School Tricks Pupils Into Installing a Root CA
First time accepted submitter paddysteed writes "I go to secondary school in the UK. I went digging around the computers there and found that on the school's machines, there was a root CA from the school. I then suspected that the software they instruct Windows users to install on their own hardware to gain access to the BYOD network installed the same certificate. I created a Windows virtual machine and connected to the network the way that was recommended. Immediately afterwards I checked the list of root CAs, and found my school's. I thought the story posted a few days ago was bad, but what my school has done is install their certificate on people's own machines — which I think is far worse. This basically allows them to intercept and modify any HTTPS traffic on their network. Considering this is a boarding school, and our only method of communicating to the outside world is over their network, I feel this is particularly bad. We were not told about this policy and we have not signed anything which would excuse it. I confronted the IT department and they initially denied everything. I left and within five minutes, the WiFi network was down; then, as quickly as it had gone down, it was back up. I went back and they confirmed that there was a mistake and they had 'fixed' it. They also told me that the risk was very low and the head of networks told me he was willing to bet his job on it. I asked them to instruct people to remove the bad certificate from their own machines, but they claimed this was unnecessary due to the very low risk. I want to take this further but to get the school's management interested I will need to explain what has happened and why it is bad to non-technical people and provide evidence that what has been done is potentially illegal."
Just because you have a trusted root installed to use apps or the institution's wireless doesn't mean they were out to spy on you. It was likely the cheapest way to make secured applications run internally, or the easiest way for them to deploy EAP without having to have you turn off server cert verification in your supplicant, which is way worse than having a trusted root.
All in all, it's just another brick in the firewall
I work at a school. Yes, we have all machines on their network trust us as a root CA. We do that with good reason.
Currently in most countries, especially the UK, there is an atmosphere of paranoia bordering on terror anywhere that minors and sex may come within a hundred meters of each other. Even so, teenagers tend to meet their stereotype and display a fascination with sexual imagery. This means that it is absolutely essential that schools maintain a comprehensive internet content filter. This is not an optional extra. Without it, it's only a matter of time (and not much time) before some student happens across Dirty Dave's Scat and Fisting Gallery and shows it off to all his classmates. This in turn results in many terrified parents, legal action against the school for destroying Jimmy's innocent little mind, and columns in the Daily Mail demanding the head be fired.
If we could not filter the internet, there would be no option but to forgo it. If we could not filter the SSL sites, there would be no option but to block SSL entirely by blocking all traffic on port 443. There is no possibility of effectively filtering SSL without installing a root CA, and so that is what we have to do for any device on our network that needs SSL connectivity.
Got that? No filtering, no internet. That's just the way it is. I don't like censorship more than anyone else, but this is the real world and sometimes ideology has to take a back seat to practicality and an angry mob of parents. Besides, without effective filtering, the students would spend more time playing Flash games, watching the Yogscast, listening to music videos and checking Facebook than actually doing their work. Giving the students a locked-down and heavily censored internet is still better than giving them no internet at all, which would hold them back academically.
Just ask management a very simple question: Which policy requires IT to read pupils' communication? DON'T leave out the "policy" - because that is the part management is directly responsible for! Then just watch them boil...
how IT is changing the world - http://max.zamorsky.name
K-12 schools have a duty of care to their students, so this is just a case of them protecting themselves. Being your own device, you're still able to bypass your school - just remove the certificate and run through a 3G connection. Right or wrong, as an IT consultant who works with this type of technology in schools on a daily basis, your school management and parents will likely agree with these measures under the guise of protecting you.
I don't see the problem with the tech itself. If you have a "BYOD's allowed" policy, that also usually states that "if you put your own device in, here are the rules". Rules may state installing the network owner's root CA and allowing for traffic to be inspected.
In most cases, this is intended to be benevolent - it's kind of hard to run threat detection algorithms on an encrypted connection. In business environments, DLP and similar can of course be used too.
Now, here I think the key issue was that the users were not told about the practice, and were not asked to agree to these stipulations. And of course, the old adage about not attributing to malice what can be explained by incompetence also applies here - if the issue got "fixed" then it might have been simply just that, incompetence. Somebody enabled the same SSL interception on the student network that they are using for faculty, or similar.
The school would simply explain that monitoring use of the IT facilities is an essential part of their safeguarding or child protection policy. That's as far as it'll go.
It's one of the big rules of school management. You do *not* question the safeguarding program. No matter how silly it may seem. To do so would risk opening oneself up to accusations of endangering students. No school employee ever lost their job for being too cautious.
This is a common problem in that most users lack the knowledge that you obviously have, and are willing to follow like blind sheeple, even with some very very bad advice.
This is by no means limited to IT. Any profession with specialists (with specialized knowledge) will have similar effects. Were you to go through medical school it's possible you'd disagree more with your doctor, but you simply lack the knowledge. Were you to go through law school, you might decide your lawyer is an idiot (and gives bad advice). Etc.
The difference is that whereas with medicine, bad advice will generate all kinds of lawsuits and maybe because people will die you have sort of an impetus to ensure your medical care is good (and there are boards to make sure practitioners meet some minimum standards regularly). With IT, probably the idiot who set up the network won't get fired, and because people do not have any real understanding, there will be no lawsuits, and nothing bad will happen to encourage better security practices.
Wouldn't mean much. Screencaps can be trivially faked, anyway. The submitter clearly doesn't want us to know which school this is. I can only say it isn't the one I work at - we use SSL interception on the school computers, but not on the BYOD network, which simply blocks SSL entirely.
Even if it's legal to install the CA, it is almost certainly not legal to intercept the traffic (wiretapping laws etc).
So, probably illegal, but IANAL.
Shachar
Per the subject - that root CA only covers your school's applications. If you go to https://www.yourschool.com/ it ensures that your computer can vet out the complete certificate trust chain. However, if you can establish a connection to https://www.xhamster.com/ your school will not be able to peer into the encrypted contents of the connection unless you're connecting via a proxy that they control.
If you think "Root CA BAAAAD!" then you're not looking deeply enough into SSL or the security concepts behind the certificates to understand their ramifications. Stay in school and dig deeper.
"In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
You should go read up on the Computer Fraud and Abuse Act. What they did might qualify as a violation of that act, in that they might have been intercepting information w/o knowledge or consent. Having worked with digital certs, I can say that most people, (even tech savvy ones) usually don't understand the first thing about CAs and how they work, so 'accidentally' installing a root CA all over the place sounds like a typical n00b maneuver. Hard to say what their intent was. Further, when they changed the network policy, that might qualify as evidence tampering, depending on what they did and how they did it.
Someone (either the cops or the school board) should investigate what the hell was going on.
HA! I just wasted some of your bandwidth with a frivolous sig!
Just because a root CA is installed doesn't mean someone's spying on you. In order for it to be used, the service in question would have to have a cert signed by it. In order to do pervasive spying, they'd have to have every TLS-enabled site on the internet complicit in it. They don't. This cert is likely for their own applications/services. WPA2 Enterprise mode uses 802.1X, which uses certs. That's probably what it's for. Same if they use 802.1X for wired authentication. If you're worried about sniffing, make your own tunnel.
The top bods at the school might not know (understand), but perhaps the techs were being creepy? Well worth escalating.
Waiting for an amusing sig.
Root CAs can sign anything, you'd still trust it. Certificates for individual services or even a wildcard cert for *.yourschool.com wouldn't be a root CA certificate. They can intercept all your traffic while you are using their network and so can anyone that has hacked them and got access to their private keys. Regardless of the risk (it's not very low usually in schools) they have been eavesdropping on you without telling you and I believe even the UK has privacy laws that explicitly prohibit that.
Someone bet their job on this the OP said. Well, I guess that eavesdropping on students is illegal, so they should quit their job and file a police report describing what they did.
I was promised a flying car. Where is my flying car?
a) "we have not signed anything which would excuse it" - you can't. You're not able to sign enforceable legal documents.
b) "there was a root CA from the school" - it happens due to
1) WPA-Enterprise and/or NAC relies on keys. Do you use your school credentials for wireless? If so, you require key exchange for it to verify each party.
2) SSL monitoring systems rely on MITM to read the HOST headers. We couldn't give a rat's arse that you're bragging about banging Sally, however we do mind that it was to a website called HTTPS://www.breakuprevenge.com and both Sally and yourself are under legal age, it may have included a phone camera image, and it was all posted via the School Internet. Federal, State, and School pastoral care policy issues trump most whiny students' objections.
c) It happens at the start of the year. I would have twenty staff ask for different packages to be deployed in the first week of school, and your BYOD package may just have happened to end up with a testing cert. Once had an antivirus package that hid all toolbars in Word and Excel - that ex-employee never applied a GPO at domain-level again.
All I'm saying is most school IT departments are asked to perform miracles of pastoral care because parents don't care and Teachers are busy trying to teach. We bear the brunt of school administration trying to enforce pastoral care not just for you, but all those in the school body.
I'm sure if you had brought it to most IT departments' attention in a courteous way, you might have been treated better.
Most schools have a tech-savvy student who is treated like an offsider, as well as one who has joined the Dark Side and ends up on the Watchlist. (yes, I've had "meetings" with Federal Police over a student's actions). Which one will you be?
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
This is the UK, totally different wiretap law - this doesn't breach it, it's their network and they can intercept what they wish.
So what? If the kids are really young then they should have adult supervision after school is over. Or, if they're older and can actually be trusted, then you just need rules in place. Which will of course be broken (remember the scene in Dead Poets Society where they build a crystal radio and listen to (illegal) rock and roll? A million similar avenues exist for students who want to break outside the firewall, not the least of which is buying a USB 3G stick which can be quite cheap these days).
How'd you know you are connecting directly to https://www.xhamster.com/? They can simply alter DNS to make everything go through their proxies.
The entire department of education out here (.AU) installs a root CA with the express purpose of intercepting HTTPS to "protect the children". There are secondary certs installed at every school so that 802.1X doesn't crap out when you try to sign in (in point of fact, pretty sure Windows installs the profile by default when you bind a machine).
;)
There is the potential for creepy, but pretty sure 99% of the techs at schools aren't actually smart enough to intercept traffic. Being one of the 1% who can (actually not a school tech, a consultant, but anyway), I can say in all honesty that there is better porn available for free on the Internet. I'm only going to look if you kick up a fuss about my ability to look.
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
No, they really can't. Read the text of RIPA for why, and that's just for starters.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
Any fule kno parent haz never read Molesworth and cannot be regarded as tru Englishman chiz.
Their intent may be just fine. For instance, you may want to have an internal CA installed so that you can deploy SSL-enabled services without having to buy certificates from a commercial CA.
Of course it allows SSL traffic interception, which is likely to be illegal, but nothing proves it was done, or even planned. The real problem here is that the CA framework allows any CA to sign any certificate.
If you fear your SSL traffic is intercepted, install a browser extension that tracks certificate changes. Firefox has CertPatrol, for instance.
Where are all the people who say "it's their network!" when it is snooping in the workplace we are talking about?
This is a freakin school, which is actually supposed to have a watchful protector role over students. In loco parentis, you know.
And a couple of humbling observations:
They went to America because they didn't like religious freedom.
Assuming you are under 18, your parents' role in this is more significant than yours. If you are over, it gets far more interesting!
I work in schools.
I work in UK schools.
I work in IT in UK schools.
This is normal. Sorry, but there's nothing shocking here.
You join our domain, we get the right to push any and all security measures to your client that we deem necessary. If you don't want to allow it, don't join our domain (which also means we probably won't authorise you to use our Internet connection, etc.)
The domain will have a "Default Domain Policy" that almost certainly includes software you don't want (but we insist you have), settings you'd rather not have (but which we will enforce on you) and things like this - installation of a required domain certificate so we can check you're not using OUR SCHOOL FILTER to do illegal / illicit things.
Chances are if you read your network acceptable usage policy, it states this. The alternative is you don't get network access. Because we are LEGALLY RESPONSIBLE for what is accessed through the network on our network, as well as the protection of our internal data and services.
Complain all you like. The alternative is that we block SSL site-wide. That means no Facebook at all, by the way. Or GMail. Or Hotmail. Or anything else that uses SSL by default.
We have a legal duty to monitor, record and analyse the logs of Internet traffic to ensure our child-protection policy (a legally-required policy) is followed. Additionally, it's OUR resource. If you want to use your own external 3G connection on your own time, argue for that. Chances are it will fail.
If you want to use the SCHOOL connection on SCHOOL time for NON-SCHOOL business, that's not going to happen. However if you want to use it for SCHOOL BUSINESS then you are required to allow us to apply our domain policy. If that, at any particular place, happens to include SSL certificates, monitoring software (potentially even INVISIBLE monitoring software like Securus, Ranger, etc.) then that's what you get.
Sorry, but as an IT Manager specialising in schools, and working in state, private and boarding schools from primary to further education, this is bog-standard and has happened for years. I believe even places like LGfL (a London-wide, government-backed school IT services supplier) do it.
There's a reason - we are required to protect our systems and protect ALL the children. That means everything gets summarised, logged and monitored. If we then need to dig into detailed logs, we can enable that option and do that too. Because - as in a previous school I worked for many years ago - we get things like members of staff browsing child pornography on school time. Yes, they are that stupid. And yes, they get caught. And, sorry, but our child-protection and data-protection policies take precedence over you going on your private Facebook after hours and we can't spend the time to distinguish hours, locations, staff-types, etc. for everyone.
If you don't like it, do not join your computer to a domain. If you are on the domain, it's literally our DOMAIN. Our rules. Clearly stated. That you would have agreed to.
Please, also don't act like you're the first person ever that this has happened to. It's been standard practice for at least the last 15 years I've been working IT in schools in the UK.
First, a school network is not a public network and it can run any policy it wants, including intercepting and monitoring traffic. You don't have to sign anything, using the network is implicit consent to the rules it is run by. The only legal requirement in my country (so your laws may differ) is disclosure of those rules, you must be able to look them up somewhere.
Second, regarding danger. The danger is exactly equivalent to the lowest security among the machine(s) that have a copy of the school root certificate (the private key part). If any of them gets compromised and the attacker gets a copy, he can do everything the school does, including interception and manipulation of traffic. If the school rates that as "low", then it assumes that users of the network don't do anything of personal importance, like online banking.
Assorted stuff I do sometimes: Lemuria.org
Never underestimate the determination of an adolescent boy in search of porn.
Do you know what a CA is? Once they leave the network, the school isn't able to decrypt SSL traffic.
I think it depends on where you are from. Here in the US this is widely practiced by all sorts of places like work, school, etc.
Installing the CAs is sketchy, but the users probably didn't read the fine print. Intercepting the traffic is business as usual.
Not sure if you're trying to claim there is better child porn? Or even insinuating that you are able to intercept normal porn over the school network. That scares me a little mate.
What the hell are you watching?
It's their network and they can do what they want with it. Don't want to use it? Tether a smartphone then.
Ah, you must be the true Scotsman we keep hearing about.
All the comments I've read so far have been on whether or not the school is morally right in deploying a Man-In-The-Middle attack. While an interesting question, for me this misses the big point: which OS/Web-browser is so insecure that it accepts a root certificate from the network like this?
When a Web-browser or OS accepts a new Certificate Authority certificate there is a tacit acceptance of trust: you trust that whoever holds the corresponding private key will behave responsibly --- given online banking is secured via the same security infrastructure, that's some level of trust! There's no reasonable way this can happen automatically: you, personally, must indicate that you trust the CA involved. Normally this happens transitively: by installing Firefox, or using your OS, you trust the people to have selected trustworthy CAs.
While people can point to this as another nail in the SSL/TLS coffin, it doesn't help when software is so broken like this. Any Web-browser or OS that accepts a new Root CA (either automatically or without warning the user exactly how dangerous accepting it is) is so broken that you should immediately stop using it for any secure interactions.
| What, you were expecting
-O_O- +---- something witty?
Really? You are playing man in the middle for all the HTTPS websites out there? I find it hard to believe.
How about the username and password for those websites? You are capturing usernames and passwords to banks, Hotmail, Gmail, Facebook, PayPal, eBay.
to capture and store that information you'd need some really strong and clear disclosures
Ummm... No...
http://en.wikipedia.org/wiki/M...
The Quakers had the same issues and they too migrated to the US to escape religious persecution. Look it up.
So to say it was "religious freedom they were running away from" is totally false.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
As I've mentioned before, you may not question it.
I need strong disclosure if you are intercepting my username and password for PayPal, bank, council, government accounts.
I hope it is illegal to intercept someone's bank credentials, and government login details, like council, medical.
Most schools do this and workplaces, my university in the UK included does as well (hoping that banking sites are whitelisted is probably wishful thinking). I'd be very surprised if you are actually able to get your school to change its practices in the long run.
So instead of "Just because you're paranoid, doesn't mean they aren't after you.", we now have "They're only after you because you're paranoid."?
Undoubtedly the reason for installing the cert would be to monitor/filter SSL traffic via a proxy. These days it's quite trivial to set up a transparent proxy that uses a MITM attack with a spoofed cert to monitor your traffic. Have a look at Untangle. It does this out of the box. Just put the CA on the client and you can intercept all SSL traffic. Obviously it's not difficult to look at the cert chain to detect this, but even if you do discover a spoofed cert, getting around it isn't trivial.
Area51 - We are watching...
I've never been in a large organization that didn't use their own root CA cert, and I've certainly made sure it was done everywhere I've worked.
Has nothing to do with pulling a MITM on you. You aren't worth the fucking time and effort, get over yourself, you aren't special, no one cares what you're doing.
It's more likely they just didn't want to spend several thousand dollars making certs for everything that needs an SSL cert because none of the registered root CAs will let you sign your own domain certs ... so they can get paid for every fucking cert you use. At one organization I worked with, we shaved off nearly 20k a year by going to our own internal CA.
Yep, we could have MITM any of those people.
Guess what, it would be easier and less suspicious to use a virus rather than a MITM. A MITM takes work, you have to setup the relay to be the actual MITM. Viruses to steal data are point click next a few time, select some options, click finish - with the current level of virus toolkits you can buy.
So, back to my original point.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Not me, no. I mixed two threads into one comment.
One of the states particularly in my mind intercepts SSL, ostensibly purely for DPI/content filtering. Knowing their internal structure moderately well, I'd say this is about all they're capable of - using McAfee's gateway to do it. A large number of private schools do it, particularly the more wealthy ones, and I've even seen it in a few government departments.
The other comment was more of a fall-over from my days as an exchange admin. Controlling the EXSRV means I can, if I choose, attach a mailbox anywhere I please. Got better things to do than read peoples email though..
Your post is constructive right up to phrase "the last 15 years" which apparently justifies how little your network reveals to the surveilled about the actual extent of the surveillance, even to the point of having software installed that they know little to nothing about on their own equipment that could open back doors to the device when employed outside of the school network if by some extraordinary turn of events proves to be slightly less than 100% bullet proof in its coding, implementation, and deployment. Nothing ever goes wrong with WEP or SSL.
Would it damage the small little minds to know more about how this all became "bog standard" without so much as a public whimper? Probably. Does that mean your Slashdot post is filtered on your own school network? Probably.
In my world, forged SSL certificates should be clearly marked as such. There should even be a "forger identity" field and a "forger authority" field (containing the pertinent parental agreement UUID).
None of this would interfere whatsoever with your legal authority to protect your network or your success in achieving this protection. It would increase the awareness of the surveilled of what externalities they have actually taken on downstream of their agreement with you to allow you to do so.
The fact that you've been doing this for fifteen years already without any of this in place is a sad argument.
If this is the school's equipment so that the school absorbs its own externalities of having badly-coded surveillance kits forcibly installed (I'm guessing the rock stars on that coding team were on the guaranteed forcible-installation side of the house) and the equipment is emblazoned with a giant warning "abandon privacy all ye who input here" there should still be a giant warning screen that comes up whenever a user tries to access a major financial institution (I'm told the government tracks the identities of these organizations) which warns the user "you are attempting to access a financial institution through a forged SSL root chain which is potentially a far leakier pipe than regular SSL, are you really sure you want to do this?"
So you're justified in doing what you do, but you're also so damn sneaky about doing it, that fires spring up in public opinion when the least of what goes on is exposed to public discussion.
No need to hammer the state of affairs in the daily consciousness so that these public fires don't flare up. Because fifteen years.
My bank has a security mechanism where they show a set of images unique to my account so that I can detect impostor sites that entice me to enter my credentials where they shouldn't go (the impostor site doesn't know the unique images associated with each banking account). There really should be a law against these security fingerprint images being conveyed through a forged-certificate SSL proxy no matter how legitimate the usage agreement. Once those images are scraped and laundered, one more safeguard we've been taught to trust is down the spiral tube.
If it's rational, necessary, and you're proud of it, do it out in the open as democracy conceptually demands, with plenty of loud warning signs where the externalities impose heightened risk.
News at 11... Standard practice. It's their network. It's not a public network. If your BYOD computer joins a Windows domain, typically a GPO will install a root CA so various things can be self-signed. If you're using WPA-Enterprise, you need a cert installed for this also, not necessarily a Root CA, but doing so makes life easier down the track for the school's IT dept. The Root CA will allow inspection of SSL via the school (transparent) proxy. If you are so paranoid about the traffic being snooped on, look at the site's cert chain. If it's spoofed to the School's Root CA, you'll know they can see your traffic. Just go buy a 3G stick or hotspot your phone and bypass the school network when you want some privacy. Then the problem shifts from the school to your parents.
No, this explanation doesn't pass muster.
If you can't allow secure web-browsing then don't allow it.
There is no excuse for breaking the security system used for online banking.
Apart from any moral issues, consider the liability if someone else gets hold of your private key and empties everyone's bank accounts.
But are they actually using this root certificate to "transcrypt" (or whatever the term is for decrypting your traffic and then re-encrypting it with the desired external certificate) - or are they just adding a new certificate to your machine?
I can see plenty of reasons they'd want to do this - for example just allowing you to connect securely to your internal school webmail without them having to pay somebody else for a cert or getting your browser to bleat about how it can't validate the certificate every time you connect.
Our company has three root certificates installed, and I can't find a single MITM on any domains.
There are other legit reasons for issuing internal root certs, such as accessing secure internal resources, like intranets, email, domain authentication, attendance/payroll systems, etc.
Try going to a secure site, like Facebook, and check to see if the cert was hijacked, then you know for sure.
Yes they can. Read the RIPA some time and this time pay attention to this bit.
RIPA can be invoked by government officials specified in the Act on the grounds of national security, and for the purposes of detecting crime, preventing disorder, public safety, protecting public health, or in the interests of the economic well-being of the United Kingdom, that is, any grounds can be covered at will under its exceedingly broad scope.
"I'm at a boarding school, and I'm annoyed that I don't get to do anything I want. Here's a way that I can prove I'm clever, and try to gain sympathy by making it sound ("...school TRICKS people into installing...") like it's the perpetration of some sort of subterfuge or a liberty/civil rights issue."
Want freedom? Don't go to boarding school aka juvenile prison.
Don't like the idea of someone looking over your shoulder while you're surfing? Become an adult, pay for your own web connection, and wank, er, surf away.
-Styopa
Because the USA pushes its policies on other countries through treaty obligations. If it hasn't yet, it will soon.
That being said, the more things change the more they stay the same. We now try and do those things in our own country now.
When you can't win, ad hominem.
The important lesson you are about to learn is this: Pick your battles.
This is a battle you cannot possibly win.
Why not? Because you're still a pupil.
Virtually every argument you can come up with for why that certificate shouldn't be there - no matter how well-reasoned - is going to be dismissed by staff. Even if you can come up with a well-reasoned argument that no sensible adult would counter (you probably can't; there are very good reasons for a school to want to monitor everything that are likely to be perceived as overriding any concerns you have about privacy), you'll be crushed.
At this level, arguments like this inevitably wind up being less about who is technically right or wrong and more about who has the power. As far as the school is concerned, the person who wins the argument has the power - and there is no way they will ever let a pupil win such an argument because it means conceding power to a pupil.
In your position, I'd install some sort of plugin that allowed me to verify that my HTTPS session was using the "right" certificate - and if not, I'd tether my laptop to a personal mobile phone.
Doing Man-in-the-Middle attacks with the root CA and SSL certificates signed by that root CA is only one of the risks. Once certificates signed by that CA are accepted, they're permanently usable for fake websites, for man-in-the-middle attacks with proxies using those faked SSL certificates for designated websites, and for replacing ordinary SSL-signed software or update packages with fake, rootkitted packages. The list of subtler security issues is longer: those are only a few of the leading problems.
I'd be profoundly concerned that the school is not competent to protect their CA, or other certificates that have already been signed with it. Since they've already demonstrated ignorance among some personnel of their own security practices, and unwillingness to communicate truthfully with students, I'd assume that they've never properly secured the host or network on which they've stored their CA. Unless they have _erased_ the private CA and all copies of it, it can be misused at anytime in the future, especially on the school's own network.
Moreover, if possible before the CA is erased, _all_ of those certificates already signed with the CA need to be revoked, and replaced with correctly signed ones. That's quite expensive, at roughly $200 USD/certificate/year. You can get the certificates more cheaply, but that estimate includes the technical time to go replace the old certificates.
If you want to use the SCHOOL connection on SCHOOL time
At a boarding school, what is not "SCHOOL time"?
I use zScaler Cloud for my work proxy, and I choose to have them decrypt all traffic using their CA cert that we have to install on all user laptops. This is critical because they are using heuristics to detect activity types (e.g. don't rely on a "list" of anonymizers, detect that anonymizing is being done and block it). Even if they are sitting at home, the proxy is decrypting all their activity. And the analytics are amazing.
The big difference between this and the OP, though, is that my company owns these laptops. I display banners and let it be known that you have zero expectation of privacy. Hell, I use my personal iPad for personal browsing at work so as not to be tracked.
A year spent in artificial intelligence is enough to make one believe in God.
In the case of the Puritans at least, yes, it is accurate. That 'hostile political climate' was the state preventing the Puritans from enforcing religious law on their communities and refusing to do what they wanted. They were entitled bastards who considered inability to persecute to be persecution. You can see their attitude still rampant in US politics, which is probably why it is so important for people to remember them as seeking freedom.
But the actual threatening, the actual hostile environment? Classic 'how dare you curb our freedom to curb other people's freedoms, we follow god!'.
Their network, their rules. Don't like it, don't use it and buy/build your own. It's really quite simple. You are NOT entitled to anything on another person's property.
Now, should they explicitly tell you they are installing certs that are required for access? Perhaps it would have been polite (though few would understand it), but I'm sure there was far-reaching something somewhere that you agreed to anyway, so they really don't have to tell you anything.
---- Booth was a patriot ----
is CA supposed to be an acronym for something? CA Inc? Computer Associates? California, Canada? I don't know what CA stands for.
Who said that they actually were? It said that what they were doing made them to be able to do this, but nowhere that I can see does it say that is what they were actually doing.
File under 'M' for 'Manic ranting'
If they install a physical mailbox where people can post letters which some employee then delivers to the post office, are they allowed to read the mail that people put into it?
Wayne? Why does slashdot always mention this?
I just did that on my computer at my school.....
The concept of compulsory public schooling is wrong-headed: http://en.wikipedia.org/wiki/T...
"The film takes a look at public school education in America and concludes that schools are not only failing to educate, but are increasingly authoritarian institutions more akin to prisons that are eroding the foundations of American democracy. Students are robbed of basic freedoms primarily due to irrational fears; they are searched, arbitrarily punished and force-fed dangerous pharmaceutical drugs. The educational mission of the public school system has been reduced from one of learning and preparation for adult citizenship to one of control and containment."
Consequences that flow from it, like random adults needing to surveil unrelated children all day via hidden means are also wrong.
http://www.the-open-boat.com/G...
"Schooling is a form of adoption. You give your kid up in his or her most plastic years to a group of strangers. You accept a promise, sometimes stated and more often implied that the state through its agents knows better how to raise your children and educate them than you, your neighbors, your grandparents, your local traditions do. And that your kid will be better off so adopted.
But by the time the child returns to the family, or has the option of doing that, very few want to. Their parents are some form of friendly stranger too and why not? In the key hours of growing up, strangers have reared the kid.
Now let's look at the strangers of which you (interviewer) was one and I was one. Regardless of our good feeling toward children. Regardless of our individual talents or intelligence, we have so little time each day with each of these kids, we can't possibly know enough vital information about that particular kid to tailor a set of exercises for that kid. Oh, you know, some of us will try more than others, but there simply isn't any time to do it to a significant degree. "
We can have sympathy for all the people caught up in the madness, but it is still madness. Alternatives:
http://www.educationrevolution...
As a starting point why not just give the money that goes to public schools to the parents of young children so the parents can spend more time with their children and also hire tutors and such? My essay on that:
http://www.pdfernhout.net/towa...
But ultimately we need a basic income for all from birth, like John Holt talked about in "Escape from Childhood".
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
The network owner can and should be able to set the terms of service for access to their network, and if you don't like a root CA being placed on your system, don't use that network; get your own network, that is, a mobile WAN hotspot or adapter, assuming these are independently owned devices. Ones owned by the school should be subject to the school's requirements.
Just go here and check the signature of the certificate you are getting against the one listed there. If they don't match you know there's someone fucking around.
Improve at backgammon rapidly through addictive quickfire position quizzes: www.bgtrain.com
They were running away from other people's religious freedom. Which of course is perfectly correct, since other people are wrong and should be blown to tiny bits, in His mercy.
There's no fun in puritanism if you can't torment non-puritans, of which there are very many because it's a bit shit wearing only black and eating sawdust.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
"our only method of communicating to the outside world is over their network"
Do you live in the Middle Ages? If convicts can get cellphones into prison, I'm sure you have access to one. Also there is always IP over semaphore.
http://tools.ietf.org/html/rfc...
lose != loose
Go to a library.
Don't get kicked out of school and you won't have to go to secondary school. Count yourself lucky if your biggest problem involves digital certificates.
Yes, they were having their political power neutralized, so that they couldn't force their beliefs on others. That was "persecution" much like murderers are "persecuted" for their beliefs.
Learn to love Alaska
It's easy enough to check. Surf to any public https secured site, and check the certificate's chain of trust. If the self-signed cert at the top of the chain is the school's cert, they've been pwned.
John
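The chain-of-trust check described in the comment above, written out as an added example (not code from the original thread): it records the leaf certificate's SHA-256 fingerprint so it can be compared with one captured over a connection you trust, and flags a leaf whose issuer names the school's private CA. The issuer names and the sample certificate data are constructed for the example.

```python
"""Detect whether an HTTPS session is being terminated by a private root CA.

Two independent checks, both suggested in the thread:
  1. Compare the leaf certificate's SHA-256 fingerprint with one recorded
     earlier over a connection you trust (e.g. tethered to a phone).
  2. Inspect the issuer of the certificate the server presented and flag it
     if it names an organisation that is not a public CA.
All names and sample data below are constructed for this example.
"""
import base64
import hashlib
import socket
import ssl

# Hypothetical distinguished-name values a school's private root might carry.
SUSPECT_ISSUER_NAMES = {"Example Boarding School IT", "Example School Root CA"}

# Constructed stand-in for a PEM certificate: the payload is NOT real DER,
# but ssl.PEM_cert_to_DER_cert() only strips the armour and base64-decodes.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed, not a real DER certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)

# Constructed dicts in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "GB"),),
               (("organizationName", "Example Boarding School IT"),),
               (("commonName", "Example School Root CA"),)),
}
SAMPLE_PUBLIC_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Some Public CA Inc"),),
               (("commonName", "Some Public CA Issuing G1"),)),
}


def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate in the colon-separated,
    uppercase form browsers display (AB:CD:...)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(fingerprint: str, pinned: str) -> bool:
    """Compare two fingerprints, tolerating case and separator differences."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(fingerprint) == norm(pinned)


def issuer_fields(cert: dict) -> dict:
    """Flatten the nested issuer RDN tuples into a plain attribute dict."""
    return {attr: value for rdn in cert.get("issuer", ()) for attr, value in rdn}


def issuer_is_suspect(cert: dict, suspect_names=SUSPECT_ISSUER_NAMES) -> bool:
    """True if the leaf was issued under one of the private-CA names."""
    fields = issuer_fields(cert)
    return any(fields.get(k) in suspect_names
               for k in ("organizationName", "commonName"))


def fetch_leaf(host: str, port: int = 443, timeout: float = 5.0):
    """Return (pem, cert_dict) for the certificate a live server presents.
    The dict is only populated when the chain verifies against the local
    trust store, which is exactly what happens on an intercepted machine
    once the private root has been installed."""
    pem = ssl.get_server_certificate((host, port))  # no verification, raw PEM
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLError:
        cert = {}  # chain did not verify locally; issuer check not possible
    return pem, cert


def audit(host: str, pinned_fingerprint: str) -> dict:
    """Run both checks against a live host and report the findings."""
    pem, cert = fetch_leaf(host)
    fp = fingerprint_pem(pem)
    return {"fingerprint": fp,
            "pin_matches": matches_pin(fp, pinned_fingerprint),
            "issuer": issuer_fields(cert),
            "private_issuer": issuer_is_suspect(cert)}
```

Run `audit("www.example.com", "<fingerprint recorded over a trusted link>")` from the suspect network; a failed pin or a flagged issuer means the leaf you see is not the one the site actually serves.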
I suppose he meant that while they might have the right to "wiretap" communications on their own equipment (which I doubt is true), they don't have that if some of the equipment is owned by the user. For example the laptop.
Frankly I feel like the only reason we have an issue here is that people don't understand how the certificates work. I don't accept the idea that having root CAs which are specific to an organization's network is somehow flawed. If the solution being proposed is little more than "Pay someone else to sign your certificates", what you've actually done is completely disregarded the problem. There are a multitude of abuses that can come from it, but you don't make them disappear by relying on an outside authority in that manner. With some of the code issues that have recently been publicized regarding SSL, I have to wonder if the security issues can even be avoided to begin with.
Yes... but that doesn't necessarily mean that they are actually being monitored or spied on, it only means that they COULD be... which was my point. I didn't see anywhere that it said that such spying was actually occurring.
File under 'M' for 'Manic ranting'
BUT you still need to advise parents and students as to what you are doing; and
Ensure that you have policies and controls that ensure that everyone knows what you are doing, and how it will not be used for other purposes (e.g. sniffing credit card details from student purchases, etc.);
Without that the job is only half done.
As someone who is part of the elected 'management' of a public school, I can say with some certainty that if you were to request to address management in private, as opposed to in a public forum, and respectfully indicate that the institution has engaged in a (potentially) illegal activity, they should sit up and take note. Especially if you recommend a simple solution to what could have been a simple mistake, you're more likely to get a positive response.
As far as explaining to non-technical people, I would recommend giving them a real-world example. Such as saying that you've locked up your house, but you leave one window open on the second floor. While it's not likely that someone could get in because it's on the second floor and there's no obvious way in, it's not a reasonable practice if you want to know that your home is secure.
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
The big difference between this and the OP, though, is that my company owns these laptops.
Yeah... and you and YOUR COMPANY (rather) potentially get to share liability with your service provider, in the event that your CA's private key facilitates the commission of fraud or some other crime against the user, for example, if the zScaler CA or zScaler's infrastructure is used to steal banking information or PII from someone using one of these laptops; the person can sue your company and/or Information Technology professionals responsible for the intercept or misappropriation of information.
For what it's worth though.... the user could also sue if there was a keylogger installed on it by your company that led to damages against them, or possibly if there was malware -- that the owner of a laptop had a duty to prevent or detect.
It doesn't matter that your company owns the laptop. Legally you can surveil the activity of the laptop, BUT there is a duty of care that comes with you and your company's choice to do so and legal ownership of the laptop.
So your company best be darned 100% certain that zScaler passes all due diligence for protection of crypto secured information.
They can also require web filtering and surveillance software, of course. In many schools, this kind of software, web filtering (including filtering of proxies and categories of SSL-based websites) is ACTUALLY REQUIRED in the US, for many schools to keep funding under various federal programs -- e.g. E-rate.
Sure, there are things that may be tweaked by the school, but there are laws setting the basic boundaries for such modifications.
Well, they are perfectly within their rights to provide a policy of "No laptops allowed past this point", at the door.
Anything less is a concession on their part. In the case of your physical PERSON, they can't require arbitrary concessions, such as body cavity searches without infringing on people's rights.
With laptops however; they can require arbitrary modifications or standards of their choosing, before the laptop is permitted access.
Fully updated, not running an EOL operating system such as Windows XP, no infections present and working antimalware, would be some common restrictions.
Well, so how do certificates work? A root CA basically gives you the right to issue certificates for whatever website you want. It's unclear whether that happened in this case, but other posts (supposedly from people working at schools in the UK) suggest that's how it works.
I agree that there are cases when accepting a certificate authority specific to the organization is a good solution. However it needs to be done openly, not secretly by installing it in the background. Installing a root CA in the background is essentially what rootkits do.
Yes, I have my doubts about how much we can trust the CAs, but I don't really understand how that's related to the issue here. Need to secure access to some school websites? Issue a regular SSL certificate and ask everyone to accept it (or install it in the background, I have no problem with that). Installing a root CA in a shady way is not the right solution.
They can also require web filtering and surveillance software, of course.
In many schools, this kind of software, web filtering (including filtering of proxies and categories of SSL-based websites) is ACTUALLY REQUIRED in the US, for many schools to keep funding under various federal programs -- e.g. E-rate.
I'm not going to pretend I know the US law. Or even UK law, for that matter. IANAL
Sure, there are things that may be tweaked by the school, but there are laws setting the basic boundaries for such modifications.
Well, they are perfectly within their rights to provide a policy of "No laptops allowed past this point", at the door.
I'm fine with "no laptops allowed past this point" policy. Heck, I'm fine even with monitoring the traffic, assuming it's publicly announced. What I'm not OK with is when this happens in secret, without telling anyone.
Anything less is a concession on their part.
In the case of your physical PERSON, they can't require arbitrary concessions, such as body cavity searches without infringing on people's rights.
With laptops however; they can require arbitrary modifications or standards of their choosing, before the laptop is permitted access.
Fully updated, not running an EOL operating system such as Windows XP, no infections present and working antimalware, would be some common restrictions.
There may be differences between US/UK, and the part of Europe where I live. Here we have "privacy of correspondence" which applies even when I (for example) access my personal email while at work. Or whatever. So no, it's not just about physical person - at least not universally.
I'm guessing the software they get students to install is Cisco Clean Access, and the CA is most likely only available by logging onto the Cisco device doing traffic management and network protection. "Protection" of the CA would be unnecessary, because it's entirely probable that it's not even possible to get the CA private key.
Most likely the IT staff didn't even realise that they had root CA provisioning enabled - Cisco configurations are usually mazes of poorly documented switches, commands and screens.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
The big difference between this and the OP, though, is that my company owns these laptops.
Yeah... and you and YOUR COMPANY (rather) potentially get to share liability with your service provider, in the event that your CA's private key facilitates the commission of fraud or some other crime against the user, for example, if the zScaler CA or zScaler's infrastructure is used to steal banking information or PII from someone using one of these laptops; the person can sue your company and/or Information Technology professionals responsible for the intercept or misappropriation of information.
For what it's worth though.... the user could also sue if there was a keylogger installed on it by your company that led to damages against them, or possibly if there was malware -- that the owner of a laptop had a duty to prevent or detect.
It doesn't matter that your company owns the laptop. Legally you can surveil the activity of the laptop, BUT there is a duty of care that comes with you and your company's choice to do so and legal ownership of the laptop.
So your company best be darned 100% certain that zScaler passes all due diligence for protection of crypto secured information.
Well, actually, no, since the devices are provisioned for work use. If your bank or passport details are stolen because you used your WORK laptop on the WORK network to access those PERSONAL sites, that's on you. The company only has a duty of care to protect information they know they have.
Just read Winthrop's own history of the Massachusetts Bay Colony. He was pretty clear about it. The Puritans wanted religious freedom for the Puritans and none for anyone else.
However, I think the fact that the school initially denied what they had done and then reconfigured the network is quite telling.
No, it really isn't. Take off the tinfoil hat, the most likely scenario goes thus:
"No, we don't intercept SSL communications, student."
Student leaves.
"Hey Bob, looks like we left that setting enabled that installs the CCA certificate on client devices."
"Ah shit. Can we disable that?"
"Yeah, but it's gonna mean restarting the ASA."
(Restarts ASA. 5 minute IOS boot time ensues)
Yes, the possibility of doing wrong is obvious, but that root CA installation is very common when dealing with 802.1x authentication with Windows clients. It's a side-effect of how stupid Windows' handling of certificates is.
cf. this vendor's suggestion https://kb.meraki.com/knowledg... to disable certificate checking altogether to make it work instead.
- Michael T. Babcock (Yes, I blog)
For that to hold, the company has to expressly forbid using the laptop for personal purposes, otherwise (as previous cases have ascertained), there is reasonable grounds to expect that the device will store personal information.
Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'
That's a fascinating guess. It's not a feature I've personally used. Although yes, the Cisco configurations and the Cisco _clients_ do tend to have a horrible morass of undocumented options.
If you want to intercept google.com's traffic, you simply create a certificate for google.com, signed by your root CA, and make a proxy use that to communicate with the user, while using google's real cert to communicate with Google. Both Google and the user are communicating with what they think are good certificates, when really only one of them is. Your proxy can see all the traffic, unencrypted, without either party realising.
Or since they're probably using a web filtering solution of some sort, category/site-based blocking of the banking sites should resolve that legal issue in short order.
Here's a nice bit of history about religious tolerance and liberty in the colonies right in the middle of the American Revolution:
http://books.google.co.uk/book...
"It is difficult to overestimate the degree to which, on the eve of the Revolution, Catholics in America were still widely discriminated against. Several members of the Continental Congress, including Congregationalist Roger Sherman, were opposed to hiring Catholics to fight in the Continental Army. Only three colonies allowed Catholics to vote. They were banned from holding public office in all New England colonies save Rhode Island. New Hampshire law called for the imprisonment of all persons who refused to repudiate the pope, the mass, and transsubstantiation. New York held the DEATH PENALTY [emphasis mine] over priests who entered the colony; Virginia boasted that it would only arrest them."
In Virginia, the birthplace of the separation of church and state, it took *seven years* for Thomas Jefferson to convince the General Assembly to pass the Virginia Statute for Religious Freedom, and debates on the matter bear a striking resemblance to the sorts of thing one might read in YouTube comments.
By the time that the United States Bill of Rights was ratified, the freedom to practice any religion without fear of being barred from holding land, accessing the courts, or holding most professional jobs had been established by law in most of the British Empire.
This is not entirely surprising as many of the most influential people who formed the Federalist faction in what became the United States were in close cooperation with the Foxites in the British parliament from well before the Revolution until well after, and agreed on many -- or even most -- civil liberties and constitutional issues. The American Revolution weakened the common enemy (principally the Northites and Grenvilleites, who are all fairly called Tories in spite of their claim to the Whig mantle).
By comparison, the erosion of Tory (see above) dominance in the British parliament in the wake of the Seven Years' War led to a series of religious Relief Acts relaxing restrictions on Catholics. It's noteworthy that the first major such act, the Quebec Act 1774, was one of the "Intolerable Acts" protested by the Americans (in the political faction sense) that they argued justified Independence. Additionally, in the thick of the Revolution, the British parliament passed the Relief Act 1778 and the Schools and Bishops Act 1782, in spite of vigorous domestic opposition (there were riots in Britain in the wake of each), and even more vigorous opposition in the parts of the Thirteen Colonies not already in full rebellion, and some upset in several of the others that ultimately did not join the American Revolution.
You go to secondary school, so you are pretty young. Good that you took a stance. Good you made a /. post out of the story. Carry on, lad, you'll go a long way.
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace.
Oh come on, everybody knows about dike swarms, dikes and sills, pegmatite dikes :-)
We do expressly forbid personal use. Of course we don't really care, but you have to say it.
Are they required to disclose that they are doing MITM attacks on https traffic though?
Which my employer does for one. (And it's a non-trivial point: I've been away at a work location for 41 days now, using the work's laptop because I don't have enough baggage allowance to take my own, using the work's network because there isn't another (nearest mobile phone service is about 30km over the horizon; leaving the site is impossible due to sharks).)
It's part of the deal that most people accepted when they signed their contract (it wasn't mentioned in mine, because it wasn't envisaged a credible idea at that time).
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs".
Under RIPA, that's not the case. Once they've notified affected people (pupils and parents), THEN they can do what they want, otherwise there are substantial prison terms involved for unlawful intercepts, no matter how well-intentioned.
A 3rd party commentator has offered this:
=======
From "Inspecting e-safety in schools" within
http://www.ofsted.gov.uk/sites...
"Indicators of inadequate practice ...
There is no internet filtering or monitoring."
"Key features of good and outstanding practice..."
Rigorous e-safety policies and procedures are in place...
The e-safety policy should incorporate an Acceptable Usage Policy that is understood and respected by pupils, staff and parents."
"Sample questions for school leadership... ... children can recall rules."
"What to look for? E-safety policy is regularly reviewed; evidence that these are freely available (posters, handbooks, etc.)."
[BTW note this: "Pupils in the schools that had ‘managed’ systems had better knowledge and understanding of how to stay safe than those in schools with ‘locked down’ systems. Pupils were more vulnerable overall when schools used locked down systems because they were not given enough opportunities to learn how to assess and manage risk for themselves."]
======
I'm fairly sure the OP had to sign an AUP. He should double-check it.
Many others have commented that in this day and age it's easy to bypass the school system by tethering to your mobile; however many "elite" UK boarding schools are in areas with rotten coverage, and laptops used for schoolwork are often so locked down they can't be used on the home network when on vacation or after leaving the school. (I have one such laptop on hand. Although owned by the ex-pupil, even the BIOS is passworded and the school refuses to divulge the details.)