Back in the day...
... we called this ``social engineering''.
A devious mother posed as another parent in an attempt to remove a rival child's name from a school waiting list. The woman created a fraudulent Gmail account to fool school authorities at the "outstanding" Coleridge primary school in Crouch End, London. Using this fake account and quoting the name and correct date of birth of …
... we called this ``social engineering''.
By a domestic engineer no doubt.
Britain needs a Public Key Infrastructure to enable email to be useful for trusted communications.
If Estonia can do it, why can't we?
"Britain needs a Public Key Infrastructure to enable email to be useful for trusted communications."
Sounds a good idea.
"If Estonia can do it, why can't we?"
IIRC Estonia has a population of about 2million with very limited original infrastructure to either make compatible or replace with new stuff.
A more critical question would be weather it *depends* on having an ID card system.Given how much trouble has been gone to *dump* the attempt to install the massively invasive UK ID card system, and its highly intrusive NIR database.
"Britain needs a Public Key Infrastructure to enable email to be useful for trusted communications."
No, nobody needs an overarching specific (and broken) technology rolled out to "prevent" people from being stupid. Think about it.
Suppose there is a PKI rolled out with signing key chains right up to the Queen. And rules mandating They Must Be Used. And the inevitable enrolling stations and ID rules and steep fees and whatnot else. Just look at verisign's price list to see what that would run to. Then what?
Then the enterprising social engineering mum would have setup a free email account and emailed just the same, perhaps with a fake signature, followed by an apologetic phone call that the signature would be coming through Real Soon Now and please expedite anyway, please? Most desk jockeys would easily cave in for a bit of whimpering or bullying or what-have-you.
The problem you're trying to solve is one of trust, and seeing the state of PKI, or PGP, or whatever else there is, technology alone can't do it. In fact we don't even know how to express "trust" meaningfully in these applications. Same with various "trusted by" and "certified" logos. It's all mostly snake oil and where it isn't snake oil it's easily circumvented. If not technologically circumvented, then by simple social engineering expedient. Guess what happened in the first place? Oh that's right, social engineering.
Don't believe me? Here's an academic paper that explains how pgp doesn't work:
Once you're read that, consider that PKI is something like an order of magnitude harder to use. Just the documentation for openssl is notorious for absence and incoherency. More reading material:
Once you've read that, do you still think that *PKI* is a good idea? Well, go ahead and enter politics. You'll be a good fit.
Not to say that all crypto or all certification is useless. Certainly not. But the attitude to "just slap a certificate on" isn't doing any good, in fact it's doing exactly the reverse. Much like, oh, blizzard just tried with their RealID, how mcse usually means "minesweeper consultant and solitaire expert", how gov.uk tried with their ID cards and databases, or how Puerto Rico now finds itself forced to replace all birth certificates due to rampant theft and abuse, because you need it for *everything* and *everybody* keeps a copy, often badly secured.
Let's face it, trust is hard. Knowing who to trust, but more importantly who and when not to trust, is hard. We don't even fully understand how it works, so all attempts to codify that into software, with or without crypto, have failed miserably. This proposal would be yet another blind slap-on, making it snake oil, and ultimately doing more harm than good.
It would be much, much better for the desk jockey that received the email to recognize that the email was from a free account and probably from an address they hadn't seen before. Recognizing that, the same person would find the associated phone number *in their files* and ring the impersonated mum back. "You sure you want us to drop your kid off our list? Just checking ma'am."
There, problem solved. And instead of the multimegabillions the government would need to roll out PKI with the help of some outsized big corporation, incurring lots of hassle to distribute the certificates, teaching people how to sign emails, and ultimately coming down to some email client generating warnings in pop-up messages that people will just click trough, all this solution cost was a single phone call.
Estonia is probably the most technologically advanced country in the EU, e.g. wifi monitoring of everyone with cardiac problems (5 years ago) - easily done as they had over 400 free wifi hotspots for those 2 million people.
"The problem you're trying to solve is one of trust, and seeing the state of PKI, or PGP, or whatever else there is, technology alone can't do it. In fact we don't even know how to express "trust" meaningfully in these applications."
What? This shows that you don't know anything about PKI.
A central authority is not strictly necessary as proved by the many people who have been holding key exchange parties for years. And if done properly, is very secure.
"Not to say that all crypto or all certification is useless. Certainly not. But the attitude to "just slap a certificate on" isn't doing any good, in fact it's doing exactly the reverse."
On the contrary, had authentication been in use when the parent first contacted the school, then the impostor would have been revealed. This is a perfect example of why cryptographic authentication is a good thing.
"And instead of the multimegabillions the government would need to roll out PKI with the help of some outsized big corporation, incurring lots of hassle to distribute the certificates, teaching people how to sign emails, and ultimately coming down to some email client generating warnings in pop-up messages that people will just click trough, all this solution cost was a single phone call."
True, there is a cost for upgrading stuff, however it need not be government subsidized or controlled, in fact I know of no certificate authority which is. The main benefit the government could provide is an incentive to speed up the glacial pace of adoption. And nobody's talking about forcing people to use it for every email.
Additionally, people's data need not be centrally stored or administered for this system to work. We could, for instance, have generic security smart cards on sale at the convenience store and these would be accepted at various places such as one's bank, the school, library, ecommerce site, etc. Software could be used to manage the certs on these. Ideally these would be integrated into phones, email, www, possibly even the ATM, etc. This would all come together to prove you are the same person as yesterday. These technologies could largely be transparent to the user, they'd only get bothered when a signature fails, which means something's wrong anyways.
Note, a certificate authority is completely optional. This is still useful because it still proves that someone is the same person on the phone as they were at the school, or when they opened an customer account.
One last note, it wouldn't be necessary to use the same signature for each interaction. One could use as many signatures as needed.
Cryptography needs to be embraced to solve today's real problems. The technology is proven and already works, the biggest two hurdles are getting it adopted universally, and doing so in a way which people manage their own signatures rather than their governments.
Using a stufy of software that are at best 10 years out of date hardly promotes your cause. PKi will never be persuasive enough to fulfill its role in security or authenticity, and it will never be mandated and lets leave it at that.
In my experience you cannot expect a subordinate office person to perform anything more than routine tasks, so each institution must design routines simple enough for the personnel to follow. Crypto routines will easily become more complex than common sense based routines. That would be reason enough to avoid them.
"... many people who have been holding key exchange parties for years..."
I've been tried to get invited to a key exchange party for years :(
If this is correct, then Estonia shouldn't be a net recipient of EU funds and should be paying back some of the money they have already had. Maybe the UK could have some to improve some of the dire schools from which parents are desperate for their children to avoid.
The PKI infra in the Baltics is a result of a BIG cash injection there from Scandinavia in the 90-es. Britain does not happen to have a rich uncle with spare money (or the uncle does not seem to care).
In addition to that Estonia did not have some British institutions which will do anything to prevent anything new that may interfere with a supposedly secure communication which they claim to deliver. To be more specific - Royal mail and to a lesser extent BT.
And thirdly - the PKI in the Baltics is tied up to the national ID. Oops, did I just say a dirty word? Guess I did. Having a working national identity register and working physical IDs is a prereq for a digital ID I am afraid. C'est la vie.
I'm saying technology alone isn't enough, and then you say "you don't know anything", and "all hail technology". Uhm, you're still presuming technology can do I just asserted it can not, or at least not alone. Please show how technology is a sine qua non for trust and perhaps you'd care to explain how we possibly got by without digital signatures in aeons past? So is (yes, not you) asserting that the quoted studies are "out of date" because, well, nothing much has changed in the meantime not a good counter either. It does show that we haven't figured out how to improve on this sad state of affairs. Just "embracing" the technology because, well, if we all really believe it works then magic happens is similar in not being a compelling argument. That's astroturfing your pet technology.
You're so busy doing that, that you gloss over a bit of a conundrum that lies behind your assertion that "had authentication been in use when the parent first contacted the school, then the impostor would have been revealed", and then you continue to assert that central repositories and chains of trust and all that are optional. Yes, they are, and it's one reason why PKI is not a silver bullet: It is married to a hierarchical notion of where trust originates. But saying that doesn't explain how to establish authentication in the first place. How do you start? It's called "trusting trust" and our technology has no good answer to that, in fact not even a theory that puts the thing in perspective. To many a techie will conveniently gloss over this gaping black hole in our thinking and move on to write some more code... to do what, exactly?
The point, ultimately, is that you need to "trust" the communication as coming from whoever it says it's coming from. Cryptographic signatures could help establish that, but having a phone number on record and calling that for a double-check works pretty well too. However, signatures can be faked --I've repeatedly had to explain habitual email-pgp-signers that if a signature gives a signer but doesn't check out they can not afford to gloss over that fact--, and then what? Does the average clerk know what to do?
And that's the crux: It's ultimately the human that calls the shots. It must be this way, for a gazillion reasons and if you stop and think about it you should be able to think of a couple, seeing how you presume you know better than I do how PKI works. Do you know what "trust" is, and can you explain how to apply this in an office setting without resorting to jargon or even referring to information technology?
"Crypto routines will easily become more complex than common sense based routines. That would be reason enough to avoid them."
Today, people have to go out of their way to support crypto, and as long as that's the case then I agree with you, people won't do it. The benefits of converting individually are rather weak without wide scale adoption (a catch 22). However it doesn't have to be this way. In a parallel universe, everyone uses safe crypto, not because they installed the right software or had the know how, but because security is just built into the systems they already use.
"I've been tried to get invited to a key exchange party for years :("
Haha, if you're serious, try to find a local Linux Users Group, they'll often schedule things like this.
"the biggest two hurdles are getting it adopted universally, and doing so in a way which people manage their own signatures"
And there you have it, although I agree broadly with your arguments anyone that has had to work with your average user in a support role will tell you that the vast majority of the population are incapable or uninterested in using crypto properly,
"On the contrary, had authentication been in use when the parent first contacted the school, then the impostor would have been revealed. This is a perfect example of why cryptographic authentication is a good thing."
That's utter rubbish. If the woman could create a fake gmail account, and the person at the office didnt care / want to check if it was a legitimate, then how is any amount of PKI or even quantum cryptography going to make the tiniest bit of difference? If the administrator couldnt be bothered to check the validity of an email address, then why would they bother to check the validity of any key?
It's social engineering, pure and simple. forever unavoidable through technology alone...
...unless you're suggesting that *all* communication be compulsively locked down. which will never happen even in north korea.
Kinda like PKI/PGP but instead: we should bar-code everyone's foreheads, then we should implant a chip in the back of everyone's neck, force retina scans for every email, and a camera watching everyone all the time...
of course that will do nothing against simple "social engineering" but that's just the start, then we remove people's frontal lobes (or what ever part of the brain) so that they are incapable of independent thought, implant a GPS on every person, so that the school will get the physical address of the sender, then we fragment society into loads of different groups, call them "classes", or whatever, and then we should arbitrarily decide that one group deserves a place in a particular school, then if there aren't enough places, we just define some criteria like, i don't know blueness of eyes and then it's clear who's more deserving a place in that school. we can then force people into their respective schools as opposed to having waiting lists.
or we can just chill out and not worry too much about these things, and not let the tabloids get us into a frenzy because of one (or a few) crazy people.
AC: "It does show that we haven't figured out how to improve on this sad state of affairs. Just 'embracing' the technology because, well, if we all really believe it works then magic happens is similar in not being a compelling argument."
All the compelling arguments in the world will not necessarily sell crypto to the public, this much we can agree on. Yet this is an entirely different argument than saying that the crypto doesn't work, which I get the impression is also what you're claiming.
AC: "The point, ultimately, is that you need to 'trust' the communication as coming from whoever it says it's coming from"
Two people who meet each other (in a business context, client/contractors, at a bank, even on the street) can cryptographically ensure that future communications between them are secure without a third party certificate authority.
Let's take the bank example. When you open an account you could submit your e-signature, which you generated yourself. Now you can communicate with your bank securely. Note that there is no need to trust a central third party CA since the bank has already identified you to their satisfaction when you opened the account.
"That's utter rubbish. If the woman could create a fake gmail account, and the person at the office didnt care / want to check if it was a legitimate, then how is any amount of PKI or even quantum cryptography going to make the tiniest bit of difference?"
It's utter rubbish today because secure communications is not the norm, and neither the school nor the woman could expect the other to use secure protocols. My point was that cryptography does solve this problem, but only if it is widely used across all mediums of communication.
There is no intrinsic technical problem with the cryptography. The biggest impediment is the social mindset that it can't work, or it doesn't matter; the first is wrong, the later may end up being true.
Agreed. We don't need a government ID card or PKI system. I advocate PGP. Create your PGP key and then hand it in to the school when you register your child.
Social engineering will always be there so whatever used will be bypassed at some point, which negates the point of signed certs anyway. Maybe a degree of checking by everyone would be of use, but I fear that this will detract from seeking the lowest common denominator we prefer to use. (I wonder why I advocate PGP?)
"A more critical question would be weather it..." Did you mean whether, or has the sun affected you. In case anyone is confused about spelling the weather or whether, then simply remember that, like most wh words in English, [who being on of those exceptions] ]we are actually meant to pronounce the h. Its not silent.
more years than I want to count but well over 20.
I have on various occasions tried to play with encryption and each time got so pissed off with it gave up.
There is a lot of pressure now to encrypt disk drives, files sent by email, laptops amd memory sticks.
Big fail, do you know how many times a user can loose the peiece of paper they have written their passwords and keys on. Shouldn't do it but they do, they share them too, although it is a missconduct offence that can cost them their job.
Our insurance company insists on accessible files for 70+ years, so everything also has to be stored unencrypted as well, if we can get them to, so that they can be accessed in the future when everyone who knows the keys/passwords is dead and buried.
Again, here comes the lowest common denominator bit. 'People are stupid. Don't help them, just get them to press buttons until they are a little more stupid.' Perhaps PKI can help?
... could indeed agree to exchange public keys. And if they know what to do with it, more power to them. That's quite different from a national PKI rollout.
I understand that you're saying that the technology works... as technology. I could quibble with that, especially with PKI, but on the face of it, yes, it does seem to, well, do something. Whether it does what it must do and doesn't what it shouldn't is more than I can assess, nevermind joe random luser, which doesn't contribute to establishing the trust needed to use the system. But I digress.
What I was getting at is this: If technology does not manage to be useful to people, especially non-technical people (_Why Johhny can't encrypt_), then that's a very different but equally valid definition of "doesn't work". And there, PKI, PGP, and various other authentication systems clearly "do not work", even though some are being rolled out regardless. You don't even need crypto to create an unusable system, but I've so far seen precious few _usable_ systems that had crypto as a core premise. OTR comes close, maybe.
The social mindsets are part of it, yes. And that's indeed plural, because it's the social mindset of the people who create their fancy convoluted complex crypto-using systems that's creating a needlessly high barrier for the "users", people with a "don't bother me, it should Just Work" mindset. Though I'll grant that some user education will be necessairy, but to do that we first need something that's teachable, and what we have is not.
And that, in turn, points to a glaring deficit in not understanding how "trust" works and how to sensibly map it onto technology so that "users" can "use" it. As long as that's the case, it's much better to just expect people to pick up the phone and dial a number than to get them to try and use a cryptographic signature system, quite regardless of whatever technology sits behind it.
Different side, same coin. Could still be another strip in there. The point is that something like PKI requires (unwilling) user co-operation, the observation is that it's very easy to subvert with the same techniques that made the original attack feasible, and the complaint is that even with willing users you won't get co-operation because they're not able to fit the software that does it. So, it'd be serving technology all over again, instead of technology serving us. For no gain, at great cost. Boy, do our techfanbois have good ideas.
There's a group of people seriously in need of some hobbies!!!
"Haha, if you're serious, try to find a local Linux Users Group, they'll often schedule things like this."
Will they, now? Funny, I've been to Linux user group meetings and key exchange parties, but every key exchange party I've been to wasn't a Linux user group meeting, and every Linux user group meeting I've been to most CERTAINLY wasn't a key exchange party (thank God!).
"Whether it does what it must do and doesn't what it shouldn't is more than I can assess, nevermind joe random luser, which doesn't contribute to establishing the trust needed to use the system"
So you're saying that because you don't understand it, you cannot trust it?
I guess I follow the logic. But it's certainly not fair to go on implying that the crypto algorithms are untrustworthy. Person A may be entirely trustworthy, yet person B doesn't trust him. B's non-trust for A, despite being true, is no factual basis for claiming A's non-trustworthiness.
The best I argument I can offer someone to convince them that it's safe is: banks use it to protect their own transactions, and governments use it for protecting their own secret material. These institutions have security experts who do understand crypto working for them. Since they trust the crypto, so can you.
"And that, in turn, points to a glaring deficit in not understanding how 'trust' works and how to sensibly map it onto technology so that 'users' can 'use' it"
We're full circle again, you claim normal people cannot use crypto, and that it's inherently too complex for normal people. Let me counter that by example...
People use HTTPS for online shopping, is it a problem? No it's transparent.
People use crypto security cards in their cable boxes, is it a problem? No it just works.
People can use Skype crypto with no problem, why not their other phones?
Businesses use NT authentication for websites, fileshares, internet access, etc. Does this prevent users from doing their work? No, because it's built in.
What if gmail upgraded it's back end to a more secure SMTP protocol? It wouldn't affect how people use gmail.
I assert that during normal use cases, crypto does not impact the complexity of a service. The only additional complexity would be during setup, in which case people will seek help as they always do to setup the service.
Sure, there can be potential problems with any of these, but in normal use people can use crypto technology absolutely transparently. When there is a problem, they can, and should contact someone who knows something about fixing it.
"it's much better to just expect people to pick up the phone and dial a number than to get them to try and use a cryptographic signature system"
In my scenario (obviously not possible today), the school would be capable of verifying the woman's crypto signature over the phone, regardless of who placed the call. This might even occur automatically without user action so that both parties can verify the other before speaking - signature based caller id.
I stand behind my claims that technology 1) does solve these problems, and 2) is usable by normal people, assuming it's built-in and well integrated into regular use cases.
"I guess I follow the logic. But it's certainly not fair to go on implying that the crypto algorithms are untrustworthy."
I have two issues with that second sentence. First, I claimed that "rolling out PKI" as if it was a silver bullet would be a spectacularly bad idea. Second, it's not about the algorithms themselves, it's how we use them.
You're looking at it from a technological PoV. Don't. Look at it from the user's PoV. Do you know in detail how a lock works? Do you know what locks are safe? Well, most people have little idea about the former but can spot the reverse of the latter, which are unsafe, if it's obvious enough. Back to crypto tech: How would you explain to someone with no crypto background how good this particular algorithm is?
You really have to shake yourself loose from the tech outlook, at least for a little while, and look at the whole forest baffled like a luser. *Then* ask yourself, how can we improve this for our confused fellow?
"We're full circle again, you claim normal people cannot use crypto, and that it's inherently too complex for normal people."
No, I'm claiming we haven't figured out how to make it casually usable, that it's too much the techies domain and works on techie-centric premises, and unless and until we fix that, then yes it stays inherently too complex for non-cryptonerds. And since plenty techies can't seem to shake the techie-centric worldview...
People use HTTPS, but they have to rely on whether their browser bar turns yellow or green, and even if they'd religiously check it (who does?), it can be faked and subverted. Want a techie complaint? Most ssl certificates in use are misconfigured.
That doesn't even begin to touch on the problem that the trust anchors we're using for HTTPS aren't really trustable; the corporations selling the certificates only protect your custmers from the people they're not taking money from. That's an inherent, economically driven, non-techie, structural problem in the infrastructure we built to "make things safe".
Then there's practical problems like getting your CA distributed. The process to add them on any single computer seems designed to baffle mere users the most. Getting your CA submitted to central stores gets you a flood of requirements, all different. That's what makes CAs valuable, and ensures that bandits like verisign continue to make good money. Then there's little things like the fact that you can't readily remove CA certs from the windows CA store, it'll silently add them back in. Who do you trust? Whoever some corporation tells you to trust, that's what.
SMTP can be setup to use SSL to protect the content from eavesdroppers provided nobody stages a Man in the Middle attack, but to prevent MitM attacks you come back to the above CA problems.
So it seems to work, but are you sure? I'm not. And that is the crux with securing anything: Just the mere appearance of function doesn't make it correct or even safe.
Your other examples don't illustrate what you seem to think they do:
Cable crypto isn't there to protect the content, but to protect the revenue. That sets entirely different requirements.
Skype similarly protects the content but doesn't ensure that you're talking to whom you think you're talking to, which is what the problem was with the woman impersonating someone else. Normal phones, at least mobile phones, come with a similar crypto setup that's similarly broken, both in content protection and in clonability of SIM cards.
Authentication and authorisation can be done with crypto but they're different problems than preventing eavesdroppers to listen in.
Banks, well, they use a lot of crypto and crap and even through their legendary secrecy you can still see the signs on the wall that their systems are horribly broken. Nobody dares to blow the lid sky-high on that.
My technological complaint is not that shoving layers of crypto between what we do is impossible, but that it's hard to use properly, as in meaningfully, and actually doing what we expect it does. The tip of the iceberg is that the user interfaces are so bad no mere user know what to do or even gets what certainly not to do, which is what the _Why Johnny can't encrypt_ paper made painfully clear.
I'm also saying that you can't fix that purely through technology. You first have to understand what "trust" is, and if I look at the ideas the PGP people have about it and what the PKI people have about it, I think they're on crack. They're convenient to implement, somewhat, but clearly not engineered to be understandable and useful to end users.
I don't disagree that technology can help, but the current technology is clearly unhelpful. Eventually we can make "trust" technology usable to normal people, but to do that we have to stop thinking solely in terms of technology, and it'd help if we understood "trust" too.
"So it seems to work, but are you sure? I'm not. And that is the crux with securing anything"
I am experienced with the implementation of RSA, AES, DH, PKCS standards, rabin miller tests, etc. I could spell out in excruciating detail how the school could trust the mother, but I doubt you'd believe me anyways, so you'll just have to study the technology to convince yourself.
"but the current technology is clearly unhelpful"
I'd be more inclined to agree with "the current implementations are clearly unhelpful". The technology itself is already very mature. We just need to roll out implementations which are based upon concepts which people are already accustomed to, like my previous example of cryptographically secure caller-id. Even a child could use it without any training whatsoever.
Provisioning secure devices could be as simple as inserting one's security card like on cable boxes. Nothing "Johnny" can't figure out.
"[...] so you'll just have to study the technology to convince yourself."
Not the most compelling salespitch I ever heard. Yes, it's the standard techie answer, and it's also the one I just argued was absolutely the wrong one. In fact I explicitly asked earlier on for a non-techie explanation. I'm not surprised it's not forthcoming, because coming up with a good one is *hard*.
"The technology itself is already very mature."
As in, the cryptographic algorithms and so on. Yes, that part is reasonably well understood. But that's not the only thing you can call technology. To most "users" of cars the motor isn't the only bit of "technology", the entire thing is. It's nitpicking details but it turns out the narrow view (only the motor) isn't sufficient to sell the entire thing (the car).
"We just need to roll out implementations which are based upon concepts which people are already accustomed to, like my previous example of cryptographically secure caller-id. Even a child could use it without any training whatsoever."
Well, yes and no. People not only need the tools to assess trust, they also need to know how to use them. And to provide the right tools and to teach their use, we need to understand how this "trust" thing works so that we can map it meaningfully on our technology, that's underlying algorithms, implementations, but also front-ends, propagation models, and all the folderol that makes up an infrastructure.
There's nothing "just" about that. In fact, "just" is an IT techie's buzzword as sure as "lightweight" (LDAP, anyone?), "framework" (any widget set, for starters), "XML" (the embodiment of data bloat writ twooh), and so on are. "Buzzword" is said to make people feel all abuzz, but what really should happen is that your bullshit detector should start buzzing.
And that, that it's *not* simple, and much more than just the algorithms and their implementations, and that the most important part of the whole argument is that it's not even about the technology but about not even understanding how to use what we have, that the models they're built around are poor fits for what they're proposed to do, and that there's no way in heaven or hell, nevermind on earth, that we're going to convince our fellow "normal" human beings that we just terminally confused, to use these "solutions" nevermind use them safely, that is the core of the argument.
But to understand that, you have to get down from orbit and learn how to look like a perpetually confused luser. Since techies became that to get away from that, they don't like it. But if we're to make technology *useful* to those beyond the in-crowd, we have no choice.
"Provisioning secure devices could be as simple as inserting one's security card like on cable boxes. Nothing "Johnny" can't figure out."
Average people don't understand encryption algorithms, however they are already aware of the primitives such as a signature, seal, lock which are synonymous to the digital versions. In any case I fold, but only because it's not my problem to convince people who don't want to hear about it.
weight? time? maternity suite room number? midwife's maiden name?
Was the child put back on the list once the fraud came to light?
Computer says no.
But probably back at the end of the queue!
Not THAT serious a set of issues. I mean looking after her kids and wanting them to have the best schooling available is just natural.
Just doesn't have quite the hypersensitive sense of right-and-wrong that you need to not piss anyone off anymore.
Saying that, if it was my kid I'd congratulate them for such a simple, elegant fraud then beat them senseless for risking _my_ kid's future.
I'd then sue the idiot set of school authorities that needed a short email from a free email address to remove kids from a school waiting list. A phone call from their previously noted home phone number would be a bare minimum- and an interview c/w proof of identity is more the level I'd expect. That way the crime to fake it goes waay up (faking a passport or driving license is serious, right?) and makes it that bit less likely that this would happen. Even better, it'd work without any Big Brother-ish surveillance needed- at most a confirmation of the passport number would sort it out.
Fool me once; shame on you
Fool me twice; shame on me
By my maths we're still at "once". It is very easy to be wise AFTER the event. I think mostly schools have focused on "do they really live that close?" and scams to do with renting rooms with close addresses. The "gmail" scam is new. I'm intrigued as to how the mother in question was caught - Google didn't "rat her out" - did they? Or did the authorities pretend to be China?
If their policies are anything like the ones Microsoft and Yahoo didn't want us to read, they will hand over the information in response to a valid court order, which they would be able to get fairly easily. That would give them the IP address, and they would need to do some further searching at the relevant ISP to find out who that belongs to.
This sounds just like the "American way" which has caused so much trouble recently - "I'll do what's best for me and sod everyone else."
Yes, looking after her kid's interests are important, but no more so than the other's kid's interests.
There are reasons fraud and other activities like this are illegal: they are against a civilised society. Lying and cheating should not be the way to get "ahead" - some of us still believe in "fairness". Seems like we're a dying breed...
You are thinking of the other half of America, that is to say the political half who figures people are too stupid to do things for themselves and need guidance on how to do it "right". Mind you there is a small fee for this guidance that consists of pretty much everything one owns. Of course this political half doesn't know they are just as stupid as everyone else if not more so.
Yes, yes, I know there are some who group themselves by either a red elephant shirt or blue donkey jeans and they are thinking I'm talking about the "other guy". Know if full confidence that both groups are right.
"A phone call from their previously noted home phone number would be a bare minimum"
Wrong way round. A phone TO the previously noted home phone number would be a bare minimum.
And even if they didn't know anything about gmail (quite likely if they aren't highly IT literate), they should still have asked for written confirmation which would have included a signature. No need for passports or driving licenses, unless they were shown at the initial application.
Yes, I ment to say the school ought to call the mum (dad, legal guardian) of the kid on the list, and it must not take that number from the email (obviously) -- that's where the "from their files" reference comes in. Well spotted. And yes, not needing all sorts of ID or technology was pretty much the point.
"Not THAT serious a set of issues. I mean looking after her kids and wanting them to have the best schooling available is just natural.
Just doesn't have quite the hypersensitive sense of right-and-wrong that you need to not piss anyone off anymore."
Correction: doesn't have any sense of right-and-wrong
This is taking the stupidness over school admissions to a new level. I hope she gets hauled into the Magistrates court and they make an proper example out of her.
I suspect this sort of behaviour is driven less by care for the sprogs and more by the fear of "missing out" on something.
For a good school with a waiting list I would think removing just one child ahead in the queue is not sufficient -- that does no good unless your child would then be in line for a place. There might have been more kids so affected but their paren't hadn't called to check on their progress...
Alec Guiness in "Kind Hearts and Coronets" comes to mind.
Did this mother do something wrong? Yes. No doubt - illegal too, depending on the law (most western countries have a problem with identity theft, no matter how brain-dead the checks are).
But what's the "real crime" here? It's this "waiting list" for schools that needs to wake up and smell the cordite. Seriously, I mean at FOUR FRICKIN YEARS OLD you need a waiting list to get into a school?
This touches me directly in my own country. My son currently can go to one of two schools - the one across the road, where our daughter goes too. Or another one about 15km away, requiring us to run two cars. Guess what we got told across the road? "Oh we're a bit full. We can't turn you away but.." That's all well and good - school too full, no attention for my kid. But then you ask, "well what about next year - the school 15km away doesn't do secondary levels?"
"Oh, um, whatever".
This is a public school. There are 15 kids my son's age in the district - 15 kids who should be getting first place. Yet the class is brimming over with 35 kids.
Mines the one with a dozen application forms for schools.
i have this pain next year !!!
got two kids wonder if they wil get in the same school !!
We were lucky in that our nearest school just started a nursery, which would, of course, be "independent" from the main school. Yeah - it worked out well that we joined.
To me it looks like a seriously corrupt mess, managed by people who may have educational qualification but who have never been anywhere close to reality.
The moment a private company starts buying up schools one by one you should start paying attention (I saw it happen in North London). Money paid to shareholders equals money not used for education. You can work that out with *any* sort of education..
...it's simple but effective. I've got to laugh at the lengths some parents will go to give their genetic offspring the 'best' start in life. Signing them away at birth was a good start :)
...we need more ID cards, kiddie databases, earmarkings, ID chips, barcoding.......