ContentControl

  • The IdeaPool had a recommendation for a "child-friendly" mode in which Web browsing was disabled. While I am deeply against censorship, I believe it is the right and responsibility of a parent to filter out questionable content for their children. Disabling Web would restrict access to all information, useful and detrimental. Rather than this extreme, Squid and DansGuardian could be incorporated to let parents configure, at the host or at the gateway, modular filtering of a variety of questionable materials. This has several applications.

    • The most obvious ContentControl application is parental guidance. Parents can configure DansGuardian to deny, log, or deny and log access to any combination of page categories for which heuristic definitions exist, including pornography, drugs, racism, violence, etc.

    • Businesses may wish to apply ContentControl on their gateways to prevent access to inappropriate materials. Such access could indirectly lead to loss of productivity or legal strife.

    • Public institutions such as schools and libraries may wish to use ContentControl on their most open terminals. Leaving child-accessible terminals uncontrolled may lead to angered parents or activists who would raise lawsuits against these institutions, causing large amounts of political and social strife.

    • At its most basic level, ContentControl can be used to filter out malware. Viruses, worms, and trojans embedded in programs and media can be filtered at the host or at the gateway, optionally (proxy settings on the host) or forcibly (gateway configuration to hijack HTTP). This may merit two "Disabled" modes: one for only filtering malware, and one for completely disabling ContentControl.

    • With a little work, the implementation can be very robust, much more so than simple proxy implementations or host-based implementations like NetNanny (which can be evaded by changing proxy settings or editing the registry).

      • It is possible to forcibly hijack the HTTP protocol--the major delivery system of undesirable content--via iptables and pass it to Squid. This can be done for outgoing packets from the host, forwarded packets from the internal network, or both. Thus, without proper authentication or root access (via legitimate means or booting a LiveCD), even skilled users would have difficulty evading the proxy without an external proxy on a non-HTTP port.
      • Any combination of pornographic, violent, or racist content could be filtered. This would be a great policy enforcement tool for parents, schools, and businesses.
      • The filtering should be configurable enough to allow the addition of "Explicitly Allowed" and "Explicitly Denied" domains and URIs. Sometimes DansGuardian filters an appropriate site, or fails to filter an inappropriate site. While the former case is unique to heuristics filters, the latter is a concern for any type of filtering. Both of these cases should be addressable with an easy configuration UI.

      • The potential to use ClamAV in conjunction with DansGuardian allows for the filtering of malware. This allows a router/gateway running Ubuntu to protect clients behind it from infection by Internet worms embedded in content, as well as viruses and trojans embedded in downloaded program files, by preventing their download.
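
The forced HTTP interception described above, for host traffic, forwarded traffic, or both, sketched as an added example (not part of the original proposal or of any Ubuntu package). The interface `eth1`, filter port `8080` and service account `proxy` are assumptions to adjust for the actual deployment.

```shell
#!/bin/sh
# Added example: emit iptables NAT rules that force port-80 traffic through
# the local filtering proxy. Interface, port and user below are assumptions.

LAN_IF="${LAN_IF:-eth1}"            # assumed internal-network interface
FILTER_PORT="${FILTER_PORT:-8080}"  # assumed port the filter listens on
PROXY_USER="${PROXY_USER:-proxy}"   # assumed account the proxy runs as

# intercept_rules host|forward|both
# Prints the rules for the chosen scope so they can be reviewed first.
intercept_rules() {
    case "$1" in
        host|forward|both) ;;
        *) echo "usage: intercept_rules host|forward|both" >&2; return 2 ;;
    esac
    if [ "$1" = forward ] || [ "$1" = both ]; then
        # Packets routed in from the internal network.
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $FILTER_PORT"
    fi
    if [ "$1" = host ] || [ "$1" = both ]; then
        # The proxy's own upstream fetches must skip the redirect or they loop.
        echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j RETURN"
        # Leave loopback traffic (local web services) alone.
        echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j RETURN"
        # Everything else leaving this host on port 80 goes to the filter.
        echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $FILTER_PORT"
    fi
}

# apply_rules SCOPE: run the generated rules, stopping at the first failure.
apply_rules() {
    rules="$(intercept_rules "$1")" || return
    printf '%s\n' "$rules" | sh -e
}

# Print-only by default; pass --apply (as root) to install the rules.
if [ "${1:-}" = "--apply" ]; then
    apply_rules "${2:-both}"
fi
```

The proxy that receives the redirected connections must be configured to accept intercepted (transparent) requests. Because the exemption is tied to the proxy's own account, a local user cannot skip the redirect by changing browser proxy settings.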

    • The formation of a team dedicated to ContentControl would allow the enhancement of this functionality in Ubuntu.

      • Easy and pseudo-intuitive administrative interfaces could be created to control the content control systems.
      • Authentication could be advanced to be more suited for real world environments. Squid and/or DansGuardian support authentication, making it possible for certain users to configure their software to authenticate and gain free access to otherwise filtered data. This is not acceptable, because it means that any access to those accounts gives unrestricted access to all content. Extending this functionality creates a complete solution.

        • Altering DansGuardian to require time-limited manual authentication via a Web interface presented on the Access Denied page would create a more controlled situation.

        • The authentication should only be valid if the proxy connection is also authenticated; connections from other accounts on the same host would otherwise match for the duration.
        • The authentication should be specific to the authentication used to connect to DansGuardian, and the session should be restricted to the Account:Host pair rather than simply Account. This is useful for poor setups where other hosts use the same Proxy authentication, which would result in opening them up to restricted content if the authentication was simply validated by DansGuardian against the Account.

        • This alteration can also be made to Squid, allowing a user to tell Squid to avoid using its parent for a time; however, this creates a much less robust situation, as Squid cannot tell DansGuardian to alter its rules and, e.g., continue to restrict Pornography and Viruses while no longer restricting Racism (useful for when your child is writing a paper on aspects of social racism, etc).
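
The override semantics proposed in the points above (time-limited, valid only for an authenticated proxy connection, bound to the Account:Host pair, and lifted per category) can be expressed as a small decision function. This is an added example, not DansGuardian or Squid code; the store path, its one-grant-per-line format and the function names are hypothetical, and account, host and category are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: time-limited, per-category filter overrides bound to an
# Account:Host pair. Store path, format and function names are hypothetical.

OVERRIDE_DB="${OVERRIDE_DB:-/var/lib/contentcontrol/overrides.db}"  # assumed

# grant_override ACCOUNT HOST CATEGORY TTL_SECONDS NOW
# Records that ACCOUNT, connecting from HOST, may view CATEGORY until NOW+TTL.
# Called only after the manual login on the Access Denied page succeeds.
grant_override() {
    echo "$1 $2 $3 $(( $5 + $4 ))" >> "$OVERRIDE_DB"
}

# is_filtered ACCOUNT HOST CATEGORY NOW
# Returns 0 (keep filtering) unless an unexpired grant matches the account,
# the host AND the category. An empty ACCOUNT means the proxy connection
# itself was not authenticated, so no grant can apply to it.
is_filtered() {
    [ -n "$1" ] || return 0
    [ -f "$OVERRIDE_DB" ] || return 0
    while read -r acct host category expiry; do
        if [ "$acct" = "$1" ] && [ "$host" = "$2" ] &&
           [ "$category" = "$3" ] && [ "$4" -lt "$expiry" ]; then
            return 1    # valid override: let this request through
        fi
    done < "$OVERRIDE_DB"
    return 0
}

# Demo with constructed values: a 30-minute grant for one category only.
if [ "${1:-}" = "--demo" ]; then
    OVERRIDE_DB="$(mktemp)"
    now="$(date +%s)"
    grant_override parent 192.0.2.10 racism 1800 "$now"
    for c in racism pornography; do
        if is_filtered parent 192.0.2.10 "$c" "$now"; then
            echo "$c: filtered"
        else
            echo "$c: allowed"
        fi
    done
    rm -f "$OVERRIDE_DB"
fi
```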

    • This has a side-effect of creating a situation in which it is appropriate to establish Squid as a part of a default installation. This possibility should be examined as well.


ContentControl (last edited 2008-08-06 16:29:16 by localhost)