Bookmarked Situating Student Hacking by Doug Levin (k12cybersecure.com)
When a student does cross the line, schools should consider long and hard whether the most appropriate response is to expel the student and criminalize that behavior versus viewing it as a unique teaching moment and a chance to shore up internal security practices. (Many organizations, in fact, pay good money for penetration testing services and/or offer bug bounties as part of their security compliance programs). Given the emphasis on STEM careers and the importance of computer science for the broader economy, it would seem that we’d want to embrace and channel the energies of those who show an interest and facility in computer operations…even when it may be in unanticipated ways.
Doug Levin reflects upon the state of hacking schools today. He provides a case study of a student from Michigan who, through his own curiosity, found various holes in his school’s structure, which he used to circumvent security and prank other classes. Although the easy option can be to make an example of such students, Levin argues that more proactive measures must be taken by districts in protecting data and security. For in the end, digital security is a leadership issue.

Penalties and disciplinary actions for students who violate acceptable use policies are established, but what of the consequences to school districts? At what point could district leadership be considered negligent? What obligation do schools have to be forthright with their communities about their digital security shortcomings? How might schools react differently to these incidents, in ways that are more proactive and even humane? These are hard questions, no doubt, but given the frequency of ‘students hacking their schools’ incidents, I believe it is time we more forthrightly address this complicated issue.

It is interesting to consider this alongside Mal Lee and Roger Broadie’s work on digital trust.

Bookmarked The Information on School Websites Is Not as Safe as You Think by E.K. Moore (nytimes.com)
Some tracking scripts may be harmless. But others are designed to recognize I.P. addresses and embed cookies that collect information prized by advertisers.
E.K. Moore discusses the presence of trackers on school websites. One of the interesting points was the impact of YouTube on all this:

Google’s DoubleClick ad trackers, for instance, are commonly found on school pages that host YouTube videos, like the Community Website Introduction video on a school site in Massapequa, on New York’s Long Island. The trackers tee up videos containing advertising on the school page, once its own video finishes playing.

I have reflected upon this topic elsewhere.

Liked Facial Recognition Technology Has No Place in Schools by Doug Levin (edtechstrategies.com)
Cory Doctorow’s novel, Little Brother, was intended as an act of science fiction, not a prediction. Other countries – like China and the UK – are already moving down the path of facial recognition in schools. In the U.S., we would do well to follow a different path.

Bookmarked Hacking the ISTE18 Smart Badge, Part II by Doug Levin (k12cybersecure.com)
There are three points about the risks of what ISTE deployed at their conference to know: (1) the ‘smart badge’ is a really effective locator beacon, transmitting signals that are trivial to intercept and read, (2) you can’t turn it off, and (3) most people I spoke to had no idea how it worked. (I freaked out more than a few people by telling them what their badge number was by reading it from my phone. Most of those incidents ended up with ‘smart badges’ being removed and destroyed.)
Doug Levin reflects on the introduction of ‘smart badges’ at ISTE. These were really just Bluetooth tracking devices that allowed vendors (and anyone, for that matter) to collect data on attendees. Levin hacked a badge to unpack their use. He explains that with little effort they could be used by anybody to track somebody:

Downloading a free mobile app, as I did, an attacker could easily track a specific badge and be notified when it goes out of or comes into range. With little technical skill, an attacker could use it to approach someone outside of the convention center (at a bar or restaurant or tourist attraction) and by employing social engineering techniques attempt to gain their trust. I myself was able to identify that there were over a dozen ISTE conference participants on my train platform on Wednesday morning bound for Chicago O’Hare. When one ISTE participant entered my train car at a later stop, that was trivial to identify. While there were no other ISTE participants on my flight back to the DC area, I located two badges in the baggage claim area (likely packed in someone’s luggage or carry-on).

Audrey Watters suggests that “ISTE has helped here to normalize surveillance as part of the ed-tech experience.” She suggests that it is only a matter of time before this results in abuse. Mike Crowley wonders why, in a post-GDPR world, attendees are not asked for consent. If this is the future, then maybe Levin’s ‘must-have’ guide will be an important read for everyone.

Liked Always Read the Terms by Doug Levin (edtechstrategies.com)
Amidst all the conversations about the importance of imparting information literacy and ‘digital citizenship’ skills to students, isn’t it time that we help them turn a more critical eye to the intellectual property and privacy provisions of commercial terms of service?