Have you logged into a personal account using a school computer in the last two months? Now think about what would happen if your passwords got into the wrong hands. Let’s say a malicious student got a hold of your Google login information. What can this student do? Firstly, they can lock you out of your account, change your password, and remove any way of getting back in. Then, they can get into any website that you’ve used this email for—Facebook, Twitter, Instagram, Snapchat, Edmodo, Amazon, PayPal, you name it. All of these websites have a password recovery feature that enables anyone who can get into your email to change your password and lock you out. At this point, every major account you have on the internet is entirely under someone else’s control. They can read your messages, talk to people under your name, and they can spend your money if you have an account linked to a credit card (like an iCloud, Amazon, Snapchat, or PayPal account).
You may be familiar with a program called LanSchool, a software program set up on computers in the Technology Labs at IHS, designed to control and monitor computer activities. One of LanSchool’s lesser-known capabilities is its keylogger, a program that takes everything you’ve typed—usernames, passwords, and private messages included—and records them.
This isn’t that bad by itself; there are legitimate reasons for a school to be keeping tabs on its students, and after all, the district has no malicious intentions. But the problem lies in its implementation.
Stoneware, the company behind LanSchool, has a reputation for not caring about the security of its products. Before version 5 of the software, commands sent across the network were insecure, meaning anyone, students included, could take control of or surreptitiously monitor other people’s computers. Although this was later fixed, the keylogger remains a glaring security flaw.
The keylogger data file for a computer, where recorded keystrokes are stored, is accessible to any user of that computer. Stoneware claims that this file is encrypted, but the encryption is trivially easy to break. It is little more than a “substitution cipher,” a type of encryption that has been breakable for hundreds of years. Any competent computer scientist would find this a trivial task, and it is easily possible for an AP Computer Science student to create a program to decode the keylogger file.
Theoretically, a well-educated high-school student could crack the encryption in only a few hours. (Of course, to actually do so would be a violation of school policy and could therefore result in disciplinary action.) Dominick Lisi, head of the Technology Department, confirmed that the district is aware of the ability to hack into LanSchool. Anyone with a little computer science knowledge would be able to successfully retrieve time and username of any login, as well as every keystroke and the name of the program in which the keystroke was typed.
Although LanSchool attempts to detect and censor passwords, it is largely unsuccessful. Often, the password is only partially censored, and sometimes it isn’t censored at all. This means an attacker could easily find usernames and passwords of students’ personal accounts. Many students use their school passwords for online accounts, such as Edmodo or SchoolTool, so it would not be difficult for an attacker to figure out how to log in to a student’s school account. Despite Stoneware’s claim that LanSchool records only 50,000 characters, it in fact records up to an entire megabyte (about a million characters), or about two full months of keystrokes.
Due to these concerns, the district should immediately stop using LanSchool’s keylogger. Luckily, Lisi said that the program is not scheduled to be in use next year. Although the problem will be addressed by discontinuing use of the program, the fact that it was in use for so long in spite of the district’s knowledge of its insecurity is deeply concerning. One would sincerely hope, especially with the integration of Chromebooks next year, that the district steps up its security game. Security vulnerabilities such as this one have no place in our school’s future.