Ask Slashdot: How To Best Setup a School Internet Filter? 454
An anonymous reader writes "I was recently volunteered to be the network/computer admin for a small non-profit school. One of the items asked of me had to do with filtering inappropriate content (i.e. stuff you wouldn't want your mother to see). Essentially we want to protect people who aren't able to protect themselves, at least while on campus. Basic site filtering is fairly easy — setup squid with one of the many filtering engines and click to filter the categories your interested. Additionally, making the computer lab highly visible uses public shame and humiliation to limit additional activity. The real question — How do you filter Facebook? There is a lot of great content and features on Facebook, and its a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to setup campus-wide security/privacy policies for Facebook?"
Don't (Score:5, Insightful)
Re:Don't (Score:5, Insightful)
Or whitelist a few websites and be done with it.
Re:Don't (Score:5, Insightful)
Exactly my thought. I would also include a note on the "block page" to send an email to admin@whatever if the user wants a site opened. That way brand-new sites like teenskissingtheirpussies will be blocked by default, but if someone requests a site like PBSkids.com you can whitelist it ASAP.
Re:Don't (Score:5, Funny)
Comment removed (Score:5, Informative)
Comment removed (Score:5, Insightful)
Re:Don't (Score:5, Interesting)
I guess the person asking the question didn't specify, but I was under the assumption that this was for an elementary level type school....so, you're policing children, and you'd likely start with things mostly turned off, and then let on what you needed as required by the instructors.
Also, if that is the case...wouldn't most of these kids be too young to have FB accounts per the TOS for Facebook? If that's the case...no problem in banning FB entirely, eh?
Re:Don't (Score:5, Insightful)
I guess the person asking the question didn't specify, but I was under the assumption that this was for an elementary level type school....so, you're policing children, and you'd likely start with things mostly turned off, and then let on what you needed as required by the instructors.
Back in the mid-1990s when I was at the elementary school level, we had a 10BASE2 coaxical network and an unlimited Internet access. And oh boy did we find lots of both questionable (nude, porn) and illegal content (games, software and MP3s were already flooding to the websites from the soon-to-be-legacy private BBSes and FTPs), and guess what all that did to me? Nowadays I post anonymous comments to Slashdot, have a job and pay my taxes (oh, and MSE in the works).
So, unless you want your kids to grow up as future Slashdot users and engineers with university grade degrees, block everything (I mean *everything*), throw them to your basement and never open the door. Everything else is just plain stupidy and both wasted time and effort.
Re:Don't (Score:5, Insightful)
It doesn't work anyway. I worked supporting schools for some years and we ran a WAN that they connected through to the internet (around 150 schools connecting via 10mbps links to a central pipe) and the fact is you just can't do anything about kids accessing what they shouldn't.
They're far more resourceful, far more motivated, and have far more time than your IT staff. Like the music industry trying to clamp down on piracy, IT staff trying to clamp down on kids whilst still keeping the internet somehow useful is a lost cause. The kids know any number of proxy sites, they'll find any number, sites you didn't even know existed as a long time IT professional, and hell, even if you do lock down the internet completely (and make it largely useless in the process) kids are only going to bring in porn mags and CDs/memory sticks with porn and such on anyway.
The best solution is entirely with the teachers. It's with the teachers to catch kids browsing things they shouldn't, and to punish them and make an example that doing what you shouldn't in school hours will get you in deep shit. Anything else is doomed to fail, and even this method isn't going to stop every kid, but it'll be far more effective than any kind of technological solution will be. If we're talking about really young kids and you want to protect their precious little eyes then internet access should be treated the same way as it would be by a "good" parent - supervise them whilst they're using it.
The unfortunate reality comes down to liability (Score:5, Insightful)
Yes, there's going to be a group of kids who are more determined and resourceful than the person asking. In a nontrivial number of cases, they're called "future sysadmins". That's not to say that they'll all do so or that it should be a motivation for whether things get filtered at all, but it is a byproduct worth mentioning.
That said, you raise an argument of questionable logic. Essentially, you've stated that because he CAN'T block EVERYTHING that he SHOULDN'T block ANYTHING. That's not really the way things work in K-12 education. See, if it takes a proxy, a VPN, and a memorized IP address to get to content deemed inappropriate by the powers that be, then anyone who has gotten to it has shown clear determination to do so. Thus, it's significantly easier for the IT staff to say "We have had filters in place from the get-go that block this content. This student used an incredibly elaborate method to get around these filters, and this method no longer works as we've updated our filters to accommodate it" and thus place blame squarely on the student for determination and intent. Using your method of leaving the floodgates of the internet opened means that answering to those same people when a student accidentally stumbles upon objectionable content will sound like, "we don't have any filters because they don't work 100% of the time". Reference-free job hunting starts in the morning.
If a student wants to get into the building after-hours and orders his own RFID card off the internet and programs it to minic another card to unlock the door, it's going to be much tougher for the school to sue the security company than if the security company left the doors open 24/7 because there are 20-foot high windows.
Sure, students will bring in their issues of Penthouse or USB sticks with the contents of the latest pr0n torrent if they're determined to do so, but once again, it's how and where. A student walking into school with Penthouse in his backpack didn't get it from the school, therefore the school can't be held liable for the actions of the student. If the student downloaded an issue of Penthouse on a school computer, by contrast, now the school has made possible something that (for the sake of argument) the parents find objectionable and it's easy to point the finger at the IT admins since even a basic content filter would have mitigated the issue - or at the very least raised the barrier to entry significantly such that the IT staff can once again say "we can't block everything, but the filters do block all but the most determined attempts to get where he got" and absolve themselves from responsibility.
Yes, supervision absolutely needs to happen. The original post explicitly asks how to make supervision easier for that very reason. The question being asked isn't how to replace adult supervision with a technological solution, it's how to assist the teachers and try to fill in the gaps for the moments when the teacher is focusing on student #1 who happens to be seated at an inconvenient angle to observe student #2 doing the same thing.
Re:The unfortunate reality comes down to liability (Score:5, Insightful)
Mommy can throw a tantrum all she wants about Timmy seeing a boob online. The question of whether the situation is able to escalate beyond that is where filters come into place.
Scenario 1:
Mommy: "Timmy saw pr0n at school! the IT department is incompetent and needs to pay me *raises pinky to mouth* one MILLION dollars!"
IT Dept witness: "Your honor, the school has had content and proxy filtering on their network for years. This is the filtering system that the Board of Education has chosen for us to be using, configured using industry standard practices, and being appended weekly with additional 'creative' ways the students have found to bypass these filters. Here are the log files in the traffic, indicating that the student performed an end-run around the filter by using multiple VPN endpoints, SSL traffic, and a virtualized operating system running executable files explicitly designed to evade our application whitelist, and did so using a batch script as to prevent the teacher from catching him doing it."
Scenario 2:
Mommy: "Timmy saw pr0n at school! the IT department is incompetent and needs to pay me *raises pinky to mouth* one MILLION dollars!"
IT Dept witness: "Since web filters are mostly ineffective anyway, we felt that it was a waste of tax dollars to even try. If he were dedicated he'd get through them anyway."
Mommy: "All he did was go to bigtits.com and it let him!"
IT Dept witness: "He has the right to not be censored!"
Mommy: "He's twelve!"
You'll never avoid a tantrum from a psychotic parent trying to sidestep their responsibility to actually be a parent. What you *will* avoid, however, is those kinds of allegations actually sticking, unless you have a set of like-minded psychos two and three tiers above you on the corporate org chart who are too technologically inept to realize that there is a chasm of difference between "filters unable to stop extremely determined, skilled, and clever students clearly violating the acceptable use policy and leaving traces of their actions" and "no filter at all". If that's what you have, then I propose the same thing - the issue is not technological and cannot be solved technologically, but will append it to say that the issue isn't with the students and the issues seen in the students are a reflection, not a cause.
Re: (Score:3)
Pardon my use of hyperbole to prove a point. Whether it requires half a dozen hops and tools of that level of sophistication is largely orthogonal. The point is that using a proxy or VPN or portable Ubuntu or whatever clearly expresses intent. Whether the system requires that quantity of hoops isn't the point, but the point that "trivial" is an extremely relative term and whether trivial or determined, it shows sufficient amounts of determination by the student and due diligence on behalf of the IT departme
Re: (Score:3)
Re:Don't (Score:4, Informative)
I work at a college and we do no filtering of any kind due to academic freedom.
High school is not college. College students are adults fully responsible for their own behavior. High school students are legally children, and giving them access to things their parents don't approve of is not only going to cause administrative problems, but may even be illegal in some cases.
Re: (Score:3)
This is what you do:
You give parents and students a piece of paper that says the students are authorized to use the internet, but that the parents and students agree that the student will use it responsibly or will be held responsible for its misuse. Parents and student alike are required to sign.
Then you don't worry about it. If the student(s) abuse the privilege, the parents cannot complain because they not only authorized the use, but agreed that their child would use the resource appropriately.
Re:Don't (Score:4, Interesting)
In addition or "better" make the parents give you a E-mail address where a monthly report of every high website the student visited will be mailed...
Re: (Score:3)
Re: (Score:3)
http://en.wikipedia.org/wiki/Age_of_majority [wikipedia.org]
Oddly enough that Wikipedia Article shows only 6 countries that have age of adulthood at less than 18, and none of them are 16. In the US it is 18 except for Alabama (19), Nebraska (19), Mississippi (21), and Puerto Rico (21). Canada is about 50/50 between 18 and 19. The UK is 18. Most of Africa is 21. Japan 20.
So your point is flatly incorrect.
Whitelists? (Score:3)
Yeah, but which ready-to-go Linux firewall/proxy combo really supports whitelists.
I've research (though not used) ClearOS and a bunch of the others, and whitelist seem to be a feature that people ask about in the forums as opposed to something that's a first-class feature.
For a restricted use environment, like elementary school, it would great to add 10, 100, 1000, or even 10000 or 100,000 websites to a list and be done as opposed to chasing every new weird site.
As far as 1st Amendment issues, think of it l
Re:Whitelists? (Score:4, Informative)
When I was first starting out in IT I worked at a reasonably large high school and found the best way to filter was using squid and have a large blacklist automatically updated weekly and use a log analyser such as Sarg to generate reports on a daily basis and anything that seemed out of place or got a lot of traffic and wasn’t related to education would go on the blacklist. Of course none of this was available off the shelf back then, but it’s still probably the best way to go about it considering that it’s a non-profit school. As for facebook, it should be blocked in any school environment, there is nothing on there of any education value.
I don’t know the age range the OP is talking about, kind of seems contradictory. People not able to protect themselves but yet have shame.. doesn’t really make sense.
Re:Don't (Score:5, Funny)
Re: (Score:2)
Or put the dean on the whitelist that allows him to access whatever sites he deems appropriate, but are blocked for students. Typical residential-grade routers have this functionality.
Re: (Score:2)
I'd only whitelist the dean for appropriate sites. No blanket access for anyone. Last thing you want to find out is the dean has been using the office for porn.
Re: (Score:3)
Like what? What are you trying to protect against? What should pupils be allowed to see?
It's pointless anyways, kids have Facebook on their phones these days.
Re:Don't (Score:5, Insightful)
Like what? What are you trying to protect against?
Facebook whores hogging the computers all day long so nobody can do any work...?
Re: (Score:2)
Re: (Score:3)
Cell phones aren't allowed on school premises, and will be confiscated if a student is caught in possession of one.
Really? - What if a parent needs to contact a student?
The old method of calling the administration office and have them page the student is both costly, disruptive to both class and administration, and often involves the student talking while standing right next to an administration employee, which is an obvious invasion of privacy.
The correct way to do it is to allow cell phones set to a silent ring, and ban from making outgoing calls and texts during school hours (students must comply with inspection requ
Re:Don't (Score:5, Funny)
which is an obvious invasion of privacy
I cannot imagine any actual important secret that I would entrust to an elementary or middle-school child's confidence, but if I really had one I wouldn't tell it to anyone over the phone. I'd announce that I was coming to pick them up, that there were some urgent family matters to deal with, and that they could not wait until school let out. Then I'd pick them up and tell them whatever it was so important to get a 13-year-old's opinion on right now.
Re: (Score:2)
I second this. You either allow it or you don't. Trying to filter Facebook at an intermediate level is nearly impossible in the best circumstances.
A far bigger challenge is the expanding use of SSL by default. It solves a lot of problems for the individuals but it makes life more difficult for the enterprise admin who is supposed to filter these things. I flagged this recently at work as we enforce SafeSearch on search engines but with Google and others going SSL by default, it's possible to search for
Re: (Score:3, Informative)
We're now having to look into decryption which brings its own issues pertaining to certificate management.
What do you even mean there? You aren't going to be able to pull off a man in the middle attack. You either block https or game over.
Re:Don't (Score:5, Insightful)
It's easy to pull off a man in the middle attack if you control the computers.
You generate your own certs with a CA that you've installed on the computer. At least one commercial product does this automatically.
Re: (Score:3)
I hadn't thought of that. Yep that would work. I stand corrected.
Re: (Score:2)
Re: (Score:2)
There's also the direct attack on the browser and/or client network stack: Between Browser Helper Objects and Winsock LSP trickery, IE is an open book to anybody with admin access to the client, and other browsers are probably not too much better(and have their own plugin interfaces).
It isn't as elegant as a network-side setup; but various sorts of browser monkeying and monitoring are relatively common features of 'enterprise' AV or "endpoint management" software, and they usually stick their dirty little f
Re: (Score:2)
Re:Don't (Score:4, Informative)
What do you even mean there? You aren't going to be able to pull off a man in the middle attack.
Oh but you can, and it's increasingly being done and the people being intercepted are probably completely unaware of it. All of the big providers of content filtering hardware offer SSL interception now [blogspot.co.uk] (actually that article was written in 2006, so it's been going on for a while now). The sysadmin just has to deploy a trusted CA key to each desktop. I still think it is probably a violation of various wiretap laws because, regardless of what the local user has agreed to, the remote side (Google, your bank etc.) have not agreed to your interception of their encrypted communications. But, afaik, surprisingly nobody has yet sued over this issue.
Re: (Score:2)
It's legitimate. The decryption happens while it's still on our network, and we have complete control over every packet that goes through. Part of the agreement signed by the employees every year is that nothing that goes over the network is private. We have the right to decrypt and inspect anything that goes through. Were it a legal problem, it would have already been tried long ago, presuming that it hasn't been tried already.
If/When it's implemented, there will be exceptions for financial or certain
Re: (Score:2)
There are lots of wiretapping laws that apply to both parties. Google when they have SSL traffic has an expectation of privacy. They haven't been notified that the person logging in is using a wiretapped / compromised machine.
I'm not sure how the courts will rule on this one but the first time this setup is used to do something like have IT clean out someone's brokerage account by snooping their SSL traffic I suspect the company will be found liable.
Re: (Score:2)
I saw the list about creating an CA on the client. I hadn't thought of that. I stand corrected. That's the of thing that would be really hard to train users against.
Re: (Score:2, Informative)
This is correct. In a managed environment it's not exactly rocket science to put your cert on the computer, allowing you to resign anything HTTPS. Make it clear to the users that EVERYTHING is being monitored and they have no expectation of privacy on said computers and go for it.
Using a bogus cert that throws warnings in the browser is just an idiotic way to train your users that clicking through SSL warnings is normal.
Can't (Score:5, Insightful)
You can't partially-filter Facebook, not in any meaningful or effective way. If you try, you'll fail. Either users have access to it, or they do not.
And for a school (assuming K-12), the hypothetical benefits are massively outweighed by the problems. Not just the content-filtering ones, but the waste-of-resources and distraction-from-task kind. Give kids easy access to Facebook at school, and your computer lab will become a Facebook lab. It serves no educational purpose, and just like the Gameboys, Walkmans, transistor radios, whatever toys earlier kids tried to play with at school that distracted from what they were there for, it's perfectly appropriate to say "not at school".
Re:can't partially-filter Facebook (Score:5, Informative)
Re: (Score:2)
The trouble with not-for-profit schools is their budgets are very low for things like this. The OP clearly wants a free as in beer solution.
Re: (Score:3)
One such company is Socialware, for example. I think for a lot of these settings Facebook has exposed assets and you can directly manipulate things in a "whack-a-mole" fashion, but hiring a company like Socialware gives you all of that managed for you in a proxy. Obviously this is out of reach of one guy running an elementary school, though.
Re: (Score:2)
Re: (Score:3)
In the US, at least, I don't know the dirty details on other jurisdictions, the name of the game is CIPA'. The "Children's Internet Protection Act"(what could go wrong, eh?)
After the "Communications Decency Act" and the "Child Online Protection Act" were banhammered for being grossly unconstitutional, we got CIPA. Many thanks to Sen. John McCain (R-AZ), Sen. Ernest Hollings (D-SC), Rep. Bob Franks (R-N.J.), Rep. Chip Pickering (R-MS), and the justices writing for the majority on UNITED STATES V. AMERICAN
opendns (Score:2, Informative)
Re:opendns (Score:5, Informative)
OpenDNS is a huge scam - right up there with all the other Bait & Switch slime.
It used to be free, our public library used them to filter porn so that they met the basic filtering requirements in order to get Federal grant money.
Then OpenDNS said no more free filtering - all right, everyone needs to make a buck or two right?
So how much for 50 workstations - $1250/year (and that's with a non-profit discount) - for DNS service.
Yeah, going from free to outrageous isn't exactly a viable business plan.
DynDNS offers pretty much the same thing (i.e. category filtering) for $20/year - guess which plan the Library went with?
Re:opendns (Score:5, Insightful)
You're god-damn right it was a scam. The main part of OpenDNS that pissed me off was their filters were created and filled BY THE USERS. And now they're charging for something they got for free. We thought it was going to be a symbiotic relationship but it ended up being a parasite.
How much for a business with 200-220 PCs? $3000 a year.
Don't (Score:2)
Just don't set up a filter. Done!
Re:Don't (Score:5, Insightful)
Re: (Score:2)
Best way to stop them looking at inappropriate content is don't set up a filter, but keep a record of every website they visit and who visited it. Tell the students you are doing this.
That's about the best you are going to get. And if they are all your own computers you can filter https too (although you have to make sure kids won't be doing any banking etc or there might be liability issues), but it's harder if you want to filter devices that people bring from home.
If you filter, and a poor innocent child captures glimpse of a nipple and is scarred for life, you'll have to explain to the concerned parents why you allowed this to happen. If you allow all content then you have less respon
Re: (Score:2)
Re: (Score:2)
"Theoretically the students are all adults."
Um... many schools have children in them. Like... most of them do. (If he meant he worked for a "college", he should've said "college". And demanded that their paid staff do this.)
Re: (Score:2)
Heck many workplaces who have grown adults act like children. Block Facebook altogether. And make sure to block on HTTPS connection as well.
Who decides what's "inappropriate" (Score:5, Funny)
My mother was a porn star. There's not much that I wouldn't want her to see.
Slippery slope, my man.
Re: (Score:2, Funny)
Cool, I thought I saw your Mom in "Slippery Slope - Volume III"
Re: (Score:2)
No, that slope was some kind of huge inflatable mattress.
lulz. good luck (Score:3)
There is a lot of great content and features on Facebook, and its a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to setup campus-wide security/privacy policies for Facebook?"
In a word, don't. Unlike adults, teenagers won't have any qualms about bypassing your filtering. They'll use proxies. Tor. Thumb drives with other operating systems on it. Mobile phones. Secret non-broadcasting wifi networks. No filtering software yet designed has survived more than a few months in a public school without leaving the server running it as little more than a smouldering carbon scorch mark on the floor.
If this were a corporate environment, you could count on the fear and paranoia of being fired. You have no such power over teenagers... and many of them would do it even if you threatened them with life in the electric chair, because teenagers do not have good judgement. Even if you ask them "Is that a good idea," and they reply, "No," they'll probably keep doing it. And if you ask them why, they'll give you about as good of an answer as randomly seeking to some point in addressable memory and reading out whatever strings may or may not be present.
My advice... turn off the internet, lock the systems down, bolt them to the tables, put epoxy in all the USB ports, remove the optical drives, put everything behind plexiglass (little fingerholes for the keyboards), load up your operating system of choice and lock it down as much as you can, and then maybe, just maybe... you have a chance.
Re:lulz. good luck (Score:5, Interesting)
In a word, don't. Unlike adults, teenagers won't have any qualms about bypassing your filtering. They'll use proxies. Tor. Thumb drives with other operating systems on it. Mobile phones. Secret non-broadcasting wifi networks.
Honestly, that's almost a good argument for implementing filtering. It challenges bright people to come up with clever solutions. Then they'll grow up with an interest in computers and networking, as well as a healthy distaste for censorship.
Re:lulz. good luck (Score:4, Interesting)
Honestly, that's almost a good argument for implementing filtering. It challenges bright people to come up with clever solutions. Then they'll grow up with an interest in computers and networking, as well as a healthy distaste for censorship.
Most people aren't bright, and for every person it fosters a love of exploration and challenge, it'll create fifty more who view it as normal and try to club the other kid over the head for trying to get them all into trouble. The best solution is not to censor at all, and to simply be open to the kids about what's okay and what's not, and why, and if they have questions to have role models they can talk to about it that won't judge them for being curious or looking. Telling a kid not to do something just makes them want it more.
My mom tried for years to get my sister to wear mittens and hats when it was cold out (this is Minnesota, where winters can and do kill people very year). She'd never let her go outside without them, and was generally overbearing on the matter. Then she went on vacation for a few weeks in January and little sister asked to go for a walk. I saw how she was dressed -- no hat, no gloves, and asked if she thought she was dressed appropriately. She said yes. I opened the door. 10 minutes into our walk, she started complaining about how cold she was. I kept walking. She whined and said she wanted to go home. I kept walking, reminding her she said she was dressed appropriately and I was going to hold her to that. Another 10 minutes goes by and now she's shivering, stuffing her fingers in her sleeves, her pockets, finally pulling her arms out of the jacket entirely so her hands could stay out of the cold. Her nose and ears were red, and she looked miserable. Another 10 minutes goes by and she's stopped whining now and limping along miserably. We get back in the house, and she doesn't take off the jacket or anything, just goes to her room, pulls the blanket over her head, and remains miserable. About 5 minutes later I came in and took her shoes and socks off (which had become wet), put dry ones on, and put an electric blanket on her feet to warm them back up. She was fine after that.
She's never left the house without a hat or gloves since. Lesson learned.
Re:lulz. good luck (Score:5, Insightful)
the flipside to that isn't to make them suffer for your crappy teaching methods
You've missed the point.
Making the kid suffer would be to say something like "so you think its ok, right? Now I'm going to force you outside and force you to suffer".
What the GP did was to allow the kid to teach herself. She let the kid make the decision that the kid wanted to, and see what consequences that led to.
It's actually a really good teaching method: let the kid learn and explore, but be there in the background to make sure that they don't accidently kill themselves or suffer permenant injury.
No lesson sticks quite as well as one hard learned onesself.
Re: (Score:3)
It is the original poster's intention to block inappropriate content. It is probably his duty to take reasonable steps to ensure that porn.com is blocked. If people want to go out of their way to deliberably bypass filtering then they can do that if they wish - but at least now they know that they shouldn't, and they should be held responsible for that.
Good Kids (Score:5, Insightful)
Many years ago I connected an Internet feed for a private girls school - a very conservative, christian, and very well respected one - in Sydney. During the setup I was talking to the Headmistress about if she had any concerns regarding the content the girls might access. I thought her response was particularly enlightened; her comment was something like 'Whatever you try to restrict will make them want to access it more, which they will do secretly and unguided. If we don't make any restrictions then it will never be a big deal, and anything they feel uncomfortable about they can discuss with their teacher. Good kids will know to do the right thing, and all our girls are good.'
If I had a daughter, I probably would have sent her to that school.
Re: (Score:3)
The nun is partly right, partly wrong. Yes, restrictions will exacerbate the problem. No restrictions, though, won't make the problem magically go away either. I mean, there *is* a problem to begin with -- that they'll run into porn, or whatever else passes for inappropriate content. Porn-wise, I think that kids who are raised in a home where nudity is no big deal will react appropriately: shrug it off, saying "so what, haven't you seen a naked guy/girl?!". Sex isn't exactly a visually engaging thing if you
Re: (Score:3)
Internet filters aren't about protecting children, they are about protecting the school from their parents.
Simple (Score:2)
Until someone offers your boss a compelling case demonstrating the educational value of access to Facebook, you block all of it. The purpose of the computers is to be an aid to the school's educational mission.
Don't waste time and money on it. (Score:2, Insightful)
This not only the wrong message to children, it's also impossible to outsmart a teen who wants to get on facebook.
You can't even trust Facebook the company... (Score:2)
Re: (Score:3)
Agreed. I don't see the value of Facebook on student-accessible computers. As for the teachers, they should have access to everything. Anything else would be stupid. It's an education of learning, you can't a priori decide that some things have no educational value. Besides, why on earth ban Facebook use during teacher's off time. I mean, give me a break, you already provide teachers with a lounge, perhaps a cafeteria, etc. Barring recreational internet access on school grounds makes no sense to me at all.
The real question - how do you filter lunch? (Score:5, Funny)
There is a lot of great content and features in homemade lunches, and they are a great way to stay in contact with friends and enjoy eating, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more than should be shared, and not everyone follows proper nutritional and safety guidelines.
The solution is obvious: open a cafeteria on the premises and make it illegal to bring any outside food. This way total control over food quality and nutritional content can be achieved. Additionally, making the cafeteria highly visible uses public shame and humiliation to limit inappropriate activity, such as enjoying food.
If unsafe use of the internet is a concern... (Score:5, Insightful)
... then your school should be teaching kids how to use the Internet safely. There just isn't any technology that will protect your kids from everything they might do wrong.
I suppose you have to block sites that would offend parents (though the kids probably know all about them) but relying on filtering software to keep your kids safe is abdicating the school's responsibility
Re: (Score:2)
Kids aren't responsible enough for that. It makes sense to set up filters at home, and asking the school to do the same.
Re: (Score:3)
I never said he shouldn't put up a filter. But he wants a filter that protects kids from doing stupid stuff, and there's no such thing.
Re: (Score:2)
Critical information missing. What is the age of the kids, or are these young adults, and what do you want to accomplish by filtering.
If these are kids, say under 13, I think whitelists are absolutely appropriate. They are the only way to block proxy and https workarounds
For older students ad blocking is basic, along with whatever policy states, be it violence, sex, shopping or hookups. Keep in mind that more mos
Employ a teacher! (Score:4, Insightful)
Re: (Score:2)
Dogbert, the network administrator (Score:5, Funny)
Obligatory Dilbert strip:
http://dilbert.com/strips/comic/1996-09-07/ [dilbert.com]
*Raises hand* Oh, oh... I know! (Score:2)
Use the hosts file!
Worry about bandwidth, not content. (Score:2)
Worry about bandwidth, not content. Find some way to throttle video streams based on bandwidth. That will discourage watching porno and videos, and keep the upstream link from becoming choked.
Let the parents deal with it (Score:2)
Make each student install a proxy on their parents' internet connection and give the student access to the proxy from school. All other internet access is blocked. If the parents will not allow the proxy, the student will not have internet access at school.
I'm only half joking
It's a race... (Score:3)
But if you really want to play -- take a look at Untangle (http://www.untangle.com) for a Linux-based appliance (free versions available) that will do other things such as spam filtering, basic AV, and more. Paid modules (inexpensive) let you add web caching, which cuts down on traffic, especially when you have a bunch of kids in a computer lab accessing the same web resources. So you can solve the problem for the hard-connected machines that are fairly well locked down individually.
But in the end, it's a pain in the ass. My wife is a middle school teacher, and she complained about their school's filtering "solution" keeping her from researching and accessing useful sites until my son reconfigured her laptop to use a proxy that he and some friends run so that they can get around school filtering solutions...
Set expectations early and often -- you will be able to block most of the kids (and adults). Some will always get around the barriers you put in place, often just for the sport of it.
Unless you set expectations, you will successfully block things for 598 students -- 2 will get through and you will be castigated as a FAILURE.
Still want to play the game?
You have people to please... (Score:2)
Your bosses and the parents of your students, whose desires are expressed to your bosses.
Ensure you don't own the decision.
The purpose of filtering is to demonstrate you have filtering.
After your bosses define what they want, give it to them as best you are able but get it in writing (spieling that it protects everyone to do it that way). Have a written AUP, etc.
They shouldnt have facebook accounts (Score:2, Informative)
I'm assuming its not a university or a college. If thats the case you need to be 18 to have a facaebook account acording to their ToS. So, no kids should need to get to facebook.
The IT guy does not make policy decisions. (Score:2)
If you nothing more to say then "Don't Filter A Thing," you waste his time and ours. It is not his decision to make.
The small non-profit school won't have the money to hire extra staff simply to monitor whatever passes for a computer lab. The geek may not like the idea, but a filter will have to carry part of the load.
Wrong from the get-go (Score:2)
Your assumption that content people might find--Facebook or elsewhere--that is more harmful to them than a censorship policy just handed down to them--is false. This is your chance to confront the people asking you to implement the policy with a couple of questions:
1. Given all the ways people get uncensored internet even under autocratic regimes where the penalties are brutal, what makes you think any censorship policy could work?
2. Which feasible projects are you willing to divert resources from in ord
How old are these kids? (Score:5, Informative)
If they're under 13 (elementary and middle school age range), they're not allowed to access Facebook due to their terms of service and (in the US, at least) COPPA.
From Facebook's terms of service [facebook.com]:
You will not use Facebook if you are under 13.
This is due to the Children's Online Privacy Protection Act [wikipedia.org], which requires verified parental consent before children can provide information to the website. While this does not impact you directly (that is, the FTC isn't going to knock on your door), you could get some heat from parents or administrators for allowing it at all.
Personally, I think the law is too draconian, but I wouldn't put my position in jeopardy to protest it.
PfSense + DansGardian + OpenDNS + Unbound DNS (Score:4, Informative)
Use PFsense with Squid Proxy WAN object caching and DansGuardian (with the paid list updates) and on top of that, OpenDNS filtering.
OpenDNS will help with malware prevention and botnet computers.
Use Unbound forwarding to pull OpenDNS but also locally cache DNS entries for faster response times.
Block DNS port 53 from exiting the WAN from anything but the pfsense proxy to prevent circumvention of your local proxy.
Re: (Score:2)
Having done this before for a school a few years ago... this anon comment above is the best way to go. All of the above is cheap to free.
Only thing I would add is to check with your state educational network admins, assuming you're using a state internet connection. They may also have a service available built into their WAN you can use.
Legal liability is pretty high for filtering (Score:2)
If you implement filtering, then the first time "something bad" gets through, be prepared to be the fall-guy.
Re: (Score:2)
Alternatives (Score:2)
Nothing (Score:2)
Been working in Education for the last decade and I can say give it up. I have never seen any filter work more than a day at best. Lightspeed whatever just doesn't last very long. Kids start with proxy, but quickly switched to stealing passwords. The school year is only a week old and I have already seen a fairly complete list of staff passwords and ever our sys admin password. Get a Federal approved filter and do the best you can, keeping the systems working will kill all the time you have believe me.
how to (Score:2)
1. Block outbound dns and force all queries to go through a central DNS server
2. Filter the domains that server allows to resolve
3. Adopt zero tolerance policy to evasion of firewalls
4. Do random audits of network traffic and punish anyone caught bypassing the firewall by any means.
5. Install deepfreeze so that students can't monkey with the machines
number 4 is good because you don't want your policies to become a joke. Kids these days are hardly technophobes, and you may need to be prepared to match
Outsource This One (Score:2)
Buy a DNS-based service like Internet Guide from DynDNS and move on to the next project. The admins can tell you which twiddly bits to flip on their configurator, othewise what you see is what you get.
Possibly set up an internal recursive DNS with zones to allow some machines to go out unfiltered.
Re: (Score:2)
Exactly. Additionally, I would like to know what "great content" exists on Facebook anyway. "Person X has posted a photo." "Person Y likes Person X's photo!" Yeah, that's some great content there.
Really, just block the whole site completely. Any valid educational content that might possibly maybe be found on there can also be found elsewhere in greater amounts.
Re: (Score:2)
Class groups and study session events.
Do you mean "everyone doing their homework together" on facebook? Do you mean actually teaching a class on facebook? Seems kind of inappropriate to me. Maybe your idea is to make it more appropriate by filtering it, but I don't think they want you to. They make money showing you ads, building a dossier on what you click on, etc. So I would suggest that you not use it as a teaching tool. In fact it's kind of unfair if all the students are required to use facebook to participate in this "content". What if the
Re: (Score:2)
Re: (Score:2)
There was this kid at our school who always used the PC at the end of the room, reduced the contrast of his screen and tilted it away from the main viewing area of the room. He was suspicious as hell.
And the only one of them I would consider hiring.
Re: (Score:2)
As natural progression of our computer revolution, wasting time on a cellphone is a lot more conpicuous than doing the same on a computer. This is due to generational / cultural novelty: Decades ago parents and friends could NOT be convinced that my sitting for hours staring at a monitor was in itself "work."
For now, cellphones moved into that role of "wait, tapping away at it cannot be more serious than the conversation / class still in progress". I do recall that playing solitaire in a lab setting was b