Episode 184 – HIFLEX

This is a different type of episode.

Today, Patrick interviews Tony DePrato about his HIFLEX setup in the classroom. HIFLEX is a term that refers to students who are in the classroom and also at home, with both groups learning synchronously. Tony utilizes iPads and a few other items and tools to bring this affordable solution to life.

As always, be sure to find us on Apple Podcasts or your favorite podcasting app.

Episode 183 – Damn Fine Cans

Tony and Patrick are back! It has been long overdue too. It’s a longer than normal episode but there is a lot to talk about! As always, subscribe to us on Apple Music or your favorite podcasting app.

1) Back at school in a COVID world
a) Tony’s motto: “You have to think of every student as a virtual student that occasionally comes to school and if you do that your planning will fit every scenario.”
b) GoGuardian: https://www.goguardian.com
c) Cisco Umbrella: https://security.umbrella.com

2) Why your online streaming is bad and mine is good
a) iPad solution
b) Euro Mic Stand with Klip
c) Disable iPad audio
d) DJ Podiums
e) iPad is a “person” in the meeting

3) Virtual Parent Conferences
a) Zoom
Waiting rooms
b) Prep with teachers and parents
c) Google Meet deadline – September 20, 2020

4) Streaming in the Classroom – Final verdict!
a) Windows schools – Microsoft Wireless Display Adapter
b) Mac schools – Apple TV
c) BYOD schools – BenQ Instashow/Barco WePresent

You can download the episode HERE!

Sneaky, sneaky kids and electronic tests

This week is a good week. I learned a whole lot about something this week and I thought I’d share it with you, my good reader.

So let me lay out the scenario for you. It is the end of a grading period at my school, and like many other schools this is a time for tests and projects. One class giving quite a few tests is our Spanish class. The teacher there uses an online assessment tool, Edulastic, for these tests, and the students use Chromebooks. Since it is a language test and it is offered online, there are some ways that kids can, shall we say, get some online assistance (AKA cheating).

We, the tech department, thought we had this locked down. With Edulastic we can make a “Scene” that only allows the Edulastic website to open, and that is it: no new tabs or searches allowed. We also blocked Google Translate from the Google control panel so that neither the site nor the extension could be used, and we patted ourselves on the back.

So students took the test, and when we looked at GoGuardian to make sure they weren’t able to open any other websites, we noticed something odd. Something didn’t make sense. Check out the image below of a timeline of two different students.

Problem #1

We are stupid, or at least I am. There are plenty of translation extensions that students can download and install.

Guess what: extensions don’t need a website, so they are invisible to GoGuardian. At the beginning of the week we thought there were students who were installing the extension before the test and then uninstalling it afterwards.

So, we disabled students’ ability to install apps/extensions from the Google control panel. Pretty easy, and we set up a Google form for students to request apps/extensions to be allowed so that we could vet them.

OK – now we can really pat ourselves on the back . . . right?

Problem #2

Did I mention that I was stupid? During a test that we were monitoring on GoGuardian we saw this.

So the student on the bottom is what it should look like during a test. A solid green line showing a student consistently on the Edulastic test. The student above was odd. Why was it so fragmented? Those gray slivers are open and empty tabs. What was happening?

So we looked a little deeper and saw this.

How could this be? I mean we plugged all the holes . . .didn’t we? Right?

The teacher spoke to this student and he was pretty forthcoming. He said that if you type a question into the Google Omnibar, it will give an answer without performing a search!

Of course he is absolutely correct.

What you are seeing here is what Google calls instant search, and there is a way for us to turn that off in the Google control panel. There was also a translate feature in Google that we turned off as well; I guess this is what offers a translation for sites in a foreign language.
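The lockdown described in this post (no student-installed extensions, omnibox suggestions off, Google Translate off and its site blocked) corresponds to Chrome enterprise policies that can be checked on any managed Chromebook at chrome://policy. The file below is an added example, not a setting exported from the author’s Google control panel; it assumes the console toggles the post mentions map onto these policy names, and shows them in the managed-policy JSON format that a Linux Chrome install reads from /etc/opt/chrome/policies/managed/.

```json
{
  "ExtensionInstallBlocklist": ["*"],
  "SearchSuggestEnabled": false,
  "TranslateEnabled": false,
  "URLBlocklist": ["translate.google.com", "translate.googleapis.com"]
}
```

ExtensionInstallBlocklist set to "*" is the policy equivalent of disabling all extension installs; extensions vetted through the request form are then listed by ID in ExtensionInstallAllowlist. SearchSuggestEnabled is the setting behind the omnibox answers, and TranslateEnabled removes the built-in page-translation offer that the URLBlocklist entries do not cover on their own.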

Now do I pat myself on the back? No because I am sure the students will find another way. Just like the Dutch Boy and the leaky dike. I am just plugging holes as students find new and inventive ways to . . . “gain assistance.”

What have I become

I always thought that, working in technology, I’d be the cool guy on campus. I’d be the person people would go to with problems and want to talk tech with. I am that person, but I have also become something else.

I’ve become . . . The Man.

I’m OK with that.

Cubit Robotics: Probably Better Than What You Are Doing

By Tony DePrato | Follow Me on LinkedIn

I have been working with robotics since 2005. I have worked with students from US Grade 4 to students competing in university competitions.

As of late, I have been shocked by this trend: remote control.

https://www.jpl.nasa.gov/news/news.php?feature=2082

Remote control is not the future. The future is autonomous and AI-driven. So why are schools teaching robotics via remote control at all levels with very little autonomous programming?

The software that was once easy to access, often free, and allowed for fairly deep programming has reverted to big graphical blocks.

This is why I am very excited about Cubit Robotics/Electronics for STEM.

I asked Cubit for a sample kit, and they sent it along. My robot frame and build were simple because I wanted to focus on programming.

The Cubit was loaded with sensor options, and the programming interface was Bluetooth.

For the record, I was using a Macbook, and I was very happy to get back into a programming environment that empowered real coding on an Apple. As of late, most of the robotics packages I have used on an Apple have removed the text-based coding options.

The flexibility was nice, and the educational scaffolding was clear.

You can start with the colorful blocks, and easily get things working.

Then, you can get into the code, and make things work the way you want.

Cubit uses Lua language. I found it to be an excellent primer for going in a variety of programming directions. I have always found that using robotics and electronics as a prerequisite for IB or AP computer science is a better primer than simply having an introductory course based solely in a language. Let’s be honest, robots are fun, and they can really help build the programming competency base.

If you are new to robotics and have no idea where to get started, Cubit is an excellent solution. Cubit provides a built-in curriculum with projects ranging from elementary to high school. The programming environment guides users through the initial steps.

Robotics education needs to move away from the obsession with remote control. I believe this obsession emerged from the ubiquity of mobile devices, and the realization that automation is usually a low-scoring and frustrating endeavor. When students can use a remote control, they can get more points and do more in less time.

The process, stress, and failure should be the goal when using robotics for K-12 education. If a student can understand the complexities of automation before they leave high school, then they are better prepared for the AI-driven future and their place within it.

Cubit is small, affordable, and easy to build, and it is a step towards authentic learning and forward thinking.

AI Research

  1. https://www.grandviewresearch.com/industry-analysis/artificial-intelligence-ai-market
  2. https://www.pwc.com/us/en/services/consulting/library/artificial-intelligence-predictions-2019.html
  3. https://apnews.com/Business%20Wire/df8bdcfa4de84f6aa301d3683c2e1b55
  4. https://www2.deloitte.com/content/dam/Deloitte/br/Documents/technology/DI_TechTrends2019.pdf

Are Your Files Public? The Edlio Example

By Tony DePrato | Follow Me on LinkedIn

I have written before about cloud security and file security. I was doing a simple pentesting job for a school recently and found a service they were using called: Edlio.

I cannot say if Edlio has a security issue, or if what I found was simply based on clients not following procedures, or if all these schools marked their documents as public.

However, I can say it is generally bad practice for:

  1. Personal information to be public and openly searchable
  2. Budget information to be public and openly searchable (aside from summaries and annual reports)
  3. Versions of documents, that are not the final version, to be public and openly searchable
  4. Calendars and other data about large group events to be enabled without security

Schools using Edlio, or other services, need to audit their public content. Here is what is accessible on Edlio with a compound search:

I then noticed that the documents seem to be organized by date, and mixed. Meaning, different schools appear to be storing documents in a “common” directory, and then their files are further organized.

Using a search based on the date, I was able to further sort documents from different schools:

Again, there is no evidence this is an issue with the Edlio service. These documents could be available due to schools simply not managing their permission options, or because the schools believed these documents needed to be public.

The takeaway here is that school senior leadership should be aware this information is public, how it can be searched, and there should be some minor threat assessment done to determine if these documents (and posting policies) are creating more risk than reward.

If you want more information on how to do this type of testing and analysis, please email me: tony.deprato@gmail.com

CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

By Tony DePrato | Follow Me on LinkedIn

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities. These are usually weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that ( credentials and background presented).

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go

School: We are looking for someone to help test our security.

Pentester: Great. I can do that ( credentials and background presented).

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline.

A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events. If you provide and manage laptops, a good pentester will need one of the school’s laptops.

These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable.

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some of these do not always connect well to third-party services, public-facing websites, etc.

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources.

Test | Definition
Subscription and Services Discovery | Can your subscriptions and services be easily discovered?
Files Exposed to the Public | Are there files publicly available that are supposed to be private?
Calendars Exposed to the Public | Is calendar data that should be private, private?
Staff and/or Student Email Harvesting | Can your staff and/or student PII be used to create a database for phishing and spamming?
Portals and SIS | Are your portals and SIS properly secured and difficult to brute-force?
Websites and Social Media | Are websites and social media properly secured; is the media being used legally and correctly?
Cloud Services | Have cloud services been properly secured?
Third-Party Sharing | Is anyone sharing your content, and do they have permission?
FTP, SSH, and Telnet | Are any of these protocols a threat to your school via publicly accessible information?
Email Blacklist | Is your email domain blacklisted?
Email Header Check | Is there any data in your header that could be anonymous or lead to blacklisting?
Email Catch-All for Non-Existent Emails | Is your email set up to catch any email sent to an address that does not exist and alert someone?
SMTP Relay | Is your email system running services that would allow an attacker to use your email for a criminal act (send an email on someone’s behalf)?
4xx and 5xx Error Check | Are the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users?
HTML Forms | Are any HTML forms vulnerable to low-level URL-based attacks? (Will also review CAPTCHA.)

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents.

In other words, avoid jargon and lingo.

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous.

These recommended tests are not very difficult, but if you want to outsource this, email me at: tony.deprato@gmail.com. I thoroughly enjoy doing this kind of work and have automated many of these processes with scripts and services.