Home Computing Teaching Bushcraft Games Writing About
More tools to combat cyberbullying
Hat tip to our fantastic elementary school integrator, Cheryl Bohn, who found this great news, http://mashable.com/2011/03/10/facebook-anti-bullying/ .
From the article:
Facebook is announcing a new suite of tools to protect users from bullying, foster a stronger sense of community in the social network, and “create a culture of respect” among Facebook users.
Facebook’s latest changes boil down to two main aspects: an improved safety center with more multimedia resources, and better, more social tools for reporting offensive or bullying content.
You can see the Facebook parent and teen safety center by clicking the links below.
disabling private browsing: a pain in the neck
I was working with some parents last night discussing internet safety. These parents had children in our elementary school (ages 6 to 11).
Parents want to know where their tweens are going online, and were shocked to learn all major browsers support private browsing. Of course, we discussed putting the computer in a public place, making an agreement with your child, looking for furtive gestures, etc… But part of being a good digital parent is snooping.I know, kids can install a USB-based browser, or revert your changes, but all kids aren’t as savvy.
If you are on a public terminal, I can see the utility of private browsing, but for the cases of home computers, the only reason I imagine private browsing exists is to look at adult sites.
I have discussed filtering at the router as a great solution, but many parents simply don’t have the technical skill, time, or inclination to set that up.
The options for disabling private browsing are a pain in the neck, more technical than filtering at the router, and in some cases may actually break the browser, but for the curious:
Disabling private browsing in Safari
Looks like you actually can’t disable private browsing in Google Chrome
How to disable private browsing in Internet explorer
How to disable private browsing for Opera
All of the solutions above are highly technical. For a slightly better solution parents might want to check in with open DNS.
Parents: your kids will probably see these movies soon. Beware.
Looks like the fine gents at the lonely island have released another chart-topper for the Christian charts! This one is entitled “I just had sex” (vid here). The Lonely Island is a comedy troupe who, among other things, creates these funny videos. The videos often have inappropriate language, racy themes, and pretty much everything disdainful and horrible to well-adjusted parents of young children. The same comedy troupe made a very popular video (over 30 million combined views) entitled “I’m on a boat” (vid here). Again, inappropriate for young kids, and certainly questionable for teenagers.
This video has been viewed 30 million times, and there is a pretty good chance your kid has seen it, will see it, or will soon hear about it, and then watch it.
So what should you do?
I suggest you talk to your kid about their internet use, create clear expectations of behavior, and be aware these videos are around. As always, we prefer a proactive approach to computer issues rather than reactive.
Parent technology partnership is filtering at the router
Last week, a parent installed some internet filtering software on his son’s school-owned computer. His son is 11 years old, and has just started discovering, you know, the internet that 11 year old kids find. Unfortunately, the software the dad installed conflicted with our pre-installed AV software, Kaspersky. The son, perhaps being less than 100% honest, told us he needed to install some printer drivers. Normally students can do this without any intervention on the part of IT. However, we noticed we couldn’t install the software.
After spending the requisite 15 minutes trying to install the software, we realized we couldn’t get around the dad-installed software, so we re-imaged the machine. The son came back a day later with a clean machine, the printer drivers installed, but no dad-installed software.
The dad is, quite understandably, pissed. Our current blocking strategy is to restrict DNS queries to our internal DNS or to an outside DNS service (openDNS). We block any DNS queries that don’t go to one of our approved dns servers. Inside our school, we feel fairly comfortable that “joe average student” can’t access unauthorized content. Even so, we monitor network traffic carefully. But outside of school, students can change DNS settings and access inappropriate content (for a whole lot of reasons we grant student admin access on their laptops, so we can’t easily block access to dns settings).
What could we do differently, better?
I think the real challenge here is how can we support parents to block according to their standards? Some families will want very strict blocking, and some not at all. My take on this is to help parents understand how to use router-based filtering. Unless you child connects to another unsecured wireless network, the best place to block is at the router.
Next up: a list of resources to help parents control their wireless connection
On Gawker and Passwords
Looks like Gawker was hacked. I’m not a “gawker” guy, but I am a lifehacker reader. And, in 2008, I left a comment about my favorite RSS reader. And, after downloading the torrent, I saw my password and email. I’m sure this will be indexable by google in a few days. I guess they didn’t store the passwords securely. oops.
I’ve been using the interwebs since AOL and 2400 baud modems, and this is the first time I’ve been aware of being compromised. Thankfully, I used my normal stupid web password, and not one of my stronger passwords. However, I will now be searching for my username and changing my password whenever I see it pop up. I’m also using a new easy-to-remember web password.
Of course, the moment lifehacker lets me delete my account, I will.
On blocking and banning and somesuch
On blocking and banning and somesuch
I've never liked the idea of blocking or filtering. My students will be living in a digital world; they need to learn how to communicate in it. They need to learn digital literacy. Basic skills in being safe, appropriate communication, boundaries, the commercial aims of many social networking sites. They need to learn how to be in a digital world.
I don't think filtering or blocking helps students learn, I think it actually prevents them from learning how to live and learn in a digital world. I understand as a school, we have a duty to keep students safe; we also have a duty to teach them. Herein lay the balance schools must maintain.
We /do/ block sites that are unquestionably bad - adult, openly illegal*, violent, and sites that could harm your computer. But many sites are not unquestionably bad; nor are they unquestionably good. And this is where we need to tread carefully.
One other point: it is not impossible to bypass filters. Kids are rather clever about getting around these things, and with the rise of handheld smartphones, schools can do very little to prevent a student from logging onto facebook, posting a picture or movie, or accessing the internet.
I dont thing removing access is a good thing.
What's good about facebook
Facebook is popular. The Whitehouse has a facebook page, the UK Parliment, every major political candidate has a facebook page, every major corporation hasd a facebook page. Any social cause you can think of has facebook page. Colleges and Universities use facebook to communicate and stay in touch with applicants and students. Teachers use facebook because it is so easy to communiate with their students (teachers should use a separate facebook account, though). Many teachers report joy in staying in touch with their students over the years.
Let me repeat: facebook is so popular because it is easy to stay in touch and communicate. It is a major vehicle for communication and collaboration.
But it's not all good, is it?
Facebook can distract students from learning (unless you are learning something on facebook). Facebook has numerous add-on and games that can distract students from work. There are privacy concerns related to facebook. There are add-ons and modules to facebook that make it easy for kids to say very hurtful things to each other. If a student exercises poor judgement, they can be quite embarassed. Fads, half-truths, and even lies can be very quickly passed around to a large group of people.
Not all that different from doodling on a piece of paper or a bad day on the playground.
What should schools do?
Schools need to engage in a genuine partnership with parents. We need to educate parents about the internet and technology. We need to share what we see and hear. We need to share our professional expertise with parents and help them make wise decisions about technonology and their kids.
But I don't think we should think of ourselves as parents. I think we should think of ourselves as teachers. Hard lines need to be drawn in the world, but you need to be careful when you draw them. Our job is to develop kids, to support them and to encourage intellectual curiousity and learning. I'm not sure completely blocking access to a popular site fits into that model.
Where can parents look for help?
Click here for Google's family internet safety.
Click here for Microsoft's parent safety guide.
Click here for Facebook safety tips for parents
Click here for the Child Exploitation and Online Protection (CEOP) Centre
Click here for netSmartz
* even this is tricky; is blocking a site which protests against a law appropriate? If we looked at some legalize marijuana sites, we would see advocating marijuna. Should we block that?
Really? Microsoft? Do you really write such bad code?
This Tuesday, October 12th, I'm going to have over 600 machines downloading a patch so big that Microsoft needed to warn system administrators about it.
Massive Link here and here's the PDF in case Microsoft wants us to forget this ever happened.
So now I need to buy a Windows update server so I can serve my updates internally. I'm going to have to pay for an update server and manage it; can someone please explain this whole "macs are more expensive" things to me again?
Important Online Safety Technology Working Group report
Please click here for PDF of the Online Safety Technology Working Group internet safety report. Really good stuff.
Why I love Linux:
I was doing some simple system administration yesterday, and realized someone (most likely a bot) was targeting my server.
1. more /var/log/auth.log revealed several lines that looked like this:
Failed password for invalid user user from 188.8.131.52
2. so I tried grep invalid /var/log/auth.log which revealed this:
Feb 1 20:57:06 grue sshd: Failed password for invalid user oracle from 184.108.40.206 port 39871 ssh2
Feb 1 20:57:10 grue sshd: Failed password for invalid user oracle from 220.127.116.11 port 40085 ssh2
Feb 1 20:57:14 grue sshd: Failed password for invalid user oracle from 18.104.22.168 port 40337 ssh2
Feb 1 20:57:18 grue sshd: Failed password for invalid user oracle from 22.214.171.124 port 40555 ssh2
Feb 1 20:57:26 grue sshd: Failed password for invalid user admin from 126.96.36.199 port 40958 ssh2
Feb 1 20:57:30 grue sshd: Failed password for invalid user admin from 188.8.131.52 port 41160 ssh2
Feb 1 20:57:34 grue sshd: Failed password for invalid user admin from 184.108.40.206 port 41357 ssh2
Feb 1 20:57:38 grue sshd: Failed password for invalid user admin from 220.127.116.11 port 41559 ssh2
Feb 1 20:57:41 grue sshd: Failed password for invalid user admin from 18.104.22.168 port 41749 ssh2
Feb 1 20:57:45 grue sshd: Failed password for invalid user admin from 22.214.171.124 port 41917 ssh2
Feb 1 20:57:49 grue sshd: Failed password for invalid user admin from 126.96.36.199 port 42119 ssh2
Feb 1 20:57:53 grue sshd: Failed password for invalid user admin from 188.8.131.52 port 42321 ssh2
Feb 1 20:57:57 grue sshd: Failed password for invalid user admin from 184.108.40.206 port 42511 ssh2
Feb 1 20:58:01 grue sshd: Failed password for invalid user test from 220.127.116.11 port 42721 ssh2
Feb 1 20:58:04 grue sshd: Failed password for invalid user test from 18.104.22.168 port 42924 ssh2
Feb 1 20:58:08 grue sshd: Failed password for invalid user test from 22.214.171.124 port 43093 ssh2
Feb 1 20:58:12 grue sshd: Failed password for invalid user test from 126.96.36.199 port 43291 ssh2
Feb 1 20:58:16 grue sshd: Failed password for invalid user test from 188.8.131.52 port 43489 ssh2
Feb 1 20:58:20 grue sshd: Failed password for invalid user test from 184.108.40.206 port 43700 ssh2
Feb 1 20:58:24 grue sshd: Failed password for invalid user test from 220.127.116.11 port 43889 ssh2
Feb 1 20:58:28 grue sshd: Failed password for invalid user test from 18.104.22.168 port 44092 ssh2
Feb 1 20:58:32 grue sshd: Failed password for invalid user anda from 22.214.171.124 port 44295 ssh2
Feb 1 20:58:36 grue sshd: Failed password for invalid user jb from 126.96.36.199 port 44493 ssh2
Feb 1 20:58:40 grue sshd: Failed password for invalid user cvsuser from 188.8.131.52 port 44679 ssh2
Feb 1 20:58:45 grue sshd: Failed password for invalid user cvsuser1 from 184.108.40.206 port 44885 ssh2
Feb 1 20:58:49 grue sshd: Failed password for invalid user mana from 220.127.116.11 port 45087 ssh2
Feb 1 20:59:01 grue sshd: Failed password for invalid user vicky from 18.104.22.168 port 45713 ssh2
Feb 1 20:59:05 grue sshd: Failed password for invalid user setup from 22.214.171.124 port 45927 ssh2
Feb 1 20:59:09 grue sshd: Failed password for invalid user setup from 126.96.36.199 port 46143 ssh2
Feb 1 20:59:14 grue sshd: Failed password for invalid user print from 188.8.131.52 port 46359 ssh2
Feb 1 20:59:17 grue sshd: Failed password for invalid user print from 184.108.40.206 port 46580 ssh2
Feb 1 20:59:21 grue sshd: Failed password for invalid user raul from 220.127.116.11 port 46773 ssh2
Feb 1 20:59:25 grue sshd: Failed password for invalid user user1 from 18.104.22.168 port 46983 ssh2
Feb 1 20:59:28 grue sshd: Failed password for invalid user user from 22.214.171.124 port 47173 ssh2
Feb 1 20:59:33 grue sshd: Failed password for invalid user user from 126.96.36.199 port 47370 ssh2
Feb 1 20:59:37 grue sshd: Failed password for invalid user user from 188.8.131.52 port 47584 ssh2
3. Looking at the time stamps, it certainly seems like a normal “guess the user, guess the password” attack. Out of curiosity, I poked around for information about this IP address. Oh look! China!
Location of the IP address
Hangzhou in China.
This IP address is also on several blacklists for brute forcing attacks (of which this is one)
4. Now it simply a matter of blocking this IP address:
iptables -A INPUT -s 184.108.40.206 -j DROP
5. And of course, consistent monitoring and REALLY STRONG PASSWORDS!
Google security whitepaper for schools
One of the reasons we haven’t switched to google applications is because of our concerns about security and data ownership. I’d like to move us into the cloud, but these concerns are legit. In the “yea, google is ok” corner, Google has released the shortest whitepaper in the history of whitepapers to help assuage our fears that a monster is going to eat our student data.
Twitter and the same old passwords - I’m guilty of this also.
Looks like the nice folks at twitter got bit by a hacker. They report the problem stems from a twitter employee who the same password on different systems.
Oh man, I am so guilty of this.
I basically have three passwords I use for all services (including hosting!). After reading the twitter post, I am starting the process of changing my stuff. I’m thinking of something like:
Get the idea? Maybe I should just rotate my passwords more frequently.
Some equipment went missing at my school - discovered today (Monday), after a school vacation. It’s a pity. We have an inventory of the computers serial numbers, MAC addresses, etc, etc, but it doesn’t help our kids.
Times like these I find myself asking, what could we have done differently? The machines are secured - admin passwords are good, there is an admin password on the bios, so it won’t be easy to start from a CD or USB stick. We had them locked in a cart. I just don’t know what we could of done differently. Maybe change the combination lock password more often? Who does this? We recently had inventory management come - thank God -
I know there are stolen laptop programs but when we buy 30 laptops at a time, and we are pinching every penny, this is the sort of thing that gets cut. I’m investigating adeona as we speak.
Internet and computer safety often focuses on the risk of meeting a stranger online and being physically attacked. There is no doubt this danger exists, and our children need to be very careful about the sort of information they put online. The most important rules of internet safety must always be: don’t talk to strangers and don’t put highly personal information about yourself online. A helpful reader has added that stranger abductions are quite rare, more often children voluntarily agree to meet some stranger somewhere. This also must be pushed into the mind of our kids - Never, ever agree to meet someone you met online. It’s just not safe.
While being attacked is the most serious threat online, our teenagers also face:
Here is a list of topics you could discuss with your students in an effort to support them being safe online.
1) What happens online, stays online, for a long time. sometimes it is difficult to erase a comment, picture, or forum post. Are you putting stuff online you would be embarrassed about 5 years from now? Are you writing anything that might reflect poorly on your character?
2) Some online social-networking sites such as myspace aren’t easy to secure - personal details and photographs are readily available for anyone to see. Do you have a myspace page? Mind if we take a look at it together? Is there anything online that could be used to identify you to strangers?
3) Our teenagers have a hard time understanding that something they put online can be visible to anyone anywhere. Let’s google your name and see what pops up. Who do you think looks at this information? How would you feel if a complete stranger looked at this information/image?
4) A special word about facebook. Facebook is a social-networking site like myspace with a very important difference; it’s invitation only. This means only people who a student knows are accepted as a “facebook friend”. However, there are “groups” in facebook which may have people a student does not know. Teens should be careful about what they write on facebook, and what they include on their facebook profile. Facebook users have a wall, which they can use to send messages back and forth. Let me see your facebook page. who are your facebook friends? do you belong to any facebook groups? Who last wrote on your wall?
5) The internet has opened up a new avenue for airing frustrations and arguments with peers. These arguments can often turn ugly, and teens can be harassed or bullied online. It’s important to talk about online bullying as you would talk about bullying in school; forthright and clear. Have you ever felt bullied online? How do you respond to online harassment? You know you can always talk to me about this stuff, right?
Here are some specific steps you could take with your students to help encourage safe computer use:
1) Put computers in public places (not in a bedroom)
2) Adopt an open door policy for discussing computer habits
3) Look for furtive gestures. If your teen quickly closes, moves or minimizes a window, ask them to show you what they are doing.
And finally, some common sense:
This internet thing is new for many parents. I think we need to teach our kids how to live in a digital world safely. I recommend against completely shutting off the internet or computers, and instead, take an active role in your child’s internet and computer use. Part of being a parent is being nosey. Talk with your teenager about computers and internet safety.
Security and the absense of reason
I had (am having) an interesting conversation with my supervisor. Several Elementary school teachers have expressed concerns that their computers (Windows XP) are locked down to tightly - that they cannot install trivial peripherals, try new software, etc…
My position in our conversation is that a few trusted users should be granted power-user privileges. It strikes me as asinine that computers are put into a teachers room, and then so locked down that the teacher cannot use them! This is a classic fear-based response to network management, and qualifies as a “think-about-what-is-easiest-for-the-network-administrator-and-not-the-teacher” error. As I’ve mentioned before on this blog, there is a connection between how a teacher feels about technology and how the teacher implements technology.
Should a network be wide-open, with full administrator access to everything? no. Should a school be skillfully managed, balancing the needs of the users versus the needs of the organization? Yes. It makes me crazy when this happens in schools…what if we said to our kids…here is a computer, but you can only do 5 things with it…don’t bother exploring, or engendering curiosity… it’s better for everyone if the device just sits there, locked down.
Of course, these are windows machines, so some extra effort must be taken to keep them safe. But when security locks down a machine so much a user can’t explore it or use it, or try anything new, it’s an object-lesson in frustration.
Allow trusted users limited administrative access so they can experience the joy of trying something new in the teachable moment - the moment when they see something and want to try something, curious, motivated, and engaged.
Educational Network Security - part 2
What is security?
The process of ensuring confidentiality, integrity, and availability of computers, their programs, hardware devices, and data (source).
- Making sure everything works
- Ensuring data integrity
- Only allowing authorized users to access data and resources
- Keeping physical hardware safe
- Ensuring data is keep private
Just a short list, I know. I suppose it could be shortened to “keeping stuff safe”.
Where is the best place to implement?
The best place to implement security is low on the OSI chain. Routers, switches, and network-level devices are an excellent place to start. These devices control communication, and are an excellent way to secure a network. All the other layers are important as well, but security without the low level stuff really isn’t secure, is it?
Before an attack of infection happens, what is happening on our network? With the right tools, we can analyze traffic, and sniff packets in and around our network. We use router and switch logfiles to see from what MAC address is traffic originating from, shape traffic, prioritize traffic, etc… This has the double advantage of being able to optimize our network, and troubleshooting problems as they arise. You also have a history to look back on when diagnosing problems.
After something like this happens, we need to gather as much information as possible. I ask who, what, when, why, where and how, applying each question to the issue at hand. I pay attention to disease vector (how did the virus spread, where did it start).
Of course networks and computers need to be secure. But if this security comes at the price of usability, it doesn’t make sense, does it? I have seen corporate-types lock down a computer to the point of it being unuseable! I suppose we could build a metal box around a PC, unplug it and proudly exclaim, “She’s Secure, Sir!” This leads us naturally to…
Multiple layers of security
The thinking of “stopping them at the beachhead” is good, but doesn’t really work in a very dynamic network. Yes it is important to block as much as you can as it comes into your network, but it is equally important to keep each node protected - updated, current anti-virus, etc…
Moreover, it is important inside the organization to block unknown IP addresses, MAC addresses, and require authentication inside the network. Using an authentication server adds a degree of control to the network and creates a virtual paper trail should there be an issue.
Educational Network Security - part 1
Having spent the majority of my professional life in an OS X environment, moving to a Windows-based school was quite an adjustment. However, over the last few months, I have been managing with the overall, basic functionality of Windows. It certainly doesn’t have the same ease of use; and I note the included windows software is light-years behind what is available for OS X.
So last Friday we noticed the school network was sluggish, and then about noon, we had many faculty members reporting pop-ups on their computers. About 30 or 40 minutes later, we had a call from the college, telling us a virus was port scanning everything in site. We have a pretty standard Windows layout - ghosted machines, anti-virus corporate edition with updated definition files, and we use a fortress-like tool to secure our labs. We have a competent network administrator, and a strong IT team.
Still, though, the sad thing is only one computer on a network needs to be unsecured for the entire system to fall like dominos. It is, actually, a rather classic manifestation of malicious software infestation.
We disabled all incoming and outgoing traffic to our school, and started the painful and arduous process for reissuing passwords and scanning every single machine in the school. Some machines will need to be re-ghosted, and anything saved locally will be erased.
The downtime looks to be moderate (a few hours if we are lucky), but it is a massive pain the neck. Fortunately, it gives me a few hours to write this series of articles about educational network security. I’ve been meaning to do this for a while.