The Results: Our Experiment in Crowdchecking the "Wisconsin WiFi" Claim
BY Nancy Scola | Thursday, February 24 2011
So, let's check back in on our little ad hoc experiment in collaboratively factchecking the Wisconsin governor's explanation for why a pro-union website was blocked on a statehouse wireless network. The short of it is that, well, frankly, some more straightforward reporting would do much to get us a firm handle on the situation. But the long of it is that the responses were quite mixed. To generalize, several people who work in online politics (on the left side of things, mostly) thought spokesperson Cullen Werwie's widely-reported contention that a whitelist system restricts access to websites new to the network was, as one put it, "absolute jibberish." Others, though, including some specialists in network security, argued that while it might be misguided and unusual to configure a public network that way, it's possible that that's indeed the case.
Let's take a look at some of what came over the transom, as well as notes on the topic elsewhere on the web.
Someone with deep roots in both the technical and political sides of tech emails:
It's been a decade since I did much on the technical side of network security, so I'm not totally up on all of the blocking techniques people use. That said, I do pay attention to all of the government related security stories that are out there and have developed a general assumption that government security practices tend toward the slow, arcane and sometimes illogical. It's always on the bottom of their list until something like this comes up to bite them. Then they deal with it. So while it's totally plausible somebody on the staff decided to block the group, I think it's just as likely that's their "security" policy to be closed vs. open on default. I don't agree with it and I still think it's worth sniffing around, but I'm never surprised when I hear stories about odd practices from government offices at any level.
It's like our tax code. They just patch band-aids on top of it over time and then it turns into this convoluted mess.
Another email, not, as he or she points out, a 'network security' person per se, but someone who has spent years working in Democratic online politics:
That guy’s explanation is absolute jibberish. Can you imagine some massive bureaucratic army getting a feed of every website created, thousands an hour, and running them through some program to see if they have viruses or porn or something? It’d be different if state capitol workers were restricted to looking at govt websites or something so they don’t waste time on FAILblog or whatever, but ultimately they did let this one through so clearly that’s not the case.
The folks at Herdict, the Berkman Center project that relies on reports by members of the public to figure out what's being blocked around the world, tweet along a link to a post by their Laura Miyakaw:
Let’s think about how this would work. We don’t think they mean all new sites to the internet, which would be challenging, costly, and unnecessary (why bother finding and blocking sites that no one is trying to get to). We believe they mean new sites relative to their network, so a site commonly visited on their wireless internet, like Wisconsin.gov, would appear on the white list and would connect automatically, while a site that had never been accessed from their network, like, say, MinnesotaRules.com (ok, we made that up, but someone should create that site), would be entered into a queue to be approved. This is a very restrictive and potentially expensive solution. Would all sites in this queue have to be manually checked for both “appropriate” content as well as lack of malware? If there is a manual process, we think we may have found a place for Wisconsin to cut its budget. If it’s automatic, then we want to know what software they’re using to process these requests, how long the queue is, what the average delay is between a request for a site and its approval, and what criteria is used to determine an “appropriate” site to be served on the guest network. We have further concerns about what metadata is collected on the users who are requesting these sites. Are such requests personally identifiable? What happens to these requests once they are processed? Is the information discarded, or retained, and for how long?
Here's an email from someone deeply enmeshed in the building of digital infrastructure on the Democratic side of things:
It's total bullsh_t. Websites don't have creation timestamps. The closest you could get is the DNS registration, but that's date, not time, and rare is the website that would be "live" and used within 30 minutes of DNS registration. At first I thought they were saying that new sites are blocked when they're first accessed from the network, not created. But it makes no sense to have a 30 minute speed bump, and they're clear that it's an automated process.
But "bigfatdrunk" emails to make a case for it being plausible:
Was in IT or ITSec for 16 years, including for a Fortune 1000 company, but I have been out of that business for a year. So there's your tiny disclaimer.
The answer is yes, their explanation is plausible, though it's not a practice I've heard employed. Basically, a new site could trigger a flag (of sorts). What they do during the delay I honestly have no idea. They could perform a light security scan against the site, or they could run the site through a list of known "bad" sites that contain malware, etc. In other words, they are doing selective white-listing after doing....something.
Technically, it's feasible and would be quite easy to do. It would also add a thin layer of protection to Government agencies, which isn't a bad idea. From a security perspective, it is a justifiable move, though I would be interested to learn about its overall effectiveness (how many sites were really evil and were blocked, for example).
An easy test to do would be to go to a random new URL and see if it's blocked. If it is, and then it's unblocked after 30 minutes, their story holds water. And as I've sat here writing this email and thinking about it, the practice doesn't sound overly Orwellian and could actually be helpful from a security perspective.
And then Anthony Rickey directs our attention to the comments on the Center for American Progress's ThinkProgress blog, where "No_Rush" adds his or her take that the Wisconsin governor's office's explanation would jibe with the use of a common online security package:
Here's an alternate possibility: "Walker’s decision to take steps to block certain types of internet access to protestors" never actually occurred, and this is all the result of a chain of technical events and policies that, who knows, may date back to the last administration. Technology is like that. I've marked what is evidence and speculation below.
a) Wisconsin uses Websense, or something similar, to block websites. Evidence: WisDems's screenshot is using blocklist.cgi script. Google for that, and you get a lot of Websense support sites. Additionally, there are at least some contract-like documents between Wisconsin and Websense on the web (dating from the previous administration).
b) Websense appears to have added defendwisconsin.org to the "Advocacy Groups" filter, which also hits sites like RightWingNews. Evidence: http://yro.slashdot.org/commen... It may also have been added to a group of newly-registered sites, though I can't confirm this.
c) We don't know, however, when Websense updated its Master Database, or when Wisconsin downloaded the updated file. We do know that defendwisconsin.org couldn't have been in the file before 14 February, because the site didn't exist.
So: the site would work until Wisconsin updated its copy of the database (and once Websense had added it to a restricted category). Let's assume that happened on the weekend. Once added, the site would be blocked until a user notified helpdesk that access was required, and the site was blacklisted.
Technically, the Department of Administration spokeswoman might be very slightly wrong: new sites would be blocked once a Master DB update was downloaded identifying them (and adding them to a presumptive blacklist), but not before. This would explain why it worked before Friday (according to WisDems) or Monday (according to DefendWisconsin.org).
Obviously, I can't prove any of it, and there are some questions (such as whether Websense is set up to update on an irregular basis rather than in real time, and when Websense added DefendWisconsin to its list). But it's at least plausible.
Clarifying, no? Well, kinda. What I'm, personally, left with is that where this experience had a taste of success was in sharpening questions that should be followed up. On this narrow topic of whether the Wisconsin governor's office's explanation could hold water, it seems like the thing to pursue is just how their security configuration is built. And then, of course, you'd want to ask why it's built that way. Is that something that the governor's office did with a great deal of thought? Or was that the default that came with the security package they built?
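The two explanations quoted above predict different access timelines, which is what the suggested "easy test" relies on. The sketch below is an added example, not code from the article, its correspondents or any vendor's product; both filter models, the host names and the minute offsets are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class DelayedWhitelist:
    """Model A: a host new to the network is blocked for `delay` minutes after its first request."""
    delay: int = 30
    first_seen: dict = field(default_factory=dict)

    def allowed(self, host, t):
        start = self.first_seen.setdefault(host, t)
        return t - start >= self.delay

@dataclass
class CategoryDatabase:
    """Model B: block by vendor category, using the most recently downloaded DB copy."""
    categorised_at: dict     # host -> (minute the vendor categorised it, category)
    sync_times: list         # minutes at which the local copy was refreshed
    blocked_categories: set
    exceptions: dict = field(default_factory=dict)  # host -> minute helpdesk allowed it

    def allowed(self, host, t):
        if host in self.exceptions and t >= self.exceptions[host]:
            return True
        syncs = [s for s in self.sync_times if s <= t]
        if host not in self.categorised_at or not syncs:
            return True      # assumption: uncategorised hosts pass
        when, category = self.categorised_at[host]
        return not (when <= max(syncs) and category in self.blocked_categories)

def mismatches(model, observations):
    """Replay (minute, host, was_allowed) in time order; return what the model gets wrong."""
    return [(t, h, ok) for t, h, ok in sorted(observations) if model.allowed(h, t) != ok]

def category_model():
    # Constructed timeline: categorised at minute 1500, local copy synced at 0 and 2880.
    return CategoryDatabase({"new-site.example": (1500, "Advocacy Groups")},
                            [0, 2880], {"Advocacy Groups"}, {"new-site.example": 4400})

# Constructed observations: the site works, is later blocked, then is unblocked.
REPORTED = [(0, "new-site.example", True), (600, "new-site.example", True),
            (3000, "new-site.example", False), (3100, "new-site.example", False),
            (4500, "new-site.example", True)]
# Constructed "easy test": a never-visited URL is blocked, then allowed 31 minutes later.
EASY_TEST = [(0, "other-new-site.example", False), (31, "other-new-site.example", True)]

if __name__ == "__main__":
    for name, obs in (("reported", REPORTED), ("easy test", EASY_TEST)):
        print(name, "whitelist:", mismatches(DelayedWhitelist(), obs))
        print(name, "category DB:", mismatches(category_model(), obs))
```

A works-then-blocked sequence cannot come out of the delayed-whitelist model, while a blocked-then-allowed sequence on a fresh URL cannot come out of the category model without a helpdesk exception, so logging timestamps on both kinds of probe separates the two stories.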
Governor Scott Walker's office didn't respond to a request for comment sent this morning, and Werwie hasn't yet responded to one sent later in the day. The main phone line at the Wisconsin state house has been ringing busy.
One additional newsy note that came from poking around on this topic. The folks over at New America's Open Technology Initiative are working to put together a flier that explains to protestors in Wisconsin how they can turn their cell phones into wireless hotspots, so that they might not have to depend on a free wireless network floating around in the air at the state house. They expect to have that circulating in Madison in the next few days.