back to article Mathletics promises security upgrades after parents' security gripes

Mathletics, an e-learning platform for mathematics that is used by millions of school kids across the English speaking world, has admitted a coding error that meant kids’ login details were transmitted in the clear. Developers Australia-based 3P Learning said that the security snafu was down to a coding error, which it has …

  1. tiggity Silver badge

    Obligatory?

    That would be an interesting argument if school says a child is obliged to use a site for homework that has flash.

    Let's see

    No computing device has flash installed in the household

    Some or all of those devices do not even support flash (e.g. various small ithings)

    If a machine did have capability to have flash installed, child would not be able to install it as they would not have sufficient permissions on that machine, and no security conscious adult would install Flash on a machine a child (or anyone!) would use.

    etc...

    1. HollyHopDrive

      Re: Obligatory?

      Also schools seemed to sign up to these platforms without checking this kind of stuff, probably because another school uses it and didn't think they may need to check.(or more likely didn't have the skills to check)

      Not blaming teachers BTW (my wife is one) but a real lack of IT literacy in educational circles is shocking. My wife's school only implemented laptop encryption 6 months ago even though I pointed out they weren't using it 12 months ago when my wife joined the school. Her previous school didn't see my issue and refused to encrypt teacher laptops!

      So this isn't a shock.....

      1. Trigonoceps occipitalis

        Re: Obligatory?

        Do the companies supplying these platforms offer seminars in, say, The Bahamas for users or sales prospects? Only a subset of teachers would be seduced but then they become ambassadors for the product. Introduce three new schools and get an invitation to Mathletics 2017 in Las Vegas or whatever.

        It is a sales model that works in many many spheres.

        Of course I am confident that much time will be spent at the seminar explaining the security model, why https is not required and how they have fully mitigated Flash vulnerabilities. (Event held in a cellar, beware of the leopard ... you get the picture.)

        1. Lee D Silver badge

          Re: Obligatory?

          As someone who runs the IT for schools, allow me to jump in.

          All these manufacturers are NOT chosen by the IT department of the schools. We suddenly get some login details emailled and a guy on the phone asking for our entire school database, and that's the first we hear of anything. The maths department would be generally to blame for Mathletics, for instance.

          Then we argue and fight and point out the holes and get made to do it anyway. We do this, in a way compatible with Data Protection (yes, I've told staff where to go AFTER they've paid for products because the data would be hosted in the Cayman Islands and things like that and I refuse to do that as it's a breach of the DPA and similar EU rules), and get the service running.

          It's then pushed "because we spent a lot of money" and - primarily - "because other schools do it". The parents complain. The IT department fends them off for several months (we know it doesn't work, there's nothing we can do - yes we'll "pass it on" to our suppliers - guess what the answer has been for Mathletics for the past two years? "We're working on non-Flash versions". TWO YEARS). Then eventually, people get bored, ignore it, carry on. Whether those people are the parents, the maths department or the suppliers, the system dies a death.

          Would you like me to tell you how many similar things I have in my network and on my list of services at the moment? I'm actually HOSTING an internal resource that isn't iPad-compatible. In a school full of 1:1 iPads. It was purchased, so that means it sticks around until the person who got it authorised leaves, and about 1% of the games on it are actually iPad (or even touchboard) compatible. There are promises, as always, but little momentum.

          Even things like Apple Pages vs Office - people just assume all computers are the same and that they all work identically. Even with management - powerful MDM does not provide anywhere near the same level of control over an iPad as GPO does over a PC. Or similarly for Macs. And "Why can't our Macs run *insert some ancient piece of software written for Windows 95*.

          Good schools listen more, but never listen completely. And because it's someone's pet project, they push it through, ride through the storm, and then claim success - and then a couple of year's later use that success to get a job elsewhere and everyone still complains so we just scrap the "old" system and buy another almost identical in its range of problems. And, yes, parents do sometimes think that having some computers in the IT Suite is an acceptable solution. But mostly not.

          IT in schools is immature and the purchasing decisions are not made properly. Even where IT specifically point out incompatibilities and problems, sometimes they are rode over because "other schools do this". And then when you speak to their IT guy you find he had the same argument pulled on him and we're all just following some idiot somewhere who didn't think through their purchase in order to be the same as everyone else.

          That said, there is an amazing lack of cross-platform compatibility in educational software. As this proves, even being "web-based" doesn't save you the hassle of it not working on Chromebooks, Macs, iPads, Android, their mum's phone, or whatever. The magic word at the moment is "HTML5", but even there I've seen things that render atrociously on small screen devices because just being HTML5 doesn't mean that it actually was thought about. And then you get into "How do I filter videos, games, etc. that are written in HTML5?" - because that's much harder than it sounds.

          Hell, it's common practice for my suppliers to tell me to "just unblock" the entirety of the Amazon Elastic Cloud so that their cheap servers aren't caught up in our filters. And they are serious. And there's little I can do about it if we want that expensive new service to work.

          It's the school's fault, yes. But also the manufacturer's. And, in a way, the people who encourage iPad (not "tablet", notice, but a specific, branded, particular tablet) use in education.

          400+ iPads and counting...

          1. markberry

            Re: Obligatory?

            I run an IT Department in a school too. I think you have summed up the school situation perfectly.

            The only thing I would add is that it seems like standard (and accepted) practice in the Education Software industry to produce sub-standard software, charge huge amounts for it, then provide poor support and development to the schools going forward. I'm sure this would not be accepted in industry but schools seem to accept it. The amount of poorly put together pieces of software we seem to be forced to implement, including finance packages that are so poorly written and have so many security flaws in them.

            1. Martin an gof Silver badge

              Re: Obligatory?

              it seems like standard (and accepted) practice in the Education Software industry to produce sub-standard software, charge huge amounts for it, then provide poor support and development to the schools going forward

              Whatever happened to the people that brought us the likes of Granny's Garden and the wonderful Podd?

              Oh, goodness. Granny's Garden is still available!

              M.

    2. Mr Humbug

      Re: Obligatory?

      The issue with Flash on sites for homework was raised at a meeting for parents of my daughter's Year 6 class last November when one parent pointed out that they "only had an iPad". The teacher's response was that on Monday lunch times the school computer room was made available for the exclusive use of Year 6 children who couldn't do their homework at home. That seemed to satisfy the parent who asked.

    3. Martin an gof Silver badge
      Childcatcher

      Re: Obligatory?

      That would be an interesting argument if school says a child is obliged to use a site for homework that has flash.

      It's not just the installation of Flash, it's the constant updating of it, with browsers "blocking" an out of date version (which the children can't update) and with one site our school uses the fact that between last year and this year the site has had an "upgrade" and now won't run reliably on our OSX 10.6 machine even if I have updated Flash.

      I hate homework at the best of times, much of it seems to be "make-work" and often puts the children off a subject. This sort of automated (effectively) drill-and-practice stuff is just a low-maintenance way for the teacher to have some nice graphs at the end of the month to show how the children have "progressed".

      Hurumph.

      M.

    4. bob salmon

      Re: Obligatory?

      Exactly how many computer do you know that have been blown open due to flash?

  2. Anonymous Coward
    Anonymous Coward

    I literally can't read PR non-apologies.

    Boycott / shitlist / die in a fire.

  3. Anonymous Coward
    Anonymous Coward

    "a binary encryption method for transmissions (AMF)"

    Translation: the AMF3 specification is too complex for our small brains to handle, therefore the communication is clearly "encrypted".

    https://en.wikipedia.org/wiki/Action_Message_Format

    This level of stupidity is criminal in an organisation handling childrens' personal data.

  4. Anonymous Coward
    Anonymous Coward

    HTTPS, yeah edu's have heard of it.

    My wife has to use a local authority web portal to transfer certain information to do with her work with a local education authority, you guessed it public facing gov web portal with no sign of HTTPS to be seen. Just keep praying the bad guys aren't interested in it and everything will be fine.

  5. Doctor Syntax Silver badge
    Facepalm

    "a failure to support https"

    Oh, the irony.

    1. Adam 1

      It is ridiculous that in 2016 that there are websites out there that transmit credentials in clear text. You wouldn't catch any of us here using such websites; that's for sure, er.... Oh.

  6. Ole Juul

    coding error

    Seriously, login details in the clear is probably not really a "coding error". So, will kids now start to say "I lost my homework because of a coding error"?

  7. Anonymous Coward
    Anonymous Coward

    As someone who is affected by this..

    I don't really care. The usernames are not the child's name, the password is configured by the teacher, and the content of the site is maths questions and answers. I'm sure my child would love it if someone hacked into it and completed the homework for the week.

    1. Grikath

      Re: As someone who is affected by this..

      or crashed the entire thing.. so Homework evaporates altogether.. ;)

    2. cgg

      Re: As someone who is affected by this..

      Dead right. There is exactly zero personal information at risk here. And Mathletics, for all its faults, is so much better than the alternative (every child does the same maths just because they are the same age...)

      1. bob salmon

        Re: As someone who is affected by this..

        Add another one to that.

        And I have a really good understanding of K/12 elearning and how awful it can be.

  8. Adam 1

    > The new HTML based home pages that we have released are indeed served via HTTP, however the API called to authenticate a user is most certainly HTTPS

    I hope that I am misreading that sentence.

    It is important to authenticate via HTTPS, but equally important to deliver the JavaScript that talks to the API over HTTPS as well. Otherwise a miscreant mitm will just alter the JavaScript on the way through. Same vulnerability when embedding a HTTPS iframe in a page delivered over HTTP.

    Another (recently fixed) real world example of the same attempted argument:

    http://www.troyhunt.com/2016/01/thank-you-waitrose-now-fix-your.html

  9. Anonymous Coward
    Facepalm

    Mathletics tested regularly by security experts?

    "3P has its sites externally tested regularly by security experts"

    Q: What was the name of these security experts?

    A: We're just making this sh1t up.

    Q: What was the name of the company that designed the e-learning platform?

    A: Some lowest tender contractor, who outsourced the job to India.

    1. Crazy Operations Guy Silver badge

      Re: Mathletics tested regularly by security experts?

      I really want to know who these 'security experts' are so that I can avoid dealing with them. This is basic Secure Programming 101 type stuff that they missed.

      All pages should be https-only, with a few supporting both http and https (such as the main page, the support FAQ, and the contacts page). No page should be http-only.

      As for login pages, I am severely disappointed at how few websites support certificate-based auth.

  10. P. Lee Silver badge

    Security?

    "I'd like some system which has useful maths practice."

    -Says techie Dad.

  11. Anonymous Coward
    Anonymous Coward

    Still not fixed

    As someone who is affected by this I thought I'd try the Australian site:

    http://au.mathletics.com/signin/ still loads an insecure page rather than redirects to SSL. Manually changing to "https://" causes an ERR_TIMED_OUT.

    When did they say they fixed this?

  12. Mark 65

    2016

    Let me see:

    1. No https for login and JS delivery

    2. Requires flash and hence an insecure machine in the house

    Their CTO isn't worth the steam off of my piss.

  13. bob salmon

    A Jobsian legacy

    As other posters have indicated there is no real data stored about the child, the tests and exercises are very low stakes.

    The problem with the whole flash thing is that all of the best quality learning animations and tests are flash based. The money ran out when developers, pushed by Jobs anti flash policy tried other techniques.

    The large K/12 publishing organisations have made it worse by publishing "cutting edge" elearning materials based on PDF (basically a text book).

    So all these people that bemoan this are way of the mark. I saw this years ago and decided to ignore it as the content was better than the ridiculous perceived security risk.

  14. myhandler

    Anyone else find the name Mathletics hideous ?

  15. Anonymous Coward
    Anonymous Coward

    As a parent end user and and Information Security Manager I was appalled to receive a 6 character password of lowercase and numbers for my daughter's Mathletics account. This is in 2018 so they clearly have made little or no progress in improving their security posture!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020