The current trend in the corporate world is to implement filtering of
potentially harmful material and/or applications from their
users. At first glance this is a wonderful idea.. prevent people from
running things they shouldn't be running while also filtering content that
employees shouldn't be looking at on company time. Unfortunately there
are larger problems with this system.
When a company chooses to filter content, a legal loophole is
created. Consider this scenario: an employee views inappropriate content
in the office. The company fires the employee for viewing the content on
company time. The employee now has a possible loophole to counter-sue
stating that the company allowed the employee to view the content, so it
should have been acceptable. This also could be the case for another
employee being offended by content viewed by the first employee to sue the
company for permitting the content to be shown since the company chose to
filter rather than having it be completely up to the employee. This is
really an issue which needs to remain in the HR department, not IT.
The filtering of Java and Javascript programs is also
overrated. Javascript, although occasionally annoying when used for
pop-up ads and such, is often required on sites which have forms. Many
sites use javascript to validate form data, to setup dynamic forms;
ie: when a user selects something from a pull-down menu, the next menus
also change and similar uses. Java itself can be more harmful to the
network it's running on, however a network without direct TCP access to
the outside world has little to fear. The most common exploits people
create with java applications are those which create a network connection
to the outside world to allow those outside of your network access to your
files. In a standard network without direct TCP/IP access to the
Internet, this is not a problem. Java is used by many sites in search
engines because it does more processing on the client side depending on
the amount of data that needs to be looked through.
The other large problem with filtering is the big question "what gets
blocked?"... Websense which is one of the most popular filtering
software packages claims both that they visit the sites they filter, yet
also claim to do keyword filtering. There are some sites which have known
problems when using filtering software:
- Not all browsers are supported:
SOURCE: http://www.sgsales.com/WebSense/freq.htm
- Hotmail:
Hotmail uses 302 redirects which are incompatible with some proxy
and caching software. It also can write the reply and close the
socket before the complete request is sent which can cause other
problems.
SOURCE: http://ISP-Lists.ISP-Planet.com/isp-caching/0008/msg00565.html
- Refresh under Microsoft IE:
Some proxy/cache servers don't properly refresh content correctly.
This would be an issue when attempting to troubleshoot a site. The
customer may change their content, but the proxy may prevent us from
viewing the changes.
SOURCE: http://ISP-Lists.ISP-Planet.com/isp-caching/0006/msg00024.html
- Some streaming products fail under web proxies:
MP3s: http://service.real.com/help/faq/rp8/rp8known.html
Real Media: htp://service.real.com/firewall/configRP8.html (quality)
- Content listings out of date - not accurate
SOURCE: http://censorware.org/web_size/
The other part of the filter problems are the content itself. These are a
few of the webpages blocked by Websense:
The blocking techniques are also under question as shown here:
* Gay/Lesbian sites:
SOURCE: http://www.scotsgay.co.uk/text/sg34.txt
* Blocked by word association:
http://school.discovery.com/schrockguide/assess.html
(page about Assessment and Ruberic Information)
SOURCE: http://www.forsyth.k12.ga.us/jhobson/multimed.htm
* All blocked as "pornographic" (incorrectly):
http://www.jewishteens.com
http://www.msu.edu/user/zemkedan
http://www.visionaryvoices.com
http://www.sterlingfunding.com
http://www.abohrer.com
http://165.76.244.1/yakult/swallows (Japanese baseball team)
http://www.indiatwisters.com (socker team)
http://bloodstone.globalnet.co.uk/~probon/demon1.htm
(the above is an internet policy on censorship for the ISP)
http://www.mit.edu/activities/safe/notsee.html
SOURCE: http://www.censorware.org/reports/liza.html
http://www.digicrime.com (informational site about security)
SOURCE: http://www.specticle.org/cs/court.html
* Misc additional data:
SOURCE: http://www.peacefire.com/info/sample-letters/websense.txt
The best defense against inappropriate content and a safe network are:
- HR policy which is clearly spelled out as to what content is acceptable
- A properly configured network without direct outside access
- IT department which watches the logs from the proxy server for strange
activity (like http_tunnel which wouldn't be caught by most filtering
software yet is the most dangerous of all since it could create a
bi-directional tunnel for outsiders to get into the company's network.)
- Up to date (or auto-updating) virus protection software installed
company-wide which integrates with both the web browser and e-mail
software.