Security

A Myspace Lockdown - Is It Possible? 180

Raxxon asks: "We (my business partner and I) were asked by a local company to help 'tighten up' their security. After looking at a few things we ran some options by the owner and he asked that we attempt to block access to MySpace. He cited reasons of wasted work time as well as some of the nightmare stories about spyware/viruses/etc. Work began and the more I dig into the subject the worse things look. You can block the 19 or 20 Class C Address Blocks that MySpace has, but then you get into problems of sites like "MySpace Bypass" and other such sites that allow you to bypass most of the filtering that's done. Other than becoming rather invasive (like installing Squid with customized screening setups) is there a way to effectively block MySpace from being accessed at a business? What about at home for those who would like to keep their kids off of it? If a dedicated web cache/proxy system is needed how do you prevent things like SSL enabled Proxy sites (denying MySpace but allowing any potentially 'legal' aspects)? In the end is it worth it compared to just adopting an Acceptable Use Policy that states that going to MySpace can lead to eventual dismissal from your job?"
This discussion has been archived. No new comments can be posted.

  • by dada21 ( 163177 ) * <adam.dada@gmail.com> on Wednesday February 28, 2007 @11:45AM (#18181660) Homepage Journal
    I have customers who have asked us to do this, and we usually work to talk them out of it. As an employer myself, I have no problem with my employees "wasting time" on occasion, as long as their work is getting finished on time, and they're meeting their deadlines. Work takes more of our time than ever, so there is no reason why people can't take a recess for 5 minutes out of the hour to do personal things.

    Nonetheless, the best solution that I came up with (I don't think I "invented" this, but I did come up with it after many days of contemplating) was to have a revolving DNS change for those 20 MySpace Class C addresses. We made it intermittent enough that the employees "thought" it was MySpace downtime, and eventually usage dropped significantly. Every 5-10 minutes a CRON job would add its own random address for one of the MySpace addresses, then 5 minutes later it cleared that and then did it to another address.

    The only guy that I am aware of that noticed it is the guy who ran his own DNS on his workstation, but he was geeky enough to probably realize that it wasn't MySpace that wasn't resolving.

    I still think that it is wiser to discuss WHY employees might be needing some downtime versus locking them out of applications. Happy employees are efficient, productive and fun to work with. I would never block my employees access to any sites (then again, I would never drug test, delve into their private lives, run a credit report, or any of the usual steps employers take).
  • I make no personal statement about what people should or should not be able to access from work. From a professional POV, if the customer asks for it I discuss the pros and cons of filtering vs. log auditing (the vast majority of actual employees I spoke to prefer filtering - they feel auditing is too invasive), and usually the customer goes for filtering. It is important to point out that there is no fool-proof solution, and filtering has significant limitations. Having said that, if your customer insists on going the filtering route, try Surfcontrol or Websense.
  • by jhfry ( 829244 ) on Wednesday February 28, 2007 @11:58AM (#18181838)
    Any chance you're looking for an IT Manager?

    Seriously, I have left so many jobs simply because I wasn't happy being treated like a child. Give me a job and I do it, to the best of my ability... don't concern yourself with what I do when I'm not working, and certainly don't tell me that I am expected to spend every minute during business hours working.
  • by Rob T Firefly ( 844560 ) on Wednesday February 28, 2007 @12:05PM (#18181970) Homepage Journal

    In the end is it worth it compared to just adopting an Acceptable Use Policy that states that going to MySpace can lead to eventual dismissal from your job?
    In short, no. Technical measures will always be circumventable. If you really want to stop employees using Myspace, you'll have to filter the content via the keyboard/chair interface, as in telling them to stop doing it.
  • by soliptic ( 665417 ) on Wednesday February 28, 2007 @12:13PM (#18182094) Journal
    I remember once being at some old ruined castle with my parents when I was, hmm, perhaps about 10 years old.

    There was a small wooden fence around an area containing the moat and some potentially dangerous ruined stonework.

    I said: "what is the point of that fence, it's tiny, I could climb over it easily? it really doesn't do anything to stop me ending up in the moat"

    They said: "well, the thing with fences is that they're not there to stop you getting somewhere. They're there to make you KNOW that you're not supposed to go somewhere. If you just fell into the moat, the castle owners are in trouble. If you climb over a fence and fall in the moat, the castle owners can say, 'well, come on, he climbed over the fence that clearly marked that area off limits. You can hardly blame us, and he can hardly claim he didn't realise he wasn't supposed to be going into that area'."

    Likewise with your problem.

    Yes, technical measures can always be defeated by the determined myspacer, such as via a proxy. However, I would say some technical measures are worth considering hand-in-hand with the AUP, as a sort of 'fence'. If myspace is banned by the AUP, but not blocked, then everyone will go there, and when they do, they can claim they didn't realise it was against the AUP, or they clicked a link which took them to myspace without realising that's where the link led, "honestly"... etc, etc.

    If myspace is blocked, on the other hand, then you force people to "climb over the fence". Yes, they can still get to it via a proxy - but the fact they've gone to it via a proxy means it is explicitly, unarguably obvious that they knew they weren't supposed to be going there, and deliberately went out of their way to get around the rules. This, imho, means you will be able to enforce the AUP more stringently.
  • by Wyrd01 ( 761346 ) on Wednesday February 28, 2007 @12:17PM (#18182146)
    Assuming your employees only "need" a finite, relatively small number of web sites to do their jobs, why not approach this problem from the other direction and avoid a lot of the hassle.

    Instead of trying to keep up with every potential "myspace bypass" and blocking every site like it, just block all access to the internet by default, and then allow them out into only those few sites they actually need.

    I can't imagine actually working at a company that did this, I treasure my ability to mindlessly surf from time to time when I get stuck/bored, but I believe this would solve your issue. This way you'd only occasionally need to allow access to another "good" website, instead of trying to keep up with countless "bad" ones.
  • by TheSHAD0W ( 258774 ) on Wednesday February 28, 2007 @12:24PM (#18182236) Homepage
    That's what the whitelist is for.
  • by KingSkippus ( 799657 ) * on Wednesday February 28, 2007 @12:31PM (#18182304) Homepage Journal

    I have customers who have asked us to do this, and we usually work to talk them out of it.

    I have no mod points, but I'm modding you up in spirit.

    <soapbox>

    I absolutely cannot stand it when employers filter content. The thing is, even if people are wasting too much time at work browsing MySpace (or the Internet in general), that is a management problem, not a technical one. If you take away their MySpace or whatever it is they're browsing, they're just going to move on and browse some other site. If you put a whitelist in place, they'll just find some other way to goof off. The problem isn't that the Internet is distracting, it's that the employee is easily distracted.

    I work at a big company as a contractor. It just recently blocked access to the big Internet e-mail services (Gmail, Yahoo Mail, etc.) because it didn't like employees wasting time with their personal e-mail at work. Of course, being a contractor, it doesn't take into account that I use my personal e-mail to communicate with my contract agency about stuff that I'd rather not have stored on company e-mail servers. It's easy to say, "Well, you shouldn't use company resources for that type of stuff," but practically speaking, my ability to communicate effectively with my contract agency is essential to me doing a good job for them. It also totally ignores the fact that I keep personal stuff like vacations and such on my personal Gmail calendar to know when I should ask for time off, when my coworker's birthday is, and so on.

    The company spends a fortune on content filtering. There's the hardware itself, the update service, the support contract, the personnel cost for the guy who maintains it, the internal support costs of handling trouble tickets related to it, the cost of Internet downtime due to it periodically failing, the cost of packaging the software end of it and deploying it to the workstations (so that you can't browse them at home on your laptop, of course!), and so on ad nauseam. Just as one example, some of our customers are casinos. So we can't just put a rule in that says, "block gambling sites," because our marketing and sales folks have to be able to access their sites. No, we have to have rules that say things like, "This group can access these sites, that group can access those sites, everyone else can't access any of the sites, ..."

    Even in the extreme case of porn sites, the answer to controlling it is to make a company policy prohibiting browsing them, and if you catch someone doing it, fire them for it. If you try to block them all, you're just setting yourself up for someone saying something like, "Well, it wasn't blocked, so I thought it was okay to go there!" I've found that if you treat people like 12-year-olds, they tend to not disappoint you. When policies like this go into place, you're also going to have the contingent of people who deliberately goof off more as a form of passive-aggressive rebellion. It's just stupid, you're only causing more problems, and there's no need.

    I know that some of you will probably reply, "But you have to filter content to avoid sexual harassment lawsuits!" No, you don't. As long as you make a company policy about it and you take the appropriate action when someone breaks that policy, you'll win any lawsuit that someone may file. The law does not require you to spend a fortune to be a babysitter, it only requires that you take reasonable action to prevent a hostile work environment. The reason we have content filtering in the first place is because managers, in general, are lazy and don't want to do it themselves. The people who would sue you for not content filtering will sue you anyway. The only important thing is whether or not you'll win. Besides, at my company, the cost of defending itself against such frivolous lawsuits is negligible compared to the cost of maintaining our content filtering services.

    Content filtering is no substitute f

  • by slim ( 1652 ) <john@hartnupBLUE.net minus berry> on Wednesday February 28, 2007 @01:00PM (#18182692) Homepage
    ... better block Slashdot while you're at it.
  • by dgatwood ( 11270 ) on Wednesday February 28, 2007 @01:35PM (#18183148) Homepage Journal

    Not illegal at all.

    Wanted: Senior widget designer. Minimum five years experience.

    Wanted: Administrative assistant. Must be responsible, hard-working individual.

    And so on. Yeah, technically you can't explicitly exclude teenagers, but you can set job requirements that effectively do so. :-)

  • by Dekortage ( 697532 ) on Wednesday February 28, 2007 @03:21PM (#18184660) Homepage

    Locks only keep honest people honest.

    If you block MySpace successfully, the people who visit MySpace during their work time will just find another way to waste time and expose the company's computers to spyware/etc. risks. It's a losing battle. Think of it as DRM for your employee's time.

  • by Anonymous Coward on Wednesday February 28, 2007 @06:36PM (#18187432)
    Easy way to stop them bypassing your DNS is to filter all outgoing DNS except from your internal DNS servers.
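
The rule suggested in the comment above, written out as a policy check and run over gateway log lines to show which hosts are querying outside resolvers directly. This is an added example, not part of the original thread; the resolver addresses, LAN range and log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed values for this sketch: the internal resolvers and the LAN range.
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.0.54")}
LAN = ipaddress.ip_network("10.0.0.0/16")

# Constructed sample lines in the style of Linux netfilter LOG output.
SAMPLE_LOG = """\
Feb 28 12:00:01 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.53 DST=198.51.100.7 PROTO=UDP SPT=40001 DPT=53
Feb 28 12:00:02 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.3.21 DST=203.0.113.9 PROTO=UDP SPT=51515 DPT=53
Feb 28 12:00:03 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.3.21 DST=203.0.113.9 PROTO=TCP SPT=51516 DPT=53
Feb 28 12:00:04 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.3.40 DST=10.0.0.53 PROTO=UDP SPT=40100 DPT=53
Feb 28 12:00:05 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.3.40 DST=198.51.100.20 PROTO=TCP SPT=40101 DPT=443
Feb 28 12:00:06 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.7.8 DST=203.0.113.9 PROTO=UDP SPT=53000 DPT=53
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def dns_verdict(src, dst, proto, dport):
    """Return 'allow' or 'drop' for one forwarded packet under the DNS egress rule."""
    if proto not in ("UDP", "TCP") or dport != 53:
        return "allow"   # not DNS; other firewall rules decide
    if dst in LAN or src in INTERNAL_RESOLVERS:
        return "allow"   # client asking an internal resolver, or a resolver recursing out
    return "drop"        # workstation talking DNS straight to the outside

def bypass_attempts(log_text):
    """Count DNS packets the rule would drop, per source host."""
    hits = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
            continue     # skip lines that lack a port (e.g. ICMP) or are malformed
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        if dns_verdict(src, dst, f["PROTO"], int(f["DPT"])) == "drop":
            hits[str(src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, count in sorted(bypass_attempts(SAMPLE_LOG).items()):
        print(f"{host}: {count} direct DNS queries to outside resolvers")
```

Both UDP and TCP port 53 are covered, since DNS falls back to TCP for large responses and a UDP-only rule leaves that path open.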

  • Ok smart guy, and what enforcement system do you propose for following up on that trust? Whack-a-mole?

    There are folks who have a genuine problem with web porn. I have, unfortunately, had a hand in marching them out the door. Warnings after warnings don't work, and it turns into a giant game of he-said she-said. Monitoring software lets you arbitrate and maintain a healthy work environment. Do I sit on logs and rein in evil-doers? No. HR needs to authorize me to glean the logs.

    Simply throwing your ass in the air and saying "ALL MONITORING IS EVIL" is naive. At best.
  • by rtb61 ( 674572 ) on Thursday March 01, 2007 @07:13AM (#18192432) Homepage
    A less aggressive method is public logs. Let every employee have un-editable access to the log files, things quiet down if they know everybody will be able to see where they went (and it saves you having to look at them).

    For troublesome sites, filter, it makes sense, just don't get carried away with it.
