I'll take 'things I didn't want to know'

...for a thousand, Alex.

OK, memo to all of you out there who might, someday, ever write a web application. And, memo to all of you who might, someday, ever consider conducting your personal Internet affairs at work.

As part of the great cleaving-in-twain of the firewall boxes we were able to re-enable web content filtering. On the CEN side of things, because we use the State's filtering system (N2H2) to do the filtering, we're just running in 'monitor' mode, logging all web site visits to disk (as we are required to do by Federal law). On the AT&T side of things – which is used by municipal staff – we enabled content blocking on a few clearly out-of-bounds types of sites (you guessed it, pr0n, nudity and 'adult content').

I did some poking around in the logs to see what we caught today. The list is pretty short: only 72 out of thousands of web sites visited. Now, one of the great things about our spiffy new-ish Fortinet firewalls is that they log the full host name along with the URL text. This is a step up from what our old Cisco PIXes gave us (host IP and URL text). You couldn't tell from the host IP what site the user was going to if the site was hosted by one of those hosting services that stack fifty web sites on a box using virtual servers. They all share the same IP address; the web server looks at the Host header in the HTTP request to figure out which virtual web site is being requested. Well, now we get that information too.

With the other data collection tools we put in place two years ago after a kiddie porn incident in the Fire Marshal's office, we can now track a web site visit right back to the individual user. Not just to the PC, but to you. I'm sure that other organizations' IT shops are at least abreast, if not ahead, of us shuffling civil servants in Hartford in this Internet arms race. So, for all you folks who think that sites like www.thongbattle.com are work fare, knock it off: we know who you are!

Ok, this part is ACHTUNG! for both desk-bound punters and web application developers. Along with the web server's host name, we get the full body of the URL, query string included. If you build some sort of "autologin" feature for your 'alternative lifestyle personals' web site that relies on a long string of gobbledygook in the URL to identify the user (rather than something marginally more secure, like an encrypted session cookie, which the browser sends in a request header and which therefore never shows up in a URL log), you are enabling devious sh*thead administrators like me to log in to said 'alternative lifestyle personals' web site and utterly hose that user. A token in the URL is a bearer credential: anyone who can read the proxy or firewall log, the browser history, or the Referer header that the next site visited receives can replay it.

The fact that this URL text (/p/login.cgi?autologin=UmFuZG9tSVYtv5_l_5bVhid6z9TYUrxh9poePl1BO%2FQ-), when combined with the host name, gets me into the user account of a senior manager in one of the City departments (who I happen to know) just adds some gratuitous ick factor to the whole thing.
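As an added example (not code from the original post), here is a small Python scanner that does over constructed log lines what the post describes doing by hand: it pulls every query-string parameter that looks like a bearer credential out of key=value URL logs and builds the URL an administrator could paste into a browser to replay the login. The log format, the host names, the source IPs and the list of parameter names are all assumptions; the autologin value on the first sample line is the one quoted above. The cookie-based site in the sample (mail.example) yields nothing, which is exactly the point.

```python
"""Scan constructed proxy/firewall URL logs for replayable login tokens.

Added example, not code from the original post. The key=value log format is an
assumption loosely modelled on firewall URL logs; host names and IPs are made up.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (not real data). Each line carries the Host
# name and the full request URL, which is what makes URL-borne credentials
# recoverable by anyone who can read the log.
SAMPLE_LOG = [
    'date=2006-03-27 time=14:02:11 srcip=10.1.4.23 hostname="personals.example" '
    'url="/p/login.cgi?autologin=UmFuZG9tSVYtv5_l_5bVhid6z9TYUrxh9poePl1BO%2FQ-"',
    'date=2006-03-27 time=14:02:19 srcip=10.1.4.23 hostname="personals.example" '
    'url="/p/inbox.cgi"',
    'date=2006-03-27 time=14:05:40 srcip=10.1.7.8 hostname="news.example" '
    'url="/story?id=1234"',
    # A site that keeps the session in a cookie: the URL log shows only the path.
    'date=2006-03-27 time=14:06:03 srcip=10.1.9.77 hostname="mail.example" '
    'url="/login"',
    'date=2006-03-27 time=14:09:02 srcip=10.1.9.77 hostname="shop.example" '
    'url="/account?session=abc123&ref=promo"',
]

# Query-string parameter names that commonly carry a bearer credential.
# This list is an assumption; extend it for the applications you actually see.
CREDENTIAL_PARAMS = {"autologin", "token", "session", "sessionid", "sid", "auth"}

# key=value or key="quoted value"; the quoted alternative is tried first so a
# URL containing its own key=value pairs is consumed as one field.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def credential_params_in_url(url):
    """Return (name, decoded value) pairs from the query string that look like tokens."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in CREDENTIAL_PARAMS]


def find_replayable_logins(log_lines):
    """One record per log line whose URL carries a credential parameter.

    Each record holds the source IP (who leaked it), the host, the parameter
    name, the decoded token, and the raw URL that replays the login. The
    scheme is assumed to be http, which is what a 2006-era URL log would show.
    """
    hits = []
    for line in log_lines:
        f = parse_log_line(line)
        host, url = f.get("hostname"), f.get("url")
        if not host or not url:
            continue
        for name, value in credential_params_in_url(url):
            hits.append({
                "srcip": f.get("srcip"),
                "host": host,
                "param": name,
                "token": value,
                "replay_url": "http://" + host + url,
            })
    return hits


if __name__ == "__main__":
    for h in find_replayable_logins(SAMPLE_LOG):
        print(f"{h['srcip']} leaked {h['param']} for {h['host']}: {h['replay_url']}")
```

Run it and the first and last sample lines come back as replayable; the cookie-based login and the plain news story do not. The fix on the application side is the one the post names: keep the session in a cookie, and if a link really must log someone in, make the token single-use and short-lived so that a copy scraped from a log weeks later is worthless.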

Comments

also_huey
Mar. 28th, 2006 02:19 am (UTC)
When I built my departmental firewall at WorldCom, I left snort and a couple other rudimentary network-monitoring things running, just to see what was going by on the wire that I could see.

Porn. Lots and lots of porn. On the company-internal-only network.

I let it run for a week or so, and then forwarded the list to my manager.

Note to the aspiring-not-to-be-laid-off BOFH: when you're in an environment bristling with layoffs, not only is it helpful to not give them any reason to let you go, if you're a devious bastard, it's also sometimes helpful to give them reasons to let other people go. They say that the nail that sticks up the most gets hit the hardest? Well, they also say that you should lift up those around you...
netcurmudgeon
Mar. 29th, 2006 12:58 am (UTC)
Back some time ago, we actually had an officer in the fire department try to tell us that we couldn't filter the fire houses' Internet access because the firemen had a God-given right to porn.

Oddly enough, there was nary a peep from them this fall as we upgraded the core sites that the fire houses home to and defaulted them one by one onto the filtered access that the kids have.

Well, they also say that you should lift up those around you...

You are a mean, mean man. Remind me not to piss you off. :-)
half_elf_lost
Mar. 28th, 2006 04:51 am (UTC)
How stupid can you be? (Not YOU, the users.)

At my place of work, every single day when logging on you have to click through a very specific warning that outlines in detail exactly what the sons-of-Orwell's-nightmares are collecting and what they will do to you if they find A Very Bad Place Visited.

Yet still, the morons persist. I always wonder why, but I think that they've got this hope that with all the thousands and thousands of clicks each day, their click will go unnoticed.
netcurmudgeon
Mar. 29th, 2006 01:15 am (UTC)
I always wonder why, but I think that they've got this hope that with all the thousands and thousands of clicks each day, their click will go unnoticed.

And, often they're right. Except sometimes we're actually looking, and sometimes they do something to stand out. Two years ago there was an inspector in the Fire Marshal's office who was surfing kiddie porn. He was being very diligent about deleting his history and cache files, but that didn't save him when he got his PC infested with viruses -- that brought his PC to our attention, where we spotted some of the creepy crap he was ogling, verified it through firewall logs, and then called the cops. Alas, he got off with just a 70 day suspension from work and won't be prosecuted. Why? Because we got bad advice from the Police Chief and contaminated the evidence. Ya know, I only saw thumbnails, but some images will stay with you for the rest of your life.
half_elf_lost
Mar. 29th, 2006 02:21 am (UTC)
Perhaps he'll get run over by a firetruck. Nice advice from the Police Chief. I'm assuming you all now have P&Ps in place so that it won't happen with your next scumbag.

Now at my place you don't get away with much. They scan even harmless sites daily and like as not, once you visit a site, a few days later you might find it shut off completely and the warning comes up. eBay and other auction sites are verboten, but I find it hilarious that ESPN remains viable. We do something else much more insidious, but I don't want to post it here.
netcurmudgeon
Mar. 29th, 2006 09:58 pm (UTC)
Nice advice from the Police Chief

Yeah, it really does set you back when the Chief himself says "downloading child pornography from the Internet isn't a crime" ... I went through a few minutes of head-scratching thinking 'but that can't be right' before some quick Google research reaffirmed what I knew to be the law: possessing kiddie porn in any form is a Federal crime. Then I had to convince the boss that the Chief of Police was wrong. At least that's the kind of convincing you only have to do once.
half_elf_lost
Mar. 30th, 2006 12:28 am (UTC)
Hearing that makes me crazy. If you didn't convince the boss, it's one of those things that makes it worth it to knock on the door of the State Prosecutor for his advice. What a moron that guy is.