Ofsted downplays site security concerns

UK school regulator Ofsted has downplayed security concerns about its website, adding that its policies will be further involved once a planned revamp is completed. El Reg learnt of the concerns from parent Oli, who approached us after failing to receive a response to his concerns either from Ofsted (Office for Standards in …

  1. frank ly

    The truth is out there

    On the one hand:

    "There is no mechanism for verifying the person providing feedback is a parent, no token or means of identifying the person, any email address can be used to sign up and the process could easily be automated," according to Oli.

    On the other:

    "Parents wishing to submit a review must first register with a password, verify their email address and accept the terms of use." [An Ofsted spokesman]

    They sound mutually exclusive but in fact, they are not.

  2. Anonymous Coward

    The same Ofsted

    That expected a large rural school to build a complete security fence all the way round it at a cost of £100000 despite the fact that it is impossible to check that nobody is climbing over it. Because of course paedophiles can't climb.

    If you think about it, this is exactly the same attitude.

    1. Anonymous Coward

      Re: The same Ofsted

      My school had a 3m security fence installed one summer holiday. We used to climb the damn thing a dozen times a day to retrieve footballs and tennis balls.

      It gave a good upper body workout, while giving the school a nice US prison aesthetic. Good times.

  3. Gordon Pryra

    Nothing to validate here, move along please

    They probably don't see themselves as needing any security, who cares if you can verify who sent feedback if that feedback is never going to be read by anyone?

    Ofsted seems to be there purely as a "we can tell the electorate that we have this covered" for whatever government is in charge.

    It's not like their reports can actually be trusted.

    Having seen Ofsted reports from multiple schools (in some depth) you can see the varying qualities of report and weird things they seem to pick on. (one report made a comment about a teacher wearing jeans....)

    1. Roland6 Silver badge

      Re: Nothing to validate here, move along please

      They probably don't see themselves as needing any security, who cares if you can verify who sent feedback if that feedback is never going to be read by anyone?

      A bit like the UK Gov ePetitions site prior to the soar away Brexit ePetition, where 77,000 readily identifiable fraudulent signatures had to be removed...

      Which makes me think about the IoT and all those climate sensors - we don't need more reasons why we should ignore scientific data...

  4. Anonymous Coward

    From speaking to teachers I know, Ofsted are a joke organisation anyway.

    A school I went to recently got a new headteacher (well a year or two ago). There was pressure from Ofsted to have it become an academy, something which the headteacher point blank refused to do. So what happens? Ofsted give it a "Needs Improvement" rating, straight from "Outstanding". Half because of his refusal to become an academy, half because he's a new headteacher. Which, apparently, means Ofsted reduce the rating by default.

    The school my sister teaches in didn't receive an Ofsted inspection for a while, and when it did they were reluctant to give it a rating. Why? Well she teaches at an academy, and if her school were to lose its Outstanding status then the authority would be without an outstanding academy in the district. Which would look awfully bad for a flagship idea introduced by the Government.

    Anonymous because, well I don't want to get hit.

  5. Mark Wilson

    All Educational Websites

    It seems to me that all educational websites practice weak to no security. My son's school recently sent us details of Mathletics, as a good parent I dutifully signed up and was gobsmacked that we are letting kids use such tripe.

    Ignoring its use of Flash which is bad enough to start with, I quickly noticed that all I needed to log into the account was to copy the address which contained the session id, no password or anything. Then things got worse, after signing up for a parent account, I noticed that the username and password were there in plain text in the address bar ripe for any sniffer to pick up. Things didn't stop there however, realising that my password was now in the public domain, I went to change it in my account section only to see it there in plain text so clearly not hashed at all.

    Oh and it only uses HTTPS for the sign in itself, everything else is HTTP.

    I got in touch with the school who clearly got a stock response from the company behind this which amounted to the password is sent using HTTPS so it is okay and it isn't really important anyway.

    The school now knows my son will not be using this piece of garbage.
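
An added example, not part of the original comment or of the site it describes: a small Python check that flags the URL-level problems listed in the comment above (session identifier in the address, credentials in the address, plain HTTP after sign-in) in a list of observed request URLs. The parameter names and the sample URLs are assumptions constructed for illustration; password storage is not something a URL check can see.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names for illustration; not taken from the site in the comment.
SESSION_KEYS = {"sessionid", "session_id", "sid", "jsessionid", "phpsessid", "token"}
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass", "username", "user", "login"}

# Constructed sample: (request URL, was the user already signed in?)
SAMPLE_REQUESTS = [
    ("https://learn.example.test/signin", False),
    ("http://learn.example.test/home?sessionid=abc123", True),
    ("http://learn.example.test/parent/welcome?username=pat&password=hunter2", True),
    ("https://learn.example.test/account", True),
]


def audit_url(url, authenticated=False):
    """Return a sorted list of findings for one observed request URL."""
    parts = urlsplit(url)
    findings = set()
    # Parameters can sit in the query string or in ';name=value' path parameters.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    for segment in parts.path.split(";")[1:]:
        name, _, value = segment.partition("=")
        pairs.append((name, value))
    for name, _ in pairs:
        key = name.lower()
        if key in SESSION_KEYS:
            # Anyone who sees the URL (history, Referer, logs) can reuse the session.
            findings.add("session-id-in-url")
        if key in CREDENTIAL_KEYS:
            findings.add("credentials-in-url")
    # HTTPS only on the sign-in form leaves every later request readable in transit.
    if parts.scheme != "https" and (authenticated or findings):
        findings.add("cleartext-transport")
    return sorted(findings)


def audit_requests(requests):
    """Map each problematic URL to its findings; clean URLs are omitted."""
    report = {}
    for url, authenticated in requests:
        findings = audit_url(url, authenticated)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit_requests(SAMPLE_REQUESTS).items():
        print(url, "->", ", ".join(findings))
```
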

    1. Roland6 Silver badge
      Pint

      Re: All Educational Websites

      >The school now knows my son will not be using this piece of garbage.

      Is that because you have completed his coursework for him, or has he now started a small business, adjusting the coursework of others...

  6. Anonymous Coward

    Cool.

    So I can boost the value of my house by making all the schools in the area outstanding.

    This probably explains why a shit hole like Sutton has some of the best schools in the UK.

    Does anybody actually give weight to Ofsted reports?

    Given that the teachers know when they're going to be inspected it occurs to me that getting a good Ofsted score is pretty arbitrary since the teachers can put together amazing lessons for the day they're inspected then return to shitty lessons when the inspection is done.

    1. Ucalegon
      Childcatcher

      Re: Cool.

      "Given that the teachers know when they're going to be inspected it occurs to me that getting a good Ofsted score is pretty arbitrary since the teachers can put together amazing lessons for the day they're inspected then return to shitty lessons when the inspection is done."

      In fairness, not Reg style I know but hey it's a brave new world chock full of facts, OFSTED no longer care muchly about the detail of lessons observed on the day. They no longer grade a lesson like they used to and will be looking for long term indicators to assess "Teaching" at the school. Inspectors spend more time speaking to students, LSAs, senior leaders and looking closely at the typicality of assessments and feedback being given to students over a period of time to help grade across the subject/dept what they've just witnessed in the classroom. Was the behaviour good? Was the behaviour good for learning? Is there evidence of planning a coherent series of lessons? Are students getting consistency? Are students disengaged or enthusiastic? and so on.

      As for security at schools themselves (never mind OFSTED) don't get me started....

  7. Roland6 Silver badge

    What are Paul Moore's security qualifications?

    "There is no mechanism for verifying the person providing feedback is a parent, no token or means of identifying the person, any email address can be used to sign up and the process could easily be automated,"

    "Ofsted claimed to have received 1 recording for this school but 55 (or so) parents have stated their children left recordings,"

    Experienced security consultant Paul Moore downplayed Oli's concerns. "There's nothing really substantial here," Moore told El Reg. "There's no proof that any data has been lost, so far as I can see ... and although the report process could be refined, it's not exactly a security concern."

    Nice to see such complacency in a security consultant, I suppose he is okay with users using very simple passwords (e.g. 'Password1') until such time as there is proof of data loss directly arising from an unauthorised third-party using those credentials... I won't be giving him a call...

    In my security experience, the provenance and integrity of datasets that will be used to make business decisions, is a security concern; you can't expect the users who draw up surveys to understand the IT mechanisms necessary to ensure the data collected comes from the intended sources and only the intended sources.

    1. Robert Helpmann??
      Childcatcher

      Re: What are Paul Moore's security qualifications?

      Sounds like Mr Moore is having a go at knocking over at least two of the three pillars of information security. Availability is dead in a ditch and integrity seems a bit questionable.

      1. Naselus

        Re: What are Paul Moore's security qualifications?

        His blog is 90% dedicated to an unhealthy obsession with password vaults, and the few examples of actual infosec work he offers mostly involve him stating that he's found a security problem without giving any details on it at all ('trust me, this is broken, honest, now give me £X to fix it'). There's not a lot on offer that you wouldn't pick up from the opening day of a Sec+ course, and quite a few examples of things you'd learn are definitely NOT correct practice on the second day (Paul appears to think 2FA 'weakens security', among other things, his reasoning being that if a hacker has already compromised the account they might turn it on. This is obviously not only not how infosec works, but also not how logic works either).

        So I'm a little dubious of his infosec chops too, tbh.

  8. SolidSquid

    "Up until now, we have opted for a non-disruptive approach, based on the 'implied consent' of users,"

    Pretty sure 'implied consent' is explicitly disallowed under the rules the government passed a while back regarding storing cookies. Interesting to see the government still isn't sticking to those rules, while expecting others to.
