[personal profile] andygates
Once again I've been pushed into the Acceptable Use Police role. The questions that have been asked are "did this person do anything nasty?" and "could we have spotted it in advance?"

I've done web security before in different places with different policies. What I've found is that a deny-all-except-specified-sites policy is useless; it is simply too restrictive. With larger organisations, it gets more useless - and with 1500 active users and 5000 staff, it is impossible.

A permit-all-except-specified-sites policy works but needs full-time attention to keep the banned-sites list up to date. Someone has to eyeball the logs and visit any suspicious-looking domains to check their suitability. That's a staff and cash resource which needs to be balanced against the perceived resource drain / exposure to liability that the organisation suffers from.

Automatic filters don't seem to be clever enough - especially with a paeds department and a gynae department and a GUM clinic and lots of images and videos of surgery, most of which are wet and pink. We tried Snitch and its false-positive rate was funny; we tuned it down and it found nothing at all.

Trawling through these logs looking for eye-bending filth, I'm struck by a few things. First is the sheer weight of advertising - banners and popups galore, maybe a quarter of the bandwidth is taken up with this chuff. Then there's dynamic pages: MySpace and its friends, which are very hard to examine as the material is all served on a per-session basis with lots of unique URLs. User profiles are okay - create a profile of your own and you can see them - but there's no easy way to see the user's messages or blog comments to see if they're stalkery.

It's a weird thing. I have no problem with monitoring and policing illegal use, but I'm edgy with the idea of policing inappropriate content. I know that the Big Suits and IT geeks are the biggest inappropriate users - they're the ebay whores and MP3 mavens and forumheads. And dammit, a bit of webly recreation makes the workplace a lighter and less grinding place to be. But I still find myself looking through logs and thinking, "most of this applies to me, and to you too, Mr Manager," and yet here I am looking for a witch-mark.

Date: 2006-04-04 09:29 pm (UTC)
From: [identity profile] andygates.livejournal.com
I agree: it isn't possible. But that seems like a feeble response - maybe that's just because of how we perceive people's use of the web. We don't expect to catch every criminal phone call, just to make sure that people don't overuse the privilege. We don't expect to find every skin mag in people's bags. In all of these cases detection occurs opportunistically or after suspicion is aroused.

I'm content that we do have something like due diligence in place - or we would, if certain people did their damn jobs, but that's out of my hands and my views are noted.

Page generated Jan. 21st, 2026 05:22 pm