[sclug] Personalised web content filtering

David Given dg at cowlark.com
Thu Jun 16 12:08:57 UTC 2011


Dickon Hood wrote:
[...]
> In short: you're right: it's an HR problem, not a technical problem.  No
> technical solution you put in place will do anything other than severely
> piss your horses off, to the extent that they may well consider bolting.

Particularly since any horses worth having will see such blocks as a
challenge, and *immediately* start thinking of ways to work around
them... which won't be hard, as opening *any* hole to the outside makes
it nigh trivial to work around this sort of thing, and computers these
days are basically made out of holes --- the holes are what make them
useful!

In terms of local I/O:

- Printer ports support high-speed two-way data transfer. Remember ZIP
disks?
- Serial ports.
- Bluetooth.
- Keyboards. You may have blocked the USB ports, but PS/2 is a
bidirectional protocol...
- Taking pictures of the screen. You can get a lot of bandwidth in a
full-screen barcode.

In terms of remote connectivity, once you've allowed *any* network
access you have to think about:

- Bouncing data off remote websites.
- Non-IP protocols.
- Tunnelling data through ICMP.
- Tunnelling data through DNS.

I once worked on-site at a company in Korea with this sort of policy.
They had some 'security software' called WaterWall that enforced it. It
was, basically, a hideous trainwreck. I could access the public internet
without it, but no internal services, and we needed access to their
compilers. The installation process consisted of:

- attempt to install on clean laptop our IT department provided. Didn't
work.
- much investigation. Eventually we discover that it doesn't work with
IE 8. Or 7. It only works with 6.
- discover that you can only have one version of IE on a Windows PC at a
time. Attempt to uninstall 7 and 8. Discover that you can't uninstall IE
if it's been slipstreamed into the Windows installation disk, which it
was, because our IT department (hi, Dave) is, like, efficient.
- borrow a Windows XP disk. Reinstall Windows.
- Download and install Microsoft Security Essentials.
- Remove virus that was on borrowed XP disk.
- Install SP1. Install SP2.
- Install WaterWall. Wait all day as it continuously rebooted.
- Discover that I now cannot access internal resources *or* the public
internet. Apparently their IT department didn't add the right
permissions to my ActiveDirectory account.
- File ticket. Wait four days for them to actually do it.
- While waiting, discover that all WaterWall does is block ports 25 and
80. Connect to my home machine via ssh, download cygwin installer,
install cygwin via alternate HTTP port. Actually get some work done.

-- 
http://www.cowlark.com
"I have always wished for my computer to be as easy to use as my
telephone; my wish has come true because I can no longer figure out
how to use my telephone." --- Bjarne Stroustrup
