Date: Tue, 29 Jun 1999 23:29:17 -0400 (EDT) From: Matt Curtin <cmcurtin@interhack.net> To: Evan Brastow <ebrastow@automatedemblem.com> Cc: Joe Konecny <jkonecn@green-mfg.com>, FreeBSD List <freebsd-questions@FreeBSD.ORG> Subject: RE: internet monitoring Message-ID: <14201.36621.135367.877478@strangepork.interhack.net> In-Reply-To: <500E74157A46D211A87F006097295AFB090038@mail.automatedemblem.com> References: <500E74157A46D211A87F006097295AFB090038@mail.automatedemblem.com>
next in thread | previous in thread | raw e-mail | index | archive | help
>>>>> On Tue, 29 Jun 1999 19:11:11 -0400,
Evan Brastow <ebrastow@automatedemblem.com> said:
Evan> Why is it evil for an employer to monitor what their employees
Evan> are doing with computers that belong to the employer?
Evan> In my opinion, it is wise for an employer to protect themselves,
Evan> both from things such as sexual harassment
For sexual harassment to take place, someone must be unwillingly
exposed to something of a sexual nature after having made it clear
that they do not wish to be exposed thusly.
For that reason, monitoring would actually *increase* the probability
of harassment. Someone doing the monitoring is much more likely to be
exposed to something like that than someone else randomly doing their
job.
Evan> and defamatory lawsuits,
Now that is silly. When was the last time that a company was sued
because of something that joe random employee wrote on the Internet
whilst on "company time"?
Do you monitor the telephone? Someone could make a phone call, and
the name of the company would show up on the caller-ID box, after
all.
Do you monitor the mail? Anyone could write a letter on a piece of
letterhead.
Evan> as well protecting themselves from employees spending company
Evan> time (read: money) on non-work related web sites.
You didn't read the part of the Firewalls FAQ I referenced:
Matt> http://www.interhack.net/pubs/fwfaq/#head_siteblock
I'll post it here so you don't need to follow it.
----------------------------------------------------------------------
A few years ago, someone got the idea that it's a good idea to block
"bad" web sites, i.e., those that contain material that The Company
views "inappropriate". The idea has been increasing in popularity, but
there are several things to consider when thinking about implementing
such controls in your firewall.
o It is not possible to practically block everything that an employer
deems "inappropriate". The Internet is full of every sort of
material. Blocking one source will only redirect traffic to another
source of such material, or cause someone to figure a way around the
block.
o Most organizations do not have a standard for judging the
appropriateness of material that their employees bring to work,
i.e., books, magazines, etc. Do you inspect everyone's briefcase
for "inappropriate material" every day? If you do not, then why
would you inspect every packet for "inappropriate material"? Any
decisions along those lines in such an organization will be
arbitrary. Attempting to take disciplinary action against an
employee where the only standard is arbitrary typically isn't wise,
for reasons well beyond the scope of this document.
o Products that perform site-blocking, commercial and otherwise, are
easy to circumvent. Hostnames can be rewritten as IP addresses. IP
addresses can be written as a 32-bit integer value, or as four
8-bit integers (the most common form). They can be written as two
16-bit integers, or one 24-bit and one 8-bit integer, or
vice-versa. Connections can be proxied. Web pages can be fetched
via email. You can't block them all. The effort that you'll spend
trying to implement and manage such controls will almost certainly
far exceed any level of damage control that you're hoping to have.
The rule-of-thumb to remember here is that you cannot solve social
problems with technical solutions. If there is a problem with someone
going to an "inappropriate" web site, that is because someone else saw
it and was offended by what he saw, or because that person's
productivity is below expectations. In either case, those are matters
for the personnel department, not the firewall administrator.
----------------------------------------------------------------------
Monitoring is evil. Employees are adult human beings. Don't treat
them like property to be inventoried and audited.
--
Matt Curtin cmcurtin@interhack.net http://www.interhack.net/people/cmcurtin/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14201.36621.135367.877478>