The wrong sort of radio
This post is about the madness of corporate web filters in the age of ubiquitous consumer devices with Internet connectivity.
I typically see three types of connectivity in any given corporate setting:
- The company network. Usually wired, but sometimes with a wireless adjunct, this network offers about as much liberty as an oppressive Middle Eastern regime. This is a network where you can’t use social networks, check your webmail or see pictures (or business charts) uploaded by others. This network has been locked down for your own protection, and for the protection of the company.
- Guest WiFi. When coffee shops started becoming a better place for business than company meeting rooms something had to be done, and guest WiFi was that something. Sadly in many cases it’s locked down with many of the same measures and policies as the corporate network[2,3] – the only real change is that ‘foreign’ devices are allowed to connect.
- Mobile networks. Increasingly these come by default with some degree of nannyistic filtering, but in my experience it’s pretty benign – you can go to the places and ports that you want to and use the services that live there.
Trying to control where radio waves go
In cases 1 and 2 the legal and compliance department seeks to control what happens over the radio waves; in case 3 it cannot – hence the title of this post.
I was recently at an event run by a large security software and solutions vendor where they said that ‘they too were having trouble with this stuff’ (referring to executives using iPads) so they’d had to ‘turn off some of the WiFi’. So what – the executives couldn’t afford the 3G iPad?
The nonsense of inconveniencing your own people
This whole thing is nonsense. Companies can’t control what employees access on the Internet, because nobody wants to become like a top secret military installation and take everybody’s phone away from them at the gate. The reality is that employees will have iPhones and iPads and other smartphones and other tablets and netbooks with 3G cards and MiFis and Kindle 3Gs and all manner of other stuff that can get to a (mostly) unfiltered web. For sure you can make life less convenient for your own people by making too many of them share a limited pool of bandwidth, but if you’re worried about people wasting time on social networking or personal email then do you really want to make it slower?
At this point it’s probably worth unpacking some of the concerns:
For a very long time we’ve had corporate networks that follow a confectionery design pattern – hard on the outside, soft in the middle. The whole point of hard on the outside is to stop damage to the soft middle. Despite the best efforts of the Jericho Forum very few organisations have done de-perimeterisation (or even my preferred ‘re-perimeterisation’), which leaves them stuck with a model where you can only allow approved devices, software etc. An associated concern is that browsing the seedier parts of the Internet brings with it infections that may not be spotted by anti-virus software and similar defences.
Security is probably a valid reason for the behaviour we see on company networks, but doesn’t justify controls on guest/employee WiFi, and of course the security guys don’t really have any say on what happens on mobile networks.
Not Safe For Work (NSFW)
One of the initial reasons for introducing web filters was a desire by HR to block porn. I don’t ever recall the epidemic of people surfing XXX rated material (and upsetting their co-workers by doing so), but clearly enough people thought this was a problem and were willing to spend money on it.
What’s curious is that the arrival of broad(ish)band connected mobile consumer Internet devices with no filters hasn’t caused some catastrophic outbreak of inappropriate material being poked in the faces of inappropriate people. It looks like people are able to behave like mature adults after all.
Of course filters don’t always work, and I’ve seen an instance or two of objectionable spam make its way through. Somehow this is more of a problem when using Outlook (which renders images by default) than Gmail (which doesn’t).
The NSFW argument doesn’t hold up in my view, and HR were probably suckered into playing the paternalist in order to justify buying a bunch of kit that some IT folk wanted for other purposes.
Time is money
This is the one where employees shouldn’t be spending their valuable (company paid for) time checking their personal email and chatting to their friends on Facebook/Twitter/AIM or whatever the next flavour of the month is.
Firstly this expresses a very Victorian work ethic towards time management (one that my US cousins still seem all too attached to). As we move from the industrial age to the information age we’re slowly seeing a shift from clocking in/out towards flexibility and ‘work/life balance’, but whilst we still have people around that we pay by the day (or even hour) we will continue to fool ourselves that it is time that is valuable rather than outcomes.
I guess the quid pro quo here is that my wife hates me using my Blackberry at home just as much as most companies would hate me using Facebook at work (even if I’m using the Blackberry to check Facebook).
The information age is changing the nature of work and how it interacts with time. The productivity of ‘knowledge workers’ can vary dramatically, with short bursts of great output set in a broader context of information gathering (and many seemingly aimless conference calls).
Secondly there’s the assumption that social interaction is somehow utterly unrelated to work. That people shouldn’t be able to ask their ‘friends’ for help.
Once again we see that employees are using this stuff anyway (at work) on their own devices, and the time that’s being ‘wasted’ isn’t hurting.
The common sense approach
What I think companies should be doing here is protecting their corporate networks where that is still necessary (and moving towards re-perimeterisation around the data centre core) and offering their employees, partners, clients and other parties an otherwise unfettered path to the Internet (via unfiltered WiFi). This should simply be a question of cost and convenience, where for very good infrastructure reasons mobile data costs more (and is often less convenient) than WiFi built on a wired bearer.
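One concrete way to express that split, as an added example rather than anything from the original post: an nftables forwarding policy on the gateway that gives a guest WiFi segment a direct route to the Internet while refusing to forward it into the corporate core. The interface names, the guest subnet and the address ranges treated as ‘core’ are assumptions for illustration; what matters is the shape – guest traffic is isolated from the core, not run through the corporate web filter.

```nftables
# Added example, not from the original post. Interface names and
# address ranges are assumptions; adjust to the real gateway.
define guest_if  = "wlan-guest"           # assumed guest WiFi interface
define wan_if    = "eth0"                 # assumed Internet uplink
define guest_net = 192.168.50.0/24        # assumed guest client subnet
define core_net  = { 10.0.0.0/8, 172.16.0.0/12 }  # assumed corporate / DC ranges

table inet segmentation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections already permitted, in either direction
        ct state established,related accept

        # Guest clients never reach the corporate core, whatever the port
        iifname $guest_if ip daddr $core_net drop

        # ...but get an unfiltered path to the Internet
        iifname $guest_if oifname $wan_if ip saddr $guest_net accept

        # Everything else (including core -> guest) falls to the drop policy,
        # so the core keeps its own perimeter and the guest segment is a
        # separate, disposable network.
    }
}

table ip guest_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat;

        # Hide the guest subnet behind the uplink address on the way out
        oifname $wan_if ip saddr $guest_net masquerade
    }
}
```

The two tables do the whole job: the filter chain says where guest packets may and may not go, and the NAT chain makes the permitted ones routable. There is deliberately no rule steering guest traffic through a proxy or category filter; the point of the segment is that it carries the same liability profile as a coffee shop, with the corporate core unreachable from it.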
Why is this so hard?
[1] Hardly surprising as the companies that sell lists of stuff to be blocked have these countries as their primary customers, and business users just tag along for the ride.
[2] To stop employees from sidestepping the policies on the corporate network, and doing the stuff that they want to do on the Internet.
[3] I’ve come across some cases where companies have invited in telcos to provide WiFi. I think this is a win-win – guests (and employees) get the connectivity that they want (and more reliably than a mobile connection), the telco gets paid for an hour/day/longer subscription, and the legal and compliance people get to sleep at night knowing that they’ve passed a potential liability on to a third party. I’ve also come across some legal and compliance people (mostly in the US) who take the view that this can’t be done because liability for what happens (on the Internet) within the boundary of a company’s premises can’t be passed on. Don’t ask me what happens if you have an on-site Starbucks in a leased building.
[4] Canary Wharf is an awful place for mobile devices given the poor ratio of infrastructure to people based there.
[5] I recall a frustrated network engineer one day recounting how he’d presented a business case to the executive board and they came back at him with ‘you want us to spend $5m on a better porn filter?’ – clearly there was some kind of communication issue and somebody was missing the point.
[6] One of the insane arguments here is that people surfing Internet porn at work were costing the company money (by using the precious resource of their Internet connection) and therefore it was worth spending even more on web filters to stop this from happening.