I have to say I got the chills reading that article above about how the "Patsy/shooter" avoided CIA owned facebook/myspace and how that was a "social anomaly." It will probably be required to have a facebook soon which is horrifying to me.
They are using this overtly obvious false flag in order to enforce surveillance policies. This is similar to indoctrinating children into the IBM electronic slave collar at early ages:
School shows off its laptop surveillance tactics
http://news.cnet.com/8301-17852_3-10460729-71.html
by Chris Matyszczyk, February 26, 2010 3:35 PM PST
"This kid looks like they're editing their MySpace page." So declares an assistant principal at Intermediate School 339 in the Bronx borough of New York, a "former technology coach" (PDF) named Dan Ackerman (but not to be confused with CNET's Dan Ackerman). You might imagine that he's wandering around a classroom looking over kids' shoulders as they fiddle about on their laptops. You might imagine, then, that storks deliver milk as well as babies. This remarkable 2009 footage from the PBS show "Frontline," promoted on its site earlier this month and thrust into the limelight on Thursday by the people at Boing Boing, might just make your own moral code offer a boing or two, as you view the apparent normality of a school administrator peeping into his students' lives through software installed on their school-issued laptops.
The entertainment begins at around the 4:30 mark. We watch him watching a girl comb her hair, using her Mac's Photo Booth application as a mirror. He then observes the editing of a MySpace profile page, reportedly via a program called Apple Remote Desktop, marketed as enabling teachers to "pause all of their [students'] screens, give them new instructions, and start them up again when [they're] ready." Perhaps the most chilling line of the video, especially in the context of this week's revelations at Harriton High School in Pennsylvania--which allegedly used security software to surreptitiously activate a school-issued laptop Webcam when off-campus--is when Ackerman utters these words with almost a chuckle: "They don't even realize that we're watching." They seem to realize something, though. As Ackerman demonstrates how he "always [likes] to mess with [students] and take a picture" by remote-controlling the Photo Booth software, a girl ducks out of shot. "Nine times out of 10," Ackerman explains, referring to the moment Photo Booth indicates to the student that a picture is being taken, "they duck out of the way." And on occasion, according to "Frontline" reporter Rachel Dretzin, Ackerman interrupts students' instant-message conversations "with his own message, telling them to get back to work."
More Details Emerging About School Laptop Spying, And It Doesn't Look Good
http://www.techdirt.com/articles/20100222/1118438253.shtml
from the a-bit-proud-of-your-spying... dept
Following up on this morning's post, new details are emerging about the school spying scandal in which a student was punished for apparently chowing down on Mike&Ike candy (which the school thought were drugs). In our comments, someone named Paul points us to a blog post from a security consultant, who digs much deeper into the story -- focusing on one of the techies who worked at the school and apparently had a noticeable internet presence, having said a few things that could come back to haunt him. Note, that the school itself has said that only two techies on staff had the power to initiate the use of the remote spying tool.
Apparently, in various forums, blog posts and videos, one of the school's techies talked about the technology they were using and how to set it up so that the user would not realize they were being spied on. He also discussed how to prevent a laptop using this software from being "jailbroken," so users couldn't discover that their computers were being used in this manner.
Other forum posts from students at the school show that they were told they could not use other computers, could not disable the cameras and could not jailbreak their laptops on the risk of expulsion. Furthermore, in looking at the software that was being used, the security consultant found serious security problems with it, in some ways similar to the famed Sony BMG rootkit:
With some of my colleagues, I began a reverse engineering effort against LANRev in order to determine the nature of the threat and possible countermeasures. Some of the things we found at first left us aghast as security pros: the spyware "client" (they call it an agent) binds to the server permanently without using authentication or key distribution. Find an unbound agent on your network with Bonjour, click on it, you own it. The server software, with an externally facing Internet port... runs as root. I'm not kidding. For those unfamiliar with the principle of least privilege- this is an indicator of a highly unskilled design. Unfortunately, when we got down to basic forensics, LANRev appears to cover its tracks well.
Things keep looking worse for the school, and school officials have done little to actually explain what happened, if the prevailing story is not actually the case.
The Spy at Harriton High
http://strydehax.blogspot.com/2010/02/spy-at-harrington-high.html
Sunday, February 21, 2010
This investigation into the remote spying allegedly being conducted against students at Lower Merion represents an attempt to find proof of spying and a look into the toolchain used to accomplish spying. Taking a look at the LMSD Staff List, Mike Perbix is listed as a Network Tech at LMSD. Mr. Perbix has a large online web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon.
PanoMasterMind
The primary piece of evidence, already being reported on by a Fox affiliate, is this amazing promotional webcast for a remote monitoring product named LANRev. In it, Mike Perbix identifies himself as a high school network tech, and then speaks at length about using the track-and-monitor features of LanRev to take surreptitious remote pictures through a high school laptop webcam. A note of particular pride is evident in his voice when he talks about finding a way outside of LANRev to enable "curtain mode", a special remote administration mode that makes remote control of a laptop invisible to the victim. Listen at 35:47, when he says:
"you're controlling someone's machine, you don't want them to know what you're doing" -Mike Perbix
It isn't until 37 minutes into the video that Perbix begins talking about the Theft Tracking feature, which causes the laptop to go into a mode where it beacons its location and silent webcam screenshots out to an Internet server controlled by the school.
The beacon feature appears to have been one of the primary methods for remote spying, however, network footprints abound over the details and architecture of the remote administration effort. In this post, Perbix discusses methods for remotely resetting the firmware lockout used to prevent jailbreaking of student laptops. A jailbreak would have allowed students to monitor their own webcam to determine if administrators were truly taking pictures or if, as the school administration claimed, the blinking webcams were just "a glitch."
Perbix also maintains a prolific blog, where in this blog post he describes using the remote monitoring feature to locate a stolen laptop:
"As a prime example, we initially attempted to recover a stolen laptop that reported back to us its internet address and DNS name. The police went to the house and were befuddled to find out the people we knew had the laptop was not the family that lived there...well, we eventually found out that they were the neighboring house and were borrowing the unsecured WI-FI."
In a September 2009 post that may come to haunt this investigation, Perbix posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when Perbix puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration:
"what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking"
What's the purpose of shutting down a camera for the user of the laptop but still making it available to network administrators? Ask yourself: if you wanted to convince someone that a webcam blinking was a glitch, would disabling the cameras help make your case?
We Found the Glitch, Mrs. Buttle
The truly amazing part of this story is what's coming out from comments from the students themselves. Some of the interesting points:
-Possession of a monitored Macbook was required for classes
-Possession of an unmonitored personal computer was forbidden and would be confiscated
-Disabling the camera was impossible
-Jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion
When I spoke at MIT about the wealth of electronic evidence I came across regarding Chinese gymnasts, I used the phrase "compulsory transparency". I never thought I would be using the phrase to describe America, especially so soon, but that appears to be exactly the case. On a familiar note, the authorities are denying everything. As one reads comments on this story, a consistent story begins to emerge:
"My name is Manuel Tebas. I was a student at Harriton High School, in the graduating class of 2009. We were the first year on the one-to-one laptop initiative. [...] I saw your post about removing webcam capability from the Macbook. It is possible - I did it last year. I will preface this by saying that when I did it, I was almost expelled, saved only by the fact that there was, at the time, no rule against doing so."
"I remember that the laptop was a requirement in school for many classes. That may remain so."
"[I] had brought in my own personal computer to work on a project for school one day. I was doing a presentation involving programs not available on the regular computers, only in specific labs. I happened to have a copy of my own. My personal property was confiscated from me in a study hall when I was working on a school assignment because it was against the schools 'code of conduct'."
"Hi, I'm a 2009 Graduate of Harriton Highschool. [...] I and a few of my fellow peers were suspicious of this sort of activity when we first received the laptops. The light next to the web cam would randomly come on, whether we were in class, in study hall or at home minding our own business. We reported it multiple times, each time getting the response: "It's only a malfunction. if you'd like we'll look into it and give you a loaner computer."
"The webcam could NOT be disabled due through tough tough security settings. Occasionally we would notice that the green light was on from time to time but we just figured that it was glitching out as some macbooks do sometimes. Some few covered it up with tape and post its because they thought the IT guys were watching them. I always thought they were crazy and that the district, one of the more respectable ones within the state, would never pull some shit like this. I guess I was wrong."
"I am the father of a 17 y/o Harrington High student. She has had one of these laptops for 2 years. She has noticed the "green light" coming on but was not computer literate enough to know what initiated it"
Browse as many web forums as you like, the comments above are highly representative. Students were told green webcam activation lights going off at home were a glitch, were required to use a jailed computer, were threatened with expulsion if they attempted to jailbreak the computer to find the truth, and were not allowed to use computers they controlled.
Inside LANRev
With some of my colleagues, I began a reverse engineering effort against LANRev in order to determine the nature of the threat and possible countermeasures. Some of the things we found at first left us aghast as security pros: the spyware "client" (they call it an agent) binds to the server permanently without using authentication or key distribution. Find an unbound agent on your network with Bonjour, click on it, you own it. The server software, with an externally facing Internet port... runs as root. I'm not kidding. For those unfamiliar with the principle of least privilege- this is an indicator of a highly unskilled design. Unfortunately, when we got down to basic forensics, LANRev appears to cover its tracks well. Here's a screenshot of the server application monitoring a tracked host:
Tracking intervals available at the top; screenshots and webcam shots in the lower right pane. No webcam shot is visible here as a webcam was not connected during testing.
In order to spy on my computer, I had to mark it for spying. The icon for spying is a detective hat and a magnifying glass; very Sherlock Holmes. Once I had the agent installed, I used dtrace to monitor its activity as it hung around and spied on my system. The log below is an edited trace of the agent's activity during a spy interval. It uses a fixed dump point, /tmp/Image, as its save file before uploading to the server; sadly, this is wiped. Only a full forensics scan which picks up deleted files will have a chance of picking up the history of the spying on a particular computer. On laptops with a webcam, a second fixed save point, /tmp/Image1, is used to save the webcam pic.
For the technically inclined, I've highlighted some of the key points, use of the system screengrabber, the use of RawCamera, the fixed save point, etc. We're still working on our technical writeup of this software and hope to update soon. During our testing, we infected a laptop with LANRev, then closed the lid, hoping to activate the LANRev feature which takes a webcam picture when the computer wakes. As my colleague Aaron opened the lid of his Mac, the green webcam light flickered, ever so briefly.
It wasn't a glitch. It was a highly sophisticated remote spy in his system. And even though he was in control, the effect was still very creepy. Here's one last capture from the Windows version of the administration console, showing a forced remote webcam snapshot. We've pixellated this, but rest assured the real thing looks very detailed.
In other news on the case, subpoenas have been issued, the FBI is on the case, the candy in question has been caught red-fingered, and some enterprising chap is ready to cash in with a t-shirt. Doug Muth's hands on screenshots provide the best first hand encounter with the client end of the spyware in question. What amazes me most is that the family and lawyer filing the suit appear to have done no digital forensics going in, and no enterprising student hacker ever jailbroke a laptop and proved this was going on. The greatest threat to this investigation now is the possibility that the highly trained technical staff at LMSD could issue a LANRev script to wipe digital forensic evidence off all the laptops. This is why it is imperative for affected parents to have the hard drive removed from their children's laptops and digitally imaged before the laptop is connected to a network. With enough persistence, and enough luck, we may eventually learn the truth.
-stryde.hax
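Added example, not part of the original post or the stryde.hax write-up: a small Python watcher that keeps a copy and a SHA-256 of anything appearing at the two fixed save points the write-up names, /tmp/Image and /tmp/Image1, before it is wiped. The function names, the polling interval and the lanrev_evidence directory are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import time

WATCHED = ("Image", "Image1")  # fixed save points named in the write-up

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_once(tmp_dir, evidence_dir, seen):
    """Preserve any new or changed watched file; return this scan's events."""
    # seen maps path -> (mtime_ns, size) so an unchanged file is copied once.
    events = []
    os.makedirs(evidence_dir, exist_ok=True)
    for name in WATCHED:
        path = os.path.join(tmp_dir, name)
        try:
            st = os.stat(path)
            key = (st.st_mtime_ns, st.st_size)
            if seen.get(path) == key:
                continue
            digest = sha256_of(path)
            kept = os.path.join(evidence_dir, f"{name}.{digest[:16]}")
            shutil.copy2(path, kept)  # copy2 keeps the original timestamps
        except FileNotFoundError:
            # Absent, or wiped between the stat and the copy.
            if seen.pop(path, None) is not None:
                events.append({"event": "removed", "path": path,
                               "time": time.time()})
            continue
        seen[path] = key
        events.append({"event": "captured", "path": path, "sha256": digest,
                       "size": st.st_size, "kept": kept, "time": time.time()})
    return events

def watch(tmp_dir="/tmp", evidence_dir="lanrev_evidence", interval=0.2):
    """Poll until interrupted; a file living less than interval can be missed."""
    seen = {}
    while True:
        for event in scan_once(tmp_dir, evidence_dir, seen):
            print(event)
        time.sleep(interval)

if __name__ == "__main__":
    watch()
```

Running this changes the live system, so it complements the disk imaging recommended in the write-up and does not replace it.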