More stories


    Security researcher discloses Safari bug after Apple delays patch

    Image: REDTEAM.PL

    A security researcher has published details today about a Safari browser bug that could be abused to leak or steal files from users’ devices.
    The bug was discovered by Pawel Wylecial, co-founder of Polish security firm REDTEAM.PL.
    Wylecial initially reported the bug to Apple earlier this spring, in April, but the researcher decided to go public with his findings today after the OS maker delayed patching the bug for almost a year, to the spring of 2021.
    How does the bug work
    In a blog post today, Wylecial said the bug resides in Safari’s implementation of the Web Share API — a new web standard that introduced a cross-browser API for sharing text, links, files, and other content.
    The security researcher says that Safari (on both iOS and macOS) supports sharing files that are stored on the user’s local hard drive (via the file:// URI scheme).
    This is a big privacy issue as this could lead to situations where malicious web pages might invite users to share an article via email with their friends, but end up secretly siphoning or leaking a file from their device.
    See the video below for a demonstration of the bug, or play with these two demo pages that can exfiltrate a Safari user’s /etc/passwd or browser history database files.
    Wylecial described the bug as “not very serious,” since user interaction and complex social engineering are needed to trick users into leaking local files; however, he also admitted that it was quite easy for attackers “to make the shared file invisible to the user.”
    Recent criticism of Apple’s patch handling
    However, the real issue here is not just the bug itself and how easy or complex it is to exploit it, but how Apple handled the bug report.
    Not only did Apple fail to have a patch ready after more than four months, but the company also tried to delay the researcher from publishing his findings until next spring, almost a full year after the original bug report and well past the standard 90-day vulnerability disclosure deadline that is broadly accepted in the infosec industry.
    Situations like the one Wylecial had to face are becoming increasingly common among iOS and macOS bug hunters these days.
    Apple — despite announcing a dedicated bug bounty program — is increasingly being accused of delaying bugs on purpose and trying to silence security researchers.
    For example, when Wylecial disclosed his bug earlier today, other researchers reported similar situations where Apple delayed patching security bugs they reported for more than a year.

    For two of my bugs they’ve told me the same thing, that it will be fixed in “Fall of 2020,” and yesterday I asked for the update. They replied it’s not a bug 😅
    — Nikhil Mittal (@c0d3G33k) August 24, 2020

    When Apple announced the rules of the Security Research Device program in July, Google’s vaunted Project Zero security team declined to participate, claiming that the program rules were specifically written to limit public disclosure and muzzle security researchers about their findings.
    Three months before, in April, another security researcher also reported a similar experience with Apple’s bug bounty program, which he described as “a joke,” describing the program’s goal as trying “to keep researchers quiet about bugs for as long as possible.”

    The industry standard for disclosure of security issues is 90 days. We’re well beyond that point now. Why should I not publish?
    — Jeff Johnson (@lapcatsoftware) April 21, 2020

    Apple acknowledged a request for comment but did not have a statement on the issue.


    Enough with the Linux security FUD

    Like all operating systems, Linux isn’t perfectly secure. Nothing is. As security guru Bruce Schneier said, “Security is a process, not a product.” It’s just that, generally speaking, Linux is more secure than its competitors. You couldn’t tell that from recent headlines, which harp on how insecure Linux is. But if you take a closer look, you’ll find most — not all, but most — of these stories are bogus.

    For instance, BootHole sounded downright scary. You could get root access on any system! Oh no! Look again. The group which discovered it comes right out and says an attacker needs admin access in order for their exploit to do its dirty work.
    Friends, if someone has root access to your system, you already have real trouble. Remember what I said about Linux not being perfect? Here’s an example. The initial problem was real, albeit only really dangerous to an already hacked system. But several Linux distributors botched the initial fix so that their systems wouldn’t boot. That’s bad.
    Sometimes fixing something in a hurry can make matters worse and that’s what happened here.
    In another recent case, the FBI and NSA released a security alert about Russian malware, Drovorub. This program uses unsigned Linux kernel modules to attack systems. True, as McAfee CTO Steve Grobman said, “The United States is a target-rich environment for potential cyber-attacks,” but is production Linux run by anyone with a clue really in danger from it?
    I don’t think so.
    First, this malware can only work on Linux distributions running the Linux 3.6.x kernel or earlier. Guess what? The Linux 3.6 kernel was released eight years ago.
    I suppose if you’re still running the obsolete Red Hat Enterprise Linux (RHEL) 6 you might have to worry. Of course, the fix for signing Linux kernel modules has been available for RHEL 6 since 2012. Besides, most people are using Linux distros that are a wee bit newer than that.
    In fact, let’s make a little list of the top production Linux distros:
    CentOS/RHEL 7 started with kernel 3.10.
    Debian 8 started with kernel 3.16.
    Ubuntu 13.04 started with kernel 3.8.
    SUSE Linux 12.3 started with kernel 3.7.10.
    All these years-old distros started life immune to this attack. All recent Linux versions are invulnerable to this malware.
    But, wait! There’s more. And this is the really annoying bit. Let’s say you are still running the no longer supported Ubuntu 12.04, which is theoretically vulnerable. So what. As Red Hat’s security team points out, “attackers [must] gain root privileges using another vulnerability before successful installation.”
    Once more: for Linux to be compromised — for your system to get a dose of Drovorub — your system already had to be completely compromised. If an attacker already has root access, you are totally hosed.
    Yes, there’s a security problem here, but it’s not a technical one. In the tech support business we like to call this kind of trouble Problem Exists Between Keyboard And Chair (PEBKAC). So yes, if you have a complete idiot as a system administrator, you’ve got real trouble, but you can’t blame Linux for it.
    Let’s look at another example: Doki, a new backdoor trojan. This time around, although described by many as a Linux problem, it’s not. It can only successfully attack Linux systems when whoever set up the Docker containers exposed the management interface’s application programming interface (API) on the internet. 
    That’s dumb, but dumber still is that for it to get you, your server’s firewall must be set to open up port 2375. Here’s a lesson from networking security 101: Block all ports except the ones you must have open. And, while you’re at it, set your firewall to reject all incoming connections that are not in response to outbound requests. If your administrator hasn’t already done this, they’re incompetent.
    Finally, let’s consider the recent sudo command problem. This sudo security vulnerability was real, and it has since been patched, but it requires, again, a case of PEBKAC to work. In this case, you had to misconfigure sudo’s setup so that any user could theoretically run sudo. Once again, if you already have an insecure system, it can always get worse.
    There’s a common theme here. The problems often aren’t with Linux. The problems are with totally incompetent administrators. And, when I say “totally incompetent,” that’s exactly what I mean. We’re not talking subtle, small mistakes that anyone might make. We’re talking fundamental blunders. 
    Whether you’re running Windows Server, Linux, NetBSD, or whatever on your mission-critical systems, if you utterly fail at security, it doesn’t matter how “secure” your operating system is. It’s like leaving your car keys in an unlocked car: your car will be stolen, and your system will be hacked.
    So, enough with blaming Linux. Let’s blame the real problem: Simple system administrator incompetence. 
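The three operator mistakes this column describes (a Drovorub-era kernel, a Docker API listening on TCP 2375 where the internet can reach it, and a sudoers rule that lets every account run sudo) are each easy to check for. The following is an added example, not code from the column or from any vendor it mentions; it takes the kernel and port thresholds from the text above, assumes iproute2’s `ss -ltn` column layout, and uses constructed sample data so the checks can be exercised offline before running them against a real host.

```python
"""Hygiene checks for the three misconfigurations described in the article.
Added example: the functions take plain strings so they can be tested
offline; live_report() feeds them this host's real output."""
import re
import subprocess
from typing import List, Tuple


def parse_kernel_release(release: str) -> Tuple[int, ...]:
    """'5.4.0-42-generic' -> (5, 4, 0); the distro suffix is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def drovorub_era_kernel(release: str) -> bool:
    """True for 3.6.x or earlier, the range the article says Drovorub's
    unsigned-module loading depends on."""
    return parse_kernel_release(release)[:2] <= (3, 6)


def exposed_docker_api(ss_output: str, port: int = 2375) -> List[str]:
    """Local sockets listening on `port` on a non-loopback address.
    `ss_output` is `ss -ltn` text: State Recv-Q Send-Q Local:Port Peer:Port."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")
        if lport != str(port):
            continue
        if addr == "[::1]" or addr.startswith("127."):
            continue  # loopback only: reachable from the host, not the internet
        exposed.append(fields[3])
    return exposed


def sudoers_open_to_everyone(sudoers: str) -> List[str]:
    """Rules whose user field is ALL, i.e. every account may run sudo.
    Comments, blank lines and Defaults entries are skipped."""
    hits = []
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.split()[0] == "ALL":
            hits.append(line)
    return hits


# Constructed samples (not captured from a real host).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:2375      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   [::]:2375           [::]:*
"""
SAMPLE_SUDOERS = """Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ALL     ALL=(ALL) NOPASSWD: ALL   # the PEBKAC line
"""


def live_report() -> dict:
    """Run all three checks on this host; None means the input was unavailable."""
    report = {}
    try:
        release = subprocess.run(["uname", "-r"], capture_output=True,
                                 text=True, check=True).stdout.strip()
        report["drovorub_era_kernel"] = drovorub_era_kernel(release)
    except (OSError, subprocess.CalledProcessError, ValueError):
        report["drovorub_era_kernel"] = None
    try:
        ss_out = subprocess.run(["ss", "-ltn"], capture_output=True,
                                text=True, check=True).stdout
        report["exposed_docker_api"] = exposed_docker_api(ss_out)
    except (OSError, subprocess.CalledProcessError):
        report["exposed_docker_api"] = None
    try:
        with open("/etc/sudoers") as fh:
            report["sudoers_open_to_everyone"] = sudoers_open_to_everyone(fh.read())
    except OSError:
        report["sudoers_open_to_everyone"] = None
    return report


if __name__ == "__main__":
    print(live_report())
```

Run it as root on the host in question; a `True`, a non-empty list, or a non-empty list respectively is the "PEBKAC" condition the column talks about, and `None` means the check could not read its input (for example, `ss` is missing or /etc/sudoers is unreadable).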


    Palo Alto Networks to acquire incident response firm Crypsis Group for $265M

    Palo Alto Networks on Monday announced its plans to acquire The Crypsis Group, an incident response, risk management and digital forensics consulting firm. Palo Alto plans to pay $265 million in cash for the Crypsis Group, which currently operates as part of the ZP Group, an organization with a portfolio of companies. The deal is expected to close during Palo Alto Networks’ fiscal first quarter.
    Once the deal closes, Palo Alto plans to integrate the Crypsis Group’s processes and technology into Cortex XDR, its cybersecurity product that natively integrates network, endpoint and cloud data.

    “The addition of The Crypsis Group’s security consulting and forensics capabilities will strengthen Cortex XDR’s ability to collect rich security telemetry, manage breaches and initiate rapid response actions,” Palo Alto said in its release. “The Crypsis Group’s experts and insights will also fuel the Cortex XDR platform with a continuous feedback loop between incident response engagements and product research teams to prevent future cyberattacks.”
    The Crypsis Group has more than 150 security consultants and responds to more than 1,300 security engagements per year. Its customers span a variety of industries including health care, financial services, retail, e-commerce and energy. The firm’s CEO, Bret Padres, will join Palo Alto Networks. 
    A few days earlier, Palo Alto finalized its $420 million acquisition of CloudGenix, a software-defined wide-area networking (SD-WAN) provider.
    Meanwhile, Palo Alto on Monday also reported better-than-expected fourth quarter financial results, driven in part by work-from-home tailwinds. 
    Non-GAAP net income for the fiscal fourth quarter 2020 was $144.9 million, or $1.48 per diluted share. Revenue grew 18 percent year-over-year to $950.4 million.
    Analysts were expecting earnings of $1.39 on revenue of $923.51 million. 
    For the full fiscal year 2020, Palo Alto’s earnings per share came to $4.88 on revenue of $3.4 billion, an increase of 18 percent year-over-year. 

    In a statement, CEO Nikesh Arora attributed the growth to “strong execution, work-from-home tailwinds, and continued success in next-gen security.”
    Fourth quarter billings grew 32 percent year-over-year to $1.4 billion. Fiscal year 2020 billings grew 23 percent year-over-year to $4.3 billion.
    Deferred revenue grew 32 percent year-over-year to $3.8 billion.
    For the fiscal first quarter 2021, Palo Alto expects revenue in the range of $915 million to $925 million. 
    Analysts are expecting revenue of $901.08 million. 



    Report claims a popular iOS SDK is stealing click revenue from other ad networks

    In an explosive report published today, developer security firm Snyk claims it found malicious code inside a popular iOS SDK used by more than 1,200 iOS applications, all collectively downloaded more than 300 million times per month.
    According to Snyk, this malicious code was hidden inside the iOS SDK of Mintegral, a Chinese-based advertising platform.
    Mintegral provides this SDK to Android and iOS app developers for free. Developers use the SDK to embed ads inside their apps with just a few lines of code, in order to cut down development time and costs.
    But Snyk claims the iOS version of this SDK contains malicious features that sit silently in an iOS app’s background and wait for a tap on any ad that’s not its own (mobile apps regularly use multiple advertising SDKs to diversify their ads and monetization strategies).
    When an ad tap takes place, the Mintegral SDK hijacks the click referral process, making it appear to the underlying iOS operating system that the user clicked on one of its ads instead of a competitor’s, effectively robbing revenue from other SDKs and advertising networks.
    Image: Snyk
    Logging user information as well
    But while it appears that Mintegral is engaging in ad fraud, Snyk claims the SDK also contains other sneaky functions aimed at logging and collecting user-related information.
    “Snyk further learned that the Mintegral SDK captures details of every URL-based request that is made from within the compromised application,” the company said in a blog post today.
    This information is logged and then sent to a remote server, and includes details such as:
    the URL that was requested, which could potentially include identifiers or other sensitive information
    headers of the request that was made which could include authentication tokens and other sensitive information
    where in the application’s code the request originated, which could help identify user patterns
    the device’s Identifier for Advertisers (IDFA), a unique random number used to identify the device, and the device’s unique hardware identifier, the IMEI.
    “The attempts by Mintegral to conceal the nature of the data being captured, both through anti-tampering controls and a custom proprietary encoding technique, are reminiscent of similar functionality reported by researchers that analyzed the Tik Tok app,” said Alyssa Miller, Application Security Advocate at Snyk.
    “In the case of SourMint [codename given by Snyk to the Mintegral iOS SDK], the scope of data being collected is greater than would be necessary for legitimate click attribution,” Miller added.
    Snyk did not release a list of iOS apps using the Mintegral SDK; however, the company said that the first version of the SDK where they found the malicious code was v5.5.1, released on July 17, 2019.
    iOS users have no way of telling if they’re using an app that secretly loads the Mintegral SDK, so there’s little they can do to safeguard their private information and browsing habits. Nonetheless, app developers can use the information from the Snyk report to review their app codebases and remove the SDK, or downgrade to a version where the malicious code is not present.
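For the review the paragraph above recommends, the quickest first pass is to look at what the dependency manager actually resolved rather than at source. The following is an added example, not Snyk’s or Mintegral’s code: it scans a CocoaPods Podfile.lock for a pod whose name matches the vendor and whose resolved version is v5.5.1 or later, the first version in which Snyk reports finding the code. The pod-name pattern and the pod names in the sample are assumptions; set the pattern to the exact pod your Podfile declares.

```python
"""Added example (not Snyk's or Mintegral's code): flag a CocoaPods
Podfile.lock that resolves the SDK to v5.5.1 or later, the first version in
which the report says the code was found. POD_NAME_PATTERN is an assumption:
set it to the exact pod name your Podfile declares."""
import re
from typing import List, Tuple

FIRST_AFFECTED = (5, 5, 1)          # from the report: first version carrying the code
POD_NAME_PATTERN = re.compile(r"mintegral", re.IGNORECASE)  # assumption, not a verified pod name

# Top-level entries of the PODS: section look like `  - Name (1.2.3)` or
# `  - Name (1.2.3):` when the pod has dependencies listed beneath it.
POD_LINE = re.compile(r"^  - (?P<name>[^\s(]+) \((?P<version>\d[^)]*)\)")


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.5.1' -> (5, 5, 1); a pre-release suffix such as '-beta1' is dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected_version(version: str) -> bool:
    """Python compares tuples element-wise, so (5, 4, 9) < (5, 5, 1) < (6,)."""
    return parse_version(version) >= FIRST_AFFECTED


def resolved_pods(podfile_lock: str) -> List[Tuple[str, str]]:
    """(name, version) for every top-level entry in the PODS: section."""
    pods, in_pods = [], False
    for line in podfile_lock.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached DEPENDENCIES:, SPEC CHECKSUMS: or another section
        if in_pods:
            m = POD_LINE.match(line)
            if m:
                pods.append((m.group("name"), m.group("version")))
    return pods


def flag_affected_sdk(podfile_lock: str) -> List[Tuple[str, str]]:
    """Pods matching POD_NAME_PATTERN whose resolved version is affected."""
    return [(name, version) for name, version in resolved_pods(podfile_lock)
            if POD_NAME_PATTERN.search(name) and is_affected_version(version)]


# Constructed Podfile.lock excerpt; the pod names are placeholders.
SAMPLE_PODFILE_LOCK = """PODS:
  - Alamofire (5.2.2)
  - MintegralAdSDK (6.3.1):
    - MintegralAdSDK/Core (= 6.3.1)
  - MintegralAdSDK/Core (6.3.1)
  - SDWebImage (5.8.4)

DEPENDENCIES:
  - Alamofire
  - MintegralAdSDK
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PODFILE_LOCK
    for name, version in flag_affected_sdk(text):
        print(f"{name} {version}: at or above "
              f"{'.'.join(map(str, FIRST_AFFECTED))}, review before shipping")
```

Point the script at the project’s real Podfile.lock (`python scan.py ios/Podfile.lock`); an empty result only means the pod is not resolved at an affected version, not that the binary is free of the SDK, so apps that vendor the framework manually still need a look at the bundle’s embedded frameworks.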
    Mintegral has not returned a request for comment.
    In an email today, Apple said it has spoken with Snyk researchers about their report, and that they have not seen any evidence the Mintegral SDK is harming users, at least for the time being.
    The OS maker said that app developers are responsible for the SDKs they put in their apps, and that many third-party libraries may include code that may be misinterpreted and abused due to its specific functionality, situations that Apple has seen in the past.
    Apple cited these dual-functionality SDKs as the reason why the company chose in recent years to expand the privacy controls it now offers to users through iOS, specifically pointing at a big batch of new privacy-boosting features set to arrive later this year, with the release of iOS 14, which will help unmask privacy-intrusive apps and SDKs easier.
    Article updated shortly after publication with comment from Apple.


    Brute-force cyberattacks on the rise in Brazil

    Brazil has seen a spike in brute-force cyberattacks driven by the increase in remote working, according to a new report on security threats in the first six months of 2020.
    More than 2.6 billion attempts at cyber attacks have been recorded by cybersecurity firm Fortinet from January to June, out of a total of 15 billion attempts across Latin America and the Caribbean.
    According to the report, there has been a “considerable increase” of brute-force attacks – the practice of guessing possible combinations of login information multiple times through automated means, until the correct access information is discovered.

    The increase in the uptake of remote working has rekindled the interest of cybercriminals in this type of attack, according to Alexandre Bonatti, Engineering Director at Fortinet Brazil: “[Attackers] are finding a significant number of incorrectly configured Remote Desktop Protocol servers, which facilitates invasions,” he noted.
    An example of such attacks mentioned by the cybersecurity firm in the report is SSH.Connection.Brute.Force, which consists of several secure shell (SSH) requests designed to perform a brute-force SSH login, launched about 200 times in 10 seconds.
    When it comes to other types of cyberattacks, phishing campaigns relating to Covid-19 are still frequent in Brazil but are not occurring with the same intensity of the start of the pandemic – such attacks peaked in April, according to the Fortinet report.
    According to a separate report on phishing, published by Kaspersky in April 2020, there was an increase of 124% in this type of scam in Brazil at the start of the pandemic.
    Phishing growth that month was driven by a surge in malicious messages sent through WhatsApp taking advantage of the Covid-19 situation: cybercriminals would send messages aimed at stealing the user’s personal data to use in other attacks, or made victims download legitimate apps, so that they could get paid by affiliation programs.
    Another report published in March 2020, by Trend Micro, placed Brazil third in a global ranking of cyber threats distributed via email and ransomware, behind the United States and China. The same report listed Brazil as the third country in the world with the highest number of ransomware attacks in 2019 behind the US and India.


    Group of unskilled Iranian hackers behind recent attacks with Dharma ransomware

    Image: Illustration set of flags made from binary code targets. Getty Images/iStockphoto
    Cyber-security firm Group-IB says it identified a group of low-skilled hackers operating out of Iran that has been launching attacks against companies in Asia and attempting to encrypt their networks with a version of the Dharma ransomware.

    The attacks have targeted companies located in Russia, Japan, China, and India, according to a report Group-IB researchers published Aug. 24.
    The security firm described the group as “newbie hackers” based on the low level of sophistication and simple tactics and tools employed during attacks.
    Per the report, the group used only publicly-available hacking tools, either open-sourced on GitHub or downloaded from Telegram hacking channels.
    This included the likes of Masscan, NLBrute, Advanced Port Scanner, Defender Control, or Your Uninstaller.
    This suggests the group is not capable of developing their own hacking tools, or they do not (yet) possess the monetary resources to buy access to private and more advanced hacking utilities.
    Even the use of the Dharma ransomware is considered a sign of a low-skilled attacker today, primarily because the ransomware’s source code was put up for sale and then leaked online earlier this year, making it available to any newcomers at literally no development cost.
    Group breaches companies via RDP endpoints
    Group-IB says this hacker gang prefers targeting Remote Desktop Protocol (RDP) endpoints to breach a target’s network.
    RDP endpoints are today’s top entry vector into enterprise networks for ransomware gangs, according to reports from multiple cybersecurity firms, primarily due to the ease of identifying RDP systems and brute-forcing their credentials.
    Group-IB says that despite attacking companies in the private sector, this particular Iranian hacking group has not demanded ransoms in the realm of hundreds of thousands or millions of US dollars — which has become the norm for most ransomware gangs today.
    Instead, the group has requested small ransom payments ranging from 1 to 5 bitcoin ($10k to $50k), most likely to ensure they’re getting paid and that they go under the radar, while authorities focus on the bigger gangs ransoming companies for millions.
    In the grand scheme of things, this “newbie” group is a far cry from Iran’s most infamous ransomware gang: the operators of the SamSam ransomware.
    SamSam was a professional hacker group that developed a very advanced ransomware strain that they used to target large corporations and government entities. The group wreaked havoc across the US in 2018 before disappearing after the US Department of Justice charged two of its members in December 2018.
    However, even if this newer group is not as advanced and skilled as SamSam, companies shouldn’t ignore the risk they pose. Since 2017-2018, the cybercrime ecosystem has evolved to automate, simplify, and monetize the entire process of breaching companies and deploying ransomware.
    While in 2017-2018 a group needed talented hackers to pull off a ransomware attack, today even “newbie” groups like the one in the Group-IB report can download hacking tools and follow tutorials shared on hacking forums to orchestrate their own intrusion and ransom attacks in a matter of days.
    While some security experts will pin the blame on the proliferation of offensive hacking tools and hacking tutorials, the actual problem is entirely with companies, many of which are still failing at basic security hygiene, such as securing RDP systems they expose online with proper passwords, or patching servers and edge networking equipment, leaving glaring holes that even low-skilled hackers can exploit.


    Top exploits used by ransomware gangs are VPN bugs, but RDP still reigns supreme

    Suebsiri, Getty Images/iStockphoto

    Ransomware attacks targeting the enterprise sector have been at an all-time high in the first half of 2020.
    While ransomware groups each operate based on their own skillset, most of the ransomware incidents in H1 2020 can be attributed to a handful of intrusion vectors that gangs appear to have prioritized this year.
    The top three most popular intrusion methods include unsecured RDP endpoints, email phishing, and the exploitation of corporate VPN appliances.
    RDP — number one on the list
    At the top of this list, we have the Remote Desktop Protocol (RDP). Reports from Coveware, Emsisoft, and Recorded Future clearly put RDP as the most popular intrusion vector and the source of most ransomware incidents in 2020.
    “Today, RDP is regarded as the single biggest attack vector for ransomware,” cyber-security firm Emsisoft said last month, as part of a guide on securing RDP endpoints against ransomware gangs.
    Statistics from Coveware, a company that provides ransomware incident response and ransom negotiation services, also sustain this assessment; with the company firmly ranking RDP as the most popular entry point for the ransomware incidents it investigated this year.

    Image: Coveware
    Further, data from threat intelligence company Recorded Future, also puts RDP firmly at the top.
    “Remote Desktop Protocol (RDP) is currently by a wide margin, the most common attack vector used by threat actors to gain access to Windows computers and install ransomware and other malware,” Recorded Future threat intel analyst Allan Liska wrote in a report published last week about the danger of ransomware to the US election infrastructure.

    Image: Recorded Future
    Some might think that RDP is today’s top intrusion vector for ransomware gangs because of the current work-from-home setups that many companies have adopted; however, this is inaccurate.
    RDP has been the top intrusion vector for ransomware gangs since last year, when ransomware gangs stopped targeting home consumers and moved en masse towards targeting companies instead.
    RDP is today’s top technology for connecting to remote systems and there are millions of computers with RDP ports exposed online, which makes RDP a huge attack vector to all sorts of cyber-criminals, not just ransomware gangs.
    Today, we have cybercrime groups specialized in scanning the internet for RDP endpoints, and then carrying out brute-force attacks against these systems, in attempts to guess their respective credentials.
    Systems that use weak username and password combos are compromised and then put up for sale on so-called “RDP shops,” from where they’re bought by various cybercrime groups.
    RDP shops have been around for years, and they are not something new.
    However, as ransomware groups migrated from targeting home consumers to enterprises last year, ransomware gangs found a readily available pool of vulnerable RDP systems on these shops — a match made in heaven.
    Today, ransomware gangs are the biggest clients of RDP shops, and some shop operators have even shut down their shops to work with ransomware gangs exclusively, or have become customers of Ransomware-as-a-Service (RaaS) portals to monetize their collection of hacked RDP systems themselves.
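Both the Fortinet description earlier on this page (SSH.Connection.Brute.Force, roughly 200 login attempts in 10 seconds) and the RDP brute-forcing described in the paragraphs above are the same event from a defender’s side: one source address producing far more failed logins than any human could. The following is an added example, not code from Fortinet, Coveware, Emsisoft or Recorded Future; it parses OpenSSH “Failed password” lines from auth.log into (timestamp, source, user) events and runs a sliding-window counter over them with the 200-in-10-seconds figure as the default threshold. The detector is deliberately independent of the log format, so failed-logon events from the Windows Security log (event ID 4625) can be fed to it the same way for RDP. The host name and all log lines are constructed.

```python
"""Added example (not from Fortinet's or Group-IB's reports): a sliding-window
detector for login brute forcing. The default threshold mirrors the
SSH.Connection.Brute.Force pattern described above (about 200 attempts in
10 seconds); for RDP, feed it failed-logon events from the Windows Security
log (event ID 4625) instead of sshd lines. All log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

Event = Tuple[datetime, str, str]  # (timestamp, source ip, username tried)

# OpenSSH "Failed password" line as sshd writes it to syslog/auth.log.
SSH_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ssh_failures(lines: Iterable[str], year: int = 2020) -> List[Event]:
    """Extract failed-password events; syslog stamps carry no year, so one is supplied."""
    events: List[Event] = []
    for line in lines:
        m = SSH_FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    events.sort(key=lambda e: e[0])  # the detector needs time order
    return events


def detect_bursts(events: Iterable[Event], threshold: int = 200,
                  window_seconds: int = 10) -> Dict[str, datetime]:
    """Map each source IP to the first moment `threshold` failures fell
    inside a `window_seconds` window. Works for any (ts, ip, user) feed."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, datetime] = {}
    for ts, ip, _user in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts older than the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def report(lines: Iterable[str]) -> Dict[str, str]:
    """Source IP -> ISO timestamp of the first burst, for auth.log input."""
    return {ip: ts.isoformat()
            for ip, ts in detect_bursts(parse_ssh_failures(lines)).items()}


def constructed_auth_log() -> List[str]:
    """Constructed sample: 10.0.0.5 makes 250 attempts in 10 s; 10.0.0.9 makes 3 in 3 min."""
    base = datetime(2020, 8, 24, 10, 0, 0)
    lines = []
    for i in range(250):
        ts = base + timedelta(seconds=i * 10 / 250)
        lines.append(f"{ts:%b %d %H:%M:%S} bastion sshd[{1000 + i}]: Failed password for "
                     f"invalid user admin from 10.0.0.5 port {40000 + i} ssh2")
    for i in range(3):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts:%b %d %H:%M:%S} bastion sshd[{2000 + i}]: Failed password for "
                     f"root from 10.0.0.9 port {50000 + i} ssh2")
    return lines


if __name__ == "__main__":
    for ip, when in report(constructed_auth_log()).items():
        print(f"{ip}: brute-force burst detected at {when}")
```

The 10.0.0.9 source, with three failures spread over minutes, never trips the default threshold; a much lower threshold over a longer window (say 10 failures in 10 minutes) catches slow "low and slow" guessing at the cost of more noise from users mistyping passwords, which is why the threshold and window are parameters rather than constants.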
    VPN appliances — the new RDPs
    But 2020 has also seen the rise of another major ransomware intrusion vector, namely the use of VPN and other similar network appliances to enter corporate networks.
    Since the summer of 2019, multiple severe vulnerabilities have been disclosed in VPN appliances from today’s top companies, including Pulse Secure, Palo Alto Networks, Fortinet, Citrix, Secureworks, and F5.
    Once proof-of-concept exploit code became public for any of these vulnerabilities, hacker groups began exploiting the bugs to gain access to corporate networks. What hackers did with this access varied, depending on each group’s specialization.
    Some groups engaged in nation-level cyber-espionage, some groups engaged in financial crime and IP theft, while other groups took the “RDP shops” approach and re-sold access to other gangs.
    While some sparse ransomware incidents using this vector were reported last year, it was in 2020 when we’ve seen an increasing number of ransomware groups use hacked VPN appliances as the entry point into corporate networks.
    Over the course of 2020, VPNs quickly rose as the hot new attack vector among ransomware gangs, with Citrix network gateways and Pulse Secure VPN servers being their favorite targets, according to a report published last week by SenseCy.
    Per SenseCy, gangs like REvil (Sodinokibi), Ragnarok, DoppelPaymer, Maze, CLOP, and Nefilim have been seen using Citrix systems vulnerable to bug CVE-2019-19781 as an entry point for their attacks.

    Image: Recorded Future
    Similarly, SenseCy says ransomware groups like REvil and Black Kingdom have leveraged Pulse Secure VPNs that have not been patched for bug CVE-2019-11510 to attack their targets.
    Per Recorded Future, the latest entry on this list is the NetWalker gang, which appears to have started targeting Pulse Secure systems to deploy their payloads on corporate or government networks where these systems might be installed.

    Image: Recorded Future
    With a small cottage industry developing around hacked RDPs and VPNs on the cybercrime underground, and with tens of cyber-security firms and experts constantly reminding everyone about patching and securing these systems, companies have no more excuses about getting hacked via these vectors.
    It’s one thing to have an employee fall victim to a cleverly disguised spear-phishing email; it’s another thing not to patch your VPN or networking equipment for more than a year, or to use admin/admin as your RDP credentials.


    Blockchain could help colleges like ASU provide better, more secure online education

    Online education was gaining significant momentum with colleges and universities even before the coronavirus pandemic. But as dozens and dozens of schools, like USC, Harvard, Rutgers, George Washington University, and UNC at Chapel Hill, take all or some of their Fall 2020 semester online in response to COVID-19, technology is playing an increasingly important role in higher education, both in terms of the classroom and student administration. Tasks that were once conducted face-to-face now have to be accomplished remotely. Blockchain could help schools perform some of these administrative tasks with more security and transparency.
    At Salesforce’s Dreamforce 2019 conference, I had a chance to speak with Donna Kidwell, CTO at EdPlus at Arizona State University, about the institution’s plans for blockchain. Kidwell explained that ASU has a goal of supporting 100,000 online learners by 2025. They already have 55,000 students. Blockchain will play a key role in helping them meet that goal by allowing ASU to better track and certify each student’s “learning accomplishments,” Kidwell said.
    Having a trusted, portable record of someone’s educational achievements is particularly important today, as most students don’t follow a traditional four-year college degree path, Kidwell said. Instead, they are “life-long learners” who will earn skills and knowledge at many institutions over the course of their educational and professional careers. Blockchain and a general public ledger when combined with identity management technology can help institutions like ASU build “transparent trust” into each student’s transcript.
    The following is a transcript of our interview, edited for readability.
    Bill Detwiler: So how is ASU using blockchain?
    Donna Kidwell: This is one of my favorite questions, so thank you for asking. We have been working on this for about 18 months, give or take. It took maybe six months to figure out should we actually be using blockchain, because that’s a whole thing. Is it the right technology to use? We looked at about a dozen different things that we thought, well, maybe blockchain would be good for this. Maybe blockchain would look good for that, until we really honed in on something that really where the technology of blockchain, the way blockchain allows us to think about things really matters, because otherwise, you don’t want to do it just because it’s blockchain. You want to have a valid reason for it underneath it. That’s how we came up to where we’re at now. We’ve got a roadmap that gets us towards using blockchain for reverse transfer, if you’re familiar with that concept. If not, I can explain it a little.
    Bill Detwiler: Sure, why don’t you explain it, so everybody knows?
    Donna Kidwell: So a pretty simple story. Let’s say somebody goes to high school, then they decide, I’m going to go to a community college for a little while. They go to the community college. They’re thinking, I really dig this. I’m going to go ahead and do a four year degree. So they transfer in. They could do that and not have their associates. In fact, a large percentage of ASU online students don’t have their associates. End up getting their four year degree, but along that way, they probably get that one English class that they were missing or whatever, how many ever hours they were missing. If we can actually get them to the point where they can get that associates while they’re on the bachelors, then one, they get to actually use that out in the marketplace for themselves, tell their employer, “Hey, I got this,” see if that gets them a raise.
    That’s all great. Let’s get them that credential because they’ve earned it by this point, right? They’ve done the work. Let’s give them the actual accomplishment. The other thing it allows us to do is between institutions, we can see what really pathways are happening there? Right now, when you stop going to the community college, basically you go dark. So community college doesn’t know about your journey beyond that. Well, it would be really interesting across these public institutions, across higher ed generally, if we could actually see what was happening to our learners. Now, along that whole way, a big piece of this is privacy and trust, another reason we’re using trust technologies like blockchain. To do that, we need the learner themselves to consent and say, “Yeah, I totally get it, and I would love to have that.”
    So we are enabling this very different way of working between institutions. Previously, like Jose in the keynote that I had this morning, a guy like Jose has got to get permission. He’s got to call up his advisor, get his transcripts. Maybe he’s got transcripts from two or three different places, a high school and two community colleges. It’s pretty typical. He compiles all of that and makes it happen. This would allow us to take the friction out of all of that. All he has to do is say, “I consent.” These partners, and we’ve worked with almost every community college already. ASU has been around. We’ve been doing this. We’re not actually transforming anything that’s not a business process that already exists, but now we’re putting that learner right in the heart of it and giving them a lot more agency to be able to actually make all the things happen.
    Bill Detwiler: So it allows you to gather that data and create a record-
    Donna Kidwell: Right.
    Bill Detwiler: … that is portable with the student that they can source.
    Donna Kidwell: That’s right.
    Bill Detwiler: Blockchain allows you to verify the authenticity of that record-
    Donna Kidwell: Absolutely.
    Bill Detwiler: … as they move through from organization to organization, institution to institution.

    Donna Kidwell: What’s really beautiful about it is the nature of that distributed ledger means I’m not the only one with a copy, which is how it is today. We’ve each got our own little fiefdoms, right, our own little domains. So now we’ve got a general public ledger where all of those learning accomplishments are being recorded across the ledger. I, ASU, issue that credential. Yep, that happened. I verify that it happened. So I’m still issuing the credential. I still, for all practical purposes, I’m doing the kinds of things that universities have always done in terms of owning that data. But now I’ve got it in a place where the learner can say, okay, we’re going to allow others to actually see it, can allow some other transactions to happen a little bit easier. That’s really why the general public ledger ended up making sense.
    Bill Detwiler: Right, and so what role does Salesforce play in that process for ASU?
    Donna Kidwell: Yeah, so that’s a great question. A couple of different things. One, they’ve been a great technology partner for us all along. So if we’re thinking scale, which we are, we want to get to 100,000 learners in the online space by 2025. We’re at 55,000 now. I expect we’re going to hit that 100,000 well before our 2025 year mark. So if you’re thinking about that many learners, we already need a really strong, what in my world would be a learner relationship management platform. How am I relating to that learner as they’re going through their different journeys? Salesforce was already doing a lot of stuff with us. So Salesforce was trying to figure out what’s going to be their blockchain strategy? We’re trying to figure out, does blockchain even make sense? A design partnership there really, really works.
    Frankly, if you’re on a campus, you’ve got student information systems, we’ve got learning management systems, we’ve got CRM systems, a little triumvirate of all this tech. Each of those has its own different job, and somewhere in the middle of that is a different job. It’s accomplishment. Like how are we actually recording this accomplishment? Could we give that to a learner across their life now, not just for the four years, because we know that’s actually not the path most people are taking? Could we give it to them for the whole duration of their career? That makes you think about the technology differently. Salesforce is thinking about their version of a lifelong learner. All of this was happening around the same time that they’re really creating Trailhead. So here we are, mission aligned towards different types of learning, but at the end, trying to really empower people to, in the nomenclature here, blaze their own trails. I totally get it. That’s what we want, too. So in as much as we can work with them to design what that future looks like, it’s a good thing.
    Bill Detwiler: What were some of the challenges that you faced either from the institution, administration side of things at ASU, or just technical challenges with moving to blockchain? Because everybody thinks this is cryptocurrency, right?
    Donna Kidwell: Right.
    Bill Detwiler: But blockchain is more than that. So as a CTO, did you have to convince the administration at ASU? Did you have to convince other stakeholders that this is the right path to take?
    Donna Kidwell: So great question, kind of two parts. We’ll take the, how do you get this job done inside a bureaucratic, not so much at ASU, but most public institutions are known for what I’d call bureau viscosity. Things slow down in the bureaucracy and you got to make all that happen. ASU is a horse of a different color in that way. President Crow has really created, over the years that he’s been there, a culture of innovation. So I am, in some ways, very blessed at ASU. It’s really fortunate in that the provost office sponsors this project. It has the registrar there meeting with me. Registrar and I went to Washington DC to talk to the Department of Ed about how this might have policy implications. It’s not-
    Bill Detwiler: So how was it? Talk a little bit, I mean, how that … how you were able to maybe overcome some of their concerns, the regulator’s concerns, or maybe they didn’t have any. Maybe they were already moving a role.

    Donna Kidwell: Oh no, it’s still a conversation, right? I think that’s part of it, is that I don’t go to the table as a CTO and say, technology enables us to do new things. Instead, we’re having this dialogue and saying, okay, so what if technology enabled us to do new things? Then the registrar is able to say, well, here’s how I’m funded. Here’s the pain points I have. Here’s where the system breaks. Here’s where it works for me, but it doesn’t work for a student, or it works for me, but it doesn’t work for the other registrar in my sister institution, or whatever. If we have these real honest conversations, the same is true for the Department of Ed and FERPA, like a real conversation. Like what does it actually mean to do what we’re trying to do, and does law and policy actually support it?
    Those are two different things, right? So how do we actually make all of that happen? It’s all through really sitting down at a table, the same table, but having a diversity of people who are at the table. That’s one of the things where I’d say, at ASU, we really approach the problems that way. So to go back to the second part of your question, the burden on a project that’s an innovative project in a place that’s as entrepreneurial as ASU, but still a public institution. So I’ve really got to prove I have a business case. I’ve got to show, it’s going to make a difference for students. There’s going to be sustainable opportunity in it. It is going to be something that not only can we create this wonderful technology, can be gardens and unique gardeners forever. So not only am I going to be able to build a beautiful garden, but it’s going to be sustainable. Every milestone that we meet is trying to demonstrate value. It’s to demonstrate sustainability. I’ve got to make that case almost as if I were a startup.
    Bill Detwiler: For other organizations, whether they’re public institutions like universities, whether they’re healthcare organizations, they’re other privates who are looking at blockchain to solve problems that they have, what advice would you give them?
    Donna Kidwell: Well, a couple of lessons learned with us. All of the processes we’re talking about already existed. They just existed in ways that weren’t very easy to work with. So they require a lot of man hours, or are business processes that have some automation but are pretty manual, are still processes where boy, if we could talk to one another, things would be a lot easier. So that’s nice. We’re not actually building something off as something that doesn’t exist. A case like reverse transfer is pretty well known amongst institutions all across the country. You can talk registrar to registrar. They get it. They know what’s happening, so that’s one thing, our admissions to admissions.
    The other thing, though, is to be able to understand what is that underlying problem? For us, part of the issue is trust. So I think blockchain is one of the trust technologies. The other ones that we’re really interested in are around identity management, because lifelong learning, that gets really interesting. So for me, trying to figure out the heart of where we’re going to be able to create value then lets you say, okay, well then this is why you’d need that technology. You need it for speed. You need it for scale. Whatever the reason is, blockchain serves itself really well if you need transparent trust.
    So in our case, we want to be able to issue something because it’s the university’s name, it’s the faculty’s name. We put a lot of esteem into that, a lot of work into that. We’re going to issue that credential as universities always have. We want that to be verified. We want that to be something other people can double check. We want that process to be transparent, but private and permission-based. So it was that set of rules that then led us to say, oh, this actually … the technology capabilities and the function that we get from the tech matches the same set of business needs and values that we have. You see that a lot in health care. It’s another place where there’d be really, or I think every industry is trying to figure out where’s their mix of that, that same recipe that would help them understand how blockchain may or may not be a fit.