, and you have been using it for a few months. The question is going to come up 'What did you do to it?' and you are going to answer just like they expect you to 'Nothing.' ... and it goes downhill from there.

Technical answer for you is same as Anrego : USB Thumbdrive install of Linux : Pen Drive Linux [pendrivelinux.com] has a zillion distros you can pick from, and they give you step by step instructions on making it work.

If technical answer #1 doesn't work for you, here's technical answer #2 for you : remove the work hard drive, install a new hard drive, install your own OS on that and swap out drives for work / pleasure. Downside is limited to the danger of physically borking the work drive while removing it or storing it while it is out of the machine. Explaining how you managed to mangle the SATA connector on a work laptop is a very difficult discussion.

Personal preference answer is also same as Anrego : don't do anything on your work laptop that you wouldn't do with representatives from corporate HR, IT, your boss and his boss standing over your shoulder. Buy a cheap used netbook for $150 on Craigslist and take it with you to do your warez/internet surfing/pr0n viewing.

Read the company policy

[klubar]

You might first check with the company policy on use of company-owned equipment. It may be acceptable for you to watch a netfilix movie, read an ebook, do some shopping or check personal email via a website like gmail. The company policies may actually be reasonable. On the other hand, if the work you are doing requires the highest level of security , then no you shouldn't use the computer for anything else. Check first. If the answer is no, then respect it or get another job.

If you are not allowed to use

Re:No, there's no need

[icebike]

The parent correctly points out that you can use a live distro and avoid having to touch the company's hard drive.

Maybe, maybe not. There may be key-loggers installed which still grab your keystrokes.
Further, you can set up machines to prevent booting from anything other than the hard drive, then lock the bios.

Re:No, there's no need

[Anrego]

I would take any of that as a sign that your employer is serious about controlling their equiptment and trying to subvert their control is a sure way to find your stuff in a box at reception when you get back from your trip.

In other words, a sign to buy your own laptop ;p

Re:No, there's no need

[Bluecobra]

Maybe, maybe not. There may be key-loggers installed which still grab your keystrokes.
Further, you can set up machines to prevent booting from anything other than the hard drive, then lock the bios.

How exactly will a software keylogger installed on the operating system on the local disk be able to grab keystrokes if you booted off a livecd? If you are talking about hardware keyloggers, that may make sense for a desktop computer in where the keylogger lies between the USB or PS/2 connection. I really doubt that a company would go through the trouble to install a keylogger in the proprietary ribbon cable between the laptop keyboard and the motherboard.

Re:

[Deorus]

Unless they act like viruses or the person using the laptop is running MS-DOS, there should be absolutely no reason for concern, because no modern operating system uses the BIOS to read input from a keyboard....

Re:No, there's no need

[buzter]

Keyloggers can be installed in the BIOS, though this is rare, it can be done.

Actually, it is not that rare. A company called Absolute is a pretty big player in the firmware level asset security control and recovery business. Every major vendor has models that embed their agent into the firmware of select machines. These agents persist through imaging/formatting. They allow tracking of IP address, geolocation on models with GPS, keylogging, remote bios lockdown, remote wiping, and more. You can see a list of models on their website at: http://www.absolute.com/partners/bios-compatibility [absolute.com]

In short, I agree with the above posters. Play it safe and talk to your IT department. Ask them if you should buy your own laptop for non-work use or use a live cd.

Re:No, there's no need

[Bill, Shooter of Bul]

While, I agree you should play safe, I have to also call BS on the ability of the BIOS to keylog a linux distro that isn't preprogrammed to allow it.

Take a look at the system requirements:

http://www.absolute.com/products/endpoint-security/computrace [absolute.com]

Notice it doesn't support any distro of linux. I imagine you'd be quite safe using a live cd of any OS not on that list.

Re:No, there's no need

[Anonymous Coward]

Today you're going to learn about something new (to you). It's called SMM, or system management mode. Go look it up. It might also interest you that the Intel CPU isn't the only processor in your computer: http://www.youtube.com/watch?v=tmZ4yXuDSNc [youtube.com]

Executive summary: There is a software level below the OS even without virtualization.

Re:

[fast turtle]

There is nothing to prevent the OEM from installing a 4+GB flash drive on the Mobo as part of this program. Does the app need to be larger then that? Don't think so if it's working at the hardware level.

Re:No, there's no need

[centuren]

I can make an image of the drive, then wipe the machine, and restore it back to its former state if I ever have to return it.

Is your new job worth it? Not saying you'll automatically lose your job over that, but I can't imagine it'll go over well. Especially as you'd be using your (non-work prepared) laptop for doing work and might inadvertantly put them at risk (the kind of risk they hope to eliminate by issuing you the laptop in the first place).

The simple solution is get yourself a USB / livecd type distro. Don't touch the hard drive.. and if it's encrypted, you shouldn't be putting your company at risk (assuming you don't use the same key for anything else). Personally I'd ask your IT guys if they are ok with this before doing it. Sometimes they can actually be reasonable about this kind of stuff.

The real solution here is to leave your work laptop alone completely and get your own laptop for personal use.

The parent correctly points out that you can use a live distro and avoid having to touch the company's hard drive.

Maybe, maybe not. There may be key-loggers installed which still grab your keystrokes.
Further, you can set up machines to prevent booting from anything other than the hard drive, then lock the bios.

Just to be clear, OP is saying he is "not the type of person who can't look at pornography" right? In this work-related scenario, if that's the case, get your own laptop, tablet, or smart phone.

If that's not the case and he is worried any personal use will get you in trouble, that's probably something he should clarify. I know plenty of unreasonable work places are around, but it is unreasonable to expect no personal use from a company laptop in constant possession of an employee (especially outside of work hours).

If neither is the primary case and you are expecting the laptop to be so locked out that you can't run anything but an office suite and the company-modded IE-engine software, then, as was pointed out, run a separate OS off a thumb drive. If the hardware is completely locked-down, back to the tablet/smartphone concept. Look up the policy, talk to the IT guys, but, essentially, DON'T do something that can mess up IT's carefully locked down security, and DON'T do things that are illegal or NSFW.

If the issue isn't "I want to look at pornography on my work laptop", why would the company care if he reads an ebook or watches a movie, if it's done responsibly (and somewhat out in the open, so all that's monitored is a lot of "unknown activity")? It kind of sounds like it's a porn thing, though. Maybe it's the inferred metaphorical air quotes.

Re:No, there's no need

[unixisc]

I know plenty of unreasonable work places are around, but it is unreasonable to expect no personal use from a company laptop in constant possession of an employee (especially outside of work hours).

The only case I can think of where personal use of one's work laptop may be unavoidable is if the employee is travelling out of town on a business trip somewhere - he's not likely to take 2 laptops w/ him. In such a case, it may make sense for him to use IE's InPrivate Browsing or something similar. Or else, better idea - if he has his tablet or smartphone w/ him, use that. I'm assuming that it would be for afterhours entertainment (once all the meetings and dinners are over) and he's done checking his work stuff on the laptop.

Otherwise, get another laptop/tablet/smartphone for what you need to do. Laptop if a lot of typing will be involved, and tablet/smartphone if it won't. Whether it's porn or visiting otherwise blocked websites, do it on your own equipment - and on your own time.

Not just don't WANT to...

[raehl]

...but can't.

There are several countries where going through customs with TWO laptops will ding you for import fees on the 2nd laptop.

Re:No, there's no need

[icebike]

A tiny tiny portion of the real early internet was funded by the govenrment. There has been no funding of infrastructure by government for the last 20 year.

Many companies turn off usb booting in the bios, and then lock the bios.

Re:No

[unixisc]

I fully agree w/ this. In all my jobs, I made it a point to not do any personal stuff on work laptops (and once they disabled webmail sites like gmail, the only potentially urgent personal thing to do was out the window). On my home laptop, I did whatever non-work related stuff I wanted. Never faced any issues - particularly given how it's well known that there is no guarantee of privacy as far as one's work laptop is involved.

Don't go there...

[icebike]

Just get a Tablet/Netbook of your choice and use that for web surfing, personal email, video and music streaming, etc.

Its a far more honest way of going about it, and by shopping around you will find a tablet that fits your needs, and can be slipped into the same carrying case the laptop uses. You may only need a wifi model, but tablets with data plans are not that expensive. You can add encryption to the tablet, if you want.

This gives you the freedom to do as you wish, and you can still move things back and forth between the tablet and the laptop as needed via any number of means when you have a legitimate reason to do so.

If you expect there to be tracking software on the machine out of the gate, then trying to go down the deception road is just a Bad Idea. Key loggers will log what ever you do, and removing them is not likely to go unnoticed. Key loggers things, if properly installed, can even read work you do in a USB thumb-drive based Linux distribution. And depending on how savvy your company's IT department is you may find any attempt to use the laptop in way other than what was intended will trigger alarms. Wiping the drive and restoring it to some back level state amounts to an admission you were doing something you weren't supposed to do. And you may not be given the opportunity to do so, when IT walks in (or accesses it remotely) to do a routine upgrade, and finds all sorts of ebooks and games, etc.

Nope, my advice is to celebrate your first pay check with a gift to yourself of that Tablet or Netbook you've always wanted. This way, you and your employer stay on each other's good side.

Re:Don't go there...

[Anonymous Coward]

Agreed. It's THEIR notebook, not yours. They bought it. It belongs to them. They have loaned it to you for work purposes. Don't abuse that by messing around with it.

If you want to do other stuff, buy your own notebook, tablet or smartphone.

Re:Don't go there...

[icebike]

If they give you a company car to take home, chances are they allow grocery shopping.

But if you have to jump on Slashdot and ask about GPS jammers and how to disconnect your built in Nav in a company car so that the company can't know that you routinely stop by the strip club on the way from/to customer meetings, you already have stepped over the line.

Re:Don't go there...

[Oligonicella]

Company cars aren't for leisure time. Use your own car.

Re:Don't go there...

[Patch86]

I doubt they'll mind him reading his favourite news website or going on Amazon on the new work laptop, you know. They might take issue with him installing a pirated copy of Crysis, or downloading porn.

The question isn't really whether they'll mind him doing stuff on their laptop, but whether they'll mind him massively messing with their software and hardware setup- live booting, partitioning, wiping and restoring, swapping out HDD, and all the other stuff suggested in this thread. If nothing else, it's classic "guilty behaviour"; how do they know whether he's doing it to hide his porn habit, or hide his massive illegal company fraud? If they think he's going to a lot of effort to deceive them and hide his behaviour, they're going to assume the worst.

Going on Amazon on the company laptop is the equivalent of going to the supermarket in the company car. Wiping the company laptop's HDD is the equivalent of popping the company car's bonnet and replacing components with ones you've bought on eBay.

Re:

[moronoxyd]

Agreed. And if you happen to recollect that you have to stop by the grocery store on your way from work while driving your company's car, park it at home, get into your own vehicle and only then go shopping, because that's clearly the most reasonable thing to do.

Apples and oranges.
Driving around with two cars at once isn't possible.
Carrying two laptops (or a laptop and a tablet) is.

Plus, the equivalent to do grocery shopping would be browsing some news sites or reading private email. That would probably not be a problem with the work laptop.

But making an image of the hard drive and installing a different system is more like changing the engine of your company car because you want something with more power and storing the original one in your garage.
I'm pretty sure

Wow

[Isarian]

You're kidding right? Don't be an idiot, follow the terms of your employer and get your own damned machine.

Re:

[rew]

So you enjoy lugging around two laptops when sent on a business trip?

Re:Wow

[Alan Shutko]

Nope. But that's life.

In my case, I worked to get rid of the company-issued laptop in favor of citrixing into my desktop at work. That means I have to carry less, and since I'm not constantly on the road, works well for me.

Re:

[tepples]

Do you do your citrixing even when your laptop is out of range of public Wi-Fi? If so, how many cellular gigabytes per month does your citrixing use?

Re:

[TheSHAD0W]

They keep getting smaller. A pad or a netbook added to your bag is barely noticeable. Dual-core netbooks are awesome and cheap; just look for one with an Atom N550.

Re:

[Beelzebud]

Try construction work for one year, then tell me how horrible it is to lug around 2 laptops.........

Re:Wow

[Oligonicella]

That was 2007. I'm pretty certain those same people are showing up at 9 and working until done now. Changing the situation of "more jobs than kids" to "less jobs than kids" changes a helluva lot.

Read the policy

[Jethro]

Read your company's employee handbook and policies. it's very likely that they allow "limited personal use". Just don't do anything stupid like watching porn or pirating stuff on the thing.

If you have any doubts about running any specific software on it, talk to your boss or call HR. They should know what the company's policies are.

I have a work-issued laptop. I'm allowed to browse the internet on it so long as it's a reasonable amount, and the corporate image came with media players, including a DVD player, so I'm fairly sure I can watch movies/listen to music on it when I travel.

But I never do. I take my own personal laptop with me. It's just a lot more comfortable that way.

Grow up

[clickclickdrone]

As others have said, it's not yours to mess about with and that crap about 'I just can't not surf the web' - jeeze, grow up already. Use your own kit for your non work related computer activities.

Read policy

[minstrelmike]

If your company policy is 'limited personal use," then you're covered.
That's a range of behavior. I would _NOT_ create encrypted partitions or do anything that would look like you're trying to hide stuff.
That's a big red flag and may get you noticed. Most of the time, they aren't going to examine your browsing history. Too much other stuff to do.

Legally, no one is sure what the 'limited' part of personal use means. Facebook and Slashdot and reading email and news items are probably okay.

Just don't do

Are you serious?

[Pollux]

If you're seriously thinking that you need to go through that much trouble to hide your "bad work habits," the problem really is you. You appear to be aware of your less-than-exceptional work habits. Reading between the lines, it almost appears as though you lost another previous job because of your self-distractions during work.

Rather than try and hide your browsing history, why not try working for a change? They are paying you to work, after all. And on periods of downtime, bring your own laptop.

Re:

[tixxit]

Pretty sure he's talking about his use of the laptop off company hours. That is, he gets home from a long day of work and wants to browse the web. He's on a plane and wants to play a game. That kind of stuff.

use a live usb stick

[Anonymous Coward]

I would use a persistent live distribution of some operating system. Just boot it off the USB stick. Your company OS won't be touched.

Yep, don't do that...unless you're allowed to.

[SecurityGuy]

I agree with everyone else. Trying to subvert your company's security policy, especially as a new employee, is an excellent way not to be an employee for very long. Just ask them if you're allowed to use the laptop for personal use. If they say no, then don't do it. If they say it depends, tell them what you have in mind. My employer wouldn't care if I was reading ebooks on it. Reasonable personal use also wouldn't be an issue. Messing around on FB on my own time? No problem. Browsing porn? Yeah, that's not going to be ok. Watching movies? Depends. DVD? Fine. Netflix (or anything else you have legit rights to)? Fine. Downloading them illegally to watch? Not a chance.

Basically, don't be an idiot.

Re:

[Quirkz]

Yep, pretty reasonable, assuming the company isn't completely paranoid. Particularly when it comes to travel, I have no qualms using the work computer after hours for my own entertainment. The computer may belong to the company, but after hours my life belongs to me, and if they're going to sent me away from the comforts of home they'd be pretty unreasonable to expect me to travel with two computers just to avoid doing a little web browsing or game playing on theirs.

Slow Nerd Day?

[Trip6]

The answer is so obvious to get your own laptop that I can't believe this even made it on the boards. Slow nerd day?

Yes there is

[Billly Gates]

Want to browse porn?

Bring your own laptop or smart phone.

Want to hack, code for fun or use online banking?

Bring your own laptop or smart phone.

Subverting and sabatoging company equipment is not only a firable offense, but it is immoral and unethical. Yes the HR weenies will consider this sabatoge and hacking if you dick around with encrypted system volumes and corporate mandated software. It is not yours and belongs to someone else. Your employer wont care if you browse cnn or read your gmail or maybe even

boot off a USB fob when you're "off the clock"

[Ritz_Just_Ritz]

When I am stuck traveling with the company laptop, I bring along a bootable USB fob with the latest Linux Mint on it and use that when I'm "off the clock." Some companies will try to lock down the bios so you can't even do that (forces the encrypted HD to boot first). So if that's the case, I'd just bring your own laptop/tablet along and call it a day.

I don't agree with companies to do this kind of thing, but in these economic times it's not worth losing a job over.

Best,

Miranda

[Jazari]

Anything you do on a computer which doesn't belong to you may be used against you in a court of law.

Carry a live-VD, buy a tablet, or use any other means to do your personal computing. Never use someone else's computer to log into your email accounts, surf, etc. And if you think you have "nothing to hide" and can't even imagine how it could be used against you, then you *definitely* need to heed this advice.

Re:

[Maow]

Carry a live-VD

I've got a live-VD that I'm just itching to share if anyone's interested.

Anyone? Hello? Is this thing on?

I am absolutely stunned

[msobkow]

I know people will go to great lengths to complain about their "right" to abuse company resources for their own benefit, but this takes the cake.

You want to WIPE the company hard drive and all the software that is provided for you to do your job, and you don't see a fundamental flaw in this reasoning?

You, sir, are a selfish, greedy, ignorant, and probably USELESS fuck who shouldn't be hired by ANYONE.

Locked

[Zemran]

If their choice of hardware and ability of IT staff are good you will be unable to do anything as the settings should be locked (password protected) and it should not boot from anything other that the disk they set up. If they are useless enough to allow you in then I have little sympathy for them but they will not see it like that. I remember one company that I worked at where I could not do my job because I did not have the software I needed installed. After a few days I installed it myself (using the correct install disk which was waiting on my desk but involved changing the Admin password). It was 2 weeks before IT came along and I got into a lot of trouble. The fact that I would have been doing nothing for 2 weeks and I had customers that needed my work etc. did not count for anything against an established IT manager given that I was obviously a "Hacker". It is not really worth the risk unless you are a belligerent trouble maker like me.

Short Answer: Don't

[monk]

Long Answer: Reword you request and the risk becomes a little clearer. "I'm starting a new job soon, and I will be issued equipment which I have agreed not to use for personal use. I am compelled to use it for personal use anyway. How can I do that." You have to first weight the cost and the benefit. Is surfing the web worth losing your new job?

On the other hand, screw Greyface, here's how you do it. Don't try any of the approaches you've mentioned. If they have tracking software installed they may have software keyloggers and remote desktops as well. They MAY have hardware keyloggers. They probably don't, but that's the risk you're taking.

Get an live Linux distro [livecdlist.com] you can boot off of USB, one that allows you to store stuff back to the USB stick. Damn Small Linux [damnsmalllinux.org] is a good one. Do your personal stuff EXCLUSIVELY when booted to the stick. That's about the best you can do. Best of luck. May the Source be with you.

Don't do it. Carry your own laptop.

[ChrisKnight]

If I may, I'd like to address a couple of assumptions in your post:

"I can make an image of the drive, then wipe the machine, and restore it back to its former state if I ever have to return it."
You can't guarantee this. I am on the security team at my company. When a person is being let go they called into a meeting and someone collects their laptop or desktop while they are in the meeting. In only one case have we allowed someone to access their system after it was collected, and that was under supervised conditions. We pull the laptop hard drive, label it, and shelve it. If that were your drive, we could have your personal information sitting on a shelf for years, waiting for someone to access it. While this didn't happen to me, a friend of mine was asked to peruse the hard drive of a terminated employee, and what she found led to criminal charges being filed against the ex employee. Not saying you would do anything illegal, but never put yourself in a situation where someone else has unlimited and unrestricted access to your personal data.

Also, this could be a violation of company policy and could be grounds for disciplinary action.

"I can use portable apps off a usb key and browse in private mode."
Yes, you can, but that doesn't mean you can bypass any monitoring or filtering software installed on the machine.

"Are there any other precautions I could or should take?"
It's just not worth the hassle, and potential employment repercussions, to modify your company owned system. I have two laptops that go with me everywhere. One is my work laptop, the other is my personal laptop. I keep both realms deliberately separated. Buy yourself a Macbook Air, or other maybe just a tablet since you mostly indicate you are browsing. Keep your work and personal life separate.

Common Sense

[buckeyeguy]

If you have a laptop that has remote admin/update software like Altiris on it, you'll probably screw up the PC if you start messing with partitions, folders, settings, etc. Would recommend against that. My latest work laptop (c/o the Fortune 25 company I work for) has the disk encryption, but no USB block or oppressive admin rights, and no huge caveats except to not install unlicensed software on it.

As for general use, are you traveling a lot? Employees that travel tend to have a bit more leeway with the use of their PC, browsing should be no big deal, but I would still recommend not loading up games or media on it. Get a smartphone or 2nd PC for that. And have some common sense; no porn browsing, period.

OT: sounds like there are a lot of 'bosses' on this thread ;0

Is the employer really that draconian?

[swillden]

The other posters have covered well the fact that you really shouldn't try to work around the employer's policies. Getting caught is likely, and almost certainly grounds for termination. Don't go there.

That said, you should find out what the employer's policies actually are, rather than just assuming they're going to be insane. I've had a company-issued laptop since the mid-90s, with several different employers, and none of them have done what you describe. Moreover, I've also spent years consulting with dozens of companies about their IT security policies, including management of laptop use, and none of them have approached it the way you describe, either.

Most employers care about (in decreasing order of importance):

1. The security of their data. There are lots of good reasons for this, obviously. This includes things like full-disk encryption to ensure that if the laptop is lost the data it might carry is not revealed, and mal-ware prevention in order to prevent mal-ware from revealing important data.

2. The security of their network. Since you'll bring the laptop into the office and connect it to the network, employers don't want the laptop to be a vector for malware or targeted attacks.

3. Preventing HR problems. Stuff like porn on screens in the office can create sexual harassment lawsuits. This is the primary reason for anti-porn rules.

4. Productivity. Misuse of company equipment on company time means (arguably) that productive work that should be done isn't. This is another reason for anti-porn and anti-surfing rules.

Different companies take different approaches to managing these risks. A common, if very authoritarian, approach to limiting malware, for example, is to allow only software which is specifically approved by IT to be installed on the machine. Keylogging doesn't really accomplish any of the above, however, and I've never seen any company who does it, with the exception of one company that installs a browser plugin which watches for users typing their corporate password into non-company web sites.

If you're using the laptop at home, on your own time, I don't think most employers will care if you surf a little, check your personal e-mail, watch Netflix, etc. They may or may not care if you surf porn. I think most would rather not know. Outside of that, if it doesn't require changing the security configuration of the laptop, doesn't require installing software and doesn't interfere with productive work, I doubt they're going to care.

Check out the policy carefully, ask questions to make sure you understand it, and then comply with it. But I would be surprised if the policy truly is as draconian as you say.

There's an easy answer...

[slk]

This is what tablets and smartphones are for. Bring your own tablet and/or smartphone, keep the personal surfing personal. Nobody will ask, nobody will care... your iPad is for watching movies on the plane, reading eBooks, random surfing, etc.

Also, having written a few AUPs myself... the exact restrictions tend to be pretty well documented, and driven by security and compliance requirements that your employer would be in trouble for violating. Read the AUP in full and make sure you understand it, ask questions if needed. Those of us who have to help maintain compliance / security would much rather get a few "silly questions" than have to clean up a mess. When in doubt, use a personal device. There's absolutely no excuse not to have one.

And to the employer... think about VDI+BYOD. Move the security back into the server room, let employees use "whatever". Keeping the personal surfing out is a losing battle, no matter what your compliance requirements are.

Two easy steps...

[Shoten]

1, read their acceptable use policy.

2, follow it.

Is your paranoia justified?

[HapSlappy_2222]

In my experience, having a company laptop issued to you is much like having a company car issued to you. Take care of it, don't do anything you're not supposed to with it, and remember it's issued to you to make your job easier, so make sure it does. I can't think of a single thing that you should be doing on a company laptop that you'd need to encrypt or hide from your employer (remember, THEY own the hardware), so a lot of your question is moot.

Stuff like reading an e-book, browsing the web, or customizing it to your specification is probably fine, assuming it doesn't interfere with your actual work. Well, unless your company has specifically told you NOT to do these things, in which case you really should bring a second, personal, laptop (or kindle, or ipad, as others have said) with you. Doing anything you'd be embarrassed to have your boss find out about is simply not a good idea, though. Think of it like it's your work desktop, only portable, and adjust your usage accordingly.

I don't see why this question needs a more complicated answer than this. If you still have questions, ask your boss. None of us on Slashdot are policymakers for your company, and asking us to decide for them is silly.

Don't be so paranoid

[scamper_22]

I'm sure your laptop has monitoring software, but the question is... who is actually looking at the monitoring and do they care?

I have a laptop issued for work. At work I used my desktop, but when I need to remotely work, I used my work laptop.

If you're honest with yourself, chances are you won't get in trouble. Unless you work for a hyper security company. Are you putting in an honest days work at the office? Beyond that, they're giving you a laptop . Just like if they gave you a company car. Some amount of personal use is generally tolerated.

When I'm at home, I use my laptop quite liberally. Some small games, web browsing... are all good.

I don't do anything 'illegal' on it though.

I think you need to relax a little bit. By all means find out what monitoring policies your company has... but if its like 99% of companies, all the data goes into a giant pit no one looks at... until you give them a reason to look at it.

Wow, lots of hate

[aztektum]

Yeah the person is going over board with talk of wiping his laptop and all that noise.

But what is with all the vitriol? He's a "cheap bastard". He has horrid working habits. His life is hollow and he should read a book? How any of that was deduced from one post on /. is beyond me.

My advice, as someone who has written AUP for companies: If your company policy is that ridiculous, you should question working there. Odds are it is not. My guess is if you get your work done they really won't give a rats arse. The laptop is their property, a worker is not. If they cannot accept you checking YouTube or /. while off the clock (including a quick break here and there), they're crazy.

But, should you seriously just want to avoid it: Make a bootable Linux USB drive and encrypt /home

Step One....

[Hasai]

....Try reading the corporate SOP.
Step Two: When in doubt, ask.
Step Three: If the SOP isn't something you can abide by, find another job. Dishonesty WILL ruin your career.

Backup image won't work

[alispguru]

If your IT regime has any sort of remote update system, your backup image will gradually get outdated as IT pushes patches onto the standard one. It will be seriously out-of-date if you ever restore it before returning the machine.

don't play games

[roc97007]

I have re-imaged my laptop issued by the company, granted myself admin rights and stripped off some of the cruft with which company laptops come equipped and installed non-standard software, but I work in IT, and I have access to all the tools and images and am in a better policy position than it sounds like you are. Were I not deep in IT and secure in my position, I would not try it. You are issued a laptop to do a particular job, and that's what it's for. If you just can't make yourself not surf naughty teens websites, get yourself a tablet of your very own and use that.

One possible geeky solution would be to create a virtual instance on your laptop and use that to watch naughty nurses. But even that might not be safe depending on whether there's traffic analysis software on the laptop or just hooks into the browser.

What it comes down to is this: There's a recession on, buddy. Be happy you're employed. Don't screw around with company property.

VMware Player

[Sounder40]

They're not (usually) going to sniff your internet traffic... They'll more likely look at browser history and file contents, and usually in the "normal" places for the usual file extensions. Running an alternate operating system renders the issue moot.

1) Download and install VMware Player
2) Download and install the Linux distro of your choice, with a small disk so it doesn't waste too much space.
3) Enjoy all the surfing you want.

Yeah, you said it was probably locked down, I know. But maybe this is something you can ask about? This is what I do, but I usually carry my own personal laptop.

Alternative 1:
1) Download your favorite distro's "live" CD
2) Boot it up and have a good time.

You should be able to do that at least, right? You can save files/configurations to a stick.

Alternative 2:
1) Download your favorite distro
2) Write it to a stick with LiLi USB Creator (Windows) or one if the million such apps on Linux, such as usb_creator.
3) Boot that up and rock on.

Re:Buy your own

[ribit]

We don't know what the terms or the job are. If you travel a lot with work, having to haul two laptops around may be unreasonable.

Re:

[Albanach]

Perhaps, but lugging around an iPad or similar tablet won't add much. It's also probably a better device for things like reading a book, watching a movie or quickly checking email.

As others have suggested, a live CD/USB distro could be used as an alternative OS if the OP needs more, assuming the laptop can boot from either. He could even boot from a portable hard drive.

Re:

[Kjella]

Try working at a consultancy house, then at times I ended up with three. Their laptop, the client's laptop and my laptop. Still, unless it's the difference between carry-on and checked in luggage I don't see it as a big deal as corporate travel generally meant taking a taxi anyway and the few meters I walk it's on wheels. If you feel a spare notebook is too much to haul around then drop it and spend you time in the hotel's exercise room. Seriously.

Re:Buy your own

[pla]

Buy your own laptop to fuck around with you cheap bastard. The laptop is the property of your employer and if you don't agree to the terms they set then don't work for them.

This is an entirely fair point of view.

To which I would respond, if my employer presented it as an argument, by leaving said laptop at the office 24/7/365. I might take it to (on-site) meetings so I could actually get some work done in the back of the room while the 3rd assistant VP of Buzzword Optimization drones on with a variety of incorrectly-used physics metaphors.

Companies provide people with laptops in the hope that those people will do "free" extra work for the company. In some cases, the use of a laptop for whatever-the-hell-I-want while stuck in a hotel room for four days between conference sessions makes up for that extra work they might occasionally get out of me. If I can't use it for anything but work, I view it as nothing but an albatross to lug around, feed, and check through security. And if it actively tracks me while on my own time - thankyouverymuchbutfuckrightoffnow, 'kay?

Re:

[icebike]

Even if such a policy existed, I'd do everything that was personal use related in the browser, (gmail account, or something similar), and not have the machine remember passwords, and set it to clear the browser cache upon close.

I'd use a different browser for work related stuff.

I'd never install anything on the machine itself for personal use. To hard to remove totally when the company "upgrades" your laptop and re-purposes the old one. (Or should you switch jobs).

Re:

[tepples]

And how many bucks for a laptop bag that holds two laptops? And how many bucks for gym training so that you won't notice a second laptop?

Re:

[cloudmaster]

You might try getting a portable computer made in the last 20 years; they've come down in weight since the switch to LCDs.

Re:

[Geeky]

No. For the most part it doesn't.

http://www.hmrc.gov.uk/manuals/eimanual/eim21613.htm [hmrc.gov.uk]