This video reviews a method to extract staff email and names from the popular Finalsite CMS used by K12 schools.
Disclaimer: This video is not documenting any known bugs or issues with Finalsite. This video is demonstrating how Personal Information can be harvested using options end-users select. Solutions to this problem are available by adjusting the options in any existing Finalsite implementation. Specific tools and process will not be fully revealed in the video. Anyone wishing to learn more must arrange for a private demonstration.
I’m on a quest and here is the next foray into that quest. I present to you the Mersive Solstice. On paper this thing looks great! It really does. It can allow many people to connect to a single screen at one time, you can even bridge multiple Solstices together so people in other rooms can see and hear what is happening. It supports 4K output and has Apple AirPlay built in so it is just as easy for Apple devices to connect to the Solstice as an Apple TV. Not to mention that it has a dashboard that you can remotely manage and configure multiple Solstices at one time, troubleshoot, etc. So, do I like it? Not really but we will get there soon enough.
FYI- If you are interested in the Mersive Solstice, you can contact them through their website to arrange for a demo unit like we did 🙂
Let’s start right here. The Solstice costs $1199 or $1399. The difference between the prices is that one includes a dashboard to remotely manage your Solstices and the other does not. Either way, it is very expensive. Just to be clear that is the cost for one device.
Setting it up
While the Apple TV is ridiculously easy to set up, the Solstice ain’t too bad either. As you can see from the picture below, you have an HD or 4K output option, an ethernet point, an audio out, a power adapter plug and two USB 3 ports. On the other side is an HDMI port and a USB C port.
What’s really nice here is that the ethernet port supports POE (Power Over Ethernet). This means if you have a switch that is POE or POE+ then the switch will provide enough electricity to run the device itself. Something the Apple TV cannot do. So you get your Internet connection and the electricity needed to power the device all in one port. Very snazzy and convenient.
It’s also pretty small and light, so connecting it and placing it on our mounting near a projector is a real possibility. This means you can install this in house and save a bit of money. Here is a picture next to a current generation Apple TV.
Once you plug it in you need to connect a keyboard and mouse to the Solstice. This will let you access the settings for the device. If you have the dashboard feature you could merely plug it in and configure it from the dashboard, but this is a demo unit so we did all the configuration on the device itself.
It really was pretty simple. You could connect it through the WiFi if you wished (though an ethernet connection is far more stable and recommended), you can name it, give some security features if you like, configure the name and more. It was very easy to find and get going.
Connecting to it
First off – anything can connect to this thing (well maybe not Linux). Android, Mac OS, Windows – no problem. If you have an Apple Device you can connect through AirPlay (like the Apple TV). You can also use the Solstice app which is a free download. The app gives you many more options which we will get to.
Either way you connect, it will ask you for a 4 digit code which is prominently displayed on the screen. Once connected you have some choices. You can Share your Desktop, Share just an App or Share a Media file.
Here we run into some issues but there is also some good stuff as well.
With the Apple TV you can share or extend your screen and that was all. The option of sharing just an app or a media file is pretty great. You don’t have to worry about notifications popping through onto your Mac screen (iMessage notifications) or accidentally showing your email or gradebook on the screen. Nice.
You can also have multiple people share their screen at the same time and the Solstice handles that pretty well. The screens resize to show all the other screens and as a teacher you have the ability to hide all the other screens and bring one forward and then quickly switch to another screen. The Apple TV cannot do this – in fact it takes a little bit of time switching devices. As a teacher, I think we can all appreciate what downtime between presentations is like and minimizing this makes it really handy.
What is also neat about this is that it shows a live view of each screen, so you can see what is happening in real time. Now, if you were thinking of throwing 20–30 screens on the Solstice to monitor what is happening in your class – that is not what this is designed to do and I would be surprised to see if this even works. If it does, I bet it doesn’t work all that well. Go find a monitoring tool – there are plenty out there.
There are other features too, but we didn’t really explore them too much. The reason why is that video streaming is not good. It just isn’t. It doesn’t matter if you are streaming through AirPlay or using the Solstice app on your computer. Streaming wirelessly is not good. We saw it go from laggy, dropping frames to downright unbearable where the difference between the image and the sound was at least 1 second. Check out the video below. It is a short clip (11 seconds) of a TED talk. The lag is very noticeable and in our testing we had seen it even worse.
What was even more surprising is that we connected our computers directly to the Mersive Solstice via an HDMI cable and there was still lag. I am not sure why this happened. Just to be sure, we unplugged the Mersive and then connected our computer directly to the screen we were testing the Solstice out of and it worked fine.
Add the Solstice in between the computer and the screen and there was a subtle lag. We tested this with local video on our computer and YouTube.
Another downside we found to the Solstice was that it was not as straightforward as we would like. There was one time when we had it set up to extend our desktop and didn’t realize it. We spent a good five-seven minutes trying to figure out where the setting was. We knew what we were looking for, but couldn’t remember or quickly find where it was. A regular classroom teacher with a room full of students doesn’t have that time to dedicate to troubleshooting problems like this.
The Mersive Solstice can do a lot – there is no question, but in offering so many options it needs to offer those options in a far easier and more intuitive manner. I am not sure what this would look like or how they could pull this off, but the current model does not accomplish this. I can see teachers getting lost and frustrated with the settings and not wanting to venture too far away from simple mirroring or streaming so as not to put a lesson at risk. If that’s the case there are far cheaper options out there.
I know what you’re thinking dear reader and you are right. Workshops and PD preparing the staff for the change would be necessary but there would always be those who still forget. Also, we are a Mac school – getting our teachers to not use AirPlay on the MacBooks would be near impossible and if they only use that – then they would be missing out on some other great features.
If this whole package cost say $300–400 per device I could work with this but at more than $1000 it is hard to accept these compromises. At this price point it not only has to work but has to work better than an Apple TV. While it can do more than an Apple TV it cannot stream or mirror as well as an Apple TV which is what our teachers (and many other educators) want.
Why it is not for us
The Solstice is not a terrible device. If you are in a mixed environment (BYOD or Windows/Mac mix) then this could work. For us, I cannot justify switching from an Apple TV (less than $200) to something that is more than five times that cost. We are almost all Macs and this does not work nearly as well as an Apple TV. While walking to each individual Apple TV to make changes is a pain, it is not a deal breaker for us.
Also, we are a single building. If you have multiple buildings or maybe even multiple campuses, a device that allows the Tech department to see them all, manage their updates, power cycle them, make changes to settings, etc. all from a single dashboard, then this is definitely more appealing than an Apple TV despite its lacking performance when it comes to streaming.
The Mersive Solstice has great potential. It can do a lot but it’s too complicated for many teachers to use in their day-to-day, the streaming video performance is bad and the cost should make everyone pause before writing the check. Right now, this is a product to watch but I honestly cannot consider it a strong contender to replace our Apple TVs.
How many times have you seen it? You walk into an office or classroom, and a Post-it is proudly announcing a user’s password. Why? Because schools are trusting environments. Maybe the password is not for the computer, maybe it is for the teacher/staff WiFi. A WiFi network that has no other security aside from the password: TeacherWifi1.
Developing a solid OPSEC plan is not that difficult. A bit of common sense and creative thinking goes a long way. Let’s walk through some simple practices that will help improve a school’s operational security, and the school’s ability to react to problems.
Follow Normal Child Safety Practices All the Time and in all Departments
The basic child safety concepts are: keep students away from unverified adults and make sure adults are not alone with children (and if they are alone they are visible).
The standards seem to be prevalent in all child safety courses and certifications. Following these two standards, and applying them to a technology plan would yield the following rules:
Students are never allowed on the same network as teachers/staff/guests
Students share information through the cloud or monitored middle process (such as a Synology share that requires user login)
Students should not be allowed to peer share with teachers (e.g. no more AirDrop)
The guest network is limited and separated from everyone else
No access to the network etc. unless all users provide an ID or their devices are identified as approved devices
Office and Classroom Access Should Be Managed by Policy
The worst hacking scenarios I have personally experienced, and that resulted in child and family trauma, began with data being printed and left in unattended offices/classrooms.
Simple and reasonable practice can deter most people from crossing the privacy line. Here are some suggestions:
Laptops should be secured in a bag or other area when unattended; on the desk, lid open is bad practice
Documenting passwords should be discouraged
Desktops and other devices should be logged out when unattended; or secured with a password screensaver
Teams should split their lunches and breaks to ensure that the office/classroom always has someone present
Office/classroom hours should be posted so that everyone knows when the space is open for meetings or visitors
Desktop phones should have a security code to make calls off-campus
Students, parents, and others should have a demarcated area for meeting and working with staff and teachers; certain areas should remain off-limits
Printing from offices needs to terminate in a secure space; it should be difficult for an unauthorized person to make physical contact with an office printer
Walk Around and See What You Can Do
School administrators often conduct classroom walkthroughs and observations. This process is similar.
The leadership team needs to be scheduled to break in to areas on-campus. They should test closets, offices, doors, etc. Printers should be checked for abandoned documents, and those documents should be sampled. Did someone print and leave any confidential information? Any tests or assessments? When guests are in the building, how freely can they move beyond common areas before they are politely challenged?
The team should document what they find, and question why the access was possible. A formal review of all vulnerabilities is going to inform the necessary actions that need to be taken.
If there is a plan to work with an external contractor, having all this research is essential. Focusing on unrealistic threats and problems will not strengthen security or cybersecurity. A misaligned plan will waste resources, provide a false sense of security, and overall weaken any future response to a real threat.
Ah yes, the Apple TV. This is currently what we are using in my school and while it is pretty good there are problems I will get into. First, let’s talk about what it is, what it does, how much it costs and all that good stuff.
Here are the different connection types on the back. As you can see, pretty good stuff here, but a dedicated audio out would be nice like they had on some of the older models. The HDMI always makes things easy.
The Apple TV is not only a streaming box (like a Roku or Firestick) but it also has the ability to extend or mirror a teacher’s MacBook or iPad/iPhone. This technology is called AirPlay and it is built into all Apple devices (except the Apple Watch).
You can’t do this with a Windows computer or Android device. This feature only works with Apple products.
The good thing here is that it is built into the operating systems. There is no app or program to launch. It is just there. On a Mac it looks like this.
As you can see all those listed are separate Apple TVs. We have set up a little security on each that requires the user to input a 4 digit code that the Apple TV randomly generates and displays on the screen. This helps keep unwanted people from joining or accidentally joining.
Where it shines
The Apple TV shines if you have a school that uses primarily Apple devices. This is not a surprise to anyone. From a tech department standpoint we merely connect it to our projectors through a receiver and then plug it into power and do minimal configuration (changing the name, setting up the security PIN code option, etc.) and then we basically leave it alone and it just works. It is very simple and for the staff or students, using the Apple TV (which requires just connecting their Apple device to it) is very simple, requires minimal training and the results are pretty good.
The price is also a great feature. When a school or organization is looking for a way to let their users share their screen with a common display you will not find much out there that is as good.
The quality of the image and the quality of streaming video is also very good. The image and the sound match up seamlessly and there is little lag when just displaying your desktop screen.
Where it falters
When the Apple TV does not work it just doesn’t work. We have had times when it does not show up in the AirPlay list. No reason why it does this and it requires us to unplug it and plug it back in. Sometimes it shows up but will not make a connection. Again, there is no setting or reason why this is happening, it just happens and we usually perform a power cycle (turn it off and back on again by unplugging it).
Sometimes it just disconnects from an active screen. While it is a box that just sits there, it is also very much a black box that we cannot peer into. We have no idea why it performs this way or what causes it. This makes managing many of them in a networked environment a little problematic.
From a tech department standpoint, they are difficult to manage remotely. You would need to use a mobile device management (MDM) solution like FileWave to manage them and the options you can control are pretty minimal. I don’t believe that we can power cycle these devices remotely even with an MDM solution.
Also, there is no power button. If we want to restart the Apple TV we have to walk to the classroom, unplug it, plug it back in and then wait for it to reboot. A power button or a quick way to restart it would be awesome.
Also, being able to brand it would be nice. A lot of solutions will let you have a splash screen or a screen where your school name and logo are presented. Not the Apple TV. It does have a conference room mode which hides the Apple TV video options but it is replaced with a video screen saver of a flyover of famous cities around the world (this is mesmerizing by the way).
Finally, the most obvious shortcoming of the Apple TV – it only works with Apple laptops, desktops, iPads and iPhones. I’m not talking about AirPlay which has found itself in a number of Sony, Samsung screens. I’m talking about taking a computer, smartphone or tablet other than an Apple and sharing your screen to it. It’s not going to happen.
You have Chromebooks? Forget it. You have a guest speaker with a Windows device? Nope. It does this to help lock you in and as a school you may not have nor want that total lock in. We have teachers on staff who want a Windows device and the Apple TV in the mix throws a wrench into their plans.
Summing it up
The Apple TV is a really good device for streaming and sharing one’s screen if your school is heavily invested in Apple products. Despite its shortcomings this may be the best option for you. Sure, they can be a bit of a pain to manage, but with their reliability and long life (we have some in our building that are over five years old!) they are quite the bargain.
If you are in a BYOD situation or use a lot of Windows, this is not feasible for you. If you’re currently a Mac school but even thinking about the possibility of switching down the road, then avoid it. That lock in situation is very real and having options is good.
If you want it to do more than just share a screen, then look elsewhere. I’m not sure if you will find anything that can that is near the price point of an Apple TV but you can look – that’s what we are doing and why I’m chronicling this search!
Please leave comments below – all criticisms and points of view are welcome!
Tony and Patrick are talking Cyber Security (more like Cyber Fear) and Patrick’s quest to find a good wireless streaming option for classrooms other than Apple TVs. As always please subscribe to us on your favorite podcasting app or on Apple Music.
I’m on a quest! I’m on a quest to find the best wireless streaming solution for a classroom. 2020 is nearly here and there are more than a few options out there and at a wide variety of price points.
Unfortunately, I cannot look at every possible Frankensteined configuration so I will be focusing on some of the big names that are already out there and their solutions. Right now here is what’s on our table to demo and review.
Mersive Solstice Airpod
Crestron AirMedia 2
Apple TV (latest generation)
To be fair we already have a deployment of Apple TVs so I will probably start with that device first. My school just recently received a demo unit of the Mersive Airpod so that will most likely be the next post after that. Then we will just see.
Our teachers and staff use Apple laptops and the Apple TVs are really good for that. However, they inexplicably drop the teacher connections, sometimes have serious lag with video and sometimes just don’t want to cooperate at all. We are looking for a device that will allow teachers to stream video and mirror their displays with very high reliability all the while maintaining high resolution and not dropping too many frames.
We (the IT team at my school) would also like to be able to manage them remotely from a single dashboard. This allows us to control when to update them, how to configure them and to download logs to analyze or send to the manufacturer for technical assistance.
Obviously, we want to find a solution that works, that is reasonable in price and that is relatively straightforward to use. Will our school find a solution? I am not so sure but it is certainly worth exploring and you, my friendly reader, are invited to join me on this journey.
I have noticed an uptick recently in schools moving resources, money and time, to address cybersecurity concerns. The motivation for addressing security issues is genuine, but the approach and implementations I am reading about are less than effective.
Over the next few weeks, I will be writing a series of posts to address what schools should do to improve cybersecurity. Nearly every suggestion will require a change in process or culture, but not any significant financial investment.
Physical access to any space is the holy grail. Hacking begins with collecting information, watching people, finding the weak links within the organization, and studying how systems and people work.
Having an open, friendly campus means exposing information systems to a variety of threats that exist outside the network controls.
Allowing students, teachers, and staff to freely move around campus with few limitations or consequences, creates multiple opportunities for data to be collected on areas of the campus that generally are part of the plant or backend operations. These areas are designed for small teams of workers to keep the campus running, and these areas allow access to systems that control things like water, gas, electricity, etc. The plans and operational guides for these areas are not public, but people taking a regular stroll through these spaces eventually collect enough information to execute an exploit.
Maybe the exploit is simply students finding a way to sneak off-campus, but when one group creates a loophole, another group has the opportunity to use it. Social engineering practitioners are looking for loopholes and they are looking to mix with trusted groups of people. Their access begins with a bad policy or the improper enforcement of a policy.
It is far easier to use social engineering tactics to attack a school’s data and assets than to try and exploit the network externally. Not only is it easier, it is less risky. Generally, school policy is granting a person physical access, and therefore they are not trespassing. Whereas any attempt to breach the network would be a crime.
Before worrying about the network, the cameras, and the technology as a whole, it is imperative to reduce physical access and to design policies that balance community with access.
Defending Against Social Engineering in a Friendly Manner
Schools are not banks or government facilities. They are generally friendly and trusting environments. Implementing security measures should not create a panic, and should not create a culture of fear. Every measure taken needs to connect to another logical reason that the community can understand. Here are some ways you can reduce the risk of threats through social engineering:
Let everyone know, they are free to call security and report anyone or anything they see that seems “off.” This means, not punishing people if they misidentify someone. Make the process easy, and make certain security personnel follow through and keep records. Social engineering often requires a few visits to a campus, and studying reports could identify a pattern.
Lunchtime is always important on a school campus. Set a simple policy for business and operational offices to either rotate their lunchtimes and/or lock their offices. Lunchtime rotation is an excellent countermeasure. It ensures that every day, a few people are always in an office, the offices are open so people can access services, and the schedule of activity is difficult to predict.
An example would be the following: Four people work in accounting. On Mondays, Wednesdays, and Fridays, person 1 and 3 choose to do lunch at 11:30 AM; on those days person 2 and 4 choose to do lunch at 12:30 PM.
Locking offices for an hour is safe, but it is not going to be as popular as using a rotation.
Any closet or room containing computer network equipment, phone system equipment, etc. should not be used for storage. Why is this important? Because the moment a room or closet is accessible for storage, the number of people who will be opening the door becomes unpredictable. The equipment in that space would allow easy access to all the data that flows through the school.
A common mistake schools make is to use these network/electrical closets to store cleaning supplies. Cleaners are usually very friendly and trying to help people, as well as maintain safety. So, if I wanted to access the closet and exploit the network, I would create a spill of liquid and wait for the cleaner to get into the closet. I might even distract them long enough to slide a small piece of paper between the lock and door jamb.
The cleaner is doing their job, and I have gained access to the space after the cleaner is finished.
Guests/Parents should have their own network. It goes without saying that allowing anyone aside from students and employees on the academic network is risky. A guest network SSID is highly recommended if the public or parents are allowed to use the WiFi. The more I consider this, the more I believe that a better policy is to simply improve the mobile network reception, and direct people to use their own data.
A school can invest in repeaters and other technology to make the mobile signals from various providers strong and robust.
Schools can also use services like Kajeet to deploy better mobile access. In many cases, schools qualify for FREE mobile hotspots. Why spend time and resources giving the public and parents access to limited and/or filtered academic networks anyway? Using mobile reduces the chances of a data breach, and virtually eliminates the liability a school would incur.
Encourage and incentivize teachers to work outside their offices, in higher traffic areas. Teachers know each other, they know parents, and they know students. Teachers also have good instincts for spotting odd behavior. These statements are from anecdotal evidence, but if you have worked at a school for a long enough time, then you realize teachers are truly on the pulse of the organization.
Teachers working in school cafes, libraries, etc. see and hear more than they would if they are isolated in offices.
Setting up conference rooms with glass walls, or creating PD opportunities in more public venues would greatly improve the random and increased presence of teachers on-campus.
Remember, the idea is to create unpredictable patterns and to make it more difficult for someone to find a weakness and the confidence to act. The mere presence of staff in public spaces is a deterrent.
Assume a good Social Engineer can get on-campus with an ID check, and plan accordingly. The core group defending against social engineering would most likely be the security team, operations team, and technology team. They should work together to plan scenarios and action plans. School leadership needs to make certain that those teams are focusing on those individuals who have enough skills to get through the external layer of security.
Making assumptions that the camera system, front gate ID check, etc., will somehow prevent access, is going to create a false sense of security. Good social engineering requires imagination and creative thinking. Good defense will require the same.
Work with parents to test your security and access. Parents want what is best for the school and their children. Parents also have come from a variety of backgrounds. They are a trusted group that will be honest and help measure improvements.
Educate yourself first, and seek outside advice second. There is a massive amount of information about social engineering. It is worth educating a core group of people on security topics so they can inform practice and direct consultants. Remember, consultants will only be useful until they leave. Build your team, and give them the time they need to learn. Much of what people need to know is free; time is the only factor.
I hope this post stirs the pot and creates some discussion on school campuses. I am placing some resources below, including some very informative and entertaining videos on the subject of social engineering and physical penetration testing.
I am happy to do a live debate on this subject or webinar for anyone interested. Please email me at firstname.lastname@example.org
Tony and Patrick have got law questions. This means that we had to go out and get a real, honest-to-God lawyer in the form of Keith Wurzbacher. Listen to a (mostly) serious conversation regarding schools, email addresses and much more. As always be sure to subscribe to us on Apple Music or with your favorite podcasting app.
World Series Predictions?
Should or can schools give email to people who do not work (or have worked) or are associated with the school?
Not too long ago, Google announced a bunch of really handy short URLs that will let you create new types of files. I wrote about it here. For a quick refresher, here they are:
docs.new = New Google Doc
sheets.new = New Google Sheets
slides.new = New Google Slides
Now there is one more to add and if you read the title, this will be no surprise. If you type cal.new, it will create a new calendar event. It is super handy.
Of course you must be logged into a Google account for this to work. So, if you don’t use Google or your school uses Office 365 or some other system then you can forget you ever read this post.
For me this is a big convenience. Most of my calendar events are appointments or meetings with other people. When you create a new event the old-fashioned way, by actually going to the calendar and clicking on the day you want an event, here is what you get.
I want more options than what is there. I just do. I like to add notes, link to other Google Docs that are necessary for the meeting or maybe just a joke to lighten the mood (my meetings can be unnecessarily serious).