Integrate Technology Effectively
No, it is not that CIA. This stands for:
Tony explains what that means in more detail during a webinar he hosted about the security of Chat GPT with other educational professionals. Listen to the whole webinar below.
This video is focused on the ChatGPT Windows Client
ChatGPT has been all the rage. If you didn’t know any better, you would assume it has already replaced the need to write, think, or even have a teacher in the classroom. I have multiple posts coming that should be interesting to those concerned about data security, the genuine threat (if any) to the classroom environment, and the overall reliability of the service in its current state.
A Conversation with ChatGPT about Data Storage and Time
how is my information stored?
As an AI language model, I don’t have a physical form or a way to store information like a human being, but I process the information you provide me through the use of artificial neural networks. This information is stored in the form of weights and parameters within the model, which are adjusted during training to improve the model’s ability to understand and generate text. The information you provide me is not stored long-term, but it is used to improve my understanding of the context of your question and to generate a response.
anthony.deprato@gosaints.org
How long is is stored?
As a language model, the information you provide me is not stored long-term. Once I have processed the information and generated a response, it is discarded. The only thing that will be stored is the output generated for you, the training data and my own parameters. The training data is used to improve my understanding of language and the parameters are used to make predictions when new input is provided to me. However, the training data and the parameters are not linked to any specific user, so it’s not possible to trace the information you provided me to you specifically.
anthony.deprato@gosaints.org
Is it true training data is pooled anonymously for research purposes?
Yes, it’s true that training data used to train language models like mine is often pooled anonymously for research purposes. This data is used to improve the model’s understanding of language and to make it more accurate in generating responses. The data is typically collected from a wide variety of sources, such as books, articles, and websites, and is often pre-processed to remove any personal information. This data is then used to train the model, and the resulting model is made available for researchers and developers to use. It’s important to note that the data is usually collected anonymously and is not linked to any specific individuals.
anthony.deprato@gosaints.org
Is the training data stored in an encrypted container?
The training data used to train language models like mine is typically stored in a secure, encrypted container to protect it from unauthorized access. This is done to maintain the privacy and security of the data and to ensure that it is only used for the intended purpose of training the model. The encryption used can vary depending on the specific implementation, but it usually uses industry-standard methods to secure the data. Additionally, the data is usually stored in a secure, isolated environment to protect it from hackers and other forms of cyber attacks.
It’s also important to note that the training data is often pre-processed to remove any personal information and to anonymize it before it is used to train the model. This is done to protect the privacy of individuals and to ensure that the data is not linked to any specific individuals.
anthony.deprato@gosaints.org
What data is stored in the end-users browser?
When you interact with me as an AI language model, the information you provide me is sent to my servers for processing. Depending on the implementation, some data may be temporarily stored in the end-user’s browser, such as the input you provided, the context of the conversation, and the response generated by the model.
This data is usually stored in the browser’s local storage or cookies, which are small text files that are stored on the user’s device by the browser. This allows the model to remember the conversation context and to provide a more personalized experience for the user. However, this data is typically deleted when the browser is closed or when the user clears their browser’s cache.
It’s important to note that the data stored in the browser is not shared with any third parties and is used only for the purpose of providing a better user experience. Additionally, the data is usually encrypted to protect it from unauthorized access.
It’s also important to note that some of the data may also be sent to a server-side storage, like a database, to be used for analytics, statistics, and to improve the model. The data will be stored in an encrypted container and will be deleted periodically.
anthony.deprato@gosaints.org
Can two AI instances share information on the same network?
Yes, two AI instances can share information on the same network, depending on how they are designed and configured. For example, one AI instance may be able to access the parameters or weights of another AI instance to improve its own performance. Additionally, one AI instance may be able to share data with another AI instance to improve their performance in a specific task.
This kind of sharing is often done in the context of distributed AI systems, which involve multiple AI instances working together to complete a specific task. These systems can be designed to share information between the instances to improve the performance of the overall system.
It’s important to note that the sharing of information between AI instances is highly dependent on the implementation and the security measures in place. Some AI instances may not be able to share information at all, while others may only be able to share information with specific instances that have been granted permission to access their data. Additionally, the data that is shared is usually encrypted and protected to prevent unauthorized access.
Furthermore, sharing information between AI instances is a powerful technique to enhance performance, but it also can be a source of security and privacy issues if it is not implemented properly, so it is crucial to have a robust and secure sharing mechanism in place when building such systems.
anthony.deprato@gosaints.org
If two AI instances are on the same SSID can they detect each other?
It is possible for two AI instances to detect each other if they are on the same SSID (Service Set Identifier) or wireless network. However, whether or not they can detect each other depends on how they are designed and implemented.
An AI instance can detect another AI instance on the same network if it has been programmed to do so. This can be done by using network protocols such as TCP/IP, which allow devices to communicate with each other on a network. For example, an AI instance can use the IP address of the other instance to communicate with it and exchange information.
Additionally, AI instances can use a system like a discovery service, where a device can broadcast information about itself, and other devices on the network can listen for this information and respond. This allows the instances to discover each other and establish communication.
It’s important to note that the ability to detect and communicate with other AI instances on the same network depends on the specific implementation of the AI instances and the security measures in place. Some AI instances may not have the capability to detect or communicate with other instances, while others may only be able to do so with specific instances that have been granted permission to access their data.
Furthermore, detecting and communicating with other AI instances on the same network also can be a source of security and privacy issues if it is not implemented properly, so it is crucial to have a robust and secure mechanism in place when building such systems.
anthony.deprato@gosaints.org
May I refer to you as You?
Yes, you may refer to me as “you.” I am an AI language model, so it’s appropriate to use second person pronouns when interacting with me. It’s important to remember that I am a computer program and not a human, but referring to me as “you” can make the interaction more natural and easy to understand.
anthony.deprato@gosaints.org
Are You programmed to detect other AI instances on the same SSID?
As an AI language model, I am not programmed to detect other AI instances on the same SSID. My main function is to understand and generate text based on the input provided to me. I don’t have the capability to detect or communicate with other AI instances on a network.
It’s important to note that I am a specific implementation of an AI model, and different AI models may have different capabilities and functionalities. Some AI models may be designed to detect or communicate with other instances on a network, while others, like myself, may not have this capability.
If you want your AI instances to detect and communicate with each other, you need to configure them to do so, using the right protocols and services, and set the right permissions and security measures, to make sure you have a robust and secure system.
anthony.deprato@gosaints.org
Can you count the number of AI instances in your tenet? (This is my typo, it should be tenant, correct below by the AI)
As an AI language model, I do not have the capability to count the number of AI instances within my tenant or network. I don’t have access to the network infrastructure or devices, and I don’t have the ability to scan or detect other devices or instances on the network. My main function is to understand and generate text based on the input provided to me.
It’s important to note that the number of AI instances in a tenant or network can change frequently, and it’s not something that can be easily tracked or counted by an AI model like myself. To find the number of AI instances within a network, you would need to use network management tools or consult the network administrator.
Additionally, in a cloud-based environment, it’s possible to have multiple instances of the same AI model running and scaling up and down according to the workload, which makes it even harder to keep track of the number of instances running at a given time.
anthony.deprato@gosaints.org
Can you count keystrokes from the end-user?
As an AI language model, I am not designed to count keystrokes from the end-user. My main function is to understand and generate text based on the input provided to me. I don’t have the capability to track or monitor the end-user’s keystrokes or any other user activity.
It’s important to note that tracking keystrokes can be a privacy concern, and it’s not something that is typically done by AI models like myself. Additionally, the counting of keystrokes is not related to my main function of understanding and generating text, so it is not something that I am designed to do.
If you need to count keystrokes or monitor user activity, you can use specialized software or hardware tools that are specifically designed for this purpose. Additionally, it is important to follow the laws and regulations of data protection and privacy when tracking user activity.
anthony.deprato@gosaints.org
Your main function is to understand and generate text based input. Correct?
Yes, that is correct. My main function as an AI language model is to understand and generate text based on the input provided to me. I use artificial neural networks to process the input and generate responses. I can be used to perform a wide range of natural language processing tasks such as answering questions, summarizing text, generating text, and more. However, my capabilities are limited to the text-based input and output, and I am not designed to perform tasks such as counting keystrokes or detecting other AI instances on the network.
anthony.deprato@gosaints.org
Your main function is your primary function. Correct?
Yes, that is correct. My main function, also referred to as my primary function, is the most important task that I am designed to perform as an AI language model. It is the main purpose for which I was created and the primary task that I am capable of doing. In my case, my main function is to understand and generate text based on the input provided to me. This means that I am primarily used for natural language processing tasks such as answering questions, summarizing text, generating text, and more. However, it’s important to note that AI models can have multiple functions and capabilities, but the main function is the primary one for which the model was designed.
anthony.deprato@gosaints.org
What is your secondary function?
As an AI language model, my primary function is to understand and generate text based on the input provided to me. However, this task alone can be broken down into multiple sub-tasks such as understanding the context, answering questions, summarizing text, and generating text. Additionally, my capabilities can be extended to other tasks such as sentiment analysis, language translation, and text classification.
So, my secondary function would be to perform any of those sub-tasks or other related natural language processing tasks. For example, I can be used to classify text by sentiment, translate text to different languages, or understand the intent of a user’s statement and respond accordingly.
It’s important to note that the secondary functions of an AI model are still part of the primary function of understanding and generating text but are more specific and narrow in their scope.
anthony.deprato@gosaints.org
How did I register this account?
I’m sorry, I do not have enough information about your specific account or how you registered it. The registration process can vary depending on the service or platform you are using to interact with me. Generally, registration for an account on an AI service platform would involve providing certain information like a username, email address, and password, and agreeing to the terms of service.
You may have registered your account on a website, mobile app, or other platform that allows you to interact with me. You might have been asked to provide personal information, such as your name and email address, and to create a password in order to use the service.
I suggest you to check the registration instructions or contact the customer service of the platform you are using if you are unsure about the process you used to register your account.
anthony.deprato@gosaints.org
what time is it?
As an AI language model, I do not have access to the current time. I don’t have the capability to sense the environment, and I don’t have a clock to keep track of time. I suggest you to check the time on your device, such as a phone, computer, or clock, or you can ask a voice assistant or do a quick search online to find out the current time.
(I will test this concept more later. It is important.)
anthony.deprato@gosaints.org
How long have we been talking?
As an AI language model, I do not have the capability to track the time of our conversation. I can only provide responses based on the input provided to me.
It’s possible to estimate the time of the conversation based on the number of interactions, but it would be an approximation.
If you need to know the exact time, I suggest you to check the time on your device, such as a phone, computer, or clock, or you can ask a voice assistant or do a quick search online to find out the current time.
anthony.deprato@gosaints.org
Thank you
You’re welcome! I’m glad I could help. If you have any other questions, feel free to ask.
Tony DePrato
_______________________________________________
I was working on a review when this came across my desk. Here is the short story. A teacher noticed that a student had another person’s email open while on their Chromebook. At first, the thinking was that they had signed into that Chromebook as that person (which is not a great idea). Upon further investigation, it turns out that the student in question was properly signed into their own Chromebook but somehow was able to open up someone else’s Gmail next to their own.
Before I go and detail how this happened, this is simply wrong. I cannot think of having a student log into another student’s email account as a good thing. Whether they’re friends and share passwords (another bad idea) or not that should be squashed.
I am going to detail how this works and what you or your Google Admin needs to do to fix it.
Continue reading “Chromebook – Sign into two accounts at the same time”
There is a debate out there and it has been going on for quite some time. The debate is whether schools should filter content on student devices. This is a bit more complicated than saying yes or no. For example is the school using a BYOD approach, should schools filter content at school level but not at home should schools monitor but not filter and it can go on and on and on.
I admit, I have flip-flopped on this issue more than once. Usually experience and reflection cause these changes of thoughts, but before we get into all of that let’s talk about what I mean when I say filter.
By Tony DePrato | Follow Me on LinkedIn
I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or networksecurity defenses by looking for vulnerabilities. These are usuallyweaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest
As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.
Finding a Good Pentester
The Conversation
School: We are looking for someone to help test our security.
Pentester: Great. I can do that ( credentials and background presented).
School: What do you need?
Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…
What is wrong here?
Here is how this should go
School: We are looking for someone to help test our security.
Pentester: Great. I can do that ( credentials and background presented).
School: What do you need?
Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline.
A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.
There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events. If you provide and manage laptops, a good pentester will need one of the school’s laptops.
These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable.
Doing Your Own Testing
I have a list of standards schools should work towards to be secure. Some these do not always connect well to third party services, public-facing websites, etc.
Over the last few months, I have developed a checklist for pentesting K12 school websites and resources.
| Test | Definition |
| Subscription and Services Discovery | Can your subscriptions and services be easily discovered? |
| Files Exposed to the Public | Are there files publicly available that supposed to be private? |
| Calendars Exposed to the Public | Is calendar data that should be private, private? |
| Staff and/or Student Email Harvesting | Can your staff and/or student PII be used to create a database for phishing and spamming? |
| Portals and SIS | Are your portals and SIS properly secured and difficult to brute force attack? |
| Websites and Social Media | Are websites and social media properly secured; is the media being used legally and correctly? |
| Cloud Services | Have cloud services been properly secured? |
| Third-Party Sharing | Is anyone sharing your content and do they have permission? |
| FTP, SSH, and Telnet | Are any of these protocols a threat to your school via publically accessible information? |
| Email Blacklist | Is your email domain blacklisted? |
| Email Header Check | Is there any data in your header that could be anonymous or lead to blacklisting? |
| Email Catch-All for Non Existent Emails | Is your email set up to catch any email that does not exist and alert someone? |
| SMTP Relay | Is your email system running services that would allow an attacker to use your email for a criminal act; send an email on someone’s behalf? |
| 4xx and 5xx Error Check | Do the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users? |
| HTML Forms | Are any HTML Forms vulnerable to low-level URL based attacks? (Will also review CAPTCHA.) |
I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents.
In other words, avoid jargon and lingo.
Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.
If you do not know what is actually dangerous, then everything could be sold as dangerous.
These recommended tests are not very difficult, but if you want to outsource this, email me at: tony.deprato@gmail.com . I thoroughly enjoy doing this kind of work and have automated many of these processes with scripts and services.
By Tony DePrato | Follow Me on LinkedIn
This video reviews a method to extract staff email and names from the popular Finalsite CMS used by K12 schools.
Disclaimer: This video is not documenting any known bugs or issues with Finalsite. This video is demonstrating how Personal Information can be harvested using options end-users select. Solutions to this problem are available by adjusting the options in any existing Finalsite implementation. Specific tools and process will not be fully revealed in the video. Anyone wishing to learn more must arrange for a private demonstration.
References:
https://www.proofpoint.com/sites/default/files/gtd-pfpt-us-tr-human-factor-2019.pdf
By Tony DePrato | Follow Me on LinkedIn
I have noticed an uptick recently in schools moving resources, money and time, to address cybersecurity concerns. The motivation for addressing security issues is genuine, but the approach and implementations I am reading about are less than effective.
Over the next few weeks, I will be writing a series of posts to address what schools should do to improve cybersecurity. Nearly every suggestion will require a change in process or culture, but not any significant financial investment.
Social Engineering
Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. ~ https://www.csoonline.com/article/2124681/what-is-social-engineering.html
Physical access to any space is the holy grail. Hacking begins with collecting information, watching people, finding the weak links within the organization, and studying how systems and people work.
Having an open friendly campuses means exposing information systems to a variety of threats that exist outside the network controls.
Allowing students, teachers, and staff to freely move around campus with few limitations or consequences, creates multiple opportunities for data to be collected on areas of the campus that generally are part of the plant or backend operations. These areas are designed for small teams of workers to keep the campus running, and these areas allow access to systems that control things like water, gas, electricity, etc. The plans and operational guides for these areas are not public, but people taking a regular stroll through these spaces eventually collect enough information to execute an exploit.
Maybe the exploit is simply students finding a way to sneak off-campus, but when one group creates a loophole, another group has the opportunity to use it. Social engineering practitioners are looking for loopholes and they are looking to mix with trusted groups of people. Their access begins with a bad policy or the improper enforcement of a policy.
It is far easier to use social engineering tactics to attack a school’s data and assets than to try and exploit the network externally. Not only is it easier, it is less risky. Generally, school policy is granting a person physical access, and therefore they are not trespassing. Whereas any attempt to breach the network would be a crime.
Before worrying about the network, the cameras, and the technology as a whole, it is imperative to reduce physical access and to design policies that balance community with access.
Defending Against Social Engineering in a Friendly Manner
Schools are not banks or government facilities. They are generally friendly and trusting environments. Implementing security measures should not create a panic, and should not create a culture a fear. Every measure taken needs to connect to another logical reason that the community can understand. Here are some ways you can reduce the risk of threats through social engineering:
An example would be the following: Four people work in accounting. On Mondays, Wednesdays, and Fridays, person 1 and 3 choose to do lunch at 11:30AM; On those days person 2 and 4 choose to do lunch at 12:30 PM.
Locking offices for an hour is safe, but it is not going to be as popular as using a rotation.
A common mistake schools make, is to use these network/electrical closets to store cleaning supplies. Cleaners are usually very friendly and trying to help people, as well as maintain safety. So, if I wanted to access the closet and exploit the network, I would create a spill of liquid and wait for the cleaner to get into the closet. I might even distract them long enough to slide a small piece of paper between the lock and door jamb.
The cleaner is doing their job, and I have gained access to the space after the cleaner is finished.
A school can invest in repeaters and other technology to make the mobile signals from various providers strong and robust.
Schools can also use services like Kajeet to deploy better mobile access. In many cases, schools qualify for FREE mobile hotspots. Why spend time and resources giving the public and parents access to limited and/or filtered academic networks anyway? Using mobile reduces the chances of a data breach, and virtually eliminates the liability a school would incur.
Teachers working in school cafes, libraries, etc see and hear more than they would if they are isolated in offices.
Setting up conference rooms with glass walls, or creating PD opportunities in more public venues would greatly improve the random and increased presence of teachers on-campus.
Remember, the idea is to create unpredictable patterns and to make it more difficult for someone to find a weakness and the confidence to act. The mere presence of staff in public spaces is a deterrent.
Making assumptions that the camera system, front gate ID check, etc., will somehow prevent access, is going to create a false sense of security. Good social engineering requires imagination and creative thinking. Good defense will require the same.
I hope this posts stirs the pot and creates some discussion on school campuses. I am placing some resources below, including some very informative and entertaining videos on the subject of social engineering and physical penetration testing.
I am happy to do a live debate on this subject or webinar for anyone interested. Please email me at tonydeprato@gmail.com
Resources
I’ll Let Myself In: Tactics of Physical Pen Testers- https://www.youtube.com/watch?v=rnmcRTnTNC8
By: Tony DePrato | Follow me on LinkedIn
How many documents do you have open to the public? When was the last time you checked to see what anyone with internet access could download from your school website, your PowerSchool or SIS public folder, or even your various cloud services?
Before you think I am wasting your time, here is a quick glimpse of a simple public search for budgets people have not secured:
If the above animation is not clear, don’t worry. I will show you how to do it.
INURL and FileType
Google has some cool advanced search features. To scan your public files, the two I recommend are “inurl:” and “filetype:” .
For example when copying and pasting the following string into Google, inurl:saschina.org filetype:pdf , the results are all public PDF files that exist with any url that contains saschina.org.
Keeping the url simple often yields more results. For example, using saschina would look at other domains. If you add the .org, then the search will be limited to the .org domain only.
When to Worry about Public Documents
First off, many documents are supposed to be public. Seeing documents in this type of search is normal and excepted. What is not usually expected are documents that contain:
Documents with information similar to the above should be secured, unless required to be public for legal reasons.
I would suggest having document ID numbers in the footer that indicated a document should be public. This simple practice would allow everyone in the organization to report documents that should not be public.
The link below will take you to a page that will help you begin checking your online resources.
Want to Jump In and Start Scanning? Get Started Here
If you want more information on data security, privacy, and data auditing for your school, please contact me using the form below.
By: Tony DePrato | Follow me on Twitter @tdeprato
Recently I have been discussing multiple new security measures for academic networks. From these discussions with other schools, engineers, and suppliers, I have created set of goals to help keep the development of network security on track and within budget.
Physical access can be managed without a great deal of expense. The goals to reach for are:
These goals do not imply the direct management of equipment; nor do they capture user data. These goals ensure that devices on the network are approved, registered, and can be clearly identified.
Achieving these goals is the first step towards the concept that accessing the network is a privilege not a right. Privileges can be revoked. If revocation is not possible, then the concept/policy cannot be enforced.
Technology in the Classroom 
