Wednesday, 30 September 2015

Children and online safety

This is always a hot topic, and I'm probably wading into a hornets' nest of trouble, but this has crept up on me as my two children are getting older (12 and 8) and starting to use electronic devices more and more for school, for entertainment, etc.
They've always had gadgets, probably my fault, but as they start to use them on their own and increasingly need to find things out on the big bad internet I'm thinking of further solutions to help keep them 'safe' or at least to help know when they're wandering away into something they shouldn't so we can talk about it.

This is the first issue: do you give unfiltered access to your children (or anyone in your house?) and then tell them off for going onto something they shouldn't, or should you filter the access and then explain to them why something came up as blocked? As an ISP network engineer this is a particularly thorny question, as various ISPs now apply network-wide blocks on content, which I believe is totally WRONG. I do not agree with external 3rd parties determining what I can or cannot do or connect to. That is because I'm an adult and I know, when I choose to view something that is questionable, that it is questionable. I don't need to be told that, nor do I need to be told off for it!
However, when it comes down to children then I believe it is the parents' responsibility to help safeguard that child. You wouldn't let your child play on a main road; the internet is comparable (ish! creative/written license here) and so you would want to protect and guide them.
This is where I firmly believe the onus is on the parents. And as such I am taking that responsibility on and looking at how to achieve this in the best possible way. In my case I am lucky: I've worked around ISPs and the internet since before 2000 and so have a bit more knowledge than most on what you can and cannot do, practically speaking.

Devices: my children have access to several devices around the house, so whatever protection I use needs to be consistent and also ensure that devices don't slip through the net. They use Android tablets (the excellent Hudl2), iPhones (evil devices, but they are must-haves for children now apparently) and a desktop PC running Windows. I have two Wi-Fi SSIDs set up at home, one for the children and 'guest' access and another for myself and my wife with unfiltered access to work, etc.
All the children's devices are connected to their Wi-Fi SSID, and on that router I have forced the DNS servers handed out to be OpenDNS (now part of Cisco). They provide very basic category filtering, using your public IP address as an identifier, and you can then tick which categories you wish to permit. This is a very simple filter set and not very granular. It's also not 100% foolproof, as anybody who works in IT knows: it relies on the devices accepting the DNS entries given out by DHCP on your Wi-Fi router, and on the child not tinkering with these settings. It also doesn't fully work around proxies, so I use this as a 'simple' filter point but don't entirely trust it to work fully. An example of how this could FAIL: permit YouTube access, and OpenDNS will let them get to YouTube, but at that point they could search and do anything on YouTube, so it doesn't do anything further to protect them. That said, it does log access and will tell you about violations and also the general amount of internet traffic being used (again it's a rough estimation as it's based on DNS queries, not website hits, so it's a rough number). Accounts with OpenDNS are FREE so this is good to get started with.
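The weak point named above, a device ignoring the DNS servers handed out by DHCP, can be checked for from the router's connection log. The following is an added example, not part of the original post; the log format, the 192.168.20.0/24 children's subnet and the sample lines are constructed assumptions, and the two resolver addresses are OpenDNS's public ones.

```python
import ipaddress

# OpenDNS public resolvers: the only DNS servers the filtered SSID should use.
OPENDNS = {ipaddress.ip_address("208.67.222.222"),
           ipaddress.ip_address("208.67.220.220")}
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS

# Constructed sample in a hypothetical "time src dst dport proto" log format.
SAMPLE_LOG = """\
18:01:02 192.168.20.11 208.67.222.222 53 udp
18:01:05 192.168.20.12 8.8.8.8 53 udp
18:02:10 192.168.20.12 8.8.8.8 53 udp
18:03:44 192.168.10.5 8.8.8.8 53 udp
18:04:00 192.168.20.11 93.184.216.34 443 tcp
18:05:30 192.168.20.13 1.1.1.1 853 tcp
malformed line
"""

def find_dns_bypass(log_text, filtered_net, allowed=OPENDNS):
    """Return {client_ip: {resolver_ip: count}} for DNS that skipped the filter."""
    net = ipaddress.ip_network(filtered_net)
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, src, dst, dport, _ = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        # Only clients on the filtered SSID matter; the unfiltered SSID is exempt.
        if src_ip in net and port in DNS_PORTS and dst_ip not in allowed:
            per_client = hits.setdefault(src, {})
            per_client[dst] = per_client.get(dst, 0) + 1
    return hits

if __name__ == "__main__":
    for client, resolvers in find_dns_bypass(SAMPLE_LOG, "192.168.20.0/24").items():
        print(client, resolvers)
```

DNS-over-HTTPS travels on port 443 and is not visible to a port-based check like this one.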

I'm going to digress here a little and talk about losing devices. Since we have portable devices (Android tablets, iPhone) we have the potential of them being lost. For Android devices the excellent Avast antivirus solves that so easily. Install the software onto the Android device, set it with the right anti-theft and location features and attach it to your Avast account. You then have an amazing suite of tools that will help you locate the device, lock it, erase it, monitor it, etc. This is all FREE and is excellent; I've used it many times and it works perfectly. Even better, you can connect multiple devices, so I've also protected my own phone and my wife's and family's phones, so should any phone be stolen it can be located, locked and erased remotely. Unfortunately the iPhone is a different matter. There is the locate option from Apple, however this has never worked when I tried it, and unfortunately Avast doesn't support the iPhone yet, so on these devices I've struggled. I've installed Lookout and Prey, which have similar lock and erase features, but they don't have a huge capability and I've not tested these in anger. They have a free version, which is what I use.

So the next problem is protecting content of websites, YouTube and sites that are visited. This is where things get a little grey. I don't want the children to be bothered by the filtering that's taking place, but I also expect them to know I'm doing it and that they should be responsible when it comes to using the internet (It's a privilege not a right. Keep saying that over and over. When I was young, the internet didn't exist!). So I started to look for an application that would primarily log and then do basic blocking. Two seemed to fit the bill: Qustodio (http://www.qustodio.com/) and Kidlogger (www.kidlogger.net). I went onto both and they both provide a free trial which you have to sign up for and get an email, etc. I signed up to both, and as Qustodio's email came through first I put in my kids' details (which is good, it only took their name and year of birth, nothing else, so no compromise there in security). For my details it just needed an email and a password, so again no nasty data gathering.
They provide a Windows client to install on the machine, and then you use separate logins for each child on the PC, which then attach to their Qustodio profile. It was simple to use and easy to install. The client app seems to be a little resource hungry, but I guess that's because of everything it logs (and the PC I'm running it on is ancient).
They give you a 3-day unlimited trial which lets you try everything out, and I'm quite impressed. It will log how long they've been logged in/active for, what applications they are using and for how long (Word, Excel, browser, etc.), what searches and search terms they're using, and will log URLs they hit, browse and visit in a timeline view, which is pretty nice. It also has the ability to log Facebook and social media activity separately, but I haven't used this as the children are banned from these until they are age appropriate (I can't believe how many people let their children on these systems when it is clearly prohibited in their AUPs). Each website and application used can be individually logged or completely blocked by the application, or you can set it to ignore that application's or website's activity, so it's good in that you can ignore known safe sites or sites you don't want to track or monitor. Logging is kept for 30 days, history-wise, and you can have up to 5 children and 5 devices on the premium account. After the 3-day trial you revert to 1 child and 1 device and a limited history (unsure how long).
All in all, I'm impressed with Qustodio. It looks like it will help me teach the children about blocking, also I'm going to show them the logging it does and explain that almost everything they do on the internet is logged somewhere along the line, which I think is a good message to give to them and teach them.
If they feel that something they do is worrying if it's logged, then my thoughts are they shouldn't be doing it. That is the principle I believe is the one that works when it comes to internet security.

I welcome comments on this as I really do want to know what others think of my stance, be it right or wrong, as I think everyone has a slightly different view. Feel free to comment below and I'll try and reply if relevant to all of you.


Tuesday, 22 September 2015

Asterisk BLF for Queues and Cisco SPA504G phones

I was puzzling over an issue on our VOIP phone system the other day, and have finally solved it so thought I'd share it with you and also for when I forget myself how I made it all work.

The problem: Have an option for users to add themselves in and out of their pre-defined queue, and to have a visual indication of whether they are in or out of the queue on the phone handset (I also have wallboards, but it's nice to see on the phone handset itself).

The requirements:
 Cisco SPA504G handset (most newer Cisco handsets handle this too; unfortunately the older Linksys ones don't)
 Asterisk - FreePBX 12.0.5 or newer (that's all I've tested)
 Queues set up

Firstly, go into your Queue setup via the FreePBX web admin and make sure "Generate Device Hints" is ticked for the queue. This will generate the function code *45EXT*QUEUE, which is what we need for the phone to dial and jump in and out of a queue.

Then we need to tell the phone to allow you to dial such a weird function code. On the Cisco SPA504G web-panel, go into advanced and select EXT1 and go to the "Dial-Plan" option. You need to add in "*xxxxxx*xxxx" to this. My full dial plan shows "(*xxxx|*xx|*xxxxxx*xxxx|[3469]11|0|00|[2-9]xxxxxx|1xxx[2-9]xxxxxxS0|xxxxxxxxxxxx.)" - this may or may not work for you too, but works for me!

Once you've saved that, try it by manually dialling *45EXT*QUEUE (change EXT to be your extension number, and QUEUE to the queue you want to join/leave). You should get the Asterisk voice confirming you've been added or removed from the queue.
(If you don't, and get invalid extension on the phone screen, your dial-plan is still failing to pass it to Asterisk.)

Finally you can set the BLF button to show and control this. On the Cisco SPA504G these are the 4 line buttons to the right of the LCD. I'm using the bottom one for this.
Choose the PHONE tab on the Cisco SPA504G web panel, go down to LINE KEY 4 and set extension to DISABLED, then share call appearance to SHARED. In the extended function box, put in:
fnc=blf+sd;sub=*45$AUTHID*5150@$PROXY;ext=*45$AUTHID*5150@$PROXY
(Where *45 is the feature code set up in FreePBX and 5150 is the queue name. $AUTHID should be translated to the phone extension number and $PROXY to the Asterisk server IP address.)

After a reboot the display should show QUEUE against a green light on the 4th button. Press it, and it should log you into the queue (you should hear the voice message) and then set the light to RED to show you as being logged in. Press it again and it should log you out and the light should go back to GREEN.

Excellent!


(BTW in the photo you'll see I've actually assigned the QUEUE to button 3 as I use button 4 as DND indicator)
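
To see why the "*xxxxxx*xxxx" entry matters and when it stops matching, here is a simplified model of the dial plan quoted above, as an added example that is not part of the original post. It handles only the syntax that appears in that plan (x, literals, [sets], the "." repeat and S/L timers); the extension numbers 1001 and 101 and the helper names are assumptions.

```python
import re

# Dial plan exactly as quoted in the post.
PLAN = ("(*xxxx|*xx|*xxxxxx*xxxx|[3469]11|0|00|[2-9]xxxxxx|"
        "1xxx[2-9]xxxxxxS0|xxxxxxxxxxxx.)")

def rule_to_regex(rule):
    """Translate one dial-plan rule into a regex (subset of the SPA syntax)."""
    rule = re.sub(r"[SL]\d+", "", rule)   # timers change timing, not matching
    out = []
    for tok in re.findall(r"\[[^\]]+\]|.", rule):
        if tok == "x":
            out.append(r"\d")             # any single digit
        elif tok == ".":
            out.append("*")               # zero or more of the previous element
        elif tok.startswith("["):
            out.append(tok)               # [3469] and [2-9] are valid regex sets
        else:
            out.append(re.escape(tok))    # literal digit, * or #
    return re.compile("".join(out))

def matching_rules(plan, dialled):
    """Return the rules of the plan that accept the complete dialled string."""
    rules = plan.strip("()").split("|")
    return [r for r in rules if rule_to_regex(r).fullmatch(dialled)]

def queue_toggle_code(ext, queue, feature="*45"):
    """Build the *45EXT*QUEUE code that FreePBX generates for a queue."""
    return f"{feature}{ext}*{queue}"

if __name__ == "__main__":
    for ext in ("1001", "101"):           # hypothetical extensions
        code = queue_toggle_code(ext, "5150")
        print(code, "->", matching_rules(PLAN, code) or "no rule matches")
```

With a 4-digit extension and a 4-digit queue the code fits "*xxxxxx*xxxx"; with a 3-digit extension no rule accepts it, so the entry needs adjusting to your own numbering.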