ParentPay seriously broken (again)

400 Bad Request
ParentPay, the Microsoft-based school payment system that’s the bane of so many parents’ lives, has yet another problem. Since Saturday, every time I go to their web site I get a page back that displays as above. Eh? Where does this page come from – it’s not a browser message. A look at the source reveals what they’re up to:

<html>
<head><title>400 Request Header Or Cookie Too Large</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>Request Header Or Cookie Too Large</center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

 

Okay, but what the hell is wrong? This is using Chrome Version 56.0 on a Windows platform. Can ParentPay not cope with its standard request header? If a cookie is too large, the only culprit can be ParentPay itself for storing too much in its own cookie.

I’ve given them three days to fix it.


Unfortunately, parents of children at schools are forced to use this flaky web site and hand over their credit card details. How much confidence do I have in their technology? Take a guess!

Solution

So what to do about this? Well they have the URL https://parentpay.com, so I tried that too. It redirected to the original site, with a slightly different error message sent from the remote server – one that omitted mention of cookies. So it was definitely Chrome’s header? Upgrade Chrome from 56.0 to 57.0, just in case…. No dice.

A look at the cookies it stored was interesting. 67 cookies belonging to this site? I know Microsoft stuff is flabby, but this is ridiculous! Rather than trawling through them, I just decided to delete the lot.

That worked.

It appears ParentPay’s bonkers ASP code had stored more data in my browser than it was prepared to accept back. Stunning!
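The failure described above can be reproduced with arithmetic on the Cookie request header. This is an added example, not code from ParentPay or from the original post; it assumes nginx's default `large_client_header_buffers 4 8k`, under which a single header line must fit in one 8 KiB buffer, and the cookie names and values are constructed (only the count of 67 comes from the post).

```python
# Assumption: the server runs nginx defaults (large_client_header_buffers 4 8k).
# One request header line, such as Cookie, has to fit in a single buffer.
# The exact boundary is implementation-specific; treat the limit as approximate.
NGINX_HEADER_LINE_LIMIT = 8 * 1024


def apply_set_cookie(jar, set_cookie_values):
    """Update a name->value jar from Set-Cookie header values.

    Only the leading name=value pair is stored; attributes such as Path or
    HttpOnly are never sent back. A repeated name overwrites the old value.
    """
    for raw in set_cookie_values:
        pair = raw.split(";", 1)[0]
        name, sep, value = pair.partition("=")
        name = name.strip()
        if sep and name:
            jar[name] = value.strip()
    return jar


def cookie_header_size(jar):
    """Bytes of the 'Cookie: a=1; b=2' line (CRLF included) sent on each request."""
    if not jar:
        return 0  # no cookies, no Cookie header at all
    pairs = "; ".join(f"{name}={value}" for name, value in jar.items())
    return len(f"Cookie: {pairs}\r\n".encode("utf-8"))


def audit(jar, limit=NGINX_HEADER_LINE_LIMIT, top=3):
    """Report whether the jar would trip the header-size check."""
    size = cookie_header_size(jar)
    largest = sorted(jar, key=lambda n: len(n) + len(jar[n]), reverse=True)[:top]
    return {
        "count": len(jar),
        "bytes": size,
        "rejected": size > limit,
        "largest": largest,
    }


def constructed_responses(n_cookies, value_len):
    """Constructed Set-Cookie values standing in for what a site might issue."""
    return [
        f"c{i:02d}={'x' * value_len}; Path=/; HttpOnly"
        for i in range(n_cookies)
    ]


if __name__ == "__main__":
    # 67 cookies of modest size each are enough to exceed one 8 KiB buffer.
    jar = apply_set_cookie({}, constructed_responses(67, 130))
    print(audit(jar))
    # Deleting the cookies is the client-side workaround; the durable fix is
    # for the site to keep its own cookie footprint under the server's limit.
    jar.clear()
    print(audit(jar))
```
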

 

A-Level scrappage scheme – Tony Robinson dug up to condemn it

Earlier this week AQA scrapped the A-Level in Art History, and today Archeology got the chop too. The luvvies at the BBC decided to get some expert comment about this act of cultural vandalism, and naturally turned to one of their own – Left-wing comedian and actor, (Sir) Tony Robinson. He’s keen on archeology, having made some reality TV show about it. However, he was knighted for his services to politics, having been a member of Labour’s National Executive Committee. So who better to discuss it?

Sir Tony was, unsurprisingly, keen to blather on without any balance, roundly condemning AQA for their decision. He knows a lot about education; after pre-school he went to a grammar where he scraped four ‘O’ Levels, and dropped out of ‘A’s.

Unfortunately Sir Tony couldn’t directly criticise the government as it was the exam board that decided to drop it, but it didn’t stop him trying. And for balance, they dug up a professor of archaeology too – not a luvvie, but definitely an academic.

The argument made by this brace of lefties is that scrapping subjects like this means poor people going to state schools won’t have the chance to study these subjects. A view that wasn’t questioned. Well I’ll question it – if AQA has scrapped it, no one can do it.

Apparently it was also “limiting choice” to concentrate on core subjects. This stands no scrutiny. Hardly any schools offer A-levels in these subjects anyway, as no one wants to do them and even if they did, there is no one to teach them. If you have a love of a subject, go and study it yourself. Apparently, last year only 400 students took Archeology.

No one was keen to make the opposite case; that such A-Levels are a really bad idea. You can go on to study a degree in archeology without having done an A-Level in it; you just need a brain and the ability to think critically. You can get that by studying anything difficult. You don’t need to be spoon-fed a subject to “try it out”, all you need to do is go to the library and read some books.

Having A-Levels in weird subjects is actually a bad thing, in my view. People may choose to do them. In itself that’s fine, but human nature leads to many choosing the easy ride. In at least one private school I know of, most of the pupils leave with an A-Level in Scripture (Religious Studies). It’s an easy one to get and boosts the A-level tally.

So what happens when you take your A-Level in Media Studies, Archeology and Divinity to university? Do they prepare you for a degree course? Well, it might for a degree in Archeology, but so would self-study and a love of the subject combined with A-Levels in Maths and Physics. That’s true of practically any subject at degree level.

The result of the current ridiculous situation is this: I have people trying to study for a degree in Computer Science who are unable to write a proper sentence in English. Their basic arithmetic skills are almost non-existent; and as for mathematics: forget it! And, surprise, surprise, they got on the course using A-Levels in soft subjects, so they don’t know how to study anything hard.

Bring on the A-Level scrappage scheme.

Sophos UTM sets ambitious goals; and fails to score

Okay, I’m being a bit unfair on singling out Sophos here, but they’re a current source of irritation. Like all security vendors they’re selling products that don’t work. Actually, Sophos is one of the few larger players that will talk about this honestly, which is why they have been my first choice recommendation for a long time.

The problem is that if you have companies selling “total security” products, which are nothing of the sort, the public are likely to believe such a thing is possible. If you describe your product realistically the idiots will look elsewhere, purchasing based on the most outrageous claims. A look at the Sophos customer base suggests they’re not selling to idiots.

So what’s my problem with Sophos at the moment? Well I’m falling foul of their UTM Web Defender at educational establishments. Some of my information sites are unclassified on their list of web sites, and so they’re blocked. They contain educational material that I use when teaching. Not helpful.

Okay, this isn’t default behaviour and the establishments in question have made a decision to block anything that Sophos hasn’t classified yet. Some of these sites have been there since 1992, so presumably there’s a long backlog. And this illustrates the problem very nicely; there are over 300,000,000 domain names registered, with 1,000,000 being added every month. Web filtering companies have to look at all these web sites, and sub domain web sites, and classify them all. It’s an impossible task. I know Sophos does this manually, heroic but doomed to failure.

The World Wide Web was created to allow the sharing of knowledge; particularly academic and research information. Unfortunately this is just the kind of web site that’s likely to remain unclassified by content filters; obscure links to non-commercial servers giving the information needed for research.

There is a solution. A few years ago I decided to write my own web search engine for a laugh. I then modified it to try and figure out what the web sites were about. Google has built an empire on doing this extremely well, but my quick heuristic solution did a pretty good job.

So here’s what Sophos et al should do. When their web defender appliance hits an unclassified site it should automatically submit it to them for evaluation. An automated system using heuristics can then figure out the likely classification, with a probability threshold for human checking.

This doesn’t have to be instant to be a hell of a lot better than their current system. To get past a Sophos filter (for example) you have to manually submit every site to them by filling in a form, and then they’ll go and classify it within a week. Possibly. And in reality, who’s going to submit such a request to access a web site they can’t actually view because it’s blocked as “unclassified”. There’s a hole in their bucket!
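A sketch of the proposal above, as an added example: this is not Sophos's system or the search-engine code mentioned in the post. The category names, keyword weights, threshold and `.test` URLs are all hypothetical and constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical keyword weights per category (constructed for this example).
CATEGORY_TERMS = {
    "education": {"lecture": 2, "course": 2, "syllabus": 2,
                  "student": 1.5, "tutorial": 1.5, "exam": 1},
    "gambling": {"casino": 3, "poker": 3, "jackpot": 2.5, "bet": 2, "odds": 1.5},
    "shopping": {"cart": 2, "checkout": 2, "discount": 1.5,
                 "price": 1, "delivery": 1},
}
AUTO_THRESHOLD = 0.8  # hypothetical confidence needed to skip human checking


def submit_unclassified(queue, seen_hosts, url):
    """Appliance side: queue a blocked, unclassified site once per hostname."""
    host = (urlsplit(url).hostname or "").lower()
    if not host or host in seen_hosts:
        return False
    seen_hosts.add(host)
    queue.append(url)
    return True


def score(text):
    """Return (best_category, confidence), confidence being the winner's
    share of all weighted keyword hits; (None, 0.0) if nothing matched."""
    counts = Counter(re.findall(r"[a-z]+", text.lower()))
    raw = {
        category: sum(weight * counts[term] for term, weight in terms.items())
        for category, terms in CATEGORY_TERMS.items()
    }
    total = sum(raw.values())
    if total == 0:
        return None, 0.0
    best = max(raw, key=raw.get)
    return best, raw[best] / total


def triage(url, text, threshold=AUTO_THRESHOLD):
    """Vendor side: classify automatically when confident, otherwise
    route the site to a person instead of leaving it blocked indefinitely."""
    category, confidence = score(text)
    confident = category is not None and confidence >= threshold
    return {
        "url": url,
        "category": category,
        "confidence": round(confidence, 2),
        "decision": "auto_classified" if confident else "human_review",
    }


if __name__ == "__main__":
    queue, seen = [], set()
    # Constructed page text for three constructed sites.
    pages = {
        "http://notes.example.test/": "Lecture notes and course syllabus "
                                      "for first year student tutorial",
        "http://books.example.test/": "Student discount on course books, add "
                                      "to cart and checkout, free delivery",
        "http://home.example.test/": "Welcome to my home page",
    }
    for url in pages:
        submit_unclassified(queue, seen, url)
    for url in queue:
        print(triage(url, pages[url]))
```
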

BBC micro:bit finally launched

At very long last, the BBC micro:bit has been released. This is the educational embedded computer designed to inspire kids to learn about real programming. A small board with a CPU, Bluetooth, two switches and some LEDs it’s ideal for… Well what? Obvious comparisons will be made with the established but overcomplicated Raspberry Pi.

The plan is to send these out to year 7 students over the Easter holiday. I’m involved in computer science education, but I can’t even buy one (although I can use the simulator). Quite how these will be received when they turn up during Summer term remains to be seen, but I suspect eBay will feature in getting them to those who are interested in this kind of thing.

Unfortunately, from its inception in 2012, those of us who have been watching events unfold have a one-word verdict in common: Fiasco.

I’ll let you know more if I actually get to see one.

ParentPay won’t support “insecure” browsers

This week ParentPay, the Microsoftie payment system used by many schools, rolled out a web site update to support an even more limited range of browsers. This included dropping support for Internet Explorer before 9 for “security reasons”.

By coincidence, in the same week Microsoft trumped their loyal fanbois at ParentPay by announcing that everything prior to version 10 was hereby deemed unsafe. ParentPay has yet to comment.

However, the notion that any version of Internet Explorer is “safe” is stretching the truth badly. All the mainstream browsers are dodgy; they all support unsafe scripting and embedded code. Microsoft may have the worst reputation, but they’re all undermined by their code and add-ons – and host operating system, to be fair. Only a few niche browsers, that don’t support things like JavaScript and ActiveX, can be considered safe; and those are the ones that ParentPay refuses to support because they don’t allow “rich content”. (And their developers are Microsoft fans). It’s definitely a case of form over security, yet again.

As an illustration of just how feeble their new browser support policy is, here’s a list of those they’ll accept, taken from their web site:

  • Chrome 35 or higher
  • Firefox 30 or higher
  • Internet Explorer 9 or higher
  • Safari 6 or higher.

The the the the That’s All Folks!

Schools should be seriously considering their relationship with ParentPay, given the cost and inconvenience they’re forcing parents to go through in order to use it. Analysis of the traffic across my servers suggests that IE has around a third of the browser market. Of these, more than half are using IE 9 or earlier.

ParentPay’s assertion that this will only affect a “..small proportion of parents” may be literally true, but it’s disingenuous. Let’s do some simple arithmetic. Say there are 1500 parents in a secondary school. A third of these use IE – that’s 500. Half of these use an old IE (on an old PC) – that’s 250/1500 parents at each school who’ll be grossly inconvenienced. Cancel the fraction out and it’s 1/6, which could be described as a small proportion, but it’s still 250 per school.

The number of people who would be using “unsupported” browsers on tablets or mobile devices is probably very high. Anecdotally, parents have access to a PC somewhere that they currently have to go to in order to use ParentPay. Many would rather use a tablet.

It’s about time someone set up an alternative to ParentPay and schools were educated in to the benefits of open standards.

Microsoft plans to dump OneDrive unlimited and Windows 7

Microsoft continues to lose the plot. This week saw the announcement that OneDrive customers have a year to shift their data away, and businesses have a year to switch from Windows 7 to Linux Windows 10.

The problem they’re having with OneDrive is that when they sold it on the basis of “unlimited” storage, they didn’t realise the punters would actually believe them. After all, who believes what Microsoft says about any of their products? But, apparently, some credulous customers have been using it for backing up all their stuff and this has caught the folks in Redmond by surprise. So they’re withdrawing the product, and users have (at least) a year to shift their stuff off, after which the Office365 subscription would have lapsed anyway. The maximum storage available after that date will be 1Tb, but they have yet to explain what will happen to the excess.

And in the same week, Microsoft announced that Windows 7 will no longer be available in a year. It may surprise some to hear that it’s still available, as anyone buying a domestic PC from the high street has only had Windows 8 since 2013. However, if you buy a business machine from a business supplier, chances are it will still have Windows 7 pre-installed, with a set of Windows 8 downgrade disks in the box to satisfy an “everything now ships with Windows 8” clause in some OEM deal. Businesses don’t want Windows 8, and voted with their cheque books to keep Windows 7.

Microsoft now plans to take that choice away, and force everyone on to Windows 10. This is hardly unexpected, but now it’s official. The reasons aren’t clear to me. Okay, Windows 10 has the creepy doll sending user data back at Redmond, in order to deliver a richer user experience (and targeted adverts) and make the world a better place (for Microsoft shareholders). Possibly a case of corporate Google-envy? Is Microsoft so keen on the Google business model that they’d risk hacking off the loyal customers who’ve been buying Windows XP and Windows 7 for years? Ironically, Google is pushing its paid-for cloud apps, and I suspect, would like to get a larger revenue stream from selling SaaS.

Listen up, Microsoft. People buy Windows because it runs the applications they want. It has nothing to do with whether they like the colour scheme. Windows XP runs DOS stuff; Windows 7 does, just about, because it has XP emulation. This is a concept known as Backward compatibility, and Intel knows all about exploiting this and making mega $$$ if you need a reminder. Lightweight home users and kids might be impressed by the new and shiny, but business wants something that works, and if it ain’t broke, don’t fix it.

The beneficiaries of this will probably be Linux (including Android), Google GDrive and other cloud storage providers, and alternatives to Office (Google Docs, OpenOffice.org and smaller companies like SoftMaker). The latter has just released SoftMaker Office 2016, with an offer to make it free for use in schools.

Interesting security issue with Google Apps for Education

I’ve come across a feature of Google Apps for Education that people should really be aware of. It goes like this…

When a school or college signs up for Google Apps for Education, a single email account is used to register a local administrator. This administrator then has control over the sub-accounts, including creation, passwords and monitoring. This would be someone at the school you can trust, right? Because they have access to all your children’s data. And it’s only for school use, so where’s the problem?

Well here’s the problem: that data will probably include a GMail account, and they may not be using it for education-related matters. Creepy. Assuming you trust the monitor, do you snoop on the pupils for their own protection or leave it completely unmoderated, with all the implications for child safety? You’re between a rock and a hard place. By forcing pupils to use an insecure channel you’re responsible for the consequences: if you look you could be accused of voyeurism; if you don’t you can be accused of allowing abuse which you could have prevented.

And it gets worse, because you’re basically logging in using a Google Account. How many people log out when they’re finished? And if a child logs in on a home computer and someone else uses it afterwards without realising, the administrator at the school gets to snoop on data inadvertently added to the account by other members of the household.

Are you a parent, and were you aware of this? You are now!

If you’re a school, my advice is to (a) monitor the monitor; and (b) make sure children know to log out after use; and (c) make very sure that you have parents’ specific permission to allow their children to use the system, being aware of the above. If not and you end up monitoring someone you don’t have permission to (i.e. not your pupil), you’re probably looking at an offence under the Misuse of Computer Act 1990 in the UK, and a class action law suit in the USA. Remember that school in Philadelphia that took snapshots using students’ Macbook webcams without telling anyone? (Robbins v. Lower Merion School District). There was no suggestion of foul play, just naivety on the part of the school district. And it cost them $600K to settle, plus a great deal of embarrassment.

Tristram Hunt, Education and New Labour Posh Boys

New Labour posh boy Ed Miliband (Corpus Christi and Oxford) must be so busy worrying about his position that he’s left New Labour posh boy Tristram Hunt (University College School and Cambridge) to talk about a subject neither can conceivably know about from experience – state education. The latter’s only qualification in this respect is that the former made him Shadow Education Secretary.

I’ve got nothing against so-called Posh Boys, but they shouldn’t speak about matters they don’t understand, and I’ve just been listening to Tristram Hunt on Today talking about how private schools (which he should know all about) will be forced to provide services to the local state sector – in particular lend their superior teaching staff to local state schools. I wonder how state school teachers feel about this assessment of their relative merit?

I’d also be interested to know whether he and millionaire Miliband had properly checked this with their Trade Union Paymasters. You see the teaching trade unions are currently mounting a campaign against the use of unqualified teachers. “You can’t let unqualified teachers teach our kids!” seems to be the general emotive argument for this closed-shop arrangement. And it sounds reasonable until you consider where teachers might come from. Either they train and obtain the necessary paperwork immediately following their own education, or they have a career, gain life experience and then convert to teaching later in life based on enthusiasm and aptitude.

In spite of government initiatives to attract more experienced people into the “profession”, it’s an up-hill struggle to obtain the paperwork mid-life. We’re talking about scientists and engineers here. Who can afford to take a huge drop in income while training once you’re married with responsibilities?

There is an answer, however – the private sector. There it’s up to the head teacher to select teachers on merit, not paperwork. Good teachers need communication skills, a good knowledge of their subject and a transferable enthusiasm to pass it on. They don’t need paperwork.

So what are Ed Miliband and Tristram Hunt thinking? Have they realised that the NUT is wrong, and this is an attempt to smuggle good “unqualified” teachers in to state classrooms by the back door? Or did they just not think it through?

Incidentally, I don’t share Miliband and Hunt’s assessment that state school teachers need help from the private sector, nor that career teachers are poorer than those bought in from industry, although life experience and hands-on knowledge is definitely an advantage when it comes to engineering and other real-world skills. State school teachers know a lot about education, which isn’t to be underestimated. And private schools have good and bad teachers, just like everywhere else.

People like me already volunteer to help out in state schools out of a desire to spread knowledge and experience to the next generation. In the state sector, however, the NUT has seen to it that we can only be “teaching assistants”; but we do it for the next generation – not the state.

Google Apps for Schools – how safe are they?

So-called Group Work is probably the bane of every tutor in higher education, myself included. As to the poor students having to collaborate; it’s always the motivated one dragging the hangers-on and possibly the university’s resident idiot along with them. It’s a nightmare. The most common complaint is that they never turn up to meetings to work on the project because it’s too difficult to organise. Yeah, right!

So this week, one of my colleges persuaded me to get them all working with Google Apps. The theory is that they don’t need to be co-located in time or space to work on a common document. I suspect the lack of physical presence will actually make it easier for some of the group to loaf off, but perhaps I’ve been at this too long to be optimistic.

Google Apps, on the other hand, is gaining ground in education. Cloud-based applications that allow easy sharing of documents have to be a good thing, and I have to say I’m very impressed at the ability of several people to edit the same document at once. And it comes with the ultimate feature that will guarantee sales – it’s free.

When I say “free”, that means that Google gets to harvest your personal data instead of hard cash, and feed you targeted advertising. And this is a worry. You may be okay with this, but if it’s to be adopted in colleges or schools, supposing some students aren’t as relaxed about it? Those in the know keep away from Facebook for just this reason, but it’s optional. If you make Google Apps part of coursework you’re forcing students to accept terms they’d otherwise reject.

So, in 2006, Google announced Google Apps for Education, with the advertising stripped out. It’s actually a pretty good deal. Features may change over time, but it’s basically the business version of Google Apps with one difference – it’s also free.

Unsurprisingly, Microsoft is really hacked off about this. They’ve been giving their Windows and Office software to educational establishments at a huge discount (or free) in order to get kids hooked on it, and as a result we have a generation that believes Microsoft Office is necessary to do anything. Kids come out of education knowing nothing else, which forces companies to purchase Microsoft Office at the full price in order to make them feel at home.

So, free or otherwise, Google Apps is probably more suited to college use, and Microsoft isn’t going to like it, so is fighting back with lawyers (no surprise there).

For example, last year Microsoft backed a bill in the US state of Massachusetts to block the use of Google Apps in schools.

To quote: “An Act prohibiting service providers who offer cloud computing services to K-12 educational institutions from processing student data for commercial purposes.”

Pernicious as Microsoft’s education offering is, this bill does have a point and I find myself siding with Microsoft for once. In fact I’d go further – no one should be forced to use applications collecting personal data, even in further or higher education.

This is becoming more relevant as I understand many schools are now considering the use of Google for Education. If their students are under 18, how can they even give informed consent? And once the parents understand the issues, who would give consent on their behalf? In most jurisdictions, you need to be 13 or over (or 16+ in some parts of Europe) before you are allowed by Google to have a Google account, so it’s not like Google isn’t sensitive to the issue.

My sources inside the chocolate box tell me that the new Apps for Education will be advert free. When pushed, there was no guarantee that tracking wouldn’t happen – only that no adverts would be shown in the Apps themselves. Whether they will appear, based on tracking data, on other web sites remains to be seen and when the child reaches an “appropriate” age they’ll come with years of profile data. I’m awaiting clarification from Google on this matter.

(Update: Google has now publicly declared that they will not scan Apps for Education data for advertising purposes, however the devil is in the detail. They don’t say that they don’t scan it for other profiling reasons. And then I found this court document, unearthed by SafeGov, in which Google’s own lawyers admit that they do profile students’ email and suchlike, meaning they can target adverts in other circumstances.)

And then there’s the question of whether it’s a secure environment. Well, no, it’s not. But that applies to Office 365, most LMS (see blogs passim) and anything else that has public messaging – in this case GMail. Given the problems I’ve had with users of freemail accounts, including GMail, I can’t help but question the wisdom of allowing children access to it. When you’re signed up for Apps for Education you are supposed to be getting 24/7 support from Google, unlike Joe Public. Whether this helps resolve the issues remains to be seen. It’s also possible to turn off features centrally, such as Chat (an obvious thing to disable). Unfortunately, if you do turn off GMail there’s no other closed messaging system to use instead.

As with my earlier papers and articles concerning LMS systems, I’m not saying that Google Apps are inherently insecure. In fact, I’ve got a lot of confidence that Google data centres, in particular, are robust. If Google does deliver on its data use policy, and is providing this service free of charge and with no strings attached, that’s great news. Microsoft has had their way for far too long for it to be healthy. Google has stated that as Google was born out of a research project at Stanford, they now want to give something back to education and that’s their only motive. It’s nothing to do with scuppering Microsoft; how could you possibly think that?

Like all Internet-connected IT for use in schools, it’s the social risks that worry me the most, such as abuse of Internet email. If your school plans to use Google Apps, Office 365 or any other system with open email, just ask to see the risk assessment first.

That said, I’d still prefer to see educational establishments return to the open source model; Linux if you must, and OpenOffice. Computing by and for the people. Or perhaps those days are gone. We’re already stuck with a generation that now believes computing comes from large companies like Google and Microsoft. Sadly, I feel that it’s unlikely that most will have the technical talent in-house to make it happen.

Update:

Some of the concerns expressed here about data usage have now been addressed after Google signed up to this code of conduct IN THE USA.

Faith in Free Schools – Department of Education still hasn’t done its homework

The Department of Education has just lost in its bid to keep secret the “faith affiliation” of applicants planning to set up Free Schools, and has been forced to publish the figures by the Information Commissioner. It’s taken two years to get this information, and it’s interesting reading if you read them carefully.

Figures are not available for the first wave of 373 applications, but are (to an extent) for the second and third waves. I’ve been doing some number crunching.

Religion            Wave 2   Wave 3   Total   %
None                202      183      385     74.47%
Christian           45       21       66      12.77%
Muslim              17       18       35      6.77%
Plymouth Brethren   11       3        14      2.71%
Jewish              3        5        8       1.55%
Sikh                2        5        7       1.35%
Hindu               1        1        2       0.39%

The breakdown is a little strange. In Wave 3 the different Christian denominations are specified in some cases but left as “Christian” for others, as they all are on Wave 2. Except the Plymouth Brethren, who appear always to be separate from “Christian” for some reason in both sets of data. “Muslim” and “Islam” are also two different religions, apparently. Did the compiler of these statistics know anything about religions?

I also have my doubts about whether religion has been reported at all. We’re asked to believe schools like Noah’s Kingdom (Reading) aren’t religious. To quote from their ethos description: “If life is based on human values then it is incomplete, but if we base our lives on the plan of God then we have a secure path.”

It’s not just the Christians – how about the Khalsa Science Academy in Leeds? Sounds Sikh to me! A quick look at their web site confirms my suspicions.

What about the Maharishi Free Schools? Non-faith? Yogis might fly! There’s even “Destiny Christian School” in Bedford that’s listed as secular. The clue should be in the name. It’s actually being proposed by “Miracle Church of God in Christ”, and part of the Christian Schools’ Trust whose attitude to creationism is that it is science and they intend to teach it as such.

In short, a quick scan through the names on the list is enough to show any reasonable person that the published data is full of errors. Journalists like those at the BBC may have taken them at face value, but they’re an insult to any thinking person.

Whatever you feel about so-called “Faith Schools”, having the data kept from us by Michael Gove and the Department of Education isn’t going to help with an informed debate.

Wave 1+2 Freedom of Information data from DofE

Wave 3 Freedom of Information data from DofE