Anti-spyware at the Gateway

They are, in fact, blocked. If one gets through, it would be through an event such as getting noticed and categorized one way and changing content afterwards. But as soon as you tried more than a few of "so many sites" and got repeated blocks in that very special category, your machine would be on watch from other means, and would subsequently be caught doing such activities.

Why not? Perhaps you should examine Websense. There is indeed such a thing. Your saying it doesn't exist, doesn't make that so.

One might argue that you are trying to solve a technical problem with social means. :-)

Anyway, you assume that this Websense is being used in a vacuum with your arguments. It is a useful technical part of an overall program. The fact that it really does what it is supposed to, which seems to amaze/elude/surprise you, makes it worth the very large sum of money that it commands.

-Russ.

Reply to
Somebody.

Ridiculous. How should one update this category system if it should ever work seamlessly?

I doubt that, because it's very easy to even set up new sites again and again.

Because, how do you want to decide, what's harmless, what you don't know. Again, this results in a complete whitelist schema, and this means losing connection to the open network again.

I don't say, that Websense does not exist. Of course it exists. And of course it has the same problems like everything like that has, because those problems are by concept.

Don't think so. The problem, that you're not trusting in your own staff definitely is a social problem.

Yours, VB.

Reply to
Volker Birk

Yes. And how do you detect? Of course, problem solving by social means is a good idea for solving social problems. This is what I'm saying here all the time.

Yours, VB.

Reply to
Volker Birk

You know, I'm going to stop responding to you, because all your posts are "that's nonsense, that won't work, that's impossible, that's ridiculous".

And yet I have seen such things working, at many places, even while you claim it is not possible.

You continue to operate in your world, I'll continue to operate in mine.

-Russ.

Reply to
Somebody.

Not easily. But you can. They each have some sort of behavior that is not like their neighbors on the network. You simply have to notice it. Noticing things that are outside of the normal is a start, when you turn your full attention to it, you will figure it out.

If you are logging all traffic in and out of your pipe, it does indeed produce log entries. These can be examined and the behavior can be discovered. (the policies I was referring to above were the written policies, not electronic ones)

-Russ.

Reply to
Somebody.

So you trust your users not to do anything wrong/bad either by accident or on purpose? Where do you work I'd like to send in my resume as your position will be opening up in the future.

Reply to
Jason

Not easily == with exponential effort, so actually not at all

Simple DNS queries? Uploading unsuspiciously looking JPEG images?

Good tunneling cannot be differed from normal behaviour.

Wonderful. :-)

It cannot.

Fine. So what? Doesn't help with any technically imposed limits.

Reply to
Sebastian Gottschalk

Russ,

are we talking about security here? There is no way to secure that people can only see such websites you think they would be OK without having a complete whitelist. Is this so hard to understand?

Of course, you can categorize. And you can filter by category. But this categorization then is done with heuristics and not with algorithms, do you agree?

And heuristics differ from algorithms, that their result _is_ _not_ _securely_ what you wanted, right?

So this may help to enforce a security policy. But it may not implement secure web access in the meaning, that no user can use other websites than the allowed ones.

The reason why I'm arguing here, and why I'm arguing heavy-handed is, that so many providers of such filtering systems are lying to their customers, who are believing that such filtering will solve this problem. In reality, it will not, and most of those customers are fooled.

I don't think, that you're trying such things, of course. So please accept my apology, if I was too rough for your feelings.

Yours, VB.

Reply to
Volker Birk

In a way: yes. In another way: no.

Thanks, I'm waiting for it. ;-) I'm working here:

formatting link
and here:

formatting link
Yours, VB.

Reply to
Volker Birk

For this problem is equivalent to the halting problem, you cannot in every case. There is no algorithm which can.

Of course, you can detect it if you're lucky. And it will help very much, if the person, who is implementing the tunneling, is dumb.

If the tunneling is done in a clever way, it will be very hard up to impossible to detect. Of course, this depends on how much data usually is transmitted regularly, and how much information is to be transmitted hidden.

Yours, VB.

Reply to
Volker Birk

I cannot see an algorithm which can solve this problem. As a matter of fact, I think I can show that this problem is equivalent to the halting problem. It's just the same problem as detecting arbitrary encoding.

Because there is no such algorithm, I cannot agree that it has exponential effort or O(e^n).

It can by everybody who knows the encoding. It cannot in general by anybody who doesn't know the encoding.

Yours, VB.

Reply to
Volker Birk

Chi square analysis allows signal composition with any precision, so depending on how accurate your model is, you can detect any embedding.

However, such a model usually can't exist.

What about encryption?

Reply to
Sebastian Gottschalk

I doubt that. Combine an arbitrary encoding with an OTP, and you have nothing.

Yes.

As encryption + key is encoding, this is true for encryption as well.

Yours, VB.

Reply to
Volker Birk

Ok, well you can tell the fellows we've caught doing this so far, that they weren't caught.

Are there others doing it? Perhaps. Will they get away with it forever? Don't count on it.

Just because *you* can't do it, doesn't mean it can't be done.

-Russ.

Reply to
Somebody.

Encrypted data streams don't look like unencrypted data streams, and so can be detected.

When encrypted streams are allowed only to whitelist hosts, and you don't whitelist proxies, they become obvious.

-Russ.

Reply to
Somebody.

Wrong. About every JPEG content body or any other well compressed data are indistinguishable from pseudorandom data, so are encrypted data.

Would you allow access to ?

Reply to
Sebastian Gottschalk
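
The exchange above turns on whether byte statistics separate encrypted traffic from ordinary compressed content. The following is an added example, not part of any post in the thread: it measures Shannon entropy and the chi-square statistic mentioned earlier on three constructed samples. The word list, the seed and the use of pseudorandom bytes as a stand-in for ciphertext are assumptions made for the illustration.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means a perfectly uniform byte mix."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 d.o.f.)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def build_samples(seed: int = 1) -> dict:
    """Constructed inputs: plain text, its zlib form, and random bytes."""
    rng = random.Random(seed)
    words = [b"gateway", b"proxy", b"filter", b"policy", b"tunnel", b"packet",
             b"session", b"header", b"request", b"category", b"whitelist",
             b"traffic", b"logging", b"client", b"server", b"content"]
    plain = b" ".join(rng.choice(words) for _ in range(60000))
    compressed = zlib.compress(plain, 9)
    # Assumption: seeded pseudorandom bytes stand in for a ciphertext stream.
    random_like = bytes(rng.getrandbits(8) for _ in range(len(compressed)))
    return {"plain": plain, "compressed": compressed, "random": random_like}


def measure(samples: dict) -> dict:
    """Return {name: (entropy, chi_square)} for each sample."""
    return {name: (shannon_entropy(d), chi_square_uniform(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (ent, chi) in measure(build_samples()).items():
        print(f"{name:10s} entropy={ent:.3f} bits/byte  chi2={chi:,.0f}")
```

A gateway rule keyed on high entropy alone would fire on the compressed sample as well as the random one, which is why such a rule needs destination or protocol context to be useful.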

Somebody. wrote: [Web filtering]

And it's unusable then, because Web changes every second.

Yours, VB.

Reply to
Volker Birk

In general, this is wrong. You're forgetting that there is steganography.

No.

Yours, VB.

Reply to
Volker Birk

Simple things, that are trivial to detect, are easily detected. Wow, what a realization.

Anyway, you'll waste your CPU cycles on searching for trickier methods.

I do count on it, I would actually bet.

Just because *you* claim to do it, doesn't mean it can be done even though it provably can't be done.

Reply to
Sebastian Gottschalk

It is possible to catch dumb people. You cannot be secure to catch everybody. Usually, only dumb people are caught, or such people, who did not labour.

Yes.

Perhaps.

And "perhaps" exactly is the opposite of "securely", isn't it?

Yours, VB.

Reply to
Volker Birk
