科技回声
School's Laptop Spying Software Exploitable from Anywhere

37 points by adg001, about 15 years ago

4 comments

ErrantX, about 15 years ago
This is an excellent piece in the first place. But the following quote (from towards the end of the article):

"Remote administration products like Absolute Manage carry large risks because they intentionally create a mechanism for a remote third party to take control of the machine. This can be powerful in the right hands but devastating if exploited by attackers. There will always be a risk of abuse by authorized parties, as alleged in the students' lawsuit against Lower Merion School District, but correctly designed technology should at least prevent unauthorized third-party attacks by making sure only authorized parties can issue commands. This requires getting authentication right--exactly what Absolute Manage failed to do."

is superb.
ZachPruckowski, about 15 years ago
"since the same, easy-to-discover key is used in every client"

OH, COME ON! Seriously? Like even beyond some external attacker, if the key is the same on every client, students could wreak havoc pretty easily if they find it. That's like setting every locker in the school to the same combo and hoping no-one notices.

"If the attacker knows the IP address of the server a client is trying to contact, he can just impersonate a freshly-booted client and ask the server to send him the correct SeedValue."

OK, no. If you have to have it like this, at least install the SeedValue when you set up the computer.

"If the server is unreachable from outside the firewall, clients that are rebooted away from the local network will be unable to obtain a SeedValue. In this situation, the clients insecurely default to accepting arbitrary commands without even the protection of a SeedValue."

:HeadDesk:
hga, about 15 years ago
Cargo Cult Cryptography.
xenophanes, about 15 years ago
lol. apparently it's hard to hire competent hackers to make super evil software?