Re: Surfing at Work

From: David Q F (!o!s!p!a!m.AU)
Date: 10/02/04

Date: Sat, 2 Oct 2004 10:14:40 +0930


Thanks for your comments,

"Mark Landin" <> wrote in message
> On Thu, 30 Sep 2004 10:38:03 +0930, "David Q F"
> <!o!s!p!a!m.AU> wrote:
> >"HB2" <> wrote in message
> >news:Lll6d.275208$Fg5.251822@attbi_s53...
> >> Sometimes I write e-mails using a web based format (yahoo). When the e-mail
> >> is of a personal issue I use megaproxy because it is SSL. Our PCs at
> >> have Windows 2000. Is it safe to assume that my e-mails are kept
> >> from my employer since they are sent using SSL? Does Windows 2000
> >> have monitoring tools built in or would our employer have to purchase
> >> monitoring tools separately?
> >>
> >> Also, it's my understanding that using a keyboard log program is
> >> Is this correct?
> >>
> >> Thanks
> >>
> >>
> >
> >My $.02 worth. I am in Australia. Our corporate security policy
> >- Web based email. Reason: The mail and its attachments do not pass
> >our firewall (as email) or antivirus.
> You don't have desktop anti-virus protection?

Yes we do.
The main problem here is organisations that have a large number of desktop
clients. A new virus entering from the Internet via email has a window of
opportunity until its signature is deployed to every one of them - this can
take days, even weeks. Disallowing web-based email for SMTP blocking every
executable, or anything known to carry an executable including .zips and
'whitelist' what you want to get through also helps - users soon fall into

> >- Unauthorised encryption of email including smime and pgp. Reason:
> >the difficulty is with checking content for fraud, theft or malware.
> Very valid.
> >- Unauthorised inspection of email by IT admins. Reason: It's a people
> >problem and only HR can authorise inspection.
> Also very valid. IT should not abuse their authorized access.
> >It does allow reasonable personal use of email - this discourages (but
> >doesn't cut out) abuse.
> Similar to the phone on your desk.
> >One other thought I've had is that the use of Bayesian Inference for Spam
> >filtering could be extended for other purposes like automated checking
> >commercial espionage, fraud and other abuses without human inspection.
> The problem is that a legitimate business email and an illicit one have
> basically the same content. What makes one legit and one illicit is
> mainly the recipient, not what it says. That would be hard to
> automate, I would think.
> Likely the best one could do is say "the following emails sent this
> week referenced the Secret Omega Project" and some person would have
> to vet that whole list, checking senders and recipients against a
> known-good-list, for possible improper activity. That would be pretty
> labor-intensive.

I think you underestimate the power of Bayesian inference. Time will tell -
at present I don't have time to test it.
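
Added example, not part of the original thread or any poster's code: a small naive Bayes classifier that scores the same message body sent to an internal and an external recipient, once on body words alone and once with the recipient domain as an extra token. The training mail, the addresses, the "ok"/"flag" labels and the function names are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed training mail (recipient, body, label); not real data.
TRAIN = [
    ("alice@corp.example", "omega project schedule and budget review", "ok"),
    ("bob@corp.example", "omega design spec attached for review", "ok"),
    ("carol@corp.example", "lunch on friday with the team", "ok"),
    ("dave@corp.example", "omega test results for the meeting", "ok"),
    ("x@rival.example", "omega design spec attached as promised", "flag"),
    ("y@webmail.example", "sending omega budget files to my home account", "flag"),
    ("x@rival.example", "payment received more files friday", "flag"),
]

def features(to, body, use_recipient):
    """Body words, plus the recipient domain as one extra token if enabled."""
    toks = re.findall(r"[a-z]+", body.lower())
    if use_recipient:
        toks.append("to:" + to.rsplit("@", 1)[-1].lower())
    return toks

def train(rows, use_recipient):
    counts, docs = {"ok": Counter(), "flag": Counter()}, Counter()
    for to, body, label in rows:
        docs[label] += 1
        counts[label].update(features(to, body, use_recipient))
    return counts, docs, set(counts["ok"]) | set(counts["flag"])

def p_flag(model, to, body, use_recipient):
    """Posterior P(flag | message) under naive Bayes with add-one smoothing."""
    counts, docs, vocab = model
    logp = {}
    for label, c in counts.items():
        total = sum(c.values())
        lp = math.log(docs[label] / sum(docs.values()))
        for t in features(to, body, use_recipient):
            if t in vocab:  # tokens never seen in training carry no evidence
                lp += math.log((c[t] + 1) / (total + len(vocab)))
        logp[label] = lp
    m = max(logp.values())
    return math.exp(logp["flag"] - m) / sum(math.exp(v - m) for v in logp.values())

def compare(body="omega design spec attached"):
    """Score one body sent to an internal and an external recipient."""
    out = {}
    for use_rcpt in (False, True):
        model = train(TRAIN, use_rcpt)
        out[use_rcpt] = tuple(p_flag(model, to, body, use_rcpt)
                              for to in ("bob@corp.example", "x@rival.example"))
    return out
```

On this constructed data, `compare()` gives both recipients the same score when only body words are used, and separates them once the recipient domain is a feature.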