Please stop hard-wiring AWS credentials in your code. Looking at you, uni COVID-19 track-and-test app makers

Albion College has a plan for students to return safely to campus this fall amid the COVID-19 coronavirus pandemic. It involves being tracked by an app that, at least until a few days ago, appears to have been insecure. The Michigan institution announced its plan on July 28, which calls for testing coordinated by Testing …

  1. cornetman Silver badge

    Although it's a fair assumption in the main these days, particularly among the yoof, I think that taking it for granted that all people carry and use a smartphone these days is still a bit of a stretch, and mandating it to get education is probably rather unfair, particularly if you are more accustomed to worrying about rent and food rather than phone plans.

    1. The Man Who Fell To Earth Silver badge
      FAIL

      Nope

      Sorry, but in the US, I haven't seen a College or University for years (decades?) that didn't consider a laptop as a mandatory piece of equipment. When I was teaching College engineering courses a couple of years ago, it certainly was baked into the entire system that every kid had a laptop. You didn't pass out paper, you put reading material online.

      1. Drew Scriver Silver badge

        Re: Nope

        What about high schools? It's likely that this tracking application will be used there also.

        Should mobile phones be a requirement there also? Will the schools (i.e. the taxpayers) provide them to the students? If $10 is an unreasonable burden for voting IDs, how could requiring a smart phone be considered reasonable if the parents have to incur the cost? It would certainly disenfranchise certain groups.

        Not to mention parental objections to smart phones in the classroom, or the adverse effects they often have on the education itself.

        Not that there is much of a risk of lowering the academic level of many schools in the USA. It's already near the bottom.

      2. Glen 1 Silver badge

        Re: Nope

        "you put reading material online."

        Given how many lecturers make money by writing the text books, make them required reading, then periodically change things so graduates can't sell them to this year's intake... I foresee a fair bit of pushback in the transition to online only.

        Of course, this is easily defeated by buying one copy for the whole class, scanning it, then distributing the PDF - to which the counter is to have the book as a requirement for the written exams, with no devices allowed... but I digress.

        (Sorry for the run-on sentences.)

      3. Anonymous Coward

        Re: Nope

        I know that 5 years ago at least that was not the case at the University of Edinburgh, having been peripherally involved in the fallout when a lecturer assumed all students could just install some software on their laptops (end-result: a short-notice addition to the student computer labs)

    2. HildyJ Silver badge
      Holmes

      Not an assumption

      In the States many universities require students to have a smartphone AND a computer (for which they will provide WiFi and the software the students are required to run).

      1. AMBxx Silver badge

        Re: Not an assumption

        It must be such a shock for all those 50 year olds retraining to be teachers. I could imagine turning up on my first day with a box of chalk.

        1. David Harper 1

          Re: Not an assumption

          That's a remarkable ageist comment, if I may say so as someone whose 50th birthday is now just a rapidly receding dot in the rear-view mirror and yet is perfectly at home with laptops, iPads, cellphones and the rest.

          1. Kientha

            Re: Not an assumption

            Even my Gran, who is very technophobic, gets on amazingly with her iPad, which she effectively uses as a laptop

          2. AMBxx Silver badge

            Re: Not an assumption

            It was a joke at my own expense, nothing ageist. I'm 52 BTW and felt very old when I was last in a school - all those new fangled projectors.

          3. Anonymous Coward

            Re: Not an assumption

            A friend of mine used to teach robotics at a University.

            The older members of the faculty could fill boards with all the mathematical notation governing robot arms. However, they struggled to use modern computers (with a GUI). Specifically, they struggled to use the e-learning system that was the main way the university expected them to interact with the students, including assignment submissions.

            Making it quite difficult for their students.

            1. Anonymous Coward

              Re: Not an assumption

              "Specifically, they struggled to use the e-learning system"

              Considering all of them are basically crap, I don't wonder that at all.

              Could you find *anyone* who *didn't* struggle with it? And how?

        2. This post has been deleted by its author

    3. Cuddles Silver badge

      Average tuition fees for a university course in the US are over $130,000. Then there are accommodation costs and other things in addition to that. If you are able to afford to attend university at all, having to buy a cheap phone and laptop as well is not going to be the thing that breaks your budget.

      1. Cliffwilliams44

        It's all borrowed money, so you might as well borrow for the laptop, smartphone and wireless service.

        And why not! The Democrats will forgive your student loans!

        Hey Dems, I paid mine off, do I get that money back?

        Dems: No, Shut up you damn racist!

        1. Mr Sceptical
          Pint

          FYI - in the UK student loans are supposed* to be written off after 30 years if you've not paid them back. It's on the basis you aren't earning enough to have benefitted from your degree in porcelain studies to burden you with lifelong debt, and society should be willing to share that for the greater good.

          What interest rate are US student loans at - full commercial rates or government (taxpayer) subsidised ones?

          * Obviously, the current system hasn't been in place that long, so who knows if it won't be 'updated' in line with longevity and the requirement to work into your 70s before you get a state pension anyway...

          PS. I used my student loan to buy a PC - money well spent! In those days, you repaid it by direct debit rather than the insane PAYE supplement we have now...

          Icon for time spent well, sort of.. - >>

          1. Moonrunner

            In some parts of Canada, they are higher than commercial, but good luck getting a commercial loan. Never forgiven. Bankruptcy won't save you, either.

          2. David Nash

            And the UK ones don't count towards any kind of credit scoring so they are not really a true "debt" in the sense that they are a burden. They are best regarded as a graduate tax which will be cancelled after 30 years at the most.

            1. Anonymous Coward

              It is exactly a graduate tax, the only reason we have all the cost and hassle of the student loans system is to avoid politicians having to use the word "tax".

              At the current rates of interest and tax you have to be earning something like £50,000 before you start reducing the overall amount of the "loan" + accumulated interest.

              1. Anonymous Coward

                It's a loan not because of an aversion to calling it a new "tax" but as a reaction to the increased mobility of workers and students. It was introduced when the UK was in the EU (with, then, no obvious likelihood of leaving assumed), so UK university places were open to all EU students on the same basis, so there was a perceived increased likelihood of UK graduates moving to jobs outside the UK where they would not be subject to any UK taxes.

                So by structuring a loan in a way where it is unlikely to be paid off in 30 years, at which point it is written off, the loan payments are effectively a proxy for a tax... except that, importantly, when a student takes out the loan they explicitly agree to informing HMRC if they ever move to another country, and also commit in that circumstance to making the required loan payments direct to HMRC while they are earning sufficient to make payments but are outside PAYE. If people don't do that then the missed payments roll up on their accounts along with penalties and interest charges, and these are not written off after 30 years.

        2. Hollerithevo Silver badge

          Sometimes you are the last soldier to die...

          At Eton, not exactly a progressive, liberal school, 'fagging', wherein younger boys were the fetch-and-carry 'servants' of the older boys and who were, for generations, mocked, bullied and even physically abused (I presume, to teach them to endure all of this as adults), was ended in I think the 1960s, when a generation of older boys decided it was distasteful and demeaning to all concerned. But some older boys, and the teachers, fought long for its retention, because dammit they had been bullied and abused when young and to take away their right, as survivors, to get justice by doing it to the next generation seemed outrageously unjust.

          Sometimes a better idea replaces a worse idea, and it seems unfair that you paid back your loan when younger generations could have that crippling burden removed from them. But sometimes one generation has to be the last to bear a burden. Why not rejoice that the evil ended with you and did not carry on?

      2. cornetman Silver badge

        > If you are able to afford to attend university at all, having to buy a cheap phone and laptop as well is not going to be the thing that breaks your budget.

        I knew someone was going to pull that one.

        Didn't it ever occur to you that having to find all that money for tuition and accommodation might be the reason that you can afford little else?

        Consider for once that most people attending full time education are generally not that well off, and rapidly putting themselves into decades of debt.

  2. The Man Who Fell To Earth Silver badge
    WTF?

    Follow the money

    One has to wonder if someone in the college Administration has financial ties to Aura as the explanation for picking a company with no track record & a crap app (CrApp ?).

    1. HildyJ Silver badge
      Facepalm

      Re: Follow the money

      I doubt this is a case of kickbacks. It's probably the thing that ElReg readers are very familiar with, albeit with more well known players. Vendors will claim that their software will do what is needed (even if it doesn't in its current state) and the one with the lowest price wins. Same as it ever was.

      1. 2+2=5 Silver badge

        Re: Follow the money

        > Nucleus Careers, LLC, is a recruiting company focused on machine learning and AI.

        They probably supplied the software for free in return for the details of people they will soon be able to target with job ads from their clients.

  3. Doctor Syntax Silver badge

    "The AWS keys are no longer present in that version, Q3w3e3 said."

    They may no longer be present but that in itself is no guarantee that the keys have been changed. Without Q3w3e3 or anyone else who'd copied them actually testing you'd just have to trust the company based on its past record.

    1. Korev Silver badge

      She sounds like she’s on the ball, I’d be surprised if she didn’t test them
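Doctor Syntax's point is testable: a key that has been removed from the app is still live until someone deactivates or deletes it in IAM. The following is an added example, not code from the article or from any commenter, that asks STS GetCallerIdentity whether a given key pair still authenticates. It signs the request by hand (SigV4) so it needs only the Python standard library; the function names `sign_get_caller_identity` and `key_status` are this example's own, and the key pair in the demo is the placeholder pair AWS prints in its documentation, not a real credential.

```python
"""Is a leaked AWS access key pair still live?

Added example (not from the article or from any commenter): calls STS
GetCallerIdentity with a hand-rolled SigV4 signature, so it needs nothing
beyond the Python standard library. The key pair in the demo is the
placeholder pair AWS publishes in its own documentation.
"""
import datetime
import hashlib
import hmac
import urllib.error
import urllib.request

STS_HOST = "sts.amazonaws.com"   # global endpoint; SigV4 scope uses us-east-1
REGION = "us-east-1"
SERVICE = "sts"
BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get_caller_identity(access_key: str, secret_key: str,
                             when: datetime.datetime) -> dict:
    """Build the SigV4-signed headers for a POST GetCallerIdentity request."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"

    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": STS_HOST,
        "x-amz-date": amz_date,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        "POST", "/", "",                       # method, path, empty query string
        canonical_headers, signed_headers,
        hashlib.sha256(BODY.encode()).hexdigest(),
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Signing key derivation: secret -> date -> region -> service -> aws4_request
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(),
                                        date_stamp), REGION), SERVICE),
                      "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(),
                         hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def key_status(access_key: str, secret_key: str) -> str:
    """Network call. Returns 'live', 'revoked', 'bad-secret' or 'error'."""
    headers = sign_get_caller_identity(
        access_key, secret_key, datetime.datetime.now(datetime.timezone.utc))
    req = urllib.request.Request(f"https://{STS_HOST}/", data=BODY.encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            # 200: the key still authenticates; the XML body names the
            # account and the ARN the key belongs to.
            return "live" if resp.status == 200 else "error"
    except urllib.error.HTTPError as e:
        body = e.read().decode(errors="replace")
        if e.code == 403 and "InvalidClientTokenId" in body:
            return "revoked"      # key id deleted or set to Inactive
        if e.code == 403 and "SignatureDoesNotMatch" in body:
            return "bad-secret"   # key id is still valid, secret is wrong
        return "error"
    except urllib.error.URLError:
        return "error"


if __name__ == "__main__":
    # AWS's documented placeholder pair, so STS rejects it.
    print(key_status("AKIAIOSFODNN7EXAMPLE",
                     "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"))
```

Run this only against keys you own or are authorised to test. A 'live' result means the pair is still usable by anyone who pulled it out of the old APK, and the fix is to deactivate the key in IAM, check CloudTrail for calls made with it, then delete it; a 'bad-secret' result still tells you the access key ID itself is valid and active. Removing the strings from the next app build, as in the article, changes none of that.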

  4. Mike 137 Silver badge

    Just another example of why

    We're never going to achieve cyber security until those implementing it are verifiably competent. I'm not holding my breath ...

    1. Doctor Syntax Silver badge

      Re: Just another example of why

      It makes no difference if they are when senior management find it too expensive, too inconvenient or just too unnecessary.

  5. Anonymous Coward

    Phone is not person

    "This protocol that STUDENTS ONLY are required to sign and abide by says that they will download an app that tracks their locations, that they will not leave campus for 14 weeks,"

    So they'll install it on a cheap phone, and leave that phone in the dorm when they go out to party.

    I'm not a fan of hi-tech boondoggles. They are more about the vendor selling their boondoggle, and the admin having something to show, than actually solving the problem. If you want them to stay on campus for 14 weeks, put a guard on the gate.

    1. Cliffwilliams44

      Re: Phone is not person

      The next thing will be transceivers, embedded in their butt cheeks. You must have one to attend Uni. Oh, and the cost is on you! Why the butt cheek? It makes it harder to extract. Can be embedded deeper and you need your mate to dig it out if you want to go out partying. Um, no!

      1. J. Cook Silver badge
        Coat

        Re: Phone is not person

        kinky!

    2. Doctor Syntax Silver badge

      Re: Phone is not person

      "If you want them to stay on campus for 14 weeks, put a guard on the gate."

      Or just close the place down for lack of students.

  6. ChrisElvidge

    Perfidious Albion?

    As title.

  7. DJV Silver badge

    Safe? Of course the app is safe!

    Well, until it's decisively proven that it isn't, by a data dump of student information appearing somewhere. Then Albion College will wheel out a brain-dead drone to state "The safety and security of our users remains our highest priority" when it patently isn't and that "no personally identifiable data has been disclosed" even though it's totally obvious to anyone with more than two brain cells to rub together that it has.

  8. Version 1.0 Silver badge
    Joke

    We don't need Track and Trace

    Just tell everyone to install TikTok, there's no need to create any special apps, in the modern world virtually every app on your phone provides this service.

  9. mmccul

    How many mishandled medical records?

    I seem to recall potential criminal liabilities for the mishandling of PHI data written into HIPAA from the training I get every six months at any company that potentially handles PHI. Yes, there are a few oddities and special cases related to reporting data about COVID more precisely than HIPAA normally allows, but I seriously doubt that the college is exempt from the rules requiring strict proper handling and penalties for mishandling and failure to report such mishandling.

    1. Anonymous Coward

      Re: How many mishandled medical records?

      "college is exempt from the rules requiring strict proper handling"

      There, I fixed it for you: It's a college, it's exempt from every responsibility derived from HIPAA.

  10. Chris the bean counter Bronze badge

    So Google and Apple do not search for these when approving an app?

    Should be quite simple to set up an automated way to find hardcoded login IDs for the principal cloud servers and password keys in general?

    If not, it must be easy for hackers to download apps to search for these security bugs? Or is the app code unreadable when downloaded from the app store?

    1. A random security guy Bronze badge

      Re: So Google and Apple do not search for these when approving an app?

      Yes. And a large % of the apps I have looked at have some kind of hardcoded credentials. The developers just shrug their shoulders.

      Our resident white hat hacker did a MITM on a medical device's TLS in 4 minutes after he started testing.
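To the question above about whether app code is readable once downloaded: an APK is a zip file, and its resources (including res/values/strings.xml) and Dalvik bytecode come out with tools such as apktool or jadx, so anyone can grep it. The following added example, not code from the article or from the app's makers, scans an unpacked app tree for hard-wired AWS credentials: it matches access key IDs by their fixed AKIA/ASIA prefix, then looks nearby for a 40-character token whose entropy is high enough to be a secret key rather than a hex digest or padding. The function names, the directory layout and the sample strings.xml are constructed for the demo; the key pair in it is the placeholder pair from AWS's documentation.

```python
"""Find hard-wired AWS credentials in an unpacked app.

Added example, not code from the article: point it at a directory such
as the output of `apktool d app.apk` (or an unzipped IPA). It matches AWS
access key ids by their fixed prefix and then looks nearby for a 40-char
high-entropy token shaped like the matching secret. The sample strings.xml
and the function names are constructed for the demo; the key pair is the
placeholder AWS uses in its own documentation.
"""
import math
import os
import re
import tempfile
from typing import Iterator

# IAM user keys start with AKIA, temporary STS keys with ASIA; both are 20 chars.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 chars from the base64 alphabet. Hex digests, build ids and
# padding have the same shape, so the entropy test below does the real filtering.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
WINDOW = 400         # chars either side of a key id in which to look for the secret
MIN_ENTROPY = 4.1    # bits/char; a 40-char hex string cannot exceed 4.0,
                     # real secrets come out around 4.5-5.0


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def find_credentials(text: str) -> list[dict]:
    """One dict per access key id found, with the best secret candidate (or None)."""
    hits = []
    for m in ACCESS_KEY_RE.finditer(text):
        window = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        secret = next((c.group(0) for c in SECRET_RE.finditer(window)
                       if shannon_entropy(c.group(0)) >= MIN_ENTROPY), None)
        hits.append({"access_key": m.group(0), "secret": secret, "offset": m.start()})
    return hits


def printable_runs(data: bytes, min_len: int = 20) -> str:
    """Keep only printable-ASCII runs, so classes.dex and .so files scan like text."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return "\n".join(r.decode("ascii") for r in re.findall(pattern, data))


def scan_tree(root: str) -> Iterator[tuple[str, dict]]:
    """Yield (path, hit) for every access key id found under `root`."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                for hit in find_credentials(printable_runs(fh.read())):
                    yield path, hit


# Constructed sample resembling res/values/strings.xml from a decoded APK.
# build_sha is the SHA-1 of the empty string: a 40-char decoy the entropy test rejects.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">CampusTracker</string>
    <string name="build_sha">da39a3ee5e6b4b0d3255bfef95601890afd80709</string>
    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
</resources>
"""


def demo() -> list[tuple[str, dict]]:
    """Write the sample into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        values = os.path.join(root, "res", "values")
        os.makedirs(values)
        with open(os.path.join(values, "strings.xml"), "w") as fh:
            fh.write(SAMPLE_STRINGS_XML)
        return [(os.path.relpath(p, root), h) for p, h in scan_tree(root)]


if __name__ == "__main__":
    for path, hit in demo():
        print(f"{path}: {hit['access_key']} secret={hit['secret']}")
```

The prefix match is what makes this cheap and precise: AWS access key IDs have a fixed format, so the only judgement call is pairing one with its secret, and the entropy threshold handles the common false positives (git SHAs, hashes in build metadata). The same pass over `classes.dex` catches keys concatenated in code rather than stored in resources, though anything assembled at runtime from fragments or fetched from a server will not show up and needs dynamic analysis instead.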

  11. A random security guy Bronze badge

    Why do they need all that information?

    Can they justify the need for all that information?

    Probably not.

    Wish we had GDPR. The app makers should be fired.

  12. Povl H. Pedersen

    Passwords ?

    No good app will have passwords.

    It will at best have API keys that are hardwired, and likely changed for each release so they can be used to track releases in use.

    The good thing with API keys is that they are applied before user validation, and before users get their access token, giving them access to only their own data.

    And you can block API keys, so basically killing 1 version of the software only. Or throttle them. Or other interesting things.

    Anything looking like a university should be aware, and do things the right way.


Biting the hand that feeds IT © 1998–2020