by donatj 1635 days ago
My company blocks so much inane crap it’s ridiculous. Any site not explicitly reviewed by the firewall company? Blocked. Want to Google restaurants for lunch? Half the restaurants’ websites are blocked under the firewall rule against “alcohol and bars”. So much more.

Trying to talk to IT about it is painful. I had to go through three levels of support over a week just to get a single site unblocked.

Before Work-from-Home started, Brave’s Tor support was a godsend just for getting actual work done.

Before my department got bought out, our old company had pretty draconian blocking as well, but if you explicitly plugged into the ethernet ports in the developer area they were wide open.

And no, we’re not in any sort of industry where it really matters. Privately held educational software company.

6 comments

I used to work for a financial company that used such extensive blocking. One day I had to download a particular version of the boost libraries (the C++ ones). Of course all official sites to download from were blocked. So I searched for the specific file name (a tar.gz archive). And eventually I found something that was not blocked: a misconfigured server somewhere in Russia. Misconfigured because it served the entire contents of its hard disk - and Google indexed it all. And there it was - my coveted boost archive, which I promptly downloaded.
That seems super risky. How did you know the file was authentic? What if the archive contains backdoored code?
Yeah it was risky. It is quite common for excessive security practices to actually decrease security and that particular example was not nearly the most egregious one in that company.
I don't really get why you did it though. You risked your job, and potentially regulatory issues for the company just to get a build done? I'd have just submitted a request to unblock the official download site. Then it's security's problem.
I've also come across this at a major international company. Came there to install an update. Too big to email so I had a clean USB stick. No way to use it in their workstations though, so the IT guy offered to just walk to the DC and plug it directly into the server.

Pretty sure that was not the intention of that policy. The problem is that they didn't seem to have considered this use case at all. More security theater than anything.

Seems like an odd proposition for an attack vector. Maybe, just maybe if I make this look like a misconfigured server, maybe, just maybe, someone will grab the boost files from the server and compile them? I can’t imagine.
The open server does not have to be a deliberate attack setup. It could be compromised itself, or someone could have downloaded a bad artifact to it unknowingly. It could be someone's malware research storage (admittedly this is pretty unlikely). It's the simple fact that the provenance is unknown.
I've heard of people doing similar things before. Maybe people working in high security environments downloading libraries from random websites is common enough that some attackers are actually targeting those people by backdooring common Python packages, C++ libraries, etc. and trying to get their server to bypass enterprise blocking somehow.
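The thread above hinges on provenance: a file found by searching for its name on an open directory carries no evidence of being the file the project published. The minimum check a practitioner would want is a pinned digest obtained out-of-band from the official source (a 64-character hex string is small enough to carry over a phone, as one commenter did with azeotrope charts), then verified locally; signed releases are stronger where a project offers them. The following is an added example, not code from any commenter or from the Boost project: it parses a `sha256sum`-style manifest (`<hex>  <filename>`), hashes each named file and reports OK, FAILED or MISSING, using a constant-time compare. The archive bytes and the manifest in `demo()` are constructed inline so it runs offline; the "tampered" file stands in for a backdoored artifact served by an untrusted mirror.

```python
"""Verify downloaded archives against a pinned SHA256SUMS-style manifest.

Added example for this discussion, not from any commenter or project.
Assumes the manifest text (or the single hash) came from the official
project page, NOT from the same mirror that served the archive; a hash
served alongside a tampered file proves nothing.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large tarballs don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse lines of the form '<hex>  <filename>' (the output of sha256sum)."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, name = parts
        name = name.lstrip("*")  # sha256sum prefixes '*' for binary mode
        expected[name] = digest.lower()
    return expected


def verify_dir(directory, manifest_text):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_file(path)
        # constant-time comparison; cheap, and avoids leaking match length
        results[name] = "OK" if hmac.compare_digest(actual, digest) else "FAILED"
    return results


def demo():
    """Constructed scenario: one intact archive, one tampered, one never delivered."""
    good = b"boost-like archive bytes (constructed sample)\n"
    bad = good + b"/* appended by an untrusted mirror */\n"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good.tar.gz", good), ("tampered.tar.gz", bad)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # The manifest pins the hash of the genuine bytes for all three names;
        # 'absent.tar.gz' models a file the mirror never served at all.
        good_hex = hashlib.sha256(good).hexdigest()
        manifest = (
            "# constructed manifest, as if copied from the official download page\n"
            f"{good_hex}  good.tar.gz\n"
            f"{good_hex}  tampered.tar.gz\n"
            f"{good_hex}  absent.tar.gz\n"
        )
        return verify_dir(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

`verify_dir` deliberately reports MISSING separately from FAILED: a partial download from a flaky open directory is a different problem from a file whose contents do not match, and conflating them hides which one you have.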
From another perspective (perhaps not popular here): How does allowing access to restaurant websites help the bottom line? What is the risk? One malware outbreak can be enormously damaging.

How much time should IT employees spend unblocking restaurant websites instead of, for example, developing new applications that increase productivity? Arguably, an IT employee who is spending time unblocking restaurant websites might be viewed as negative ROI for their salary.

And users have phones, so there is an easy workaround.

Not restaurant specifically, but I suspect the loss of innovation from the general chilling effect is pretty high. When I have trouble researching something, that’s money lost for them in time I am wasting, and potentially worse from the side effects.

Every time an engineer doesn’t look into something at all, because they know odds are good they’re not going to be able to, that’s potentially millions lost.

Yeah imagine a developer not being able to use stackoverflow or one of the many similar sites that just happen to have the bug that they're struggling with. Could cost hours of extra work.
It's not blocking restaurants per se. It's doing some heuristic-based match, seeing entries on the site with words like "wine", "whiskey", "cocktail", and determining the website is "alcohol and tobacco", then banning or limiting it.

Ran into this at $lastco, as a chemist. Used to look up alcohol-water azeotrope charts and half would be on homebrew sites and got blocked.

I just used my phone to email the charts to myself.

>How does allowing access to restaurant websites help the bottom line?

Humans need to eat to survive, and one consequence of survival is that tickets are closed.

> From another perspective (perhaps not popular here): How does allowing access to restaurant websites help the bottom line? What is the risk? One malware outbreak can be enormously damaging.

Just visiting a website shouldn't be a major risk. Any code injection exploits can be mitigated in the proxy (those MITM proxies are not just for logging!). And proper patching.

Really if you run browsers so old that they can be exploited in this way you have a bigger problem than banning unknown websites solves.

Yes. Exactly. Which is why they shouldn't be blocked, forcing people to spend time and energy unblocking them.
Indeed. Somehow people managed to eat lunch before the internet.
> Trying to talk to IT about it is painful. I had to go through three levels of support over a week just to get a single site unblocked.

Don't talk to IT using their support channel. Escalate to your boss (and his boss potentially) about what you are trying to do, what's blocking you and how it's stalling the (revenue generating) project you are working on.

I work in IT security and this overzealous blocking is also a problem. Many sites with great security info are blocked because of the "hacking" category. Um yeah that's work-related for me so...

I'm surprised they didn't just block tor though. I'm sure we do though I've never tried :) Our proxy MITMs everything.

Do they allow your cell phone to be out when you are working? I'd just plug my cell phone into a USB port ("I'm charging my phone" if anyone asks), use IP over USB to talk to the phone, and run non-business internet through the phone's data connection. One step further, if the PC is locked down to prevent this, plug the keyboard/mouse/monitor into a Raspberry Pi, with a soft KVM plugged into one of the Pi's USB ports so your primary connection is to a device you control. Then use the KVM software to view your PC in full-screen mode. Of course, this won't work if you are in an open office and your Pi's environment looks suspiciously different from your normal Windows desktop (but that can be fixed with theming).

Of course if I worked at a place that was constantly looking for an excuse to fire you, I wouldn't work there for long (because I'd either find a more relaxing job, or get fired).

At my job plugging in a USB device gets you paperwork and loss of computer use for at least 3-6 months. Fun fact my job also can't fire you, but it can make you wish you could.
Meanwhile at work I can't convince the "firewall guy" to block YouTube to save bandwidth for actual work ... Even porn websites aren't blocked!