MIS Systems thread: [Development] An Open Source Parent Gateway (page 4 of 7, posts 46 to 60 of 100)
  #46 (pcstru)
    Quote Originally Posted by matt40k View Post
    @pcstru

    If you use the SIMS API, you use a SIMS user account; this uses the standard SIMS security groups, for which schools have spreadsheets detailing what the permissions are, and there is an audit trail that details when users are added or removed. This limits, in an approved, standard, controlled way, who has access to what.
    Ok, so you meant permissions rather than auditing. But people are talking about APIs that make data available to 3rd party systems. They are likely to be configured to use elevated privileges and for use of Command Reporter pulling out great swathes of data, that is now sitting in a text file somewhere. So what exactly protects that?
    Creating a SQL user with read-only access would ignore this and give you full access over the database. Using the SA or similar with read-write would be completely stupid and would get you fired.
    I'm not and have never been talking about writing to a live database. I can understand why companies do not want people to do that and having had to pick apart a database contaminated with ignorance, they have my sympathies. Technically, I am simply taking a copy of the database and putting it on a different platform. The target database is as well protected as the MS SQL database and the utility used can transfer at a socket level without ever dumping a text file somewhere inconvenient. Access to the data is then controlled through the 'application' that I provide. I access the copy via SQL because the application 'platform' I'm working with (LAMPS - but perl rather than PHP) makes it very cost effective to do so. There is no reason why this is necessarily any less secure than access via an API.
    If a school (head, SMT, governors, parents, staff) decides to use an open-source product to access their MIS system, which is fine, they have to assess the risk and the damage that it could cause if a security hole is exploited. If you purchase a product off the shelf, the company would have hired a 3rd party to regularly security check their software and would have insurance to cover any costs that might occur if the worst happens.
    You have a very rosy view of software development within the private sector. I spent 30 years doing database development for private companies on products that were sold to customers and I can only say that putting your trust in them blindly is a bit of a mistake. At least with an in-house app, I know exactly what I am dealing with and the only person I need to trust is myself and others in the team.
    Clearly posting on a public forum that you're ignoring the approved methods of data access is silly. If you've actually done it, you're leaving your school vulnerable and unsupported, which is professional gross misconduct. I hope for anyone's sake that ignores the approved methods that they have covered their backs (in writing) and for the school's sake, they don't end up getting hacked.
    I am entirely comfortable with what I am doing, how I am doing it and perhaps most importantly why I am doing it. I don't believe there is any danger of me being fired for doing it, but thank you for your concern. I'm a strong believer that we own our own data and have the rights to access it in whatever way suits us best. I'm not encouraging others to follow my 'lead', just trying to put information where others who might find it useful, might find it.

    ETA - Apologies to all for the diversion, I'll shut me gob now.
    Last edited by pcstru; 23rd March 2012 at 11:14 AM.

  #47 (penfold_99)
    Quote Originally Posted by matt40k View Post
    How is it? Work ok?
    Quote Originally Posted by zag View Post
    We are supported directly so I gave capita education services a ring (0844 893 8000)

    1st lady - She had never heard of the "Sims API". Put me onto her manager, who asked why I wanted them; I told him I just wanted access to the reports in an automated way. He transferred me to the "correct department".
    2nd chap - He had never heard of the Sims API either. Spoke to his manager. They didn't know so logged a call....

    Searched Support net for API, no relevant results.

    Am I looking in the wrong places?
    You need to ask for SIMS Business Objects documentation.

  #48 (matt40k)
    Quote Originally Posted by pcstru View Post
    I am entirely comfortable with what I am doing, how I am doing it and perhaps most importantly why I am doing it. I don't believe there is any danger of me being fired for doing it, but thank you for your concern. I'm a strong believer that we own our own data and have the rights to access it in whatever way suits us best. I'm not encouraging others to follow my 'lead' just trying to put information where others who might find it useful, might find it.
    My concern is that you help someone who isn't an expert who then does get into trouble and I'm one of the people who could end up picking up the pieces. If you do something that isn't using the approved method, include a very bold: this is not supported, check with your support provider as this may invalidate your support agreement.

    My other concern is that you spend £££ of tax payers money developing a system, then you leave and the school just ditches it or replaces it with something else. I'm aware of this happening for real in a school. Lovely system too from what I gather.

  #49 (pcstru)
    @matt. I'm afraid that by default, I like to treat people as responsible adults who are quite capable of making informed decisions off their own backs and taking responsibility for their own actions. I need some evidence before I start to think, or treat them as idiots. So I won't be including any disclaimers for example when I supplied examples of SQL and stored procedures to ease access to assessment data in CMIS or when I supplied some example spreadsheets which could be configured to directly access MIS databases. I assume if people have the means to provide the credentials to access a database at that level, then they have that means for a reason.

    Naturally, I'm delighted that you, like me, hate to see taxpayers' money wasted. I do believe we (by which I mean the school I work at) are in the business of educating students; we are not a software development house. When we choose to do something a particular way, it should be because that maximises the benefits to the students. There is a balance to be had with staff skills. If you worry too much about what happens when people leave, then you will restrict what you can offer to the lowest common denominator that you can expect to recruit. If we always did that then our IT staff would be unhappy (because they would feel undervalued) and our students would be ill served (because we actually have some highly skilled staff that have a lot to offer). The risk needs to be identified and managed rather than ignored, but such risks can be managed.

    I'm sure there are many examples of failed systems and systems that are replaced when people do leave. 'Systems' do tend to have limited lifetimes anyway so change is a natural part of the cycle. I'm not sure I can think of any particularly successful systems that started out in Schools. SIMS, CMIS, Parentpay ... most of the performance monitoring stuff I've been looking at seems to have been cooked up in a school or in very close association (often by the immediate family of a teacher), but I'm sure none of them are good examples that anyone actually uses. We must naturally leave this kind of thing to the boys and girls at the likes of Capita and Serco, they after all are gifted with a talent that can only thrive in the profit motivated private sector and as the consummate professionals they are, we never witness them withdrawing a spring release or issuing an upgrade which is so ill thought out that the only option is to restore a database from backup after applying it.

    Anyway, just sayin'. Have a splendidly sunny weekend everyone.


  #50 (PhilNeal)
    I recommend that every iteration of what you implement is externally PEN tested by a recognised organisation - the fines on the school for exposing data to the wrong people are crippling. Make sure you deal properly with court orders; once a court order is issued the excluded parent must not be able to see any details of the child.

  #51 (PiqueABoo)
    Nit-pick: pen is an abbreviation not a TLA.

    Mixed feelings about that. On the one hand, discouraging amateurs lacking a "security mindset" from exposing the crown jewels to the world is probably a good thing, but it reads like "You can't afford to do this so don't even try".

  #52 (CyberNerd)
    Quote Originally Posted by PiqueABoo View Post
    discouraging amateurs lacking a "security mindset" from exposing the crown jewels to the world is probably a good thing
    One of the reasons I was advocating the use of tried and tested framework such as moodle


  #53 (pcstru)
    Quote Originally Posted by PhilNeal View Post
    I recommend that every iteration of what you implement is externally PEN tested by a recognised organisation - the fines on the school for exposing data to the wrong people are crippling. Make sure you deal properly with court orders; once a court order is issued the excluded parent must not be able to see any details of the child.
    Thanks Phil. If we can learn from the mistakes of others, it's always useful. It's like standing on the shoulders of giants. Every iteration must be particularly expensive for an organisation using Agile development methods?

  #54 (matt40k)
    Sorry, the cost of PEN testing vs the fine alone makes it worthwhile. Not before you think about the damage of data getting into the wrong hands. If it's only internal then it's a different matter. If you're opening it up to the internet, PEN testing is a must. Remember, if you're on a LA connection, they will regularly PEN test the connection and they may be able to give you reports for your sites. Just note this won't be application testing, so it won't be as detailed. But it's a start; before you go live you may want to look at getting it specifically tested - this is the bonus of using Moodle (like cybernerd said) or similar, as this would have been tested by others.

    PS: You wouldn't be making many changes to the live site surely? Only the dev site would be changed regularly, other than (hopefully) content.

  #55 (pcstru)
    Quote Originally Posted by matt40k View Post
    Sorry, the cost of PEN testing vs the fine alone makes it worth while.
    Say what? When I worked for a software company, commissioning external 'penetration' testing of a specific application cost £20K a pop. For that a company would essentially provide an indemnified certificate against a specific version on a specific configuration. If you were ISO9000 or similar that actually matters - maybe.
    Not before you think about damage of data getting into the wrong hands. If it's only internal then it's a different matter. If you're opening it up to the internet PEN testing is a must.
    Right. Err ... you don't think INTERNAL threats are an issue - in a school? Good to know no students are going to be having a go, from the inside as it were.
    Remember, if you're on a LA connection, they will regularly PEN test the connection and they may be able to give you reports for your sites.
    Will they indeed! I've never seen that in an LA contract and I would have expected to, given that doing so without the school's permission might lead to criminal prosecution under the Computer Misuse Act.
    Just note this won't be application testing, so it won't be as detailed. But it's a start, before you go live you may want to look at getting it specifically tested - this is the bonus of using Moodle (like cybernerd said) or similar, as this would have been tested by others.
    I doubt that Moodle actually qualifies in the sense of professional quality standard driven PEN testing. I couldn't point anyone toward certification of testing, test scripts ticked off, QA sheets signed by professionally indemnified persons. With moodle, apache, MySQL, Linux, Ubuntu/Red Hat/Centos/Debian etc, Perl, PHP - I'm going to have my work cut out putting together a platform that complies to any reasonable quality standard without actually commissioning 3rd party testing for my environment - sudo forbid that if I actually did, I could then ever afford to apt-get update. It's interesting though that you think Moodle is secure given the lack of certification. Good job people like me don't contribute to the code writing mucky old SQL! No, luckily it's all done by consummate professionals ... err ... somewhere via... err, some ... err ... API ... thang ... or summat.
    PS: You wouldn't be making many changes to the live site surely? Only the dev site would be changed regularly, other then (hopefully) content.

    No. Lord forbid anyone even so much as changes their password lest I have to get the whole network signed off by an external agency ... again. Perhaps ... oh, I dunno, Capita could offer a service of something. Save us from our data and deliver us our hosting, for thine is the securely-penetration-tested-cloud, the bandwidth and the latency, forever and ever, ahmme..., profits! Trebles all round!
    Last edited by pcstru; 24th March 2012 at 10:13 PM.

  #56 (matt40k)
    @pcstru - For a smart person you are being extremely dumb. We are giving you free advice that will prevent you and your school getting into trouble. I hope someone who knows where you work informs your employer\LA and ensures you follow the correct procedures. Otherwise we look forward to reading about it in the newspaper and we'll be posting our comments of "I did warn him...". I'm amazed Phil Neal actually posted as he normally stays clear of such posts - he does refer to them later on however.

    Internal use is limited to physically being onsite (unless you have some external access) and users are subject to the ICT policy, UK law etc. If a student or member of staff hacked into something, they would be subject to school discipline procedure (and UK law etc if required) and could be easily dealt with (ie sacked, "slapped"); a person in China hacking in would be much, much more difficult to deal with and would take a lot longer too.

    LA PEN tests everything it controls - part of GCSX, COCO, PCI-DSS and all those other policies they must follow and standards they must meet. If they've already got a package for external testing, my comment was to ask them if they could include your website in the list - ie extend what they do currently by testing your website (assuming it's hosted at the school\LA?)

    Moodle and others are just frameworks; following a framework means that the underlying technology is dealt with by someone else, you just deal with the content and add-ons - allows you to be more agile too. It's a smart way to work and that's why nearly every major player does it. Apache\Perl\Linux blah blah blah is just a pointless comment; it's getting onto managing the server, which isn't part of the discussion. If you do it all, you need to follow security alerts and ensure the server is patched regularly and you've hardened it correctly and a million other things. If you buy a hosting package, they should be doing it, otherwise you shouldn't be using them for sensitive data. Google\Microsoft offer such services; your LA will most likely offer web hosting too. It may or may not meet the requirements for what you want to do.

    IMHO you're a failed software developer (possibly your old work went bust so perhaps a harsh complete) and you're trying to make your current job into something you want rather than what it is, what it needs to be. I find it extremely disrespectful that you find Capita's numerous interfaces useless; the Capita team have more knowledge, experience and understanding than you could ever hope to have, which is why I don't get why you blatantly ignore it. Even if your LA refuses to assist, which to be fair, they might not be able to support so it's a reasonable thing - actually they won't 99.9% of the time. But if you were determined to do this and your school was backing you, you contact Capita - a quick look on Capita's website gave me the name and contact details of the person in the partners team at Capita. I've dealt with him before, so has Penfold; ok he might not be willing to give out everything to anyone who asks, but they will help. You'll have to start off slow and build up to the large bits, but surely that's how all programmers work?

    I know no-one likes following all the policies and procedures - I personally really hate it. But we all must do it, so we do. It took me over a year to get our SOLUS3 server setup; it took me longer to do the first design document than it did to build and configure it! If policy wasn't needed, it wouldn't exist and although it may seem silly to you or others, it is important and must, MUST be obeyed.

    Sad facts. Most open-source software (on here anyway) is one developer. The project dies when the developer moves on, gets bored or gives up. If you've (anyone reading this) had a "unique" idea*, you're most likely not the first one to come up with it; there are 22,000+ schools using SIMS, all doing the same thing - running a school. There are, Capita claim, over 200 partners - someone has most likely already built that "unique" idea. My first draft of this post, most of it got lost.

    * By unique I mean anything other than what Capita should be doing (ie not a bug fix).

    I REALLY don't want to read in the paper about a pedo who hacked (or paid someone to) into a school's parent gateway because some lazy (expletive) couldn't be bothered to follow a few simple rules and build it the right way. Don't cut corners, it will cost later. If you honestly don't think it'll ever happen, I hope you're right. But personally, I would NEVER risk it.

    PS: Plus if anything bad did happen, it would mean we would all hear about it again and again from Capita as they try to sell us some more rubbish add-on.
    Last edited by matt40k; 25th March 2012 at 12:09 AM.

  #57 (pcstru)
    @matt. You are probably right. I do recognise that I have vast oceans of ignorance at my disposal and since despite your best efforts to help, I remain confused, I must be being extremely dumb.

    I’m perhaps most confused about the API and mandated use of it. If I use the API, I will use it to extract data which I will then import into the other database (a fairly common approach as I understand it, or at least that seems to be what a number of different suppliers' systems do – Parentpay, nationwide, truancy call, moodle, ParentMail, etc etc). So I might pay the supplier for the API, learn to use it which will probably take a week or so (maybe a lot longer for a failed software developer <sob!>), craft some specific procedures together so that I can make the API calls in the way that the API demands which will probably take another week. After all that I might have the data sitting in the other database, a task that took me 5 minutes and cost £40 with the tool that I initially ‘recommended’. As far as I can see, I’m no better or worse off in terms of security, since the API was only used to transfer data, in bulk, out of the MIS. It’s doing nothing for me at the application side – how could it? But I have just spent a few weeks of taxpayers' money to get somewhere my ignorance could have taken me in five. Ignoring all the other fluff – can you please explain a bit more what I am doing wrong there – where exactly is the flaw in my plan?

    I find it extremely disrespectful that you find Capita numerous interface useless, the Capita team have more knowledge, experience and understanding then you could ever hope to have, which is why I don't get why you blatantly ignore it.
    I had to read back over my posts because I don’t remember being disrespectful towards the SIMS API. I don’t see it reading them again, so perhaps you could point it out? I actually blatantly ignore Capita’s API because we do not use SIMS, as I said in an earlier post (which you obviously took great care to read).

    I hope someone who knows where you work informs your employer\LA and ensure you follow the correct procedures.
    And people wonder why some folks value their anonymity.

  #58 (vikpaw)
    Quote Originally Posted by zag View Post
    I won't be using a live database for this. It's all on a test SQL instance for now.

    Is there any official documentation for these APIs? How do I get hold of them?
    Contact @David_Grashoff with specifics of what data you want to access, and he'll be able to advise.

    Command Reporter will work well for most things, though if you read some of the other specific threads there are some complications and limitations, especially when automating it. Certain reports that work directly in SIMS won't necessarily work automated.

    Personally, I don't see anything wrong with porting a backup of your data to a test server that is internal only and locked down, then extracting what you want with your own queries. It's a pain making sense of the structure and you have to change what you've done if they rearrange the data in the system during upgrades.

    TBH you only want really basic info out anyway and that can all be dumped on a report. Accessing linked documents might be harder and how you make them available, but the concerns with wrong parent etc. are equal in any system. So long as your public site is locked down to a high standard. Go for separate parent logins though as recommended.

    BTW @matt40k - @pcstru is a CMIS guy, so chill - we don't care if he mucks up 'their' system.

  #59 (GrumbleDook)
    @matt40k and @pcstru

    The reference to LAs performing penetration tests is a little misleading and will vary from LA to LA. If your school connects into the NEN (and hence to JANET) there is a duty on the RBC / LA to ensure that the network is not left vulnerable, and so they are likely to actively monitor traffic and what is open on the various ports. This can include doing remote system checks to see if there are common vulnerabilities open. This does not require anything specific to be tried to see if it can be 'broken into'; the aggressive testing on specified IPs is something different and most will only do it on request.

    It is also worth saying that you are on *their* network. Depending on what type of school you are, you are technically part of the same organisation, so before anyone starts throwing round things like the Computer Misuse Act it is worth finding out what is checked, who has authority to do so and why. If you are on a network that crosses over onto a GSi family connection (GCSx, N3/N4, etc) then I would struggle to think of any school that could operate fully with the agreed CoCo ... and connection into it is likely to be limited, heavily controlled and with a lot of caveats. Having spoken with a number of LAs involved in ContactPoint (before it was binned) and eCAF ... those who were allowing schools to connect in their GCSx lines only did so via a Citrix / virtualised front-end ... we certainly didn't go down that route and kept schools and LA very, very separate ... which kept the LA IT folk happy and meant that unworkable restrictions were not put on schools ... but a lot of advice to schools was given and the attitudes of many towards security were very scary.


  #60 (PiqueABoo)
    Quote Originally Posted by CyberNerd View Post
    One of the reasons I was advocating the use of tried and tested framework such as moodle
    I was just responding to the preceding post; it wasn't a comment on the pros/cons of earlier comments.

    ---

    Quote Originally Posted by matt40k View Post
    I REALLY don't want to read in paper about a pedo who hacked (or paid someone to) into a schools parent gateway
    FUD glorious FUD. Things I think are true, anyone is free to correct:

    1) Not pointing any fingers in any particular direction, but I've tripped over exploitable serious security vulnerabilities in some stuff from some large vendors. Far as I'm concerned none of 'em deserve your trust simply because you've heard of them, it's a long-standing product with some discernible market share, they say it's wonderfully secure, you haven't heard about it being hacked or whatever. For the most part proprietary school systems/software has had an easy ride re. security because folk who hack things well generally have more interesting targets.

    2) I'm not aware of a school being fined by ICO for anything relevant yet, as opposed to undertaking to pull their socks up. We had the publicised school with password reuse issue last year where hacked credentials retrieved from one system got them into an independent (MIS) system - you really ought to think very hard about the implications of user password reuse, also of AD integration.

    3) The main risk reading data out of anyone's undocumented DB is of course interpreting it wrongly e.g. you may have to decode the meaning of obscure content in several fields to accurately decide whether some Widgit record is active, whether it should be collected or ignored. The main benefit of APIs then is that they ought to do that work for you. However the DBs I've pillaged don't have APIs I can get, so I've just painstakingly reversed stuff like that and OMG(!) one vendor update even changed the contents of a rather critical field once, but ::shrug::
    Last edited by PiqueABoo; 25th March 2012 at 05:11 PM.
