Comment by ChrisMarshallNY

9 days ago

> This project was born out of a desire to help a friend who couldn't use his favorite Bluetooth mouse and keyboard due to Bluetooth being disabled on his work laptop.

Protip: If their company's IT section is like the one at my old company, they are quite unlikely to like this solution, either.

But it's very clever. Kudos.

IT departments that are too restrictive will soon find that people have a parallel world executing in Excel sheets and using some external messaging app to keep the company operations running despite IT efforts to ensure it doesn't - I mean to ensure it is "secure"...

  • > "to keep the company operations running despite IT efforts to ensure it doesn't"

    Love this!

  • My CTO is quite adamant that he hates shadow IT. Especially those with Macs, full of... well, software used by those artsy employees. Or with strange software not validated by IT.

    Well.

    Other departments ask for equipment, but only hear no back. A management product like Monday? No. A dedicated solution for jobs they don't understand? Hell no!

    It's tough to be part of this. I know security is hard. Budget limit stuff. But we can, and should do better.

    • My company is the same, but it's not necessarily about it being "hard." It's about not hiring the right people.

      My company's IT department is Windows clickops people who hire other Windows clickops people. When something goes wrong that requires the command line, they spend five figures on a consultant to fix it. Ditto for the few dozen Linux machines in the company.

      Some of our departments, including mine, run Macs. I can't count the number of times I've had someone from IT tell me "OK, now click 'Start'…" or whatever the Windows convention is these days.

      All they'd have to do is hire one guy who knows the command line, and one guy who knows how to support Macs. There must be a hundred people in the IT department, but they keep hiring the same type of people over and over.

      I wish it was unique to my company, but there was an identical situation where I worked a few years ago.

    • As someone who has worked in IT support: The problem is that people using that shadow IT will come running when they produce real tangible damage, because they lose data or some totally ridiculous workflow stops working and you now have to reverse engineer some undocumented database format to extract at least the most urgent data. I am not a fan of IT GESTAPO, and everything should be measured, but if I learned one thing it is that people will do the dumbest, riskiest shit if left to their own devices.

      Also: if you work with certain customer data, a good way to not only lose your job, but a ton of money, would be to e.g. put that data into your shadow IT that might be running on some servers somewhere. E.g. people constantly asked us to use Zoom "because it is free and works", but we were in the public sector and a contract with them that guaranteed the privacy of our clients would have cost a significant fraction of our yearly IT budget — and we are required by law to have such a contract.

      When you then ask those people if they want to part with that money suddenly nobody is so adamant anymore.

      1 reply →

    • We wrote optimized C++ software.

      We had all kinds of scary tech, like custom-compiled metrics software from Intel.

      They insisted that all of our machines run their malwa- er, security software.

      It would totally screw up our measurements.

Thank you for sharing your thoughts, I had thought about this as well but came to the conclusion that from the company's perspective, this is no different than connecting a random keyboard bought from Amazon, what do you think?

Another thought around this is that I don't even think there's anything intrinsically insecure about BT as an attack vector but most likely some old policy based on security issues that existed in the early days of Bluetooth. Or at least I don't know of any, but I'm no expert in this so I would love to hear other people's insights here.

  • Secure Bluetooth requires manufacturers to get the cryptography right. Even big brands like Logitech have gotten that wrong in recent memory, allowing attackers both to decrypt what you type [1] and to inject keystrokes [2]. And these are long-lived devices; even if vulnerabilities get patched in newer devices, there are still plenty of 5 year old or older mice and keyboards with outdated firmware floating around. Not to mention the possibility of 0-days known to your attacker.

    Wired connections are inherently more difficult to attack. In security critical applications banning bluetooth is perfectly reasonable.

    [1] https://www.youtube.com/watch?v=GRJ7i2J_Y80

    [2] https://www.youtube.com/watch?v=EksyCO0DzYs

    • Same with keyboards and mice which use insecure USB radio receivers. This company policy doesn't really prevent that.

      The best way to correctly fight shadow IT is to provide equipment and services so good nobody would even care about using something else.

      3 replies →

  • In my experience, the IT section didn't trust anything they didn't approve themselves. They certainly wouldn't allow us to buy any random device from Amazon.

    It sucked. Big time, but they had the clout.

    • In my experience, I just never asked for permission when I was going to work around an annoying policy. I think while the company IT department will not love you, as long as you don't show up in one of their dashboards, it's pretty unlikely they will care. For years. Even if someone does bug you, I doubt it will amount to much other than being forced to adhere to the policy. As long as you ensure it doesn't look too much like you did it on purpose. (I would at least recommend a nice case for the device and picking innocuous USB IDs. Might be able to make it seem like a reasonable looking product, like a normal wireless keyboard receiver.)

      Remote work at startups has largely removed my need for this kind of behavior. Now I'm mostly just mad that I can't always run Linux at work anymore.

      1 reply →

    • The irony of it is that these types love to then support software and hardware that is full of vulnerabilities. "Oh, our management software/SSL-VPN has just been pwned for the sixth time in two years? Well at least the vendor has a fix and the security team can deal with the problem!" or "well our infrastructure is so poorly managed that a single Bluetooth device could, in fact, take over the whole company!"

No, it's just a USB device at that point. Unless they are against USB mice and keyboards, it's fine.

  • It's a USB device that types stuff sent through the air into the computer. For example, if the BT keyboard is vulnerable, you just opened a door for an attacker to remotely type things into the company laptop. I don't think it has the same risk profile as a wired keyboard.

  • Our IT would not allow any USB that wasn't purchased through them to be connected to the machine.

    This was especially true for memory sticks, but keyboards, and even bus-powered things like fans (or nerf turrets) would get banned.

    They had the power to get you fired, if you crossed them.

    They did not like my team, because we were the only ones in the building that knew what bullshitters they were.
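The "only IT-purchased USB devices" policy discussed above is usually enforced in practice as an allowlist of vendor:product IDs. Below is an added example (my own code, not from the project or any commenter) of how such a check looks from the defender's side: it parses `lsusb`-style lines and reports anything not on the approved list. The sample output and the allowlist are constructed for this example; the `abcd:0001` bridge entry is a hypothetical ID, while `1d6b:0002`/`1d6b:0003` (Linux root hubs) and `046d:c52b` (Logitech Unifying receiver) are real IDs used only as illustration.

```python
"""Allowlist check for attached USB devices (defender-side example).

Reads lsusb-style lines and flags devices whose vendor:product ID is not on
an approved list. Both the sample output and the allowlist below are
constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format `lsusb` prints on Linux (not a real capture).
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 004: ID abcd:0001 Hypothetical BT-to-USB HID bridge
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
"""

# Hypothetical allowlist: IDs of IT-issued hardware plus the host's own root hubs.
APPROVED_IDS = {"1d6b:0002", "1d6b:0003"}

LINE_RE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}):([0-9a-f]{4}) ?(.*)$"
)


@dataclass(frozen=True)
class UsbDevice:
    bus: int
    device: int
    vendor_id: str
    product_id: str
    description: str

    @property
    def usb_id(self) -> str:
        return f"{self.vendor_id}:{self.product_id}"


def parse_lsusb(text: str) -> list[UsbDevice]:
    """Parse lsusb output; lines that do not match the expected shape are skipped."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        bus, dev, vid, pid, desc = m.groups()
        devices.append(UsbDevice(int(bus), int(dev), vid, pid, desc.strip()))
    return devices


def find_unapproved(devices: list[UsbDevice], approved: set[str]) -> list[UsbDevice]:
    """Return devices whose vendor:product ID is not on the allowlist."""
    return [d for d in devices if d.usb_id not in approved]


def report(text: str, approved: set[str]) -> list[str]:
    """One human-readable line per unapproved device, for a log or ticket."""
    return [
        f"bus {d.bus:03d} dev {d.device:03d}: {d.usb_id} ({d.description}) not on allowlist"
        for d in find_unapproved(parse_lsusb(text), approved)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LSUSB, APPROVED_IDS):
        print(line)
```

The caveat that makes this a hygiene control rather than authentication: the vendor and product IDs are reported by the device itself, so an allowlist keyed on them only surfaces the unexpected; it cannot prove a device is what it claims to be. Pairing the check with a host-level policy on which USB device classes (HID, mass storage) may attach at all is what actually limits what an unknown device can do.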

The clever IT department will put hot glue in all USB ports.

  • 99% IPA will make it removable easily without dissolving it and will not damage any of the electronics.