How to stop a content filter becoming a career-shortening network component "Be careful what you wish for." Words that might strike a chord with the IT boss in today's edition of Who, Me? "Lee", for that is not his name, told us of his time as an IT consultant in the Far East, working for a family-owned bank. The bank was extremely wary of this new-fangled internet thing and allowed a favoured few …
never heard of "security endpoint"? I'm a sysadmin in a medium company (500-ish people) and we have been WFH'ing for the past year... Filtering content on company laptopts whatever network they connect to? Piece of cake: new security endpoint with tamper protection and cloud management...
I've seen many things scrolling through the logs, from torrent traffic to people installing steam (i don't even know why - company laptops only have the iGPU)...
"if the content scanner was turned on then the IT department would have firm evidence and have to confront him."
Why? It's not IT's role to police what people do/see, Information Security/IT's use of a content filter is to ensure that users cannot access/download any malicious or dangerous links/files, cannot leak data, or impact the performance of the internet link.
It's a purely HR issue as to what undesirable content is permitted or not, and they also have to deal with offenders.
"How much experience have you, even in this country, with small family businesses?"
And also businesses run in slave mode, with passports of expats now local confiscated, and the CFO being the local "sponsor" (aka, real owner) of said business.
Can't really mess this up, and put all feelings under the carpet. This or find another job in another country ...
Anon, who only spent a couple of years in said countries.
These things do just happen "over there", they don't just happen in small family businesses.
I remember a case in London back in the 90s at a major partnership where one of the partners was not following the guidelines they themselves had voted for.
When confronted they replied it was "their company and anyone who didn't like it could f*** off".
As in this story the answer was to provide an isolated system and network connection.
Agree: IT's job is to look without seeing. You observe only what is needed to ensure functionality, without actually seeing the content. Exactly the same in my job in NHS IT. I have to "look at" patient records in order to ensure the system is working, but I never "see" them.
"Agree: IT's job is to look without seeing. You observe only what is needed to ensure functionality, without actually seeing the content. Exactly the same in my job in NHS IT. I have to "look at" patient records in order to ensure the system is working, but I never "see" them."
Which is also perfectly explained in the role of "processor" in GDPR, see https://advisera.com/eugdpracademy/knowledgebase/key-roles-defined-in-eu-gdpr/
Oh dear. Someone's only had experience with the West... *tsk*
The Middle and Far East are *very* different animals where this kind of thing is concerned. Hence the "it's... errr... not convenient". The regions have their ways to mean no whilst actually saying yes, and have their problems when dealing with organisations that are rife with nepotism.
Audits of branch offices also included compliance with local regulations. Given that some countries in the Middle East had (and probably still have) some rather strict anti-prawn laws, I had the "joy" of searching for such content on any local storage. And then delivering lists of files that better be deleted to their owners...
… unless the Quran overrides it, e.g. chapter 5, verse 96.
Note that it’s only the Halafi school of Sunni jurisprudence that considers prawns to be makruh (disapproved), but not haram (forbidden); the other Sunni schools, all of the Shia schools, and the Ibadi school regard prawns as halal (permissible). These are in contrast to Leviticus 11:9–12, where prawns are forbidden.
No — neither text exactly describes a “prawn”. The Leviticus text states that “whatsoever hath fins and scales in the waters, in the seas, and in the rivers” is permissible to eat, and whatever lacks fins and scales there is forbidden to eat. The Quranic text states that “Lawful to you is the game of the sea and its food”. Finer distinctions can be drawn by the dietary laws of each religion; perhaps the Torah and the Quran could be thought of as constitutions, under which Jewish and Islamic dietary laws act as legislation for their respective constitutions.
In the early 2000's, I was working for a large manufacturing company and helped with their roll-out of internet for everyone – up until then it had only been available for us in the IT ivory tower.
We ran a big information campaign – email, posters, training courses on browser use, acceptable use policy, yadda yadda yadda. One of the things we stressed was that all access was logged by IT, with full details of sites, addresses, user ID, etc.
One of my tasks was to setup and manage a proxy server and produce weekly usage reports for the IT manager to peruse. Not long after we went live, a certain username and dodgy looking URL kept appearing in the reports. Being a conscientious sort, I followed the link and landed on a hardcore BDSM site.
I showed my boss the site and the username of the frequenter. He decided, as it was still early days, to send out an email to all staff, reminding them that IT were logging ALL their online activity. No change, the same name and site kept coming up in the reports. The boss sent an email directly to the culprit, warning of consequences if the activity continued. It did.
In a final attempt to fix the problem, before getting HR involved, my boss arranged a face-to-face meeting with the user. He never disclosed the full details of their conversation, but when he returned from the meeting, me and the rest of the team were genuinely concerned for his health – his face was bright red and he was covered in sweat.
Apparently, the drop-dead-gorgeous, part time model, marketing assistant wasn’t phased in the slightest about her browsing habits being subject to scrutiny, and in fact complained that it wasn’t fair for her “stress relieving” internet activity to be restricted.
Shortly afterwards I was tasked with finding a more sophisticated proxy solution that could actually block sites, based on content.
It wouldn't have helped here, but if the Chair of the organisation is on board with the message it can help when trying to stop This Sort Of Thing
back in the day my company implemented a content monitoring and blocking solution.
this lead to the below notable events
1. the head of IT writing up a list of search terms he wanted blocked on his white board i.e. foot fetish ,BDSM , etc (he was clearly an expert at such things) then afterwards taking a meeting with a customer. with the list still there queue a lot of swearing and apologises.
2. when it went live during the week between christmas and new year we needed to "test the system" queue IT spent the week playing Flash games and doing quizes and googling the soon to be blocked search teams to give us results to test when we turned blocking on.
3. when post new year came head of IT returned from holiday and wanted to review the stats decided on an some adjustments and to delay the blocking phase a week. and give a presentation to the c-level about all the wasted time we would get back be blocking porn , online shopping, games, etc. but seems he hadn't told the C-level in advance of the presentation we were doing this work. day of the presentation we pulled up the biggest users of blocked sites.(minus IT's "Testing")
all the c-level were in the list plus some of the PA's everything from porn browsing to configuring there new cars , they were by far the worst offenders.
surprisingly the system went in still but with an exceptions policy for those who weren't to be reported on.
I used to build the damn things, and I can say unless you hate yourself, don't keyword filter.
I have stood in front of so many managers in front of so many white boards over the years and had to dismantle their illusions with just a few words. "Brass" was usually a good one.
If you think you need keyword blocking, buy an appliance with a better categorization library instead. That's what you are really paying for anyway. The rest of the stuff might as well be open source(or literally is).
Keyword lists are both too easy to bypass, and virtually guaranteed to randomly break the traffic of mission critical systems without painfully exhaustive whitelisting. You also have to be be able to break into the traffic, which can get you in even more hot water. (I could tell you a tale about a customer who's networking team got themselves in a heap of trouble when the "banned searches" we helped them track down were found to be coming from the companies lactation room and going to the HMOs "Wellness portal", and on a related note never crack ssl till you check where it's going first, or you may be talking to a lawyer or HR)
Agree.
At a previous employer, we had an internal collaboration system which had some filtering applied for banned words.
It would let you type something but then remove offending words and send a report to management.
Sadly it was a little zealous...
"Push down hard on cover plate and turn locking screw clockwise"
would end up as
"Push down ** cover plate and turn locking ** clockwise. THIS POSTING HAS BEEN REPORTED FOR FAILING TO MEET GUIDELINES"
There was quite a fad for excessively wordy circumlocutions in communications with some folks e.g. "tapering connector with externally raised helical binding" and the obvious descent into acronyms for others. Of course, adding in an extra space would defeat it anyway (though the spellchecker may object)
I may well have told this previously, but what teh hell, if I had it's still worth it.
When I did jury service years ago the attempted murder case we were on had to be delayed. The defendant's statement was being sent electronically from the nearby nick*. But it was blocked by the software because said defendant's words included several that were banned. We had to wait while it was rewritten.
*And no, I have no idea why they couldn't have just brought a paper version in. This was never explained to us
Not sure if I should do this or if it works -
"Scunthorpe is a real place? I thought it was made up for comedic purposes."
https://twitter.com/Ben_Aaronovitch/status/1400732052576739331
"Rivers of London" is an urban fantasy series, novels and spinoffs, about police and magic in the 21st century, but this is "just" arresting a young street thief: the women are police officers. But the boss of the street gang turns out to be an elf. (Probably not. It isn't all out yet.)
Go to the front of the class, Richard Speed, for that excellent performance taking advantage and remote virtual ownership of a diabolically engaging phish. :-)
Where one's every worthy wish is constantly more than Just Satisfied and Sated and Overwhelmingly EMPowered and Universally Energised. ..........for Advanced IntelAIgently Designed Streaming/Dedicated Direct Designated Broad Band Casting.
At a previous position, my task was to implement a shiny new Web Proxy at our European head office, which would service all our satellite offices around Europe. Since UK law appeared to mandate that we made an attempt to prevent in-workplace browsing of pr0n, a netnanny was also installed to filter the traffic. This clever software would allow us to log some things (job search websites) and block others (pr0n), and get nicely formatted stats by subnet (IE by office/country).
We brought the various offices online sequentially. Most would have an initially flurry of pr0n-browsing attempts, followed by realisation and then no more problems.
Paris took a little longer than others to realise pr0n was interdit, though possibly this was simply due to their having a greater number of sites to test.
However, one site never learned - and that would be the London office, where the C-suite hung out. They just kept at it, attempting to find the pr0n. I even had one phone me up at one point, angrily insisting that I unblock their Internet access. This was likely the one who a few months later sent their laptop in to Support to be fixed, and it was discovered to have a number of borderline-illegal gay porn images on it. Or possibly the one who tried to expense a trip to an Amsterdam brothel on his company credit card.
We also had one office where a shared PC was being used to view some nasties. I set up a trigger to notify the office manager when pr0n was detected, so that he could go down and find the miscreant - who turned out to be Unfireable due to skillset and so was permitted to continue with his dubious practice.
We could also use the statistics to identify which days company announcements appeared in the various offices, by tracking when there was an increase in people browsing Jobs websites ...
At a previous position, my task was to implement a shiny new Web Proxy at our European head office, which would service all our satellite offices around Europe. Since UK law appeared to mandate that we made an attempt to prevent in-workplace browsing of pr0n, a netnanny was also installed to filter the traffic.
Seen similar attempts. Didn't go down so well in mainland Europe where such blocking was not apparently legal. This was decades ago so things may have changed since.
A net nanny would have been less embarassing than using SpamHaus' blocklists back in the day. While at <<major oil company>> (think: the one with the Flora Margarine logo), I was using a totally innocent text editor that I'd originally obtained from some freeware site or other that ended up in the middle of one of their notorious blocked IP ranges.
This mattered not a jot until the night the software decided to phone home to check for updates.
Next morning, the head of IT security came into my office armed with a pretty substantial printout carried by an underling.
"I wouldn't normally come in on one of these, but I just wanted to see the idiot who tried to access a blocked site over 1200 times last night."
A few moments' contemplation persuaded him that even an IT whizz like me couldn't have typed the URL in quickly enough to attempt access several times a second, and I was able to show him on my own personal device that the URL was innocent enough, but the look on my colleagues' faces when he arrived was classic.
I worked for a broker many years ago when SurfControl was all the rage and we implemented it. All staff were alerted that we would be doing so and all internet traffic would be monitored.
Initially the plan was to monitor only. However after the first week, we realised that we would be in a world of hurt if we went after the big offenders
In Broking, the brokers are the money makers and therefore tend to be much higher on the totem pole that the IT cost centre.
We started out by sending warning emails that certain websites had been browsed from a machine allocated and logged in as the user, and that further infractions would be reported to HR. When it kept being a problem, we decided we would go for the search and destroy method, adding all suspect websites to the block list (DNS proxy), as this was in the control of IT.
Problem was that one of the websites was Adultshop.com and happened to be one of our clients as they had just listed on the ASX :) Add to that the brothel company that also listed and we suddenly had to open sites up again that we thought could safely be blocked :)
Back in the days of Exchange 5.5, our mail server would regularly fall over (by design, given that we were on the standard edition which limited the size of the EDB file to some stupidly low limit) because the sales team were hard at work swapping porn videos with their counterparts at the company's main retailers. After speaking to the CEO it was decided to implement content filtering in order to prevent this happening. Cue the Sales Director walking up to my desk, throwing his laptop down telling me that "I can't work like this! You can't stop us doing this - it's not wrong - we're Italian!". They guy was Australian, the company was the Australian arm of an Italian company.
The CFO then got wind of this and asked me if I could export all of the offending files and then delete them, thus freeing up space in the EDB. However, the request was firmly made to burn all of the offending material to a DVD before deleting it, so that he could, erm, "inspect" it all from home.
Those guys had some balls, I tell you.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
