netcurmudgeon (netcurmudgeon) wrote,

I'll take 'things I didn't want to know'

...for a thousand, Alex.

OK, memo to all of you out there who might, someday, ever write a web application. And, memo to all of you who might, someday, ever consider conducting your personal Internet affairs at work.

As part of the great cleaving-in-twain of the firewall boxes we were able to re-enable web content filtering. On the CEN side of things, because we use the State's filtering system (N2H2) to do the filtering, we're just running in 'monitor' mode, logging all web site visits to disk (as we are required to do by Federal law). On the AT&T side of things – which is used by municipal staff – we enabled content blocking on a few clearly out-of-bounds types of sites (you guessed it, pr0n, nudity and 'adult content').

I did some poking in the logs to see what we caught today. The list is pretty short; only 72 out of thousands of web sites visited. Now, one of the great things about our spiffy new-ish Fortinet firewalls is that they give full host name resolution and URL text. This is a step up from what our old Cisco PIXs gave us (host IP and URL text). You couldn't tell from the host IP what site the user was going to if the site was hosted by one of those hosting services where they stack fifty web sites on a box using virtual servers. They all have the same IP address; the web server looks into the HTTP header to figure out which virtual web site is being requested. Well, now we get that information too.

With the other data collection tools we put in place two years ago after a kiddie porn incident in the Fire Marshal's office, we can now track a web site visit right back to the individual user. Not just to the PC, but to you. I'm sure that other organizations' IT shops are at least abreast, if not ahead of us shuffling civil servants in Hartford in this Internet arms race. So, for all you folks who think that sites like are work fare, knock it off: we know who you are!

OK, this part is ACHTUNG! for both desk-bound punters and web application developers. Along with the web server's host name, we get the full body of the URL. If you build some sort of "autologin" feature for your 'alternative lifestyle personals' web site that relies on a long string of gobbledygook in the URL to identify the user (and not something marginally more secure like placing an encrypted cookie on the user's PC), you are enabling devious sh*thead administrators like me to log in to said 'alternative lifestyle personals' web site and utterly hose that user.

The fact that this URL text (/p/login.cgi?autologin=UmFuZG9tSVYtv5_l_5bVhid6z9TYUrxh9poePl1BO%2FQ-), when combined with the host name, gets me into the user account of a senior manager in one of the City departments – who I happen to know – just adds some gratuitous ick factor to the whole thing.
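An added example (my own, not part of the original post or of any vendor's tooling) of the admin-side check the post implies: a small Python scanner that reads proxy/firewall URL logs, flags query parameters that carry bearer secrets (by a known parameter name such as `autologin`, or by a long high-entropy value), and writes a redacted copy of the URL so the log itself stops being a credential store. The log line format, the parameter name list and the entropy threshold are assumptions; the sample lines are constructed, reusing the autologin string quoted above.

```python
"""Flag and redact URL-borne credentials in web proxy / firewall URL logs."""
import math
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that commonly carry bearer secrets (assumed list; extend to taste).
SECRET_PARAMS = {"autologin", "token", "auth", "sessionid", "sid", "key", "password", "pass"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random base64/hex blobs score well above plain words or numbers."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_secret(name: str, value: str) -> bool:
    """Suspect if the name is a known credential name, or the value is a long
    high-entropy string (the shape of the autologin gobbledygook in the post)."""
    if name.lower() in SECRET_PARAMS:
        return True
    return len(value) >= 20 and shannon_entropy(value) > 3.5  # assumed threshold

def redact_url(url: str) -> tuple[str, list[str]]:
    """Return (url with suspect values replaced by REDACTED, names of flagged params)."""
    parts = urlsplit(url)
    flagged, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if looks_like_secret(name, value):
            flagged.append(name)
            cleaned.append((name, "REDACTED"))
        else:
            cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), flagged

# Constructed sample log (not a real vendor format): "<user> <client ip> <full url>"
SAMPLE_LOG = """\
jdoe 10.1.2.3 http://personals.example/p/login.cgi?autologin=UmFuZG9tSVYtv5_l_5bVhid6z9TYUrxh9poePl1BO%2FQ-
asmith 10.1.2.4 http://news.example/story?id=12345&page=2
bjones 10.1.2.5 https://shop.example/cart?item=42&sig=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b
"""

def scan_log(text: str) -> list[dict]:
    """One finding per log line whose URL carries something that looks like a credential."""
    findings = []
    for line in text.splitlines():
        user, client_ip, url = line.split(maxsplit=2)
        redacted, flagged = redact_url(url)
        if flagged:
            findings.append({"user": user, "client_ip": client_ip,
                             "params": flagged, "redacted_url": redacted})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['user']} ({f['client_ip']}): secret in {f['params']} -> {f['redacted_url']}")
```

The same redaction belongs in front of the log writer, not just in an after-the-fact scan; the real fix on the application side is the one the post names, a session cookie rather than a token in the URL.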
