Sunday, September 11, 2016

Compromising National Security Through Public Schools

One of the most pernicious and successful ways in which cybernetic systems can be compromised is through the act of social engineering.  In other words, a human who has secure access to a system or systems is duped or is compromised by misplaced trust in a third party to granting access to the otherwise secure system.

In recent weeks, at least two public announcements have given me grave concern that the EO Smith School systems may have been compromised  in the recent past.

Most recently, the FBI issued the following;

"Targeting Activity Against State Board of Election Systems Summary 
The FBI received information of an additional IP address, 5.149.249.172, which was detected in the July 2016 compromise of a state’s Board of Election Web site. Additionally, in August 2016 attempted intrusion activities into another state’s Board of Election system identified the IP address, 185.104.9.39 used in the aforementioned compromise.
Technical Details The following information was released by the MS-ISAC on 1 August 2016, which was derived through the course of the investigation. In late June 2016, an unknown actor scanned a state's Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website. The majority of the data exfiltration occurred in mid-July. There were 7 suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor, detailed in the indicators section below. "
The document goes into further detail of system contagion;

"Conduct vulnerability scans on local government and law enforcement websites and promptly remediate any vulnerabilities (or contact your hosting provider to do so on your behalf). Particular attention should be paid to SQLi vulnerabilities. Website hosting providers should also pay attention to vulnerabilities on other websites on the same server, which may provide a back-door into the local government's website."

Earlier ARSTechnica reported the existence of a previously unknown attack vehicle;

 ""Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations."
Kaspersky researchers said they discovered the malware last September after a customer at an unidentified government organization hired them to investigate anomalous network traffic. They eventually unearthed a "strange" executable program library that was loaded into the memory of one of the customer's domain controller servers. The library was masquerading as a Windows password filter, which is something administrators typically use to ensure passwords match specific requirements for length and complexity. The module started every time a network or local user logged in or changed a password, and it was able to view passcodes in plaintext.
The main purpose of the malware platform was to obtain passwords, cryptographic keys, configuration files, and IP addresses of the key servers related to any encryption software that was in use. Infected groups include government agencies, scientific research centers, military organizations, telecommunication providers, and financial institutions in Russia, Iran, Rwanda, China, Sweden, Belgium, and possibly in Italian-speaking countries."
A number of years ago, some EO Smith students claim to have installed software (thought to be a for-credit school project) onto EO Smith, Town of Mansfield, CT and Mansfield Public Schools. Recent events have disclosed that the software was not written by the students but was outsourced to an eastern block country's software development firm paid for and sponsored by the student's parents in one form or another.

An internet search reveals numerous claims by the students about the scope and effectiveness of the software that appear to have no basis in fact. School officials claim the software was never allowed to co-exist with legitimate school systems.

Further discussion of this issue will be conducted at the September 20th curriculum meeting.

The revelations introduce disturbing questions about the academic veracity of the school's program, the ethical veracity of the claims of the students, and serves as a wake-up call to all public schools when it comes to their system relationship to broader government systems.



Friday, September 09, 2016

The Winds of Change

I received an email from CABE, the Ct Association of Boards of Education, a few days ago. It contained some surprising news in a deja vu kind of way.

"Over the course of 3 hours, Judge Moukawsher read his decision in the Connecticut Coalition for Justice in Education Funding v. Rell case. While the Judge did not see it as the role of the court to order specific additional state funding, he issued a series of orders requiring the state to come back within 180 days with plans to revise many aspects of Connecticut’s education system. 
The state must submit proposed reforms consistent with this opinion on the following subjects:
  •  the relationship between the state and local government in education.
  •  an educational aid and school construction formula that is rational, substantial and verifiable
  •  a definition of elementary and secondary education, including an objective and mandatory statewide graduation standard
  •  standards for hiring, firing, evaluating, and paying education professionals;
  •  funding, identification, and educational services standards for special education.
 
Once the state submits its proposed remedies, the plaintiffs will have 60 days to comment on them and propose alternatives. 
A hearing will then be scheduled."
At face value and assuming we haven't done this dance a few times before, this looks promising.  Then again, considering the principals involved, it can become a cluster-muck of frightening and expensive special interest featherbedding.

Whatever good comes of this will likely manifest itself as one or more unintended consequences of the measures adopted.




Thursday, September 08, 2016

Unethical Uses of Psychological Expertise

I'm becoming increasingly interested in the ethics of psychology specifically when it concerns digital media.

A particularly interesting debate has been sparked by the post-911 torture and abuse controversy.

"For Dr. Bradley Olson, who is past president of APA Division 48, which studies peace, conflict, and violence, using one’s training to assist in a mission like JTRIG’s, which involves the deception and manipulation of unsuspecting targets, is inherently problematic. Using one’s “expertise, research, or consultation to guide deceptive statements, even the statements of others, when the deceptive intentions are clearly documented … that is against psychological ethics,” according to Olson, who has collaborated with Soldz, including as a co-founder of the Coalition for an Ethical Psychology. “This is a terrible, terrible violation of psychological ethics” and a violation of the APA’s ethical standards, he added."

Another point of interest, selective publishing: 


"In psychology research, there is a particular problem with researchers who selectively publish some of their experiments to guarantee a positive result. "Let's say you have this theory that, when you play Mozart, people want to pay more for musical instruments," says Simonsohn. "So you do a study and you play Mozart (or not) and you ask people, 'How much would you pay for a piano or flute and five instruments?'"
If it turned out that only the price of a single type of instrument, violins, say, went up after people had listened to Mozart, it would be possible to publish a research paper that omitted the fact that the researchers had ever asked about any other instruments. This would not allow the reader to make a proper assessment of the strength of the effect that Mozart may (or may not) have on how much a person would pay for musical instruments.
Fanelli has examined this positive result bias. He looked at 4,600 studies across all disciplines between 1990 and 2007, and counted the number of papers that, after declaring an intent to test a particular hypothesis, reported a positive support for it. The overall frequency of positive supports had grown by more than 22% over this time period. In a separate study, Fanelli found that "the odds of reporting a positive result were around five times higher among papers in the disciplines of psychology and psychiatry and economics and business compared with space science"."

And, of course, there's money and entitlement that drive certain unethical behaviors;

Whether affluenza is real or imagined, money really does change everything, as the song goes — and those of high social class do tend to see themselves much differently than others. Wealth (and the pursuit of it) has been linked with immoral behavior — and not just in movies like The Wolf of Wall Street. Psychologists who study the impact of wealth and inequality on human behavior have found that money can powerfully influence our thoughts and actions in ways that we’re often not aware of, no matter our economic circumstances. Although wealth is certainly subjective, most of the current research measures wealth on scales of income, job status or measures of socioeconomic circumstances, like educational attainment and intergenerational wealth.

Hmmm. Some of this sounds all too familiar.


Edit: I located the UConn Ethics hotline for any of you out there who may have questions about any local activities that come to mind;

"You may use the University’s confidential reportline at 1-888-685-2637 to report any compliance concerns you may have. Individuals who report in good faith possible compliance issues will be afforded confidentiality and/or anonymity to the extent possible under the law. Also, you may file a complaint directly with the Office of State Ethics."




Cartoons (click to site of ownership):