Ask Slashdot: How To Best Setup a School Internet Filter?

samzenpus posted about 2 years ago | from the watch-how-you-play dept.


An anonymous reader writes "I was recently volunteered to be the network/computer admin for a small non-profit school. One of the items asked of me had to do with filtering inappropriate content (i.e. stuff you wouldn't want your mother to see). Essentially we want to protect people who aren't able to protect themselves, at least while on campus. Basic site filtering is fairly easy — set up squid with one of the many filtering engines and click to filter the categories you're interested in. Additionally, making the computer lab highly visible uses public shame and humiliation to limit additional activity. The real question — How do you filter Facebook? There is a lot of great content and features on Facebook, and it's a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to set up campus-wide security/privacy policies for Facebook?"


454 comments


Don't (5, Insightful)

Simulant (528590) | about 2 years ago | (#41018213)

Just block it altogether. Not worth it.

Re:Don't (5, Insightful)

ThatsMyNick (2004126) | about 2 years ago | (#41018251)

Or whitelist a few websites and be done with it.

Re:Don't (4, Insightful)

cpu6502 (1960974) | about 2 years ago | (#41018423)

Exactly my thought. I would also include a note on the "block page" to send an email to admin@whatever if the user wants a site opened. That way brand-new sites like teenskissingtheirpussies will be blocked by default, but if someone requests a site like PBSkids.com you can whitelist it ASAP.

Re:Don't (5, Funny)

Anonymous Coward | about 2 years ago | (#41018477)

Um, so, teenskissingtheirpussies. Linky??

Re:Don't (-1)

Anonymous Coward | about 2 years ago | (#41019079)

I hope you're handsome, because intelligence obviously isn't your hallmark.

Re:Don't (4, Funny)

jhoegl (638955) | about 2 years ago | (#41018253)

Until the dean says "I promote the school through Facebook!" and you reply with "You can do that at home".

Re:Don't (1)

tverbeek (457094) | about 2 years ago | (#41018499)

Or put the dean on the whitelist that allows him to access whatever sites he deems appropriate, but are blocked for students. Typical residential-grade routers have this functionality.

Re:Don't (1)

pkinetics (549289) | about 2 years ago | (#41018935)

I'd only whitelist the dean for appropriate sites. No blanket access for anyone. Last thing you want to find out is the dean has been using the office for porn.

Re:Don't (2)

buchner.johannes (1139593) | about 2 years ago | (#41018261)

There is a lot of great content and features on Facebook

Like what? What are you trying to protect against? What should pupils be allowed to see?

It's pointless anyways, kids have Facebook on their phones these days.

Re:Don't (4, Insightful)

Joce640k (829181) | about 2 years ago | (#41018689)

There is a lot of great content and features on Facebook

Like what? What are you trying to protect against?

Facebook whores hogging the computers all day long so nobody can do any work...?

Re:Don't (1)

Martin Blank (154261) | about 2 years ago | (#41018267)

I second this. You either allow it or you don't. Trying to filter Facebook at an intermediate level is nearly impossible in the best circumstances.

A far bigger challenge is the expanding use of SSL by default. It solves a lot of problems for the individuals but it makes life more difficult for the enterprise admin who is supposed to filter these things. I flagged this recently at work as we enforce SafeSearch on search engines but with Google and others going SSL by default, it's possible to search for and display things that normally wouldn't come up. We're now having to look into decryption which brings its own issues pertaining to certificate management.

Re:Don't (2, Informative)

jbolden (176878) | about 2 years ago | (#41018287)

We're now having to look into decryption which brings its own issues pertaining to certificate management.

What do you even mean there? You aren't going to be able to pull off a man in the middle attack. You either block https or game over.

Re:Don't (4, Insightful)

sqlrob (173498) | about 2 years ago | (#41018429)

It's easy to pull off a man in the middle attack if you control the computers.

You generate your own certs with a CA that you've installed on the computer. At least one commercial product does this automatically.

Re:Don't (0)

Anonymous Coward | about 2 years ago | (#41018471)

Our company does the man in the middle. It is not done covertly, the users (i.e. me) get the certificate warning message but most of them (i.e. not me) continue on anyways. Besides the company IT folks being able to see all your data, there is also the significant risk that another man in the middle could introduce themselves and you would have no way of even knowing they are there.

Re:Don't (1)

Anonymous Coward | about 2 years ago | (#41018651)

Training users to ignore security warnings, what an awesome job your IT dept is doing!

Re:Don't (1, Informative)

wolrahnaes (632574) | about 2 years ago | (#41018713)

This is correct. In a managed environment it's not exactly rocket science to put your cert on the computer, allowing you to re-sign anything HTTPS. Make it clear to the users that EVERYTHING is being monitored and they have no expectation of privacy on said computers and go for it.

Using a bogus cert that throws warnings in the browser is just an idiotic way to train your users that clicking through SSL warnings is normal.

Re:Don't (3, Informative)

chrb (1083577) | about 2 years ago | (#41018547)

What do you even mean there? You aren't going to be able to pull off a man in the middle attack.

Oh but you can, and it's increasingly being done and the people being intercepted are probably completely unaware of it. All of the big providers of content filtering hardware offer SSL interception now [blogspot.co.uk] (actually that article was written in 2006, so it's been going on for a while now). The sysadmin just has to deploy a trusted CA key to each desktop. I still think it is probably a violation of various wiretap laws because, regardless of what the local user has agreed to, the remote side (Google, your bank etc.) have not agreed to your interception of their encrypted communications. But, afaik, surprisingly nobody has yet sued over this issue.

Re:Don't (1)

Martin Blank (154261) | about 2 years ago | (#41019009)

It's legitimate. The decryption happens while it's still on our network, and we have complete control over every packet that goes through. Part of the agreement signed by the employees every year is that nothing that goes over the network is private. We have the right to decrypt and inspect anything that goes through. Were it a legal problem, it would have already been tried long ago, presuming that it hasn't been tried already.

If/When it's implemented, there will be exceptions for financial or certain medical sites. But going to Gmail or a forum would see the traffic decrypted, checked, and re-encrypted on-box.

Can't (4, Insightful)

tverbeek (457094) | about 2 years ago | (#41018481)

You can't partially-filter Facebook, not in any meaningful or effective way. If you try, you'll fail. Either users have access to it, or they do not.

And for a school (assuming K-12), the hypothetical benefits are massively outweighed by the problems. Not just the content-filtering ones, but the waste-of-resources and distraction-from-task kind. Give kids easy access to Facebook at school, and your computer lab will become a Facebook lab. It serves no educational purpose, and just like the Gameboys, Walkmans, transistor radios, whatever toys earlier kids tried to play with at school that distracted from what they were there for, it's perfectly appropriate to say "not at school".

Re:can't partially-filter Facebook (4, Informative)

Nonesuch (90847) | about 2 years ago | (#41019091)

Actually, many of the more complex commercial firewall products CAN partially filter facebook. For example, you can permit reading but block posting updates, or permit access to most pages but block Farmville and all streaming media from fbcdn. I've always thought the easy way to cut down on problems with this sort of Internet access was to permit Content-type: text/* but block all images, audio, and video. Basically, let them read Playboy for the articles!

opendns (1, Informative)

twistedcubic (577194) | about 2 years ago | (#41018223)

OpenDNS has parental control addresses, so it's a start.

Re:opendns (5, Informative)

Anonymous Coward | about 2 years ago | (#41018385)

OpenDNS is a huge scam - right up there with all the other Bait & Switch slime.

It used to be free, our public library used them to filter porn so that they met the basic filtering requirements in order to get Federal grant money.

Then OpenDNS said no more free filtering - all right, everyone needs to make a buck or two right?

So how much for 50 workstations - $1250/year (and that's with a non-profit discount) - for DNS service.

Yeah, going from free to outrageous isn't exactly a viable business plan.

DynDNS offers pretty much the same thing (i.e. category filtering) for $20/year - guess which plan the Library went with?

Re:opendns (5, Insightful)

Anonymous Coward | about 2 years ago | (#41018691)

You're god-damn right it was a scam. The main part of OpenDNS that pissed me off was their filters were created and filled BY THE USERS. And now they're charging for something they got for free. We thought it was going to be a symbiotic relationship but it ended up being a parasite.

How much for a business with 200-220 PCs? $3000 a year.

Re:opendns (0)

Anonymous Coward | about 2 years ago | (#41018761)

OpenDNS is easy to defeat with a Proxy, or a manual DNS address. Some filters only work on Port 80, such as Untangle Webfilter Lite and are easily defeated with UltraSurf on port 443 or simply by typing https://website.com. Host Tables, Privoxy, squidGuard, DansGuardian, Webwasher, even Google Safe Search are all easy to defeat on their own. If you do get it right, the students will just use their phones as WiFi hotspots.

Security is like a fruit tree. Make the low hanging fruit difficult to get at and most people will give up. Use a combination of technologies. Set up logging on a per user basis.

Make sure that the school policy forbids circumvention of whatever you set up and spell out the consequences. Most students will comply. Deal with those that don't. In my area, that can mean banning students from high tech classes, banning them from computer usage, suspension, and even expulsion.
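[Added example, not part of the comment above or of any poster's setup.] A sketch of the per-user logging and default-deny whitelist ideas from this thread: it audits Squid native-format access.log lines and shows that HTTPS tunnels are still visible by hostname as CONNECT entries. It assumes browsers use the proxy explicitly; the whitelist, users and log lines are constructed for illustration.

```python
"""Audit a Squid access.log against a default-deny domain whitelist, per user."""
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hypothetical whitelist; subdomains of each entry are accepted as well.
WHITELIST = {"pbskids.org", "wikipedia.org", "school.example"}

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1345000001.101    88 10.0.0.21 TCP_MISS/200 5120 GET http://pbskids.org/games alice DIRECT/192.0.2.10 text/html
1345000002.202   140 10.0.0.21 TCP_MISS/200 9133 GET http://en.wikipedia.org/wiki/Squid alice DIRECT/192.0.2.11 text/html
1345000003.303  2210 10.0.0.22 TCP_MISS/200 48211 CONNECT www.facebook.com:443 bob DIRECT/192.0.2.12 -
1345000004.404    95 10.0.0.22 TCP_MISS/200 2048 GET http://notpbskids.org/ bob DIRECT/192.0.2.13 text/html
1345000005.505  3001 10.0.0.23 TCP_MISS/200 70112 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1345000006.606    12 10.0.0.23 TCP_MISS/200 900 GET http://PBSKids.org./ - DIRECT/192.0.2.10 text/html
this line is malformed
"""


def request_host(method, url):
    """Return the lower-cased destination host of a logged request, or None."""
    # HTTPS tunnels are logged as "host:port": the payload is encrypted,
    # but the destination name is still visible to an explicit proxy.
    target = "//" + url if method == "CONNECT" else url
    try:
        host = urlsplit(target).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def is_whitelisted(host, whitelist=WHITELIST):
    """Default deny: True only if host is a whitelisted domain or a subdomain."""
    if not host:
        return False
    try:
        ip_address(host)
        return False  # raw IP addresses never match a name-based whitelist
    except ValueError:
        pass
    labels = host.split(".")
    # Compare whole labels so "notpbskids.org" does not match "pbskids.org".
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels)))


def audit(log_text, whitelist=WHITELIST):
    """Return ({user_or_ip: [(method, host), ...]}, malformed_line_count)."""
    flagged = defaultdict(list)
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) < 10:
            malformed += 1
            continue
        client, method, url, user = fields[2], fields[5], fields[6], fields[7]
        # Fall back to the client IP when the proxy did not authenticate anyone.
        who = user if user != "-" else client
        host = request_host(method, url)
        if not is_whitelisted(host, whitelist):
            flagged[who].append((method, host or url))
    return dict(flagged), malformed


if __name__ == "__main__":
    report, bad_lines = audit(SAMPLE_LOG)
    for who, hits in sorted(report.items()):
        for method, host in hits:
            print(f"{who}: {method} {host} is not on the whitelist")
    print(f"{bad_lines} malformed line(s) skipped")
```

Entries attributed only to an IP address mean the proxy is not authenticating users, so per-user accountability depends on knowing who sat at that machine.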

Don't (2)

infogulch (1838658) | about 2 years ago | (#41018225)

Just don't set up a filter. Done!

Re:Don't (-1)

Anonymous Coward | about 2 years ago | (#41018313)

this.

I would have transferred schools had they tried something like this. Theoretically the students are all adults. Maybe you should treat them like it?

Re:Don't (1)

tverbeek (457094) | about 2 years ago | (#41018523)

"Theoretically the students are all adults."

Um... many schools have children in them. Like... most of them do. (If he meant he worked for a "college", he should've said "college". And demanded that their paid staff do this.)

Re:Don't (1)

pkinetics (549289) | about 2 years ago | (#41018949)

Heck many workplaces who have grown adults act like children. Block Facebook altogether. And make sure to block on HTTPS connection as well.

Adults?!? (0)

Anonymous Coward | about 2 years ago | (#41018555)

this.

I would have transferred schools had they tried something like this. Theoretically the students are all adults. Maybe you should treat them like it?

Adults?! Surely you jest, Mr. Coward?

They are children and should be treated as such. Their brains aren't developed enough to understand many things out there, they lack judgement and are prone to do something quite stupid and even harmful. And even if they're over 18, I STILL wouldn't trust them too much.

Here's a prime example. [telegraph.co.uk] Fortunately for Ms. Dell, she had a team of guardian angels watching her. Do you think the average kid has parents or guardians that have the time to watch everything a kid does - especially when not at home?

And this is a school we're talking about. All you need is one girl to get postings from an old guy and that school and this guy will be up to their asses in lawyers and cops.

Re:Adults?!? (0)

Anonymous Coward | about 2 years ago | (#41018849)

They are children and should be treated as such.

Right. They should be treated as human beings, and when they make an argument, you should attack the argument and not their character. If you wish to be logical, that is.

Here's a prime example.

I can point to many examples of us adults acting extremely foolishly. Surely you understand that what applies to some individuals does not necessarily apply to all?

Their brains are still developing, yes, but they're still human beings. And frankly, I can't think of any harmful content on the Internet that they need to be 'protected' from. I'm not a prude, I'm not a soccer mom, and I'm not keen on keeping children in bubbles to keep them away from content that is harmful only in my imagination.

All you need is one girl to get postings from an old guy and that school and this guy will be up to their asses in lawyers and cops.

Our lawsuit society is in need of some fixing, but this is definitely true. I see no other arguments for the filtering than they simply want to cover themselves from lawsuits.

Re:Don't (4, Insightful)

Jamu (852752) | about 2 years ago | (#41018369)

Best way to stop them looking at inappropriate content is don't set up a filter, but keep a record of every website they visit and who visited it. Tell the students you are doing this.

Re:Don't (1)

jamesh (87723) | about 2 years ago | (#41018515)

Best way to stop them looking at inappropriate content is don't set up a filter, but keep a record of every website they visit and who visited it. Tell the students you are doing this.

That's about the best you are going to get. And if they are all your own computers you can filter https too (although you have to make sure kids won't be doing any banking etc or there might be liability issues), but it's harder if you want to filter devices that people bring from home.

If you filter, and a poor innocent child captures glimpse of a nipple and is scarred for life, you'll have to explain to the concerned parents why you allowed this to happen. If you allow all content then you have less responsibility for this, in theory.

Re:Don't (1)

Revotron (1115029) | about 2 years ago | (#41018723)

That would lose them any Federal grant money they're currently receiving or could potentially receive for IT.

Just don't allow it at all (0)

Anonymous Coward | about 2 years ago | (#41018229)

No need to be doing that during school - it can wait, no, really, it can wait!

Re:Just don't allow it at all (0)

Anonymous Coward | about 2 years ago | (#41018255)

They're just going to do it via their smartphones anyway, so it's not a big deal

Re:Just don't allow it at all (1)

KermodeBear (738243) | about 2 years ago | (#41018345)

Exactly. Additionally, I would like to know what "great content" exists on Facebook anyway. "Person X has posted a photo." "Person Y likes Person X's photo!" Yeah, that's some great content there.

Really, just block the whole site completely. Any valid educational content that might possibly maybe be found on there can also be found elsewhere in greater amounts.

Re:Just don't allow it at all (1)

Anonymous Coward | about 2 years ago | (#41018485)

Additionally, I would like to know what "great content" exists on Facebook anyway.

Class groups and study session events.

Re:Just don't allow it at all (1)

mark_elf (2009518) | about 2 years ago | (#41019041)

Class groups and study session events.

Do you mean "everyone doing their homework together" on facebook? Do you mean actually teaching a class on facebook? Seems kind of inappropriate to me. Maybe your idea is to make it more appropriate by filtering it, but I don't think they want you to. They make money showing you ads, building a dossier on what you click on, etc. So I would suggest that you not use it as a teaching tool. In fact it's kind of unfair if all the students are required to use facebook to participate in this "content". What if they don't want to start out their lives feeding all their personal info to an evil mega-corporation? (Unlikely I know.) There are probably educational sites out there you could have everyone sign up for that have some kind of chat.

(ps - If they're younger than 13 they're not supposed to be on fb.)

Don't. (1)

Anonymous Coward | about 2 years ago | (#41018237)

You are obviously going to ignore this so don't forget to burn the books in the library on your way out.

Who decides what's "inappropriate" (5, Funny)

Anonymous Coward | about 2 years ago | (#41018257)

My mother was a porn star. There's not much that I wouldn't want her to see.

Slippery slope, my man.

Re:Who decides what's "inappropriate" (2, Funny)

Anonymous Coward | about 2 years ago | (#41018539)

Cool, I thought I saw your Mom in "Slippery Slope - Volume III"

Re:Who decides what's "inappropriate" (1)

Anonymous Coward | about 2 years ago | (#41019047)

>Slope
that's racist. my mom isn't asian.

Google for it!! (0)

Anonymous Coward | about 2 years ago | (#41018271)

Not being too unfriendly here given the fact that almost every other week the same thing gets asked here on Slashdot...
but I've had enough of these questions.

As far as I'm concerned,

You can
a.) google for it
b.) hire someone

They all have smart phones. (0)

csumpi (2258986) | about 2 years ago | (#41018297)

So don't bother.

Even if you block the filth and facebook, they'll find a way to numb their minds. Like watch youtube.

If you really don't want them to use the school computers for extra curricular web browsing, don't connect them to the internet.

Re:They all have smart phones. (0)

Anonymous Coward | about 2 years ago | (#41018601)

Institutions have to worry about what content a user accesses over their connection. No big deal if little Jimmy blows his hand off making explosives that he got the instructions from his home internet. But if he got it from a school PC? That makes all the difference in the world. Well, at least according to the lawsuits. Not to mention stuff like child pr0n or predatory behavior.

lulz. good luck (2)

girlintraining (1395911) | about 2 years ago | (#41018301)

There is a lot of great content and features on Facebook, and it's a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to set up campus-wide security/privacy policies for Facebook?

In a word, don't. Unlike adults, teenagers won't have any qualms about bypassing your filtering. They'll use proxies. Tor. Thumb drives with other operating systems on it. Mobile phones. Secret non-broadcasting wifi networks. No filtering software yet designed has survived more than a few months in a public school without leaving the server running it as little more than a smouldering carbon scorch mark on the floor.

If this were a corporate environment, you could count on the fear and paranoia of being fired. You have no such power over teenagers... and many of them would do it even if you threatened them with life in the electric chair, because teenagers do not have good judgement. Even if you ask them "Is that a good idea," and they reply, "No," they'll probably keep doing it. And if you ask them why, they'll give you about as good of an answer as randomly seeking to some point in addressable memory and reading out whatever strings may or may not be present.

My advice... turn off the internet, lock the systems down, bolt them to the tables, put epoxy in all the USB ports, remove the optical drives, put everything behind plexiglass (little fingerholes for the keyboards), load up your operating system of choice and lock it down as much as you can, and then maybe, just maybe... you have a chance.

Re:lulz. good luck (5, Interesting)

LateArthurDent (1403947) | about 2 years ago | (#41018363)

In a word, don't. Unlike adults, teenagers won't have any qualms about bypassing your filtering. They'll use proxies. Tor. Thumb drives with other operating systems on it. Mobile phones. Secret non-broadcasting wifi networks.

Honestly, that's almost a good argument for implementing filtering. It challenges bright people to come up with clever solutions. Then they'll grow up with an interest in computers and networking, as well as a healthy distaste for censorship.

Re:lulz. good luck (3, Interesting)

girlintraining (1395911) | about 2 years ago | (#41018769)

Honestly, that's almost a good argument for implementing filtering. It challenges bright people to come up with clever solutions. Then they'll grow up with an interest in computers and networking, as well as a healthy distaste for censorship.

Most people aren't bright, and for every person it fosters a love of exploration and challenge, it'll create fifty more who view it as normal and try to club the other kid over the head for trying to get them all into trouble. The best solution is not to censor at all, and to simply be open to the kids about what's okay and what's not, and why, and if they have questions to have role models they can talk to about it that won't judge them for being curious or looking. Telling a kid not to do something just makes them want it more.

My mom tried for years to get my sister to wear mittens and hats when it was cold out (this is Minnesota, where winters can and do kill people every year). She'd never let her go outside without them, and was generally overbearing on the matter. Then she went on vacation for a few weeks in January and little sister asked to go for a walk. I saw how she was dressed -- no hat, no gloves, and asked if she thought she was dressed appropriately. She said yes. I opened the door. 10 minutes into our walk, she started complaining about how cold she was. I kept walking. She whined and said she wanted to go home. I kept walking, reminding her she said she was dressed appropriately and I was going to hold her to that. Another 10 minutes goes by and now she's shivering, stuffing her fingers in her sleeves, her pockets, finally pulling her arms out of the jacket entirely so her hands could stay out of the cold. Her nose and ears were red, and she looked miserable. Another 10 minutes goes by and she's stopped whining now and limping along miserably. We get back in the house, and she doesn't take off the jacket or anything, just goes to her room, pulls the blanket over her head, and remains miserable. About 5 minutes later I came in and took her shoes and socks off (which had become wet), put dry ones on, and put an electric blanket on her feet to warm them back up. She was fine after that.

She's never left the house without a hat or gloves since. Lesson learned.

Re:lulz. good luck (2)

clockwise_music (594832) | about 2 years ago | (#41018411)

I disagree.

It is the original poster's intention to block inappropriate content. It is probably his duty to take reasonable steps to ensure that porn.com is blocked. If people want to go out of their way to deliberately bypass filtering then they can do that if they wish - but at least now they know that they shouldn't, and they should be held responsible for that.

what (0)

Anonymous Coward | about 2 years ago | (#41018321)

Either your organization agrees with facebook's content policy and you don't filter anything or you disagree and you block facebook. Why are you making this hard on yourself?

Also, you also didn't tell us exactly what kind of content on facebook you feel is inappropriate. Why are you making this hard on us?

My mom watches porn... (0)

Anonymous Coward | about 2 years ago | (#41018331)

So allow porn in your school?

More seriously... Just block Facebook, YouTube, and twitter. And then add some porn/warez filter.

Rules for filtering (0)

Anonymous Coward | about 2 years ago | (#41018333)

Remember that in order for auto-filtering to occur, content that should be blocked must be defined by a set of rules that the computer has the ability to interpret (i.e. you can block pages with a certain number or type of profanity words, but you can't block pictures with a certain content). Keep in mind that a transparent proxy may not be able to block SSL pages, and they are encrypted everywhere between server and client. You'll need client software on each computer to get around that limitation.

First, like any project, define scope. What filtering is necessary, and what is "nice to have"? If you had a choice between allowing Facebook 100% and blocking it 100%, which would you choose? Both of those are easy. Then decide if it's worth it to put in the extra work to block only 50% of it, and decide how to define that 50%.

Panopticon (1)

Megane (129182) | about 2 years ago | (#41018357)

The best way to filter is to make sure that their screens are easily visible to passers-by. Kind of hard to watch porn when your screen is set up nice and high where everyone can see it.

Re:Panopticon (0)

Anonymous Coward | about 2 years ago | (#41018487)

There was this kid at our school who always used the PC at the end of the room, reduced the contrast of his screen and tilted it away from the main viewing area of the room. He was suspicious as hell.

Good Kids (5, Insightful)

dark grep (766587) | about 2 years ago | (#41018377)

Many years ago I connected an Internet feed for a private girls school - a very conservative, christian, and very well respected one - in Sydney. During the setup I was talking to the Headmistress about if she had any concerns regarding the content the girls might access. I thought her response was particularly enlightened; her comment was something like 'Whatever you try to restrict will make them want to access it more, which they will do secretly and unguided. If we don't make any restrictions then it will never be a big deal, and anything they feel uncomfortable about they can discuss with their teacher. Good kids will know to do the right thing, and all our girls are good.'

If I had a daughter, I probably would have sent her to that school.

Re:Good Kids (2)

tibit (1762298) | about 2 years ago | (#41018871)

The nun is partly right, partly wrong. Yes, restrictions will exacerbate the problem. No restrictions, though, won't make the problem magically go away either. I mean, there *is* a problem to begin with -- that they'll run into porn, or whatever else passes for inappropriate content. Porn-wise, I think that kids who are raised in a home where nudity is no big deal will react appropriately: shrug it off, saying "so what, haven't you seen a naked guy/girl?!". Sex isn't exactly a visually engaging thing if you don't pay much attention to nudity to begin with. Up to a certain age, at least, I'd think. In homes where privates were verboten to see except by yourself in the mirror -- oh well, those will be the problem kids. There's no way to ensure, much less be sure of, "all our girls [being] good".

Simple (1)

blackcoot (124938) | about 2 years ago | (#41018391)

Until someone offers your boss a compelling case demonstrating the educational value of access to Facebook, you block all of it. The purpose of the computers is to be an aid to the school's educational mission.

Education (0)

Anonymous Coward | about 2 years ago | (#41018395)

Only educating the users would work. Explain how and why, then revoke user-IDs of the offenders.

Don't waste time and money on it. (2, Insightful)

Anonymous Coward | about 2 years ago | (#41018401)

This is not only the wrong message to children, it's also impossible to outsmart a teen who wants to get on facebook.

Untangle (1)

Anonymous Coward | about 2 years ago | (#41018407)

Untangle is a free, linux based web appliance. Its basic functions are free, but there are subscriptions you can buy to enhance certain areas. Put it on a machine with plenty of CPU and Ram, with 2 nics, and you got a bang up free web filter. I use it at a school of 1000+ students and teachers on an old HP DL3800 G3, and it runs the 20meg line just fine, not too much overhead.

You can't even trust Facebook the company... (2)

JK_the_Slacker (1175625) | about 2 years ago | (#41018413)

Given the utterly dismal record of Facebook the company when it comes to the privacy of its users, I wouldn't bother allowing access. Not only do you have your users to worry about, you have external Facebook users and Facebook itself - that sounds like a recipe for disaster to me. Aren't we due for a reset of our privacy settings to 'Everything shared with everyone' any day now?

Re:You can't even trust Facebook the company... (2)

tibit (1762298) | about 2 years ago | (#41018891)

Agreed. I don't see the value of Facebook on student-accessible computers. As for the teachers, they should have access to everything. Anything else would be stupid. It's an education of learning, you can't a priori decide that some things have no educational value. Besides, why on earth ban Facebook use during teacher's off time. I mean, give me a break, you already provide teachers with a lounge, perhaps a cafeteria, etc. Barring recreational internet access on school grounds makes no sense to me at all.

CIPA (0)

Anonymous Coward | about 2 years ago | (#41018419)

You need to start reading up on the laws that govern this for school including CIPA. There are also K12 Tech specific sites like www.tech-geeks.org [tech-geeks.org] that have forums and mailing lists where topics like this are discussed all of the time.

Just don't (0)

Anonymous Coward | about 2 years ago | (#41018421)

plug it in to the net.

The real question - how do you filter lunch? (4, Funny)

Chemisor (97276) | about 2 years ago | (#41018437)

There is a lot of great content and features in homemade lunches, and they are a great way to stay in contact with friends and enjoy eating, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more than should be shared, and not everyone follows proper nutritional and safety guidelines.

The solution is obvious: open a cafeteria on the premises and make it illegal to bring any outside food. This way total control over food quality and nutritional content can be achieved. Additionally, making the cafeteria highly visible uses public shame and humiliation to limit inappropriate activity, such as enjoying food.

If unsafe use of the internet is a concern... (4, Insightful)

fm6 (162816) | about 2 years ago | (#41018451)

... then your school should be teaching kids how to use the Internet safely. There just isn't any technology that will protect your kids from everything they might do wrong.

I suppose you have to block sites that would offend parents (though the kids probably know all about them) but relying on filtering software to keep your kids safe is abdicating the school's responsibility.

Re:If unsafe use of the internet is a concern... (1)

JOrgePeixoto (853808) | about 2 years ago | (#41018497)

... then your school should be teaching kids how to use the Internet safely. There just isn't any technology that will protect your kids from everything they might do wrong.

I suppose you have to block sites that would offend parents (though the kids probably know all about them) but relying on filtering software to keep your kids safe is abdicating the school's responsibility.

Kids aren't responsible enough for that. It makes sense to set up filters at home, and to ask the school to do the same.

Re:If unsafe use of the internet is a concern... (1)

Anonymous Coward | about 2 years ago | (#41018583)

Maybe trying to protect the kids is out of the schools' scope of responsibility, but what about protecting the schools' computers from malware?

Re:If unsafe use of the internet is a concern... (0)

Anonymous Coward | about 2 years ago | (#41018681)

Their parents don't use the internet safely, why should they? It's rather pompous how people underestimate the savvy of people born into a world with all this stuff sort of assumed. Normally it's the kids teaching the adults in this, in my experience.

Re:If unsafe use of the internet is a concern... (1)

fermion (181285) | about 2 years ago | (#41018993)

Yes, teach kids to use the internet, but we do not teach kids to ride a bike on the freeway.

Critical information is missing. What is the age of the kids, or are these young adults, and what do you want to accomplish by filtering?

If these are kids, say under 13, I think whitelists are absolutely appropriate. They are the only way to block proxy and https workarounds.

For older students ad blocking is basic, along with whatever policy states, be it violence, sex, shopping or hookups. Keep in mind that for most students these restrictions are more to cover the school's liability than to actually keep kids off these sites. Most will have smart phones, and increasingly these smart phones tether. That is why education is so important. You can't keep a 13 year old girl from trying to get a date with an older guy who has a car and cash. You can only educate.

For young adults don't even waste the time. Give them a workload that does not allow time to play and provide consequences for those who do not finish.

Employ a teacher! (3, Insightful)

multiben (1916126) | about 2 years ago | (#41018463)

Don't bother with the filters, stick all the computers in a supervised area and kick out any students who break the rules. Speaking as someone who is personally sick to death of being managed by dumb computer programs (time management and performance evaluating software), why not have a responsible adult present to help guide the students? An old fashioned notion I know, but they are at school after all.

Pfsense (0)

Anonymous Coward | about 2 years ago | (#41018493)

If you are looking to set up a proxy/firewall, take a look at Pfsense. It scales well and appliances can be purchased rather cheaply on the web.

*Raises hand* Oh, oh... I know! (1)

macraig (621737) | about 2 years ago | (#41018495)

Use the hosts file!

"Setup" is not a verb. (0)

Anonymous Coward | about 2 years ago | (#41018503)

Damn it. Learn to spell.

Worry about bandwidth, not content. (1)

Animats (122034) | about 2 years ago | (#41018531)

Worry about bandwidth, not content. Find some way to throttle video streams based on bandwidth. That will discourage watching porno and videos, and keep the upstream link from becoming choked.

Let the parents deal with it (1)

trentfoley (226635) | about 2 years ago | (#41018537)

Make each student install a proxy on their parents' internet connection and give the student access to the proxy from school. All other internet access is blocked. If the parents will not allow the proxy, the student will not have internet access at school.

I'm only half joking

It's a race... (2)

sillivalley (411349) | about 2 years ago | (#41018545)

And it's a race you will lose, should you choose to enter.

But if you really want to play -- take a look at Untangle (http://www.untangle.com) for a Linux-based appliance (free versions available) that will do other things such as spam filtering, basic AV, and more. Paid modules (inexpensive) let you add web caching, which cuts down on traffic, especially when you have a bunch of kids in a computer lab accessing the same web resources. So you can solve the problem for the hard-connected machines that are fairly well locked down individually.

But in the end, it's a pain in the ass. My wife is a middle school teacher, and she complained about their school's filtering "solution" keeping her from researching and accessing useful sites until my son reconfigured her laptop to use a proxy that he and some friends run so that they can get around school filtering solutions...

Set expectations early and often -- you will be able to block most of the kids (and adults). Some will always get around the barriers you put in place, often just for the sport of it.

Unless you set expectations, you will successfully block things for 598 students -- 2 will get through and you will be castigated as a FAILURE.

Still want to play the game?

You have people to please... (1)

couchslug (175151) | about 2 years ago | (#41018563)

Your bosses and the parents of your students, whose desires are expressed to your bosses.

Ensure you don't own the decision.

The purpose of filtering is to demonstrate you have filtering.

After your bosses define what they want, give it to them as best you are able but get it in writing (spieling that it protects everyone to do it that way). Have a written AUP, etc.

Not ethical; don't censor (0)

Anonymous Coward | about 2 years ago | (#41018577)

The only right thing to do is not censor. Censorship is wrong and your ethics should not be forced onto the students.

The only way (0)

FreakyGeeky (23009) | about 2 years ago | (#41018589)

Fuck you, that's how.

Go with an appliance (0)

Anonymous Coward | about 2 years ago | (#41018609)

I re-evaluated my work's network filtering solution a couple years ago. The best class of solutions at the time were dedicated network appliances. There are a lot of vendors in this category. I liked iBoss and Barracuda the best. At the time we had a solution from 8e6 technologies and it wasn't dealing with the bandwidth that we had. At the end of the day I went with iBoss because they gave us development support to add some new features. Something that just didn't happen with any other vendor we were talking to. The box is pretty solid. No issues in 3 years and it has all of the features that I needed (blocking the bad stuff, logging everything and cross platform SSO). Also, no issues with ~1800 users. That said the Barracuda wasn't a bad solution either and I have a friend who implemented one for his organization. For what it's worth the iBoss was a bit cheaper.

If you don't want to go that route there is always Untangle [http://www.untangle.com/] and the like.

Hope that helps!

close everything (0)

Anonymous Coward | about 2 years ago | (#41018645)

and do not let them access so called "social" networks. if you do that you open yourself up for liability.

Verbs vs Nouns (-1, Offtopic)

Snowdog (3038) | about 2 years ago | (#41018649)

It's set up — two words.

Setup is a noun. Set up is a verb.

(Sorry — my grammar-ness finally got the best of me.)

They shouldnt have facebook accounts (1, Informative)

headhot (137860) | about 2 years ago | (#41018655)

I'm assuming it's not a university or a college. If that's the case you need to be 18 to have a Facebook account according to their ToS. So, no kids should need to get to Facebook.

Re:They shouldnt have facebook accounts (0)

Anonymous Coward | about 2 years ago | (#41018875)

13. Their ToS directly reflects the legal guidelines about collecting information about children.

https://www.facebook.com/help/parents

Re:They shouldnt have facebook accounts (1)

nickb64 (1885128) | about 2 years ago | (#41018903)

I'm assuming it's not a university or a college. If that's the case you need to be 18 to have a Facebook account according to their ToS. So, no kids should need to get to Facebook.

I just looked at the ToS, you have to be at least 13, which many, if not all, 8th graders would be. This is per the Registration and Account Security section, line 5.

Re:They shouldnt have facebook accounts (0)

Anonymous Coward | about 2 years ago | (#41018905)

I'm assuming it's not a university or a college. If that's the case you need to be 18 to have a Facebook account according to their ToS. So, no kids should need to get to Facebook.

From the Facebook Website [facebook.com] :

          What is the minimum age required to sign up for Facebook?
          In order to be eligible to sign up for Facebook, people must be 13 years of age or older.

The IT guy does not make policy decisions. (1)

westlake (615356) | about 2 years ago | (#41018675)

If you have nothing more to say than "Don't Filter A Thing," you waste his time and ours. It is not his decision to make.

The small non-profit school won't have the money to hire extra staff simply to monitor whatever passes for a computer lab. The geek may not like the idea, but a filter will have to carry part of the load.

blotto box (0)

Anonymous Coward | about 2 years ago | (#41018739)

Locate Facebook's main data center (Prineville, OR ?), and find the nearest electrical relay (big green thing). Hook up Honda generator. Run. Run fast. Done.

Wrong from the get-go (1)

dfetter (2035) | about 2 years ago | (#41018753)

Your assumption that content people might find--Facebook or elsewhere--is more harmful to them than a censorship policy just handed down to them--is false. This is your chance to confront the people asking you to implement the policy with a couple of questions:

1. Given all the ways people get uncensored internet even under autocratic regimes where the penalties are brutal, what makes you think any censorship policy could work?

2. Which feasible projects are you willing to divert resources from in order to tilt at this windmill?

Don't let them answer 2. until they've got 1. well in hand.

Leave it to the mothers (0)

Anonymous Coward | about 2 years ago | (#41018831)

You could just set up per-user VPNs that go through their individual home networks. If the parents want to filter, let them do it. Give them a grace period when the student registers or starts. If the parents don't opt-in and provide the home VPN after the deadline, that child browses unfettered.

How old are these kids? (4, Informative)

dacut (243842) | about 2 years ago | (#41018845)

If they're under 13 (elementary and middle school age range), they're not allowed to access Facebook due to their terms of service and (in the US, at least) COPPA.

From Facebook's terms of service [facebook.com] :
You will not use Facebook if you are under 13.

This is due to the Children's Online Privacy Protection Act [wikipedia.org] , which requires verified parental consent before children can provide information to the website. While this does not impact you directly (that is, the FTC isn't going to knock on your door), you could get some heat from parents or administrators for allowing it at all.

Personally, I think the law is too draconian, but I wouldn't put my position in jeopardy to protest it.

PfSense + DansGuardian + OpenDNS + Unbound DNS (4, Informative)

Anonymous Coward | about 2 years ago | (#41018847)

Use PFsense with Squid Proxy WAN object caching and DansGuardian (with the paid list updates) and on top of that, OpenDNS filtering.

OpenDNS will help with malware prevention and botnet computers.

Use Unbound forwarding to pull OpenDNS but also locally cache DNS entries for faster response times.

Block DNS port 53 from exiting the WAN from anything but the pfsense proxy to prevent circumvention of your local proxy.
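
An added example, not part of the comment above or of pfSense itself: one way to audit whether the "only the proxy may send port 53 out the WAN" rule is actually holding, run over constructed flow records. The resolver address, the LAN range and the simplified `action,proto,src,dst,port` record format are assumptions made for illustration.

```python
"""Audit outbound DNS flows against the rule
"only the local proxy/resolver may send port 53 out the WAN"."""
import ipaddress
from collections import defaultdict

# Assumptions (hypothetical values, not from the original comment).
RESOLVER = ipaddress.ip_address("10.0.0.1")   # the pfSense/Unbound box
LAN = ipaddress.ip_network("10.0.0.0/16")     # campus address range

# Constructed sample records: action,proto,src,dst,dst_port
SAMPLE_LOG = """\
pass,udp,10.0.0.1,208.67.222.222,53
pass,udp,10.0.3.17,10.0.0.1,53
block,udp,10.0.3.44,8.8.8.8,53
pass,tcp,10.0.5.9,8.8.4.4,53
pass,tcp,10.0.3.17,203.0.113.10,443
block,udp,10.0.3.44,1.1.1.1,53
garbage line
"""


def audit_dns_egress(log_text, resolver=RESOLVER, lan=LAN):
    """Return (leaks, attempts).

    leaks    -- list of (line_no, src, dst, proto) for external DNS flows
                the firewall PASSED from a host other than the resolver;
                each one is a hole in the rule set.
    attempts -- {src: count} of external DNS flows the firewall BLOCKED;
                the rule works, but the client is configured (or trying)
                to bypass the filtered resolver.
    """
    leaks = []
    attempts = defaultdict(int)
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue                      # skip malformed records
        action, proto, src, dst, port = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue                      # skip unparsable addresses/ports
        if port != 53 or proto not in ("udp", "tcp"):
            continue                      # not DNS on the classic port
        if dst_ip in lan:
            continue                      # query to the local resolver: fine
        if src_ip == resolver:
            continue                      # resolver forwarding upstream: allowed
        if action == "pass":
            leaks.append((line_no, src, dst, proto))
        else:
            attempts[src] += 1
    return leaks, dict(attempts)


if __name__ == "__main__":
    leaks, attempts = audit_dns_egress(SAMPLE_LOG)
    for line_no, src, dst, proto in leaks:
        print(f"LEAK line {line_no}: {src} -> {dst} ({proto}/53) was passed")
    for src, count in sorted(attempts.items()):
        print(f"bypass attempts blocked: {src} x{count}")
```

The TCP record in the sample is deliberate: a rule set that blocks only UDP port 53 leaves TCP port 53 open. The rule and this audit cover port 53 only; DNS carried over TLS (port 853) or HTTPS is outside what they see.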

Duty of Care? (1)

MF4218 (1320441) | about 2 years ago | (#41018867)

Forgive me if I'm wrong, but does a school not have a duty of care towards the students - and thus all mature and most social media sites should be blocked, not just to prevent access by the majority, but to avoid offending the minority who might see over another student's shoulder?

Also I hear a lot of "have the computers facing the teacher" comments, but nobody is discussing one-to-one laptop programs where the screen is a lot easier to hide.

Different filters for different locations (0)

Anonymous Coward | about 2 years ago | (#41018885)

While it's not clear from the OP what the age range is, assuming K-12, I would suggest different classes of filters for different computers/connection types. I don't like filters, but begrudgingly consider them a necessary evil in schools. At best, they prevent accidental access to "material nobody's mother should see", and at worst, they either try to enforce a particular brand of ideological puritanicalism or create a false sense of security and oppressive environment students will rebel against. If your organization is hellbent on imposing a particular world view based on some strict religious definition of morality through filters, I hope you fail miserably.

Soap-boxing aside, age ranges and how public the computer is are the main factors that determine how strictly you should filter. Your public computer labs are easily monitored by having a staff member present, and the knowledge that the screen is visible to others in the room should be sufficient to prevent misuse. Filters for the lab should therefore be tailored to prevent accidental access to obscene material and malware, otherwise students should be able to access almost anything in a controlled setting.

Less public locations are the real problem if this is a K-12 environment. Honestly, I'd completely block social media on any computer that isn't constantly watched as part of a lab environment, particularly if the location of the computer is relatively secluded. The harder it is for a staff member to approach from behind without the chance for the student to alt-tab or alt-f4 their way out of something they shouldn't be accessing, the more restrictive that computer's internet access should be. If your school offers Wifi access to students, this should probably default to being the most restrictive form of connection in the school. Access to social networking, private email accounts, and the like should be broadly blocked from poorly supervised computers. If email is part of the instructional program, it should be with school provided email accounts which have no expectation of privacy - if students have social network profiles or private email accounts they can access them in a public lab if you permit that or from home where it's not your problem.

Staff members should be able to override filters on a case by case basis for students. If this capability is provided, I highly recommend you set it up so that the way it works requires that the teacher or other staff member add exceptions from their desk and never from the student's computer. Exceptions by most staff members should be temporary and confined to their area of responsibility with the ability to request review by the administrator for a longer term exception - i.e. a teacher should be able to unblock Facebook for the day in their classroom in order to use it for a lesson, but not for the whole school.

Also important, assuming you are dealing with K-12 students, you should monitor students' computer use, you should be up front about such monitoring and its extent, and you should follow up on it.

You should also strongly consider talking to your institution's lawyers about some sort of permission form/disclaimer to be sent to parents stating the extent and limitations of filters. IANAL, but it probably needs to spell out that filters are never perfect, and that the administration is making a best effort, but can't guarantee the ability to foresee everything harmful that might exist on the internet. Ultimately, a lot of online safety is not filtering, but educating children to be smart online and protect themselves.

Legal liability is pretty high for filtering (1)

tlambert (566799) | about 2 years ago | (#41018909)

If you implement filtering, then the first time "something bad" gets through, be prepared to be the fall-guy.

Air gap. (1)

CrAlt (3208) | about 2 years ago | (#41018975)

Don't waste your time with filtering. It will just make the kids want to see the "blocked" sites more. Anything you do a kid can get around in no time. If the kids are under 18 then it should be the parents' call on whether they are on FB or not. The teachers can surf on their own time OFF the clock.

Just put the modem in a locked closet or the principal's office with an on/off switch. When you need to get online to download software or access some educational site you can turn it on just for that.

There is a lot of great content and features on Facebook,

Oh my sides. Please! Stop!

and its a great way to stay in contact with friends

This doesn't need to be done in class or at work.

How to best filter facebook? My experience?totally (1)

agoodm (856768) | about 2 years ago | (#41018983)

Among managing IT for approaching 100 users I run the internet filter for a youth group. We provide free internet terminals for them to use. We used to score pages on Facebook, MySpace, Bebo etc. based on keywords. We need to allow https traffic for various reasons. Facebook are now pushing their user base towards https for profile pages to prevent various cookie hijack based attacks; this means we can't effectively filter their traffic, therefore I have suggested it should be entirely blocked. You can't filter https.

pfsense (0)

Anonymous Coward | about 2 years ago | (#41019053)

www.pfsense.org Setup squidguard. Easy, fast and with carp you can put in two for failover.
