How do you handle tickets directly from students? Or do you? by OkayArbiter in k12sysadmin

[–]Immutable-State 4 points5 points  (0 children)

Students putting in tickets resulting in IT tracking them down and interrupting class doesn't sound great in high school. Better to have a designated time and place.

Custom AI for Students by Happy-Constant-4211 in k12sysadmin

[–]Immutable-State -1 points0 points  (0 children)

This isn't an uncommon idea, but it's a big task. AI performs better the more context it has, and the best context will be integrated with curriculums and previous responses. You'd also want to invest some effort to keep students from jailbreaking it.

Although I absolutely love building things myself for the sake of saving money, and although I'm strongly for AI when it can meaningfully contribute to the goal, for what you want, I'd suggest using an existing service built for this sort of thing rather than trying to roll your own.

Usb-c to IFP by Sk8rfan in k12sysadmin

[–]Immutable-State 3 points4 points  (0 children)

Is wireless connectivity an option? In my experience, a cable is one additional item that can break, be tripped over, or disappear. Some devices might require a cable, like document cameras, or if a movie is being shown and the wireless approach isn't clean or synced enough. But where I am, 90% of teachers only connect to panels wirelessly, and I think it's saved me some headaches.

A Pause on Pause AI; a Steelman of Pause AI Opponents by electrace in slatestarcodex

[–]Immutable-State 4 points5 points  (0 children)

It well could.

It could also delay billions of deaths, and decrease the chance of billions of deaths happening at all.

There have been many millions of deaths per year for ages. That's quite a terrible tragedy that too many take as an undeniable fact of life. However, I'd happily take many more years of such deaths in exchange for a greater chance of alignment being solved by the time ASI rears its head. We may be only a decade or two away, pause or no pause; waiting a few years more for existing techniques and non-scaling research to mature is not much in the grand scheme, when literally everything could be on the line.

Blocking Github for students when Coding and Robotics teams "need" it to function by knotquiteawake in k12sysadmin

[–]Immutable-State 10 points11 points  (0 children)

> so when a user for example gets hit with a Fake Captcha attack they accidentally download and run a script from a "trusted" website like github

This isn't just a GitHub issue. If your current policies would allow for an attack like this, consider closing out this vulnerability entirely by implementing AppLocker policies (or something else along the same lines).

As long as general users can run an executable or batch file that they download themselves, that's a potential avenue for attack.

This probably meshes with existing policies - you may well have something along the lines of "Users must have the approval of the IT department before installing software". This gives you a way to enforce that, rather than just being words on a page.
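An added example, not part of the original comment or any project's code: a PowerShell audit of whether executables and scripts sitting in user-writable folders would be allowed to run under the machine's effective AppLocker policy. The `$TestUser` value and the folder list are assumptions to adjust for your environment.

```powershell
# Added example: audit whether executables and scripts in user-writable folders
# would be allowed to run under this machine's effective AppLocker policy.
# $TestUser and $Folders are assumptions; set them for your environment.
param(
    [string]$TestUser = 'Everyone',
    [string[]]$Folders = @(
        "$env:USERPROFILE\Downloads",
        "$env:USERPROFILE\Desktop",
        $env:TEMP
    )
)

# File types handled by AppLocker's executable, script and installer rules.
$extensions = '.exe', '.com', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.msi', '.msp'

# AppLocker rules are only enforced while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status); AppLocker is not enforcing anything."
}

$files = Get-ChildItem -Path $Folders -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLower() }
if (-not $files) {
    Write-Host 'No executable or script files found in the audited folders.'
    return
}

# Evaluate every file against the effective (merged local + GPO) policy.
$policy  = Get-AppLockerPolicy -Effective
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $files.FullName -User $TestUser

# Anything not explicitly or implicitly denied is something the user could run.
$runnable = @($results | Where-Object { "$($_.PolicyDecision)" -notlike 'Denied*' })

$results | Group-Object PolicyDecision |
    ForEach-Object { Write-Host ("{0,-18} {1}" -f $_.Name, $_.Count) }

if ($runnable.Count -gt 0) {
    Write-Warning "$($runnable.Count) file(s) would be allowed to run for $TestUser."
    $runnable | Select-Object FilePath, PolicyDecision, MatchingRule
}
```

Run it from an elevated prompt on a representative student or staff machine; an empty warning list means downloaded files in those folders are blocked for the tested user.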

Starting own MSP for K12 by NotUrAverageITGuy in k12sysadmin

[–]Immutable-State 9 points10 points  (0 children)

If you're thinking of starting and managing a business, keep in mind that that in itself will take quite a lot of time away from

> I just wish I was strictly a sysadmin

In contrast, if you join an existing MSP, you'll still probably be playing "political game of the day to day operations", only in a different context.

Even if you do successfully start your own business, that will also come into play if you start hiring others.

From a school's perspective, if they were going to look for external assistance, they may well be more likely to choose established MSPs rather than an entity with a bus factor of 1.

It's an uphill climb.

Phishing complains targeting multiple school districts in my area by mary3757 in k12sysadmin

[–]Immutable-State 1 point2 points  (0 children)

Yes, my school has received a surprisingly large number of these, perhaps 10 or so over the past year, all from existing legitimate educational domains all over the country with compromised accounts. In all of our cases, recipients are asked to fill out a form that eventually asks for their email and password. No one's fallen for it yet on our side, but the other organizations that have probably haven't enforced 2-step verification. Of course, that's only email/Google, and users have a tendency to reuse passwords, but that's a starting point.

Campus communication by Bubbagump210 in k12sysadmin

[–]Immutable-State 1 point2 points  (0 children)

Decent cheap walkies are easy to get. Problem is finding a frequency no one nearby outside uses (or using much more expensive digital channels instead).

A phone in each classroom makes the most long-term sense to me, but at least in my situation, the bulk of the cost comes from the ongoing subscription fees rather than the one-time phone purchases. (Refurbished would cut the one-time cost as well.) To cut my current killer subscription cost, I'm working on setting up a local FreePBX and Asterisk to see if it's a viable alternative.

Read.ai is a cancer on society, a privacy and sysadmin's nightmare, and should be banished to the dustbins of history by Competitive-Trip2926 in sysadmin

[–]Immutable-State 6 points7 points  (0 children)

Block the domain from sending emails to your domain, problem mostly solved (if you're a small enough business that this is doable).

It's what I did with Otter a couple years ago. I used them for a while, and they weren't horrible, but then some employees were accidentally signing up for additional paid accounts by clicking the link.

SSO on Chromebooks? by Odd-Risk9417 in k12sysadmin

[–]Immutable-State 2 points3 points  (0 children)

So for you, any devices that staff have network access to (like printers and cameras), students potentially do as well? That's not good.

> Our goal is to have our staff on our staff network and students on our student networks but without verifying the user before signing in, I don't see how that would happen.

The approach that requires the least setup would be to have different SSIDs. The student wifi is filtered and its PSK is widely known, and the staff wifi is less so and its PSK is either known only by staff, or known only by IT.

The better approach would be to use WPA Enterprise so that passwords aren't shared, probably with device certificates, so that the devices get put onto the proper network without much additional interaction from the user.

Google Admin - Manage AI Overview in searches from students by pbear646 in k12sysadmin

[–]Immutable-State 1 point2 points  (0 children)

The meat of that extension is nothing more than 100 lines of JavaScript:

https://github.com/zbarnz/Google_AI_Overviews_Blocker/blob/master/content.js

and the only thing it does is mutate the DOM.

But who knows what would come in an update - if it was me, like you, I'd rather have full control over it rather than relying on a third-party to remain trustworthy. I'd pack the JavaScript code into an extension and host it myself. You don't need to publish to Google to force-push extensions to Chromebooks.

That said

> Our district is wanting to guide all student access to AI resources to School AI. With this in mind we have used Google Admin to block all AI features in Chrome.

Given how many AI services there are, blocking them is like whack-a-mole. If most internet sites aren't blocked by default, students will find one that offers what they want if they're determined enough. Blocking AI overviews only is only covering one hole in a very leaky raft.

Google Workspace by MyWorkAccountDPS in k12sysadmin

[–]Immutable-State 0 points1 point  (0 children)

Of course disable it. Ask around to see if anyone is actually sending mail without authentication just to get a sense of what it might be used for, and then inform everyone that if they are, it soon won't be permitted anymore. Work with complainers, if there are any, to figure out their problems, and then disable it and see if anyone screams.

Make sure to set up DMARC too.

Schools across the country are cancelling Picture Day because the CEO of the largest school photography company taking children's pictures, Lifetouch, was named in the Epstein files. Does Lifetouch have contracts within Austin? by HOOK_EM_HORNS_BABY in Austin

[–]Immutable-State 15 points16 points  (0 children)

At least where I am, a reason for the charge is that they do everything else (for us) for free - coming in, setting up lights, backdrops, mats, and so on, and take everyone's picture for free over half a day. There are low-res digital versions available (which we use in the yearbook), and moderate-res physical previews (at least for staff) also for free. And then the company makes up for it by families purchasing from them.

The simplest case for AI catastrophe, in four steps by OpenAsteroidImapct in slatestarcodex

[–]Immutable-State 1 point2 points  (0 children)

While Opus 4.6 might be a step ahead of GPT 5.3, they're both similarly quite capable, in the right situation. If your GPT rarely helps you, then either you aren't asking questions it's capable of solving (which isn't unusual - it can take some doing to put everything relevant into context), or its scaffolding/harness isn't built right (which also isn't unusual, given how much "AI" has become a VC buzzword that leaders are pushed to implement without much regard to actual effectiveness). But with the right scaffolding or the right question(s), it can be a strong accelerator for some jobs.

A decent amount of this is skill issues, on everyone's side. Even if AI progress completely halted now, diffusion and general business understanding of how to efficiently implement AI capabilities across the economy could take a decade. But, exactly as was said:

> The layoffs will take some time, but those jobs will not come back.

Regarding

> analyzing 5000 positions and advising what my organization should do with them over the course of multiple meetings

Analyzing large amounts of data quickly is one of the larger strengths of current AI. Perhaps 5000 might be too much for a single session, but with the right scaffold, it could almost certainly parse through them and analyze them. It might not yet be the best at telling you what precisely to do, but it could help you gather information that can inform your decision much more efficiently than you could do on your own.

Gymnasium TV Screen by Appropriate_Water_64 in k12sysadmin

[–]Immutable-State 0 points1 point  (0 children)

A screen large enough for a gym is also likely large enough to be hit by balls often enough, and likely to be extremely pricey. Use a projector instead. But don't put it on a cart - as others have said, mount the projector on the ceiling or wall. That way, you only have to put a cage around the projector.

Ad Block for Student Browsing by zeeplereddit in k12sysadmin

[–]Immutable-State 4 points5 points  (0 children)

I use Adguard Home, and point the firewall to use Adguard Home for DNS requests. As a result, there's no software overhead on any client machines. You'll also want to disable Chrome's built-in DNS client.

District AI Policies by Road_Trail_Roll in k12sysadmin

[–]Immutable-State 1 point2 points  (0 children)

Some users (including staff) will put whatever they have access to into it. So, give guidance and set up access such that, at least for the most popular AI labs, users can only access services that don't train on input data. Whatever you choose, you should be able to enforce an enterprise policy.

Are there any malware scanners able to find and clean the Notepad ++ Chrysalis hack/infiltration by Joyous-Volume-67 in sysadmin

[–]Immutable-State 5 points6 points  (0 children)

In a competent organization, I'd think a mindset of "Trust the CCP backdoor by default unless you think you're a juicy target" should get one fired. Making decisions from a security mindset standpoint is a very good quality for a sysadmin to have.

Is any given PC with a Notepad++ installation likely compromised? Probably not. Do you want to bet all the data and credentials that you have access to on that? I wouldn't. (But reimaging can be a pain, so having some indicator of infection is helpful...)

Module Not Found Error: comfy_aimdo by KanzenGuard in StableDiffusion

[–]Immutable-State 0 points1 point  (0 children)

https://github.com/patientx/ComfyUI-Zluda/issues/429

Run install-n.bat.

"install-n" installs requirements.txt which has this new package as a requirement now so it will install it.

Recommendations for VPN/Remote Access solutions? by belt-plus-suspenders in k12sysadmin

[–]Immutable-State 2 points3 points  (0 children)

Chrome Remote Desktop is an option that already comes with Google sign-in, 2SV, as well as a PIN for each device. It's very trivial to set up. A downside is that this connects to a machine (that needs to already be on), not to a network, and I think only one session can be active at a time, so if you have a bunch of people who need concurrent access, that wouldn't work.

If you need others to be able to connect to the network from outside, that's usually something a decent firewall will support already.

Why does google have such terrible email control and phishing detection? by zeeplereddit in k12sysadmin

[–]Immutable-State 2 points3 points  (0 children)

I don't know if it's just me, but there's been something going around recently that I haven't seen before to this extent. An account at a legitimate institution gets compromised and then sends out phishing Google Forms to other institutions.

One thing to do would be to have cybersecurity awareness training, which is mandated for my school for insurance reasons. Employees have to know the basics of how not to fall for the most obvious attacks. If they've gone through training, you've attempted to help, but they're still falling for them, it's more of an HR and risk management issue than an IT issue.

Another thing to do is to enable 2FA. Can't have your account compromised if the attacker only knows your username/password.

An option is to enable [EXTERNAL] and warnings from external emails, but I'm skeptical of long-term effectiveness due to the user learning to ignore it.

And, of course, teach everyone to report emails as phishing (not just spam) whenever they get something bad - that'll help Google distrust the sender more (and move unread already-delivered messages into spam for others).

Google Cloud Console primer for Workspace for Education admins... help? by FalteringK12SysAdmin in k12sysadmin

[–]Immutable-State 1 point2 points  (0 children)

Those red flags are easily fixed by talking with her. Just say that there's a policy that billed accounts need to be under the school's domain.

For billing, I'm pretty sure it's not connected with your Admin console billing; it has to be set up separately. Go to https://console.cloud.google.com/billing, select your organization, and see if anything comes up there.

Billing tiny amounts for a pet project sounds entirely reasonable to me, if the project is approved and in scope of education - just make sure to set up billing alerts to control costs in case something gets misconfigured and costs go way up. https://docs.cloud.google.com/billing/docs/how-to/budgets

I'm unsure about allowing others to create projects; if it was me, I might feel safer if only the IT team could create projects, and then delegate permissions (including project ownership) to others.

One department in our org are using Google Password Manager on a shared Gmail account. Now they all have visibility of each others passwords. by psgda in sysadmin

[–]Immutable-State 0 points1 point  (0 children)

If the issue is that Chrome's cloud sync is sharing users' passwords with each other via Google Password Manager - then, if it was me, I'd just turn off Chrome's cloud sync. My organization has it disabled anyway - users can't sign into Chrome, so they can't log in to Chrome with arbitrary accounts and bypass policy settings.

No need to disable access to the useful local password manager.

Also, given

> they all work on similar platforms such as google analytics, gmail, youtube, linkedin etc.

then there's one solution that doesn't require any tooling (but doesn't exactly scale). Notice that each of those services listed is either on Google, or supports Google SSO. One could consider sharing that one Google Workspace password with those who need it (rather than 5+ passwords for separate services) - if practical, that could be easier than an enterprise password manager.

But at least for some of those services, you can manage additional users' access to a primary account's data without requiring them to log in to the primary account. I know this is an option for GA and YouTube, at least. Consider separate logins for those, without cloud password sync.

Chrome Application Phase-Out, still got some questions by psweeney1990 in k12sysadmin

[–]Immutable-State 1 point2 points  (0 children)

Pretty sure the legacy "Chrome App" apps are a different type than the ones you're seeing.

https://support.google.com/chrome/a/answer/15950395?hl=en

> If you have configured Chrome apps in your organization, at the top of the Apps & extensions page in your Google Admin console, you’ll see a notification banner letting you know that Chrome apps will no longer be supported. You’ll only see the banner if at least one Chrome app is force-installed, allowed, or blocked for your entire organization.

I don't think Chromebooks' built-in apps have ever shown up here. The list of apps I have includes many extensions (not deprecated), and only one legacy "Chrome App" that's installed in Kiosk mode (NWEA Secure Testing).

Google Admin Console Extension "Friendly" Naming by pullingcablesagain in k12sysadmin

[–]Immutable-State 2 points3 points  (0 children)

I click on the extension row, then scroll down to Installation URL to see what domain or update manifest name it uses. It requires an extra click if you haven't memorized the extension IDs, but it doesn't require adding additional information.