-3

I'm a software engineer and I use Github for all of my personal/open-source and work related stuff. In my new job, the IT department insists on giving us laptops without full admin access and I suspect they might have some snooper/keylogger installed as well.

Since I will need to have some of my personal stuff from Github installed on my work machine (e.g. dot files, Ansible scripts to setup my local dev environment, etc.), how do I carefully go about it so that I can protect my content from being spied upon? I will also have to enter my password (if not to Github, then to 1Password) and I'm unsure how to go about this...

jqp
  • 19
  • 1
  • 2
  • 2
    Sounds like more of an [security.SE] question than a Workplace question. You need answers from experts in information security, not experts in workplace etiquette & relationships, career development, and similar matters. (But please don't cross post) – ff524 Jul 27 '16 at 07:20
  • I think it has more to do with the Workplace. At least it can be answered from a workplace point of view. – clem steredenn Jul 27 '16 at 07:29
  • 2
    File a support ticket for this. And everything else, constantly. SO question about admin access. – Nathan Jul 27 '16 at 09:49
  • 1
    As to passwords, if you are concerned about keylogging: Don't access 1Password from the work computer. Get a smartphone and use that. Yes, this means you have to actually type passwords on a regular basis, but it keeps your main passphrase off the machine you believe is compromised. – Michael Kohne Jul 27 '16 at 11:51
  • Download a good github client to your phone, then email the specific files you want to your work email address (or use bluetooth file transfer if your work laptop supports that). – Stephan Branczyk Jul 27 '16 at 15:53
  • Don't type the letters to password, copy and paste the letters/numbers with mouse one at a time. And out of order :) – Dan Shaffer Jul 27 '16 at 18:50

5 Answers5

15

I will need to have some of my personal stuff from Github installed on my work machine

First rule of work computers, don't put personal files on them, EVER.

how do I carefully go about it so that I can protect my content from being spied upon?

You are on their computer, if they want to "spy" (monitor what happens on that), in most countries they can (and in some others where they have stated this in your contract). If you are concerned about things they may see you do (even if just because it's personal not embarrassing) then DON'T DO IT ON THEIR COMPUTER.

This applies to everything from personal email to banking and your own dev projects. You could find yourself on a lawsuit from your employer over the rights to your code, so better if it never goes near their computer.

If you really need scripts etc from Github, create a new repository for your company with a new work account (assuming they don't already have one of their own) and import what you need there. You stop them being able to potentially access your own account, and you have something to leave them should you go.

The Wandering Dev Manager
  • 33,609
  • 11
  • 71
  • 119
  • The part about spying is not universally true. There are countries where that is not allowed, e.g. Germany, where it needs to be explicitly part of the work contract that they are allowed to look, and you need to agree to that. We don't know in which country the OP is. – simbabque Jul 27 '16 at 12:34
  • 6
    Whether they can or can't, you don't put personal files on a work computer. You could be unfairly sacked, and the company admin can go rummaging around in your personal folders etc, just say no kids. – The Wandering Dev Manager Jul 27 '16 at 12:39
  • 3
    Eh, this is ridiculous. I specifically said some of my personal stuff and gave examples — dot files and Ansible scripts to setup my local dev environment, not banking stuff and personal projects. Do you really mean to say that I shouldn't use my curated vimrc of 15 years and spend the time re-writing it from scratch? Even if they aren't sensitive, I have no intention to make those public and I don't think that is the only way to do it. – jqp Jul 27 '16 at 13:33
  • 3
    @jqp - 'I have no intention to make those public' yes that is exactly what I mean, keep personal and work things separate and keep personal stuff off work computers, seen too many people get into trouble due to 'innocent' things. If you need the scripts, either do as above or rewrite them. – The Wandering Dev Manager Jul 27 '16 at 13:49
  • 3
    @jqp it would behoove you to take his advice. Once you put personal files on a work computer, they become property of the company. You have no idea what a world of hurt you are opening up for yourself if you ignore it. – Old_Lamplighter Jul 27 '16 at 16:04
8

If you do not use a private paid-for Github repository for that code, it is publicly accessible without logging in with your account. If you licence it accordingly from your personal account you don't have a problem. You can simply download or clone the repo to your work computer and use the tools or settings, as they are then open source. You don't need to be logged in to Github to download stuff just to use it, so the credentials cannot be stolen.

A problem occurs if you want to change one of those repos and push back. There might be the issue that your employment contract says that all the code you write at work belongs to the company. In that case, you should talk to your boss. Simply asking does not hurt.

Hey boss, we are using a lot of open source stuff. If I spot a bug in one of them, am I allowed to fix it and do a pull-request for that open source project during work?

If your boss is aware of what open-source means and that it gives free stuff to the company, he will likely not mind.

simbabque
  • 5,022
  • 1
  • 23
  • 33
  • No, a public repository does not place the contents of that repository into the public domain - it is at best unlicensed and you will need to discuss a license with the repository owner in order to use it. Comments like yours just invite copyright issues further down the line with regard to use of copyrighted but ambiguously licensed code. If it doesn't have a obvious license on it, DO NOT USE IT. You definitely shouldn't assume that its in the public domain! Please clarify this in your answer! The public git repository needs a permissive license contained within it! –  Jul 27 '16 at 10:08
  • @Moo I already say that if the OP owns the code, they can license it the way they want. They can then use it themselves while acting as the company. The part about the not private repository was badly phrased, I agree. I've edited that part to make it more clear. – simbabque Jul 27 '16 at 12:35
  • Even if the content is on a public repository, the OP's credentials may be captured on the work laptop (not his concern about keyloggers) and those are not public. – alroc Jul 27 '16 at 12:37
  • @alroc that's true, but that is not something I am addressing in this answer. My point is that there is no need to use credentials from the work laptop. We are talking about repos the OP owns that they stored on github. That implies that they have another device that they used to create them, and they can also add an appropriate licence to the repo from that device. Another sign that they have another device they consider save is the fact that they wrote this question. Given the careful nature of the question, they would not do that from the work box either. – simbabque Jul 27 '16 at 12:40
  • 1
    @simbabque I didn't have an issue with the owner being able to license it as they see fit, just the "public domain" aspect :) Thanks for editing, it clears up the issue I had - if a GH repo doesn't have a license, don't use the code, it can introduce problems later on down the line if it comes to light. –  Jul 27 '16 at 13:24
2

Set up a new Github account, transfer exactly the code you'll need, and log in with this from the work computer - if the account is hijacked or rummaged, there won't be anything visible that isn't already on the machine.

Or, load the necessary code from an external drive - this avoids any need to log in at all.

  • 1
    Or carry a secure unix-on-a-thumbdrive, and boot into that for your own work. Or just keep personal stuff off work machines, which is the cleanest solution; you can afford your own. – keshlam Jul 27 '16 at 06:58
  • 1
    Regarding hijacking of GitHub account: Keep in mind that they now offer 2-factor-authentication. It's recommended to use something like this, whenever it's available. – Radu Murzea Jul 27 '16 at 07:29
0

"On my (company) computer, which I (the company) have supplied you, I only want you to do my work, with my stuff, and to do it my way, as part of my team."   For eight hours or so, I want you to work only for ... "us."   In exchange for this, I'll pay you money.   Fair enough? ...

Don't put any of "your personal stuff" on there. Don't incorporate any outside material into the work product that you are developing. As a general statement, do everything that you do by consensus, as a team. Don't take it upon yourself to "make a decision."

Likewise, do not be concerned that you don't have administrative access. Don't be concerned if "you are being watched." Companies today have serious and legitimate concerns for security, accountability, and corporate liability. Don't take any of this "personally." So to speak, "it's not about you."

They expressed great confidence and trust in you, by hiring you. Every day, strive to show them what an excellent decision they made. Be:   "the consummate professional."

Mike Robinson
  • 8,111
  • 1
  • 17
  • 27
  • "Don't put any of "your personal stuff" on there." — So should I ask my boss for two weeks to re-write all my dot-rc and shell script files that I've curated over 15 years from scratch? This post is just some 6-sigma management BS. It doesn't answer the question. – jqp Jul 27 '16 at 13:35
  • @jqp It totally answers the question. It just doesn't agree with what you hoped the answer would be. You get paid to do a job, if your employer doesn't want you to be efficient (with your scripts and such), then so be it. You can be as efficient as you like in your personal time on your personal projects. – Masked Man Jul 28 '16 at 16:42
0

As a contractor, I've worked at many different companies, and 3 that I can recall had some form of non-local admin rights on developer machines. (Which IMHO just decreases the productivity of the developers.) The solutions I used at these companies were:

  1. Explained to the manager that I sometimes need local admin privileges, presented my case, and successfully got the policy changed for (certain) developers.
  2. Got IT to add a local admin user to my machine, which I would never use except for the times when I needed local admin privileges.
  3. Got permission to bring my personal laptop and transfer code files back and forth between my work and personal laptop anytime I needed to do something I could only do on a machine with admin privileges.

As for your particular case, I question why you:

suspect they might have some snooper/keylogger installed

That is a pretty strong statement to make. I think it's normal for companies to track website usage, and even track mouse/keyboard usage, specifically for work-from-home employees, but using a keylogger seems like a stretch to me unless you work for a spy organization. That being said, it's certainly possible, and your quickest solution, at least for GitHub seems to be pretty simple, since GitHub offers 2FA.

TTT
  • 101
  • 1
  • As in the other answer, saying that it's normal to track [stuff] is not universally true. In most European countries, that is highly illegal. – simbabque Jul 27 '16 at 19:59
  • @simbabque - can you provide a reference for that statement? This link seems to say otherwise: http://www.worktime.com/european-union-eu-employee-monitoring-laws-what-can-and-cant-employers-do-in-the-workplace/ – TTT Jul 27 '16 at 20:10
  • Your link already says it, with their agreement. That's absent from your answer, and a very valid point. There is a difference between thinking they do it and knowing they do it. In the latter case, you agreed. Your link also explains nicely when keyboard monitoring is allowed. As soon as there is a union or a work council involved, it's going to get really fun for the company. And if it gets public that a company does that, they can loose face quite a bit, as happened e.g. for ALDI with video survailance (German link). But I think this is getting off-topic. – simbabque Jul 27 '16 at 20:25