PurpleCar

If you haven’t heard of all this mess yet today, let me sum up:

Harriton High School, one of the richest high schools in the country, has been named in a lawsuit for using webcam-activation software on school-issued laptops to spy on a student. It’s come to light that all 2,000+ laptops issued (for which the students paid insurance) had been set up with remote-activation webcam software. This means that the school district could turn on the webcam in any laptop at any time. It did so in the case of Blake Robbins and used evidence obtained from the laptop in Robbins’ possession to bring about disciplinary action against Robbins. Robbins parents are now suing the district, seeking class-action status.

Here are some articles on the subject:
Ars Technica
New York Times
Philly Inquirer

One of only three International Baccalaureate Diploma Programs in the Delaware Valley (i.e. western Philadelphia suburbs); student/teacher ratio of 16:1; extensive AP programs) and honors course offerings; 94 percent of graduates attend four-year college; two-time recipient of Department of Education Blue Ribbon School of Excellence Award. The school district of Lower Merion township, in Montgomery County, PA, has an annual budget of $175.2 million. The school district serves mostly privileged upper middle class and upper class kids.

Here are a few of my questions, as a former systems admin:
How efficient is this webcam tracking system? If a real criminal stole the laptop, he or she would have the harddrive wiped clean before attempted resale, so the webcam- remote activation software would be wiped with the rest of the files on the drive. Basically, this software was installed with the intent not to catch hardened non-student criminals. It was installed to catch fellow students stealing other students’ laptops. Intentionally spying on minors without guardian consent is in violation of the wire tapping act. Plus, I’ve met a few of these students before and I’ve seen the laptops. They informed me they had to pay insurance on them. Why track them if there is money to replace them? Doesn’t this kind of action put students at risk of retaliation and violence? Just let the laptop go and replace it! This kind of spying also opens up the school district for lawsuits, obviously. It will definitely be a landmark case, however it plays out.

Did Blake Robbins, the student against whom evidence gathered from the webcam, steal the particular laptop? Did the webcam get activated upon request of the victim of theft? Harritons’ website is suggesting this in their statement.

Did the school district ever inform parents of the possibility of remote-activation of webcams? Did each student and parent give informed, signed consent for this potential action? (Everything I read says NO. A clear Terms of Service would have helped the school district in this situation).

This smacks of amateur administration to me. When I worked as a systems administrator, the Fortune 500 I worked for issued laptops to the sales force. The support staff could access the laptop remotely, but only with the user there to click through the permission screens. As soon as the user rebooted the machine, the permissions would have to be granted to the support staff again. Also, we had very, very clear policies of appropriate use of the laptop and software, including email. As an administrator, I could go into anyone’s email. Absolutely any email account in the entire company. Did I? No, of course not. Having the keys to the kingdom also means having the knowledge of the policies (Plus, who has time? I’m not interested in your emails to your mom. My team was busy enough trying to keep the manufacturing lines up and the grid healthy).

I actually got into a bit of hot water once, when a very high-ranking manager came to me, asking for access to his employees accounts. A “bad email” (i.e. racist jokes) was being sent around to his whole manufacturing site. He called me and asked me to track the emails. Together (him remotely) we paged through some email accounts.

I was too inexperienced to have the wherewithal to tell the supervisor to contact my supervisor or my boss’s boss who was equal in rank. I told my boss what happened and I was on the verge of being disciplined. They took mercy on me, because I was new. Eventually I’d come to say “No” constantly to all sorts of high-ranking CEOs in the company, but it was a lesson hard learned.

My point in telling you this story: it’s the tech administrator’s job to know what opens up the company to potential lawsuits. The installation of this webcam software without a very clear Terms of Service and informed consent was just plain stupid. If you are a techie at all, you know about the wire tapping act. You also know that the law doesn’t much care about who “owns” the camera. Your job is to know how to design the infrastructure to protect the company.

I must hold out hope for humanity by imagining that a lowly techie at Harriton High School knew the score, probably spoke up, and the non-technical department heads ignored the warnings. (I can’t tell you how many times that happened to me, telling my boss or others about a weakness in the infrastructure, me being ignored, then a few days later watch it all crash down. After a while, you just don’t even get angry anymore. You just do as you’re told and go home at the end of the day.) It’s hard for me to think that there was not one person in all of the sickeningly-well-funded Harriton school district’s employ that didn’t have 1 clue about the potential mess remote-activation of camera software would bring, no matter what circumstance. I can’t stand to think they’d ALL be that stupid.

And yet, here we are.

Let me know what you think in the comments.
-Christine Cavalier, PurpleCar

The pdf of the actual lawsuit:
robbins17

UPDATE: Feb 19, 2010: The Associated Press reports that the FBI is now looking into criminal charges against the district. The webcams were activated 42 times in the last 14 months supposedly in search of stolen or missing laptops. article here. Also, this video says that Apple released a statement about a bug in the intel-based macbooks that caused the webcam recording light to come on even though the camera wasn’t recording. NBC10 has a bit more to say, including the name of the assistant principal involved. The main question: if only 2 tech admins had access to turn on the webcams, how did the assistant principal get access? (Probably she strong-armed a tech into giving it to her, or she stood over the shoulder of the tech and watched while she/he carried out her commands, much like the email scanning situation I was in that I mentioned above).

CNN has more, citing quotes from Doug Young, the school district’s spokesman:

“Doug Young, a spokesman for the Lower Merion School District, said the district would only remotely access a laptop if it were reported to be lost, stolen or missing.

Young said if there were such a report, the district first would have to request access from its technology and security department and receive authorization. Then it would use the built-in security feature to take over the laptop and see whatever was in the webcam’s field of vision, potentially allowing it to track down the missing computer.

Young said parents and students were not explicitly told about this built-in security feature.

To receive the laptop, the family had to sign an “acceptable-use” agreement. To take the laptop home, the family also would have to buy insurance for the computer.

In an “acceptable-use” agreement, the families are made aware of the school’s ability to “monitor” the hardware, he said, but it stops short of explicitly explaining the security feature. He termed that a mistake.

Young added that mistakes might be made when combining technology and education in a cutting-edge way.”

Wow is this district in hot water or what? There are some lost careers here for sure. Unfortunately, the poor lowly techs – who should’ve known better and should’ve refused – will face criminal charges most likely, when this all comes out. Ultimately, they are the ones who broke the wiretapping laws. Take heed, fellow admins: know your limits.

And Mr. Young’s last statement is ludicrous. Oh sure, “mistakes might be made.” Yes, mistakes might be made when combining technology and dressing rooms too. Or combining alcohol or cars. How about combining idiots with security design?

Flippantly saying “oh, you know, we’re trying, and it’s all new to us” trivializes the matter and further violates and betrays the students and families in the district. It really is no excuse. He’s trying to garner public sympathy by playing on the same old fears of any new media and technology.

The family speaks: ABC6 News Apparently, Blake Robbins was “dealing” Mike & Ikes (mute your speakers before you click that link, jeez!). In the news video, listen to what the father says about worrying about his daughter being photographed when exiting the shower, then see Forrest’s comment below. This case will come down to child porn, especially if the feds are involved.

UPDATE: Feb 22, 2010: Evidence that the admins were stupid, and the administration should listen to its student leaders: http://www.philly.com/inquirer/home_top_stories/20100222_Laptop_camera_snapped_away_in_one_classroom.html The computing staff lauds the security system in this article, and there’s a link to a webcast about it. The systems administrator goes on and on about how great the camera shots are, without any sense of the law or the possible implications of using this feature with minors. Wow. Just, wow.

UPDATE: Feb. 24th 2010: More he said she said. http://www.philly.com/inquirer/breaking/news_breaking/20100224_L__Merion_spying_case_figure__I_did_not_snoop_on_kids.html

This techrepublic blog has a great round-up of tech articles about the software, LanRev, and some other similar apps, as well as commentary about the implications. http://blogs.techrepublic.com.com/itdojo/?p=1559

UPDATE: April 20, 2010 The school district releases the fact that they’ve collected over 56,000 images from the laptops. Over 2/3rds of that number, about 38,500 came from 6 stolen laptops over a 6 month period where the district worked with police and eventually charged the perpetrator with theft. No word on where those laptops were, though, and what the pictures contain. The other 17,500 images are of other students, and the district admits not all uses of the cameras were justified. Why am I not surprised? I’m sure there will be missing images… admins aren’t so stupid as to keep the kiddie porn ones on the district’s servers. http://www.philly.com/philly/news/breaking/20100419_Lower_Merion_details_Web_cam_scope.html

UPDATE: May 12, 2010: The family changes their lawsuit from a class action filing to a personal filing, so other families can individually sue the school district. This is bad news for the school district, I think. We’ll see how it plays out. http://www.philly.com/philly/news/breaking/20100512_Spy-cam_suit_family_drops_plan_for_class-action_status.html

GOOGLE EARTH IS FREE. Do not pay for any service that claims you need to subscribe!

Why am I telling you this?

Because I just received this email at my YAHOO account (not my Google account, which was Hint #1):

_________

I clicked through, not especially paying attention to the warning signs (not from google.com or anything resembling Google, hard sell, generic services, etc.). I clicked through until I got to the page that asked for money. That’s when I woke up. I tried to close the page and lo and behold, the 30% off offer of $58.97 for a 3 year subscription suddenly has a pop-down window that changes the offer to 50% off! Spam, spam, spam. And they almost got my money. I was thinking, well, that’s super cheap, only 7 bucks (US) a year for google earth?

Seriously, don’t check email when you’re tired.

While there is a pro version of Google Earth (for industry people, not you or me), this scam tries to imply that the entire product is PAY, which is not, the most common Google Earth is free. Don’t pay for services unless you really know what you and your company are doing.

Let your friends know about this scam, ASAP.

Stay safe, people, and hang on to your money!

-Christine Cavalier, PurpleCar

Phishing is the practice of trying to trick people into revealing their passwords. Email is the usual medium. The emails are designed by experts and are made to look like they are being sent from a valid service or application.

At first glance, it’s hard to tell what’s real and what isn’t. In reality, it’s easy to discern real emails from phishing spam. A little education about how systems administration works and about how we fall into the trap of misguided beliefs on privacy and ownership is all you need to avoid phishing scams. You’ll never be fooled by these “Please reset your password” emails again.

HOW ACCOUNTS WORK: FACEBOOK DINNER PARTY

Facebook owns this candlestick

Here’s a little story that sort of explains computing and user accounts work.

Let’s say that the powerful and organized Facebook Family owns a house in your neighborhood. They have lots and lots of well-planned dinner parties. You don’t know them very well, but you are going to one of their parties.

The night has come, and it’s time to go to the party. You walk up to the door and knock, and the Facebook Family lets you into the house. You sit down to a nice dinner; the silverware and place settings are beautiful and the food is scrumptious. The conversation flows. Everyone has a great time. Then the night is over, and your hosts walk you to the door, then they close the door and lock it as you leave.

Now, let me ask you a few questions:
At the beginning of the night, would you have to bring keys to the Facebook house in order to get into the party? No, that would be silly. Facebook House is owned by Facebook, naturally.

When it is time to enter the Facebook House, do you have to open the door yourself? No, you’d knock on the door. Facebook owns the house and the door, so they will open the door from the inside of the house.

When dinner is over, do you take the silverware or the plates? No. You wouldn’t even be able to if you tried.

When you leave, do you tell the Facebook Family to leave, too? No. It’s their house. They stay, you go.

We all know how this basic social situation works. It isn’t too different with online services.

If a service like Facebook, MySpace, American Express, etc. runs into some sort of technical problem, they will never ask you to reset your passwords. For Facebook to ask you to reset your password is like the Facebook Family asking you for keys to the Facebook House. They’d never need to ask because they OWN THE SERVICE; they have the “keys to the kingdom.” They will reset your password from the inside if you knock on the door and ask them to. But only if you knock and ask nicely. If you have forgotten your password, then YOU can click a button and they will send your authorized email account a reset link (remember which email account you use for each service). This is how it is supposed to work. It’s like you knocking on Facebook’s door and Facebook inviting you in to the their house. That is not Facebook wandering the streets looking for you, a stranger to them, hoping you have keys to their house. It just wouldn’t happen. Facebook never gets locked out of their own house. Ever.

The service owner (which, sadly, isn’t you) can reset any password they like. In fact, they can do WHATever they want WHENever they want. It’s their house; They can serve you whatever dinner they choose. They can read your emails, they can post using your ID, they can change any information on your account that they want. Do they fool around with user accounts? No (who has the time?!). But they’ll NEVER need your help with account administration. Ever.

So, knowing that all services have access to all aspects of their service, ask yourself why they would need you to reset your password. They wouldn’t. Phishing emails prey on the innocent who don’t know better.

HOW OWNERSHIP WORKS: THEY GOT IT, YOU DON’T

You don't own these! (photo by Peter Rice)

Western culture’s views on privacy and ownership help phishing scams work. We all think that we own our accounts. We don’t. Let me repeat: We do not own our accounts.

Don’t believe that your account is your own. It isn’t. It’s Facebook’s. You don’t own the dining room chair that you sit in at the Facebook House dinner party. You don’t own the food they serve you, or the forks or knives or napkins. You have no claim to anything within the Facebook House. You can come to dinner, enjoy yourself, and go home, but you can’t take your plate home with you, because it isn’t yours.

This was the hardest thing to drill into people’s heads when I was an systems admin for a Fortune 500: The company can control, look at, search, read, take over, claim and otherwise wreak whatever havoc they desire on your email account. The company owns it; you do not. Our inherent ideas of privacy and ownership run deep, and the fact that you don’t own your email, Facebook, or any other online account is hard to swallow for most people. But it’s the truth. No legislation is ever going to change this fact. Accept it now. I’ll give you a moment for this to sink in.

…

OK. Ready? Now that you’ve accepted the hard truth, you’ll be safer in the long run. Why? Because you will recognize phishing attempts for what they are: well-designed tricks meant to prey on your deep-set cultural notions of privacy and ownership. If you realize that services don’t need your help in administering accounts because you, in fact, don’t own the account (the service does), you will be less likely to fall for the onslaught of phishing emails coming down the pike. You’ll realize that the email must be a fake attempt by scammers who aren’t the owner of the service (because if they WERE the owner, they’d wait for you to knock on the door before they opened it).

——-

Below is the example of phishing I received today. I knew it was fake because:
1. Facebook doesn’t need my help in changing my password.
2. I didn’t ask Facebook to change my password.
3. The email was sent to the wrong email address. I use a different one for Facebook.
4. It has a zip file attachment. No way should any password reset emails (even the ones I initiate by asking the service to reset my password) should have an attachment. Only a link.
5. It’s super generic. It doesn’t address me by name, not first and last, not any. Just “Dear Facebook user.”
6. If a service contains it’s own messaging system, the service will use that messaging system first. (i.e., Facebook would just send an in-Facebook email for any announcements, etc.).

Here’s the email:

From: password@facebook.com (Facebook Security)
Subject: Facebook Password Reset Confirmation! Customer Message.
Date: February 8, 2010 10:05:38 AM EST
To: christine@purplecar.net

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.
(attached file: Facebook_password_37413.zip ZIP archive 36.7 KB)

——

WHAT TO DO IF YOU’VE FALLEN FOR A PHISHING EMAIL:

1. Try to reset those passwords that you gave up immediately. Go to the service (e.g. Facebook) right away and click on the password reset button.

2. Change the password on your email.

3. Change the password on your financial accounts, if it was the same password (hopefully NOT!)

4. Consider requesting a credit report if your passwords to your accounts were the same, or if you suspect that the scammers have gotten a hold of your financial or other important private information.

5. Contact the customer service departments of all of the accounts that have the same password that you gave up to the phishing attempt.

6. Stay alert and wait to see if anything odd happens in your account over the next several weeks.

Stay safe, everyone!

Please put your rants in the comments. 🙂

-Christine Cavalier, PurpleCar
Christine@purplecar.net

Data, Media, Rice, Water. Emerging language and winds of change.

Language changes. It grows. It adapts. Nouns are turned into verbs (e.g. “friend”), words take on many meanings (e.g. “peer”) and subject/verb agreement transforms. Scholars know that the phrase “correct English” is a misnomer at best, a downright falsehood at worst. Languages are living things that grow and change.

We are on the cusp of one of those changes now. It truly could go either way. For a language geek, it’s an exciting event to watch. How will the now-ubiquitous words “data” and “media” be treated? Will the educational system catch up and drill the original usage of “data” and “media” as being plural nouns that require a plural 3rd person verb agreement? Or will colloquial usage overwhelm the textbooks and the subject will be simple, single and quick?

Let’s go over some details.

Datum is a single piece of data. Data are more than one datum.
Medium is a single type of media. Media are all the mediums lumped together.

The subject/verb agreement with these words traditionally went like this:

The datum is written on a piece of paper.
The data are enclosed in the report.

The medium was radio.
The media were newspapers.

(Or, in the case of journalists as a group of people: “The media report a storm coming up the coast.”)

Usage of “data” has morphed into the singular subject/verb agreement for many colloquial speakers (that means “regular people speakers and not specialized people like academics, scientists, etc.) “Data” and “Media” are being treated as mass nouns, like rice (e.g. “The rice is in the cooker”) or water (e.g. “This water is cold!”). Now we are seeing usage like “The data doesn’t support your claim.” and “The media isn’t welcome in the courtroom.”

We are seeing the singular subject/verb agreement usage more with the word “data” and with the word “media.” I don’t think most people would have “medium” on the tip of their tongue if they were asked to name the singular of media, but journalists have been drilling us with their self-referential phrase forever. So we know what “media” is supposed to sound like in a sentence, for the most part (If “data” usage changes, then I think “media” won’t be far behind. But we’ll leave “media” be for now).

“Data” is another problem entirely. I’ve been intimately aware of the usage rules around the word “data” for my entire adult life. When I was 18, I started at the University of Pittsburgh in a Psychology major, and I was quickly treated to a grammar lesson I didn’t soon forget. After years of psychology and biophysics research, then on to business research, I knew the expected plural subject/plural verb conjugation for the word “data.”

But here we are at the crossroads, where seemingly everyone else besides the hardcore researchers use “data” as a mass noun. Sure, the Twitterati will do their best to knock you back into their supposed knowledge and comfort zone as soon as they see a wayward “data is” or “data was.” But they aren’t looking at the big picture. Let’s think for a moment about data. This is a perfect example of why language changes. A cultural change happens, then language reflects that change. (I am now going to start using “data” as a mass noun. That means I will be using it in the singular, so those of you who are grammar-feint-of-heart, I suggest you stop reading now. But I do wish you would just hold your breath for a second and hear me out.)

Data is everywhere. It is coming at us from all sides. We have many convenient ways to get data. We have to make an effort to avoid data. We are data junkies. All of us. But in the end, we see data as a separate entity from ourselves. It is something we consume, like water. We choose to step up to it like we walk to the ocean’s very edge. We make the choice to dip our toes into it, or run away. We have our favorite ways of getting data, just like we have our favorite shoreline beaches. But we see it as a huge mass, almost one big entity of which we take small parts. We make distinctions on its bits. The grains of rice are in the container, but my rice is already cooked. No drops of water are on the window but water is leaking in everywhere. Bits of data are scattered around the internet but my data is on my blog. Wikipedia defines as mass noun as such:

“In linguistics, a mass noun (also uncountable noun or non-count noun) is a common noun that presents entities as an unbounded mass.”

An unbounded mass. Think about that. Think about all the info on the internet. Doesn’t it feel like “an unbounded mass” to you?

(ok grammarians, you can let out that breath. wasn’t too bad, was it?)

See what I mean? Which way will this go? Will data be accepted as a mass noun in the general culture? Or will everyday speakers be exposed to the word in its plural form so much that the phrase “the data are everywhere” sounds right to them?

Let me know what you think in the comments. Your data is/are important to me.

–Christine Cavalier, PurpleCar

UPDATE: Here is the paragraph on usage of the word “data” from Merriam-Websters:

“usage Data leads a life of its own quite independent ofdatum, of which it was originally the plural. It occurs in two constructions: as a plural noun (like earnings), taking a plural verb and plural modifiers (as these, many, a few) but not cardinal numbers, and serving as a referent for plural pronouns (as they, them); and as an abstract mass noun (like information), taking a singular verb and singular modifiers (as this, much, little), and being referred to by a singular pronoun (it). Both constructions are standard. The plural construction is more common in print, evidently because the house style of several publishers mandates it.”