Moving at the Speed of Creativity by Wesley Fryer

Addressing concerns about Ning open social networking vulnerability

I posted the following memo to our Celebrate Oklahoma Voices learning community this afternoon, in response to questions raised by a school district official and a company providing content filtering services for some of our Oklahoma school districts. This is also available as a PDF file. See my November 11, 2008, post “Making the case for a safe, moderated learning community for Oklahoma schools” for part 1.

To: Celebrate Oklahoma Voices Project Participants
From: Wesley Fryer
Date: November 17, 2008
RE: Learning Community Website Issues – Part 2

Some members of our COV advisory committee have had additional discussions with Oklahoma school district personnel as well as commercial vendors who provide content filtering services for Oklahoma schools about whitelisting our COV learning community websites per the Nov 11th instructions and memo published last week. This memo is a response to those new questions which have been raised.

QUESTION ABOUT OPEN SOCIAL AUTHENTICATION

Our Celebrate Oklahoma Voices learning community currently uses (along with other websites created with Ning.com) the open social authentication protocol: http://en.wikipedia.org/wiki/OpenSocial

One of the commercial vendors serving Oklahoma school districts participating in the COV project has pointed out there is a “fairly obscure vulnerability” which permits users, once the http://api.ning.com domain has been opened/whitelisted, to access content from social networking websites such as Friendster, Myspace, Orkut, Ning, and others using scripts/hacks for the open social authentication protocol. The following question came up: “Given this obscure vulnerability, should our school district keep all Ning.com websites blocked including Celebrate Oklahoma Voices?”

EXPLANATION AND RECOMMENDATIONS

Use of this exploit is analogous to student use of a proxy service to obtain access to websites which are blocked via the school’s content filter. Here are several things to think about and keep in mind with regard to this question and situation.

1. Recognizing this exploit is analogous to student use of a proxy service and is (according to the commercial vendor who raised this issue) a “fairly obscure vulnerability,” COV project facilitators recommend that school district personnel weigh the tremendous benefits and value of providing teachers and students in their district with access to the moderated content and moderated learning community which is COV in contrast to the limited potential of this obscure vulnerability to be exploited by students to access inappropriate/officially filtered web content. We recommend school officials continue to monitor student Internet use and deal with students utilizing web scripts/hacks which exploit this vulnerability in the same way other students are disciplined who use web proxy services to bypass the school content filter. We recommend school officials continue to permit access and use of the moderated COV learning community by whitelisting http://celebrateoklahoma.us and http://api.ning.com.

2. If an Oklahoma school district’s administrators are adamant that the risks posed by this “fairly obscure vulnerability” are excessive and not tolerable, there is a content filtering work-around which can still provide teachers and students with access to the COV learning community. This access can be handled in two ways:

A. If the school district has implemented authentication for web access (also referred to as “differentiated content filtering”) where teachers are permitted different/more permissive access rights to Internet websites than students, then port 443 (ssl) access to the https://celebrateoklahoma.us and https://api.ning.com domains can be authorized/permitted on the content filter for teachers, but denied for students. Students, however, can STILL be permitted to have port 80 (standard http) access to these web domains. Unauthenticated port 80 access to these sites still permits students to view videos and other content on the COV learning community, but does not permit the posting of new content or commenting.

B. If the school has NOT implemented a scheme for differentiated content filtering, then read-only access to the COV learning community can still be provided by permitting port 80-only access to the above cited websites and prohibiting port 443 (ssl) access. This is NOT the access COV project facilitators prefer or recommend for school districts, but compared to “completely blocking / banning” the COV website from all educator and student access, this limited read-only access IS preferable.

3. From the perspective of legal mandates (CIPA, COPPA, FRCP, etc) schools are NOT required to block student access to all social networking websites. While many Oklahoma schools do block access to social networking websites, this is not required by law. Schools CAN therefore (as also addressed in our memo from 11 Nov 2008) legally permit access to our COV moderated learning community.

4. It is important to remember there is no substitute for face-to-face relationships and conversations with students to address issues of digital ethics and citizenship. In virtually all our Oklahoma schools today, some students are utilizing proxy websites and services to circumvent district-imposed content filters. Schools are required by law to have a content filtering policy in place and enforce that policy. These good-faith efforts comply with the mandates of federal and state laws regarding Internet access on school networks. No technological policy or procedure for content filtering Internet websites is guaranteed to be 100 percent effective, however. When users are granted ANY access to the Internet, some risk is accepted for those users accessing content which may be inappropriate or undesirable.

As leaders and officials in our schools and organizations, it is important that we move forward in helping equip students with the skills they need to become responsible and ethical citizens in our community, state, nation and world. In many of our Oklahoma school districts today, the level of censorship enforced and authorized by school administrators is more severe than that imposed by the Communist, totalitarian government of China. School district officials must walk a line balancing the expectations of citizens in our free society on the one hand, and the need to protect students, teachers, and the organization itself from harm and liability risks on the other. This is a formidable challenge.

Our focus in our Oklahoma schools must be not only on protecting our people, resources and organizations, but also facilitating the processes of creating, collaborating, and communicating with digital tools. Our schools should be digitally relevant learning spaces for teachers as well as students. By providing access to the Celebrate Oklahoma Voices learning community as well as project, school officials can take important steps forward in meeting these challenges and priorities alongside other Oklahomans committed to the best interests of our students, their educational future, and our shared future as creative Oklahomans.

If you have questions regarding these issues or recommendations, please do not hesitate to contact me toll free at 888-501-2059, or by email at wes [at] oklahomaheritage [dot] com.
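The filtering rules in options 2A and 2B above can be modeled as a small decision function. This is an added example, not part of the original memo and not the configuration of any filtering product; the `decide` function, its `role` and `differentiated` parameters, and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hosts the memo asks districts to whitelist.
COV_HOSTS = {"celebrateoklahoma.us", "api.ning.com"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def decide(url, role="student", differentiated=True):
    """Return "allow" or "deny" for one request under options 2A / 2B.

    role and differentiated are hypothetical inputs of this model, not
    settings of any real content-filtering product.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "deny"
    scheme = parts.scheme
    if scheme not in DEFAULT_PORTS:
        return "deny"
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # Exact host match only: a suffix or substring test would also admit
    # other *.ning.com networks and look-alike host names.
    host = (parts.hostname or "").rstrip(".")
    if host not in COV_HOSTS:
        return "deny"
    if (scheme, port) == ("http", 80):
        return "allow"  # read-only browsing for everyone (2A and 2B)
    if (scheme, port) == ("https", 443):
        # 2A: authenticated teachers only; 2B: nobody gets SSL access.
        return "allow" if differentiated and role == "teacher" else "deny"
    return "deny"


# Constructed sample requests (paths are made up for illustration).
SAMPLES = [
    ("student", "http://celebrateoklahoma.us/video/1"),
    ("student", "https://api.ning.com/login"),
    ("teacher", "https://api.ning.com/login"),
    ("teacher", "http://othernetwork.ning.com/"),
]


def run_samples(differentiated=True):
    """Evaluate every sample; differentiated=False models option 2B."""
    return [(r, u, decide(u, r, differentiated)) for r, u in SAMPLES]


if __name__ == "__main__":
    for row in run_samples():
        print(*row)
```
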

Comments

2 responses to “Addressing concerns about Ning open social networking vulnerability”

  1. Christy Tvarok Green

    Wes,
    Thank you so much for the information. This is an on-going debate in my district. “How do we allow staff/students access to online collaborative sites while still protecting staff/students from ‘inappropriate communication’ and protect the district from liability.” We are making progress in the area, but it’s unfortunately slow going. We don’t have a technology supervisor, and our IT team is conservative (understandably so), so we have no full time advocate for the movement, except for a few technology teachers. We are a K-8 district so some sites are just not appropriate for our young students. However, I’m a firm advocate for allowing teachers access to these tools to advance their own PD, while having the power to post on behalf of their students if necessary. I will most definitely pass this on to our curriculum director and IT team! Thanks again!

  2. Chad Bruns

    Ning is absolutely awesome for teaching. It allows for so much collaboration and communication all for free!! It’s the best thing to ever happen to my class. Luckily my school does not block it.