Life in the Trenches with Security for Security’s Sake

Being an IT dweeb, I work an internal Helpdesk occasionally. I’m on the receiving end of a lot of complaints about the websites the web-blocking software blocks. And they all ask me why. Sometimes I can take a good guess. Gambling, porno, hate speech, those are pretty easy to explain, even to upper management. But other sites, even though they can be perceived as time-wasters, should they be blocked? Should we only be blocking the stuff department guidelines specify as illegal, or should we be making judgments on attractive nuisances?

We had our office Christmas party (Ok, for political correctness, “holiday” party) at a local bar and grill. Its website was blocked. The Websense reason? Liquor. Liquor? What? Someone found a way to drink online?

How about this one? A fan fic site is blocked. The Websense reason? Alternate Religion. Now “a fan fic site” is one containing fan-written stories about characters in movies, tv shows or whatever. It usually has something to do with Star Trek. Is this an alternate religion? Hmm. Some might think so. What exactly does a religion have to do to be termed “alternate”? If we do not block “standard” religions, why are we blocking “alternate” ones? I smell a future lawsuit coming over this one.

I could go on. There really doesn’t seem to be any rhyme or reason to the categories Websense blocks and their contents. I doubt we spent all that much time configuring it. We may have simply clicked one of the “out of the box” configurations when we set the thing up. Obviously we haven’t spent a lot of time thinking about this nuance. But after attending many cross-agency meetings on Web policy, I see that no one else has this nailed down either. Some agencies won’t let users even go to Amazon.com and others are wide open, even for things considered illegal. As usual, the need for a fair and well thought out policy on this evidences itself.

This all is frustrating enough, but it is not my major complaint. What I really hate is when you ask authorities why something is blocked (I do this so I can then relay this intelligent reason to the user who asked me) you usually get some canned response like “It’s a security risk” You can tell that they have never heard of this website, know nothing about it or the types of information it serves up, but they would have you believe that they know what you’re talking about and that they reached this decision after due consideration. Oh please. What was it Peter Lorre said to Humphrey Bogart in THE MALTESE FALCON? “I wish you had thought up a better story. I felt distinctly like an idiot repeating it.”

Leave a Comment


Leave a Reply

jana gallatin

AMEN! (Wait, is that an alternate religion thing?)

Websense here blocks “Cake Camp.” (Yes, a camp for cake decorating.)

Adam Harvey

My agency recently implemented a new firewall, and now I’m blocked from a fair amount of sites. I can’t even get GovLoop to work correctly, since it references CSS files from another URL. I think the simplest explanation is the most likely; self-preservation. The folks in charge of security make their jobs easier, with less likelihood of a security breach, by tightening things down as much as possible.

One of the security guys at my work even wanted to block access to ALL blogs and forums, until a bunch of us complained that we use those for tech support and help solving networking and web development issues.

This is a thorny problem for me. Many of the employees at my County can only access sites on our network, and can’t get to the Internet at all. This has prevented us from using Flash (since it tries to check the latest version, and most systems can’t DL it in the first place users complain that the proxy login pops up all of the time) and the array of Google products.

The reaction from management has been “If County employees can’t use it, get rid of it” as if there weren’t 1.4 million other people in the County who might want to use our customized Google Map to find their polling location.

In some cases, like the one I just mentioned, we managed to figure out a workaround that let us provide the service at no impact to employees without access. In others, the process to gain approval from the security folks is arduous. I’d really like to use Google Analytics to monitor some of our webstats, but in order for that to work, I have to convince the guys in charge of the firewall of a whole list of safety measures, including a signed statement from someone at Google that they will not disclose any information gathered. I’m a web designer, I have no idea where to begin to complete the list of things I need for their approval. It’s a challenge, and an opportunity for me to learn more about how Gov IT is run. I almost feel like I need to go to interpersonal relationship counseling with the security guys, since we’re coming from completely different angles.


I understand the need for firewalls for security but I think there are a number of different approaches that can be taken. One, start with nothing and start blocking sites as you see problems. So start from nothing but if you see inappropriate sites affecting the networking and performance then block them. Also, if you are going to have a tight policy, it should be easy to have a sight unblocked as long as it’s not obscene. Too often the process requires a ton of proof and can be a little scary.

Al Fullbright

Guys like me must add a lot of work sorting information. I was quite surprized that I was able to access the Gov Loop site and even set up a page. I am only loosely affilliated, because I am not a government employee, but I am developing a web-site to network with the disabled and keep tract of government responses to the disabled.
Most of the sites use a beuracratese dialect of the English Language anyway. However, I am not sure that transparency and letting just anyone access some of these sites is a good idea. It may just create a larger work-load that produces no results except some recipes and jokes.