staying secret online at work

A couple of weeks ago I wrote a quick post about Staying Safe and Secret Online at Work in which I talked about TOR. In addition to keeping your browsing secret I pointed out a very legitimate work-related function I have for TOR:

TOR is also useful to me for my work. Because I work in the web department and our IT department has a lockdown on the web servers that we use, it’s a tremendous pain to try to get them to set up anything out of the ordinary scope. So a few weeks ago, my bosses bought their own commercial hosting to use as our playground. The problem was that they couldn’t even log in to our new hosting control panel because the corporate firewall blocked it. I told them about TOR and we got around that obstacle.

This morning my supervisor asked me if I’d gotten any emails from IT about TOR. I said I hadn’t. He said we weren’t allowed to use it anymore. I replied ironically, “I’m shocked.”

A few things:
1) I never assumed we were “allowed” to use it. I wasn’t going to call up IT and say, “Hey, I know a way around your pain-in-the-ass corporate firewall. Is that cool?”

2) How did they discover we were using it? My guess: human intelligence. I had really debated whether to tell my superiors how to get around the firewall in order to use our third-party web server. Now I know I shouldn’t have.

2a) The real kick in the pants is that we’ve never used our own web server even after I got us access to it. Corporate bureaucracy is corporate bureaucracy. My superiors would rather go through all the legit, nonsense channels than upset the status quo and use a non-corporate web server to accomplish our tasks faster and easier.

3) I’m using TOR right now. Short of them uninstalling it and then locking my PC down so I can’t install my own programs, I don’t know how they can block it. There probably is a way. But they obviously haven’t found it yet.

4) Bottom line, while TOR may keep you secret, the fact that you’re running it may not be a secret. So use wisely.

UPDATE: My supervisor showed me the email from IT. They didn’t mention TOR. They only noticed that a few of us had installed Privoxy, which is packaged with TOR. At least, that’s all they say they’ve noticed. As I pointed out before, you should probably assume IT knows everything you do on your computer all the time. But at least I got a little clarity on what exactly seems suspicious to them. They didn’t say, “your employees are visiting forbidden sites,” only “we see you’ve installed a program that might possibly be used maliciously.”

Still, I keep learning that “dynamic” web team or not, we’re still super corporate and there’s no point in telling my superiors about anything “hacky” even when it improves our work. They won’t take advantage of it anyway.