¶ Intro / Opening
How'd your family handle that?
They were grossed out. Very grossed out. As was I. My stomach kind of did a thing.
I was going to say, I think I might have vomited.
¶ Podcast Introduction
On tonight's episode of the K-12 Tech Talk Podcast, Chris learns to look before he licks. We discuss some updates to the PowerSchool breach, and we spend the majority of the episode talking about the changes we'd like to see in K-12 technology practices that we think will have the most impact on district cybersecurity. Thanks for listening.
Live from the NTP studios, this is the K12 Tech Talk Podcast. This is episode 198, two away from the big 200. We'll talk about that too. I am Josh, tech director in Missouri, been at it for, uh, wow, more than 10 years, on the downhill slide. With me is Chris. You are also from Missouri, you were also a tech director. Yeah.
Yeah, I am.
And hello, Mark. You're wearing a, is that a, is that a crocheted, uh, head warmer? Yeah.
It's, it's cold. It's New England. It's like, what are we at, negative seven today?
¶ Cold Weather Conversations
Cold. We were cold earlier this week. Not that cold, but we were cold earlier this week. Chris's water froze.
Did it really? It did.
We, you know, we were talking before the show. Oh, first let me talk about NTP.
Guys like water, by the way. So I knew exactly what to do when it froze.
Oh, I had no idea. I was like, I don't know.
The water is not turning on. How many times did people joke with you, did you pay your bill? Yeah.
Can you unplug the water? No, I don't know.
Uh, so NTP, one of our biggest sponsors. They've been with us for a while now. Uh, I had lunch with David. He texted me yesterday out of the blue at like nine o'clock. He's like, hey, you want to do lunch? Okay, yeah, sure, let's do lunch, David. So, uh, we met. Um, we had a good conversation. Two, two things, um, I took away from this conversation with David yesterday. One, he swears that he could give away or, well, probably sell headshots of us when he goes to visit with K-12 customers. For sure.
They're so excited. And, you know, have you met Mark? Yeah, so we need to have headshots made and autograph and give them to David when he goes out for site visits. The other thing, David made a comment that, well, and Zach, his son was with him, that they love listening to the podcast and keeping up to date on episodes because they feel like they have to.
Because when they go to visit a customer and they ask a question about David's competitive rock skipping or competitive wall climbing skills, they can't look like they don't know what they're talking about. An inside joke, David really does not do competitive wall climbing or rock skipping, but he did swear to me that he is a very good rock skipper yesterday. So, no, it was a really good lunch with David. NTP, they sell SentinelOne services, SOC services.
They'll monitor your network like a SIEM, however you pronounce that. And I just got a new tool from David called TVM. Not real sure what the acronym stands for. Probably like Threat Vulnerability Management, something along those lines.
That sounds perfect.
It sounds great for what it does. Low decline on all your machines. It'll look at the software installed, tell you which ones have CVEs, what patches need to be applied. And then it'll also roll those patches for you. The other really cool thing is there is a standardization feature where it'll tell you how your settings comply with critical controls like CIS's IG1, 2, 3 and a couple other NIST standards and a couple other standards. I spent some good time today rolling through the CIS settings,
and it literally told me, hey, you need to check these firewall settings. It's a policy. This is the setting you're looking for. Bam. I'm now CIS rule XYZ compliant. Like, amazing tool. Amazing tool. So Chris is probably tired of me talking about it because I've done nothing but talk about it for the last two days.
And then you started sending screenshots. It's been a lot.
Yeah.
I do.
It's been a lot.
Yeah. It's cool.
If you get a hold of NTP, ask for K12 Tech Pro or K12 Tech Talk Podcast special pricing, and he'll hook you up.
Maybe he'll send you a headshot.
Headshot.
¶ Chris’s Disney Adventure
All right. Chris, you're back from Disney with lightsaber in tow.
I built a lightsaber. I picked red. I want power.
Really?
Yeah, it's who I am. I want to come green. I have pride issues and I want glory. It was really a self, like, you really learn about yourself when you're building the lightsaber.
You know who else picked red this week? America.
And the only thing I'll say to that, Mark is so we left Orlando, had a layover in DC. I was telling my son, Chase, that you get to say that like you're, it was on inauguration day. I was like, we're going to DC for inauguration day. And then like they metered the flights and there was a winter weather advisory and they weren't letting planes in and we were in DC for a total of like 10 minutes. But we were there.
How cold was it?
I didn't go outside to know. I heard it was very cold. I heard it was very cold. Really.
Okay. I mean, because I, never mind.
¶ The Barbecue Sauce Incident
Oh, Mark, if I can refrain, you can refrain.
Okay, you guys, you guys should refrain. My only story, too, that I'll tell a partial story and then we'll move on. Uh, at, at Disney. I won't tell the second part of this. It's just going to be one of those whatever, but true story. We ate at this alien whatever restaurant, I think it was like the aliens, a Toy Story whatever, I think. Um, ate some good chicken strips and stuff. Uh, relaxing, and my wife Stephanie's like, is that ketchup or blood on your hand? And I thought that was a ridiculous
question. I'm not gonna be bleeding. So I full send a lick on my hand, uh, what I thought was gonna be ketchup, but it was barbecue sauce instead. And you might be wondering, why does that matter, Chris? Well, it matters because I did not consume, I did not consume barbecue sauce while I was eating my chicken strips and fries. And then my brain's processing that, and I look over at the alien trash can, uh, and it's dripping in barbecue sauce. I had just thrown
away our trays. Uh, so I full sent the lick of someone else's barbecue sauce trash.
Can. Barbecue sauce trash.
I, I ate barbecue sauce off of a trash can. You
might as well just lick the trash can.
I mean, they're different colors. The color on your hand didn't, like, clue you, like, that's not ketchup.
I don't know. No, I did, don't know. Anyway, he
was in the zone. He was in the Disney zone, man. He didn't, he wasn't seeing colors. He wasn't.
How'd your family handle that?
They were grossed out. Uh, very grossed out. As was I. My stomach kind of did a, I
was gonna say, I think I might have vomited.
Had a great time, though. But that lightsaber, it's sweet. It's actually in my office at the school now. Well,
sure. You got to keep the bad guys away. Sweet.
Like sweet, like barbecue sauce.
Anyway, anyway, was
it, never mind. Uh, so, Mark, again, every week you just knock it out of the park curating these stories. Out of the park. Have you guys heard that phrase before? He knocked it out of the park. Of
course I have.
I live
in Boston. It was
a joke. We
knock it out of the park all the time here in Boston. Yeah. Whatever.
All right.
Step on up here, news boy.
News. All right. We got some AI. We got some cybersecurity. And yeah. What do you want to start with?
I like AI.
Yeah. All right.
¶ AI and Cybersecurity Risks
This is a fun one because it's not K-12. But like when you think about this one and how it can apply to K-12, it scares you. So there's a data protection company called Harmonic Security, and they analyzed some corporate companies' usage of AI, and what they found was pretty interesting and alarming. So I'm going to go through this one. Now, again, this is corporate data. This is not K-12. But if you think about how this could be transitioned over to K-12, it'll frighten you a little bit.
So they analyzed prompts from Copilot, ChatGPT, Gemini, Claude, Perplexity, Anthropic, and the majority of prompts that people entered in are obviously pretty mundane. But what they did find is 8.5% of prompts posed potential security risks.
And I'm going to break down, of that 8.5%, what categories these things fall into. So 46% exposed customer data. So billing, authentication information, potentially employee client confidentiality information that users were entering into prompts, into AI. I would say if that were K-12, you're talking about teachers entering in student data into that. That's 46, almost half of the prompts that they found that were concerning. That's only, 9% were customer data.
27% were employee data. So payroll details, personal identifiers, and even requests for AI-assisted performance reviews. So you better be sure teachers are doing that, too, in K-12. Or, you know, I got to do my teacher evaluation, upload all this kind of stuff to teach our student evaluations and IEP stuff, all that kind of stuff. This is where it gets really, really scary. 15% contained legal and finance information. So pipeline data, investment portfolios, mergers and acquisition activity.
Oh, wow.
It gets worse. 7% was security data, penetration test results.
Oh my God.
Network configurations, incident reports.
Yeah, make me more efficient with that report.
And then the last six percent was sensitive code, like access keys and proprietary source code. So that's, wow, private sector usage of it. I would, I would guess that those numbers are probably going to be, uh, increasing a little bit if you were to analyze K-12 data. So that's, that's one in 10 prompts into AI was potentially exposing sensitive customer, employee data in the private sector. I
just did a demo with my curriculum director with one of the, or the, fastest growing, most used K-12 AIs. We're looking at pricing for students and staff, kind of thing. So we have people using the free account right now. So part of the demo was they're showing who's using it.
Sure.
And the top 10 list, I believe it was three or four of 10 were all special services people that would be writing IEPs and different things.
And yeah, what are they putting in there? I don't know. Um, but it raises some questions, uh, very quickly, because I wouldn't say that we have professionally developed, uh, our teachers well just yet about, you know, what to be putting into AI. So, yeah, for the, I think it was number two was a very surprising, oh wow, what are they using that so much for? And then, you know, that their job responsibilities, uh, are with data. Yeah. So this, I'd see this, I'm like, oh yeah, I bet, I bet we'd be surprised, right? Oh,
yeah, that's not good. All right, all right, Mark, your favorite topic. What is it? What
let's quickly
¶ PowerSchool Breach Update
I was gonna go to the FCC, but let's, okay, let's, let's go to, um, PowerSchool first. So, we have been on edge waiting for the PowerSchool investigation report to come out.
You know what I love is that Mark left school, and then he got this little gig with the school, and he's excited about, he's going to help with student data. And they use PowerSchool, and then this breach happens. I don't love it. I feel really bad for you, Mark, but I kind of love it. Yeah. I love that your data, I love that. No, your data didn't get breached or whatever. It doesn't matter.
Oh no, it sure did. Oh yeah, yeah. Gone, gone. Anyway.
But, but they've promised not to release it.
Just to summarize, I went 11 years as the CIO for like the largest district in New England without a breach. Two, three months into this smallest district in the state and I get a major, major international data breach.
But it's not the district's fault. Sure.
It's not Mark's fault. Josh, it's not Mark's fault.
It can't be tied to Mark at all.
No, I didn't make that decision.
Don't blame Mark.
So, okay, so PowerSchool, summarize what we've learned. Honestly, not a lot. PowerSchool has not come out with their investigation report. We're very eager to find out the details of it. We've seen some kind of hints. There have been a couple of major articles on TechCrunch and Bleeping Computer that have confirmed a few things. One being that PowerSchool did not have MFA on their PowerSource, which is their support portal.
So there's a lot of questions after the webinars, whether or not PowerSchool did or did not have MFA or whether it was just insufficient MFA. It does look like they did not have MFA at all in place. The other thing that did come out is that they did suffer.
There was another incident in which an engineer's computer was compromised with malware and, through a browser extension, and then data was exfiltrated from that computer and then sold on the black market, it's possible that that sale of data from the engineer's computer then led to the other breach. But right now, we don't have any evidence linking the two incidents to each other. So it could be a second incident. It could be the incident that sparked the big one.
So those are the two TechCrunch articles that will link to this one. And we will see exactly what comes out from PowerSchool, but I think other than the FAQs being updated once or twice since we last talked, there really hasn't been too much of a change coming from PowerSchool.
There was a discussion on, I think it was the Bleeping Computer article today or yesterday, that says they spoke with the hackers that did this, and they claim to have, what was it, 63 million student accounts and like nine point something staff accounts. This person that I'm having this conversation with says, you know, the largest breach or the largest ransom ever paid in private industry for ransomware for a ransomware incident was $75 million.
We'll do the math. That's $1.20 for those, you know, let's just say $75 million for those 63 million students. That's $1.20 per student. Yeah. Okay. It's going to be interesting if that number ever comes out.
Well, speaking of costs, PowerSchool also did confirm that they will be providing credit monitoring for impacted students and adults. So there's at least some good news coming from that side of things.
But wasn't that release worded weirdly that said students over the age of 18?
Yeah. When we talked about that, when I did some research and Experian and some of the major credit companies don't actually have information on minors. They don't track your credit scores, so it's very hard for them to provide credit monitoring when the companies aren't monitoring the kids in the first place. That might be the reason for that one.
So I don't really want to hold that one against PowerSchool.
No, no, no, no, no. I just found it. It was worded strangely.
Yeah, yeah, yeah.
All the more reason to freeze your kids' credit.
¶ K-12 Tech Community Engagement
Hey, I want to mention, too, subreddit K12sysadmin, been an awesome source. Uh, as soon as an article hits, it's posted there. We still have that PowerSchool breach, uh, special section on K12 Tech Pro. It's been great, just the K-12 community in general posting stuff, getting stuff out there as quick as they can. Yeah, even some of those articles that have talked up the community, that we know is K-12, that's great to work with K-12 techs. Uh,
¶ Upcoming 200th Episode
so if you have, we'll segue that real quick into feedback for us. If you have feedback for us or, uh, want to shoot us an email, k12techtalk at gmail.com. In two weeks we will be celebrating our 200th episode. So excited. Chris is the one managing the agenda for the 200th episode, and he says he has guests. Secret. It's, it's jam-packed, boys. How many guys are talking? Like, Mark and I have no clue what he has worked up.
Let me get my little piece of paper out. I have a... RSVPs from, uh, two, four, six to eight people. I'll tell you, uh, there's two that are kind of kicking around. Uh, these are people that, that, that, that, you know, A-list celebrities, uh, people that, you know, their names. Um, I really, Mark doesn't like hints, so I'm not gonna really, and Josh just has pure anxiety about this whole thing. But I
I think the, the better litmus test there is, would our parents know the names of these?
And I'm not going to tell you. I can't. But it's going to be a special episode. It's going to come out, uh, that first week of February. Uh, if you've, if, if you listen to episode 100, we did this whole, the doorbell rings and someone comes in. It's total, it was total chaos.
That was so
Total chaos
Jack Rhysider from Darknet Diaries came in on that.
Was pretty cool.
Josh couldn't even speak. That was neat. I mean, this has some hype to it, and I know that it has, I don't know, it's gotta be good. I feel pretty good about it. Should
I dress up that night?
I don't know. I don't know. I can't tell you.
You want to talk about one of our advertisers, Lightspeed, real quick?
Yeah, Lightspeed, a proud sponsor of our podcast. They're hanging out with us for all of 2025. They can help you. I mean, they're mostly known for content filter, but they can help you with insights into app usage, student safety monitoring, classroom screen monitoring, device health, all that kind of stuff. They have a lot of different products they can help you with. Mostly known for content filter. I'm a Lightspeed customer. I have used Lightspeed for, I guess, like 10 plus years now.
So check out LightspeedSystems.com. Mention us.
All right. And the last bit of news coming out of the FCC is that they announced the recipients of the cybersecurity pilot. So we talked about this before. There's 2,734 districts and libraries that had applied for funding. They had estimated roughly $3.7 billion was requested out of only $200 billion actually available. They have announced the districts that have received funding, either in full or partial, and it's about 700 districts and libraries.
So pretty cool cross-selection of large, small, urban, rural districts. And yeah, we don't really have information on what these districts applied for. I think you'd probably have to go district by district and look for their submission. So we just have the list of districts and there's other than that, the district will be required in addition to receiving the funding. They will have to submit reports on their progress. So a little bit higher bar than than typical e-read funding.
But that's obviously going to give us data as to what's working and how well the money is being used. So pretty exciting.
Mark, I know there were some assumptions made when that list was when that list came out about what was the what was the real grading curve or what was held in highest priority. And I think a lot of people were saying it was their free and reduced lunch status or count or percentage. Has there been anything official to support that statement?
No, it's that's a hard one to say. I was talking with somebody about this exact issue as to whether or not, you know, did more money go towards the large urban districts that have it? And I think one of the pieces of feedback, I think this is very, very valuable. When you're in a larger district, you have more resources to write a more compelling grant as well as provide the funding necessary for that because this was a match funding grant.
So, you know, I think that it's hard to say is this causation or correlation, but right now we really don't have any formal data on who is selected and why.
Interesting. I
didn't get picked.
I didn't either, but, but some people not far from us, or a district not far from us, well, no, two districts by us got picked. Um, yeah, my
ChatGPT didn't work well enough.
Nope. Oh,
well, that might have been it. They probably just ran everything through. Should
have used Gemini. Yeah.
That's it for the news. Um, nothing else whatsoever happened in the news this week. Nope. Nothing, nothing at all. Nothing.
No snow in DC. Um, all right, so the main topic for tonight. Mark has been working. Mark's been coming up with lists, man. He's, he's
on it. He's got news, he's got topics.
It's almost like he's retired, you know. He just, the content he cranks out is just unbelievable. Um, so, Mark, tell us about this most recent top 10 list. We're not trying to rip off any late night shows or anything here. Yeah.
So, you know, we've, we've talked a lot since the PowerSchool breach as to, like, what's our response, is power, power, power something, PowerSchool, PowerSchool.
I don't
use PowerSchool. There's no way any of that could happen to me, right, Mark? Exactly.
Going into the office.
Um, we, we've talked a lot about, like, where do we go from here? What do we need to do in school districts? What do we need to do with our ed tech vendors and partners? And it's really, really hard to have this conversation without talking about some of the challenges that we currently have within K-12 technology and what do we need to do to improve? And so we thought we'd do is talk about the top 10 items that we as a podcast feel need to improve in order to really secure K-12 education.
These are things that they're not cut and dry. They're not a button away, a button click away. These are cultural changes. These are cultural changes and discussions that have to happen within school districts that some of these you're going to have to talk with teachers and principals and make sure that leadership is bought into it.
These are also things that if we as school districts can get in front of it and start to push for these things to improve, then we're going to start to also see our service providers respond as well. Because a lot of these is we'll kind of get into these top 10 items. They require some changes on the ed tech side. You know, the vendors and service providers that are providing these services, they're only responding to what school districts want.
And so if we don't ask and we don't kind of push for these things to change and these things to improve, then the service providers are just going to continue to keep on the status quo that that school districts ask for. So if.
¶ Top Ten K-12 Cybersecurity Improvements
This is, in no particular order, the top 10 things that we believe K-12 needs to mature in order to improve the cybersecurity landscape for us all. Gentlemen, who wants to start with number one?
I'll do it. Unfinished MFA rollouts. MFA needs to be expanded to all accounts, including students, service accounts, and contractors. Um, you know, one of the things that we've talked about several times a student, you know, is student MFA a viable option? Then we talked about this before the show. This is one of those really sticky situations where, I mean, I know certain vendors have rolled out MFA for students with pick an animal or a card or a pin.
But, man, I just don't know. Well, one, those vendors still charge for that feature to be turned on and rolled out. Two, I just don't know if it's baked in enough. We had to do AMI days a couple days ago, alternative methods of instruction, so it's a snow day but it's not really a snow day. The kids have work that they need to be doing, and we had some elementary students that were needing to log in to hit Google Classroom. Well, a subset of our students didn't know what their Google credentials were
because they used badging to log in and their badges were at school. So yes, I understand the idea of being secure, and it's super easy for a kid to badge in and out. But if that's always left at school or there's not another way to do that, I worry that MFA would fall into that trap as well. Absolutely, contractors. Service accounts, yes, you need app passwords. We're starting to see more and more Windows laptops roll out for admins.
I really think just because that's a laptop and there's data on it and it's super mobile, if you're using that device, it's getting MFA'd. Your account needs MFA on that device. So, yeah. Any other thoughts?
I'll offer a counterpoint. Clark County and Jefferson County were two big districts hit with cyber attacks last year that specifically targeted students.
Yeah.
Uh, and these were attackers that were going after student accounts because they knew they could use the accounts to further penetrate the district. And I think this is, for me, is the reason why we need to start to, to think about that mindset of MFA on student accounts. How is the hard question? We know that kids can't, uh, bring cell phones, uh, in every, you know, there, that, that's another trend going on right now.
So cell phone MFA is not the standard way, but Indianapolis public schools is obviously a very large district. They have rolled out MFA to students. They did it about five years ago and they did it in a kind of a different way. It was, I guess you could kind of categorize as more of like a recovery account. You have a secondary email account that's used to authorize that device. But they've proven that, you know, pre-kindergarten and kindergarten age students
can do this. And I think the number of districts onboarding Clever MFA and ClassLink MFA are showing that it can be done.
But if you pay for it.
Yeah. Yeah. Right now, there are only paid options available. Number two. FTP.
Yeah, come on.
I don't know, boys.
I think building off of that last conversation about MFA and service accounts, we all talk about service accounts for staff, but then we have all these FTP, SFTP servers hanging around with just username and passwords for authentication. So, you know, it feels very antiquated at this point, but at the same time, we continue to ask for SFTP to move data between platforms and systems.
It's just there's so many things wrong with it from a security perspective, as well as just data integrity. So moving towards APIs, moving towards data standards like Ed-Fi and SIF is where we'd like the industry to move. Um, way easier said than done.
Yeah, the, the industry has been working on that since the 90s. Yeah, like, we're not, we need something. We, I, I don't, we can't fix some of this. Like, we need something bigger to happen. Like, your Ed-Fi, your A4L stuff with SIF. Like, when we did the A4L conference, there's people that were around when that stuff first came out, and again, in the 90s. It'd be nice to move on, but I don't know.
But the hard part is, like, those technologies, while as great as they are, they're super complicated. And so those of us who just, we just don't have the time. You know, when you're working in districts, you know the issue of time crunch. You're like, just throw it into an FTP server and we'll call it a day. But it's not moving things.
Chris, you want to talk about ClassLink real quick since we were talking about them in item one?
Yeah, ClassLink. Check out classlink.com. You know ClassLink. They can help you with your roster, your analytics, your SSO, and more. They can take your identity and access, manage it from overwhelming to automated. If you do talk to ClassLink, make sure you mention our podcast, please.
Number three, shared accounts. Ugh, this is the one I hate the most. And it is such a cultural thing. Every school district has accounts that are used by multiple people. They are department accounts or school-wide accounts. You might have like, you know, school name at your district domain. And it's not attached to a single person. It might be checked by the school secretary, principal or department. or group of people.
And these shared accounts and even service accounts, for me, are a huge security risk because it's hard to put MFA on that. It leads to greater MFA fatigue if you've got somebody just saying yes. And then when an employee leaves, those of us in IT, we don't think to ask, well, does this person have the username and password for the shared account?
So these are things that these are just kind of like legacy accounts that have just been there for a very long time, we've got to take steps towards getting rid of shared and service accounts as much as possible, or at least minimizing the usage of them.
Yeah, service accounts. Google has rolled out, what do they call it, app passwords now?
Mm-hmm.
If you've got a service account for email or something. But yeah, I've held a line pretty firmly on shared accounts. I'll do an alias. If you want to do a generic alias type.
Alias, do a Google group, do a group.
Distribution list. Yeah.
I think shared accounts is something you can get into the whole trenches or argument banter with a lot of different departments. Like, yeah, we just we got to have shared accounts. You know, we have these special situations for it. But I think in 2025, you can come up with something that is a solution that is not a shared account. Yeah. Like, you can figure out something that gets you away from this.
Yeah.
Leaving AD. So there's new identity management systems or platforms like Active Directory. Is it time to abandon Active Directory? Mark, you know, pre-show we were talking and you said if you were walking into a school that had nothing right now, local accounts on PCs, Is Active Directory the right solution, on-prem Active Directory the right solution for that district?
And I think there are some pretty compelling arguments to say at least looking at Entra or Intune, whatever the cloud Active Directory solution is right now, looking at that. Google has its authentication protocol now that you can log into a Google account and have it authenticate to a PC. Yeah, I don't know if Active Directory still is the solution anymore.
Yeah, I think the antiquated AD structures that we have in place, a lot of districts built their AD structure many, many years ago, and it made sense at the time. It's very, very hard to change its structure. And a lot of modern identity systems just want to provision directly into Office 365 or Google Workspace. And if I were to build a brand new school district from the ground up,
I wouldn't even start with AD. I would go buy a modern ID solution, IDM, and provision directly into Google and call it a day.
This one hurts my head, but I think it is probably the most controversial one that we're talking about. As a veteran K-12 tech, I don't see me ever. I'm going to retire on AD. This sounds like a major project. Like, it reminds me of, like, you know, like, oh, we're gonna go from Novell to, to AD. Yeah, like, it's, it's, we're gonna touch every workstation, we're gonna, uh, rethink OUs, we're gonna rethink policies. Uh, I'm skipping, I'm skipping this one.
Well, but you, you hit the nail right on the head. Like, with this one, so much of this is tied, so much of our infrastructure is tied into AD. Our devices, our accounts, to the systems we log into, to the wireless, even the printers. Like, it's hard for us to think how to unravel AD when it's in place. But the point is, like, if you were to start from scratch, I don't think you'd start there. Yeah.
¶ Local Admin Rights Discussion
I, I could, I could get there. Uh, local admin rights. This is just easy. Like, stop it. Yep.
It's easy if you are already there.
Yeah, I mean, it was one of the first things that I did when I walked in 10 years ago, or 11 years ago. Um,
how we, yeah, how, how much did people love you when you took away their ability? Oh.
I was hated. It was a deal. There were tears. Yeah.
But we remember.
I don't really care.
But extend this. You're the tech director in your district. Do you have local admin rights on your machine?
On my daily driver? No.
Good for you. Good for you. I think that's not necessarily the norm, though.
No, I would agree. And to be honest, it wasn't that scenario four years ago. It only happened when we moved to MFA protecting our admin accounts that I made, and there's only four people in my district that have any sort of elevated account. Every one of them, their daily driver is a standard account, and they only elevate when they need to run an application as an elevated privilege. But before that, yeah, my daily driver was an admin account. Absolutely. This
is one that still sits out there, as, like, at my school district, we took that away from, you know, faculty, staff. I mean, that's been a long time ago. And you just kind of, you act like it's a low hanging fruit. But I mean, we've heard the stories of the, of the large school district that still let their teachers be local admins. Or I always used to get there easy with the small school district, the one person show, that they will get more tickets than they can take on the
burden of if they take away those rights. So you're balancing. I mean, just like functionality. And you'd be like, yeah, I know it's not best practice, but it makes sense for the small school. I, I think this is still very relevant in 2025. Like, but we're seeing it, like, we need, you need to figure out how to get away from it. Yeah, but it might not be the easiest path for a lot of school IT guys. Yeah.
And even if, you know, you may not have local admin rights on user devices, there's still a lot of local admin accounts on the most critical pieces of infrastructure and IT department devices and things like that. And those are arguably the ones that you need to protect first and foremost.
Well, and I think this is worth stating too, that if you're not using LAPS, local admin password system, whatever the hell it stands for, it's built into Windows now. You need to be using LAPS with AD. It randomizes the local admin password, resets it however many days you tell it to reset it, and stores it in Active Directory so that you can see it if you ever do need to log in with the local computer admin account. If you're not using LAPS, L-A-P-S, look it up.
And it literally took me 10 minutes to get configured and running. And all of a sudden I'm saving, like all of my admin accounts are randomized now. There's really not a reason to not be doing that.
If you connect some of the ones that we talked about, in terms of local admin rights, Active Directory, and shared accounts, right now you've got the top three reasons why districts get taken out: because a tech account or a service account on a device gets compromised, and that virus, that person, that threat actor just spreads across the district. Those three things together are...
And we're actually blaming Microsoft for all of that,
Right? Well, I mean...
We're not talking about Apple and Google right now.
Well, it's our choices that we have made in the usage of it. I'm sure that's what a Microsoft lawyer would say.
Sure.
Unmanaged browsers. The Wild West of being able to install any browser extension is going to end up biting you. You don't have to go too far back in the news. What, over the last month even, the number of browser extensions that turned out to be malicious code or have been taken over by companies with malicious code.
It was, there was like a span of two weeks there where it felt like it was every other day there was a story breaking about it. Yeah, the days of not managing what extensions can be installed in your browser environments... yeah.
That was, and that's, you know, it hasn't been officially confirmed by PowerSchool, but the TechCrunch article did say that PowerSchool's, you know, engineer was breached by a Chrome extension or a browser extension that had gone bad. So this is, you know, I think this is the area that, while a lot of districts might have taken local admin rights away from users, we still are very loose with our browser management.
And that's something that it's going to take more attacks and more breaches before we see the reason for it. But that's a big, big area to change. It's really hard to make teachers and school staff feel ownership over their browser. They've never had somebody else manage their browser and their browser extensions. So taking that away is painful, but that's number six.
Standalone usernames and passwords. So we're back to this SSO conversation that we had a couple weeks ago. You know, yeah, if you're not leveraging, I was a holdout. I'll admit I was a holdout. But if you're not leveraging SSO from some sort of authority, be it Google, Office 365, or whatever it's called now, OAuth, or not OAuth, damn it, I can't think of it.
You really need to be doing that so people aren't reusing passwords. Have I Been Pwned: you'd be less of a target with individual accounts on how many different websites. Yeah, start really leveraging SSO, and you can doubly protect yourself that way too if you have MFA turned on those accounts.
I was really excited when I started in my new district that they had already rolled out MFA. So I was like, this is great. We've already, you know, half the battle's already done. And then I got my account in PowerSchool and nope, not using single sign-on. It's all standalone usernames and passwords. So it kind of defeats the purpose of rolling out MFA.
That wasn't a weak point,
Mark. Yeah, yeah, yeah. Which is funny because I'm going to extend it to number eight, which is when my account was granted in the SIS, it was using my personal email account.
And that number eight is the use of personal accounts in district systems. And this is one you're either rock solid on, or it's a hot mess. And for me, it's such a thorn in my side when I see personal accounts used in district systems. You have zero control over that account, over MFA, over authentication. Well, it just kills me.
I will say the SIS that we use allows staff members or parents to change their email addresses in the parent portal. And if it's a staff member that is a parent and they change their email address to where their primary email address is their personal email address, it breaks a bunch of things. So, yeah, the whole personal account thing being used at school. I'll go one step further, Mark.
Personal data in a school account. The amount of times we've had to have conversations with someone because their tax returns or their divorce decree or mortgage statement or credit app to buying a car is in their Google Drive. And they tried sharing it externally. And I'm getting DLP notifications because of it. That has to stop.
Let me chase a little rabbit. Like, and I've not really thought about this, but what would be the thought? Are you okay with your staff member accessing their personal email on a school device? Like they get into their Hotmail account, they get into their personal Gmail. I'm thinking this as we're talking through this, and I've allowed that.
So, yeah. And the conversation that has been had has been: the second that you attempt to prevent that, all you're doing is asking them to send more personal email to their school account. So you end up with more of that personal communication in a district-owned asset than if you're blocking access to Hotmail or you prevent logging into @gmail.com from the school computer. Is that the right answer? I don't know.
That's a weird, odd circle thing that we're talking through. We're going to put up all these fences and then I'm letting personal Gmail happen.
Well, and this is, you know, this is an example of something where, you know, it bothers me sometimes that EdTech providers and vendors allow personal accounts into their systems. But I also know that they're just responding to their customers, that districts, you know, districts are asking for this. Can you make this account? And so I'm always happy when a system is locked down to only the accounts that we provision that, you know, it has to be within our account.
I have a horror story of an ed tech vendor that sent a list. It was a free service, and they sent a list of all the accounts that were in our district. And it was horrifying to see the personal accounts and other school districts' email accounts that were authorized into our domain.
Oh, geez.
And this is security that we have to ask for this, and enough of us have to ask for this to be security for our ed tech vendors to allow it or to enforce that kind of stuff. But that's a cultural change. We all know that districts and school staff, you know, sometimes they use their personal and their school staff interchangeably.
I'm not going to call out somebody who lives in my household, but like the number of times I see her on, she's got her personal browser profile and her work browser profile and just uses those two interchangeably and doesn't like, I need you to check the icon that's in the upper right before you start Googling stuff. So that's, that's cultural change. It's technical training and it's really, really hard to turn that stone over.
It is some, you know, ask yourself the questions on what's your, if you're using Google, what's your Drive sharing settings like? Like, we had a teacher, way in the past, who was trying to do the right thing, not do the work account at home. But then she was sharing all files externally with, like, a personal account, which we were allowing then, whatever. Like, that's bad. So then when we're investigating what kind of external shares and stuff we got going on, we have some red flags going on.
You know, you fix those settings or whatever stuff. But it's a good look to think about what you let your people share.
Yeah. Yeah. Yeah. Number nine, manual account provisioning. Yeah, we still have a lot of this.
Yeah, you need to be. Well, partially, I put the blame of this at the foot of the ed tech vendors as much as the districts. More vendors need to be supporting rostering and account creation via an interface engine like ClassLink or via SFTP. If they don't support ClassLink or Clever type interfaces, but manually... no, no, no, no.
Yeah, no, I think between OneRoster, Clever, and ClassLink, there's enough options on the table now that everybody, you know, all the ed tech applications and vendors should support this. The good news about this is we've seen that industry change over the last few years. Yeah. But, you know, the freemium stuff is where they get you, and you have a lot of teachers who sign up for free and make their class list, and we have to, as an industry, push away from that and say these are very, very dangerous habits when you have people manually creating accounts. Because it's not, the manual work is not the problem. It's the deprovisioning, or lack thereof, that has to happen. And if you're not deprovisioning accounts, you have no control over data when an employee leaves or a student leaves your district. So that's a cultural change, and it's chicken or the egg.
Do the ed tech vendors push for it or do the school districts ask for it and both have to happen at the same time.
It's culture and it's procedure. We had a struggle for a while of knowing when one staff member was transferred from one building to another and that matters. It wasn't malicious that tech department wasn't in the loop, but we were in the loop. We weren't changing these manual accounts. We weren't changing them to the right permissions and stuff because we didn't know.
Or the person that leaves, and we just didn't get told, so all these accounts are out, just at the, I mean, they're just wide open. We use Level Data for students, which has been good. We struggle with staff stuff. We do a lot of manual stuff with staff still. Well...
And we're going to post a K12 Tech Pro article shortly about this. I mentioned the challenge with staff data is it sucks. Like, find a school district where, like, the HR department's management of staff data is flawless. And I'm talking about all the different categories of student teachers, contractors, vendors, interns, parent volunteers, on top of all your full-time employees. That data doesn't always necessarily sit in the HR system.
And then that makes it hard for us in IT to automate and provision these things.
Yeah, we tried to automate staff. And this isn't really a knock on these departments, or these areas, but the time between, like, board approval and then, like, the actual start date to HR with payroll and the paperwork, and they do the background check, to when the person's actually showing up in the building and wanting a tech account.
Yep.
It doesn't work.
Yeah.
And what is in the system that I would be pulling from, it's not ready. Yeah. Or even the person is terminated immediately, but above them where they're getting paid, their paycheck is coming later, so they're not deactivated yet. And that system doesn't have the ability to put in a later date kind of stuff. It's just hard. But you're right. We need to get there. It needs to be a focus, a priority.
Chris, before we hit our last one, do you want to talk about CTL?
Yeah, CTL hanging out with us throughout 2025. They do Chromebooks. So if you're looking at refreshing your Chromebooks, check out CTL. They have a new line of Chromebooks for 2025. They promise good performance. They promise good Wi-Fi. Their Google end of life stuff as well into the next decade kind of thing. So check out CTL. They'll even hook you up with resources to help you run your one-to-one program to help with mastering your Chromebook deployment.
So check out CTL. I think it's CTL.net slash 2025 to get you started.
And finally, Mark.
Data hoarding. We're so bad at this. We hoard on to every piece of data. We keep it in our system. And we put everything in our SIS, and the PowerSchool breach has definitely shown school districts that nobody is immune. And for me, I think as a culture, we need to start to think about data expiration dates, and when are you getting rid of this?
And rather than holding on to a student's entire digital record for years and years and years, at what point are you purging those records from your system?
¶ Data Purging and Management
So I think, I hope, of all these things, I hope that's the biggest thing that comes out of this: that we as an industry begin to talk about purging data, both school districts and vendors. But I still have an entire fifth grade classroom library in my basement because I think that someday I'm just going to need a whole bunch of kids' books, and, like, I can't bring myself to throw that stuff away.
And we take the same approach with data in school districts. We just keep it.
I agree.
I love like I keep like I have a folder that's a year and I keep all my random docs and crap in it. And the next year I make a new folder that's a year and I put in like I don't delete any of it.
Oh, yeah.
I don't like I have it all. Nope.
I don't delete any mail. And every I'm a note taker. Like I have to pen to paper note take when I'm doing things. I have every notebook I've written in since I've been at my school.
I won't say what school this was at and stuff, but I got a new job one time, and one of the first things I saw was in the office refrigerator, like the freezer, there was some hard drives that someone thought they were being preserved. One, why are we keeping this? But two, did we really think we're going to pull them out of the freezer and spin them up someday?
We've put Chromebooks in a freezer to kill bugs before. Our food service director came in one day, she's like, why is there a Chromebook in the freezer? Yeah, wow. In our office freezer, not where kids get food, before you get all bent.
I've had zero conversations about how long should we keep this data and should we set a time on it, agreed, but I've had a lot of conversations about how much more storage we need to get. Like, the contrast of those conversations over the years, there's a clear winner.
Yeah, when you get those phone calls from a student that graduated in 1993, hey, can I have a copy of my vaccine record from my senior year in high school?
Yes, you can. We saved it. We have your artwork, too. You want that?
But, like, I mean, I don't know if your school district still has, like, the paper cumulative folders. But if you open up a high school kid's cumulative folder and you see the hand turkey drawings from when they were in kindergarten, why are we keeping this? And realistically, teachers don't use that. They'll look at the data in the system. They might open up the paper cumulative folders, but we just put paper in a folder and pass it on, and we do the same
thing in our systems. We put data in the systems, and then we just keep it. And so I would like to personally see a whole lot of purging going on from our data systems, obviously within your state's statutes. But we've got to get to a point where you're not calling alumni and saying, I'm really sorry, but your data was stolen.
Yeah, from 1973.
Also, and your kids, because you're that old and you have kids in the system and their data was also stolen.
And you didn't move. All right, Chris, our last sponsor for tonight.
Fortinet. Again, I keep talking about 2025, I think, because this is some things that we need to knock out or try to knock out in 2025. But Fortinet hanging out with us this year. Email fortinetpodcast at fortinet.com. I'll say that this is a little bit of a segue, I think, into talking about they are also K12 Tech Pro sponsors. And today, pretty cool day. We hit 1,000 members, which is really exciting, a cool milestone. We are finally in every state.
New Mexico, talking to you, you took forever to join. There's one tech now in New Mexico, but an exciting day. And Fortinet has been hanging out with us since the very beginning of the podcast, of K12 Tech Pro. So check out Fortinet Podcasts at fortinet.com. And if you're not on K12 Tech Pro, I mean, this is the plug for that. Join us. It is a great community.
One of us.
Yeah, yeah, yeah. I don't know. It's exciting to be a part of. And, yeah, I say that because I'm in it and I help run it. But there are great people on there sharing great tips, great resources. You post a question, you're going to get an answer.
We just announced today this cool partnership with Chromebookparts.com with WISE certifications. K12 Tech Pro members can get a reduced cost to get Chromebook certification for doing repairs, can get reduced cost for your Chromebook parts for your school district. Pretty cool stuff. There's all kinds of good perks in there. We try to act like it's a secret club, and it kind of is. I think we're at, like, close to 20 perks that you get as a pro member.
The Chromebook parts stuff to me is just really cool because it's impactful in the school. Technicians, you can get certified now. It's a legit certification. And you can save money on the parts that you're buying now for your school to fix these things. So shout out, Fortinet. Shout out, K12 Tech Pro. Join us if you haven't already.
¶ Upcoming Events and Wrap-Up
So reminder, in two weeks will be episode 200. And there is a special guest list. Chris, are they names that our listeners will know?
Some of them.
Hmm.
Let me look at my list again, Josh. Let me just tell you.
Why? If they.
I would say. I would say about half. It's going to be an instant like. Yes. And then there's just some there's some twists and turns going on. There might be some that you guys are like, we don't know who walked in the door, Chris. Would you please introduce us?
Are we interviewing? Are we talking to your mom? Is your mom coming out?
My mom? Yeah. Or Mark's mom?
No, you're not.
There's going to be some random guy and you're like, who is this guy? And he's like, I'm the one that spilled barbecue sauce in the trash can at Disney World.
I found him, guys. I found him.
Oh, if he only told the other part of that story.
We got to let it go. Suspense. Hey, next week, we're going to be virtually at the Secure Ed Conference. I'll put a link to that in the podcast description. We're doing two sessions. And I think the little teaser is that Mark is creating both of them. Right, Mark? That's right. And we're actually, again, talking 2025 for some reason today.
We have a lot of trips planned, and we're going to be at a lot of different events. We're going to start to post those and promote those a little better. Some of those maybe we're just attending, but if you listen to this and you're at some of these things that we're going to be at, we want to talk to you, say hi to you, kind of thing. So we'll talk those up a little bit.
I think Chris is traveling so much he is a part-time resident of Missouri now.
We'll see. I might move to Boston.
That was no. New Hampshire, you're going to New Hampshire.
Live free, live free.
Yeah, or die. Yeah, or die. They're softening the "or die" part, are they? Yeah, yeah. Like, there's a whole bunch of billboards in Boston that have, like, for New Hampshire, like, come on up and visit us, and it just says "live free" or, like, we know the rest of that slogan. You're not fooling anybody. You can't fool us. We know you're going to kill us if we don't.
All right, that was episode 198. 200's coming, 200's coming. We don't know what it is. We'll see you next week. Thanks for listening.
The views and opinions expressed on the K-12 Tech Talk Podcast are the personal opinions of Josh, Chris, and Mark and do not represent the views or opinions of our sponsors or other organizations that we're affiliated with. The material and information presented here is for general information and entertainment purposes only. Thanks for listening, and we'll see you next week.
