The scope of all the following arguments is for equipment owned by the school, or equipment approved to use at school. This post is not promoting policies for personal devices used solely at home, nor is this post addressing devices that may be used for entertainment or non-academic purposes.
Ransomware, in its most basic form, is self-explanatory. Data is captured, encrypted, and held for ransom until a fee is paid. The two most common forms of ransomware delivery are through email and websites.~ https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html
Ransomware is scary. Ransomware, once it begins to propagate, becomes more about survival and mitigation and less about prevention.
I have thought about how to advise K12 schools around the world how to prepare for ransomware. I have concluded that there are only two approaches everyone can follow: Reduce or Completely Remove Windows and Create Very Inconvenient Backups of Data.
Reduce or Completely Remove Windows
I decided to compile known types of ransomware. I stopped at 106 identified types. Here is a graph, and link to the sources, that demonstrate what operating systems are vulnerable:
If you want to do the math:
- 106 Ransomware programs
- 100 Target Windows Operating Systems
- 93%-94% of Targets are Windows Operating Systems
- Using Windows is Riskier than Using other Systems
“Riskier” is a little weak in this case. It is very likely that Windows users will be a target, it is very unlikely that Apple and Chromebook users will be a target.
If the goal is to live in a relatively peaceful ransomware free environment, then the majority of end-users need to be using Apple or Chrome-based devices (Linux varieties are also an option for a subset of users).
There are tools for Windows that help defend and protect against ransomware. However, nothing is better than not being attacked at all.
Create Very Inconvenient Backups of Data
Every time I ask an IT director or IT manager about backups, they claim they are 100% compliant and 100% able to deal with any problems. I have never believed my planning was close to 100%, nor have I ever believed I could restore 100% of all data. I would say, at my best, I am 60%-70% certain that I can restore 80%-90% of data.
Data. Not operating systems and settings. Data. Not the software that was installed. Just all the data consisting of but not limited to documents, databases, movies, music, pictures, special configuration files, scripts and code, and the inclusive content of all websites.
There is only one question a person needs to ask to confirm if backups are safe from ransomware: “Can the backup be accessed right now if we need it?”.
If the answer is ‘Yes’, then backups are going to be vulnerable.
There should be at least two layers of backups. Layer one can be data that is backed-up and accessible on the network, in the cloud, and/or from normal workstations. Meaning, someone can sit down and create or restore a laptop, database, etc by following a workflow at their desk.
Layer two backups are inconvenient. These backups are stored outside of the normal network. These backups are scheduled and not even accessible by network administrators without taking extra steps. These backups require some level of multifactor authentication or even a physical lock and key.
Layer two backups also need to be tested at least monthly (this is only recommended for K12 schools most businesses need to test more frequently; school districts would need to test very often and on a predetermined schedule).
Tests need to include:
- Data restoration
- Data access and use
- A scan for malware, ransomware, etc
- An iterative process to consistently reduce the size of backups
- An archival process to store data that will most likely never be needed, but is legally required to store
- Imagination. Because you never know where you will be and what the situation will be when you need to access these backups
A very low tech approach to a layer two back-up could include someone taking an external drive to the data source, moving the data manually, and then locking the drive in a safe. Do not overthink this, just start doing it and keep improving the process. If you can access these backups from your workstation, then those backups are vulnerable by definition.
If ransomware happens, and the data cannot be decrypted, this layer two data would be safe as it would be offline. Layer one backups may stay secure, but layer two backups will be secure unless you are victim of very bad timing.
The cybersecurity industry is rapidly developing better protocols for handling ransomware. Staying educated and studying cases is not only essential, but it should also be scheduled into the cycle of work at least once every 6-8 weeks.
The data above could change. An uptick in ransomware for Chrome or Apple of even 1% is enough to review internal processes and procedures. Until then though, get the number of Windows OS users down and make better backups.
Start Your Research Here
Ransomware: Best Practices for Prevention and Response
Cybersecurity Part 2 will be featured in the Tie Magazine. After it is released, I will post the article on the blog.
I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or networksecurity defenses by looking for vulnerabilities. These are usuallyweaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest
As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.
Finding a Good Pentester
School: We are looking for someone to help test our security.
Pentester: Great. I can do that ( credentials and background presented).
School: What do you need?
Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…
What is wrong here?
Here is how this should go
School: We are looking for someone to help test our security.
Pentester: Great. I can do that ( credentials and background presented).
School: What do you need?
Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline.
A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.
There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events. If you provide and manage laptops, a good pentester will need one of the school’s laptops.
These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable.
Doing Your Own Testing
I have a list of standards schools should work towards to be secure. Some these do not always connect well to third party services, public-facing websites, etc.
Over the last few months, I have developed a checklist for pentesting K12 school websites and resources.
|Subscription and Services Discovery||Can your subscriptions and services be easily discovered?|
|Files Exposed to the Public||Are there files publicly available that supposed to be private?|
|Calendars Exposed to the Public||Is calendar data that should be private, private?|
|Staff and/or Student Email Harvesting||Can your staff and/or student PII be used to create a database for phishing and spamming?|
|Portals and SIS||Are your portals and SIS properly secured and difficult to brute force attack?|
|Websites and Social Media||Are websites and social media properly secured; is the media being used legally and correctly?|
|Cloud Services||Have cloud services been properly secured?|
|Third-Party Sharing||Is anyone sharing your content and do they have permission?|
|FTP, SSH, and Telnet||Are any of these protocols a threat to your school via publically accessible information?|
|Email Blacklist||Is your email domain blacklisted?|
|Email Header Check||Is there any data in your header that could be anonymous or lead to blacklisting?|
|Email Catch-All for Non Existent Emails||Is your email set up to catch any email that does not exist and alert someone?|
|SMTP Relay||Is your email system running services that would allow an attacker to use your email for a criminal act; send an email on someone’s behalf?|
|4xx and 5xx Error Check||Do the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users?|
|HTML Forms||Are any HTML Forms vulnerable to low-level URL based attacks? (Will also review CAPTCHA.)|
I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents.
In other words, avoid jargon and lingo.
Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.
If you do not know what is actually dangerous, then everything could be sold as dangerous.
I have noticed an uptick recently in schools moving resources, money and time, to address cybersecurity concerns. The motivation for addressing security issues is genuine, but the approach and implementations I am reading about are less than effective.
Over the next few weeks, I will be writing a series of posts to address what schools should do to improve cybersecurity. Nearly every suggestion will require a change in process or culture, but not any significant financial investment.
Even if you’ve got all the bells and whistles when it comes to securing your data center, your cloud deployments, your building’s physical security, and you’ve invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).
Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. ~ https://www.csoonline.com/article/2124681/what-is-social-engineering.html
Physical access to any space is the holy grail. Hacking begins with collecting information, watching people, finding the weak links within the organization, and studying how systems and people work.
Having an open friendly campuses means exposing information systems to a variety of threats that exist outside the network controls.
Allowing students, teachers, and staff to freely move around campus with few limitations or consequences, creates multiple opportunities for data to be collected on areas of the campus that generally are part of the plant or backend operations. These areas are designed for small teams of workers to keep the campus running, and these areas allow access to systems that control things like water, gas, electricity, etc. The plans and operational guides for these areas are not public, but people taking a regular stroll through these spaces eventually collect enough information to execute an exploit.
Maybe the exploit is simply students finding a way to sneak off-campus, but when one group creates a loophole, another group has the opportunity to use it. Social engineering practitioners are looking for loopholes and they are looking to mix with trusted groups of people. Their access begins with a bad policy or the improper enforcement of a policy.
It is far easier to use social engineering tactics to attack a school’s data and assets than to try and exploit the network externally. Not only is it easier, it is less risky. Generally, school policy is granting a person physical access, and therefore they are not trespassing. Whereas any attempt to breach the network would be a crime.
Before worrying about the network, the cameras, and the technology as a whole, it is imperative to reduce physical access and to design policies that balance community with access.
Defending Against Social Engineering in a Friendly Manner
Schools are not banks or government facilities. They are generally friendly and trusting environments. Implementing security measures should not create a panic, and should not create a culture a fear. Every measure taken needs to connect to another logical reason that the community can understand. Here are some ways you can reduce the risk of threats through social engineering:
- Let everyone know, they are free to call security and report anyone or anything they see that seems “off.” This means, not punishing people if they misidentify someone. Make the process easy, and make certain security personnel follow through and keep records. Social engineering often requires a few visits to a campus, and studying reports could identify a pattern.
- Lunchtime is always important on a school campus. Set a simple policy for business and operational offices to either rotate their lunchtimes and /or lock their offices. Lunchtime rotation is an excellent countermeasure. It ensures that every day, a few people are always in an office, the offices are open so people can access services, and the schedule of activity is difficult to predict. An example would be the following: Four people work in accounting. On Mondays, Wednesdays, and Fridays, person 1 and 3 choose to do lunch at 11:30AM; On those days person 2 and 4 choose to do lunch at 12:30 PM. Locking offices for an hour is safe, but it is not going to be as popular as using a rotation.
- Any closet or room containing computer network equipment, phone system equipment, etc. should not be used for storage. Why is this important? Because the moment a room or closet is accessible for storage, the number of people who will be opening the door becomes unpredictable. The equipment in that space would allow easy access to all the data that flows through the school. A common mistake schools make, is to use these network/electrical closets to store cleaning supplies. Cleaners are usually very friendly and trying to help people, as well as maintain safety. So, if I wanted to access the closet and exploit the network, I would create a spill of liquid and wait for the cleaner to get into the closet. I might even distract them long enough to slide a small piece of paper between the lock and door jamb. The cleaner is doing their job, and I have gained access to the space after the cleaner is finished.
- Guests/Parents should have their own network. It goes without saying that allowing anyone aside from students and employees on the academic network is risky. A guest network SSID is highly recommended if the public or parents are allowed to use the WiFi. The more I consider this, the more I believe that a better policy is to simply improve the mobile network reception, and direct people to use their own data. A school can invest in repeaters and other technology to make the mobile signals from various providers strong and robust. Schools can also use services like Kajeet to deploy better mobile access. In many cases, schools qualify for FREE mobile hotspots. Why spend time and resources giving the public and parents access to limited and/or filtered academic networks anyway? Using mobile reduces the chances of a data breach, and virtually eliminates the liability a school would incur.
- Encourage and incentivize teachers to work outside their offices, in higher traffic areas. Teachers know each other, they know parents, and they know students. Teachers also have good instincts for spotting odd behavior. These statements are from anecdotal evidence, but if you have worked at a school for a long enough time, then you realize teachers are truly on the pulse of the organization. Teachers working in school cafes, libraries, etc see and hear more than they would if they are isolated in offices. Setting up conference rooms with glass walls, or creating PD opportunities in more public venues would greatly improve the random and increased presence of teachers on-campus. Remember, the idea is to create unpredictable patterns and to make it more difficult for someone to find a weakness and the confidence to act. The mere presence of staff in public spaces is a deterrent.
- Assume a good Social Engineer can get on-campus with an ID check, and plan accordingly. The core group defending against social engineering would most likely be the security team, operations team, and technology team. They should work together to plan scenarios and action plans. School leadership needs to make certain that those teams are focusing on those individuals who have enough skills to get through the external layer of security. Making assumptions that the camera system, front gate ID check, etc., will somehow prevent access, is going to create a false sense of security. Good social engineering requires imagination and creative thinking. Good defense will require the same.
- Work with parents to test your security and access. Parents want what is best for the school and their children. Parents also have come from a variety of backgrounds. They are a trusted group that will be honest and help measure improvements.
- Educate yourself first, and seek outside advice second. There is a massive amount of information about social engineering. It is worth educating a core group of people on security topics so they can inform practice and direct consultants. Remember, consults will only be useful until they leave. Build your team, and give them the time they need to learn. Much of what people need to know is free, time is the only factor.
I hope this posts stirs the pot and creates some discussion on school campuses. I am placing some resources below, including some very informative and entertaining videos on the subject of social engineering and physical penetration testing.
I am happy to do a live debate on this subject or webinar for anyone interested. Please email me at email@example.com
- DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (w speaker)- https://www.youtube.com/watch?v=JsVtHqICeKE
- I’ll Let Myself In: Tactics of Physical Pen Testers- https://www.youtube.com/watch?v=rnmcRTnTNC8
- What is Social Engineering: https://www.csoonline.com/article/2124681/what-is-social-engineering.html
- Passwords are Still a Problem: https://www.nextgov.com/cybersecurity/2019/01/why-computer-passwords-are-still-problem-2019/154086/
- Cybersecurity Stats: https://www.varonis.com/blog/cybersecurity-statistics/
Often in leadership, it is difficult to keep those important connections that once motivated us to work in education. Meetings, software, cloud platforms, and numerous other tasks can easily overwhelm a schedule and make it difficult to connect with students in a meaningful way.
Here are some ideas and strategies I use to keep student connections strong.
Walk and Engage
Every day I plan a route to walk through the campus. While I walk, I make it a point to engage with students. I like to approach them, and often surprise them, and ask them what they are doing, what they are working on, what is “ridiculous” in math class, etc.
If they are playing games I put away the adult hat and ask them about the game. I want to know if it is challenging, does it teach anything, is it just a distraction, do they think they are addicted to playing, and so on.
Occasionally there is a comment or revelation that allows me to interject an idea or opportunity into their field of view. This casual approach helps me spot trends in the student community, get new ideas, and find students who might be looking for some additional non-academic opportunities.
Join a Club
To be honest, I normally start clubs, but it is a better strategy to join a club. As an administrator, weekly club meetings can be tough to facilitate. As a member and mentor, club meetings are manageable.
Joining a club as a novice who knows nothing is great. Students get to instruct the adult and take a few cheap shots when you make a mistake. All in good fun, but it really helps build the relationship when the equal footing is found.
Build a Student Support Team for Everything
It does not matter if you are an administrator in IT, college counseling, the library, etc. You can build a student support team. Identify students who have free periods, free time, and an interest in what your department is doing. Train these students to work with you and your team, and give them some space to make suggests. Eventually, they will be managing projects.
I have started supported teams from US Grade Level 5 and seen growth and success. Children can do amazing things, even if they refuse to do their homework.
Maintaining a solid foundation in any profession is important. Many in education chose that path because of the benefits of working with children. If you lose that foundation, you will lose your joy, and when that happens cafeteria food will taste much worse than it is.
I am not one to recommend products. However, lately I have come to realize that since Apple removed all the useful ports on their laptops, I am reliant on a single $2.00 piece of hardware: a USB C-Port Adapter. This little piece of plastic magic makes my workflow work.
This tool is a simple design at a modest price point, yet, it is often the solution that moves a project from idea to reality. I connect dozens of devices using this technology bridge in order to deliver curriculum, podcasts, 3D printed objects, etc.
The most remarkable quality this small island of magic possesses is that is constantly reminds me that we do not need solve problems via upgrades. We should be solving problems with technology and educational technology by tightening our workflows and being resourceful.
There seems to be a constant insistence that X is not fast enough, or Y is not dependable. I constantly hear people state that the equipment they have in 2019 cannot solve a 2001 problem. The issue is rarely the stuff, the issue is usually the workflow.
Try Something New with Something Old
Here is an exercise I would recommend everyone try on their campus. This can be done for fun, as club, or as some type of fun challenge.
Have departments, staff, students, and other community members submit some issues or problems that continue to linger in the classrooms (learning spaces). Appoint a small team to review the problems, and choose one.
Finally, put this problem out to those willing to compete for a solution with the following criteria:
- The total budget that can be used to solve the problem must be less than $10.00 (or equivalent)
- Solving the problem using used equipment, materials, recyclables, etc. earns teams extra points
- Using school owned equipment to plan and produce a solution is required; donations are not allowed
Professionally, I actually try to follow this process all the time. The items above are on a personal check-list. My goal is to model a solution using existing resources.
What if It Works?
Often real solutions arise that are functional, but below standard. That is not a bad thing. The school has empowered a community driven development cycle, and created a working prototype under the umbrella of healthy competition. There are no losers in this game, everyone learns, and everyone wins.
In fact, if a school can continue to improve the process, and raise the standard internally, the outcome would be a community built and maintained solution. Older students can keep the momentum going as long as school mentors and leaders provide regular oversight.
Small Solutions have Real Power
This small solution below, is actually very important to my workflow.
No one needs to build a Tesla to change the world for the better. It is important to develop a philosophy of empowering students and teachers to create small things that improve daily workflows, increase efficiency, and add comfort and entertainment to the campus.
Start small. Ask questions. Find a problem. Make a prototype. Change the world.
By: Tony DePrato | Follow me on LinkedIn
Plagiarism is serious issue for most high schools. It is rare to find a school without a detailed plagiarism policy. Most of these policies have a few tiers, because it is common for students to commit plagiarism more than once in their academic career.
Unfortunately, the tools educators rely on only cover a small portion of things students can plagiarize. In the last decade I have seen inauthentic:
- Computer Science projects
- Art projects
- Math internal assessments (IB)
- Research papers with a perfect Turn It In score
- Foreign language course work
- 3D printing
In many of these cases, the student and their parents argued that the work was not plagiarized. These people had full legal ownership of the end product, because they paid for the work, or paid for someone to help guide the work.
The work is often a result of tutoring, where the student did technically do the work, but was aided along the way. Sometimes this support did result in the tutor physically contributing to the final product.
These situations are complicated. They are well beyond someone simply copying an academic paper.
Identifying Inauthentic Work and Projects
As soon as I mention plagiarism, people are quick to react. In every conversation, people ask me, “How did you know it was not their work?” or “How did you prove they did not do it on their own?”.
I find the first problem with most project-based planning is a lack of pre-assessment. Students need a baseline assessment. Teachers should be assessing projects on some sort of trendline. The measurements being used need to monitor growth, and not simply check off rubric boxes.
If teachers set baseline assessments for every project, they can clearly find students who are developing seemingly accelerated skills in a very short time. If the teacher suspects a problem, they can require all the students to do an in-class timed assignment. These assignments need to encourage the students to practice their skills without risking their grades. Students who have been submitting inauthentic work will most likely show signs of stress, become angry, and/or ask to leave the room.
Rubrics Can Be a Roadmap for Cheating
Rubrics should guide students toward a standard, but they should be flexible enough that the end result is a product of a student’s imagination and creativity. In fact, if a student has a great idea, the rubric could be put to the side (a discussion for another time.)
I have seen an increase in teachers providing students with highly detailed rubrics, designed to meet detailed criteria. In those cases, it does seem as if the teacher would like all the student work to be nearly identical. Those highly detailed rubrics are essentially a blueprint for a tutor.
Rubrics that leave no room for personalization, are going to increase cheating. There is a sense that students need to be trusted, and educators must trust students to make good decisions. However, schools usually do not let students use phones during exams, or walk into copy rooms with cameras. Why? Because they are young and impulsive. They will sometimes make bad choices, and simply using good practice to remove temptation is not a violation of trust.
Projects are Assessments, Plan them Accordingly
Many schools have an assessment calendar or planner. These are used to ensure students do not have three or four tests (or exams) on a single day. Projects are often left off of these planning documents. I have made this mistake numerous times leading project-based courses.
Project due dates are often pushed and changed, and therefore the final due date may shift. Adding a due date to an assessment calendar requires other teachers to plan their assessments around those dates. Changing those dates can create havoc. Not being able to change those dates can impact students who need more time, or were denied time due to some unforeseen past issue.
When students feel the pressure of a final project they might make the choice to seek outside help. Having a tutor is not plagiarism, but often project-based disciplines lead to the tutor doing the work on behalf of the student.
Planning projects with three or four important due dates allows student work to be assessed in stages and reduces the risk of missing the final deadline. I personally feel that having multiple stages reduces stress, although my evidence is purely anecdotal.
Current technology and online services cannot identify cheating within project-based courses. Teachers need to know their students, and plan accordingly to reduce those impulsive and misguided choices teenagers often make.
By: Tony DePrato | Follow me on LinkedIn
Stress at the start of the school year is normal. I firmly believe that a positive start leads to a positive year. Here are some suggestions I like to give to people at the start of the year.
What do you need to start the school year?
Students. Teachers. And a place for them to meet. Many of the things people stress about are not required to actually start the school year. Remember, not everything can be the most important. If everything is critical, and everything is a priority, then nothing is a priority.
No, really, what do you need to start the school year?
Here is a core checklist for the school start-up:
- A roster of students who should be attending
- A roster of students who left, to make certain they do not return without re-enrollment
- Schedules (or at least a plan for the first week while scheduling is being sorted)
- Lunch planning needs to be sorted and should be running smoothly; food is important; the communal time is important
- Two to three weeks of lesson plans that can be executed with the resources from the previous year
- Buddies for new staff, with a simple schedule to keep them connected and interacting
- Short meetings scheduled to touch base on facilities issues; administrators should take the issues down and get everyone back to work
- If the technology is being unreliable, remove layers of complexity, and simply give people access to the internet; new management protocols and summer updates can take weeks to sort out
- Keep students connecting socially, and offline; build community first and the curriculum will be easier to deliver
Consider Staying Offline for a Few Days
For students under USA grade level 3, I would keep them offline for 2-3 weeks. Focus on social interactivity, building a relationship with their teachers, and learning how everything works within the learning environment.
For students in who are USA grade levels 3 -5 and middle school grades 6-8, I would keep them offline for at least a week. I would make sure they do a full review of the school’s AUP and Digital Citizenship program.
High school students in USA grade levels 12 and 11 should be the main focus of IT for the first two days of school. Grades 9-10 can wait. Once the upper grade technology is sorted, move down to 9-10. Remember, high school students are flexible, and they can meet IT for support in varying intervals. High school should be all online within the first four days of school.
The Big Bang is Not Good for Stress
The Big Bang Implementation Approach (big bang), is something schools tend to do annually. Basically, they try to do everything for everyone at once. For example, connecting all BYOD devices K-12 in one day. Think about who needs access, and when they need it. Consider the curriculum. What percentage of a grade level’s content is only available with a device in hand? Do the higher percentages first, and the rest later following a steady pace.
Communicate the planning to everyone. Take a breath. And keep the school start steady, positive, and peaceful.
By: Tony DePrato | Follow me on LinkedIn
Not every problem has a solution. Maybe a better way to express that idea is not every problem has a solution within its current construct.
Sometimes, the rules, the structure, and/or the environment are opposed to the solution. Trying and trying again will be an endless cycle; and gains will be replaced by more and more losses.
If you cannot win the game, you need to change the game you are playing.
Finding the Correct Question(s) to Ask
Recently I was reading a comment thread about a housing situation. The situation was ridiculous. I could not think of a single country or job situation where this type of agreement would be acceptable. In fact, it seemed illegal, and more like a scam than a contractual housing issue.
The person in the situation was asking, “What can I do to manage my financial loss in this situation?”
That was the wrong question to ask. This person was focusing on the result of a bad contract. The question they should be asking is, “How can I get out of this contract?”
The contract is/was the issue. If you beat the financial loss with a loophole, another jab will come from another direction. How do I know this? Because the contract is a scam. The scammer needs the scam. The scammer will not take a loss.
In another recent situation, I had 100s of devices start to fail. The software just stopped working. Initially, I was trying to fix the devices. That seems normal, but my choice was wrong.
I only attempted to fix the problem for about 45 minutes. Then I took a step back and asked myself, “What causes 100s of stable devices to systematically fail?”
There was pressure to keep trying to fix each device. I resisted. I knew that if I fixed them, they would fail again. I knew this, because a system wide failure is not created by something on one device. It had to be external.
The problem was external. It took two weeks of paperwork and the support of a two external companies to correct the issue. There was no way for me to solve the problem. The problem was unsolvable within my environment. I had to change the process, and the entire workflow, to bring everything back online.
Avoid Being Locked Into the Past
Many people get locked into a process or workflow. They get so locked in, they never look-up, the never reflect, and they always want to carry their environment with them into the future.
When this happens they spend all their time trying to make their past work in the present.
Technology can be fascinating. It is one of the only areas of the human experience where older solutions are often actually better and more evolved than current solutions. People who are locked in on a process are not always wrong. Their older solution is better compared to the new solution.
The problem is, technology solutions are often abandoned. Developers stop developing. Companies stop supporting. Licensing stops being available. Eventually, the solution does not work unless you bring the entire version of the past into the present. The software. The hardware. Everything. Not only is this not practical, eventually everyone involved is alienated except the “time-traveler”.
I have seen a school running a version of PowerSchool too old to be viable outside of the school’s local network. It was so old, it could not be upgraded using new releases from PowerSchool. So old that PowerSchool would not provide support. And, so old that it eventually did not meet data security standards for any of the other partners the school was using.
This particular implementation had amazing features. It was customized beyond normal limits. It was also something that no parent or student wanted to use anymore. The largest user groups wanted a change, and the only solution was a completely new information system. That also means the school had to hire a new department of people. Those who kept their system living well beyond its life were too entrenched to change.
Reflecting on decisions on a regular basis, and having critical input from others, will prevent these scenarios. And this type of complete rebuild scenario is common. It is far too common, and it is destructive.
A Bad Deal, is a Bad Deal
Education is often seen as an industry that does not follow common business strategy. In many cases, this is true and unavoidable. Schools do not get to choose perfect children. Schools work with students, and sometimes at great cost, to help them grow and develop.
However, the business processes, procurement planning, and infrastructural systems do not need to operate irresponsibly for educational goals to be achieved. Planning to be inefficient, and being content to lose, is not a benefit to any child.
I have seen many bad deals, bad contracts, and predatory vendor relationships. These situations create unsolvable problems. The game is rigged. The school is often getting a poor value with a low to zero return on investment.
I had the unfortunate luck of managing a bad printing contract for a school. The school had made a deal with a third-party for Xerox solutions. Xerox has their own sales force and service, so why would anyone need a third party?
The contractor not only could not manage the hardware, they had no idea how the software worked, they were not aware of all the requirements needed for an Apple Computer environment, and they did not understand the accounting system connected to the service.
What was my solution? Remove the contractor. Instead of trying to fix the printers, I spent every moment collecting evidence and documenting breaches of the contract. I eventually made a strong case, and the school switched to a direct partner relationship.
There was no win-win. The contract was bad. The situation was impossible.
No matter how much we want something to work, or be a solution, there is a point in the process where we need to step back. We need to ask, is this worth it? Is there a better way? Are we driving the process, or is it driving us?
By: Tony DePrato | Follow me on Twitter @tdeprato
Developing STEM and STEAM programs (Science Technology Engineering/Art Mathematics) is very exciting, but I have noticed recently there is a lack of cohesive standards to measure progress.
Like many people, I am working on building a set of standards. Some are customized, and some are licensed.
In my research, and through various networking engagements, I have settled on a set of core skills that need to be incorporated throughout the STEAM environment. The standards are being built around these skills.
I have found more engagement among students if the skills are presented first. The skills tend to fuel the desire for hands on work. I also want students to not focus on grades and common rubric models. I want them to focus on creating and going through the design process.
These skills have been developed by the MIT FabLab Program. The FabLab has been operating for well over a decade, and many FabLab partners have developed programs for younger students as well.
The overall philosophy is to learn the skills at every level, but increase the difficulty and complexity within the projects as students gain experience.
|DIGITAL FABRICATION PRINCIPLES AND PRACTICES|
|COMPUTER-AIDED DESIGN, MANUFACTURING, AND MODELING|
|COMPUTER-CONTROLLED CUTTING / Drawing|
|ELECTRONICS DESIGN AND PRODUCTION|
|3D MOLDING AND CASTING|
|COLLABORATIVE TECHNICAL DEVELOPMENT AND PROJECT MANAGEMENT|
|3D SCANNING AND PRINTING|
|SENSORS, ACTUATORS, AND DISPLAYS|
|INTERFACE AND APPLICATION PROGRAMMING|
|EMBEDDED NETWORKING AND COMMUNICATIONS|
|DIGITAL FABRICATION APPLICATIONS AND IMPLICATIONS|
|INVENTION, INTELLECTUAL PROPERTY, AND BUSINESS MODELS|
|DIGITAL FABRICATION PROJECT DEVELOPMENT|
Looking at this list, it might seem impossible to imagine a Grade 3 or even Grade 8 students accomplishing these in a meaningful way. I would argue that all are achievable at least at the planning and design thinking stage. Most of these are achievable with the correct level or equipment and/or some creative outsourcing.
Gamification has been a buzzword at conferences for some time. I have finally found an fairly universal way to “gamify” the list and formally track progress.
As students learn a core skill at different levels, their progress as a class or individual can be color coded.
For better analysis, the color bands can also connect to numeric values. There are many ways to approach tracking. Even curriculum mapping systems can do this.
The best part about this structure, is each school can decide what their levels mean for their students.
I look at this as age independent. It is very possible for a grade 5 student to be a beginner in many skills, and have completed others at a level. It is also very likely that many older students who have never attempted STEAM topics, would fine they can quickly master Levels 1-3, while struggling with the final two levels.
As a student, I would like to see this type of grid and work towards being in the all green club :).
As a teacher, I would like to have students be all green, and after the smiles settle, add Level 6.
If you are inclined, share how you are measuring STEAM and STEM skills or standards. You can do this in the comments, or email me directly. I will post all ideas and give you full credit. ~ firstname.lastname@example.org