Interesting security issue with Google Apps for Education

I’ve come across a feature of Google Apps for Education that people should really be aware of. It goes like this…

When a school or college signs up for Google Apps for Education, a single email account is used to register a local administrator. This administrator then has control over the sub-accounts, including creation, passwords and monitoring. This would be someone at the school you can trust, right? Because they have access to all your children’s data. And it’s only for school use, so where’s the problem?

Well here’s the problem: that data will probably include a GMail account, and they may not be using it for education-related matters. Creepy. Assuming you trust the monitor, do you snoop on the pupils for their own protection or leave it completely unmoderated, with all the implications for child safety. You’re between a rock and a hard place. By forcing pupils to use an insecure channel you’re responsible for the consequences: if you look you could be accused of voyeurism; if you don’t you can be accused of allowing abuse which you could have prevented.

And it gets worse, because you’re basically logging in using a Google Account. How many people log out when they’re finished? And if a child logs in on a home computer and someone else uses it afterwards without realising, the administrator at the school gets to snoop on data inadvertently added to the account by other members of the household.

Are you a parent, and were you aware of this? You are now!

If you’re a school, my advice is to (a) monitor the monitor; and (b) make sure children know to log out after use; and (c) make very sure that you have parents’ specific permission to allow their children to use the system, being aware of the above. If not and you end up monitoring someone you don’t have permission to (i.e. not your pupil), you’re probably looking at an offence under the Misuse of Computer Act 1990 in the UK, and a class action law suit in the USA. Remember that school in Philadelphia that took snapshots using students’ Macbook webcams without telling anyone? (Robbins v. Lower Merion School District). There was no suggestion of foul play, just naivety on the part of the school district. And it cost them $600K to settle, plus a great deal of embarrassment.

London Low Emissions Tax Grab on the Poor

The GLA has sprung a public consultation on us, trying to get us to agree to a tax on horrible polluting vehicles to improve the air quality in central London. It’s the kind of thing that gives environmentalists a bad name – a money grab in the guise of a clean-up.

The idea is that vehicles that don’t meet current emission standards, decided by age, will be clobbered an additional £12 on top of the congestion tax for driving through London. Who’s it going to hit? Not the commercial users (generally speaking) as their vehicle fleets are going to be fairly modern. And not the Chelsea Tractors – they’re too new. It’s going to affect the people least able to afford it – those with an older family car that they keep going rather than scrapping because either they can’t afford a shiny new one, or simply think the conspicuous consumption of the new car market is immoral.

The consultation has some interesting, but cooked, figures for the source of the problem. Even then it doesn’t stack up. But on a proper survey of pollutants like this one it’s even more revealing.

First off, a half of some pollutants come from brake, tyre and road surface wear. Taxing older vehicles isn’t going to change that – it’s got nothing to do with the engine. Then about a third comes from burning gas, and most of that commercial use. The GLA doesn’t mention this!

Then we get to the breakdown from vehicle NO2 emissions. The (current, measured) figures show that:

35% comes lorries (articulated or rigid)
28% is from busses and coaches
21% is from taxis
16% is from cars and motorbikes.

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

Of the last figure, 90% of that is likely to be from diesel cars and 10% petrol cars.

Hmm. So which type of vehicle is going to be caught by the tax the most – probably the older cars, and these will probably be petrol (most cars are). Yet they’re responsible for only 2% of the problem.

Okay, if the GLA wishes to slap a £100 charge on coaches and lorries, this will work – it will hasten the replacement of ageing clapped-out diesel engines which will have done enough miles by the time this is introduced in 2020. People with older cars simply don’t operate this way. They’ll just have to pay up, proving this is just a money generating exercise.
The GLA was serious about reducing emissions, they should go for the low-hanging fruit – ban diesel taxis and make them go electric would save 21% at a stroke. And the same with the LRT busses (possibly not coaches). And the beauty of this system is that it won’t cost very much to run.

LGVs (big lorries) are more of a problem. They’re probably not going to head through central London unless they really have to, and the technology doesn’t exist (yet) to replace them. Emissions from these have already been reduced, but they still produce most of the problem. And they’re not going to be taxed, because they meet modern standards. It needs some investment in clever solutions.

The plan appears to be to raise this by taxing the low-income or occasional motorist (i.e. anyone with an older car). That’s not right. If you agree, and want to have your say, click here.

 

Sad to hear of aircraft down at Popham

So sad to hear of the loss of life at Popham today when a small light aircraft came down south of the A303 in poor weather, almost certainly attempting a descent to land on runway 26. One of the three on board survived, and was driven to Southampton hospital in critical condition. Apparently the aircraft wasn’t based at Popham, but had left from Bembridge and was presumably diverting there due to the weather.

Another aircraft came down in about the same place in September 2012, but with no loss of life.

I was flying yesterday in a similar aircraft but thought better of today due to visit; and it’s both sad and sobering. My thoughts are with their relatives and everyone else at the Spitfire Club.

 

Update: 04-Jan-2015

The names of the occupants have been released as Lewis and Sally Tonkinson, with their six-year-old son as the sole survivor. Looking at the photographs of the crash site in the Isle of Weight County Press, the aircraft in question appears to be very “light”, consistent with a Pioneer 300 Hawk registration G-OWBA, of which Mr Tonkinson is a connected and on which 37 hours have been logged. Curiously, this is a two-seater with a 20Kg luggage capacity. LAA registration number is LAA 330-15155

Update 07-Jan-2015
I’ve seen reported elsewhere that the aircraft in question was a Pioneer 400 G-CGVO, but can’t tie this to Mr Tonkinson. The 400 is a “stretched” 300, with four seats, which would make more sense, but I’ve seen no official confirmation. There’s an AAIB report on G-CGVO (door opened on takeoff), but it was in Herefordshire, and the aircraft was based in Wales. It’s obviously possible that it subsequently changed hands.

Do I have SoapSoap in my WordPress?

Apparently, 100,000 WordPress sites have been compromised by this nasty. It injects redirect code in to WordPress themes.

According to an analysis posted by  Tony Perez on his blog, it’s going to be easy to spot if you’re a server administrator as in injects the code:

php function FuncQueueObject()
{
wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

In to wp-includes/template-loader.php

So,

find / -name template-loader.php -exec grep {} swfobject \;

should do the trick. I’m not a PHP nut, but I don’t think swfobject is common in that file.

Update: 06-Jan-2015

The web site linked to above has an on-line scanner that’s supposed to check for this problem, so I’ve just run it against this blog. It found something here. False positive, methinks! I’ve written to them pointing out that the search may be a little naive given the subject matter of that post! Fair play for providing such a tool free of charge though. It’s a little hard to see how such a scanner could work at all, but not pick up text lifted from a compromised site.

 

Sony and Microsoft games network hack

Both the Sony an Microsoft games network servers have been badly disrupted from Christmas day. The cyber vandals Lizard Squad have admitted responsibility.

This outage has nothing to do with millions of new games consoles being unwrapped and connected at the same time. Oh dear me no. Their network servers would have taken the huge spike in workload in their stride. This is definitely something to blame on those awful hactivists, and any suggestion that it was teetering on the brink and all it needed was a little push is a foul slur on the competence of Microsoft and Sony.

The extent to which Lizard Squad was involved may be in question, but major respect for the expert way they’ve played the media. Again.

BT Parental Controls Hack

In a move of spectacular incompetence, BT Broadband has hacked the HTTP data stream to customers in order to pop up a message concerning it’s “Parental Controls”. It’s done this without seeking any permission from the customer, and to add insult to injury, the code they’re injecting is buggy.

The injected popup  says “How to protect your family online with BT Parental Controls”, with an “Are you keeping your family safe?” online in order to worry the ignorant. It goes on “Safeguard all the computers, tablets and phones(sic) connected to your Home Hub”. The “Home Hub” is the weak and feeble excuse for a router they send you “free” when you sign up, and which anyone who knows anything about networking will have kept in the shrink wrap.

BT Parental Controls Popup
The popup you can’t kill. BT appears to be injecting this in to the HTTP stream of unsuspecting customers

As you can see from the pop-up above , there is a “No thanks” option, but it simply doesn’t work. Several commonly used websites such as Amazon have become unusable as a result – you just can’t get rid of the BT popup. Even clicking on “Yes please, Set it up” leads you nowhere except to a login to which the credentials are a mystery. Quite possibly because I’m not one of the lusers with a “Home Hub” (or business hub).

And this is on a standard Windoze 7 PC running the current version of the Chrome browser. And no software firewall to blame it on.

I called BT to complain and ask for it to be removed. They don’t even know what I’m talking about, which is odd because there was a spate of this stupidity earlier in the year. Fortunately they stopped before a full roll-out, but you can’t keep a good idiot now – the same idiot has resurrected the idea and rolled it out, possibly wholesale this time. Whoever it was should be publicly named and sacked.

Sony Hack – whodunnit?

Details are starting to emerge about how Sony was compromised. Sagie Dulce from Imperva reckons he’s seen the Destover back-door software used before, in 2012 in Saudi and then again in the 2013 Dark Seoul.

A few days ago Jaime Blascoof AlienVault Labs sent me a note about malware samples he’s got hold of, with the following comment:

“From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony’s network and even credentials – usernames and passwords – that the malware uses to connect to systems inside the network. The malware was used to communicate with IP addresses in Europe and Asia, which is common for hackers trying to obscure their location. The hackers who compiled the malware used the Korean language on their systems.”

I’ve had other reports that the malware was compiled using a Korean language development environment. This means nothing to me – a lot of these generic malware kits are.

To me, this is looking more and more like the work of the usual suspects. An inside job – not a sudden and spontaneous lashing out by the North Koreans. This kind of attack requires time to put together.

 

North Korea Refuses to Deny Sony Cyber Attack

The popular media is in a frenzy – those dastardly North Koreans have launched a cyber-attack on Sony, pinched a lot of films and posted them on-line in revenge against the company for a disrespectful comedy making fun of their glorious leader. According to the BBC, they have refused to deny the attack, with a spokesman saying “Wait and see.”

The north Koreans must be loving this – they were, apparently, pretty hacked off about the depiction of Kim Jong-un. They have no sense of humour as far as he’s concerned. However, this bears all the hallmarks of a bunch of script kiddies ripping off a load of films to add to the pirate haul. The North Korean’s response, when doorstepped about the incident, suggests to me that they think their “enemy’s” predicament is hilarious, but stops well short of taking credit for it. Why would they be so coy? Because when the real culprits break cover they’d look stupid.

Yes, it could have been the North Koreans, but they’re not exactly high-tech. As far as I can tell there are only about a thousand IP addresses for the whole country. If it were China in the frame, I could believe it. Would the Chinese pull a stunt in support of their southern “friends” – I somehow doubt that; not over a film.

Given the extensive nature of the compromise, I wouldn’t be surprised if it was an inside job. Did the people involved set out to purpetrate the hack of the decade? There’ll be trouble now.

Daily Telegraph and The Independent web sites compromised by “Syrian Electronic Army”

I’m getting reports from people reading the Daily Telegraph web site saying that a dialog box saying “You have been hacked by the Syrian Electronic Army (SEA)”. The implication is that their PCs have been compromised, but I have no evidence that this is actually true. The web sites of the newspapers do appear to have been breached, however, in order to cause the pop-ups to appear.

Reports already exist of the problems with the Independent and the Evening Standard, with a time of 12:20 GMT, but the Telegraph problem appears to be new.

The problems don’t appear on all pages of the Telegraph – in fact the problem seems to be on the Alex cartoon only. The Independent has been off-line, but at time of writing is back – but slow.

Given the preponderance of adverts on this page, one possible method of attack could be via the advert feed. It certainly doesn’t happen of every access. However, reports suggest of a redirect to a page showing the Syrian logo. This could be JavaScript, a server change or a DNS hijack. People at the papers probably know which, but they’re a bit busy right now…

 

Tristram Hunt, Education and New Labour Posh Boys

New Labour posh boy Ed Milliband (Corpus Christi and Oxford) must be so busy worrying about his position that he’s left New Labour posh boy Tristrum Hunt (University College School and Cambridge) to talk about a subject neither can conceivably know about from experience – state education. The latter’s only qualification in this respect is that the former made him Shadow Education Secretary.

I’ve got nothing against so-called Posh Boys, but they shouldn’t speak about matters they don’t understand, and I’ve just been listening to Tristrum Hunt on Today talking about how private schools (which he should know all about) will be forced to provide services to the local state sector – in particular lend their superior teaching staff to local state schools. I wonder how state school teachers feel about this assessment of their relative merit?

I’d also be interested to know whether he and millionaire Milliband had properly checked this with their Trade Union Paymasters. You see the teaching trade unions are currently mounting a campaign against the use of unqualified teachers. “You can’t let unqualified teachers teach our kids!” seems to be the general emotive argument for this closed-shop arrangement. And it sounds reasonable until you consider where teachers might come from. Either they train and obtain the necessary paperwork immediately following their own education, or they have a career, gain life experience and then convert to teaching later in life based on enthusiasm and aptitude.

In spite of government initiatives to attract more experienced people into the “profession”, it’s an up-hill struggle to obtain the paperwork mid-life. We’re talking about scientists and engineers here. Who can afford to take a huge drop income while training once you’re married with responsibilities?

There is an answer, however – the private sector. There it’s up to the head teacher to select teachers on merit, not paperwork. Good teachers need communication skills, a good knowledge of their subject and a transferable enthusiasm to pass it on. They don’t need paperwork.

So what are Ed Milliband and Tristrum Hunt thinking? Have they realised that the NUT is wrong, and this is an attempt to smuggle good “unqualified” teachers in to state classrooms by the back door? Or did they just not think it through?

Incidentally, I don’t share Milliband and Hunt’s assessment that state school teachers need help from the private sector, nor that career teachers are poorer than those bought in from industry, although life experience and hands-on knowledge is definitely an advantage when it comes to engineering and other real-world skills. State school teachers know a lot about education, which isn’t to be underestimated. And private schools have good and bad teachers, just like everywhere else.

People like me already volunteer to help out in state schools out of a desire to spread knowledge and experience to the next generation. In the state sector, however, the NUT has seen to it that we can only be “teaching assistents”; but we do it for the next generation – not the state.