Civil Servant Watching Porn At Work Blamed For Government Malware Outbreak

An anonymous reader quotes a report from TechCrunch: A U.S. government network was infected with malware thanks to one employee's "extensive history" of watching porn on his work computer, investigators have found. The audit, carried out by the U.S. Department of the Interior's inspector general, found that a U.S. Geological Survey (USGS) network at the EROS Center, a satellite imaging facility in South Dakota, was infected after an unnamed employee visited thousands of porn pages that contained malware, which downloaded to his laptop and "exploited the USGS' network." Investigators found that many of the porn images were "subsequently saved to an unauthorized USB device and personal Android cell phone," which was connected to the employee's government-issued computer. Investigators found that his Android cell phone "was also infected with malware." The findings were made public in a report earlier this month but buried on the U.S. government's oversight website and went largely unreported.

Single Rogue Host

Single rogue host infects network. Defense-in-depth anyone? Bueller? ..

Re:Single Rogue Host

[guruevi]

Wanna bet it was Windows based?

Re:Single Rogue Host

[cayenne8]

Wanna bet it was Windows based?

Wanna bet that since the person is a civil servant, that even after being caught, will still NOT be able to be fired?

Re: Single Rogue Host

The only time a Windows machine is safe is during its forced biweekly reboot.

Re:Single Rogue Host

[Opportunist]

Wanna bet that he will be? You need a scapegoat after something like that, after all, and he's neither a politician nor a CEO.

Re:Single Rogue Host

[Kiaser+Zohsay]

Wanna bet they used IE 6 on XP to support some gawd-awful "legacy system" built by a low bidder back in the 90's?

Re:Single Rogue Host

"Wanna bet that since the person is a civil servant, that even after being caught, will still NOT be able to be fired?"

'We have the best people.'

Re: Single Rogue Host

This is why you don't make all government computers openly connect to one another, or else some jerk-off (being literal here) infects your military/etc through some gardening branch of government.

Re:Single Rogue Host

Just because the idiot is a government employee doesn't make him any worse than the millions of employees in corporations and schools who also watch porn. I agree the network should be more locked down, but that assumes one is able to hire higher quality sysadmins, and most likely the gov't can't afford to pay them. (remember, our current fearless leader thinks we ought to reduce the size of our federal government.)

Re:Single Rogue Host

[ThurstonMoore]

Well we know his infected phone was Linux based, what's your point?

Re: Single Rogue Host

Do you want to get work done, and make money, or do you want to spend all your time maintaining, upgrading, retraining, and supporting changes? There is an old saying, if it ain't broke, don't fix it. You either have agility in business, or agility in I.T., rarely do you have both.

Re: Single Rogue Host

[cayenne8]

Why would you fire the employee who committed a relatively unimportant and meaningless act when the real problem is in the security system, or even in the overtly infected porn industry?

Your priorities are entirely wrong, as usual for somebody who lacks perspective.

Seriously?

My base perspective is...the idiot is getting paid my MY (and yours) tax dollars, and I"m guessing the job description says nothing about surfing porn on the federal dollar?

Are you telling me that someone that did this very same thing in the private sector wouldn't be canned in a new york minute??

Seriously...are you saying you think it is acceptable to surf porn at work?

Sure, better security, that's a given, but you think this person should not be held directly responsible for doing something that EVERYONE knows they are not supposed to do at work on the clock on work computers.

Hell, government computers come with all kinds of warnings the second you try to log onto them, it isn't like anyone on a federal computer wouldn't know this a forbidden thing to do.....

Re: Single Rogue Host

Hazarding a guess here, you're posting this from your work PC/laptop aren't you?

Re:Single Rogue Host

[lactose99]

This is, sadly, all too common.

Re: Single Rogue Host

[cayenne8]

Hazarding a guess here, you're posting this from your work PC/laptop aren't you?

Nope.

And even if I were...it isn't pr0n.

And, work policies allow for some personal web time during the work day, as long as it isn't against company policies such as viewing pr0n, etc.

Most workplaces allow some person computer time, but I don't know of any that allow pr0n surfing on the clock on work equipment...save maybe at FB searching for bad content to remove.

Re: Single Rogue Host

"Are you saying it is acceptable to surf porn at work?"
No, they're saying you lack perspective. And they're right.
The biggest problem here isn't that someone was looking at naughty pictures, it was that the network security posture couldn't handle it.

Re: Single Rogue Host

[mhail]

Old IT admin here. We had a user that was not only downloading gigs at work to his work laptop, he was also using his processor at 100% for 8 hours a day. When we investigated, he was downloading gigs of regular porn and using his work computer to process them into "3D" like google street view. ALL DAY for weeks until we noticed. Dude got shit canned real fast. Higher ups just wanted to know if it was ALSO anything illegal. Got paid to watch his 3D porn for "research"

Re: Single Rogue Host

[Kiaser+Zohsay]

If it ain't broke don't fix it, but broke is highly subjective. It might happen slowly, but at some point the reliance on outdated, unsupported, insecure tech crosses the threshold into broke territory, and your frog gets boiled.

Re: Single Rogue Host

[doesnothingwell]

but I don't know of any that allow pr0n surfing on the clock on work equipment...

My old boss just told me to - Put it on the server and send me a link.

Re:Single Rogue Host

[TomGreenhaw]

With less than a 2% usage rate for Linux on total desktops out there (quick google search), there is little doubt is was Windows.

For this to occur, there couldn't have been a firewall with content filtering, anti-virus, or likely even a patch management policy.

For gross network security management negligence like this, any operating system would likely have been compromised.

Re: Single Rogue Host

Why play with a green bean when the eggplant offers so much more!

Re:Single Rogue Host

[PmanAce]

Android is not windows based you idiot or are you trolling and leaving key information out?

Re:Single Rogue Host

[hey!]

Securing hosts from other, rogue hosts doesn't do much to protect them if the attack vector is a rogue user.

This is a data management agency and if you compromise the right user's devices those devices can be used to launch attacks on many hosts.

Re:Single Rogue Host

[poptix]

If he had so much time to surf porn at work, and none of his superiors noticed, clearly they should have all been part of that reduction of government.

Re: Single Rogue Host

Seriously?

Did my post get modded Funny or something?

My base perspective is...the idiot is getting paid my MY (and yours) tax dollars, and I"m guessing the job description says nothing about surfing porn on the federal dollar?

And that is where you perspective is demonstrated as myopically flawed as you continue to say nothing about the real issues with your inane focus on a trivial concern.

Are you telling me that someone that did this very same thing in the private sector wouldn't be canned in a new york minute??

The numerous security breaches at corporations indicate that they aren't doing much better.

Seriously...are you saying you think it is acceptable to surf porn at work?

I'm focusing on you and your faulty focus on a single employee.

Sure, better security, that's a given, but you think this person should not be held directly responsible for doing something that EVERYONE knows they are not supposed to do at work on the clock on work computers.

Surfing port didn't cause the problem, and no, it is not a given, rather the opposite, hysterical prudes such as yourself scream over an inconsequential action while ignoring the matters of substance so hard you blithely declare it isn't a problem.

Hell, government computers come with all kinds of warnings the second you try to log onto them, it isn't like anyone on a federal computer wouldn't know this a forbidden thing to do.....

And just think how they wasted effort on that and not on actual matters of importance.

It's like sending thousands of military personnel on a bogus mission to the point they forget the sentries at Fort Knox.

Learn to perceive real problems.

Every second you spend fuming about this single employee while ignoring the whole flawed security apparatus in the industry itself is the real waste.

Re: Single Rogue Host

And even if I were...it isn't pr0n.

You may want to set your threshold a bit lower.

Re: Single Rogue Host

Are you telling me that someone that did this very same thing in the private sector wouldn't be canned in a new york minute??

Had a GS-11 show up for work shitfaced at 7AM. She got told to go home for the day.

Re: Single Rogue Host

Had a GS-13 claim vampires attacked the President.

Was given six months leave and transferred to a job with "top men" in Montana.

Re: Single Rogue Host

[saloomy]

Clearly at $3t and with its ability to afford to pay people to watch porn, it needs to be reduced. He was stealing from tax payers.

Re:Single Rogue Host

Recently, I used to work in a government lab, and it is astonishing how hard it is to fire someone with a permanent appointment. It was far easier for remove a subcontractor for watching porn on other people's computers, but a permanent employee may just be put in a "performance improvement plan" if they do something similar. In fact someone who said offensive and inappropriate things to some of the younger co-ops just got their wrist slapped.
It's very sad.

Re: Single Rogue Host

civil servant assigned to the USGS network at the EROS center
 
  and our poor confused lowly civil servant, who early on in his career had been accused of having a one-track mind, took the EROS assignment the wrong way. And stuck to his job the only way he knew how, by going online with this sole purpose. waiting to get caught

Re: Single Rogue Host

Depends upon the role. Worked for a company where the goddamned CEO was the one doing the porn surfing and got the fucking networked ratfucked and then had the temerity to send out an email admonishing the company for using company resources improperly. Mother fucker, it was you, we know it was you, you know we can see the fucking reflection of your monitor off the window behind you, IT says it was you, fuck you.

Glad I left that company.

Re: Single Rogue Host

[myth24601]

My base perspective is...the idiot is getting paid my MY (and yours) tax dollars, and I"m guessing the job description says nothing about surfing porn on the federal dollar?

.
Maybe he was working on a government study of Pr0N use when monkeys are given a computer. It could happen, I have seen governments study stupider stuff.

Re:Single Rogue Host

[guruevi]

The Android seems to have been a carrier of the data. Not how the Windows host got infected, as far as I know there isn't any malware that infects both Android and Windows

Re: Single Rogue Host

[guruevi]

Old IT admin here but also knowledgeable about legal frameworks. You shouldn't be investigating anyone for anything illegal, you don't have the knowledge, legal standing or tools for proper forensic examination. If you did find something, the evidence would be declared botched by any first year attorney and a mistrial would be declared, you may even become liable yourself.

If your employer wants to know if your employee did something illegal, get the right people involved to do the right kind of investigation. That means third party or police/government agency.

Re: Single Rogue Host

[morethanapapercert]

I'm former IT as well, but from Canada, so the actual laws are different, but I think the underlying legal principles should be very comparable.

With that in mind, let me say that the duly appointed sysadmin or anyone from the IT staff can look at things without it being considered to "taint" evidence, otherwise we'd never be able to convict the sick (and stupid) people who take their computer into Best Buy for repair while leaving a folder full of child pornography.

What I was taught in school, and instructed to do at several jobs (including one internship at the provincial gov't level) was this: Do your job, which may include examining data a user has stored on their work issued equipment. IF you see anything that you think is illegal or even questionable, tell the boss and call the cops. Do not touch the machine any further. Do not even shut it down. The boss will then see to it that physical access to the device is restricted and the police will show up to handle the disconnection from the network and possible shut down. (did you know the police actually have a device that lets them fake a network connection and keep a desktop machine fully powered while driving it across town? I found the bit where they slipped a probe between plug and outlet to seamlessly transfer power source from wall to battery pack particularly fascinating).

The reason for this policy is three fold:

1) A lot of successful prosecutions, especially for illegal porn, rely on happen-stance. A tech stumbling over something, a creep forgets to log out and his wife finds it, whatever. As long as the discoverer can swear in court that they just stumbled across it and did nothing that would alter the data, then the data is still admissible.

2) The police just do NOT have the manpower to handle every "we fired John for surfing porn at work, can you come and check his machine to see if he did anything illegal as well?

3) The report of the discoverer is often the basis for probable cause and issuance of a warrant. If I didn't tell the police I saw something off, they would have no legal basis from which to proceed with an investigation.

One last thought: Even if a guy does surf or create child porn on the work issued equipment, while sufficient for conviction, it may not always be the sole source of such evidence. Any one making illegal porn on a work machine probably has more of it on his personal machine back home as well. (pedos are also notorious for amassing large collections) Thus, even if the evidence I uncover is not enough to convict on its own, it's still enough to justify warrants and investigation to collect more, better quality evidence.

Re: Single Rogue Host

[guruevi]

Yes, I agree, you can "stumble across" something but you can't go out and hunt for evidence. If your company is truly worried but has no sufficient proof, get a professional third party forensic investigator (and an attorney to give you advice). Otherwise it's just a suspicion/allegation/gut feeling but in many cases you can't just go out and look for something you suspect.

I had something similar fairly recently (allegations of sexual harassment with HR-goons subsequently botching the thing) and the CIO simply searched employee email to "resolve" the issue. A civil case ensued and the judge ruled that the company didn't have a clear enough policy on searching email (which just stated "we can search your email" somewhere deep in a trail of related IT policies) and violated the expectation of privacy of those involved.

Re:Single Rogue Host

[NicBenjamin]

Presumably he got an Android virus doing stupid shit on his Android phone, and got a Windows virus because he was doing stupid shit on his desktop.

EROS center?!

The jokes write themselves!

Re:EROS center?!

[HarrySquatter]

Those cheeky bastards!!!

Re:EROS center?!

Right, I thought the same thing.
But venture a guess on how many get the joke...?

Re:EROS center?!

[CosineHamster]

Poor guy,he didn't search for porn long enough ; with enough hits on EROS; he would have found his way back to his own company.

Re:EROS center?!

[Thud457]

At least this time it didn't lead to the lockdown of the office and conspiracy theories about alien contact.

Re:EROS center?!

[Scarletdown]

You are not the only one to take note.

To quote Buck Murdock (Airplane II: The Sequel), "Irony can be very ironic."

I bet

[Revek]

He go a promotion. Its not like they fire employees.

Re:I bet

[Revek]

Nope, not offtopic. The problem with these public organizations is that they are allowed to do these things due to the fact they are rarely fired for them. Its almost impossible to get fired from a government job. This person will most likely get a little slap on the wrist and after a year or so be promoted and or receive a raise. The IT in their organization will most likely not face any penalty for not having secured their network and the devices operating on it. They talk about a blacklist of sites when they should be talking about a whitelist of allowed sites. I wonder if there is any data out there on how many people have been fired from the USGS?

Re: I bet

He go? What do you think this is? Second grade?

Re:I bet

[arth1]

They talk about a blacklist of sites when they should be talking about a whitelist of allowed sites.

While this sounds nice in theory, in practice it is very hard to implement in a way that works and doesn't just hinder work. The people who administer the whitelist are not going to know what is needed for every job function. Nor will they have the capacity to monitor every whitelisted object to ensure that it remains safe. (One of the whitelisted sites might start serving ads proxied through their server - ads which aren't safe.)
And for the users, requesting sites being added to a whitelist as needed can delay entire teams for days on end. What do you mean, we cannot download the schematics for the microcontroller we just discovered a problem with until it's added to a whitelist? And when it delays a high level manager who needs to look at a web site of a potentially new supplier or customer, the whitelist system will be gone.

Re:I bet

[Revek]

I admit its not easy on the front end but you can easily get a good start by logging sites visited for a month and start with that. I've helped with the implementation of a white list at a few businesses and after a month or two its just a matter of maintenance.

Re: I bet

[Revek]

Yeah, its called a typo. You should look that up.

Re:I bet

Free market, the government would already be in bankruptcy and we could push our tax dollars to a more efficient organization.

Re:I bet

[NicBenjamin]

At a business. Where everyone works in the same industry, and needs the same sites. My emplyers (Home Depot and H and R Block) would generate very different whitelists.

If you're talking about the government the scale of required sites goes up exponentially. A single IRS office will probably need access to most of the finance sites H and R Block uses, plus all the sites Home Depot uses (might be auditing a contractor and need to find out how many boxes of nails are needed for a $50k expense to be justified), etc.

Re:I bet

[Revek]

Its obvious that a whitelist would be specific to the business. It depends on weather you want you're employees to be able to access the whole of the internet. One eye doctor had us lock it down until they literally couldn't access anything unrelated to the job. She maintains the list herself and since it was installed none of her machines have become infected. On a larger scale it would require someone to work that desk full time but it would have the benefit of reducing this types of breach. You don't have to have a sysadmin to maintain it. You can train almost anyone to manage the list once its configured. You talk about cost but whats the cost of having unrestricted internet access in a large organization?

Re:I bet

[NicBenjamin]

I didn't actually bring up cost. I brought up the scale of he whitelist, and the difficulty of administering it, but not the cost. This is the Federal government, there are literally millions of users, so any costs would be trivial on a per-user basis. The problem is creating some system that will actually whitelist the right websites for the right offices. A single small business does like one thing, for one segment of the market. The government does almost everything.

Knowing the Feds, what you'd end up with is some interestingly-acronymed government department to do all the work. Other government agencies would spend a significant amount of time arguing with interestingly-acronymed-ones about what's on the whitelist. For example, just think of the sites required if a DEA Agent in Reno has to figure out whether a shipment of garden gnomes is cover for cocaine.

A government-wide black-list would make more sense, because it's much less likely some rando Federal employew\e will have a need for a porn site or something,

Not the only one at blame

[Somebody+Is+Using+My]

The porn-watcher might have been the patient-zero of this outbreak, but I think as much if not more blame needs be laid at the feet of the IT staff that allowed the malware to get as far as it did. Limit user privileges, lock down access ports and use secure operating systems and the damage would not have been as severe; it might only have been limited to that single user's machine.

But that sort of thinking would require a costly revamping of the entire computer infrastructure, so better to put the blame on a single user, who could just as easily have gotten the malware from an ad on a perfectly legitimate site. Fortunately, he was viewing porn (naked bodies entwined together! The most evil threat America has ever faced!) so it's easy to throw him to the wolves.

Re:Not the only one at blame

[lgw]

use secure operating systems

Let me know when you find one. All browsers are vulnerable to something. Every OS has privilege excalation exploits and zero-days.

Or were you just thinking "don't use Windows XP"? Yeah, I think everyone gets that now.

so better to put the blame on a single user, who could just as easily have gotten the malware from an ad on a perfectly legitimate site. Fortunately, he was viewing porn (naked bodies entwined together! The most evil threat America has ever faced!) so it's easy to throw him to the wolves.

Paid porn sites have damn good security, and are about the safest place on the web. The problem is the sites that come up when you google for porn (SEO malware sites), plus the ad networks used by free porn sites.

To your point: an ad blocker would probably have prevented this, along with the default behavior of most browsers to block known malware sites.

Re: Not the only one at blame

Maybe this guy was the IT department?

Re:Not the only one at blame

[coofercat]

Here in the UK, the government makes sure the potential infection is huge so it makes all that work to protect them from it worth the investment. https://www.telegraph.co.uk/ne...

Re:Not the only one at blame

who could just as easily have gotten the malware from an ad on a perfectly legitimate site

Exactly. The press could have written "Government Malware Outbreak caused by web browsing", but no, they had to violate someone's privacy in passing. It's like writing "car accident on Main Street, the faulty driver was on his way to an extramarital affair". Why do reporters do this?

Re:Not the only one at blame

[Bite+The+Pillow]

His manager, who didn't realize thus guy is spending a lot of time not working

The network support, who didn't notice high band with use and try to figure if it was legit

His coworkers who almost certainly knew he wasn't working

Re:Not the only one at blame

Let me know when you find one. All browsers are vulnerable to something. Every OS has privilege excalation exploits and zero-days.

While that may be true, your choice in browser and OS determines how much flexibility you have as an IT manager to lock shit down. Windows and IE just don't provide that level of control, but Linux and Firefox can be stripped down to barely nothing if necessary. Windows could "helpfully" open up vulnerabilities you thought you closed down months ago, whereas most Linux distros wait for you to merge in config changes instead of clobbering the defaults back in without asking or telling. I've never had to worry about remote root login being re-enabled on my ssh daemon. I turned it off, that means it's fucking staying off.

Re:Not the only one at blame

While that may be true, your choice in browser and OS determines how much flexibility you have as an IT manager to lock shit down.

Per the article, the infection transferred from his laptop to the facility network by USB.

Re:Not the only one at blame

[arth1]

Every OS has privilege excalation exploits

There are OSes with no privilege separation, and thus no privilege escalation, and thus no privilege escalation exploits.

Of course, that's not the type of operating systems an end-user would use, but still, your "every" is wrong.

Re:Not the only one at blame

[StormReaver]

Let me know when you find one.

While no browser is completely secure, EVERYTHING is more secure than I.E./Edge. And while no operating system is completely secure, most everything is more secure than Windows (which has very little to do with its market dominance; its security is like Swiss cheese) or MacOS (which sacrifices a lot of security to make it shiny).

Yes, Linux is WAY more security than both of them combined, but Javascript and Intel-based CPU's are the major vectors for concern nowadays. Both of them significantly negate all operating system security, and should be relegated to the shitcan of history.

Re:Not the only one at blame

Yes yes, you bored us already about this...

https://slashdot.org/comments.pl?sid=12647836&cid=57359796

Re:Not the only one at blame

[geekmux]

The porn-watcher might have been the patient-zero of this outbreak, but I think as much if not more blame needs be laid at the feet of the IT staff that allowed the malware to get as far as it did. Limit user privileges, lock down access ports and use secure operating systems and the damage would not have been as severe; it might only have been limited to that single user's machine.

But that sort of thinking would require a costly revamping of the entire computer infrastructure, so better to put the blame on a single user, who could just as easily have gotten the malware from an ad on a perfectly legitimate site. Fortunately, he was viewing porn (naked bodies entwined together! The most evil threat America has ever faced!) so it's easy to throw him to the wolves.

The porn-watcher might have been the patient-zero of this outbreak, but I think as much if not more blame needs be laid at the feet of the IT staff that allowed the malware to get as far as it did. Limit user privileges, lock down access ports and use secure operating systems and the damage would not have been as severe; it might only have been limited to that single user's machine.

I do agree with you regarding the IT policies that are severely lacking, but I'll believe there was an actual "outbreak" when the evidence presents itself. Neither TFS or TFA really says anything about the extent of this "outbreak" or the true damage that was caused, which tends to turn this entire article into nothing more than sensationalist bullshit. In fact, if you read the actual report, it states quite clearly that a single computer was found to have malware present, and it "exploited the USGS' network." with zero additional detail.

But that sort of thinking would require a costly revamping of the entire computer infrastructure, so better to put the blame on a single user, who could just as easily have gotten the malware from an ad on a perfectly legitimate site. Fortunately, he was viewing porn (naked bodies entwined together! The most evil threat America has ever faced!) so it's easy to throw him to the wolves.

Speaking of sensationalism, let's put aside the Americanized moral arguments here. Porn in the workplace is unprofessional at best and offensive and damaging at worst. That's common sense, and regardless of country. And there's more that just a good chance this infection was caused by that activity given the sheer volume of that activity, so it's hardly innocent activity no matter your moral stance or acceptance of pornography.

Re: Not the only one at blame

[LordWabbit2]

It's not only intel CPU's, ARM have their own issues as well. From an article about Spectre and meltdown.
"In particular, we have verified Spectre on Intel, AMD, and ARM processors."

Re:Not the only one at blame

[lactose99]

Paid porn sites have damn good security, and are about the safest place on the web. The problem is the sites that come up when you google for porn (SEO malware sites), plus the ad networks used by free porn sites.

Never really thought about it before but this is a damn good point. Too bad pay-for-porn doesn't market it as such.

Re: Not the only one at blame

Because it sells ads. You did know that's what news outlets exist for, right? They don't exist so you can get the news.

Re:Not the only one at blame

[CosineHamster]

Operating Systems with no privilege separations? By that; do you mean operating systems where everyone is an administrator? That doesn't seem like a very good solution to preventing privilege escalation exploits. That's like saying "We don't worry about prisoners escaping to masquerade as guards! Everyone here is a guard already! "

Re:Not the only one at blame

Don't blame IT so quickly. "Scientists" utterly rage at any attempt to "control" they're usage of computer resources. Having local admin is common place and expected from the user base, and supported by management. Even content filtering tends to be a "taboo", again also supported by management who are often or were scientists themselves.

Re:Not the only one at blame

I call BS on that - with build configuration options coupled with an incredible breadth of GPO options you can severely lock down a windows machine and IE. Most orgs don't do that but it can be done - I've seen it done and I've done it to some extent myself as well.

Re:Not the only one at blame

[arth1]

There are some older operating systems like DOS where users did have full control, but there are also modern operating systems where there is no privilege separation, like microcontroller operating systems. Your kitchen scales don't need to prevent privilege escalation exploits.
(Although it would be a good hack to have the scales report too high weights of anything healthy and too low weights of anything unhealthy, slowly increasing the risks of death for the users.)

Re:Not the only one at blame

[lgw]

Windows and IE just don't provide that level of control

Windows lets you lock down just about anything via GPO. IE is being end-of-lifed, but you did have decent control over it. The big problem IE always had was lack of a common ad-blocker to force people to use (there were some, but none free).

Re:Not the only one at blame

[Tablizer]

manager [didn't realize this guy] is spending a lot of time not working

Not necessarily. He/she could be an efficient worker who does in 3 hours what most do in 8. I've met some like that.

Normally such a person would go to the private sector instead, but maybe they valued "play time" over money.

Re:Not the only one at blame

The network support, who didn't notice high band with use and try to figure if it was legit

Porn websites wouldn't be high use compared to the kind of data the USGS throws around. Now the sources of that data certainly should have raised red flags.

Re:Not the only one at blame

[lgw]

hile no browser is completely secure, EVERYTHING is more secure than I.E./Edge.

Edge is definitely more secure than Firefox. Pay attention the the Slashdot stories on hacking events and the like: IE and Firefox are being excluded as "too easy", while Chrome and Edge are harder targets. It's not 1998 any more, or even 2008.

most everything is more secure than Windows

That stopped being true with Vista, which was a long time ago now. XP sucked because in practice most people ran as local admin, and had admin privileges. Vista was much like Ubuntu: you get a pop-up whenever you need to elevate to admin/root. It's not 1998 any more, or even 2008.

Re:Not the only one at blame

[thegarbz]

at the feet of the IT staff that allowed the malware to get as far as it did.

Why are we talking about malware? How about the IT staff that allowed someone to visit "thousands" of porn sites without being flagged down for disciplinary measures. I'm willing to bet that this happened over quite a period of time.

Re:Not the only one at blame

[Zontar+The+Mindless]

The press could have written "Government Malware Outbreak caused by web browsing", but no, they had to violate someone's privacy in passing. It's like writing "car accident on Main Street, the faulty driver was on his way to an extramarital affair". Why do reporters do this?

Ex-reporter here to inform you that, if it's in a police report, it's not private.

Re:Not the only one at blame

[aberglas]

Or his manager may have decided the less work he does the less damage he can do.

Or his manager liked watching porn on his computer.

Re:Not the only one at blame

[NicBenjamin]

And while no operating system is completely secure, most everything is more secure than Windows (which has very little to do with its market dominance; its security is like Swiss cheese) or MacOS (which sacrifices a lot of security to make it shiny).

Yes, Linux is WAY more security than both of them combined, but Javascript and Intel-based CPU's are the major vectors for concern nowadays. Both of them significantly negate all operating system security, and should be relegated to the shitcan of history.

You're exaggerating. Back in the days of the "I'm a Mac"/"I'm a PC" commercials Apple was absolutely right to mock the fuck out of Windows security. It sucked. But these days almost all the holes are gone, and with Windows Defender you don't even really need Windows Anti-Virus software anymore. Which is just like OS X.

As for the rest of "most everything," I respectfully a couple of clusters of Unixen used primarily by Sysadmin/High Geek types better be more secure then the shit us hoi polloi use.

Re:Not the only one at blame

Don't get out much, do you? "The porn-watcher might have been the patient-zero..." Yes, watching porn on a work computer is something that could happen to anyone! In fact they were browsing on a perfectly legitimate site, and suddenly, there was the porn! Oh noes, how did that happen!? How does one shut off tey evul porn, it can't be done!

The responsibility chain goes something like this:

1). The porn hound;
2). The porn hound's supervisor;
3). Corporate HR;
4). Corporate IT.

It's certainly not, "as much or more blame for IT". Locking down software, web sites and all the rest are fundamentally defensive measures. While they are great and all, if that's the main thing between you and security Armageddon, you have a problem with corporate priorities.

Well, it is called the EROS center

He might have thought he was okay.

Reminder to be careful what you make your acronyms

He worked at the EROS Center. Of course he was watching porn

Once again

We learn that defense in depth should include regular monitoring. Surely "thousands of pages" should make even a basic report on traffic volume.

Does competence matter anymore?

Re:Once again

competence doesn't matter with government. And don't call me Shirley.

Yeah, this happens. Not just in the USG either.

[Da+w00t]

If you work computer security for any company of decent size, you're gonna discover someone surfing porn. Most times we give folks the benefit of a doubt the 1st time in case it's some porn ad something on an otherwise "okay" site (gray, but not really a policy violation), but once a pattern of porn surfing is discovered, it usually results in someone getting written up, potentially ending with them losing their job.

Don't do this at work. You're not on your personal computer, it could be a shared computer (ewwww), and it's not your network. There's always someone watching to the benefit of the company, not you. It makes for an awful work environment for the people in the office, and can bring in malware. There's a joke I heard, of people clicking on the Yes/Accept/Install buttons ... "do I have porn yet?" [click] "do I have porn yet?" [click]. Lots of malware comes down in the form of a "video codec" or plugin you need to watch the media. It's just awful.

You did notice where he worked?

"The EROS Center..." Oh, can irony get any better than this??!!

Re:You did notice where he worked?

This is only about as ironic as rain on your wedding day.

Re:Yeah, this happens. Not just in the USG either.

Lots of malware comes down in the form of a "video codec" or plugin you need to watch the media. It's just awful.

LOL, and that is why I do all of my porn watching on a FreeBSD VM with a locked down Firefox which doesn't allow scripts or plugins.

No way in hell I trust a bloody porn site to not be infested with malicious shit.

Happens probably a lot

Many security experts say the weakest link is the employee who does stupid things. But let's also consider the amount of wasted time as well. If its not porn, its shopping, social sites, or other non job web use.

Re:Happens probably a lot

[Opportunist]

In my experience (with more than a decade in IT security), the weakest link is that CEO secretary that curiously needs to bypass the corporate content filter and also needs for some godawful reason admin access on her PC, despite the fact that she can't turn on the machine without causing a security incident.

Re:Happens probably a lot

[Kiaser+Zohsay]

or other non job web use.

Like, oh, say, Slashdot?

Re:Happens probably a lot

[arth1]

A reasonable amount of non-work at work makes the employees more content, and content workers is usually a plus.
It should of course be reasonable, but if you expect people to work like slaves for hours straight with no amount of non-work activity interspersed, expect malcontents and burn-outs.
Fifteen minutes of shopping or news reading or something a couple of times a day might be acceptable. Hours on end, not so much.

Re:Happens probably a lot

In my experience (with more than a decade in IT security), the weakest link is that CEO secretary that curiously needs to bypass the corporate content filter and also needs for some godawful reason admin access on her PC, despite the fact that she can't turn on the machine without causing a security incident.

Fucking A.

Also a soft target for social engineering.

Re:Happens probably a lot

[dissy]

Many security experts say the weakest link is the employee who does stupid things. But let's also consider the amount of wasted time as well. If its not porn, its shopping, social sites, or other non job web use

Two points to that.

One, shopping sites (at least such as Amazon and the like) in my experience actually have far more benefits than not to allow.

I commonly see and hear of people doing their grocery shopping on their 3pm break to line up with 2 hour prime delivery for when they get home.
Those who have managers that disallow it have a *far* higher rate of requests to leave a full hour early to do the same shopping physically.

That's the difference between a quarter sized chunk of time the employee is legally entitled to not working during, vs a full hour of pay adjustment with lack of that hours productivity.

Other than that one item on your list however I do agree the rest are at best huge time wasters and at worse an infection method and workplace disruption.

The second point however is a bit more general. While there are certainly technical steps one can take to at least protect from malware and known bad websites, for the most part such time wasters (think social media) are by far more of a people problem than a technical one, and need to be solved accordingly.

Locking things down does have an effect on morale to people who can act like adults and behave themselves. This is harder to measure but does exist, and at the end of the day it comes at the cost of attempting and ultimately failing to punish the time waster with ineffective technical means.

Ever hear the old "standing around the water cooler telling hour long stories" meme?
That's the thing, time wasters will always find a way to waste time, and it doesn't need to be by technical means.
This is a problem with the person that needs addressed, not with the technology we run.
If a person is not putting in the hours they are being paid for, that is the problem, no matter the reason for it.
If a person is paid for an end result and not delivering, that is the problem, no matter the reason for it.
This is true no matter if it's wasting time on facebook or wasting time hovering around the break room water cooler, and that fact alone shows this isn't an IT/technical problem to fix.

Spending IT time and resources fixing one tiny avenue of wasting time will not fix all the other ways to do it, and will not fix the problem which is the person wasting time. It simply costs more for nearly zero benefit.

Food for thought.

This is why i use Apple products

If this upstanding civil servant was using a mac and an iphone this wouldnt have happened

Re:Yeah, this happens. Not just in the USG either.

And yet we had awhile back were commentators said they wouldn't work at a company that didn't allow internet access. Guess they had to get their porn fixing somehow and externalize the costs to their employers.

public shaming by media

So now slashdot has brought it to the front to publicly shame the individual?

Trial by media... shame on you slashdot.

Re:public shaming by media

[aitikin]

So now slashdot has brought it to the front to publicly shame the individual?

You must be new here...

Re:public shaming by media

[hduff]

So now slashdot has brought it to the front to publicly shame the individual?

Trial by media... shame on you slashdot.

Welcome to the Internet. Have a good time!

“G” stands for Geological

[93+Escort+Wagon]

But this dude apparently thought he worked for the United States Gynecological Survey.

Re: “G” stands for Geological

[LordWabbit2]

Well at least he was hard at work.

Re: “G” stands for Geological

[93+Escort+Wagon]

I was going to reply with *rimshot* but then realized that might not be the best choice, given the context.

Re: “G” stands for Geological

I was going to reply with *rimshot* but then realized that might not be the best choice, given the context.

This is why we can't have nice things.

Re: “G” stands for Geological

Well at least he was hard at work.

I thought he was working on getting hard...

Re:“G” stands for Geological

[Deep+Esophagus]

First they'll erect a new firewall to guard against repeated penetration. Then they're going to take a long, hard look at employees' computer usage patterns. Anyone caught will face stiff punishment. And if you think you'll escape detection, you'd best disabuse yourself of that notion.

Porn at **EROS** center? Seriously?

It's not March 31st yet, slashdot!

https://www.greekmythology.com/Other_Gods/Eros/eros.html

The guy probably thought he signed up for Peeping Satellite Tom Duty.
Not that he's called Tom or anything. Or that I would know.
Or that such things happen, or are even technically possible with satellites.. AHEM.

-f

Re:Yeah, this happens. Not just in the USG either.

[mark-t]

If you work computer security for any company of decent size...

And just how many people is that, precisely? 20? 50? 100? 1000?

Re:Yeah, this happens. Not just in the USG either.

I used to work for a bank where one of the IT staff was found hosting porn on company servers.
Turned out he was a semiprofessional gay porn "star," and he liked not paying for bandwidth.

How? Why?

[CustomSolvers2]

I am seriously considering the option of becoming a public servant and this information seems quite useful. Note to myself: when visiting porn sites at work, never download anything! LOL.

Seriously, who downloads an executable from a porn site?! Part of the pathetically-nonsensical spam I am getting lately includes pretty crappy messages saying that I have to pay because they have recorded me watching porn? That otherwise they would destroy my reputation!! (I guess that they are planning to firstly build me a good reputation. LOL). By ignoring its overall nonsensical essence ("you can increase your available time by writing ++ in the calculator of your computer"!!), the first idea coming to my mind was precisely why would anyone download a piece of malware (not a video) from a porn site with the huge number of available alternatives where you don't need to do anything of this sort? I mean... this is at least what someone from my church told me. LOL.

Re:How? Why?

[freeze128]

You have never heard of a drive-by download?

Re:How? Why?

[CustomSolvers2]

You have never heard of a drive-by download?

You mean something being downloaded to your computer without your consent or any kind of warning? Is this possible?

Re:How? Why?

[ahodgson]

There are multiple announced vulnerabilities per month that allow this to happen. Mostly in Flash the last few years, but also in image decoders, sound decoders, and web browsers in general.

Software security sucks.

Re:How? Why?

[CustomSolvers2]

There are multiple announced vulnerabilities per month that allow this to happen. Mostly in Flash the last few years, but also in image decoders, sound decoders, and web browsers in general.

Quite scary stuff. In any case, you have still to be in the wrong place with the wrong tools (what usually means obsolete or not updated or not particularly good software) and to perform some wrong actions (even by assuming that a malicious application can be downloaded without your permission, it would still need to be run either by the user or by other application/SO what would imply one further layer of insecurity/negligence). Just visiting a shady website doesn't seem enough to provoke what is described here, not even in the most unfortunate scenario.

Re:How? Why?

[CustomSolvers2]

With "application/SO", I really meant "application/OS". FYI, SO is the Spanish version of OS.

Not the only one at blame-"never my fault"

Why shouldn't the blame be put on him. Did personal responsibility die in the age of "it's all your fault for my poor decisions"?

Re:Yeah, this happens. Not just in the USG either.

If you work computer security for any company of decent size...

And just how many people is that, precisely? 20? 50? 100? 1000?

2.

Randy Marsh Strikes Again

South Dakota / South Park ... same thing.

Re:Randy Marsh Strikes Again

[Outta_the_way_peck!]

It was a ghost!

Mr Anderson...

[bill.pev]

"I'd like to share a revelation that I've had during my time here. It came to me when I tried to classify your species and I realized that you're not actually mammals. Every mammal on this planet instinctively develops a natural equilibrium with the surrounding environment but you humans do not. You move to an area and you multiply and multiply until every natural resource is consumed and the only way you can survive is to spread to another area. There is another organism on this planet that follows the same pattern. Do you know what it is? A virus. Human beings are a disease, a cancer of this planet. You're a plague and we are the cure."

So?

[Murdoch5]

Surely his computer was running Quebes OS (or something similar), with the USB ports disabled. If this wasn't the case, why not?

Watch porn

[freeze128]

What else is there to do in South Dakota?

Re:Watch porn

Lots of sheep?

Where's the obligatory...

...the internet is for porn?

Re:Yeah, this happens. Not just in the USG either.

[DNS-and-BIND]

There are people out there who watch porn. I don't mean rub one out and close the window. No, they watch for hours and hours. They get addicted. They can't stop. Watching at work? Of course. Alcoholics drink at work, drug addicts are high at work, why wouldn't porn addicts watch porn at work?

No such thing; no such thing as a "civil servant".

No such thing; no such thing as a "civil servant".

now if there are stuck on old IE ActiveX may admin

[Joe_Dragon]

now if there are stuck on some old IE ActiveX software then users may admin to get work done.

It's 2018 and the report suggests a blacklist?

[schwit1]

"Investigators recommended that USGS enforce a “strong blacklist policy” of known unauthorized websites and “regularly monitor employee web usage history.”

WHITELIST FFS. Not perfect but infinity better than a blacklist, also know as wack-a-mole.

Re:It's 2018 and the report suggests a blacklist?

"Investigators recommended that USGS enforce a “strong blacklist policy” of known unauthorized websites and “regularly monitor employee web usage history.”

WHITELIST FFS. Not perfect but infinity better than a blacklist, also know as wack-a-mole.

This sounds so racist. Also, you call it a mole? Most people call it a monkey.

Re:It's 2018 and the report suggests a blacklist?

[thegarbz]

WHITELIST FFS.

Or better yet, just turn off their internet complete. But on a more serious note, white-listing the internet is a recipe for disaster. A far better solution is to generate a blacklist and then flag up people who hit one of the blacklisted sites for further surveillance.

Blacklisting allows the internet to still be a usable resource. Whitelisting just pisses off your workers at best or cripples your productivity (depending on the work you do) at worst.

Lax network security.

[gerald.edward.butler]

But, Oh noes! The BOGEY-MAN PORN is to blame. What a crock! How do you know it wasn't from sports sites, shopping sites, joke sites, running your mouth sites? No, it has to be the BOGEY-MAN PORN!

The #MeToo movement is a collective witch-hunt that is not interested in justice for those legitimately wronged (which there are a lot of), they are only interested in using sex as a weapon to seize more and more power for ineffectual, weak, dictator wannabes!

Re:Lax network security.

Says the guy who likes to watch porn at work on his employer's dime.

Re:Lax network security.

[hduff]

Says the guy who likes to watch porn at work on his employer's dime.

Oh, snap . . .

Re:Lax network security.

[gerald.edward.butler]

Says the ANONYMOUS CHILD MOLESTER who sexually assaults prepubescent boys! Stay anonymous so you can hide your child molestation habits. What's your name? Chester the Molester!

Re:Lax network security.

[Zontar+The+Mindless]

Were you actually frothing at the mouth when you typed that?

Re:Lax network security.

[gerald.edward.butler]

Do you actually have his dick-froth in your mouth? Gross.

Re:Lax network security.

Gets called out by a 4-digit uid, doubles down. So... that's basically a yes. Surprised the rivers of spittle haven't shorted out your keyboard already.

Re:Lax network security.

Poor little fakename gerry - somebody dunks on him and he goes full snowflake and has a spazz attack. Could you be any more pathetic?

Re:Lax network security.

[gerald.edward.butler]

What the fuck do UID's have to with anything? Is that the best you can do with your Ad-Hominem attacks. Because I won't accept the bullshit Ad-Hominem attacks and attack back at a bunch of worthless pricks who don't even have the courage to name themselves when speaking that means I'm proving your point? Fuck you. You have no logical or rational reasoning whatsoever. Look who is being attacked by AC's. I didn't attack them first. So fuck you. Fuck your 4-digit UID. It would've been better if your mother had used and IUD.

I am sick and fucking tired of both sides of the political spectrum and all their bullshit. As far as I'm concerned the whole fucking country needs burned to the ground. Having served in the military, If I had to do it again, I wouldn't. The people of this country (including yourself) are not worthy of having been served. So fuck off and kill yourself you lousy fucking prick!

Re:Lax network security.

[gerald.edward.butler]

Fuck off child molester. When you are ready to name yourself, we'll talk. Until then, fuck off ANONYMOUS CHILD MOLESTER!

Re:Lax network security.

And there is that the river of spittle. Along with the fake claims to having served. You are lower than a fucking boot.

Re:Yeah, this happens. Not just in the USG either.

"If you work computer security for any company of decent size..."

And just how many people is that, precisely? 20? 50? 100? 1000?

LOL ... 2 is the threshold for being guaranteed at least one is surfing porn.

Though, I still can't wrap my head around viewing porn at work. I mean, is this guy sitting there at his desk with a huge boner and then sneaking off to the loo for a quick wank?

Paid leave

Seems like enough of a punishment

Ad Blockers

[kackle]

Would ad blocker plug-ins have prevented this?

Re:Ad Blockers

Very likely, ad networks are a security risk as it allows a 3rd party to place code on your website. So even a legitimate site with a built in ad network would be a risk factor. The ad networks allow very detailed targeting of users, so its been known and has been used to attack workstations of sysadmins on cooperate organizations. The DigiNotar hack was such a case.

I just don't get the association with porn though.

So lesson learned: use ublock and umatrix to defend your browser.

Re:Yeah, this happens. Not just in the USG either.

[Bob+the+Super+Hamste]

Most times we give folks the benefit of a doubt the 1st time in case it's some porn ad something on an otherwise "okay" site (gray, but not really a policy violation)

Had that happen to me once, but it wasn't a bad ad but a bad search result. Was looking for how to solve some SQL Server issue clicked on a link that looked like it had relevant info, but nope, porn site. My boss was behind me and saw it and asked what I was doing. I explained to her the problem I was working on showed the search result page with the relevant search result I clicked on and then showed that it went to the porn site instead. Thankfully it was at a small company so there was not a HR battle to be had.

Tree huggers prefer natural porn?

Tree huggers prefer natural porn and are bad at computer security?

Lighten Up

[hduff]

He's helping pay for repairing potholes and clearing snow from streets . . .

Cryptofeces Lepidoptera Creimerus

Cryptofeces Lepidoptera Creimerus infestation is a serious problem. Not only are they capable of reproducing asexually like amoebas, they can also lay eggs hermaphroditically in unexpected places. They can disguise eggs as something useful to fool the unaware, sometimes pretending to be a haiku author, blogger, vlogger, or IT closet cleaner.

Very dangerous. They can seemingly reproduce out of the cosmic background radiation, even if you step on twelve of them, there's always one you miss.

Don't be fooled by the C. Lepidoptera Creimerus's innocuous, rolly-polly, and almost friendly appearance; despite its great size, stupid demeanor, and bedraggled toothless appearance, they have the hardiness of a tardigrade.

Only a concerted, targeted downmodding campaign has been shown effective in controlling this dangerous pest.

Experience shows that stopping such a campaign leads to C. Lepidoptera Creimerus returning within days.

Don't let it happen again!

MOD THIS MOTHERFUCKING SHITMOTH NUISANCE DOOOOOOOOOOOOOOWNN!!!!!!

Re:Yeah, this happens. Not just in the USG either.

[hduff]

I mean, is this guy sitting there at his desk with a huge boner and then sneaking off to the loo for a quick wank?

"Huge boner"?

I think you give him too much credit.

Could be anyone

Civil Servant could literally be any politician

Re:Yeah, this happens. Not just in the USG either.

[hduff]

Lots of malware comes down in the form of a "video codec" or plugin you need to watch the media. It's just awful.

LOL, and that is why I do all of my porn watching on a FreeBSD VM with a locked down Firefox which doesn't allow scripts or plugins.

No way in hell I trust a bloody porn site to not be infested with malicious shit.

YouDaRealMVP.jpg

Re:Yeah, this happens. Not just in the USG either.

So this is why APK was let go back in 2007.

Re:Yeah, this happens. Not just in the USG either.

[Da+w00t]

If you work computer security for any company of decent size...

And just how many people is that, precisely? 20? 50? 100? 1000?

I really don't see how that is relevant, do you expect me to quote a scientific study that shows MTTP (mean time to pr0n)? "decent size" was very obviously a generalization.

Oh the irony!

[mark_reh]

Of course he was watching porn! He worked at the EROS center!

Re:Yeah, this happens. Not just in the USG either.

Like doing the office hunnies without protection!!!

Re:Yeah, this happens. Not just in the USG either.

[mark-t]

I was simply curious as to whether or not the places I have worked in the past decade may not be large enough, or if your generalization of "any company" was, in fact, an overgeneralization.

Re:Yeah, this happens. Not just in the USG either.

If you work computer security for any company of decent size...

And just how many people is that, precisely? 20? 50? 100? 1000?

I really don't see how that is relevant, do you expect me to quote a scientific study that shows MTTP (mean time to pr0n)? "decent size" was very obviously a generalization.

Clearly, size matters.

I'm here all week! Tip your server..

Should not be possible

[TomGreenhaw]

Jeesh - can't our government use a firewall with content filtering???

Good luck terminating him

As someone who's seen behavior that would get someone escorted from the premises immediately at any private company, but result in only in a letter of reprimand at a government agency, good luck firing this guy due to exceptionally powerful public sector unions. His judgment is terrible, he's probably not that bright, and he probably has little to offer other than being a warm body in a budgeted position.

As a side note, I think unions can definitely provide a social benefit, but if either unions or management gets too strong, it warps the system. How to avoid that warping is the 64K dollar question.

Re:Yeah, this happens. Not just in the USG either.

[mhail]

That's all true but an addict should know the difference between cellular data and company wifi.

Secure Operating system...

I found one... http://www.ecomstation.com/

Nathan

Re:Yeah, this happens. Not just in the USG either.

I thought it had something to do with HOSTS files.

what is the assshole's name?

the public would like to know who is subverting the republic

Lack of insight on how to lock computers down.

[Darkk]

Most government entities don't have a clue on their network infrastructure let alone on locking the computers down. Too many different standards and different ways of their networks are built. Guess how many system admins come and go over the years without an once of documentation. Router passwords changed and no one seems to know them. Since no one bother to enforce industry standards of best practices this is what got them.

Best they could do in the interim is enforce policy rules on the firewall to disallow porn sites and block unauthorized VPN connections (this can be done via the application level on the firewall). Also keep eye on access logs and fetch keywords. Since neither one of them are used is a sign of lazy admins.

And that's also why POTUS keeps his cell phone.

'nuff said.

Give him a break

[reboot246]

At least he was doing something, which is more than you can say for most Federal workers.

Oh oh oh!

Hey there is a story about people not upgrading their phones!!!
https://apple.slashdot.org/story/18/10/30/1918239/people-are-keeping-their-phones-longer-because-theres-not-much-reason-to-upgrade-study-finds
Great opportunity to retell the story about your sprint plan for the 100th time!!!
https://apple.slashdot.org/story/18/10/30/1524243/mac-mini-receives-first-overhaul-in-four-years-new-ipad-pro-with-no-home-button-announced
Hey don't you have a story you tell every time someone mentions mac mini??

Re:Oh oh oh!

Hey don't you have a story you tell every time someone mentions mac mini??

That would be Friday's video and a followup to my iPhone XR video from two weeks ago. Make sure you are subscribed and clicked on the notification bell. ;)

Re:Oh oh oh!

Why? You're below the cosmic background radiation noise ...

I Hold The Director Responsible

He failed to properly secure the resources under his control, and should be sacked. If he says that "IT" is not his realm of expertise, explain to him that's worse than an employee who surfs porn at work. Fire these grey haired idiots, who refuse to seek advice from professionals and hide from their responsibilities.

blacked

The real question is what genre of porn was being consumed?

Wait, What?

[dcw3]

OMG, it wasn't a contractor? Seriously, this is typical government workforce in the US.

OMG

I was shocked by some comments here saying "how hard" it is to implement proper web content filtering, ACLs and the like with the objective of avoiding improper web surfing.

After 25 years in this industry (not in US), and with the technology mature as it is, I can assure most bigger companies and corporations easily filter this sort of behavior out, can't understand why US government does not do the same.

And you claim you are 1st world, what a joke.