Family History Center Firewall Bypassed

[russellhltn]

Before I take any steps beyond physically securing the network hardware I want to hear how the young man accessed the sites.

Yes, I'm sure that will be interesting. I would suspect that many schools filter their connection and as a result there's a sizable pool of students who are skilled at getting around filters.

I'm thinking the best security is simply limiting the "patron" account to specific times. It would be nice to come up with a login script that would require a password if the login was taking place outside of normal FHC hours. People who have a legitimate need for the machines would have the password or an alternative login.

[aebrown]

The user enters the URL for an anonymous proxy such as www.sugarwhip.com. From this site, the user can type in *any* URL and bypass the filtering. Test this by going to www.sugarwhip.com and then enter a site (non-porn) that you know should be blocked. The only way Websense or any filtering vendor can avoid this workaround is to remain vigilant and add these new URLs as they are created by the "anti-censorship" crowd. This particular site was created and distributed to its mailing list on 7/10/08 (I still receive the mailings). There are new sites added each week to keep filtering vendors on their toes.

One indication of the vigilance of those who maintain the filtering used by the Church is that www.sugarwhip.com has already been blocked as a "Proxy Avoidance" site. So that is encouraging.

[mkmurray]

The programmers tend to treat their area under C:\Program Files as their own little data storage, but "user" typically has no rights to write or modify that area.

With Vista, you are forced to change your philosophy about writing to Program Files, even if the current user is an Administrator. Just google "Vista Virtual Store" and you'll find out why; you may even find my blog post on it. In the .NET programming world, they offer something called "Isolated Storage". You can google that too if you're bored.

Anyway, sorry, this is a tangent; just thought I'd quickly throw it in.

[russellhltn]

With Vista, you are forced to change your philosophy about writing to Program Files, even if the current user is an Administrator.

Yeah, I've heard a little about that. I think the right way has been the right way since Win2000, but too many programmers still kept on with Win95/98 code/programming methods because it worked as long as the user was a "Power User". But I digress.

[The_Earl]

Yes, I'm sure that will be interesting. I would suspect that many schools filter their connection and as a result there's a sizable pool of students who are skilled at getting around filters.

I'm thinking the best security is simply limiting the "patron" account to specific times. It would be nice to come up with a login script that would require a password if the login was taking place outside of normal FHC hours. People who have a legitimate need for the machines would have the password or an alternative login.

There are lots of non-technical solutions that can help with this. You probably can't find a purely technical solution that a determined individual couldn't bypass.

So:
Turn monitors toward public areas of the library, especially toward the librarian.
Audit browser logs, histories, bookmarks and image caches to spot problems early. Keep in mind empty logs and caches might indicate a problem.
Do not allow internet access when the library is unsupervised.
Aggressively investigate and report problems.
Audit software for 'anonymizing' services. If you don't recognize a program, google it.

Accountability and transparency are your two best weapons. You can't solve a problem if you do not know who is responsible, and you can't hide a problem in plain sight.

[russellhltn]

Do not allow internet access when the library is unsupervised.

That's close to what I had suggested. The question is how to do that.

Audit software for 'anonymizing' services. If you don't recognize a program, google it.

How would you suggest that be done? "Unknown" programs shouldn't be on the computer - period. As for anatomizing services, many of them are Internet based, so there's nothing on the computer except maybe the URL history.

I believe that using DeepFreeze would wipe out any URL history, so that becomes a useless tool.

[rdavies]

Yes, I'm sure that will be interesting. I would suspect that many schools filter their connection and as a result there's a sizable pool of students who are skilled at getting around filters.

This is what I deal with everyday. I manage a high school system with 850 workstations and almost 3000 users. These kids can be very adept at by-passing proxy servers. For every program we block, two more are out there for them to use. Our policy of zero tolerance seems to be the only limiting factor. It only takes a few friends serving suspensions and having no further network access to put the brakes on them. Limiting physical access seems to be the only real deterant.

We also use Deepfreeze. It is fantastic for keeping the computers in top working condition but you do erase any evidence of foul play. You have to catch them in the act.