More from: Unix

Content Filters

(Note: this was written in 2013 – years ago, so links may or may not work.)

Reviewing web content filters: the box that scans incoming web pages, reads them, and allows acceptable content or blocks/drops unacceptable content based upon rules you set. Notes:

  1. Must read the pages, not merely scan URLs
  2. Must break open encrypted packets and scan, otherwise it is all wasted time
  3. Must not rely upon the device being used to view web pages — must be installed in the line connecting the LAN to the Internet, so it cannot be bypassed by any end user. It cannot be a mere proxy (cloud) that trusts the person being limited does not circumvent it: it must be hard wired into the building LAN so that it is impossible to evade.
  4. Preferably OpenSource so it is subject to peer review.
  5. Preferably no per seat licensing attempts to exploit
  6. Linux / BSD / Unix OS

DSCN2693

Web search possible results

Five Content Filters, Tech Republic http://www.techrepublic.com/blog/five-apps/five-content-filters-suitable-for-both-home-and-business/

Potential candidates which supposedly read the actual web page and block unacceptable content.

  1. Net Nanny http://www.netnanny.com/ — relies on intintegrity of the end user’s PC, Windows, not in LAN, costs $39.99 per seat for licenses
  2. K9 http://www1.k9webprotection.com/ — only works on Windows or some mobile devices, apparently to be installed onto the actual device and not inline in the LAN, and they want $12.50 PER MONTH PER SEAT to use it. graphic
  3. Safe Squid http://www.safesquid.com/content-filtering/linux-installation — downloads at http://www.safesquid.com/content-filtering/documentation. Seems to be free. Good Linux command line install instructions. Not sure if it scans each web page or not: looks like just a firewall with a URL blacklist (menus have nothing about content filter, key words, weights, etc). Think it might be intended to be installed inline however it comes in Linux and Windows versions. Look more at this later.
  4. DansGuardian http://dansguardian.org/?page=documentation — It was a good project, but not maintained. People in volved started a pay-per-seat for-profit project called SmoothWall that has superceeded it. It does read the pages, but it did not break open encrypted packets when I used it last.
  5. OpenDNS http://www.opendns.com Looks promising. It is a web based service BUT it works by changing the DNS lines in your firewall to point to OpenDNS. Unless the end user can break inot my firewall/router it will help. They provide a white paper on their approach here. Free with VIP subs available for $20/year. Graphic here. I’ll look more but this is potentially a high efficiency solution, so I subscribed. Summary from the web site at http://www.opendns.com/technology/ reads

    “We’ve established that DNS is used in almost all online activities, helping you get to where you want to go. But traditional DNS doesn’t discriminate the good from the bad. Regular DNS doesn’t know the difference between http://www.paypal.com and a forged clone site, aiming to trick you into providing your sensitive personal information. OpenDNS not only knows the difference, but also gives you the tools to decide what to let in, and what to block.  Think of it like a firewall for DNS. Using DNS as a filtering mechanism has powerful implications: phishing websites can be blocked from tricking users into giving up sensitive data and malware websites can be prevented from infecting computers.  Moreover, it’s not just about preventing security threats from loading.  Infected computers usually use DNS to try and “phone home” to a master computer for instructions, often leaking out confidential information, passwords, and files from computers.  OpenDNS prevents that from happening, too.”

    The bottom line is change your DNS settings to use the OpenDNS server addresses as your DNS server settings and save/apply:208.67.222.222, and 208.67.220.220. Piece of cake.
    Apparently there is more to this than meets the eye. I had my wife browse to sex dot com and she said she got pictures, lots of pictures. Ah. An email came to the address I provided when registering. First I must confirm my identity. Then enroll my IP address. Then select my level of filtering. Then wait 3 minutes for it to take effect. Works. It is clearly a URL filter, but that is better than nothing until I find a content scanning filter.
    One benefit is that URLs are submitted and rated by members through an averaging process (voting).

  6. Smoothwall Express http://www.smoothwall.net/ — looks like IPCop to me, a firewall. No apparent content filtering. Maybe content filtering is in their per seat license product. I requested pricing information on their contact web page, but have not heard back yet. I’ll update when I have more complete information. This could be a nice content scanner in addition to the OpenDNS URL scanner, but the pricing may be too high for a public charity serving the poor to afford. Their sales asked when I could chat and I suggested Monday 10/7. NOTE: I talked with the Smoothwall rep Tuesday 10/8 and there filter definitely does break open encrypted packets and examine the content.
  7. IPCop http://www.ipcop.org/ — it is only a firewall. We use it now and it works nicely. Free, no artificial limitations to coerce you into buying something unlimited. But no content filtering.

Ubuntu 11.04 Is Now Available

What does it mean to business?

Unix and Linux have long been recognized as safer for business and individuals to use, due to the way they protect from virus and spyware infections. Microsoft Windows 7 emulates some of that now. An article on https://help.ubuntu.com/community/Antivirus says:

Some people say that linux suffers less from malware because it has less than 1% of the desktop market compared to Windows 90% & suggest that if linux ever increases in popularity then it will suffer just as badly. This argument is deeply flawed & not just by the spurious statistics. Linux dominates server markets. Why struggle to write a virus that might knock out a few thousand desktops when knocking out a few thousand servers could knock out a continent? Yet it is the desktop machines that are commonly exploited.

Our web server stats 1Q2011 showed calling computers are using 30% Linux, 11% Mac, and under 60% Microsoft Windows of all flavors. Microsoft no longer has anywhere near the 90% market share they had a decade ago, hence the reason they priced Windows 7 at half the amount they were charging for the same level of Windows Vista and Windows XP. Still the author’s point is valid that zombie-fying servers would be what criminals did if they could pull it off — they zombify desktops because Microsoft is easier to infect than Linux or Unix. I am told, however, that organized crime is now beginning to target Mac users, and eventually also Linux users. An article in Inforworld.com here: http://www.infoworld.com/d/security/malware-and-hackers-increasingly-targeting-macs-780 says:

One of the more notable developments of the Mac attracting cyber criminal attention is the emergence of what’s purportedly the world’s first do-it-yourself crimeware kit primed for Mac OS X. Recently announced in some closed underground forums, according to Danish IT security company CSIS Security Group, the tool enables users to build malware to turn victim Mac OS X machines into zombies with point-and-click simplicity.

The kit, called Weyland-Yutani Bot, comprises a builder that enables a user to create malware capable of Web injections and form grabbing, according to the kit’s creator. It also boasts an administration panel and supports encryption.

Presently the kit supports Firefox and Chrome; support for Safari will follow, according to CSIS. Additionally, the creator of the kit claims that similar kits for iPad and Linux will be forthcoming.

The kit, by the way, costs about $1,000 — payable only in virtual currencies such as WMZ.

So the only constant is still change. Some design reasons that Linux is fundamentally safer than Windows are expressed here: https://help.ubuntu.com/community/Antivirus. In summary:

  • Programs are run as normal user, not Root User
  • More eyeballs on the code, nowhere for malware to hide
  • Vast diversity makes it difficult to reproduce flaws in a system
  • All software and drivers are frequently updated by Package Managers
  • Software is generally installed from vast Repositories not from unfamiliar websites
  • Developers/programmers are recognised as Rock Gods rather than treated with contempt
  • Elegant, secure code is admired & aspired to. Hasty kludges are an embarrassment
  • Ownership of the means of production is in the hands of the workers
  • No-one profits from supplying anti-virus or security products

“A computer virus, like a biological virus, must have a reproduction rate that exceeds its death (eradication) rate in order to spread. Each of the above obstacles significantly reduces the reproduction rate of the Linux virus. If the reproduction rate falls below the threshold necessary to replace the existing population, the virus is doomed from the beginning — even before news reports start to raise the awareness level of potential victims.” by Ray of http://librenix.com

I might add to this that the level of transparency — public inspection of the total work — prohibits under the table deals to sneak in spyware or add back doors that upload private information to outsiders without the owner’s knowledge or consent. In the Microsoft world no one really knows how many deals Microsoft has going with various data warehouses and government entities to deliver private information from their customers computers. It is also true that the main way malware sneaks onto computers is more often user gullibility than software errors, in particular with the current technique that relies on ‘drive by downloads’ where the user is persuaded to do some necessary action, such as clicking a link and approving the installation of the software. A friend being stranded in a foreign country needing cash to get home, an impossibly good business deal, or promises of pictures or videos of something of interest are examples of bait.

Free anti-virus software is available for Linux, even though it is much harder to infect a Linux system than it is to infect a Microsoft Windows system. The ClamAV software is available via the automatic software center in Linux (Applications / Ubuntu Software Center), but I understand it scans mostly for Microsoft viruses so that a Windows partition on the same computer can be safely cleaned from Linux: an infected Microsoft Windows system will normally not detect any viruses because the viruses themselves are made to disable the scanners so they avoid detection: scanning from Linux is the only reasonable way to find and remove Microsoft viruses. Still anti-virus software that also scans for Linux viruses should be installed, and there is a free download for personal use here: http://www.f-prot.com/download/trial_forms/linux-ws-tgz.html. If you are using it for business use instead of personal use please be honest enough to give them the small fee they ask for a legit business license — it’s cheap compared to the McAfee and Norton Windows products.


We downloaded and are streaming (bit torrent) all six of the working torrents for the latest Ubuntu, Natty Narwhal, which was released this week. The main download page is here: http://www.ubuntu.com/download/ubuntu/download and you can find alternate means of downloading here: http://www.ubuntu.com/download/ubuntu/alternative-download. Server versions are also available here: http://www.ubuntu.com/download/server/download. The peer-to-peer bit torrrents downloaded all six cd-roms for us in about an hour total, so we feel bit torrent is the most time-efficient download method right now (high interest, large number of peers available) but the older direct FTP or HTML downloads are still available. If you have not tried Ubuntu and would like to see it without changing your computer, download the appropriate file and burn it to CD-ROM to make a Live CD that you can try without altering your computer. You can make a USB boot drive once the CD is booted, which will run faster than the CD runs.

The links to the bit torrent downloads as shown on the Ubuntu download page are:

These torrents all seem to work except the netbook download which reports that the link is broken. Our spies tell us that the netbook version is the same as the notebook/desktop version, so it is possible that someone accidentally cut/pasted a link that doesn’t have a matching file.

We have ‘updated’ one computer with the new system. A discussion of changes is provided from the Ubuntu main site here: http://www.ubuntu.com/ubuntu/whats-new. The salient points at this time are:

1. the Unity (mobile device) style desktop is the default. This is a collection of floating icons vertically on the left with a Mac style menu bar across the top. The menu bar content changes to match which ever window is active at the moment after the manner of the Apple Mac UI. The icons on the left replace the task bars like Android mobile devices. The workspace switcher is near the bottom of the list: the Home Folder is at the top. Right click icons and choose from the pop-up menu to delete them. The circular icon at screen top left is called APPS provides a list of apps — this is the major change which you should explore as it has the same functionality but it is expressed as a group of icons in a window instead of a list in a menu. Right click Apps to add them to the floaty list.

2. VMWare Player downloaded and ran first time — no compile errors. Usually takes a while before VMWare catches up to the new header files after a Linux release. Acts a little funky when you drag the VMWare window between workspaces in the workspace switcher.

3. We changed the number of workspaces available by logging in using the Ubuntu Classic session shell: in the past we would right click the workspace icon and select properties, then specify how many rows and columns we wanted. Right click on the current icon does not let us configure the workspaces. When we booted back with the Unity shell, it set the workspaces back to four on us. Psi.

4. When you log in you can select which kind of desktop you want.  It’s at the bottom- click to switch between Ubuntu, Ubuntu Classic, Gnome, KDE, or whatever on the login screen Session Menu.

Current Irritations:

1. Apps set to start at login in System / Preferences / Startup Applications have no way to control *in which* workspace they will start. Not a new problem.

2. No matter how many times or how many ways we specify that Chrome is our default browser, it keeps switching back to FireFox.


Operating System Use

Operating Systems in use when viewing our web sites. Data taken from web site stats via GoDaddy.com. NOTE: No promotions have been applied to any of these sites, and no specific steps have been taken for SEO: it is thought that this data can be considered “random” matematically, and thus probably is representative of the population at this time. Readmore..