
They Hacked Their School District When They Were 12 - jqueryin
https://www.edweek.org/ew/articles/2018/11/07/they-hacked-their-school-district-when-they.html
======
peterwwillis
I'm almost surprised that school administrators are still pulling the same
shit they did 19 years ago. I have basically the same story. I dropped out and
got a GED after I was framed by a malicious network admin and expelled, the
record of which followed me to each subsequent school. I still managed to work
my way into having a career, luckily. But the effects on my family and my
development as a kid were significant.

Not only is it unfair, it's hypocritical. First the school keeps the lamest
possible security practices (or none at all), and then they punish the kids
that stumble onto unprotected systems. It's like keeping unlocked storage
closets where kids could get into harsh chemicals, and then recommending the
state pursue criminal charges when the kids find them and spill them
everywhere. The bigger question is, _Why did the school leave the closet
unlocked, and why is the school not held accountable??_

To answer the article's question, they should partner with other school
districts to offer advanced cybersecurity programs to gifted students. At the
very least, get the kids to participate in something like picoCTF so they have
an outlet for their talents. After-school programs in addition to more
advanced online classes will really help.

But also, schools should stop being run by moronic fear-mongering
administrators with no conscience.

~~~
thomasfedb
A friend and I managed to gain superuser access to my school's systems
(including remote screen access to every teacher's laptop) when I was in
secondary school.

After a little playing around we handed the duty technician a post-it note
with the superuser password on it and told them we would explain how we found
it if they wanted.

I was summoned to the office of the head of IT, congratulated, asked to
explain how we did it, and told that we had to keep the password a secret
until they had a chance to fix the issues. A week later they told us it was
fixed. After I graduated my school hired me as a freelancer.

This is in Australia, but I'm unsure how well my experience generalises here.

~~~
sandworm101
Because your school ran its own IT. In today's north america schools this is
contracted out, or at least covered by a multi-school or district team who
never talk to actual children. Any kid finding a flaw is a threat to that
contract or system. Administrators dont want to look foolish, or admit
liability for a flawed system, so they go after the kid (Modern privacy laws
make them fearful of admitting anything.) Remember too that there is a culture
in NA of adults seeing teenagers as a threat. They are suspect the moment they
get to school. Any deviation from a norm only confirms that perception.

~~~
thomasfedb
Our IT department each rotated through being the Helpdesk person who talked to
kids all day. They ran our robotics club. If you were interested in mail
servers, or LDAP, etc they'd invite you in to see the server room.

I suppose they felt they had a duty to teach us, just like the rest of the
staff.

------
krsdcbl
Is it just me or does the story inexplicably blow up the boys tech
proficiencies and then almost casually mentions that all they did was log in
to school computers with credentials from a post-it on the machine itself in a
public space?

How are they at fault if said credentials grants them access to unprotected
sensitive records and an obviously badly exposed administration system?

~~~
edtechstrats
They boys are clearly tech-savvy to a degree (they build their own PCs, mined
crypto, understood Windows user permissions, etc.), but I seriously doubt that
they would or could have broken into the district's systems without two
things: 1/ an admin password left on a sticky note and 2/ clear text storage
of other user passwords in an excel file published in a shared folder on the
first machine they accessed (a public machine in the middle school library!).
Other issues: old user accounts left still active; no review of access logs or
logs of server usage (which would have spotted Monero mining). Note: the boys
reported that passwords on sticky notes was routine throughout the district
(and how they got access to the security cameras, too).

------
TipVFL
I had a similar level of access to my school's network when I was 12. It was
really easy, just watch the teacher slowly peck-type her password. It was
"teach". That gave me access to everything for her class.

Later on she had to log in to the admin account, and that password was
"burger". It turned out to be the password for every admin account in every
school in my district. I'm guessing they were all set up by the same guy, with
a note saying, "make sure to change the password!"

I had access to EVERYTHING. But, I was a pretty good kid, so I just poked
around enough to really verify that I could do anything and then I logged out
and never logged back in. I was terrified that I was going to get in huge
trouble just for accessing things I shouldn't have.

~~~
Rjevski
> It was really easy, just watch the teacher slowly peck-type her password. It
> was "teach".

Exact same story on my side, and the password wasn't much better either. The
worst is that she hinted at what the password could be (I assumed it was a
joke to calm down curious kids) but it was totally right when I managed to
actually see that password for myself.

~~~
xfitm3
The computer password in my school was "secret". We'd always ask the teacher
for the password and we were told "its a secret".

------
pdkl95
One day (1994) during AP CompSci, my friend was looking for ways to bypass the
cheap Mac System 7 lockdown software ("Mac Control" by BDW Software). He found
the fill that changed during password changes, and was astonished to find it
was the same length as the password. (N character password -> N byte file)

Me: That sounds trivial to break; have you tried XOR?

Friend: I'll try that now. [Tries ONE value] It's just XORing each character
of the password with 0xC9!

Me: Wow, that was fast. Why did you guess 0xC9?

Friend: 0xC9 is 11001001.

Yes, my friend was a huge trekkie. ( [http://memory-
alpha.wikia.com/wiki/11001001_%28episode%29](http://memory-
alpha.wikia.com/wiki/11001001_%28episode%29) )

We spent the rest of high school getting strange looks from teachers that
hated that we always seemed to know their passwords, but also wanted our help
fixing their computers.

~~~
asaph
> Me: That sounds trivial to break; have you tried XOR?

> Friend: I'll try that now. [Tries ONE value] It's just XORing each character
> of the password with 0xC9!

Really? You kids just guessed it on the first try? I'm skeptical.

~~~
pdkl95
Is is that hard to believe that two different trekkies (my friend, and
possibly the author of the software) might have picked the same "random"
constant that just happened to be the title of a TNG episode? It was very
surprising at the time, but plausible given that people give VERY non-uniform-
random values when asked to pick a random number.

Meh, believe it or not, it's what happened. The real lessons are that XOR
isn't a very secure hash function, and a lot of high school level "security"
has often been little more than a cheap facade.

------
volfied
I wonder if the security guard or the librarian who left the post-it notes on
their machines are reprimanded in any way. Or the librarian who left the
student list excel file unlocked on the machine, that contains sensitive
information.

While what the kids did is simple to us, it is magic to these other people who
can't even fathom the security implications of such a system. And that's the
scary part. The technology is adapted faster than it is being understood.

~~~
philamonster
Probably not. There's hardly ever a push to get staff members trained in ways
like this for a myriad of reasons, some of which are sound. The irony being,
the next week an admin could be phished or have their account compromised in
the same manner. There just seems to be this acceptance that, much like the
view of the current public education system, it's not worth the investment to
improve.

------
watwut
I hate that cultural thing where actions like this are treating as something
good to be glorified - while simultaneously threatening them with jail.

What about not overreacting either way, teaching them right and wrong, legal
and illegal too and punishing them in age appropriate way without involving
cops.

------
contingencies
So close to my own memories! Back in Sydney the mid 90s at perhaps 15 I
reconfigured a modem to allow for dial-in then explored the regional network
of the NSW education department remotely in the evenings. The machine was
intended to serve code, which we set up for diskless network boot and
distributed games like _Quake_ for network deathmatch (we also wrote our own
from scratch, eg. we had a _nibbles.bas_ hacking competition where we modified
multiplayer single keyboard versions to add features ... I recall
flamethrowers, mines and lasers). We also used to play _crobots_. I stopped
exploring the network after teachers started perplexingly asking questions if
anyone was in the school computer room later in the evening. Similar to the
subject of this story, it was really just curiosity, and I was also later
offered a job with an ISP as a result of the control obtained, where I made my
first RIP advert mistake, learned to tar to and from tape, and other such fun.
Also managed to intern at Fuji-Xerox where the Unix admin department had me
learn bash scripting, walked me through cabling and network topology
management techniques and I got to self-educate through a broad range of Cisco
online learning courses. Fun times. Years later used essentially that body of
knowledge to design and operate substantial Linux clusters. I have worked in
many continents in areas as diverse as embedded, clustering, mobile, digital
video, finance, and now run a robotics company in China. At the time I recall
I just hungered for knowledge and wanted nothing more than a teacher to point
the way to new areas. One of the accidental teachers who popped up on my
periphery was Julian Assange, whose _strobe_ got me in to protocol analysis
and much reading of RFCs which resulted in announcing ~1999 many discoveries
of undisclosed remote OS detection techniques across protocols like ICMP,
IGMP, and even ARP. I've since written a few internet standards drafts of my
own. Key insight for kids in these spaces ... it's harder to create a system
and defend it than to find holes in them. The parents are correct to encourage
building versus breaking. Breaking is very important also, however, but should
ideally be encouraged with a parallel focus on professional ethical
development and perhaps anthropological/philosophical insights as a personal
frame of reference in to the established national/educational/legal
bureaucracies who may otherwise seek to spurn talented and unique individuals
such as these.

------
peterkelly
The district should hire these guys, because they're obviously more competent
than the current IT staff.

------
philamonster
Speaking to the ineptitude of the district, you have to understand that a lot
of districts are horribly understaffed and/or mismanaged. "Best practices"
from an IT perspective is often an unknown or misinterpreted/ignored to band-
aid disparate systems RIGHT NOW because someone forgot to renew a license or
so-and-so at DO got this great deal on some (most-likely) Pearson product from
a frat-brother/neighbor/family member. There is no room for growth
professionally and not much in the way of training/certification that doesn't
require the employee learning on their own time and dime.

Soul-crushing lack of accountability is a factor as well. Outside of
physically assaulting someone or stealing a bunch of shit it is almost unheard
of for someone to be terminated for either incompetence or negligence unless
it's so optically bad for the district or administration as a whole that they
have no choice.

Then you have to take into account the skillsets that you're left with when
capable people leave. In my experience, those that can swim best often jump
ship first and with them take knowledge that was either carelessly preserved
or is totally unattainable by the staff that remains. Positions are sometimes
never back-filled leaving less capable staff to pick up slack and the cycle
continues, things get overlooked and stagnate and smart, bored kids own your
ass.

------
vezycash
With the school being technically inept, how did they get caught?

~~~
edtechstrats
Other students tipped off school administrators when a network filtering
bypass devised by one of the two boys went viral across the district.

------
pbhjpbhj
If they just got in, didn't break stuff, didn't copy test papers or change
grades, didn't victimise anyone - just took some electric and processing power
- then they resisted a lot of temptation (or didn't realise quite the power
they were holding).

Give the proceeds to charity, repay the electric from their own pockets (eg by
doing chores), get them on a course or give them hardware to set up comps they
can hack at legally.

~~~
watwut
They had computers to hack legally at home. One of them was building mining
computers, so apparently he had also access to money to buy hardware.

It was not lack of access or lack of outlet. It was lack of boundaries and
access to school network was not the only behavioral problem mentioned in the
article.

------
auganov
So they mined crypto, installed backdoors, accessed camera footage... and the
story is generally positive and defensive of them[0]. This clearly goes beyond
"just a prank" and depending on the severity ranges from very irresponsible to
anti-social and malicious.

[0] for the record I don't mean it shouldn't be, it just sounds bad enough, so
imagine how bad a non-charitable take would be

~~~
ballenf
By 'backdoors' are you referring to the TeamViewer client they installed on a
student computer in the back of a science classroom? If so, suddenly my
grandma is now a leet hacker.

~~~
watwut
That is backdoor, just not particularly leet or advanced. Low skill hacking
and backdoor are still hacking and backdoor. Article makes them sound like
cybersecurity geniuses, not comment here. Article is all odd.

Imo, the actual tech achievement there (for that age) is building mining
computer and learning javascript basics from video. Which is more then other
kids can do and shows some self motivation.

------
haser_au
A school system, where this level of potential and passion goes unnoticed and
unharnessed for good, is a broken system. The full extent of their exploits
remain unclear, due to ongoing legal action, but it should have been detected
well and truly before it got to the CCTV access stage.

~~~
amelius
I'm wondering how one would break into a CCTV system without physical access.
Are these systems connected to the internet?

~~~
vezycash
If you're referring to the boys, they found a sticky note on a guard's laptop
containing the login details.

For general cctv, many are installed to allow monitoring while away from the
house. Nanny cams for example.

Installing cctv to an existing network will put it online automatically.

The most important issue to consider is these devices - routers, cameras,
alarms, locks... come with default passwords. And almost no one changes them.
So anyone who knows which port (Shodan search engine, port scanner) to look
has a high chance of getting entry.

~~~
amelius
Ok, thanks. I was under the impression that CCTV systems are always "closed
systems", in the sense that one can watch the recorded video only after an
incident (where an authority has to provide the password).

------
fauxpersona
Similar story here, but very different outcome. Messed around a bit in junior
high, but in senior high our school had their home-built web-based intranet.
Several security issues (at least half of OWASP 10 basically), so escalated
that to full access of db with cracked account passwords. Windows AD network
and I don't remember the details but it involved a service account with a weak
password, Remote Desktoping into some admin server and getting a local copy of
a database with NTLM hashed passwords, cracking those for all users. I didn't
actually do anything much apart from just exploring the security aspects.
Didn't probe in private messages between teachers (definitely in their
internal message boards though!), try to look at the grading database, etc.
Eventually got caught because one of my two friends who were in on this had
got caught having the wrong window open at school and they got on to us.

That was nerve-wrecking.

There was a whole internal crisis around it - it was not a huge school,
private IT and media school with less than 1000 students at the time. They had
logs that made me have to admit and I effectively got cut off the AD. Game
over.

However, I still had a private 0day for the intranet so I could see what they
were writing about what to do with the situation. It seems like the consensus
was to turn us in to the police - just like with the boys in the article. But
then our head of school posted an MP3 file on an internal closed message-board
arguing for how this was not a way to to this and instead we got "detention";
I had to build a web app and database for connecting students to companies for
internships. Which was pretty fun.

Some time after graduation and military service, the head of school calls me
out of the blue and wonders what I am up to now. Apparently he had moved on
from the school and was now working with one of the most famous web
entrepreneurs in our country with a small startup in the town where I went to
high school.

So that's how I got my first full-time job, where I learned a lot.

Morality aside, which approach was more constructive here?

------
jtbayly
My freshman year of high school we had similar access. Mostly used it for
auto-installing Doom on all the library computers at once every time the poor
admin went through each computer and manually deleted it.

One friend wrote a fake login program that would immediately quit and run the
real login program so we could collect credentials.

Another friend got in real trouble though, supposedly for either trying to or
actually changing grades. I knew we could get in trouble. But I also never
would have considered doing anything other than pranks.

Of course, even pranks can be dangerous. One of my friends found an open mail
server (not that there were any shortage of those at the time) and sent some
prank emails that could have gotten him in real trouble.

------
mynameishere
This article and all the comments here are really making these kids out to be
heroic geniuses. Maybe, just maybe, they knew they were breaking some pretty
serious rules. Because, you know, while not exactly geniuses, they weren't
idiots either.

~~~
kalleboo
That's what kids do though. They break rules, test boundaries. You give them
enough of slap on the wrist to teach them to never do that again. Not expel
them and ruin their future. Especially if it's true what the article says that
one of the kids had a behavioral disorder!

------
edtechstrats
I first profiled the story of one of the two boys at
[https://k12cybersecure.com/blog/moths-to-a-
flame/](https://k12cybersecure.com/blog/moths-to-a-flame/). AMA.

~~~
em-bee
could you comment on this message please?
[https://news.ycombinator.com/item?id=18421274](https://news.ycombinator.com/item?id=18421274)

------
vezycash
The school taped passwords for anyone's eyes. What did they expect? Based on
the available info, all the boys did was use available login details, and
installed remote login software and cypto mining software and played cia
surveillance.

The school's extremely negligent / tech poor and they want to hide their
embarrassment by blowing up the skills of the boys. Anyone who has used team
viewer will testify that it's impossible to hide a remote viewing session from
the client screen.

The boys should sue for entrapment.

------
jacquesm
At the ETS in Amsterdam the system was set up in such a way that you only got
so many compute seconds per schoolyear. I spent nearly all my budget defeating
the accounting system so I could have unlimited computer access. That and
drafting classes were the few interesting things in that school, the remainder
was very basic electro technical and electronics stuff.

------
xs
If you like this story you may like this podcast episode. 15 year old hacks
his school and gets more than he bargained for.
[https://darknetdiaries.com/episode/17/](https://darknetdiaries.com/episode/17/)

