 From:  Claude Morin <klodefactor at gmail dot com>
 To:  Chris Bagnall <m0n0wall at minotaur dot cc>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Blocking outbound traffic - concessus
 Date:  Thu, 31 Mar 2005 17:02:55 -0500
I agree, and have had several similar cases with my employer of ten years, 
where I refused to provide unethical monitoring results. I say "results" 
because -- as much as practical -- we have audit logs for everything. Those 
logs are only used in the event of a security incident, to investigate 
criminal behaviour (not to search for it, but for forensic analysis), or as 
input to automated intrusion detection systems.

Having said that, I think William wasn't referring to nasty behaviour by 
people, but by compromised machines. In the specific case of P2P software, 
the software's authors and my users might have the best of intentions, but a 
flaw in the P2P software could expose the user's whole hard drive instead of 
just the P2P sharing folder.

-klode

On Mar 31, 2005 4:14 PM, Chris Bagnall <m0n0wall at minotaur dot cc> wrote:
> 
> > You are absolutely correct. This is the reason I often
> > recommend a proxy server. The combination of squid
> > (http://squid-cache.org ) and Dan's Guardian
> > (http://www.dansguardian.org ) and a strict set of rules to
> > only allow port 80/443 traffic from the proxy server allows
> > for filtering, blocking etc. via Dan's Guardian. :)
> 
> I would strongly discourage going down that route. You'll only generate
> resentment amongst the workforce who feel they aren't being trusted as they
> should be by their employer.
> 
> I have in the past refused to work for employers who feel it's their right
> to either monitor my web browsing, or restrict my access to important (to
> me!) services such as instant messaging.
> 
> When I explain my position on censorship, most of my clients are very
> understanding, and once we've had a discussion about it, they've understood
> why I won't do it. I've only ever had to bluntly refuse a client once - that
> was when they wanted unrestricted access to an employee's email account.
> 
> Treat your employees like people, not like potential criminals. If you need
> to discourage P2P, fair enough, log the common ports, and if someone's using
> it, it's damned easy to spot. A quiet word in that person's ear is a lot
> nicer than draconian blocking / filtering some companies implement. Any
> other bandwidth control can be accomplished using QoS.
> 
> Sorry for the rant, but it is a topic on which I feel quite strongly.
> 
> Regards,
> 
> Chris
> --
> C.M. Bagnall, Director, Minotaur I.T. Limited
> Tel: (07010) 710715 Mobile: (07811) 332969 Skype: minotaur-uk
> ICQ: 13350579 AIM: MinotaurUK MSN: msn at minotaur dot cc Y!: Minotaur_Chris
> This email is made from 100% recycled electrons
>