April 17, 2010

RFID, GPS Technology and Electronic Surveillance

School-Issued Laptops Took Thousands of Images of Students at Home

April 15, 2010

Philadelphia Inquirer - The system that Lower Merion school officials used to track lost and stolen laptops wound up secretly capturing thousands of images, including photographs of students in their homes, Web sites they visited, and excerpts of their online chats, says a new motion filed in a suit against the district.

More than once, the motion asserts, the camera on Robbins' school-issued laptop took photos of Robbins as he slept in his bed. Each time, it fired the images off to network servers at the school district.

Back at district offices, the Robbins motion says, employees with access to the images marveled at the tracking software. It was like a window into "a little LMSD soap opera," a staffer is quoted as saying in an e-mail to Carol Cafiero, the administrator running the program.

"I know, I love it," she is quoted as having replied.

Those details, disclosed in the motion filed late Thursday in federal court by Robbins' attorney, offer a wider glimpse into the now-disabled program that spawned Robbins' lawsuit and has shined an international spotlight on the district.

In the filing, the Penn Valley family claims the district's records show that the controversial tracking system captured more than 400 photos and screen images from 15-year-old Blake Robbins' school-issued laptop during two weeks last fall, and that "thousands of webcam pictures and screen shots have been taken of numerous other students in their homes."

Robbins, a sophomore at Harriton High School, and his parents, Michael and Holly Robbins, contend e-mails turned over to them by the district suggest Cafiero "may be a voyeur" who might have viewed some of the photos on her home computer.

The motion says Cafiero, who has been placed on paid leave, has failed to turn that computer over to the plaintiffs despite a court order to do so, and asks a judge to sanction her.

Cafiero's lawyer Thursday night disputed the suggestion that his client had downloaded any such photos to her home computer. Lawyer Charles Mandracchia said Cafiero has cooperated with federal investigators and is willing to let technicians hired by the district examine her computer if the judge so orders.

He also said Robbins' attorney had never asked him for Cafiero's personal computer.

"He's making this up because his case is falling apart," Mandracchia said.

Since the Robbinses sued in February, district officials have acknowledged that they activated the theft-tracking software on school-issued laptops 42 times since September, and a number of times in the previous school year -- all in order to retrieve lost or stolen computers.

But they have stopped short of specifying how many students may have been photographed and monitored, or how often -- information that could shed light on whether Robbins' experience was unique or common.

An attorney for the district declined to comment last night on the Robbinses' latest motion, except to say that a report due in a few weeks will spell out what the district's own investigation has found.

"To the extent there is any evidence of misuse of any images, that also will be disclosed," said the attorney, former federal prosecutor Henry E. Hockeimer Jr. "However, at this late stage of our investigation we are not aware of any such evidence."

The Robbinses' lawyer, Mark S. Haltzman, said the new details emerged in tens of thousands of pages of documents and e-mails the district turned over to him in recent weeks.

Three district employees have also given sworn depositions in the suit. A fourth, Cafiero, declined to answer Haltzman's questions, asserting her Fifth Amendment right against self-incrimination.

According to the latest filing by the Robbinses, officials first activated the tracking software on a school-issued Apple MacBook that Robbins took home on Oct. 20.

Hundreds of times in the next two weeks, the filing says, the program did its job each time it was turned on: A tiny camera atop the laptop snapped a photo, software inside copied the laptop screen image, and a locating device recorded the Internet address -- something that could help district technicians pinpoint where the machine was.

The system was designed to take a new picture every 15 minutes until it was turned off.

The material disclosed by the district contains hundreds of photos of Robbins and his family members -- "including pictures of Blake partially undressed and of Blake sleeping," the motion states.

Through Haltzman, the Robbinses last night gave The Inquirer a photo they said was among the Web cam images turned over by school officials. The picture shows Blake asleep in bed at 5 p.m. last Oct. 26, the lawyer said.

Robbins and his parents say they first learned of the technology on Nov. 11, when an assistant Harriton principal confronted the teen with an image collected by the tracking software.

Robbins has said one image showed him with a handful of Mike and Ike candies -- which the administrator thought were illegal pills.

The family's lawyers have argued that neither Blake nor many of the other students whose laptop cameras were activated had reported those laptops missing or stolen. According to the motion, an unspecified number of laptops were being tracked because students had failed to return computers or pay a required insurance fee.

The district has said it turned on the camera in Robbins' computer because his family had not paid the $55 insurance fee and he was not authorized to take the laptop home.

U.S. District Judge Jan E. DuBois has ordered all parties in the case to meet by Tuesday, the latest step toward a settlement. Meanwhile, federal and county investigators are examining whether the laptop security program violated any laws.

Also Thursday, Sen. Arlen Specter (D., Pa.) introduced legislation to close what he said was a loophole in federal wiretap laws and prevent unauthorized monitoring. Specter recently held a hearing in Philadelphia on the issue.

"Many of us expect to be subject to certain kinds of video surveillance when we leave our homes and go out each day -- at the ATM, at traffic lights, or in stores, for example," Specter, who is running for reelection, said on the floor of the Senate. "What we do not expect is to be under visual surveillance in our homes, in our bedrooms and, most especially, we do not expect it for our children in our homes."

Hacking the Smart Grid

One researcher shows how your house's power could be shut down remotely, but the threat is only theoretical--for now.

April 5, 2010

Technology Review - Components of the next-generation smart-energy grid could be hacked in order to change household power settings or to spoof communications with a utility's network, according to a study of three pilot implementations ...

The power industry is in the midst of a massive rollout of smart-grid technologies fueled by $3.4 billion in stimulus funds. By delivering detailed usage information, smart meters promise to allow consumers to control their power usage and to enable power companies to better manage their distribution networks. Nearly 60 million smart meters--covering half of the U.S. households and businesses--are expected to be deployed this year, according to estimates by the Edison Foundation's Institute for Electrical Efficiency.

To help test the infrastructure, InGuardian's Wright created an open-source hacking tool, dubbed KillerBee. This tool lets security researchers test the security of the most popular wireless communications protocol for smart meters, a low-power wireless communications technology called ZigBee. This protocol has a longer range than Bluetooth and is the most popular way of creating a home-area network (HAN).

"It's how your meter--the gateway--will talk to your dryer, your thermostat, and your water heater," says John Shaw, senior vice president of products and technology at Industrial Defender, an infrastructure security company.

Researchers have previously warned that allowing network access to the home opens up a host of security issues. Last year, security firm IOActive found flaws in a smart-meter device that allowed its researchers to insert code into one device and have it spread to others--essentially, injecting a computer worm into a local power network.

"If you could get that meter to talk to its neighbors and those to talk to their neighbors, you could conceptually tell them to turn off and cause a fairly broad power outage," Shaw says.

The ZigBee Alliance, which oversees the protocol, has submitted its specification for smart-grid-specific communications to three separate security reviews, according to Bob Heile, the group's chairman.

"What comes back is that [the specification] is okay, but there are always suggestions to make it better," Heile says. "We always implement those suggestions."

Using KillerBee, Wright found that some ZigBee devices exchange encryption keys in the open, allowing an eavesdropper to grab the information needed to clone a device, the researcher stated in a presentation given late last year at ToorCon, a hacking conference.

"He developed a suite of tools that allows (hackers) to do what they can do in the wired world," says the SANS Institute's Sachs. "If you have a radio that can receive ZigBee, then you can use these same tools."

Despite the latest research report, the threat remains theoretical for now. Smart meters are not yet attached to most households, device manufacturers are taking security more seriously, and utilities are testing their networks for vulnerabilities, says Industrial Defender's Shaw. Overall, the manufacturers and utilities have become better at talking to security researchers, he says.

"Yes, there are vulnerabilities there, but this is more of a public relations issue and a nuisance issue than a threat to the power infrastructure," Shaw says. He points to an industrywide agreement on a single process for upgrading software on the devices as a sign of progress.

David Baker, director of services for IOActive, another company that counts power companies and device manufacturers among its clients, also says that the industry as a whole is making progress.

"The utilities are acutely aware of the issues and are trying their damnedest to fix the problems," Baker says. "It is getting really, really difficult to find these holes now."
