back to article Q. What do you call an IT admin for 20-plus young children? A. A teacher

Protecting students' privacy – from securing their personal information to safeguarding their schoolwork – is a challenge for schools and software developers, apparently. Alex Smolen, engineering manager for infrastructure and security at school management software maker Clever, told the 2019 Usenix Enigma conference in San …

  1. Anonymous Coward
    Anonymous Coward

    It's horrendous out there in local Ed IT

    Sraff training and awareness is a huge issue. You have local government IT workers on the ground dealing with nursery schools for example. No one is paid huge amounts and simply trying to make sure they adhere to the myriad of conflicting rules is horrendous. School teachers having to constantly be aware of how they can touch or approach students is now so heavily regulated. They have to make sure thet Johnny hasn't brought a peanut butter sandwich in 'cos nut allergies are serious business in schools and for the most part banned. Then we get to IT last. Teachers and carers that only have their own home tech experiences to go on. Stories of teachers borrowing the digital cameras, tablets and such like for personal use,leaving stuff on equipment, this before we even get to malware, AV and phishing the most basic of IT security concerns.

    I know all this as I know someone who works in local Ed and the stories I hear just scare me to death.

    1. Ian Emery Silver badge
      Mushroom

      Re: It's horrendous out there in local Ed IT

      Been there, had to do that unsupported by the management for 25 years.

      Meanwhile, my Y1 daughter has to log in online to do various homework, the "security" consists in her name for user and a 2 digit number for the password on a portal ANYONE can access.

      1. jon909

        Re: It's horrendous out there in local Ed IT

        re "2 digit number"- that is horrendous! if they can't afford something like Duo, the could just do a TOTP or even just a client side certificate.

      2. D_X

        Re: It's horrendous out there in local Ed IT

        Similar here:

        My reception year son has a similar online tool for reading homework, not that he can read well yet at 4 years old!

        The online portal, accessible to all needs a school code which will be the same for all kids in the school, and a username & password.

        Both username and password assigned to my son were: 2 digit year (his school intake year) , firstname, last initial. There were no online prompts or advice in the guidance leaflet about changing passwords.

        I haven't tried but I'm pretty sure I could get onto the reading records of at least 80% of the schools kids who won't have changed the password simply by knowing the child's name and applying the same user/password formula.

      3. bombastic bob Silver badge
        Devil

        Re: It's horrendous out there in local Ed IT

        well it sounds to me like there needs to be some kind of RFID as the 'second factor' in a 2 factor method.

        Back when i was a kid, they had these dog tags that parents usually bought for us (it was a school program as I recall, take home the ad and mom/dad mailed it in), that had a kids' name + address on it, maybe other info [I forget exactly], some kind of emblem or catholic saint or haiku or something on the otehr side.

        So if a kid wears a dog tag, just make sure it has an RFID in it that can be used as the 'second factor' for 2-factor authentication. Or a QR code. Or bar code. Or whatever.

        At least that way, the device would have to be within a certain distance of the RFID to work. Or the device would visually scan the QR code or bar code on it, same idea.

        Anyway, it's something that kids would get used to really fast, "wear the key". And maybe a teacher override for occasional "I forgot it" usage.

        1. Charles 9 Silver badge

          Re: It's horrendous out there in local Ed IT

          And for kids that constantly LOSE things...or are frequently bullied and their belongings stolen?

    2. Anonymous Coward
      Anonymous Coward

      Re: It's horrendous out there in local Ed IT

      I use to work in ED IT 12 years ago, seems nothing has changed at all!

  2. deadlockvictim Silver badge

    Tell me about it

    Poor teachers and poor children. Neither know yet that many of the online services are bad for them in the long run. They think that Whatsapp, facebook and Google are wonderful and that the children should be expsoed to them.

    Smoking was cool & fun and not at all bad for you until about 50 years' ago. Then the spoilsports and busybodies came and ruined it all. And so it is with paranoid parents who complain to teachers that they don't warn their pupils about the dangers of Whatsapp, facebook and Google. Although I do note that the schools where smartphones are banned are popular with parents in Silicon Valley.

    1. A.P. Veening

      Re: Tell me about it

      "Although I do note that the schools where smartphones are banned are popular with parents in Silicon Valley."

      That last line should get some more attention, most important one of your post.

      1. VTAMguy

        Re: Tell me about it

        Yes, this. See New York Times articles:

        A Dark Consensus About Screens and Kids Begins to Emerge in Silicon Valley

        https://www.nytimes.com/2018/10/26/style/phones-children-silicon-valley.html

        "Technologists know how phones really work, and many have decided they don’t want their own children anywhere near them."

        Silicon Valley Nannies are Phone Police for Kids

        https://www.nytimes.com/2018/10/26/style/silicon-valley-nannies.html

        The Digital Gap Between RIch and Poor Kids

        https://www.nytimes.com/2018/10/26/style/digital-divide-screens-schools.html

        "America’s public schools are still promoting devices with screens — even offering digital-only preschools. The rich are banning screens from class altogether."

    2. Rich 11 Silver badge

      Re: Tell me about it

      Yeah, those damn spoilsports stopped me from inhaling lung cancer and snorting asbestos. How dare they interfere with my life choices! I mean, I was eleven and understood the risks perfectly.

      1. Ken Hagan Gold badge

        Re: Tell me about it

        Note to el reg: we still need a whoosh icon.

  3. chivo243 Silver badge
    Childcatcher

    Living the dream

    I work in Education, but luckily, mostly on the operations side. I see so many issues that have bad solutions. It's amazing how common sense and doing things right never enter into the equation...

    1. DJV Silver badge

      "common sense and doing things right never enter into the equation"

      Obviously, they are providing the perfect training for future politicians!

  4. rmason Silver badge

    "Clever uses QR codes that kids can carry on student badges, and then scan to log in to a machine."

    That's a username, not a password.

    I'm a dad, I get that young kids won't be able to remember a randomised 12 digit password or whatever, but at least teach them about passwords, and why they are a thing. Some sort of middle ground basically.

    1. Nick Kew Silver badge

      I get that young kids won't be able to remember a randomised 12 digit password

      Neither can old farts. Nor even those at the prime of life. With no doubt a few exceptions among any group.

      I'd've thought school students would be a good case for biometric security. A closed population of a few hundred or at most a few thousand make distinction by fingerprint a straightforward task. That would leave an annual one-off bootstrap exercise, for which teachers could be trained or consultants hired.

      1. Anonymous Coward
        Anonymous Coward

        It's not just about the school computers.

        Though bio-metric logons can replace passwords on the school computers - Assuming they can afford them, but that's another story - the real requirement is education. Outside school, the kids will need to use all hardware and software, not just fingerprint equipped stuff.

        1. Nick Kew Silver badge

          Re: It's not just about the school computers.

          Biometric security in schools is a solution to the specific problem discussed in the article. You're broadening it to the general.

          Biometric security at school won't really affect kids interactions with the outside world one way or t'other. Except that they'll grow up with a mindset that passwords are not the only way, and be better-equipped to question the unthinking and poorly-designed use of passwords when they encounter it.

      2. Martin an gof Silver badge

        A closed population of a few hundred or at most a few thousand make distinction by fingerprint a straightforward task

        So long as it works. My children's school uses fingerprint recognition for dinner payments (it works like a charge account). My children have never registered, and there's a plastic card available as an alternative. The machines are so unreliable that most children apparently use the card by default, only attempting to use the fingerprint reader if they've forgotten their card.

        But as you go on to say, this (and the QR code idea) is only really a solution in the school. For many teachers, half the point of computerised systems is to force the children to do their homework online, even at primary level. QR codes or fingerprint readers or retinal scanners on the home desktop or laptop that can handshake securely with school systems?

        How much of a problem it is, is another matter. There is a world of difference between being able to guess the login for a child's reading record and being able to log in to a system which gives you name, address, phone numbers etc. As far as I'm aware, none of this type of information is available on the homework systems used by my children, so the biggest risk is that child A might copy homework from child B. Many schools offer "homework clubs" as lunchtime or after-school activities, so copying - or at least sharing information and help - is par for the course anyway, in much the same way as I used to do my homework on the bus (it took an hour to get to school) so that my Oxford-bound best friend could help me :-)

        M.

        1. doublelayer

          "There is a world of difference between being able to guess the login for a child's reading record and being able to log in to a system which gives you name, address, phone numbers etc."

          I beg to differ. Having an address or phone number can lead to spam, sure. Consider, however, how things would go if some students could find the grades for other students. That could be very unpleasant, and lead to torment of various types. There's reason number one not to let it happen. While we're on the topic of torment, a student with an urge to be malicious could log in as another and send in homework, either to have their victim fail or to frame them for an offense. Reason number two. An external attacker could obtain a list of students from the school (this is easy to get) and access all the accounts, either communicating with the child, sending the child elsewhere (think an XSS on the page that probably wasn't built well), or collecting information that could be used to track them. Reason number three.

          Access to these systems is sensitive, and must be protected.

          1. Martin an gof Silver badge

            Access to these systems is sensitive, and must be protected.

            Don't disagree at all. I am of the opinion that data should be private by default and security should be as high as possible by default, but you can see why schools want / need to make these things simple to use too.

            What you describe is bullying pure-and-simple and should be sortable using normal school procedure. In the long run, a lot more damage could be done by the theft of phone numbers, next-of-kin and the like. Not that I'm saying schools are obviously better in this front - the only experience I have is that the school keeps sending my mobile number to the third party company they've decided we should all use to receive school "letters", despite being asked on several occasions not to do this - but at least this information is not available (as far as I'm aware) to a moderately savvy eleven year-old.

            M.

            1. doublelayer

              Given how many people have mobile phones, it would not be particularly difficult for a child to obtain phone numbers. They could easily get the student's number from their contacts, and with a little effort, gain access to their contacts using a number of methods. I think the risk of bullying is important, as it has proven difficult to prevent. I therefore suggest that we do our best not to make it easier.

              However, let's consider some ways the access of these accounts could be abused by others who are not schoolmates. This is yet another source of data, and one that companies would not mind mining. Do we want our children to have their primary school grades analyzed or leaked? I think we can all agree the answer is no. There are many parents who obsessively check the grades of their children, but some of them* would not mind seeing the grades of other children for comparison. They could use this insecurity as an entrance. If we want to overthink this, there is probably a lot of personal information in this that could be used to socially engineer the child, too.

              Children do not have much data on them. Their schoolwork can be a very personal thing. Some may divulge it to others, which is entirely their right, but others do not want their friends or anyone else to know all the details. I believe it is extremely important that it remain private to them and their parents. The worst-case scenario with a leaked phone number is irritating calls. This is certainly a thing to be avoided, but I can think of worse things that could be done with leaked educational data.

              *Parents spying on students' grades: I know parents who do this, usually by "casually" asking students increasingly leading questions. It is not that many of them, but one is already too many and there is more than one.

      3. David 18

        "I'd've thought school students would be a good case for biometric security. "

        Biometrics are also just an ID, not a password. At least a QR code can be changed when compromised. We don't want another generation thinking biometrics are effective and secure

      4. Ian Emery Silver badge

        Bimometrics were tried at some schools/colleges

        And the parents were up in arms about it; I'm not even sure of the legality of finger-printing Primary children; Even the Chinese baulk at that!

        Daughters old nursery school started using one of the online education tracking systems, despite my pointing out the servers and all the data they held are based in the USA, and so break the DPA.

        I am teaching my recently turned 6 y/o daughter to set passwords the way I do; pick a memorable phrase from a book or film she likes, and swap out the "O" and "i" for 1's and 0's.

        Example, Scoobydoo fan, "Th0seDarnK1ds"

        1. Charles 9 Silver badge

          Re: Bimometrics were tried at some schools/colleges

          But start adding them up and people start getting them mixed up. Was it correcthorsebatterystaple or donkeyenginepaperclipwrong?

    2. GnuTzu Bronze badge

      Chipped, Right Hand --> Apocalypse

      Yeah, this is where it starts. They'll chip kids in the their writing hand so that all they have to do is wave it over a device. Sorry, this and AI will cause a new evolution in which we plain old humans will go the way of the neanderthals, whether you believe in the Apocalypse or not. Frankly, I'm a skeptic, but I don't need a supernatural explanation for the Apocalypse to know that we will surely either cease to be human or simply cease.

  5. Rich 11 Silver badge

    High hopes

    If someone can come up with a reliable method of getting kids to handle security properly, there could be as high as a 50-50 chance that it'll work with adults too.

    1. fandom Silver badge

      Re: High hopes

      I was reading the article and everytime they mentioned a problem about dealing with kids I thought "and they think dealing with adult users is different because ...."

      1. Charles 9 Silver badge

        Re: High hopes

        ...because at least adults have full-grown brains and certain expectations. There are children out there who still have trouble remembering their names and distinguishing a g from a q. How do you expect to teach cybersecurity to someone THAT limited?

  6. Waseem Alkurdi

    "Young students, for example, cannot be expected to remember and enter a password. "

    Eh? They only can bother remembering that of Fortnite/PUBG/whatever online game?

    I've been dealing w/ passwords since age six or something. It was mostly 1234s, but hell, it's possible.

    1. ThatOne Silver badge
      Unhappy

      Re: "Young students, for example, cannot be expected to remember and enter a password. "

      This is mostly an issue of mental attitude.

      I have (adult) relatives who just refuse to use passwords, even for important things like for instance their banking site. Even when I make them a little paper notebook with all the websites and passwords clearly written. Our conversations are always a variation of this:

      "I can't use a password! Just leave the door open!"

      "But anyone could access your bank account and empty it!"

      "I can not, and will not use a password! I already forgot it!"

      "But look, everything is written here, in the passwords notebook..."

      "I can't use a password! Just leave the door open!" (re-read from top)

      .

      Long story short, there is nothing wrong with passwords. The problem is user resistance and the belief they can complain themselves out of using them. There are solutions, but they just don't want to use them, throwing hissy fits and requesting some miracle solution instead. (To the delight of all snake oil vendors...)

      1. DJV Silver badge

        Re: "Young students, for example, cannot be expected to remember and enter a password. "

        Well then, just empty out their accounts - they might actually start getting the idea then!

        It's similar with data backups - people don't do them until they get bitten by losing something essential (though, it does take a couple bites before they really start doing it properly).

        1. ThatOne Silver badge

          Re: "Young students, for example, cannot be expected to remember and enter a password. "

          > Well then, just empty out their accounts

          Bad idea, because I'm the one they call when something is amiss, and I'm supposed to unravel the mess because "they don't know how to".

          I definitely prefer them to use good passwords, the days I spend brainwashing them are weeks I won't have to waste trying to repair real damage.

          1. Anonymous Coward
            Anonymous Coward

            Re: "Young students, for example, cannot be expected to remember and enter a password. "

            Tell them you're not allowed as a legal matter (unless you have something like power of attorney), meaning they're on their own; either sort it out or start living on dirt.

    2. pig

      Re: "Young students, for example, cannot be expected to remember and enter a password. "

      My 3 year old Nephew knows the passcodes of all the iPads in his house.

      Why my sister has pass codes when all her kids know them I don't know. If I am there and I want to use one I just ask my nephew for the code.

      The problem with school IT is usually more with the teachers than the students, especially in infant and primary school.

      My wife is an early years teacher. She has a passion for it. She does not have a passion for IT security, and neither has she been taught how to deal with it. And neither have her bosses.

      As such they bumble along finding practical ways to get things done. If, and it always does, this involves unencrypted pen drives rather then secure storage they will use it.

      Can we really blame them when they haven't been taught why this might be wrong?

      1. Robert Helpmann?? Silver badge
        Childcatcher

        Re: "Young students, for example, cannot be expected to remember and enter a password. "

        The problem with school IT is usually more with the teachers than the students....

        My wife is an early years teacher. She has a passion for it. She does not have a passion for IT security, and neither has she been taught how to deal with it. And neither have her bosses.

        I humbly submit the problem as you describe it is not with the teachers, either. IT security is not a requirement for teachers to do their primary job. Same as for school admins. There are people who can be brought in to set this up, explain it to the various customers (teachers, children, school administrators, parents) and keep it going. The issue is with the public not seeing this as a need to be addressed and then providing the resources with which to do it. The people who should be taking this to the public to explain the need, request funds and whatever else it takes are the local school boards and state and federal departments of education, at least in the US. This is a matter of policy and budget, not something local school administrators should be expected to deal with.

        1. ThatOne Silver badge

          Re: "Young students, for example, cannot be expected to remember and enter a password. "

          I agree. Schools have been taken unawares by that new tool, and the teachers, usually from the generation before computers were commonplace, usually barely know enough to get it working; You can't expect them to become knowledgeable IT specialists all on their own, at least not at this level of salary. And it's not like schools are rolling in dough and can afford to train their staff, so they left to hope nothing too bad will happen...

          1. Barry Rueger Silver badge

            Re: "Young students, for example, cannot be expected to remember and enter a password. "

            teachers, usually from the generation before computers were commonplace

            Wow. you must have some significantly old teachers.

            Guess what? Pretty much anyone under sixty years old, or even seventy to be honest, has been using computers for several decades. IBM PCs began to be commonplace 30+ years ago, and were becoming ubiquitous a decade later. Apples, Commodores, and Ataris were well known too.

            And of course the entire computer industry and the Internet was developed by people now nearing their allotted four score and seven years.

            It really is time that we discarded the cliche that old people can't understand computers. It's insulting and inaccurate.

            1. doublelayer

              Re: "Young students, for example, cannot be expected to remember and enter a password. "

              I'm not sure that's accurate. In principle, I agree that the stereotype should die. However, let's analyze some things you claimed:

              "And of course the entire computer industry and the Internet was developed by people now nearing their allotted four score and seven years."

              That puts the computer industry and internet as developed by people born in 1932. Some of them, sure. Most of them, no. The people who did a lot of the modern-day internet technology were born in the 50s through the 80s. We're not including every computer science professor who wrote a lot of important texts; I'm thinking the engineers at the companies who designed the products we're currently using, from old concepts like HTML and HTTP to newer technologies like JSON. However, I also contend that this doesn't matter; if the point is that older people have had less contact with computers, citing old computer scientists is finding the exception that certainly doesn't disprove the rule.

              As for when the majority of people encountered computers, I do not think we can really count the machines of the late 70s and early 80s. I don't think they count for a generational rule because they were not that commonly held by everyone. Remember that a lot of people here had them because we self-select to be more interested in computers. The population at large was not guaranteed to have a home computer in 1985. I would conservatively estimate that, if you were a child in 1990, that you would then be guaranteed to have a lot of contact with computers during your youth. We'll say that this would happen if you were younger than ten years at the time.

              This puts our threshold of stereotypical computer familiarity birth year at 1980. In other words, the maximum age for such a person is 38 years. Many teachers are older than this,, as it is a job they typically hold for many years. Since we're talking about primary and secondary schools, I estimate that about a half of my teachers were above the age of 40. Nearly all the teachers were older than 40 in my primary school, though I do not know if that is a pattern.

              Of course, this is a stereotype, and will not be generally correct, but I believe I've made clear that there are many people who did not have contact with computers during their youth. There is no guarantee that, even though they have undoubtedly had to use a computer at some point during these past decades, that they are literate in the technology and can successfully manage it. Look at all the people that are, according to this stereotype, supposed to know what they are doing. Many of them are not competent in using it. Unfortunately, while I have found many older people who have no difficulty with technology, I have found many more who reject it entirely or make me wish that they did.

  7. Anonymous Coward
    Anonymous Coward

    Usenix Enigma

    FPA Unisex Enigma...

    That confused me!

  8. spold Bronze badge

    >What do you call an IT admin for 20-plus young children?

    A masochist

    >"We give them our adult defenses," Smolen said

    It's the US - this means guns! Shoot them darn pesky hackers. :-)

    "Use conjoined or complex passphrases such as.... Horatiofuckwaffle!" - 20 students now have this as their password....

    1. bombastic bob Silver badge
      Trollface

      correct horse battery staple

      what could be so difficult?

      1. Charles 9 Silver badge

        Someone with poor memory could easily morph that into donkeyenginepaperclipwrong.

        We need solutions for people too proud to ask for help AND with memories that bad, before they take the rest of us with them.

  9. Anonymous Coward
    Anonymous Coward

    20+ pupils? Ahahahahahahahahahaha

    Clearly never seen the inside of your average UK school where a class of 20 means there is an epidemic of dysentery ravaging the local population. 30+ would be much more accurate.

    1. Ian Emery Silver badge

      Re: 20+ pupils? Ahahahahahahahahahaha

      But no school can afford enough PCs for that many children, they can just about afford to to meet the classic "two to a book" system (so 10 old PCs).

      I only know one school with enough for a whole class, and that was a fluke; they were broken into and all the PCs were stolen; insurers paid for replacements, then over a YEAR later the Police turned up the stolen PCs in a lock up in London.

      By then it was too much hassle for the insurer to deal with taking back the replacement PCs, so the school kept them AND got the old ones back!! KERCHING!!!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019