Ask Slashdot: Low-Cost Tools To Track Employees' Web Use? 384
First time accepted submitter red-nz writes "I come from New Zealand where new anti-piracy laws have come into effect that prosecute the owner of the internet connection for copyright violations. This is now a major issue for businesses, as they of course don't want to be liable for employee infringements. We have some good firewalls that are capable of doing basic filtering by 'category,' e.g. P2P sites, etc., but ideally would love to find a low-cost or even better Open Source alternative to expensive reporting tools (such as WebMarshal or Websense) that is capable of reporting on individual employees' usage with friendly reports (i.e. don't just show the URLs of the 3000 items their browser requested that day). It may be too much to ask but if the software could also show how long they spent on each site, it would be fantastic. Anyone got any winners out there they can share?"
and it's thwarted with...... (Score:5, Insightful)
A simple encrypted proxy or VPN over port 80 to home.
Re:and it's thwarted with...... (Score:5, Informative)
Re: (Score:2)
GPO to lock down browser history options, script to pull browser history from system nightly, browser history viewer.
You see, edge hardware is effective, but browser history will tell all.
Re: (Score:3)
Re: (Score:3)
Actually, using a whitelist proxy and firewall rules (deny all, allow email server, proxy server) you can prevent every possible way of infringing. Simply deny all, allow work related domains through proxy. Let them do the rest of their surfing on their smartphones, give them a slight raise and make them pay for their own phones (so if they steal with their phones, it's their own account). Strip al
Re:and it's thwarted with...... (Score:4, Insightful)
Actually, using a whitelist proxy and firewall rules (deny all, allow email server, proxy server) you can prevent every possible way of infringing.
No it isn't.
Strip all email attachments except pdf and office docs.
See, you've already lost. The pirate sends an email to his pirate friend, who sends back pirated which is either in text format natively or base64 encoded and pasted into a word document. And the size limits don't save you, because there is plenty of pirated material smaller than the size limit and equally as much legitimate material over it.
I mean sure, you can lock down a computer enough that users can't pirate anything. Just disconnect it from the network -- or the electrical outlet. The problem is that you can't do it simultaneously with users being able to do their jobs.
Or encrypted to a nearby country (Score:5, Interesting)
What would cost more, censorware acceptable to the government, or a small server hosted in the Philippines?
Re: (Score:2)
Re: (Score:3)
If you're on a VPN then the data still ends up being stored on your computer, so if someone is downloading a torrent onto a business machine, the business could still end up in trouble. Your home connection is just another hop on the data's journey, the same as any other switch that it passes through on its way to you. Both the home connection and business connection would be involved in the download, though since the traffic between your house and work is encrypted, then a naive observer might assume that
Re:and it's thwarted with...... (Score:4, Insightful)
Any ISP logs, etc. regarding the content accessed would show it to be accessed from the home's internet connection -- not the business's.
If that's the case then it sounds like the solution to the problem: Have the business pay for some rack space in a country with less-draconian laws, then put the entire business behind a VPN that appears from the internet to come from the IP in the country with sensible laws.
Re: (Score:2)
True but pointless.
The reason someone torrents from work is to use their employer's bandwidth, which is usually substantially more than they have at home.
If you are going to ultimately be transferring the data from your home connection.. why not just do it from home...
Re: (Score:3, Insightful)
"which is usually substantially more than they have at home."
I realize that this is not the case for everyone, but my home cable connection is at least one degree of magnitude greater than the bandwidth available at my place of employ. The reason someone torrents from work is because they can do it while hiding behind someone else's liability.
Re:and it's thwarted with...... (Score:4, Insightful)
uh, the "reason" someone torrents from work is because they are at work.
if they were at home, they'd torrent there.
maybe they'll lose their job and have lots of time to download stuff at home, but i'm sure they're not thinking "this is great i have so much more bandwidth here" nor are they thinking "this is great now no one will know who i really am because i'm hiding behind a corporate network"
they're thinking "damn i hate my job, i'm so bored, i'll download some stuff to pass the time"
Re: (Score:2)
Not in the slightest.
"I'm bored". 3 clicks later you're downloading stuff that will take a while to finish. Still bored? Yeah, thought so.
Two reasons to torrent from the office. First, as mentioned above, is bandwidth. Second, also mentioned above, is liability.
I don't usually reply to AC but I was bored and this took 15 seconds.
Re: (Score:3)
The reason someone torrents from work is because they can do it while hiding behind someone else's liability.
Because that season of True Blood is worth so much more than your job.
Re: (Score:3)
I'm pretty sure any company that finds out you've been torrenting their bandwidth will fire you, especially if they get legal threats from the MPAA. You could lose your job, which could cost you substantially more than your internet connection.
Re: (Score:2)
Sorry but Cable internet at home is faster than the T3 we have here at work. Most businesses don't have a T3 but instead have a T1 that most DSL can equate or beat.
Re: (Score:2)
most businesses don't have a T3 but instead have a T1 that most DSL can equate or beat.
And, ironically, most T1's are provisioned over DSL these days. Businesses think they're getting a better SLA with a T1. I usually convince them to get DSL and Cable and set up failover between them and they're quite happy.
Re:and it's thwarted with...... (Score:4, Interesting)
The result is that monthly quotas end up being just as important (if not more so) than bandwidth to a typical user. For example, take a look at these broadband prices [telecom.co.nz] and the extremely low (by US standards) "data allowances".
I'm pretty sure that the case where an employee has a better connection at home than at work would be quite rare in NZ.
Re: (Score:2)
Re: (Score:2)
And for every business like your father-in-law's, there's at least 2 or 3 cheating and getting the residential pricing.
Re: (Score:3)
which brings the point that unless your computers are very expensively locked down just about everything you could do is useless
you might be able to do something at the gateway but then again you will still have problems. i would say that this law has mandated the purchase of some very expensive hardware. Even if you find something cheap that would work you still could be tagged for not complying with the law due to "not having the required certified hardware".
Re: (Score:2)
Encrypted traffic over port 80 is easy to detect. A policy to block it and fire anyone using it wouldn't take very long to become a policy in an environment that wants to monitor all your web traffic.
Re: (Score:2)
Encrypted traffic over port 80 is easy to detect. A policy to block it and fire anyone using it
Yep. and you'd stop people wasting time accessing banks, email, etc.
And fire anyone who clicks on a https link. Zero tolerance is the only way to keep the *AAs profits safe.
Re: (Score:2)
I personally like socks over port 443, encrypted traffic on the expected encrypted port!
Re: (Score:2)
And it immediately goes from being a relatively minor slap on the wrists disciplinary issue for accessing dodgy websites to being a gross misconduct instant dismissal issue for deliberately going out of your way to circumvent corporate policy.
Re: (Score:2)
How about having a webserver in a non-totalitarian country, have it download whatever you want to download, then download it over the border through (S)FTP?
Security cameras (Score:2)
Re: (Score:2)
== Too expensive to monitor and it is kinda hard to tell what website someone is on via a camera that is looking over their shoulder. ==
Especially when they aren't plugged in. Reading is hard.
Also: http://www.amazon.com/SE-Dummy-Security-Camera-Flashing/dp/B000XBMP5E [amazon.com]
Re: (Score:2)
I think you missed the "you don't even have to plug them in" part.
Combine that with simple logging thru a proxy server and you're done, because once people think a camera is keeping an eye on them all the time, they tend to not surf pr0n sites from work as much, so you have far fewer log files to go through in the end if there IS a problem.
Re: (Score:2)
Security Theater is not effective.
Example, I used to work in shipping at Dell, we had to walk through metal detectors to leave work every day. We were also required to wear steel toe shoes, therefore the metal detectors always went off. People were stealing shit right and left because they knew that security was ineffective.
Re: (Score:3)
Years ago I worked for an employment center that had a public-use phone for job hunting and the like. Some people would abuse it to phone the girlfriends, make drug deals and so on. The price of a new phone system that could be monitored was looked at, and while not steep, there were some privacy concerns. Finally, someone had the bright idea and put a sign over the phone "All Phone Calls Are Monitored And Recorded", and almost overnight the problem all but disappeared.
It's the Big Brother theory of su
Re: (Score:2)
Nobody said to watch them.
"Fear will keep the local systems in line..." - Tarkin
Re: (Score:3)
Firewall (Score:2)
If anyone needs any other port, demand a written request.
Re: (Score:2)
I agree that would block most possibilities for infringement...
would just note that you do still have rapidshare and friends
Re: (Score:2)
Wouldn't stop them from torrenting, though.
Alternative (Score:4, Interesting)
IANAL especially not in New Zealand
accumulate the data usage (Score:3)
just talk to the top ten users, if they have no explicit reason for consuming so much data. If they can't explain it, search their computer, if they have done something wrong fire them and make sure everybody in the office knows why.
Re: (Score:2)
just talk to the top ten users, if they have no explicit reason for consuming so much data. If they can't explain it, search their computer, if they have done something wrong fire them and make sure everybody in the office knows why.
This is novel and effective. Find the total use, divide by the number of users, and then seriously question anyone who uses more than 2 or 3 times the average. Unless *everyone* is torrenting, of course.
Re: (Score:3)
That exactly is the reason why you should never give hacking ideas to idiots. Would you really raise the bar from doing something for which you just can be fired to something which implies at least 2-3 crimes (circumventing security measures, sabotaging, wrongly planting evidence suggesting that others are involved in criminal acts) and at least 3 possibilities for civil lawsuits (for trouble finding, possibly for compensating your co-workers, a contractual punishment, and abuse of your working time)? And t
Wrong approach (Score:3)
Business shouldn't do blacklisting. They should do whitelisting (everything is forbidden, you only allow specifics).
That is the only way to have a somewhat working control system (and even that is not perfect).
Block everything. Allow what needs to be allowed.
Re:Wrong approach (Score:4, Insightful)
>>Block everything. Allow what needs to be allowed.
And then you'll have to hire 10 more IT guys just to deal with all the legitimate requests for unblocking that will come pouring in.
I used to work at a place like that. It eventually was just easier for them to give me the password to unblock sites myself, rather than pester them about it.
Re: (Score:3)
Re:Wrong approach (Score:4, Insightful)
>>Block everything. Allow what needs to be allowed.
>And then you'll have to hire 10 more IT guys just to deal with all the legitimate requests
You could have a click through that puts a person's name to the unblocking - so instead of hiring anyone you have the user self-certify that the page is work related and doesn't compromise any work usage policies. Internally publish the list of domains and who certified them.
Whitelisting has too much overhead (Score:3)
Business shouldn't do blacklisting. They should do whitelisting (everything is forbidden, you only allow specifics).
That presumes two things. 1) that the overhead of whitelisting is not prohibitive and 2) That your users have rather specific and unchanging needs. Speaking for our business, the overhead of whitelisting would be incredibly burdensome. We deal with many vendors and have to research topics all the time. There is no reasonable way to know in advance exactly which websites we will need to visit. Furthermore it requires a significant investment of time which could be better spent elsewhere.
The best alterna
Re: (Score:3)
We use a Squid proxy to filter HTTP traffic, and squidGuard to create the filtering policies. Shalla, IIRC the company that created squidGuard, has a really good list of domains and URLs that fit into various categories (i.e., porn, drugs, violence, social networking, spyware, etc.). You tell squidGuard which categories to block based upon your business needs, and squidGuard does the rest. You can even add rules that allow more liberal policies at ce
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
This is another example of the Owner mentality where they think they own everything, everyone, that their workers don't need or deserve any privacy, because they Own it all even them. The problem is that now Copyright owners have paid for friends in Governments and have them getting everyone else to collect their copyright tax just like they get individuals and companies to collect government and sales tax. I think we are going in the wrong direction. Towards micro charges for breathing and viewing and e
Re:Wrong approach (Score:5, Insightful)
Rethink (Score:2)
Regardless, if there is a substantial financial risk to the business from copyright violations, it should be easy to justify spending money on somet
zScaler (Score:4, Informative)
Check out the zScaler proxy. Lots of good benefits, including what you need. I use it for all my employees and love it, especially the reporting and fine-grained control.
Car Analogy (Score:2)
Re: (Score:2)
Only if you are the driver.
Or a Maori, or an ab.
Change the employee agreement (Score:3, Interesting)
If the employer also becomes a private ISP, and every employee is charged 1NZD per month for internet access at their workstation (taken straight from the paycheck, after everybody gets a 12NZD/year raise), then they own and are liable for the internet connection at their desk, not the company.
Re:Change the employee agreement (Score:5, Insightful)
I am glad that you are a practicing lawyer in New Zealand and have educated us on this wonderful workaround. Could you please give us the contact information for your legal practice just in case someone in law enforcement questions the validity of your fine resolution to this problem? Because clearly your method trumps the employer-employee agency laws.
ntop (Score:5, Insightful)
ntop (http://www.ntop.org) should be able to do more or less what you want, but you might have to tweak a few things. However, it would also help you get a better handle on all your network usage in general, so I'd look into it anyway if I were in your situation.
Wrong business plan (Score:4, Insightful)
xangati (Score:2)
lots of the tools and FW's are based on linux and open source
we use one called xangati. it's an appliance that tracks the amount of everyone's data use. there are alerts that trigger if you use too much data in a specified time
Kerio Control (Score:3)
I honestly am unsure of pricing but I believe it's fairly inexpensive. We use Kerio Control and are migrating to the 3110 appliance.
http://www.kerio.com/control [kerio.com]
It does all kinds of neat reporting.
We also use Cymphonix traffic shaping devices that have insane detail on reporting but I believe they're very expensive.
http://cymphonix.com/ [cymphonix.com]
More than one kind of tracking (Score:3)
Remember to track how much this tracking is costing you so that you have numbers to point to when you complain about it. You also need to sanitize the URLs for personal information since a lot of personal information gets passed through them. You could get sued, possibly face criminal charges, for gathering too much data.
DansGuardian (Score:2)
DansGuardian [dansguardian.org] with a proxy like squid should give you a basic websense-alike system - but even with all ports closed at the firewall except 80 and 443, bittorrent will likely still get through.
If you're truly worried about litigation, it seems like you could find a little money to deal with the issue. Take a look at Palo Alto Networks firewalls, especially the up and coming low-end model the PA-200.
Re: (Score:2)
Agreed on DansGuardian. You'd want all ports closed for all users in the organization, including 80 and 443, then you'd want to create an exception for the Dansguardian box.
Also, even if it's on older hardware, consider setting up a second box to serve as backup. Look into proxy autoconfiguration files. You can return two proxy addresses in an autoconfig file, and if your main proxy is down, your clients will silently fail over to the other box. The config files also allow your internal traffic to skip the
Squid is your friend. (Score:3)
I've set up several squid proxies for companies that claimed to want to keep track of employees' web surfing. The log files are pretty extensive and there are several 3rd party utilities out there that can provide reports that even managers can read. Most of the time. Going through the reports is a lot of work and usually the Achilles heel of this sort of project in my experience.
A couple of things...
1. Set your border router to accept connections from the Squid box and your Exchange (or email) servers only.
2. Check for MAC addresses mapping to the same IP address. (Most employees don't understand how to spoof a MAC address but lots of them can change their IP address.)
3. Fire the first person to be caught and make sure everyone in the company knows about it.
If you set a Policy that mandates firing and don't do it then word will get out. If you don't bother to check the reports then word will get out. None of the companies that paid me exorbitant sums of money to set this sort of thing up ever fired anyone and all of them stopped bothering to check the reports after a few weeks. I think mostly because the managers were the ones doing most of the abuse and, after all, we can't fire *them*!.
The real solution (Score:4, Informative)
Is to get the law repealed.
If business owners are on the hook for the behavior of their employees, they should get together and get this law repealed. If enough do, it sounds like a slam-dunk to me. The reason why it hasn't already been done is that probably too many business owners don't know that they're on the hook.
--
BMO
Re: (Score:2)
Yep! I'd mod this comment up if I could. Not that I don't appreciate reading the comments to learn more about various proxy solutions out there -- but this is clearly a situation where the law itself is what's really unacceptable.
It's simply not a good law, any time it's designed to punish someone other than the perpetrator as the responsible party. I don't live in New Zealand, but if I did? I'd definitely question whether I wanted to even provide ANY internet access to my employees, if I ran a business
Re: (Score:3)
It's simply not a good law, any time it's designed to punish someone other than the perpetrator as the responsible party.
Agreed, so long as we go the other way as well: no more letting people off the hook for crimes they commit acting under the aegis of a corporation. I don't know how NZ law is about this, but US law is lousy with it.
how long they spent on each site... (Score:3)
How on earth could any software determine that? You may open a tab for a dozen sites. You can load a page of text, once, and spend an hour reading it with no further fetches. You could have a stock ticker/ weather stats/million other things running in a small window, getting data every few seconds.
Basically, unless you look over their shoulder, you can't know how much of their attention was on a site for how long.
Classic mission creep: start with monitoring illegal downloads, end up checking on how the staff spend each minute at work, just because you can. Think how intrusive this is and how much it would be resented.
Re: (Score:2)
And what in fact does that do to help the submitter's employer in the face of the new law? I think it is more indicative of the submitter's approach to users more than anything.
Squid as transparent proxy plus calamaris (Score:3)
Re: (Score:2)
Set up your firewall to redirect all outgoing port 80, 8080, etc packets to the proxy (running squid), then use calamaris to analyze the logs (or roll your own analysis). Squid can also block urls based on regular expression matching.
I would also use the authentication features that Squid has which can be integrated with Active Directory. This way a username can be more easily associated with an employee's web activity. Finally, you might also use SquidGuard or DansGuardian for more granular (i.e. regex) filtration.
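A sketch of the "roll your own analysis" route over an authenticated Squid log, which also applies the "2 or 3 times the average" check suggested earlier in the thread. This is an added example, not code from any commenter or from the Squid project; it assumes Squid's native access.log format with the username in the eighth field, the sample lines are constructed, and it keeps only the host of each URL so paths and query strings never reach the report.

```python
"""Per-user, per-site usage report from Squid native-format access.log lines."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data (not real traffic). Native Squid log fields:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1315900000.101 120 192.0.2.10 TCP_MISS/200 48000 GET http://vendor.example/docs?id=7&email=alice%40corp.example alice DIRECT/198.51.100.5 text/html
1315900010.552 900 192.0.2.10 TCP_MISS/200 12000 CONNECT mail.example:443 alice DIRECT/198.51.100.6 -
1315900020.010 80 192.0.2.11 TCP_MISS/200 30000 GET http://vendor.example/pricing bob DIRECT/198.51.100.5 text/html
1315900030.300 60 192.0.2.11 TCP_HIT/200 20000 GET http://news.example/ bob NONE/- text/html
1315900040.700 700 192.0.2.12 TCP_MISS/200 40000 CONNECT bank.example:443 carol DIRECT/198.51.100.7 -
1315900050.000 9000 192.0.2.13 TCP_MISS/200 4000000 GET http://files.example/big.iso dave DIRECT/198.51.100.8 application/octet-stream
1315900060.000 4000 192.0.2.13 TCP_MISS/200 1000000 GET http://files.example/big2.iso dave DIRECT/198.51.100.8 application/octet-stream
1315900070.000 15 192.0.2.44 TCP_MISS/200 1000 GET http://intranet.example/ - DIRECT/198.51.100.9 text/html
this line is truncated and must be skipped
"""


def site_of(method, url):
    """Reduce a logged URL to its host; path and query string are discarded."""
    if method == "CONNECT":              # HTTPS tunnels are logged as host:port
        return url.rsplit(":", 1)[0].lower()
    try:
        return (urlsplit(url).hostname or "unknown").lower()
    except ValueError:                   # malformed URL in the log
        return "unknown"


def parse(lines):
    """Yield (user, site, bytes) for every well-formed log line."""
    for line in lines:
        fields = line.split()
        if len(fields) < 10:
            continue
        try:
            size = int(fields[4])
        except ValueError:
            continue
        # Fall back to the client address when the request was unauthenticated.
        user = fields[7] if fields[7] != "-" else fields[2]
        yield user, site_of(fields[5], fields[6]), size


def usage_by_user(lines):
    """Return {user: {site: [requests, bytes]}}."""
    usage = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for user, site, size in parse(lines):
        usage[user][site][0] += 1
        usage[user][site][1] += size
    return usage


def totals(usage):
    """Total bytes per user."""
    return {u: sum(b for _, b in sites.values()) for u, sites in usage.items()}


def heavy_users(usage, factor=2.0):
    """Users whose total exceeds `factor` times the mean across all users."""
    per_user = totals(usage)
    if not per_user:
        return []
    mean = sum(per_user.values()) / len(per_user)
    return sorted(u for u, t in per_user.items() if t > factor * mean)


def render_report(usage, factor=2.0):
    """One block per user, sites sorted by bytes, heavy users marked."""
    flagged = set(heavy_users(usage, factor))
    per_user = totals(usage)
    out = []
    for user in sorted(per_user, key=per_user.get, reverse=True):
        mark = "  <-- above %.0fx mean" % factor if user in flagged else ""
        out.append("%s: %d bytes%s" % (user, per_user[user], mark))
        for site, (reqs, size) in sorted(usage[user].items(),
                                         key=lambda kv: kv[1][1], reverse=True):
            out.append("    %-20s %4d requests %10d bytes" % (site, reqs, size))
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(usage_by_user(SAMPLE_LOG.splitlines())))
```

With a small group, one very heavy user inflates the mean, so the factor needs tuning against real totals before anyone is questioned about the result.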
What is lacking in your current solution? (Score:2)
Sounds like your current solution - "category" based filtering at the border combined with a strong company policy - is already more than adequate to cover most potential liability to the company.
The rest of your question sounds like you're using this legislation as an excuse to implement some downright draconian and invasive "productivity enforcement" measures that have nothing to do with the stated problem.
Irony? (Score:2)
Just pirate one of the commercial spyware tools.
Trust (Score:2)
Hire and continue to employ people you trust. If you don't trust them to be responsible with their internet usage, why are you paying them? The only thing web monitoring will do is let them know that you don't trust them, and give them permission to act in an untrustworthy manner.
Squid Cache with Webalizer and/or Ntop (Score:2)
Both of these have pretty colors that management will like.
Slippery slope (Score:4, Insightful)
"I'm required to stop copyright violations, so how can I best spy on my employees' surfing habits and see how much time they spend on each website?"
First: You are not required to monitor what your employees download at all. Under NZ law it is not illegal to watch copyrighted material via direct download (youtube etc.) You only need to worry about p2p applications. These are easy to spot as they *upload* to lots of different ip addresses at the same time. If someone has 500 open ports and a Gigabit/second outgoing bandwidth, go talk to him!
Second: People tend to leave their browsers on all day with 10 different tabs open, so even if you could view the time spent on different sites, that info would be meaningless.
Third: Spying on your employees' surfing habits can piss them off, and is likely not worth it, for the same reasons why people don't work better if you mount "security" cameras behind their backs.
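The upload fan-out signal described in the comment above, as an added example that is not part of the original post: it counts how many distinct external addresses each internal host uploads to within a time window. The CSV flow-record layout, the 10.0.0.0/8 internal range and all thresholds are assumptions chosen for illustration, and the sample flows are constructed.

```python
"""Flag internal hosts that upload to many distinct external peers at once."""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed office address range
WINDOW = 300              # seconds per bucket (assumed)
MIN_PEER_BYTES = 10_000   # ignore tiny uploads such as ordinary web requests
MIN_PEERS = 20            # distinct external peers per window to flag
MIN_UPLOAD = 5_000_000    # total bytes uploaded per window to flag


def build_sample():
    """Constructed flow records: start,src,dst,dport,bytes_out."""
    rows = ["start,src,dst,dport,bytes_out"]
    # Host .23: sustained uploads to 40 different peers on high ports.
    for i in range(40):
        rows.append("%d,10.0.0.23,203.0.113.%d,%d,250000" % (1000 + i, i + 1, 6881 + i))
    # Host .7: one large upload to a single server (e.g. an off-site backup).
    rows.append("1010,10.0.0.7,198.51.100.9,443,80000000")
    # Host .8: ordinary browsing, many destinations but tiny uploads.
    for i in range(30):
        rows.append("%d,10.0.0.8,198.51.100.%d,443,2000" % (1020 + i, i + 20))
    # Internal-to-internal traffic is not of interest here.
    rows.append("1030,10.0.0.9,10.0.0.5,445,90000000")
    return "\n".join(rows)


def fanout(flow_csv):
    """Return ({(host, bucket): set(peers)}, {(host, bucket): bytes_out})."""
    peers = defaultdict(set)
    sent = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src not in INTERNAL or dst in INTERNAL:
            continue                      # only internal -> external uploads
        nbytes = int(row["bytes_out"])
        if nbytes < MIN_PEER_BYTES:
            continue
        key = (row["src"], int(row["start"]) // WINDOW)
        peers[key].add(row["dst"])
        sent[key] += nbytes
    return peers, sent


def suspects(flow_csv):
    """Hosts whose upload fan-out and volume both exceed the thresholds."""
    peers, sent = fanout(flow_csv)
    hits = []
    for (host, bucket), dsts in peers.items():
        if len(dsts) >= MIN_PEERS and sent[(host, bucket)] >= MIN_UPLOAD:
            hits.append({
                "host": host,
                "window_start": bucket * WINDOW,
                "peers": len(dsts),
                "bytes_out": sent[(host, bucket)],
            })
    return sorted(hits, key=lambda h: (h["window_start"], h["host"]))


if __name__ == "__main__":
    for hit in suspects(build_sample()):
        print(hit)
```

Requiring both many peers and a large upload volume keeps a single big backup job and ordinary browsing out of the results; both show up in the sample and neither is flagged.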
Hotels? (Score:2)
How does this work in Hotels, Motels, B&Bs? The ones that offer internet access. Or are we going to find that visiting NZ means going offline for the trip?
I've been to NZ, so I know that internet access at such locations is patchy at best, but it could get a lot worse.
simple (Score:2)
be google
With such laws, why bother trying? (Score:3)
Morals (Score:4, Insightful)
I would tell the business owner (Score:3)
"Next time you purchase an election, make sure you don't elect morons who slap stupid laws up without thinking about their undesired consequences."
--OR--
"This is what you wanted, so this is what you're getting. You wanted business-friendly government, and now you have it. PAY UP."
I wouldn't offer them a cheap solution at all. In fact, I'd offer them the most expensive solution you can find.
Get somebody in the lobbyist's office (Score:3)
Hire somebody to infiltrate the lobbyists for those laws offices. Have them download your company's stuff which you do not license to them and report it. Do the same for any politician that voted this law into office.
Untangle (Score:3)
Untangle is probably what you want
www.untangle.com
I know I know where do i get off actually answering the questions asked.
Understand the problem before trying to fix it (Score:3, Interesting)
The 3-strikes law covers P2P traffic only. Adding web traffic reporting isn't going to do anything to help you.
Now if you are being asked to do web traffic reporting then sit down with management and work out what they want, why and who is going to be responsible for reviewing traffic (hint - this should be HR not IT). Doing this should give you enough information to justify some expenditure, even if it is just a new server/VM for Squid.
TimeTracker, used it for years (Score:4, Informative)
http://sourceforge.net/projects/ttracker/ [sourceforge.net]
Basically, it does nothing but track the titlebars of every window that's open, and which one is in focus at any given time. And since every browser lists the URL in the title bar, it works like magic.
And it writes everything to a simple CSV file, so you can analyze it any way you choose. But it also has some nifty reporting screens, if you really care.
If you're only interested in web access, there's something else that you can do. Look into ".pac" files on windows. Basically, think a javascript file that gets run every time any URL is accessed by anything in all of windows. As in "return null" will make everything die, and "return slashdot.org" will make every URL return the slashdot homepage. You can easily write a five-line jscript file to log everything to a file through the FSO.
Low Tech, Amazingly Effective (Score:3)
Run everyone through a proxy. At the end of every week, print out the name of every user and every site they have visited. Display the printout in the lunch room.
Benefits:
1) Accountability. Nobody's going to visit LesbianMidgetAmputeeFisting.com if they know everyone in the office will know about it.
2) Information Sharing: People will learn of other (hopefully work related) sites and tools, and will know with whom to discuss them.
3) Reduced bandwidth. Nobody wants to be accused of wasting time at work, so people will naturally reduce their casual web browsing.
Total cost of implementation: A few reams of paper and a few minutes a week.
We tried this in an office of 50 people who were fed up with a content filtering firewall that thwarted legitimate work. First week's results were a little off-colour (we kinda forgot to remind people we were doing it) but subsequently almost every bit of web browsing was work-related, relevant and minimal. Facebook use at work all but vanished. However, staff didn't feel they were being treated like children by a machine controlling where they surfed.
Re: (Score:2)
Since we started allowing bootloaders to post, duh.
Re: (Score:2)
Since the management is gone... =(
Re: (Score:2)
I agree: Squid + SARG is the best free solution.
Re:squid (Score:4, Informative)
Back many years ago when I had concerns like this, I used the ACID network monitor that allows for complete tracking of all activity. It doesn't do any blocking but it does make report generation of all network activity very simple. However, it sounds like the solution to go for is something like Squid doing transparent proxying with content filtering. Also, block any ports in AND out that aren't used for HTTP (80 and 443) to completely nix the chance of P2P working in any reasonable way. But alas, if the submitter were after a good filter why should they care what the users are doing; they surely aren't doing it on any illicit sites (assuming the filtering rules are effective?)
Seems like this should be two questions: one is what free/open ruleset can be trusted (as there are many good free tools at hand to enforce the rules) and two what additional inspection should take place to all content that might not be blocked, to find employees that spend too much time doing stuff on the "edge" of permissibility?
Slashdot vs. Google (Score:3)
I've got an idea: Since the sum total of ideas expressed on Slashdot comments have probably already been expressed elsewhere, and are available on Google [lmgtfy.com], it's probably superfluous to post comments on Slashdot.
Also, since all of the articles posted on Slashdot are (obviously) available elsewhere on the Web, and hence, also via Google, it would make sense to also not post articles on /., being redundant.
In fact, to the logical geek mind, the thing that would make the most sense is for slashdot.org to simply
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I don't know what I'm doing for my job, and I would like you to do my research for me. Preferably your solution should be "open source", although I don't really know what that means, I just don't want to pay for it.
What's wrong with minimizing the financial impact of regulatory compliance?
Re: (Score:2)
Because the law states the owner is responsible, and laws don't care about right, wrong, justice or morality.
Re: (Score:2)
Re: (Score:3)
Actually, we pretty much got screwed here. Quite a lot like PATRIOT got jammed through in the post 911 environment, actually. National figured out they had a wonderful opportunity with the CHC earthquakes and used the state of emergency powers (intended to streamline govt during those sorts of situations and respond as required to real emergencies) and instead rammed through unpopular stuff. They tried to put through another copyright bill about 3-odd years ago but it went through the normal review process,
Re: (Score:3)
There's a sucker born every minute and most suckers get to management somehow. Those managers will try to cover their asses and thus implement some expensive solution from someone which is promoted in one of those free CIO magazines but in the end does nothing.
Once it's legislated it's usually too late. The law is there and hard (if not impossible) to remove. Those that want these laws are not going to go for the big companies, they're going to go for the small ones that don't have the money to put up a figh