Sunday, February 21, 2010

Dumb and Dumber: School district spying, assisted burglary

This post was supposed to contain further details of the CAFE cycle that I outlined in my previous post but no, two dumb things cropped up this past week on which I feel obliged to comment.

First, we have the school district in Pennsylvania that gave all its high school students laptops with built in cameras that could be remotely activated by teachers to take pictures of the students without the students' knowledge. Sounds like a really dumb idea? Yes, it was a really dumb idea, particularly in light of the high statistical probability that at least one of those teachers is a paedophile (no, I'm not accusing anyone of paedophilia, but statistically I'm right--it was true in my high school and it is/was probably true in yours).

So yes, a dumb idea, and what makes it particularly shocking is that this school district is not in some backwater town. The Lower Merion School District is one of the most affluent in the country, located in an upscale suburb of Philadelphia (after all, it was rich enough to hand out 2,300 Apple laptops with built-in cameras).

This monumentally dumb idea came to light when a student was upbraided by a teacher for inappropriate behavior. The evidence? A snapshot taken remotely by one of those laptops with a built-in camera that could be remotely activated by teachers to take pictures of the student without his or her knowledge. Talk about the beam in thine eye versus the mote in mine. Here's more of what has been reported:

The Assistant Principal of Harriton High School reprimanded 15-year-old student Blake Robbins for "improper behavior in his home," according to the lawsuit. Matsko cited as evidence a photograph from the webcam on the boy's school-issued laptop. Harriton High School student Blake Robbins claims that an assistant principal reprimanded the 15-year-old for "improper behavior in his home" that was captured by the embedded camera on Robbins' school-issued Apple MacBook. Robbins told reporters that the improper behavior he was cited for was eating Mike & Ike candies, which he said the school mistook for illegal pills.

Just how inappropriate was the assistant principal's action? Well, the logic behind the remote picture taking was to aid in the recovery of a stolen laptop. In other words, it was a "security feature." There has been no claim that Robbins' laptop was stolen, but more importantly, one of the basics that any decent class in computer security teaches you is that all security features can be abused.

The example I normally use in my classes is a company deploying data encryption and a disgruntled employee encrypting company data, then demanding a ransom to decrypt it. That is why security features must be deployed very carefully, with controls to prevent abuse, like a master key to the encryption scheme that prevents data ransoming.

In the case of Lower Merion School District the abuse was to invade the student's privacy, and the point of failure was a lack of sufficient controls to prevent such abuse (i.e. a strong permissioning process for the use of the remote viewing capability, e.g. requiring two teachers and the principal to sign off on the activation after documented evidence of theft).
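
The sign-off control suggested above can be enforced in software rather than left to policy. The sketch below is an added example, not code from the school district or any product it used; the class and function names, the rule that the requester cannot approve their own request, and the sample identifiers are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Sign-offs the post suggests: two teachers and the principal.
REQUIRED_SIGNOFFS = {"teacher": 2, "principal": 1}

@dataclass
class ActivationRequest:
    device_id: str
    requester: str
    theft_report_id: str                            # documented evidence of theft
    approvals: dict = field(default_factory=dict)   # approver name -> role
    audit_log: list = field(default_factory=list)   # every decision is recorded

    def approve(self, approver: str, role: str) -> bool:
        """Record one sign-off; reject unknown roles, self-approval, repeats."""
        if role not in REQUIRED_SIGNOFFS:
            reason = f"role {role!r} may not approve"
        elif approver == self.requester:   # assumed separation-of-duties rule
            reason = "requester cannot approve own request"
        elif approver in self.approvals:
            reason = "duplicate sign-off"
        else:
            self.approvals[approver] = role
            self.audit_log.append(f"APPROVED by {approver} ({role})")
            return True
        self.audit_log.append(f"REJECTED sign-off by {approver}: {reason}")
        return False

    def missing(self) -> list:
        """List the conditions still unmet; empty means activation is allowed."""
        gaps = []
        if not self.theft_report_id.strip():
            gaps.append("no documented theft report")
        have = Counter(self.approvals.values())
        for role, needed in REQUIRED_SIGNOFFS.items():
            if have[role] < needed:
                gaps.append(f"need {needed - have[role]} more {role} sign-off(s)")
        return gaps

def activate_camera(req: ActivationRequest) -> bool:
    """Gate in front of the remote camera: fail closed and log the attempt."""
    gaps = req.missing()
    verdict = "ALLOWED" if not gaps else "DENIED (" + "; ".join(gaps) + ")"
    req.audit_log.append(f"activation of {req.device_id} {verdict}")
    return not gaps
```

Denied attempts land in the audit log alongside approved ones, so an unauthorized try to switch on a camera leaves a record that someone other than the requester can review.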

Part of the stupidity in Lower Merion School District was the commission of this particular act of privacy invasion within this particular demographic. This is a place where many parents are well-educated, tech-savvy, and probably more inclined to outrage than most. When you read the complaint filed by parents of the student you will know what I mean. Given the international attention this case has received, not to mention FBI involvement, I would say it is destined for the textbooks. It sure looks like omitting this security feature and taking the risk of losing a few laptops would have been a much better decision.

So, there was one more stupid thing I wanted to mention, a web site created to show how stupid people can be. Yes, that's right. Some people in the Netherlands created a web site called PleaseRobMe that shows how you could target a home for low-risk burglary by monitoring social media sites where people mention their comings and goings. Talk about a pointless exercise, the only point apparently being media attention for the people who created the site (and yes, the media loved this story, playing it on the evening news along these lines: "Be scared oh you sheep, burglars can now use Facebook and Twitter to rob you!").

Well, let's see how that might work. I'm going out of town to a trade show tomorrow. I will be gone for several days. This is well known to my friends and family and colleagues. It can also be deduced from any number of web sites about the show, the company, or me. But you'd have to be an exceptionally stupid burglar to try robbing my place next week. Apart from the dog and the attack cats that will be in residence, there will be one heavily-armed lady at home who is an excellent shot. Do you feel lucky?

I will pick up the CAFE cycle next post.
