
Ask Slashdot: How To Best Setup a School Internet Filter?

An anonymous reader writes "I was recently volunteered to be the network/computer admin for a small non-profit school. One of the items asked of me had to do with filtering inappropriate content (i.e. stuff you wouldn't want your mother to see). Essentially we want to protect people who aren't able to protect themselves, at least while on campus. Basic site filtering is fairly easy — set up squid with one of the many filtering engines and click to filter the categories you're interested in. Additionally, making the computer lab highly visible uses public shame and humiliation to limit additional activity. The real question — How do you filter Facebook? There is a lot of great content and features on Facebook, and it's a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to set up campus-wide security/privacy policies for Facebook?"

  • Don't (Score:5, Insightful)

    by Simulant ( 528590 ) on Thursday August 16, 2012 @07:27PM (#41018213) Journal
    Just block it altogether. Not worth it.
  • Re:Don't (Score:5, Insightful)

    by ThatsMyNick ( 2004126 ) on Thursday August 16, 2012 @07:30PM (#41018251)

    Or whitelist a few websites and be done with it.

  • Re:Don't (Score:5, Insightful)

    by Jamu ( 852752 ) on Thursday August 16, 2012 @07:43PM (#41018369)
    Best way to stop them looking at inappropriate content is don't set up a filter, but keep a record of every website they visit and who visited it. Tell the students you are doing this.
  • Good Kids (Score:5, Insightful)

    by dark grep ( 766587 ) on Thursday August 16, 2012 @07:44PM (#41018377)

    Many years ago I connected an Internet feed for a private girls school - a very conservative, Christian, and very well respected one - in Sydney. During the setup I was talking to the Headmistress about if she had any concerns regarding the content the girls might access. I thought her response was particularly enlightened; her comment was something like 'Whatever you try to restrict will make them want to access it more, which they will do secretly and unguided. If we don't make any restrictions then it will never be a big deal, and anything they feel uncomfortable about they can discuss with their teacher. Good kids will know to do the right thing, and all our girls are good.'

    If I had a daughter, I probably would have sent her to that school.

  • by Anonymous Coward on Thursday August 16, 2012 @07:46PM (#41018401)

    This is not only the wrong message to children, it's also impossible to outsmart a teen who wants to get on Facebook.

  • Re:Don't (Score:5, Insightful)

    by cpu6502 ( 1960974 ) on Thursday August 16, 2012 @07:47PM (#41018423)

    Exactly my thought. I would also include a note on the "block page" to send an email to admin@whatever if the user wants a site opened. That way brand-new sites like teenskissingtheirpussies will be blocked by default, but if someone requests a site like PBSkids.com you can whitelist it ASAP.
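
The whitelist-plus-record approach suggested in the comments above (ThatsMyNick, Jamu, cpu6502), as an added example that is not part of the original thread: it reads proxy log lines and reports, per user, which hosts were on the whitelist and which were not. It assumes Squid's native access.log layout with the user field populated by proxy authentication; the whitelist entries, user names and log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed whitelist; pbskids.com is the site named in the thread,
# wikipedia.org is an assumption added for the example.
WHITELIST = {"pbskids.com", "wikipedia.org"}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1345159620.101 120 10.0.0.21 TCP_MISS/200 5120 GET http://pbskids.com/games alice DIRECT/203.0.113.10 text/html
1345159625.440 2 10.0.0.22 TCP_DENIED/403 1400 GET http://notpbskids.com/ bob NONE/- text/html
1345159630.007 300 10.0.0.22 TCP_MISS/200 9000 CONNECT en.wikipedia.org:443 bob DIRECT/203.0.113.20 -
1345159641.900 1 10.0.0.21 TCP_DENIED/403 1400 GET http://example.net/page alice NONE/- text/html
"""

def host_of(method, url):
    """Return the lowercase hostname from a logged request target."""
    if method == "CONNECT":  # HTTPS tunnels are logged as "host:port"
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def is_whitelisted(host, whitelist=WHITELIST):
    """Match the domain itself or a true subdomain, never a bare suffix."""
    return any(host == d or host.endswith("." + d) for d in whitelist)

def summarize(log_text):
    """Build {user: {"on_list": set, "off_list": set}} from access.log text."""
    report = defaultdict(lambda: {"on_list": set(), "off_list": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip truncated or malformed lines
        client, method, url, user = fields[2], fields[5], fields[6], fields[7]
        who = user if user != "-" else client  # fall back to the client IP
        host = host_of(method, url)
        bucket = "on_list" if is_whitelisted(host) else "off_list"
        report[who][bucket].add(host)
    return dict(report)

if __name__ == "__main__":
    for who, seen in sorted(summarize(SAMPLE_LOG).items()):
        print(who, sorted(seen["on_list"]), sorted(seen["off_list"]))
```

The dot-prefixed suffix check is what keeps a lookalike such as notpbskids.com from matching the pbskids.com entry.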

  • Re:Don't (Score:5, Insightful)

    by sqlrob ( 173498 ) on Thursday August 16, 2012 @07:48PM (#41018429)

    It's easy to pull off a man in the middle attack if you control the computers.

    You generate your own certs with a CA that you've installed on the computer. At least one commercial product does this automatically.

  • by fm6 ( 162816 ) on Thursday August 16, 2012 @07:50PM (#41018451) Homepage Journal

    ... then your school should be teaching kids how to use the Internet safely. There just isn't any technology that will protect your kids from everything they might do wrong.

    I suppose you have to block sites that would offend parents (though the kids probably know all about them) but relying on filtering software to keep your kids safe is abdicating the school's responsibility.

  • Employ a teacher! (Score:4, Insightful)

    by multiben ( 1916126 ) on Thursday August 16, 2012 @07:52PM (#41018463)
    Don't bother with the filters, stick all the computers in a supervised area and kick out any students who break the rules. Speaking as someone who is personally sick to death of being managed by dumb computer programs (time management and performance evaluating software), why not have a responsible adult present to help guide the students? An old fashioned notion I know, but they are at school after all.
  • Can't (Score:5, Insightful)

    by tverbeek ( 457094 ) on Thursday August 16, 2012 @07:54PM (#41018481) Homepage

    You can't partially-filter Facebook, not in any meaningful or effective way. If you try, you'll fail. Either users have access to it, or they do not.

    And for a school (assuming K-12), the hypothetical benefits are massively outweighed by the problems. Not just the content-filtering ones, but the waste-of-resources and distraction-from-task kind. Give kids easy access to Facebook at school, and your computer lab will become a Facebook lab. It serves no educational purpose, and just like the Gameboys, Walkmans, transistor radios, whatever toys earlier kids tried to play with at school that distracted from what they were there for, it's perfectly appropriate to say "not at school".

  • Re:Don't (Score:5, Insightful)

    by Joce640k ( 829181 ) on Thursday August 16, 2012 @08:14PM (#41018689) Homepage

    There is a lot of great content and features on Facebook

    Like what? What are you trying to protect against?

    Facebook whores hogging the computers all day long so nobody can do any work...?

  • Re:opendns (Score:5, Insightful)

    by Anonymous Coward on Thursday August 16, 2012 @08:14PM (#41018691)

    You're god-damn right it was a scam. The main part of OpenDNS that pissed me off was their filters were created and filled BY THE USERS. And now they're charging for something they got for free. We thought it was going to be a symbiotic relationship but it ended up being a parasite.

    How much for a business with 200-220 PCs? $3000 a year.

  • Re:Don't (Score:5, Insightful)

    by datavirtue ( 1104259 ) on Thursday August 16, 2012 @09:21PM (#41019217)

    So we're used to authority policing our content consumption? I work at a college and we do no filtering of any kind due to academic freedom. There are issues from time to time but it is tolerated in the name of freedom.

  • Re:Don't (Score:5, Insightful)

    by Anonymous Coward on Friday August 17, 2012 @03:02AM (#41020829)

    I guess the person asking the question didn't specify, but I was under the assumption that this was for an elementary level type school....so, you're policing children, and you'd likely start with things mostly turned off, and then let on what you needed as required by the instructors.

    Back in the mid-1990s when I was at the elementary school level, we had a 10BASE2 coaxial network and unlimited Internet access. And oh boy did we find lots of both questionable (nude, porn) and illegal content (games, software and MP3s were already flooding to the websites from the soon-to-be-legacy private BBSes and FTPs), and guess what all that did to me? Nowadays I post anonymous comments to Slashdot, have a job and pay my taxes (oh, and MSE in the works).

    So, unless you want your kids to grow up as future Slashdot users and engineers with university grade degrees, block everything (I mean *everything*), throw them to your basement and never open the door. Everything else is just plain stupidity and both wasted time and effort.

  • Re:Don't (Score:5, Insightful)

    by Xest ( 935314 ) on Friday August 17, 2012 @04:13AM (#41021275)

    It doesn't work anyway. I worked supporting schools for some years and we ran a WAN that they connected through to the internet (around 150 schools connecting via 10mbps links to a central pipe) and the fact is you just can't do anything about kids accessing what they shouldn't.

    They're far more resourceful, far more motivated, and have far more time than your IT staff. Like the music industry trying to clamp down on piracy, IT staff trying to clamp down on kids whilst still keeping the internet somehow useful is a lost cause. The kids know any number of proxy sites, they'll find any number, sites you didn't even know existed as a long time IT professional, and hell, even if you do lock down the internet completely (and make it largely useless in the process) kids are only going to bring in porn mags and CDs/memory sticks with porn and such on anyway.

    The best solution is entirely with the teachers. It's with the teachers to catch kids browsing things they shouldn't, and to punish them and make an example that doing what you shouldn't in school hours will get you in deep shit. Anything else is doomed to fail, and even this method isn't going to stop every kid, but it'll be far more effective than any kind of technological solution will be. If we're talking about really young kids and you want to protect their precious little eyes then internet access should be treated the same way as it would be by a "good" parent - supervise them whilst they're using it.

  • Re:lulz. good luck (Score:5, Insightful)

    by serviscope_minor ( 664417 ) on Friday August 17, 2012 @05:07AM (#41021491) Journal

    the flipside to that isn't to make them suffer for your crappy teaching methods

    You've missed the point.

    Making the kid suffer would be to say something like "so you think it's ok, right? Now I'm going to force you outside and force you to suffer".

    What the GP did was to allow the kid to teach herself. She let the kid make the decision that the kid wanted to, and see what consequences that led to.

    It's actually a really good teaching method: let the kid learn and explore, but be there in the background to make sure that they don't accidentally kill themselves or suffer permanent injury.

    No lesson sticks quite as well as one hard learned oneself.

  • Yes, there's going to be a group of kids who are more determined and resourceful than the person asking. In a nontrivial number of cases, they're called "future sysadmins". That's not to say that they'll all do so or that it should be a motivation for whether things get filtered at all, but it is a byproduct worth mentioning.

    That said, you raise an argument of questionable logic. Essentially, you've stated that because he CAN'T block EVERYTHING that he SHOULDN'T block ANYTHING. That's not really the way things work in K-12 education. See, if it takes a proxy, a VPN, and a memorized IP address to get to content deemed inappropriate by the powers that be, then anyone who has gotten to it has shown clear determination to do so. Thus, it's significantly easier for the IT staff to say "We have had filters in place from the get-go that block this content. This student used an incredibly elaborate method to get around these filters, and this method no longer works as we've updated our filters to accommodate it" and thus place blame squarely on the student for determination and intent. Using your method of leaving the floodgates of the internet opened means that answering to those same people when a student accidentally stumbles upon objectionable content will sound like, "we don't have any filters because they don't work 100% of the time". Reference-free job hunting starts in the morning.

    If a student wants to get into the building after-hours and orders his own RFID card off the internet and programs it to mimic another card to unlock the door, it's going to be much tougher for the school to sue the security company than if the security company left the doors open 24/7 because there are 20-foot high windows.

    Sure, students will bring in their issues of Penthouse or USB sticks with the contents of the latest pr0n torrent if they're determined to do so, but once again, it's how and where. A student walking into school with Penthouse in his backpack didn't get it from the school, therefore the school can't be held liable for the actions of the student. If the student downloaded an issue of Penthouse on a school computer, by contrast, now the school has made possible something that (for the sake of argument) the parents find objectionable and it's easy to point the finger at the IT admins since even a basic content filter would have mitigated the issue - or at the very least raised the barrier to entry significantly such that the IT staff can once again say "we can't block everything, but the filters do block all but the most determined attempts to get where he got" and absolve themselves from responsibility.

    Yes, supervision absolutely needs to happen. The original post explicitly asks how to make supervision easier for that very reason. The question being asked isn't how to replace adult supervision with a technological solution, it's how to assist the teachers and try to fill in the gaps for the moments when the teacher is focusing on student #1 who happens to be seated at an inconvenient angle to observe student #2 doing the same thing.

  • Mommy can throw a tantrum all she wants about Timmy seeing a boob online. The question of whether the situation is able to escalate beyond that is where filters come into place.

    Scenario 1:
    Mommy: "Timmy saw pr0n at school! The IT department is incompetent and needs to pay me *raises pinky to mouth* one MILLION dollars!"
    IT Dept witness: "Your honor, the school has had content and proxy filtering on their network for years. This is the filtering system that the Board of Education has chosen for us to be using, configured using industry standard practices, and being appended weekly with additional 'creative' ways the students have found to bypass these filters. Here are the log files in the traffic, indicating that the student performed an end-run around the filter by using multiple VPN endpoints, SSL traffic, and a virtualized operating system running executable files explicitly designed to evade our application whitelist, and did so using a batch script as to prevent the teacher from catching him doing it."

    Scenario 2:
    Mommy: "Timmy saw pr0n at school! The IT department is incompetent and needs to pay me *raises pinky to mouth* one MILLION dollars!"
    IT Dept witness: "Since web filters are mostly ineffective anyway, we felt that it was a waste of tax dollars to even try. If he were dedicated he'd get through them anyway."
    Mommy: "All he did was go to bigtits.com and it let him!"
    IT Dept witness: "He has the right to not be censored!"
    Mommy: "He's twelve!"

    You'll never avoid a tantrum from a psychotic parent trying to sidestep their responsibility to actually be a parent. What you *will* avoid, however, is those kinds of allegations actually sticking, unless you have a set of like-minded psychos two and three tiers above you on the corporate org chart who are too technologically inept to realize that there is a chasm of difference between "filters unable to stop extremely determined, skilled, and clever students clearly violating the acceptable use policy and leaving traces of their actions" and "no filter at all". If that's what you have, then I propose the same thing - the issue is not technological and cannot be solved technologically, but will append it to say that the issue isn't with the students and the issues seen in the students are a reflection, not a cause.
