back to article How to stop a content filter becoming a career-shortening network component

"Be careful what you wish for." Words that might strike a chord with the IT boss in today's edition of Who, Me? "Lee", for that is not his name, told us of his time as an IT consultant in the Far East, working for a family-owned bank. The bank was extremely wary of this new-fangled internet thing and allowed a favoured few …

  1. Hubert Cumberdale Silver badge

    In any case, I guess it's much harder to do anything about that sort of thing these days, what with so many people on their own connections w##king from home.

    1. diguz

      never heard of "security endpoint"? I'm a sysadmin in a medium company (500-ish people) and we have been WFH'ing for the past year... Filtering content on company laptopts whatever network they connect to? Piece of cake: new security endpoint with tamper protection and cloud management...

      I've seen many things scrolling through the logs, from torrent traffic to people installing steam (i don't even know why - company laptops only have the iGPU)...

  2. Anonymous Coward
    Anonymous Coward

    SquidGuard Logs

    For when you really didn't want to know about your boss's foot fetish porn ( true story, left shortly after )

    1. Dave314159ggggdffsdds Silver badge

      Re: SquidGuard Logs

      What about the right?

      1. The First Dave

        Re: SquidGuard Logs

        If left shortly after, then right must have been first, shirley?

        1. Aladdin Sane Silver badge

          Re: SquidGuard Logs

          I believe the middle leg was tugged first.

          1. Anonymous Coward
            Anonymous Coward

            Re: SquidGuard Logs

            Pierson's puppeteer?

            1. Richard 12 Silver badge

              Re: SquidGuard Logs

              I'd draw a diagram, but this is a company phone.

            2. WonkoTheSane
              Thumb Up

              Re: SquidGuard Logs

              Pic goes here

            3. WhereAmI?

              Re: SquidGuard Logs

              Up vote for the Larry Niven reference.

            4. Strahd Ivarius Silver badge

              Re: SquidGuard Logs

              As long as it doesn't ends with a mote in God's eye...

  3. This is not a drill

    Not an IT issue.

    "if the content scanner was turned on then the IT department would have firm evidence and have to confront him."

    Why? It's not IT's role to police what people do/see, Information Security/IT's use of a content filter is to ensure that users cannot access/download any malicious or dangerous links/files, cannot leak data, or impact the performance of the internet link.

    It's a purely HR issue as to what undesirable content is permitted or not, and they also have to deal with offenders.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not an IT issue.

      It sounds like

      A. You have not had much experience in the middle east.

      B. You are not familiar with extreme senses of entitlement.

      How much experience have you, even in this country, with small family businesses?

      1. Anonymous Coward
        Anonymous Coward

        Re: Not an IT issue.

        "How much experience have you, even in this country, with small family businesses?"

        And also businesses run in slave mode, with passports of expats now local confiscated, and the CFO being the local "sponsor" (aka, real owner) of said business.

        Can't really mess this up, and put all feelings under the carpet. This or find another job in another country ...

        Anon, who only spent a couple of years in said countries.

      2. tyrfing

        Re: Not an IT issue.

        From the article this was the Far East, not the Middle East.

        Probably much the same attitudes though.

      3. Anonymous Coward
        Anonymous Coward

        Re: Not an IT issue.

        These things do just happen "over there", they don't just happen in small family businesses.

        I remember a case in London back in the 90s at a major partnership where one of the partners was not following the guidelines they themselves had voted for.

        When confronted they replied it was "their company and anyone who didn't like it could f*** off".

        As in this story the answer was to provide an isolated system and network connection.

    2. J.G.Harston Silver badge

      Re: Not an IT issue.

      Agree: IT's job is to look without seeing. You observe only what is needed to ensure functionality, without actually seeing the content. Exactly the same in my job in NHS IT. I have to "look at" patient records in order to ensure the system is working, but I never "see" them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not an IT issue.

        "Agree: IT's job is to look without seeing. You observe only what is needed to ensure functionality, without actually seeing the content. Exactly the same in my job in NHS IT. I have to "look at" patient records in order to ensure the system is working, but I never "see" them."

        Which is also perfectly explained in the role of "processor" in GDPR, see https://advisera.com/eugdpracademy/knowledgebase/key-roles-defined-in-eu-gdpr/

    3. KillStuffMount

      Re: Not an IT issue.

      Reasonably certain the evidence would have been further along Moh's scale than simply "firm".

      Ahem.

    4. anothercynic Silver badge

      Re: Not an IT issue.

      Oh dear. Someone's only had experience with the West... *tsk*

      The Middle and Far East are *very* different animals where this kind of thing is concerned. Hence the "it's... errr... not convenient". The regions have their ways to mean no whilst actually saying yes, and have their problems when dealing with organisations that are rife with nepotism.

      1. Strahd Ivarius Silver badge
        Joke

        Re: Not an IT issue.

        From a Californian point of view, Middle-East is New England, and Far-East in England, right?

        1. Anonymous Coward
          Anonymous Coward

          Re: Not an IT issue.

          Which would make Midwest be what most folks call Far-East, and Far West would be the Middle East.

  4. Evil Auditor

    Audits of branch offices also included compliance with local regulations. Given that some countries in the Middle East had (and probably still have) some rather strict anti-prawn laws, I had the "joy" of searching for such content on any local storage. And then delivering lists of files that better be deleted to their owners...

    1. WonkoTheSane
      Trollface

      Anti-prawn laws?

      Did they have to deport Troy McLure at one point?

      1. MrReynolds2U Bronze badge

        Ha ha, I was thinking about Wikus van der Merwe instead.

        "Fookin' prawns!"

    2. Arthur the cat Silver badge
      Headmaster

      Given that some countries in the Middle East had (and probably still have) some rather strict anti-prawn laws

      Well yes. Leviticus 11:9-12 is relevant to both Judaism and Islam.

      1. Irony Deficient Silver badge

        Leviticus 11:9–12 is relevant to both Judaism and Islam …

        … unless the Quran overrides it, e.g. chapter 5, verse 96.

        Note that it’s only the Halafi school of Sunni jurisprudence that considers prawns to be makruh (disapproved), but not haram (forbidden); the other Sunni schools, all of the Shia schools, and the Ibadi school regard prawns as halal (permissible). These are in contrast to Leviticus 11:9–12, where prawns are forbidden.

        1. martinusher Silver badge

          Re: Leviticus 11:9–12 is relevant to both Judaism and Islam …

          Do any of those texts describe exactly what a 'prawn' is?

          1. Irony Deficient Silver badge

            Re: Leviticus 11:9–12 is relevant to both Judaism and Islam …

            No — neither text exactly describes a “prawn”. The Leviticus text states that “whatsoever hath fins and scales in the waters, in the seas, and in the rivers” is permissible to eat, and whatever lacks fins and scales there is forbidden to eat. The Quranic text states that “Lawful to you is the game of the sea and its food”. Finer distinctions can be drawn by the dietary laws of each religion; perhaps the Torah and the Quran could be thought of as constitutions, under which Jewish and Islamic dietary laws act as legislation for their respective constitutions.

            1. Strahd Ivarius Silver badge

              Re: Leviticus 11:9–12 is relevant to both Judaism and Islam …

              And it took some time to decide the platypus case in the 1700's if I remember well.

        2. Terry 6 Silver badge

          Re: Leviticus 11:9–12 is relevant to both Judaism and Islam …

          Or as I had it explained to me by a colleague when we were comparing Kosher and Halal laws (both of us working in a C of E school).

          "I can eat shellfish, but not go to the mosque straight afterwards"

          1. Anonymous Coward
            Anonymous Coward

            Re: Leviticus 11:9–12 is relevant to both Judaism and Islam …

            Bad breath?

    3. mr-slappy
      Alien

      "strict anti-prawn laws"... enforced by Wikus van der Merwe?

  5. Ikoth

    In the early 2000's, I was working for a large manufacturing company and helped with their roll-out of internet for everyone – up until then it had only been available for us in the IT ivory tower.

    We ran a big information campaign – email, posters, training courses on browser use, acceptable use policy, yadda yadda yadda. One of the things we stressed was that all access was logged by IT, with full details of sites, addresses, user ID, etc.

    One of my tasks was to setup and manage a proxy server and produce weekly usage reports for the IT manager to peruse. Not long after we went live, a certain username and dodgy looking URL kept appearing in the reports. Being a conscientious sort, I followed the link and landed on a hardcore BDSM site.

    I showed my boss the site and the username of the frequenter. He decided, as it was still early days, to send out an email to all staff, reminding them that IT were logging ALL their online activity. No change, the same name and site kept coming up in the reports. The boss sent an email directly to the culprit, warning of consequences if the activity continued. It did.

    In a final attempt to fix the problem, before getting HR involved, my boss arranged a face-to-face meeting with the user. He never disclosed the full details of their conversation, but when he returned from the meeting, me and the rest of the team were genuinely concerned for his health – his face was bright red and he was covered in sweat.

    Apparently, the drop-dead-gorgeous, part time model, marketing assistant wasn’t phased in the slightest about her browsing habits being subject to scrutiny, and in fact complained that it wasn’t fair for her “stress relieving” internet activity to be restricted.

    Shortly afterwards I was tasked with finding a more sophisticated proxy solution that could actually block sites, based on content.

    1. Anonymous Coward
      Anonymous Coward

      fyi

      s/phased/fazed/

      1. Zarno Silver badge
        Coat

        Re: fyi

        Given her proclivities, poly-phasing might be a thing.

        Certainly would get the electricity flowing.

        Could be a real live wire.

        Many sines and co-sines to deal with, and there's likely more than a few angular relationships.

        I'll get my coat.

  6. harmjschoonhoven

    Re: "That would not be... convenient"

    The English also have very polite ways to say NO - in my experience.

    1. J.G.Harston Silver badge

      Re: "That would not be... convenient"

      "A very brave choice, Minister"

      1. Aladdin Sane Silver badge

        Re: "That would not be... convenient"

        Conversely:

        "You might very well think that, but I couldn't possibly comment."

    2. chivo243 Silver badge

      Re: "That would not be... convenient"

      niet mogelijk? sorry hoor... So do the Dutch!

      1. The Oncoming Scorn Silver badge
        Pint

        Re: "That would not be... convenient"

        Wi nøt trei a høliday in Sweden this yër? See the løveli lakes The wøndërful telephøne system And mäni interesting furry animals.

        1. snowpages
          Headmaster

          Re: "That would not be... convenient"

          The pedant in me has to point out that the Swedes don't use "ø" - that is the Norwegians and Danes. The Swedish equivalent is an "ö"

          (disclaimer: wife is Swedish so I had the differences pointed out to me very early on..)

    3. Norman Nescio

      Re: "That would not be... convenient"

      Up to a point, Lord Copper.

  7. Admiral Grace Hopper
    Stop

    It helps if management are on board

    It wouldn't have helped here, but if the Chair of the organisation is on board with the message it can help when trying to stop This Sort Of Thing

  8. Anonymous Coward
    Anonymous Coward

    exceptions policy.

    back in the day my company implemented a content monitoring and blocking solution.

    this lead to the below notable events

    1. the head of IT writing up a list of search terms he wanted blocked on his white board i.e. foot fetish ,BDSM , etc (he was clearly an expert at such things) then afterwards taking a meeting with a customer. with the list still there queue a lot of swearing and apologises.

    2. when it went live during the week between christmas and new year we needed to "test the system" queue IT spent the week playing Flash games and doing quizes and googling the soon to be blocked search teams to give us results to test when we turned blocking on.

    3. when post new year came head of IT returned from holiday and wanted to review the stats decided on an some adjustments and to delay the blocking phase a week. and give a presentation to the c-level about all the wasted time we would get back be blocking porn , online shopping, games, etc. but seems he hadn't told the C-level in advance of the presentation we were doing this work. day of the presentation we pulled up the biggest users of blocked sites.(minus IT's "Testing")

    all the c-level were in the list plus some of the PA's everything from porn browsing to configuring there new cars , they were by far the worst offenders.

    surprisingly the system went in still but with an exceptions policy for those who weren't to be reported on.

    1. Alister

      Re: exceptions policy.

      Please learn the difference between cue and queue.

    2. Anonymous Coward
      Anonymous Coward

      Keyword filtering

      I used to build the damn things, and I can say unless you hate yourself, don't keyword filter.

      I have stood in front of so many managers in front of so many white boards over the years and had to dismantle their illusions with just a few words. "Brass" was usually a good one.

      If you think you need keyword blocking, buy an appliance with a better categorization library instead. That's what you are really paying for anyway. The rest of the stuff might as well be open source(or literally is).

      Keyword lists are both too easy to bypass, and virtually guaranteed to randomly break the traffic of mission critical systems without painfully exhaustive whitelisting. You also have to be be able to break into the traffic, which can get you in even more hot water. (I could tell you a tale about a customer who's networking team got themselves in a heap of trouble when the "banned searches" we helped them track down were found to be coming from the companies lactation room and going to the HMOs "Wellness portal", and on a related note never crack ssl till you check where it's going first, or you may be talking to a lawyer or HR)

      1. A____B

        Re: Keyword filtering

        Agree.

        At a previous employer, we had an internal collaboration system which had some filtering applied for banned words.

        It would let you type something but then remove offending words and send a report to management.

        Sadly it was a little zealous...

        "Push down hard on cover plate and turn locking screw clockwise"

        would end up as

        "Push down ** cover plate and turn locking ** clockwise. THIS POSTING HAS BEEN REPORTED FOR FAILING TO MEET GUIDELINES"

        There was quite a fad for excessively wordy circumlocutions in communications with some folks e.g. "tapering connector with externally raised helical binding" and the obvious descent into acronyms for others. Of course, adding in an extra space would defeat it anyway (though the spellchecker may object)

        1. Terry 6 Silver badge

          Re: Keyword filtering

          I may well have told this previously, but what teh hell, if I had it's still worth it.

          When I did jury service years ago the attempted murder case we were on had to be delayed. The defendant's statement was being sent electronically from the nearby nick*. But it was blocked by the software because said defendant's words included several that were banned. We had to wait while it was rewritten.

          *And no, I have no idea why they couldn't have just brought a paper version in. This was never explained to us

      2. Rob Daglish

        Re: Keyword filtering

        Yup. I live in the county of Cumbria... although I understand those in Sussex, Essex and Middlesex may have similar issues.

        1. irrelevant

          Re: Keyword filtering

          Worse, I used to live in Chorlton-cum-Hardy ...

          Typically referred to as "The Scunthorpe Problem" ..

          1. Robert Carnegie Silver badge

            Re: Keyword filtering

            Not sure if I should do this or if it works -

            "Scunthorpe is a real place? I thought it was made up for comedic purposes."

            https://twitter.com/Ben_Aaronovitch/status/1400732052576739331

            "Rivers of London" is an urban fantasy series, novels and spinoffs, about police and magic in the 21st century, but this is "just" arresting a young street thief: the women are police officers. But the boss of the street gang turns out to be an elf. (Probably not. It isn't all out yet.)

  9. amanfromMars 1 Silver badge

    Have you been there yet? Those Spaces of Heavenly Nirvana Trading Perfecting Almighty Temptations

    Go to the front of the class, Richard Speed, for that excellent performance taking advantage and remote virtual ownership of a diabolically engaging phish. :-)

    Where one's every worthy wish is constantly more than Just Satisfied and Sated and Overwhelmingly EMPowered and Universally Energised. ..........for Advanced IntelAIgently Designed Streaming/Dedicated Direct Designated Broad Band Casting.

  10. Daedalus Silver badge

    Sibling rivalry?

    Even in the Far East, it might be that one sibling would gladly use any little bit of dirt to bring down another. A little strategic leaking might have worked wonders...

  11. Anonymous Coward
    Anonymous Coward

    Well played...

    not the most bastardly solution, but that is also probably a good career move at a bank in the far east. With adequate hardware "Lee" could have also put him in his own DMZ, but it wouldn't have stroked the guys ego as much.

  12. Anonymous Coward
    Anonymous Coward

    Some learn, some don't

    At a previous position, my task was to implement a shiny new Web Proxy at our European head office, which would service all our satellite offices around Europe. Since UK law appeared to mandate that we made an attempt to prevent in-workplace browsing of pr0n, a netnanny was also installed to filter the traffic. This clever software would allow us to log some things (job search websites) and block others (pr0n), and get nicely formatted stats by subnet (IE by office/country).

    We brought the various offices online sequentially. Most would have an initially flurry of pr0n-browsing attempts, followed by realisation and then no more problems.

    Paris took a little longer than others to realise pr0n was interdit, though possibly this was simply due to their having a greater number of sites to test.

    However, one site never learned - and that would be the London office, where the C-suite hung out. They just kept at it, attempting to find the pr0n. I even had one phone me up at one point, angrily insisting that I unblock their Internet access. This was likely the one who a few months later sent their laptop in to Support to be fixed, and it was discovered to have a number of borderline-illegal gay porn images on it. Or possibly the one who tried to expense a trip to an Amsterdam brothel on his company credit card.

    We also had one office where a shared PC was being used to view some nasties. I set up a trigger to notify the office manager when pr0n was detected, so that he could go down and find the miscreant - who turned out to be Unfireable due to skillset and so was permitted to continue with his dubious practice.

    We could also use the statistics to identify which days company announcements appeared in the various offices, by tracking when there was an increase in people browsing Jobs websites ...

    1. Martin Silver badge

      Re: Some learn, some don't

      ....who turned out to be Unfireable due to skillset ...

      If you have someone who is unfireable, and takes advantage of it - fire them. If your company can't manage without them, how are they going to cope if they go under a bus?

    2. Down not across Silver badge

      Re: Some learn, some don't

      At a previous position, my task was to implement a shiny new Web Proxy at our European head office, which would service all our satellite offices around Europe. Since UK law appeared to mandate that we made an attempt to prevent in-workplace browsing of pr0n, a netnanny was also installed to filter the traffic.

      Seen similar attempts. Didn't go down so well in mainland Europe where such blocking was not apparently legal. This was decades ago so things may have changed since.

    3. DiViDeD Silver badge

      Re: Some learn, some don't

      A net nanny would have been less embarassing than using SpamHaus' blocklists back in the day. While at <<major oil company>> (think: the one with the Flora Margarine logo), I was using a totally innocent text editor that I'd originally obtained from some freeware site or other that ended up in the middle of one of their notorious blocked IP ranges.

      This mattered not a jot until the night the software decided to phone home to check for updates.

      Next morning, the head of IT security came into my office armed with a pretty substantial printout carried by an underling.

      "I wouldn't normally come in on one of these, but I just wanted to see the idiot who tried to access a blocked site over 1200 times last night."

      A few moments' contemplation persuaded him that even an IT whizz like me couldn't have typed the URL in quickly enough to attempt access several times a second, and I was able to show him on my own personal device that the URL was innocent enough, but the look on my colleagues' faces when he arrived was classic.

  13. Hazmoid

    implementing Surf control was fun

    I worked for a broker many years ago when SurfControl was all the rage and we implemented it. All staff were alerted that we would be doing so and all internet traffic would be monitored.

    Initially the plan was to monitor only. However after the first week, we realised that we would be in a world of hurt if we went after the big offenders

    In Broking, the brokers are the money makers and therefore tend to be much higher on the totem pole that the IT cost centre.

    We started out by sending warning emails that certain websites had been browsed from a machine allocated and logged in as the user, and that further infractions would be reported to HR. When it kept being a problem, we decided we would go for the search and destroy method, adding all suspect websites to the block list (DNS proxy), as this was in the control of IT.

    Problem was that one of the websites was Adultshop.com and happened to be one of our clients as they had just listed on the ASX :) Add to that the brothel company that also listed and we suddenly had to open sites up again that we thought could safely be blocked :)

    1. Terry 6 Silver badge

      Re: implementing Surf control was fun

      Maybe I'm being a bit over-imaginative, but I do detect a slight hint of hypocrisy there. It's OK to wok for a sex-trader, but not view their products?

      1. Robert Carnegie Silver badge

        Re: implementing Surf control was fun

        I don't really want to invest time thinking of something witty to say about "insider dealing", but it could apply.

  14. Anonymous South African Coward Silver badge

    Played around with Squid and SARG on Smoothwall when it was the rage...

    ...and yup, dodgy URL's in the URL filter as well... one was curvycastle.com which for some reason is still in my mind, the others I have forgotten.

  15. bigphil9009

    It's not wrong - we're Italian!

    Back in the days of Exchange 5.5, our mail server would regularly fall over (by design, given that we were on the standard edition which limited the size of the EDB file to some stupidly low limit) because the sales team were hard at work swapping porn videos with their counterparts at the company's main retailers. After speaking to the CEO it was decided to implement content filtering in order to prevent this happening. Cue the Sales Director walking up to my desk, throwing his laptop down telling me that "I can't work like this! You can't stop us doing this - it's not wrong - we're Italian!". They guy was Australian, the company was the Australian arm of an Italian company.

    The CFO then got wind of this and asked me if I could export all of the offending files and then delete them, thus freeing up space in the EDB. However, the request was firmly made to burn all of the offending material to a DVD before deleting it, so that he could, erm, "inspect" it all from home.

    Those guys had some balls, I tell you.

  16. s2bu

    Who, Me?

    Where's the Who, Me? on what caused Who, Me? to get posted on a Tuesday instead of the normal Monday?

    1. diodesign (Written by Reg staff) Silver badge

      Tuesday

      It was a public holiday in the UK on Monday so we moved Who, me? to Tuesday so that it wouldn't be missed by people.

      We do notice that readers disappear a little over holidays, from the traffic logs.

      C.

      1. Anonymous Coward
        Anonymous Coward

        Re: Tuesday

        (I asked about it in Friday's On Call comments.) Ah, that would explain it. Being leftpondian, I wasn't aware of the holiday.

      2. s2bu

        Re: Tuesday

        Makes sense. Although if you want to turn that into a Who, Me? you really should spice up the story a little. :)

      3. Jou (Mxyzptlk)

        Re: Tuesday

        I am one of those who APPEAR during the free days to read WhoMe and OnCall for leisure.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021