Two computer security experts, Aaron Rhodes and a man known by his pseudonym Stryde Hax, put together an eye-opening and well-researched attack on both the Lower Merion High School that’s been accused of spying on students and the software that was used to do it. In the process, they reveal some disturbing school policies regarding the use of the laptops, and the unnerving nature of the software itself.
The writers scoured forum activity, blog posts, and publicity videos made by one Mike Perbix, the Harriton High School technical security staffer who was in charge of the use of LANRev, the software in question. They also hunted down comments from some of the more tech-savvy members of the student body, who revealed some pretty startling policies regarding the laptops.
The main points: the school-supplied (and monitored) MacBooks were required for certain classes; the included Webcams could not be disabled; the laptops could not be “jailbroken” to circumvent the security measures (and any attempt could result in expulsion); and possession of a personal computer, meaning one other than the school-supplied MacBook, was forbidden and subject to confiscation. One example, from a student:
I had brought in my own personal computer to work on a project for school one day. I was doing a presentation involving programs not available on the regular computers, only in specific labs [Harriton High School has several computer labs, designed for a specific purpose, in addition to the MacBooks]. I happened to have a copy of my own. My personal property was confiscated from me in a study hall when I was working on a school assignment because it was against the school’s “code of conduct.”
Mike Perbix was very active in the security community, participating in forums and blogs on the subject, and was actually featured in a promotional video for LANRev, singing its praises. LANRev has since stated that they see theft recovery as “best left in the hands of professionals,” and that they “discourage any customer from taking theft recovery into their own hands.”
But Stryde Hax and Aaron Rhodes don’t see LANRev as an innocent in this situation at all. They reverse-engineered the software to see both how effective it is as security and how easily it can be overcome. Aside from their criticism of LANRev as a shoddily-coded product, they found that it did its job scarily well (they call it “very creepy”), and that it does indeed flash the telltale green light next to the Webcam when monitoring the user’s actions. Looks like those paranoid kids who were putting Post-Its over their school laptops’ Webcams weren’t so paranoid after all! In the software advertisement in which Perbix was featured, LANRev enthusiastically embraces Perbix’s, and thus Lower Merion School District’s, use of the software. Seems they’ve done a very quick about-face.
Stryde Hax and Aaron Rhodes’ piece is really fascinating, especially if you’ve got some knowledge of cybersecurity and remote monitoring. But the more you know, the scarier this case gets.