Parental controls

How good are they?

I have a friend who installed this

http://www.enuffpc.com/

on her computer for her daughter. She's happy - the MOM, that is. BUT -

I hear through the grapevine that the daughter brags to her friends that she can "beat" it - if so - how? Is this true? I'd like to tell the Mom, but I'd also like to give her the skinny on how the daughter's doing it ('cause I don't think she'll believe me otherwise. . . ) - and maybe how she can catch her?

From what I hear the girl is engaging in some questionably dangerous activities (giving out personal info in chatrooms and acting very "flirty" (and she's just 13), etc. Any advice?

If nothing else, is there a really GOOD parental control for those who need it?

The cardinal rule of local computer security: Physical access is root access.

Put in less techie terms, whathat means is that someone who has physical access to a machine that contains the hard drive with the system information can break pretty much any security that has been placed on it given enough time and knowledge. And it usually doesn't take much time given that most people who set these things up are trying to do it in as "user friendly" a way as possible. That is, they're not physically locking the machine with a key that requires the child to get permission even to turn the computer on. They're not password protecting the BIOS or setting a boot password that requires parental permission even to login. They're not enforcing a security policy for the system as a whole, meaning the child's account runs with administrator privileges and can change any system setting at will that they know how to change.

A simple example: Linux is becoming popular enough that even non-techies at least know about it, and I happen to know some teenagers who pass around "Live" discs as a method of bypassing security on their Windows machine at home or at school. If the BIOS isn't protected by a password -- or worse yet, if it's already set up to do so -- you can instruct the computer to check the CD drive as a first boot device. If it finds the Live disc, it'll boot from that, and assuming there's no exotic networking hardware to manage, you have an instant Internet connection already set up for chat, e-mail, web browsing, etc.

A lot of parental control software I've seen (and I haven't see a lot of it since I gave up on relying on outside sources for this sort of thing after seeing what I saw) can be defeated simply by installing a program that allows you to shut down services, something like Codestuff Starter. Processes the Windows task manager can't or won't kill can be killed easily with this. It's a necessary tool for those who tweak their systems the way they want them, but anything usefull can be used for many purposes. You can completely shut down your firewall with Starter, even if the firewall is password protected from shutdown. If the parental control program is running as a service, then it would be easy to kill it. I've even seen others that are so easy to bypass, all you have to do is hold down the shift key when booting the machine, and it never starts. (I think most of the decent ones avoid this now, so that's an extreme example.)

Having said all that general stuff, I'll note that the product description for this says it has elements in place to prevent all this. Unless it is running in a multi-user environment that is enforcing a good security policy, which takes time to set up outside using this program, I don't see how. I could be wrong, though, and I'm not running Windows at the moment and so can't test it. (Although since I'm working on another PC at the moment, I may mess with it later and let you know if I do.)

I know this isn't what you're looking for, but the best parental control for computer access is physical observation and restriction. Put the computer in a "public" room so that the possibility of happening across what they are doing always is present. Restrict access with a boot password that's needed just to start the thing, and *never* just give it out to save the hassle. This takes time, but I also put together a list of IP addresses associated with chat networks and other sites I don't want her visiting and put them in a HOSTS file resolving to 127.0.0.1 for my daughter's account on my computer. If she ever tries to access them, they loop back to my computer and never go anywhere. For stuff I don't know about, I have the monitor in a place where I can always look at it while she's on it.

**but the best parental control for computer access is physical observation and restriction. Put the computer in a "public" room so that the possibility of happening across what they are doing always is present. **

That's *my* opinion, too. Neither computers nor TV's belong in a kid's room, IMHO. This girl has hers in her room (both).

**Restrict access with a boot password that's needed just to start the thing, and *never* just give it out to save the hassle. **

Good idea when the time comes - so far I'm not having these kinds of problems other than wanting to play Harry Potter too long.

**This takes time, but I also put together a list of IP addresses associated with chat networks and other sites I don't want her visiting and put them in a HOSTS file resolving to 127.0.0.1 for my daughter's account on my computer. If she ever tries to access them, they loop back to my computer and never go anywhere.***

Ummmm - how do you do that? Can that work for any "type" of site you don't want your kid even accidently stumbling across - or is just very specific. Do you have a list of the "chat natworks"? I'd love to be able to pass these on to some of the other moms.

I loaded this into my daughter's computer, which I've been fixing, and set it up to be as restrictive as it seemed to allow. I shut it off in about 5 minutes. I couldn't do it using the tools of Windows itself. I just had to download the right tools, install them, and use those. Finding and downloading was the bulk of the time required. It'd take more if you didn't already know what to do.

What I did could be prevented if the account had been set up as a limited account without the ability to install any programs. However, other tools exist that do essentially the same thing that don't go through the typical Windows installation process and so couldn't be blocked that way. There's also a file in the \Windows folder that controls some aspects of the program. Delete it or rename it, reboot, and it's non-functional. Rename it back to what it originally was before you log-off, and no one knows the difference unless they look at the "last modified" time stamp on the file to see if anyone has messed with it.

Also, perhaps I missed it, but I didn't see anything that truly restricted the ability to use chat networks or even access web sites, so if I didn't miss it, her daughter could just be bragging about getting around it. It has an option not to allow Internet access, but that seemed to be it, either on or off. Again, I may have missed it. Seeing that I could turn it off from within a restricted account so easily, I concluded whatever protections it does provide don't really matter.

As for the HOSTS method of blocking access, it's specific. You have to know what sites you're wanting to block. Most people I know use it as a pop-up/spyware blocker. For example, you set it so doubleclick.net doesn't resolve to its real IP address, rather 127.0.0.1, which is your home machine, and doubleclick gets no hits from you.

And I was mistaken before. I've forgotten all the details of how I did things and have to go back and look. I set up my firewall to block access to most of the chat networks, not the HOSTS file. I've never found a Windows based firewall quite as configurable as IPTables on Linux, so I couldn't begin to guess how to translate what I did into something usefull for you. Sorry.

they're now looking into some different "parental control" software - though they still don't quite get that having the computer where THEY CAN SEE IT AT ALL TIMES (or any given time without notice) would be optimal. :(

Anyway - they're looking at this now. Any comments on it?

www.e-surveiller.com

Well, if the advertising and press can be believed, it's appears to be a good solution if what you're wanting to do is monitor activities from a remote computer, keep logs of chat sessions for later viewing, etc. If they'll actually take the time to do that and make it clear that they are looking at what she does, it might work as a preventative tool, but it sounds to me like they're more interested in a hands-off approach. This software is really intended for use by network administrators in an environment that makes physically watching users all the time impossible. Like you I believe, I don't see the point in spending money on something that could be done by moving the physical machine to a common room. The latter would accomplish the same purpose, probably more efficiently and certainly less expensively.

What, exactly, are they trying to accomplish, restrict access during certain times, restrict websites, chat networks altogether, or what? There are different ways to go about each problem, but the important thing to remember is that any software based solution can be beaten if the kid knows what he or she is doing. Again, physical access is root access. Put in all the best software imaginable, fail to password protect the BIOS, and you can get around it with a simple Live disc.

I hate to put it this way, but if what they are wanting to do is keep her out of chat rooms, it's going to take a low-tech solution to really address the problem, i.e. old-fashioned parenting and teaching your kids it is an incredibly stupid thing to randomly flirt with faceless strangers, and at the end of the day, you just have to hope you've taught the right lessons. You can get in a chat room just about anywhere. We've got display computers at work set up with MSN Messenger, and random people off the street come in and will stand there until they're tired of us asking to help them, chatting with random people elsewhere. It's like drinking or sex. They may not be doing it at home, but that's not going to keep them from it elsewhere.

As for the home solution, if they refuse to put the computer in a common room, they're going to need to start from scratch and set up the computer with a carefully considered security policy. First, they need to password protect the BIOS to prevent anyone from changing it. If they're using Windoze, they need WinXP Pro (or maybe 2000) so they can create administrator accounts and user accounts, and they'll need to learn the difference. They will need to set up her account for her, installing all the software they will allow her to use, maybe a web browser and an e-mail client and NO chat programs. The account needs to be restricted from installing any software, and the administrator account should have a complex password the parents never give her for any reason. Then they need something like Net-Nanny to block out everything they don't want her accessing. (Net Nanny is very hard to break on a properly configured system. It's possible, but not as simple as the previous program you mentioned.) This can be an expensive solution and time consuming, but it's a start.

If they're running WinXP Home or some earlier version of Windoze that doesn't allow you to really restrict user accounts, they may as well forget the software solution if the girl is a reasonably intelligent person or has access to techie friends who can help her out.

for taking the time to answer this.

I'll forward the information - and let other parents know, too.

I think the parents are just in denial. She says she's "not doing anything like that" yet, the other kids are telling their parents - who are telling HERS - that she IS! They say they don't really "believe" she's doing that but will monitor "just in case". They want her to be able to "have freedom" to chat with her friends, etc.

I don't think they know this girl has a serious problem with the truth. My son came home yesterday and said this girl had told some others that they'd "gone on a date!" (He's 12!!)

On reflection, I do want to add that I approach questions like these as someone who has made it his business to figure out how to break things and then figure out how to keep them from breaking. Realizing how easy it can be to do the former, I often forget that doing this requires some degree of specialized knowledge, not to mention patience. When I was 12, I was taking apart machines and trying to figure out how to trap the break function on a TRS-80. In one of my more idiotic moments, in a "why did I bother" sort of way, I spent a week figuring out the assembly code to make my computer route input from a tape recorder thru a television speaker. It never occurred to me to just plug in the stupid cable and use the command "SOUND ON." :-)

The point of this is that I may be overstating to some extent the difficulty of securing the computer in this particular case. As I said, but did not emphasize, it took me five minutes to shut down enuffpc, but it might take someone else a lot longer if they don't already have some idea what they are doing.