The spyware that Impero supplies to UK schools — which searches kids’ Internet use for “jihadi” terms — uses “password” as its default password, and the company has threatened brutal legal reprisals against the researcher who repeatedly demonstrated their total security negligence.
Zammis Clark posted his findings to GitHub (they’ve been removed). The company’s lawyers, Gately, threatened action against him for violating their terms of service (which ban reverse engineering, the gold standard for testing the security of a technology) and for copyright infringement under the UK equivalent of the DMCA, which contains a version of section 1201’s anti-circumvention clause.
Spying on kids is a terrible way to solve your problems. Spying on them with incompetent, insecure malware that lets anyone with half a brain hijack their computers, storage, keystrokes, mics, and cameras? That’s just evil.
Clark has been given until 17 July to act on the demands in the letter. He says he isn’t sure how he’ll respond. “Obviously, to researchers, a legal threat just says that ‘we do not work with security researchers at all’, causing a security researcher to either go straight to full disclosure, or worse, not look at the software at all, which would mean potentially security issues would not be found, or worse, be found by blackhats [malicious hackers].”
All of which leaves the two parties at an awkward impasse. Whilst he says he was unsure of where he would responsibly disclose the issue, should Clark have made private contact first? Perhaps. But Impero’s decision to ban anyone from reverse engineering its code in its terms and conditions is designed to prevent outsiders from poking holes in the technology. That’s anathema to a research community that works on the premise they are permitted to hack everything as long as they’re not doing so for malicious gain, only to highlight threats in the name of security.
This ‘Anti-Radicalisation’ Tech Teachers Use To Monitor Kids Has A Shocking Security Hole [Thomas Fox-Brewster/Forbes]