Postcards From The Edge Case: When One Size Doesn't Fit All

Two: Be Secure Without Sacrificing Functionality

When Internet Filters Block Work

There's a clear need for security in computing applications, and especially those that handle any sort of personal data. Companies want to be sure that their information isn't being leaked out or mishandled and that their workers aren't bringing in viruses, worms, and other horrible things past the network firewalls to wreak merry havoc on the machines inside the suppsoedly safe zone. I get the need for security. It is important.

First and foremost, the public computers used a shared login whose Internet access has been filtered fairly heavily in the way one might expect a corporation to do, by blocking "game sites", "download sites", and a few other categories that an office worker in an office building wouldn't necessarily need to go visit a whole lot of the time. The problems with this type of blocking decisions came through in force when attempting to staff test the latest iteration of our summer program for teens, Teen Summer Challenge A category of activities devoted to Nintendo, another to the Ludum Dare challenge, and a third devoted to Pokemon all ran into the same issue - "games" sites were blocked, so the activities that asked people to design a classic Super Mario Brothers level or look at the entries from the latest Ludum Dare could not be completed on staff computers that hadn't specifically had their filters turned off. On those same computers, if someone wanted to know more information about an upcoming game or wanted to read reviews of it, the staff computers might not be able to provide that information because of the filter's inability to distinguish between sites with news content and sites that were offering various games to play while on work time. If the site had a keyword that involved gaming, then the site was blocked. Certainly a good way of securing the computers against possible intrusions, but the overblocking zeal interfered with the functionality of a legitimate enterprise for the library system.

Then there's the software issues on all of the library's computers, whether their Internet access is filtered or not. I can see the reasons why my organization decided that when our computers got upgraded, they were all going to be a single image, with a predetermined suite of software installed on them and an enterprise rule that said no other programs could be installed on the machines and nothing other than what was already installed and on the whitelist would be allowed to execute. Trying to get the smallest amount of exposed attack space possible while still providing enough software for the normal functioning of the library is a perfectly valid goal and choice.

I understand that having a single image also makes it easier to troubleshoot what's going on, easier to make replacements if necessary, and easier to engage in damage control if something does manage to get out and try to find something to start playing with. These are all sensible security decisions. And they don't work at all in supporting the work that I do as part of my job as a Youth Services Librarian.