Sophos Cloud Optix
The US school system of Los Angeles, in the state of California, spent $1 billion this year to equip every student with an iPad.
Half of the funds were dedicated to purchasing the tablets, while the other half went to power the WiFi infrastructure that ideally should have fed the students a steady, nourishing diet of bore-your-brains-out curriculum material.
Unfortunately, a virulent plague of fun broke out within the first week of iPad possession after students quickly learned how to kick over the so-called firewall keeping them away from truly interesting things such as Twitter and Facebook.
300 high school ‘hackers’
According to the Los Angeles Times, nearly 300 students at Theodore Roosevelt High School managed to “hack” through security (if you can use that word with a straight face, given how simple it was) so as to surf the Web on their new school-issued iPads.
The LA Times reported on Wednesday that it had gotten a peek at a confidential memo sent by top school brass to senior staff.
In that memo, LA Unified School District Police Chief Steven Zipperman suggested that the district might want to delay distribution of the devices.
It had come to light the day before that students were suffering an outbreak of non-schoolwork-related glee caused by sending tweets, socializing on Facebook, watching videos on YouTube and streaming music through Pandora.
Zipperman wrote:
I'm guessing this is just a sample of what will likely occur on other campuses once this hits Twitter, YouTube or other social media sites explaining to our students how to breach or compromise the security of these devices. ... I want to prevent a 'runaway train' scenario when we may have the ability to put a hold on the roll-out.
The LA Times reports that the problem of iPad-related fun was also an issue at Westchester High and the Valley Academy of Arts and Sciences in Granada Hills.
When the newspaper asked students to explain what sophisticated hacking technique was used to break the security on the iPads, Roosevelt students explained that the trick was to delete their personal profile information.
Students had begun to tinker with the security lock on the tablets because “they took them home and they can’t do anything with them,” Roosevelt senior Alfredo Garcia told the newspaper.
With their profiles deleted, the students were then free to surf at will.
I’m making fun of the incident only because it boggles my mind.
This school district is on track to spend a total of $1 billion on a technology rollout of expensive gadgets that were secured with a user profile that could be deleted.
Seriously? That was the extent of the security put on these devices?
Was this quote-unquote security vetted by anybody, at any point in the process?
Mind: boggled.
It’s funny, but this incident actually represents a serious problem.
As two senior administrators said in a memo to LA schools Superintendent John Deasy that the LA Times reviewed, the lack of strong security meant that outside of the district’s network, children were free to download content and applications and browse without restriction.
The memo read:
As student safety is of paramount concern, breach of the ... system must not occur.
Endangering the school network is one potential danger of unrestricted surfing. The internet can be a slimy place even for grownups, what with the nastyware you can pick up at dodgy sites.
For children, unsupervised, unfettered surfing is dangerous on a deeper, far more disturbing level still.
Those dangers include sextortion, often targeting children, as well as cyberbullying.
From trolls making death threats against children on Facebook to creeps who hack into cell phones to steal and distribute explicit images of children, the internet can be a swamp.
LA has reportedly stopped distributing iPads.
I would sincerely hope that before it starts handing them out again, it finds a way to secure the devices a bit more thoroughly and makes sure it properly configures its firewall.
Kids, it’s not that we don’t want you to have fun online.
We just don’t want you to walk in front of a rattlesnake to do it.
Image of girls with iPad courtesy of Shutterstock.
So am I right in thinking that this problem could have happened with a windows, android or RIM device ? Just seems that your linking the iPad in as part of the problem or am I reading this wrongly.
I think you're reading it wrongly.
You can't write an article like this – which is IMO interesting, importatant and informative – without identifying what sort of device was chosen (not least because it's a matter of public record 🙂
They're iPads. They were deployed in a way that didn't meet intended security levels.
Note that Lisa asked, "That was the extent of the security put on these devices?" And that's what the article is about: mobile device security. In this case, on iPads.
PS. No more RIM. It's all just BlackBerry now. The company is BlackBerry Ltd.
Yes, what Paul said. Thank you, Paul.
If anyone actually believes that these students aren't already doing all these social networking things on their personal smart phones, I have a bridge I would like to sell you….
We adults need to get real: this is a normal part of life today, it is not going to go away, and it becomes our job to teach the children how to proceed safely through the social network. Adults need to learn how to navigate it, become as familiar with it as the students already are, and STOP being afraid of things that are new and different.
I totally agree, they should give up on "securing" those devices (which will always fail) and replace that with courses on the dangers of internet (and life)…
If you want people to behave intelligently treat them intelligently!
Children are not cattle to be protected from the outside with electric barriers.
I kind of sort of agree that you can't pen children in like cattle (those RFID chips just keep surfacing through the subcutaneous fat… kidding! … but not really! http://nakedsecurity.sophos.com/2013/01/14/studen….
Safety-wise, it's incumbent upon parents to teach their kids Internet smarts, and that involves a slew of lessons, including a) Justin Bieber is highly unlikely to message you and ask that you be his girlfriend (http://nakedsecurity.sophos.com/2013/09/18/justin-bieber-imposter-jailed-after-tricking-children-into-stripping-in-front-of-webcam/) b) how to deal with cyberbullying, and c) how to respond to sextortion/any attempts to get you to strip or engage in sexual acts in front of an electronic device, on top of, of course, d) not clicking or downloading screwiness.
But there must be a boatload of legal ramifications involved when you're talking about a school handing out devices. Keeping kids corralled only makes sense when you're talking liability, never mind protecting the children themselves.
And seriously, why not pen them in when they're using taxpayer-funded gadgets? I don't believe that most taxpayers feel the need for schoolchildren to receive subsidized YouTube viewing sessions. And goll darn it, what about that there learning part of this? Like, the curriculum itself?
If it's going to be a purpose-built gadget—i.e., the purpose being education—I say pen them in.
But first, learn how to build a proper pen.
This pen was made out of toothpicks.
Bring that up to the teacher unions and tenured teachers that have been in districts for 20+ years. They have zero obligation, legally, to learn how to do anything different no matter how many professional development days are scheduled throughout the year. Educators, in my experience, are the absolute worst learners.
Ten years ago (or so), I was advocating this very thing at a national teacher's conference. You can't "protect our children" by using technology to wall them off from the internet. Instead, you teach them about the dangers and how to deal with them. Even likened it to teaching your kids about "Stranger Danger" rather than never letting them leave the house.
Turns out, the teachers and administrators didn't want to hear that. What they want is a turn-key solution that protects them from litigation.
I agree whole heartedly with naked security. I love technology. I think it has helped us tremendously. And perhaps if this were done in a much more controlled fashion, it might work. But why on earth would anyone think handing out a ton of expensive mobile computing devices to a bunch of kids with very, very, VERY horrible security locking them down is a good idea?
First off, kids tear up normal text books. I saw some pretty messed up books in my day. Do we actually think they will take better care of devices that cost hundreds of dollars more? Have they looked at the state of the desktop machines in the classroom/libraries? I've seen kids wreak havoc on those for decades now.
Secondly, if these kids are taking these devices home, they are then free to poke and prod these things until they have them "hacked", and that's if they don't physically destroy them first. Once unlocked, they are free to surf all sorts of sites ranging from warez or porn to facebook and twitter. They most certainly should not be used to expose a child to illicit or raunchy material. And I'm not saying facebook and twitter are as bad as the prior two site genres, but these devices were meant to supplant text books and aide in learning. They were not meant to be a child's personal play thing/social outlet. I think sites such as facebook also offer their fair share of malware infection, while allowing the continuance of cyber bullying. Now kids can cyber bully in the classroom without making a sound!
Then after the kids have infected these devices with all sorts of garbage, they are free to infect the schools network with malware, and other children's minds with who knows what sewage they churned up from the depths of the net.
We had computer lab sessions in school when I grew up. It's part of what got me interested in technology. They were great, but those environments were closed off and closely monitored. There wasn't 24/7 free access. The damage children could do was very limited. Now it's as if kids are entitled to free range on devices they didn't pay for or earn.
If I were a parent in one of these districts, I would be furious. We may not have paid for these devices with tax payer money directly as I believe this was money donated by someone. But we ARE paying for the IT support and future upkeep of the network infrastructure. They are not just securing a network or a device. They are securing our children and their futures. Do we want them growing up thinking any of this is acceptable? Do we want them to learn and obtain a decent education?
I wanted to respond to where you said "But we ARE paying for the IT support and future upkeep of the network infrastructure".
Sure, you're paying for those things, but you're not paying well. Something that boggles my mind is that education is 100% centered on technology now, yet IT as a department is not well compensated and virtually ignored in "administration meetings". That is exactly how things like this happen.
They don't have any technical IT attend administration planning meetings to catch problems before they rain money down on something they don't understand. It's also quite possible they aren't even paying well enough to have any competent IT on staff to do such a thing.
As a systems admin at a high school, I was paid less than the school janitors. The folks that would be in charge of securing the iPads in our surrounding districts are "IT Engineers", in charge of 5 or 6 schools, and are paid less than the teachers. You get what you pay for.
I completely agree with you, and it is very sad to see the IT staff paid less than teachers, yet have to manage 5 to 6 schools. I hope you have either been compensated better or perhaps moved on.
There is a technical high school in my area of which I have a contact. He has regaled me of stories about the district cutting budgets and how he has resorted to dumpster diving to get almost all the network appliances he uses in his classes. While I applaud him for his resourcefulness, it is extremely disheartening to hear that a new technical high school won't buy actual learning tools like routers/switches, while other schools happily "make it rain" iPads.
@Concerned: “… these devices were meant to supplant text books and aide in learning…”
The schools should have provided simple e-book readers (without wireless communications) with the needed textbooks, handouts, and other written learning materials installed. Those e-books could be locked down to prevent adding materials not related to school. This would avoid the expense of printed textbooks, exchange an 8 ounce device for 15 pounds of books, and prevent misuse of school-provided devices.
iPads or other computer tablets waste money and provide the ability for students to waste time in class while appearing to do work. School districts buy them for appearances: such purchases make it look like the schools have entered the 21st century (when their educational techniques are still based on the 1970s).
That is an excellent idea! I think they should have gone with a 1st gen Nook for a 1st gen test in schools. Use something that does the job, and only the job required.
why the hell do they need ipads? what a waste of money.
stupid spoilt kids. stupid spoilt state.
makes me so angry
Congratulations for spelling 'complement' correctly; that's refreshing. Pity you spoiled it by not proof-reading your post for grammatical correctness.
Has Apple come forward to help the School District establish some decent security?
You mean point them to the documentation in Profile Manager that prevents the profile from being deleted without a passcode or better yet, not at all?? Assuming they were using and OS X server to manage these. What MDM doesn't include a mechanism to prevent removal of profiles?
I'm pretty sure that most all MDM profiles are able to be removed at the whim of the end-user. Apple's stance is that the device is a consumer device and they should be able to opt-in or opt-out of being tethered to any MDM.
The cyber age has presented endless opportunities for educational excellence – software solutions enabled by genius programmers, hardware enabled by organisations with years of experience of information storage and access, almost infallible publicly available security solutions to protect children; all merged together in a small mobile computing device – purchased and distributed to children by utter idiots. Who employs these dumb-a**ed decision makers?
What a waste of state funds this was !
I wonder, from those who signed this questionable state law, how many have Apple ties ??
Yeah, I can't believe they pay these IT Admins to not secure their shit.
How did the school district ever think that creating a profile would ever work? I wouldn't be surprised if that was cracked during the first hour of being the hands of your average high school student!
It is impossible to fully lock down ios and android devices as the EULA heavily favors the end-user. All MDM's are extremely limited in fully locking down the devices, and all policies will be removed once the profile is removed.
This is not news to anyone who has a child in a school that uses laptops/notebooks/tablets. I don't believe there is a school out there that has prevented students from being able to hack their firewall. My kids have gone to a private school that has used laptops for years, 8 to be exact, to do all their school work and classroom work and the kids have always been able to access anything they wanted firewall or not.
Why are they bothering? This is real life people. These kids have to learn how to deal with all this stuff at their fingertips in University and at work. If kids are given computers early enough, Junior High even, by the time they really need to buckle down and learn, say 11th and 12th grade to prepare for University, they have learned how to focus and handle the distractions when it really matters which sets them up very well for success in University. Some kids will thrive no matter what is available to them and some will always have their attention on gaming or social media. It is not the computer holding them back it's their personality. If it's not the computer it would be something else. The whole excitement of being able to use it in school fades after a while once they are use to having it at their fingertips 24//7. I don't get the uproar? They need to chill and let these kids figure out how to succeed despite the distractions, it will be there the rest of their lives. Sink or swim….nothings changed!
It seems to me that by your logic, they should next spend a billion dollars more on drugs and alcohol to distribute to the students, so that they can " figure out how to succeed despite the distractions."
Unfortunately, it would not surprise me much if some high-level school administrator is already working up such a plan!
"Kids, it's not that we don't want you to have fun online.
We just don't want you to walk in front of a rattlesnake to do it."
Rich coming from the security company who also specialize in network filtering software/hardware!
And I'm assuming it's pretty darn impossible to fully secure an iPad with physical access. Simple solution would be to restore the firmware to stock using iTunes and an IPSW file.
You know what the students wouldn't be able to hack? Books and teachers. School systems should invest in people, not toys.
Did the school even consider getting parental approval before handing the phones out to every child ?
"LA Unified School District Police Chief"
School districts have their own police forces now??
Steven Zipperman has come unzipped!
No no Nanette…. police dept staff from LAPD patrol the grounds of Unified School Districts.
I know, huh??? That thought occurred to me as well…
Who thought it was a good idea to give these kids iPads? Dumb idea. Now there's talk about who will be responsible if they damage or lose their iPads. Will the parents be? I think most of these kids are from poor families so I doubt their parents can afford to pay for a new iPad. Just go back to the old fashioned way of teaching, with books. Or maybe get cheap Kindles at least.
My son and his classmates where able to hack the school Wi-Fi almost every year. Somebody would get a password and then it would get spread around school in no time.
At times the school would just shut down the Wi-fi during lunch period due to the high spike in online activity, so I figured the school knew about it. Then they banned the MAC address of his iPod for a while.
Apple Ipads?
Didn't know the LA schools had so much money to spend.
For me school's intention is very genuine but I think they miss that "deleting profile" part. Will the change of security measures work? It is interesting to know their next move without sacrificing the benefits of the schoolchildren.