Ask Slashdot: How To Best Set Up a School Internet Filter?
An anonymous reader writes "I was recently volunteered to be the network/computer admin for a small non-profit school. One of the items asked of me had to do with filtering inappropriate content (i.e. stuff you wouldn't want your mother to see). Essentially we want to protect people who aren't able to protect themselves, at least while on campus. Basic site filtering is fairly easy — set up squid with one of the many filtering engines and click to filter the categories you're interested in. Additionally, making the computer lab highly visible uses public shame and humiliation to limit additional activity. The real question — How do you filter Facebook? There is a lot of great content and features on Facebook, and it's a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to set up campus-wide security/privacy policies for Facebook?"
Just block it altogether. Not worth it.
My mother was a porn star. There's not much that I wouldn't want her to see.
Slippery slope, my man.
In a word, don't. Unlike adults, teenagers won't have any qualms about bypassing your filtering. They'll use proxies. Tor. Thumb drives with other operating systems on them. Mobile phones. Secret non-broadcasting wifi networks.
Honestly, that's almost a good argument for implementing filtering. It challenges bright people to come up with clever solutions. Then they'll grow up with an interest in computers and networking, as well as a healthy distaste for censorship.
Many years ago I connected an Internet feed for a private girls school - a very conservative, Christian, and very well respected one - in Sydney. During the setup I was talking to the Headmistress about if she had any concerns regarding the content the girls might access. I thought her response was particularly enlightened; her comment was something like 'Whatever you try to restrict will make them want to access it more, which they will do secretly and unguided. If we don't make any restrictions then it will never be a big deal, and anything they feel uncomfortable about they can discuss with their teacher. Good kids will know to do the right thing, and all our girls are good.'
If I had a daughter, I probably would have sent her to that school.
OpenDNS is a huge scam - right up there with all the other Bait & Switch slime.
It used to be free, our public library used them to filter porn so that they met the basic filtering requirements in order to get Federal grant money.
Then OpenDNS said no more free filtering - all right, everyone needs to make a buck or two right?
So how much for 50 workstations - $1250/year (and that's with a non-profit discount) - for DNS service.
Yeah, going from free to outrageous isn't exactly a viable business plan.
DynDNS offers pretty much the same thing (i.e. category filtering) for $20/year - guess which plan the Library went with?
There is a lot of great content and features in homemade lunches, and they are a great way to stay in contact with friends and enjoy eating, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more than should be shared, and not everyone follows proper nutritional and safety guidelines.
The solution is obvious: open a cafeteria on the premises and make it illegal to bring any outside food. This way total control over food quality and nutritional content can be achieved. Additionally, making the cafeteria highly visible uses public shame and humiliation to limit inappropriate activity, such as enjoying food.
... then your school should be teaching kids how to use the Internet safely. There just isn't any technology that will protect your kids from everything they might do wrong.
I suppose you have to block sites that would offend parents (though the kids probably know all about them) but relying on filtering software to keep your kids safe is abdicating the school's responsibility.
Don't bother with the filters, stick all the computers in a supervised area and kick out any students who break the rules. Speaking as someone who is personally sick to death of being managed by dumb computer programs (time management and performance evaluating software), why not have a responsible adult present to help guide the students? An old fashioned notion I know, but they are at school after all.
You can't partially-filter Facebook, not in any meaningful or effective way. If you try, you'll fail. Either users have access to it, or they do not.
And for a school (assuming K-12), the hypothetical benefits are massively outweighed by the problems. Not just the content-filtering ones, but the waste-of-resources and distraction-from-task kind. Give kids easy access to Facebook at school, and your computer lab will become a Facebook lab. It serves no educational purpose, and just like the Gameboys, Walkmans, transistor radios, whatever toys earlier kids tried to play with at school that distracted from what they were there for, it's perfectly appropriate to say "not at school".
http://alternatives.rzero.com/
Obligatory Dilbert strip:
http://dilbert.com/strips/comic/1996-09-07/
You're god-damn right it was a scam. The main part of OpenDNS that pissed me off was their filters were created and filled BY THE USERS. And now they're charging for something they got for free. We thought it was going to be a symbiotic relationship but it ended up being a parasite.
How much for a business with 200-220 PCs? $3000 a year.
Honestly, that's almost a good argument for implementing filtering. It challenges bright people to come up with clever solutions. Then they'll grow up with an interest in computers and networking, as well as a healthy distaste for censorship.
Most people aren't bright, and for every person it fosters a love of exploration and challenge, it'll create fifty more who view it as normal and try to club the other kid over the head for trying to get them all into trouble. The best solution is not to censor at all, and to simply be open to the kids about what's okay and what's not, and why, and if they have questions to have role models they can talk to about it that won't judge them for being curious or looking. Telling a kid not to do something just makes them want it more.
My mom tried for years to get my sister to wear mittens and hats when it was cold out (this is Minnesota, where winters can and do kill people every year). She'd never let her go outside without them, and was generally overbearing on the matter. Then she went on vacation for a few weeks in January and little sister asked to go for a walk. I saw how she was dressed -- no hat, no gloves, and asked if she thought she was dressed appropriately. She said yes. I opened the door. 10 minutes into our walk, she started complaining about how cold she was. I kept walking. She whined and said she wanted to go home. I kept walking, reminding her she said she was dressed appropriately and I was going to hold her to that. Another 10 minutes goes by and now she's shivering, stuffing her fingers in her sleeves, her pockets, finally pulling her arms out of the jacket entirely so her hands could stay out of the cold. Her nose and ears were red, and she looked miserable. Another 10 minutes goes by and she's stopped whining now and limping along miserably. We get back in the house, and she doesn't take off the jacket or anything, just goes to her room, pulls the blanket over her head, and remains miserable. About 5 minutes later I came in and took her shoes and socks off (which had become wet), put dry ones on, and put an electric blanket on her feet to warm them back up. She was fine after that.
She's never left the house without a hat or gloves since. Lesson learned.
#fuckbeta #iamslashdot #dicemustdie
If they're under 13 (elementary and middle school age range), they're not allowed to access Facebook due to their terms of service and (in the US, at least) COPPA.
From Facebook's terms of service:
You will not use Facebook if you are under 13.
This is due to the Children's Online Privacy Protection Act, which requires verified parental consent before children can provide information to the website. While this does not impact you directly (that is, the FTC isn't going to knock on your door), you could get some heat from parents or administrators for allowing it at all.
Personally, I think the law is too draconian, but I wouldn't put my position in jeopardy to protest it.
Use pfSense with Squid Proxy WAN object caching and DansGuardian (with the paid list updates) and on top of that, OpenDNS filtering.
OpenDNS will help with malware prevention and botnet computers.
Use Unbound forwarding to pull OpenDNS but also locally cache DNS entries for faster response times.
Block DNS port 53 from exiting the WAN from anything but the pfSense proxy to prevent circumvention of your local proxy.
Actually, many of the more complex commercial firewall products CAN partially filter Facebook. For example, you can permit reading but block posting updates, or permit access to most pages but block Farmville and all streaming media from fbcdn. I've always thought the easy way to cut down on problems with this sort of Internet access was to permit Content-type: text/* but block all images, audio, and video. Basically, let them read Playboy for the articles!
I do not deploy Linux. Ever.
When I was first starting out in IT I worked at a reasonably large high school and found the best way to filter was using squid and have a large blacklist automatically updated weekly and use a log analyser such as Sarg to generate reports on a daily basis and anything that seemed out of place or got a lot of traffic and wasn’t related to education would go on the blacklist. Of course none of this was available off the shelf back then, but it’s still probably the best way to go about it considering that it’s a non-profit school. As for Facebook, it should be blocked in any school environment, there is nothing on there of any educational value.
I don’t know the age range the OP is talking about, kind of seems contradictory. People not able to protect themselves but yet have shame.. doesn’t really make sense.
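The daily log review described in the comment above (Squid plus a report, then manual additions to the blacklist) can be sketched as follows. This is an added example, not part of the thread or of Sarg: the log lines, hostnames, client addresses, allowlist and `min_hits` threshold are all constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1392000000.101    120 10.0.0.21 TCP_MISS/200 5120 GET http://games.example.test/play - DIRECT/203.0.113.5 text/html
1392000001.202     95 10.0.0.22 TCP_MISS/200 7000 GET http://games.example.test/level2 - DIRECT/203.0.113.5 text/html
1392000002.303     40 10.0.0.21 TCP_HIT/200 3000 GET http://games.example.test/img.png - NONE/- image/png
1392000003.404   9000 10.0.0.23 TCP_MISS/200 40960 CONNECT video.example.test:443 - DIRECT/203.0.113.9 -
1392000004.505   8000 10.0.0.23 TCP_MISS/200 50000 CONNECT video.example.test:443 - DIRECT/203.0.113.9 -
1392000005.606   7000 10.0.0.24 TCP_MISS/200 60000 CONNECT video.example.test:443 - DIRECT/203.0.113.9 -
1392000006.707    150 10.0.0.25 TCP_MISS/200 20000 GET http://en.wikipedia.org/wiki/Photosynthesis - DIRECT/198.51.100.7 text/html
1392000007.808      2 10.0.0.26 TCP_DENIED/403 1500 GET http://blocked.example.test/ - NONE/- text/html
1392000008.909     60 10.0.0.27 TCP_MISS/200 900 GET http://news.example.test/ - DIRECT/203.0.113.20 text/html
"""
ALLOWLIST = {"school.test", "wikipedia.org"}  # hypothetical educational domains

def host_of(method, url):
    """CONNECT entries log 'host:port'; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def review_candidates(log_text, allowlist=ALLOWLIST, min_hits=3):
    """Return (host, hits, bytes, distinct clients) for busy, non-allowlisted hosts."""
    hits, volume, clients = Counter(), Counter(), {}
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # truncated or malformed line
        client, action, size, method, url = f[2], f[3], f[4], f[5], f[6]
        host = host_of(method, url)
        allowed = any(host == d or host.endswith("." + d) for d in allowlist)
        if action.startswith("TCP_DENIED") or not host or allowed:
            continue  # already blocked, unparseable, or known-educational
        hits[host] += 1
        volume[host] += int(size) if size.isdigit() else 0
        clients.setdefault(host, set()).add(client)
    rows = [(h, n, volume[h], len(clients[h])) for h, n in hits.items() if n >= min_hits]
    return sorted(rows, key=lambda r: (-r[1], -r[2]))

if __name__ == "__main__":
    for host, n, size, users in review_candidates(SAMPLE_LOG):
        print(f"{host:28} hits={n:<4} bytes={size:<8} clients={users}")
```

The output is a review list for a human, not an automatic block list. HTTPS traffic appears only as CONNECT host:port entries, so per-page detail is not available for those sites.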
The flipside to that isn't to make them suffer for your crappy teaching methods.
You've missed the point.
Making the kid suffer would be to say something like "so you think it's OK, right? Now I'm going to force you outside and force you to suffer".
What the GP did was to allow the kid to teach herself. She let the kid make the decision that the kid wanted to, and see what consequences that led to.
It's actually a really good teaching method: let the kid learn and explore, but be there in the background to make sure that they don't accidentally kill themselves or suffer permanent injury.
No lesson sticks quite as well as one hard learned oneself.
SJW n. One who posts facts.
Yes, there's going to be a group of kids who are more determined and resourceful than the person asking. In a nontrivial number of cases, they're called "future sysadmins". That's not to say that they'll all do so or that it should be a motivation for whether things get filtered at all, but it is a byproduct worth mentioning.
That said, you raise an argument of questionable logic. Essentially, you've stated that because he CAN'T block EVERYTHING that he SHOULDN'T block ANYTHING. That's not really the way things work in K-12 education. See, if it takes a proxy, a VPN, and a memorized IP address to get to content deemed inappropriate by the powers that be, then anyone who has gotten to it has shown clear determination to do so. Thus, it's significantly easier for the IT staff to say "We have had filters in place from the get-go that block this content. This student used an incredibly elaborate method to get around these filters, and this method no longer works as we've updated our filters to accommodate it" and thus place blame squarely on the student for determination and intent. Using your method of leaving the floodgates of the internet opened means that answering to those same people when a student accidentally stumbles upon objectionable content will sound like, "we don't have any filters because they don't work 100% of the time". Reference-free job hunting starts in the morning.
If a student wants to get into the building after-hours and orders his own RFID card off the internet and programs it to mimic another card to unlock the door, it's going to be much tougher for the school to sue the security company than if the security company left the doors open 24/7 because there are 20-foot high windows.
Sure, students will bring in their issues of Penthouse or USB sticks with the contents of the latest pr0n torrent if they're determined to do so, but once again, it's how and where. A student walking into school with Penthouse in his backpack didn't get it from the school, therefore the school can't be held liable for the actions of the student. If the student downloaded an issue of Penthouse on a school computer, by contrast, now the school has made possible something that (for the sake of argument) the parents find objectionable and it's easy to point the finger at the IT admins since even a basic content filter would have mitigated the issue - or at the very least raised the barrier to entry significantly such that the IT staff can once again say "we can't block everything, but the filters do block all but the most determined attempts to get where he got" and absolve themselves from responsibility.
Yes, supervision absolutely needs to happen. The original post explicitly asks how to make supervision easier for that very reason. The question being asked isn't how to replace adult supervision with a technological solution, it's how to assist the teachers and try to fill in the gaps for the moments when the teacher is focusing on student #1 who happens to be seated at an inconvenient angle to observe student #2 doing the same thing.