The Support Puzzle


By Tony DePrato | Follow Me on LinkedIn

I was recently in a conversation with a large group of people who provide IT Support. Many do not work in education, which is why I like the group. One of the members was recently asked in an interview to rank the following support requests in terms of importance.

1) A teacher has standardized testing starting in 30 minutes however she is unable to access the testing site.

2) The principal (aka your immediate supervisor) can’t open a spreadsheet that she needs to have ready for a presentation later that same day.

3) A teacher is unable to start a lecture because her PowerPoint won’t open. Students are waiting in the classroom.

This scenario truly exemplifies the difference between EdTech and CorpTech. In EdTech the order of importance should be, 1-3-2. In CorpTech it could easily be 1-2-3, or, even 2-1-3. Anyone who has worked with a demanding boss in a Hire-At-Will employment environment would understand why.

In a school, unless the school is on the bad side of accreditation standards, the answer would be 3-2-1.

Here is why.

Teaching and Learning

Most people look at the options and see time and urgency. And although the right answer can be derived from time and urgency, that metric will not always apply. A universal metric is to always focus on Teaching and Learning (TL).

This means that all processes at the school, IT included, need to be on mission and that mission is to support Teaching and Learning. In order to do that, students and teachers come first, and everything else later.

The business of the school is education, and education happens within the TL dynamic.

Most school administrators will not even interrupt classes unless there is a real emergency. School administrators will inconvenience themselves to reduce the impact on teachers and students.

In organizations with a head of school or superintendent, those offices may have their own separate support for the technology to further reduce any impact to TL.

The Eisenhower Matrix

I am a big fan of using time management and decision management frameworks. My favorite is The Eisenhower Matrix. I have written about it here for those who are not familiar with it.

[Image: Eisenhower Matrix layout]

I use the layout above for decision making and project planning. I also use Agile and Scrum when executing the actual pieces of projects. I need these tools to prevent reacting emotionally to problems.

In the scenario above this is how I would categorize each of the three support problems.

DO, Do it Now: 1) A teacher has standardized testing starting in 30 minutes however she is unable to access the testing site.

The reasoning here is that standardized tests have controls that the school must follow. This is a tricky scenario because unless you have implemented IT procedures for standardized testing you would not realize that the pre-testing is completed well in advance. That means the school has already scheduled and guaranteed a test window. The test either has to occur or be canceled and rescheduled. I would write a guide on test implementation, and they vary greatly. For older children, there is a high risk if these tests fail.

DECIDE: 3) A teacher is unable to start a lecture because her PowerPoint won’t open. Students are waiting in the classroom.

As a school administrator, I would, of course, ask IT to go help the teacher immediately. In this case, you really need to know the schedule before deciding when to go. If classes are 70-80 minutes every other day, you would want someone in there immediately. If classes are 35-40 minutes daily, you would want to send someone at the end of the class.

The technology has made achieving the lesson goals impossible if the lesson is short. However, the lesson occurs so often that the impact on TL is low. In fact, taking more time in the end when the students are transitioning will allow someone to look at prevention instead of just adding a quick solution that only deals with the symptom.

Most schools have requirements that teachers should be able to run their lessons in the event of an IT failure. This should not happen every day, but it can happen, and teachers are required to work through the issue. If a teacher follows protocol, going into the class 5-10 minutes after class has begun could interrupt their backup plan.

This is why it is a DECIDE. It varies based on campus and culture.

Delegate: 2) The principal (aka your immediate supervisor) can’t open a spreadsheet that she needs to have ready for a presentation later that same day.

Anyone can do this job as soon as the others are in progress. If there is one IT support person, they will do this last. It is not time-sensitive. Most principals would be angry if a teacher or class of students were put in lower priority.

If there is a team, the leader could assign someone to this with a reasonable timeframe.

If you are in EdTech IT Support, make sure you are connected to the culture of your school. Understanding the policies and procedures outside of IT is key to understanding how to support Teaching and Learning.

 

 

Cubit Robotics: Probably Better Than What You Are Doing


By Tony DePrato | Follow Me on LinkedIn

I have been working with robotics since 2005. I have worked with students from US Grade 4 to students competing in university competitions.

As of late, I have been shocked by this trend: remote control.

https://www.jpl.nasa.gov/news/news.php?feature=2082

Remote control is not the future. The future is autonomous and AI-driven. So why are schools teaching robotics via remote control at all levels with very little autonomous programming?

The software that was once easy to access, often free, and allowed for fairly deep programming has reverted to big graphical blocks.

This is why I am very excited about Cubit Robotics/Electronics for STEM.

I asked Cubit for a sample kit, and they sent it along. My robot frame and build were simple because I wanted to focus on programming.


The Cubit was loaded with sensor options, and the programming interface was Bluetooth.

For the record, I was using a MacBook, and I was very happy to get back into a programming environment that empowered real coding on an Apple. As of late, most of the robotics packages I have used on an Apple have removed the text-based coding options.

The flexibility was nice, and the educational scaffolding was clear.

You can start with the colorful blocks, and easily get things working.


Then, you can get into the code, and make things work the way you want.


Cubit uses the Lua language. I found it to be an excellent primer for going in a variety of programming directions. I have always found that using robotics and electronics as a prerequisite for IB or AP computer science is a better primer than simply having an introductory course based solely in a language. Let’s be honest, robots are fun, and they can really help build the programming competency base.

If you are new to robotics and have no idea where to get started, Cubit is an excellent solution. Cubit provides a built-in curriculum with projects ranging from elementary to high school. The programming environment guides users through the initial steps.


Robotics education needs to move away from the obsession with remote control. I believe this obsession emerged from the ubiquity of mobile devices, and the realization that automation is usually a low-scoring and frustrating endeavor. When students can use a remote control, they can get more points and do more in less time.

The process, stress, and failure should be the goal when using robotics for K-12 education. If a student can understand the complexities of automation before they leave high school, then they are better prepared for the AI-driven future and their place within it.

It is small, affordable, and easy to build, but Cubit is a step towards authentic learning and forward-thinking.


Are Your Files Public? The Edlio Example


By Tony DePrato | Follow Me on LinkedIn

I have written before about cloud security and file security. I was doing a simple pentesting job for a school recently and found a service they were using called Edlio.

I cannot say if Edlio has a security issue, or if what I found was simply based on clients not following procedures, or if all these schools marked their documents as public.

However, I can say it is generally bad practice for:

  1. Personal information to be public and openly searchable
  2. Budget information to be public and openly searchable (aside from summaries and annual reports)
  3. Versions of documents that are not the final version to be public and openly searchable
  4. Calendars and other data about large group events to be enabled without security

Schools using Edlio, or other services, need to audit their public content. Here is what is accessible on Edlio with a compound search:

[Screenshots one and two]

I then noticed that the documents seem to be organized by date, and mixed. Meaning, different schools appear to be storing documents in a “common” directory, and then their files are further organized.

[Screenshots three and four]

Using a search based on the date, I was able to further sort documents from different schools:

[Screenshots five and six]

Again, there is no evidence this is an issue with the Edlio service. These documents could be available due to schools simply not managing their permission options, or because the schools believed these documents needed to be public.

The takeaway here is that school senior leadership should be aware this information is public, how it can be searched, and there should be some minor threat assessment done to determine if these documents (and posting policies) are creating more risk than reward.
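One way to start the audit of public content described above, as an added example that is not part of the original post: it takes an inventory of a school's own published file URLs and flags each one against the four bad-practice items listed earlier, for a person to review. The URLs, the `example.edu` host and the keyword lists are constructed assumptions, not Edlio's layout or anything found in the testing described.

```python
import posixpath
import re
from urllib.parse import unquote, urlparse

# Keyword sets are assumptions for illustration; adapt them to local file naming.
PERSONAL = {"roster", "directory", "transcript", "medical", "addresses", "contacts"}
BUDGET = {"budget", "payroll", "ledger", "invoice", "salary"}
VERSION = re.compile(r"draft|wip|copy|old|v\d+|rev\d*")

# Constructed inventory, e.g. exported from the school's own CMS or sitemap.
SAMPLE_URLS = [
    "https://files.example.edu/2019/10/staff_directory_home_addresses.xlsx",
    "https://files.example.edu/2019/10/budget_fy20_draft_v3.xlsx",
    "https://files.example.edu/2019/11/annual_report_budget_summary.pdf",
    "https://files.example.edu/2019/11/pta-calendar.ics",
    "https://files.example.edu/2020/01/lunch_menu.pdf",
    "https://files.example.edu/2020/01/Field%20Trip%20Roster%20(copy).docx",
]


def tokens_and_ext(url):
    """Split the URL path into lowercase word tokens plus the file extension."""
    path = unquote(urlparse(url).path).lower()
    stem, ext = posixpath.splitext(path)
    return [t for t in re.split(r"[^a-z0-9]+", stem) if t], ext


def classify(url):
    """Return the list of review flags that apply to one published file."""
    tokens, ext = tokens_and_ext(url)
    words = set(tokens)
    flags = []
    # Item 1: personal information.
    if words & PERSONAL:
        flags.append("personal_information")
    # Item 2: budget detail, except summaries and annual reports.
    is_summary = "summary" in words or {"annual", "report"} <= words
    if words & BUDGET and not is_summary:
        flags.append("budget_detail")
    # Item 3: anything that looks like a working version rather than the final one.
    if any(VERSION.fullmatch(t) for t in tokens):
        flags.append("non_final_version")
    # Item 4: calendar feeds and calendar documents.
    if ext == ".ics" or "calendar" in words:
        flags.append("calendar_data")
    return flags


def audit(urls):
    """Group flagged URLs by category so each list can go to the right owner."""
    report = {}
    for url in urls:
        for flag in classify(url):
            report.setdefault(flag, []).append(url)
    return report


if __name__ == "__main__":
    for category, urls in audit(SAMPLE_URLS).items():
        print(category)
        for url in urls:
            print("   ", url)
```

A flag means "someone should decide whether this belongs in public", not that the file is a leak; filenames alone cannot tell what a document contains.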

If you want more information on how to do this type of testing and analysis, please email me: tony.deprato@gmail.com

 

 

CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

By Tony DePrato | Follow Me on LinkedIn

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities. These are usually weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline.

A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events.  If you provide and manage laptops, a good pentester will need one of the school’s laptops.

These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable.

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some of these do not always connect well to third-party services, public-facing websites, etc.

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources.

Test | Definition
Subscription and Services Discovery | Can your subscriptions and services be easily discovered?
Files Exposed to the Public | Are there files publicly available that are supposed to be private?
Calendars Exposed to the Public | Is calendar data that should be private, private?
Staff and/or Student Email Harvesting | Can your staff and/or student PII be used to create a database for phishing and spamming?
Portals and SIS | Are your portals and SIS properly secured and difficult to brute force attack?
Websites and Social Media | Are websites and social media properly secured; is the media being used legally and correctly?
Cloud Services | Have cloud services been properly secured?
Third-Party Sharing | Is anyone sharing your content and do they have permission?
FTP, SSH, and Telnet | Are any of these protocols a threat to your school via publicly accessible information?
Email Blacklist | Is your email domain blacklisted?
Email Header Check | Is there any data in your header that could be anonymous or lead to blacklisting?
Email Catch-All for Nonexistent Emails | Is your email set up to catch any email that does not exist and alert someone?
SMTP Relay | Is your email system running services that would allow an attacker to use your email for a criminal act; send an email on someone’s behalf?
4xx and 5xx Error Check | Are the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users?
HTML Forms | Are any HTML Forms vulnerable to low-level URL based attacks? (Will also review CAPTCHA.)

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents.

In other words, avoid jargon and lingo.
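One row of the checklist, the Email Header Check, worked as an added example that is not the author's own script: it reads the headers of a message your school sent to an outside mailbox and reports internal addresses or workstation names exposed in the relay chain, plus any SPF, DKIM or DMARC result other than "pass". Treating those as the header data that matters is an assumption about what the row covers; the sample message, hosts and IPs are constructed.

```python
import ipaddress
import re
from email import message_from_string, policy

# RFC 1918 ranges: addresses that outside recipients should never see.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: headers as seen by the outside mailbox that received
# the message. Hosts, IPs and results are invented for this example.
SAMPLE = """\
Received: from mail.school.example (mail.school.example [203.0.113.25])
 by mx.recipient.example with ESMTPS id abc123;
 Tue, 14 Jan 2020 08:01:12 -0500
Received: from FRONTOFFICE-PC (unknown [10.20.4.17])
 by mail.school.example with ESMTP id def456;
 Tue, 14 Jan 2020 08:01:10 -0500
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=school.example;
 dkim=none;
 dmarc=fail header.from=school.example
X-Originating-IP: [10.20.4.17]
From: Front Office <office@school.example>
To: parent@recipient.example
Subject: Constructed sample

Body text.
"""


def internal_ips(value):
    """Return the RFC 1918 addresses found in one header value."""
    found = []
    for text in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", value):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:  # e.g. 999.1.1.1 is not a valid address
            continue
        if any(ip in net for net in RFC1918):
            found.append(text)
    return found


def check_headers(raw):
    """Return a list of (check, detail) findings for one received message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Internal addresses and workstation names leaking through relay headers.
    for name in ("Received", "X-Originating-IP"):
        for value in msg.get_all(name, []):
            for ip in internal_ips(value):
                findings.append(("internal_ip", f"{name}: {ip}"))
            m = re.match(r"from\s+(\S+)", value)
            if name == "Received" and m and "." not in m.group(1):
                findings.append(("internal_hostname", m.group(1)))

    # 2. Sender authentication as judged by the receiving server. Anything
    #    other than "pass" raises the odds of spam filtering or blocklisting.
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            results[method.lower()] = result.lower()
    for method in ("spf", "dkim", "dmarc"):
        result = results.get(method, "missing")
        if result != "pass":
            findings.append(("auth", f"{method}={result}"))
    return findings


if __name__ == "__main__":
    for check, detail in check_headers(SAMPLE):
        print(f"{check:18} {detail}")
```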

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous.

These recommended tests are not very difficult, but if you want to outsource this, email me at: tony.deprato@gmail.com. I thoroughly enjoy doing this kind of work and have automated many of these processes with scripts and services.

 

 

 

 

CyberSecurity Part 2: OPSEC and Post-it Note Passwords


By Tony DePrato | Follow Me on LinkedIn

How many times have you seen it? You walk into an office or classroom, and a Post-it is proudly announcing a user’s password. Why? Because schools are trusting environments.  Maybe the password is not for the computer, maybe it is for the teacher/staff WiFi. A WiFi network that has no other security aside from the password: TeacherWifi1.

Before spending thousands of budgetary funds on security consultation, all schools (and organizations) should focus on their Operational Security or OPSEC. OPSEC is officially defined as:
Operational security (OPSEC), also known as procedural security, is a risk management process that encourages managers to view operations from the perspective of an adversary in order to protect sensitive information from falling into the wrong hands.

Developing a solid OPSEC plan is not that difficult. A bit of common sense and creative thinking goes a long way. Let’s walk through some simple practices that will help improve a school’s operational security, and the school’s ability to react to problems.

Follow Normal Child Safety Practices All the Time and in all Departments

The basic child safety concepts are: keep students away from unverified adults and make sure adults are not alone with children (and if they are alone they are visible).

The standards seem to be prevalent in all child safety courses and certifications. Following these two standards, and applying them to a technology plan would yield the following rules:

  • Students are never allowed on the same network as teachers/staff/guests
  • Students share information through the cloud or monitored middle process (such as a Synology share that requires user login)
  • Students should not be allowed to peer share with teachers (e.g. no more AirDrop)
  • The guest network is limited and separated from everyone else
  • No access to the network etc. unless all users provide an ID or their devices are identified as approved devices

You can find more detailed standards here for securing your network and developing a better level of OPSEC.

Office and Classroom Access Should Be Managed by Policy

The worst hacking scenarios I have personally experienced, and that resulted in child and family trauma, began with data being printed and left in unattended offices/classrooms.

Simple and reasonable practice can deter most people from crossing the privacy line. Here are some suggestions:

  • Laptops should be secured in a bag or other area when unattended; on the desk, lid open is bad practice
  • Documenting passwords should be discouraged
  • Desktops and other devices should be logged out when unattended; or secured with a password screensaver
  • Teams should split their lunches and breaks to ensure that the office/classroom always has someone present
  • Office/classroom hours should be posted so that everyone knows when the space is open for meetings or visitors
  • Desktop phones should have a security code to make calls off-campus
  • Students, parents, and others should have a demarcated area for meeting and working with staff and teachers; certain areas should remain off-limits
  • Printing from offices needs to terminate in a secure space; it should be difficult for an unauthorized person to make physical contact with an office printer

Walk Around and See What You Can Do

School administrators often conduct classroom walkthroughs and observations. This process is similar.

The leadership team needs to be scheduled to break in to areas on campus. They should test closets, offices, doors, etc. Printers should be checked for abandoned documents, and those documents should be sampled. Did someone print and leave any confidential information? Any tests or assessments? When guests are in the building, how freely can they move beyond common areas before they are politely challenged?

The team should document what they find, and question why the access was possible. A formal review of all vulnerabilities is going to inform the necessary actions that need to be taken.

If there is a plan to work with an external contractor, having all this research is essential. Focusing on unrealistic threats and problems will not strengthen security or cybersecurity. A misaligned plan will waste resources, provide a false sense of security, and overall weaken any future response to a real threat.

 

 

 

 

CyberSecurity Part 1: Social Engineering

[Image: Lock]
Source: https://www.youtube.com/watch?v=JsVtHqICeKE

By Tony DePrato | Follow Me on LinkedIn

I have noticed an uptick recently in schools moving resources, money and time, to address cybersecurity concerns. The motivation for addressing security issues is genuine, but the approach and implementations I am reading about are less than effective.

Over the next few weeks, I will be writing a series of posts to address what schools should do to improve cybersecurity. Nearly every suggestion will require a change in process or culture, but not any significant financial investment.

Social Engineering

Even if you’ve got all the bells and whistles when it comes to securing your data center, your cloud deployments, your building’s physical security, and you’ve invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. ~ https://www.csoonline.com/article/2124681/what-is-social-engineering.html

Physical access to any space is the holy grail. Hacking begins with collecting information, watching people, finding the weak links within the organization, and studying how systems and people work.

Having an open, friendly campus means exposing information systems to a variety of threats that exist outside the network controls.

Allowing students, teachers, and staff to freely move around campus with few limitations or consequences, creates multiple opportunities for data to be collected on areas of the campus that generally are part of the plant or backend operations. These areas are designed for small teams of workers to keep the campus running, and these areas allow access to systems that control things like water, gas, electricity, etc. The plans and operational guides for these areas are not public, but people taking a regular stroll through these spaces eventually collect enough information to execute an exploit.

Maybe the exploit is simply students finding a way to sneak off-campus, but when one group creates a loophole, another group has the opportunity to use it. Social engineering practitioners are looking for loopholes and they are looking to mix with trusted groups of people. Their access begins with a bad policy or the improper enforcement of a policy.

It is far easier to use social engineering tactics to attack a school’s data and assets than to try and exploit the network externally. Not only is it easier, it is less risky. Generally, school policy is granting a person physical access, and therefore they are not trespassing. Whereas any attempt to breach the network would be a crime.

Before worrying about the network, the cameras, and the technology as a whole, it is imperative to reduce physical access and to design policies that balance community with access.

Defending Against Social Engineering in a Friendly Manner

Schools are not banks or government facilities. They are generally friendly and trusting environments. Implementing security measures should not create a panic, and should not create a culture of fear. Every measure taken needs to connect to another logical reason that the community can understand. Here are some ways you can reduce the risk of threats through social engineering:

  1. Let everyone know, they are free to call security and report anyone or anything they see that seems “off.” This means, not punishing people if they misidentify someone. Make the process easy, and make certain security personnel follow through and keep records. Social engineering often requires a few visits to a campus, and studying reports could identify a pattern.
  2. Lunchtime is always important on a school campus. Set a simple policy for business and operational offices to either rotate their lunchtimes and/or lock their offices. Lunchtime rotation is an excellent countermeasure. It ensures that every day, a few people are always in an office, the offices are open so people can access services, and the schedule of activity is difficult to predict.

    An example would be the following: Four people work in accounting. On Mondays, Wednesdays, and Fridays, persons 1 and 3 choose to do lunch at 11:30 AM; on those days, persons 2 and 4 choose to do lunch at 12:30 PM.

    Locking offices for an hour is safe, but it is not going to be as popular as using a rotation.

  3. Any closet or room containing computer network equipment, phone system equipment, etc. should not be used for storage. Why is this important? Because the moment a room or closet is accessible for storage, the number of people who will be opening the door becomes unpredictable. The equipment in that space would allow easy access to all the data that flows through the school.

    A common mistake schools make is to use these network/electrical closets to store cleaning supplies. Cleaners are usually very friendly and trying to help people, as well as maintain safety. So, if I wanted to access the closet and exploit the network, I would create a spill of liquid and wait for the cleaner to get into the closet. I might even distract them long enough to slide a small piece of paper between the lock and door jamb.

    The cleaner is doing their job, and I have gained access to the space after the cleaner is finished.

  4. Guests/Parents should have their own network. It goes without saying that allowing anyone aside from students and employees on the academic network is risky. A guest network SSID is highly recommended if the public or parents are allowed to use the WiFi. The more I consider this, the more I believe that a better policy is to simply improve the mobile network reception, and direct people to use their own data.

    A school can invest in repeaters and other technology to make the mobile signals from various providers strong and robust.

    Schools can also use services like Kajeet to deploy better mobile access. In many cases, schools qualify for FREE mobile hotspots. Why spend time and resources giving the public and parents access to limited and/or filtered academic networks anyway? Using mobile reduces the chances of a data breach, and virtually eliminates the liability a school would incur.

  5. Encourage and incentivize teachers to work outside their offices, in higher traffic areas. Teachers know each other, they know parents, and they know students. Teachers also have good instincts for spotting odd behavior. These statements are from anecdotal evidence, but if you have worked at a school for a long enough time, then you realize teachers are truly on the pulse of the organization.

    Teachers working in school cafes, libraries, etc. see and hear more than they would if they were isolated in offices.

    Setting up conference rooms with glass walls, or creating PD opportunities in more public venues would greatly improve the random and increased presence of teachers on-campus.

    Remember, the idea is to create unpredictable patterns and to make it more difficult for someone to find a weakness and the confidence to act. The mere presence of staff in public spaces is a deterrent.

  6. Assume a good Social Engineer can get on-campus with an ID check, and plan accordingly. The core group defending against social engineering would most likely be the security team, operations team, and technology team. They should work together to plan scenarios and action plans. School leadership needs to make certain that those teams are focusing on those individuals who have enough skills to get through the external layer of security.

    Making assumptions that the camera system, front gate ID check, etc., will somehow prevent access, is going to create a false sense of security. Good social engineering requires imagination and creative thinking. Good defense will require the same.

  7. Work with parents to test your security and access. Parents want what is best for the school and their children. Parents also have come from a variety of backgrounds. They are a trusted group that will be honest and help measure improvements.
  8. Educate yourself first, and seek outside advice second. There is a massive amount of information about social engineering. It is worth educating a core group of people on security topics so they can inform practice and direct consultants. Remember, consultants will only be useful until they leave. Build your team, and give them the time they need to learn. Much of what people need to know is free; time is the only factor.

I hope this post stirs the pot and creates some discussion on school campuses. I am placing some resources below, including some very informative and entertaining videos on the subject of social engineering and physical penetration testing.

I am happy to do a live debate on this subject or webinar for anyone interested. Please email me at tonydeprato@gmail.com

 

Resources

 

  1. DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (w speaker): https://www.youtube.com/watch?v=JsVtHqICeKE
  2. I’ll Let Myself In: Tactics of Physical Pen Testers: https://www.youtube.com/watch?v=rnmcRTnTNC8
  3. What is Social Engineering: https://www.csoonline.com/article/2124681/what-is-social-engineering.html
  4. Passwords are Still a Problem: https://www.nextgov.com/cybersecurity/2019/01/why-computer-passwords-are-still-problem-2019/154086/
  5. Cybersecurity Stats: https://www.varonis.com/blog/cybersecurity-statistics/

 

 

 

Swimming in the Data Lake


By: Tony DePrato | Follow me on LinkedIn

Educational organizations are faced with the constant influx of seemingly new technology. This creates pressure (even a demand) to review, to compare, to challenge, and often, to change.

The business around software is not understood nor recognized by most educational institutions. Schools trust. Schools hope. Industry, generally, tries to profit. The constant churning of technology companies through mergers and venture capital initiatives creates an unstable environment. This environment breeds havoc and forces decision makers to ask: Will your vendor be your vendor tomorrow?

The game is rigged. But there is a way to take the game back. There is a way to design flexibility into the ecosystem and empower decision makers to relentlessly negotiate for the deals they need, and when they need them.

For years we have focused on controlling the box, the physical interface, and the platform. In most cases, these concepts are now irrelevant. Software as a Service (SaaS) has evolved to allow a tablet to carry the power of a laptop, and a laptop the power of a GPU-driven workstation. SaaS is just the beginning; in fact, it is only a replacement for the platform. The heart of the system is the data, and the data controls the decisions more than anything else.

The next evolution for education, K-12 and above, is to adopt new standards allowing the organization to choose their modality but maintain the standard of communication.

Educational institutions need to build a data lake, or data repository, using data from all their vendors. Any vendor that cannot meet a few basic standards, needs to be eliminated from the pool of options. These standards would be simple, and would include:

  • Data, all data, can be exported in a single data pump when required
  • Data, all data, can be exported into at least one or all of the following formats: csv, tab, sql, or xlsx
  • Downloaded Data, all downloaded data, will only have encryption if the client chooses
  • APIs and other methods to sync real time data are optional; even if these tools exist, the data export requirements must be maintained

By insisting these standards be met by vendors, educational organizations will not only be able to constantly analyze all their data, they will be able to recreate themselves when they choose. Vendors will not hold the fear of data loss, or opportunity cost, over the decision makers.

The only remaining conundrum is: how do we show every school how to do this, and how to find opportunity within this new environment?

When TurnItIn Fails

By: Tony DePrato | Follow me on LinkedIn

 

Plagiarism is a serious issue for most high schools. It is rare to find a school without a detailed plagiarism policy. Most of these policies have a few tiers, because it is common for students to commit plagiarism more than once in their academic career.

Unfortunately, the tools educators rely on only cover a small portion of things students can plagiarize. In the last decade I have seen inauthentic:

 

  • Computer Science projects
  • Art projects
  • Websites
  • Math internal assessments (IB)
  • Research papers with a perfect Turn It In score
  • Foreign language course work
  • 3D printing
  • etc…

 

In many of these cases, the student and their parents argued that the work was not plagiarized. These people had full legal ownership of the end product, because they paid for the work, or paid for someone to help guide the work.

 

The work is often a result of tutoring, where the student did technically do the work, but was aided along the way. Sometimes this support did result in the tutor physically contributing to the final product.

 

These situations are complicated. They are well beyond someone simply copying an academic paper.

 

Identifying Inauthentic Work and Projects

 

As soon as I mention plagiarism, people are quick to react. In every conversation, people ask me, “How did you know it was not their work?” or “How did you prove they did not do it on their own?”.

 

I find the first problem with most project-based planning is a lack of pre-assessment. Students need a baseline assessment. Teachers should be assessing projects on some sort of trendline. The measurements being used need to monitor growth, and not simply check off rubric boxes.

 

If teachers set baseline assessments for every project, they can clearly find students who are developing seemingly accelerated skills in a very short time. If the teacher suspects a problem, they can require all the students to do an in-class timed assignment. These assignments need to encourage the students to practice their skills without risking their grades. Students who have been submitting inauthentic work will most likely show signs of stress, become angry, and/or ask to leave the room.

 

Rubrics Can Be a Roadmap for Cheating

 

Rubrics should guide students toward a standard, but they should be flexible enough that the end result is a product of a student’s imagination and creativity. In fact, if a student has a great idea, the rubric could be put to the side (a discussion for another time).

 

I have seen an increase in teachers providing students with highly detailed rubrics, designed to meet detailed criteria. In those cases, it does seem as if the teacher would like all the student work to be nearly identical. Those highly detailed rubrics are essentially a blueprint for a tutor.

 

Rubrics that leave no room for personalization are going to increase cheating. There is a sense that students need to be trusted, and educators must trust students to make good decisions. However, schools usually do not let students use phones during exams, or walk into copy rooms with cameras. Why? Because they are young and impulsive. They will sometimes make bad choices, and simply using good practice to remove temptation is not a violation of trust.

 

Projects are Assessments, Plan them Accordingly

 

Many schools have an assessment calendar or planner. These are used to ensure students do not have three or four tests (or exams) on a single day. Projects are often left off of these planning documents. I have made this mistake numerous times leading project-based courses.

 

Project due dates are often pushed and changed, and therefore the final due date may shift. Adding a due date to an assessment calendar requires other teachers to plan their assessments around those dates. Changing those dates can create havoc. Not being able to change those dates can impact students who need more time, or were denied time due to some unforeseen past issue.

 

When students feel the pressure of a final project they might make the choice to seek outside help. Having a tutor is not plagiarism, but often project-based disciplines lead to the tutor doing the work on behalf of the student.

 

Planning projects with three or four important due dates allows student work to be assessed in stages and reduces the risk of missing the final deadline. I personally feel that having multiple stages reduces stress, although my evidence is purely anecdotal.

 

Current technology and online services cannot identify cheating within project-based courses. Teachers need to know their students, and plan accordingly to reduce those impulsive and misguided choices teenagers often make.