Schneier on Security
A blog covering security and security technology.
July 9, 2010
TSA Blocks Access to Websites with "Controversial Opinions"
I wonder if my blog counts.
EDITED TO ADD (7/13): The TSA reversed itself. Or, at least, they now claim that isn't what they meant.
Posted on July 9, 2010 at 1:08 PM
I like the bit where they're blocked from websites that discuss "criminal activity". If the purpose of the TSA was actually to prevent any sort of crime or terrorist activity, that would be a terrible mistake. I guess in reality it won't have a downside.
"The TSA did not return calls seeking comment by publication time."
Maybe they aren't allowed to answer controversial phone calls, either.
I've long suspected that TSA (and their subsidiaries: FBI, NSA and CIA) were jealous of the powers held by their counterparts in Russia and China. This pretty much confirms that.
Not sure what the big deal is - they merely turned on blocking of certain categories on their web browsing filtering software. We block roughly the same categories. What I find amusing is that "Adult Sites" wasn't listed.
(and schneier.com is not listed under 'controversial' in the software we use)
Yes, this is old news - so old that I already read the rebuttal on the TSA blog before it showed up here.
As the previous commenter said, they are just blocking their employees from going to KKK, etc. websites.
Oh, and there are usually filter bypasses for those working in law enforcement intelligence roles.
Reminds me of when I had to tune web proxies for several very different clients.
A retailer that sold knives, for example, needed their staff to access and research weapons sites whereas other clients wanted any/all weapons sites blocked. I wonder if the TSA should really be blocking access to hate/terror group sites.
I mean the best solution is to monitor and record access to whatever sites are deemed "controversial" rather than block, except in situations where sites have a high risk of being attack platforms and the cause of infection (e.g. "vice" sites).
Nothing to see here, people, move along.
Seriously, this is just a routine IT action, no doubt implementing an acceptable-use policy created by HR.
As to the claim by Louis Maltby of the National Workrights Institute that it could cross the line of violating a worker's right to information (http://www.cbsnews.com/8301-31727_162-20009752-10391695.html), well, hogwash. The right of an employer to control how its computers are used by its employees is well established in law.
That categorization phrasing, plus it being government, sounds like they're using the McAfee (nee Secure Computing) "Smartfilter" product.
Over at http://www.trustedsource.org/en/feedback/url you can look up a given URL to find its categorization. "http://www.schneier.com" is listed as "Technical Information". :)
Updated Blog 8:20 pm, 7/6/10: TSA Reverses "Controversial Opinion" Web Policy
Curiously they are not blocking access to the category "proxies".
If my web site gets on the TSA's "no browse" list, how do I get it off?
They are an employer. I think a Government employer should be able to use the exact same powers to restrict employee behavior (while at work) that private sector companies can and do use.
If this was about Dow Chemical or Procter and Gamble, rather than the government, would this article even be newsworthy?
Note that adult porn sites are not in the prohibited category! Maybe somebody in the Inspector General's office decided that looking at porn for "hidden terrorist messages" does not constitute "fraud, waste, or abuse" of government resources. Hey, where's that TSA agent? He went to his office 15 minutes ago and hasn't come out yet. What could he be doing on his office computer?
I dunno--the government always has more accountability in employment than the private sector. After all, private sector employers don't have to stick to a strict payscale, jump through stringent hoops when interviewing candidates, purchase from the lowest bidder, use a certain % of small-business suppliers--there's a lot of stuff the government has to do that private businesses don't because, well, it's the government.
And people wonder why government is so inefficient.
"I mean the best solution is to monitor and record access to whatever sites are deemed "controversial" rather than block, except in situations where sites have a high risk of being attack platforms and the cause of infection (e.g. "vice" sites)."
Adult sites are significantly *safer* (in terms of malware that attacks web browsers) than the web as a whole these days. That market is so competitive that admins have to have their act together or go under. I believe the worst offenders for "drive-by" malware are still song lyrics sites, though my data there may be stale.
"As the previous commenter said, they are just blocking their employees from going to KKK, etc. websites."
The commercial censorware invariably includes all sites that people complain about for expressing controversial opinions. Since most complaints to censorware companies come from outraged puritans, "controversial opinion" basically means any political or religious beliefs that are not accepted in the US bible belt. People on the other end of the political spectrum get outraged too, but they don't write to censorware companies and demand the suppression of things that outrage them, which is where the bias in censorware lists comes from.
It's not some grand conspiracy though. It's just a really good demonstration of the stupidity of crowds.
Bruce, your site isn't blocked, else I wouldn't be able to post. This is a non-issue. Some disgruntled employee/contractor not able to update their Facebook status sent this to stir something up. I guess it did!!
@bruce " ...block my Blog?"
I should certainly hope so. Else why bother?
When I followed your link, I found that the TSA had reversed its blocking of "controversial opinions."
No matter how incompetently the TSA implements its "mission," we do have to give them credit for consistently doing one thing extremely well. Whenever an embarrassing incident or story that portrays the agency in a bad light gets media publicity, they immediately take strong defensive action.
That's entirely different from corrective action, of course, unless it's something simple and unimportant like overzealous censorware that's someone else's fault. We all accept as an indisputable fact that when it comes to their mission of protecting aviation from terrorists, the TSA is incapable of error. So there's nothing to correct, even when the GAO issues a report that could be inappropriately interpreted as suggesting that their highly effective security measures lack any validation of their effectiveness.
So it's vital to National Security that the TSA's Anti-Defamation Team respond immediately to any erroneous reports to make sure the public knows the truth. Anyone who insists on portraying the TSA as something less than the highly effective Bulwark Against Aviation Terrorism obviously hates America and seeks to aid the enemy. So as always, whoever reported this insignificant IT problem is clearly in league with al-Qaeda. So just ignore it, take off your shoes, and put your arms above your head in a perfect equilateral triangle immediately after you enter the brand-new Freedom Scanner.
"They are an employer. I think a Government employer should be able to use the exact same powers to restrict employee behavior (while at work) that private sector companies can and do use."
Sure, they have the right to block employees from anything they want. But is it smart of them to do so? They're a government agency tasked with setting policies, supporting politicians with factual information and so on. Do you (whose government it is) really want them to try to carry out this work without being able to use the net to research opinions and facts about things that might be controversial to someone? Do you want them to research possible threats from extremist groups without being able to find out what those extremists boast publicly on the web?
This seems a surefire way to guarantee the lowest possible quality of the work the employees do.
I don't know about vulnerabilities to hacking, but I've used chat/IM in industry to communicate with colleagues-- it bridges the gap between "instant, yet disrupting" telephones and "not disrupting, but could be awhile before it gets read" email, and offers the instant communication of a phone conversation. Nice for debugging things without creating office noise.
Oh wait-- the TSA isn't interested in debugging things.
This is really nothing new, no one wants to find out that government employees are surfing hate group sites at work. I see the possibility of abuse when it comes to this category, but the mistake will happen in the vendor's categorization more so than intentional manipulation of the software...
@ NE Patriot: Hamachi, bought out by LogMeIn Inc., offers hacker-resistant IM by VPN with AES-256 encryption, and you can create and control your own networks, deciding who gets to join which (if any) -- or colleagues can give you the password (through secure email or other secure means, of course) for you to join theirs.
Free for non-commercial, personal home use, but probably worth looking into for enterprise use -- the security would surely be worth a decent price.
Disclaimer: I am not in any way connected with the above companies; just a very satisfied user.
So it appears that the process could be summed up by:
TSA puts head in sand; TSA takes head out of sand; TSA cannot decide whether to put head in sand...
America deserves better.
...robots... are... not... allowed... to... think...
The headline is seriously misleading.
I took it to mean that the TSA was somehow blocking all access to websites with "controversial opinions", or maybe blocking access from all computers in the USA. That would really have been newsworthy.
But that's not what's going on. They're just restricting what their employees can waste time on during working hours. A lot of employers do that; employees are not paid to surf the web. They can look at all the "controversial opinions" they want - on their own time, using their own equipment, in their own homes.
This is a brilliant plan! Hiding security problems from your security staff is SO MUCH more efficient than letting them actually work on these problems.
Once the local supermarket employees are under strict orders not to look at shoplifters, crime will be practically stopped in its tracks! :)
Sorry, but this is most likely an example of IT technical staff trying to implement a proxy with filtering (e.g. Bluecoat) without a proper inappropriate material, acceptable use, and malicious code standard that has been endorsed and approved by a governance body and that was created using a risk management based approach.
Sounds more like they need some help getting their ISMS in proper working order than a bogeyman to me.
> Oh, and there are usually filter bypasses for those working in law enforcement intelligence roles.
Not always. I know someone who was a government investigator (though not in the gun-carrying, arresting, 'law enforcement' sector); when they were investigating a casino, they had to do a bunch of work from home because the government agency firewall banned all gambling sites.
I know this is a bit late but who gets to judge the controversial opinions? Sounds like TSA wants to stay blind to the controversy it causes in the first place. I believe that the policy should be the opposite. The government exists to serve the needs of the people and government employees should be aware of what is being said of their work.