[K12OSN] dansguardian filter

Chuck Kollars ckollars9 at yahoo.com
Sat Sep 8 06:08:57 UTC 2007

We use DansGuardian(&Squid) at our building, which
contains both a middle school (6-8) and a high school
(9-12) for a total of ~1100 students. At the
elementary schools (K-5) in this same district we use
IPCop. Under the covers the current version of IPCop
uses a preconfigured DansGuardian. It's settings are
about right for elementaries, but would be quickly
hooted down if we tried to implement them at the high

(We _also_ use firewalls at all schools. Web Filtering
by itself can't provide adequate security. No matter
what you do, don't throw out your firewall. Run
DansGuardian _together_ [or if necessary
_in_parallel_] with a firewall.) 

One thing that DansGuardian can do easily is have
different "classes" of restrictions for different
computers (or even for different individual users if
you're techie enough to deal with NTLM:-). I find the
needs and expectations of younger students are very
different from those of older students. If I was
handling a building with K-8 all in one place, I'd set
up a couple (or maybe even three) different
DansGuardian filter classes, then assign the computers
in the lower grade classrooms to one and the computers
in the upper grade classrooms to the other. Common
facilities like libraries might be the tricky part of
this approach. For those, having an automagic script
move computers from one class to the other at
different times of day might be a solution. 

(Squid alone could very conveniently handle all the
time-of-day restrictions. You'd just have to configure
it once then you could completely forget it. And Squid
can handle blacklists too [although not quite as
conveniently as DansGuardian]. Unfortunately Squid
isn't [in my mind:-] up to the task of doing the sort
of phrase filtering or search term vetting you'd want
to do for an elementary.) 

(Let me stress the age differences a little more: A
photo of a bare bum in a first grade class results in
an emergency call and can escalate to shutting down
all the computers in the whole school if not handled
quickly and satisfactorily. The same bare bum photo in
an eighth grade class is probably just part of the
health class curriculum.)

Although we've gotten pretty fancy over time, that's
neither necessary nor is it the way we started out.
DansGuardian comes with a whole bunch of preconfigured
suggestions. You basically just have to decide
"yes/no" for each category. We didn't even _start_ to
think about supplying our own word recipes or
modifying the DansGuardian presupplied ones for a
whole year. 

By the way, our experience is even filtering
technologies like DansGuardian are almost useless
without really good blacklists. We pay a small yearly
fee to http://urlblacklist.com (no 's', that's a
different site and you don't want it), and get regular
updates from them. Last I counted their lists were
around 300,000 (!). (A blacklist only half or a third
that size is sufficient for elementaries.) You
couldn't possibly do anything remotely equivalent.
It's semi-heresy to say that the DansGuardian phrase
filtering alone isn't worth a whole lot ...but that's
how I feel. 

This is partly a question of philosophy. Our
philosophy is to comply with CIPA, keep our principals
happy, and make it difficult for students to do
illegal or stupid things -- and otherwise to let the
chips fall where they may. We don't have a population
of overly litigious parents, we've got the backing of
our School Committee, and we can point to the
situation not so many years ago when access was
completely unfiltered and truthfully say we're doing a
_whole_ lot better now. 

CIPA requires being careful about 'porn', one of our
principals is very concerned about 'chat', and both
principals constantly hear from their teachers they
want 'online games' blocked. Keeping students from
doing illegal and/or stupid things means blocking
'online gambling' and 'ecommerce' sites. And reserving
our bandwidth for academic purposes means discouraging
file downloads and file sharing. 

Trying through technical means to get to ZERO risks is
a quixotic quest for several reasons: The amount of
technical effort is huge and more expensive than most
schools really want to pay. Even with huge effort and
the best of intentions, being outfoxed technically
once in a while will be inevitable. Any reasonable
technical implementation is always backstopped by
enforcement of an AUP (Acceptable Use Policy) - it
can't stand on its own. Kids have easier web access at
the local public library and completely open access at
home. And if they're too locked down, computers aren't
useful academically. (That's a continuing discussion
point on this and several other mailing lists.) 

Also, if one of the school's goals is to _teach_ the
students how to conduct themselves safely on the net,
totally restricting everything isn't the way to do it.
The only way to learn is to have the opportunity to
fail once in a while. Hopefully the school can keep
the injuries in bounds ...but it makes no sense to
prevent slips and falls altogether. Going suddenly
from very tight limits at school to no limits at all
after graduation is like going from skateboarding to
driving in just one day. 

The "whitelist" approach is _extremely_ draconian, to
be considered only as a very last resort, and arguably
impossible to implement reasonably in 2007. What was
still possible (albeit difficult) a few years ago is
just ridiculous nowadays. With _millions_ of
web-connected computers, having a whitelist large
enough to make the computers useful to students is
pretty much impossible. Besides, just in the last year
we've seen a trend of more and more websites
intermingling (A is the main website, but the newsfeed
is at B, the streaming video is at C, the ads are
mostly at D and E, and the traffic meter that says who
owes what is at F). In such an environment,
whitelisting is such a huge PITB it more or less
doesn't work at all. We briefly considered
whitelisting _just_for_https/443_ this school year,
but our principals decided even that was such a huge
inconvenience to users it was better to take other
administrative actions. 

One very nice feature of the most recent releases of
DansGuardian is the ability to FORCE "safe search".
(What used to be a separate "Google patch" has now
been incorporated into the base software.) Instead of
having the search engine send you everything then
trying to filter it after the fact, the "safe search"
approach tells the search engine you want their "adult
content filter" (or whatever they call it), then lets
_the_search_engine_ do most of the filtering work.
This is pretty nice for text, and invaluable for
pictures. This alone would make DansGuardian worth it
even if it didn't do anything else. (It's kinda fun to
watch a student try over and over to turn the adult
content filter off, only to see it come back on again
and again and again no matter what they do.)

Also, consider setting up a GUI admin tool for
DansGuardian such as "the Webmin patch". (You'll
probably have to tinker with it a little to get it to
work on the latest version.) With it, you can turn
preset groups of phrases on/off very easily, without
having to deal with the internals of DansGuardian at
all and without having to think very hard about which
phrases to block. 

good luck! 

-Chuck Kollars

Shape Yahoo! in your own image.  Join our Network Research Panel today!   http://surveylink.yahoo.com/gmrs/yahoo_panel_invite.asp?a=7 

More information about the K12OSN mailing list