From: Matt Curtin
Date: Tue, 29 Jun 1999 23:29:17 -0400 (EDT)
To: Evan Brastow
Cc: Joe Konecny, FreeBSD List
Subject: RE: internet monitoring

>>>>> On Tue, 29 Jun 1999 19:11:11 -0400, Evan Brastow said:

Evan> Why is it evil for an employer to monitor what their employees
Evan> are doing with computers that belong to the employer?

Evan> In my opinion, it is wise for an employer to protect themselves,
Evan> both from things such as sexual harassment

For sexual harassment to take place, someone must be unwillingly
exposed to something of a sexual nature after having made it clear
that they do not wish to be exposed thusly. For that reason,
monitoring would actually *increase* the probability of harassment.
Someone doing the monitoring is much more likely to be exposed to
something like that than someone else randomly doing their job.

Evan> and defamatory lawsuits,

Now that is silly. When was the last time that a company was sued
because of something that joe random employee wrote on the Internet
whilst on "company time"? Do you monitor the telephone? Someone
could make a phone call, and the name of the company would show up on
the caller-ID box, after all. Do you monitor the mail? Anyone could
write a letter on a piece of letterhead.

Evan> as well as protecting themselves from employees spending company
Evan> time (read: money) on non-work related web sites.

You didn't read the part of the Firewalls FAQ I referenced:

Matt> http://www.interhack.net/pubs/fwfaq/#head_siteblock

I'll post it here so you don't need to follow it.

----------------------------------------------------------------------

A few years ago, someone got the idea that it's a good idea to block
"bad" web sites, i.e., those that contain material that The Company
views "inappropriate". The idea has been increasing in popularity,
but there are several things to consider when thinking about
implementing such controls in your firewall.

  o It is not possible to practically block everything that an
    employer deems "inappropriate". The Internet is full of every
    sort of material. Blocking one source will only redirect traffic
    to another source of such material, or cause someone to figure a
    way around the block.

  o Most organizations do not have a standard for judging the
    appropriateness of material that their employees bring to work,
    i.e., books, magazines, etc. Do you inspect everyone's briefcase
    for "inappropriate material" every day? If you do not, then why
    would you inspect every packet for "inappropriate material"? Any
    decisions along those lines in such an organization will be
    arbitrary.
    Attempting to take disciplinary action against an employee where
    the only standard is arbitrary typically isn't wise, for reasons
    well beyond the scope of this document.

  o Products that perform site-blocking, commercial and otherwise,
    are easy to circumvent. Hostnames can be rewritten as IP
    addresses. IP addresses can be written as a 32-bit integer
    value, or as four 8-bit integers (the most common form). They
    can be written as two 16-bit integers, or one 24-bit and one
    8-bit integer, or vice-versa. Connections can be proxied. Web
    pages can be fetched via email. You can't block them all. The
    effort that you'll spend trying to implement and manage such
    controls will almost certainly far exceed any level of damage
    control that you're hoping to have.

The rule-of-thumb to remember here is that you cannot solve social
problems with technical solutions. If there is a problem with someone
going to an "inappropriate" web site, that is because someone else saw
it and was offended by what he saw, or because that person's
productivity is below expectations. In either case, those are matters
for the personnel department, not the firewall administrator.

----------------------------------------------------------------------

Monitoring is evil. Employees are adult human beings. Don't treat
them like property to be inventoried and audited.

-- 
Matt Curtin cmcurtin@interhack.net http://www.interhack.net/people/cmcurtin/
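
An added example, not part of the original message or of the Firewalls FAQ: the quoted FAQ notes that one IPv4 address can be written in several numeric forms, so a filter that compares host strings has to reduce each form to a single address before matching. The sketch assumes the client resolves numeric hosts by the classic BSD inet_aton() rules; `canonical_ipv4`, `is_blocked` and the `BLOCKED` set are hypothetical names, and the address is a constructed sample.

```python
import ipaddress
import re

# Constructed blocklist entry from the RFC 5737 documentation range.
BLOCKED = {ipaddress.IPv4Address("192.0.2.10")}

# One component as C strtoul(..., 0) reads it: 0x hex, leading-0 octal, decimal.
_NUM = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def _part(text):
    """Parse a single dotted component, raising ValueError if it is not numeric."""
    if not _NUM.fullmatch(text):
        raise ValueError(f"not a numeric component: {text!r}")
    if text[:2].lower() == "0x":
        return int(text, 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def canonical_ipv4(host):
    """Return the IPv4Address an inet_aton()-style resolver would use for
    this host string, or None if the string is not a numeric address."""
    pieces = host.split(".")
    if not 1 <= len(pieces) <= 4:
        return None
    try:
        nums = [_part(p) for p in pieces]
    except ValueError:
        return None  # a real hostname, or a malformed number such as "08"
    # Every component but the last is one byte; the last fills the rest.
    *head, last = nums
    if any(n > 0xFF for n in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def is_blocked(host):
    """Match on the canonical address instead of the string as typed."""
    addr = canonical_ipv4(host)
    return addr is not None and addr in BLOCKED
```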