Slashdot Mirror
Ask Slashdot: Low-Cost Tools To Track Employees' Web Use?
First time accepted submitter red-nz writes "I come from New Zealand where new anti-piracy laws have come into effect that prosecute the owner of the internet connection for copyright violations. This is now a major issue for businesses, as they of course don't want to be liable for employee infringements. We have some good firewalls that are capable of doing basic filtering by 'category,' e.g. P2P sites, etc., but ideally would love to find a low-cost or even better Open Source alternative to expensive reporting tools (such as WebMarshal or Websense) that is capable of reporting on individual employees' usage with friendly reports (i.e. dont just show the URLs of the 3000 items their browser requested that day). It may be too much to ask but if the software could also show how long they spent on each site, it would be fantastic. Anyone got any winners out there they can share?"
A simple encrypted proxy or VPN over port 80 to home.
Do not look at laser with remaining good eye.
Anyone who requires internet access gets a wireless broadband card in their name that they can expense. Now they are the owner of the connection and you are off the hook.
IANAL especially not in New Zealand
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
just talk to the top ten users, if they have no explicit reason for consuming so much data. If they cant explain it, search their computer, if they have done something wrong fire them and make sure everybody in the office knows why.
Business shouldn't do blacklisting. They should do whitelisting (everything is forbidden, you only allow specifics).
That is the only way to have a somewhat working control system (and even that is not perfect).
Block everything. Allow what needs to be allowed.
morcego
Check out the zScaler proxy. Lots of good benefits, including what you need. I use it for all my employees and love it, especially the reporting and fine-grained control.
A year spent in artificial intelligence is enough to make one believe in God.
If the employer also becomes a private ISP, and every employee is charged 1NZD per month for internet access at their workstation (taken straight from the paycheck, after everybody gets a 12NZD/year raise), then they own and are liable for the internet connection at their desk, not the company.
ntop (http://www.ntop.org) should be able to do more or less what you want, but you might have to tweak a few things. However, it would also help you get a better handle on all your network usage in general, so I'd look into it anyway if I were in your situation.
You should be asking about low cost politicians.
Seven puppies were harmed during the making of this post.
I honestly am unsure of pricing but I believe it's fairly inexpensive. We use Kerio Control and are migrating to the 3110 appliance.
http://www.kerio.com/control
It does all kind of neat reporting.
We also use Cymphonix traffic shaping devices that have insane detail on reporting but I believe they're very expensive.
http://cymphonix.com/
No sig for you. YOU GET NO SIG!
Business shouldn't do blacklisting. They should do whitelisting (everything is forbidden, you only allow specifics).
That presumes two things. 1) that the overhead of whitelisting is not prohibitive and 2) That your users have rather specific and unchanging needs. Speaking for our business, the overhead of whitelisting would be incredibly burdensome. We deal with many vendors and have to research topics all the time. There is no reasonable way to know in advance exactly which websites we will need to visit. Furthermore it requires a significant investment of time which could be better spend elsewhere.
The best alternative is to block specific problem websites (Facebook, Twitter, etc for example) and only allow access to those via a whitelist. Keep logs of network access in case further problems arise. If someone is found to be ignoring company policies you can warn them or fire them and make an example out of them. You can solve 99% of the problem with quite a lot less work.
Remember to track how much this tracking is costing you so that you have numbers to point to when you complain about it. You also need to sanitize the URLs for personal information since a lot of personal information gets passed through them. You could get sued, possibly face criminal charges, for gathering too much data.
All rites reversed 2010
DansGuardian with a proxy like squid should give you a basic websense-alike system - but even with all ports closed at the firewall except 80 and 443, bittorrent will likely still get through.
If you're truly worried about litigation, it seems like you could find a little money to deal with the issue. Take a look at Palo Alto Networks firewalls, especially the up and coming low-end model the PA-200.
I've set up several squid proxies for companies that claimed to want to keep track of employee's web surfing. The log files are pretty extensive and there are several 3rd party utilities out there that can provide reports that even managers can read. Most of the time. Going through the reports is a lot of work and usually the Achilles heel of this sort of project in my experience.
A couple of things...
1. Set your border router to accept connections from the Squid box and your Exchange (or email) servers only.
2. Check for MAC addresses mapping to the same IP address. (Most employees don't understand how to spoof a MAC address but lots of them can change their IP address.)
3. Fire the first person to be caught and make sure everyone in the company knows about it.
If you set a Policy that mandates firing and don't do it then word will get out. If you don't bother to check the reports then word will get out. None of the companies that paid me exorbitant sums of money to set this sort of thing up ever fired anyone and all of them stopped bothering to check the reports after a few weeks. I think mostly because the managers were the ones doing most of the abuse and, after all, we can't fire *them*!.
No one ever had to evacuate a city because the solar panels broke!
Back many years ago when I had concerns like this, I used the ACID network monitor that allows for complete tracking of all activity. It doesn't do any blocking but it does make report generation of all network activity very simple. However, it sounds like the solution to go for is something like Squid doing transparent proxying with content filtering. Also, block any ports in AND out that arent used for HTTP (80 and 443) to completely nix the chance of P2P working in any reasonable way. But alas, if the submitter were after a good filter why should they care what the users are doing; they surely aren't doing it on any illicit sites (assuming the filtering rules are effective?)
Seems like this should be two questions: one is what free/open ruleset can be trusted (as there are many good free tools at hand to enforce the rules) and two what additional inspection should take place to all content that might not be blocked, to find employees that spend too much time doing stuff on the "edge" of permissibility?
Is to get the law repealed.
If business owners are on the hook for the behavior of their employees, they should get together and get this law repealed. If enough do, it sounds like a slam-dunk to me. The reason why it hasn't already been done is that probably too many business owners don't know that they're on the hook.
--
BMO
How on earth could any software determine that? You may open a tab for a dozen sites . You can load a page of text, once, and spend an hour reading it with no further fetches. You could have a stock ticker/ weather stats/million other things running in a small window, gettign data every few seconds.
Basically, unless you look over their shoulder, you can't know how much of their attention was on a site for how long.
Classic mission creep: start with monitoring illegal downloads, end up checking on how the staff spend each minute at work, just because you can. Think how intrusive this is and how much it would be resented.
Set up your firewall to redirect all outgoing port 80, 8080, etc packets to the proxy (running squid), then use calamaris to analyze the logs (or roll your own analysis). Squid can also block urls based or regular expression matching.
The real "Libtards" are the Libertarians!
Sounds like your current solution - "category" based filtering at the border combined with a strong company policy - is already more than adequate to cover most potential liability to the company.
The rest of your question sounds like you're using this legislation as an excuse to implement some downright draconian and invasive "productivity enforcement" measures that have nothing to do with the stated problem.
Years ago I worked for an employment center that had a public-use phone for job hunting and the like. Some people would abuse it to phone the girlfriends, make drug deals and so on. The price of a new phone system that could be monitored was looked at it, and while not steep, there were some privacy concern. Finally, someone had the bright idea and put a sign over the phone "All Phone Calls Are Monitored And Recorded", and almost overnight the problem all but disappeared.
It's the Big Brother theory of surveillance. Your surveillance apparatus doesn't have to be perfect or even near-perfect. All that matters is that everyone thinks your surveillance is near-perfect.
The world's burning. Moped Jesus spotted on I50. Details at 11.
"I'm required to stop copyright violations, so how can I best spy on my employees' surfing habits and see how much time they spend on each website?"
First: You are not required to monitor what you employees download at all. Under NZ law it is not illegal to watch copyrighted material via direct download (youtube etc.) You only need to worry about p2p applications. These are easy to spot as they *upload* to lots of different ip addresses at the same time. If someone has 500 open ports and a Gigabit/second outgoing bandwidth, go talk to him!
Second: People tend to leave their browsers on all day with 10 different tabs open, so even if you could view the time spent on different sites, that info would be meaningless.
Third: Spying on your employees surfing habits can piss them off, and is likely not worth it, for the same reasons why people don't work better if you mount "security" cameras behind their backs.
Squid setup as a transparent proxy is the way to go (squid-cache.org). It also has lots of good log parsing addons like SARG (sarg.sourceforge.net/sarg.php) that can give you detailed usage statistics. For non-http usage information you can add SNORT (snort.org) to the mix with a log parsing addon like ACID (www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html).
-=You might be a geek if your computer is worth more than your car=-
be google
DNA is the ultimate spaghetti code.
There's no 100% safe method to provide an internet connection for employees and prevent abuse. So if these ridiculous laws persist, you will need to transfer ownership of each employee's internet connection to said employee. Ask your lawyers how to accomplish that ...
"I love my job, but I hate talking to people like you" (Freddie Mercury)
Seems to me that asking this question here is like going on a vegetarian's blog and asking whats the best cheap knife to butcher a cow with...
"Next time you purchase an election, make sure you don't elect morons who slap stupid laws up without thinking about their undesired consequences."
--OR--
"This is what you wanted, so this is what you're getting. You wanted business-friendly government, and now you have it. PAY UP."
I wouldn't offer them a cheap solution at all. In fact, I'd offer them the most expensive solution you can find.
One day I feel I'm ahead of the wheel / the next it's rolling over me / I can get back on / I can get back on
What would cost more, censorware acceptable to the government, or a small server hosted in the Philippines?
Hire somebody to infiltrate the lobbyists for those laws offices. Have them download your company's stuff which you do not license to them and report it. Do the same for any politician that voted this law into office.
Custom electronics and digital signage for your business: www.evcircuits.com
Untangle is probably what you want
www.untangle.com
I know I know where do i get off actually answering the questions asked.
An *unplugged* camera can't be illegal, since it's not actually watching anything, now is it?
If you have all users in the same location, you could use Blue Coat Enterprise Reporter. If you have mobile users, you could use the Blue Coat ThreatPulse service which is a SaaS solution.
Actually, we pretty much got screwed here. Quite a lot like PATRIOT got jammed through in the post 911 environment, actually. National figured out they had a wonderful opportunity with the CHC earthquakes and used the state of emergency powers (intended to streamline govt during those sorts of situations and respond as required to real emergencies) and instead rammed through unpopular stuff. They tried to put through another copyright bill about 3-odd years ago but it went through the normal review process, and the protest machine got going and neutered the worst of it. This time around they used the state of emergency powers to push it through with so little time that effective protests simply weren't possible.
Naturally the best solution now would be to vote the bastards out, but we still suffer from the same problem the US does, apathy looks likely to rule the day in this November's election.
Amusingly enough, the new law has one ironic effect. Before, infringement notices to ISPs generally got passed on to the offending user with a don't-be-bad note. The new law has a provision that the ISP has the right to charge for the time this takes them to research. In most cases this now means the ISP, upon receiving the infringement notice, turns around and invoices the complainant $25 before going any further (and as the complainants are usually mostly automated scripts, it mostly seems to end there). Ironically enough, at least in the short term, it probably means *less* punters getting infringement notices, and more costs to the "rights holders" for pursuing the process. In some ways a bit of a phyrric victory.
ehintz
The 3-strikes law covers P2P traffic only. Adding web traffic reporting isn't going to do anything to help you.
Now if you are being asked to do web traffic reporting then sit down with management and work out what they want, why and who is going to be responsible for reviewing traffic (hint - this should be HR not IT). Doing this should give you enough information to justify some expenditure, even if it is just a new server/VM for Squid.
There's a sucker born every minute and most suckers get to management somehow. Those manager will try to cover their asses and thus implement some expensive solution from someone which is promoted in one of those free CIO magazines but in the end does nothing.
Once it's legislated it's usually too late. The law is there and hard (if not impossible) to remove. Those that want these laws are not going to go for the big companies, they're going to go for the small ones that don't have the money to put up a fight and thus have to pay into the racket. Once that happens, they have precedent for ever larger companies and eventually individuals.
Custom electronics and digital signage for your business: www.evcircuits.com
http://sourceforge.net/projects/ttracker/
Basically, it does nothing but track the titlebars of every window that's open, and which one is in focus at any given time. And since every browser lists the URL in the title bar, it works like magic.
And it writes everything to a simple CSV file, so you can analyze it any way you choose. But it also has some nifty reporting screens, if you really care.
If you're only interested in web access, there's something else that you can do. Look into ".pac" files on windows. Basically, think a javascript file that gets run every time any URL is accessed by anything in all of windows. As in "return null" will make everything die, and "return slashdot.org" will make every URL return the slashdot homepage. You can easily write a five-line jscript file to log everything to a file through the FSO.
Run everyone through a proxy. At the end of every week, print out the name of every user and every site they have visited. Display the printout in the lunch room.
Benefits:
1) Accountability. Nobody's going to visit LesbianMidgetAmputeeFisting.com if they know everyone in the office will know about it.
2) Information Sharing: People will learn of other (hopefully work related) sites and tools, and will know with whom to discuss them.
3) Reduced bandwidth. Nobody wants to be accused of wasting time at work, so people will naturally reduce their casual web browsing.
Total cost of implementation: A few reams of paper and a few minutes a week.
We tried this in an office of 50 people who were fed up with a content filtering firewall that thwarted legitimate work. First week's results were a little off-colour (we kinda forgot to remind people we were doing it) but subsequently almost every bit of web browsing was work-related, relevant and minimal. Facebook use at work all but vanished. However, staff didn't feel they were being treated like children by a machine controlling where they surfed.
Do you or your partner snore? - Visit www.snoring.com.au
I've got an idea: Since the sum total of ideas expressed on Slashdot comments have probably already been expressed elsewhere, and are available on Google, it's probably superfluous to post comments on Slashdot.
Also, since all of the articles posted on Slashdot are (obviously) available elsewhere on the Web, and hence, also via Google, it would make sense to also not post articles on /., being redundant.
In fact, to the logical geek mind, the thing that would make the most sense is for slashdot.org to simply be turned into a DNS redirect for google.com.
Why didn't anyone think of that before? In fact, I think CmdrTaco did indeed realize that the very existence of Slashdot is futile in the face of Google, and voluntary stepped down for that reason.
I'm not a lawyer, but I play one on the Internet. Blog