Ask Slashdot: How To Best Setup a School Internet Filter?
An anonymous reader writes "I was recently volunteered to be the network/computer admin for a small non-profit school. One of the items asked of me had to do with filtering inappropriate content (i.e. stuff you wouldn't want your mother to see). Essentially we want to protect people who aren't able to protect themselves, at least while on campus. Basic site filtering is fairly easy — set up Squid with one of the many filtering engines and click to filter the categories you're interested in. Additionally, making the computer lab highly visible uses public shame and humiliation to limit additional activity. The real question — How do you filter Facebook? There is a lot of great content and features on Facebook, and it's a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to set up campus-wide security/privacy policies for Facebook?"
Just block it altogether. Not worth it.
OpenDNS has parental control addresses, so it's a start.
Just don't set up a filter. Done!
You are obviously going to ignore this so don't forget to burn the books in the library on your way out.
My mother was a porn star. There's not much that I wouldn't want her to see.
Slippery slope, my man.
There is a lot of great content and features on Facebook, and it's a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to set up campus-wide security/privacy policies for Facebook?
In a word, don't. Unlike adults, teenagers won't have any qualms about bypassing your filtering. They'll use proxies. Tor. Thumb drives with other operating systems on it. Mobile phones. Secret non-broadcasting wifi networks. No filtering software yet designed has survived more than a few months in a public school without leaving the server running it as little more than a smouldering carbon scorch mark on the floor.
If this were a corporate environment, you could count on the fear and paranoia of being fired. You have no such power over teenagers... and many of them would do it even if you threatened them with life in the electric chair, because teenagers do not have good judgement. Even if you ask them "Is that a good idea," and they reply, "No," they'll probably keep doing it. And if you ask them why, they'll give you about as good of an answer as randomly seeking to some point in addressable memory and reading out whatever strings may or may not be present.
My advice... turn off the internet, lock the systems down, bolt them to the tables, put epoxy in all the USB ports, remove the optical drives, put everything behind plexiglass (little fingerholes for the keyboards), load up your operating system of choice and lock it down as much as you can, and then maybe, just maybe... you have a chance.
#fuckbeta #iamslashdot #dicemustdie
Exactly. Additionally, I would like to know what "great content" exists on Facebook anyway. "Person X has posted a photo." "Person Y likes Person X's photo!" Yeah, that's some great content there.
Really, just block the whole site completely. Any valid educational content that might possibly maybe be found on there can also be found elsewhere in greater amounts.
Love sees no species.
The best way to filter is to make sure that their screens are easily visible to passers-by. Kind of hard to watch porn when your screen is set up nice and high where everyone can see it.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Many years ago I connected an Internet feed for a private girls school - a very conservative, Christian, and very well respected one - in Sydney. During the setup I was talking to the Headmistress about whether she had any concerns regarding the content the girls might access. I thought her response was particularly enlightened; her comment was something like 'Whatever you try to restrict will make them want to access it more, which they will do secretly and unguided. If we don't make any restrictions then it will never be a big deal, and anything they feel uncomfortable about they can discuss with their teacher. Good kids will know to do the right thing, and all our girls are good.'
If I had a daughter, I probably would have sent her to that school.
Until someone offers your boss a compelling case demonstrating the educational value of access to Facebook, you block all of it. The purpose of the computers is to be an aid to the school's educational mission.
This is not only the wrong message to children, it's also impossible to outsmart a teen who wants to get on Facebook.
Untangle is a free, Linux-based web appliance. Its basic functions are free, but there are subscriptions you can buy to enhance certain areas. Put it on a machine with plenty of CPU and RAM, with 2 NICs, and you got a bang up free web filter. I use it at a school of 1000+ students and teachers on an old HP DL3800 G3, and it runs the 20meg line just fine, not too much overhead.
Given the utterly dismal record of Facebook the company when it comes to the privacy of its users, I wouldn't bother allowing access. Not only do you have your users to worry about, you have external Facebook users and Facebook itself - that sounds like a recipe for disaster to me. Aren't we due for a reset of our privacy settings to 'Everything shared with everyone' any day now?
I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
There is a lot of great content and features in homemade lunches, and they are a great way to stay in contact with friends and enjoy eating, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more than should be shared, and not everyone follows proper nutritional and safety guidelines.
The solution is obvious: open a cafeteria on the premises and make it illegal to bring any outside food. This way total control over food quality and nutritional content can be achieved. Additionally, making the cafeteria highly visible uses public shame and humiliation to limit inappropriate activity, such as enjoying food.
... then your school should be teaching kids how to use the Internet safely. There just isn't any technology that will protect your kids from everything they might do wrong.
I suppose you have to block sites that would offend parents (though the kids probably know all about them) but relying on filtering software to keep your kids safe is abdicating the school's responsibility
Don't bother with the filters, stick all the computers in a supervised area and kick out any students who break the rules. Speaking as someone who is personally sick to death of being managed by dumb computer programs (time management and performance evaluating software), why not have a responsible adult present to help guide the students? An old fashioned notion I know, but they are at school after all.
You can't partially-filter Facebook, not in any meaningful or effective way. If you try, you'll fail. Either users have access to it, or they do not.
And for a school (assuming K-12), the hypothetical benefits are massively outweighed by the problems. Not just the content-filtering ones, but the waste-of-resources and distraction-from-task kind. Give kids easy access to Facebook at school, and your computer lab will become a Facebook lab. It serves no educational purpose, and just like the Gameboys, Walkmans, transistor radios, whatever toys earlier kids tried to play with at school that distracted from what they were there for, it's perfectly appropriate to say "not at school".
http://alternatives.rzero.com/
Additionally, I would like to know what "great content" exists on Facebook anyway.
Class groups and study session events.
Obligatory Dilbert strip:
http://dilbert.com/strips/comic/1996-09-07/
Use the hosts file!
Worry about bandwidth, not content. Find some way to throttle video streams based on bandwidth. That will discourage watching porno and videos, and keep the upstream link from becoming choked.
Make each student install a proxy on their parents' internet connection and give the student access to the proxy from school. All other internet access is blocked. If the parents will not allow the proxy, the student will not have internet access at school.
I'm only half joking
And it's a race you will lose, should you choose to enter.
But if you really want to play -- take a look at Untangle (http://www.untangle.com) for a Linux-based appliance (free versions available) that will do other things such as spam filtering, basic AV, and more. Paid modules (inexpensive) let you add web caching, which cuts down on traffic, especially when you have a bunch of kids in a computer lab accessing the same web resources. So you can solve the problem for the hard-connected machines that are fairly well locked down individually.
But in the end, it's a pain in the ass. My wife is a middle school teacher, and she complained about their school's filtering "solution" keeping her from researching and accessing useful sites until my son reconfigured her laptop to use a proxy that he and some friends run so that they can get around school filtering solutions...
Set expectations early and often -- you will be able to block most of the kids (and adults). Some will always get around the barriers you put in place, often just for the sport of it.
Unless you set expectations, you will successfully block things for 598 students -- 2 will get through and you will be castigated as a FAILURE.
Still want to play the game?
Your bosses and the parents of your students, whose desires are expressed to your bosses.
Ensure you don't own the decision.
The purpose of filtering is to demonstrate you have filtering.
After your bosses define what they want, give it to them as best you are able but get it in writing (spieling that it protects everyone to do it that way). Have a written AUP, etc.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I'm assuming it's not a university or a college. If that's the case you need to be 18 to have a Facebook account according to their ToS. So, no kids should need to get to Facebook.
If you have nothing more to say than "Don't Filter A Thing," you waste his time and ours. It is not his decision to make.
The small non-profit school won't have the money to hire extra staff simply to monitor whatever passes for a computer lab. The geek may not like the idea, but a filter will have to carry part of the load.
Your assumption that content people might find--Facebook or elsewhere--that is more harmful to them than a censorship policy just handed down to them--is false. This is your chance to confront the people asking you to implement the policy with a couple of questions:
1. Given all the ways people get uncensored internet even under autocratic regimes where the penalties are brutal, what makes you think any censorship policy could work?
2. Which feasible projects are you willing to divert resources from in order to tilt at this windmill?
Don't let them answer 2. until they've got 1. well in hand.
What part of "A well regulated militia" do you not understand?
If they're under 13 (elementary and middle school age range), they're not allowed to access Facebook due to their terms of service and (in the US, at least) COPPA.
From Facebook's terms of service:
You will not use Facebook if you are under 13.
This is due to the Children's Online Privacy Protection Act, which requires verified parental consent before children can provide information to the website. While this does not impact you directly (that is, the FTC isn't going to knock on your door), you could get some heat from parents or administrators for allowing it at all.
Personally, I think the law is too draconian, but I wouldn't put my position in jeopardy to protest it.
Use PFsense with Squid Proxy WAN object caching and DansGuardian (with the paid list updates) and on top of that, OpenDNS filtering.
OpenDNS will help with malware prevention and botnet computers.
Use Unbound forwarding to pull OpenDNS but also locally cache DNS entries for faster response times.
Block DNS port 53 from exiting the WAN from anything but the pfsense proxy to prevent circumvention of your local proxy.
Forgive me if I'm wrong, but does a School not have a duty of care towards the students - and thus all mature and most social media sites should be blocked, not just to prevent access by the majority, but to avoid offending the minority who might see over another student's shoulder.
Also I hear a lot of "have the computers facing the teacher" comments, but nobody is discussing one-to-one laptop programs where the screen is a lot easier to hide.
If you implement filtering, then the first time "something bad" gets through, be prepared to be the fall-guy.
Don't waste your time with filtering. It will just make the kids want to see the "blocked" sites more. Anything you do a kid can get around in no time. If the kids are under 18 then it should be the parents' call on whether they are on FB or not. The teachers can surf on their own time OFF the clock.
Just put the modem in a locked closet or the principal's office with an on/off switch. When you need to get online to download software or access some educational site you can turn it on just for that.
There is a lot of great content and features on Facebook,
Oh my sides. Please! Stop!
and its a great way to stay in contact with friends
This doesn't need to be done in class or at work.
I have to return some videotapes...
Among managing IT for approaching 100 users I run the internet filter for a youth group. We provide free internet terminals for them to use. We used to score pages on Facebook, MySpace, Bebo etc. based on keywords. We need to allow https traffic for various reasons. Facebook are now pushing their user base towards https for profile pages to prevent various cookie hijack based attacks, this means we can't effectively filter their traffic, therefore I have suggested it should be entirely blocked. You can't filter https.
Class groups and study session events.
Do you mean "everyone doing their homework together" on facebook? Do you mean actually teaching a class on facebook? Seems kind of inappropriate to me. Maybe your idea is to make it more appropriate by filtering it, but I don't think they want you to. They make money showing you ads, building a dossier on what you click on, etc. So I would suggest that you not use it as a teaching tool. In fact it's kind of unfair if all the students are required to use facebook to participate in this "content". What if they don't want to start out their lives feeding all their personal info to an evil mega-corporation? (Unlikely I know.) There are probably educational sites out there you could have everyone sign up for that have some kind of chat.
(ps - If they're younger than 13 they're not supposed to be on fb.)
Actually, many of the more complex commercial firewall products CAN partially filter facebook. For example, you can permit reading but block posting updates, or permit access to most pages but block Farmville and all streaming media from fbcdn.' I've always thought the easy way to cut down on problems with this sort of Internet access was to permit Content-type: text/* but block all images, audio, and video. Basically, let them read Playboy for the articles!
I do not deploy Linux. Ever.
You can't solve a social problem with technology. You can try but you'll fail. Any protection you build someone will go that extra mile to break it - and break it he/she will.
It is always better to be a first grade version of yourself than a second grade version of someone else.
If you control the terminal, and don't mind invading the user's privacy (and possibly increasing your liability, e.g. if passwords are compromised), then yes, you can filter HTTPS just like you filter HTTP. All the major commercial web filtering appliances can do it, as can Squid: http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/
I do not deploy Linux. Ever.
The trouble with not-for-profit schools is their budgets are very low for things like this. The OP clearly wants a free as in beer solution.
If you are looking for a free program to filter with... Snort does a good job. It is an IDS (Intrusion detection system), but it is flexible enough that it would work as a very good filter, allowing you to filter by keywords, domains, ports, have-at-you...
You can combine that with lists of questionable content and you'd have yourself a pretty effective and versatile system.
These kinds of rules are probably most relevant to your interests.
http://comments.gmane.org/gmane.comp.security.ids.snort.general/33780
The arch foe.
Facebook is near impossible to filter. My suggestion is to use something else such as Moodle, MyBigCampus, or Gaggle that either is filtered for you or that you would have complete control over.
Make the subnet the school's machines are on unroutable. Set up a squid http://www.squid-cache./ proxy and use http://www.squidguard.org/ http://www.squid-cache.org/. Point all machines at the squid cache. It is how my friend got through the teen years with his kids. The easier approach: K9 Web Protection - Free Internet Filter and Parental Control ...
www.k9webprotection.com/ is another interesting choice.
Still a lot of arguments are correct, sometimes it isn't worth trying to sanitize things, better to try to learn about them.
DNS Redirector all the way http://dnsredirector.com/ Block everything, or block by categories, never any subscription fees.
Been working in Education for the last decade and I can say give it up. I have never seen any filter work more than a day at best. Lightspeed whatever just doesn't last very long. Kids start with proxy, but quickly switched to stealing passwords. The school year is only a week old and I have already seen a fairly complete list of staff passwords and even our sys admin password. Get a Federal approved filter and do the best you can, keeping the systems working will kill all the time you have, believe me.
As natural progression of our computer revolution, wasting time on a cellphone is a lot more conspicuous than doing the same on a computer. This is due to generational / cultural novelty: Decades ago parents and friends could NOT be convinced that my sitting for hours staring at a monitor was in itself "work."
For now, cellphones moved into that role of "wait, tapping away at it cannot be more serious than the conversation / class still in progress". I do recall that playing solitaire in a lab setting was barely frowned upon, partly because it is so hard to distinguish from real activity if the instructors are far away. But looking down into a phone is more obvious and even enforced / penalizable thru commonplace cell bans in schools. Can't *ban* the PC that they're each supposed to learn with (including self owned laptops for notes), though.
I think it hinges on how modern cells had their root on phones --2-way ACTIVE communication systems-- and are notorious for distractingly active texting. Full PCs are still seen as work tools for more PASSIVE chatting when employer/instructor allows it a work setting. Yes, the moral "honor system" largely determines how hard we'll work on not using a superset of the assigned functions. Remember the graphing calculator bans from most tests?
Surely those came AFTER the then-unconventional abuse was deemed too rampant. Not before.
One such company is Socialware, for example. I think for a lot of these settings Facebook has exposed assets and you can directly manipulate things in a "whack-a-mole" fashion, but hiring a company like Socialware gives you all of that managed for you in a proxy. Obviously this is out of reach of one guy running an elementary school, though.
It doesn't hurt to be nice.
1. Block outbound dns and force all queries to go through a central DNS server
2. Filter the domains that server allows to resolve
3. Adopt zero tolerance policy to evasion of firewalls
4. Do random audits of network traffic and punish anyone caught bypassing the firewall by any means.
5. Install deepfreeze so that students can't monkey with the machines
number 4 is good because you don't want your policies to become a joke. Kids these days are hardly technophobes, and you may need to be prepared to match wits with another nerd in the making. You need to instill a healthy respect for your rules.
If this sounds overbearing, then reconsider what sites you wish to filter out. Just remember, a policy is no good if it is not enforced.
The filter list I use catches the vast majority of smut, adverts and other undesirables but there's no way you'll catch them all.
Look, no SIG!
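Steps 1 and 4 of the numbered list above (force all DNS through one server, then audit for bypasses), sketched as an added example that is not part of the original thread. The flow-log format, the 10.0.0.0/8 campus range and the resolver address 10.0.0.2 are assumptions made for the example.

```python
"""Audit flow records for DNS that bypasses the school's central resolver."""
import ipaddress
from collections import defaultdict

# Assumptions for this example: campus address space, the single approved
# resolver, and a simplified log format: time src dst proto dport action.
CAMPUS_NET = ipaddress.ip_network("10.0.0.0/8")
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.2")}
# Classic DNS and DNS-over-TLS. DNS-over-HTTPS rides on 443 and cannot be
# separated from web traffic by port, so it is out of scope for this check.
DNS_PORTS = {53, 853}

# Constructed sample records, not taken from any real network.
SAMPLE_FLOWS = """\
2024-03-04T09:00:01 10.0.1.21 10.0.0.2 udp 53 pass
2024-03-04T09:00:02 10.0.0.2 198.51.100.53 udp 53 pass
2024-03-04T09:01:10 10.0.1.34 192.0.2.53 udp 53 block
2024-03-04T09:01:11 10.0.1.34 192.0.2.53 tcp 53 block
2024-03-04T09:02:00 10.0.2.15 203.0.113.53 tcp 853 pass
2024-03-04T09:03:00 10.0.1.21 203.0.113.80 tcp 443 pass
truncated record
"""


def parse_flow(line):
    """Return (src, dst, dport, action) or None for a malformed record."""
    fields = line.split()
    if len(fields) != 6:
        return None
    _when, src, dst, _proto, dport, action = fields
    try:
        return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action
    except ValueError:
        return None


def find_dns_bypass(flow_text):
    """Group off-campus DNS attempts by the campus host that made them."""
    report = defaultdict(lambda: {"passed": 0, "blocked": 0, "targets": set()})
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport, action = flow
        if dport not in DNS_PORTS:
            continue
        # Only campus clients matter; the approved resolver may go upstream.
        if src not in CAMPUS_NET or src in APPROVED_RESOLVERS:
            continue
        if dst in CAMPUS_NET:
            continue  # the query stayed on campus, e.g. client -> resolver
        entry = report[str(src)]
        entry["passed" if action == "pass" else "blocked"] += 1
        entry["targets"].add(str(dst))
    return {src: {**e, "targets": sorted(e["targets"])} for src, e in report.items()}


def rule_gaps(report):
    """Hosts whose outside DNS was let through: the firewall rule has a hole."""
    return sorted(src for src, e in report.items() if e["passed"] > 0)


if __name__ == "__main__":
    result = find_dns_bypass(SAMPLE_FLOWS)
    for host, entry in sorted(result.items()):
        print(host, entry)
    print("firewall gaps:", rule_gaps(result))
```

A "blocked" count means the egress rule worked and the host is a policy matter; a "passed" count means the rule itself needs fixing.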
Yeah, but which ready-to-go Linux firewall/proxy combo really supports whitelists.
I've researched (though not used) ClearOS and a bunch of the others, and whitelists seem to be a feature that people ask about in the forums as opposed to something that's a first-class feature.
For a restricted use environment, like elementary school, it would be great to add 10, 100, 1000, or even 10000 or 100,000 websites to a list and be done as opposed to chasing every new weird site.
As far as 1st Amendment issues, think of it like this: The library doesn't subscribe to every magazine on Earth, right. At most, it gets 100 or so. So just consider whitelists as subscribing to ten thousand websites.
What would be awesome would be: You (attempt) to go to a non-whitelisted site. You get an error message with an HTML form. Since you believe it to be useful, you fill in your whitelist request along with a reason, hit Submit, and it instantly goes to the librarian (?) or whoever's in charge of whitelisting, and they have a quick look at the site and approve or deny.
Anything like that available for Linux?
I'm not a lawyer, but I play one on the Internet. Blog
Buy a DNS-based service like Internet Guide from DynDNS and move on to the next project. The admins can tell you which twiddly bits to flip on their configurator, otherwise what you see is what you get.
Possibly set up an internal recursive DNS with zones to allow some machines to go out unfiltered.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I work for a non-profit that has teen centers. It's not foolproof, but a setup of squid + dansguardian + OpenDNS does a decent job of filtering for the good ole price of nothing but the hardware. Of course nothing ever beats having an adult in the room keeping an eye on things. Plus you can do some url matching in squid to allow only certain Facebook sites if you want.
For decades, 'social media' sites and their precursors were blocked by the various services under the DoD. Facebook is available today, along with all the attendant problems, because the Secretary of Defense ordered it available, along with youtube and various other sites.
I can't imagine a Dean having much less power to simply declare it an educational tool and tell you to 'make it work'.
I don't read AC A human right
I worked for a company that sold web filtering devices primarily to schools. The school admins spent more time hunting down proxy sites, web proxy sites, figuring out how to block kids running SSH tunnels off their home PCs and tunneling with putty on a USB stick. The web filter did awesome, until you got one smart alec in the mix and taught everyone else how to bypass it. THEN you start in on locking down the PCs with GPOs, adding layer 3 filtering for external proxy sites, prohibiting any unknown executables from ever running (yeah, makes those self-extracting printer drivers fun).
Glad I'm out of that business.
Yeah, and what kind of moron company pays for MS Office, the cracks are easily downloaded.
Dunno about you IT schmucks, but if my boss wanted me to break someone's user agreement to save 3 grand, I'd be concerned that the next paycheck is gonna bounce.
Effective Internet filtering cannot be done at this time. The only option would be to have every page cleared by a human being in real-time.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Just find an open proxy with a Chinese IP, and send all traffic through it. Or, you can just send all the kids to China. Your move fascist.
Do you find it strange that most of the comments pro-Facebook on this thread are anonymous? (Remember when Facebook hired an astroturf company to go against Google?)
Anyway, as far as study groups and whatnot: That's what Moodle's for!
I'm not a lawyer, but I play one on the Internet. Blog
But, of course, log everything.
Let the school do what it's intended for, and educate the kids on how to use the internet safely...
If you set up a strict filtering policy it will never be perfect, and people will still come across content they aren't meant to see, or as mentioned in the summary they will make dangerous levels of information available to the public via sites like Facebook. Also you will always get a few kids who will actively try to bypass the filter, being told no is the biggest motivator for some kids (I was one of those).
Another thing to consider, is while you can try to protect them from potential dangers on the internet while they're on campus, all you are really doing is leaving them less prepared for the real world. They won't consider that you were trying to protect them, they will just think you were trying to restrict them, and when they find themselves with access to an unfiltered internet connection they will encounter and/or seek out all manner of content.
So the key is education... And that's what a school is supposed to do, prepare kids for what they will encounter in the real world, not hide them away from it.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Just drop the domain, kids shouldn't be on Facebook at school
#include <sig.h>
You need to either make the filter whitelist of approved sites with a librarian able to add things on the fly, or don't even waste your time because the kids will be spending their days searching for porn sites that you haven't yet blocked.
If it's a computer lab dedicated to research and approved uses, then whitelist. If it's computers for general use, where they can check email, there's no excuse for blocking. Partly this is about the age of the students -- I'd expect younger kids to be on whitelist only, while in high school, they've already got live streaming hardcore porn on their smartphones.
"Setup" is a noun, not a verb. Your title should read "Ask Slashdot: How To Best Set up a School Internet Filter?".
I don't think this is about a cultural or generational thing.
For now, cellphones moved into that role of "wait, tapping away at it cannot be more serious than the conversation / class still in progress".
Well, no. If you start tapping away on a phone while in the middle of a conversation, you're being a dick unless you (e.g. apologise and say you have to reply to an urgent email or something). It's just about as dickish as picking up a newspaper and reading it when someone is talking to you or wandering off when they are in mid sentence. It's basically a dick move unless neither of you are invested in the conversation and are both on phones in which case it's a wash.
As for in class, well...
Yeah.
I was at school before cell phones were common. Graphical calculators had become readily available, however. I, and several of my friends, spent a good fraction of lessons dicking around on that. We would compete on who could write the best games, then play the games.
By happy coincidence, the thing that I enjoyed (hacking) was possible on the calculator and in fact about the only thing you could do on it. So I got to learn, too. The fact that it worked out for me very well doesn't alter that the lessons were so mind-crushingly dull.
SJW n. One who posts facts.
Back in 1999 or so, I was asked to do something similar for my church. (Believe it or not, people were really coming to church in the middle of the night and using church computers for porn. Actually, 'person'.) At that time, there were no good OSS filtering proxies, so I settled on a simple solution: accountability. We set up a squid proxy with a login requirement, and then we emailed the account holder a list of all the websites they had visited each day. Instantly, we had no porn problem.
Not sure I'd want to take this approach in an academic environment; a great deal would depend on the school, the age of the kids, and the values of parents, but I thought I'd mention it.
Nowadays, I'd just use a filter in the router forcing all DNS requests to go to OpenDNS, and use OpenDNS' content filtering. It's not as fine grained as you might want (it only works at the domain level) but it's still pretty effective. In this area, there's no such thing as 100% -- all you can do is try to keep it down to a dull roar.
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
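The accountability setup described in the comment above (a Squid proxy with logins and a daily list of visited sites per account), sketched as an added example that is not part of the original thread. It assumes Squid's native access.log format with proxy authentication filling the user field; the sample lines, usernames and hosts are constructed, and sending the mail is left out.

```python
"""Per-user daily digest built from a Squid access.log (native format)."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample. Native format fields: time elapsed client result/status
# bytes method URL user hierarchy/peer content-type
SAMPLE_LOG = """\
1700000000.101    120 10.0.1.21 TCP_MISS/200 5120 GET http://en.wikipedia.org/wiki/Squid alice HIER_DIRECT/198.51.100.7 text/html
1700000005.340     80 10.0.1.21 TCP_TUNNEL/200 9400 CONNECT www.facebook.com:443 alice HIER_DIRECT/198.51.100.20 -
1700000009.900      2 10.0.1.22 TCP_DENIED/403 3800 GET http://blocked.example/ bob HIER_NONE/- text/html
1700000012.000      1 10.0.1.22 TCP_DENIED/403 3900 CONNECT 203.0.113.9:22 bob HIER_NONE/- -
1700000015.000      1 10.0.1.23 TCP_DENIED/407 4000 GET http://example.org/ - HIER_NONE/- text/html
1700086400.000     95 10.0.1.21 TCP_MISS/200 700 GET http://moodle.school.example/login alice HIER_DIRECT/198.51.100.30 text/html
garbage line
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    ts, _elapsed, _client, result, _size, method, url, user = fields[:8]
    action = result.partition("/")[0]
    try:
        day = datetime.fromtimestamp(float(ts), tz=timezone.utc).date().isoformat()
        if method == "CONNECT":
            # HTTPS without interception: only host:port is logged, never the
            # path, so the digest can name the site but not the page.
            host, _, port = url.rpartition(":")
            port = int(port)
        else:
            parts = urlsplit(url)
            host = parts.hostname or ""
            port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None
    host = host.strip("[]").lower()
    if not host:
        return None
    return {"day": day, "user": user, "action": action,
            "method": method, "host": host, "port": port}


def build_digest(log_text):
    """Map (day, user) -> visited hosts, denied hosts, odd CONNECT targets."""
    digest = defaultdict(lambda: {"visited": set(), "denied": set(),
                                  "odd_connect": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        # "-" means no authenticated user yet (e.g. the 407 challenge).
        if rec is None or rec["user"] == "-":
            continue
        entry = digest[(rec["day"], rec["user"])]
        if "DENIED" in rec["action"]:
            entry["denied"].add(rec["host"])
        else:
            entry["visited"].add(rec["host"])
        # CONNECT to anything but 443 is worth a second look in an audit.
        if rec["method"] == "CONNECT" and rec["port"] != 443:
            entry["odd_connect"].add(f'{rec["host"]}:{rec["port"]}')
    return {key: {k: sorted(v) for k, v in e.items()}
            for key, e in digest.items()}


def render_report(day, user, entry):
    """Plain-text body for the daily message to one account holder."""
    lines = [f"Sites visited by {user} on {day} (UTC):"]
    lines += [f"  {host}" for host in entry["visited"]] or ["  (none)"]
    if entry["denied"]:
        lines.append("Blocked requests: " + ", ".join(entry["denied"]))
    if entry["odd_connect"]:
        lines.append("For admin review: " + ", ".join(entry["odd_connect"]))
    return "\n".join(lines)


if __name__ == "__main__":
    for (day, user), entry in sorted(build_digest(SAMPLE_LOG).items()):
        print(render_report(day, user, entry), end="\n\n")
```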
Unfortunately, quite a few people out there bought some shares in the IPO... Every little bit of positive spin helps...
I am very susceptible to "let's have another drink"
Many years ago I set up some school filters with Squid and DansGuardian. It wouldn't make any sense to do it today. Kids have unfiltered Internet at home and usb keys and phones to carry files around. Lots of school Internet connections have quotas and performance that are years out of date and filters that go completely overboard. Many kids have faster Internet connections in their pocket. The Internet isn't a scarce resource you can be gatekeeper of anymore. Adults, both parents and teachers, need to engage with kids again instead of relying on companies and technology to do their job for them.
The best thing to do is educate the students (that's what the school is there for, right?). Teach them proper security and privacy guidelines and why they are there. Kids will follow a rule if there is a valid reason for the rule and the kid knows the reason. (If there is no valid reason the rules are in place, then they don't need to be in place.) Then these kids will be safe not only on the school computers, but on their home computers, cellphones, ipads etc. etc. etc. If they break the rules then punish them for that. But don't treat them like rule breakers before they have even broken the rules, and don't hobble them by refusing to educate them.
For a private school, executive went for e-Safe (http://www.safenet-inc.com/data-protection/content-security-esafe/) on Mac and PC.
It's a system that transmits a machine ID along with running a keylogger and screen capture. Key presses are filtered through a central filter that alerts on things such as IM preening, online bullying, self-harm indicators, and inappropriate search terms. Screen caps are thumb-nailed, identified by machine ID, and monitored by humans for inappropriate images or video, etc. The content filter blocks and logs URLs of any websites we request or that fit their blocklists.
The House Heads are emailed logs of inappropriate activities on a weekly basis, and self-harm or bullying activities are emailed or SMSed immediately.
My role is servers and I haven't seen any of the logs, I just provide login logs and supporting documentation. All devices on the "guest" or "mobile devices" SSID have a school captive portal that requires their school login.
It seems to work well, in that people are educated post infringement. It has also alerted staff to possible at-risk students (including boarders) and a couple of webcam sessions involving minors. Since it's installed, it does have the vulnerability of being tampered with, but they also alert us to attempts to circumvent e-Safe.
Note: I can't verify its effectiveness since I don't see Pastoral Care issues. You will need to decide whether it fits your situation. I have some moral objections, but I don't make those kinds of decisions...
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
Yes, there's going to be a group of kids who are more determined and resourceful than the person asking. In a nontrivial number of cases, they're called "future sysadmins". That's not to say that they'll all do so or that it should be a motivation for whether things get filtered at all, but it is a byproduct worth mentioning.
That said, you raise an argument of questionable logic. Essentially, you've stated that because he CAN'T block EVERYTHING that he SHOULDN'T block ANYTHING. That's not really the way things work in K-12 education. See, if it takes a proxy, a VPN, and a memorized IP address to get to content deemed inappropriate by the powers that be, then anyone who has gotten to it has shown clear determination to do so. Thus, it's significantly easier for the IT staff to say "We have had filters in place from the get-go that block this content. This student used an incredibly elaborate method to get around these filters, and this method no longer works as we've updated our filters to accommodate it" and thus place blame squarely on the student for determination and intent. Using your method of leaving the floodgates of the internet opened means that answering to those same people when a student accidentally stumbles upon objectionable content will sound like, "we don't have any filters because they don't work 100% of the time". Reference-free job hunting starts in the morning.
If a student wants to get into the building after-hours and orders his own RFID card off the internet and programs it to mimic another card to unlock the door, it's going to be much tougher for the school to sue the security company than if the security company left the doors open 24/7 because there are 20-foot high windows.
Sure, students will bring in their issues of Penthouse or USB sticks with the contents of the latest pr0n torrent if they're determined to do so, but once again, it's how and where. A student walking into school with Penthouse in his backpack didn't get it from the school, therefore the school can't be held liable for the actions of the student. If the student downloaded an issue of Penthouse on a school computer, by contrast, now the school has made possible something that (for the sake of argument) the parents find objectionable and it's easy to point the finger at the IT admins since even a basic content filter would have mitigated the issue - or at the very least raised the barrier to entry significantly such that the IT staff can once again say "we can't block everything, but the filters do block all but the most determined attempts to get where he got" and absolve themselves from responsibility.
Yes, supervision absolutely needs to happen. The original post explicitly asks how to make supervision easier for that very reason. The question being asked isn't how to replace adult supervision with a technological solution, it's how to assist the teachers and try to fill in the gaps for the moments when the teacher is focusing on student #1 who happens to be seated at an inconvenient angle to observe student #2 doing the same thing.
I work for a school myself as an IT director. Before you get too far into making a custom filter you need to familiarize yourself with CIPA (Children's Internet Protection Act). If you are working at a school receiving public money you have to follow CIPA to a "T" or your school may lose its E-rate funding which is likely paying for the internet access in the first place.
Find some trustworthy high schooler who has study hall each period. Let that student hang out in the computer lab instead of study hall, in exchange for monitoring obviously inappropriate websites. Give them a line to a teacher if some douche is looking at porn and won't stop when they tell them to.
This is what my high school did; I was a computer lab monitor sometimes and it worked out pretty great. Only rarely even had to do anything (there was totally one moron who kept looking at stuff that he tried to claim wasn't softcore porn even though it really obviously was. He did get in trouble for it eventually.)
As for why you block porn in school - it isn't because kids shouldn't be allowed to see it if they want. I truly believe that you should block elementary schoolers from seeing that kind of garbage, but if you want to see it in junior high (i.e. after you've at least hit puberty), go ahead. You block porn in school because most people -don't- really want to see it, and it's a public space. Go view it in your bedroom by yourself.
I don't think there's really much you can do about blocking people's ability to give away information they shouldn't, without going crazy and blocking damn near fracking everything...
Class groups and study session events.
Has anybody tried Edmodo? Seems like Facebook for schools.
You want the taste of dried leaves boiled in water?
> Essentially we want to protect people who aren't able to protect themselves, at least while on campus.
No you don't, or if you do, then I question how much thinking you really did about this motivation you claim to have.
What are you protecting them from? It seems to me like you are trying to protect yourself from parents who would complain. I understand that but, be honest about your motivations. Filtering doesn't protect the person who is denied access to what they wanted to see.
"I opened my eyes, and everything went dark again"
Get you a computer, just about anything modern will do, and a couple of supported NICs. I used the TEG-PCITXRL because I use older model low profile Optiplexes.
http://www.pfsense.org/
Firewall port 80 and port 443
set up squid
set up squidblock
Create a wpad.dat file and put it on the web server, so browsers will automatically configure to use the proxy as long as they are set to automatically configure
Then download some freely available pre-categorized sites. I used these, but you can also use shalla's if you are a non-profit.
1. http://dsi.ut-capitole.fr/documentations/cache/squidguard_en.html#contrib
2. http://squidguard.mesd.k12.or.us/blacklists.tgz
3. http://www.shallalist.de/
I also downloaded the list of websites that adblock uses from easylist, and put it in the right format with a quick macro in my text editor:
https://easylist-downloads.adblockplus.org/easylist.txt
You can get really fancy if you want, and if you have a domain you can do a man in the middle proxy by creating a certificate then installing it on your pfsense box and each desktop. This would allow you to just route all 80 and 443 traffic through squid, and then you could use dansguardian to do keyword filtering. For your application I would probably steer clear of this for now, because you need to have a good way of making sure that EVERYONE knows that you can see their passwords to banks, emails, etc, and it's in a policy they sign or you could get in deep doo doo.
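A sketch of the wpad.dat file mentioned in the steps above, added here as an example and not taken from the comment. The proxy host `proxy.school.example`, port 3128, the internal domain and the private address ranges are all assumptions to replace with your own.

```javascript
// wpad.dat (added example; host names, port and ranges are assumptions).
// ES3-style JavaScript (var, no arrow functions) because some PAC engines are
// old. Only string operations are used, so the file also runs under Node.

var PROXY = "PROXY proxy.school.example:3128"; // assumed Squid box and port
var INTERNAL_SUFFIX = ".school.example";       // assumed internal DNS domain

// True if host is an IPv4 literal in a private or loopback range.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  if (a > 255 || b > 255 || +m[3] > 255 || +m[4] > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True for bare intranet names, the internal domain, or names beneath it.
// The leading dot in the suffix stops "notschool.example" from matching.
function isInternalName(host) {
  if (host.indexOf(".") === -1) return true;
  if (host === INTERNAL_SUFFIX.substring(1)) return true;
  return host.length > INTERNAL_SUFFIX.length &&
         host.substring(host.length - INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.charAt(host.length - 1) === ".") {
    host = host.substring(0, host.length - 1); // drop trailing root dot
  }
  if (isPrivateIPv4(host) || isInternalName(host)) return "DIRECT";
  // Deliberately no "; DIRECT" fallback: if Squid is down, browsing fails
  // closed instead of silently going around the filter.
  return PROXY;
}
```

Serve it from the web server as `/wpad.dat` with the MIME type `application/x-ns-proxy-autoconfig`. Clients that ignore auto-configuration still hit the port 80/443 firewall rule from the first step, so the PAC file is a convenience for cooperating browsers and the firewall is what enforces the policy.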
As a former school-district sysadmin, I'd say that blocking (bad) content from a school while allowing (good) content is nearly an impossible task. Obviously you can make a good effort, but it's an arms-race you can't win.
One should not underestimate the resourcefulness of a school full of bored teens. Hell, some of the most amazing stuff I've done was while I was in High School.
As an adult, it's not easy to pick this stuff up with the time available. Being young with an active brain and free time is a powerful thing, and a school full of semi-intelligent bored teens can be a pretty interesting place.
http://www.opendns.com/
Teacher: We don't want them on facebook, because they might take embarrassing/inappropriate pictures of other kids and post them online. We need you to block facebook.
Me: How are they taking these pictures?
Teacher: With their camera phones. We're worried they may take pictures in the locker rooms etc. We need you to block it
Me: We can't block somebody's phone. It's using the phone network, not the school's
Teacher: It's in the school. You should block it. We can't let this happen
Me: Why not just deal with the students who are behaving inappropriately?
Teacher: I don't have time to deal with them. I have too many students. Just deal with it. Set up a block or something.
Use your bandwidth to launch spam, DOS, and other attacks at facebook and wait for them to block your ip addresses. Then problem is solved!
In the communications closet, you'll see a box labeled "Router" or something like that. Into it there will be plugged a cable labeled "AC" or "DC" or "Power."
Simply remove that cable.
Since it's a school network I would think you'd just make anything they type in the URL bar take them to Wikipedia. But seriously though, I would spend a week creating a whitelist of sites and then whenever they reach a blocked site have it go to a page where they can request access to the site which would then email you a URL, the person requesting it, and their supplied reason for access. After which you'd just have to click approve a lot for a while and eventually it will die down. Whitelist with ability to add it is the only way to manage this sort of problem. Blacklist is impossible and never a good idea.
We must combine filtering, surveillance, and education.
Education alone does not cut it.
No one leaves poison at the reach of children; we know that teaching them is not enough, we also have to keep the poison away, and also we need to watch the kid.
For the same reasons, teaching children about pornography or perverts is not enough; we also need to filter the computer at home, to put the computer where the parents can see it, to ask the school to do the same, and still we have to watch the kids.
Moodle no good. No Mafia Wars or Farmville. It doesn't have a "timeline". You can't "like" anything. No great content. ;o(
I've seen this handled a few different ways. There's a tendency to let the technology staff dictate website appropriateness since they're in direct control of the filters. However, what seems to work best is to leave these decisions up to the curriculum department. They may in turn leave it up to the teacher's discretion. I see my role as an adviser. Let the people in charge of what goes on in the classroom know the risks, and what our tools are capable of, then let them decide. (I'd suggest these decisions be in email/writing, to cover your ass.) Now, as for the tools, there's some pretty slick filters out there that can block certain elements of Facebook, such as games/third party apps, chatting, etc. without blocking the entire site. We used Palo Alto firewalls for this, but I know there are other products out there that can do the same. Good luck! Just let me know if you have any questions.
Kids are getting Samsung Galaxy 3 phones and with it comes wifi, and data. Via data, they can do everything that is possible, as if the school has no firewall.
I would block facebook, except for lunch hours. Ditto for the other sites.
Leslie Satenstein Montreal Quebec Canada