Sunday, February 21, 2010

Dumb and Dumber: School district spying, assisted burglary

This post was supposed to contain further details of the CAFE cycle that I outlined in my previous post but no, two dumb things cropped up this past week on which I feel obliged to comment.

First, we have the school district in Pennsylvania that gave all its high school students laptops with built in cameras that could be remotely activated by teachers to take pictures of the students without the students' knowledge. Sounds like a really dumb idea? Yes, it was a really dumb idea, particularly in light of the high statistical probability that at least one of those teachers is a paedophile (no, I'm not accusing anyone of paedophilia, but statistically I'm right--it was true in my high school and it is/was probably true in yours).

So yes, a dumb idea, and what makes it particularly shocking is that this school district is not in some backwater town. The Lower Merion School District is one of the most affluent in the country, located in an upscale suburb of Philadelphia (after all, it was rich enough to out 2,300 Apple laptops with built in cameras).

This monumentally dumb idea came to light when a student was upbraided by a teacher for inappropriate behavior. The evidence? A snapshot taken remotely by one of those laptops with a built in camera that could be remotely activated by teachers to take pictures of the student without his or her knowledge. Talk about the the beam in thine eye versus the mote in mine.  Here's more of what has been reported:
The Assistant Principal of Harriton High School reprimanded 15-year-old student Blake Robbins for "improper behavior in his home," according to the lawsuit. Matsko cited as evidence a photograph from the webcam on the boy's school-issued laptop. Harriton High School student Blake Robbins, claims that an assistant principal reprimanded the 15-year-old for "improper behavior in his home" that was captured by the embedded camera on Robbins' school-issued Apple MacBook. Robbins told reporters that the improper behavior he was cited for was eating Mike & Ike candies, which he said the school mistook for illegal pills.
Just how inappropriate was the assistant prinicipal's action? Well, the logic behind the remote picture taking was to aid in the recovery of a stolen laptop. In other words, it was a "security feature." There has been no claim that Robbins' laptop was stolen, but more importantly, one of the basics that any decent class in computer security teaches you is that all security features can be abused.

The example I normally use in my classes is a company deploying data encryption and a disgruntled employee encrypting company data, then demanding a ransom to decrypt it. That is why security features must deployed very carefully, with controls to prevent abuse, like a master key to the encryption scheme that prevents data ransoming.

In the case of Lower Merion School District the abuse was to invade the student's privacy and the point of failure was a lack of sufficient controls to prevent such abuse (i.e. a strong permissioning process for the use of the remote viewing capability, e.g. requiring two teachers and the principal signing off on the activation after a documented evidence of theft).

Part of the stupidity in Lower Merion School District was the commission of this particular act of privacy invasion within this particular demographic. This is a place where many parents are well-educated, tech-savvy, and probably more inclined to outrage than most. When you read the complaint filed by parents of the student you will know what I mean. Given the international attention this case has received, not to mention FBI involvement, I would say it is destined for the textbooks. It sure looks like omitting this security feature and taking the risk of losing a few laptops would have been a much better decision.

So, there was one more stupid thing I wanted to mention, a web site created to show how stupid people can be. Yes, that's right. Some people in the Netherlands created a web site called PleaseRobMe that shows how you could target a home for low-risk burglary by monitoring social media sites where people mention their comings and goings. Talk about a pointless exercise, the only point apparently being media attention for the people who created the site (and yes, the media loved this story, playing it on the evening news along these lines: "Be scared oh you sheep, burglars can now use Facebook and Twitter to rob you!"

Well, let's see how that might work. I'm going out of town to a trade show tomorrow. I will be gone for several days. This is well known to my friends and family and colleagues. It can also be deduced from any number of web sites about the show, the company, or me. But you'd have to be an exceptionally stupid burglar to try robbing my place next week. Apart from the dog and the attack cats that will be in residence, there will be one heavily-armed lady at home who is an excellent shot. Do you feel lucky?

I will pick up the CAFE cycle next post.

Saturday, February 06, 2010

Do They Ride the Same Cycle? Criminal hacking, terrorists, and other security threats

I have written this post/article/paper because I see a pattern of human behavior, the understanding of which may have some potential to improve the security of data and data subjects in the virtual world, as well as the security of persons and property in the real world. Because my thoughts about this pattern came together while I was in my favorite coffee shop, I coined the term “CAFE cycle” to describe a cycle of behavior that goes like this:
I will describe the cycle in generic terms then present two examples. Generically, a person becomes motivated by a Cause and takes Action to achieve the goal of that cause. Frustrated by failure to achieve the goal through legal means, the person takes illegal action, exposing him or her to three potentially problematic experiences: illicit thrills, illegal gains, and group membership. Continued failure to achieve the goal leads the person to pursue extreme forms of these experiences until they become an end in their own right, an Extremism that supplants the original Cause for Action, essentially rendering it irrelevant.

For a basic example consider an adolescent male who wants to learn, through direct experience, the workings of large computer networks. He exhausts the limited avenues of legal access to a large network and so he makes repeated attempts to gain unauthorized access, breaking the law as he does so.

Thursday, February 04, 2010

2 Security Tips: David Kennedy and the Symantec Threat Forecast 2010 Webinar Recording

Just a quick post to point to the archived version of the Symantec MessageLabs Threat Forecast 2010 Webinar/webcast that I mentioned in my previous post: A Good Way to Start the Year. Definitely worth watching.

Also worth watching as we make our way forward into a fresh decade of information system security challenges, are the updates from David Kennedy. You can catch them on FriendFeed and for me they are just the right mix of security alert. Not too granular, but most likely to include the stuff you don't want to miss. David's been at this a long time and become wise in the ways of the security world (for a short time in the mid-nineties we were co-workers at NCSA, later ISCA Labs and TruSecure). You can also catch David's blog at Verizon Business.