Question about security when accessing work networks (Onedrive, Exchange) on private computer

Hello everyone,

I have a question regarding the security of accessing my work’s network of OneDrive and Exchange on my private computer. I’m just a hobbyist, not someone with an IT background, although I’ve learned a lot in the past few years. Nonetheless, mostly I just make do with fiddling around by looking at guides that inform me on improving my setup. But in this case, I really want to make sure I’ve not created a security flaw.

The situation is as follows. I have a work laptop with Windows which is using Onedrive and Teams and Outlook and Exchange. Most of my work consists of Outlook, Teams, Word, and browsing. The whole system is locked down, we can’t install anything, even a lot of browser addons are blacklisted and only a few are allowed. We are allowed to access mail, contacts and calendar (via Exchange) on private hardware like phones and computers.

I’ve been using Linux for a few years as my little revolt against Big Tech and it was increasingly bothering me that while I did everything on Linux in my own time, I spent so much time in Windows doing things I could easily do in Linux. The lack of control and privacy also annoyed me. I have in the past looked at adding Onedrive like I’ve added my Nextcloud, but that seemed like a hassle back then: either paid options, or “complicated” terminal tools. Onedrive was the major issue, since I lacked a syncing tool for my documents if that didn’t work on Linux.

However, when I looked again this week, I stumbled upon Onedrive by Abraunegg and was up for a little challenge. I usually limit myself to GUI stuff, but have done some stuff in the terminal now and then. I managed to get it all up and running and it works like a charm.

So I created a new user on my private laptop, to limit work apps. Installed the Onedrive client, Teams, added my mail to Evolution, Thunderbird and Geary (but found it impossible, or at least I didn’t see how, to see my colleagues’ calendars to make appointments) so I made Outlook with Nativefier. And in this current setup I can do about 95% of my work in Linux.

But then I started to wonder. Am I being a security risk with this setup for our company? Since Exchange is already allowed and easy to set up and the Onedrive client is working via the API in https, I thought I should be fine. But still I wanted to make sure.

I’m very curious what you guys think!

1 Like

If your company runs Windows on its machines, then they are a greater security risk to you and to all of their customers than you are to them. :grin:

4 Likes

Haha that is a great reply. I’ll keep that in mind!

So essentially my worries are twofold. One: that I might be producing some weird traffic for someone monitoring and then contacting me about this. Two: I’m currently rewatching Mr. Robot and they make it seem like one could easily crawl the internet to find some sort of backdoor and enter it to exploit it. Yes, I know it’s fiction, but it would be stupid and tragic if that happened and I’m not entirely sure something like that isn’t possible in my setup. So in case One happens and they worry about Two, I want to be able to have a good reply.

No, not normally. In fact, it’s probably Windows that causes most of the weird traffic, considering it phones home all the time.

Nothing is ever without flaws, but GNU/Linux is significantly more secure than Microsoft Windows.

Okay, listen, I’ll give you a couple of examples regarding the accuracy of the Hollywood presentation of computers and security…

There used to be a series on TV called “JAG”, a crime series centered around a couple of US Navy officers. The female officer was a computer expert.

Now, in one of those episodes, they were investigating the murder of a female military officer who shared her apartment with a roommate. At some point, they found a desktop computer that was shared between the deceased woman and her roommate, and when switching on the computer, the female officer sighed and said “Windows 95…”, as if she was badly disappointed by the login prompt on the screen.

It took her quite a while to break into the system, but being the computer buff she was, she eventually managed.

Personally, I would have just pressed Esc at the login screen, because it was bogus ─ Windows 98 had a similar login screen ─ and she would then have been able to peruse each and every file on the computer, given that Windows 95 (and its successors 98 and ME) ran on top of DOS and had no support for permissions, security or genuine multi-user access. :stuck_out_tongue_closed_eyes:

Here’s another couple of neat ones…

  • The l33t }-{4x0rs depicted in Hollywood movies and series never use the mouse. They also never use the space bar, nor the Enter key. And yet you see little windows popping up on the screen left and right.

  • Disabling a rogue AI running on a mainframe is very easy, even if it’s an extraterrestrial computer. You write a 100% bug-free computer virus ─ which only takes you a couple of minutes ─ on an MS-DOS or Windows PC, and then you store that on a floppy disk, and you take it to the mainframe. You then insert the floppy disk into the mainframe’s floppy drive ─ because mainframes have floppy drives, you know? :stuck_out_tongue: ─ and that’s it. Just inserting the floppy into the drive will contaminate the mainframe with the virus and bring its operating system to its knees.

Must be true, because they showed it on TV! :rofl:

The only thing I actually found cool in that regard was that in one particular episode of “Stargate: Atlantis”, the character known as Dr. Elizabeth Weir was paging through a report on a laptop, and every time she turned a page, the picture on the screen rotated to the right like the pages were each on the side of a 3D cube.

This effect was in fact the cube effect of the then popular Compiz window manager on GNU/Linux. Albeit that I can’t imagine that anyone would use the cube effect for paging through a report ─ it’s a way to map virtual desktops onto the sides of a spinning 3D cube. And that’s why I liked it, because at least it told me that the laptop was running GNU/Linux, in a time when Microsoft was still spending a lot of money and media attention on their “I Hate Linux” campaign.

:wink:

2 Likes

Haha that’s a cool and extensive reply that was fun to read. You do make a great point though, and I agree. Although I do think Mr Robot is an exception to an extent. They really show him working on Kali Linux and the real code is shown. Some of my friends in IT said it was very realistically done, for fiction. And there are some articles on this as well (Why USA Network’s ‘Mr. Robot’ Is The Most Realistic Depiction Of Hacking On Television). “‘Mr. Robot’ is the most accurate portrayal of security and hacking culture ever to grace the screen,” a member of Anonymous told International Business Times in a webchat.

On topic again, then. There have of course been real vulnerabilities like Meltdown and Spectre and recently the worldwide ‘PrintNightmare’ caused by a print spooler vulnerability. With such vulnerabilities in mind, it isn’t that weird to be wondering whether there might be some sort of tiny opening in a seemingly random unofficial tool found on Github, right?

Which is why you should stick to software from the official Manjaro repositories. :smiley:

And when it comes to the AUR, practise caution! :wink:

Great. Thanks for your extensive replies. But to be sure: no such tool is in the official Manjaro repositories, right?

For future reference: I just stumbled upon Onedriver, which is a little more intuitive and less ‘scary’ since it has a graphical interface. Should anyone be looking for a similar solution, that might also be worth checking out.

If you mean malware, then indeed, there is no malware in the Manjaro repositories. The software in the repositories was either developed by the Manjaro developers themselves, built from sources by the Manjaro developers, directly imported from Arch, directly made available by Manjaro’s partners ─ such as SoftMaker ─ or obtained from the official websites.

Haha no, I meant a tool to either access or sync Onedrive. To not have to fall back to the AUR in this specific case.

No, none that I can see. :man_shrugging:

Before you connect your own PC to access anything company-related, you should ask about the IT/security policy. If you do not follow the IT/security policy, you could be seen as a risk and that could put your job at risk if you use something other than what is in the policy.

For example, if employees are permitted to use only company computers to join any network or service that connects to company accounts, then using your own computer is a violation.
If the policy states to only use Windows PCs with particular anti-virus and firewall, and you use a non-Windows machine with no anti-virus, you are violating the policy.

3 Likes

Well, that is good advice, thanks!

1 Like

Your company gave you a laptop for a reason (assuming that’s what you mean by a work laptop), and it was probably so you didn’t use your own to circumvent the company’s IT/security requirements. Just use the laptop provided to you for work stuff. The computer may be locked down because it is for work purposes only and has everything you need installed for work.

It’s not worth losing your job over. Violating the IP/security policy could be regarded as gross misconduct.

2 Likes

Linux is by design a secure environment - no doubt about that.

I have a minor Nebengeschäft maintaining an old business application and let me provide some history here.

The application has grown more and more difficult to maintain due to Windows system updates and the ever increasing protection of end-users from bad habits. The Windows ransomware protection is a major PIA and creates major obstacles because the application creates PDF files and stores them in the user’s local documents folder.

With the amassing promotion of Onedrive this gets worse every day as every Windows update aggressively blocks the application.

I am frequently asked to prepare Windows laptops - cheap €400 laptops - and my horror is Windows S because I have to reinstall the system and after that - luckily Ctrl+Shift+F3 can get me into sysprep and from there I can run some decrappifying scripts - and remove everything - even Windows Store - so I can control the environment.

Even then company employees manage to create problems - so I will reiterate what has been stated

Never go outside company IT policy if they provided a laptop for work - use it for work.

Never mix your private environment with company files - always keep it separate - company files are not intended to leave company hardware or network - unless of course it is part of correspondence using company computers and network.

4 Likes

Right, those are clear answers. I’ve in the meantime asked our information security officer regarding our policy of the access to our Microsoft accounts on our private hardware. As I stated, our intranet is clear on the use of mail/agenda/contacts on private hardware, which is allowed.

I would like to point out that both your replies assume that we’ve been given a laptop for work due to IT policies. However, it could also be to provide us with a certain standard of hardware or even because of mental health aspects, like being able to separate work and private time, etc… That’s not to downplay the importance of your advice and warnings.

It was a good idea to just ask about this. Which I’ve done. I’ll post an update once I get a reply.