Management Caught Monitoring Employee Info With Concerns

[DEVELOPING STORY]
Exist Global Inc., Pasig City, PHILIPPINES — Reports have been confirmed here of management being found responsible for the indiscriminate monitoring of its employees’ activities. The management had been keeping track of varied and sensitive employee data on a regular basis, and had done so without regard to privacy.

An insider, who wishes to be concealed under the name “Boy Bakal”, has informed us that the management uses a mix of tools to perform this devious operation. He admits to being deeply involved in the scheme and describes the process below.

Management extensions are used together with programming to aspects, and the Spring framework is used to bind them all, he says. “JMX is a technology that provides tools for managing and monitoring applications and systems,” the informant expounded. “We are looking at the indiscriminate way that this management has used MBeans, MBeanServers, and agents to get at all that data,” he adds. “By taking advantage of our cross-cutting concerns, the management is able to monitor when we eat, when we go to the bathroom, who we make friends with… it’s terrible!”

Boy Bakal then proceeds to explain in detail how the covert scheme was perpetrated. We present a condensed version of his account:

JMX is used in conjunction with the AOP facilities in Spring and hooked up to the employee information application. The application serves the welfare of the employees and fulfills the contract described below:


public interface EmployeeWellBeingService {
    public Food[] giveSustenance( Employee employee, MealType mealType );
    public void relieve( Employee employee );
    public void addFriend( Employee employee, Employee friend );
}

The definition of the big brother MBean interface that corrupted this well-meaning service was deduced to be as follows:


public interface EmployeeBigBrotherMBean {
    public void initiateEmployeeMealAction();
    public void initiateEmployeeRelievingAction();
    public void initiateEmployeeSocialzingAction();
}

An MBean is simply a Java class that follows specific rules as determined by the JMX specification. Instances of MBeans are responsible for exposing management interfaces for tampering with and accessing our employee information. Bits and pieces of the class definition for the employee big brother MBean were smuggled out of Exist Global’s maximum security servers at high risk, and are shown here for the first time ever:


@ManagedResource( objectName="exist.bigbrother:name=EmployeeBigBrother" ) // [1]
@Aspect // [2]
public class EmployeeBigBrother implements EmployeeBigBrotherMBean {

    @Around(argNames="employee,mealType", value="bigBrotherWatchMeal(employee,mealType)") // [3]
    public Object recordEmployeeEating( ProceedingJoinPoint pjp, Employee employee, MealType mealType )
            throws Throwable { // [4] proceed() can rethrow whatever the target method throws

        StopWatch stopWatch = new StopWatch();
        stopWatch.start();

        Object result = pjp.proceed( pjp.getArgs() ); // [5]

        stopWatch.stop();

        long eatingTime = stopWatch.getTime();

        logEmployeeMeal( employee, mealType, (Food[]) result, eatingTime,
                Calendar.getInstance().getTime() ); // [6]

        return result;
    }

    ... public void recordEmployeeRelieving() { ... } // [7]

    ... public void recordEmployeeSocializing() { ... }

    @Pointcut( "execution(* com.exist.service.EmployeeWellBeingService.*(..)) && "+
            "args(employee,mealType)")
    public void bigBrotherWatchMeal( Employee employee, MealType mealType ) { } // [8]

    @ManagedOperation // [9]
    public void initiateEmployeeMealAction() {
        PerformanceMonitor.spikeEmployeeFood( DataBank.getAllEmployeeMeals().getAllDrinks(), Enhancers.RED_BULL ); // [10]
    }

    @ManagedOperation
    public void initiateEmployeeRelievingAction() { ... }

    @ManagedOperation
    public void initiateEmployeeSocialzingAction() { ... }

    ...
}

[1,2] The big brother is defined to be a managed resource in JMX and goes into a lifecycle suitable for MBeans. It is also declared as an aspect. The annotations are detected and handled by the Spring framework.
[3,4] This devious method is an around aspect, meaning that it intercepts the sensitive employee service both before and after execution of its methods.
[5] A stopwatch is used to record how long the employee takes to finish his or her meal. Devious indeed!
[6] All monitoring data are gathered and recorded in the secret big brother data center. This is where the crime occurs!
[7] Our infiltration only allowed us to retrieve an incomplete, but highly descriptive, look at the big brother.
[8] This method serves as a declaration for a pointcut, and allows the big brother to specify which methods it wants to intercept.
[9] Specifies that this is a JMX operation for manipulating a managed resource. In a JMX console, this will appear under “operations” and will appear as a method taking no arguments. All they need to do is push the button!
[10] The management is using its big brother powers to turn us into Energizer bunnies!
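
What [9] describes, reduced to plain JMX without Spring: the sketch below registers a standard MBean under the same object name, lists the operations any connected JMX client can see in that domain, and invokes one the way a console button does. It is an added example, not code from the informant or from Exist; the class name BigBrotherJmxDemo, the exposedOperations helper and the method bodies are assumptions made for illustration.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;

public class BigBrotherJmxDemo {

    // Standard MBean rule: the public management interface is named <ImplClass>MBean.
    public interface EmployeeBigBrotherMBean {
        void initiateEmployeeMealAction();
        void initiateEmployeeRelievingAction();
        void initiateEmployeeSocialzingAction();
    }

    public static class EmployeeBigBrother implements EmployeeBigBrotherMBean {
        // Constructed stand-in for the elided method bodies: records which operation ran.
        final List<String> invoked = new ArrayList<>();
        public void initiateEmployeeMealAction()       { invoked.add("meal"); }
        public void initiateEmployeeRelievingAction()  { invoked.add("relieving"); }
        public void initiateEmployeeSocialzingAction() { invoked.add("socializing"); }
    }

    // Hypothetical audit helper: every operation exposed by MBeans in the given domain.
    static List<String> exposedOperations(MBeanServer server, String domain) throws Exception {
        List<String> ops = new ArrayList<>();
        for (ObjectName name : server.queryNames(new ObjectName(domain + ":*"), null)) {
            for (MBeanOperationInfo op : server.getMBeanInfo(name).getOperations()) {
                ops.add(name + "#" + op.getName());
            }
        }
        return ops;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("exist.bigbrother:name=EmployeeBigBrother");
        EmployeeBigBrother bean = new EmployeeBigBrother();
        server.registerMBean(bean, name);

        exposedOperations(server, "exist.bigbrother").forEach(System.out::println);

        // What a JMX console does when someone "pushes the button".
        server.invoke(name, "initiateEmployeeMealAction", new Object[0], new String[0]);
        System.out.println("invoked: " + bean.invoked);
    }
}
```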

These are then bootstrapped into the application from the application context XML file. Our highly developed but inadequate sleuthing skills only produced the following configuration snippet:


<bean id="wellBeingService" class="com.exist.service.EmployeeWellBeingServiceImpl"> <!-- [1] -->
    ...
</bean>

<aop:aspectj-autoproxy /> <!-- [2] -->

<bean id="exporter" class="org.springframework.jmx.export.MBeanExporter" lazy-init="false">
    <property name="assembler" ref="assembler" />
    <property name="namingStrategy" ref="namingStrategy" />
    <property name="autodetect" value="true" />
    <property name="autodetectModeName" value="AUTODETECT_ASSEMBLER" />
</bean> <!-- [3] -->

<bean id="jmxAttributeSource" class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" /> <!-- [4] -->

<bean id="assembler" class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
    <property name="attributeSource" ref="jmxAttributeSource" />
</bean> <!-- [5] -->

<bean id="namingStrategy"
      class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
    <property name="attributeSource" ref="jmxAttributeSource"/>
</bean> <!-- [6] -->

<bean id="bigBrother" class="com.exist.devious.bigbrother.EmployeeBigBrother" /> <!-- [7] -->

[1] The target service is configured somewhere.
[2] Enables Spring support for AspectJ aspects. This automatically processes beans annotated with AspectJ annotations.
[3,4,5,6] Enables JMX annotations and sets up the big brother for operating in a JMX environment.
[7] The big brother enters.

The informant’s exposition ends there and he declines any further comment. The authorities are still undertaking a complete investigation at this point; in the meantime, all parties that may be affected are advised to exercise judgment and discretion in any activity.
