Comment by mikestorrent
3 days ago
> give parents strong monitoring and restriction tools
The problem is that it's bloody hard to actually do this. I'm in a war with my 7yo about youtube; the terms of engagement are, I can block it however I want from the network side, and if he can get around it, he can watch.
Well, after many successful months of DNS block, he discovered proxies. After blocking enough of those to dissuade him, he discovered Firefox DNS-over-HTTPS, making it basically impossible to block him without blocking every Cloudflare IP or something. Would love to be wrong about that, but it seems like even just blocking a site is basically impossible without putting nanny-ware right on his machine; and that's only a bootable Linux USB stick away from being removed unless I lock down the BIOS and all that, and at that point it's not his computer and the rules of engagement have been voided.
For now I'm just using "policy" to stop him, but IMO the tools that parents have are weak unless you just want your kid to be an iPad user and never learn how a computer works at all.
As a parent of young children, this is your entire problem:
> the terms of engagement are, I can block it however I want from the network side, and if he can get around it, he can watch.
You're treating this as a technical problem, not a parental rules problem. Your own rules say he's allowed to watch!
You have to set the expectations and enforce it as a parent.
Depends on what the goal is. But yeah I agree if you really don't want them on YouTube (or whatever) and really do want them to tinker with their devices then you're likely going to have to eschew technical measures for more overt ones.
Well, the point of it is to turn learning about network security and TCP/IP into a game that encourages him to dig in deeper than just the typical surface level interaction with a computer. Firefox has just made the job harder for me than I'd like. I have no issue with simply having him turn the thing off, or taking it away. It's moderated, I'm not totally hands off, c'mon.
I think the point is that it's not enforceable.
Correct. I think that's the purpose of DoH, but it's not helping me with my little game.
I remember when I was a kid that age there were rules and some were technically enforced. But if you found a way around the technical enforcement you were in huge trouble. The equivalent here would he been, if you used a proxy to watch what you weren't meant to, then you lose all screen time indefinitely. Sneaking around parents' rules was absolutely not on.
Sounds like a smart kid, is part of you secretly proud of him for his tenacity?
Is it impractical to keep an eye on what he's doing on his computer, i.e. physically checking in on him from time to time?
How about holding him responsible for his own behavior, to develop respect for the rules you impose? Is it just hopeless, and if so how come? Is it impossible for him to understand why you don't want him watching certain content or why he should care about being worthy of your trust?
I'm not judging here, I'm genuinely curious.
Personally I wouldn't want to expose a child to "the algorithm" ie recommendations. It turns up useful stuff but (IMO) the stream contains an unacceptable concentration of radioactive waste and becomes increasingly concentrated if you click on any of it.
I might suggest explaining this to him, providing a uBlock filter to sanitize the page, and requiring use of said filter.
> is part of you secretly proud of him for his tenacity?
Of course! That's the whole point. The computer's in a highly visible area of the home. The point was to try to get him to learn a little about networks with some built-in motivation, but I didn't expect the arms race to end so easily.
The obvious solution would be TLS interception and protocol whitelisting. Same as corporate IT. Stick the kids' devices on a separate vLAN if you don't want to catch all the other devices in the crossfire.
Still, there's an awful lot of excellent educational content on YouTube. It seems unfortunate to block access to that. Have you considered self hosting an alternative frontend for it?
> TLS interception and protocol whitelisting
Well, that means directly doing things on the endpoint, which I don't want to do. One could work around that with a Linux USB; I could block USB boot, but then I'm just giving him an iPad, right? What's the point?
The goal is the learning exercise that puts Youtube as a reward mechanism for getting around my blocks. I just hoped to not run out of options so quickly.
No? A firewall at the edge of the network performs a MitM attack against all TLS connections, substituting in your own (ie self signed) root certificate for the connection on the local side. It also performs protocol filtering because the only realistic way to prevent leaks is a whitelist approach.
The end user is faced with a choice. Either add the local root certificate or else all TLS connections will be rejected. Booting off a USB won't get around it.
At this point this is a bog standard approach taken by any corporate IT department that takes network security even half seriously.
Granted, certain types of proxy will still work since automated approaches to filtering page content itself are not particularly robust. You could always write a custom heuristic to detect the YouTube frontend though. Would probably be quite easy since the elements have predictable names.
That said it doesn't really seem like blocking is what you're actually after. It's unfortunate the cat and mouse game being used as a learning activity concluded so quickly but maybe just have a chat with him about the psychological issues posed by algorithmic feeds and user generated content in general?
I'll mention again, a self hosted alternative frontend for YouTube might address most of the objections you have to it in the first place.
Putting controls on the machine you want to restrict is pretty normal. While I agree with your first sentence that it's hard for parents to get proper monitoring tools, the rest of this sounds like a self-imposed problem. If you don't want to mess with the actual machine then run a proxy it has to use.
At this point why not just emancipate him. Hook him up with an easy remote job, put a lock on his bedroom and hand him the keys, and make him start paying rent. Because I’m having trouble figuring out what part of society you’re preparing him for at this stage. Respectfully.
Well, what jobs are even going to exist in 15 years??
Look, I get what you mean. Sort of watching out for where the puck is moving instead of worrying about where it’s at now.
Maybe it would help not to think that your son is out on the ice with you right now. Because I feel like that’s how you’re treating him. And at least in the situation you described he’s beginning to skate circles around you!
If he’s smart enough to outwit you then maybe he’s smart enough for you to start explaining to him whatever the reasons are you don’t want him to do certain things. I get it. You don’t want him to do some things but at the same time you don’t want to curtail his ambition and agency to do other things. Am I on the right track?
I won’t tell you what to do about that. I mean I could, but I hope that this was useful enough, whatever I mean to be doing here.
Maybe you need to take a step back and revise your feel for the game that you’re playing on your own before you intend to prepare him to start too. The ‘game’ of life and making one’s living.
Whats so hard about taking the iPad out of they're hands? or laptop or whatever, once you catch them on sites they shouldnt be on?
You missed the point. I take it away all the time! The goal is to teach him about networking, by forcing him to learn it to work around the limitations.