Safe and Secure Web for your kids

We live in a time when the internet provides us access to an incredibly valuable trove of information. Unfortunately, along with this access to data comes exposure to risks that we definitely need to mitigate. We all have computers, smartphones, and even digital assistants that increase our exposure to technology, and this can seem very daunting to secure. The good news is that in the last few years the ecosystem has matured, and unlike the internet of my youth, devices offer solutions for limiting access and presenting only the facets that you find acceptable for your children.

We might have smart phones lying around that could get into the hands of our kids. Rather than fearing smart phones and technology in your home, I would like to help you explore ways of making these devices safer.

The layers that you have to be concerned about are:

  1. network
  2. operating system
  3. application

Network

What most people do is to get a wireless router as part of their cable/internet subscription.  This comes with both wired and wireless access to your network. If your house is wired with Ethernet cables your service provider will probably connect this up, and then you will also get WiFi access through the same device.

These devices tend not to have very rich features for limiting access to the internet.  Also, the range is often not very good and so people end up with a WiFi extender, which normally does not have the same filtering features.

The best philosophy is to minimize the number of different networks you have in your home. This reduces the number of places you have to go to control access to your network.

I recommend a mesh WiFi system such as Google WiFi, but there are many. I have heard good things about Orbi. Here is a review of some of the best.

Google WiFi gives you the ability to create groups of devices in your home and schedule their activity. This means that you can provide tight windows within which your kids can access screens, media, and devices. It also blocks inappropriate web sites.

A mesh WiFi system also allows you to extend the range of your WiFi by simply adding an additional device. My recommendation would be to turn off any additional routers:

  • Turn off any other WiFi sources in your home (such as your default ATT WiFi).
  • Remove all network cables so nobody can bypass your controls by plugging into the wired network.
  • If your child is using a device with cellular connectivity, then ensure you turn off data at your service provider’s portal. Once you schedule time windows for your child’s device on your network, you don’t want them to be able to bypass that by switching to cellular data. If you are disabling the phone at the operating system level, this is not necessary, but still recommended.

Operating System

Whether you are giving your child access to a “smart” device or a computer, you are best off giving them access via their own profile. The access you require is certainly greater than what your child needs, so sharing a profile is not good practice.

Devices such as iPads are a great culprit because Apple does not offer multiple profiles on iPhones and iPads. They do offer family security, but it is at the device level, so many people let their kids have access to a shared device on which they can go wherever they like. Don’t let this happen. Apple does allow you to restrict access for your child’s account by following these steps.

Android runs on many phones ranging in price from under $50 up to the high-end at over $1000. It allows you to set up profiles so you can share a device between guests and a child.  Adding a new profile with a gmail login gives the new user completely private access to the phone with the ability to install apps.

On the Android Play store is a great free tool called Family Link.  If you create an account for anyone under 13 it will by default be a managed minor account.  The Family Link app has 2 parts, the parent and the child apps.  The parent app allows control of the device.  The child app wipes the entire operating system and comes up at the operating system level.  This is why it is so secure. There are other apps that attempt to keep your kids in a tight sandbox but if it is not at the operating system level the kiddos will find a way of shutting down the app that is preventing them getting to their desired content. Family Link cannot be shut down without re-installing the device.

Here is a useful site for setting up Family Link.

Applications

Using Family Link or Apple Family controls limits the sites your kids can go to, and also disallows all applications that have not been approved by you. I recommend that you:

  • disallow Google search (www.google.com).
  • disallow any apps within which they can chat unsolicited to anyone.
  • don’t allow YouTube access to kids. Rather consider YouTube Kids, which you can get here.

Other benefits of Family Link or Apple Family:

  • when your kid needs access to a site, they can explain why they need access and this provides a valuable learning moment for them as you reason through why it is or is not a good idea.
  • although I do not allow Facebook access, I have found Facebook Messenger to be the most parent-friendly messenger since the child cannot add anyone. The parent must add any contacts. Once again this philosophy is best and provides a valuable moment to discuss whether or not a back-channel to classmates is in fact valuable. Here is a link to Facebook Messenger.

Conclusion

Hopefully this has given you some food for thought.  This is a constantly evolving topic. I look forward to hearing your feedback and possibly digging into other topics, technologies and devices to help parents help their children thrive in safety and security.

Nest Hello Doorbell

Neat, clean, small and incredibly effective

 

My wife and I both work and we frequently have to negotiate access to the property for a myriad of service providers. We also have guests from far-flung places, so rather than providing keys we have invested in the Schlage lock to control access to the front door. We used to have one of those old push buttons but once Austin became the target of a parcel bomber, I decided that we needed a video doorbell to push the evidence to the cloud. This is in addition to the Nest cams we already have inside.

 

Schlage lock

 

The Installation Process

The hardest part of the installation process was verifying that I did have a compatible 15-20vac transformer powering my existing doorbell. The transformer was tucked away in the attic, piggy-backing off the furnace power. The Nest “wizard” for verifying ease of installation was then very explanatory and I felt confident I could pull this off.

 



My front door has only a very small gap between it and a wall and so I was concerned that the camera would show mostly wall, but Nest had covered this base by including a 30% wedge to angle the camera away from the wall. My cladding is sandstone and is very rough, so I did seal around the back of the wedge to prevent water getting to the wires.

 

 

Thoughts after 2 weeks of use

I am very happy with it and my children love the fact that when their friends from the cul-de-sac show up while we are out, they can still chat through the very loud speaker (a volume adjustment would have been nice). I no longer have to provide a code to anyone requiring entry. They can ring the bell and if it seems like the right thing to do, I let them in by unlocking the Schlage. The Schlage incidentally is controlled by my Wink hub.

The Hello now has 11 familiar faces and announces arrivals accordingly via the 6 Google Home devices inside. Actually I have turned this feature off as every visit from a local kid caused an uproarious chorus of out-of-sync devices inside and upset everyone. It’s really the unknowns that need to be announced and the notification to my Android phone and WearOS watch is quite enough notice of impending visitation.

 

 

Setting up a GCE-based Linux machine with multiple persistent disks & GUI

Create a Machine

Create a machine with your required specifications and label it “vnc-server”.

Your machine comes with a boot disk automatically but once you add an additional persistent data disk, you need to think about formatting and mounting as part of the process. Uncheck “delete boot disk when instance is deleted” so you cannot mistakenly delete your hard work. You will probably find for some projects you will want to resize your machine for faster compilations.

Here are some useful links to help with that.  I will flesh this out over time but for now, here are my sources that helped get this going.

https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux
https://askubuntu.com/questions/626353/how-to-list-unmounted-partition-of-a-harddisk-and-mount-them
https://www.cyberciti.biz/faq/mount-drive-from-command-line-ubuntu-linux/

–This site describes the process.  Just be careful of the /etc/fstab update because following the instructions burnt me
https://cloud.google.com/compute/docs/disks/local-ssd

Now install a remote accessible GUI

–Added a 250 GB disk and mounted it under /mnt/disks/data

sudo apt-get install gnome-core

sudo apt-get install vnc4server
–open the GCE firewall to tag vnc-server and forward 5901
–install java https://tecadmin.net/install-oracle-java-8-ubuntu-via-ppa/#
–install eclipse http://www.krizna.com/ubuntu/install-eclipse-ubuntu-14-04/

Configure remote access

Set the resolution of vncserver when you run it:

vncserver :1 -geometry 1024x768 -depth 24

You can automatically run vnc on restart by following this link, adding:

  • /etc/init.d/vncserver
  • ~/.vnc/xstartup

Create a new SSH key pair locally if you don't have one, using:

ssh-keygen -t rsa -C "{email address}"

Give the key pair a name so you don't mess with your defaults.

Copy the public key up to the machine you want to connect to ({key pair name}.pub).

You will also need to run an ssh tunnel locally, to use your key to connect.

ssh -N -i ~/.ssh/{key pair name} -L 5902:127.0.0.1:5901 -2 {user name in cert}@{remote machine ip address}

Do the above for VNC access. The remote port is 590x, where x corresponds to the session number (normally 1).

You then just connect to localhost::5902 and you are in.
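
Because the tunnel above carries VNC inside SSH, TCP 5901 does not have to be reachable from the internet for this setup to work. The following added example (not part of the original post) audits the output of `gcloud compute firewall-rules list --format=json` for rules that expose VNC ports on the vnc-server tag to any source address; the rule names and addresses in the sample are constructed.

```python
import json

VNC_PORTS = range(5900, 6000)       # VNC display :N listens on TCP 5900+N
ANYWHERE = {"0.0.0.0/0", "::/0"}    # source ranges that mean "the whole internet"


def covers_vnc(ports):
    """True if a rule's port list overlaps 5900-5999; no list means every port."""
    if not ports:
        return True
    for spec in ports:                       # "5901" or "5000-6000"
        lo, _, hi = spec.partition("-")
        first, last = int(lo), int(hi or lo)
        if first < VNC_PORTS.stop and last >= VNC_PORTS.start:
            return True
    return False


def exposed_vnc_rules(rules, tag="vnc-server"):
    """Names of enabled ingress rules that let any address reach VNC on `tag`."""
    hits = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if "targetServiceAccounts" in rule:
            continue                         # not targeted by tag; out of scope here
        if "targetTags" in rule and tag not in rule["targetTags"]:
            continue                         # applies to other instances
        if not ANYWHERE & set(rule.get("sourceRanges", [])):
            continue                         # restricted to specific sources
        if any(a.get("IPProtocol") in ("tcp", "6", "all") and covers_vnc(a.get("ports"))
               for a in rule.get("allowed", [])):
            hits.append(rule["name"])
    return hits


# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE = json.loads("""[
 {"name": "allow-vnc", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["vnc-server"], "allowed": [{"IPProtocol": "tcp", "ports": ["5901"]}]},
 {"name": "allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["vnc-server"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-vnc-home", "direction": "INGRESS", "sourceRanges": ["203.0.113.7/32"],
  "targetTags": ["vnc-server"], "allowed": [{"IPProtocol": "tcp", "ports": ["5901"]}]},
 {"name": "allow-high-ports", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["5000-6000"]}]}
]""")

if __name__ == "__main__":
    for name in exposed_vnc_rules(SAMPLE):
        print("VNC reachable from any address via rule:", name)
```

To check a real project, load the JSON printed by the gcloud command in place of SAMPLE.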

 


xstartup is slightly different for gnome.  Write this to xstartup

#!/bin/sh
# Uncomment the following two lines for normal desktop:

unset SESSION_MANAGER
#[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
#[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources

x-window-manager &
metacity &
gnome-settings-daemon &
gnome-panel &

——————————————————————–
–install node 9

curl -sL https://deb.nodesource.com/setup_9.x | sudo -E bash -

sudo apt-get install -y nodejs

When ssh’ing in, remember that you need the public key on the target corresponding to a private key stored locally.

Use the -i parameter to tell ssh which key to use:

ssh -i ~/.ssh/{key pair name}  {corresponding user}@xxx.xxx.xxx.xxx

Qualify with the user name from the key.

Install IntelliJ Idea

Download IDEA from the IntelliJ web site

https://stackoverflow.com/questions/30130934/how-to-install-intellij-idea-on-ubuntu

 

 

What you now have is a cloud-based development box that you could use from anywhere, including your slick new Chromebook. You can also dial in as much power as you require. Just remember not to leave it running as you will start to pay real money for it. I have been using my cloud dev box for a couple of months and I can get away with under $30 per month of costs.

 

Install Atom, for Python scripting

https://codeforgeek.com/2014/09/install-atom-editor-ubuntu-14-04/

 

Bitnami