Please stop hard-wiring AWS credentials in your code. Looking at you, uni COVID-19 track-and-test app makers Albion College has a plan for students to return safely to campus this fall amid the COVID-19 coronavirus pandemic. It involves being tracked by an app that, at least until a few days ago, appears to have been insecure. The Michigan institution announced its plan on July 28, which calls for testing coordinated by Testing …
Although it's a fair assumption in the main these days, particularly among the yoof, I think that taking it for granted that all people carry and use a smartphone these days is still a bit of a stretch, and mandating it to get education is probably rather unfair, particularly if you are more accustomed to worrying about rent and food rather than phone plans.
Sorry, but in the US, I haven't seen a College or University for years (decades?) that didn't consider a laptop as a mandatory piece of equipment. When I was teaching College engineering courses a couple of years ago, it certainly was baked into the entire system that every kid had a laptop. You didn't pass out paper, you put reading material online.
What about high schools? It's likely that this tracking application will be used there also.
Should mobile phones be a requirement there also? Will the schools (i.e. the taxpayers) provide them to the students? If $10 is an unreasonable burden for voting IDs, how could requiring a smart phone be considered reasonable if the parents have to incur the cost? It would certainly disenfranchise certain groups.
Not to mention parental objections to smart phones in the classroom, or the adverse effects they often have on the education itself.
Not that there is much of a risk of lowering the academic level of many schools in the USA. It's already near the bottom.
"you put reading material online."
Given how many lecturers make money by writing the text books, make them required reading, then periodically change things so graduates can't sell them to this years intake... I foresee a fair bit of pushback in the transition to online only.
Of course, this is easily defeated by buying one copy for the whole class, scanning it, then distributing the PDF - to which the counter is to have the book as a requirement for the written exams, with no devices allowed... but I digress.
(Sorry for the run-on sentences.)
I know that 5 years ago at least that was not the case at the University of Edinburgh, having been peripherally involved in the fallout when a lecturer assumed all students could just install some software on their laptops (end-result: a short-notice addition to the student computer labs)
A friend of mine used to teach robotics at a University.
The older members of the faculty could fill boards with all the mathematical notation governing robot arms. However, they struggled to use modern computers (with a GUI). Specifically, they struggled to use the e-learning system that was the main way the university expected them to interact with the students, including assignment submissions.
Making it quite difficult for their students.
This post has been deleted by its author
Average tuition fees for a university course in the US are over $130,000. Then there are accomodation costs and other things in addition to that. If you are able to afford to attend university at all, having to buy a cheap phone and laptop as well is not going to be thing that breaks your budget.
FYI - in the UK student loans are supposed* to written off after 30 years if you've not paid them back. It's on the basis you aren't earning enough to have benefitted from your degree in pocelain studies to burden you with lifelong debt and society should be willing to share that for the greater good.
What interest rate are US student loans at - full commercial rates or government (taxpayer) subsidised ones?
* Obviously, the current system hasn't been in place that long, so who knows if it won't be 'updated' in line with longeveity and the requirement to work into your 70s before you get a state pension anyway...
PS. I used my student loan to buy a PC - money well spent! In those days, you repaid it by direct debit rather than the insane PAYE supplement we have now...
Icon for time spent well, sort of.. - >>
It is exactly a graduate tax, the only reason we have all the cost and hassle of the student loans system is to avoid politicians having to use the word "tax".
At the current rates of interest and tax you have to be earning something like £50,000 before you start reducing the overall amount of the "loan" + accumulated interest.
Its a loan not because of an aversion to calling it a new "tax" but a reaction to the increased mobility of workers and students - it was introduced when the UK was in the EU (with then an assumed no obvious likelihood of leaving) so UK university places were open to all EU students on the same basis so there was a perceived increased likelihood of UK graduates moving to jobs outside the UK where they would not be subject to any UK taxes. So by structuring a loan in a way where it is unlikely to be piad off in 30 years at which point they are written off the loan payments are effectively a proxy for a tax .... except that importantly when a student takes out the load they explicitly agree to informing HMRC if they ever move to another country and also commit in that circumstance to making the required loan payments direct to HMRC while they are earning sufficient to make payments but are outside PAYE. If people don't do that then the missed payments roll up on their accounts along with penalties and interest charges and these are not written off after 30 years.
At Eton, not exactly a progressive, liberal school, 'fagging', wherein younger boys were the fetch-and-carry 'servants' of the older boys and who were, for generations, mocked, bullied and even physically abused (I resume to teach them to endure all of this as adults), was ended in I think the 1960s, when a generation of older boys decided it was distasteful and demeaning to all concerned. But some older boys, and the teachers, fought long for its retention, because dammit they had been bullied and abused when young and to take away their right, as survivors, to get justice by doing it to the next generation seemed outrageously unjust.
Sometimes a better idea replaces a worse idea, and it seems unfair that you paid back your loan when younger generations could have that crippling burden removed from them. But sometimes one generation has to be the last to bear a burden. Why not rejoice that the evil ended with you and did not carry on?
> If you are able to afford to attend university at all, having to buy a cheap phone and laptop as well is not going to be thing that breaks your budget.
I knew someone was going to pull that one.
Didn't it ever occur to you that having to find all that money for tuition and accommodation might be the reason that you can afford little else?
Consider for once that most people attending full time education are generally not that well off, and rapidly putting themselves into decades of debt.
I doubt this is a case of kickbacks. It's probably the thing that ElReg readers are very familiar with, albeit with more well known players. Vendors will claim that their software will do what is needed (even if it doesn't in its current state) and the one with the lowest price wins.Same as it ever was.
"The AWS keys are no longer present in that version, Q3w3e3 said."
They may no longer be present but that in itself is no guarantee that the keys have been changed. Without Q3w3e3 or anyone else who'd copied them actually testing you'd just have to trust the company based on its past record.
"This protocol that STUDENTS ONLY are required to sign and abide by says that they will download an app that tracks their locations, that they will not leave campus for 14 weeks,"
So they'll install it on a cheap phone, and leave that phone in the dorm when they go out to party.
I'm not a fan of hi-tech boondongles. They are more about the vendor selling their boondongle, and the admin having something to show, than actually solving the problem. If you want them to stay on campus for 14 weeks, put a guard on the gate.
The next thing will be transceivers, embedded in their but cheeks. You must have one to attend Uni. Oh and the cost is on you! Why the butt cheek? It makes it harder to extract. Can be embedded deeper and you need your mate to dig it out it you want to go out partying. Um, no!
Well, until it's decisively proven that it isn't, by a data dump of student information appearing somewhere. Then Albion College will wheel out a brain-dead drone to state "The safety and security of our users remains our highest priority" when it patently isn't and that "no personally identifiable data has been disclosed" even though it's totally obvious to anyone with more than two brain cells to rub together that it has.
I seem to recall potential criminal liabilities for the mishandling of PHI data written into HIPAA from the training I get evey six months at any company that potentially handles PHI. Yes, there are a few oddities and special cases related to reporting data about COVID more precisely than HIPAA normally allows, but I seriously doubt that the college is exempt from the rules requiring strict proper handling and penalties for mishandling and failure to report such mishandling.
Should be quite simple to set up an automated way to find hardcoded login IDs for the principal cloud servers and password keys in general ?
If not must be easy for hackers to download apps to search for these security bugs? or is the app code unreadable when downloaded from app store ?
Yes. And large % of the apps I have looked at have some kind of hardcoded credentials. The developers just shrug their shoulders.
Our resident white hat hacker did a MITM on a medical device's TLS in 4 minutes after he started testing.
No good app will have passwords.
It will at best have API keys that are hardwired, and likely changed for each release so they can be used to track releases in use.
The good things with API keys is, that they are applied before user validation, and before users gets their access token, giving them access to only their own data.
And you can block API keys, so basicly killing 1 version of the software only. Or throttle them. Or other interesting things.
Anything looking like a university should be aware, and do things the right way.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
