Are you being watched at work on the Web? And how carefully?
September 11, 2002 6:53 PM

Are you being watched at work on the Web? And how carefully? The good news is that I finally have more than dialup at work. The bad news is that my Internet is filtered, or at least being watched via something called Websense. How common is use of such software these days? Does anyone have experience with this type of software? What information does it log? Can it be defeated?
posted by ParisParamus (43 comments total)
I'd shit a 2-by-4 if they confronted me with my http requests. Good luck.
posted by crunchburger at 6:58 PM on September 11, 2002

Since the real "sin" is spending too much time actively looking at a site, this one, for example, I wonder if the software can distinguish between an open window in the background or foreground.
posted by ParisParamus at 7:03 PM on September 11, 2002

Are you too scared to use Google?
posted by machaus at 7:04 PM on September 11, 2002

i dunno about this software in particular, but it's fairly simple to install a packet sniffer on a lan which would log every single packet traversing it, including all your http requests. no way around it, except maybe tunneling your web traffic through ssh to an outside proxy. 'actively' looking at a site probably entails links being followed within it over a period of time, rather than it just being open in a browser window, since that sort of activity would be impossible to accurately monitor remotely.
posted by bizwank at 7:11 PM on September 11, 2002

they use websense at my school, and it blocks metatalk, but not metafilter. *sigh*
posted by adampsyche at 7:16 PM on September 11, 2002

As always, the oracle of all things censorware is Peacefire. See their report on WebSENSE for information about it.
posted by waldo at 7:17 PM on September 11, 2002

they use websense at my school, and it blocks metatalk, but not metafilter. *sigh*
Is that a bug or a feature?
posted by crunchburger at 7:21 PM on September 11, 2002

Where I work they use something called WebBlocker. I understand why it's there. Our place has a finite amount of bandwidth and a lot of people sharing it. They only want us to use it for work-related stuff. Still, it's frustrating.

I can't get to my own blog. The server with my homepage is on their filter list. I don't take it personally. I don't think they know. It's just a broad censoring device. I'd ask them to take it off, but then they'd know. So I just don't mention it.
posted by ZachsMind at 7:23 PM on September 11, 2002

My company is using similar software. More to spy than to block websites. From what I've been told, I know that it can at least monitor all web traffic. It's also got these "neat" features that pick out (and log) all IM traffic, IRC traffic, and external email traffic (yes, even to "private" or personal mail servers), and serve the "conversations" up, neatly formatted and in order, upon request. They also watch all posts and gets to major search engines, auction sites, and shopping sites, so they can see what people are searching for, bidding on, and shopping for respectively.

The reports are very pretty.

It's rather invasive.
posted by Lafe at 7:42 PM on September 11, 2002

I've had some experience with WebSense blocking one of my sites [self-link].
posted by rcade at 7:47 PM on September 11, 2002

My company explicitly reserves the right to monitor employees' use of the network, including but not limited to the outbound web proxy. (All the while making the use of devices in promiscuous mode a firable offense)

For the most part, they should just be seeing an awful lot of SSL connections to the handy CGIproxy that I run on an outside web server for my exclusive use. Should they blacklist that host on the web proxy, the worst case scenario is that I have to bust out my secret weapon: a secure ssh tunnel to my squid cache at home.

And if they take out the telnet proxy that makes my ssh forwarding break, I still have a fallback option or two.

Nothing in my employment contract requires me to conduct my business in cleartext. In fact, given the industry I'm in, the use of encryption is generally encouraged!
posted by majick at 7:59 PM on September 11, 2002

Well, as a tech worker at a CA State agency, I find myself torn about this type of software. On one hand I hate the invasion of my cyberspace, but each day I also see grievous abuses of employees' work time. Surfing Ebay, CNN, music download sites, etc, is not what we're getting paid to do. I feel that surfing a few 'non-work-related sites' on your break, or lunch time is no big deal. Wasting several hours each day on the net, playing games on MSN, or worse, is no way to 'earn' your paycheck. I wonder how some of those folks can look at themselves in the mirror and feel good.
posted by BlueScreen at 8:14 PM on September 11, 2002

I've been workplace-stalked-online by such programs as NICE and eQuality. Many of these types of programs, especially eQuality, actually record real-time video of your actions. While the employer may think he/she is achieving their Nazi goals, maintaining such a system is very, very tedious. The recording and transmission of data, especially for many, many users, is very stressing on any network, regardless of how big, phat, and pipey it is. Also, since the recordings are real-time, they must be viewed in real time. I don't need to say what problems that could cause. Chances are, if you screw up only occasionally, The Man won't catch you, unless he has way too much time on his hands. Talk on the phone a lot? In a call center? They can see what you're doing on the PC while you're talking, all while listening to your conversation. If you're supposed to be walking an end user thru rebuilding their tcp/ip stack, and you're looking at, you're in deep. No pun intended.

posted by JessicaRose at 8:16 PM on September 11, 2002

Oh, and there's always the corporate release of SurfWatch.
posted by JessicaRose at 8:18 PM on September 11, 2002

WebNonSense tracks all your requests on the internet. It has a database of sites it has determined fall into several categories; sex, gambling, games, etc. the customer chooses which categories he wants blocked and the software throws up a message screen. it also records the violation.
MeTa is in the Games category which we have WebNonSense block (I'm in the group administering it at work [not my choice].) and most redirection services are blocked.
Email surfing such as works for MeTa but still gets several violations logged due to the graphics. but Google cache is a work-around for older content.
as a user it is a pain in the ass.
as an administrator, it does what it is paid to do, and does it quite well though some of the blocked sites are puzzling.

ParisParamus: we just went live with this 3 or 4 weeks ago and we provide access to satellites all over NY state including brooklyn, you don't suppose. . .
posted by DBAPaul at 8:28 PM on September 11, 2002

Sorry, I've left Brooklyn for the BigTime...
posted by ParisParamus at 8:33 PM on September 11, 2002

Yeah. The software is intrusive and wasteful, and blocks an ever-increasing selection of your favorite sites.

Guess you'll have to post pro-Israeli links only every other day.

(Heh. Someone had to say it...)
posted by insomnia_lj at 8:37 PM on September 11, 2002

Talk on the phone a lot? In a call center? They can see what you're doing on the PC while you're talking, all while listening to your conversation.

Yep. It's creepy and draconian, and it's a really sensible idea from a management perspective. The place where I work right now is very up-front about it though -- we're all scheduled to be trained as monitors, so that the entire interviewing staff is experienced with the different types of monitoring that gets done, and to balance out the monitoring load. (See, we've got this corporate commitment thing about monitoring 10% of all our calls. So that's a whole assload of monitoring each week.)

Then again, we don't have Net access, either. At all. I asked one of the supervisors if it would be possible for me to access a Net-connected box during breaks or lunch (since They all have the stream of sweet, sweet packets available) -- she was really hesitant about the whole notion, and basically gave me a "no chance in hell" delicately wrapped in "I'll look into it."
posted by cortex at 8:38 PM on September 11, 2002

As an attorney, there are legitimate uses of lots of Web sites. But I'm a poor accident litigation slob these days. I once dated a woman who did Trademark work. It was part of her job to scour the Web for uses of names similar to her clients. Lots of fun there!
posted by ParisParamus at 8:45 PM on September 11, 2002

What I want to know is what the hell people did at work before the internet. My first desk job was post-internet, and it boggles my mind that people actually used to sit for 8 hours a day without this wonderful device. Maybe that's why we've (sadly) seen the decline of the 2-hour wet lunch. I am proudly trying to marry the two at my job...
posted by chaz at 8:55 PM on September 11, 2002

Chaz, My take on it is that legal work was always fairly solitary, and now, with computers, it's even more so. I go to Mefi, or the NYT or my e-mail when I just need a break. As an alternative survival tool, I just bought a radio to listen to jazz or classical music. (no streaming allowed on my PC : ( ) Computers let you work without interruption for much longer than was ever possible; it seems only fair they should provide you with breaks as well...
posted by ParisParamus at 9:02 PM on September 11, 2002

To defeat blocked sites, tunnel HTTP over another open TCP port to an "external" machine with full access. To defeat spying, use encryption. SSH is a protocol which provides both.

For SSH on Windows, try "putty"

This site has some suggestions for using proxies and various external accounts.

If you look around for "proxy", "ssh", "ssl", and "tunnel" you can probably find a checklist for this.

You can also tunnel SSH over HTTP (if port 80 is open), and then tunnel SSH again!! Use a tool like corkscrew

The latest 2600 magazine has an article on these techniques.

SSH is cool!!!
posted by dand at 9:04 PM on September 11, 2002

"What I want to know is what the hell people did at work before the internet."

My only desk jobs have been centered around either internet usage or internet connectivity. Without the internet I'd probably still be in machining or warehousing, perish the thought. It's nice to come home and not have to shower for an hour to remove dirt and grease.
posted by mr_crash_davis at 9:08 PM on September 11, 2002

I work at a 40 person dev firm. I am, I suppose, minister without portfolio when it comes to network management, so when a salesweasel rang, said call was put through to me. Salesweasel attempted to sell some sort of monitoring/blocking package. I politely explained that we felt a rigorous hiring policy and a culture of personal responsibility were far more cost-effective. He seemed totally bemused by this idea.

In my mind, this is akin to drug testing. If people are doing satisfactory work, I don't really care what else they do, as long as it doesn't impact the firm's ability to bill clients. If there's issues with bandwidth consumption, a simple request to curtail listening to Bulgarian internet radio will suffice.
posted by i_am_joe's_spleen at 9:47 PM on September 11, 2002

There was a thread a few weeks back about internet use and lost productivity. MetaFilter is, well... filtered at my work so I couldn't comment (I know I could have commented from home like I'm doing now, but I forgot. Such are the hidden costs of web filtering I suppose.) Thankfully they're not onto notalentassclown or MeTa, so I can at least read MeFi during the day.
posted by stefanie at 10:00 PM on September 11, 2002

"During the nine-to-five workday, 30 to 40% of Internet surfing is not business-related" warns the blurb in IT Vice President seducing prose. Yep. Well, prior to installation of Websense, "During the five-to-nine homeday, 30 to 40% of Internet surfing was business-related" in my household.

I was doing the Fast Company thing, blurring the boundaries and getting it done faster, better, etc.

The day they installed this device, I installed a virtual filter at home which blocked all access to work related sites. My kids now love me and I'm a happier person. Thank you, WebCents.
posted by RichLyon at 11:57 PM on September 11, 2002

I have more bad news. I am sleeping with the enemy. The company I work for makes webserver and firewall log analysis software. Not only do we know what website you have been to but we also know what computer you were sitting in front of at work to view it on. We also monitor email activity, ftp, ssh, telnet, realmedia movie watching and any other port-related network activity. I am not happy about the software we make and most of the bastard features we put in are the ideas of the evil marketing team.
Sorry for letting all you guys down. :(
On the bright side, I was in the TOP 5 for internet downloads for Jan-Mar of 2002, but since it's my job to test this stuff, my MP3 collection goes un-rewarde
posted by lsd4all at 12:45 AM on September 12, 2002

Fatal flaw in their pitch -- the assumption that once prevented from web-browsing, employees will devote the time they used to spend goofing off, on productive work. At least, that's how their calculator seems to work.

I see they are extremely cagey about the price of an enterprise license.

I smell snake oil.
posted by i_am_joe's_spleen at 12:52 AM on September 12, 2002

As soon as my erstwhile employer fired a few folks for 'Net related infractions (and were really vague about what line these people had crossed), I got myself a Nokia 8210 cell phone, which has an IRDA Modem.

Although dialup sucks large, between my iPaq and my TiBook I was pretty much set and was a model employee from the 'Net Cops point of view.

I miss 1995 when absolutely nobody in management knew what the web was, let alone what you could find out there.

Curious - I'm not sure what censorware they were using - but it screened by domain name. IPs worked fine for all banned sites.
posted by Mutant at 1:38 AM on September 12, 2002
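
A defender-side illustration of the gap described in the comment above (banned names blocked, raw IP addresses not) and of the category-and-log behaviour described earlier in the thread. This is an added example, not part of the original thread or any vendor's code; the hostnames, addresses, category table and function names are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: a category list keyed by hostname only.
CATEGORY_BY_HOST = {"games.example": "Games", "bets.example": "Gambling"}
BLOCKED_CATEGORIES = {"Games", "Gambling"}
# Constructed resolver snapshot; a real filter would refresh this from DNS.
RESOLVED = {
    "games.example": ["203.0.113.10"],
    "bets.example": ["203.0.113.20", "2001:db8::20"],
}


def host_of(url):
    """Lowercased host of a URL, without port, brackets or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")


def category_name_only(url):
    """Weak check: name lookup only, so an IP-literal URL has no category."""
    return CATEGORY_BY_HOST.get(host_of(url))


def build_ip_index(category_by_host, resolved):
    """Map every known address of a categorised host to that category."""
    index = {}
    for host, category in category_by_host.items():
        for addr in resolved.get(host, []):
            index[ipaddress.ip_address(addr)] = category
    return index


IP_INDEX = build_ip_index(CATEGORY_BY_HOST, RESOLVED)


def category_hardened(url):
    """Name lookup first, then an address lookup for IP-literal hosts."""
    host = host_of(url)
    if host in CATEGORY_BY_HOST:
        return CATEGORY_BY_HOST[host]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # an uncategorised hostname, not an address
    return IP_INDEX.get(addr)


def decide(url, categorise):
    """Return the log record a filter would write for this request."""
    category = categorise(url)
    action = "block" if category in BLOCKED_CATEGORIES else "allow"
    return {"url": url, "category": category, "action": action}


if __name__ == "__main__":
    for check in (category_name_only, category_hardened):
        print(check.__name__, decide("http://203.0.113.10/play", check))
```

Matching on addresses can over-block when unrelated sites share an IP, so an address index like this is usually introduced as a logging signal before it is used to block.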

I used Java Anonymous Proxy to circumvent WebSense. It's a free program you run locally (doesn't need to write into the registry, so as long as you have access to some harddisk space you can run it) - the setup file fits on a floppy. It requires the Java runtime installed however, which might be a problem for some people.
posted by c3o at 4:43 AM on September 12, 2002

My access at work is filtered by websense, which is annoying because they seem to update it constantly. I used to use safeweb (an anonymous browser that was secretly run by the FBI - how about that), but they shut down long ago.

Now I use the google cache. If I try and load a url and websense shucks it, I search for the url in google. If it's got it on cache (which usually depends on how new the link is), I can browse it. My biggest beef: now they are blocking the political news section of CNN because it's a "political advocacy group".
posted by toothless joe at 6:17 AM on September 12, 2002

I have the only PC at our office, and I have to use my own ISP for company email (I set us up a Yahoo account - my boss wants email, but won't pay for it). So yes, I do surf a bit in my free time. We have a regular dial-up connection, and just this week the telco instituted 10-digit dialing in our area. It's something about an "overlay", and we have to dial the area code (no "1") for local calls now. My paranoia has kicked into overdrive - I called the operator to double-check that my access numbers were local calls (she said they were), and I looked them up on Ameritech's website, which also listed them as local. But in the back of my mind, because I'm dialing 248 before the number, I'm worried that I'm getting charged for a zone call, or that my calls will be detailed on the phone bill. Anyone have any insight into this 10-digit dialing thing?
posted by Oriole Adams at 6:22 AM on September 12, 2002

I ran network security for my last employer. But before i did, i was in the same boat. Here's what i did:

install a second network card on the machine.
run a second cable from the new NIC directly to the internet router.
in your TCP/IP settings (this is for a Mac, you'll have to do it a bit differently for the PC) specify the router's internal IP address as your router address, and put the old router address in as a secondary. This way you'll still hit servers on your internal network or external WAN.

The proxy thing would work too, but for those of us who don't want to take the time to set things up or can't locate a machine on a direct route to the internet, this is the more economical way.
posted by schlaager at 11:00 AM on September 12, 2002

Cool. I feel like I'm reading 2600, or listening to Off the Hook!
posted by ParisParamus at 11:05 AM on September 12, 2002

What I want to know is, HOW can you find out if you're being watched or not and, if so, what program they're using? I mean, besides writing about verboten things just to test their limits...
posted by sparky at 11:42 AM on September 12, 2002

Sorry sparky, but no, you can't, at least not through technical means. Once a packet leaves your machine, you don't ever know what happens to it. (That's why securing virtually anything over the Internet is such a pain - the underlying protocols were not designed to support authentication or encryption at a low level). You'll have better luck chatting up the IT people.
posted by i_am_joe's_spleen at 12:57 PM on September 12, 2002

My company uses Websense. My favorite categories they block are "Tasteless" and "Hobbies." They used to block "gay/lesbian issues." I wrote a nice little email detailing why that was a bad plan and they got unblocked.
posted by nadawi at 2:29 PM on September 12, 2002

If you are doing your job, who cares how much time you spend online, even if it is company time. The only time that I really spend any serious time online at work is when I am bored silly. Maybe the issue is bored and unchallenged workers rather than workplace web usage.
posted by Coop at 3:54 PM on September 12, 2002

Remember the good old days when you were judged on what you actually accomplished, not assumed to be a child, a spy or an incompetent and treated accordingly?
posted by rushmc at 4:27 PM on September 12, 2002

There was no such time, rushmc. People today are judged much more on actual performance rather than just the hours they put in towards retirement, compared to 10 or 20 years ago.

Remember the "good old days" when the "good old days" were much better than the "good old days" you are talking about?
posted by dg at 8:05 PM on September 12, 2002

Guess it all depends how much one is willing to demean oneself for money, dg.
posted by rushmc at 10:51 AM on September 13, 2002

That's the problem, no matter how good your performance is, most managers give their employees hell over every 15-minute increment. We were taught as children that the winner is the one who can do the best work in the least amount of time, but in the workplace those rules don't seem to apply. Seems like managers value employees who moan about how hard they're working more than the ones who actually do the work.

(Man, I have had some bad bosses, haven't I? Thank God it's Friday, I can't believe I sound so crotchety!)
posted by sparky at 7:22 PM on September 13, 2002

rushmc, I am willing to demean myself quite a bit for money, if there is enough of it :-)
posted by dg at 4:09 PM on September 15, 2002


This thread has been archived and is closed to new comments