Tuesday, 9 December 2014

HOLY CRAP that is sinister

A friend told me that his child brought home a note from his school about staying safe online.  Apparently (and quite surprisingly) it wasn’t too bad apart from one thing:  it said “never tell your password to anyone outside school” (emphasis mine).

As the friend said, this gets more sinister the more you think about it.  There’s almost nobody in a better position to groom children than their teachers. The teachers will most likely know what problems the child is having at school, which subjects they’re good at and what achievements they’ve made, whether and how they’re being bullied, what buttons to press etc.  Arming them with even more information is a bad idea. 

I don’t know yet whether the letter was talking about passwords in general or the password to its students’ school accounts.  Of course, schools (probably rightly) will have access to student accounts, but teachers and other staff knowing a student’s password is bad for lots of reasons, including:

  • They won’t leave much of a trail if they log in as the student, providing they’re careful. Which they probably would be if they were up to no good.
  • A staff member could pose as the friend of a student for a whole load of bad reasons.  Or the enemy of a student, for that matter.  Imagine how that could terrorise at least two students.
  • Staff members could edit the students’ personal data without leaving much of a trail.  I don’t know what kind of data can be found on a student’s school account, but the possibility of staff rewriting history to protect themselves or incriminate students is rather worrying.
  • Students are quite likely to use the same password on their other accounts, or their passwords might give clues to what those other passwords might be. They might also reveal how students tend to choose passwords or something personal to them. How many people use something associated with a sports team or a celebrity as a password? I frequently recommend the book Microserfs by Douglas Coupland as a brilliant insight into early-days Silicon Valley/web-bubble culture. In it, one character reveals that his password is ‘hellojed’. Jed was the character’s younger brother who died as a child and the password was the character’s way to remember him and feel sad about the loss every day.  That would be a significant vulnerability, especially for a child, which could easily be exploited.  That’s one of the reasons we shouldn’t reveal passwords or answer memorable questions honestly.
  • “Inside school” is worryingly vague.  It might imply that revealing passwords to other students might be OK.
  • Instructions like this could make people feel that there are situations where it’s safe or OK to reveal passwords or that authority figures have a right to know their passwords. Authority figures are exactly the wrong kind of people to know other people’s passwords because they have a greater ability to abuse them.
  • It is never OK to tell someone under what circumstances they must or should reveal their passwords.

I could go on.  I will if and when I can clarify exactly what the letter said.
