Hunting naughties in the logs
Apr. 4th, 2006 12:48 pm

Once again I've been pushed into the Acceptable Use Police role. The questions that have been asked are "did this person do anything nasty?" and "could we have spotted it in advance?"
I've done web security before in different places with different policies. What I've found is that a deny-all-except-specified-sites policy is useless, it is simply too restrictive. With larger organisations, it gets more useless - and with 1500 active users and 5000 staff, it is impossible.
A permit-all-except-specified-sites policy works but needs full-time attention to keep the banned-sites list up to date. Someone has to eyeball the logs and visit any suspicious-looking domains to check their suitability. That's a staff and cash resource which needs to be balanced against the perceived resource drain / exposure to liability that the organisation suffers from.
Automatic filters don't seem to be clever enough - especially with a paeds department and a gynae department and a GUM clinic and lots of images and videos of surgery, most of which are wet and pink. We tried Snitch and its false-positive rate was funny; we tuned it down and it found nothing at all.
Trawling through these logs looking for eye-bending filth, I'm struck by a few things. First is the sheer weight of advertising - banners and popups galore, maybe a quarter of the bandwidth is taken up with this chuff. Then there's dynamic pages: MySpace and its friends, which are very hard to examine as the material is all served on a per-session basis with lots of unique URLs. User profiles are okay - create a profile of your own and you can see them - but there's no easy way to see the user's messages or blog comments to see if they're stalkery.
It's a weird thing. I have no problem with monitoring and policing illegal use, but I'm edgy with the idea of policing inappropriate content. I know that the Big Suits and IT geeks are the biggest inappropriate users - they're the ebay whores and MP3 mavens and forumheads. And dammit, a bit of webly recreation makes the workplace a lighter and less grinding place to be. But I still find myself looking through logs and thinking, "most of this applies to me, and to you too, Mr Manager," and yet here I am looking for a witch-mark.
no subject
Date: 2006-04-04 12:40 pm (UTC)

no subject
Date: 2006-04-04 02:21 pm (UTC)

Managers tend to obsess over inappropriate content because it annoys them: it's like their staff reading Heat under their noses. I couldn't give a howling damn - that's a management issue. Keep the staff busy and they won't have time to waste.
It's the unlawful stuff that I'm picking around with. Given that I can't get a trusted blacklist, what tools are available to get early awareness of dodgy action? In particular: Google searches for "preteen felch" - for example. And, of course, are those tools smart enough or will it suck up someone's entire workday? There's a lot of crossover between dodgy and legitimate wording and people really really don't like being accused of being paedophiles and white supremacists on spec.
Especially not managers ;)
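The early-awareness question above, worked as an added example that is not part of the original post or its comments: a small scan over constructed Squid-format proxy log lines that pulls the `q=` words out of Google searches, matches them against a watch term taken from the post, and demotes hits that carry clinical-context words (a placeholder list standing in for the paeds/gynae/GUM vocabulary), so the output is a per-client review queue for a human rather than an accusation on spec.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Squid native access.log: time elapsed client action/code bytes method url ...
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)

SEARCH_HOSTS = {"www.google.com", "www.google.co.uk"}
# Watch term taken from the post's own example; any real list is a local policy decision.
WATCH_TERMS = {"preteen"}
# Constructed clinical-context words: a hit alongside these is expected from the
# clinical departments and is marked 'context' rather than queued for review.
CLINICAL_CONTEXT = {"paediatric", "vaccination", "clinic", "dosage", "guideline"}

def search_terms(url):
    """Return the lowercase words of a Google 'q=' query, or [] if the URL is not a search."""
    parts = urlsplit(url)
    if parts.hostname not in SEARCH_HOSTS or not parts.path.startswith("/search"):
        return []
    query = parse_qs(parts.query).get("q", [""])[0]   # parse_qs also decodes '+' to space
    return query.lower().split()

def classify(words):
    """'review' if a watch term appears without clinical context, 'context' if with, else None."""
    if not WATCH_TERMS & set(words):
        return None
    return "context" if CLINICAL_CONTEXT & set(words) else "review"

def review_queue(lines):
    """Group hits per client so the reviewer sees a pattern, not a single query."""
    queue = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        words = search_terms(m["url"])
        verdict = classify(words)
        if verdict:
            queue.setdefault(m["client"], []).append((verdict, float(m["ts"]), " ".join(words)))
    return queue

SAMPLE_LOG = [  # constructed lines, not from a real proxy
    "1144151280.101 245 10.0.0.15 TCP_MISS/200 1432 GET http://www.google.com/search?q=preteen+vaccination+guideline - DIRECT/1.2.3.4 text/html",
    "1144151290.202 120 10.0.0.15 TCP_MISS/200 980 GET http://www.myspace.com/index.cfm?fuseaction=user - DIRECT/1.2.3.5 text/html",
    "1144151300.303 310 10.0.0.42 TCP_MISS/200 1500 GET http://www.google.com/search?q=preteen - DIRECT/1.2.3.4 text/html",
    "1144151310.404 300 10.0.0.42 TCP_MISS/200 1500 GET http://www.google.co.uk/search?hl=en&q=preteen+forum - DIRECT/1.2.3.4 text/html",
]

if __name__ == "__main__":
    for client, hits in review_queue(SAMPLE_LOG).items():
        print(client, hits)
```

Only the `review` entries need a person's time; `context` entries stay visible so the list can be tuned when a department's legitimate vocabulary starts tripping it.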
no subject
Date: 2006-04-04 05:19 pm (UTC)

I may be pessimistic, but my take is that it's flatly impossible to flag all "bad" (whether unlawful or inappropriate) activity without whitelisting -- as you say, sites suitable for blacklisting pop up too quickly, and some sites (like Google) can be used for licit activities as well as il.
So, I think your best option is not to try to find a perfect solution, but rather hunt one down that proves due diligence should la policia come sniffing around. This perhaps won't save you from having equipment impounded, but then the only thing that will is a whitelisting solution, and that's unworkable unless you want to hamstring your entire user population, and it should at least keep the IT staff and upper echelons from getting hit with whatever charges sound most like "contributory negligence" in your neck of the woods.
no subject
Date: 2006-04-04 09:29 pm (UTC)

I'm content that we do have something like due diligence in place - or we would, if certain people did their damn jobs, but that's out of my hands and my views are noted.