Slashdot Mirror
Unlock Internet or Risk Losing Staff?
Dan Warne writes "People don't want to work for employers who heavily restrict internet access, a senior Microsoft executive said in a keynote speech at the opening of Tech.Ed 2006 Sydney today. From the article: 'These kids are saying: forget it! I don't want to work with you. I don't want to work at a place where I can't be freely online during the day," said Microsoft Senior Design Anthropologist Ann Kiera. She dubbed internet-wary employers "digital immigrants" and said the new wave of younger workers were "digital natives".'"
Why is this in YRO? You have no right to internet access of any kind while at work. Yes, it's common, and I believe any loss of time from a worker doing a little browsing or IMing (within limits) is more than made up for by the productivity gained from a happier worker, but it isn't a violation of your rights to not have access or to have limited access.
As a sysadmin myself, I was put in charge of our Internet security and web site filtering strategy.
Initially, they implemented a Squid proxy that was set up so either you were granted "completely unrestricted" access, or "restricted" - which meant you could *only* visit web sites in an "allowed" list. The "unrestricted" access was, of course, originally only intended to be used for the sysadmin himself, and perhaps the owners of the company.
What ended up happening over the years (before I ever worked for them) was "key" people in many different departments received "unrestricted" access, because they threw huge fits or became too big a drain on the admin's time - asking for access to slews of sites needed for puchasing, getting price quotes, etc.
After looking at a number of options, I ended up using Dansguardian site filtering combined with Squid. The cost of software licensing or subscriptions was zero - making it MUCH easier to get approval for. (And if it didn't work out, nobody was going to "force" me to keep trying to use a broken solution, just because we spent $$$'s on it already.)
Our goal was always to put the brakes on productivity losses (and even to prevent potential lawsuits stemming from someone viewing porn and another employee being offended at seeing said porn, or what-not). As has been proven time and time again, unless you completely deny someone Internet access, he/she can eventually find ways to get to sites you'd rather not have them using while at work. The idea is to implement a solution that stops as many "grave offenses" as possible, while appearing pretty much invisible to regular Inet users.
I've found that a nice "side benefit" of doing this is the fact that you also tend to screen out some of the biggest contributors to loading spyware and other nasties on people's PCs. (Porn sites are a big offender in this area, for example.) But no, we didn't get into the site filtering as primarily a "computer security" issue at all.
It's not hard. You don't even need a separate subnet if you can do VLANs. Set up a Linux box with tagged VLANs and hook it up to a managed switch. Using iptables, redirect port 80 on each VLAN to Squid on a different port (8081, 8082, etc). You can create ACLs in Squid based on "Proxy Port" so that people connecting to 8081 get one set of ACLs and people on 8082 get another, etc. Of course you can also set ACLs based on client IP/subnet, but setting up VLANs is cooler.
If you want to add authentication to the mix, instead of transparent proxying you will need users to configure their browsers for your proxy on port 3128 or 8080 (you can still use the VLAN redirect thing for ports 8081 8082 etc). Use the msnt_auth plugin for Squid and now users can use their Windows domain login for web access. Only problem with msnt_auth is it only allows up to 12 chars for the password and some characters are not allowed, so users with wacky passwords may need to change them in order to get online.
DRM 'manages access' in the same way that a prison 'manages freedom'
I worked for a company that went from wide open to proxy. As I was the most internet-experienced tech on the support team, anything that needed to be researched fell to me. Also, I browse with multiple sessions of a browser open. Always have. Next thing I know, I'm getting called into the IS Director's office and given a list of where I've been. I pointed out each url and explained exactly why I'd been there, all work related. Their reply, "well.. this looks like you're not working, so don't do this again." Basically, they were asking me to not do my job. Until I left, I spent more time worrying about if I looked like I wasn't working.
Next company was wide open. Sure I had AIM open, bounced ideas off some techs I knew on IRC once in a while, but the pressure was off and I got more done.
{} ------ When I think of a good sig, I'll put it here
I've worked in numerous corporate and gov't centers ranging from 200 to 1000+ in size. All of them implemented some sort of phone restrictions that don't let you dial certain area codes. Heck, when new cell phone exchanges were introduced here (Northern, VA - DC - MD) it took a few days before someone realized the new exchanges weren't on the approved list. As you say, companies don't pay the same way consumers do for LD calls, but few companies are willing to deal with the penny-ante hassle of tracking down who made what calls and billing them for individually (or disciplining etc), let alone just swallow the cost of employees making the calls.
Some people do need more default access; sales people, CEO's, VPs and their secretaries, but the bulk of any office certainly doesn't need that type of access. Even if they do it is usually protected with charge codes to prevent people from making calls and then claiming it wasn't them who called.
So it comes down to tailoring the usage to the employees true needs. As has been mentioned, developers need access to technical resources (which are fairly hard to blanket qualify since blogs and other stuff sometimes is of great help).
People in cars cause accidents....accidents in cars cause people
Thats true if you have a manager who is responsive and actually knows what they are doing. The manager was the one that instated the policy. He was from a totally non-tech background and was one of those "promote from within" managers from a different department. Im sure he is probably gone now but he was adamant he knew better no matter how difficult it made the job for the rest of us.
I am a little surprised. I don't think I saw anyone admit that they recognize their own surfing habits cost them. It seems many recognize "other" people can have issues with it.
Full unfettered access destroys my productivity at times. I follow a thought and boom an hour has gone by. I would definitely prefer to be subject to whitelisting/blacklisting. First things to block: Slashdot and digg of course.
I know I would be doing a much better job if aimless surfing could be eliminated. But it is just so easy to click a link and read stuff, or comment on stories on slashdot. Our buisness communication depends heavily on our internal web so we all have contstant connectivity and at times external access can be handy, but I would be 100% in favor of restrictions.
I really think productivity would go up quite a bit. Most of my friends all admit to surfing too much on the job (we are all techies).
I am an info junky and always have been, even before getting Fidonet, I used to read tons of magazines about technology/science etc. In an environment with unfettered access is like a kid in a Candy store. Look: Shiny new Mazda roadster with retractable hardtop, planets 8, 9, 12 or 50?, New rumored Canon 400D DSLR, New ATI Radeons (damn I got sidetracked while writing this to read about new Radeon). You get the idea.
So Yes please, bring on the filtering. Some of us just can't handle unlimited access to information.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
That's not how dual licensing works. Trolltech Qt is an example of dual licensing: it's open sourced, but you can also pay them for a commercial license which permits you to use it in non open source software, ie you can create derived works that don't have their source code released.
I don't think you can release something under the GPL and then say it's not for commercial use, like another poster said, anybody can just download the code and redistribute (that's the right the GPL grants!) without strings attached. Of course, they're free to release it under a license that permits redistribution only to non-commercial users, but that license isn't the GPL and it's not GPL compatible, either, so you can't incorporate derived works into the software.
Switch back to Slashdot's D1 system.
I currently have all non-work related internet access shut off in my company. This is not because I wish to, or because management is paranoid or whatnot. It's becuase of the Payment Card Industry Cardholder Information Security Program. It states that if any company that accepts/processes/stores/handles credit card information HAS to lock down interent access. Failure to comply with this program could lead to losing your merchant account or fines of up to %$500,000 per instance of fraudulent credit card use. I would love to let my employee's check the news/e-mail/slashdot, but unless this regulation is modified or done away with completely, I can't afford to take the chance. For more info on this see www.visa.com/cisp. BTW, my company actually does enough credit card volume that we have to have security audits, even though we've never had an instance of fraud. Open internet access would fail me on the audits.