Tuesday, February 23, 2010

Malum in se

Ay! what 'mong men as knowledge doth obtain!
Who on the child its true name dares bestow?
The few who somewhat of these things have known,
Who their full hearts unguardedly reveal'd,
Nor thoughts, nor feelings, from the mob conceal'd,
Have died on crosses, or in flames been thrown!
- Goethe, Faust
Internet Security has come a long way since I first started in it, back in the 1980s. The technology has advanced enormously, although there is much that is lacking on that score. But the biggest advance has been the public's understanding of the problem.

In a sense, we've come full circle. The original hacker culture had no problem with breaking the rules (malum prohibitum, things that are proscribed by regulation). This hacker culture had nothing in common with what's commonly called "hacking", other than they didn't care about the silly rules. There was a very strong culture against doing harm to other people - to the hackers themselves, this was a line not to be crossed. Not because it was against the rules, but because it was wrong in and of itself: Malum in se.

The Lower Merion School District looks like it has an IT administrator that crossed that line. The more that comes out about the story, the more it seems impossible to believe that this was in any way accidental. The details are ugly, very ugly:

In a September 2009 post that may come to haunt this investigation, [the administrator] posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when [he] puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration:

"what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking"
It looks like it was designed to keep people from being able to see whether they were being monitored. Worse, the spy software used on the Macbook computers is (surprise!) filled with security holes. And by "filled with security holes" I mean that it appears that security wasn't an afterthought; it wasn't thought of at all:
With some of my colleagues, I began a reverse engineering effort against LANRev in order to determine the nature of the threat and possible countermeasures. Some of the things we found at first left us aghast as security pros: the spyware "client" (they call it an agent) binds to the server permanently without using authentication or [encryption] key distribution. Find an unbound agent on your network with Bonjour, click on it, you own it. The server software, with an externally facing Internet port... runs as root. I'm not kidding. For those unfamiliar with the principle of least privilege- this is an indicator of a highly unskilled design.
'Unskilled design"? Boy, howdy.

What makes this double plus ungood is the regulations that the school imposed. While by definition the regulations cannot be malum prohibitum, it's simply impossible to see how they could not be malum in se:

The truly amazing part of this story is what's coming out from comments from the students themselves. Some of the interesting points:

  • Possession of a monitored Macbook was required for classes

  • Possession of an unmonitored personal computer was forbidden and would be confiscated

  • Disabling the camera was impossible

  • Jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion
JayG left a comment to yesterday's post on the matter:
You can remotely activate a webcam to send video?


I need a hammer.
Yes, they can remotely activate the webcam. What you need, Jay, is a band-aid (srlsy, to put over the webcam on Baby Girl G's school-issued laptop; duct tape will leave adhesive on the camera lens). Then you need some personal time with the school administrators, so that they understand that (a) you want a list of all school-installed software that could be used for monitoring your child, (b) you want written documentation of all procedures under which a school employee might monitor your child, and (c) a guarantee that no such monitoring of your child shall be done without either your consent or a court order. I would even suggest that you let them know that you know (or can find out) how to file a Freedom Of Information Act request, and can very likely make them the #1 Google result for your town.

You might also remind them of the "Washington Post" rule, taught these many moons ago to fledgling engineer Borepatch at Three Letter Intelligence Agency:
Nothing that you read in the Washington Post about this Agency is good for this Agency.
The risk to early hackers was not so much in getting caught (malum prohibitum). Security was lousy, and system owners were incompetent or simply didn't care. The danger to the early hacker was getting so caught up in exploring the technology that you hurt someone. That the thrill of flying would cause you to fly too high, and Icarus-like melt your wings. Of making that Faustian bargain. It is not for nothing that it's called malum.

I know that some of the folks who read this blog are IT Administrators, and are cringing inside right now. Or fuming, like me. To protect their reputations, I hope that there's jail time involved for the IT Administrators who implemented this at Merion, and for the School Administrators who authorized it. The School Administrators in particular cannot credibly plead ignorance, not with those regulations prohibiting jailbreaking the laptops.

If any readers have a child with a school-supplied laptop and want some pro bono technical Internet Security help for a chat with their child's school system, please leave a comment or email me directly at borepatch {at} gmail {dot} com. This sort of behavior by school districts is a cancer, and needs to be purged from the Body Public.


soulful sepulcher said...

This is outrageous! thanks for writing about it!

George said...

Great write up.

I am wondering how much longer the notion of a third party entity providing your computer for you will exist. I've often thought that a PC should be one of the tools that you bring to the job, school, whatever. IT departments spend lots of time and energy selecting hardware and locking down and hardening OS builds in the naive theory that it improves security and productivity. Security would be much improved if everyone (not just the security experts like yourself but everyone in the chain) understood that each and every device on your network is untrusted and a potential bad actor. Mental models that rely on trusted devices are made of fail.

A few years ago, I was working with a major bank (think top 5) when the "SQL Slammer" worm came out. Despite my advice, the bank felt that they didn't have to worry...they had blocked the ports at their firewall. And for about 24 hours, they were right. Until a contractor brought his machine that he had had on the Internet, put to sleep, brought into their network, and powered back up. The worm spread and took down quite a few machines.

I NEVER trust a machine provided by a third party unless I have personally built it. Assume that every keystroke is logged, and that your webcam is on and watching you.

Eagle said...

Not forgivable.

I agree with JAIL TIME for all of the administrators who implemented, agreed to, or authorized this travesty.

Meanwhile, Post-It Notes make great covers for built-in webcam lenses. I use one, and recommend that others do the same thing.