Keeping your kids safe online

Online Safety and Kids

The internet can be a scary and dangerous place, especially for kids. Our world continues to move more and more toward an always-connected society. In many instances, children are introduced to the internet at a younger age than ever before. The global COVID-19 pandemic should act as a wake-up call to the nation that we need better protections for children online. COVID-19 has pushed a lot of schools toward online education, resulting in children who didn't normally access the internet now being forced to use it.


The standard answer you'll hear when discussing a topic like this is "well, you're the parent, just set the rules and enforce them," and while that's true, the truth is rarely that simple. Having a dialog is always the first step, but it's no secret that parents can't be with their child every moment of their lives. Parents work, children go to school, they hang out with friends, they sleep in their own bedrooms away from parents (normally). To put it simply: if a child wants to rebel, they will find the time and the means to do so. You can't helicopter parent every moment of their life to make sure they're following your rules, but you can use technology to help enforce your rules.


Unfortunately, nothing is perfect and there are always ways around things. For each recommendation I make, I'm also going to explain how a child can circumvent it and what you can do to stop that.


Author's Note on Mac/iOS:

Before we begin, I want to explain one thing. I'm not going to discuss macOS and iOS much in this article. Apple offers parental controls built into the OS, but they are per device and not as strong as Android's. Part of this is Apple's decision to not allow things which control core components of the OS. There certainly are ways to lock down your macOS/iOS devices, but they are manual and require configuration on every device you own. Any time you want to make a change you have to make the same change on every device. This may change in the future, but as of 2019 this is how it worked.


Securing the Operating System:

We're going to cover two operating systems here: Windows and Android.


Android OS:

Since Family Link was released back in 2017, Google has taken large steps toward making Android a family platform. Family Link is a powerful tool that gives parents a lot of control over their children's devices. Family Link allows parents to approve or disapprove any app before a child is allowed to download it, see the child's location, set screen time, control internet access, control access to movies and music, and several other features. Family Link also has powerful host-level control over the device, including the ability to prevent additional users, block unknown sources, disable developer options, and control location and app permissions.

Here's how to get started with Family Link:

  1. The parent will need a Google account. This will be the main control account which manages the "Google Family". Google accounts are free and can be made by going to accounts.google.com. Chances are though that you already have one.

  2. Next, you'll need to create a new account. This account will be for your child so fill it out with as much or little information as you want. The part that you want to be accurate however is the Birthday. Under Google's Terms of Service, you must be 13 years old to manage a Google account; however, a parent can manage a child account on their behalf until they come of age.

    1. For this reason, it's important to put the correct age. Once a child turns 13, they will be able to take control of their Google account and opt out of Family Link (more on that later). So, if you fake the child's age and say they are over 13, they could then opt out of Family Link whenever they choose.

  3. Google will want you to link that child account to a parental account, so link yours. This will create a "Google Family" group.

    1. Google Family groups are actually fantastic. They allow sharing paid goods between up to 6 people. If one member buys a movie from Google Play Movies, they can share that movie with everyone else in the family group for free.

  4. The next step is to set up the Android device. A Family Link managed account must be the primary account on a device, meaning that you need an Android device that is not yet set up.

  5. Log in to your Android device with the child account. Google will walk you through the steps of downloading Family Link on the device, authorizing the login as the parent account,

  6. Finally download the parent app on your personal device to allow you control over your child's device.


This may seem like a lot of work, but it's actually pretty simple and only takes a few minutes. It took me longer to write out those steps than it will take you to complete them.


As I've mentioned previously, Family Link is powerful. It has direct access to modify settings on the phone, which is fortunate because it's pretty difficult to bypass Family Link when configured correctly. The only real way to bypass it is if your child creates a new fake Google account and adds that to the phone. Instead of logging in to the Family Link managed account, they can log in to their fake 13+ year old account and have full control.

So how do you as a parent prevent this from happening? Thankfully this is an easy thing to prevent. Inside the Family Link parent app there is an option where parents can allow, or disallow, the child account from adding additional accounts to the device. Simply turn that off (disallow adding additional accounts) and your child will be unable to circumvent Family Link (to the best of my knowledge).

Finally, there are two additional settings I'd recommend enabling: block mature sites and force safe search. (I'll get into these more when we discuss blocking porn.)


Android also benefits from a lot of different apps that can block individual things. Many of these apps use the same techniques I discuss here, but they have one major advantage: they can be placed on the phone itself and not removed, so they work on cellular data. There are a myriad of these and I'm in no way going to talk about all of them. They all basically work the same way, so talking about one will generally cover all of them:

Circle by Disney is a physical device and a phone app at the same time. The original Circle (the physical device) used to plug into your router and used a technique called ARP spoofing to step between your kids' devices and the internet to filter traffic. The new Circle is built into some routers (mostly Netgear) and has a phone app to accompany it.

The phone app costs $10 a month or $90 a year, which is a bit expensive, but it provides almost all the features we're talking about here.

Windows OS:

Similar to Google, starting with Windows 10 Microsoft has made great strides in making Windows a more child-friendly place. Windowscentral outlines the process of setting up a child account pretty well, so I won't go through it all again. Much like Google Family Link, Windows 10 child accounts have total control over the operating system and are nearly impossible to circumvent. One of the only real ways to get around the restrictions is to log in to a different account.

Unlike Android, Windows must have an administrator account on the system. A child account cannot be an administrator account, so there has to be at least one additional account on the system. If you don't set a strong password for this account, your child could simply use it and bypass your protections. Another important thing to understand is that some of the parental controls only work when using Bing and Edge.


Chrome OS:

This one is a lesser-known operating system, but it has amazing potential, particularly for work and school-age children. Chrome OS has had a bit of a rough patch finding a foothold in the laptop market. Part of the issue is that people assume it's just the Chrome browser; however, it's much more than that. At a simple level, Chrome OS is a heavily modified Linux-based system. What people don't realize is that Chrome and Chrome OS are extensively customizable. Part of Google's strategy with Chromebooks was making them enterprise and school devices, and because of this strategy the personal side of Chromebooks has benefited greatly. Similar to Android, Chromebooks can also utilize the power of Google Family Link.


Child accounts can be added to a Chromebook and parents can continue to monitor these accounts. Once again, however, this can be defeated by logging into a different account, so make sure you disable guest mode.


The main benefit that Chromebooks have over Windows laptops (for this purpose) is price. Chromebooks are cheap; the Chromebook I'm writing this on right now cost me about $180. In comparison, a $180 Windows laptop would probably barely function; my wife's $500 Windows laptop has been sent back to Dell three times for repairs in less than a year.


Securing the Internet:

This is a complex topic and not one that's easily solved. Please be fully aware that this is by no means a comprehensive list of all the ways to protect your kids from the dangers on the internet, but I'm going to try to list the ones I use.


DNS Filtering:

I'm not going to get into exactly what DNS is or how it works; I'll just say it like this. DNS is the system that converts a name like www.gravitywall.net into an address the computer can understand. We can use DNS to keep the computer away from bad websites by feeding it a fake answer. Essentially what happens is that when someone types in www[.]adultwebsite1[.]com, instead of DNS turning that into the real address, it lies to the computer and sends it somewhere that doesn't exist. This results in the web browser never actually reaching the website.

Proper DNS security can also help protect against malware. Most malware uses DNS to resolve its malicious domains so that it can connect to its command and control servers. using a DNS filtering device can

Pi-Hole:

Pi-Hole is a fantastic piece of technology. It's a very lightweight DNS server that you can host in your house and have complete control over. You will need a computer to run this DNS server on, but it works on something as small and cheap as a Raspberry Pi Zero ($5). The install script is pretty basic, and if you have any questions the community over at r/pihole is great. There are developers there and plenty of knowledgeable folks who are willing to help.

Pi-Hole is a DNS filtering system primarily made to block ads, but we're going to use it to block porn. The Blocklist Project maintains a list of porn domains that currently has 2,154,345 entries on it. You can load this list into Pi-Hole and immediately start blocking all of those domains.

Pi-Hole can also be used to block any other website you don't like. Want to block YouTube? Easy, just add *.youtube.com into Pi-Hole.

OpenDNS Family Shield:

OpenDNS Family Shield is another DNS filtering solution. OpenDNS is managed by Cisco (a major telecommunications company). Family Shield works similarly to Pi-Hole by using DNS filtering to block porn websites, gambling, and others. You have a lot of control over OpenDNS. When you set up a Pi-Hole you will need to pick an upstream DNS server, so you can set up Pi-Hole as your local DNS filter with OpenDNS as your upstream. OpenDNS can also be used without a Pi-Hole by following the instructions here.

Unlike Pi-Hole, which relies on lists of specific domains, OpenDNS relies on categories. If you link your public IP (search for "what's my IP" and you can get it) to the OpenDNS dashboard, you can then apply specific category blocks. You can make OpenDNS as specific or as broad as you choose.

OpenDNS also benefits from a large and open community. Every day thousands of OpenDNS users discuss and vote on different domains to categorize them in the OpenDNS community. This active community results in fairly quick categorization of new domains, which can shut down attempts to circumvent parental controls by going to new domains.


Author's Note: DNS filtering is not a new concept. It's been used in major enterprises for years and to great effect; however, determined people will always find a way around the blocks. I've seen people go to extremely strange domains in search of porn. A community like the OpenDNS community makes bypassing this significantly more difficult, as thousands of people are all contributing, categorizing, and voting on domains.

NextDNS:

NextDNS.io is like a Pi-Hole in the cloud. It works almost exactly the same way, except you don't have to manage it yourself. You do, however, have to pay for it. It's pretty cheap at $2 a month. NextDNS has some advanced filters that allow you to get more granular with what you block. For instance, you could block Facebook while allowing Twitter, or you can block TikTok but allow Reddit. Compare this to OpenDNS, which only allows you to block categories. OpenDNS blocks either all social networks or none of them, but with NextDNS you can block specific social networks.

NextDNS also supports DNS over TLS (DoTLS). DoTLS is a privacy feature that keeps your ISP from seeing what domains you're connecting to, but it also enables one more advanced trick built into Android called Private DNS. Private DNS is a setting built into newer Android phones where you can provide a DoTLS domain and have all of the system's DNS queries routed over that connection to the server.

Weaknesses:

Let's talk about the weaknesses of DNS filtering. First and foremost, DNS filtering only works if you're still using the DNS server you configured. Changing DNS servers is trivial and will completely bypass the DNS filters. Your child can simply turn the Wi-Fi off on their phone and use cellular data to get past the DNS filter (my wife does it all the time when I accidentally block a website she wants, usually shopping).

The other issue with DNS filtering is that it has no ability to inspect anything past the hostname portion of the URL. Websites like Reddit, mixed content websites, host lots of content ranging from porn to safe content. DNS does not have the ability to block only the porn and not the legitimate content. You either block the entire website or none of it.

The same thing goes for image searching in Google. There is no way for DNS to filter between good results and porn results. Some DNS servers can do what's known as a DNS override, where they send Google searches to a specific safe search results page, but this requires a more advanced DNS resolver and is not one of the things we mentioned here. Fortunately, this type of functionality is built into a lot of commercial home routers nowadays.
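Here is an added example (my own Python, not Pi-Hole's or any resolver's code) of the decisions a filtering resolver makes for the domain-based blocking described above: exact blocklist entries, a *.youtube.com style wildcard, and the safe-search override done as a hostname rewrite. The upstream addresses and blocklist entries are constructed, and the forcesafesearch.google.com target is assumed from Google's published SafeSearch guidance; the last function also shows why a mixed-content site like Reddit is all-or-nothing, since DNS only ever sees the hostname, never the path.

```python
from urllib.parse import urlsplit

# Constructed sample policy; a real Pi-Hole loads millions of entries from its lists.
BLOCKLIST = {"adultwebsite1.com", "www.adultwebsite1.com"}  # exact hostnames
WILDCARDS = {"youtube.com"}                                  # youtube.com and every subdomain
# Safe-search override: answer www.google.com with the address of the forced-SafeSearch
# host instead (hostname assumed from Google's published guidance).
SAFE_SEARCH = {"www.google.com": "forcesafesearch.google.com"}
SINKHOLE = "0.0.0.0"  # unroutable answer, the same idea as Pi-Hole's NULL blocking mode

# Constructed "upstream" answers standing in for a real resolver such as OpenDNS.
UPSTREAM = {
    "www.gravitywall.net": "203.0.113.10",
    "www.adultwebsite1.com": "203.0.113.20",
    "www.youtube.com": "203.0.113.30",
    "m.youtube.com": "203.0.113.31",
    "www.google.com": "203.0.113.40",
    "forcesafesearch.google.com": "203.0.113.41",
    "www.reddit.com": "203.0.113.50",
}


def matches_wildcard(host, wildcards):
    """True if host equals a wildcard entry or is a subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in wildcards for i in range(len(labels)))


def resolve(host):
    """Return (answer, reason) for one DNS lookup after applying the filter policy."""
    host = host.lower().rstrip(".")  # DNS names are case-insensitive; drop a trailing dot
    if host in BLOCKLIST or matches_wildcard(host, WILDCARDS):
        return SINKHOLE, "blocked"
    if host in SAFE_SEARCH:
        target = SAFE_SEARCH[host]
        return UPSTREAM.get(target, SINKHOLE), "rewritten to " + target
    if host in UPSTREAM:
        return UPSTREAM[host], "allowed"
    return None, "NXDOMAIN"


def decide_url(url):
    """What the browser's DNS lookup for this URL yields. Only the hostname reaches
    DNS, so /r/safe and /r/notsafe on the same site always get the same answer."""
    return resolve(urlsplit(url).hostname or "")


if __name__ == "__main__":
    for url in ("https://www.gravitywall.net/", "https://m.youtube.com/watch",
                "https://www.google.com/search?q=cats",
                "https://www.reddit.com/r/safe", "https://www.reddit.com/r/notsafe"):
        print(url, "->", decide_url(url))
```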


VPNs can also be used to get around DNS filtering as they will route the DNS requests to the VPN DNS server instead.


Preventing the Weaknesses:

There are ways to prevent your kids from circumventing DNS filtering; they're just not easy. I'll try to break them down here.

    1. Going to cellular:

      1. This one is really difficult to deal with. I spent a long time thinking about this and came to no real answer. Perhaps the best solution is to use Family Link. Family Link has options to block mature websites and force safe search. With Family Link you can also block specific websites in the Chrome browser (only). Your kids can get around these protections by using a different browser; however, Family Link gives you the ability to deny or block specific apps, so you can block the use of other web browsers.

      2. Another option to deal with going cellular is to force all DNS traffic back to your DNS servers. One way to do this is with a VPN. PiVPN is a one-line install similar to Pi-Hole and works alongside it. If it is installed on the same device as Pi-Hole, PiVPN will detect that and configure itself to use Pi-Hole. Using a VPN will force the device to use your parental control devices. The problem with PiVPN is that your kids can simply turn it off and there's no real way to force it back on.

      3. You could also set the Private DNS setting in the Android settings, but much like PiVPN, a tech-savvy child could figure out how to turn this off.

      4. Tools like Disney Circle work while on Cellular as well but they have a yearly fee associated with them. Disney Circle will still apply filters even when the phone is on cellular.

    2. Changing the DNS settings:

      1. DNS is an old protocol, and like most old protocols it was built on the concept of convenience instead of security. DNS servers are specified by the DHCP server, but clients are free to ignore that and use something else. That was a lot of technical mumbo jumbo to say that your kids can change their DNS settings on their own, which will let them bypass filters like Pi-Hole, OpenDNS, or NextDNS. The simplest way to prevent this weakness is to not give your kids admin rights on your systems. Changing DNS settings requires admin rights.

    3. Using a VPN:

      1. I'm not going to spend a lot of time talking about VPNs, but I do feel the need to clarify, since I tell you to use a VPN and I also say VPNs are bad. There are two types of VPNs discussed in this article: personal VPNs and commercial VPNs. A commercial VPN is something sold to anonymize internet usage; some common examples are Private Internet Access and ExpressVPN (not Nord. Don't use Nord). Commercial VPNs can cause you problems here because they will hide what your child is doing and therefore will prevent your parental filters from acting on it.

      2. The easiest way to prevent a VPN from being installed is again to not give admin rights.

      3. If your child gets a VPN installed, another option you have is to block proxies and anonymizers. In OpenDNS this is a simple toggle box; in Pi-Hole you would need to find a list for it. These blocks work by preventing the VPN from resolving the domain name for the VPN logins. If the VPN can't reach the login server and can't connect, then it won't authenticate.


DNS is one of the first and most efficient steps to securing your network and protecting your children online; however, it does have some weaknesses.

Router Settings:

Downtime:

This has a different name depending on your router, but regardless of the name it basically all works the same. At a certain time the router stops allowing certain devices to reach the internet. Setting this up is pretty simple: log in to your router and search for a parental control setting. From there you can set the downtime for your kids' devices.

Logging into your router differs from device to device. For most devices your router is probably located at http://192.168.1.1 or http://10.0.0.1; however, some routers like Google Wi-Fi have no admin page and instead use an app for all management. Please consult your router's manual for how to access your router settings.

Weaknesses:

Router downtime has become so common that r/teenagers has released guides on how to defeat it. The short version is that every network device has a unique identifier called a MAC address. This MAC address is how the router differentiates between a phone and a computer. Every device that connects to a network has a MAC address, and this is what the router looks for when it decides to stop routing traffic for a certain device at downtime. What the teenagers discovered and shared is that by changing your MAC address you can bypass the parental controls.

Preventing the Weakness:

  1. Same as above, perhaps the best way to prevent this is to not grant admin privileges on computers in the house. Android is a bit different, as it has now started using a "randomized" MAC address which can be toggled; however, I've noticed that Android will only generate one randomized MAC address per network, so you can block both the real and the randomized MAC.

  2. Another way to prevent your child from spoofing their MAC address to bypass filters is to use MAC whitelisting. MAC address whitelisting has been around for a long time, but it's been mainly focused on keeping hackers off your network. This technique fell out of favor a while ago because it was not as effective as hoped (I still use it), but it is finding new favor in parental controls. Different routers do MAC whitelisting differently; some will outright prevent a device from connecting and others will allow a device to connect but will block it from internet access. Either way it achieves the same effect: unknown and unapproved devices are cut off from the internet. If your child switches their MAC address to something new, MAC address whitelisting will prevent them from bypassing the filter.

  3. If you don't have the ability to set a whitelist, then there are tools you can use to monitor your network for new devices.

    1. Circle by Disney has two features for this. First, the physical device can alert you when a new device joins the network. Second, the physical device also uses a concept of privilege. You set a default level of privilege for devices not in a group; any new device gets placed into this default privilege group and is restricted based on that level's privileges. In short, this means that if you set the default group to be extremely restrictive, then if your child creates a new MAC address they will still land in the default group with very few privileges.

    2. If you have set up Pi-Hole then you can also set up Pi.Alert which acts similarly to Circle by Disney. Pi.Alert monitors your home network using the Pi-Hole and notifies you of new devices that join your network. Pi.Alert does not stop new devices, it only alerts you of new devices.

    3. A lot of newer routers include device alerts. Google Wi-Fi and NetGear Orbi both have the ability to alert you when a new device joins.

    4. Finally, I want to mention another Internet of Things (IoT) device that I use. It's a little device called a FingBox. The FingBox is a small circular device that you plug into your router, and it monitors your network. I have mixed feelings on the FingBox, which I documented in detail in a previous blog post. I've changed my opinion slightly over the last few years and am now willing to recommend about half of what FingBox offers. For this case it's an easy recommendation. The FingBox will alert you when a new unknown device joins the network, but the FingBox also has the added benefit of automatically blocking all new devices until you manually approve them. FingBox works on networks where the router doesn't support MAC address whitelisting. I personally use FingBox for this purpose, as it's simple to block and then whitelist new devices.
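As an added example of the new-device alerting that Pi.Alert, Circle, or FingBox perform (my own Python, not any of those products' code), the script below reads a dnsmasq lease file in the format Pi-Hole's DHCP server writes, compares each device's MAC to a parent-approved list, and flags unapproved devices, separately calling out MACs with the locally administered bit set, which is what Android's randomized (or a spoofed) address normally looks like. The lease lines and the approved MACs are constructed for the example.

```python
import re

# Constructed sample of a dnsmasq lease file (the format Pi-Hole's DHCP server writes):
# "<expiry epoch> <mac> <ip> <hostname or *> <client-id>"
SAMPLE_LEASES = """\
1700000100 00:1a:2b:3c:4d:5e 192.168.1.20 kids-chromebook 01:00:1a:2b:3c:4d:5e
1700000200 00:1a:2b:3c:4d:5f 192.168.1.21 kids-phone 01:00:1a:2b:3c:4d:5f
1700000300 d2:5f:11:22:33:44 192.168.1.22 kids-phone 01:d2:5f:11:22:33:44
1700000400 3c:22:fb:aa:bb:cc 192.168.1.23 * 01:3c:22:fb:aa:bb:cc
"""

# Constructed whitelist of MACs the parent has approved (hypothetical values).
APPROVED = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_leases(text):
    """Return one dict per lease line: mac, ip, hostname ('' when dnsmasq shows '*')."""
    devices = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        mac, ip, hostname = fields[1].lower(), fields[2], fields[3]
        if not MAC_RE.match(mac):
            continue
        devices.append({"mac": mac, "ip": ip, "hostname": "" if hostname == "*" else hostname})
    return devices


def is_locally_administered(mac):
    """Bit 1 of the first octet marks a locally administered (software-chosen) address.
    Android's randomized MACs set it; addresses burned in at the factory normally don't."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def audit(leases_text, approved):
    """List (mac, ip, hostname, kind) for every lease whose MAC is not approved."""
    findings = []
    for dev in parse_leases(leases_text):
        if dev["mac"] in approved:
            continue
        kind = "randomized/spoofed MAC" if is_locally_administered(dev["mac"]) else "unknown device"
        findings.append((dev["mac"], dev["ip"], dev["hostname"], kind))
    return findings


if __name__ == "__main__":
    # On a Pi-Hole you would read its lease file (normally /etc/pihole/dhcp.leases)
    # instead of the constructed sample text.
    for mac, ip, name, kind in audit(SAMPLE_LEASES, APPROVED):
        print(f"ALERT {kind}: {mac} {ip} {name or '(no hostname)'}")
```

Note how the third lease reuses the approved phone's hostname but with a locally administered MAC, which is exactly the Android randomization case described above.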

Admin Accounts:

I've mentioned a few times that one of the best options for securing your systems against kids is to not give them admin accounts on the system. This is an important step, as only a system admin can change a lot of the settings we put in place for defense; however, like everything else, there is a weakness here too.

Weaknesses:

This weakness is commonly referred to as a SAM file overwrite, and it will give your child admin access to the system. This technique is used by a lot of tools, including some popular ones like KONBOOT. The short version of this technique is that Windows stores user passwords in a file known as the SAM. Your child can use a bootable Linux USB to load a Linux operating system; from there they can access the hard drive and find the SAM file. They can then write over the SAM file with a new password for the admin account, or they can make their own account an admin.

Another weakness they can exploit, which is very similar, is to simply load a Linux operating system from the USB and not use the Windows OS at all. If they use a Linux USB, then any protections you have set in DNS, on the router, or on the OS itself can be avoided.

Preventing the Weakness:

  1. The first issue with the SAM file is relatively easy to deal with. The main technique to deal with it is to enable encryption on the hard drive. If you have Windows 10 Pro, then BitLocker is available by default. BitLocker is Microsoft's encryption standard and is actually really good. Aside from protecting your information if someone steals your computer, encryption also prevents someone from using a Linux OS to access the SAM file.

  2. The second issue is significantly more challenging to deal with, as it requires a few things. The easiest way to deal with this is with a TPM chip. TPM chips are built into the motherboard of the computer, and they make the computer check the bootable device before booting it. If the device is not signed by Microsoft, then it won't boot. Since Linux operating systems aren't signed by Microsoft, they won't load. This is called "Secure Boot".

  3. Secure Boot can be disabled though, so if your child does that then you'll need to set a BIOS password. BIOS passwords will prevent the computer from booting at all without the password. If the computer can't boot, then it can't read the USB and load the Linux OS. On a laptop it is possible to remove a BIOS password by removing the CMOS battery and then reattaching it. At this point, however, if your child is taking apart a laptop and removing parts of it to bypass a parental filter, then there's nothing more that software can do. At that point your best option is probably to only allow the use of the laptop in a common area and then put it away when school is over.

Closing:

Parental controls on child electronics are a constant game of cat and mouse. Parental authority matters, but it only matters as much as you can back it up. Hopefully this guide to various parental control methods, and ways to counter your child's attempts to counter them, will be helpful.