Covid hit us by surprise. Okay, we were warned several times by authors, scientists, and Hollywood, but anyway.
We learned fast that it is not that good to gather around, and started to go back home. From my point of view as a software developer, I always tended to work from home. Staying in an office was something that took place in the dark medieval ages of computer science. And company owners who tend to gather their people had better go to a therapy that solves trust issues. But also – anyway!
Malta was ahead of its time and started an initiative that gave every student in the republic a more or less useful device to keep track of school during lockdowns. Sounds good?
It is! So why the ranting?
The design of the tablets was the first issue. This device cannot be used and charged at the same time. It took me a while to figure out that attaching the charger while using the device is only possible when it is charged to 100%. I wrote to the “vendor” in Malta that a simple OTA update could solve it fast, since it was just a wrong configuration. I got no answer.
Later I got some information (not official – I did some investigations on my own) that this tablet was bought from a Chinese white-label vendor that does things like MediaTab (which was popular with Swiss retailers 6 years ago), and this means it is always delivered with badly designed software by default. Later they changed to a new vendor or model. The new tablets look like a Samsung clone, which works better but feels a bit like something you can buy at Wish.
The next big thing:
I keep track of what my kids are consuming over the Internet. Everything in my home network is tailored for security and content filtering, which makes the Chinese government look like a bloody beginner. And what is the government doing? They add the original YouTube app on the devices. Content filtering like YouTube Kids is not available. My younger son came back and quoted clips from the Netflix show “Squid Game”. When I asked where this was coming from, he answered that they did “Youtube and Chill” with the devices during the breaks. He is a very young boy – far away from the rating age of this kind of media. Thank you, Ministry of Education Malta, for planning things.
Now comes the funny part:
My oldest son’s Teams account was accidentally set to the wrong class and school. So he couldn’t get the information that was posted on the channels of the class and school he is in. I wrote a message to the head of his school, asking them to solve the small issue (in the end, just a click in Microsoft AD is needed to solve it).
The next day an admin showed up in school and did some things on the LearnPad. My son gave me the LearnPad because his password was invalid afterwards – maybe that happened during the process. So I created a new password for his account, and surprise: the wrong Teams groups showed up again. So I had a new password to manage, but the issue I mentioned before wasn’t solved. Thank you for that.
I wrote to the head of school again. This time he answered fast and said that I have to call the Ministry for Education. (Update: The head of school told me to call the number written on the device. The person on the line told me to call the Ministry of Education.)
I did it. They told me to call the Institute for Education (ICT) after a lot of questions.
After a few questions asked by the Institute for Education (ICT), they sent me to the Digital Literacy Centre.
After a few attempts to get the Digital Literacy Centre on the line, I stopped and got back to the Ministry for Education.
The Ministry for Education told me again that I have to get to the Institute for Education (ICT). So I called the Institute for Education (ICT) again. They explained to me again that I have to call the Digital Literacy Centre. With some social engineering, he provided me with the email address: email@example.com
I don’t know if the story is over now – but well – let’s take a deeper look at it.
What happens when there is a data breach? Malware? Grooming? How could you manage to keep your kids away from foreign Teams users, since Teams opened up for users that were not part of the domain? Child abuse – did anyone notice this?
During the whole process, I didn’t meet anyone who is responsible for the Teams accounts. Nobody takes care of security (even of data and the users – kids). That a big country like Germany has a lot of chaotic processes is a result of a lot of areas and has grown over the years. And they have – I love my Twitter for that. It gives me a lot of laughs at least. But a very young process with a simple Active Directory for about 450k people (if we just take the number of citizens). What actually happens is dangerous and messy from the view of a computer scientist.
I’m not sure what would happen if I touched the structure with real pentest setups. I’d better not try.
Sorry – this is rubbish. A clear F on the test.
During my investigation, I checked if it is possible to contact my child with an anonymous account in Teams on the LearnPad provided by the Ministry of Education. It is easily possible for everyone to get in touch with our kids. The doors for grooming and child abuse are wide open for every kid that is using the ilearn.edu.mt accounts.
I tried to file it at the Ministry of Education without success. Responsible disclosure was not possible!
By mistake I wrote firstname.lastname@example.org – this is wrong. The Email is email@example.com.
Also, the head of school told me to call the number written on the tablet (this number asked me to call the Ministry of Education)… Sorry for that 🙂
They did it. My oldest son was (re)added to the right school and class in Teams.