Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

A Myspace Lockdown - Is It Possible?

Cliff posted more than 7 years ago | from the separate-your-workers-from-distractions dept.

Security 180

Raxxon asks: "We (my business partner and I) were asked by a local company to help 'tighten up' their security. After looking at a few things we ran some options by the owner and he asked that we attempt to block access to MySpace. He cited reasons of wasted work time as well as some of the nightmare stories about spyware/viruses/etc. Work began and the more I dig into the subject the worse things look. You can block the 19 or 20 Class C Address Blocks that MySpace has, but then you get into problems of sites like "MySpace Bypass" and other such sites that allow you to bypass most of the filtering that's done. Other than becoming rather invasive (like installing Squid with customized screening setups) is there a way to effectively block MySpace from being accessed at a business? What about at home for those who would like to keep their kids off of it? If a dedicated web cache/proxy system is needed how do you prevent things like SSL enabled Proxy sites (denying MySpace but allowing any potentially 'legal' aspects)? In the end is it worth it compared to just adopting an Acceptable Use Policy that states that going to MySpace can lead to eventual dismissal from your job?"

Sorry! There are no comments related to the filter you selected.

The 2nd best way is random incomplete blocking... (5, Insightful)

dada21 (163177) | more than 7 years ago | (#18181660)

I have customers who have asked us to do this, and we usually work to talk them out of it. As an employer myself, I have no problem with my employees "wasting time" on occasion, as long as their work is getting finished on time, and they're meeting their deadlines. Work takes more of our time than ever, so there is no reason why people can't take a recess for 5 minutes out of the hour to do personal things.

Nonetheless, the best solution that I came up with (I don't think I "invented" this, but I did come up with it after many days of contemplating) was to have a revolving DNS change for those 20 MySpace Class C addresses. We made it intermittent enough that the employees "thought" it was MySpace downtime, and eventually usage dropped significantly. Every 5-10 minutes a CRON job would add its own random address for one of the MySpace addresses, then 5 minutes later it cleared that and then did it to another address.

The only guy that I am aware of that noticed it is the guy who ran his own DNS on his workstation, but he was geeky enough to probably realize that it wasn't MySpace that wasn't resolving.

I still think that it is wiser to discuss WHY employees might be needing some downtime versus locking them out of applications. Happy employees are efficient, productive and fun to work with. I would never block my employees access to any sites (then again, I would never drug test, delve into their private lives, run a credit report, or any of the usual steps employers take).

Re:The 2nd best way is random incomplete blocking. (4, Funny)

montyzooooma (853414) | more than 7 years ago | (#18181764)

I did something similar to this except I blocked all access to the internet and told everyone that a Myspace virus had crashed the server. Then I spent the afternoon sobbing in my office to make them feel really guilty.

Re:The 2nd best way is random incomplete blocking. (0)

Anonymous Coward | more than 7 years ago | (#18184578)

The Jimmy James school of management.

Re:The 2nd best way is random incomplete blocking. (2, Funny)

triskaidekaphile (252815) | more than 7 years ago | (#18181772)

Are you hiring? ;)

Re:The 2nd best way is random incomplete blocking. (3, Insightful)

passthecrackpipe (598773) | more than 7 years ago | (#18181808)

I make no personal statement about what people should or should not be able to access from work. From a professional POV, if the customer asks for it I discuss the pro's and con's of filtering vs. log auditing (the vast majority of actual employees i spoke to prefer filtering - they feel auditing is too invasive), and usually the customer goes for filtering. It is important to point out that there is no fool-proof solution, and filtering has significant limitations. Having said that, if your customers insists on going the filtering route, try Surfcontrol or Websense.

Re:The 2nd best way is random incomplete blocking. (0)

Anonymous Coward | more than 7 years ago | (#18182880)

Surfcontrol is so painfully easy to circumvent though, there are anonymizing proxies that pop up all the time and you can block them one at a time as they pop up but it will become a losing battle.

Re:The 2nd best way is random incomplete blocking. (3, Insightful)

jhfry (829244) | more than 7 years ago | (#18181838)

Any chance your looking for an IT Manager.

Seriously, I have left so many jobs simply because I wasn't happy being treated like a child. Give me a job and I do it, to the best of my ability... don't concern yourself with what I do when I'm not working, and certainly don't tell me that I am expected to spend every minute during business hours working.

Re:The 2nd best way is random incomplete blocking. (5, Funny)

melikamp (631205) | more than 7 years ago | (#18182138)

Bill Hicks put it best:

-Why aren't you working?
-'Cuz there's nothing to do.
-Why won't you pretend to be working then?
-Why won't YOU pretend that I am working? You are paid more than me, you fantasize.

Re:The 2nd best way is random incomplete blocking. (4, Funny)

jhfry (829244) | more than 7 years ago | (#18182410)

This is exactly the reason I started smoking.

I was in the US Air Force at the time... and sitting idle in our office was a sure way to be given some mundane task to perform... so one had to look busy, or be outside having a smoke break.

In my office, the average smoke break was somewhere near 1 hour as our job was hurry up and wait. (ground computer maintenance for an aircraft based radar platform called AWACS). We could see the planes land, and the crew head in for debrief, from the "smoke pit"... so we were always there when real work needed doing.

Limited Internet == Lobotomy (2, Interesting)

Peter Trepan (572016) | more than 7 years ago | (#18182284)

Amen to your policy. I started out in print design, and got my current skills ((X)HTML, CSS, Javascript, PHP, MySQL, etc...) entirely through online tutorials and documentation. I write copy with the help of Reference.com, stop first at Wikipedia to learn the outline of any unfamiliar technology, and of course, keep up with tech news here. None of these sites were work-related when I worked in print, but they enabled me to move to web development.

And MySpace? I use it to keep up with old college friends. It's not directly productive, but it helps me avoid burnout. For those who use the full potential of the internet, restricting their access to it is like forbidding them from using a portion of their brain.

The damage of content filtering (5, Insightful)

KingSkippus (799657) | more than 7 years ago | (#18182304)

I have customers who have asked us to do this, and we usually work to talk them out of it.

I have no mod points, but I'm modding you up in spirit.

<soapbox>

I absolutely cannot stand it when employers filter content. The thing is, even if people are wasting too much time at work browsing MySpace (or the Internet in general), that is a management problem, not a technical one. If you take away their MySpace or whatever it is they're browsing, they're just going to move on and browse some other site. If you put a whitelist in place, they'll just find some other way to goof off. The problem isn't that the Internet is distracting, it's that the employee is easily distracted.

I work at a big company as a contractor. It just recently blocked access to the big Internet e-mail services (Gmail, Yahoo Mail, etc.) because it didn't like employees wasting time with their personal e-mail at work. Of course, being a contractor, it doesn't take into account that I use my personal e-mail to communicate with my contract agency about stuff that I'd rather not have stored on company e-mail servers. It's easy to say, "Well, you shouldn't use company resources for that type of stuff," but practically speaking, my ability to communicate effectively with my contract agency is essential to me doing a good job for them. It also totally ignores the fact that I keep personal stuff like vacations and such on my personal Gmail calendar to know when I should ask for time off, when my coworker's birthday is, and so on.

The company spends a fortune on content filtering. There's the hardware itself, the update service, the support contract, the personnel cost for the guy who maintains it, the internal support costs of handling trouble tickets related to it, the cost of Internet downtime due to it periodically failing, the cost of packaging the software end of it and deploying it to the workstations (so that you can't browse them at home on your laptop, of course!), and so on ad nauseum. Just as one example, some of our customers are casinos. So we can't just put a rule in that says, "block gambling sites," because our marketing and sales folks have to be able to access their sites. No, we have to have rules that say things like, "This group can access these sites, that group can access those sites, everyone else can't access any of the sites, ..."

Even in the extreme case of porn sites, the answer to controlling it is to make a company policy prohibiting browsing them, and if you catch someone doing it, fire them for it. If you try to block them all, you're just setting yourself up for someone saying something like, "Well, it wasn't blocked, so I thought it was okay to go there!" I've found that if you treat people like 12-year-olds, they tend to not disappoint you. When policies like this go into place, you're also going to have the contingent of people who deliberately goof off more as a form of passive-aggressive rebellion. It's just stupid, you're only causing more problems, and there's no need.

I know that some of you will probably reply, "But you have to filter content to avoid sexual harassment lawsuits!" No, you don't. As long as you make a company policy about it and you take the appropriate action when someone breaks that policy, you'll win any lawsuit that someone may file. The law does not require you to spend a fortune to be a babysitter, it only requires that you take reasonable action to prevent a hostile work environment. The reason we have content filtering in the first place is because managers, in general, are lazy and don't want to do it themselves. The people who would sue you for not content filtering will sue you anyway. The only important thing is whether or not you'll win. Besides, at my company, the cost of defending itself against such frivolous lawsuits is negligible compared to the cost of maintaining our content filtering services.

Content filtering is no substitute for clear company policies and good old-fashioned common sense. If I had my way, I'd totally disable it, and if I'm ever good enough and lucky enough to own my own business, I will never engage in the practice. In fact, if any management type tells me that we need to filter the Internet, I'd be tempted to fire them for not wanting to do their job, which includes dealing with employees who goof off too much or break the company policy regarding browsing Internet sites.

</soapbox>

Now, if you'll pardon me, now that I've wasted the time that I normally would have spent checking my e-mail and my brain is refreshed, I've got to get back to work.

I work for a state government IT department (2, Interesting)

spun (1352) | more than 7 years ago | (#18183952)

We filter heavily. Not any technical sites, but games, shopping, many message boards, and sex of course. Some blocked sites can be accessed using 1/2 hour discretionary time. Not the sex sites of course, but shopping and such-like. This is mandated statewide, and not up to the individual IT departments.

I work for Child, Youth and Family Development. We oversee the foster programs, youth activities, and detention centers. Even with all the filtering, we are investigating several net abuse cases per week. We have about 2,500 employees statewide. Most of the abuse cases are from the detention center guards.

All in all, I agree with filtering in this case. This is the state, and we are browsing on your dollar. Many state employees feel no compunction ripping off the tax payer through laziness or outright theft. I'm not one of them.

What do you all think? If you had a chance to vote on a ballot initiative (assuming your state is not one of those still stuck in the stone age and actually has ballot initiatives) mandating filtering for all state employees in your state, would you vote for or against?

Re:I work for a state government IT department (1)

RKThoadan (89437) | more than 7 years ago | (#18185130)

It depends, what is the price of filtering versus the price of "lost" productivity? From what I'm reading in the other posts here, filtering is very expensive.

Frankly, that is the only thing that any business should really be thinking about anyway.

Re:I work for a state government IT department (1)

spun (1352) | more than 7 years ago | (#18185742)

As we have a centralized filtering solution, the cost is spread out across state departments. As far as the cost, well, this is the state. People are going to find ways to waste time with or without Internet access. ;-)

Re:I work for a state government IT department (0, Troll)

Darth Liberus (874275) | more than 7 years ago | (#18185184)

I'd definitely vote against... why? Because I want the State to be able to hire smart people and treat them like professionals instead of wasting my money on a bunch of rule-crazy bureaucrats who do nothing but sit around patting themselves on the back about how they're more loyal to the taxpayers than the next guy.

Re:The damage of content filtering (1)

Bearhouse (1034238) | more than 7 years ago | (#18184776)

Plenty of good advice aleady given, my 10c. Seems to me people are either saying "don't block" (with or without a clear policy on acceptable use of internet) or "this is how to block". Also, "as long as I'm getting the job done, who cares?' Some problems with this. You actually need both - blocking / filtering & a fair, clear policy. 1. Blocking harmful sites is intelligent - anybody here *never* been redirected to a prOn site by accident? Some of the really nasty sites can cause a lot of harm - or distress - very fast. OK, you'll never block the really determined user, which brings us on to point 2. 2. As another poster mentioned, if someone does circumvent the controls in place, then it's hard for them to say "yup, used a proxy by accident". Not respecting policy = dishonesty = fired. On the "getting the job done" point, well, if you've finished your work, then go and find some more. Decent bosses reward initiative. If boss not decent then leave - staying with a bad boss was the worse mistake I ever made. Finally, re: the point about people (such as contractors) needing access, what I find depressing here is that nobody mentioned that it might be an idea to get people togther and talk about what needed to be used, how often, when & why... Hey, if my team can convince me that they're bringing in business or enrichening their skills, via MySpace then why not?

Re:The damage of content filtering (1)

QuantumRiff (120817) | more than 7 years ago | (#18185510)

I have no modpoints either, but damn I wish I did. Truly insightful. Why are we always looking for a technical solution for a "people problem". Which is more effective:

1. Filters, blocking, etc, with services, or people, or other things that take time and money...
or
2. Have a clear policy on acceptable use, fire the first person that breaks it...

Maybe its just me, but I think news of number 2 happening would spread much faster and effectively through the organization, and employees would remember it much, much longer.

Take away web sites, people will find other ones to kill time. Take those away, they'll start playing solitare on the PC. take that away, they'll start calling friends and family on the phone to chit-chat. crack down on that, they'll start hanging out in the break room too much... etc.. People that are bored need more or more interesting work, and better supervision.

Re:The 2nd best way is random incomplete blocking. (1)

mycroft822 (822167) | more than 7 years ago | (#18183128)

So umm, you got any job openings?

Re:The 2nd best way is random incomplete blocking. (4, Funny)

ad0gg (594412) | more than 7 years ago | (#18184000)

Working for a .com, my company had a problem with people always checking fuckedcompany to see if we were on it, so the CTO resolved fuckedcompany.com to 127.0.0.1.

don't block the site... (1)

TheSHAD0W (258774) | more than 7 years ago | (#18181774)

...block the service. If you filter out any Javascript from websites (except perhaps those on a whitelist) you'll be able to keep nearly all the malware off your systems - with the bonus of killing a lot of the enjoyment on those productiveness-destroying websites.

Re:don't block the site... (0, Troll)

drinkypoo (153816) | more than 7 years ago | (#18181882)

with the bonus of killing a lot of the enjoyment on those productiveness-destroying websites.

with the bonus of making a lot of legitimate websites not work properly.

There, fixed that for you.

Re:don't block the site... (2, Insightful)

TheSHAD0W (258774) | more than 7 years ago | (#18182236)

That's what the whitelist is for.

Re:don't block the site... (0, Troll)

LunaticTippy (872397) | more than 7 years ago | (#18182348)

Bah, whitelists. If I can't find what I'm looking for as easily or I can't do what I need to do then the punishment is worse than the disease. The weird techblog or manufacturer's site or vendor is not going to be in the whitelist. Adding some stupid site I'll use once is retarded. And if your whitelist is so big "I'll never have a problem" then you aren't filtering much are you?

You wouldn't put a whitelist on your phones would you? Or what addresses your mailroom can send mail to?

I think productivity is higher and morale is better if you secure your systems and trust your users.

If you're a sadist though, go ahead. Stick it to the little man! The frustration and delays are a small price to pay to make people feel unappreciated!

Re:don't block the site... (1)

drinkypoo (153816) | more than 7 years ago | (#18183154)

Great. So every time I hit a website that needs js, I have to contact IT, or I have to be smart enough to maintain my whitelist, depending on the level of freedom permitted me by IT. I can do the latter, but many can't, so they will need to contact IT. Then they're able to load the site, and find a link to another site... which won't work properly without js. So then they need to contact IT again. This completely interrupts the flow of their day and makes them less productive. Employees either need to access the web, or they don't. Aside from filtering known bad sites, taking away parts of the web is a horrible mistake. Use the most secure browser you can, keep up with updates, and block known bad sites aggressively, but either give me internet access, or don't.

Re:don't block the site... (1)

MikeBabcock (65886) | more than 7 years ago | (#18186036)

I use SquidGuard at work to block all the listed spyware companies and nothing more really. I've configured it to give users an HTML or image result from our internal server stating why the site/image has been blocked and who to contact if they think its an error (myself). So far, I'm the only person who's actually complained about it (to myself). It works very well and catches those laptops that get brought home, filled with garbage and then plugged back into the LAN trying to fetch various spyware utilities remotely.

Re:don't block the site... (1)

greg1104 (461138) | more than 7 years ago | (#18182454)

If you spend any length of time surfing with a Javascript blocking tool (I use NoScript with Firefox), you'll discover that enormous number of web sites are completely disfunctional without Javascript nowadays. I find myself needing to toggle it back on for sites every day, usually for menu navigation options. Today, for example, it was something on the Asus web site that didn't work; yesterday it was a tech review site. The idea that only "productiveness-destroying" sites use Javascript is naive.

Re:don't block the site... (0)

Anonymous Coward | more than 7 years ago | (#18183084)

Virtually any site using JSF (Java Server Faces) also requires javascript, since it's designed out of the box to require it for basic functionality. It's pretty shameful, and I don't believe ASP.NET has that limitation. I'm developing a JSF-based app, but it's for internal use where I know we all have JS.

I like javascript, it has appropriate uses, and there's even some places that can justify requiring it outright. But for basic navigation functionality requiring it to work at all, that's not appropriate.

Yes, you can engineer JSF sites to not depend on javascript, as long as you avoid most of the toolbox and do a lot of manual pulling of request parameters. Makes it almost as bad as raw CGI that way.

Re:don't block the site... (1)

walt-sjc (145127) | more than 7 years ago | (#18185002)

I also use NoScript, and yes, javascript is becoming more and more "required" for advanced sites. There is a difference however in "valid" versus "gratuitous" use of Javascript... Some sites require javascript in order for you to see parts of the page that should be plain simple HTML, or CSS, or trying to push server-side functions to the client (breadcrumbs for example.) On the other hand, there are sites like maps.google.com that would totally suck without javascript because they really need client-side scripting to improve usability.

Porn filters (1)

Spazmania (174582) | more than 7 years ago | (#18181794)

You know, there are companies out there that specialize in network-level content filtering. Porn filtering mostly, but they generally have a filtering set for workplace issues available as well. If you can't talk the guy out of it, consider buying a product that's actually designed to do the job.

Re:Porn filters (2, Informative)

alanshot (541117) | more than 7 years ago | (#18181862)

yup. Sonicwall with thier CFS (content filter system). works like a dream.

Until somebody there goofs and flags the map image server for mapquest as porn (we are fighting that one now)

Luckilly they do have a user submission system to reclassify those goofs.

No. (1)

koreaman (835838) | more than 7 years ago | (#18181832)

It's generally agreed that it's impossible to effectively block web sites without taking drastic and draconian measures. No, it's not possible. With proper policies and monitoring it shouldn't be a huge problem.

Re:No. (1)

tverbeek (457094) | more than 7 years ago | (#18182328)

You'll never be able to stop it completely. And this is not a technology problem; it's a management problem. So configure your DNS to resolve myspace.com to a local machine with a copy of the company's policy against accessing MySpace at work. Then let management and HR take care of anyone caught violating that policy.

I mean, like, duh. (5, Funny)

0xdeadbeef (28836) | more than 7 years ago | (#18181848)

is there a way to effectively block MySpace from being accessed at a business?

Stop hiring teenagers?

Re:I mean, like, duh. (1)

bigtangringo (800328) | more than 7 years ago | (#18182990)

Funny, but illegal :P

Re:I mean, like, duh. (2, Insightful)

dgatwood (11270) | more than 7 years ago | (#18183148)

Not illegal at all.

Wanted: Senior widget designer. Minimum five years experience.

Wanted: Administrative assistant. Must be responsible, hard-working individual.

And so on. Yeah, technically you can't explicitly exclude teenagers, but you can set job requirements that effectively do so. :-)

Internet on an "as needed" basis... (2, Interesting)

VitrosChemistryAnaly (616952) | more than 7 years ago | (#18181874)

I worked at a place (~200 employees) that had a really crappy policy.

There were about 20 people in management type positions that had absolutely no blocks set on the websites that they could visit.

The rest of the employees had a whitelist of work related websites that they could access. Everything else was strictly verboten. No checking personal email, no checking the weather or news.

To me it seemed somewhat Draconian, but that was the policy in place.

God I'm glad I left that job.

Re:Internet on an "as needed" basis... (1)

networkBoy (774728) | more than 7 years ago | (#18182014)

The only time I implemented that draconian a policy it was for the gateway from an R&D lab to the outside world.
I allowed access to equipment vendor sites (tek.com for example) and that was it. If you needed anything else go do it in your office, not my lab. To lock down a general office environment that much is going too far IMHO.
We use an automated log auditing tool. Even one or two porn hits won't cause issues (it happens by accident sometimes).

I clicked a link in google once (before firefox and during the pop-up heyday). Blew open at least a dozen porn windows before I could hit the power button (every time you closed a window a dozen more would seem to open). Called out IT dept and they said: no worries. it flags number of hits over time, so one burst like that every few months won't do anything. The same number of hits spread over a few hours would pop the alarm though.
-nB

Re:Internet on an "as needed" basis... (1)

PrescriptionWarning (932687) | more than 7 years ago | (#18182208)

It seems to me like some companies treat their employees like school kids. I mean I can understand a school system using internet filters, but come on, where's personal responsibility for adults? If the adult can't be reasoned with to not waste all their time, they can certainly be replaced.

Re:Internet on an "as needed" basis... (1)

jph (42590) | more than 7 years ago | (#18182430)

I don't understand web filtering at all, not even for schools. How are the kids supposed to learn about personal responsibility with internet in the first place if everything is filtered nice and tidy.

Of course they'll soon find numerous ways to circumvent the restrictions and learn that "bending" the rules is just fine, but personal responsibility...?

Definition of Draconian (1)

oyenstikker (536040) | more than 7 years ago | (#18182216)

Punishments are Draconian, not rules. Draconian would be cutting off your fingers for violating the policy.

Re:Definition of Draconian (1)

LunaticTippy (872397) | more than 7 years ago | (#18182476)

Says who? from mirriam webster

1 : of, relating to, or characteristic of Draco or the severe code of laws held to have been framed by him
2 : CRUEL; also : SEVERE (draconian littering fines)

It says the code of laws, not the punishment for violating the laws. Seems like a strange distinction anyway. You don't think strict rules are characteristic of Draco?

Re:Definition of Draconian (3, Informative)

Aladrin (926209) | more than 7 years ago | (#18182528)

American Heritage Dictionary - Cite This Source
draconian (dr-k'n-n, dr-) Pronunciation Key
adj. Exceedingly harsh; very severe: a draconian legal code; draconian budget cuts.

Words evolve. Deal with it.

Re:Definition of Draconian (0)

Anonymous Coward | more than 7 years ago | (#18186434)

Stolen any music lately?

Re:Internet on an "as needed" basis... (2, Informative)

Anonymous Coward | more than 7 years ago | (#18182630)

A friend of mine worked for the Gordon Flesch Company (~800 people) in Madison, WI. They had a filtering system in place, but it was pretty lax. They had a strict policy, but it had never been enforced. She was a WOW player, and would occasionally check the forums and game sites. Her work was top notch, her co-workers liked her, and her customers we always pleased with her performance.

One day she was called into her manager's office and fired due to her web usage. No warning, no verbal/written reprimand, just fired. Her last review said her performance was excellent, and there had never been a blemish on her record.

Now there's a company to avoid working for.

-AC

(It's not libel if it's true, but I'm not risking a lawsuit by putting my name on this!)

Re:Internet on an "as needed" basis... (1)

interiot (50685) | more than 7 years ago | (#18182826)

So if employees needed to download an OSS utility, or look up some technical assistance on usenet/forums, as part of their job, they basically had to drive home or borrow their boss's computer to get that information?

It seems like the company was classifying the internet as wholly negative, that random unknown parts of the internet never contain things that might be important to getting one's job done? Certainly the Internet has more distractions than help, but there's been enough times in the past year or two where I really had to do random Google searches to complete a task for work that I think I'd end up with a large forehead-sized dent in my desk if my company did this.

Re:Internet on an "as needed" basis... (1)

Feanturi (99866) | more than 7 years ago | (#18184872)

I've got a similar environment where I work. But I happen to be posting to Slashdot from there right now, so it's not all that bad. Most forums are blocked however, which is maddening when a google search for a tech problem turns up very promising looking hits that are all in blocked forums. Quite a few times I've been stalled trying to find information that I would have ready at my fingertips if I'd been working from home instead.

Re:Internet on an "as needed" basis... (1)

Original Replica (908688) | more than 7 years ago | (#18185890)

Spend a summer roofing, or working on a factory floor, or hanging drywall. Then come back and tell me how hard it was to not check you personal e-mail at work at you old desk job. Why does it make perfect sense that blue collar workers should have such a clear distinction between personal and work time, but white collar workers should be allowed to hop back and forth? What would you do if your plumber decided to check his personal e-mail while you where paying him?

okay.. (1)

cybrthng (22291) | more than 7 years ago | (#18186184)

Funny you should compare these. I've spent a few years working with general contractors and if there is one thing they're good at, its not working a full day. Sure you have those dedicated few that still believe in an honest days work equalling an honest days pay but i've had a hard enough time keeping people on site, stopping them from coming in drunk, stoned, missing work all together or complaining it may rain next week.

Every "vertical" market, whether its labeled blue colar or white has its own moral ambiguity and issues as it relates to work and work ethics. I don't see many "blue collars" that care about checking email, they're stopping at the bar to watch a race or check on the game. (and there are white collars that do that as well)

I think you miss the notion that there is a lot more in common between the two work forces than you care to admit. I've worked both and while they're different, they're both physically and mentally challenging in there own ways and they both have there ups and downs and distractions to contend with.

Websense (2, Informative)

outlaw69 (209617) | more than 7 years ago | (#18181920)

Install websense. Blocks the proxy sites AND Myspace as well as anything else you want.

Hosts File (3, Interesting)

jconley (28741) | more than 7 years ago | (#18181936)

Assuming it is a windows environment, use policy/login scripts to update the hosts file on the client to map the myspace domains to yahoo, or something else harmless.

Re:Hosts File (1)

RayMarron (657336) | more than 7 years ago | (#18184842)

Assuming it is a windows environment, use policy/login scripts to update the hosts file on the client to map the myspace domains to yahoo, or something else harmless.
Then the user just types the IP address into the browser's address bar. Thanks for playing!

Re:Hosts File (1)

lazarusdishwasher (968525) | more than 7 years ago | (#18186098)

What about all of the embedded content like pictures, movies, audio, or standard hyperlink. Will anybody rewrite all of the urls needed to browse myspace.

We went the Squid route (1)

ReidMaynard (161608) | more than 7 years ago | (#18181952)

We went the Squid route and it worked fine. Large orginization too (100K+ employees). This is done a lot in the industry.

Waste of time.. (1)

ltning (143862) | more than 7 years ago | (#18181956)

You're going to spend more time implementing blocks for myspace, not to mention all the other sites you then might think you want to block, than you would spend writing a corporate policy draft outlining acceptable use - plus installing efficient anti-virus and firewall software/hardware at appropriate places in your infrastructure.

Not to mention you'll come out of it looking less like a triggerhappy censoring dictator of some (not-so-)long-gone communist or fascist state.

If you have to block, block all and allow access only to those sites your employees need. That way it's not "selective censorship" anymore. Blocking a service is fair, blocking content is not.

One way (5, Informative)

Zonk (troll) (1026140) | more than 7 years ago | (#18181966)

Squid+SquidGuard

I had to do this for a school. Basically, set up Squid to act transparently. Set up an acl like:


acl myspace dstdomain .myspace.com
acl work_hours MTWHF 09:00-12:00
acl work_hours MTWHF 13:00-17:00
http_access allow myspace !work_hours
http_access deny myspace


That would allow access during lunch and before and after work.

If you want to block against proxies, use SquidGuard plus some blacklists. The ones at urlblacklist [urlblacklist.org] are good, as is the isakurldb [gplindustries.com] list (it's based on dmoz). Another one is the one from shalla.de [shalla.de] . All have social networking categories as well as proxy sites, though shalla's proxy and spyware lists tend to overblock.

I'd recommend merging urlblacklist's lists with isakurldb, and also shalla (but remove yimg.com from the redirector list manually) for both proxy and social networking. Then use SquidGuard to restrict the access.

You already know the answer. (2, Insightful)

Rob T Firefly (844560) | more than 7 years ago | (#18181970)

In the end is it worth it compared to just adopting an Acceptable Use Policy that states that going to MySpace can lead to eventual dismissal from your job?
In short, no. Technical measures will always be circumventable. If you really want to stop employees using Myspace, you'll have to filter the content via the keyboard/chair interface, as in telling them to stop doing it.

Re:You already know the answer. (1)

agm (467017) | more than 7 years ago | (#18185934)

Indeed. There are many technical ways to get around blocks. A client I worked for knew which websites we visited and although it wasn't an issue they were amused how much time was spent bidding on online auctions. The solution? Us NX to connect to my home computer and do remote X through NX to visit whatever site I want. All they see is encrypted traffic on port 22.

Block the Class C (3, Informative)

mr100percent (57156) | more than 7 years ago | (#18182020)

So block the class C's. Things like Myspace Bypass are not your problem, the average user probably won't know about that. At a certain point, you'll find a user who will just run an SSH proxy, and is it really worth the hassle for locking out the more advanced users like that?

Policy (1)

cyberbian (897119) | more than 7 years ago | (#18182058)

By developing an 'acceptable use' policy you can define unequivocably the sites that an employee is allowed to access while in normal working hours. Rather than blocking any content, it's better to log all accesses through a pass-through proxy or some other mechanism. This way you can screen the users and see their adherance to policy, flag those for follow up and arrange time to discuss their opportunities for change. The real truth in IT management is that it must be mandated from the top down. If 'the powers that be' define a policy limiting company resource use, then it's easier to track than to prevent. Having all users reminded at each log on of their duties and responsibilities with respect to network access is also trivial and given such daily notices they would have little wiggle room with an 'I didn't know that was wrong.' defense. In the short term, you'll experience a small amount of pain with the unlimited access, but with a sound policy, you'll soon be reaping the benefits with lower administration times.

Failing that being workable, it's always best to 'deny all' and whitelist the sites that are acceptable, further containment of this concept is possible by group restrictions. This method would allow you to tune internet access by employee type(s) giving unfettered access to R&D but limit access to clerical who may just be spinning their productivity away on a myspace romp.

It's important to remember that these network services are paid for company assets, and the disposition of assets REQUIRES policy.

Re:Policy (1)

avronius (689343) | more than 7 years ago | (#18182272)

Interesting.

I know of more people in R&D roles who waste "company time / resources" surfing slashdot, digg, youtube, etc. than in any other role.

On the flip side of that, I know of people in "receptionist only" roles that would benefit from websurfing to kill off the boredom of that position. These people are not permitted to leave the phone / desk [minor breaks to use the facilities, and a short lunch break], and many aren't permitted any other responsibilities that may take them away from the desk.

An acceptable use policy would allow both classes of users the flexibility that their jobs require.

anybody using BlueCoat Proxy ? (0)

Anonymous Coward | more than 7 years ago | (#18182088)

At my place of work, we use BlueCoat proxy server. It seems to do a fantastic job of URL filtering. I have yet to find a proxy site or link via a web-search that is not blocked.

Re:anybody using BlueCoat Proxy ? (0)

Anonymous Coward | more than 7 years ago | (#18182154)

That's what my company switched to recently. And while the actual filtering is pretty good, at times its too good.

Many times I'm looking up solutions or drivers or other search results relevant to my job and 75% of the results will be blocked.

Then again our company still doesn't block eBay, so wtf do they know?

It's just a like a fence. (5, Insightful)

soliptic (665417) | more than 7 years ago | (#18182094)

I remember once being at some old ruined castle with my parents when I was, hmm, perhaps about 10 years old.

There was a small wooden fence around an area containing the moat and some potential dangerous ruined stonework.

I said: "what is the point of that fence, it's tiny, I could climb over it easily? it really doesn't do anything to stop me ending up in the moat"

They said: "well, the thing with fences is that they're not there to stop you getting somewhere. They're there to make you KNOW that you're not supposed to go somewhere. If you just fell into the moat, the castle owners are in trouble. If you climb over a fence and fall in the moat, the castle owners can say, 'well, come on, he climbed over the fence that clearly marked that area off limits. You can hardly blame us, and he can hardly claim he didn't realise he wasn't supposed to be going into that area'."

Likewise with your problem.

Yes, technical measures can always be defeated by the determined myspacer, such as via a proxy. However, I would say some technical measures are worth considering hand-in-hand with the AUP, as a sort of 'fence'. If myspace is banned by the AUP, but not blocked, then everyone will go there, and when they do, they can claim they didn't realise it was against the AUP, or they clicked a link which took them to myspace without realising that's where the link led, "honestly"... etc, etc.

If myspace is blocked, on the other hand, then you force people to "climb over the fence". Yes, they can still get to it via a proxy - but the fact they've gone to it via a proxy means it is explicitly, unarguably obvious that they knew they weren't supposed to be going there, and deliberately went out of their way to get around the rules. This, imho, means you will be able to enforce the AUP more stringently.

Re:It's just a like a fence. (2, Informative)

BandoMcHando (85123) | more than 7 years ago | (#18182734)

We use a similar sort of philosophy. If the employee goes to a site that the software thinks is dodgy, they will get a page warnming them that we believe it is dodgy, and why, but there is a option to continue onto the page, thereby acknowledging the warning, and choosing to view the content anyway, with such events logged and reviewed by the HR department on a monthly basis.

(Althogh most restricitions are lifted outside of normal working hours, and at lunchtime.)

Automating invasiveness is not in itself invasive (1)

Lord Bitman (95493) | more than 7 years ago | (#18182136)

Install squid. Having a program be invasive for you is no more invasive than trying to do it by hand. I don't see how you could think otherwise.

Of course, there's the obvious solution of: give up, your goal is technically impossible.

Instead of Blocking the Bad, Allow the Good (2, Insightful)

Wyrd01 (761346) | more than 7 years ago | (#18182146)

Assuming your employees only "need" a finite, relatively small number of web site to do their jobs, why not approach this problem from the other direction and avoid a lot of the hassle.

Instead of trying to keep up with every potential "myspace bypass" and blocking every site like it, just block all access to the internet by default, and then allow them out into only those few sites they actually need.

I can't imagine actually working at a company that did this, I treasure my ability to mindlessly surf from time to time when I get stuck/bored, but I believe this would solve your issue. This way you'd only occasionally need to allow access to another "good" website, instead of trying to keep up with countless "bad" ones.

Re:Instead of Blocking the Bad, Allow the Good (0)

tweek (18111) | more than 7 years ago | (#18183088)

This is a basic security construct and I still get surprised when people try the other way around.

Remember kids:

Denied unless explicitly allowed.

Your network admin appreciates your cooperation.

But how is the good defined? (1)

tepples (727027) | more than 7 years ago | (#18184230)

Denied unless explicitly allowed.
Except in practice, how much work will it be to explicitly allow all traffic that needs to be explicitly allowed? For each employee permitted to use the web for research, are you going to hire another employee who views every page before forwarding it to the employee? Or is an employee expected to wait a day before viewing each page while doing research essential to his or her position?

Don't actually block it (1)

Constantine XVI (880691) | more than 7 years ago | (#18182172)

I'd say the best way to take care of the problem would be just to passively monitor their Internet access, and give them *kind* warnings in their email when they go to (insert forbidden site here). Also, you could inject little "Big Brother is watching you" messages at the top of web pages on occasion, just to keep people on their toes

Privacy (1)

Applekid (993327) | more than 7 years ago | (#18182240)

As much as I'd hate to carry a banner in this direction, I think leaving the doors open and clandestinely monitoring your employees' habits is far more illuminating on the quality of people you hire than just blocking it off.

If I were in charge of that sort of thing, one who spends more downtime in the office on myspace versus, say, wikipedia is someone I might be less inclined to give a project with challenges and forces one to learn and aquire skills. Likewise, I would be suspicious of giving high sensitivity projects to employees to frequent lots of forum sites, as they might be more inclined to share things.

Don't judge a book by its cover, judge a book by the qualities of books that are around it.

Re:Privacy (2, Interesting)

Ashe Tyrael (697937) | more than 7 years ago | (#18182626)

Likewise, I would be suspicious of giving high sensitivity projects to employees to frequent lots of forum sites, as they might be more inclined to share things.

My, what an.. interesting point of view. So people who are more social are more likely to spill your secrets? The fact that someone likes to discuss things with people means that they are more likely to be telling everyone things you've asked them not to tell people?

Sorry, but I think that's absolute bunk. Knowing what to say and what not to say, what things are secret and what are public, is a large part of learning to be social in any medium. Frankly, I'd be more worried of people selected for such a policy, not less. At the very least, I'd never want to work with them.

Re:Privacy (1)

Applekid (993327) | more than 7 years ago | (#18182928)

My forum comparison is probably a stinker in retrospect, but will you deny that one can learn a lot about you from the way you spend your free time? Not to say that downtime web surfing should be the say-all-end-all, just to judge intangible characteristics of a person.

Ever gone to someone's house only to see a bunch of braindead gossip magazines on the coffee table? If they are your friend obviously it's not going to be a dealbreaker, but still gives you fuel for the type of person they are. What if you saw a bunch of engineering journals? Girlie mags?

Re:Privacy (1)

Ashe Tyrael (697937) | more than 7 years ago | (#18183006)

While I'll agree in principle, I don't see how useful it can be. After all, you don't select an employee because you like their tast in lad-mags (or at least, I hope you don't.) the image you get is also often misleading, as many people (myself included) tend to be somewhat different in their professional lives to how they are in their private lives. As a bit of background maybe, as criteria for selecting for important projects, I find it to be very much a "can't see the wood for the trees" approach.

Use a professional Solution (0)

Anonymous Coward | more than 7 years ago | (#18182244)

I work for a school, and the most complete solution to problems with Myspace (and any other website problems) is Lightspeed Systems, Total Traffic Control. It lets you block the sites you are worried about, and it also lets you prevent your users from using proxies to access them. On top of all that it comes with a spam filter, virus protection for desktops, and a mail archiving tool so the company can be compliant with the new e-mail archiving laws.

Short answer? No. (1)

Coasterphreak (1069652) | more than 7 years ago | (#18182292)

As previously stated, the only way to truly block Myspace is by only allowing specific sites to be accessed. I am a high school student in a relatively large school system. My peers are complete Myspace addicts. No measure taken thus far has succeeded in preventing the general populace from accessing Myspace. It usually goes something like this: -Proxy being used to access Myspace gets blocked. -Bored nerd gets on Google. -New proxy is found, and has circulated the student population within 48 hours. My school system has even gone so far as to block any URL with the string "myspace" in it (including news articles on sites such as The Register). This only makes things slightly harder by requiring the use of a proxy that encrypts the URL (which also makes any kind of logging filter pointless, because you can't read the URL being visited). Google searches for any search with the string "proxy" in it have also been blocked, but again, it only requires a little more creativity. In essence, an AUP that you actually enforce is the only way you're going to discourage people from visiting Myspace and other social networking sites. A determined enough individual, especially one with a computer literate friend that knows how to set up and/or find web proxies.

Proxy (1)

the_B0fh (208483) | more than 7 years ago | (#18182346)

The only real way to do it is to proxy all outbound http/s. Then you can selectively block by domain names and so on. And the reason you have to proxy is so that the browser have to use *your* proxy rather than an offsite proxy.

Just a thought... (1)

MikeRT (947531) | more than 7 years ago | (#18182374)

Why not just block out the MySpace domains and try to get MySpace Bypass too? If they're sophisticated enough that they resort to doing a lookup for the IPs and things like that, they're probably not the sort of employee who would be using MySpace anyway. Chances are, if they are blogging, it's on their own server anyway.

If you wanna be really nasty... (5, Funny)

Anomolous Cowturd (190524) | more than 7 years ago | (#18182378)

Sniff passwords for anyone that logs into Myspace then sabotage their accounts. Declare this policy a couple of days before it takes effect.

What about something like Privoxy ? (0)

Anonymous Coward | more than 7 years ago | (#18182380)

If the are forced to go through something like Privoxy you could put a rule in there blocking all URLs that end in myspace.com. It wouldn't matter if they were SSL connections or not as Privoxy would still snag the DNS. How many users are going to go to the trouble to lookup the IP addresses of myspace in order to circumvent this ?

I know how to block Myspace.com from everyone (1)

rridgeway (1058122) | more than 7 years ago | (#18182498)

Run an internal DNS server and create a "Forward lookup zone" for Myspace. Create a new Host record for the zone and give it a bogus address that doesn't go anywhere. Or do set it up like I do and have it point to a page on my webserver that explains why Myspace isn't allowed.

Quick & dirty (3, Informative)

oatworm (969674) | more than 7 years ago | (#18182564)

I had an employer ask me to do this for them as well. Since it was a Windows AD environment, I just set the internal DNS server to point myspace.com to 127.0.0.1 and set DHCP to hand out only the internal DNS server, which is what you want in an AD environment anyways. Obviously, it'd be fairly easy to circumvent (manually plug in an ISP's DNS server - problem solved), but it kind of ties into that "fence" idea mentioned in an earlier reply here, in that, for someone to figure out why Myspace wasn't working, they'd need to troubleshoot it, at which point they'd discover where Myspace was pointing and realize, "Hmm, someone probably intentionally did that."

I will point out that this was for a smallish company (25 people), not a school or anywhere else where the end-user can basically be assumed to be at least somewhat malicious. But, it does get the job done if you're in a hurry.

If you're blocking sites that eat time ... (4, Insightful)

slim (1652) | more than 7 years ago | (#18182692)

... better block Slashdot while you're at it.

Re:If you're blocking sites that eat time ... (1)

Gunslinger47 (654093) | more than 7 years ago | (#18185046)

... better block Slashdot while you're at it.

I was fired from my first and last menial office job for browsing the Internet (Slashdot) "three times per day". I.e. during my coffee and lunch breaks. 'Course, I didn't learn the true reason until months afterward. At the time, I had broken no rule that I had been informed of and was told simply that it "wasn't working out" and that "human resources" never told "them" the reason.

*shrug*

The job sucked anyway.

DNS blackhole (1)

peacefinder (469349) | more than 7 years ago | (#18182822)

I was asked to do this, too. The network had its own DNS server, so I redirected myspace.com to the company's own intranet website.

It was a dirty hack, and wouldn't be too hard for a technically-inclined user to work around, but they didn't need an airtight blockage. They just needed the misbehaving employees to know that management saw a problem, that the gentle measures taken before that had not produced the desired corrections, and that much blunter enforcement instruments were available.

It got the message across loud and clear.

Filtering Works Great Though! (0)

Anonymous Coward | more than 7 years ago | (#18182904)

My previous company used a filter. Gmail was blocked, then it wasn't. Google portal was blocked for a while too. Slashdot was blocked at one point. Several others that I regularly visited would be blocked one day and not the next as well. I was never brave enough to try a porn site, but I wouldn't be shocked to find they weren't blocked because some upper crust management wanted access to them. The best part was when sites like google, yahoo, MSDN and others got blocked. That made my job so much fun when necessary resources fell victim to the maintenance of a web filtering system (I think they used websense).

You need to... (1)

bstempi (844043) | more than 7 years ago | (#18183024)

hire Terry Tate: Office Quarterback!

Re:You need to... (0)

Anonymous Coward | more than 7 years ago | (#18184168)

Uhh, he's a linebacker.

I know this is /. but come on.

Re:You need to... (1)

rob1980 (941751) | more than 7 years ago | (#18184702)

You kill tha joe, you make some mo!

Attempting Limiting Access != Limiting Smart Users (1)

hcmtnbiker (925661) | more than 7 years ago | (#18183200)

My meathod of choice to get arround filtering, and rather interesting, is to set up my home PC as a SOCKS5 proxy and rout all traffic through it, never once did I find a filter that did packet analysis to the point where it would block that(to much work to determine URLs for SOCKS proxies vs html body text maybe?). Of course you could always use someone else's proxy, but I always found that to be rather slow and not the uptime i wanted so i set up my own. People always find ways to be one step ahead of filtering, this is why it will never truly work, same idea holds true for DRM, you cant give limited access and expect people to just accept it.

Here's a crazy Idea: (2, Informative)

Cornflake917 (515940) | more than 7 years ago | (#18183332)

Fire people that aren't doing their job.

easy solution (1)

ajs318 (655362) | more than 7 years ago | (#18183386)

You don't need to be quite so heavy-handed about it.

Put Linux, Flash, Java, VLC and assorted codecs on a few machines in the canteen. Make it known that those machines, and no others, are to be used for accessing non-work-related sites. Then have the IT department invoice employees for computer repairs necessitated as a consequence of visiting any NWR sites on their workstations.

Depending on your local laws ... (1)

gd23ka (324741) | more than 7 years ago | (#18183484)

Okay this is a no-brainer but of course there is an easy and convenient
way to put a stop to Myspace. If your employees are a dime a dozen then
simply audit employees web usage and then fire those who continue to visit Myspace.

Now of course if you for some reason value your employee because they're
from a hard to get group that actually does real work at the low wages or
petty salaries you're paying and you'd still like to keep them, then perhaps
you will just have to ignore the fact that they're "wasting" some of the
precious time for which you pay so little.

And on the other hand you value your employees and want to keep them and
you're paying them decent salaries then why don't you just ask them to keep it down?
For the most part these folks tend to listen.

Create a MySpace Phishing site! (1)

sjorgnsn (514708) | more than 7 years ago | (#18183514)

Make a MySpace Phishing site, capture people's logins, reek havoc on their account!

Maybe taunt them mercilessly asking why Backstreet Boys is their guilty pleasure, why they like Chinese Food over Mexican, how they're too scared to try homo/bi-sexuality but secretly want to, and why Chuck Norris #18234 is one of their featured friends.

Then you also have a nice list of who has been using MySpace. Watch those people like a hawk, and at the first sign of trouble, out the door they go!

Re:Create a MySpace Phishing site! (1)

Lehk228 (705449) | more than 7 years ago | (#18184714)

no need to phish, myspace logins aren't encrypted, just sniff traffic at the uplink

Keyword filter? (1)

Odin_Tiger (585113) | more than 7 years ago | (#18183566)

Why don't you just filter anything that has *myspace* in the URL? I've seen this work before and while it can occasionally cause problems, it generally works.

As the old saying goes... (2, Insightful)

Dekortage (697532) | more than 7 years ago | (#18184660)

Locks only keep honest people honest.

If you block MySpace succesfully, the people who visit MySpace during their work time will just find another way to waste time and expose the company's computers to spyware/etc. risks. It's a losing battle. Think of it as DRM for your employee's time.

Recommend against even trying (1)

J'raxis (248192) | more than 7 years ago | (#18186222)

I would recommend against even trying to completely block it for employees. Having a policy to deal with major offenders is better than creating such a restrictive environment.

Firstly, the virus/adware problem the employer is worried about would be better solved by making sure the machines have up-to-date virus definitions, that the browser is configured properly: disabled Active-X, blocking popups, to not be Internet Explorer... the usual suggestions. Make sure their IT people are keeping the machines in order, and that the employees can't disable or otherwise futz up the antivirus software. And secondly:--

You can block the 19 or 20 Class C Address Blocks that MySpace has, but then you get into problems of sites like "MySpace Bypass" and other such sites that allow you to bypass most of the filtering that's done.

This makes me think of what happens when a government tries to outlaw something they know that people want: all it ends up doing is creating a new black market and more crime; beyond the tautology of new law = new lawbreakers, you end up with people doing all sorts of bad things they otherwise wouldn't have to do, just in order to get around a law that shouldn't've been passed in the first place. You start out by outlawing something you think people ought not have, and pretty soon you find yourself spending $40 billion a year with no end in sight, just to use one example [drugpolicy.org] .

So right now they've employees wasting a little time each day on MySpace. Do you want to create a situation where instead some of these employees waste an hour or two trying to come up with creative ways to evade proxies and firewalls? Or where an employee ends up infecting his computer with all sorts of malware because of some shady site he came across while trying to find, say, open proxy lists? Or he ends up accidentally divulging a whole bunch of private data by setting his browser to use an open proxy, not realizing all his HTTP traffic is now being routed through who-knows-what in Russia? And how much productivity will be lost when some employee gets fired over 15min of slacking off and it takes the company two weeks to find a replacement candidate?

And consider the morale impact -- and thus productivity impact -- when you start getting employees grumbling about being treated like prisoners at their workplace.

I'd recommend that the employer A) not worry about the employees who spend a few minutes a day browsing MySpace, and B) only come down on the people having major productivity issues because they're spending half their day slacking off, or the people who've caused severe security problems by getting their computers breached by malware.

Transparent Squid proxy, SARG and Dansguardian (1)

skinfitz (564041) | more than 7 years ago | (#18186302)

I spent some time trying to effectively block MySpace from our organisation. Firstly, how to detect MySpace being accessed - obviously one blocks 'myspace.com' but then finds that people are still using it. Use SARG to analyse the Squid logs and look in the top sites accessed - you will see google images, YouTube and whatever proxy they are using for MySpace listed in your most accessed sites. One starts banning proxies (tip: try monitoring web accesses for phproxy and you will be amazed at what you find) but ultimately realises that one is fighting a losing battle as for every proxy one blocks, two more will spring up.

The absolute best way I have found of banning MySpace no matter what proxy is used is to block it's content using DansGuardian - look in the HTML of MySpace pages and find strings that appear in every MySpace page, but not in others. Put the strings into DansGuardian's banned phrase lists, and voila - blocked no matter what proxy is used.

Obviously this will not work for SSL encrypting proxies, however only a lunatic would allow a free SSL proxy meaning that SSL proxies are usually pay services, and are easy to spot if you look in your logs. Use SARG regularly to monitor access and you will easily see how your users are finding a way to it if they manage that in the future. Also set up a block page where your users can ask for sites to be unblocked - when the regular 'PLZ UNBLOCK MYSPAZ KTHXBY' messages stop arriving, be suspicious and look for how they are getting to it and take appropriate action.

Did I mention I am Evil®?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?