Quick-Take on the Zoom Fiasco in Texas High Schools

This morning I received a notification from Katy ISD that they were experiencing outages with their video conferencing platform, Zoom. I later learnt of the incident at MacArthur High School in San Antonio, Texas, in which an intruder spent 40 minutes remotely sharing racist and sexual content with a high school class. The intruder used the name of a real student to get access to the Zoom geometry class. I assume Katy ISD's “outage issue” was related to this incident, and that it was a precautionary step.

What happened at MacArthur High School is known as VTC hijacking – video teleconference hijacking – although most refer to it as “Zoombombing”. It involves intruders connecting to sessions or classes and disrupting them by sharing pornographic and/or hate images and speech. The problem became so prevalent that the FBI issued a warning on March 30th 2020, including some quick guidelines for people to follow to avoid this.

For those who don't know, Zoom is a video conferencing platform, and the company behind it is currently valued at approx. $80 billion – 4x more than at the beginning of the year, mainly driven by the wave of remote work done by organizations and schools alike. The founder of the company is now worth close to $10 billion. Other providers, like Microsoft, which makes Microsoft Teams, also provide video conferencing platforms. What sets them apart is that Zoom has had numerous serious security incidents (do a quick Google search on “zoom security incident” and “Zoombombing” to learn more).

Let’s face it – in today’s situation we do need many students to connect via a video conferencing platform. But exposing our children to “zoombombing” like this is not acceptable under any circumstance. The good news is that it is not necessary, either: the exposure is mostly due to incompetence and is perfectly avoidable.

I’d like to offer 4 quick-takes on a letter sent to parents by MacArthur High School principal Pete Martinez:

1. Don’t blame the students. Your statement “In addition, please take some time to remind your children of proper behavior while on virtual learning and to avoid sharing or displaying on media, their zoom links and their names” attempts to deflect from the real problem here – which is that you are using a video conference platform with a long track record of disturbing security incidents, and you use it in a way that is inherently insecure. This is not a problem created by the students, it is a problem created by you.

2. Don’t blame the teachers. Teachers are our heroes, but let's face it – not all heroes are technology heroes. That is what you have an IT department for. “We have discussed with our teachers the importance of monitoring all the students’ screens while bringing students into the virtual classroom. In addition, we are addressing this situation directly with the teacher of this class.” Yes, this should not have gone on for 40 minutes undetected, I agree. But fix the systemic issue that allowed this to happen first – if your policy was to verify people only by name before letting them into the virtual classroom, how was the teacher supposed to know this was an intruder?

3. Take Responsibility and Fix It! To clean this up, first ensure that all school virtual classrooms are secured and require properly authenticated accounts (user names and passwords, not just a link that is easily distributed to bad actors). Why do school students connect to unsecured meetings? Convenience and cost – but I am sorry, those are not good enough reasons.

4. Fix the Massive Privacy Crater enabled by the Texas Public Information Act. According to the Texas Public Information Act, anyone who wants to can request and receive directory information containing student names, addresses, telephone numbers, photographs, and more from the public schools that our children attend. It is a privacy disaster that is magnified by the default values used when citizens register their children for school.

At the end of the day, this is primarily a management and policy failure, and secondarily an IT failure. Similar situations can easily be avoided with an honest and proactive focus on information security and privacy.
