Slashdot Mirror


Ask Slashdot: How To Best Setup a School Internet Filter?

An anonymous reader writes "I was recently volunteered to be the network/computer admin for a small non-profit school. One of the items asked of me had to do with filtering inappropriate content (i.e. stuff you wouldn't want your mother to see). Essentially we want to protect people who aren't able to protect themselves, at least while on campus. Basic site filtering is fairly easy — set up squid with one of the many filtering engines and click to filter the categories you're interested in. Additionally, making the computer lab highly visible uses public shame and humiliation to limit additional activity. The real question — How do you filter Facebook? There is a lot of great content and features on Facebook, and it's a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to set up campus-wide security/privacy policies for Facebook?"

61 of 454 comments

  1. Don't by Simulant · · Score: 5, Insightful

    Just block it altogether. Not worth it.

    1. Re:Don't by ThatsMyNick · · Score: 5, Insightful

      Or whitelist a few websites and be done with it.

    2. Re:Don't by jhoegl · · Score: 4, Funny

      Until the dean says "I promote the school through Facebook!" and you reply with "You can do that at home".

    3. Re:Don't by buchner.johannes · · Score: 2

      There is a lot of great content and features on Facebook

      Like what? What are you trying to protect against? What should pupils be allowed to see?

      It's pointless anyways, kids have Facebook on their phones these days.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    4. Re:Don't by jbolden · · Score: 2, Informative

      We're now having to look into decryption which brings its own issues pertaining to certificate management.

      What do you even mean there? You aren't going to be able to pull off a man in the middle attack. You either block https or game over.

    5. Re:Don't by Jamu · · Score: 4, Insightful

      Best way to stop them looking at inappropriate content is don't set up a filter, but keep a record of every website they visit and who visited it. Tell the students you are doing this.

      --
      Who ordered that?
    6. Re:Don't by cpu6502 · · Score: 4, Insightful

      Exactly my thought. I would also include a note on the "block page" to send an email to admin@whatever if the user wants a site opened. That way brand-new sites like teenskissingtheirpussies will be blocked by default, but if someone requests a site like PBSkids.com you can whitelist it ASAP.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    7. Re:Don't by sqlrob · · Score: 4, Insightful

      It's easy to pull off a man in the middle attack if you control the computers.

      You generate your own certs with a CA that you've installed on the computer. At least one commercial product does this automatically.

    8. Re:Don't by Anonymous Coward · · Score: 5, Funny

      Um, so, teenskissingtheirpussies. Linky??

    9. Re:Don't by chrb · · Score: 3, Informative

      What do you even mean there? You aren't going to be able to pull off a man in the middle attack.

      Oh but you can, and it's increasingly being done and the people being intercepted are probably completely unaware of it. All of the big providers of content filtering hardware offer SSL interception now (actually that article was written in 2006, so it's been going on for a while now). The sysadmin just has to deploy a trusted CA key to each desktop. I still think it is probably a violation of various wiretap laws because, regardless of what the local user has agreed to, the remote side (Google, your bank etc.) have not agreed to your interception of their encrypted communications. But, afaik, surprisingly nobody has yet sued over this issue.

    10. Re:Don't by Joce640k · · Score: 4, Insightful

      There is a lot of great content and features on Facebook

      Like what? What are you trying to protect against?

      Facebook whores hogging the computers all day long so nobody can do any work...?

      --
      No sig today...
    11. Re:Don't by houghi · · Score: 4, Informative

      You could add them automatically, as long as a teacher asks for it (and is verified that it was a teacher).
      Let them know that it will be logged and verified later.
      They will control themselves better than you can, as long as you do the follow up and explain why things are removed.

      Obviously this should not be your only line of defense. When I look at openDNS, it says that 1 in 3 schools are already using it. And they have something like http://www.opendns.com/business-solutions/k-12-education-old as well as free solutions.

      --
      Don't fight for your country, if your country does not fight for you.
    12. Re:Don't by jbolden · · Score: 2

      I hadn't thought of that. Yep that would work. I stand corrected.

    13. Re:Don't by datavirtue · · Score: 4, Insightful

      So we used to authority policing our content consumption? I work at a college and we do no filtering of any kind due to academic freedom. There are issues from time to time but it is tolerated in the name of freedom.

      --
      I object to power without constructive purpose. --Spock
    14. Re:Don't by fuzzyfuzzyfungus · · Score: 2

      In the US, at least, I don't know the dirty details on other jurisdictions, the name of the game is CIPA. The "Children's Internet Protection Act" (what could go wrong, eh?)

      After the "Communications Decency Act" and the "Child Online Protection Act" were banhammered for being grossly unconstitutional, we got CIPA. Many thanks to Sen. John McCain (R-AZ), Sen. Ernest Hollings (D-SC), Rep. Bob Franks (R-N.J.), Rep. Chip Pickering (R-MS), and the justices writing for the majority on UNITED STATES V. AMERICAN LIBRARY ASSN., INC. (02-361) 539 U.S. 194 (2003).

    15. Re:Don't by cayenne8 · · Score: 5, Interesting

      I work at a college and we do no filtering of any kind due to academic freedom. There are issues from time to time but it is tolerated in the name of freedom.

      I guess the person asking the question didn't specify, but I was under the assumption that this was for an elementary level type school....so, you're policing children, and you'd likely start with things mostly turned off, and then let on what you needed as required by the instructors.

      Also, if that is the case...wouldn't most of these kids be too young to have FB accounts per the TOS for Facebook? If that's the case...no problem in banning FB entirely, eh?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    16. Re:Don't by ShanghaiBill · · Score: 3, Informative

      I work at a college and we do no filtering of any kind due to academic freedom.

      High school is not college. College students are adults fully responsible for their own behavior. High school students are legally children, and giving them access to things their parents don't approve of is not only going to cause administrative problems, but may even be illegal in some cases.

    17. Re:Don't by xstonedogx · · Score: 2

      This is what you do:

      You give parents and students a piece of paper that says the students are authorized to use the internet, but that the parents and students agree that the student will use it responsibly or will be held responsible for its misuse. Parents and student alike are required to sign.

      Then you don't worry about it. If the student(s) abuse the privilege, the parents cannot complain because they not only authorized the use, but agreed that their child would use the resource appropriately.

    18. Re:Don't by Anonymous Coward · · Score: 5, Insightful

      I guess the person asking the question didn't specify, but I was under the assumption that this was for an elementary level type school....so, you're policing children, and you'd likely start with things mostly turned off, and then let on what you needed as required by the instructors.

      Back in the mid-1990s when I was at the elementary school level, we had a 10BASE2 coaxial network and unlimited Internet access. And oh boy did we find lots of both questionable (nude, porn) and illegal content (games, software and MP3s were already flooding to the websites from the soon-to-be-legacy private BBSes and FTPs), and guess what all that did to me? Nowadays I post anonymous comments to Slashdot, have a job and pay my taxes (oh, and MSE in the works).

      So, unless you want your kids to grow up as future Slashdot users and engineers with university grade degrees, block everything (I mean *everything*), throw them to your basement and never open the door. Everything else is just plain stupidity and both wasted time and effort.

    19. Re:Don't by Vegemeister · · Score: 2

      The very basics of research, in 2012 CE, involve a search engine.

    20. Re:Don't by Xest · · Score: 4, Insightful

      It doesn't work anyway. I worked supporting schools for some years and we ran a WAN that they connected through to the internet (around 150 schools connecting via 10mbps links to a central pipe) and the fact is you just can't do anything about kids accessing what they shouldn't.

      They're far more resourceful, far more motivated, and have far more time than your IT staff. Like the music industry trying to clamp down on piracy, IT staff trying to clamp down on kids whilst still keeping the internet somehow useful is a lost cause. The kids know any number of proxy sites, they'll find any number, sites you didn't even know existed as a long time IT professional, and hell, even if you do lock down the internet completely (and make it largely useless in the process) kids are only going to bring in porn mags and CDs/memory sticks with porn and such on anyway.

      The best solution is entirely with the teachers. It's with the teachers to catch kids browsing things they shouldn't, and to punish them and make an example that doing what you shouldn't in school hours will get you in deep shit. Anything else is doomed to fail, and even this method isn't going to stop every kid, but it'll be far more effective than any kind of technological solution will be. If we're talking about really young kids and you want to protect their precious little eyes then internet access should be treated the same way as it would be by a "good" parent - supervise them whilst they're using it.

    21. Re:Don't by xenobyte · · Score: 2

      Cell phones aren't allowed on school premises, and will be confiscated if a student is caught in possession of one.

      Really? - What if a parent needs to contact a student?

      The old method of calling the administration office and have them page the student is both costly, disruptive to both class and administration, and often involves the student talking while standing right next to an administration employee, which is an obvious invasion of privacy.

      The correct way to do it is to allow cell phones set to a silent ring, and ban from making outgoing calls and texts during school hours (students must comply with inspection requests). This way they can be reached and are able to go somewhere private to take a call, which obviously should be of a certain importance to be allowed.

      Confiscation is an epic Bad Idea (tm) which makes the school liable both for damages relating to missed calls and for the cost of a new phone. If you need to take away a cell phone, make a parent come pick it up after school and let him/her/them handle the situation from there. A school should not steal student property, no matter what the excuse.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    22. Re:Don't by demonlapin · · Score: 2

      Then they can provide unfiltered internet at home. Or, if they really have a compelling school usage, they can present their case to a teacher, who can then go to bat for them. I'm not a fan of censorship in general but this is more like just maintaining decorum in public. It's like the eternally nude people in SF: it bothers me not because I think that the human body is evil, but because it's someone who can't be bothered to make the most simple concessions to public decency and hygiene. Tanning your whole body in a quiet park is one thing; flying your junk like a flag as you roll down the street (or shop in a store!) is just being a jerk.

    23. Re:Don't by demonlapin · · Score: 4, Funny

      which is an obvious invasion of privacy

      I cannot imagine any actual important secret that I would entrust to an elementary or middle-school child's confidence, but if I really had one I wouldn't tell it to anyone over the phone. I'd announce that I was coming to pick them up, that there were some urgent family matters to deal with, and that they could not wait until school let out. Then I'd pick them up and tell them whatever it was so important to get a 13-year-old's opinion on right now.

    24. Re:Don't by crashumbc · · Score: 3, Interesting

      In addition or "better" make the parents give you an E-mail address where a monthly report of every high website the student visited will be mailed...

    25. Re:Don't by Bastardchyld · · Score: 2

      That is totally dependent on where you are...

      http://en.wikipedia.org/wiki/Age_of_majority

      Oddly enough that Wikipedia Article shows only 6 countries that have age of adulthood at less than 18, and none of them are 16. In the US it is 18 except for Alabama (19), Nebraska (19), Mississippi (21), and Puerto Rico (21). Canada is about 50/50 between 18 and 19. The UK is 18. Most of Africa is 21. Japan 20.

      So your point is flatly incorrect.

      --
      $diff terrorists hippies
      $
      $rm -rf *terrorists *hippies
    26. Re:Don't by Forty+Two+Tenfold · · Score: 2

      What should pupils be allowed to see?

      They are actually holes in the iris, so they don't really "see" anything. It's the retina that... oh, I see...

      --
      Upward mobility is a slippery slope - the higher you climb the more you show your ass.
  2. Don't by infogulch · · Score: 2

    Just don't set up a filter. Done!

  3. Who decides what's "inappropriate" by Anonymous Coward · · Score: 5, Funny

    My mother was a porn star. There's not much that I wouldn't want her to see.

    Slippery slope, my man.

    1. Re:Who decides what's "inappropriate" by Anonymous Coward · · Score: 2, Funny

      Cool, I thought I saw your Mom in "Slippery Slope - Volume III"

  4. lulz. good luck by girlintraining · · Score: 2

    There is a lot of great content and features on Facebook, and it's a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to set up campus-wide security/privacy policies for Facebook?"

    In a word, don't. Unlike adults, teenagers won't have any qualms about bypassing your filtering. They'll use proxies. Tor. Thumb drives with other operating systems on it. Mobile phones. Secret non-broadcasting wifi networks. No filtering software yet designed has survived more than a few months in a public school without leaving the server running it as little more than a smouldering carbon scorch mark on the floor.

    If this were a corporate environment, you could count on the fear and paranoia of being fired. You have no such power over teenagers... and many of them would do it even if you threatened them with life in the electric chair, because teenagers do not have good judgement. Even if you ask them "Is that a good idea," and they reply, "No," they'll probably keep doing it. And if you ask them why, they'll give you about as good of an answer as randomly seeking to some point in addressable memory and reading out whatever strings may or may not be present.

    My advice... turn off the internet, lock the systems down, bolt them to the tables, put epoxy in all the USB ports, remove the optical drives, put everything behind plexiglass (little fingerholes for the keyboards), load up your operating system of choice and lock it down as much as you can, and then maybe, just maybe... you have a chance.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:lulz. good luck by LateArthurDent · · Score: 5, Interesting

      In a word, don't. Unlike adults, teenagers won't have any qualms about bypassing your filtering. They'll use proxies. Tor. Thumb drives with other operating systems on it. Mobile phones. Secret non-broadcasting wifi networks.

      Honestly, that's almost a good argument for implementing filtering. It challenges bright people to come up with clever solutions. Then they'll grow up with an interest in computers and networking, as well as a healthy distaste for censorship.

    2. Re:lulz. good luck by clockwise_music · · Score: 2

      I disagree.

      It is the original poster's intention to block inappropriate content. It is probably his duty to take reasonable steps to ensure that porn.com is blocked. If people want to go out of their way to deliberately bypass filtering then they can do that if they wish - but at least now they know that they shouldn't, and they should be held responsible for that.

    3. Re:lulz. good luck by girlintraining · · Score: 3, Interesting

      Honestly, that's almost a good argument for implementing filtering. It challenges bright people to come up with clever solutions. Then they'll grow up with an interest in computers and networking, as well as a healthy distaste for censorship.

      Most people aren't bright, and for every person it fosters a love of exploration and challenge, it'll create fifty more who view it as normal and try to club the other kid over the head for trying to get them all into trouble. The best solution is not to censor at all, and to simply be open to the kids about what's okay and what's not, and why, and if they have questions to have role models they can talk to about it that won't judge them for being curious or looking. Telling a kid not to do something just makes them want it more.

      My mom tried for years to get my sister to wear mittens and hats when it was cold out (this is Minnesota, where winters can and do kill people every year). She'd never let her go outside without them, and was generally overbearing on the matter. Then she went on vacation for a few weeks in January and little sister asked to go for a walk. I saw how she was dressed -- no hat, no gloves, and asked if she thought she was dressed appropriately. She said yes. I opened the door. 10 minutes into our walk, she started complaining about how cold she was. I kept walking. She whined and said she wanted to go home. I kept walking, reminding her she said she was dressed appropriately and I was going to hold her to that. Another 10 minutes goes by and now she's shivering, stuffing her fingers in her sleeves, her pockets, finally pulling her arms out of the jacket entirely so her hands could stay out of the cold. Her nose and ears were red, and she looked miserable. Another 10 minutes goes by and she's stopped whining now and limping along miserably. We get back in the house, and she doesn't take off the jacket or anything, just goes to her room, pulls the blanket over her head, and remains miserable. About 5 minutes later I came in and took her shoes and socks off (which had become wet), put dry ones on, and put an electric blanket on her feet to warm them back up. She was fine after that.

      She's never left the house without a hat or gloves since. Lesson learned.

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:lulz. good luck by serviscope_minor · · Score: 4, Insightful

      the flipside to that isn't to make them suffer for your crappy teaching methods

      You've missed the point.

      Making the kid suffer would be to say something like "so you think it's ok, right? Now I'm going to force you outside and force you to suffer".

      What the GP did was to allow the kid to teach herself. She let the kid make the decision that the kid wanted to, and see what consequences that led to.

      It's actually a really good teaching method: let the kid learn and explore, but be there in the background to make sure that they don't accidentally kill themselves or suffer permanent injury.

      No lesson sticks quite as well as one hard learned oneself.

      --
      SJW n. One who posts facts.
  5. Good Kids by dark+grep · · Score: 5, Insightful

    Many years ago I connected an Internet feed for a private girls school - a very conservative, Christian, and very well respected one - in Sydney. During the setup I was talking to the Headmistress about if she had any concerns regarding the content the girls might access. I thought her response was particularly enlightened; her comment was something like 'Whatever you try to restrict will make them want to access it more, which they will do secretly and unguided. If we don't make any restrictions then it will never be a big deal, and anything they feel uncomfortable about they can discuss with their teacher. Good kids will know to do the right thing, and all our girls are good.'

    If I had a daughter, I probably would have sent her to that school.

    1. Re:Good Kids by tibit · · Score: 2

      The nun is partly right, partly wrong. Yes, restrictions will exacerbate the problem. No restrictions, though, won't make the problem magically go away either. I mean, there *is* a problem to begin with -- that they'll run into porn, or whatever else passes for inappropriate content. Porn-wise, I think that kids who are raised in a home where nudity is no big deal will react appropriately: shrug it off, saying "so what, haven't you seen a naked guy/girl?!". Sex isn't exactly a visually engaging thing if you don't pay much attention to nudity to begin with. Up to a certain age, at least, I'd think. In homes where privates were verboten to see except by yourself in the mirror -- oh well, those will be the problem kids. There's no way to ensure, much less be sure of, "all our girls [being] good".

      --
      A successful API design takes a mixture of software design and pedagogy.
    2. Re:Good Kids by DaveGod · · Score: 2

      Internet filters aren't about protecting children, they are about protecting the school from their parents.

  6. Re:opendns by Anonymous Coward · · Score: 5, Informative

    OpenDNS is a huge scam - right up there with all the other Bait & Switch slime.

    It used to be free, our public library used them to filter porn so that they met the basic filtering requirements in order to get Federal grant money.

    Then OpenDNS said no more free filtering - all right, everyone needs to make a buck or two right?

    So how much for 50 workstations - $1250/year (and that's with a non-profit discount) - for DNS service.

    Yeah, going from free to outrageous isn't exactly a viable business plan.

    DynDNS offers pretty much the same thing (i.e. category filtering) for $20/year - guess which plan the Library went with?

  7. Don't waste time and money on it. by Anonymous Coward · · Score: 2, Insightful

    This is not only the wrong message to children, it's also impossible to outsmart a teen who wants to get on facebook.

  8. You can't even trust Facebook the company... by JK_the_Slacker · · Score: 2

    Given the utterly dismal record of Facebook the company when it comes to the privacy of its users, I wouldn't bother allowing access. Not only do you have your users to worry about, you have external Facebook users and Facebook itself - that sounds like a recipe for disaster to me. Aren't we due for a reset of our privacy settings to 'Everything shared with everyone' any day now?

    --
    I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
    1. Re:You can't even trust Facebook the company... by tibit · · Score: 2

      Agreed. I don't see the value of Facebook on student-accessible computers. As for the teachers, they should have access to everything. Anything else would be stupid. It's an education of learning, you can't a priori decide that some things have no educational value. Besides, why on earth ban Facebook use during teacher's off time. I mean, give me a break, you already provide teachers with a lounge, perhaps a cafeteria, etc. Barring recreational internet access on school grounds makes no sense to me at all.

      --
      A successful API design takes a mixture of software design and pedagogy.
  9. The real question - how do you filter lunch? by Chemisor · · Score: 4, Funny

    There is a lot of great content and features in homemade lunches, and they are a great way to stay in contact with friends and enjoy eating, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more than should be shared, and not everyone follows proper nutritional and safety guidelines.

    The solution is obvious: open a cafeteria on the premises and make it illegal to bring any outside food. This way total control over food quality and nutritional content can be achieved. Additionally, making the cafeteria highly visible uses public shame and humiliation to limit inappropriate activity, such as enjoying food.

  10. If unsafe use of the internet is a concern... by fm6 · · Score: 4, Insightful

    ... then your school should be teaching kids how to use the Internet safely. There just isn't any technology that will protect your kids from everything they might do wrong.

    I suppose you have to block sites that would offend parents (though the kids probably know all about them) but relying on filtering software to keep your kids safe is abdicating the school's responsibility.

    1. Re:If unsafe use of the internet is a concern... by fm6 · · Score: 2

      I never said he shouldn't put up a filter. But he wants a filter that protects kids from doing stupid stuff, and there's no such thing.

  11. Employ a teacher! by multiben · · Score: 3, Insightful

    Don't bother with the filters, stick all the computers in a supervised area and kick out any students who break the rules. Speaking as someone who is personally sick to death of being managed by dumb computer programs (time management and performance evaluating software), why not have a responsible adult present to help guide the students? An old fashioned notion I know, but they are at school after all.

  12. Can't by tverbeek · · Score: 4, Insightful

    You can't partially-filter Facebook, not in any meaningful or effective way. If you try, you'll fail. Either users have access to it, or they do not.

    And for a school (assuming K-12), the hypothetical benefits are massively outweighed by the problems. Not just the content-filtering ones, but the waste-of-resources and distraction-from-task kind. Give kids easy access to Facebook at school, and your computer lab will become a Facebook lab. It serves no educational purpose, and just like the Gameboys, Walkmans, transistor radios, whatever toys earlier kids tried to play with at school that distracted from what they were there for, it's perfectly appropriate to say "not at school".

    --
    http://alternatives.rzero.com/
  13. Dogbert, the network administrator by linebackn · · Score: 4, Funny
  14. It's a race... by sillivalley · · Score: 2

    And it's a race you will lose, should you choose to enter.

    But if you really want to play -- take a look at Untangle (http://www.untangle.com) for a Linux-based appliance (free versions available) that will do other things such as spam filtering, basic AV, and more. Paid modules (inexpensive) let you add web caching, which cuts down on traffic, especially when you have a bunch of kids in a computer lab accessing the same web resources. So you can solve the problem for the hard-connected machines that are fairly well locked down individually.

    But in the end, it's a pain in the ass. My wife is a middle school teacher, and she complained about their school's filtering "solution" keeping her from researching and accessing useful sites until my son reconfigured her laptop to use a proxy that he and some friends run so that they can get around school filtering solutions...

    Set expectations early and often -- you will be able to block most of the kids (and adults). Some will always get around the barriers you put in place, often just for the sport of it.

    Unless you set expectations, you will successfully block things for 598 students -- 2 will get through and you will be castigated as a FAILURE.

    Still want to play the game?

  15. Re:opendns by Anonymous Coward · · Score: 5, Insightful

    You're god-damn right it was a scam. The main part of OpenDNS that pissed me off was their filters were created and filled BY THE USERS. And now they're charging for something they got for free. We thought it was going to be a symbiotic relationship but it ended up being a parasite.

    How much for a business with 200-220 PCs? $3000 a year.

  16. How old are these kids? by dacut · · Score: 4, Informative

    If they're under 13 (elementary and middle school age range), they're not allowed to access Facebook due to their terms of service and (in the US, at least) COPPA.

    From Facebook's terms of service:
    You will not use Facebook if you are under 13.

    This is due to the Children's Online Privacy Protection Act, which requires verified parental consent before children can provide information to the website. While this does not impact you directly (that is, the FTC isn't going to knock on your door), you could get some heat from parents or administrators for allowing it at all.

    Personally, I think the law is too draconian, but I wouldn't put my position in jeopardy to protest it.

  17. pfSense + DansGuardian + OpenDNS + Unbound DNS by Anonymous Coward · · Score: 4, Informative

    Use pfSense with Squid Proxy WAN object caching and DansGuardian (with the paid list updates) and on top of that, OpenDNS filtering.

    OpenDNS will help with malware prevention and botnet computers.

    Use Unbound forwarding to pull OpenDNS but also locally cache DNS entries for faster response times.

    Block DNS port 53 from exiting the WAN from anything but the pfsense proxy to prevent circumvention of your local proxy.
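The port 53 rule in the comment above is easy to get subtly wrong, for instance by blocking only UDP. The following is an added example, not from the poster or from pfSense: it uses a simplified first-match rule model (not pfSense's rule format) to audit a ruleset for direct DNS egress. The LAN addresses and rulesets are constructed, 208.67.222.222 and 208.67.220.220 are OpenDNS's public resolvers, and 192.0.2.53 is a documentation address standing in for any outside DNS server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "udp", "tcp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any port


def decide(rules, proto, src, dst, dport, default="block"):
    """Evaluate a packet against the rules; the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if s not in ipaddress.ip_network(r.src):
            continue
        if d not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return default


def dns_leaks(rules, clients, resolver, outside="192.0.2.53"):
    """List (client, proto) pairs that can reach an outside DNS server directly."""
    leaks = []
    for client in clients:
        if client == resolver:
            continue
        for proto in ("udp", "tcp"):      # DNS uses both; check both
            if decide(rules, proto, client, outside, 53) == "pass":
                leaks.append((client, proto))
    return leaks


def resolver_ok(rules, resolver, upstreams):
    """The local resolver must still reach every upstream on UDP and TCP 53."""
    return all(decide(rules, p, resolver, u, 53) == "pass"
               for u in upstreams for p in ("udp", "tcp"))


# Constructed sample network: resolver/proxy at 10.0.0.1, two lab machines.
LAN, ANY, RESOLVER = "10.0.0.0/24", "0.0.0.0/0", "10.0.0.1"
CLIENTS = ["10.0.0.20", "10.0.0.21"]
OPENDNS = ["208.67.222.222", "208.67.220.220"]
LOCAL_DNS = Rule("pass", "any", LAN, RESOLVER + "/32", 53)

# Weak: only UDP 53 is blocked, so TCP 53 falls through to the general allow.
WEAK = [
    LOCAL_DNS,
    Rule("pass", "any", RESOLVER + "/32", ANY, 53),
    Rule("block", "udp", LAN, ANY, 53),
    Rule("pass", "any", LAN, ANY, None),
]

# Corrected: resolver may talk only to its upstreams; all other port 53 is blocked.
FIXED = [
    LOCAL_DNS,
    Rule("pass", "any", RESOLVER + "/32", OPENDNS[0] + "/32", 53),
    Rule("pass", "any", RESOLVER + "/32", OPENDNS[1] + "/32", 53),
    Rule("block", "any", LAN, ANY, 53),
    Rule("pass", "any", LAN, ANY, None),
]

if __name__ == "__main__":
    print("weak ruleset leaks: ", dns_leaks(WEAK, CLIENTS, RESOLVER))
    print("fixed ruleset leaks:", dns_leaks(FIXED, CLIENTS, RESOLVER))
```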

  18. Re:can't partially-filter Facebook by Nonesuch · · Score: 4, Informative

    Actually, many of the more complex commercial firewall products CAN partially filter facebook. For example, you can permit reading but block posting updates, or permit access to most pages but block Farmville and all streaming media from fbcdn. I've always thought the easy way to cut down on problems with this sort of Internet access was to permit Content-type: text/* but block all images, audio, and video. Basically, let them read Playboy for the articles!

  19. Nothing by ericartman · · Score: 2

    Been working in Education for the last decade and I can say give it up. I have never seen any filter work more than a day at best. Lightspeed whatever just doesn't last very long. Kids start with proxy, but quickly switched to stealing passwords. The school year is only a week old and I have already seen a fairly complete list of staff passwords and even our sys admin password. Get a Federal approved filter and do the best you can, keeping the systems working will kill all the time you have believe me.

  20. Re:can't partially-filter Facebook by SydShamino · · Score: 2

    One such company is Socialware, for example. I think for a lot of these settings Facebook has exposed assets and you can directly manipulate things in a "whack-a-mole" fashion, but hiring a company like Socialware gives you all of that managed for you in a proxy. Obviously this is out of reach of one guy running an elementary school, though.

    --
    It doesn't hurt to be nice.

  21. Whitelists? by Compaqt · · Score: 2

    Yeah, but which ready-to-go Linux firewall/proxy combo really supports whitelists?

    I've researched (though not used) ClearOS and a bunch of the others, and whitelists seem to be a feature that people ask about in the forums as opposed to something that's a first-class feature.

    For a restricted use environment, like elementary school, it would be great to add 10, 100, 1000, or even 10000 or 100,000 websites to a list and be done as opposed to chasing every new weird site.

    As far as 1st Amendment issues, think of it like this: The library doesn't subscribe to every magazine on Earth, right? At most, it gets 100 or so. So just consider whitelists as subscribing to ten thousand websites.

    What would be awesome would be: You (attempt) to go to a non-whitelisted site. You get an error message with an HTML form. Since you believe it to be useful, you fill in your whitelist request along with a reason, hit Submit, and it instantly goes to the librarian (?) or whoever's in charge of whitelisting, and they have a quick look at the site and approve or deny.

    Anything like that available for Linux?

    --
    I'm not a lawyer, but I play one on the Internet. Blog

    1. Re:Whitelists? by sc0ob5 · · Score: 3, Informative

      Not a bad idea for elementary kids. A simple redirect using squid to a PHP form which would email someone a link to the site in question and another PHP form for approval which would then automatically append to a whitelist if approved and to a blacklist if denied so students can’t keep submitting the same site. There are a few sites around that have whitelists for education purposes; opendns.com springs to mind. The problem is, with so many sites being created daily, it’s impossible to keep up with educational resources for middle school and high school kids and you are better off with just a blacklist, which are more readily available.

      When I was first starting out in IT I worked at a reasonably large high school and found the best way to filter was using squid and have a large blacklist automatically updated weekly and use a log analyser such as Sarg to generate reports on a daily basis and anything that seemed out of place or got a lot of traffic and wasn’t related to education would go on the blacklist. Of course none of this was available off the shelf back then, but it’s still probably the best way to go about it considering that it’s a non-profit school. As for Facebook, it should be blocked in any school environment, there is nothing on there of any educational value.

      I don’t know the age range the OP is talking about, kind of seems contradictory. People not able to protect themselves but yet have shame.. doesn’t really make sense.
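
The request/approve/deny flow and the daily log review described in the two comments above, sketched as an added example (not code from the thread). It assumes squid's native access.log layout; the function names, the in-memory list handling and the sample log lines are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: time elapsed client action/code bytes method URL ident peer type
SAMPLE_LOG = """\
1346400001.101 210 10.0.5.21 TCP_MISS/200 5120 GET http://www.mathsite.example/math - DIRECT/192.0.2.10 text/html
1346400002.330 95 10.0.5.22 TCP_MISS/200 900 GET http://games.example/play - DIRECT/192.0.2.20 text/html
1346400003.412 90 10.0.5.22 TCP_MISS/200 640 GET http://games.example/score - DIRECT/192.0.2.20 text/html
1346400003.870 120 10.0.5.22 TCP_MISS/200 1800 CONNECT cdn.games.example:443 - DIRECT/192.0.2.21 -
1346400004.015 80 10.0.5.23 TCP_DENIED/403 350 GET http://blocked.example/ - NONE/- text/html
""".splitlines()

def host_of(url):
    """Host from a logged URL; CONNECT entries are logged as host:port."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def listed(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def status(host, whitelist, blacklist):
    """Blacklist wins, so a denied site cannot be requested again."""
    if listed(host, blacklist):
        return "denied"
    if listed(host, whitelist):
        return "allowed"
    return "pending"

def decide(host, approve, whitelist, blacklist):
    """Record the reviewer's decision; refuse hosts already decided."""
    if status(host, whitelist, blacklist) != "pending":
        return False
    (whitelist if approve else blacklist).add(host)
    return True

def review_report(lines, whitelist, blacklist, top=10):
    """Count requests squid served to hosts on neither list, busiest first."""
    hits = Counter()
    for line in lines:
        f = line.split()
        if len(f) < 7 or f[3].startswith("TCP_DENIED"):
            continue
        host = host_of(f[6])
        if host and status(host, whitelist, blacklist) == "pending":
            hits[host] += 1
    return hits.most_common(top)
```

Matching on domain suffix means one denial of a parent domain also covers its subdomains, which keeps the review queue from filling with CDN hostnames of sites already rejected.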

  22. The unfortunate reality comes down to liability by Voyager529 · · Score: 5, Insightful

    Yes, there's going to be a group of kids who are more determined and resourceful than the person asking. In a nontrivial number of cases, they're called "future sysadmins". That's not to say that they'll all do so or that it should be a motivation for whether things get filtered at all, but it is a byproduct worth mentioning.

    That said, you raise an argument of questionable logic. Essentially, you've stated that because he CAN'T block EVERYTHING that he SHOULDN'T block ANYTHING. That's not really the way things work in K-12 education. See, if it takes a proxy, a VPN, and a memorized IP address to get to content deemed inappropriate by the powers that be, then anyone who has gotten to it has shown clear determination to do so. Thus, it's significantly easier for the IT staff to say "We have had filters in place from the get-go that block this content. This student used an incredibly elaborate method to get around these filters, and this method no longer works as we've updated our filters to accommodate it" and thus place blame squarely on the student for determination and intent. Using your method of leaving the floodgates of the internet opened means that answering to those same people when a student accidentally stumbles upon objectionable content will sound like, "we don't have any filters because they don't work 100% of the time". Reference-free job hunting starts in the morning.

    If a student wants to get into the building after-hours and orders his own RFID card off the internet and programs it to mimic another card to unlock the door, it's going to be much tougher for the school to sue the security company than if the security company left the doors open 24/7 because there are 20-foot high windows.

    Sure, students will bring in their issues of Penthouse or USB sticks with the contents of the latest pr0n torrent if they're determined to do so, but once again, it's how and where. A student walking into school with Penthouse in his backpack didn't get it from the school, therefore the school can't be held liable for the actions of the student. If the student downloaded an issue of Penthouse on a school computer, by contrast, now the school has made possible something that (for the sake of argument) the parents find objectionable and it's easy to point the finger at the IT admins since even a basic content filter would have mitigated the issue - or at the very least raised the barrier to entry significantly such that the IT staff can once again say "we can't block everything, but the filters do block all but the most determined attempts to get where he got" and absolve themselves from responsibility.

    Yes, supervision absolutely needs to happen. The original post explicitly asks how to make supervision easier for that very reason. The question being asked isn't how to replace adult supervision with a technological solution, it's how to assist the teachers and try to fill in the gaps for the moments when the teacher is focusing on student #1 who happens to be seated at an inconvenient angle to observe student #2 doing the same thing.

    1. Re:The unfortunate reality comes down to liability by Voyager529 · · Score: 4, Insightful

      Mommy can throw a tantrum all she wants about Timmy seeing a boob online. The question of whether the situation is able to escalate beyond that is where filters come into place.

      Scenario 1:
      Mommy: "Timmy saw pr0n at school! The IT department is incompetent and needs to pay me *raises pinky to mouth* one MILLION dollars!"
      IT Dept witness: "Your honor, the school has had content and proxy filtering on their network for years. This is the filtering system that the Board of Education has chosen for us to be using, configured using industry standard practices, and being appended weekly with additional 'creative' ways the students have found to bypass these filters. Here are the log files in the traffic, indicating that the student performed an end-run around the filter by using multiple VPN endpoints, SSL traffic, and a virtualized operating system running executable files explicitly designed to evade our application whitelist, and did so using a batch script as to prevent the teacher from catching him doing it."

      Scenario 2:
      Mommy: "Timmy saw pr0n at school! The IT department is incompetent and needs to pay me *raises pinky to mouth* one MILLION dollars!"
      IT Dept witness: "Since web filters are mostly ineffective anyway, we felt that it was a waste of tax dollars to even try. If he were dedicated he'd get through them anyway."
      Mommy: "All he did was go to bigtits.com and it let him!"
      IT Dept witness: "He has the right to not be censored!"
      Mommy: "He's twelve!"

      You'll never avoid a tantrum from a psychotic parent trying to sidestep their responsibility to actually be a parent. What you *will* avoid, however, is those kinds of allegations actually sticking, unless you have a set of like-minded psychos two and three tiers above you on the corporate org chart who are too technologically inept to realize that there is a chasm of difference between "filters unable to stop extremely determined, skilled, and clever students clearly violating the acceptable use policy and leaving traces of their actions" and "no filter at all". If that's what you have, then I propose the same thing - the issue is not technological and cannot be solved technologically, but will append it to say that the issue isn't with the students and the issues seen in the students are a reflection, not a cause.

    2. Re:The unfortunate reality comes down to liability by Voyager529 · · Score: 2

      Pardon my use of hyperbole to prove a point. Whether it requires half a dozen hops and tools of that level of sophistication is largely orthogonal. The point is that using a proxy or VPN or portable Ubuntu or whatever clearly expresses intent. Whether the system requires that quantity of hoops isn't the point, but the point that "trivial" is an extremely relative term and whether trivial or determined, it shows sufficient amounts of determination by the student and due diligence on behalf of the IT department. As long as both of those can be shown, Timmy's mom won't have much of a leg to stand on.

      If I bypassed that point before I apologize, but here's the thing: filtration and making responsibility known are NOT mutually exclusive solutions. Filtration helps prevent accidents. Thus, if someone goes off-script by accident, there's no harm, no foul. If it's intentional and the student is unfamiliar with the system or insufficiently determined, they will likely be slowed down enough to be caught by the teachers. If they are intentional and smart and motivated...filters are indeed useless except to PROVE that the students are intentional and smart and motivated. That's where the policy and education come in. They are responsible for proper use of the school's resources. They should be made aware and taught how to use the internet responsibly. It is NOT impossible to do this without some level of filtration happening. A parent can absolutely opt out of letting their child use the internet despite there being filters in place. Parents can absolutely be given resources to educate their children about the shady side of the internet. None of what you are saying indicates that nontechnical rules and nontechnical punishments are useless because filters are in place. Heck, if a lesson needs to be taught about the shady side of the internet, then fine - disable the filters for that lab for that lesson, but the internet isn't exactly the best place for 'trial by fire' regarding elementary school students and the internet.

  23. Impossible task by phorm · · Score: 2

    As a former school-district sysadmin, I'd say that blocking (bad) content from a school while allowing (good) content is nearly an impossible task. Obviously you can make a good effort, but it's an arms-race you can't win.

    One should not underestimate the resourcefulness of a school full of bored teens. Hell, some of the most amazing stuff I've done was while I was in High School.

    As an adult, it's not easy to pick this stuff up with the time available. Being young with an active brain and free time is a powerful thing, and a school full of semi-intelligent bored teens can be a pretty interesting place.