Blog

It is time to talk about software security in education

Weak Bridge sign
Photo by Elliott Brown. Licensed under CC-BY 2.0

Both software quality, and the mechanisms that support its improvement, are critical to the security of people’s personal data.

In education, protecting sensitive personal data is an integral part of safeguarding those for whom we are responsible.

It isn’t good enough to shrug our shoulders if sensitive data about the children in our care could easily be compromised and leaked.

It isn’t good enough to idly preside over a plethora of vulnerable smart things sending who-knows-what to who-knows-where and say we are keeping people safe online.

Unfortunately, we know that software quality in a lot of sectors is… patchy. With the broadest brush strokes, we can separate software into these categories:

  • Really great work, made with great care;
  • Work that will need ongoing extrinsic motivation to deliver and maintain quality;
  • Software that is so badly designed it should not be out there.

The particular challenge is that it is very difficult, if not impossible, from marketing materials, to determine which category a given product is in and make an informed decision about whether to invest in it or not. Proprietary code, licence agreements that forbid investigating how things actually work, software supply chains that are opaque even to the vendor… It is even less likely you will be successful at that assessment when it’s software as a service, a.k.a “in the cloud”, because you can’t see any of it.

Throughout the software industry, there exists this problem: without regulation and enforcement of professional standards (where are the professional standards?), and because customers can’t accurately assess quality for the reasons I’ve just stated, many get away with delivering inadequate quality. Or, they could and would do the right thing, but don’t have the expertise or the extrinsic motivators that help to identify problems and incentivise improvement. Because competitors aren’t held to a higher standard either, there is a race to the bottom of the barrel for software quality in order to compete.

The best tools today we have to address critical security issues include vulnerability disclosure programmes (bug bounties), actively soliciting the support of others to identify and fix vulnerabilities. Even if a rewards programme isn’t part of the picture, the Enlightened Vendor does have a process and responds appropriately to good-faith security researchers.

However, education is an area that often suffers from a lack of computer security expertise, and certainly doesn’t have enterprise budgets. Today, education vendors generally do not fit into the “Enlightened Vendor” category, because people are not yet asking the questions.

“No-one’s ever asked us that before”… well, a lot of the time people should have asked that before.

Where I see myself fitting into this equation: I would like to be someone who can help drive this improvement in education software. My interest and experience with computer security, and being in the position to influence this as a school IT Manager puts me at the crossroads of safeguarding in education and computer security.

So, I will be asking the difficult questions that “no-one has ever asked before”. I will indeed be observing how software actually behaves in practice when trialling software. I will be asking SaaS vendors why they don’t have a vulnerability disclosure policy and making sure they are thinking about emerging threats.

This isn’t going to be particularly easy.

But, if we say we care about keeping those in our care safe from online threats to their safety, growth and development, computer security is an area we should no longer ignore.

The Case of the Rogue Caching Servers (Unable to Download iOS Apps Over The Air)

macOS Server

A recent version of iTunes dropped support for downloading and syncing apps to iOS devices — the only methods for this are now using the App Store, Apple Configurator(?), or having some other over-the-air MDM solution push the apps to devices.

This caused me to run into a little bit of an issue in my day job — we’d been having sporadic issues doing over-the-air app updates on our corporate network, but when devices were taken off site, apps would update perfectly. I had been sort-of ignoring, sort-of working around this by downloading the apps to a desktop running iTunes and syncing (a small(!) number of) devices by Lightning cable.

But, now my workaround feature was gone! What was I to do? The story here is true, but some names and specific technical details have been omitted for professional privacy!

I was curious, so I did a packet dump or two and discovered the iOS devices were talking happily to the iTunes Store as you’d expect they should, but that when it came to actually downloading the app’s bits, they were contacting an IP address in a private range!

» Read the rest of this post…

Filesystem? What New Filesystem?

A quite legitimate criticism of iOS for some time has been the fact that you seem to end up with multiple gigabytes of unexplained “other” disk space usage after using the device for some time. It’s frustrating, especially on smaller devices.

Reinstalling iOS and restoring from your most recent backup would clear the mythical “other”, at least for a while.

It seems that the latest update to iOS, version 10.3, introduces a whole new filesystem technology, APFS. This wasn’t mentioned in the release notes, and is only really detectable by the end user in the form of a much longer upgrade process than would be needed for a typical iOS release.

Since upgrading a few devices, I have noticed a big jump in the available free space on those devices. The pesky “other” is still there, but appears to have shrunk significantly.

Hats off to Apple for fixing what was a criticism going a long way back, and for managing a quite potentially disruptive filesystem migration in such a transparent way for the end user.

May the “other” space usage forever remain small.

The Windows 10 Experience

New Windows logo

I haven’t said much about Windows 10 here on this blog, but my day job brings me into contact with it quite extensively.

There is a huge amount about the Windows experience that this release improves, but also there are elements of Microsoft’s new approach to developing and releasing it that are problematic.

The Good

Installing Windows 10 across a variety of devices, it is striking just how much less effort is required to source and install drivers. In fact, in most cases no effort is required at all! Aside from the occasional minor frustration of bloated drivers that are desperate to add startup applications, this makes such a positive difference. Unlike in the past, you can typically just install Windows, connect to a network, and everything will work.

This is particularly notable in any environment where you have a large number of devices with anything more than a little bit of hardware diversity. Previously in an enterprise environment, hunting for drivers, extracting the actual driver files, removing unwanted ‘helper application’ bits and building clean driver packages for deployment was tedious and wasteful of time. Now, much of the time, you let Windows Update take care of the drivers for you over the network, all running in parallel to the actual provisioning process that you have configured!

There are numerous other pockets of the operating system where it really feels like there has been a commitment to improve the user experience, but from my “world of work” experience of the OS, this is the most significant. It’s true as well that many of the criticisms you could make about past versions of Windows no longer apply.

The Bad

I guess that the coalescing of monthly Windows Updates into a single cumulative update helps significantly with the ‘236 updates’ problem with (and atrocious performance of) Windows Update in 7. However, Microsoft’s recent history of updates causing issues (the recent issues with KB3163622 and Group Policy, for example) combined with the inability to apply updates piecemeal leaves some IT departments reluctant to apply the monthly patch. The result, if Microsoft continues to experience these kinds of issues, or doesn’t communicate clearly about backwards-incompatible changes, is more insecure systems, which hurts everybody.

This leads me to my other main complaint. There have been reports about the new approach Microsoft is taking with software testing. An army of ‘Insiders’ seem to be providing the bulk of the telemetry and feedback now, but my concern is that this testing feedback doesn’t necessarily end up being representative of all of the very diverse groups of Windows users. Particularly when deploying Windows 10 in an Enterprise environment, it has felt at times like we are the beta testers! When one update is a problem, you then have to put people at risk by rejecting them all. 🙁

(Yes, there is LTSB, but it hangs back a very long way on features!)

The Ugly

Windows 10 'Hero' image

At least you can turn it off on the login screen officially now. 🙂

Staying Safe

I have written on this subject before, but as suspected, surveillance is back on Parliament’s agenda again.

Is the Investigatory Powers Bill the latest attempt at a “modernising” of existing laws and conventions, as is often claimed, or an unprecedented extension of surveillance powers?

I would argue strongly that the capability for your local council, tax enforcement authorities, and the myriad of other agencies that are proposed to have access to this data, to ‘see’ every thought you might have dared to research online is vastly more than would have been possible in human history. It’s also vastly more than any other country has sought the legal power to access.

Photo by Luz on Flickr. Licensed under CC-BY.

Given what we know in a post-Snowden era, this proposed legislation is quite clearly not about ensuring a continued intelligence flow for the purposes of national security. That has been going on behind closed doors, away from any democratic process and meaningful oversight, for many years, and will no doubt continue. Whether or not the activities of military intelligence agencies have a strong legal foundation has apparently not stopped them from gathering what they need to do their job. It is important for me to note that I don’t doubt the hard work they do, and the success they have had over the last ten years in preventing violence in the UK. However, we know that overreach and abuse have occurred — at the kind of scale that undermines the very values our government and their agencies are there to protect.

It is clear to me that, given the secret and ‘shady’ nature of much of the activities of the security apparatus of perhaps every nation state, what we do not need to do as a democratic society is provide a strong legal protection for such morally ambiguous acts. If a tactic is invasive or aggressive, but genuinely necessary in a “lesser of two evils” sense, the fact that the actor has to take on the liability for it provides an inherent safeguard. If it is easy and low risk to employ that tactic, there is a stronger temptation for its abuse, or for its inappropriate extension into everyday investigations. When these laws are ‘sold’ to the people as being for national security and to keep us safe from violence, it cannot be acceptable that the powers are made available to other agencies for any other purposes, as the Bill proposes.

A nation state does not have the right to violate the sanctity of the boundary of someone’s home without strong justification — a warrant. A nation state similarly does not have the right to violate that boundary in the form of bulk data collection on an entire populace. The Internet connections we open and the data we transfer is something that we can keep private from our government, unless due process is followed to override that on an individual basis.

That must remain. That principle must be protected, or we’ve forgotten why we bother with this ‘free country’ thing.

It must be protected even when we face short- and medium-term risks to our safety. Why? Because it is not hyperbole to say that failing to do so lays the technical and legal foundations of a police state, which is a much more significant long-term risk.

Fortunately, there are many fighting against this Bill, which (even if you disagree with my arguments above) is widely regarded to be completely unfit for purpose.

I wholeheartedly support the Don’t Spy on Us campaign and its six principles, and I stand with them as a supporter of the Open Rights Group, one of the organisations behind the campaign.

My Alternative Christmas Wish

Conflict minerals 5 by Sasha Lezhnev of the Enough Project - http://www.enoughproject.org/

Licensed under CC-BY-ND 2.0

I am always interested to know where the products I buy come from, and at this particularly consumer-focused time of the year, it highlights the issue further. It is interesting to me just how complex the chains of dependencies involved in making any non-trivial ‘thing’ really are.

The computer I am writing this on was assembled in the UK, but I would suggest that most, or all, of its components were not. What about the suppliers who provided sub-components for those components? What about the raw materials, including the traces of rare earth minerals needed to do its electronic magic?

Unfortunately, the result of this enormous complexity, and the fact that the retailers from which we buy care about little but the price they pay, means it is very difficult to verify really important aspects of how the goods we consume were made. It seems that nobody, not even the retailers at this end of the chain, has the depth of insight into their supply chain needed to affirmatively say “this is how our product was made”.

So, when cost is the primary concern, and nobody really digs deep to understand what is happening at each stage of a product’s life, how can consumers at this side of the transaction be empowered to make more ethical choices?

If I go to my local big-name supermarket to buy a kettle, for example, I cannot look at all the options and make an assessment about which product was made in a way that best aligns with my values. Did the manufacture of the cheapest £5 kettle involve the exploitation of somebody? Probably. Is the £30 ‘luxury’ choice any better? We just don’t know.

There are pockets of hope in this area — initiatives like Fairtrade have, for some product categories, encouraged supermarkets to go ‘all Fairtrade’ for particular items, and for other companies (tea and coffee businesses being a good example) to take steps to at least appear to be sourcing more ethically.

I just wish there were a big push from somewhere to gather accurate intelligence about how our stuff is made, and begin labelling more products in a way that empowers consumers to make better choices. I think there is a good portion of the population who want to make better choices that support human rights, environmental protection and social progress, but without high quality, verifiable information about what goes into what we consume, we are in the dark. While we remain uninformed, we cannot exert pressure on the market to do better as a whole.

Better

On the face of it, this is just another corporate “aren’t we so great” feel-good video, the kind that we have every right to look at cynically.

However, and at the significant risk of being judged a Tim Cook fanboi, I actually think something has changed under his leadership. Even if it is just that we are allowed to see more of this side of Apple now, Tim’s tenure so far seems to be bringing about a much stronger focus on values than ever before.

We have their ‘Intention’ video, Tim’s public musings at the Fuqua School of Business, and perhaps more importantly, actions like their Supplier Responsibility work and bringing the manufacturing of the new Mac Pro to the USA.

‘There are some ideas we want every company to copy’

Perhaps what is most exciting about this new, very public, focus on these issues is the idea that ethics can become a point of competition.

Not every customer is going to care about this stuff, but most people will want to feel like they’re doing the right thing. The pressure that companies like Apple can put on their competitors might be one of the most effective tools for actually making a difference to a whole industry’s behaviour.

I hope we see that.

Preserving Playtime

We spend a significant portion of our childhood learning through play. It’s fun and it’s intuitive and it is how we learn so many things about the world and where we fit in to it. It’s practically burnt into our ROM, if I can misuse a technology metaphor.

Dirt path in woods

As we grow older, I think many of us become embarrassed about play. I remember very clearly being told, about the impending move up to secondary school at the age of 11, that if you were seen ‘playing’ at breaktime, you’d be at the very least teased and mocked. It’s even in the name — suddenly it’s a time for a ‘break’, and not a time to ‘play’.

For me, and I suspect for many people, maintaining play as a primary way of learning and self improvement is immensely important. Many of the things I have learned, and enjoy doing today, I picked up not by heavily structured learning, but by playing around with things. I still use the word a lot when talking to people about how I’m going to investigate and solve a problem — ‘I’ll have a play around and see how far I get’.

Play, to me, means exploring ideas or practising things, apparently aimlessly, or at least without a strong sense of direction.

It’s challenging, though, to maintain playtime in a social environment that frequently sees being intensely interested in something that is directly productive as ‘weird’, or (negatively slanted) ‘geeky’, and when balancing all of the other responsibilities life will grant you.

Here’s how I try and maintain an environment that is conducive to play.

Structure the Unstructured

It becomes increasingly difficult as you get older to have the unstructured time needed to be able to be led by your curiosity to explore something new. In the 21st century, a wider variety of entertainment content than ever before, and endless opportunities to be distracted by communications, make it even more challenging.

There is an inevitability to greater time pressure when your responsibilities grow too, so with the free time you do have left, it’s important to make sure some of it isn’t filled, particularly with consuming entertainment media*. Play should be about creating your own entertainment through exploration!

Take the Geek Heat

There is a compromise you’re making here, and the cost is that some people aren’t going to understand or appreciate what you’re spending time on. Sometimes, you’re going to be risking missing out on being in the loop socially, because you’ll be consuming less of the media (mainstream and social) that others have.

You need to be prepared to figure out where the balance of this trade-off lies for you, and accept your choices about your time. It helps if other people support your choices too!

Follow

I’m immensely guilty of trying to be too structured a lot of the time. I try and keep myself as productive as possible, and do a lot of conscious self-analysis and self-management.

This kind of approach doesn’t invite play to the party. You have to listen to that quiet, subconscious sense inside you that already knows where it wants to lead you. You have to not have too many set ideas about where playtime will take you. Listen to yourself, and follow, don’t lead.

You have to be prepared to end up having not been productive quite a bit of the time, too. It is only by taking the risk of wasting time that you often discover something very valuable.

Recreation and Reward

I feel fortunate that the curiosity and excitement inside me is very much alive still. When I make sure I create the time and space to play, it rewards me — both recreationally, because it’s fun not to have a strongly pressured agenda, and because there are often more tangibly productive rewards that come about too.

When I suddenly have the desire to play with a bit of technology, or an idea, that I know nothing about, I try to make sure I have some time for that scheduled soon. I mess about, break things, fix things, poke things, observe things, until I am satisfied I know more than I did before.

I hope that I can always find a way to keep that a significant part of how I spend the rest of my time on this planet, and I’d love it if more people felt confident and proud about doing this too!

* This is why generally, no, I haven’t seen that new TV show. Sorry, but I need my playtime!

Image is ‘The Road Less Travelled’ by Andrew Butitta on Flickr. Licensed under CC-BY-SA.

Personalised Search: Technologically Induced Confirmation Bias

DuckDuckGo filter bubble site

I can’t unfortunately remember what led me to this page (I think a retweet from someone), but I found myself perusing DuckDuckGo’s marketing site “Escape your Search Engine’s Filter Bubble” recently.

(I don’t have a relationship or particularly strong opinion about DuckDuckGo at this time, by the way, so this is no marketing astroturf.)

It shows you just how search engines deliver different results for the same query, based on the user’s habits in the past.

The profile the search engine has built up on the user through their cookies doesn’t just inform them about relevant advertising, it literally changes the search results.

This troubles me greatly.

Now, I don’t believe I am experiencing this when I search. I am borderline obsessed with clearing cookies and other browsing data to ‘reset’ my browser to the same state after each session. Assuming mainstream search engines aren’t using technology like Evercookie, then I get a generic set of results across different browsing sessions.

Most people don’t do that, which means that most people are becoming increasingly unlikely to come across viewpoints that differ from their own on the web. They have a technologically induced confirmation bias, where, unless they click through a number of pages of search results, they will rarely hear people who might (respectfully, thoughtfully) disagree with them.

Confirmation bias… is a tendency of people to favour information that confirms their beliefs or hypotheses. People display this bias when they gather or remember information selectively, or when they interpret it in a biased way.

I am, frankly, frightened at the idea of people never being exposed to a diversity and plurality of opinions. I am frightened of how easy it could be to not develop and nurture empathy. The consequences of that could very well be more profound than we might realise on the surface.

As well as the societal implications, it doesn’t seem the right decision to me either in terms of the technical role a search engine should play. What I previously liked about the ‘old days’ of Google Search was their strong commitment to put the most relevant result first. I’m not sure, though, that delivering the most personally relevant result is the same as delivering the most relevant result for the query.

So how do we address this? Well, I think that media literacy in general is something we need to make a priority. Trying to change the way the search engines work when everything ‘targeted’ is such big business is unlikely to be successful.

At the very least, we need to get the message out to people that this is happening: privacy might not be the only reason you might want to clear your cookies.

Valuing Corporate Values

Much is said about Google’s “don’t be evil” corporate motto. That is not what this post is about.

This is about corporate values — and a (rather smaller) company I have found myself appreciating because of their words and actions on the subject. This stuff can be easily overlooked when the market demands a rush to the lowest price, but to consumers like myself, it is possibly the most important thing.

This isn’t some murky sponsored post (although I do have an affiliate link at the bottom) — this is all genuine and from the heart.

Cloak

Cloak logo

I found out about Cloak through their co-branding with 1Password, my password manager of choice. They are a VPN service designed to give you a way to encrypt your traffic when you are connected to untrusted networks. Their service is technically brilliant, but what is more important than that is the honesty, openness and realism they have shown so far in their communications.

At first I felt a little apprehensive about their corporate values and how well they were upheld in practice. Their privacy policy was scant in detail — using claims along the lines of “we don’t store any of your data”, but with an exception of data that they’d need “to make sure you’re not sending out spam”.

Well, what does that mean?

» Read the rest of this post…