Slashdot Mirror
A Myspace Lockdown - Is It Possible?
Raxxon asks: "We (my business partner and I) were asked by a local company to help 'tighten up' their security. After looking at a few things we ran some options by the owner and he asked that we attempt to block access to MySpace. He cited reasons of wasted work time as well as some of the nightmare stories about spyware/viruses/etc. Work began and the more I dig into the subject the worse things look. You can block the 19 or 20 Class C Address Blocks that MySpace has, but then you get into problems of sites like "MySpace Bypass" and other such sites that allow you to bypass most of the filtering that's done. Other than becoming rather invasive (like installing Squid with customized screening setups) is there a way to effectively block MySpace from being accessed at a business? What about at home for those who would like to keep their kids off of it? If a dedicated web cache/proxy system is needed how do you prevent things like SSL enabled Proxy sites (denying MySpace but allowing any potentially 'legal' aspects)? In the end is it worth it compared to just adopting an Acceptable Use Policy that states that going to MySpace can lead to eventual dismissal from your job?"
yup. Sonicwall with thier CFS (content filter system). works like a dream.
Until somebody there goofs and flags the map image server for mapquest as porn (we are fighting that one now)
Luckilly they do have a user submission system to reclassify those goofs.
Install websense. Blocks the proxy sites AND Myspace as well as anything else you want.
It's better to be hated for who you are, than be loved for who you're not.
Squid+SquidGuard
.myspace.com
I had to do this for a school. Basically, set up Squid to act transparently. Set up an acl like:
acl myspace dstdomain
acl work_hours MTWHF 09:00-12:00
acl work_hours MTWHF 13:00-17:00
http_access allow myspace !work_hours
http_access deny myspace
That would allow access during lunch and before and after work.
If you want to block against proxies, use SquidGuard plus some blacklists. The ones at urlblacklist are good, as is the isakurldb list (it's based on dmoz). Another one is the one from shalla.de. All have social networking categories as well as proxy sites, though shalla's proxy and spyware lists tend to overblock.
I'd recommend merging urlblacklist's lists with isakurldb, and also shalla (but remove yimg.com from the redirector list manually) for both proxy and social networking. Then use SquidGuard to restrict the access.
"The Federal Reserve is a fraudulent system."--Lew Rockwell
End The FED. -
So block the class C's. Things like Myspace Bypass are not your problem, the average user probably won't know about that. At a certain point, you'll find a user who will just run an SSH proxy, and is it really worth the hassle for locking out the more advanced users like that?
American Heritage Dictionary - Cite This Source
draconian (dr-k'n-n, dr-) Pronunciation Key
adj. Exceedingly harsh; very severe: a draconian legal code; draconian budget cuts.
Words evolve. Deal with it.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
I had an employer ask me to do this for them as well. Since it was a Windows AD environment, I just set the internal DNS server to point myspace.com to 127.0.0.1 and set DHCP to hand out only the internal DNS server, which is what you want in an AD environment anyways. Obviously, it'd be fairly easy to circumvent (manually plug in an ISP's DNS server - problem solved), but it kind of ties into that "fence" idea mentioned in an earlier reply here, in that, for someone to figure out why Myspace wasn't working, they'd need to troubleshoot it, at which point they'd discover where Myspace was pointing and realize, "Hmm, someone probably intentionally did that."
I will point out that this was for a smallish company (25 people), not a school or anywhere else where the end-user can basically be assumed to be at least somewhat malicious. But, it does get the job done if you're in a hurry.
A friend of mine worked for the Gordon Flesch Company (~800 people) in Madison, WI. They had a filtering system in place, but it was pretty lax. They had a strict policy, but it had never been enforced. She was a WOW player, and would occasionally check the forums and game sites. Her work was top notch, her co-workers liked her, and her customers we always pleased with her performance.
One day she was called into her manager's office and fired due to her web usage. No warning, no verbal/written reprimand, just fired. Her last review said her performance was excellent, and there had never been a blemish on her record.
Now there's a company to avoid working for.
-AC
(It's not libel if it's true, but I'm not risking a lawsuit by putting my name on this!)
We use a similar sort of philosophy. If the employee goes to a site that the software thinks is dodgy, they will get a page warnming them that we believe it is dodgy, and why, but there is a option to continue onto the page, thereby acknowledging the warning, and choosing to view the content anyway, with such events logged and reviewed by the HR department on a monthly basis.
(Althogh most restricitions are lifted outside of normal working hours, and at lunchtime.)
Fire people that aren't doing their job.
Abaddon: An Xbox 360 Indie game