The unintended consequences of blocking webmail

No matter how hard you try, you can’t effectively block anything on the internet. My favorite angry tech geeks just mentioned the great quote from John Gilmore, “the internet interprets censorship as damage and routes around it.” That’s not exactly what happened when they blocked webmail at work, but it might as well have been. There’s a free wifi signal in our building provided by the DC government. I have no idea why it’s there, or who it’s meant to serve, but it’s been great for me. However, it goes in and out a lot. You have to authenticate with an email address every time it drops you, and sometimes that would happen every few minutes. It could be really frustrating, especially when I really needed that connection. It was the only connection I had for the laptop where I do all my work, and when it wasn’t working, I couldn’t get to source control, I couldn’t do all sorts of necessary work tasks. So, when they blocked webmail on the official work network, the DC wifi took a beating. They started blocking on a Monday, and through Wednesday, the DC wifi was totally useless. Even when it would successfully authenticate me, it wouldn’t let me do anything. What happened next? Whoever runs that wifi network must have upgraded some equipment, because now that connection is better than it’s ever been. They must have gotten complaints from whoever is actually supposed to be using that network, and took steps to improve it. And now I have a pretty reliable connection. It hurts my argument that work needs to buy me a Blackberry, but I didn’t really need a Blackberry. In some sense, everyone wins here. People aren’t checking webmail on the official work network. As misguided a security policy as that is, it remains their right to block webmail. And I have a better uncensored connection that helps me be more productive at work. Clearly I’m not the only one using it, and the others undoubtedly benefit from the increased quality of the wifi service. More and more, we have to realize that everything is available on the internet. You can accept that, figure out how it affects your business, and move forward. Or you can waste resources fighting against it until you realize that no amount of censorship, lawsuits, or new laws will ever stop the flood of information.

Webmail isn’t evil, IT departments are

The IT department at work has decided to block all webmail beginning August 18th. This is a big problem for me, because I’m a contractor and don’t really use the work email. It’s a pain, and I can’t get to it from home without jumping through hoops. My actual work email is my Gmail account. So this is going to cause me a ton of problems. And for what? I did a little Googling for the security risks associated with webmail.

“Any pop-up ad that appears in a webmail message could potentially contain a virus when it opens,” she said. “An attachment that comes in from a webmail message could possibly bypass all the safeguards all the way to the user’s computer.” In addition, just opening a Web browser window to these commercial webmail sites can leave a computer open to outside attack. (Source)

This is a bit of a strawman argument. First, you can get popups or viruses or whatever from all sorts of sites. It’s not restricted to webmail. But if you use good, up-to-date software, this shouldn’t be an issue. There are some really good free, open-source tools to protect your computer. If your users are getting viruses and hacked computers, it’s not the fault of Gmail or Hotmail. It’s your users, and it’s the tools you’ve chosen to give them.

I’m an . . . advocate of the “block access” point of view. Personal webmail, if accessible, provides another vector for your data to fly out of the window but one that you have poor control over and little ability to monitor and audit. Neither can you comply with data storage and archiving regulations if the service is being used to legitimately send and receive business data to and from external addresses. (Source)

Archiving is a legitimate concern. Although I can’t imagine why the author thinks it’s not possible to comply with regulations – there is nothing stopping you from hooking up your webmail account to Outlook or Thunderbird and downloading it all. Then you can archive to your heart’s content. Actually, I think Yahoo and Hotmail make you pay for POP3 access, but that’s because they hate their customers.

If anything, what’s [sic] it’s partly demonstrating is the problems in the usability associated with security products. By making them too cumbersome, it’s natural for people to seek routes around them — making the security procedures a risk in their own way. (Source)

This I totally agree with. I use a ton of Google’s web tools for legitimate work purposes because they are easy and useful. If you block them, I’m going to try to get around the blocks, like the way you can use https instead of http to get around some filters that block Gmail. But I more or less know what I’m doing. I’ve heard of some ridiculous unsafe hacks to get around work-imposed security. Some of the workarounds are much more dangerous than the thing being blocked. But you know what’s more dangerous to security than all of this put together? Stupid people. And, to a perhaps greater extent, smart but ignorant people. People who think they know better, but don’t, are a huge source of problems. Much better to know you’re incompetent and stop trying. I remain entirely unconvinced that this will do any good. You can’t possibly block all possible routes for sensitive information to leak out of the office. By blocking webmail, you’re taking away one of the most convenient methods, but what you may end up doing is driving the leaks to more and better hidden channels. Maybe now one person is going to start Twittering all day, while another is going to use some other service. The information can still get out. And what about someone who goes to do a little online banking and accidentally hits a phishing site that steals their banking info and deposits a virus on their computer, giving a hacker total control of their PC? Are you going to ban bank sites, too? Why not just ban everything? Chain employees to the desk in rooms with white walls and no windows. Give them three breaks a day where they can use the bathroom and buy lunch from the company (Wouldn’t want them sharing company secrets at the local deli, would we?). Maybe we should just stop sharing secrets with employees altogether. Just keep it all with the executives, who can lock themselves in ivory towers, making angels in piles of FOUO and COMPANY PROPRIETARY documents. Maybe we shouldn’t even do any work. The dangers of compromised secrets are too great. We should all go back to a hunter-gatherer economy, where there were no documents in need of protection from the horrors of webmail. Better for the environment, too, as a majority of Americans would die of starvation within the year. Or we could save time and trouble by committing mass suicide in orderly rows. That would teach Google to make a great webmail service with an intuitive, helpful interface. Stupid jerks.

Maybe my SEO with Drupal is working

I posted a little while ago about my attempts to optimize my blog for search engines. I think it’s working. Take this example. This morning, I linked to an article on Prince of Petworth about a new restaurant opening in Columbia Heights, CommonWealth Gastropub. Now, PoP is a near-deity in the greater Columbia Heights/Petworth/Logan/Shaw area. It’s a good blog. I read it regularly. I, on the other hand, am a relative unknown who complains too much. PoP went to an early preview at CommonWealth and took pictures, then wrote an article about the experience. I linked to the article, and offered very limited commentary. Now, go do a little Google search for commonwealth dc gastropub. you will notice that item seven is my post. The first item from PoP is item 23, and it’s not even a link to the most recent article. So, on one hand, you have a good blog that did some real journalism. On the other, you have a blog, where half the readership was at the author’s wedding, that just linked to the real journalism. But I show up first on Google.

Oddly Enough, You’re an Idiot

Have you ever posted to an internet forum or commented on a blog post and began with, “Oddly enough”? If the answer is yes, then I don’t like you very much. Has anyone ever followed “Oddly enough” with something really odd? Not in my experience. It’s pretty meaningless. If what you’re saying really is odd, we’ll know. Are you trying to forewarn us of the oddity so we don’t think you’re weird for saying something odd out of the blue without acknowledging it? That is, are you embarrassed to be thought strange by people you don’t know? I realize now that the likelihood of someone commenting on this post and beginning with “oddly enough” is now near 100%. Just remember that I have admin rights on all the comments.