Comment by bri3d

6 hours ago

Here's the actual "roadmap" feature (scroll to the bottom where the filtered list is):

https://www.microsoft.com/en-us/microsoft-365/roadmap?search...

The actual feature brief is:

"When users connect to their organization's Wi-Fi, Teams will soon be able to automatically update their work location to reflect the building they're working from. This feature will be off by default. Tenant admins will decide whether to enable it and require end-users to opt-in."

Yuck.

Working on the systems/security/infrastructure side, we can already do this. Endpoint management systems already report Wi-Fi SSID, internal IP, and whether you are using a VPN to try and hide info. SASE/ZTNA solutions provide location data, username, device used, connection details. Conditional access policies in the tenant already do checks against all of this anyway.

The roadmap just makes the whole thing user-facing so there's a status in Teams of where you currently are. But IT knew all along. And if IT didn't have tools deployed to get this info already, count yourself lucky to work at an immature org security-wise.

  • Yeah, it's mostly just a weird feature in terms of ick-factor vs. utility.

    I will say that "IT knows where I am" and "my manager / manager's manager / whatever sees where I am on Teams" would represent two very different personal annoyance levels at most companies I've worked at; at most places I've worked, getting someone's location through IT required them to be doing something questionable or illegal (i.e. working from an unapproved country) or breaking some obnoxious return-to-office policy, not just "hey is Bob out to lunch again or is he over in Building 6 so I can drive-by him with some questions real quick".

  • People should look up what features "Carbon Black" has; it's extremely frequently deployed (cb.exe in Task Manager) and can (according to their own marketing) provide managers with live feeds of your desktop... So yeah...

  • Mmhmm. Yeah, if someone really had the desire they could figure out my online presence and possibly even get a rough idea of what I'm actually doing with my time. Always something you could figure out from an IT network; it's just about putting the history together.

    But I'll agree that Teams is packaging this information into something more digestible for middle managers, and that's the rub. There are always manager types who have the epiphany that not everyone is working 100% of the time and it bothers them enough to call it out to subordinates, or if they don't like someone enough they might do a deep dive with IT. Teams already has this indicator to show if you're online, on mobile, in a meeting, AFK, or offline entirely. It's not that the information wasn't there; it's just much more front-and-center for managers to be annoying about it.

  • > Working on the systems/security/infrastructure side, we can already do this

    IT having the information for security is one thing.

    In the hands of power-hungry lower middle managers, it becomes a weapon.

    • I think that's the difference.

      First security job I had, the CISO had already declared that enforcing "no Youtube, porn, whatever" at work was a managerial problem and not a security problem [0]. And when management needed data from computers about an employee, they had to go through security -- they couldn't just fish around on their own. HR was involved, there was a paper trail, and requests were scope limited.

      There are companies that do incredibly invasive employee monitoring, but those dystopias don't use EDR or whatever. They use some other vendor's spyware to replace management with creeping.

      For some reason I'm reminded of the chains or cables used to keep operator hands (Posson's pull-backs) from being crushed in a press brake.

      [0] The malware, etc that can come from those sites was a security problem -- but checking if creepy Bob was looking at boobs on company equipment or even just wasting time had nothing to do with infosec.

    • In my experience the most common use of this data is to build a case for firing someone for cause when upper management wants them out. It's rarely used for actual security purposes.

I was wondering if there was more Microsoft has said/used to say about this feature, because it leaves a gap between "connect to your organization's Wi-Fi" and "will show you're connected to Starbucks/Home and what that SSID is".

I followed several articles and the tree I found seems to end with this Neowin article https://www.neowin.net/news/microsoft-delays-controversial-l... but it doesn't actually clear up the sourcing. I.e. the quote in the article is the same roadmap item, yet the article talks directly to that as if it's the home SSID which will be put into Teams; where is that information in the quote it's describing? I'm not sure if they just didn't source that bit or if it's plain confusion about whether it's really limited to "connecting to your organization's Wi-Fi" which is then being picked up as a hot story.

  • Yeah, I couldn't find any sources that weren't rage-bait either.

    Honestly, to me the feature seems so incredibly low-functionality that I'm surprised they're pushing it forward after all of the controversy it's generated. Like, sure, it might be nice to see if someone was out to lunch or in Building 17 or whatever without needing to message them, but at the cost of the whole "teams is spying on you" narrative and yuck-factor it pushes, I'm surprised they haven't pushed harder on either clarifying the functionality or just pulling it.

    • I think I agree. Of all things MS does, this is relatively small potatoes. It's a soft creep, but also a gentle reminder that I need to somehow get out of my position, do WFH where I control my environment better (likely my own business), or try to convince bosses that we should move away from Windows (as impossible a sell now as it ever was).

    • Hell, if you're using Teams PSTN calling, your location has to be pulled in by Teams for E911 compliance anyways, down to the building. It updates automatically already, even!

  • Is the answer to buy a travel router and give it the same SSID as another network, either work or home? Or is this doing something more sophisticated than SSID snooping?

    • More on this here https://news.ycombinator.com/item?id=46827756 but the short of it is where is this talk of SSIDs even originating and, if it is really the approach, how does it work right at all?

      That aside, if it is SSIDs it's dead simple to fake. If it's BSSIDs it's a little more difficult and not every AP may expose a way to spoof it (but it's not too difficult to find ones which will).

    • Nobody knows, as far as I can tell; I haven't found any actual sources and I don't think the code is present in a public release anywhere for anyone to look at. I'm assuming it must work off of MAC at a minimum, since most offices have the same SSID across buildings. It doesn't really seem "designed" as a spyware/audit feature, since it would be a terrible flimsy one, but it also just doesn't seem that useful compared to the "yuck" factor it generates and the potential for abuse by crappy employers/managers.

This feels like a much better feature than “they can track your realtime location from the mobile app” as implied in the article? Plus employees will have to opt in?

The tracking is still gross, but limited to opt-in on office Wi-Fi seems a lot less dramatic of a headline, especially given the main concern people have is work from home.

  • > Plus employees will have to opt in?

    If a company policy says you have to opt in, not opting in means you're breaching the policy and might get fired. Entirely legal in at-will employment places, but potentially not in places with better worker protections.

    Saying that, I just got an announcement from my employer that they will not be turning it on for now.

  • They can already do… pretty much any organization uses a VPN or “ZTNA” to provide access to resources so they know where you are.

  • > Plus employees will have to opt in?

    I mean, that's not really how "opt-in" works for features that your company owns; you might have to "opt-in" technically but your company will probably make that a little more mandatory.

    I do agree that the blog post, headline, and HN comments are as usual quite an overreaction, but this feature is pretty gross. It's also weird because the controversy/grossness-to-utility ratio seems awful, which either means that Microsoft product management has gotten as bad as everyone thinks it has or there's some future plan to make it more "robust."

    • My concern is if the employee is aware, at least let me quit before I’m silently opted into my boss realizing I can get the same work done with less time at the desk from home

>If you decide to take a "working lunch" and connect to "Starbucks_Guest_WiFi", your boss sees it instantly

Can't you just rename your home Wi-Fi SSID to be whatever your work Wi-Fi is called?

  • The roadmap description is not really specific enough to either back up what the article is saying or describe if this approach would/wouldn't do anything, so I'm wondering the same kinds of things.

    If I were to try to implement the given task description, I'd start with assuming this would need to be "Enterprise gives an export of BSSIDs and locations, Teams uses that table to set the location when you connect to your organization's AP". I'm not even sure how else to make this really work right.

    If it really is SSID based, the feature would be relatively useless for most organizations even before discussing trying to spoof it. E.g. the last place I worked had ~3,500 physical addresses with APs (and many more individual buildings/"office" names), all with the same "Corp_Name_Employee" SSID because otherwise it's way more work to have unique SSIDs. So how would this feature even do what it's supposed to do based on SSID?

    • > If it really is SSID based, the feature would be relatively useless for most organizations even before discussing trying to spoof it. E.g. the last place I worked had ~3,500 physical addresses with APs (and many more individual buildings/"office" names), all with the same "Corp_Name_Employee" SSID because otherwise it's way more work to have unique SSIDs. So how would this feature even do what it's supposed to do based on SSID?

      Maybe the enterprise exports a table of AP MAC addresses, mapped to locations. It could be the SSID stuff is just a way to spy on what non-office location you were at.

  • Travel router: use that to connect to the "host" Wi-Fi/network, and only ever connect your device through the travel router... it will always show the same network, no?

    (Or phone tether, if you have a good data plan)

  • Or Ethernet? I keep the Wi-Fi on my work PCs disabled, connect via Ethernet, and put them in a VLAN with only the network connectivity they need for me to work.

That's OK. If my work cared enough about whether I was online or at my desk at any specific moment, they'd have complained already. I have Teams quit completely half the time. I get my work done, my performance reviews are good, I turn up to meetings on time; that's all that should ever matter.

Also if they cared so much about where I was to punish me for it, I’d quit that company. The only companies I will work for are ones that treat me like an adult, it’s fairly simple.

Should be restricted to only "in office" vs "not in office", with no showing of the Wi-Fi name. Also, the lack of wired network support seems odd.

  • IMO that's probably how the feature will work, I haven't seen any actual non-speculation/rage bait evidence to the contrary.

    • Yeah, it's used to list where your coworkers might be; it's a part of Microsoft Places, which is like a hotdesk thing. People have an insane response to this, and yet I assume they use their company-provided laptop every day.

I guess we need to use some VNC or so to connect to the machine that runs MS Teams, which sits at the correct workplace. But we also need to be able to accept and make calls. I am guessing, even if that data could also be sent via some protocol, the delay might be a lot?

It is sometimes required to know where the user is sitting due to cross-border data transfer laws. It seems that Microsoft is making it easier to implement such requirements.

> automatically update their work location to reflect the building they're working from.

So, either this minimal description is A: an attempt to mask the feature's true purpose of dystopian pocket spying under an innocent-sounding cover, or B: negligently deploying a technical capability with far-reaching consequences without proper diligence or care.

Even if the goal was to enable a pocket panopticon for middle manager spying on WFH staff, in less than 10 seconds I came up with a list of other negative impacts and threat vectors which should freak out any large org's corporate security, legal, compliance and HR teams.

* Like lower level employees not in the 'shielded compartment' seeing that {M&A exec} is currently on {potential acquisition target company's} guest wifi. This kind of accidental location knowledge leak has actually happened between MSFT and Google via a freak analog coincidence and it changed the course of a huge acquisition. This feature makes that accident 1000x more likely.

* Or an employee sues for being dismissed and their lawyer proves through discovery that a manager could have seen they were connected to the wifi of a competitor they might have been interviewing with or an abortion clinic or gay bar, etc.

* Or as part of a harassment claim an employee says the company's required app showed them the phrase "Big Titz Rule!!!" because it was the name of a wifi network another employee was connected to.

Just having an opt-out or hours limit is woefully inadequate. Even if those should prevent senior execs' and M&A teams' locations being accidentally visible to employees not in a trust circle (or worse, contractors, vendors or customers looped into a Teams group), it STILL creates huge new threat surfaces. At a minimum the 'feature' needs ways to limit it to only show Wi-Fi network names: A. On an approved list, B. Matching a regex pattern, C. Limited within a list of IP sub-domains, etc. And at many companies, as part of compliance, all those Wi-Fi network names will need to be passed through the "problematic words" list maintained by the HR and security teams (and in many companies hits on those lists trigger auto-reports which will now create discoverable "evidence" in any future lawsuit keyword search).

The unintended-but-foreseeable consequences stretch for miles. And this isn't the MSFT Office/Teams group's first self-inflicted trip to this rodeo. I just don't understand how they keep repeating the Same. Obvious. Mistakes.
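The two design points raised in this thread, a BSSID-to-building table exported by the org (the guess a few comments above) and a display layer that only ever shows approved location names rather than raw network names (the mitigation list just above), are sketched below as an added example. This is illustrative code written for this discussion, not Microsoft's or Teams' implementation; the AP table, the `Corp_Name_` SSID pattern and all BSSIDs are constructed sample data.

```python
import re
from typing import Optional

# Constructed sample of what an org might export: AP BSSIDs mapped to the
# building each AP is installed in. Many APs share one building, and all
# buildings share one SSID, which is why the SSID alone cannot place a user.
ORG_AP_TABLE = {
    "00:11:22:33:44:01": "Building 6",
    "00:11:22:33:44:02": "Building 6",
    "00:11:22:33:55:01": "Building 17",
}

# Hypothetical allowlist (option B above): only org-operated SSIDs are even
# considered, and nothing matched here is ever shown to other users.
ORG_SSID_PATTERN = re.compile(r"^Corp_Name_Employee$")


def normalize_bssid(bssid: str) -> str:
    """Canonicalise a BSSID so lookups aren't defeated by case or separators."""
    digits = re.sub(r"[^0-9a-fA-F]", "", bssid)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit BSSID: {bssid!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def resolve_work_location(ssid: Optional[str], bssid: Optional[str],
                          user_opted_in: bool) -> str:
    """Return the only strings a presence feature should ever publish.

    Outcomes are limited to a building name taken from the org's own table or
    a coarse fallback. Third-party network names (coffee shops, home routers,
    anything offensive) never reach the status field, so the leak and
    harassment scenarios described above cannot arise from this layer.
    """
    if not user_opted_in or ssid is None or bssid is None:
        return "Location not shared"
    # The SSID match is only a pre-filter. A renamed home router carries the
    # org SSID but not an org BSSID, so the table lookup is what decides.
    if ORG_SSID_PATTERN.match(ssid):
        building = ORG_AP_TABLE.get(normalize_bssid(bssid))
        if building is not None:
            return f"In office: {building}"
    return "Not in office"
```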

Our building security system updates something somewhere which ties into email. When we have incidents such as "the lifts are broken" or "the south exit is closed" or whatever, these get emailed to all staff that have been in the building in the last so many hours (16 I'd assume). It's a handy system.

Ultimately, if you are at the type of company which practices presenteeism, then the technology used is immaterial.

Fucking hell. Living in Teams is bad enough without this. It’s only a tiny part of my job, but if it was a major part I’m not sure I could stomach that.