Writing

Software, technology, sysadmin war stories, and more.
Saturday, August 25, 2012

Chasing users who looked at naughty web sites from work

One of the side-effects from running a big web proxy with a bunch of users for a school district was catching people who were looking at (ahem) "naughty pictures". These events would frequently be discovered by digging through the log files after the fact. The boss had taken it upon himself to review those logs and would add new domains to our local filter.

One time, he had a most unusual request for me. I was to go into the work area of one of our electronics techs and disconnect his computer. Then I was to put it in my car and drive all of the parts up to the admin building, where I would then put it all back together in the superintendent's office. There, I would have to figure out a way around the BIOS password someone had enabled on the device.

I did as requested and carted the machine up there, then proceeded to crack the lid and mess with the jumpers until it released its password. Fortunately, the box had not also been physically locked. Once in the OS, I then had another task ahead of me. I was to dig up all of the browser cache and history entries to see where this machine had been going on the web. I had a pretty good idea what was going on at this point, but it made no difference to me, so I did as I was told and got it going.

I ultimately discovered that this guy had been visiting all kinds of porno sites from his work machine right there at his desk. Then, apparently, he was "curating" the content by copying some of it to a floppy disk which presumably went home with him at night. There were enough traces of things on the machine itself to suggest this sort of activity: things like "file" URLs with the A drive embedded.

The boss was acting strangely, too. While I was doing this, he stopped by the superintendent's office to either check on me or drop something off, and he made a point of saying "notice, you're here, so I'm not alone with this machine". I just thought "okay..." at the time. I guess it makes sense now from a paranoid legal standpoint.

A couple of days later, I showed up for work and the tech in question was there as well, and he was looking flustered. He basically told a few people who had also just gotten there for work to "not believe anything you hear", and then got into his car and vanished. I never saw him again. I guess he had been fired on the spot.

I later found out what really did him in: his work wasn't being finished. Someone from one of the schools would send in a VCR or overhead projector to have it repaired, and it would just sit there forever. The electronics shop had become something of a bad joke at all of the schools, and even earned a nickname like "the black hole". Apparently, it's hard to fix electronics when you're collecting porn images. Who knew?

...

Several years later, we had another "situation". The boss was trying to track down someone based on their IP address, and it didn't make sense. They had a pattern of visiting certain sites, so that much was obvious, but they kept jumping around. Our DHCP leases were set up so that any given host would keep its address from day to day in most cases, so that probably meant this individual was using a whole bunch of systems in the school.

This was pretty weird, since normally someone only uses the machine in their classroom or office. To show up at a bunch of them would suggest they had access to other classrooms or offices and would brazenly use their machines to do ... whatever. Well, it started making sense. The only people who were around at the times when this stuff happened were also the people who had access to everywhere: the janitorial staff.
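The correlation described above, as an added example that is not code from the original post: it groups hits on a watched domain by date and reports the nights on which the same pattern shows up from several client addresses outside working hours. The log layout, the domain names, the addresses and the 07:00 to 18:00 working window are all constructed assumptions, and it relies on the stable DHCP leases the post mentions so that one IP stands for one machine.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log: "ISO-time client-ip method url" (layout is an assumption).
SAMPLE_LOG = """\
2012-03-05T10:02:00 10.1.4.21 GET http://news.example/index.html
2012-03-05T21:14:02 10.1.4.21 GET http://flagged.example/gallery/1.jpg
2012-03-05T21:40:10 10.1.7.33 GET http://flagged.example/gallery/2.jpg
2012-03-06T13:30:00 10.1.2.50 GET http://flagged.example/gallery/1.jpg
2012-03-06T22:05:45 10.1.9.12 GET http://cdn.flagged.example/3.jpg
truncated-line-without-fields
2012-03-06T22:31:09 10.1.4.21 GET http://flagged.example/gallery/4.jpg
"""
WATCHLIST = {"flagged.example"}  # hypothetical locally filtered domain


def parse_line(line):
    """Return (timestamp, client_ip, host) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    host = urlsplit(parts[3]).hostname
    return (when, parts[1], host) if host else None


def is_watched(host, watchlist):
    """Match the listed domain itself and any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def roaming_nights(log_text, watchlist, day_start=7, day_end=18, min_hosts=2):
    """Per date, list client IPs with watched hits outside working hours.

    Only dates where at least min_hosts distinct IPs appear are returned,
    which is the 'same pattern, many machines' signal."""
    per_night = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_watched(rec[2], watchlist):
            continue
        when, ip, _ = rec
        if not (day_start <= when.hour < day_end):
            per_night[when.date().isoformat()].add(ip)
    return {d: sorted(ips) for d, ips in per_night.items() if len(ips) >= min_hosts}


if __name__ == "__main__":
    for night, ips in sorted(roaming_nights(SAMPLE_LOG, WATCHLIST).items()):
        print(night, ips)
```

The daytime hit from 10.1.2.50 is deliberately left out of the result; hits after midnight are filed under the following calendar date, which is a simplification.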

Trouble is, this particular school was physically attached to our offices where all of the networking and computer stuff was, and the boss was worried that his prime suspect would "figure out we were on to him" and "might come into our offices and start screwing with things", or words to that effect.

He wanted me to set up something which would take pictures any time someone came into his office, and he wanted it right now. Fortunately for him, I actually had a way to do exactly that. It was an ugly, ugly hack, but I had it set up at home and it worked just fine. I would just need to bring the parts to the office and set them up there.

My detection system was an unholy combination of parts. Back in those days, X10 was more than just popunder ads, and they actually made home automation electronics. You could buy a little motion sensor from them which would send "ON" and "OFF" signals when triggered. Normally, you'd use this to control a light directly, but it would also make a nice signal for doing other things.

All you had to do was get the signal from the wireless realm into the wired realm, and that called for a small box with an antenna which I already had. Then you needed to read the signal off the power line and do something with it. I had already created a small daemon which did exactly that for my own purposes, so it was no big deal to make it watch for the "A 1 ON" or whatever and system() out to a hard-coded script.

Finally, the script just ran a frame grabber a couple of times for every time it was started. This meant that every event the motion sensor saw would yield a handful of pictures, and then it would go back to sleep. This kept it from filling up the disk. Back in those days, even horrible little webcam type images still took up a fair amount of disk space.

I had never tried any of this stuff in a commercial environment with unknown power distribution and noise figures, but I got lucky and everything worked out just fine. Stacking the wireless receiver and computer interface on top of each other probably helped overcome any powerline interference a data room full of equipment would otherwise generate.

Ultimately, we didn't catch anything unusual. My setup sat there for a couple of nights and didn't see anything it wasn't supposed to see. Still, I felt like I had accomplished something by building a nasty little "security system" from available parts with no notice.

Today, you might try to do this with video analysis, but I still have a soft spot for infrared detectors. It's hard to go wrong with them.