So theoretically, I could have just generated answer files for every single lesson for the whole semester, and a lot of them I did. BUT, I was scared that the final exam was going to be conducted on-campus, where it would be less tenable to be a dirty-rotten-cheating-scumbag.
So I actually had to learn the coursework, and learn how to read music and all its intricacies. (I do not play an instrument unless you count guitar chords.)
When the final exam came, instead of it being on-campus, the professor used the EXACT SAME VB application to run it. It took me about 5 minutes and I scored a 100% on it thanks to notepad.exe.
There's a moral to this story somewhere. I use notepad.exe a lot more these days than I read music, so perhaps it was foreshadowing an IT career?
This continues in the working world as well, unfortunately. Many employees will optimize behaviors and attention to what’s most likely to get them a bonus or promotion regardless of how damaging it is to other people, users, or the company long term.
I think good companies (which are incredibly rare) will figure out how to make the behaviors that get people bonuses and/or promoted coincide with the ones that are good for the company long-term. Sadly, it doesn't seem to happen that way too frequently.
It was somewhat annoying to have to get our teacher to enter the password each time it froze etc. Partially because higher level classes were all individual study and often math classes were in progress in the same room. So it could take a while to get the teacher’s attention.
So one time some classmates switched the keyboards between two computers and handed one to the teacher to enter the password.
As the characters appeared in plaintext, another student typed the characters into the boot screen as fast as possible.
The boot password was passed down as a secret between juniors and seniors for years.
I didn't have any real reason to steal everyone's credentials including the teacher's, but it was fun. And I would have gotten away with it, if I wasn't storing the output in a file called stolen_passwords.txt!
I got busted, and the teacher said I could either take 23 Saturday detentions, or help him fix the login screen so that my attack wouldn't work anymore. I made an honest effort at the latter, and he let me off.
I still hate Vista, though.
30 minutes later I was in my professor's account. Their birthday month and day were public on Facebook, so it was only a matter of guessing their age.
I reported this to our IT department and they were not pleased. They let me know they had the power to expel me but wouldn't.
A week later, I found another exploit. I think Blackboard group chat allowed JS execution outright. I redirected the class to "disney.com" but never disclosed it to IT because of the earlier threats.
One guy however, decided to sell grade-editing as a service to others. Of course it was noticed by the school, and it became a big deal with police involved and everything. Happy ending, though, the two people I know that were involved got master's in compsci a few years later.
This response is grounds for immediate dismissal of the IT person in my view.
I got plenty of logins, but not the one I wanted. Until a friend looked over the sysadmin's shoulder. I lost interest right there, but my friend went on to wreck the entire network by mistake and barely escaped paying for the whole mess.
Have to give some credit to the sysadmin for the catch. To figure out who was messing with his stuff, he put a program that emitted a high frequency tone through the PC-speaker in his login script and sat down next door to wait for my friend to take the bait.
> 02/27: Attended conference call with Blackboard and NTNU to explain exploit
> Blackboard stopped responding to our e-mails 02/28.
To his big surprise, he found his own. On a spreadsheet, with usernames and passwords of 35000 others, in clear text.
Turns out students had credentials to such places.
He tipped the school, who in turn called the cops on him. Cops went to his home and confiscated his computer.
And second, how did they actually exploit it? Presumably the authentication works by some kind of token, right? Is the client js generally allowed to perform http requests outside of the origin domain? If not how did they hijack the authentication?
As someone who used Blackboard in college I can tell you it's a mess. Neither teachers nor students like it. It integrates with a ton of 3rd party libraries to be "helpful" by embedding content like this but ends up with a ton of different, inconsistent and often broken experiences.
I think Blackboard sees this as a convenience feature, i.e. students submit assignments as, say, PDF documents and they can be viewed directly within Blackboard without the extra steps of downloading. Just silly that it works with anything that can interact with web API, but maybe that was requested specifically?
> Is the client js generally allowed to perform http requests outside of the origin domain?
EDIT: By default, yes, but I'm not sure what restrictions can be applied. (I'm misremembering how CORS even works so I took out my previous paragraph.)
In any case, Blackboard probably provided other tools they could use within the domain as well. For example they could probably trigger some sort of user-to-user private messaging and send the token in the body.
Turned out, there was an admin account (u/p: admin/admin or something equally trivial to guess) with superuser access that someone learned.
I was in an accounting class (using Excel) and I tended to finish the earliest with our in-class work because of judicious use of formulas and copy-paste (instead of entering data twice for the two-ledger stuff).
The computers were set to disallow running unapproved programs, but I figured out that you could launch an executable from within a zip file (the computers ran XP IIRC). The only thing left to do was to configure the game at home (before zipping it up) to save files, look for other config, etc. from the drive letter the thumbdrive would be mounted at at school because it of course couldn't save the updated settings to the zip file.
I had a good teacher - he let me sit at the back, and I just kept the volume down :)
I wasn't able to figure out how to change my grades (and I would like to think that I wouldn't have even if I could have), but I did find a directory of all their registered software that I was able to download, and the teachers' profile pages were editable. If I recall, I think I edited the profile of one teacher (that I was reasonably certain wouldn't get me in trouble if I got caught) to end with "Mr. <Teacher's Name> is a goofball".
Assuming it isn't ignored, you can smile to yourself years later at the thought that there is a bug report open somewhere that a poor engineer has probably spent weeks trying to reproduce.
But in real life they could save a draft and view it as a student to see if they can hijack the session.
Another perhaps lesson - if security really matters - perhaps instructors and students should have completely different decoupled apps to do the job. (security through obscurity)
This is a pretty meaningless sentiment. There are plenty of things one can study that will lead to more ignorance and less well-roundedness. In the extreme, this is pretty much how cults can operate.
I believe it also applies to a number of subjects in mainstream universities, but I am not going to hop into that fire pit.
It's a university... there are a broad array of departments and courses, and I am saying that a handful of them at a multitude of universities have the potential to close minds and lead to more ignorance - this broad statement isn't too controversial - witnessed by the very vocal debate about it. I am not going to jump into the pit of the specifics of that debate though.
Also, seems like a weird bar. I doubt any single class "changed your life trajectory." Why would it need to? I could say that about very few things in life.
But I get it, liberal arts bad, STEM good.
Have you considered the possibility that he's a highly motivated person who simply has a more creative "It" in mind?
They did it to show they could, I guess.
The idea of a liberal arts degree at a university is to create a well-rounded individual. The idea of taking classes outside your major is to learn about life. The idea of even going to college (which is ENTIRELY optional) is to learn. Not just to pass classes and get an A.
This is something that, traditionally, CS and Engineering students like to shit on - as an example, see the other post about Sociology being useless.
The thing is, there are boot camps and trade schools to learn job skills. People are now attending University and complaining about the 'gen ed' courses in their degree because they're not "useful for my future". This is meant to be "not job skills directly connected to what I think I want to grow up to be".
They aren't supposed to get you a job. They're not job skills programs. They're liberal arts programs. They're supposed to make you into a fully realized human. Those other general courses exist because many students enter college not knowing what their passions are, right or wrong.
Source: My career in higher education. One thing has been constant in the decades that I've worked in this field - Engineering and CS students complain about and shit on the 'gen. ed' classes more than any other major. They also don't like hearing that they can just go to trade school or a boot camp if they just want job skills training; which makes no sense to me - trade school is cheaper, and boot camps are shorter in duration.
Right now, they are quite inferior. Not because they are necessarily bad, but just, they don't last long enough to cover what a computer science education does. (Bearing in mind I am aware that "computer science" and "programming" aren't even really the same thing.) I think, without judging it good or bad, if something could fill in the gulf between the 4-year rounded degree and its computer programming content and the 8-week bootcamp a lot of people would be interested in it, but there's a lot of activation energy required there.
When I took computer science 20 years ago, it was only marginally related to "programming", and it has gotten much worse since then, because "programming" hasn't exactly changed but all the stuff around it has. "Deploying" used to be copying over the directory full of .ASP or .PHP files and maybe restarting the server, not committing to source control, handling a PR, running through CI, open source compliance analysis, and sundry other automated things, to be packaged up to something that we use devops tools to manage deploying, etc. etc. I'd love a new graduate who came to me with enough programming skills to prove they can do it, but knew source control, monitoring, basic commit hygiene, and the dozen other skills you need to have nowadays to get anything released to the public. You'll learn none of that in college.
And I'm not even saying you necessarily "should". But you definitely don't.
That was the original idea, yes. That does not mean that actual liberal arts degrees today at actual universities actually come anywhere close to doing that. For one thing, under that original idea, science was one of the liberal arts, and anyone who expected to be considered well rounded had to study it. How many liberal arts programs include any kind of serious exposure to science?
> see the other post about Sociology being useless
To the degree that it claims to be a science, I would argue that it probably is. It has basically no predictive power.
Why should teenagers receive federally subsidized loans in the tens to hundreds of thousands of dollars—not dischargeable even in bankruptcy—to receive such a degree? How is that a wise financial decision for a normal person rather than merely an amusing hobby for the hereditary rich?
You may be aware that you don't need to go to college in order to be a software developer/hacker. But if you decide to do that then what's the point in faking the grades?
To get the really expensive piece of paper that lets you through the HR gatekeeping.
I went to college because I wanted to get a job as a high paid software engineer.
And although many of the classes that I took did indeed help me with this goal, many of them that I had to take did not.
It would have been awesome if I could have replaced some of my required classes that weren't particularly useful, with more focused ones on web development, and industry related.
Besides, I don't think anyone making their point would suggest that you shouldn't try to make good grades, which involves learning a subject well enough, including doing the boring work, to get a good mark.
I agree with them. If grades are the only thing you care about such that you'd be fine with paying an insider for a diploma without doing the work, then I'd say you wasted the entire opportunity and only exercised your ability to cheat and be dishonest.