Why is work blocking me from viewing MeFi tag pages? December 13, 2007 12:02 PM   Subscribe

Websense is blocking the tag pages of MeFi. The message I get is "The Websense category "Sex" is filtered." - even when the tag isn't likely to have anything to do with sex (e.g., christmasmusic, maps). Yet I can read threads that definitely DO contain sexual content, such as this one or this one. Is there something in the backend telling Websense that tags = sex?

In addition, if I do a Google search for a username, what usually comes up is a list of so-and-so's posts tagged with foo. No matter what "foo" is, the link is blocked when clicking on it.
posted by desjardins to Bugs at 12:02 PM (27 comments total)

It's possible that something like the sex tag page wacked the filter out enough that it just concluded that the whole /tags/foo setup was bad news. Can you get at the root tags page?

My workplace blocks the search results page for flickr and youtube, though it doesn't block the actual content pages for either. Corporate webfilters are nuts.
posted by cortex (staff) at 12:07 PM on December 13, 2007

posted by mathowie (staff) at 12:10 PM on December 13, 2007 [4 favorites]

I have the same problem. www.metafilter.com/tags is blocked but www.ask.metafilter.com/tags is not. Weird.
posted by mattbucher at 12:20 PM on December 13, 2007

what is DTMFJA?
posted by mattbucher at 12:22 PM on December 13, 2007

cortex: Nope, can't get at the root tags page.
mathowie: If you'd like to pay my rent, I'd be happy to.
mattbucher: Same here! Weird.
posted by desjardins at 12:24 PM on December 13, 2007

Metafilter has no control over WebSense's filtering decisions.

Having examined such software before, I can tell you that there are many sites blocked for no good reason, and just as many blocked for malicious reasons.

Perhaps you can talk to the vendor and convince them of their error, but I wouldn't bet any money on it.
posted by splice at 12:28 PM on December 13, 2007

what is DTMFJA?

It's the same as DTMFA, only with "motherfucking job" substituted for "motherfucker."
posted by FelliniBlank at 12:30 PM on December 13, 2007

desjardin's tags make filtering jesus angry
posted by metric space at 12:33 PM on December 13, 2007

I get that here too.

Websense is dum.
posted by that girl at 12:34 PM on December 13, 2007

Well, the question is if Websense does real time filtering or if they're using a blacklist (I don't know and the Websense page doesn't seem to give up that information easily). If it's a pre-made blacklist, then it only matters what the content was on the blocked pages when they indexed them. Since you say that tag pages are blocked but posts are not blocked, I'd say it's a blacklist that they either update with crawling or some other method. The posts in question are just too new to have be added. But the tag pages stick around. And as splice says, Websense might have some set of rules of how blocking propagates to other pages.
posted by skynxnex at 12:35 PM on December 13, 2007

...as does my apostrophe placement. sigh...
posted by metric space at 12:36 PM on December 13, 2007

what is DTMFJA?


posted by languagehat at 1:00 PM on December 13, 2007 [6 favorites]

You need to get yourself a better employer...
posted by clevershark at 1:11 PM on December 13, 2007

Well, we all know that to Web 2.0, tagging = teh sex.
posted by klangklangston at 1:31 PM on December 13, 2007

I got the same thing too (we use WebSense at work), and I roffled.

Then I set up an SSH tunnel to a proxy server and got the QuickProxy extension. I hit a blocked site, I fire up the connection and click the proxy button.

Voila! Now I can read metachat from work!
posted by middleclasstool at 1:43 PM on December 13, 2007

oh, did I mention that they won't let us have Firefox either?!
posted by desjardins at 5:56 PM on December 13, 2007

Me neither. If you can plug in a USB drive, allow me to introduce you to the wonders of PortableApps!
posted by middleclasstool at 7:06 PM on December 13, 2007

Recipe for corporate filter circumvention, on Windows, using portable apps on a USB stick, and an openssh box you control elsewhere:

1. Put PortaPuTTY and Portable Firefox on the stick.

2. At work, use the Tunnels feature of PortaPuTTY to forward localhost port XXXX (1080 is conventional) to a Dynamic port, and bring up a ssh session on your home openssh box.

3. In Portable Firefox's preferences, under Advanced->Network Connections, make it use localhost port XXXX as a SOCKS 5 proxy. Don't fill in any of the other proxy boxes. Firefox will now direct all web traffic via the SOCKS server built into openssh on your home box.

4. Under about:config, change the network.proxy.socks_remote_dns option to True. This means that all Firefox's DNS lookups will also be done using your remote box instead of your local corporate host's DNS server(s).

5. Put a sixpack on ice for your sysadmin, who will undoubtedly be paying you a visit after becoming curious about why such a vast amount of encrypted traffic is suddenly happening between your workstation and some random IP address outside the corporate network. Be prepared to find a new job in case the sysadmin is not a beer drinker.
posted by flabdablet at 3:04 AM on December 14, 2007 [7 favorites]

Oh, and if for some reason QuickProxy doesn't suit you, you could also look into ProxyButton or SwitchProxy. I like SwitchProxy, with the toolbar turned off; right-clicking on the current proxy name in the status bar lets you pick any of your configured proxies, or none.
posted by flabdablet at 3:09 AM on December 14, 2007

Also, don't leave the ssh tunnel up all the time -- just fire it up when you're about to hit a blocked website, turn it off when you're done. Less traffic through the tunnel that way, less suspicion to arouse.
posted by middleclasstool at 5:55 AM on December 14, 2007

flabdablet and middleclasstool, thanks for the tips/instructions. Fortunately, this is only a temp job, but I may need to refer back to this in the future...
posted by desjardins at 8:12 AM on December 14, 2007

Sadly, they've blocked all ports here except approximately 80 and 23.

As another example of Websense 'intelligence,' it blocks a domain that is owned by my employer and redirects to our website. HA HA.
posted by that girl at 8:25 AM on December 14, 2007

My workplace has the usb ports disabled.
posted by happyturtle at 9:44 AM on December 14, 2007

If you can get out on port N, you can arrange for your home openssh box to establish ssh sessions over that port; easiest way is just to tell your NAT router to redirect port N on the public side to port 22 of your openssh box on the private side.

If they've blocked all outgoing connections, and the only way you can get the Web is via an approved proxy that includes a blacklist or whitelist, there's always this :-)

You can often work around disabled USB ports simply by burning your portable apps to CD. If they won't run straight from the read-only CD, just copy them to a subfolder of My Documents first and run them from there.
posted by flabdablet at 3:49 PM on December 14, 2007

i can only have internet at my workplace by picking up a wireless signal from i don't even know where.
posted by C17H19NO3 at 4:27 PM on December 14, 2007

If you're getting internet access via some random wireless router, it's extra important to work through a ssh tunnel, since doing so will prevent man-in-the-middle interception of your network traffic by the unknown evildoers operating the wireless router. You also need to make sure that all inward-bound connection attempts from that wireless connection are blocked by your workstation's local firewall (if you're on Windows, disable all firewall exceptions for that connection) lest you turn out to be the bunny responsible for a serious breach of corporate network security.

Working around an idiot content filter in pursuit of a little harmless goofing off is very small potatoes compared to deliberately (or even accidentally) compromising security.
posted by flabdablet at 6:07 PM on December 14, 2007

yeah, i work for a small municipality and only access the internet on my personal laptop
posted by C17H19NO3 at 6:42 PM on December 14, 2007

« Older GYOB   |   SF meetup? Newer »

You are not logged in, either login or create an account to post comments