Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Low-Cost Tools To Track Employees' Web Use?

Posted by timothy on from the possibly-hostile-answers-expected dept.

First time accepted submitter red-nz writes "I come from New Zealand where new anti-piracy laws have come into effect that prosecute the owner of the internet connection for copyright violations. This is now a major issue for businesses, as they of course don't want to be liable for employee infringements. We have some good firewalls that are capable of doing basic filtering by 'category,' e.g. P2P sites, etc., but ideally would love to find a low-cost or even better Open Source alternative to expensive reporting tools (such as WebMarshal or Websense) that is capable of reporting on individual employees' usage with friendly reports (i.e. dont just show the URLs of the 3000 items their browser requested that day). It may be too much to ask but if the software could also show how long they spent on each site, it would be fantastic. Anyone got any winners out there they can share?"

22 of 384 comments (clear)

  1. and it's thwarted with...... by Lumpy · · Score: 4, Insightful

    A simple encrypted proxy or VPN over port 80 to home.

    --
    Do not look at laser with remaining good eye.
    1. Re:and it's thwarted with...... by imemyself · · Score: 4, Informative

      True - but then it would be the person at home (or who runs the proxy) who would appear to be sending the traffic. So it would not be the business's problem.

      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!
    2. Re:and it's thwarted with...... by said213 · · Score: 3, Insightful

      "which is usually substantially more than they have at home."

      I realize that this is not the case for everyone, but my home cable connection is at least one degree of magnitude greater than the bandwidth available at my place of employ. The reason someone torrents from work is because they can do it while hiding behind someone else's liability.

      --
      help me fix this "Terrible" karma, please!
    3. Re:and it's thwarted with...... by Anonymous Coward · · Score: 4, Insightful

      uh, the "reason" someone torrents from work is because they are at work.
      if they were at home, they'd torrent there.

      maybe they'll lose their job and have lots of time to download stuff at home, but i'm sure they're not thinking "this is great i have so much more bandwidth here" nor are they thinking "this is great now no one will know who i really am because i'm hiding behind a corporate network"

      they're thinking "damn i hate my job, i'm so bored, i'll download some stuff to pass the time"

    4. Re:and it's thwarted with...... by gregrah · · Score: 3, Interesting

      Keep in mind that the originally poster is from New Zealand. Broadband internet in New Zealand is not like we are used to in the United States; it's all based on metered billing and has been since the start. In fact - as a student in New Zealand I used to get charged per MB (and quite a bit, actually) when using the school's computer labs.

      The result is that monthly quotas end up being just as important (if not moreso) than bandwidth to a typical user. For example, take a look at these broadband prices and the extremely low (by US standards) "data allowances".

      I'm pretty sure that the case where a employee has a better connection at home than at work would be quite rare in NZ.

    5. Re:and it's thwarted with...... by Anthony+Mouse · · Score: 3, Insightful

      Any ISP logs, etc. regarding the content accessed would show it to be accessed from the home's internet connection -- not the business's.

      If that's the case then it sounds like the solution to the problem: Have the business pay for some rack space in a country with less-draconian laws, then put the entire business behind a VPN that appears from the internet to come from the IP in the country with sensible laws.

    6. Re:and it's thwarted with...... by Anthony+Mouse · · Score: 3, Insightful

      Actually, using a whitelist proxy and firewall rules (deny all, allow email server, proxy server) you can prevent every possible way of infringing.

      No it isn't.

      Strip all email attachments except pdf and office docs.

      See, you've already lost. The pirate sends an email to his pirate friend, who sends back pirated which is either in text format natively or base64 encoded and pasted into a word document. And the size limits don't save you, because there is plenty of pirated material smaller than the size limit and equally as much legitimate material over it.

      I mean sure, you can lock down a computer enough that users can't pirate anything. Just disconnect it from the network -- or the electrical outlet. The problem is that you can't do it simultaneously with users being able to do their jobs.

  2. Alternative by ArhcAngel · · Score: 3, Interesting

    Anyone who requires internet access gets a wireless broadband card in their name that they can expense. Now they are the owner of the connection and you are off the hook.
    IANAL especially not in New Zealand

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  3. zScaler by CrudPuppy · · Score: 3, Informative

    Check out the zScaler proxy. Lots of good benefits, including what you need. I use it for all my employees and love it, especially the reporting and fine-grained control.

    --
    A year spent in artificial intelligence is enough to make one believe in God.
  4. ntop by bsDaemon · · Score: 4, Insightful

    ntop (http://www.ntop.org) should be able to do more or less what you want, but you might have to tweak a few things. However, it would also help you get a better handle on all your network usage in general, so I'd look into it anyway if I were in your situation.

  5. Wrong business plan by Dunbal · · Score: 3, Insightful

    You should be asking about low cost politicians.

    --
    Seven puppies were harmed during the making of this post.
  6. Re:Wrong approach by ShakaUVM · · Score: 3, Insightful

    >>Block everything. Allow what needs to be allowed.

    And then you'll have to hire 10 more IT guys just to deal with all the legitimate requests for unblocking that will come pouring in.

    I used to work at a place like that. It eventually was just easier for them to give me the password to unblock sites myself, rather than pester them about it.

  7. Re:Change the employee agreement by MyLongNickName · · Score: 4, Insightful

    I am glad that you are a practicing lawyer in New Zealand and have educated us on this wonderful workaround. Could you please give us the contact information for your legal practice just in case someone in law enforcement questions the validity of your fine resolution to this problem? Because clearly your method trumps the employer-employee agency laws.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  8. Re:squid by jeffmeden · · Score: 3, Informative

    Back many years ago when I had concerns like this, I used the ACID network monitor that allows for complete tracking of all activity. It doesn't do any blocking but it does make report generation of all network activity very simple. However, it sounds like the solution to go for is something like Squid doing transparent proxying with content filtering. Also, block any ports in AND out that arent used for HTTP (80 and 443) to completely nix the chance of P2P working in any reasonable way. But alas, if the submitter were after a good filter why should they care what the users are doing; they surely aren't doing it on any illicit sites (assuming the filtering rules are effective?)

    Seems like this should be two questions: one is what free/open ruleset can be trusted (as there are many good free tools at hand to enforce the rules) and two what additional inspection should take place to all content that might not be blocked, to find employees that spend too much time doing stuff on the "edge" of permissibility?

  9. The real solution by bmo · · Score: 3, Informative

    Is to get the law repealed.

    If business owners are on the hook for the behavior of their employees, they should get together and get this law repealed. If enough do, it sounds like a slam-dunk to me. The reason why it hasn't already been done is that probably too many business owners don't know that they're on the hook.

    --
    BMO

  10. Slippery slope by Sqr(twg) · · Score: 4, Insightful

    "I'm required to stop copyright violations, so how can I best spy on my employees' surfing habits and see how much time they spend on each website?"

    First: You are not required to monitor what you employees download at all. Under NZ law it is not illegal to watch copyrighted material via direct download (youtube etc.) You only need to worry about p2p applications. These are easy to spot as they *upload* to lots of different ip addresses at the same time. If someone has 500 open ports and a Gigabit/second outgoing bandwidth, go talk to him!

    Second: People tend to leave their browsers on all day with 10 different tabs open, so even if you could view the time spent on different sites, that info would be meaningless.

    Third: Spying on your employees surfing habits can piss them off, and is likely not worth it, for the same reasons why people don't work better if you mount "security" cameras behind their backs.

  11. Re:Wrong approach by andymadigan · · Score: 4, Insightful

    I'm a Software Engineer. A peripheral part of my job involves dealing with Oracle. If I run in to a problem, I google the error message (or google what I am trying to do). I typically find the answer on some random blog or forum (no, the answer isn't always on ask tom). Are you going to claim those sites aren't "required" and therefore I don't need access to them? Otherwise, your whitelist is going to be pretty long...

    --
    The right to protest the State is more sacred than the State.
  12. Morals by WorldPiece · · Score: 4, Insightful

    Seems to me that asking this question here is like going on a vegetarian's blog and asking whats the best cheap knife to butcher a cow with...

  13. Or encrypted to a nearby country by Quila · · Score: 4, Interesting

    What would cost more, censorware acceptable to the government, or a small server hosted in the Philippines?

  14. Re:Wrong approach by pbhj · · Score: 3, Insightful

    >>Block everything. Allow what needs to be allowed.
    >And then you'll have to hire 10 more IT guys just to deal with all the legitimate requests

    You could have a click through that puts a persons name to the unblocking - so instead of hiring anyone you have the user self-certify that the page is work related and doesn't compromise any work usage policies. Internally publish the list of domains and who certified them.

  15. Understand the problem before trying to fix it by FLaMeBoY · · Score: 3, Interesting

    The 3-strikes law covers P2P traffic only. Adding web traffic reporting isn't going to do anything to help you.

    Now if you are being asked to do web traffic reporting then sit down with management and work out what they want, why and who is going to be responsible for reviewing traffic (hint - this should be HR not IT). Doing this should give you enough information to justify some expenditure, even if it is just a new server/VM for Squid.

  16. TimeTracker, used it for years by holophrastic · · Score: 3, Informative

    http://sourceforge.net/projects/ttracker/
    Basically, it does nothing but track the titlebars of every window that's open, and which one is in focus at any given time. And since every browser lists the URL in the title bar, it works like magic.

    And it writes everything to a simple CSV file, so you can analyze it any way you choose. But it also has some nifty reporting screens, if you really care.

    If you're only interested in web access, there's something else that you can do. Look into ".pac" files on windows. Basically, think a javascript file that gets run every time any URL is accessed by anything in all of windows. As in "return null" will make everything die, and "return slashdot.org" will make every URL return the slashdot homepage. You can easily write a five-line jscript file to log everything to a file through the FSO.