PA SCHOOL SPYCAM CASE: COMPUTERS RIGGED TO SPY; PROTOCOL IGNORED
Seems folks who are very knowledgeable about computers had the same reaction as I did to the Lower Merion School District’s “explanation” of using webcams only to recover lost or stolen school-issued computers: I don’t believe you.
I can’t urge you strongly enough to read and follow a quite thorough investigation of the technology involved located at Stryde Hax: The Spy at Harriton High.
(A follow-up post is called “Network Fingerprint for LANRev Trojan.”)
Since you may still not visit that blog, I will attempt to summarize its contents here. Please be advised it contains technological jargon with which I am incredibly unfamiliar…again, another reason to view the original blog entry in its entirety.
And yet again, I implore you to share this information with all parents, regardless of where their children go to school or how they are educated. I know, I know; it isn’t happening in your child’s school. But while this appears to be an isolated incident, I don’t for one moment believe that others aren’t taking advantage of the technology. Couple it with just a bit of that “we know what’s best for you” attitude sweeping through government employees today like the plague and said technology is employed to…help educate your children? Crucial lines have been crossed here, and it’s up to parents to start drawing some lines of their own in response – or to tell the system it will just have to get along without your children.
The Lower Merion School District (LMSD) lists Mike Perbix as one of its three Network Techs. “Mr Perbix has a large online web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD…Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon.”
I looked up “panopticon” as it has not been part of my vocabulary until today.
According to Wikipedia: The Panopticon is a type of prison building designed by English philosopher and social theorist Jeremy Bentham in 1785. The concept of the design is to allow an observer to observe (-opticon) all (pan-) prisoners without the prisoners being able to tell whether they are being watched, thereby conveying what one architect has called the “sentiment of an invisible omniscience.”
Bentham himself described the Panopticon as “a new mode of obtaining power of mind over mind, in a quantity hitherto without example.”
Mr. Perbix created a massive, highly effective digital mode of obtaining power of mind over mind.
Wikipedia also offers this:
While the design did not come to fruition during Bentham’s time, it has been seen as an important development. For instance, the design was invoked by Michel Foucault (in Discipline and Punish) as metaphor for modern “disciplinary” societies and their pervasive inclination to observe and normalise. Foucault proposes that not only prisons but all hierarchical structures like the army, the school, the hospital and the factory have evolved through history to resemble Bentham’s Panopticon.
To observe and normalise, like the hierarchical structure of school.
(Many people homeschool their children because of this stark similarity between school and prison.)
Mr. Perbix appears in a promotional webcast for LANRev, identifies himself as a high school network tech, “and then speaks at length about using the track-and-monitor features of LANRev to take surreptitious remote pictures through a high school laptop webcam. A note of particular pride is evident in his voice when he talks about finding a way outside of LANRev to enable ‘curtain mode,’ a special remote administration mode that makes remote control of a laptop invisible to the victim.”
Now it starts to get more technical. About 37 minutes into the promo, Mr. Perbix discusses the Theft Tracking feature that lets a laptop silently send location information (via Internet address and DNS name) to the school’s server. “The beacon feature appears to have been one of the primary methods for remote spying, however, network footprints abound over the details and architecture of the remote administration effort.” In a blog post, Mr. Perbix “discusses methods for remotely resetting the firmware lockout used to prevent jailbreaking of student laptops. A jailbreak would have allowed students to monitor their own webcam to determine if administrators were truly taking a picture or if, as the school administration claimed, the blinking webcams were just ‘a glitch.’” (Emphasis here and elsewhere added.)
Former and fellow Harriton students are adding information to this horrifying picture. They have in many different arenas stated the school’s rules regarding the “free” laptops:
- Possession of a monitored Macbook was required for classes
- Possession of an unmonitored personal computer was forbidden and would be confiscated
- Disabling the camera was impossible
- Jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion.
The Stryde Hax blog writers then describe experimenting with LANRev. “Some of the things we found at first left us aghast as security pros: the spyware ‘client’ (they call it an agent) binds to the server permanently without using authentication or key distribution. Find an unbound agent on your network with Bonjour, click on it, you own it. The server software, with an externally facing Internet port…runs as root. I’m not kidding. For those unfamiliar with the principle of least privilege – this is an indicator of a highly unskilled design. Unfortunately, when we got down to basic forensics, LANRev appears to cover its tracks well…
“During our testing, we infected a laptop with LANRev, then closed the lid, hoping to activate the LANRev feature which takes a webcam picture when the computer wakes. As my colleague Aaron opened the lid of his Mac, the green webcam light flickered, ever so briefly. It wasn’t a glitch. It was a highly sophisticated remote spy in his system…”
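To make the “find an unbound agent on your network, click on it, you own it” observation concrete, here is an added toy model (not code from the original post, from Stryde Hax, or from LANRev, whose real protocol it does not reproduce). It contrasts an agent that accepts the first server to claim it with a hardened agent that only accepts a server proving knowledge of a per-device enrollment secret over an agent-chosen nonce; the server names and the secret are constructed values.

```python
"""Toy model of the agent/server binding flaw quoted above.

Hypothetical simplification, NOT LANRev's actual protocol: a freshly
imaged agent advertises itself on the LAN, and whichever host sends a
BIND first becomes its controller. The hardened variant requires the
server to prove it holds a per-device enrollment secret (provisioned
out of band, e.g. at imaging time) via an HMAC over the agent's nonce.
"""
import hashlib
import hmac
import os


class Agent:
    def __init__(self, enrollment_secret=None):
        self.secret = enrollment_secret      # None => unauthenticated binding
        self.controller = None
        self.nonce = os.urandom(16)          # fresh challenge for this bind attempt

    def handle_bind(self, server_name, proof=None):
        """Return True if the agent accepts `server_name` as its controller."""
        if self.controller is not None:
            return False                     # already bound; ignore further claims
        if self.secret is None:
            self.controller = server_name    # first-come, first-served: any LAN host wins
            return True
        expected = hmac.new(self.secret, self.nonce + server_name.encode(),
                            hashlib.sha256).digest()
        if proof is None or not hmac.compare_digest(expected, proof):
            return False                     # no proof, or proof under the wrong secret
        self.controller = server_name
        return True


def server_bind(agent, server_name, secret=None):
    """A server's BIND attempt; it can only compute a valid proof if it holds the secret."""
    proof = None
    if secret is not None:
        proof = hmac.new(secret, agent.nonce + server_name.encode(), hashlib.sha256).digest()
    return agent.handle_bind(server_name, proof)


def demo():
    rogue, legit = "rogue-laptop.local", "mdm.school.example"   # constructed names
    key = b"per-device-enrollment-secret"                        # constructed value
    r = {}
    unauth = Agent()
    r["unauth_rogue_binds"] = server_bind(unauth, rogue)         # True: anyone owns it
    r["unauth_owner"] = unauth.controller
    hard = Agent(key)
    r["auth_rogue_rejected"] = not server_bind(hard, rogue)            # no proof at all
    r["auth_guess_rejected"] = not server_bind(hard, rogue, b"wrong")  # wrong secret
    r["auth_legit_binds"] = server_bind(hard, legit, key)              # holder of the secret
    r["auth_owner"] = hard.controller
    return r
```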
The following is important if you happen to be a family affected by the spycams: The greatest threat to this investigation now is the possibility that the highly trained technical staff at LMSD could issue a LANRev script to wipe digital forensic evidence off all the laptops. This is why it is imperative for affected parents to have the hard drive removed from their children’s laptops and digitally imaged before the laptop is connected to a network.
And on another front of this case: A ComputerWorld.com post by Gregg Keizer, “Software maker blasts ‘vigilantism’ in Pa. school spying case; Absolute Software will update its LANRev to disable camera feature,” states, in part:
“To kick off the recovery of a stolen or lost laptop, customers first must file a police report — not a requirement of LANRev — and only then contact Absolute, which in turn tracks the location of the missing machine via its IP address when the system goes online. Absolute employs a team of former law enforcement professionals who reach out to local police, provide them with the location information and then get out of the way. ‘We take the responsibility out of the hand of the end user,’ said Midgley, ‘and do the work for them.’
“Absolute claims that it recovers about 75% of all laptops reported stolen.
“According to Lower Merion’s superintendent, the district has switched on the camera of a lost or stolen MacBook 42 times thus far this school year, and found 18, for a recovery rate of 43%…
“Any other approach to theft recovery is a waste of time and a potential minefield, said Midgley. ‘It just gets into potential vigilantism. Even if you are able to locate the laptop on your own, what do you do then?’ he asked. The idea that police would be able, or willing, to follow up on individuals’ reports that they had located their laptop is unsupportable. ‘Someone says, ‘I think my laptop is here,’ but that could just send the police on a wild goose chase…’
“Absolute’s Midgley declined to speculate about whether his company might be liable to legal action for LANRev’s part in the alleged spying on students, but put the responsibility solely on the school district.
‘The customer acted on their own to do what they did,’ he said.”
NOTE TO BLOG AND OTHER PUBLISHERS: While I realize this site contains a copyright notice, I give you full permission to distribute this post without need to get in touch with me for permission. Many thanks to the fellows at Stryde Hax who are being notified of these links to their posts liberally quoted so as to do justice to the important technical elements of this case. Thank you for any help you can provide in getting what just may be some of the most important news for parents, regarding schools, in their lifetimes into their hands.