Category: cyber awareness
Are Your Files Public? The Edlio Example
By Tony DePrato | Follow Me on LinkedIn
I have written before about cloud security and file security. I was doing a simple pentesting job for a school recently and found a service they were using called: Edlio.
I cannot say if Edlio has a security issue, or if what I found was simply based-on clients not following procedures, or if all these schools marked their documents as public.
However, I can say it is generally bad practice for:
- Personal information to be public and openly searchable
- Budget information to be public and openly searchable (aside from summaries and annual reports)
- Versions of documents, that are not the final version, to be public and openly searchable
- Calendars and other data about large group events to be enabled without security
Schools using Edlio, or other services, need to audit their public content. Here is what is accessible on Edlio with a compound search:
I then noticed that the documents seem to be organized by date, and mixed. Meaning, different schools appear to be storing documents in a “common” directory, and then their files are further organized.
Using a search based on the date, I was able to further sort documents from different schools:
Again, there is no evidence this is an issue with the Edlio service. These documents could be available due to schools simply not managing their permission options, or because the schools believed these documents needed to be public.
The takeaway here is that school senior leadership should be aware this information is public, how it can be searched, and there should be some minor threat assessment done to determine if these documents (and posting policies) are creating more risk than reward.
If you want more information on how to do this type of testing and analysis, please email me: tony.deprato@gmail.com
CyberSecurity Part 3: Simple Penetration Testing for K12 Schools
By Tony DePrato | Follow Me on LinkedIn
I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or networksecurity defenses by looking for vulnerabilities. These are usuallyweaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest
As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.
Finding a Good Pentester
The Conversation
School: We are looking for someone to help test our security.
Pentester: Great. I can do that ( credentials and background presented).
School: What do you need?
Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…
What is wrong here?
Here is how this should go
School: We are looking for someone to help test our security.
Pentester: Great. I can do that ( credentials and background presented).
School: What do you need?
Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline.
A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.
There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events. If you provide and manage laptops, a good pentester will need one of the school’s laptops.
These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable.
Doing Your Own Testing
I have a list of standards schools should work towards to be secure. Some these do not always connect well to third party services, public-facing websites, etc.
Over the last few months, I have developed a checklist for pentesting K12 school websites and resources.
| Test | Definition |
| Subscription and Services Discovery | Can your subscriptions and services be easily discovered? |
| Files Exposed to the Public | Are there files publicly available that supposed to be private? |
| Calendars Exposed to the Public | Is calendar data that should be private, private? |
| Staff and/or Student Email Harvesting | Can your staff and/or student PII be used to create a database for phishing and spamming? |
| Portals and SIS | Are your portals and SIS properly secured and difficult to brute force attack? |
| Websites and Social Media | Are websites and social media properly secured; is the media being used legally and correctly? |
| Cloud Services | Have cloud services been properly secured? |
| Third-Party Sharing | Is anyone sharing your content and do they have permission? |
| FTP, SSH, and Telnet | Are any of these protocols a threat to your school via publically accessible information? |
| Email Blacklist | Is your email domain blacklisted? |
| Email Header Check | Is there any data in your header that could be anonymous or lead to blacklisting? |
| Email Catch-All for Non Existent Emails | Is your email set up to catch any email that does not exist and alert someone? |
| SMTP Relay | Is your email system running services that would allow an attacker to use your email for a criminal act; send an email on someone’s behalf? |
| 4xx and 5xx Error Check | Do the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users? |
| HTML Forms | Are any HTML Forms vulnerable to low-level URL based attacks? (Will also review CAPTCHA.) |
I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents.
In other words, avoid jargon and lingo.
Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.
If you do not know what is actually dangerous, then everything could be sold as dangerous.
These recommended tests are not very difficult, but if you want to outsource this, email me at: tony.deprato@gmail.com . I thoroughly enjoy doing this kind of work and have automated many of these processes with scripts and services.
CyberSecurity Part 2: OPSEC and Post-it Note Passwords
By Tony DePrato | Follow Me on LinkedIn
How many times have you seen it? You walk into an office or classroom, and a Post-it is proudly announcing a user’s password. Why? Because schools are trusting environments. Maybe the password is not for the computer, maybe it is for the teacher/staff WiFi. A WiFi network that has no other security aside from the password: TeacherWifi1.
Before spending thousands of budgetary funds on security consultation, all schools (and organizations) should focus on their Operational Security or OPSEC. OPSEC is officially defined as:
Operational security (OPSEC), also known as procedural security, is a risk management process that encourages managers to view operations from the perspective of an adversary in order to protect sensitive information from falling into the wrong hands.
Developing a solid OPSEC plan is not that difficult. A bit of common sense and creative thinking goes a long way. Let’s walk through some simple practices that will help improve a school’s operational security, and the school’s ability to react to problems.
Follow Normal Child Safety Practices All the Time and in all Departments
The basic child safety concepts are: keep students away from unverified adults and make sure adults are not alone with children (and if they are alone they are visible).
The standards seem to be prevalent in all child safety courses and certifications. Following these two standards, and applying them to a technology plan would yield the following rules:
- Students are never allowed on the same network as teachers/staff/guests
- Students share information through the cloud or monitored middle process (such as a Synology share that requires user login)
- Students should not be allowed to peer share with teachers (e.g. no more AirDrop)
- The guest network is limited and separated from everyone else
- No access to the network etc. unless all users provide an ID or their devices are identified as approved devices
Office and Classroom Access Should Be Managed by Policy
The worst hacking scenarios I have personally experienced, and that resulted in child and family trauma, began with data being printed and left in unattended offices/classrooms.
Simple and reasonable practice can deter most people from crossing the privacy line. Here are some suggestions:
- Laptops should be secured in a bag or other area when unattended; on the desk, lid open is bad practice
- Documenting passwords should be discouraged
- Desktops and other devices should be logged out when unattended; or secured with a password screensaver
- Teams should split their lunches and breaks to ensure that the office/classroom always has someone present
- Office/classroom hours should be posted so that everyone knows when the space is open for meetings or visitors
- Desktop phones should have a security code to make calls off-campus
- Students, parents, and others should have a demarcated area for meeting and working with staff and teachers; certain areas should remain off-limits
- Printing from offices needs to terminate in a secure space; it should be difficult for an unauthorized person to make physical contact with an office printer
Walk Around and See What You Can Do
School administrators often conduct classroom walkthroughs and observations. This process is similar.
The leadership team needs to be scheduled to break-in to areas on-campus. They should test closets, offices, doors, etc. Printers should be checked for abandoned documents, and those documents should be sampled. Did someone print and leave any confidential information? Any tests or assessments? When guests are in the building, how freely can they move beyond common areas before they are politely challenged?
The team should document what they find, and question why the access was possible. A formal review of all vulnerabilities is going to inform the necessary actions that need to be taken.
If there is a plan to work with an external contractor, having all this research is essential. Focusing on unrealistic threats and problems will not strengthen security or cybersecurity. A misaligned plan will waste resources, provide a false sense of security, and overall weaken any future response to a real threat.
CyberSecurity Part 1: Social Engineering
By Tony DePrato | Follow Me on LinkedIn
I have noticed an uptick recently in schools moving resources, money and time, to address cybersecurity concerns. The motivation for addressing security issues is genuine, but the approach and implementations I am reading about are less than effective.
Over the next few weeks, I will be writing a series of posts to address what schools should do to improve cybersecurity. Nearly every suggestion will require a change in process or culture, but not any significant financial investment.
Social Engineering
Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. ~ https://www.csoonline.com/article/2124681/what-is-social-engineering.html
Physical access to any space is the holy grail. Hacking begins with collecting information, watching people, finding the weak links within the organization, and studying how systems and people work.
Having an open friendly campuses means exposing information systems to a variety of threats that exist outside the network controls.
Allowing students, teachers, and staff to freely move around campus with few limitations or consequences, creates multiple opportunities for data to be collected on areas of the campus that generally are part of the plant or backend operations. These areas are designed for small teams of workers to keep the campus running, and these areas allow access to systems that control things like water, gas, electricity, etc. The plans and operational guides for these areas are not public, but people taking a regular stroll through these spaces eventually collect enough information to execute an exploit.
Maybe the exploit is simply students finding a way to sneak off-campus, but when one group creates a loophole, another group has the opportunity to use it. Social engineering practitioners are looking for loopholes and they are looking to mix with trusted groups of people. Their access begins with a bad policy or the improper enforcement of a policy.
It is far easier to use social engineering tactics to attack a school’s data and assets than to try and exploit the network externally. Not only is it easier, it is less risky. Generally, school policy is granting a person physical access, and therefore they are not trespassing. Whereas any attempt to breach the network would be a crime.
Before worrying about the network, the cameras, and the technology as a whole, it is imperative to reduce physical access and to design policies that balance community with access.
Defending Against Social Engineering in a Friendly Manner
Schools are not banks or government facilities. They are generally friendly and trusting environments. Implementing security measures should not create a panic, and should not create a culture a fear. Every measure taken needs to connect to another logical reason that the community can understand. Here are some ways you can reduce the risk of threats through social engineering:
- Let everyone know, they are free to call security and report anyone or anything they see that seems “off.” This means, not punishing people if they misidentify someone. Make the process easy, and make certain security personnel follow through and keep records. Social engineering often requires a few visits to a campus, and studying reports could identify a pattern.
- Lunchtime is always important on a school campus. Set a simple policy for business and operational offices to either rotate their lunchtimes and /or lock their offices. Lunchtime rotation is an excellent countermeasure. It ensures that every day, a few people are always in an office, the offices are open so people can access services, and the schedule of activity is difficult to predict.
An example would be the following: Four people work in accounting. On Mondays, Wednesdays, and Fridays, person 1 and 3 choose to do lunch at 11:30AM; On those days person 2 and 4 choose to do lunch at 12:30 PM.
Locking offices for an hour is safe, but it is not going to be as popular as using a rotation.
- Any closet or room containing computer network equipment, phone system equipment, etc. should not be used for storage. Why is this important? Because the moment a room or closet is accessible for storage, the number of people who will be opening the door becomes unpredictable. The equipment in that space would allow easy access to all the data that flows through the school.
A common mistake schools make, is to use these network/electrical closets to store cleaning supplies. Cleaners are usually very friendly and trying to help people, as well as maintain safety. So, if I wanted to access the closet and exploit the network, I would create a spill of liquid and wait for the cleaner to get into the closet. I might even distract them long enough to slide a small piece of paper between the lock and door jamb.
The cleaner is doing their job, and I have gained access to the space after the cleaner is finished.
- Guests/Parents should have their own network. It goes without saying that allowing anyone aside from students and employees on the academic network is risky. A guest network SSID is highly recommended if the public or parents are allowed to use the WiFi. The more I consider this, the more I believe that a better policy is to simply improve the mobile network reception, and direct people to use their own data.
A school can invest in repeaters and other technology to make the mobile signals from various providers strong and robust.
Schools can also use services like Kajeet to deploy better mobile access. In many cases, schools qualify for FREE mobile hotspots. Why spend time and resources giving the public and parents access to limited and/or filtered academic networks anyway? Using mobile reduces the chances of a data breach, and virtually eliminates the liability a school would incur.
- Encourage and incentivize teachers to work outside their offices, in higher traffic areas. Teachers know each other, they know parents, and they know students. Teachers also have good instincts for spotting odd behavior. These statements are from anecdotal evidence, but if you have worked at a school for a long enough time, then you realize teachers are truly on the pulse of the organization.
Teachers working in school cafes, libraries, etc see and hear more than they would if they are isolated in offices.
Setting up conference rooms with glass walls, or creating PD opportunities in more public venues would greatly improve the random and increased presence of teachers on-campus.
Remember, the idea is to create unpredictable patterns and to make it more difficult for someone to find a weakness and the confidence to act. The mere presence of staff in public spaces is a deterrent.
- Assume a good Social Engineer can get on-campus with an ID check, and plan accordingly. The core group defending against social engineering would most likely be the security team, operations team, and technology team. They should work together to plan scenarios and action plans. School leadership needs to make certain that those teams are focusing on those individuals who have enough skills to get through the external layer of security.
Making assumptions that the camera system, front gate ID check, etc., will somehow prevent access, is going to create a false sense of security. Good social engineering requires imagination and creative thinking. Good defense will require the same.
- Work with parents to test your security and access. Parents want what is best for the school and their children. Parents also have come from a variety of backgrounds. They are a trusted group that will be honest and help measure improvements.
- Educate yourself first, and seek outside advice second. There is a massive amount of information about social engineering. It is worth educating a core group of people on security topics so they can inform practice and direct consultants. Remember, consults will only be useful until they leave. Build your team, and give them the time they need to learn. Much of what people need to know is free, time is the only factor.
I hope this posts stirs the pot and creates some discussion on school campuses. I am placing some resources below, including some very informative and entertaining videos on the subject of social engineering and physical penetration testing.
I am happy to do a live debate on this subject or webinar for anyone interested. Please email me at tonydeprato@gmail.com
Resources
- DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (w speaker)- https://www.youtube.com/watch?v=JsVtHqICeKE
-
I’ll Let Myself In: Tactics of Physical Pen Testers- https://www.youtube.com/watch?v=rnmcRTnTNC8
- What is Social Engineering: https://www.csoonline.com/article/2124681/what-is-social-engineering.html
- Passwords are Still a Problem: https://www.nextgov.com/cybersecurity/2019/01/why-computer-passwords-are-still-problem-2019/154086/
- Cybersecurity Stats: https://www.varonis.com/blog/cybersecurity-statistics/
Scan Your School for Unsecured Public Documents
By: Tony DePrato | Follow me on LinkedIn
How many documents do you have open to the public? When was the last time you checked to see what anyone with internet access could download from your school website, your PowerSchool or SIS public folder, or even your various cloud services?
Before you think I am wasting your time, here is a quick glimpse of a simple public search for budgets people have not secured:
If the above animation is not clear, don’t worry. I will show you how to do it.
INURL and FileType
Google has some cool advanced search features. To scan your public files, the two I recommend are “inurl:” and “filetype:” .
For example when copying and pasting the following string into Google, inurl:saschina.org filetype:pdf , the results are all public PDF files that exist with any url that contains saschina.org.
Keeping the url simple often yields more results. For example, using saschina would look at other domains. If you add the .org, then the search will be limited to the .org domain only.
When to Worry about Public Documents
First off, many documents are supposed to be public. Seeing documents in this type of search is normal and excepted. What is not usually expected are documents that contain:
- Name associated with contact information
- Medical information
- Names of parents, donors, etc.
- Special codes use to tell vendors/suppliers who has organizational authority to place orders
- Bank information
- Payment information
- Usernames and Passwords
- Etc
Documents with information similar to the above should be secured, unless required to be public for legal reasons.
I would suggest having document ID numbers in the footer that indicated a document should be public. This simple practice would allow everyone in the organization to report documents that should not be public.
The link below will take you to a page that will help you begin checking your online resources.
Want to Jump In and Start Scanning? Get Started Here
If you want more information on data security, privacy, and data auditing for your school, please contact me using the form below.
It’s Time to Regulate Social Media in Schools
By: Tony DePrato | Follow me on Twitter @tdeprato
It is spring time, and once again I am planning a new network security plan for a school. The same issues as always, and the same questions.
All questions usually have answers with a price tag attached. Value in such planning is very subjective. After all, we spend money every year managing free apps on iPads, how does that make financial sense?
One question cannot be answered. Regardless of my due diligence and the school’s willingness to fund a comprehensive plan, students will still have phones. Those phones will have data plans. Those data plans circumvent all the work we do. Parents do not seem to care, because they are worried about having that device for logistics and emergencies.
These devices are addictive, and the applications are purely for entertainment and dopamine-driven feedback loops.
Yes, the network can manage the problem when students are on Wifi; but not when the students are on their own network.
Jamming signals is not legal in most countries, and localized jamming seems to cover very large spaces. Even if it was legal, it would impact other services.
I believe all problems can be solved, and I believe I have a solution for this one. Generically, I like to call it Social Media for Education.
Social Media for Education Explained
The core concept is simple. Facebook, Twitter, Instagram, etc., would offer an educational package. I firmly believe this should be a paid service for schools that can afford it, and free for schools that can demonstrate hardship. If you consider the cost of properly blocking Apps on Wifi ($10-50 USD per student per year), this service would be viable if priced appropriately.
The social media companies would follow a Google Apps or O365 model for schools to join. They would require any person under the age of 18 to register as a student connected to a school.
For example, schools who sign-up would be given a school code, and could provide a student ID based roster for cross-referencing. Any person under 18 would be required to connect their profile to a school or education program of some sort(some students are home schooled or have other types of educational plans).
Unless they are connected to some type of educational plan, they simply cannot use social media until they are 18 years of age.
Schools who join would receive these benefits:
- Social media profiles are deactivated from 8:00 am – 3:00 pm everyday, in the timezone set by the school. This prevents VPN access from spoofing the clock.
- Schools could centralized a two steps homework system. Teachers would use Social media to circulate messages related to the school, and unless students confirmed all messages have been received (read), their profiles would not be activated. Although confirming a message has been seen does not equal work completed, it does mean the student acknowledged receiving the message. Blocking all other activities until all messages are cleared would prioritize the school’s notifications.
- Since all students can be identified and connected to a school or program, cyber-bullying would be easier to manage. Schools would need to make a request for data, but that data would connect to a student ID (most likely), and a verified location.
I have thought of more options, but, I would consider the above a tier one solution.
It Cannot Work Unless There is Regulation
It is clear from current practices, such as not enforcing the age restrictions for users, that social media companies will not offer services to schools that help disconnect students during their academic day.
In places like France, the government is physically banning phones from campuses. Other schools follow strict device confiscation policies. These measures only create a black market for phones, theft among students, and a burden on families who are victims of theft.
Trying to regulate property, and potentially facing liability issues related to property, is not the path to follow to solve this problem.
Governments need to simply require social media companies, or any company making a communications product, to provide the an identity and connection management system for those under the age of 18.
Those over 18 already have to use multiple methods to verify themselves when making new accounts. However, students seem to be able to join social media using devices and phone numbers that are not even legally in their own name. Think about that? I give my child a phone and number, they use it to join Facebook? How is that legal or even verified?
Not Enrolled in School = No Social Media
Compulsory Education around the world varies. Very few countries report having no compulsory education requirements.
| No Requirement Based on Previous Data | ||
| Oman | 0 | 2007 |
| Solomon Islands | 0 | 2002 |
| Cambodia | 0 | 2008 |
| Holy See (Vatican City) | 0 | 2007 |
| Tokelau | 0 | 2007 |
| Bhutan | 0 | 2008 |
The world-wide impact of adopting social media regulation of this caliber would equate to those under 18 not being allowed on social media, if they could not demonstrate they were enrolled in some type of educational program.
Likely, many countries would not participate in such regulation at all. However, it really only has to be country by country. As international as these platforms seem to be, connections students have are usually very local. Most students have their primary social network within the school they attend. That means their social media time is literally just interacting with people they could easily look at and speak with.
If Facebook in India were not participating, that would not impact a school in Korea. If students were to move from country to country (or school to school), they would have to re-register. The meta data from that behavior alone would help confirm drop-out rates, possible issues within school districts, etc. I believe the unknown benefits of the data would be substantial. Observer effect issues and data manipulation by school administration would be reduced.
I have been working with teenagers since 2005. I have worked with students from over 100 countries. I have been a technology disruptor, more times than I have supported the status quo. I believe in BYOD programs, and any students I have worked with will confirm I empower them to lead and make decisions. I know when I see a problem in the plan and the patterns. I know when students are not engaged, and when they are not learning. Mobile devices with addictive applications are a real problem. The design is an addictive design, and the effects are powerful. I hate regulation, but unfortunately, I think we are there.
Contracts and the Reality of Using AUPs in an International School
Recently a friend of mine had a battle with a staff member over an Acceptable Use Policy(AUP). It is common to fight with students over these, but rarely with staff.
My friend was not asking for anything unrealistic in his well drafted AUP. He actually took the time to produce one AUP for the community, and it was not negative or aggressive.
The battle went on for weeks. The teacher refused to even take a school laptop. The teacher even launched an internal email campaign that involved telling the parents the AUP was disruptive to learning.
Here is the worst part of the AUP story, the AUP does not matter. It is a completely unenforceable document in an international school. Often, it is unenforceable for students as well. Here is why.
The Local Law Surrounds the School
International schools are bound by the laws around them. This includes human resource law, liability regulations, insurance practices, etc. Having an AUP say something is not permitted, when it is either permitted or not enforceable in the host country, is a waste of policy. Explaining to the community the local law surrounding the school is always a good idea, and using the law when needed is a good idea. Trying to create your own rules that are not aligned with the law is a bad idea.
Assuming the School is in a Sellers Market
A sellers market implies that demand is high, and supply is scarce, therefore businesses can charge whatever they want to consumers. AUP language often assumes that a school is in a sellers market, and therefore, can remove teachers and students from the community. Thus also assuming that these people can easily be replaced. The fact is, this is hardy ever the case. Once the staffing is done, and the year begins, schools do not want to try and deal with an HR problem unless it puts the children or community at risk.
Many schools have contracts that protect the employee (due to local regulations) and the only way to remove them (assuming they have not broken local laws) is to pay out their contract and/or wait and not renew their contract.
Students pay tuition. In most situations, a student gets a pro-rated reimbursement if they leave the school early. In many countries the law forbids the expulsion of students, and forces the school to cope with the problems. Removing students in places like the Middle East can even require numerous lobbying efforts to the ministry of education. Sometimes, legal services have to be paid just to get the paperwork done. Again, many schools will cope with the problem until a point where they are legally allowed to transfer the student out.
Schools need tuition to function, and if they are not-for-profit, they certainly do not want to reimburse fees (or pay fees) to have a student removed unless that student is breaking local laws and/or is a danger to themselves or the community.
Contracts and Equipment
When employees or students contract to join a school, they are usually told, “We will give you xyz.” Maybe that is a laptop. Maybe the school is BYOD and people get software. Regardless, most schools give teachers and students something, and that something is part of their contract. I have yet to see the initial agreement for new teachers to say, “Before you take this job you must agree that if you break the school’s AUP you will be financially responsible for xyz.”
Schools looking for staff are already vetting people as much as they can. They would never consider not hiring someone because that person had a philosophical disagreement with a liability clause on an item worth less than $2000.00. Not having a teacher, means not meeting the contractual obligation the school has with families, and the families are paying tuition.
Simply put, as with many things relating to IT, people just do not care. They only care that the majority of teachers work with IT well, and that 100% of the teachers work with children well. They will maintain their agreement to equip the teachers and students unless something very drastic occurred.
A Great Teacher Can Skip the AUP
Right or wrong, a school with a strong subject teacher or department head, is not going to strictly enforce policies that they see as trivial.
An adult, with an excellent track record and IT, proficiency should be allowed to manage their own computer. They most like manage far more complex things, and they should not need IT to install software. These are the expectations of most modern professional. Most AUPs cause conflict when they limit access or workflow. What have just written is the opinion of most administrators who are focused on finding good people, who are professional. Reflecting, many AUPs would now seem trivial.
Therefore, fighting over the AUP is not the answer to achieving what most Technology Directors want, which are standards that protect the network and equipment. Another approach is required.
Is this just Anarchy without Hope?
If I loan you (the reader who is not captivated by the heading) my car, and you damage it, you know there is an expectation that you will compensate me for the damage. We do not need a written agreement. Socially, the expectation is applied.
Teachers and students know what they own and what they do not own. Therefore, they are aware if they damage something, some compensation is required. The school may wave this compensation, but the expectation is there.
As far as network usage goes, if the school cannot afford a filter, then all users will have open internet access. Teachers, as a profession, have an expectation to not expose students to inappropriate content. Teachers breaking that expectation would fall into a different category than those violating IT procedures. An AUP is not where this type of policy should fit, as it connects to the concept of harming children.
So what should the AUP be? In a recent post by Roberto Baldizón , he argues that it should be visible, interactive, and memorable. This is what that means to me:
- The AUP should be something people can easily refer to make decisions in gray areas. Such as: How should I properly email parents?
- The AUP should contain indicators or examples of behaviour that is consider inappropriate for the community. For example, the community might always insist that in group meetings all laptops are put away.
- The AUP might list areas that will be evaluated in a end-of-year teacher evaluations.
- The AUP needs to connect to the mission of the school and the vision of the Technology Department. The language should be consistent. This joins the policy to other policies.
What about MY AUP?
My Staff AUP is filled with liability jargon. It is not fun, and mainly it is used to notify people that they are responsible for breaking things. I do this out of habit and have a very hard time squeezing money out of staff for damage under $1000.00 USD.
The best tool I have for managing behaviour is my IT Ticket system. It has, in great detail, data that allows me to go to a senior administrative meeting and identify individuals who are abusing resources, not responsible for their classrooms, and who repeat the same cycle of break-it/fix-it. This is the data principals need to have conversations with staff, and use for end-of-year evaluations.
My Student AUP is not as bad. It is connected to the student disciplinary policy and was written by committee. At no point does my AUP indicate it has the power to remove a student from the academic program, it only allows for network management and/or banning of services, to be decided by the academic office. The AUP is actually to help the academic office make decisions.
Writing policy is important. Writing unenforceable policy is a waste of time. Find the balance, research your local laws and guidelines, align with other people, and use the community to manage the individual.
Tony DePrato
Happy Safer Internet Day – from Google
This Safer Internet day (yes this is a thing) is being celebrated by the good people at Google too. They are encouraging all their users to go and do a security check up for your Google account, which is a pretty good idea to do from time to time. If you do this before February 17th Google will add 2GB of storage to your Drive account – permanently!
This is only applicable to your personal Google account so people with Google Apps accounts should still do it, but there is no reward outside of knowing that your account is secure.
Read more about it here and be sure to be safe out there. 🙂
The problem’s not the app . . .
The other day my wife showed me this article on CNN. It was about a particular app called Yik Yak. You can read all about it from there website here or read about the Android app here. The basic premise is that Yik Yak uses your location, and lets you post whatever you want anonymously and the people around you can see those posts and then everyone vote them up and down. If a post gets voted down enough it disappears. The app is free and available on iOS and Android. The article on CNN talks about how students are using this app to bully and bash people online. Since there is no account/sign up there is no way to track down who said what. This type of article usually brings about such questions as . . .
- WHAT WILL WE DO?
- HOW CAN WE STOP STUDENTS FROM USING THE APP?
- SHOULD WE BAN DEVICES?
- HOW CAN WE BLOCK THIS WEBSITE/APP?
- IS IT THE END OF DAYS?
OK, that last one is a bit of an exaggeration but it all boils down to the same thing – fear. This is not new nor is it an original idea/article. Let me show you some examples.
I have seen this article before with Facebook.
I saw it before with Twitter.
I’ve also seen it written about FormSpring.
I’ve seen it written about SnapChat too.
Let me tell you people, the problem here isn’t Yik Yak. The problem is how our students are treating each other. It is the actions of the individual or groups of students that need to change, not Facebook, Twitter, Yik Yak or any other app or website.
Think about a time when there were no apps, no smartphone, and no widespread wifi. Even without these tools bullying was around and schools were battling it. It is true, these apps can make it easier for students to bully but let’s put it in perspective. The app didn’t teach this behavior or condone the student’s action. The app didn’t tell them how to do it. The app developers weren’t wringing their hands together evilly and hoping to bring about the end to the modern world. So how is banning the app or putting it under a microscope going to stop bullying? The short answer is it won’t. At best it will drive it underground for a bit and then it’ll come back-maybe in the form of a different that app but the bullying will continue.
I’m not saying changing a person’s behavior or getting a child to see and understand the harmful effects of bullying is easy because it’s obviously not. If it were, bullying wouldn’t be a problem and we would have taken care of years ago. However, attacking the app and banning it isn’t the long term solution. I would even say that it is a poor solution. Start by education yourself. Here are some very good websites to get started:
There are plenty more out there – just search for them.
Then get your counselors involved – they are the real experts here and ignore those fear mongers at CNN and other websites that tell you to beware of certain apps. Don’t be afraid of technology, embrace it, learn about it and then teach our students the appropriate ways to use it or at the very least know how to walk away from something that isn’t healthy for them and how to seek out help if they need it. This method will yield better results than just banning and talking about an app.
Patrick Cauley
http://www.thetechjonsey.com
Technology in the Classroom 
