
Full internet access on US Immigration Computers

Old Feb 4, 2009 | 6:21 am
  #16  
20 Years on Site
 
Join Date: Apr 2004
Location: Scottsdale, AZ
Programs: AA 2MM - UA 1P / Hyatt Diamond - SPG Plat / Hertz 5* - Avis 1st
Posts: 3,933
I can't think of any potential benefit for internet access to these sorts of workstations, and I can think of all kinds of downside intrusion and data compromise risks as described above.
Wilbur is offline  
Old Feb 4, 2009 | 6:27 am
  #17  
 
Join Date: Sep 2008
Location: Cypress, TX
Programs: CO Plat, Priority Club Plat
Posts: 641
Originally Posted by sbm12
And there is no way that a trojan could use port 80, right? It isn't like AOL wrote the AIM application to do exactly that 5+ years ago when it started getting blocked by firewalls.

Sorry, but even putting a proxy server in place doesn't really protect the systems. Either they are isolated or they are not. That's really the only way computer security works.
A properly configured proxy could block the majority of things, combined with good malware protection on the client side...

Nothing is 100% ever, but there are ways to pretty safely protect a client system that is exposed to the internet...

AIM is the biggest trojan of them all, and legal at that! LOL
speedster1978 is offline  
Old Feb 4, 2009 | 6:30 am
  #18  
50 Countries Visited20 Years on Site
 
Join Date: Sep 2002
Location: PVD/BOS, PIT
Programs: UA 1K/1MM ★G, DL Silver, Amtrak ES, Hilton Diamond,Nexus
Posts: 259
Originally Posted by speedster1978
Considering that more than likely their internet surfing goes through a proxy... which means they don't have DIRECT internet access... I don't see the issue in this at all...

Their proxy system would have to be compromised, for people to gain internal access to the company... just throwing a trojan or worm on any good secured system won't do much...

Systems with ALL internet headed traffic being sent through a proxy, won't allow a trojan/worm to send things back home... only certain ports are allowed open...
If you really believe this, you place your own employer's computers at risk. Your statement is false. A proxy can minimise risk, but not eliminate it.
droopydog is offline  
Old Feb 4, 2009 | 6:45 am
  #19  
 
Join Date: Sep 2005
Location: GNV which is not where we would like to be :)
Programs: ABP, Mr. Mom without the kids, Signor Mucci, DL PM, HH & Hyatt Diamond
Posts: 4,526
Originally Posted by Mabuk dan gila
Any internet connected computer is potentially at risk of the user doing something stupid that will compromise its security. I am sure there is good security in place but the only absolute security against internet based threats is not being connected to the internet. Connecting a secure network to an insecure network invites shenanigans and is a security risk to the secure network.
Many companies have security features in place that would allow you to go to "I need flowers for mom's birthday.com" while blocking "who is the hottest pole dancer.com", along with not being able to install unauthorized software. Plus we don't know if this specific computer was connected to a secure network or a separate computer set up for use during time off or slow periods.
Italy98 is offline  
Old Feb 4, 2009 | 7:55 am
  #20  
Original Poster
A FlyerTalk Posting Legend
10 Countries Visited20 Countries Visited30 Countries Visited20 Years on Site
 
Join Date: Apr 2001
Location: PSM
Posts: 69,232
Originally Posted by Italy98
Many companies have security features in place that would allow you to go to "I need flowers for mom's birthday.com" while blocking "who is the hottest pole dancer.com", along with not being able to install unauthorized software. Plus we don't know if this specific computer was connected to a secure network or a separate computer set up for use during time off or slow periods.
No filtering solution is 100%. And the computer in question was inside one of the booths where the agents sit to actually clear folks.

Yes, it is entirely possible that they have implemented some security measures to help protect those systems. I'm sure that there is a firewall of some sort involved and probably also some local client security solution in place. That still doesn't mean that allowing access is a secure action.

Consider a similar situation. Boeing is claiming that they can have the same wiring in the 787 carry both flight control data and IFE communication. Even with "security" solutions in play no one in their right mind would agree that it is a secure implementation.

The real question is whether those computers are or should be considered secure. Considering the access that I assume they have to the passport data, I would hope that they are secure. If they are, they should be isolated.
sbm12 is offline  
Old Feb 4, 2009 | 9:48 am
  #21  
 
Join Date: Sep 2005
Location: GNV which is not where we would like to be :)
Programs: ABP, Mr. Mom without the kids, Signor Mucci, DL PM, HH & Hyatt Diamond
Posts: 4,526
Originally Posted by sbm12
No filtering solution is 100%. And the computer in question was inside one of the booths where the agents sit to actually clear folks.

Yes, it is entirely possible that they have implemented some security measures to help protect those systems. I'm sure that there is a firewall of some sort involved and probably also some local client security solution in place. That still doesn't mean that allowing access is a secure action.

Consider a similar situation. Boeing is claiming that they can have the same wiring in the 787 carry both flight control data and IFE communication. Even with "security" solutions in play no one in their right mind would agree that it is a secure implementation.

The real question is whether those computers are or should be considered secure. Considering the access that I assume they have to the passport data, I would hope that they are secure. If they are, they should be isolated.
Do you mean the CBP/DHS agency is not security conscious?
Italy98 is offline  
Old Feb 4, 2009 | 10:08 am
  #22  
All eyes on you!
15 Years on Site
 
Join Date: Dec 2007
Location: Bay Area
Programs: BA - Blue
Posts: 4,721
I have no idea about the technical ramifications, but a few years ago, I was flying in to BOS to give a talk. I was using my British passport under vWP.

At initial screening, the CBP officer said that I had "visited the US too often" and asked why -- I said that it was mostly because I was an academic, but also have friends/family here. Anyway, I was asked to go for more detailed screening...

Some long wait later, I go up to be interviewed, the guy asks me why I'm here, I say I'm giving a talk at a university. He asks what my field is, I reply, then he starts quoting one of my academic papers at me! I was in total shock, thinking the CIA or whatever had a file on me. After a brief pause, I asked him how he found that out. One word response: "google".

To be honest, if I was a determined threat, I would have prepared a thorough back story anyway, including google-accessible data, but to the casual liar/ illegal, it may be of some limited value.

tb
trueblu is online now  
Old Feb 5, 2009 | 1:40 am
  #23  
All eyes on you!
20 Years on Site
 
Join Date: Nov 2004
Posts: 1,926
Hey, do any of you realize just how much sensitive data is collected on foreign guests??? Now this stuff is obviously wide open to be skimmed. Now some of YOU wonder why I am worried?
moeve is offline  
Old Feb 5, 2009 | 2:20 am
  #24  
FlyerTalk Evangelist
 
Join Date: Apr 1999
Location: Bryn Mawr PA & Wailea HI
Posts: 15,726
Two thoughts come to mind.............

(A) Garbage in = garbage out

(B) The more hay in the haypile = the more difficult to find the needle

MisterNice

Last edited by MisterNice; Feb 5, 2009 at 3:12 am
MisterNice is offline  
Old Feb 5, 2009 | 8:05 am
  #25  
 
Join Date: Aug 2008
Location: Norfolk, VA
Programs: UA 1P
Posts: 27
How many of the people complaining here are the same ones that complain when their employers limit their access to the internet?

I work for the government and the computers are locked down so tight that it becomes impossible to work efficiently (i.e. thumb drives, preventing us from getting on required govt web sites, etc...). I especially liked when they blocked the website to complete the mandatory computer security training.

Any time you use an ATM that info is going over the internet. Every Company you do business with likely puts your information on a server. It is encrypted as I am sure that CBP info is to their servers.

Yes, there is risk at plugging any computer into the internet. We either must accept that risk as a part of doing business today, or the internet becomes a vast repository of pirated music and porn and we go back to paper records for everything.
crwilsn is offline  
Old Feb 5, 2009 | 8:19 am
  #26  
 
Join Date: Sep 2008
Location: Cypress, TX
Programs: CO Plat, Priority Club Plat
Posts: 641
What if the user's internet session is being run in a Citrix window... which is easily set up and run. No direct internet access to the machine at that point...
speedster1978 is offline  
Old Feb 5, 2009 | 8:22 am
  #27  
Original Poster
A FlyerTalk Posting Legend
10 Countries Visited20 Countries Visited30 Countries Visited20 Years on Site
 
Join Date: Apr 2001
Location: PSM
Posts: 69,232
Originally Posted by speedster1978
What if the user's internet session is being run in a Citrix window... which is easily set up and run. No direct internet access to the machine at that point...
If it was, it was a darn good seamless window session. I do not think that was the case.
sbm12 is offline  
Old Feb 5, 2009 | 8:26 am
  #28  
Original Poster
A FlyerTalk Posting Legend
10 Countries Visited20 Countries Visited30 Countries Visited20 Years on Site
 
Join Date: Apr 2001
Location: PSM
Posts: 69,232
Originally Posted by crwilsn
I work for the government and the computers are locked down so tight that it becomes impossible to work efficiently (i.e. thumb drives, preventing us from getting on required govt web sites, etc...). I especially liked when they blocked the website to complete the mandatory computer security training.
That's still not the same thing as operating on an isolated network. But it does demonstrate how such proxy services are ineffective at accomplishing their purpose.

Any time you use an ATM that info is going over the internet. Every Company you do business with likely puts your information on a server. It is encrypted as I am sure that CBP info is to their servers.
I am not 100% certain that the transactional information for the CBP/ICE apps is encrypted, but that is irrelevant to the discussion at hand. If the confidential/secure information is on a terminal that is also connected to an insecure network then the assumption must be that the data is insecure. That's the way the security industry looks at things.
sbm12 is offline  
Old Feb 5, 2009 | 2:48 pm
  #29  
 
Join Date: Sep 2008
Location: Cypress, TX
Programs: CO Plat, Priority Club Plat
Posts: 641
Originally Posted by sbm12
If it was, it was a darn good seamless window session. I do not think that was the case.
You couldn't tell with our Citrix apps if it was running local or from Citrix... no frame around the app, and the window can be maximized just like it was a regular app.

On a lot of the secured machines, we have applications running off Citrix, no local apps installed, works great, especially as the end user can't mess with things, and can only use the application.
speedster1978 is offline  
Old Feb 5, 2009 | 6:55 pm
  #30  
Original Poster
A FlyerTalk Posting Legend
10 Countries Visited20 Countries Visited30 Countries Visited20 Years on Site
 
Join Date: Apr 2001
Location: PSM
Posts: 69,232
Originally Posted by speedster1978
You couldn't tell with our Citrix apps if it was running local or from Citrix... no frame around the app, and the window can be maximized just like it was a regular app.

On a lot of the secured machines, we have applications running off Citrix, no local apps installed, works great, especially as the end user can't mess with things, and can only use the application.
Unless they've fixed things, the icon on the taskbar is still different. It might have been a Citrix session, but I don't think it was.
sbm12 is offline  

