Wednesday, June 22, 2011

The Summer Pain of Snow Days

Today is June 22, 2011, and it is the last day of school for my kids. Their cousins in Utah have been out since late May. Up until today, every time they chat with each other online via Skype, XBox Live, etc, the Utah cousins say something to the effect of, "You're still in school? That's totally lame."

I am inclined to agree. Running the school year out 2/3 of the way through June and one day past the official start of summer borders on torturous.

What causes this summer pain? Snow days. We typically have 2-3 snow days every year. In a good year we have 0 and in a bad year we have 6. This year was 3.5 (yes, they did a half day back in November). This March the Lake Washington School District (LWSD) sent out a news release and letter to parents announcing the revised schedule.

An excerpt from the article: "The district is required by state law to provide 180 days of school.... One of the November snow days was a scheduled half day and the last day of school was scheduled as a half day. If both half days were combined into one full day, the district would only be offering 179 days of school. This unusual schedule, with two half days at the end of the school year, keeps the district in compliance with state law."

Yes, there is a state-mandated number of days and hours that students must be in class. This puts the principals/superintendent in a difficult position. They have to balance the safety of transporting students to school during winter weather with the state-mandated time spent with "butts in the seats," to use a travel industry term.

In the Seattle area we don't get enough snow to have an army of plows at the ready every time it snows like they do in the Midwest and other northern states that have severe winter for months at a time. We get a low amount of snow every year (average 12" TOTAL for a year) and it typically melts off within 24-72 hours anyway. Some people call it "inclement weather" but it's only "inclement" if it doesn't happen every year, which it almost always does.

To make up for the missed snow days some districts have to build in a certain number of "snow day make-up days" through the year. In the LWSD they do not have this policy. They do have 10 school days off for winter break, 3 days off for "mid-winter break" (some call it "ski weekend", I call it Presidents Day Weekend), 5 days off for "spring break," and 3 other days spread throughout the year for "teacher training" (LEAP days). These days off are written into teacher contracts and "not negotiable". In other words, if there is a snow day they tack it onto the end of the year instead of cancelling mid-winter break, shortening Spring Break, or cancelling a LEAP day. Gotta love those teachers' unions.

So what do our students do during these make-up days? In LWSD final grades for the year are due on June 15. That was 5 school days ago. What have they been doing for the past 5 days? Let me put it this way...

The next time there's a day that is "almost" a snow day, I'm going to call the principal and ask him what movie my kids will be watching during their class party. ...because all they do on snow make-up days is have parties and watch @#$%! movies!!! No, I'm not kidding. I'll post an update later with the list of movies that my kids watched in their STATE MANDATED snow make-up days.

Here's an issue my wife brought up: "Last Monday (2 school days ago) our oldest son's class cleaned the classroom and stacked the desks. Um...They have two more days. Just what are they going to do? Oh right, copyrighted movies distributed for home use. See the mandatory warning at the beginning of the DVD you ...can't skip? Thank you LWSD for teaching my kids how to ignore the law. I asked one of the teachers and they brushed it off. Why can't they turn it into a learning experience? Yes they watched a few movies based on books they read during the year, how was it different from the book? Can they write about the locations seen in the movie? Would you like to live there? etc. ARGGGGG."

OK, I'm done venting. It feels good to finally put this out in the public sphere. Maybe someday I'll tone down my remarks a bit and send them off to Randy Dorn, the Washington State Superintendent of Public Instruction. If they are going to extend the school year, TEACH my children, don't entertain them. If I want them entertained I'll keep them home and give them my own supervised entertainment like I do every Family Night.

Sony PSN and Data Security

This got lost in my "Drafts" folder...

I work at a large company doing data systems engineering and architecture. One of the major components of my job is data security so when I hear of a security breach at a major online service my ears perk up.

The news doesn't look good. What Sony initially acknowledged only as a service interruption has escalated into an "external intrusion." In other words, they were hacked. PWN3D. People are already complaining about fraud and the lawsuits are lining up even before the dust settles. What did the hackers get? The investigation is ongoing but this is the list so far-

  • Your personal profile information: Name, email, birthday

  • Your PSN login information (username/password and answers to security questions)

What might have been taken-

  • Your purchase history on PSN

  • Your billing information: home address

Was credit card data accessed? Yes, but it was encrypted. Were the hackers able to read the encrypted data? Sony is still investigating.

Even though Sony has a major black eye right now, here is where Sony is shining:

  • They are doing a complete service rebuild from the ground up. This is Security 101: when you are compromised in a major way, instead of trying to ferret out every intrusion point, piece of malware, and hacked admin account, just rebuild the entire thing. They are maintaining evidence where necessary to investigate and cooperate with law enforcement but they also have a service to run. The only way to know that your service is not compromised is to go back to a known good state, which means re-imaging every server in your datacenter from a known-good copy and starting fresh.

  • They are being open and honest about what happened and the possible consequences to the point of advising everyone to watch their credit reports and credit card accounts for unusual activity.

It took weeks to recover and bring the site back up only to be taken down again... and again... and again.

What does this mean to the information security world?

  1. Encrypt or at least hash your passwords BEFORE you store them in the DB.

  2. Teach your IT guys appropriate security practices

  3. AUDIT, AUDIT, AUDIT. And when you are done, AUDIT SOME MORE.

  4. Teach your users to TRUST NO ONE. When you receive an attachment from someone call them up and ask them: did you mean to send me this document (in Excel format with an embedded malicious flash component)? (that's how RSA was hacked)
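
Item 1 in practice, as an added example (not code from the original post or from Sony): the password and the security-question answer, both of which the post lists as taken, are stored only as salted scrypt hashes. The table layout, function names and scrypt cost parameters are assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed scrypt cost parameters for this example; tune for your hardware.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}

def hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash; the plaintext itself is never stored."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)

def normalize_answer(answer: str) -> str:
    """Security answers are matched case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())

def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (username TEXT PRIMARY KEY, "
        "pw_salt BLOB, pw_hash BLOB, ans_salt BLOB, ans_hash BLOB)"
    )
    return db

def register(db, username, password, answer):
    # Fresh random salt per secret, so equal passwords give different hashes.
    pw_salt, ans_salt = os.urandom(16), os.urandom(16)
    db.execute(
        "INSERT INTO accounts VALUES (?, ?, ?, ?, ?)",
        (username, pw_salt, hash_secret(password, pw_salt),
         ans_salt, hash_secret(normalize_answer(answer), ans_salt)),
    )

def verify(db, username, secret, kind="pw"):
    # Column names come from this fixed dict, never from user input.
    cols = {"pw": "pw_salt, pw_hash", "ans": "ans_salt, ans_hash"}[kind]
    row = db.execute(
        f"SELECT {cols} FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    if kind == "ans":
        secret = normalize_answer(secret)
    return hmac.compare_digest(hash_secret(secret, row[0]), row[1])

if __name__ == "__main__":
    db = open_store()
    register(db, "alice", "correct horse", " Blue  Heron ")  # constructed sample account
    print(verify(db, "alice", "correct horse"), verify(db, "alice", "blue heron", "ans"))
```

A copy of this table gives an attacker salts and hashes to grind through one guess at a time, not a list of reusable passwords and security answers.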

Will the Sony debacle blow over? Of course. Will people ever forgive them for screwing up and come back to the PSN? Of course they will. People want to play games and Sony has a popular (albeit #2) game console. The public forgets all the time. They will eventually forget when the next ultra-cool, can't-miss game comes out as a PS3 exclusive.

But will the industry ever be the same? People are already calling 2011 the "Golden Age of Hacking." Exploits are no longer being bragged about by hackers to show who is the best: they are hiding them close to the vest and selling them off to the highest bidder or embedding them in malware that is then sold on the web to spammers and would-be botnet controllers.

Wake up people, tighten your belts and gird your loins. The advanced persistent threat is here to stay. Only good development practices, sound security policies, and self-analysis will win the day.