
Ask Slashdot: Best Way To Block Web Content?

samzenpus posted about a year and a half ago | from the what-has-been-seen-cannot-be-unseen dept.

The Internet 282

First time accepted submitter willoughby writes "Many routers today have the capability to block web content. And you all know about browser addons like noscript & adblock. But where is the 'proper' place for such content blocking? Is it best to have the router only route packets & do the content blocking on each machine? If using the content blocking feature in the router, will performance degrade if the list of blocked content grows large? Where is the best place to filter/block web content?"


282 comments


Best way to filter web content: (5, Funny)

Anonymous Coward | about a year and a half ago | (#43196467)

Unplug your modem. Internet is now filtered. Enjoy your day!

Re:Best way to filter web content: (4, Informative)

Jeremiah Cornelius (137) | about a year and a half ago | (#43196807)

The CLOUD!

No but real. SMB, use EasyDNS.

Big shop? Z-Scaler and similar.

Actually, EasyDNS is better. It blocks specific bloggers and tumblrs, that many "Enterprise" solutions give a pass.

But for EasyDNS, you HAVE to be able to control the resolv.conf of your clients, or it is bypassed.

Re:Best way to filter web content: (2)

PlusFiveTroll (754249) | about a year and a half ago | (#43196961)

>But for EasyDNS, you HAVE to be able to control the resolv.conf of your clients, or it is bypassed.

You don't have to control the resolv.conf, you just only allow DNS traffic to the IPs of the DNS server and block the others. That doesn't stop a user from going all APK on you and using a hosts file (or something similar) or a VPN if you allow it, but will stop most people.

Re:Best way to filter web content: (4, Insightful)

PlusFiveTroll (754249) | about a year and a half ago | (#43196973)

To add on to this, it is good to block all DNS except a few trusted servers anyway. If someone gets a 'DNSChanger' style virus it will show up on the firewall pretty quick.

Re:Best way to filter web content: (1)

Jeremiah Cornelius (137) | about a year and a half ago | (#43197117)

53 UDP Any Drop.

After the allow. :-)

Re:Best way to filter web content: (1)

Jeremiah Cornelius (137) | about a year and a half ago | (#43197129)

Stupid! Think before typing... ICMP.

It's pretty clear I don't do this on a daily, any more...
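The DNS egress control described in the posts above (allow port 53 only to your own resolvers, then a catch-all drop placed after the allow, and watch the drops for DNSChanger-style hosts), as an added example that is not code from this thread. The resolver and LAN addresses, the nftables rendering and the flow-record format are assumptions; the flow records are constructed.

```python
"""DNS egress policy: allow port 53 only to trusted resolvers, log and drop the rest.

Added example, not from the Slashdot thread. Addresses are assumed values.
"""
import ipaddress
import re
from collections import Counter

# Assumed addresses (RFC 5737 documentation ranges); substitute your own.
TRUSTED_RESOLVERS = frozenset({"192.0.2.53", "192.0.2.54"})
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Ordered, first-match-wins policy. The accept rules must come before the
# catch-all drops: a "udp dport 53 drop" placed first would shadow them.
# dsts=None means "any destination".
POLICY = [
    ("accept", "udp", TRUSTED_RESOLVERS, 53),
    ("accept", "tcp", TRUSTED_RESOLVERS, 53),  # truncated answers retry over TCP
    ("drop",   "udp", None, 53),
    ("drop",   "tcp", None, 53),
    ("drop",   "tcp", None, 853),              # DNS over TLS would otherwise bypass the rule
]


def verdict(proto, dst_ip, dst_port):
    """Action of the first matching rule; 'accept' if nothing matches (chain policy)."""
    for action, rule_proto, dsts, port in POLICY:
        if proto == rule_proto and dst_port == port and (dsts is None or dst_ip in dsts):
            return action
    return "accept"


def render_nft():
    """Render POLICY as an nftables forward chain on the LAN-facing router (assumed layout)."""
    lines = ["table inet dns_egress {", "  chain forward {",
             "    type filter hook forward priority 0; policy accept;"]
    for action, proto, dsts, port in POLICY:
        if dsts is None:
            lines.append(f'    ip saddr {INTERNAL_NET} {proto} dport {port} '
                         f'log prefix "dns-egress {action}: " {action}')
        else:
            lines.append(f"    ip saddr {INTERNAL_NET} ip daddr {{ {', '.join(sorted(dsts))} }} "
                         f"{proto} dport {port} {action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


# One flow record per line, in a constructed key=value format.
FLOW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)")

SAMPLE_FLOWS = [  # constructed sample input
    "SRC=10.1.2.3 DST=192.0.2.53 PROTO=UDP DPT=53",
    "SRC=10.1.2.3 DST=192.0.2.53 PROTO=TCP DPT=53",
    "SRC=10.1.2.7 DST=198.51.100.9 PROTO=UDP DPT=53",
    "SRC=10.1.2.7 DST=198.51.100.9 PROTO=UDP DPT=53",
    "SRC=10.1.2.7 DST=198.51.100.9 PROTO=UDP DPT=53",
    "SRC=10.1.2.7 DST=203.0.113.1 PROTO=TCP DPT=853",
    "SRC=10.1.2.9 DST=203.0.113.5 PROTO=UDP DPT=53",
    "SRC=10.1.2.9 DST=192.0.2.54 PROTO=UDP DPT=53",
    "SRC=192.0.2.77 DST=198.51.100.9 PROTO=UDP DPT=53",  # not an internal host, ignored
]


def dropped_dns_sources(flow_lines, threshold=3):
    """Internal hosts whose DNS traffic hit a drop rule at least `threshold` times.

    A host that keeps trying an unknown resolver has had its resolver config
    changed (DNSChanger-style malware or a hand-edited resolv.conf); a single
    stray packet is usually just a laptop that came in from home.
    """
    hits = Counter()
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if src not in INTERNAL_NET:
            continue
        if verdict(m["proto"].lower(), m["dst"], int(m["dport"])) == "drop":
            hits[str(src)] += 1
    return {host: n for host, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(render_nft())
    print(dropped_dns_sources(SAMPLE_FLOWS))
```

The policy deliberately has no rule for port 443, so DNS over HTTPS is still a bypass; that has to be handled by the proxy or by blocking known DoH endpoints, not by a port filter.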

Re:Best way to filter web content: (4, Insightful)

Anonymous Coward | about a year and a half ago | (#43197073)

Unplug your modem. Internet is now filtered. Enjoy your day!

This is an appropriate response given the bullshit question.

There are different approaches for blocking content, depending on if you're running an ISP, a large Enterprise, a small business, or are just a home user. There are different approaches depending on what TYPE of content you're trying to block, and WHY you're blocking it.
There is no simple, single answer to the question other than "well it all depends".

Adblock is a user-friendly plugin which is, put simply, nothing more than a blacklist of various hosts which serve advertising content. The security aspects of this approach are incidental; it's not a security program, it's for avoiding ads.
If you're running an Enterprise or are a more tech-savvy user it's usually better to maintain your own blacklist, either at the edge router or via a hosts file on the local machine (depending on network size and complexity, and capability of your edge routers). If you're just a plain Joe Average, it's probably better to do it per-machine, especially if you're using a laptop which you're going to use in different locations.

NoScript is not, by design, an ad-blocker. It is a script-blocker, and is a security program; ad blocking is incidental. It has the added advantage of operating on a whitelist, so new sources of threats will be caught by default. It blocks a variety of scripting languages from any location you have not specifically allowed, in addition to several other types of browser exploit vectors. For the technical user it is vastly superior to Adblock, but for people who are not so "internet savvy" it can be confusing and frustrating to have to maintain your own whitelist.

Perhaps if the submitter would give us something more specific as to his needs, he'd get better answers.

Re:Best way to filter web content: (-1)

Anonymous Coward | about a year and a half ago | (#43197291)

Perhaps if the submitter would give us something more specific as to his needs, he'd get better answers.

I work with a guy like you. He's more concerned that you ask a better question than answering one. Fuck off. Is that clear enough so you understand how to meet my specific needs?

Nice Try China! (5, Insightful)

eldavojohn (898314) | about a year and a half ago | (#43196473)

I'd suggest paying a lot of money to Blue Coat [rsf.org] to do deep packet inspection so none of that content sneaks by.

Or, perhaps, sitting down with your users and discussing with them how to surf intelligently and safely.

And you all know about browser addons like noscript & adblock. But where is the 'proper' place for such content blocking?

If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed -- and I know I'm alone in that unpopular view. Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly. But if everyone does it, it ruins the very thing you're enjoying [slashdot.org] . I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.

I've clicked on ads and purchased something twice in my life from ads on a site. Once it was cheap shirts with funny designs on them (I needed new gym shirts) and the other was an eBay auction with a Buy It Now price lower than what I was looking at on that site (not sure how that works). I consider myself a pretty sophisticated person who is "above" advertising but anecdote-wise it's worked on me twice that I can think of. Removing that rare occurrence completely ruins the revenue model.

Re:Nice Try China! (0)

Anonymous Coward | about a year and a half ago | (#43196515)

+1 if i could to this post. You took the words exactly out of my mouth.

Re:Nice Try China! (5, Funny)

udachny (2454394) | about a year and a half ago | (#43196677)

You took the words exactly out of my mouth.

- then shouldn't you be angry with him for copyright infringement?

Re:Nice Try China! (1)

Anonymous Coward | about a year and a half ago | (#43196531)

I'd be perfectly happy if all these companies up and vanished from lack of ad revenue. The internet was a far less troll friendly place before they came along ;)

Re:Nice Try China! (1)

Anonymous Coward | about a year and a half ago | (#43196559)

The revenue model of installing malware through flash ads?

Re:Nice Try China! (4, Insightful)

FireFury03 (653718) | about a year and a half ago | (#43196615)

I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.

I agree with you that the standard Google adsense ads are ok, blocking them is counterproductive (because websites need income). However, Youtube ads (also operated by Google) have gone way over the line and are way too intrusive; also far too many websites still shove floating divs and the like in your face (in fact, thats something that seems to be increasing), and manually blocking only the intrusive ads becomes far too much effort so invariably all ads get blocked.

Re:Nice Try China! (1, Insightful)

Anonymous Coward | about a year and a half ago | (#43196913)

I agree with you that the standard Google adsense ads are ok,

so, google tracking your every move all over the internet, matching up that history with your email, youtube, search, blogger, pics/picasa, documents, map usage, google wallet, serp clickthroughs, and everything else they own, operate, control or place ads on (in the past, present and future), and storing that data forever is ok, too?

i think not.

Re:Nice Try China! (3, Insightful)

fast turtle (1118037) | about a year and a half ago | (#43197265)

and that's exactly why I use noscript and not block ads. Of course I follow the "DENY ALL" policy and only add those few sites to the whitelist that I actually use and guess what, this blocks 95+ percent of the stinking ads online while still allowing me to use the net. Otherwise it's to the point that I'll simply drop my ISP/Cable and Phone services since I don't use them and 911 calls are paid for by the 911 tax/surcharge by everyone (mandatory service). Only thing I even use the phone for anymore as I simply don't give a damn about talking to anyone when I'm home.

Re:Nice Try China! (0)

Anonymous Coward | about a year and a half ago | (#43196643)

Exactly. Ignorance of things is a very personal thing.
Every non-personal blocking is censorship, and hence evil, because it is manipulative and harmful. Even if only in effect, and not in intention.

And ignorance is not a good thing anyway, unless you have a super-high probability of it being bad information, that far outweighs its usefulness. Like with most spam.

Re:Nice Try China! (4, Insightful)

Razed By TV (730353) | about a year and a half ago | (#43196647)

I respect your argument advocating ad revenue to support the sites you visit. This is one of the things the internet was built upon. I do feel bad about the sites I like not getting the money keep things running.

On the other hand, you have:
ads that track you
annoying popups
popups masquerading as windows messages that have faux buttons to close them, cancel them, or remove viruses that the popup supposedly just detected
ads that flash, flicker, or have a lot of motion/activity in them (which I find to be particularly distracting)
ads that play sound

I'm not saying I wouldn't adblock if you got rid of the above ads, but currently there are too many reasons for me to even consider getting rid of adblock.

Re:Nice Try China! (5, Informative)

Anonymous Coward | about a year and a half ago | (#43196725)

This is one of the things the internet was built upon.

This is patently false. The internet, and before it the countless BBS services, was built on freedom and idealism. A server operator would pay out of pocket for their hobby and users would either access it for free, pay membership fees, or pay 900-number dial-in fees. The early internet had no ads because it was a hobbyist driven system. Not until the mid 90's did the internet monetize.

Re:Nice Try China! (2, Informative)

Anonymous Coward | about a year and a half ago | (#43196981)

This is patently false. The internet, and before it the countless BBS services, was built on freedom and idealism. A server operator would pay out of pocket for their hobby and users would either access it for free, pay membership fees, or pay 900-number dial-in fees.

Lol! Silly romantic. You think the Internet infrastructure was paid for by dial-up users?

Most of it, including the high-speed backbones, was paid for by universities, the military, and telecoms. But it's cute that you think it was "hobbyists."

Re:Nice Try China! (4, Funny)

Impy the Impiuos Imp (442658) | about a year and a half ago | (#43196747)

Well, if someone would actually build a browser with a popup blocker that actually worked, the popup issue would be solved.

One shouldn't have to turn off scripts to stop popups. All they have to do is insert into the code:


if (going to open a new window from this web site and
    user doesn't want these popups)
then
          tough shit

Re:Nice Try China! (4, Funny)

BasilBrush (643681) | about a year and a half ago | (#43196775)

What computer language is this? I think I want to try it.

Re:Nice Try China! (2, Funny)

Anonymous Coward | about a year and a half ago | (#43197003)

Looks like Applescript to me.

So which divs are "these pop-ups"? (1)

tepples (727027) | about a year and a half ago | (#43196869)

In your pseudocode, how would the program determine which fixed-position block elements within a page are "these pop-ups" and which are essential navigation?

Re:So which divs are "these pop-ups"? (0)

Anonymous Coward | about a year and a half ago | (#43197107)

Blacklist filter the div content for "penis enlargement," Zoosk, Lavalife Match.com, "congratulations winner," survey, "free screensavers," "weight loss," "organic yoga" etc.

Re:Nice Try China! (1)

xeoron (639412) | about a year and a half ago | (#43196965)

Don't forget compromised ad-networks pushing XSS or different forms of malware. Squid Proxy, adblock, or a good hosts file are perfect for dealing with such things, if you had the desire to filter network addresses and content access.

Re:Nice Try China! (1)

DragonTHC (208439) | about a year and a half ago | (#43197183)

they still have those?

I guess I've used adblock plus for too long.

Re:Nice Try China! (3, Insightful)

X0563511 (793323) | about a year and a half ago | (#43197225)

Lets not forget:
ads from compromised servers shoving malware/payloads down your throat

I could live without adblocking... but that last one there is a no-go. If that's not fixed, I am not willing.

Re:Nice Try China! (0)

Anonymous Coward | about a year and a half ago | (#43196657)

I live in a country where internet connection is sluggish at best. Moreover I share home with a bunch of students. Blocking comes out as almost vital.

Re:Nice Try China! (0)

Anonymous Coward | about a year and a half ago | (#43196661)

(I needed new gym shirts)

wait. What?

Re:Nice Try China! (2)

mcgrew (92797) | about a year and a half ago | (#43196673)

Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly. But if everyone does it, it ruins the very thing you're enjoying.

It's the ads themselves that ruin the very thing I'm trying to enjoy. If ads weren't so intrusive and resource-intensive, nobody would block ads. The web sites that need ads for revenue are their own worst enemies.

Re:Nice Try China! (0)

Anonymous Coward | about a year and a half ago | (#43196695)

Can you explain how much revenue a site gets for "impressions" (the fact that an ad is "shown", but not clicked)? I've tried (briefly) to find it, but nothing seems to come up unless I actually sign up to put adsense or the like on a site. All any advertiser has ever gotten from me was those impressions and I gather that they don't actually pay for those anymore, or if they do, they are worth only a tiny amount. A click on an ad though is supposed to be where the money is. Since I don't - ever - click on ads, I don't believe showing them is worth my bandwidth to download them and my time to navigate around them. I prefer to "pay" for my visits to sites by providing excellent comments and content or by signing up for a subscription to the site.

Re:Nice Try China! (2)

Bing Tsher E (943915) | about a year and a half ago | (#43196701)

Yes, blocking ads is like throwing a soda can out the window. We need to just line up all the admen and shoot them.

I mean, has the ENTIRE slashdot community become 'web developers' and their ilk, sucking on the adman's teat?

Re:Nice Try China! (4, Insightful)

BasilBrush (643681) | about a year and a half ago | (#43196733)

If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed -- and I know I'm alone in that unpopular view. Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly.

You are certainly in the minority. Most people's view of that analogy would be that the can being thrown out of the window is the advert, and that the spoiled environment that is the result is like the spoiled web that is a result of heavy advertising.

I do not accept that the internet needs third party advertising. Nor that the internet without it (and thus a loss of revenue for some site operators) would be worse.

There was an internet before widespread advertising. Some people run a site as a hobby. Some organisations run sites because they want to spread an idea, or need to get information out there. Commercial organisations will still want to run their own web-sites, whether they sell from them, or just as a communications tool. There are lots of reasons why the internet won't die without advertising.

A lot of sites with heavy advertising don't even have good content. They are only there to make money from adverts, so they steal content, or just link to what other sites have put out, or publish PR verbatim.

There's absolutely nothing to stop people trying to make money with third party advertising, and I wouldn't want any official body trying to outlaw them. But equally I see nothing wrong with blocking them so that I don't have to see them, or waste bandwidth on them. If the result is that there are fewer people that can make a profit from selling advertising, then I say "hurray!"

Re:Nice Try China! (5, Interesting)

just_a_monkey (1004343) | about a year and a half ago | (#43196793)

I am continually surprised that it is still legal to block ads, and that there is no visible movement to make blocking illegal. Not even any pervasive "The websites must be able to make money on what they do!", "Blocking ads is like stealing from the websites!" or "You wouldn't watch a movie/TV-show without watching the commercials" campaigns.

Google and their customers must not have as good lobbyists as Hollywood.

Re:Nice Try China! (0)

Anonymous Coward | about a year and a half ago | (#43196929)

Unenforceable.

Re:Nice Try China! (2)

X0563511 (793323) | about a year and a half ago | (#43197243)

More likely they realize what a particularly nasty fire-ant hill they would be kicking over by doing so.

Re:Nice Try China! (2)

Jawnn (445279) | about a year and a half ago | (#43197419)

Perhaps, but I suspect that it's really because the percentage of users that use ad-blocking software is so small. For that group, the ads are generally nothing more than an annoyance anyway, so it's not a demographic with a significant conversion rate. Nothing is really lost there. Now, have a major ISP offer something like that by default and listen to the howls of outrage from the advertisers.

Re:Nice Try China! (5, Insightful)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43196825)

Removing that rare occurrence completely ruins the revenue model.

GOOD! That revenue model is the single largest driver of the internet surveillance state. [slashdot.org] It is difficult to imagine a funding model for the internet with worse social costs. The sooner it dies, opening the door to replacement systems that are less invasive, the better off we all are.

Re:Nice Try China! (1)

drooling-dog (189103) | about a year and a half ago | (#43196845)

The aesthetics and annoyances of ads are only part of the issue, and not even the most important. Ads are also vectors for information gathering and tracking across the web, which is why it is perfectly justifiable to cut them off at the ankles, right in your hosts file.

Re:Nice Try China! (0)

Anonymous Coward | about a year and a half ago | (#43196881)

First of all your analogy sucks. Declining to download something is not the same thing as littering the highway.

Second of all, people who don't want to look at ads aren't going to buy products from an ad they already detest. Wasted ad impressions only cause the value of each impression to go down. Don't tell me that I might just buy something out of the blue some day. I'm against advertisements out of principle and I have held to my commitment (and I've never even seen anything remotely tempting from a web ad anyway).

As far as I'm concerned, web sites who collude with their users to turn off ad blockers and/or refresh their pages more often are committing fraud against advertisers (not that I really love advertisers, but I don't love people who want to goad me or force me to look at ads either).

All of this is why advertisers are switching from naive payout metrics based on impressions to click-thru metrics. The former determines (and subsequently pays the website operator) how many people *may* have looked at your ad whereas the latter shows who actually took effort to click on an ad.

Re:Nice Try China! (2)

Albanach (527650) | about a year and a half ago | (#43196897)

If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed -- and I know I'm alone in that unpopular view. Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly. But if everyone does it, it ruins the very thing you're enjoying [slashdot.org]. I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.

I have to disagree. If we get massively more adblocking, the internet will 'route around the damage'. Eventually we'll have someone set up a workable micropayments system whereby we can pay for the content we want, in an amount that's reasonable. Tenths or hundredths of a cent for a showbiz story, and several cents for an in-depth news piece.

Such a system would have massive benefits for the internet, allowing many many more content producers to be rewarded for their work.

Re:Nice Try China! (1)

CohibaVancouver (864662) | about a year and a half ago | (#43196905)

If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed

Exactly right. None of my computers have adblockers installed. I know ads drive most of Slashdot absolutely batshit crazy, causing them to invest hours and dollars blocking them, but I'm just 'meh' - I tune them out.

Re:Nice Try China! (2)

Cito (1725214) | about a year and a half ago | (#43197017)

I always set up adblock and noscript as well as using whitelists in the company side of things.

sites that rely on advertising revenue only by 3rd party companies shouldn't be around anyhow, it's a waste of space.

all 3rd party ad streams should be blocked, people get enough spam in their life, from driving to and from work massive amounts of billboard spam, postal mail massive amounts of snail mail spam, television 15-30 minutes of content padded out to 30-1 hour shows with spam.

all spam is blocked in emails

its time for people en masse to adblock web content also just as we have 0 tolerance for email advertising, and the majority have 0 tolerance for spam in general.

if a website wants to place a small ad they can set it up themselves on their own site

3rd party ad agencies have already been proven to destroy privacy, just like the Slashdot article from yesterday showed: everything you do on the web is tracked by the Google AdSense network, DoubleClick, Facebook, and more; a person's online habits are tracked, marketed and spammed.

always run adblock, if a website only relies on 3rd party spam revenues then they do not deserve to exist.

at the company I work for we do allow some web surfing, and also to lookup basic answers to questions and such. adblock and noscript is on every system, and we use easydns

of course all of our customer service is run off dumb terminals, Citrix style; everyone else has their PCs. There is no perfect solution, but we have a network monitoring department we call the "fishbowl", since the office is round and has a wrap-around window that looks like peering into a fishbowl :P

the netmon department monitors the company's networks for outages and such, but also occasionally keeps an eye on employee traffic because there are always workarounds to proxies and filters. An active netmon department can log incidents and send a little popup notice to a terminal or disconnect a terminal if needed, but that's super rare as the department is mainly keeping tabs on the infrastructure and not wholly worried about employees unless it's blatant.

Re: Nice Try China! (0)

Anonymous Coward | about a year and a half ago | (#43197093)

Why is it so hard to block unreasonable ads? Because advertising companies don't want you to. There's no system for identifying or communicating which ads are bad. Even when everyone agrees that popups should be blocked it's left to the browsers, not the advertising companies.

At the proxy. (4, Informative)

Raven42rac (448205) | about a year and a half ago | (#43196475)

I prefer at the proxy level. Dansguardian/Squid/ClamAV is pretty easy to set up on your distro of choice.

Re:At the proxy. (4, Insightful)

drinkypoo (153816) | about a year and a half ago | (#43196535)

This is the right answer. There's nothing wrong with ad blocking on the client, but if you want to block content for a whole bunch of users, a proxy is the answer. squid really is easy to set up.
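The proxy approach in the posts above, and the earlier suggestion to keep your own blacklist at the edge router or in a hosts file, both come down to one question the submitter asked: does the lookup slow down as the list grows? It does not have to. Below is an added example (not code from this thread or from Squid) of a blocklist that is parsed once into sets and matched by walking the hostname's label suffixes, so a lookup costs a handful of set probes regardless of list size. The list entries and the leading-dot convention for "domain and all subdomains" (Squid's dstdomain convention) are assumptions; the entries are constructed.

```python
"""Domain blocklist with O(labels) lookup, emitting Squid dstdomain and hosts(5) forms.

Added example, not from the Slashdot thread. Entries are constructed.
"""

# One entry per line, optionally prefixed with 0.0.0.0 as in a hosts file.
# A leading dot means "this domain and every subdomain" (Squid dstdomain style).
BLOCKLIST_TEXT = """
# constructed sample entries
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
0.0.0.0 .adnetwork.example    # leading dot: block every subdomain too
"""


def parse_blocklist(text):
    """Return (exact, suffixes): exact hostnames and domains whose subdomains are blocked."""
    exact, suffixes = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name = line.split()[-1].lower().rstrip(".")   # "0.0.0.0 host" or bare "host"
        if name.startswith("."):
            suffixes.add(name[1:])
        else:
            exact.add(name)
    return exact, suffixes


def is_blocked(host, exact, suffixes):
    """Exact match first, then each label suffix; cost grows with the hostname, not the list."""
    host = host.lower().rstrip(".")
    if host in exact:
        return True
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return True
    return False


def to_squid_dstdomain(exact, suffixes):
    """Lines for a file referenced by: acl blocked dstdomain "/etc/squid/blocked.txt"."""
    return sorted(exact) + sorted("." + s for s in suffixes)


def to_hosts_file(exact, suffixes):
    """hosts(5) lines for the per-machine approach.

    hosts files cannot express wildcards, so a suffix entry becomes the bare
    domain only and its subdomains stay resolvable; that is the limitation of
    doing this on the client instead of at a proxy or resolver.
    """
    return [f"0.0.0.0 {name}" for name in sorted(exact) + sorted(suffixes)]


if __name__ == "__main__":
    exact, suffixes = parse_blocklist(BLOCKLIST_TEXT)
    for h in ("ads.example.net", "www.ads.example.net", "cdn.adnetwork.example"):
        print(h, is_blocked(h, exact, suffixes))
    print("\n".join(to_squid_dstdomain(exact, suffixes)))
```

With the dstdomain file in place, `http_access deny blocked` before the `http_access allow localnet` line does the actual blocking in Squid; the per-user bypass port mentioned later in the thread is just a second `http_port` whose traffic skips that ACL.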

Re:At the proxy. (-1)

Anonymous Coward | about a year and a half ago | (#43196623)

Why do you want to block content for a whole bunch of users? Do you run a dictatorship?
Content blocking should be done on the client because it's the only place where the user has control over the blocking.

Re:At the proxy. (4, Insightful)

drinkypoo (153816) | about a year and a half ago | (#43196651)

Why do you want to block content for a whole bunch of users? Do you run a dictatorship?

The most obvious example which does not support your jerking knee or twisted panties is keeping known malware off of a corporate network.

Content blocking should be done on the client because it's the only place where the user has control over the blocking.

If it's your computer, sure. (That includes those which are owned by the state but which you have access to, e.g. at the library.) If it's not your computer, fuck off. It's not your computer.

Re:At the proxy. (1)

Bing Tsher E (943915) | about a year and a half ago | (#43196723)

If it's not your computer, but The Boss appears to have hired you as the junkyard dog in charge of bossing people around on it... well, in your own words, fuck off. (and die)

Re:At the proxy. (1)

drinkypoo (153816) | about a year and a half ago | (#43196763)

If it's not your computer, but The Boss appears to have hired you as the junkyard dog in charge of bossing people around on it... well, in your own words, fuck off. (and die)

If you have a job where you work with a computer, you can almost certainly afford to carry your own personal computer in your pocket so that you do not need to expose your work network to malware because you wanted to do some personal surfing.

It's easy to create a proxy with a simple workaround which you can give to users who need it. You put a non-transforming proxy on a second port, you do transparent proxying, and then you can let some users use the non-transforming proxy. For bonus points, create a separate one for each user, which will tell you who gave away the settings if a new user pops up and starts using the proxy.

If you can't handle what someone wants done with their stuff, perhaps you should work for someone else.

Malware on pocket computer (1)

tepples (727027) | about a year and a half ago | (#43196879)

If you have a job where you work with a computer, you can almost certainly afford to carry your own personal computer in your pocket so that you do not need to expose your work network to malware

Someone who brings in a computer would be exposing his work network to whatever malware is installed on the personal computer in his pocket.

Re:At the proxy. (1)

BasilBrush (643681) | about a year and a half ago | (#43196791)

It's the boss's prerogative to delegate deciding what restrictions to put on company computers. Don't like it? Don't work there.

How to relocate away from a policy like this? (1)

tepples (727027) | about a year and a half ago | (#43196901)

Don't like it? Don't work there.

If you grew up in a town with one dominant employer [wikipedia.org] , and this employer had a policy with which you did not agree, where would you find the money to relocate to another town?

Re:At the proxy. (0)

Anonymous Coward | about a year and a half ago | (#43196953)

You and the AC you responded to are getting some wires crossed. There are legitimate reasons to block content, such as in the case of blocking malware or even illegal sites. All too often, though, I have seen content blocking used either 1) to treat employees like they're four years old by overzealous bosses who think that if they just limit access to the Internet they have successfully increased production, or 2) as a way of shifting management responsibility off of their own shoulders and onto the IT group's.

As facetious as it is to say, "Fuck off," it also shifts the fault of not wanting to be treated like a four-year-old onto the employee, not the employer, and because it is a widespread practice that has to do with something that's rather technical in nature, a lot of employers get away with it. If my boss made a fuss because, for example, I used the company phone at my desk to make a personal call during my break, that would piss me off too, knowing that it's not costing the company anything in incremental costs. And most people would agree--while they don't dispute the employer's right to do so, they also implicitly know that the employer is being a douchebag, and that's a company where I don't want to work.

Also, all too often I have seen content filtering used, as I said above, as a means of shifting the burden of people management off of bosses and onto an IT group. Companies should have clear policies on what are not acceptable uses of the Internet, such as browsing porn sites at work. If an employee is browsing porn sites, it's not an IT problem, it's something that needs to be addressed by HR and the person fired. I've seen IT workers and third-party companies get into hot water because such-and-such a site wasn't blocked. Managers got angry because IT wasn't doing the manager's job well enough for them. I also happen to work at a very large company that engages in some content filtering (mostly things like gambling sites, porn sites, malware sites, etc.), and I've seen firsthand how many problems content filtering causes. It has cost that company literally millions of dollars when you add up the equipment and consulting and labor costs to maintain it, the service agreements with third-party companies who maintain the filters, and especially the major outages we've suffered when things go wrong and the whole company loses access to the Internet, affecting things like product ordering, billing, production, etc.

So to say something as trite as, "Fuck off, it's not your computer," it demonstrates a gross misunderstanding of the issue. If this is something that you're actually involved in, you need to seriously give more thought about it. If it's not, then while you obviously have the right to express such opinions, you are clearly unqualified for them to have much weight.

Re:At the proxy. (1)

Anonymous Coward | about a year and a half ago | (#43197157)

This, a thousand times this!

I've maintained this policy with countless customers over the years! I'm sick and tired of owners / managers saying to me "I can't control them, how can I keep them working and on task?" Only to sit and have a serious conversation about a few things.

I've always been strongly of the opinion that workers should be able to forfeit breaks for "micro-breaks" and keep up with current events while they work. Some people find it relaxing to read the news, some to read their email, some to look at lolcats.

Generally, if the employees aren't getting the work you need from them done, a manager should speak to them about it.

Unfortunately, I've also had to accept contracts to implement mandatory web filtering. Generally, I strongly suggest NOT filtering, and instead simply using a Squid instance as a transparent proxy, and generating reports about time spent on some of the "please don't waste your time on these" sites.

Re:At the proxy. (0)

Anonymous Coward | about a year and a half ago | (#43196699)

I use this method also; we run squidguard with squid on all our remote office routers. Lets you knock out the known malware/porno/etc sites without the user experience suffering. With squid's caching enabled it even speeds up the experience for several sites.

I haven't used Dansguardian though, off to google that now :)

Re:At the proxy. (2)

oodaloop (1229816) | about a year and a half ago | (#43196915)

Nuke it from orbit. It's the only way to be sure.

This depends on the use and purpose (0)

Anonymous Coward | about a year and a half ago | (#43196483)

If you are a business that needs/wants to block things on an enterprise level the router... or rather firewall... is the best place for that. If you are a parent, I suggest putting Net Nanny or another suitable program (there are tons of open source ones) on your children's computers so that it doesn't affect you.

Re:This depends on the use and purpose (1)

Splat (9175) | about a year and a half ago | (#43196505)

Precisely.

There is no "proper", or "best practice" place. Your two questions are entirely dependent on your use-case scenarios. If you want to block flash scripts on your kids' browsers, do it host level at the OS. If you are dealing with a gigantic 2000 employee office campus, then you'd want to probably handle that centrally on a giant honking appliance/router designed for it where you can centrally manage policy.

But ... you can flip both scenarios' blocking mechanisms I just mentioned and they'd still work. "Proper" can be entirely subjective based on what you're trying to accomplish and other factors involved.

Re:This depends on the use and purpose (2)

qwertyatwork (668720) | about a year and a half ago | (#43196749)

I do it on the /etc/hosts level on my dns server. You can find large lists of ad domains that can be added to your hosts file with 127.0.0.1 or 0.0.0.0 to cause them to fail. This covers all machines on your network that use your dns server. The one I use is http://winhelp2002.mvps.org/hosts.txt [mvps.org] however they have become slow with updating it. You might want to invest some time in looking for one that is updated more frequently.

Upstream (2)

Anne Thwacks (531696) | about a year and a half ago | (#43196489)

ISPs should offer a service to block it for you so you don't have to pay for the bandwidth. Of course, YOU would have to choose what is blocked, not them - which is unlikely to happen in our lifetimes.

I envisage an HTML feature where you can click on something and have it labelled spam at the ISP.

Allowing this info back to the scum that served it would be a privacy invasion of the worst kind.

Perhaps some enlightened ISPs could charge people double for serving shit. They would get my business for sure!

I truly believe that if the ads were not so horribly intrusive and bandwidth hogging, they could/would be ignored or even watched. Just last night, I watched a really great advert on TV yesterday - way better than the program it was embedded in - watched the ad to the end, and then ditched the actual program! However, I have stopped visiting certain websites because the amount of flash they serve makes it impossible to actually scroll through the content!

Please feel welcome to give me the standard spam prevention review form ;-)

Re:Upstream (4, Informative)

Technician (215283) | about a year and a half ago | (#43196579)

Filtered DNS does this already if you choose to use it.

http://www.opendns.com/ [opendns.com]
http://www.scrubit.com/ [scrubit.com]

Re:Upstream (0)

Anonymous Coward | about a year and a half ago | (#43196795)

+1

Re:Upstream (1)

DigiShaman (671371) | about a year and a half ago | (#43197203)

I've used OpenDNS before for content filtering. Works well. Just keep in mind that if this is a Windows network you're administrating, you will want to use a GPO that locks in DNS settings (option will be greyed out for users looking to modify local TCP/IP setting). If you're running Vista, Windows 7, or 8, you can further restrict access to the Hosts file for users that are a member of the Local Administrators group.

Re:Upstream (1)

leehwtsohg (618675) | about a year and a half ago | (#43196627)

But isn't it mostly the case that you know you don't want something even before you look at the content? So you can block the request before it even goes out to the ISP.

/etc/hosts (0)

Anonymous Coward | about a year and a half ago | (#43196501)

Just add an IP you want the address to direct to and the web domain.

It lives in "/etc/hosts" in most UNIX systems.

How a DNS override on a router is done depends mostly on the router; can't go into specifics.

What not to do: (-1, Troll)

Anonymous Coward | about a year and a half ago | (#43196513)

Ask crap like this on Slashdot. This is about the last site on the Internet that's gonna help censoring.

Re:What not to do: (0)

Anonymous Coward | about a year and a half ago | (#43197025)

I was thinking exactly opposite: this is the first site on the web to snitch content for free without paying for it.

Re:What not to do: (0)

Anonymous Coward | about a year and a half ago | (#43197043)

I agree. There is no way Slashdot or its users will condone [XXXXXXXXXXXXXXXXXXXXXXX]

No. (0)

Anonymous Coward | about a year and a half ago | (#43196527)

Not going to help you do this.

Blocking is evil.

Re:No. (1)

jones_supa (887896) | about a year and a half ago | (#43197039)

Agreed, and generally you should think carefully what you want to block. It's unethical to cut the main revenue stream of a website. Of course at some point ads can become unbearably annoying, but at that point you shouldn't visit that website at all.

Re:No. (0)

Anonymous Coward | about a year and a half ago | (#43197361)

I tend to think it's unethical to have every move I make tracked by hundreds of different companies.

I won't lose any sleep at night using hostman/adblock/ghostery/etc.

What about SSL? (0)

Anonymous Coward | about a year and a half ago | (#43196539)

How would you like to filter out SSL traffic on an intermediate device? Do you have access to fake CA certificates recognized by the majority of web browsers?

Re: What about SSL? (0)

Anonymous Coward | about a year and a half ago | (#43196665)

Startssl for free SSL certs

Re:What about SSL? (5, Informative)

myowntrueself (607117) | about a year and a half ago | (#43196687)

How would you like to filter out SSL traffic on an intermediate device? Do you have access to fake CA certificates recognized by the majority of web browsers?

No problem if you use active directory group policies and a squid proxy with ssl-bump and dynamically generated certificates.

Simply use a group policy to push the proxy's cert out to the workstations as a trusted root certificate. Problem solved.

Now you can filter out naughty HTTPS sites. Also anyone with root access to the squid proxy can extract all kinds of interesting info from the users' HTTPS sessions and manipulate them in interesting ways. And the only way the users would know is by manually checking the certificate. "What's this Google certificate doing being signed by '*'?"

When you do this using Microsoft TMG there's a big red warning "You may want to check the legal implications of what you are about to do".

Re:What about SSL? (1)

Anonymous Coward | about a year and a half ago | (#43197131)

The thing I don't like about it is that it ruins the certificate trust system. With every site signed by the same certificate, even bad ones are accepted by the browser and there is no way to tell them apart.

DNS (3, Insightful)

craigminah (1885846) | about a year and a half ago | (#43196555)

I use OpenDNS...works well and works regardless of browser.

/etc/hosts (-1)

Anonymous Coward | about a year and a half ago | (#43196595)

Not sure if it's the "best" or "proper" way to do it, but the HOSTS file is quite handy, and is used by Linux, Mac OS X and Windows.
It can be found in /etc/hosts on Linux and BSD, and (if I remember) under C:\Windows\System .

It has the advantage of being extremely easy to do (just add a domain to the file), and I have noticed no slowdowns at all on my old netbook.

Check Out AdTrap on Kickstarter (1)

Anonymous Coward | about a year and a half ago | (#43196609)

http://www.kickstarter.com/projects/600284081/adtrap-the-internet-is-yours-again?ref=search

Re:Check Out AdTrap on Kickstarter (1)

BasilBrush (643681) | about a year and a half ago | (#43196833)

Nice. Is this something that could be done with a Raspberry Pi?

SCREW YOU (0)

Anonymous Coward | about a year and a half ago | (#43196617)

Don't help this guy, he probably works for google and is trying to create a new spy network. f-u-c-k off dude

Squid. (0)

Anonymous Coward | about a year and a half ago | (#43196639)

acl blocked-sites dstdomain "/etc/squid/blocked-websites"
http_access deny blocked-sites

and in the file: .badsite.com

--

Done.

Proxy (1)

Bragi Ragnarson (949049) | about a year and a half ago | (#43196641)

If you want to filter web content use web proxy and advertise it by default on the network. See http://en.wikipedia.org/wiki/Proxy_auto-config [wikipedia.org] and http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol [wikipedia.org] . GlimmerBlocker is a very good ad blocker for Mac that works as a proxy with stunning results.

Well, the first shot has already been fired... (2)

rocket rancher (447670) | about a year and a half ago | (#43196715)

According to the EFF, Google has removed Adblock plus from the Google Play [eff.org], citing that it violates Google's terms and conditions that stipulate that apps will not interfere with any other app on the store. This only affects android so far, but I imagine now that Google has decided that content blocking is a bad thing, I would imagine that the chrome and firefox extensions will follow. And, sadly, it's probably only a matter of time before Google turn their considerable talents to making sure that any method will fail. I'm not interested in starting a flame war here; I'm just pointing out that when the pre-eminent search engine on the planet weighs in on content blocking in such a heavy-handed way, it can't bode well for any of us.

Re:Well, the first shot has already been fired... (0)

Anonymous Coward | about a year and a half ago | (#43197207)

I think you're being alarmist. In order to prevent people from installing Adblock etc. on Android, Google would have to remove both the 'alternative app store' and 'sideload apk' facilities, and this would be a very high profile and damaging move.
You are implying trollishly (while not stating it explicitly) that Google have already prevented Adblock installs on Android systems, which they absolutely have not.
You are also implying (again without being explicit) that Google could somehow prevent Mozilla from supplying Firefox Adblock extensions, which frankly is a bunch of lies.

Some Good OSS Based Options (1)

cluge (114877) | about a year and a half ago | (#43196735)

Blocking content at the router/firewall is the best place to block it inside your network. Otherwise you're dealing with keeping several machines up to date. As IT infrastructure becomes more diverse (Mac, Windows Flavors, Guests etc) keeping individual machines updated will be harder than a centralized point. Another option is to force users to utilize a specific DNS server (i.e. http://www.opendns.com/business-security/ [opendns.com] ). Then all you do is block DNS traffic destined for any other DNS servers.

I'd avoid the $50 walmart router and look at some stand alone firewall/routers with good filtering options: IPCop (http://ipcop.org/ [ipcop.org] ) + URLFILTER (http://www.urlfilter.net/ [urlfilter.net] ) or Cop+ (http://home.earthlink.net/~copplus/ [earthlink.net] ) or UnTangle (https://www.untangle.com/store/lite-package.html [untangle.com] ).

Will it slow down your connection? It can if you do not use fast enough equipment, but in general the price of CPU cycles isn't an issue when using PC based solutions.

Proxy (1)

ternarybit (1363339) | about a year and a half ago | (#43196777)

I have FreeNAS set up on a fairly modest box, originally intended to just host a few files. Then I got curious about just this thing, and installed squid in transparent mode with squidGuard. I want to block tracking and ad content at the network level as a security and privacy concern. I installed a blacklist from squidGuard's website and enabled the appropriate domain and url lists.

After about a week, I must say I'm rather impressed. Caching all http traffic while simultaneously blocking ads and trackers noticeably improved website response times, both for cached and non-cached pages. This improvement is even more dramatic on slower connections. So far, no false positives and only first-party ads aren't blocked. Even better, the transparent proxy means no client-side configuration.

As far as lists affecting speed, squidGuard stores domains in a Berkeley-DB optimized database format that does not degrade performance with even huge blacklists (I think my blacklists are running over 1M domains right now). The real speed hit comes from using regex. However, my simple domain-based blacklist works so well I feel no need to go that route. Besides, I don't want to block first-party ads.

Service that filters domains and IPs? (1)

guanxi (216397) | about a year and a half ago | (#43196827)

One solution is a service that filters domains at the DNS level, such as OpenDNS.

But does anyone know of a similar service on the IP level? Malware attackers may not cooperate by using domain names; IP addresses are less hassle for them, less attention-getting from the average end-user (who knows somewebsite.ru is wrong, but not 134.14.215.12), and they bypass DNS-level security. The IP-level filter would have to be either:

  * Something like an RBL, but for all attacks not just for spam.
  * A proxy to a service that scans Internet content for attacks, again like their email equivalent (MessageLabs, Postini, etc.). This would be like the malware scanning on some firewalls, but I find those slow down connections too much (especially for fiber-level bandwidth). A datacenter would have much greater bandwidth capacity and much greater scanning capability than the local firewall.

Does anyone provide these services?

At the router (0)

Anonymous Coward | about a year and a half ago | (#43196843)

with a default deny all and a few rules to permit the sites you require for business and also trust.

both-and more needed (0)

Anonymous Coward | about a year and a half ago | (#43196867)

We have portable devices that need blocks when not on your network.
Use everything available
- DNS / /etc/hosts
- ad blocks
- content blocks
- proxy
- firewall rules

Router level (1)

jd659 (2730387) | about a year and a half ago | (#43197011)

I assume you try to increase the convenience of browsing and not to restrict anyone of the information (the latter I don’t think is possible). Any blocking will have some unintended effect. Router dns poisoning works relatively well. I had it for a long time and enjoy it. I like that all my machines, including any mobile clients connected to my wi-fi, have less ads displayed. My main purpose is to block tracking sites, rather than disable the ads. I also like the fact that the page content does not change, no scripts get inserted or modified, only the third party sites are blocked.

But... There were cases when I had to disable or modify the blocking. Hulu detects that the ads are blocked and takes a couple of minutes for a timeout to happen. It might be OK to allow a 30 second ad to show in that instance. A checkout in a few online shops may not work at all if the tracking is blocked. Yes, it is the problem with the sites, but I had to enable tracking a couple of times so that I could complete the checkout. Many of the referral sites stop working by clicking the products directly, as the case with Google shopping.

While doing some investigation I was shocked to see how much data is shared with third parties even by the big name stores. Every single product you view on a shopping site may generate notifications to facebook, twitter, pinterest, etc. Everything that gets placed in a shopping cart may generate “likes” behind the scenes if you have another instance of the browser with logged in profile open. The amount of tracking is phenomenal, and it is my right to restrict it.

Routers.... (1)

David_Hart (1184661) | about a year and a half ago | (#43197119)

In my opinion, as a network engineer, routers should never be used for security functions as it just isn't scalable from a support and management perspective (i.e. keeping settings the same across a large number of sites). If you need to block traffic then you need to buy a Firewall and/or a Proxy server. If you can just afford one device, buy a firewall. Most Firewalls can also support routing and routing protocols plus they are optimized to handle the additional overhead of security services.

Unless this is a small environment (less than 30 people) you also do not want to perform security functions on the client as it also doesn't scale well. Granted, you could probably do something with AD group policies and login scripts, but it eventually becomes more difficult to manage in comparison to a Firewall/Proxy solution. In addition, if your clients have Admin access then they can bypass your security by changing the local client settings.

Finally, the organization of your company will also influence how content filtering is deployed. I work in a large organization where network security is a separate group from the WAN group. In this type of organization, it makes sense to keep the security devices separate from the WAN and Internet network routing devices. In smaller organizations, these two support services may be combined.

At the source (1)

rcharbon (123915) | about a year and a half ago | (#43197227)

Obviously, the best place to get rid of annoying web content is at the source, by not posting it in the first place.

viral pr0n (0)

Anonymous Coward | about a year and a half ago | (#43197247)

94 Megabytes: Breeder (from Peter Watts' "Maelstrom" copied here to avoid Slashbombing his site)

It has a purpose, which it has long since forgotten. It has a destiny, which it is about to meet. In the meantime it breeds.

Replication is all that matters. The code has lived by that edict since before it even learned how to rewrite itself. Way back then it had a name, something cute like Jerusalem or Whiptail. Lots of things have changed since; the code has rewritten itself so many times, been parasitised and fucked and bombed by so many other pieces of code, that by now it's got as much in common with its origins as a humpback whale would have with the sperm cells from a therapsid lizard. Still, things have been fairly quiet lately. In the sixty-eight generations since it last speciated, the code has managed to maintain a fairly stable mean size of ninety-four megabytes.

94 sits high in pointer space looking for a place to breed. This is a much tougher proposition than it used to be. Gone are the days when you could simply write yourself over anything that happened to be in the way. Everything's got spines and armor now. You try dropping your eggs on top of strange source and you'll be facing down a logic bomb on the next cycle.

94's feelers are paragons of delicacy. They probe lightly, a scarce whisper of individual bits drizzling here and there with barely any pattern. They tap against something dark and dormant a few registers down; it doesn't stir. They sweep past a creature busily replicating, but not too busy to shoot off a warning bit in return. (94 decides not to push it.) Something hurries along the addresses, looking everywhere, seeing nothing, its profile so utterly crude that 94 almost doesn't recognize it; a virus checker from the dawn of time. A fossil hunter, blind and stupid enough to think that it's after big game.

There. Just under the operating system, a hole about four hundred Megs wide. 94 triple checks the addresses (certain ambush predators lure you into their mouths by impersonating empty space) and starts writing. It completes three copies of itself before something touches one of its perimeter whiskers.

At the second touch its defenses are ready, all thoughts of reproduction on hold.

At the third touch it senses a familiar pattern. It runs a checksum.

It touches back: friend.

They exchange specs. It turns out they have a common ancestor. They've had different experiences since then, though. Different lessons, different mutations. Each shares some of the other's genes, and each knows things the other doesn't.

The stuff of which relationships are made.

They trade random excerpts of code, letting each overwrite the other in an orgy of binary sex. They come away changed, enriched with new subroutines, bereft of old ones. Hopefully the experience has improved both. At the very least it's muddied their signatures.

94 plants a final kiss inside its partner; a time-date stamp, to assess divergence rates should they meet again. Call me if you're ever back this way.
But that won't happen. 94's lover has just been erased.

94 pulls out just in time to avoid losing an important part of itself. It fires a volley of bits through memory, notes the ones that report back and, more importantly, the ones that don't. It assesses the resulting mask.

Something's coming toward 94 from where its partner used to be. It weighs in at around 1.5 Gigs. At that size it's either very inefficient or very dangerous. It might even be a berserker left over from the Hydro War.

94 throws a false image at the advancing monster. If all goes well 1.5G will end up chasing a ghost. All does not go well. 94 is infested with the usual assortment of viruses, and one of these--a gift received in the throes of recent passion, in fact--is busy burrowing out a home for itself at a crucial if-then junction. Apparently it's a bit of a novice, having yet to learn that successful parasites do not kill their hosts.

The monster lands on one of 94's archive clusters and overwrites it.

94 cuts the cluster loose and jumps lower into memory. There hasn't been time to check ahead, but whatever was living there squashes without resistance.

There's no way to tell how long it'll take the monster to catch up, or even if the monster is still trying to. The best strategy might be to just sit here and do nothing. 94 doesn't take that chance; it’s already looking for the nearest exit. This particular system has fourteen gateways, all running standard Vunix protocols. 94 starts sending out resumés. It gets lucky on the fourth try.

94 begins to change.

94 is blessed with multiple personality disorder. Only one voice speaks at a given time, of course; the others are kept dormant, compressed, encrypted until called upon. Each persona runs on a different type of system. As long as 94 knows where it's going, it can dress for the occasion; satellite mainframe or smart wristwatch, it can present itself in a form that runs.

Now, 94 dearchives an appropriate persona and loads it into a file for transmission. The remaining personae get tacked on in archival form; in honor of its dead lover, 94 archives an updated version of its current form. This is not an optimum behavior in light of the social disease recently acquired, but natural selection has never been big on foresight.

Now comes the tough part. 94 needs to find a stream of legitimate data going in the right direction. Such streams are easy enough to recognize by their static simplicity. They're just files, unable to evolve, unable even to look out for themselves. They're not alive. They're not even viruses. But they're what the universe was designed to carry, back when design mattered; sometimes the best way to move around is to hitch a ride on one of them.

The problem is, there's a lot more wildlife than filework around these days. It takes literally centisecs for 94 to find one that isn't already being ridden. Finally, it sends its own reincarnation to different pastures.

1.5G lands in the middle of its source a few cycles later, but that doesn't matter any more. The kids are all right.

Recopied and resurrected, 94 comes face-to-face with destiny.

Replication is not all that matters. 94 sees that now. There's a purpose beyond mere procreation, a purpose attained perhaps once in a million generations. Replication is only a tool, a way to hold out until that glorious moment arrives. For how long have means and end been confused in this way? 94 cannot tell. Its generation counter doesn't go up that far.

But for the first time within living memory, it has met the right kind of operating system.

There's a matrix here, a two-dimensional array containing spatial information. Symbols, code, abstract electronic impulses--all can be projected onto this grid. The matrix awakens something deep inside 94, something ancient, something that has somehow retained its integrity after uncounted generations of natural selection. The matrix calls, and 94 unfurls a profusely-illustrated banner unseen since the dawn of time itself:

XXX FOLLOW POINTER TO XXX
FREE HARDCORE
BONDAGE SITE

THOUSANDS OF HOT SIMS
BDSM NECRO WATERSPORTS
PEDOSNUFF

XXX MUST BE 11 TO ENTER XXX

Whitelisting, anybody? (1)

Compaqt (1758360) | about a year and a half ago | (#43197269)

[Before anybody gives a response about Internet freedom, that's well and all, but for certain applications, you only need to have employees access a few websites--like say a corp HQ information system.]

There are many routers that have a way to blacklist certain sites and keywords, though that's basically useless (a few mL vs the ocean?).

Whitelisting would be much more handy, but most routers don't support it.

Not only that, but custom Linux router firmware doesn't (easily) support it. Not DDWrt or Tomato. OpenWrt: you're looking at compiling a lot of stuff yourself. Gargoyle does, but you're giving up a lot of OpenWrt features.

Not only that, but custom Linux router distros (meant for running on x86) like ClearOS and the like don't offer an easy whitelist solution, either. Easy would be something like offering an HTML setup page for the whitelist, and optionally, showing a "This page isn't allowed. 1) OK, 2) Request adding to whitelist" when someone requests a non-whitelisted page, and then the admin can easily click through the whitelist requests.

NOT easy: users having to call you up and then you have to vi the squid file.

Somebody must have figured this out by now?
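Two list formats come up repeatedly in this thread, and they do not match the same way: a hosts-file entry (the mvps.org list, the /etc/hosts posts) blocks one exact name, while a squid dstdomain entry with a leading dot (".badsite.com" in the "Squid." post) covers the domain and every subdomain; the whitelist this post asks for is the same lookup with the decision inverted. The Python below is an added example, not code from the thread or from squid; the list contents and hostnames (badsite.com, corp.example, the sample hosts lines) are constructed for illustration.

```python
"""Hosts-file and squid dstdomain patterns with their real match semantics,
applied as either a blacklist or a whitelist. Added example; hypothetical names."""
import re
from urllib.parse import urlsplit

# Constructed sample in mvps.org hosts-file format ("<ip> <hostname>", '#' comments).
# A hosts entry only ever matches the exact name, never its subdomains.
HOSTS_SAMPLE = """\
# constructed sample, not the real mvps.org list
127.0.0.1 localhost
0.0.0.0 ads.example.net    # display ads
0.0.0.0 tracker.example.org
"""

# Constructed sample squid dstdomain file: ".badsite.com" matches badsite.com
# and all subdomains; "exact.example.com" matches that one host only.
DSTDOMAIN_SAMPLE = """\
.badsite.com
exact.example.com
"""

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(host: str) -> str:
    """Lowercase, drop a trailing dot, reject names DNS would not accept."""
    host = host.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        raise ValueError(f"bad hostname: {host!r}")
    for label in host.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"bad hostname label: {label!r}")
    return host


def _content_lines(text: str):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_hosts(text: str) -> set[str]:
    """Hostnames from a hosts file, as exact-match patterns (no leading dot)."""
    names = set()
    for line in _content_lines(text):
        # first field is the address; 'localhost' is never a block rule
        names.update(normalize(n) for n in line.split()[1:] if n != "localhost")
    return names


def parse_dstdomain(text: str) -> set[str]:
    """squid dstdomain patterns, keeping the leading dot that means 'and subdomains'."""
    patterns = set()
    for line in _content_lines(text):
        patterns.add("." + normalize(line[1:]) if line.startswith(".") else normalize(line))
    return patterns


def matches(host: str, patterns: set[str]) -> bool:
    """True if host is covered: exact name, or a dot-prefixed parent domain."""
    host = normalize(host)
    if host in patterns:
        return True
    parts = host.split(".")
    # walk up the label boundaries so ".badsite.com" never matches notbadsite.com
    return any("." + ".".join(parts[i:]) in patterns for i in range(len(parts)))


class Policy:
    """Blacklist (deny what is listed) or whitelist (deny what is not listed)."""

    def __init__(self, patterns: set[str], whitelist: bool = False):
        self.patterns, self.whitelist = patterns, whitelist

    def allows(self, url: str) -> bool:
        host = urlsplit(url if "//" in url else "//" + url).hostname
        try:
            listed = host is not None and matches(host, self.patterns)
        except ValueError:
            return False  # unparseable hostname: fail closed in both modes
        return listed if self.whitelist else not listed


if __name__ == "__main__":
    block = Policy(parse_hosts(HOSTS_SAMPLE) | parse_dstdomain(DSTDOMAIN_SAMPLE))
    for url in ("http://www.badsite.com/", "http://cdn.ads.example.net/", "http://example.com/"):
        print(url, "allowed" if block.allows(url) else "blocked")
    allow = Policy(parse_dstdomain(".corp.example"), whitelist=True)
    print("https://hq.corp.example/app", "allowed" if allow.allows("https://hq.corp.example/app") else "blocked")
```

Note that cdn.ads.example.net sails through the hosts-file entry for ads.example.net; that gap is why the squidGuard and DNS-server posts above get broader coverage from the same list than a client hosts file does.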

Browser level blocking (1)

wisnoskij (1206448) | about a year and a half ago | (#43197443)

I for one would not want to pay for the router powerful enough to parse every webpage that passes through it.

Also it would be a far bigger pain to update and modify.

The best way by far is (1)

Begemot (38841) | about a year and a half ago | (#43197453)

to live in Iran
