I am upset. I am actually pretty “pissed off” (pardon my French). And this is definitely a rant against unprofessional politicians, lobbying and proprietary software that apparently has been sold very well.
On March 19th, a press release originally written by Dirk Reelfs, PR Manager of Saxony’s Minister of Education, was published. Headline (in German): “Home schooling: Learning platform will become more powerful”.
This Saxon Minister of Education, Christian Piwarz, is a member of the conservative CDU party and of the Saxon Parliament. He used to be President of the Young Union for Saxony and Silesia (which actually seems to have been completely Polish for at least 70 years – just wondering).
However, this platform with the lurid name “LearnSax” was not available over the last weekend, as announced in the press release. Wondering why a press release would announce a software platform that isn’t available? More about that later…
I still had a chance to have a first look at it last Thursday, and I was totally shocked: On the surface, it looks quite okay (well, just “okay”) but digging a bit deeper with just a bit of a technical understanding: alas, what a complete mess…
- The triplication of user accounts (as announced in the press release) is absolutely explainable as there is no Captcha validation for the registration forms, nor any honey pot: gosh – bots love that behaviour!
- This is 2020. And honestly, there are Session IDs in the URIs! Do you bl**dy dabblers have a clue what “Session Fixation” means? What you have sold here was the standard 20 years ago!
- By the way, the demo suffers from missing demo data, which means it isn’t really a demo, because nobody can learn anything from it.
- On Thursday, I read a lot of the “cloud” words on your home page. Did you really understand what “cloud” means? It is definitely not your ill-hosted SaaS solution!
- The down time of 56(!) hours over the last weekend literally documents your flaws.
Actually, the entire LernSax platform will be reported to the BSI (Bundesamt für Sicherheit im Internet, German Authority for Internet Security) because it is – at least IMO – not reliable: handing over Session IDs within the URL is negligent at best. This is a security issue that has been discussed many times before (google it if you don’t trust me).
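One way a defender spots the "Session IDs in the URL" problem described above is to scan the web server's access log for session tokens in request targets. This is an added example, not code from the original post or from LernSax; the parameter names, log format and log lines are constructed assumptions.

```python
# Added example (not from the original post): scan access-log lines for
# session identifiers carried in the URL, the defect the post describes.
# Parameter names and the sample log lines are constructed assumptions.
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names commonly used for session tokens (assumed list).
SESSION_PARAMS = {"phpsessid", "sessionid", "session_id", "sid", "jsessionid", "token"}

# Common Log Format: client - - [time] "METHOD /path?query HTTP/1.1" status size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def mask(value):
    """Keep only a short prefix so the report itself does not leak the token."""
    return value[:4] + "..." if len(value) > 4 else "..."

def find_session_ids_in_urls(log_lines):
    """Return (line_no, client, param, masked_value) for every request whose
    URL carries a session token, either as a query parameter or as a
    path-style ';jsessionid=...' segment."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SESSION_PARAMS:
                hits.append((no, m.group("client"), name, mask(value)))
        pm = re.search(r";(jsessionid)=([^;?/]+)", parts.path, re.I)
        if pm:
            hits.append((no, m.group("client"), pm.group(1), mask(pm.group(2))))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses, invented tokens).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Mar/2020:08:31:02 +0100] "GET /login.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Mar/2020:08:31:05 +0100] "GET /index.php?PHPSESSID=a1b2c3d4e5f6 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [20/Mar/2020:08:32:10 +0100] "GET /app;jsessionid=ZZ99YY88 HTTP/1.1" 302 0',
    '203.0.113.9 - - [20/Mar/2020:08:32:11 +0100] "GET /app?page=2 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in find_session_ids_in_urls(SAMPLE_LOG):
        print("line %d: client %s sent %s=%s in the URL" % hit)
```

Any hit means the token also lands in proxy logs, browser history and Referer headers, which is why the session ID belongs in a cookie only (for PHP: session.use_only_cookies=1).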
Nevertheless, Saxony’s Minister of Education, Christian Piwarz, isn’t afraid to sensationalize it in a press release. His subordinates praise LernSax as the official tool of choice; schools ought to use it!
Let’s go ahead and take a technical look at it. From Friday 10 PM until Monday 6 AM, LernSax was switched off. Instead they rendered a picture of the entire website including text (in German). Here you go:
First, read the caption of this picture once again and shake your head as I do:
Attention: LernSax will not be available from FR 2020/03/20 10 PM until MO 2020/03/23 06 AM.
Have you guys ever heard of downtime-less deployment before? You dare to re-arrange your stuff over 56 hours? Wow… and certainly: Change Management could have been done more professionally.
In their “deep analysis” (in the text rendered in the picture, without referring to any source), they admit that LernSax still runs close to or even over its limit. Presently, the peak is between 8:30 and 11:39 CET – typical school hours. In parallel, they “have suffered from DOS attacks”.
At this point at the latest, I am certainly convinced that the provider of this platform is completely incompetent, along with the consultants who had to approve it. Either that or they’re smoking some very strange stuff.
A DoS (Denial of Service) attack can be defended against very simply, for example by sending the offending requests to Nirvana via UDP in your own firewall, or by having a dedicated hardware firewall for your web space instead of a shared one, etc., whilst DDoS attacks need a bit more brains. Cloudflare would be another good and proven service provider, apart from hosting this application in a real cloud like AWS (I linked a good service provider from Saxony for that 😉).
In your maintenance picture, you state that you are convinced that the problems in delivering e-mails are not caused by the huge attachments but by massive queues and greylisting at the other (evil) e-mail providers. You assume that LernSax might have been blacklisted because of the massive increase in users.
What you actually want to say is that all the others are wrong, and you’re not guilty. This assumption is stupid in many ways:
- Check that LernSax is not being used as a spam slingshot (as it is vulnerable, as said before).
- Make sure the SPF record is set correctly in your DNS.
- Make sure your e-mails are sent tick-wise, i.e. in rate-limited batches rather than all at once.
- Make sure you use SMTP submission via port 587 (TLS) when using the PHPMailer library.
- If all of that doesn’t work, look up the personal advisories I gave nine (!) years ago to another audience.
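For the “make sure the SPF record is set correctly” item, here is an added example (not from the original post, and nothing to do with LernSax’s real DNS) of a small checker that runs over TXT records already fetched for a domain. The sample records are constructed, so it works offline; it goes slightly beyond the text by also checking the RFC 7208 limit of 10 DNS-lookup terms.

```python
# Added example (not from the original post): sanity-check a domain's SPF
# record from its TXT records. The sample records below are constructed.
import re

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def check_spf(txt_records):
    """Return a list of problems found in the given TXT records.

    txt_records: list of TXT record strings as returned by a DNS query.
    An empty list means no obvious misconfiguration was found.
    """
    problems = []
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record (v=spf1) published"]
    if len(spf) > 1:
        # RFC 7208 section 3.2: more than one SPF record is a permanent error.
        problems.append("more than one SPF record published; receivers treat this as permerror")
    terms = spf[0].split()[1:]
    if not terms:
        problems.append("SPF record contains no mechanisms at all")
        return problems
    lookups = 0
    for term in terms:
        name = re.match(r"^[+\-~?]?([a-z0-9]+)", term, re.I)
        if name and name.group(1).lower() in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        problems.append("%d DNS-lookup terms; the limit is 10 (RFC 7208 section 4.6.4)" % lookups)
    last = terms[-1].lower()
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if last in ("+all", "all"):
        problems.append("'+all' lets anyone send on the domain's behalf; use '~all' or '-all'")
    elif not re.fullmatch(r"[+\-~?]?all", last) and not has_redirect:
        problems.append("record does not end with an 'all' mechanism (or redirect=)")
    return problems

# Constructed sample records for a hypothetical school-platform domain.
SAMPLE_BAD = ["v=spf1 +all", "v=spf1 include:_spf.example.net"]
SAMPLE_GOOD = ["v=spf1 mx ip4:192.0.2.10 include:_spf.example.net -all",
               "some-site-verification=abc123"]

if __name__ == "__main__":
    for label, records in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_spf(records) or ["ok"])
```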
LernSax is a massive turd, looking at it from a security as well as a bit of a technical point of view. From other sources I heard that even usability is disgusting. I am wondering why it is sensationalized by the officials of this province.
Later this year
All of the above I started writing nine months earlier, in March 2020, and never published it because there was a small chance of gaining direct, personal influence. Unfortunately, nothing has happened since.
Shortly before the next complete lockdown, we got the following message from the teacher at the school my 2nd grader (kid #3) now attends:
In order to ensure data protection, teachers are encouraged to gradually transfer our communication with you and the children to LernSax. Emails can be sent there. I (teacher) can also use it to post assignments online and the children in turn can indicate whether they have completed the assignments.
In the meantime, I got a little insight into LernSax’s usability. Let me pick that apart:
- Indeed, teachers can send their tasks to pupils, and they will receive them, if they confirm their pre-defined accounts.
- Pre-defined accounts, however, no matter if they are used or not, are a security incident!
- The LernSax system provides a messaging service. However, it will not forward to SMTP servers, so one cannot receive a notification via e-mail. Instead you ought to log in to LernSax at least a couple of times per day in order to receive messages, tasks etc.
- It is possible to print the material that comes with tasks, solve it, scan it and upload it again.
- File and folder conventions are completely missing, unless the teacher has defined good conventions for himself: all parents may (and do!) upload anything with any file extension to any folder.
- If you accidentally upload into a folder other than the intended one, everybody else can see your homework fail – I will spare you a picture of what I’ve seen today.
As a matter of fact, there’s no advantage at all in using this supernova “digitized” platform: receiving tasks, scanning results and sending them back can be done using any other system (even via e-mail) just as well, in most cases with a higher level of user experience, efficiency, security and even data protection.
And once again, on the very day schools were closed down, LernSax was not available for hours during regular school hours. Piwarz is talking about a hacking attack again (this time using the term “DDoS”) in his press releases. Maybe they just don’t know how many pupils are working with this platform on an everyday basis – in other words: “I can no longer get rid of the ghosts I called”? However, I can’t even understand why LernSax is hosted at the implementation agency bringe.net in Karlsruhe, as we have good and reliable professional hosting providers and management services in Saxony.
Let’s talk about GDPR compliance. You guess it, don’t you?
- As a pupil, or as his/her parents, you are forced to use this useless platform; there is no choice other than to accept or refuse their terms of data protection, crude as they are. For example, this is stated already in the prologue: “The use of LernSax for direct teaching purposes by pupils and their teachers is not subject to consent. The Saxon State Ministry of Education and Cultural Affairs and the Saxon Data Protection Commissioner share the view that internal electronic communication between teachers and pupils is covered by the educational mandate according to § 1 SächsSchulG and therefore does not require any further consent.” Excuse me, how exactly is that connected?
- Where is the cookie consent tool on the LernSax site? Isn’t it mandatory for any website, or is it “not subject to consent” as well?
And what about user support for the platform, training courses for pupils, teachers and parents or responsibility?
Well, I found something like a basic online training for parents at a totally different institution, not announced anywhere else and (state of Oct 8th, 2020) fully booked until the end of this year.
Responsibilities are widely scattered, beginning with teachers, then schools and lastly the Saxon State Ministry of Education. The vendor of this software is kept completely out of these essential questions, as they merely have some kind of “service contract”.
And for all of you who argue that “it is better than nothing”: Anything else (as mentioned above) is better than this – I am sorry to be that negative about the “great efforts” our Ministry of Education made. But they turned out to be _nothing_, from the depth of my heart.
Hope you had a Merry Christmas, wishing you a Happy New Year. Stay home and stay safe and healthy!