#81
League Commissioner
Join Date: Jan 2005
Posts: 8,475
Post deleted by moderator.
Last edited by ArcticStones; 02-26-2010 at 10:34 AM.

#82
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Thanks! I was just thinking about this one aspect people are forgetting about public school systems. The media is turning this into an outrage, and really damaging the image of what a public school system is and should be. For one, every single school system out there views students as their number 1 priority. Everything is done for the benefit of the students and nothing else. Some children, and this is at almost every public school district, have lower-quality home lives than others. Sometimes they don't get fed until they come to school, or they don't have heat until they come to school. Sometimes they have family issues and school is the only way to escape their family life. Schools ultimately care about the students, and I think if any spying was done, it was done originally with the best intentions. I do think though, that when you cross the line, even with good intentions, it is still not excusable. A lot is yet to be revealed to us though, so I urge everyone that reads this to wait until the facts come out. Now, I have been reading some comments around the web, and have seen some interesting things pointed out, which should be non-issues but people are making them issues. Things like:
OK, well if you are going to have a 1:1, and want it to be effective, it has to be part of your curriculum; that is a no-brainer. Sure, require them so both the students and the teachers can use them in the classroom. Otherwise, why have a 1:1? No matter how many people want to say a school system is a business, it is not. They are based on budgets, and most 1:1s probably budget their laptop purchases to last 4 years or more. So, it is important that they keep track of their assets because those laptops are going to be passed down to more students for the next 4 years. If the plan fails miserably to theft, they may not continue it. The school systems want to give each and every kid an actual equal opportunity, thus putting a laptop in every child's hands. Them tracking their assets and requiring the software is totally feasible and justifiable. You are spending tax dollars and you don't want to piss off your taxpayers. How many of you that pay taxes would be angry if a school system just let millions of dollars of tax-paid laptops walk off campus and had no way to track them? This is common sense, people. Companies track their assets for the same reasons. Now, the bit on hacking the system. I will start by giving a small little back story. There were some machines that were showing up on my network at work that were running local admin accounts. We first noticed this when computers checking in (the Casper client is set to do a daily inventory check-in) did not have computer names matching our standard naming convention. Naming convention is important to us on the IT side because we create smart groups of computers by their name, and each building has a unique set of initials to distinguish where the computer is. We also use network segments, which are IP ranges that are chopped up into VLANs, for other management.
So, I decided to investigate how this happened because I know that no one is allowed to change their computer name via group policy (enforced by Casper, not MCX, but I am going to change it to MCX soon). The very first thing I did when I ssh'd into the student machine while they were on it was to run dscl . read /Groups/admin GroupMembership, which displays the short name of every user that is in the admin group. Sure enough, there was some foreign local account that had been created on the machine. I knew of a few ways of doing this, and contacted the administrators to pull the kids' laptops and to not give them back until they confessed how they did it. Almost every kid had the same story. "Well, I just rebooted my computer one day and this screen just popped up asking me to create an account so I did." Which I knew was a blatant lie. They were removing sticks of RAM, clearing out the firmware password, booting into single user mode, mounting the HD manually and running a command that removes the .AppleSetupDone file, which flags the OS to run that create-an-initial-account screen at boot up, which allows them to choose an admin account. I knew that this was easily found via Google, and I knew that some kids did that or booted from an OS X installer DVD and did it that way. Finally some kid confessed that it was the SUM method. Now, when I was looking at their computers before we reimaged them, I saw that a few of them were playing around in the command line. Some of them probably were trying to delete or modify things that they should not be. This is why it is not allowed, and it is also obvious: if they root the machine and unmanage it, remove the Computrace client, remove the internet filter client (which is a huge federal no-no, and the FCC and the government would not be pleased with this), they also ultimately render their machine useless from not knowing what they were doing.
You give a teenager that has tons and tons of free time a laptop, and they are determined to figure out how to hack it and they have physical access to it off school grounds; some of them are going to find a way. Now, in retrospect, them doing this has forced me to make up some real creative ways of checking for admin accounts and using dummy packages to put the computers that have them into policy logs that I can build reports off of. So I run a simple policy (a shell script) that checks for local admin access, and if it exists the machine gets a dummy receipt that puts it into a log which I can then generate reports off of and know which kids are hacking and which aren't. Now that the kids know this, and yes many have been busted, they seem to have stopped trying, or maybe stopped bringing their computers on campus. So, this type of behavior is frowned upon, but it also enables me to expand my skill set by trying to undo the malicious things they do. Also, by design, all of my images for the Macs put any local administrator account in /private/var/homes instead of /Users, so I know that there should always be zero home folders in /Users that belong to local admin accounts. This also allows me to hide my local admin accounts from the end user as well. So, being in the position I am in, it does force me to come up with very creative implementations of how I do things here. I can tell you all that I have collaborated with many other school districts with conference calls over the past 3 years. A school system in LA wanted to go 1:1, and they heard about what we were doing and they contacted me. When I told them what was possible and how we did it, they were all very excited, and it gave them the confidence to go ahead with their deployment. Same thing for schools in Seattle and New York.
Schools have so much pressure and federal regulations, and everyone is always worried about the students and always wants to take care of the students, that sometimes maybe they care too much and cross lines. Maybe they get too involved with their ways, and yes, sure, there are bad administrators and bad teachers, but there are also bad students. There are also bad cops, bad customer service reps, bad managers, bad sales reps, mechanics, engineers and so forth.
__________________
sudo make me a sammich

#83
League Commissioner
Join Date: Jan 2005
Posts: 8,475
Hmm, something happened to my post...
Argumentative post deleted by moderator. User warned.
Last edited by ArcticStones; 02-26-2010 at 10:36 AM.

#84
League Commissioner
Join Date: Oct 2002
Location: Halifax, Canada
Posts: 5,156
Wow, TL. Really excellent!
__________________
17" MBP, OS X; 27" iMac, both OS X 10.10.x (latest)

#85
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
OK, one more thing I want to add. We are looking into a way to allow video chat with the students so they can collaborate with other students in and out of district. The web cams have a very powerful and valid use. Just think if a group of students from here in the USA could collaborate on, say, a science project with students in China? How freaking awesome would that be? I mean the experience alone would look good on a job application. You could put that you have foreign collaboration experience with people from another country. Those types of skills are invaluable. The problem is, how do we do this and ensure the students are safeguarded from the nasty stuff online, sexual predators, or perhaps even people that have court orders to stay away from said student?
If you are interested in the business and regulation side of technology in academia you can read up on eRate here: http://www.fundsforlearning.com/ This is where the tricky stuff comes in, and while these regulations are always created for the benefit and protection of the student, they sometimes make it a real pain to apply practical usage of said technology in the school systems.
__________________
sudo make me a sammich

#86
Hall of Famer
Join Date: Sep 2004
Location: Springfield, MO, USA
Posts: 3,110
@Tlarkin
I just wish all of these regulations would be clarified in the ongoing story. The article gives the impression that these sorts of things happen in a vacuum. They hardly seem to realize that there may have been a considerable amount of outside pressure for these IT people to spy on these kids, pressure created by a government bureaucracy that is worried about students being attacked somehow through these computers. And where does that pressure come from? Us, the voters. I think local government worries that if a story about some kid using a computer to check out porn sites got out, they could possibly lose their job (and honestly, there is a good chance they're right). So they put pressure on the district, who in turn puts that pressure on IT. So the problem is at least partly environmental. That being said, someone has to draw a line somewhere. And that's what needs to be addressed here. Clear expectations need to be laid out regarding what is and is not acceptable IT behavior. All I hope is that when these guidelines are laid out, they invite a lot of IT guys to help. It would be terrible if a "pitchfork-wielding mob" were to make the rules, rather than the experts.
__________________
~ Long ago I was called Zalister, keep that in mind when reading responses to my old posts.

#87
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Jay
They also get pressure from the parents. Something goes wrong at the school and it is the school's fault, always. Never the student's fault. I just don't like how people are having the attitude that schools in general are inherently evil. However, certain lines should never be crossed, and schools should not have the right to invade people's privacy off of school property and outside of school hours. That should be the responsibility of the parent, not the school system. It seems there was someone quoting that they only used the software 42 times to assess over 30 stolen laptops. I wonder if 42 was just a Douglas Adams reference that the IT guy tossed out??? After all, that does reference Deep Thought, the most sophisticated and advanced computer system ever.
__________________
sudo make me a sammich

#88
Hall of Famer
Join Date: Apr 2002
Posts: 3,315
I'd think a school/university would arrange to purchase computers with RAM soldered in, and expansion slots removed (or fill 'em with rubber epoxy or something). That would pretty much lock those suckers down. [FWIW, from SU mode there's an even easier way to escalate any existing account's privileges by simply tweaking the /var/db/dslocal/nodes/Default/groups/admin.plist (or, heaven forbid: wheel).]

#89
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
well, these laptops get very heavy usage. I have a high hard drive failure rate too, and I think there will be a repair extension from Apple due to the higher failure rate on all their model Macbooks in that era of machines. That would make them very hard to repair and most likely void any warranty with Apple. They use the rm -rf /private/var/db/.AppleSetupDone command because it is the easiest one found on google. They could also use the dscl command line, if they loaded and started the directory services daemon, which is by default not active in SUM. Just by appending the Group admin by adding Group Membership via the command line.
__________________
sudo make me a sammich

#90
League Commissioner
Join Date: Oct 2002
Location: Halifax, Canada
Posts: 5,156
[Excuse this off-topic interjection] As an old guy let me comment that as a boy my parents always sided with the teacher. A note sent home was taken as gospel. When I was a parent of school children 40 years ago, I took exception to a teacher only once. Now my oldest daughter has been in to see the Principal of the school her boys go to over entirely outrageous behavior on the part of a teacher. There's been a gradual shift over the last 60 years. I won't argue why, but it seems to have been as much the Schools' fault as it is modern parents.
__________________
17" MBP, OS X; 27" iMac, both OS X 10.10.x (latest)

#91
League Commissioner
Join Date: Oct 2002
Location: Halifax, Canada
Posts: 5,156
More on webcams in school computers by Cory Doctorow:
School administrator boasts to PBS about his laptop spying
__________________
17" MBP, OS X; 27" iMac, both OS X 10.10.x (latest)

#92
MVP
Join Date: Apr 2007
Location: Sherwood, Arkansas, USA
Posts: 1,320
Frankly, TL, I would have been shocked and most disappointed if some of our brighter students hadn't managed to find a way around the roadblocks. That's what young people are supposed to do.... right? Or at least try!
__________________
iMac, 2.66 GHz Intel Core 2 Duo, 4GB

#93
Hall of Famer
Join Date: Apr 2002
Posts: 3,315
Hence my use of the adjectives "even easier" when (vaguely) describing the direct assault on the plist. [it's just a plain text file (xml) so, no daemons running or frameworks loading needed... either defaults write or a basic nano will do.] I guess that's only effective while not bound to the school's server though [or?].
I don't see how having its RAM chips soldered in (or the memory modules physically secured somehow) would make a Mac very hard to repair. Seems like Apple would even offer some options along those lines to edu purchasers... what with the proliferation of students getting usage of school laptops these days, etc. Last edited by Hal Itosis; 02-26-2010 at 06:13 PM.

#94
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
I don't ever try to modify directory services from single user mode, so I can't speak a lot from experience here. However, the XML file in question you are talking about is huge, and XML to a computer novice is quite overwhelming and seems very convoluted. Whereas removing the AppleSetupDone file is one command and you are done. However, Hal, you are right: there are many ways for them to compromise the machines, not just one.
So every time you need to replace a stick of RAM, you gotta replace a whole logic board? No AASP will solder parts on or off a warranty Apple part. Also, Apple has had a history of having "pain in the ass" laptops to take apart. I think them keeping it more simple and easy is really in their best interest overall.
I would call this something different, very different.
__________________
sudo make me a sammich
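The checks discussed in posts #82 and #88, as an added example; this is not code from the thread and not the poster's Casper policy. It reads the local admin group the way #82 does (the output of dscl . read /Groups/admin GroupMembership), reads the admin.plist record that #88 and #93 describe editing directly (plain XML, no daemon needed), and applies the rule from #82 that a deployed admin account never has a home folder under /Users. EXPECTED_ADMINS, the trimmed plist layout, the sample dscl output and the marker-file remark are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the poster's Casper policy.
# Audits the local "admin" group on a managed Mac two ways: from the output of
#   dscl . read /Groups/admin GroupMembership   (the check described in post #82)
# and from the dslocal record admin.plist itself (the file post #88 describes
# editing from single-user mode), then applies the "no admin home under /Users"
# rule from post #82. EXPECTED_ADMINS, the trimmed plist layout and the sample
# dscl output are assumptions constructed for illustration.

EXPECTED_ADMINS="root itadmin"   # accounts the district image leaves in admin (assumption)
ADMIN_PLIST="/var/db/dslocal/nodes/Default/groups/admin.plist"
SAMPLE_DSCL="GroupMembership: root itadmin student42"   # constructed sample output

# members_from_dscl TEXT: print the member short names, one per line.
members_from_dscl() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# members_from_plist FILE: print the <string> entries under the "users" key. The
# record is plain XML, so no directory services daemon is needed to read or edit it,
# which is why the thread says it is reachable from single-user mode.
members_from_plist() {
    awk '
        /<key>users<\/key>/ { inusers = 1; next }
        inusers && /<\/array>/ { exit }
        inusers && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print }
    ' "$1"
}

# unexpected_admins MEMBERS: print, space-separated, the members not in EXPECTED_ADMINS.
unexpected_admins() {
    out=""
    for m in $1; do
        ok=0
        for e in $EXPECTED_ADMINS; do
            if [ "$m" = "$e" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then out="$out $m"; fi
    done
    printf '%s\n' "${out# }"
}

# admins_with_home_under MEMBERS DIR: the image keeps real admin homes out of /Users,
# so an admin member with a home folder under DIR is not one of the deployed accounts.
admins_with_home_under() {
    out=""
    for m in $1; do
        if [ -d "$2/$m" ]; then out="$out $m"; fi
    done
    printf '%s\n' "${out# }"
}

# write_sample_plist FILE: constructed admin.plist trimmed to the key read above
# (a real record also carries generateduid, gid, groupmembers, passwd and others).
write_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>users</key>
    <array>
        <string>root</string>
        <string>itadmin</string>
        <string>student42</string>
    </array>
</dict>
</plist>
EOF
}

# live_check: run on the Mac itself; exit 2 so a management policy can record the
# failure (the post does this with a dummy receipt; a marker file is one equivalent).
live_check() {
    members=$(members_from_dscl "$(dscl . read /Groups/admin GroupMembership)" | tr '\n' ' ')
    bad=$(unexpected_admins "$members")
    bad_plist=$(unexpected_admins "$(members_from_plist "$ADMIN_PLIST" | tr '\n' ' ')")
    homes=$(admins_with_home_under "$members" /Users)
    if [ -n "$bad$bad_plist$homes" ]; then
        echo "unexpected admins via dscl: ${bad:-none}; via plist: ${bad_plist:-none}; homes under /Users: ${homes:-none}"
        exit 2
    fi
}

# demo: exercise the checks against the constructed samples (runs on any Unix).
demo() {
    dir=$(mktemp -d)
    write_sample_plist "$dir/admin.plist"
    mkdir -p "$dir/Users/student42"
    echo "via dscl : $(unexpected_admins "$(members_from_dscl "$SAMPLE_DSCL" | tr '\n' ' ')")"
    echo "via plist: $(unexpected_admins "$(members_from_plist "$dir/admin.plist" | tr '\n' ' ')")"
    echo "home rule: $(admins_with_home_under 'root itadmin student42' "$dir/Users")"
    rm -rf "$dir"
}

case "${1:-}" in --live) live_check ;; *) demo ;; esac
```

Run it with no arguments anywhere to see the three checks against the constructed samples; run it as root on a Mac with --live to audit the machine itself, where a non-zero exit is what a management policy would key its log entry on. Reading the plist as well as the dscl view matters because the plist is exactly what a single-user-mode edit touches.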

#95
|
Major Leaguer
Join Date: Sep 2008
Posts: 321
cwt- you have really surprised me. I figured that you, if anyone on here, would be the first in line railing on these people for invasion of privacy, draconian enforcement, etc. I'm truly flabbergasted.
The policy set forth by this school district specifically stated that the use of this technology was going to be limited to tracking laptops that were reported stolen. There was no mention of spying on people in their homes. In fact, they specifically stated that this was never going to happen. They then banned students from using their own personal laptops for any school-related work (even confiscating them if brought onto campus), and threatened immediate expulsion for anyone who jailbroke their given laptop, or in some way disabled the webcam. Now, I fully support a company or school keeping tabs on their equipment. What is done to it, what software has been put on it, etc. Scan the hard drive to make sure nothing bad has been installed, filter and log my network traffic to make sure I'm not going to tentacle porn sites. But it stops there. Snapping pictures of kids in their bedrooms from a webcam is not just ludicrous, but illegal. Make no mistake, some heads will roll for this. It's an egregious violation of privacy, to the point of illegality. This is what wiretapping laws were written for. And I have never in my life heard of a company spying on employees in this manner. They would be sued (and rightly so) into oblivion for trying this crap. They might read my emails, monitor my web traffic, check my drive for illicit software... but they cannot take pictures or recordings of me at home.

#96
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Jasen, we also do not allow any non district computers on our network. We have no idea what is on them, if it is legit software or pirated, if they have a mass mailer virus or a trojan or whatever. That is pretty standard policy across the board. We also ban PSPs, iPods, iPhones, Gameboys, and any other device that has a wifi connection.
It is for security purposes mostly.
__________________
sudo make me a sammich

#97
League Commissioner
Join Date: Sep 2003
Location: Tokyo
Posts: 6,334
How is this handled? The iPhone can also get its data from the phone company. Does 'ban' mean blocked at the network level or not allowed on the property? (seems like that would be impossible to do) p.s. just noticed this discussion pushed TL over 10,000 posts. Celebrate with a new keyboard?

#98
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
We obviously cannot stop them from using third party networks. However, those third party networks are separate from ours, and if they had, say, a Sprint broadband card in their laptop, they would still be filtered, which is our major concern for the laptops. However, a phone on its own data plan cannot transfer any security flaws, trojans or anything else to our network. We also run 802.11a radios only, so over half of the wireless devices out there won't even connect, like my iPod touch. Which sucks because I wanted to use it for remote desktop connections. You know, ironically, I bought myself a new keyboard and mouse this week. Shipped out today and I should have it by Monday, I am guessing. Got an all black LED backlit Razor keyboard and a new Razor gaming mouse. Specials on this week's woot off. Retail price, combined they would go for a total of about $120, but I got them for a total of $45 off of woot this week.
__________________
sudo make me a sammich

#99
League Commissioner
Join Date: Sep 2003
Location: Tokyo
Posts: 6,334
So your school network is basically open and you restrict what the students can access on the machine itself? The University here allows access by ethernet address only - you take your device to the IT department and fill out some paperwork. This, interestingly, produced the following conversation:
"Bring in your laptop and show us you have the latest anti-virus software." "It's a Mac." "Oh. No problem then." There's a separate network for students and for staff. Presumably the students can hack each other all they want.
Can I assume that the keyboard is black and the LEDs are probably red, as opposed to black LEDs?

#100
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
We use a shared WPA2 AES encrypted passkey for authentication to the wifi. We had so many issues in the beginning, but since then Apple has released two major OS updates that help the Macs connect in a very large, spanning wireless network. We run layer 3 switches, so the roaming machines keep the first IP they pick up all day no matter what AP they connect to (since everything is chopped up into many VLANs). My buddy who works at a local college here tells me they use RADIUS, and my old job at the prior school system used a shared WEP key, but right when I left about 3.5 years ago they did start migrating it to RADIUS. We looked at it, and we can do it, and it would be nice to just authenticate to the WiFi via your LDAP account. Maybe someday we will do that, not sure.
Here is a pic of said keyboard (and nice Douglas Adams reference, one of my all time favorite authors)
__________________
sudo make me a sammich