To that extent can't kids just pop in a live USB and get a totally ephemeral and open OS?
I'd push the implementation to the router and force root certs on devices and have all clients run through your proxy or drop the packets. That way even live USBs will not get network access. Have some separate, hugely locked down network for kids' friends.
Maybe put a separate honeypot network up with some IoT devices on it with Wi-Fi and a weak password, and let the kids have some freedom once they figure out how to deauth and grab the bash upon reconnections.
Idk. I'm some years away from this problem myself, but someone recommended this in another thread recently.
> To that extent can't kids just pop in a live USB and get a totally ephemeral and open OS?
That's a lot more difficult if you leave Secure Boot enabled on the computer. Plus, most devices, especially newer ones, allow you to pin your own certificates and sometimes even disable the OEM certs.
That, in addition to locking the BIOS with a password (and if the device does not have known OEM override passwords like on bios-pw.org), should be more than enough to keep a kid out.
https://wiki.squid-cache.org/Features/SslBump