From owner-freebsd-questions  Tue Jun 29 20:20:29 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from pops.interhack.net (pops.interhack.net [209.190.37.60])
	by hub.freebsd.org (Postfix) with ESMTP id 66EC515406
	for <freebsd-questions@FreeBSD.ORG>; Tue, 29 Jun 1999 20:20:15 -0700 (PDT)
	(envelope-from cmcurtin@strangepork.interhack.net)
Received: from strangepork.interhack.net (strangepork.interhack.net [192.168.1.12])
	by pops.interhack.net (8.8.8/8.8.8/spamkiller) with ESMTP id XAA15652;
	Tue, 29 Jun 1999 23:32:17 -0400 (EDT)
Received: (from cmcurtin@localhost)
	by strangepork.interhack.net (8.8.5/8.8.5) id XAA05968;
	Tue, 29 Jun 1999 23:29:17 -0400 (EDT)
From: Matt Curtin <cmcurtin@interhack.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14201.36621.135367.877478@strangepork.interhack.net>
Date: Tue, 29 Jun 1999 23:29:17 -0400 (EDT)
To: Evan Brastow <ebrastow@automatedemblem.com>
Cc: Joe Konecny <jkonecn@green-mfg.com>,
	FreeBSD List <freebsd-questions@FreeBSD.ORG>
Subject: RE: internet monitoring
In-Reply-To: <500E74157A46D211A87F006097295AFB090038@mail.automatedemblem.com>
References: <500E74157A46D211A87F006097295AFB090038@mail.automatedemblem.com>
X-Mailer: VM 6.71 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2)
X-Attribution: Matvey
X-URL: http://www.interhack.net/people/cmcurtin/
X-Face: L"IcL.b%SDN]0Kql2b`e.}+i05V9fi\yX#H1+Xl)3!+n/3?5`%-SA-HDg<IT;O8XnF>Pk9uTk<3dv^J5DCgal)-E{`zN#*o6F|y>r)\<<ui53(fC)EM]42*oF|P@Hm"Z+GK%"b#q'ycf=2s5%NNR0S;8"vcNN"O;O}YpB{&^1xazqDMg^v!6LS7S"5|}2uTl$NKV5}Bkca{M|Y^cZD@{1
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>>>>> On Tue, 29 Jun 1999 19:11:11 -0400,
      Evan Brastow <ebrastow@automatedemblem.com> said:

Evan> Why is it evil for an employer to monitor what their employees
Evan> are doing with computers that belong to the employer?

Evan> In my opinion, it is wise for an employer to protect themselves,
Evan> both from things such as sexual harassment

For sexual harassment to take place, someone must be unwillingly
exposed to something of a sexual nature after having made it clear
that they do not wish to be exposed thusly.

For that reason, monitoring would actually *increase* the probability
of harassment.  Someone doing the monitoring is much more likely to be
exposed to something like that than someone else randomly doing their
job.

Evan> and defamatory lawsuits,

Now that is silly.  When was the last time that a company was sued
because of something that joe random employee wrote on the Internet
whilst on "company time"?

Do you monitor the telephone?  Someone could make a phone call, and
the name of the company would show up on the caller-ID box, after
all. 

Do you monitor the mail?  Anyone could write a letter on a piece of
letterhead. 

Evan> as well protecting themselves from employees spending company
Evan> time (read: money) on non-work related web sites.

You didn't read the part of the Firewalls FAQ I referenced:

Matt> http://www.interhack.net/pubs/fwfaq/#head_siteblock 

I'll post it here so you don't need to follow it.

----------------------------------------------------------------------
A few years ago, someone got the idea that it's a good idea to block
"bad" web sites, i.e., those that contain material that The Company
views "inappropriate". The idea has been increasing in popularity, but
there are several things to consider when thinking about implementing
such controls in your firewall.

 o It is not possible to practically block everything that an employer
   deems "inappropriate". The Internet is full of every sort of
   material. Blocking one source will only redirect traffic to another
   source of such material, or cause someone to figure a way around the
   block.

 o Most organizations do not have a standard for judging the
   appropriateness of material that their employees bring to work,
   i.e., books, magazines, etc. Do you inspect everyone's briefcase
   for "inappropriate material" every day? If you do not, then why
   would you inspect every packet for "inappropriate material"? Any
   decisions along those lines in such an organization will be
   arbitrary. Attempting to take disciplinary action against an
   employee where the only standard is arbitrary typically isn't wise,
   for reasons well beyond the scope of this document.

 o Products that perform site-blocking, commercial and otherwise, are
   easy to circumvent.  Hostnames can be rewritten as IP addresses. IP
   addresses can be written as a 32-bit integer value, or as four
   8-bit integers (the most common form). They can be written as two
   16-bit integers, or one 24-bit and one 8-bit integer, or
   vice-versa. Connections can be proxied. Web pages can be fetched
   via email. You can't block them all. The effort that you'll spend
   trying to implement and manage such controls will almost certainly
   far exceed any level of damage control that you're hoping to have.

The rule-of-thumb to remember here is that you cannot solve social
problems with technical solutions. If there is a problem with someone
going to an "inappropriate" web site, that is because someone else saw
it and was offended by what he saw, or because that person's
productivity is below expectations. In either case, those are matters
for the personnel department, not the firewall administrator.
----------------------------------------------------------------------

Monitoring is evil.  Employees are adult human beings.  Don't treat
them like property to be inventoried and audited.

-- 
Matt Curtin cmcurtin@interhack.net http://www.interhack.net/people/cmcurtin/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message