Discussion in 'The Sanctum Santorum' started by RyanMM, Nov 20, 2012.
I don't think you understand the nature of untrusted information.
Here's what I really don't get.
If I was going outside to smoke myself a jay, or whatever the kids call it these days, why wouldn't I just leave my id in my desk or locker?
Given that it would be quite plausible for a kid to leave her id in her desk or locker, how could you trust that you were getting valid info on who left campus?
Because they aggressively police the hallways and haul children to the principal's office for detention and a haranguing if they don't have a hall pass and their student ID.
If I'm caught on the way to get stoned I would think a haranguing for forgetting my ID is the least of my worries.
I grew up in the '80s, maybe I just don't understand the level of security at school these days. Do kids just not misbehave until they're off campus nowadays?
No. Instead, exactly the same thing happens as in Prohibition; everyone violates the rules because they rules are nonsensical, and the administration chooses who to come down on for their own reasons.
I don't think you understand the nature of simple logic. The chip doesn't have to be trusted for you to verify that something is up, just the scanner. I can dupe another student's card if I want to land him in detention, but I'd then have to physically pickpocket his card in order for two copies of him to not appear to the system. At no point do I have to trust anything except the fact that the scanner is telling me that the student exists in two places simultaneously: obviously wrong. This isn't rocket surgery.
Scanners designed to track the movement of people and/or deny entry/exit to unauthorized personnel (i.e. don't have credentials in the form of an RFID tag) generally alarm in some fashion or trigger a surveillance device when something moves through them without a tag via the magic of infrared breakbeam detectors (which are actually pretty cheap, being just oddly configured diodes). So if the teacher runs off to the photocopier and you sneak out while leaving your tag behind it's entirely possible that any system they put in place took your picture and alarmed the principal's office.
So I walk into class with Sheepherder, reflash my RFID card (literally that easy, I can do it with a smartphone without taking the phone out of my pocket), walk out, do some shenanigans, walk back in.
At that point you fall back to relying on the teacher... who, if you were relying on the teacher already, you don't need the RFID system.
Untrusted information isn't useful.
Presumably you'd need to read my RFID first, to know what it is. Which means walking to within a meter of me and not anybody else, pulling out your phone, and doing a search of radio frequencies. You know:
So all I have to do is run an app that does a radio frequency scan within a meter of you and records it?
And you think this is hard?
Or you could just not bother and have them try to explain and prove to the authorities which copy was actually him, and that it was the legit one. After all it's just bonus trouble for the person you wanted to drop in hot water.
The entire system is dumb in general, given it relies on something that's by no means given -- that is, that the chip with the student's ID is actually carried by the student who's supposed to carry it. Wonder if it's going to take more than a day for someone to just leave the thing in their room to gain "perfect" alibi that they were staying on campus when they really weren't.
edit: and yeah, standing wih a phone out close to someone else isn't exactly suspicious since it happens often as it is -- just pretend you are talking with someone over the phone or texting them, and no fucks will be given.
Umm, yes, yes it is. Because everyone in the classroom has a cellphone, tag, and possibly a laptop that is also broadcasting on one frequency or another.
Also, we haven't yet gotten into encryption, presumably tags could be outfitted with such, since students are generally valued more than a pair of jeans. Everyone here who has a cellphone that can brute force even a relatively weak cryptographic function in the length of a class raise their hand!
Do all these devices use RFID protocol to broadcast, and are they all within a meter of the person you're attempting to scan?
Everyone with a Android or iOS smartphone, raise your hand.
Also, as someone who has very recently done a very thorough look at encrypted RFID, it all massively, monstrously sucks.
Everyone who have a tough go of Google, raise your hand.
Translation: with a degree in electrical engineering or programming you too can skip class!
So 7 years ago, assuming you don't let students take the RFID cards home, and assuming that you cross-verify rigorously everything that the RFID system might ever tell you, along with ensuring that no student is ever within one meter of only one other student at a time, the system works perfectly!
Well yes, but that would sort of make it hard to do it in class, now wouldn't it? The whole "stand and let you FPGA array interrogate the pass uninterrupted for ten hours" thing. But hey, watch out guys, when everyone's phone is rocking a Core2Duo shit's gonna get real! For everyone still using 40-bit encryption. I mean, really?
So you are, just to make sure I get this right, assuming that the school successfully prevents anyone from taking their IDs home?
Also, I should point out that I know the guys who did the hack in the article in question, which amuses me greatly. Ari's a cool guy, but the only reason that article doesn't have a line like "and then we implemented the hack in software and managed to clone a key in five minutes with a decent laptop" is because they didn't really feel like doing it, not because it would have been hard.
(In fact, it would have been boring, which is sufficient reason not to do any work past the point where you're done working a project up for publication.)
Oh for Christ's sake at this point just stop speculating and talk in hypotheticals. You guys have no idea what these do, what, specifically they're being used for, or, pretty much anything so all you're doing now is "I bet they do this." "No, you don't know that, I bet they do this!"
You know the worst part about these badges? The way they make children's heads explode if they think about cookies!
Now I want cookies.
On the other hand, he's not a high school student who wants more smoke breaks who also apparently has a ninja-like ability to detect when the teacher isn't in the room so he can dodge out and in with neither the teacher nor the scanner catching him.
I trust he will do the right thing and take this secret (and any potential ninja teachings he may be able to pass on) to the grave.
It doesn't take grad-student-level skills to replicate a published exploit. It doesn't take ninja-like abilities to detect when the teacher is or isn't in the room.
I'll give you this. There are theoretically decent, cryptographically secure RFID systems*. In the hands of an intelligent, technologically-literate, competent, and fair administration, they would be a significant aid to the policing of the students.
I don't think that's a sane way to approach schooling, and I don't think that's a sane set of assumptions.
* Generally they're using asymmetric crypto and decent key-length RSA, but even so, providing an oracle is rarely going to be met with joy from the security guys.
The published exploit involves FPGA's. You might lose a high school student explaining that with a few transistors you can create a logical AND. It's all about the high level languages now. Or maybe the math teachers they roped into playing CS teacher where I live skipped shop to blaze some trees.
True story: a kid in my high school thought it would be a great idea to empty an aerosol can of bear mace in a stairwell, cementing his reputation as an elite ninja or something. Having discovered that it didn't spray fast enough to suit him, he then grabbed it in both fists and started slamming it against a square metal railing. Naturally, the can failed eventually, releasing it's contents. You can see where I'm going, right?
EDIT: It all truly is sort of beside the point though, I can't really argue with that. Attendance requirements always struck me as sort of retarded.
Ok, Jesus. Enough with hypotheticals and reductivism.
Here. There's some illuminating information in here. Yes, it's a student publication, but it's about as close of a source you're going to get.
1. The school is instituting this because of the loss of ADM (average daily membership) dollars. Schools report attendance to the district, and get funded based on that attendance. The district will take money away if there is a question of students attending class (but will expect the school to educate those students anyhow if they are still enrolled. I know, don't ask me.).
2. There are about 2,900 students in this particular school.
3. There is a procedure for up to NINE offenses of students being tardy to first hour in a six-week period (That's a minimum 70% attendance rate) before they start looking at removing the student from class. They need ADM monies!!!
4. There are about 100 scanners on campus. I don't know how big the campus is, but I think it includes two schools (Jay and Jay-STEM).
5. Students are required to wear their ids on the front of their person at all times on campus. They do take their IDs home.
6. The school says multiple times that the IDs don't work off campus. I know that they are probably lying. Just putting that out there.
And so on. If we are going to debate the system and whether it will work better than eyeballs, let's actually stick to facts. Is this compliance worth the cost?
I will bet you nine million imaginary dollars that their RFID cards are not cryptographically secure.
Anyway, if all they do is do attendance shit and don't try to use it for actually tracking kids' whereabouts, then it will only be futile, unnecessary, and moderately offensive, rather than actively damaging.
Is anyone likely to give enough of a crap to crack/hack their school ID card in a way that might be interesting or relevant? I mean a school isn't a military base that dedicated teams are going to want to break through the security of. AFAIK there is no real way for sinister hacker/paedos to use the RFID chips in the cards to 'track kids everywhere' without also installing a citywide system of RFID scanners and somehow ensuring that the kids wear their ID badges when not going to and from school, at which point there are far easier ways for this mega paedophile to track kids. Finally there are so many simpler ways for dedicated kids to thwart the system other than hacking the chips that I imagine even the most nerdy would just do that instead if they wanted to bunk school (except if they are nerds they probably enjoy school in the first place).
So what I'm saying is that the inherent level of security in RFID chips is really pretty irrelevant to this story, its being used because it is cheaper and about as effective for the average student than employing people to patrol the corridors and collate the manual data. The real question is whether you think kids should have their rough location (to the nearest scanner) monitored at every step of the school day or not (100 scanners seems like more than just an in or out of school grounds thing) and whether you think school funding incentives should be setup by local government to encourage this level of attendance monitoring. The method being used is really a red herring.
You don't remember being in high school, do you?
Man, it's like none of you have ever seen Ferris Bueller.
That's why I put 'interesting or relevant' on there. If some geek does it just to 'beat the man' it doesn't really affect the overall picture in terms of school security/padeogeddon/whatever. I mean in terms of skipping class it's a lot easier just to have a friend carry the ID in their pocket or use one of the old classics like a sick note than hacking your card to err... stop it registering you while you are in school so you get in trouble and then explain how you were there the whole time but hacked your card, smug-face-aren't-I-so-smart?
I can see someone doing it once or twice but really that is statistical noise.
BOOM!! AHH MY HEAD!
So what was wrong with counting the kids in homeroom again with, you know, a role-call?
I don't know about your homeroom, but my homeroom teacher assigned a student to take the roll call. We all knew who the student was, so we would find her sometime in the morning before homeroom and check in with her. "Hey Lisa, I'm here, okay?"
She would say okay, stop in for homeroom and check everyone off who checked in with her. Most everyone stopped going to homeroom and everyone was happy.
My homeroom teacher later became a state representative.
How much money the school gets is tied to attendance. If they can show an RFID print out as evidence they'll get in less trouble if it's proven false than if they told the teachers to fudge the numbers.
In my school at least you didn't ditch homeroom, you ditched a class later. So in theory attendance had little to do with who showed up in the first place, but more with who stuck around.
That said: tying funding to attendance seems like a terrible idea with little redeeming value for the students. It seems more like punting the responsibility for figuring out how to educate better to the teachers, and then yanking funding for under performing schools. Which, you know, doesn't start a spiral of further performance issues that yank even more funding etc etc.
I guess what I'm trying to get at is: how does this system help the core goal of educating students?
Welcome to the US education system!
I am weary generally of the insistence on trying to solve with technology what should be human problems. If your students aren't showing up to class, maybe your efforts would be better spent on figuring out why.
That's a little unfair. I'm pretty sure they have been trying to figure out why. When I found that student publication, I also found a newsletter that communicated what students were missing when they missed school (for example, you don't get full credit for a class if you miss more than 10% of the classes). That sounds like a positive response to try to communicate to students the natural consequences of their actions.
Now, I will say that this solution won't work because it leads to as many problems as it solves, and doesn't actually change student behavior (it will probably change teacher behavior, since they don't NEED to take attendance anymore unless it's for their own purposes).
Communicating long term consequences to students doesn't often work because a lot of them aren't thinking long term yet. It's why we don't let them do a bunch of shit in the first place. I had a lot of discussions about my GPA and going to the colleges I wanted to go to, but I had little interest in what that actually meant for Real Life outside school.
My issue wasn't skipping class (I skipped.. one class, ever. And we spent the hour watching Thundercats while everyone else was stoned and I was wondering why I agreed to this idiocy), my issue was doing Homework which I adamantly refused to be bothered with.
Separate names with a comma.