andygates: (Default)
[personal profile] andygates
Once again I've been pushed into the Acceptable Use Police role. The questions that have been asked are "did this person do anything nasty?" and "could we have spotted it in advance?"

I've done web security before in different places with different policies. What I've found is that a deny-all-except-specified-sites policy is useless: it is simply too restrictive. With larger organisations it gets more useless still, and with 1500 active users and 5000 staff it is impossible.

A permit-all-except-specified-sites policy works but needs full-time attention to keep the banned-sites list up to date. Someone has to eyeball the logs and visit any suspicious-looking domains to check their suitability. That's a staff and cash resource which needs to be balanced against the perceived resource drain / exposure to liability that the organisation suffers from.

Automatic filters don't seem to be clever enough - especially with a paeds department and a gynae department and a GUM clinic and lots of images and videos of surgery, most of which are wet and pink. We tried Snitch and its false-positive rate was funny; we tuned it down and it found nothing at all.

Trawling through these logs looking for eye-bending filth, I'm struck by a few things. First is the sheer weight of advertising - banners and popups galore, maybe a quarter of the bandwidth is taken up with this chuff. Then there are dynamic pages: MySpace and its friends, which are very hard to examine as the material is all served on a per-session basis with lots of unique URLs. User profiles are okay - create a profile of your own and you can see them - but there's no easy way to see the user's messages or blog comments to see if they're stalkery.

It's a weird thing. I have no problem with monitoring and policing illegal use, but I'm edgy with the idea of policing inappropriate content. I know that the Big Suits and IT geeks are the biggest inappropriate users - they're the ebay whores and MP3 mavens and forumheads. And dammit, a bit of webly recreation makes the workplace a lighter and less grinding place to be. But I still find myself looking through logs and thinking, "most of this applies to me, and to you too, Mr Manager," and yet here I am looking for a witch-mark.

Date: 2006-04-04 12:23 pm (UTC)
From: [identity profile] justoneway.livejournal.com
A good way of demonstrating your ethical dilemmas with the policing is to use the suits as your test cases. Not mischievously but seriously, as a way to point out to them that the decisions are fuzzy. (And more than likely that they want to put in an "okay for me but not for the plebs" system which they now have to justify in all its ugliness.)

Date: 2006-04-04 12:46 pm (UTC)
From: [identity profile] andygates.livejournal.com
Aye, and that's what I did for a lot of non-work content. But basically, the big suits believe that they add so much value to an organisation that they're special and should be given dispensation. Listening to classical music while writing a report, or checking the Guardian site, is so much less inappropriate than MP3-shuffling Robbie and checking the surf weather sites, you see.

Date: 2006-04-04 12:24 pm (UTC)
From: [identity profile] skean.livejournal.com
"Mavens"?

Date: 2006-04-04 01:42 pm (UTC)
From: [identity profile] ankaret.livejournal.com
Person with interest and expertise in; see wonk.

Date: 2006-04-04 02:23 pm (UTC)
From: [identity profile] andygates.livejournal.com
Heavy, deep users. People who are Into It. Strictly, "a person who has special knowledge or experience; an expert."

Date: 2006-04-04 12:40 pm (UTC)
From: [identity profile] flitljm.livejournal.com
We are allowed any personal use outside work hours; with the exclusion of p0rn. The policy probably says something about offensive material but I'm not sure where to look it up.

Date: 2006-04-04 02:21 pm (UTC)
From: [identity profile] andygates.livejournal.com
Policing of "inappropriate" content is mainly political. Policing of unlawful content isn't: at the end of the day, inappropriate content causes some manager somewhere to get hissy; unlawful content means the Police take six of your PCs away for examination (and we're lucky we didn't lose a fileserver or proxy box too).

Managers tend to obsess over inappropriate content because it annoys them: it's like their staff reading Heat under their noses. I couldn't give a howling damn - that's a management issue. Keep the staff busy and they won't have time to waste.

It's the unlawful stuff that I'm picking around with. Given that I can't get a trusted blacklist, what tools are available to get early awareness of dodgy action? In particular: Google searches for "preteen felch" - for example. And, of course, are those tools smart enough or will it suck up someone's entire workday? There's a lot of crossover between dodgy and legitimate wording and people really really don't like being accused of being paedophiles and white supremacists on spec.

Especially not managers ;)
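The three log-trawling chores the post and this comment describe (measuring how much bandwidth is ad chuff, keeping a permit-all-except policy fed with a queue of unreviewed domains for a human to eyeball, and getting early awareness of dodgy search queries without accusing anyone on spec) can be sketched against a proxy log. The script below is an added example, not code from the original post or from any tool named on the page. It assumes Squid's native access.log layout; the log lines, client addresses, ad domains, reviewed domains and the watch term `WATCHLIST_TERM_1` are all constructed placeholders, and the search-term match is deliberately whole-token and produces a review queue rather than a verdict, because of the crossover between dodgy and legitimate wording the comment points out.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Squid's native access.log layout (hypothetical clients and hosts):
# timestamp elapsed client action/status bytes method url ident hierarchy content-type
SAMPLE_LOG = """\
1144150000.123    210 10.1.2.3 TCP_MISS/200 48213 GET http://www.guardian.co.uk/ - DIRECT/1.2.3.4 text/html
1144150001.456     80 10.1.2.3 TCP_MISS/200 31022 GET http://ads.example-adnet.net/banner.gif - DIRECT/1.2.3.5 image/gif
1144150002.789     95 10.1.2.4 TCP_MISS/200 29877 GET http://pop.example-adnet.net/popup.js - DIRECT/1.2.3.5 application/x-javascript
1144150003.012    300 10.1.2.4 TCP_MISS/200 12000 GET http://www.google.co.uk/search?q=gynae+surgery+video&hl=en - DIRECT/1.2.3.6 text/html
1144150004.345    150 10.1.2.5 TCP_MISS/200 11000 GET http://www.google.co.uk/search?q=WATCHLIST_TERM_1+pictures - DIRECT/1.2.3.6 text/html
1144150005.678    120 10.1.2.5 TCP_MISS/200 25000 GET http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=1234 - DIRECT/1.2.3.7 text/html
1144150006.901    100 10.1.2.3 TCP_HIT/200 9000 GET http://www.guardian.co.uk/uk_news/ - NONE/- text/html
"""

# All of these sets are constructed for the example. In practice the ad list comes from a
# maintained ad-server list, the reviewed list is whatever a human has already eyeballed,
# and the watch terms come from the organisation's own policy, not from this script.
AD_DOMAINS = {"example-adnet.net"}
REVIEWED_DOMAINS = {"guardian.co.uk", "google.co.uk"}
WATCH_TERMS = {"watchlist_term_1"}
SEARCH_HOSTS = {"google.co.uk", "google.com"}

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)")


def in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one (label-suffix match)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_log(text):
    """Turn Squid native log lines into dicts; unparseable lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _elapsed, client, _status, size, method, url = m.groups()
        records.append({"ts": float(ts), "client": client, "bytes": int(size),
                        "method": method, "url": url, "host": urlsplit(url).hostname or ""})
    return records


def ad_bandwidth_share(records, ad_domains=AD_DOMAINS):
    """Fraction of total bytes that went to known ad servers (the 'chuff' share)."""
    total = sum(r["bytes"] for r in records)
    ads = sum(r["bytes"] for r in records if in_domains(r["host"], ad_domains))
    return ads / total if total else 0.0


def review_queue(records, reviewed=REVIEWED_DOMAINS, ad_domains=AD_DOMAINS):
    """Permit-all-except support: hosts nobody has looked at yet, busiest first.

    This is the list a person works through by hand; nothing here is blocked automatically.
    """
    hits, byts = defaultdict(int), defaultdict(int)
    for r in records:
        if in_domains(r["host"], reviewed) or in_domains(r["host"], ad_domains):
            continue
        hits[r["host"]] += 1
        byts[r["host"]] += r["bytes"]
    return sorted(((h, hits[h], byts[h]) for h in hits), key=lambda t: (-t[1], -t[2], t[0]))


def search_queries(records, search_hosts=SEARCH_HOSTS):
    """Pull the q= parameter out of search-engine requests so the query text can be examined."""
    out = []
    for r in records:
        if not in_domains(r["host"], search_hosts):
            continue
        q = parse_qs(urlsplit(r["url"]).query).get("q")
        if q:
            out.append((r["client"], q[0]))
    return out


def flag_searches(records, watch_terms=WATCH_TERMS):
    """Whole-token match of search queries against the watch list.

    Matches are a queue for a person to look at with context, not a verdict: substring
    matching and automatic action are avoided because legitimate and dodgy wording overlap.
    """
    flagged = []
    for client, query in search_queries(records):
        tokens = set(re.findall(r"[a-z0-9_]+", query.lower()))
        for term in sorted(tokens & watch_terms):
            flagged.append((client, query, term))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"ad share of bandwidth: {ad_bandwidth_share(recs):.1%}")
    print("unreviewed hosts:", review_queue(recs))
    print("flagged searches:", flag_searches(recs))
```

On the constructed sample the ad servers take roughly 37% of the bytes, the only host nobody has reviewed is the MySpace profile page, and the gynae search passes untouched while the placeholder term lands in the review queue with the client address and full query attached, which is the context a person needs before anyone gets accused of anything.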

Date: 2006-04-04 05:19 pm (UTC)
From: [identity profile] thudthwacker.livejournal.com
Pity that "unlawful" really isn't any easier to find than "inappropriate," but can cause boatloads more trouble.

I may be pessimistic, but my take is that it's flatly impossible to flag all "bad" (whether unlawful or inappropriate) activity without whitelisting -- as you say, sites suitable for blacklisting pop up too quickly, and some sites (like Google) can be used for licit activities as well as il.

So, I think your best option is not to try to find a perfect solution, but rather hunt one down that proves due diligence should la policia come sniffing around. This perhaps won't save you from having equipment impounded, but then the only thing that will is a whitelisting solution, and that's unworkable unless you want to hamstring your entire user population, and it should at least keep the IT staff and upper echelons from getting hit with whatever charges sound most like "contributory negligence" in your neck of the woods.

Date: 2006-04-04 09:29 pm (UTC)
From: [identity profile] andygates.livejournal.com
I agree: it isn't possible. But that seems like a feeble response - maybe that's just because of how we perceive people's use of the web. We don't expect to catch every criminal phone call, just to make sure that people don't overuse the privilege. We don't expect to find every skin mag in people's bags. In all of these cases detection occurs opportunistically or after suspicion is aroused.

I'm content that we do have something like due diligence in place - or we would, if certain people did their damn jobs, but that's out of my hands and my views are noted.

Date: 2006-04-04 01:54 pm (UTC)
From: [identity profile] jonnycowbells.livejournal.com
Good post this. Several nails have been struck squarely on heads.
