Forgot your password?
typodupeerror
Facebook Education Security IT Your Rights Online

Ask Slashdot: How To Best Setup a School Internet Filter? 454

Posted by samzenpus
from the watch-how-you-play dept.
An anonymous reader writes "I was recently volunteered to be the network/computer admin for a small non-profit school. One of the items asked of me had to do with filtering inappropriate content (i.e. stuff you wouldn't want your mother to see). Essentially we want to protect people who aren't able to protect themselves, at least while on campus. Basic site filtering is fairly easy — setup squid with one of the many filtering engines and click to filter the categories your interested. Additionally, making the computer lab highly visible uses public shame and humiliation to limit additional activity. The real question — How do you filter Facebook? There is a lot of great content and features on Facebook, and its a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to setup campus-wide security/privacy policies for Facebook?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: How To Best Setup a School Internet Filter?

Comments Filter:
  • Don't (Score:5, Insightful)

    by Simulant (528590) on Thursday August 16, 2012 @07:27PM (#41018213) Journal
    Just block it all together. Not worth it.
    • Re:Don't (Score:5, Insightful)

      by ThatsMyNick (2004126) on Thursday August 16, 2012 @07:30PM (#41018251)

      Or whitelist a few websites and be done with it.

      • Re:Don't (Score:5, Insightful)

        by cpu6502 (1960974) on Thursday August 16, 2012 @07:47PM (#41018423)

        Exactly my thought. I would also include a note on the "block page" to send an email to admin@whatever if the user wants a site opened. That way brand-new sites like teenskissingtheirpussies will be blocked by default, but if someone requests a site like PBSkids.com you can whitelist it ASAP.

        • Re:Don't (Score:5, Funny)

          by Anonymous Coward on Thursday August 16, 2012 @07:53PM (#41018477)
          Um, so, teenskissingtheirpussies. Linky??
        • Re:Don't (Score:5, Informative)

          by houghi (78078) on Thursday August 16, 2012 @09:01PM (#41019095)

          You could add them automatically, as long as a teacher asks for it (and is verified that it was a teacher).
          Let them know that it will be logged and verified later.
          They will control themselves better then you can, as long as you do the follow up and explain why things are removed.

          Obviously this should not be your only line of defense. When I look at openDNS, it says that 1 in 3 schools are already using it. and they have something like http://www.opendns.com/business-solutions/k-12-education-old [opendns.com] as well as free solutions.

          • Re:Don't (Score:5, Insightful)

            by datavirtue (1104259) on Thursday August 16, 2012 @09:21PM (#41019217)

            So we used to authority policing our content consumption? I work at a college and we do no filtering of any kind due to academic freedom. There are issues from time to time but it is tolerated in the name of freedom.

            • Re:Don't (Score:5, Interesting)

              by cayenne8 (626475) on Thursday August 16, 2012 @10:19PM (#41019545) Homepage Journal

              I work at a college and we do no filtering of any kind due to academic freedom. There are issues from time to time but it is tolerated in the name of freedom.

              I guess the person asking the question didn't specify, but I was under the assumption that this was for an elementary level type school....so, you're policing children, and you'd likely start with things mostly turned off, and then let on what you needed as required by the instructors.

              Also, if that is the case...wouldn't most of these kids be too young to have FB accounts per the TOS for Facebook? If that's the case...no problem in banning FB entirely, eh?

              • Re:Don't (Score:5, Insightful)

                by Anonymous Coward on Friday August 17, 2012 @03:02AM (#41020829)

                I guess the person asking the question didn't specify, but I was under the assumption that this was for an elementary level type school....so, you're policing children, and you'd likely start with things mostly turned off, and then let on what you needed as required by the instructors.

                Back in the mid-1990s when I was at the elementary school level, we had a 10BASE2 coaxical network and an unlimited Internet access. And oh boy did we find lots of both questionable (nude, porn) and illegal content (games, software and MP3s were already flooding to the websites from the soon-to-be-legacy private BBSes and FTPs), and guess what all that did to me? Nowadays I post anonymous comments to Slashdot, have a job and pay my taxes (oh, and MSE in the works).

                So, unless you want your kids to grow up as future Slashdot users and engineers with university grade degrees, block everything (I mean *everything*), throw them to your basement and never open the door. Everything else is just plain stupidy and both wasted time and effort.

              • Re:Don't (Score:5, Insightful)

                by Xest (935314) on Friday August 17, 2012 @04:13AM (#41021275)

                It doesn't work anyway. I worked supporting schools for some years and we ran a WAN that they connected through to the internet (around 150 schools connecting via 10mbps links to a central pipe) and the fact is you just can't do anything about kids accessing what they shouldn't.

                They're far more resourceful, far more motivated, and have far more time than your IT staff. Like the music industry trying to clamp down on piracy, IT staff trying to clamp down on kids whilst still keeping the internet somehow useful is a lost cause. The kids know any number of proxy sites, they'll find any number, sites you didn't even know existed as a long time IT professional, and hell, even if you do lock down the internet completely (and make it largely useless in the process) kids are only going to bring in porn mags and CDs/memory sticks with porn and such on anyway.

                The best solution is entirely with the teachers. It's with the teachers to catch kids browsing things they shouldn't, and to punish them and make an example that doing what you shouldn't in school hours will get you in deep shit. Anything else is doomed to fail, and even this method isn't going to stop every kid, but it'll be far more effective than any kind of technological solution will be. If we're talking about really young kids and you want to protect their precious little eyes then internet access should be treated the same way as it would be by a "good" parent - supervise them whilst they're using it.

                • by Voyager529 (1363959) <voyager529@yaho o . com> on Friday August 17, 2012 @08:26AM (#41022371)

                  Yes, there's going to be a group of kids who are more determined and resourceful than the person asking. In a nontrivial number of cases, they're called "future sysadmins". That's not to say that they'll all do so or that it should be a motivation for whether things get filtered at all, but it is a byproduct worth mentioning.

                  That said, you raise an argument of questionable logic. Essentially, you've stated that because he CAN'T block EVERYTHING that he SHOULDN'T block ANYTHING. That's not really the way things work in K-12 education. See, if it takes a proxy, a VPN, and a memorized IP address to get to content deemed inappropriate by the powers that be, then anyone who has gotten to it has shown clear determination to do so. Thus, it's significantly easier for the IT staff to say "We have had filters in place from the get-go that block this content. This student used an incredibly elaborate method to get around these filters, and this method no longer works as we've updated our filters to accommodate it" and thus place blame squarely on the student for determination and intent. Using your method of leaving the floodgates of the internet opened means that answering to those same people when a student accidentally stumbles upon objectionable content will sound like, "we don't have any filters because they don't work 100% of the time". Reference-free job hunting starts in the morning.

                  If a student wants to get into the building after-hours and orders his own RFID card off the internet and programs it to minic another card to unlock the door, it's going to be much tougher for the school to sue the security company than if the security company left the doors open 24/7 because there are 20-foot high windows.

                  Sure, students will bring in their issues of Penthouse or USB sticks with the contents of the latest pr0n torrent if they're determined to do so, but once again, it's how and where. A student walking into school with Penthouse in his backpack didn't get it from the school, therefore the school can't be held liable for the actions of the student. If the student downloaded an issue of Penthouse on a school computer, by contrast, now the school has made possible something that (for the sake of argument) the parents find objectionable and it's easy to point the finger at the IT admins since even a basic content filter would have mitigated the issue - or at the very least raised the barrier to entry significantly such that the IT staff can once again say "we can't block everything, but the filters do block all but the most determined attempts to get where he got" and absolve themselves from responsibility.

                  Yes, supervision absolutely needs to happen. The original post explicitly asks how to make supervision easier for that very reason. The question being asked isn't how to replace adult supervision with a technological solution, it's how to assist the teachers and try to fill in the gaps for the moments when the teacher is focusing on student #1 who happens to be seated at an inconvenient angle to observe student #2 doing the same thing.

            • Re:Don't (Score:4, Informative)

              by ShanghaiBill (739463) on Thursday August 16, 2012 @11:45PM (#41019937)

              I work at a college and we do no filtering of any kind due to academic freedom.

              High school is not college. College students are adults fully responsible for their own behavior. High school students are legally children, and giving them access to things their parents don't approve of is not only going to cause administrative problems, but may even be illegal in some cases.

              • This is what you do:

                You give parents and students a piece of paper that says the students are authorized to use the internet, but that the parents and students agree that the student will use it responsibly or will be held responsible for its misuse. Parents and student alike are required to sign.

                Then you don't worry about it. If the student(s) abuse the privilege, the parents cannot complain because they not only authorized the use, but agreed that their child would use the resource appropriately.

      • Yeah, but which ready-to-go Linux firewall/proxy combo really supports whitelists.

        I've research (though not used) ClearOS and a bunch of the others, and whitelist seem to be a feature that people ask about in the forums as opposed to something that's a first-class feature.

        For a restricted use environment, like elementary school, it would great to add 10, 100, 1000, or even 10000 or 100,000 websites to a list and be done as opposed to chasing every new weird site.

        As far as 1st Amendment issues, think of it l

        • Re:Whitelists? (Score:4, Informative)

          by sc0ob5 (836562) on Friday August 17, 2012 @12:45AM (#41020195)
          Not a bad idea for elementary kids. A simple redirect using squid to a PHP form which would email someone a link to the site in question and another PHP form for approval which would then automatically append to a whitelist if approved and to a blacklist if denied so students can’t keep submitting the same site. There are a few sites around that have whitelists for education purposes opendns.com springs to mind. The problem is with so many sites being created daily it’s impossible to keep up with educational resources for middle school and high school kids and you are better off with just a blacklist which are more readily available.

          When I was first starting out in IT I worked at a reasonably large high school and found the best way to filter was using squid and have a large blacklist automatically updated weekly and use a log analyser such as Sarg to generate reports on a daily basis and anything that seemed out of place or got a lot of traffic and wasn’t related to education would go on the blacklist. Of course none of this was available off the shelf back then, but it’s still probably the best way to go about it considering that it’s a non-profit school. As for facebook, it should be blocked in any school environment, there is nothing on there of any education value.

          I don’t know the age range the OP is talking about, kind of seems contradictory. People not able to protect themselves but yet have shame.. doesn’t really make sense.

    • Re:Don't (Score:5, Funny)

      by jhoegl (638955) on Thursday August 16, 2012 @07:30PM (#41018253)
      Until the dean says "I promote the school through Facebook!" and you reply with "You can do that at home".
      • by tverbeek (457094)

        Or put the dean on the whitelist that allows him to access whatever sites he deems appropriate, but are blocked for students. Typical residential-grade routers have this functionality.

        • by pkinetics (549289)

          I'd only whitelist the dean for appropriate sites. No blanket access for anyone. Last thing you want to find out is the dean has been using the office for porn.

    • There is a lot of great content and features on Facebook

      Like what? What are you trying to protect against? What should pupils be allowed to see?

      It's pointless anyways, kids have Facebook on their phones these days.

      • Re:Don't (Score:5, Insightful)

        by Joce640k (829181) on Thursday August 16, 2012 @08:14PM (#41018689) Homepage

        There is a lot of great content and features on Facebook

        Like what? What are you trying to protect against?

        Facebook whores hogging the computers all day long so nobody can do any work...?

    • I second this. You either allow it or you don't. Trying to filter Facebook at an intermediate level is nearly impossible in the best circumstances.

      A far bigger challenge is the expanding use of SSL by default. It solves a lot of problems for the individuals but it makes life more difficult for the enterprise admin who is supposed to filter these things. I flagged this recently at work as we enforce SafeSearch on search engines but with Google and others going SSL by default, it's possible to search for

      • Re: (Score:3, Informative)

        by jbolden (176878)

        We're now having to look into decryption which brings its own issues pertaining to certificate management.

        What do you even mean there? You aren't going to be able to pull off a man in the middle attack. You either block https or game over.

        • Re:Don't (Score:5, Insightful)

          by sqlrob (173498) on Thursday August 16, 2012 @07:48PM (#41018429)

          It's easy to pull off a man in the middle attack if you control the computers.

          You generate your own certs with a CA that you've installed on the computer. At least one commercial product does this automatically.

          • by jbolden (176878)

            I hadn't thought of that. Yep that would work. I stand corrected.

          • There's also the direct attack on the browser and/or client network stack: Between Browser Helper Objects and Winsock LSP trickery, IE is an open book to anybody with admin access to the client, and other browsers are probably not too much better(and have their own plugin interfaces).

            It isn't as elegant as a network-side setup; but various sorts of browser monkeying and monitoring are relatively common features of 'enterprise' AV or "endpoint management" software, and they usually stick their dirty little f

          • by jmerlin (1010641)
            That's not technically a MITM attack. You've changed an endpoint, so it's a little more involved. But it's a good thing to point out: things like SSL won't protect your data from malware.
        • Re:Don't (Score:4, Informative)

          by chrb (1083577) on Thursday August 16, 2012 @07:59PM (#41018547)

          What do you even mean there? You aren't going to be able to pull off a man in the middle attack.

          Oh but you can, and it's increasingly being done and the people being intercepted are probably completely unaware of it. All of the big providers of content filtering hardware offer SSL interception now [blogspot.co.uk] (actually that article was written in 2006, so it's been going on for a while now). The sysadmin just has to deploy a trusted CA key to each desktop. I still think it is probably a violation of various wiretap laws because, regardless of what the local user has agreed to, the remote side (Google, your bank etc.) have not agreed to your interception of their encrypted communications. But, afaik, surprisingly nobody has yet sued over this issue.

          • It's legitimate. The decryption happens while it's still on our network, and we have complete control over every packet that goes through. Part of the agreement signed by the employees every year is that nothing that goes over the network is private. We have the right to decrypt and inspect anything that goes through. Were it a legal problem, it would have already been tried long ago, presuming that it hasn't been tried already.

            If/When it's implemented, there will be exceptions for financial or certain

            • by jbolden (176878)

              There are lots of wiretapping laws that apply to both parties. Google when they have SSL traffic has an expectation of privacy. They haven't been notified that the person logging in is using a wiretapped / compromised machine.

              I'm not sure how the courts will rule on this one but the first time this setup is used to do something like have IT clean out someone's brokerage account by snooping their SSL traffic I suspect the company will be found liable.

          • by jbolden (176878)

            I saw the list about creating an CA on the client. I hadn't thought of that. I stand corrected. That's the of thing that would be really hard to train users against.

    • Can't (Score:5, Insightful)

      by tverbeek (457094) on Thursday August 16, 2012 @07:54PM (#41018481) Homepage

      You can't partially-filter Facebook, not in any meaningful or effective way. If you try, you'll fail. Either users have access to it, or they do not.

      And for a school (assuming K-12), the hypothetical benefits are massively outweighed by the problems. Not just the content-filtering ones, but the waste-of-resources and distraction-from-task kind. Give kids easy access to Facebook at school, and your computer lab will become a Facebook lab. It serves no educational purpose, and just like the Gameboys, Walkmans, transistor radios, whatever toys earlier kids tried to play with at school that distracted from what they were there for, it's perfectly appropriate to say "not at school".

      • by Nonesuch (90847) <nonesuch.msg@net> on Thursday August 16, 2012 @09:00PM (#41019091) Homepage Journal
        Actually, many of the more complex commercial firewall products CAN partially filter facebook. For example, you can permit reading but block posting updates, or permit access to most pages but block Farmville and all streaming media from fbcdn.' I've always thought the easy way to cut down on problems with this sort of Internet access was to permit Content-type: text/* but block all images, audio, and video. Basically, let them read Playboy for the articles!
        • The trouble with not-for-profit schools is their budgets are very low for things like this. The OP clearly wants a free as in beer solution.

        • One such company is Socialware, for example. I think for a lot of these settings Facebook has exposed assets and you can directly manipulate things in a "whack-a-mole" fashion, but hiring a company like Socialware gives you all of that managed for you in a proxy. Obviously this is out of reach of one guy running an elementary school, though.

    • Why is a school blocking content, and is Slashdot going out of business, because quite frankly, I've never seen it this dead around here.

      • In the US, at least, I don't know the dirty details on other jurisdictions, the name of the game is CIPA'. The "Children's Internet Protection Act"(what could go wrong, eh?)

        After the "Communications Decency Act" and the "Child Online Protection Act" were banhammered for being grossly unconstitutional, we got CIPA. Many thanks to Sen. John McCain (R-AZ), Sen. Ernest Hollings (D-SC), Rep. Bob Franks (R-N.J.), Rep. Chip Pickering (R-MS), and the justices writing for the majority on UNITED STATES V. AMERICAN

  • opendns (Score:2, Informative)

    by twistedcubic (577194)
    OpenDNS has parental control addresses, so it's a start.
    • Re:opendns (Score:5, Informative)

      by Anonymous Coward on Thursday August 16, 2012 @07:44PM (#41018385)

      OpenDNS is a huge scam - right up there with all the other Bait & Switch slime.

      It used to be free, our public library used them to filter porn so that they met the basic filtering requirements in order to get Federal grant money.

      Then OpenDNS said no more free filtering - all right, everyone needs to make a buck or two right?

      So how much for 50 workstations - $1250/year (and that's with a non-profit discount) - for DNS service.

      Yeah, going from free to outrageous isn't exactly a viable business plan.

      DynDNS offers pretty much the same thing (i.e. category filtering) for $20/year - guess which plan the Library went with?

      • Re:opendns (Score:5, Insightful)

        by Anonymous Coward on Thursday August 16, 2012 @08:14PM (#41018691)

        You're god-damn right it was a scam. The main part of OpenDNS that pissed me off was their filters were created and filled BY THE USERS. And now they're charging for something they got for free. We thought it was going to be a symbiotic relationship but it ended up being a parasite.

        How much for a business with 200-220 PCs? $3000 a year.

  • Just don't set up a filter. Done!

    • Re:Don't (Score:5, Insightful)

      by Jamu (852752) on Thursday August 16, 2012 @07:43PM (#41018369)
      Best way to stop them looking at inappropriate content is don't set up a filter, but keep a record of every website they visit and who visited it. Tell the students you are doing this.
      • by jamesh (87723)

        Best way to stop them looking at inappropriate content is don't set up a filter, but keep a record of every website they visit and who visited it. Tell the students you are doing this.

        That's about the best you are going to get. And if they are all your own computers you can filter https too (although you have to make sure kids won't be doing any banking etc or there might be liability issues), but it's harder if you want to filter devices that people bring from home.

        If you filter, and a poor innocent child captures glimpse of a nipple and is scarred for life, you'll have to explain to the concerned parents why you allowed this to happen. If you allow all content then you have less respon

    • by Revotron (1115029)
      That would lose them any Federal grant money they're currently receiving or could potentially receive for IT.
  • by Anonymous Coward on Thursday August 16, 2012 @07:31PM (#41018257)

    My mother was a porn star. There's not much that I wouldn't want her to see.

    Slippery slope, my man.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Cool, I thought I saw your Mom in "Slippery Slope - Volume III"

  • by girlintraining (1395911) on Thursday August 16, 2012 @07:35PM (#41018301)

    There is a lot of great content and features on Facebook, and its a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to setup campus-wide security/privacy policies for Facebook?"

    In a word, don't. Unlike adults, teenagers won't have any qualms about bypassing your filtering. They'll use proxies. Tor. Thumb drives with other operating systems on it. Mobile phones. Secret non-broadcasting wifi networks. No filtering software yet designed has survived more than a few months in a public school without leaving the server running it as little more than a smouldering carbon scorch mark on the floor.

    If this were a corporate environment, you could count on the fear and paranoia of being fired. You have no such power over teenagers... and many of them would do it even if you threatened them with life in the electric chair, because teenagers do not have good judgement. Even if you ask them "Is that a good idea," and they reply, "No," they'll probably keep doing it. And if you ask them why, they'll give you about as good of an answer as randomly seeking to some point in addressable memory and reading out whatever strings may or may not be present.

    My advice... turn off the internet, lock the systems down, bolt them to the tables, put epoxy in all the USB ports, remove the optical drives, put everything behind plexiglass (little fingerholes for the keyboards), load up your operating system of choice and lock it down as much as you can, and then maybe, just maybe... you have a chance.

    • Re:lulz. good luck (Score:5, Interesting)

      by LateArthurDent (1403947) on Thursday August 16, 2012 @07:42PM (#41018363)

      In a word, don't. Unlike adults, teenagers won't have any qualms about bypassing your filtering. They'll use proxies. Tor. Thumb drives with other operating systems on it. Mobile phones. Secret non-broadcasting wifi networks.

      Honestly, that's almost a good argument for implementing filtering. It challenges bright people to come up with clever solutions. Then they'll grow up with an interest in computers and networking, as well as a healthy distaste for censorship.

      • Re:lulz. good luck (Score:4, Interesting)

        by girlintraining (1395911) on Thursday August 16, 2012 @08:23PM (#41018769)

        Honestly, that's almost a good argument for implementing filtering. It challenges bright people to come up with clever solutions. Then they'll grow up with an interest in computers and networking, as well as a healthy distaste for censorship.

        Most people aren't bright, and for every person it fosters a love of exploration and challenge, it'll create fifty more who view it as normal and try to club the other kid over the head for trying to get them all into trouble. The best solution is not to censor at all, and to simply be open to the kids about what's okay and what's not, and why, and if they have questions to have role models they can talk to about it that won't judge them for being curious or looking. Telling a kid not to do something just makes them want it more.

        My mom tried for years to get my sister to wear mittens and hats when it was cold out (this is Minnesota, where winters can and do kill people very year). She'd never let her go outside without them, and was generally overbearing on the matter. Then she went on vacation for a few weeks in January and little sister asked to go for a walk. I saw how she was dressed -- no hat, no gloves, and asked if she thought she was dressed appropriately. She said yes. I opened the door. 10 minutes into our walk, she started complaining about how cold she was. I kept walking. She whined and said she wanted to go home. I kept walking, reminding her she said she was dressed appropriately and I was going to hold her to that. Another 10 minutes goes by and now she's shivering, stuffing her fingers in her sleeves, her pockets, finally pulling her arms out of the jacket entirely so her hands could stay out of the cold. Her nose and ears were red, and she looked miserable. Another 10 minutes goes by and she's stopped whining now and limping along miserably. We get back in the house, and she doesn't take off the jacket or anything, just goes to her room, pulls the blanket over her head, and remains miserable. About 5 minutes later I came in and took her shoes and socks off (which had become wet), put dry ones on, and put an electric blanket on her feet to warm them back up. She was fine after that.

        She's never left the house without a hat or gloves since. Lesson learned.

    • I disagree.

      It is the original poster's intention to block inappropriate content. It is probably his duty to take reasonable steps to ensure that porn.com is blocked. If people want to go out of their way to deliberably bypass filtering then they can do that if they wish - but at least now they know that they shouldn't, and they should be held responsible for that.
  • Good Kids (Score:5, Insightful)

    by dark grep (766587) on Thursday August 16, 2012 @07:44PM (#41018377)

    Many years ago I connected an Internet feed for a private girls school - a very conservative, christian, and very well respected one - in Sydney. During the setup I was talking to the Headmistress about if she had any concerns regarding the content the girls might access. I thought her response was particularly enlightened; her comment was something like 'Whatever you try to restrict will make them want to access it more, which they will do secretly and unguided. If we don't make any restrictions then it will never be a big deal, and anything they feel uncomfortable about they can discuss with their teacher. Good kids will know to do the right thing, and all our girls are good.'

    If I had a daughter, I probably would have sent her to that school.

    • by tibit (1762298)

      The nun is partly right, partly wrong. Yes, restrictions will exacerbate the problem. No restrictions, though, won't make the problem magically go away either. I mean, there *is* a problem to begin with -- that they'll run into porn, or whatever else passes for inappropriate content. Porn-wise, I think that kids who are raised in a home where nudity is no big deal will react appropriately: shrug it off, saying "so what, haven't you seen a naked guy/girl?!". Sex isn't exactly a visually engaging thing if you

    • by DaveGod (703167)

      Internet filters aren't about protecting children, they are about protecting the school from their parents.

  • Until someone offers your boss a compelling case demonstrating the educational value of access to Facebook, you block all of it. The purpose of the computers is to be an aid to the school's educational mission.

  • by Anonymous Coward

    This not only the wrong message to children, it's also impossible to outsmart a teen who wants to get on facebook.

  • Given the utterly dismal record of Facebook the company when it comes to the privacy of its users, I wouldn't bother allowing access. Not only do you have your users to worry about, you have external Facebook users and Facebook itself - that sounds like a recipe for disaster to me. Aren't we due for a reset of our privacy settings to 'Everything shared with everyone' any day now?
    • by tibit (1762298)

      Agreed. I don't see the value of Facebook on student-accessible computers. As for the teachers, they should have access to everything. Anything else would be stupid. It's an education of learning, you can't a priori decide that some things have no educational value. Besides, why on earth ban Facebook use during teacher's off time. I mean, give me a break, you already provide teachers with a lounge, perhaps a cafeteria, etc. Barring recreational internet access on school grounds makes no sense to me at all.

  • by Chemisor (97276) on Thursday August 16, 2012 @07:48PM (#41018437)

    There is a lot of great content and features in homemade lunches, and they are a great way to stay in contact with friends and enjoy eating, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more than should be shared, and not everyone follows proper nutritional and safety guidelines.

    The solution is obvious: open a cafeteria on the premises and make it illegal to bring any outside food. This way total control over food quality and nutritional content can be achieved. Additionally, making the cafeteria highly visible uses public shame and humiliation to limit inappropriate activity, such as enjoying food.

  • by fm6 (162816) on Thursday August 16, 2012 @07:50PM (#41018451) Homepage Journal

    ... then your school should be teaching kids how to use the Internet safely. There just isn't any technology that will protect your kids from everything they might do wrong.

    I suppose you have to block sites that would offend parents (though the kids probably know all about them) but relying on filtering software to keep your kids safe is abdicating the school's responsibility

    • ... then your school should be teaching kids how to use the Internet safely. There just isn't any technology that will protect your kids from everything they might do wrong.

      I suppose you have to block sites that would offend parents (though the kids probably know all about them) but relying on filtering software to keep your kids safe is abdicating the school's responsibility

      Kids aren't responsible enough for that. It makes sense to set up filters at home, and asking the school to do the same.

      • by fm6 (162816)

        I never said he shouldn't put up a filter. But he wants a filter that protects kids from doing stupid stuff, and there's no such thing.

    • by fermion (181285)
      yes teach kids tomuse internet, but we do not teach kids to ride ambike on the freeway.

      Critical information missing. What is the age of the kids, or are these young adults, and what do you want to accomplish by filtering.

      If these are kids, say under 13, I think whitelists are absolutely appropriate. They are the only way to block proxy and https workarounds

      For older students ad blocking is basic, along with whatever policy states, be it violence, sex, shopping or hookups. Keep in mind that more mos

  • Employ a teacher! (Score:4, Insightful)

    by multiben (1916126) on Thursday August 16, 2012 @07:52PM (#41018463)
    Don't bother with the filters, stick all the computers in a supervised area and kick out any students who break the rules. Speaking as someone who is personally sick to death of being managed by dumb computer programs (time management and performance evaluating software), why not have a responsible adult present to help guide the students? An old fashioned notion I know, but they are at school after all.
  • by linebackn (131821) on Thursday August 16, 2012 @07:54PM (#41018489)

    Obligatory Dilbert strip:

    http://dilbert.com/strips/comic/1996-09-07/ [dilbert.com]

  • Use the hosts file!

  • Worry about bandwidth, not content. Find some way to throttle video streams based on bandwidth. That will discourage watching porno and videos, and keep the upstream link from becoming choked.

  • Make each student install a proxy on their parents' internet connection and give the student access to the proxy from school. All other internet access is blocked. If the parents will not allow the proxy, the student will not have internet access at school.

    I'm only half joking

  • by sillivalley (411349) <sillivalley@com[ ]t.net ['cas' in gap]> on Thursday August 16, 2012 @07:59PM (#41018545)
    And it's a race you will lose, should you choose to enter.

    But if you really want to play -- take a look at Untangle (http://www.untangle.com) for a Linux-based appliance (free versions available) that will do other things such as spam filtering, basic AV, and more. Paid modules (inexpensive) let you add web caching, which cuts down on traffic, especially when you have a bunch of kids in a computer lab accessing the same web resources. So you can solve the problem for the hard-connected machines that are fairly well locked down individually.

    But in the end, it's a pain in the ass. My wife is a middle school teacher, and she complained about their school's filtering "solution" keeping her from researching and accessing useful sites until my son reconfigured her laptop to use a proxy that he and some friends run so that they can get around school filtering solutions...

    Set expectations early and often -- you will be able to block most of the kids (and adults). Some will always get around the barriers you put in place, often just for the sport of it.

    Unless you set expectations, you will successfully block things for 598 students -- 2 will get through and you will be castigated as a FAILURE.

    Still want to play the game?
  • Your bosses and the parents of your students, whose desires are expressed to your bosses.

    Ensure you don't own the decision.

    The purpose of filtering is to demonstrate you have filtering.

    After your bosses define what they want, give it to them as best you are able but get it in writing (spieling that it protects everyone to do it that way). Have a written AUP, etc.

  • I'm assuming its not a university or a college. If thats the case you need to be 18 to have a facaebook account acording to their ToS. So, no kids should need to get to facebook.

  • If you nothing more to say then "Don't Filter A Thing," you waste his time and ours. It is not his decision to make.

    The small non-profit school won't have the money to hire extra staff simply to monitor whatever passes for a computer lab. The geek may not like the idea, but a filter will have to carry part of the load.

  • Your assumption that content people might find--Facebook or elsewhere--that is more harmful to them than a censorship policy just handed down to them--is false. This is your chance to confront the people asking you to implement the policy with a couple of questions:

    1. Given all the ways people get uncensored internet even under autocratic regimes where the penalties are brutal, what makes you think any censorship policy could work?

    2. Which feasible projects are you willing to divert resources from in ord

  • by dacut (243842) on Thursday August 16, 2012 @08:31PM (#41018845)

    If they're under 13 (elementary and middle school age range), they're not allowed to access Facebook due to their terms of service and (in the US, at least) COPPA.

    From Facebook's terms of service [facebook.com]:
    You will not use Facebook if you are under 13.

    This is due to the Children's Online Privacy Protection Act [wikipedia.org], which requires verified parental consent before children can provide information to the website. While this does not impact you directly (that is, the FTC isn't going to knock on your door), you could get some heat from parents or administrators for allowing it at all.

    Personally, I think the law is too draconian, but I wouldn't put my position in jeopardy to protest it.

  • by Anonymous Coward on Thursday August 16, 2012 @08:31PM (#41018847)

    Use PFsense with Squid Proxy WAN object caching and DansGuardian (with the paid list updates) and on top of that, OpenDNS filtering.

    OpenDNS will help with malware prevention and botnet computers.

    Use Unbound forwarding to pull OpenDNS but also locally cache DNS entries for faster response times.

    Block DNS port 53 from exiting the WAN from anything but the pfsense proxy to prevent circumvention of your local proxy.

    • by _Sharp'r_ (649297)

      Having done this before for a school a few years ago... this anon comment above is the best way to go. All of the above is cheap to free.

      Only thing I would add is to check with your state educational network admins, assuming you're using a state internet connection. They may also have a service available built into their WAN you can use.

  • If you implement filtering, then the first time "something bad" gets through, be prepared to be the fall-guy.

  • Don't waste your time with filtering. It will just make the kids want to see the "blocked" sites more. Anything you do a kid can get around in no time. If the kids are under 18 then it should be the parents call on whether they are on FB or not. The teachers can surf on their own time OFF the clock.

    Just put the modem in a locked closet or the principals office with an on/off switch. When you need to get online to download software or access some educational site you can turn it on just for that.

    There is a lot of great content and features on Facebook,

    Oh my sides.

  • Facebook is near imposible to filter. My suggestion is use something else such as Moodle, MyBigCampus, or Gaggle that either is filter for you or that you would have complete control.
  • Been working in Education for the last decade and I can say give it up. I have never seen any filter work more than a day at best. Lightspeed whatever just doesn't last very long. Kids start with proxy, but quickly switched to stealing passwords. The school year is only a week old and I have already seen a fairly complete list of staff passwords and ever our sys admin password. Get a Federal approved filter and do the best you can, keeping the systems working will kill all the time you have believe me.

  • 1. Block outbound dns and force all queries to go through a central DNS server
    2. Filter the domains that server allows to resolve
    3. Adopt zero tolerance policy to evasion of firewalls
    4. Do random audits of network traffic and punish anyone caught bypassing the firewall by any means.
    5. Install deepfreeze so that students can't monkey with the machines

    number 4 is good because you don't want your policies to become a joke. Kids these days are hardly technophobes, and you may need to be prepared to match

  • Buy a DNS-based service like Internet Guide from DynDNS and move on to the next project. The admins can tell you which twiddly bits to flip on their configurator, othewise what you see is what you get.

    Possibly set up an internal recursive DNS with zones to allow some machines to go out unfiltered.

2.4 statute miles of surgical tubing at Yale U. = 1 I.V.League

Working...