More Details Emerging About School Laptop Spying, And It Doesn't Look Good
from the a-bit-proud-of-your-spying... dept
Following up on this morning’s post, new details are emerging about the school spying scandal in which a student was punished for apparently chowing down on Mike&Ike candy (which the school thought were drugs). In our comments, someone named Paul points us to a blog post from a security consultant, who digs much deeper into the story — focusing on one of the techies who worked at the school and apparently had a noticeable internet presence, having said a few things that could come back to haunt him. Note, that the school itself has said that only two techies on staff had the power to initiate the use of the remote spying tool.
Apparently, in various forums, blog posts and videos, one of the school’s techies talked about the technology they were using and how to set it up so that the user would not realize they were being spied on. He also discussed how to prevent a laptop using this software from being “jailbroken,” so users couldn’t discover that their computers were being used in this manner. Other forum posts from students at the school show that they were told they could not use other computers, could not disable the cameras and could not jailbreak their laptops on the risk of expulsion.
Furthermore, in looking at the software that was being used, the security consultant found serious security problems with it, in some ways similar to the famed Sony BMG rootkit:
With some of my colleagues, I began a reverse engineering effort against LANRev in order to determine the nature of the threat and possible countermeasures. Some of the things we found at first left us aghast as security pros: the spyware “client” (they call it an agent) binds to the server permanently without using authentication or key distribution. Find an unbound agent on your network with Bonjour, click on it, you own it. The server software, with an externally facing Internet port… runs as root. I’m not kidding. For those unfamiliar with the principle of least privilege- this is an indicator of a highly unskilled design. Unfortunately, when we got down to basic forensics, LANRev appears to cover its tracks well.
Things keep looking worse for the school, and school officials have done little to actually explain what happened, if the prevailing story is not actually the case.
Comments on “More Details Emerging About School Laptop Spying, And It Doesn't Look Good”
You can turn off the camera
Bah, I don’t care what they claim you can easily turn off that camera with a clip of a notecard and some tape 😀
“Bah, I don’t care what they claim you can easily turn off that camera with a clip of a notecard and some tape :D”
By the sounds of it they had something more akin to Bo2k but without the security measures. Personally I’d be less concerned about the camera than the effective yet insecure root kit. Who cares what they can do with your camera, with a rooted machine they could screw your life up without you ever finding out what caused it.
Re: Re:
> with a rooted machine they could screw your life up without you
> ever finding out what caused it.
How could a school-owned laptop that you use to do your homework screw your life up?
Re: Re: Re:
>How could a school-owned laptop that you use to do your homework screw your life up?
Do you just do work on your work machine?
Re: Re: Re: Re:
> Do you just do work on your work machine?
Yep. It’s actually a requirement where I work.
Re: Re: Re:2 Re:
Do you do important work on your work machine? Use work credit cards, perhaps make purchases that you will charge back to the company with your card.
Re: Re: Re:3 Re:
> Do you do important work on your work machine?
> Use work credit cards, perhaps make purchases
> that you will charge back to the company with
> your card.
It’s not a company, it’s the US government, and no, I don’t do any of that. Our computers aren’t even connect to the internet for security reasons.
Re: Re: Re:
“How could a school-owned laptop that you use to do your homework screw your life up?”
By someone else using it for things other than homework, obviously. Actually, I could probably come up with some pretty damaging scenarios involving homework too.
Silver Lining
Maybe this case will prove the importance of being able to ‘jailbreak’ your appliances.
Re: Silver Lining
Or it will reinforce to the authorities the importance of being able to keep you from doing it.
@3
um my computer is not a toaster thank you
its a TOOL a mathematical tool that does wonderful things i make it do. while a toaster can be said to be a tool to burn bread it can do very little else and doesn’t add or do any math. you could i supposed make a toaster with ten slots and do math but your going to need a lot of bread to count to 100.
AND last i checked a toaster doesn’t require DRM, nor spyware to see what your up to while you wander around the kitchen ( playboy nude models aside )
Re: @3
AND last i checked a toaster doesn’t require DRM, nor spyware to see what your up to while you wander around the kitchen ( playboy nude models aside )
Maybe, but I’m pretty sure I’ve read about Internet connected refrigerators.
Re: Re: @3
Internet refrigerator.
Even has a built-in camera.
Re: Re: Re: @3
does the camera point inside the fridge? so the supermarket knows when your out of milk?
Re: Re: Re:2 @3
no, It points out and snaps a pic when you open the fridge so you can find it if it gets stolen.
Re: @3
um my computer is not a toaster thank you
If you can’t jailbreak it, then it is.
See the above story.
Re: @3
Actually, 10 slots is more than enough to count to 100, if you use binary. I think I could do it with seven slots and 6 slices of bread…
Re: @3
http://ilovemytoaster.com/?attachment_id=16
“Other forum posts from students at the school show that they were told they could not use other computers, could not disable the cameras and could not jailbreak their laptops on the risk of expulsion.”
I think Cory Doctorow (from Boing Boing) described something very similar in his novel “Little Brother”.
In the not too distant future
It is easy to say that a bit of tape will cure this particular problem, but I have seen articles about the next great display technology which intergrates many webcams within the pixels of the display. You can not tell where they are. Disabling this monster will take a bit more hacking than a bit of tape.
Re: In the not too distant future
Fine, I’ll just get an infrared source (a frequency slightly lower than visual light, where humans can’t see it but cameras still can) with a reasonable amount of intensity and shine it on the cameras overwhelming it with light that the camera can see but we can’t hence interfering with its ability to see us.
for instance, take your televisions remote control, aim it in a camera, press the button, you’ll see a light through the cameras display but you won’t see it with your eyes.
Re: Re: In the not too distant future
but of course I will find an infrared light source with more intensity than your televisions remote control.
Re: Re: In the not too distant future
Better yet, long exposure to high intensity light will damage many camera receivers/antennas much like it’ll ruin your eyes, and most cameras are certainly much more sensitive to it than your monitor/computer screen. Just aim your monitor at the sun for a while and it’ll probably damage the antenna of the camera.
Re: Re: Re: In the not too distant future
Heck, a laser pointer might even do more damage. You want to get away with a red light ticket aim a laser pointer at the camera.
Re: Re: Re:2 In the not too distant future
You want to get away with a red light ticket aim a laser pointer at the camera.
Well, the problem to accomplish this was actually a bottleneck at computing capability. The computing capability necessary to accomplish such a task is very much possible. GPS data on ground is more accurate than in the air.
This may be possible in the not-so-distant future. After all, earlier this month, a major defense contractor was able to shoot down missiles using laser technology. The contractor was then sent to the drawing board. What was the problem? It was too near-field. Does that make it not applicable to other applications? Not at all.
In fact, application of techniques and new technology such as a car-mounted chemical oxygen iodine laser, may hold promise to fix the red light camera problem that enslaves us all. It’s possible that a small-scale implementation that would fit in a trunk would be quite marketable.
Re: In the not too distant future
Something like this?
http://www.appleinsider.com/articles/08/03/26/apples_patent_for_an_lcd_display_that_also_takes_photos_video.html
Re: In the not too distant future
Yep. In that case, you just don’t use the laptop at home at all. (Assuming this nonsense is legal– which it isn’t.) You do your homework on your own machine, save it to a thumb drive or email it to yourself, then transfer it to the school computer at some later time. Leave your school laptop powered down, closed, and stored in your bookbag whenever you’re at home.
Re: Re: In the not too distant future
Yep. In that case, you just don’t use the laptop at home at all.
So you just don’t do homework? You might as well drop out.
You do your homework on your own machine,
No go. Homework assignments can require the use of programs which the school only allows to be used on it’s own computers. They can also require access to resources which the school only allows to be accessed from the the school’s own computers. Or the school can simply require that all assignments be completed on school computers (so that no one has an unfair advantage or cheats).
Leave your school laptop powered down, closed, and stored in your bookbag whenever you’re at home.
Again, that could make it impossible to do the required homework assignments. I doubt if most parents want to see their kids flunk out.
Re: Re: Re: In the not too distant future
> > You do your homework on your own machine,
> No go. Homework assignments can require the
> use of programs which the school only allows to
> be used on it’s own computers.
Unless the school writes the apps themselves (and I haven’t encountered one who does that), how can they allow or not allow anything?
> Or the school can simply require that all assignments
> be completed on school computers
Again, unless they’re using some kind of proprietary software, how would they know? And even so, there’s ways around that, too. I can write my English paper up as a text document, e-mail it to myself, then copy and paste into their special word processing app, they’re none the wiser.
Re: Re: Re:2 In the not too distant future
Unless the school writes the apps themselves (and I haven’t encountered one who does that), how can they allow or not allow anything?
It’s called “licensing”. Look it up.
Again, unless they’re using some kind of proprietary software,
Well there you go. Get a clue.
And even so, there’s ways around that, too.
So, people should disregard laws and other rules if they think they can get away it? That’s your solution? What do you do for a living anyway?
I can write my English paper up as a text document, e-mail it to myself, then copy and paste into their special word processing app, they’re none the wiser.
Man, how dense can you be? Do really think the computers are limited to using them for word processing? Often times they can’t even receive the evening’s assignments unless they log onto the schools network using the school computer and those assignments must then also be completed and submitted on line that evening.
The more you try to defend your ignorance, the more ignorant you look.
Re: Re: Re:3 In the not too distant future
> > Unless the school writes the apps themselves (and I haven’t
> > encountered one who does that), how can they allow or not allow
> > anything?
> It’s called “licensing”. Look it up.
Oh, look! You’ve decided to start being a sarcastic asshole. That’s always productive.
The point is, if I want to my homework on my own computer at home, the school can’t tell me what software and is not “allowed” on it. If they’re using MS Word on the issued laptops, I can go out and buy my own copy of MS Word, put it on my home computer, and do my assignments with it.
The only way this doesn’t work is if the school is writing its *own* proprietary software– it’s own spreadsheets, word processors, etc.– and that’s not something that most schools can afford to do.
> > Again, unless they’re using some kind of proprietary software,
> Well there you go. Get a clue.
So you’re basically criticizing me for not knowing something that I obviously knew. Seems like you’re so intent on being a humorless jerkoff that you’ve lost all sense of basic logic. Well done!
> So, people should disregard laws and other rules if they think
> they can get away it?
They’re just rules, not laws, bright eyes– public schools can’t impose laws on the populace. What was it you said earlier about getting a clue?
And if the school is imposing those rules with a nefarious (and illegal) purpose in mind– namely to force me to use a device in such a way that they can monitor me in contravention of state, federal and constitutional law, then you bet I have no problem with circumventing that purpose.
> Do really think the computers are limited to using them fo
> word processing?
No, that was just an example, chief. I would have thought that obvious. Apparently I gave you too much credit. That’s my mistake and I apologize. Since you seem to require it, I’ll certainly attempt to be more pedantic for you in future.
> Often times they can’t even receive the evening’s assignments
> unless they log onto the schools network using the school computer
And what happens with homes that don’t have internet service? Or whose service goes down some night? There has to be other ways of getting the assignments.
> The more you try to defend your ignorance, the more ignorant you look.
Behold the irony.
Re: Re: Re:2 In the not too distant future
“I can write my English paper up as a text document, e-mail it to myself, then copy and paste into their special word processing app, they’re none the wiser.”
Copy and paste outside the application is disabled, as is printing, screen capturing and offline saving. Supposedly to prevent students from copying from each other or violating copyrights.
Re: In the not too distant future
> I have seen articles about the next great display technology which
> intergrates many webcams within the pixels of the display
I wonder what they’re gonna do when they get some student who’s an exhibitionist and starts purposely doing all sorts of self-stimulation exercises in front of the camera?
Seems like a good way to get the school authorities in a lot of hot water. Maybe make a few of them into sex offenders.
Re: Re: In the not too distant future
“Seems like a good way to get the school authorities in a lot of hot water. Maybe make a few of them into sex offenders.”
Selective enforcement. Authorities live by different rules than plebs.
Rest of story
I find the people defending the school district disturbing. this is a serious F*up by the school. That said, did anybody else spot the blurb that the school district recently started letting the kids take the computers home? I remember it somewhere but cannot find it now.
Re: Rest of story
“people defending the school district” Whiskey-Tango-Foxtrot Who would be that stupid? From what I have heard even the school district has been backpedaling and apologizing…
This should constitute unwarranted searches and seizures.
I found the part of Cory Doctorow’s “Little Brother” that this this thing reminded me of:
“I turned to my SchoolBook and hit the keyboard. The web-browser we used was supplied with the machine. It was a locked-down spyware version of Internet Explorer, Microsoft’s crashware turd that no one under the age of 40 used voluntarily.
I had a copy of Firefox on the USB drive built into my watch, but that wasn’t enough — the SchoolBook ran Windows Vista4Schools, an antique operating system designed to give school administrators the illusion that they controlled the programs their students could run.
But Vista4Schools is its own worst enemy. There are a lot of programs that Vista4Schools doesn’t want you to be able to shut down — keyloggers, censorware — and these programs run in a special mode that makes them invisible to the system. You can’t quit them because you can’t even see they’re there.
Any program whose name starts with $SYS$ is invisible to the operating system. It doesn’t show up on listings of the hard drive, nor in the process monitor. So my copy of Firefox was called $SYS$Firefox — and as I launched it, it became invisible to Windows, and so invisible to the network’s snoopware.”
It’s a great book. I highly recommend it. Should be required reading for any teenager or young adult. 🙂
I can’t believe you’re all being so glib about this
THE KID WAS EATING MIKE & IKE’S
This nation is in the middle of a youth obesity epidemic! Think of the children!!!!!!
Wow ...
Follow the links from the comments at ….
http://strydehax.blogspot.com/2010/02/spy-at-harrington-high.html
That is pretty sick stuff
What?
You get a computer from the school and then you’re amazed they spy on it? Duh!!!
whats with all this jail breaking stuff. What if I dont want to have to break my electronics from the confines of authority. My electronics are free and that is how they should all be. I payed for my pc…I can do what I want with it(Linux). I bought my phone…guess what, I can do what I want(Android). Its sad that only techies are allowed to have freedom on there electronics.
Wait so...
Is anyone going to talk about all the kiddy pr0n these admins probably saw? You’d think that the FBI would be allll over that. All those laptops in all those high school girls rooms…I wouldn’t doubt that a network admin that looked like that didn’t get a few good wackings in.
Re: Wait so...
This is what horrified me when I first heard about it. I am like what gives the school the right to spy on kids at home…
As far as I see the network Admin and school board should be thrown in jail for this kind of screw up
Re: Wait so...
So a girl has the laptop in her bedroom and comes in from the shower to get dressed and the admins salivate and copy the images and post them on pr0n sites and then the kids parents find out about it. Now what do you think the kids parents will do about it? And how about the school board? Just picture one of the school board members finding pictures of their kids on the web undressed. oh my. The sheer magnitude of a lawsuit allowing this to happen would be enormous.
First annual CFW-(RTB) party "TrollinTime"
Some people were were asking my /b/rothers who strydehax was throughout Saturday and Sunday.
It all makes sense now. I’d let it go.
First annual CFW-(RTB) party "TrollinTime"
“CWF-(RTB)” is so interchangeable with “CFW-(RTB)”
Mike, you are super sexy for changing letters around. Grrr!
I can see it now …
Teacher: Ok, everyone email in your homework.
Student: Ms Overbearing? … umm my laptop ate my homework.
Defending the school
IF (and a big if) the school had only used this for stolen laptops, took the minimum pictures necessary to recover them and was being sued by a student that didn’t like being caught, then I could understand people defending them.
But reading the article, seeing the creepy administrator brag about how he could do everything without the kids knowing and seeing the comments from the parents and students feeling like they had no say in the Big Brother experiment makes it clear that the district acted unconscionably and that the district is in serious trouble.
After seeing that guy brag, I wouldn’t be surprised if most of the pictures were deleted very quickly into the beginnings of the investigation. There is no way they only snapped 42 pictures total with all the complaints of lights coming on at random intervals.
holy crap that school is paranoid!
Looooots of T-Shirts
http://www.zazzle.com/lower_merion_school_district_scandal_parody_tshirt-235568003500926676
Gotta love that they used HAL as the base image there. Well played.
Frontline spin on this...
Recent pbs “frontline” episode “digital_nation” casually describes this same topic. At about 30 minutes in – journalist sitting w/high school vice (?) principal. He’s demoing the ability to observe student laptops remotely – including web cam. I believe in this case the laptops & network are both owned by a public school district. Might put a different spin on it. I was surprised the topic of privacy didn’t even come up.
One more detail – by chapter it’s “4 – Teaching With Technology”.
how this ends
At what point does the school counterattack by having its lawyers try to settle on these terms: if the boy’s family drops its suit, the school won’t pursue its allegations into illegal behavior, although it also won’t admit any wrongdoing, just that “mistakes were made, and policies are being reviewed”?
Re: how this ends
And the kid has to promise to not eat so much candy
i think
i think this is totally wrong i know my school can see everything i type and can take control even at home, ment to be for school use only and have a blue coat proxy(on laptop) that blocks sites, when connected to internet i think it updates the database and blocks and new sites added to it, guessing, the laptop has a sim card to im a techy person they say they have satalite tracking, i dont believe they could afford it, then again it is the government
I can write my English paper up as a text document, e-mail it to myself, then copy and paste into their special word processing app, they’re none the wiser.”
And the kid has to promise to not eat so much candy
And the kid has to promise to not eat so much candy
So a girl has the laptop ...
So a girl has the laptop in her bedroom and comes in from the shower to get dressed and the admins salivate and copy the images and post them on pr0n sites and then the kids parents find out about it. Now what do you think the kids parents will do about it? And how about the school board? Just picture one of the school board members finding pictures of their kids on the web undressed. oh my. The sheer magnitude of a lawsuit allowing this to happen would be enormous.
du lich nha trang
This is what horrified me when I first heard about it, I think, need to more closely manage
Just picture one of the school board members finding pictures of their kids on the web undressed. oh my. The sheer magnitude of a lawsuit allowing this to happen would be enormous.
du lich mien trung
Man, how dense can you be? Do really think the computers are limited to using them for word processing? Often times they can’t even receive the evening’s assignments unless they log onto the schools network using the school computer and those assignments must then also be completed and submitted on line that evening.
Camera ip g?a rẻ
This is a crazy idea, there’re something we shouldn’t know. If you use that way, no one safe anymore.
Anyone who doesn’t have a problem with this needs to learn the fourth amendment. If the NSA or law enforcement can’t get away with this without a signed warrent by the FISA court, how can the school? And no dumbassess, the public school system is NOT the US government. I’m guessing your all kids, right?!
program to 'việt nam
But reading the article, seeing the creepy administrator brag about how he could do everything without the kids knowing and seeing the comments from the parents and students feeling like they had no say in the Big Brother experiment makes it clear that the district acted unconscionably and that the district is in serious trouble.