Passwords were stored in clear text and it was common for students to ask her what their forgotten password was. She would look it up in the system, and tell them.
Eventually some of us figured out how to change other users' passwords and of course we changed them to all sorts of unseemly phrases that a high school student boy would find amusing.
When that student would ask for their password she would simply change it to something pleasant...but amusingly maintain the general structure of the unseemly phrase changing only the bad words. We saw her laugh a few times.
Most of them weren't equipped for the job they were doing and I've seen that in others in my own career(s). An important lesson about authority.
I think the nature of Catholic schools being a diocese to diocese (or grouping of them) thing tends to create a lot of variety.
My school had similar teachers (this one sister and one priest aside) to any of the other local schools.
Also unlike the schools near me now ... it was basically open enrollment like any public school and the costs were on a sliding scale based on income. Many students (myself included) paid very little in tuition. The diocese picked up the tab for the rest.
Meanwhile the Catholic schools where I live now are ultra exclusive and bonkers expensive. They like to hint at a very 'classical' education and a lot of discipline.
But at my school things were very much easy going and by the time you were a senior you effectively were taking mostly college classes from the local colleges, and coming and going from school as you pleased as you might at college. It was a great experience (although I proved to be a terrible college student... so maybe not as effective for me, but I wouldn't blame the school).
Bumped into a friend from freshman year in the computer lab one day. I don't recall what happened, but he decided that something I had said or done offended his honor (half jokingly) and that he was going to email bomb my account as retribution. He writes a shell script to do this, and proudly shows it to me. I read the code, state, "You don't want to do that," and walk away.
He does want to do that. A moment later he notices that his terminal window has started acting oddly. So he decides to log out and log back in (he could have just opened a new window). And it won't let him log in.
As I open my email client to delete the couple dozen emails his script managed to send, I explain to him that he just fork-bombed himself, and since the ulimit was something tiny (32 processes?) it took me less time to delete the 'mail bomb' he sent me than it did to explain what he did. And since he closed his only shell, only an admin could now get him out of this.
"I told you you didn't want to do that."
He did, in fact, have to go to the admin and apologize.
A year later, "friend" applies to and is accepted into the NSA. And joke's on me, because I have slept a little less soundly every night since knowing the idiot who fork-bombed himself is now involved in national security. God help us all.
Maybe he learned?
Anywho, those experiences made me realize how much I value A) my privacy and B) just being left alone.
Just for reference, in middle school we had one Pentium 60 with a CD-ROM that was an absolutely mindblowing machine. I got to use it maybe once a month or so... Everyone else had to use the 386s while one kid would have his day on the fast machine.
It seemed so futuristic at the time, and now the story just makes me sound old.
It was a string match.
We called all our games winword.exe lol
Come to find out one day that 1) This was enforced only at the Finder (file manager) level, and 2) the AppleScript tool was on the allow-list(!)
A quick "tell application terminal to open" was all I needed to get into a fully-open environment. Not having a quarrel with the school, I didn't mess with anything. I just used it to do real work (like SSHing to my home server to fetch docs I forgot to bring in, or working on my AP Comp Sci stuff). But I also found out that the AirPort admin passwords were simply the SSID, so on the last day of my Senior year I changed a bunch of SSIDs to funny things. I also dropped a line to IT (via long AirPort SSIDs) letting them (and the students paying attention) know of the vuln :P
Bonus story: Years later at uni, I accidentally discovered that the shared "podium" account (used by guests to give presentations, but usable on any machine) was being used by someone to store their, uh, video collection. Much to the chagrin of the multiple presenters that accidentally ran across it during their presentations. Not to mention the rich browser autocomplete.
Of course, saving and running them didn't work at all. But clicking Run from the AppleScript editor meant that a "privileged application" was starting an unprivileged one :D
So this guy was the sysadmin, a freshly minted assistant who had the bad habit of copying our sources to see if anything interesting was in them. Therefore I wrote a piece of code called Super.exe with nice graphics and a lot of bling bling that had inside a virus which, when run from a normal user (like ours), did nothing, but when it was run from a Supervisor (Novell's name for Administrator) account would create another user called Hypervisor with a blank password. I created the .exe, erased the sources and let it sit on my account and went home.
Next morning I tried the Hypervisor account and what do you know! I got in. Used it for the next 3 years to give my normal user more space when I needed it and to do creepy stuff to said assistant when he was pissing me off. Poor sod never knew, always suspected bugs and viruses. I told him 5 years after that, when we met by chance at a beer with common friends. His eyes opened wide and he exclaimed: "So it was you!!? I never suspected you". Fun times.
In college we had 2 (large) rooms with computers; 1 had Windows boxes with win3.11 (for networks) and later win NT and the other had Sun sparcstations. The Windows room was always full and the unix room always empty. So I sat in the Unix room behind these machines that never crashed and had access to not only all the others in the room for doing interesting distributed things, but also to the 2 E450's in the basement of the college. While the Windows machines were on another network and were just basically crashing all day long (got a lot better with win NT obviously but still wasn't great). I later learned that the school head sys admin seriously hated Windows and loved Unix. So he basically ignored everything happening in the Windows world and just switched off the entire room at night while the Unix machines had uptimes that felt impossible if you compare them.
Of course, as the PC won, the room with the Sun machines was replaced with Windows machines; I got 10 SparcStation 5's (with the gigantic CRTs), a few SparcStation 1's, a few UltraSparcs (5+10) and an E450 after they removed all. All are still working without fault to this day. It is depressing how throw-away modern hardware is, but what can you do.
A lot of my most creative stuff growing up came out of me needing to work around really weird restrictions in middle/high school. In a really weird way, I'm almost grateful for some of the arbitrary rules and setups because they created a similar environment to what people seek out nowadays with platforms like the Pico 8 -- limitations in an unfamiliar environment force you to be creative with the resources you do have.
Edit: The other articles you reference in this one are also great! https://martinrue.com/give-yourself-more-playtime/ makes me really happy.
He was honest and had a crowd of people around him including staff as he did it, which was No Fun At All.
It was clear the principal had no idea what this "Linux" thing was, but the IT person did his best to make it as spooky and evil as possible unfortunately.
I don't remember what came of it, but later in the year a computer virus hit a few computers in the school, and I distinctly remember multiple people thinking I had done it...
Of course I would never, I was the last person who would want a run-in with that IT guy again at all. But no call into the office that time, and in retrospect I wouldn't be surprised if it was a simple misconfiguration being called a "virus" since it allegedly only affected teachers' classroom PCs.
I’ll open a terminal in my university courses and take notes in vim just to see people’s reactions.
Even better, doing anything with a lot of stdout. Fast scrolling text in a terminal freaks out a lot of people.
Try compiling GCC during your lecture
It listed all the built in help, basically masses of text scrolling down the screen. I assume the teacher thought I was hacking the computers or something, scared them.
To be fair, I was hacking the computers, but not when they were watching. Turns out the password file used very simple reversible encryption, but we only used our powers for good, and games.
Linux does sound evil, is it from one of those eastern european countries? I hear it's like communism
But this brings up a fun idea for a red team challenge: how well can you disguise what you are doing while being watched by somebody?
But as a formal challenge it would be super neat to try to do. The sneaky hackathon
So I had to do the reverse hack of this guy. Easiest way was just to load up the VS resource editor and change the icon so that it always looked like there was no connection.
VNC ran as a separate user with its password hash protected by the relevant registry permissions
one day we found a machine undergoing an automatic rebuild, found the password hash, and of course VNC only supports up to 8 char passwords
apparently it turned out they used the same VNC password for every single machine, including the staff ones
It seems like most programs people start on relatively level playing fields, but that couldn’t be more untrue for computer science.
My CS course had everything from a few of us already writing commercial software to people who had never touched a computer.
Most other programs people go to post-secondary to learn the subject at hand ... for a lot of trades and CS related programs they go into them because they enjoy that work and have been doing it on the side for a while. Those people immediately have a leg up on anyone who came in fresh.
For senior prank I created small Autohotkey executables that would swap what some keyboard keys would do (e.g. 'm' with 'n'). Then I booted the lab computers with a Linux live CD, and copied the executables into the global start folder (a different executable for each computer). When students came in that day to finish their homework in the morning at the last minute, they were quite annoyed, but some found it funny. One clever student figured out that killing the firefox.exe process fixed it (until the next login).
I didn't get in any trouble (senior prank was semi-sanctioned), but they did need me to clean it up the next day.
After my Grand Hacking Crime of teaching all of my friends how to use proxy servers and supplying them with a text file containing several hundred that allowed them to bypass the website filter, I was constantly being watched, which annoyed the hell out of me.
So I started digging around when the teacher wasn't looking and discovered that, while only the server part of the monitoring system was "installed", the files for the client part were still included. Without having the admin creds, all I could do is send messages, but that was enough. After testing it on a friend's computer as a joke, I sent the master PC a single message containing several hundred lines of Shakespeare's plays. The message appeared in an always-on-top msgbox and could only be dismissed by the OK button, which was by my estimate several meters below the bottom edge of the monitor.
C network programming:
Commodore 64 & BASIC programming:
How could this possibly work in the era before convolutional neural networks?
The internet webpage filter at the school would stop you from playing games (particularly flash games), something as kids we quite enjoyed doing. I noticed that sometimes the real page would flash up and then go to the block page. After a while, I found out it was simply serving a "redirect" if the page contained banned keywords.
My 14 year old brain figured that I could make use of iframes so that the top section of 1 pixel height got given all of the "redirects" whilst the bottom half opened up google.com, where we could merrily search for games and proxies. This worked until I got VNC'd one day, logged off, account banned and the blocking system updated to filter prior to connection.
Still wanting to play games, I went to a friend's home (I didn't have internet back then), downloaded the entirety of a games website using a crawler and then brought the flash games in on a memory stick. As some of the teaching software also used flash player, this method of playing games was good until the very end.
My friend was watching all of these little tricks and thought they were cool. I wanted to try some things that would require two people to pull off. One lunch time we go to the library (the only machines in the school I can actually use now) and start experimenting with emails. It turns out that we could set custom rules.
A few minutes later, he has a rule that emails "Hi" every time I send him an email, and mine in return says "Hey". We trigger this snowball off... 500 emails... Haha. 5000 emails... Still funny. 50,000 emails - erm. 500,000 emails, the computers are grinding to a halt. Disk space on everybody's accounts is evaporating.
Email system starts sending out "Unable to send message, not enough space". Phew, we thought. But each one of these messages was a few kilobytes, and each one triggered a new one (as there wasn't any space for that either). Suddenly the number of emails starts growing again as each of our accounts gets an automated space message.
We undid the rules and held the delete key for 30 minutes; there were still 500k emails when we left for class, but it wasn't growing any more. I assume an IT guy saw what we did, because the next time I logged on, the rules were disabled and the emails were gone.
I email him this web page, he opens it, crashes his machine. He thinks this is as brilliant as I did. He emails it to all of his friends. Their machines also crash. They email it to their friends, etc, etc.
"Trolling" had become a thing, where you would try to cause somebody an inconvenience and leave a troll face there to let them know it was on purpose. Some of our exploits included taping a troll face to the underside of a laser mouse, unplugging mice/keyboards and taping troll faces over the USB ports, swapping people's mice over so that they controlled each other's computers, turning everything upside down in the settings when somebody left their computer unlocked and left the room, holding down sticky keys to crash the computer out whilst making an awful noise, etc. We got quite creative with this.
Printing was done by room, with printers automatically added to your account depending on where you log in. In one of our classes there was an "expensive" glossy colour A3 printer, where the teacher would monitor what it was used for. We figured it did no authentication and that we could copy the printer settings and print remotely. We could also pretend to be another user as it didn't connect at all to the user database. In a class with a few friends in, we remotely printed large cartoon pictures. Apparently the teacher was frantically trying to find the person who was printing and they all had a good laugh. They then took that printer off the network.
File explorer back then was patched so that we couldn't see network drives and even if we could, we couldn't get onto them. A few teachers sharing their screens would leak the fact that they had a private staff share. Child mind: Challenge accepted.
After several failed attempts using browsers and explorer, we discovered that Microsoft Office wasn't patched. Suddenly we could access other students' work spaces and save files in there. We could access staff's work spaces and save files in there. We could access IT work spaces and save files in there. We occasionally left an "I'm watching you" file (created at home so it didn't have our user account metadata) in random staff accounts.
At this point I think we were on their radar, but they needed proof. One afternoon we access the headmaster's work space, who apparently left files on his desktop with his various login details. A bunch of students could now pretend to be the headmaster (we didn't as we knew this was suicide). (Turns out later that this headmaster was stealing school funds, so in retrospect I don't feel bad.)
We then found the "program" drive. It was a literal jack pot. Installation binaries with site-wide licenses. Back then there was no IP checking, one of these licenses was golden. We could install thousands of dollars worth of software at home for free, including Adobe everything, Maya and other 3D packages, office and every other custom piece of software.
Stupidly I had shown other people how to do this and they were running through the network like a bull in a china shop, triggering lots of errors, and as it turned out - getting lots of attention. In bursts a network administrator and he shouts my username into the room. This was the "oh shit" moment. I was dragged into the headmaster's office whilst my teacher protested that I was a good pupil.
I sit there whilst being berated, the network admin wants to call the police - whilst he wafts a large document full of screenshots in his hand (50+ pages). (Apparently they kept screenshots for evidence as I caught them off guard and they didn't have video capture.) They come to an agreement that I am indefinitely banned from using a school computer with no police involvement, as long as I give them all of my exploits. As a child I don't see any way out and agree. They handed me a single piece of A4 paper and said "write everything you know on here". Before I put even a single word to paper, I replied: "Can I have some more paper please?"