Student Surveillance: How Hackers Can Help Protect Student Privacy

BSidesSF · 2015 · 50:13 · 48 views · Published 2023-12
About this talk
Speaker: Jessy Irwin

Since 2011, billions of dollars of venture capital investment have poured into public education through private, for-profit technologies that promise to revolutionize education. Designed for the “21st century” classroom, these tools promise to remedy the many, many societal ills facing public education with artificial intelligence, machine learning, data mining, and other technological advancements. But these tools are also being used to track and record every move students make in the classroom, grooming students for a lifetime of surveillance and turning education into one of the most data-intensive industries on the face of the earth. This talk will investigate some of the technologies being adopted in schools and the nefarious ways they are used in classrooms that endanger student privacy from kindergarten through college.

https://bsidessf2015.sched.com/event/2t1E/student-surveillance-how-hackers-can-help-protect-student-privacy
Transcript

all right folks thank you uh we're talking uh we're going to listen to Jessy Irwin talk about uh student surveillance how hackers can help protect student privacy uh Jessy is a marketing Communications professional working in San in Security in San Francisco she's an outspoken advocate for stronger privacy and security Protections in education technology and spends as much time as possible teaching Educators about online privacy and security she regularly rants about student data privacy security and surveillance on Twitter and her current passions include dinosaurs big necklaces tacos and dropping the F-bomb during BSides [Applause] presentations uh on a more serious note I've been asked to provide a trigger warning for any of you who might be a

science fiction fan or social justice Warrior uh because apparently there will be puppies uh I do urge you to try and stick around anyway because you wouldn't want to miss out uh so let's all give it up for someone whose hand I once shook uh my now very close personal acquaintance and fellow puppy aficionado Jessy

Irwin thank you everyone I'm going to warn you I am nervous as [ __ ] and I don't know why so apologies If I Stumble all over myself um today I'm here to talk a little bit about how hackers can help protect student privacy one of my favorite topics in the world um thank you so much for the lovely introduction but as we do at hacker cons we usually have a who am I slide I don't totally love these but I feel like this is a thing I need to do so that I can get a little comfortable so who am I I'm Jessy I work in marketing and Communications um and I specialize in privacy and

security it's my happy place I have about four years experience in education technology and I've been on both sides of the fence there so I've been on the technologist side where we're building and developing all these tools for kids and I've been the person in the classroom who's trying to get kids to actually use this [ __ ] and maybe do their homework not so easy um it would take me way too long to figure out how to explain how I found my way into security but I think the love affair is three or four defcons long now kind of serious um and I do spend my off time working to raise security awareness and

I work with Melanie this year um who was spoke before me on organizing r00tz Asylum at DEF CON for the kids so that we can teach them how to hack uh so that being said what is this talk about ultimately this talk is going to be about security and the very large lack thereof that exists in education technology I'm just going to give you a warning that this is not going to be a really technical talk I like to make jokes about dropping 0-days I don't have any to give you today um we're going to end up covering some of the kinds of technologies that are being used in the classroom some of them are kind of creepy in

surveillance um we're also going to talk about some of the regular security vulnerabilities and things that are kind of [ __ ] attacks that technologists are doing to kids in the classroom in their products uh but yeah fair warning not going to be massively technical talk so to kick things off I just want to give a really brief overview of the education technology industry it's kind of boring but it's a necessary setup um for the most part A lot of the people who are Building Technology tools have this idea that technology is just going to be the absolute Silver Bullet that fixes all of the societal ills that we're trying to take care of with

education um for the most part though as an industry education technology tends to raise less money um from investors for products than consumer technology um even though they raise a little bit less they still tend to have a lot of money flowing in every time I look at a number the next year it's two to three billion dollar higher um in the same way though that teaching doesn't necessarily attract the best and the brightest people education technology doesn't tend to get the best and the brightest technologists because generally like somebody can pay them a quarter a million dollars a year to figure out how to go click a link or make a like button

happen um that kind of sucks I don't like that part uh when you're launching a company especially from the Silicon Valley there's a lot of pressure to get out of the gates as quickly as possible with a new tool there's this race to Market and one of the most frustrating experiences that I have had in my career is being inside of a company that's working really hard to just run for the market and say okay guys where's the security what are we doing for the privacy angle typically though the answer that I got is that security is a luxury it doesn't matter that we have all of these open source software libraries out there and they're not

really that hard to implement or maybe to audit to make sure that they fit within what your product should be doing it's way too hard to do security is way too expensive because it takes too much time it's obviously unnecessary and one of my favorite excuses which I think if you're sitting in this room you understand people will say oh but if we put too much Security in it's going to slow the site down I mean if it slows your site down you're probably doing it wrong but that being said the thing that sucks is that this industry walks around with all of this money and says whatever nobody's who wants to hack kids homework that's

not important that's not going to happen another problem with the industry is that your end users and your purchasers aren't necessarily going to be technically literate so when one side when I'm working with a group of developers they would say well we don't really get a demand to build in all of this security stuff into our app well of [ __ ] course you're not going to get a demand for security you are selling to teachers you are selling to Educators they're not security Engineers they're not going to ask you if you're accidentally using MD5 as your password hash which by the way is a no-no I think we understand that but it's really

frustrating because on one side you have all of these people with all of this money saying yeah let's go revolutionize some education stuff and then they say but we don't need to do the security piece it's too expensive it's too much another problem schools typically don't have a lot of budget they don't have the Manpower they don't have a single person on staff who is in a position where they take ownership of security so you have an IT person who just makes sure that stuff runs but there's no one who says oh well what about Network segmentation what about all of this device management we might have to deal with with BYOD what what

do we do about that that doesn't exist what's really frustrating about that too is that education tends to be one of the most heavily data mined Industries there is out there and you're having a lot of data collected on all sides so you get you get data from the school side you get data from the product side you're getting data that's being sent back and forth from Departments of education and governments you have data that's really private and really sensitive flowing everywhere and when you ask about security there's just a whole bunch of well I mean it's not my job I don't want to do it so that being said when I talk about education tools and I talk about all of

this data mining what I'm really talking about there are a lot of tools out there and they do some creepy things they tend to contain more sensitive information and more personal identifying stuff about kids than just a school assignment so this attitude that no one's going to hack a kid's homework or no one's really interested in student data is kind of [ __ ] um right now in the market there are a lot of Adaptive Technologies and what these Adaptive Technologies do is they basically monitor what kids are doing in the classroom for an assignment and collect as many data points as possible and then they data mine and Big Data the hell out of those data points

to try to draw insights and to try to draw conclusions there are a lot of Behavioral Technologies so teachers can walk around a room with a mobile device and say well this kid's behaving this kid's not behaving and that's a little creepy but there are also tools that guidance counselors and special ed counselors will end up using with students and they're maybe protected by HIPAA but they're really not that secure either in terms of what goes on in the classroom there are a lot of content distribution channels for math lessons science lessons YouTube videos you name it but even though these may not have as much important personal identifying information they do have grades and

grades are kind of a big deal in school uh you still have Learning Management Systems there's all kinds of data storage and warehousing I could I could name names but we would be here at least until tomorrow and that's probably not cool I don't think anyone wants to like Miss the parties later um but that being said for all of this information in some cases these companies build profiles that are like 400 500 600 data points large all of this information is just kind of swimming around and if it gets out especially in a data breach and it's everything about a kid's life and a kid's family that's a huge freaking catastrophe in some cases we're not even

just talking about high school students or middle school students we're talking about five-year-olds five-year-olds with Huger profiles on the internet than like your Facebook profile so that being said I want to talk a little bit about some of the specific things that are out there that are creepy one of the stories you tend to hear about education the most is the data mining that tends to be one of the creepiest aspects but it's not the absolute worst um this is the thing that gets the headlines there are companies like inBloom and that's one of the ones that keeps all of the data about kids um that end up getting shuttered because privacy Advocates and

parents just don't want something with that much information about their kids out there um and then you have places like the Gates Foundation or companies like Knewton that really want to try to unlock the whole big data thing on kids and they have really creepy programs like the Gates Foundation wanted to stick biometric bracelets on kids so that you could collect this information and figure out if they were paying attention during class and if they weren't paying attention during class then you could go get the data from yes pretty much it's like oh this kid's not paying attention here because the data said so how do we hack that so the kid like doesn't keeps paying attention for

as long as I want it to pay attention what that's a little creepy um some of the other things that they've wanted to put in classrooms surveillance cameras like what terrorist oh that's what that's about I'm sorry am I doing this in colleges are they doing this in colleges it really depends so between k12 and universities it's a little different some colleges do have surveillance cameras maybe not in a classroom sometimes in larger lecture halls I know that about Virginia Tech that's a long story but there are kind of experiments going on where they're trying to figure out how to hack how much kids can learn so they can get more information in there and I just think I

think that's [ __ ] creepy and I don't want to see it um there's some other weird things that go on with education technology tools too um in schools IT departments tend to be more focused on monitoring and filtering and blocking web traffic so that kids like can't go watch porn they can't look at any like graphic M none of the good [ __ ] on the web that we actually get to enjoy can kids do which is just [ __ ] ridiculous because what ends up happening is all of these kids are in the classroom and their teacher says Hey and go make a YouTube video well your web filtering tools say no YouTube no Twitter No

Wikipedia how are you supposed to get anything done in that environment in the real world you know if you go home and you do your homework and you have access to these things you get a ton of stuff done but what tends to happen um in a lot of especially disadvantaged areas is that kids have their own devices in school that they bring home and because so much of this web filtering keeps moving to the cloud and keeps it it actually ends up following them to their homes so for the kids who have free internet access and can get them mom and dad's computer they have one experience of the internet for the kids who have to

use a device that is school issued and has the cloud filtering that's just meant to watch what they're doing they have a completely different internet experience and that really impacts their digital literacy skills that [ __ ] sucks I'll say that probably 800 more times so just fair warning um the the main reason for this is there's one piece of legislation called E-Rate and that's the rule that says kids can't watch porn in school or on their computer or whatever which is just stupid because it's a qualitative rule it's a it's a judgment value it is a thing where someone says kids can see this but not this I can't give you a fact or a math number or a reason why

but no I am just saying no more often than not these filters are set up to actually like catch certain web activities and there will be a flag that goes up for an IT administrator and suddenly the kid who went to that one site by accident because of a typo is in trouble because they accessed or tried to access something that they shouldn't have um in other situations and this is one of the reasons I really love kids these days kids have figured out how to circumvent this filtering I don't know if you guys have heard of this thing called Tor there's like something with an onion involved kids [ __ ] love that Tor

thing they know about it they're like oh no I can open this Tor thing and I can go do whatever I want on the internet and nobody else knows about it so like that that is one of the only tools that kids have to actually get around this on the other side you have this creepy ass email filtering where schools get really pissed if they think that they're using Google apps for edu and Google Apps is going to be scanning and taking away a little bit of data and like trying to serve ads to the kids well get mad at Google and then turn around and pay another company tens of thousands of dollars a year to scan for certain words

to pop up in your email filters flag the word to administrator and then go discipline a kid I mean we're supposed to be spending money on education technology to actually educate kids and give them learning experiences and instead we're forking money over to web filters and email filters so they can go to the principal's office yeah what about email monitoring because I know my school uses Google to serve us email well so with Google they actually have changed some of the way that they've structured apps for edu they don't like monitor or anything like that so that they can serve ads they don't send out ads to kids but there's this huge uproar where

people will the first example they will have is we don't want Google in our school because of ads it's like well that's fine we're not giving the kids ads but your administrators are doing the same damn behavior and you're not drawing a line between what's okay and what's not okay okay lost me spot in my notes hold on oh no we're good uh so that being said there's a couple of other surveillance things that are really creepy some of these you might actually recognize as things that criminal groups on the internet do notice I didn't say hackers because hackers don't do this on the Internet it's criminals um there's one case in Lower Merion Pennsylvania

where a student was disciplined because an administrator actually accessed his laptop computer camera turned it on and saw what was on his desk and thought that the kid had drugs on his desk at home um and the kid got in trouble there was a huge court case but why the hell you need to have RAT software in a kid's machine and turn it on when they're not in school to see what they're doing there's some other cases where that software has been used by administrators to turn on a camera when girls are having a sleepover or changing clothes or something like that which is even creepier that's not a permission that school devices should have that's that's

not a thing they should be able to do um one two three that [ __ ] sucks yeah basically are these are these School owned computers or are they privately owned they're School owned computers and you can argue that if a student and a parent agree to an acceptable use policy like okay fine we wrote that in the rules for it you agreed to it we can do it but it doesn't mean it's okay especially if you're in a situation with a student where they don't have the means at home to access another machine like their hands are completely tied um there are other situations where outside of school grounds there are companies who get paid hundreds of

thousands of dollars a year to actually do social media monitoring of students so they will see what the teenagers are tweeting about by the way I don't know what this Fleek thing is but I'm pretty sure somebody gets like $100,000 a year just to figure out what's on fleek and what's not Fleek or whatever these teenagers are doing right now your lipstick is on fleek oh okay got it got it okay does that mean it's on wait does that mean it's on my teeth or um another creepy thing schools are starting to do as well is they're trying to actually stick RFID chips into student badges so like we use RFID chips to track cattle but if you send your SK

your your kid to school we're also going to track it with the equivalent of of a cattle yeah yeah yeah so ultimately like a lot of the things that I tend to see schools doing with technology they're not about learning they're about controlling Behavior they're about getting people in trouble they're about discipline and it's really creepy on the other side and moving to the next portion um we've had a brief overview of some of the the things that suck in schools um we have all these tools that are building up and and sucking up massive amounts of data there's not really any consensus on security there's not really any legislation that's helping us at least

establish a baseline so as a result we get a lot of security holes and we get security holes that are they should be absolutely unimaginable and they're not so that being said let's let's talk about some of the attacks and the vulnerabilities that are pretty common I would name drop here I would spend so much time listing the names of companies and putting logos up here it it's just unbelievable so one of the things that tends to happen with education technology sites is like I've said they collect a ton of data but when the data is in transit and sometimes when it's in rest it's not being protected properly um education Technologies hate talking about SSL https throw out whatever

encryption word you want to use the thing that puts the lock next to the HTTP with the S on it and the browser they hate talking about it they say it's a non-issue except that's the tool that we as security practitioners know provides privacy to our end user usually reasonable privacy unless somebody in this room's really amazing at hacking around that and we'll have that conversation later um but what ends up happening is these education technology companies say nope it's too much pressure to encrypt the whole site it's too much crap to take the time and deal with session cookies and all of that we're just going to encrypt the login page that's it nobody's going to try to

steal the kids homework nobody would have any reason to try to like log in and change grades or Math assignments or anything never never ever so they just don't bother um there's one really good example of this so there's a security researcher named Tony Porterfield um I'm so sad he couldn't be here today because he would be dropping 0-days with me but he did some research a couple of years ago on a learning management system called Edmodo and at the time I think Edmodo had 30 million users so it was pretty well established within K12 schools and I think they had raised about $60 million and he realized that his kids use this tool all the time but the login

page was encrypted nothing else he realized he could literally Firesheep all of his kids with the browser plugin and see what they were doing with their homework what they were doing when they were communicating with other people in their class and in their school and he wasn't comfortable with that so it might have ended up in the New York Times I don't know exactly how that happened but it might have been in the New York Times um Edmodo said well you know we don't really we have this feature but it's an opt-in we're talking about kids and we're talking about kids talking to kids and kids talking to teachers that's not okay that's not okay

at all it's been a couple of years since this happened and it has been fixed instead of making their users opt into the encryption now it's default but it should have been default all along we're talking about extremely sensitive data here and we're talking about kids kids I mean no freaking way um in another bit of research that Tony did he found this list that's been running around the internet since October there a whole bunch of companies who have signed a student privacy pledge so they signed the Privacy pledge and they all promise that they're not going to advertise and Market to kids and they take privacy really really seriously so if you go through the list

and you go look at who has sitewide encryption and who doesn't you'll figure out really quickly who cares about privacy and who doesn't when he first started going through the list he was up to 16 companies that didn't have any encryption anywhere at all they were sending things in the clear so like tell me again how you're signing a student privacy pledge but you're not actually building technologies that will take care of student privacy when you're shipping them out there and when the kids are using them well the other thing is you know Firesheep happened in what like 2011 to Facebook it's 2015 it's been for [ __ ] years like you can't figure out maybe

how to make all of that lifting on the other side of of how how is this even possible it just shouldn't be even if we get the education Technologies to actually follow the best practices in encryption we still have another problem and that's the web filtering that I was talking to about earlier so one thing that tends to happen with web filtering and it's not that much unlike um a recent vulnerability that we were all yelling about on Twitter with Gogo where they were basically breaking this secure connection between the end user and the server and inserting their own self-signed certificate that's happening in the majority of the filtering software that is being used in schools

today and when that self-signed certificate gets stuck in the middle there are also some really creepy Tools in there because I haven't said creepy 10,000 times already um there are some really creepy Tools in there that can figure out what the kids are doing report back and send the kinds of flags that get them in trouble uh the majority of filtering software does this and especially since so many schools are deploying one-to-one programs and it's moving to the cloud like this is not something that is going to get better we recognize man-in-the-middle attacks as practitioners and we need to be able to really spend some time looking at these

things calling them out and saying hey like maybe it's not cool that this is the vulnerability that everybody got mad about with Superfish and with Gogo and we're doing this to minors the last thing it's kind of it's story time now um in addition to man in the middling kids in addition to not encrypting things and using the appropriate privacy measures a lot of Education Technologies just don't know what that OWASP top 10 thing is they don't know what that security thing is either but if you spend enough time poking around these sites you will find really common vulnerabilities that are outside of the threat model that's been established by the education industry which is

advertising and marketing so in one case and this is relatively recent um I'm sure everyone's heard of the lizard kids I think they're actually called the lizard Squad but I like to call them the lizard kids I have a little beef to pick with them so I would say early January they were poking around in the web and they realized that there was a cross-site scripting vulnerability in a piece of database software so cross-site scripting we've been trying to eradicate that for how long now yeah not new this shouldn't be a problem so these lizard kids they're not really highly technical at all they know how to get behind a Metasploit they know how to get behind Burp they know

how to make that thing work and they know how to exploit a vulnerability what they did was they found one vulnerability in a piece of software and then they discovered that that piece of database software was shared across 33 different universities what they claimed to have done was to have drained all 33 universities of all of their Student Records now I haven't gone through the entire list and there are some people who are doing that work but so far in seven or eight cases these kids who don't have really high technical capacity are on the web and they're draining these these universities of tons of student records and the only way you find out is if you know to go look on

Pastebin or you see them on Twitter showing off that's something that we can prevent that's something we can build for that's something that we can protect from but there's this absolute and complete just total ignorance of security best practices that allows things like this to happen I mean we know the threat model of the web is that you have to be able to survive an automated scanning tool and these companies who are building all of these products for kids and sucking up data and sharing them left and right everywhere aren't at least protecting their end user by following at least the bare minimum practices that we have as developers one reason that this thing tends to persist is you have the people

who don't know anything about security being decision makers so if you're talking to someone and you're saying well I just want to make sure that we're all together in privacy the company will say yeah we take privacy really seriously but end users don't know how to go through and how to evaluate what these products are doing and how they're actually doing that there's no outside signal they tend to look for a badge they tend to look for a piece of marketing information there's no other way to rate something unless you have the technical skill to dig through it and say yes or no so if I haven't already made this point clear everything [ __ ] sucks and

everything's broken it just is so between developers and technologists there's not really great um you're not really paying attention to the best security practices that are out there in terms of legislation we don't have any bare minimum Baseline to meet I mean there's FERPA but FERPA which is the family educational rights and Privacy Act hasn't been touched since the 1970s so that doesn't really help apply to all of the things that we are doing on the web right now and all of the things that we are building it's not good enough for the world that we live in in terms of network security I mean at the school district level most schools are still running on Windows XP

it's been almost a year since Windows XP was sunset so that's a whole bunch of unpatched 0-days I don't if anybody would actually want to burn one of those on a school we would have to talk about that but that's a whole bunch of unpatched insecure software that's holding on to a whole bunch of Records pretty much longer than all of our natural lives um and then in terms of end users I cannot even begin to explain the lack of end user security awareness that is there in schools if we're able to educate teachers we can make this a lot better because teachers have the ability to impact you know 30 40 students that are in their classrooms

at a time if we arm them with best practices and we teach them about password managers and not [ __ ] clicking the link with the malware in it oh my God please don't ransomware your whole school district if we teach them these things they can pass them on to kids and we can make our future a little bit better but we don't really have any tools to do that either um so that being said there are a few people in this world who do have the power to help do that and that's us that's hackers we have the power to be able to look at a piece of technology and say whether it

does what it promises to do and we can take its creators to task for doing that or for not doing that one thing with education is that it is a massive piece of critical social infrastructure and as hackers we talk about infrastructure a lot we talk about OpenSSL we talk about power grids we talk about trains and planes and Automobiles but this is social infrastructure and it's doing some really terrifying [ __ ] to kids and we don't even know what some of the surveillance that I talked about earlier is even going to do to kids in the case of Education words and policies aren't really mapping back to some of the Technologies and find their way in the

classroom and right now we don't have enough security researchers even paying attention to this issue to be able to push back I can think of maybe three or four and I have been watching this particular issue for a few years now some of the information that is contained within all of these school systems can affect a student's entire future and with education if you don't like it it's not very sexy that's fine but it's full of all kinds of gaping holes that endanger privacy and it's a place where we can make a huge difference specifically because kids don't have any consent they don't get to walk into a classroom and say well I don't think your API wrapper is really

secure so I think I'm going to take the other class or oh I don't like the way you handle Google Docs because of the way that you set up your network there might be a little hole over here I'm going to go take French and basket weaving that's not how this works when there's bad Security in a school district it's actually a lot like when there's bad security at your insurance company you can't just pick up and leave you have to actually have a life-changing event to get out of that system and that's not something that's usually an option here in a lot of cases the self regulation that the industry is really looking for they all want to

establish their own security principles is just not going to fix this problem over the past few years a lot of the success that we've had specifically in getting education Technologies to pay attention to these issues has been when there's a parent or there's a security researcher who calls it out and calls it out very publicly they may even use some of the skills that Melanie was describing earlier um for reaching out to the media but that's the only way that we get any change one thing I'd like to point out too is that when we have college students who are really smart and they poke around their school networks and they try to do what they can to point

out security holes more often than not they report a security hole and they've been labeled a miscreant or a hacker and they're in trouble or in the absolute worst case I have seen situations where you've had someone who is their fifth year of college they're an engineering student and 3 weeks before graduation they discover a vulnerability that would allow them to change everyone's grades and they get suspended from school so the five years of work that they did before that moment that they tried doing the right thing and actually reporting the vulnerability didn't even count because they found one hole and somebody got scared about it so how can everyone help well go hack at things that are education tools if

you're a parent you can go poke around and see what's happening with the tools that your kids use in school if you're not a parent and you want to help just go find a list of student privacy pledge signatories I can tell you that the fields are vast and they are ripe with 0-days I promise um there's a lot of mobile security issues there's a lot of web application security issues there's tons of API security issues if you have one specific subset of security that you really enjoy it's not hard to find an application for it in education and if you do actually find something I don't care how you disclose it you can

coordinate your disclosure you can be full with your disclosure you can do whatever you want but if you're able to draw a parallel between some of the awful things that we have seen happen in consumer technology and fix them and then turn around and point them out in education that's going to be one of the most powerful tools we have to push the entire industry forward to doing the right thing for kids it kind of depends so if you are the student and you find a vulnerability you might actually want to go talk to the company first and maybe not your Administration I've I've seen successful cases of that absolutely not immediately and shut the hell up until you done it

actually that's better advice y That's better advice he's a lawyer he knows

better yeah for the most part if you find something figure out the right way to say something if that means you have to encrypt it 85 different whatever find it report it share it it's an opportunity to get something fixed that can help a lot of people um at one point I was really worried about actually standing up in front of a whole room of people who identify as hackers and saying look this is a huge vast industry that is full of all kinds of holes go run after it because I was afraid that if I screamed too much about it black hats would show up and we would have situations like the lizard kids

where all of these databases are getting downloaded and getting sold on black markets and the dark web and that would be the story at this point we already know these criminal groups and the black hats are kind of poking around so what I'm really hoping that we're a we can do as hackers is throw some white hats at this and get a few steps ahead of them and really take care of all of the kids who are stuck using these tools and have no other way to protect themselves except to trust the adults that make the decisions for them uh that that being said as promised we have made it to the end here is the

puppy his name is Winston and he has a heart on his nose and I love him and if you see me in jail it's because I dognapped him um any questions yes not yours he's not mine no yeah yet legally um Cooper

yeah out disallowing access to any https yep how prev I actually oh so repeating the question um the question is are there is is it a thing that schools are actually not whitelisting traffic to secure connections so they're blocking https um I have seen a little bit of this but there's really no one doing like widespread data analysis of this it's hard to get and you're probably going to have someone throw FERPA in your face but yeah that being said though I know that being said though I have been working with Educators for the past two years on raising security awareness and I can think of a few schools even in the Bay Area that have like School

districtwide implementations of https everywhere so yay follow are are schools treatings bundle are theying kids download it or that how is that being seen by the administration so the question is how are schools treating the Tor Browser Bundle really depends um in some cases they really don't care the IT guy is really cool and he's like yeah you found it you're leet now and other cases um you can look at entire school districts like LAUSD um in Los Angeles the kids figured out a way around the iPad filtering and that was using um The Onion Browser and they got called hackers and they all have notes on their permanent records and they have a mark against

them yes Dan less of a question more of a statement there's a lot of parallels between what you're describing in education security and corporate security yeah there's a lot of Venn diagram is like 80% same and the other thing because check box right yeah um the other the other talking point is um speaking from personal experience the bad guys are already there um you are not disclosing that there are new vulnerabilities that people should go find um speaking as a guy who has been crucified for scanning all the things the bad guys are allowed to scan whatever Fu they want and we we can't scan [ __ ] we have to get it in writing

they're 10 years ahead of us so by all means submit this to as many conferences as you can you're not going to hurt anything there is a lot of overlap between corporate problems and between this a lot of times when I bring up the topic of Education security I hear well but we already have these problems and I'm thinking well yeah you do have these problems but kids don't have consent on this particular issue and these are their Futures that we're protecting with all of this data that's the thing we have to take care of um so I know you sort of touched on the administrators making the decisions on which software package to purchase um

so my understanding that it's sort of ran to the pharmaceutical where there's a lot of backroom deals and packages vacation packages food for these teachers and is there any instances where they may Overlook security because they got that nice trip for yeah so the question is um like what we see with pharmaceutical companies is there a way that maybe schools can be talked into or bribed into ignoring security vulnerabilities there are complicated relationships and I would say that I've seen quite a bit of the kind of backend handshake sort of thing um with Los Angeles's iPad program um there's actually an FTC lawsuit right now I just because of some of the funny things

that have been taking place there I think in general school districts are becoming aware of security issues but I don't think that security is so strong of a selling point for them that you would have to like ignore it or talk around it 97% of the time schools forget to actually negotiate a sorry 93% of the time they forget to actually negotiate in the contract that they keep the rights to student data that the company doesn't own it so I feel like if they can't even remember to maybe preserve the rights of student data they're probably not going to say hey by the way do you have like a secure content header policy what's going on

here a private school network is wide open re there's one person supposed to be in charge it he doesn't have time so um after my son was

detention manool um I had to put mon software on his laptop to show them the stats in three days I had him on average at school on the web looking I had over 110 different websites um 36 of them were gaming sites so I my stats presented that to them and in exch

in last Ste 23 oh my God at school so I kind of introduce this like's like two things there's a lot going on here but when inol should be Nots the really addictive as all know some of yeah I see a I see a hand over here used the word creepy a few times yeah um I I'm wondering I mean a lot of the things that you described as go well Beyond in terms of being actually illegal like you talk about know watching watching kids undress in front of the webcam or something like that that's not creepy that's that's criminal yeah criminal so Su you work on sort of refining and and using more specific words to describe

that make Point sure especially when I'm working with an education audience I'm really careful about that like if I tell them creepy they're like yeah we hear kids say that word all the time uh but yeah thank you yes yeah um just recently I blew the whistle on a very high level College administrator in the state of California for lying about his academic credentials I was wondering if you've ever seen any examples of malicious administrators taking false data they said s students email account or activity has that's a paranoia I have for the whistle I haven't really seen anything um the question is if there's any evidence of malicious manipulation of Records or anything like that I haven't

seen it it doesn't mean that it's not happening um but I just really haven't seen it yes I actually want to address the already spying on kids when they're dressing isn't wrong because it's illegal it's wrong because it's a [ __ ] adult spying on a [ __ ] child uned it has nothing to do with legality issues and everything to do with the fact that that kid can't [ __ ] consent your behavior and it's not okay and that's that's not an issue of legality or criminality is an issue of shitty [ __ ] ethics can [Applause] I understand what you were trying to [Music]

say

yeah anyone else yes

rights a lot of not understanding right this they don't understand what it is technologists going to District administrators look I will show you I'm show why why is absolutely because the majority of people who are in positions where they're making decisions about technology in schools do not have the technical skills that or the knowledge that we might expect they're more focused on the instructional implementation and instructional practice and learning and kind of less about what all of this other stuff that touches the technology is so if you ever have the opportunity to say hey you might want to think about this or you might need to know this about Tor or when you find out

something about an education technology tool ask how they you know how they treat encryption how they absolutely it's an opportunity for us to build Bridges and to educate a wider audience and to really be able to I mean if we're able to touch one District administrator with that knowledge that person's making decisions for like three to 5,000 kids on average that's a pretty awesome thing to be able to do yes and

sadly

yes com just for other people who may not know this there's an who recently charged with because they changed

the want to say extra the yes show [Music]

discrep I mean do we really need to give a kid a felony because he stuck some porn on his teacher desktop like wait what the one that I read was a kid who changes teacher desktop to porn you guys are talking oh my God I'm done ah I read about one kid who did that with porn and he like got in massive trouble but it was in Canada oh my God so your inability to security is why a kid now has all right any anything else

yes right well the behavior is not a new Behavior it's just so much easier because of how easy technology is to manipulate and to use so anyway I think that's all unless anyone has a sneak surprise question and I just want to thank everyone for putting up with me saying the word creep 500 times and did anyone count how many times I said [ __ ] thank

you well done thank you I was a little ranty