Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Piracy The Internet IT

Ask Slashdot: Low-Cost Tools To Track Employees' Web Use? 384

First time accepted submitter red-nz writes "I come from New Zealand where new anti-piracy laws have come into effect that prosecute the owner of the internet connection for copyright violations. This is now a major issue for businesses, as they of course don't want to be liable for employee infringements. We have some good firewalls that are capable of doing basic filtering by 'category,' e.g. P2P sites, etc., but ideally would love to find a low-cost or even better Open Source alternative to expensive reporting tools (such as WebMarshal or Websense) that is capable of reporting on individual employees' usage with friendly reports (i.e. dont just show the URLs of the 3000 items their browser requested that day). It may be too much to ask but if the software could also show how long they spent on each site, it would be fantastic. Anyone got any winners out there they can share?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Low-Cost Tools To Track Employees' Web Use?

Comments Filter:
  • by Lumpy ( 12016 ) on Thursday September 15, 2011 @11:50AM (#37410306) Homepage

    A simple encrypted proxy or VPN over port 80 to home.

    • by imemyself ( 757318 ) on Thursday September 15, 2011 @11:52AM (#37410332)
      True - but then it would be the person at home (or who runs the proxy) who would appear to be sending the traffic. So it would not be the business's problem.
      • by jhoegl ( 638955 )
        All of this can be easily thwarted by the following

        GPO to lock down browser history options, script to pull browser history from system nightly, browser history viewer.

        You see, edge hardware is effective, but browser history will tell all.
      • by Quila ( 201335 ) on Thursday September 15, 2011 @01:35PM (#37411746)

        What would cost more, censorware acceptable to the government, or a small server hosted in the Philippines?

    • by Anrego ( 830717 ) *

      True but pointless.

      The reason someone torrents from work is to use their employers bandwidth, which is usually substantially more than they have at home.

      If you are going to ultimately be transfering the data from your home connection.. why not just do it from home...

      • Re: (Score:3, Insightful)

        by said213 ( 72685 )

        "which is usually substantially more than they have at home."

        I realize that this is not the case for everyone, but my home cable connection is at least one degree of magnitude greater than the bandwidth available at my place of employ. The reason someone torrents from work is because they can do it while hiding behind someone else's liability.

        • by Anonymous Coward on Thursday September 15, 2011 @12:10PM (#37410596)

          uh, the "reason" someone torrents from work is because they are at work.
          if they were at home, they'd torrent there.

          maybe they'll lose their job and have lots of time to download stuff at home, but i'm sure they're not thinking "this is great i have so much more bandwidth here" nor are they thinking "this is great now no one will know who i really am because i'm hiding behind a corporate network"

          they're thinking "damn i hate my job, i'm so bored, i'll download some stuff to pass the time"

          • Not in the slightest.

            "I'm bored". 3 clicks later you're downloading stuff that will take a while to finish. Still bored? Yeah, thought so.

            Two reasons to torrent from the office. First, as mentioned above, is bandwidth. Second, also mentioned above, is liability.

            I don't usually reply to AC but I was bored and this took 15 seconds.

        • The reason someone torrents from work is because they can do it while hiding behind someone else's liability.

          Because that season of True Blood is worth so much more than your job.

        • I'm pretty sure any company that finds out you've been torrenting their bandwidth will fire you. especially if they get legal threats from the MPAA. You could lose your job, which could cost you substantially more than your internet connection.

      • by Lumpy ( 12016 )

        Sorry but Cable internet at home is faster than the T3 we have here at work. most businesses dont have a T3 but instead have a T1 that most DSL can equate or beat.

        • most businesses dont have a T3 but instead have a T1 that most DSL can equate or beat.

          And, ironically, most T1's are provisioned over DSL these days. Businesses think they're getting a better SLA with a T1. I usually convince them to get DSL and Cable and setup failover between them and they're quite happy.

        • by gregrah ( 1605707 ) on Thursday September 15, 2011 @12:47PM (#37411086)
          Keep in mind that the originally poster is from New Zealand. Broadband internet in New Zealand is not like we are used to in the United States; it's all based on metered billing and has been since the start. In fact - as a student in New Zealand I used to get charged per MB (and quite a bit, actually) when using the school's computer labs.

          The result is that monthly quotas end up being just as important (if not moreso) than bandwidth to a typical user. For example, take a look at these broadband prices [] and the extremely low (by US standards) "data allowances".

          I'm pretty sure that the case where a employee has a better connection at home than at work would be quite rare in NZ.
    • which brings the point that unless your computers are very expensively locked down just about everything you could do is useless

      you might be able to to something at the gateway but then again you will still have problems. i would say that this law has mandated the purchase of some very expensive hardware. Even if you find something cheap that would work you still could be tagged for not complying with the law due to "not having the required certified hardware".

    • Encrypted traffic over port 80 is easy to detect. A policy to block it and fire anyone using it wouldn't take very long to become a policy in an environment that wants to monitor all your web traffic.

      • by 1u3hr ( 530656 )

        Encrypted traffic over port 80 is easy to detect. A policy to block it and fire anyone using it

        Yep. and you'd stop people wasting time accessing banks, email, etc.

        And fire anynoe who clicks on a https link. Zero tolerance is the only way to keep the *AAs profits safe.

    • I personally like socks over port 443, encrypted traffic on the expected encrypted port!

    • by pcardno ( 450934 )

      And it immediately goes from being a relatively minor slap on the wrists disciplinary issue for accessing dodgy websites to being a gross misconduct instant dismissal issue for deliberately going out of your way to circumvent corporate policy.

    • by mwvdlee ( 775178 )

      How about having a webserver in a non-totalitarian country, have it download whatever you want to download, the download it over the border through (S)FTP?

  • You don't even have to plug them in - just point them at each desk and make sure they have a little blinking red LED. Remind everyone in cubicleland to welcome their security-cam-wielding pointy-haired overlords.
  • Block everything except port 80 and 443.

    If anyone needs any other port, demand a written request.
  • Alternative (Score:4, Interesting)

    by ArhcAngel ( 247594 ) on Thursday September 15, 2011 @11:56AM (#37410378)
    Anyone who requires internet access gets a wireless broadband card in their name that they can expense. Now they are the owner of the connection and you are off the hook.
    IANAL especially not in New Zealand
  • by drolli ( 522659 ) on Thursday September 15, 2011 @11:57AM (#37410398) Journal

    just talk to the top ten users, if they have no explicit reason for consuming so much data. If they cant explain it, search their computer, if they have done something wrong fire them and make sure everybody in the office knows why.

    • just talk to the top ten users, if they have no explicit reason for consuming so much data. If they cant explain it, search their computer, if they have done something wrong fire them and make sure everybody in the office knows why.

      This is novel and effective. Find the total use, divide by the number of users, and then seriously question anyone who uses more than 2 or 3 times the average. Unless *everyone* is torrenting, of course.

  • by morcego ( 260031 ) on Thursday September 15, 2011 @11:57AM (#37410402)

    Business shouldn't do blacklisting. They should do whitelisting (everything is forbidden, you only allow specifics).

    That is the only way to have a somewhat working control system (and even that is not perfect).

    Block everything. Allow what needs to be allowed.

    • Re:Wrong approach (Score:4, Insightful)

      by ShakaUVM ( 157947 ) on Thursday September 15, 2011 @12:05PM (#37410516) Homepage Journal

      >>Block everything. Allow what needs to be allowed.

      And then you'll have to hire 10 more IT guys just to deal with all the legitimate requests for unblocking that will come pouring in.

      I used to work at a place like that. It eventually was just easier for them to give me the password to unblock sites myself, rather than pester them about it.

      • You'd think so, but in my experience, that hasn't been the case. The company that I work for basically uses a "block everything and open up what is needed" policy, and our IT department consists of five people. One works exclusively on our billing software. Two are desktop support, and two of us are network admins. These questions pretty much exclusively come to me, and it's not overwhelming -- not even close. Granted, it's a fairly small company -- just a couple hundred employees -- but stil
      • Re:Wrong approach (Score:4, Insightful)

        by pbhj ( 607776 ) on Thursday September 15, 2011 @03:09PM (#37412814) Homepage Journal

        >>Block everything. Allow what needs to be allowed.
        >And then you'll have to hire 10 more IT guys just to deal with all the legitimate requests

        You could have a click through that puts a persons name to the unblocking - so instead of hiring anyone you have the user self-certify that the page is work related and doesn't compromise any work usage policies. Internally publish the list of domains and who certified them.

    • Business shouldn't do blacklisting. They should do whitelisting (everything is forbidden, you only allow specifics).

      That presumes two things. 1) that the overhead of whitelisting is not prohibitive and 2) That your users have rather specific and unchanging needs. Speaking for our business, the overhead of whitelisting would be incredibly burdensome. We deal with many vendors and have to research topics all the time. There is no reasonable way to know in advance exactly which websites we will need to visit. Furthermore it requires a significant investment of time which could be better spend elsewhere.

      The best alterna

      • Then you need a better way to do the whitelisting :)

        We use a Squid proxy to filter HTTP traffic, and squidGuard to create the filtering policies. Shalla, IIRC the company that created squidGuard, has a really good list of domains and URLs that fit into various categories (i.e., porn, drugs, violence, social networking, spyware, etc.). You tell squidGuard which categories to block based upon your business needs, and squidGuard does the rest. You can even add rules that allow more liberal policies at ce
    • That's pretty much what my employer has done. Sites are categorized and when we attempt to visit a blocked site, we get a page with details of why the site isn't accessible and a link is included to make a request to change access. For some categories, we also get a link to override the block (have to login with our VPN IDs) or we get a link that basically says we acknowledge that we're visiting a site where caution needs to be used. I'm not sure what software is being used, but seems a reasonable approa
    • No, you have to assume your employees are mostly professional and use the corporate web access to support their job. Only block and restrict when employees visit sites they shouldn't. Every employee shouldn't have to request each and every site they visit just because a couple of employees are too cheap or lazy to download from their home connection.
      • I really hate this assumption that everything should be allowed for convenience. There is no reason to take the 'lets be open and free until a problem arises approach'. 95% of office workers DO NOT NEED FULL UNRESTRICTED INTERNET AT THEIR DESK. Office computers are tools and until you demonstrate a viable need for particular sites for your WORK, i see no need to allow you to see ANYTHING on the internet. That is not what the corporate IT structure is for, I dont get paid to let you play Facebook games.
    • This is another example of the Owner mentality where they thing they own everything, everyone, that their workers don't need or deserve any privacy, because they Own it all even them. The problem is that now Copyright owners have paid for friends in Governments and have them getting everyone else to collect their copyright tax just like they get individuals and companies to collect government and sales tax. I think we are going in the wrong direction. Towards micro charges for breathing and viewing and e

    • Re:Wrong approach (Score:5, Insightful)

      by andymadigan ( 792996 ) <> on Thursday September 15, 2011 @12:51PM (#37411140)
      I'm a Software Engineer. A peripheral part of my job involves dealing with Oracle. If I run in to a problem, I google the error message (or google what I am trying to do). I typically find the answer on some random blog or forum (no, the answer isn't always on ask tom). Are you going to claim those sites aren't "required" and therefore I don't need access to them? Otherwise, your whitelist is going to be pretty long...
  • You should probably worry more about people using P2P protocols than just browsing the web. A web proxy is probably not the best tool to reduce your business's risk in that situation. I would wager that there is a substantially higher risk of being "caught" using P2P software to share copyrighted content, than browsing websites that have content for download.

    Regardless, if there is a substantial financial risk to the business from copyright violations, it should be easy to justify spending money on somet
  • zScaler (Score:4, Informative)

    by CrudPuppy ( 33870 ) on Thursday September 15, 2011 @11:58AM (#37410418) Homepage

    Check out the zScaler proxy. Lots of good benefits, including what you need. I use it for all my employees and love it, especially the reporting and fine-grained control.

  • So in New Zealand if somebody steals my car and uses it to rob a bank I will be arrested for robbing a bank?
  • by White Flame ( 1074973 ) on Thursday September 15, 2011 @11:59AM (#37410430)

    If the employer also becomes a private ISP, and every employee is charged 1NZD per month for internet access at their workstation (taken straight from the paycheck, after everybody gets a 12NZD/year raise), then they own and are liable for the internet connection at their desk, not the company.

  • ntop (Score:5, Insightful)

    by bsDaemon ( 87307 ) on Thursday September 15, 2011 @11:59AM (#37410442)

    ntop ( should be able to do more or less what you want, but you might have to tweak a few things. However, it would also help you get a better handle on all your network usage in general, so I'd look into it anyway if I were in your situation.

  • by Dunbal ( 464142 ) * on Thursday September 15, 2011 @12:00PM (#37410452)
    You should be asking about low cost politicians.
  • lots of the tools and FW's are based on linux and open source

    we use one called xangati. it's an appliance that track's the amount of everyone's data use. there are alerts that trigger if you use too much data in a specified time

  • by LoudMusic ( 199347 ) on Thursday September 15, 2011 @12:04PM (#37410508)

    I honestly am unsure of pricing but I believe it's fairly inexpensive. We use Kerio Control and are migrating to the 3110 appliance. []

    It does all kind of neat reporting.

    We also use Cymphonix traffic shaping devices that have insane detail on reporting but I believe they're very expensive. []

  • by Ceriel Nosforit ( 682174 ) on Thursday September 15, 2011 @12:10PM (#37410592)

    Remember to track how much this tracking is costing you so that you have numbers to point to when you complain about it. You also need to sanitize the URLs for personal information since a lot of personal information gets passed through them. You could get sued, possibly face criminal charges, for gathering too much data.

  • DansGuardian [] with a proxy like squid should give you a basic websense-alike system - but even with all ports closed at the firewall except 80 and 443, bittorrent will likely still get through.

    If you're truly worried about litigation, it seems like you could find a little money to deal with the issue. Take a look at Palo Alto Networks firewalls, especially the up and coming low-end model the PA-200.

    • Agreed on DansGuardian. You'd want all ports closed for all users in the organization, including 80 and 443, then you'd want to create an exception for the Dansguardian box.

      Also, even if it's on older hardware, consider setting up a second box to serve as backup. Look into proxy autoconfiguration files. You can return two proxy addresses in an autoconfig file, and if your main proxy is down, your clients will silently fail over to the other box. The config files also allow your internal traffic to skip the

  • I've set up several squid proxies for companies that claimed to want to keep track of employee's web surfing. The log files are pretty extensive and there are several 3rd party utilities out there that can provide reports that even managers can read. Most of the time. Going through the reports is a lot of work and usually the Achilles heel of this sort of project in my experience.

    A couple of things...
    1. Set your border router to accept connections from the Squid box and your Exchange (or email) servers only.
    2. Check for MAC addresses mapping to the same IP address. (Most employees don't understand how to spoof a MAC address but lots of them can change their IP address.)
    3. Fire the first person to be caught and make sure everyone in the company knows about it.

    If you set a Policy that mandates firing and don't do it then word will get out. If you don't bother to check the reports then word will get out. None of the companies that paid me exorbitant sums of money to set this sort of thing up ever fired anyone and all of them stopped bothering to check the reports after a few weeks. I think mostly because the managers were the ones doing most of the abuse and, after all, we can't fire *them*!.

  • The real solution (Score:4, Informative)

    by bmo ( 77928 ) on Thursday September 15, 2011 @12:19PM (#37410706)

    Is to get the law repealed.

    If business owners are on the hook for the behavior of their employees, they should get together and get this law repealed. If enough do, it sounds like a slam-dunk to me. The reason why it hasn't already been done is that probably too many business owners don't know that they're on the hook.


    • by King_TJ ( 85913 )

      Yep! I'd mod this comment up if I could. Not that I don't appreciate reading the comments to learn more about various proxy solutions out there -- but this is clearly a situation where the law itself is what's really unacceptable.

      It's simply not a good law, any time it's designed to punish someone other than the perpetrator as the responsible party. I don't live in New Zealand, but if I did? I'd definitely question whether I wanted to even provide ANY internet access to my employees, if I ran a business

      • It's simply not a good law, any time it's designed to punish someone other than the perpetrator as the responsible party.

        Agreed, so long as we go the other way as well: no more letting people off the hook for crimes they commit acting under the aegis of a corporation. I don't know how NZ law is about this, but US law is lousy with it.

  • by 1u3hr ( 530656 ) on Thursday September 15, 2011 @12:21PM (#37410734)
    "show how long they spent on each site"?

    How on earth could any software determine that? You may open a tab for a dozen sites . You can load a page of text, once, and spend an hour reading it with no further fetches. You could have a stock ticker/ weather stats/million other things running in a small window, gettign data every few seconds.

    Basically, unless you look over their shoulder, you can't know how much of their attention was on a site for how long.

    Classic mission creep: start with monitoring illegal downloads, end up checking on how the staff spend each minute at work, just because you can. Think how intrusive this is and how much it would be resented.

    • by mzs ( 595629 )

      And what in fact does that do to to help the submitter's employer in the face of the new law? I think it is more indicative of the submitter's approach to users more than anything.

  • by whoever57 ( 658626 ) on Thursday September 15, 2011 @12:22PM (#37410742) Journal
    Set up your firewall to redirect all outgoing port 80, 8080, etc packets to the proxy (running squid), then use calamaris to analyze the logs (or roll your own analysis). Squid can also block urls based or regular expression matching.
    • Set up your firewall to redirect all outgoing port 80, 8080, etc packets to the proxy (running squid), then use calamaris to analyze the logs (or roll your own analysis). Squid can also block urls based or regular expression matching.

      I would also use the authentication features that Squid has which can be integrated with Active Directory. This way a username can be more easily associated with an employees web activity. Finally, you might also use SquidGuard or DansGuardian for more granular (i.e. regex) filtration.

  • Sounds like your current solution - "category" based filtering at the border combined with a strong company policy - is already more than adequate to cover most potential liability to the company.

    The rest of your question sounds like you're using this legislation as an excuse to implement some downright draconian and invasive "productivity enforcement" measures that have nothing to do with the stated problem.

  • Just pirate one of the commercial spyware tools.

  • Hire and continue to employ people you trust. If you don't trust them to be responsible with their internet usage, why are you paying them? The only thing web monitoring will do is let them know that you don't trust them, and give them permission to act in an untrustworthy manner.

  • Both of these have pretty colors that management will like.

  • Slippery slope (Score:4, Insightful)

    by Sqr(twg) ( 2126054 ) on Thursday September 15, 2011 @12:41PM (#37411000)

    "I'm required to stop copyright violations, so how can I best spy on my employees' surfing habits and see how much time they spend on each website?"

    First: You are not required to monitor what you employees download at all. Under NZ law it is not illegal to watch copyrighted material via direct download (youtube etc.) You only need to worry about p2p applications. These are easy to spot as they *upload* to lots of different ip addresses at the same time. If someone has 500 open ports and a Gigabit/second outgoing bandwidth, go talk to him!

    Second: People tend to leave their browsers on all day with 10 different tabs open, so even if you could view the time spent on different sites, that info would be meaningless.

    Third: Spying on your employees surfing habits can piss them off, and is likely not worth it, for the same reasons why people don't work better if you mount "security" cameras behind their backs.

  • How does this work in Hotels, Motels, B&Bs? The ones that offer internet access. Or are we going to find that visiting NZ means going offline for the trip?
    I've been to NZ, so I know that internet access at such locations is patchy at best, but it could get a lot worse.

  • be google

  • by Lazy Jones ( 8403 ) on Thursday September 15, 2011 @01:03PM (#37411312) Homepage Journal
    There's no 100% safe method to provide an internet connection for employees and prevent abuse. So if these ridiculous laws persist, you will need to transfer ownership of each employee's internet connection to said employee. Ask your lawyers how to accomplish that ...
  • Morals (Score:4, Insightful)

    by WorldPiece ( 2462300 ) on Thursday September 15, 2011 @01:04PM (#37411328)
    Seems to me that asking this question here is like going on a vegetarian's blog and asking whats the best cheap knife to butcher a cow with...
  • by SlippyToad ( 240532 ) on Thursday September 15, 2011 @01:07PM (#37411374)

    "Next time you purchase an election, make sure you don't elect morons who slap stupid laws up without thinking about their undesired consequences."


    "This is what you wanted, so this is what you're getting. You wanted business-friendly government, and now you have it. PAY UP."

    I wouldn't offer them a cheap solution at all. In fact, I'd offer them the most expensive solution you can find.

  • Hire somebody to infiltrate the lobbyists for those laws offices. Have them download your company's stuff which you do not license to them and report it. Do the same for any politician that voted this law into office.

  • by Sheik Yerbouti ( 96423 ) on Thursday September 15, 2011 @01:52PM (#37411990) Homepage

    Untangle is probably what you want

    I know I know where do i get off actually answering the questions asked.

  • by FLaMeBoY ( 177281 ) on Thursday September 15, 2011 @05:44PM (#37414638)

    The 3-strikes law covers P2P traffic only. Adding web traffic reporting isn't going to do anything to help you.

    Now if you are being asked to do web traffic reporting then sit down with management and work out what they want, why and who is going to be responsible for reviewing traffic (hint - this should be HR not IT). Doing this should give you enough information to justify some expenditure, even if it is just a new server/VM for Squid.

  • by holophrastic ( 221104 ) on Thursday September 15, 2011 @06:38PM (#37415040) []
    Basically, it does nothing but track the titlebars of every window that's open, and which one is in focus at any given time. And since every browser lists the URL in the title bar, it works like magic.

    And it writes everything to a simple CSV file, so you can analyze it any way you choose. But it also has some nifty reporting screens, if you really care.

    If you're only interested in web access, there's something else that you can do. Look into ".pac" files on windows. Basically, think a javascript file that gets run every time any URL is accessed by anything in all of windows. As in "return null" will make everything die, and "return" will make every URL return the slashdot homepage. You can easily write a five-line jscript file to log everything to a file through the FSO.

  • by lewko ( 195646 ) on Thursday September 15, 2011 @10:08PM (#37416258) Homepage

    Run everyone through a proxy. At the end of every week, print out the name of every user and every site they have visited. Display the printout in the lunch room.

    1) Accountability. Nobody's going to visit if they know everyone in the office will know about it.
    2) Information Sharing: People will learn of other (hopefully work related) sites and tools, and will know with whom to discuss them.
    3) Reduced bandwidth. Nobody wants to be accused of wasting time at work, so people will naturally reduce their casual web browsing.

    Total cost of implementation: A few reams of paper and a few minutes a week.

    We tried this in an office of 50 people who were fed up with a content filtering firewall that thwarted legitimate work. First week's results were a little off-colour (we kinda forgot to remind people we were doing it) but subsequently almost every bit of web browsing was work-related, relevant and minimal. Facebook use at work all but vanished. However, staff didn't feel they were being treated like children by a machine controlling where they surfed.

"Hey Ivan, check your six." -- Sidewinder missile jacket patch, showing a Sidewinder driving up the tail of a Russian Su-27