The macosxhints Forums


aehurst 02-19-2010 07:05 PM

Webcams Activated by School on Student Macs
 
Now here's the ultimate invasion of privacy by public officials... remotely turning on the web cam, and possibly microphone, of student computers while the computers are at home and possibly in the student's bed room. All without pre-knowledge or permission of the families or students. OUCH!

http://news.yahoo.com/s/ap/us_laptop...ng_on_students

But hey, trust us we will only use this capability for good cause.

Then again, the kids got a free Mac.

cwtnospam 02-19-2010 08:11 PM

Technically, it isn't his Mac. Since he's using government property he has no expectation of privacy. Let's face it, they probably only noticed him because he was going to prohibited sites.

NovaScotian 02-19-2010 08:19 PM

The school claimed that it was so they could trace stolen laptops. At no point since this story broke, however, have they claimed that this particular computer was stolen; instead the story broke because they accused him of something they saw him doing in his own bedroom. Question: Why were they looking at him? They don't say. IMHO, this is exactly equivalent to a peeping tom peeking in the kid's window.

@CWT: the police would not be permitted to do this without a warrant; why should the school?

aehurst 02-19-2010 08:49 PM

Well, I am shocked. Really don't care if they have that capability as long as they give notice that it exists, state the reason for it, and have hard procedures for when it can be used, for example only when the student or her family tells them the laptop is lost. Users should be told explicitly that they have no expectation of privacy, so no homework after one is dressed for bed.

I am most curious to see if the ITs out there have a different view than the rest of us. So far, CWT is sounding a lot like an IT.:)

cwtnospam 02-19-2010 09:25 PM

Quote:

Originally Posted by NovaScotian (Post 573165)
The school claimed that it was so they could trace stolen laptops. At no point since this story broke, however, have they claimed that this particular computer was stolen; instead the story broke because they accused him of something they saw him doing in his own bedroom. Question: Why were they looking at him? They don't say. IMHO, this is exactly equivalent to a peeping tom peeking in the kid's window.

@CWT: the police would not be permitted to do this without a warrant; why should the school?

The police do do this. They have dash cams, cameras and other recording equipment at the station house, jails and prisons routinely record conversations, etc.

I'm not saying it's right for the school to randomly watch students, but I doubt that's what happened here. What's more, it's been pretty well documented that it is done regularly. I don't see how anyone could be surprised or claim they didn't know about it.

acme.mail.order 02-20-2010 05:05 AM

Wouldn't it be ironic if the school's 'acceptable usage' policy resulted in the officials doing 10 years for manufacture and transmission of child porn. I would think this capability would be a megaton-class time bomb for the school administration.

CWT: dash cams, in the station house, prisons etc. are in their house, not someone else's.

Next must-have accessory for school laptops: 2cm of vinyl tape.

appleman_design 02-20-2010 06:01 AM

Quote:

Next must-have accessory for school laptops: 2cm of vinyl tape
I cover all laptop cams w/ that stuff

renaultssoftware 02-20-2010 07:02 AM

Not safe! Not safe… why do I have to be at a school? Good thing I never have a school laptop, and they're Windows PCs so if they get stolen, they're not worth anything much.

cwtnospam 02-20-2010 08:21 AM

Quote:

Originally Posted by acme.mail.order (Post 573188)
CWT: dash cams, in the station house, prisons etc. are in their house, not someone else's.

No, those things are on government property, just as is the web cam on the computer. The fact that you willingly bring it into your house is of no consequence.

NovaScotian 02-20-2010 10:42 AM

Quote:

Originally Posted by cwtnospam (Post 573172)
--- it's been pretty well documented that it is done regularly. ---

Not that I've ever seen anywhere, CWT.

aehurst 02-20-2010 11:16 AM

Quote:

Originally Posted by NovaScotian (Post 573211)
Not that I've ever seen anywhere, CWT.

I will admit to not even knowing this was possible absent a remote login with a password and/or both parties running Skype or something.... I am assuming all the student Macs are not on the same network and home use would be behind a wireless router, firewall, etc.

Course, I'll also admit my technical knowledge is pretty feeble. My Mac use was desktop publishing primarily, with some web page and database development, and that was all years ago.

I think the ownership of the Mac is a non-issue. Wouldn't that be the same as saying you have no right to privacy because you rent your home... so your landlord can install a camera in your bedroom? Or, you rent a TV and the company delivers it with a recording device installed?

cwtnospam 02-20-2010 12:36 PM

It's well documented that the school maintains admin rights and that those rights are enforced. Everyone who gets a school computer is made aware of that fact. Terms of use are spelled out, and students regularly get into trouble for violating them. This is no different.

When you rent your home you do it with a contract that specifies your rights as well as your landlord's rights. If you accept terms that say the landlord can inspect the entire property at any time, then you must live by those terms. That's what you do when you accept the school's laptop. They can and will inspect it at any time.

NovaScotian 02-20-2010 12:49 PM

Thus creating kiddie porn, perhaps?

macosnoob 02-20-2010 12:52 PM

From the Q&A section of the school principal's announcement dated 2/19/10:

3. Were students and families explicitly told about the laptop security system?
• No. There was no formal notice given to students or their families. The functionality and intended use of the security feature should have been communicated clearly to students and families.

http://www.lmsd.org/sections/news/de...d_anno&id=1143

cwtnospam 02-20-2010 01:00 PM

:rolleyes:

They probably didn't explain how ssh works either, and they shouldn't. That's up to the user to understand, and accept the consequences when they don't. I'm all for making computers user friendly, even idiot proof, but that doesn't mean I'm for letting people be idiots without consequences.

acme.mail.order 02-20-2010 08:13 PM

Quote:

Originally Posted by cwtnospam (Post 573200)
No, those things are on government property, just as is the web cam on the computer. The fact that you willingly bring it into your house is of no consequence.

In the case of the police station, the entire room is government property, not private property with a reasonable expectation of privacy. That 'reasonable expectation' starts where the computer ends.

By now I expect every machine in the school district has the camera covered.

NovaScotian 02-20-2010 08:32 PM

And further to that, if parents are concerned about what else the kid might use the laptop for then that's up to them, not the school. If the school is worried about porn, for example, or sexting, perhaps, then their best option is to operate a proxy at the school and set up the machine so it must use it.

cwtnospam 02-20-2010 11:53 PM

Quote:

Originally Posted by acme.mail.order (Post 573252)
That 'reasonable expectation' starts where the computer ends.

Yes, and the computer ends just at the edge of its camera's view and its microphone's range. It's silly to think that the school would set rules and not have a system to enforce them. It is unreasonable to ask that the school disclose every possible measure it might take in enforcing its rules.

acme.mail.order 02-21-2010 12:09 AM

So, if I set up a school computer across the street and aim the camera into your bedroom, streaming the content live on the school's website, you'd be ok with it? That's 'at the edge of the camera's view'.

cwtnospam 02-21-2010 12:21 AM

No, because they would be aiming it in my bedroom. If they got me to aim it in there, then I wouldn't have anyone to blame but myself.

Jay Carr 02-21-2010 01:27 AM

A couple thoughts. First off, I don't think the facts on this particular case are clear in the slightest and they probably won't be until this case hits the courts (assuming it does.)

Secondly, on a more philosophical note, just because you state something (or imply it) doesn't actually make it legal to do it. The real question that this whole debate will come down to is whether or not the school district's actions should be legal rather than asking is it legal. My guess is either this question, or one similar, will make its way to the Supreme Court, because it's a morals debate more than it is a legal issue.

aehurst 02-21-2010 09:03 AM

Quote:

Originally Posted by Jay Carr (Post 573278)
...... My guess is either this question, or one similar, will make its way to the Supreme Court, because it's a morals debate more than it is a legal issue.

Agreed. And I would add that just because they can, that doesn't mean they should.

Isn't there a better way to track stolen, lost Macs?

I am confident the school's intentions were honorable. But if the plaintiff can find one example where the capability was accessed and not logged, the school will take a hit. One example of an inappropriate pic, too, would sink them in court. Think the school was foolish to put themselves in this position.

NovaScotian 02-21-2010 10:33 AM

A Jewish lawyer friend of mine whose dad was a Rabbi would call the last few entries of this thread a pilpul. Classically this is an argument between scholars over the fine points of the Talmud, but colloquially (at least in New York City) it's defined: casuistic hairsplitting. One side tries to think of examples and the other shreds them on the details. Goes nowhere because it's really an argument about personal feelings for what "expectation of privacy" means.

acme.mail.order 02-21-2010 07:45 PM

Surely we can all agree that secret activation of a monitoring device given to a person in (literally) a Trojan Horse qualifies as invasion of privacy?

aehurst 02-21-2010 09:05 PM

Quote:

Originally Posted by acme.mail.order (Post 573377)
Surely we can all agree that secret activation of a monitoring device given to a person in (literally) a Trojan Horse qualifies as invasion of privacy?

I suspect the judge is about to tell them just that.

cwtnospam 02-21-2010 10:11 PM

Quote:

Originally Posted by acme.mail.order (Post 573377)
Surely we can all agree that secret activation of a monitoring device given to a person in (literally) a Trojan Horse qualifies as invasion of privacy?

Yes, but a Trojan Horse doesn't come with specified rules of use. Something that does come with rules is hardly a Trojan Horse.

acme.mail.order 02-21-2010 11:16 PM

What rules of use are you referring to? What someone does in their house is their business. The school board in this case does not have eminent domain over whatever the camera sees when they secretly activate it.

Try this Reductio ad Absurdum argument:

Sidwell Friends School gives identical laptops to Sasha and Malia Obama. They take them home and use in the normal manner. As part of 'routine' checks they get imagery of interior parts of the White House that are probably not on the public tour.

I'll bet good money the IT department won't get out of Attica for at least a couple of OS versions.

cwtnospam 02-21-2010 11:27 PM

Yes, what they do in their house is their business. If they choose to allow a government owned camera to operate in their house, that is their choice and they must accept the consequences associated with that choice.

As for Sasha and Malia, I'll bet good money that their laptops don't make it into the White House without modifications and/or restrictions on where and when they can use them.

styrafome 02-21-2010 11:56 PM

Quote:

Originally Posted by cwtnospam (Post 573413)
As for Sasha and Malia, I'll bet good money that their laptops don't make it into the White House without modifications and/or restrictions on where and when they can use them.

Those computers are probably hardened to this level, at least:
NSA Security Configuration Guides for Mac OS X

They're pretty strict, talking about removing kernel extensions that support various ports and the camera.

cwtnospam 02-22-2010 10:06 AM

Exactly! The White House recognizes that if those computers were used to spy on the First Family and/or the government then the people most at fault would be the Secret Service. Most parents don't have the Secret Service working for them, so it's their responsibility to secure any device brought into their house. There is no excuse for not being aware of the Macbook's capabilities or how it is being used. "They didn't tell me!" certainly doesn't qualify as one.

tlarkin 02-22-2010 12:05 PM

Well, working in a 1:1 with 6,000 Macbooks and where students can take them home and being in public education I can clarify a few things for all of you.

First off let me start with Federal Regulations:

The Federal Government requires that we censor and block certain content from all students in a K-12 environment, even those students who are 18 years of age. These standards are set by the FCC, and directly affect our eRate eligibility. eRate is a government protocol that allows school systems to purchase massive amounts of technology at a flat guaranteed rate. This means that both the schools and the companies have to be eRate compliant. I don't know all the ins and outs of eRate because I am not in charge of writing checks and stamping POs here at my job. However, I do know that it allows both companies and academia to purchase mass amounts of technology. It is win:win for both sides when this happens. The federal government also enforces the school systems to provide a safe learning environment, which is totally up for interpretation of what safe means. Each state has different regulations on how this should be. There are many other federal mandates, like us keeping HIPAA info safe and to HIPAA standards, and us keeping back ups of archived files and emails for every user for a particular amount of time in case a federal investigation ever occurs, via the Patriot Act. Plus many other federal mandates are applied as well. Which is why when a student complains about us filtering their Internet I tell them to write their government representatives to have such federal policies changed.

Now let's look at how schools handle this:

School systems are forced to take zero tolerance policies, this is to protect the school from lawsuit. This can get quite out of hand, but let me give you an example that is relevant to technology. Student gets a school owned laptop issued to them. Student goes home and commits crime with laptop or does something illegal with said laptop, the parent will end up blaming the school and ask, why did the school not set up precautions for such things? The same people that bark up the school's trees are the same parents that are active at school board meetings and voice their needs to the school board, these exact needs to be exact.

How the school handles technology:

Each student, teacher and other classified employees are required to sign an AUP, also all minors must have their parents sign. The AUP states that all information created and stored on technology is not private and may be searched whenever called for. It also states that the technology is property of the state and thus all state regulations are applied and it is not anyone's personal property.

Now, the web cam issue, well I think it is a clear violation of the 4th amendment. The school being allowed to spy on any data on the computer is legal, and I think fairly covered. However, turning the web cam on to spy on things outside the computer should require probable cause and a warrant. If the computer was stolen, then I would say that would be probable cause and easily have a warrant on it, since the property was stolen.

The software in question is third party too, it is something that Apple did not build into their laptops.

tlarkin 02-22-2010 12:12 PM

As far as tracking stolen laptops, we use a service called Comp-U-Trace, which is the enterprise version of lojack. What it does, is it has a client piece that phones home every day, with various information. Last known WAN IP, reverse DNS look up, which ISP is hosting that, MAC address and some unique hardware information, what user account is logged in during this time, and so forth.

When we report a laptop stolen Comp-U-Trace contacts the local police/sheriff of where the last phone in occurred. Then a subpoena is issued for that stolen equipment after a police report is filed. This subpoena would then legally allow for things like a web cam to be activated. The product actually is embedded in firmware (on the PC side) and cannot be deleted or wiped. It also allows for features like remote wipe if a laptop has sensitive data on it.

This service is obviously not free, but if you go back to my last post about eRate you can get their service under eRate I believe which makes it affordable to public educational institutes.

We use remote desktop and products like Comp-U-Trace to track stolen assets, and we use law enforcement to do so. Also, our country prosecutor does in fact charge the person stealing the laptop with a felony as they are valued at over $1,000 each.

aehurst 02-22-2010 06:23 PM

After reading the links in the post in the Hardware section, there are some real questions here as to what the school was using the laptop access to accomplish... school accused of taking a photo in a bedroom (obviously not a lost computer, huh?) of a kid alleged to have drugs and confronting the child/parents with the evidence. School also accused of counseling students about inappropriate home behavior, including parents. To be fair, school is denying those two allegations.

Since my little one has a macbook (not from school), I am hoping someone can explain how to shut down this apparent loop hole in security..... short of setting the mic to mute and taping over the webcam. Is there a real threat here for an off the shelf Macbook?

cwtnospam 02-22-2010 08:24 PM

There is no loop hole and zero threat to your personal Mac. You need admin rights to do it, which basically means that you must be the owner. In this case, that was the school system.

The hysteria over this is mind boggling. Companies routinely fire people for using company property to do things just like what this kid did. Where is the uproar in those cases? The kid used government property in violation of the rules, possibly even the law, and he got caught! He and his parents should take the penalty and stop their whining.

Does anyone here really believe that his parents didn't have to sign some sort of agreement, and do you further believe that agreement didn't warn them and the kid about the rules?

acme.mail.order 02-22-2010 08:28 PM

Quote:

Originally Posted by tlarkin (Post 573462)
As far as tracking stolen laptops, .... The product actually is embedded in firmware (on the PC side) and cannot be deleted or wiped.

You sure? I don't think there's enough extra space in the firmware for that much functionality. Hidden partition perhaps?

Do you end up with a good cost/benefit ratio at the end of the year? e.g. cost of service < cost of stolen machines ?

cwtnospam 02-22-2010 08:31 PM

Quote:

Originally Posted by acme.mail.order (Post 573524)
Do you end up with a good cost/benefit ratio at the end of the year? e.g. cost of service < cost of stolen machines ?

It seems to me that ideally you'd have a system that deterred theft to the point where the cost of stolen machines was zero. Such a service would certainly be worth much more than $0.00

NovaScotian 02-22-2010 08:37 PM

Quote:

Originally Posted by cwtnospam (Post 573523)
There is no loop hole and zero threat to your personal Mac. You need admin rights to do it, which basically means that you must be the owner. In this case, that was the school system.

The hysteria over this is mind boggling. Companies routinely fire people for using company property to do things just like what this kid did. Where is the uproar in those cases? The kid used government property in violation of the rules, possibly even the law, and he got caught! He and his parents should take the penalty and stop their whining.

Does anyone here really believe that his parents didn't have to sign some sort of agreement, and do you further believe that agreement didn't warn them and the kid about the rules?

As it happens, the kid was eating some kind of candy that looks exactly like an illicit drug.

NovaScotian 02-22-2010 08:38 PM

Quote:

Originally Posted by cwtnospam (Post 573523)
There is no loop hole and zero threat to your personal Mac. You need admin rights to do it, which basically means that you must be the owner. In this case, that was the school system.

The hysteria over this is mind boggling. Companies routinely fire people for using company property to do things just like what this kid did. Where is the uproar in those cases? The kid used government property in violation of the rules, possibly even the law, and he got caught! He and his parents should take the penalty and stop their whining.

Does anyone here really believe that his parents didn't have to sign some sort of agreement, and do you further believe that agreement didn't warn them and the kid about the rules?

As it happens, the kid was apparently eating some kind of candy that looks exactly like an illicit drug (not familiar territory for me).

aehurst 02-23-2010 07:51 AM

Quote:

Originally Posted by cwtnospam (Post 573523)
There is no loop hole and zero threat to your personal Mac. ........

Thanks for confirming that, CWT.

Really don't think this issue is creating hysteria. It's different because it is in the home.... our last sanctuary from public intrusion. Already cameras are going up all over the place monitoring our activities. Feds sometimes reading our emails (or searching them for key words). Autos can be stopped and searched for little or no cause. And on and on. The home is the final place where we have a right to expect privacy, and nobody wants to see an attack on that right for any reason whatsoever.

Also, the presumption by all was this involved teenagers (and it probably did), but looking at the school's web site, they appear to have some very small children with MacBooks, too.

acme.mail.order 02-23-2010 08:26 AM

Quote:

Originally Posted by cwtnospam (Post 573523)
The hysteria over this is mind boggling. Companies routinely fire people for using company property to do things just like what this kid did.

Companies using webcams to watch employees in their homes would rapidly be sued out of existence. At work and within the physical boundaries of the computer are fair game. Plus, when you have people take things home you have to expect a reasonable amount of personal use. Capturing passwords and checking their hotmail account is too far.

Quote:

The kid used government property in violation of the rules, possibly even the law, and he got caught! He and his parents should take the penalty and stop their whining.
What violation? Doesn't appear the kid did anything illegal.

Quote:

Does anyone here really believe that his parents didn't have to sign some sort of agreement, and do you further believe that agreement didn't warn them and the kid about the rules?
a) it appears the details were conveniently omitted. (the original article states that the waivers did not include the cameras)
b) Do you read everything put in front of you? In detail, considering all implications of each sentence? Without looking, what is in clause 10 of the iTunes EULA and how does it affect you?

Quote:

Originally Posted by cwtnospam (Post 573525)
It seems to me that ideally you'd have a system that deterred theft to the point where the cost of stolen machines was zero. Such a service would certainly be worth much more than $0.00

That would be the ideal. My question for tlarkin was does the theft protection cost more than the theft itself.

tlarkin 02-23-2010 09:53 AM

Quote:

Originally Posted by aehurst (Post 573513)
After reading the links in the post in the Hardware section, there are some real questions here as to what the school was using the laptop access to accomplish... school accused of taking a photo in a bedroom (obviously not a lost computer, huh?) of a kid alleged to have drugs and confronting the child/parents with the evidence. School also accused of counseling students about inappropriate home behavior, including parents. To be fair, school is denying those two allegations.

Since my little one has a macbook (not from school), I am hoping someone can explain how to shut down this apparent loop hole in security..... short of setting the mic to mute and taping over the webcam. Is there a real threat here for an off the shelf Macbook?

It is not a loop hole, it is a command line utility that is installed, and then some client based software is also installed to control it remotely. Most consumer routers support NAT out of the box, which by default, disallows remote hosts to connect to the machines in your network without the proper ports being forwarded. Remote desktop won't even work unless you forward the ports to the proper client. I doubt any student is going to do that.

Quote:

You sure? I don't think there's enough extra space in the firmware for that much functionality. Hidden partition perhaps?

Do you end up with a good cost/benefit ratio at the end of the year? e.g. cost of service < cost of stolen machines ?
Yes I am sure it is embedded in firmware, but only on PCs because Apple is not quite agreeing with this concept yet, though I hear it is in the works. That way if a machine's HD is wiped your client software is also not wiped. I would say it is worth it since it is tracked, they contact local authorities, and it is backed by an insurance premium and if they can't recover it they pay for the loss of product.

fracai 02-23-2010 12:26 PM

Quote:

Originally Posted by cwtnospam (Post 573627)
Ok, not exactly the same. In my case, they've spied on my computer, violating my policies. The school was merely keeping an eye on its own property!

It's nothing at all similar. They haven't spied on your computer. They've looked at their sales records and sent you an e-mail.
The school wasn't keeping an eye on their own property, they were keeping an eye on the student. Keeping an eye on their property would have been inspecting the contents of the computer, either remotely or in person. Turning on the camera is drastically different.
Using the camera to help locate a stolen device would be valid, but there's no evidence that they thought it was stolen. In fact, the student captured in the screenshots was the "owner" of the device, which is evidence that it wouldn't have been thought to be stolen.

tlarkin 02-23-2010 01:33 PM

It looks like they were using the LANrev suite from Absolute software. I have pretty much no experience with it, but I do use their anti-theft product called Comp-U-Trace. We use Casper to manage the Macs at work.

http://www.computerworld.com/s/artic...?taxonomyId=12

NovaScotian 02-23-2010 03:10 PM

Here's Techdirt's take on it: More details emerging...

fat elvis 02-23-2010 06:14 PM

Quote:

Originally Posted by cwtnospam (Post 573639)
With no expectation of privacy the use of the camera is a moot point. It belongs to the school, and they can use their camera and their computer when they see fit.

There are many laws about the use of cameras. Many gyms ban phones in locker rooms, people who look middle eastern can't photograph tourist attractions or bridges w/out getting hassled. Just owning one doesn't allow you to do whatever you want with it.

I'm sure people would be alarmed if I started secretly taking pictures of kids while they were doing homework in their own bedrooms.

A more reasonable use of this big brother technology would be to implement a policy that this remote safety measure violation of privacy is only used when the student is on the school's LAN.

The company I work for constantly reminds people that the computers are company equipment. At the same time we respect their privacy and ask permission before we connect. Extending this same courtesy to students would be a good move.

acme.mail.order 02-23-2010 06:45 PM

Looks like subpoenas are already in process.

NovaScotian 02-23-2010 07:01 PM

I know that CWT feels that this is within the rights of the owners of the machine and that might legally be the case. What's dead wrong about this however is that laptops are often used in bedrooms in which teenagers might well be getting undressed. If I were the father of a young daughter in that school I'd be very upset at the possibility that someone for entirely illicit reasons could observe her when she happened to leave her laptop on. We've argued about privacy in the home, but there's an even greater expectation of privacy in bedrooms.

acme.mail.order 02-23-2010 07:04 PM

And that is precisely why schools should treat this technology as if it was high-level nuclear waste - run away, very very fast.

renaultssoftware 02-23-2010 07:30 PM

Quote:

Originally Posted by acme.mail.order (Post 573665)
And that is precisely why schools should treat this technology as if it was high-level nuclear waste - run away, very very fast.

Nuke waste is rare too. But that's a stupid thought.
What I still don't get is why they would do this? If they are connected to the Internet, they would be able to get your coordinates anyways (IP, Skyhook…). So you would know if they were stolen. Deeueheh…

fracai 02-23-2010 09:11 PM

Amazon has a terms and agreements page that you are required to agree to before opening an account. It's not their fault if you didn't read it before accepting the terms. You opted in when you opened the account. It's your responsibility to understand what you're joining. And it's not their responsibility to opt-in or opt-out. They're providing a service according to terms that they set forth. No one is forcing you to join if you don't agree with the terms.

To bring it back to this spying case, the school has admitted that they did not disclose that monitoring was possible or likely. If you're going to hold Amazon accountable for sending you an e-mail, in accordance with their terms, how could you possibly give a free pass to this school that actively monitored a student in their home without informing them that this monitoring might occur? Or is it now the student's responsibility to sort out every hidden (and invisible) option?

johnsawyercjs 02-23-2010 09:39 PM

More info on the school spy
 
I just found some new, astonishing links to this spying story. The first contains an article that names a tech at the school, Michael Perbix, as being in charge of the monitoring software, and goes into some technical detail:

http://strydehax.blogspot.com/2010/0...gton-high.html

And Michael Perbix's website:

http://bestsinceslicedbread.blogspot...n-and-off.html

None of this answers my original question, but it's still important stuff.

Among a number of disturbing aspects of this story, many students at the school (maybe most, maybe even all) were seeing the webcam activity light activate frequently, and when they mentioned this to school officials, they were told it was a glitch common to Macs. Though Apple says something similar, I think the school was using this as cover for their activities--Perbix says in his video, that there were a number of cases in which they thought various laptops were stolen, but the laptops were right in the classroom, in use, and that he had to go through a number of snapshots of kids and teachers in the classroom before determining that the laptops were where they were supposed to be. He never adds that they also had supposedly erroneously collected photos of kids at home, and elsewhere outside school grounds, as a result of whatever supposed glitch was causing this to happen (which seems like a really sloppy glitch). For all we know, they're using the story about erroneous in-classroom "stolen laptops" as cover for why they also have pictures of kids outside school grounds.

cwtnospam 02-23-2010 09:41 PM

Quote:

Originally Posted by fracai (Post 573683)
Amazon has a terms and agreements page that you are required to agree to before opening an account.

Yes, and I'm sure the parents agreed to terms when the kid got his laptop. I have little doubt that those terms will eventually exonerate all involved, with a possible exception being the kid.

acme.mail.order 02-23-2010 11:21 PM

As has been said several times, both here and in other media, the school's terms did NOT mention this capacity.

Question for school IT staff: If a school laptop is required for classes, and an agreement is required to get the school laptop, what happens if the parents refuse to sign it?

fracai 02-23-2010 11:25 PM

Quote:

Originally Posted by cwtnospam (Post 573689)
Yes, and I'm sure the parents agreed to terms when the kid got his laptop. I have little doubt that those terms will eventually exonerate all involved, with a possible exception being the kid.

http://arstechnica.com/tech-policy/n...of-lawsuit.ars

"Parents were never made aware that someone could remote desktop into their kids' computers—and possibly take a snapshot. The district now claims that it won't turn the feature back on without written notification to students and families."

Have you read any of the reports about what's going on here? What parent would sign an agreement that stated their children may be monitored by a 3rd party over video at any point?

Quote:

Originally Posted by cwtnospam
It is NOT my responsibility to wade through long, boring agreements in order to buy something.

Dude, you're giving them your credit card number. You're entering into a contract with the company. You don't think it'd be a good idea to read through their terms or see what they're going to do with your personal information?

And again, it's not your responsibility to wade through a terms of agreement document, but it is the responsibility of someone else to wade through the terms to find the monitoring clause, that you claim existed (with no supporting evidence), for these laptops?

cwtnospam 02-24-2010 12:19 AM

Quote:

Originally Posted by fracai (Post 573697)
Have you read any of the reports about what's going on here? What parent would sign an agreement that stated their children may be monitored by a 3rd party over video at any point?

Every parent who's ever accepted a school computer.
Being made aware is a red herring. The rules were set, and how they were to be enforced is up to the school.

Quote:

Originally Posted by fracai (Post 573697)
Dude, you're giving them your credit card number. You're entering into a contract with the company. You don't think it'd be a good idea to read through their terms or see what they're going to do with your personal information?

No, I don't think it's a good idea. Legally, you enter into a contract when you buy a cup of coffee. That doesn't give the vendor the right to sell your contact information.

Quote:

Originally Posted by fracai (Post 573697)
And again, it's not your responsibility to wade through a terms of agreement document, but it is the responsibility of someone else to wade through the terms to find the monitoring clause, that you claim existed (with no supporting evidence), for these laptops?

So then you agree that Amazon is on equally shaky ground with the school? I have no problem giving the school a hard time over this as long as we do the same with corporations like Amazon.

ArcticStones 02-24-2010 04:05 AM

Re: Quibbling
 
.
Quote:

Originally Posted by cwtnospam (Post 573639)
They can look at their sales records until the end of time if they like, but sending me an unsolicited commercial email is invading my computer. The kid doesn't own the school's computer and therefore has no expectation of privacy. With no expectation of privacy the use of the camera is a moot point. It belongs to the school, and they can use their camera and their computer when they see fit.

CWT,

While your earlier posts were on topic, you’re now quibbling and pushing the thread off on a tangent. Poster after poster has told you so. Please cease and desist!

There can be no reasonable comparison between activating a webcam in a student’s bedroom and sending an innocuous but unwelcome email.

The idea of Amazon invading your computer is patently absurd! Amazon’s unwelcome email was not sent to your computer -- it was sent to your mailbox. You yourself used your computer to fetch it from that mailbox. ;)

If you wish to discuss spam and unwelcome email -- or argue the point -- you must do so in a separate thread.

-- ArcticStones

.

cwtnospam 02-24-2010 09:20 AM

That secret, hard to remove program is not installed on your computer. It's installed on their computer. When anyone installs anything on their own computer, it is not spying.

Honestly, I see this thread as being about two things:

1.) Sexism, as parents are mostly concerned with protecting their daughters, who they obviously see as the weaker sex.

2.) Rampant anti-government hysteria that's been generated by international corporations like Fox News ever since the Democrats won last year. Businesses do far worse every day, but one school district has a small public relations problem and it becomes a big issue. Sad.

ArcticStones 02-24-2010 09:34 AM

.
Quote:

Originally Posted by acme.mail.order (Post 573716)
Arctic: Maybe it's time everyone took a break until the original story develops some more?

I believe you’re right.
Thread locked for now.
.

ArcticStones 02-24-2010 11:37 AM

NB. Split thread
 
.
PLEASE NOTE:
In a series of posts, Webcams activated by a school were compared to Amazon sending out unwanted email. As this is a very different issue, I have started a separate thread and moved over the posts in question. For those interested in discussing that issue, do so in Amazon, privacy and spam.

This thread is reopened. Let’s keep it on topic!

-- ArcticStones
.

tlarkin 02-24-2010 11:41 AM

Quote:

Originally Posted by ArcticStones (Post 573734)
.
PLEASE NOTE:
In a series of posts, Webcams activated by a school were compared to Amazon sending out unwanted email. As this is a very different issue, I have started a separate thread and moved over the posts in question. For those interested in discussing that issue, do so in Amazon, privacy and spam.

This thread is reopened. Let’s keep it on topic!

-- ArcticStones
.

D'oh! I just posted a winded and well thought out response in the other web cam thread since this was closed:

http://forums.macosxhints.com/showpo...6&postcount=19

Here are my thoughts on it.


[Moderator’s edit:
I am duplicating that post here, as it is highly relevant to both threads.]


I also work in a 1:1, which means I manage 6,000 MacBooks. Students all over the district tape their iSight over since they think we are spying on them. Truth is, I build all the software installs and images and I have never once put the command line application to control the iSight remotely.

This is most likely how the story went, as I have been in IT in academia for 5 years now.

1) School board has a meeting about possibly going 1:1 with their students

2) They get budget approval, parents feedback, project management

3) Concerns are raised about asset control, and how to mitigate stolen laptops

4) Board implements plan and tells IT to just make it work

While I do not know this guy personally, and so cannot pass judgment on his character, I can tell you how school systems work. Directors and executives sometimes go to IT and say here is a bunch of random technologies we want and this is how we want to use them, now make it work. This guy figured out how to deploy and control the command line binary to control the iSight through the LANrev and when the beacon feature on Absolute's end they were able to get the remote WAN IP and DNS and send out a policy to the client and have it execute. The guy probably thought he had figured out a really cool method of anti-theft. Which, we know is effective from previous stories of people's Mac laptops being stolen and users using things like logmein.com to remotely activate the web cam and take pics. That was probably the most famous one as it made several newspapers, but there are other stories where this proves as a valid tactic to recover your stolen equipment.

see this article: http://www.switched.com/2008/05/12/s...back-to-my-mac

Some people are saying that LANrev is a trojan and used as spyware by the IT crew on the students and staff. LANrev is a power tool, used by IT for enterprise implementation. There is a launch daemon that controls these tools that does in fact run as root. This is because some of the features are like if you can't recover a stolen laptop you can do a remote wipe of the drive rendering it useless and also possibly saving any "top secret" data your company may have on that laptop. These sorts of things need to run as root to execute, as well as installing packages and so forth. These tools give you great power over the system, and just like anything with great power comes great responsibilities. You need to use best practices and you need to not overstep your boundaries, but you also need to protect your organization's assets, because nobody wants to lose money on stolen equipment.

So, given the situation, when a computer is not your property, and many companies and organizations will flat out in their AUP say that you can and will be monitored while on company equipment and that is all within the company's right to do so. The company is its own entity and has the right to protect its own property, which is a strange concept maybe but one that is stated here in our country. This laptop was considered stolen property, from what I can tell, and the method used to recover it may have been what I would call, "NOT a best practice." If the kid did indeed take the laptop home and was not supposed to, then that laptop is considered stolen, this is how it would be at my school district. I also think that activating the web cam is an OK practice if they had used, "Best practices."

Example, when a laptop gets stolen at my district we have the student or the person who is claiming it to be stolen (or missing) file a police report with the school officers. Then we take that police report with all the given info and go to Absolute's website since we use Computrace and report it stolen on their end. We then activate the beacon, find out where it is and subpoenas and warrants are issued. Most of the time the school will give the person a chance to turn it back in before they press charges. When you get the police involved, people tend to give back your stolen property. I think we have recovered around 90% of our laptops this way that have been stolen. There have been several people that did not turn them back in and got prosecuted and since they are valued at over $1,000 each (after you include AppleCare and software licensing) it is actually a felony charge of theft. This also validates the police using that laptop as evidence for any other crime committed. This is where the 4th comes into play. If we did it on our own, and found the kid was selling drugs or committing crimes and there was evidence of this all around his room which was caught on the web cam, but none of it was on his computer it would be dismissed from court. However, you file it stolen, and there is a warrant and probable cause that changes the situation.

Some of the students are a pain in the ass, they love to break policies and give everyone a headache, but that is how teenagers are. I was kind of a hell raiser myself back in the day. I think the worst part of this whole ordeal is that it is going to hurt that school's 1:1 program, which is a shame because I think high school kids benefit exponentially from having a laptop to use every day. Day to day computer use is an actual viable job skill, and can lead to many other jobs as well. Someone will most likely have to resign from their position, if not multiple people, the family may be able to file suit against the school in civil court and drain an already busted and under budgeted system crippling their 1:1 program. If the kid stole the laptop I don't think he should be rewarded anything for breaking the law, but like many people have said there are a lot of facts missing from the whole situation.

aehurst 02-24-2010 05:04 PM

Family's attorney has asked a federal judge to issue an order preventing any deletion of materials on ALL school issued laptops.... seeking class action.

http://www.centredaily.com/2010/02/2...ol-laptop.html

Somebody is going to look at every file on every student's laptop. Some 2300 of them.

If the school prevails in its argument that the computers belong to them and they therefore have a right to look at anything on them, then they have opened Pandora's box. The school is a public entity which means anything on those hard drives is public information. Public information can be demanded by any citizen under the state's Freedom of Information Act. This has been tested in court in my state and the public right to know has always prevailed.... even when the data was extremely personal in nature (in this case emails sent/received on a state owned computer).

tlarkin 02-24-2010 05:24 PM

Quote:

Originally Posted by aehurst (Post 573762)
Family's attorney has asked a federal judge to issue an order preventing any deletion of materials on ALL school issued laptops.... seeking class action.

http://www.centredaily.com/2010/02/2...ol-laptop.html

Somebody is going to look at every file on every student's laptop. Some 2300 of them.

If the school prevails in its argument that the computers belong to them and they therefore have a right to look at anything on them, then they have opened Pandora's box. The school is a public entity which means anything on those hard drives is public information. Public information can be demanded by any citizen under the state's Freedom of Information Act. This has been tested in court in my state and the public right to know has always prevailed.... even when the data was extremely personal in nature (in this case emails sent/received on a state owned computer).

Sorry, no, they are not public record. There are many federal acts which would prohibit public access to such data. HIPAA, CIPA, ECPA, and many other acts which could prevent them from being public access. You think it would be legal to post a student's transcript, or perhaps any medical data that might be on a school system?

When it involves a minor a lot of those things go out the window, and some of the information that a school could have on a kid could be protected by several pieces of legislation.

In the end, all this is doing is killing their 1:1 program. Plus we don't know all the facts and I read a blurb about that family on another blog, where someone else who lives in that same city accused this family of being lawsuit happy. Apparently according to this random post (which I have had a hard time trying to verify via Google) they are also involved in several other lawsuits to other organizations which are local. In the end this may kill a great program and opportunity for children to actually get a better education in this country.

I am still waiting for all the facts to surface.

aehurst 02-24-2010 05:59 PM

Quote:

Originally Posted by tlarkin (Post 573763)
Sorry, no, they are not public record. There are many federal acts which would prohibit public access to such data. HIPAA, CIPA, ECPA, and many other acts which could prevent them from being public access. You think it would be legal to post a student's transcript, or perhaps any medical data that might be on a school system? .....

That will be the school's argument of course. The attorneys will argue that information protected by statute can be deleted, simply provide all data that is not protected. They might well get access to every file with the protected information blotted out and the other information still present.... like the old CIA documents with three words not blotted out. They can withhold the protected information, but that does not give them the right to withhold everything else in the document or hard drive.

Any data the attorneys need to build their case (discovery) will be provided, I think, and once introduced into court, then for sure that becomes public information unless the judge seals it to protect the minors.... e.g. minor's name not released. School will not be permitted to simply say no and build a brick wall around all the potentially damaging evidence.

Like you I am hoping there is more to the story, but given FBI and Federal Court involvement my sense is there have been some violations. We'll see.

Much of this may come down to the State's Freedom of Information Act, as opposed to the Federal FOI version, and I don't know for sure if Penn has such an Act. Most states do. We're into the courts now, the opportunity to just do what's right is gone.

fracai 02-24-2010 09:59 PM

Another investigative post: http://www.saveardmorecoalition.org/blog/2
Not nearly as in depth as strydehax, but still interesting.
Also, Bruce Schneier has a post, characteristically devoid of commentary, but the comments are usually interesting.

The most interesting opinion that I've seen lately is sympathy towards the IT guy who deployed the monitoring system. It's likely true that the school administration decided to implement computer tracking and then said "Do it". But, I don't think I buy the "Just following orders" argument.

Sheesh, even Absolute Software (owners of Absolute Manage, formerly LANRev, the software used by LMSD) have thrown the school under the bus and will be removing the camera monitoring feature.

The LMSD initial response

tlarkin 02-24-2010 11:03 PM

From my understanding this is what happened. Absolute acquired LANrev, then during this process Absolute was integrating some of their products with LANrev and taking out features they did not want, but I also read somewhere that the feature to remotely activate the camera is not part of their package.

I think actually, either an old legacy version of LANrev, or the IT guy bundled iSightCapture with their image/deployment and management software.

Unfortunately, there are those people that sit in positions of authority and they overstep their boundaries. I admit I have used remote desktop to spy on students before but it was never to single anyone out. I was observing, finding what proxies they were using, compiling a list of proxies and then blocking them with our filter. Since for us to maintain our eRate status we must be fully CIPA compliant, and if you get into CIPA, it is pretty vague. It is pretty much up to the person auditing you to decide if you are within the standards or not.

Working IT in academia sharpens your skills compared to working in the private sector. You have so many federal regulations upon you, you have so many pressures from the school board and the directors and executives to maintain a good role model status, and the software developers that write educational software typically make crappy products. So, you have to get real creative with the systems you build.

I posted a few responses on Stryde's blog expressing my feelings towards Absolute's product not being the issue here, nor the company to blame, nor the IT guy that built it up. After all, most likely he got 15 projects dumped on his lap and some director asking him to just make it work, and I know from experience when you want to request another technology to help make all these technologies to coalesce, you typically get the no response.

If someone came into my school system in my 1:1 and started accusing me and my co-workers of such nonsense I would be pretty mad. I work my ass off there and I create all the back end and develop all the creative methods and policies to get the job done with our servers and the Casper Suite. I mean, when I created the dual boot policy that allowed managed users to dual boot without ever needing an admin login, my Apple SE told me universities at that time (this was 2 years ago) couldn't accomplish what I was doing. They did not have the tools or the know-how. The funny thing is, I got most of my concepts from picking apart Mike Bombich's code for NetRestore, CCC, and looking at the source code for rEFIt. Luckily, for us where I work, I think we do use "best practices," when it comes to these sorts of things.

I totally gave every principal in one building a flat screen monitor, a Mac mini, and ARD admin, then deployed a special hidden ARD access account they could use (so if it leaked or got out I could easily shut it down) to observe and control student laptops during school hours. Which took the whole spying on kids thing off IT's hands and into the hands of the people who are in charge of discipline.

On a side, and sort of off topic note. These 1:1 programs are really awesome. I can't really express how cool I think they really are. Especially, at a school system where I work where most kids are extremely underprivileged. If there is one great thing I will take away from this job, is humility, and the fact that I know I have lived a privileged life compared to many out there. I grew up lower middle class so for a long time I kind of saw myself as a "has not," but now working in this school system I really feel that I have had a very lucky and privileged life. These kids, get to learn how to shoot and edit videos as part of their lessons. They get to create music in GarageBand. I mean how awesome is that? When I was in school, we had like 3 computer labs total of 386s and a few Apple IIe computers. I really hope lawsuits like this don't stop American public education to suspend such plans. So far our standardized testing results have gone up each year since the laptops, and I think kids are more inclined to research and write papers using the Internet over the library system.

I think we need to play it cool until we know the facts.

aehurst 02-25-2010 07:47 AM

I guess by nature most on this forum will be focusing on the IT issues. I'm not. It was the school administration that crossed the line by using the technology for purposes other than the stated purpose (apparently). It was the vice principal who confronted the student/family with the snapshot of the child eating candy... woefully unaware of what he/she was doing and had done and the consequences of those actions.

Sure, it would have been nice if the capability didn't exist w/i the school's system. But, it was the use of that technology that violated privacy, not the existence of a capability.

cwtnospam 02-25-2010 09:48 AM

Quote:

Originally Posted by aehurst (Post 573832)
It was the school administration that crossed the line by using the technology for purposes other than the stated purpose (apparently).

The technology was used to enforce the rules. Does a store need to inform you that they use video cameras for security? No. You know you're in their store just like you know that you're using school equipment, and that is enough.

tlarkin 02-25-2010 09:59 AM

Quote:

Originally Posted by cwtnospam (Post 573837)
The technology was used to enforce the rules. Does a store need to inform you that they use video cameras for security? No. You know you're in their store just like you know that you're using school equipment, and that is enough.

Stores don't have the right to put cameras in your car and in your home to make sure you didn't steal anything just in case the in-store cameras missed it.

fat elvis 02-25-2010 01:28 PM

Quote:

Originally Posted by tlarkin (Post 573839)
Stores don't have the right to put cameras in your car and in your home to make sure you didn't steal anything just in case the in-store cameras missed it.

Not YET!!! *cue black helicopter sounds...wait, they don't make sound*

I think the disconnect in this thread seems to stem from the ambiguity of the laptop. Was the laptop

1) issued to this student as a tool for them to use? or
2) was it loaned for "homework use only"? or
3) was it used as a tool by the administration to investigate its student body?

Since this whole issue was exposed by the Mike & Ike incident...it's clear the admins were using this as an investigative tool. If they mistakenly took a picture of a student while looking for a stolen laptop then they should have ignored the content. Instead they tried to bust a kid for eating candy.

Cameras in public spaces are a completely different issue. I understand that on my walk to work my picture is taken by many, many cameras...as well as every time I get cash from an ATM, walk into a restaurant/cab/hotel/corner store, but it's my choice to leave the house and interact with society.

If I stay holed up in my living room all eating bon-bons and watching Jersey Shore I don't want someone watching me in turn...just sayin

aehurst 02-25-2010 05:12 PM

Quote:

Originally Posted by cwtnospam (Post 573837)
The technology was used to enforce the rules. Does a store need to inform you that they use video cameras for security? No. You know you're in their store just like you know that you're using school equipment, and that is enough.

CWT, is there a limit, anywhere, where you would consider the school's delving into a family's private life without their knowledge would cross the line? Yes, without their knowledge.... they did not know and I don't think you can prove or even assume they did.

cwtnospam 02-25-2010 05:24 PM

No limit because it is both with the family's knowledge and with their help. The camera does nothing if the computer is not on, and the school does not bring the computer into the house. That's up to the family. There is no reason to expect the school not to have some system (and secret is better than not secret, especially with kids, who are likely to try to subvert the system if they're aware of it!) for enforcing its rules.

One more thing: protecting little Johnny or Jane from every little embarrassment is a good way to set them up for huge problems when they become adults. Corporations do spy on their employees, not all the time, but they do, and when it makes the news (if at all) it's because they've used that information to fire them. The reaction to this incident is not a good sign for this particular kid's future when he will not have mommy and daddy to make a big stink over some perceived slight.

ArcticStones 02-25-2010 05:50 PM

.
CWT, I need to be blunt: The views you express are beyond surreal.
.

tlarkin 02-25-2010 06:21 PM

Private corporations have an inherent right to protect their property, be it tangible or not. They have a right to assess security measures by many different means, as they see necessary to ensure no one is selling out trade secrets, clients, and so forth. Just like an individual has every right to protect and defend their own private property.

However, there is a fine line here in our society. Things like this are against our rights, and things like the Patriot Act are a huge affront to our rights and civil liberties.

No one should ever be searched or have their property seized without proper and due process of the law. The rights are there for a reason, it is so people do not get abused by the government or anyone else. This country was founded upon such principles. Our forefathers could not have even fathomed what technology would have brought us. If they would have known the amount of privacy the Internet takes away, I am sure they would have added some privacy clauses.

If the school activated the camera in reaction to a theft, it could be justifiable, but if they activated the camera to spy on kids after school hours off of school grounds not only are they way out of their jurisdiction, they are also violating these people's rights.

aehurst 02-25-2010 08:43 PM

I think we are rapidly entering an era where this whole area is going to need some serious legal clarification. Maybe this case is the first step.

Just a couple years down the road, companies and maybe schools are going to be issuing iPhone & iPad type devices to their employees/students. These things go everywhere with you, including rest rooms, bedrooms, bars and on and on. People will be carrying a 24x7 monitoring device with them complete with a GPS locator and a camera.

My last job, I turned down a company issued cell phone and just used my personal phone for business. They couldn't understand why I would do that, but they were happy to say okay. Neither would I take one of their laptops home... I just burnt a CD or emailed the files I needed to my private email address and worked at home that way. Until somebody defines exactly where the line is, I'm staying as far away from it as possible.

cwtnospam 02-25-2010 11:32 PM

Quote:

Originally Posted by ArcticStones (Post 573900)
.
CWT, I need to be blunt: The views you express are beyond surreal.
.

Really? Can you cite an example in the US where an adult has used a Corporate computer, their manager turned on some remote information gathering software and the manager ended up in hot water? Of course not. We take it as a fact of life that a Corporation has a right to protect its property but we're aghast when a government agency tries to protect property bought with taxpayer dollars! Then of course we'll all claim to be shocked when they don't! Now that's surreal.

Jay Carr 02-26-2010 12:28 AM

*sigh* Can we just delete the above, ban the user and get back to Tlarkin's frankly brilliant insights into how technology works in a school? Please? I was learning here...

acme.mail.order 02-26-2010 01:58 AM

Nice thought Jay, but....

Quote:

Originally Posted by cwtnospam (Post 573924)
Really? Can you cite an example in the US where an adult has used a Corporate computer, their manager turned on some remote information gathering software and the manager ended up in hot water?

Please provide an example where a manager remote-activated a webcam in the employee's residence. Looking at company email is ok.

Many companies here in Japan ban webcams on any company computer - they are concerned that someone will do exactly this. Similarly, mobile phones with cameras are put in tiny lockers just outside the door. Schools are sufficiently backwards that the issue hasn't come up.

ArcticStones 02-26-2010 03:00 AM

On topic, please!
 
.
Quote:

Originally Posted by acme.mail.order (Post 573930)
Nice thought Jay, but....

Quote:

Originally Posted by cwtnospam (Post 573924)
Really? Can you cite an example in the US where an adult has used a Corporate computer, their manager turned on some remote information gathering software and the manager ended up in hot water?

Please provide an example where a manager remote-activated a webcam in the employee's residence.

*Sigh...* I agree, Jay and Acme -- this is an artificial tertiary issue, and a bloody distracting one at that.

Looks like I may have to establish a separate thread entitled "Webcam activated by employer in worker’s home"? All it requires is one more derailing post.

Let’s keep this on topic!
.

aehurst 02-26-2010 08:26 AM

Quote:

Originally Posted by Jay Carr (Post 573925)
...... get back to Tlarkin's frankly brilliant insights into how technology works in a school? Please? I was learning here...

Agree. TL is a lot more on top of these issues than me, so I was learning, too. Easy to yell "invasion of privacy" but that doesn't begin to explain the issue because we have not heard from the school. Given we may never hear the school's side, or maybe years from now, I for one appreciate TL's views.

ArcticStones 02-26-2010 08:46 AM

A related thread: "How to detect webcam activity"
 
.
Quote:

Originally Posted by aehurst (Post 573955)
Agree. TL is a lot more on top of these issues than me, so I was learning, too. Easy to yell "invasion of privacy" but that doesn't begin to explain the issue because we have not heard from the school. Given we may never hear the school's side, or maybe years from now, I for one appreciate TL's views.

I would like to point out that Tom Larkin, Fracai, DE9 and others have made a number of fascinating posts in a thread started by John Sawyer, How to detect webcam activity, under Hardware & Peripherals. These posts discuss the more technical aspects of this.

Enjoy! :)

-- ArcticStones

.

cwtnospam 02-26-2010 09:56 AM

Post deleted by moderator.

tlarkin 02-26-2010 09:59 AM

Quote:

Originally Posted by aehurst (Post 573955)
Agree. TL is a lot more on top of these issues than me, so I was learning, too. Easy to yell "invasion of privacy" but that doesn't begin to explain the issue because we have not heard from the school. Given we may never hear the school's side, or maybe years from now, I for one appreciate TL's views.

Thanks! I was just thinking about this one aspect people are forgetting about public school systems. The media is turning this into an outrage, and really damaging the image of what a public school system is and should be.

For one, every single school system out there views students as their number 1 priority. Everything is done for the benefit of the students and nothing else. Some children, and this is at almost every public school district, have less quality home lives than others. Sometimes they don't get fed until they come to school, or they don't have heat until they come to school. Sometimes they have family issues and school is the only way to escape their family life. Schools ultimately care about the students, and I think if any spying was done, it was done originally with the best intentions. I do think though, that when you cross the line, even with good intentions, it is still not excusable. A lot is yet to be revealed to us though, so I urge everyone that reads this to wait until the facts come out.

Now, I have been reading some comments around the web, and have seen some interesting things pointed out, which should be non issues but people are making them issues. Things like:
  1. students are required to have a laptop
  2. students' laptops are required to have tracking software
  3. students are not allowed to bypass any security to disable said "spying software"

OK, well if you are going to have a 1:1, and want it to be effective it has to be part of your curriculum, that is a no-brainer. Sure, require them so both the students and the teachers can use them in the classroom. Otherwise, why have a 1:1?

No matter how many people want to say a school system is a business it is not. They are based on budgets and most 1:1s probably budget their laptop purchases to last 4 years or more. So, it is important that they keep track of their assets because those laptops are going to be passed down to more students for the next 4 years. If the plan fails miserably to theft, they may not continue it. The school systems want to give each and every kid an actual equal opportunity, thus putting a laptop in every child's hands. Them tracking their assets and requiring the software is totally feasible and justifiable. You are spending tax dollars and you don't want to piss off your tax payers. How many of you that pay taxes would be angry if a school system just let millions of dollars of tax paid laptops walk off campus and have no way to track them? This is common sense people. Companies track their assets for the same reasons.

Now, the bit on hacking the system. I will start by giving a small little back story. There were some machines that were showing up on my network at work that were running local admin accounts. We first noticed this by computers checking in (Casper client is set to do a daily inventory check in) did not have computer names matching our standard naming convention. Naming convention is important to us on the IT side because we create smart groups of computers by their name, and each building has a unique set of initials to distinguish where the computer is at. We also use network segments which are IP ranges that are chopped up into VLANs for other management. So, I decide to investigate how this happened because I know that no one is allowed to change their computer name via group policy (enforced by Casper, not MCX but I am going to change it to MCX soon). The very first thing I did when I ssh'd into the student machine while they were on it was a check of dscl . read /Groups/admin GroupMembership which displays the short name of every user that is in the admin group. Sure enough, there was some foreign local account that had been created on the machine. I knew of a few ways of doing this, and contacted the administrators to pull the kids' laptops and to not give them back until they confess on how they did it. Almost every kid had the same story. "Well, I just rebooted my computer one day and this screen just popped up asking me to create an account so I did." Which I knew was a blatant lie. They were removing sticks of RAM, clearing out the firmware password, booting into single user mode, mounting the HD manually and running a command that removes the .AppleSetupDone file which flags the OS to run that create an initial account screen at boot up. Which allows them to choose admin account. I knew that this was easily found via Google and I knew that some kids did that or booted from an OS X installer DVD and did it that way.
Finally some kid confessed that it was the SUM method. Now, when I was looking at their computers before we reimaged them, I saw that a few of them were playing around in the command line. Some of them probably were trying to delete or modify things that they should not be.

This is why it is not allowed, and it is also obvious. If they root the machine and unmanage it, remove the computrace client, remove the internet filter client (which is a huge federal no-no, and the FCC and the government would not be pleased with this), and also ultimately render their machine useless from not knowing what they were doing. You give a teenager that has tons and tons of free time a laptop, and they are determined to figure out how to hack it and they have physical access to it off school grounds, some of them are going to find a way.

Now, in retrospect, them doing this has forced me to make up some real creative ways of checking for admin accounts and using dummy packages to put the computers that do into policy logs that I can build reports off of. So I run a simple policy (a shell script) that checks for local admin access and if it exists it gets a dummy receipt that puts it into a log which then I can generate reports off of and know which kids are hacking and which aren't. Now that the kids know this, and yes many have been busted, they seemed to have stopped trying, or maybe stop bringing their computers on campus. So, this type of behavior is frowned upon, but it also enables me to expand my skill set by trying to undo the malicious things they do. Also, since by design, all of my images for the Macs put any local administrator account in /private/var/homes instead of /Users, so I know that my design there should always be zero home folders in /Users that belong to local admin accounts. This also allows me to hide my local admin accounts from the end user as well. So, being in the position I am in, it does force me to come up with very creative implementation on how I do things here. I can tell you all that I have collaborated with many other school districts with conference calls over the past 3 years. A school system in LA wanted to go 1:1 and they heard about what we were doing and they contacted me. When I told them what was possible and how we did it, they were all very excited and it gave them the confidence to go ahead with their deployment. Same thing for schools in Seattle and New York.

Schools have so much pressure and federal regulations and everyone is always worried about the students, and always wants to take care of the students that sometimes maybe they care too much and cross lines. Maybe, they get too involved with their ways, and yes sure there are bad administrators and bad teachers, but there are also bad students. There are also bad cops, bad customer service reps, bad managers, bad sales reps, mechanics, engineers and so forth.
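
The admin-account check described in the post above, written out as an added example (it is not tlarkin's script and not part of the thread). It audits the text printed by dscl . read /Groups/admin GroupMembership against an allowlist and drops a marker file in place of the Casper dummy receipt; the allowlist names, the marker file name and MARKER_DIR are assumptions.

```shell
#!/bin/sh
# Added example: flag local accounts that appear in the admin group but are
# not on the IT allowlist. All names below are hypothetical placeholders.

ALLOWED_ADMINS="root itadmin"          # assumption: accounts your image creates
MARKER_NAME="unexpected-admin.flag"    # assumption: stands in for the dummy receipt

# Print the admin-group members that are not on the allowlist.
# $1: text in the form printed by `dscl . read /Groups/admin GroupMembership`,
#     e.g. "GroupMembership: root itadmin"
# Exit status 2 means the membership could not be read, which is itself worth
# reporting: a missing key is not the same as a clean machine.
# The body runs in a subshell so `set -f` (no globbing) stays local.
unexpected_admins() (
    set -f
    case $1 in
        GroupMembership:*) members=${1#GroupMembership:} ;;
        *) exit 2 ;;
    esac
    found=""
    for m in $members; do
        ok=0
        for a in $ALLOWED_ADMINS; do
            if [ "$m" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then found="$found $m"; fi
    done
    printf '%s' "${found# }"
)

# Write or clear the marker file so an inventory job can report on it.
# $1: dscl output, $2: directory that holds the marker
# Returns 0 if clean, 1 if flagged, 2 if the audit itself failed.
audit_admins() {
    extra=$(unexpected_admins "$1") || return 2
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" > "$2/$MARKER_NAME" || return 2
        return 1
    fi
    rm -f "$2/$MARKER_NAME"
    return 0
}

# On a Mac, audit the live directory node; elsewhere this block does nothing.
if command -v dscl >/dev/null 2>&1; then
    audit_admins "$(dscl . read /Groups/admin GroupMembership 2>/dev/null)" \
                 "${MARKER_DIR:-/var/tmp}"
    case $? in
        0) echo "admin group matches allowlist" ;;
        1) echo "unexpected admin accounts: $extra" ;;
        *) echo "could not read admin group membership" ;;
    esac
fi
```

Treating an unreadable membership list as a failure rather than a pass matters here, because the tampering described in this thread happens offline in single user mode and can leave the directory data in an unexpected state.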

cwtnospam 02-26-2010 10:09 AM

Hmm, something happened to my post...
 
Argumentative post deleted by moderator. User warned.

NovaScotian 02-26-2010 10:14 AM

Wow, TL. Really excellent!

tlarkin 02-26-2010 11:00 AM

OK, one more thing I want to add. We are looking into a way to allow video chat with the students so they can collaborate with other students in and out of district. The web cams have a very powerful and valid use. Just think if a group of students from here in the USA could collaborate on say a science project with students in China? How freaking awesome would that be? I mean the experience alone would look good on a job application. You could put have foreign collaboration experience with people from another country. Those types of skills are invaluable. The problem is, how do we do this and ensure the students are safeguarded from the nasty stuff online, sexual predators, or perhaps even people that have court orders to stay away from said student?

If you are interested in the business and regulation side of technology in academia you can read up on eRate here:

http://www.fundsforlearning.com/

This is where the tricky stuff comes in and while these regulations are always created in the benefit and protection of the student, they sometimes make it a real pain to apply practical usage of said technology in the school systems.

Jay Carr 02-26-2010 11:31 AM

@Tlarkin

I just wish all of these regulations would be clarified in the ongoing story. The article gives the impression that these sorts of things happen in a vacuum. They hardly seem to realize that there may have been a considerable amount of outside pressure for these IT people to spy on these kids, pressure created by a government bureaucracy that is worried about students being attacked somehow through these computers.

And where does that pressure come from? Us, the voters. I think local government worries that if a story about some kid using a computer to check out porn sites got out, they could possibly lose their job (and honestly, there is a good chance they're right). So they put pressure on the district, who in turn puts that pressure on IT. So the problem is at least partly environmental.

That being said, someone has to draw a line somewhere. And that's what needs to be addressed here. Clear expectations need to be laid out regarding what is and is not acceptable IT behavior. All I hope is that when these guidelines are laid out, they invite a lot of IT guys to help. It would be terrible if a "pitch fork wielding mob" were to make the rules, rather than the experts.

tlarkin 02-26-2010 11:42 AM

jay

They also get pressure from the parents. Something goes wrong at the school and it is the school's fault always. Never the student's fault. I just don't like how people are having the attitudes that schools in general are inherently evil. However, certain lines should never be crossed and schools should not have the right to invade people's privacy off of school property and outside of school hours. That should be the responsibility of the parent, not the school system.

It seems there was someone quoting that they only used the software 42 times to assess over 30 stolen laptops. I wonder if 42 was just a Douglas Adams reference that the IT guy tossed out???

After all, that does reference deep thought, the most sophisticated and advanced computer system ever.

Hal Itosis 02-26-2010 11:46 AM

Quote:

Originally Posted by tlarkin (Post 573969)
They were removing sticks of RAM, clearing out the firmware password, booting into single user mode, mounting the HD manually and running a command that removes the .AppleSetupDone file which flags the OS to run that create an initial account screen at boot up. Which allows them to choose admin account.

I'd think a school/university would arrange to purchase computers with RAM soldered in, and expansion slots removed (or fill 'em with rubber epoxy or something). That would pretty much lock those suckers down.

[FWIW, from SU mode there's an even easier way to escalate any existing account's privileges by simply tweaking the /var/db/dslocal/nodes/Default/groups/admin.plist (or, heaven forbid: wheel).]

tlarkin 02-26-2010 11:52 AM

Quote:

Originally Posted by Hal Itosis (Post 573993)
I'd think a school/university would arrange to purchase computers with RAM soldered in, and expansion slots removed (or fill 'em with rubber epoxy or something). That would pretty much lock those suckers down.

[FWIW, from SU mode there's an even easier way to escalate any existing account's privileges by simply tweaking the /var/db/dslocal/nodes/Default/groups/admin.plist (or, heaven forbid: wheel).]

well, these laptops get very heavy usage. I have a high hard drive failure rate too, and I think there will be a repair extension from Apple due to the higher failure rate on all their model Macbooks in that era of machines. That would make them very hard to repair and most likely void any warranty with Apple.

They use the rm -rf /private/var/db/.AppleSetupDone command because it is the easiest one found on google.

They could also use the dscl command line, if they loaded and started the directory services daemon, which is by default not active in SUM. Just by appending the Group admin by adding Group Membership via the command line.

NovaScotian 02-26-2010 12:36 PM

Quote:

Originally Posted by tlarkin (Post 573991)
They also get pressure from the parents. Something goes wrong at the school and it is the school's fault always. Never the student's fault.

[Excuse this off-topic interjection]

As an old guy let me comment that as a boy my parents always sided with the teacher. A note sent home was taken as gospel. When I was a parent of school children 40 years ago, I took exception to a teacher only once. Now my oldest daughter has been in to see the Principal of the school her boys go to over entirely outrageous behavior on the part of a teacher. There's been a gradual shift over the last 60 years. I won't argue why, but it seems to have been as much the Schools' fault as it is modern parents.

NovaScotian 02-26-2010 01:21 PM

More on webcams in school computers by Cory Doctorow:

School administrator boasts to PBS about his laptop spying

aehurst 02-26-2010 05:28 PM

Quote:

Originally Posted by tlarkin (Post 573969)
.....

Now, in retrospect, them doing this has forced me to make up some real creative ways of checking for admin accounts and using dummy packages to put the computers that do into policy logs that I can build reports off of.

Frankly, TL, I would have been shocked and most disappointed if some of our brighter students hadn't managed to find a way around the roadblocks. That's what young people are supposed to do.... right? Or at least try! :)

Hal Itosis 02-26-2010 05:59 PM

Quote:

Originally Posted by tlarkin (Post 573994)
They could also use the dscl command line, if they loaded and started the directory services daemon, which is by default not active in SUM. Just by appending the Group admin by adding Group Membership via the command line.

Hence my use of the adjectives "even easier" when (vaguely) describing the direct assault on the plist. [it's just a plain text file (xml) so, no daemons running or frameworks loading needed... either defaults write or a basic nano will do.]

I guess that's only effective while not bound to the school's server though [or?].


Quote:

Originally Posted by tlarkin (Post 573994)
That would make them very hard to repair and most likely void any warranty with Apple.

I don't see how having its RAM chips soldered in (or the memory modules physically secured somehow) would make a Mac very hard to repair. Seems like Apple would even offer some options along those lines to edu purchasers... what with the proliferation of students getting usage of school laptops these days, etc.

tlarkin 02-26-2010 06:37 PM

Quote:

Originally Posted by Hal Itosis (Post 574038)
Hence my use of the adjectives "even easier" when (vaguely) describing the direct assault on the plist. [it's just a plain text file (xml) so, no daemons running or frameworks loading needed... either defaults write or a basic nano will do.]

I guess that's only effective while not bound to the school's server though [or?].

I don't ever try to modify directory services from single user mode, can't speak a lot from experience here. However, the XML file in question you are talking about is huge and XML to a computer novice is quite overwhelming and seems very convoluted. Whereas removing the AppleSetupDone file is one command and you are done.

However, Hal, you are right there are many ways for them to compromise the machines, not just one.


Quote:

I don't see how having its RAM chips soldered in (or the memory modules physically secured somehow) would make a Mac very hard to repair. Seems like Apple would even offer some options along those lines to edu purchasers... what with the proliferation of students getting usage of school laptops these days, etc.
So every time you need to replace a stick of RAM, you gotta replace a whole logic board? No AASP will solder parts on or off a warranty Apple part. Also, Apple has had a history of having "pain in the ass" laptops to take apart. I think them keeping it more simple and easy is really in their best interest over all.

Quote:

More on webcams in school computers by Cory Doctorow:

School administrator boasts to PBS about his laptop spying
I would call this something different, very different.

Jasen 02-26-2010 08:39 PM

cwt- you have really surprised me. I figured that you, if anyone on here, would be the first in line railing on these people for invasion of privacy, draconian enforcement, etc. I'm truly flabbergasted.

The policy set forth by this school district specifically stated that the use of this technology was going to be limited to tracking laptops that were reported stolen. There was no mention of spying on people in their homes. In fact, they specifically stated that this was never going to happen. They then banned students from using their own personal laptops for any school-related work (even confiscating them if brought onto campus), and threatened immediate expulsion for anyone who jailbroke their given laptop, or in some way disabled the webcam.

Now, I fully support a company or school keeping tabs on their equipment. What is done to it, what software has been put on it, etc. Scan the hard drive to make sure nothing bad has been installed, filter and log my network traffic to make sure I'm not going to tentacle porn sites. But it stops there.

Snapping pictures of kids in their bedrooms from a webcam is not just ludicrous, but illegal. Make no mistake, some heads will roll for this. It's an egregious violation of privacy, to the point of illegality. This is what wiretapping laws were written for.

And I have never in my life heard of a company spying on employees in this manner. They would be sued (and rightly so) into oblivion for trying this crap. They might read my emails, monitor my web traffic, check my drive for illicit software... but they cannot take pictures or recordings of me at home.

tlarkin 02-26-2010 11:19 PM

Jasen, we also do not allow any non district computers on our network. We have no idea what is on them, if it is legit software or pirated, if they have a mass mailer virus or a trojan or whatever. That is pretty standard policy across the board. We also ban PSPs, iPods, iPhones, Gameboys, and any other device that has a wifi connection.

It is for security purposes mostly.

acme.mail.order 02-27-2010 12:01 AM

Quote:

Originally Posted by tlarkin (Post 574057)
We also ban PSPs, iPods, iPhones, Gameboys, and any other device that has a wifi connection.

How is this handled? The iPhone can also get its data from the phone company. Does 'ban' mean blocked at the network level or not allowed on the property? (seems like that would be impossible to do)

p.s. just noticed this discussion pushed TL over 10,000 posts. Celebrate with a new keyboard?

tlarkin 02-27-2010 12:06 AM

Quote:

Originally Posted by acme.mail.order (Post 574059)
How is this handled? The iPhone can also get its data from the phone company. Does 'ban' mean blocked at the network level or not allowed on the property? (seems like that would be impossible to do)

p.s. just noticed this discussion pushed TL over 10,000 posts. Celebrate with a new keyboard?

We obviously cannot stop them from using third party networks. However, those third party networks are separate from ours and if they had say a Sprint broadband card in their laptop, they would still be filtered which is our major concern for the laptops. However a phone on its own data plan cannot transfer any security flaws, trojans or anything else to our network. We also run 802.11A radios only, so over half of the wireless devices out there won't even connect, like my iPod touch. Which sucks because I wanted to use it for remote desktop connections.

You know, ironically, I bought myself a new keyboard and mouse this week. Shipped out today and I should have it by Monday I am guessing. Got an all black led back lit Razor keyboard and a new Razor gaming mouse. Specials on this week's woot off. Retail price, combined they would go for a total of about $120, but I got them for a total of $45 off of woot this week.

acme.mail.order 02-27-2010 12:23 AM

So your school network is basically open and you restrict what the students can access on the machine itself? The University here allows access by ethernet address only - you take your device to the IT department and fill out some paperwork. This, interestingly, produced the following conversation:

"Bring in your laptop and show us you have the latest anti-virus software."

"It's a Mac."

"Oh. No problem then."

There's a separate network for students and for staff. Presumably the students can hack each other all they want.

Quote:

Originally Posted by tlarkin (Post 574061)
Got an all black led back lit Razor keyboard

Can I assume that the keyboard is black and the LEDs are probably red, as opposed to black LEDs?

Quote:

Originally Posted by Douglas Adams
"Every time you try to operate one of these weird black controls that are
labeled in black on a black background, a little black light lights up
black to let you know you've done it. What is this, some kind of galactic hyper-hearse?"


tlarkin 02-27-2010 12:29 AM

We use a shared WPA2 AES encrypted passkey for authentication to the wifi. We had so many issues in the beginning but since then Apple has released two major OS updates that help the Macs connect in a very large, spanning wireless network. We run layer 3 switches, so the roaming machines keep the first IP they pick up all day no matter what AP they connect to (since everything is chopped up into many VLANs). My buddy who works at a local college here, tells me they use RADIUS, and my old job at the prior school system used a shared WEP key but right when I left about 3.5 years ago they did start migrating it to RADIUS. We looked at it, and we can do it, and it would be nice to just authenticate to the WiFi via your LDAP account. Maybe someday we will do that, not sure.

Here is a pic of said keyboard (and nice Douglas Adams reference, one of my all time favorite authors)

http://www.electrobeans.de/bilder/20...zer_lycosa.jpg


All times are GMT -5. The time now is 03:35 AM.
