Stasi-Style Crap Continues (Lower Merion Schools)
The Market Ticker - Commentary on The Capital Markets

2010-02-22 15:09 by Karl Denninger
in Education

It just never ends... from their "announcements":

Our goal is to be as open as possible, while preserving student privacy, and ensure that over time we have answered to your satisfaction every question about this situation and the broader issue of technology and privacy. 

I would hope that such a "goal" would then not include promulgating any lies about what you have done to date, or what you intend to do in the future.  Nor would there be any "weasel clauses" in your statement.

Let's see how well you're doing.

Despite some reports to the contrary, be assured that the security-tracking software has been completely disabled.

It has?  So you have caused it to be uninstalled on each laptop?  How and when was this done?  Please be specific, or I will assume you are lying, for the reasons I set forth in my previous Ticker.

But the point remains - it is not possible for the school to "scan" for missing computers - that is, it can't "ask the Internet to turn on the camera in machine #2323."

That is technologically impossible.

So what the school has loaded on these machines - what it has to have loaded on these machines - is in fact much more nefarious than is being disclosed.

These systems have to have software on them that "phones home" and checks in on a regular basis with some fixed IP address (belonging to the school.)  This function then gives the school the "at that instant" IP address where the machine is located.  Once the student's computer has "phoned in" the school system can then tell it to do various things - for example, capture the keyboard, turn on the web cam and take a picture, or even load and run an arbitrary piece of software (say, to look for a given file or transmit the contents of a file to the school's site.)

Again, it is not possible for the software to be "completely disabled" unless it was uninstalled and/or prevented from running entirely from each machine on which it is present.  A person with a packet sniffer can trivially determine if you're telling the truth in this regard, by the way.  One such open source program is called "Wireshark" and I would urge the technologically-savvy parents and students in the LMSD area to download and install said program on a machine on their home networks, then look to see whether or not there are "odd" packets emitted when the school notebook is connected.

Why do I doubt this statement?  Because if it was indeed de-installed then it would have to be re-installed to become operational again.  Both operations would be rather noticeable. 

It is more likely that the school district has simply turned off the "intercept machine" at their headquarters.  This, however, does not prevent the laptop software from operating, nor does it "completely disable" it.  It simply makes the intended "check-in" point inaccessible - a decision that can be literally reversed in seconds, no matter where the laptop(s) in question might be.
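
The check suggested above, as an added example that is not part of the original article: given connection times exported from a capture of the laptop's outbound traffic, flag any destination contacted at near-constant intervals, which is what a periodic check-in looks like on the wire. The record format, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (seconds since capture start, destination IP, port) for
# outbound connections seen from the laptop. Addresses are RFC 5737
# documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    (12, "192.0.2.10", 443), (913, "192.0.2.10", 443),
    (1811, "192.0.2.10", 443), (2714, "192.0.2.10", 443),
    (3612, "192.0.2.10", 443), (4513, "192.0.2.10", 443),
    (30, "198.51.100.7", 80), (31, "198.51.100.7", 80),
    (33, "198.51.100.7", 80), (400, "198.51.100.7", 80),
    (2000, "198.51.100.7", 80), (2001, "198.51.100.7", 80),
    (5, "203.0.113.5", 53), (700, "203.0.113.5", 53),
]


def find_beacons(flows, min_contacts=5, max_jitter=0.1):
    """Return [((dst, port), mean_interval_seconds)] for timer-like traffic.

    A check-in agent contacts one fixed address on a timer, so the gaps
    between its connections are nearly equal. Browsing is bursty, so its
    gaps vary widely. Jitter is measured as stdev(gaps) / mean(gaps).
    """
    times = defaultdict(list)
    for ts, dst, port in flows:
        times[(dst, port)].append(ts)
    hits = []
    for dest, stamps in times.items():
        if len(stamps) < min_contacts:
            continue  # too few contacts to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((dest, round(avg)))
    return sorted(hits)


if __name__ == "__main__":
    for (dst, port), interval in find_beacons(SAMPLE_FLOWS):
        print(f"{dst}:{port} contacted about every {interval} s")
```

A hit is a lead, not proof: update checks and time synchronization also run on timers, so the next step is to find out who owns the address. An agent whose server has merely been switched off still shows up in a capture, as repeated connection attempts that get no answer.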

Now let's look at the results of said "security program."

4. How many thefts have there been? How many times was the system used? What have been the results in terms of recovery of computers?

  • During the 2009-10 school year, 42 laptops were reported lost, stolen or missing and the tracking software was activated by the technology department in each instance. A total of 18 laptops were found or recovered. This number (18) is an updated number given the information we have compiled today.

5. What was the total cost of implementation of the laptop program?

  • The approximate cost of each laptop is $1,000 and during the two years of the program, there were 2,620 laptops purchased.

So the district recovered 18 $1,000 laptops.  If we presume that the depreciated value of each machine at the time of theft was about 70% of its new purchase price (probably a reasonable guess, given how fast computers depreciate in real value and their expected service life) the district "saved" $12,600 through this program.

A common "commercial" product made for this purpose has an "educational" site license available for about $10/machine.  That is, the district purchased 2,620 laptops and spent $26,200 on the security software (this, by the way, is one of the least-expensive Macintosh options for said software) for a return of $12,600 on an investment of $26,200.

Only in government would one spend $26,200 to "recover" $12,600, without providing full and fair notice to the parents and students that such was installed (since providing said notice might promote some sort of deterrent effect against a "bad guy" stealing said laptop.)

Why does this Superintendent still have a job?

6. How was funding obtained for the laptop program?

  • Laptops were purchased using a combination of district funds and Classrooms for the Future grants.

Tickerguy's translation into English: "We spent your tax money, and in point of fact wasted about $13,000 on a strict cost-benefit basis for the so-called "security software", ignoring the privacy issues (and the legal fees that doing this is now generating), of course."

I'm quite certain that $13,000 will be a tiny fraction of those legal fees.  Don't you feel good, parents and taxpayers in this district, about how fantastic a job the district does in shepherding your hard-earned money extracted from you in the form of property taxes?

8. In the future, will students be required to use district issued laptops?

  • The district believes students received significant benefit from the one-to-one laptop program and has no intention of discontinuing the program.

Notice that, in direct contrast to the claim in the first sentence about being as open as possible, the answer is a non-response.  The question was quite direct - the "answer" was not responsive to the question.  In other words, the district is lying.  Again.

10. Can parents return currently issued laptops to the district at this time?

  • They can, but we note that the laptops are an integral component of the educational program in the district. The security feature has been deactivated and there is no reason to be concerned about the use of the laptop on campus or at home.

Is this a statement that should a parent refuse to have such a device in their home or carried by their student that they cannot complete the required coursework at the school?

If so there is a further issue related to these devices, in that the school has already proven itself untrustworthy through its previous actions.  That has nothing to do with the activation of cameras per se - it has to do with the fact that the district did not notify parents that it had installed spyware on the machines and give them the opportunity to opt out of any such spyware or use of said machine.

Indeed, the above "response" strongly implies that such an option still does not exist for parents who simply refuse to allow anything that the school "owns" and yet can record material in any form into their home.

It gets better, of course.  Macs, along with PCs, have a feature called "remote desktop."  This allows an "authorized user" to connect to the machine and display the user's screen and see exactly what they're doing and such a connection can be entirely invisible to the user being connected to.  Now normally this would only work on a local network (such as in a classroom) - unless the IT department had set up the machines to attempt to connect via VPN back to the school.  In that case a teacher (or administrator) could connect to the machine irrespective of where it is and literally do and see anything that the local user can, plus whatever additional privileges they may have.  It is not clear whether this capability is enabled on these machines, but it is reasonably safe to assume it is inside the school's network.  Do we know that this capability was not enabled for machines beyond the school's boundaries? 

LMSD, and indeed any school, does not have a right to compel a student to take beyond the boundaries of their facilities any device which can record any material, whether it be in audio or video format, and return it to the school where the contents thereof become STATE PROPERTY.  The school also has no right to establish the ability of a teacher or administrator to spy on the person carrying it in places where they have a reasonable expectation of privacy - such as in their bedroom.

That LMSD refuses to recognize and address this is the primary issue.

4. Do you anticipate reactivating the tracking-security feature?

  • Not without express written notification to all students and families.

Notice that nowhere in the above answer is what all students and parents should require: and without the ability for any individual parent to opt out of said "feature." 

If such "opting out" means the student will not be issued a laptop, then said student must be able to successfully complete their course of study without it.  In addition, parents should be free to provide their own laptops on which they retain full administrative control, without delegating any of those rights to the school.  I see nothing in the above so-called "questions and answers" section that makes clear that the district does or intends to offer such.

There are various reports on The Internet of threatened disciplinary actions aimed at students who have brought their own laptop hardware onto campus, so this question may be answered (assuming they're telling the truth.)

Again, the issue here is the issuance of a device that the school has specified and ordered with equipment that can and does record either or both visual and audio materials beyond the boundaries of the school's facilities which then, by default, become the property of the school either immediately or as soon as that device returns to the school's grounds.  Such a device is inherently violative of the student's and parent's rights and it is alleged in the lawsuit such a violation did in fact occur.

It is not legal for me to "bug" your premises via surreptitious means. The so-called "acceptable use policies" for school-district owned computers and similar devices are suitable for on-campus use of said devices in a classroom where no expectation of privacy exists, but there's a serious problem that immediately arises as soon as a student is compelled, through either compulsory or effectively-compulsory issue, to carry a device that is intended to be taken beyond the school's physical boundaries.

Irrespective of the merits (or lack thereof) of the lawsuit filed, this is the primary issue at hand and one that LMSD, and all school districts in The United States, must be compelled to address - by the parents and students if LMSD and other schools will comply peacefully with what is a clear delineation of the rights of both parents and students to be secure in their homes and personal effects as delineated by the 4th Amendment to The Constitution, or by force of law through lawsuits and criminal prosecution if not.

The legitimate discovery of the location of stolen (or "missing") laptops is trivially handled by a very simple application that sends ONE PACKET to a central district machine when a computer owned by the district is connected to the Internet.  That packet contains the MAC address for each media interface in the box and nothing more.  MAC addresses must be unique on a given LAN (or havoc will ensue) and as such they are as close to a unique serial number as can be relied upon.  They are not "visible" beyond the LAN the machine is connected to, thus the requirement for a tiny application to send them.  The prefix (first three hex digits) of the MAC address identifies the vendor and is published (warning, this is a large file!)  The rest are vendor-determined and must be unique.  As such the MAC address is a serial number for a given network card.  While in some cases this can be temporarily changed by the user, doing so requires administrative privilege and is temporary (it disappears when the machine is turned off, as the permanent MAC address is stored in read-only memory on a chip.)  The recipient device of such a packet thus obtains the MAC address and the "externally-visible" (Internet) IP number from which it was sent.

If a given MAC address (all of which the district has from their purchase as the machine went through their hands) is reported lost or stolen the software is configured to alarm (e.g. via text message, at an IT department desk, etc) if that MAC address "phones in" along with the IP number where it came from. 

All other "phone in" notices - those from machines NOT lost or stolen - are intentionally and immediately discarded, and NOT stored in any form or fashion.

If I have a MAC address identifying a stolen or lost computer and an IP address I can have the cops at your door in less than an hour to recover said machine.

This is what should be on said district machines for "theft deterrence" and the fact that it is there, and that all non-stolen machine records will not be recorded or stored in any form or fashion should be clearly delineated by the district and disseminated as policy.
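
A sketch of the minimal check-in scheme described above, added here as an example and not the district's or any vendor's code: the client sends only its interface MAC addresses, and the receiver returns an alert for a machine on the stolen list and keeps nothing otherwise. The function names, the comma-separated wire format and the sample addresses (documentation ranges) are assumptions.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(text):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    mac = text.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None


def build_checkin(interface_macs):
    """Client side: the one packet body, a MAC per interface and nothing else."""
    macs = [normalize_mac(m) for m in interface_macs]
    return ",".join(m for m in macs if m).encode("ascii")


def handle_checkin(payload, source_ip, stolen_macs):
    """Server side: return an alert for a stolen machine, else None.

    Nothing is logged or stored for machines that are not on the list;
    their packet is discarded by returning None.
    """
    if len(payload) > 256:  # bound the size of Internet-facing input
        return None
    try:
        fields = payload.decode("ascii").split(",")
    except UnicodeDecodeError:
        return None
    seen = {normalize_mac(f) for f in fields} - {None}
    hits = sorted(seen & stolen_macs)
    if not hits:
        return None
    return {"macs": hits, "source_ip": source_ip}


# Constructed sample data: MACs from the RFC 7042 documentation range,
# source IP from an RFC 5737 documentation range.
STOLEN = {"00:00:5e:00:53:2a"}

if __name__ == "__main__":
    packet = build_checkin(["00-00-5E-00-53-2A", "00:00:5e:00:53:01"])
    print(handle_checkin(packet, "203.0.113.44", STOLEN))
    print(handle_checkin(build_checkin(["00:00:5e:00:53:02"]), "203.0.113.9", STOLEN))
```

The packet is unauthenticated, so an alert means only that a listed MAC address was reported from that IP address.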

Anything more, including "remote desktop" capability and "tracking software" that takes photographs or activates the machine's microphone,  is a violation of both the student's and parent's 4th Amendment rights and must not be allowed to stand, either at LMSD or anywhere else. 

It appears that this little dustup has led to more than a few people looking at this from a forensics point of view, and it also appears that the software involved may have been designed to attempt to evade such detection.  (By the way, good luck if the agency wanting in is the FBI with that one.)

A bit-level copy of the disk from one of these machines (before LMSD can tamper with the evidence, of course) would immediately reveal the truth.  It's not that hard to do if you know how and have a Mac, Linux or FreeBSD machine lying around that you happen to have administrative access to (one command and a lot of free disk space is all it takes to image that sucker) but I suspect they'd know you did it (probably via a sticker that would be torn if you opened it to do so - the "old-fashioned" way of detecting tampering.)

If LMSD is serious about the rights of the students and parents in their district this is exactly what they will do, right here and now, today, without any weasel words, ifs, ands or buts.

If not, then any and all administrators and district officials anywhere in the US who have gone further than this must be identified, removed from their positions, and held to both civil and criminal account for their actions.

That's the beginning and end of the discussion.

A call to Doug Young at Lower Merion School District to attempt to clarify the issues in this article, along with whether the school in fact has the laptops configured for VPN service, was returned but Mr. Young was unable to respond to a detailed list of questions before press time.